lab-ansible/roles/virt-common/tasks/firewall.yml

# vim: ft=yaml.ansible
# code: language=ansible
---
- name: General firewall rules
  notify: Reload firewalld
  block:
    - name: Move Guest LAN and and IoT LAN networks to zone 'drop'
      ansible.posix.firewalld:
        zone: drop
        source: "{{ item }}"
        permanent: true
        state: enabled
      loop:
        - 192.168.2.0/24
        - 192.168.4.0/24

    - name: Move Home LAN and VPN networks to zone 'dmz'
      ansible.posix.firewalld:
        zone: dmz
        source: "{{ item }}"
        permanent: true
        state: enabled
      loop:
        - 192.168.1.0/24
        - 192.168.8.0/24

    - name: Move Lab LAN network to zone 'public'
      ansible.posix.firewalld:
        zone: public
        source: 192.168.17.0/24
        permanent: true
        state: enabled

    - name: Move internal network to zone 'internal'
      ansible.posix.firewalld:
        zone: internal
        source: 10.2.0.0/16
        permanent: true
        state: enabled

    - name: Default deny incoming connections to SSH port in all zones
      ansible.posix.firewalld:
        zone: "{{ item }}"
        service: ssh
        permanent: true
        state: disabled
      loop:
        - drop
        - dmz
        - public
        - internal

    # Until sapt-labx-ctl01 is deployed
    - name: Allow incoming connections to SSH port in zone 'dmz'
      ansible.posix.firewalld:
        zone: dmz
        service: ssh
        permanent: true
        state: enabled

    # When sapt-labx-ctl01 is deployed
    # - name: Allow incoming connections from control machines to SSH port in zone 'public'
    #   ansible.posix.firewalld:
    #     zone: public
    #     source: "{{ hostvars[item].ansible_host }}"
    #     service: ssh
    #     permanent: true
    #     state: enabled
    #   loop: "{{ groups['control_infra'] }}"

- name: Firewall rules for DB servers
  when: hostname in groups['production'] or hostname in groups['staging']
  notify: Reload firewalld
  block:
    - name: Production | Allow incoming connections from app servers to PostgreSQL port in zone 'internal'
      ansible.posix.firewalld:
        zone: internal
        source: "{{ hostvars[item].internal_ipv4 }}"
        service: postgresql
        permanent: true
        state: enabled
      loop: "{{ groups['app_prod'] }}"
      when: hostname in groups['db_prod']

    - name: Staging | Allow incoming connections from app servers to PostgreSQL port in zone 'internal'
      ansible.posix.firewalld:
        zone: internal
        source: "{{ hostvars[item].internal_ipv4 }}"
        service: postgresql
        permanent: true
        state: enabled
      loop: "{{ groups['app_stage'] }}"
      when: hostname in groups['db_stage']

- name: Firewall rules for proxy servers
  when: hostname in group['proxyservers']
  notify: Reload firewalld
  block:
    - name: Allow incoming connections to HTTP port in zones 'drop' and 'dmz'
      ansible.posix.firewalld:
        zone: "{{ item }}"
        service: http
        permanent: true
        state: enabled
      loop:
        - drop
        - dmz

    - name: Allow incoming connections to HTTPS port in zones 'drop' and 'dmz'
      ansible.posix.firewalld:
        zone: "{{ item }}"
        service: https
        permanent: true
        state: enabled
      loop:
        - drop
        - dmz

    - name: Allow incoming connections to HTTP/3 port in zones 'drop' and 'dmz'
      ansible.posix.firewalld:
        zone: "{{ item }}"
        service: http3
        permanent: true
        state: enabled
      loop:
        - drop
        - dmz

- name: Flush handlers
  ansible.builtin.meta: flush_handlers