From 1d2e0097ba2e059a8fb0f35d2bb0ae21f15af905 Mon Sep 17 00:00:00 2001
From: 12ww1160 <12ww1160@confdroid.com>
Date: Sun, 5 Apr 2026 15:16:48 +0200
Subject: [PATCH] OP#561 add firewall
---
 Jenkinsfile | 24 ++++++++++++++++++++++++
 README.md | 5 +++++
 manifests/firewall/iptables.pp | 17 +++++++++++++++++
 manifests/main/install.pp | 2 +-
 manifests/main/service.pp | 3 +++
 manifests/params.pp | 14 +++++++++++---
 6 files changed, 61 insertions(+), 4 deletions(-)
 create mode 100644 manifests/firewall/iptables.pp
diff --git a/Jenkinsfile b/Jenkinsfile
index b3cb9f6..ff0a9cd 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -101,5 +101,29 @@ pipeline {
 }
 }
 }
+ stage('Mirror to Gitea') {
+ steps {
+ withCredentials([usernamePassword(
+ credentialsId: 'Jenkins-gitea',
+ usernameVariable: 'GITEA_USER',
+ passwordVariable: 'GITEA_TOKEN')]) {
+ script {
+ // Checkout from GitLab (already done implicitly)
+ sh '''
+ git checkout master
+ git pull origin master
+ git branch -D development
+ git branch -D jenkins-build-$BUILD_NUMBER
+ git rm -f Jenkinsfile
+ git rm -r --cached .vscode || echo "No .vscode to remove from git"
+ git commit --amend --no-edit --allow-empty
+ git remote add master https://sourcecode.confdroid.com/confdroid/confdroid_ssh.git
+ git -c credential.helper="!f() { echo username=${GITEA_USER}; echo password=${GITEA_TOKEN}; }; f" \
+ push master --mirror
+ '''
+ }
+ }
+ }
+ }
 }
 }
\ No newline at end of file
diff --git a/README.md b/README.md
index f647666..f89e32b 100644
--- a/README.md
+++ b/README.md
@@ -23,6 +23,11 @@
 
 ## Features
 
+- install required binaries
+- manage configuration based on parameters
+- manage service
+- (optional) manage firewall
+
 ## Support
 
 - Rocky 9
diff --git a/manifests/firewall/iptables.pp b/manifests/firewall/iptables.pp
new file mode 100644
index 0000000..83571b5
--- /dev/null
+++ b/manifests/firewall/iptables.pp
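Review bot: The line `git -c credential.helper="!f() { echo username=${GITEA_USER}; echo password=${GITEA_TOKEN}; }; f" \` lets the outer shell expand the token into git's argument list before git runs, so it appears in the process list for the duration of the push and, because the `sh` step traces with `-x` unless the script starts with `set +x`, in the build log as well, where Jenkins' credential masking hides it only as a best-effort. Single-quoting the helper keeps the secret out of the argument list, since git runs the helper through a shell that inherits the environment and expands the variables there: `git -c credential.helper='!f() { echo "username=$GITEA_USER"; echo "password=$GITEA_TOKEN"; }; f' \`. Separately, under the step's default `-e` the `git branch -D development` and `git branch -D jenkins-build-$BUILD_NUMBER` lines abort the whole script when either branch is absent locally, and `push master --mirror` force-pushes every local ref, including the amended `master` commit and the branch deletions, which the `// Checkout from GitLab (already done implicitly)` comment should say. The enclosing `stages` and `pipeline` blocks close outside the hunk.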
@@ -0,0 +1,17 @@
+## confdroid_ssh::firewall::iptables.pp
+# Module name: confdroid_ssh
+# Author: 12ww1160 (12ww1160@confdroid.com)
+# @summary Class manages firewall rules for SSH
+##############################################################################
+class confdroid_ssh::firewall::iptables (
+
+) inherits confdroid_ssh::params {
+ if $ssh_use_firewall {
+ firewall { "${ssh_fw_order}${ssh_fw_port} allow SSH on port ${ssh_fw_port}":
+ ensure => 'present',
+ jump => 'accept',
+ proto => 'tcp',
+ dport => $ssh_fw_port,
+ }
+ }
+}
diff --git a/manifests/main/install.pp b/manifests/main/install.pp
index b2ca70d..b17e11f 100644
--- a/manifests/main/install.pp
+++ b/manifests/main/install.pp
@@ -5,7 +5,7 @@
 ##############################################################################
 class confdroid_ssh::main::install (
 ) inherits confdroid_ssh::params {
- package { $reqpackages:
+ package { $ssh_reqpackages:
 ensure => $pkg_ensure,
 }
 }
diff --git a/manifests/main/service.pp b/manifests/main/service.pp
index 639fdca..50c048f 100644
--- a/manifests/main/service.pp
+++ b/manifests/main/service.pp
@@ -6,6 +6,9 @@
 class confdroid_ssh::main::service (
 ) inherits confdroid_ssh::params {
 require confdroid_ssh::main::files
+ if $ssh_use_firewall {
+ require confdroid_ssh::firewall::iptables
+ }
 
 service { $sshd_service:
 ensure => running,
diff --git a/manifests/params.pp b/manifests/params.pp
index 520f6cb..2eb098a 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
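Review bot: The resource title `"${ssh_fw_order}${ssh_fw_port} allow SSH on port ${ssh_fw_port}"` glues the order and the port into one number, so with the defaults it reads `5022 allow SSH on port 22`, and since the firewall type orders rules by the leading digits of the title the rule lands at position 5022 rather than the intended 50; `"${ssh_fw_order} allow SSH on port ${ssh_fw_port}"` keeps the order at `$ssh_fw_order`. Because the port is part of the title, changing `$ssh_fw_port` produces a new resource and the rule for the old port stays on the host unless firewall resources are purged elsewhere, which deserves a comment such as `# NOTE: changing ssh_fw_port adds a new rule; the old port's rule is not removed here`. The `if $ssh_use_firewall` guard repeats the one that gates the `require` in confdroid_ssh::main::service, so one of the two could go.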
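Review bot: The new `if $ssh_use_firewall { require confdroid_ssh::firewall::iptables }` guards a class that already does nothing when the flag is false, so an unconditional `require confdroid_ssh::firewall::iptables` would keep the decision in one place, or the guard inside the firewall class could be dropped in favour of this one. Either way the ordering intent is worth a comment on the `require`, e.g. `# accept rule must be in place before sshd is started`. The class body continues outside the hunk.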
@@ -2,13 +2,21 @@
 # Module name: confdroid_ssh
 # Author: 12ww1160 (12ww1160@confdroid.com)
 # @summary Class contains all class parameters for confdroid_ssh
-# @param [Array] reqpackages packages to install
+# @param [Array] ssh_reqpackages packages to install
 # @param [String] pkg_ensure version to install: 'present' or 'latest'
+# @param [Boolean] ssh_use_firewall whether to manage firewall settings
+# @param [String] ssh_fw_port port to use for SSHD and in fw
+# @param [String] ssh_fw_order order of firewall rule
 
 ##############################################################################
 class confdroid_ssh::params (
- Array $reqpackages = ['openssh','openssh-clients','openssh-server'],
- String $pkg_ensure = 'present',
+ Array $ssh_reqpackages = ['openssh','openssh-clients','openssh-server'],
+ String $pkg_ensure = 'present',
+
+ # firewall settings
+ Boolean $ssh_use_firewall = true,
+ String $ssh_fw_port = '22',
+ String $ssh_fw_order = '50',
 ) {
 
 # default facts
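Review bot: Renaming `$reqpackages` to `$ssh_reqpackages` changes the lookup key from `confdroid_ssh::params::reqpackages` to `confdroid_ssh::params::ssh_reqpackages`, so any Hiera data or declaration that set the old name now silently falls back to the default list; the README hunk in this patch does not mention the rename, and a changelog line or deprecation note would help. The doc line `# @param [String] ssh_fw_port port to use for SSHD and in fw` overstates what this patch wires up: only the firewall rule in confdroid_ssh::firewall::iptables reads it and nothing here sets the sshd listen port, so if sshd_config is managed from another value the opened port and the listening port can diverge; `# @param [String] ssh_fw_port TCP port opened in the firewall; must match the port sshd listens on` would be accurate. With `ssh_use_firewall` defaulting to `true`, every node applying this module now needs the `firewall` type available, which the module's dependency metadata should declare (not visible in this patch). The class body continues outside the hunk.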