---
- name: set required podman firewall rules
  become: true
  ansible.posix.firewalld:
    port: "{{ item }}"
    permanent: true
    immediate: true
    state: enabled
  loop:
    - "{{ syslog_udp_default }}/udp"
    - "{{ syslog_udp_error }}/udp"
    - "{{ syslog_udp_unifi }}/udp"
    # web server (Caddy)
    - 80/tcp
    - 443/tcp
    # Gitea Skudak SSH
    - 2222/tcp
    # pihole (unused?)
    - 53/tcp
    - 53/udp
    # nosql/redis
    - 6379/tcp
    # ???
    - 6875/tcp
    # Satisfactory
    - 7777/tcp
    - 7777/udp
    - 15000/udp
    - 15000/tcp
    - 15777/udp
    - 15777/tcp
    # Factorio
    - 27015/tcp
    - 34197/udp
    # Zomboid
    - 16261/udp
    - 16262/udp
    # crafty
    - 8443/tcp
    # minecraft
    - 25565/tcp
    - 25565/udp
  notify: restart firewalld
  tags: firewall

- name: unset non-required podman firewall rules
  become: true
  ansible.posix.firewalld:
    port: "{{ item }}"
    permanent: true
    immediate: true
    state: disabled
  loop:
    - 1153/tcp
    - 1153/udp
    - 2000/udp
    - 2456/udp
    - 2457/udp
    - 9093/tcp
    - 9092/tcp
    - 9091/tcp
    - 9091/udp
    - 9092/udp
    # cam2ip
    - 56000/tcp
    - 56000/udp
    # Palworld
    - 8211/udp
    - 25575/udp
    # bunkerweb waf test ports
    - 1080/tcp
    - 1443/tcp
    - 7000/tcp
    # gelf-proxy (removed - now using GELF HTTP via Caddy)
    - 12201/udp
  notify: restart firewalld
  tags: firewall