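---
# yggdrasil role: install and configure the yggdrasil overlay network.
#
# Tag behaviour as encoded in the conditions below:
#   - 'global.update_only'  skips install/firewall and removal; only the
#                           peer update (update_peers.yml) still runs.
#   - 'yggdrasil' + 'global.uninstall'  enables removal, but only when
#                           yggdrasil_enabled is false.
- name: Report role entry
  ansible.builtin.debug:
    msg: "ENABLED = {{ yggdrasil_enabled }}; yggdrasil-role; install and configure yggdrasil overlay network"

- name: Install and configure yggdrasil
  when:
    - "yggdrasil_enabled is true"
    - "'global.update_only' not in ansible_run_tags"
  block:
    - name: Gather package facts
      ansible.builtin.package_facts:
        manager: auto

    - name: Install yggdrasil if not present
      when: "'yggdrasil' not in ansible_facts.packages"
      block:
        # Installation is dispatched per OS family (install_<family>.yml);
        # removal further down must therefore not assume a single manager.
        - ansible.builtin.include_tasks: "install_{{ ansible_os_family }}.yml"

    - name: Populate service facts
      ansible.builtin.service_facts:

    - name: Configure iptables
      # NOTE(review): this guard keys on 'iptables.service', while the save
      # task at the end of the block writes the iptables-persistent path
      # /etc/iptables/rules.v6 - confirm the two match the distributions this
      # role targets (the unit name differs between families).
      when: "ansible_facts.services['iptables.service'] is defined"
      block:
        # Both chain policies are switched to DROP at the end of this block.
        # A chain policy applies to every interface, not only tun0, so any
        # IPv6 traffic the host must keep accepting needs an explicit rule
        # above the policy change. Loopback and ICMPv6 are the two classes a
        # DROP policy would otherwise silently break (local services bound to
        # ::1, neighbour discovery, path-MTU discovery).
        - name: Allow loopback traffic
          ansible.builtin.iptables:
            chain: INPUT
            in_interface: lo
            jump: ACCEPT
            ip_version: ipv6

        - name: Allow ICMPv6 (neighbour discovery, path MTU, echo)
          ansible.builtin.iptables:
            chain: INPUT
            protocol: ipv6-icmp
            jump: ACCEPT
            ip_version: ipv6

        # NOTE(review): this conntrack rule is scoped to tun0 while the DROP
        # policy below is chain-wide; replies to outbound IPv6 connections on
        # other interfaces are dropped unless rules outside this role accept
        # them. Confirm that is intended before deploying on dual-stack hosts.
        - name: Allow related and established connections
          ansible.builtin.iptables:
            chain: INPUT
            ctstate: ESTABLISHED,RELATED
            jump: ACCEPT
            in_interface: tun0
            ip_version: ipv6

        - name: Drop invalid connections
          ansible.builtin.iptables:
            chain: INPUT
            ctstate: INVALID
            jump: DROP
            in_interface: tun0
            ip_version: ipv6

        # Not limited to tun0: when enabled, SSH is reachable over IPv6 on
        # every interface, not only through the overlay.
        - name: Allow new incoming SYN packets on TCP port 22 (SSH)
          when: 'yggdrasil_sshd_enabled is true'
          ansible.builtin.iptables:
            chain: INPUT
            protocol: tcp
            destination_port: 22
            ctstate: NEW
            syn: match
            jump: ACCEPT
            ip_version: ipv6
            comment: Accept new SSH connections.

        # Policies are set last so the accept rules above are already in
        # place when the default becomes DROP.
        - name: Set the policy for the INPUT chain to DROP
          ansible.builtin.iptables:
            chain: INPUT
            policy: DROP
            ip_version: ipv6

        - name: Set the policy for the FORWARD chain to DROP
          ansible.builtin.iptables:
            chain: FORWARD
            policy: DROP
            ip_version: ipv6

        # shell (not command) is required for the redirect. This task is not
        # idempotent: it rewrites the file and reports changed on every run.
        - name: Save rules with iptables-persistent v6
          ansible.builtin.shell: ip6tables-save > /etc/iptables/rules.v6

- name: Remove yggdrasil if not enabled
  when:
    - "yggdrasil_enabled is false"
    - "'yggdrasil' in ansible_run_tags"
    - "'global.uninstall' in ansible_run_tags"
    - "'global.update_only' not in ansible_run_tags"
  block:
    - name: Gather package facts
      ansible.builtin.package_facts:
        manager: auto

    # Installation above is per OS family, so removal uses the generic
    # package module instead of hard-coding apt (which fails on non-Debian
    # families that install_<family>.yml may support).
    - name: Remove yggdrasil if present
      when: "'yggdrasil' in ansible_facts.packages"
      ansible.builtin.package:
        name: yggdrasil
        state: absent

# No 'global.update_only' condition here: the peer list is refreshed
# whenever the role is enabled, including update-only runs.
- name: Update yggdrasil peers
  when:
    - "yggdrasil_enabled is true"
  ansible.builtin.include_tasks: "update_peers.yml"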