ansible-personal/roles/common/tasks/nftables.yml

---
# Common nftables tasks for Ubuntu 20.04, Ubuntu 22.04, Ubuntu 24.04, Debian 11,
# and Debian 12.

- name: Copy nftables.conf
  ansible.builtin.template:
    src: nftables.conf.j2
    dest: /etc/nftables.conf
    owner: root
    mode: "0644"
  notify:
    - restart nftables
    - restart fail2ban

- name: Create /etc/nftables extra config directory
  ansible.builtin.file:
    path: /etc/nftables
    state: directory
    owner: root
    mode: "0755"

- name: Copy extra nftables configuration files
  ansible.builtin.copy:
    src: "{{ item.src }}"
    dest: /etc/nftables/{{ item.src }}
    owner: root
    group: root
    mode: "0644"
    force: "{{ item.force }}"
  loop:
    - { src: firehol_level1-ipv4.nft, force: false }
  notify:
    - restart nftables
    - restart fail2ban

- name: Copy nftables update scripts
  ansible.builtin.template:
    src: update-firehol-nftables.sh.j2
    dest: /usr/local/bin/update-firehol-nftables.sh
    mode: "0755"
    owner: root
    group: root

- name: Remove deprecated data and scripts
  ansible.builtin.file:
    path: "{{ item }}"
    state: absent
  loop:
    - /etc/nftables/spamhaus-ipv4.nft
    - /etc/nftables/spamhaus-ipv6.nft
    - /etc/nftables/abuseipdb-ipv4.nft
    - /etc/nftables/abuseipdb-ipv6.nft
    - /etc/nftables/abusech-ipv4.nft
    - /usr/local/bin/update-abusech-nftables.sh
    - /usr/local/bin/update-spamhaus-nftables.sh
    - /etc/systemd/system/update-abusech-nftables.service
    - /etc/systemd/system/update-abusech-nftables.timer
    - /etc/systemd/system/update-spamhaus-nftables.service
    - /etc/systemd/system/update-spamhaus-nftables.timer
    - /usr/local/bin/aggregate-cidr-addresses.pl
  notify:
    - restart nftables
    - restart fail2ban

- name: Copy nftables systemd units
  ansible.builtin.copy:
    src: "{{ item }}"
    dest: /etc/systemd/system/{{ item }}
    mode: "0644"
    owner: root
    group: root
  loop:
    - update-firehol-nftables.service
    - update-firehol-nftables.timer
  register: nftables_systemd_units

# need to reload to pick up service/timer/environment changes
- name: Reload systemd daemon
  ansible.builtin.systemd: # noqa no-handler
    daemon_reload: true
  when: nftables_systemd_units is changed

- name: Start and enable nftables update timers
  ansible.builtin.systemd:
    name: "{{ item }}"
    state: started
    enabled: true
  loop:
    - update-firehol-nftables.timer

- name: Start and enable nftables
  ansible.builtin.systemd:
    name: nftables
    state: started
    enabled: true

# vim: set sw=2 ts=2:
roles/common: use common nftables task Use a common nftables task on Debian and Ubuntu. 2025-01-27 22:40:29 +03:00			`---`
			`# Common nftables tasks for Ubuntu 20.04, Ubuntu 22.04, Ubuntu 24.04, Debian 11,`
			`# and Debian 12.`

			`- name: Copy nftables.conf`
			`ansible.builtin.template:`
			`src: nftables.conf.j2`
			`dest: /etc/nftables.conf`
			`owner: root`
			`mode: "0644"`
			`notify:`
			`- restart nftables`
			`- restart fail2ban`

			`- name: Create /etc/nftables extra config directory`
			`ansible.builtin.file:`
			`path: /etc/nftables`
			`state: directory`
			`owner: root`
			`mode: "0755"`

			`- name: Copy extra nftables configuration files`
			`ansible.builtin.copy:`
			`src: "{{ item.src }}"`
			`dest: /etc/nftables/{{ item.src }}`
			`owner: root`
			`group: root`
			`mode: "0644"`
			`force: "{{ item.force }}"`
			`loop:`
			`- { src: firehol_level1-ipv4.nft, force: false }`
			`notify:`
			`- restart nftables`
			`- restart fail2ban`

			`- name: Copy nftables update scripts`
			`ansible.builtin.template:`
			`src: update-firehol-nftables.sh.j2`
			`dest: /usr/local/bin/update-firehol-nftables.sh`
			`mode: "0755"`
			`owner: root`
			`group: root`

			`- name: Remove deprecated data and scripts`
			`ansible.builtin.file:`
			`path: "{{ item }}"`
			`state: absent`
			`loop:`
			`- /etc/nftables/spamhaus-ipv4.nft`
			`- /etc/nftables/spamhaus-ipv6.nft`
			`- /etc/nftables/abuseipdb-ipv4.nft`
			`- /etc/nftables/abuseipdb-ipv6.nft`
			`- /etc/nftables/abusech-ipv4.nft`
			`- /usr/local/bin/update-abusech-nftables.sh`
			`- /usr/local/bin/update-spamhaus-nftables.sh`
			`- /etc/systemd/system/update-abusech-nftables.service`
			`- /etc/systemd/system/update-abusech-nftables.timer`
			`- /etc/systemd/system/update-spamhaus-nftables.service`
			`- /etc/systemd/system/update-spamhaus-nftables.timer`
			`- /usr/local/bin/aggregate-cidr-addresses.pl`
			`notify:`
			`- restart nftables`
			`- restart fail2ban`

			`- name: Copy nftables systemd units`
			`ansible.builtin.copy:`
			`src: "{{ item }}"`
			`dest: /etc/systemd/system/{{ item }}`
			`mode: "0644"`
			`owner: root`
			`group: root`
			`loop:`
			`- update-firehol-nftables.service`
			`- update-firehol-nftables.timer`
			`register: nftables_systemd_units`

			`# need to reload to pick up service/timer/environment changes`
			`- name: Reload systemd daemon`
			`ansible.builtin.systemd: # noqa no-handler`
			`daemon_reload: true`
			`when: nftables_systemd_units is changed`

			`- name: Start and enable nftables update timers`
			`ansible.builtin.systemd:`
			`name: "{{ item }}"`
			`state: started`
			`enabled: true`
			`loop:`
			`- update-firehol-nftables.timer`

			`- name: Start and enable nftables`
			`ansible.builtin.systemd:`
			`name: nftables`
			`state: started`
			`enabled: true`

			`# vim: set sw=2 ts=2:`