--- - name: Install packages ansible.builtin.package: name: "{{ item }}" loop: - firewalld - python3-firewall - name: Configure firewalld ansible.builtin.template: src: etc/firewalld/firewalld.conf.j2 dest: /etc/firewalld/firewalld.conf mode: "0644" notify: __firewalld_reload - name: Configure firewalld ipsets ansible.builtin.template: src: etc/firewalld/ipsets/ipset.xml.j2 dest: /etc/firewalld/ipsets/{{ item.name }}.xml mode: "0640" loop: "{{ __firewalld_ipsets }}" loop_control: label: "{{ item.name }}" notify: __firewalld_reload - name: Register active ipsets ansible.builtin.find: paths: /etc/firewalld/ipsets file_type: file patterns: "*.xml" register: __firewalld_ipsets_active changed_when: False failed_when: False - name: Remove unmanaged ipsets ansible.builtin.file: path: "{{ item }}" state: absent loop: "{{ __firewalld_ipsets_active.files | map(attribute='path') | list }}" notify: __firewalld_reload when: (item | basename | splitext | first) not in (__firewalld_ipsets | map(attribute='name') | list) - name: Configure firewalld services ansible.builtin.template: src: etc/firewalld/services/service.xml.j2 dest: /etc/firewalld/services/{{ item.name }}.xml mode: "0640" loop: "{{ __firewalld_services }}" loop_control: label: "{{ item.name }}" notify: __firewalld_reload - name: Register active services ansible.builtin.find: paths: /etc/firewalld/services file_type: file patterns: "*.xml" register: __firewalld_services_active changed_when: False failed_when: False - name: Remove unmanaged services ansible.builtin.file: path: "{{ item }}" state: absent loop: "{{ __firewalld_services_active.files | map(attribute='path') | list }}" notify: __firewalld_reload when: (item | basename | splitext | first) not in (__firewalld_services | map(attribute='name') | list) - name: Configure firewalld zones ansible.builtin.template: src: etc/firewalld/zones/zone.xml.j2 dest: /etc/firewalld/zones/{{ item.name }}.xml mode: "0640" loop: "{{ __firewalld_zones }}" loop_control: label: "{{ item.name }}" when: item.name not in firewalld_zones_unmanaged notify: __firewalld_reload - name: Register active zones ansible.builtin.find: paths: /etc/firewalld/zones file_type: file patterns: "*.xml" register: __firewalld_zones_active changed_when: False failed_when: False - name: Remove unmanaged zones ansible.builtin.file: path: "{{ item }}" state: absent loop: "{{ __firewalld_zones_active.files | map(attribute='path') | list }}" notify: __firewalld_reload when: - (item | basename | splitext | first) not in (__firewalld_zones | map(attribute='name') | list) - (item | basename | splitext | first) not in firewalld_zones_unmanaged - name: Validate deployed configuration ansible.builtin.command: firewall-offline-cmd --check-config register: __firewalld_check changed_when: False failed_when: __firewalld_check.rc != 0