---
# Gitea Firewall Configuration - Rick-Infra
# Self-contained firewall management for Gitea SSH access
# Opens port 2222 for Gitea's SSH server (the actual port comes from gitea_ssh_port)

- name: Install nftables (if not present)
  pacman:
    name: nftables
    state: present

- name: Create nftables rules directory
  file:
    path: /etc/nftables.d
    state: directory
    mode: '0755'

# The rendered fragment only takes effect if /etc/nftables-load.conf includes /etc/nftables.d/*.nft
- name: Deploy Gitea nftables rules
  template:
    src: gitea.nft.j2
    dest: /etc/nftables.d/50-gitea.nft
    mode: '0644'
  notify: reload nftables
  register: gitea_nft_deployed

# Syntax-only check (-c) of the loader config, which also parses every included fragment.
# failed_when: false keeps the play running on a bad rule set; the result is only reported below.
- name: Validate nftables loader configuration
  command: nft -c -f /etc/nftables-load.conf
  changed_when: false
  failed_when: false
  register: nft_validation

- name: Display nftables validation results
  debug:
    msg: "{{ 'nftables configuration valid' if nft_validation.rc == 0 else 'nftables validation failed: ' + nft_validation.stderr }}"
  when: nft_validation is defined

- name: Enable and start nftables service
  systemd:
    name: nftables
    enabled: yes
    state: started

- name: Display Gitea firewall status
  debug:
    msg: |
      🔥 Gitea firewall configuration deployed
      📍 Rule file: /etc/nftables.d/50-gitea.nft
      🔓 Port opened: {{ gitea_ssh_port }} (Gitea SSH)
      ⚠️ Note: nftables will reload automatically via handler

# Rick-Infra: Self-contained firewall management per role
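As an added example (not the role's own gitea.nft.j2, which is not on this page), here is one way the deployed fragment could look. It assumes the loader config defines `table inet filter` with a base `input` chain whose policy is drop and then does `include "/etc/nftables.d/*.nft"`, and that `gitea_ssh_port` is this role's variable (2222 by default):

```nft
# Assumed rendering of /etc/nftables.d/50-gitea.nft for illustration only;
# this is not the Rick-Infra template.
#
# Assumptions:
#   * /etc/nftables-load.conf creates `table inet filter` and a base chain
#     `input` (type filter hook input priority 0; policy drop), then includes
#     /etc/nftables.d/*.nft so fragments like this one are appended to it.
#   * Re-declaring an existing table/chain in nft syntax appends rules to it
#     rather than replacing it, so this file only adds the Gitea rule.
#   * {{ gitea_ssh_port }} is substituted by Ansible's template module.

table inet filter {
    chain input {
        # Accept new TCP connections to Gitea's built-in SSH server.
        # The limit is global (not per source) to stay valid for both IPv4
        # and IPv6 in an inet table; it blunts, but does not stop, brute forcing.
        # Anything that exceeds the rate falls through to the chain's drop policy.
        tcp dport {{ gitea_ssh_port }} ct state new \
            limit rate 15/minute burst 30 packets \
            counter accept comment "Gitea SSH"
    }
}
```

Because appended rules are evaluated after everything already in the chain, this fragment only works if the base chain relies on `policy drop` rather than ending in an explicit `drop` rule; the play's `nft -c -f` task will catch syntax errors in it but not that ordering mistake.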