configpolicy/roles/dch-gw/tasks/main.yml


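---
# dch-gw role: make this host a dhcpcd-managed gateway.
#
# Ordering is deliberate. All nftables ruleset fragments are written and the
# "reload nftables" handler is flushed BEFORE packet forwarding is switched on,
# so the kernel never forwards traffic while the filter/reject rules are not
# yet loaded (handlers otherwise only fire at the end of the play; on a fresh
# host that leaves forwarding on with no ruleset, unless another role has
# already loaded one -- confirm for this inventory). A failed ruleset reload
# now stops the play before forwarding is enabled, i.e. fail-closed.

- name: ensure outside-address dhcpcd hook is installed
  copy:
    src: outside-address.dhcpcd-hook
    dest: /usr/libexec/dhcpcd-hooks/10-outside-address
    # dhcpcd executes its hooks as root: keep the hook root-owned and read-only
    # so an unprivileged owner of the file cannot run code as root.
    owner: root
    group: root
    mode: "0444"
  notify: rebind dhcp leases

# Run the rebind handler now rather than at end of play -- presumably so the
# hook has executed before the rest of the role continues.
- meta: flush_handlers

- name: ensure dhcpcd unit extension directory exists
  file:
    path: /etc/systemd/system/dhcpcd.service.d/
    state: directory
    mode: "0755"

- name: ensure dhcpcd starts after network
  copy:
    src: dhcpcd-after-network.conf
    dest: /etc/systemd/system/dhcpcd.service.d/after-network.conf
    mode: "0644"
  notify: reload systemd

# --- nftables ruleset fragments (loaded in lexical order of the file name) ---

- name: ensure inet filter rules are configured
  copy:
    src: inet-filter.nft
    dest: /etc/nftables/ruleset.d/10_inet-filter.nft
    mode: "0644"
  notify: reload nftables

- name: ensure basic rules are defined
  template:
    src: "{{ item }}.nft.j2"
    dest: "/etc/nftables/ruleset.d/20_{{ item }}.nft"
    mode: "0644"
  with_items:
    - incoming
    - forward
    - outgoing
  notify: reload nftables

- name: ensure final reject rules are defined
  template:
    src: reject.nft.j2
    dest: "/etc/nftables/ruleset.d/90_{{ item }}-reject.nft"
    mode: "0644"
  with_items:
    - input
    - forward
    - output
  notify: reload nftables

- name: ensure ipv4 nat rules are configured
  copy:
    src: ipv4-nat.nft
    dest: /etc/nftables/ruleset.d/10_ipv4-nat.nft
    mode: "0644"
  notify: reload nftables

- name: ensure port forwards are configured
  template:
    src: port-forwards.nft.j2
    dest: /etc/nftables/ruleset.d/70_port-forwards.nft
    mode: "0644"
  notify: reload nftables

- name: ensure ip masquerading is configured
  template:
    src: masquerade.nft.j2
    dest: /etc/nftables/ruleset.d/90_masquerade.nft
    mode: "0644"
  notify: reload nftables

# Load the complete ruleset now, before forwarding is enabled below.
- meta: flush_handlers

# --- forwarding: only after the filter rules are active ---

- name: ensure ipv4 forwarding is enabled
  sysctl:
    name: net.ipv4.conf.all.forwarding
    value: "1"
    sysctl_file: /etc/sysctl.d/ip-forwarding.conf
    state: present

- name: ensure ipv6 forwarding is enabled
  # NOTE(review): with forwarding=1 the kernel ignores router advertisements on
  # interfaces that have accept_ra=1; if the outside interface gets its IPv6
  # address/route via RA it needs accept_ra=2 -- confirm against the dhcpcd setup.
  sysctl:
    name: net.ipv6.conf.all.forwarding
    value: "1"
    sysctl_file: /etc/sysctl.d/ip-forwarding.conf
    state: present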