---
# Host firewall baseline: switch ufw on with a default-deny policy for
# incoming traffic, then add one explicit deny rule per blocklisted address.

# NOTE(review): no allow rule is visible in this file. Confirm that access
# for the management channel (e.g. SSH) is granted elsewhere before this
# task runs; otherwise enabling default-deny can cut the host off.
- name: Enable firewall with deny by default
  ufw:
    state: enabled
    policy: deny
    direction: incoming

# global_ip_blocklist is not defined in this file; presumably a list of
# addresses supplied by inventory or group vars (TODO confirm).
# Only this task carries the ip_blocklist tag, so a run limited to that tag
# refreshes the deny rules without re-applying the default policy above.
- name: Block known addresses
  ufw:
    # Insert before common rules, so a blocklisted source is denied ahead of
    # the rules that follow it in the ruleset.
    # NOTE(review): position 1 is an absolute index. If the blocklist can
    # contain IPv6 addresses, check whether insert_relative_to is needed;
    # verify against the ufw module documentation.
    insert: 1
    rule: deny
    from_ip: "{{ item }}"
    direction: in
    comment: "IP from Blocklist"
  loop: "{{ global_ip_blocklist }}"
  tags: [ip_blocklist]