---
# ---------------------------------------------------------------------------
# UFW firewall — defense-in-depth behind OPNsense perimeter
# Allows SSH and the OpenClaw gateway port; blocks everything else inbound
# ---------------------------------------------------------------------------
- name: Install UFW
  ansible.builtin.apt:
    update_cache: true
    state: present
    name: ufw

# Default policies first: inbound and forwarded traffic denied, outbound
# allowed. Each loop item becomes one default-policy call to the module.
- name: Set UFW default policies
  community.general.ufw:
    direction: "{{ item.direction }}"
    policy: "{{ item.policy }}"
  loop:
    - direction: incoming
      policy: deny
    - direction: outgoing
      policy: allow
    - direction: routed
      policy: deny

# Allow rules are declared before the firewall is enabled below, so the SSH
# rule is already present when UFW starts enforcing (no lock-out window).
# Port values are passed through `| string` so the module receives a string
# even when the inventory variable is defined as an integer.
# NOTE(review): neither allow rule carries a `from_ip` source restriction; the
# header states the OPNsense perimeter is relied on for that — confirm this is
# intended for the gateway port as well as for SSH.
- name: Allow SSH
  community.general.ufw:
    proto: tcp
    port: "{{ openclaw_ssh_port | string }}"
    rule: allow

- name: Allow OpenClaw gateway port
  community.general.ufw:
    proto: tcp
    port: "{{ openclaw_gateway_port | string }}"
    rule: allow

# Enable last: the default policies and allow rules above are in place.
- name: Enable UFW
  community.general.ufw:
    state: enabled

# ---------------------------------------------------------------------------
# Rootless Podman — used exclusively for agent sandbox isolation
# Runs as the openclaw user; no root daemon, no exposed sockets
# podman-docker provides a docker-compatible CLI shim for OpenClaw tooling
# ---------------------------------------------------------------------------
# NOTE(review): uidmap is presumably pulled in for the subordinate-uid helpers
# that rootless Podman relies on — confirm against the role's requirements.
- name: Install Podman and dependencies
  ansible.builtin.apt:
    update_cache: true
    state: present
    name:
      - podman
      - podman-docker
      - uidmap