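# Salt state: firewalld zones for a gateway host.
#
# Zones managed here:
#   external -> the WAN interface (masquerade on; ssh + wireguard reachable)
#   internal -> LAN, WireGuard and wireless interfaces
#   public   -> the VLAN sub-interfaces
# Every zone is declared with prune_* so firewalld ends up with exactly the
# ports/services/interfaces/sources listed below and nothing else.

# Custom firewalld service for the WireGuard listener; the UDP port comes
# from pillar.
Configure wireguard service:
  firewalld.service:
    - name: wireguard
    - ports:
      - {{ pillar['wireguard']['port'] }}/udp

# WAN side. NOTE(review): ssh is opened on the Internet-facing interface;
# confirm that is intended (reaching sshd only through the WireGuard tunnel
# is the usual alternative).
Configure firewalld for external interface:
  firewalld.present:
    - name: external
    - masquerade: True
    - prune_ports: True
    - prune_services: True
    - prune_interfaces: True
    - prune_sources: True
    - interfaces:
      - {{ pillar['network']['interface']['external'] }}
    - services:
      - ssh
      - wireguard

# LAN side. The wired LAN, the WireGuard interface and the wireless interface
# share this zone, so WireGuard peers and wireless clients get the same
# services (PXE/boot: dhcp, tftp; http/https, dns, ntp, ssh) as wired hosts.
# The sources entry limits the zone to the LAN network from pillar.
Configure firewalld for internal network:
  firewalld.present:
    - name: internal
    - prune_ports: True
    - prune_services: True
    - prune_interfaces: True
    - prune_sources: True
    - interfaces:
      - {{ pillar['network']['interface']['internal'] }}
      - {{ pillar['wireguard']['iface'] }}
      - {{ pillar['network']['interface']['wireless'] }}
    - sources:
      - {{ pillar['network']['netaddress'] }}/{{ pillar['network']['netmask'] }}
    - services:
      - ssh
      - dhcp
      - tftp
      - http
      - https
      - dns
      - ntp

# VLAN side, one vlan.<id> sub-interface per entry in pillar['network']['vlan'].
# NOTE(review): 'public' is the firewalld default zone on most distributions,
# so any interface that is NOT explicitly bound to a zone (a newly added NIC,
# a container bridge) also lands here and gets these services. Check
# `firewall-cmd --get-default-zone` or use a dedicated zone name.
Configure firewalld for vlan networks:
  firewalld.present:
    - name: public
    - prune_ports: True
    - prune_services: True
    - prune_interfaces: True
    - prune_sources: True
    - interfaces:
      {% for vlan in pillar['network']['vlan'] -%}
      - vlan.{{ vlan['id'] }}
      {% endfor %}
    - sources:
      {% for vlan in pillar['network']['vlan'] -%}
      {#- network.calc_net derives the network (CIDR) from the interface
          address and mask. Slicing the last character off the address and
          appending "0" is only correct for /24 networks whose host octet is
          a single digit (e.g. 10.0.1.10 -> 10.0.1.10, not 10.0.1.0), and
          the sources list would then not match the VLAN at all. -#}
      - {{ salt['network.calc_net'](vlan['address'], vlan['netmask']) }}
      {% endfor %}
    - services:
      - ssh
      - dhcp
      - tftp
      - http
      - https
      - dns
      - ntp

# Enable intra-zone forwarding on 'internal'. With forward=yes firewalld routes
# packets between all interfaces bound to that zone (LAN, WireGuard, wireless),
# i.e. they form a single trust domain — intended here, but worth knowing.
# --add-forward / --query-forward require firewalld >= 1.0. The `unless`
# deliberately queries the runtime zone (no --permanent): when the running zone
# has not picked up forwarding yet the state runs, reports a change, and the
# reload below applies the permanent config.
Add forwarding on Internal zone:
  cmd.run:
    - name: firewall-cmd --permanent --zone=internal --add-forward
    - unless: firewall-cmd --zone=internal --query-forward
    - require:
      - firewalld: Configure firewalld for internal network

# Apply the permanent change made by the cmd.run above. The firewalld.present
# states are assumed to reload on their own changes; this reload only tracks
# the forwarding command.
Reload firewalld:
  cmd.run:
    - name: firewall-cmd --reload
    - onchanges:
      - cmd: Add forwarding on Internal zone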