# @summary Manage the host firewall through the nftables module.
#
# Nothing is declared unless $enable is true. When it is, one nftables::set is
# declared per entry of $ipset_queries, followed by the nftables class itself
# with the rule toggles listed in the body.
#
# @param enable
#   Turn firewall management on. Defaults to false, in which case this class
#   declares no resources at all.
# @param ipset_queries
#   Hash of set name => node query. Each query is passed to query_nodes() and
#   the 'networking.ip' values it returns become the elements of that set.
#
# NOTE(review): set membership is derived from the networking.ip fact, which
# every agent reports about itself. A node able to alter its own facts can
# change the address it contributes and, if a query selects on facts, whether
# it matches at all. Keep the queries narrow and confirm that the rules
# referencing these sets are acceptable at that trust level.
class firewall (
  Boolean $enable        = false,
  Hash    $ipset_queries = {},
) {
  if $enable {
    each($ipset_queries) |$set_name, $node_query| {
      # Addresses come from networking.ip only and the set type is ipv4_addr,
      # so IPv6 addresses are not represented in these sets.
      $matched_ips = query_nodes($node_query, 'networking.ip')
      # Sorted, presumably so the element list is stable between runs.
      $member_ips  = sort($matched_ips)

      nftables::set { $set_name:
        type     => 'ipv4_addr',
        flags    => ['dynamic'],
        elements => $member_ips,
      }
    }

    # Of the toggles passed here only ICMP is left on, in both directions.
    # NOTE(review): in_ssh is false, so this declaration requests no SSH rule
    # from the nftables class; confirm that SSH (and any required DNS, NTP or
    # HTTP(S) egress) is allowed by rules declared elsewhere before enabling
    # this on remotely managed hosts.
    class { 'nftables':
      # inbound
      in_ssh    => false,
      in_icmp   => true,
      # outbound
      out_ntp   => false,
      out_dns   => false,
      out_http  => false,
      out_https => false,
      out_icmp  => true,
      out_all   => false,
    }
  }
}