# @summary Inbound nftables accept rules for a Consul agent.
#
# Every node gets the serf gossip ports (8301 and 8302, UDP and TCP).
# Nodes declared with `is_server => true` additionally get the DNS
# interface (8600, UDP and TCP) and TCP 8300, 8500 and 8503.
#
# Each rule matches on protocol and destination port only; none of them
# carries a source-address or interface match.
# NOTE(review): if the chain these rules land in does not already limit
# sources, consider restricting them to the cluster networks. This
# matters most for 8500, Consul's default plaintext HTTP API port.
# NOTE(review): 8302 is Consul's default WAN serf port; confirm whether
# non-server nodes need it open, or whether it can move under $is_server.
#
# @param is_server
#   When true, also open the ports that only Consul servers expose.
class firewall::rules::in::consul (
  Boolean $is_server = false,
) {
  # serf traffic (lan and wan): one rule per protocol/port pair
  ['udp', 'tcp'].each |String $proto| {
    [8301, 8302].each |Integer $port| {
      nftables::rule { "default_in-consul_${proto}_${port}":
        content => "${proto} dport ${port} accept",
      }
    }
  }

  if $is_server {
    # dns interface
    ['udp', 'tcp'].each |String $proto| {
      nftables::rule { "default_in-consul_${proto}_8600":
        content => "${proto} dport 8600 accept",
      }
    }

    # communication with servers
    [8300, 8500, 8503].each |Integer $port| {
      nftables::rule { "default_in-consul_tcp_${port}":
        content => "tcp dport ${port} accept",
      }
    }
  }
}