From 9454fdbff511e965e4fd9eb187b7fe432dcd437e Mon Sep 17 00:00:00 2001 
From: Emil Renner Berthing
Date: Wed, 26 Sep 2018 13:16:11 +0200
Subject: space_server: drop uneccessary subdirs

---
 roles/space_server/files/blackhole.service | 11 ++
 roles/space_server/files/blackhole.sh | 6 +
 .../space_server/files/blackhole/blackhole.service | 11 --
 roles/space_server/files/blackhole/blackhole.sh | 6 -
 roles/space_server/files/network/10-lan.link | 5 +
 roles/space_server/files/network/10-lan.network | 19 ++
 roles/space_server/files/network/10-lan10.netdev | 6 +
 roles/space_server/files/network/10-lan10.network | 12 ++
 roles/space_server/files/network/10-lan11.netdev | 6 +
 roles/space_server/files/network/10-lan11.network | 19 ++
 roles/space_server/files/network/10-lan12.netdev | 6 +
 roles/space_server/files/network/10-lan12.network | 19 ++
 roles/space_server/files/network/10-lan13.netdev | 6 +
 roles/space_server/files/network/10-lan13.network | 19 ++
 roles/space_server/files/network/10-lan14.netdev | 6 +
 roles/space_server/files/network/10-lan14.network | 19 ++
 roles/space_server/files/network/10-lan15.netdev | 6 +
 roles/space_server/files/network/10-lan15.network | 14 ++
 roles/space_server/files/network/10-lan20.netdev | 6 +
 roles/space_server/files/network/10-lan20.network | 23 +++
 roles/space_server/files/network/10-lo.network | 6 +
 roles/space_server/files/network/10-mgt.link | 5 +
 roles/space_server/files/network/10-mgt.network | 19 ++
 roles/space_server/files/network/10-wan.link | 5 +
 roles/space_server/files/network/10-wan.network | 21 ++
 roles/space_server/files/networkd-no-lan-mgt.conf | 3 +
 .../files/networkd/network/10-lan.link | 5 -
 .../files/networkd/network/10-lan.network | 19 --
 .../files/networkd/network/10-lan10.netdev | 6 -
 .../files/networkd/network/10-lan10.network | 12 --
 .../files/networkd/network/10-lan11.netdev | 6 -
 .../files/networkd/network/10-lan11.network | 19 --
 .../files/networkd/network/10-lan12.netdev | 6 -
 .../files/networkd/network/10-lan12.network | 19 --
 .../files/networkd/network/10-lan13.netdev | 6 -
 .../files/networkd/network/10-lan13.network | 19 --
 .../files/networkd/network/10-lan14.netdev | 6 -
 .../files/networkd/network/10-lan14.network | 19 --
 .../files/networkd/network/10-lan15.netdev | 6 -
 .../files/networkd/network/10-lan15.network | 14 --
 .../files/networkd/network/10-lan20.netdev | 6 -
 .../files/networkd/network/10-lan20.network | 23 ---
 .../files/networkd/network/10-lo.network | 6 -
 .../files/networkd/network/10-mgt.link | 5 -
 .../files/networkd/network/10-mgt.network | 19 --
 .../files/networkd/network/10-wan.link | 5 -
 .../files/networkd/network/10-wan.network | 21 --
 roles/space_server/files/networkd/no-lan-mgt.conf | 3 -
 roles/space_server/files/nftables.conf | 212 +++++++++++++++++++++
 roles/space_server/files/nftables.service | 30 +++
 roles/space_server/files/nftables/nftables.conf | 212 ---------------------
 roles/space_server/files/nftables/nftables.service | 30 ---
 roles/space_server/files/radvd.conf | 69 +++++++
 roles/space_server/files/radvd/radvd.conf | 69 -------
 roles/space_server/files/sudo/sudoers | 96 ----------
 roles/space_server/files/sudoers | 96 ++++++++++
 roles/space_server/tasks/avahi.yml | 2 +-
 roles/space_server/tasks/blackhole.yml | 4 +-
 roles/space_server/tasks/dhcpd.yml | 2 +-
 roles/space_server/tasks/networkd.yml | 4 +-
 roles/space_server/tasks/nftables.yml | 4 +-
 roles/space_server/tasks/radvd.yml | 2 +-
 roles/space_server/tasks/sudo.yml | 2 +-
 roles/space_server/tasks/unbound.yml | 2 +-
 roles/space_server/templates/avahi-hosts.j2 | 14 ++
 roles/space_server/templates/avahi/hosts.j2 | 14 --
 roles/space_server/templates/dhcpd.conf.j2 | 203 ++++++++++++++++++++
 roles/space_server/templates/dhcpd/dhcpd.conf.j2 | 203 --------------------
 roles/space_server/templates/unbound.conf.j2 | 126 ++++++++++++
 .../space_server/templates/unbound/unbound.conf.j2 | 126 ------------
 70 files changed, 1028 insertions(+), 1028 deletions(-)
 create mode 100644 roles/space_server/files/blackhole.service
 create mode 100755 roles/space_server/files/blackhole.sh
 delete mode 100644 roles/space_server/files/blackhole/blackhole.service
 delete mode 100755 roles/space_server/files/blackhole/blackhole.sh
 create mode 100644 roles/space_server/files/network/10-lan.link
 create mode 100644 roles/space_server/files/network/10-lan.network
 create mode 100644 roles/space_server/files/network/10-lan10.netdev
 create mode 100644 roles/space_server/files/network/10-lan10.network
 create mode 100644 roles/space_server/files/network/10-lan11.netdev
 create mode 100644 roles/space_server/files/network/10-lan11.network
 create mode 100644 roles/space_server/files/network/10-lan12.netdev
 create mode 100644 roles/space_server/files/network/10-lan12.network
 create mode 100644 roles/space_server/files/network/10-lan13.netdev
 create mode 100644 roles/space_server/files/network/10-lan13.network
 create mode 100644 roles/space_server/files/network/10-lan14.netdev
 create mode 100644 roles/space_server/files/network/10-lan14.network
 create mode 100644 roles/space_server/files/network/10-lan15.netdev
 create mode 100644 roles/space_server/files/network/10-lan15.network
 create mode 100644 roles/space_server/files/network/10-lan20.netdev
 create mode 100644 roles/space_server/files/network/10-lan20.network
 create mode 100644 roles/space_server/files/network/10-lo.network
 create mode 100644 roles/space_server/files/network/10-mgt.link
 create mode 100644 roles/space_server/files/network/10-mgt.network
 create mode 100644 roles/space_server/files/network/10-wan.link
 create mode 100644 roles/space_server/files/network/10-wan.network
 create mode 100644 roles/space_server/files/networkd-no-lan-mgt.conf
 delete mode 100644 roles/space_server/files/networkd/network/10-lan.link
 delete mode 100644 roles/space_server/files/networkd/network/10-lan.network
 delete mode 100644 roles/space_server/files/networkd/network/10-lan10.netdev
 delete mode 100644 roles/space_server/files/networkd/network/10-lan10.network
 delete mode 100644 roles/space_server/files/networkd/network/10-lan11.netdev
 delete mode 100644 roles/space_server/files/networkd/network/10-lan11.network
 delete mode 100644 roles/space_server/files/networkd/network/10-lan12.netdev
 delete mode 100644 roles/space_server/files/networkd/network/10-lan12.network
 delete mode 100644 roles/space_server/files/networkd/network/10-lan13.netdev
 delete mode 100644 roles/space_server/files/networkd/network/10-lan13.network
 delete mode 100644 roles/space_server/files/networkd/network/10-lan14.netdev
 delete mode 100644 roles/space_server/files/networkd/network/10-lan14.network
 delete mode 100644 roles/space_server/files/networkd/network/10-lan15.netdev
 delete mode 100644 roles/space_server/files/networkd/network/10-lan15.network
 delete mode 100644 roles/space_server/files/networkd/network/10-lan20.netdev
 delete mode 100644 roles/space_server/files/networkd/network/10-lan20.network
 delete mode 100644 roles/space_server/files/networkd/network/10-lo.network
 delete mode 100644 roles/space_server/files/networkd/network/10-mgt.link
 delete mode 100644 roles/space_server/files/networkd/network/10-mgt.network
 delete mode 100644 roles/space_server/files/networkd/network/10-wan.link
 delete mode 100644 roles/space_server/files/networkd/network/10-wan.network
 delete mode 100644 roles/space_server/files/networkd/no-lan-mgt.conf
 create mode 100644 roles/space_server/files/nftables.conf
 create mode 100644 roles/space_server/files/nftables.service
 delete mode 100644 roles/space_server/files/nftables/nftables.conf
 delete mode 100644 roles/space_server/files/nftables/nftables.service
 create mode 100644 roles/space_server/files/radvd.conf
 delete mode 100644 roles/space_server/files/radvd/radvd.conf
 delete mode 100644 roles/space_server/files/sudo/sudoers
 create mode 100644 roles/space_server/files/sudoers
 create mode 100644 roles/space_server/templates/avahi-hosts.j2
 delete mode 100644 roles/space_server/templates/avahi/hosts.j2
 create mode 100644 roles/space_server/templates/dhcpd.conf.j2
 delete mode 100644 roles/space_server/templates/dhcpd/dhcpd.conf.j2
 create mode 100644 roles/space_server/templates/unbound.conf.j2
 delete mode 100644 roles/space_server/templates/unbound/unbound.conf.j2

diff --git a/roles/space_server/files/blackhole.service b/roles/space_server/files/blackhole.service
new file mode 100644
index 0000000..e32f642
--- /dev/null
+++ b/roles/space_server/files/blackhole.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Blackhole routes
+Wants=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/etc/systemd/scripts/blackhole.sh
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/space_server/files/blackhole.sh b/roles/space_server/files/blackhole.sh
new file mode 100755
index 0000000..56a6c10
--- /dev/null
+++ b/roles/space_server/files/blackhole.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+set -e
+
+ip route add unreachable 185.38.175.0/24
+ip route add unreachable 2a01:4262:1ab::/48
diff --git a/roles/space_server/files/blackhole/blackhole.service b/roles/space_server/files/blackhole/blackhole.service
deleted file mode 100644
index e32f642..0000000
--- a/roles/space_server/files/blackhole/blackhole.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=Blackhole routes
-Wants=network.target
-
-[Service]
-Type=oneshot
-ExecStart=/etc/systemd/scripts/blackhole.sh
-RemainAfterExit=yes
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/space_server/files/blackhole/blackhole.sh b/roles/space_server/files/blackhole/blackhole.sh
deleted file mode 100755
index 56a6c10..0000000
--- a/roles/space_server/files/blackhole/blackhole.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/sh
-
-set -e
-
-ip route add unreachable 185.38.175.0/24
-ip route add unreachable 2a01:4262:1ab::/48
diff --git a/roles/space_server/files/network/10-lan.link b/roles/space_server/files/network/10-lan.link
new file mode 100644
index 0000000..996917e
--- /dev/null
+++ b/roles/space_server/files/network/10-lan.link
@@ -0,0 +1,5 @@
+[Match]
+Path=pci-0000:02:00.0
+
+[Link]
+Name=lan
diff --git a/roles/space_server/files/network/10-lan.network b/roles/space_server/files/network/10-lan.network
new file mode 100644
index 0000000..08b85aa
--- /dev/null
+++ b/roles/space_server/files/network/10-lan.network
@@ -0,0 +1,19 @@
+[Match]
+Name=lan
+
+#[Link]
+#ARP=no
+
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+LinkLocalAddressing=no
+LLMNR=no
+MulticastDNS=no
+VLAN=lan10
+VLAN=lan11
+VLAN=lan12
+VLAN=lan13
+VLAN=lan14
+VLAN=lan15
+VLAN=lan20
diff --git a/roles/space_server/files/network/10-lan10.netdev b/roles/space_server/files/network/10-lan10.netdev
new file mode 100644
index 0000000..655859d
--- /dev/null
+++ b/roles/space_server/files/network/10-lan10.netdev
@@ -0,0 +1,6 @@
+[NetDev]
+Name=lan10
+Kind=vlan
+
+[VLAN]
+Id=10
diff --git a/roles/space_server/files/network/10-lan10.network b/roles/space_server/files/network/10-lan10.network
new file mode 100644
index 0000000..18931e0
--- /dev/null
+++ b/roles/space_server/files/network/10-lan10.network
@@ -0,0 +1,12 @@
+[Match]
+Name=lan10
+
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+LinkLocalAddressing=no
+Address=10.42.0.1/24
+IPForward=yes
+LLMNR=yes
+MulticastDNS=yes
+LLDP=yes
diff --git a/roles/space_server/files/network/10-lan11.netdev b/roles/space_server/files/network/10-lan11.netdev
new file mode 100644
index 0000000..b99b50b
--- /dev/null
+++ b/roles/space_server/files/network/10-lan11.netdev
@@ -0,0 +1,6 @@
+[NetDev]
+Name=lan11
+Kind=vlan
+
+[VLAN]
+Id=11
diff --git a/roles/space_server/files/network/10-lan11.network b/roles/space_server/files/network/10-lan11.network
new file mode 100644
index 0000000..88d714f
--- /dev/null
+++ b/roles/space_server/files/network/10-lan11.network
@@ -0,0 +1,19 @@
+[Match]
+Name=lan11
+
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+LinkLocalAddressing=no
+Address=10.42.1.1/24
+#Address=2a01:4262:1ab:b::1/64
+Address=fe80::1/64
+IPForward=yes
+LLMNR=yes
+MulticastDNS=yes
+LLDP=yes
+EmitLLDP=yes
+
+[Route]
+Destination=2a01:4262:1ab:b::/64
+PreferredSource=2a01:4262:1ab::
diff --git a/roles/space_server/files/network/10-lan12.netdev b/roles/space_server/files/network/10-lan12.netdev
new file mode 100644
index 0000000..7229fa1
--- /dev/null
+++ b/roles/space_server/files/network/10-lan12.netdev
@@ -0,0 +1,6 @@
+[NetDev]
+Name=lan12
+Kind=vlan
+
+[VLAN]
+Id=12
diff --git a/roles/space_server/files/network/10-lan12.network b/roles/space_server/files/network/10-lan12.network
new file mode 100644
index 0000000..7f48f5b
--- /dev/null
+++ b/roles/space_server/files/network/10-lan12.network
@@ -0,0 +1,19 @@
+[Match]
+Name=lan12
+
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+LinkLocalAddressing=no
+Address=10.42.2.1/24
+#Address=2a01:4262:1ab:c::1/64
+Address=fe80::1/64
+IPForward=yes
+LLMNR=yes
+MulticastDNS=yes
+LLDP=yes
+EmitLLDP=yes
+
+[Route]
+Destination=2a01:4262:1ab:c::/64
+PreferredSource=2a01:4262:1ab::
diff --git a/roles/space_server/files/network/10-lan13.netdev b/roles/space_server/files/network/10-lan13.netdev
new file mode 100644
index 0000000..ab05488
--- /dev/null
+++ b/roles/space_server/files/network/10-lan13.netdev
@@ -0,0 +1,6 @@
+[NetDev]
+Name=lan13
+Kind=vlan
+
+[VLAN]
+Id=13
diff --git a/roles/space_server/files/network/10-lan13.network b/roles/space_server/files/network/10-lan13.network
new file mode 100644
index 0000000..81e3911
--- /dev/null
+++ b/roles/space_server/files/network/10-lan13.network
@@ -0,0 +1,19 @@
+[Match]
+Name=lan13
+
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+LinkLocalAddressing=no
+Address=10.42.3.1/24
+#Address=2a01:4262:1ab:d::1/64
+Address=fe80::1/64
+IPForward=yes
+LLMNR=yes
+MulticastDNS=yes
+LLDP=yes
+EmitLLDP=yes
+
+[Route]
+Destination=2a01:4262:1ab:d::/64
+PreferredSource=2a01:4262:1ab::
diff --git a/roles/space_server/files/network/10-lan14.netdev b/roles/space_server/files/network/10-lan14.netdev
new file mode 100644
index 0000000..1956a88
--- /dev/null
+++ b/roles/space_server/files/network/10-lan14.netdev
@@ -0,0 +1,6 @@
+[NetDev]
+Name=lan14
+Kind=vlan
+
+[VLAN]
+Id=14
diff --git a/roles/space_server/files/network/10-lan14.network b/roles/space_server/files/network/10-lan14.network
new file mode 100644
index 0000000..5b40bbf
--- /dev/null
+++ b/roles/space_server/files/network/10-lan14.network
@@ -0,0 +1,19 @@
+[Match]
+Name=lan14
+
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+LinkLocalAddressing=no
+Address=10.42.4.1/24
+#Address=2a01:4262:1ab:e::1/64
+Address=fe80::1/64
+IPForward=yes
+LLMNR=yes
+MulticastDNS=yes
+LLDP=yes
+EmitLLDP=yes
+
+[Route]
+Destination=2a01:4262:1ab:e::/64
+PreferredSource=2a01:4262:1ab::
diff --git a/roles/space_server/files/network/10-lan15.netdev b/roles/space_server/files/network/10-lan15.netdev
new file mode 100644
index 0000000..c31a650
--- /dev/null
+++ b/roles/space_server/files/network/10-lan15.netdev
@@ -0,0 +1,6 @@
+[NetDev]
+Name=lan15
+Kind=vlan
+
+[VLAN]
+Id=15
diff --git a/roles/space_server/files/network/10-lan15.network b/roles/space_server/files/network/10-lan15.network
new file mode 100644
index 0000000..e3c99dd
--- /dev/null
+++ b/roles/space_server/files/network/10-lan15.network
@@ -0,0 +1,14 @@
+[Match]
+Name=lan15
+
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+LinkLocalAddressing=no
+Address=2a01:4262:1ab:f::1/64
+Address=fe80::1/64
+IPForward=ipv6
+LLMNR=yes
+MulticastDNS=yes
+LLDP=yes
+EmitLLDP=yes
diff --git a/roles/space_server/files/network/10-lan20.netdev b/roles/space_server/files/network/10-lan20.netdev
new file mode 100644
index 0000000..2b2e0d8
--- /dev/null
+++ b/roles/space_server/files/network/10-lan20.netdev
@@ -0,0 +1,6 @@
+[NetDev]
+Name=lan20
+Kind=vlan
+
+[VLAN]
+Id=20
diff --git a/roles/space_server/files/network/10-lan20.network b/roles/space_server/files/network/10-lan20.network
new file mode 100644
index 0000000..06b1ff1
--- /dev/null
+++ b/roles/space_server/files/network/10-lan20.network
@@ -0,0 +1,23 @@
+[Match]
+Name=lan20
+
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+LinkLocalAddressing=no
+Address=185.38.175.65/26
+Address=2a01:4262:1ab:20::1/64
+Address=fe80::1/64
+IPForward=yes
+LLMNR=no
+MulticastDNS=no
+LLDP=yes
+EmitLLDP=no
+
+[Route]
+Destination=2a01:4262:1ab::cafe/128
+Gateway=2a01:4262:1ab:20::5
+
+[Route]
+Destination=2a01:4262:1ab::db/128
+Gateway=2a01:4262:1ab:20::6
diff --git a/roles/space_server/files/network/10-lo.network b/roles/space_server/files/network/10-lo.network
new file mode 100644
index 0000000..2321ce5
--- /dev/null
+++ b/roles/space_server/files/network/10-lo.network
@@ -0,0 +1,6 @@
+[Match]
+Name=lo
+
+[Network]
+Address=185.38.175.0/32
+Address=2a01:4262:1ab::/128
diff --git a/roles/space_server/files/network/10-mgt.link b/roles/space_server/files/network/10-mgt.link
new file mode 100644
index 0000000..715f409
--- /dev/null
+++ b/roles/space_server/files/network/10-mgt.link
@@ -0,0 +1,5 @@
+[Match]
+Path=pci-0000:03:00.0
+
+[Link]
+Name=mgt
diff --git a/roles/space_server/files/network/10-mgt.network b/roles/space_server/files/network/10-mgt.network
new file mode 100644
index 0000000..9da626e
--- /dev/null
+++ b/roles/space_server/files/network/10-mgt.network
@@ -0,0 +1,19 @@
+[Match]
+Name=mgt
+
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+Address=192.168.112.1/24
+#IPForward=ipv4
+DHCPServer=yes
+LLMNR=yes
+MulticastDNS=yes
+LLDP=yes
+EmitLLDP=yes
+
+[DHCPServer]
+DNS=192.168.112.1
+EmitDNS=yes
+EmitNTP=no
+EmitTimezone=yes
diff --git a/roles/space_server/files/network/10-wan.link b/roles/space_server/files/network/10-wan.link
new file mode 100644
index 0000000..47a7270
--- /dev/null
+++ b/roles/space_server/files/network/10-wan.link
@@ -0,0 +1,5 @@
+[Match]
+Path=pci-0000:01:00.0
+
+[Link]
+Name=wan
diff --git a/roles/space_server/files/network/10-wan.network b/roles/space_server/files/network/10-wan.network
new file mode 100644
index 0000000..1d14dee
--- /dev/null
+++ b/roles/space_server/files/network/10-wan.network
@@ -0,0 +1,21 @@
+[Match]
+Name=wan
+
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+Address=193.106.167.46/29
+Address=2a03:5440:1:2935:1ab::3/120
+IPForward=yes
+LLMNR=no
+MulticastDNS=no
+LLDP=yes
+EmitLLDP=no
+
+[Route]
+Gateway=193.106.167.42
+Metric=1024
+
+[Route]
+Gateway=2a03:5440:1:2935:1ab::2
+Metric=1024
diff --git a/roles/space_server/files/networkd-no-lan-mgt.conf b/roles/space_server/files/networkd-no-lan-mgt.conf
new file mode 100644
index 0000000..3309cf0
--- /dev/null
+++ b/roles/space_server/files/networkd-no-lan-mgt.conf
@@ -0,0 +1,3 @@
+[Service]
+ExecStart=
+ExecStart=/usr/lib/systemd/systemd-networkd-wait-online --ignore lan --ignore mgt
diff --git a/roles/space_server/files/networkd/network/10-lan.link b/roles/space_server/files/networkd/network/10-lan.link
deleted file mode 100644
index 996917e..0000000
--- a/roles/space_server/files/networkd/network/10-lan.link
+++ /dev/null
@@ -1,5 +0,0 @@
-[Match]
-Path=pci-0000:02:00.0
-
-[Link]
-Name=lan
diff --git a/roles/space_server/files/networkd/network/10-lan.network b/roles/space_server/files/networkd/network/10-lan.network
deleted file mode 100644
index 08b85aa..0000000
--- a/roles/space_server/files/networkd/network/10-lan.network
+++ /dev/null
@@ -1,19 +0,0 @@
-[Match]
-Name=lan
-
-#[Link]
-#ARP=no
-
-[Network]
-DHCP=no
-IPv6AcceptRA=no
-LinkLocalAddressing=no
-LLMNR=no
-MulticastDNS=no
-VLAN=lan10
-VLAN=lan11
-VLAN=lan12
-VLAN=lan13
-VLAN=lan14
-VLAN=lan15
-VLAN=lan20
diff --git a/roles/space_server/files/networkd/network/10-lan10.netdev b/roles/space_server/files/networkd/network/10-lan10.netdev
deleted file mode 100644
index 655859d..0000000
--- a/roles/space_server/files/networkd/network/10-lan10.netdev
+++ /dev/null
@@ -1,6 +0,0 @@
-[NetDev]
-Name=lan10
-Kind=vlan
-
-[VLAN]
-Id=10
diff --git a/roles/space_server/files/networkd/network/10-lan10.network b/roles/space_server/files/networkd/network/10-lan10.network
deleted file mode 100644
index 18931e0..0000000
--- a/roles/space_server/files/networkd/network/10-lan10.network
+++ /dev/null
@@ -1,12 +0,0 @@
-[Match]
-Name=lan10
-
-[Network]
-DHCP=no
-IPv6AcceptRA=no
-LinkLocalAddressing=no
-Address=10.42.0.1/24
-IPForward=yes
-LLMNR=yes
-MulticastDNS=yes
-LLDP=yes
diff --git a/roles/space_server/files/networkd/network/10-lan11.netdev b/roles/space_server/files/networkd/network/10-lan11.netdev
deleted file mode 100644
index b99b50b..0000000
--- a/roles/space_server/files/networkd/network/10-lan11.netdev
+++ /dev/null
@@ -1,6 +0,0 @@
-[NetDev]
-Name=lan11
-Kind=vlan
-
-[VLAN]
-Id=11
diff --git a/roles/space_server/files/networkd/network/10-lan11.network b/roles/space_server/files/networkd/network/10-lan11.network
deleted file mode 100644
index 88d714f..0000000
--- a/roles/space_server/files/networkd/network/10-lan11.network
+++ /dev/null
@@ -1,19 +0,0 @@
-[Match]
-Name=lan11
-
-[Network]
-DHCP=no
-IPv6AcceptRA=no
-LinkLocalAddressing=no
-Address=10.42.1.1/24
-#Address=2a01:4262:1ab:b::1/64
-Address=fe80::1/64
-IPForward=yes
-LLMNR=yes
-MulticastDNS=yes
-LLDP=yes
-EmitLLDP=yes
-
-[Route]
-Destination=2a01:4262:1ab:b::/64
-PreferredSource=2a01:4262:1ab::
diff --git a/roles/space_server/files/networkd/network/10-lan12.netdev b/roles/space_server/files/networkd/network/10-lan12.netdev
deleted file mode 100644
index 7229fa1..0000000
--- a/roles/space_server/files/networkd/network/10-lan12.netdev
+++ /dev/null
@@ -1,6 +0,0 @@
-[NetDev]
-Name=lan12
-Kind=vlan
-
-[VLAN]
-Id=12
diff --git a/roles/space_server/files/networkd/network/10-lan12.network b/roles/space_server/files/networkd/network/10-lan12.network
deleted file mode 100644
index 7f48f5b..0000000
--- a/roles/space_server/files/networkd/network/10-lan12.network
+++ /dev/null
@@ -1,19 +0,0 @@
-[Match]
-Name=lan12
-
-[Network]
-DHCP=no
-IPv6AcceptRA=no
-LinkLocalAddressing=no
-Address=10.42.2.1/24
-#Address=2a01:4262:1ab:c::1/64
-Address=fe80::1/64
-IPForward=yes
-LLMNR=yes
-MulticastDNS=yes
-LLDP=yes
-EmitLLDP=yes
-
-[Route]
-Destination=2a01:4262:1ab:c::/64
-PreferredSource=2a01:4262:1ab::
diff --git a/roles/space_server/files/networkd/network/10-lan13.netdev b/roles/space_server/files/networkd/network/10-lan13.netdev
deleted file mode 100644
index ab05488..0000000
--- a/roles/space_server/files/networkd/network/10-lan13.netdev
+++ /dev/null
@@ -1,6 +0,0 @@
-[NetDev]
-Name=lan13
-Kind=vlan
-
-[VLAN]
-Id=13
diff --git a/roles/space_server/files/networkd/network/10-lan13.network b/roles/space_server/files/networkd/network/10-lan13.network
deleted file mode 100644
index 81e3911..0000000
--- a/roles/space_server/files/networkd/network/10-lan13.network
+++ /dev/null
@@ -1,19 +0,0 @@
-[Match]
-Name=lan13
-
-[Network]
-DHCP=no
-IPv6AcceptRA=no
-LinkLocalAddressing=no
-Address=10.42.3.1/24
-#Address=2a01:4262:1ab:d::1/64
-Address=fe80::1/64
-IPForward=yes
-LLMNR=yes
-MulticastDNS=yes
-LLDP=yes
-EmitLLDP=yes
-
-[Route]
-Destination=2a01:4262:1ab:d::/64
-PreferredSource=2a01:4262:1ab::
diff --git a/roles/space_server/files/networkd/network/10-lan14.netdev b/roles/space_server/files/networkd/network/10-lan14.netdev
deleted file mode 100644
index 1956a88..0000000
--- a/roles/space_server/files/networkd/network/10-lan14.netdev
+++ /dev/null
@@ -1,6 +0,0 @@
-[NetDev]
-Name=lan14
-Kind=vlan
-
-[VLAN]
-Id=14
diff --git a/roles/space_server/files/networkd/network/10-lan14.network b/roles/space_server/files/networkd/network/10-lan14.network
deleted file mode 100644
index 5b40bbf..0000000
--- a/roles/space_server/files/networkd/network/10-lan14.network
+++ /dev/null
@@ -1,19 +0,0 @@
-[Match]
-Name=lan14
-
-[Network]
-DHCP=no
-IPv6AcceptRA=no
-LinkLocalAddressing=no
-Address=10.42.4.1/24
-#Address=2a01:4262:1ab:e::1/64
-Address=fe80::1/64
-IPForward=yes
-LLMNR=yes
-MulticastDNS=yes
-LLDP=yes
-EmitLLDP=yes
-
-[Route]
-Destination=2a01:4262:1ab:e::/64
-PreferredSource=2a01:4262:1ab::
diff --git a/roles/space_server/files/networkd/network/10-lan15.netdev b/roles/space_server/files/networkd/network/10-lan15.netdev
deleted file mode 100644
index c31a650..0000000
--- a/roles/space_server/files/networkd/network/10-lan15.netdev
+++ /dev/null
@@ -1,6 +0,0 @@
-[NetDev]
-Name=lan15
-Kind=vlan
-
-[VLAN]
-Id=15
diff --git a/roles/space_server/files/networkd/network/10-lan15.network b/roles/space_server/files/networkd/network/10-lan15.network
deleted file mode 100644
index e3c99dd..0000000
--- a/roles/space_server/files/networkd/network/10-lan15.network
+++ /dev/null
@@ -1,14 +0,0 @@
-[Match]
-Name=lan15
-
-[Network]
-DHCP=no
-IPv6AcceptRA=no
-LinkLocalAddressing=no
-Address=2a01:4262:1ab:f::1/64
-Address=fe80::1/64
-IPForward=ipv6
-LLMNR=yes
-MulticastDNS=yes
-LLDP=yes
-EmitLLDP=yes
diff --git a/roles/space_server/files/networkd/network/10-lan20.netdev b/roles/space_server/files/networkd/network/10-lan20.netdev
deleted file mode 100644
index 2b2e0d8..0000000
--- a/roles/space_server/files/networkd/network/10-lan20.netdev
+++ /dev/null
@@ -1,6 +0,0 @@
-[NetDev]
-Name=lan20
-Kind=vlan
-
-[VLAN]
-Id=20
diff --git a/roles/space_server/files/networkd/network/10-lan20.network b/roles/space_server/files/networkd/network/10-lan20.network
deleted file mode 100644
index 06b1ff1..0000000
--- a/roles/space_server/files/networkd/network/10-lan20.network
+++ /dev/null
@@ -1,23 +0,0 @@
-[Match]
-Name=lan20
-
-[Network]
-DHCP=no
-IPv6AcceptRA=no
-LinkLocalAddressing=no
-Address=185.38.175.65/26
-Address=2a01:4262:1ab:20::1/64
-Address=fe80::1/64
-IPForward=yes
-LLMNR=no
-MulticastDNS=no
-LLDP=yes
-EmitLLDP=no
-
-[Route]
-Destination=2a01:4262:1ab::cafe/128
-Gateway=2a01:4262:1ab:20::5
-
-[Route]
-Destination=2a01:4262:1ab::db/128
-Gateway=2a01:4262:1ab:20::6
diff --git a/roles/space_server/files/networkd/network/10-lo.network b/roles/space_server/files/networkd/network/10-lo.network
deleted file mode 100644
index 2321ce5..0000000
--- a/roles/space_server/files/networkd/network/10-lo.network
+++ /dev/null
@@ -1,6 +0,0 @@
-[Match]
-Name=lo
-
-[Network]
-Address=185.38.175.0/32
-Address=2a01:4262:1ab::/128
diff --git a/roles/space_server/files/networkd/network/10-mgt.link b/roles/space_server/files/networkd/network/10-mgt.link
deleted file mode 100644
index 715f409..0000000
--- a/roles/space_server/files/networkd/network/10-mgt.link
+++ /dev/null
@@ -1,5 +0,0 @@
-[Match]
-Path=pci-0000:03:00.0
-
-[Link]
-Name=mgt
diff --git a/roles/space_server/files/networkd/network/10-mgt.network b/roles/space_server/files/networkd/network/10-mgt.network
deleted file mode 100644
index 9da626e..0000000
--- a/roles/space_server/files/networkd/network/10-mgt.network
+++ /dev/null
@@ -1,19 +0,0 @@
-[Match]
-Name=mgt
-
-[Network]
-DHCP=no
-IPv6AcceptRA=no
-Address=192.168.112.1/24
-#IPForward=ipv4
-DHCPServer=yes
-LLMNR=yes
-MulticastDNS=yes
-LLDP=yes
-EmitLLDP=yes
-
-[DHCPServer]
-DNS=192.168.112.1
-EmitDNS=yes
-EmitNTP=no
-EmitTimezone=yes
diff --git a/roles/space_server/files/networkd/network/10-wan.link b/roles/space_server/files/networkd/network/10-wan.link
deleted file mode 100644
index 47a7270..0000000
--- a/roles/space_server/files/networkd/network/10-wan.link
+++ /dev/null
@@ -1,5 +0,0 @@
-[Match]
-Path=pci-0000:01:00.0
-
-[Link]
-Name=wan
diff --git a/roles/space_server/files/networkd/network/10-wan.network b/roles/space_server/files/networkd/network/10-wan.network
deleted file mode 100644
index 1d14dee..0000000
--- a/roles/space_server/files/networkd/network/10-wan.network
+++ /dev/null
@@ -1,21 +0,0 @@
-[Match]
-Name=wan
-
-[Network]
-DHCP=no
-IPv6AcceptRA=no
-Address=193.106.167.46/29
-Address=2a03:5440:1:2935:1ab::3/120
-IPForward=yes
-LLMNR=no
-MulticastDNS=no
-LLDP=yes
-EmitLLDP=no
-
-[Route]
-Gateway=193.106.167.42
-Metric=1024
-
-[Route]
-Gateway=2a03:5440:1:2935:1ab::2
-Metric=1024
diff --git a/roles/space_server/files/networkd/no-lan-mgt.conf b/roles/space_server/files/networkd/no-lan-mgt.conf
deleted file mode 100644
index 3309cf0..0000000
--- a/roles/space_server/files/networkd/no-lan-mgt.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-[Service]
-ExecStart=
-ExecStart=/usr/lib/systemd/systemd-networkd-wait-online --ignore lan --ignore mgt
diff --git a/roles/space_server/files/nftables.conf b/roles/space_server/files/nftables.conf
new file mode 100644
index 0000000..5f2f1b3
--- /dev/null
+++ b/roles/space_server/files/nftables.conf
@@ -0,0 +1,212 @@
+# our hosts
+define ap1 = 10.42.0.5
+define ap2 = 10.42.0.6
+define labitat = 185.38.172.72
+
+define spacewand4 = 185.38.175.70
+define spacewand6 = 2a01:4262:1ab::cafe
+
+define spacebrain4 = 185.38.175.69
+define spacebrain6 = 2a01:4262:1ab::db
+
+define labservers4 = { $spacewand4, $spacebrain4 }
+define labservers6 = { $spacewand6, $spacebrain6 }
+
+# internal stuff
+define ext_if = wan
+define ext_ip4 = 185.38.175.0
+define ext_ip6 = 2a01:4262:1ab::
+define int_net4 = 10.42.0.0/16
+define ext_net4 = 185.38.175.0/24
+define ext_net6 = 2a01:4262:1ab::/48
+define link_net4 = 193.106.167.40/29
+define link_net6 = 2a03:5440:1:2935:1ab::/120
+
+define adm_if = lan10
+define adm_ip4 = 10.42.0.1
+define adm_net4 = 10.42.0.0/24
+
+define wire_if = lan11
+define wire_ip4 = 10.42.1.1
+define wire_net4 = 10.42.1.0/24
+define wire_net6 = 2a01:4262:1ab:b::/64
+
+define priv_if = lan12
+define priv_ip4 = 10.42.2.1
+define priv_net4 = 10.42.2.0/24
+define priv_net6 = 2a01:4262:1ab:c::/64
+
+define free_if = lan13
+define free_ip4 = 10.42.3.1
+define free_net4 = 10.42.3.0/24
+define free_net6 = 2a01:4262:1ab:d::/64
+
+define pass_if = lan14
+define pass_ip4 = 10.42.4.1
+define pass_net4 = 10.42.4.0/24
+define pass_net6 = 2a01:4262:1ab:e::/64
+
+define serv_if = lan20
+define serv_ip4 = 185.38.175.65
+define serv_net4 = 185.38.175.64/24
+define serv_net6 = 2a01:4262:1ab:20::/64
+
+define avahi_ifs = { $wire_if, $priv_if, $pass_if }
+
+#define nat64_if = nat64
+#define nat64_net = 10.42.255.0/24
+#define nat64_net6 = fde2:52b4:4a19:ffff::/96
+
+table ip filter {
+ chain input {
+ type filter hook input priority 0;
+
+ ct state established,related accept
+ ct state invalid drop
+
+ # no ping floods
+ ip protocol icmp limit rate 100/second accept
+ ip protocol icmp drop
+
+ iif lo accept
+
+ # bird etc. on fiberby link
+ iif $ext_if ip saddr $link_net4 ip daddr $link_net4 counter accept
+
+ # dhcp
+ udp sport bootpc udp dport bootps iif != $ext_if counter accept
+
+ # radius
+ iif $adm_if ip saddr { $ap1, $ap2 } udp dport 1812 accept
+
+ # tftp
+ iif $wire_if ip saddr $wire_net4 udp dport 69 accept
+
+ # ssh
+ tcp dport 22 accept
+
+ # dns
+ tcp dport 53 ip saddr { $int_net4, $ext_net4 } accept
+ udp dport 53 ip saddr { $int_net4, $ext_net4 } accept
+
+ # avahi
+ ip daddr 224.0.0.251 udp dport 5353 iif $avahi_ifs accept
+ ip protocol igmp iif $avahi_ifs accept
+
+ ## debugging
+ #iif $ext_if counter drop
+ #udp dport { 137, 138, 5353, 27036 } drop # NetBIOS, Avahi, Steam in-home stream
+ #udp sport 17500 udp dport 17500 drop # Dropbox LANsync
+ #ip protocol igmp drop # IGMP
+ #counter log prefix "in4: " drop
+ drop
+ }
+
+ chain forward {
+ type filter hook forward priority 0;
+
+ ct state established,related accept
+ ct state invalid drop
+
+ # accept all traffic to Labitat servers
+ ip daddr $labservers4 accept
+
+ ip saddr $labitat udp dport 161 counter accept # traffic stats
+
+ # no traffic to admin net
+ ip daddr $adm_net4 ip saddr $int_net4 reject with icmp type net-prohibited
+ ip daddr $adm_net4 drop
+
+ # local traffic
+ iif $adm_if ip saddr $adm_net4 accept
+ iif $wire_if ip saddr $wire_net4 accept
+ iif $priv_if ip saddr $priv_net4 accept
+ iif $free_if ip saddr $free_net4 ip daddr != $int_net4 accept
+ iif $pass_if ip saddr $pass_net4 accept
+ iif $serv_if ip saddr $serv_net4 accept
+
+ ## debugging
+ #iif $ext_if counter drop
+ #counter log prefix "fw4: " drop
+ drop
+ }
+}
+
+table ip6 filter {
+ chain input {
+ type filter hook input priority 0;
+
+ ct state established,related accept
+ ct state invalid drop
+
+ # no ping floods
+ ip6 nexthdr ipv6-icmp limit rate 100/second accept
+ ip6 nexthdr ipv6-icmp drop
+
+ iif lo accept
+ iif { $adm_if, $wire_if, $priv_if, $free_if, $pass_if } hbh nexthdr ipv6-icmp accept
+
+ # bird etc. on fiberby link
+ iif $ext_if ip6 saddr $link_net6 ip6 daddr $link_net6 counter accept
+
+ # ssh
+ tcp dport 22 accept
+
+ # dns
+ tcp dport 53 ip6 saddr $ext_net6 accept
+ udp dport 53 ip6 saddr $ext_net6 accept
+
+ # avahi
+ ip6 daddr ff02::fb udp dport 5353 iif $avahi_ifs accept
+
+ ## debugging
+ #counter log prefix "in6: " drop
+ drop
+ }
+
+ chain forward {
+ type filter hook forward priority 0;
+
+ ct state established,related accept
+ ct state invalid drop
+
+ # accept all traffic to Labitat servers
+ ip6 daddr $labservers6 accept
+
+ iif $wire_if ip6 saddr $wire_net6 accept
+ iif $priv_if ip6 saddr $priv_net6 accept
+ iif $free_if ip6 saddr $free_net6 ip6 daddr != $ext_net6 accept
+ iif $pass_if ip6 saddr $pass_net6 accept
+ iif $serv_if ip6 saddr $serv_net6 accept
+
+ ## debugging
+ #counter log prefix "fw6: " drop
+ drop
+ }
+}
+
+table ip nat {
+ chain portforward {
+ ip daddr $ext_ip4 udp dport 161 dnat 10.42.0.9 # traffic stats
+ }
+
+ chain prerouting {
+ type nat hook prerouting priority -150;
+ goto portforward
+ }
+
+ chain output {
+ type nat hook output priority -150;
+ goto portforward
+ }
+
+ chain input {
+ type nat hook input priority -150;
+ # this chain is needed to make dnat from the output chain work
+ }
+
+ chain postrouting {
+ type nat hook postrouting priority -150;
+ oif $ext_if ip saddr $int_net4 snat $ext_ip4
+ }
+}
diff --git a/roles/space_server/files/nftables.service b/roles/space_server/files/nftables.service
new file mode 100644
index 0000000..f1c9028
--- /dev/null
+++ b/roles/space_server/files/nftables.service
@@ -0,0 +1,30 @@
+[Unit]
+Description=Netfilter Tables
+Documentation=man:nft(8)
+Requires=sys-devices-virtual-net-lan10.device
+Requires=sys-devices-virtual-net-lan11.device
+Requires=sys-devices-virtual-net-lan12.device
+Requires=sys-devices-virtual-net-lan13.device
+Requires=sys-devices-virtual-net-lan14.device
+Requires=sys-devices-virtual-net-lan15.device
+Requires=sys-devices-virtual-net-lan20.device
+After=sys-devices-virtual-net-lan10.device
+After=sys-devices-virtual-net-lan11.device
+After=sys-devices-virtual-net-lan12.device
+After=sys-devices-virtual-net-lan13.device
+After=sys-devices-virtual-net-lan14.device
+After=sys-devices-virtual-net-lan15.device
+After=sys-devices-virtual-net-lan20.device
+Before=network-online.target
+
+[Service]
+Type=oneshot
+ProtectSystem=full
+ProtectHome=true
+ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
+ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
+ExecStop=/sbin/nft flush ruleset
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/space_server/files/nftables/nftables.conf b/roles/space_server/files/nftables/nftables.conf
deleted file mode 100644
index 5f2f1b3..0000000
--- a/roles/space_server/files/nftables/nftables.conf
+++ /dev/null
@@ -1,212 +0,0 @@ -# our hosts -define ap1 = 10.42.0.5 -define ap2 = 10.42.0.6 -define labitat = 185.38.172.72 - -define spacewand4 = 185.38.175.70 -define spacewand6 = 2a01:4262:1ab::cafe - -define spacebrain4 = 185.38.175.69 -define spacebrain6 = 2a01:4262:1ab::db - -define labservers4 = { $spacewand4, $spacebrain4 } -define labservers6 = { $spacewand6, $spacebrain6 } - -# internal stuff -define ext_if = wan -define ext_ip4 = 185.38.175.0 -define ext_ip6 = 2a01:4262:1ab:: -define int_net4 = 10.42.0.0/16 -define ext_net4 = 185.38.175.0/24 -define ext_net6 = 2a01:4262:1ab::/48 -define link_net4 = 193.106.167.40/29 -define link_net6 = 2a03:5440:1:2935:1ab::/120 - -define adm_if = lan10 -define adm_ip4 = 10.42.0.1 -define adm_net4 = 10.42.0.0/24 - -define wire_if = lan11 -define wire_ip4 = 10.42.1.1 -define wire_net4 = 10.42.1.0/24 -define wire_net6 = 2a01:4262:1ab:b::/64 - -define priv_if = lan12 -define priv_ip4 = 10.42.2.1 -define priv_net4 = 10.42.2.0/24 -define priv_net6 = 2a01:4262:1ab:c::/64 - -define free_if = lan13 -define free_ip4 = 10.42.3.1 -define free_net4 = 10.42.3.0/24 -define free_net6 = 2a01:4262:1ab:d::/64 - -define pass_if = lan14 -define pass_ip4 = 10.42.4.1 -define pass_net4 = 10.42.4.0/24 -define pass_net6 = 2a01:4262:1ab:e::/64 - -define serv_if = lan20 -define serv_ip4 = 185.38.175.65 -define serv_net4 = 185.38.175.64/24 -define serv_net6 = 2a01:4262:1ab:20::/64 - -define avahi_ifs = { $wire_if, $priv_if, $pass_if } - -#define nat64_if = nat64 -#define nat64_net = 10.42.255.0/24 -#define nat64_net6 = fde2:52b4:4a19:ffff::/96 - -table ip filter { - chain input { - type filter hook input priority 0; - - ct state established,related accept - ct state invalid drop - - # no ping floods - ip protocol icmp limit rate 100/second accept - ip protocol icmp drop - - iif lo accept - - # bird etc. 
on fiberby link - iif $ext_if ip saddr $link_net4 ip daddr $link_net4 counter accept - - # dhcp - udp sport bootpc udp dport bootps iif != $ext_if counter accept - - # radius - iif $adm_if ip saddr { $ap1, $ap2 } udp dport 1812 accept - - # tftp - iif $wire_if ip saddr $wire_net4 udp dport 69 accept - - # ssh - tcp dport 22 accept - - # dns - tcp dport 53 ip saddr { $int_net4, $ext_net4 } accept - udp dport 53 ip saddr { $int_net4, $ext_net4 } accept - - # avahi - ip daddr 224.0.0.251 udp dport 5353 iif $avahi_ifs accept - ip protocol igmp iif $avahi_ifs accept - - ## debugging - #iif $ext_if counter drop - #udp dport { 137, 138, 5353, 27036 } drop # NetBIOS, Avahi, Steam in-home stream - #udp sport 17500 udp dport 17500 drop # Dropbox LANsync - #ip protocol igmp drop # IGMP - #counter log prefix "in4: " drop - drop - } - - chain forward { - type filter hook forward priority 0; - - ct state established,related accept - ct state invalid drop - - # accept all traffic to Labitat servers - ip daddr $labservers4 accept - - ip saddr $labitat udp dport 161 counter accept # traffic stats - - # no traffic to admin net - ip daddr $adm_net4 ip saddr $int_net4 reject with icmp type net-prohibited - ip daddr $adm_net4 drop - - # local traffic - iif $adm_if ip saddr $adm_net4 accept - iif $wire_if ip saddr $wire_net4 accept - iif $priv_if ip saddr $priv_net4 accept - iif $free_if ip saddr $free_net4 ip daddr != $int_net4 accept - iif $pass_if ip saddr $pass_net4 accept - iif $serv_if ip saddr $serv_net4 accept - - ## debugging - #iif $ext_if counter drop - #counter log prefix "fw4: " drop - drop - } -} - -table ip6 filter { - chain input { - type filter hook input priority 0; - - ct state established,related accept - ct state invalid drop - - # no ping floods - ip6 nexthdr ipv6-icmp limit rate 100/second accept - ip6 nexthdr ipv6-icmp drop - - iif lo accept - iif { $adm_if, $wire_if, $priv_if, $free_if, $pass_if } hbh nexthdr ipv6-icmp accept - - # bird etc. 
on fiberby link - iif $ext_if ip6 saddr $link_net6 ip6 daddr $link_net6 counter accept - - # ssh - tcp dport 22 accept - - # dns - tcp dport 53 ip6 saddr $ext_net6 accept - udp dport 53 ip6 saddr $ext_net6 accept - - # avahi - ip6 daddr ff02::fb udp dport 5353 iif $avahi_ifs accept - - ## debugging - #counter log prefix "in6: " drop - drop - } - - chain forward { - type filter hook forward priority 0; - - ct state established,related accept - ct state invalid drop - - # accept all traffic to Labitat servers - ip6 daddr $labservers6 accept - - iif $wire_if ip6 saddr $wire_net6 accept - iif $priv_if ip6 saddr $priv_net6 accept - iif $free_if ip6 saddr $free_net6 ip6 daddr != $ext_net6 accept - iif $pass_if ip6 saddr $pass_net6 accept - iif $serv_if ip6 saddr $serv_net6 accept - - ## debugging - #counter log prefix "fw6: " drop - drop - } -} - -table ip nat { - chain portforward { - ip daddr $ext_ip4 udp dport 161 dnat 10.42.0.9 # traffic stats - } - - chain prerouting { - type nat hook prerouting priority -150; - goto portforward - } - - chain output { - type nat hook output priority -150; - goto portforward - } - - chain input { - type nat hook input priority -150; - # this chain is needed to make dnat from the output chain work - } - - chain postrouting { - type nat hook postrouting priority -150; - oif $ext_if ip saddr $int_net4 snat $ext_ip4 - } -} diff --git a/roles/space_server/files/nftables/nftables.service b/roles/space_server/files/nftables/nftables.service deleted file mode 100644 index f1c9028..0000000 --- a/roles/space_server/files/nftables/nftables.service +++ /dev/null 
@@ -1,30 +0,0 @@ -[Unit] -Description=Netfilter Tables -Documentation=man:nft(8) -Requires=sys-devices-virtual-net-lan10.device -Requires=sys-devices-virtual-net-lan11.device -Requires=sys-devices-virtual-net-lan12.device -Requires=sys-devices-virtual-net-lan13.device -Requires=sys-devices-virtual-net-lan14.device -Requires=sys-devices-virtual-net-lan15.device -Requires=sys-devices-virtual-net-lan20.device -After=sys-devices-virtual-net-lan10.device -After=sys-devices-virtual-net-lan11.device -After=sys-devices-virtual-net-lan12.device -After=sys-devices-virtual-net-lan13.device -After=sys-devices-virtual-net-lan14.device -After=sys-devices-virtual-net-lan15.device -After=sys-devices-virtual-net-lan20.device -Before=network-online.target - -[Service] -Type=oneshot -ProtectSystem=full -ProtectHome=true -ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf -ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";' -ExecStop=/sbin/nft flush ruleset -RemainAfterExit=yes - -[Install] -WantedBy=multi-user.target diff --git a/roles/space_server/files/radvd.conf b/roles/space_server/files/radvd.conf new file mode 100644 index 0000000..9f994a3 --- /dev/null +++ b/roles/space_server/files/radvd.conf 
@@ -0,0 +1,69 @@
+# Wired
+interface lan11 {
+ AdvSendAdvert on;
+ MinRtrAdvInterval 3;
+ MaxRtrAdvInterval 6;
+ AdvLinkMTU 1500;
+ RDNSS 2a01:4262:1ab:: {};
+
+ prefix 2a01:4262:1ab:b::/64 {
+ #AdvValidLifetime 0;
+ #AdvPreferredLifetime 0;
+ };
+};
+
+# Private Wifi
+interface lan12 {
+ AdvSendAdvert on;
+ MinRtrAdvInterval 3;
+ MaxRtrAdvInterval 6;
+ AdvLinkMTU 1500;
+ RDNSS 2a01:4262:1ab:: {};
+
+ prefix 2a01:4262:1ab:c::/64 {
+ #AdvValidLifetime 0;
+ #AdvPreferredLifetime 0;
+ };
+};
+
+# Free Wifi
+interface lan13 {
+ AdvSendAdvert on;
+ MinRtrAdvInterval 3;
+ MaxRtrAdvInterval 6;
+ AdvLinkMTU 1500;
+ RDNSS 2a01:4262:1ab:: {};
+
+ prefix 2a01:4262:1ab:d::/64 {
+ #AdvValidLifetime 0;
+ #AdvPreferredLifetime 0;
+ };
+};
+
+# Password Protected Wifi
+interface lan14 {
+ AdvSendAdvert on;
+ MinRtrAdvInterval 3;
+ MaxRtrAdvInterval 6;
+ AdvLinkMTU 1500;
+ RDNSS 2a01:4262:1ab:: {};
+
+ prefix 2a01:4262:1ab:e::/64 {
+ #AdvValidLifetime 0;
+ #AdvPreferredLifetime 0;
+ };
+};
+
+# NAT64 Wifi
+interface lan15 {
+ AdvSendAdvert on;
+ MinRtrAdvInterval 3;
+ MaxRtrAdvInterval 6;
+ AdvLinkMTU 1500;
+ RDNSS 2a01:4262:1ab:: {};
+
+ prefix 2a01:4262:1ab:f::/64 {
+ #AdvValidLifetime 0;
+ #AdvPreferredLifetime 0;
+ };
+};
diff --git a/roles/space_server/files/radvd/radvd.conf b/roles/space_server/files/radvd/radvd.conf
deleted file mode 100644
index 9f994a3..0000000
--- a/roles/space_server/files/radvd/radvd.conf
+++ /dev/null
@@ -1,69 +0,0 @@ -# Wired -interface lan11 { - AdvSendAdvert on; - MinRtrAdvInterval 3; - MaxRtrAdvInterval 6; - AdvLinkMTU 1500; - RDNSS 2a01:4262:1ab:: {}; - - prefix 2a01:4262:1ab:b::/64 { - #AdvValidLifetime 0; - #AdvPreferredLifetime 0; - }; -}; - -# Private Wifi -interface lan12 { - AdvSendAdvert on; - MinRtrAdvInterval 3; - MaxRtrAdvInterval 6; - AdvLinkMTU 1500; - RDNSS 2a01:4262:1ab:: {}; - - prefix 2a01:4262:1ab:c::/64 { - #AdvValidLifetime 0; - #AdvPreferredLifetime 0; - }; -}; - -# Free Wifi -interface lan13 { - AdvSendAdvert on; - MinRtrAdvInterval 3; - MaxRtrAdvInterval 6; - AdvLinkMTU 1500; - RDNSS 2a01:4262:1ab:: {}; - - prefix 2a01:4262:1ab:d::/64 { - #AdvValidLifetime 0; - #AdvPreferredLifetime 0; - }; -}; - -# Password Protected Wifi -interface lan14 { - AdvSendAdvert on; - MinRtrAdvInterval 3; - MaxRtrAdvInterval 6; - AdvLinkMTU 1500; - RDNSS 2a01:4262:1ab:: {}; - - prefix 2a01:4262:1ab:e::/64 { - #AdvValidLifetime 0; - #AdvPreferredLifetime 0; - }; -}; - -# NAT64 Wifi -interface lan15 { - AdvSendAdvert on; - MinRtrAdvInterval 3; - MaxRtrAdvInterval 6; - AdvLinkMTU 1500; - RDNSS 2a01:4262:1ab:: {}; - - prefix 2a01:4262:1ab:f::/64 { - #AdvValidLifetime 0; - #AdvPreferredLifetime 0; - }; -}; diff --git a/roles/space_server/files/sudo/sudoers b/roles/space_server/files/sudo/sudoers deleted file mode 100644 index 069052c..0000000 --- a/roles/space_server/files/sudo/sudoers +++ /dev/null 
@@ -1,96 +0,0 @@ -## Sudoers allows particular users to run various commands as -## the root user, without needing the root password. -## -## Examples are provided at the bottom of the file for collections -## of related commands, which can then be delegated out to particular -## users or groups. -## -## This file must be edited with the 'visudo' command. - -## Host Aliases -## Groups of machines. You may prefer to use hostnames (perhaps using -## wildcards for entire domains) or IP addresses instead. -# Host_Alias FILESERVERS = fs1, fs2 -# Host_Alias MAILSERVERS = smtp, smtp2 - -## User Aliases -## These aren't often necessary, as you can use regular groups -## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname -## rather than USERALIAS -# User_Alias ADMINS = jsmith, mikem - - -## Command Aliases -## These are groups of related commands... - -## Networking -# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool - -## Installation and management of software -# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum - -## Services -# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig - -## Updating the locate database -# Cmnd_Alias LOCATE = /usr/bin/updatedb - -## Storage -# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount - -## Delegating permissions -# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp - -## Processes -# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall - -## Drivers -# Cmnd_Alias DRIVERS = /sbin/modprobe - -# Defaults specification - -# -# Refuse to run if unable to disable echo on the tty. 
-# -Defaults !visiblepw - -Defaults env_reset -Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" -Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" -Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" -Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" - -Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin - -## Next comes the main part: which users can run what software on -## which machines (the sudoers file can be shared between multiple -## systems). -## Syntax: -## -## user MACHINE=COMMANDS -## -## The COMMANDS section may have other options added to it. -## -## Allow root to run any commands anywhere -root ALL=(ALL) ALL - -## Allows members of the 'sys' group to run networking, software, -## service management apps and more. -# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS - -## Allows people in group wheel to run all commands -# %wheel ALL=(ALL) ALL - -## Same thing without a password -%wheel ALL=(ALL) NOPASSWD: ALL - -## Allows members of the users group to mount and unmount the -## cdrom as root -# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom - -## Allows members of the users group to shutdown this system -# %users localhost=/sbin/shutdown -h now - -## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) -#includedir /etc/sudoers.d diff --git a/roles/space_server/files/sudoers b/roles/space_server/files/sudoers new file mode 100644 index 0000000..069052c --- /dev/null +++ b/roles/space_server/files/sudoers 
@@ -0,0 +1,96 @@ +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse to run if unable to disable echo on the tty. 
+# +Defaults !visiblepw + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +# %wheel ALL=(ALL) ALL + +## Same thing without a password +%wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir /etc/sudoers.d diff --git a/roles/space_server/tasks/avahi.yml b/roles/space_server/tasks/avahi.yml index a725b58..1161863 100644 --- a/roles/space_server/tasks/avahi.yml +++ b/roles/space_server/tasks/avahi.yml @@ -77,7 +77,7 @@ - name: Configure hosts template: dest: '/etc/avahi/hosts' - src: avahi/hosts.j2 + src: avahi-hosts.j2 owner: root group: root mode: 0644 diff --git a/roles/space_server/tasks/blackhole.yml b/roles/space_server/tasks/blackhole.yml index 7c3b510..cb139f7 100644 
--- a/roles/space_server/tasks/blackhole.yml +++ b/roles/space_server/tasks/blackhole.yml @@ -9,7 +9,7 @@ - name: Install blackhole script copy: dest: '/etc/systemd/scripts/blackhole.sh' - src: blackhole/blackhole.sh + src: blackhole.sh owner: root group: root mode: 0755 @@ -19,7 +19,7 @@ - name: Install blackhole service copy: dest: '/etc/systemd/system/blackhole.service' - src: blackhole/blackhole.service + src: blackhole.service owner: root group: root mode: 0644 diff --git a/roles/space_server/tasks/dhcpd.yml b/roles/space_server/tasks/dhcpd.yml index cd09a04..29d5bc5 100644 --- a/roles/space_server/tasks/dhcpd.yml +++ b/roles/space_server/tasks/dhcpd.yml @@ -9,7 +9,7 @@ - name: Configure dhcpd template: dest: '/etc/dhcp/dhcpd.conf' - src: dhcpd/dhcpd.conf.j2 + src: dhcpd.conf.j2 owner: root group: root mode: 0644 diff --git a/roles/space_server/tasks/networkd.yml b/roles/space_server/tasks/networkd.yml index 318fbb5..6b0ff48 100644 --- a/roles/space_server/tasks/networkd.yml +++ b/roles/space_server/tasks/networkd.yml @@ -19,7 +19,7 @@ owner: root group: root mode: 0644 - with_fileglob: 'networkd/network/*' + with_fileglob: 'network/*' register: networkd_created - name: Delete unneeded network configuration @@ -39,7 +39,7 @@ - name: Don't wait for lan and mgt interfaces to come online copy: dest: '/etc/systemd/system/systemd-networkd-wait-online.service.d/no-lan-mgt.conf' - src: networkd/no-lan-mgt.conf + src: networkd-no-lan-mgt.conf owner: root group: root mode: 0644 diff --git a/roles/space_server/tasks/nftables.yml b/roles/space_server/tasks/nftables.yml index 73e9251..1f56a93 100644 --- a/roles/space_server/tasks/nftables.yml +++ b/roles/space_server/tasks/nftables.yml @@ -2,7 +2,7 @@ - name: Install our nftables service copy: dest: '/etc/systemd/system/nftables.service' - src: nftables/nftables.service + src: nftables.service owner: root group: root mode: 0644 
@@ -25,7 +25,7 @@ - name: Configure nftables copy: dest: '/etc/nftables.conf' - src: nftables/nftables.conf + src: nftables.conf owner: root group: root mode: 0644 diff --git a/roles/space_server/tasks/radvd.yml b/roles/space_server/tasks/radvd.yml index a3346eb..1c39213 100644 --- a/roles/space_server/tasks/radvd.yml +++ b/roles/space_server/tasks/radvd.yml @@ -9,7 +9,7 @@ - name: Configure radvd copy: dest: '/etc/radvd.conf' - src: radvd/radvd.conf + src: radvd.conf owner: root group: root mode: 0644 diff --git a/roles/space_server/tasks/sudo.yml b/roles/space_server/tasks/sudo.yml index f5f0444..9db1d55 100644 --- a/roles/space_server/tasks/sudo.yml +++ b/roles/space_server/tasks/sudo.yml @@ -9,7 +9,7 @@ - name: Install sudoers file copy: dest: '/etc/sudoers' - src: sudo/sudoers + src: sudoers owner: root group: root mode: 0440 diff --git a/roles/space_server/tasks/unbound.yml b/roles/space_server/tasks/unbound.yml index c384635..81199b9 100644 --- a/roles/space_server/tasks/unbound.yml +++ b/roles/space_server/tasks/unbound.yml @@ -9,7 +9,7 @@ - name: Configure unbound template: dest: '/etc/unbound/unbound.conf' - src: unbound/unbound.conf.j2 + src: unbound.conf.j2 owner: root group: root mode: 0644 diff --git a/roles/space_server/templates/avahi-hosts.j2 b/roles/space_server/templates/avahi-hosts.j2 new file mode 100644 index 0000000..f87ad4b --- /dev/null +++ b/roles/space_server/templates/avahi-hosts.j2 @@ -0,0 +1,14 @@ +{% for host in local_hosts %} +{% if 'mdns' not in host or host.mdns %} +{% for ip in host.ips | ipv4 %} +{% if loop.index <= 1 %} +{{ ip }} {{ host.name }}.local +{% endif %} +{% endfor %} +{% for ip in host.ips | ipv6 %} +{% if loop.index <= 1 %} +{{ ip }} {{ host.name }}.local +{% endif %} +{% endfor %} +{% endif %} +{% endfor %} diff --git a/roles/space_server/templates/avahi/hosts.j2 b/roles/space_server/templates/avahi/hosts.j2 deleted file mode 100644 index f87ad4b..0000000 
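Review bot: The `Configure nftables` task still writes the ruleset to `dest: '/etc/nftables.conf'`, while the unit file moved earlier in this diff (roles/space_server/files/nftables.service) starts, reloads and includes from `/etc/sysconfig/nftables.conf`, so as shown the service reads a path this task never installs. Unless a task in the lines between the two hunks of nftables.yml (not visible here) links or copies the file into /etc/sysconfig, nft would presumably fail at start or load a stale ruleset, leaving the host without the intended filter. Aligning the two paths — either `dest: '/etc/sysconfig/nftables.conf'` here or `/etc/nftables.conf` in the three Exec lines of the unit — would close the gap. The mismatch predates this commit, but since the commit touches both files it is a natural place to resolve it.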
--- a/roles/space_server/templates/avahi/hosts.j2 +++ /dev/null @@ -1,14 +0,0 @@ -{% for host in local_hosts %} -{% if 'mdns' not in host or host.mdns %} -{% for ip in host.ips | ipv4 %} -{% if loop.index <= 1 %} -{{ ip }} {{ host.name }}.local -{% endif %} -{% endfor %} -{% for ip in host.ips | ipv6 %} -{% if loop.index <= 1 %} -{{ ip }} {{ host.name }}.local -{% endif %} -{% endfor %} -{% endif %} -{% endfor %} diff --git a/roles/space_server/templates/dhcpd.conf.j2 b/roles/space_server/templates/dhcpd.conf.j2 new file mode 100644 index 0000000..1b832e1 --- /dev/null +++ b/roles/space_server/templates/dhcpd.conf.j2 
@@ -0,0 +1,203 @@
+#
+# DHCP Server Configuration file.
+# see /usr/share/doc/dhcp/dhcpd.conf.example
+# see dhcpd.conf(5) man page
+#
+
+# The ddns-updates-style parameter controls whether or not the server will
+# attempt to do a DNS update when a lease is confirmed. We default to the
+# behavior of the version 2 packages ('none', since DHCP v2 didn't
+# have support for DDNS.)
+ddns-update-style none;
+
+# option definitions common to all supported networks...
+#option domain-name "labitat.dk";
+default-lease-time 3600;
+max-lease-time 7200;
+min-lease-time 600;
+
+# If this DHCP server is the official DHCP server for the local
+# network, the authoritative directive should be uncommented.
+authoritative;
+
+# Use this to send dhcp log messages to a different log file (you also
+# have to hack syslog.conf to complete the redirection).
+log-facility daemon;
+
+
+# Admin net
+subnet 10.42.0.0 netmask 255.255.255.0 {
+ range 10.42.0.50 10.42.0.69;
+ range 10.42.0.71 10.42.0.250;
+ option routers 10.42.0.1;
+ option domain-name-servers 185.38.175.0;
+ #option ntp-servers 90.185.0.18;
+{% for host in local_hosts %}
+{% if host.ips | ipaddr('10.42.0.0/24') %}
+{% if 'mac' in host %}
+
+{% if 'description' in host %}
+ # {{ host.description }}
+{% endif %}
+ host {{ host.name }} {
+ hardware ethernet {{ host.mac }};
+ fixed-address {{ host.ips | ipaddr('10.42.0.0/24') | first }};
+{% if 'filename' in host %}
+ filename "{{ host.filename }}";
+{% endif %}
+ }
+{% else %}
+
+{% if 'description' in host %}
+ # {{ host.description }}
+{% endif %}
+ #host {{ host.name }} {
+ # fixed-address {{ host.ips | ipaddr('10.42.0.0/24') | first }};
+ #}
+{% endif %}
+{% endif %}
+{% endfor %}
+
+ host spacewand {
+ hardware ethernet 00:1f:7b:b4:0e:00;
+ fixed-address 10.42.0.70;
+ }
+}
+
+
+# Wired net
+subnet 10.42.1.0 netmask 255.255.255.0 {
+ range dynamic-bootp 10.42.1.50 10.42.1.250;
+ option routers 10.42.1.1;
+ option domain-name-servers 185.38.175.0;
+ #option ntp-servers
90.185.0.18;
+ next-server 10.42.1.1;
+ filename "pxelinux.0";
+{% for host in local_hosts %}
+{% if host.ips | ipaddr('10.42.1.0/24') %}
+{% if 'mac' in host %}
+
+{% if 'description' in host %}
+ # {{ host.description }}
+{% endif %}
+ host {{ host.name }} {
+ hardware ethernet {{ host.mac }};
+ fixed-address {{ host.ips | ipaddr('10.42.1.0/24') | first }};
+{% if 'filename' in host %}
+ filename "{{ host.filename }}";
+{% endif %}
+ }
+{% else %}
+
+{% if 'description' in host %}
+ # {{ host.description }}
+{% endif %}
+ #host {{ host.name }} {
+ # fixed-address {{ host.ips | ipaddr('10.42.1.0/24') | first }};
+ #}
+{% endif %}
+{% endif %}
+{% endfor %}
+}
+
+
+# Private wifi
+subnet 10.42.2.0 netmask 255.255.255.0 {
+ range 10.42.2.50 10.42.2.250;
+ option routers 10.42.2.1;
+ option domain-name-servers 185.38.175.0;
+ #option ntp-servers 90.185.0.18;
+ next-server 10.42.2.1;
+ filename "pxelinux.0";
+{% for host in local_hosts %}
+{% if host.ips | ipaddr('10.42.2.0/24') %}
+{% if 'mac' in host %}
+
+{% if 'description' in host %}
+ # {{ host.description }}
+{% endif %}
+ host {{ host.name }} {
+ hardware ethernet {{ host.mac }};
+ fixed-address {{ host.ips | ipaddr('10.42.2.0/24') | first }};
+{% if 'filename' in host %}
+ filename "{{ host.filename }}";
+{% endif %}
+ }
+{% else %}
+
+{% if 'description' in host %}
+ # {{ host.description }}
+{% endif %}
+ #host {{ host.name }} {
+ # fixed-address {{ host.ips | ipaddr('10.42.2.0/24') | first }};
+ #}
+{% endif %}
+{% endif %}
+{% endfor %}
+}
+
+# Free wifi
+subnet 10.42.3.0 netmask 255.255.255.0 {
+ range 10.42.3.50 10.42.3.250;
+ option routers 10.42.3.1;
+ option domain-name-servers 185.38.175.0;
+ #option ntp-servers 90.185.0.18;
+{% for host in local_hosts %}
+{% if host.ips | ipaddr('10.42.3.0/24') %}
+{% if 'mac' in host %}
+
+{% if 'description' in host %}
+ # {{ host.description }}
+{% endif %}
+ host {{ host.name }} {
+ hardware ethernet {{ host.mac }};
+ fixed-address {{ host.ips |
ipaddr('10.42.3.0/24') | first }};
+{% if 'filename' in host %}
+ filename "{{ host.filename }}";
+{% endif %}
+ }
+{% else %}
+
+{% if 'description' in host %}
+ # {{ host.description }}
+{% endif %}
+ #host {{ host.name }} {
+ # fixed-address {{ host.ips | ipaddr('10.42.3.0/24') | first }};
+ #}
+{% endif %}
+{% endif %}
+{% endfor %}
+}
+
+# Password protected wifi
+subnet 10.42.4.0 netmask 255.255.255.0 {
+ range 10.42.4.50 10.42.4.250;
+ option routers 10.42.4.1;
+ option domain-name-servers 185.38.175.0;
+ #option ntp-servers 90.185.0.18;
+{% for host in local_hosts %}
+{% if host.ips | ipaddr('10.42.4.0/24') %}
+{% if 'mac' in host %}
+
+{% if 'description' in host %}
+ # {{ host.description }}
+{% endif %}
+ host {{ host.name }} {
+ hardware ethernet {{ host.mac }};
+ fixed-address {{ host.ips | ipaddr('10.42.4.0/24') | first }};
+{% if 'filename' in host %}
+ filename "{{ host.filename }}";
+{% endif %}
+ }
+{% else %}
+
+{% if 'description' in host %}
+ # {{ host.description }}
+{% endif %}
+ #host {{ host.name }} {
+ # fixed-address {{ host.ips | ipaddr('10.42.4.0/24') | first }};
+ #}
+{% endif %}
+{% endif %}
+{% endfor %}
+}
diff --git a/roles/space_server/templates/dhcpd/dhcpd.conf.j2 b/roles/space_server/templates/dhcpd/dhcpd.conf.j2
deleted file mode 100644
index 1b832e1..0000000
--- a/roles/space_server/templates/dhcpd/dhcpd.conf.j2
+++ /dev/null
@@ -1,203 +0,0 @@ -# -# DHCP Server Configuration file. -# see /usr/share/doc/dhcp/dhcpd.conf.example -# see dhcpd.conf(5) man page -# - -# The ddns-updates-style parameter controls whether or not the server will -# attempt to do a DNS update when a lease is confirmed. We default to the -# behavior of the version 2 packages ('none', since DHCP v2 didn't -# have support for DDNS.) -ddns-update-style none; - -# option definitions common to all supported networks... -#option domain-name "labitat.dk"; -default-lease-time 3600; -max-lease-time 7200; -min-lease-time 600; - -# If this DHCP server is the official DHCP server for the local -# network, the authoritative directive should be uncommented. -authoritative; - -# Use this to send dhcp log messages to a different log file (you also -# have to hack syslog.conf to complete the redirection). -log-facility daemon; - - -# Admin net -subnet 10.42.0.0 netmask 255.255.255.0 { - range 10.42.0.50 10.42.0.69; - range 10.42.0.71 10.42.0.250; - option routers 10.42.0.1; - option domain-name-servers 185.38.175.0; - #option ntp-servers 90.185.0.18; -{% for host in local_hosts %} -{% if host.ips | ipaddr('10.42.0.0/24') %} -{% if 'mac' in host %} - -{% if 'description' in host %} - # {{ host.description }} -{% endif %} - host {{ host.name }} { - hardware ethernet {{ host.mac }}; - fixed-address {{ host.ips | ipaddr('10.42.0.0/24') | first }}; -{% if 'filename' in host %} - filename "{{ host.filename }}"; -{% endif %} - } -{% else %} - -{% if 'description' in host %} - # {{ host.description }} -{% endif %} - #host {{ host.name }} { - # fixed-address {{ host.ips | ipaddr('10.42.0.0/24') | first }}; - #} -{% endif %} -{% endif %} -{% endfor %} - - host spacewand { - hardware ethernet 00:1f:7b:b4:0e:00; - fixed-address 10.42.0.70; - } -} - - -# Wired net -subnet 10.42.1.0 netmask 255.255.255.0 { - range dynamic-bootp 10.42.1.50 10.42.1.250; - option routers 10.42.1.1; - option domain-name-servers 185.38.175.0; - #option ntp-servers 
90.185.0.18; - next-server 10.42.1.1; - filename "pxelinux.0"; -{% for host in local_hosts %} -{% if host.ips | ipaddr('10.42.1.0/24') %} -{% if 'mac' in host %} - -{% if 'description' in host %} - # {{ host.description }} -{% endif %} - host {{ host.name }} { - hardware ethernet {{ host.mac }}; - fixed-address {{ host.ips | ipaddr('10.42.1.0/24') | first }}; -{% if 'filename' in host %} - filename "{{ host.filename }}"; -{% endif %} - } -{% else %} - -{% if 'description' in host %} - # {{ host.description }} -{% endif %} - #host {{ host.name }} { - # fixed-address {{ host.ips | ipaddr('10.42.1.0/24') | first }}; - #} -{% endif %} -{% endif %} -{% endfor %} -} - - -# Private wifi -subnet 10.42.2.0 netmask 255.255.255.0 { - range 10.42.2.50 10.42.2.250; - option routers 10.42.2.1; - option domain-name-servers 185.38.175.0; - #option ntp-servers 90.185.0.18; - next-server 10.42.2.1; - filename "pxelinux.0"; -{% for host in local_hosts %} -{% if host.ips | ipaddr('10.42.2.0/24') %} -{% if 'mac' in host %} - -{% if 'description' in host %} - # {{ host.description }} -{% endif %} - host {{ host.name }} { - hardware ethernet {{ host.mac }}; - fixed-address {{ host.ips | ipaddr('10.42.2.0/24') | first }}; -{% if 'filename' in host %} - filename "{{ host.filename }}"; -{% endif %} - } -{% else %} - -{% if 'description' in host %} - # {{ host.description }} -{% endif %} - #host {{ host.name }} { - # fixed-address {{ host.ips | ipaddr('10.42.2.0/24') | first }}; - #} -{% endif %} -{% endif %} -{% endfor %} -} - -# Free wifi -subnet 10.42.3.0 netmask 255.255.255.0 { - range 10.42.3.50 10.42.3.250; - option routers 10.42.3.1; - option domain-name-servers 185.38.175.0; - #option ntp-servers 90.185.0.18; -{% for host in local_hosts %} -{% if host.ips | ipaddr('10.42.3.0/24') %} -{% if 'mac' in host %} - -{% if 'description' in host %} - # {{ host.description }} -{% endif %} - host {{ host.name }} { - hardware ethernet {{ host.mac }}; - fixed-address {{ host.ips | 
ipaddr('10.42.3.0/24') | first }}; -{% if 'filename' in host %} - filename "{{ host.filename }}"; -{% endif %} - } -{% else %} - -{% if 'description' in host %} - # {{ host.description }} -{% endif %} - #host {{ host.name }} { - # fixed-address {{ host.ips | ipaddr('10.42.3.0/24') | first }}; - #} -{% endif %} -{% endif %} -{% endfor %} -} - -# Password protected wifi -subnet 10.42.4.0 netmask 255.255.255.0 { - range 10.42.4.50 10.42.4.250; - option routers 10.42.4.1; - option domain-name-servers 185.38.175.0; - #option ntp-servers 90.185.0.18; -{% for host in local_hosts %} -{% if host.ips | ipaddr('10.42.4.0/24') %} -{% if 'mac' in host %} - -{% if 'description' in host %} - # {{ host.description }} -{% endif %} - host {{ host.name }} { - hardware ethernet {{ host.mac }}; - fixed-address {{ host.ips | ipaddr('10.42.4.0/24') | first }}; -{% if 'filename' in host %} - filename "{{ host.filename }}"; -{% endif %} - } -{% else %} - -{% if 'description' in host %} - # {{ host.description }} -{% endif %} - #host {{ host.name }} { - # fixed-address {{ host.ips | ipaddr('10.42.4.0/24') | first }}; - #} -{% endif %} -{% endif %} -{% endfor %} -} diff --git a/roles/space_server/templates/unbound.conf.j2 b/roles/space_server/templates/unbound.conf.j2 new file mode 100644 index 0000000..d09d7af --- /dev/null +++ b/roles/space_server/templates/unbound.conf.j2 
@@ -0,0 +1,126 @@
+server:
+ pidfile: "/run/unbound/unbound.pid"
+ verbosity: 1
+ statistics-interval: 0
+ statistics-cumulative: no
+ extended-statistics: yes
+ num-threads: 1
+
+ define-tag: "local"
+
+ interface: 127.0.0.1
+ interface: ::1
+ interface: 185.38.175.0
+ interface: 2a01:4262:1ab::
+
+ outgoing-interface: 185.38.175.0
+ outgoing-interface: 2a01:4262:1ab::
+ outgoing-port-permit: 32768-60999
+ outgoing-port-avoid: 0-32767
+
+ so-reuseport: yes
+ ip-transparent: yes
+ max-udp-size: 3072
+
+ access-control-tag: 127.0.0.1/32 "local"
+ access-control-tag: ::1/128 "local"
+
+ access-control: 185.38.175.0/24 allow
+ access-control: 10.42.0.0/16 allow
+ access-control-tag: 10.42.0.0/24 "local"
+ access-control-tag: 10.42.1.0/24 "local"
+ access-control-tag: 10.42.2.0/24 "local"
+ # not free wifi 10.42.3.0/24
+ access-control-tag: 10.42.4.0/24 "local"
+ access-control-tag: 10.42.5.0/24 "local"
+ access-control: 2a01:4262:1ab::/48 allow
+ access-control-tag: 2a01:4262:1ab:a::/64 "local"
+ access-control-tag: 2a01:4262:1ab:b::/64 "local"
+ access-control-tag: 2a01:4262:1ab:c::/64 "local"
+ # not free wifi 2a01:4262:1ab:d::/64
+ access-control-tag: 2a01:4262:1ab:e::/64 "local"
+ access-control-tag: 2a01:4262:1ab:f::/64 "local"
+
+ chroot: ""
+ username: "unbound"
+ directory: "/etc/unbound"
+
+ use-syslog: yes
+ log-time-ascii: yes
+
+ harden-glue: yes
+ harden-dnssec-stripped: yes
+ harden-below-nxdomain: yes
+ harden-referral-path: yes
+ qname-minimisation: yes
+
+ prefetch: yes
+ prefetch-key: yes
+ rrset-roundrobin: yes
+ minimal-responses: yes
+
+ module-config: "validator iterator"
+
+ trust-anchor-signaling: yes
+
+ trusted-keys-file: /etc/unbound/keys.d/*.key
+ auto-trust-anchor-file: "/var/lib/unbound/root.key"
+
+ val-clean-additional: yes
+ val-permissive-mode: no
+ serve-expired: yes
+ val-log-level: 1
+
+ local-zone: a.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
+ local-data: "a.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
+ local-data: "a.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
+
+ local-zone: b.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
+ local-data: "b.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
+ local-data: "b.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
+
+ local-zone: c.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
+ local-data: "c.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
+ local-data: "c.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
+
+ local-zone: d.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
+ local-data: "d.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
+ local-data: "d.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
+
+ local-zone: e.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
+ local-data: "e.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
+ local-data: "e.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
+
+ local-zone: f.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
+ local-data: "f.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
+ local-data: "f.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
+
+ local-zone: s. static
+ local-zone-tag: s. "local"
+ local-data: "s. IN SOA space.labitat.dk. esmil.labitat.dk. 20171119 3600 1200 604800 10800"
+ local-data: "s. IN NS space.labitat.dk."
+ local-data: "s. IN A 10.42.1.1"
+ local-data: "s. IN AAAA 2a01:4262:1ab::"
+ local-data: "labitrack.s. IN A 185.38.175.70"
+ local-data: "labitrack.s. IN AAAA 2a01:4262:1ab::cafe"
+ local-data: "track.s. IN A 185.38.175.70"
+ local-data: "track.s. IN AAAA 2a01:4262:1ab::cafe"
+{% for host in local_hosts %}
+{% for ip in host.ips | ipv4 %}
+{% if loop.index <= 1 %}
+ local-data: "{{ host.name }}.s. IN A {{ ip }}"
+ local-data-ptr: "{{ ip }} {{ host.name }}.s."
+{% endif %}
+{% endfor %}
+{% for ip in host.ips | ipv6 %}
+{% if loop.index <= 1 %}
+ local-data: "{{ host.name }}.s. IN AAAA {{ ip }}"
+ local-data-ptr: "{{ ip }} {{ host.name }}.s."
+{% endif %}
+{% endfor %}
+{% endfor %}
+
+remote-control:
+ control-enable: yes
+ control-use-cert: no
+ control-interface: "/run/unbound/control"
diff --git a/roles/space_server/templates/unbound/unbound.conf.j2 b/roles/space_server/templates/unbound/unbound.conf.j2
deleted file mode 100644
index d09d7af..0000000
--- a/roles/space_server/templates/unbound/unbound.conf.j2
+++ /dev/null
@@ -1,126 +0,0 @@
-server:
- pidfile: "/run/unbound/unbound.pid"
- verbosity: 1
- statistics-interval: 0
- statistics-cumulative: no
- extended-statistics: yes
- num-threads: 1
-
- define-tag: "local"
-
- interface: 127.0.0.1
- interface: ::1
- interface: 185.38.175.0
- interface: 2a01:4262:1ab::
-
- outgoing-interface: 185.38.175.0
- outgoing-interface: 2a01:4262:1ab::
- outgoing-port-permit: 32768-60999
- outgoing-port-avoid: 0-32767
-
- so-reuseport: yes
- ip-transparent: yes
- max-udp-size: 3072
-
- access-control-tag: 127.0.0.1/32 "local"
- access-control-tag: ::1/128 "local"
-
- access-control: 185.38.175.0/24 allow
- access-control: 10.42.0.0/16 allow
- access-control-tag: 10.42.0.0/24 "local"
- access-control-tag: 10.42.1.0/24 "local"
- access-control-tag: 10.42.2.0/24 "local"
- # not free wifi 10.42.3.0/24
- access-control-tag: 10.42.4.0/24 "local"
- access-control-tag: 10.42.5.0/24 "local"
- access-control: 2a01:4262:1ab::/48 allow
- access-control-tag: 2a01:4262:1ab:a::/64 "local"
- access-control-tag: 2a01:4262:1ab:b::/64 "local"
- access-control-tag: 2a01:4262:1ab:c::/64 "local"
- # not free wifi 2a01:4262:1ab:d::/64
- access-control-tag: 2a01:4262:1ab:e::/64 "local"
- access-control-tag: 2a01:4262:1ab:f::/64 "local"
-
- chroot: ""
- username: "unbound"
- directory: "/etc/unbound"
-
- use-syslog: yes
- log-time-ascii: yes
-
- harden-glue: yes
- harden-dnssec-stripped: yes
- harden-below-nxdomain: yes
- harden-referral-path: yes
- qname-minimisation: yes
-
- prefetch: yes
- prefetch-key: yes
- rrset-roundrobin: yes
- minimal-responses: yes
-
- module-config: "validator iterator"
-
- trust-anchor-signaling: yes
-
- trusted-keys-file: /etc/unbound/keys.d/*.key
- auto-trust-anchor-file: "/var/lib/unbound/root.key"
-
- val-clean-additional: yes
- val-permissive-mode: no
- serve-expired: yes
- val-log-level: 1
-
- local-zone: a.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
- local-data: "a.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
- local-data: "a.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
-
- local-zone: b.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
- local-data: "b.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
- local-data: "b.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
-
- local-zone: c.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
- local-data: "c.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
- local-data: "c.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
-
- local-zone: d.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
- local-data: "d.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
- local-data: "d.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
-
- local-zone: e.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
- local-data: "e.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
- local-data: "e.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
-
- local-zone: f.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
- local-data: "f.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
- local-data: "f.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
-
- local-zone: s. static
- local-zone-tag: s. "local"
- local-data: "s. IN SOA space.labitat.dk. esmil.labitat.dk. 20171119 3600 1200 604800 10800"
- local-data: "s. IN NS space.labitat.dk."
- local-data: "s. IN A 10.42.1.1"
- local-data: "s. IN AAAA 2a01:4262:1ab::"
- local-data: "labitrack.s. IN A 185.38.175.70"
- local-data: "labitrack.s. IN AAAA 2a01:4262:1ab::cafe"
- local-data: "track.s. IN A 185.38.175.70"
- local-data: "track.s. IN AAAA 2a01:4262:1ab::cafe"
-{% for host in local_hosts %}
-{% for ip in host.ips | ipv4 %}
-{% if loop.index <= 1 %}
- local-data: "{{ host.name }}.s. IN A {{ ip }}"
- local-data-ptr: "{{ ip }} {{ host.name }}.s."
-{% endif %}
-{% endfor %}
-{% for ip in host.ips | ipv6 %}
-{% if loop.index <= 1 %}
- local-data: "{{ host.name }}.s. IN AAAA {{ ip }}"
- local-data-ptr: "{{ ip }} {{ host.name }}.s."
-{% endif %}
-{% endfor %}
-{% endfor %}
-
-remote-control:
- control-enable: yes
- control-use-cert: no
- control-interface: "/run/unbound/control"
-- cgit v1.2.1