Ansible Role to provision Add-Ons for NFTables on Linux servers

ansibleguy/addons_nftables

Latest commit: 2177998 · Nov 10, 2024

Ansible Role - NFTables Add-Ons

Role to deploy Addons for NFTables on Linux servers.

Molecule Logs: Short, Full

Tested:

  • Debian 11
  • Debian 12

Install

# latest
ansible-galaxy role install git+https://github.com/ansibleguy/addons_nftables

# from galaxy
ansible-galaxy install ansibleguy.addons_nftables

# or to custom role-path
ansible-galaxy install ansibleguy.addons_nftables --roles-path ./roles

Documentation


Advertisement

  • Need professional support using Ansible or NFTables? Contact us:

    E-Mail: contact@oxl.at

    Tel: +43 3115 40 900 0

    Web: EN | DE

    Language: German or English

  • You want a simple Ansible GUI?

    Check-out this Ansible WebUI


Usage

You can manage the NFTables base-config using the ansibleguy.infra_nftables role!

Config

You can find a more detailed example here: Example!

Define the config as needed:

nftables_addons:
  enable:
    dns: true  # enable DNS-addon
    dns_v6: true  # enable IPv6-processing of DNS-addon
    iplist: true  # enable IPList-addon
    iplist_v6: true  # enable IPv6-processing of IPList-addon
    # timer: true  # set to false if you want to manage the update-timers yourself
    # systemd: true  # update addons using a systemd-timer
    # cron: false  # update addons using a cron-job instead
    # include: true  # set to false to disable the auto-include of addons in /etc/nftables.conf

  config:
    iplists:
      iplist_tor_exit_nodes:  # var-name
        urls: ['https://check.torproject.org/torbulkexitlist']
        separator: "\n"
        comment: '#'
    dns_records:
      ntp_servers: ['0.europe.pool.ntp.org', '1.europe.pool.ntp.org']
      repo_debian: ['deb.debian.org', 'debian.map.fastlydns.net', 'security.debian.org']

  ext: 'nft'  # extension used by nftables config-files
  path:
    base:
      config: '/etc/nftables.conf'
      dir: '/etc/nftables.d'
    addon:
      dir: '/etc/nftables.d/addons'

  timer:
    systemd:
      dns: '*:0/15'  # update every 15min
      iplist: '*-*-* 00,12:00:00'  # update twice a day

    # cron:
    #   dns:  # every 15min
    #     minute: '*/15'
    #   iplist:  # twice a day
    #     minute: '0'
    #     hour: '0,12'

Execution

Run the playbook:

ansible-playbook -K -D -i inventory/hosts.yml playbook.yml

There are also some useful tags available:

  • dns
  • iplist
  • config (only update addon-config)

To debug errors, set the 'debug' variable at runtime:

ansible-playbook -K -D -i inventory/hosts.yml playbook.yml -e debug=yes

Functionality

  • Configuration

    • Default config:

      • Systemd Timer to run the addons
      • Logging to Syslog
      • Appendix for IPv6 variables: '_v6'
        • For example: variable 'repo_debian' => 'repo_debian_v6'
      • Timers
        • DNS => updated every 15 minutes
        • IP-List => updated twice a day
      • Systemd
        • Syslog ID: 'nftables_addon_{ addon }'
        • Service/Timer Prefix: 'ansibleguy.addons_nftables-'
    • Default opt-ins:

      • Timer to automatically update variables
      • Systemd Timer
      • Adding include into '/etc/nftables.conf'
    • Default opt-outs:

      • Add-Ons
        • DNS
          • DNS IPv6 processing
        • IP-Lists
          • IP-List IPv6 processing
      • Cron-Job Timer

Info

  • Note: this role currently only supports Debian-based systems

  • Note: Most of the role's functionality can be opted in or out.

    For all available options, see the default config in the main defaults-file!

  • Warning: Not every setting/variable you provide will be checked for validity. A bad config might break the role!

  • Note: Every defined variable will be created, as a missing one might break your config!

    If a DNS-record cannot be resolved or no entry is returned, a fallback value (IPv4: 0.0.0.0, IPv6: ::) will be set.
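The Config section's 'dns_records' and 'iplists' entries end up as nftables variables, with the '_v6' appendix and the 0.0.0.0 / :: fallbacks noted above. The following Python sketch is an added illustration, not the role's own code: it parses a fetched IP-list with the configured separator and comment marker (discarding anything that is not an address), resolves record names through an injected resolver, and emits nft 'define' lines. The 'define' output format, the 'raw' field standing in for the download of 'urls', and the sample resolver table and list are assumptions.

```python
import ipaddress
# Fallback values the role documents for DNS records that resolve to nothing
FALLBACK = {4: "0.0.0.0", 6: "::"}
# Constructed sample input (documentation address ranges): a fake resolver table and a fake list download
SAMPLE_DNS = {"deb.debian.org": ["192.0.2.10", "2001:db8::10"], "security.debian.org": []}
SAMPLE_IPLIST = "# exit nodes\n198.51.100.7\n2001:db8::1 # v6 entry\nnot-an-ip\n203.0.113.0/24\n"


def parse_iplist(raw, separator="\n", comment="#"):
    """Split a fetched IP-list (honouring the configured separator/comment) into valid v4/v6 entries."""
    found = {4: [], 6: []}
    for item in raw.split(separator):
        item = item.split(comment, 1)[0].strip()  # drop whole-line and trailing comments
        if not item:
            continue
        try:
            net = ipaddress.ip_network(item, strict=False)  # single hosts and CIDR ranges
        except ValueError:
            continue  # never let junk from a remote list reach the firewall config
        found[net.version].append(str(net.network_address) if net.num_addresses == 1 else str(net))
    return found


def resolve_records(names, resolver, version):
    """Collect addresses of one IP version for all names; names that fail to resolve are skipped."""
    addrs = []
    for name in names:
        try:
            answers = resolver(name)
        except OSError:  # a socket-based resolver raises socket.gaierror (an OSError subclass)
            answers = []
        addrs += [a for a in answers if ipaddress.ip_address(a).version == version]
    return sorted(set(addrs), key=ipaddress.ip_address)


def render_define(var, addrs, version):
    """One nft 'define' per variable: '_v6' suffix for IPv6, fallback value when the set is empty."""
    name = f"{var}_v6" if version == 6 else var
    return f"define {name} = {{ {', '.join(addrs or [FALLBACK[version]])} }}"


def build_addon(dns_records, iplists, resolver):
    """Render the addon file body for the 'dns_records' and 'iplists' config sections (assumed format)."""
    lines = []
    for var, names in dns_records.items():
        for version in (4, 6):
            lines.append(render_define(var, resolve_records(names, resolver, version), version))
    for var, spec in iplists.items():  # 'raw' replaces the fetch of spec['urls'] so this runs offline
        parsed = parse_iplist(spec["raw"], spec.get("separator", "\n"), spec.get("comment", "#"))
        for version in (4, 6):
            lines.append(render_define(var, parsed[version], version))
    return "\n".join(lines) + "\n"
```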