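---
# Firewall tasks: install nftables, prepare the drop-in directory, resolve the
# per-host ingress rules and render the ruleset after a syntax check.
# Every task carries the `firewall` tag so the role can be run selectively.

- name: Install nftables
  ansible.builtin.apt:
    name: nftables
    state: present
  tags: [firewall]

- name: Ensure nftables drop-in dir exists
  ansible.builtin.file:
    path: "{{ base__firewall_dropin_dir }}"
    state: directory
    # Firewall configuration must not be writable by unprivileged users:
    # pin ownership to root instead of inheriting whatever created the path.
    owner: root
    group: root
    mode: "0755"
  tags: [firewall]

- name: Resolve firewall ingress rules for this host
  ansible.builtin.set_fact:
    # `resolve_firewall_rules` is a project filter plugin (not on this page);
    # it receives the catalog, the zones and the inventory context.
    # `default({})` keeps the expression valid when no catalog/zones are set.
    base__firewall_resolved: >-
      {{ firewall_catalog | default({})
      | resolve_firewall_rules(firewall_zones | default({}),
      inventory_hostname, hostvars, groups) }}
  tags: [firewall]

- name: Render nftables ruleset (syntax-checked before install)
  ansible.builtin.template:
    src: nftables.conf.j2
    dest: /etc/nftables.conf
    owner: root
    group: root
    mode: "0644"
    # `nft -c` parses the rendered temporary file without applying it, so a
    # broken template never replaces the live config. This is a syntax check
    # only: the ruleset is not activated here, and nothing on this page reloads
    # nftables after a change — confirm a handler or later task consumes
    # `base__firewall_render`.
    validate: "nft -c -f %s"
  register: base__firewall_render
  tags: [firewall]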