refactor(configuration): consolidate firewall into one phase-aware path

2026-05-27 05:28:00 +02:00
parent d922efd2e4
commit 00acd4d200
7 changed files with 67 additions and 23 deletions
--- a/main.yml
+++ b/main.yml
@@ -1,14 +1,4 @@
 ---
-# Bootstrap pipeline - role execution order:
-#   1. global_defaults  - normalize + validate system/hypervisor/disk input
-#   2. system_check     - pre-flight hardware/environment safety checks
-#   3. virtualization   - create VM on hypervisor (libvirt/proxmox/vmware/xen)
-#   4. environment      - detect live ISO, configure installer network, install tools, detect hardware
-#   5. partitioning     - partition disk, create FS, LUKS, LVM, mount everything
-#   6. bootstrap        - debootstrap/pacstrap/dnf install the target OS into /mnt
-#   7. configuration    - users, network, encryption, fstab, bootloader, services
-#   8. cis              - CIS hardening (optional, per system.features.cis.enabled)
-#   9. cleanup          - unmount, remove cloud-init artifacts, reboot/shutdown
 - name: Create and configure VMs
  hosts: "{{ bootstrap_target | default('all') }}"
  strategy: free # noqa: run-once[play]
@@ -166,6 +156,15 @@
        - system_cfg.os | lower in os_family_rhel
      ansible.builtin.include_tasks: "{{ playbook_dir }}/roles/configuration/tasks/satellite_register.yml"

+    - name: Activate the firewall on the rebooted host
+      when:
+        - post_reboot_can_connect | bool
+        - system_cfg.features.firewall.enabled | bool
+        - system_cfg.features.firewall.backend == 'ufw'
+      ansible.builtin.include_tasks: "{{ playbook_dir }}/roles/configuration/tasks/firewall.yml"
+      vars:
+        firewall_phase: postreboot
+
    - name: Install post-reboot packages
      when:
        - post_reboot_can_connect | bool