From 7d30911f771c149c0c2f169571a447f3c8b97b13 Mon Sep 17 00:00:00 2001 From: Matt Birkholz Date: Thu, 15 Jan 2026 14:14:42 -0700 Subject: [PATCH] Move sysctl settings (esp. net.ipv4.ip_forward=1!) to local.conf. Debian 12's Systemd installed /etc/sysctl.d/99-sysctl.conf, a symlink to /etc/sysctl.conf, so systemd-sysctl has not included sysctl.conf for a while. Debian 13 has no /etc/sysctl.d/99-* and no /etc/sysctl.conf, so Ansible's sysctl builtin was less helpful than a simple copy to /etc/sysctl.d/local.conf. --- README.org | 42 +++++++++++++++++++++++---------- roles_t/core/handlers/main.yml | 6 +++++ roles_t/core/tasks/main.yml | 8 +++---- roles_t/front/handlers/main.yml | 6 +++++ roles_t/front/tasks/main.yml | 8 +++---- roles_t/gate/handlers/main.yml | 6 +++++ roles_t/gate/tasks/main.yml | 8 +++---- 7 files changed, 60 insertions(+), 24 deletions(-) diff --git a/README.org b/README.org index c6cc5ce..cbb56d8 100644 --- a/README.org +++ b/README.org @@ -2243,10 +2243,10 @@ not exist), and enable the service. - name: Enable IP forwarding. become: yes - sysctl: - name: net.ipv4.ip_forward - value: "1" - state: present + copy: + content: "net.ipv4.ip_forward = 1\n" + dest: /etc/sysctl.d/local.conf + notify: Reload sysctl. - name: Install WireGuard™. become: yes @@ -2284,6 +2284,12 @@ not exist), and enable the service. #+CAPTION: [[file:roles_t/front/handlers/main.yml][=roles_t/front/handlers/main.yml=]] #+BEGIN_SRC conf :tangle roles_t/front/handlers/main.yml +- name: Reload sysctl. + become: yes + systemd: + service: systemd-sysctl + state: reloaded + - name: Restart WireGuard™. become: yes systemd: @@ -3824,10 +3830,10 @@ service. - name: Enable IP forwarding. become: yes - sysctl: - name: net.ipv4.ip_forward - value: "1" - state: present + copy: + content: "net.ipv4.ip_forward = 1\n" + dest: /etc/sysctl.d/local.conf + notify: Reload sysctl. - name: Install WireGuard™. become: yes 
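Review bot: The new `copy` task under "Enable IP forwarding." (front role, first README.org hunk) sets no `owner`, `group` or `mode`, so the permissions of /etc/sysctl.d/local.conf are left to the remote umask. Since this file sets kernel parameters at every boot, I would pin them with `owner: root`, `group: root` and `mode: "0644"`. `copy` with `content:` also replaces the whole file, so any other setting that an administrator or another role keeps in local.conf is silently dropped. The value now takes effect only when the notified handler fires at the end of the play, so if any later task in the same play relies on forwarding being active (not visible from this hunk), a `meta: flush_handlers` step after this task would be needed. The core (@@ -3824) and gate (@@ -5302) hunks and the tangled roles_t/*/tasks/main.yml copies carry the same task.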
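Review bot: `state: reloaded` in the new "Reload sysctl." handler (front role, second README.org hunk) may not do what its name says. As far as I know, the stock systemd-sysctl.service is a oneshot unit with no `ExecReload=`, so a reload job on it is rejected instead of re-reading /etc/sysctl.d; please confirm on the Debian 13 target. If it is rejected, `state: restarted` re-runs the unit and applies the new file. A failing handler matters here because the file is already in place, so later runs report no change and never notify again, leaving net.ipv4.ip_forward at its old value until the next boot. The identical handlers in the core (@@ -3870) and gate (@@ -5343) hunks and in the tangled roles_t/*/handlers/main.yml files need the same change.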
@@ -3870,6 +3876,12 @@ service. #+CAPTION: [[file:roles_t/core/handlers/main.yml][=roles_t/core/handlers/main.yml=]] #+BEGIN_SRC conf :tangle roles_t/core/handlers/main.yml +- name: Reload sysctl. + become: yes + systemd: + service: systemd-sysctl + state: reloaded + - name: Restart WireGuard™. become: yes systemd: @@ -5302,10 +5314,10 @@ not exist), and enable the service. - name: Enable IP forwarding. become: yes - sysctl: - name: net.ipv4.ip_forward - value: "1" - state: present + copy: + content: "net.ipv4.ip_forward = 1\n" + dest: /etc/sysctl.d/local.conf + notify: Reload sysctl. - name: Install WireGuard™. become: yes @@ -5343,6 +5355,12 @@ not exist), and enable the service. #+CAPTION: [[file:roles_t/gate/handlers/main.yml][=roles_t/gate/handlers/main.yml=]] #+BEGIN_SRC conf :tangle roles_t/gate/handlers/main.yml +- name: Reload sysctl. + become: yes + systemd: + service: systemd-sysctl + state: reloaded + - name: Restart WireGuard™. become: yes systemd: diff --git a/roles_t/core/handlers/main.yml b/roles_t/core/handlers/main.yml index 074fe58..2e1513e 100644 --- a/roles_t/core/handlers/main.yml +++ b/roles_t/core/handlers/main.yml @@ -69,6 +69,12 @@ state: restarted tags: actualizer +- name: Reload sysctl. + become: yes + systemd: + service: systemd-sysctl + state: reloaded + - name: Restart WireGuard™. become: yes systemd: diff --git a/roles_t/core/tasks/main.yml b/roles_t/core/tasks/main.yml index 4debc9a..952b651 100644 --- a/roles_t/core/tasks/main.yml +++ b/roles_t/core/tasks/main.yml @@ -659,10 +659,10 @@ - name: Enable IP forwarding. become: yes - sysctl: - name: net.ipv4.ip_forward - value: "1" - state: present + copy: + content: "net.ipv4.ip_forward = 1\n" + dest: /etc/sysctl.d/local.conf + notify: Reload sysctl. - name: Install WireGuard™. become: yes diff --git a/roles_t/front/handlers/main.yml b/roles_t/front/handlers/main.yml index cdd096a..68f86e2 100644 --- a/roles_t/front/handlers/main.yml +++ b/roles_t/front/handlers/main.yml 
@@ -39,6 +39,12 @@ state: restarted tags: actualizer +- name: Reload sysctl. + become: yes + systemd: + service: systemd-sysctl + state: reloaded + - name: Restart WireGuard™. become: yes systemd: diff --git a/roles_t/front/tasks/main.yml b/roles_t/front/tasks/main.yml index c31cf1e..80d8113 100644 --- a/roles_t/front/tasks/main.yml +++ b/roles_t/front/tasks/main.yml @@ -460,10 +460,10 @@ - name: Enable IP forwarding. become: yes - sysctl: - name: net.ipv4.ip_forward - value: "1" - state: present + copy: + content: "net.ipv4.ip_forward = 1\n" + dest: /etc/sysctl.d/local.conf + notify: Reload sysctl. - name: Install WireGuard™. become: yes diff --git a/roles_t/gate/handlers/main.yml b/roles_t/gate/handlers/main.yml index c9076eb..11cd69a 100644 --- a/roles_t/gate/handlers/main.yml +++ b/roles_t/gate/handlers/main.yml @@ -16,6 +16,12 @@ state: restarted tags: actualizer +- name: Reload sysctl. + become: yes + systemd: + service: systemd-sysctl + state: reloaded + - name: Restart WireGuard™. become: yes systemd: diff --git a/roles_t/gate/tasks/main.yml b/roles_t/gate/tasks/main.yml index b429b9f..d16f69c 100644 --- a/roles_t/gate/tasks/main.yml +++ b/roles_t/gate/tasks/main.yml @@ -132,10 +132,10 @@ - name: Enable IP forwarding. become: yes - sysctl: - name: net.ipv4.ip_forward - value: "1" - state: present + copy: + content: "net.ipv4.ip_forward = 1\n" + dest: /etc/sysctl.d/local.conf + notify: Reload sysctl. - name: Install WireGuard™. become: yes -- 2.47.3