ansible/roles/firewall/tasks/main.yml

72 lines
1.5 KiB
YAML

---
- name: Install required packages
apt:
name:
- python3-nftables
- python3-pydantic
- nftables
- name: Install script
copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}/{{ item.src }}"
owner: root
group: root
mode: "{{ item.mode }}"
loop:
- src: firewall
dest: /usr/local/sbin
mode: u=rwx,g=rx,o=rx
- src: nft.py
dest: /usr/lib/python3/dist-packages
mode: u=rw,g=r,o=r
- name: Install systemd unit
template:
src: firewall.service.j2
dest: /etc/systemd/system/firewall.service
owner: root
group: root
mode: u=rw,g=r,o=r
- name: Create /etc/firewall
file:
path: /etc/firewall
state: directory
owner: root
group: root
mode: u=rwx,g=rx,o=rx
- name: Configure firewall
template:
src: rules.yml.j2
dest: /etc/firewall/rules.yml
owner: root
group: root
mode: u=rw,g=r,o=r
vars:
firewall__rules:
zones: "{{ firewall__zones }}"
reverse_path_filter:
interfaces: "{{ firewall__rp_filter_disabled }}"
filter:
input: "{{ firewall__input }}"
forward: "{{ firewall__forward }}"
output: "{{ firewall__output }}"
nat: "{{ firewall__nat }}"
notify:
- Reload firewall
- name: Disable nftables service
systemd:
name: nftables.service
state: stopped
enabled: false
- name: Enable firewall service
systemd:
name: firewall.service
daemon_reload: true
state: started
enabled: true
...