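---
# Network configuration tasks: hand the host's interfaces over to
# systemd-networkd. Interfaces are renamed via .link files rendered from
# `default_interface` / `network_interfaces`, a .network file is rendered for
# each, the legacy network managers (ifupdown's "networking" unit and
# NetworkManager) are masked, and handlers defined elsewhere in the role
# ("Trigger udev for new interface names", "Restart systemd-networkd") apply
# the result.
#
# NOTE(review): the firewalld tasks below are entirely commented out, so
# nothing in this file opens or restricts ports on the core/mgmt/dmz
# interfaces it brings up. Host filtering must come from elsewhere; confirm
# that it does before applying this role to an exposed host.

##### Firewall pre-requisites #####
# Disabled. If re-enabled: write `enabled: true` rather than `yes`, and note
# that both `register: firewalld_zones` lines write the same variable, so only
# the --get-active-zones output would survive to the debug task.
# - name: Enable and start firewalld
#   ansible.builtin.systemd:
#     name: firewalld
#     enabled: yes
#     state: started
# - name: firewall-cmd --get-zones
#   ansible.builtin.command: firewall-cmd --get-zones
#   register: firewalld_zones
# - name: firewall-cmd --get-active-zones
#   ansible.builtin.command: firewall-cmd --get-active-zones
#   register: firewalld_zones
# - name: Check existing zones
#   ansible.builtin.debug:
#     var: firewalld_zones.stdout
# - name: Create firewalld core zone
#   ansible.posix.firewalld:
#     zone: core
#     state: present
#     permanent: true
# - name: Create firewalld mgmt zone
#   ansible.posix.firewalld:
#     zone: mgmt
#     state: present
#     permanent: true
# - name: Create firewalld dmz zone
#   ansible.posix.firewalld:
#     zone: dmz
#     state: present
#     permanent: true
# - name: Reload firewalld to apply changes
#   ansible.builtin.command: firewall-cmd --reload
# - name: Enable ssh rule in core
#   ansible.posix.firewalld:
#     zone: core
#     service: ssh
#     state: enabled
#     permanent: true
# - name: Enable ssh rule in mgmt
#   ansible.posix.firewalld:
#     zone: mgmt
#     service: ssh
#     state: enabled
#     permanent: true
# - name: Reload firewalld to apply changes
#   ansible.builtin.command: firewall-cmd --reload

#### Network config ####
# systemd_service is the current name of the systemd module and is already
# required by the "disabled" tasks at the bottom of this file; use it
# consistently.
- name: Enable and start systemd-networkd
  ansible.builtin.systemd_service:
    name: systemd-networkd
    enabled: true
    state: started

- name: Ensure systemd-networkd directories exist
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    owner: root
    group: root
    mode: '0755'
  loop:
    - /etc/systemd/network
    - /etc/systemd/networkd.conf.d

# The "1-" prefix keeps these .link files ahead of systemd's own
# 99-default.link in lexical order; the rename itself is performed by the
# udev handler, not by writing the file.
- name: Rename default network interface via .link files
  ansible.builtin.template:
    src: rename-default-dev.link.j2
    dest: "/etc/systemd/network/1-rename-{{ default_interface.ifname }}-to-{{ default_interface.name }}.link"
    owner: root
    group: root
    mode: '0644'
  notify: Trigger udev for new interface names

- name: Rename network interfaces via .link files
  ansible.builtin.template:
    src: rename-auxiliary-dev.link.j2
    dest: "/etc/systemd/network/1-rename-{{ item.ifname }}-to-{{ item.name }}.link"
    owner: root
    group: root
    mode: '0644'
  loop: "{{ network_interfaces }}"
  notify: Trigger udev for new interface names

# .network files are keyed on the *new* interface name; `prefix` controls
# their ordering relative to each other.
- name: Generate default interface .network file
  ansible.builtin.template:
    src: default-interface.network.j2
    dest: "/etc/systemd/network/{{ default_interface.prefix }}-{{ default_interface.ifname }}-{{ default_interface.name }}.network"
    owner: root
    group: root
    mode: '0644'
  notify: Restart systemd-networkd

- name: Generate auxiliary interfaces .network files
  ansible.builtin.template:
    src: auxiliary-interface.network.j2
    dest: "/etc/systemd/network/{{ item.prefix }}-{{ item.ifname }}-{{ item.name }}.network"
    owner: root
    group: root
    mode: '0644'
  loop: "{{ network_interfaces }}"
  notify: Restart systemd-networkd

# Superseded by the templated .network files above; kept for reference.
# - name: Deploy .network files
#   ansible.builtin.copy:
#     src: "files/network/{{ item }}"
#     dest: "/etc/systemd/network/{{ item }}"
#     owner: root
#     group: root
#     mode: '0644'
#   loop:
#     - 10-ens18-core.network
#     - 20-ens19-mgmt.network
#     - 30-ens20-dmz.network
#   notify: Restart systemd-networkd

- name: Deploy systemd-networkd global .conf files
  ansible.builtin.copy:
    src: "files/networkd.conf.d/{{ item }}"
    dest: "/etc/systemd/networkd.conf.d/{{ item }}"
    owner: root
    group: root
    mode: '0644'
  loop:
    - 10-routes.conf
  notify: Restart systemd-networkd

# Handlers normally run at the end of the play. Run the pending ones now so
# the udev rename and the systemd-networkd restart happen while the legacy
# network managers are still in place, instead of after they have been
# stopped below with networkd still on its old configuration.
- name: Apply pending network handlers before disabling legacy managers
  ansible.builtin.meta: flush_handlers

- name: Gather service facts
  ansible.builtin.service_facts:

# These used to be three tasks each carrying `ignore_errors: true`, which
# tolerated a unit that is not installed but also hid every other failure
# (a unit that exists and cannot be masked or stopped). Skip absent units
# explicitly instead so real errors fail the play.
# NOTE(review): on ifupdown-based hosts, stopping networking.service tears
# down its interfaces; if the Ansible connection still rides on such an
# interface this may drop the session — confirm on the target before rollout.
- name: Ensure legacy network managers are masked, disabled and stopped
  ansible.builtin.systemd_service:
    name: "{{ item }}"
    masked: true
    enabled: false
    state: stopped
  loop:
    - networking
    - NetworkManager
    - NetworkManager-wait-online
  when: (item ~ '.service') in ansible_facts.services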