`nft -c` rejects `iif "wt0"` when the interface is absent (in a container, or on any host before NetBird has created it), because `iif` is resolved to an interface index at rule-load time; `iifname` matches by name and is robust to wt0 coming and going. Drop the `ansible_host` fixture override (the docker connection uses it as the container name) — molecule covers zone resolution, pytest covers service → IP.
---
# Molecule converge play for the `base` role.
#
# The firewall inputs below are synthetic test fixtures: the zone CIDRs and
# service ports do not need to match any real deployment, only to give the
# role something to resolve (`from: <zone>` -> CIDR) and render.
- name: Converge
  hosts: all
  gather_facts: true
  become: true
  vars:
    # Do not load the generated ruleset on the test host; the role is
    # exercised without applying it (NOTE(review): confirm in the role that
    # this flag skips only the apply step and nothing else).
    base__firewall_apply: false

    # Zone name -> CIDR. These names are what `from:` in firewall_catalog
    # refers to.
    firewall_zones:
      lan: 10.30.0.0/24
      srv: 10.20.0.0/24
      mgmt: 10.10.0.0/24

    # Services to expose, keyed by service name. `host` names the play host
    # each service lives on — every fixture here lives on `instance`
    # (presumably the molecule test instance; verify against molecule.yml).
    firewall_catalog:
      reverse_proxy:
        host: instance
        ingress:
          - from: lan
            port: 443
            proto: tcp
      photoprism:
        host: instance
        ingress:
          - from: srv
            port: 2342
            proto: tcp

  roles:
    - role: base