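---
# .. vim: foldmarker=[[[,]]]:foldmethod=marker
#
# tasks file for nftables
#
# Flow: (optionally) merge per-group rule files from the controller into
# `nft_combined_rules`, load OS-specific vars, install packages, render the
# main conf + include files, then install the systemd unit.  Every rendered
# file notifies the "Reload nftables service" handler; the unit file notifies
# "Restart nftables service".  Both handlers live outside this file.

# Reads one YAML file per group the host belongs to from the controller
# (`merged_groups_dir ~ groupname`, so `merged_groups_dir` needs a trailing
# slash) and exposes it as a host fact named after the group.  `from_yaml`
# goes through Ansible's safe YAML loader, so the file content cannot inject
# python objects; it is still controller-side data and every group in
# `group_names` must have a file or the lookup fails the task.
- name: Import nftables-variables if merged_groups is set
  when: merged_groups | default(false) | bool
  set_fact:
    "{{ groupname }}": "{{ lookup('file', merged_groups_dir ~ groupname) | from_yaml }}"
  loop: "{{ group_names }}"
  loop_control:
    loop_var: groupname

# Deep-merges the per-group dicts imported above into `nft_combined_rules`.
# Precedence follows `group_names` order: a later group overrides keys set by
# an earlier one, so group ordering decides which rules win on conflict.
- name: Combine Rules when merged_groups is set
  when: merged_groups | default(false) | bool
  set_fact:
    nft_combined_rules: >-
      {{ nft_combined_rules | default({})
         | combine(hostvars[inventory_hostname][groupname], recursive=True) }}
  loop: "{{ group_names }}"
  loop_control:
    loop_var: groupname

# Most specific vars file wins: distribution+version, then distribution,
# then OS family.  There is no generic fallback; an unsupported OS fails here.
- name: Load specific OS vars for nftables
  include_vars: "{{ osname }}"
  with_first_found:
    - "{{ ansible_distribution | lower }}-{{ ansible_distribution_version }}.yml"
    - "{{ ansible_distribution | lower }}.yml"
    - "{{ ansible_os_family | lower }}.yml"
  loop_control:
    loop_var: osname

# Manage packages [[[1
# `until ... is success` without explicit retries/delay uses Ansible's
# defaults (3 retries, 5s delay) to ride out transient repo/mirror errors.
- name: Ensure Nftables packages are in their desired state
  package:
    name: '{{ nft_pkg_list | list }}'
    state: '{{ nft_pkg_state }}'
  register: pkg_install_result
  until: pkg_install_result is success
  when: nft_enabled | bool

# Uses the generic `package` module like the install task above so the
# OS-specific vars files loaded earlier also work on non-apt systems;
# `nft_old_pkg_list` / `nft_old_pkg_state` are supplied by those vars files.
- name: Ensure old Iptables packages are in their desired state
  package:
    name: '{{ nft_old_pkg_list | list }}'
    state: '{{ nft_old_pkg_state }}'
  register: pkg_remove_result
  until: pkg_remove_result is success
  when: (nft_enabled | bool and nft_old_pkg_manage | bool)

# Common configuration [[[1
# Octal modes are quoted everywhere below so the YAML parser never turns
# them into a decimal int; the values themselves are unchanged.
# The directory is pinned to root:root to match the files rendered into it —
# a non-root-writable rules directory would let that account alter the
# firewall policy loaded on the next reload.
- name: Ensure to create nftables.d directory
  file:
    path: "{{ nft_conf_dir_path }}"
    state: directory
    owner: root
    group: root
    mode: '0755'
  when: nft_enabled | bool

# NOTE(review): the include files rendered below are data read by `nft -f`
# and do not need the executable bit; '0644' (or '0640' if the rules are
# considered sensitive) would be tighter.  Kept at '0755' to preserve the
# role's existing behaviour — confirm nothing relies on +x before changing.
# A `validate:` option is deliberately not added: the include files reference
# defines/sets from sibling files, so `nft -c -f %s` on a lone temp file
# would give false negatives.  If the main conf uses absolute include paths,
# `validate: 'nft -c -f %s'` on that task alone is a safe addition.
- name: CONFIG generate main conf file
  template:
    src: "{{ nft_main_conf_content }}"
    dest: "{{ nft_main_conf_path }}"
    owner: root
    group: root
    mode: '0755'
    backup: true
  notify: ['Reload nftables service']
  when: nft_enabled | bool

- name: CONFIG generate vars definition file
  template:
    src: "{{ nft_define_conf_content }}"
    dest: "{{ nft_define_conf_path }}"
    owner: root
    group: root
    mode: '0755'
    backup: true
  notify: ['Reload nftables service']
  when: nft_enabled | bool

- name: CONFIG generate sets file
  template:
    src: "{{ nft_set_conf_content }}"
    dest: "{{ nft_set_conf_path }}"
    owner: root
    group: root
    mode: '0755'
    backup: true
  notify: ['Reload nftables service']
  when: nft_enabled | bool

# Filter table content [[[1
- name: Filter table - generate input rules file
  template:
    src: "{{ nft_input_conf_content }}"
    dest: "{{ nft_input_conf_path }}"
    owner: root
    group: root
    mode: '0755'
    backup: true
  notify: ['Reload nftables service']
  when: nft_enabled | bool

- name: Filter table - generate output rules file
  template:
    src: "{{ nft_output_conf_content }}"
    dest: "{{ nft_output_conf_path }}"
    owner: root
    group: root
    mode: '0755'
    backup: true
  notify: ['Reload nftables service']
  when: nft_enabled | bool

# Nat table content [[[1
# NAT files are only rendered when `nft__nat_table_manage` is set; note the
# double-underscore variable prefix differs from the `nft_` prefix used by
# the rest of this file — it is an existing interface, not changed here.
- name: Nat table - generate prerouting rules file
  template:
    src: "{{ nft__nat_prerouting_conf_content }}"
    dest: "{{ nft__nat_prerouting_conf_path }}"
    owner: root
    group: root
    mode: '0755'
    backup: true
  notify: ['Reload nftables service']
  when: (nft_enabled | bool and nft__nat_table_manage | bool)

- name: Nat table - generate postrouting rules file
  template:
    src: "{{ nft__nat_postrouting_conf_content }}"
    dest: "{{ nft__nat_postrouting_conf_path }}"
    owner: root
    group: root
    mode: '0755'
    backup: true
  notify: ['Reload nftables service']
  when: (nft_enabled | bool and nft__nat_table_manage | bool)

# Manage service [[[1
# Installs the unit file only; `nftables__register_systemd_service` is kept
# for callers that inspect it.  A changed unit needs `systemctl daemon-reload`
# before the restart takes effect — presumably done in the "Restart nftables
# service" handler, which is not visible here; verify.
- name: Install Debian systemd service unit
  template:
    src: '{{ nft_service_unit_content }}'
    dest: '{{ nft_service_unit_path }}'
    owner: 'root'
    group: 'root'
    mode: '0644'
  register: nftables__register_systemd_service
  when: (nft_enabled | bool and nft_service_manage | bool)
  notify: ['Restart nftables service']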