roles/common: Retab nftables.conf.j2

The ones in this repo are only placeholders that get updated by the
update-spamhaus-nftables service, so we shouldn't overwrite them if
they exist.

roles/common/tasks/firewall_Debian.yml

@@ -39,7 +39,7 @@
 
   - name: Copy extra nftables configuration files
     when: ansible_distribution_major_version is version('11', '>=')
-    copy: src={{ item }} dest=/etc/nftables/{{ item }} owner=root group=root mode=0644
+    copy: src={{ item }} dest=/etc/nftables/{{ item }} owner=root group=root mode=0644 force=no
     loop:
       - spamhaus-ipv4.nft
       - spamhaus-ipv6.nft

roles/common/templates/nftables.conf.j2

@@ -48,7 +48,29 @@ table inet filter {
         ip6 nexthdr ipv6-icmp limit rate 4/second accept
         ip protocol igmp limit rate 4/second accept
 
-        ip saddr 172.20.0.1 ct state new tcp dport 22 counter accept
+        {# SSH rules #}
+        ip saddr 0.0.0.0/0 ct state new tcp dport 22 counter accept
+        ip6 saddr ::/0 ct state new tcp dport 22 counter accept
+
+        {# Web rules #}
+        {% if 'web' in group_names %}
+        ip saddr 0.0.0.0/0 ct state new tcp dport 80 counter accept
+        ip saddr 0.0.0.0/0 ct state new tcp dport 443 counter accept
+        ip6 saddr ::/0 ct state new tcp dport 80 counter accept
+        ip6 saddr ::/0 ct state new tcp dport 443 counter accept
+        {% endif %}
+
+        {# Extra rules #}
+        {% if extra_iptables_rules is defined %}
+        {% for rule in extra_iptables_rules %}
+        ip saddr {{ ghetto_ipsets[rule.acl].src }} ct state new {{ rule.protocol }} dport {{ rule.port }} counter accept
+
+        {% if ghetto_ipsets[rule.acl].ipv6src is defined %}
+        ip6 saddr {{ ghetto_ipsets[rule.acl].ipv6src }} ct state new {{ rule.protocol }} dport {{ rule.port }} counter accept
+        {% endif %}
+
+        {% endfor %}
+        {% endif %}
 
         # everything else
         reject with icmpx type port-unreachable