-rw-r--r--roles/linux-ns/README.md34
-rw-r--r--roles/linux-ns/defaults/main.yml2
-rw-r--r--roles/linux-ns/files/iptables/ip6tables.save40
-rw-r--r--roles/linux-ns/files/iptables/iptables.save22
-rw-r--r--roles/linux-ns/files/systemd/dn42_bird-lg.service21
-rw-r--r--roles/linux-ns/files/systemd/dn42_bird-lgproxy.service21
-rw-r--r--roles/linux-ns/files/systemd/dn42_bird.service27
-rw-r--r--roles/linux-ns/files/systemd/dn42_namespace.service17
-rw-r--r--roles/linux-ns/files/systemd/dn42_pdns.service56
-rw-r--r--roles/linux-ns/files/systemd/dn42_tinc@.service28
-rw-r--r--roles/linux-ns/files/systemd/dn42_wg@.service27
-rw-r--r--roles/linux-ns/files/systemd/my-netns@.service32
-rw-r--r--roles/linux-ns/files/systemd/readme.txt2
-rwxr-xr-xroles/linux-ns/files/usrlocalbin/dn42-route-namespace.sh85
-rw-r--r--roles/linux-ns/handlers/main.yml2
-rw-r--r--roles/linux-ns/meta/main.yml15
-rw-r--r--roles/linux-ns/tasks/main.yml2
-rw-r--r--roles/linux-ns/vars/main.yml2
18 files changed, 435 insertions, 0 deletions
diff --git a/roles/linux-ns/README.md b/roles/linux-ns/README.md
new file mode 100644
index 0000000..cf5808e
--- /dev/null
+++ b/roles/linux-ns/README.md
@@ -0,0 +1,34 @@
+Linux (Network) Namespaces
+==========================
+
+(Quick and dirty?) setup of a Linux (network) namespace.
+
+Requirements
+------------
+
+Target is Linux.
+
+Role Variables
+--------------
+
+???
+
+Dependencies
+------------
+
+None
+
+Example Playbook
+----------------
+
+None
+
+License
+-------
+
+Choose your own: MIT / BSD
+
+Author Information
+------------------
+
+uvok.
diff --git a/roles/linux-ns/defaults/main.yml b/roles/linux-ns/defaults/main.yml
new file mode 100644
index 0000000..f7472ec
--- /dev/null
+++ b/roles/linux-ns/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+# defaults file for linux-ns
diff --git a/roles/linux-ns/files/iptables/ip6tables.save b/roles/linux-ns/files/iptables/ip6tables.save
new file mode 100644
index 0000000..4c3ea11
--- /dev/null
+++ b/roles/linux-ns/files/iptables/ip6tables.save
@@ -0,0 +1,40 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i tinc_dn42 -j ACCEPT
+
+-A INPUT -p icmpv6 -j ACCEPT
+
+# traceroute
+-A INPUT -p udp -m multiport --dports 33434:33534 -j REJECT --reject-with icmp6-port-unreachable
+# DNS
+-A INPUT -p udp --dport 53 -j ACCEPT
+-A INPUT -p tcp --dport 53 -j ACCEPT
+# BGP
+-A INPUT -p tcp --dport 179 -j ACCEPT
+# LG
+-A INPUT -i eth0 -p tcp --dport 6042 -j ACCEPT
+-A INPUT -i eth0 -p tcp --dport 6142 -j ACCEPT
+
+
+-A INPUT -j REJECT --reject-with icmp6-port-unreachable
+
+-A FORWARD -s fd00::/8 -d fd00::/8 -j ACCEPT
+-A FORWARD -s fd00::/8 -d fd00::/8 -j ACCEPT
+
+COMMIT
+
+*mangle
+-A PREROUTING -i eth0 -j MARK --set-mark 0x4242
+COMMIT
+
+*nat
+-A PREROUTING -d fd3e:bc05:2d6::80/128 -p tcp --dport 80 -j DNAT --to-destination fcee::1
+-A PREROUTING -d fd3e:bc05:2d6::80/128 -p tcp --dport 443 -j DNAT --to-destination fcee::1
+-A POSTROUTING -d fd00::/8 -m mark --mark 0x4242 -j MASQUERADE
+COMMIT
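Review bot: The rule `-A FORWARD -s fd00::/8 -d fd00::/8 -j ACCEPT` appears twice in the filter table, and with `:FORWARD ACCEPT [0:0]` as the chain policy neither copy changes anything; either the policy was meant to be DROP with this as the single allow, or the duplicate should be removed. `-A INPUT -p tcp --dport 179 -j ACCEPT` is not bound to an interface, unlike the LG rules right below it that are limited to eth0, and unlike iptables.save in the same commit, which has no BGP rule at all; if BGP peers only arrive over tinc_dn42, which is already accepted wholesale by `-A INPUT -i tinc_dn42 -j ACCEPT`, the rule only serves to expose port 179 on eth0, so either add `-i tinc_dn42` or a comment naming the peers expected on eth0. `-A INPUT -p icmpv6 -j ACCEPT` admits every ICMPv6 type where the v4 file enumerates four; that is the common v6 choice, but a one-line comment saying it is deliberate would keep the two files from looking accidentally different.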
diff --git a/roles/linux-ns/files/iptables/iptables.save b/roles/linux-ns/files/iptables/iptables.save
new file mode 100644
index 0000000..7a4504f
--- /dev/null
+++ b/roles/linux-ns/files/iptables/iptables.save
@@ -0,0 +1,22 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i tinc_dn42 -j ACCEPT
+
+-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
+-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
+-A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
+-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+
+# traceroute
+-A INPUT -p udp -m multiport --dports 33434:33534 -j REJECT --reject-with icmp-port-unreachable
+# DNS
+-A INPUT -p udp --dport 53 -j ACCEPT
+-A INPUT -p tcp --dport 53 -j ACCEPT
+
+COMMIT
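Review bot: The INPUT chain ends without the explicit `-A INPUT -j REJECT --reject-with icmp-port-unreachable` that the ip6tables.save in this commit has, so v4 traffic that matches nothing falls through to the DROP policy and is silently discarded while v6 is actively rejected; the two stacks therefore behave differently toward the same probe. If silent drop is intended for v4, a comment above COMMIT saying so would help; otherwise add the matching REJECT as the last INPUT rule. The file also omits the BGP and LG port rules present in the v6 file, which is fine if those services are v6-only inside the namespace, but worth stating in a comment.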
diff --git a/roles/linux-ns/files/systemd/dn42_bird-lg.service b/roles/linux-ns/files/systemd/dn42_bird-lg.service
new file mode 100644
index 0000000..9ea081c
--- /dev/null
+++ b/roles/linux-ns/files/systemd/dn42_bird-lg.service
@@ -0,0 +1,21 @@
+# bird-lg service for DN42
+
+[Unit]
+Description=Run Bird Looking Glass - DN42
+Requires=network-online.target
+After=network-online.target
+After=dn42_namespace.service
+Requires=dn42_namespace.service
+
+[Service]
+ExecStart=/bin/bash /home/lgproxy/lgstart.sh
+User=lgproxy
+WorkingDirectory=/home/lgproxy/
+Environment="LG_PORT=6142"
+Environment="LG_CONFIG_FILE=/home/lgproxy/lg/lg-dn42.cfg"
+NetworkNamespacePath=/run/netns/dn42
+
+[Install]
+WantedBy=default.target
+
+#Type=simple
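Review bot: The unit has no sandboxing directives at all, while dn42_pdns.service in the same commit sets NoNewPrivileges, PrivateTmp, ProtectSystem and related options; this one executes a shell script from `/home/lgproxy` as that user and, per the LG rule in ip6tables.save, listens on eth0, so it is the more exposed service. ProtectHome= cannot be used here because the script and config live under /home, but `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=strict` (plus `ReadWritePaths=` for whatever lgstart.sh writes, which is not visible here) would apply without changing behaviour. The same applies to dn42_bird-lgproxy.service. The trailing `#Type=simple` after [Install] is harmless but belongs in [Service] or out of the file.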
diff --git a/roles/linux-ns/files/systemd/dn42_bird-lgproxy.service b/roles/linux-ns/files/systemd/dn42_bird-lgproxy.service
new file mode 100644
index 0000000..cc48ffb
--- /dev/null
+++ b/roles/linux-ns/files/systemd/dn42_bird-lgproxy.service
@@ -0,0 +1,21 @@
+# bird-lgproxy service for DN42
+
+[Unit]
+Description=Run Bird Looking Glass Proxy
+Requires=network-online.target bird.service
+After=network-online.target dn42_bird.service
+After=dn42_namespace.service
+Requires=dn42_namespace.service
+
+[Service]
+ExecStart=/bin/bash /home/lgproxy/start.sh
+User=lgproxy
+WorkingDirectory=/home/lgproxy/
+Environment="LGPROXY_PORT=6042"
+Environment="LGPROXY_CONFIG_FILE=/home/lgproxy/lgp/lgproxy-dn42.cfg"
+NetworkNamespacePath=/run/netns/dn42
+
+[Install]
+WantedBy=default.target
+
+#Type=simple
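Review bot: `Requires=network-online.target bird.service` names the system-wide bird unit, whereas the ordering line `After=network-online.target dn42_bird.service` names the namespaced one added in this commit; the result is a hard dependency on a unit the proxy does not talk to and only an ordering, not a dependency, on the one it does. If bird.service is absent or disabled the proxy fails to start, and if dn42_bird.service stops the proxy keeps running. Change it to `Requires=network-online.target dn42_bird.service`.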
diff --git a/roles/linux-ns/files/systemd/dn42_bird.service b/roles/linux-ns/files/systemd/dn42_bird.service
new file mode 100644
index 0000000..a4e74fd
--- /dev/null
+++ b/roles/linux-ns/files/systemd/dn42_bird.service
@@ -0,0 +1,27 @@
+# bird service for dn42
+
+[Unit]
+Description=BIRD Internet Routing Daemon - DN42 daemon
+After=network.target
+Wants=dn42_tinc@tn_int.service
+After=dn42_tinc@tn_int.service
+
+[Service]
+EnvironmentFile=/etc/bird/envvars
+ExecStartPre=/bin/sleep 3
+ExecStartPre=/usr/lib/bird/prepare-environment
+ExecStartPre=/usr/sbin/bird -c /etc/bird/dn42/bird.conf -p
+ExecStart=/usr/sbin/bird -c /etc/bird/dn42/bird.conf -f -g bird -u bird -s /var/run/bird/bird_dn42.sock
+ExecReload=/usr/sbin/birdc -s /var/run/bird/bird_dn42.sock configure
+Restart=on-abort
+
+NetworkNamespacePath=/run/netns/dn42
+BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
+ProtectSystem=strict
+# rel: /var/log
+# nope, doesn't work, bird must start with root
+#LogsDirectory=
+ReadWritePaths=/run/bird/ /var/log/bird/dn42/
+
+[Install]
+WantedBy=multi-user.target
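Review bot: `ExecStartPre=/bin/sleep 3` stands in for a missing dependency: the unit joins /run/netns/dn42 via NetworkNamespacePath= but declares neither `Requires=dn42_namespace.service` nor `After=dn42_namespace.service`, only an ordering after dn42_tinc@tn_int.service, which in this commit has no dependency on the namespace unit either. If the namespace does not exist yet when bird starts, the namespace join fails regardless of how long the sleep is. Add `Requires=dn42_namespace.service` and `After=dn42_namespace.service` to [Unit] as the lg, lgproxy, pdns and wg units in this commit do, and drop the sleep once that holds. The two comment lines `# rel: /var/log` and `# nope, doesn't work, bird must start with root` do not say what was tried; a sentence such as "LogsDirectory= is not used because it is created after the privilege drop to the bird user" (if that is what was observed) would make the ReadWritePaths= line understandable.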
diff --git a/roles/linux-ns/files/systemd/dn42_namespace.service b/roles/linux-ns/files/systemd/dn42_namespace.service
new file mode 100644
index 0000000..4034879
--- /dev/null
+++ b/roles/linux-ns/files/systemd/dn42_namespace.service
@@ -0,0 +1,17 @@
+# fine-adjustments, routing, etcpp
+
+[Unit]
+Description=DN42 Network namespace
+After=network-online.target my-netns@dn42.service
+Requires=my-netns@dn42.service
+Before=dn42_tinc@tn_int.service
+WantedBy=dn42_tinc@tn_int.service
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/dn42-route-namespace.sh start
+ExecStop=/usr/local/bin/dn42-route-namespace.sh stop
+RemainAfterExit=yes
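Review bot: `WantedBy=dn42_tinc@tn_int.service` is placed in the [Unit] section, but WantedBy= is an [Install] directive; systemd ignores unknown keys in [Unit] with a warning, so the intended pull-in of the namespace setup by the tinc instance does not happen, and `Before=dn42_tinc@tn_int.service` only orders the two when both are scheduled anyway. Move it to the existing install section as `WantedBy=multi-user.target dn42_tinc@tn_int.service` and re-run `systemctl enable` for the unit. Having [Install] before [Service] is legal but unusual; the other units in the commit use Unit, Service, Install order.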
diff --git a/roles/linux-ns/files/systemd/dn42_pdns.service b/roles/linux-ns/files/systemd/dn42_pdns.service
new file mode 100644
index 0000000..86c61d1
--- /dev/null
+++ b/roles/linux-ns/files/systemd/dn42_pdns.service
@@ -0,0 +1,56 @@
+# powerdns in namespace
+
+[Unit]
+Description=PowerDNS Authoritative Server dn42
+Documentation=man:pdns_server(1) man:pdns_control(1)
+Documentation=https://doc.powerdns.com
+Wants=network-online.target
+After=network-online.target time-sync.target
+After=dn42_namespace.service
+Requires=dn42_namespace.service
+
+[Service]
+ExecStart=/usr/sbin/pdns_server --config-name=dn42 --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no
+SyslogIdentifier=pdns_server-dn42
+User=pdns
+Group=pdns
+Type=notify
+Restart=on-failure
+RestartSec=1
+StartLimitInterval=0
+RuntimeDirectory=pdns-dn42
+
+# Sandboxing
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN
+LockPersonality=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+# Setting PrivateUsers=true prevents us from opening our sockets
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+# ProtectSystem=full will disallow write access to /etc and /usr, possibly
+# not being able to write slaved-zones into sqlite3 or zonefiles.
+ProtectSystem=full
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
+ProtectProc=invisible
+PrivateIPC=true
+RemoveIPC=true
+DevicePolicy=closed
+# Not enabled by default because it does not play well with LuaJIT
+# MemoryDenyWriteExecute=true
+NetworkNamespacePath=/run/netns/dn42
+
+[Install]
+WantedBy=multi-user.target
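Review bot: Unlike the bird, tinc and wg units in this commit, this unit does not bind `/etc/netns/dn42/resolv.conf` over `/etc/resolv.conf`; NetworkNamespacePath= only joins the namespace and does not apply the /etc/netns overlay that `ip netns exec` does, so any resolver lookups pdns makes from inside the namespace would use the host's resolv.conf. If that is intentional for an authoritative server, a comment next to `NetworkNamespacePath=/run/netns/dn42` saying so would stop the next reader from "fixing" it; otherwise add `BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf` as the sibling units do.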
diff --git a/roles/linux-ns/files/systemd/dn42_tinc@.service b/roles/linux-ns/files/systemd/dn42_tinc@.service
new file mode 100644
index 0000000..8949467
--- /dev/null
+++ b/roles/linux-ns/files/systemd/dn42_tinc@.service
@@ -0,0 +1,28 @@
+# tinc inside dn42 namespace
+
+[Unit]
+Description=Tinc net %i in namespace dn42
+Documentation=info:tinc
+Documentation=man:tinc(8) man:tinc.conf(5)
+Documentation=http://tinc-vpn.org/docs/
+PartOf=tinc.service
+ReloadPropagatedFrom=tinc.service
+
+[Service]
+Type=simple
+WorkingDirectory=/etc/tinc/%i
+EnvironmentFile=/etc/default/tinc
+ExecStart=/usr/sbin/tincd -c /etc/tinc/dn42/%i/ -n %i -D --pidfile /run/tinc/dn42/tinc.pid $EXTRA
+ExecReload=/usr/sbin/tincd -c /etc/tinc/dn42/%i/ -n %i --pidfile /run/tinc/dn42/tinc.pid -kHUP
+KillMode=mixed
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=5
+
+NetworkNamespacePath=/run/netns/dn42
+BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
+ProtectSystem=strict
+RuntimeDirectory=./tinc/dn42/
+
+#[Install]
+#WantedBy=tinc.service
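Review bot: `--pidfile /run/tinc/dn42/tinc.pid` on both the ExecStart and ExecReload lines does not include `%i`, so every instance of this template writes the same pid file and `ExecReload` (`-kHUP` resolves the target via that file) signals whichever instance wrote it last. Use `--pidfile /run/tinc/dn42/%i.pid` on both lines. `WorkingDirectory=/etc/tinc/%i` points at the non-dn42 config tree while tincd is started with `-c /etc/tinc/dn42/%i/`, and `RuntimeDirectory=./tinc/dn42/` carries a leading `./` that the documented relative form `RuntimeDirectory=tinc/dn42` does not. As with dn42_bird.service, the unit joins /run/netns/dn42 without any Requires=/After= on dn42_namespace.service, so only the `Before=` in that unit orders them and nothing pulls the namespace in.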
diff --git a/roles/linux-ns/files/systemd/dn42_wg@.service b/roles/linux-ns/files/systemd/dn42_wg@.service
new file mode 100644
index 0000000..16a1ba6
--- /dev/null
+++ b/roles/linux-ns/files/systemd/dn42_wg@.service
@@ -0,0 +1,27 @@
+# wireguard tunnels inside the namespace
+
+[Unit]
+Description=WireGuard via wg-quick(8) for %I
+PartOf=wg-quick.target
+Documentation=man:wg-quick(8)
+Documentation=man:wg(8)
+Documentation=https://www.wireguard.com/
+Documentation=https://www.wireguard.com/quickstart/
+Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
+Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
+After=dn42_namespace.service network-online.target nss-lookup.target
+Requires=dn42_namespace.service network-online.target nss-lookup.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/bin/wg-quick up /etc/wireguard/dn42/%i.conf
+ExecStop=/usr/bin/wg-quick down /etc/wireguard/dn42/%i.conf
+#ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
+Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity
+NetworkNamespacePath=/run/netns/dn42
+BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
+ProtectSystem=strict
+
+[Install]
+WantedBy=multi-user.target
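Review bot: The commented-out `ExecReload` passes the interface as bare `%i` while ExecStart and ExecStop pass `/etc/wireguard/dn42/%i.conf`; if it is ever re-enabled, `wg-quick strip %i` would resolve `/etc/wireguard/%i.conf`, the non-namespaced config, so the line should read `... exec /usr/bin/wg-quick strip /etc/wireguard/dn42/%i.conf)`. `Requires=dn42_namespace.service network-online.target nss-lookup.target` makes the two targets hard dependencies, where the stock wg-quick@ unit uses Wants= for them as far as I recall; a failed target would then keep the tunnel down entirely, which may or may not be what is wanted for a oneshot unit with RemainAfterExit.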
diff --git a/roles/linux-ns/files/systemd/my-netns@.service b/roles/linux-ns/files/systemd/my-netns@.service
new file mode 100644
index 0000000..7368028
--- /dev/null
+++ b/roles/linux-ns/files/systemd/my-netns@.service
@@ -0,0 +1,32 @@
+# actual setup of the minimal namespace
+
+[Unit]
+Description=Named network namespace %I
+Documentation=https://github.com/Jamesits/systemd-named-netns
+
+After=network-pre.target
+Before=network.target network-online.target
+
+[Install]
+WantedBy=network-online.target
+WantedBy=multi-user.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+
+# precaution
+ExecStartPre=-/usr/bin/env ip netns delete %I
+
+# set up netns and bind it to this service
+ExecStart=/usr/bin/flock --no-fork -- /var/run/netns.lock /usr/bin/env ip netns add %I
+ExecStart=/usr/bin/env ip link add veth%I type veth peer vethpeer%I netns %I
+ExecStart=/usr/bin/env ip link set veth%I up
+ExecStart=/usr/bin/env ip netns exec %I ip link set vethpeer%I name eth0
+ExecStart=/usr/bin/env ip netns exec %I ip link set lo up
+ExecStart=/usr/bin/env ip netns exec %I ip link set eth0 up
+
+# remove the netns
+ExecStop=/usr/bin/env ip link del veth%I
+# type veth peer vethpeer%I netns %I
+ExecStop=/usr/bin/env ip netns delete %I
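Review bot: `ExecStartPre=-/usr/bin/env ip netns delete %I` runs outside the flock that protects `ip netns add %I` on the following line and unconditionally removes any namespace of that name, including one not created by this unit; since ExecStop already deletes it, the precaution only matters after an unclean stop. Either take the same lock, `ExecStartPre=-/usr/bin/flock --no-fork -- /var/run/netns.lock /usr/bin/env ip netns delete %I`, or drop the line and let a stale namespace make `ip netns add` fail loudly. The fragment `# type veth peer vethpeer%I netns %I` between the ExecStop lines reads as a leftover; a sentence stating that deleting veth%I also removes its peer inside the namespace would explain why a single `ip link del` suffices.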
diff --git a/roles/linux-ns/files/systemd/readme.txt b/roles/linux-ns/files/systemd/readme.txt
new file mode 100644
index 0000000..99d220e
--- /dev/null
+++ b/roles/linux-ns/files/systemd/readme.txt
@@ -0,0 +1,2 @@
+except my-netns@.service, consider these examples,
+or a "backup" for me. \ No newline at end of file
diff --git a/roles/linux-ns/files/usrlocalbin/dn42-route-namespace.sh b/roles/linux-ns/files/usrlocalbin/dn42-route-namespace.sh
new file mode 100755
index 0000000..44e0e61
--- /dev/null
+++ b/roles/linux-ns/files/usrlocalbin/dn42-route-namespace.sh
@@ -0,0 +1,85 @@
+#!/bin/sh -x
+
+set -eu
+
+# Set public IPv6 network prefix in the form aaaa:bbbb:cccc:dddd
+# (yes, without trailing: or ::)
+hoster_prefix_v6="<insert ipv6 prefix>"
+# hardcoded: use 42 prefix
+ns_prefix_v6="${hoster_prefix_v6}:42"
+
+# insert IPv4 address
+hoster_addr_v4="<insert ipv4>"
+# hardcoded: net
+ns_net_v4="10.42.0.0/24"
+# hardcoded: peer address (inside namespace)
+ns_addr_peer_v4="10.42.0.2/32"
+
+case $- in
+ *x*) debug="-x" ;;
+ *) debug="" ;;
+esac
+
+case "$1" in
+ start)
+ ip netns exec dn42 sh $debug "$0" start-ns
+ ip route add ${ns_net_v4} dev vethdn42
+ ip a add ${ns_prefix_v6}::1/128 dev vethdn42
+ ip route add ${ns_prefix_v6}::2/128 dev vethdn42
+ # hardcoded: route for dn42
+ ip route replace fd00::/8 via ${ns_prefix_v6}::2 dev vethdn42 src fcee::1
+ ;;
+ start-ns)
+ sysctl -w net.ipv6.conf.all.forwarding=1
+
+ ip -4 route flush dev eth0
+ ip -6 route flush dev eth0
+ ip -4 a flush dev eth0
+ ip -6 a flush dev eth0
+
+ ip a add ${ns_addr_peer_v4} dev eth0
+ ip route add ${hoster_addr_v4} dev eth0
+ ip route add default via ${hoster_addr_v4} dev eth0
+
+ ip a add ${ns_prefix_v6}::2/128 dev eth0
+ ip route add ${ns_prefix_v6}::1 dev eth0
+ ip route add default via ${ns_prefix_v6}::1 dev eth0
+
+ # hardcoded: dummy-interface with additional addresses
+ ifup dn42_int
+
+ # hardcoded: Additional rules for (policy) routing.
+ # tables are filled by bird.
+ ip -6 rule add prio 31000 table 210
+ ip -6 rule add prio 32000 table 250
+
+ # hardcoded: iptables
+ iptables-nft-restore < /etc/iptables/netns/dn42/iptables.save
+ ip6tables-nft-restore < /etc/iptables/netns/dn42/ip6tables.save
+ ;;
+ stop)
+ ip -6 route flush dev vethdn42
+ ip -4 route flush dev vethdn42
+
+ ip -6 a flush dev vethdn42
+ ip -4 a flush dev vethdn42
+
+ ip netns exec dn42 sh $debug "$0" stop-ns
+ ;;
+ stop-ns)
+ ifdown dn42_int
+
+ ip -6 route flush dev eth0
+ ip -6 a flush dev eth0
+
+ ip -4 route flush dev eth0
+ ip -4 a flush dev eth0
+
+ ip -6 rule del prio 31000
+ ip -6 rule del prio 32000
+
+ ;;
+ *)
+ echo "Ignore invalid parameter $1" >&2
+ ;;
+esac
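Review bot: The placeholders `hoster_prefix_v6="<insert ipv6 prefix>"` and `hoster_addr_v4="<insert ipv4>"` are used unchecked, so a copy of this file that has not been edited runs `ip a add <insert ipv6 prefix>:42::1/128 ...` and aborts under `set -e` part-way through `start`, after some commands have already altered routing; a guard that refuses to run until both are replaced would fail before any state is touched. `case "$1"` under `set -u` also aborts with a shell "parameter not set" error when no argument is given instead of reaching the `Ignore invalid parameter` branch; `case "${1:-}"` keeps the intended message. The `#!/bin/sh -x` shebang hard-codes xtrace, so the `case $-` detection always yields `-x` and every run is traced; `#!/bin/sh` with the detection kept lets an operator opt in. Separately, tasks/main.yml in this commit is empty, so nothing in the role deploys this script or the iptables and systemd files; the placeholder pattern suggests it is meant to be an Ansible template with the two values as role variables, which the README's Role Variables section could then list.
```shell
hoster_prefix_v6="<insert ipv6 prefix>"
hoster_addr_v4="<insert ipv4>"
# refuse to run until the placeholders above have been replaced
case "${hoster_prefix_v6}${hoster_addr_v4}" in
  *'<insert'*) echo "$0: set hoster_prefix_v6 and hoster_addr_v4 first" >&2; exit 1 ;;
esac
# … unchanged: ns_* derivations and debug detection …
case "${1:-}" in
# … unchanged: start / start-ns / stop / stop-ns / default branches …
```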
diff --git a/roles/linux-ns/handlers/main.yml b/roles/linux-ns/handlers/main.yml
new file mode 100644
index 0000000..144e1c1
--- /dev/null
+++ b/roles/linux-ns/handlers/main.yml
@@ -0,0 +1,2 @@
+---
+# handlers file for linux-ns
diff --git a/roles/linux-ns/meta/main.yml b/roles/linux-ns/meta/main.yml
new file mode 100644
index 0000000..20a965c
--- /dev/null
+++ b/roles/linux-ns/meta/main.yml
@@ -0,0 +1,15 @@
+galaxy_info:
+ author: uvok
+ description: Linux Network Namespace Setup
+
+ # If the issue tracker for your role is not on github, uncomment the
+ # next line and provide a value
+ # issue_tracker_url: http://example.com/issue/tracker
+
+ license: MIT
+
+ min_ansible_version: 2.1
+
+ galaxy_tags: []
+
+dependencies: []
diff --git a/roles/linux-ns/tasks/main.yml b/roles/linux-ns/tasks/main.yml
new file mode 100644
index 0000000..6984b1f
--- /dev/null
+++ b/roles/linux-ns/tasks/main.yml
@@ -0,0 +1,2 @@
+---
+# tasks file for linux-ns
diff --git a/roles/linux-ns/vars/main.yml b/roles/linux-ns/vars/main.yml
new file mode 100644
index 0000000..0635f6c
--- /dev/null
+++ b/roles/linux-ns/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for linux-ns