Add ipt-server role with firewall configuration and management

- Created handlers for reloading systemd and restarting firewall services.
- Implemented tasks to ensure the existence of configuration directories and files.
- Deployed host-specific and shared configuration files using templates.
- Added scripts for managing IPv4 and IPv6 firewalls.
- Configured systemd service units for ipt-firewall and ip6t-firewall.
- Enabled and started firewall services on system boot.

roles/ipt-server/tasks/main.yml

@@ -0,0 +1,215 @@
+---
+
+# ===
+# Ensure /etc/ipt-firewall directory exists
+# ===
+
+- name: Create /etc/ipt-firewall if not present
+  file:
+    path: /etc/ipt-firewall
+    state: directory
+    owner: root
+    group: root
+    mode: "0750"
+
+
+# ===
+# Check presence of host-specific config files
+# ===
+
+- name: Check if interfaces_ipv4.conf exists
+  stat:
+    path: /etc/ipt-firewall/interfaces_ipv4.conf
+  register: interfaces_ipv4_exists
+
+- name: Check if interfaces_ipv6.conf exists
+  stat:
+    path: /etc/ipt-firewall/interfaces_ipv6.conf
+  register: interfaces_ipv6_exists
+
+- name: Check if main_ipv4.conf exists
+  stat:
+    path: /etc/ipt-firewall/main_ipv4.conf
+  register: main_ipv4_exists
+
+- name: Check if main_ipv6.conf exists
+  stat:
+    path: /etc/ipt-firewall/main_ipv6.conf
+  register: main_ipv6_exists
+
+
+# ===
+# Deploy host-specific config files from templates.
+#
+# Safety guard: by default (fw_manage_config: false) a file is only written
+# when it does not yet exist on the host — so existing hosts are never touched
+# accidentally.
+#
+# Once a host has been migrated (host_vars populated and diff verified), set
+#   fw_manage_config: true
+# in its host_vars. From that point on Ansible is the authoritative source and
+# will update the config on every run, triggering a firewall restart on changes.
+# ===
+
+- name: Deploy interfaces_ipv4.conf from template
+  template:
+    src: etc/ipt-firewall/interfaces_ipv4.conf.j2
+    dest: /etc/ipt-firewall/interfaces_ipv4.conf
+    owner: root
+    group: root
+    mode: "0640"
+  when: fw_manage_config or not interfaces_ipv4_exists.stat.exists
+  notify:
+    - Restart IPv4 Firewall
+
+- name: Deploy interfaces_ipv6.conf from template
+  template:
+    src: etc/ipt-firewall/interfaces_ipv6.conf.j2
+    dest: /etc/ipt-firewall/interfaces_ipv6.conf
+    owner: root
+    group: root
+    mode: "0640"
+  when: fw_manage_config or not interfaces_ipv6_exists.stat.exists
+  notify:
+    - Restart IPv6 Firewall
+
+- name: Deploy main_ipv4.conf from template
+  template:
+    src: etc/ipt-firewall/main_ipv4.conf.j2
+    dest: /etc/ipt-firewall/main_ipv4.conf
+    owner: root
+    group: root
+    mode: "0640"
+  when: fw_manage_config or not main_ipv4_exists.stat.exists
+  notify:
+    - Restart IPv4 Firewall
+
+- name: Deploy main_ipv6.conf from template
+  template:
+    src: etc/ipt-firewall/main_ipv6.conf.j2
+    dest: /etc/ipt-firewall/main_ipv6.conf
+    owner: root
+    group: root
+    mode: "0640"
+  when: fw_manage_config or not main_ipv6_exists.stat.exists
+  notify:
+    - Restart IPv6 Firewall
+
+
+# ===
+# Firewall scripts
+# ===
+
+- name: Deploy ipt-firewall-server
+  copy:
+    src: usr/local/sbin/ipt-firewall-server
+    dest: /usr/local/sbin/ipt-firewall-server
+    owner: root
+    group: root
+    mode: "0750"
+
+- name: Deploy ip6t-firewall-server
+  copy:
+    src: usr/local/sbin/ip6t-firewall-server
+    dest: /usr/local/sbin/ip6t-firewall-server
+    owner: root
+    group: root
+    mode: "0750"
+
+
+# ===
+# Shared conf files (not host-specific — always kept in sync with the role)
+# ===
+
+- name: Deploy shared conf files
+  copy:
+    src: "etc/ipt-firewall/{{ item }}"
+    dest: "/etc/ipt-firewall/{{ item }}"
+    owner: root
+    group: root
+    mode: "0640"
+  loop:
+    - default_settings.conf
+    - include_functions.conf
+    - logging_ipv4.conf
+    - logging_ipv6.conf
+    - post_declarations.conf
+
+
+# ===
+# Ban lists — copy from sample once; the file can be customised per host.
+# ===
+
+- name: Check if ban_ipv4.list exists
+  stat:
+    path: /etc/ipt-firewall/ban_ipv4.list
+  register: ban_ipv4_exists
+
+- name: Copy ban_ipv4.list from sample (first install only)
+  copy:
+    src: etc/ipt-firewall/ban_ipv4.list.sample
+    dest: /etc/ipt-firewall/ban_ipv4.list
+    owner: root
+    group: root
+    mode: "0640"
+  when: not ban_ipv4_exists.stat.exists
+
+- name: Check if ban_ipv6.list exists
+  stat:
+    path: /etc/ipt-firewall/ban_ipv6.list
+  register: ban_ipv6_exists
+
+- name: Copy ban_ipv6.list from sample (first install only)
+  copy:
+    src: etc/ipt-firewall/ban_ipv6.list.sample
+    dest: /etc/ipt-firewall/ban_ipv6.list
+    owner: root
+    group: root
+    mode: "0640"
+  when: not ban_ipv6_exists.stat.exists
+
+
+# ===
+# Systemd service units
+# ===
+
+- name: Deploy ipt-firewall.service
+  copy:
+    src: etc/systemd/system/ipt-firewall.service
+    dest: /etc/systemd/system/ipt-firewall.service
+    owner: root
+    group: root
+    mode: "0644"
+  notify:
+    - Reload systemd daemon
+    - Restart IPv4 Firewall
+
+- name: Deploy ip6t-firewall.service
+  copy:
+    src: etc/systemd/system/ip6t-firewall.service
+    dest: /etc/systemd/system/ip6t-firewall.service
+    owner: root
+    group: root
+    mode: "0644"
+  notify:
+    - Reload systemd daemon
+    - Restart IPv6 Firewall
+
+
+# ===
+# Enable and start services
+# ===
+
+- name: Enable and start ipt-firewall
+  systemd:
+    name: ipt-firewall
+    enabled: true
+    state: started
+    daemon_reload: true
+
+- name: Enable and start ip6t-firewall
+  systemd:
+    name: ip6t-firewall
+    enabled: true
+    state: started
+    daemon_reload: true