---
# .. vim: foldmarker=[[[,]]]:foldmethod=marker
#
# tasks file for nftables

- name: Check for group files
  become: no
  delegate_to: localhost
  stat:
    path: "{{ nft_merged_groups_dir ~ groupname }}"
  register: nftables_group_rules
  loop: "{{ group_names }}"
  loop_control:
    loop_var: groupname

- name: Debug nftables_group_rules
  debug: var=nftables_group_rules
  when: nft_debug

- name: Import nftables-variables if nft_merged_groups is set
  when: nft_merged_groups and varfile.stat.exists
  include_vars:
    file: "{{ nft_merged_groups_dir ~ varfile.groupname }}"
    name: "{{ varfile.groupname }}"
  loop: "{{ nftables_group_rules.results }}"
  loop_control:
    loop_var: varfile

- name: Combine Rules when nft_merged_groups is set
  when: nft_merged_groups and
        ((hostvars[inventory_hostname][varfile.groupname] is defined) and
         (hostvars[inventory_hostname][varfile.groupname]|length > 0)) and
        varfile.stat.exists
  set_fact:
    nft_combined_rules: "{{ nft_combined_rules | default({}) | combine ( hostvars[inventory_hostname][varfile.groupname], recursive=True ) }}"
  loop: "{{ nftables_group_rules.results }}"
  loop_control:
    loop_var: varfile

- name: Debug nft_combined_rules
  debug: var=nft_combined_rules
  when: nft_debug

- name: Debug ansible_os_family
  debug: var=ansible_os_family
  when: nft_debug

- name: Load specific OS vars for nftables
  include_vars: "{{ osname }}"
  with_first_found:
    - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version }}.yml"
    - "{{ ansible_distribution|lower }}.yml"
    - "{{ ansible_os_family|lower }}.yml"
  loop_control:
    loop_var: osname

# Manage packages [[[1
- name: Ensure Nftables packages are in their desired state
  package:
    name: '{{ nft_pkg_list | list }}'
    state: '{{ nft_pkg_state }}'
    # update_cache: true
  register: pkg_install_result
  until: pkg_install_result is success
  when: nft_enabled|bool

- name: Ensure old Iptables packages are in their desired state
  package:
    name: '{{ nft_old_pkg_list | list }}'
    state: '{{ nft_old_pkg_state }}'
  register: pkg_remove_result
  until: pkg_remove_result is success
  when: (nft_enabled|bool and
         nft_old_pkg_manage|bool)

# Common configuration [[[1
- name: Ensure to create nftables.d directory
  file:
    path: "{{ nft_conf_dir_path }}"
    state: directory
    mode: 0755
  when: nft_enabled|bool

- name: CONFIG generate main conf file
  template:
    src: "{{ nft_main_conf_content }}"
    dest: "{{ nft_main_conf_path }}"
    owner: root
    group: root
    mode: 0755
    backup: "{{ nft_backup_conf }}"
  notify: ['Reload nftables service']
  when: nft_enabled|bool

- name: CONFIG generate vars definition file
  template:
    src: "{{ nft_define_conf_content }}"
    dest: "{{ nft_define_conf_path }}"
    owner: root
    group: root
    mode: 0755
    backup: "{{ nft_backup_conf }}"
  notify: ['Reload nftables service']
  when: nft_enabled|bool

- name: CONFIG generate sets file
  template:
    src: "{{ nft_set_conf_content }}"
    dest: "{{ nft_set_conf_path }}"
    owner: root
    group: root
    mode: 0755
    backup: "{{ nft_backup_conf }}"
  notify: ['Reload nftables service']
  when: nft_enabled|bool

# Filter table content [[[1
- name: Filter table - generate input rules file
  template:
    src: "{{ nft_input_conf_content }}"
    dest: "{{ nft_input_conf_path }}"
    owner: root
    group: root
    mode: 0755
    backup: "{{ nft_backup_conf }}"
  notify: ['Reload nftables service']
  when: nft_enabled|bool

- name: Filter table - generate output rules file
  template:
    src: "{{ nft_output_conf_content }}"
    dest: "{{ nft_output_conf_path }}"
    owner: root
    group: root
    mode: 0755
    backup: "{{ nft_backup_conf }}"
  notify: ['Reload nftables service']
  when: nft_enabled|bool

- name: Filter table - generate forward rules file
  template:
    src: "{{ nft_forward_conf_content }}"
    dest: "{{ nft_forward_conf_path }}"
    owner: root
    group: root
    mode: 0755
    backup: yes
  notify: ['Reload nftables service']
  when: (nft_enabled|bool and
         nft__forward_table_manage|bool)

# Nat table content [[[1
- name: Nat table - generate prerouting rules file
  template:
    src: "{{ nft__nat_prerouting_conf_content }}"
    dest: "{{ nft__nat_prerouting_conf_path }}"
    owner: root
    group: root
    mode: 0755
    backup: "{{ nft_backup_conf }}"
  notify: ['Reload nftables service']
  when: (nft_enabled|bool and
         nft__nat_table_manage|bool)

- name: Nat table - generate postrouting rules file
  template:
    src: "{{ nft__nat_postrouting_conf_content }}"
    dest: "{{ nft__nat_postrouting_conf_path }}"
    owner: root
    group: root
    mode: 0755
    backup: "{{ nft_backup_conf }}"
  notify: ['Reload nftables service']
  when: (nft_enabled|bool and
         nft__nat_table_manage|bool)

# Manage nftables service [[[1
- name: Install nftables Debian systemd service unit
  template:
    src: '{{ nft_service_unit_content }}'
    dest: '{{ nft_service_unit_path }}'
    owner: 'root'
    group: 'root'
    mode: '0644'
  register: nftables__register_systemd_service
  when: (nft_enabled|bool and
         nft_service_manage|bool)
  notify: ['Restart nftables service']

- name: Ensure to remove nftables systemd service from old target
  file:
    path: '/etc/systemd/system/multi-user.target.wants/nftables.service'
    state: absent
  register: nftables__register_fix_systemd_target
  when: (nft_enabled|bool and
         nft_service_manage|bool)
  notify: ['Restart nftables service']

# Manage custom nftables service [[[1
- name: Create Nftables custom directory for systemd service
  file:
    path: "{{ nft__service_override_path | dirname }}"
    state: directory
    mode: '0755'
  when:
    - nft_enabled|bool
    - nft_service_manage|bool
    - not nft__service_protect|bool

- name: Add Nftables systemd custom configuration
  template:
    src: '{{ nft__service_override_content }}'
    dest: '{{ nft__service_override_path }}'
    owner: 'root'
    group: 'root'
    mode: '0644'
  register: nftables__register_systemd_custom
  when:
    - nft_enabled|bool
    - nft_service_manage|bool
    - not nft__service_protect|bool
  notify: ['Restart nftables service']

# Manage custom fail2ban service [[[1
- name: Create Fail2Ban custom directory for systemd service
  file:
    path: "{{ nft__fail2ban_service_unit_path | dirname }}"
    state: directory
    mode: '0755'
  when:
    - nft_enabled|bool
    - nft_service_manage|bool

- name: Install Debian Fail2Ban custom service
  template:
    src: '{{ nft__fail2ban_service_unit_content }}'
    dest: '{{ nft__fail2ban_service_unit_path }}'
    owner: 'root'
    group: 'root'
    mode: '0644'
  register: nftables__register_fail2ban_service
  when:
    - nft_enabled|bool
    - nft_service_manage|bool
  notify: ['Restart nftables service']