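---
# https://docs.ansible.com/ansible/latest/collections/ansible/builtin/iptables_module.html
#
# NAT port-forwarding from the host's external interface into LXC containers
# behind the lxcbr0 bridge. Every forwarded service needs a pair of rules:
#   PREROUTING  DNAT  external port            -> container:port
#   POSTROUTING SNAT  traffic to container:port -> source rewritten to br_ip
#
# NOTE(review): the SNAT rules rewrite every client source address to the
# bridge IP, so the containers' own logs and any per-client rate limiting
# inside them only ever see 10.0.3.1 — confirm this is intended.
- hosts: myself
  vars:
    # Host-side interfaces/addresses. These mirror $EXT_IF / $BR_IF / $BR_IP
    # in the reference iptables commands at the bottom of this file.
    ext_if: ens3
    br_if: lxcbr0
    br_ip: 10.0.3.1
  tasks:
    # --- web container ------------------------------------------------------
    - name: Pass http+https to 10.0.3.194 (PRE)
      iptables:
        table: nat
        chain: PREROUTING
        state: present
        protocol: tcp
        in_interface: "{{ ext_if }}"
        destination_port: "{{ item }}"
        jump: DNAT
        # Quoted so the templated value is always a plain string for YAML.
        to_destination: "10.0.3.194:{{ item }}"
      with_items: ['80', '443']

    - name: Pass http+https to 10.0.3.194 (POST)
      iptables:
        table: nat
        chain: POSTROUTING
        state: present
        protocol: tcp
        out_interface: "{{ br_if }}"
        destination: 10.0.3.194
        destination_port: "{{ item }}"
        jump: SNAT
        to_source: "{{ br_ip }}"
      with_items: ['80', '443']

    # --- mail container -----------------------------------------------------
    - name: Pass mail (25,143,465,993,587) to 10.0.3.141 (PRE)
      iptables:
        table: nat
        chain: PREROUTING
        state: present
        protocol: tcp
        in_interface: "{{ ext_if }}"
        destination_port: "{{ item }}"
        jump: DNAT
        to_destination: "10.0.3.141:{{ item }}"
      with_items: ['25', '143', '465', '993', '587']

    - name: Pass mail (25,143,465,993,587) to 10.0.3.141 (POST)
      iptables:
        table: nat
        chain: POSTROUTING
        state: present
        protocol: tcp
        out_interface: "{{ br_if }}"
        destination: 10.0.3.141
        destination_port: "{{ item }}"
        jump: SNAT
        to_source: "{{ br_ip }}"
      with_items: ['25', '143', '465', '993', '587']

    # --- dns + openvpn container -------------------------------------------
    # NOTE(review): only UDP is forwarded here. DNS also uses 53/tcp (large
    # responses, zone transfers) — confirm TCP is deliberately not forwarded.
    - name: Pass dns+ovpn (53,1194) to 10.0.3.59 (PRE)
      iptables:
        table: nat
        chain: PREROUTING
        state: present
        protocol: udp
        in_interface: "{{ ext_if }}"
        destination_port: "{{ item }}"
        jump: DNAT
        to_destination: "10.0.3.59:{{ item }}"
      with_items: ['53', '1194']

    - name: Pass dns+ovpn (53,1194) to 10.0.3.59 (POST)
      iptables:
        table: nat
        chain: POSTROUTING
        state: present
        protocol: udp
        out_interface: "{{ br_if }}"
        destination: 10.0.3.59
        destination_port: "{{ item }}"
        jump: SNAT
        to_source: "{{ br_ip }}"
      with_items: ['53', '1194']

    # Disabled: read-only bind mounts between containers (mount module form).
    # - name: mount certs on mail container
    #   mount:
    #     path: /mnt/lxc/mail/etc/letsencrypt/
    #     src: /mnt/lxc/web/etc/letsencrypt/
    #     opts: ro, bind
    #     state: mounted
    #     fstype: none
    # - name: mount BKPDisk on web container
    #   mount:
    #     path: /media/bkp/
    #     src: /mnt/lxc/web/BKPDisk/
    #     opts: ro, bind
    #     state: mounted
    #     fstype: none

    # Disabled: same bind mounts via the shell module (not idempotent).
    # - name: mount certs on mail container
    #   shell: mount --bind -o ro /mnt/lxc/web/etc/letsencrypt/ /mnt/lxc/mail/etc/letsencrypt/
    # - name: mount BKPDisk on web container
    #   shell: mount --bind /media/bkp/ /mnt/lxc/web/BKPDisk/

# Reference: the equivalent raw iptables commands ($1 = container IP, $2 = port).
# iptables -t nat -A PREROUTING  -i $EXT_IF -p tcp --dport $2 -j DNAT --to-destination $1:$2
# iptables -t nat -A POSTROUTING -o $BR_IF  -p tcp --dport $2 -d $1 -j SNAT --to-source $BR_IP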