-rw-r--r--roles/space_server/files/network-sysctl@.service14
-rw-r--r--roles/space_server/files/networkd/10-bond0.network1
-rw-r--r--roles/space_server/files/networkd/10-locix.netdev7
-rw-r--r--roles/space_server/files/networkd/10-locix.network23
-rw-r--r--roles/space_server/files/networkd/10-locix.sysctl25
-rw-r--r--roles/space_server/files/networkd/10-wan.sysctl2
-rw-r--r--roles/space_server/tasks/networkd.yml30
7 files changed, 102 insertions, 0 deletions
diff --git a/roles/space_server/files/network-sysctl@.service b/roles/space_server/files/network-sysctl@.service
new file mode 100644
index 0000000..06902ff
--- /dev/null
+++ b/roles/space_server/files/network-sysctl@.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Apply per interface kernel variables on %I
+Documentation=man:systemd-sysctl.service(8) man:sysctl.d(5)
+DefaultDependencies=no
+After=sys-devices-virtual-net-%i.device
+Before=network-online.target
+#ConditionPathIsReadWrite=/proc/sys/net/
+
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/systemd/systemd-sysctl /etc/systemd/network/10-%i.sysctl
+
+[Install]
+WantedBy=sys-devices-virtual-net-%i.device
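Review bot: `#ConditionPathIsReadWrite=/proc/sys/net/` is left commented out with no rationale, and nothing guards against the template being enabled for an interface that has no `/etc/systemd/network/10-%i.sysctl`, which would leave a failed unit on every device event; `ConditionPathExists=/etc/systemd/network/10-%i.sysctl` in `[Unit]` makes the instance skip cleanly instead, and a one-line comment on why the read-write condition was dropped (presumably the chroot case) would help the next reader. Also note that `%i` is the escaped instance name: for interfaces whose name needs escaping (for example one containing `-`), `ExecStart=` would look for `10-lan\x2d10.sysctl`, whereas `%I` (already used in `Description=`) yields the plain name; this does not affect `wan` or `locix`, so it is only worth fixing if more instances are planned.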
diff --git a/roles/space_server/files/networkd/10-bond0.network b/roles/space_server/files/networkd/10-bond0.network
index 39695a4..86b6ae5 100644
--- a/roles/space_server/files/networkd/10-bond0.network
+++ b/roles/space_server/files/networkd/10-bond0.network
@@ -12,6 +12,7 @@ LinkLocalAddressing=no
LLMNR=no
MulticastDNS=no
VLAN=wan
+VLAN=locix
VLAN=lan10
VLAN=lan11
VLAN=lan12
diff --git a/roles/space_server/files/networkd/10-locix.netdev b/roles/space_server/files/networkd/10-locix.netdev
new file mode 100644
index 0000000..54ebee6
--- /dev/null
+++ b/roles/space_server/files/networkd/10-locix.netdev
@@ -0,0 +1,7 @@
+[NetDev]
+Name=locix
+Kind=vlan
+MACAddress=5a:06:28:18:79:01
+
+[VLAN]
+Id=3145
diff --git a/roles/space_server/files/networkd/10-locix.network b/roles/space_server/files/networkd/10-locix.network
new file mode 100644
index 0000000..b6193c0
--- /dev/null
+++ b/roles/space_server/files/networkd/10-locix.network
@@ -0,0 +1,23 @@
+[Match]
+Name=locix
+
+[Link]
+ARP=yes
+
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+IPForward=yes
+LLMNR=no
+MulticastDNS=no
+LLDP=no
+EmitLLDP=no
+NTP=no
+
+[Address]
+Address=185.1.167.144/23
+Scope=link
+
+[Address]
+Address=2001:7f8:f2:e1:0:20:5235:1/64
+Scope=link
diff --git a/roles/space_server/files/networkd/10-locix.sysctl b/roles/space_server/files/networkd/10-locix.sysctl
new file mode 100644
index 0000000..e28f743
--- /dev/null
+++ b/roles/space_server/files/networkd/10-locix.sysctl
@@ -0,0 +1,25 @@
+# From https://www.ams-ix.net/ams/documentation/config-guide
+# file: /etc/sysctl.conf
+# These settings should be duplicated for all interfaces that are
+# on a peering LAN.
+
+# Fix the "promiscuous ARP" thing...
+net.ipv4.conf.locix.arp_ignore=1
+net.ipv4.conf.locix.arp_announce=1
+
+# Turn off RP filtering to allow asymmetric routing
+net.ipv4.conf.locix.rp_filter=0
+
+# Multiple (non-aggregated) interfaces on the same peering LAN
+# READ THE MANUAL FIRST!
+#net.ipv4.conf.ifname.arp_filter=1
+
+# Keep the IX ARP Police happy :-)
+net.ipv4.neigh.locix.base_reachable_time_ms=14400000
+net.ipv6.neigh.locix.base_reachable_time_ms=14400000
+
+# No redirects
+net.ipv4.conf.locix.accept_redirects=0
+net.ipv4.conf.locix.secure_redirects=0
+net.ipv4.conf.locix.send_redirects=0
+net.ipv6.conf.locix.accept_redirects=0
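Review bot: `net.ipv4.conf.locix.rp_filter=0` and `net.ipv4.conf.locix.send_redirects=0` do not take effect on their own, because the kernel evaluates `rp_filter` as the maximum of `conf/all` and `conf/<iface>` and enables `send_redirects` when either of them is set, so a distribution default of `net.ipv4.conf.all.rp_filter=1` (or the kernel default `all.send_redirects=1`) silently overrides both per-interface values; the same applies to `net.ipv4.conf.wan.rp_filter=0` in 10-wan.sysctl. The role should manage `net.ipv4.conf.all.rp_filter` and `net.ipv4.conf.all.send_redirects` globally (a sysctl.d drop-in, not this per-interface file) and set `rp_filter=1` explicitly on the interfaces that should keep it; otherwise asymmetric return traffic from the IX is still dropped and redirects are still emitted. A comment above these two keys, `# NOTE: effective value is max(conf/all, conf/locix); conf/all.rp_filter must be 0 for this to apply`, would spare the next reader the surprise.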
diff --git a/roles/space_server/files/networkd/10-wan.sysctl b/roles/space_server/files/networkd/10-wan.sysctl
new file mode 100644
index 0000000..8ca83b9
--- /dev/null
+++ b/roles/space_server/files/networkd/10-wan.sysctl
@@ -0,0 +1,2 @@
+# Turn off RP filtering to allow asymmetric routing
+net.ipv4.conf.wan.rp_filter=0
diff --git a/roles/space_server/tasks/networkd.yml b/roles/space_server/tasks/networkd.yml
index 95ec4b0..305996b 100644
--- a/roles/space_server/tasks/networkd.yml
+++ b/roles/space_server/tasks/networkd.yml
@@ -30,4 +30,34 @@
state: absent
with_items: "{{ networkd_existing.files|map(attribute='path')|map('basename')|difference(networkd_created.results|map(attribute='item')|map('basename'))|list }}"
+- name: Install network-sysctl@.service
+ copy:
+ dest: '/etc/systemd/system/network-sysctl@.service'
+ src: 'network-sysctl@.service'
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Enable network-sysctl@.service
+ systemd:
+ name: 'network-sysctl@{{ item }}.service'
+ enabled: yes
+ masked: no
+ when: not chroot
+ with_items:
+ - wan
+ - locix
+- name: '- when in chroot'
+ command:
+ argv:
+ - 'systemctl'
+ - 'enable'
+ - 'network-sysctl@{{ item }}.service'
+ args:
+ creates: '/etc/systemd/system/sys-devices-virtual-net-{{ item }}.device.wants/network-sysctl@{{ item }}.service'
+ when: chroot
+ with_items:
+ - wan
+ - locix
+
# vim: set ts=2 sw=2 et:
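Review bot: Enabling `network-sysctl@{{ item }}.service` without starting it leaves the new sysctl values unapplied on a host where `wan` and `locix` are already up, since the `sys-devices-virtual-net-*.device` units the service is wanted by are already active and will not pull it in again until the device reappears or the host reboots; in the non-chroot task add `state: started` and `daemon_reload: true` (the unit file was copied just above) so the first run takes effect, bearing in mind that a oneshot unit without `RemainAfterExit=` is likely to report changed on every run. Separately, `mode: 0644` is an unquoted octal under Ansible's YAML 1.1 loader and `enabled: yes` / `masked: no` are non-canonical booleans; write `mode: '0644'`, `enabled: true`, `masked: false`. The task name `'- when in chroot'` reads as a fragment; `'Enable network-sysctl@.service (in chroot)'` says what it does, and the duplicated `with_items` list in both tasks could be a single role variable.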