---

- name: "4.1.1 | PATCH | Ensure nftables is installed"
  when:
    - rhel9cis_rule_4_1_1
    - rhel9cis_firewall == 'nftables'
  tags:
    - level1-server
    - level1-workstation
    - patch
    - nftables
    - rule_4.1.1
    - NIST800-53R5_CA-9
  ansible.builtin.package:
    name:
      - nftables
    state: present

- name: "4.1.2 | PATCH | Ensure a single firewall configuration utility is in use"
  when: rhel9cis_rule_4_1_2
  tags:
    - level1-server
    - level1-workstation
    - patch
    - firewalld
    - nftables
    - rule_4.1.2
  block:
    - name: "4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | nftables"
      when:
        - item in ansible_facts.packages
        - rhel9cis_firewall == 'nftables'
      ansible.builtin.systemd:
        name: "{{ item }}"
        masked: true
      loop:
        - firewalld

    - name: "4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | firewalld"
      when:
        - item in ansible_facts.packages
        - rhel9cis_firewall == 'firewalld'
      ansible.builtin.systemd:
        name: "{{ item }}"
        masked: true
      loop:
        - nftables

    - name: "4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | package installed"
      ansible.builtin.package:
        name: "{{ rhel9cis_firewall }}"
        state: installed

    - name: "4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | {{ rhel9cis_firewall }} started and enabled"  # noqa name[template]
      ansible.builtin.systemd:
        name: "{{ rhel9cis_firewall }}"
        enabled: true
        state: started