From c624e52a8357da8db022831b86f2c85bb7bfed2f Mon Sep 17 00:00:00 2001
From: Emil Renner Berthing
Date: Wed, 5 Dec 2018 19:07:35 +0100
Subject: space_server: enable NAT64/DNS64 network

---
roles/space_server/files/networkd/10-lan15.network | 2 +-
roles/space_server/files/networkd/10-nat64.netdev | 3 +++
roles/space_server/files/networkd/10-nat64.network | 15 +++++++++++++
roles/space_server/files/nftables.conf | 10 ++++++---
roles/space_server/files/nftables.service | 2 ++
roles/space_server/files/tayga-labitat.conf | 6 ++++++
roles/space_server/handlers/main.yml | 6 ++++++
roles/space_server/tasks/main.yml | 2 ++
roles/space_server/tasks/tayga.yml | 25 ++++++++++++++++++++++
roles/space_server/templates/unbound.conf.j2 | 4 +++-
roles/space_server/vars/main.yml | 1 +
11 files changed, 71 insertions(+), 5 deletions(-)
create mode 100644 roles/space_server/files/networkd/10-nat64.netdev
create mode 100644 roles/space_server/files/networkd/10-nat64.network
create mode 100644 roles/space_server/files/tayga-labitat.conf
create mode 100644 roles/space_server/tasks/tayga.yml
(limited to 'roles')

diff --git a/roles/space_server/files/networkd/10-lan15.network b/roles/space_server/files/networkd/10-lan15.network
index b202b9b..4c6babc 100644
--- a/roles/space_server/files/networkd/10-lan15.network
+++ b/roles/space_server/files/networkd/10-lan15.network
@@ -2,7 +2,7 @@ Name=lan15
[Link]
-ARP=no
+ARP=yes
[Network]
DHCP=no
diff --git a/roles/space_server/files/networkd/10-nat64.netdev b/roles/space_server/files/networkd/10-nat64.netdev
new file mode 100644
index 0000000..af0b249
--- /dev/null
+++ b/roles/space_server/files/networkd/10-nat64.netdev
@@ -0,0 +1,3 @@
+[NetDev]
+Name=nat64
+Kind=tun
diff --git a/roles/space_server/files/networkd/10-nat64.network b/roles/space_server/files/networkd/10-nat64.network
new file mode 100644
index 0000000..097e388
--- /dev/null
+++ b/roles/space_server/files/networkd/10-nat64.network
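Review bot: The `ARP=no` → `ARP=yes` flip in the `[Link]` section carries no comment on why it is needed, and it is the only change to this unit. The motivation appears to be that the same commit starts accepting traffic from `futu_net6` (2a01:4262:1ab:f::/64) on lan15 in nftables.conf, which presumably needs neighbour resolution on the link again; a one-line comment such as `# neighbour resolution must be on: 2a01:4262:1ab:f::/64 is routed on this link` would record that for the next reader. The rest of the unit, including any addressing on lan15, is outside the hunk.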
@@ -0,0 +1,15 @@
+[Match]
+Name=nat64
+
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+Address=10.42.128.1/17
+IPForward=yes
+LLMNR=no
+MulticastDNS=no
+LLDP=no
+
+[Route]
+Destination=2a01:4262:1ab:0:0:f::/96
+PreferredSource=2a01:4262:1ab::
diff --git a/roles/space_server/files/nftables.conf b/roles/space_server/files/nftables.conf
index 0cb7c4f..8b3124c 100644
--- a/roles/space_server/files/nftables.conf
+++ b/roles/space_server/files/nftables.conf
@@ -38,9 +38,11 @@ define pass_ip4 = 10.42.4.1
define pass_net4 = 10.42.4.0/24
define pass_net6 = 2a01:4262:1ab:e::/64
-#define nat64_if = nat64
-#define nat64_net = 10.42.255.0/24
-#define nat64_net6 = fde2:52b4:4a19:ffff::/96
+define futu_if = lan15
+define futu_net6 = 2a01:4262:1ab:f::/64
+
+define nat64_if = nat64
+define nat64_net4 = 10.42.128.0/17
define colo_if = lan20
define colo_ip4 = 185.38.175.65
@@ -116,6 +118,7 @@ table ip filter {
iif $priv_if ip saddr $priv_net4 accept
iif $free_if ip saddr $free_net4 ip daddr != $int_net4 accept
iif $pass_if ip saddr $pass_net4 accept
+ iif $nat64_if ip saddr $nat64_net4 accept
iif $colo_if ip saddr $colo_net4 ip daddr != $int_net4 accept
oif $colo_if accept
@@ -171,6 +174,7 @@ table ip6 filter {
iif $priv_if ip6 saddr $priv_net6 accept
iif $free_if ip6 saddr $free_net6 ip6 daddr != $ext_net6 accept
iif $pass_if ip6 saddr $pass_net6 accept
+ iif $futu_if ip6 saddr $futu_net6 accept
iif $colo_if ip6 saddr $colo_net6 ip6 daddr != $ext_net6 accept
oif $colo_if accept
diff --git a/roles/space_server/files/nftables.service b/roles/space_server/files/nftables.service
index f1c9028..89e9cfe 100644
--- a/roles/space_server/files/nftables.service
+++ b/roles/space_server/files/nftables.service
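Review bot: `IPForward=yes` in the `[Network]` section of this new unit deserves a comment, because in systemd-networkd of this era the key toggles the global kernel forwarding sysctl rather than a per-interface one, and it is only ever switched on, never back off when the nat64 link disappears. On a host that already routes between the lan VLANs that is harmless, but a reader should not assume the effect is limited to this tun; `# Note: IPForward= is global and one-way, it is not scoped to nat64` next to the line would make that clear. The `[Route]` entry sets `PreferredSource=2a01:4262:1ab::` while no IPv6 address is assigned on this interface, so presumably that address lives on another link — worth stating in the same comment so the route is not "fixed" later.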
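Review bot: The new `iif $nat64_if ip saddr $nat64_net4 accept` rule in `table ip filter` has no destination restriction, unlike the neighbouring `free_if` and `colo_if` rules which carry `ip daddr != $int_net4`. Every IPv6 client that can reach the 2a01:4262:1ab:0:0:f::/96 prefix comes out of tayga with a source in 10.42.128.0/17, so after translation it is granted every IPv4 destination including `$int_net4`, which can widen the per-VLAN policy enforced on the IPv6 side; which VLANs can actually reach the prefix depends on the existing `table ip6 filter` rules outside these hunks and on whether `$ext_net6` covers the prefix, neither of which is visible here. If NAT64 is only meant to give IPv6-only clients Internet access, `iif $nat64_if ip saddr $nat64_net4 ip daddr != $int_net4 accept` keeps the translator from bypassing those rules; if internal reachability is intended, a comment on the rule should say so. Note also that the commit drops the commented-out `nat64_net6` define, so the prefix has no nftables symbol a `table ip6 filter` rule could refer to if such a restriction is added later.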
@@ -8,6 +8,7 @@ Requires=sys-devices-virtual-net-lan13.device
Requires=sys-devices-virtual-net-lan14.device
Requires=sys-devices-virtual-net-lan15.device
Requires=sys-devices-virtual-net-lan20.device
+Requires=sys-devices-virtual-net-nat64.device
After=sys-devices-virtual-net-lan10.device
After=sys-devices-virtual-net-lan11.device
After=sys-devices-virtual-net-lan12.device
@@ -15,6 +16,7 @@ After=sys-devices-virtual-net-lan13.device
After=sys-devices-virtual-net-lan14.device
After=sys-devices-virtual-net-lan15.device
After=sys-devices-virtual-net-lan20.device
+After=sys-devices-virtual-net-nat64.device
Before=network-online.target
[Service]
diff --git a/roles/space_server/files/tayga-labitat.conf b/roles/space_server/files/tayga-labitat.conf
new file mode 100644
index 0000000..f9826d9
--- /dev/null
+++ b/roles/space_server/files/tayga-labitat.conf
@@ -0,0 +1,6 @@
+tun-device nat64
+ipv4-addr 10.42.128.1
+#ipv6-addr 2a01:4262:1ab::
+prefix 2a01:4262:1ab:0:0:f::/96
+dynamic-pool 10.42.128.0/17
+data-dir /var/lib/tayga/labitat
diff --git a/roles/space_server/handlers/main.yml b/roles/space_server/handlers/main.yml
index 706cc13..09e0d1d 100644
--- a/roles/space_server/handlers/main.yml
+++ b/roles/space_server/handlers/main.yml
@@ -57,4 +57,10 @@
state: restarted
when: not chroot
+- name: restart tayga
+ systemd:
+ name: tayga@labitat.service
+ state: restarted
+ when: not chroot
+
# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/tasks/main.yml b/roles/space_server/tasks/main.yml
index bc1b332..bfa3bc6 100644
--- a/roles/space_server/tasks/main.yml
+++ b/roles/space_server/tasks/main.yml
@@ -30,6 +30,8 @@
when: radius_passwords is defined
- import_tasks: unbound.yml
tags: unbound
+- import_tasks: tayga.yml
+ tags: tayga
- import_tasks: avahi.yml
tags: avahi
diff --git a/roles/space_server/tasks/tayga.yml b/roles/space_server/tasks/tayga.yml
new file mode 100644
index 0000000..a06703e
--- /dev/null
+++ b/roles/space_server/tasks/tayga.yml
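Review bot: `#ipv6-addr 2a01:4262:1ab::` is left commented out while the networkd route in 10-nat64.network sets `PreferredSource=2a01:4262:1ab::` for the same prefix, so the file gives no hint which IPv6 address tayga will actually answer from; a comment on why the line is disabled (presumably tayga derives its own address from `prefix` and `ipv4-addr` when none is given — confirm against the tayga documentation) would stop the next reader from simply uncommenting it. `ipv4-addr 10.42.128.1` also sits inside `dynamic-pool 10.42.128.0/17`, which tayga is expected to tolerate but which likewise deserves one line of explanation. `data-dir /var/lib/tayga/labitat` is referenced, yet no task in this commit creates that directory; if the packaged `tayga@.service` does not provide it, tayga will be unable to persist its dynamic address map.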
@@ -0,0 +1,25 @@
+---
+- name: Create labitat.conf
+ copy:
+ dest: '/etc/tayga/labitat.conf'
+ src: tayga-labitat.conf
+ owner: root
+ group: root
+ mode: 0644
+ notify: restart tayga
+
+- name: Create /etc/systemd/system/sys-devices-virtual-net-nat64.device.wants
+ file:
+ path: '/etc/systemd/system/sys-devices-virtual-net-nat64.device.wants'
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
+
+- name: Start tayga@labitat.service when nat64 interface is up
+ file:
+ path: '/etc/systemd/system/sys-devices-virtual-net-nat64.device.wants/tayga@labitat.service'
+ src: '/usr/lib/systemd/system/tayga@.service'
+ state: link
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/templates/unbound.conf.j2 b/roles/space_server/templates/unbound.conf.j2
index d09d7af..26b7006 100644
--- a/roles/space_server/templates/unbound.conf.j2
+++ b/roles/space_server/templates/unbound.conf.j2
@@ -59,7 +59,9 @@ server:
rrset-roundrobin: yes
minimal-responses: yes
- module-config: "validator iterator"
+ module-config: "dns64 validator iterator"
+
+ dns64-prefix: 2a01:4262:1ab:0:0:f::/96
trust-anchor-signaling: yes
diff --git a/roles/space_server/vars/main.yml b/roles/space_server/vars/main.yml
index 4b3fb14..3a7251b 100644
--- a/roles/space_server/vars/main.yml
+++ b/roles/space_server/vars/main.yml
@@ -38,6 +38,7 @@ dnf_packages:
'diffutils': present
'policycoreutils': present # needed for unbound-keygen.service
'unbound': present
+ 'tayga': present
'avahi-tools': present # pulls in avahi package
'nss-mdns': present
-- cgit v1.2.1
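Review bot: The third task drops a symlink into `sys-devices-virtual-net-nat64.device.wants/`, but nothing in this file notifies a daemon reload, so on an already-running host systemd will not pick up the new Wants= dependency until something else reloads the manager; a `systemd: daemon_reload: yes` step (or a `notify:` to an existing reload handler, if the role has one) should follow the `state: link` task. The same task hard-codes `src: '/usr/lib/systemd/system/tayga@.service'`, which ties the role to the packaged unit's location; with `state: link` Ansible refuses to create a dangling link, so at least the failure would be loud, but a comment naming the package that ships the unit would help. The new `tayga-labitat.conf` names `data-dir /var/lib/tayga/labitat`, and none of these three tasks creates that directory.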
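Review bot: `dns64-prefix: 2a01:4262:1ab:0:0:f::/96` is the third copy of the same prefix in this commit (10-nat64.network and tayga-labitat.conf spell it too), and since this file is a Jinja template the value could be taken from vars/main.yml, e.g. `dns64-prefix: {{ nat64_prefix }}`, so the resolver side at least cannot drift from the translator. A short comment above the line is also warranted: AAAA records synthesised by the dns64 module are handed to every client of this resolver and carry no signatures, so clients that validate DNSSEC themselves cannot validate them — which is why the module order `dns64 validator iterator` matters and the validator should stay after dns64 as done here.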