From 9373db5a1585ab90483a2e0dd6dc3c44de88df36 Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Wed, 7 Feb 2024 02:44:04 +0100
Subject: [PATCH] feat(zones): add purging option

This introduces a "purge_zones" toggle which, if enabled, ensures zones not managed using the firewalld pillar get deleted. Useful to enforce that only Salt managed zones exist and to clean up pre-Salt data.

Signed-off-by: Georg Pfuetzenreuter
---
 firewalld/zones.sls | 13 +++++++++++++
 pillar.example | 3 +++
 2 files changed, 16 insertions(+)

diff --git a/firewalld/zones.sls b/firewalld/zones.sls
index 220cc96..ed82429 100644
--- a/firewalld/zones.sls
+++ b/firewalld/zones.sls
@@ -44,3 +44,16 @@ directory_firewalld_zones:
 zone: {{ v|json }}
 {% endfor %}
 
+
+{%- if firewalld.get('purge_zones', False) %}
+{%- for file in salt['file.find']('/etc/firewalld/zones', name='*.xml', print='name', type='f') %}
+
+{%- if file.replace('.xml', '') not in firewalld.get('zones', {}).keys() %}
+/etc/firewalld/zones/{{ file }}:
+ file.absent:
+ - watch_in:
+ - cmd: reload_firewalld
+{%- endif %}
+
+{%- endfor %}
+{%- endif %}
diff --git a/pillar.example b/pillar.example
index 87d4690..1b973ba 100644
--- a/pillar.example
+++ b/pillar.example
@@ -99,6 +99,9 @@ firewalld:
 entries:
 - 2a01::1
 
+ # Delete zones not defined under "zones"
+ purge_zones: False
+
 zones:
 public:
 short: Public
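Review bot: The purge in zones.sls removes every `/etc/firewalld/zones/*.xml` whose basename is not a key of the `zones` pillar, and that set includes locally edited overrides of firewalld's built-in zones (the shipped defaults live under /usr/lib/firewalld/zones; a same-named file in /etc/firewalld/zones is how a host customises e.g. `public`) as well as any custom zone that interfaces or sources are currently bound to, so after `reload_firewalld` those interfaces presumably land in the default zone and the effective rule set for their traffic changes. The membership test also has two soft spots: `file.replace('.xml', '')` strips every occurrence of `.xml` rather than only the suffix, and `firewalld.get('zones', {})` yields `None` when the pillar contains `zones:` with no value, so `.keys()` fails at render time; `{%- if file[:-4] not in (firewalld.get('zones') or {}) %}` covers both. The `for` loop preceding the hunk and the `reload_firewalld` state the `watch_in` refers to are outside the hunk, so I cannot confirm the managed file names are exactly `<zone key>.xml`, which this comparison assumes. I would put a comment above the `{%- if firewalld.get('purge_zones', False) %}` line, e.g. `{#- purge_zones deletes every zone file under /etc/firewalld/zones that is not a key in pillar firewalld:zones, including local overrides of built-in zones; run with test=True first on an existing host #}`, and say the same in the pillar.example comment, which currently only reads "Delete zones not defined under "zones"".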