ansible.nftables/tasks/main.yml

---
# .. vim: foldmarker=[[[,]]]:foldmethod=marker
#
# tasks file for nftables

- name: Check for group files
  become: no
  delegate_to: localhost
  stat:
    path: "{{ nft_merged_groups_dir ~ groupname }}"
  register: nftables_group_rules
  loop: "{{ group_names }}"
  loop_control:
    loop_var: groupname

- name: Debug nftables_group_rules
  debug: var=nftables_group_rules
  when: nft_debug

- name: Import nftables-variables if nft_merged_groups is set
  when: nft_merged_groups and varfile.stat.exists
  include_vars:
    file: "{{ nft_merged_groups_dir ~ varfile.groupname }}"
    name: "{{ varfile.groupname }}"
  loop: "{{ nftables_group_rules.results }}"
  loop_control:
    loop_var: varfile

- name: Combine Rules when nft_merged_groups is set
  when: nft_merged_groups and
        ((hostvars[inventory_hostname][varfile.groupname] is defined) and
         (hostvars[inventory_hostname][varfile.groupname]|length > 0)) and
        varfile.stat.exists
  set_fact:
    nft_combined_rules: "{{ nft_combined_rules | default({}) | combine ( hostvars[inventory_hostname][varfile.groupname], recursive=True ) }}"
  loop: "{{ nftables_group_rules.results }}"
  loop_control:
    loop_var: varfile

- name: Debug nft_combined_rules
  debug: var=nft_combined_rules
  when: nft_debug

- name: Debug ansible_os_family
  debug: var=ansible_os_family
  when: nft_debug

- name: Load specific OS vars for nftables
  include_vars: "{{ osname }}"
  with_first_found:
    - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version }}.yml"
    - "{{ ansible_distribution|lower }}.yml"
    - "{{ ansible_os_family|lower }}.yml"
  loop_control:
    loop_var: osname

# Manage packages [[[1
- name: Ensure Nftables packages are in their desired state
  package:
    name: '{{ nft_pkg_list | list }}'
    state: '{{ nft_pkg_state }}'
    update_cache: true
  register: pkg_install_result
  until: pkg_install_result is success
  when: nft_enabled|bool

- name: Ensure old Iptables packages are in their desired state
  package:
    name: '{{ nft_old_pkg_list | list }}'
    state: '{{ nft_old_pkg_state }}'
  register: pkg_remove_result
  until: pkg_remove_result is success
  when: (nft_enabled|bool and
         nft_old_pkg_manage|bool)

# Common configuration [[[1
- name: Ensure to create nftables.d directory
  file:
    path: "{{ nft_conf_dir_path }}"
    state: directory
    mode: 0755
  when: nft_enabled|bool

- name: CONFIG generate main conf file
  template:
    src: "{{ nft_main_conf_content }}"
    dest: "{{ nft_main_conf_path }}"
    owner: root
    group: root
    mode: 0755
    backup: "{{ nft_backup_conf }}"
  notify: ['Reload nftables service']
  when: nft_enabled|bool

- name: CONFIG generate vars definition file
  template:
    src: "{{ nft_define_conf_content }}"
    dest: "{{ nft_define_conf_path }}"
    owner: root
    group: root
    mode: 0755
    backup: "{{ nft_backup_conf }}"
  notify: ['Reload nftables service']
  when: nft_enabled|bool

- name: CONFIG generate sets file
  template:
    src: "{{ nft_set_conf_content }}"
    dest: "{{ nft_set_conf_path }}"
    owner: root
    group: root
    mode: 0755
    backup: "{{ nft_backup_conf }}"
  notify: ['Reload nftables service']
  when: nft_enabled|bool

# Filter table content [[[1
- name: Filter table - generate input rules file
  template:
    src: "{{ nft_input_conf_content }}"
    dest: "{{ nft_input_conf_path }}"
    owner: root
    group: root
    mode: 0755
    backup: "{{ nft_backup_conf }}"
  notify: ['Reload nftables service']
  when: nft_enabled|bool

- name: Filter table - generate output rules file
  template:
    src: "{{ nft_output_conf_content }}"
    dest: "{{ nft_output_conf_path }}"
    owner: root
    group: root
    mode: 0755
    backup: "{{ nft_backup_conf }}"
  notify: ['Reload nftables service']
  when: nft_enabled|bool

- name: Filter table - generate forward rules file
  template:
    src: "{{ nft_forward_conf_content }}"
    dest: "{{ nft_forward_conf_path }}"
    owner: root
    group: root
    mode: 0755
    backup: yes
  notify: ['Reload nftables service']
  when: (nft_enabled|bool and
         nft__forward_table_manage|bool)

# Nat table content [[[1
- name: Nat table - generate prerouting rules file
  template:
    src: "{{ nft__nat_prerouting_conf_content }}"
    dest: "{{ nft__nat_prerouting_conf_path }}"
    owner: root
    group: root
    mode: 0755
    backup: "{{ nft_backup_conf }}"
  notify: ['Reload nftables service']
  when: (nft_enabled|bool and
         nft__nat_table_manage|bool)

- name: Nat table - generate postrouting rules file
  template:
    src: "{{ nft__nat_postrouting_conf_content }}"
    dest: "{{ nft__nat_postrouting_conf_path }}"
    owner: root
    group: root
    mode: 0755
    backup: "{{ nft_backup_conf }}"
  notify: ['Reload nftables service']
  when: (nft_enabled|bool and
         nft__nat_table_manage|bool)

# Manage nftables service [[[1
- name: Install nftables Debian systemd service unit
  template:
    src: '{{ nft_service_unit_content }}'
    dest: '{{ nft_service_unit_path }}'
    owner: 'root'
    group: 'root'
    mode: '0644'
  register: nftables__register_systemd_service
  when: (nft_enabled|bool and
         nft_service_manage|bool)
  notify: ['Restart nftables service']

- name: Ensure to remove nftables systemd service from old target
  file:
    path: '/etc/systemd/system/multi-user.target.wants/nftables.service'
    state: absent
  register: nftables__register_fix_systemd_target
  when: (nft_enabled|bool and
         nft_service_manage|bool)
  notify: ['Restart nftables service']

# Manage custom nftables service [[[1
- name: Create Nftables custom directory for systemd service
  file:
    path: "{{ nft__service_override_path | dirname }}"
    state: directory
    mode: '0755'
  when:
    - nft_enabled|bool
    - nft_service_manage|bool
    - not nft__service_protect|bool

- name: Add Nftables systemd custom configuration
  template:
    src: '{{ nft__service_override_content }}'
    dest: '{{ nft__service_override_path }}'
    owner: 'root'
    group: 'root'
    mode: '0644'
  register: nftables__register_systemd_custom
  when:
    - nft_enabled|bool
    - nft_service_manage|bool
    - not nft__service_protect|bool
  notify: ['Restart nftables service']

# Manage custom fail2ban service [[[1
- name: Create Fail2Ban custom directory for systemd service
  file:
    path: "{{ nft__fail2ban_service_unit_path | dirname }}"
    state: directory
    mode: '0755'
  when:
    - nft_enabled|bool
    - nft_service_manage|bool

- name: Install Debian Fail2Ban custom service
  template:
    src: '{{ nft__fail2ban_service_unit_content }}'
    dest: '{{ nft__fail2ban_service_unit_path }}'
    owner: 'root'
    group: 'root'
    mode: '0644'
  register: nftables__register_fail2ban_service
  when:
    - nft_enabled|bool
    - nft_service_manage|bool
  notify: ['Restart nftables service']
Install nftables. 2017-08-07 12:09:13 +02:00			`---`
Clean tasks name and comments in tasks/main.yml file 2019-04-16 13:48:48 +02:00			`# .. vim: foldmarker=[[[,]]]:foldmethod=marker`
			`#`
Install nftables. 2017-08-07 12:09:13 +02:00			`# tasks file for nftables`
Fix error when variables were empty 2020-11-11 15:27:08 +01:00
Allow for undefined group variables for merged_groups. 2020-12-01 16:17:01 +01:00			`- name: Check for group files`
			`become: no`
			`delegate_to: localhost`
			`stat:`
Change variable names + add debug toggle. 2020-12-30 17:12:50 +01:00			`path: "{{ nft_merged_groups_dir ~ groupname }}"`
			`register: nftables_group_rules`
Support merged firewall rules for multiple groups per host. - Multiple groups for a single server will now lead to all firewall rules being merged instead of overwritten. 2020-11-10 21:17:11 +01:00			`loop: "{{ group_names }}"`
			`loop_control:`
			`loop_var: groupname`

Add task names as required by ansible-lint 2021-08-07 13:18:09 +02:00			`- name: Debug nftables_group_rules`
			`debug: var=nftables_group_rules`
Change variable names + add debug toggle. 2020-12-30 17:12:50 +01:00			`when: nft_debug`
Allow for undefined group variables for merged_groups. 2020-12-01 16:17:01 +01:00
Change variable names + add debug toggle. 2020-12-30 17:12:50 +01:00			`- name: Import nftables-variables if nft_merged_groups is set`
			`when: nft_merged_groups and varfile.stat.exists`
Allow for undefined group variables for merged_groups. 2020-12-01 16:17:01 +01:00			`include_vars:`
Change variable names + add debug toggle. 2020-12-30 17:12:50 +01:00			`file: "{{ nft_merged_groups_dir ~ varfile.groupname }}"`
Allow for undefined group variables for merged_groups. 2020-12-01 16:17:01 +01:00			`name: "{{ varfile.groupname }}"`
Change variable names + add debug toggle. 2020-12-30 17:12:50 +01:00			`loop: "{{ nftables_group_rules.results }}"`
Allow for undefined group variables for merged_groups. 2020-12-01 16:17:01 +01:00			`loop_control:`
			`loop_var: varfile`

Change variable names + add debug toggle. 2020-12-30 17:12:50 +01:00			`- name: Combine Rules when nft_merged_groups is set`
Ansible-lint: Fix line longer than 160 chars 2021-01-05 15:58:43 +01:00			`when: nft_merged_groups and`
			`((hostvars[inventory_hostname][varfile.groupname] is defined) and`
			`(hostvars[inventory_hostname][varfile.groupname]\|length > 0)) and`
			`varfile.stat.exists`
Support merged firewall rules for multiple groups per host. - Multiple groups for a single server will now lead to all firewall rules being merged instead of overwritten. 2020-11-10 21:17:11 +01:00			`set_fact:`
Allow for undefined group variables for merged_groups. 2020-12-01 16:17:01 +01:00			`nft_combined_rules: "{{ nft_combined_rules \| default({}) \| combine ( hostvars[inventory_hostname][varfile.groupname], recursive=True ) }}"`
Change variable names + add debug toggle. 2020-12-30 17:12:50 +01:00			`loop: "{{ nftables_group_rules.results }}"`
Support merged firewall rules for multiple groups per host. - Multiple groups for a single server will now lead to all firewall rules being merged instead of overwritten. 2020-11-10 21:17:11 +01:00			`loop_control:`
Allow for undefined group variables for merged_groups. 2020-12-01 16:17:01 +01:00			`loop_var: varfile`
Install nftables. 2017-08-07 12:09:13 +02:00
Add task names as required by ansible-lint 2021-08-07 13:18:09 +02:00			`- name: Debug nft_combined_rules`
			`debug: var=nft_combined_rules`
Change variable names + add debug toggle. 2020-12-30 17:12:50 +01:00			`when: nft_debug`

Debug os family detection in GitHub Actions 2021-08-07 14:32:43 +02:00			`- name: Debug ansible_os_family`
			`debug: var=ansible_os_family`
			`when: nft_debug`

Clean tasks name and comments in tasks/main.yml file 2019-04-16 13:48:48 +02:00			`- name: Load specific OS vars for nftables`
Support merged firewall rules for multiple groups per host. - Multiple groups for a single server will now lead to all firewall rules being merged instead of overwritten. 2020-11-10 21:17:11 +01:00			`include_vars: "{{ osname }}"`
Install nftables. 2017-08-07 12:09:13 +02:00			`with_first_found:`
			`- "{{ ansible_distribution\|lower }}-{{ ansible_distribution_version }}.yml"`
			`- "{{ ansible_distribution\|lower }}.yml"`
			`- "{{ ansible_os_family\|lower }}.yml"`
Support merged firewall rules for multiple groups per host. - Multiple groups for a single server will now lead to all firewall rules being merged instead of overwritten. 2020-11-10 21:17:11 +01:00			`loop_control:`
			`loop_var: osname`
Install nftables. 2017-08-07 12:09:13 +02:00
Clean tasks name and comments in tasks/main.yml file 2019-04-16 13:48:48 +02:00			`# Manage packages [[[1`
Support merged firewall rules for multiple groups per host. - Multiple groups for a single server will now lead to all firewall rules being merged instead of overwritten. 2020-11-10 21:17:11 +01:00			`- name: Ensure Nftables packages are in their desired state`
Install nftables. 2017-08-07 12:09:13 +02:00			`package:`
Fix deprecation warning with ansible 2.7 [DEPRECATION WARNING]: Invoking "apt" only once while using a loop via squash_actions is deprecated. Instead of using a loop to supply multiple items and specifying `name: "{{ item }}"`, please use `name: ['{{ nft_old_pkg_list }}']` and remove the loop. This feature will be removed in version 2.11. Signed-off-by: Julien Viard de Galbert <julien@vdg.name> 2019-05-07 00:00:48 +02:00			`name: '{{ nft_pkg_list \| list }}'`
Install nftables. 2017-08-07 12:09:13 +02:00			`state: '{{ nft_pkg_state }}'`
Update cache on package install 2021-08-07 12:47:32 +02:00			`update_cache: true`
Fix E405 Remote package tasks should have a retry 2019-02-27 13:31:25 +01:00			`register: pkg_install_result`
			`until: pkg_install_result is success`
Set a variable to enable/disable Nftables 2018-05-16 14:38:33 +02:00			`when: nft_enabled\|bool`
Install nftables. 2017-08-07 12:09:13 +02:00
Support merged firewall rules for multiple groups per host. - Multiple groups for a single server will now lead to all firewall rules being merged instead of overwritten. 2020-11-10 21:17:11 +01:00			`- name: Ensure old Iptables packages are in their desired state`
Fix error when variables were empty 2020-11-11 15:27:08 +01:00			`package:`
Fix deprecation warning with ansible 2.7 [DEPRECATION WARNING]: Invoking "apt" only once while using a loop via squash_actions is deprecated. Instead of using a loop to supply multiple items and specifying `name: "{{ item }}"`, please use `name: ['{{ nft_old_pkg_list }}']` and remove the loop. This feature will be removed in version 2.11. Signed-off-by: Julien Viard de Galbert <julien@vdg.name> 2019-05-07 00:00:48 +02:00			`name: '{{ nft_old_pkg_list \| list }}'`
Ensure to remove old packages (iptables,…). 2017-08-18 09:25:28 +02:00			`state: '{{ nft_old_pkg_state }}'`
Fix E405 Remote package tasks should have a retry 2019-02-27 13:31:25 +01:00			`register: pkg_remove_result`
			`until: pkg_remove_result is success`
Set a variable to enable/disable Nftables 2018-05-16 14:38:33 +02:00			`when: (nft_enabled\|bool and`
			`nft_old_pkg_manage\|bool)`

Clean tasks name and comments in tasks/main.yml file 2019-04-16 13:48:48 +02:00			`# Common configuration [[[1`
			`- name: Ensure to create nftables.d directory`
Ensure to create the the directory to store the differents configuration files (/etc/nftables.d). 2017-08-18 09:18:43 +02:00			`file:`
			`path: "{{ nft_conf_dir_path }}"`
			`state: directory`
			`mode: 0755`
Set a variable to enable/disable Nftables 2018-05-16 14:38:33 +02:00			`when: nft_enabled\|bool`
Ensure to create the the directory to store the differents configuration files (/etc/nftables.d). 2017-08-18 09:18:43 +02:00
			`- name: CONFIG generate main conf file`
Generate main configuration file. 2017-08-07 13:48:54 +02:00			`template:`
			`src: "{{ nft_main_conf_content }}"`
			`dest: "{{ nft_main_conf_path }}"`
			`owner: root`
			`group: root`
			`mode: 0755`
Make config backup configurable by using nft_backup_conf variable. 2021-03-12 09:28:45 +01:00			`backup: "{{ nft_backup_conf }}"`
Reload nftables service to apply new rules Fix #3 Github 2020-04-21 09:53:57 +02:00			`notify: ['Reload nftables service']`
Set a variable to enable/disable Nftables 2018-05-16 14:38:33 +02:00			`when: nft_enabled\|bool`
Move input rules to a specific file. 2017-08-07 17:37:41 +02:00
Clean tasks name and comments in tasks/main.yml file 2019-04-16 13:48:48 +02:00			`- name: CONFIG generate vars definition file`
Move input rules to a specific file. 2017-08-07 17:37:41 +02:00			`template:`
Clean tasks name and comments in tasks/main.yml file 2019-04-16 13:48:48 +02:00			`src: "{{ nft_define_conf_content }}"`
			`dest: "{{ nft_define_conf_path }}"`
Move input rules to a specific file. 2017-08-07 17:37:41 +02:00			`owner: root`
			`group: root`
			`mode: 0755`
Make config backup configurable by using nft_backup_conf variable. 2021-03-12 09:28:45 +01:00			`backup: "{{ nft_backup_conf }}"`
Reload nftables service to apply new rules Fix #3 Github 2020-04-21 09:53:57 +02:00			`notify: ['Reload nftables service']`
Set a variable to enable/disable Nftables 2018-05-16 14:38:33 +02:00			`when: nft_enabled\|bool`
Add possibility to have nftables vars. 2017-08-08 12:11:58 +02:00
Clean tasks name and comments in tasks/main.yml file 2019-04-16 13:48:48 +02:00			`- name: CONFIG generate sets file`
Move output rules to a specific file. 2017-08-08 15:35:05 +02:00			`template:`
Clean tasks name and comments in tasks/main.yml file 2019-04-16 13:48:48 +02:00			`src: "{{ nft_set_conf_content }}"`
			`dest: "{{ nft_set_conf_path }}"`
Move output rules to a specific file. 2017-08-08 15:35:05 +02:00			`owner: root`
			`group: root`
			`mode: 0755`
Make config backup configurable by using nft_backup_conf variable. 2021-03-12 09:28:45 +01:00			`backup: "{{ nft_backup_conf }}"`
Reload nftables service to apply new rules Fix #3 Github 2020-04-21 09:53:57 +02:00			`notify: ['Reload nftables service']`
Set a variable to enable/disable Nftables 2018-05-16 14:38:33 +02:00			`when: nft_enabled\|bool`
Move output rules to a specific file. 2017-08-08 15:35:05 +02:00
Clean tasks name and comments in tasks/main.yml file 2019-04-16 13:48:48 +02:00			`# Filter table content [[[1`
			`- name: Filter table - generate input rules file`
Add possibility to have nftables vars. 2017-08-08 12:11:58 +02:00			`template:`
Clean tasks name and comments in tasks/main.yml file 2019-04-16 13:48:48 +02:00			`src: "{{ nft_input_conf_content }}"`
			`dest: "{{ nft_input_conf_path }}"`
Add possibility to have nftables vars. 2017-08-08 12:11:58 +02:00			`owner: root`
			`group: root`
			`mode: 0755`
Make config backup configurable by using nft_backup_conf variable. 2021-03-12 09:28:45 +01:00			`backup: "{{ nft_backup_conf }}"`
Reload nftables service to apply new rules Fix #3 Github 2020-04-21 09:53:57 +02:00			`notify: ['Reload nftables service']`
Set a variable to enable/disable Nftables 2018-05-16 14:38:33 +02:00			`when: nft_enabled\|bool`
Manage sets and maps definitions in a specific file. 2017-08-08 14:32:59 +02:00
Clean tasks name and comments in tasks/main.yml file 2019-04-16 13:48:48 +02:00			`- name: Filter table - generate output rules file`
Manage sets and maps definitions in a specific file. 2017-08-08 14:32:59 +02:00			`template:`
Clean tasks name and comments in tasks/main.yml file 2019-04-16 13:48:48 +02:00			`src: "{{ nft_output_conf_content }}"`
			`dest: "{{ nft_output_conf_path }}"`
Manage sets and maps definitions in a specific file. 2017-08-08 14:32:59 +02:00			`owner: root`
			`group: root`
			`mode: 0755`
Make config backup configurable by using nft_backup_conf variable. 2021-03-12 09:28:45 +01:00			`backup: "{{ nft_backup_conf }}"`
Reload nftables service to apply new rules Fix #3 Github 2020-04-21 09:53:57 +02:00			`notify: ['Reload nftables service']`
Set a variable to enable/disable Nftables 2018-05-16 14:38:33 +02:00			`when: nft_enabled\|bool`
Manage nftables service at startup. 2017-08-09 14:27:07 +02:00
Added the option to manage the forwarding firewall table. 2021-03-03 10:47:02 +01:00			`- name: Filter table - generate forward rules file`
			`template:`
			`src: "{{ nft_forward_conf_content }}"`
			`dest: "{{ nft_forward_conf_path }}"`
			`owner: root`
			`group: root`
			`mode: 0755`
			`backup: yes`
			`notify: ['Reload nftables service']`
			`when: (nft_enabled\|bool and`
			`nft__forward_table_manage\|bool)`

Generate Nat table rules files 2019-04-16 15:48:30 +02:00			`# Nat table content [[[1`
			`- name: Nat table - generate prerouting rules file`
			`template:`
			`src: "{{ nft__nat_prerouting_conf_content }}"`
			`dest: "{{ nft__nat_prerouting_conf_path }}"`
			`owner: root`
			`group: root`
			`mode: 0755`
Make config backup configurable by using nft_backup_conf variable. 2021-03-12 09:28:45 +01:00			`backup: "{{ nft_backup_conf }}"`
Reload nftables service to apply new rules Fix #3 Github 2020-04-21 09:53:57 +02:00			`notify: ['Reload nftables service']`
Generate Nat table rules files 2019-04-16 15:48:30 +02:00			`when: (nft_enabled\|bool and`
			`nft__nat_table_manage\|bool)`

			`- name: Nat table - generate postrouting rules file`
			`template:`
			`src: "{{ nft__nat_postrouting_conf_content }}"`
			`dest: "{{ nft__nat_postrouting_conf_path }}"`
			`owner: root`
			`group: root`
			`mode: 0755`
Make config backup configurable by using nft_backup_conf variable. 2021-03-12 09:28:45 +01:00			`backup: "{{ nft_backup_conf }}"`
Reload nftables service to apply new rules Fix #3 Github 2020-04-21 09:53:57 +02:00			`notify: ['Reload nftables service']`
Generate Nat table rules files 2019-04-16 15:48:30 +02:00			`when: (nft_enabled\|bool and`
			`nft__nat_table_manage\|bool)`

Ensure to disable nftables unit from old target 2021-07-30 12:20:27 +02:00			`# Manage nftables service [[[1`
			`- name: Install nftables Debian systemd service unit`
Provide the systemd unit. 2018-02-06 16:58:18 +01:00			`template:`
			`src: '{{ nft_service_unit_content }}'`
			`dest: '{{ nft_service_unit_path }}'`
			`owner: 'root'`
			`group: 'root'`
			`mode: '0644'`
			`register: nftables__register_systemd_service`
Set a variable to enable/disable Nftables 2018-05-16 14:38:33 +02:00			`when: (nft_enabled\|bool and`
			`nft_service_manage\|bool)`
Manage Fail2ban in the "systemd way" Thanks to @FinweVI ! Rebase after Gentoo related commits 2021-07-30 09:34:38 +02:00			`notify: ['Restart nftables service']`

Ensure to disable nftables unit from old target 2021-07-30 12:20:27 +02:00			`- name: Ensure to remove nftables systemd service from old target`
			`file:`
			`path: '/etc/systemd/system/multi-user.target.wants/nftables.service'`
			`state: absent`
			`register: nftables__register_fix_systemd_target`
			`when: (nft_enabled\|bool and`
			`nft_service_manage\|bool)`
			`notify: ['Restart nftables service']`

Move systemd "Protect" options to override file Rebase after Gentoo related commits 2021-07-30 13:05:34 +02:00			`# Manage custom nftables service [[[1`
			`- name: Create Nftables custom directory for systemd service`
			`file:`
			`path: "{{ nft__service_override_path \| dirname }}"`
			`state: directory`
Fix systemd directories permissions 2021-07-31 11:39:28 +02:00			`mode: '0755'`
Move systemd "Protect" options to override file Rebase after Gentoo related commits 2021-07-30 13:05:34 +02:00			`when:`
			`- nft_enabled\|bool`
			`- nft_service_manage\|bool`
			`- not nft__service_protect\|bool`

			`- name: Add Nftables systemd custom configuration`
			`template:`
			`src: '{{ nft__service_override_content }}'`
			`dest: '{{ nft__service_override_path }}'`
			`owner: 'root'`
			`group: 'root'`
			`mode: '0644'`
			`register: nftables__register_systemd_custom`
			`when:`
			`- nft_enabled\|bool`
			`- nft_service_manage\|bool`
			`- not nft__service_protect\|bool`
			`notify: ['Restart nftables service']`

Manage Fail2ban in the "systemd way" Thanks to @FinweVI ! Rebase after Gentoo related commits 2021-07-30 09:34:38 +02:00			`# Manage custom fail2ban service [[[1`
			`- name: Create Fail2Ban custom directory for systemd service`
			`file:`
			`path: "{{ nft__fail2ban_service_unit_path \| dirname }}"`
			`state: directory`
Fix systemd directories permissions 2021-07-31 11:39:28 +02:00			`mode: '0755'`
Manage Fail2ban in the "systemd way" Thanks to @FinweVI ! Rebase after Gentoo related commits 2021-07-30 09:34:38 +02:00			`when:`
			`- nft_enabled\|bool`
			`- nft_service_manage\|bool`

			`- name: Install Debian Fail2Ban custom service`
			`template:`
			`src: '{{ nft__fail2ban_service_unit_content }}'`
			`dest: '{{ nft__fail2ban_service_unit_path }}'`
			`owner: 'root'`
			`group: 'root'`
			`mode: '0644'`
			`register: nftables__register_fail2ban_service`
			`when:`
			`- nft_enabled\|bool`
			`- nft_service_manage\|bool`
			`notify: ['Restart nftables service']`