roles/common: simplify firewall tasks

Apply firewall tag to included tasks, then we don't need to use a
block.

roles/common/tasks/firewall.yml

@@ -1,12 +1,20 @@
 ---
 - name: Configure firewall (Debian)
-  ansible.builtin.include_tasks: firewall_Debian.yml
   when: ansible_distribution == 'Debian'
+  ansible.builtin.include_tasks:
+    file: firewall_Debian.yml
+    apply:
+      tags:
+        - firewall
   tags: firewall
 
 - name: Configure firewall (Ubuntu)
-  ansible.builtin.include_tasks: firewall_Ubuntu.yml
   when: ansible_distribution == 'Ubuntu'
+  ansible.builtin.include_tasks:
+    file: firewall_Ubuntu.yml
+    apply:
+      tags:
+        - firewall
   tags: firewall
 
 

roles/common/tasks/firewall_Debian.yml

@@ -1,7 +1,6 @@
 ---
 # Debian 11+ will use nftables directly, with no firewalld.
 
-- block:
 - name: Install Debian firewall packages
   when: ansible_distribution_major_version is version('11', '>=')
   ansible.builtin.package:
@@ -110,6 +109,5 @@
 - ansible.builtin.include_tasks: fail2ban.yml
   when:
     - ansible_distribution_major_version is version('9', '>=')
-  tags: firewall
 
 # vim: set sw=2 ts=2:

roles/common/tasks/firewall_Ubuntu.yml

@@ -1,7 +1,6 @@
 ---
 # Ubuntu 20.04 will use nftables directly, with no firewalld.
 
-- block:
 - name: Install Ubuntu firewall packages
   when: ansible_distribution_version is version('20.04', '>=')
   ansible.builtin.package:
@@ -109,6 +108,5 @@
 - ansible.builtin.include_tasks: fail2ban.yml
   when:
     - ansible_distribution_version is version('16.04', '>=')
-  tags: firewall
 
 # vim: set sw=2 ts=2: