iptables moved to the vpn role #61

roles/security/handlers/main.yml

@@ -1,8 +1,5 @@
 - name: restart ssh
   service: name=ssh state=restarted
 
-- name: restart iptables
-  service: name=netfilter-persistent state=restarted
-
 - name: flush routing cache
   shell: echo 1 > /proc/sys/net/ipv4/route/flush

roles/security/tasks/main.yml

@@ -88,14 +88,6 @@
 - name: Do not send ICMP redirects (we are not a router)
   sysctl: name=net.ipv4.conf.all.send_redirects value=0
 
-- name: Iptables configured
-  template: src="{{ item.src }}" dest="{{ item.dest }}" owner=root group=root mode=0640
-  with_items:
-    - { src: rules.v4.j2, dest: /etc/iptables/rules.v4 }
-    - { src: rules.v6.j2, dest: /etc/iptables/rules.v6 }
-  notify:
-    - restart iptables
-
 - name: SSH config
   template: src=sshd_config.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0644
   notify:

roles/vpn/handlers/main.yml

@@ -6,13 +6,13 @@
 
 - name: restart apparmor
   service: name=apparmor state=restarted
-  
-- name: save iptables
-  shell: service netfilter-persistent save
 
 - name: save iptables
   shell: service netfilter-persistent save
 
+- name: restart iptables
+  service: name=netfilter-persistent state=restarted
+
 - name: congrats
   debug:
     msg:

roles/vpn/tasks/iptables.yml

@@ -0,0 +1,9 @@
+---
+
+- name: Iptables configured
+  template: src="{{ item.src }}" dest="{{ item.dest }}" owner=root group=root mode=0640
+  with_items:
+    - { src: rules.v4.j2, dest: /etc/iptables/rules.v4 }
+    - { src: rules.v6.j2, dest: /etc/iptables/rules.v6 }
+  notify:
+    - restart iptables

roles/vpn/tasks/main.yml

@@ -191,3 +191,7 @@
   fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=configs/{{ IP_subject_alt_name }}_ca.crt flat=yes
   notify:
     - congrats
+
+- include: iptables.yml
+  tags: iptables
+