Refactor firewall config to new file

Author: Alex-Welsh

doc/source/configuration/firewall.rst

@@ -0,0 +1,37 @@
+.. _firewall:
+
+========
+Firewall
+========
+
+StackHPC Kayobe configuration provides a standardised firewalld configuration.
+The configuration uses the :kayobe-doc:`firewall
+<configuration/reference/hosts.html#firewalld>` host configuration
+functionality of Kayobe.
+
+The firewall configuration is provided in
+``etc/kayobe/inventory/group_vars/all/firewall``. This allows configuration
+variables to be overridden on a per-group or per-host basis (which would not be
+possible for an "extra variable" in ``etc/kayobe/*.yml``). This configuration
+is not used by default, and must be actively opted into. This can be done as
+follows:
+
+.. code-block:: yaml
+   :caption: ``etc/kayobe/controllers.yml``
+
+   controller_firewalld_zones: "{{ stackhpc_firewalld_zones }}"
+   controller_firewalld_rules: "{{ stackhpc_firewalld_rules }}"
+
+This will configure the standard set of firewalld rules on controller hosts.
+Rule definitions are automatically added according to group membership.Rule
+sets exist for the following groups:
+
+* Controllers - ``stackhpc_controller_firewalld_rules``
+* Compute - ``stackhpc_compute_firewalld_rules``
+* Storage - ``stackhpc_storage_firewalld_rules``
+* Monitoring - ``stackhpc_monitoring_firewalld_rules``
+* Wazuh Manager Infrastructure VM - ``stackhpc_infra_vm_firewalld_rules``
+* Ansible Control host Infrastructure VM - ``stackhpc_infra_vm_firewalld_rules``
+* Seed - ``stackhpc_seed_firewalld_rules``
+* Seed Hypervisor - ``stackhpc_seed_hypervisor_firewalld_rules``
+

doc/source/configuration/index.rst

@@ -20,3 +20,4 @@ the various features provided.
    magnum-capi
    ci-cd
    security-hardening
+   firewall