- name: Install packages
  community.general.pacman:
    name:
      - ufw

- name: Deny all ports by default
  community.general.ufw:
    policy: deny

- name: Allow Matrix federation port
  community.general.ufw:
    rule: allow
    port: 8448
    proto: tcp
    state: enabled
  when: enable_synapse

- name: Allow http/https ports
  community.general.ufw:
    rule: allow
    port: "{{ item }}"
    proto: tcp
    state: enabled
  when: enable_webserver
  with_items:
    - http
    - https

- name: Allow ssh port
  community.general.ufw:
    rule: allow
    port: "{{ sshd_port }}"
    proto: tcp
    state: enabled

- name: Allow DNS port to LAN
  community.general.ufw:
    rule: allow
    port: domain
    proto: any
    state: enabled
    src: "{{ local_subnet }}"
  when: enable_nameserver

- name: Enable firewall service
  service:
    name: ufw
    state: started
    enabled: yes