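---
# Firewall management (Debian/ufw branch): default-deny inbound with logging,
# plus an explicit allow list built from firewall_basic_rules and the optional
# per-host firewall_host_rules.
# NOTE(review): only the Debian family is handled in this span; the file may
# continue with other OS families below — confirm before relying on it.

# generic settings
- name: "firewall - set default policy and enable logging"
  tags: "firewall"
  block:
    # set vars
    - name: "set vars"
      ansible.builtin.set_fact:
        __firewall_enable: "{{ firewall_enable }}"
        # default([]) — the previous `default[]` is not valid Jinja and fails to
        # template on every host; union() also deduplicates rules that appear in
        # both the basic and the host-specific list.
        __firewall_all_rules: "{{ firewall_basic_rules | union(firewall_host_rules | default([])) }}"

    # debugging (prints at normal verbosity; consider verbosity: 1 once stable)
    - name: "debug"
      ansible.builtin.debug:
        msg: "outside {{ firewall_enable }}"
    - name: "debug"
      ansible.builtin.debug:
        msg: "inside {{ __firewall_enable }}"

    # manage firewall for debian
    - name: "firewall - debian family"
      when: "ansible_os_family == 'Debian'"
      block:
        # remove and disable firewall
        # `| bool` accepts true/false, yes/no and the quoted string forms; the
        # previous `== "false"` / `== "true"` string comparison matched NEITHER
        # branch when the inventory supplied a real boolean, so the host was
        # silently left in whatever state it already had (possibly no firewall).
        - name: "remove and disable firewall"
          when: "not (__firewall_enable | bool)"
          block:
            # stop service — ignore_errors tolerates ufw not being installed;
            # the apt removal below is the authoritative step
            - name: "firewall - stop ufw"
              ansible.builtin.service:
                name: "ufw"
                state: "stopped"
                enabled: false
              ignore_errors: true
            # remove package
            - name: "firewall - remove ufw"
              ansible.builtin.apt:
                name: "ufw"
                state: "absent"

        # install and enable firewall
        - name: "install and enable firewall"
          when: "__firewall_enable | bool"
          block:
            # install ufw
            - name: "firewall - install ufw"
              ansible.builtin.apt:
                name: "ufw"
                state: "present"

            # default policy first, WITHOUT enabling yet: enabling ufw with
            # deny-incoming before the allow rules exist rejects every new
            # inbound connection (a fresh Ansible SSH session included) until
            # the rules task has run.
            - name: "firewall - default policy - debian"
              community.general.ufw:
                direction: "incoming"
                policy: "deny"

            # firewall rules — from_ip and to_port deliberately have no
            # default(): a rule missing either fails the play instead of
            # silently widening to "any"; only proto defaults (to tcp).
            - name: "firewall - add rules"
              community.general.ufw:
                rule: "allow"
                direction: "in"
                proto: "{{ item.proto | default('tcp') }}"
                from_ip: "{{ item.from_ip }}"
                to_port: "{{ item.to_port }}"
              loop: "{{ __firewall_all_rules }}"
              loop_control:
                label: " {{ item.name }}"

            # enable and turn on logging only once the allow list is in place
            - name: "firewall - generic settings - debian"
              community.general.ufw:
                state: "enabled"
                logging: "on"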