---
# Install nftables and render its configuration from templates.
# The whole block is skipped unless security.firewall.enable is set; every
# task inside the block notifies the 'security : [firewall] restart service'
# handler (defined elsewhere), so any changed file restarts nftables.

- name: gather facts if required
  # ansible_facts['distribution'] picks the template directory below;
  # virtualization_type is not referenced in this file (presumably read by
  # the templates).
  ansible.builtin.setup:
    gather_subset:
      - distribution
      - virtualization_type

- name: install and configure nftables
  become: true
  # NOTE(review): `truthy` applies plain Python bool() unless called with
  # convert_bool=True, so a non-empty string such as "false" still enables
  # the block — confirm the variable is a real boolean where it is defined.
  when: security.firewall.enable is truthy
  notify: 'security : [firewall] restart service'
  block:
    - name: install nftables
      ansible.builtin.apt:
        pkg: [nftables]
        state: present  # apt's default; spelled out for clarity

    - name: enable nftables
      ansible.builtin.systemd:
        name: nftables
        masked: false
        enabled: true

    - name: create config dir
      # Root-only directory holding the per-table rule files rendered below.
      ansible.builtin.file:
        state: directory
        path: /etc/nftables.d
        mode: "0700"

    - name: base config file
      # Template chosen by distribution name, e.g. .../debian/nftables.conf.j2.
      # NOTE(review): 0700 keeps the file root-only and executable — presumably
      # so it can be run directly like the distro default (which carries an nft
      # shebang); the rule files below use 0600.
      ansible.builtin.template:
        src: "../templates/system/{{ ansible_facts['distribution'] | lower }}/nftables.conf.j2"
        dest: /etc/nftables.conf
        mode: "0700"
      vars:
        # The pipe lookup runs on the Ansible controller, so both values
        # resolve the controller's own FQDN, not the managed host's. An
        # unresolvable name yields an empty string and multiple records yield
        # a multi-line value — check the rendered file if dig does not return
        # exactly one address.
        controller_ip: "{{ lookup('pipe', '/bin/dig +short A $(/usr/bin/hostname -f)') }}"
        controller_ip6: "{{ lookup('pipe', '/bin/dig +short AAAA $(/usr/bin/hostname -f)') }}"

    - name: common firewall rules
      # One file per table; the numeric prefixes presumably fix the order in
      # which nftables.conf includes them. The templates see the whole
      # security.firewall mapping as `firewall`.
      ansible.builtin.template:
        src: "../templates/system/nftables/{{ item }}.table.j2"
        dest: "/etc/nftables.d/{{ item }}.table"
        mode: "0600"
      vars:
        firewall: "{{ security.firewall }}"
      loop:
        - 01-nat
        - 02-mangle
        - 03-filter