Use ferm delete attribute for toggling HTTP3 firewall allow rule.

roots · Jul 29, 2024 · ce0bd88 · ce0bd88
1 parent c16da0a
commit ce0bd88
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 23 deletions.
diff --git a/group_vars/all/security.yml b/group_vars/all/security.yml
@@ -4,6 +4,15 @@ ferm_input_list:
   - type: dport_accept
     dport: [http]
     filename: nginx_accept
+  - type: dport_accept
+    dport: [https]
+    filename: nginx_accept_https
+    delete: "{{ not (sites_use_ssl | bool) }}"
+  - type: dport_accept
+    dport: ['443']
+    protocol: udp
+    filename: nginx_accept_http3
+    delete: "{{ not (nginx_http3_enabled and (sites_use_ssl | bool)) }}"
   - type: dport_accept
     dport: [ssh]
     saddr: "{{ ip_whitelist }}"

diff --git a/roles/ferm/tasks/main.yml b/roles/ferm/tasks/main.yml
@@ -35,29 +35,6 @@
   notify:
     - restart ferm
 
-
-- name: allow conditionally inbound HTTPS
-  set_fact:
-    ferm_input_list: "{{ ferm_input_list + [ ferm_dport_nginx_https] }}"
-  when: sites_using_ssl | count
-  vars:
-    ferm_dport_nginx_https:
-      type: dport_accept
-      dport: [https]
-      filename: nginx_accept_https
-
-- name: allow conditionally port UDP/443 for HTTP/3 (QUIC) support
-  set_fact:
-    ferm_input_list: "{{ ferm_input_list + [ ferm_dport_nginx_http3] }}"
-  when: nginx_http3_enabled and (sites_using_ssl | count)
-  vars:
-    ferm_dport_nginx_http3:
-      type: dport_accept
-      dport: ['443']
-      protocol: udp
-      filename: nginx_accept_http3
-
-
 - name: ensure iptables INPUT rules are removed
   file:
     path: "/etc/ferm/filter-input.d/{{ item.weight | default('50') }}_{{ (item.filename is defined and item.filename) | ternary(item.filename, item.type + '_' + item.dport[0]) }}.conf"