trixie/roles/firewalld2if/tasks/main.yml

- name: add if_lan with static address
  template:
    src: interfaces-static.j2
    dest: /etc/network/interfaces.d/static
    mode: 0644
  notify: "bring up LAN interface"

- name: install firewalld package
  apt: name=firewalld state=latest # noqa package-latest
  notify: "start firewalld"

- name: flush all handlers
  meta: flush_handlers


## Do not run the following in the installer:

- name: add WAN interface to zone public
  firewalld:
    zone: public
    interface: "{{ if_wan }}"
    permanent: true
    state: enabled
    immediate: true
  when: not run_in_installer|default(false)|bool

- name: enable masquerading
  firewalld:
    zone: public
    masquerade: 'yes'
    permanent: true
    state: enabled
    immediate: true
  when: not run_in_installer|default(false)|bool

- name: add LAN interface to internal zone
  firewalld:
    zone: internal
    interface: "{{ if_lan }}"
    permanent: true
    state: enabled
    immediate: true
  when: not run_in_installer|default(false)|bool

- name: enable services
  firewalld:
    zone: internal
    service: "{{ item }}"
    permanent: true
    state: enabled
    immediate: true
  with_items:
    - dhcp
    - dns
    - tftp
    - git
  when: not run_in_installer|default(false)|bool

## Use firewall-offline-cmd when run during installation:

- name: add WAN interface to zone public
  command: "firewall-offline-cmd --zone=public --add-interface={{ if_wan }}"
  when: run_in_installer|default(false)|bool

- name: enable masquerading
  command: "firewall-offline-cmd --zone=public --add-masquerade"
  when: run_in_installer|default(false)|bool

- name: add LAN interface to zone intern
  command: "firewall-offline-cmd --zone=internal --add-interface={{ if_lan }}"
  when: run_in_installer|default(false)|bool

- name: enable services
  command: >-
    firewall-offline-cmd --zone=internal
    --add-service=dhcp
    --add-service=dns
    --add-service=tftp
    --add-service=git
  when: run_in_installer|default(false)|bool
Switch from squid to apt-cacher-ng and from shorewall to firewalld. 2019-10-24 20:27:35 +02:00			`- name: add if_lan with static address`
			`template:`
			`src: interfaces-static.j2`
			`dest: /etc/network/interfaces.d/static`
Fix some ansible-lint complaints. 2022-06-11 12:42:02 +02:00			`mode: 0644`
Fix ending up with no link on WAN interface. 2021-04-01 22:01:46 +02:00			`notify: "bring up LAN interface"`
Switch from squid to apt-cacher-ng and from shorewall to firewalld. 2019-10-24 20:27:35 +02:00
			`- name: install firewalld package`
Fix some ansible-lint complaints. 2022-06-11 12:42:02 +02:00			`apt: name=firewalld state=latest # noqa package-latest`
Switch from squid to apt-cacher-ng and from shorewall to firewalld. 2019-10-24 20:27:35 +02:00			`notify: "start firewalld"`

Fix some ansible-lint complaints. 2022-06-11 12:42:02 +02:00			`- name: flush all handlers`
			`meta: flush_handlers`
Switch from squid to apt-cacher-ng and from shorewall to firewalld. 2019-10-24 20:27:35 +02:00

			`## Do not run the following in the installer:`

			`- name: add WAN interface to zone public`
			`firewalld:`
			`zone: public`
			`interface: "{{ if_wan }}"`
Fix some ansible-lint complaints. 2022-06-11 12:42:02 +02:00			`permanent: true`
Switch from squid to apt-cacher-ng and from shorewall to firewalld. 2019-10-24 20:27:35 +02:00			`state: enabled`
Modifications need to be applied immediately. 2021-04-02 10:34:16 +02:00			`immediate: true`
Switch from squid to apt-cacher-ng and from shorewall to firewalld. 2019-10-24 20:27:35 +02:00			`when: not run_in_installer\|default(false)\|bool`

			`- name: enable masquerading`
			`firewalld:`
			`zone: public`
Cleanup and restructuring. Move pressed-installer tasks to other roles. 2019-11-25 18:26:21 +01:00			`masquerade: 'yes'`
Fix some ansible-lint complaints. 2022-06-11 12:42:02 +02:00			`permanent: true`
Switch from squid to apt-cacher-ng and from shorewall to firewalld. 2019-10-24 20:27:35 +02:00			`state: enabled`
Modifications need to be applied immediately. 2021-04-02 10:34:16 +02:00			`immediate: true`
Switch from squid to apt-cacher-ng and from shorewall to firewalld. 2019-10-24 20:27:35 +02:00			`when: not run_in_installer\|default(false)\|bool`

Fix bind configuration. 2022-06-13 22:59:38 +02:00			`- name: add LAN interface to internal zone`
Switch from squid to apt-cacher-ng and from shorewall to firewalld. 2019-10-24 20:27:35 +02:00			`firewalld:`
			`zone: internal`
			`interface: "{{ if_lan }}"`
Fix some ansible-lint complaints. 2022-06-11 12:42:02 +02:00			`permanent: true`
Switch from squid to apt-cacher-ng and from shorewall to firewalld. 2019-10-24 20:27:35 +02:00			`state: enabled`
Modifications need to be applied immediately. 2021-04-02 10:34:16 +02:00			`immediate: true`
Switch from squid to apt-cacher-ng and from shorewall to firewalld. 2019-10-24 20:27:35 +02:00			`when: not run_in_installer\|default(false)\|bool`

			`- name: enable services`
			`firewalld:`
			`zone: internal`
			`service: "{{ item }}"`
Fix some ansible-lint complaints. 2022-06-11 12:42:02 +02:00			`permanent: true`
Switch from squid to apt-cacher-ng and from shorewall to firewalld. 2019-10-24 20:27:35 +02:00			`state: enabled`
Modifications need to be applied immediately. 2021-04-02 10:34:16 +02:00			`immediate: true`
Switch from squid to apt-cacher-ng and from shorewall to firewalld. 2019-10-24 20:27:35 +02:00			`with_items:`
			`- dhcp`
			`- dns`
			`- tftp`
			`- git`
			`when: not run_in_installer\|default(false)\|bool`

			`## Use firewall-offline-cmd when run during installation:`

			`- name: add WAN interface to zone public`
			`command: "firewall-offline-cmd --zone=public --add-interface={{ if_wan }}"`
			`when: run_in_installer\|default(false)\|bool`

			`- name: enable masquerading`
			`command: "firewall-offline-cmd --zone=public --add-masquerade"`
			`when: run_in_installer\|default(false)\|bool`

			`- name: add LAN interface to zone intern`
			`command: "firewall-offline-cmd --zone=internal --add-interface={{ if_lan }}"`
			`when: run_in_installer\|default(false)\|bool`

			`- name: enable services`
Add firewalld rules to service roles. 2019-11-24 20:53:54 +01:00			`command: >-`
			`firewall-offline-cmd --zone=internal`
			`--add-service=dhcp`
			`--add-service=dns`
			`--add-service=tftp`
			`--add-service=git`
Switch from squid to apt-cacher-ng and from shorewall to firewalld. 2019-10-24 20:27:35 +02:00			`when: run_in_installer\|default(false)\|bool`