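---
# Installs the ferm packages, switches the host to the iptables-legacy
# backend (ferm drives iptables, not nftables), deploys /etc/ferm/ferm.conf
# and makes sure the service is running.
#
# Expects `ferm_packages` to be defined by the caller and a `restart ferm`
# handler to exist in the same role/play.

- name: packages
  ansible.builtin.apt:
    force_apt_get: true  # use apt-get rather than aptitude
    install_recommends: false
    name: "{{ ferm_packages }}"
  register: apt_status
  # Keep retrying only while another process holds the apt/dpkg lock; any
  # other failure satisfies `until` immediately and the task fails.
  retries: 60
  until: >-
    apt_status is success
    or ('Failed to lock apt for exclusive operation' not in apt_status.msg
    and '/var/lib/dpkg/lock' not in apt_status.msg)

- name: remove default nftables package
  ansible.builtin.apt:
    state: absent
    purge: true
    autoremove: true
    name: nftables
  register: apt_status
  # Same lock-only retry policy as the install task above.
  retries: 60
  until: >-
    apt_status is success
    or ('Failed to lock apt for exclusive operation' not in apt_status.msg
    and '/var/lib/dpkg/lock' not in apt_status.msg)

- name: use iptables-legacy
  # `set -e` makes the task fail when the first update-alternatives call
  # fails; without it only the exit status of the last command is reported
  # and a broken iptables link would go unnoticed.
  ansible.builtin.shell: |
    set -e
    update-alternatives --set iptables /usr/sbin/iptables-legacy
    update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
  register: cmd
  # update-alternatives prints "using ... in manual mode" only when it
  # actually re-points a link; matching the common suffix reports a change
  # for ip6tables as well, not just for the iptables line.
  changed_when: "'in manual mode' in cmd.stdout"

- name: reboot the server to avoid kernel module bug (#38332)
  # NOTE(review): this reboots on every run, not only when the backend
  # switch above changed something. Confirm whether `when: cmd is changed`
  # is sufficient for the referenced bug before making it conditional.
  ansible.builtin.reboot:
  changed_when: false

- name: directories
  # ferm.conf is expected to include rule fragments from these directories.
  loop:
    - /etc/ferm/ferm.d
    - /etc/ferm/input.d
    - /etc/ferm/output.d
    - /etc/ferm/forward.d
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    mode: "755"

- name: configuration
  # Rendering a new ferm.conf triggers the `restart ferm` handler so the
  # ruleset is reloaded; the previous file is kept as a backup.
  notify: restart ferm
  ansible.builtin.template:
    src: ferm.conf.j2
    dest: /etc/ferm/ferm.conf
    backup: true
    mode: "644"

- name: service
  ansible.builtin.systemd:
    name: ferm
    enabled: true
    masked: false
    state: started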