---
# Host firewall tasks: install nftables, create the drop-in directory, resolve
# this host's ingress rules from the shared catalog/zones, and render a
# syntax-checked /etc/nftables.conf. Nothing in this block enables or reloads
# the nftables service; the registered render result is left for later tasks.

- name: Install nftables
  ansible.builtin.apt:
    name: nftables
    state: present
  tags:
    - firewall

- name: Ensure nftables drop-in dir exists
  ansible.builtin.file:
    path: '{{ base__firewall_dropin_dir }}'
    state: directory
    # Quoted so the mode is the literal string 0755, not an octal integer.
    mode: '0755'
  tags:
    - firewall

# resolve_firewall_rules is a project filter plugin (not defined in this file).
# It receives the catalog, the zone map, this host's inventory name and the
# full hostvars/groups view; whatever it returns becomes base__firewall_resolved.
# Continuation lines share one indent so the folded scalar collapses to a single
# Jinja expression.
- name: Resolve firewall ingress rules for this host
  ansible.builtin.set_fact:
    base__firewall_resolved: >-
      {{ firewall_catalog | default({})
      | resolve_firewall_rules(firewall_zones | default({}),
      inventory_hostname, hostvars, groups) }}
  tags:
    - firewall

# validate runs `nft -c -f <tmpfile>` (parse/check only, no ruleset is loaded)
# against the rendered temp file; on failure the task errors and the existing
# /etc/nftables.conf is left untouched.
- name: Render nftables ruleset (syntax-checked before install)
  ansible.builtin.template:
    src: nftables.conf.j2
    dest: /etc/nftables.conf
    mode: '0644'
    validate: 'nft -c -f %s'
  # Registered but not consumed here; presumably a later task or handler keys a
  # reload off base__firewall_render.changed — confirm against the rest of the role.
  register: base__firewall_render
  tags:
    - firewall