--- # tasks file for nftables - name: Load specific OS vars for nft include_vars: "{{ item }}" with_first_found: - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version }}.yml" - "{{ ansible_distribution|lower }}.yml" - "{{ ansible_os_family|lower }}.yml" # package {{{ - name: INSTALL Manage nftables packages package: name: '{{ item }}' state: '{{ nft_pkg_state }}' with_items: - '{{ nft_pkg_list }}' when: nft_enabled|bool - name: INSTALL Remove iptables packages apt: name: '{{ item }}' state: '{{ nft_old_pkg_state }}' with_items: - '{{ nft_old_pkg_list }}' when: (nft_enabled|bool and nft_old_pkg_manage|bool) # }}} # conf {{{ - name: CONFIG create nftables.d dir file: path: "{{ nft_conf_dir_path }}" state: directory mode: 0755 when: nft_enabled|bool - name: CONFIG generate main conf file template: src: "{{ nft_main_conf_content }}" dest: "{{ nft_main_conf_path }}" owner: root group: root mode: 0755 backup: yes notify: ['restart nftables service'] when: nft_enabled|bool - name: CONFIG generate input rules file template: src: "{{ nft_input_conf_content }}" dest: "{{ nft_input_conf_path }}" owner: root group: root mode: 0755 backup: yes notify: ['restart nftables service'] when: nft_enabled|bool - name: CONFIG generate output rules file template: src: "{{ nft_output_conf_content }}" dest: "{{ nft_output_conf_path }}" owner: root group: root mode: 0755 backup: yes notify: ['restart nftables service'] when: nft_enabled|bool - name: CONFIG generate vars definition file template: src: "{{ nft_define_conf_content }}" dest: "{{ nft_define_conf_path }}" owner: root group: root mode: 0755 backup: yes notify: ['restart nftables service'] when: nft_enabled|bool - name: CONFIG generate sets and maps file template: src: "{{ nft_set_conf_content }}" dest: "{{ nft_set_conf_path }}" owner: root group: root mode: 0755 backup: yes notify: ['restart nftables service'] when: nft_enabled|bool # }}} # service {{{ - name: install Debian systemd service unit template: src: '{{ nft_service_unit_content }}' dest: '{{ nft_service_unit_path }}' owner: 'root' group: 'root' mode: '0644' register: nftables__register_systemd_service when: (nft_enabled|bool and nft_service_manage|bool) notify: ['restart nftables service'] - name: Reload systemd daemons command: systemctl daemon-reload notify: ['restart nftables service'] when: (nft_service_manage|bool and nftables__register_systemd_service|changed) - name: SERVICE manage '{{ nft_service_name }}' service: name: '{{ nft_service_name }}' state: started enabled: '{{ nft_service_enabled }}' when: (nft_enabled|bool and nft_service_manage|bool) # }}}