{"id":23637038,"url":"https://github.com/ansibleguy/addons_nftables","last_synced_at":"2025-03-21T07:26:54.521Z","repository":{"id":150853686,"uuid":"591657251","full_name":"ansibleguy/addons_nftables","owner":"ansibleguy","description":"Ansible Role to provision Add-Ons for NFTables on Linux servers","archived":false,"fork":false,"pushed_at":"2024-07-21T05:15:25.000Z","size":138,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"latest","last_synced_at":"2024-07-21T18:05:40.923Z","etag":null,"topics":["ansible","ansible-role","automation","firewall","firewall-rules","iac","infrastructure-as-code","network-as-code","nftable","nftables","nftables-rules"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ansibleguy.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"ko_fi":"ansible0guy","github":"ansibleguy"}},"created_at":"2023-01-21T12:47:59.000Z","updated_at":"2024-07-21T05:15:28.000Z","dependencies_parsed_at":"2023-07-10T03:00:22.026Z","dependency_job_id":"d1e72889-4cca-4721-878f-d12f332f3423","html_url":"https://github.com/ansibleguy/addons_nftables","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ansibleguy%2Faddons_nftables","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ansibleguy%2Faddons_nftables/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/
GitHub/repositories/ansibleguy%2Faddons_nftables/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ansibleguy%2Faddons_nftables/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ansibleguy","download_url":"https://codeload.github.com/ansibleguy/addons_nftables/tar.gz/refs/heads/latest","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244754974,"owners_count":20504816,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","ansible-role","automation","firewall","firewall-rules","iac","infrastructure-as-code","network-as-code","nftable","nftables","nftables-rules"],"created_at":"2024-12-28T06:17:29.884Z","updated_at":"2025-03-21T07:26:54.515Z","avatar_url":"https://github.com/ansibleguy.png","language":"Python","readme":"\u003ca href=\"https://netfilter.org/projects/nftables/index.html\"\u003e\n\u003cimg src=\"https://netfilter.org/images/netfilter-logo3.png\" alt=\"NFTables logo\" width=\"400\"/\u003e\n\u003c/a\u003e\n\n# Ansible Role - NFTables Add-Ons\n\nRole to deploy Addons for NFTables on Linux servers.\n\n[![Lint](https://github.com/ansibleguy/addons_nftables/actions/workflows/lint.yml/badge.svg)](https://github.com/ansibleguy/addons_nftables/actions/workflows/lint.yml)\n[![Ansible Galaxy](https://badges.ansibleguy.net/galaxy.badge.svg)](https://galaxy.ansible.com/ui/standalone/roles/ansibleguy/addons_nftables)\n\n**Molecule Integration-Tests**:\n\n* Status: [![Molecule Test 
Status](https://badges.ansibleguy.net/addons_nftables.molecule.svg)](https://github.com/ansibleguy/_meta_cicd/blob/latest/templates/usr/local/bin/cicd/molecule.sh.j2) |\n[![Functional-Tests](https://github.com/ansibleguy/addons_nftables/actions/workflows/integration_test_result.yml/badge.svg)](https://github.com/ansibleguy/addons_nftables/actions/workflows/integration_test_result.yml)\n* Logs: [API](https://ci.ansibleguy.net/api/job/ansible-test-molecule-addons_nftables/logs?token=2b7bba30-9a37-4b57-be8a-99e23016ce70\u0026lines=1000) | [Short](https://badges.ansibleguy.net/log/molecule_addons_nftables_test_short.log) | [Full](https://badges.ansibleguy.net/log/molecule_addons_nftables_test.log)\n\nInternal CI: [Tester Role](https://github.com/ansibleguy/_meta_cicd) | [Jobs API](https://github.com/O-X-L/github-self-hosted-jobs-systemd)\n\n**Tested:**\n* Debian 11\n* Debian 12\n\n----\n\n## Install\n\n```bash\n# latest\nansible-galaxy role install git+https://github.com/ansibleguy/addons_nftables\n\n# from galaxy\nansible-galaxy install ansibleguy.addons_nftables\n\n# or to custom role-path\nansible-galaxy install ansibleguy.addons_nftables --roles-path ./roles\n```\n\n----\n\n## Documentation\n\n* NFTables: [Wiki](https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes)\n* Check out the [Example](https://github.com/ansibleguy/addons_nftables/blob/stable/Example.md)!\n* Ansible-manage all of NFTables: [ansibleguy.infra_nftables](https://github.com/ansibleguy/infra_nftables/blob/main/README.md)\n\n----\n\n## Advertisement\n\n* Need **professional support** using Ansible or NFTables? 
Contact us:\n\n  E-Mail: [contact@oxl.at](mailto:contact@oxl.at)\n\n  Tel: [+43 3115 40 900 0](tel:+433115409000)\n\n  Web: [EN](https://www.o-x-l.com) | [DE](https://www.oxl.at)\n\n  Language: German or English\n\n* You want a simple **Ansible GUI**?\n\n  Check-out this [Ansible WebUI](https://github.com/ansibleguy/webui)\n\n----\n\n## Usage\n\nYou can manage the NFTables base-config using the [ansibleguy.infra_nftables](https://github.com/ansibleguy/infra_nftables) role!\n\n### Config\n\nYou can find a more detailed example here: [Example](https://github.com/ansibleguy/addons_nftables/blob/stable/Example.md)!\n\nDefine the config as needed:\n\n```yaml\nnftables_addons:\n  enable:\n    dns: true  # enable DNS-addon\n    dns_v6: true  # enable IPv6-processing of DNS-addon\n    iplist: true  # enable IPList-addon\n    iplist_v6: true  # enable IPv6-processing of IPList-addon\n    # timer: true  # you could disable the timer-management if you want to do it yourself\n    # systemd: true  # update addons using a systemd-timer\n    # cron: false  # update addons using a cron-job\n    # include: true  # disable auto-include of addons in /etc/nftables.conf\n\n  config:\n    iplists:\n      iplist_tor_exit_nodes:  # var-name\n        urls: ['https://check.torproject.org/torbulkexitlist']\n        separator: \"\\n\"\n        comment: '#'\n    dns_records:\n      ntp_servers: ['0.europe.pool.ntp.org', '1.europe.pool.ntp.org']\n      repo_debian: ['deb.debian.org', 'debian.map.fastlydns.net', 'security.debian.org']\n\n  ext: 'nft'  # extension used by nftables config-files\n  path:\n    base:\n      config: '/etc/nftables.conf'\n      dir: '/etc/nftables.d'\n    addon:\n      dir: '/etc/nftables.d/addons'\n\n  timer:\n    systemd:\n      dns: '*:0/15'  # update every 15min\n      iplist: '*-*-* 00,12:00:00'  # update twice a day\n\n    # cron:\n    #   dns:  # every 15min\n    #     minute: '*/15'\n    #   iplist:  # twice a day\n    #     minute: '0'\n    #     hour: 
'0,12'\n\n```\n\n### Execution\n\nRun the playbook:\n```bash\nansible-playbook -K -D -i inventory/hosts.yml playbook.yml\n```\n\nThere are also some useful **tags** available:\n* dns\n* iplist\n* config (_only update addon-config_)\n\nTo debug errors, you can set the 'debug' variable at runtime:\n```bash\nansible-playbook -K -D -i inventory/hosts.yml playbook.yml -e debug=yes\n```\n\n----\n\n## Functionality\n\n* **Configuration**\n\n  * **Default config**:\n    * Systemd Timer to run the addons\n    * Logging to Syslog\n    * Suffix for IPv6 variables: '_v6'\n      * For example: variable 'repo_debian' =\u003e 'repo_debian_v6'\n    * Timers\n      * DNS =\u003e updated every 15 minutes\n      * IP-List =\u003e updated twice a day\n    * Systemd\n      * Syslog ID: 'nftables_addon_{ addon }'\n      * Service/Timer Prefix: 'ansibleguy.addons_nftables-'\n\n  * **Default opt-ins**:\n    * Timer to automatically update variables\n    * Systemd Timer\n    * Adding include into '/etc/nftables.conf'\n\n\n  * **Default opt-outs**:\n    * **Add-Ons**\n      * DNS\n        * DNS IPv6 processing\n      * IP-Lists\n        * IP-List IPv6 processing\n    * Cron-Job Timer\n\n----\n\n## Info\n\n* **Note:** this role currently only supports Debian-based systems\n\n\n* **Note:** Most of the role's functionality can be opted in or out.\n\n  For all available options, see the default-config located in [the main defaults-file](https://github.com/ansibleguy/addons_nftables/blob/latest/defaults/main/1_main.yml)!\n\n\n* **Warning:** Not every setting/variable you provide will be checked for validity. 
Bad config might break the role!\n\n\n* **Note:** **Every defined variable will be created** as a missing one might break your config!\n\n  If a DNS-record cannot be resolved or no entry is returned - a fallback value (_IPv4: 0.0.0.0, IPv6: ::_) will be set.\n","funding_links":["https://ko-fi.com/ansible0guy","https://github.com/sponsors/ansibleguy"],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fansibleguy%2Faddons_nftables","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fansibleguy%2Faddons_nftables","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fansibleguy%2Faddons_nftables/lists"}