Update documentations

README.md

@@ -13,12 +13,14 @@ Role `kravietz.freebsd.config` — essential system configuration: `/etc/rc.conf
 ## kravietz.freebsd.pf
 Role `kravietz.freebsd.pf` — manage `pf` firewall with multi-level Ansible group and host rules.
 
+* Documentation [roles/pf/README.md][roles/pf/README.md]
 * Variables: [roles/pf/defaults/main.yaml](roles/pf/defaults/main.yaml)
 * Example: [tests/pf.yaml](tests/pf.yaml)
 
 ## kravietz.freebsd.ipfw
 Role `kravietz.freebsd.ipfw` — manage `ipfw` FreeBSD native firewall.
 
+* Documentation [roles/ipfw/README.md][roles/ipfw/README.md]
 * Variables: [roles/ipfw/defaults/main.yaml](roles/ipfw/defaults/main.yaml)
 * Example: [tests/ipfw.yaml](tests/ipfw.yaml)
 

freebsd/roles/config/README.md

@@ -93,6 +93,7 @@ Dictionary of users to be added or removed from the system.
 Example:
 
 ```
+# group_vars/all.yaml
 freebsd_users_global:
   - name: user1
     uid: 5000
@@ -103,6 +104,8 @@ freebsd_users_global:
     password: "*"
     sudo_nopassword: true
     groups: wheel
+
+# group_vars/group1.yaml
 freebsd_users_group:
   - name: user2
     uid: 5001
@@ -170,14 +173,6 @@ Example Playbook
       test dir:
         dest: /tmp/test1
         state: directory
-    freebsd_configs_group:
-      test 2:
-        dest: /usr/local/etc/test2.txt
-        content: test 2
-    freebsd_configs_host:
-      test 3:
-        dest: /usr/local/etc/test3.txt
-        content: test 3
   roles:
     - kravietz.freebsd.config
 ```

freebsd/roles/ipfw/README.md

@@ -1,31 +1,58 @@
 Role Name
 =========
 
-A brief description of the role goes here.
-
-Requirements
-------------
-
-Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+Configure FreeBSD [ipfw](https://docs.freebsd.org/en/books/handbook/firewalls/#firewalls-ipfw) firewall.
 
 Role Variables
 --------------
 
-A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+### `ipfw_rules_debug`
+
+Boolean controlling whether to dump final rules set during playbook run for debugging purposes. Default `false`.
+
+### `ipfw_rules_global`, `ipfw_rules_group`, `ipfw_rules_host`
 
-Dependencies
-------------
+Variables storing actual `ipfw` rules on global, group and host level. The variables are merged across all groups, contrasting with the default Ansible behaviour (overwrite). When the host is a member of several groups, it will receive rules from _all_ of these groups.
 
-A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+Rules are also sorted alphabetically by the key name, which impacts the ordering of output rules in the final firewall file
+installed to `/usr/local/etc/ipfw.conf`. This allows very precise ordering of rules even in case of complex architectures with many groups and hosts. It is recommended that a consistent ranges are used across all projects, for example ranges 000-100 and 900-999 for global rules, 101-499 for group rules and 500-899 for host-level rules.
+
+Example:
+
+```
+ipfw_rules_global:
+  000 default:
+    # set 31 is always loaded at the end of the ruleset
+    # and contains the default deny rule at the end
+    - add set 31 allow tcp from 192.168.0.0/16 to me ssh
+  001 lo0:
+    # add new rules to an arbitrary set 8
+    - set 8 flush
+    - add set 8 allow ip from any to any via lo0
+  101 logged drop:
+    - add set 8 deny log ip from any to any
+  999 swap sets:
+    # swap the new rules into the default set 0
+    - set swap 8 0
+    - delete set 8
+```
+
+The role also sets `ipfw_type` variable in [rc.conf](https://man.freebsd.org/cgi/man.cgi?rc.conf) to the above file name, which will enable `ipfw` on boot and load the specified file. Please note that while syntax check is performed on the rules on write, logical validity of the rules is the responsibility of the user.
 
 Example Playbook
 ----------------
 
-Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+Assuming the above example variables configured in respective group and host files:
+
+```
+- hosts: localhost
+  become: true
+  become_user: root
+  name: Test
+  roles:
+    - kravietz.freebsd.ipfw
+```
 
-    - hosts: servers
-      roles:
-         - { role: username.rolename, x: 42 }
 
 License
 -------

freebsd/roles/pf/README.md

@@ -1,38 +1,84 @@
 Role Name
 =========
 
-A brief description of the role goes here.
-
-Requirements
-------------
-
-Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+Configure FreeBSD [pf](https://docs.freebsd.org/en/books/handbook/firewalls/#firewalls-pf) firewall.
 
 Role Variables
 --------------
 
-A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+### `pf_rules_debug`
+
+Boolean controlling whether to dump final rules set during playbook run for debugging purposes. Default `false`.
+
+### `pf_rules_global`, `pf_rules_group`, `pf_rules_host`
+
+Variables storing actual `pf` rules on global, group and host level. The variables are merged across all groups, contrasting with the default Ansible behaviour (overwrite). When the host is a member of several groups, it will receive rules from _all_ of these groups.
+
+Rules are also sorted alphabetically by the key name, which impacts the ordering of output rules in the final `/etc/pf.conf`. This allows very precise ordering of rules even in case of complex architectures with many groups and hosts. It is recommended that a consistent ranges are used across all projects, for example ranges 000-100 and 900-999 for global rules, 101-499 for group rules and 500-899 for host-level rules.
+
+Examples:
+
+```
+# host_vars/localhost.yaml
+pf_rules_host:
+  500 nfs:
+    - nfs="{ sunrpc, nfsd-status, nfsd-keepalive, nfsd, lockd, 2050 }"
+    - pass in quick inet6 proto { tcp, udp } from 2a02:390:79ef::/48 to any port $nfs
+
+# group_vars/all.yaml
+pf_rules_global:
+  900 policy:
+    - pass in log
+  000 lo0:
+    - set skip on lo0
+
+# group_vars/group1.yaml
+pf_rules_group:
+  101 rules for group1:
+    - pass in quick inet  proto tcp from 192.168.0.0/16 to any port = ssh
+
+# group_vars/group2.yaml
+pf_rules_group:
+  201 rules for group2:
+    - "pass in quick inet6 proto tcp from { 2001:db8::/32 } to any port = ssh"
+```
 
-Dependencies
-------------
+This will produce the following `pf.conf`:
 
-A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+```
+# 000 lo0
+set skip on lo0
+# 101 rules for group1
+pass in quick inet  proto tcp from 192.168.0.0/16 to any port = ssh
+# 201 rules for group2
+pass in quick inet6 proto tcp from { 2001:db8::/32 } to any port = ssh
+# 500 nfs
+nfs="{ sunrpc, nfsd-status, nfsd-keepalive, nfsd, lockd, 2050 }"
+pass in quick inet6 proto { tcp, udp } from 2a02:390:79ef::/48 to any port $nfs
+# 900 policy
+pass in log
+```
 
 Example Playbook
 ----------------
 
-Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+Assuming the above example variables configured in respective group and host files:
 
-    - hosts: servers
-      roles:
-         - { role: username.rolename, x: 42 }
+```
+- hosts: localhost
+  become: true
+  become_user: root
+  name: Test
+  roles:
+    - kravietz.freebsd.pf
+```
 
 License
 -------
 
-BSD
+GPL-3.0-or-later
 
 Author Information
 ------------------
 
-An optional section for the role authors to include contact information, or a website (HTML is not allowed).
+Paweł Krawczyk https://krvtz.net/