fix(system/sshd): handle firewall

Signed-off-by: Matej Focko <me@mfocko.xyz>

roles/system/sshd/tasks/main.yml

@@ -35,6 +35,22 @@
     state: "present"
   when: ansible_facts.selinux.status == 'enabled'
 
+- name: Enable the new SSH port on firewall
+  ansible.posix.firewalld:
+    port: "{{ system_sshd_port }}/tcp"
+    immediate: true
+    permanent: true
+    state: enabled
+  notify: "Restart SSH server"
+  tags: firewall
+
+- name: Disable the default SSH port
+  ansible.posix.firewalld:
+    service: ssh
+    permanent: true
+    state: disabled
+  tags: firewall
+
 - name: Set trusted CA
   ansible.builtin.include_tasks: trusted_ca.yml
   when: system_sshd_auth_trusted_ca