---
- name: Enable
  ufw:
    state: enabled
  register: enable

# ## CREATE RULES ############################
- name: ipv4
  ufw:
    rule: deny
    port: 22
    to_ip: 0.0.0.0
- name: ipv4
  ufw:
    rule: deny
    port: 23
    to_ip: 0.0.0.0

- name: ipv6
  ufw:
    rule: deny
    port: 122
    to_ip: "::"
- name: ipv6
  ufw:
    rule: deny
    port: 123
    to_ip: "::"

- name: first-ipv4
  ufw:
    rule: deny
    port: 10
    to_ip: 0.0.0.0
    insert: 0
    insert_relative_to: first-ipv4
- name: last-ipv4
  ufw:
    rule: deny
    port: 11
    to_ip: 0.0.0.0
    insert: 0
    insert_relative_to: last-ipv4

- name: first-ipv6
  ufw:
    rule: deny
    port: 110
    to_ip: "::"
    insert: 0
    insert_relative_to: first-ipv6
- name: last-ipv6
  ufw:
    rule: deny
    port: 111
    to_ip: "::"
    insert: 0
    insert_relative_to: last-ipv6

# ## CHECK RESULT ############################
- name: Get rules
  shell: |
    ufw status | grep DENY | cut -f 1-2 -d ' ' | grep -E "^(0\.0\.0\.0|::) [123]+"
  # Note that there was also a rule "ff02::fb mDNS" on at least one CI run;
  # to ignore these, the extra filtering (grepping for DENY and the regex) makes
  # sure to remove all rules not added here.
  register: ufw_status
- assert:
    that:
    - ufw_status.stdout_lines == expected_stdout
  vars:
    expected_stdout:
    - "0.0.0.0 10"
    - "0.0.0.0 22"
    - "0.0.0.0 11"
    - "0.0.0.0 23"
    - ":: 110"
    - ":: 122"
    - ":: 111"
    - ":: 123"