
Firewall setup #248

Closed
benoistlaurent opened this issue Mar 20, 2024 · 1 comment

Comments

@benoistlaurent

Hi,

Thanks for the awesome role.
Quick question though.

Description

To be able to host a website, shouldn't the role take care of setting up the firewall?
Or maybe add the necessary piece of code in the section "Example of playbook"?

How to reproduce the issue

Vagrant file

Vagrant.configure("2") do |config|
  config.vm.box = "generic/rocky8"

  config.vm.synced_folder ".", "/vagrant", disabled: true

  # Use Vagrant's insecure key for SSH.
  config.ssh.insert_key = false
  config.ssh.private_key_path = "~/.vagrant.d/insecure_private_key"
  
  config.vm.hostname = "dokuserver"
  config.vm.network "private_network", ip: "192.168.33.10"
  config.vm.network "forwarded_port", guest: 80, host: 8080

  config.vm.provider "virtualbox" do |vb|
    vb.memory = "512"
    vb.cpus = 1
    vb.linked_clone = true
  end
end

setup_server.yml playbook

---
- hosts: all
  vars_files:
    - vars/main.yml
  roles:
    - roles/apache

vars/main.yml

---
apache_listen_port: 80
apache_create_vhosts: true
apache_vhosts:
  - servername: "dokuwiki.test"
    documentroot: "/var/www/html"

Issue

Leads to "This site can't be reached" in the browser.

Solved by logging into the VM and setting up the firewall:

sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --reload

Suggested solution

Add this to the Ansible role or to the minimal playbook:

---
    - name: Ensure http service is enabled in firewall
      firewalld:
        service: http
        permanent: yes
        state: enabled
    - name: Reload firewalld  # probably should be a handler
      systemd:
        name: firewalld
        state: restarted
@geerlingguy
Owner

Since firewall setup is different in almost every situation, I prefer to manage firewalls in a different role, or on the playbook level. See also my geerlingguy.firewall role for an IPtables-based approach.
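Putting the suggested tasks and the maintainer's "playbook level" advice together, here is an added example playbook (not from the issue author, the maintainer, or the geerlingguy.apache role) that applies the role and then opens the Apache listen port with the ansible.posix.firewalld module, using immediate: true so no firewalld restart is needed. It assumes the ansible.posix collection is installed and a firewalld-based target such as the Rocky 8 box from the Vagrantfile above; the final wait_for check is a constructed reachability test from the control node.

```yaml
---
# Added example, not part of the issue or of the geerlingguy.apache role.
# Opens the Apache port at the playbook level with ansible.posix.firewalld
# (assumed installed) instead of restarting firewalld after a permanent change.
- hosts: all
  become: true
  vars_files:
    - vars/main.yml
  roles:
    - roles/apache          # roles run before the tasks below

  tasks:
    - name: Ensure firewalld is running so the rule can be applied immediately
      ansible.builtin.service:
        name: firewalld
        state: started
        enabled: true
      when: ansible_facts['os_family'] == 'RedHat'

    # Open exactly the port Apache listens on (apache_listen_port from
    # vars/main.yml), so a non-default port is not left closed while only
    # the "http" service (80/tcp) gets opened.
    - name: Allow inbound traffic to the Apache listen port
      ansible.posix.firewalld:
        port: "{{ apache_listen_port }}/tcp"
        permanent: true     # survives firewalld reload and reboot
        immediate: true     # also applied to the running configuration
        state: enabled
      when: ansible_facts['os_family'] == 'RedHat'

    # Constructed check: confirm from the control node that the port really
    # answers, which catches a firewall that is still closed or a wrong port.
    - name: Verify the Apache port is reachable from the control node
      ansible.builtin.wait_for:
        host: "{{ ansible_host | default(inventory_hostname) }}"
        port: "{{ apache_listen_port }}"
        timeout: 10
      delegate_to: localhost
      become: false
```

On hosts that use ufw or plain iptables instead of firewalld the when: guards skip these tasks, so a separate mechanism (for example the geerlingguy.firewall role mentioned above) is needed there.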
