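---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
#
# nftables role tasks: install the package, resolve the domain names the
# firewall must allow, render /etc/nftables.conf from a template and enable
# the service. The etckeeper.inc role brackets the steps that touch /etc so
# the upstream change and the local change are recorded as separate commits.

### UPSTREAM BEGIN ⇒ ###
- name: pull prerequisites from upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: upstream.yml
  vars:
    msg: nftables
### ⇐ UPSTREAM BEGIN ###

- name: install software
  package:
    name: "{{item}}"
    state: present
  with_items:
    - nftables

### UPSTREAM END ⇒ ###
- name: merge upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: merge.yml
  vars:
    msg: nftables
### ⇐ UPSTREAM END ###

# Resolution runs on the control node (connection: local) through its own
# resolver, so `dig` must be installed there and the answers reflect the
# controller's view of DNS at playbook time; they are only refreshed by the
# next run, not when a record changes. `dig +short` prints nothing for a name
# that has no record of the requested type and still exits 0, so such a name
# silently drops out of the allowlist rather than failing the play; a resolver
# error (no reply) makes dig exit non-zero and the task fails.
- name: resolve the allowed domain names
  connection: local
  command: dig +short -t {{item[1]}} {{item[0]}}
  with_nested:
    # split() instead of split(' '): an empty software_mirrors or
    # net_allowed_domains, or a doubled space, would otherwise yield an empty
    # item and a dig run with no name; with split() the loop simply has
    # fewer (possibly zero) iterations.
    - "{{(software_mirrors + ' ' + net_allowed_domains).split()}}"
    - ['A', 'AAAA']
  changed_when: false
  register: ips

- name: store the resolved IP addresses
  set_fact:
    # Flatten the stdout_lines of every dig run into one space-separated
    # string for the template; order follows the with_nested iteration above.
    # Zero dig runs give an empty string.
    allowed_domains_ip: "{{ips.results | map(attribute='stdout_lines') | sum(start=[]) | join(' ')}}"

- name: generate the nft script
  template:
    src: templates/nftables.conf.j2
    dest: /etc/nftables.conf
    # Quoted so the YAML parser cannot re-type the octal mode; root-only
    # read/write for the generated ruleset.
    mode: "0600"
  notify:
    - restart nftables.service

# Only enables the unit; (re)starting is left to the "restart nftables.service"
# handler (defined elsewhere), which fires at the flush_handlers below and only
# when the rendered configuration changed.
- name: enable nftables
  systemd:
    daemon-reload: true
    name: nftables.service
    enabled: true

### LOCAL COMMIT ⇒ ###
- name: commit local changes
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: local.yml
  vars:
    msg: nftables
### ⇐ LOCAL COMMIT ###

- meta: flush_handlers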