debian: don’t set up firewall for proxmox hosts

Also factor firewall setup into a separate task. There is no good way
to distinguish Debian and Proxmox hosts in Ansible, so we rely on the
cluster_type NetBox variable.

roles/debian/tasks/firewall.yml

@@ -0,0 +1,26 @@
+- name: Install nftables
+  package:
+    name: nftables
+
+- name: Set up generic firewall rules
+  copy:
+    dest: /etc/nftables.conf
+    src: nftables.conf
+  notify: reload nftables
+
+- name: Create nftables include directory
+  file:
+    path: /etc/nftables.d
+    state: directory
+
+- name: Set up local firewall rules
+  template:
+    dest: /etc/nftables.d/services.nft
+    src: services.nft.j2
+  notify: reload nftables
+
+- name: Enable firewall
+  service:
+    name: nftables
+    enabled: yes
+    state: started

roles/debian/tasks/main.yml

@@ -30,7 +30,6 @@
     name:
       - git
       - ifupdown2
-      - nftables
       - rsync
       - vim
       - tmux
@@ -76,28 +75,9 @@
       value: 'prohibit-password'
   notify: reload sshd
 
-- name: Set up generic firewall rules
-  copy:
-    dest: /etc/nftables.conf
-    src: nftables.conf
-  notify: reload nftables
-
-- name: Create nftables include directory
-  file:
-    path: /etc/nftables.d
-    state: directory
-
-- name: Set up local firewall rules
-  template:
-    dest: /etc/nftables.d/services.nft
-    src: services.nft.j2
-  notify: reload nftables
-
-- name: Enable firewall
-  service:
-    name: nftables
-    enabled: yes
-    state: started
+- name: Set up firewall
+  include_tasks: firewall.yml
+  when: is_virtual or cluster_type != 'proxmox' # proxmox has its own firewall configuration
 
 - name: Install automatic upgrade package
   package: