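---
# Gateway/LAN router setup for ch-gw-lan: shared base roles, a DHCP server
# and the nftables base, followed by host-specific post tasks that publish
# internal services behind the public IPv4 address (DNAT) and install small
# wake-on-LAN helper scripts.
- name: Basic Setup
  hosts: ch-gw-lan
  roles:
    - role: apt-repo/base
    - role: core/base
    - role: core/sshd/base
    - role: core/zsh
    - role: core/ntp
    - role: network/dhcp-server
    - role: network/nftables/base

  post_tasks:
    # DNAT rules for the published services. Two chains carry the same
    # mappings: `prerouting` for packets that arrive on the LAN interface
    # addressed to $public_ipv4, and `output` for packets the router itself
    # generates to that address. Port 222 is mapped to the router's address in
    # the svc zone ("ssh-router"); every other mapping is generated from the
    # network_services dict (name -> {ports, addr}).
    # `validate` syntax-checks the rendered file before it replaces the live
    # one, so a typo in the template or a bad inventory value is rejected here
    # instead of being handed to the "reload nftables" handler (defined outside
    # this play, presumably by network/nftables/base, which is also expected to
    # provide the nft binary).
    - name: install public service nftable rules
      copy:
        content: |
          # Ansible managed
          define nic_lan = lan0
          define public_ipv4 = {{ network_zones.magenta.prefix | ipaddr(network_zones.magenta.offsets['ch-router']) | ipaddr('address') }}

          table ip nat {
            chain public-services-prerouting {
              type nat hook prerouting priority -100; policy accept;
              iif $nic_lan ip daddr $public_ipv4 tcp dport { 222 } dnat to {{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-router']) | ipaddr('address') }} comment "ssh-router"
          {% for name, svc in network_services.items() %}
              iif $nic_lan ip daddr $public_ipv4 tcp dport { {{ svc.ports | join(', ') }} } dnat to {{ svc.addr }} comment "{{ name }}"
          {% endfor %}
            }

            chain public-services-output {
              type nat hook output priority -100; policy accept;
              ip daddr $public_ipv4 tcp dport { 222 } dnat to {{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-router']) | ipaddr('address') }} comment "ssh-router"
          {% for name, svc in network_services.items() %}
              ip daddr $public_ipv4 tcp dport { {{ svc.ports | join(', ') }} } dnat to {{ svc.addr }} comment "{{ name }}"
          {% endfor %}
            }
          }
        dest: /etc/nftables.d/public-services.nft
        # Explicit, non-executable permissions for the ruleset fragment.
        mode: "0644"
        # Dry-run parse of the rendered ruleset; a failure aborts the copy and
        # the handler is never notified.
        validate: nft -c -f %s
      notify: reload nftables

    - name: install etherwake
      apt:
        name: etherwake
        state: present

    # One wrapper script per machine so the interface/MAC pair is kept here
    # rather than typed by hand. NOTE(review): etherwake sends raw Ethernet
    # frames and normally needs root privileges; nothing here restricts who
    # may run the wrapper beyond the 0755 mode - confirm that is intended.
    - name: install wakeup scripts
      loop:
        - name: epimetheus
          interface: lan0
          # MAC addresses are quoted so YAML never tries to type them.
          mac: "90:2b:34:35:da:88"
        - name: mc
          interface: lan0
          mac: "00:1e:8c:f4:e6:d8"
      loop_control:
        label: "{{ item.name }}"
      copy:
        dest: "/usr/local/bin/wakeup-{{ item.name }}"
        # Arguments are single-quoted so a loop value containing whitespace or
        # shell metacharacters cannot be split or expanded by sh.
        content: |
          #!/bin/sh
          exec etherwake -i '{{ item.interface }}' '{{ item.mac }}'
        # Octal mode kept as a string: an unquoted 0755 is parsed as an
        # integer by YAML and only works by accident.
        mode: "0755"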