From 5d1b646d144c4f48e171ae1d0ac00e60c4f6c048 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Fri, 23 Mar 2018 10:16:31 -0500
Subject: [PATCH] roles/nftables: Basic nftables configuration
The *nftables* role handles installation and basic configuration of the userspace components for nftables. Note that this role currently only works on Fedora, and requires *nftables* 0.8 or later for wildcard includes.
---
 roles/nftables/files/nftables.conf | 6 ++++++
 roles/nftables/handlers/main.yml | 4 ++++
 roles/nftables/tasks/main.yml | 29 +++++++++++++++++++++++++++++
 3 files changed, 39 insertions(+)
 create mode 100644 roles/nftables/files/nftables.conf
 create mode 100644 roles/nftables/handlers/main.yml
 create mode 100644 roles/nftables/tasks/main.yml
diff --git a/roles/nftables/files/nftables.conf b/roles/nftables/files/nftables.conf
new file mode 100644
index 0000000..a897379
--- /dev/null
+++ b/roles/nftables/files/nftables.conf
@@ -0,0 +1,6 @@
+#
+# This this will contain your nftables rules and
+# is read by the systemd service when restarting
+#
+
+include "/etc/nftables/ruleset.d/*.nft"
diff --git a/roles/nftables/handlers/main.yml b/roles/nftables/handlers/main.yml
new file mode 100644
index 0000000..5afb8d3
--- /dev/null
+++ b/roles/nftables/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: reload nftables
+  service:
+    name=nftables
+    state=reloaded
diff --git a/roles/nftables/tasks/main.yml b/roles/nftables/tasks/main.yml
new file mode 100644
index 0000000..3ee75f3
--- /dev/null
+++ b/roles/nftables/tasks/main.yml
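Review bot: The config never clears the previously loaded rules before the `include`, so any path that re-applies `/etc/sysconfig/nftables.conf` without a preceding flush (a plain `nft -f`, or a unit whose ExecReload does not prepend `flush ruleset` — worth checking against the Fedora unit) appends a second copy of every rule from the `*.nft` drop-ins; make `flush ruleset` the first statement in the file, ahead of the include. The header comment also has a typo: `# This file will contain your nftables rules and`. Since the role ships no drop-ins, the unit comes up with an empty ruleset — no filtering at all — until something populates `/etc/nftables/ruleset.d`; that is worth stating in the comment so an active unit is not mistaken for an enforced policy.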
@@ -0,0 +1,29 @@
+- name: ensure nftables is installed
+  dnf:
+    name: nftables >= 0.8
+    state: present
+    enablerepo: updates-testing
+  tags:
+    - install
+
+- name: ensure nftables ruleset drop-in directory exists
+  file:
+    path=/etc/nftables/ruleset.d
+    mode=0755
+    state=directory
+- name: ensure nftables is configured
+  copy:
+    src=nftables.conf
+    dest=/etc/sysconfig/nftables.conf
+    mode=0644
+  notify: reload nftables
+
+- name: ensure nftables starts at boot
+  service:
+    name=nftables
+    enabled=yes
+- meta: flush_handlers
+- name: ensure nftables is running
+  service:
+    name=nftables
+    state=started
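Review bot: The copy task writes `/etc/sysconfig/nftables.conf` and the `reload nftables` handler then re-reads it with no syntax check in between, so a broken drop-in under `ruleset.d` is first detected by the reload on the live firewall, and if the unit's reload flushes before including (as Fedora's unit appears to) a failure leaves the host with no rules at all; add `validate: nft -c -f %s` to the copy task so a bad ruleset fails the play before anything is flushed. The install task enables `updates-testing` on every run, which pulls untested builds of a security-critical package rather than only the one version needed; gate it behind a role variable (`enablerepo: "{{ nftables_enablerepo | default(omit) }}"`) or drop it once 0.8 reaches the stable repo. The file mixes dict-style module arguments (the `dnf` task) with `key=value` strings (`file`, `copy`, `service`); use the dict form throughout. The `meta: flush_handlers` placed before the started task is deliberate but non-obvious; a comment such as `# run the reload handler now so the ruleset is loaded before asserting the unit is running` would help the next reader.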