---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.


# "tripleo_firewall" will search for and load any operating system variable file
- name: Gather variables for each operating system
  include_vars: "{{ item }}"
  with_first_found:
    - "{{ ansible_facts['distribution'] | lower }}-{{ ansible_facts['distribution_version'] | lower }}.yml"
    - "{{ ansible_facts['distribution'] | lower }}-{{ ansible_facts['distribution_major_version'] | lower }}.yml"
    - "{{ ansible_facts['os_family'] | lower }}-{{ ansible_facts['distribution_major_version'] | lower }}.yml"
    - "{{ ansible_facts['distribution'] | lower }}.yml"
    - "{{ ansible_facts['os_family'] | lower }}-{{ ansible_facts['distribution_version'].split('.')[0] }}.yml"
    - "{{ ansible_facts['os_family'] | lower }}.yml"
  tags:
    - always

- name: Set rule fact
  set_fact:
    firewall_rules_sorted: "{{
      tripleo_firewall_default_rules |
      combine(tripleo_firewall_rules) |
      dict2items(key_name='rule_name', value_name='rule') |
      sort(attribute='rule_name') |
      reverse |
      list
    }}"

- name: Firewall add block
  become: true
  block:
    - name: Ensure firewall is installed
      package:
        name: "{{ tripleo_firewall_packages }}"
        state: present

    - name: Ensure firewall is enabled
      systemd:
        name: iptables
        state: started
        enabled: true

    - name: Manage firewall rules
      tripleo_iptables:
        tripleo_rules: "{{ firewall_rules_sorted }}"
      register: _iptables_result

- name: Firewall save block
  when:
    - _iptables_result.changed
  become: true
  block:
    - name: Save firewall rules ipv4
      command: /usr/libexec/iptables/iptables.init save

    - name: Save firewall rules ipv6
      command: /usr/libexec/iptables/ip6tables.init save

    - name: Enable iptables service (and do a daemon-reload systemd)
      systemd:
        daemon_reload: true
        enabled: true
        name: "{{ item }}"
        state: started
      loop:
        - iptables.service
        - ip6tables.service

    - name: Enable tripleo-iptables service (and do a daemon-reload systemd)
      systemd:
        daemon_reload: true
        enabled: true
        name: "{{ item }}"
        state: started
      loop:
        - tripleo-iptables.service
        - tripleo-ip6tables.service
      failed_when: false

    - name: Stop and disable firewalld
      systemd:
        enabled: false
        name: "firewalld.service"
        state: stopped
      failed_when: false

    - name: Find non-persistent rules
      command: egrep -l 'comment.*(neutron-|ironic-inspector)' /etc/sysconfig/iptables* /etc/sysconfig/ip6tables*
      failed_when: false
      changed_when: false
      register: neutron_rules

    - name: Remove non-persistent line(s)
      lineinfile:
        path: "{{ item }}"
        state: absent
        regexp: '^((?!.*comment)(?=.*(ironic-inspector|neutron-)))'
      when:
        - not ansible_check_mode|bool
        - item.find('v=' ~ '^/') == -1
      loop: "{{ neutron_rules.stdout_lines }}"