# == State: firewalld.ipsets
#
# This state ensures that /etc/firewalld/ipsets/ exists.
#
{% from "firewalld/map.jinja" import firewalld with context %}

# Backward compatibility setting and deprecation notices
{% set ipset_manage = false %}
{% set ipset_pkg = 'ipset' %}
{% set ipset_sets = firewalld.ipsets %}

{% if firewalld.ipset is mapping %}
  {% set ipset_manage = firewalld.ipset.manage %}
  {% set ipset_pkg = firewalld.ipset.pkg %}
{% else %}
### Manage setting (old firewalld:ipset)
firewalld-ipset-deprecated:
  test.show_notification:
    - text: |
        'firewalld:ipset' format has changed and setting it as boolean is deprecated.
        Set 'firewalld:ipset:manage' instead.
        See firewalld/pillar.example for more information

  {% set ipset_manage = firewalld.ipset %}
{% endif %}

### Package setting (old firewalld:ipsetpackage)
{% if firewalld.ipsetpackage is defined %}
firewalld-ipsetpackage-deprecated:
  test.show_notification:
    - text: |
        'firewalld:ipsetpackage' is deprecated. Use 'firewalld:ipset:pkg' instead
        See firewalld/pillar.example for more information

  {% set ipset_pkg = firewalld.ipsetpackage %}
{% endif %}

{%- if ipset_manage %}
package_ipset:
  pkg.installed:
    - name: {{ ipset_pkg }}

directory_firewalld_ipsets:
  file.directory:            # make sure this is a directory
    - name: /etc/firewalld/ipsets
    - user: root
    - group: root
    - mode: 750
    - require:
      - pkg: package_firewalld # make sure package is installed
    - require_in:
      - service: service_firewalld
    - watch_in:
      - cmd: reload_firewalld # reload firewalld config

# == Define: firewalld.ipsets
#
# This defines a ipset configuration, see firewalld.ipset (5) man page.
#
  {% for k, v in ipset_sets.items() %}
  {% set z_name = v.name|default(k) %}

/etc/firewalld/ipsets/{{ z_name }}.xml:
  file.managed:
    - name: /etc/firewalld/ipsets/{{ z_name }}.xml
    - user: root
    - group: root
    - mode: 644
    - source: salt://firewalld/files/ipset.xml
    - template: jinja
    - require:
      - pkg: package_firewalld # make sure package is installed
      - file: directory_firewalld_ipsets
    - require_in:
      - service: service_firewalld
    - watch_in:
      - cmd: reload_firewalld # reload firewalld config
    - context:
        name: {{ z_name }}
        ipset: {{ v|json }}

  {% endfor %}
{%- endif %}