From 9373db5a1585ab90483a2e0dd6dc3c44de88df36 Mon Sep 17 00:00:00 2001 From: Georg Pfuetzenreuter Date: Wed, 7 Feb 2024 02:44:04 +0100 Subject: [PATCH 1/2] feat(zones): add purging option This introduces a "purge_zones" toggle which, if enabled, ensures zones not managed using the firewalld pillar get deleted. Useful to enforce that only Salt managed zones exist and to clean up pre-Salt data. Signed-off-by: Georg Pfuetzenreuter --- firewalld/zones.sls | 13 +++++++++++++ pillar.example | 3 +++ 2 files changed, 16 insertions(+) diff --git a/firewalld/zones.sls b/firewalld/zones.sls index 220cc96..ed82429 100644 --- a/firewalld/zones.sls +++ b/firewalld/zones.sls @@ -44,3 +44,16 @@ directory_firewalld_zones: zone: {{ v|json }} {% endfor %} + +{%- if firewalld.get('purge_zones', False) %} +{%- for file in salt['file.find']('/etc/firewalld/zones', name='*.xml', print='name', type='f') %} + +{%- if file.replace('.xml', '') not in firewalld.get('zones', {}).keys() %} +/etc/firewalld/zones/{{ file }}: + file.absent: + - watch_in: + - cmd: reload_firewalld +{%- endif %} + +{%- endfor %} +{%- endif %} diff --git a/pillar.example b/pillar.example index 87d4690..1b973ba 100644 --- a/pillar.example +++ b/pillar.example @@ -99,6 +99,9 @@ firewalld: entries: - 2a01::1 + # Delete zones not defined under "zones" + purge_zones: False + zones: public: short: Public From 7883127581300a0e2646b79bf7eda24c489cec70 Mon Sep 17 00:00:00 2001 From: Georg Pfuetzenreuter Date: Wed, 7 Feb 2024 12:27:34 +0100 Subject: [PATCH 2/2] feat(zones): use variables for iterations Avoid redundant lookups and keys calculations. Signed-off-by: Georg Pfuetzenreuter --- firewalld/zones.sls | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/firewalld/zones.sls b/firewalld/zones.sls index ed82429..35ddadf 100644 --- a/firewalld/zones.sls +++ b/firewalld/zones.sls 
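Review bot: With purge_zones enabled, a zone whose pillar entry sets `name` to something other than its key gets its own file deleted, because the purge compares the file stem against the zone keys while the managed file is `/etc/firewalld/zones/{{ z_name }}.xml` with `z_name = v.name|default(k)` (visible in patch 2's `@@ -21,7 +22,7 @@` hunk); the same ID would then appear twice under `file`, which Salt's YAML loader should reject as a conflicting ID at render time, and if it did render the managed zone would be removed on every run. Patch 2's `@@ -46,9 +47,10 @@` hunk keeps the same comparison via `zone_names = zones.keys()`, so the fix belongs there as well: build the name list from the effective names, as below (written against the patch 2 version; `namespace` needs Jinja 2.10+, which current Salt ships). `file.replace('.xml', '')` also strips every occurrence rather than the suffix; with the `*.xml` glob, `file[:-4]` is exact. Because `file.find` is called with `type='f'`, a symlinked zone file is never purged, which deserves a comment if that is intended.
```jinja
{%- if firewalld.get('purge_zones', False) %}
{#- compare against the file names actually managed above (v.name overrides the key) #}
{%- set ns = namespace(names=[]) %}
{%- for k, v in zones.items() %}
{%- set ns.names = ns.names + [v.name|default(k)] %}
{%- endfor %}
{%- for file in salt['file.find']('/etc/firewalld/zones', name='*.xml', print='name', type='f') %}
{%- if file[:-4] not in ns.names %}
{#- … unchanged: file.absent state with watch_in reload_firewalld … #}
{%- endif %}
{%- endfor %}
{%- endif %}
```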
@@ -3,6 +3,7 @@ # This state ensures that /etc/firewalld/zones/ exists. # {% from "firewalld/map.jinja" import firewalld with context %} +{%- set zones = firewalld.get('zones', {}) %} directory_firewalld_zones: file.directory: # make sure this is a directory @@ -21,7 +22,7 @@ directory_firewalld_zones: # # This defines a zone configuration, see firewalld.zone (5) man page. # -{% for k, v in salt['pillar.get']('firewalld:zones', {}).items() %} +{% for k, v in zones.items() %} {% set z_name = v.name|default(k) %} /etc/firewalld/zones/{{ z_name }}.xml: @@ -46,9 +47,10 @@ directory_firewalld_zones: {% endfor %} {%- if firewalld.get('purge_zones', False) %} +{%- set zone_names = zones.keys() %} {%- for file in salt['file.find']('/etc/firewalld/zones', name='*.xml', print='name', type='f') %} -{%- if file.replace('.xml', '') not in firewalld.get('zones', {}).keys() %} +{%- if file.replace('.xml', '') not in zone_names %} /etc/firewalld/zones/{{ file }}: file.absent: - watch_in:
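Review bot: The `@@ -3,6 +3,7 @@` hunk changes where the zones come from, not only how often they are looked up: the loop in `@@ -21,7 +22,7 @@` previously read `salt['pillar.get']('firewalld:zones', {})` and now reads `firewalld.get('zones', {})` from the `firewalld` dict imported from map.jinja. That is equivalent only if map.jinja passes the pillar's `firewalld:zones` through unchanged (no default zones, no grain-based merge), which cannot be confirmed from this patch, while the commit message describes the change purely as avoiding redundant lookups. Worth verifying against map.jinja and recording the outcome next to the `set`, e.g. `{#- zones come from the merged map dict (map.jinja), not the raw pillar #}`, so a later reader does not assume the two sources are interchangeable. The for-loop body opened in `@@ -21,7 +22,7 @@` continues past that hunk.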