# vim: ft=yaml.ansible # code: language=ansible --- - name: General firewall rules notify: Reload firewalld block: - name: Move LAN networks to zone 'dmz' ansible.posix.firewalld: zone: dmz source: 192.168.0.0/16 permanent: true state: enabled when: instance_type != 'vps' - name: Move home IP addresses to zone 'dmz' ansible.posix.firewalld: zone: dmz source: "{{ item }}" permanent: true state: enabled loop: - "{{ home_ipv4 }}" - "{{ home_ipv6 }}" when: instance_type == 'vps' - name: Move internal network to zone 'internal' ansible.posix.firewalld: zone: internal source: 10.2.0.0/16 permanent: true state: enabled - name: Deny incoming connections to SSH port in zone 'public' ansible.posix.firewalld: zone: public service: ssh permanent: true state: disabled - name: Allow incoming connections to SSH port in zone 'dmz' ansible.posix.firewalld: zone: dmz service: ssh permanent: true state: enabled - name: Firewall rules for database servers when: hostname in groups['dbservers'] notify: Reload firewalld block: - name: Allow incoming connections to PostgreSQL port in zone 'internal' ansible.posix.firewalld: zone: internal service: postgresql permanent: true state: enabled - name: Firewall rules for proxy servers when: hostname in groups['proxyservers'] notify: Reload firewalld block: - name: Allow incoming connections to HTTP port in zones 'public' and 'dmz' ansible.posix.firewalld: zone: "{{ item }}" service: http permanent: true state: enabled loop: - public - dmz - name: Allow incoming connections to HTTPS port in zones 'public' and 'dmz' ansible.posix.firewalld: zone: "{{ item }}" service: https permanent: true state: enabled loop: - public - dmz - name: Allow incoming connections to HTTP/3 port in zones 'public' and 'dmz' ansible.posix.firewalld: zone: "{{ item }}" service: http3 permanent: true state: enabled loop: - public - dmz