damex.incus.incus_network_acls role – Ensure Incus network ACLs.

Note

This role is part of the damex.incus collection (version 1.9.0).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it use: ansible-galaxy collection install damex.incus.

To use it in a playbook, specify: damex.incus.incus_network_acls.

Entry point main – Ensure Incus network ACLs.

Synopsis

  • Ensure Incus network ACLs.

Parameters

Parameter (type): Comments

incus_network_acls (list / elements=dictionary): List of Incus network ACLs to ensure.
  config (dictionary): ACL configuration key-value pairs (user.* keys only).
  description (string): Description of the network ACL.
  egress (list / elements=dictionary): List of egress (outbound) traffic rules.
    action (string / required): Action to perform on rule match. Choices: "allow", "allow-stateless", "reject", "drop".
    description (string): Description of the rule.
    destination (string): Destination address (CIDR, IP range, or selector).
    destination_port (string): Destination port or port range for TCP/UDP.
    icmp_code (string): ICMP code number.
    icmp_type (string): ICMP type number.
    protocol (string): Network protocol to match. Choices: "icmp4", "icmp6", "tcp", "udp".
    source (string): Source address (CIDR, IP range, or selector).
    source_port (string): Source port or port range for TCP/UDP.
    state (string): State of the rule. Choices: "enabled", "disabled", "logged".
  ingress (list / elements=dictionary): List of ingress (inbound) traffic rules.
    action (string / required): Action to perform on rule match. Choices: "allow", "allow-stateless", "reject", "drop".
    description (string): Description of the rule.
    destination (string): Destination address (CIDR, IP range, or selector).
    destination_port (string): Destination port or port range for TCP/UDP.
    icmp_code (string): ICMP code number.
    icmp_type (string): ICMP type number.
    protocol (string): Network protocol to match. Choices: "icmp4", "icmp6", "tcp", "udp".
    source (string): Source address (CIDR, IP range, or selector).
    source_port (string): Source port or port range for TCP/UDP.
    state (string): State of the rule. Choices: "enabled", "disabled", "logged".
  name (string / required): Name of the network ACL.
  project (string): Incus project for the network ACL.
  state (string): Desired state of the network ACL. Choices: "present", "absent".

incus_network_acls_client_cert (string): Client certificate content for API authentication.

incus_network_acls_client_cert_path (path): Path to the TLS client certificate for API authentication.

incus_network_acls_client_key (string): Client key content for API authentication.

incus_network_acls_client_key_path (path): Path to the TLS client key for API authentication.

incus_network_acls_project (string): Default Incus project for network ACLs.

incus_network_acls_server_cert (string): Server certificate content for API verification.

incus_network_acls_server_cert_path (path): Path to the TLS server certificate for API verification.

incus_network_acls_socket_path (path): Path to the Incus Unix socket.

incus_network_acls_state (string): Default desired state of the network ACLs. Choices: "present", "absent".

incus_network_acls_token (string): Authentication token for the Incus API.

incus_network_acls_url (string): URL of the Incus server API.

incus_network_acls_validate_certs (boolean): Whether to validate TLS certificates. Choices: false, true.

Examples

- name: Ensure incus network acls
  hosts: incus
  tasks:
    - name: Ensure incus network acls
      ansible.builtin.import_role:
        name: damex.incus.incus_network_acls
      vars:
        incus_network_acls:
          - name: web
            description: Web server ACL
            ingress:
              - action: allow
                source: "@internal"
                protocol: tcp
                destination_port: "80,443"
                description: Allow HTTP and HTTPS
            egress:
              - action: allow
                destination: 8.8.8.8/32,8.8.4.4/32
                protocol: udp
                destination_port: "53"
                description: Allow DNS queries
          - name: deny-all
            ingress:
              - action: drop
            egress:
              - action: drop