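---
# Router-host tasks: dhcpcd outside-address hook, systemd unit ordering,
# IPv4/IPv6 forwarding sysctls and the nftables ruleset fragments.
# Handlers named in `notify` (rebind dhcp leases, reload systemd,
# reload nftables) are not defined here — presumably in the role's handlers.
#
# Module arguments were `key=value` strings; they are now native YAML mappings
# so octal modes stay strings (a bare 0644 would parse as decimal 420) and
# Jinja expressions are quoted rather than left as plain scalars.

- name: ensure outside-address dhcpcd hook is installed
  copy:
    src: outside-address.dhcpcd-hook
    dest: /usr/libexec/dhcpcd-hooks/10-outside-address
    mode: "0444"
  notify: rebind dhcp leases

# Run pending handlers immediately, so the rebind (and the hook above)
# takes effect before the remaining tasks rather than at play end.
- meta: flush_handlers

- name: ensure dhcpcd unit extension directory exists
  file:
    path: /etc/systemd/system/dhcpcd.service.d/
    mode: "0755"
    state: directory

- name: ensure dhcpcd starts after network
  copy:
    src: dhcpcd-after-network.conf
    dest: /etc/systemd/system/dhcpcd.service.d/after-network.conf
    mode: "0644"
  notify: reload systemd

# Enabling forwarding turns this host into a router; the forward/reject
# nftables fragments written below are what constrain that traffic
# (their content is in the role's files/templates, not visible here).
- name: ensure ipv4 forwarding is enabled
  sysctl:
    name: net.ipv4.conf.all.forwarding
    value: "1"
    sysctl_file: /etc/sysctl.d/ip-forwarding.conf
    state: present

- name: ensure ipv6 forwarding is enabled
  sysctl:
    name: net.ipv6.conf.all.forwarding
    value: "1"
    sysctl_file: /etc/sysctl.d/ip-forwarding.conf
    state: present

# Numeric prefixes on the fragment file names (10_, 20_, 70_, 90_)
# presumably set the load order of /etc/nftables/ruleset.d/ — the 90_ reject
# rules are meant to be evaluated last.
- name: ensure inet filter rules are configured
  copy:
    src: inet-filter.nft
    dest: /etc/nftables/ruleset.d/10_inet-filter.nft
    mode: "0644"
  notify: reload nftables

- name: ensure basic rules are defined
  template:
    src: "{{ item }}.nft.j2"
    dest: "/etc/nftables/ruleset.d/20_{{ item }}.nft"
    mode: "0644"
  with_items:
    - incoming
    - forward
    - outgoing
  notify: reload nftables

- name: ensure final reject rules are defined
  template:
    src: reject.nft.j2
    dest: "/etc/nftables/ruleset.d/90_{{ item }}-reject.nft"
    mode: "0644"
  with_items:
    - input
    - forward
    - output
  notify: reload nftables

- name: ensure ipv4 nat rules are configured
  copy:
    src: ipv4-nat.nft
    dest: /etc/nftables/ruleset.d/10_ipv4-nat.nft
    mode: "0644"
  notify: reload nftables

- name: ensure port forwards are configured
  template:
    src: port-forwards.nft.j2
    dest: /etc/nftables/ruleset.d/70_port-forwards.nft
    mode: "0644"
  notify: reload nftables

- name: ensure ip masquerading is configured
  template:
    src: masquerade.nft.j2
    dest: /etc/nftables/ruleset.d/90_masquerade.nft
    mode: "0644"
  notify: reload nftables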