ansibleguy.addons_nftables

<a href="https://netfilter.org/projects/nftables/index.html">
<img src="https://netfilter.org/images/netfilter-logo3.png" alt="NFTables logo" width="400"/>
</a>

# Ansible Role - NFTables Add-Ons

This role helps you install Add-ons for NFTables on Linux servers.

<a href='https://ko-fi.com/ansible0guy' target='_blank'><img height='35' style='border:0px;height:46px;' src='https://az743702.vo.msecnd.net/cdn/kofi3.png?v=0' border='0' alt='Buy me a coffee' /></a>

[![Molecule Test Status](https://badges.ansibleguy.net/addons_nftables.molecule.svg)](https://github.com/ansibleguy/_meta_cicd/blob/latest/templates/usr/local/bin/cicd/molecule.sh.j2)
[![YamlLint Test Status](https://badges.ansibleguy.net/addons_nftables.yamllint.svg)](https://github.com/ansibleguy/_meta_cicd/blob/latest/templates/usr/local/bin/cicd/yamllint.sh.j2)
[![PyLint Test Status](https://badges.ansibleguy.net/addons_nftables.pylint.svg)](https://github.com/ansibleguy/_meta_cicd/blob/latest/templates/usr/local/bin/cicd/pylint.sh.j2)
[![Ansible-Lint Test Status](https://badges.ansibleguy.net/addons_nftables.ansiblelint.svg)](https://github.com/ansibleguy/_meta_cicd/blob/latest/templates/usr/local/bin/cicd/ansiblelint.sh.j2)
[![Ansible Galaxy](https://badges.ansibleguy.net/galaxy.badge.svg)](https://galaxy.ansible.com/ui/standalone/roles/ansibleguy/addons_nftables)

Molecule Logs: [Short](https://badges.ansibleguy.net/log/molecule_addons_nftables_test_short.log), [Full](https://badges.ansibleguy.net/log/molecule_addons_nftables_test.log)

**Tested on:**
* Debian 11
* Debian 12

## Installation

```bash
# to install the latest version
ansible-galaxy role install git+https://github.com/ansibleguy/addons_nftables

# to install from Ansible Galaxy
ansible-galaxy install ansibleguy.addons_nftables

# or to install in a custom location
ansible-galaxy install ansibleguy.addons_nftables --roles-path ./roles
```

## Documentation


## How to Use

You can manage your NFTables base configuration using the ansibleguy.infra_nftables role!

## Configuration

For a detailed example, refer to this Example!

Define the configurations as needed:

```yaml
nftables_addons:
  enable:
    dns: true  # enable DNS add-on
    dns_v6: true  # enable IPv6 for DNS add-on
    iplist: true  # enable IP List add-on
    iplist_v6: true  # enable IPv6 for IP List add-on
    # timer: true  # set to false if you prefer to manage the timer yourself
    # systemd: true  # use systemd timers to update add-ons
    # cron: false  # use cron jobs to update add-ons
    # include: true  # set to false to disable automatic inclusion of add-ons in /etc/nftables.conf

  config:
    iplists:
      iplist_tor_exit_nodes:  # Variable name
        urls: ['https://check.torproject.org/torbulkexitlist']
        separator: "\n"
        comment: '#'
    dns_records:
      ntp_servers: ['0.europe.pool.ntp.org', '1.europe.pool.ntp.org']
      repo_debian: ['deb.debian.org', 'debian.map.fastlydns.net', 'security.debian.org']

  ext: 'nft'  # extension for nftables configuration files
  path:
    base:
      config: '/etc/nftables.conf'
      dir: '/etc/nftables.d'
    addon:
      dir: '/etc/nftables.d/addons'

  timer:
    systemd:
      dns: '*:0/15'  # update every 15 minutes
      iplist: '*-*-* 00,12:00:00'  # update twice daily

    # cron:
    #   dns:  # every 15 minutes
    #     minute: '*/15'
    #   iplist:  # twice daily
    #     minute: '0'
    #     hour: '0,12'
```

## Running the Playbook

To execute the playbook, use the following command:

```bash
ansible-playbook -K -D -i inventory/hosts.yml playbook.yml
```

Some useful tags include:

* dns
* iplist
* config (only updates the add-on configuration)

For debugging, set the 'debug' variable during runtime:

```bash
ansible-playbook -K -D -i inventory/hosts.yml playbook.yml -e debug=yes
```

## Features

* Configuration:
  * Default settings:
    * Systemd Timer to run the add-ons
    * Logs to Syslog
    * IPv6 variable suffix: '_v6'
      * For example: variable 'repo_debian' => 'repo_debian_v6'
    * Update Timers
      * DNS gets updated every 15 minutes
      * IP List gets updated twice a day
    * Systemd
      * Syslog ID: 'nftables_addon_{ addon }'
      * Service/Timer Prefix: 'ansibleguy.addons_nftables-'
  * Default options included:
    * Timer for automatic updates
    * Systemd Timer
    * Adding include to '/etc/nftables.conf'
  * Default options excluded:
    * Add-ons
      * DNS
        * IPv6 processing for DNS
      * IP Lists
        * IPv6 processing for IP Lists
    * Cron Job Timer

## Important Notes

* Note: This role only supports Debian-based systems
* Note: Most features can be turned on or off. Check all available options in the default-config found in the main defaults file!
* Warning: Not all settings/variables you provide will be validated. Incorrect configurations might cause issues!
* Note: Every variable you define will be created, because missing variables can break your configuration! If a DNS record cannot be resolved or returns no entry, a fallback value will be used (IPv4: 0.0.0.0, IPv6: ::) for reliability.
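To make the generation logic concrete, here is an added Python example (not the role's own code) that mimics what an add-on run produces from the configuration above: it parses a downloaded IP list with the `separator`/`comment` options, collects DNS answers through an injected resolver, and renders nftables `define` variables with the `_v6` suffix and the 0.0.0.0/:: fallbacks from the note above. The `define` output format and all function names are assumptions, and the sample list and resolver answers are constructed.

```python
import ipaddress
from typing import Callable, List, Tuple

Entry = Tuple[str, int]  # (address or CIDR as text, IP version)
FALLBACK = {4: "0.0.0.0", 6: "::"}  # fallback values the README says the add-on uses

def parse_token(token: str) -> Entry:
    """Normalise one token; raises ValueError for anything that is not an IP or CIDR."""
    try:
        addr = ipaddress.ip_address(token)
        return str(addr), addr.version
    except ValueError:
        net = ipaddress.ip_network(token, strict=False)
        return str(net), net.version

def parse_iplist(body: str, separator: str = "\n", comment: str = "#") -> List[Entry]:
    """Split a downloaded list with the role's separator/comment options; junk lines are dropped."""
    entries: List[Entry] = []
    for raw in body.split(separator):
        line = raw.split(comment, 1)[0].strip() if comment else raw.strip()
        if not line:
            continue
        try:
            entries.append(parse_token(line))
        except ValueError:
            continue  # never let garbage from an untrusted feed reach the ruleset
    return entries

def resolve_records(hosts: List[str], resolver: Callable[[str], List[str]]) -> List[Entry]:
    """Collect A/AAAA answers per host; the resolver is injected (assumed) so this runs offline."""
    entries: List[Entry] = []
    for host in hosts:
        for answer in resolver(host):
            try:
                entries.append(parse_token(answer))
            except ValueError:
                continue
    return sorted(set(entries))

def render_defines(name: str, entries: List[Entry], want_v6: bool) -> List[str]:
    """Render nft define lines (assumed format): <name> for IPv4, <name>_v6 for IPv6."""
    lines: List[str] = []
    for version, suffix in ((4, ""), (6, "_v6")):
        if version == 6 and not want_v6:
            continue
        # an empty family gets the fallback so the variable is always defined (a missing one breaks the ruleset)
        values = [text for text, ver in entries if ver == version] or [FALLBACK[version]]
        lines.append(f"define {name}{suffix} = {{ {', '.join(values)} }}")
    return lines
```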


## Project information

Ansible Role to provision Add-Ons for NFTables on Linux servers

* Install: `ansible-galaxy install ansibleguy.addons_nftables`
* License: other
* Downloads: 2k
* Owner: [email protected] | GPG: https://badges.ansibleguy.net/public.gpg