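---
# Firewall and systemd-networkd bring-up for a multi-zone host.
#
# Security notes:
#   * Only the `core` and `mgmt` zones open ssh; `dmz` is created with no
#     services, so anything placed in it gets only firewalld's zone defaults.
#   * Nothing in this file binds interfaces or source ranges to the zones
#     (firewalld `interface:` / `source:`), so until that is done elsewhere
#     traffic falls into firewalld's default zone — confirm the binding lives
#     in another task file before relying on these zones.
#   * firewalld does not see a new permanent zone until it is reloaded, so one
#     reload is kept right after zone creation (only when a zone was actually
#     created).  Service rules use `immediate: true`, so no second blanket
#     `firewall-cmd --reload` is needed.

##### Firewall pre-requisites #####

- name: Enable and start systemd-networkd
  ansible.builtin.systemd_service:
    name: systemd-networkd
    enabled: true
    state: started

- name: Enable and start firewalld
  ansible.builtin.systemd_service:
    name: firewalld
    enabled: true
    state: started

# Read-only inspection: never reported as "changed", and still run in check
# mode so the debug task below has data.  The two results are registered
# under distinct names (the original registered both as `firewalld_zones`,
# so the first result was silently overwritten).
- name: Collect firewalld zones
  ansible.builtin.command: firewall-cmd --get-zones
  register: firewalld_zones
  changed_when: false
  check_mode: false

- name: Collect firewalld active zones
  ansible.builtin.command: firewall-cmd --get-active-zones
  register: firewalld_active_zones
  changed_when: false
  check_mode: false

- name: Show existing and active zones
  ansible.builtin.debug:
    msg:
      zones: "{{ firewalld_zones.stdout }}"
      active_zones: "{{ firewalld_active_zones.stdout }}"

- name: Create firewalld core, mgmt and dmz zones
  ansible.posix.firewalld:
    zone: "{{ item }}"
    state: present
    permanent: true
  loop:
    - core
    - mgmt
    - dmz
  register: firewalld_zone_create

# A permanent zone only becomes usable for runtime rules after a reload.
# Reloading also drops any runtime-only rules, so do it only when needed.
- name: Reload firewalld so newly created zones are usable
  ansible.builtin.command: firewall-cmd --reload
  when: firewalld_zone_create is changed

# `permanent` + `immediate` writes the rule to disk and applies it at once,
# replacing the unconditional reload that followed these rules before.
- name: Enable ssh in the core and mgmt zones
  ansible.posix.firewalld:
    zone: "{{ item }}"
    service: ssh
    state: enabled
    permanent: true
    immediate: true
  loop:
    - core
    - mgmt

#### Network config ####

- name: Ensure systemd-networkd directories exist
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    owner: root
    group: root
    mode: '0755'
  loop:
    - /etc/systemd/network
    - /etc/systemd/networkd.conf.d

# File name is <prefix>-<ifname>-<name>.network so networkd applies the
# files in prefix order; `default_interface` is expected from inventory/vars.
- name: Generate default interface .network file
  ansible.builtin.template:
    src: default-interface.network.j2
    dest: "/etc/systemd/network/{{ default_interface.prefix }}-{{ default_interface.ifname }}-{{ default_interface.name }}.network"
    owner: root
    group: root
    mode: '0644'
  notify: Restart systemd-networkd

- name: Generate auxiliary interfaces .network files
  ansible.builtin.template:
    src: auxiliary-interface.network.j2
    dest: "/etc/systemd/network/{{ item.prefix }}-{{ item.ifname }}-{{ item.name }}.network"
    owner: root
    group: root
    mode: '0644'
  loop: "{{ network_interfaces }}"
  loop_control:
    label: "{{ item.ifname }}"
  notify: Restart systemd-networkd

# Former static deployment, superseded by the templates above.
# - name: Deploy .network files
#   ansible.builtin.copy:
#     src: "files/network/{{ item }}"
#     dest: "/etc/systemd/network/{{ item }}"
#     owner: root
#     group: root
#     mode: '0644'
#   loop:
#     - 10-ens18-core.network
#     - 20-ens19-mgmt.network
#     - 30-ens20-dmz.network
#   notify: Restart systemd-networkd

- name: Deploy systemd-networkd global .conf files
  ansible.builtin.copy:
    src: "files/networkd.conf.d/{{ item }}"
    dest: "/etc/systemd/networkd.conf.d/{{ item }}"
    owner: root
    group: root
    mode: '0644'
  loop:
    - 10-routes.conf
  notify: Restart systemd-networkd

# Run the pending "Restart systemd-networkd" handler now instead of at the
# end of the play.  Otherwise NetworkManager is stopped below while networkd
# has not yet loaded the new .network files, and the host (and this very
# SSH session) may lose connectivity in between.
- name: Apply networkd configuration before retiring NetworkManager
  ansible.builtin.meta: flush_handlers

# Masked as well as disabled so a package upgrade cannot re-enable it and
# fight networkd for the interfaces.
- name: Ensure NetworkManager units are stopped, disabled and masked
  ansible.builtin.systemd_service:
    name: "{{ item }}"
    masked: true
    enabled: false
    state: stopped
  loop:
    - NetworkManager
    - NetworkManager-wait-online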