From eb93ff65f9d57041be4435f01bbc09ebbabcd750 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gardais=20J=C3=A9r=C3=A9my?=
Date: Tue, 6 Feb 2018 16:58:18 +0100
Subject: [PATCH] Provide the systemd unit.
---
 CHANGELOG.md | 5 ++++
 defaults/main.yml | 2 ++
 tasks/main.yml | 26 +++++++++++++++----
 .../lib/systemd/system/nftables.service.j2 | 18 +++++++++++++
 4 files changed, 46 insertions(+), 5 deletions(-)
 create mode 100644 templates/lib/systemd/system/nftables.service.j2
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f26fd0e..a0ca6c3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,9 @@
+## v1.3
+
+### Features
+* Provide the systemd unit.
+
 ## v1.2.3
 * Rename firewall table to filter table (most use on Debian).
diff --git a/defaults/main.yml b/defaults/main.yml
index ac4f823..6f32874 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -106,3 +106,5 @@ nft_set_host: {}
 nft_service_manage: true
 nft_service_name: 'nftables'
 nft_service_enabled: true
+nft_service_unit_path: '/lib/systemd/system/nftables.service'
+nft_service_unit_content: 'lib/systemd/system/nftables.service.j2'
diff --git a/tasks/main.yml b/tasks/main.yml
index 05932df..dad8bd6 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -41,7 +41,7 @@
 group: root
 mode: 0755
 backup: yes
- notify: restart nftables service
+ notify: ['restart nftables service']
 - name: CONFIG generate input rules file
 template:
@@ -51,7 +51,7 @@
 group: root
 mode: 0755
 backup: yes
- notify: restart nftables service
+ notify: ['restart nftables service']
 - name: CONFIG generate output rules file
 template:
@@ -61,7 +61,7 @@
 group: root
 mode: 0755
 backup: yes
- notify: restart nftables service
+ notify: ['restart nftables service']
 - name: CONFIG generate vars definition file
 template:
@@ -71,7 +71,7 @@
 group: root
 mode: 0755
 backup: yes
- notify: restart nftables service
+ notify: ['restart nftables service']
 - name: CONFIG generate sets and maps file
 template:
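Review bot: `nft_service_unit_path` defaults to `/lib/systemd/system/nftables.service`, the vendor/package directory; as far as I know the Debian nftables package installs its own unit at exactly that path, so a package upgrade can overwrite the role-managed file or leave dpkg reporting a conflict, whereas `/etc/systemd/system` is the administrator location that systemd prefers over `/lib`. The default also hard-codes the `nftables.service` filename even though the unit's `Description=` and the service task are driven by `nft_service_name`, so changing the name leaves the unit installed under the old filename. I would set `nft_service_unit_path: '/etc/systemd/system/{{ nft_service_name }}.service'` and add a comment above the two new keys saying that the role replaces the distribution unit with its own template.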
@@ -81,10 +81,26 @@
 group: root
 mode: 0755
 backup: yes
- notify: restart nftables service
+ notify: ['restart nftables service']
 # }}}
 # service {{{
+
+- name: install Debian systemd service unit
+ template:
+ src: '{{ nft_service_unit_content }}'
+ dest: '{{ nft_service_unit_path }}'
+ owner: 'root'
+ group: 'root'
+ mode: '0644'
+ register: nftables__register_systemd_service
+ when: nft_service_manage
+ notify: ['restart nftables service']
+
+- name: Reload systemd daemons
+ command: systemctl daemon-reload
+ notify: ['restart nftables service']
+
 - name: SERVICE manage '{{ nft_service_name }}'
 service:
 name: '{{ nft_service_name }}'
diff --git a/templates/lib/systemd/system/nftables.service.j2 b/templates/lib/systemd/system/nftables.service.j2
new file mode 100644
index 0000000..6622a63
--- /dev/null
+++ b/templates/lib/systemd/system/nftables.service.j2
@@ -0,0 +1,18 @@
+# {{ ansible_managed }}
+[Unit]
+Description={{ nft_service_name }}
+Documentation=man:nft(8) http://wiki.nftables.org
+Before=fail2ban.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+StandardInput=null
+ProtectSystem=full
+ProtectHome=true
+ExecStart=/usr/sbin/nft -f {{ nft_main_conf_path }}
+ExecReload=/usr/sbin/nft -f {{ nft_main_conf_path }}
+ExecStop=/usr/sbin/nft flush ruleset
+
+[Install]
+WantedBy=multi-user.target
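Review bot: The `Reload systemd daemons` task runs `command: systemctl daemon-reload` unconditionally and notifies the restart handler, so every play run reports a change and restarts nftables even when nothing was modified; since the new unit's stop action flushes the ruleset, each of those restarts briefly leaves the host without filtering. The `register: nftables__register_systemd_service` on the template task is never read, which looks like the intended guard was lost. Gate the reload on it with `when: nftables__register_systemd_service is changed` (a skipped install then also skips the reload, which covers the missing `when: nft_service_manage` on this task), and drop its `notify`, which is redundant because the template task already notifies the same handler. The `systemd` module's `daemon_reload: true` would express the same thing without a raw `command`. The handler `restart nftables service` itself is outside this diff.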
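Review bot: `ExecStop=/usr/sbin/nft flush ruleset` makes the unit fail open: `systemctl stop`, and every restart (a oneshot unit runs ExecStop before ExecStart again), removes all filtering until the new ruleset has loaded, and with the role's handler presumably being a restart that window is hit on each rule change. That mirrors the distribution unit, but it deserves a comment in the template so operators are not surprised, e.g. `# Stopping this unit flushes the ruleset (no filtering at all); use 'systemctl reload' to re-apply rules.` `ExecReload` re-applies the file without flushing first, which only works cleanly if the file at `nft_main_conf_path` itself begins with `flush ruleset`; that template is outside this diff and worth confirming. `Documentation=` also references the wiki over plain http.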