Provide the systemd unit.

This commit is contained in:
Jeremy Gardais 2018-02-06 16:58:18 +01:00
parent 3e69865a56
commit eb93ff65f9
4 changed files with 46 additions and 5 deletions

View File

@ -1,4 +1,9 @@
## v1.3
### Features
* Provide the systemd unit.
## v1.2.3 ## v1.2.3
* Rename firewall table to filter table (most use on Debian). * Rename firewall table to filter table (most use on Debian).

View File

@ -106,3 +106,5 @@ nft_set_host: {}
nft_service_manage: true nft_service_manage: true
nft_service_name: 'nftables' nft_service_name: 'nftables'
nft_service_enabled: true nft_service_enabled: true
nft_service_unit_path: '/lib/systemd/system/nftables.service'
nft_service_unit_content: 'lib/systemd/system/nftables.service.j2'

View File

@ -41,7 +41,7 @@
group: root group: root
mode: 0755 mode: 0755
backup: yes backup: yes
notify: restart nftables service notify: ['restart nftables service']
- name: CONFIG generate input rules file - name: CONFIG generate input rules file
template: template:
@ -51,7 +51,7 @@
group: root group: root
mode: 0755 mode: 0755
backup: yes backup: yes
notify: restart nftables service notify: ['restart nftables service']
- name: CONFIG generate output rules file - name: CONFIG generate output rules file
template: template:
@ -61,7 +61,7 @@
group: root group: root
mode: 0755 mode: 0755
backup: yes backup: yes
notify: restart nftables service notify: ['restart nftables service']
- name: CONFIG generate vars definition file - name: CONFIG generate vars definition file
template: template:
@ -71,7 +71,7 @@
group: root group: root
mode: 0755 mode: 0755
backup: yes backup: yes
notify: restart nftables service notify: ['restart nftables service']
- name: CONFIG generate sets and maps file - name: CONFIG generate sets and maps file
template: template:
@ -81,10 +81,26 @@
group: root group: root
mode: 0755 mode: 0755
backup: yes backup: yes
notify: restart nftables service notify: ['restart nftables service']
# }}} # }}}
# service {{{ # service {{{
- name: install Debian systemd service unit
template:
src: '{{ nft_service_unit_content }}'
dest: '{{ nft_service_unit_path }}'
owner: 'root'
group: 'root'
mode: '0644'
register: nftables__register_systemd_service
when: nft_service_manage
notify: ['restart nftables service']
- name: Reload systemd daemons
command: systemctl daemon-reload
notify: ['restart nftables service']
- name: SERVICE manage '{{ nft_service_name }}' - name: SERVICE manage '{{ nft_service_name }}'
service: service:
name: '{{ nft_service_name }}' name: '{{ nft_service_name }}'

View File

@ -0,0 +1,18 @@
# {{ ansible_managed }}
[Unit]
Description={{ nft_service_name }}
Documentation=man:nft(8) http://wiki.nftables.org
Before=fail2ban.service
[Service]
Type=oneshot
RemainAfterExit=yes
StandardInput=null
ProtectSystem=full
ProtectHome=true
ExecStart=/usr/sbin/nft -f {{ nft_main_conf_path }}
ExecReload=/usr/sbin/nft -f {{ nft_main_conf_path }}
ExecStop=/usr/sbin/nft flush ruleset
[Install]
WantedBy=multi-user.target