From 4a212bde391628b78d2f2678fa549797bb7446f6 Mon Sep 17 00:00:00 2001
From: surtur
Date: Wed, 2 Aug 2023 20:43:50 +0200
Subject: [PATCH] role(headscale): set firewall+add handler
---
 ansible/roles/headscale/handlers/main.yml | 7 ++++++
 ansible/roles/headscale/tasks/main.yml | 27 ++++++++++++++++++-----
 2 files changed, 28 insertions(+), 6 deletions(-)
 create mode 100644 ansible/roles/headscale/handlers/main.yml
diff --git a/ansible/roles/headscale/handlers/main.yml b/ansible/roles/headscale/handlers/main.yml
new file mode 100644
index 0000000..81c252f
--- /dev/null
+++ b/ansible/roles/headscale/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Restart caddy-hs
+ ansible.builtin.systemd:
+ name: caddy-hs
+ state: restarted
+ when: caddyfile.changed or caddysystemd.changed
+...
diff --git a/ansible/roles/headscale/tasks/main.yml b/ansible/roles/headscale/tasks/main.yml
index 05f3154..581a726 100644
--- a/ansible/roles/headscale/tasks/main.yml
+++ b/ansible/roles/headscale/tasks/main.yml
@@ -59,6 +59,26 @@
 - "%s"
 register: caddyfile
+- name: Enable services in the firewall
+ ansible.posix.firewalld:
+ zone: "{{ firewalld_default_zone }}"
+ service: "{{ item }}"
+ permanent: true
+ immediate: true
+ state: enabled
+ with_items:
+ - http
+ - https
+ when: "firewalld_configure"
+
+- name: Expose gRPC
+ ansible.posix.firewalld:
+ port: 50443/tcp
+ permanent: true
+ immediate: true
+ state: enabled
+ when: "firewalld_configure"
+
 # - name: Install xcaddy
 # ansible.builtin.command:
 # cmd: >
@@ -100,12 +120,7 @@
 state: started
 enabled: true
 daemon_reload: true
-
-- name: Restart caddy-hs ansible.builtin.systemd: name: caddy-hs state: restarted when: caddyfile.changed or caddysystemd.changed
+ notify: Restart caddy-hs - name: Fetch crt,key ansible.builtin.fetch:
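Review bot: The new handler in handlers/main.yml keeps `when: caddyfile.changed or caddysystemd.changed`, which is redundant now that the restart is driven by `notify` and turns into an undefined-variable error in any run where one of those registering tasks was skipped. In the second tasks/main.yml hunk only the systemd enable/start task gains `notify: Restart caddy-hs`; the Caddyfile task whose `register: caddyfile` shows as context in the first tasks hunk does not, so a Caddyfile-only change no longer restarts the service the way the removed task did (the task registering `caddysystemd` is outside the hunks, presumably the same applies there). Suggest dropping the `when:` line from the handler and adding `notify: Restart caddy-hs` to every task that writes the Caddyfile or the unit file, keeping the systemd task's notify as well. A one-line comment on the handler such as `# Triggered via notify from the Caddyfile/unit tasks; no extra condition needed` would make the contract clear.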
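Review bot: The `Expose gRPC` task in the first tasks/main.yml hunk has no `zone:`, so 50443/tcp is opened in firewalld's own default zone while the task above it targets `{{ firewalld_default_zone }}`; if the two differ, the gRPC port lands in a different zone than http/https and the role's zone variable silently stops covering it. Add `zone: "{{ firewalld_default_zone }}"` to that task so both rules land together. The port is also hard-coded where the services are parameterised; a role default (placeholder name `headscale_grpc_port`) plus a comment like `# presumably the headscale gRPC API port - confirm it must be reachable from outside this host` would keep the exposure visible, since this opens a management endpoint in the same zone as public web traffic. `with_items` is the legacy form; `loop:` is the current idiom for the http/https task.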