#!/usr/bin/env bash
# Declarative firewall configuration with common + profile-specific rules
source "$PROJECT_DIR/lib.sh"
enable_strict_mode

cat <<'EOM'

=> Firewall configuration

EOM

ufw_initialize

COMMON_RULES_FILE="$ROLE_DIR/firewall/rules.common.list"
PROFILE_RULES_FILE="$ROLE_DIR/firewall/rules.${profile:-}.list"

apply_ufw_rules_file "$COMMON_RULES_FILE"
apply_ufw_rules_file "$PROFILE_RULES_FILE"

ufw reload
log_ok "Firewall rules applied"