From 80c6cf0de448f8fdf10c1e4be82cc7e0ef42abc5 Mon Sep 17 00:00:00 2001
From: Hafnium
Date: Tue, 11 Oct 2022 20:17:39 +0200
Subject: space_server: networkd: add LocIX connection systemd mechanics reworked by Esmil
Co-developed-by: Emil Renner Berthing
---
 roles/space_server/files/network-sysctl@.service | 14 ++++++++++
 roles/space_server/files/networkd/10-bond0.network | 1 +
 roles/space_server/files/networkd/10-locix.netdev | 7 +++++
 roles/space_server/files/networkd/10-locix.network | 23 +++++++++++++++++
 roles/space_server/files/networkd/10-locix.sysctl | 25 ++++++++++++++++++
 roles/space_server/files/networkd/10-wan.sysctl | 2 ++
 roles/space_server/tasks/networkd.yml | 30 ++++++++++++++++++++++
 7 files changed, 102 insertions(+)
 create mode 100644 roles/space_server/files/network-sysctl@.service
 create mode 100644 roles/space_server/files/networkd/10-locix.netdev
 create mode 100644 roles/space_server/files/networkd/10-locix.network
 create mode 100644 roles/space_server/files/networkd/10-locix.sysctl
 create mode 100644 roles/space_server/files/networkd/10-wan.sysctl
(limited to 'roles/space_server')
diff --git a/roles/space_server/files/network-sysctl@.service b/roles/space_server/files/network-sysctl@.service
new file mode 100644
index 0000000..06902ff
--- /dev/null
+++ b/roles/space_server/files/network-sysctl@.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Apply per interface kernel variables on %I
+Documentation=man:systemd-sysctl.service(8) man:sysctl.d(5)
+DefaultDependencies=no
+After=sys-devices-virtual-net-%i.device
+Before=network-online.target
+#ConditionPathIsReadWrite=/proc/sys/net/
+
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/systemd/systemd-sysctl /etc/systemd/network/10-%i.sysctl
+
+[Install]
+WantedBy=sys-devices-virtual-net-%i.device
diff --git a/roles/space_server/files/networkd/10-bond0.network b/roles/space_server/files/networkd/10-bond0.network
index 39695a4..86b6ae5 100644
--- a/roles/space_server/files/networkd/10-bond0.network
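Review bot: `ExecStart=/usr/lib/systemd/systemd-sysctl …` hard-codes a path that is only correct on merged-/usr systems; on installs that still keep the binary under `/lib/systemd/` the unit fails at start, so the path should match the target distribution or the merged-/usr assumption should be recorded in a comment. The commented `#ConditionPathIsReadWrite=/proc/sys/net/` is dead configuration: either enable it (the stock systemd-sysctl.service carries an equivalent `ConditionPathIsReadWrite=/proc/sys/`, which lets the unit skip cleanly where /proc/sys is read-only) or drop it. A one-line comment above `[Unit]` would also help the next maintainer, e.g. `# %i is the interface name; applies /etc/systemd/network/10-%i.sysctl once the device appears`.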
+++ b/roles/space_server/files/networkd/10-bond0.network
@@ -12,6 +12,7 @@ LinkLocalAddressing=no
 LLMNR=no
 MulticastDNS=no
 VLAN=wan
+VLAN=locix
 VLAN=lan10
 VLAN=lan11
 VLAN=lan12
diff --git a/roles/space_server/files/networkd/10-locix.netdev b/roles/space_server/files/networkd/10-locix.netdev
new file mode 100644
index 0000000..54ebee6
--- /dev/null
+++ b/roles/space_server/files/networkd/10-locix.netdev
@@ -0,0 +1,7 @@
+[NetDev]
+Name=locix
+Kind=vlan
+MACAddress=5a:06:28:18:79:01
+
+[VLAN]
+Id=3145
diff --git a/roles/space_server/files/networkd/10-locix.network b/roles/space_server/files/networkd/10-locix.network
new file mode 100644
index 0000000..b6193c0
--- /dev/null
+++ b/roles/space_server/files/networkd/10-locix.network
@@ -0,0 +1,23 @@
+[Match]
+Name=locix
+
+[Link]
+ARP=yes
+
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+IPForward=yes
+LLMNR=no
+MulticastDNS=no
+LLDP=no
+EmitLLDP=no
+NTP=no
+
+[Address]
+Address=185.1.167.144/23
+Scope=link
+
+[Address]
+Address=2001:7f8:f2:e1:0:20:5235:1/64
+Scope=link
diff --git a/roles/space_server/files/networkd/10-locix.sysctl b/roles/space_server/files/networkd/10-locix.sysctl
new file mode 100644
index 0000000..e28f743
--- /dev/null
+++ b/roles/space_server/files/networkd/10-locix.sysctl
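Review bot: `IPForward=yes` in the `[Network]` section of 10-locix.network is not confined to this interface; systemd.network(5) has documented the option as a global, one-way kernel switch, so it enables forwarding host-wide (wan and the lan VLANs included) and no other .network file can turn it back off. That is presumably intended for a router peering at an IX, but the host-wide effect should be stated where it is set, e.g. `# IPForward= is global in networkd: this enables forwarding for every interface, not just locix`.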
@@ -0,0 +1,25 @@
+# From https://www.ams-ix.net/ams/documentation/config-guide
+# file: /etc/sysctl.conf
+# These settings should be duplicated for all interfaces that are
+# on a peering LAN.
+
+# Fix the "promiscuous ARP" thing...
+net.ipv4.conf.locix.arp_ignore=1
+net.ipv4.conf.locix.arp_announce=1
+
+# Turn off RP filtering to allow asymmetric routing
+net.ipv4.conf.locix.rp_filter=0
+
+# Multiple (non-aggregated) interfaces on the same peering LAN
+# READ THE MANUAL FIRST!
+#net.ipv4.conf.ifname.arp_filter=1
+
+# Keep the IX ARP Police happy :-)
+net.ipv4.neigh.locix.base_reachable_time_ms=14400000
+net.ipv6.neigh.locix.base_reachable_time_ms=14400000
+
+# No redirects
+net.ipv4.conf.locix.accept_redirects=0
+net.ipv4.conf.locix.secure_redirects=0
+net.ipv4.conf.locix.send_redirects=0
+net.ipv6.conf.locix.accept_redirects=0
diff --git a/roles/space_server/files/networkd/10-wan.sysctl b/roles/space_server/files/networkd/10-wan.sysctl
new file mode 100644
index 0000000..8ca83b9
--- /dev/null
+++ b/roles/space_server/files/networkd/10-wan.sysctl
@@ -0,0 +1,2 @@
+# Turn off RP filtering to allow asymmetric routing
+net.ipv4.conf.wan.rp_filter=0
diff --git a/roles/space_server/tasks/networkd.yml b/roles/space_server/tasks/networkd.yml
index 95ec4b0..305996b 100644
--- a/roles/space_server/tasks/networkd.yml
+++ b/roles/space_server/tasks/networkd.yml
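Review bot: `net.ipv4.conf.locix.send_redirects=0` does not by itself stop the host from sending ICMP redirects on locix, because the kernel enables IPv4 send_redirects when either `conf/all` or the per-interface key is set, and `net.ipv4.conf.all.send_redirects` defaults to 1; similarly the `rp_filter=0` lines here and in 10-wan.sysctl only take effect if `net.ipv4.conf.all.rp_filter` is also 0, since the kernel uses the maximum of the `all` and interface values for source validation. Unless the role sets the `all.*` keys elsewhere (not visible in this commit), add `net.ipv4.conf.all.send_redirects=0` and document the dependency next to the rp_filter line, e.g. `# Only effective while net.ipv4.conf.all.rp_filter=0 (kernel takes max of all/iface)`. The header comment `# file: /etc/sysctl.conf` was carried over from the AMS-IX guide and no longer describes where this file lives or how it is applied; reword it to point at `network-sysctl@.service`.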
@@ -30,4 +30,34 @@
     state: absent
   with_items: "{{ networkd_existing.files|map(attribute='path')|map('basename')|difference(networkd_created.results|map(attribute='item')|map('basename'))|list }}"
+- name: Install network-sysctl@.service
+  copy:
+    dest: '/etc/systemd/system/network-sysctl@.service'
+    src: 'network-sysctl@.service'
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Enable network-sysctl@.service
+  systemd:
+    name: 'network-sysctl@{{ item }}.service'
+    enabled: yes
+    masked: no
+  when: not chroot
+  with_items:
+    - wan
+    - locix
+- name: '- when in chroot'
+  command:
+    argv:
+      - 'systemctl'
+      - 'enable'
+      - 'network-sysctl@{{ item }}.service'
+  args:
+    creates: '/etc/systemd/system/sys-devices-virtual-net-{{ item }}.device.wants/network-sysctl@{{ item }}.service'
+  when: chroot
+  with_items:
+    - wan
+    - locix
+
 
 # vim: set ts=2 sw=2 et:
--
cgit v1.2.1
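Review bot: `mode: 0644` in the copy task is an unquoted octal literal that YAML parses as the integer 420; Ansible's own guidance is to quote file modes (`mode: '0644'`) because the bare form is mis-read in loops and some other contexts. The following `systemd` task enables the freshly copied unit but never requests a daemon reload, so a later change to the unit file would be enabled against stale state; add `daemon_reload: true` to that task (no handler is visible in this hunk to notify instead). `enabled: yes` / `masked: no` should be the canonical `true` / `false`, and the chroot fallback's name `'- when in chroot'` reads as a continuation of the previous task rather than a task name — something like `Enable network-sysctl@.service (chroot)` keeps both tasks distinguishable in play output and grep.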