first commit
403acf1f34
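--- /dev/null
+++ b/vnet.yml
@@ -0,0 +1,187 @@
+---
+- name: vnet Debian Linux Setup
+  hosts: defiant.dedyn.io tor-nas.dedyn.io
+  tasks:
+
+  - name: Packages for vnet0
+    apt:
+      name:
+        - bridge-utils
+        - ufw
+        - dnsmasq
+      update_cache: no
+      install_recommends: no
+
+  - name: 'remove dnsmasq from startup'
+    command: systemctl disable dnsmasq
+    args:
+      removes: /etc/systemd/system/multi-user.target.wants/dnsmasq.service
+
+  - name: 'stop dnsmasq'
+    command: systemctl stop dnsmasq
+    args:
+      removes: /run/dnsmasq/dnsmasq.pid
+
+  - name: V bridge
+    blockinfile:
+      path: /etc/network/interfaces.d/vnet0
+      create: yes
+      mode: "0444"
+      owner: root
+      group: root
+      marker: "# {mark} ANSIBLE MANAGED BLOCK"
+      block: |
+        auto vnet0
+        iface vnet0 inet static
+        bridge_ports none
+        address 192.168.42.1
+        broadcast 192.168.42.255
+        netmask 255.255.255.0
+    notify:
+      - Restart vnet0
+
+  - name: start vnet0 if not exists
+    ansible.builtin.command: ifup vnet0
+    args:
+      creates: /proc/sys/net/ipv6/conf/vnet0/disable_ipv6
+
+  - ansible.posix.sysctl:
+      name: net.ipv6.conf.vnet0.disable_ipv6
+      value: '1'
+      state: present
+
+  - ansible.posix.sysctl:
+      name: net.ipv4.ip_forward
+      value: '1'
+      state: present
+
+  - name: ufw firewall rules for routing to the Internet
+    blockinfile:
+      path: /etc/ufw/before.rules
+      create: yes
+      mode: "0440"
+      owner: root
+      group: root
+      marker: "# {mark} ANSIBLE MANAGED BLOCK for vnet0"
+      insertbefore: BOF
+      block: |
+        *nat
+        :POSTROUTING ACCEPT - [0:0]
+        # Route network 192.168.42.0/24 (vnet0)
+        -A POSTROUTING -s 192.168.42.0/24 -j MASQUERADE
+        COMMIT
+    notify:
+      - Restart ufw
+
+
+  - name: Allow Routing
+    community.general.ufw:
+      rule: allow
+      route: yes
+      interface_in: vnet0
+
+  - name: Allow all access to tcp port 53/udp (dns)
+    community.general.ufw:
+      rule: allow
+      port: '53'
+      proto: udp
+      interface: vnet0
+      direction: in
+
+  - name: Allow access to dhcp server
+    community.general.ufw:
+      rule: allow
+      port: '67'
+      proto: udp
+      interface: vnet0
+      direction: in
+
+  - name: Allow access to NTP server
+    community.general.ufw:
+      rule: allow
+      port: '123'
+      proto: udp
+      interface: vnet0
+      direction: in
+
+  - name: Allow access to tor
+    community.general.ufw:
+      rule: allow
+      port: '9040'
+      proto: tcp
+      interface: vnet0
+      direction: in
+
+  - name: dnsmasq DNS and DHCP for vnet0
+    blockinfile:
+      path: /etc/dnsmasq-vnet0.conf
+      create: yes
+      mode: "0444"
+      owner: root
+      group: root
+      marker: "# {mark} ANSIBLE MANAGED BLOCK"
+      block: |
+        port=53
+        interface=vnet0
+        listen-address=192.168.42.1
+        bind-interfaces
+        except-interface=lo
+        domain-needed
+        bogus-priv
+        dhcp-range=192.168.42.100,192.168.42.200,255.255.255.0,12h
+        dhcp-option=option:ntp-server,192.168.42.1
+        log-queries
+        log-dhcp
+    notify:
+      - Restart dnsmasq-vnet0
+
+  - name: dnsmasq DNS and DHCP for vnet0 systemd
+    blockinfile:
+      path: /etc/systemd/system/dnsmasq-vnet0.service
+      create: yes
+      mode: "0444"
+      owner: root
+      group: root
+      marker: "# {mark} ANSIBLE MANAGED BLOCK"
+      block: |
+        [Unit]
+        Description=dnsmasq vnet0 DNS and DHCP
+        After=network.target
+
+        [Service]
+        Type=forking
+        ExecStart=/usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq-vnet0.pid -u dnsmasq -r /run/dnsmasq/resolv.conf -C /etc/dnsmasq-vnet0.conf --local-service
+        PIDFile=/run/dnsmasq/dnsmasq-vnet0.pid
+        KillMode=process
+        Restart=on-failure
+
+        [Install]
+        WantedBy=multi-user.target
+    notify:
+      - Restart dnsmasq-vnet0
+
+  - name: 'add dnsmasq-vnet0 to startup'
+    command: systemctl enable dnsmasq-vnet0
+    args:
+      creates: /etc/systemd/system/multi-user.target.wants/dnsmasq-vnet0.service
+
+  - name: 'start dnsmasq-vnet0'
+    command: systemctl start dnsmasq-vnet0
+    args:
+      creates: /run/dnsmasq/dnsmasq-vnet0.pid
+
+  handlers:
+
+  - name: Restart vnet0
+    ansible.builtin.shell: ifdown vnet0 ; ifup vnet0
+
+  - name: Restart dnsmasq-vnet0
+    service:
+      name: dnsmasq-vnet0
+      state: restarted
+
+  - name: Restart ufw
+    service:
+      name: ufw
+      state: restarted
+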
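Review bot: The `Allow Routing` task (`rule: allow`, `route: yes`, `interface_in: vnet0`) carries no `interface_out` or destination, and the `-A POSTROUTING -s 192.168.42.0/24 -j MASQUERADE` line in the `/etc/ufw/before.rules` block has no `-o` either, so as far as these rules go vnet0 clients are forwarded and masqueraded towards every network the host is attached to, not only the Internet uplink the task name describes; restrict it with `interface_out: <UPLINK_IFACE>` (placeholder, the uplink name is not on the page) or add a `rule: deny`, `route: yes` rule for the host's other subnets ahead of it. The task named `Allow all access to tcp port 53/udp (dns)` opens only `proto: udp`, so DNS answers that fall back to TCP will be dropped on vnet0 — either add a second rule with `proto: tcp` or rename the task to say UDP only. The `dnsmasq-vnet0` unit reads upstream servers from `-r /run/dnsmasq/resolv.conf`, a file that the stock `dnsmasq` service normally maintains, and that service is disabled and stopped earlier in the play, so upstream resolution presumably relies on something else creating it — worth confirming on the hosts. On style, the `yes`/`no` values on `update_cache`, `install_recommends`, `create` and `route` should be written `true`/`false` (ansible-lint `yaml[truthy]`), and the four `systemctl disable/stop/enable/start` command tasks read more cleanly and idempotently as `ansible.builtin.systemd` with `enabled:` and `state:`.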