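---
# Gateway firewall tasks: install firewalld, register the VPN service
# definition, and lay out three zones (home / public / trusted) with their
# interfaces, masquerading, services and port forwards.
#
# Zone roles as this file configures them:
#   public  - WAN side (masqueraded); only the listed services are opened.
#   home    - LAN side; opens the listed services plus the VPN service.
#   trusted - VM bridge; firewalld's "trusted" zone accepts all traffic
#             by default, so anything on gateway.firewall.vm_iface is
#             unrestricted towards the gateway.

- name: Require firewalld
  # `latest` upgrades on every run; switch to `present` if you want a
  # stable package version that only changes through explicit upgrades.
  apt:
    name: firewalld
    state: latest

- name: Add wireguard firewalld service
  # Custom service definition consumed by the "home" zone below.
  # Mode is quoted: an unquoted 0644 is an octal literal (420) for YAML 1.1
  # parsers and Ansible emits a warning about it.
  template:
    src: firewalld/wireguard.xml.j2
    dest: "/etc/firewalld/services/{{ gateway.vpn.name }}.xml"
    owner: root
    group: root
    mode: "0644"

# NOTE(review): the tasks below use `immediate: true`, which needs the
# firewalld daemon to be running. If the package does not start it on
# install in your distribution, re-enable this task.
# - name: Ensure firewalld is enabled
#   systemd:
#     name: firewalld.service
#     enabled: true
#     masked: false
#     state: started

- name: Force all notified handlers to run at this point, not waiting for normal sync points
  meta: flush_handlers

- name: Add zones
  ansible.posix.firewalld:
    zone: "{{ item }}"
    state: present
    permanent: true
  loop:
    - home
    - public
    - trusted

- name: Add home interface
  ansible.posix.firewalld:
    zone: home
    interface: "{{ gateway.firewall.home_iface }}"
    permanent: true
    immediate: true
    state: enabled

- name: Add public interface
  # The fallback must be a quoted string: an unquoted `default(ppp0)`
  # refers to an undefined Jinja variable and renders empty (or fails
  # with undefined-variable errors), leaving the public zone without
  # an interface.
  ansible.posix.firewalld:
    zone: public
    interface: "{{ gateway.firewall.public_iface | default('ppp0') }}"
    permanent: true
    immediate: true
    state: enabled

- name: Add vm interface
  ansible.posix.firewalld:
    zone: trusted
    interface: "{{ gateway.firewall.vm_iface }}"
    permanent: true
    immediate: true
    state: enabled

- name: Enable masquerade on public interface
  ansible.posix.firewalld:
    zone: public
    masquerade: true
    permanent: true
    immediate: true
    state: enabled

- name: Enable masquerade on vm interface
  ansible.posix.firewalld:
    zone: trusted
    masquerade: true
    permanent: true
    immediate: true
    state: enabled

- name: Add services to public interface
  # These are reachable from the WAN side. ssh in particular is exposed
  # to the internet here; consider a rich rule limited to known source
  # addresses, or reaching the gateway over the VPN instead.
  ansible.posix.firewalld:
    zone: public
    service: "{{ item }}"
    permanent: true
    immediate: true
    state: enabled
  loop:
    - dhcpv6-client
    - http
    - https
    - ssh

- name: Add services to home interface
  ansible.posix.firewalld:
    zone: home
    service: "{{ item }}"
    permanent: true
    immediate: true
    state: enabled
  loop:
    - dhcpv6-client
    - http
    - https
    - ssh
    - "{{ gateway.vpn.name }}"
    - mdns
    - samba-client
    - samba

- name: Forward ports to hosts
  # Each entry of gateway.firewall.forwarded_ports is expected to carry
  # proto, zone, from.port, to.addr and optionally to.port (defaults to
  # from.port). The folded scalar joins the lines with single spaces, so
  # the rule text is unchanged from a single-line form.
  ansible.posix.firewalld:
    rich_rule: >-
      rule family=ipv4 forward-port
      protocol={{ item.proto }}
      port={{ item.from.port }}
      to-addr="{{ item.to.addr }}"
      to-port={{ item.to.port | default(item.from.port) }}
    zone: "{{ item.zone }}"
    permanent: true
    immediate: true
    state: enabled
  when: gateway.firewall.forwarded_ports is defined
  loop: "{{ gateway.firewall.forwarded_ports }}"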