From ef69e31357ba946d0c82aa03b9a3b7c48b4402bc Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Wed, 13 Aug 2025 16:37:47 +0200
Subject: [PATCH] =?UTF-8?q?debian:=20don=E2=80=99t=20set=20up=20firewall?=
 =?UTF-8?q?=20for=20proxmox=20hosts?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Also factor firewall setup into a separate task. There is no good way to distinguish Debian and Proxmox hosts in Ansible, so we rely on the cluster_type NetBox variable.
---
 roles/debian/tasks/firewall.yml | 26 ++++++++++++++++++++++++++
 roles/debian/tasks/main.yml | 26 +++----------------------
 2 files changed, 29 insertions(+), 23 deletions(-)
 create mode 100644 roles/debian/tasks/firewall.yml

diff --git a/roles/debian/tasks/firewall.yml b/roles/debian/tasks/firewall.yml
new file mode 100644
index 0000000..5247171
--- /dev/null
+++ b/roles/debian/tasks/firewall.yml
@@ -0,0 +1,26 @@
+- name: Install nftables
+  package:
+    name: nftables
+
+- name: Set up generic firewall rules
+  copy:
+    dest: /etc/nftables.conf
+    src: nftables.conf
+  notify: reload nftables
+
+- name: Create nftables include directory
+  file:
+    path: /etc/nftables.d
+    state: directory
+
+- name: Set up local firewall rules
+  template:
+    dest: /etc/nftables.d/services.nft
+    src: services.nft.j2
+  notify: reload nftables
+
+- name: Enable firewall
+  service:
+    name: nftables
+    enabled: yes
+    state: started
diff --git a/roles/debian/tasks/main.yml b/roles/debian/tasks/main.yml
index d4cf87d..70f3e7d 100644
--- a/roles/debian/tasks/main.yml
+++ b/roles/debian/tasks/main.yml
@@ -30,7 +30,6 @@
     name:
       - git
       - ifupdown2
-      - nftables
       - rsync
       - vim
       - tmux
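Review bot: `enabled: yes` in the `Enable firewall` task is a YAML 1.1 truthy value; Ansible accepts it, but yamllint's truthy rule flags it and the canonical spelling is `enabled: true`. The new file also carries no header saying when it is applied — since main.yml now includes it conditionally, a leading `# Generic nftables firewall; included from main.yml only for hosts that are not Proxmox nodes (Proxmox has its own firewall configuration).` would tell a reader why a given Debian host may lack these rules. Consider `validate: 'nft -c -f %s'` on the `Set up local firewall rules` template task so a syntactically broken services.nft is rejected before it lands in /etc/nftables.d, with the caveat that this only works if the fragment parses standalone — it may depend on tables declared in nftables.conf, which this diff does not show.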
@@ -76,28 +75,9 @@
     value: 'prohibit-password'
   notify: reload sshd
 
-- name: Set up generic firewall rules
-  copy:
-    dest: /etc/nftables.conf
-    src: nftables.conf
-  notify: reload nftables
-
-- name: Create nftables include directory
-  file:
-    path: /etc/nftables.d
-    state: directory
-
-- name: Set up local firewall rules
-  template:
-    dest: /etc/nftables.d/services.nft
-    src: services.nft.j2
-  notify: reload nftables
-
-- name: Enable firewall
-  service:
-    name: nftables
-    enabled: yes
-    state: started
+- name: Set up firewall
+  include_tasks: firewall.yml
+  when: is_virtual or cluster_type != 'proxmox' # proxmox has its own firewall configuration
 
 - name: Install automatic upgrade package
   package:
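Review bot: The new `when:` guard fails the host with an undefined-variable error whenever `is_virtual` is false and `cluster_type` is not set — presumably any physical host that is not a member of a NetBox cluster — because Jinja evaluates `cluster_type != 'proxmox'` on an undefined name. Defaulting it keeps the fail-safe direction (an unclassified host still gets the firewall): `when: is_virtual or (cluster_type | default('')) != 'proxmox'`. Separately, nothing in this change stops or disables the nftables unit that earlier runs of this role enabled on existing Proxmox hosts, so those hosts keep running the stale generic ruleset next to the Proxmox firewall until someone cleans it up by hand; a companion task that sets `service: name: nftables, enabled: false, state: stopped` under the inverse condition, or at least a line in the commit message saying the leftover service is intentional, would close that gap. The enclosing play continues outside the hunk.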