-rw-r--r--chaos-at-home/ch-atlas.yml3
-rw-r--r--chaos-at-home/ch-gnocchi.yml29
-rw-r--r--chaos-at-home/ch-oulu.yml11
-rw-r--r--common/vm-install.yml10
-rw-r--r--dan/sk-2019vm.yml3
-rw-r--r--dan/sk-tomnext.yml3
-rw-r--r--inventory/group_vars/vmhost-ch-oulu/main.yml21
-rw-r--r--inventory/host_vars/ch-atlas.yml3
-rw-r--r--inventory/host_vars/ch-gnocchi.yml4
-rw-r--r--inventory/host_vars/ch-oulu.yml19
-rw-r--r--inventory/hosts.ini9
-rw-r--r--roles/vm/grub/handlers/main.yml3
-rw-r--r--roles/vm/grub/tasks/main.yml17
-rw-r--r--roles/vm/guest/base/defaults/main.yml (renamed from roles/vm/guest/defaults/main.yml)0
-rw-r--r--roles/vm/guest/base/handlers/main.yml (renamed from roles/vm/guest/handlers/main.yml)4
-rw-r--r--roles/vm/guest/base/tasks/main.yml (renamed from roles/vm/guest/tasks/main.yml)19
-rw-r--r--roles/vm/guest/define/defaults/main.yml (renamed from roles/vm/define/defaults/main.yml)0
-rw-r--r--roles/vm/guest/define/tasks/main.yml (renamed from roles/vm/define/tasks/main.yml)0
-rw-r--r--roles/vm/guest/define/templates/libvirt-domain.xml.j2 (renamed from roles/vm/define/templates/libvirt-domain.xml.j2)0
-rw-r--r--roles/vm/guest/install/library/wait_for_virt.py (renamed from roles/vm/install/library/wait_for_virt.py)0
-rw-r--r--roles/vm/guest/install/tasks/installer-debian.yml (renamed from roles/vm/install/tasks/installer-debian.yml)0
-rw-r--r--roles/vm/guest/install/tasks/installer-openbsd.yml (renamed from roles/vm/install/tasks/installer-openbsd.yml)0
-rw-r--r--roles/vm/guest/install/tasks/main.yml (renamed from roles/vm/install/tasks/main.yml)10
-rw-r--r--roles/vm/guest/network/handlers/main.yml (renamed from roles/vm/network/handlers/main.yml)0
-rw-r--r--roles/vm/guest/network/tasks/main.yml (renamed from roles/vm/network/tasks/main.yml)0
-rw-r--r--roles/vm/guest/network/templates/interfaces.j2 (renamed from roles/vm/network/templates/interfaces.j2)0
-rw-r--r--roles/vm/guest/network/templates/resolv.conf.j2 (renamed from roles/vm/network/templates/resolv.conf.j2)0
-rw-r--r--roles/vm/guest/network/templates/systemd.link.j2 (renamed from roles/vm/network/templates/systemd.link.j2)0
-rw-r--r--roles/vm/host/base/handlers/main.yml (renamed from roles/vm/host/handlers/main.yml)0
-rw-r--r--roles/vm/host/base/tasks/main.yml (renamed from roles/vm/host/tasks/main.yml)4
-rw-r--r--roles/vm/host/base/tasks/zfs.yml (renamed from roles/vm/host/tasks/zfs.yml)0
-rw-r--r--roles/vm/host/network/tasks/main.yml42
-rw-r--r--roles/vm/host/network/templates/bridge-interfaces.j253
-rw-r--r--roles/vm/host/network/templates/interfaces.j279
-rw-r--r--roles/vm/host/tasks/network.yml75
35 files changed, 281 insertions, 140 deletions
diff --git a/chaos-at-home/ch-atlas.yml b/chaos-at-home/ch-atlas.yml
index 34fa1141..2e60943b 100644
--- a/chaos-at-home/ch-atlas.yml
+++ b/chaos-at-home/ch-atlas.yml
@@ -4,7 +4,8 @@
roles:
- role: core/sshd
- role: core/zsh
- - role: vm/host
+ - role: vm/host/base
+ - role: vm/host/network
## gpg on this host is too old to open the keyrings.
## to work around this problem the files have been manually converted
## applying the role would break this again!!
diff --git a/chaos-at-home/ch-gnocchi.yml b/chaos-at-home/ch-gnocchi.yml
index fd519bfd..095948ad 100644
--- a/chaos-at-home/ch-gnocchi.yml
+++ b/chaos-at-home/ch-gnocchi.yml
@@ -7,32 +7,7 @@
- role: core/sshd
- role: core/zsh
- role: core/cpu-microcode
- - role: vm/host
+ - role: vm/host/base
+ - role: vm/host/network
- role: installer/debian/base
- role: installer/openbsd/base
- post_tasks:
- # you need to reboot for changes to take effect
- - name: install network interface config
- copy:
- dest: /etc/network/interfaces
- content: |
- # This file describes the network interfaces available on your system
- # and how to activate them. For more information, see interfaces(5).
-
- # The loopback network interface
- auto lo
- iface lo inet loopback
- {% for interface in (__vmhost_bridge_interface_zones__.keys() | sort) %}
-
-
- auto {{ interface }}
- iface {{ interface }} inet manual
- {% for zone in __vmhost_bridge_interface_zones__[interface] %}
-
- auto {{ interface }}.{{ network_zones[zone].vlan }}
- iface {{ interface }}.{{ network_zones[zone].vlan }} inet manual
- {% endfor %}
- {% endfor %}
-
-
- source /etc/network/interfaces.d/*
diff --git a/chaos-at-home/ch-oulu.yml b/chaos-at-home/ch-oulu.yml
new file mode 100644
index 00000000..ef508629
--- /dev/null
+++ b/chaos-at-home/ch-oulu.yml
@@ -0,0 +1,11 @@
+---
+- name: Basic Setup
+ hosts: ch-oulu
+ roles:
+ - role: apt-repo/base
+ - role: core/base
+ - role: core/sshd
+ - role: core/zsh
+ - role: core/cpu-microcode
+ - role: vm/host/base
+ - role: vm/host/network
diff --git a/common/vm-install.yml b/common/vm-install.yml
index b0c3815a..64894d1a 100644
--- a/common/vm-install.yml
+++ b/common/vm-install.yml
@@ -27,7 +27,7 @@
- name: basic installation
hosts: _vmhost_
roles:
- - role: vm/install
+ - role: vm/guest/install
- name: wait for new vm to start up
@@ -58,14 +58,12 @@
- name: make sure to update cached facts
setup:
roles:
- - role: vm/grub
+ - role: vm/guest/base
when: install_distro in ['debian', 'ubuntu']
- - role: vm/network
- when: install_distro in ['debian', 'ubuntu']
- - role: vm/guest
+ - role: vm/guest/network
when: install_distro in ['debian', 'ubuntu']
-- name: reboot and wait for VM come back
+- name: reboot and wait for VM to come back
hosts: "{{ install_hostname }}"
gather_facts: no
roles:
diff --git a/dan/sk-2019vm.yml b/dan/sk-2019vm.yml
index 8859a3c2..07f4062e 100644
--- a/dan/sk-2019vm.yml
+++ b/dan/sk-2019vm.yml
@@ -12,7 +12,8 @@
- role: zfs/base
- role: apt-repo/spreadspace
- role: zfs/sanoid
- - role: vm/host
+ - role: vm/host/base
+ - role: vm/host/network
- role: installer/debian/base
tasks:
- name: install post-boot script
diff --git a/dan/sk-tomnext.yml b/dan/sk-tomnext.yml
index b6c3b95a..5d72770d 100644
--- a/dan/sk-tomnext.yml
+++ b/dan/sk-tomnext.yml
@@ -12,7 +12,8 @@
- role: zfs/base
- role: apt-repo/spreadspace
- role: zfs/sanoid
- - role: vm/host
+ - role: vm/host/base
+ - role: vm/host/network
- role: installer/debian/base
tasks:
- name: install post-boot script
diff --git a/inventory/group_vars/vmhost-ch-oulu/main.yml b/inventory/group_vars/vmhost-ch-oulu/main.yml
new file mode 100644
index 00000000..db5daa9c
--- /dev/null
+++ b/inventory/group_vars/vmhost-ch-oulu/main.yml
@@ -0,0 +1,21 @@
+---
+__vmhost_bridge_interface_zones__:
+ bond0:
+ - lan
+ - svc
+ - mgmt
+
+__vmhost_bridge_interface_zones_yaml__: |
+ {% for interface in (__vmhost_bridge_interface_zones__.keys() | sort) %}
+ {% for zone in __vmhost_bridge_interface_zones__[interface] %}
+ {{ zone }}:
+ interfaces:
+ - {{ interface }}.{{ network_zones[zone].vlan }}
+ {% endfor %}
+ {% endfor %}
+
+
+vm_host:
+ name: ch-oulu
+ network:
+ bridges: "{{ __vmhost_bridge_interface_zones_yaml__ | from_yaml }}"
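Review bot: The text built in `__vmhost_bridge_interface_zones_yaml__` is rendered by Jinja and then re-parsed by `from_yaml`, so zone and interface names go through YAML implicit typing: a zone named `no`, `on` or `off`, or an all-digit interface name, would come back as a boolean or number instead of the key the bridge template looks up. Quoting the generated scalars makes the parse independent of the names: `"{{ zone }}":` for the key and `- "{{ interface }}.{{ network_zones[zone].vlan }}"` for the list entry. The zones used here (`lan`, `svc`, `mgmt`) are not affected, so this is a robustness point for future hosts; the same construction presumably exists for the other vmhost groups and would want the same treatment.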
diff --git a/inventory/host_vars/ch-atlas.yml b/inventory/host_vars/ch-atlas.yml
index aa2c2e0c..120e007d 100644
--- a/inventory/host_vars/ch-atlas.yml
+++ b/inventory/host_vars/ch-atlas.yml
@@ -9,3 +9,6 @@ network:
# address6: "{{ vm_host.network.bridges.public.prefix6 | ipaddr(vm_host.network.bridges.public.offsets6[inventory_hostname]) | ipaddr('address/prefix') }}"
address6: "{{ vm_host.network.bridges.public.prefix6 | ipaddr(41) | ipaddr('address/prefix') }}"
gateway6: "{{ vm_host.network.bridges.public.gateway6 }}"
+ vlans:
+ eth0:
+ - 502
diff --git a/inventory/host_vars/ch-gnocchi.yml b/inventory/host_vars/ch-gnocchi.yml
index c52a1cf4..ff27a081 100644
--- a/inventory/host_vars/ch-gnocchi.yml
+++ b/inventory/host_vars/ch-gnocchi.yml
@@ -13,6 +13,10 @@ network:
interfaces:
- name: br-mgmt
address: "{{ network_zones.mgmt.prefix | ipaddr(network_zones.mgmt.offsets[inventory_hostname]) | ipaddr('address/prefix') }}"
+ vlans:
+ enp1s0: "{{ __vmhost_bridge_interface_zones__['enp1s0'] | map('extract', network_zones) | map(attribute='vlan') | list }}"
+ enp2s0: "{{ __vmhost_bridge_interface_zones__['enp2s0'] | map('extract', network_zones) | map(attribute='vlan') | list }}"
+ enp3s0: "{{ __vmhost_bridge_interface_zones__['enp3s0'] | map('extract', network_zones) | map(attribute='vlan') | list }}"
apt_repo_components:
diff --git a/inventory/host_vars/ch-oulu.yml b/inventory/host_vars/ch-oulu.yml
index e63e6f2d..f6ef0e4c 100644
--- a/inventory/host_vars/ch-oulu.yml
+++ b/inventory/host_vars/ch-oulu.yml
@@ -1,4 +1,6 @@
---
+install_interface: eno1
+
install:
efi: true
disks:
@@ -16,8 +18,23 @@ network:
- 9.9.9.9
domain: "{{ host_domain }}"
primary: &_network_primary_
- name: eno1
+ name: br-lan
address: "{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets[inventory_hostname]) | ipaddr('address/prefix') }}"
gateway: "{{ network_zones.lan.gateway }}"
interfaces:
- *_network_primary_
+ bonds:
+ - name: bond0
+ mode: 802.3ad
+ slaves:
+ - eno1
+ - eno2
+ options:
+ miimon: 100
+ vlans:
+ bond0: "{{ __vmhost_bridge_interface_zones__['bond0'] | map('extract', network_zones) | map(attribute='vlan') | list }}"
+
+apt_repo_components:
+ - main
+ - contrib
+ - non-free ## for microcode updates
diff --git a/inventory/hosts.ini b/inventory/hosts.ini
index 5d19bee4..549e494b 100644
--- a/inventory/hosts.ini
+++ b/inventory/hosts.ini
@@ -231,6 +231,13 @@ ch-atlas
[vmhost-ch-atlas:children]
vmhost-ch-atlas-guests
+[vmhost-ch-oulu-guests]
+ch-oulu-vm1
+[vmhost-ch-oulu]
+ch-oulu
+[vmhost-ch-oulu:children]
+vmhost-ch-oulu-guests
+
[vmhost-sk-2019vm-guests]
sk-testvm
sk-torrent
@@ -255,12 +262,14 @@ vmhost-sk-tomnext-guests
[kvmhosts]
ch-gnocchi
ch-atlas
+ch-oulu
sk-2019vm
sk-tomnext
[kvmguests:children]
vmhost-ch-gnocchi-guests
vmhost-ch-atlas-guests
+vmhost-ch-oulu-guests
vmhost-sk-2019vm-guests
vmhost-sk-tomnext-guests
diff --git a/roles/vm/grub/handlers/main.yml b/roles/vm/grub/handlers/main.yml
deleted file mode 100644
index 4bddbb14..00000000
--- a/roles/vm/grub/handlers/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-- name: update grub
- command: /usr/sbin/update-grub
diff --git a/roles/vm/grub/tasks/main.yml b/roles/vm/grub/tasks/main.yml
deleted file mode 100644
index e663e808..00000000
--- a/roles/vm/grub/tasks/main.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-- name: enable serial console in grub and for kernel
- vars:
- grub_options:
- GRUB_TIMEOUT: 2
- GRUB_CMDLINE_LINUX: '"console=ttyS0,115200n8"'
- GRUB_TERMINAL: serial
- GRUB_SERIAL_COMMAND: >-
- "serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1"
- loop: "{{ grub_options | dict2items }}"
- loop_control:
- label: "{{ item.key }}"
- lineinfile:
- dest: /etc/default/grub
- regexp: "^{{ item.key }}="
- line: "{{ item.key }}={{ item.value }}"
- notify: update grub
diff --git a/roles/vm/guest/defaults/main.yml b/roles/vm/guest/base/defaults/main.yml
index ce072e95..ce072e95 100644
--- a/roles/vm/guest/defaults/main.yml
+++ b/roles/vm/guest/base/defaults/main.yml
diff --git a/roles/vm/guest/handlers/main.yml b/roles/vm/guest/base/handlers/main.yml
index 5b57f3bc..2dfdddcb 100644
--- a/roles/vm/guest/handlers/main.yml
+++ b/roles/vm/guest/base/handlers/main.yml
@@ -1,3 +1,7 @@
+---
+- name: update grub
+ command: /usr/sbin/update-grub
+
- name: restart rngd
service:
name: rng-tools
diff --git a/roles/vm/guest/tasks/main.yml b/roles/vm/guest/base/tasks/main.yml
index e68f04df..b76ee762 100644
--- a/roles/vm/guest/tasks/main.yml
+++ b/roles/vm/guest/base/tasks/main.yml
@@ -1,3 +1,4 @@
+---
- name: install rngd
apt:
name: rng-tools
@@ -40,3 +41,21 @@
[Service]
ExecStart=
ExecStart=-/sbin/agetty --keep-baud 115200,38400,9600 --noclear --autologin root --login-pause --host {{ vm_host_cooked.name }} %I $TERM
+
+
+- name: enable serial console in grub and for kernel
+ vars:
+ grub_options:
+ GRUB_TIMEOUT: 2
+ GRUB_CMDLINE_LINUX: '"console=ttyS0,115200n8"'
+ GRUB_TERMINAL: serial
+ GRUB_SERIAL_COMMAND: >-
+ "serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1"
+ loop: "{{ grub_options | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ lineinfile:
+ dest: /etc/default/grub
+ regexp: "^{{ item.key }}="
+ line: "{{ item.key }}={{ item.value }}"
+ notify: update grub
diff --git a/roles/vm/define/defaults/main.yml b/roles/vm/guest/define/defaults/main.yml
index f0bcc4fd..f0bcc4fd 100644
--- a/roles/vm/define/defaults/main.yml
+++ b/roles/vm/guest/define/defaults/main.yml
diff --git a/roles/vm/define/tasks/main.yml b/roles/vm/guest/define/tasks/main.yml
index d0790628..d0790628 100644
--- a/roles/vm/define/tasks/main.yml
+++ b/roles/vm/guest/define/tasks/main.yml
diff --git a/roles/vm/define/templates/libvirt-domain.xml.j2 b/roles/vm/guest/define/templates/libvirt-domain.xml.j2
index ba0dcd5a..ba0dcd5a 100644
--- a/roles/vm/define/templates/libvirt-domain.xml.j2
+++ b/roles/vm/guest/define/templates/libvirt-domain.xml.j2
diff --git a/roles/vm/install/library/wait_for_virt.py b/roles/vm/guest/install/library/wait_for_virt.py
index 6c49fae1..6c49fae1 100644
--- a/roles/vm/install/library/wait_for_virt.py
+++ b/roles/vm/guest/install/library/wait_for_virt.py
diff --git a/roles/vm/install/tasks/installer-debian.yml b/roles/vm/guest/install/tasks/installer-debian.yml
index e0492969..e0492969 100644
--- a/roles/vm/install/tasks/installer-debian.yml
+++ b/roles/vm/guest/install/tasks/installer-debian.yml
diff --git a/roles/vm/install/tasks/installer-openbsd.yml b/roles/vm/guest/install/tasks/installer-openbsd.yml
index afa17c45..afa17c45 100644
--- a/roles/vm/install/tasks/installer-openbsd.yml
+++ b/roles/vm/guest/install/tasks/installer-openbsd.yml
diff --git a/roles/vm/install/tasks/main.yml b/roles/vm/guest/install/tasks/main.yml
index a4511459..21a13b4d 100644
--- a/roles/vm/install/tasks/main.yml
+++ b/roles/vm/guest/install/tasks/main.yml
@@ -50,11 +50,12 @@
etype: user
permissions: rx
- - vars:
+ - name: define installer vm
+ vars:
vm_define_installer: yes
installer_tmpdir: "{{ tmpdir.path }}"
import_role:
- name: vm/define
+ name: vm/guest/define
- debug:
msg: "you can check on the status of the installer running this command 'virsh console {{ install_hostname }}' on host {{ inventory_hostname }}."
@@ -82,7 +83,8 @@
path: "{{ tmpdir.path }}"
state: absent
-- vars:
+- name: define vm
+ vars:
vm_define_installer: no
import_role:
- name: vm/define
+ name: vm/guest/define
diff --git a/roles/vm/network/handlers/main.yml b/roles/vm/guest/network/handlers/main.yml
index f967fa86..f967fa86 100644
--- a/roles/vm/network/handlers/main.yml
+++ b/roles/vm/guest/network/handlers/main.yml
diff --git a/roles/vm/network/tasks/main.yml b/roles/vm/guest/network/tasks/main.yml
index 27a7682a..27a7682a 100644
--- a/roles/vm/network/tasks/main.yml
+++ b/roles/vm/guest/network/tasks/main.yml
diff --git a/roles/vm/network/templates/interfaces.j2 b/roles/vm/guest/network/templates/interfaces.j2
index 8c288669..8c288669 100644
--- a/roles/vm/network/templates/interfaces.j2
+++ b/roles/vm/guest/network/templates/interfaces.j2
diff --git a/roles/vm/network/templates/resolv.conf.j2 b/roles/vm/guest/network/templates/resolv.conf.j2
index 00aaafe3..00aaafe3 100644
--- a/roles/vm/network/templates/resolv.conf.j2
+++ b/roles/vm/guest/network/templates/resolv.conf.j2
diff --git a/roles/vm/network/templates/systemd.link.j2 b/roles/vm/guest/network/templates/systemd.link.j2
index 7093e164..7093e164 100644
--- a/roles/vm/network/templates/systemd.link.j2
+++ b/roles/vm/guest/network/templates/systemd.link.j2
diff --git a/roles/vm/host/handlers/main.yml b/roles/vm/host/base/handlers/main.yml
index 6541dd80..6541dd80 100644
--- a/roles/vm/host/handlers/main.yml
+++ b/roles/vm/host/base/handlers/main.yml
diff --git a/roles/vm/host/tasks/main.yml b/roles/vm/host/base/tasks/main.yml
index 4c29970d..1a7cb7d8 100644
--- a/roles/vm/host/tasks/main.yml
+++ b/roles/vm/host/base/tasks/main.yml
@@ -18,10 +18,6 @@
path: /etc/default/haveged
notify: restart haveged
-- name: install vm-host network
- when: "'network' in vm_host"
- include_tasks: network.yml
-
- name: prepare zfs volumes
when: "'zfs' in vm_host"
include_tasks: zfs.yml
diff --git a/roles/vm/host/tasks/zfs.yml b/roles/vm/host/base/tasks/zfs.yml
index b84f2d0d..b84f2d0d 100644
--- a/roles/vm/host/tasks/zfs.yml
+++ b/roles/vm/host/base/tasks/zfs.yml
diff --git a/roles/vm/host/network/tasks/main.yml b/roles/vm/host/network/tasks/main.yml
new file mode 100644
index 00000000..cd415d1e
--- /dev/null
+++ b/roles/vm/host/network/tasks/main.yml
@@ -0,0 +1,42 @@
+---
+- name: configure bonds and vlans
+ when: "'bonds' in network or 'vlans' in network"
+ block:
+ - name: install ifenslave package
+ when: "'bonds' in network"
+ apt:
+ name: ifenslave
+ state: present
+
+ - name: install vlan package
+ when: "'vlans' in network"
+ apt:
+ name: vlan
+ state: present
+
+ - name: create network interfaces
+ template:
+ src: interfaces.j2
+ dest: /etc/network/interfaces
+
+- name: create network bridges
+ when: "'bridges' in vm_host.network"
+ block:
+ - name: generate bridge interface config
+ loop: "{{ vm_host.network.bridges | default({}) | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ template:
+ src: bridge-interfaces.j2
+ dest: "/etc/network/interfaces.d/br-{{ item.key }}"
+ register: vmhost_bridge_config
+
+ ## We don't try to be to clever here: aka don't call ifdown before ifup because
+ ## if there are VMs running they would end up with a broken network
+ - name: bring up bridge interfaces
+ loop: "{{ vmhost_bridge_config.results }}"
+ loop_control:
+ label: "br-{{ item.item.key }}"
+ when: item is changed
+ command: "/sbin/ifup br-{{ item.item.key }}"
+ failed_when: false
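Review bot: The guard `when: "'network' in vm_host"` that the removed include in roles/vm/host/tasks/main.yml had is not carried over, so `when: "'bridges' in vm_host.network"` on the second block fails with an undefined attribute on any host whose `vm_host` has no `network` key, and the first block dereferences `network` directly in the same way; `when: "'network' in vm_host and 'bridges' in vm_host.network"` and `when: "'bonds' in (network | default({})) or 'vlans' in (network | default({}))"` keep the old tolerance. The `create network interfaces` task rewrites /etc/network/interfaces with no handler or notification, and the old ch-gnocchi post_task's comment `# you need to reboot for changes to take effect` was dropped with it; keeping that comment on the task tells the operator the bonds and vlans are not live after the play. Hosts with neither bonds nor vlans (sk-2019vm, sk-tomnext now apply this role) keep their existing /etc/network/interfaces, which then must already contain `source /etc/network/interfaces.d/*` for the bridge configs to be read — presumably true, but worth stating in a comment on the bridges block.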
diff --git a/roles/vm/host/network/templates/bridge-interfaces.j2 b/roles/vm/host/network/templates/bridge-interfaces.j2
new file mode 100644
index 00000000..05144430
--- /dev/null
+++ b/roles/vm/host/network/templates/bridge-interfaces.j2
@@ -0,0 +1,53 @@
+{% set bridge_name = 'br-'+item.key %}
+{% set bridge = item.value %}
+{% set interface = (network.interfaces | selectattr('name', 'eq', bridge_name) | first | default({})) %}
+auto {{ bridge_name }}
+{% if 'address' in interface %}
+iface {{ bridge_name }} inet static
+ address {{ interface.address | ipaddr('address') }}
+ netmask {{ interface.address | ipaddr('netmask') }}
+{% if 'gateway' in interface %}
+ gateway {{ interface.gateway }}
+{% endif %}
+{% else %}
+iface {{ bridge_name }} inet manual
+{% endif %}
+{% if 'interfaces' in bridge and (bridge.interfaces | length) > 0 %}
+ bridge_ports {{ bridge.interfaces | join(' ') }}
+{% else %}
+ bridge_ports none
+{% endif %}
+ bridge_stp off
+ bridge_waitport 0
+ bridge_fd 0
+ up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra
+ up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf
+ up modprobe br_netfilter
+ up /sbin/sysctl net.bridge.bridge-nf-call-iptables=0
+ up /sbin/sysctl net.bridge.bridge-nf-call-ip6tables=0
+ up /sbin/sysctl net.bridge.bridge-nf-call-arptables=0
+{% if 'address' in interface and 'prefix' in bridge %}
+{% if 'nat' in bridge and bridge.nat %}
+ up echo 1 > /proc/sys/net/ipv4/conf/$IFACE/forwarding
+ up echo 1 > /proc/sys/net/ipv4/conf/{{ ansible_default_ipv4.interface }}/forwarding
+ up /sbin/iptables -t nat -A POSTROUTING -o {{ ansible_default_ipv4.interface }} -s {{ bridge.prefix }} -j SNAT --to {{ ansible_default_ipv4.address }}
+{% endif %}
+{% if 'overlay' in bridge %}
+{% for dest, offset in (bridge.overlay.offsets | dictsort(by='value')) %}
+ up /bin/ip route add {{ (bridge.overlay.prefix | ipaddr(offset)).split('/')[0] }}/32 via {{ (bridge.prefix | ipaddr(bridge.offsets[dest])).split('/')[0] }} # {{ dest }}
+{% endfor %}
+ up /bin/ip route add unreachable {{ bridge.overlay.prefix }}
+ down /sbin/ip route del {{ bridge.overlay.prefix }}
+{% endif %}
+{% if 'nat' in bridge and bridge.nat %}
+ down /sbin/iptables -t nat -D POSTROUTING -o {{ ansible_default_ipv4.interface }} -s {{ bridge.prefix }} -j SNAT --to {{ ansible_default_ipv4.address }}
+{% endif %}
+{% endif %}
+{% if 'address6' in interface %}
+
+iface {{ bridge_name }} inet6 static
+ address {{ interface.address6 }}
+{% if 'gateway6' in interface %}
+ gateway {{ interface.gateway6 }}
+{% endif %}
+{% endif %}
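Review bot: The three `bridge-nf-call-*=0` sysctls mean frames switched between guests on a bridge never pass through the host's iptables/ip6tables/arptables, and `br_netfilter` is loaded only to make those knobs exist; the template gives no indication whether this is deliberate or a shortcut, so a later reader may "fix" it and change the host's filtering behaviour. A template comment above the `up modprobe br_netfilter` line such as `{# host netfilter is deliberately not applied to bridged guest traffic — <state where guest isolation is enforced instead> #}` would record the intent. The template is otherwise moved verbatim from roles/vm/host/tasks/network.yml, so nothing else is new here.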
diff --git a/roles/vm/host/network/templates/interfaces.j2 b/roles/vm/host/network/templates/interfaces.j2
new file mode 100644
index 00000000..fe57a024
--- /dev/null
+++ b/roles/vm/host/network/templates/interfaces.j2
@@ -0,0 +1,79 @@
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+
+## pyhiscal interfaces
+
+{% for interface in network.bonds | default([]) | map(attribute='slaves') | flatten | union(network.vlans | default({}) | list) | difference(network.bonds | default([]) | map(attribute='name') | list) | sort | unique %}
+auto {{ interface }}
+iface {{ interface }} inet manual
+ pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra
+ pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf
+
+{% endfor %}
+
+{% for bond in network.bonds | default([]) %}
+## Bond: {{ bond.name }}
+
+{% set tmp = network.interfaces | selectattr('name', 'eq', bond.name) | list %}
+auto {{ bond.name }}
+iface {{ bond.name }} inet {{ ((tmp | length) == 0) | ternary('manual', 'static') }}
+ bond-mode {{ bond.mode }}
+ bond-slaves {{ bond.slaves | sort | join(' ') }}
+{% for option in (bond.options | default({}) | list | sort) %}
+ bond-{{ option }} {{ bond.options[option] }}
+{% endfor %}
+ up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra
+ up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf
+{% if (tmp | length) > 0 %}
+{% set interface = tmp | first %}
+ address {{ interface.address | ipaddr('address') }}
+ netmask {{ interface.address | ipaddr('netmask') }}
+{% if 'gateway' in interface %}
+ gateway {{ interface.gateway }}
+{% endif %}
+{% for route in interface.static_routes | default([]) %}
+ up /bin/ip route add {{ route.destination }} via {{ route.gateway }}
+{% endfor %}
+{% for route in interface.static_routes | default([]) | reverse %}
+ down /bin/ip route del {{ route.destination }} via {{ route.gateway }}
+{% endfor %}
+{% if 'address6' in interface %}
+
+iface {{ interface.name }} inet6 static
+ address {{ interface.address6 }}
+{% if 'gateway6' in interface %}
+ gateway {{ interface.gateway6 }}
+{% endif %}
+{% for route in interface.static_routes6 | default([]) %}
+ up /bin/ip -6 route add {{ route.destination }} via {{ route.gateway }}
+{% endfor %}
+{% for route in interface.static_routes6 | default([]) | reverse %}
+ down /bin/ip -6 route del {{ route.destination }} via {{ route.gateway }}
+{% endfor %}
+{% endif %}
+{% endif %}
+
+
+{% endfor %}
+{% for parent in network.vlans | default({}) | list | sort %}
+## vlan interfaces @ {{ parent }}
+
+{% for vlan in network.vlans[parent] %}
+auto {{ parent }}.{{ vlan }}
+iface {{ parent }}.{{ vlan }} inet manual
+ up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra
+ up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf
+{# TODO: add interface config like above if (network.interfaces | selectattr('name', 'eq', 'parent+'.'+vlan') | list) > 0 ... #}
+
+{% endfor %}
+
+{% endfor %}
+
+## source bridge configs
+
+source /etc/network/interfaces.d/*
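Review bot: Every interface collected by the loop under `## pyhiscal interfaces` is rendered `inet manual`, so a `network.interfaces` entry carrying an address for a plain physical NIC, or for a VLAN sub-interface, is silently ignored; only bonds (via `tmp`) and bridges (in bridge-interfaces.j2) consult `network.interfaces`. The TODO in the vlan loop acknowledges the VLAN case, but the physical-NIC case deserves the same warning, e.g. `{# NOTE: addresses from network.interfaces are only honoured for bonds and bridges; plain NICs and vlan sub-interfaces are always rendered manual #}` placed above the first loop. Two small text fixes in the same file: `## pyhiscal interfaces` should read `## physical interfaces`, and the quoting in the TODO expression `'parent+'.'+vlan'` is misplaced (`parent ~ '.' ~ vlan` is what was meant).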
diff --git a/roles/vm/host/tasks/network.yml b/roles/vm/host/tasks/network.yml
deleted file mode 100644
index 802ffd8b..00000000
--- a/roles/vm/host/tasks/network.yml
+++ /dev/null
@@ -1,75 +0,0 @@
----
-- name: create network bridges
- when: "'bridges' in vm_host.network"
- block:
- - name: generate bridge interface config
- loop: "{{ vm_host.network.bridges | default({}) | dict2items }}"
- loop_control:
- label: "{{ item.key }}"
- copy:
- dest: "/etc/network/interfaces.d/br-{{ item.key }}"
- content: |
- {% set bridge_name = 'br-'+item.key %}
- {% set bridge = item.value %}
- {% set interface = (network.interfaces | selectattr('name', 'eq', bridge_name) | first | default({})) %}
- auto {{ bridge_name }}
- {% if 'address' in interface %}
- iface {{ bridge_name }} inet static
- address {{ interface.address | ipaddr('address') }}
- netmask {{ interface.address | ipaddr('netmask') }}
- {% if 'gateway' in interface %}
- gateway {{ interface.gateway }}
- {% endif %}
- {% else %}
- iface {{ bridge_name }} inet manual
- {% endif %}
- {% if 'interfaces' in bridge and (bridge.interfaces | length) > 0 %}
- bridge_ports {{ bridge.interfaces | join(' ') }}
- {% else %}
- bridge_ports none
- {% endif %}
- bridge_stp off
- bridge_waitport 0
- bridge_fd 0
- up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra
- up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf
- up modprobe br_netfilter
- up /sbin/sysctl net.bridge.bridge-nf-call-iptables=0
- up /sbin/sysctl net.bridge.bridge-nf-call-ip6tables=0
- up /sbin/sysctl net.bridge.bridge-nf-call-arptables=0
- {% if 'address' in interface and 'prefix' in bridge %}
- {% if 'nat' in bridge and bridge.nat %}
- up echo 1 > /proc/sys/net/ipv4/conf/$IFACE/forwarding
- up echo 1 > /proc/sys/net/ipv4/conf/{{ ansible_default_ipv4.interface }}/forwarding
- up /sbin/iptables -t nat -A POSTROUTING -o {{ ansible_default_ipv4.interface }} -s {{ bridge.prefix }} -j SNAT --to {{ ansible_default_ipv4.address }}
- {% endif %}
- {% if 'overlay' in bridge %}
- {% for dest, offset in (bridge.overlay.offsets | dictsort(by='value')) %}
- up /bin/ip route add {{ (bridge.overlay.prefix | ipaddr(offset)).split('/')[0] }}/32 via {{ (bridge.prefix | ipaddr(bridge.offsets[dest])).split('/')[0] }} # {{ dest }}
- {% endfor %}
- up /bin/ip route add unreachable {{ bridge.overlay.prefix }}
- down /sbin/ip route del {{ bridge.overlay.prefix }}
- {% endif %}
- {% if 'nat' in bridge and bridge.nat %}
- down /sbin/iptables -t nat -D POSTROUTING -o {{ ansible_default_ipv4.interface }} -s {{ bridge.prefix }} -j SNAT --to {{ ansible_default_ipv4.address }}
- {% endif %}
- {% endif %}
- {% if 'address6' in interface %}
-
- iface {{ bridge_name }} inet6 static
- address {{ interface.address6 }}
- {% if 'gateway6' in interface %}
- gateway {{ interface.gateway6 }}
- {% endif %}
- {% endif %}
- register: vmhost_bridge_config
-
- ## We don't try to be to clever here: aka don't call ifdown before ifup because
- ## if there are VMs running they would end up with a broken network
- - name: bring up bridge interfaces
- loop: "{{ vmhost_bridge_config.results }}"
- loop_control:
- label: "br-{{ item.item.key }}"
- when: item is changed
- command: "/sbin/ifup br-{{ item.item.key }}"
- failed_when: false