feat(zones): add purging option

This introduces a "purge_zones" toggle which, if enabled, ensures zones not managed using the firewalld pillar get deleted. Useful to enforce that only Salt managed zones exist and to clean up pre-Salt data. Signed-off-by: Georg Pfuetzenreuter <[email protected]>
saltstack-formulas · Feb 7, 2024 · 9373db5 · 9373db5
1 parent cc7d05a
commit 9373db5
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/firewalld/zones.sls b/firewalld/zones.sls
@@ -44,3 +44,16 @@ directory_firewalld_zones:
         zone: {{ v|json }}
 
 {% endfor %}
+
+{%- if firewalld.get('purge_zones', False) %}
+{%- for file in salt['file.find']('/etc/firewalld/zones', name='*.xml', print='name', type='f') %}
+
+{%- if file.replace('.xml', '') not in firewalld.get('zones', {}).keys() %}
+/etc/firewalld/zones/{{ file }}:
+  file.absent:
+    - watch_in:
+      - cmd: reload_firewalld
+{%- endif %}
+
+{%- endfor %}
+{%- endif %}
diff --git a/pillar.example b/pillar.example
@@ -99,6 +99,9 @@ firewalld:
       entries:
         - 2a01::1
 
+  # Delete zones not defined under "zones"
+  purge_zones: False
+
   zones:
     public:
       short: Public