d93a661ae4
It's the only part of base that's important to run when we run a service. Run it in the service playbooks and get rid of the dependency on infra-prod-base. Continue running it in base so that new nodes are brought up with iptables in place. Bump the timeout for the mirror job, because the iptables addition seems to have just bumped it over the edge. Change-Id: I4608216f7a59cfa96d3bdb191edd9bc7bb9cca39
# Load the variables file for this distribution. Candidate file names come
# from `distro_lookup_path` and are looked up under `vars`.
# first_found is called without errors='ignore', so the task fails when none
# of the candidates exists.
# NOTE(review): the later tasks read package_name, rules_dir, ipv4_rules,
# ipv6_rules and service_name; presumably they are defined by the file loaded
# here. Confirm against the role's vars.
- name: Include OS-specific variables
  vars:
    params:
      paths:
        - vars
      files: "{{ distro_lookup_path }}"
  include_vars: "{{ lookup('first_found', params) }}"

# Make sure the distribution's iptables package is installed. The package
# name is taken from `package_name`.
- name: Install iptables
  package:
    state: present
    name: "{{ package_name }}"

# Create the directory that holds the rules files if it does not exist yet.
# NOTE(review): no owner, group or mode is set here, so a newly created
# directory gets the defaults of the connecting user and umask. Confirm that
# is intended for a directory holding firewall rules.
- name: Ensure iptables rules directory
  file:
    path: "{{ rules_dir }}"
    state: directory

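# Render the IPv4 ruleset from rules.v4.j2 to `ipv4_rules`. The file is owned
# by root:root and is not world-readable. A change to the file notifies the
# `Reload iptables` handler.
# NOTE(review): no `validate:` is set on this template, so a malformed
# ruleset would presumably first surface when the handler reloads it.
# Consider checking the rendered file before it replaces the live one.
- name: Install IPv4 rules files
  template:
    src: rules.v4.j2
    dest: '{{ ipv4_rules }}'
    owner: root
    group: root
    # Quoted so the mode reaches Ansible as the string '0640' and does not
    # depend on how the YAML parser reads a leading-zero integer.
    mode: '0640'
    # Pass an SELinux type only when `setype` is defined; otherwise the
    # parameter is omitted.
    setype: '{{ setype | default(omit) }}'
  notify:
    - Reload iptables
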
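# Render the IPv6 ruleset from rules.v6.j2 to `ipv6_rules`. The file is owned
# by root:root and is not world-readable. A change to the file notifies the
# `Reload iptables` handler.
# NOTE(review): no `validate:` is set on this template, so a malformed
# ruleset would presumably first surface when the handler reloads it.
# Consider checking the rendered file before it replaces the live one.
- name: Install IPv6 rules files
  template:
    src: rules.v6.j2
    dest: '{{ ipv6_rules }}'
    owner: root
    group: root
    # Quoted so the mode reaches Ansible as the string '0640' and does not
    # depend on how the YAML parser reads a leading-zero integer.
    mode: '0640'
    # Pass an SELinux type only when `setype` is defined; otherwise the
    # parameter is omitted.
    setype: '{{ setype | default(omit) }}'
  notify:
    - Reload iptables
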
# Include the per-distribution task file, if there is one. query() returns a
# list and errors='ignore' makes it empty when no candidate from
# `distro_lookup_path` is found, so the loop then runs zero times and the
# task does not fail.
- name: Include OS specific tasks
  vars:
    params:
      files: "{{ distro_lookup_path }}"
  loop: "{{ query('first_found', params, errors='ignore') }}"
  include_tasks: "{{ item }}"

# Enable the firewall service, named by `service_name`, so that it comes up
# at boot.
# Only `enabled` is set; no `state` is given, so this task does not start the
# service by itself.
# NOTE(review): presumably the `Reload iptables` handler or the OS-specific
# tasks load the rules on a first run. Confirm that a fresh node is not left
# without an active ruleset until the next reboot.
- name: Enable iptables service
  service:
    enabled: true
    name: "{{ service_name }}"