From a3ee42d1dde090c5baad512ff8707f7e2c068433 Mon Sep 17 00:00:00 2001
From: uvok cheetah
Date: Sun, 9 Feb 2025 17:57:14 +0100
Subject: Linting

---
 deploy-reboot.yml                                  | 15 ++--
 host_vars/firstroot/public                         |  2 +-
 host_vars/hetzner/public                           |  2 +-
 host_vars/netcup/tinc                              |  2 +-
 roles/linux-ns/README.md                           | 34 ---------
 roles/linux-ns/defaults/main.yml                   |  2 -
 roles/linux-ns/files/iptables/ip6tables.save       | 38 ----------
 roles/linux-ns/files/iptables/iptables.save        | 24 ------
 roles/linux-ns/files/systemd/dn42_bird-lg.service  | 24 ------
 .../files/systemd/dn42_bird-lgproxy.service        | 24 ------
 roles/linux-ns/files/systemd/dn42_bird.service     | 25 -------
 .../linux-ns/files/systemd/dn42_namespace.service  | 17 -----
 roles/linux-ns/files/systemd/dn42_nginx.service    | 37 ----------
 roles/linux-ns/files/systemd/dn42_pdns.service     | 55 --------------
 roles/linux-ns/files/systemd/dn42_tinc@.service    | 31 --------
 roles/linux-ns/files/systemd/dn42_wg@.service      | 28 -------
 roles/linux-ns/files/systemd/my-netns@.service     | 30 --------
 roles/linux-ns/files/systemd/readme.txt            |  2 -
 roles/linux-ns/handlers/main.yml                   |  2 -
 roles/linux-ns/meta/main.yml                       | 15 ----
 roles/linux-ns/tasks/main.yml                      |  2 -
 roles/linux-ns/templates/dn42-route-namespace.sh   | 85 ----------------------
 roles/linux-ns/vars/main.yml                       |  2 -
 roles/linux_ns/README.md                           | 34 +++++++++
 roles/linux_ns/defaults/main.yml                   |  2 +
 roles/linux_ns/files/iptables/ip6tables.save       | 38 ++++++++++
 roles/linux_ns/files/iptables/iptables.save        | 24 ++++++
 roles/linux_ns/files/systemd/dn42_bird-lg.service  | 24 ++++++
 .../files/systemd/dn42_bird-lgproxy.service        | 24 ++++++
 roles/linux_ns/files/systemd/dn42_bird.service     | 25 +++++++
 .../linux_ns/files/systemd/dn42_namespace.service  | 17 +++++
 roles/linux_ns/files/systemd/dn42_nginx.service    | 37 ++++++++++
 roles/linux_ns/files/systemd/dn42_pdns.service     | 55 ++++++++++++++
 roles/linux_ns/files/systemd/dn42_tinc@.service    | 31 ++++++++
 roles/linux_ns/files/systemd/dn42_wg@.service      | 28 +++++++
 roles/linux_ns/files/systemd/my-netns@.service     | 30 ++++++++
 roles/linux_ns/files/systemd/readme.txt            |  2 +
 roles/linux_ns/handlers/main.yml                   |  2 +
 roles/linux_ns/meta/main.yml                       | 15 ++++
 roles/linux_ns/tasks/main.yml                      |  2 +
 roles/linux_ns/templates/dn42-route-namespace.sh   | 85 ++++++++++++++++++++++
 roles/linux_ns/vars/main.yml                       |  2 +
 roles/tinc/defaults/main.yml                       | 14 +++-
 roles/tinc/handlers/main.yml                       |  4 +-
 roles/tinc/tasks/main.yml                          |  4 +-
 roles/tinc/tasks/tinc.yml                          |  2 +-
 roles/tinc/templates/tinc-up.j2                    |  6 +-
 roles/tinc/templates/tinc.conf.j2                  |  8 +-
 48 files changed, 511 insertions(+), 502 deletions(-)
 delete mode 100644 roles/linux-ns/README.md
 delete mode 100644 roles/linux-ns/defaults/main.yml
 delete mode 100644 roles/linux-ns/files/iptables/ip6tables.save
 delete mode 100644 roles/linux-ns/files/iptables/iptables.save
 delete mode 100644 roles/linux-ns/files/systemd/dn42_bird-lg.service
 delete mode 100644 roles/linux-ns/files/systemd/dn42_bird-lgproxy.service
 delete mode 100644 roles/linux-ns/files/systemd/dn42_bird.service
 delete mode 100644 roles/linux-ns/files/systemd/dn42_namespace.service
 delete mode 100644 roles/linux-ns/files/systemd/dn42_nginx.service
 delete mode 100644 roles/linux-ns/files/systemd/dn42_pdns.service
 delete mode 100644 roles/linux-ns/files/systemd/dn42_tinc@.service
 delete mode 100644 roles/linux-ns/files/systemd/dn42_wg@.service
 delete mode 100644 roles/linux-ns/files/systemd/my-netns@.service
 delete mode 100644 roles/linux-ns/files/systemd/readme.txt
 delete mode 100644 roles/linux-ns/handlers/main.yml
 delete mode 100644 roles/linux-ns/meta/main.yml
 delete mode 100644 roles/linux-ns/tasks/main.yml
 delete mode 100755 roles/linux-ns/templates/dn42-route-namespace.sh
 delete mode 100644 roles/linux-ns/vars/main.yml
 create mode 100644 roles/linux_ns/README.md
 create mode 100644 roles/linux_ns/defaults/main.yml
 create mode 100644 roles/linux_ns/files/iptables/ip6tables.save
 create mode 100644 roles/linux_ns/files/iptables/iptables.save
 create mode 100644 roles/linux_ns/files/systemd/dn42_bird-lg.service
 create mode 100644 roles/linux_ns/files/systemd/dn42_bird-lgproxy.service
 create mode 100644 roles/linux_ns/files/systemd/dn42_bird.service
 create mode 100644 roles/linux_ns/files/systemd/dn42_namespace.service
 create mode 100644 roles/linux_ns/files/systemd/dn42_nginx.service
 create mode 100644 roles/linux_ns/files/systemd/dn42_pdns.service
 create mode 100644 roles/linux_ns/files/systemd/dn42_tinc@.service
 create mode 100644 roles/linux_ns/files/systemd/dn42_wg@.service
 create mode 100644 roles/linux_ns/files/systemd/my-netns@.service
 create mode 100644 roles/linux_ns/files/systemd/readme.txt
 create mode 100644 roles/linux_ns/handlers/main.yml
 create mode 100644 roles/linux_ns/meta/main.yml
 create mode 100644 roles/linux_ns/tasks/main.yml
 create mode 100755 roles/linux_ns/templates/dn42-route-namespace.sh
 create mode 100644 roles/linux_ns/vars/main.yml

diff --git a/deploy-reboot.yml b/deploy-reboot.yml
index de7bed7..078d6cd 100644
--- a/deploy-reboot.yml
+++ b/deploy-reboot.yml
@@ -1,7 +1,7 @@
 ---
 - name: Deploy conditional reboot service and timer
   hosts: all
-  become: yes
+  become: true
 
   tasks:
     - name: Copy conditional-reboot.service file
@@ -14,8 +14,9 @@
           [Service]
           Type=oneshot
           ExecStart=/bin/sh -c 'if [ -f /var/run/reboot-required ]; then reboot; fi'
+        mode: "0640"
       notify:
-        - reload systemd
+        - Reload systemd
 
     - name: Copy conditional-reboot.timer file
       copy:
@@ -30,17 +31,17 @@
 
           [Install]
           WantedBy=timers.target
+        mode: "0640"
       notify:
-        - reload systemd
+        - Reload systemd
 
     - name: Enable and start conditional-reboot.timer
       systemd:
         name: conditional-reboot.timer
-        enabled: yes
+        enabled: true
         state: started
 
   handlers:
-    - name: reload systemd
+    - name: Reload systemd
       systemd:
-        daemon_reload: yes
-
+        daemon_reload: true
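Review bot: For a commit titled Linting, the modules in this play are still referenced by their short names (`copy:` in the hunk above, `systemd:` twice in this one), which ansible-lint's fqcn rule reports; `ansible.builtin.copy:` and `ansible.builtin.systemd:` would make the play clean under that rule too. The newly added `mode: "0640"` on both unit files is tighter than the 0644 unit files normally carry; systemd reads them as root so startup is unaffected, but unprivileged inspection of the unit (e.g. `systemctl cat`) would presumably fail, so either `mode: "0644"` or a short comment stating why the units are not world-readable would help the next reader. This hunk runs to the end of the file, so the handler list is complete as shown.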
diff --git a/host_vars/firstroot/public b/host_vars/firstroot/public
index 3f931d1..26ea780 100644
--- a/host_vars/firstroot/public
+++ b/host_vars/firstroot/public
@@ -1,4 +1,4 @@
-tinc:
+tinc_options:
   configure: true
   name: firstroot
   connections: [hetzner]
diff --git a/host_vars/hetzner/public b/host_vars/hetzner/public
index 02b9c22..1c2f68f 100644
--- a/host_vars/hetzner/public
+++ b/host_vars/hetzner/public
@@ -1,4 +1,4 @@
-tinc:
+tinc_options:
   configure: true
   name: hetzner
   connections: [netcup]
diff --git a/host_vars/netcup/tinc b/host_vars/netcup/tinc
index 9d49382..4160b55 100644
--- a/host_vars/netcup/tinc
+++ b/host_vars/netcup/tinc
@@ -1,4 +1,4 @@
-tinc:
+tinc_options:
   configure: true
   name: netcup
   connections: [hetzner]
diff --git a/roles/linux-ns/README.md b/roles/linux-ns/README.md
deleted file mode 100644
index cf5808e..0000000
--- a/roles/linux-ns/README.md
+++ /dev/null
@@ -1,34 +0,0 @@
-Linux (Network) Namespaces
-==========================
-
-(Quick and dirty?) setup of a Linux (network) namespace.
-
-Requirements
-------------
-
-Target is Linux.
-
-Role Variables
---------------
-
-???
-
-Dependencies
-------------
-
-None
-
-Example Playbook
-----------------
-
-None
-
-License
--------
-
-Choose your own: MIT / BSD
-
-Author Information
-------------------
-
-uvok.
diff --git a/roles/linux-ns/defaults/main.yml b/roles/linux-ns/defaults/main.yml
deleted file mode 100644
index f7472ec..0000000
--- a/roles/linux-ns/defaults/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-# defaults file for linux-ns
diff --git a/roles/linux-ns/files/iptables/ip6tables.save b/roles/linux-ns/files/iptables/ip6tables.save
deleted file mode 100644
index 036e5a5..0000000
--- a/roles/linux-ns/files/iptables/ip6tables.save
+++ /dev/null
@@ -1,38 +0,0 @@
-*filter
-:INPUT DROP [0:0]
-:FORWARD DROP [0:0]
-:OUTPUT ACCEPT [0:0]
-
--A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
--A INPUT -i lo -j ACCEPT
--A INPUT -i tinc_dn42 -j ACCEPT
-
--A INPUT -p icmpv6 -j ACCEPT
-
-# traceroute
--A INPUT -p udp -m multiport --dports 33434:33534 -j REJECT --reject-with icmp6-port-unreachable
-# DNS
--A INPUT -p udp --dport 53 -j ACCEPT
--A INPUT -p tcp --dport 53 -j ACCEPT
-# BGP
--A INPUT -p tcp --dport 179 -j ACCEPT
-# LG
--A INPUT -i eth0 -p tcp --dport 6042 -j ACCEPT
--A INPUT -i eth0 -p tcp --dport 6142 -j ACCEPT
-
--A INPUT -j REJECT --reject-with icmp6-port-unreachable
-
--A FORWARD -s fd00::/8 -d fd00::/8 -j ACCEPT
-
--A FORWARD -j REJECT --reject-with icmp6-port-unreachable
-
-COMMIT
-
-*mangle
--A PREROUTING -i eth0 -j MARK --set-mark 0x4242
-COMMIT
-
-*nat
--A POSTROUTING -d fd00::/8 -m mark --mark 0x4242 -j MASQUERADE
-COMMIT
diff --git a/roles/linux-ns/files/iptables/iptables.save b/roles/linux-ns/files/iptables/iptables.save
deleted file mode 100644
index 4f72cc5..0000000
--- a/roles/linux-ns/files/iptables/iptables.save
+++ /dev/null
@@ -1,24 +0,0 @@
-*filter
-:INPUT DROP [0:0]
-:FORWARD DROP [0:0]
-:OUTPUT ACCEPT [0:0]
-
--A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
--A INPUT -i lo -j ACCEPT
--A INPUT -i tinc_dn42 -j ACCEPT
-
--A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
--A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
--A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
--A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-
-# traceroute
--A INPUT -p udp -m multiport --dports 33434:33534 -j REJECT --reject-with icmp-port-unreachable
-# DNS
--A INPUT -p udp --dport 53 -j ACCEPT
--A INPUT -p tcp --dport 53 -j ACCEPT
-
--A FORWARD -j REJECT --reject-with icmp-port-unreachable
-
-COMMIT
diff --git a/roles/linux-ns/files/systemd/dn42_bird-lg.service b/roles/linux-ns/files/systemd/dn42_bird-lg.service
deleted file mode 100644
index 85c5358..0000000
--- a/roles/linux-ns/files/systemd/dn42_bird-lg.service
+++ /dev/null
@@ -1,24 +0,0 @@
-[Unit]
-Description=Run Bird Looking Glass - DN42 edition
-Requires=network-online.target
-After=network-online.target
-After=dn42_namespace.service
-Requires=dn42_namespace.service
-
-[Service]
-ExecStart=/bin/bash /home/lgproxy/lgstart.sh
-BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
-User=lgproxy
-WorkingDirectory=/home/lgproxy/
-Environment="LG_PORT=6142"
-Environment="LG_CONFIG_FILE=/home/lgproxy/lg/lg-dn42.cfg"
-NetworkNamespacePath=/run/netns/dn42
-Type=exec
-PrivateTmp=true
-PrivateDevices=true
-PrivateIPC=true
-
-[Install]
-WantedBy=default.target
-
-#Type=simple
diff --git a/roles/linux-ns/files/systemd/dn42_bird-lgproxy.service b/roles/linux-ns/files/systemd/dn42_bird-lgproxy.service
deleted file mode 100644
index 273ab16..0000000
--- a/roles/linux-ns/files/systemd/dn42_bird-lgproxy.service
+++ /dev/null
@@ -1,24 +0,0 @@
-[Unit]
-Description=Run Bird Looking Glass Proxy
-Requires=network-online.target dn42_bird.service
-After=network-online.target dn42_bird.service
-After=dn42_namespace.service
-Requires=dn42_namespace.service
-
-[Service]
-ExecStart=/bin/bash /home/lgproxy/start.sh
-BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
-User=lgproxy
-WorkingDirectory=/home/lgproxy/
-Environment="LGPROXY_PORT=6042"
-Environment="LGPROXY_CONFIG_FILE=/home/lgproxy/lgp/lgproxy-dn42.cfg"
-NetworkNamespacePath=/run/netns/dn42
-Type=exec
-PrivateTmp=true
-PrivateDevices=true
-PrivateIPC=true
-
-[Install]
-WantedBy=default.target
-
-#Type=simple
diff --git a/roles/linux-ns/files/systemd/dn42_bird.service b/roles/linux-ns/files/systemd/dn42_bird.service
deleted file mode 100644
index cbf80f0..0000000
--- a/roles/linux-ns/files/systemd/dn42_bird.service
+++ /dev/null
@@ -1,25 +0,0 @@
-[Unit]
-Description=BIRD Internet Routing Daemon - DN42 daemon
-After=network.target
-Wants=dn42_tinc@tn_int.service
-After=dn42_tinc@tn_int.service
-
-[Service]
-EnvironmentFile=/etc/bird/envvars
-ExecStartPre=/bin/sleep 3
-ExecStartPre=/usr/lib/bird/prepare-environment
-ExecStartPre=/usr/sbin/bird -c /etc/bird/dn42/bird.conf -p
-ExecStart=/usr/sbin/bird -c /etc/bird/dn42/bird.conf -f -g bird -u bird -s /var/run/bird/bird_dn42.sock
-ExecReload=/usr/sbin/birdc -s /var/run/bird/bird_dn42.sock configure
-Restart=on-abort
-
-NetworkNamespacePath=/run/netns/dn42
-BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
-ProtectSystem=strict
-# rel: /var/log
-# nope, doesn't work, bird must start with root
-#LogsDirectory=
-ReadWritePaths=/run/bird/ /var/log/bird/dn42/
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/linux-ns/files/systemd/dn42_namespace.service b/roles/linux-ns/files/systemd/dn42_namespace.service
deleted file mode 100644
index 4034879..0000000
--- a/roles/linux-ns/files/systemd/dn42_namespace.service
+++ /dev/null
@@ -1,17 +0,0 @@
-# fine-adjustments, routing, etcpp
-
-[Unit]
-Description=DN42 Network namespace
-After=network-online.target my-netns@dn42.service
-Requires=my-netns@dn42.service
-Before=dn42_tinc@tn_int.service
-WantedBy=dn42_tinc@tn_int.service
-
-[Install]
-WantedBy=multi-user.target
-
-[Service]
-Type=oneshot
-ExecStart=/usr/local/bin/dn42-route-namespace.sh start
-ExecStop=/usr/local/bin/dn42-route-namespace.sh stop
-RemainAfterExit=yes
diff --git a/roles/linux-ns/files/systemd/dn42_nginx.service b/roles/linux-ns/files/systemd/dn42_nginx.service
deleted file mode 100644
index 43d8a67..0000000
--- a/roles/linux-ns/files/systemd/dn42_nginx.service
+++ /dev/null
@@ -1,37 +0,0 @@
-# Stop dance for nginx
-# =======================
-#
-# ExecStop sends SIGQUIT (graceful stop) to the nginx process.
-# If, after 5s (--retry QUIT/5) nginx is still running, systemd takes control
-# and sends SIGTERM (fast shutdown) to the main process.
-# After another 5s (TimeoutStopSec=5), and if nginx is alive, systemd sends
-# SIGKILL to all the remaining processes in the process group (KillMode=mixed).
-#
-# nginx signals reference doc:
-# http://nginx.org/en/docs/control.html
-#
-[Unit]
-Description=A high performance web server and a reverse proxy server
-Documentation=man:nginx(8)
-After=network-online.target remote-fs.target nss-lookup.target
-Wants=network-online.target
-After=dn42_namespace.service
-Requires=dn42_namespace.service
-
-[Service]
-Type=forking
-PIDFile=/run/dn42_nginx.pid
-ExecStartPre=/usr/sbin/nginx -t -q -c /etc/nginx/dn42/nginx.conf -g 'daemon on; master_process on;'
-ExecStart=/usr/sbin/nginx -c /etc/nginx/dn42/nginx.conf -g 'daemon on; master_process on;'
-ExecReload=/usr/sbin/nginx -c /etc/nginx/dn42/nginx.conf -g 'daemon on; master_process on;' -s reload
-ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/dn42_nginx.pid
-TimeoutStopSec=5
-KillMode=mixed
-NetworkNamespacePath=/run/netns/dn42
-BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
-PrivateTmp=true
-PrivateDevices=true
-PrivateIPC=true
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/linux-ns/files/systemd/dn42_pdns.service b/roles/linux-ns/files/systemd/dn42_pdns.service
deleted file mode 100644
index 45cc367..0000000
--- a/roles/linux-ns/files/systemd/dn42_pdns.service
+++ /dev/null
@@ -1,55 +0,0 @@
-[Unit]
-Description=PowerDNS Authoritative Server dn42
-Documentation=man:pdns_server(1) man:pdns_control(1)
-Documentation=https://doc.powerdns.com
-Wants=network-online.target
-After=network-online.target time-sync.target
-After=dn42_namespace.service
-Requires=dn42_namespace.service
-
-[Service]
-ExecStart=/usr/sbin/pdns_server --config-name=dn42 --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no
-SyslogIdentifier=pdns_server-dn42
-User=pdns
-Group=pdns
-Type=notify
-Restart=on-failure
-RestartSec=1
-StartLimitInterval=0
-RuntimeDirectory=pdns-dn42
-BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
-
-# Sandboxing
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN
-AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN
-LockPersonality=true
-NoNewPrivileges=true
-PrivateDevices=true
-PrivateTmp=true
-# Setting PrivateUsers=true prevents us from opening our sockets
-ProtectClock=true
-ProtectControlGroups=true
-ProtectHome=true
-ProtectHostname=true
-ProtectKernelLogs=true
-ProtectKernelModules=true
-ProtectKernelTunables=true
-# ProtectSystem=full will disallow write access to /etc and /usr, possibly
-# not being able to write slaved-zones into sqlite3 or zonefiles.
-ProtectSystem=full
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-RestrictNamespaces=true
-RestrictRealtime=true
-RestrictSUIDSGID=true
-SystemCallArchitectures=native
-SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
-ProtectProc=invisible
-PrivateIPC=true
-RemoveIPC=true
-DevicePolicy=closed
-# Not enabled by default because it does not play well with LuaJIT
-# MemoryDenyWriteExecute=true
-NetworkNamespacePath=/run/netns/dn42
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/linux-ns/files/systemd/dn42_tinc@.service b/roles/linux-ns/files/systemd/dn42_tinc@.service
deleted file mode 100644
index bf17815..0000000
--- a/roles/linux-ns/files/systemd/dn42_tinc@.service
+++ /dev/null
@@ -1,31 +0,0 @@
-[Unit]
-Description=Tinc net %i in namespace dn42
-Documentation=info:tinc
-Documentation=man:tinc(8) man:tinc.conf(5)
-Documentation=http://tinc-vpn.org/docs/
-PartOf=tinc.service
-ReloadPropagatedFrom=tinc.service
-
-[Service]
-Type=simple
-WorkingDirectory=/etc/tinc/%i
-EnvironmentFile=/etc/default/tinc
-ExecStart=/usr/sbin/tincd -c /etc/tinc/dn42/%i/ -n %i -D --pidfile /run/tinc/dn42/tinc.pid $EXTRA
-ExecReload=/usr/sbin/tincd -c /etc/tinc/dn42/%i/ -n %i --pidfile /run/tinc/dn42/tinc.pid -kHUP
-KillMode=mixed
-Restart=on-failure
-RestartSec=5
-TimeoutStopSec=5
-
-NetworkNamespacePath=/run/netns/dn42
-BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
-ProtectSystem=strict
-RuntimeDirectory=./tinc/dn42/
-
-PrivateTmp=true
-#tun
-#PrivateDevices=true
-PrivateIPC=true
-
-#[Install]
-#WantedBy=tinc.service
diff --git a/roles/linux-ns/files/systemd/dn42_wg@.service b/roles/linux-ns/files/systemd/dn42_wg@.service
deleted file mode 100644
index 0f67fda..0000000
--- a/roles/linux-ns/files/systemd/dn42_wg@.service
+++ /dev/null
@@ -1,28 +0,0 @@
-[Unit]
-Description=WireGuard via wg-quick(8) for %I
-PartOf=wg-quick.target
-Documentation=man:wg-quick(8)
-Documentation=man:wg(8)
-Documentation=https://www.wireguard.com/
-Documentation=https://www.wireguard.com/quickstart/
-Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
-Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
-After=dn42_namespace.service network-online.target nss-lookup.target
-Requires=dn42_namespace.service network-online.target nss-lookup.target
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/usr/bin/wg-quick up /etc/wireguard/dn42/%i.conf
-ExecStop=/usr/bin/wg-quick down /etc/wireguard/dn42/%i.conf
-#ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
-Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity
-NetworkNamespacePath=/run/netns/dn42
-BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
-ProtectSystem=strict
-PrivateTmp=true
-PrivateDevices=true
-PrivateIPC=true
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/linux-ns/files/systemd/my-netns@.service b/roles/linux-ns/files/systemd/my-netns@.service
deleted file mode 100644
index c9735b7..0000000
--- a/roles/linux-ns/files/systemd/my-netns@.service
+++ /dev/null
@@ -1,30 +0,0 @@
-[Unit]
-Description=Named network namespace %I
-Documentation=https://github.com/Jamesits/systemd-named-netns
-
-After=network-pre.target
-Before=network.target network-online.target
-
-[Install]
-WantedBy=network-online.target
-WantedBy=multi-user.target
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-
-# precaution
-ExecStartPre=-/usr/bin/env ip netns delete %I
-
-# set up netns and bind it to this service
-ExecStart=/usr/bin/flock --no-fork -- /var/run/netns.lock /usr/bin/env ip netns add %I
-ExecStart=/usr/bin/env ip link add veth%I type veth peer vethpeer%I netns %I
-ExecStart=/usr/bin/env ip link set veth%I up
-ExecStart=/usr/bin/env ip netns exec %I ip link set vethpeer%I name eth0
-ExecStart=/usr/bin/env ip netns exec %I ip link set lo up
-ExecStart=/usr/bin/env ip netns exec %I ip link set eth0 up
-
-# remove the netns
-ExecStop=/usr/bin/env ip link del veth%I
-# type veth peer vethpeer%I netns %I
-ExecStop=/usr/bin/env ip netns delete %I
diff --git a/roles/linux-ns/files/systemd/readme.txt b/roles/linux-ns/files/systemd/readme.txt
deleted file mode 100644
index 99d220e..0000000
--- a/roles/linux-ns/files/systemd/readme.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-except my-netns@.service, consider these examples,
-or a "backup" for me.
\ No newline at end of file
diff --git a/roles/linux-ns/handlers/main.yml b/roles/linux-ns/handlers/main.yml
deleted file mode 100644
index 144e1c1..0000000
--- a/roles/linux-ns/handlers/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-# handlers file for linux-ns
diff --git a/roles/linux-ns/meta/main.yml b/roles/linux-ns/meta/main.yml
deleted file mode 100644
index 20a965c..0000000
--- a/roles/linux-ns/meta/main.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-galaxy_info:
-  author: uvok
-  description: Linux Network Namespace Setup
-
-  # If the issue tracker for your role is not on github, uncomment the
-  # next line and provide a value
-  # issue_tracker_url: http://example.com/issue/tracker
-
-  license: MIT
-
-  min_ansible_version: 2.1
-
-  galaxy_tags: []
-
-dependencies: []
diff --git a/roles/linux-ns/tasks/main.yml b/roles/linux-ns/tasks/main.yml
deleted file mode 100644
index 6984b1f..0000000
--- a/roles/linux-ns/tasks/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-# tasks file for linux-ns
diff --git a/roles/linux-ns/templates/dn42-route-namespace.sh b/roles/linux-ns/templates/dn42-route-namespace.sh
deleted file mode 100755
index 6822834..0000000
--- a/roles/linux-ns/templates/dn42-route-namespace.sh
+++ /dev/null
@@ -1,85 +0,0 @@
-#!/bin/sh -x
-
-set -eu
-
-# Set public IPv6 network prefix in the form aaaa:bbbb:cccc:dddd
-# (yes, without trailing: or ::)
-hoster_prefix_v6="{{ hoster_ipv6_prefix }}"
-# hardcoded: use 42 prefix
-ns_prefix_v6="${hoster_prefix_v6}:42"
-
-# insert IPv4 address
-hoster_addr_v4="{{ hoster_ipv4_address }}"
-# hardcoded: net
-ns_net_v4="10.42.0.0/24"
-# hardcoded: peer address (inside namespace)
-ns_addr_peer_v4="10.42.0.2/32"
-
-case $- in
-  *x*) debug="-x" ;;
-  *)   debug="" ;;
-esac
-
-case "$1" in
-  start)
-    ip netns exec dn42 sh $debug "$0" start-ns
-    ip route add ${ns_net_v4} dev vethdn42
-    ip a add ${ns_prefix_v6}::1/128 dev vethdn42
-    ip route add ${ns_prefix_v6}::2/128 dev vethdn42
-    # hardcoded: route for dn42
-    ip route replace fd00::/8 via ${ns_prefix_v6}::2 dev vethdn42 src fcee::1
-    ;;
-  start-ns)
-    sysctl -w net.ipv6.conf.all.forwarding=1
-
-    ip -4 route flush dev eth0
-    ip -6 route flush dev eth0
-    ip -4 a flush dev eth0
-    ip -6 a flush dev eth0
-
-    ip a add ${ns_addr_peer_v4} dev eth0
-    ip route add ${hoster_addr_v4} dev eth0
-    ip route add default via ${hoster_addr_v4} dev eth0
-
-    ip a add ${ns_prefix_v6}::2/128 dev eth0
-    ip route add ${ns_prefix_v6}::1 dev eth0
-    ip route add default via ${ns_prefix_v6}::1 dev eth0
-
-    # hardcoded: dummy-interface with additional addresses
-    ifup dn42_int
-
-    # hardcoded: Additional rules for (policy) routing.
-    # tables are filled by bird.
-    ip -6 rule add prio 31000 table 210
-    ip -6 rule add prio 32000 table 250
-
-    # hardcoded: iptables
-    iptables-nft-restore  < /etc/iptables/netns/dn42/iptables.save
-    ip6tables-nft-restore  < /etc/iptables/netns/dn42/ip6tables.save
-    ;;
-  stop)
-    ip -6 route flush dev vethdn42
-    ip -4 route flush dev vethdn42
-
-    ip -6 a flush dev vethdn42
-    ip -4 a flush dev vethdn42
-
-    ip netns exec dn42 sh $debug "$0" stop-ns
-    ;;
-  stop-ns)
-    ifdown dn42_int
-
-    ip -6 route flush dev eth0
-    ip -6 a flush dev eth0
-
-    ip -4 route flush dev eth0
-    ip -4 a flush dev eth0
-
-    ip -6 rule del prio 31000
-    ip -6 rule del prio 32000
-
-    ;;
-  *)
-    echo "Ignore invalid parameter $1" >&2
-    ;;
-esac
diff --git a/roles/linux-ns/vars/main.yml b/roles/linux-ns/vars/main.yml
deleted file mode 100644
index 0635f6c..0000000
--- a/roles/linux-ns/vars/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-# vars file for linux-ns
diff --git a/roles/linux_ns/README.md b/roles/linux_ns/README.md
new file mode 100644
index 0000000..cf5808e
--- /dev/null
+++ b/roles/linux_ns/README.md
@@ -0,0 +1,34 @@
+Linux (Network) Namespaces
+==========================
+
+(Quick and dirty?) setup of a Linux (network) namespace.
+
+Requirements
+------------
+
+Target is Linux.
+
+Role Variables
+--------------
+
+???
+
+Dependencies
+------------
+
+None
+
+Example Playbook
+----------------
+
+None
+
+License
+-------
+
+Choose your own: MIT / BSD
+
+Author Information
+------------------
+
+uvok.
diff --git a/roles/linux_ns/defaults/main.yml b/roles/linux_ns/defaults/main.yml
new file mode 100644
index 0000000..f7472ec
--- /dev/null
+++ b/roles/linux_ns/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+# defaults file for linux-ns
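Review bot: `# defaults file for linux-ns` still names the old directory; after the move to roles/linux_ns it should read `# defaults file for linux_ns`. The diffstat lists the same boilerplate comment for handlers, tasks and vars main.yml, whose new-side copies lie past the end of this chunk and presumably need the same touch.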
diff --git a/roles/linux_ns/files/iptables/ip6tables.save b/roles/linux_ns/files/iptables/ip6tables.save
new file mode 100644
index 0000000..036e5a5
--- /dev/null
+++ b/roles/linux_ns/files/iptables/ip6tables.save
@@ -0,0 +1,38 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i tinc_dn42 -j ACCEPT
+
+-A INPUT -p icmpv6 -j ACCEPT
+
+# traceroute
+-A INPUT -p udp -m multiport --dports 33434:33534 -j REJECT --reject-with icmp6-port-unreachable
+# DNS
+-A INPUT -p udp --dport 53 -j ACCEPT
+-A INPUT -p tcp --dport 53 -j ACCEPT
+# BGP
+-A INPUT -p tcp --dport 179 -j ACCEPT
+# LG
+-A INPUT -i eth0 -p tcp --dport 6042 -j ACCEPT
+-A INPUT -i eth0 -p tcp --dport 6142 -j ACCEPT
+
+-A INPUT -j REJECT --reject-with icmp6-port-unreachable
+
+-A FORWARD -s fd00::/8 -d fd00::/8 -j ACCEPT
+
+-A FORWARD -j REJECT --reject-with icmp6-port-unreachable
+
+COMMIT
+
+*mangle
+-A PREROUTING -i eth0 -j MARK --set-mark 0x4242
+COMMIT
+
+*nat
+-A POSTROUTING -d fd00::/8 -m mark --mark 0x4242 -j MASQUERADE
+COMMIT
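Review bot: `-A INPUT -p icmpv6 -j ACCEPT` accepts every ICMPv6 type on every interface ahead of the rest of the INPUT chain, whereas iptables.save below admits only four ICMP types; on a chain with policy DROP that is a real gap, since eth0 will also accept router advertisements and redirects. Addressing inside the namespace is set up statically by dn42-route-namespace.sh (visible here only on its deleted side: /128 addresses with `via` routes, so neighbour solicitation/advertisement still have to pass), so an explicit type list in the style of the IPv4 file would keep the namespace reachable while dropping the rest; echo replies are already covered by the RELATED,ESTABLISHED rule. A sketch of the replacement for that one line:
```iptables
# ICMPv6: error handling, ping and neighbour discovery only
-A INPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
# … unchanged: traceroute, DNS, BGP, LG rules and the final REJECT …
```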
diff --git a/roles/linux_ns/files/iptables/iptables.save b/roles/linux_ns/files/iptables/iptables.save
new file mode 100644
index 0000000..4f72cc5
--- /dev/null
+++ b/roles/linux_ns/files/iptables/iptables.save
@@ -0,0 +1,24 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i tinc_dn42 -j ACCEPT
+
+-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
+-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
+-A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
+-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+
+# traceroute
+-A INPUT -p udp -m multiport --dports 33434:33534 -j REJECT --reject-with icmp-port-unreachable
+# DNS
+-A INPUT -p udp --dport 53 -j ACCEPT
+-A INPUT -p tcp --dport 53 -j ACCEPT
+
+-A FORWARD -j REJECT --reject-with icmp-port-unreachable
+
+COMMIT
diff --git a/roles/linux_ns/files/systemd/dn42_bird-lg.service b/roles/linux_ns/files/systemd/dn42_bird-lg.service
new file mode 100644
index 0000000..85c5358
--- /dev/null
+++ b/roles/linux_ns/files/systemd/dn42_bird-lg.service
@@ -0,0 +1,24 @@
+[Unit]
+Description=Run Bird Looking Glass - DN42 edition
+Requires=network-online.target
+After=network-online.target
+After=dn42_namespace.service
+Requires=dn42_namespace.service
+
+[Service]
+ExecStart=/bin/bash /home/lgproxy/lgstart.sh
+BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
+User=lgproxy
+WorkingDirectory=/home/lgproxy/
+Environment="LG_PORT=6142"
+Environment="LG_CONFIG_FILE=/home/lgproxy/lg/lg-dn42.cfg"
+NetworkNamespacePath=/run/netns/dn42
+Type=exec
+PrivateTmp=true
+PrivateDevices=true
+PrivateIPC=true
+
+[Install]
+WantedBy=default.target
+
+#Type=simple
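Review bot: The sandboxing here is thin next to dn42_pdns.service in the same directory: the unit runs `/bin/bash /home/lgproxy/lgstart.sh` as `User=lgproxy` with only PrivateTmp/PrivateDevices/PrivateIPC, and dn42_bird-lgproxy.service below has the same layout. `NoNewPrivileges=true` and `ProtectSystem=strict` (with `ReadWritePaths=` for whatever the script writes under /home/lgproxy, which cannot be told from here) are cheap additions for a script-driven listener; ProtectHome cannot be used as written because WorkingDirectory is under /home, though `ProtectHome=tmpfs` plus `BindPaths=/home/lgproxy` would work if the script touches nothing else there. The trailing `#Type=simple` after [Install] is a leftover; drop it, or keep it next to `Type=exec` with a note on why exec was chosen.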
diff --git a/roles/linux_ns/files/systemd/dn42_bird-lgproxy.service b/roles/linux_ns/files/systemd/dn42_bird-lgproxy.service
new file mode 100644
index 0000000..273ab16
--- /dev/null
+++ b/roles/linux_ns/files/systemd/dn42_bird-lgproxy.service
@@ -0,0 +1,24 @@
+[Unit]
+Description=Run Bird Looking Glass Proxy
+Requires=network-online.target dn42_bird.service
+After=network-online.target dn42_bird.service
+After=dn42_namespace.service
+Requires=dn42_namespace.service
+
+[Service]
+ExecStart=/bin/bash /home/lgproxy/start.sh
+BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
+User=lgproxy
+WorkingDirectory=/home/lgproxy/
+Environment="LGPROXY_PORT=6042"
+Environment="LGPROXY_CONFIG_FILE=/home/lgproxy/lgp/lgproxy-dn42.cfg"
+NetworkNamespacePath=/run/netns/dn42
+Type=exec
+PrivateTmp=true
+PrivateDevices=true
+PrivateIPC=true
+
+[Install]
+WantedBy=default.target
+
+#Type=simple
diff --git a/roles/linux_ns/files/systemd/dn42_bird.service b/roles/linux_ns/files/systemd/dn42_bird.service
new file mode 100644
index 0000000..cbf80f0
--- /dev/null
+++ b/roles/linux_ns/files/systemd/dn42_bird.service
@@ -0,0 +1,25 @@
+[Unit]
+Description=BIRD Internet Routing Daemon - DN42 daemon
+After=network.target
+Wants=dn42_tinc@tn_int.service
+After=dn42_tinc@tn_int.service
+
+[Service]
+EnvironmentFile=/etc/bird/envvars
+ExecStartPre=/bin/sleep 3
+ExecStartPre=/usr/lib/bird/prepare-environment
+ExecStartPre=/usr/sbin/bird -c /etc/bird/dn42/bird.conf -p
+ExecStart=/usr/sbin/bird -c /etc/bird/dn42/bird.conf -f -g bird -u bird -s /var/run/bird/bird_dn42.sock
+ExecReload=/usr/sbin/birdc -s /var/run/bird/bird_dn42.sock configure
+Restart=on-abort
+
+NetworkNamespacePath=/run/netns/dn42
+BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
+ProtectSystem=strict
+# rel: /var/log
+# nope, doesn't work, bird must start with root
+#LogsDirectory=
+ReadWritePaths=/run/bird/ /var/log/bird/dn42/
+
+[Install]
+WantedBy=multi-user.target
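Review bot: `ExecStartPre=/bin/sleep 3` is an undocumented fixed delay; given `After=dn42_tinc@tn_int.service` it is presumably waiting for the tn_int interface to exist before bird binds to it, and a flat sleep both slows every restart and can still lose the race on a slow host. At minimum give it a comment, e.g. `# tincd offers no readiness notification; wait for tn_int to appear before bird starts (TODO: replace with an interface wait)`; a better fix is a short ExecStartPre poll on `ip link show tn_int` (Exec* commands already run inside the namespace via NetworkNamespacePath), or a Wants/After on a unit that only completes once the interface exists. Separately, ExecStart and ExecReload use `/var/run/bird/` while `ReadWritePaths=/run/bird/`; identical on hosts where /var/run is a symlink to /run, but the unit reads more clearly if both say `/run/bird/`.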
diff --git a/roles/linux_ns/files/systemd/dn42_namespace.service b/roles/linux_ns/files/systemd/dn42_namespace.service
new file mode 100644
index 0000000..4034879
--- /dev/null
+++ b/roles/linux_ns/files/systemd/dn42_namespace.service
@@ -0,0 +1,17 @@
+# fine-adjustments, routing, etcpp
+
+[Unit]
+Description=DN42 Network namespace
+After=network-online.target my-netns@dn42.service
+Requires=my-netns@dn42.service
+Before=dn42_tinc@tn_int.service
+WantedBy=dn42_tinc@tn_int.service
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/dn42-route-namespace.sh start
+ExecStop=/usr/local/bin/dn42-route-namespace.sh stop
+RemainAfterExit=yes
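Review bot: `WantedBy=dn42_tinc@tn_int.service` sits in the [Unit] section, where WantedBy is not a recognised directive; systemd logs an unknown-key warning and drops it, so the only remaining relation to the tinc instance is `Before=`, which orders but never pulls this unit in. Move it into [Install] (`WantedBy=multi-user.target dn42_tinc@tn_int.service`, then re-enable the unit) or, probably more robust, add `Requires=dn42_namespace.service` and `After=dn42_namespace.service` to dn42_tinc@.service, whose new-side copy is outside this chunk. The leading `# fine-adjustments, routing, etcpp` would also serve better as a one-liner naming the job, e.g. `# Addressing, routes and firewall rules inside the dn42 netns (dn42-route-namespace.sh); the namespace itself is created by my-netns@dn42.service`.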
diff --git a/roles/linux_ns/files/systemd/dn42_nginx.service b/roles/linux_ns/files/systemd/dn42_nginx.service
new file mode 100644
index 0000000..43d8a67
--- /dev/null
+++ b/roles/linux_ns/files/systemd/dn42_nginx.service
@@ -0,0 +1,37 @@
+# Stop dance for nginx
+# =======================
+#
+# ExecStop sends SIGQUIT (graceful stop) to the nginx process.
+# If, after 5s (--retry QUIT/5) nginx is still running, systemd takes control
+# and sends SIGTERM (fast shutdown) to the main process.
+# After another 5s (TimeoutStopSec=5), and if nginx is alive, systemd sends
+# SIGKILL to all the remaining processes in the process group (KillMode=mixed).
+#
+# nginx signals reference doc:
+# http://nginx.org/en/docs/control.html
+#
+[Unit]
+Description=A high performance web server and a reverse proxy server
+Documentation=man:nginx(8)
+After=network-online.target remote-fs.target nss-lookup.target
+Wants=network-online.target
+After=dn42_namespace.service
+Requires=dn42_namespace.service
+
+[Service]
+Type=forking
+PIDFile=/run/dn42_nginx.pid
+ExecStartPre=/usr/sbin/nginx -t -q -c /etc/nginx/dn42/nginx.conf -g 'daemon on; master_process on;'
+ExecStart=/usr/sbin/nginx -c /etc/nginx/dn42/nginx.conf -g 'daemon on; master_process on;'
+ExecReload=/usr/sbin/nginx -c /etc/nginx/dn42/nginx.conf -g 'daemon on; master_process on;' -s reload
+ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/dn42_nginx.pid
+TimeoutStopSec=5
+KillMode=mixed
+NetworkNamespacePath=/run/netns/dn42
+BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
+PrivateTmp=true
+PrivateDevices=true
+PrivateIPC=true
+
+[Install]
+WantedBy=multi-user.target
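Review bot: This unit carries far less sandboxing than the pdns unit added in the same commit: the only restrictions are `PrivateTmp`, `PrivateDevices` and `PrivateIPC`, while the filesystem view, home directories and kernel tunables stay fully writable for a process that terminates network traffic from the dn42 namespace. If the rendered config only writes to its log and cache directories, `ProtectSystem=full` and `ProtectHome=true` are the two lines that cost nothing here, with `ReadWritePaths=` for any extra directory nginx needs. The header comment documents the stop sequence well; a one-line comment on why `PIDFile=/run/dn42_nginx.pid` must match the `pid` directive in `/etc/nginx/dn42/nginx.conf` would help the next editor.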
diff --git a/roles/linux_ns/files/systemd/dn42_pdns.service b/roles/linux_ns/files/systemd/dn42_pdns.service
new file mode 100644
index 0000000..45cc367
--- /dev/null
+++ b/roles/linux_ns/files/systemd/dn42_pdns.service
@@ -0,0 +1,55 @@
+[Unit]
+Description=PowerDNS Authoritative Server dn42
+Documentation=man:pdns_server(1) man:pdns_control(1)
+Documentation=https://doc.powerdns.com
+Wants=network-online.target
+After=network-online.target time-sync.target
+After=dn42_namespace.service
+Requires=dn42_namespace.service
+
+[Service]
+ExecStart=/usr/sbin/pdns_server --config-name=dn42 --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no
+SyslogIdentifier=pdns_server-dn42
+User=pdns
+Group=pdns
+Type=notify
+Restart=on-failure
+RestartSec=1
+StartLimitInterval=0
+RuntimeDirectory=pdns-dn42
+BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
+
+# Sandboxing
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN
+LockPersonality=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+# Setting PrivateUsers=true prevents us from opening our sockets
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+# ProtectSystem=full will disallow write access to /etc and /usr, possibly
+# not being able to write slaved-zones into sqlite3 or zonefiles.
+ProtectSystem=full
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
+ProtectProc=invisible
+PrivateIPC=true
+RemoveIPC=true
+DevicePolicy=closed
+# Not enabled by default because it does not play well with LuaJIT
+# MemoryDenyWriteExecute=true
+NetworkNamespacePath=/run/netns/dn42
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/linux_ns/files/systemd/dn42_tinc@.service b/roles/linux_ns/files/systemd/dn42_tinc@.service
new file mode 100644
index 0000000..bf17815
--- /dev/null
+++ b/roles/linux_ns/files/systemd/dn42_tinc@.service
@@ -0,0 +1,31 @@
+[Unit]
+Description=Tinc net %i in namespace dn42
+Documentation=info:tinc
+Documentation=man:tinc(8) man:tinc.conf(5)
+Documentation=http://tinc-vpn.org/docs/
+PartOf=tinc.service
+ReloadPropagatedFrom=tinc.service
+
+[Service]
+Type=simple
+WorkingDirectory=/etc/tinc/%i
+EnvironmentFile=/etc/default/tinc
+ExecStart=/usr/sbin/tincd -c /etc/tinc/dn42/%i/ -n %i -D --pidfile /run/tinc/dn42/tinc.pid $EXTRA
+ExecReload=/usr/sbin/tincd -c /etc/tinc/dn42/%i/ -n %i --pidfile /run/tinc/dn42/tinc.pid -kHUP
+KillMode=mixed
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=5
+
+NetworkNamespacePath=/run/netns/dn42
+BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
+ProtectSystem=strict
+RuntimeDirectory=./tinc/dn42/
+
+PrivateTmp=true
+#tun
+#PrivateDevices=true
+PrivateIPC=true
+
+#[Install]
+#WantedBy=tinc.service
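Review bot: The pidfile is not instance-specific: both ExecStart and ExecReload use `--pidfile /run/tinc/dn42/tinc.pid`, so a second instance of this template would overwrite the first one's pidfile and `-kHUP` on reload would signal the wrong daemon; `--pidfile /run/tinc/dn42/%i.pid` keeps them apart. `WorkingDirectory=/etc/tinc/%i` also does not match the config path `-c /etc/tinc/dn42/%i/`, and a missing working directory is a fatal start error unless the path is prefixed with `-`; `WorkingDirectory=/etc/tinc/dn42/%i` is presumably what was meant. `RuntimeDirectory=./tinc/dn42/` should be written as the documented relative form `RuntimeDirectory=tinc/dn42`, and the commented-out `[Install]` section deserves a comment stating that the unit is only reached through `Wants=` from dn42_bird.service.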
diff --git a/roles/linux_ns/files/systemd/dn42_wg@.service b/roles/linux_ns/files/systemd/dn42_wg@.service
new file mode 100644
index 0000000..0f67fda
--- /dev/null
+++ b/roles/linux_ns/files/systemd/dn42_wg@.service
@@ -0,0 +1,28 @@
+[Unit]
+Description=WireGuard via wg-quick(8) for %I
+PartOf=wg-quick.target
+Documentation=man:wg-quick(8)
+Documentation=man:wg(8)
+Documentation=https://www.wireguard.com/
+Documentation=https://www.wireguard.com/quickstart/
+Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
+Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
+After=dn42_namespace.service network-online.target nss-lookup.target
+Requires=dn42_namespace.service network-online.target nss-lookup.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/bin/wg-quick up /etc/wireguard/dn42/%i.conf
+ExecStop=/usr/bin/wg-quick down /etc/wireguard/dn42/%i.conf
+#ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
+Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity
+NetworkNamespacePath=/run/netns/dn42
+BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
+ProtectSystem=strict
+PrivateTmp=true
+PrivateDevices=true
+PrivateIPC=true
+
+[Install]
+WantedBy=multi-user.target
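Review bot: `Requires=dn42_namespace.service network-online.target nss-lookup.target` makes the two targets hard dependencies, so stopping either target also stops the tunnel; upstream wg-quick@.service lists them under `Wants=` and only the namespace unit needs `Requires=` here. The split would be `Requires=dn42_namespace.service` plus `Wants=network-online.target nss-lookup.target`, keeping the existing `After=` line. The commented-out ExecReload line would read better with a one-line note on why it is disabled.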
diff --git a/roles/linux_ns/files/systemd/my-netns@.service b/roles/linux_ns/files/systemd/my-netns@.service
new file mode 100644
index 0000000..c9735b7
--- /dev/null
+++ b/roles/linux_ns/files/systemd/my-netns@.service
@@ -0,0 +1,30 @@
+[Unit]
+Description=Named network namespace %I
+Documentation=https://github.com/Jamesits/systemd-named-netns
+
+After=network-pre.target
+Before=network.target network-online.target
+
+[Install]
+WantedBy=network-online.target
+WantedBy=multi-user.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+
+# precaution
+ExecStartPre=-/usr/bin/env ip netns delete %I
+
+# set up netns and bind it to this service
+ExecStart=/usr/bin/flock --no-fork -- /var/run/netns.lock /usr/bin/env ip netns add %I
+ExecStart=/usr/bin/env ip link add veth%I type veth peer vethpeer%I netns %I
+ExecStart=/usr/bin/env ip link set veth%I up
+ExecStart=/usr/bin/env ip netns exec %I ip link set vethpeer%I name eth0
+ExecStart=/usr/bin/env ip netns exec %I ip link set lo up
+ExecStart=/usr/bin/env ip netns exec %I ip link set eth0 up
+
+# remove the netns
+ExecStop=/usr/bin/env ip link del veth%I
+# type veth peer vethpeer%I netns %I
+ExecStop=/usr/bin/env ip netns delete %I
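Review bot: Interface names are limited to 15 characters on Linux, and `vethpeer%I` uses eight of them, so `ip link add` fails for any instance name longer than seven characters while `ip netns add` has already succeeded; the unit should say so, e.g. `# instance name must be <= 7 chars: "vethpeer%I" must fit IFNAMSIZ`. The lock in `flock --no-fork -- /var/run/netns.lock` covers only `ip netns add`, not the `ExecStartPre` delete, which is fine as long as that remains a best-effort precaution as the comment says. `ExecStop=/usr/bin/env ip link del veth%I` removes the pair before the namespace is deleted, which is the right order; the trailing `# type veth peer ...` comment looks like a leftover and could go.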
diff --git a/roles/linux_ns/files/systemd/readme.txt b/roles/linux_ns/files/systemd/readme.txt
new file mode 100644
index 0000000..99d220e
--- /dev/null
+++ b/roles/linux_ns/files/systemd/readme.txt
@@ -0,0 +1,2 @@
+except my-netns@.service, consider these examples,
+or a "backup" for me.
\ No newline at end of file
diff --git a/roles/linux_ns/handlers/main.yml b/roles/linux_ns/handlers/main.yml
new file mode 100644
index 0000000..144e1c1
--- /dev/null
+++ b/roles/linux_ns/handlers/main.yml
@@ -0,0 +1,2 @@
+---
+# handlers file for linux-ns
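Review bot: The comment still names the role `linux-ns` although this commit moves it to `roles/linux_ns`; the same stale name is in tasks/main.yml and vars/main.yml. `# handlers file for linux_ns` keeps the stubs in step with the rename.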
diff --git a/roles/linux_ns/meta/main.yml b/roles/linux_ns/meta/main.yml
new file mode 100644
index 0000000..088c53c
--- /dev/null
+++ b/roles/linux_ns/meta/main.yml
@@ -0,0 +1,15 @@
+galaxy_info:
+  author: uvok
+  description: Linux Network Namespace Setup
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  license: MIT
+
+  min_ansible_version: "2.1"
+
+  galaxy_tags: []
+
+dependencies: []
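Review bot: This file is the only one of the new role stubs without a `---` document start, which yamllint's document-start rule flags and which the sibling handlers/tasks/vars files already have; add `---` as the first line. `min_ansible_version: "2.1"` is correctly quoted so it is not read as a float.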
diff --git a/roles/linux_ns/tasks/main.yml b/roles/linux_ns/tasks/main.yml
new file mode 100644
index 0000000..6984b1f
--- /dev/null
+++ b/roles/linux_ns/tasks/main.yml
@@ -0,0 +1,2 @@
+---
+# tasks file for linux-ns
diff --git a/roles/linux_ns/templates/dn42-route-namespace.sh b/roles/linux_ns/templates/dn42-route-namespace.sh
new file mode 100755
index 0000000..6822834
--- /dev/null
+++ b/roles/linux_ns/templates/dn42-route-namespace.sh
@@ -0,0 +1,85 @@
+#!/bin/sh -x
+
+set -eu
+
+# Set public IPv6 network prefix in the form aaaa:bbbb:cccc:dddd
+# (yes, without trailing: or ::)
+hoster_prefix_v6="{{ hoster_ipv6_prefix }}"
+# hardcoded: use 42 prefix
+ns_prefix_v6="${hoster_prefix_v6}:42"
+
+# insert IPv4 address
+hoster_addr_v4="{{ hoster_ipv4_address }}"
+# hardcoded: net
+ns_net_v4="10.42.0.0/24"
+# hardcoded: peer address (inside namespace)
+ns_addr_peer_v4="10.42.0.2/32"
+
+case $- in
+  *x*) debug="-x" ;;
+  *)   debug="" ;;
+esac
+
+case "$1" in
+  start)
+    ip netns exec dn42 sh $debug "$0" start-ns
+    ip route add ${ns_net_v4} dev vethdn42
+    ip a add ${ns_prefix_v6}::1/128 dev vethdn42
+    ip route add ${ns_prefix_v6}::2/128 dev vethdn42
+    # hardcoded: route for dn42
+    ip route replace fd00::/8 via ${ns_prefix_v6}::2 dev vethdn42 src fcee::1
+    ;;
+  start-ns)
+    sysctl -w net.ipv6.conf.all.forwarding=1
+
+    ip -4 route flush dev eth0
+    ip -6 route flush dev eth0
+    ip -4 a flush dev eth0
+    ip -6 a flush dev eth0
+
+    ip a add ${ns_addr_peer_v4} dev eth0
+    ip route add ${hoster_addr_v4} dev eth0
+    ip route add default via ${hoster_addr_v4} dev eth0
+
+    ip a add ${ns_prefix_v6}::2/128 dev eth0
+    ip route add ${ns_prefix_v6}::1 dev eth0
+    ip route add default via ${ns_prefix_v6}::1 dev eth0
+
+    # hardcoded: dummy-interface with additional addresses
+    ifup dn42_int
+
+    # hardcoded: Additional rules for (policy) routing.
+    # tables are filled by bird.
+    ip -6 rule add prio 31000 table 210
+    ip -6 rule add prio 32000 table 250
+
+    # hardcoded: iptables
+    iptables-nft-restore  < /etc/iptables/netns/dn42/iptables.save
+    ip6tables-nft-restore  < /etc/iptables/netns/dn42/ip6tables.save
+    ;;
+  stop)
+    ip -6 route flush dev vethdn42
+    ip -4 route flush dev vethdn42
+
+    ip -6 a flush dev vethdn42
+    ip -4 a flush dev vethdn42
+
+    ip netns exec dn42 sh $debug "$0" stop-ns
+    ;;
+  stop-ns)
+    ifdown dn42_int
+
+    ip -6 route flush dev eth0
+    ip -6 a flush dev eth0
+
+    ip -4 route flush dev eth0
+    ip -4 a flush dev eth0
+
+    ip -6 rule del prio 31000
+    ip -6 rule del prio 32000
+
+    ;;
+  *)
+    echo "Ignore invalid parameter $1" >&2
+    ;;
+esac
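Review bot: `case "$1" in` runs under `set -eu`, so invoking the script without an argument aborts with an unbound-parameter error instead of reaching the `*)` branch; `case "${1:-}" in` keeps the intended fallback. That fallback then exits 0, so a typo in the unit's ExecStart reports success to systemd and leaves the namespace unrouted; `exit 2` after the echo would make the failure visible. The `start` branch uses `ip route add`, which fails under `set -e` if a route already exists, while the fd00::/8 route uses `replace`; the non-idempotent lines should either use `replace` or carry a comment stating that `start` must only run once per namespace lifetime. The values templated in from `hoster_ipv6_prefix` and `hoster_ipv4_address` are substituted unvalidated into commands run as root, which is acceptable for inventory data but worth a comment at the top.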
diff --git a/roles/linux_ns/vars/main.yml b/roles/linux_ns/vars/main.yml
new file mode 100644
index 0000000..0635f6c
--- /dev/null
+++ b/roles/linux_ns/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for linux-ns
diff --git a/roles/tinc/defaults/main.yml b/roles/tinc/defaults/main.yml
index 64aa1e7..d493ac2 100644
--- a/roles/tinc/defaults/main.yml
+++ b/roles/tinc/defaults/main.yml
@@ -1,3 +1,11 @@
-tinc_netname: tn_int
-tinc:
-  configure: false
\ No newline at end of file
+tinc_options:
+  configure: false
+  netname: tn_int
+  name: example
+  connections: [example]
+  address:
+    - fe80::/64
+    - 10.0.0.1/32
+  listen_on: any
+  extra_up:
+    - echo configured
diff --git a/roles/tinc/handlers/main.yml b/roles/tinc/handlers/main.yml
index 56b5829..1fa1217 100644
--- a/roles/tinc/handlers/main.yml
+++ b/roles/tinc/handlers/main.yml
@@ -5,7 +5,7 @@
 - name: Stop Tinc
   listen: configure tinc
   service:
-    name: "tinc@{{ tinc_netname }}"
+    name: "tinc@{{ tinc_options.netname }}"
     state: stopped
 - name: Wait
   listen: configure tinc
@@ -14,5 +14,5 @@
 - name: Start Tinc
   listen: configure tinc
   service:
-    name: "tinc@{{ tinc_netname }}"
+    name: "tinc@{{ tinc_options.netname }}"
     state: started
diff --git a/roles/tinc/tasks/main.yml b/roles/tinc/tasks/main.yml
index 4cfc7cd..8a9b44d 100644
--- a/roles/tinc/tasks/main.yml
+++ b/roles/tinc/tasks/main.yml
@@ -8,5 +8,5 @@
   import_tasks: tinc.yml
   when:
     - tinc is defined
-    - tinc.configure is defined
-    - tinc.configure
+    - tinc_options.configure is defined
+    - tinc_options.configure
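Review bot: The first condition of the `when:` list still reads `- tinc is defined`, while the commit drops the `tinc` variable from the role defaults and moves everything under `tinc_options`; with only `tinc_options` set, `tinc.yml` is never imported. It should be `- tinc_options is defined` to match the two lines changed below it. The enclosing task begins above this hunk.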
diff --git a/roles/tinc/tasks/tinc.yml b/roles/tinc/tasks/tinc.yml
index 7453811..c97c180 100644
--- a/roles/tinc/tasks/tinc.yml
+++ b/roles/tinc/tasks/tinc.yml
@@ -38,7 +38,7 @@
     - exec
 - name: Ensure tinc is enabled
   service:
-    name: "tinc@{{ tinc_netname }}"
+    name: "tinc@{{ tinc_options.netname }}"
     daemon_reload: true
     enabled: true
   when: ansible_os_family != "OpenWrt"
diff --git a/roles/tinc/templates/tinc-up.j2 b/roles/tinc/templates/tinc-up.j2
index 92aa782..ea81512 100755
--- a/roles/tinc/templates/tinc-up.j2
+++ b/roles/tinc/templates/tinc-up.j2
@@ -1,11 +1,11 @@
 #!/bin/sh
 ip link set $INTERFACE up
 ip -6 addr flush dev $INTERFACE
-{% for addr in tinc.address %}
+{% for addr in tinc_options.address %}
 ip addr add {{ addr }} dev $INTERFACE
 {% endfor %}
-{% if tinc.extra_up is defined %}
-{% for cmd in tinc.extra_up %}
+{% if tinc_options.extra_up is defined %}
+{% for cmd in tinc_options.extra_up %}
 {{ cmd }}
 {% endfor %}
 {% endif %}
diff --git a/roles/tinc/templates/tinc.conf.j2 b/roles/tinc/templates/tinc.conf.j2
index b7011e1..aa639ab 100644
--- a/roles/tinc/templates/tinc.conf.j2
+++ b/roles/tinc/templates/tinc.conf.j2
@@ -1,11 +1,11 @@
-Name = {{ tinc.name }}
-{% if tinc.listen_on is defined %}
-AddressFamily = {{ tinc.listen_on }}
+Name = {{ tinc_options.name }}
+{% if tinc_options.listen_on is defined %}
+AddressFamily = {{ tinc_options.listen_on }}
 {% else %}
 AddressFamily = ipv6
 {% endif %}
 Interface = tn_int
 Mode = switch
-{% for conn in tinc.connections %}
+{% for conn in tinc_options.connections %}
 ConnectTo = {{ conn }}
 {% endfor %}
-- 
cgit v1.2.3