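---
# firewalld setup for the gateway host.
#
# Order matters: install the package, drop in the custom VPN service
# definition, make sure the zones exist, bind interfaces to zones, enable
# masquerading, open per-zone services, then install port forwards.
#
# Variables read here (defined elsewhere in the role/inventory):
#   gateway.vpn.name              name of the VPN firewalld service (and its XML)
#   gateway.firewall.home_iface   LAN interface -> zone "home"
#   gateway.firewall.public_iface WAN interface -> zone "public" (defaults to ppp0)
#   gateway.firewall.vm_iface     VM bridge     -> zone "trusted"
#   gateway.firewall.forwarded_ports
#       optional list of {zone, proto, from: {port}, to: {addr, port}}

- name: Require firewalld
  apt:
    name: firewalld
    # `latest` upgrades firewalld on every run; switch to `present` if you
    # want runs to be predictable rather than acting as unattended upgrades.
    state: latest

- name: Add wireguard firewalld service
  template:
    src: firewalld/wireguard.xml.j2
    dest: "/etc/firewalld/services/{{ gateway.vpn.name }}.xml"
    owner: root
    group: root
    # Quoted on purpose: an unquoted 0644 is read as a number (octal in
    # YAML 1.1, decimal 644 by some parsers) and Ansible warns about it.
    mode: "0644"
  # NOTE(review): this task has no `notify:`, so the flush_handlers task below
  # has nothing from this file to flush. firewalld only sees a new service
  # definition after a reload, and "Add services to home interface" references
  # "{{ gateway.vpn.name }}" — confirm a reload happens before that task
  # (e.g. a reload handler notified here), or the first run fails on the
  # unknown service.

# Kept for reference. The `immediate: true` tasks below talk to the running
# daemon, so firewalld must be active by then; on Debian/Ubuntu the apt
# install normally starts and enables it — TODO confirm, or re-enable this.
# - name: Ensure firewalld is enabled
#   systemd:
#     name: firewalld.service
#     enabled: true
#     masked: false
#     state: started

- name: Force all notified handlers to run at this point, not waiting for normal sync points
  meta: flush_handlers

# home, public and trusted are firewalld's built-in zones, so this is mostly a
# guard that keeps the play working if a distro ships without one of them.
- name: Add zones
  ansible.posix.firewalld:
    zone: "{{ item }}"
    state: present
    permanent: true
  loop:
    - home
    - public
    - trusted

- name: Add home interface
  ansible.posix.firewalld:
    zone: home
    interface: "{{ gateway.firewall.home_iface }}"
    permanent: true
    immediate: true
    state: enabled

- name: Add public interface
  ansible.posix.firewalld:
    zone: public
    # The default must be the string 'ppp0'. The previous `default(ppp0)`
    # named an (undefined) variable, so the fallback raised "ppp0 is undefined"
    # exactly when public_iface was unset.
    interface: "{{ gateway.firewall.public_iface | default('ppp0') }}"
    permanent: true
    immediate: true
    state: enabled

# The trusted zone accepts all incoming connections: every VM on this bridge
# has unrestricted access to the gateway itself. Move to a stricter zone if
# the VMs are not fully trusted.
- name: Add vm interface
  ansible.posix.firewalld:
    zone: trusted
    interface: "{{ gateway.firewall.vm_iface }}"
    permanent: true
    immediate: true
    state: enabled

- name: Enable masquerade on public interface
  ansible.posix.firewalld:
    zone: public
    masquerade: true
    permanent: true
    immediate: true
    state: enabled

- name: Enable masquerade on vm interface
  ansible.posix.firewalld:
    zone: trusted
    masquerade: true
    permanent: true
    immediate: true
    state: enabled

# Everything listed here is reachable from the WAN side. ssh on the public
# zone is a deliberate exposure; pair it with key-only authentication and
# rate limiting on sshd.
- name: Add services to public interface
  ansible.posix.firewalld:
    zone: public
    service: "{{ item }}"
    permanent: true
    immediate: true
    state: enabled
  loop:
    - dhcpv6-client
    - http
    - https
    - ssh

# LAN side: same as public plus the VPN service defined above and the
# discovery/file-sharing services (mdns, samba) that should never face the WAN.
- name: Add services to home interface
  ansible.posix.firewalld:
    zone: home
    service: "{{ item }}"
    permanent: true
    immediate: true
    state: enabled
  loop:
    - dhcpv6-client
    - http
    - https
    - ssh
    - "{{ gateway.vpn.name }}"
    - mdns
    - samba-client
    - samba

# One rich rule per entry; to-port falls back to the source port when the
# entry does not set it. Only IPv4 forwards are supported by this rule.
# `default([])` makes the task a no-op when no forwards are configured, which
# replaces the earlier `when: ... is defined` guard.
- name: Forward ports to hosts
  ansible.posix.firewalld:
    rich_rule: >-
      rule family=ipv4 forward-port protocol={{ item.proto }}
      port={{ item.from.port }} to-addr="{{ item.to.addr }}"
      to-port={{ item.to.port | default(item.from.port) }}
    zone: "{{ item.zone }}"
    permanent: true
    immediate: true
    state: enabled
  loop: "{{ gateway.firewall.forwarded_ports | default([]) }}"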