---
# Ansible tasks: install a custom nftables-based firewall (Python script +
# systemd unit), render its rule file, and replace the distro nftables
# service with the custom one.

- name: Install required packages
  apt:
    name:
      - python3-nftables
      - python3-pydantic
      - python3-yaml
      - nftables

# Both files are installed root-owned; the loop item supplies the path and
# the symbolic mode for each. Note that this task does not notify the
# "Reload firewall" handler — only the rules template below does — so a
# changed script on a host with a running service takes effect only after
# the service is restarted some other way (confirm this is intended).
- name: Install script
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}/{{ item.src }}"
    owner: root
    group: root
    mode: "{{ item.mode }}"
  loop:
    - src: firewall
      dest: /usr/local/sbin
      mode: "u=rwx,g=rx,o=rx"
    - src: nft.py
      dest: /usr/lib/python3/dist-packages
      mode: "u=rw,g=r,o=r"

- name: Install systemd unit
  template:
    src: firewall.service.j2
    dest: /etc/systemd/system/firewall.service
    owner: root
    group: root
    mode: "u=rw,g=r,o=r"

- name: Create /etc/firewall
  file:
    path: /etc/firewall
    state: directory
    owner: root
    group: root
    mode: "u=rwx,g=rx,o=rx"

# The rendered rules file is world-readable (o=r). Tighten the mode if the
# rendered zones/filter/nat content includes anything that should not be
# visible to unprivileged local users.
- name: Configure firewall
  template:
    src: rules.yml.j2
    dest: /etc/firewall/rules.yml
    owner: root
    group: root
    mode: "u=rw,g=r,o=r"
  vars:
    # Assembled here from the role's public variables; the template is
    # expected to serialise this mapping into rules.yml.
    firewall__rules:
      zones: "{{ firewall__zones }}"
      reverse_path_filter:
        interfaces: "{{ firewall__rp_filter_disabled }}"
      filter:
        input: "{{ firewall__input }}"
        forward: "{{ firewall__forward }}"
        output: "{{ firewall__output }}"
      nat: "{{ firewall__nat }}"
  notify:
    - Reload firewall

# Masking keeps the stock nftables.service from ever being started next to
# the custom unit (two rulesets fighting over the same tables). Masking by
# itself does not stop an instance that is already running — a
# `state: stopped` here would cover that case; confirm whether it is wanted.
- name: Mask nftables service
  systemd:
    name: nftables.service
    masked: true

- name: Enable firewall service
  systemd:
    name: firewall.service
    daemon_reload: true
    state: started
    enabled: true
...