authorTrygve Laugstøl <trygvis@inamo.no>2018-12-27 23:36:24 +0100
committerTrygve Laugstøl <trygvis@inamo.no>2018-12-27 23:36:24 +0100
commitfbcf643e474edce8e42b12ea383ec8ebeb4c9ff5 (patch)
treea26f131821832d53b02343ca3094fdbac9e37954
parent41fe17ca222da77fb860374adc915a4ca3b2c573 (diff)
ufw
-rw-r--r--ansible/host_vars/knot/ufw.yml2
-rw-r--r--ansible/knot.yml3
-rw-r--r--ansible/roles/ufw/tasks/main.yml34
3 files changed, 37 insertions, 2 deletions
diff --git a/ansible/host_vars/knot/ufw.yml b/ansible/host_vars/knot/ufw.yml
new file mode 100644
index 0000000..4ece7f5
--- /dev/null
+++ b/ansible/host_vars/knot/ufw.yml
@@ -0,0 +1,2 @@
+ufw__nat_address: 10.0.3.0
+ufw__nat_prefix: 24
diff --git a/ansible/knot.yml b/ansible/knot.yml
index 0eb21d3..fe729f8 100644
--- a/ansible/knot.yml
+++ b/ansible/knot.yml
@@ -1,10 +1,9 @@
---
- hosts:
- knot
- vars_files:
- - secrets.yml
roles:
- mw-frontend
+ - ufw
tasks:
- name: mosquitto-server
import_role: name=mosquitto-server
diff --git a/ansible/roles/ufw/tasks/main.yml b/ansible/roles/ufw/tasks/main.yml
new file mode 100644
index 0000000..e66ef58
--- /dev/null
+++ b/ansible/roles/ufw/tasks/main.yml
@@ -0,0 +1,34 @@
+- tags:
+ - ufw
+ become: yes
+ block:
+ - when: ufw__nat_address is defined
+ blockinfile:
+ path: /etc/ufw/before.rules
+ insertbefore: "^# Don't delete these required lines"
+ content: |
+ # NAT table rules
+ *nat
+ :POSTROUTING ACCEPT [0:0]
+
+ # Forward traffic through eth0 - Change to match you out-interface
+ -A POSTROUTING -s {{ ufw__nat_address }}/{{ ufw__nat_prefix }} -o eth0 -j MASQUERADE
+
+ # don't delete the 'COMMIT' line or these nat table rules won't
+ # be processed
+ COMMIT
+
+# - ufw:
+# state: enabled
+
+# - ufw:
+# default: allow
+# direction: out
+
+# - ufw:
+# policy: deny
+# direction: out
+
+# - ufw:
+# policy: allow
+# direction: routed
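Review bot: The guard on the blockinfile task (`when: ufw__nat_address is defined`) does not cover `ufw__nat_prefix`, which the MASQUERADE rule also templates, so a host that defines only the address fails the task with an undefined-variable error instead of skipping it; change it to `when: ufw__nat_address is defined and ufw__nat_prefix is defined`. Nothing reloads ufw after /etc/ufw/before.rules is edited, so the inserted NAT rule only takes effect on the next ufw restart; add `notify: reload ufw` to the task and a handler (in the role's handlers file, outside this commit) that runs the `ufw` module with `state: reloaded`. The out-interface is hard-coded as `eth0` even though the inherited comment says to change it per host, so it should become a role variable with `eth0` as the default, and the rule presumably also relies on IP forwarding being enabled elsewhere (e.g. `net/ipv4/ip_forward` in /etc/ufw/sysctl.conf), which this role does not handle. Minor: `become: yes` should be `become: true`, and the commented-out `ufw:` tasks at the end are dead code that should either be enabled deliberately or dropped, since as written the role never enables ufw or sets a routed policy.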