Add certbot renewal and nftables role

roles/certbot/files/http-certbot.conf

@@ -0,0 +1 @@
+tcp dport http accept comment "Allow http to all for certbot renewal"

roles/certbot/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - role: install-nftables

roles/certbot/tasks/main.yml

@@ -25,3 +25,10 @@
   register: result
   changed_when: "'already enabled' not in result.stdout"
   notify: Reload apache2 service
+
+- name: Allow certbot renewal
+  become: true
+  copy:
+    src: http-certbot.conf
+    dest: /etc/nftables/input.d/http-certbot.conf
+  notify: Reload nftables service

roles/common/handlers/main.yml

@@ -1,9 +1,9 @@
 ---
-- name: Restart apache2 service
+- name: Start apache2 service
   become: true
   systemd:
     name: apache2
-    state: restarted
+    state: started
     enabled: true
 
 - name: Reload apache2 service
@@ -18,3 +18,16 @@
     name: mariadb
     state: started
     enabled: true
+
+- name: Start nftables service
+  become: true
+  systemd:
+    name: nftables
+    state: restarted
+    enabled: true
+
+- name: Reload nftables service
+  become: true
+  systemd:
+    name: nftables
+    state: reloaded

roles/install-apache2/tasks/main.yml

@@ -5,7 +5,7 @@
     name: apache2
     state: present
     update_cache: yes
-  notify: Restart apache2 service
+  notify: Start apache2 service
 
 - name: Remove default html dir
   become: true

roles/install-nftables/tasks/main.yml

@@ -0,0 +1,14 @@
+---
+- name: Install nftables
+  become: true
+  apt:
+    name: nftables
+    state: present
+    update_cache: yes
+  notify: Start nftables service
+
+- name: Enable nftables
+  become: true
+  systemd:
+    name: nftables
+    enabled: true