#!/bin/bash
# Privileged helper for Lite Firewall Config.
# Invoked via pkexec; the polkit policy
# com.linuxliteos.lite-firewallconfig restricts this to authenticated admins.
#
# Usage: lite-firewallconfig-helper {enable|disable}
#
# systemctl notes:
#   --now is only valid with enable / disable / reenable / mask.
#   It is NOT valid with unmask, which is why the enable path unmasks first
#   as its own step and then combines enable+start via enable --now.

set -e

case "$1" in
    enable)
        /bin/systemctl unmask firewalld
        /bin/systemctl enable --now firewalld
        ;;
    disable)
        /bin/systemctl disable --now firewalld
        /bin/systemctl mask firewalld
        ;;
    *)
        echo "Usage: $0 {enable|disable}" >&2
        exit 2
        ;;
esac
