Refactor systemctl services and timers

- Unified service templates into generic systemctl templates
- Introduced reusable filter plugins for script path handling
- Updated path variables and service/timer definitions
- Migrated roles (backup, cleanup, repair, etc.) to use systemctl role
- Added sys-daemon role for core systemd cleanup
- Simplified timer handling via sys-timer role

Note: This is a large refactor and some errors may still exist. Further testing and adjustments will be needed.

roles/svc-net-wireguard-firewalled/README.md

@@ -0,0 +1,26 @@
+# WireGuard Client behind NAT
+
+## Description
+
+This role adapts iptables rules to enable proper connectivity for a WireGuard client running behind a NAT or firewall. It ensures that traffic is forwarded correctly by applying necessary masquerading rules.
+
+## Overview
+
+Optimized for environments with network address translation (NAT), this role:
+- Executes shell commands to modify iptables rules.
+- Allows traffic from the WireGuard client interface (e.g. `wg0-client`) and sets up NAT masquerading on the external interface (e.g. `eth0`).
+- Works as an extension to the native WireGuard client role.
+
+## Purpose
+
+The primary purpose of this role is to enable proper routing and connectivity for a WireGuard client situated behind a firewall or NAT device. By adapting iptables rules, it ensures that the client can communicate effectively with external networks.
+
+## Features
+
+- **iptables Rule Adaptation:** Modifies iptables to allow forwarding and NAT masquerading for the WireGuard client.
+- **NAT Support:** Configures the external interface for proper masquerading.
+- **Role Integration:** Depends on the [svc-net-wireguard-plain](../svc-net-wireguard-plain/README.md) role to ensure that WireGuard is properly configured before applying firewall rules.
+
+## Other Resources
+- https://gist.github.com/insdavm/b1034635ab23b8839bf957aa406b5e39
+- https://wiki.debian.org/iptables

roles/svc-net-wireguard-firewalled/meta/main.yml

@@ -0,0 +1,26 @@
+---
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: "Adapts iptables rules to enable proper connectivity for a WireGuard client running behind a NAT or firewall, ensuring that traffic is correctly forwarded and masqueraded."
+  license: "Infinito.Nexus NonCommercial License"
+  license_url: "https://s.infinito.nexus/license"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Linux
+      versions:
+        - all
+  galaxy_tags:
+    - wireguard
+    - nat
+    - firewall
+    - iptables
+    - networking
+  repository: "https://s.infinito.nexus/code"
+  issue_tracker_url: "https://s.infinito.nexus/issues"
+  documentation: "https://docs.infinito.nexus"
+dependencies:
+  - svc-net-wireguard-plain

roles/svc-net-wireguard-firewalled/tasks/main.yml

@@ -0,0 +1,2 @@
+- name: adapt iptable rules
+  shell: iptables -A FORWARD -i wg0-client -j ACCEPT && iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

roles/svc-net-wireguard-firewalled/vars/main.yml

@@ -0,0 +1 @@
+application_id: svc-net-wireguard-firewalled