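---
# Firewall pre-requisites and systemd-networkd configuration for a
# three-zone host (core / mgmt / dmz).
#
# Fixes versus the previous revision:
#   - `enabled: yes` replaced by the canonical boolean `true`.
#   - the two `firewall-cmd --get-*` probes registered into the same variable,
#     so the "Check existing zones" task only ever showed active zones; they now
#     register distinct names and both are printed.
#   - read-only probes are marked `changed_when: false` so a run is
#     idempotent-looking and check mode is meaningful.
#   - the service-management tasks all use `ansible.builtin.systemd_service`,
#     matching the NetworkManager tasks at the bottom of the file.

##### Firewall pre-requisites #####

- name: Enable and start systemd-networkd
  ansible.builtin.systemd_service:
    name: systemd-networkd
    enabled: true
    state: started

- name: Enable and start firewalld
  ansible.builtin.systemd_service:
    name: firewalld
    enabled: true
    state: started

# Inspection only: these never change the host, so they must not report
# "changed" (and the outputs are kept separate so both can be reviewed).
- name: firewall-cmd --get-zones
  ansible.builtin.command: firewall-cmd --get-zones
  register: firewalld_zones
  changed_when: false

- name: firewall-cmd --get-active-zones
  ansible.builtin.command: firewall-cmd --get-active-zones
  register: firewalld_active_zones
  changed_when: false

- name: Check existing zones
  ansible.builtin.debug:
    msg:
      - "Defined zones: {{ firewalld_zones.stdout }}"
      - "Active zones:  {{ firewalld_active_zones.stdout }}"

# Zone creation is permanent-only in the firewalld module; the reload below
# copies the permanent configuration into the runtime set.
- name: Create firewalld zones
  ansible.posix.firewalld:
    zone: "{{ item }}"
    state: present
    permanent: true
  loop:
    - core
    - mgmt
    - dmz

# NOTE: a reload replaces the runtime firewall with the permanent one, so any
# runtime-only rule added outside this play is discarded at this point.
- name: Reload firewalld to apply changes
  ansible.builtin.command: firewall-cmd --reload

# ssh is opened only in the core and mgmt zones; dmz deliberately gets no rule.
- name: Enable ssh rule in core and mgmt
  ansible.posix.firewalld:
    zone: "{{ item }}"
    service: ssh
    state: enabled
    permanent: true
  loop:
    - core
    - mgmt

- name: Reload firewalld to apply changes
  ansible.builtin.command: firewall-cmd --reload

#### Network config ####

- name: Ensure systemd-networkd directories exist
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    owner: root
    group: root
    mode: '0755'
  loop:
    - /etc/systemd/network
    - /etc/systemd/networkd.conf.d

# NOTE(review): .network files are deployed world-readable (0644). That is fine
# for plain address/route configuration; if a template ever carries
# credentials (e.g. tunnel keys), tighten the mode — confirm against the
# templates, which are not visible here.
- name: Generate default interface .network file
  ansible.builtin.template:
    src: default-interface.network.j2
    dest: "/etc/systemd/network/{{ default_interface.prefix }}-{{ default_interface.ifname }}-{{ default_interface.name }}.network"
    owner: root
    group: root
    mode: '0644'
  notify: Restart systemd-networkd

- name: Generate auxiliary interfaces .network files
  ansible.builtin.template:
    src: auxiliary-interface.network.j2
    dest: "/etc/systemd/network/{{ item.prefix }}-{{ item.ifname }}-{{ item.name }}.network"
    owner: root
    group: root
    mode: '0644'
  loop: "{{ network_interfaces }}"
  notify: Restart systemd-networkd

# Superseded by the template tasks above; kept for reference.
# - name: Deploy .network files
#   ansible.builtin.copy:
#     src: "files/network/{{ item }}"
#     dest: "/etc/systemd/network/{{ item }}"
#     owner: root
#     group: root
#     mode: '0644'
#   loop:
#     - 10-ens18-core.network
#     - 20-ens19-mgmt.network
#     - 30-ens20-dmz.network
#   notify: Restart systemd-networkd

- name: Deploy systemd-networkd global .conf files
  ansible.builtin.copy:
    src: "files/networkd.conf.d/{{ item }}"
    dest: "/etc/systemd/networkd.conf.d/{{ item }}"
    owner: root
    group: root
    mode: '0644'
  loop:
    - 10-routes.conf
  notify: Restart systemd-networkd

# NetworkManager is masked as well as disabled so nothing (including a package
# post-install script) can bring it back up alongside systemd-networkd.
- name: Ensure NetworkManager is disabled
  ansible.builtin.systemd_service:
    name: NetworkManager
    masked: true
    enabled: false
    state: stopped

- name: Ensure NetworkManager-wait-online is disabled
  ansible.builtin.systemd_service:
    name: NetworkManager-wait-online
    masked: true
    enabled: false
    state: stopped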