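---
# Render the host's nftables ruleset from a per-group template and load it.
# Scope is deliberately restricted to a single host or cluster (see the first
# assert) so a firewall change is never pushed fleet-wide by accident.
- name: setup nftables
  gather_facts: false
  hosts: "{{ target }}"
  become: "{{ become }}"
  tasks:
    - name: assert per-host/cluster target
      ansible.builtin.assert:
        that:
          - target != 'servers'
          - target != 'all'
        fail_msg: "target must name a single host or cluster, not '{{ target }}'"

    # `[[ -x `which nft` ]]` evaluated to true when `which` printed nothing
    # (a one-argument [[ ]] test only checks the string is non-empty), so a
    # missing nft binary went undetected. `command -v` exits non-zero instead.
    - name: check nftables is installed
      ansible.builtin.shell:
        executable: /bin/bash
        cmd: command -v nft
      changed_when: false
      check_mode: false

    - name: show group membership
      ansible.builtin.debug:
        var: group_names

    # Both template tasks below write the same destination; a host in both
    # groups would silently end up with whichever ran last.
    - name: assert exactly one nftables role applies
      ansible.builtin.assert:
        that:
          - not ('netbird_agent' in group_names and 'openvpn' in group_names)
        fail_msg: "host is in both netbird_agent and openvpn; only one ruleset can own /etc/nftables.conf"

    # todo - fileglob of some sort to catch config file based on group_name when it exists
    # `validate` runs a syntax-only check (nft -c) on the rendered file before it
    # replaces /etc/nftables.conf, so a template error cannot leave a ruleset on
    # disk that fails to load at boot.
    - name: nftables config for netbird vpn gateways
      ansible.builtin.template:
        src: templates/nftables.netbird_agent.conf.j2
        dest: /etc/nftables.conf
        mode: "0600"
        validate: nft -c -f %s
      notify: load nftables
      diff: true
      when: "'netbird_agent' in group_names"

    - name: nftables config for openvpn servers
      ansible.builtin.template:
        src: templates/nftables.openvpn.conf.j2
        dest: /etc/nftables.conf
        mode: "0600"
        validate: nft -c -f %s
      notify: load nftables
      diff: true
      when: "'openvpn' in group_names"

  handlers:
    # avoid a restart which flushes the rules
    # Falls back to loading the file directly where systemd is absent; the
    # template is expected to flush/replace its own tables so a direct `nft -f`
    # does not append duplicate rules — confirm against the templates.
    - name: load nftables
      ansible.builtin.shell:
        executable: /bin/bash
        cmd: "[[ -x /lib/systemd/systemd ]] && systemctl reload nftables || nft -f /etc/nftables.conf"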