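---
# Host network baseline for a three-legged host:
#   * firewalld zones core / mgmt / dmz, with ssh allowed only in core and mgmt
#     (dmz gets no services);
#   * NetworkManager connections built from `default_conn` (the CORE
#     interface) and `network_interfaces` (ancillary interfaces);
#   * one routing table per ancillary interface (names come from
#     rt_tables.j2) plus a default route and a source-based rule per table.
#
# Expected variable shape (as read by the tasks below):
#   default_conn:        name, ip (no prefix), ifname, gateway, [mtu]
#   network_interfaces:  list of name, ip (no prefix), ifname, gateway,
#                        table_id, priority, [mtu]

- name: Enable and start firewalld
  ansible.builtin.systemd:
    name: firewalld
    enabled: true
    state: started

- name: Enable and start NetworkManager
  ansible.builtin.systemd:
    name: NetworkManager
    enabled: true
    state: started

- name: Check existing zones
  ansible.builtin.command: firewall-cmd --get-zones
  register: firewalld_zones
  changed_when: false  # read-only query; must not report "changed"

- name: Debug output
  ansible.builtin.debug:
    var: firewalld_zones.stdout

# Zones are created permanent-only; firewalld needs a reload before a newly
# created zone exists at runtime, hence the reload task that follows.
- name: Create firewalld zones (core, mgmt, dmz)
  ansible.posix.firewalld:
    zone: "{{ item }}"
    state: present
    permanent: true
  loop:
    - core
    - mgmt
    - dmz

- name: Reload firewalld so the new zones exist at runtime
  ansible.builtin.command: firewall-cmd --reload

# ssh is only reachable through core and mgmt; dmz intentionally gets nothing.
- name: Enable ssh rule in core and mgmt
  ansible.posix.firewalld:
    zone: "{{ item }}"
    service: ssh
    state: enabled
    permanent: true
  loop:
    - core
    - mgmt

- name: Reload firewalld to apply the permanent ssh rules
  ansible.builtin.command: firewall-cmd --reload

# TODO: zones other than core/mgmt/dmz are left untouched; an interface that
# is not bound to one of ours lands in firewalld's default zone.

- name: Ensure /etc/iproute2 directory exists
  ansible.builtin.file:
    path: /etc/iproute2
    state: directory
    owner: root
    group: root
    mode: '0755'

- name: Overwrite /etc/iproute2/rt_tables with templated content
  ansible.builtin.template:
    src: rt_tables.j2
    dest: /etc/iproute2/rt_tables
    owner: root
    group: root
    mode: '0644'
    force: true

- name: Default connection
  ansible.builtin.debug:
    var: default_conn

# NOTE(review): no gw4 is set on CORE here, so its default route must come
# from somewhere else (or be absent by design) — confirm against the host.
# The /22 prefix is hard-coded for every interface in this file.
- name: Configure default (CORE) connection
  community.general.nmcli:
    conn_name: "{{ default_conn.name | upper }}"
    type: ethernet
    zone: "{{ default_conn.name }}"
    method4: "manual"
    ip4: "{{ default_conn.ip }}/22"
    ifname: "{{ default_conn.ifname }}"
    dns4: "{{ default_conn.gateway }}"
    dns4_search: lan.xbazzi.com
    mtu: "{{ default_conn.mtu | default(1500) }}"
    state: present

- name: Configure ancillary connections
  community.general.nmcli:
    conn_name: "{{ item.name | upper }}"
    type: ethernet
    zone: "{{ item.name }}"
    method4: "manual"
    ip4: "{{ item.ip }}/22"
    ifname: "{{ item.ifname }}"
    dns4: "{{ item.gateway }}"
    dns4_search: lan.xbazzi.com
    mtu: "{{ item.mtu | default(1500) }}"
    state: present
  loop: "{{ network_interfaces }}"
  loop_control:
    label: "{{ item.name }}"

# Policy routing, one block per ancillary connection:
#   1. bind the connection's routes to its own table (ipv4.route-table);
#   2. put a default route via the connection's own gateway into that table;
#   3. add a rule that sends traffic sourced from the connection's address
#      to that table (without `from`, a rule would match all traffic).
# Every task below targets {{ item.name | upper }} — the connection created
# for that loop item — not a fixed connection name.
# These are plain `nmcli ... modify` commands, so Ansible reports them as
# "changed" on every run; they are not idempotent from Ansible's point of
# view even when nmcli itself makes no change.
- name: Add route-table for each interface
  ansible.builtin.command: >
    nmcli connection modify {{ item.name | upper }}
    ipv4.route-table {{ item.table_id }}
  loop: "{{ network_interfaces }}"
  loop_control:
    label: "{{ item.name }}"

- name: Add default route to each interface's table
  ansible.builtin.command: >
    nmcli connection modify {{ item.name | upper }}
    +ipv4.routes "0.0.0.0/0 {{ item.gateway }}"
  loop: "{{ network_interfaces }}"
  loop_control:
    label: "{{ item.name }}"

- name: Add source-based routing rule for each interface
  ansible.builtin.command: >
    nmcli connection modify {{ item.name | upper }}
    +ipv4.routing-rules "priority {{ item.priority }} from {{ item.ip }} table {{ item.table_id }}"
  loop: "{{ network_interfaces }}"
  loop_control:
    label: "{{ item.name }}"

- name: List current NetworkManager connections
  ansible.builtin.command: nmcli -t -f NAME connection show
  register: nmcli_connections
  changed_when: false  # read-only query

- name: Show active connection names
  ansible.builtin.debug:
    var: nmcli_connections.stdout_lines

# Only remove connections that actually exist (one name per line in the
# terse listing above) instead of ignoring every error from the module.
- name: Remove unwanted default NetworkManager connections
  community.general.nmcli:
    conn_name: "{{ item }}"
    state: absent
  loop:
    - ens18
    - ens19
    - ens20
    - core
    - "Wired connection 1"
  when: item in nmcli_connections.stdout_lines

- name: Restart NetworkManager
  ansible.builtin.systemd_service:
    name: NetworkManager
    enabled: true
    state: restarted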