authorChristian Pointner <equinox@spreadspace.org>2023-04-16 01:30:14 +0200
committerChristian Pointner <equinox@spreadspace.org>2023-04-16 01:30:14 +0200
commit8b3620f4e036764fc6c72e27bae820c6f6a51c22 (patch)
tree428103ec69303bd2b65422ce4f53317571cd1242 /inventory/host_vars/ch-gw-c3voc.yml
parentcpu-micrcode for debain bookworm+ (diff)
c@h: add network zone for c3voc
Diffstat (limited to 'inventory/host_vars/ch-gw-c3voc.yml')
-rw-r--r--inventory/host_vars/ch-gw-c3voc.yml182
1 files changed, 182 insertions, 0 deletions
diff --git a/inventory/host_vars/ch-gw-c3voc.yml b/inventory/host_vars/ch-gw-c3voc.yml
new file mode 100644
index 00000000..60d833bf
--- /dev/null
+++ b/inventory/host_vars/ch-gw-c3voc.yml
@@ -0,0 +1,182 @@
+---
+install:
+ vm:
+ memory: 64M
+ numcpus: 1
+ autostart: true
+ disks:
+ primary: /dev/sda
+ scsi:
+ sda:
+ type: image
+ path: "/srv/nvme/{{ inventory_hostname }}/root.img"
+ interfaces:
+ - bridge: br-c3voc
+ - bridge: br-svc
+
+
+openwrt_arch: x86
+openwrt_target: 64
+openwrt_profile: generic
+openwrt_output_image_suffixes:
+ - "{{ openwrt_profile }}-ext4-combined.img.gz"
+
+openwrt_packages_remove:
+ - ppp
+ - ppp-mod-pppoe
+ - dnsmasq
+ - firewall
+ - firewall4
+ - odhcpd
+ - odhcpd-ipv6only
+openwrt_packages_add:
+ - nftables
+ - kmod-nft-nat
+ - rng-tools
+ - htop
+ - ip
+ - less
+ - nano
+ - tcpdump-mini
+ - iperf
+ - iperf3
+ - mtr
+ - iptraf-ng
+
+openwrt_mixin:
+ /etc/dropbear/authorized_keys:
+ content: "{{ ssh_keys_root | join('\n') }}\n"
+
+ /etc/htoprc:
+ file: "{{ global_files_dir }}/common/htoprc"
+
+ /etc/rc.d/S21nftables:
+ link: "../init.d/nftables"
+
+ /etc/rc.d/K89nftables:
+ link: "../init.d/nftables"
+
+ /etc/init.d/nftables:
+ mode: "0755"
+ content: |
+ #!/bin/sh /etc/rc.common
+
+ START=21
+ STOP=89
+
+ start() {
+ nft -f /etc/nftables.conf
+ }
+
+ stop() {
+ nft flush ruleset
+ }
+
+ /etc/nftables.conf:
+ content: |
+ flush ruleset
+
+ define nic_svc = eth1
+
+ define nic_c3voc = eth0
+ define prefix_c3voc = {{ network_zones.c3voc.prefix }}
+
+ table inet global {
+ ## INPUT
+ chain input_svc {
+ ip protocol icmp accept
+ ip6 nexthdr ipv6-icmp accept
+ tcp dport { {{ ansible_port }} } accept
+ }
+
+ chain input_c3voc {
+ ip saddr != $prefix_c3voc drop
+ ip protocol icmp accept
+ ip6 nexthdr ipv6-icmp accept
+ udp dport { ntp } accept
+ }
+
+ chain input {
+ type filter hook input priority filter; policy drop;
+ ct state vmap { established: accept, related: accept, invalid: drop }
+ iifname vmap { lo: accept, $nic_svc: jump input_svc, $nic_c3voc: jump input_c3voc }
+ }
+
+
+ ## FORWARD
+ chain forward {
+ type filter hook forward priority filter; policy drop;
+ ct state vmap { established: accept, related: accept, invalid: drop }
+ iif $nic_svc oif $nic_c3voc ip daddr $prefix_c3voc accept
+ iif $nic_c3voc ip saddr $prefix_c3voc oifname $nic_svc accept
+ }
+ }
+
+
+openwrt_uci:
+ system:
+ - name: system
+ options:
+ hostname: '{{ host_name }}'
+ timezone: 'CET-1CEST,M3.5.0,M10.5.0/3'
+ ttylogin: '0'
+ log_size: '64'
+ urandom_seed: '0'
+
+ - name: timeserver 'ntp'
+ options:
+ enabled: '1'
+ enable_server: '1'
+ interface: 'c3voc'
+ server:
+ - '0.at.pool.ntp.org'
+ - '1.at.pool.ntp.org'
+ - '2.at.pool.ntp.org'
+ - '3.at.pool.ntp.org'
+
+ - name: rngd
+ options:
+ enabled: '1'
+ device: '/dev/hwrng'
+
+ dropbear:
+ - name: dropbear
+ options:
+ PasswordAuth: 'off'
+ RootPasswordAuth: 'off'
+ Port: '{{ ansible_port | default(22) }}'
+
+ network:
+ - name: globals 'globals'
+ options:
+ ula_prefix: "fc{{ '%02x:%04x:%04x' | format((255 | random(seed=inventory_hostname + '0')), (65535 | random(seed=inventory_hostname + '1')), (65535 | random(seed=inventory_hostname + '2'))) }}::/48"
+
+ - name: interface 'loopback'
+ options:
+ device: lo
+ proto: static
+ ipaddr: 127.0.0.1
+ netmask: 255.0.0.0
+
+ - name: interface 'c3voc'
+ options:
+ device: eth0
+ proto: static
+ ipaddr: "{{ network_zones.c3voc.prefix | ansible.utils.ipaddr(network_zones.c3voc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}"
+ netmask: "{{ network_zones.c3voc.prefix | ansible.utils.ipaddr('netmask') }}"
+
+ - name: interface 'svc'
+ options:
+ device: eth1
+ proto: static
+ ipaddr: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}"
+ netmask: "{{ network_zones.svc.prefix | ansible.utils.ipaddr('netmask') }}"
+ gateway: "{{ network_zones.svc.gateway }}"
+ dns: "{{ network_zones.svc.dns }}"
+
+ - name: route 'lan'
+ options:
+ interface: svc
+ target: "{{ network_zones.lan.prefix | ansible.utils.ipaddr('network') }}"
+ netmask: "{{ network_zones.lan.prefix | ansible.utils.ipaddr('netmask') }}"
+ gateway: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets['ch-gw-lan']) | ansible.utils.ipaddr('address') }}"
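Review bot: The SSH accept rule in chain input_svc, `tcp dport { {{ ansible_port }} } accept`, has no fallback, while the dropbear `Port` option later in the same file uses `'{{ ansible_port | default(22) }}'`; if `ansible_port` is ever undefined for this host the nftables.conf template fails to render even though dropbear would still come up on 22. Using the same expression in both places keeps the listener and the filter aligned: `tcp dport { {{ ansible_port | default(22) }} } accept`. The forward chain also mixes `iif`/`oif`, which nft resolves to an interface index when the ruleset is loaded, with `oifname` and with the `iifname` vmap used in the input chain; matching by name throughout, `iifname $nic_svc oifname $nic_c3voc ip daddr $prefix_c3voc accept` and `iifname $nic_c3voc ip saddr $prefix_c3voc oifname $nic_svc accept`, is consistent and does not depend on eth0/eth1 existing at load time. A short comment above the second forward rule noting that c3voc-to-svc traffic is accepted for any destination (so it also reaches the `route 'lan'` defined below) would make that intent explicit, assuming it is intended.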