From 7939bb1b140870aee6d21b925706e0a5bda37b80 Mon Sep 17 00:00:00 2001
From: Simon Cornet
Date: Mon, 16 Feb 2026 17:21:12 +0100
Subject: [PATCH] feat: add static routes

---
 defaults/main.yaml | 3 +++
 handlers/main.yaml | 10 ++++++++++
 tasks/performance.yaml | 2 +-
 tasks/routing.yaml | 26 +++++++++++++++++++++++---
 4 files changed, 37 insertions(+), 4 deletions(-)

diff --git a/defaults/main.yaml b/defaults/main.yaml
index c3d2f4f..d62df46 100644
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@@ -6,3 +6,6 @@ lan_interface: "eth1"
 # nat rules
 nat_port_forwards: []
+
+# static routes
+static_routes: []
diff --git a/handlers/main.yaml b/handlers/main.yaml
index 737b947..dee2aa5 100644
--- a/handlers/main.yaml
+++ b/handlers/main.yaml
@@ -5,3 +5,13 @@
 ansible.builtin.service:
 name: "iptables"
 state: "restarted"
+
+# apply local routes
+- name: "apply routes"
+ ansible.builtin.shell:
+ cmd: |
+ {% for route in static_routes %}
+ ip route replace {{ route.destination }} via {{ route.gateway }}{{ ' dev ' + route.interface if route.interface is defined else '' }}
+ {% endfor %}
+ when: "static_routes | length > 0"
+ changed_when: false
diff --git a/tasks/performance.yaml b/tasks/performance.yaml
index 7a2ee80..256f934 100644
--- a/tasks/performance.yaml
+++ b/tasks/performance.yaml
@@ -1,7 +1,7 @@
 ---
 # tcp performance tuning
-- name: "configure tcp performance settings"
+- name: "performance - configure tcp"
 ansible.posix.sysctl:
 name: "{{ item.name }}"
 value: "{{ item.value }}"
diff --git a/tasks/routing.yaml b/tasks/routing.yaml
index 43620c2..4995e08 100644
--- a/tasks/routing.yaml
+++ b/tasks/routing.yaml
@@ -1,7 +1,7 @@
 ---
 # install iptables
-- name: "install iptables"
+- name: "routing - install ptables"
 community.general.apk:
 name:
 - "iptables"
@@ -9,7 +9,7 @@
 update_cache: true
 # enable ipv4 forwarding
-- name: "configure ipv4 forwarding"
+- name: "routing - configure ipv4 forwarding"
 ansible.posix.sysctl:
 name: "net.ipv4.conf.all.forwarding"
 value: "1"
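Review bot: The `ip route replace` line in the new `apply routes` handler omits the route metric, so for an entry that sets `route.metric` the live route it installs differs from the `metric …` route the interfaces stanza adds on the next `ifup`, and that stanza's `down … metric` line will never remove it; append `{{ ' metric ' + (route.metric | string) if route.metric is defined else '' }}` to the command so both paths create the same route. The handler also declares `changed_when: false` while mutating the kernel routing table, and its `when: "static_routes | length > 0"` guard skips it exactly when routes are removed (the blockinfile task notifies it with `state: absent`), so deleted routes stay in the kernel until reboot — report the change and let an emptied list still reach the handler, or have the removing task clean up explicitly. Finally, `destination`, `gateway` and `interface` are interpolated unquoted into a root shell; if these variables can come from anything less trusted than the role's own inventory, pass each through `| quote` or assert their format beforehand.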
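Review bot: The renamed task title `"routing - install ptables"` drops the i from iptables; it should read `- name: "routing - install iptables"` so the task name matches the package it installs. Task names are also what `--start-at-task` and `--list-tasks` users type, so a typo here tends to propagate into tooling and documentation.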
@@ -18,7 +18,7 @@
 reload: false
 # disable ipv4 redirects and source routing
-- name: "disable ipv4 redirects and source routing"
+- name: "routing - disable ipv4 redirects and source routing"
 ansible.posix.sysctl:
 name: "{{ item.name }}"
 value: "{{ item.value }}"
@@ -34,3 +34,23 @@
 value: "0"
 - name: "net.ipv4.conf.all.log_martians"
 value: "0"
+
+# configure static routes
+- name: "routing - static routes"
+ ansible.builtin.blockinfile:
+ path: "/etc/network/interfaces"
+ marker: " # {mark} ANSIBLE MANAGED STATIC ROUTES"
+ block: |
+ {% for route in static_routes %}
+ # {{ route.name }}
+ {% if route.metric is defined %}
+ down ip route del {{ route.destination }} via {{ route.gateway }}{{ ' dev ' + route.interface if route.interface is defined else '' }} metric {{ route.metric }}
+ up ip route add {{ route.destination }} via {{ route.gateway }}{{ ' dev ' + route.interface if route.interface is defined else '' }} metric {{ route.metric }}
+ {% else %}
+ down ip route del {{ route.destination }} via {{ route.gateway }}{{ ' dev ' + route.interface if route.interface is defined else '' }}
+ up ip route add {{ route.destination }} via {{ route.gateway }}{{ ' dev ' + route.interface if route.interface is defined else '' }}
+ {% endif %}
+ {% endfor %}
+ insertafter: "^iface {{ lan_interface }} inet.*\\n(\\s+.*\\n)*\\s+netmask"
+ state: "{{ 'present' if static_routes | length > 0 else 'absent' }}"
+ notify: "apply routes"
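Review bot: The `insertafter` regex on the new blockinfile task cannot match: blockinfile evaluates the pattern against individual lines of `/etc/network/interfaces` (and `^` is not in multiline mode for any whole-file check), so an expression that spans `\n` and continues to `netmask` is never satisfied and, per the module's documented fallback, the block is appended at end of file, where its `up`/`down` lines attach to whichever iface stanza happens to be last or to none. Anchor on the single header line instead, `insertafter: "^iface {{ lan_interface }} inet"`; ifupdown does not require `address`/`netmask` to precede `up`/`down` within a stanza, though that is worth confirming on the busybox ifupdown in use. The rendered loop also appears to land at column 0 while `marker` carries a leading space, leaving the managed block inconsistently indented inside the stanza (drop the space from `marker` or indent the rendered lines), and `route.destination`/`route.gateway`/`route.interface` are written unvalidated into commands that ifup runs as root, so an `ansible.builtin.assert` on their format is advisable unless the inventory is fully trusted.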