- name: Install security-related packages
  aur:
    name: "{{ item }}"
  become: true
  become_user: aur_builder
  loop:
    - gnome-keyring
    - firejail
    - keepassxc
    - qomui
    - seahorse
    - wireguard-tools
    - yubikey-personalization-gui

- name: Create .ssh directory
  file:
    state: directory
    path: "{{ home }}/.ssh"
    owner: "{{ user }}"
    mode: 0700

- name: Install assh config
  copy:
    src: ./files/assh.yml
    dest: "{{ home }}/.ssh/assh.yml"
    mode: 0644
    owner: "{{ user }}"

- name: Install Firewall
  aur:
    name: "{{ item }}"
  become: true
  become_user: aur_builder
  loop:
    - firewalld

- name: Enable firewalld
  systemd:
    name: firewalld
    enabled: true
    state: started

- name: Define firewall ports
  set_fact:
    requested_firewall_ports:
      - 22/tcp  # SSH
      - 80/tcp  # Web (crab)

- name: Get firewall ports
  shell: firewall-cmd --list-ports
  become: true
  register: firewall_ports

- name: Open firewall ports
  ansible.posix.firewalld:
    port: "{{ item }}"
    permanent: true
    immediate: true
    state: enabled
  loop: "{{ requested_firewall_ports }}"

- name: Close firewall ports
  ansible.posix.firewalld:
    port: "{{ item }}"
    permanent: true
    immediate: true
    state: disabled
  when: item and item not in requested_firewall_ports
  loop: "{{ firewall_ports.stdout.split(' ') }}"