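---
# Example group_vars for the firewalld role. It demonstrates:
# - the behaviour of the role
# - how to add overlay/merged custom configuration items to group_vars
#
# The source page labels this file inventory/group_vars/firewalld.xml.
# NOTE(review): Ansible's group_vars loader only reads .yml/.yaml/.json (or
# extension-less) files; a file named firewalld.xml would be silently skipped
# and none of these rules would be applied. Name it firewalld.yml.

firewalld:
  enable: true

# Create a new ruleset (service).
# - each xcat_networks entry with a matching entry in inventory/networks.yml
#   gets an ipset generated automatically
# - each xcat_networks entry assigns the service to a zone of that name; the
#   zone accepts ingress only from the corresponding ipset
# - xcat_groups assigns the ruleset to the hosts in those inventory groups
#
# This ruleset allows inbound FTP from the cluster and infiniband zones on
# hosts in the groups all/compute/slurm/ansible.
# NOTE(review): FTP is a cleartext protocol, and port 21 is only the control
# channel -- passive-mode data connections additionally need the ftp conntrack
# helper or an explicitly opened passive port range, neither of which is
# configured here. Prefer SFTP/FTPS where the cluster allows it.
firewalld_services:
  - name: ftp
    short: "FTP"
    description: "FTP service"
    port:
      - port: 21
        protocol: tcp
    xcat_groups:
      - compute
      - all
      - slurm
      - ansible
    xcat_networks:
      - cluster
      - infiniband

  # Create a new ruleset with a custom zone.
  # - the xcat_networks entry "zabbix" is not present in inventory/networks.yml,
  #   so a new zone named zabbix is created
  # - that zone needs an ipset named zabbix (see firewalld_ipsets below) to
  #   supply its ingress source
  # NOTE(review): 10050 is the Zabbix agent listen port; 10051 is the
  # server/proxy trapper port. With xcat_groups "all", every host opens both --
  # if only agents run on these hosts, drop 10051 to keep exposure minimal.
  - name: zabbix
    short: "Zabbix"
    description: "Zabbix Ports"
    port:
      - port: 10050
        protocol: tcp
      - port: 10051
        protocol: tcp
    xcat_groups:
      - all
    xcat_networks:
      - zabbix

# Create a new ipset.
# - this ipset feeds the auto-generated zabbix zone required by the zabbix
#   service (ruleset) above; only these addresses may reach 10050/10051
# NOTE(review): 'hash:ip' stores individual host addresses, so a CIDR entry is
# expanded into one entry per host. For whole subnets such as the commented-out
# examples, use type 'hash:net' instead. Also, 10.0.10.0/16 is not
# prefix-aligned (a /16 there covers 10.0.0.0-10.0.255.255); write the intended
# range explicitly before uncommenting it.
firewalld_ipsets:
  zabbix:
    short: "zabbix"
    description: "zabbix ipset"
    type: 'hash:ip'
    targets:
      - 172.22.1.220/32
      # - 172.22.1.0/24
      # - 10.0.10.0/16

# Create a new zone.
# - this zone carries an embedded ruleset: target ACCEPT allows ANY inbound
#   traffic from the listed sources, so no ipset and no service entries are
#   required
# NOTE(review): target ACCEPT bypasses port filtering entirely for the source
# host(s); keep the source list to exact /32 hosts and consider listing the
# required services instead of a blanket ACCEPT. 172.22.1.220 also appears in
# the zabbix ipset above -- which zone wins for that host follows firewalld's
# source-rule ordering, so make sure the overlap is deliberate.
firewalld_zones:
  - name: mgt
    short: "MGT"
    description: "management host"
    target: "ACCEPT"
    source:
      - address: 172.22.1.220/32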