---
- name: "Activate changes"
  checkmk.general.activation:
    server_url: "{{ checkmk_agent_server_protocol }}://{{ checkmk_agent_server }}:{{ checkmk_agent_server_port }}/"
    site: "{{ checkmk_agent_site }}"
    automation_user: "{{ checkmk_agent_user }}"
    automation_secret: "{{ __checkmk_agent_auth }}"
    force_foreign_changes: "{{ checkmk_agent_force_foreign_changes }}"
    redirect: true
    validate_certs: "{{ checkmk_agent_server_validate_certs }}"
  become: false
  delegate_to: "{{ checkmk_agent_delegate_api_calls }}"
  run_once: true  # noqa run-once[task]
  when: checkmk_agent_auto_activate | bool

- name: "Restart firewall"
  become: true
  ansible.builtin.shell: |
    # Check and reload firewalld (RHEL/CentOS)
    if systemctl is-active --quiet firewalld 2>/dev/null; then
      echo "Reloading firewalld"
      firewall-cmd --reload
      exit 0
    fi
    
    # Check and reload ufw (Ubuntu/Debian)
    if systemctl is-active --quiet ufw 2>/dev/null; then
      echo "Reloading ufw"
      ufw reload
      exit 0
    fi
    
    # Check and reload SuSEfirewall2 (older SUSE)
    if systemctl is-active --quiet SuSEfirewall2 2>/dev/null; then
      echo "Reloading SuSEfirewall2"
      systemctl reload SuSEfirewall2
      exit 0
    fi
    
    echo "No active firewall found - skipping reload"
    exit 0
  args:
    executable: /bin/bash
  register: firewall_reload_result
  changed_when: "'Reloading' in firewall_reload_result.stdout"
  failed_when: false