Don't fail when port 5665 is not open by default

defaults/main.yml

@@ -80,6 +80,8 @@ icinga_default_remote_check_commands:
 
 icinga_mariadb_socket: /var/run/mysqld/mysqld.sock
 
+# Set icinga_iptables_check_fail to true only after everything is working!
+icinga_iptables_check_fail: false
 # IPv4 rule for Icinga
 icinga_iptables_ipv4_rule: "-A INPUT -s {{ icinga_master_node_ipv4 }}/32 -p tcp -m state --state NEW -m tcp --dport 5665 -j ACCEPT"
 # Insert the Icinga IPv4 rule before this one

tasks/firewall.yml

@@ -84,7 +84,6 @@
                   - "Please set the `icinga_iptables_ipv4_insertbefore` variable to one of the lines above and then re-run this role."
                   - "The line to be added is:"
                   - "{{ icinga_iptables_ipv4_rule }}"
-              when: icinga_first_check | bool
 
         - name: Add IPv4 iptables rule for Icinga
           ansible.builtin.lineinfile:
@@ -174,6 +173,8 @@
               You can check this manyally using the following command
               nmap -oX /home/chris/nmap.xml -p 5665 {{ inventory_hostname }}
 
+      when: icinga_iptables_check_fail | bool
+
   tags:
     - icinga
 ...

tasks/main.yml

@@ -43,8 +43,6 @@
 
         - name: Check and open the firewall if needed
           ansible.builtin.include_tasks: firewall.yml
-          vars:
-            icinga_first_check: true
 
         # TODO These checks work but don't list agent nodes that are not connected
         # if they did then they would be worth including as then the cert_config.yml
@@ -59,11 +57,6 @@
         - name: Include tasks to validate and reload config
           ansible.builtin.include_tasks: reload.yml
 
-        - name: Check and open the firewall if needed
-          ansible.builtin.include_tasks: firewall.yml
-          vars:
-            icinga_first_check: false
-
       when:
         - inventory_hostname != icinga_master_node
         - inventory_hostname not in groups['icinga_master_nodes']