Switch from squid to apt-cacher-ng and from shorewall to firewalld.

roles/apt-cacher/files/apt.conf

@@ -0,0 +1 @@
+Acquire::http::Proxy "http://localhost:3142";

roles/apt-cacher/handlers/main.yml

@@ -0,0 +1,3 @@
+- name: start apt-cacher-ng
+  service: name=apt-cacher-ng state=started enabled=yes
+  listen: "start apt-cacher-ng"

roles/apt-cacher/tasks/main.yml

@@ -0,0 +1,13 @@
+- name: install apt-cacher-ng package
+  apt:
+    name: apt-cacher-ng
+    state: latest
+
+- name: enable apt-cacher-ng for localhost
+  copy:
+    src: apt.conf
+    dest: /etc/apt/apt.conf
+    backup: yes
+  notify: "start apt-cacher-ng"
+
+- meta: flush_handlers

roles/dhcp-dns-dnsmasq/tasks/main.yml

@@ -12,6 +12,6 @@
 
 - name: configure dnsmasq
   template:
-    src: dnsmasq-transparent-proxy.j2
-    dest: /etc/dnsmasq.d/transparent-proxy
+    src: dnsmasq-dhcp.j2
+    dest: /etc/dnsmasq.d/dnsmasq-dhcp
   notify: "restart dnsmasq"

roles/preseed-installer/tasks/main.yml

@@ -9,11 +9,17 @@
     dest: "{{ tftp_root }}/d-i/{{ di_dist }}"
     force: no
 
+- name: enable apt-cacher-ng for install-clients
+  replace:
+    dest: "{{ tftp_root }}/d-i/{{ di_dist }}/preseed.cfg"
+    regexp: '^(d-i mirror/http/proxy string.*)$'
+    replace: 'd-i mirror/http/proxy string http://{{ hostname }}:3142/'
+    
 - name: make the hostname resolvable from the LAN
-  lineinfile:
+  replace:
     path: /etc/hosts
-    insertafter: '^127.0.1.1'
-    line: '{{ ipaddr_lan }}	{{ hostname }}'
+    regexp: '^(127\.0\.1\.1.*)$'
+    replace: '#\1\n{{ ipaddr_lan }}	{{ hostname }}'
 
 - name: add auto pxe boot entry to di-netboot-assistant
   blockinfile:
@@ -22,12 +28,12 @@
     block: |
       TIMEOUT 100
       LABEL autoinstall
-         MENU LABEL Debian {{ di_version }} (amd64) + preseed
+         MENU LABEL Debian {{ di_version }} (amd64) + preseed + kiosk.yml
          kernel ::/d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/linux
          append initrd=::/d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/initrd.gz auto=true priority=critical url=tftp://{{ hostname }} playbook=kiosk.yml ---
 
          #LABEL daily
-         #MENU LABEL Debian daily (amd64) + preseed
+         #MENU LABEL Debian daily (amd64) + preseed + kiosk.yml
          #kernel ::/d-i/n-a/daily/amd64/linux
          #append initrd=::/d-i/n-a/daily/amd64/initrd.gz auto=true priority=critical url=tftp://{{ hostname }} playbook=kiosk.yml ---
   notify: "rebuild di-netboot-assistant menu"
@@ -37,12 +43,12 @@
     dest: /etc/di-netboot-assistant/grub.cfg.HEAD
     insertbefore: EOF
     block: |
-      menuentry 'Debian {{ di_version }} (amd64) + preseed' {
+      menuentry 'Debian {{ di_version }} (amd64) + preseed + kiosk.yml' {
          linux   /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/linux auto=true priority=critical url=tftp://{{ hostname }} playbook=kiosk.yml ---
          initrd  /d-i/n-pkg/images/{{ di_version }}/amd64/text/debian-installer/amd64/initrd.gz
       }
 
-      #menuentry 'Debian daily (amd64) + preseed' {
+      #menuentry 'Debian daily (amd64) + preseed + kiosk.yml' {
       #   linux   /d-i/n-a/daily/amd64/linux auto=true priority=critical url=tftp://{{ hostname }} playbook=kiosk.yml ---
       #   initrd  /d-i/n-a/daily/amd64/initrd.gz
       #}

roles/two-interface-firewalld/handlers/main.yml

@@ -0,0 +1,9 @@
+- name: restart networking
+  systemd: name=networking state=restarted enabled=yes
+  listen: restart networking
+  when: not run_in_installer|default(false)|bool
+
+- name: start firewalld
+  systemd: name=firewalld state=started enabled=yes
+  listen: "start firewalld"
+  when: not run_in_installer|default(false)|bool

roles/two-interface-firewalld/tasks/main.yml

@@ -0,0 +1,69 @@
+- name: add if_lan with static address
+  template:
+    src: interfaces-static.j2
+    dest: /etc/network/interfaces.d/static
+  notify: "restart networking"
+
+- name: install firewalld package
+  apt: name=firewalld state=latest
+  notify: "start firewalld"
+
+- meta: flush_handlers
+
+
+## Do not run the following in the installer:
+
+- name: add WAN interface to zone public
+  firewalld:
+    zone: public
+    interface: "{{ if_wan }}"
+    permanent: yes
+    state: enabled
+  when: not run_in_installer|default(false)|bool
+
+- name: enable masquerading
+  firewalld:
+    zone: public
+    masquerade: yes
+    permanent: yes
+    state: enabled
+  when: not run_in_installer|default(false)|bool
+
+- name: add LAN interface to zone intern
+  firewalld:
+    zone: internal
+    interface: "{{ if_lan }}"
+    permanent: yes
+    state: enabled
+  when: not run_in_installer|default(false)|bool
+
+- name: enable services
+  firewalld:
+    zone: internal
+    service: "{{ item }}"
+    permanent: yes
+    state: enabled
+  with_items:
+    - dhcp
+    - dns
+    - tftp
+    - git
+  when: not run_in_installer|default(false)|bool
+
+## Use firewall-offline-cmd when run during installation:
+
+- name: add WAN interface to zone public
+  command: "firewall-offline-cmd --zone=public --add-interface={{ if_wan }}"
+  when: run_in_installer|default(false)|bool
+
+- name: enable masquerading
+  command: "firewall-offline-cmd --zone=public --add-masquerade"
+  when: run_in_installer|default(false)|bool
+
+- name: add LAN interface to zone intern
+  command: "firewall-offline-cmd --zone=internal --add-interface={{ if_lan }}"
+  when: run_in_installer|default(false)|bool
+
+- name: enable services
+  command: "firewall-offline-cmd --zone=internal --add-service=dhcp --add-service=dns --add-service=tftp --add-service=git"
+  when: run_in_installer|default(false)|bool

roles/two-interface-firewalld/templates/interfaces-static.j2

@@ -0,0 +1,4 @@
+auto {{ if_lan }}
+allow-hotplug {{ if_lan }}
+iface {{ if_lan }} inet static
+  address {{ ipaddr_lan }}/24