From efcc761955f8e0176a3ef9c36fad1025a77a5630 Mon Sep 17 00:00:00 2001
From: Phillip Smith <fukawi2@gmail.com>
Date: Tue, 14 Aug 2018 13:34:38 +1000
Subject: [PATCH] make all firewalld changes take effect immediately

---
 playbooks/apollo.yml              | 2 +-
 roles/dbscripts/tasks/main.yml    | 4 ++--
 roles/dovecot/tasks/main.yml      | 2 +-
 roles/mariadb/tasks/main.yml      | 2 +-
 roles/nginx/tasks/main.yml        | 2 +-
 roles/oidentd/tasks/main.yml      | 2 +-
 roles/postfix/tasks/main.yml      | 2 +-
 roles/postgres/tasks/main.yml     | 2 +-
 roles/quassel/tasks/main.yml      | 2 +-
 roles/sshd/tasks/main.yml         | 2 +-
 roles/syncrepo/tasks/main.yml     | 2 +-
 roles/zabbix-agent/tasks/main.yml | 2 +-
 12 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/playbooks/apollo.yml b/playbooks/apollo.yml
index f08e7c107..21d34e41a 100644
--- a/playbooks/apollo.yml
+++ b/playbooks/apollo.yml
@@ -49,4 +49,4 @@
     - { role: archwiki, tags: ["archwiki"] }
   tasks:
     - name: open firewall hole for hefurd
-      firewalld: port=6969/tcp permanent=true state=enabled
+      firewalld: port=6969/tcp permanent=true state=enabled immediate=yes
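Review bot: The hefurd task on the changed line has no `when: configure_firewall` guard, unlike the role tasks touched elsewhere in this patch (dbscripts, mariadb, oidentd, postgres, quassel, sshd, syncrepo, zabbix-agent). With `immediate=yes` the port is opened in the running firewall as soon as the play runs, so the task would act even if apollo is ever run with `configure_firewall` set to false. The hunk has no trailing context, so this appears to be the last task in the playbook. If the omission is not deliberate, add `when: configure_firewall` under the `firewalld:` line.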
diff --git a/roles/dbscripts/tasks/main.yml b/roles/dbscripts/tasks/main.yml
index 45d0614e2..5c7653c7f 100644
--- a/roles/dbscripts/tasks/main.yml
+++ b/roles/dbscripts/tasks/main.yml
@@ -225,7 +225,7 @@
   service: name=rsyncd.socket enabled=yes state=started
 
 - name: open firewall holes for rsync
-  firewalld: service=rsyncd permanent=true state=enabled
+  firewalld: service=rsyncd permanent=true state=enabled immediate=yes
   when: configure_firewall
 
 - name: configure svnserve
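Review bot: The changed `firewalld:` line now spells its two booleans differently, `permanent=true` next to `immediate=yes`, and the same applies to every other firewalld line in this patch. Using one spelling, `firewalld: service=rsyncd permanent=true state=enabled immediate=true`, makes it easier to check which rules reach both the saved and the running configuration. Moving the arguments from the inline `key=value` string to a YAML mapping under `firewalld:` would also let a linter check the values as real booleans.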
@@ -235,7 +235,7 @@
   service: name=svnserve enabled=yes state=started
 
 - name: open firewall holes for svnserve
-  firewalld: port=3690/tcp permanent=true state=enabled
+  firewalld: port=3690/tcp permanent=true state=enabled immediate=yes
   when: configure_firewall
 
 - name: install systemd timers
diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml
index 99b43e15b..af832d716 100644
--- a/roles/dovecot/tasks/main.yml
+++ b/roles/dovecot/tasks/main.yml
@@ -18,7 +18,7 @@
   service: name=dovecot enabled=yes state=started
 
 - name: open firewall holes
-  firewalld: service={{item}} permanent=true state=enabled
+  firewalld: service={{item}} permanent=true state=enabled immediate=yes
   with_items:
     - pop3
     - pop3s
diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml
index 29f72724a..dee4ae4ca 100644
--- a/roles/mariadb/tasks/main.yml
+++ b/roles/mariadb/tasks/main.yml
@@ -48,6 +48,6 @@
   # the source addresses here could be tightened up more, but it's far better
   # than having mariadb open to the world
 - name: open firewall holes to other infrastructure hosts
-  firewalld: service=mysql permanent=true state="{{'disabled' if mariadb_skip_networking else 'enabled'}}" source={{item}}
+  firewalld: service=mysql permanent=true state="{{'disabled' if mariadb_skip_networking else 'enabled'}}" source={{item}} immediate=yes
   with_items: "{{ groups['all'] }}"
   when: configure_firewall
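Review bot: Passing `service=mysql` and `source={{item}}` in one `firewalld` call may not limit the service to that source: as far as I know the module applies the two settings independently, enabling the service for the whole zone and separately binding the source to the zone. If that holds for the Ansible version in use, `immediate=yes` now puts mysql into the running zone at once and the comment above the task ("far better than having mariadb open to the world") overstates the restriction; the postgres hunk (`service=postgresql ... source={{item}}`) has the same shape. A rich rule ties source and service together, e.g. `rich_rule='rule family="ipv4" source address="{{item}}" service name="mysql" accept'`, which needs `item` to be an address rather than an inventory hostname. Check the result on a host with `firewall-cmd --list-all-zones` after the play.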
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index d2404689c..541594d39 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -67,7 +67,7 @@
   service: name=nginx enabled=yes
 
 - name: open firewall holes
-  firewalld: service={{item}} permanent=true state=enabled
+  firewalld: service={{item}} permanent=true state=enabled immediate=yes
   with_items:
     - http
     - https
diff --git a/roles/oidentd/tasks/main.yml b/roles/oidentd/tasks/main.yml
index ea499dadc..da16e65a1 100644
--- a/roles/oidentd/tasks/main.yml
+++ b/roles/oidentd/tasks/main.yml
@@ -12,5 +12,5 @@
     - oidentd.socket
 
 - name: open firewall holes
-  firewalld: port=113/tcp permanent=true state=enabled
+  firewalld: port=113/tcp permanent=true state=enabled immediate=yes
   when: configure_firewall
diff --git a/roles/postfix/tasks/main.yml b/roles/postfix/tasks/main.yml
index 69dbdf0d1..1b9da151c 100644
--- a/roles/postfix/tasks/main.yml
+++ b/roles/postfix/tasks/main.yml
@@ -86,7 +86,7 @@
     - compat_maps.db
 
 - name: open firewall holes
-  firewalld: service={{item}} permanent=true state=enabled
+  firewalld: service={{item}} permanent=true state=enabled immediate=yes
   with_items:
     - smtp
     - smtp-submission
diff --git a/roles/postgres/tasks/main.yml b/roles/postgres/tasks/main.yml
index 33578bc63..5254a2958 100644
--- a/roles/postgres/tasks/main.yml
+++ b/roles/postgres/tasks/main.yml
@@ -51,6 +51,6 @@
   when: postgres_ssl == 'on'
 
 - name: open firewall holes to known postgresql clients
-  firewalld: service=postgresql permanent=true state=enabled source={{item}}
+  firewalld: service=postgresql permanent=true state=enabled source={{item}} immediate=yes
   with_items: "{{ postgres_ssl_hosts }}"
   when: configure_firewall
diff --git a/roles/quassel/tasks/main.yml b/roles/quassel/tasks/main.yml
index 713f1f2fe..2a7269f6e 100644
--- a/roles/quassel/tasks/main.yml
+++ b/roles/quassel/tasks/main.yml
@@ -63,5 +63,5 @@
     - clean-quassel.timer
 
 - name: open firewall holes
-  firewalld: port=4242/tcp permanent=true state=enabled
+  firewalld: port=4242/tcp permanent=true state=enabled immediate=yes
   when: configure_firewall
diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml
index 03322775c..0bb89b282 100644
--- a/roles/sshd/tasks/main.yml
+++ b/roles/sshd/tasks/main.yml
@@ -18,5 +18,5 @@
   service: name=sshd enabled=yes state=started
 
 - name: open firewall holes
-  firewalld: service=ssh permanent=true state=enabled
+  firewalld: service=ssh permanent=true state=enabled immediate=yes
   when: configure_firewall
diff --git a/roles/syncrepo/tasks/main.yml b/roles/syncrepo/tasks/main.yml
index 136356004..86317f621 100644
--- a/roles/syncrepo/tasks/main.yml
+++ b/roles/syncrepo/tasks/main.yml
@@ -45,5 +45,5 @@
   tags: ['nginx']
 
 - name: open firewall holes
-  firewalld: service=rsyncd permanent=true state=enabled
+  firewalld: service=rsyncd permanent=true state=enabled immediate=yes
   when: configure_firewall
diff --git a/roles/zabbix-agent/tasks/main.yml b/roles/zabbix-agent/tasks/main.yml
index 9523ea6e1..af0c8dd0a 100644
--- a/roles/zabbix-agent/tasks/main.yml
+++ b/roles/zabbix-agent/tasks/main.yml
@@ -63,5 +63,5 @@
   service: name=zabbix-agent enabled=yes state=started
 
 - name: open firewall holes
-  firewalld: service=zabbix-agent permanent=true state=enabled
+  firewalld: service=zabbix-agent permanent=true state=enabled immediate=yes
   when: configure_firewall
-- 
GitLab