libvirt and firewall additions

ansible/roles/firewall/defaults/main.yml

@@ -1,2 +1,4 @@
 ---
-firewall_package: ufw
+firewall_package: ufw
+firewall_ssh_interface: br22
+firewall_spice_interface: br22

ansible/roles/firewall/tasks/main.yml

@@ -5,6 +5,54 @@
     name: "{{ firewall_package }}"
     state: latest
     update_cache: true
-    reason: explicit
   when:
-    - ansible_os_family == 'Arch'
+    - ansible_os_family == 'Arch'
+
+- name: start ufw in allow mode
+  become: true
+  community.general.ufw:
+    policy: allow
+    state: enabled
+
+- name: start and enable ufw service
+  become: true
+  ansible.builtin.service:
+    name: ufw.service
+    state: started
+    enabled: yes
+
+- name: add ssh rules
+  become: true
+  community.general.ufw:
+    comment: SSH access
+    rule: allow
+    to_port: '22'
+    proto: tcp
+    interface: "{{ firewall_ssh_interface }}"
+    direction: in
+    src: '{{ item }}'
+  loop:
+    - 192.168.20.0/24
+    - 192.168.72.0/24
+    - 2406:e001:a:cb20::/64
+
+- name: add spice rules
+  become: true
+  community.general.ufw:
+    comment: SPICE access to guests
+    rule: allow
+    to_port: 5901:5904
+    proto: tcp
+    interface: "{{ firewall_spice_interface }}"
+    direction: in
+    src: '{{ item }}'
+  loop:
+    - 192.168.20.0/24
+    - 192.168.72.0/24
+    - 2406:e001:a:cb20::/64
+
+- name: restore default deny policy
+  become: true
+  community.general.ufw:
+    policy: deny
+    logging: low