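---
# (ipt-gateway.yml) firewall roll-out tasks.
#
# Flow:
#   1. clone/update the firewall repository (git_firewall_repository), or end
#      the host when that variable is missing/empty
#   2. create /etc/ipt-firewall and seed the host-specific files from the
#      *.sample files of the checkout (only when they do not exist yet)
#   3. refresh the host-independent configuration files and the two gateway
#      scripts (/usr/local/sbin) whenever they differ from the checkout
#   4. install the ip[6]t-firewall systemd units and enable them
#
# Variables read:
#   git_firewall_repository  mapping with `repo`, `dest` and an optional
#                            `version` (git ref); `dest` is the checkout path
#   sshd_ports               optional list of sshd listen ports
#   groups['lxc_host']       hosts whose traffic runs over a bridge device
#
# Facts set: ansible_netdev, fw_sshd_ports
#
# The earlier "Check if firewall repository exist" stat/end_host pair is kept
# here, disabled, for reference; it is superseded by the variable guard below.
#
# - name: (ipt-gateway.yml) Check if firewall repository exist
#   stat:
#     path: '{{ git_firewall_repository.dest }}'
#   register: git_firewall_repository_exists
#
# - meta: end_host
#   when: not git_firewall_repository_exists.stat.exists

# ---
# Install/update the firewall repository, create '/etc/ipt-firewall' if not exists
# ---

- name: (ipt-gateway.yml) Install/update firewall repository
  git:
    repo: '{{ git_firewall_repository.repo }}'
    dest: '{{ git_firewall_repository.dest }}'
    # The scripts of this checkout are later copied to /usr/local/sbin and run
    # as root, so allow the inventory to pin a tag/commit via `version`.
    # 'HEAD' is the module default, so leaving `version` unset keeps the old
    # behaviour (track the default branch).
    version: "{{ git_firewall_repository.version | default('HEAD') }}"
  when: git_firewall_repository is defined and git_firewall_repository|length > 0
  tags:
    - git-firewall-repository

# Exit if no firewall repository variable exists or is empty: nothing below
# can work without the checkout.
#
- meta: end_host
  when: git_firewall_repository is not defined or git_firewall_repository|length < 1

- name: (ipt-gateway.yml) Create directory /etc/ipt-firewall if not exists
  file:
    path: /etc/ipt-firewall
    state: directory

# ---
# Check presence of files
# ---
# Each *_exists register decides whether the matching sample file is copied
# in the "Update/Modify firewall" section; existing files are never replaced.

- name: (ipt-gateway.yml) Check if /etc/ipt-firewall/interfaces_ipv4.conf are present
  stat:
    path: /etc/ipt-firewall/interfaces_ipv4.conf
  register: interfaces_ipv4_exists

# NOTE: interfaces_ipv6_exists is registered but not consumed by any task in
# this file (there is no interfaces_ipv6.conf seeding step yet).
- name: (ipt-gateway.yml) Check if /etc/ipt-firewall/interfaces_ipv6.conf are present
  stat:
    path: /etc/ipt-firewall/interfaces_ipv6.conf
  register: interfaces_ipv6_exists

- name: (ipt-gateway.yml) Check if file '/etc/ipt-firewall/main_ipv4.conf' exists
  stat:
    path: /etc/ipt-firewall/main_ipv4.conf
  register: main_ipv4_exists

- name: (ipt-gateway.yml) Check if file '/etc/ipt-firewall/main_ipv6.conf' exists
  stat:
    path: /etc/ipt-firewall/main_ipv6.conf
  register: main_ipv6_exists

- name: (ipt-gateway.yml) Check if /etc/ipt-firewall/ban_ipv4.list are present
  stat:
    path: /etc/ipt-firewall/ban_ipv4.list
  register: ban_ipv4_exists

# ---
# Get information about network devices
# ---
# ansible_netdev collects the fact dicts (ansible_<iface>) of the devices that
# may carry the local network: plain ethernet devices on normal hosts, bridge
# devices on hosts that belong to the 'lxc_host' group. Only needed while
# interfaces_ipv4.conf is still missing.

- name: (ipt-gateway.yml) define traditional ethernet facts
  set_fact:
    ansible_netdev: "{{ ansible_netdev | default([]) + [hostvars[inventory_hostname]['ansible_' + item]] }}"
  loop: "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}"
  when:
    - not interfaces_ipv4_exists.stat.exists
    - hostvars[inventory_hostname]['ansible_' + item]['type'] is defined
    - hostvars[inventory_hostname]['ansible_' + item]['type'] == 'ether'
    # list membership instead of a substring test on the stringified group,
    # so 'host1' is not mistaken for a member because of 'host10'
    - inventory_hostname not in groups['lxc_host'] | default([])

- name: (ipt-gateway.yml) define traditional bridge facts
  set_fact:
    ansible_netdev: "{{ ansible_netdev | default([]) + [hostvars[inventory_hostname]['ansible_' + item]] }}"
  loop: "{{ hostvars[inventory_hostname]['ansible_interfaces'] }}"
  when:
    - not interfaces_ipv4_exists.stat.exists
    - hostvars[inventory_hostname]['ansible_' + item]['type'] is defined
    - hostvars[inventory_hostname]['ansible_' + item]['type'] == 'bridge'
    - inventory_hostname in groups['lxc_host'] | default([])

- name: (ipt-gateway.yml) Debug message IPv4
  debug:
    msg:
      - "index: {{ idx + 1 }}"
      - "device: {{ item.device }}"
      - "ipv4-address: {{ item.ipv4.address }}"
  loop: "{{ ansible_netdev }}"
  loop_control:
    label: "{{ item.device }}"
    index_var: idx
  when:
    - item.ipv4.address is defined and item.ipv4.address|length > 0

- name: (ipt-gateway.yml) Debug message IPv6
  debug:
    msg:
      - "index: {{ idx + 1 }}"
      - "device: {{ item.device }}"
      # Second address is shown only when present and not starting with 'f'
      # (link-local/ULA); the length guard avoids an undefined-variable error
      # on devices with a single IPv6 address.
      - "ipv6-address: {{ item.ipv6.0.address }}{% if item.ipv6 | length > 1 and item.ipv6.1.address is not match 'f.*' %} {{ item.ipv6.1.address }}{% endif %}"
  loop: "{{ ansible_netdev }}"
  loop_control:
    label: "{{ item.device }}"
    index_var: idx
  when:
    - item.default_ipv6 is defined and item.default_ipv6|length > 0
    - item.ipv6.0.address is defined and item.ipv6.0.address|length > 0

# debugging stop, kept disabled
# - meta: end_host

# ---
# Get sshd ports
# ---
# fw_sshd_ports ends up in the firewall configuration; when sshd listens on
# the default port only, the firewall's own "$standard_ssh_port" variable is
# used instead of a literal list.

- name: (ipt-gateway.yml) Get sshd ports as blank separated list
  set_fact:
    fw_sshd_ports: "{{ sshd_ports | join (' ') }}"
  when:
    - sshd_ports is defined and sshd_ports | length > 0
    - sshd_ports|join() != "22"

- name: (ipt-gateway.yml) Set default sshd ports
  set_fact:
    fw_sshd_ports: "$standard_ssh_port"
  when:
    - sshd_ports is not defined or sshd_ports | length == 0 or sshd_ports|join() == "22"

# ===
# Update/Modify firewall
# ===

# ---
# Host specific configuration files
# ---
# Seeded from the *.sample files only when the target does not exist yet;
# existing host configuration is never overwritten.

# /etc/ipt-firewall/interfaces_ipv[4|6].conf
#
- name: (ipt-gateway.yml) Place new configuration file '/etc/ipt-firewall/interfaces_ipv4.conf'
  command: cp {{ git_firewall_repository.dest }}/conf/interfaces_ipv4.conf.sample /etc/ipt-firewall/interfaces_ipv4.conf
  when: not interfaces_ipv4_exists.stat.exists
  register: new_interfaces_ipv4

# NOTE(review): every device that carries an IPv4 address rewrites the
# local_if_1 line in turn, so the last matching device wins — confirm that is
# the intended selection. The `until` only re-runs an item whose lineinfile
# reported no change.
- name: (ipt-gateway.yml) Configure interfaces_ipv4.conf 1/2
  lineinfile:
    path: /etc/ipt-firewall/interfaces_ipv4.conf
    regexp: 'local_if_1='
    line: 'local_if_1="{{ item.device }}"'
  register: interfaces_ipv4_device
  loop: "{{ ansible_netdev }}"
  loop_control:
    label: "{{ item.device }}"
  until:
    - interfaces_ipv4_device is changed
  when:
    - not interfaces_ipv4_exists.stat.exists
    - new_interfaces_ipv4 is changed
    - item.ipv4.address is defined and item.ipv4.address|length > 0

# /etc/ipt-firewall/ban_ipv[4|6].list
#
- name: (ipt-gateway.yml) Place new configuration file '/etc/ipt-firewall/ban_ipv4.list'
  command: cp {{ git_firewall_repository.dest }}/conf/ban_ipv4.list.sample /etc/ipt-firewall/ban_ipv4.list
  when: not ban_ipv4_exists.stat.exists

# /etc/ipt-firewall/main_ipv[4|6].conf
#
- name: (ipt-gateway.yml) Place new configuration file '/etc/ipt-firewall/main_ipv4.conf'
  command: cp {{ git_firewall_repository.dest }}/conf/main_ipv4.conf.sample /etc/ipt-firewall/main_ipv4.conf
  when: not main_ipv4_exists.stat.exists
  register: cp_main_ipv4

- name: (ipt-gateway.yml) Place new configuration file '/etc/ipt-firewall/main_ipv6.conf'
  command: cp {{ git_firewall_repository.dest }}/conf/main_ipv6.conf.sample /etc/ipt-firewall/main_ipv6.conf
  when: not main_ipv6_exists.stat.exists
  register: cp_main_ipv6

# ---
# Host independent configuration files
# ---
# Compare each file with the checkout first (diff), then copy only the files
# that differ or are missing. `diff_output` inside changed_when/failed_when
# refers to the current loop item; after the loop, diff_output.results holds
# one entry per file.

- name: (ipt-gateway.yml) Check if common configuration files are latest
  shell: 'diff {{ git_firewall_repository.dest }}/conf/{{ item }} /etc/ipt-firewall/{{ item }} > /dev/null 2>&1'
  # diff exit status:
  #   0 -> unchanged
  #   1 -> changed
  #   2 -> not present (or unreadable)
  # anything above 2 is a real error
  changed_when: "diff_output.rc > 0"
  failed_when: "diff_output.rc > 2"
  when: (git_firewall_repository is defined) and (git_firewall_repository|length > 0)
  loop:
    - include_functions.conf
    - load_modules_ipv4.conf
    - load_modules_ipv6.conf
    - logging_ipv4.conf
    - logging_ipv6.conf
    - default_ports.conf
    - post_decalrations.conf
  register: diff_output

- name: (ipt-gateway.yml) Ensure common configuration files are latest
  command: cp {{ git_firewall_repository.dest }}/conf/{{ item.item }} /etc/ipt-firewall/{{ item.item }}
  # only the entries the diff above flagged as changed/missing (item.item is
  # the file name of that loop iteration); skipped entries report changed=false
  loop: "{{ diff_output.results | default([]) | selectattr('changed') | list }}"
  loop_control:
    label: "{{ item.item }}"
  when:
    - (git_firewall_repository is defined) and (git_firewall_repository|length > 0)

# ---
# Firewall scripts
# ---
# Same diff/copy scheme for the two gateway scripts. They are installed to
# /usr/local/sbin and executed as root by the systemd units below, which is
# why the checkout they come from should be a pinned ref (see `version` above).
# Mode and ownership of the copies follow `cp` defaults (source mode, umask).

- name: (ipt-gateway.yml) Check if firewall scripts are latest
  shell: 'diff {{ git_firewall_repository.dest }}/{{ item }} /usr/local/sbin/{{ item }} > /dev/null 2>&1'
  # diff_script_output.rc:
  #   0 -> unchanged
  #   1 -> changed
  #   2 -> not present (or unreadable)
  changed_when: "diff_script_output.rc > 0"
  failed_when: "diff_script_output.rc > 2"
  when: (git_firewall_repository is defined) and (git_firewall_repository|length > 0)
  loop:
    - ipt-firewall-gateway
    - ip6t-firewall-gateway
  register: diff_script_output

- name: (ipt-gateway.yml) Ensure firewall scripts are latest
  command: cp {{ git_firewall_repository.dest }}/{{ item.item }} /usr/local/sbin/{{ item.item }}
  loop: "{{ diff_script_output.results | default([]) | selectattr('changed') | list }}"
  loop_control:
    label: "{{ item.item }}"
  when:
    - (git_firewall_repository is defined) and (git_firewall_repository|length > 0)

# ---
# Install systemd service files ip[6]t-firewall.service
# ---

- name: (ipt-gateway.yml) Configure firewall systemd service files
  template:
    src: etc/systemd/system/{{ item }}-firewall.service.j2
    dest: /etc/systemd/system/{{ item }}-firewall.service
  register: systemd_service_files_installed
  loop:
    - ipt
    - ip6t

# The unit name passed to `systemd` must be the bare unit ('ipt-firewall'),
# not the task-name prefix. Both tasks get their own register so neither
# result is lost for the final check.
- name: (ipt-gateway.yml) Enable firewall services IPv4
  systemd:
    name: ipt-firewall
    state: stopped
    enabled: true
    daemon_reload: true
  when: systemd_service_files_installed is changed
  register: firewall_service_ipv4

- name: (ipt-gateway.yml) Enable firewall services IPv6
  systemd:
    name: ip6t-firewall
    state: stopped
    enabled: true
    daemon_reload: true
  when: systemd_service_files_installed is changed
  register: firewall_service_ipv6

# Stop processing this host when a unit was (re)installed; a skipped task is
# never "changed", so this is false when the service files were unchanged.
- meta: end_host
  when: firewall_service_ipv4 is changed or firewall_service_ipv6 is changed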