Smarter firewall handling again

roles/vm-common/tasks/firewall.yml

@@ -1,6 +1,9 @@
 # vim: ft=yaml.ansible
 # code: language=ansible
 ---
+- name: General firewall rules
+  notify: Reload firewalld
+  block:
     - name: Move main LAN and VPN networks to zone 'drop'
       ansible.posix.firewalld:
         zone: drop
@@ -35,6 +38,14 @@
         - dmz
         - internal
 
+    # Until sapt-labx-ctl01 is deployed
+    - name: Allow incoming connections to SSH port in zone 'drop'
+      ansible.posix.firewalld:
+        zone: drop
+        service: ssh
+        permanent: true
+        state: enabled
+
     # When sapt-labx-ctl01 is deployed
     # - name: Allow incoming connections from jump host to SSH port in zone 'dmz'
     #   ansible.posix.firewalld:
@@ -44,20 +55,13 @@
     #     permanent: true
     #     state: enabled
 
-# Until sapt-labx-ctl01 is deployed
-- name: Allow incoming connections to SSH port in zone 'drop'
-  ansible.posix.firewalld:
-    zone: drop
-    service: ssh
-    permanent: true
-    state: enabled
-
 - name: Firewall rules for production and staging
   loop:
     - prod
     - stage
   loop_control:
     loop_var: env
+  notify: Reload firewalld
   block:
     - name: Allow incoming connections from app servers to PostgreSQL port in zone 'internal'
       ansible.posix.firewalld:

roles/vm-common/tasks/main.yml

@@ -6,7 +6,6 @@
 
 - name: Configure firewall
   ansible.builtin.import_tasks: firewall.yml
-  notify: Reload firewalld
 
 - name: Configure user accounts
   ansible.builtin.import_tasks: users.yml