From fa0d70732d6ab6a21ff3c5b3bc47843fbcd557da Mon Sep 17 00:00:00 2001
From: Sam Al-Sapti
Date: Thu, 28 Dec 2023 21:04:33 +0100
Subject: [PATCH] Allow HTTP(S) for public zone

---
 roles/virt-common/tasks/firewall.yml | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)

diff --git a/roles/virt-common/tasks/firewall.yml b/roles/virt-common/tasks/firewall.yml
index 4e649c1..03dc312 100644
--- a/roles/virt-common/tasks/firewall.yml
+++ b/roles/virt-common/tasks/firewall.yml
@@ -18,8 +18,9 @@
         permanent: true
         state: enabled
 
-    - name: Deny incoming connections to SSH port in default zone
+    - name: Deny incoming connections to SSH port in zone 'public'
       ansible.posix.firewalld:
+        zone: public
         service: ssh
         permanent: true
         state: disabled
@@ -46,23 +47,32 @@
       when: hostname in groups['proxyservers']
       notify: Reload firewalld
       block:
-        - name: Allow incoming connections to HTTP port in zone 'dmz'
+        - name: Allow incoming connections to HTTP port in zones 'public' and 'dmz'
           ansible.posix.firewalld:
-            zone: dmz
+            zone: "{{ item }}"
             service: http
             permanent: true
             state: enabled
+          loop:
+            - public
+            - dmz
 
-        - name: Allow incoming connections to HTTPS port in zone 'dmz'
+        - name: Allow incoming connections to HTTPS port in zones 'public' and 'dmz'
           ansible.posix.firewalld:
-            zone: dmz
+            zone: "{{ item }}"
             service: https
             permanent: true
             state: enabled
+          loop:
+            - public
+            - dmz
 
-        - name: Allow incoming connections to HTTP/3 port in zone 'dmz'
+        - name: Allow incoming connections to HTTP/3 port in zones 'public' and 'dmz'
           ansible.posix.firewalld:
-            zone: dmz
+            zone: "{{ item }}"
             service: http3
             permanent: true
             state: enabled
+          loop:
+            - public
+            - dmz
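Review bot: Pinning `zone: public` on the SSH deny task narrows what it covers: the old task acted on whatever firewalld's default zone was on the host, so on any host whose default zone is not `public` the SSH service is no longer removed by this task (the hunk does not show how the default zone is set, so this may already be guaranteed elsewhere in the role). If `public` is the intended default everywhere, a one-line comment above the task would record that, e.g. `# 'public' is the default zone on all virt hosts; SSH is only reachable via the internal zone`. The block this task belongs to starts outside the hunk.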
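Review bot: The three tasks in the proxyservers block now differ only in `service:` and each repeats the same two-item `loop:`, so a future change to the zone list has to be made in three places. They can collapse into a single task that loops over the zone × service product with the `product` filter, keeping `permanent: true` and the existing `notify: Reload firewalld` handler for applying the rules. The enclosing block starts before the hunk and its `when:` guard remains the only thing restricting these public-zone openings to proxy hosts.
```yaml
        - name: Allow incoming connections to HTTP, HTTPS and HTTP/3 ports in zones 'public' and 'dmz'
          ansible.posix.firewalld:
            zone: "{{ item.0 }}"
            service: "{{ item.1 }}"
            permanent: true
            state: enabled
          loop: "{{ ['public', 'dmz'] | product(['http', 'https', 'http3']) | list }}"
```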