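---
# Firewall tasks: install nftables, keep the legacy ip_tables module from
# being auto-loaded, validate a candidate ruleset off-line, then install the
# real ruleset without dropping the SSH session Ansible is connected over.

- name: Install nftables
  become: true
  apt:
    name: nftables
    state: present

# A modprobe blacklist only stops automatic loading (the systemd kmod-setup
# case the embedded comment points at); an explicit modprobe by an
# administrator would still load ip_tables.
- name: Blacklist ip_tables
  become: true
  copy:
    content: |
      # Emphasize that we use nftables exclusively. No networkd or nspawn.
      # (https://bugs.freedesktop.org/show_bug.cgi?id=89269)
      # https://cgit.freedesktop.org/systemd/systemd/tree/src/core/kmod-setup.c be damned.
      blacklist ip_tables
    dest: /etc/modprobe.d/no-iptables.conf
    owner: root
    group: root
    # Quoted on purpose: a bare 0644 is read as octal 420 by YAML 1.1 loaders
    # and would be handed to the module as the wrong mode.
    mode: "0644"

# Probe whether conntrack already has entries. /proc/net/nf_conntrack does
# not exist until the conntrack module is loaded (and some kernels lack the
# procfs interface entirely), so a read failure is treated like an empty
# table rather than reported as a failed task; only stdout is consulted.
- name: Check for connection tracking entries
  become: true
  command:
    cmd: head -c1 /proc/net/nf_conntrack
  failed_when: false
  check_mode: false
  changed_when: false
  register: nf_conntrack_head

# Loads a throwaway table with policy accept whose only rule references
# ct state, so connection tracking is active (and the current session is
# tracked) before the real ruleset is applied -- presumably that ruleset
# admits established traffic via ct state, which is what would lock us out
# otherwise. Notifying the reload handler makes sure this temporary table
# is flushed together with the old ruleset even when nftables.conf itself
# did not change.
- name: Start up connection tracking to avoid locking ourselves out
  become: true
  command:
    cmd: nft -f -
    stdin: |
      table inet ansible_temporary {
        chain ansible_temporary {
          type filter hook input priority 0; policy accept;
          ct state new log prefix "New connection: " level info
        }
      }
  when: nf_conntrack_head.stdout == ''
  notify: Reload nftables ruleset

# Parse and load the rendered candidate inside a private network namespace
# so a broken ruleset fails here instead of on the live firewall; the
# normalised (stateless, numeric) dump is registered for later comparison.
# NOTE(review): the candidate is rendered from firewall.nft while the file
# installed below comes from nftables.conf -- presumably the latter embeds
# or includes the former; confirm the two cannot drift apart.
- name: Load candidate ruleset into a temporary network namespace, then dump it
  become: true
  command:
    cmd: unshare --net sh -c 'nft --file - && nft --stateless -nnn list ruleset'
    stdin: "{{ lookup('template', 'firewall.nft') }}"
  register: nftables_ruleset_candidate
  check_mode: false
  changed_when: false

# The live ruleset is only swapped by the notified handler, so an unchanged
# template leaves the running firewall untouched.
- name: Install new nftables ruleset
  become: true
  template:
    src: nftables.conf
    dest: /etc/nftables.conf
    owner: root
    group: root
    mode: "0644"
  notify: Reload nftables ruleset

# Enables the unit for boot only; nothing here starts it. If the
# "Reload nftables ruleset" handler reloads the service instead of running
# nft directly, a stopped unit would make that reload fail -- check the
# handler and add `state: started` here if so.
- name: Enable nftables service
  become: true
  systemd:
    name: nftables
    enabled: true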