Configure firewall for NFS server on CentOS 7.9

.gitignore

@@ -9,6 +9,7 @@
 /config*/
 !/config.example/
 /roles/galaxy/
+/collections/*
 /k8s-config/
 /kubectl
 /tridentctl

ansible.cfg

@@ -1,4 +1,5 @@
 [defaults]
+collections_paths = ./collections
 roles_path = ./roles/galaxy:./roles:./submodules/kubespray/roles
 library = ./submodules/kubespray/library
 inventory = ./config/inventory

roles/nfs/handlers/main.yml

@@ -1,11 +1,10 @@
 ---
-- name: restart nfs
-  service: name=nfs-kernel-server state=restarted
-  when: ansible_os_family == "Debian"
+- name: restart rpcbind
+  service:
+    name: rpcbind
+    state: restarted
 
 - name: restart nfs
-  service: name=nfs-server state=restarted
-  when: ansible_os_family == "RedHat"
-
-- name: restart rpcbind
-  service: name=rpcbind state=restarted
+  service:
+    name: "{{ nfs_server_daemon }}"
+    state: restarted

roles/nfs/tasks/firewall.yml

@@ -0,0 +1,17 @@
+---
+- name: configure firewall to allow NFS server
+  ansible.posix.firewalld:
+    service: "{{ item }}"
+    permanent: yes
+    state: enabled
+    immediate: yes
+  with_items:
+    - mountd
+    - rpc-bind
+    - nfs
+  tags:
+    - nfs
+  notify:
+  - restart rpcbind
+  - restart nfs
+  when: ansible_os_family == "RedHat"

roles/nfs/tasks/main.yml

@@ -1,4 +1,17 @@
 ---
+- name: gather os specific variables
+  include_vars: "{{ item }}"
+  with_first_found:
+    - files:
+      - "{{ ansible_distribution|lower }}.yml"
+      - "{{ ansible_os_family|lower }}.yml"
+      paths:
+      - ../vars
+      skip: true
+  tags:
+    - vars
+    - nfs
+
 - name: install ubuntu packages
   apt:
     name: nfs-common
@@ -29,6 +42,8 @@
 - include: server.yml
   when: nfs_is_server
 
+- include: firewall.yml
+  when: nfs_is_server
+
 - include: client.yml
   when: nfs_is_client
-

roles/nfs/tasks/server.yml

@@ -37,26 +37,11 @@
   tags:
     - nfs
 
-- name: restart when exports change
-  service: name=nfs-kernel-server state=restarted
-  when: nfs_exports_copy.changed and ansible_os_family == "Debian"
-  tags:
-    - nfs
-
-- name: restart when exports change
-  service: name=nfs-server state=restarted
-  when: nfs_exports_copy.changed and ansible_os_family == "RedHat"
-  tags:
-    - nfs
-
 - name: ensure nfs server is running
-  service: name=nfs-kernel-server state=started enabled=yes
-  when: nfs_exports|length and ansible_os_family == "Debian"
-  tags:
-    - nfs
-
-- name: ensure nfs server is running
-  service: name=nfs-server state=started enabled=yes
-  when: nfs_exports|length and ansible_os_family == "RedHat"
+  service:
+    name: "{{ nfs_server_daemon }}"
+    state: started
+    enabled: yes
+  when: nfs_exports|length
   tags:
     - nfs

roles/nfs/vars/redhat.yml

@@ -0,0 +1 @@
+nfs_server_daemon: nfs-server

roles/nfs/vars/ubuntu.yml

@@ -0,0 +1 @@
+nfs_server_daemon: nfs-kernel-server

roles/requirements.yml

@@ -1,4 +1,10 @@
 ---
+collections:
+
+- name: ansible.posix
+  version: 1.1.1
+
+roles:
 
 - src: dev-sec.ssh-hardening
   version: "6.1.3"

scripts/setup.sh

@@ -254,9 +254,11 @@ ansible-galaxy --version >/dev/null 2>&1
 if [ $? -eq 0 ] ; then
     echo "Updating Ansible Galaxy roles..."
     if [ $PROXY_USE -gt 0 ]; then
-        . ${SCRIPT_DIR}/deepops/proxy.sh && ansible-galaxy install --force -r roles/requirements.yml >/dev/null
+        . ${SCRIPT_DIR}/deepops/proxy.sh && ansible-galaxy collection install --force -r roles/requirements.yml >/dev/null
+        . ${SCRIPT_DIR}/deepops/proxy.sh && ansible-galaxy role install --force -r roles/requirements.yml >/dev/null
     else
-        ansible-galaxy install --force -r roles/requirements.yml >/dev/null
+        ansible-galaxy collection install --force -r roles/requirements.yml >/dev/null
+        ansible-galaxy role install --force -r roles/requirements.yml >/dev/null
     fi