feat: Create role

.gitignore

@@ -21,4 +21,4 @@ tags
 
 # ---> Ansible
 *.retry
-
+.ansible

README.md

@@ -1,3 +1,65 @@
-# role_modele
+# role_nftables
 
-Modèle
+Allow to install, enable and manage nftables.
+
+## Variables
+
+### nftables_conf_template
+
+Template deployed as nftables configuration.
+
+*<span style="text-decoration: underline">Default value:</span> false*
+
+### nftables_conf_path
+
+Configuration fullpath of nftables.
+
+*<span style="text-decoration: underline">Default value:</span> false*
+
+### nftables_rules_*
+
+List of dicts containing rules to deploy with comment and associated rules.
+
+*<span style="text-decoration: underline">Default value:</span> none*
+
+## Usages
+
+### inventory.yml
+
+```yaml
+---
+
+all:
+  hosts:
+    host1.ykn.local:
+    host2.ykn.local:
+  children:
+    dnsservers:
+      hosts:
+        host1.ykn.local:
+        host2.ykn.local:
+```
+
+### group_vars/dnsservers.yml
+
+```yaml
+---
+
+nftables_rules_dnsservers:
+  - comment: Allow LAN to dns
+    rules:
+      - "ip saddr 192.168.93.0/24 meta l4proto {tcp, udp} th dport 53 accept"
+      - "ip6 saddr abcd:ef9:8765:895::/64 meta l4proto {tcp, udp} th dport 53 accept"
+      - "ip6 saddr fe80::/64 meta l4proto {tcp, udp} th dport 53 accept"
+```
+
+### host_vars/host1.ykn.local.yml
+
+```yaml
+---
+
+nftables_rules_host:
+  - comment: Allow ANY to https
+    rules:
+      - "tcp dport 443 accept"
+```

defaults/main.yml

@@ -0,0 +1,11 @@
+---
+# defaults file for nftables
+
+# Template used to configure nftables
+nftables_conf_template: nftables.conf.j2
+
+# Default configuration path
+nftables_conf_path: /etc/nftables.conf
+
+# List of rules to deploy
+nftables_rules: []

handlers/main.yml

@@ -0,0 +1,10 @@
+---
+# handlers file for nftables
+
+- name: Restart nftables.service
+  ansible.builtin.systemd:
+    name: nftables.service
+    state: restarted
+    enabled: true
+    masked: false
+  become: true

meta/main.yml

@@ -1,7 +1,7 @@
 galaxy_info:
   namespace: ykn
   author: pulsar89.5
-  description: Rôle modèle
+  description: Rôle de déploiement de nftables (pare-feu)
 
   license: GPL-3.0-or-later
 

tasks/configuration.yml

@@ -0,0 +1,20 @@
+---
+# tasks file for nftables
+
+- name: Build rules list
+  ansible.builtin.set_fact:
+    nftables_rules: "{{ nftables_rules + specific }}"
+  when: specific | length > 0
+  loop: "{{ lookup('ansible.builtin.varnames', '^nftables_rules_.+', wantlist=True) }}"
+  vars:
+    specific: "{{ lookup('ansible.builtin.vars', item, default='') }}"
+
+- name: Deploy configuration file
+  ansible.builtin.template:
+    src: "{{ nftables_conf_template }}"
+    dest: "{{ nftables_conf_path }}"
+    owner: root
+    group: root
+    mode: u=rw,g=,o=
+  become: true
+  notify: Restart nftables.service

tasks/installation.yml

@@ -0,0 +1,8 @@
+---
+# tasks file for nftables
+
+- name: Install nftables
+  ansible.builtin.apt:
+    state: present
+    name: nftables
+  when: ansible_facts['pkg_mgr'] == "apt"

tasks/main.yml

@@ -0,0 +1,10 @@
+---
+# tasks file for nftables
+
+- name: Include installation tasks
+  ansible.builtin.include_tasks:
+    file: installation.yml
+
+- name: Import configuration tasks
+  ansible.builtin.import_tasks:
+    file: configuration.yml

templates/nftables.conf.j2

@@ -0,0 +1,31 @@
+#!/usr/sbin/nft -f
+# {{ ansible_managed }}
+
+flush ruleset
+
+table inet filter {
+  chain input {
+    type filter hook input priority 0;
+
+    # Accept any localhost traffic
+    iif lo accept
+
+    # Accept traffic originated from us
+    ct state established,related accept
+
+    # Accept neighbour discovery otherwise IPv6 connectivity breaks.
+    ip6 nexthdr icmpv6 icmpv6 type {nd-neighbor-solicit,  nd-router-advert, nd-neighbor-advert} accept
+
+    # Specific rules
+{% for infos in nftables_rules %}
+    ## {{ infos.comment }}
+    {{ infos.rules | join('\n') | indent(width=4, first=false) }}
+{% if not loop.last %}
+
+{% endif %}
+{% endfor %}
+
+    # Count and drop any other traffic
+    counter drop
+  }
+}