diff --git a/tasks/configuration.yml b/tasks/configuration.yml
index 026396f..8efbf6c 100644
--- a/tasks/configuration.yml
+++ b/tasks/configuration.yml
@@ -33,10 +33,7 @@
 group: root
 mode: u=rw,g=,o=
 src: "{{ role_path }}/templates/rules.conf.j2"
- dest: "/srv/nftables/rules_{{ item.filename }}.conf"
- loop: "{{ nftables_rules }}"
- loop_control:
- label: "{{ item.filename }}"
+ dest: "/srv/nftables/rules.conf"
 become: true
 notify: Redémarrer nftables.service
diff --git a/tasks/installation.yml b/tasks/installation.yml
index 6c30564..3f2bfa9 100644
--- a/tasks/installation.yml
+++ b/tasks/installation.yml
@@ -12,6 +12,9 @@
 owner: root
 group: root
 mode: u=rwx,g=rx,o=rx
- state: directory
+ state: "{{ item }}"
 path: /srv/nftables
 become: true
+ loop:
+ - absent
+ - directory
diff --git a/templates/nftables.conf.j2 b/templates/nftables.conf.j2
index 8df2dd3..4fc00e5 100644
--- a/templates/nftables.conf.j2
+++ b/templates/nftables.conf.j2
@@ -16,8 +16,8 @@ table inet filter {
 # accept neighbour discovery otherwise IPv6 connectivity breaks.
 ip6 nexthdr icmpv6 icmpv6 type {nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert} accept
- # include specifics rules
- include "/srv/nftables/rules_*.conf"
+ # include specific rules
+ include "/srv/nftables/rules.conf"
 # count and drop any other traffic
 counter drop
diff --git a/templates/rules.conf.j2 b/templates/rules.conf.j2
index 81e015c..d77c60d 100644
--- a/templates/rules.conf.j2
+++ b/templates/rules.conf.j2
@@ -1,5 +1,7 @@
 # {{ ansible_managed }}
-{% for rule in item.rules %}
-{{ rule }}
+{% for item in nftables_rules %}
+# {{ item.comment }}
+{{ item.rules | join('\n') }}
+
 {% endfor %}
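Review bot: The template task that now writes `/srv/nftables/rules.conf` still has no validation step, so a malformed entry in `nftables_rules` is only discovered when the `Redémarrer nftables.service` handler restarts the service, at which point the ruleset load fails on a host that is already on the network. Because rules.conf is a fragment included from inside a table block it cannot be checked on its own with `validate:`; a separate check of the rendered main configuration, e.g. `ansible.builtin.command: nft -c -f <main config path>`, placed after this task and before the handler runs, would catch the error before the restart. The enclosing task begins before this hunk, so its name and module are not visible here.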
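Review bot: Looping `state` over `absent` then `directory` deletes `/srv/nftables` on every run, so the task is never idempotent and, between the two iterations, neither the directory nor rules.conf exists; since the main configuration now includes `/srv/nftables/rules.conf` by exact name, any nftables (re)load that lands in that window fails. If the intent is to purge the old per-file `rules_*.conf` fragments that the glob include used to pick up, keep `state: directory` and remove only those files with a `find` followed by a `file` task, which is idempotent and never removes the file the running ruleset depends on. The task header (name and module) is above this hunk and is assumed to be `ansible.builtin.file`; adjust if the role uses another module.
```yaml
# … unchanged: task name / module header …
    state: directory
    path: /srv/nftables
  become: true

- name: Find stale per-file nftables rule fragments
  ansible.builtin.find:
    paths: /srv/nftables
    patterns: "rules_*.conf"
  register: nftables_stale_fragments
  become: true

- name: Remove stale per-file nftables rule fragments
  ansible.builtin.file:
    path: "{{ item.path }}"
    state: absent
  loop: "{{ nftables_stale_fragments.files }}"
  loop_control:
    label: "{{ item.path }}"
  become: true
```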
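Review bot: Switching from the `rules_*.conf` glob to a literal `include "/srv/nftables/rules.conf"` changes the failure mode when the file is absent: in my experience nft tolerates a wildcard include that matches nothing, but an include of a named file that does not exist is an error that aborts loading the whole ruleset, so this configuration now hard-depends on the template task having run first. That is worth stating on the comment so nobody later reorders the role or deletes the fragment by hand, e.g. `# include specific rules (rules.conf is rendered by Ansible; nft refuses to load this file if it is missing)`. The `table inet filter { … }` block that contains this include starts and ends outside the hunk.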
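Review bot: `{{ item.comment }}` is emitted verbatim after `#`, so a comment value containing a newline escapes the comment and is parsed by nft as rules, and the key is now mandatory, so any entry of `nftables_rules` without it aborts the render with an undefined-variable error. Both are fixed by `# {{ item.comment | default('') | replace('\n', ' ') }}`. As a point of style, naming the loop variable `item` is confusing because Ansible uses `item` for task loops and the task that renders this template no longer loops; `{% for rule_set in nftables_rules %}` would make it obvious that the iteration happens in the template.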