From 9454fdbff511e965e4fd9eb187b7fe432dcd437e Mon Sep 17 00:00:00 2001 
From: Emil Renner Berthing Date: Wed, 26 Sep 2018 13:16:11 +0200 Subject: space_server: drop uneccessary subdirs --- roles/space_server/files/blackhole.service | 11 ++ roles/space_server/files/blackhole.sh | 6 + .../space_server/files/blackhole/blackhole.service | 11 -- roles/space_server/files/blackhole/blackhole.sh | 6 - roles/space_server/files/network/10-lan.link | 5 + roles/space_server/files/network/10-lan.network | 19 ++ roles/space_server/files/network/10-lan10.netdev | 6 + roles/space_server/files/network/10-lan10.network | 12 ++ roles/space_server/files/network/10-lan11.netdev | 6 + roles/space_server/files/network/10-lan11.network | 19 ++ roles/space_server/files/network/10-lan12.netdev | 6 + roles/space_server/files/network/10-lan12.network | 19 ++ roles/space_server/files/network/10-lan13.netdev | 6 + roles/space_server/files/network/10-lan13.network | 19 ++ roles/space_server/files/network/10-lan14.netdev | 6 + roles/space_server/files/network/10-lan14.network | 19 ++ roles/space_server/files/network/10-lan15.netdev | 6 + roles/space_server/files/network/10-lan15.network | 14 ++ roles/space_server/files/network/10-lan20.netdev | 6 + roles/space_server/files/network/10-lan20.network | 23 +++ roles/space_server/files/network/10-lo.network | 6 + roles/space_server/files/network/10-mgt.link | 5 + roles/space_server/files/network/10-mgt.network | 19 ++ roles/space_server/files/network/10-wan.link | 5 + roles/space_server/files/network/10-wan.network | 21 ++ roles/space_server/files/networkd-no-lan-mgt.conf | 3 + .../files/networkd/network/10-lan.link | 5 - .../files/networkd/network/10-lan.network | 19 -- .../files/networkd/network/10-lan10.netdev | 6 - .../files/networkd/network/10-lan10.network | 12 -- .../files/networkd/network/10-lan11.netdev | 6 - .../files/networkd/network/10-lan11.network | 19 -- .../files/networkd/network/10-lan12.netdev | 6 - .../files/networkd/network/10-lan12.network | 19 -- .../files/networkd/network/10-lan13.netdev | 6 - 
.../files/networkd/network/10-lan13.network | 19 -- .../files/networkd/network/10-lan14.netdev | 6 - .../files/networkd/network/10-lan14.network | 19 -- .../files/networkd/network/10-lan15.netdev | 6 - .../files/networkd/network/10-lan15.network | 14 -- .../files/networkd/network/10-lan20.netdev | 6 - .../files/networkd/network/10-lan20.network | 23 --- .../files/networkd/network/10-lo.network | 6 - .../files/networkd/network/10-mgt.link | 5 - .../files/networkd/network/10-mgt.network | 19 -- .../files/networkd/network/10-wan.link | 5 - .../files/networkd/network/10-wan.network | 21 -- roles/space_server/files/networkd/no-lan-mgt.conf | 3 - roles/space_server/files/nftables.conf | 212 +++++++++++++++++++++ roles/space_server/files/nftables.service | 30 +++ roles/space_server/files/nftables/nftables.conf | 212 --------------------- roles/space_server/files/nftables/nftables.service | 30 --- roles/space_server/files/radvd.conf | 69 +++++++ roles/space_server/files/radvd/radvd.conf | 69 ------- roles/space_server/files/sudo/sudoers | 96 ---------- roles/space_server/files/sudoers | 96 ++++++++++ 56 files changed, 674 insertions(+), 674 deletions(-) create mode 100644 roles/space_server/files/blackhole.service create mode 100755 roles/space_server/files/blackhole.sh delete mode 100644 roles/space_server/files/blackhole/blackhole.service delete mode 100755 roles/space_server/files/blackhole/blackhole.sh create mode 100644 roles/space_server/files/network/10-lan.link create mode 100644 roles/space_server/files/network/10-lan.network create mode 100644 roles/space_server/files/network/10-lan10.netdev create mode 100644 roles/space_server/files/network/10-lan10.network create mode 100644 roles/space_server/files/network/10-lan11.netdev create mode 100644 roles/space_server/files/network/10-lan11.network create mode 100644 roles/space_server/files/network/10-lan12.netdev create mode 100644 roles/space_server/files/network/10-lan12.network create mode 100644 
roles/space_server/files/network/10-lan13.netdev create mode 100644 roles/space_server/files/network/10-lan13.network create mode 100644 roles/space_server/files/network/10-lan14.netdev create mode 100644 roles/space_server/files/network/10-lan14.network create mode 100644 roles/space_server/files/network/10-lan15.netdev create mode 100644 roles/space_server/files/network/10-lan15.network create mode 100644 roles/space_server/files/network/10-lan20.netdev create mode 100644 roles/space_server/files/network/10-lan20.network create mode 100644 roles/space_server/files/network/10-lo.network create mode 100644 roles/space_server/files/network/10-mgt.link create mode 100644 roles/space_server/files/network/10-mgt.network create mode 100644 roles/space_server/files/network/10-wan.link create mode 100644 roles/space_server/files/network/10-wan.network create mode 100644 roles/space_server/files/networkd-no-lan-mgt.conf delete mode 100644 roles/space_server/files/networkd/network/10-lan.link delete mode 100644 roles/space_server/files/networkd/network/10-lan.network delete mode 100644 roles/space_server/files/networkd/network/10-lan10.netdev delete mode 100644 roles/space_server/files/networkd/network/10-lan10.network delete mode 100644 roles/space_server/files/networkd/network/10-lan11.netdev delete mode 100644 roles/space_server/files/networkd/network/10-lan11.network delete mode 100644 roles/space_server/files/networkd/network/10-lan12.netdev delete mode 100644 roles/space_server/files/networkd/network/10-lan12.network delete mode 100644 roles/space_server/files/networkd/network/10-lan13.netdev delete mode 100644 roles/space_server/files/networkd/network/10-lan13.network delete mode 100644 roles/space_server/files/networkd/network/10-lan14.netdev delete mode 100644 roles/space_server/files/networkd/network/10-lan14.network delete mode 100644 roles/space_server/files/networkd/network/10-lan15.netdev delete mode 100644 
roles/space_server/files/networkd/network/10-lan15.network delete mode 100644 roles/space_server/files/networkd/network/10-lan20.netdev delete mode 100644 roles/space_server/files/networkd/network/10-lan20.network delete mode 100644 roles/space_server/files/networkd/network/10-lo.network delete mode 100644 roles/space_server/files/networkd/network/10-mgt.link delete mode 100644 roles/space_server/files/networkd/network/10-mgt.network delete mode 100644 roles/space_server/files/networkd/network/10-wan.link delete mode 100644 roles/space_server/files/networkd/network/10-wan.network delete mode 100644 roles/space_server/files/networkd/no-lan-mgt.conf create mode 100644 roles/space_server/files/nftables.conf create mode 100644 roles/space_server/files/nftables.service delete mode 100644 roles/space_server/files/nftables/nftables.conf delete mode 100644 roles/space_server/files/nftables/nftables.service create mode 100644 roles/space_server/files/radvd.conf delete mode 100644 roles/space_server/files/radvd/radvd.conf delete mode 100644 roles/space_server/files/sudo/sudoers create mode 100644 roles/space_server/files/sudoers (limited to 'roles/space_server/files')
diff --git a/roles/space_server/files/blackhole.service b/roles/space_server/files/blackhole.service
new file mode 100644
index 0000000..e32f642
--- /dev/null
+++ b/roles/space_server/files/blackhole.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Blackhole routes
+Wants=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/etc/systemd/scripts/blackhole.sh
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/space_server/files/blackhole.sh b/roles/space_server/files/blackhole.sh
new file mode 100755
index 0000000..56a6c10
--- /dev/null
+++ b/roles/space_server/files/blackhole.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+set -e
+
+ip route add unreachable 185.38.175.0/24
+ip route add unreachable 2a01:4262:1ab::/48
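Review bot: `Wants=network.target` only pulls the target in; it establishes no ordering, so nothing guarantees the script runs after networking is set up if that was the intent. Either add `After=network.target` next to it, or add a comment stating that unreachable routes need no interface and the missing ordering is deliberate. The unit is moved unchanged by this commit, so this predates it.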
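Review bot: `ip route add` under `set -e` is not idempotent: if either route already exists (a `systemctl restart` of the oneshot unit, or a route left behind from a previous run) the first add fails with EEXIST and the script aborts before the second route is applied. `ip route replace unreachable 185.38.175.0/24` and `ip route replace unreachable 2a01:4262:1ab::/48` give the same result and are safe to re-run. Since these routes presumably keep traffic for unused parts of the site's own prefixes from following the default route, a partial apply here is a routing concern and not just a failed unit status.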
diff --git a/roles/space_server/files/blackhole/blackhole.service b/roles/space_server/files/blackhole/blackhole.service
deleted file mode 100644
index e32f642..0000000
--- a/roles/space_server/files/blackhole/blackhole.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=Blackhole routes
-Wants=network.target
-
-[Service]
-Type=oneshot
-ExecStart=/etc/systemd/scripts/blackhole.sh
-RemainAfterExit=yes
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/space_server/files/blackhole/blackhole.sh b/roles/space_server/files/blackhole/blackhole.sh
deleted file mode 100755
index 56a6c10..0000000
--- a/roles/space_server/files/blackhole/blackhole.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/sh
-
-set -e
-
-ip route add unreachable 185.38.175.0/24
-ip route add unreachable 2a01:4262:1ab::/48
diff --git a/roles/space_server/files/network/10-lan.link b/roles/space_server/files/network/10-lan.link
new file mode 100644
index 0000000..996917e
--- /dev/null
+++ b/roles/space_server/files/network/10-lan.link
@@ -0,0 +1,5 @@
+[Match]
+Path=pci-0000:02:00.0
+
+[Link]
+Name=lan
diff --git a/roles/space_server/files/network/10-lan.network b/roles/space_server/files/network/10-lan.network
new file mode 100644
index 0000000..08b85aa
--- /dev/null
+++ b/roles/space_server/files/network/10-lan.network
@@ -0,0 +1,19 @@
+[Match]
+Name=lan
+
+#[Link]
+#ARP=no
+
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+LinkLocalAddressing=no
+LLMNR=no
+MulticastDNS=no
+VLAN=lan10
+VLAN=lan11
+VLAN=lan12
+VLAN=lan13
+VLAN=lan14
+VLAN=lan15
+VLAN=lan20
diff --git a/roles/space_server/files/network/10-lan10.netdev b/roles/space_server/files/network/10-lan10.netdev
new file mode 100644
index 0000000..655859d
--- /dev/null
+++ b/roles/space_server/files/network/10-lan10.netdev
@@ -0,0 +1,6 @@
+[NetDev]
+Name=lan10
+Kind=vlan
+
+[VLAN]
+Id=10
diff --git a/roles/space_server/files/network/10-lan10.network b/roles/space_server/files/network/10-lan10.network
new file mode 100644
index 0000000..18931e0
--- /dev/null
+++ b/roles/space_server/files/network/10-lan10.network
@@ -0,0 +1,12 @@
+[Match]
+Name=lan10
+
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+LinkLocalAddressing=no
+Address=10.42.0.1/24
+IPForward=yes
+LLMNR=yes
+MulticastDNS=yes
+LLDP=yes
diff --git a/roles/space_server/files/network/10-lan11.netdev b/roles/space_server/files/network/10-lan11.netdev
new file mode 100644
index 0000000..b99b50b
--- /dev/null
+++ b/roles/space_server/files/network/10-lan11.netdev
@@ -0,0 +1,6 @@
+[NetDev]
+Name=lan11
+Kind=vlan
+
+[VLAN]
+Id=11
diff --git a/roles/space_server/files/network/10-lan11.network b/roles/space_server/files/network/10-lan11.network
new file mode 100644
index 0000000..88d714f
--- /dev/null
+++ b/roles/space_server/files/network/10-lan11.network
@@ -0,0 +1,19 @@
+[Match]
+Name=lan11
+
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+LinkLocalAddressing=no
+Address=10.42.1.1/24
+#Address=2a01:4262:1ab:b::1/64
+Address=fe80::1/64
+IPForward=yes
+LLMNR=yes
+MulticastDNS=yes
+LLDP=yes
+EmitLLDP=yes
+
+[Route]
+Destination=2a01:4262:1ab:b::/64
+PreferredSource=2a01:4262:1ab::
diff --git a/roles/space_server/files/network/10-lan12.netdev b/roles/space_server/files/network/10-lan12.netdev
new file mode 100644
index 0000000..7229fa1
--- /dev/null
+++ b/roles/space_server/files/network/10-lan12.netdev
@@ -0,0 +1,6 @@
+[NetDev]
+Name=lan12
+Kind=vlan
+
+[VLAN]
+Id=12
diff --git a/roles/space_server/files/network/10-lan12.network b/roles/space_server/files/network/10-lan12.network
new file mode 100644
index 0000000..7f48f5b
--- /dev/null
+++ b/roles/space_server/files/network/10-lan12.network
@@ -0,0 +1,19 @@
+[Match]
+Name=lan12
+
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+LinkLocalAddressing=no
+Address=10.42.2.1/24
+#Address=2a01:4262:1ab:c::1/64
+Address=fe80::1/64
+IPForward=yes
+LLMNR=yes
+MulticastDNS=yes
+LLDP=yes
+EmitLLDP=yes
+
+[Route]
+Destination=2a01:4262:1ab:c::/64
+PreferredSource=2a01:4262:1ab::
diff --git a/roles/space_server/files/network/10-lan13.netdev b/roles/space_server/files/network/10-lan13.netdev
new file mode 100644
index 0000000..ab05488
--- /dev/null
+++ b/roles/space_server/files/network/10-lan13.netdev
@@ -0,0 +1,6 @@
+[NetDev]
+Name=lan13
+Kind=vlan
+
+[VLAN]
+Id=13
diff --git a/roles/space_server/files/network/10-lan13.network b/roles/space_server/files/network/10-lan13.network
new file mode 100644
index 0000000..81e3911
--- /dev/null
+++ b/roles/space_server/files/network/10-lan13.network
@@ -0,0 +1,19 @@
+[Match]
+Name=lan13
+
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+LinkLocalAddressing=no
+Address=10.42.3.1/24
+#Address=2a01:4262:1ab:d::1/64
+Address=fe80::1/64
+IPForward=yes
+LLMNR=yes
+MulticastDNS=yes
+LLDP=yes
+EmitLLDP=yes
+
+[Route]
+Destination=2a01:4262:1ab:d::/64
+PreferredSource=2a01:4262:1ab::
diff --git a/roles/space_server/files/network/10-lan14.netdev b/roles/space_server/files/network/10-lan14.netdev
new file mode 100644
index 0000000..1956a88
--- /dev/null
+++ b/roles/space_server/files/network/10-lan14.netdev
@@ -0,0 +1,6 @@
+[NetDev]
+Name=lan14
+Kind=vlan
+
+[VLAN]
+Id=14
diff --git a/roles/space_server/files/network/10-lan14.network b/roles/space_server/files/network/10-lan14.network
new file mode 100644
index 0000000..5b40bbf
--- /dev/null
+++ b/roles/space_server/files/network/10-lan14.network
@@ -0,0 +1,19 @@
+[Match]
+Name=lan14
+
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+LinkLocalAddressing=no
+Address=10.42.4.1/24
+#Address=2a01:4262:1ab:e::1/64
+Address=fe80::1/64
+IPForward=yes
+LLMNR=yes
+MulticastDNS=yes
+LLDP=yes
+EmitLLDP=yes
+
+[Route]
+Destination=2a01:4262:1ab:e::/64
+PreferredSource=2a01:4262:1ab::
diff --git a/roles/space_server/files/network/10-lan15.netdev b/roles/space_server/files/network/10-lan15.netdev
new file mode 100644
index 0000000..c31a650
--- /dev/null
+++ b/roles/space_server/files/network/10-lan15.netdev
@@ -0,0 +1,6 @@
+[NetDev]
+Name=lan15
+Kind=vlan
+
+[VLAN]
+Id=15
diff --git a/roles/space_server/files/network/10-lan15.network b/roles/space_server/files/network/10-lan15.network
new file mode 100644
index 0000000..e3c99dd
--- /dev/null
+++ b/roles/space_server/files/network/10-lan15.network
@@ -0,0 +1,14 @@
+[Match]
+Name=lan15
+
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+LinkLocalAddressing=no
+Address=2a01:4262:1ab:f::1/64
+Address=fe80::1/64
+IPForward=ipv6
+LLMNR=yes
+MulticastDNS=yes
+LLDP=yes
+EmitLLDP=yes
diff --git a/roles/space_server/files/network/10-lan20.netdev b/roles/space_server/files/network/10-lan20.netdev
new file mode 100644
index 0000000..2b2e0d8
--- /dev/null
+++ b/roles/space_server/files/network/10-lan20.netdev
@@ -0,0 +1,6 @@
+[NetDev]
+Name=lan20
+Kind=vlan
+
+[VLAN]
+Id=20
diff --git a/roles/space_server/files/network/10-lan20.network b/roles/space_server/files/network/10-lan20.network
new file mode 100644
index 0000000..06b1ff1
--- /dev/null
+++ b/roles/space_server/files/network/10-lan20.network
@@ -0,0 +1,23 @@
+[Match]
+Name=lan20
+
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+LinkLocalAddressing=no
+Address=185.38.175.65/26
+Address=2a01:4262:1ab:20::1/64
+Address=fe80::1/64
+IPForward=yes
+LLMNR=no
+MulticastDNS=no
+LLDP=yes
+EmitLLDP=no
+
+[Route]
+Destination=2a01:4262:1ab::cafe/128
+Gateway=2a01:4262:1ab:20::5
+
+[Route]
+Destination=2a01:4262:1ab::db/128
+Gateway=2a01:4262:1ab:20::6
diff --git a/roles/space_server/files/network/10-lo.network b/roles/space_server/files/network/10-lo.network
new file mode 100644
index 0000000..2321ce5
--- /dev/null
+++ b/roles/space_server/files/network/10-lo.network
@@ -0,0 +1,6 @@
+[Match]
+Name=lo
+
+[Network]
+Address=185.38.175.0/32
+Address=2a01:4262:1ab::/128
diff --git a/roles/space_server/files/network/10-mgt.link b/roles/space_server/files/network/10-mgt.link
new file mode 100644
index 0000000..715f409
--- /dev/null
+++ b/roles/space_server/files/network/10-mgt.link
@@ -0,0 +1,5 @@
+[Match]
+Path=pci-0000:03:00.0
+
+[Link]
+Name=mgt
diff --git a/roles/space_server/files/network/10-mgt.network b/roles/space_server/files/network/10-mgt.network
new file mode 100644
index 0000000..9da626e
--- /dev/null
+++ b/roles/space_server/files/network/10-mgt.network
@@ -0,0 +1,19 @@
+[Match]
+Name=mgt
+
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+Address=192.168.112.1/24
+#IPForward=ipv4
+DHCPServer=yes
+LLMNR=yes
+MulticastDNS=yes
+LLDP=yes
+EmitLLDP=yes
+
+[DHCPServer]
+DNS=192.168.112.1
+EmitDNS=yes
+EmitNTP=no
+EmitTimezone=yes
diff --git a/roles/space_server/files/network/10-wan.link b/roles/space_server/files/network/10-wan.link
new file mode 100644
index 0000000..47a7270
--- /dev/null
+++ b/roles/space_server/files/network/10-wan.link
@@ -0,0 +1,5 @@
+[Match]
+Path=pci-0000:01:00.0
+
+[Link]
+Name=wan
diff --git a/roles/space_server/files/network/10-wan.network b/roles/space_server/files/network/10-wan.network
new file mode 100644
index 0000000..1d14dee
--- /dev/null
+++ b/roles/space_server/files/network/10-wan.network
@@ -0,0 +1,21 @@
+[Match]
+Name=wan
+
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+Address=193.106.167.46/29
+Address=2a03:5440:1:2935:1ab::3/120
+IPForward=yes
+LLMNR=no
+MulticastDNS=no
+LLDP=yes
+EmitLLDP=no
+
+[Route]
+Gateway=193.106.167.42
+Metric=1024
+
+[Route]
+Gateway=2a03:5440:1:2935:1ab::2
+Metric=1024
diff --git a/roles/space_server/files/networkd-no-lan-mgt.conf b/roles/space_server/files/networkd-no-lan-mgt.conf
new file mode 100644
index 0000000..3309cf0
--- /dev/null
+++ b/roles/space_server/files/networkd-no-lan-mgt.conf
@@ -0,0 +1,3 @@
+[Service]
+ExecStart=
+ExecStart=/usr/lib/systemd/systemd-networkd-wait-online --ignore lan --ignore mgt
diff --git a/roles/space_server/files/networkd/network/10-lan.link b/roles/space_server/files/networkd/network/10-lan.link
deleted file mode 100644
index 996917e..0000000
--- a/roles/space_server/files/networkd/network/10-lan.link
+++ /dev/null
@@ -1,5 +0,0 @@
-[Match]
-Path=pci-0000:02:00.0
-
-[Link]
-Name=lan
diff --git a/roles/space_server/files/networkd/network/10-lan.network b/roles/space_server/files/networkd/network/10-lan.network
deleted file mode 100644
index 08b85aa..0000000
--- a/roles/space_server/files/networkd/network/10-lan.network
+++ /dev/null
@@ -1,19 +0,0 @@
-[Match]
-Name=lan
-
-#[Link]
-#ARP=no
-
-[Network]
-DHCP=no
-IPv6AcceptRA=no
-LinkLocalAddressing=no
-LLMNR=no
-MulticastDNS=no
-VLAN=lan10
-VLAN=lan11
-VLAN=lan12
-VLAN=lan13
-VLAN=lan14
-VLAN=lan15
-VLAN=lan20
diff --git a/roles/space_server/files/networkd/network/10-lan10.netdev b/roles/space_server/files/networkd/network/10-lan10.netdev
deleted file mode 100644
index 655859d..0000000
--- a/roles/space_server/files/networkd/network/10-lan10.netdev
+++ /dev/null
@@ -1,6 +0,0 @@
-[NetDev]
-Name=lan10
-Kind=vlan
-
-[VLAN]
-Id=10
diff --git a/roles/space_server/files/networkd/network/10-lan10.network b/roles/space_server/files/networkd/network/10-lan10.network
deleted file mode 100644
index 18931e0..0000000
--- a/roles/space_server/files/networkd/network/10-lan10.network
+++ /dev/null
@@ -1,12 +0,0 @@
-[Match]
-Name=lan10
-
-[Network]
-DHCP=no
-IPv6AcceptRA=no
-LinkLocalAddressing=no
-Address=10.42.0.1/24
-IPForward=yes
-LLMNR=yes
-MulticastDNS=yes
-LLDP=yes
diff --git a/roles/space_server/files/networkd/network/10-lan11.netdev b/roles/space_server/files/networkd/network/10-lan11.netdev
deleted file mode 100644
index b99b50b..0000000
--- a/roles/space_server/files/networkd/network/10-lan11.netdev
+++ /dev/null
@@ -1,6 +0,0 @@
-[NetDev]
-Name=lan11
-Kind=vlan
-
-[VLAN]
-Id=11
diff --git a/roles/space_server/files/networkd/network/10-lan11.network b/roles/space_server/files/networkd/network/10-lan11.network
deleted file mode 100644
index 88d714f..0000000
--- a/roles/space_server/files/networkd/network/10-lan11.network
+++ /dev/null
@@ -1,19 +0,0 @@
-[Match]
-Name=lan11
-
-[Network]
-DHCP=no
-IPv6AcceptRA=no
-LinkLocalAddressing=no
-Address=10.42.1.1/24
-#Address=2a01:4262:1ab:b::1/64
-Address=fe80::1/64
-IPForward=yes
-LLMNR=yes
-MulticastDNS=yes
-LLDP=yes
-EmitLLDP=yes
-
-[Route]
-Destination=2a01:4262:1ab:b::/64
-PreferredSource=2a01:4262:1ab::
diff --git a/roles/space_server/files/networkd/network/10-lan12.netdev b/roles/space_server/files/networkd/network/10-lan12.netdev
deleted file mode 100644
index 7229fa1..0000000
--- a/roles/space_server/files/networkd/network/10-lan12.netdev
+++ /dev/null
@@ -1,6 +0,0 @@
-[NetDev]
-Name=lan12
-Kind=vlan
-
-[VLAN]
-Id=12
diff --git a/roles/space_server/files/networkd/network/10-lan12.network b/roles/space_server/files/networkd/network/10-lan12.network
deleted file mode 100644
index 7f48f5b..0000000
--- a/roles/space_server/files/networkd/network/10-lan12.network
+++ /dev/null
@@ -1,19 +0,0 @@
-[Match]
-Name=lan12
-
-[Network]
-DHCP=no
-IPv6AcceptRA=no
-LinkLocalAddressing=no
-Address=10.42.2.1/24
-#Address=2a01:4262:1ab:c::1/64
-Address=fe80::1/64
-IPForward=yes
-LLMNR=yes
-MulticastDNS=yes
-LLDP=yes
-EmitLLDP=yes
-
-[Route]
-Destination=2a01:4262:1ab:c::/64
-PreferredSource=2a01:4262:1ab::
diff --git a/roles/space_server/files/networkd/network/10-lan13.netdev b/roles/space_server/files/networkd/network/10-lan13.netdev
deleted file mode 100644
index ab05488..0000000
--- a/roles/space_server/files/networkd/network/10-lan13.netdev
+++ /dev/null
@@ -1,6 +0,0 @@
-[NetDev]
-Name=lan13
-Kind=vlan
-
-[VLAN]
-Id=13
diff --git a/roles/space_server/files/networkd/network/10-lan13.network b/roles/space_server/files/networkd/network/10-lan13.network
deleted file mode 100644
index 81e3911..0000000
--- a/roles/space_server/files/networkd/network/10-lan13.network
+++ /dev/null
@@ -1,19 +0,0 @@
-[Match]
-Name=lan13
-
-[Network]
-DHCP=no
-IPv6AcceptRA=no
-LinkLocalAddressing=no
-Address=10.42.3.1/24
-#Address=2a01:4262:1ab:d::1/64
-Address=fe80::1/64
-IPForward=yes
-LLMNR=yes
-MulticastDNS=yes
-LLDP=yes
-EmitLLDP=yes
-
-[Route]
-Destination=2a01:4262:1ab:d::/64
-PreferredSource=2a01:4262:1ab::
diff --git a/roles/space_server/files/networkd/network/10-lan14.netdev b/roles/space_server/files/networkd/network/10-lan14.netdev
deleted file mode 100644
index 1956a88..0000000
--- a/roles/space_server/files/networkd/network/10-lan14.netdev
+++ /dev/null
@@ -1,6 +0,0 @@
-[NetDev]
-Name=lan14
-Kind=vlan
-
-[VLAN]
-Id=14
diff --git a/roles/space_server/files/networkd/network/10-lan14.network b/roles/space_server/files/networkd/network/10-lan14.network
deleted file mode 100644
index 5b40bbf..0000000
--- a/roles/space_server/files/networkd/network/10-lan14.network
+++ /dev/null
@@ -1,19 +0,0 @@
-[Match]
-Name=lan14
-
-[Network]
-DHCP=no
-IPv6AcceptRA=no
-LinkLocalAddressing=no
-Address=10.42.4.1/24
-#Address=2a01:4262:1ab:e::1/64
-Address=fe80::1/64
-IPForward=yes
-LLMNR=yes
-MulticastDNS=yes
-LLDP=yes
-EmitLLDP=yes
-
-[Route]
-Destination=2a01:4262:1ab:e::/64
-PreferredSource=2a01:4262:1ab::
diff --git a/roles/space_server/files/networkd/network/10-lan15.netdev b/roles/space_server/files/networkd/network/10-lan15.netdev
deleted file mode 100644
index c31a650..0000000
--- a/roles/space_server/files/networkd/network/10-lan15.netdev
+++ /dev/null
@@ -1,6 +0,0 @@
-[NetDev]
-Name=lan15
-Kind=vlan
-
-[VLAN]
-Id=15
diff --git a/roles/space_server/files/networkd/network/10-lan15.network b/roles/space_server/files/networkd/network/10-lan15.network
deleted file mode 100644
index e3c99dd..0000000
--- a/roles/space_server/files/networkd/network/10-lan15.network
+++ /dev/null
@@ -1,14 +0,0 @@
-[Match]
-Name=lan15
-
-[Network]
-DHCP=no
-IPv6AcceptRA=no
-LinkLocalAddressing=no
-Address=2a01:4262:1ab:f::1/64
-Address=fe80::1/64
-IPForward=ipv6
-LLMNR=yes
-MulticastDNS=yes
-LLDP=yes
-EmitLLDP=yes
diff --git a/roles/space_server/files/networkd/network/10-lan20.netdev b/roles/space_server/files/networkd/network/10-lan20.netdev
deleted file mode 100644
index 2b2e0d8..0000000
--- a/roles/space_server/files/networkd/network/10-lan20.netdev
+++ /dev/null
@@ -1,6 +0,0 @@
-[NetDev]
-Name=lan20
-Kind=vlan
-
-[VLAN]
-Id=20
diff --git a/roles/space_server/files/networkd/network/10-lan20.network b/roles/space_server/files/networkd/network/10-lan20.network
deleted file mode 100644
index 06b1ff1..0000000
--- a/roles/space_server/files/networkd/network/10-lan20.network
+++ /dev/null
@@ -1,23 +0,0 @@
-[Match]
-Name=lan20
-
-[Network]
-DHCP=no
-IPv6AcceptRA=no
-LinkLocalAddressing=no
-Address=185.38.175.65/26
-Address=2a01:4262:1ab:20::1/64
-Address=fe80::1/64
-IPForward=yes
-LLMNR=no
-MulticastDNS=no
-LLDP=yes
-EmitLLDP=no
-
-[Route]
-Destination=2a01:4262:1ab::cafe/128
-Gateway=2a01:4262:1ab:20::5
-
-[Route]
-Destination=2a01:4262:1ab::db/128
-Gateway=2a01:4262:1ab:20::6
diff --git a/roles/space_server/files/networkd/network/10-lo.network b/roles/space_server/files/networkd/network/10-lo.network
deleted file mode 100644
index 2321ce5..0000000
--- a/roles/space_server/files/networkd/network/10-lo.network
+++ /dev/null
@@ -1,6 +0,0 @@
-[Match]
-Name=lo
-
-[Network]
-Address=185.38.175.0/32
-Address=2a01:4262:1ab::/128
diff --git a/roles/space_server/files/networkd/network/10-mgt.link b/roles/space_server/files/networkd/network/10-mgt.link
deleted file mode 100644
index 715f409..0000000
--- a/roles/space_server/files/networkd/network/10-mgt.link
+++ /dev/null
@@ -1,5 +0,0 @@
-[Match]
-Path=pci-0000:03:00.0
-
-[Link]
-Name=mgt
diff --git a/roles/space_server/files/networkd/network/10-mgt.network b/roles/space_server/files/networkd/network/10-mgt.network
deleted file mode 100644
index 9da626e..0000000
--- a/roles/space_server/files/networkd/network/10-mgt.network
+++ /dev/null
@@ -1,19 +0,0 @@
-[Match]
-Name=mgt
-
-[Network]
-DHCP=no
-IPv6AcceptRA=no
-Address=192.168.112.1/24
-#IPForward=ipv4
-DHCPServer=yes
-LLMNR=yes
-MulticastDNS=yes
-LLDP=yes
-EmitLLDP=yes
-
-[DHCPServer]
-DNS=192.168.112.1
-EmitDNS=yes
-EmitNTP=no
-EmitTimezone=yes
diff --git a/roles/space_server/files/networkd/network/10-wan.link b/roles/space_server/files/networkd/network/10-wan.link
deleted file mode 100644
index 47a7270..0000000
--- a/roles/space_server/files/networkd/network/10-wan.link
+++ /dev/null
@@ -1,5 +0,0 @@
-[Match]
-Path=pci-0000:01:00.0
-
-[Link]
-Name=wan
diff --git a/roles/space_server/files/networkd/network/10-wan.network b/roles/space_server/files/networkd/network/10-wan.network
deleted file mode 100644
index 1d14dee..0000000
--- a/roles/space_server/files/networkd/network/10-wan.network
+++ /dev/null
@@ -1,21 +0,0 @@
-[Match]
-Name=wan
-
-[Network]
-DHCP=no
-IPv6AcceptRA=no
-Address=193.106.167.46/29
-Address=2a03:5440:1:2935:1ab::3/120
-IPForward=yes
-LLMNR=no
-MulticastDNS=no
-LLDP=yes
-EmitLLDP=no
-
-[Route]
-Gateway=193.106.167.42
-Metric=1024
-
-[Route]
-Gateway=2a03:5440:1:2935:1ab::2
-Metric=1024
diff --git a/roles/space_server/files/networkd/no-lan-mgt.conf b/roles/space_server/files/networkd/no-lan-mgt.conf
deleted file mode 100644
index 3309cf0..0000000
--- a/roles/space_server/files/networkd/no-lan-mgt.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-[Service]
-ExecStart=
-ExecStart=/usr/lib/systemd/systemd-networkd-wait-online --ignore lan --ignore mgt
diff --git a/roles/space_server/files/nftables.conf b/roles/space_server/files/nftables.conf
new file mode 100644
index 0000000..5f2f1b3
--- /dev/null
+++ b/roles/space_server/files/nftables.conf
@@ -0,0 +1,212 @@ +# our hosts +define ap1 = 10.42.0.5 +define ap2 = 10.42.0.6 +define labitat = 185.38.172.72 + +define spacewand4 = 185.38.175.70 +define spacewand6 = 2a01:4262:1ab::cafe + +define spacebrain4 = 185.38.175.69 +define spacebrain6 = 2a01:4262:1ab::db + +define labservers4 = { $spacewand4, $spacebrain4 } +define labservers6 = { $spacewand6, $spacebrain6 } + +# internal stuff +define ext_if = wan +define ext_ip4 = 185.38.175.0 +define ext_ip6 = 2a01:4262:1ab:: +define int_net4 = 10.42.0.0/16 +define ext_net4 = 185.38.175.0/24 +define ext_net6 = 2a01:4262:1ab::/48 +define link_net4 = 193.106.167.40/29 +define link_net6 = 2a03:5440:1:2935:1ab::/120 + +define adm_if = lan10 +define adm_ip4 = 10.42.0.1 +define adm_net4 = 10.42.0.0/24 + +define wire_if = lan11 +define wire_ip4 = 10.42.1.1 +define wire_net4 = 10.42.1.0/24 +define wire_net6 = 2a01:4262:1ab:b::/64 + +define priv_if = lan12 +define priv_ip4 = 10.42.2.1 +define priv_net4 = 10.42.2.0/24 +define priv_net6 = 2a01:4262:1ab:c::/64 + +define free_if = lan13 +define free_ip4 = 10.42.3.1 +define free_net4 = 10.42.3.0/24 +define free_net6 = 2a01:4262:1ab:d::/64 + +define pass_if = lan14 +define pass_ip4 = 10.42.4.1 +define pass_net4 = 10.42.4.0/24 +define pass_net6 = 2a01:4262:1ab:e::/64 + +define serv_if = lan20 +define serv_ip4 = 185.38.175.65 +define serv_net4 = 185.38.175.64/24 +define serv_net6 = 2a01:4262:1ab:20::/64 + +define avahi_ifs = { $wire_if, $priv_if, $pass_if } + +#define nat64_if = nat64 +#define nat64_net = 10.42.255.0/24 +#define nat64_net6 = fde2:52b4:4a19:ffff::/96 + +table ip filter { + chain input { + type filter hook input priority 0; + + ct state established,related accept + ct state invalid drop + + # no ping floods + ip protocol icmp limit rate 100/second accept + ip protocol icmp drop + + iif lo accept + + # bird etc. 
on fiberby link + iif $ext_if ip saddr $link_net4 ip daddr $link_net4 counter accept + + # dhcp + udp sport bootpc udp dport bootps iif != $ext_if counter accept + + # radius + iif $adm_if ip saddr { $ap1, $ap2 } udp dport 1812 accept + + # tftp + iif $wire_if ip saddr $wire_net4 udp dport 69 accept + + # ssh + tcp dport 22 accept + + # dns + tcp dport 53 ip saddr { $int_net4, $ext_net4 } accept + udp dport 53 ip saddr { $int_net4, $ext_net4 } accept + + # avahi + ip daddr 224.0.0.251 udp dport 5353 iif $avahi_ifs accept + ip protocol igmp iif $avahi_ifs accept + + ## debugging + #iif $ext_if counter drop + #udp dport { 137, 138, 5353, 27036 } drop # NetBIOS, Avahi, Steam in-home stream + #udp sport 17500 udp dport 17500 drop # Dropbox LANsync + #ip protocol igmp drop # IGMP + #counter log prefix "in4: " drop + drop + } + + chain forward { + type filter hook forward priority 0; + + ct state established,related accept + ct state invalid drop + + # accept all traffic to Labitat servers + ip daddr $labservers4 accept + + ip saddr $labitat udp dport 161 counter accept # traffic stats + + # no traffic to admin net + ip daddr $adm_net4 ip saddr $int_net4 reject with icmp type net-prohibited + ip daddr $adm_net4 drop + + # local traffic + iif $adm_if ip saddr $adm_net4 accept + iif $wire_if ip saddr $wire_net4 accept + iif $priv_if ip saddr $priv_net4 accept + iif $free_if ip saddr $free_net4 ip daddr != $int_net4 accept + iif $pass_if ip saddr $pass_net4 accept + iif $serv_if ip saddr $serv_net4 accept + + ## debugging + #iif $ext_if counter drop + #counter log prefix "fw4: " drop + drop + } +} + +table ip6 filter { + chain input { + type filter hook input priority 0; + + ct state established,related accept + ct state invalid drop + + # no ping floods + ip6 nexthdr ipv6-icmp limit rate 100/second accept + ip6 nexthdr ipv6-icmp drop + + iif lo accept + iif { $adm_if, $wire_if, $priv_if, $free_if, $pass_if } hbh nexthdr ipv6-icmp accept + + # bird etc. 
on fiberby link + iif $ext_if ip6 saddr $link_net6 ip6 daddr $link_net6 counter accept + + # ssh + tcp dport 22 accept + + # dns + tcp dport 53 ip6 saddr $ext_net6 accept + udp dport 53 ip6 saddr $ext_net6 accept + + # avahi + ip6 daddr ff02::fb udp dport 5353 iif $avahi_ifs accept + + ## debugging + #counter log prefix "in6: " drop + drop + } + + chain forward { + type filter hook forward priority 0; + + ct state established,related accept + ct state invalid drop + + # accept all traffic to Labitat servers + ip6 daddr $labservers6 accept + + iif $wire_if ip6 saddr $wire_net6 accept + iif $priv_if ip6 saddr $priv_net6 accept + iif $free_if ip6 saddr $free_net6 ip6 daddr != $ext_net6 accept + iif $pass_if ip6 saddr $pass_net6 accept + iif $serv_if ip6 saddr $serv_net6 accept + + ## debugging + #counter log prefix "fw6: " drop + drop + } +} + +table ip nat { + chain portforward { + ip daddr $ext_ip4 udp dport 161 dnat 10.42.0.9 # traffic stats + } + + chain prerouting { + type nat hook prerouting priority -150; + goto portforward + } + + chain output { + type nat hook output priority -150; + goto portforward + } + + chain input { + type nat hook input priority -150; + # this chain is needed to make dnat from the output chain work + } + + chain postrouting { + type nat hook postrouting priority -150; + oif $ext_if ip saddr $int_net4 snat $ext_ip4 + } +} diff --git a/roles/space_server/files/nftables.service b/roles/space_server/files/nftables.service new file mode 100644 index 0000000..f1c9028 --- /dev/null +++ b/roles/space_server/files/nftables.service 
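Review bot: `define serv_net4 = 185.38.175.64/24` disagrees with the lan20 address `185.38.175.65/26` in 10-lan20.network; with a /24 mask nft matches the whole 185.38.175.0/24, the same prefix as `$ext_net4`, so the source check `iif $serv_if ip saddr $serv_net4 accept` in the ip forward chain lets a host on lan20 forward packets with any source address in the entire block rather than only its own /26. The prefix length should be `define serv_net4 = 185.38.175.64/26`. Separately, `tcp dport 22 accept` in both input chains carries no source or rate restriction, so SSH on the router is reachable from the WAN and from the free and passenger VLANs; restricting the source (the file already defines `$adm_net4` and `$labservers4`) or at least adding a `limit rate` as done for ICMP would be consistent with the rest of the policy. This file is moved unchanged by the commit, so both points predate it.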
@@ -0,0 +1,30 @@
+[Unit]
+Description=Netfilter Tables
+Documentation=man:nft(8)
+Requires=sys-devices-virtual-net-lan10.device
+Requires=sys-devices-virtual-net-lan11.device
+Requires=sys-devices-virtual-net-lan12.device
+Requires=sys-devices-virtual-net-lan13.device
+Requires=sys-devices-virtual-net-lan14.device
+Requires=sys-devices-virtual-net-lan15.device
+Requires=sys-devices-virtual-net-lan20.device
+After=sys-devices-virtual-net-lan10.device
+After=sys-devices-virtual-net-lan11.device
+After=sys-devices-virtual-net-lan12.device
+After=sys-devices-virtual-net-lan13.device
+After=sys-devices-virtual-net-lan14.device
+After=sys-devices-virtual-net-lan15.device
+After=sys-devices-virtual-net-lan20.device
+Before=network-online.target
+
+[Service]
+Type=oneshot
+ProtectSystem=full
+ProtectHome=true
+ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
+ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
+ExecStop=/sbin/nft flush ruleset
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/space_server/files/nftables/nftables.conf b/roles/space_server/files/nftables/nftables.conf
deleted file mode 100644
index 5f2f1b3..0000000
--- a/roles/space_server/files/nftables/nftables.conf
+++ /dev/null
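Review bot: The seven `Requires=`/`After=sys-devices-virtual-net-lan*.device` lines order the ruleset load after systemd-networkd has created the VLAN devices, and the only other ordering is `Before=network-online.target`, so there is a window after `wan` comes up in which the host runs with no ruleset at all. Those device dependencies are presumably needed because the `iif`/`oif` matches in nftables.conf resolve interface names to indices at load time; matching on `iifname`/`oifname` instead would let the unit drop the `.device` lines and take the usual firewall ordering of `Wants=network-pre.target` plus `Before=network-pre.target`. `ExecStop=/sbin/nft flush ruleset` also fails open: a `systemctl stop` or a failed restart removes the closing `drop` of every filter chain, so consider whether stop should instead leave a minimal default-drop policy. A one-line comment above the `Requires=` block saying why the device units are listed would help whoever next touches this.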
@@ -1,212 +0,0 @@
-# our hosts
-define ap1 = 10.42.0.5
-define ap2 = 10.42.0.6
-define labitat = 185.38.172.72
-
-define spacewand4 = 185.38.175.70
-define spacewand6 = 2a01:4262:1ab::cafe
-
-define spacebrain4 = 185.38.175.69
-define spacebrain6 = 2a01:4262:1ab::db
-
-define labservers4 = { $spacewand4, $spacebrain4 }
-define labservers6 = { $spacewand6, $spacebrain6 }
-
-# internal stuff
-define ext_if = wan
-define ext_ip4 = 185.38.175.0
-define ext_ip6 = 2a01:4262:1ab::
-define int_net4 = 10.42.0.0/16
-define ext_net4 = 185.38.175.0/24
-define ext_net6 = 2a01:4262:1ab::/48
-define link_net4 = 193.106.167.40/29
-define link_net6 = 2a03:5440:1:2935:1ab::/120
-
-define adm_if = lan10
-define adm_ip4 = 10.42.0.1
-define adm_net4 = 10.42.0.0/24
-
-define wire_if = lan11
-define wire_ip4 = 10.42.1.1
-define wire_net4 = 10.42.1.0/24
-define wire_net6 = 2a01:4262:1ab:b::/64
-
-define priv_if = lan12
-define priv_ip4 = 10.42.2.1
-define priv_net4 = 10.42.2.0/24
-define priv_net6 = 2a01:4262:1ab:c::/64
-
-define free_if = lan13
-define free_ip4 = 10.42.3.1
-define free_net4 = 10.42.3.0/24
-define free_net6 = 2a01:4262:1ab:d::/64
-
-define pass_if = lan14
-define pass_ip4 = 10.42.4.1
-define pass_net4 = 10.42.4.0/24
-define pass_net6 = 2a01:4262:1ab:e::/64
-
-define serv_if = lan20
-define serv_ip4 = 185.38.175.65
-define serv_net4 = 185.38.175.64/24
-define serv_net6 = 2a01:4262:1ab:20::/64
-
-define avahi_ifs = { $wire_if, $priv_if, $pass_if }
-
-#define nat64_if = nat64
-#define nat64_net = 10.42.255.0/24
-#define nat64_net6 = fde2:52b4:4a19:ffff::/96
-
-table ip filter {
- chain input {
- type filter hook input priority 0;
-
- ct state established,related accept
- ct state invalid drop
-
- # no ping floods
- ip protocol icmp limit rate 100/second accept
- ip protocol icmp drop
-
- iif lo accept
-
- # bird etc.
on fiberby link
- iif $ext_if ip saddr $link_net4 ip daddr $link_net4 counter accept
-
- # dhcp
- udp sport bootpc udp dport bootps iif != $ext_if counter accept
-
- # radius
- iif $adm_if ip saddr { $ap1, $ap2 } udp dport 1812 accept
-
- # tftp
- iif $wire_if ip saddr $wire_net4 udp dport 69 accept
-
- # ssh
- tcp dport 22 accept
-
- # dns
- tcp dport 53 ip saddr { $int_net4, $ext_net4 } accept
- udp dport 53 ip saddr { $int_net4, $ext_net4 } accept
-
- # avahi
- ip daddr 224.0.0.251 udp dport 5353 iif $avahi_ifs accept
- ip protocol igmp iif $avahi_ifs accept
-
- ## debugging
- #iif $ext_if counter drop
- #udp dport { 137, 138, 5353, 27036 } drop # NetBIOS, Avahi, Steam in-home stream
- #udp sport 17500 udp dport 17500 drop # Dropbox LANsync
- #ip protocol igmp drop # IGMP
- #counter log prefix "in4: " drop
- drop
- }
-
- chain forward {
- type filter hook forward priority 0;
-
- ct state established,related accept
- ct state invalid drop
-
- # accept all traffic to Labitat servers
- ip daddr $labservers4 accept
-
- ip saddr $labitat udp dport 161 counter accept # traffic stats
-
- # no traffic to admin net
- ip daddr $adm_net4 ip saddr $int_net4 reject with icmp type net-prohibited
- ip daddr $adm_net4 drop
-
- # local traffic
- iif $adm_if ip saddr $adm_net4 accept
- iif $wire_if ip saddr $wire_net4 accept
- iif $priv_if ip saddr $priv_net4 accept
- iif $free_if ip saddr $free_net4 ip daddr != $int_net4 accept
- iif $pass_if ip saddr $pass_net4 accept
- iif $serv_if ip saddr $serv_net4 accept
-
- ## debugging
- #iif $ext_if counter drop
- #counter log prefix "fw4: " drop
- drop
- }
-}
-
-table ip6 filter {
- chain input {
- type filter hook input priority 0;
-
- ct state established,related accept
- ct state invalid drop
-
- # no ping floods
- ip6 nexthdr ipv6-icmp limit rate 100/second accept
- ip6 nexthdr ipv6-icmp drop
-
- iif lo accept
- iif { $adm_if, $wire_if, $priv_if, $free_if, $pass_if } hbh nexthdr ipv6-icmp accept
-
- # bird etc.
on fiberby link
- iif $ext_if ip6 saddr $link_net6 ip6 daddr $link_net6 counter accept
-
- # ssh
- tcp dport 22 accept
-
- # dns
- tcp dport 53 ip6 saddr $ext_net6 accept
- udp dport 53 ip6 saddr $ext_net6 accept
-
- # avahi
- ip6 daddr ff02::fb udp dport 5353 iif $avahi_ifs accept
-
- ## debugging
- #counter log prefix "in6: " drop
- drop
- }
-
- chain forward {
- type filter hook forward priority 0;
-
- ct state established,related accept
- ct state invalid drop
-
- # accept all traffic to Labitat servers
- ip6 daddr $labservers6 accept
-
- iif $wire_if ip6 saddr $wire_net6 accept
- iif $priv_if ip6 saddr $priv_net6 accept
- iif $free_if ip6 saddr $free_net6 ip6 daddr != $ext_net6 accept
- iif $pass_if ip6 saddr $pass_net6 accept
- iif $serv_if ip6 saddr $serv_net6 accept
-
- ## debugging
- #counter log prefix "fw6: " drop
- drop
- }
-}
-
-table ip nat {
- chain portforward {
- ip daddr $ext_ip4 udp dport 161 dnat 10.42.0.9 # traffic stats
- }
-
- chain prerouting {
- type nat hook prerouting priority -150;
- goto portforward
- }
-
- chain output {
- type nat hook output priority -150;
- goto portforward
- }
-
- chain input {
- type nat hook input priority -150;
- # this chain is needed to make dnat from the output chain work
- }
-
- chain postrouting {
- type nat hook postrouting priority -150;
- oif $ext_if ip saddr $int_net4 snat $ext_ip4
- }
-}
diff --git a/roles/space_server/files/nftables/nftables.service b/roles/space_server/files/nftables/nftables.service
deleted file mode 100644
index f1c9028..0000000
--- a/roles/space_server/files/nftables/nftables.service
+++ /dev/null
@@ -1,30 +0,0 @@
-[Unit]
-Description=Netfilter Tables
-Documentation=man:nft(8)
-Requires=sys-devices-virtual-net-lan10.device
-Requires=sys-devices-virtual-net-lan11.device
-Requires=sys-devices-virtual-net-lan12.device
-Requires=sys-devices-virtual-net-lan13.device
-Requires=sys-devices-virtual-net-lan14.device
-Requires=sys-devices-virtual-net-lan15.device
-Requires=sys-devices-virtual-net-lan20.device
-After=sys-devices-virtual-net-lan10.device
-After=sys-devices-virtual-net-lan11.device
-After=sys-devices-virtual-net-lan12.device
-After=sys-devices-virtual-net-lan13.device
-After=sys-devices-virtual-net-lan14.device
-After=sys-devices-virtual-net-lan15.device
-After=sys-devices-virtual-net-lan20.device
-Before=network-online.target
-
-[Service]
-Type=oneshot
-ProtectSystem=full
-ProtectHome=true
-ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
-ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
-ExecStop=/sbin/nft flush ruleset
-RemainAfterExit=yes
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/space_server/files/radvd.conf b/roles/space_server/files/radvd.conf
new file mode 100644
index 0000000..9f994a3
--- /dev/null
+++ b/roles/space_server/files/radvd.conf
@@ -0,0 +1,69 @@
+# Wired
+interface lan11 {
+ AdvSendAdvert on;
+ MinRtrAdvInterval 3;
+ MaxRtrAdvInterval 6;
+ AdvLinkMTU 1500;
+ RDNSS 2a01:4262:1ab:: {};
+
+ prefix 2a01:4262:1ab:b::/64 {
+ #AdvValidLifetime 0;
+ #AdvPreferredLifetime 0;
+ };
+};
+
+# Private Wifi
+interface lan12 {
+ AdvSendAdvert on;
+ MinRtrAdvInterval 3;
+ MaxRtrAdvInterval 6;
+ AdvLinkMTU 1500;
+ RDNSS 2a01:4262:1ab:: {};
+
+ prefix 2a01:4262:1ab:c::/64 {
+ #AdvValidLifetime 0;
+ #AdvPreferredLifetime 0;
+ };
+};
+
+# Free Wifi
+interface lan13 {
+ AdvSendAdvert on;
+ MinRtrAdvInterval 3;
+ MaxRtrAdvInterval 6;
+ AdvLinkMTU 1500;
+ RDNSS 2a01:4262:1ab:: {};
+
+ prefix 2a01:4262:1ab:d::/64 {
+ #AdvValidLifetime 0;
+ #AdvPreferredLifetime 0;
+ };
+};
+
+# Password Protected Wifi
+interface lan14 {
+ AdvSendAdvert on;
+ MinRtrAdvInterval 3;
+ MaxRtrAdvInterval 6;
+ AdvLinkMTU 1500;
+ RDNSS 2a01:4262:1ab:: {};
+
+ prefix 2a01:4262:1ab:e::/64 {
+ #AdvValidLifetime 0;
+ #AdvPreferredLifetime 0;
+ };
+};
+
+# NAT64 Wifi
+interface lan15 {
+ AdvSendAdvert on;
+ MinRtrAdvInterval 3;
+ MaxRtrAdvInterval 6;
+ AdvLinkMTU 1500;
+ RDNSS 2a01:4262:1ab:: {};
+
+ prefix 2a01:4262:1ab:f::/64 {
+ #AdvValidLifetime 0;
+ #AdvPreferredLifetime 0;
+ };
+};
diff --git a/roles/space_server/files/radvd/radvd.conf b/roles/space_server/files/radvd/radvd.conf
deleted file mode 100644
index 9f994a3..0000000
--- a/roles/space_server/files/radvd/radvd.conf
+++ /dev/null
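Review bot: The `# NAT64 Wifi` block advertises the global prefix `2a01:4262:1ab:f::/64` and an RDNSS on lan15, but the ip6 forward chain added earlier in this commit has rules only for `$wire_if`, `$priv_if`, `$free_if`, `$pass_if` and `$serv_if`, and the removed nftables.conf still shows `#define nat64_if` commented out; clients on lan15 will therefore autoconfigure a global address whose traffic the router drops. If that is the intended state while NAT64 is unfinished, a comment such as `# lan15 is advertised but not forwarded yet, see nftables.conf` above the block would save the next reader a debugging session; otherwise the block should stay out until the forward rule exists. The commented-out `#AdvValidLifetime 0;` / `#AdvPreferredLifetime 0;` pairs are repeated in all five blocks with no explanation; since those are the knobs for deprecating a prefix before renumbering, either drop them or add one line `# uncomment both to deprecate this prefix` so their purpose is recorded.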
@@ -1,69 +0,0 @@
-# Wired
-interface lan11 {
- AdvSendAdvert on;
- MinRtrAdvInterval 3;
- MaxRtrAdvInterval 6;
- AdvLinkMTU 1500;
- RDNSS 2a01:4262:1ab:: {};
-
- prefix 2a01:4262:1ab:b::/64 {
- #AdvValidLifetime 0;
- #AdvPreferredLifetime 0;
- };
-};
-
-# Private Wifi
-interface lan12 {
- AdvSendAdvert on;
- MinRtrAdvInterval 3;
- MaxRtrAdvInterval 6;
- AdvLinkMTU 1500;
- RDNSS 2a01:4262:1ab:: {};
-
- prefix 2a01:4262:1ab:c::/64 {
- #AdvValidLifetime 0;
- #AdvPreferredLifetime 0;
- };
-};
-
-# Free Wifi
-interface lan13 {
- AdvSendAdvert on;
- MinRtrAdvInterval 3;
- MaxRtrAdvInterval 6;
- AdvLinkMTU 1500;
- RDNSS 2a01:4262:1ab:: {};
-
- prefix 2a01:4262:1ab:d::/64 {
- #AdvValidLifetime 0;
- #AdvPreferredLifetime 0;
- };
-};
-
-# Password Protected Wifi
-interface lan14 {
- AdvSendAdvert on;
- MinRtrAdvInterval 3;
- MaxRtrAdvInterval 6;
- AdvLinkMTU 1500;
- RDNSS 2a01:4262:1ab:: {};
-
- prefix 2a01:4262:1ab:e::/64 {
- #AdvValidLifetime 0;
- #AdvPreferredLifetime 0;
- };
-};
-
-# NAT64 Wifi
-interface lan15 {
- AdvSendAdvert on;
- MinRtrAdvInterval 3;
- MaxRtrAdvInterval 6;
- AdvLinkMTU 1500;
- RDNSS 2a01:4262:1ab:: {};
-
- prefix 2a01:4262:1ab:f::/64 {
- #AdvValidLifetime 0;
- #AdvPreferredLifetime 0;
- };
-};
diff --git a/roles/space_server/files/sudo/sudoers b/roles/space_server/files/sudo/sudoers
deleted file mode 100644
index 069052c..0000000
--- a/roles/space_server/files/sudo/sudoers
+++ /dev/null
@@ -1,96 +0,0 @@
-## Sudoers allows particular users to run various commands as
-## the root user, without needing the root password.
-##
-## Examples are provided at the bottom of the file for collections
-## of related commands, which can then be delegated out to particular
-## users or groups.
-##
-## This file must be edited with the 'visudo' command.
-
-## Host Aliases
-## Groups of machines. You may prefer to use hostnames (perhaps using
-## wildcards for entire domains) or IP addresses instead.
-# Host_Alias FILESERVERS = fs1, fs2
-# Host_Alias MAILSERVERS = smtp, smtp2
-
-## User Aliases
-## These aren't often necessary, as you can use regular groups
-## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
-## rather than USERALIAS
-# User_Alias ADMINS = jsmith, mikem
-
-
-## Command Aliases
-## These are groups of related commands...
-
-## Networking
-# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
-
-## Installation and management of software
-# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
-
-## Services
-# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
-
-## Updating the locate database
-# Cmnd_Alias LOCATE = /usr/bin/updatedb
-
-## Storage
-# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
-
-## Delegating permissions
-# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
-
-## Processes
-# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
-
-## Drivers
-# Cmnd_Alias DRIVERS = /sbin/modprobe
-
-# Defaults specification
-
-#
-# Refuse to run if unable to disable echo on the tty.
-#
-Defaults !visiblepw
-
-Defaults env_reset
-Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
-Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
-Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
-Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
-Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
-
-Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
-
-## Next comes the main part: which users can run what software on
-## which machines (the sudoers file can be shared between multiple
-## systems).
-## Syntax:
-##
-## user MACHINE=COMMANDS
-##
-## The COMMANDS section may have other options added to it.
-##
-## Allow root to run any commands anywhere
-root ALL=(ALL) ALL
-
-## Allows members of the 'sys' group to run networking, software,
-## service management apps and more.
-# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
-
-## Allows people in group wheel to run all commands
-# %wheel ALL=(ALL) ALL
-
-## Same thing without a password
-%wheel ALL=(ALL) NOPASSWD: ALL
-
-## Allows members of the users group to mount and unmount the
-## cdrom as root
-# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
-
-## Allows members of the users group to shutdown this system
-# %users localhost=/sbin/shutdown -h now
-
-## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
-#includedir /etc/sudoers.d
diff --git a/roles/space_server/files/sudoers b/roles/space_server/files/sudoers
new file mode 100644
index 0000000..069052c
--- /dev/null
+++ b/roles/space_server/files/sudoers
@@ -0,0 +1,96 @@
+## Sudoers allows particular users to run various commands as
+## the root user, without needing the root password.
+##
+## Examples are provided at the bottom of the file for collections
+## of related commands, which can then be delegated out to particular
+## users or groups.
+##
+## This file must be edited with the 'visudo' command.
+
+## Host Aliases
+## Groups of machines. You may prefer to use hostnames (perhaps using
+## wildcards for entire domains) or IP addresses instead.
+# Host_Alias FILESERVERS = fs1, fs2
+# Host_Alias MAILSERVERS = smtp, smtp2
+
+## User Aliases
+## These aren't often necessary, as you can use regular groups
+## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
+## rather than USERALIAS
+# User_Alias ADMINS = jsmith, mikem
+
+
+## Command Aliases
+## These are groups of related commands...
+
+## Networking
+# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
+
+## Installation and management of software
+# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
+
+## Services
+# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
+
+## Updating the locate database
+# Cmnd_Alias LOCATE = /usr/bin/updatedb
+
+## Storage
+# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
+
+## Delegating permissions
+# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
+
+## Processes
+# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
+
+## Drivers
+# Cmnd_Alias DRIVERS = /sbin/modprobe
+
+# Defaults specification
+
+#
+# Refuse to run if unable to disable echo on the tty.
+#
+Defaults !visiblepw
+
+Defaults env_reset
+Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
+Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
+Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
+Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
+Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
+
+Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
+
+## Next comes the main part: which users can run what software on
+## which machines (the sudoers file can be shared between multiple
+## systems).
+## Syntax:
+##
+## user MACHINE=COMMANDS
+##
+## The COMMANDS section may have other options added to it.
+##
+## Allow root to run any commands anywhere
+root ALL=(ALL) ALL
+
+## Allows members of the 'sys' group to run networking, software,
+## service management apps and more.
+# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
+
+## Allows people in group wheel to run all commands
+# %wheel ALL=(ALL) ALL
+
+## Same thing without a password
+%wheel ALL=(ALL) NOPASSWD: ALL
+
+## Allows members of the users group to mount and unmount the
+## cdrom as root
+# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
+
+## Allows members of the users group to shutdown this system
+# %users localhost=/sbin/shutdown -h now
+
+## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
+#includedir /etc/sudoers.d
-- cgit v1.2.1
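Review bot: `%wheel ALL=(ALL) NOPASSWD: ALL` grants every wheel member unchallenged root, so a single leaked SSH key for any of those accounts is a full host compromise with no second factor and nothing in the audit trail beyond the sudo line itself; if the exemption exists for automation (the file ships from this Ansible role, presumably for `become`), record that in the `## Same thing without a password` comment and scope it to the dedicated automation account rather than the whole group. The header's `## This file must be edited with the 'visudo' command.` is no longer true for a file pushed from a role, and a syntax error in a deployed copy disables sudo on the box, so the copy task (outside this diff) should validate with `visudo -cf %s` before the file lands. Consider adding `Defaults use_pty` next to `Defaults env_reset`, which sudoers(5) recommends to limit terminal-injection from the calling shell. `secure_path` omits `/usr/local/sbin` and `/usr/local/bin`, which is fine if nothing locally installed is run under sudo, but a comment stating that would stop someone re-adding them without thought.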