author | Christian Pointner <equinox@spreadspace.org> | 2018-05-25 02:04:16 +0200 |
committer | Christian Pointner <equinox@spreadspace.org> | 2018-05-25 02:04:16 +0200 |
commit | 46787e1c9b9c574a13dae748d2f8ff89e7b55b8e (patch) | |
tree | 8a6c10959f53886565d873595d3c285fefbe9039 /roles/vm/network | |
parent | move kubernetes roles to subdir (diff) |
remerge vm roles from realraum noc repo
Diffstat (limited to 'roles/vm/network')
-rw-r--r-- | roles/vm/network/tasks/lan.yml | 6 | ||||
-rw-r--r-- | roles/vm/network/tasks/main.yml | 40 | ||||
-rw-r--r-- | roles/vm/network/tasks/public.yml | 33 | ||||
-rw-r--r-- | roles/vm/network/tasks/systemd-link.yml | 15 | ||||
-rw-r--r-- | roles/vm/network/templates/firewall.sh_public.j2 | 49 | ||||
-rw-r--r-- | roles/vm/network/templates/interfaces.j2 (renamed from roles/vm/network/templates/interfaces_lan.j2) | 12 | ||||
-rw-r--r-- | roles/vm/network/templates/interfaces_public.j2 | 63 | ||||
-rw-r--r-- | roles/vm/network/templates/resolv.conf.j2 | 4 | ||||
-rw-r--r-- | roles/vm/network/templates/systemd.link.j2 | 2 |
9 files changed, 45 insertions, 179 deletions
diff --git a/roles/vm/network/tasks/lan.yml b/roles/vm/network/tasks/lan.yml
deleted file mode 100644
index ec436e9b..00000000
--- a/roles/vm/network/tasks/lan.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: install interface config (LAN only)
- template:
- src: interfaces_lan.j2
- dest: /etc/network/interfaces
- mode: 0644
diff --git a/roles/vm/network/tasks/main.yml b/roles/vm/network/tasks/main.yml
index 222a350b..3d51fff2 100644
--- a/roles/vm/network/tasks/main.yml
+++ b/roles/vm/network/tasks/main.yml
@@ -1,9 +1,37 @@
 ---
-- import_tasks: systemd-link.yml
- when: srv_network.systemd_link is defined
+- block:
+ - name: remove legacy systemd.link units
+ with_items:
+ - 50-virtio-kernel-names.link
+ - 99-default.link
+ file:
+ name: "/etc/systemd/network/{{ item }}"
+ state: absent
-- import_tasks: public.yml
- when: srv_network.public is defined
+ - name: install systemd network link units
+ with_items: "{{ vm_network.systemd_link.interfaces }}"
+ loop_control:
+ index_var: interface_index
+ template:
+ src: systemd.link.j2
+ dest: "/etc/systemd/network/{{ '%02d' | format(interface_index + 11) }}-{{ item.name }}.link"
+ notify: rebuild initramfs
-- import_tasks: lan.yml
- when: srv_network.public is not defined
+ when: vm_network.systemd_link is defined
+
+- name: install basic interface config
+ template:
+ src: interfaces.j2
+ dest: /etc/network/interfaces
+ mode: 0644
+
+- name: remove resolvconf package
+ apt:
+ name: resolvconf
+ state: absent
+ purge: yes
+
+- name: generate resolv.conf
+ template:
+ src: resolv.conf.j2
+ dest: /etc/resolv.conf
diff --git a/roles/vm/network/tasks/public.yml b/roles/vm/network/tasks/public.yml
deleted file mode 100644
index 8b0e317a..00000000
--- a/roles/vm/network/tasks/public.yml
+++ /dev/null
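Review bot: `mode: 0644` on the `install basic interface config` task is an unquoted octal; a YAML 1.1 parser reads it as the integer 420, which only yields the intended permission because of the leading zero, and a later edit that drops the zero (`644`) would silently set a different mode — write it as `mode: "0644"`. The `generate resolv.conf` task at the end of the hunk sets no `mode` at all, unlike its sibling, so the resulting `/etc/resolv.conf` permissions depend on whatever the template module inherits; add `mode: "0644"` there for the same explicitness. `purge: yes` on the apt task should be `purge: true` — `yes` is a YAML 1.1 boolean spelling that newer parsers treat as a string.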
@@ -1,33 +0,0 @@
----
-- name: set routing table names
- with_items:
- - { regexp: '^89\s', line: '89 mur-default' }
- - { regexp: '^212\s', line: '212 upc-default' }
- lineinfile:
- regexp: "{{ item.regexp }}"
- line: "{{ item.line }}"
- dest: /etc/iproute2/rt_tables
-
-- name: calculate address lists
- set_fact:
- srv_network_public_firewall_ipv4:
- - "{{ srv_network.public.ip_mur }}"
- - "{{ srv_network.public.ip_upc }}"
- srv_network_public_firewall_ipv6:
- - "{{ srv_network.public.ip_mur6 }}"
-
-- name: install firewall scripts
- with_items:
- - 4
- - 6
- template:
- src: firewall.sh_public.j2
- dest: "/etc/network/firewall{{ item }}.sh"
- mode: 0755
- when: srv_network.public.firewall is defined
-
-- name: install interface config (Public)
- template:
- src: interfaces_public.j2
- dest: /etc/network/interfaces
- mode: 0644
diff --git a/roles/vm/network/tasks/systemd-link.yml b/roles/vm/network/tasks/systemd-link.yml
deleted file mode 100644
index ad12cd37..00000000
--- a/roles/vm/network/tasks/systemd-link.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-- name: remove legacy systemd.link units
- file:
- name: "/etc/systemd/network/{{ item }}"
- state: absent
- with_items:
- - 50-virtio-kernel-names.link
- - 99-default.link
-
-- name: install systemd network link units
- template:
- src: systemd.link.j2
- dest: "/etc/systemd/network/{{ '%02d' | format(item.idx + 10) }}-{{ item.name }}.link"
- with_items: "{{ srv_network.systemd_link.interfaces }}"
- notify: rebuild initramfs
diff --git a/roles/vm/network/templates/firewall.sh_public.j2 b/roles/vm/network/templates/firewall.sh_public.j2
deleted file mode 100644
index df5b1373..00000000
--- a/roles/vm/network/templates/firewall.sh_public.j2
+++ /dev/null
@@ -1,49 +0,0 @@
-#!/bin/sh
-
-PUBLIC_IPS="{% if item == 4 %}{{ srv_network_public_firewall_ipv4 | join(' ') }}{% else %}{{ srv_network_public_firewall_ipv6 | join(' ') }}{% endif %}"
-PUBLIC_IF="$2"
-TCP_PORTS="{{ srv_network.public.firewall.tcp_ports | default([]) | join(' ') }}"
-UDP_PORTS="{{ srv_network.public.firewall.udp_ports | default([]) | join(' ') }}"
-
-#####
-IPTABLES="/sbin/ip{% if item == 6 %}6{% endif %}tables"
-ICMP="icmp{% if item == 6 %}v6{% endif %}"
-
-case "$1" in
- start)
- $IPTABLES -A INPUT -i $PUBLIC_IF -p $ICMP -j ACCEPT
- $IPTABLES -A INPUT -i $PUBLIC_IF -m state --state related,established -j ACCEPT
- for port in $TCP_PORTS; do
- for ip in $PUBLIC_IPS; do
- $IPTABLES -A INPUT -i $PUBLIC_IF -d $ip -p tcp --dport $port -j ACCEPT
- done
- done
- for port in $UDP_PORTS; do
- for ip in $PUBLIC_IPS; do
- $IPTABLES -A INPUT -i $PUBLIC_IF -d $ip -p udp --dport $port -j ACCEPT
- done
- done
- $IPTABLES -A INPUT -i $PUBLIC_IF -j DROP
- ;;
- stop)
- $IPTABLES -D INPUT -i $PUBLIC_IF -j DROP
- for port in $UDP_PORTS; do
- for ip in $PUBLIC_IPS; do
- $IPTABLES -D INPUT -i $PUBLIC_IF -d $ip -p udp --dport $port -j ACCEPT
- done
- done
- for port in $TCP_PORTS; do
- for ip in $PUBLIC_IPS; do
- $IPTABLES -D INPUT -i $PUBLIC_IF -d $ip -p tcp --dport $port -j ACCEPT
- done
- done
- $IPTABLES -D INPUT -i $PUBLIC_IF -m state --state related,established -j ACCEPT
- $IPTABLES -D INPUT -i $PUBLIC_IF -p $ICMP -j ACCEPT
- ;;
- *)
- echo "Usage: $0 (start|stop)"
- exit 1
- ;;
-esac
-
-exit 0
diff --git a/roles/vm/network/templates/interfaces_lan.j2 b/roles/vm/network/templates/interfaces.j2
index 36ae2883..542e18d6 100644
--- a/roles/vm/network/templates/interfaces_lan.j2
+++ b/roles/vm/network/templates/interfaces.j2
@@ -7,11 +7,11 @@ source /etc/network/interfaces.d/*
 auto lo
 iface lo inet loopback
-# The internal network interface
-auto {{ srv_network.internal.interface }}
-iface {{ srv_network.internal.interface }} inet static
- address {{ srv_network.internal.ip }}
- netmask 255.255.255.0
- gateway 192.168.1.254
+# The primary network interface
+auto {{ vm_network.primary.interface }}
+iface {{ vm_network.primary.interface }} inet static
+ address {{ vm_network.primary.ip }}
+ netmask {{ vm_network.primary.mask }}
+ gateway {{ vm_network.primary.gateway }}
 pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra
 pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf
diff --git a/roles/vm/network/templates/interfaces_public.j2 b/roles/vm/network/templates/interfaces_public.j2
deleted file mode 100644
index 2e8583ab..00000000
--- a/roles/vm/network/templates/interfaces_public.j2
+++ /dev/null
@@ -1,63 +0,0 @@
-# This file describes the network interfaces available on your system
-# and how to activate them. For more information, see interfaces(5).
-
-source /etc/network/interfaces.d/*
-
-# The loopback network interface
-auto lo
-iface lo inet loopback
-
-# The internal network interface
-auto {{ srv_network.internal.interface }}
-iface {{ srv_network.internal.interface }} inet static
- address {{ srv_network.internal.ip }}
- netmask 255.255.255.0
- pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra
- pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf
- up ip route add default via 192.168.1.254 table default
- up ip rule add pref 42000 lookup default
- up ip rule del pref 32767
- down ip rule add pref 32767 lookup default
- down ip rule del pref 42000
- down ip route del default via 192.168.1.254 table default
-
-
-# The public network interface
-auto {{ srv_network.public.interface }}
-iface {{ srv_network.public.interface }} inet static
- address {{ srv_network.public.ip }}
- netmask 255.255.255.0
- pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra
- pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf
- ## mur.at
- up ip addr add dev $IFACE {{ srv_network.public.ip_mur }}/28
- up ip route add default via 89.106.215.14 src {{ srv_network.public.ip_mur }} table mur-default
- up ip rule add pref 33000 from {{ srv_network.public.ip_mur }} lookup mur-default
- ## upc
- up ip addr add dev $IFACE {{ srv_network.public.ip_upc }}/32
- up ip route add default via 192.168.3.254 src {{ srv_network.public.ip_upc }} table upc-default
- up ip rule add pref 35000 from {{ srv_network.public.ip_upc }} lookup upc-default
- ### firewall
- up /etc/network/firewall4.sh start $IFACE
- ##########
- down /etc/network/firewall4.sh stop $IFACE
- ## upc
- down ip rule del pref 35000
- down ip route del default via 192.168.3.254 src {{ srv_network.public.ip_upc }} table upc-default
- down ip addr del dev $IFACE {{ srv_network.public.ip_upc }}/32
- ## mur.at
- down ip rule del pref 33000
- down ip route del default via 89.106.215.14 src {{ srv_network.public.ip_mur }} table mur-default
- down ip addr del dev $IFACE {{ srv_network.public.ip_mur }}/28
-
-iface {{ srv_network.public.interface }} inet6 static
- address {{ srv_network.public.ip_mur6 }}
- netmask 64
- pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra
- pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf
- up ip -6 route add default via 2a02:3e0:2003::e src {{ srv_network.public.ip_mur6 }} table mur-default
- up ip -6 rule add pref 33000 from {{ srv_network.public.ip_mur6 }} lookup mur-default
- up /etc/network/firewall6.sh start $IFACE
- down /etc/network/firewall6.sh stop $IFACE
- down ip -6 rule del pref 33000
- down ip -6 route del default via 2a02:3e0:2003::e src {{ srv_network.public.ip_mur6 }} table mur-default
diff --git a/roles/vm/network/templates/resolv.conf.j2 b/roles/vm/network/templates/resolv.conf.j2
new file mode 100644
index 00000000..86d4201e
--- /dev/null
+++ b/roles/vm/network/templates/resolv.conf.j2
@@ -0,0 +1,4 @@
+{% for nsrv in vm_network.nameservers %}
+nameserver {{ nsrv }}
+{% endfor %}
+search {{ vm_network.domain }}
diff --git a/roles/vm/network/templates/systemd.link.j2 b/roles/vm/network/templates/systemd.link.j2
index 753fd586..7093e164 100644
--- a/roles/vm/network/templates/systemd.link.j2
+++ b/roles/vm/network/templates/systemd.link.j2
@@ -1,5 +1,5 @@
 [Match]
-Path=pci-0000:01:{{ "%02d" | format(item.idx) }}.0
+Path=*pci-0000:01:{{ "%02d" | format(interface_index + 1) }}.0
 [Link]
 Name={{ item.name }} |
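Review bot: The new resolv.conf.j2 carries no hint that it is generated, and the same commit purges the resolvconf package, so a hand edit to `/etc/resolv.conf` on the host is silently overwritten on the next run with nothing in the file explaining why; add a first line `# managed by ansible (roles/vm/network) - local edits are overwritten`, which resolv.conf(5) ignores as a comment. `search {{ vm_network.domain }}` is rendered unconditionally while the nameservers are looped, so a host that defines `vm_network.nameservers` but not `vm_network.domain` fails the template rather than omitting the search line; if that is deliberate, a Jinja comment `{# domain is mandatory on purpose #}` saves the next reader a guess, otherwise guard it with `{% if vm_network.domain is defined %}`.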
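Review bot: The rewritten `Path=*pci-0000:01:{{ "%02d" | format(interface_index + 1) }}.0` encodes two assumptions that the template does not state: that the VM's NICs sit on PCI bus 01 in consecutive slots starting at 01, and that the zero-based `interface_index` is the same counter the `interface_index + 11` unit-name prefix in tasks/main.yml is built from. Add a Jinja comment above `[Match]` such as `{# interface_index is 0-based: PCI slot = index + 1, unit prefix = index + 11 (see tasks/main.yml) #}` so the offsets do not have to be reverse-engineered from two files. The leading `*` presumably exists to tolerate a parent-device prefix in the sysfs path; if so, say that in the same comment, since a wider glob also widens which devices this `[Match]` can rename.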