From bc6f69fc59c1d85867fe2ca0aef0258d3ec70567 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gardais=20J=C3=A9r=C3=A9my?=
Date: Mon, 7 Aug 2017 13:48:54 +0200
Subject: [PATCH] Generate main configuration file.

---
 README.md | 3 +++
 defaults/main.yml | 8 ++++++--
 tasks/main.yml | 14 ++++++++++++++
 templates/etc/nftables.conf.j2 | 14 ++++++++++++++
 4 files changed, 37 insertions(+), 2 deletions(-)
 create mode 100755 templates/etc/nftables.conf.j2

diff --git a/README.md b/README.md
index befecfc..6d1c555 100644
--- a/README.md
+++ b/README.md
@@ -17,6 +17,8 @@ A role to manage Nftables rules and packages.
 * **nft_pkg_manage** : If `nftables` package(s) should be managed with this role [default : `true`].
 * **nft_pkg_state** : State of new `nftables` package(s) [default : `installed`].
+* **nft_main_conf_path** : Main configuration file loaded by systemd unit [default : `/etc/nftables.conf`].
+* **nft_main_conf_content** : Template used to generate the previous main configuration file [default : `etc/nftables.conf.j2`].
 ### OS Specific Variables
@@ -38,6 +40,7 @@ Please see default value by Operating System file in [vars][vars directory] dire
 This role will :
 * Install `nftables` on the system.
+* Generate a default configuration file loaded by systemd unit.
 ## Development
diff --git a/defaults/main.yml b/defaults/main.yml
index 3f41661..ccdbd07 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -2,5 +2,9 @@
 # defaults file for nftables
 # packages
- nft_pkg_manage: true
- nft_pkg_state: 'installed'
+nft_pkg_manage: true
+nft_pkg_state: 'installed'
+
+# conf
+nft_main_conf_path: '/etc/nftables.conf'
+nft_main_conf_content: 'etc/nftables.conf.j2'
diff --git a/tasks/main.yml b/tasks/main.yml
index 1810ede..bf9b302 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -8,6 +8,7 @@
 - "{{ ansible_distribution|lower }}.yml"
 - "{{ ansible_os_family|lower }}.yml"
+# package {{{
 - name: Manage packages
 package:
 name: '{{ item }}'
@@ -16,3 +17,16 @@
 - '{{ nft_pkg_list }}'
 when: nft_pkg_manage
+# }}}
+
+# conf {{{
+- name: generate main conf file
+ template:
+ src: "{{ nft_main_conf_content }}"
+ dest: "{{ nft_main_conf_path }}"
+ owner: root
+ group: root
+ mode: 0755
+ backup: yes
+
+# }}}
diff --git a/templates/etc/nftables.conf.j2 b/templates/etc/nftables.conf.j2
new file mode 100755
index 0000000..1eafe07
--- /dev/null
+++ b/templates/etc/nftables.conf.j2
@@ -0,0 +1,14 @@
+#!/usr/sbin/nft -f
+# {{ ansible_managed }}
+
+# clean
+flush ruleset
+
+table inet firewall {
+ chain input {
+ type filter hook input priority 0;
+ }
+ chain output {
+ type filter hook output priority 0;
+ }
+}
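Review bot: The `generate main conf file` task writes `{{ nft_main_conf_path }}` with `mode: 0755`, which makes the host's firewall ruleset readable by every local user and marks a configuration file executable; neither is needed, since the systemd unit (on the packagings I know of) applies the file with `nft -f` rather than executing it, and the shebang only matters when someone runs the file by hand. Tightening to `mode: 0640` (or `0600`) keeps the rules away from unprivileged accounts, and it matters doubly here because `backup: yes` copies inherit whatever mode is set, so the old contents would otherwise stay world-readable in the backups too. I would also add `validate: 'nft -c -f %s'` so a syntax error in the rendered template is caught before the previous file is overwritten — confirm the target's nft version supports `-c`. Note that the task has no `notify`, so nothing reloads the ruleset after the file changes; presumably a handler is planned, but until then the on-disk file and the live ruleset can silently diverge.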
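Review bot: The two base chains in `table inet firewall` declare no `policy`, so once `flush ruleset` has run the rendered file installs hook chains whose default policy is `accept` and the host is left with no filtering at all — perhaps the intended skeleton, but it should be stated rather than implied, given the README now advertises this as the role's default firewall configuration. Making it explicit with `type filter hook input priority 0; policy accept;` (and the same for `output`) documents the choice, and a comment above the input chain warning that switching to `policy drop` must be preceded by rules accepting `ct state established,related`, loopback and the management/SSH port would save the next editor from locking Ansible out of the box. It is also worth a comment that `flush ruleset` wipes every table on the host, including any managed outside this role (e.g. by firewalld or Docker), each time the file is loaded.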