---
- name: Install
  package:
    name: firewalld
    state: present

- name: Start and activate
  service:
    name: firewalld
    state: started
    enabled: yes

- name: Block all ports
  firewalld:
    zone: public
    service: ssh
    permanent: yes
    state: enabled

- name: Add Tailscale interface to trusted zone
  firewalld:
    zone: trusted
    interface: tailscale0
    permanent: yes
    state: enabled

- name: Reload firewalld
  command: firewall-cmd --reload