---
# Ansible tasks: install an nftables-based firewall (script, helper module,
# systemd unit and rule file), mask the distribution nftables.service and
# enable firewall.service in its place.
#
# Variables consumed: firewall__zones, firewall__rp_filter_disabled,
# firewall__input, firewall__forward, firewall__output, firewall__nat.
# The "Reload firewall" handler is defined elsewhere in the role.

- name: Install required packages
  apt:
    name:
      - python3-nftables
      - python3-pydantic
      - python3-yaml
      - nftables

# `firewall` is the executable entry point; `nft.py` is placed in the
# system dist-packages directory (presumably so the script can import it;
# verify against the script).
- name: Install script
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}/{{ item.src }}"
    owner: root
    group: root
    mode: "{{ item.mode }}"
  loop:
    - src: firewall
      dest: /usr/local/sbin
      mode: u=rwx,g=rx,o=rx
    - src: nft.py
      dest: /usr/lib/python3/dist-packages
      mode: u=rw,g=r,o=r

# NOTE(review): a changed unit file is picked up by daemon_reload in the
# "Enable firewall service" task below, but nothing restarts an already
# running firewall.service after the unit changes.
- name: Install systemd unit
  template:
    src: firewall.service.j2
    dest: /etc/systemd/system/firewall.service
    owner: root
    group: root
    mode: u=rw,g=r,o=r

- name: Create /etc/firewall
  file:
    path: /etc/firewall
    state: directory
    owner: root
    group: root
    mode: u=rwx,g=rx,o=rx

# Renders the rule file from the role variables and reloads the firewall
# when it changes.
# NOTE(review): the rendered rule set is world-readable (o=r); drop the
# "o" bits if unprivileged local users should not be able to read it.
- name: Configure firewall
  template:
    src: rules.yml.j2
    dest: /etc/firewall/rules.yml
    owner: root
    group: root
    mode: u=rw,g=r,o=r
  vars:
    firewall__rules:
      zones: "{{ firewall__zones }}"
      reverse_path_filter:
        interfaces: "{{ firewall__rp_filter_disabled }}"
      filter:
        input: "{{ firewall__input }}"
        forward: "{{ firewall__forward }}"
        output: "{{ firewall__output }}"
      nat: "{{ firewall__nat }}"
  notify:
    - Reload firewall

# Masking prevents the distribution unit from being started; it does not
# stop an instance that is already running on the host.
- name: Mask nftables service
  systemd:
    name: nftables.service
    masked: true

- name: Enable firewall service
  systemd:
    name: firewall.service
    daemon_reload: true
    state: started
    enabled: true
...