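---
# UFW host firewall for the WireGuard mesh.
#
# Order matters for a firewall playbook: every allow rule is added first, the
# default policies come next, and `state: enabled` is the very last task, so UFW
# is never switched on with a half-populated ruleset.
#
# Every Jinja expression is quoted. A plain value that starts with `{{` is read
# by the YAML parser as a flow mapping before Ansible ever renders the template,
# and `src: {{ x }}/16` (text after the closing brace) is a YAML syntax error.
# Numeric ports are quoted as well: the ufw module takes `port` as a string.

- name: Install UFW
  ansible.builtin.apt:
    name:
      - ufw
    # `latest` upgrades ufw on every run; switch to `present` if runs must be
    # side-effect free on already-provisioned hosts.
    state: latest
    install_recommends: false

# --- Allow rules --------------------------------------------------------------

# Tunnel ingress. `0.0.0.0/0` matches IPv4 only; `any` would also create the
# IPv6 rule if the host has IPv6 enabled in ufw.
- name: "UFW allow {{ wireguard_port }} UDP for Wireguard"
  community.general.ufw:
    rule: allow
    src: 0.0.0.0/0
    dest: any
    proto: udp
    port: "{{ wireguard_port }}"

# SSH is reachable only from inside the mesh. If the tunnel is down the host
# has no remote shell from the public network, so keep an out-of-band/console
# path available.
# NOTE(review): `/16` is appended here and below, so `wireguard_mesh_subnet`
# and `oracle_ipv4_cidr_block` are assumed to be bare network addresses rather
# than values that already carry a prefix length — confirm in group_vars.
- name: "UFW allow {{ ssh_port }} TCP"
  community.general.ufw:
    rule: allow
    src: "{{ wireguard_mesh_subnet }}/16"
    dest: any
    proto: tcp
    port: "{{ ssh_port }}"

# SOCKS proxy (8870): from the cloud-side block on the oracle group only, and
# from the mesh on every host.
- name: "UFW allow 8870 from {{ oracle_ipv4_cidr_block }}/16 TCP for Socks Proxy"
  community.general.ufw:
    rule: allow
    src: "{{ oracle_ipv4_cidr_block }}/16"
    dest: any
    proto: tcp
    port: "8870"
  when:
    - inventory_hostname in groups["oracle"]

- name: "UFW allow 8870 from {{ wireguard_mesh_subnet }}/16 TCP for Socks Proxy"
  community.general.ufw:
    rule: allow
    src: "{{ wireguard_mesh_subnet }}/16"
    dest: any
    proto: tcp
    port: "8870"

# NFS stays mesh-only; it is never exposed on a public interface.
- name: UFW allow NFS TCP
  community.general.ufw:
    rule: allow
    src: "{{ wireguard_mesh_subnet }}/16"
    dest: any
    proto: tcp
    port: "2049"

# --- Public ingress, oracle4 only ----------------------------------------------
# 80/tcp, 443/tcp and 443/udp are the only ports open to `any`; they are gated
# on a single hostname so a new host in the inventory does not inherit them.

- name: UFW allow 80 TCP
  community.general.ufw:
    rule: allow
    src: any
    dest: any
    proto: tcp
    port: "80"
  when: inventory_hostname == 'oracle4'

- name: UFW allow 443 TCP
  community.general.ufw:
    rule: allow
    src: any
    dest: any
    proto: tcp
    port: "443"
  when: inventory_hostname == 'oracle4'

- name: UFW allow 443 UDP
  community.general.ufw:
    rule: allow
    src: any
    dest: any
    proto: udp
    port: "443"
  when: inventory_hostname == 'oracle4'

# --- Default policies ----------------------------------------------------------
# Deny routed and incoming, allow outgoing. With `routed` denied, a host that is
# expected to forward mesh traffic needs explicit `route` rules (none are
# defined here).

- name: UFW default deny routed
  community.general.ufw:
    default: deny
    direction: routed

- name: UFW default deny incoming
  community.general.ufw:
    default: deny
    direction: incoming

- name: UFW default allow outgoing
  community.general.ufw:
    default: allow
    direction: outgoing

# --- Enable -------------------------------------------------------------------
# Last on purpose: see the ordering note at the top of the file.

- name: UFW enable
  community.general.ufw:
    state: enabled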