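---
# Installs ferm from a source tarball when it is not already present, after
# checking that no other ferm version and no conflicting firewall manager is
# in place, then writes the base configuration and enables the service.
#
# Variables read by these tasks: ferm_version, ferm_url, ferm_checksum,
# ferm_skip_conflicts_in_check_mode.

- name: Check if ferm is installed.
  shell:
    cmd: type ferm
  check_mode: false
  # A non-zero code from "type" is treated as "not installed" rather than as
  # an error; any code outside this list fails the task.
  failed_when: ferm_installed.rc not in [0, 1, 127]
  changed_when: false
  register: ferm_installed

- name: Check version of ferm.
  command:
    cmd: ferm --version
  check_mode: false
  changed_when: false
  register: ferm_current_version
  when: ferm_installed.rc == 0

- name: Ensure differing version of ferm is not installed.
  assert:
    that:
      # The explicit "!= 0" keeps the condition boolean, and the version
      # string is built with "~" instead of nesting a template in the test.
      - >-
        ferm_installed.rc != 0
        or ferm_current_version.stdout_lines[0] == ('ferm ' ~ ferm_version)
    fail_msg: "A different version of ferm is currently installed. Remove it before continuing."

- name: Gather service facts.
  service_facts:

# Unfortunately, as of Ansible v2.9.3, service_facts incorrectly reports the
# state of active "oneshot" services as stopped: such services are listed by
# systemd as "active exited" while they are active, rather than "active
# running," as for services that contain running processes. Thus, this task will
# not capture the case where ufw is active but disabled.
- name: Ensure conflicting firewall managers are not running.
  assert:
    that:
      # The membership test must use the same key as the lookup that follows
      # it ('ufw.service', not 'ufw'). Testing for the bare name is true
      # whenever the facts are keyed by unit name, which lets the assertion
      # pass even though a conflicting firewall manager is enabled.
      - >-
        'ufw.service' not in ansible_facts.services
        or ansible_facts.services['ufw.service'].status == 'disabled'
      - >-
        'firewalld.service' not in ansible_facts.services
        or (ansible_facts.services['firewalld.service'].status == 'disabled'
        and ansible_facts.services['firewalld.service'].state != 'running')
    fail_msg: "A conflicting firewall manager appears to be enabled. Remove it before continuing."
  when: not ferm_skip_conflicts_in_check_mode or not ansible_check_mode

- name: Install ferm.
  block:
    - name: Install dependencies.
      package:
        name:
          - make
          - perl
        state: present

    # The tarball is later built and installed by "make install" in this same
    # block, so its integrity rests on this checksum. get_url expects the
    # form "<algorithm>:<digest>"; an empty ferm_checksum disables
    # verification, so keep it pinned to a strong digest.
    - name: Download ferm.
      get_url:
        url: "{{ ferm_url }}"
        dest: "/usr/local/src/{{ ferm_url | basename }}"
        owner: root
        # Quoted so the mode is never re-typed by the YAML parser.
        mode: "0644"
        checksum: "{{ ferm_checksum }}"

    - name: Create temporary directory.
      tempfile:
        state: directory
      register: tmpdir

    # tmpdir.path may be missing (for example when tempfile did not run in
    # check mode), so the tasks that depend on it are guarded.
    - name: Extract ferm.
      unarchive:
        dest: "{{ tmpdir.path }}"
        src: "/usr/local/src/{{ ferm_url | basename }}"
        remote_src: true
      when: tmpdir.path is defined

    - name: Install ferm.
      command:
        cmd: make PREFIX=/usr/local install
        chdir: "{{ tmpdir.path }}/ferm-{{ ferm_version }}"
      when: tmpdir.path is defined

    # The unit file refers to /usr/sbin/, but the build above installs under
    # PREFIX=/usr/local.
    - name: Correct paths in unit file.
      command:
        cmd: "sed -i 's|/usr/sbin/|/usr/local/sbin/|' /usr/local/lib/systemd/system/ferm.service"

    - name: Remove temporary directory.
      file:
        path: "{{ tmpdir.path }}"
        state: absent
      when: tmpdir.path is defined
  # Only build from source when the "type ferm" probe did not find ferm.
  when: ferm_installed.rc != 0

- name: Install base ferm configuration.
  copy:
    dest: /etc/ferm.conf
    content: "@include ferm.d/;\n"
    owner: root
    mode: "0644"
  notify: restart_ferm

- name: Create ferm.d.
  file:
    path: /etc/ferm.d
    state: directory
    owner: root
    mode: "0755"

- name: Enable and start ferm service.
  service:
    name: ferm
    enabled: true
    state: started
    daemon_reload: true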