author | Johannes Stoelp <johannes.stoelp@gmail.com> | 2023-01-03 14:35:21 +0100 |
---|---|---|
committer | Johannes Stoelp <johannes.stoelp@gmail.com> | 2023-01-03 14:35:21 +0100 |
commit | fc5551b90f4317ccdf2d8c6b6a331647d676e138 (patch) | |
tree | f7e7ca66df93062658580c8b2e1e243175c9d7e1 /roles/git | |
parent | 80636776f6e811f4f1f5e4fe552661cd00ef23ca (diff) | |
firewall: move from iptables to firewalld (nftables)
Diffstat (limited to 'roles/git')
-rwxr-xr-x | roles/git/files/runner-zola/webhook.sh | 21 | ||||
-rw-r--r-- | roles/git/tasks/main.yml | 14 |
2 files changed, 24 insertions, 11 deletions
diff --git a/roles/git/files/runner-zola/webhook.sh b/roles/git/files/runner-zola/webhook.sh
index 1c10685..b874233 100755
--- a/roles/git/files/runner-zola/webhook.sh
+++ b/roles/git/files/runner-zola/webhook.sh
@@ -18,9 +18,24 @@ while true; do
 REF=${REF:-main}
 if [ ! -d blog ]; then
- # Use non-redirected port as redirection is handled via PREROUTING
- # iptables rules and if this hook runs on the same machine the request
- # packages will not go through the routing chain.
+ # Use non-redirected port to clone repository as the runner executes on
+ # the same machine as the webserver.
+ #
+ # We use a NAT:PREROUTING chain to implement the redirection (dnat).
+ # However as described by the netfilter packet flow and the connection
+ # tracking system (CONNTRACK), the NAT hooks are only traversed for NEW
+ # connections.
+ # For packages originating from the local machine, the connection will
+ # be seen as NEW by the CONNTRACK system on the OUTPUT path and hence
+ # the NAT:OUTPUT hooks will be traversed.
+ # Once the package is looped-back and arrives at the PREROUTING path,
+ # the NAT:PREROUTING rules wont be traversed as the package is already
+ # known to the CONNTRACK system (not NEW).
+ #
+ # We could additionally implement dnat for lo interface on the OUTPUT
+ # path as described here, but we dont do it and just use the actual
+ # port here :^)
+ # https://unix.stackexchange.com/questions/618229/nftables-destination-nat-block-local-access-to-port
 git clone https://git.memzero.de:8443/blog
 fi
 git -C blog submodule init
diff --git a/roles/git/tasks/main.yml b/roles/git/tasks/main.yml
index 131b971..2c69953 100644
--- a/roles/git/tasks/main.yml
+++ b/roles/git/tasks/main.yml
@@ -23,7 +23,7 @@
 image: gitolite-cgit
 network: "{{ NETWORK }}"
 ports:
- - "2222:22"
+ - "8022:22"
 env:
 SSH_KEY: "{{ lookup('file', lookup('env', 'HOME') + '/.ssh/memzero.pub') }}"
 volumes: 
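Review bot: The new comment block says "packages" where it means network packets ("For packages originating from the local machine", "Once the package is looped-back", "as the package is already known"), while the same paragraph cites the "netfilter packet flow"; the line should read `# For packets originating from the local machine, the connection will` and the two matching lines "packet" so the term is used consistently. The explanation otherwise documents why the clone deliberately bypasses the NAT redirect, which is the right thing to record next to the hard-coded port. The enclosing `while true` loop starts before this hunk and continues past it.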
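Review bot: The host port in `- "8022:22"` must stay in step with `port: 8022/tcp` in the firewalld task in the second hunk of this file, and nothing ties the two values together; a single role variable used in both places, e.g. `- "{{ gitolite_ssh_port }}:22"` and `port: "{{ gitolite_ssh_port }}/tcp"`, keeps the published port and the firewall rule from drifting apart on the next change. Keeping the mapping quoted is right, since an unquoted `8022:22` is read as a sexagesimal integer by YAML 1.1 parsers. The container task this line belongs to starts before the hunk.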
@@ -33,13 +33,11 @@
 notify: Restart nginx
 - name: Open port for gitolite ssh port
- ansible.builtin.iptables:
- chain: INPUT
- protocol: tcp
- match: tcp
- destination_port: 2222
- jump: ACCEPT
- comment: Accept gitolite SSH connections.
+ ansible.posix.firewalld:
+ port: 8022/tcp
+ permanent: yes
+ immediate: yes
+ state: enabled
 become: true
 - name: Build zola runner image |
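Review bot: `permanent: yes` and `immediate: yes` use YAML 1.1 truthy words while the same task already writes `become: true`; `permanent: true` and `immediate: true` keep the file consistent and satisfy yamllint's `truthy` rule. The replacement rule also names no `zone:`, so 8022/tcp is opened in whatever firewalld's default zone happens to be on the host; stating the zone explicitly (e.g. `zone: public`, if that is the zone the external interface is bound to) makes the exposure reviewable rather than implicit. The rationale that lived in the removed `comment: Accept gitolite SSH connections.` is now carried only by the task name, which is fine as long as that name stays descriptive. `immediate: yes` presumably needs the firewalld service running when this task executes; whether an earlier task ensures that is outside this hunk.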