ansible/roles/server/tasks/router.yaml


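---
# Turns this host into a NAT router between "{{ router_if }}" and wlo1 and
# makes it the DHCP/DNS server for the attached network via dnsmasq.
#
# Interface roles follow the reference iptables commands kept above each
# rule (eth0 corresponds to "{{ router_if }}", eth1 to wlo1): "{{ router_if }}"
# is the masqueraded uplink and wlo1 is the side whose hosts initiate
# connections. NOTE(review): that mapping is inferred from the comments;
# confirm it against the netplan and dnsmasq templates (not visible here).
#
# NOTE(review): the iptables rules are not persisted (no iptables-persistent
# / netfilter-persistent task) and no default FORWARD policy is set, so the
# ruleset is lost on reboot and transit traffic not matched by the rules
# below falls through to the kernel's default FORWARD policy.

- name: set up IPv4 forwarding
  become: true
  ansible.posix.sysctl:
    name: net.ipv4.ip_forward
    value: "1"
    sysctl_set: true
    state: present
    reload: true

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# POSTROUTING can only match on the outgoing interface; iptables rejects
# "-i" in that chain, so the previous in_interface form failed at runtime.
- name: set up NAT table
  become: true
  ansible.builtin.iptables:
    table: nat
    chain: POSTROUTING
    out_interface: "{{ router_if }}"
    jump: MASQUERADE

# iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Only reply traffic is let back in from the uplink side.
- name: set up forwarding from {{ router_if }} to wlo1
  become: true
  ansible.builtin.iptables:
    chain: FORWARD
    in_interface: "{{ router_if }}"
    out_interface: wlo1
    ctstate:
      - ESTABLISHED
      - RELATED
    jump: ACCEPT

# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# Opposite direction of the rule above, as in the reference command; the
# previous task repeated the same direction, which made it redundant and
# never accepted connections originating on wlo1.
- name: set up forwarding from wlo1 to {{ router_if }}
  become: true
  ansible.builtin.iptables:
    chain: FORWARD
    in_interface: wlo1
    out_interface: "{{ router_if }}"
    jump: ACCEPT

- name: copy hosts
  become: true
  ansible.builtin.copy:
    src: "{{ role_path }}/files/hosts"
    dest: /etc/hosts
    # Quoted so the octal mode is not parsed as the decimal integer 420.
    mode: "0644"
    owner: root
    group: root

- name: set up netplan for {{ router_if }}
  become: true
  ansible.builtin.template:
    src: "{{ role_path }}/files/20-router.yaml.j2"
    dest: "/etc/netplan/20-router-{{ router_if }}.yaml"
    # Root-only: netplan warns about world-readable configuration files.
    mode: "0600"
    owner: root
    group: root
  register: router_netplan

# Only re-apply when the rendered file actually changed; an unconditional
# command task reports "changed" on every run.
- name: apply netplan
  become: true
  ansible.builtin.command:
    cmd: netplan apply
  when: router_netplan is changed

# Install before rendering the config (so the package's own
# /etc/dnsmasq.conf cannot supersede it) and while systemd-resolved is
# still running, since apt needs a working resolver.
- name: install dnsmasq
  become: true
  ansible.builtin.apt:
    name: dnsmasq
    state: present

- name: copy dnsmasq.conf
  become: true
  ansible.builtin.template:
    src: "{{ role_path }}/files/dnsmasq.conf.j2"
    dest: /etc/dnsmasq.conf
    mode: "0644"
    owner: root
    group: root
  register: router_dnsmasq_conf

# systemd-resolved listens on port 53 and must be gone before dnsmasq
# starts. NOTE(review): if /etc/resolv.conf still points at the
# 127.0.0.53 stub after this, the host has no resolver until dnsmasq is up
# with upstream servers configured; confirm the dnsmasq.conf template
# covers that.
- name: disable systemd-resolved
  become: true
  ansible.builtin.service:
    name: systemd-resolved
    enabled: false
    state: stopped

# Restart only when the config changed; otherwise just ensure it runs.
- name: enable dnsmasq
  become: true
  ansible.builtin.service:
    name: dnsmasq
    enabled: true
    state: "{{ 'restarted' if router_dnsmasq_conf is changed else 'started' }}"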