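---
# Firewall management for Alpine hosts.
# Manages iptables persistence and fail2ban for SSH protection.
#
# NOTE: Docker manages port-forwarding rules for published container ports
# (e.g. mail ports on nuremberg-a). This role only handles non-Docker rules.
#
# Variables read here (their defaults are presumably set elsewhere in the role):
#   firewall_alpine_persist          - deploy rules-save and enable the iptables service
#   firewall_alpine_fail2ban_enabled - deploy the SSH jail and start/enable fail2ban
#
# Handlers notified: "Restore iptables" and "Restart fail2ban" (expected to be
# defined in the role's handlers; not visible in this file).

- name: Install iptables and fail2ban
  community.general.apk:
    name:
      - iptables
      - fail2ban
    state: present

# --- iptables persistence ---

# Root-only directory: the saved ruleset describes the host's filtering policy.
- name: Ensure /etc/iptables directory exists
  ansible.builtin.file:
    path: /etc/iptables
    state: directory
    mode: '0700'

# The rendered ruleset is syntax-checked with iptables-restore's test mode
# (parse only, no commit) before it replaces the live file. Without this, a
# template error would be persisted and then applied by the "Restore iptables"
# handler, which could drop the SSH session. The play already runs with the
# privileges needed for apk, which is also what iptables-restore needs here.
- name: Deploy iptables rules
  ansible.builtin.template:
    src: rules.v4.j2
    dest: /etc/iptables/rules-save
    mode: '0600'
    validate: iptables-restore --test %s
  notify: Restore iptables
  when: firewall_alpine_persist | bool

# Only enables the service; applying changed rules now is left to the handler.
# The Alpine iptables service is expected to load rules-save at boot — confirm
# against the init script if this role is reused on another distribution.
- name: Ensure iptables starts on boot
  ansible.builtin.service:
    name: iptables
    enabled: true
  when: firewall_alpine_persist | bool

# --- fail2ban ---

# NOTE(review): when firewall_alpine_fail2ban_enabled is false both tasks below
# are skipped, but an already running fail2ban is neither stopped nor disabled;
# the package installed above stays present either way.
- name: Deploy fail2ban Alpine SSH jail
  ansible.builtin.template:
    src: alpine-ssh.conf.j2
    dest: /etc/fail2ban/jail.d/alpine-ssh.conf
    mode: '0644'
  notify: Restart fail2ban
  when: firewall_alpine_fail2ban_enabled | bool

- name: Enable fail2ban
  ansible.builtin.service:
    name: fail2ban
    state: started
    enabled: true
  when: firewall_alpine_fail2ban_enabled | bool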