diff --git a/defaults/main.yml b/defaults/main.yml
index 447e4a2..bac8b2e 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -80,4 +80,13 @@ firewalld_services: []
 # set:
 # limit: ""
 # end
-firewalld_zones: []
+firewalld_zones:
+ - name: "public"
+ short: "Public"
+ description: >-
+ For use in public areas. You do not trust the other computers on networks
+ to not harm your computer. Only selected incoming connections are accepted.
+ service:
+ - name: ssh
+ - name: dhcpv6-client
+ - name: cockpit
diff --git a/tasks/setup.yml b/tasks/setup.yml
index 98d4de6..074067f 100644
--- a/tasks/setup.yml
+++ b/tasks/setup.yml
@@ -95,6 +95,12 @@
 notify: __firewalld_reload
 when: (item | basename | splitext | first) not in (firewalld_zones | map(attribute='name') | list)
 
+ - name: Validate deployed configuration
+ command: firewall-offline-cmd --check-config
+ register: __firewalld_check
+ changed_when: False
+ failed_when: __firewalld_check.rc != 0
+
 - name: Ensure service is up and running
 service:
 name: firewalld
diff --git a/templates/etc/firewalld/zones/zone.xml.j2 b/templates/etc/firewalld/zones/zone.xml.j2
index d172507..eef9e68 100644
--- a/templates/etc/firewalld/zones/zone.xml.j2
+++ b/templates/etc/firewalld/zones/zone.xml.j2
@@ -1,12 +1,10 @@
 #jinja2: lstrip_blocks: True
- {{ item.short | default(item.name) | upper }}
+ {{ item.short | default(item.name) | capitalize }}
 {% if item.description is defined %}
 {{ item.description }}
 {% endif %}
-{% if item | lenght > 0 %}
-
 {% for tag in item %}
 {# Settings which can be used several times #}
 {% if tag in ["interface", "source", "service", "port", "protocol", "icmp-block", "forward-port", "source-port"] %}
@@ -18,9 +16,6 @@
 <{{ tag }}/>
 {% endif %}
 {% endfor %}
-{% endif %}
-{% if item.rule | default([]) | length > 0 %}
-
 {% for rule in item.rule | default([]) %}
 {% for tag in rule %}
@@ -36,5 +31,4 @@
 {% endfor %}
 {% endfor %}
-{% endif %}
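Review bot: The role default now opens ssh, dhcpv6-client and cockpit in a `public` zone on every host that does not set `firewalld_zones`, where the previous default `[]` deployed nothing; the entry matches the stock firewalld public zone, but nothing in the hunk says so, and because Ansible list variables replace rather than merge, a consumer who sets `firewalld_zones` to add one zone silently drops `public` as well. Document both above the key, e.g. `# Mirrors the stock firewalld "public" zone (ssh, dhcpv6-client, cockpit). Setting firewalld_zones replaces this whole list, so re-declare "public" if it should stay.` Quoting is also inconsistent within the entry: `name: "public"` and `short: "Public"` are quoted while the service names are plain, so pick one style for the file. The `# set:` / `# limit: ""` / `# end` context lines appear to belong to a commented example that starts outside the hunk.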
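Review bot: `failed_when: __firewalld_check.rc != 0` restates what `command` already does, since a non-zero return code fails the task by default, so the `register` and `failed_when` lines add nothing; the task reduces to `- name: Validate deployed configuration`, `command: firewall-offline-cmd --check-config`, `changed_when: false` (lowercase `false` rather than `False`, per yamllint `truthy`). A comment on the task should state why it sits between the deploy tasks and the service task: a failing check stops the play before the `__firewalld_reload` handler notified by the earlier tasks runs (handlers do not fire after a failure unless `force_handlers` is set), so the running firewall keeps its last-good ruleset while the rejected files stay on disk for inspection. The deploy task whose `notify`/`when` lines open this hunk starts outside it.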
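Review bot: `capitalize` lowercases everything after the first character, so an explicit `short` such as `DMZ` is emitted as `Dmz`, and the same happens to the `name` fallback; since the new `defaults/main.yml` entry already supplies `short: "Public"` verbatim, the filter belongs only on the fallback: `{{ item.short | default(item.name | capitalize) }}`. Neither `short` nor `item.description` is escaped, so an `&` or `<` in a description yields malformed XML; `{{ item.description | e }}` keeps the file well-formed, and the new `--check-config` task in `tasks/setup.yml` would at least surface such a breakage before reload. The two later hunks in this file drop the matching `endif` and `rule` guards consistently with the removal of the misspelled `lenght` guard here. The `for tag in item` loop opened in this hunk continues past its end, and the surrounding XML element tags are not visible in this rendering, so the exact line placement is inferred.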