From 024cec94014250a7b24c4d72fc29ddea581f1c7b Mon Sep 17 00:00:00 2001
From: June
Date: Fri, 18 Apr 2025 15:54:32 +0200
Subject: [PATCH] add nftables config and deployment tasks for resolv-dns host

---
 deploy.yaml                              | 20 ++++++++++++++++++
 resources/resolv-dns/files/nftables.conf | 26 ++++++++++++++++++++++++
 2 files changed, 46 insertions(+)
 create mode 100644 resources/resolv-dns/files/nftables.conf

diff --git a/deploy.yaml b/deploy.yaml
index 8ae7ea7..95af3c2 100644
--- a/deploy.yaml
+++ b/deploy.yaml
@@ -4,6 +4,26 @@
   roles:
     - base_config
 
+- name: Ensure nftables configuration
+  hosts: resolv-dns
+  tasks:
+    - name: deploy nftables config
+      ansible.builtin.copy:
+        src: "resources/{{ inventory_hostname }}/files/nftables.conf"
+        dest: /etc/nftables.conf
+        owner: root
+        group: root
+        mode: "0644"
+      notify: Restart nftables service
+      become: true
+
+  handlers:
+    - name: Restart nftables service
+      ansible.builtin.service:
+        name: nftables
+        state: restarted
+      become: true
+
 - name: Deploy DHCP server
   hosts: dhcp
   tasks:
diff --git a/resources/resolv-dns/files/nftables.conf b/resources/resolv-dns/files/nftables.conf
new file mode 100644
index 0000000..8123f88
--- /dev/null
+++ b/resources/resolv-dns/files/nftables.conf
@@ -0,0 +1,26 @@
+#!/usr/sbin/nft -f
+
+# only flush tables managed by this file
+table inet filter
+flush table inet filter
+
+table inet filter {
+  chain input {
+    type filter hook input priority filter; policy drop;
+    ip protocol icmp accept
+    ip6 nexthdr icmpv6 accept
+    iifname lo accept
+    ct state related,established accept
+
+    tcp dport 22 accept
+    tcp dport 53 accept
+    udp dport 53 accept
+  }
+  chain forward {
+    type filter hook forward priority filter; policy drop;
+    ct state related,established counter accept
+  }
+  chain output {
+    type filter hook output priority filter;
+  }
+}
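Review bot: The `ansible.builtin.copy` task in the "deploy nftables config" step has no `validate:`, and the handler uses `state: restarted`, so a nftables.conf with a syntax error is installed as-is and the service is then stopped and started; on the stock nftables unit the stop step flushes the whole ruleset, so a broken file would leave the host with no firewall (fail-open) instead of its previous rules. Add `validate: /usr/sbin/nft -c -f %s` to the copy task so a file that does not parse is never written to /etc/nftables.conf, and change the handler to `state: reloaded`, which only runs `nft -f` on the new file and keeps the live ruleset when that fails (the shipped file declares and flushes only `table inet filter`, so a reload is safe). The exact stop/start behaviour depends on the distribution's nftables.service and is inferred here, not shown by the patch.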
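Review bot: The `tcp dport 53 accept` and `udp dport 53 accept` rules in chain input accept DNS from any source, so if this resolver is reachable beyond the networks it serves it becomes an open resolver usable for reflection/amplification; restrict them to the client prefixes, e.g. `ip saddr { <client prefixes> } udp dport 53 accept` with an `ip6 saddr` counterpart if there are v6 clients, or add a comment stating that upstream filtering is relied on. The chain also lacks `ct state invalid drop` ahead of the accept rules, the usual companion to the `ct state related,established accept` line, and `ip6 nexthdr icmpv6` does not match ICMPv6 carried behind extension headers, where `meta l4proto ipv6-icmp accept` is the reliable form. Whether the host is Internet-facing cannot be told from this patch, so the source restriction is a question for the deployment rather than a certain defect.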