feat(firewall): use collection nofusscomputing.firewall to configure kubernetes firewall

!46

roles/nfc_kubernetes/tasks/install.yaml

@@ -21,28 +21,18 @@
     nfc_kubernetes_install_architectures: "{{ nfc_kubernetes_install_architectures | default({}) | combine({ansible_architecture: ''}) }}"
 
 
-- name: Firewall Rules
+- name: Configure Kubernetes Firewall Rules
   ansible.builtin.include_role:
-    name: nfc_firewall
+    name: nofusscomputing.firewall.nfc_firewall
   vars:
-    nfc_firewall_enabled_kubernetes: "{{ nfc_kubernetes.enable_firewall | default(false) | bool }}"
+    nfc_role_firewall_firewall_type: iptables
+    nfc_role_firewall_additional_rules: "{{ ( lookup('template', 'vars/firewall_rules.yaml') | from_yaml ).kubernetes_chains }}"
   tags:
-    - never
-    - install
+    - always
+  when: >
+    nfc_role_kubernetes_configure_firewall
 
 
-# fix, reload firewall `iptables-reloader`
-- name: Reload iptables
-  ansible.builtin.command:
-    cmd: bash -c /usr/bin/iptables-reloader
-  changed_when: false
-  tags:
-    - never
-    - install
-
-
-# kubernetes_installed
-
 - name: K3s Install
   ansible.builtin.include_tasks:
     file: k3s/install.yaml

roles/nfc_kubernetes/tasks/k3s/configure.yaml

@@ -14,7 +14,7 @@
 
 - name: Check if FW dir exists
   ansible.builtin.stat:
-    name: /etc/iptables.rules.d
+    name: /etc/iptables-reloader/rules.d
   register: firewall_rules_dir_metadata
 
 
@@ -37,10 +37,10 @@
         when: "{{ kubernetes_config.cluster.prime.name | default(inventory_hostname) == inventory_hostname }}"
 
       - src: iptables-kubernetes.rules.j2
-        dest: "/etc/iptables.rules.d/iptables-kubernetes.rules"
+        dest: "/etc/iptables-reloader/rules.d/iptables-kubernetes.rules"
         notify: firewall_reloader
         when: |-
-          {%- if nfc_kubernetes.enable_firewall -%}
+          {%- if firewall_installed -%}
 
             {{ firewall_rules_dir_metadata.stat.exists }}