add firewalld role

ansible/roles/firewalld/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+firewalld_configure: "{{ undef(hint='You must set this variable to specify whether to enable and start firewalld') }}"
+firewalld_default_zone: public
+firewalld_log_denied: "off"
+firewalld_firewall_backend: nftables
+...

ansible/roles/firewalld/handlers/main.yml

@@ -0,0 +1,17 @@
+---
+# NOTE: hack for a systemd bug (restarting firewalld.service fails due to fail2ban.service)
+# https://github.com/systemd/systemd/issues/2830
+# https://bugzilla.opensuse.org/show_bug.cgi?id=1146856
+# - name: Restart firewalld
+#   service: name=firewalld state=restarted
+- name: Stop firewalld
+  service:
+    name: firewalld
+    state: stopped
+  listen: Restart firewalld
+- name: Start firewalld
+  service:
+    name: firewalld
+    state: started
+  listen: Restart firewalld
+...

ansible/roles/firewalld/tasks/main.yml

@@ -0,0 +1,29 @@
+---
+- name: Install firewalld
+  ansible.builtin.package:
+    name: firewalld
+    state: present
+
+- name: Install firewalld config
+  ansible.builtin.template:
+    src: firewalld.conf.j2
+    dest: /etc/firewalld/firewalld.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - Restart firewalld
+
+- name: Start and enable firewalld
+  ansible.builtin.service:
+    name: firewalld
+    enabled: "{{ firewalld_configure }}"
+    state: "{{ firewalld_configure | ternary('started', 'stopped') }}"
+
+- name: Disable default dhcpv6-client rule
+  ansible.posix.firewalld:
+    service: dhcpv6-client
+    state: disabled
+    immediate: true
+  when: "firewalld_configure and firewalld_disable_dhcpv6_client"
+...

ansible/roles/firewalld/templates/firewalld.conf.j2

@@ -0,0 +1,75 @@
+# {{ ansible_managed }}
+# firewalld config file
+
+# default zone
+# The default zone used if an empty zone string is used.
+# Default: public
+DefaultZone={{ firewalld_default_zone }}
+
+# Clean up on exit
+# If set to no or false the firewall configuration will not get cleaned up
+# on exit or stop of firewalld.
+# Default: yes
+CleanupOnExit=yes
+
+# Clean up kernel modules on exit
+# If set to yes or true the firewall related kernel modules will be
+# unloaded on exit or stop of firewalld. This might attempt to unload
+# modules not originally loaded by firewalld.
+# Default: no
+CleanupModulesOnExit=no
+
+# Lockdown
+# If set to enabled, firewall changes with the D-Bus interface will be limited
+# to applications that are listed in the lockdown whitelist.
+# The lockdown whitelist file is lockdown-whitelist.xml
+# Default: no
+Lockdown=no
+
+# IPv6_rpfilter
+# Performs a reverse path filter test on a packet for IPv6. If a reply to the
+# packet would be sent via the same interface that the packet arrived on, the
+# packet will match and be accepted, otherwise dropped.
+# The rp_filter for IPv4 is controlled using sysctl.
+# Note: This feature has a performance impact. See man page FIREWALLD.CONF(5)
+# for details.
+# Default: yes
+IPv6_rpfilter=yes
+
+# IndividualCalls
+# Do not use combined -restore calls, but individual calls. This increases the
+# time that is needed to apply changes and to start the daemon, but is good for
+# debugging.
+# Default: no
+IndividualCalls=no
+
+# LogDenied
+# Add logging rules right before reject and drop rules in the INPUT, FORWARD
+# and OUTPUT chains for the default rules and also final reject and drop rules
+# in zones. Possible values are: all, unicast, broadcast, multicast and off.
+# Default: off
+LogDenied={{ firewalld_log_denied }}
+
+# FirewallBackend
+# Selects the firewall backend implementation.
+# Choices are:
+#	- nftables (default)
+#	- iptables (iptables, ip6tables, ebtables and ipset)
+# Note: The iptables backend is deprecated. It will be removed in a future
+# release.
+FirewallBackend={{ firewalld_firewall_backend }}
+
+# FlushAllOnReload
+# Flush all runtime rules on a reload. In previous releases some runtime
+# configuration was retained during a reload, namely; interface to zone
+# assignment, and direct rules. This was confusing to users. To get the old
+# behavior set this to "no".
+# Default: yes
+FlushAllOnReload=yes
+
+# RFC3964_IPv4
+# As per RFC 3964, filter IPv6 traffic with 6to4 destination addresses that
+# correspond to IPv4 addresses that should not be routed over the public
+# internet.
+# Defaults to "yes".
+RFC3964_IPv4=yes