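---
# Adds source NAT and forwarding rules to UFW's rule files so that the
# private LAN and the WireGuard networks can reach the `wild` interface.
#
# Both tasks only edit files on disk. Nothing here reloads UFW, so the rules
# take effect at the next `ufw reload` or reboot.
# NOTE(review): confirm the calling play notifies a reload handler, and that
# IP forwarding and the UFW forward policy are configured elsewhere.

- name: Configure UFW NAT rules for IoT.
  become: true
  ansible.builtin.blockinfile:
    dest: /etc/ufw/before.rules
    # Appended at EOF so the *nat table follows the stock tables, each of
    # which ends with its own COMMIT.
    insertafter: EOF
    prepend_newline: true
    marker: "# {mark} ABBEY MANAGED BLOCK"
    # Keep a timestamped copy of the previous rules file for rollback.
    backup: true
    # Masquerade traffic from each internal network leaving via `wild`.
    # NOTE(review): reportedly `ufw reload` does not flush the nat table, so
    # these -A rules may be appended again on each reload; verify on the
    # target release.
    block: |
      *nat
      -A POSTROUTING -s {{ private_net_cidr }} -o wild -j MASQUERADE
      -A POSTROUTING -s {{ public_wg_net_cidr }} -o wild -j MASQUERADE
      -A POSTROUTING -s {{ campus_wg_net_cidr }} -o wild -j MASQUERADE
      COMMIT

- name: Configure UFW FORWARD rules for IoT.
  become: true
  ansible.builtin.blockinfile:
    # NOTE(review): user.rules is maintained by the ufw CLI and may be
    # rewritten when rules are added or deleted with `ufw`; confirm this
    # managed block survives, or express the policy as `ufw route allow`.
    dest: /etc/ufw/user.rules
    insertafter: EOF
    prepend_newline: true
    marker: "# {mark} ABBEY MANAGED BLOCK"
    # Keep a timestamped copy of the previous rules file for rollback.
    backup: true
    # Accepts every packet routed from `lan` or `wg0` out through `wild`.
    # The match is on interface only: no source, destination, protocol or
    # port restriction, so every host behind those interfaces gets
    # unrestricted egress. Tighten if only IoT subnets should be forwarded.
    block: |
      *filter
      -A ufw-user-forward -i lan -o wild -j ACCEPT
      -A ufw-user-forward -i wg0 -o wild -j ACCEPT
      COMMIT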