authorChristian Pointner <equinox@spreadspace.org>2022-06-15 19:35:36 +0200
committerChristian Pointner <equinox@spreadspace.org>2022-06-15 19:35:36 +0200
commit8e5c279f7cecf29589835e74602155b9afc430d8 (patch)
treec55e219fa44c220a29a4ef55ddc10c5f37456675 /roles
parentupdate apt-repo gpg key for tor-project (diff)
add simple handling for nftable rulesets in base role
Diffstat (limited to 'roles')
-rw-r--r--roles/core/ntp/tasks/Debian_systemd-timesyncd.yml6
-rw-r--r--roles/network/nftables/base/defaults/main.yml11
-rw-r--r--roles/network/nftables/base/tasks/main.yml12
3 files changed, 29 insertions, 0 deletions
diff --git a/roles/core/ntp/tasks/Debian_systemd-timesyncd.yml b/roles/core/ntp/tasks/Debian_systemd-timesyncd.yml
index ae8068b4..40c6629e 100644
--- a/roles/core/ntp/tasks/Debian_systemd-timesyncd.yml
+++ b/roles/core/ntp/tasks/Debian_systemd-timesyncd.yml
@@ -6,6 +6,12 @@
- ntp_server is not defined
msg: "systemd-timesyncd can not be used as a NTP server or sync to local clocks"
+- name: install systemd-timesyncd
+ when: (ansible_distribution == 'Debian' and (ansible_distribution_major_version | int) > 10) or (ansible_distribution == 'Ubuntu')
+ apt:
+ name: systemd-timesyncd
+ state: present
+
- name: set ntp servers
when:
- ntp_client is defined
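Review bot: The new `install systemd-timesyncd` task gates on Debian major version > 10 or any Ubuntu without saying why, so the next reader has to rediscover the packaging reason behind the threshold; a comment such as `# systemd-timesyncd is shipped as its own package on Debian 11+ and Ubuntu` above the `when:` would carry that. The task also appears unrelated to the nftables handling the commit message describes, so it may be worth a commit of its own. The enclosing task list continues outside the hunk.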
diff --git a/roles/network/nftables/base/defaults/main.yml b/roles/network/nftables/base/defaults/main.yml
new file mode 100644
index 00000000..95ec9073
--- /dev/null
+++ b/roles/network/nftables/base/defaults/main.yml
@@ -0,0 +1,11 @@
+---
+nftables_base_rules: {}
+
+# nftables_base_rules:
+# example: |
+# table inet global {
+# chain input {
+# type filter hook input priority filter; policy drop;
+# ct state vmap { established: accept, related: accept, invalid: drop }
+# }
+# }
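Review bot: The commented example does not say how the mapping is consumed: each key ends up as the file name `/etc/nftables.d/<key>.nft` and the value is written into it verbatim, so the key must be a plain file name and the value a complete nftables fragment. A line such as `# each key becomes /etc/nftables.d/<key>.nft; the value is written verbatim` above the example would make that contract visible where operators set the variable.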
diff --git a/roles/network/nftables/base/tasks/main.yml b/roles/network/nftables/base/tasks/main.yml
index 46c7d0b5..3f268681 100644
--- a/roles/network/nftables/base/tasks/main.yml
+++ b/roles/network/nftables/base/tasks/main.yml
@@ -8,6 +8,18 @@
path: /etc/nftables.d
state: directory
+- name: generate rules files
+ loop: "{{ nftables_base_rules | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ copy:
+ content: |
+ # Ansible managed
+
+ {{ item.value }}
+ dest: "/etc/nftables.d/{{ item.key }}.nft"
+ notify: reload nftables
+
- name: generate base nft script
copy:
content: |
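Review bot: Removing a key from `nftables_base_rules` leaves its `/etc/nftables.d/<key>.nft` on disk, because the new `generate rules files` task only writes files and nothing deletes ones no longer in the mapping, so rules an operator has dropped from the inventory keep being loaded for as long as the base script includes that directory (presumably it does, given the files are placed there). A `find` over `/etc/nftables.d` for `*.nft`, followed by a `file: state: absent` loop over results whose basename is not a key of `nftables_base_rules`, also notifying `reload nftables`, would close that gap, taking care not to remove whatever the base nft script below writes if it lands in the same directory. Separately, `item.key` is interpolated into `dest` unfiltered; `dest: "/etc/nftables.d/{{ item.key | basename }}.nft"` keeps a key containing `/` inside the directory. The `generate base nft script` task at the end of the hunk continues outside it.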