Provide the systemd unit.
This commit is contained in:
parent
3e69865a56
commit
eb93ff65f9
@ -1,4 +1,9 @@
## v1.3
### Features
* Provide the systemd unit.
## v1.2.3
## v1.2.3
* Rename firewall table to filter table (most use on Debian).
* Rename firewall table to filter table (most use on Debian).
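--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -106,3 +106,5 @@ nft_set_host: {}
 nft_service_manage: true
 nft_service_name: 'nftables'
 nft_service_enabled: true
+nft_service_unit_path: '/lib/systemd/system/nftables.service'
+nft_service_unit_content: 'lib/systemd/system/nftables.service.j2'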
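Review bot: `nft_service_unit_path` defaults to `/lib/systemd/system/nftables.service`, which is where the Debian nftables package installs its own unit, so the "install Debian systemd service unit" task in the tasks section that templates `nft_service_unit_content` to this path overwrites a package-managed file that the next package upgrade can silently replace. Admin-provided units belong under `/etc/systemd/system/`, which systemd prefers over `/lib/systemd/system/` for a unit of the same name, so `nft_service_unit_path: '/etc/systemd/system/nftables.service'` keeps the role's unit and the packaged one from fighting. A comment above the two keys would also help, e.g. `# unit is only templated when nft_service_manage is true; the file at this path is replaced wholesale`.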
@ -41,7 +41,7 @@
group: root
group: root
mode: 0755
mode: 0755
backup: yes
backup: yes
notify: restart nftables service
notify: ['restart nftables service']
- name: CONFIG generate input rules file
- name: CONFIG generate input rules file
template:
template:
@ -51,7 +51,7 @@
group: root
group: root
mode: 0755
mode: 0755
backup: yes
backup: yes
notify: restart nftables service
notify: ['restart nftables service']
- name: CONFIG generate output rules file
- name: CONFIG generate output rules file
template:
template:
@ -61,7 +61,7 @@
group: root
group: root
mode: 0755
mode: 0755
backup: yes
backup: yes
notify: restart nftables service
notify: ['restart nftables service']
- name: CONFIG generate vars definition file
- name: CONFIG generate vars definition file
template:
template:
@ -71,7 +71,7 @@
group: root
group: root
mode: 0755
mode: 0755
backup: yes
backup: yes
notify: restart nftables service
notify: ['restart nftables service']
- name: CONFIG generate sets and maps file
- name: CONFIG generate sets and maps file
template:
template:
@ -81,10 +81,26 @@
group: root
group: root
mode: 0755
mode: 0755
backup: yes
backup: yes
notify: restart nftables service
notify: ['restart nftables service']
# }}}
# }}}
# service {{{
# service {{{
- name: install Debian systemd service unit
template:
src: '{{ nft_service_unit_content }}'
dest: '{{ nft_service_unit_path }}'
owner: 'root'
group: 'root'
mode: '0644'
register: nftables__register_systemd_service
when: nft_service_manage
notify: ['restart nftables service']
- name: Reload systemd daemons
command: systemctl daemon-reload
notify: ['restart nftables service']
- name: SERVICE manage '{{ nft_service_name }}'
- name: SERVICE manage '{{ nft_service_name }}'
service:
service:
name: '{{ nft_service_name }}'
name: '{{ nft_service_name }}'
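Review bot: The `Reload systemd daemons` task in the last hunk runs `command: systemctl daemon-reload` on every play, and since `command` always reports changed it notifies `restart nftables service` on every run; with the unit template on this page using `ExecStop=/usr/sbin/nft flush ruleset`, that restart briefly drops the whole ruleset on hosts where nothing changed. The task also ignores `nft_service_manage` and the registered `nftables__register_systemd_service`, which nothing visible in the hunk consumes. Gating it on the template result limits both the reload and the restart to runs that actually replaced the unit, `when: nft_service_manage and nftables__register_systemd_service is changed`, or the reload could move into the existing handler via the `systemd` module's `daemon_reload: yes`. The task name says "Debian" but the hunk carries no distribution condition; if the role targets other families too, either a `when: ansible_os_family == 'Debian'` guard or dropping the word from the name would avoid confusion.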
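--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,18 @@
+# {{ ansible_managed }}
+[Unit]
+Description={{ nft_service_name }}
+Documentation=man:nft(8) http://wiki.nftables.org
+Before=fail2ban.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+StandardInput=null
+ProtectSystem=full
+ProtectHome=true
+ExecStart=/usr/sbin/nft -f {{ nft_main_conf_path }}
+ExecReload=/usr/sbin/nft -f {{ nft_main_conf_path }}
+ExecStop=/usr/sbin/nft flush ruleset
+
+[Install]
+WantedBy=multi-user.target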