Smarter firewall handling again

roles/vm-common/tasks/firewall.yml

@@ -1,56 +1,59 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
-- name: Move main LAN and VPN networks to zone 'drop'
+- name: General firewall rules
-  ansible.posix.firewalld:
+  notify: Reload firewalld
-    zone: drop
+  block:
-    source: "{{ item }}"
+    - name: Move main LAN and VPN networks to zone 'drop'
-    permanent: true
+      ansible.posix.firewalld:
-    state: enabled
+        zone: drop
-  loop:
+        source: "{{ item }}"
-    - 192.168.1.0/24
+        permanent: true
-    - 192.168.8.0/24
+        state: enabled
+      loop:
+        - 192.168.1.0/24
+        - 192.168.8.0/24
 
-- name: Move lab network to zone 'dmz'
+    - name: Move lab network to zone 'dmz'
-  ansible.posix.firewalld:
+      ansible.posix.firewalld:
-    zone: dmz
+        zone: dmz
-    source: 192.168.17.0/24
+        source: 192.168.17.0/24
-    permanent: true
+        permanent: true
-    state: enabled
+        state: enabled
 
-- name: Move internal network to zone 'internal'
+    - name: Move internal network to zone 'internal'
-  ansible.posix.firewalld:
+      ansible.posix.firewalld:
-    zone: internal
+        zone: internal
-    source: 10.2.0.0/16
+        source: 10.2.0.0/16
-    permanent: true
+        permanent: true
-    state: enabled
+        state: enabled
 
-- name: Default deny incoming connections to SSH port in zones 'dmz' and 'internal'
+    - name: Default deny incoming connections to SSH port in zones 'dmz' and 'internal'
-  ansible.posix.firewalld:
+      ansible.posix.firewalld:
-    zone: "{{ item }}"
+        zone: "{{ item }}"
-    service: ssh
+        service: ssh
-    permanent: true
+        permanent: true
-    state: disabled
+        state: disabled
-  loop:
+      loop:
-    - dmz
+        - dmz
-    - internal
+        - internal
 
-# When sapt-labx-ctl01 is deployed
+    # Until sapt-labx-ctl01 is deployed
-# - name: Allow incoming connections from jump host to SSH port in zone 'dmz'
+    - name: Allow incoming connections to SSH port in zone 'drop'
-#   ansible.posix.firewalld:
+      ansible.posix.firewalld:
-#     zone: dmz
+        zone: drop
-#     source: "{{ hostvars['sapt-labx-ctl01'].ansible_host }}"
+        service: ssh
-#     service: ssh
+        permanent: true
-#     permanent: true
+        state: enabled
-#     state: enabled
 
-# Until sapt-labx-ctl01 is deployed
+    # When sapt-labx-ctl01 is deployed
-- name: Allow incoming connections to SSH port in zone 'drop'
+    # - name: Allow incoming connections from jump host to SSH port in zone 'dmz'
-  ansible.posix.firewalld:
+    #   ansible.posix.firewalld:
-    zone: drop
+    #     zone: dmz
-    service: ssh
+    #     source: "{{ hostvars['sapt-labx-ctl01'].ansible_host }}"
-    permanent: true
+    #     service: ssh
-    state: enabled
+    #     permanent: true
+    #     state: enabled
 
 - name: Firewall rules for production and staging
   loop:
@@ -58,6 +61,7 @@
     - stage
   loop_control:
     loop_var: env
+  notify: Reload firewalld
   block:
     - name: Allow incoming connections from app servers to PostgreSQL port in zone 'internal'
       ansible.posix.firewalld:

roles/vm-common/tasks/main.yml

@@ -6,7 +6,6 @@
 
 - name: Configure firewall
   ansible.builtin.import_tasks: firewall.yml
-  notify: Reload firewalld
 
 - name: Configure user accounts
   ansible.builtin.import_tasks: users.yml