Diffstat (limited to 'roles/pf/tasks/main.yml')
-rw-r--r-- | roles/pf/tasks/main.yml | 40 |
1 files changed, 30 insertions, 10 deletions
diff --git a/roles/pf/tasks/main.yml b/roles/pf/tasks/main.yml
index e5b8af8..4fba69e 100644
--- a/roles/pf/tasks/main.yml
+++ b/roles/pf/tasks/main.yml
@@ -1,17 +1,37 @@
+---
+
 - name: generate pf configuration
- template:
+ ansible.builtin.template:
 src: pf.conf.j2
 dest: "{{ pf_configuration_file }}"
 owner: 0
 group: 0
- mode: 0600
- notify:
- - lint pf configuration
- - enable pf
- - restart pf
+ mode: "0600"
+ register: pf_result_generate_configuration
+
+- name: lint pf configuration # noqa: no-handler
+ ansible.builtin.command: "pfctl -nf {{ pf_configuration_file }}"
+ register: pf_result_lint_configuration
+ changed_when:
+ - pf_result_generate_configuration.changed
+ - pf_result_lint_configuration.rc != 0
 
-- name: test ssh connection on new pf rule
- wait_for:
- port: "{{ ansible_port }}"
- delay: 2
+- name: restart pf # noqa: no-handler
+ ansible.builtin.command: pfctl -f "{{ pf_configuration_file }}"
+ when: pf_result_generate_configuration.changed
+
+- name: test pf rules
+ ansible.builtin.wait_for:
+ port: "{{ item }}"
+ delay: "{{ pf_test_delay }}"
 state: started
+ loop: "{{ pf_test_ports }}"
+
+- name: enable pf
+ ansible.builtin.command: pfctl -e
+ register: pf_result_enable
+ changed_when:
+ - "'already enabled' not in pf_result_enable.stderr"
+ failed_when:
+ - pf_result_enable.rc != 0
+ - "'already enabled' not in pf_result_enable.stderr" |
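Review bot: The `restart pf` task loads the new ruleset with `pfctl -f` before anything confirms the management path still works, and the `test pf rules` task that follows only waits on `{{ item }}` from the managed host itself, where loopback traffic typically bypasses pf; whether `pf_test_ports` includes the SSH port cannot be seen here, since the variable's default lives outside this hunk. Consider making the control connection an explicit part of the check, e.g. `loop: "{{ pf_test_ports + [ansible_port | default(22)] }}"`, or delegating the wait to the controller with `host: "{{ ansible_host }}"` so the probe actually traverses the filter. Separately, the `changed_when` on `lint pf configuration` can never hold, because `ansible.builtin.command` already fails the task when `pfctl -nf` exits non-zero, so `changed_when: false` states the intent more plainly. That lint task also carries no `when`, so an invalid pre-existing ruleset halts the play even when the template did not change; this looks deliberate as a gate before `pfctl -f`, and a comment such as `# syntax-check the rendered file; a failure here stops the play before the rules are loaded` would make that explicit.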