diff --git a/roles/modify-ipt-gateway-ro/tasks/main.yml b/roles/modify-ipt-gateway-ro/tasks/main.yml index bb023e7..55584c5 100644 --- a/roles/modify-ipt-gateway-ro/tasks/main.yml +++ b/roles/modify-ipt-gateway-ro/tasks/main.yml @@ -33,6 +33,21 @@ path: /ro/etc/ipt-firewall/main_ipv6.conf register: main_ipv6_exists +- name: Check if file '/ro/etc/ipt-firewall/interfaces_ipv4.conf' exists + stat: + path: /ro/etc/ipt-firewall/interfaces_ipv4.conf + register: interfaces_ipv4_exists + +- name: Check if file '/ro/etc/ipt-firewall/interfaces_ipv6.conf' exists + stat: + path: /ro/etc/ipt-firewall/interfaces_ipv6.conf + register: interfaces_ipv6_exists + + +# --- +# Adjust some lines +# --- + - name: addjust line 'jitsi_tcp_ports' (IPv4) lineinfile: path: /ro/etc/ipt-firewall/main_ipv4.conf 
@@ -239,6 +254,190 @@ - alfaview_video_conference_out_ipv6_present is changed +# --- +# WireGuard Service +# --- + +- name: Check if String 'local_wg_service..' (IPv4) is present + shell: grep -q -E "^local_wg_service=" /ro/etc/ipt-firewall/main_ipv4.conf + register: local_wg_service_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "local_wg_service_ipv4_present.rc > 1" + changed_when: "local_wg_service_ipv4_present.rc > 0" + +- name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (local_wg_service) + blockinfile: + path: /ro/etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*vpn_local_net_ports' + block: | + + # ====== + # - WireGuard Service + # ====== + + # - WireGuard Service on Gateway? + # - + local_wg_service=true + wg_gw_ports="$standard_wg_port" + + # - WireGuard Services DMZ (reachable also from WAN) + # - + # - wg_server_dmz_arr=[]= + # - + # - Note: + # - Each extern interface can have only one thuch service + # - + # - wg_server_dmz_arr[192.168.10.1]=$ext_if_dsl_2 + # - wg_server_dmz_arr[192.168.10.13]=$ext_if_dsl_1 + # - + # - Multiple settins of this parameter is possible + # - + declare -A wg_server_dmz_arr + + # - Local WireGuard Ports + # - + # - Blank separated list + # - + wg_local_net_ports="$standard_wg_port" + marker: "# Marker set by modify-ipt-gateway.yml (local_wg_service)" + when: + - main_ipv4_exists.stat.exists + - local_wg_service_ipv4_present is changed + +- name: Check if String 'local_wg_service..' 
(IPv6) is present + shell: grep -q -E "^local_wg_service=" /ro/etc/ipt-firewall/main_ipv6.conf + register: local_wg_service_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "local_wg_service_ipv6_present.rc > 1" + changed_when: "local_wg_service_ipv6_present.rc > 0" + +- name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (local_wg_service) + blockinfile: + path: /ro/etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*vpn_local_net_ports' + block: | + + # ====== + # - WireGuard Service + # ====== + + # - WireGuard Service on Gateway? + # - + local_wg_service=true + wg_gw_ports="$standard_wg_port" + + # - WireGuard Services DMZ (reachable also from WAN) + # - + # - wg_server_dmz_arr=[]= + # - + # - Note: + # - Each extern interface can have only one thuch service + # - + # - wg_server_dmz_arr[2001:6f8:107e:63::20]=$ext_if_dsl_2 + # - wg_server_dmz_arr[2001:6f8:107e:63::40]=$ext_if_dsl_1 + # - + # - Multiple settins of this parameter is possible + # - + declare -A wg_server_dmz_arr + + # - Local WireGuard Ports + # - + # - Blank separated list + # - + wg_local_net_ports="$standard_wg_port" + marker: "# Marker set by modify-ipt-gateway.yml (local_wg_service)" + when: + - main_ipv6_exists.stat.exists + - local_wg_service_ipv6_present is changed + + +- name: Check if String 'allow_wg_out..' 
(IPv4) is present + shell: grep -q -E "^allow_wg_out=" /ro/etc/ipt-firewall/main_ipv4.conf + register: allow_wg_out_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "allow_wg_out_ipv4_present.rc > 1" + changed_when: "allow_wg_out_ipv4_present.rc > 0" + +- name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (allow_wg_out) + blockinfile: + path: /ro/etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*vpn_out_ports' + block: | + # WireGuard + # + allow_wg_out=true + wg_out_ports="$standard_wg_port" + marker: "# Marker set by modify-ipt-gateway.yml (allow_wg_out)" + when: + - main_ipv4_exists.stat.exists + - allow_wg_out_ipv4_present is changed + +- name: Check if String 'allow_wg_out..' (IPv6) is present + shell: grep -q -E "^allow_wg_out=" /ro/etc/ipt-firewall/main_ipv6.conf + register: allow_wg_out_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "allow_wg_out_ipv6_present.rc > 1" + changed_when: "allow_wg_out_ipv6_present.rc > 0" + +- name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (allow_wg_out) + blockinfile: + path: /ro/etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*vpn_out_ports' + block: | + # WireGuard + # + allow_wg_out=true + wg_out_ports="$standard_wg_port" + marker: "# Marker set by modify-ipt-gateway.yml (allow_wg_out)" + when: + - main_ipv6_exists.stat.exists + - allow_wg_out_ipv6_present is changed + + +- name: Check if String 'wg_ifs..' 
(IPv4) is present + shell: grep -q -E "^wg_ifs=" /ro/etc/ipt-firewall/interfaces_ipv4.conf + register: wg_ifs_ipv4_present + when: interfaces_ipv4_exists.stat.exists + failed_when: "wg_ifs_ipv4_present.rc > 1" + changed_when: "wg_ifs_ipv4_present.rc > 0" + +- name: Adjust file '/ro/etc/ipt-firewall/interfaces_ipv4.conf' (wg_ifs) + blockinfile: + path: /ro/etc/ipt-firewall/interfaces_ipv4.conf + insertafter: '^#?\s*vpn_ifs' + block: | + # - WireGuard Interfaces + # - + # - (blank separated list) + # - + wg_ifs="wg+" + marker: "# Marker set by modify-ipt-gateway.yml (wg_ifs)" + when: + - interfaces_ipv4_exists.stat.exists + - wg_ifs_ipv4_present is changed + +- name: Check if String 'wg_ifs..' (IPv6) is present + shell: grep -q -E "^wg_ifs=" /ro/etc/ipt-firewall/interfaces_ipv6.conf + register: wg_ifs_ipv6_present + when: interfaces_ipv6_exists.stat.exists + failed_when: "wg_ifs_ipv6_present.rc > 1" + changed_when: "wg_ifs_ipv6_present.rc > 0" + +- name: Adjust file '/ro/etc/ipt-firewall/interfaces_ipv6.conf' (wg_ifs) + blockinfile: + path: /ro/etc/ipt-firewall/interfaces_ipv6.conf + insertafter: '^#?\s*vpn_ifs' + block: | + # - WireGuard Interfaces + # - + # - (blank separated list) + # - + wg_ifs="wg+" + marker: "# Marker set by modify-ipt-gateway.yml (wg_ifs)" + when: + - interfaces_ipv6_exists.stat.exists + - wg_ifs_ipv6_present is changed + # --- # Allow local services from ALL extern netwoks @@ -851,7 +1050,7 @@ # Remove Marker set by blockinfile # --- -- name: Remove marker IPv4 +- name: Remove marker IPv4 (main_ipv4.conf) replace : path: /ro/etc/ipt-firewall/main_ipv4.conf regexp: "^# Marker set by modify-ipt-gateway.yml.*$" @@ -862,7 +1061,7 @@ when: - main_ipv4_exists.stat.exists -- name: Remove marker IPv6 +- name: Remove marker IPv6 (main_ipv6.conf) replace : path: /ro/etc/ipt-firewall/main_ipv6.conf regexp: "^# Marker set by modify-ipt-gateway.yml.*$" 
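Review bot: The `block:` written by the `local_wg_service` and `allow_wg_out` tasks hard-codes `local_wg_service=true` and `allow_wg_out=true`, so the first run of this role switches on a WireGuard listener (`wg_gw_ports`, `wg_local_net_ports`) and outbound WireGuard on every gateway whose main_ipv4.conf/main_ipv6.conf lacks the key, with no opt-in from the inventory. I would drive the value from a role default that is off unless set, e.g. `local_wg_service={{ 'true' if ipt_local_wg_service | default(false) else 'false' }}` and the same for `allow_wg_out`, so opening a VPN service on a firewall is an explicit decision rather than a side effect of running the role. The block also uses `$standard_wg_port` without defining it and nothing in the hunk checks that the target file already sets it; if it does not, the port lists expand to empty strings, which is worth confirming against the existing config. Finally, the IPv6 example comment uses a real-looking global prefix (`2001:6f8:107e:63::20`); the documentation prefix `2001:db8::/32` is the conventional choice for examples, matching the private `192.168.10.x` addresses already used in the IPv4 comment.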
@@ -873,6 +1072,28 @@ when: - main_ipv6_exists.stat.exists +- name: Remove marker IPv4 (interfaces_ipv4.conf) + replace : + path: /ro/etc/ipt-firewall/interfaces_ipv4.conf + regexp: "^# Marker set by modify-ipt-gateway.yml.*$" + replace: "" + register: marker_ipv4_removed + #failed_when: "marker_ipv4_removed.rc > 1" + #changed_when: "marker_ipv4_removed.rc < 1" + when: + - interfaces_ipv4_exists.stat.exists + +- name: Remove marker IPv6 (interfaces_ipv6.conf) + replace : + path: /ro/etc/ipt-firewall/interfaces_ipv6.conf + regexp: "^# Marker set by modify-ipt-gateway.yml.*$" + replace: "" + register: marker_ipv6_removed + #failed_when: "marker_ipv6_removed.rc > 1" + #changed_when: "marker_ipv6_removed.rc < 1" + when: + - interfaces_ipv6_exists.stat.exists + # --- # Confiuration Files # --- diff --git a/roles/modify-ipt-gateway/tasks/main.yml b/roles/modify-ipt-gateway/tasks/main.yml index 80deece..bbe2c2a 100644 --- a/roles/modify-ipt-gateway/tasks/main.yml +++ b/roles/modify-ipt-gateway/tasks/main.yml @@ -29,6 +29,25 @@ notify: - Restart IPv6 Firewall +- name: Check if file '/etc/ipt-firewall/interfaces_ipv4.conf' exists + stat: + path: /etc/ipt-firewall/interfaces_ipv4.conf + register: interfaces_ipv4_exists + notify: + - Restart IPv4 Firewall + +- name: Check if file '/etc/ipt-firewall/interfaces_ipv6.conf' exists + stat: + path: /etc/ipt-firewall/interfaces_ipv6.conf + register: interfaces_ipv6_exists + notify: + - Restart IPv6 Firewall + + +# --- +# Adjust some lines +# --- + - name: addjust line 'jitsi_tcp_ports' (IPv4) lineinfile: path: /etc/ipt-firewall/main_ipv4.conf 
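Review bot: In the two new `Remove marker` tasks, `replace: ""` with a `^…$` regexp empties the marker line but does not delete it, so each inserted block leaves stray blank lines behind in interfaces_ipv4.conf/interfaces_ipv6.conf (two per block, since the marker has no `{mark}` placeholder and begin and end markers are therefore identical). The commented-out `failed_when`/`changed_when` lines also refer to `.rc`, which the `replace` module never returns, so they are dead code. `lineinfile` removes the whole line: `lineinfile:` / `path: /ro/etc/ipt-firewall/interfaces_ipv4.conf` / `regexp: '^# Marker set by modify-ipt-gateway\.yml'` / `state: absent`, with the dot escaped since the current pattern matches any character there.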
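Review bot: The `notify: - Restart IPv4 Firewall` / `- Restart IPv6 Firewall` on the two new `stat` tasks can never fire, because `stat` only reads the filesystem and never reports changed; this mirrors the existing stat tasks visible in the context above, but the lines are dead. The handler has to be notified from the tasks that actually rewrite /etc/ipt-firewall/*.conf (the `blockinfile`/`lineinfile` tasks further down the role), e.g. `notify: - Restart IPv4 Firewall` on each task touching main_ipv4.conf or interfaces_ipv4.conf. I cannot see whether a later task restarts the firewall unconditionally; if none does, the WireGuard rules this commit enables are written to disk but not loaded until the next restart.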
@@ -294,6 +313,191 @@ - alfaview_video_conference_out_ipv6_present is changed +# --- +# WireGuard Service +# --- + +- name: Check if String 'local_wg_service..' (IPv4) is present + shell: grep -q -E "^local_wg_service=" /etc/ipt-firewall/main_ipv4.conf + register: local_wg_service_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "local_wg_service_ipv4_present.rc > 1" + changed_when: "local_wg_service_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (local_wg_service) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*vpn_local_net_ports' + block: | + + # ====== + # - WireGuard Service + # ====== + + # - WireGuard Service on Gateway? + # - + local_wg_service=true + wg_gw_ports="$standard_wg_port" + + # - WireGuard Services DMZ (reachable also from WAN) + # - + # - wg_server_dmz_arr=[]= + # - + # - Note: + # - Each extern interface can have only one thuch service + # - + # - wg_server_dmz_arr[192.168.10.1]=$ext_if_dsl_2 + # - wg_server_dmz_arr[192.168.10.13]=$ext_if_dsl_1 + # - + # - Multiple settins of this parameter is possible + # - + declare -A wg_server_dmz_arr + + # - Local WireGuard Ports + # - + # - Blank separated list + # - + wg_local_net_ports="$standard_wg_port" + marker: "# Marker set by modify-ipt-gateway.yml (local_wg_service)" + when: + - main_ipv4_exists.stat.exists + - local_wg_service_ipv4_present is changed + +- name: Check if String 'local_wg_service..' 
(IPv6) is present + shell: grep -q -E "^local_wg_service=" /etc/ipt-firewall/main_ipv6.conf + register: local_wg_service_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "local_wg_service_ipv6_present.rc > 1" + changed_when: "local_wg_service_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (local_wg_service) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*vpn_local_net_ports' + block: | + + # ====== + # - WireGuard Service + # ====== + + # - WireGuard Service on Gateway? + # - + local_wg_service=true + wg_gw_ports="$standard_wg_port" + + # - WireGuard Services DMZ (reachable also from WAN) + # - + # - wg_server_dmz_arr=[]= + # - + # - Note: + # - Each extern interface can have only one thuch service + # - + # - wg_server_dmz_arr[2001:6f8:107e:63::20]=$ext_if_dsl_2 + # - wg_server_dmz_arr[2001:6f8:107e:63::40]=$ext_if_dsl_1 + # - + # - Multiple settins of this parameter is possible + # - + declare -A wg_server_dmz_arr + + # - Local WireGuard Ports + # - + # - Blank separated list + # - + wg_local_net_ports="$standard_wg_port" + marker: "# Marker set by modify-ipt-gateway.yml (local_wg_service)" + when: + - main_ipv6_exists.stat.exists + - local_wg_service_ipv6_present is changed + + +- name: Check if String 'allow_wg_out..' 
(IPv4) is present + shell: grep -q -E "^allow_wg_out=" /etc/ipt-firewall/main_ipv4.conf + register: allow_wg_out_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "allow_wg_out_ipv4_present.rc > 1" + changed_when: "allow_wg_out_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (allow_wg_out) + blockinfile: + path: /etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*vpn_out_ports' + block: | + # WireGuard + # + allow_wg_out=true + wg_out_ports="$standard_wg_port" + marker: "# Marker set by modify-ipt-gateway.yml (allow_wg_out)" + when: + - main_ipv4_exists.stat.exists + - allow_wg_out_ipv4_present is changed + +- name: Check if String 'allow_wg_out..' (IPv6) is present + shell: grep -q -E "^allow_wg_out=" /etc/ipt-firewall/main_ipv6.conf + register: allow_wg_out_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "allow_wg_out_ipv6_present.rc > 1" + changed_when: "allow_wg_out_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (allow_wg_out) + blockinfile: + path: /etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*vpn_out_ports' + block: | + # WireGuard + # + allow_wg_out=true + wg_out_ports="$standard_wg_port" + marker: "# Marker set by modify-ipt-gateway.yml (allow_wg_out)" + when: + - main_ipv6_exists.stat.exists + - allow_wg_out_ipv6_present is changed + + +- name: Check if String 'wg_ifs..' 
(IPv4) is present + shell: grep -q -E "^wg_ifs=" /etc/ipt-firewall/interfaces_ipv4.conf + register: wg_ifs_ipv4_present + when: interfaces_ipv4_exists.stat.exists + failed_when: "wg_ifs_ipv4_present.rc > 1" + changed_when: "wg_ifs_ipv4_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/interfaces_ipv4.conf' (wg_ifs) + blockinfile: + path: /etc/ipt-firewall/interfaces_ipv4.conf + insertafter: '^#?\s*vpn_ifs' + block: | + # - WireGuard Interfaces + # - + # - (blank separated list) + # - + wg_ifs="wg+" + marker: "# Marker set by modify-ipt-gateway.yml (wg_ifs)" + when: + - interfaces_ipv4_exists.stat.exists + - wg_ifs_ipv4_present is changed + +- name: Check if String 'wg_ifs..' (IPv6) is present + shell: grep -q -E "^wg_ifs=" /etc/ipt-firewall/interfaces_ipv6.conf + register: wg_ifs_ipv6_present + when: interfaces_ipv6_exists.stat.exists + failed_when: "wg_ifs_ipv6_present.rc > 1" + changed_when: "wg_ifs_ipv6_present.rc > 0" + +- name: Adjust file '/etc/ipt-firewall/interfaces_ipv6.conf' (wg_ifs) + blockinfile: + path: /etc/ipt-firewall/interfaces_ipv6.conf + insertafter: '^#?\s*vpn_ifs' + block: | + # - WireGuard Interfaces + # - + # - (blank separated list) + # - + wg_ifs="wg+" + marker: "# Marker set by modify-ipt-gateway.yml (wg_ifs)" + when: + - interfaces_ipv6_exists.stat.exists + - wg_ifs_ipv6_present is changed + + # --- # Allow local services from ALL extern netwoks # --- @@ -982,7 +1186,7 @@ # Remove Marker set by blockinfile # --- -- name: Remove marker IPv4 +- name: Remove marker IPv4 (main_ipv4.conf) replace : path: /etc/ipt-firewall/main_ipv4.conf regexp: "^# Marker set by modify-ipt-gateway.yml.*$" @@ -993,7 +1197,7 @@ when: - main_ipv4_exists.stat.exists -- name: Remove marker IPv6 +- name: Remove marker IPv6 (main_ipv6.conf) replace : path: /etc/ipt-firewall/main_ipv6.conf regexp: "^# Marker set by modify-ipt-gateway.yml.*$" 
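Review bot: The `blockinfile` tasks that write `local_wg_service=true`, `allow_wg_out=true` and `wg_ifs="wg+"` carry no `notify`, unlike the `stat` tasks at the top of this role, so as far as this hunk shows the new WireGuard policy lands in the config files while the running firewall is not reloaded; each of them should get `notify: - Restart IPv4 Firewall` (or the IPv6 handler) unless a later task restarts the firewall regardless. The twelve grep checks use `shell:` for a plain `grep -q -E "^key=" file` with no pipes, redirects or variables, so `command:` is the right module, and `changed_when: "…_present.rc > 0"` makes a variable named `*_present` report changed exactly when the key is absent. Clearer is `changed_when: false` on the grep and `- (local_wg_service_ipv4_present.rc | default(0)) == 1` in the blockinfile's `when:`, which reads as what it tests. The hard-coded `true` defaults and the `2001:6f8:107e:63::` example prefix in the comment also deserve the same treatment as in the `-ro` role: a role default that is off unless set, and the `2001:db8::/32` documentation prefix for examples.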
@@ -1004,6 +1208,28 @@ when: - main_ipv6_exists.stat.exists +- name: Remove marker IPv4 (interfaces_ipv4.conf) + replace : + path: /etc/ipt-firewall/interfaces_ipv4.conf + regexp: "^# Marker set by modify-ipt-gateway.yml.*$" + replace: "" + register: marker_ipv4_removed + #failed_when: "marker_ipv4_removed.rc > 1" + #changed_when: "marker_ipv4_removed.rc < 1" + when: + - interfaces_ipv4_exists.stat.exists + +- name: Remove marker IPv6 (interfaces_ipv6.conf) + replace : + path: /etc/ipt-firewall/interfaces_ipv6.conf + regexp: "^# Marker set by modify-ipt-gateway.yml.*$" + replace: "" + register: marker_ipv6_removed + #failed_when: "marker_ipv6_removed.rc > 1" + #changed_when: "marker_ipv6_removed.rc < 1" + when: + - interfaces_ipv6_exists.stat.exists + # --- # Confiuration Files # ---
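Review bot: `replace: ""` in the two new marker-removal tasks blanks the marker line but leaves the empty line in interfaces_ipv4.conf/interfaces_ipv6.conf, and because the marker has no `{mark}` placeholder the begin and end markers are identical, so two blank lines remain per inserted block. `lineinfile` drops the line entirely: `lineinfile:` / `path: /etc/ipt-firewall/interfaces_ipv4.conf` / `regexp: '^# Marker set by modify-ipt-gateway\.yml'` / `state: absent`. The register names `marker_ipv4_removed`/`marker_ipv6_removed` look like the ones the main_ipv4.conf/main_ipv6.conf tasks above would use (their `register:` lines are outside the hunk); if so the second task overwrites the first's result, and since nothing in the hunk reads them, the `register:` lines can go together with the commented-out `failed_when`/`changed_when` that reference an `.rc` the `replace` module does not return.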