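---
# Firewalld zones and NetworkManager connections for a three-NIC host
# (ens18 -> core, ens19 -> mgmt, ens20 -> dmz).
#
# Ordering matters: zones are created in the permanent config, firewalld is
# reloaded so those zones exist at runtime, the ssh rule is applied to the
# core zone, and only then are interfaces moved into the new zones. Moving an
# interface into a runtime zone that does not yet allow ssh would cut off the
# very session this playbook runs over.

- name: Enable and start firewalld
  ansible.builtin.systemd:
    name: firewalld
    enabled: true
    state: started

- name: Enable and start NetworkManager
  ansible.builtin.systemd:
    name: NetworkManager
    enabled: true
    state: started

- name: Check existing zones
  ansible.builtin.command: firewall-cmd --get-zones
  register: firewalld_zones
  # read-only query; never report it as a change
  changed_when: false

- name: Debug output
  ansible.builtin.debug:
    var: firewalld_zones.stdout

# - name: Create zone "core"
#   ansible.builtin.command: firewall-cmd --permanent --new-zone="{{ item }}"
#   loop: ["core", "mgmt"]
#   # loop: "{{ firewalld_zones.stdout | split }}"
#   when: item in firewalld_zones.stdout.split()
#   # (item != "core" and
#   #  item != "dmz")

- name: Create firewalld core zone
  ansible.posix.firewalld:
    zone: core
    state: present
    permanent: true

- name: Create firewalld mgmt zone
  ansible.posix.firewalld:
    zone: mgmt
    state: present
    permanent: true

- name: Create firewalld dmz zone
  ansible.posix.firewalld:
    zone: dmz
    state: present
    permanent: true

- name: Reload firewalld to apply changes
  # Newly created permanent zones are only usable (at runtime and as targets
  # for per-zone rules) after a reload, so this must run before the ssh rule
  # below and before any interface is assigned to core/mgmt/dmz.
  ansible.builtin.command: firewall-cmd --reload

- name: Enable ssh rule in core for initial ansible config
  ansible.posix.firewalld:
    zone: core
    service: ssh
    state: enabled
    permanent: true
    # Also apply to the running configuration. With permanent only, the rule
    # would sit in the saved config while ens18 is moved into a runtime core
    # zone that does not allow ssh yet, locking the play out until the next
    # reload.
    immediate: true

# - name: Ensure all other zones are disabled
#   ansible.posix.firewalld:
#     zone: "{{ item }}"
#     state: disabled
#     permanent: true
#   when: item not in zones
#   loop: "{{ firewalld_zones.stdout | split }}"

# assumes provision_*_ip4 carries the prefix length (a.b.c.d/nn) as nmcli
# ip4 expects — TODO confirm against the inventory
- name: Set up CORE interface manually
  community.general.nmcli:
    conn_name: CORE
    zone: core
    type: ethernet
    ip4: "{{ provision_core_ip4 }}"
    gw4: "{{ core_gw4 }}"
    dns4: "{{ core_gw4 }}"
    method4: manual
    ifname: ens18
    dns4_search: lan.xbazzi.com
    state: present
  # delegate_to: "{{ provision_core_ip4_no_subnet }}"

- name: Set up mgmt interface manually
  community.general.nmcli:
    conn_name: MGMT
    zone: mgmt
    type: ethernet
    ip4: "{{ provision_mgmt_ip4 }}"
    # default route via the mgmt gateway, kept out of the main table by the
    # policy rule below and a higher metric than CORE
    routes4: "0.0.0.0/0 {{ mgmt_gw4 }}"
    routing_rules4:
      - "priority 2 from {{ mgmt_net }} table 200"
    route_metric4: 102
    dns4: "{{ mgmt_gw4 }}"
    method4: manual
    ifname: ens19
    dns4_search: lan.xbazzi.com
    state: present
  # delegate_to: "{{ provision_core_ip4_no_subnet }}"

- name: Set up dmz interface manually
  community.general.nmcli:
    conn_name: DMZ
    zone: dmz
    type: ethernet
    ip4: "{{ provision_dmz_ip4 }}"
    routes4: "0.0.0.0/0 {{ dmz_gw4 }}"
    routing_rules4:
      - "priority 3 from {{ dmz_net }} table 300"
    route_metric4: 103
    dns4: "{{ dmz_gw4 }}"
    method4: manual
    ifname: ens20
    dns4_search: lan.xbazzi.com
    state: present
  # delegate_to: "{{ provision_core_ip4_no_subnet }}"

# NOTE(review): the per-interface default profiles are removed after the new
# CORE/MGMT/DMZ profiles exist; whether NetworkManager re-activates ens18 with
# CORE without dropping the current ssh session is not verified here — confirm
# on a console before running unattended.
- name: Remove ens18 default connection
  community.general.nmcli:
    conn_name: ens18
    state: absent
  # delegate_to: "{{ provision_core_ip4_no_subnet }}"

- name: Remove ens19 default connection
  community.general.nmcli:
    conn_name: ens19
    state: absent
  # delegate_to: "{{ provision_core_ip4_no_subnet }}"

- name: Remove ens20 default connection
  community.general.nmcli:
    conn_name: ens20
    state: absent
  # delegate_to: "{{ provision_core_ip4_no_subnet }}"

- name: Remove "Wired connection 1"
  community.general.nmcli:
    conn_name: "Wired connection 1"
    state: absent
  # delegate_to: "{{ provision_core_ip4_no_subnet }}"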