From 8e5c279f7cecf29589835e74602155b9afc430d8 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Wed, 15 Jun 2022 19:35:36 +0200 Subject: add simple handling for nftable rulesets in base role --- chaos-at-home/ch-gw-lan.yml | 27 ----------------------- inventory/host_vars/ch-gw-lan.yml | 23 +++++++++++++++++++ roles/core/ntp/tasks/Debian_systemd-timesyncd.yml | 6 +++++ roles/network/nftables/base/defaults/main.yml | 11 +++++++++ roles/network/nftables/base/tasks/main.yml | 12 ++++++++++ 5 files changed, 52 insertions(+), 27 deletions(-) create mode 100644 roles/network/nftables/base/defaults/main.yml diff --git a/chaos-at-home/ch-gw-lan.yml b/chaos-at-home/ch-gw-lan.yml index 11d65b17..37ed17fa 100644 --- a/chaos-at-home/ch-gw-lan.yml +++ b/chaos-at-home/ch-gw-lan.yml 
@@ -10,33 +10,6 @@ - role: network/dhcp-server - role: network/nftables/base post_tasks: - - name: install public service nftable rules - copy: - content: | - # Ansible managed - - define nic_lan = lan0 - define public_ipv4 = {{ network_zones.magenta.prefix | ipaddr(network_zones.magenta.offsets['ch-router']) | ipaddr('address') }} - - table ip nat { - chain public-services-prerouting { - type nat hook prerouting priority -100; policy accept; - iif $nic_lan ip daddr $public_ipv4 tcp dport { 222 } dnat to {{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-router']) | ipaddr('address') }} comment "ssh-router" - {% for name, svc in network_services.items() %} - iif $nic_lan ip daddr $public_ipv4 tcp dport { {{ svc.ports | join(', ') }} } dnat to {{ svc.addr }} comment "{{ name }}" - {% endfor %} - } - chain public-services-output { - type nat hook output priority -100; policy accept; - ip daddr $public_ipv4 tcp dport { 222 } dnat to {{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-router']) | ipaddr('address') }} comment "ssh-router" - {% for name, svc in network_services.items() %} - ip daddr $public_ipv4 tcp dport { {{ svc.ports | join(', ') }} } dnat to {{ svc.addr }} comment "{{ name }}" - {% endfor %} - } - } - dest: /etc/nftables.d/public-services.nft - notify: reload nftables - - name: install etherwake apt: name: etherwake diff --git a/inventory/host_vars/ch-gw-lan.yml b/inventory/host_vars/ch-gw-lan.yml index 4637f04e..2aa27ab0 100644 --- a/inventory/host_vars/ch-gw-lan.yml +++ b/inventory/host_vars/ch-gw-lan.yml 
@@ -47,3 +47,26 @@ dhcp_server_interfaces: limit: "{{ network_zones.lan.dhcp.limit }}" domain: "{{ host_domain }}" dns: "{{ network_zones.lan.dns }}" + + +nftables_base_rules: + public-services: | + define nic_lan = lan0 + define public_ipv4 = {{ network_zones.magenta.prefix | ipaddr(network_zones.magenta.offsets['ch-router']) | ipaddr('address') }} + + table ip nat { + chain public-services-prerouting { + type nat hook prerouting priority -100; policy accept; + iif $nic_lan ip daddr $public_ipv4 tcp dport { 222 } dnat to {{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-router']) | ipaddr('address') }} comment "ssh-router" + {% for name, svc in network_services.items() %} + iif $nic_lan ip daddr $public_ipv4 tcp dport { {{ svc.ports | join(', ') }} } dnat to {{ svc.addr }} comment "{{ name }}" + {% endfor %} + } + chain public-services-output { + type nat hook output priority -100; policy accept; + ip daddr $public_ipv4 tcp dport { 222 } dnat to {{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-router']) | ipaddr('address') }} comment "ssh-router" + {% for name, svc in network_services.items() %} + ip daddr $public_ipv4 tcp dport { {{ svc.ports | join(', ') }} } dnat to {{ svc.addr }} comment "{{ name }}" + {% endfor %} + } + } diff --git a/roles/core/ntp/tasks/Debian_systemd-timesyncd.yml b/roles/core/ntp/tasks/Debian_systemd-timesyncd.yml index ae8068b4..40c6629e 100644 --- a/roles/core/ntp/tasks/Debian_systemd-timesyncd.yml +++ b/roles/core/ntp/tasks/Debian_systemd-timesyncd.yml @@ -6,6 +6,12 @@ - ntp_server is not defined msg: "systemd-timesyncd can not be used as a NTP server or sync to local clocks" +- name: install systemd-timesyncd + when: (ansible_distribution == 'Debian' and (ansible_distribution_major_version | int) > 10) or (ansible_distribution == 'Ubuntu') + apt: + name: systemd-timesyncd + state: present + - name: set ntp servers when: - ntp_client is defined 
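Review bot: The two NAT chains in `public-services` repeat the same rule list (the hard-coded `ssh-router` DNAT to port 222 plus the `network_services` loop), so any future change has to be made twice and the prerouting and output views of the public address can silently drift apart; factoring the targets into `define ssh_router = {{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-router']) | ipaddr('address') }}` and reusing it in both chains would keep them in lock-step. Note also that the rendered `tcp dport { {{ svc.ports | join(', ') }} }` becomes `tcp dport { }` for a service with an empty `ports` list, which nft presumably rejects at load time and would take the whole ruleset reload down with it; a `{% if svc.ports %}` guard or an assert on the inventory would make that failure mode explicit. The value is raw nft text written verbatim by the role, so there is no further validation between this inventory file and the running firewall.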
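Review bot: The new `install systemd-timesyncd` task gates Debian on `ansible_distribution_major_version | int > 10` but applies to every Ubuntu release unconditionally, which looks inconsistent: if I remember correctly the standalone `systemd-timesyncd` package only exists from Ubuntu 20.04 on, so on older releases `apt` would fail where the old code simply relied on the package being part of `systemd`. On Debian testing/sid `ansible_distribution_major_version` is reported as `n/a`, which `| int` turns into 0, so the package would presumably be skipped there and the following tasks would configure a service that is not installed. A short comment above the task stating why the version split exists, e.g. `# systemd-timesyncd is a separate package since Debian 11 / Ubuntu 20.04`, would document the intent, and the Ubuntu branch could get a matching `ansible_distribution_version is version('20.04', '>=')` check.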
diff --git a/roles/network/nftables/base/defaults/main.yml b/roles/network/nftables/base/defaults/main.yml new file mode 100644 index 00000000..95ec9073 --- /dev/null +++ b/roles/network/nftables/base/defaults/main.yml @@ -0,0 +1,11 @@ +--- +nftables_base_rules: {} + +# nftables_base_rules: +# example: | +# table inet global { +# chain input { +# type filter hook input priority filter; policy drop; +# ct state vmap { established: accept, related: accept, invalid: drop } +# } +# } diff --git a/roles/network/nftables/base/tasks/main.yml b/roles/network/nftables/base/tasks/main.yml index 46c7d0b5..3f268681 100644 --- a/roles/network/nftables/base/tasks/main.yml +++ b/roles/network/nftables/base/tasks/main.yml @@ -8,6 +8,18 @@ path: /etc/nftables.d state: directory +- name: generate rules files + loop: "{{ nftables_base_rules | dict2items }}" + loop_control: + label: "{{ item.key }}" + copy: + content: | + # Ansible managed + + {{ item.value }} + dest: "/etc/nftables.d/{{ item.key }}.nft" + notify: reload nftables + - name: generate base nft script copy: content: | -- cgit v1.2.3
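Review bot: The example ruleset in `defaults/main.yml` is a `policy drop` input chain whose only rule accepts `established`/`related` state, so anyone who uncomments it as a starting point locks themselves out of SSH and every other new inbound connection on the host; the comment should say so, e.g. `# NOTE: this example drops all NEW inbound traffic, including SSH - add accept rules for lo and your management ports before using it`. The defaults also do not explain the contract of the variable: from the tasks in this commit, the dict key becomes the file name `/etc/nftables.d/<key>.nft` and the value is written verbatim as nft syntax, which is worth stating here as `# each key becomes /etc/nftables.d/<key>.nft; the value is raw nft syntax and is not validated by the role` so inventory authors know the key ends up in a path.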
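Review bot: In `generate rules files` the dict key from `nftables_base_rules` is interpolated straight into `dest: "/etc/nftables.d/{{ item.key }}.nft"` without any check, so a key containing `/` or `..` writes outside the rules directory; inventory is trusted input, but firewall files are exactly where a typo should fail loudly rather than land somewhere unexpected, so an `assert` on the key names before the loop is cheap insurance. The task also leaves `mode` unset, so the resulting file permissions depend on the controller's umask; pinning `mode: "0644"` (and `owner`/`group: root`) makes the result reproducible. Finally, nothing removes a `.nft` file whose key was dropped from the variable, so rules the operator believes deleted keep being loaded as long as the base script (whose body continues outside this hunk and which I assume includes `/etc/nftables.d/*.nft`) picks up the directory; if no other role writes into that directory, a `find` + `file: state=absent` for unknown names, or at least a comment documenting the limitation, would close that gap.
```yaml
- name: check rules names are safe to use as file names
  assert:
    that:
      - nftables_base_rules | list | reject('match', '^[A-Za-z0-9_.-]+$') | list | length == 0
    fail_msg: "nftables_base_rules keys become /etc/nftables.d/<key>.nft and must match [A-Za-z0-9_.-]+"

- name: generate rules files
  loop: "{{ nftables_base_rules | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  copy:
    content: |
      # Ansible managed

      {{ item.value }}
    dest: "/etc/nftables.d/{{ item.key }}.nft"
    owner: root
    group: root
    mode: "0644"
  notify: reload nftables
# … unchanged: generate base nft script …
```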