Diffstat (limited to 'ansible')
-rw-r--r-- | ansible/all.yml | 1 | ||||
-rw-r--r-- | ansible/host_vars/knot/ufw.yml | 4 | ||||
-rw-r--r-- | ansible/roles/ufw/handlers/main.yml | 4 | ||||
-rw-r--r-- | ansible/roles/ufw/tasks/main.yml | 24 |
4 files changed, 27 insertions, 6 deletions
diff --git a/ansible/all.yml b/ansible/all.yml
index f0556f7..72bca0a 100644
--- a/ansible/all.yml
+++ b/ansible/all.yml
@@ -5,6 +5,7 @@ - superusers - packages - trygvis-base + - ufw - hosts: - knot
diff --git a/ansible/host_vars/knot/ufw.yml b/ansible/host_vars/knot/ufw.yml
index 4ece7f5..bb3fc6b 100644
--- a/ansible/host_vars/knot/ufw.yml
+++ b/ansible/host_vars/knot/ufw.yml
@@ -1,2 +1,6 @@
 ufw__nat_address: 10.0.3.0
 ufw__nat_prefix: 24
+
+ufw__port_forwardings:
+# - port: 53
+# to: 10.0.0.4
diff --git a/ansible/roles/ufw/handlers/main.yml b/ansible/roles/ufw/handlers/main.yml
new file mode 100644
index 0000000..47f79ef
--- /dev/null
+++ b/ansible/roles/ufw/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: ufw reload
+become: yes
+ufw:
+state: reloaded
diff --git a/ansible/roles/ufw/tasks/main.yml b/ansible/roles/ufw/tasks/main.yml
index b372eb7..0579f0a 100644
--- a/ansible/roles/ufw/tasks/main.yml
+++ b/ansible/roles/ufw/tasks/main.yml
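Review bot: `ufw__port_forwardings:` with every entry commented out leaves the key defined but null, which is the worst case for this role: its second task tests `ufw__port_forwardings is defined` (true here) and then iterates the value, so knot gets `state: present` with nothing iterable instead of the absent/empty case. Either drop the key until a forwarding is actually wanted, or write `ufw__port_forwardings: []` and keep the example entry as comments under it; if the role is meant to tolerate the null form, its lookup must use `| default([], true)` rather than `is defined`. The indentation of the commented example may have been lost in this view — `to:` has to sit nested under the `- port:` item for the uncommented form to parse as one mapping.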
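Review bot: `become: yes` in the new handler uses a YAML 1.1 truthy form; Ansible and ansible-lint prefer `become: true`, which reads identically under YAML 1.2 parsers. Since the file is new, a `---` document start and a one-line comment such as `# Re-reads /etc/ufw/*.rules; notified by the blockinfile tasks that edit before.rules` would also help the next reader.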
@@ -2,20 +2,32 @@ - ufw become: yes block: - - when: ufw__nat_address is defined + - when: + notify: ufw reload blockinfile: path: /etc/ufw/before.rules insertbefore: "^# Don't delete these required lines" + marker: "# NAT config: {mark}" + state: "{{ 'present' if ufw__nat_address is defined else 'absent' }}" content: | - # NAT table rules *nat :POSTROUTING ACCEPT [0:0] - - # Forward traffic through eth0 - Change to match you out-interface -A POSTROUTING -s {{ ufw__nat_address }}/{{ ufw__nat_prefix }} -o eth0 -j MASQUERADE + COMMIT - # don't delete the 'COMMIT' line or these nat table rules won't - # be processed + - notify: ufw reload + vars: + forwardings: "{{ ufw__port_forwardings if ufw__port_forwardings is defined else [] }}" + blockinfile: + path: /etc/ufw/before.rules + insertbefore: "^# Don't delete these required lines" + marker: "# Port forwarding: {mark}" + state: "{{ 'present' if ufw__port_forwardings is defined else 'absent' }}" + content: | + *nat + {% for pf in forwardings %} + -A PREROUTING -i eth0 {{ " -d" + pf.addr if pf.addr is defined else "" }} -p {{ pf.proto if pf.proto is defined else "tcp" }} --dport {{ pf.port }} -j DNAT --to-destination {{ pf.to }}:{{ pf.to_port if pf.to_port is defined else pf.port }} + {% endfor %} COMMIT - ufw: |
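Review bot: On a host where `ufw__nat_address` is not set, the first blockinfile task fails before `state: absent` can take effect, because module arguments are templated as a whole and `content` references `{{ ufw__nat_address }}` and `{{ ufw__nat_prefix }}` unconditionally — and all.yml now runs this role on every host, so unless role defaults supply them the play breaks there; give the references a fallback, `-A POSTROUTING -s {{ ufw__nat_address | default('') }}/{{ ufw__nat_prefix | default('') }} -o eth0 -j MASQUERADE`, and make the second task null-safe in the same spirit with `forwardings: "{{ ufw__port_forwardings | default([], true) }}"` and `state: "{{ 'present' if forwardings | length > 0 else 'absent' }}"` (knot's host_vars defines the key with no value). The bare `- when:` on the first task is a leftover of the removed guard; it adds nothing now that `state` carries the condition, so drop the line. On the security side, the DNAT rules only rewrite the destination: forwarded packets still traverse ufw's FORWARD chain, whose default policy is DROP, so each forwarding also needs a matching `ufw route allow` rule (or a FORWARD accept in before.rules), and nothing in this hunk adds one — a comment or a task for it would save someone debugging a forwarding that silently never reaches its target. Hard-coding `-i eth0`/`-o eth0` in both blocks deserves an `ufw__interface` variable with that default, especially since the old comment warning about it was removed. The task list continues past the hunk (`- ufw:` is cut off).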