---
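- name: Enable and start firewalld
  # Native boolean instead of the YAML 1.1 "yes" alias (yamllint truthy);
  # firewalld must be running before the zone tasks below talk to it.
  ansible.builtin.systemd:
    name: firewalld
    enabled: true
    state: started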
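- name: Enable and start NetworkManager
  # Native boolean instead of the YAML 1.1 "yes" alias (yamllint truthy);
  # the nmcli tasks below require the daemon to be up.
  ansible.builtin.systemd:
    name: NetworkManager
    enabled: true
    state: started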
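- name: Check existing zones
  # Read-only query: it never reports a change, and it still runs in --check
  # mode so the registered value exists for the task that prints it.
  ansible.builtin.command: firewall-cmd --get-zones
  register: firewalld_zones
  changed_when: false
  check_mode: false

- name: Debug output
  ansible.builtin.debug:
    var: firewalld_zones.stdout

# - name: Create zone "core"
#   ansible.builtin.command: firewall-cmd --permanent --new-zone="{{ item }}"
#   loop: ["core", "mgmt"]
#   # loop: "{{ firewalld_zones.stdout | split }}"
#   when: item in firewalld_zones.stdout.split()
#     (item != "core" and
#      item != "dmz")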
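- name: Create firewalld zones
  # One looped task instead of three copies. Zone creation is permanent-only,
  # so the reload that follows is what makes the zones visible at runtime
  # before interfaces and services are bound to them.
  ansible.posix.firewalld:
    zone: "{{ item }}"
    state: present
    permanent: true
  loop:
    - core
    - mgmt
    - dmz

- name: Reload firewalld to apply changes
  # Promotes the permanent zone definitions above into the running config.
  ansible.builtin.command: firewall-cmd --reload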
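- name: Enable ssh service in core and mgmt zones
  # One looped task instead of two copies; dmz deliberately gets no ssh
  # service here, matching the original task set.
  ansible.posix.firewalld:
    zone: "{{ item }}"
    service: ssh
    state: enabled
    permanent: true
  loop:
    - core
    - mgmt

- name: Reload firewalld to apply service rules
  # Unique task name (the earlier reload task keeps its original name) so
  # --start-at-task and ansible-lint name[unique] can tell them apart.
  ansible.builtin.command: firewall-cmd --reload

# - name: Ensure all other zones are disabled
#   ansible.posix.firewalld:
#     zone: "{{ item }}"
#     state: disabled
#     permanent: true
#   when: item not in zones
#   loop: "{{ firewalld_zones.stdout | split }}"

# - name: Ensure custom routing table names are present
#   ansible.builtin.lineinfile:
#     path: /etc/iproute2/rt_tables
#     line: "{{ item.table_id }} {{ item.table_name }}"
#     create: yes
#     state: present
#   loop: "{{ network_interfaces }}"
#   loop_control:
#     label: "{{ item.table_name }}"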
- name: Ensure /etc/iproute2 directory exists
  # Parent directory for the rt_tables file written by the template task
  # below: root-owned, world-readable, not world-writable.
  ansible.builtin.file:
    path: /etc/iproute2
    state: directory
    mode: "0755"
    owner: root
    group: root
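- name: Overwrite /etc/iproute2/rt_tables with templated content
  # force is a real boolean here, not the YAML 1.1 "yes" alias. The rendered
  # file replaces the existing one whenever its content differs; this is the
  # table-name map the routing tasks below rely on.
  ansible.builtin.template:
    src: rt_tables.j2
    dest: /etc/iproute2/rt_tables
    owner: root
    group: root
    mode: "0644"
    force: true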
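- name: Default connection
  # Fully-qualified module name, consistent with the other debug tasks.
  ansible.builtin.debug:
    var: default_conn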
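- name: Configure default (CORE) connection
  # The prefix length was hard-coded to /22; it is now read from
  # default_conn.prefix with 22 as the fallback, so existing inventories keep
  # working unchanged.
  # NOTE(review): no gw4 is set here, so nmcli itself installs no default
  # route on this profile — confirm that is intended (routes are added with
  # nmcli commands in later tasks).
  community.general.nmcli:
    conn_name: "{{ default_conn.name | upper }}"
    ifname: "{{ default_conn.ifname }}"
    type: ethernet
    zone: "{{ default_conn.name }}"
    method4: manual
    ip4: "{{ default_conn.ip }}/{{ default_conn.prefix | default(22) }}"
    dns4: "{{ default_conn.gateway }}"
    dns4_search: lan.xbazzi.com
    mtu: "{{ default_conn.mtu | default(1500) }}"
    state: present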
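- name: Configure ancillary connections
  # The prefix length was hard-coded to /22; it is now read from item.prefix
  # with 22 as the fallback, so existing inventories keep working unchanged.
  community.general.nmcli:
    conn_name: "{{ item.name | upper }}"
    ifname: "{{ item.ifname }}"
    type: ethernet
    zone: "{{ item.name }}"
    method4: manual
    ip4: "{{ item.ip }}/{{ item.prefix | default(22) }}"
    dns4: "{{ item.gateway }}"
    dns4_search: lan.xbazzi.com
    mtu: "{{ item.mtu | default(1500) }}"
    state: present
  loop: "{{ network_interfaces }}"
  loop_control:
    label: "{{ item.name }}"
  # Policy-routing sketch kept from the original for reference; the route
  # table, routes and rules are currently applied with nmcli commands instead.
  # table: "{{ item.table_id }}"
  # routes4_extended:
  #   - ip: "0.0.0.0/0"
  #     table: "{{ item.table_id }}"
  #     next_hop: "{{ item.gateway }}"
  #     mtu: "{{ item.mtu | default(1500) }}"
  #     metric:
  #   - ip: "{{ item.subnet }}"
  #     table: "{{ item.table_id }}"
  #     next_hop: "0.0.0.0"
  #     mtu: "{{ item.mtu | default(1500) }}"
  #   - "{{ item.subnet }} 0.0.0.0 {{ item.table_id }}"
  # routing_rules4:
  #   - "priority {{ item.priority }} from {{ item.ip }} table {{ item.table_id }}"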
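- name: Add route-table for each interface
  # argv passes each templated value as exactly one argument, so a connection
  # name or table id containing whitespace or quotes cannot be re-split into
  # extra nmcli arguments the way a folded command string would be.
  ansible.builtin.command:
    argv:
      - nmcli
      - connection
      - modify
      - "{{ item.name | upper }}"
      - ipv4.route-table
      - "{{ item.table_id }}"
  loop: "{{ network_interfaces }}"
  loop_control:
    label: "{{ item.name }}"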
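- name: Add routes
  # argv keeps the "0.0.0.0/0 <gateway>" route a single argument without
  # relying on shell-style quoting inside a command string.
  # NOTE(review): this loops over every entry in network_interfaces but always
  # modifies the MGMT profile with that entry's gateway — confirm this is
  # intended rather than "{{ item.name | upper }}". "+ipv4.routes" appends, so
  # verify repeated runs do not accumulate duplicate routes.
  ansible.builtin.command:
    argv:
      - nmcli
      - con
      - modify
      - MGMT
      - "+ipv4.routes"
      - "0.0.0.0/0 {{ item.gateway }}"
  loop: "{{ network_interfaces }}"
  loop_control:
    label: "{{ item.name }}"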
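- name: Add routing rules
  # argv keeps the rule text a single argument without relying on shell-style
  # quoting inside a command string.
  # NOTE(review): as with the routes task, every interface's rule is attached
  # to the MGMT profile — confirm this is intended. "+ipv4.routing-rules"
  # appends, so verify repeated runs do not accumulate duplicate rules.
  ansible.builtin.command:
    argv:
      - nmcli
      - con
      - modify
      - MGMT
      - "+ipv4.routing-rules"
      - "priority {{ item.priority }} table {{ item.table_id }}"
  loop: "{{ network_interfaces }}"
  loop_control:
    label: "{{ item.name }}"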
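# -name: Add ancillary routes to main table
# sudo ip route add 10.69.0.0/22 dev ens19 proto kernel scope link table main

# - name: Set up CORE interface manually
#   nmcli:
#     conn_name: CORE
#     zone: core
#     type: ethernet
#     ip4: "{{ provision_core_ip4 }}"
#     gw4: "{{ core_gw4 }}"
#     dns4: "{{ core_gw4 }}"
#     method4: "manual"
#     ifname: ens18
#     dns4_search: lan.xbazzi.com
#     state: present
#   delegate_to: "{{ provision_core_ip4_no_subnet }}"

# - name: Set up mgmt interface manually
#   nmcli:
#     conn_name: MGMT
#     zone: mgmt
#     type: ethernet
#     ip4: "{{ provision_mgmt_ip4 }}"
#     # routes4: "0.0.0.0/0 {{ mgmt_gw4 }}"
#     routing_rules4:
#       - "priority 2 from {{ mgmt_net }} table 200"
#     route_metric4: 102
#     dns4: "{{ mgmt_gw4 }}"
#     method4: "manual"
#     ifname: "ens19"
#     dns4_search: "lan.xbazzi.com"
#     state: present
#   # delegate_to: "{{ provision_core_ip4_no_subnet }}"

# - name: Set up dmz interface manually
#   nmcli:
#     conn_name: DMZ
#     zone: dmz
#     type: ethernet
#     ip4: "{{ provision_dmz_ip4 }}"
#     routes4: "0.0.0.0/0 {{ dmz_gw4 }}"
#     routes4_extended:
#       ip: {{ provision_dmz_ip4 }}
#     routing_rules4:
#       - "priority 3 from {{ dmz_net }} table 300"
#     route_metric4: 103
#     dns4: "{{ dmz_gw4 }}"
#     method4: "manual"
#     ifname: "ens20"
#     dns4_search: "lan.xbazzi.com"
#     state: present
#   delegate_to: "{{ provision_core_ip4_no_subnet }}"

# - name: Remove ens18 default connection
#   nmcli:
#     conn_name: "{{ item }}"
#     state: absent
#   loop: ["ens18", "ens19", "ens20", "core", "Wired connection 1"]

- name: List current NetworkManager connections
  # No pipes or shell features are used, so command (no shell) is enough.
  # Read-only query: never reports a change and still runs in --check mode so
  # the registered list exists there too.
  ansible.builtin.command: nmcli -t -f NAME connection show
  register: nmcli_connections
  changed_when: false
  check_mode: false

- name: Show NetworkManager connection names
  # "connection show" lists all profiles, active or not.
  ansible.builtin.debug:
    var: nmcli_connections.stdout_lines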
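- name: Remove unwanted default NetworkManager connections
  # Only profiles present in the list registered by the earlier
  # "List current NetworkManager connections" task are touched, so a missing
  # profile is skipped instead of being masked with ignore_errors (which would
  # also have hidden genuine nmcli failures).
  # NOTE(review): if the control connection to this host rides on one of these
  # profiles, deleting it can drop the session — confirm the CORE/MGMT/DMZ
  # profiles above are active first.
  community.general.nmcli:
    conn_name: "{{ item }}"
    state: absent
  loop:
    - ens18
    - ens19
    - ens20
    - core
    - "Wired connection 1"
  when: item in nmcli_connections.stdout_lines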
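- name: Restart NetworkManager
  # Same module name as the service tasks at the top of the file
  # (ansible.builtin.systemd), so the file works on every ansible-core release
  # that supports the rest of it.
  # NOTE(review): a restart re-activates every profile and may briefly drop
  # connectivity, including the Ansible session itself — a handler notified by
  # the nmcli tasks would restart only when something actually changed.
  ansible.builtin.systemd:
    name: NetworkManager
    enabled: true
    state: restarted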