# vim: ft=yaml.ansible
# code: language=ansible
---
- name: Move DMZ network to zone 'dmz'
  ansible.posix.firewalld:
    zone: dmz
    source: 192.168.17.0/24
    permanent: true
    immediate: true
    state: enabled

- name: Move interface 'eth1' to zone 'internal'
  ansible.posix.firewalld:
    zone: internal
    interface: eth1
    permanent: true
    immediate: true
    state: enabled

# Until sapt-labx-ctl01 is deployed
- name: Allow incoming connections from main LAN to SSH port
  ansible.posix.firewalld:
    zone: dmz
    source: 192.168.1.0/24
    service: ssh
    permanent: true
    immediate: true
    state: enabled
  when: true

# When sapt-labx-ctl01 is deployed
- name: Allow incoming connections from jump host to SSH port
  ansible.posix.firewalld:
    zone: dmz
    source: "{{ hostvars['sapt-labx-ctl01'].ansible_host }}"
    service: ssh
    permanent: true
    immediate: true
    state: enabled
  when: false

- name: Firewall rules for group 'control_infra'
  when: hostname in groups['control_infra']
  block:
    - name: Allow incoming connections from main LAN to SSH port
      ansible.posix.firewalld:
        zone: dmz
        source: 192.168.1.0/24
        service: ssh
        permanent: true
        immediate: true
        state: enabled

    - name: Allow incoming connections from LAN to DNS port
      ansible.posix.firewalld:
        zone: dmz
        source: 192.168.0.0/16
        port: 53/{{ item }}
        permanent: true
        immediate: true
        state: enabled
      loop:
        - tcp
        - udp

- name: Firewall rules for production and staging
  loop:
    - prod
    - stage
  loop_control:
    loop_var: env
  block:
    - name: Allow incoming connections from app servers to PostgreSQL
      ansible.posix.firewalld:
        zone: internal
        source: "{{ hostvars[item].internal_ipv4 }}"
        port: 5432/tcp
        permanent: true
        immediate: true
        state: enabled
      loop: "{{ groups['app_' + env] }}"
      when: hostname in groups['db_' + env]