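---
# Ansible task list: bring up firewalld and NetworkManager, create the
# core / mgmt / dmz firewalld zones, then build one NetworkManager
# connection per zone and drop the distribution's default connections.
# Task order matters here — see the comments on the firewalld reload
# and on the ssh rule.

- name: Enable and start firewalld
  ansible.builtin.systemd:
    name: firewalld
    enabled: true
    state: started

- name: Enable and start NetworkManager
  ansible.builtin.systemd:
    name: NetworkManager
    enabled: true
    state: started

- name: Check existing zones
  ansible.builtin.command: firewall-cmd --get-zones
  register: firewalld_zones
  # Read-only query; never report it as a change.
  changed_when: false

- name: Debug output
  ansible.builtin.debug:
    var: firewalld_zones.stdout

# - name: Create zone "core"
#   ansible.builtin.command: firewall-cmd --permanent --new-zone="{{ item }}"
#   loop: ["core", "mgmt"]
#   # loop: "{{ firewalld_zones.stdout | split }}"
#   when: item in firewalld_zones.stdout.split()
#     (item != "core" and
#     item != "dmz")

- name: Create firewalld core zone
  ansible.posix.firewalld:
    zone: core
    state: present
    permanent: true

- name: Create firewalld mgmt zone
  ansible.posix.firewalld:
    zone: mgmt
    state: present
    permanent: true

- name: Create firewalld dmz zone
  ansible.posix.firewalld:
    zone: dmz
    state: present
    permanent: true

- name: Reload firewalld to apply changes
  # Zones are only created in the permanent configuration; the reload is
  # what makes them exist at runtime so the nmcli tasks below can
  # reference them.
  ansible.builtin.command: firewall-cmd --reload

- name: Enable ssh rule in core for initial ansible config
  ansible.posix.firewalld:
    zone: core
    service: ssh
    state: enabled
    permanent: true
    # The reload already ran above, so a permanent-only rule would not be
    # active until the next reload. Applying it immediately keeps ssh
    # reachable once the CORE interface is moved into this zone below.
    immediate: true

# - name: Ensure all other zones are disabled
#   ansible.posix.firewalld:
#     zone: "{{ item }}"
#     state: disabled
#     permanent: true
#   when: item not in zones
#   loop: "{{ firewalld_zones.stdout | split }}"

- name: Set up CORE interface manually
  community.general.nmcli:
    conn_name: CORE
    zone: core
    type: ethernet
    ip4: "{{ provision_core_ip4 }}"
    gw4: "{{ core_gw4 }}"
    dns4: "{{ core_gw4 }}"
    method4: "manual"
    ifname: ens18
    dns4_search: lan.xbazzi.com
    state: present
  # delegate_to: "{{ provision_core_ip4_no_subnet }}"

- name: Set up mgmt interface manually
  community.general.nmcli:
    conn_name: MGMT
    zone: mgmt
    type: ethernet
    ip4: "{{ provision_mgmt_ip4 }}"
    routes4: "0.0.0.0/0 {{ mgmt_gw4 }}"
    # Policy routing: traffic sourced from the mgmt network uses its own
    # table so it leaves via the mgmt gateway rather than the core one.
    routing_rules4:
      - "priority 2 from {{ mgmt_net }} table 200"
    route_metric4: 102
    dns4: "{{ mgmt_gw4 }}"
    method4: "manual"
    ifname: "ens19"
    dns4_search: "lan.xbazzi.com"
    state: present
  # delegate_to: "{{ provision_core_ip4_no_subnet }}"

- name: Set up dmz interface manually
  community.general.nmcli:
    conn_name: DMZ
    zone: dmz
    type: ethernet
    ip4: "{{ provision_dmz_ip4 }}"
    routes4: "0.0.0.0/0 {{ dmz_gw4 }}"
    routing_rules4:
      - "priority 3 from {{ dmz_net }} table 300"
    route_metric4: 103
    dns4: "{{ dmz_gw4 }}"
    method4: "manual"
    ifname: "ens20"
    dns4_search: "lan.xbazzi.com"
    state: present
  # delegate_to: "{{ provision_core_ip4_no_subnet }}"

# The connections above are only created (state: present), not activated.
# NOTE(review): whether the new profiles come up when the defaults below
# are deleted depends on NetworkManager autoconnect behaviour — confirm
# on a console session before running this against a remote host.
- name: Remove ens18 default connection
  community.general.nmcli:
    conn_name: ens18
    state: absent
  # delegate_to: "{{ provision_core_ip4_no_subnet }}"

- name: Remove ens19 default connection
  community.general.nmcli:
    conn_name: ens19
    state: absent
  # delegate_to: "{{ provision_core_ip4_no_subnet }}"

- name: Remove ens20 default connection
  community.general.nmcli:
    conn_name: ens20
    state: absent
  # delegate_to: "{{ provision_core_ip4_no_subnet }}"

- name: Remove "Wired connection 1"
  community.general.nmcli:
    conn_name: "Wired connection 1"
    state: absent
  # delegate_to: "{{ provision_core_ip4_no_subnet }}"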