From 62d698325d1c5eb9894758a8c43640bd942de537 Mon Sep 17 00:00:00 2001
From: Wojciech Kozlowski
Date: Sun, 18 Dec 2022 19:01:04 +0100
Subject: [PATCH] Extract nftables into its own role
---
 playbooks/system/main.yml | 2 ++
 playbooks/system/roles/base/defaults/main.yml | 2 --
 .../system/roles/base/meta/argument_specs.yml | 8 --------
 playbooks/system/roles/base/tasks/main.yml | 4 ----
 playbooks/system/roles/nftables/defaults/main.yml | 2 ++
 .../system/roles/nftables/meta/argument_specs.yml | 14 ++++++++++++++
 .../nftables.yml => nftables/tasks/main.yml} | 12 ++++++------
 .../templates}/nftables.conf.j2 | 0
 8 files changed, 24 insertions(+), 20 deletions(-)
 create mode 100644 playbooks/system/roles/nftables/defaults/main.yml
 create mode 100644 playbooks/system/roles/nftables/meta/argument_specs.yml
 rename playbooks/system/roles/{base/tasks/include/nftables.yml => nftables/tasks/main.yml} (67%)
 rename playbooks/system/roles/{base/templates/nftables => nftables/templates}/nftables.conf.j2 (100%)
diff --git a/playbooks/system/main.yml b/playbooks/system/main.yml
index b3f67ca..e9137cf 100644
--- a/playbooks/system/main.yml
+++ b/playbooks/system/main.yml
@@ -25,6 +25,8 @@
 - role: "mail"
 when: the_nine_worlds_production | bool
 tags: "system:mail"
+ - role: "nftables"
+ tags: "system:nftables"
 - role: "base"
 vars:
 system_base_motd_dir: "files/base/motd"
diff --git a/playbooks/system/roles/base/defaults/main.yml b/playbooks/system/roles/base/defaults/main.yml
index bfe399b..fd78e64 100644
--- a/playbooks/system/roles/base/defaults/main.yml
+++ b/playbooks/system/roles/base/defaults/main.yml
@@ -1,3 +1 @@
 system_base_additional_ssh_users: []
-system_base_additional_tcp_ports: []
-system_base_udp_ports: []
diff --git a/playbooks/system/roles/base/meta/argument_specs.yml b/playbooks/system/roles/base/meta/argument_specs.yml
index 92749ce..ffa84f9 100644
--- a/playbooks/system/roles/base/meta/argument_specs.yml
+++ b/playbooks/system/roles/base/meta/argument_specs.yml
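Review bot: The new `nftables` entry is placed ahead of `base`, so the firewall ruleset is now applied before the sshd tasks that `base` still imports (`include/sshd.yml` is visible in the base/tasks hunk), whereas before this commit it ran inside `base` after them. The new argument spec requires `ansible_port`, which suggests the ruleset is derived from the connection port rather than from whatever sshd ends up configured with, in which case the ordering is harmless — but that cannot be confirmed from this diff. A one-line comment on the entry would pin the intent, e.g. `# keep ahead of "base": the ruleset is built from ansible_port, not from the sshd tasks`. Unlike `mail`, the role carries no `when:` guard; presumably deliberate for a host firewall, so no change proposed there.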
@@ -14,14 +14,6 @@ argument_specs:
 type: "list"
 elements: "str"
 required: true
- system_base_additional_tcp_ports:
- type: "list"
- elements: "int"
- required: true
- system_base_udp_ports:
- type: "list"
- elements: "int"
- required: true
 system_base_fail2ban_ignoreip:
 type: "str"
 required: true
diff --git a/playbooks/system/roles/base/tasks/main.yml b/playbooks/system/roles/base/tasks/main.yml
index d43151d..3eeea46 100644
--- a/playbooks/system/roles/base/tasks/main.yml
+++ b/playbooks/system/roles/base/tasks/main.yml
@@ -2,10 +2,6 @@
 ansible.builtin.import_tasks: "include/sshd.yml"
 tags: "system:base:sshd"
-- name: "play:system : role:base : tasks:nftables"
- ansible.builtin.import_tasks: "include/nftables.yml"
- tags: "system:base:nftables"
-
 - name: "play:system : role:base : tasks:ntp"
 ansible.builtin.import_tasks: "include/ntp.yml"
 tags: "system:base:ntp"
diff --git a/playbooks/system/roles/nftables/defaults/main.yml b/playbooks/system/roles/nftables/defaults/main.yml
new file mode 100644
index 0000000..ea27a80
--- /dev/null
+++ b/playbooks/system/roles/nftables/defaults/main.yml
@@ -0,0 +1,2 @@
+system_base_additional_tcp_ports: []
+system_base_udp_ports: []
diff --git a/playbooks/system/roles/nftables/meta/argument_specs.yml b/playbooks/system/roles/nftables/meta/argument_specs.yml
new file mode 100644
index 0000000..69a5719
--- /dev/null
+++ b/playbooks/system/roles/nftables/meta/argument_specs.yml
@@ -0,0 +1,14 @@
+argument_specs:
+ main:
+ options:
+ ansible_port:
+ type: "int"
+ required: true
+ system_base_additional_tcp_ports:
+ type: "list"
+ elements: "int"
+ required: true
+ system_base_udp_ports:
+ type: "list"
+ elements: "int"
+ required: true
diff --git a/playbooks/system/roles/base/tasks/include/nftables.yml b/playbooks/system/roles/nftables/tasks/main.yml
similarity index 67%
rename from playbooks/system/roles/base/tasks/include/nftables.yml
rename to playbooks/system/roles/nftables/tasks/main.yml
index df6444a..2873d6c 100644
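Review bot: Both defaults in the new `nftables/defaults/main.yml` keep the `system_base_` prefix although they now belong to the `nftables` role, and the same names recur in the new `argument_specs.yml` and in the `register:` variables of `tasks/main.yml` (`system_base_nftables_conf`, `system_base_nftables_start`). Renaming to `system_nftables_additional_tcp_ports` / `system_nftables_udp_ports` would keep the role self-describing, but these values are supplied by callers or inventory outside this diff, so a rename has to land together with them. If the old names are kept deliberately, a comment in defaults/main.yml such as `# names keep the system_base_ prefix for inventory compatibility` would stop the next reader from "fixing" it.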
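Review bot: The new spec has no `short_description`/`description` on `main` and no `description` on any option, so `ansible-doc -t role` shows nothing about what the two port lists open or why `ansible_port` is needed; a one-line description per option (e.g. "additional TCP ports to accept inbound" for `system_base_additional_tcp_ports`) would fix that. `system_base_additional_tcp_ports` and `system_base_udp_ports` are declared `required: true` while defaults/main.yml in the same commit gives them `[]`, so the requirement can never trigger — drop either the default or the `required: true`. Declaring `ansible_port` as a required option presumably fails argument validation on any host whose inventory relies on the implicit SSH port and never sets the variable; if such hosts exist, reading it as `ansible_port | default(22)` in the template and dropping it from the spec is the safer shape, since a `default:` here would inject a role-scoped `ansible_port` over the connection variable.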
--- a/playbooks/system/roles/base/tasks/include/nftables.yml
+++ b/playbooks/system/roles/nftables/tasks/main.yml
@@ -1,26 +1,26 @@
-- name: "nftables : install nftables"
+- name: "install nftables"
 ansible.builtin.apt:
 name: "nftables"
-- name: "nftables : configure nftables"
+- name: "configure nftables"
 ansible.builtin.template:
- src: "./nftables/nftables.conf.j2"
+ src: "./nftables.conf.j2"
 dest: "/etc/nftables.conf"
 mode: 0755
 register: system_base_nftables_conf
-- name: "nftables : enable nftables"
+- name: "enable nftables"
 ansible.builtin.systemd:
 name: "nftables"
 enabled: true
-- name: "nftables : start nftables"
+- name: "start nftables"
 ansible.builtin.systemd:
 name: "nftables"
 state: "started"
 register: system_base_nftables_start
-- name: "nftables : reload nftables configuration"
+- name: "reload nftables configuration"
 ansible.builtin.command:
 cmd: "nft -f /etc/nftables.conf"
 when:
diff --git a/playbooks/system/roles/base/templates/nftables/nftables.conf.j2 b/playbooks/system/roles/nftables/templates/nftables.conf.j2
similarity index 100%
rename from playbooks/system/roles/base/templates/nftables/nftables.conf.j2
rename to playbooks/system/roles/nftables/templates/nftables.conf.j2
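Review bot: `mode: 0755` on the "configure nftables" template task is an unquoted octal, which a YAML 1.1 loader turns into the integer 493 before Ansible sees it; the rename was the moment to quote it as `mode: "0755"` (ansible-lint `risky-octal`). The task names dropped the `nftables : ` prefix, but the `register:` variables `system_base_nftables_conf` and `system_base_nftables_start` still carry the old role's prefix. The final "reload nftables configuration" task runs `nft -f` through `ansible.builtin.command` under a `when:` whose conditions lie past the end of the hunk, so whether this is a change-triggered reload that would read better as a handler with `notify:` cannot be judged here; that task continues outside the hunk.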