zuul-jobs/roles/multi-node-firewall/tasks/main.yaml

- name: Include operating system specific vars
  include_vars: "{{ zj_distro_os }}"
  with_first_found:
    - "{{ ansible_distribution }}.yaml"
    - "{{ ansible_os_family }}.yaml"
    - "default.yaml"
  loop_control:
    loop_var: zj_distro_os

- name: 'Ensure {{ iptables_package }}'
  become: true
  package:
    name: "{{ iptables_package }}"

- name: Set up the host ip addresses
  set_fact:
    ipv4_addresses: >
      {% set hosts = [] -%}
      {% for host, vars in hostvars.items() -%}
      {% if 'nodepool' in vars -%}
      {% if vars['nodepool']['private_ipv4'] -%}
        {% set _ = hosts.append(vars['nodepool']['private_ipv4']) -%}
      {% endif -%}
      {% if vars['nodepool']['public_ipv4'] -%}
        {% set _ = hosts.append(vars['nodepool']['public_ipv4']) -%}
      {% endif -%}
      {% endif -%}
      {% endfor -%}
      {{- hosts | sort | unique -}}      
    ipv6_addresses: >
      {% set hosts = [] -%}
      {% for host, vars in hostvars.items() -%}
      {% if 'nodepool' in vars -%}
      {% if vars['nodepool']['public_ipv6'] -%}
        {% set _ = hosts.append(vars['nodepool']['public_ipv6']) -%}
      {% endif -%}
      {% endif -%}
      {% endfor -%}
      {{- hosts | sort | unique -}}      

- name: Set up ipv4 iptables rules
  become: yes
  iptables:
    state: present
    action: insert
    chain: INPUT
    ip_version: ipv4
    source: "{{ zj_ipv4 }}"
    jump: ACCEPT
  with_items: "{{ ipv4_addresses }}"
  loop_control:
    loop_var: zj_ipv4

- name: Set up ipv6 iptables rules
  become: yes
  iptables:
    state: present
    action: insert
    chain: INPUT
    ip_version: ipv6
    source: "{{ zj_ipv6 }}"
    jump: ACCEPT
  with_items: "{{ ipv6_addresses }}"
  loop_control:
    loop_var: zj_ipv6

- name: Persist iptables rules
  include_role:
    name: persistent-firewall