74 lines
2.1 KiB
YAML
74 lines
2.1 KiB
YAML
- name: Install and configure yggdrasil
|
|
when: "yggdrasil_enabled is true"
|
|
block:
|
|
- name: Gather package facts
|
|
package_facts:
|
|
manager: auto
|
|
|
|
- name: Install yggdrasil if not present
|
|
when: "'yggdrasil' not in ansible_facts.packages"
|
|
block:
|
|
- include_tasks: "install_{{ ansible_os_family }}.yml"
|
|
|
|
- name: Populate service facts
|
|
ansible.builtin.service_facts:
|
|
|
|
- name: Configure iptables
|
|
when: "ansible_facts.services['iptables.service'] is defined"
|
|
block:
|
|
- name: Allow related and established connections
|
|
ansible.builtin.iptables:
|
|
chain: INPUT
|
|
ctstate: ESTABLISHED,RELATED
|
|
jump: ACCEPT
|
|
in_interface: tun0
|
|
ip_version: ipv6
|
|
|
|
- name: Drop invalid connections
|
|
ansible.builtin.iptables:
|
|
chain: INPUT
|
|
ctstate: INVALID
|
|
jump: DROP
|
|
in_interface: tun0
|
|
ip_version: ipv6
|
|
|
|
- name: Allow new incoming SYN packets on TCP port 22 (SSH)
|
|
when: 'yggdrasil_sshd_enabled is true'
|
|
ansible.builtin.iptables:
|
|
chain: INPUT
|
|
protocol: tcp
|
|
destination_port: 22
|
|
ctstate: NEW
|
|
syn: match
|
|
jump: ACCEPT
|
|
ip_version: ipv6
|
|
comment: Accept new SSH connections.
|
|
|
|
- name: Set the policy for the INPUT chain to DROP
|
|
ansible.builtin.iptables:
|
|
chain: INPUT
|
|
policy: DROP
|
|
ip_version: ipv6
|
|
|
|
- name: Set the policy for the FORWARD chain to DROP
|
|
ansible.builtin.iptables:
|
|
chain: FORWARD
|
|
policy: DROP
|
|
ip_version: ipv6
|
|
|
|
- name: Save rules with iptables-persistent v6
|
|
ansible.builtin.shell: ip6tables-save > /etc/iptables/rules.v6
|
|
|
|
- name: Remove yggdrasil if not enabled
|
|
when: "yggdrasil_enabled is false"
|
|
block:
|
|
- name: Gather package facts
|
|
package_facts:
|
|
manager: auto
|
|
|
|
- name: Remove yggdrasil if present
|
|
when: "'yggdrasil' in ansible_facts.packages"
|
|
ansible.builtin.apt:
|
|
name: yggdrasil
|
|
state: absent
|