c9e2ff930c
- Replace 'ufw disable && ufw --force enable' single-shot handler with a block that dry-runs the ruleset, disables, re-enables, then verifies ufw is active. No '&&' short-circuit, so failures are loud instead of leaving the host firewall-less. - Rename handler to 'Restart ufw (ip-forwarding settings changed)' to reflect that this is a full restart (required to pick up /etc/default/ufw and /etc/ufw/before.rules changes per ufw(8)). - Add NAT/masquerade tasks: enable ipv4 forwarding, set DEFAULT_FORWARD_POLICY=ACCEPT, and write a per-interface *nat block in /etc/ufw/before.rules. - Declare requires_ansible >=2.15 in meta/runtime.yml (handler uses block:, supported since 2.12; 2.15 is a safe modern floor). - README: document Ansible version requirement, port reservation rules, and Immich pgvector Q&A.
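---
# Per-interface network configuration. Every task reads the `interface`
# variable (presumably the loop_var of an include_tasks loop — confirm in the
# caller); keys used here: name, type, ipv4.address, ipv4.forward,
# ipv4.masquerade, ipv4.nat_out_interface.

- name: Check if the interface ipv4 address is defined
  ansible.builtin.debug:
    msg: "Warning: iface {{ interface.name }} has no defined ipv4 address, skipping configuration"
  when: interface.ipv4.address is not defined

- name: Process interface configuration
  when: interface.ipv4.address is defined
  block:
    # Only non-ethernet interfaces (bridge, vlan, bond, ...) need a .netdev unit.
    - name: Create systemd-netdev file for virtual interface
      when:
        - interface.type is defined
        - interface.type != 'ethernet'
      ansible.builtin.template:
        src: systemd.netdev.j2
        dest: /etc/systemd/network/10-{{ interface.name }}.netdev
        owner: root
        group: root
        mode: "0644"
      register: netdev_result

    - name: Create systemd-network configuration file
      ansible.builtin.template:
        src: systemd.network.j2
        dest: /etc/systemd/network/20-{{ interface.name }}.network
        owner: root
        group: root
        mode: "0644"
      register: network_result

    # A skipped netdev task is not "changed", so this only fires on real edits.
    - name: Notify a reload is required
      ansible.builtin.set_fact:
        network_reload_required: true
      when: netdev_result is changed or network_result is changed

    ## Routing & NAT (when interface has forward + masquerade enabled)

    # Fail loudly instead of turning on ip_forward + FORWARD ACCEPT with no
    # masquerade rule: the NAT task below is skipped when nat_out_interface is
    # missing, which would otherwise leave the host forwarding without NAT.
    # The source network is derived from ipv4.address, so it must carry a
    # prefix length — a bare address is (as far as ipaddr behaves here) treated
    # as /32 and only the host's own traffic would be masqueraded.
    - name: Validate NAT/masquerade settings for {{ interface.name }}
      ansible.builtin.assert:
        that:
          - interface.ipv4.nat_out_interface is defined
          - interface.ipv4.nat_out_interface != interface.name
          - "'/' in (interface.ipv4.address | string)"
        fail_msg: >-
          iface {{ interface.name }}: forward+masquerade require
          ipv4.nat_out_interface (different from the interface itself) and an
          ipv4.address in CIDR form (e.g. 10.0.0.1/24)
        quiet: true
      when:
        - interface.ipv4.forward | default(false)
        - interface.ipv4.masquerade | default(false)

    # NOTE(review): ufw also ships /etc/ufw/sysctl.conf, which it applies on
    # start; if net/ipv4/ip_forward is set there it overrides this value.
    - name: Enable IPv4 forwarding
      ansible.posix.sysctl:
        name: net.ipv4.ip_forward
        value: "1"
        state: present
        sysctl_set: true
        reload: true
      when:
        - interface.ipv4.forward | default(false)
        - interface.ipv4.masquerade | default(false)

    # SECURITY: DEFAULT_FORWARD_POLICY is host-wide — ACCEPT forwards traffic
    # between *all* interfaces, not only this one, and it is not reverted when
    # masquerade is later disabled. If only this path should route, prefer
    # keeping DROP and adding per-pair `ufw route allow in on X out on Y` rules.
    - name: Set UFW default forward policy to ACCEPT
      ansible.builtin.lineinfile:
        path: /etc/default/ufw
        regexp: "^DEFAULT_FORWARD_POLICY="
        line: 'DEFAULT_FORWARD_POLICY="ACCEPT"'
      when:
        - interface.ipv4.forward | default(false)
        - interface.ipv4.masquerade | default(false)
      notify: Restart ufw (ip-forwarding settings changed)

    # ufw(8) documents masquerading as a *nat table placed before *filter in
    # before.rules. ufw loads the file with iptables-restore, so one marker
    # block per interface is fine; the marker carries the interface name so
    # blocks for different interfaces never overwrite each other.
    - name: Configure NAT masquerade in UFW before.rules for {{ interface.name }}
      ansible.builtin.blockinfile:
        path: /etc/ufw/before.rules
        insertbefore: "^\\*filter"
        marker: "# {mark} ANSIBLE MANAGED - NAT {{ interface.name }}"
        block: |
          *nat
          :POSTROUTING ACCEPT [0:0]
          -A POSTROUTING -s {{ interface.ipv4.address | ansible.utils.ipaddr('network/prefix') }} -o {{ interface.ipv4.nat_out_interface }} -j MASQUERADE
          COMMIT
      when:
        - interface.ipv4.forward | default(false)
        - interface.ipv4.masquerade | default(false)
        - interface.ipv4.nat_out_interface is defined
      notify: Restart ufw (ip-forwarding settings changed)

    # Inventory turning masquerade off must remove the rule, otherwise the
    # MASQUERADE entry silently survives in before.rules. blockinfile with
    # state=absent is a no-op when the marker (or the file) is not present.
    - name: Remove stale NAT masquerade block for {{ interface.name }}
      ansible.builtin.blockinfile:
        path: /etc/ufw/before.rules
        marker: "# {mark} ANSIBLE MANAGED - NAT {{ interface.name }}"
        state: absent
      when: >-
        not ((interface.ipv4.forward | default(false))
             and (interface.ipv4.masquerade | default(false))
             and interface.ipv4.nat_out_interface is defined)
      notify: Restart ufw (ip-forwarding settings changed)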