From f765345da3d4288a3337b282085e21075b89d042 Mon Sep 17 00:00:00 2001
From: transcaffeine
Date: Mon, 29 Dec 2025 17:16:09 +0100
Subject: [PATCH] feat(playbooks/docker_shorewall): add playbook

---
playbooks/docker_shorewall.yml | 54 ++++++++++++++++++++++++++++++++++
1 file changed, 54 insertions(+)
create mode 100644 playbooks/docker_shorewall.yml

diff --git a/playbooks/docker_shorewall.yml b/playbooks/docker_shorewall.yml
new file mode 100644
index 0000000..6cbd864
--- /dev/null
+++ b/playbooks/docker_shorewall.yml
@@ -0,0 +1,54 @@
+---
+- name: Configure shorewall for docker egress
+ hosts: "{{ docker_shorewall_hosts | default('docker:&shorewall') }}"
+ become: "{{ docker_shorewall_become | default(true, true) }}"
+ tasks:
+ - name: Add docker interface
+ ansible.builtin.lineinfile:
+ path: /etc/shorewall/interfaces
+ regex: "^dock"
+ line: |
+ dock docker0 bridge
+ - name: Add docker routing policy
+ ansible.builtin.blockinfile:
+ path: /etc/shorewall/policy
+ insertbefore: "^# THE FOLLOWING POLICY MUST BE LAST"
+ content: |
+ # Docker specific configuration
+ dock all ACCEPT
+ - name: Add docker zone
+ ansible.builtin.lineinfile:
+ path: /etc/shorewall/zones
+ regex: "^dock"
+ line: |
+ dock ipv4
+ - name: Add docker egress rules
+ ansible.builtin.blockinfile:
+ path: /etc/shorewall/rules
+ marker: "#{mark} ANSIBLE MANAGED BLOCK - DOCKER EGRESS"
+ content: |
+ #
+ # Docker egress configuration
+ #
+ ACCEPT dock all
+ - name: Add docker dns rules
+ ansible.builtin.blockinfile:
+ path: /etc/shorewall/rules
+ marker: "#{mark} ANSIBLE MANAGED BLOCK - DOCKER DNS"
+ content: |
+ #
+ # Docker dns configuration
+ #
+ DNS(ACCEPT) dock all
+ - name: Enable shorewall docker support
+ ansible.builtin.lineinfile:
+ path: /etc/shorewall/shorewall.conf
+ line: "DOCKER=Yes"
+ regex: "^DOCKER="
+ - name: Ensure shorewall reloaded
+ community.general.systemd_service:
+ service: "{{ item }}"
+ state: reloaded
+ loop:
+ - shorewall.service
+ - shorewall6.service
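Review bot: The policy line `dock all ACCEPT` (and the matching `ACCEPT dock all` rule in the egress block) grants containers unrestricted access to every zone on the host — `all` includes `$FW` and any other zones defined there, not only the Internet egress the play's name describes; narrowing to `dock net ACCEPT` / `ACCEPT dock net` and adding explicit rules for anything else containers genuinely need keeps the firewall to least privilege, and it also gives the `DNS(ACCEPT) dock all` block a purpose instead of being shadowed by the blanket accept. The last task reloads both units on every run regardless of whether any earlier task changed a file; a `notify`/handler pair, or a `when:` on registered results, would keep the play idempotent, and the reload of `shorewall6.service` will presumably fail on hosts where the IPv6 variant is not installed (only an `ipv4` zone is added). The module name `community.general.systemd_service` looks wrong — the systemd module lives in `ansible.builtin` (`ansible.builtin.systemd_service`). The `line: |` block scalars on the two lineinfile tasks carry a trailing newline; `line: |-` avoids relying on the module to strip it.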