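# Baseline host setup: enable EPEL, install the common package set, then
# install firewalld and move the host to a default-deny inbound posture with
# SSH as the only accepted service.
#
# Ordering matters for remote hosts: the SSH allowance is added to the drop
# zone *before* drop becomes the default zone, so the management connection
# is not cut off part-way through the play.

- name: Install EPEL repository
  ansible.builtin.dnf:
    name: epel-release
    state: present
    update_cache: true

- name: Install useful software
  ansible.builtin.dnf:
    # common_packages is not defined in this file; presumably a list supplied
    # by role defaults or inventory vars. Confirm where it comes from.
    name: "{{ common_packages }}"
    state: present
    update_cache: true

- name: Install firewalld
  ansible.builtin.dnf:
    name: firewalld
    state: present

- name: Start and enable firewalld service
  ansible.builtin.systemd:
    name: firewalld
    state: started
    enabled: true

# NOTE(review): this call names no service, port, rich rule, interface,
# source or target to change. With state "enabled" it therefore most likely
# changes nothing and does not make drop the default zone, despite the task
# name. The default zone is actually switched by the firewall-cmd task at the
# end of this file. Confirm against the installed ansible.posix version, then
# drop or rename this task.
- name: Set default zone to drop (deny incoming by default)
  ansible.posix.firewalld:
    zone: drop
    state: enabled
    permanent: true
    immediate: true

# The limit on the accept action is one budget for the whole rule, not one
# per source address. Connections beyond 10 per minute do not match this rule
# and fall through to the zone's default handling, which in the drop zone
# means they are discarded. Unrelated connection noise can therefore delay
# legitimate logins, so treat this as a coarse throttle and keep sshd-side
# controls (key-only authentication, MaxStartups) in place as well.
- name: Allow SSH in drop zone with rate limiting via rich rule
  ansible.posix.firewalld:
    zone: drop
    rich_rule: 'rule service name="ssh" accept limit value="10/m"'
    permanent: true
    immediate: true
    state: enabled

# Read-only query so the next task runs, and reports "changed", only when the
# default zone really differs. The original ran firewall-cmd on every play
# with changed_when: false, which hid real firewall changes from the play
# recap and from any change-based auditing.
- name: Read the current default zone
  ansible.builtin.command:
    cmd: firewall-cmd --get-default-zone
  register: firewalld_default_zone_query
  changed_when: false

# firewall-cmd --set-default-zone applies to both the runtime and the
# permanent configuration. default('') covers check mode, where the query
# above is skipped and registers no stdout.
- name: Set drop as the default zone
  ansible.builtin.command:
    cmd: firewall-cmd --set-default-zone=drop
  when: (firewalld_default_zone_query.stdout | default('') | trim) != 'drop'
  changed_when: true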