Diffstat (limited to 'ansible/roles/lxc-host/tasks/networkd.yml')
-rw-r--r--ansible/roles/lxc-host/tasks/networkd.yml119
1 files changed, 119 insertions, 0 deletions
diff --git a/ansible/roles/lxc-host/tasks/networkd.yml b/ansible/roles/lxc-host/tasks/networkd.yml
new file mode 100644
index 0000000..41ddb3f
--- /dev/null
+++ b/ansible/roles/lxc-host/tasks/networkd.yml
@@ -0,0 +1,119 @@
+- tags:
+ - lxc-host
+ - lxc-host-network
+ become: yes
+ vars:
+ hardware_if: "{{ host_database | json_query(ansible_hostname + '.interfaces.' + lxc_host__hardware_if) }}"
+ br_if: "{{ lxc_host__br_if }}"
+ internal_if: "{{ host_database | json_query(ansible_hostname + '.interfaces.' + lxc_host__internal_if) }}"
+ block:
+ - debug: var=hardware_if
+ - debug: var=br_if
+ - debug: var=internal_if
+
+ - name: Configure sysctl, enable ipv4 and ipv6 forwarding
+ become: yes
+ copy:
+ dest: /etc/sysctl.d/99-lxc-host.conf
+ content: |
+ net.ipv4.ip_forward=1
+ net.ipv6.conf.all.forwarding=1
+ notify: restart sysctl
+
+ - name: Enable UFW
+ become: yes
+ ufw:
+ state: enabled
+
+ - become: yes
+ ufw:
+ policy: allow
+ direction: outgoing
+
+ - become: yes
+ ufw:
+ policy: allow
+ direction: routed
+
+ - become: yes
+ ufw:
+ policy: deny
+ direction: incoming
+
+ - name: Enable NAT configuration through UFW
+ become: yes
+ notify: reload ufw
+ blockinfile:
+ path: /etc/ufw/before.rules
+ insertbefore: "# Don't delete these required lines, otherwise there will be errors"
+ block: |
+ # NAT table rules
+ *nat
+ :POSTROUTING ACCEPT [0:0]
+
+ # Forward traffic through eth0 - Change to match you out-interface
+ -A POSTROUTING -s {{ internal_if.ipv4.address }}/{{ internal_if.ipv4.netmask }} -o {{ lxc_host__hardware_if }} -j MASQUERADE
+
+ # don't delete the 'COMMIT' line or these nat table rules won't be processed
+ COMMIT
+
+ - name: enable systemd-networkd
+ service:
+ name: systemd-networkd
+ enabled: yes
+ state: started
+
+ - name: "/etc/systemd/network/50-0-lxc-host-{{ lxc_host__hardware_if }}.network"
+ notify: systemctl restart systemd-networkd
+ copy:
+ dest: "/etc/systemd/network/50-0-lxc-host-{{ lxc_host__hardware_if }}.network"
+ content: |
+ [Match]
+ Name={{ lxc_host__hardware_if }}
+
+ [Network]
+ Address={{ hardware_if.ipv4.address }}/{{ hardware_if.ipv4.netmask }}
+ Gateway={{ hardware_if.ipv4.gateway }}
+
+ - name: "/etc/systemd/network/50-1-lxc-host-{{ lxc_host__internal_if }}.netdev"
+ notify: systemctl restart systemd-networkd
+ copy:
+ dest: "/etc/systemd/network/50-1-lxc-host-{{ lxc_host__internal_if }}.netdev"
+ content: |
+ [NetDev]
+ Name={{ lxc_host__internal_if }}
+ Kind=dummy
+
+ - name: "/etc/systemd/network/50-2-lxc-host-{{ lxc_host__internal_if }}.network"
+ notify: systemctl restart systemd-networkd
+ copy:
+ dest: "/etc/systemd/network/50-2-lxc-host-{{ lxc_host__internal_if }}.network"
+ content: |
+ [Match]
+ Name={{ lxc_host__internal_if }}
+
+ [Network]
+ Bridge={{ br_if }}
+
+ - name: "/etc/systemd/network/50-3-lxc-host-{{ br_if }}.netdev"
+ notify: systemctl restart systemd-networkd
+ copy:
+ dest: "/etc/systemd/network/50-3-lxc-host-{{ br_if }}.netdev"
+ content: |
+ [NetDev]
+ Name={{ br_if }}
+ Kind=bridge
+
+ - name: "/etc/systemd/network/50-4-lxc-host-{{ br_if }}.network"
+ notify: systemctl restart systemd-networkd
+ copy:
+ dest: "/etc/systemd/network/50-4-lxc-host-{{ br_if }}.network"
+ content: |
+ [Match]
+ Name={{ br_if }}
+
+ [Network]
+ Address={{ internal_if.ipv4.address }}/{{ internal_if.ipv4.netmask }}
+ {% if internal_if.ipv6 is defined %}
+ Address={{ internal_if.ipv6.address }}/{{ internal_if.ipv6.netmask }}
+ {% endif %}
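Review bot: The `policy: allow` / `direction: routed` task (the third ufw task, after "Enable UFW") sets UFW's FORWARD-chain default to accept, so once `net.ipv4.ip_forward`/`net.ipv6.conf.all.forwarding` are enabled above, anything the host can route is forwarded in both directions with no filtering; the incoming `deny` only covers INPUT, not traffic destined for the containers. For IPv4 the MASQUERADE rule hides the internal subnet, but if UFW has IPv6 enabled (not visible in this hunk) and the bridge gets the optional IPv6 address from the last task, container IPv6 addresses become reachable from upstream unfiltered. Prefer `policy: deny` for `routed` and add an explicit route rule from the bridge to the hardware interface, as below; replies to container-initiated connections still pass via the RELATED,ESTABLISHED rule in the stock `before.rules`. While here, the three unnamed ufw tasks should get a `name:`, and `become: yes` / `enabled: yes` should be `true` to avoid the YAML 1.1 truthy ambiguity.
```yaml
  # … unchanged: outgoing allow / incoming deny policy tasks …

  - name: Default-deny forwarded traffic (FORWARD chain); explicit route rules open only what containers need
    become: true
    ufw:
      policy: deny
      direction: routed

  - name: Allow forwarded traffic from the container bridge out via the upstream interface
    become: true
    ufw:
      rule: allow
      route: true
      interface_in: "{{ br_if }}"
      interface_out: "{{ lxc_host__hardware_if }}"

  # … unchanged: NAT blockinfile and systemd-networkd tasks …
```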