---
# ===
# Config directory used by the firewall scripts
# ===
- name: Create /etc/ipt-firewall if not present
  file:
    path: /etc/ipt-firewall
    state: directory
    mode: '0750'
    owner: root
    group: root

# ===
# Probe the four host-specific config files. The registered results drive
# the "write only when absent" guard on the template tasks further down.
# ===
- name: Check if interfaces_ipv4.conf exists
  stat:
    path: /etc/ipt-firewall/interfaces_ipv4.conf
  register: interfaces_ipv4_exists

- name: Check if interfaces_ipv6.conf exists
  stat:
    path: /etc/ipt-firewall/interfaces_ipv6.conf
  register: interfaces_ipv6_exists

- name: Check if main_ipv4.conf exists
  stat:
    path: /etc/ipt-firewall/main_ipv4.conf
  register: main_ipv4_exists

- name: Check if main_ipv6.conf exists
  stat:
    path: /etc/ipt-firewall/main_ipv6.conf
  register: main_ipv6_exists

# ===
# Deploy host-specific config files from templates.
#
# Safety guard: with the default fw_manage_config: false a file is written
# only while it is still missing on the host, so hosts that pre-date this
# role keep their hand-maintained config untouched.
#
# Once a host has been migrated (host_vars populated and the rendered diff
# verified) set
#   fw_manage_config: true
# in its host_vars. From then on Ansible owns the files, rewrites them on
# every run, and a change triggers a firewall restart through the handlers.
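# ===
# NOTE(review): the guard is evaluated as
#   (fw_manage_config | default(false) | bool) or not <file>_exists.stat.exists
# "| bool" keeps it effective when the flag is supplied as a string
# (e.g. -e fw_manage_config=false, which is a truthy non-empty string in
# Jinja and would otherwise overwrite every existing config); "| default(false)"
# falls back to the non-overwriting path when the flag is not defined at all.
# NOTE(review): none of the template tasks run a validate: step, so a bad
# render reaches the firewall restart handler unchecked — if the firewall
# script offers a syntax/dry-run check, wire it in here; confirm with the
# script's options.
- name: Deploy interfaces_ipv4.conf from template
  template:
    src: etc/ipt-firewall/interfaces_ipv4.conf.j2
    dest: /etc/ipt-firewall/interfaces_ipv4.conf
    owner: root
    group: root
    mode: "0640"
  when: (fw_manage_config | default(false) | bool) or not interfaces_ipv4_exists.stat.exists
  notify:
    - Restart IPv4 Firewall

- name: Deploy interfaces_ipv6.conf from template
  template:
    src: etc/ipt-firewall/interfaces_ipv6.conf.j2
    dest: /etc/ipt-firewall/interfaces_ipv6.conf
    owner: root
    group: root
    mode: "0640"
  when: (fw_manage_config | default(false) | bool) or not interfaces_ipv6_exists.stat.exists
  notify:
    - Restart IPv6 Firewall

- name: Deploy main_ipv4.conf from template
  template:
    src: etc/ipt-firewall/main_ipv4.conf.j2
    dest: /etc/ipt-firewall/main_ipv4.conf
    owner: root
    group: root
    mode: "0640"
  when: (fw_manage_config | default(false) | bool) or not main_ipv4_exists.stat.exists
  notify:
    - Restart IPv4 Firewall

- name: Deploy main_ipv6.conf from template
  template:
    src: etc/ipt-firewall/main_ipv6.conf.j2
    dest: /etc/ipt-firewall/main_ipv6.conf
    owner: root
    group: root
    mode: "0640"
  when: (fw_manage_config | default(false) | bool) or not main_ipv6_exists.stat.exists
  notify:
    - Restart IPv6 Firewall

# ===
# Firewall scripts — root-only executables, always kept in sync with the role.
# ===
- name: Deploy ipt-firewall-server
  copy:
    src: usr/local/sbin/ipt-firewall-server
    dest: /usr/local/sbin/ipt-firewall-server
    owner: root
    group: root
    mode: "0750"

- name: Deploy ip6t-firewall-server
  copy:
    src: usr/local/sbin/ip6t-firewall-server
    dest: /usr/local/sbin/ip6t-firewall-server
    owner: root
    group: root
    mode: "0750"

# ===
# Shared conf files (not host-specific — always kept in sync with the role).
# These are deployed unconditionally; only the templated files above and the
# ban lists below are protected by a "first install only" guard.
# ===
- name: Deploy shared conf files
  copy:
    src: "etc/ipt-firewall/{{ item }}"
    dest: "/etc/ipt-firewall/{{ item }}"
    owner: root
    group: root
    mode: "0640"
  loop:
    - default_settings.conf
    - include_functions.conf
    - logging_ipv4.conf
    - logging_ipv6.conf
    - post_declarations.conf

# ===
# Ban lists — copy from sample once; the file can be customised per host.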
# ===
- name: Check if ban_ipv4.list exists
  stat:
    path: /etc/ipt-firewall/ban_ipv4.list
  register: ban_ipv4_exists

# Seeded from the sample only while the list is absent; later runs leave a
# host-customised list alone.
- name: Copy ban_ipv4.list from sample (first install only)
  copy:
    src: etc/ipt-firewall/ban_ipv4.list.sample
    dest: /etc/ipt-firewall/ban_ipv4.list
    mode: '0640'
    owner: root
    group: root
  when: not ban_ipv4_exists.stat.exists

- name: Check if ban_ipv6.list exists
  stat:
    path: /etc/ipt-firewall/ban_ipv6.list
  register: ban_ipv6_exists

- name: Copy ban_ipv6.list from sample (first install only)
  copy:
    src: etc/ipt-firewall/ban_ipv6.list.sample
    dest: /etc/ipt-firewall/ban_ipv6.list
    mode: '0640'
    owner: root
    group: root
  when: not ban_ipv6_exists.stat.exists

# ===
# Systemd service units. A changed unit reloads the daemon and restarts the
# matching firewall through the handlers.
# ===
- name: Deploy ipt-firewall.service
  copy:
    src: etc/systemd/system/ipt-firewall.service
    dest: /etc/systemd/system/ipt-firewall.service
    mode: '0644'
    owner: root
    group: root
  notify:
    - Reload systemd daemon
    - Restart IPv4 Firewall

- name: Deploy ip6t-firewall.service
  copy:
    src: etc/systemd/system/ip6t-firewall.service
    dest: /etc/systemd/system/ip6t-firewall.service
    mode: '0644'
    owner: root
    group: root
  notify:
    - Reload systemd daemon
    - Restart IPv6 Firewall

# ===
# Enable and start services. daemon_reload: true here makes the freshly
# copied units visible before the start, independent of handler ordering.
# ===
- name: Enable and start ipt-firewall
  systemd:
    name: ipt-firewall
    daemon_reload: true
    enabled: true
    state: started

- name: Enable and start ip6t-firewall
  systemd:
    name: ip6t-firewall
    daemon_reload: true
    enabled: true
    state: started