--- # .. vim: foldmarker=[[[,]]]:foldmethod=marker # # tasks file for nftables - name: Load specific OS vars for nftables include_vars: "{{ item }}" with_first_found: - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version }}.yml" - "{{ ansible_distribution|lower }}.yml" - "{{ ansible_os_family|lower }}.yml" # Manage packages [[[1 - name: Ensure Nftables packages are in there desired state package: name: '{{ item }}' state: '{{ nft_pkg_state }}' with_items: - '{{ nft_pkg_list | to_nice_json }}' register: pkg_install_result until: pkg_install_result is success when: nft_enabled|bool - name: Ensure old Iptables packages are in there desired state apt: name: '{{ item }}' state: '{{ nft_old_pkg_state }}' with_items: - '{{ nft_old_pkg_list | to_nice_json }}' register: pkg_remove_result until: pkg_remove_result is success when: (nft_enabled|bool and nft_old_pkg_manage|bool) # Common configuration [[[1 - name: Ensure to create nftables.d directory file: path: "{{ nft_conf_dir_path }}" state: directory mode: 0755 when: nft_enabled|bool - name: CONFIG generate main conf file template: src: "{{ nft_main_conf_content }}" dest: "{{ nft_main_conf_path }}" owner: root group: root mode: 0755 backup: yes notify: ['Restart nftables service'] when: nft_enabled|bool - name: CONFIG generate vars definition file template: src: "{{ nft_define_conf_content }}" dest: "{{ nft_define_conf_path }}" owner: root group: root mode: 0755 backup: yes notify: ['Restart nftables service'] when: nft_enabled|bool - name: CONFIG generate sets file template: src: "{{ nft_set_conf_content }}" dest: "{{ nft_set_conf_path }}" owner: root group: root mode: 0755 backup: yes notify: ['Restart nftables service'] when: nft_enabled|bool # Filter table content [[[1 - name: Filter table - generate input rules file template: src: "{{ nft_input_conf_content }}" dest: "{{ nft_input_conf_path }}" owner: root group: root mode: 0755 backup: yes notify: ['Restart nftables service'] when: nft_enabled|bool - name: Filter table - generate output rules file template: src: "{{ nft_output_conf_content }}" dest: "{{ nft_output_conf_path }}" owner: root group: root mode: 0755 backup: yes notify: ['Restart nftables service'] when: nft_enabled|bool # Nat table content [[[1 - name: Nat table - generate prerouting rules file template: src: "{{ nft__nat_prerouting_conf_content }}" dest: "{{ nft__nat_prerouting_conf_path }}" owner: root group: root mode: 0755 backup: yes notify: ['Restart nftables service'] when: (nft_enabled|bool and nft__nat_table_manage|bool) - name: Nat table - generate postrouting rules file template: src: "{{ nft__nat_postrouting_conf_content }}" dest: "{{ nft__nat_postrouting_conf_path }}" owner: root group: root mode: 0755 backup: yes notify: ['Restart nftables service'] when: (nft_enabled|bool and nft__nat_table_manage|bool) # Manage service [[[1 - name: Install Debian systemd service unit template: src: '{{ nft_service_unit_content }}' dest: '{{ nft_service_unit_path }}' owner: 'root' group: 'root' mode: '0644' register: nftables__register_systemd_service when: (nft_enabled|bool and nft_service_manage|bool) notify: ['Restart nftables service']