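---
# Host firewall tasks: packages, the init.d service, the rule fragments under
# /etc/firewall/rules-v4.d and rules-v6.d, and the outbound domain whitelist.
# Every task is guarded by `firewall_run is not defined` and the final
# set_fact defines it, so the list runs at most once per play even when the
# role is included several times.

- name: Ensure iptables packages are installed
  apt:
    pkg:
      - iptables
      - ipset
      - conntrack
      - ipv6calc  # Required by update-firewall-outbound
    state: present
  when: firewall_run is not defined
  tags: packages

- name: Install the firewall init.d script
  template:
    dest: /etc/init.d/firewall
    src: etc_init.d_firewall.j2
    mode: "0755"  # quoted: an unquoted 0755 is read as an octal integer
    owner: root
    group: root
  when: firewall_run is not defined and firewall_enabled
  # A changed init script only takes effect on restart, same as the rule files.
  notify: Restart firewall
  tags:
    - configs
    - firewall

- name: Enable the firewall init.d script
  service:
    name: firewall
    enabled: true
  when: firewall_run is not defined and firewall_enabled
  tags:
    - configs
    - firewall

- name: Ensure the rules directories exist
  file:
    path: "/etc/firewall/{{ item }}"
    state: directory
    owner: root
    group: root
    mode: "0700"  # rule fragments are readable by root only
  with_items:
    - rules-v4.d
    - rules-v6.d
  when: firewall_run is not defined
  tags:
    - configs
    - firewall

- name: Install the firewall configs
  template:
    dest: "/etc/firewall/{{ item }}"
    src: "{{ item }}.j2"
    mode: "0600"
  with_items:
    # IPv4 fragments; the numeric prefix presumably fixes the load order in
    # the init script (allow rules before 90_drop_all).
    - rules-v4.d/10_conntrack.sh
    - rules-v4.d/15_local.sh
    - rules-v4.d/17_monitoring.sh
    - rules-v4.d/18_internal.sh
    - rules-v4.d/20_whitelist.sh
    - rules-v4.d/22_ssh.sh
    - rules-v4.d/24_influxdb.sh
    - rules-v4.d/33_mariadb.sh
    - rules-v4.d/85_whitelist.sh
    - rules-v4.d/90_allow_outbound.sh
    - rules-v4.d/90_drop_all.sh
    - rules-v4.d/95_fail2ban.sh
    # IPv6 fragments.
    - rules-v6.d/10_conntrack.sh
    - rules-v6.d/15_local.sh
    - rules-v6.d/18_internal.sh
    - rules-v6.d/20_whitelist.sh
    # NOTE(review): the original list repeated rules-v4.d/24_influxdb.sh,
    # 33_mariadb.sh and 85_whitelist.sh at this point, between the v6 entries;
    # the duplicates are dropped. If rules-v6.d variants of those three were
    # intended, add them here once their templates exist.
    - rules-v6.d/90_allow_outbound.sh
    - rules-v6.d/90_drop_all.sh
  when: firewall_run is not defined and firewall_enabled and firewall_standard_rules
  notify: Restart firewall
  tags:
    - configs
    - firewall

- name: Install the extra firewall configs
  template:
    dest: "/etc/firewall/{{ item }}"
    src: "{{ item }}.j2"
    mode: "0600"
  with_items:
    - rules-v4.d/50_custom.sh
    - rules-v6.d/50_custom.sh
  when: firewall_run is not defined and firewall_enabled and (firewall_custom_ipv4_rules or firewall_custom_ipv6_rules)
  notify: Restart firewall
  tags:
    - configs
    - firewall

- name: Install the firewall outbound ACLs
  template:
    dest: /etc/firewall/outbound_whitelist.acl
    src: etc_firewall_outbound_whitelist.acl.j2
    mode: "0600"
  when: firewall_run is not defined and firewall_enabled and firewall_output_whitelist_domains
  notify: Restart firewall
  tags:
    - configs
    - firewall
    - whitelists

- name: Remove obsolete configs
  file:
    path: "/etc/firewall/{{ item }}"
    state: absent
  with_items:
    - rules-v4.d/19_monitoring.sh
  when: firewall_run is not defined and firewall_enabled
  notify: Restart firewall
  tags:
    - configs
    - firewall

- name: Install the firewall outbound update script
  template:
    dest: /usr/sbin/update-firewall-outbound
    src: usr_sbin_update-firewall-outbound.j2
    mode: "0700"
  when: firewall_run is not defined and firewall_enabled and firewall_output_whitelist_domains
  notify: Restart firewall
  tags:
    - firewall
    - scripts
    - whitelists

# Marks the task list as done for this play (see the guard on every task).
- set_fact:
    firewall_run: true
  when: firewall_run is not defined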