115 lines
3.7 KiB
YAML
115 lines
3.7 KiB
YAML
---
|
|
- when: firewalld_enabled | bool
|
|
block:
|
|
- name: Install packages
|
|
ansible.builtin.package:
|
|
name: "{{ item }}"
|
|
loop:
|
|
- firewalld
|
|
- python3-firewall
|
|
|
|
- name: Configure firewalld
|
|
ansible.builtin.template:
|
|
src: etc/firewalld/firewalld.conf.j2
|
|
dest: /etc/firewalld/firewalld.conf
|
|
mode: "0644"
|
|
notify: __firewalld_reload
|
|
|
|
- name: Configure firewalld ipsets
|
|
ansible.builtin.template:
|
|
src: etc/firewalld/ipsets/ipset.xml.j2
|
|
dest: /etc/firewalld/ipsets/{{ item.name }}.xml
|
|
mode: "0640"
|
|
loop: "{{ __firewalld_ipsets }}"
|
|
loop_control:
|
|
label: "{{ item.name }}"
|
|
notify: __firewalld_reload
|
|
|
|
- name: Register active ipsets
|
|
ansible.builtin.find:
|
|
paths: /etc/firewalld/ipsets
|
|
file_type: file
|
|
patterns: "*.xml"
|
|
register: __firewalld_ipsets_active
|
|
changed_when: False
|
|
failed_when: False
|
|
|
|
- name: Remove unmanaged ipsets
|
|
ansible.builtin.file:
|
|
path: "{{ item }}"
|
|
state: absent
|
|
loop: "{{ __firewalld_ipsets_active.files | map(attribute='path') | list }}"
|
|
notify: __firewalld_reload
|
|
when: (item | basename | splitext | first) not in (__firewalld_ipsets | map(attribute='name') | list)
|
|
|
|
- name: Configure firewalld services
|
|
ansible.builtin.template:
|
|
src: etc/firewalld/services/service.xml.j2
|
|
dest: /etc/firewalld/services/{{ item.name }}.xml
|
|
mode: "0640"
|
|
loop: "{{ __firewalld_services }}"
|
|
loop_control:
|
|
label: "{{ item.name }}"
|
|
notify: __firewalld_reload
|
|
|
|
- name: Register active services
|
|
ansible.builtin.find:
|
|
paths: /etc/firewalld/services
|
|
file_type: file
|
|
patterns: "*.xml"
|
|
register: __firewalld_services_active
|
|
changed_when: False
|
|
failed_when: False
|
|
|
|
- name: Remove unmanaged services
|
|
ansible.builtin.file:
|
|
path: "{{ item }}"
|
|
state: absent
|
|
loop: "{{ __firewalld_services_active.files | map(attribute='path') | list }}"
|
|
notify: __firewalld_reload
|
|
when: (item | basename | splitext | first) not in (__firewalld_services | map(attribute='name') | list)
|
|
|
|
- name: Configure firewalld zones
|
|
ansible.builtin.template:
|
|
src: etc/firewalld/zones/zone.xml.j2
|
|
dest: /etc/firewalld/zones/{{ item.name }}.xml
|
|
mode: "0640"
|
|
loop: "{{ __firewalld_zones }}"
|
|
loop_control:
|
|
label: "{{ item.name }}"
|
|
when: item.name not in firewalld_zones_unmanaged
|
|
notify: __firewalld_reload
|
|
|
|
- name: Register active zones
|
|
ansible.builtin.find:
|
|
paths: /etc/firewalld/zones
|
|
file_type: file
|
|
patterns: "*.xml"
|
|
register: __firewalld_zones_active
|
|
changed_when: False
|
|
failed_when: False
|
|
|
|
- name: Remove unmanaged zones
|
|
ansible.builtin.file:
|
|
path: "{{ item }}"
|
|
state: absent
|
|
loop: "{{ __firewalld_zones_active.files | map(attribute='path') | list }}"
|
|
notify: __firewalld_reload
|
|
when:
|
|
- (item | basename | splitext | first) not in (__firewalld_zones | map(attribute='name') | list)
|
|
- (item | basename | splitext | first) not in firewalld_zones_unmanaged
|
|
|
|
- name: Validate deployed configuration
|
|
ansible.builtin.command: firewall-offline-cmd --check-config
|
|
register: __firewalld_check
|
|
changed_when: False
|
|
failed_when: __firewalld_check.rc != 0
|
|
|
|
- name: Ensure service has expected state
|
|
ansible.builtin.service:
|
|
name: firewalld
|
|
daemon_reload: True
|
|
enabled: "{{ firewalld_enabled | bool }}"
|
|
masked: "{{ not firewalld_enabled | bool }}"
|
|
state: "{{ firewalld_enabled | bool | ternary('started', 'stopped', 'started') }}"
|