From 7f5ab456417778b88658381ddc0e83466d673f31 Mon Sep 17 00:00:00 2001
From: AnsibleGuy
Date: Sun, 24 Sep 2023 15:12:23 +0200
Subject: [PATCH] added systemd-override to check config before reloading/restarting
---
 tasks/main.yml | 24 +++++++++++++++++++
 templates/etc/nftables.conf.j2 | 1 +
 templates/etc/nftables.d/table.nft.j2 | 3 +++
 .../nftables.service.d/override.conf.j2 | 15 ++++++++++++
 4 files changed, 43 insertions(+)
 create mode 100644 templates/etc/systemd/system/nftables.service.d/override.conf.j2
diff --git a/tasks/main.yml b/tasks/main.yml
index ee49a5a..d67d483 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -45,6 +45,30 @@
 name: ['nftables']
 state: present
+- name: NFTables | Adding systemd-override directory
+ ansible.builtin.file:
+ state: directory
+ path: '/etc/systemd/system/nftables.service.d'
+ mode: 0755
+ owner: 'root'
+ group: 'root'
+
+- name: NFTables | Copying systemd-override
+ ansible.builtin.template:
+ src: "templates/etc/systemd/system/nftables.service.d/override.conf.j2"
+ dest: '/etc/systemd/system/nftables.service.d/override.conf'
+ mode: 0644
+ owner: 'root'
+ group: 'root'
+ register: nft_svc_override
+
+- name: NFTables | Loading systemd-override
+ ansible.builtin.systemd:
+ daemon_reload: true
+ name: 'nftables.service'
+ state: restarted
+ when: nft_svc_override.changed
+
 - name: NFTables | Adding config directory
 ansible.builtin.file:
 state: directory
diff --git a/templates/etc/nftables.conf.j2 b/templates/etc/nftables.conf.j2
index eb2929b..091993b 100644
--- a/templates/etc/nftables.conf.j2
+++ b/templates/etc/nftables.conf.j2
@@ -1,6 +1,7 @@
 #!/usr/sbin/nft -f
 # {{ ansible_managed }}
+# ansibleguy.infra_nftables
 flush ruleset
diff --git a/templates/etc/nftables.d/table.nft.j2 b/templates/etc/nftables.d/table.nft.j2
index 8ee913c..63841e2 100644
--- a/templates/etc/nftables.d/table.nft.j2
+++ b/templates/etc/nftables.d/table.nft.j2
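Review bot: The `Loading systemd-override` task restarts `nftables.service` whenever the drop-in changes, and on a first run that happens before the role has written its config directory and `/etc/nftables.conf` (the `Adding config directory` task follows this hunk), so the new `ExecStartPre` check runs against whatever config is already on the host and a failure there aborts the play. A full restart also stops the unit first, and on Debian the packaged unit's `ExecStop` flushes the ruleset, so the host runs without firewall rules until the start completes. Since the drop-in only sets `ExecStartPre`/`ExecReload`, which systemd reads at the next start or reload anyway, `daemon_reload: true` without `state: restarted` is sufficient here, and the reload can be left to whatever handler the role presumably already notifies after templating the config. Two style points: `mode: 0755` and `mode: 0644` are plain YAML octals that ansible-lint flags as risky, so `mode: '0755'` / `mode: '0644'` is the safer spelling, and `src:` uses double quotes where every other string in the hunk uses single quotes.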
@@ -1,5 +1,8 @@
 #!/usr/sbin/nft -f
+# {{ ansible_managed }}
+# ansibleguy.infra_nftables
+
 table {{ nft_table.type }} {{ nft_table_name }} {
 {% include "_includes/definition_table.j2" %}
diff --git a/templates/etc/systemd/system/nftables.service.d/override.conf.j2 b/templates/etc/systemd/system/nftables.service.d/override.conf.j2
new file mode 100644
index 0000000..f62e8f8
--- /dev/null
+++ b/templates/etc/systemd/system/nftables.service.d/override.conf.j2
@@ -0,0 +1,15 @@
+# {{ ansible_managed }}
+# ansibleguy.infra_nftables
+
+[Unit]
+Documentation=https://github.com/ansibleguy/infra_nftables
+
+[Service]
+ExecStartPre=/usr/sbin/nft -cf /etc/nftables.conf
+
+ExecReload=
+ExecReload=/usr/sbin/nft -cf /etc/nftables.conf
+ExecReload=/usr/sbin/nft -f /etc/nftables.conf
+
+Restart=on-failure
+RestartSec=5s
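Review bot: `Restart=on-failure` and `RestartSec=5s` at the end of the new drop-in are likely to break the unit rather than harden it: as far as I know the Debian-packaged nftables.service is `Type=oneshot`, and the systemd releases shipped in Debian 12 and earlier refuse to load a oneshot unit whose `Restart=` is anything other than `no`, which would make the restart task in `tasks/main.yml` fail on those hosts; confirm the target systemd version before keeping these two lines, or drop them. The check-then-load `ExecReload` sequence is the valuable part of this file and deserves a comment stating the guarantee it gives, e.g. `# validate first: a failed nft -cf aborts the reload and leaves the running ruleset untouched` above the first `ExecReload=`. The bare `ExecReload=` that clears the packaged value before the two new entries is correct but non-obvious, so a one-line `# reset the packaged ExecReload= before adding our own sequence` would help the next maintainer.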