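---
# Firewall management (ufw on the Debian family).
#
# Inputs (expected to be defined by the caller / role defaults):
#   firewall_enable       - bool; false removes ufw entirely, true installs and configures it
#   firewall_basic_rules  - list of rule dicts shared by all hosts
#   firewall_host_rules   - list of rule dicts specific to this host
#
# Each rule dict must carry `name`, `from_ip` and `to_port`; `proto` is optional
# and defaults to tcp. There is deliberately no default for `from_ip`: every allow
# rule has to name its source explicitly, so a rule that forgets it fails loudly
# instead of silently opening the port to the world.
#
# Ordering matters for the enable path: the default-deny policy and all allow
# rules are written while ufw is still disabled, and ufw is only enabled as the
# last step. Enabling a default-deny firewall before the allow rules exist opens
# a window in which new inbound connections (including the SSH port Ansible uses
# on reconnect) are dropped.
#
# Caveat: rules removed from the variables are NOT removed from ufw by this task
# file; a full `ufw reset` is disruptive and left to the operator.
- name: "firewall - set default policy and enable logging"
  tags: "firewall"
  block:
    # Resolve the inputs once so the nested blocks share one view of them.
    - name: "set vars"
      ansible.builtin.set_fact:
        __firewall_enable: "{{ firewall_enable }}"
        # union() deduplicates identical rule dicts between the two lists
        __firewall_all_rules: "{{ firewall_basic_rules | union(firewall_host_rules) }}"

    # Only the Debian family is handled here; other families are left untouched.
    - name: "firewall - debian family"
      when: "ansible_os_family == 'Debian'"
      block:
        # firewall_enable == false: leave the host with no ufw at all.
        - name: "remove and disable firewall"
          when: "not __firewall_enable"
          block:
            # Best-effort stop: the service unit may not exist if ufw was never
            # installed, which is not an error for this path.
            - name: "firewall - stop ufw"
              ansible.builtin.service:
                name: "ufw"
                state: "stopped"
                enabled: false
              ignore_errors: true

            - name: "firewall - remove ufw"
              ansible.builtin.apt:
                name: "ufw"
                state: "absent"

        # firewall_enable == true: install, configure, then enable.
        - name: "install and enable firewall"
          when: "__firewall_enable"
          block:
            - name: "firewall - install ufw"
              ansible.builtin.apt:
                name: "ufw"
                state: "present"

            # Default policy first: anything not explicitly allowed below is denied.
            # ufw is NOT enabled in this step; see the header comment.
            - name: "firewall - default incoming policy - debian"
              community.general.ufw:
                direction: "incoming"
                policy: "deny"

            # Allow rules. Each item must provide from_ip and to_port explicitly.
            - name: "firewall - add rules"
              community.general.ufw:
                rule: "allow"
                direction: "in"
                proto: "{{ item.proto | default('tcp') }}"
                from_ip: "{{ item.from_ip }}"
                to_port: "{{ item.to_port }}"
              loop: "{{ __firewall_all_rules }}"
              loop_control:
                label: "{{ item.name }}"

            # Enable last, once the allow rules are in place, and turn on logging
            # so denied connections are visible for detection and troubleshooting.
            - name: "firewall - enable and log - debian"
              community.general.ufw:
                state: "enabled"
                logging: "on"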