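# Salt state: firewalld zones for this host.
# Jinja renders this file from pillar before Salt parses the YAML. Every zone
# below sets prune_*: True, so a zone ends up holding exactly the interfaces,
# sources, services and ports listed here — anything added out of band is
# removed on the next highstate (declarative enforcement, not additive).

{# net24(addr): the /24 network containing an address.
   The previous expression, addr[0:-1] followed by "0/24", dropped only the
   last character and therefore produced a wrong prefix whenever the final
   octet had more than one digit (10.0.0.15 -> 10.0.0.10/24). Splitting on
   the last dot is correct for any last octet and gives the same result as
   before for single-digit ones. #}
{% macro net24(addr) -%}
{{ addr.rsplit('.', 1)[0] }}.0/24
{%- endmacro %}

Start firewalld:
  service.running:
    - name: firewalld
    - enable: True

# Custom firewalld service definitions referenced by the zones below.
Configure wireguard service:
  firewalld.service:
    - name: wireguard
    - ports:
      - {{ pillar['wireguard']['port'] }}/udp

Configure container registry service:
  firewalld.service:
    - name: registry
    - ports:
      - 5000/tcp

# Internet-facing zone: only ssh and wireguard are reachable from the
# external interface; masquerade NATs traffic leaving through it.
Configure firewalld for external interface:
  firewalld.present:
    - name: external
    - masquerade: True
    - prune_ports: True
    - prune_services: True
    - prune_interfaces: True
    - prune_sources: True
    - interfaces:
      - {{ pillar['network']['external'] }}
    - services:
      - ssh
      - wireguard

# Trusted LAN zone: the wired, wireguard, wireless and bridge interfaces
# plus the host's own /24 as a source, exposing the infrastructure services.
Configure firewalld for internal network:
  firewalld.present:
    - name: internal
    - prune_ports: True
    - prune_services: True
    - prune_interfaces: True
    - prune_sources: True
    - interfaces:
      - {{ pillar['network']['interface'] }}
      - {{ pillar['wireguard']['iface'] }}
      - {{ pillar['network']['wireless'] }}
      - {{ pillar['network']['bridge'] }}
    - sources:
      - {{ net24(pillar['network']['ip']) }}
    - services:
      - ssh
      - dhcp
      - tftp
      - http
      - https
      - dns
      - ntp
      - registry

# VLAN zones: each VLAN in pillar['network']['vlan'] is placed in the zone
# named by its 'zone' key (interface vlan.<id> and its /24 as a source).
# NOTE(review): if no VLAN matches a zone, 'interfaces:'/'sources:' render
# empty (YAML null); prune_* is assumed to treat that as "none" — confirm.
Configure firewalld for public networks:
  firewalld.present:
    - name: public
    - prune_ports: True
    - prune_services: True
    - prune_interfaces: True
    - prune_sources: True
    - interfaces:
      {%- for vlan in pillar['network']['vlan'] if vlan['zone'] == 'public' %}
      - vlan.{{ vlan['id'] }}
      {%- endfor %}
    - sources:
      {%- for vlan in pillar['network']['vlan'] if vlan['zone'] == 'public' %}
      - {{ net24(vlan['address']) }}
      {%- endfor %}
    - services:
      - ssh
      - dhcp
      - tftp
      - http
      - https
      - dns
      - ntp
      - registry

Configure firewalld for airgap networks:
  firewalld.present:
    - name: airgap
    - prune_ports: True
    - prune_services: True
    - prune_interfaces: True
    - prune_sources: True
    - interfaces:
      {%- for vlan in pillar['network']['vlan'] if vlan['zone'] == 'airgap' %}
      - vlan.{{ vlan['id'] }}
      {%- endfor %}
    - sources:
      {%- for vlan in pillar['network']['vlan'] if vlan['zone'] == 'airgap' %}
      - {{ net24(vlan['address']) }}
      {%- endfor %}
    - services:
      - ssh
      - dhcp
      - tftp
      - http
      - https
      - dns
      - ntp
      - registry

# Intra-zone forwarding for the internal zone. The change is made to the
# permanent config; 'unless' inspects the *runtime* zone ('forward: yes' in
# --list-all), so the state stays idempotent once the reload below has
# applied it, and re-runs if someone drops the flag at runtime.
Add forwarding on Internal zone:
  cmd.run:
    - name: firewall-cmd --permanent --zone=internal --add-forward
    - unless: bash -c "if [[ \"$(firewall-cmd --zone=internal --list-all | sed -n 's/.* forward. \(.*\)$/\1/p')\" = \"yes\" ]]; then exit 0; else exit 1;fi"

# Only the forwarding change needs an explicit reload here.
# NOTE(review): the firewalld.present states above are assumed to reload
# their own changes; if the runtime zones lag the permanent config after a
# highstate, add those states to onchanges — confirm.
Reload firewalld:
  cmd.run:
    - name: firewall-cmd --reload
    - onchanges:
      - cmd: Add forwarding on Internal zone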