Move systemd "Protect" options to override file

Source: nftables 0.9.8-3.1 from Debian Bullseye
Thanks to @kravietz − PR #19

.ansible-lint

@@ -1,4 +0,0 @@
-skip_list:
-  - command-instead-of-module
-  - no-changed-when
-  - role-name

.github/workflows/main.yml

@@ -1,23 +0,0 @@
----
-name: ipr-cnrs.nftables.molecule
-
-on:
-  push:
-    branches: [master]
-  pull_request:
-    branches: [master]
-
-  workflow_dispatch:
-
-jobs:
-  test:
-    runs-on:  ubuntu-latest
-    steps:
-
-      - name: checkout
-        uses: actions/checkout@v2
-        with:
-          path: "${{ github.repository }}"
-
-      - name: molecule
-        uses: robertdebock/molecule-action@2.6.17

.yamllint

@@ -1,33 +0,0 @@
----
-# Based on ansible-lint config
-extends: default
-
-rules:
-  braces:
-    max-spaces-inside: 1
-    level: error
-  brackets:
-    max-spaces-inside: 1
-    level: error
-  colons:
-    max-spaces-after: -1
-    level: error
-  commas:
-    max-spaces-after: -1
-    level: error
-  comments: disable
-  comments-indentation: disable
-  document-start: disable
-  empty-lines:
-    max: 3
-    level: error
-  hyphens:
-    level: error
-  indentation: disable
-  key-duplicates: enable
-  line-length: disable
-  new-line-at-end-of-file: disable
-  new-lines:
-    type: unix
-  trailing-spaces: disable
-  truthy: disable

CHANGELOG.md

@@ -1,27 +1,14 @@
-## v2.0.1
+## v1.X.Y
-
-### Added
-* Molecule tests for Gentoo (many thanks to @VTimofeenko ! − PR #25).
-
-### Fixed
-* Separate repositories update from installation task (fix #24).
-
-## v2.0.0
 
 ### Added
 * New examples usecases (mostly for playbooks) in README.md.
 * New rules (disable by default) can be define in *forward* chain (thanks to
   @p-rintz − PR #14).
 * Possibility to toggle file's backup (thanks to @p-rintz − PR #15).
-* Gentoo-specific variables (thanks to @VTimofeenko − PR #22).
-* Ability to specify nft binary path through **nft__bin_location** (thanks to @VTimofeenko − PR #22).
 * Manage Fail2ban in the "systemd way" (thanks to @FinweVI − PR #16).
-* Molecule tests (on Archlinux, Ubuntu, CentOS, Debian and Fedora) (many thanks to @kravietz ! − PR #23).
-* Support for Debian Bullseye (everything should now works fine).
 
 ### Removed
-* Remove everything related to **in_udp_accept** (see conversation in
+* Remove everything related to **in_udp_accept** (see conversation in PR #13).
-  [Github PR #13](https://github.com/ipr-cnrs/nftables/pull/13)).
   Cause it was empty by default and the role currently doesn't manage it very
   well. Take a look to new examples in README.md to find your preferred solution
   (re-adding it, new simple/multi-ports filter rule,…).
@@ -29,8 +16,8 @@
 ### Fixed
 * Ansible-lint: Fix line longer than 160 chars.
 * Start nftables systemd unit earlier (thanks to @kravietz − PR #19).
-* Ensure to disable nftables systemd unit from old target (PR #20).
+* Ensure to disable nftables systemd unit from old target.
-* Move systemd "Protect" options for nftables to specific override.conf file (PR #20).
+* Move systemd "Protect" options for nftables to specific override.conf file.
 
 ## v1.7.0
 

README.md

@@ -89,7 +89,6 @@ complexify his philosophy… (I'm pretty sure, i now did complexify it :D) ^^
 Please see default value by Operating System file in [vars][vars directory] directory.
 
 * **nft_pkg_list** : The list of package(s) to provide `nftables`.
-* **nft__bin_location** : Path to `nftables` executable. [default : `/usr/sbin/nft`]
 
 ### Rules Dictionaries
 
@@ -600,7 +599,7 @@ Jérémy Gardais
 * [IPR][ipr website] (Institut de Physique de Rennes)
 
 [gogs to github hook]: https://stackoverflow.com/a/21998477
-[nftables source]: https://git.ipr.univ-rennes.fr/cellinfo/ansible.nftables
+[nftables source]: https://git.ipr.univ-rennes1.fr/cellinfo/ansible.nftables
 [nftables github]: https://github.com/ipr-cnrs/nftables
 [wtfpl website]: http://www.wtfpl.net/about/
 [ipr website]: https://ipr.univ-rennes1.fr/

defaults/main.yml

@@ -609,13 +609,3 @@ nft_backup_conf: True
                                                                    # ]]]
                                                                    # ]]]
                                                                    # ]]]
-# OS specific variables defaults [[[
-# ----------------------------------
-
-# .. envvar:: nft__bin_location [[[
-#
-# Specify Nftables executable location.
-#
-nft__bin_location: '/usr/sbin/nft'
-                                                                   # ]]]
-                                                                   # ]]]

meta/main.yml

@@ -4,31 +4,15 @@ dependencies: []
 
 galaxy_info:
   author: "Jérémy Gardais"
-  namespace: ipr-cnrs
-  role_name: nftables
   description: "Manage Nftables rules and packages"
   license: WTFPL
   company: IPR
-  issue_tracker_url: https://git.ipr.univ-rennes.fr/cellinfo/ansible.nftables/issues
+  issue_tracker_url: https://git.ipr.univ-rennes1.fr/cellinfo/ansible.nftables/issues
-  min_ansible_version: '2.5'
+  min_ansible_version: 2.5
   platforms:
   - name: Debian
     versions:
-    - bullseye
-    - buster
     - stretch
-  - name: Archlinux
-    versions:
-    - all
-  - name: Fedora
-    versions:
-    - all
-  - name: Gentoo
-    versions:
-    - all
-  - name: Ubuntu
-    versions:
-    - focal
   galaxy_tags:
     - system
     - nftables

molecule/archlinux/Dockerfile.j2

@@ -1,7 +0,0 @@
-FROM archlinux:latest
-ENV container=docker
-
-RUN pacman -Sy --noconfirm python
-
-VOLUME ["/sys/fs/cgroup", "/tmp", "/run"]
-CMD ["/usr/sbin/init"]

molecule/archlinux/converge.yml

@@ -1,9 +0,0 @@
----
-- name: Converge
-  hosts: all
-  gather_facts: yes
-  roles:
-    - role: ipr-cnrs.nftables
-      nft_debug: true
-      # can't remove iptables on an instance with docker
-      nft_old_pkg_manage: false

molecule/archlinux/molecule.yml

@@ -1,19 +0,0 @@
----
-dependency:
-  name: galaxy
-driver:
-  name: docker
-platforms:
-  - name: archlinux
-    image: archlinux:latest
-    command: /usr/sbin/init
-    privileged: true
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-    tmpfs:
-      - /run
-      - /tmp
-provisioner:
-  name: ansible
-verifier:
-  name: ansible

molecule/archlinux/verify.yml

@@ -1,92 +0,0 @@
----
-# This is an example playbook to execute Ansible tests.
-
-- name: Verify
-  hosts: all
-  gather_facts: false
-  tasks:
-
-  - name: check for nftables.d
-    stat:
-      path: /etc/nftables.d
-    register: p
-
-  - name: check nftables.d
-    assert:
-      that:
-        - p.stat.exists and p.stat.isdir
-
-  - name: check for nftables.conf
-    stat:
-      path: /etc/nftables.conf
-    register: p
-
-  - name: check nftables.conf
-    assert:
-      that:
-        - p.stat.exists
-
-  - name: check for filter-input.nft
-    stat:
-      path: /etc/nftables.d/filter-input.nft
-    register: p
-
-  - name: check filter-input.nft
-    assert:
-      that:
-        - p.stat.exists
-
-  - name: list rules
-    command: nft list ruleset
-    register: nft
-
-  - name: debug rules
-    debug: var=nft
-
-  - name: check rules
-    assert:
-      that:
-        # The whole line is:
-        # type filter hook input priority 0; policy drop;
-        # However on CentOS will return "priority 0", while Debian will
-        # show "priority filter"
-        - '"type filter hook input" in nft.stdout'
-        - '"type filter hook output" in nft.stdout'
-
-  - name: check for fail2ban systemd custom dir
-    stat:
-      path: /etc/systemd/system/fail2ban.service.d
-    register: f2b_systemd_dir
-
-  - name: check fail2ban systemd custom dir
-    assert:
-      that:
-        - f2b_systemd_dir.stat.exists and f2b_systemd_dir.stat.isdir
-
-  - name: check for fail2ban systemd override
-    stat:
-      path: /etc/systemd/system/fail2ban.service.d/override.conf
-    register: f2b_systemd_override
-
-  - name: check fail2ban systemd override
-    assert:
-      that:
-        - f2b_systemd_override.stat.exists
-
-  - name: service status - active
-    command: systemctl is-active nftables.service
-    register: status
-
-  - name: check service status
-    assert:
-      that:
-        - 'status.stdout == "active"'
-
-  - name: service status - enabled
-    command: systemctl is-enabled nftables.service
-    register: status
-
-  - name: check service status
-    assert:
-      that:
-        - 'status.stdout == "enabled"'

molecule/default/converge.yml

@@ -1,9 +0,0 @@
----
-- name: Converge
-  hosts: all
-  gather_facts: yes
-  roles:
-    - role: ipr-cnrs.nftables
-      nft_debug: true
-      # can't remove iptables on an instance with docker
-      nft_old_pkg_manage: false

molecule/default/molecule.yml

@@ -1,55 +0,0 @@
----
-dependency:
-  name: galaxy
-lint: |
-  set -e
-  yamllint .
-  ansible-lint
-driver:
-  name: docker
-platforms:
-
-  - name: systemd-ubuntu-latest
-    image: jrei/systemd-ubuntu:latest
-    command: /usr/sbin/init
-    privileged: true
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-    tmpfs:
-      - /run
-      - /tmp
-
-  - name: systemd-centos-latest
-    image: centos/systemd:latest
-    command: /usr/sbin/init
-    privileged: true
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-    tmpfs:
-      - /run
-      - /tmp
-
-  - name: systemd-debian-latest
-    image: jrei/systemd-debian:latest
-    command: /sbin/init
-    privileged: true
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-    tmpfs:
-      - /run
-      - /tmp
-
-  - name: systemd-fedora-latest
-    image: jrei/systemd-fedora:latest
-    command: /usr/sbin/init
-    privileged: true
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-    tmpfs:
-      - /run
-      - /tmp
-
-provisioner:
-  name: ansible
-verifier:
-  name: ansible

molecule/default/verify.yml

@@ -1,92 +0,0 @@
----
-# This is an example playbook to execute Ansible tests.
-
-- name: Verify
-  hosts: all
-  gather_facts: false
-  tasks:
-
-  - name: check for nftables.d
-    stat:
-      path: /etc/nftables.d
-    register: p
-
-  - name: check nftables.d
-    assert:
-      that:
-        - p.stat.exists and p.stat.isdir
-
-  - name: check for nftables.conf
-    stat:
-      path: /etc/nftables.conf
-    register: p
-
-  - name: check nftables.conf
-    assert:
-      that:
-        - p.stat.exists
-
-  - name: check for filter-input.nft
-    stat:
-      path: /etc/nftables.d/filter-input.nft
-    register: p
-
-  - name: check filter-input.nft
-    assert:
-      that:
-        - p.stat.exists
-
-  - name: list rules
-    command: nft list ruleset
-    register: nft
-
-  - name: debug rules
-    debug: var=nft
-
-  - name: check rules
-    assert:
-      that:
-        # The whole line is:
-        # type filter hook input priority 0; policy drop;
-        # However on CentOS will return "priority 0", while Debian will
-        # show "priority filter"
-        - '"type filter hook input" in nft.stdout'
-        - '"type filter hook output" in nft.stdout'
-
-  - name: check for fail2ban systemd custom dir
-    stat:
-      path: /etc/systemd/system/fail2ban.service.d
-    register: f2b_systemd_dir
-
-  - name: check fail2ban systemd custom dir
-    assert:
-      that:
-        - f2b_systemd_dir.stat.exists and f2b_systemd_dir.stat.isdir
-
-  - name: check for fail2ban systemd override
-    stat:
-      path: /etc/systemd/system/fail2ban.service.d/override.conf
-    register: f2b_systemd_override
-
-  - name: check fail2ban systemd override
-    assert:
-      that:
-        - f2b_systemd_override.stat.exists
-
-  - name: service status - active
-    command: systemctl is-active nftables.service
-    register: status
-
-  - name: check service status
-    assert:
-      that:
-        - 'status.stdout == "active"'
-
-  - name: service status - enabled
-    command: systemctl is-enabled nftables.service
-    register: status
-
-  - name: check service status
-    assert:
-      that:
-        - 'status.stdout == "enabled"'

molecule/gentoo/Dockerfile.j2

@@ -1,5 +0,0 @@
-FROM gentoo/stage3:systemd
-ENV container=docker
-
-VOLUME ["/sys/fs/cgroup"]
-CMD ["/sbin/init"]

molecule/gentoo/converge.yml

@@ -1,9 +0,0 @@
----
-- name: Converge
-  hosts: all
-  gather_facts: yes
-  roles:
-    - role: ipr-cnrs.nftables
-      nft_debug: true
-      # can't remove iptables on an instance with docker
-      nft_old_pkg_manage: false

molecule/gentoo/molecule.yml

@@ -1,21 +0,0 @@
----
-dependency:
-  name: galaxy
-driver:
-  name: docker
-platforms:
-  - name: Gentoo
-    image: gentoo/stage3:systemd
-    command: /sbin/init
-    privileged: true
-    volumes:
-      - /srv/gentoo-molecule/gentoo-repo:/var/db/repos/gentoo
-      - /srv/gentoo-molecule/binpkgs:/var/cache/binpkgs
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-    tmpfs:
-      - /run
-      - /tmp
-provisioner:
-  name: ansible
-verifier:
-  name: ansible

molecule/gentoo/prepare.yml

@@ -1,34 +0,0 @@
-# Taken from https://github.com/VTimofeenko/portage-overlay-cfg on commit d8914035e236c4f3819985098dd1ae36551bfc52
-# If bugs are found – check that repository
-# Since Gentoo builds from source, to save time on molecule tests, we should reuse artifacts as much as possible
-# This playbook performs the initial setup of a Gentoo container
-# It configures portage to try to use prebuilt packages if available and to save the built packages.
----
-- name: Run preparation playbook
-  hosts: Gentoo
-  tasks:
-    - name: Enable buildpkg feature
-      lineinfile:
-        line: "FEATURES='buildpkg'"
-        dest: /etc/portage/make.conf
-        state: present
-    - name: Enable trying to install from binpkgs by default
-      lineinfile:
-        line: "EMERGE_DEFAULT_OPTS='--usepkg'"
-        dest: /etc/portage/make.conf
-        state: present
-    - name: Synchronize gentoo repository if needed
-      block:
-        - name: Check if there is anything in the repo
-          find:
-            paths: '/var/db/repos/gentoo/'
-          register: find_files_in_repo
-        - name: Synchronize the repo if needed
-          command: "emaint sync -a"
-          when: find_files_in_repo.matched == 0
-
-    - name: Install equery, needed for package check
-      # Command, because equery does not exist yet
-      command: emerge --changed-use --oneshot app-portage/gentoolkit
-      changed_when: false
-# The rest of the original file is specific to that role and not needed here

molecule/gentoo/verify.yml

@@ -1,92 +0,0 @@
----
-# This is an example playbook to execute Ansible tests.
-
-- name: Verify
-  hosts: all
-  gather_facts: false
-  tasks:
-
-  - name: check for nftables.d
-    stat:
-      path: /etc/nftables.d
-    register: p
-
-  - name: check nftables.d
-    assert:
-      that:
-        - p.stat.exists and p.stat.isdir
-
-  - name: check for nftables.conf
-    stat:
-      path: /etc/nftables.conf
-    register: p
-
-  - name: check nftables.conf
-    assert:
-      that:
-        - p.stat.exists
-
-  - name: check for filter-input.nft
-    stat:
-      path: /etc/nftables.d/filter-input.nft
-    register: p
-
-  - name: check filter-input.nft
-    assert:
-      that:
-        - p.stat.exists
-
-  - name: list rules
-    command: nft list ruleset
-    register: nft
-
-  - name: debug rules
-    debug: var=nft
-
-  - name: check rules
-    assert:
-      that:
-        # The whole line is:
-        # type filter hook input priority 0; policy drop;
-        # However on CentOS will return "priority 0", while Debian will
-        # show "priority filter"
-        - '"type filter hook input" in nft.stdout'
-        - '"type filter hook output" in nft.stdout'
-
-  - name: check for fail2ban systemd custom dir
-    stat:
-      path: /etc/systemd/system/fail2ban.service.d
-    register: f2b_systemd_dir
-
-  - name: check fail2ban systemd custom dir
-    assert:
-      that:
-        - f2b_systemd_dir.stat.exists and f2b_systemd_dir.stat.isdir
-
-  - name: check for fail2ban systemd override
-    stat:
-      path: /etc/systemd/system/fail2ban.service.d/override.conf
-    register: f2b_systemd_override
-
-  - name: check fail2ban systemd override
-    assert:
-      that:
-        - f2b_systemd_override.stat.exists
-
-  - name: service status - active
-    command: systemctl is-active nftables.service
-    register: status
-
-  - name: check service status
-    assert:
-      that:
-        - 'status.stdout == "active"'
-
-  - name: service status - enabled
-    command: systemctl is-enabled nftables.service
-    register: status
-
-  - name: check service status
-    assert:
-      that:
-        - 'status.stdout == "enabled"'

tasks/main.yml

@@ -13,8 +13,7 @@
   loop_control:
     loop_var: groupname
 
-- name: Debug nftables_group_rules
+- debug: var=nftables_group_rules
-  debug: var=nftables_group_rules
   when: nft_debug
 
 - name: Import nftables-variables if nft_merged_groups is set
@@ -37,12 +36,7 @@
   loop_control:
     loop_var: varfile
 
-- name: Debug nft_combined_rules
+- debug: var=nft_combined_rules
-  debug: var=nft_combined_rules
-  when: nft_debug
-
-- name: Debug ansible_os_family
-  debug: var=ansible_os_family
   when: nft_debug
 
 - name: Load specific OS vars for nftables
@@ -55,12 +49,6 @@
     loop_var: osname
 
 # Manage packages [[[1
-- name: Update repositories
-  package:
-    update_cache: true
-  when: (nft_enabled|bool and
-         ansible_os_family not in [ 'Gentoo' ])
-
 - name: Ensure Nftables packages are in their desired state
   package:
     name: '{{ nft_pkg_list | list }}'
@@ -206,7 +194,7 @@
   file:
     path: "{{ nft__service_override_path | dirname }}"
     state: directory
-    mode: '0755'
+    recurse: yes
   when:
     - nft_enabled|bool
     - nft_service_manage|bool
@@ -231,7 +219,7 @@
   file:
     path: "{{ nft__fail2ban_service_unit_path | dirname }}"
     state: directory
-    mode: '0755'
+    recurse: yes
   when:
     - nft_enabled|bool
     - nft_service_manage|bool

templates/etc/nftables.conf.j2

@@ -1,5 +1,5 @@
 #jinja2: lstrip_blocks: "True", trim_blocks: "True"
-#!{{ nft__bin_location }} -f
+#!/usr/sbin/nft -f
 # {{ ansible_managed }}
 {% set globalmerged = nft_global_default_rules.copy() %}
 {% set _ = globalmerged.update(nft_global_rules) %}

templates/lib/systemd/system/nftables.service.j2

@@ -13,9 +13,9 @@ RemainAfterExit=yes
 StandardInput=null
 ProtectSystem=full
 ProtectHome=true
-ExecStart={{ nft__bin_location }} -f {{ nft_main_conf_path }}
+ExecStart=/usr/sbin/nft -f {{ nft_main_conf_path }}
-ExecReload={{ nft__bin_location }} -f {{ nft_main_conf_path }}
+ExecReload=/usr/sbin/nft -f {{ nft_main_conf_path }}
-ExecStop={{ nft__bin_location }} flush ruleset
+ExecStop=/usr/sbin/nft flush ruleset
 
 [Install]
 WantedBy=sysinit.target

vars/alpine.yml

@@ -1,4 +0,0 @@
----
-# vars file for Alpine
-nft_pkg_list:
-  - nftables

vars/archlinux.yml

@@ -1,4 +0,0 @@
----
-# vars file for Archlinux-based distros
-nft_pkg_list:
-  - nftables

vars/gentoo.yml

@@ -1,5 +0,0 @@
----
-# vars file for Gentoo
-nft_pkg_list:
-  - net-firewall/nftables
-nft__bin_location: "/sbin/nft"