---
# Firewall role - UFW configuration
#
# Task order matters for a host-based firewall: the default policies and the
# SSH allow rule are written while UFW is still disabled, and UFW is only
# enabled afterwards, so the management session is never cut off part-way.
#
# Required variables (must be defined by the caller or role defaults):
#   ssh_port                    - TCP port the SSH daemon listens on
#   firewall_allowed_tcp_ports  - list of additional TCP ports to allow

# Make sure the ufw package is present before any ufw module call.
- name: Install UFW
  apt:
    name: ufw
    state: present
  tags:
    - install

# Deny everything inbound by default, allow all outbound. Every later rule
# is an explicit exception to this baseline.
- name: Set UFW default policies
  ufw:
    direction: "{{ item.direction }}"
    policy: "{{ item.policy }}"
  loop:
    - direction: incoming
      policy: deny
    - direction: outgoing
      policy: allow
  tags:
    - policy

# Open SSH first so the firewall can be enabled without locking out Ansible.
- name: Allow SSH
  ufw:
    rule: allow
    port: "{{ ssh_port }}"
    proto: tcp
  tags:
    - ssh

# One allow rule per entry in firewall_allowed_tcp_ports (TCP only).
- name: Allow TCP ports
  ufw:
    rule: allow
    port: "{{ item }}"
    proto: tcp
  loop: "{{ firewall_allowed_tcp_ports }}"
  tags:
    - ports

# Activate the rule set only after the allow rules above exist.
- name: Enable UFW
  ufw:
    state: enabled
  tags:
    - enable

# Read-only query; changed_when: false keeps it from reporting a change.
- name: Display status
  command: ufw status verbose
  register: ufw_status
  changed_when: false
  tags:
    - status

# NOTE(review): the count below is the number of lines in `ufw status
# verbose` output, which presumably includes header lines as well as rules,
# so treat it as an approximation rather than an exact rule count.
- name: Show configuration
  debug:
    msg: "✅ Firewall configured - {{ ufw_status.stdout_lines | length }} rules"
  tags:
    - status