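---
# Install nftables, keep nftables.service enabled and running, and deploy the
# node-specific ruleset to /etc/nftables.conf.

- name: Check nftables installation
  ansible.builtin.shell: |
    command -v nft
  # nft lives in /usr/sbin, which is normally only on root's PATH, so the
  # lookup has to run as root to find it.
  become: true
  # Read-only probe, so run it under --check as well: a skipped shell task
  # registers no `rc`, and the `when:` on the install task would then error.
  check_mode: false
  changed_when: false
  # A non-zero rc only means "nft not found"; it is not a task failure.
  failed_when: false
  register: "is_nftables_installed"
  # Redundant with failed_when above; kept from the original as a second guard.
  ignore_errors: true

- name: Install nftables
  ansible.builtin.apt:
    name: "nftables"
    state: "present"
  become: true
  when: is_nftables_installed.rc != 0

# NOTE(review): the service is started before the node ruleset is deployed.
# On a first run it loads whatever /etc/nftables.conf is already on the host;
# the node ruleset presumably takes effect only when the notified handler
# runs. Handlers are not visible here, so confirm this window is acceptable.
- name: Enable nftables.service
  ansible.builtin.systemd:
    name: "nftables.service"
    state: "started"
    enabled: true
  become: true

- name: Deploy nftables.conf
  ansible.builtin.template:
    src: "{{ hostvars['console']['node']['config_path'] }}/node/{{ node['name'] }}/nftables.conf.j2"
    dest: "/etc/nftables.conf"
    owner: "root"
    group: "root"
    # Root-only: unprivileged local users cannot read the ruleset.
    mode: "0700"
    # `nft -c` parses the rendered file without applying it, so a ruleset that
    # fails to load never replaces the live config. This proves the file
    # parses, not that it still allows management access (e.g. SSH).
    validate: "/usr/sbin/nft -c -f %s"
  become: true
  # Handlers are defined outside this file; they fire only when the rendered
  # file actually changed.
  notify:
    - "notification_update_nftables"
    - "notification_restart_crowdsec_bouncer"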