authorEmil Renner Berthing <esmil@labitat.dk>2018-12-05 19:07:35 +0100
committerEmil Renner Berthing <esmil@labitat.dk>2018-12-05 19:21:39 +0100
commitc624e52a8357da8db022831b86f2c85bb7bfed2f (patch)
treebfa87a875c3bd6b6cb31cec5614bdf6118d5421f
parent6827f7826451a2b9e99800d2fdb4e1793e61b968 (diff)
downloadlabitat-ansible-c624e52a8357da8db022831b86f2c85bb7bfed2f.tar.gz
labitat-ansible-c624e52a8357da8db022831b86f2c85bb7bfed2f.tar.xz
labitat-ansible-c624e52a8357da8db022831b86f2c85bb7bfed2f.zip
space_server: enable NAT64/DNS64 network
-rw-r--r--documentation/addressplan.txt1
-rw-r--r--roles/space_server/files/networkd/10-lan15.network2
-rw-r--r--roles/space_server/files/networkd/10-nat64.netdev3
-rw-r--r--roles/space_server/files/networkd/10-nat64.network15
-rw-r--r--roles/space_server/files/nftables.conf10
-rw-r--r--roles/space_server/files/nftables.service2
-rw-r--r--roles/space_server/files/tayga-labitat.conf6
-rw-r--r--roles/space_server/handlers/main.yml6
-rw-r--r--roles/space_server/tasks/main.yml2
-rw-r--r--roles/space_server/tasks/tayga.yml25
-rw-r--r--roles/space_server/templates/unbound.conf.j24
-rw-r--r--roles/space_server/vars/main.yml1
12 files changed, 72 insertions, 5 deletions
diff --git a/documentation/addressplan.txt b/documentation/addressplan.txt
index cee077d..151ffce 100644
--- a/documentation/addressplan.txt
+++ b/documentation/addressplan.txt
@@ -16,6 +16,7 @@
* 2a01:4262:1ab:0000:: - space.labitat.dk
* 2a01:4262:1ab:0000::cafe - spacewand.labitat.dk
* 2a01:4262:1ab:0000::db - spacebrain.labitat.dk
+ ********* 2a01:4262:1ab:0000:0:f::/96 - nat64/dns64 prefix
***************** 2a01:4262:1ab:000a::/64 - vlan 10 - infrastructure
***************** 2a01:4262:1ab:000b::/64 - vlan 11 - member wired
***************** 2a01:4262:1ab:000c::/64 - vlan 12 - member wireless
diff --git a/roles/space_server/files/networkd/10-lan15.network b/roles/space_server/files/networkd/10-lan15.network
index b202b9b..4c6babc 100644
--- a/roles/space_server/files/networkd/10-lan15.network
+++ b/roles/space_server/files/networkd/10-lan15.network
@@ -2,7 +2,7 @@
Name=lan15
[Link]
-ARP=no
+ARP=yes
[Network]
DHCP=no
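Review bot: The `ARP=no` → `ARP=yes` flip on lan15 is not explained by the commit message, which is about NAT64/DNS64, and a reader of 10-lan15.network cannot tell whether it is a prerequisite for the new futu rules in nftables.conf or an unrelated fix. A one-line comment above it, such as `# ARP on: <reason>` with the actual motivation filled in, would preserve that knowledge in the file. If the change is independent of NAT64 it would be cleaner as its own commit.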
diff --git a/roles/space_server/files/networkd/10-nat64.netdev b/roles/space_server/files/networkd/10-nat64.netdev
new file mode 100644
index 0000000..af0b249
--- /dev/null
+++ b/roles/space_server/files/networkd/10-nat64.netdev
@@ -0,0 +1,3 @@
+[NetDev]
+Name=nat64
+Kind=tun
diff --git a/roles/space_server/files/networkd/10-nat64.network b/roles/space_server/files/networkd/10-nat64.network
new file mode 100644
index 0000000..097e388
--- /dev/null
+++ b/roles/space_server/files/networkd/10-nat64.network
@@ -0,0 +1,15 @@
+[Match]
+Name=nat64
+
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+Address=10.42.128.1/17
+IPForward=yes
+LLMNR=no
+MulticastDNS=no
+LLDP=no
+
+[Route]
+Destination=2a01:4262:1ab:0:0:f::/96
+PreferredSource=2a01:4262:1ab::
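Review bot: `Address=10.42.128.1/17` gives the host the same IPv4 address that tayga-labitat.conf assigns to TAYGA itself (`ipv4-addr 10.42.128.1`), and TAYGA's sample configuration is explicit that ipv4-addr is TAYGA's own address and not the router's. With both claiming 10.42.128.1, traffic addressed to TAYGA (echo to the translator, anything routed to its address) is consumed by the host stack and never enters the tun, and IPv4 packets TAYGA originates (its ICMP errors, echo replies) arrive on the tun with a source the kernel considers local and are likely dropped as martians. Either give the host an address outside the dynamic pool and add `[Route]` `Destination=10.42.128.0/17` so pool traffic still enters the tun, or, if the shared address is deliberate, comment the choice in both files. The dynamic-pool and ipv4-addr lines live in tayga-labitat.conf, outside this section.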
diff --git a/roles/space_server/files/nftables.conf b/roles/space_server/files/nftables.conf
index 0cb7c4f..8b3124c 100644
--- a/roles/space_server/files/nftables.conf
+++ b/roles/space_server/files/nftables.conf
@@ -38,9 +38,11 @@ define pass_ip4 = 10.42.4.1
define pass_net4 = 10.42.4.0/24
define pass_net6 = 2a01:4262:1ab:e::/64
-#define nat64_if = nat64
-#define nat64_net = 10.42.255.0/24
-#define nat64_net6 = fde2:52b4:4a19:ffff::/96
+define futu_if = lan15
+define futu_net6 = 2a01:4262:1ab:f::/64
+
+define nat64_if = nat64
+define nat64_net4 = 10.42.128.0/17
define colo_if = lan20
define colo_ip4 = 185.38.175.65
@@ -116,6 +118,7 @@ table ip filter {
iif $priv_if ip saddr $priv_net4 accept
iif $free_if ip saddr $free_net4 ip daddr != $int_net4 accept
iif $pass_if ip saddr $pass_net4 accept
+ iif $nat64_if ip saddr $nat64_net4 accept
iif $colo_if ip saddr $colo_net4 ip daddr != $int_net4 accept
oif $colo_if accept
@@ -171,6 +174,7 @@ table ip6 filter {
iif $priv_if ip6 saddr $priv_net6 accept
iif $free_if ip6 saddr $free_net6 ip6 daddr != $ext_net6 accept
iif $pass_if ip6 saddr $pass_net6 accept
+ iif $futu_if ip6 saddr $futu_net6 accept
iif $colo_if ip6 saddr $colo_net6 ip6 daddr != $ext_net6 accept
oif $colo_if accept
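Review bot: The new `iif $nat64_if ip saddr $nat64_net4 accept` in the ip filter chain accepts translated traffic to every IPv4 destination, including $int_net4, whereas the free and colo interfaces in the same chain are restricted with `ip daddr != $int_net4`. Because TAYGA rewrites the source into the pool, the originating IPv6 network's policy is lost at this point: any IPv6 host that can route to the /96 gets the broadest IPv4 forwarding policy regardless of its VLAN. Unless NAT64 is meant to reach internal IPv4 hosts, mirror the other restricted interfaces: `iif $nat64_if ip saddr $nat64_net4 ip daddr != $int_net4 accept`. Which IPv6 networks can actually reach the prefix (and whether $ext_net6 in the ip6 chain covers it) is decided outside these hunks, so this should be confirmed against the ip6 forward rules.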
diff --git a/roles/space_server/files/nftables.service b/roles/space_server/files/nftables.service
index f1c9028..89e9cfe 100644
--- a/roles/space_server/files/nftables.service
+++ b/roles/space_server/files/nftables.service
@@ -8,6 +8,7 @@ Requires=sys-devices-virtual-net-lan13.device
Requires=sys-devices-virtual-net-lan14.device
Requires=sys-devices-virtual-net-lan15.device
Requires=sys-devices-virtual-net-lan20.device
+Requires=sys-devices-virtual-net-nat64.device
After=sys-devices-virtual-net-lan10.device
After=sys-devices-virtual-net-lan11.device
After=sys-devices-virtual-net-lan12.device
@@ -15,6 +16,7 @@ After=sys-devices-virtual-net-lan13.device
After=sys-devices-virtual-net-lan14.device
After=sys-devices-virtual-net-lan15.device
After=sys-devices-virtual-net-lan20.device
+After=sys-devices-virtual-net-nat64.device
Before=network-online.target
[Service]
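Review bot: The new `Requires=`/`After=` lines for sys-devices-virtual-net-nat64.device follow the existing pattern, but the unit never says why each device must exist first; nftables.conf matches with `iif $nat64_if`, and `iif`/`oif` are resolved to interface indexes when the ruleset is loaded, so the load fails if a named interface is absent. A comment above the Requires= block, e.g. `# nftables.conf uses iif/oif, so every named interface must exist before the ruleset loads`, would document the dependency. The trade-off is worth stating too: if the nat64 tun is never created the whole ruleset stays unloaded (the same fail-open behaviour the existing lan devices already carry), which `iifname`/`oifname` matching would avoid at a small per-packet cost.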
diff --git a/roles/space_server/files/tayga-labitat.conf b/roles/space_server/files/tayga-labitat.conf
new file mode 100644
index 0000000..f9826d9
--- /dev/null
+++ b/roles/space_server/files/tayga-labitat.conf
@@ -0,0 +1,6 @@
+tun-device nat64
+ipv4-addr 10.42.128.1
+#ipv6-addr 2a01:4262:1ab::
+prefix 2a01:4262:1ab:0:0:f::/96
+dynamic-pool 10.42.128.0/17
+data-dir /var/lib/tayga/labitat
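Review bot: `data-dir /var/lib/tayga/labitat` is referenced but nothing in tasks/tayga.yml creates that directory; TAYGA uses data-dir to persist its dynamic-pool mappings, so unless the packaged `tayga@.service` provisions it (confirm on the target), TAYGA either refuses to start or reassigns pool addresses on every restart, which also breaks any log correlation between pool addresses and IPv6 clients. Add a `file:` task with `path: /var/lib/tayga/labitat`, `state: directory` and an owner matching the service user next to the config task. The commented `#ipv6-addr 2a01:4262:1ab::` also deserves a comment saying why it is disabled, since 10-nat64.network's `PreferredSource=` uses that same address.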
diff --git a/roles/space_server/handlers/main.yml b/roles/space_server/handlers/main.yml
index 706cc13..09e0d1d 100644
--- a/roles/space_server/handlers/main.yml
+++ b/roles/space_server/handlers/main.yml
@@ -57,4 +57,10 @@
state: restarted
when: not chroot
+- name: restart tayga
+ systemd:
+ name: tayga@labitat.service
+ state: restarted
+ when: not chroot
+
# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/tasks/main.yml b/roles/space_server/tasks/main.yml
index bc1b332..bfa3bc6 100644
--- a/roles/space_server/tasks/main.yml
+++ b/roles/space_server/tasks/main.yml
@@ -30,6 +30,8 @@
when: radius_passwords is defined
- import_tasks: unbound.yml
tags: unbound
+- import_tasks: tayga.yml
+ tags: tayga
- import_tasks: avahi.yml
tags: avahi
diff --git a/roles/space_server/tasks/tayga.yml b/roles/space_server/tasks/tayga.yml
new file mode 100644
index 0000000..a06703e
--- /dev/null
+++ b/roles/space_server/tasks/tayga.yml
@@ -0,0 +1,25 @@
+---
+- name: Create labitat.conf
+ copy:
+ dest: '/etc/tayga/labitat.conf'
+ src: tayga-labitat.conf
+ owner: root
+ group: root
+ mode: 0644
+ notify: restart tayga
+
+- name: Create /etc/systemd/system/sys-devices-virtual-net-nat64.device.wants
+ file:
+ path: '/etc/systemd/system/sys-devices-virtual-net-nat64.device.wants'
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
+
+- name: Start tayga@labitat.service when nat64 interface is up
+ file:
+ path: '/etc/systemd/system/sys-devices-virtual-net-nat64.device.wants/tayga@labitat.service'
+ src: '/usr/lib/systemd/system/tayga@.service'
+ state: link
+
+# vim: set ts=2 sw=2 et:
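Review bot: The `state: link` task that drops `tayga@labitat.service` into the `.device.wants` directory is not followed by a daemon reload, and systemd only re-reads `.wants` directories when units are (re)loaded, so on an already-running host the nat64 device will not pull TAYGA in until the next `systemctl daemon-reload` or reboot. Either `notify:` a daemon-reload handler from this task (if the role has one; none is visible here), or give the restart handler `daemon_reload: yes`. The hard-coded `src: '/usr/lib/systemd/system/tayga@.service'` also ties the role to one distro layout, which a short comment should acknowledge.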
diff --git a/roles/space_server/templates/unbound.conf.j2 b/roles/space_server/templates/unbound.conf.j2
index d09d7af..26b7006 100644
--- a/roles/space_server/templates/unbound.conf.j2
+++ b/roles/space_server/templates/unbound.conf.j2
@@ -59,7 +59,9 @@ server:
rrset-roundrobin: yes
minimal-responses: yes
- module-config: "validator iterator"
+ module-config: "dns64 validator iterator"
+
+ dns64-prefix: 2a01:4262:1ab:0:0:f::/96
trust-anchor-signaling: yes
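Review bot: `dns64-prefix: 2a01:4262:1ab:0:0:f::/96` is the third hand-copied instance of the NAT64 prefix in this commit (the others are `prefix` in tayga-labitat.conf and the `[Route]` in 10-nat64.network), and a mismatch would silently hand clients synthesized AAAA records that route nowhere. This file is already a template and the role has vars/main.yml, so define it once (e.g. `nat64_prefix: 2a01:4262:1ab:0:0:f::/96`) and render `dns64-prefix: {{ nat64_prefix }}` here, templating the tayga and networkd files the same way. The module line is also worth a comment, since synthesized AAAA records carry no valid DNSSEC signatures and clients that validate themselves will reject them: `# dns64 must precede validator; synthesized AAAA cannot be validated downstream`.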
diff --git a/roles/space_server/vars/main.yml b/roles/space_server/vars/main.yml
index 4b3fb14..3a7251b 100644
--- a/roles/space_server/vars/main.yml
+++ b/roles/space_server/vars/main.yml
@@ -38,6 +38,7 @@ dnf_packages:
'diffutils': present
'policycoreutils': present # needed for unbound-keygen.service
'unbound': present
+ 'tayga': present
'avahi-tools': present # pulls in avahi package
'nss-mdns': present