On Feb 14, Demetri A. Mkobaranov wrote:
> I'm facing a particular situation and I need ipv6 to be disabled.
> For this I use ipv6.disable=1 as kernel parameter at boot but I could even use
> - "net.ipv6.conf.all.disable_ipv6": True
> - "net.ipv6.conf.default.disable_ipv6": True
> - "net.ipv6.conf.lo.disable_ipv6": True
> in the sysctl.yml file.
> However the point is that roles like ferm are not aware that I've disabled ipv6.
> How can I make debops aware of the fact that I need ipv6 disabled for a
> specific host?

The roles use Ansible facts to determine if IPv6 configuration should be
enabled or not. For example the 'ferm' role checks[1] if the
'ansible_all_ipv6_addresses' variable has any elements, and if not, it should
disable the support (only 'ip' "domain" should be active).

[1]: https://github.com/debops/debops/blob/master/ansible/roles/ferm/defaults/...

Of course even a link-local IPv6 address can enable this support again, I'm not
sure if ipv6.disable=1 as the kernel parameter disables link-local IPv6
addresses. This configuration was implemented long before the
'ipaddr("link-local")' filter was present in Ansible, so this could be an
improvement that could help manage this situation. For now, you should be able
to define

    ferm__domains: [ 'ip' ]

in the inventory and that should tell the 'ferm' role to disable IPv6 support.

As for other DebOps roles, they usually do a similar thing, i.e. check if
'ansible_all_ipv6_addresses' has any entries. So I would start there - check
if you really don't have any IPv6 addresses on the host and if Ansible
correctly recognizes that.

I'm of course open about fixing any issues that come with it on different
roles, or implementing a way to disable IPv6 if a given role does not
currently support that. Let me know if you find any more issues.
Cheers,
Maciej
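
Added example (not part of the original message and not DebOps code): a small playbook for the check suggested above, showing what Ansible reports in 'ansible_all_ipv6_addresses' for a host and failing if anything, link-local included, is still there. The file name, the registered variable names and the /proc read are assumptions made for this illustration.

```yaml
# check-ipv6.yml (constructed example)
# Run with: ansible-playbook check-ipv6.yml --limit <host>
- name: Check whether Ansible still sees IPv6 addresses on a host
  hosts: all
  gather_facts: true
  tasks:
    - name: Read the disable_ipv6 sysctl straight from /proc
      ansible.builtin.command: cat /proc/sys/net/ipv6/conf/all/disable_ipv6
      register: ipv6_sysctl
      changed_when: false
      failed_when: false  # the file may not exist when the stack is disabled at boot

    - name: Split the address fact into all addresses and link-local ones
      ansible.builtin.set_fact:
        ipv6_all: "{{ ansible_all_ipv6_addresses | default([]) }}"
        ipv6_link_local: >-
          {{ ansible_all_ipv6_addresses | default([])
             | select('match', '(?i)^fe[89ab]') | list }}

    - name: Show what the roles will base their decision on
      ansible.builtin.debug:
        msg:
          - "ansible_all_ipv6_addresses: {{ ipv6_all }}"
          - "of which link-local (fe80::/10): {{ ipv6_link_local }}"
          - "disable_ipv6: {{ ipv6_sysctl.stdout | default('not readable', true) }}"

    - name: Fail if any IPv6 address, link-local included, is still reported
      ansible.builtin.assert:
        that:
          - ipv6_all | length == 0
        fail_msg: >-
          Ansible still reports IPv6 addresses, so roles that test
          ansible_all_ipv6_addresses will keep IPv6 enabled. Set
          ferm__domains: [ 'ip' ] for this host in the inventory.
        success_msg: "No IPv6 addresses in the facts gathered for this host."
```

If the assert passes but a role still writes IPv6 rules, the role is not relying on this fact and needs its own override, as with ferm__domains above.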