From 97a4e95ca873a034f2eaae96792040c0f12dee10 Mon Sep 17 00:00:00 2001
From: polyfloyd
Date: Sat, 8 Oct 2022 20:03:33 +0200
Subject: [PATCH] common: Sync from polyfloyd

---
 roles/acme/templates/nginx-snippet.conf | 1 +
 roles/common/tasks/main.yaml | 11 +++++++----
 roles/common/tasks/network.yaml | 17 +++++++----------
 roles/common/templates/network-interfaces | 12 ++++++------
 4 files changed, 21 insertions(+), 20 deletions(-)

diff --git a/roles/acme/templates/nginx-snippet.conf b/roles/acme/templates/nginx-snippet.conf
index 4d988bd..c57ac6a 100644
--- a/roles/acme/templates/nginx-snippet.conf
+++ b/roles/acme/templates/nginx-snippet.conf
@@ -2,5 +2,6 @@ location /.well-known/acme-challenge {
 allow all;
+ auth_basic off;
 alias /var/lib/dehydrated/acme-challenges;
 }
diff --git a/roles/common/tasks/main.yaml b/roles/common/tasks/main.yaml
index 14c461f..a47b058 100644
--- a/roles/common/tasks/main.yaml
+++ b/roles/common/tasks/main.yaml
@@ -31,7 +31,7 @@
 lineinfile:
 path: /etc/bash.bashrc
 insertafter: EOF
- regexp: "^source /usr/share/doc/fzf/{{ item }}"
+ regexp: "^source /usr/share/doc/fzf/examples/{{ item }}"
 line: "source /usr/share/doc/fzf/examples/{{ item }} # Managed by Ansible"
 with_items:
 - key-bindings.bash
@@ -77,12 +77,15 @@
 - ipv6
 notify: persist iptables
-- name: Allow IPv6 ICMP
+- name: Allow ICMP
 iptables:
 chain: INPUT
- protocol: ipv6-icmp
+ protocol: "{{ item.proto }}"
 jump: ACCEPT
- ip_version: ipv6
+ ip_version: "{{ item.ip }}"
+ with_items:
+ - { ip: ipv4, proto: icmp }
+ - { ip: ipv6, proto: ipv6-icmp }
 notify: persist iptables
 - name: Allow related and established connections
diff --git a/roles/common/tasks/network.yaml b/roles/common/tasks/network.yaml
index 29bf9c2..47053a9 100644
--- a/roles/common/tasks/network.yaml
+++ b/roles/common/tasks/network.yaml
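Review bot: The added `auth_basic off;` carries no explanation, and since it removes an access control from an internet-facing path a reader should be told why; add `# ACME validation is unauthenticated: the CA fetches challenge tokens without credentials` above it. Note that this directive only switches off basic auth, so if the enclosing server also gates access with `satisfy` or `auth_request`, those would need to be turned off for this location as well for validation to succeed. Keeping the aliased directory limited to challenge files is what makes the open location acceptable. The enclosing location block begins outside the hunk.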
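Review bot: `{{ item }}` is interpolated into `regexp` unescaped, so the `.` in `key-bindings.bash` matches any character and the pattern has no end anchor; `regexp: "^source /usr/share/doc/fzf/examples/{{ item | regex_escape }}"` keeps the match to the exact filename. The fix itself is right: the old pattern could never match the line the task writes, so an already-present variant of that line would have been left in place and a second one appended rather than replaced. The enclosing task starts outside the hunk.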
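Review bot: The rule now accepts every ICMP type on IPv4 as well as IPv6, and nothing in the hunk records why the full set is wanted rather than the handful a host needs (echo, destination-unreachable, time-exceeded). If the broad allow is intentional, say so above the task, e.g. `# All ICMP accepted: PMTU discovery and IPv6 neighbor discovery break when filtered`; otherwise narrow the IPv4 entry with the module's `icmp_type` parameter. Rate limiting echo requests is the usual middle ground if the concern is ping floods. The two-key flow mappings in `with_items` are fine for leaf items of this size.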
@@ -5,17 +5,14 @@
 state: present
 when: network_br
-- lineinfile:
+- name: Configure sysctl.conf
+ lineinfile:
 path: /etc/sysctl.conf
- regexp: ^#?net.ipv4.ip_forward
- line: "net.ipv4.ip_forward=1 # Managed by Ansible"
- notify: reboot
- when: network_br
-
-- lineinfile:
- path: /etc/sysctl.conf
- regexp: ^#?net.ipv6.conf.all.forwarding
- line: "net.ipv6.conf.all.forwarding=1 # Managed by Ansible"
+ regexp: "^#?{{ item.k }}"
+ line: "{{ item.k }}={{ item.v }} # Managed by Ansible"
+ with_items:
+ - { k: net.ipv4.ip_forward, v: "1" }
+ - { k: net.ipv6.conf.all.forwarding, v: "1" }
 notify: reboot
 when: network_br
diff --git a/roles/common/templates/network-interfaces b/roles/common/templates/network-interfaces
index b90590e..4799cd3 100644
--- a/roles/common/templates/network-interfaces
+++ b/roles/common/templates/network-interfaces
@@ -18,20 +18,20 @@ iface eth0 inet manual
 auto br0
 iface br0 inet static
- address {{ network_static.address_v4 }}
- gateway {{ network_static.gateway_v4 }}
+ address {{ network_address_v4 }}
+ gateway {{ network_gateway_v4 }}
 bridge_ports eth0
 iface br0 inet6 auto
 up echo -n 0 > /sys/devices/virtual/net/br0/bridge/multicast_snooping
- up ip -6 addr add {{ network_static.address_v6 }} dev br0
- up ip -6 route add default via {{ network_static.gateway_v6 }} dev br0
+ up ip -6 addr add {{ network_address_v6 }} dev br0
+ up ip -6 route add default via {{ network_gateway_v6 }} dev br0
 bridge_stp on
 {% elif network_static %}
 iface eth0 inet static
- address {{ network_static.address_v4 }}
- gateway {{ network_static.gateway_v4 }}
+ address {{ network_address_v4 }}
+ gateway {{ network_gateway_v4 }}
 {% else %}
 iface eth0 inet dhcp
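Review bot: `regexp: "^#?{{ item.k }}"` interpolates the sysctl key into a regular expression unescaped and with no terminator, so each `.` matches any character and the pattern also matches any longer key that shares the prefix; `regexp: "^#?{{ item.k | regex_escape }}="` pins it to the exact key, and the `=` still matches the commented-out form distributions ship. A loose match here would rewrite an unrelated line of /etc/sysctl.conf instead of the intended one. The task still relies on the `reboot` handler to apply the setting; the `sysctl` module both writes the file and applies the value immediately, which may be preferable unless the reboot is deliberate for the bridge reconfiguration.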
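Review bot: The `{% elif network_static %}` line still keys on `network_static` while every address and gateway lookup moved from `network_static.<field>` to the flat `network_address_v4`/`network_gateway_v4`/`network_address_v6`/`network_gateway_v6` variables, so the old name now serves only as a switch; if the inventory dropped the dict the branch silently stops rendering, and if it kept it the two sets of values can drift apart. A comment above the branch stating what the flag now means would help, e.g. `{# network_static: flag only; addresses come from network_address_v4 and friends #}`. The enclosing `{% if %}` starts outside the hunk.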