nftables now is enabled by default

  Until now all devices/VMs needed to be tagged with 'nftables' tag to get
  nftables pkg + rules, which was the case for basically all of them.  Now
  it is time to swap the default, so only devices which should not get the
  pkg + ruleset need to be tagged.

Signed-off-by: Maximilian Wilhelm <max@sdn.clinic>

nftables/init.sls

@@ -2,6 +2,8 @@
 # nftables state
 #
 
+{% if not 'no-nftables' in salt['pillar.get']('nodes:' ~ grains['id'] ~ ':tags', []) %}
+
 nftables:
   pkg.installed:
     - name: nftables
@@ -24,6 +26,8 @@ purge-iptables:
   pkg.purged:
     - pkgs:
       - iptables-persistent
-{%- if not 'docker' in salt['pillar.get']('nodes:' ~ grains['id'] ~ ':roles', []) %}
+  {%- if not 'docker' in salt['pillar.get']('nodes:' ~ grains['id'] ~ ':roles', []) %}
       - iptables
-{%- endif %}
+  {%- endif %}
+
+{% endif %}

top.sls

@@ -11,6 +11,7 @@ base:
     - mosh
     - motd
     - needrestart
+    - nftables
     - network
     - ntp
     - postfix
@@ -28,13 +29,6 @@ base:
     - unattended-upgrades
     - utils
 
-#
-# Tags
-#
-  nodes:{{ grains['id'] }}:tags:nftables:
-    - match: pillar
-    - nftables
-
 #
 # Roles
 #