# vim: ft=yaml.ansible
# code: language=ansible
---
# Baseline zone layout applied to every host. Every rule below is written
# with `permanent: true` only (no `immediate`), so the running firewall is
# unchanged until the notified 'Reload firewalld' handler runs.
- name: General firewall rules
  notify: Reload firewalld
  block:
    # Non-VPS hosts: the whole 192.168.0.0/16 range is treated as trusted
    # enough for 'dmz' (which gets SSH below).
    - name: Move LAN networks to zone 'dmz'
      ansible.posix.firewalld:
        zone: dmz
        source: 192.168.0.0/16
        permanent: true
        state: enabled
      when: instance_type != 'vps'

    # VPS hosts: only the listed home addresses (one IPv4 host, one IPv6 /48)
    # are placed in 'dmz'. The values are quoted so the IPv6 colons are not
    # mis-parsed by YAML.
    # NOTE(review): this and the previous task are mutually exclusive on
    # instance_type; if instance_type is undefined the play fails on the
    # conditional rather than silently applying neither rule — confirm that
    # fail-closed behaviour is intended.
    - name: Move home IP addresses to zone 'dmz'
      ansible.posix.firewalld:
        zone: dmz
        source: "{{ item }}"
        permanent: true
        state: enabled
      loop:
        - '46.32.144.131'
        - '2a06:4001:f02a::/48'
      when: instance_type == 'vps'

    # 10.2.0.0/16 is the 'internal' zone; the per-group service rules in this
    # file that target 'internal' (e.g. PostgreSQL) are reachable only from it.
    - name: Move internal network to zone 'internal'
      ansible.posix.firewalld:
        zone: internal
        source: 10.2.0.0/16
        permanent: true
        state: enabled

    # SSH exposure: explicitly removed from 'public' (typically firewalld's
    # default zone, i.e. any source not matched above) and explicitly granted
    # in 'dmz', so SSH is reachable only from the LAN/home sources listed here.
    # NOTE(review): zone 'internal' is not touched, so firewalld's stock
    # service set for that zone (which includes ssh in default installs)
    # still applies to 10.2.0.0/16 — confirm that is intended.
    - name: Deny incoming connections to SSH port in zone 'public'
      ansible.posix.firewalld:
        zone: public
        service: ssh
        permanent: true
        state: disabled

    - name: Allow incoming connections to SSH port in zone 'dmz'
      ansible.posix.firewalld:
        zone: dmz
        service: ssh
        permanent: true
        state: enabled

# Database hosts only: PostgreSQL is opened on 'internal' (10.2.0.0/16
# sources), never on 'public' or 'dmz'. Permanent-only, applied by the
# 'Reload firewalld' handler.
# NOTE(review): `hostname` is not one of Ansible's magic variables (the
# built-in is `inventory_hostname`); confirm it is defined in inventory or
# vars, otherwise this block fails with an undefined-variable error and the
# group never gets its rule.
- name: Firewall rules for database servers
  when: hostname in groups['dbservers']
  notify: Reload firewalld
  block:
    - name: Allow incoming connections to PostgreSQL port in zone 'internal'
      ansible.posix.firewalld:
        zone: internal
        service: postgresql
        permanent: true
        state: enabled

# Proxy / public-facing hosts only: HTTP, HTTPS and HTTP/3 are opened on
# both the untrusted 'public' zone and on 'dmz'. These are the only services
# in this file that are exposed on 'public'. Permanent-only, applied by the
# 'Reload firewalld' handler.
# NOTE(review): `hostname` is not an Ansible magic variable (compare
# `inventory_hostname`); confirm it is defined, or this block errors out.
- name: Firewall rules for proxy & public servers
  when: hostname in groups['proxyservers']
  notify: Reload firewalld
  block:
    - name: Allow incoming connections to HTTP port in zones 'public' and 'dmz'
      ansible.posix.firewalld:
        zone: "{{ item }}"
        service: http
        permanent: true
        state: enabled
      loop:
        - public
        - dmz

    - name: Allow incoming connections to HTTPS port in zones 'public' and 'dmz'
      ansible.posix.firewalld:
        zone: "{{ item }}"
        service: https
        permanent: true
        state: enabled
      loop:
        - public
        - dmz

    # NOTE(review): the 'http3' service (UDP/443) is only present in newer
    # firewalld releases; on a target without that service definition this
    # task fails. Confirm the managed hosts' firewalld version ships it.
    - name: Allow incoming connections to HTTP/3 port in zones 'public' and 'dmz'
      ansible.posix.firewalld:
        zone: "{{ item }}"
        service: http3
        permanent: true
        state: enabled
      loop:
        - public
        - dmz