ansible.nftables/tasks/main.yml

---
# tasks file for nftables

- name: Load specific OS vars for nft
  include_vars: "{{ item }}"
  with_first_found:
    - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version }}.yml"
    - "{{ ansible_distribution|lower }}.yml"
    - "{{ ansible_os_family|lower }}.yml"

# package {{{
- name: INSTALL Manage nftables packages
  package:
    name: '{{ item }}'
    state: '{{ nft_pkg_state }}'
  with_items:
    - '{{ nft_pkg_list }}'
  when: nft_enabled|bool

- name: INSTALL Remove iptables packages
  apt:
    name: '{{ item }}'
    state: '{{ nft_old_pkg_state }}'
  with_items:
    - '{{ nft_old_pkg_list }}'
  when: (nft_enabled|bool and
         nft_old_pkg_manage|bool)

# }}}

# conf {{{
- name: CONFIG create nftables.d dir
  file:
    path: "{{ nft_conf_dir_path }}"
    state: directory
    mode: 0755
  when: nft_enabled|bool

- name: CONFIG generate main conf file
  template:
    src: "{{ nft_main_conf_content }}"
    dest: "{{ nft_main_conf_path }}"
    owner: root
    group: root
    mode: 0755
    backup: yes
  notify: ['Restart nftables service']
  when: nft_enabled|bool

- name: CONFIG generate input rules file
  template:
    src: "{{ nft_input_conf_content }}"
    dest: "{{ nft_input_conf_path }}"
    owner: root
    group: root
    mode: 0755
    backup: yes
  notify: ['Restart nftables service']
  when: nft_enabled|bool

- name: CONFIG generate output rules file
  template:
    src: "{{ nft_output_conf_content }}"
    dest: "{{ nft_output_conf_path }}"
    owner: root
    group: root
    mode: 0755
    backup: yes
  notify: ['Restart nftables service']
  when: nft_enabled|bool

- name: CONFIG generate vars definition file
  template:
    src: "{{ nft_define_conf_content }}"
    dest: "{{ nft_define_conf_path }}"
    owner: root
    group: root
    mode: 0755
    backup: yes
  notify: ['Restart nftables service']
  when: nft_enabled|bool

- name: CONFIG generate sets and maps file
  template:
    src: "{{ nft_set_conf_content }}"
    dest: "{{ nft_set_conf_path }}"
    owner: root
    group: root
    mode: 0755
    backup: yes
  notify: ['Restart nftables service']
  when: nft_enabled|bool
# }}}

# service {{{

- name: install Debian systemd service unit
  template:
    src: '{{ nft_service_unit_content }}'
    dest: '{{ nft_service_unit_path }}'
    owner: 'root'
    group: 'root'
    mode: '0644'
  register: nftables__register_systemd_service
  when: (nft_enabled|bool and
         nft_service_manage|bool)
  notify: ['Restart nftables service']

# }}}
Install nftables. 2017-08-07 12:09:13 +02:00			`---`
			`# tasks file for nftables`

			`- name: Load specific OS vars for nft`
			`include_vars: "{{ item }}"`
			`with_first_found:`
			`- "{{ ansible_distribution\|lower }}-{{ ansible_distribution_version }}.yml"`
			`- "{{ ansible_distribution\|lower }}.yml"`
			`- "{{ ansible_os_family\|lower }}.yml"`

Generate main configuration file. 2017-08-07 13:48:54 +02:00			`# package {{{`
Ensure to remove old packages (iptables,…). 2017-08-18 09:25:28 +02:00			`- name: INSTALL Manage nftables packages`
Install nftables. 2017-08-07 12:09:13 +02:00			`package:`
			`name: '{{ item }}'`
			`state: '{{ nft_pkg_state }}'`
			`with_items:`
			`- '{{ nft_pkg_list }}'`
Set a variable to enable/disable Nftables 2018-05-16 14:38:33 +02:00			`when: nft_enabled\|bool`
Install nftables. 2017-08-07 12:09:13 +02:00
Ensure to remove old packages (iptables,…). 2017-08-18 09:25:28 +02:00			`- name: INSTALL Remove iptables packages`
			`apt:`
			`name: '{{ item }}'`
			`state: '{{ nft_old_pkg_state }}'`
			`with_items:`
			`- '{{ nft_old_pkg_list }}'`
Set a variable to enable/disable Nftables 2018-05-16 14:38:33 +02:00			`when: (nft_enabled\|bool and`
			`nft_old_pkg_manage\|bool)`

Generate main configuration file. 2017-08-07 13:48:54 +02:00			`# }}}`

			`# conf {{{`
Ensure to create the the directory to store the differents configuration files (/etc/nftables.d). 2017-08-18 09:18:43 +02:00			`- name: CONFIG create nftables.d dir`
			`file:`
			`path: "{{ nft_conf_dir_path }}"`
			`state: directory`
			`mode: 0755`
Set a variable to enable/disable Nftables 2018-05-16 14:38:33 +02:00			`when: nft_enabled\|bool`
Ensure to create the the directory to store the differents configuration files (/etc/nftables.d). 2017-08-18 09:18:43 +02:00
			`- name: CONFIG generate main conf file`
Generate main configuration file. 2017-08-07 13:48:54 +02:00			`template:`
			`src: "{{ nft_main_conf_content }}"`
			`dest: "{{ nft_main_conf_path }}"`
			`owner: root`
			`group: root`
			`mode: 0755`
			`backup: yes`
Move two task in systemd handler (try to fix #1) Try to fix the long delay at the first run. 2018-07-25 15:06:31 +02:00			`notify: ['Restart nftables service']`
Set a variable to enable/disable Nftables 2018-05-16 14:38:33 +02:00			`when: nft_enabled\|bool`
Move input rules to a specific file. 2017-08-07 17:37:41 +02:00
Ensure to create the the directory to store the differents configuration files (/etc/nftables.d). 2017-08-18 09:18:43 +02:00			`- name: CONFIG generate input rules file`
Move input rules to a specific file. 2017-08-07 17:37:41 +02:00			`template:`
			`src: "{{ nft_input_conf_content }}"`
			`dest: "{{ nft_input_conf_path }}"`
			`owner: root`
			`group: root`
			`mode: 0755`
			`backup: yes`
Move two task in systemd handler (try to fix #1) Try to fix the long delay at the first run. 2018-07-25 15:06:31 +02:00			`notify: ['Restart nftables service']`
Set a variable to enable/disable Nftables 2018-05-16 14:38:33 +02:00			`when: nft_enabled\|bool`
Add possibility to have nftables vars. 2017-08-08 12:11:58 +02:00
Ensure to create the the directory to store the differents configuration files (/etc/nftables.d). 2017-08-18 09:18:43 +02:00			`- name: CONFIG generate output rules file`
Move output rules to a specific file. 2017-08-08 15:35:05 +02:00			`template:`
			`src: "{{ nft_output_conf_content }}"`
			`dest: "{{ nft_output_conf_path }}"`
			`owner: root`
			`group: root`
			`mode: 0755`
			`backup: yes`
Move two task in systemd handler (try to fix #1) Try to fix the long delay at the first run. 2018-07-25 15:06:31 +02:00			`notify: ['Restart nftables service']`
Set a variable to enable/disable Nftables 2018-05-16 14:38:33 +02:00			`when: nft_enabled\|bool`
Move output rules to a specific file. 2017-08-08 15:35:05 +02:00
Ensure to create the the directory to store the differents configuration files (/etc/nftables.d). 2017-08-18 09:18:43 +02:00			`- name: CONFIG generate vars definition file`
Add possibility to have nftables vars. 2017-08-08 12:11:58 +02:00			`template:`
			`src: "{{ nft_define_conf_content }}"`
			`dest: "{{ nft_define_conf_path }}"`
			`owner: root`
			`group: root`
			`mode: 0755`
			`backup: yes`
Move two task in systemd handler (try to fix #1) Try to fix the long delay at the first run. 2018-07-25 15:06:31 +02:00			`notify: ['Restart nftables service']`
Set a variable to enable/disable Nftables 2018-05-16 14:38:33 +02:00			`when: nft_enabled\|bool`
Manage sets and maps definitions in a specific file. 2017-08-08 14:32:59 +02:00
Ensure to create the the directory to store the differents configuration files (/etc/nftables.d). 2017-08-18 09:18:43 +02:00			`- name: CONFIG generate sets and maps file`
Manage sets and maps definitions in a specific file. 2017-08-08 14:32:59 +02:00			`template:`
			`src: "{{ nft_set_conf_content }}"`
			`dest: "{{ nft_set_conf_path }}"`
			`owner: root`
			`group: root`
			`mode: 0755`
			`backup: yes`
Move two task in systemd handler (try to fix #1) Try to fix the long delay at the first run. 2018-07-25 15:06:31 +02:00			`notify: ['Restart nftables service']`
Set a variable to enable/disable Nftables 2018-05-16 14:38:33 +02:00			`when: nft_enabled\|bool`
Generate main configuration file. 2017-08-07 13:48:54 +02:00			`# }}}`
Manage nftables service at startup. 2017-08-09 14:27:07 +02:00
			`# service {{{`
Provide the systemd unit. 2018-02-06 16:58:18 +01:00
			`- name: install Debian systemd service unit`
			`template:`
			`src: '{{ nft_service_unit_content }}'`
			`dest: '{{ nft_service_unit_path }}'`
			`owner: 'root'`
			`group: 'root'`
			`mode: '0644'`
			`register: nftables__register_systemd_service`
Set a variable to enable/disable Nftables 2018-05-16 14:38:33 +02:00			`when: (nft_enabled\|bool and`
			`nft_service_manage\|bool)`
Move two task in systemd handler (try to fix #1) Try to fix the long delay at the first run. 2018-07-25 15:06:31 +02:00			`notify: ['Restart nftables service']`
Provide the systemd unit. 2018-02-06 16:58:18 +01:00
Manage nftables service at startup. 2017-08-09 14:27:07 +02:00			`# }}}`