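---
# Provisions the jump host: creates the pf include file, installs the pf
# ruleset, and persists IPv4/IPv6 forwarding in /etc/sysctl.conf.
# NOTE(review): the play name says "eap-adp-jump01" but the hosts pattern is
# "eae-adp-jump01"; one of the two looks like a typo. Confirm against the
# inventory, because a pattern that matches no host skips the whole play.
- name: provision eap-adp-jump01
  hosts: eae-adp-jump01

  tasks:
    # Runs before pf.conf is installed. Presumably pf.conf includes this
    # file, in which case the pfctl validation below needs it to exist
    # (TODO confirm against files/pf.conf).
    # NOTE(review): only access_time is preserved, so "touch" still updates
    # the mtime and this task reports "changed" on every run.
    - name: create /etc/pf.include.conf
      file:
        path: /etc/pf.include.conf
        state: touch
        # Quoted so the mode does not depend on YAML octal parsing.
        mode: "0600"
        access_time: preserve

    # "validate" runs pfctl with -n (parse only, do not load) against the
    # candidate file, so a ruleset that fails to parse is never installed.
    # It checks syntax only: a valid ruleset that blocks the management
    # connection is still loaded by the handler, so review rule changes.
    - name: basic firewall configuration
      copy:
        src: files/pf.conf
        dest: /etc/pf.conf
        # Explicit mode, matching the include file above, so the ruleset's
        # permissions do not depend on the umask or a pre-existing file.
        mode: "0600"
        validate: "/sbin/pfctl -vnf %s"
      notify:
        - reload firewall

    # TODO: only activates after reboot :(
    # This task only writes the settings to /etc/sysctl.conf; nothing in
    # this play applies them to the running kernel.
    - name: activate routing
      blockinfile:
        content: |
          net.inet.ip.forwarding=1
          net.inet6.ip6.forwarding=1
        path: /etc/sysctl.conf
        mode: "0600"
        create: true

  handlers:
    # Same absolute path as the validate command, so the handler does not
    # depend on PATH on the managed host.
    - name: reload firewall
      command: /sbin/pfctl -vf /etc/pf.conf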