- name: Install nftables
  apt: pkg=nftables

- name: Copy /usr/local/sbin/update-firewall
  copy: src=usr/local/sbin/update-firewall
        dest=/usr/local/sbin/update-firewall
        owner=root group=staff
        mode=0755

- name: Copy /etc/nftables.conf
  template: src=etc/nftables.conf.j2
            dest=/etc/nftables.conf
            owner=root group=root
            mode=0644

- name: Ensure the firewall is up to date
  command: /usr/local/sbin/update-firewall -c
  register: rv
  # A non-zero return value will make ansible stop and show stderr. This
  # is what we want.
  changed_when: rv.rc

- name: Enable nftables.service
  service: name=nftables enabled=yes

- name: Start nftables.service
  service: name=nftables state=started