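---
# Firewall tasks: deploy the nftables ruleset and tune nf_conntrack.
#
# The conntrack hash size is written in three places (modprobe option for
# boot, sysfs for the running kernel, and the sysctl limit below). It is
# taken from `firewall_nf_conntrack_hashsize` when the caller sets it and
# falls back to the original 16384 otherwise, so the three stay in sync.

# deploy nftables rules
# The rendered ruleset is syntax-checked with `nft -c` before it replaces
# the live file, so a broken template cannot be written out and then leave
# the host without a ruleset when the handler restarts nftables.
# NOTE(review): the "restart nftables" handler is defined elsewhere; a
# reload (nft -f) avoids the brief no-rules window a restart has — confirm.
- name: "firewall - nftables rules"
  ansible.builtin.template:
    src: "nftables.conf.j2"
    dest: "/etc/nftables.conf"
    mode: "0600"
    owner: "root"
    group: "root"
    validate: "nft -c -f %s"
  notify: "restart nftables"

# load nf_conntrack module
# Must run before the sysfs write further down: the parameters directory
# only exists while the module is loaded.
- name: "firewall - load nf_conntrack module"
  community.general.modprobe:
    name: "nf_conntrack"
    state: "present"

# configure nf_conntrack hashsize
# regexp makes a later change of the value replace the existing line
# instead of appending a second "options nf_conntrack" line.
- name: "firewall - configure nf_conntrack hashsize"
  ansible.builtin.lineinfile:
    path: "/etc/modprobe.d/nf_conntrack.conf"
    regexp: '^options nf_conntrack hashsize='
    line: "options nf_conntrack hashsize={{ firewall_nf_conntrack_hashsize | default(16384) | int }}"
    create: true
    mode: "0644"
    owner: "root"
    group: "root"

# load nf_conntrack at boot
- name: "firewall - load nf_conntrack at boot"
  ansible.builtin.lineinfile:
    path: "/etc/modules"
    regexp: '^nf_conntrack$'
    line: "nf_conntrack"
    create: true
    mode: "0644"
    owner: "root"
    group: "root"

# set nf_conntrack hashsize at runtime
# Writes sysfs only when the running value differs from the wanted one and
# reports "changed" truthfully instead of masking every run as unchanged.
- name: "firewall - set nf_conntrack hashsize runtime"
  ansible.builtin.shell:
    cmd: |-
      wanted="{{ firewall_nf_conntrack_hashsize | default(16384) | int }}"
      current="$(cat /sys/module/nf_conntrack/parameters/hashsize)"
      if [ "${current}" != "${wanted}" ]; then
        echo "${wanted}" > /sys/module/nf_conntrack/parameters/hashsize
        echo "changed"
      fi
  register: firewall_nf_conntrack_hashsize_runtime
  changed_when: "'changed' in firewall_nf_conntrack_hashsize_runtime.stdout"

# configure nf_conntrack sysctl settings
# sysctl_set applies each value to the running kernel (sysctl -w) as well as
# persisting it in /etc/sysctl.conf; with reload false and without it the
# new limits would not take effect until a reboot or a manual `sysctl -p`.
# Values are kept at the original settings.
- name: "firewall - configure conntrack sysctl settings"
  ansible.posix.sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    state: "present"
    sysctl_file: "/etc/sysctl.conf"
    sysctl_set: true
    reload: false
  loop:
    - name: "net.netfilter.nf_conntrack_max"
      value: "16384"
    - name: "net.netfilter.nf_conntrack_tcp_timeout_established"
      value: "3600"
    - name: "net.netfilter.nf_conntrack_generic_timeout"
      value: "120"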