firewall: create empty ipsets for known networks

So we don’t crash and burn before config is set up.

roles/firewall/tasks/nftables.yml

@@ -16,6 +16,7 @@
     mode: 0644
   loop:
     - interfaces.nft
+    - networks.nft
   notify: reload nftables
 
 - name: Enable nftables service

roles/firewall/templates/nftables.nft.j2

@@ -5,6 +5,7 @@ flush ruleset
 
 table inet filter {
     include "/etc/nftables.d/interfaces.nft"
+    include "/etc/nftables.d/networks.nft"
     include "/etc/nftables.d/sets.nft*"
 
     set link {
@@ -92,6 +93,7 @@ table inet filter {
 
 table ip nat {
     include "/etc/nftables.d/interfaces.nft"
+    include "/etc/nftables.d/networks.nft"
     include "/etc/nftables.d/sets.nft*"
     include "/etc/nftables.d/netmap.nft*"