authorheqnx <root@heqnx.com>2025-06-27 14:36:04 +0300
committerheqnx <root@heqnx.com>2025-06-27 14:36:04 +0300
commitcb3dc22df728272ad05de3684eb8dc672654a05e (patch)
tree4c3ddd6505b82d4559ced35232e3ea028b70da1d /tasks/dnsmasq_setup.yaml
parent12756a89c2089f696c9e05bf8c95a093e25521a4 (diff)
added conditional dnsmasq setup for vmbr1 and ufw filter rules; fixed a couple of issues by removing /etc/pve/priv, no need for modifying it
Diffstat (limited to 'tasks/dnsmasq_setup.yaml')
-rw-r--r--tasks/dnsmasq_setup.yaml57
1 files changed, 57 insertions, 0 deletions
diff --git a/tasks/dnsmasq_setup.yaml b/tasks/dnsmasq_setup.yaml
new file mode 100644
index 0000000..a5863ba
--- /dev/null
+++ b/tasks/dnsmasq_setup.yaml
@@ -0,0 +1,57 @@
+- name: configure and enable dnsmasq if enabled
+ when: enable_dnsmasq | bool
+ block:
+ - name: install dnsmasq
+ apt:
+ name: dnsmasq
+ state: present
+ update_cache: true
+
+ - name: remove existing /etc/dnsmasq.d directory and all contents
+ file:
+ path: /etc/dnsmasq.d
+ state: absent
+
+ - name: recreate empty /etc/dnsmasq.d directory
+ file:
+ path: /etc/dnsmasq.d
+ state: directory
+ owner: root
+ group: root
+ mode: '0755'
+
+ - name: deploy dnsmasq config from template
+ template:
+ src: vmbr1.conf.j2
+ dest: /etc/dnsmasq.d/vmbr1.conf
+ owner: root
+ group: root
+ mode: '0644'
+
+ - name: ensure dnsmasq group exists
+ group:
+ name: dnsmasq
+ system: yes
+
+ - name: ensure dnsmasq user exists
+ user:
+ name: dnsmasq
+ group: dnsmasq
+ system: yes
+ create_home: no
+
+ - name: insert dhcp allow rules for vmbr1 into /etc/ufw/before.rules
+ blockinfile:
+ path: /etc/ufw/before.rules
+ block: |
+ -A ufw-before-input -i vmbr1 -p udp --dport 67 -j ACCEPT
+ -A ufw-before-output -o vmbr1 -p udp --sport 67 -j ACCEPT
+ marker: "# {mark} ANSIBLE MANAGED DHCP VMBR1 ALLOW RULES"
+ insertafter: '^# End required lines'
+
+ - name: enable and restart dnsmasq service
+ systemd:
+ name: dnsmasq
+ enabled: true
+ state: restarted
+ when: ansible_service_mgr == 'systemd'
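Review bot: The blockinfile task that inserts the DHCP rules into /etc/ufw/before.rules changes the firewall policy but nothing in this file reloads ufw, so the new ACCEPT rules only take effect on the next manual `ufw reload` or reboot; the task should carry `notify: reload ufw` with a handler running `ufw reload` (or an equivalent follow-up task), unless a handler outside this file already does it. Related, `insertafter: '^# End required lines'` falls back to appending at end of file when the anchor line is missing, which in before.rules would place the rules after `COMMIT` and make ufw fail to load its ruleset, so either assert the anchor exists first or fail explicitly when it is absent. As a point of style, the group and user tasks use `system: yes` and `create_home: no` while the rest of the file uses `true`/`false` (`update_cache: true`, `enabled: true`); `system: true` / `create_home: false` keeps the file consistent and avoids the YAML 1.1 truthy forms. The rendered page has lost the task indentation, so nesting inside the `block:` could not be verified here.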