common: Sync from polyfloyd

2022-10-08 20:03:33 +02:00 · 2022-10-08 20:03:33 +02:00 · 97a4e95ca8
commit 97a4e95ca8
parent b1add6ce2c
4 changed files with 21 additions and 20 deletions
--- a/roles/acme/templates/nginx-snippet.conf
+++ b/roles/acme/templates/nginx-snippet.conf
@ -2,5 +2,6 @@

 location /.well-known/acme-challenge {
 	allow all;
+	auth_basic off;
 	alias /var/lib/dehydrated/acme-challenges;
 }
--- a/roles/common/tasks/main.yaml
+++ b/roles/common/tasks/main.yaml
@ -31,7 +31,7 @@
  lineinfile:
    path: /etc/bash.bashrc
    insertafter: EOF
-    regexp: "^source /usr/share/doc/fzf/{{ item }}"
+    regexp: "^source /usr/share/doc/fzf/examples/{{ item }}"
    line: "source /usr/share/doc/fzf/examples/{{ item }} # Managed by Ansible"
  with_items:
    - key-bindings.bash
@ -77,12 +77,15 @@
    - ipv6
  notify: persist iptables

- name: Allow IPv6 ICMP
+- name: Allow ICMP
  iptables:
    chain: INPUT
-    protocol: ipv6-icmp
+    protocol: "{{ item.proto }}"
    jump: ACCEPT
-    ip_version: ipv6
+    ip_version: "{{ item.ip }}"
+  with_items:
+    - { ip: ipv4, proto: icmp }
+    - { ip: ipv6, proto: ipv6-icmp }
  notify: persist iptables

 - name: Allow related and established connections
--- a/roles/common/tasks/network.yaml
+++ b/roles/common/tasks/network.yaml
@ -5,17 +5,14 @@
    state: present
  when: network_br

- lineinfile:
+- name: Configure sysctl.conf
+  lineinfile:
    path: /etc/sysctl.conf
-    regexp: ^#?net.ipv4.ip_forward
-    line: "net.ipv4.ip_forward=1 # Managed by Ansible"
-  notify: reboot
-  when: network_br
-
- lineinfile:
-    path: /etc/sysctl.conf
-    regexp: ^#?net.ipv6.conf.all.forwarding
-    line: "net.ipv6.conf.all.forwarding=1 # Managed by Ansible"
+    regexp: "^#?{{ item.k }}"
+    line: "{{ item.k }}={{ item.v }} # Managed by Ansible"
+  with_items:
+    - { k: net.ipv4.ip_forward, v: "1" }
+    - { k: net.ipv6.conf.all.forwarding, v: "1" }
  notify: reboot
  when: network_br

--- a/roles/common/templates/network-interfaces
+++ b/roles/common/templates/network-interfaces
@ -18,20 +18,20 @@ iface eth0 inet manual

 auto br0
 iface br0 inet static
-	address {{ network_static.address_v4 }}
-	gateway {{ network_static.gateway_v4 }}
+	address {{ network_address_v4 }}
+	gateway {{ network_gateway_v4 }}
 	bridge_ports eth0

 iface br0 inet6 auto
 	up echo -n 0 > /sys/devices/virtual/net/br0/bridge/multicast_snooping
-	up ip -6 addr add {{ network_static.address_v6 }} dev br0
-	up ip -6 route add default via {{ network_static.gateway_v6 }} dev br0
+	up ip -6 addr add {{ network_address_v6 }} dev br0
+	up ip -6 route add default via {{ network_gateway_v6 }} dev br0
 	bridge_stp on

 {% elif network_static %}
 iface eth0 inet static
-	address {{ network_static.address_v4 }}
-	gateway {{ network_static.gateway_v4 }}
+	address {{ network_address_v4 }}
+	gateway {{ network_gateway_v4 }}

 {% else %}
 iface eth0 inet dhcp