---

# nftables is the firewall itself; rsyslog is needed by the rsyslog snippet
# installed further down (see "Setup netfilter.log").
- name: Install needed packages
  ansible.builtin.apt:
    state: present
    name:
      - nftables
      - rsyslog
  become: true

# Enable nftables at boot and start it now. At this point the service loads
# whatever /etc/nftables.conf already exists on the host; the configuration
# copied by the tasks below is applied via the notified reload handler.
- name: Start and enable nftables service
  ansible.builtin.systemd:
    enabled: true
    state: started
    name: nftables
  become: true

# Drop-in directories for the ruleset fragments, the hook scripts and the
# nftables unit override. root:root 0750 keeps unprivileged users from
# reading the filtering policy or listing the hook scripts.
- name: Setup needed directories
  ansible.builtin.file:
    state: directory
    path: "{{ item }}"
    mode: "0750"
    owner: root
    group: root
  loop:
    - /etc/nftables/input.d
    - /etc/nftables/output.d
    - /etc/nftables/forward.d
    - /etc/nftables/pre-hooks.d
    - /etc/nftables/post-hooks.d
    - /etc/nftables/include.d
    - /etc/systemd/system/nftables.service.d
  become: true

# Unit drop-in for nftables.service, root-only readable.
# NOTE(review): only "Reload systemd daemon" is notified here; if the drop-in
# changes how the unit starts or reloads, check whether the service also needs
# a restart for the override to take effect (the tasks below only notify a
# reload).
- name: Copy local systemd configuration
  ansible.builtin.copy:
    dest: /etc/systemd/system/nftables.service.d/local.conf
    src: systemd-local.conf
    mode: "0640"
    owner: root
    group: root
  become: true
  notify: Reload systemd daemon

# Main ruleset, root:root 0640 so the policy is not world-readable. Loading is
# deferred to the handler so the fragments copied below are in place first.
# NOTE(review): a broken ruleset is not caught at copy time. If the file's
# include paths do not depend on its own location, `validate: 'nft -c -f %s'`
# on this task would reject a syntactically invalid ruleset before it is
# installed.
- name: Copy default configuration
  ansible.builtin.copy:
    dest: /etc/nftables.conf
    src: nftables.conf
    mode: "0640"
    owner: root
    group: root
  become: true
  notify: Reload nftables service

# Install every file from the role's files/input.d into the target's
# input.d, keeping the file name. Fragments are root-only readable.
# NOTE(review): the `*` pattern also picks up stray files such as editor
# backups in files/input.d, and fragments removed from the role are not
# removed from the host.
- name: Copy default input rules
  ansible.builtin.copy:
    dest: "/etc/nftables/input.d/{{ item | basename }}"
    src: "{{ item }}"
    mode: "0640"
    owner: root
    group: root
  loop: "{{ query('fileglob', 'input.d/*') }}"
  become: true
  notify: Reload nftables service

# Install the post-hook scripts from the role's files/post-hooks.d. Unlike
# the rule fragments these are installed executable (0750), root-owned and
# not readable by others; files/post-hooks.d must therefore only contain
# trusted content.
# NOTE(review): as with the other globs, stray files in files/post-hooks.d
# would be deployed too, and removed hooks are not cleaned up on the host.
- name: Copy default post-hook rules
  ansible.builtin.copy:
    dest: "/etc/nftables/post-hooks.d/{{ item | basename }}"
    src: "{{ item }}"
    mode: "0750"
    owner: root
    group: root
  loop: "{{ query('fileglob', 'post-hooks.d/*') }}"
  become: true
  notify: Reload nftables service

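# Detect dynamically assigned addresses; the result drives the dhclient rule
# below. `check_mode: false` makes this read-only command run under --check
# as well: otherwise it is skipped there and the registered result carries
# no `stdout`, which breaks the `when` of the next task.
# NOTE(review): `ip addr show dynamic` lists every address carrying the
# kernel's "dynamic" flag, which can include IPv6 SLAAC addresses, so a
# non-empty result does not by itself prove a DHCP client is in use.
- name: Check if server is using DHCP
  ansible.builtin.command:
    cmd: "ip addr show dynamic"
  register: dhcp_grep
  changed_when: false
  check_mode: false
  become: true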

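# Output-chain fragment for the DHCP client (content lives in
# files/output.d/dhclient.conf and is not reviewed here), installed only when
# the detection task above found a dynamic address. `default('')` keeps the
# condition well-defined when that task did not run (e.g. under --check,
# where `dhcp_grep.stdout` would be undefined), and whitespace-only output
# counts as "no dynamic address".
- name: Copy dhclient output rule
  ansible.builtin.copy:
    dest: /etc/nftables/output.d/dhclient.conf
    src: output.d/dhclient.conf
    mode: "0640"
    owner: root
    group: root
  become: true
  notify: Reload nftables service
  when: (dhcp_grep.stdout | default('')) | trim | length > 0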

# Run the pending handlers (systemd daemon-reload, nftables reload) now.
# Restarting rsyslog right after the nftables reload has been observed to
# hang, so the nftables work is completed before the rsyslog tasks below
# notify their restart.
- name: Make sure nftables service is reloaded
  ansible.builtin.meta: flush_handlers

# rsyslog snippet for the netfilter log (per the task name it feeds
# netfilter.log; the actual routing is in files/netfilter.rsyslog). 0644 is
# acceptable here: this is configuration, not the log data itself.
- name: Setup netfilter.log
  ansible.builtin.copy:
    dest: /etc/rsyslog.d/netfilter.conf
    src: netfilter.rsyslog
    mode: "0644"
    owner: root
    group: root
  become: true
  notify: Restart rsyslog service

# Rotation policy for netfilter.log so firewall logging cannot fill the disk
# unbounded (retention and permissions of the rotated files are set in
# files/netfilter.logrotate). No handler needed: logrotate reads its
# configuration on each run.
- name: Setup logrotate for netfilter.log
  ansible.builtin.copy:
    dest: /etc/logrotate.d/netfilter
    src: netfilter.logrotate
    mode: "0644"
    owner: root
    group: root
  become: true