- name: Install Debian packages
  become: yes
  ansible.builtin.apt:
    name:
     - docker-ce
     - docker-compose-plugin
     - firewalld
    state: latest

- name: Upgrade Debian packages
  become: yes
  ansible.builtin.apt:
    upgrade: dist
    update_cache: yes
    cache_valid_time: 3600
    autoremove: yes
    state: latest
  register: apt_upgrades

- name: Ensure firewalld is running
  become: yes
  service:
    name: firewalld
    state: started
    enabled: yes

- name: Allow SSH
  become: yes
  firewalld:
    service: ssh
    permanent: yes
    state: enabled
    immediate: yes

- name: Allow Web
  become: yes
  firewalld:
    service: http
    permanent: yes
    state: disabled
    immediate: yes

- name: Allow Web Secure
  become: yes
  firewalld:
    service: https
    permanent: yes
    state: enabled
    immediate: yes

- name: Allow 443 udp for http3
  become: yes
  firewalld:
    port: 443/udp
    permanent: yes
    state: enabled
    immediate: yes

- name: Allow 514 tcp for syslog
  become: yes
  firewalld:
    port: 514/tcp
    permanent: yes
    state: enabled
    immediate: yes

- name: Reboot if needed
  become: yes
  ansible.builtin.reboot:
  when: apt_upgrades.changed