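---
# nftables host firewall tasks for this role.
#
# Order matters for security: the package is installed and the managed
# configuration (systemd drop-in, /etc/nftables.conf, rule fragments) is put
# in place BEFORE the unit is started/enabled, so the first start on a fresh
# host loads our ruleset rather than the distribution's default nftables.conf.
# Any later change to the ruleset is picked up by the "Restart nftables
# service" handler. Handler names ("Start nftables service",
# "Restart nftables service", "Reload systemd daemon",
# "Restart rsyslog service") are defined elsewhere in the role.

- name: Install nftables
  become: true
  apt:
    name: nftables
    state: present
    update_cache: true
  notify: Start nftables service

# Directory layout consumed by nftables.conf. forward.d, pre-hooks.d and
# include.d are created here but no default files are shipped for them by
# this task file; they are left for host-specific drops.
- name: Setup needed directories
  become: true
  file:
    path: "{{ item }}"
    owner: root
    group: root
    mode: "0750"
    state: directory
  loop:
    - /etc/nftables/input.d
    - /etc/nftables/output.d
    - /etc/nftables/forward.d
    - /etc/nftables/pre-hooks.d
    - /etc/nftables/post-hooks.d
    - /etc/nftables/include.d
    - /etc/systemd/system/nftables.service.d

- name: Copy local systemd configuration
  become: true
  copy:
    src: systemd-local.conf
    dest: /etc/systemd/system/nftables.service.d/local.conf
    owner: root
    group: root
    mode: "0640"
  notify: Reload systemd daemon

# NOTE(review): consider adding `validate: 'nft -c -f %s'` here once the
# include paths used by nftables.conf are confirmed to resolve on a fresh host;
# a syntax error in the ruleset otherwise surfaces only when the restart
# handler runs, leaving the host without the intended firewall.
- name: Copy default configuration
  become: true
  copy:
    src: nftables.conf
    dest: /etc/nftables.conf
    owner: root
    group: root
    mode: "0640"
  notify: Restart nftables service

- name: Copy default input rules
  become: true
  copy:
    src: "{{ item }}"
    dest: "/etc/nftables/input.d/{{ item | basename }}"
    owner: root
    group: root
    mode: "0640"
  with_fileglob:
    - input.d/*
  notify: Restart nftables service

# Post-hooks are installed executable (0750), unlike the 0640 rule fragments.
- name: Copy default post-hook rules
  become: true
  copy:
    src: "{{ item }}"
    dest: "/etc/nftables/post-hooks.d/{{ item | basename }}"
    owner: root
    group: root
    mode: "0750"
  with_fileglob:
    - post-hooks.d/*
  notify: Restart nftables service

- name: Copy default output rules
  become: true
  copy:
    src: "{{ item }}"
    dest: "/etc/nftables/output.d/{{ item | basename }}"
    owner: root
    group: root
    mode: "0640"
  with_fileglob:
    - output.d/*
  notify: Restart nftables service

# daemon_reload: true makes the drop-in copied above effective on this first
# start instead of only after the "Reload systemd daemon" handler fires at the
# end of the play.
- name: Start nftables
  become: true
  systemd:
    name: nftables
    state: started
    enabled: true
    daemon_reload: true

# Log file for the netfilter log prefix: rsyslog routing plus rotation so the
# firewall log cannot grow without bound.
- name: Setup netfilter.log
  become: true
  copy:
    src: netfilter.rsyslog
    dest: /etc/rsyslog.d/netfilter.conf
    owner: root
    group: root
    mode: "0644"
  notify: Restart rsyslog service

- name: Setup logrotate for netfilter.log
  become: true
  copy:
    src: netfilter.logrotate
    dest: /etc/logrotate.d/netfilter
    owner: root
    group: root
    mode: "0644"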