From 5312dc6bd59907cdaa71e793a266907baca5a1b8 Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Mon, 27 Jan 2025 22:40:29 +0300
Subject: [PATCH] roles/common: use common nftables task
Use a common nftables task on Debian and Ubuntu.
---
 roles/common/tasks/firewall_Debian.yml | 89 +----------------------
 roles/common/tasks/firewall_Ubuntu.yml | 89 +----------------------
 roles/common/tasks/nftables.yml | 97 ++++++++++++++++++++++++++
 3 files changed, 101 insertions(+), 174 deletions(-)
 create mode 100644 roles/common/tasks/nftables.yml
diff --git a/roles/common/tasks/firewall_Debian.yml b/roles/common/tasks/firewall_Debian.yml
index 585eb86..891fdcb 100644
--- a/roles/common/tasks/firewall_Debian.yml
+++ b/roles/common/tasks/firewall_Debian.yml
@@ -17,94 +17,9 @@
 pkg: iptables
 state: absent
-- name: Copy nftables.conf
- when: ansible_distribution_major_version is version('11', '>=')
- ansible.builtin.template:
- src: nftables.conf.j2
- dest: /etc/nftables.conf
- owner: root
- mode: "0644"
- notify:
- - restart nftables
- - restart fail2ban
-
-- name: Create /etc/nftables extra config directory
- when: ansible_distribution_major_version is version('11', '>=')
- ansible.builtin.file:
- path: /etc/nftables
- state: directory
- owner: root
- mode: "0755"
-
-- name: Copy extra nftables configuration files
- when: ansible_distribution_major_version is version('11', '>=')
- ansible.builtin.copy:
- src: "{{ item.src }}"
- dest: /etc/nftables/{{ item.src }}
- owner: root
- group: root
- mode: "0644"
- force: "{{ item.force }}"
- loop:
- - { src: spamhaus-ipv4.nft, force: "no" }
- - { src: spamhaus-ipv6.nft, force: "no" }
- - { src: abusech-ipv4.nft, force: "no" }
- - { src: abuseipdb-ipv4.nft, force: "yes" }
- - { src: abuseipdb-ipv6.nft, force: "yes" }
- notify:
- - restart nftables
- - restart fail2ban
-
-- name: Copy nftables update scripts
+- name: Configure nftables
+ ansible.builtin.include_tasks: nftables.yml
 when: ansible_distribution_version is version('11', '>=')
- ansible.builtin.copy:
- src: "{{ item }}"
- dest: /usr/local/bin/{{ item }}
- mode: "0755"
- owner: root
- group: root
- loop:
- - update-spamhaus-nftables.sh
- - aggregate-cidr-addresses.pl
- - update-abusech-nftables.sh
-
-- name: Copy nftables systemd units
- when: ansible_distribution_version is version('11', '>=')
- ansible.builtin.copy:
- src: "{{ item }}"
- dest: /etc/systemd/system/{{ item }}
- mode: "0644"
- owner: root
- group: root
- loop:
- - update-spamhaus-nftables.service
- - update-spamhaus-nftables.timer
- - update-abusech-nftables.service
- - update-abusech-nftables.timer
- register: nftables_systemd_units
-
-# need to reload to pick up service/timer/environment changes
-- name: Reload systemd daemon
- ansible.builtin.systemd:
- daemon_reload: true
- when: nftables_systemd_units is changed
-
-- name: Start and enable nftables update timers
- when: ansible_distribution_version is version('11', '>=')
- ansible.builtin.systemd:
- name: "{{ item }}"
- state: started
- enabled: true
- loop:
- - update-spamhaus-nftables.timer
- - update-abusech-nftables.timer
-
-- name: Start and enable nftables
- when: ansible_distribution_major_version is version('11', '>=')
- ansible.builtin.systemd:
- name: nftables
- state: started
- enabled: true
 - ansible.builtin.include_tasks: fail2ban.yml
 when:
diff --git a/roles/common/tasks/firewall_Ubuntu.yml b/roles/common/tasks/firewall_Ubuntu.yml
index 4afc3c8..3355791 100644
--- a/roles/common/tasks/firewall_Ubuntu.yml
+++ b/roles/common/tasks/firewall_Ubuntu.yml
@@ -16,94 +16,9 @@
 name: ufw
 state: absent
-- name: Copy nftables.conf
+- name: Configure nftables
+ ansible.builtin.include_tasks: nftables.yml
 when: ansible_distribution_version is version('20.04', '>=')
- ansible.builtin.template:
- src: nftables.conf.j2
- dest: /etc/nftables.conf
- owner: root
- mode: "0644"
- notify:
- - restart nftables
- - restart fail2ban
-
-- name: Create /etc/nftables extra config directory
- when: ansible_distribution_version is version('20.04', '>=')
- ansible.builtin.file:
- path: /etc/nftables
- state: directory
- owner: root
- mode: "0755"
-
-- name: Copy extra nftables configuration files
- when: ansible_distribution_version is version('20.04', '>=')
- ansible.builtin.copy:
- src: "{{ item.src }}"
- dest: /etc/nftables/{{ item.src }}
- owner: root
- group: root
- mode: "0644"
- force: "{{ item.force }}"
- loop:
- - { src: spamhaus-ipv4.nft, force: "no" }
- - { src: spamhaus-ipv6.nft, force: "no" }
- - { src: abusech-ipv4.nft, force: "no" }
- - { src: abuseipdb-ipv4.nft, force: "yes" }
- - { src: abuseipdb-ipv6.nft, force: "yes" }
- notify:
- - restart nftables
- - restart fail2ban
-
-- name: Copy nftables update scripts
- when: ansible_distribution_version is version('20.04', '>=')
- ansible.builtin.copy:
- src: "{{ item }}"
- dest: /usr/local/bin/{{ item }}
- mode: "0755"
- owner: root
- group: root
- loop:
- - update-spamhaus-nftables.sh
- - aggregate-cidr-addresses.pl
- - update-abusech-nftables.sh
-
-- name: Copy nftables systemd units
- when: ansible_distribution_version is version('20.04', '>=')
- ansible.builtin.copy:
- src: "{{ item }}"
- dest: /etc/systemd/system/{{ item }}
- mode: "0644"
- owner: root
- group: root
- loop:
- - update-spamhaus-nftables.service
- - update-spamhaus-nftables.timer
- - update-abusech-nftables.service
- - update-abusech-nftables.timer
- register: nftables_systemd_units
-
-# need to reload to pick up service/timer/environment changes
-- name: Reload systemd daemon
- ansible.builtin.systemd:
- daemon_reload: true
- when: nftables_systemd_units is changed
-
-- name: Start and enable nftables update timers
- when: ansible_distribution_version is version('20.04', '>=')
- ansible.builtin.systemd:
- name: "{{ item }}"
- state: started
- enabled: true
- loop:
- - update-spamhaus-nftables.timer
- - update-abusech-nftables.timer
-
-- name: Start and enable nftables
- when: ansible_distribution_version is version('20.04', '>=')
- ansible.builtin.systemd:
- name: nftables
- state: started
- enabled: true
 - ansible.builtin.include_tasks: fail2ban.yml
 when:
diff --git a/roles/common/tasks/nftables.yml b/roles/common/tasks/nftables.yml
new file mode 100644
index 0000000..319abcc
--- /dev/null
+++ b/roles/common/tasks/nftables.yml
@@ -0,0 +1,97 @@
+---
+# Common nftables tasks for Ubuntu 20.04, Ubuntu 22.04, Ubuntu 24.04, Debian 11,
+# and Debian 12.
+
+- name: Copy nftables.conf
+ ansible.builtin.template:
+ src: nftables.conf.j2
+ dest: /etc/nftables.conf
+ owner: root
+ mode: "0644"
+ notify:
+ - restart nftables
+ - restart fail2ban
+
+- name: Create /etc/nftables extra config directory
+ ansible.builtin.file:
+ path: /etc/nftables
+ state: directory
+ owner: root
+ mode: "0755"
+
+- name: Copy extra nftables configuration files
+ ansible.builtin.copy:
+ src: "{{ item.src }}"
+ dest: /etc/nftables/{{ item.src }}
+ owner: root
+ group: root
+ mode: "0644"
+ force: "{{ item.force }}"
+ loop:
+ - { src: firehol_level1-ipv4.nft, force: false }
+ notify:
+ - restart nftables
+ - restart fail2ban
+
+- name: Copy nftables update scripts
+ ansible.builtin.template:
+ src: update-firehol-nftables.sh.j2
+ dest: /usr/local/bin/update-firehol-nftables.sh
+ mode: "0755"
+ owner: root
+ group: root
+
+- name: Remove deprecated data and scripts
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: absent
+ loop:
+ - /etc/nftables/spamhaus-ipv4.nft
+ - /etc/nftables/spamhaus-ipv6.nft
+ - /etc/nftables/abuseipdb-ipv4.nft
+ - /etc/nftables/abuseipdb-ipv6.nft
+ - /etc/nftables/abusech-ipv4.nft
+ - /usr/local/bin/update-abusech-nftables.sh
+ - /usr/local/bin/update-spamhaus-nftables.sh
+ - /etc/systemd/system/update-abusech-nftables.service
+ - /etc/systemd/system/update-abusech-nftables.timer
+ - /etc/systemd/system/update-spamhaus-nftables.service
+ - /etc/systemd/system/update-spamhaus-nftables.timer
+ - /usr/local/bin/aggregate-cidr-addresses.pl
+ notify:
+ - restart nftables
+ - restart fail2ban
+
+- name: Copy nftables systemd units
+ ansible.builtin.copy:
+ src: "{{ item }}"
+ dest: /etc/systemd/system/{{ item }}
+ mode: "0644"
+ owner: root
+ group: root
+ loop:
+ - update-firehol-nftables.service
+ - update-firehol-nftables.timer
+ register: nftables_systemd_units
+
+# need to reload to pick up service/timer/environment changes
+- name: Reload systemd daemon
+ ansible.builtin.systemd: # noqa no-handler
+ daemon_reload: true
+ when: nftables_systemd_units is changed
+
+- name: Start and enable nftables update timers
+ ansible.builtin.systemd:
+ name: "{{ item }}"
+ state: started
+ enabled: true
+ loop:
+ - update-firehol-nftables.timer
+
+- name: Start and enable nftables
+ ansible.builtin.systemd:
+ name: nftables
+ state: started
+ enabled: true
+
+# vim: set sw=2 ts=2:
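Review bot: The `Remove deprecated data and scripts` task deletes the `update-spamhaus-nftables.timer` and `update-abusech-nftables.timer` unit files that the replaced per-distro tasks had started and enabled, but nothing stops or disables those timers first, so on already-configured hosts the old timers stay loaded until reboot and their enable symlinks are left dangling. A stop/disable task placed before the removal closes that gap; it has to tolerate hosts that never had the units, which the `failed_when` below does by ignoring only the systemd module's "Could not find the requested service" failure. The `Reload systemd daemon` task is also gated solely on `nftables_systemd_units`, so deleting the old units never triggers a daemon-reload — registering the removal task (say as `deprecated_files`) and using `when: nftables_systemd_units is changed or deprecated_files is changed` would cover both. Lastly, the removal notifies `restart nftables`; if `nftables.conf.j2` (not in this patch) still includes any of the deleted `/etc/nftables/*.nft` files, that restart would fail to load the ruleset, so the template should be verified in the same change.
```yaml
- name: Stop and disable deprecated nftables update timers
  ansible.builtin.systemd:
    name: "{{ item }}"
    state: stopped
    enabled: false
  loop:
    - update-spamhaus-nftables.timer
    - update-abusech-nftables.timer
  register: deprecated_timers
  # tolerate hosts that never had these units; any other failure still aborts
  failed_when:
    - deprecated_timers is failed
    - "'Could not find the requested service' not in deprecated_timers.msg"

# … unchanged: Remove deprecated data and scripts …
```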