Add support for custom ports

.cache/roles/nbde_server

@@ -0,0 +1 @@
+../..

README.md

@@ -14,9 +14,6 @@ Supported Distributions
 Limitations
 -----------
 
-It is not currently possible to specify a custom port for the NBDE servers configured by this role.
-
-
 Role Variables
 --------------
 
@@ -30,6 +27,9 @@ These are the variables that can be passed to the role:
 |`nbde_server_fetch_keys`| `no` | indicates whether we should fetch keys to the control node, in which case they will be placed in `nbde_server_keys_dir`. You **must** set `nbde_server_keys_dir` to use `nbde_server_fetch_keys`.
 |`nbde_server_deploy_keys`| `no` |indicates whether we should deploy the keys located in `nbde_server_keys_dir` directory to the remote hosts. You **must** set `nbde_server_keys_dir` to use `nbde_server_deploy_keys`.
 |`nbde_server_keys_dir`| | specifies a directory in the control node that contains keys to be deployed to the remote hosts. Keys located in the top level directory will be deployed to every remote host, while keys located within subdirectories named after the remote hosts  -- as per the inventory -- will be deployed only to these specific hosts. `nbde_server_keys_dir` **must** be an absolute path. You need to set this to use either `nbde_server_fetch_keys` and/or `nbde_server_deploy_keys`.
+|`nbde_server_port`|`80`| setup custom port which will be enabled in SELinux and firewalld.
+|`nbde_server_firewall_zone`|`public`| change the default zone where the port should be opened.
+
 
 
 #### nbde_server_fetch_keys and nbde_server_deploy_keys
@@ -108,6 +108,18 @@ To redeploy keys, they must be placed into subdirectories named after the host t
     - linux-system-roles.nbde_server
 ```
 
+#### Example 5: deploy NBDE server with custom port and zone
+```yaml
+---
+- hosts: all
+
+  vars:
+    nbde_server_port: 7500
+    nbde_server_firewall_zone: dmz
+  roles:
+    - linux-system-roles.nbde_server
+```
+
 License
 -------
 

defaults/main.yml

@@ -34,4 +34,14 @@ nbde_server_deploy_keys: no
 # to use either nbde_server_fetch_keys and/or nbde_server_deploy_keys.
 nbde_server_keys_dir: ""
 
+# nbde_server_port indicate the port that nbde_server's firewall should open.
+# The default port is 80. Tang uses the TCP protocol. Thus the specified port
+# will listen on the nbde_server_port/TCP
+nbde_server_port: 80
+
+# nbde_server_firewall_zone indicate the zone that nbde_server's firewall should 
+# write into. The default zone is public. If that is not the case you can change
+# that here. Usually it should be left like that. 
+nbde_server_firewall_zone: public
+
 # vim:set ts=2 sw=2 et:

tasks/main-tang.yml

@@ -26,6 +26,9 @@
   when: (nbde_server_fetch_keys | bool) or (nbde_server_deploy_keys | bool)
   include_tasks: tang-key-management.yml
 
+- name: Open port in firewalld
+  include_tasks: tangd-custom-port.yml
+
 - name: Ensure required services are enabled and at the right state
   service:
     name: "{{ item }}"

tasks/tangd-custom-port.yml

@@ -0,0 +1,55 @@
+---
+# This task tells SELinux for the port that we want the tangd service to use when distribution Fedora
+- name: Allow the custom port for tangd_port_t in SELinux
+  import_role:
+    name: linux-system-roles.selinux
+  vars:
+    selinux_ports:
+      - { ports: '{{ nbde_server_port }}', proto: 'tcp', setype: 'tangd_port_t', state: 'present' }
+
+# This block creates the override file for systemd with the new port that we have requested
+- name: Create override file
+  block:
+    # This task checks if the directory /etc/systemd/system/tangd.socket.d exist and registers the value in systemd__system__tangd_socket
+    - name: Check if directory /etc/systemd/system/tangd.socket.d exist
+      stat:
+        path: /etc/systemd/system/tangd.socket.d
+      register: systemd_system_tangd_socket
+
+    # This tasks Create the /etc/systemd/system/tangd.socket.d directory if it does not exist
+    - name: Create a directory if it does not exist
+      file:
+        path: /etc/systemd/system/tangd.socket.d
+        state: directory
+        mode: '0755'
+      when: systemd_system_tangd_socket.stat.exists
+
+    # This tasks creates the file with the port entry that we want tangd to listen to 
+    - name: Creates the file with the port entry that we want tangd to listen to 
+      blockinfile:
+        path: /etc/systemd/system/tangd.socket.d/override.conf
+        block: |
+          [Socket]
+          ListenStream=
+          ListenStream={{ nbde_server_port }}
+        state: present
+        create: yes
+        mode: '0644'
+        marker: "# {mark} ANSIBLE MANAGED BLOCK NBDE"
+      register: __nbde_server_daemon_reload
+
+    # This tasks reload the daemons so the new changes take effect
+    - name: Reload the daemons so the new changes take effect
+      systemd:
+        daemon_reload: yes
+      when: __nbde_server_daemon_reload.changed
+
+# This task makes sure that we add the new port to firewalld
+- name: Ensure the desired port is added to firewalld
+  firewalld:
+    port: "{{ nbde_server_port }}/tcp"
+    zone: "{{ nbde_server_firewall_zone }}"
+    state: enabled
+    immediate: yes
+    permanent: yes
+