From 6715b0442972f326c2764ca8915bec51f88fe966 Mon Sep 17 00:00:00 2001
From: benfiedler <22305667+benfiedler@users.noreply.github.com>
Date: Thu, 23 Oct 2025 14:00:59 -0700
Subject: [PATCH] fix: stop services from being exclusively in pillar
---
 firewalld/defaults.yaml | 2 ++
 firewalld/services.sls | 2 +-
 pillar.example | 80 +++++++++++++++++++++--------------------
 3 files changed, 44 insertions(+), 40 deletions(-)
diff --git a/firewalld/defaults.yaml b/firewalld/defaults.yaml
index bbabd6e..9efe0b4 100644
--- a/firewalld/defaults.yaml
+++ b/firewalld/defaults.yaml
@@ -16,3 +16,5 @@ firewalld:
 pkg: nftables
 ipsets: {}
+
+ services: {}
diff --git a/firewalld/services.sls b/firewalld/services.sls
index 99e34c5..19227d3 100644
--- a/firewalld/services.sls
+++ b/firewalld/services.sls
@@ -23,7 +23,7 @@ directory_firewalld_services:
 # This defines a service configuration, see firewalld.service (5) man page.
 # You usually don't need this, you can simply add ports to zone.
-{% for k, v in salt['pillar.get']('firewalld:services', {}).items() %}
+{% for k, v in firewalld.services.items() %}
 {% set s_name = v.name|default(k) %}
 /etc/firewalld/services/{{ s_name }}.xml:
diff --git a/pillar.example b/pillar.example
index 87d4690..3850942 100644
--- a/pillar.example
+++ b/pillar.example
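Review bot: In firewalld/services.sls the loop now iterates `firewalld.services` instead of reading the `firewalld:services` pillar key, so whether an existing top-level `firewalld:services` pillar still renders its `/etc/firewalld/services/*.xml` files depends on how the `firewalld` map is merged, which is not visible in this hunk. pillar.example moves the key under `lookup:`, which suggests (unconfirmed from here) that the old location is no longer picked up; if so, minions with unmigrated pillars would silently stop managing their custom service definitions, which changes the resulting firewall configuration without any error. Consider calling out the required pillar migration in the commit message and adding a comment above the loop such as `# services come from the merged firewalld map (defaults.yaml + pillar); the top-level firewalld:services pillar key is no longer read directly here`. The state body that consumes `k` and `v` continues outside the hunk.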
@@ -28,46 +28,48 @@ firewalld:
 default_zone: public
- services:
- sshcustom:
- short: sshcustom
- description: >-
- SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging
- into and executing commands on remote machines. It provides secure
- encrypted communications. If you plan on accessing your machine
- remotely via SSH over a firewalled interface, enable this option. You
- need the openssh-server package installed for this option to be useful.
- ports:
- tcp:
- - 3232
- - 5252
- modules:
- - some_module_to_load
- protocols:
- - igmp
- source_ports:
- tcp:
- - 21
- destinations:
- ipv4:
- - 224.0.0.251
- - 224.0.0.252
- ipv6:
- - ff02::fb
- - ff02::fc
- zabbixcustom:
- short: Zabbixcustom
- description: "zabbix custom rule"
- ports:
- tcp:
- - "10051"
- salt-minion:
- short: salt-minion
- description: "salt-minion"
- ports:
- tcp:
- - "8000"
+ lookup:
+ services:
+ sshcustom:
+ short: sshcustom
+ description: >-
+ SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging
+ into and executing commands on remote machines. It provides secure
+ encrypted communications. If you plan on accessing your machine
+ remotely via SSH over a firewalled interface, enable this option. You
+ need the openssh-server package installed for this option to be useful.
+ ports:
+ tcp:
+ - 3232
+ - 5252
+ modules:
+ - some_module_to_load
+ protocols:
+ - igmp
+ source_ports:
+ tcp:
+ - 21
+ destinations:
+ ipv4:
+ - 224.0.0.251
+ - 224.0.0.252
+ ipv6:
+ - ff02::fb
+ - ff02::fc
+
+ zabbixcustom:
+ short: Zabbixcustom
+ description: "zabbix custom rule"
+ ports:
+ tcp:
+ - "10051"
+ salt-minion:
+ short: salt-minion
+ description: "salt-minion"
+ ports:
+ tcp:
+ - "8000"
 ipsets:
 fail2ban-ssh: