##### FIREWALLD #####
- name: install firewalld
  # firewalld itself plus the nftables backend and the iptables/ipset tooling
  # the tasks below switch over to it
  apt:
    state: present
    name:
      - iptables
      - firewalld
      - nftables
      - ipset
- name: set iptables/ebtables alternatives to nftables versions
  # point the iptables and ebtables commands at their nft-backed binaries
  alternatives:
    name: "{{ item.name }}"
    path: "{{ item.path }}"
  loop:
    - name: iptables
      path: /usr/sbin/iptables-nft
    - name: ebtables
      path: /usr/sbin/ebtables-nft
  # check mode: do not abort the play if the alternative cannot be set
  ignore_errors: "{{ ansible_check_mode }}"
- name: configure firewalld
  # rendered config is root-owned and world-readable; a change triggers the
  # "restart firewalld" handler, which runs at the flush_handlers that follows
  template:
    dest: /etc/firewalld/firewalld.conf
    src: etc_firewalld_firewalld.conf.j2
    mode: "0644"
    owner: root
    group: root
  notify: restart firewalld
  ignore_errors: "{{ ansible_check_mode }}"
# apply firewalld configuration/default zone
# run the pending "restart firewalld" handler now, so the daemon is up with
# the new firewalld.conf before zones are managed
- meta: flush_handlers
  name: apply configuration (flush handlers)
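- name: create/delete firewall zones
  # Only zone existence is managed here; sources and services are attached by
  # the tasks below. The change is permanent-only, so it becomes active when
  # the notified "reload firewalld" handler runs at the next flush_handlers.
  firewalld:
    zone: "{{ item.zone }}"
    # an entry with `delete: true` removes the zone; anything else creates it
    state: "{{ 'absent' if (item.delete | default(false)) else 'present' }}"
    permanent: true
    immediate: false
  loop: "{{ firewalld_zone_sources }}"
  notify: reload firewalld
  # check mode: do not abort the play if the zone cannot be managed
  ignore_errors: "{{ ansible_check_mode }}"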
# run the pending "reload firewalld" handler now, so newly created zones exist
# before sources and services are attached to them
- meta: flush_handlers
  name: apply configuration (flush handlers)
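- name: configure firewalld zone sources
  # Additive only: a source removed from an entry's `sources` list is not
  # removed from the zone on the host by this task, so it keeps its zone's
  # access until it is listed in an entry with `state: disabled`.
  firewalld:
    zone: "{{ item.0.zone }}"
    state: "{{ item.0.state | default('enabled') }}"
    # defaults: permanent change, activated by the "reload firewalld" handler
    permanent: "{{ item.0.permanent | default(true) }}"
    immediate: "{{ item.0.immediate | default(false) }}"
    source: "{{ item.1 }}"
  # zones flagged for deletion get no sources
  when: not (item.0.delete | default(false))
  # skip_missing: a zone entry without a `sources` key is simply skipped
  loop: "{{ q('subelements', firewalld_zone_sources, 'sources', {'skip_missing': True}) }}"
  notify: reload firewalld
  ignore_errors: "{{ ansible_check_mode }}"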
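- name: configure firewalld zone services
  # Like the sources task above this is additive only: a service dropped from
  # an entry's `services` list stays open on the host unless an entry with
  # `state: disabled` names it.
  firewalld:
    zone: "{{ item.0.zone }}"
    state: "{{ item.0.state | default('enabled') }}"
    permanent: "{{ item.0.permanent | default(true) }}"
    immediate: "{{ item.0.immediate | default(false) }}"
    service: "{{ item.1 }}"
  # same loop shape as the sources task; entries without `services` are skipped
  loop: "{{ q('subelements', firewalld_zone_services, 'services', {'skip_missing': True}) }}"
  # permanent-only by default, so a reload is needed for the change to become
  # active; notify the same handler the zone and sources tasks use
  notify: reload firewalld
  ignore_errors: "{{ ansible_check_mode }}"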
- name: configure additional firewalld rules
  # each entry is handed to the module verbatim, so the entry itself decides
  # `permanent`/`immediate`; nothing here notifies a reload, so a
  # permanent-only entry only becomes active through a reload notified elsewhere
  firewalld: "{{ item }}" # noqa args[module] # false positive
  loop: "{{ firewalld | flatten(levels=1) }}"
  ignore_errors: "{{ ansible_check_mode }}"
##### SERVICE #####
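- name: enable firewalld service
  # make sure the daemon is running now and starts at boot
  service:
    name: firewalld
    state: started
    enabled: true
  ignore_errors: "{{ ansible_check_mode }}"
  tags: services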
##### FACTS #####
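- name: create ansible facts.d directory
  # Ansible runs any executable file found here during fact gathering, so the
  # directory is root-owned and writable by root only (0755), matching the
  # ownership used for firewalld.conf above.
  file:
    path: /etc/ansible/facts.d
    state: directory
    owner: root
    group: root
    mode: "0755"
  ignore_errors: "{{ ansible_check_mode }}"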
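- name: create firewalld fact file
  # 0644 (non-executable) means Ansible parses the file as data instead of
  # running it; root ownership keeps unprivileged users from editing the facts
  template:
    src: etc_ansible_facts.d_firewalld.fact.j2
    dest: /etc/ansible/facts.d/firewalld.fact
    owner: root
    group: root
    mode: "0644"
  notify: update ansible facts
  ignore_errors: "{{ ansible_check_mode }}"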
# ensure ansible facts are up to date before continuing
# run the pending "update ansible facts" handler now, so facts read from the
# new fact file are available to whatever runs after this file
- meta: flush_handlers
  name: apply configuration (flush handlers)