From cb4b3cd6f1437d86cd9c3a2aa3134bc646aad786 Mon Sep 17 00:00:00 2001
From: Jonathan DeMasi
Date: Sun, 28 Dec 2025 13:41:45 -0700
Subject: [PATCH] Add some more sane defaults to firewalld
---
 ansible/roles/common/tasks/main.yaml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/ansible/roles/common/tasks/main.yaml b/ansible/roles/common/tasks/main.yaml
index 556c924..96ceffa 100644
--- a/ansible/roles/common/tasks/main.yaml
+++ b/ansible/roles/common/tasks/main.yaml
@@ -14,3 +14,27 @@
 state: started
 enabled: true
+- name: Add ssh to firewalld
+ ansible.posix.firewalld:
+ service: ssh
+ state: enabled
+ permanent: true
+ immediate: true
+ offline: true
+
+- name: Add dhcpv6-client to firewalld
+ ansible.posix.firewalld:
+ service: dhcpv6-client
+ state: enabled
+ permanent: true
+ immediate: true
+ offline: true
+
+- name: Disallow cockpit firewalld
+ ansible.posix.firewalld:
+ service: cockpit
+ state: disabled
+ permanent: true
+ immediate: true
+ offline: true
+
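Review bot: None of the three added `ansible.posix.firewalld` tasks sets `zone:`, so each change is applied to whatever the host's default zone happens to be. An interface bound to a different zone would keep its existing cockpit rule and would not receive the ssh or dhcpv6-client entries. If this role is meant to enforce the baseline regardless of how a host was provisioned, pin the zone in each task, for example `zone: public` (assuming public is the zone in use), or set the default zone earlier in the role. A comment above the cockpit task would also help, such as `# Closes cockpit at the firewall only; the cockpit socket/service is not stopped by this task`, since disabling the firewalld service does not by itself stop anything from listening. The tasks before line 14 are outside the hunk, so an earlier task may already handle either point.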