Diffstat (limited to '_graveyard_/inventory/host_vars/glt-gw-r3.yml')
-rw-r--r--_graveyard_/inventory/host_vars/glt-gw-r3.yml147
1 files changed, 147 insertions, 0 deletions
diff --git a/_graveyard_/inventory/host_vars/glt-gw-r3.yml b/_graveyard_/inventory/host_vars/glt-gw-r3.yml
new file mode 100644
index 00000000..d5d8538e
--- /dev/null
+++ b/_graveyard_/inventory/host_vars/glt-gw-r3.yml
@@ -0,0 +1,147 @@
+---
+openwrt_arch: x86
+openwrt_target: geode
+openwrt_profile: generic
+openwrt_output_image_suffixes:
+ - "{{ openwrt_profile }}-ext4-combined.img.gz"
+
+openwrt_packages_remove:
+ - ppp
+ - ppp-mod-pppoe
+ - firewall
+ - dnsmasq
+ - odhcpd-ipv6only
+openwrt_packages_add:
+ - kmod-ipt-nat
+ - kmod-ipt-conntrack
+ - haveged
+ - htop
+ - ip
+ - less
+ - nano
+ - tcpdump-mini
+ - iperf
+ - iperf3
+ - mtr
+ - iptraf-ng
+
+
+openwrt_mixin:
+ /etc/dropbear/authorized_keys:
+ content: "{{ ssh_keys_root | join('\n') }}\n"
+
+ /etc/htoprc:
+ file: "{{ global_files_dir }}/common/htoprc"
+
+ /etc/rc.d/S22network-fw:
+ link: "../init.d/network-fw"
+
+ /etc/rc.d/K92network-fw:
+ link: "../init.d/network-fw"
+
+ /etc/init.d/network-fw:
+ mode: "0755"
+ content: |
+ #!/bin/sh /etc/rc.common
+
+ START=22
+ STOP=91
+
+ start() {
+ WAN_IF=$(uci get network.wan.device)
+ LAN_IF=$(uci get network.lan.device)
+ LAN_IP=$(uci get network.lan.ipaddr)
+ LAN_MASK=$(uci get network.lan.netmask)
+
+ iptables -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT
+
+ ### external incoming
+ iptables -A INPUT -i "$WAN_IF" -p icmp -j ACCEPT
+ iptables -A INPUT -i "$WAN_IF" -p tcp --dport {{ ansible_port }} -j ACCEPT
+ iptables -A INPUT -i "$WAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+ ### internal
+ iptables -A INPUT -i "$LAN_IF" -p udp --dport 67 --sport 68 -j ACCEPT
+ iptables -A INPUT -i "$LAN_IF" -p udp --dport 53 -d "$LAN_IP" -s "$LAN_IP/$LAN_MASK" -j ACCEPT
+ iptables -A INPUT -i "$LAN_IF" -p tcp --dport 53 -d "$LAN_IP" -s "$LAN_IP/$LAN_MASK" -j ACCEPT
+
+ iptables -A INPUT -i "$LAN_IF" -p icmp -d "$LAN_IP" -s "$LAN_IP/$LAN_MASK" -j ACCEPT
+ iptables -A INPUT -i "$LAN_IF" -p tcp --dport {{ ansible_port }} -d "$LAN_IP" -s "$LAN_IP/$LAN_MASK" -j ACCEPT
+ iptables -A INPUT -i "$LAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+ iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_IP/$LAN_MASK" -j ACCEPT
+ iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_IP/$LAN_MASK" -j MASQUERADE
+
+ ### default policies
+ iptables -P INPUT DROP
+ iptables -P FORWARD DROP
+ }
+
+ stop() {
+ iptables -P INPUT ACCEPT
+ iptables -F INPUT
+ iptables -P FORWARD ACCEPT
+ iptables -F FORWARD
+ iptables -t nat -F POSTROUTING
+ }
+
+openwrt_uci:
+ system:
+ - name: system
+ options:
+ hostname: '{{ host_name }}'
+ timezone: 'CET-1CEST,M3.5.0,M10.5.0/3'
+ ttylogin: '0'
+ log_size: '64'
+ urandom_seed: '0'
+
+ - name: timeserver 'ntp'
+ options:
+ enabled: '1'
+ enable_server: '0'
+ server:
+ - '0.lede.pool.ntp.org'
+ - '1.lede.pool.ntp.org'
+ - '2.lede.pool.ntp.org'
+ - '3.lede.pool.ntp.org'
+
+ dropbear:
+ - name: dropbear
+ options:
+ PasswordAuth: 'off'
+ RootPasswordAuth: 'off'
+ Port: '{{ ansible_port }}'
+
+ network:
+ - name: globals 'globals'
+ options:
+ ula_prefix: "fc{{ '%02x:%04x:%04x' | format((255 | random(seed=inventory_hostname + '0')), (65535 | random(seed=inventory_hostname + '1')), (65535 | random(seed=inventory_hostname + '2'))) }}::/48"
+
+ - name: interface 'loopback'
+ options:
+ device: lo
+ proto: static
+ ipaddr: 127.0.0.1
+ netmask: 255.0.0.0
+
+ - name: interface 'wan'
+ options:
+ device: eth0
+ proto: static
+ ipaddr: "{{ network_zones.r3_ff.prefix | ansible.utils.ipaddr(network_zones.r3_ff.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}"
+ netmask: "{{ network_zones.r3_ff.prefix | ansible.utils.ipaddr('netmask') }}"
+ gateway: "{{ network_zones.r3_ff.gateway }}"
+ dns: "{{ network_zones.r3_ff.dns }}"
+
+ - name: interface 'lan'
+ options:
+ device: eth1
+ proto: static
+ ipaddr: "{{ network_zones.r3_lan.prefix | ansible.utils.ipaddr(network_zones.r3_lan.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}"
+ netmask: "{{ network_zones.r3_lan.prefix | ansible.utils.ipaddr('netmask') }}"
+
+ - name: interface 'unused'
+ options:
+ device: eth2
+ proto: none