ansible/group_vars/isp/firewall.yml

---
firewall__zones:
  internet:
    negate: true
    addrs:
      - 2a09:6840::/32
      - 2a09:6841::/32
      - 2a09:6842::/32
      - 45.66.108.0/22
      - 10.0.0.0/8
      - 100.64.0.0/10
  clients:
    addrs:
      - 100.64.0.0/10
  non_clients:
    negate: true
    zones: clients
  allowed_clients:
    file:
      path: /var/run/firewall/allowed_clients.yml
      default: []

firewall__input:
  - verdict: accept

firewall__output:
  - verdict: accept

firewall__forward:
  - src: allowed_clients
    dst: non_clients
    verdict: accept

firewall__nat:
  - src: clients
    dst: internet
    protocols: null
    snat:
      addr: 45.66.111.220
...
misc: move variables to {host,group}_vars 2023-09-17 20:32:05 +02:00			`---`
			`firewall__zones:`
			`internet:`
			`negate: true`
			`addrs:`
			`- 2a09:6840::/32`
			`- 2a09:6841::/32`
			`- 2a09:6842::/32`
			`- 45.66.108.0/22`
			`- 10.0.0.0/8`
			`- 100.64.0.0/10`
			`clients:`
			`addrs:`
			`- 100.64.0.0/10`
			`non_clients:`
			`negate: true`
			`zones: clients`
			`allowed_clients:`
			`file:`
			`path: /var/run/firewall/allowed_clients.yml`
			`default: []`

			`firewall__input:`
			`- verdict: accept`

			`firewall__output:`
			`- verdict: accept`

			`firewall__forward:`
			`- src: allowed_clients`
			`dst: non_clients`
			`verdict: accept`

			`firewall__nat:`
			`- src: clients`
			`dst: internet`
			`protocols: null`
			`snat:`
			`addr: 45.66.111.220`
			`...`