---
# Install the nftables package from the distribution repositories.
# The notified handler ("Start nftables service") lives in the role's
# handlers file, which is not part of this tasks file.
# NOTE(review): the explicit "Start nftables" task directly below already
# starts the unit before any handler runs, so this notify looks redundant —
# confirm against the handlers file before removing it.
- name: Install nftables
  ansible.builtin.apt:
    update_cache: true
    name: nftables
    state: present
  become: true
  notify: Start nftables service
# Start the nftables unit immediately and enable it at boot.
# This task runs before the role's ruleset and drop-ins are copied by the
# tasks below, so the first start applies whatever /etc/nftables.conf is
# already on the host (presumably the package default on a fresh install);
# the managed ruleset only takes effect when the notified
# "Restart nftables service" handler runs at the end of the play.
- name: Start nftables
  ansible.builtin.systemd:
    enabled: true
    name: nftables
    state: started
  become: true
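# Create the per-chain include directories used by the managed ruleset and
# the systemd drop-in directory for the nftables unit. All are root-owned
# and not readable by other users.
- name: Setup needed directories
  become: true
  ansible.builtin.file:
    path: "{{ item }}"
    owner: root
    group: root
    # Quoted as the Ansible file-module docs recommend: an unquoted
    # leading-zero literal is read by the YAML parser as an integer and
    # can be mis-converted in loops (as here) and templated values.
    mode: "0750"
    state: directory
  # `loop` is the current form of `with_items`; for a flat list of
  # scalars the two iterate identically.
  loop:
    - /etc/nftables/input.d
    - /etc/nftables/output.d
    - /etc/nftables/forward.d
    - /etc/nftables/pre-hooks.d
    - /etc/nftables/post-hooks.d
    - /etc/nftables/include.d
    - /etc/systemd/system/nftables.service.d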
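# Install the role's systemd drop-in for the nftables unit; the daemon
# reload needed to pick it up is left to the notified handler.
- name: Copy local systemd configuration
  become: true
  ansible.builtin.copy:
    src: systemd-local.conf
    dest: /etc/systemd/system/nftables.service.d/local.conf
    owner: root
    group: root
    # Quoted so the octal mode reaches Ansible as a string (see the
    # file-module docs on leading-zero modes).
    mode: "0640"
  notify: Reload systemd daemon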
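# Install the top-level ruleset. The restart that applies it is deferred to
# the notified handler, so the include.d/input.d/output.d/post-hooks.d files
# copied by the following tasks are in place before the ruleset is loaded.
# NOTE(review): the copy module's `validate` option (e.g. `nft -c -f %s`)
# would reject a syntactically broken ruleset before it replaces the live
# file; whether the file can be checked standalone depends on how its
# includes are written — confirm before adding it.
- name: Copy default configuration
  become: true
  ansible.builtin.copy:
    src: nftables.conf
    dest: /etc/nftables.conf
    owner: root
    group: root
    # Quoted so the octal mode reaches Ansible as a string (see the
    # file-module docs on leading-zero modes).
    mode: "0640"
  notify: Restart nftables service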
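# Copy every file under the role's files/input.d/ into the input include
# directory, keeping each file's base name. with_fileglob yields absolute
# paths, hence the basename filter on dest.
- name: Copy default input rules
  become: true
  ansible.builtin.copy:
    src: "{{ item }}"
    dest: "/etc/nftables/input.d/{{ item | basename }}"
    owner: root
    group: root
    # Quoted so the octal mode reaches Ansible as a string (see the
    # file-module docs on leading-zero modes).
    mode: "0640"
  with_fileglob:
    - input.d/*
  notify: Restart nftables service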
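# Copy every file under the role's files/post-hooks.d/ into the post-hook
# directory, keeping each file's base name. Unlike the rule fragments these
# are installed executable (0750), root-only.
- name: Copy default post-hook rules
  become: true
  ansible.builtin.copy:
    src: "{{ item }}"
    dest: "/etc/nftables/post-hooks.d/{{ item | basename }}"
    owner: root
    group: root
    # Quoted so the octal mode reaches Ansible as a string (see the
    # file-module docs on leading-zero modes).
    mode: "0750"
  with_fileglob:
    - post-hooks.d/*
  notify: Restart nftables service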
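# Copy every file under the role's files/output.d/ into the output include
# directory, keeping each file's base name.
- name: Copy default output rules
  become: true
  ansible.builtin.copy:
    src: "{{ item }}"
    dest: "/etc/nftables/output.d/{{ item | basename }}"
    owner: root
    group: root
    # Quoted so the octal mode reaches Ansible as a string (see the
    # file-module docs on leading-zero modes).
    mode: "0640"
  with_fileglob:
    - output.d/*
  notify: Restart nftables service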
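# Install the rsyslog snippet that routes netfilter log messages; rsyslog
# itself is not installed by this tasks file, so the notified restart
# handler presumably expects it to be present already — verify on the
# target hosts.
- name: Setup netfilter.log
  become: true
  ansible.builtin.copy:
    src: netfilter.rsyslog
    dest: /etc/rsyslog.d/netfilter.conf
    owner: root
    group: root
    # Quoted so the octal mode reaches Ansible as a string (see the
    # file-module docs on leading-zero modes).
    mode: "0644"
  notify: Restart rsyslog service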
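# Install the logrotate policy for the netfilter log. No handler is needed:
# logrotate reads /etc/logrotate.d/ on each run.
- name: Setup logrotate for netfilter.log
  become: true
  ansible.builtin.copy:
    src: netfilter.logrotate
    dest: /etc/logrotate.d/netfilter
    owner: root
    group: root
    # Quoted so the octal mode reaches Ansible as a string (see the
    # file-module docs on leading-zero modes).
    mode: "0644"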