Fix systemd directories permissions

Move systemd "Protect" options to override file
Ensure to disable nftables unit from old target
2021-07-31 11:39:28 +02:00 · 2021-07-30 13:06:59 +02:00 · 2021-07-30 12:20:27 +02:00 · 2021-07-30 11:19:40 +02:00 · 2021-07-30 11:04:37 +02:00 · 2021-07-30 09:39:45 +02:00
21 changed files with 7 additions and 345 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@ -1,4 +0,0 @@
-skip_list:
-  - command-instead-of-module
-  - no-changed-when
-  - role-name
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@ -1,23 +0,0 @@
---
-name: ipr-cnrs.nftables.molecule
-
-on:
-  push:
-    branches: [master]
-  pull_request:
-    branches: [master]
-
-  workflow_dispatch:
-
-jobs:
-  test:
-    runs-on:  ubuntu-latest
-    steps:
-
-      - name: checkout
-        uses: actions/checkout@v2
-        with:
-          path: "${{ github.repository }}"
-
-      - name: molecule
-        uses: robertdebock/molecule-action@2.6.17
--- a/.yamllint
+++ b/.yamllint
@ -1,33 +0,0 @@
---
-# Based on ansible-lint config
-extends: default
-
-rules:
-  braces:
-    max-spaces-inside: 1
-    level: error
-  brackets:
-    max-spaces-inside: 1
-    level: error
-  colons:
-    max-spaces-after: -1
-    level: error
-  commas:
-    max-spaces-after: -1
-    level: error
-  comments: disable
-  comments-indentation: disable
-  document-start: disable
-  empty-lines:
-    max: 3
-    level: error
-  hyphens:
-    level: error
-  indentation: disable
-  key-duplicates: enable
-  line-length: disable
-  new-line-at-end-of-file: disable
-  new-lines:
-    type: unix
-  trailing-spaces: disable
-  truthy: disable
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -5,8 +5,6 @@
 * New rules (disable by default) can be define in *forward* chain (thanks to
  @p-rintz − PR #14).
 * Possibility to toggle file's backup (thanks to @p-rintz − PR #15).
-* Gentoo-specific variables
-* Ability to specify nft binary path through **nft__bin_location**
 * Manage Fail2ban in the "systemd way" (thanks to @FinweVI − PR #16).

 ### Removed
--- a/README.md
+++ b/README.md
@ -89,7 +89,6 @@ complexify his philosophy… (I'm pretty sure, i now did complexify it :D) ^^
 Please see default value by Operating System file in [vars][vars directory] directory.

 * **nft_pkg_list** : The list of package(s) to provide `nftables`.
-* **nft__bin_location** : Path to `nftables` executable. [default : `/usr/sbin/nft`]

 ### Rules Dictionaries

--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -609,13 +609,3 @@ nft_backup_conf: True
                                                                   # ]]]
                                                                   # ]]]
                                                                   # ]]]
-# OS specific variables defaults [[[
-# ----------------------------------
-
-# .. envvar:: nft__bin_location [[[
-#
-# Specify Nftables executable location.
-#
-nft__bin_location: '/usr/sbin/nft'
-                                                                   # ]]]
-                                                                   # ]]]
--- a/meta/main.yml
+++ b/meta/main.yml
@ -4,13 +4,11 @@ dependencies: []

 galaxy_info:
  author: "Jérémy Gardais"
-  namespace: ipr-cnrs
-  role_name: nftables
  description: "Manage Nftables rules and packages"
  license: WTFPL
  company: IPR
  issue_tracker_url: https://git.ipr.univ-rennes1.fr/cellinfo/ansible.nftables/issues
-  min_ansible_version: '2.5'
+  min_ansible_version: 2.5
  platforms:
  - name: Debian
    versions:
--- a/molecule/archlinux/Dockerfile.j2
+++ b/molecule/archlinux/Dockerfile.j2
@ -1,7 +0,0 @@
-FROM archlinux:latest
-ENV container=docker
-
-RUN pacman -Sy --noconfirm python
-
-VOLUME ["/sys/fs/cgroup", "/tmp", "/run"]
-CMD ["/usr/sbin/init"]
--- a/molecule/archlinux/converge.yml
+++ b/molecule/archlinux/converge.yml
@ -1,9 +0,0 @@
---
- name: Converge
-  hosts: all
-  gather_facts: yes
-  roles:
-    - role: ipr-cnrs.nftables
-      nft_debug: true
-      # can't remove iptables on an instance with docker
-      nft_old_pkg_manage: false
--- a/molecule/archlinux/molecule.yml
+++ b/molecule/archlinux/molecule.yml
@ -1,19 +0,0 @@
---
-dependency:
-  name: galaxy
-driver:
-  name: docker
-platforms:
-  - name: archlinux
-    image: archlinux:latest
-    command: /usr/sbin/init
-    privileged: true
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-    tmpfs:
-      - /run
-      - /tmp
-provisioner:
-  name: ansible
-verifier:
-  name: ansible
--- a/molecule/archlinux/verify.yml
+++ b/molecule/archlinux/verify.yml
@ -1,72 +0,0 @@
---
-# This is an example playbook to execute Ansible tests.
-
- name: Verify
-  hosts: all
-  gather_facts: false
-  tasks:
-
-  - name: check for nftables.d
-    stat:
-      path: /etc/nftables.d
-    register: p
-
-  - name: check nftables.d
-    assert:
-      that:
-        - p.stat.exists and p.stat.isdir
-
-  - name: check for nftables.conf
-    stat:
-      path: /etc/nftables.conf
-    register: p
-
-  - name: check nftables.conf
-    assert:
-      that:
-        - p.stat.exists
-
-  - name: check for nftables.conf
-    stat:
-      path: /etc/nftables.d/filter-input.nft
-    register: p
-
-  - name: check filter-input.nft
-    assert:
-      that:
-        - p.stat.exists
-
-  - name: list rules
-    command: nft list ruleset
-    register: nft
-
-  - name: debug rules
-    debug: var=nft
-
-  - name: check rules
-    assert:
-      that:
-        # The whole line is:
-        # type filter hook input priority 0; policy drop;
-        # However on CentOS will return "priority 0", while Debian will
-        # show "priority filter"
-        - '"type filter hook input" in nft.stdout'
-        - '"type filter hook output" in nft.stdout'
-
-  - name: service status - active
-    command: systemctl is-active nftables.service
-    register: status
-
-  - name: check service status
-    assert:
-      that:
-        - 'status.stdout == "active"'
-
-  - name: service status - enabled
-    command: systemctl is-enabled nftables.service
-    register: status
-
-  - name: check service status
-    assert:
-      that:
-        - 'status.stdout == "enabled"'
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@ -1,9 +0,0 @@
---
- name: Converge
-  hosts: all
-  gather_facts: yes
-  roles:
-    - role: ipr-cnrs.nftables
-      nft_debug: true
-      # can't remove iptables on an instance with docker
-      nft_old_pkg_manage: false
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@ -1,55 +0,0 @@
---
-dependency:
-  name: galaxy
-lint: |
-  set -e
-  yamllint .
-  ansible-lint
-driver:
-  name: docker
-platforms:
-
-  - name: systemd-ubuntu-latest
-    image: jrei/systemd-ubuntu:latest
-    command: /usr/sbin/init
-    privileged: true
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-    tmpfs:
-      - /run
-      - /tmp
-
-  - name: systemd-centos-latest
-    image: centos/systemd:latest
-    command: /usr/sbin/init
-    privileged: true
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-    tmpfs:
-      - /run
-      - /tmp
-
-  - name: systemd-debian-latest
-    image: jrei/systemd-debian:latest
-    command: /sbin/init
-    privileged: true
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-    tmpfs:
-      - /run
-      - /tmp
-
-  - name: systemd-fedora-latest
-    image: jrei/systemd-fedora:latest
-    command: /usr/sbin/init
-    privileged: true
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-    tmpfs:
-      - /run
-      - /tmp
-
-provisioner:
-  name: ansible
-verifier:
-  name: ansible
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
@ -1,72 +0,0 @@
---
-# This is an example playbook to execute Ansible tests.
-
- name: Verify
-  hosts: all
-  gather_facts: false
-  tasks:
-
-  - name: check for nftables.d
-    stat:
-      path: /etc/nftables.d
-    register: p
-
-  - name: check nftables.d
-    assert:
-      that:
-        - p.stat.exists and p.stat.isdir
-
-  - name: check for nftables.conf
-    stat:
-      path: /etc/nftables.conf
-    register: p
-
-  - name: check nftables.conf
-    assert:
-      that:
-        - p.stat.exists
-
-  - name: check for nftables.conf
-    stat:
-      path: /etc/nftables.d/filter-input.nft
-    register: p
-
-  - name: check filter-input.nft
-    assert:
-      that:
-        - p.stat.exists
-
-  - name: list rules
-    command: nft list ruleset
-    register: nft
-
-  - name: debug rules
-    debug: var=nft
-
-  - name: check rules
-    assert:
-      that:
-        # The whole line is:
-        # type filter hook input priority 0; policy drop;
-        # However on CentOS will return "priority 0", while Debian will
-        # show "priority filter"
-        - '"type filter hook input" in nft.stdout'
-        - '"type filter hook output" in nft.stdout'
-
-  - name: service status - active
-    command: systemctl is-active nftables.service
-    register: status
-
-  - name: check service status
-    assert:
-      that:
-        - 'status.stdout == "active"'
-
-  - name: service status - enabled
-    command: systemctl is-enabled nftables.service
-    register: status
-
-  - name: check service status
-    assert:
-      that:
-        - 'status.stdout == "enabled"'
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -13,8 +13,7 @@
  loop_control:
    loop_var: groupname

- name: Debug nftables_group_rules
-  debug: var=nftables_group_rules
+- debug: var=nftables_group_rules
  when: nft_debug

 - name: Import nftables-variables if nft_merged_groups is set
@ -37,12 +36,7 @@
  loop_control:
    loop_var: varfile

- name: Debug nft_combined_rules
-  debug: var=nft_combined_rules
-  when: nft_debug
-
- name: Debug ansible_os_family
-  debug: var=ansible_os_family
+- debug: var=nft_combined_rules
  when: nft_debug

 - name: Load specific OS vars for nftables
@ -59,7 +53,6 @@
  package:
    name: '{{ nft_pkg_list | list }}'
    state: '{{ nft_pkg_state }}'
-    update_cache: true
  register: pkg_install_result
  until: pkg_install_result is success
  when: nft_enabled|bool
--- a/templates/etc/nftables.conf.j2
+++ b/templates/etc/nftables.conf.j2
@ -1,5 +1,5 @@
 #jinja2: lstrip_blocks: "True", trim_blocks: "True"
-#!{{ nft__bin_location }} -f
+#!/usr/sbin/nft -f
 # {{ ansible_managed }}
 {% set globalmerged = nft_global_default_rules.copy() %}
 {% set _ = globalmerged.update(nft_global_rules) %}
--- a/templates/lib/systemd/system/nftables.service.j2
+++ b/templates/lib/systemd/system/nftables.service.j2
@ -13,9 +13,9 @@ RemainAfterExit=yes
 StandardInput=null
 ProtectSystem=full
 ProtectHome=true
-ExecStart={{ nft__bin_location }} -f {{ nft_main_conf_path }}
-ExecReload={{ nft__bin_location }} -f {{ nft_main_conf_path }}
-ExecStop={{ nft__bin_location }} flush ruleset
+ExecStart=/usr/sbin/nft -f {{ nft_main_conf_path }}
+ExecReload=/usr/sbin/nft -f {{ nft_main_conf_path }}
+ExecStop=/usr/sbin/nft flush ruleset

 [Install]
 WantedBy=sysinit.target
--- a/vars/alpine.yml
+++ b/vars/alpine.yml
@ -1,4 +0,0 @@
---
-# vars file for Alpine
-nft_pkg_list:
-  - nftables
--- a/vars/archlinux.yml
+++ b/vars/archlinux.yml
@ -1,4 +0,0 @@
---
-# vars file for Archlinux-based distros
-nft_pkg_list:
-  - nftables
--- a/vars/centos.yml
+++ b/vars/centos.yml
--- a/vars/gentoo.yml
+++ b/vars/gentoo.yml
@ -1,5 +0,0 @@
---
-# vars file for Gentoo
-nft_pkg_list:
-  - net-firewall/nftables
-nft__bin_location: "/sbin/nft"
Author	SHA1	Message	Date
Jeremy Gardais	073d14aed8	Fix systemd directories permissions	2021-07-31 11:39:28 +02:00
Jeremy Gardais	e0b58c9bfd	Move systemd "Protect" options to override file	2021-07-30 13:06:59 +02:00
Jeremy Gardais	790741a2c5	Ensure to disable nftables unit from old target	2021-07-30 12:20:27 +02:00
Jeremy Gardais	ac64fdad2f	Start nftables systemd unit earlier Source: nftables 0.9.8-3.1 from Debian Bullseye Thanks to @kravietz − PR #19	2021-07-30 11:19:40 +02:00
Jeremy Gardais	b99e54d1fd	Add infos about Fail2ban integration	2021-07-30 11:04:37 +02:00
Jeremy Gardais	6fe9bdb263	Automatically add overrides for fail2ban unit	2021-07-30 09:39:45 +02:00
Jeremy Gardais	1674155bab	Drop fail2ban restart from nftables unit	2021-07-30 09:36:24 +02:00
Jeremy Gardais	89619c8ef3	Manage Fail2ban in the "systemd way" Thanks to @FinweVI !	2021-07-30 09:34:38 +02:00