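# Install the ufw package. Recommended packages are skipped so that only the
# firewall front-end itself is pulled in.
- name: Install ufw
  tags:
    - ufw
    - packages
  become: true
  block:
    - name: Install the ufw package
      apt:
        name: ufw
        state: present
        install_recommends: false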

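# Manage the NAT / port-forwarding sections of /etc/ufw/before.rules, allow
# SSH and enable the firewall.
# NOTE(review): MASQUERADE and DNAT rules only have an effect when IP
# forwarding is enabled and ufw's forward policy permits the traffic; neither
# is configured in this file, so it presumably happens elsewhere — confirm.
# The external interface is hard-coded to eth0 in both rule blocks.
- name: Configure ufw rules and enable the firewall
  tags:
    - ufw
  become: true
  block:
    # Outbound masquerading for the NAT'd network. When ufw__nat_address is
    # undefined the managed block is removed (state: absent); the nat values
    # then default to '' and are never rendered into the rules file.
    - name: Configure NAT masquerading in before.rules
      notify: ufw reload
      vars:
        nat_state: "{{ 'present' if ufw__nat_address is defined else 'absent' }}"
        nat:
          address: "{{ ufw__nat_address | default('') }}"
          prefix: "{{ ufw__nat_prefix | default('') }}"
      blockinfile:
        path: /etc/ufw/before.rules
        insertbefore: "^# Don't delete these required lines"
        marker: "# NAT config: {mark}"
        state: "{{ nat_state }}"
        content: |
          *nat
          :POSTROUTING ACCEPT [0:0]
          -A POSTROUTING -s {{ nat.address }}/{{ nat.prefix }} -o eth0 -j MASQUERADE
          COMMIT

    # Inbound DNAT rules, one per entry of ufw__port_forwardings. Each entry
    # needs `port` and `to`; `addr` (destination filter), `proto` (default
    # tcp) and `to_port` (default: same as `port`) are optional.
    # NOTE(review): entry values are interpolated into iptables rules without
    # validation and are assumed to come from trusted inventory.
    - name: Configure port forwarding in before.rules
      notify: ufw reload
      vars:
        forwardings: "{{ ufw__port_forwardings | default([]) }}"
      blockinfile:
        path: /etc/ufw/before.rules
        insertbefore: "^# Don't delete these required lines"
        marker: "# Port forwarding: {mark}"
        state: "{{ 'present' if ufw__port_forwardings is defined else 'absent' }}"
        content: |
          *nat
          {% for pf in forwardings %}
          -A PREROUTING -i eth0 {{ ' -d ' + pf.addr if pf.addr is defined else '' }} -p {{ pf.proto | default('tcp') }} --dport {{ pf.port }} -j DNAT --to-destination {{ pf.to }}:{{ pf.to_port | default(pf.port) }}
          {% endfor %}
          COMMIT

    # Allow SSH before enabling the firewall so that enabling it cannot lock
    # out the connection that is applying this play.
    - name: Allow incoming OpenSSH
      ufw:
        name: OpenSSH
        rule: allow

    - name: Enable ufw
      ufw:
        state: enabled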