
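---
# Install firewalld, render the declared ipset/service/zone definitions into
# /etc/firewalld and prune every definition file in those directories that is
# not listed in firewalld_ipsets / firewalld_services / firewalld_zones.
#
# NOTE(review): the prune tasks remove *all* unmanaged *.xml files from the
# permanent configuration, including zones/services created out-of-band with
# `firewall-cmd --permanent`. Declare everything you need (in particular the
# rule that keeps your management access, e.g. ssh) in the role variables, or
# the next run will delete it. The __firewalld_reload handler is defined in the
# role's handlers file (not shown here).
- block:
    - name: Install packages
      package:
        name: "{{ item }}"
        state: present
      loop:
        - firewalld
        - python3-firewall

    # Explicit ownership/mode so the rendered files do not depend on the
    # remote umask (same perms firewalld ships its own definitions with).
    - name: Configure firewalld ipsets
      template:
        src: etc/firewalld/ipsets/ipset.xml.j2
        dest: "/etc/firewalld/ipsets/{{ item.name }}.xml"
        owner: root
        group: root
        mode: "0644"
      loop: "{{ firewalld_ipsets }}"
      loop_control:
        label: "{{ item.name }}"
      notify: __firewalld_reload

    - name: Register active ipsets
      find:
        paths: /etc/firewalld/ipsets
        file_type: file
        patterns: "*.xml"
      register: __firewalld_ipsets_active
      changed_when: false
      failed_when: false

    # `find` returns absolute paths. The previous version prefixed them with
    # the directory again ("/etc/firewalld/ipsets//etc/firewalld/ipsets/x.xml"),
    # a path that never exists, so unmanaged files were silently never removed.
    # Use the path as returned and compare the basename (minus ".xml") against
    # the managed names.
    - name: Remove unmanaged ipsets
      file:
        path: "{{ item }}"
        state: absent
      loop: "{{ __firewalld_ipsets_active.files | default([]) | map(attribute='path') | list }}"
      loop_control:
        label: "{{ item | basename }}"
      notify: __firewalld_reload
      when: (item | basename | regex_replace('\\.xml$', '')) not in (firewalld_ipsets | map(attribute='name') | list)

    - name: Configure firewalld services
      template:
        src: etc/firewalld/services/service.xml.j2
        dest: "/etc/firewalld/services/{{ item.name }}.xml"
        owner: root
        group: root
        mode: "0644"
      loop: "{{ firewalld_services }}"
      loop_control:
        label: "{{ item.name }}"
      notify: __firewalld_reload

    - name: Register active services
      find:
        paths: /etc/firewalld/services
        file_type: file
        patterns: "*.xml"
      register: __firewalld_services_active
      changed_when: false
      failed_when: false

    # Same path fix as for ipsets: operate on the absolute path from `find`.
    - name: Remove unmanaged services
      file:
        path: "{{ item }}"
        state: absent
      loop: "{{ __firewalld_services_active.files | default([]) | map(attribute='path') | list }}"
      loop_control:
        label: "{{ item | basename }}"
      notify: __firewalld_reload
      when: (item | basename | regex_replace('\\.xml$', '')) not in (firewalld_services | map(attribute='name') | list)

    - name: Configure firewalld zones
      template:
        src: etc/firewalld/zones/zone.xml.j2
        dest: "/etc/firewalld/zones/{{ item.name }}.xml"
        owner: root
        group: root
        mode: "0644"
      loop: "{{ firewalld_zones }}"
      loop_control:
        label: "{{ item.name }}"
      notify: __firewalld_reload

    - name: Register active zones
      find:
        paths: /etc/firewalld/zones
        file_type: file
        patterns: "*.xml"
      register: __firewalld_zones_active
      changed_when: false
      failed_when: false

    # Same path fix as for ipsets: operate on the absolute path from `find`.
    - name: Remove unmanaged zones
      file:
        path: "{{ item }}"
        state: absent
      loop: "{{ __firewalld_zones_active.files | default([]) | map(attribute='path') | list }}"
      loop_control:
        label: "{{ item | basename }}"
      notify: __firewalld_reload
      when: (item | basename | regex_replace('\\.xml$', '')) not in (firewalld_zones | map(attribute='name') | list)

    # NOTE(review): daemon_reload is a systemd-only option; the generic
    # `service` module forwards it on systemd hosts but it is not expected to
    # work with other service managers — confirm against the target platforms.
    - name: Ensure service is up and running
      service:
        name: firewalld
        daemon_reload: true
        enabled: true
        state: started
  become: true
  become_user: root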