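---
# Playbook: base configuration of the LAN gateway.
# Applies to the `ch-gw-lan` host group only; the roles below are expected
# to live in the repository's roles/ tree (not visible here).
- name: Basic Setup
  hosts: ch-gw-lan
  roles:
    - role: apt-repo/base
    - role: core/base
    - role: core/sshd/base
    - role: core/zsh
    - role: core/ntp
    - role: network/dhcp-server
    - role: network/nftables/base

  post_tasks:
    # DNAT rules for services exposed on the gateway's public IPv4 address.
    # The prerouting chain only matches packets arriving on $nic_lan, the
    # output chain matches locally generated traffic. Port 222 is rewritten
    # to the router's address in the `svc` zone; every further entry comes
    # from `network_services`. `network_zones`, `network_services` and the
    # `ipaddr` filter (from an Ansible network/utils collection) must be
    # provided by the inventory / collection setup — assumed, not shown here.
    - name: install public service nftable rules
      copy:
        content: |
          # Ansible managed
          define nic_lan = lan0
          define public_ipv4 = {{ network_zones.magenta.prefix | ipaddr(network_zones.magenta.offsets['ch-router']) | ipaddr('address') }}
          table ip nat {
            chain public-services-prerouting {
              type nat hook prerouting priority -100; policy accept;
              iif $nic_lan ip daddr $public_ipv4 tcp dport { 222 } dnat to {{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-router']) | ipaddr('address') }} comment "ssh-router"
          {% for name, svc in network_services.items() %}
              iif $nic_lan ip daddr $public_ipv4 tcp dport { {{ svc.ports | join(', ') }} } dnat to {{ svc.addr }} comment "{{ name }}"
          {% endfor %}
            }
            chain public-services-output {
              type nat hook output priority -100; policy accept;
              ip daddr $public_ipv4 tcp dport { 222 } dnat to {{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-router']) | ipaddr('address') }} comment "ssh-router"
          {% for name, svc in network_services.items() %}
              ip daddr $public_ipv4 tcp dport { {{ svc.ports | join(', ') }} } dnat to {{ svc.addr }} comment "{{ name }}"
          {% endfor %}
            }
          }
        dest: /etc/nftables.d/public-services.nft
      # Handler is defined elsewhere (presumably in network/nftables/base).
      notify: reload nftables

    - name: install etherwake
      apt:
        name: etherwake
        state: present

    # One wake-on-LAN helper script per host. MAC addresses are quoted so
    # that the colon-separated values are always read as strings, and the
    # file mode is quoted so the leading zero is not reinterpreted as an
    # octal/decimal integer by the YAML parser.
    - name: install wakeup scripts
      loop:
        - name: epimetheus
          interface: lan0
          mac: "90:2b:34:35:da:88"
        - name: mc
          interface: lan0
          mac: "00:1e:8c:f4:e6:d8"
      loop_control:
        label: "{{ item.name }}"
      copy:
        dest: "/usr/local/bin/wakeup-{{ item.name }}"
        content: |
          #!/bin/sh
          exec etherwake -i {{ item.interface }} {{ item.mac }}
        mode: "0755"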