---
- name: "{{ ansible_os_family }} Derivatives: Install host-specific {{ checkmk_agent_edition | upper }} Agent."
  become: true
  ansible.builtin.dnf:
    name: "{{ __checkmk_agent_agent.file.host }}"
    state: present
    disable_gpg_check: true
  when: |
    checkmk_agent_edition | lower != "cre"
    and checkmk_agent_host_specific | bool
  tags:
    - install-package

- name: "{{ ansible_os_family }} Derivatives: Install GENERIC or folder-specific {{ checkmk_agent_edition | upper }} Agent."
  become: true
  ansible.builtin.dnf:
    name: "{{ __checkmk_agent_agent.file.cee }}"
    state: present
    disable_gpg_check: true
  when: |
    checkmk_agent_edition | lower != "cre"
    and not checkmk_agent_host_specific | bool
  tags:
    - install-package

- name: "{{ ansible_os_family }} Derivatives: Transfer Vanilla agent."
  ansible.builtin.copy:
    src: "{{ __checkmk_agent_agent.file.cre }}"
    dest: "{{ __checkmk_agent_agent.file.cre }}"
    mode: "0644"
  when: |
    checkmk_agent_edition | lower == "cre"
    and checkmk_agent_delegate_download != inventory_hostname
  tags:
    - download-package

- name: "{{ ansible_os_family }} Derivatives: Install Vanilla agent."
  become: true
  ansible.builtin.dnf:
    name: "{{ __checkmk_agent_agent.file.cre }}"
    state: present
    disable_gpg_check: true
  when: checkmk_agent_edition | lower == "cre"
  tags:
    - install-package

- name: "{{ ansible_os_family }} Derivatives: Configure Firewall for Agent."
  when: checkmk_agent_configure_firewall | bool and "firewalld.service" in ansible_facts.services
  block:
    - name: "{{ ansible_os_family }} Derivatives: Add Checkmk Server to Firewall Whitelist if it is an IP address."
      when: checkmk_agent_server | ansible.utils.ipaddr()
      ansible.builtin.set_fact:
        checkmk_agent_server_ips: "{{ checkmk_agent_server_ips + [checkmk_agent_server] }}"

    - name: "{{ ansible_os_family }} Derivatives: Allow Checkmk services access to the agent."
      when: checkmk_agent_server_ips is defined
      ansible.posix.firewalld:
        permanent: 'yes'
        immediate: 'yes'
        state: enabled
        rich_rule: 'rule family="ipv4" source address={{ item }} port port="{{ checkmk_agent_port }}" protocol="tcp" accept'
        zone: "{{ checkmk_agent_configure_firewall_zone | default('public') }}"
      loop: "{{ checkmk_agent_server_ips }}"
      become: true