Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/ansibleguy/addons_nftables
Ansible Role to provision Add-Ons for NFTables on Linux servers
https://github.com/ansibleguy/addons_nftables
ansible ansible-role automation firewall firewall-rules iac infrastructure-as-code network-as-code nftable nftables nftables-rules
Last synced: 6 days ago
JSON representation
Ansible Role to provision Add-Ons for NFTables on Linux servers
- Host: GitHub
- URL: https://github.com/ansibleguy/addons_nftables
- Owner: ansibleguy
- License: other
- Created: 2023-01-21T12:47:59.000Z (almost 2 years ago)
- Default Branch: latest
- Last Pushed: 2024-07-21T05:15:25.000Z (6 months ago)
- Last Synced: 2024-07-21T18:05:40.923Z (6 months ago)
- Topics: ansible, ansible-role, automation, firewall, firewall-rules, iac, infrastructure-as-code, network-as-code, nftable, nftables, nftables-rules
- Language: Python
- Homepage:
- Size: 135 KB
- Stars: 2
- Watchers: 1
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
- License: LICENSE.txt
Awesome Lists containing this project
README
# Ansible Role - NFTables Add-Ons
Role to deploy Addons for NFTables on Linux servers.
[](https://github.com/ansibleguy/_meta_cicd/blob/latest/templates/usr/local/bin/cicd/molecule.sh.j2)
[](https://github.com/ansibleguy/_meta_cicd/blob/latest/templates/usr/local/bin/cicd/yamllint.sh.j2)
[](https://github.com/ansibleguy/_meta_cicd/blob/latest/templates/usr/local/bin/cicd/pylint.sh.j2)
[](https://github.com/ansibleguy/_meta_cicd/blob/latest/templates/usr/local/bin/cicd/ansiblelint.sh.j2)
[](https://galaxy.ansible.com/ui/standalone/roles/ansibleguy/addons_nftables)
Molecule Logs: [Short](https://badges.ansibleguy.net/log/molecule_addons_nftables_test_short.log), [Full](https://badges.ansibleguy.net/log/molecule_addons_nftables_test.log)
**Tested:**
* Debian 11
* Debian 12
----
## Install
```bash
# latest
ansible-galaxy role install git+https://github.com/ansibleguy/addons_nftables
ä from galaxy
ansible-galaxy install ansibleguy.addons_nftables
# or to custom role-path
ansible-galaxy install ansibleguy.addons_nftables --roles-path ./roles
```
----
## Documentation
* NFTables: [Wiki](https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes)
* Check out the [Example](https://github.com/ansibleguy/addons_nftables/blob/stable/Example.md)!
* Ansible-manage all of NFTables: [ansibleguy.infra_nftables](https://github.com/ansibleguy/infra_nftables/blob/main/README.md)
----
## Advertisement
* Need **professional support** using Ansible or NFTables? Contact us:
E-Mail: [[email protected]](mailto:[email protected])
Tel: [+43 3115 40 900 0](tel:+433115409000)
Web: [EN](https://www.o-x-l.com) | [DE](https://www.oxl.at)
Language: German or English
* You want a simple **Ansible GUI**?
Check-out this [Ansible WebUI](https://github.com/ansibleguy/webui)
----
## Usage
You can manage the NFTables base-config using the [ansibleguy.infra_nftables](https://github.com/ansibleguy/infra_nftables) role!
### Config
You can find a more detailed example here: [Example](https://github.com/ansibleguy/addons_nftables/blob/stable/Example.md)!
Define the config as needed:
```yaml
nftables_addons:
enable:
dns: true # enable DNS-addon
dns_v6: true # enable IPv6-processing of DNS-addon
iplist: true # enable IPList-addon
iplist_v6: true # enable IPv6-processing of IPList-addon
# timer: true # you could disable the timer-management if you want to do it yourself
# systemd: true # update addons using a systemd-timer
# cron: false # update addons using a cron-job
# include: true # disable auto-include of addons in /etc/nftables.conf
config:
iplists:
iplist_tor_exit_nodes: # var-name
urls: ['https://check.torproject.org/torbulkexitlist']
separator: "\n"
comment: '#'
dns_records:
ntp_servers: ['0.europe.pool.ntp.org', '1.europe.pool.ntp.org']
repo_debian: ['deb.debian.org', 'debian.map.fastlydns.net', 'security.debian.org']
ext: 'nft' # extension used by nftables config-files
path:
base:
config: '/etc/nftables.conf'
dir: '/etc/nftables.d'
addon:
dir: '/etc/nftables.d/addons'
timer:
systemd:
dns: '*:0/15' # update every 15min
iplist: '*-*-* 00,12:00:00' # update twice a day
# cron:
# dns: # every 15min
# minute: '*/15'
# iplist: # twice a day
# minute: '0'
# hour: '0,12'
```
### Execution
Run the playbook:
```bash
ansible-playbook -K -D -i inventory/hosts.yml playbook.yml
```
There are also some useful **tags** available:
* dns
* iplist
* config (_only update addon-config_)
To debug errors - you can set the 'debug' variable at runtime:
```bash
ansible-playbook -K -D -i inventory/hosts.yml playbook.yml -e debug=yes
```
----
## Functionality
* **Configuration**
* **Default config**:
* Systemd Timer to run the addons
* Logging to Syslog
* Appendix for IPv6 variables: '_v6'
* Per example: variable 'repo_debian' => 'repo_debian_v6'
* Timers
* DNS => updated every 15 minutes
* IP-List => updated twice a day
* Systemd
* Syslog ID: 'nftables_addon_{ addon }'
* Service/Timer Prefix: 'ansibleguy.addons_nftables-'
* **Default opt-ins**:
* Timer to automatically update variables
* Systemd Timer
* Adding include into '/etc/nftables.conf'
* **Default opt-outs**:
* **Add-Ons**
* DNS
* DNS IPv6 processing
* IP-Lists
* IP-List IPv6 processing
* Cron-Job Timer
----
## Info
* **Note:** this role currently only supports debian-based systems
* **Note:** Most of the role's functionality can be opted in or out.
For all available options - see the default-config located in [the main defaults-file](https://github.com/ansibleguy/addons_nftables/blob/latest/defaults/main/1_main.yml)!
* **Warning:** Not every setting/variable you provide will be checked for validity. Bad config might break the role!
* **Note:** **Every defined variable will be created** as a missing one might break your config!
If a DNS-record cannot be resolved or no entry is returned - a fallback value (_IPv4: 0.0.0.0, IPv6: ::_) will be set.