authorheqnx <root@heqnx.com>2025-06-24 10:29:19 +0300
committerheqnx <root@heqnx.com>2025-06-24 10:29:19 +0300
commitba4199955a0d9b273299649b67f9592b27d00617 (patch)
tree8a5c7547dbfe7cacd98e7e07ac5aa4e368be4195 /tasks/pve_configure.yaml
parent4d996aff99c9c31ed66f82afb11c74569ccc6763 (diff)
added working wg setup + internal access
Diffstat (limited to 'tasks/pve_configure.yaml')
-rw-r--r--tasks/pve_configure.yaml24
1 files changed, 23 insertions, 1 deletions
diff --git a/tasks/pve_configure.yaml b/tasks/pve_configure.yaml
index 0f769e8..757c7b4 100644
--- a/tasks/pve_configure.yaml
+++ b/tasks/pve_configure.yaml
@@ -32,10 +32,17 @@
block: |
*nat
:POSTROUTING ACCEPT [0:0]
- -A POSTROUTING -s {{ nat_subnet }} -o {{ public_interface }} -j MASQUERADE
+ -A POSTROUTING -s {{ nat_subnet }} -o vmbr0 -j MASQUERADE
COMMIT
marker: "# {mark} ANSIBLE MANAGED NAT MASQUERADE RULE"
+- name: set DEFAULT_FORWARD_POLICY to ACCEPT
+ lineinfile:
+ path: /etc/default/ufw
+ regexp: '^DEFAULT_FORWARD_POLICY='
+ line: 'DEFAULT_FORWARD_POLICY="ACCEPT"'
+ backrefs: yes
+
- name: enable ipv4 forwarding persistently
sysctl:
name: net.ipv4.ip_forward
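Review bot: `backrefs: yes` on the new lineinfile task changes its semantics: with backrefs enabled Ansible only rewrites a line that already matches `^DEFAULT_FORWARD_POLICY=` and silently adds nothing when that line is absent from /etc/default/ufw, and the replacement line uses no capture groups, so the option buys nothing; drop it, or at minimum spell it `backrefs: true` rather than the YAML 1.1 truthy `yes`. Setting the default forward policy to ACCEPT stops filtering every forwarded packet on every interface, not only traffic from `{{ nat_subnet }}` leaving vmbr0; a scoped `ufw route allow` rule (in/out interface plus source subnet) keeps the default at DROP and limits what the MASQUERADE rule exposes. The edit to /etc/default/ufw takes effect only once ufw is reloaded, and nothing in this hunk notifies a handler, so presumably a `notify: reload ufw` (or an explicit reload task) is needed unless one exists elsewhere in the playbook. Replacing `{{ public_interface }}` with the literal `vmbr0` removes the knob the MASQUERADE rule had; if the bridge name is fixed on every host that is fine, otherwise keep the variable and default it to vmbr0. The sysctl task at the end of the hunk continues outside it.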
@@ -58,6 +65,21 @@
enabled: true
when: ansible_service_mgr == 'systemd'
+- name: allow pve port
+ ufw:
+ rule: allow
+ port: 8006
+ proto: tcp
+
+- name: deploy static /etc/resolv.conf
+ copy:
+ src: files/resolv.conf
+ dest: /etc/resolv.conf
+ mode: '0644'
+
+- name: make /etc/resolv.conf immutable with chattr
+ command: chattr +i /etc/resolv.conf
+
- name: generate secure 32-character password
set_fact:
pve_admin_user: "pveadmin@pve"