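---
# Host preparation for OpenApply: install the base packages, then (optionally)
# put the host behind UFW with a default-deny inbound policy.

- name: Install OpenApply prerequisite packages
  ansible.builtin.apt:
    name:
      - ca-certificates
      - curl
      - git
      - gnupg
      - ufw
      # NOTE(review): build-essential puts a compiler toolchain on the host;
      # confirm it is needed at runtime and not only while building.
      - build-essential
    state: present
    update_cache: true
    # Skip the package index refresh when the cache is under an hour old.
    cache_valid_time: 3600

# The firewall tasks run only when openapply_app_enable_firewall is truthy.
# NOTE(review): this file does not show whether the SSH port Ansible connects
# on is part of openapply_app_allowed_tcp_ports. Confirm it is before enabling
# this block, otherwise the default-deny policy cuts off remote management.
- name: Configure UFW for production web access
  when: openapply_app_enable_firewall | bool
  block:
    # The allow rules are added before the inbound default is switched to
    # deny. If UFW is already active, a default policy change applies at once,
    # so ports without a rule yet would be closed until their rule is added.
    - name: Allow required TCP ports
      community.general.ufw:
        rule: allow
        port: "{{ item }}"
        proto: tcp
      loop: "{{ openapply_app_allowed_tcp_ports }}"

    - name: Set default incoming firewall policy
      community.general.ufw:
        direction: incoming
        default: deny

    # Egress stays unrestricted; only inbound traffic is filtered here.
    - name: Set default outgoing firewall policy
      community.general.ufw:
        direction: outgoing
        default: allow

    # Enabling comes last, so a first-time activation starts with the full
    # rule set and both default policies already in place.
    - name: Enable UFW
      community.general.ufw:
        state: enabled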