refactor(security): reworked firewall configuration and added support for DNS, HTTP and ICMP rules; added autoconf for resolv.conf to match FW rules

inventory/group_vars/all.yml

@@ -1,2 +0,0 @@
-custom_base_user_account: '{{ vault_custom_base_user_account }}'
-custom_github_token: '{{ vault_custom_github_token }}'

inventory/group_vars/all/vars.yml

@@ -0,0 +1,9 @@
+custom_base_user_account: '{{ vault_custom_base_user_account }}'
+custom_github_token: '{{ vault_custom_github_token }}'
+dns:
+  type: "dot"
+  udp: '{{ vault_groups.defaults.udp }}'
+  dot: '{{ vault_groups.defaults.dot }}'
+  doh: '{{ vault_groups.defaults.doh }}'
+network: "external"
+ip_dualstack: true

inventory/host_vars/actinium/vars.yml

@@ -0,0 +1,15 @@
+ansible_become_password: "{{ vault_root_pass }}"
+ansible_host: "{{ vault_ansible_host }}"
+ansible_user: "{{ vault_ssh_user }}"
+
+custom_security:
+  firewall:
+    mangle:
+      drop_privatenets: false
+      policy:
+        forward: accept
+dns:
+  type: "udp"
+  udp: "{{ vault_groups.network.internal }}"
+network: "internal"
+ip_dualstack: false

inventory/host_vars/lithium/vars.yml

@@ -1,3 +1,5 @@
 ansible_become_password: "{{ vault_root_pass }}"
 ansible_host: "{{ vault_ansible_host }}"
 ansible_user: "{{ vault_ssh_user }}"
+network: "external"
+ip_dualstack: true

inventory/host_vars/unobtainium/vars.yml

@@ -32,3 +32,11 @@ custom_security:
       drop_privatenets: false
       policy:
         forward: accept
+
+dns:
+  type: "udp"
+  udp:
+    dns4: "{{ vault_groups.network.internal.dns4 }}"
+    dns6: "{{ vault_groups.network.internal.dns6 }}"
+network: "internal"
+ip_dualstack: false

inventory/vault.yml.dist

@@ -1,3 +0,0 @@
-vault_custom_base_user_account: ""
-vault_custom_github_token: ""
-vault_custom_dockerhub_password: ""