Fix systemd directories permissions

Rebase after Gentoo related commits

.ansible-lint

@@ -0,0 +1,4 @@
+skip_list:
+  - command-instead-of-module
+  - no-changed-when
+  - role-name

.github/workflows/main.yml

@@ -0,0 +1,23 @@
+---
+name: ipr-cnrs.nftables.molecule
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+
+  workflow_dispatch:
+
+jobs:
+  test:
+    runs-on:  ubuntu-latest
+    steps:
+
+      - name: checkout
+        uses: actions/checkout@v2
+        with:
+          path: "${{ github.repository }}"
+
+      - name: molecule
+        uses: robertdebock/molecule-action@2.6.17

.yamllint

@@ -0,0 +1,33 @@
+---
+# Based on ansible-lint config
+extends: default
+
+rules:
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  colons:
+    max-spaces-after: -1
+    level: error
+  commas:
+    max-spaces-after: -1
+    level: error
+  comments: disable
+  comments-indentation: disable
+  document-start: disable
+  empty-lines:
+    max: 3
+    level: error
+  hyphens:
+    level: error
+  indentation: disable
+  key-duplicates: enable
+  line-length: disable
+  new-line-at-end-of-file: disable
+  new-lines:
+    type: unix
+  trailing-spaces: disable
+  truthy: disable

CHANGELOG.md

@@ -5,6 +5,8 @@
 * New rules (disable by default) can be define in *forward* chain (thanks to
   @p-rintz − PR #14).
 * Possibility to toggle file's backup (thanks to @p-rintz − PR #15).
+* Gentoo-specific variables
+* Ability to specify nft binary path through **nft__bin_location**
 * Manage Fail2ban in the "systemd way" (thanks to @FinweVI − PR #16).
 
 ### Removed

README.md

@@ -89,6 +89,7 @@ complexify his philosophy… (I'm pretty sure, i now did complexify it :D) ^^
 Please see default value by Operating System file in [vars][vars directory] directory.
 
 * **nft_pkg_list** : The list of package(s) to provide `nftables`.
+* **nft__bin_location** : Path to `nftables` executable. [default : `/usr/sbin/nft`]
 
 ### Rules Dictionaries
 

defaults/main.yml

@@ -609,3 +609,13 @@ nft_backup_conf: True
                                                                    # ]]]
                                                                    # ]]]
                                                                    # ]]]
+# OS specific variables defaults [[[
+# ----------------------------------
+
+# .. envvar:: nft__bin_location [[[
+#
+# Specify Nftables executable location.
+#
+nft__bin_location: '/usr/sbin/nft'
+                                                                   # ]]]
+                                                                   # ]]]

meta/main.yml

@@ -4,11 +4,13 @@ dependencies: []
 
 galaxy_info:
   author: "Jérémy Gardais"
+  namespace: ipr-cnrs
+  role_name: nftables
   description: "Manage Nftables rules and packages"
   license: WTFPL
   company: IPR
   issue_tracker_url: https://git.ipr.univ-rennes1.fr/cellinfo/ansible.nftables/issues
-  min_ansible_version: 2.5
+  min_ansible_version: '2.5'
   platforms:
   - name: Debian
     versions:

molecule/archlinux/Dockerfile.j2

@@ -0,0 +1,7 @@
+FROM archlinux:latest
+ENV container=docker
+
+RUN pacman -Sy --noconfirm python
+
+VOLUME ["/sys/fs/cgroup", "/tmp", "/run"]
+CMD ["/usr/sbin/init"]

molecule/archlinux/converge.yml

@@ -0,0 +1,9 @@
+---
+- name: Converge
+  hosts: all
+  gather_facts: yes
+  roles:
+    - role: ipr-cnrs.nftables
+      nft_debug: true
+      # can't remove iptables on an instance with docker
+      nft_old_pkg_manage: false

molecule/archlinux/molecule.yml

@@ -0,0 +1,19 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+platforms:
+  - name: archlinux
+    image: archlinux:latest
+    command: /usr/sbin/init
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    tmpfs:
+      - /run
+      - /tmp
+provisioner:
+  name: ansible
+verifier:
+  name: ansible

molecule/archlinux/verify.yml

@@ -0,0 +1,72 @@
+---
+# This is an example playbook to execute Ansible tests.
+
+- name: Verify
+  hosts: all
+  gather_facts: false
+  tasks:
+
+  - name: check for nftables.d
+    stat:
+      path: /etc/nftables.d
+    register: p
+
+  - name: check nftables.d
+    assert:
+      that:
+        - p.stat.exists and p.stat.isdir
+
+  - name: check for nftables.conf
+    stat:
+      path: /etc/nftables.conf
+    register: p
+
+  - name: check nftables.conf
+    assert:
+      that:
+        - p.stat.exists
+
+  - name: check for nftables.conf
+    stat:
+      path: /etc/nftables.d/filter-input.nft
+    register: p
+
+  - name: check filter-input.nft
+    assert:
+      that:
+        - p.stat.exists
+
+  - name: list rules
+    command: nft list ruleset
+    register: nft
+
+  - name: debug rules
+    debug: var=nft
+
+  - name: check rules
+    assert:
+      that:
+        # The whole line is:
+        # type filter hook input priority 0; policy drop;
+        # However on CentOS will return "priority 0", while Debian will
+        # show "priority filter"
+        - '"type filter hook input" in nft.stdout'
+        - '"type filter hook output" in nft.stdout'
+
+  - name: service status - active
+    command: systemctl is-active nftables.service
+    register: status
+
+  - name: check service status
+    assert:
+      that:
+        - 'status.stdout == "active"'
+
+  - name: service status - enabled
+    command: systemctl is-enabled nftables.service
+    register: status
+
+  - name: check service status
+    assert:
+      that:
+        - 'status.stdout == "enabled"'

molecule/default/converge.yml

@@ -0,0 +1,9 @@
+---
+- name: Converge
+  hosts: all
+  gather_facts: yes
+  roles:
+    - role: ipr-cnrs.nftables
+      nft_debug: true
+      # can't remove iptables on an instance with docker
+      nft_old_pkg_manage: false

molecule/default/molecule.yml

@@ -0,0 +1,55 @@
+---
+dependency:
+  name: galaxy
+lint: |
+  set -e
+  yamllint .
+  ansible-lint
+driver:
+  name: docker
+platforms:
+
+  - name: systemd-ubuntu-latest
+    image: jrei/systemd-ubuntu:latest
+    command: /usr/sbin/init
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    tmpfs:
+      - /run
+      - /tmp
+
+  - name: systemd-centos-latest
+    image: centos/systemd:latest
+    command: /usr/sbin/init
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    tmpfs:
+      - /run
+      - /tmp
+
+  - name: systemd-debian-latest
+    image: jrei/systemd-debian:latest
+    command: /sbin/init
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    tmpfs:
+      - /run
+      - /tmp
+
+  - name: systemd-fedora-latest
+    image: jrei/systemd-fedora:latest
+    command: /usr/sbin/init
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    tmpfs:
+      - /run
+      - /tmp
+
+provisioner:
+  name: ansible
+verifier:
+  name: ansible

molecule/default/verify.yml

@@ -0,0 +1,72 @@
+---
+# This is an example playbook to execute Ansible tests.
+
+- name: Verify
+  hosts: all
+  gather_facts: false
+  tasks:
+
+  - name: check for nftables.d
+    stat:
+      path: /etc/nftables.d
+    register: p
+
+  - name: check nftables.d
+    assert:
+      that:
+        - p.stat.exists and p.stat.isdir
+
+  - name: check for nftables.conf
+    stat:
+      path: /etc/nftables.conf
+    register: p
+
+  - name: check nftables.conf
+    assert:
+      that:
+        - p.stat.exists
+
+  - name: check for nftables.conf
+    stat:
+      path: /etc/nftables.d/filter-input.nft
+    register: p
+
+  - name: check filter-input.nft
+    assert:
+      that:
+        - p.stat.exists
+
+  - name: list rules
+    command: nft list ruleset
+    register: nft
+
+  - name: debug rules
+    debug: var=nft
+
+  - name: check rules
+    assert:
+      that:
+        # The whole line is:
+        # type filter hook input priority 0; policy drop;
+        # However on CentOS will return "priority 0", while Debian will
+        # show "priority filter"
+        - '"type filter hook input" in nft.stdout'
+        - '"type filter hook output" in nft.stdout'
+
+  - name: service status - active
+    command: systemctl is-active nftables.service
+    register: status
+
+  - name: check service status
+    assert:
+      that:
+        - 'status.stdout == "active"'
+
+  - name: service status - enabled
+    command: systemctl is-enabled nftables.service
+    register: status
+
+  - name: check service status
+    assert:
+      that:
+        - 'status.stdout == "enabled"'

tasks/main.yml

@@ -13,7 +13,8 @@
   loop_control:
     loop_var: groupname
 
-- debug: var=nftables_group_rules
+- name: Debug nftables_group_rules
+  debug: var=nftables_group_rules
   when: nft_debug
 
 - name: Import nftables-variables if nft_merged_groups is set
@@ -36,7 +37,12 @@
   loop_control:
     loop_var: varfile
 
-- debug: var=nft_combined_rules
+- name: Debug nft_combined_rules
+  debug: var=nft_combined_rules
+  when: nft_debug
+
+- name: Debug ansible_os_family
+  debug: var=ansible_os_family
   when: nft_debug
 
 - name: Load specific OS vars for nftables
@@ -53,6 +59,7 @@
   package:
     name: '{{ nft_pkg_list | list }}'
     state: '{{ nft_pkg_state }}'
+    update_cache: true
   register: pkg_install_result
   until: pkg_install_result is success
   when: nft_enabled|bool

templates/etc/nftables.conf.j2

@@ -1,5 +1,5 @@
 #jinja2: lstrip_blocks: "True", trim_blocks: "True"
-#!/usr/sbin/nft -f
+#!{{ nft__bin_location }} -f
 # {{ ansible_managed }}
 {% set globalmerged = nft_global_default_rules.copy() %}
 {% set _ = globalmerged.update(nft_global_rules) %}

templates/lib/systemd/system/nftables.service.j2

@@ -13,9 +13,9 @@ RemainAfterExit=yes
 StandardInput=null
 ProtectSystem=full
 ProtectHome=true
-ExecStart=/usr/sbin/nft -f {{ nft_main_conf_path }}
+ExecStart={{ nft__bin_location }} -f {{ nft_main_conf_path }}
-ExecReload=/usr/sbin/nft -f {{ nft_main_conf_path }}
+ExecReload={{ nft__bin_location }} -f {{ nft_main_conf_path }}
-ExecStop=/usr/sbin/nft flush ruleset
+ExecStop={{ nft__bin_location }} flush ruleset
 
 [Install]
 WantedBy=sysinit.target

vars/alpine.yml

@@ -0,0 +1,4 @@
+---
+# vars file for Alpine
+nft_pkg_list:
+  - nftables

vars/archlinux.yml

@@ -0,0 +1,4 @@
+---
+# vars file for Archlinux-based distros
+nft_pkg_list:
+  - nftables

vars/gentoo.yml

@@ -0,0 +1,5 @@
+---
+# vars file for Gentoo
+nft_pkg_list:
+  - net-firewall/nftables
+nft__bin_location: "/sbin/nft"