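---
# Sets up an isolated bridge vnet0 (192.168.42.0/24) on a Debian host:
# dnsmasq serves DHCP/DNS on that subnet from a dedicated dnsmasq-vnet0
# systemd unit (the stock dnsmasq service is disabled), and ufw masquerades
# the subnet to the Internet.
#
# NOTE(review): no `become:` is set; every task writes under /etc or calls
# systemctl, so the play is assumed to be run with root privileges (e.g. -b).
- name: vnet Debian Linux Setup
  hosts: all
  tasks:
    - name: Packages for vnet0
      ansible.builtin.apt:
        name:
          - bridge-utils
          - ufw
          - dnsmasq
        update_cache: false
        install_recommends: false

    # The stock dnsmasq service is replaced by dnsmasq-vnet0 further down.
    # The systemd module is idempotent, so no creates/removes guards are needed.
    - name: Disable and stop the stock dnsmasq service
      ansible.builtin.systemd:
        name: dnsmasq
        enabled: false
        state: stopped

    - name: V bridge
      ansible.builtin.blockinfile:
        path: /etc/network/interfaces.d/vnet0
        create: true
        mode: "0444"
        owner: root
        group: root
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        # bridge_ports none: the bridge is created with no member ports; this
        # play does not attach any.
        block: |
          auto vnet0
          iface vnet0 inet static
            bridge_ports none
            address 192.168.42.1
            broadcast 192.168.42.255
            netmask 255.255.255.0
      notify:
        - Restart vnet0

    - name: start vnet0 if not exists
      ansible.builtin.command: ifup vnet0
      args:
        # the per-interface sysctl tree only exists once the bridge device does
        creates: /proc/sys/net/ipv6/conf/vnet0/disable_ipv6

    - name: Disable IPv6 on vnet0
      ansible.posix.sysctl:
        name: net.ipv6.conf.vnet0.disable_ipv6
        value: '1'
        state: present

    # Kernel forwarding is required for the MASQUERADE rule below to carry
    # traffic from vnet0 to the outside.
    - name: Enable IPv4 forwarding
      ansible.posix.sysctl:
        name: net.ipv4.ip_forward
        value: '1'
        state: present

    - name: ufw firewall rules for routing to the Internet
      ansible.builtin.blockinfile:
        path: /etc/ufw/before.rules
        create: true
        mode: "0440"
        owner: root
        group: root
        marker: "# {mark} ANSIBLE MANAGED BLOCK for vnet0"
        # placed at the top of the file, ahead of ufw's own *filter section
        insertbefore: BOF
        block: |
          *nat
          :POSTROUTING ACCEPT - [0:0]
          # Route network 192.168.42.0/24 (vnet0)
          -A POSTROUTING -s 192.168.42.0/24 -j MASQUERADE
          COMMIT
      notify:
        - Restart ufw

    # Only the inbound interface is constrained: anything arriving on vnet0
    # may be forwarded to any destination.
    - name: Allow Routing
      community.general.ufw:
        rule: allow
        route: true
        interface_in: vnet0

    # Only UDP/53 is opened; DNS over TCP (large answers, DNSSEC) to the host
    # stays blocked by ufw's default deny. Confirm that is intended.
    - name: Allow access to udp port 53 (dns)
      community.general.ufw:
        rule: allow
        port: '53'
        proto: udp
        interface: vnet0
        direction: in

    - name: Allow access to dhcp server
      community.general.ufw:
        rule: allow
        port: '67'
        proto: udp
        interface: vnet0
        direction: in

    - name: Allow access to NTP server
      community.general.ufw:
        rule: allow
        port: '123'
        proto: udp
        interface: vnet0
        direction: in

    - name: Allow access to tor
      community.general.ufw:
        rule: allow
        port: '9040'
        proto: tcp
        interface: vnet0
        direction: in

    - name: dnsmasq DNS and DHCP for vnet0
      ansible.builtin.blockinfile:
        path: /etc/dnsmasq-vnet0.conf
        create: true
        mode: "0444"
        owner: root
        group: root
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        # interface/listen-address/bind-interfaces/except-interface together
        # keep dnsmasq off every interface except the bridge address.
        # log-queries/log-dhcp send every lookup and lease to the system log;
        # weigh that against privacy and log volume.
        block: |
          port=53
          interface=vnet0
          listen-address=192.168.42.1
          bind-interfaces
          except-interface=lo
          domain-needed
          bogus-priv
          dhcp-range=192.168.42.100,192.168.42.200,255.255.255.0,12h
          dhcp-option=option:ntp-server,192.168.42.1
          log-queries
          log-dhcp
      notify:
        - Restart dnsmasq-vnet0

    - name: dnsmasq DNS and DHCP for vnet0 systemd
      ansible.builtin.blockinfile:
        path: /etc/systemd/system/dnsmasq-vnet0.service
        create: true
        mode: "0444"
        owner: root
        group: root
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        # -u drops privileges to the dnsmasq user; --local-service answers DNS
        # only for directly connected subnets; -r takes upstream resolvers
        # from /run/dnsmasq/resolv.conf.
        # NOTE(review): /run/dnsmasq lives on tmpfs and the resolv.conf there is
        # normally produced by the stock dnsmasq/resolvconf integration, which
        # this play disables — confirm both exist after a reboot, or the unit
        # will fail to start.
        block: |
          [Unit]
          Description=dnsmasq vnet0 DNS and DHCP
          After=network.target

          [Service]
          Type=forking
          ExecStart=/usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq-vnet0.pid -u dnsmasq -r /run/dnsmasq/resolv.conf -C /etc/dnsmasq-vnet0.conf --local-service
          PIDFile=/run/dnsmasq/dnsmasq-vnet0.pid
          KillMode=process
          Restart=on-failure

          [Install]
          WantedBy=multi-user.target
      notify:
        - Restart dnsmasq-vnet0

    # daemon_reload makes systemd read the unit written above before it is
    # enabled/started; the module is idempotent on later runs.
    - name: Enable and start dnsmasq-vnet0
      ansible.builtin.systemd:
        name: dnsmasq-vnet0
        daemon_reload: true
        enabled: true
        state: started

  handlers:
    # NOTE(review): ifup presumably does nothing for an interface that is
    # already configured, so edits to a live vnet0 would not be re-applied by
    # this handler — confirm whether an ifdown/ifup cycle is wanted.
    - name: Restart vnet0
      ansible.builtin.command: ifup vnet0

    - name: Restart dnsmasq-vnet0
      ansible.builtin.systemd:
        name: dnsmasq-vnet0
        # pick up a changed unit file before restarting
        daemon_reload: true
        state: restarted

    - name: Restart ufw
      ansible.builtin.service:
        name: ufw
        state: restarted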