Use nftables for firewall on ingress

See ya never, iptables!

ansible/galaxy-requirements.yml

@@ -13,7 +13,6 @@ roles:
   - src: realorangeone.reflector
   - src: ironicbadger.proxmox_nag_removal
     version: 1.0.2
-  - src: chmduquesne.iptables_persistent
   - src: ironicbadger.snapraid
     version: 1.0.0
   - src: dokku_bot.ansible_dokku

ansible/group_vars/all/network.yml

@@ -1 +1,2 @@
 private_ip: "{{ nebula.clients[hostname_slug].ip }}"
+ssh_port: 7743

ansible/main.yml

@@ -70,8 +70,6 @@
 
 - hosts: ingress
   roles:
-    - role: chmduquesne.iptables_persistent
-      become: true
     - role: nginxinc.nginx  # The nginx in debian's repos is very old
       become: true
     - ingress

ansible/roles/base/vars/main.yml

@@ -1 +0,0 @@
-ssh_port: 7743

ansible/roles/ingress/files/nftables.conf

@@ -0,0 +1,33 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+    chain input {
+        type filter hook input priority 0
+        policy drop
+
+        ct state {established, related} counter accept
+
+        iif lo accept
+
+        tcp dport {http, https, {{ ssh_port }}, 8443, 8448} accept
+    }
+
+    chain POSTROUTING {
+        type nat hook postrouting priority srcnat
+        policy accept
+
+        # NAT - because the proxmox machines may not have routes back
+        ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} counter masquerade
+    }
+
+    chain FORWARD {
+        type filter hook forward priority mangle
+        policy drop
+
+        # Allow traffic from nebula to proxmox network
+        ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} accept
+        ip saddr {{ pve_hosts.internal_cidr }} ip daddr {{ nebula.cidr }} ct state related,established accept
+    }
+}

ansible/roles/ingress/handlers/main.yml

@@ -9,3 +9,11 @@
     name: nginx
     state: restarted
   become: true
+
+- name: reload nftables
+  command:
+    argv:
+      - nft
+      - -f
+      - /etc/nftables.conf
+  become: true

ansible/roles/ingress/tasks/firewall.yml

@@ -0,0 +1,19 @@
+- name: Install nftables
+  package:
+    name: nftables
+  become: true
+
+- name: Copy firewall config
+  template:
+    src: files/nftables.conf
+    dest: /etc/nftables.conf
+    validate: nft -c -f %s
+  become: true
+  notify: reload firewall
+
+- name: Enable nftables
+  service:
+    name: nftables
+    enabled: true
+    state: started
+  become: true

ansible/roles/ingress/tasks/main.yml

@@ -3,3 +3,6 @@
 
 - name: Configure nginx
   include_tasks: nginx.yml
+
+- name: Configure firewall
+  include_tasks: firewall.yml

ansible/roles/nebula/tasks/main.yml

@@ -53,14 +53,3 @@
     name: nebula
     enabled: true
   become: true
-
-- name: Enable unsafe routing
-  iptables:
-    table: nat
-    chain: POSTROUTING
-    out_interface: ens18
-    source: "{{ nebula.cidr }}"
-    jump: MASQUERADE
-  notify: persist iptables
-  become: true
-  when: ansible_hostname == "ingress"