From b685f16c914b9fa05bda7c69ce9e157d04262d09 Mon Sep 17 00:00:00 2001 From: Georg Pfuetzenreuter Date: Sun, 30 Apr 2023 16:07:21 +0200 Subject: Add manage_firewall conditional Allow us to enroll machines in Salt which do not yet have their firewall configuration imported without having their rules overwritten. Signed-off-by: Georg Pfuetzenreuter --- pillar/cluster/denc/web-proxy.sls | 1 + pillar/id/dericom02_rigel_lysergic_dev.sls | 1 + pillar/id/derimisc01_rigel_lysergic_dev.sls | 2 ++ pillar/id/deriweb01_rigel_lysergic_dev.sls | 1 + pillar/id/moni_lysergic_dev.sls | 2 ++ pillar/id/themis_lysergic_dev.sls | 1 + salt/common/suse.sls | 3 +++ 7 files changed, 11 insertions(+) diff --git a/pillar/cluster/denc/web-proxy.sls b/pillar/cluster/denc/web-proxy.sls index 61fd653..0bdeec7 100644 --- a/pillar/cluster/denc/web-proxy.sls +++ b/pillar/cluster/denc/web-proxy.sls @@ -212,6 +212,7 @@ nginx: - error_log: /var/log/nginx/libsso_public.error.log - access_log: /var/log/nginx/libsso_public.access.log combined +manage_firewall: True firewalld: zones: public: diff --git a/pillar/id/dericom02_rigel_lysergic_dev.sls b/pillar/id/dericom02_rigel_lysergic_dev.sls index 4cc5145..2462239 100644 --- a/pillar/id/dericom02_rigel_lysergic_dev.sls +++ b/pillar/id/dericom02_rigel_lysergic_dev.sls @@ -267,6 +267,7 @@ profile: host: 'chillnet\.matterbridge\.dericom02\.rigel\.lysergic\.dev' root: {{ mediapath }}chill +manage_firewall: True firewalld: zones: web: diff --git a/pillar/id/derimisc01_rigel_lysergic_dev.sls b/pillar/id/derimisc01_rigel_lysergic_dev.sls index 1c6928d..98c2919 100644 --- a/pillar/id/derimisc01_rigel_lysergic_dev.sls +++ b/pillar/id/derimisc01_rigel_lysergic_dev.sls @@ -12,3 +12,5 @@ tor: hostname: cr36xbvmgjwnfw4sly4kuc6c3ozhesjre3y5pggq5xdkkmbrq6dz4fad.onion hs_ed25519_public_key: PT0gZWQyNTUxOXYxLXB1YmxpYzogdHlwZTAgPT0AAAAUd+uGrDJs0tuSXjiqC8LbsnJJMSbx15jQ7calMDGHhw== hs_ed25519_secret_key: ${'secret_tor:hidden_services:irc:key'} + +manage_firewall: True 
diff --git a/pillar/id/deriweb01_rigel_lysergic_dev.sls b/pillar/id/deriweb01_rigel_lysergic_dev.sls index a0ed675..1be2ab9 100644 --- a/pillar/id/deriweb01_rigel_lysergic_dev.sls +++ b/pillar/id/deriweb01_rigel_lysergic_dev.sls @@ -441,3 +441,4 @@ nginx: - sub_filter_types: application/xml - sub_filter: takahe.rigel.lysergic.dev:8000 exhausted.life +manage_firewall: True diff --git a/pillar/id/moni_lysergic_dev.sls b/pillar/id/moni_lysergic_dev.sls index 2ebf296..60c3e5c 100644 --- a/pillar/id/moni_lysergic_dev.sls +++ b/pillar/id/moni_lysergic_dev.sls @@ -108,3 +108,5 @@ prometheus: require_tls: false smarthost: 'zz0.email:465' send_resolved: yes + +manage_firewall: True diff --git a/pillar/id/themis_lysergic_dev.sls b/pillar/id/themis_lysergic_dev.sls index 67a7757..52186a6 100644 --- a/pillar/id/themis_lysergic_dev.sls +++ b/pillar/id/themis_lysergic_dev.sls @@ -142,6 +142,7 @@ profile: pwd: ${'secret_privatebin:model_options:pwd'} opt[12]: true +manage_firewall: True firewalld: zones: backend: diff --git a/salt/common/suse.sls b/salt/common/suse.sls index 764517e..01c7333 100644 --- a/salt/common/suse.sls +++ b/salt/common/suse.sls @@ -1,5 +1,8 @@ include: + {#- drop pillar check after all firewall configurations have been imported #} + {%- if salt['pillar.get']('manage_firewall'), False %} - firewalld + {%- endif %} - profile.seccheck - profile.zypp - profile.prometheus.node_exporter -- cgit v1.2.3
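Review bot: The guard around the `firewalld` include in salt/common/suse.sls has its closing parenthesis in the wrong place: `salt['pillar.get']('manage_firewall'), False` leaves `False` outside the call, and Jinja appears to parse the `if` test as a two-element tuple, which is always truthy. If so, `firewalld` is still included on every minion, including hosts without the pillar key, which is the rule overwrite the commit message sets out to prevent. Moving the default into the call fixes it: `{%- if salt['pillar.get']('manage_firewall', False) %}`. It is worth rendering the state with `state.show_sls` on a minion that has no `manage_firewall` pillar to confirm the include is dropped; the include list may continue past the end of this hunk.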