Smarter firewall handling

roles/vm-common/handlers/main.yml

@@ -10,3 +10,8 @@
   ansible.builtin.service:
     name: sshd
     state: restarted
+
+- name: Reload firewalld
+  ansible.builtin.service:
+    name: firewalld
+    state: reloaded

roles/vm-common/tasks/firewall.yml

@@ -1,20 +1,21 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
-- name: Move main LAN network to zone 'drop'
+- name: Move main LAN and VPN networks to zone 'drop'
   ansible.posix.firewalld:
     zone: drop
-    source: 192.168.1.0/24
+    source: "{{ item }}"
     permanent: true
-    immediate: true
     state: enabled
+  loop:
+    - 192.168.1.0/24
+    - 192.168.8.0/24
 
 - name: Move lab network to zone 'dmz'
   ansible.posix.firewalld:
     zone: dmz
     source: 192.168.17.0/24
     permanent: true
-    immediate: true
     state: enabled
 
 - name: Move internal network to zone 'internal'
@@ -22,37 +23,26 @@
     zone: internal
     source: 10.2.0.0/16
     permanent: true
-    immediate: true
     state: enabled
-  when: hostname in groups['virtualservers']
 
-- name: Default deny incoming connections to SSH port in zone 'dmz'
+- name: Default deny incoming connections to SSH port in zones 'dmz' and 'internal'
   ansible.posix.firewalld:
-    zone: dmz
+    zone: "{{ item }}"
     service: ssh
     permanent: true
-    immediate: true
     state: disabled
-
-- name: Default deny incoming connections to SSH port in zone 'internal'
-  ansible.posix.firewalld:
-    zone: internal
-    service: ssh
-    permanent: true
-    immediate: true
-    state: disabled
-  when: hostname in groups['virtualservers']
+  loop:
+    - dmz
+    - internal
 
 # When sapt-labx-ctl01 is deployed
-- name: Allow incoming connections from jump host to SSH port in zone 'dmz'
-  ansible.posix.firewalld:
-    zone: dmz
-    source: "{{ hostvars['sapt-labx-ctl01'].ansible_host }}"
-    service: ssh
-    permanent: true
-    immediate: true
-    state: enabled
-  when: false  # hostname not in groups['control_infra']
+# - name: Allow incoming connections from jump host to SSH port in zone 'dmz'
+#   ansible.posix.firewalld:
+#     zone: dmz
+#     source: "{{ hostvars['sapt-labx-ctl01'].ansible_host }}"
+#     service: ssh
+#     permanent: true
+#     state: enabled
 
 # Until sapt-labx-ctl01 is deployed
 - name: Allow incoming connections to SSH port in zone 'drop'
@@ -60,31 +50,7 @@
     zone: drop
     service: ssh
     permanent: true
-    immediate: true
     state: enabled
-  when: true
-
-- name: Firewall rules for group 'control_infra'
-  when: hostname in groups['control_infra']
-  block:
-    - name: Allow incoming connections to SSH port in zone 'dmz'
-      ansible.posix.firewalld:
-        zone: dmz
-        service: ssh
-        permanent: true
-        immediate: true
-        state: enabled
-
-    - name: Allow incoming connections to DNS port in zones 'drop' and 'dmz'
-      ansible.posix.firewalld:
-        zone: "{{ item }}"
-        service: dns
-        permanent: true
-        immediate: true
-        state: enabled
-      loop:
-        - drop
-        - dmz
 
 - name: Firewall rules for production and staging
   loop:
@@ -93,13 +59,15 @@
   loop_control:
     loop_var: env
   block:
-    - name: Allow incoming connections from app servers to PostgreSQL
+    - name: Allow incoming connections from app servers to PostgreSQL port in zone 'internal'
       ansible.posix.firewalld:
         zone: internal
         source: "{{ hostvars[item].internal_ipv4 }}"
         service: postgresql
         permanent: true
-        immediate: true
         state: enabled
       loop: "{{ groups['app_' + env] }}"
       when: hostname in groups['db_' + env]
+
+- name: Flush handlers
+  ansible.builtin.meta: flush_handlers

roles/vm-common/tasks/main.yml

@@ -6,6 +6,7 @@
 
 - name: Configure firewall
   ansible.builtin.import_tasks: firewall.yml
+  notify: Reload firewalld
 
 - name: Configure user accounts
   ansible.builtin.import_tasks: users.yml