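"""BundleWrap items for the iptables-enforce bundle.

Installs a privileged enforcement script plus a systemd unit, and drops
rule fragments into /etc/iptables-rules.d/ in a fixed lexical order:

    00-defaults      shipped with this bundle
    20-<bundle>      one file per entry in metadata['iptables']['bundle_rules']
    40-custom        metadata['iptables']['custom_rules'], if present

Every rule file triggers the ``iptables_enforce`` action so the rule set is
re-applied whenever any fragment changes.  The directory is purged, so a
fragment that is no longer generated disappears from the node as well.
"""

# Purge so rule files from removed bundles do not linger and keep being
# enforced after the bundle that produced them is gone.
directories = {
    '/etc/iptables-rules.d': {
        'purge': True,
    },
}

files = {
    '/etc/systemd/system/iptables-enforce.service': {
        'triggers': {
            'action:systemd-reload',
        },
    },
    # The enforcement script runs as root and is rendered from a Mako
    # template with node-specific context; keep it unreadable to other users.
    '/usr/local/sbin/iptables-enforce': {
        'content_type': 'mako',
        'context': repo.libs.tools.resolve_identifier(repo, node.name),
        'mode': '0700',
        'triggers': {
            'action:iptables_enforce',
        },
    },
    # No 'content' given: presumably served from this bundle's files/
    # directory under the same path (BundleWrap default) -- confirm.
    '/etc/iptables-rules.d/00-defaults': {
        'triggers': {
            'action:iptables_enforce',
        },
    },
}

iptables_metadata = node.metadata.get('iptables', {})

for bundle, rules in iptables_metadata.get('bundle_rules', {}).items():
    # The bundle name becomes a path component inside the purged rules
    # directory.  Reject anything that could escape it (a '/' or '..'),
    # otherwise the fragment would be written -- and never purged --
    # somewhere else on the filesystem.  Loud failure is preferable to a
    # silently misplaced firewall rule.
    if not bundle or '/' in bundle or bundle in {'.', '..'}:
        raise ValueError(
            f'iptables bundle_rules key {bundle!r} is not a valid file name',
        )
    files[f'/etc/iptables-rules.d/20-{bundle}'] = {
        # We must never use sorted() here. Bundles might rely on their order.
        'content': '\n'.join(rules) + '\n',
        'triggers': {
            'action:iptables_enforce',
        },
    }

if 'custom_rules' in iptables_metadata:
    files['/etc/iptables-rules.d/40-custom'] = {
        # Same ordering caveat as above: preserve the rules as written.
        'content': '\n'.join(iptables_metadata['custom_rules']) + '\n',
        'triggers': {
            'action:iptables_enforce',
        },
    }

# NOTE(review): the rule fragments above use BundleWrap's default file mode,
# so local users can read the full rule set; tighten with 'mode' if the
# rules are considered sensitive on this node.

# Triggered only -- never run unconditionally on every apply.
actions = {
    'iptables_enforce': {
        'command': '/usr/local/sbin/iptables-enforce',
        'triggered': True,
    },
}

# 'running': None leaves the unit's run state unmanaged; enforcement is
# driven by the action above, the unit only needs to exist (and be enabled
# by BundleWrap's default) for boot-time application.
svc_systemd = {
    'iptables-enforce': {
        'running': None,
        'needs': {
            'file:/etc/systemd/system/iptables-enforce.service',
        },
    },
}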