From 8e5c279f7cecf29589835e74602155b9afc430d8 Mon Sep 17 00:00:00 2001
From: Christian Pointner <equinox@spreadspace.org>
Date: Wed, 15 Jun 2022 19:35:36 +0200
Subject: add simple handling for nftable rulesets in base role

---
 roles/network/nftables/base/defaults/main.yml | 11 +++++++++++
 roles/network/nftables/base/tasks/main.yml    | 12 ++++++++++++
 2 files changed, 23 insertions(+)
 create mode 100644 roles/network/nftables/base/defaults/main.yml

(limited to 'roles/network/nftables')

diff --git a/roles/network/nftables/base/defaults/main.yml b/roles/network/nftables/base/defaults/main.yml
new file mode 100644
index 00000000..95ec9073
--- /dev/null
+++ b/roles/network/nftables/base/defaults/main.yml
@@ -0,0 +1,11 @@
+---
+nftables_base_rules: {}
+
+# nftables_base_rules:
+#   example: |
+#     table inet global {
+#       chain input {
+#         type filter hook input priority filter; policy drop;
+#         ct state vmap { established: accept, related: accept, invalid: drop }
+#       }
+#     }
diff --git a/roles/network/nftables/base/tasks/main.yml b/roles/network/nftables/base/tasks/main.yml
index 46c7d0b5..3f268681 100644
--- a/roles/network/nftables/base/tasks/main.yml
+++ b/roles/network/nftables/base/tasks/main.yml
@@ -8,6 +8,18 @@
     path: /etc/nftables.d
     state: directory
 
+- name: generate rules files
+  loop: "{{ nftables_base_rules | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
+  copy:
+    content: |
+      # Ansible managed
+
+      {{ item.value }}
+    dest: "/etc/nftables.d/{{ item.key }}.nft"
+  notify: reload nftables
+
 - name: generate base nft script
   copy:
     content: |
-- 
cgit v1.2.3