windows: don’t disable builtin firewall rules before setting our own

Oops.
2025-05-11 14:34:38 +02:00 · 2025-05-11 14:34:38 +02:00 · e6876ff265
commit e6876ff265
parent e30fcf0bd4
2 changed files with 15 additions and 14 deletions
--- a/roles/windows/tasks/firewall.yml
+++ b/roles/windows/tasks/firewall.yml
@ -1,16 +1,3 @@
- name: Disable some builtin rules
-  win_shell: "Set-NetFirewallRule -DisplayGroup '{{ item }}' -Enabled False"
-  changed_when: false # no way to tell
-  loop: # Get-NetFirewallRule | Where-Object -Property Enabled -eq True
-    - "AllJoyn Router"
-    - "File and Printer Sharing"
-    - "mDNS"
-    - "OpenSSH Server"
-    - "Secure World Wide Web Services (HTTPS)"
-    - "Secure World Wide Web Services (QUIC)"
-    - "Windows Remote Management"
-    - "World Wide Web Services (HTTP)"
-
 - name: Allow ICMP
  win_firewall_rule:
    name: Allow incoming ICMP
@ -45,3 +32,17 @@
  loop_control:
    label: "{{ service.name }}"
    loop_var: service
+
+- name: Disable some builtin rules
+  win_shell: "Set-NetFirewallRule -DisplayGroup '{{ item }}' -Enabled False"
+  changed_when: false # no way to tell
+  failed_when: false # fails if the group doesn’t exist
+  loop: # Get-NetFirewallRule | Where-Object -Property Enabled -eq True
+    - "AllJoyn Router"
+    - "File and Printer Sharing"
+    - "mDNS"
+    - "OpenSSH Server"
+    - "Secure World Wide Web Services (HTTPS)"
+    - "Secure World Wide Web Services (QUIC)"
+    - "Windows Remote Management"
+    - "World Wide Web Services (HTTP)"
--- a/roles/windows/tasks/firewall_rule.yml
+++ b/roles/windows/tasks/firewall_rule.yml
@ -1,4 +1,4 @@
- name: Allow service
+- name: "Allow service {{ service.name }}"
  win_firewall_rule:
    name: "Allow incoming {{ service.name }} for {{ remoteip }}"
    group: "{{ service.name }}"