---
# Shared baseline applied to every host before the per-host rules below;
# what it sets up lives in the helper (not shown here).
- import_playbook: helpers/firewall_basic_setup.yaml


- name: Configure firewall
  # Targets are enumerated explicitly; the service tasks below then decide
  # per host by inventory group (mariadb, samba, pihole, www, www_apache).
  hosts:
  - outpost.ping.local
  - union.ping.local
  - dropshuttle.ping.local
  - malinka.ping.local
  - jezynka.ping.local
  - potemkin.ping.local
  - python-cave.ping.local
  - rawhide.ping.local
  - strategie.ping.local
  - stream.ping.local
  - ubuntu2004test.ping.local
  - centos8test.ping.local
  - fedora33test.ping.local
  - leap15test.ping.local
  - rhel8.ping.local

  tasks:

# ------------------------------------------------------
# ---------------- SSH ---------------------------------
# ------------------------------------------------------

  - name: Open ports on all hosts.
    # SSH on every host, limited to the LAN: ufw gets `OpenSSH` with the
    # /24 as `source`, firewalld gets the `ssh` service in the `home` zone.
    # Whether `source` is also applied on firewalld hosts is decided inside
    # helpers/firewall_open.yaml (not shown here).
    include_tasks: helpers/firewall_open.yaml
    loop:
    - service_firewalld: ssh
      service_ufw: OpenSSH
      proto: tcp
      zone: home
      source: 192.168.111.0/24
      comment: Remote shell

  - name: Close ports on all hosts.
    # Remove services that firewalld's stock zones (or an earlier run) may
    # have enabled but this playbook never needs: ssh stays reachable only
    # through the `home` zone opened above; cockpit, mdns and samba-client
    # are not exposed anywhere. firewalld-only items (no ufw keys).
    include_tasks: helpers/firewall_close.yaml
    loop:
    - service_firewalld: ssh
      zone: public
    - service_firewalld: samba-client
      zone: home
    - service_firewalld: mdns
      zone: home
    - service_firewalld: cockpit
      zone: home
    - service_firewalld: cockpit
      zone: public


# ------------------------------------------------------
# ---------------- Monitoring --------------------------
# ------------------------------------------------------

  - name: Open ports for NRPE.
    # NRPE agent port, reachable only from the single monitoring host rather
    # than the whole LAN. Runs on every host in the play, so each of them is
    # assumed to run nrpe.
    include_tasks: helpers/firewall_open.yaml
    loop:
    - port_firewalld: 5666/tcp
      port_ufw: 5666
      proto: tcp
      zone: home
      source: 192.168.111.19
      comment: nrpe

  - name: Delete rules, which are blocking access to NRPE.
    # ufw is first-match, so a deny for 5666 left from an earlier run would
    # shadow the allow above; drop it. What the helper does on firewalld
    # hosts is defined in helpers/firewall_delete_deny.yaml (not shown).
    include_tasks: helpers/firewall_delete_deny.yaml
    loop:
    - port_firewalld: 5666/tcp
      port_ufw: 5666
      proto: tcp
      zone: home
      source: 192.168.111.19
      comment: nrpe

  - name: Open ports for MariaDB.
    # Database hosts only: 3306 is opened solely for the monitoring host,
    # never for the LAN at large.
    include_tasks: helpers/firewall_open.yaml
    loop:
    - port_firewalld: 3306/tcp
      port_ufw: 3306
      proto: tcp
      zone: home
      source: 192.168.111.19
      comment: Monitoring MariaDB
    when: "'mariadb' in group_names"

  - name: Delete rules, which are blocking access to MariaDB.
    # A host that joined the mariadb group after a run of the close task
    # below still carries the deny for 3306; remove it so the allow above
    # is not shadowed (ufw evaluates rules first-match).
    include_tasks: helpers/firewall_delete_deny.yaml
    loop:
    - port_firewalld: 3306/tcp
      port_ufw: 3306
      proto: tcp
      zone: home
      source: 192.168.111.19
      comment: Monitoring MariaDB
    when: "'mariadb' in group_names"

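  - name: Close ports for MariaDB.
    # Hosts outside the mariadb group must not expose 3306 at all. Same shape
    # as the Samba/DNS/WWW close tasks: the LAN-scoped `home` entry plus a
    # catch-all `public`/0.0.0.0/0 entry, so a stray rule in the public zone
    # is removed as well.
    include_tasks: helpers/firewall_close.yaml
    loop:
    - port_firewalld: 3306/tcp
      port_ufw: 3306
      proto: tcp
      zone: home
      source: 192.168.111.19
      comment: Monitoring MariaDB
    - port_firewalld: 3306/tcp
      port_ufw: 3306
      proto: tcp
      zone: public
      source: 0.0.0.0/0
      comment: Monitoring MariaDB
    when: "'mariadb' not in group_names"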


# ------------------------------------------------------
# ---------------- Samba -------------------------------
# ------------------------------------------------------

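  - name: Open ports for Samba.
    # Samba listens on 445/tcp (SMB), 139/tcp (NetBIOS session), 137/udp
    # (NetBIOS name service) and 138/udp (NetBIOS datagram). 445/udp,
    # 137/tcp and 138/tcp are not used by Samba: opening them only adds
    # attack surface, and without 137/udp and 138/udp nmbd's name
    # resolution and browsing do not work across the LAN.
    include_tasks: helpers/firewall_open.yaml
    loop:
    - port_firewalld: 445/tcp
      port_ufw: 445
      proto: tcp
      zone: home
      source: 192.168.111.0/24
      comment: Samba
    - port_firewalld: 139/tcp
      port_ufw: 139
      proto: tcp
      zone: home
      source: 192.168.111.0/24
      comment: Samba
    - port_firewalld: 137/udp
      port_ufw: 137
      proto: udp
      zone: home
      source: 192.168.111.0/24
      comment: Samba
    - port_firewalld: 138/udp
      port_ufw: 138
      proto: udp
      zone: home
      source: 192.168.111.0/24
      comment: Samba
    when: "'samba' in group_names"

  - name: Delete rules, which are blocking access to Samba.
    # Remove LAN and catch-all denies left by the close task below on a host
    # that has since joined the samba group (ufw is first-match, so a stale
    # deny would shadow the allows above).
    include_tasks: helpers/firewall_delete_deny.yaml
    loop:
    - port_firewalld: 445/tcp
      port_ufw: 445
      proto: tcp
      zone: home
      source: 192.168.111.0/24
      comment: Samba
    - port_firewalld: 445/tcp
      port_ufw: 445
      proto: tcp
      zone: home
      source: 0.0.0.0/0
      comment: Samba
    - port_firewalld: 139/tcp
      port_ufw: 139
      proto: tcp
      zone: home
      source: 192.168.111.0/24
      comment: Samba
    - port_firewalld: 139/tcp
      port_ufw: 139
      proto: tcp
      zone: home
      source: 0.0.0.0/0
      comment: Samba
    - port_firewalld: 137/udp
      port_ufw: 137
      proto: udp
      zone: home
      source: 192.168.111.0/24
      comment: Samba
    - port_firewalld: 137/udp
      port_ufw: 137
      proto: udp
      zone: home
      source: 0.0.0.0/0
      comment: Samba
    - port_firewalld: 138/udp
      port_ufw: 138
      proto: udp
      zone: home
      source: 192.168.111.0/24
      comment: Samba
    - port_firewalld: 138/udp
      port_ufw: 138
      proto: udp
      zone: home
      source: 0.0.0.0/0
      comment: Samba
    when: "'samba' in group_names"

  - name: Close ports that Samba does not use.
    # Unconditional clean-up of the LAN-scoped rules for the three ports
    # Samba never listens on, so no host keeps them open.
    include_tasks: helpers/firewall_close.yaml
    loop:
    - port_firewalld: 445/udp
      port_ufw: 445
      proto: udp
      zone: home
      source: 192.168.111.0/24
      comment: Samba
    - port_firewalld: 137/tcp
      port_ufw: 137
      proto: tcp
      zone: home
      source: 192.168.111.0/24
      comment: Samba
    - port_firewalld: 138/tcp
      port_ufw: 138
      proto: tcp
      zone: home
      source: 192.168.111.0/24
      comment: Samba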

# ------------------------------------------------------
# ---------------- DNS, Pi-hole ------------------------
# ------------------------------------------------------

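  - name: Open ports for DNS server.
    # Pi-hole host: DNS over tcp and udp, the DHCP server port and FTL's API
    # port, all LAN-scoped. Each port is listed exactly once (a duplicate
    # entry only costs a redundant helper run, the helper being idempotent).
    include_tasks: helpers/firewall_open.yaml
    loop:
    - port_firewalld: 53/tcp
      port_ufw: 53
      proto: tcp
      zone: home
      source: 192.168.111.0/24
      comment: Pi-hole
    - port_firewalld: 53/udp
      port_ufw: 53
      proto: udp
      zone: home
      source: 192.168.111.0/24
      comment: Pi-hole
    # NOTE(review): DHCP discovery is sent from source 0.0.0.0 to the
    # broadcast address, so a ufw rule restricted to 192.168.111.0/24 does
    # not match it. If Pi-hole's DHCP server is actually in use, 67/udp has
    # to be allowed from any source (how the helper applies `source` on
    # firewalld hosts decides whether those are affected) — confirm.
    - port_firewalld: 67/udp
      port_ufw: 67
      proto: udp
      zone: home
      source: 192.168.111.0/24
      comment: Pi-hole
    # NOTE(review): 4711 is FTL's API port, which FTL binds to localhost by
    # default; opening it LAN-wide is only useful if FTL was reconfigured to
    # listen on the LAN, and that API has no authentication of its own —
    # confirm the exposure is intended.
    - port_firewalld: 4711/tcp
      port_ufw: 4711
      proto: tcp
      zone: home
      source: 192.168.111.0/24
      comment: Pi-hole
    when: "'pihole' in group_names"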

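  - name: Delete rules, which are blocking access DNS server.
    # Remove LAN and catch-all denies left by the close task below on a host
    # that has since joined the pihole group (ufw is first-match, so a stale
    # deny would shadow the allows above). One pair of entries per port.
    include_tasks: helpers/firewall_delete_deny.yaml
    loop:
    - port_firewalld: 53/tcp
      port_ufw: 53
      proto: tcp
      zone: home
      source: 192.168.111.0/24
      comment: Pi-hole
    - port_firewalld: 53/tcp
      port_ufw: 53
      proto: tcp
      zone: home
      source: 0.0.0.0/0
      comment: Pi-hole
    - port_firewalld: 53/udp
      port_ufw: 53
      proto: udp
      zone: home
      source: 192.168.111.0/24
      comment: Pi-hole
    - port_firewalld: 53/udp
      port_ufw: 53
      proto: udp
      zone: home
      source: 0.0.0.0/0
      comment: Pi-hole
    - port_firewalld: 67/udp
      port_ufw: 67
      proto: udp
      zone: home
      source: 192.168.111.0/24
      comment: Pi-hole
    - port_firewalld: 67/udp
      port_ufw: 67
      proto: udp
      zone: home
      source: 0.0.0.0/0
      comment: Pi-hole
    - port_firewalld: 4711/tcp
      port_ufw: 4711
      proto: tcp
      zone: home
      source: 192.168.111.0/24
      comment: Pi-hole
    - port_firewalld: 4711/tcp
      port_ufw: 4711
      proto: tcp
      zone: home
      source: 0.0.0.0/0
      comment: Pi-hole
    when: "'pihole' in group_names"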

  - name: Close ports for DNS server.
    # Every host outside the pihole group: close the LAN-scoped `home` rule
    # and add a catch-all `public`/0.0.0.0/0 entry for each Pi-hole port.
    include_tasks: helpers/firewall_close.yaml
    loop:
    - port_firewalld: 53/tcp
      port_ufw: 53
      proto: tcp
      zone: home
      source: 192.168.111.0/24
      comment: Pi-hole
    - port_firewalld: 53/tcp
      port_ufw: 53
      proto: tcp
      zone: public
      source: 0.0.0.0/0
      comment: Pi-hole
    - port_firewalld: 53/udp
      port_ufw: 53
      proto: udp
      zone: home
      source: 192.168.111.0/24
      comment: Pi-hole
    - port_firewalld: 53/udp
      port_ufw: 53
      proto: udp
      zone: public
      source: 0.0.0.0/0
      comment: Pi-hole
    - port_firewalld: 67/udp
      port_ufw: 67
      proto: udp
      zone: home
      source: 192.168.111.0/24
      comment: Pi-hole
    - port_firewalld: 67/udp
      port_ufw: 67
      proto: udp
      zone: public
      source: 0.0.0.0/0
      comment: Pi-hole
    - port_firewalld: 4711/tcp
      port_ufw: 4711
      proto: tcp
      zone: home
      source: 192.168.111.0/24
      comment: Pi-hole
    - port_firewalld: 4711/tcp
      port_ufw: 4711
      proto: tcp
      zone: public
      source: 0.0.0.0/0
      comment: Pi-hole
    when: "'pihole' not in group_names"

# ------------------------------------------------------
# ---------------- HTTP(S) -----------------------------
# ------------------------------------------------------
  
  - name: Open ports for http.
    # Web hosts and the Pi-hole host (its admin UI is served on 80). Plain
    # HTTP: credentials entered there cross the LAN unencrypted unless TLS is
    # terminated in front of it, so LAN-only exposure is the intent here.
    include_tasks: helpers/firewall_open.yaml
    loop:
    - port_firewalld: 80/tcp
      port_ufw: 80
      proto: tcp
      zone: home
      source: 192.168.111.0/24
      comment: WWW
    when: >-
      'www' in group_names
      or 'www_apache' in group_names
      or 'pihole' in group_names

  - name: Open ports for https.
    # Web hosts only (the Pi-hole host gets no 443), LAN-scoped.
    include_tasks: helpers/firewall_open.yaml
    loop:
    - port_firewalld: 443/tcp
      port_ufw: 443
      proto: tcp
      zone: home
      source: 192.168.111.0/24
      comment: WWW
    when: "'www' in group_names or 'www_apache' in group_names"

  - name: Close http access.
    # Any host that is neither a web host nor the Pi-hole host: close the
    # LAN-scoped `home` rule and add the catch-all `public` entry.
    include_tasks: helpers/firewall_close.yaml
    loop:
    - port_firewalld: 80/tcp
      port_ufw: 80
      proto: tcp
      zone: home
      source: 192.168.111.0/24
      comment: WWW
    - port_firewalld: 80/tcp
      port_ufw: 80
      proto: tcp
      zone: public
      source: 0.0.0.0/0
      comment: WWW
    when: >-
      'www' not in group_names
      and 'www_apache' not in group_names
      and 'pihole' not in group_names

  - name: Close https access.
    # Any host that is not a web host: close the LAN-scoped `home` rule and
    # add the catch-all `public` entry.
    include_tasks: helpers/firewall_close.yaml
    loop:
    - port_firewalld: 443/tcp
      port_ufw: 443
      proto: tcp
      zone: home
      source: 192.168.111.0/24
      comment: WWW
    - port_firewalld: 443/tcp
      port_ufw: 443
      proto: tcp
      zone: public
      source: 0.0.0.0/0
      comment: WWW
    when: "'www' not in group_names and 'www_apache' not in group_names"

  - name: Delete rule blocking http.
    # Web and Pi-hole hosts: remove LAN and catch-all denies left by the
    # close task above on a host that has since joined one of the groups
    # (ufw is first-match, so a stale deny would shadow the allow).
    include_tasks: helpers/firewall_delete_deny.yaml
    loop:
    - port_firewalld: 80/tcp
      port_ufw: 80
      proto: tcp
      zone: home
      source: 192.168.111.0/24
      comment: WWW
    - port_firewalld: 80/tcp
      port_ufw: 80
      proto: tcp
      zone: home
      source: 0.0.0.0/0
      comment: WWW
    when: >-
      'www' in group_names
      or 'www_apache' in group_names
      or 'pihole' in group_names

  - name: Delete rule blocking https.
    # Web hosts: remove LAN and catch-all denies for 443 left by the close
    # task above (ufw is first-match, so a stale deny would shadow the allow).
    include_tasks: helpers/firewall_delete_deny.yaml
    loop:
    - port_firewalld: 443/tcp
      port_ufw: 443
      proto: tcp
      zone: home
      source: 192.168.111.0/24
      comment: WWW
    - port_firewalld: 443/tcp
      port_ufw: 443
      proto: tcp
      zone: home
      source: 0.0.0.0/0
      comment: WWW
    when: "'www' in group_names or 'www_apache' in group_names"
  
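  handlers:

  - name: Reload firewall
    # firewalld applies --permanent changes only after a reload. Uses
    # `command` rather than `raw`: every host in this play already runs
    # Python-based modules, and `raw` is meant for bootstrapping only.
    # NOTE(review): firewall-cmd does not exist on ufw hosts (the Ubuntu test
    # box is in this play), so the notifying task in the helpers (not shown
    # here) must notify this handler on firewalld hosts only — confirm.
    command: firewall-cmd --reload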