From 14a46715c76f0c3625191e936641b5f351e2a2cc Mon Sep 17 00:00:00 2001
From: NaeiKinDus
Date: Thu, 11 Jul 2024 00:00:00 +0000
Subject: [PATCH] feat(security): allow all registered provisioners to connect without limitations instead of the one running playbooks only

---
 .../roles/security/tasks/firewall.yml        | 14 +---------
 .../templates/system/debian/nftables.conf.j2 |  7 ++---
 .../system/nftables/02-mangle.table.j2       | 26 ++++++-------------
 .../system/nftables/03-filter.table.j2       | 18 +++----------
 4 files changed, 17 insertions(+), 48 deletions(-)

diff --git a/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/firewall.yml b/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/firewall.yml
index 203edbb..5cec9a0 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/firewall.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/firewall.yml
@@ -5,18 +5,6 @@
     - distribution
     - virtualization_type
-- name: get supervisor IP address
-  ansible.builtin.shell: "echo $SSH_CLIENT | tr -s '[:blank:]' ' ' | cut -d ' ' -f 1"
-  register: ssh_client
-  when: ansible_connection is not match("local")
-  changed_when: false
-  failed_when: ssh_client.stdout is falsy
-
-- name: set fact
-  ansible.builtin.set_fact:
-    security_firewall_supervisor_ip: "{{ ssh_client.get('stdout', None) }}"
-  changed_when: false
-
 - name: install and configure nftables
   when: security_firewall_enabled is truthy
   become: true
@@ -42,9 +30,9 @@
 - name: set firewall templates facts
   ansible.builtin.set_fact:
+    security_firewall_supervisors_ip4: '{{ provisioner_facts.controllers_list.values() }}'
     security_firewall_dns4_servers: "{{ hostvars[inventory_hostname]['global_dns_{}_dns4'.format(global_dns_type)] | default(ansible_facts.dns.nameservers | ansible.utils.ipv4, true) }}"
     security_firewall_dns6_servers: "{{ hostvars[inventory_hostname]['global_dns_{}_dns6'.format(global_dns_type)] | default(ansible_facts.dns.nameservers | ansible.utils.ipv6, true) }}"
-    security_firewall_supervisor_has_ip6: "{{ true if security_firewall_supervisor_ip is defined and security_firewall_supervisor_ip and security_firewall_supervisor_ip | ansible.utils.ipv6 else false }}"
 - name: base config file
   ansible.builtin.template:
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/nftables.conf.j2 b/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/nftables.conf.j2
index e667450..6d40be6 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/nftables.conf.j2
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/nftables.conf.j2
@@ -2,9 +2,10 @@ flush ruleset
-{% if security_firewall_supervisor_ip -%}
-define ansible_controller_ip = {{ security_firewall_supervisor_ip }}
-{% endif -%}
+define ansible_controllers_ip4 = {
+  {{ security_firewall_supervisors_ip4 | join(", ") | wordwrap(40, wrapstring="\n  ") }}
+}
+define ansible_controllers_ip6 = { }
 {% if security_firewall_dns4_servers -%}
 define dns_servers = {
   {{ security_firewall_dns4_servers | join(", ") | wordwrap(40, wrapstring="\n\t") }}
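Review bot: The new `security_firewall_supervisors_ip4` fact takes every value of `provisioner_facts.controllers_list` without filtering, so a controller registered with an IPv6 address ends up inside the v4 set and nft rejects the rendered `ip saddr { ... }`; the two dns facts right below already split with `ansible.utils.ipv4` / `ansible.utils.ipv6`, and doing the same here would also feed the v6 define that nftables.conf.j2 now hard-codes empty: `security_firewall_supervisors_ip4: "{{ provisioner_facts.controllers_list.values() | list | ansible.utils.ipv4 }}"` and `security_firewall_supervisors_ip6: "{{ provisioner_facts.controllers_list.values() | list | ansible.utils.ipv6 }}"` (the `| list` is there because `.values()` yields a dict view, which the ipaddr filters are likely to treat as a single scalar — verify). With the `SSH_CLIENT` lookup removed in the first hunk, nothing any longer checks that the controller running this play is in that list, so a run from an unregistered host locks itself out the moment the ruleset loads; an `ansible.builtin.assert` on membership before the template tasks, and a `default([])` guard for a missing `provisioner_facts`, would make that a play failure instead of a lost host. The added line is single-quoted while its neighbours are double-quoted; match the file.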
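Review bot: `define ansible_controllers_ip6 = { }` renders a set with no elements, and the mangle and filter hunks reference it unconditionally from `ip6 saddr $ansible_controllers_ip6 ...`; nft versions that do not accept an empty set in a rule will then refuse the whole file, and where it is accepted the ip6 rules are dead weight — the removed `{% if security_firewall_supervisor_ip %}` guard used to prevent exactly this, and an empty `security_firewall_supervisors_ip4` now breaks the v4 define the same way. Either populate the v6 define from a dedicated fact or wrap each define and its rules in `{% if security_firewall_supervisors_ip4 %}` / `{% if security_firewall_supervisors_ip6 %}`, as the `dns_servers` define below still is. Minor: the new define wraps with `wrapstring="\n  "` while `dns_servers` uses `"\n\t"`; pick one so the rendered file indents consistently.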
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/02-mangle.table.j2 b/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/02-mangle.table.j2
index aff9a34..1fdae0f 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/02-mangle.table.j2
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/02-mangle.table.j2
@@ -22,15 +22,10 @@ table inet mangle {
     tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|psh|urg counter drop
     tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|ack|urg counter drop
-    {% if security_firewall_supervisor_ip -%}
-    {% if security_firewall_supervisor_has_ip6 -%}
-    ip6 saddr $ansible_controller_ip tcp dport $ssh_localport accept
-    ip6 daddr $ansible_controller_ip tcp sport $ssh_localport accept
-    {% else -%}
-    ip saddr $ansible_controller_ip tcp dport $ssh_localport accept
-    ip daddr $ansible_controller_ip tcp sport $ssh_localport accept
-    {%- endif +%}
-    {% endif -%}
+    ip6 saddr $ansible_controllers_ip6 tcp dport $ssh_localport accept
+    ip6 daddr $ansible_controllers_ip6 tcp sport $ssh_localport accept
+    ip saddr $ansible_controllers_ip4 tcp dport $ssh_localport accept
+    ip daddr $ansible_controllers_ip4 tcp sport $ssh_localport accept
     {% if security_firewall_mangle_drop_privatenets -%}
     ip saddr $private_nets counter drop
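Review bot: The four accept rules added here carry no comment, and the same stanza is repeated verbatim in the postrouting hunk and halved in both filter chains, so a reader of the rendered ruleset cannot tell what the exception grants or where the sets come from. A one-line comment above the block in each chain, e.g. `# unrestricted SSH for registered provisioners; sets come from nftables.conf`, would document the intent, and since the lines only differ in the v4/v6 set name, a small Jinja macro shared by the four sites would keep them from drifting apart. Note that in this prerouting chain the accept now precedes the `security_firewall_mangle_drop_privatenets` drop for every listed controller, which is the old behaviour widened to the whole list — worth stating in the commit message or a comment.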
@@ -50,14 +45,9 @@ table inet mangle {
   chain postrouting {
     type filter hook postrouting priority -150; policy {{ security_firewall_mangle_policy_postrouting }};
-    {% if security_firewall_supervisor_ip -%}
-    {% if security_firewall_supervisor_has_ip6 -%}
-    ip6 saddr $ansible_controller_ip tcp dport $ssh_localport accept
-    ip6 daddr $ansible_controller_ip tcp sport $ssh_localport accept
-    {%- else -%}
-    ip saddr $ansible_controller_ip tcp dport $ssh_localport accept
-    ip daddr $ansible_controller_ip tcp sport $ssh_localport accept
-    {%- endif +%}
-    {% endif -%}
+    ip6 saddr $ansible_controllers_ip6 tcp dport $ssh_localport accept
+    ip6 daddr $ansible_controllers_ip6 tcp sport $ssh_localport accept
+    ip saddr $ansible_controllers_ip4 tcp dport $ssh_localport accept
+    ip daddr $ansible_controllers_ip4 tcp sport $ssh_localport accept
   }
 }
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/03-filter.table.j2 b/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/03-filter.table.j2
index fdac971..6942bb3 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/03-filter.table.j2
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/03-filter.table.j2
@@ -3,13 +3,8 @@ table inet filter {
   chain input {
     type filter hook input priority 0; policy {{ security_firewall_filter_policy_input }};
-    {% if security_firewall_supervisor_ip -%}
-    {% if security_firewall_supervisor_has_ip6 -%}
-    ip6 saddr $ansible_controller_ip tcp dport $ssh_localport accept
-    {%- else -%}
-    ip saddr $ansible_controller_ip tcp dport $ssh_localport accept
-    {%- endif +%}
-    {% endif -%}
+    ip6 saddr $ansible_controllers_ip6 tcp dport $ssh_localport accept
+    ip saddr $ansible_controllers_ip4 tcp dport $ssh_localport accept
     iifname "lo" counter accept
     ct state related,established counter accept
@@ -18,13 +13,8 @@ table inet filter {
   chain output {
     type filter hook output priority 0; policy {{ security_firewall_filter_policy_output }};
-    {% if security_firewall_supervisor_ip -%}
-    {% if security_firewall_supervisor_has_ip6 -%}
-    ip6 daddr $ansible_controller_ip tcp sport $ssh_localport accept
-    {%- else -%}
-    ip daddr $ansible_controller_ip tcp sport $ssh_localport accept
-    {%- endif +%}
-    {% endif -%}
+    ip6 daddr $ansible_controllers_ip6 tcp sport $ssh_localport accept
+    ip daddr $ansible_controllers_ip4 tcp sport $ssh_localport accept
     oifname "lo" counter accept
     ct state related,established counter accept