install-update-firewall.yml: don't start firewall if initial install.

2019-07-17 17:39:09 +02:00 · 2019-07-17 17:39:09 +02:00 · 462e65766b
commit 462e65766b
parent 4bc1270d33
1 changed files with 18 additions and 14 deletions
--- a/scripts/install-update-firewall.yml
+++ b/scripts/install-update-firewall.yml
@ -620,8 +620,6 @@
    command: cp {{ git_firewall_repository.dest }}/conf/interfaces_ipv4.conf.sample  /etc/ipt-firewall/interfaces_ipv4.conf
    when: not interfaces_ipv4_exists.stat.exists
    register: new_interfaces_ipv4
-    notify:
-      - Restart IPv4 Firewall


  - name: Configure interfaces_ipv4.conf 1/2
@ -656,8 +654,6 @@
    command: cp {{ git_firewall_repository.dest }}/conf/interfaces_ipv6.conf.sample  /etc/ipt-firewall/interfaces_ipv6.conf
    when: not interfaces_ipv6_exists.stat.exists
    register: new_interfaces_ipv6
-    notify:
-      - Restart IPv6 Firewall

  - name: Configure interfaces_ipv6.conf 1/2
    lineinfile:
@ -704,15 +700,11 @@
    command: cp {{ git_firewall_repository.dest }}/conf/main_ipv4.conf.sample  /etc/ipt-firewall/main_ipv4.conf
    when: not main_ipv4_exists.stat.exists
    register: cp_main_ipv4
-    notify:
-      - Restart IPv4 Firewall

  - name: Place new configuration file '/etc/ipt-firewall/main_ipv6.conf'
    command: cp {{ git_firewall_repository.dest }}/conf/main_ipv6.conf.sample  /etc/ipt-firewall/main_ipv6.conf
    when: not main_ipv6_exists.stat.exists
    register: cp_main_ipv6
-    notify:
-      - Restart IPv6 Firewall

  # Configure main_ipv4.conf
  #
@ -979,15 +971,21 @@
       - ipt
       - ip6t

-  - name: Start firewall services
+  - name: Enable firewall services IPv4
    systemd:
-      name: "{{ item }}-firewall"
-      state: restarted
+      name: ipt-firewall
+      state: stopped
+      enabled: yes
+      daemon_reload: yes
+    when: systemd_service_files_installed is changed
+    register: firewall_service_started
+
+  - name: Enable firewall services IPv6
+    systemd:
+      name: ip6t-firewall
+      state: stopped
      enabled: yes
      daemon_reload: yes
-    with_items:
-       - ipt
-       - ip6t
    when: systemd_service_files_installed is changed
    register: firewall_service_started

@ -1020,8 +1018,14 @@
      service:
        name: ipt-firewall
        state: restarted
+      when:
+         - interfaces_ipv4_exists.stat.exists
+         - main_ipv4_exists.stat.exists

    - name: Restart IPv6 Firewall
      service:
        name: ip6t-firewall
        state: restarted
+      when:
+         - interfaces_ipv6_exists.stat.exists
+         - main_ipv6_exists.stat.exists