---

- debug:
    var: minifirewall_trusted_ips
    verbosity: 1
- debug:
    var: minifirewall_privilegied_ips
    verbosity: 1

- name: Stat minifirewall config file (before)
  stat:
    path: "/etc/default/minifirewall"
  register: minifirewall_before

- name: Check if minifirewall is running
  shell:
    cmd: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
  changed_when: False
  failed_when: False
  check_mode: no
  register: minifirewall_is_running

- debug:
    var: minifirewall_is_running
    verbosity: 1

- name: Begin marker for IP addresses
  lineinfile:
    dest: "/etc/default/minifirewall"
    line: "# BEGIN ANSIBLE MANAGED BLOCK FOR IPS"
    insertbefore: '^# Main interface'
    create: no

- name: End marker for IP addresses
  lineinfile:
    dest: "/etc/default/minifirewall"
    create: no
    line: "# END ANSIBLE MANAGED BLOCK FOR IPS"
    insertafter: '^PRIVILEGIEDIPS='

- name: Verify that at least 1 trusted IP is provided
  assert:
    that: minifirewall_trusted_ips | length > 0
    msg: You must provide at least 1 trusted IP

- debug:
    msg: "Warning: minifirewall_trusted_ips contains '0.0.0.0/0', the firewall is useless on IPv4!"
  when: "'0.0.0.0/0' in minifirewall_trusted_ips"

- debug:
    msg: "Warning: minifirewall_trusted_ips contains '::/0', the firewall is useless on IPv6!"
  when: "'::/0' in minifirewall_trusted_ips"

- name: Configure IP addresses
  blockinfile:
    dest: "/etc/default/minifirewall"
    marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS"
    block: |
      # Main interface
      INT='{{ minifirewall_int }}'

      # IPv6
      IPV6='{{ minifirewall_ipv6 }}'

      # Docker Mode
      # Changes the behaviour of minifirewall to not break the containers' network
      # For instance, turning it on will disable nat table purge
      # Also, we'll add the DOCKER-USER chain, in iptables
      #
      # WARNING : If the port mapping is different between the host and the container
      # (ie: Listen on :8090 on host, but :8080 in container)
      # then you need to give the port used inside the container
      DOCKER='{{ minifirewall_docker }}'

      # Trusted IPv4 local network
      # ...will be often IP/32 if you don't trust anything
      INTLAN='{{ minifirewall_intlan }}'

      # Trusted IPv4 addresses for private and semi-public services
      TRUSTEDIPS='{{ minifirewall_trusted_ips | join(' ') }}'

      # Privilegied IPv4 addresses for semi-public services
      # (no need to add again TRUSTEDIPS)
      PRIVILEGIEDIPS='{{ minifirewall_privilegied_ips | join(' ') }}'
    create: no
  register: minifirewall_config_ips

- name: Begin marker for ports
  lineinfile:
    dest: "/etc/default/minifirewall"
    line: "# BEGIN ANSIBLE MANAGED BLOCK FOR PORTS"
    insertbefore: '^# Protected services'
    create: no

- name: End marker for ports
  lineinfile:
    dest: "/etc/default/minifirewall"
    line: "# END ANSIBLE MANAGED BLOCK FOR PORTS"
    insertafter: '^SERVICESUDP3='
    create: no

- name: Configure ports
  blockinfile:
    dest: "/etc/default/minifirewall"
    marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS"
    block: |
      # Protected services
      # (add also in Public services if needed)
      SERVICESTCP1p='{{ minifirewall_protected_ports_tcp | join(' ') }}'
      SERVICESUDP1p='{{ minifirewall_protected_ports_udp | join(' ') }}'

      # Public services (IPv4/IPv6)
      SERVICESTCP1='{{ minifirewall_public_ports_tcp | join(' ') }}'
      SERVICESUDP1='{{ minifirewall_public_ports_udp | join(' ') }}'

      # Semi-public services (IPv4)
      SERVICESTCP2='{{ minifirewall_semipublic_ports_tcp | join(' ') }}'
      SERVICESUDP2='{{ minifirewall_semipublic_ports_udp | join(' ') }}'

      # Private services (IPv4)
      SERVICESTCP3='{{ minifirewall_private_ports_tcp | join(' ') }}'
      SERVICESUDP3='{{ minifirewall_private_ports_udp | join(' ') }}'
    create: no
  register: minifirewall_config_ports

- name: Configure DNSSERVEURS
  lineinfile:
    dest: "/etc/default/minifirewall"
    line: "DNSSERVEURS='{{ minifirewall_dns_servers | join(' ') }}'"
    regexp: "DNSSERVEURS=('|\").*('|\")"
    create: no
  when: minifirewall_dns_servers is not none

- name: Configure HTTPSITES
  lineinfile:
    dest: "/etc/default/minifirewall"
    line: "HTTPSITES='{{ minifirewall_http_sites | join(' ') }}'"
    regexp: "HTTPSITES=('|\").*('|\")"
    create: no
  when: minifirewall_http_sites is not none

- name: Configure HTTPSSITES
  lineinfile:
    dest: "/etc/default/minifirewall"
    line: "HTTPSSITES='{{ minifirewall_https_sites | join(' ') }}'"
    regexp: "HTTPSSITES=('|\").*('|\")"
    create: no
  when: minifirewall_https_sites is not none

- name: Configure FTPSITES
  lineinfile:
    dest: "/etc/default/minifirewall"
    line: "FTPSITES='{{ minifirewall_ftp_sites | join(' ') }}'"
    regexp: "FTPSITES=('|\").*('|\")"
    create: no
  when: minifirewall_ftp_sites is not none

- name: Configure SSHOK
  lineinfile:
    dest: "/etc/default/minifirewall"
    line: "SSHOK='{{ minifirewall_ssh_ok | join(' ') }}'"
    regexp: "SSHOK=('|\").*('|\")"
    create: no
  when: minifirewall_ssh_ok is not none

- name: Configure SMTPOK
  lineinfile:
    dest: "/etc/default/minifirewall"
    line: "SMTPOK='{{ minifirewall_smtp_ok | join(' ') }}'"
    regexp: "SMTPOK=('|\").*('|\")"
    create: no
  when: minifirewall_smtp_ok is not none

- name: Configure SMTPSECUREOK
  lineinfile:
    dest: "/etc/default/minifirewall"
    line: "SMTPSECUREOK='{{ minifirewall_smtp_secure_ok | join(' ') }}'"
    regexp: "SMTPSECUREOK=('|\").*('|\")"
    create: no
  when: minifirewall_smtp_secure_ok is not none

- name: Configure NTPOK
  lineinfile:
    dest: "/etc/default/minifirewall"
    line: "NTPOK='{{ minifirewall_ntp_ok | join(' ') }}'"
    regexp: "NTPOK=('|\").*('|\")"
    create: no
  when: minifirewall_ntp_ok is not none

- name: Configure PROXY
  lineinfile:
    dest: "/etc/default/minifirewall"
    line: "PROXY='{{ minifirewall_proxy }}'"
    regexp: "PROXY=('|\").*('|\")"
    create: no
  when: minifirewall_proxy is not none

- name: Configure PROXYPORT
  lineinfile:
    dest: "/etc/default/minifirewall"
    line: "PROXYPORT='{{ minifirewall_proxyport }}'"
    regexp: "PROXYPORT=('|\").*('|\")"
    create: no
  when: minifirewall_proxyport is not none

# Warning: keep double quotes for the value,
# since we often reference a shell variable that needs to be interpolated
- name: Configure PROXYBYPASS
  lineinfile:
    dest: "/etc/default/minifirewall"
    line: "PROXYBYPASS=\"{{ minifirewall_proxybypass | join(' ') }}\""
    regexp: "PROXYBYPASS=('|\").*('|\")"
    create: no
  when: minifirewall_proxybypass is not none

- name: Configure BACKUPSERVERS
  lineinfile:
    dest: "/etc/default/minifirewall"
    line: "BACKUPSERVERS='{{ minifirewall_backupservers | join(' ') }}'"
    regexp: "BACKUPSERVERS=('|\").*('|\")"
    create: no
  when: minifirewall_backupservers is not none

- name: Configure SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS
  lineinfile:
    dest: "/etc/default/minifirewall"
    line: "SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS='{{ minifirewall_sysctl_icmp_echo_ignore_broadcasts }}'"
    regexp: "SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS=('|\").*('|\")"
    create: no
  when: minifirewall_sysctl_icmp_echo_ignore_broadcasts is not none

- name: Configure SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES
  lineinfile:
    dest: "/etc/default/minifirewall"
    line: "SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES='{{ minifirewall_sysctl_icmp_ignore_bogus_error_responses }}'"
    regexp: "SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES=('|\").*('|\")"
    create: no
  when: minifirewall_sysctl_icmp_ignore_bogus_error_responses is not none

- name: Configure SYSCTL_ACCEPT_SOURCE_ROUTE
  lineinfile:
    dest: "/etc/default/minifirewall"
    line: "SYSCTL_ACCEPT_SOURCE_ROUTE='{{ minifirewall_sysctl_accept_source_route }}'"
    regexp: "SYSCTL_ACCEPT_SOURCE_ROUTE=('|\").*('|\")"
    create: no
  when: minifirewall_sysctl_accept_source_route is not none

- name: Configure SYSCTL_TCP_SYNCOOKIES
  lineinfile:
    dest: "/etc/default/minifirewall"
    line: "SYSCTL_TCP_SYNCOOKIES='{{ minifirewall_sysctl_tcp_syncookies }}'"
    regexp: "SYSCTL_TCP_SYNCOOKIES=('|\").*('|\")"
    create: no
  when: minifirewall_sysctl_tcp_syncookies is not none

- name: Configure SYSCTL_ICMP_REDIRECTS
  lineinfile:
    dest: "/etc/default/minifirewall"
    line: "SYSCTL_ICMP_REDIRECTS='{{ minifirewall_sysctl_icmp_redirects }}'"
    regexp: "SYSCTL_ICMP_REDIRECTS=('|\").*('|\")"
    create: no
  when: minifirewall_sysctl_icmp_redirects is not none

- name: Configure SYSCTL_RP_FILTER
  lineinfile:
    dest: "/etc/default/minifirewall"
    line: "SYSCTL_RP_FILTER='{{ minifirewall_sysctl_rp_filter }}'"
    regexp: "SYSCTL_RP_FILTER=('|\").*('|\")"
    create: no
  when: minifirewall_sysctl_rp_filter is not none

- name: Configure SYSCTL_LOG_MARTIANS
  lineinfile:
    dest: "/etc/default/minifirewall"
    line: "SYSCTL_LOG_MARTIANS='{{ minifirewall_sysctl_log_martians }}'"
    regexp: "SYSCTL_LOG_MARTIANS=('|\").*('|\")"
    create: no
  when: minifirewall_sysctl_log_martians is not none

- name: Stat minifirewall config file (after)
  stat:
    path: "/etc/default/minifirewall"
  register: minifirewall_after

- name: Schedule minifirewall restart (modern)
  command: /bin/true
  notify: "restart minifirewall (modern)"
  when:
    - minifirewall_install_mode != 'legacy'
    - minifirewall_restart_if_needed | bool
    - minifirewall_is_running.rc == 0
    - minifirewall_before.stat.checksum != minifirewall_after.stat.checksum or minifirewall_upgrade_script is changed or minifirewall_upgrade_config is changed

- debug:
    var: minifirewall_init_restart
    verbosity: 2