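---
# Firewall enablement for the installed target, split into two phases:
#   * firewall_phase == 'install'    -> runs inside the install chroot
#   * firewall_phase == 'postreboot' -> runs on the booted target
# Each task carries its own `when` list so the file can be included in either
# phase unchanged and the tasks for the other phase are simply skipped.

- name: Enable the firewall daemon in the install chroot
  when:
    - firewall_phase == 'install'
    - _configuration_platform.init_system == 'systemd'
    - system_cfg.features.firewall.enabled | bool
  # `command` (not `shell`) splits this string on whitespace and executes it
  # without a shell, so metacharacters in the variables are not interpreted;
  # a backend value containing spaces would still arrive as extra arguments
  # to systemctl, so the backend is expected to be a single unit name.
  ansible.builtin.command: "{{ chroot_command }} systemctl enable {{ system_cfg.features.firewall.backend }}"
  register: _firewall_enable
  # NOTE(review): `systemctl enable` exits 0 when the unit is already enabled,
  # so this likely reports "changed" on every run — confirm on a second pass.
  changed_when: _firewall_enable.rc == 0
  # Best effort: a backend whose systemd unit is not installed in the chroot is
  # tolerated rather than failing the play. That also means `firewall.enabled`
  # does NOT guarantee the unit was enabled; the task below makes the miss visible.
  failed_when: >-
    _firewall_enable.rc != 0
    and 'No such file or directory' not in (_firewall_enable.stderr | default(''))
    and 'does not exist' not in (_firewall_enable.stderr | default(''))

- name: Warn when the firewall backend could not be enabled in the chroot
  when:
    - firewall_phase == 'install'
    - _configuration_platform.init_system == 'systemd'
    - system_cfg.features.firewall.enabled | bool
    - _firewall_enable is defined
    - _firewall_enable is not skipped
    # Only the "unit missing" case survives the failed_when above, so a
    # non-zero rc here means the unit does not exist in the chroot.
    - (_firewall_enable.rc | default(0)) != 0
  ansible.builtin.debug:
    msg: >-
      Firewall backend '{{ system_cfg.features.firewall.backend }}' was not enabled in
      the install chroot ({{ _firewall_enable.stderr | default('') | trim }}).
      Unless a postreboot task activates it, the target will boot without this firewall.

# ufw's CLI needs a running kernel and is a no-op in the chroot (leaves ENABLED=no),
# so its activation and SSH rule are applied here, after reboot.

# The SSH allow rule is deliberately ordered before `ufw enable`: ufw's default
# incoming policy is deny, so enabling first would cut the controlling session.
- name: Allow SSH through ufw before enabling
  when:
    - firewall_phase == 'postreboot'
    - system_cfg.features.firewall.backend == 'ufw'
    - system_cfg.features.firewall.enabled | bool
    - system_cfg.features.ssh.enabled | bool
  # NOTE(review): the port is hard-coded to 22/tcp; if sshd listens on another
  # port this rule will not cover it — confirm against the ssh feature config.
  ansible.builtin.command:
    argv:
      - ufw
      - allow
      - 22/tcp
  register: _ufw_allow
  # ufw prints "Rule added"/"Rule updated" on a change and
  # "Skipping adding existing rule" when the rule is already present.
  changed_when: "'added' in _ufw_allow.stdout or 'updated' in _ufw_allow.stdout"

- name: Activate ufw on the booted target
  when:
    - firewall_phase == 'postreboot'
    - system_cfg.features.firewall.backend == 'ufw'
    - system_cfg.features.firewall.enabled | bool
  # `--force` suppresses the interactive "may disrupt existing ssh connections"
  # prompt, which would otherwise hang a non-interactive run.
  ansible.builtin.command:
    argv:
      - ufw
      - --force
      - enable
  register: _ufw_enable
  # NOTE(review): `ufw --force enable` prints "Firewall is active and enabled
  # on system startup" even when it already was, so this likely reports
  # "changed" on every run — confirm, and gate on `ufw status` if idempotent
  # reporting matters.
  changed_when: "'active' in _ufw_enable.stdout"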