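---
# Stage a firewall rules file in a temporary location, let the tool's own
# parser validate it, and only then install it to its final destination.
# Expects `item` from the including play's loop, with `src`, `dest` and `tool`
# keys (inferred from the references below — confirm against the caller).
#
# The template/validate/install steps run inside a block with an `always`
# section so the temporary copy is removed even when templating or validation
# fails; previously a failed validation left a root-owned copy of the rules
# behind in the temp directory.

# No `become` here: the temp file is created as the connection user in that
# user's default temp directory; the tasks below then take it over as root.
- name: Create temporary file
  ansible.builtin.tempfile:
    state: file
  register: rules_file

- name: Stage, validate and install the rules file
  block:
    - name: Configure rules in temporary file
      become: true
      ansible.builtin.template:
        src: '{{ item.src }}'
        dest: '{{ rules_file.path }}'
        owner: root
        group: root
        mode: '0640'

    - name: Print temporary file path
      ansible.builtin.debug:
        msg: 'Temporary rules file: {{ rules_file.path }}'

    # If I simply restart the netfilter-persistent service, it happily restarts,
    # effectively ignoring errors in files. That way the operator doesn't get
    # feedback if the rules file is malformed.
    - name: Check that rules are valid
      become: true
      ansible.builtin.command:
        argv:
          - '/usr/sbin/{{ item.tool }}-restore'
          - --test
          - '{{ rules_file.path }}'
      changed_when: false  # a validation run never modifies the host

    - name: Copy rules to /etc/iptables
      become: true
      ansible.builtin.copy:
        remote_src: true
        src: '{{ rules_file.path }}'
        dest: '{{ item.dest }}'
        owner: root
        group: root
        mode: '0640'
      notify: firewall_reboot

  always:
    # Runs whether the block succeeded or failed, so no staged rules file is
    # left behind on the host.
    - name: Remove temporary file
      become: true
      ansible.builtin.file:
        path: '{{ rules_file.path }}'
        state: absent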