Extract playbook actions to roles

ansible/roles/firewall/defaults/main.yml

@@ -0,0 +1,9 @@
+---
+firewall_interfaces:
+  - name: vio0
+    allowed_tcp:
+      - 22    # SSH
+      - 80    # HTTP
+      - 443   # HTTPS
+    allowed_udp:
+      - 21841 # Wireguard

ansible/roles/firewall/tasks/main.yml

@@ -0,0 +1,11 @@
+---
+- name: Configure firewall
+  template:
+    src: templates/pf.conf.j2
+    dest: /etc/pf.conf
+    validate: pfctl -n -f %s
+  register: pf
+
+- name: Load config to pf if needed
+  command: pfctl -f /etc/pf.conf
+  when: pf.changed

ansible/roles/firewall/templates/pf.conf.j2

@@ -0,0 +1,29 @@
+# {{ ansible_managed }}
+# Skip filtering on the loopback interface
+set skip on lo
+
+# set up a default deny policy
+block all
+
+# Block remote X11 connections
+block return in on ! lo0 proto tcp to port 6000:6010
+
+# Port build user does not need network
+block return out log proto {tcp udp} user _pbuild
+
+{% for interface in firewall_interfaces %}
+# Pass rules for the specific ports on the {{ interface.name }} interface
+{% if (interface.allowed_tcp is defined) and interface.allowed_tcp %}
+{% for port in interface.allowed_tcp %}
+pass in on {{ interface.name }} proto tcp from any to any port {{ port }}
+{% endfor %}
+{% endif %}
+{% if (interface.allowed_udp is defined) and interface.allowed_udp %}
+{% for port in interface.allowed_udp %}
+pass in on {{ interface.name }} proto udp from any to any port {{ port }}
+{% endfor %}
+{% endif %}
+pass in on {{ interface.name }} proto icmp
+# Pass out rule to allow outgoing traffic on the {{ interface.name }} interface
+pass out on {{ interface.name }}
+{% endfor %}