add config validation task

defaults/main.yml

@@ -80,4 +80,13 @@ firewalld_services: []
 #           set:
 #           limit: ""
 # end
-firewalld_zones: []
+firewalld_zones:
+  - name: "public"
+    short: "Public"
+    description: >-
+      For use in public areas. You do not trust the other computers on networks
+      to not harm your computer. Only selected incoming connections are accepted.
+    service:
+      - name: ssh
+      - name: dhcpv6-client
+      - name: cockpit

tasks/setup.yml

@@ -95,6 +95,12 @@
       notify: __firewalld_reload
       when: (item | basename | splitext | first) not in (firewalld_zones | map(attribute='name') | list)
 
+    - name: Validate deployed configuration
+      command: firewall-offline-cmd --check-config
+      register: __firewalld_check
+      changed_when: False
+      failed_when: __firewalld_check.rc != 0
+
     - name: Ensure service is up and running
       service:
         name: firewalld

templates/etc/firewalld/zones/zone.xml.j2

@@ -1,12 +1,10 @@
 #jinja2: lstrip_blocks: True
 <?xml version="1.0" encoding="utf-8"?>
 <zone{% if item.target is defined %} target="{{ item.target }}"{% endif %}>
-  <short>{{ item.short | default(item.name) | upper }}</short>
+  <short>{{ item.short | default(item.name) | capitalize }}</short>
 {% if item.description is defined %}
   <description>{{ item.description }}</description>
 {% endif %}
-{% if item | lenght > 0 %}
-
 {% for tag in item %}
   {# Settings which can be used several times #}
   {% if tag in ["interface", "source", "service", "port", "protocol", "icmp-block", "forward-port", "source-port"] %}
@@ -18,9 +16,6 @@
   <{{ tag }}/>
   {% endif %}
 {% endfor %}
-{% endif %}
-{% if item.rule | default([]) | length > 0 %}
-
 {% for rule in item.rule | default([]) %}
   <rule{% if rule.family is defined %} family="{{ rule.family }}"{% endif %}>
   {% for tag in rule %}
@@ -36,5 +31,4 @@
   {% endfor %}
   </rule>
 {% endfor %}
-{% endif %}
 </zone>