Add support for custom ports

README.md

@@ -11,11 +11,15 @@ Supported Distributions
 * RHEL-7+, CentOS-7+
 * Fedora
 
-Limitations
------------
+Requirements
+------------
 
-It is not currently possible to specify a custom port for the NBDE servers configured by this role.
+The role requires additional collections which are specified in `meta/collection-requirements.yml`.  These are not automatically installed.  You must install them like this:
 
+`ansible-galaxy install -vv -r meta/collection-requirements.yml`
+
+Limitations
+-----------
 
 Role Variables
 --------------
@@ -30,6 +34,9 @@ These are the variables that can be passed to the role:
 |`nbde_server_fetch_keys`| `no` | indicates whether we should fetch keys to the control node, in which case they will be placed in `nbde_server_keys_dir`. You **must** set `nbde_server_keys_dir` to use `nbde_server_fetch_keys`.
 |`nbde_server_deploy_keys`| `no` |indicates whether we should deploy the keys located in `nbde_server_keys_dir` directory to the remote hosts. You **must** set `nbde_server_keys_dir` to use `nbde_server_deploy_keys`.
 |`nbde_server_keys_dir`| | specifies a directory in the control node that contains keys to be deployed to the remote hosts. Keys located in the top level directory will be deployed to every remote host, while keys located within subdirectories named after the remote hosts  -- as per the inventory -- will be deployed only to these specific hosts. `nbde_server_keys_dir` **must** be an absolute path. You need to set this to use either `nbde_server_fetch_keys` and/or `nbde_server_deploy_keys`.
+|`nbde_server_port`|`80`| setup custom port which will be enabled in SELinux and firewalld.
+|`nbde_server_firewall_zone`|`public`| change the default zone where the port should be opened.
+
 
 
 #### nbde_server_fetch_keys and nbde_server_deploy_keys
@@ -108,6 +115,18 @@ To redeploy keys, they must be placed into subdirectories named after the host t
     - linux-system-roles.nbde_server
 ```
 
+#### Example 5: deploy NBDE server with custom port and zone
+```yaml
+---
+- hosts: all
+
+  vars:
+    nbde_server_port: 7500
+    nbde_server_firewall_zone: dmz
+  roles:
+    - linux-system-roles.nbde_server
+```
+
 License
 -------
 

defaults/main.yml

@@ -34,4 +34,14 @@ nbde_server_deploy_keys: no
 # to use either nbde_server_fetch_keys and/or nbde_server_deploy_keys.
 nbde_server_keys_dir: ""
 
+# nbde_server_port indicate the port that nbde_server's firewall should open.
+# The default port is 80. Tang uses the TCP protocol. Thus the specified port
+# will listen on the nbde_server_port/TCP
+nbde_server_port: 80
+
+# nbde_server_firewall_zone indicate the zone that nbde_server's firewall
+# should write into. The default zone is public. If that is not the case you
+# can change that here. Usually it should be left like that.
+nbde_server_firewall_zone: public
+
 # vim:set ts=2 sw=2 et:

meta/collection-requirements.yml

@@ -0,0 +1,3 @@
+---
+collections:
+  - name: fedora.linux_system_roles

tasks/main-tang.yml

@@ -26,6 +26,10 @@
   when: (nbde_server_fetch_keys | bool) or (nbde_server_deploy_keys | bool)
   include_tasks: tang-key-management.yml
 
+- name: Open port in firewalld
+  when: (nbde_server_port != 80) or (nbde_server_firewall_zone != "public")
+  include_tasks: tangd-custom-port.yml
+
 - name: Ensure required services are enabled and at the right state
   service:
     name: "{{ item }}"

tasks/tangd-custom-port.yml

@@ -0,0 +1,59 @@
+---
+# This task tells SELinux for the port that we want the tangd
+# service to use when distribution Fedora
+- name: Allow the custom port for tangd_port_t in SELinux
+  import_role:
+    name: fedora.linux_system_roles.selinux
+  vars:
+    selinux_ports:
+      - ports: "{{ nbde_server_port }}"
+        proto: tcp
+        setype: tangd_port_t
+        state: present
+
+# This block creates the override file for systemd with the new
+# port that we have requested
+- name: Create override file
+  block:
+    # This task checks if the directory /etc/systemd/system/tangd.socket.d
+    # exist and registers the value in systemd__system__tangd_socket
+    - name: Check if directory /etc/systemd/system/tangd.socket.d exist
+      stat:
+        path: /etc/systemd/system/tangd.socket.d
+      register: systemd_system_tangd_socket
+
+    # This tasks Create the /etc/systemd/system/tangd.socket.d directory if
+    # it does not exist
+    - name: Create a directory if it does not exist
+      file:
+        path: /etc/systemd/system/tangd.socket.d
+        state: directory
+        mode: '0755'
+      when: not systemd_system_tangd_socket.stat.exists
+
+    # This tasks creates the file with the port entry that we want tangd to
+    # listen to
+    - name: Creates the file with the port entry that we want tangd to listen to
+      template:
+        src: tangd_socket_override.conf.j2
+        dest: /etc/systemd/system/tangd.socket.d/override.conf
+        backup: true
+        mode: '0644'
+      register: __nbde_server_daemon_reload
+
+    # This tasks reload the daemons so the new changes take effect
+    - name: Reload the daemons so the new changes take effect
+      systemd:
+        daemon_reload: true
+      when: __nbde_server_daemon_reload is changed
+
+- name: Ensure the desired port is added to firewalld
+  import_role:
+    name: fedora.linux_system_roles.firewall
+  vars:
+    firewall:
+      - port: "{{ nbde_server_port }}/tcp"
+        zone: "{{ nbde_server_firewall_zone }}"
+        state: enabled
+        immediate: true
+        permanent: true

templates/tangd_socket_override.conf.j2

@@ -0,0 +1,4 @@
+{{ ansible_managed | comment }}
+[Socket]
+ListenStream=
+ListenStream={{ nbde_server_port }}

tests/templates

@@ -0,0 +1 @@
+../../../templates

tests/tests_tangd_custom_port.yml

@@ -0,0 +1,45 @@
+---
+- name: Test tangd_custom_port
+  hosts: all
+  vars:
+    nbde_server_port: 7500
+    nbde_server_firewall_zone: public
+  tasks:
+    - name: install with custom port and firewall zone
+      import_role:
+        name: linux-system-roles.nbde_server
+
+    - name: check if port is open
+      shell:
+        cmd: |-
+          set -euo pipefail
+          ss -tulpn | grep {{ nbde_server_port }} | awk -F' ' '{print $5}'
+      register: __open_ports_output
+      failed_when: not __open_ports_output.stdout is
+        search(':' ~ (nbde_server_port | string) ~ '$')
+
+    - name: check if port TCP is open
+      shell:
+        cmd: |-
+          set -euo pipefail
+          ss -tulpn | grep {{ nbde_server_port }} | awk -F' ' '{print $1}'
+      register: __open_ports_output
+      failed_when: __open_ports_output.stdout != "tcp"
+
+    - name: check if port is opened in firewall
+      command: >-
+        firewall-cmd --zone {{ nbde_server_firewall_zone }} --query-port
+        {{ nbde_server_port }}/tcp
+      register: __firewall_output
+
+    - name: check if firewall zone is set
+      shell:
+        cmd: |-
+          set -euo pipefail
+          firewall-cmd --list-all | grep {{ nbde_server_firewall_zone }} | \
+            awk -F' ' '{print $1}'
+      register: __firewall_output_zone
+      failed_when: >-
+        __firewall_output_zone.stdout != "{{ nbde_server_firewall_zone }}"
+
+# vim:set ts=2 sw=2 et: