From a3ee42d1dde090c5baad512ff8707f7e2c068433 Mon Sep 17 00:00:00 2001 
From: uvok cheetah Date: Sun, 9 Feb 2025 17:57:14 +0100 Subject: Linting --- roles/linux-ns/README.md | 34 --------- roles/linux-ns/defaults/main.yml | 2 - roles/linux-ns/files/iptables/ip6tables.save | 38 ---------- roles/linux-ns/files/iptables/iptables.save | 24 ------ roles/linux-ns/files/systemd/dn42_bird-lg.service | 24 ------ .../files/systemd/dn42_bird-lgproxy.service | 24 ------ roles/linux-ns/files/systemd/dn42_bird.service | 25 ------- .../linux-ns/files/systemd/dn42_namespace.service | 17 ----- roles/linux-ns/files/systemd/dn42_nginx.service | 37 ---------- roles/linux-ns/files/systemd/dn42_pdns.service | 55 -------------- roles/linux-ns/files/systemd/dn42_tinc@.service | 31 -------- roles/linux-ns/files/systemd/dn42_wg@.service | 28 ------- roles/linux-ns/files/systemd/my-netns@.service | 30 -------- roles/linux-ns/files/systemd/readme.txt | 2 - roles/linux-ns/handlers/main.yml | 2 - roles/linux-ns/meta/main.yml | 15 ---- roles/linux-ns/tasks/main.yml | 2 - roles/linux-ns/templates/dn42-route-namespace.sh | 85 ---------------------- roles/linux-ns/vars/main.yml | 2 - roles/linux_ns/README.md | 34 +++++++++ roles/linux_ns/defaults/main.yml | 2 + roles/linux_ns/files/iptables/ip6tables.save | 38 ++++++++++ roles/linux_ns/files/iptables/iptables.save | 24 ++++++ roles/linux_ns/files/systemd/dn42_bird-lg.service | 24 ++++++ .../files/systemd/dn42_bird-lgproxy.service | 24 ++++++ roles/linux_ns/files/systemd/dn42_bird.service | 25 +++++++ .../linux_ns/files/systemd/dn42_namespace.service | 17 +++++ roles/linux_ns/files/systemd/dn42_nginx.service | 37 ++++++++++ roles/linux_ns/files/systemd/dn42_pdns.service | 55 ++++++++++++++ roles/linux_ns/files/systemd/dn42_tinc@.service | 31 ++++++++ roles/linux_ns/files/systemd/dn42_wg@.service | 28 +++++++ roles/linux_ns/files/systemd/my-netns@.service | 30 ++++++++ roles/linux_ns/files/systemd/readme.txt | 2 + roles/linux_ns/handlers/main.yml | 2 + roles/linux_ns/meta/main.yml | 15 ++++ roles/linux_ns/tasks/main.yml 
| 2 + roles/linux_ns/templates/dn42-route-namespace.sh | 85 ++++++++++++++++++++++ roles/linux_ns/vars/main.yml | 2 + roles/tinc/defaults/main.yml | 14 +++- roles/tinc/handlers/main.yml | 4 +- roles/tinc/tasks/main.yml | 4 +- roles/tinc/tasks/tinc.yml | 2 +- roles/tinc/templates/tinc-up.j2 | 6 +- roles/tinc/templates/tinc.conf.j2 | 8 +- 44 files changed, 500 insertions(+), 492 deletions(-) delete mode 100644 roles/linux-ns/README.md delete mode 100644 roles/linux-ns/defaults/main.yml delete mode 100644 roles/linux-ns/files/iptables/ip6tables.save delete mode 100644 roles/linux-ns/files/iptables/iptables.save delete mode 100644 roles/linux-ns/files/systemd/dn42_bird-lg.service delete mode 100644 roles/linux-ns/files/systemd/dn42_bird-lgproxy.service delete mode 100644 roles/linux-ns/files/systemd/dn42_bird.service delete mode 100644 roles/linux-ns/files/systemd/dn42_namespace.service delete mode 100644 roles/linux-ns/files/systemd/dn42_nginx.service delete mode 100644 roles/linux-ns/files/systemd/dn42_pdns.service delete mode 100644 roles/linux-ns/files/systemd/dn42_tinc@.service delete mode 100644 roles/linux-ns/files/systemd/dn42_wg@.service delete mode 100644 roles/linux-ns/files/systemd/my-netns@.service delete mode 100644 roles/linux-ns/files/systemd/readme.txt delete mode 100644 roles/linux-ns/handlers/main.yml delete mode 100644 roles/linux-ns/meta/main.yml delete mode 100644 roles/linux-ns/tasks/main.yml delete mode 100755 roles/linux-ns/templates/dn42-route-namespace.sh delete mode 100644 roles/linux-ns/vars/main.yml create mode 100644 roles/linux_ns/README.md create mode 100644 roles/linux_ns/defaults/main.yml create mode 100644 roles/linux_ns/files/iptables/ip6tables.save create mode 100644 roles/linux_ns/files/iptables/iptables.save create mode 100644 roles/linux_ns/files/systemd/dn42_bird-lg.service create mode 100644 roles/linux_ns/files/systemd/dn42_bird-lgproxy.service create mode 100644 roles/linux_ns/files/systemd/dn42_bird.service create mode 
100644 roles/linux_ns/files/systemd/dn42_namespace.service create mode 100644 roles/linux_ns/files/systemd/dn42_nginx.service create mode 100644 roles/linux_ns/files/systemd/dn42_pdns.service create mode 100644 roles/linux_ns/files/systemd/dn42_tinc@.service create mode 100644 roles/linux_ns/files/systemd/dn42_wg@.service create mode 100644 roles/linux_ns/files/systemd/my-netns@.service create mode 100644 roles/linux_ns/files/systemd/readme.txt create mode 100644 roles/linux_ns/handlers/main.yml create mode 100644 roles/linux_ns/meta/main.yml create mode 100644 roles/linux_ns/tasks/main.yml create mode 100755 roles/linux_ns/templates/dn42-route-namespace.sh create mode 100644 roles/linux_ns/vars/main.yml (limited to 'roles') diff --git a/roles/linux-ns/README.md b/roles/linux-ns/README.md deleted file mode 100644 index cf5808e..0000000 --- a/roles/linux-ns/README.md +++ /dev/null @@ -1,34 +0,0 @@ -Linux (Network) Namespaces -========================== - -(Quick and dirty?) setup of a Linux (network) namespace. - -Requirements ------------- - -Target is Linux. - -Role Variables --------------- - -??? - -Dependencies ------------- - -None - -Example Playbook ----------------- - -None - -License -------- - -Choose your own: MIT / BSD - -Author Information ------------------- - -uvok. diff --git a/roles/linux-ns/defaults/main.yml b/roles/linux-ns/defaults/main.yml deleted file mode 100644 index f7472ec..0000000 --- a/roles/linux-ns/defaults/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -# defaults file for linux-ns diff --git a/roles/linux-ns/files/iptables/ip6tables.save b/roles/linux-ns/files/iptables/ip6tables.save deleted file mode 100644 index 036e5a5..0000000 --- a/roles/linux-ns/files/iptables/ip6tables.save +++ /dev/null 
@@ -1,38 +0,0 @@ -*filter -:INPUT DROP [0:0] -:FORWARD DROP [0:0] -:OUTPUT ACCEPT [0:0] - --A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - --A INPUT -i lo -j ACCEPT --A INPUT -i tinc_dn42 -j ACCEPT - --A INPUT -p icmpv6 -j ACCEPT - -# traceroute --A INPUT -p udp -m multiport --dports 33434:33534 -j REJECT --reject-with icmp6-port-unreachable -# DNS --A INPUT -p udp --dport 53 -j ACCEPT --A INPUT -p tcp --dport 53 -j ACCEPT -# BGP --A INPUT -p tcp --dport 179 -j ACCEPT -# LG --A INPUT -i eth0 -p tcp --dport 6042 -j ACCEPT --A INPUT -i eth0 -p tcp --dport 6142 -j ACCEPT - --A INPUT -j REJECT --reject-with icmp6-port-unreachable - --A FORWARD -s fd00::/8 -d fd00::/8 -j ACCEPT - --A FORWARD -j REJECT --reject-with icmp6-port-unreachable - -COMMIT - -*mangle --A PREROUTING -i eth0 -j MARK --set-mark 0x4242 -COMMIT - -*nat --A POSTROUTING -d fd00::/8 -m mark --mark 0x4242 -j MASQUERADE -COMMIT diff --git a/roles/linux-ns/files/iptables/iptables.save b/roles/linux-ns/files/iptables/iptables.save deleted file mode 100644 index 4f72cc5..0000000 --- a/roles/linux-ns/files/iptables/iptables.save +++ /dev/null @@ -1,24 +0,0 @@ -*filter -:INPUT DROP [0:0] -:FORWARD DROP [0:0] -:OUTPUT ACCEPT [0:0] - --A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - --A INPUT -i lo -j ACCEPT --A INPUT -i tinc_dn42 -j ACCEPT - --A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT --A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT --A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT --A INPUT -p icmp --icmp-type echo-request -j ACCEPT - -# traceroute --A INPUT -p udp -m multiport --dports 33434:33534 -j REJECT --reject-with icmp-port-unreachable -# DNS --A INPUT -p udp --dport 53 -j ACCEPT --A INPUT -p tcp --dport 53 -j ACCEPT - --A FORWARD -j REJECT --reject-with icmp-port-unreachable - -COMMIT 
diff --git a/roles/linux-ns/files/systemd/dn42_bird-lg.service b/roles/linux-ns/files/systemd/dn42_bird-lg.service deleted file mode 100644 index 85c5358..0000000 --- a/roles/linux-ns/files/systemd/dn42_bird-lg.service +++ /dev/null @@ -1,24 +0,0 @@ -[Unit] -Description=Run Bird Looking Glass - DN42 edition -Requires=network-online.target -After=network-online.target -After=dn42_namespace.service -Requires=dn42_namespace.service - -[Service] -ExecStart=/bin/bash /home/lgproxy/lgstart.sh -BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf -User=lgproxy -WorkingDirectory=/home/lgproxy/ -Environment="LG_PORT=6142" -Environment="LG_CONFIG_FILE=/home/lgproxy/lg/lg-dn42.cfg" -NetworkNamespacePath=/run/netns/dn42 -Type=exec -PrivateTmp=true -PrivateDevices=true -PrivateIPC=true - -[Install] -WantedBy=default.target - -#Type=simple diff --git a/roles/linux-ns/files/systemd/dn42_bird-lgproxy.service b/roles/linux-ns/files/systemd/dn42_bird-lgproxy.service deleted file mode 100644 index 273ab16..0000000 --- a/roles/linux-ns/files/systemd/dn42_bird-lgproxy.service +++ /dev/null @@ -1,24 +0,0 @@ -[Unit] -Description=Run Bird Looking Glass Proxy -Requires=network-online.target dn42_bird.service -After=network-online.target dn42_bird.service -After=dn42_namespace.service -Requires=dn42_namespace.service - -[Service] -ExecStart=/bin/bash /home/lgproxy/start.sh -BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf -User=lgproxy -WorkingDirectory=/home/lgproxy/ -Environment="LGPROXY_PORT=6042" -Environment="LGPROXY_CONFIG_FILE=/home/lgproxy/lgp/lgproxy-dn42.cfg" -NetworkNamespacePath=/run/netns/dn42 -Type=exec -PrivateTmp=true -PrivateDevices=true -PrivateIPC=true - -[Install] -WantedBy=default.target - -#Type=simple diff --git a/roles/linux-ns/files/systemd/dn42_bird.service b/roles/linux-ns/files/systemd/dn42_bird.service deleted file mode 100644 index cbf80f0..0000000 --- a/roles/linux-ns/files/systemd/dn42_bird.service +++ /dev/null 
@@ -1,25 +0,0 @@ -[Unit] -Description=BIRD Internet Routing Daemon - DN42 daemon -After=network.target -Wants=dn42_tinc@tn_int.service -After=dn42_tinc@tn_int.service - -[Service] -EnvironmentFile=/etc/bird/envvars -ExecStartPre=/bin/sleep 3 -ExecStartPre=/usr/lib/bird/prepare-environment -ExecStartPre=/usr/sbin/bird -c /etc/bird/dn42/bird.conf -p -ExecStart=/usr/sbin/bird -c /etc/bird/dn42/bird.conf -f -g bird -u bird -s /var/run/bird/bird_dn42.sock -ExecReload=/usr/sbin/birdc -s /var/run/bird/bird_dn42.sock configure -Restart=on-abort - -NetworkNamespacePath=/run/netns/dn42 -BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf -ProtectSystem=strict -# rel: /var/log -# nope, doesn't work, bird must start with root -#LogsDirectory= -ReadWritePaths=/run/bird/ /var/log/bird/dn42/ - -[Install] -WantedBy=multi-user.target diff --git a/roles/linux-ns/files/systemd/dn42_namespace.service b/roles/linux-ns/files/systemd/dn42_namespace.service deleted file mode 100644 index 4034879..0000000 --- a/roles/linux-ns/files/systemd/dn42_namespace.service +++ /dev/null @@ -1,17 +0,0 @@ -# fine-adjustments, routing, etcpp - -[Unit] -Description=DN42 Network namespace -After=network-online.target my-netns@dn42.service -Requires=my-netns@dn42.service -Before=dn42_tinc@tn_int.service -WantedBy=dn42_tinc@tn_int.service - -[Install] -WantedBy=multi-user.target - -[Service] -Type=oneshot -ExecStart=/usr/local/bin/dn42-route-namespace.sh start -ExecStop=/usr/local/bin/dn42-route-namespace.sh stop -RemainAfterExit=yes diff --git a/roles/linux-ns/files/systemd/dn42_nginx.service b/roles/linux-ns/files/systemd/dn42_nginx.service deleted file mode 100644 index 43d8a67..0000000 --- a/roles/linux-ns/files/systemd/dn42_nginx.service +++ /dev/null 
@@ -1,37 +0,0 @@ -# Stop dance for nginx -# ======================= -# -# ExecStop sends SIGQUIT (graceful stop) to the nginx process. -# If, after 5s (--retry QUIT/5) nginx is still running, systemd takes control -# and sends SIGTERM (fast shutdown) to the main process. -# After another 5s (TimeoutStopSec=5), and if nginx is alive, systemd sends -# SIGKILL to all the remaining processes in the process group (KillMode=mixed). -# -# nginx signals reference doc: -# http://nginx.org/en/docs/control.html -# -[Unit] -Description=A high performance web server and a reverse proxy server -Documentation=man:nginx(8) -After=network-online.target remote-fs.target nss-lookup.target -Wants=network-online.target -After=dn42_namespace.service -Requires=dn42_namespace.service - -[Service] -Type=forking -PIDFile=/run/dn42_nginx.pid -ExecStartPre=/usr/sbin/nginx -t -q -c /etc/nginx/dn42/nginx.conf -g 'daemon on; master_process on;' -ExecStart=/usr/sbin/nginx -c /etc/nginx/dn42/nginx.conf -g 'daemon on; master_process on;' -ExecReload=/usr/sbin/nginx -c /etc/nginx/dn42/nginx.conf -g 'daemon on; master_process on;' -s reload -ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/dn42_nginx.pid -TimeoutStopSec=5 -KillMode=mixed -NetworkNamespacePath=/run/netns/dn42 -BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf -PrivateTmp=true -PrivateDevices=true -PrivateIPC=true - -[Install] -WantedBy=multi-user.target diff --git a/roles/linux-ns/files/systemd/dn42_pdns.service b/roles/linux-ns/files/systemd/dn42_pdns.service deleted file mode 100644 index 45cc367..0000000 --- a/roles/linux-ns/files/systemd/dn42_pdns.service +++ /dev/null 
@@ -1,55 +0,0 @@ -[Unit] -Description=PowerDNS Authoritative Server dn42 -Documentation=man:pdns_server(1) man:pdns_control(1) -Documentation=https://doc.powerdns.com -Wants=network-online.target -After=network-online.target time-sync.target -After=dn42_namespace.service -Requires=dn42_namespace.service - -[Service] -ExecStart=/usr/sbin/pdns_server --config-name=dn42 --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no -SyslogIdentifier=pdns_server-dn42 -User=pdns -Group=pdns -Type=notify -Restart=on-failure -RestartSec=1 -StartLimitInterval=0 -RuntimeDirectory=pdns-dn42 -BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf - -# Sandboxing -CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN -AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN -LockPersonality=true -NoNewPrivileges=true -PrivateDevices=true -PrivateTmp=true -# Setting PrivateUsers=true prevents us from opening our sockets -ProtectClock=true -ProtectControlGroups=true -ProtectHome=true -ProtectHostname=true -ProtectKernelLogs=true -ProtectKernelModules=true -ProtectKernelTunables=true -# ProtectSystem=full will disallow write access to /etc and /usr, possibly -# not being able to write slaved-zones into sqlite3 or zonefiles. -ProtectSystem=full -RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 -RestrictNamespaces=true -RestrictRealtime=true -RestrictSUIDSGID=true -SystemCallArchitectures=native -SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete -ProtectProc=invisible -PrivateIPC=true -RemoveIPC=true -DevicePolicy=closed -# Not enabled by default because it does not play well with LuaJIT -# MemoryDenyWriteExecute=true -NetworkNamespacePath=/run/netns/dn42 - -[Install] -WantedBy=multi-user.target diff --git a/roles/linux-ns/files/systemd/dn42_tinc@.service b/roles/linux-ns/files/systemd/dn42_tinc@.service deleted file mode 100644 index bf17815..0000000 --- a/roles/linux-ns/files/systemd/dn42_tinc@.service +++ /dev/null 
@@ -1,31 +0,0 @@ -[Unit] -Description=Tinc net %i in namespace dn42 -Documentation=info:tinc -Documentation=man:tinc(8) man:tinc.conf(5) -Documentation=http://tinc-vpn.org/docs/ -PartOf=tinc.service -ReloadPropagatedFrom=tinc.service - -[Service] -Type=simple -WorkingDirectory=/etc/tinc/%i -EnvironmentFile=/etc/default/tinc -ExecStart=/usr/sbin/tincd -c /etc/tinc/dn42/%i/ -n %i -D --pidfile /run/tinc/dn42/tinc.pid $EXTRA -ExecReload=/usr/sbin/tincd -c /etc/tinc/dn42/%i/ -n %i --pidfile /run/tinc/dn42/tinc.pid -kHUP -KillMode=mixed -Restart=on-failure -RestartSec=5 -TimeoutStopSec=5 - -NetworkNamespacePath=/run/netns/dn42 -BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf -ProtectSystem=strict -RuntimeDirectory=./tinc/dn42/ - -PrivateTmp=true -#tun -#PrivateDevices=true -PrivateIPC=true - -#[Install] -#WantedBy=tinc.service diff --git a/roles/linux-ns/files/systemd/dn42_wg@.service b/roles/linux-ns/files/systemd/dn42_wg@.service deleted file mode 100644 index 0f67fda..0000000 --- a/roles/linux-ns/files/systemd/dn42_wg@.service +++ /dev/null 
@@ -1,28 +0,0 @@ -[Unit] -Description=WireGuard via wg-quick(8) for %I -PartOf=wg-quick.target -Documentation=man:wg-quick(8) -Documentation=man:wg(8) -Documentation=https://www.wireguard.com/ -Documentation=https://www.wireguard.com/quickstart/ -Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8 -Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8 -After=dn42_namespace.service network-online.target nss-lookup.target -Requires=dn42_namespace.service network-online.target nss-lookup.target - -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=/usr/bin/wg-quick up /etc/wireguard/dn42/%i.conf -ExecStop=/usr/bin/wg-quick down /etc/wireguard/dn42/%i.conf -#ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)' -Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity -NetworkNamespacePath=/run/netns/dn42 -BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf -ProtectSystem=strict -PrivateTmp=true -PrivateDevices=true -PrivateIPC=true - -[Install] -WantedBy=multi-user.target diff --git a/roles/linux-ns/files/systemd/my-netns@.service b/roles/linux-ns/files/systemd/my-netns@.service deleted file mode 100644 index c9735b7..0000000 --- a/roles/linux-ns/files/systemd/my-netns@.service +++ /dev/null 
@@ -1,30 +0,0 @@ -[Unit] -Description=Named network namespace %I -Documentation=https://github.com/Jamesits/systemd-named-netns - -After=network-pre.target -Before=network.target network-online.target - -[Install] -WantedBy=network-online.target -WantedBy=multi-user.target - -[Service] -Type=oneshot -RemainAfterExit=yes - -# precaution -ExecStartPre=-/usr/bin/env ip netns delete %I - -# set up netns and bind it to this service -ExecStart=/usr/bin/flock --no-fork -- /var/run/netns.lock /usr/bin/env ip netns add %I -ExecStart=/usr/bin/env ip link add veth%I type veth peer vethpeer%I netns %I -ExecStart=/usr/bin/env ip link set veth%I up -ExecStart=/usr/bin/env ip netns exec %I ip link set vethpeer%I name eth0 -ExecStart=/usr/bin/env ip netns exec %I ip link set lo up -ExecStart=/usr/bin/env ip netns exec %I ip link set eth0 up - -# remove the netns -ExecStop=/usr/bin/env ip link del veth%I -# type veth peer vethpeer%I netns %I -ExecStop=/usr/bin/env ip netns delete %I diff --git a/roles/linux-ns/files/systemd/readme.txt b/roles/linux-ns/files/systemd/readme.txt deleted file mode 100644 index 99d220e..0000000 --- a/roles/linux-ns/files/systemd/readme.txt +++ /dev/null @@ -1,2 +0,0 @@ -except my-netns@.service, consider these examples, -or a "backup" for me. \ No newline at end of file diff --git a/roles/linux-ns/handlers/main.yml b/roles/linux-ns/handlers/main.yml deleted file mode 100644 index 144e1c1..0000000 --- a/roles/linux-ns/handlers/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -# handlers file for linux-ns diff --git a/roles/linux-ns/meta/main.yml b/roles/linux-ns/meta/main.yml deleted file mode 100644 index 20a965c..0000000 --- a/roles/linux-ns/meta/main.yml +++ /dev/null 
@@ -1,15 +0,0 @@ -galaxy_info: - author: uvok - description: Linux Network Namespace Setup - - # If the issue tracker for your role is not on github, uncomment the - # next line and provide a value - # issue_tracker_url: http://example.com/issue/tracker - - license: MIT - - min_ansible_version: 2.1 - - galaxy_tags: [] - -dependencies: [] diff --git a/roles/linux-ns/tasks/main.yml b/roles/linux-ns/tasks/main.yml deleted file mode 100644 index 6984b1f..0000000 --- a/roles/linux-ns/tasks/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -# tasks file for linux-ns diff --git a/roles/linux-ns/templates/dn42-route-namespace.sh b/roles/linux-ns/templates/dn42-route-namespace.sh deleted file mode 100755 index 6822834..0000000 --- a/roles/linux-ns/templates/dn42-route-namespace.sh +++ /dev/null 
@@ -1,85 +0,0 @@ -#!/bin/sh -x - -set -eu - -# Set public IPv6 network prefix in the form aaaa:bbbb:cccc:dddd -# (yes, without trailing: or ::) -hoster_prefix_v6="{{ hoster_ipv6_prefix }}" -# hardcoded: use 42 prefix -ns_prefix_v6="${hoster_prefix_v6}:42" - -# insert IPv4 address -hoster_addr_v4="{{ hoster_ipv4_address }}" -# hardcoded: net -ns_net_v4="10.42.0.0/24" -# hardcoded: peer address (inside namespace) -ns_addr_peer_v4="10.42.0.2/32" - -case $- in - *x*) debug="-x" ;; - *) debug="" ;; -esac - -case "$1" in - start) - ip netns exec dn42 sh $debug "$0" start-ns - ip route add ${ns_net_v4} dev vethdn42 - ip a add ${ns_prefix_v6}::1/128 dev vethdn42 - ip route add ${ns_prefix_v6}::2/128 dev vethdn42 - # hardcoded: route for dn42 - ip route replace fd00::/8 via ${ns_prefix_v6}::2 dev vethdn42 src fcee::1 - ;; - start-ns) - sysctl -w net.ipv6.conf.all.forwarding=1 - - ip -4 route flush dev eth0 - ip -6 route flush dev eth0 - ip -4 a flush dev eth0 - ip -6 a flush dev eth0 - - ip a add ${ns_addr_peer_v4} dev eth0 - ip route add ${hoster_addr_v4} dev eth0 - ip route add default via ${hoster_addr_v4} dev eth0 - - ip a add ${ns_prefix_v6}::2/128 dev eth0 - ip route add ${ns_prefix_v6}::1 dev eth0 - ip route add default via ${ns_prefix_v6}::1 dev eth0 - - # hardcoded: dummy-interface with additional addresses - ifup dn42_int - - # hardcoded: Additional rules for (policy) routing. - # tables are filled by bird. 
- ip -6 rule add prio 31000 table 210 - ip -6 rule add prio 32000 table 250 - - # hardcoded: iptables - iptables-nft-restore < /etc/iptables/netns/dn42/iptables.save - ip6tables-nft-restore < /etc/iptables/netns/dn42/ip6tables.save - ;; - stop) - ip -6 route flush dev vethdn42 - ip -4 route flush dev vethdn42 - - ip -6 a flush dev vethdn42 - ip -4 a flush dev vethdn42 - - ip netns exec dn42 sh $debug "$0" stop-ns - ;; - stop-ns) - ifdown dn42_int - - ip -6 route flush dev eth0 - ip -6 a flush dev eth0 - - ip -4 route flush dev eth0 - ip -4 a flush dev eth0 - - ip -6 rule del prio 31000 - ip -6 rule del prio 32000 - - ;; - *) - echo "Ignore invalid parameter $1" >&2 - ;; -esac diff --git a/roles/linux-ns/vars/main.yml b/roles/linux-ns/vars/main.yml deleted file mode 100644 index 0635f6c..0000000 --- a/roles/linux-ns/vars/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -# vars file for linux-ns diff --git a/roles/linux_ns/README.md b/roles/linux_ns/README.md new file mode 100644 index 0000000..cf5808e --- /dev/null +++ b/roles/linux_ns/README.md @@ -0,0 +1,34 @@ +Linux (Network) Namespaces +========================== + +(Quick and dirty?) setup of a Linux (network) namespace. + +Requirements +------------ + +Target is Linux. + +Role Variables +-------------- + +??? + +Dependencies +------------ + +None + +Example Playbook +---------------- + +None + +License +------- + +Choose your own: MIT / BSD + +Author Information +------------------ + +uvok. diff --git a/roles/linux_ns/defaults/main.yml b/roles/linux_ns/defaults/main.yml new file mode 100644 index 0000000..f7472ec --- /dev/null +++ b/roles/linux_ns/defaults/main.yml @@ -0,0 +1,2 @@ +--- +# defaults file for linux-ns diff --git a/roles/linux_ns/files/iptables/ip6tables.save b/roles/linux_ns/files/iptables/ip6tables.save new file mode 100644 index 0000000..036e5a5 --- /dev/null +++ b/roles/linux_ns/files/iptables/ip6tables.save 
@@ -0,0 +1,38 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i tinc_dn42 -j ACCEPT
+
+-A INPUT -p icmpv6 -j ACCEPT
+
+# traceroute
+-A INPUT -p udp -m multiport --dports 33434:33534 -j REJECT --reject-with icmp6-port-unreachable
+# DNS
+-A INPUT -p udp --dport 53 -j ACCEPT
+-A INPUT -p tcp --dport 53 -j ACCEPT
+# BGP
+-A INPUT -p tcp --dport 179 -j ACCEPT
+# LG
+-A INPUT -i eth0 -p tcp --dport 6042 -j ACCEPT
+-A INPUT -i eth0 -p tcp --dport 6142 -j ACCEPT
+
+-A INPUT -j REJECT --reject-with icmp6-port-unreachable
+
+-A FORWARD -s fd00::/8 -d fd00::/8 -j ACCEPT
+
+-A FORWARD -j REJECT --reject-with icmp6-port-unreachable
+
+COMMIT
+
+*mangle
+-A PREROUTING -i eth0 -j MARK --set-mark 0x4242
+COMMIT
+
+*nat
+-A POSTROUTING -d fd00::/8 -m mark --mark 0x4242 -j MASQUERADE
+COMMIT
diff --git a/roles/linux_ns/files/iptables/iptables.save b/roles/linux_ns/files/iptables/iptables.save
new file mode 100644
index 0000000..4f72cc5
--- /dev/null
+++ b/roles/linux_ns/files/iptables/iptables.save
@@ -0,0 +1,24 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i tinc_dn42 -j ACCEPT
+
+-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
+-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
+-A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
+-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+
+# traceroute
+-A INPUT -p udp -m multiport --dports 33434:33534 -j REJECT --reject-with icmp-port-unreachable
+# DNS
+-A INPUT -p udp --dport 53 -j ACCEPT
+-A INPUT -p tcp --dport 53 -j ACCEPT
+
+-A FORWARD -j REJECT --reject-with icmp-port-unreachable
+
+COMMIT
diff --git a/roles/linux_ns/files/systemd/dn42_bird-lg.service b/roles/linux_ns/files/systemd/dn42_bird-lg.service
new file mode 100644
index 0000000..85c5358
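Review bot: The `-i eth0` scoping on the LG rules (`--dport 6042` / `--dport 6142`) does not actually confine them to the host side, because the earlier `-A INPUT -i tinc_dn42 -j ACCEPT` already admits every packet arriving from the tinc VPN, including those ports and anything else listening in the namespace. If tinc peers are only meant to speak BGP, ICMPv6 and DNS, replace the catch-all with a port-scoped rule such as `-A INPUT -i tinc_dn42 -p tcp --dport 179 -j ACCEPT` (53 and icmpv6 are already accepted on all interfaces) and let the final REJECT handle the rest. The unscoped `--dport 179` rule also accepts BGP on eth0 from the host; that may be intended for dn42_wg@ tunnels, but a comment stating so would make the intent reviewable.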
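Review bot: This IPv4 set has no BGP or LG allow rules and no trailing `-j REJECT` in INPUT, so v4 peering can only work through the blanket `-A INPUT -i tinc_dn42 -j ACCEPT`, and BGP on any other interface (eth0, a dn42_wg@ tunnel) is silently dropped by the `:INPUT DROP` policy while the v6 counterpart accepts it everywhere and REJECTs everything else. If that asymmetry is deliberate a comment would help; otherwise add the same port-scoped BGP rule as in ip6tables.save and make the tail consistent, either a final `-A INPUT -j REJECT --reject-with icmp-port-unreachable` here or dropping it from the v6 file, so both families behave alike.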
--- /dev/null
+++ b/roles/linux_ns/files/systemd/dn42_bird-lg.service
@@ -0,0 +1,24 @@
+[Unit]
+Description=Run Bird Looking Glass - DN42 edition
+Requires=network-online.target
+After=network-online.target
+After=dn42_namespace.service
+Requires=dn42_namespace.service
+
+[Service]
+ExecStart=/bin/bash /home/lgproxy/lgstart.sh
+BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
+User=lgproxy
+WorkingDirectory=/home/lgproxy/
+Environment="LG_PORT=6142"
+Environment="LG_CONFIG_FILE=/home/lgproxy/lg/lg-dn42.cfg"
+NetworkNamespacePath=/run/netns/dn42
+Type=exec
+PrivateTmp=true
+PrivateDevices=true
+PrivateIPC=true
+
+[Install]
+WantedBy=default.target
+
+#Type=simple
diff --git a/roles/linux_ns/files/systemd/dn42_bird-lgproxy.service b/roles/linux_ns/files/systemd/dn42_bird-lgproxy.service
new file mode 100644
index 0000000..273ab16
--- /dev/null
+++ b/roles/linux_ns/files/systemd/dn42_bird-lgproxy.service
@@ -0,0 +1,24 @@
+[Unit]
+Description=Run Bird Looking Glass Proxy
+Requires=network-online.target dn42_bird.service
+After=network-online.target dn42_bird.service
+After=dn42_namespace.service
+Requires=dn42_namespace.service
+
+[Service]
+ExecStart=/bin/bash /home/lgproxy/start.sh
+BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
+User=lgproxy
+WorkingDirectory=/home/lgproxy/
+Environment="LGPROXY_PORT=6042"
+Environment="LGPROXY_CONFIG_FILE=/home/lgproxy/lgp/lgproxy-dn42.cfg"
+NetworkNamespacePath=/run/netns/dn42
+Type=exec
+PrivateTmp=true
+PrivateDevices=true
+PrivateIPC=true
+
+[Install]
+WantedBy=default.target
+
+#Type=simple
diff --git a/roles/linux_ns/files/systemd/dn42_bird.service b/roles/linux_ns/files/systemd/dn42_bird.service
new file mode 100644
index 0000000..cbf80f0
--- /dev/null
+++ b/roles/linux_ns/files/systemd/dn42_bird.service
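Review bot: dn42_bird-lg.service runs a network-facing process (6142 is opened on eth0 in ip6tables.save) with only `PrivateTmp`/`PrivateDevices`/`PrivateIPC`, none of the sandboxing that dn42_pdns.service in the same role applies. Adding `NoNewPrivileges=true`, `ProtectSystem=strict`, `ProtectKernelTunables=true` and `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` should be compatible with a script that only reads under /home/lgproxy; add `ReadWritePaths=` if lgstart.sh writes there, which I cannot see from the unit. The leftover `#Type=simple` comment and `WantedBy=default.target` (every other unit in this role installs into multi-user.target) look like remnants worth cleaning up.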
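Review bot: The proxy is started from `/home/lgproxy/start.sh` with its config under the same home directory, all owned by the `User=lgproxy` it runs as, and it is reachable on 6042 via the eth0 rule in ip6tables.save; a compromise of the proxy process can therefore persist by rewriting its own start script and config. Keep the script and config root-owned outside the home, or at minimum add `ProtectHome=read-only` so the service cannot modify them, and apply the same sandboxing directives as dn42_pdns.service. I cannot see start.sh, so confirm it needs no write access under /home before tightening.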
@@ -0,0 +1,25 @@
+[Unit]
+Description=BIRD Internet Routing Daemon - DN42 daemon
+After=network.target
+Wants=dn42_tinc@tn_int.service
+After=dn42_tinc@tn_int.service
+
+[Service]
+EnvironmentFile=/etc/bird/envvars
+ExecStartPre=/bin/sleep 3
+ExecStartPre=/usr/lib/bird/prepare-environment
+ExecStartPre=/usr/sbin/bird -c /etc/bird/dn42/bird.conf -p
+ExecStart=/usr/sbin/bird -c /etc/bird/dn42/bird.conf -f -g bird -u bird -s /var/run/bird/bird_dn42.sock
+ExecReload=/usr/sbin/birdc -s /var/run/bird/bird_dn42.sock configure
+Restart=on-abort
+
+NetworkNamespacePath=/run/netns/dn42
+BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
+ProtectSystem=strict
+# rel: /var/log
+# nope, doesn't work, bird must start with root
+#LogsDirectory=
+ReadWritePaths=/run/bird/ /var/log/bird/dn42/
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/linux_ns/files/systemd/dn42_namespace.service b/roles/linux_ns/files/systemd/dn42_namespace.service
new file mode 100644
index 0000000..4034879
--- /dev/null
+++ b/roles/linux_ns/files/systemd/dn42_namespace.service
@@ -0,0 +1,17 @@
+# fine-adjustments, routing, etcpp
+
+[Unit]
+Description=DN42 Network namespace
+After=network-online.target my-netns@dn42.service
+Requires=my-netns@dn42.service
+Before=dn42_tinc@tn_int.service
+WantedBy=dn42_tinc@tn_int.service
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/dn42-route-namespace.sh start
+ExecStop=/usr/local/bin/dn42-route-namespace.sh stop
+RemainAfterExit=yes
diff --git a/roles/linux_ns/files/systemd/dn42_nginx.service b/roles/linux_ns/files/systemd/dn42_nginx.service
new file mode 100644
index 0000000..43d8a67
--- /dev/null
+++ b/roles/linux_ns/files/systemd/dn42_nginx.service
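Review bot: `ExecStartPre=/bin/sleep 3` papers over an ordering problem instead of declaring it: this unit relies on `NetworkNamespacePath=/run/netns/dn42` but, unlike the other namespaced units in the role, has no `Requires=dn42_namespace.service` / `After=dn42_namespace.service`, and the tinc instance it waits for is only `Wants=`, so bird can be started before the namespace exists or after tinc has failed. Replace the sleep with `Requires=dn42_namespace.service` and `After=dn42_namespace.service dn42_tinc@tn_int.service`, and promote the tinc dependency to `Requires=` if peering through it is mandatory. The `#LogsDirectory=` comment is consistent with bird starting as root and dropping to `-u bird -g bird` itself; a comment saying explicitly that the daemon therefore begins with full root privileges inside the namespace would help the next reader.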
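Review bot: `WantedBy=dn42_tinc@tn_int.service` sits in `[Unit]`, where systemd does not accept it (it logs "Unknown key name 'WantedBy' in section 'Unit', ignoring"), so the intended pull-in of this unit by the tinc instance never happens and only the `Before=` ordering survives. Move it into `[Install]` as `WantedBy=multi-user.target dn42_tinc@tn_int.service`, or better add `Wants=dn42_namespace.service` and `After=dn42_namespace.service` to dn42_tinc@.service, which is the unit that actually needs the namespace. The `[Install]` section placed between `[Unit]` and `[Service]` is legal but unusual; keeping it last matches the other units in this role.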
@@ -0,0 +1,37 @@
+# Stop dance for nginx
+# =======================
+#
+# ExecStop sends SIGQUIT (graceful stop) to the nginx process.
+# If, after 5s (--retry QUIT/5) nginx is still running, systemd takes control
+# and sends SIGTERM (fast shutdown) to the main process.
+# After another 5s (TimeoutStopSec=5), and if nginx is alive, systemd sends
+# SIGKILL to all the remaining processes in the process group (KillMode=mixed).
+#
+# nginx signals reference doc:
+# http://nginx.org/en/docs/control.html
+#
+[Unit]
+Description=A high performance web server and a reverse proxy server
+Documentation=man:nginx(8)
+After=network-online.target remote-fs.target nss-lookup.target
+Wants=network-online.target
+After=dn42_namespace.service
+Requires=dn42_namespace.service
+
+[Service]
+Type=forking
+PIDFile=/run/dn42_nginx.pid
+ExecStartPre=/usr/sbin/nginx -t -q -c /etc/nginx/dn42/nginx.conf -g 'daemon on; master_process on;'
+ExecStart=/usr/sbin/nginx -c /etc/nginx/dn42/nginx.conf -g 'daemon on; master_process on;'
+ExecReload=/usr/sbin/nginx -c /etc/nginx/dn42/nginx.conf -g 'daemon on; master_process on;' -s reload
+ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/dn42_nginx.pid
+TimeoutStopSec=5
+KillMode=mixed
+NetworkNamespacePath=/run/netns/dn42
+BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
+PrivateTmp=true
+PrivateDevices=true
+PrivateIPC=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/linux_ns/files/systemd/dn42_pdns.service b/roles/linux_ns/files/systemd/dn42_pdns.service
new file mode 100644
index 0000000..45cc367
--- /dev/null
+++ b/roles/linux_ns/files/systemd/dn42_pdns.service
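Review bot: This unit runs the nginx master as root inside the namespace with no `ProtectSystem=`, `ProtectHome=` or kernel-tunable protection, whereas the sibling bird, tinc and wg units set `ProtectSystem=strict` and pdns gets a full sandbox. Add at least `ProtectSystem=full`, `ProtectHome=true`, `ProtectKernelTunables=true` and `ProtectControlGroups=true`, with `ReadWritePaths=` for the log and cache directories nginx writes to (I cannot see /etc/nginx/dn42/nginx.conf, so check those paths there). `PIDFile=/run/dn42_nginx.pid` must also match the `pid` directive in that config, otherwise systemd will treat the forking start as failed and kill the master.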
@@ -0,0 +1,55 @@
+[Unit]
+Description=PowerDNS Authoritative Server dn42
+Documentation=man:pdns_server(1) man:pdns_control(1)
+Documentation=https://doc.powerdns.com
+Wants=network-online.target
+After=network-online.target time-sync.target
+After=dn42_namespace.service
+Requires=dn42_namespace.service
+
+[Service]
+ExecStart=/usr/sbin/pdns_server --config-name=dn42 --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no
+SyslogIdentifier=pdns_server-dn42
+User=pdns
+Group=pdns
+Type=notify
+Restart=on-failure
+RestartSec=1
+StartLimitInterval=0
+RuntimeDirectory=pdns-dn42
+BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
+
+# Sandboxing
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN
+LockPersonality=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+# Setting PrivateUsers=true prevents us from opening our sockets
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+# ProtectSystem=full will disallow write access to /etc and /usr, possibly
+# not being able to write slaved-zones into sqlite3 or zonefiles.
+ProtectSystem=full
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
+ProtectProc=invisible
+PrivateIPC=true
+RemoveIPC=true
+DevicePolicy=closed
+# Not enabled by default because it does not play well with LuaJIT
+# MemoryDenyWriteExecute=true
+NetworkNamespacePath=/run/netns/dn42
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/linux_ns/files/systemd/dn42_tinc@.service b/roles/linux_ns/files/systemd/dn42_tinc@.service
new file mode 100644
index 0000000..bf17815
--- /dev/null
+++ b/roles/linux_ns/files/systemd/dn42_tinc@.service
@@ -0,0 +1,31 @@
+[Unit]
+Description=Tinc net %i in namespace dn42
+Documentation=info:tinc
+Documentation=man:tinc(8) man:tinc.conf(5)
+Documentation=http://tinc-vpn.org/docs/
+PartOf=tinc.service
+ReloadPropagatedFrom=tinc.service
+
+[Service]
+Type=simple
+WorkingDirectory=/etc/tinc/%i
+EnvironmentFile=/etc/default/tinc
+ExecStart=/usr/sbin/tincd -c /etc/tinc/dn42/%i/ -n %i -D --pidfile /run/tinc/dn42/tinc.pid $EXTRA
+ExecReload=/usr/sbin/tincd -c /etc/tinc/dn42/%i/ -n %i --pidfile /run/tinc/dn42/tinc.pid -kHUP
+KillMode=mixed
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=5
+
+NetworkNamespacePath=/run/netns/dn42
+BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
+ProtectSystem=strict
+RuntimeDirectory=./tinc/dn42/
+
+PrivateTmp=true
+#tun
+#PrivateDevices=true
+PrivateIPC=true
+
+#[Install]
+#WantedBy=tinc.service
diff --git a/roles/linux_ns/files/systemd/dn42_wg@.service b/roles/linux_ns/files/systemd/dn42_wg@.service
new file mode 100644
index 0000000..0f67fda
--- /dev/null
+++ b/roles/linux_ns/files/systemd/dn42_wg@.service
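Review bot: WorkingDirectory=/etc/tinc/%i does not agree with the config path passed two lines below it, -c /etc/tinc/dn42/%i/; if the per-net directory exists only under /etc/tinc/dn42, systemd cannot chdir and the unit fails before tincd is even executed, so it should read `WorkingDirectory=/etc/tinc/dn42/%i`. RuntimeDirectory=./tinc/dn42/ is also unusual: the directive takes plain relative names, and I am not certain every systemd release normalises the leading ./ and trailing slash rather than rejecting the value, so `RuntimeDirectory=tinc/dn42` is the safe spelling and still yields the /run/tinc/dn42 that --pidfile points at. A one-line header comment saying this is a namespace-bound copy of the distro tinc@ unit (PartOf/ReloadPropagatedFrom kept, [Install] deliberately commented out) would spare the next reader the guess.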
@@ -0,0 +1,28 @@
+[Unit]
+Description=WireGuard via wg-quick(8) for %I
+PartOf=wg-quick.target
+Documentation=man:wg-quick(8)
+Documentation=man:wg(8)
+Documentation=https://www.wireguard.com/
+Documentation=https://www.wireguard.com/quickstart/
+Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
+Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
+After=dn42_namespace.service network-online.target nss-lookup.target
+Requires=dn42_namespace.service network-online.target nss-lookup.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/bin/wg-quick up /etc/wireguard/dn42/%i.conf
+ExecStop=/usr/bin/wg-quick down /etc/wireguard/dn42/%i.conf
+#ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
+Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity
+NetworkNamespacePath=/run/netns/dn42
+BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
+ProtectSystem=strict
+PrivateTmp=true
+PrivateDevices=true
+PrivateIPC=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/linux_ns/files/systemd/my-netns@.service b/roles/linux_ns/files/systemd/my-netns@.service
new file mode 100644
index 0000000..c9735b7
--- /dev/null
+++ b/roles/linux_ns/files/systemd/my-netns@.service
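Review bot: Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity combined with Type=oneshot means a peer whose endpoint hostname cannot be resolved keeps `wg-quick up` retrying without limit — oneshot services have no start timeout by default — and because multi-user.target orders itself after the units it wants, a single bad peer can hold up boot. Resolution happens inside the dn42 namespace with only the bind-mounted /etc/netns/dn42/resolv.conf, which makes an unresolvable endpoint more likely than on the host; I have not checked what that resolver can actually reach. Add an explicit bound such as `TimeoutStartSec=300` so the unit fails visibly instead, or put the trade-off in a comment next to the Environment line.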
@@ -0,0 +1,30 @@
+[Unit]
+Description=Named network namespace %I
+Documentation=https://github.com/Jamesits/systemd-named-netns
+
+After=network-pre.target
+Before=network.target network-online.target
+
+[Install]
+WantedBy=network-online.target
+WantedBy=multi-user.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+
+# precaution
+ExecStartPre=-/usr/bin/env ip netns delete %I
+
+# set up netns and bind it to this service
+ExecStart=/usr/bin/flock --no-fork -- /var/run/netns.lock /usr/bin/env ip netns add %I
+ExecStart=/usr/bin/env ip link add veth%I type veth peer vethpeer%I netns %I
+ExecStart=/usr/bin/env ip link set veth%I up
+ExecStart=/usr/bin/env ip netns exec %I ip link set vethpeer%I name eth0
+ExecStart=/usr/bin/env ip netns exec %I ip link set lo up
+ExecStart=/usr/bin/env ip netns exec %I ip link set eth0 up
+
+# remove the netns
+ExecStop=/usr/bin/env ip link del veth%I
+# type veth peer vethpeer%I netns %I
+ExecStop=/usr/bin/env ip netns delete %I
diff --git a/roles/linux_ns/files/systemd/readme.txt b/roles/linux_ns/files/systemd/readme.txt
new file mode 100644
index 0000000..99d220e
--- /dev/null
+++ b/roles/linux_ns/files/systemd/readme.txt
@@ -0,0 +1,2 @@
+except my-netns@.service, consider these examples,
+or a "backup" for me.
\ No newline at end of file
diff --git a/roles/linux_ns/handlers/main.yml b/roles/linux_ns/handlers/main.yml
new file mode 100644
index 0000000..144e1c1
--- /dev/null
+++ b/roles/linux_ns/handlers/main.yml
@@ -0,0 +1,2 @@
+---
+# handlers file for linux-ns
diff --git a/roles/linux_ns/meta/main.yml b/roles/linux_ns/meta/main.yml
new file mode 100644
index 0000000..088c53c
--- /dev/null
+++ b/roles/linux_ns/meta/main.yml
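Review bot: The namespace name is taken from %I, the unescaped instance, so an instance such as my-netns@a-b.service becomes `ip netns add a/b` and the delete calls in ExecStartPre/ExecStop operate on /run/netns/a/b — a name with a path separator, which iproute2 will either reject or turn into a path outside the netns directory (I have not checked which). Using `%i` in every ip invocation keeps the instance a single path component; `%I` is fine in Description= only, and a comment like `# %i (escaped) on purpose: a netns name must be a single path component` records why. The "precaution" delete in ExecStartPre also deserves a sentence: as far as I can tell it unmounts an existing namespace of the same name, so services already started inside it keep the old namespace while ExecStart creates a fresh one — harmless at boot, surprising on a manual restart.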
@@ -0,0 +1,15 @@
+galaxy_info:
+ author: uvok
+ description: Linux Network Namespace Setup
+
+ # If the issue tracker for your role is not on github, uncomment the
+ # next line and provide a value
+ # issue_tracker_url: http://example.com/issue/tracker
+
+ license: MIT
+
+ min_ansible_version: "2.1"
+
+ galaxy_tags: []
+
+dependencies: []
diff --git a/roles/linux_ns/tasks/main.yml b/roles/linux_ns/tasks/main.yml
new file mode 100644
index 0000000..6984b1f
--- /dev/null
+++ b/roles/linux_ns/tasks/main.yml
@@ -0,0 +1,2 @@
+---
+# tasks file for linux-ns
diff --git a/roles/linux_ns/templates/dn42-route-namespace.sh b/roles/linux_ns/templates/dn42-route-namespace.sh
new file mode 100755
index 0000000..6822834
--- /dev/null
+++ b/roles/linux_ns/templates/dn42-route-namespace.sh
@@ -0,0 +1,85 @@
+#!/bin/sh -x
+
+set -eu
+
+# Set public IPv6 network prefix in the form aaaa:bbbb:cccc:dddd
+# (yes, without trailing: or ::)
+hoster_prefix_v6="{{ hoster_ipv6_prefix }}"
+# hardcoded: use 42 prefix
+ns_prefix_v6="${hoster_prefix_v6}:42"
+
+# insert IPv4 address
+hoster_addr_v4="{{ hoster_ipv4_address }}"
+# hardcoded: net
+ns_net_v4="10.42.0.0/24"
+# hardcoded: peer address (inside namespace)
+ns_addr_peer_v4="10.42.0.2/32"
+
+case $- in
+ *x*) debug="-x" ;;
+ *) debug="" ;;
+esac
+
+case "$1" in
+ start)
+ ip netns exec dn42 sh $debug "$0" start-ns
+ ip route add ${ns_net_v4} dev vethdn42
+ ip a add ${ns_prefix_v6}::1/128 dev vethdn42
+ ip route add ${ns_prefix_v6}::2/128 dev vethdn42
+ # hardcoded: route for dn42
+ ip route replace fd00::/8 via ${ns_prefix_v6}::2 dev vethdn42 src fcee::1
+ ;;
+ start-ns)
+ sysctl -w net.ipv6.conf.all.forwarding=1
+
+ ip -4 route flush dev eth0
+ ip -6 route flush dev eth0
+ ip -4 a flush dev eth0
+ ip -6 a flush dev eth0
+
+ ip a add ${ns_addr_peer_v4} dev eth0
+ ip route add ${hoster_addr_v4} dev eth0
+ ip route add default via ${hoster_addr_v4} dev eth0
+
+ ip a add ${ns_prefix_v6}::2/128 dev eth0
+ ip route add ${ns_prefix_v6}::1 dev eth0
+ ip route add default via ${ns_prefix_v6}::1 dev eth0
+
+ # hardcoded: dummy-interface with additional addresses
+ ifup dn42_int
+
+ # hardcoded: Additional rules for (policy) routing.
+ # tables are filled by bird.
+ ip -6 rule add prio 31000 table 210
+ ip -6 rule add prio 32000 table 250
+
+ # hardcoded: iptables
+ iptables-nft-restore < /etc/iptables/netns/dn42/iptables.save
+ ip6tables-nft-restore < /etc/iptables/netns/dn42/ip6tables.save
+ ;;
+ stop)
+ ip -6 route flush dev vethdn42
+ ip -4 route flush dev vethdn42
+
+ ip -6 a flush dev vethdn42
+ ip -4 a flush dev vethdn42
+
+ ip netns exec dn42 sh $debug "$0" stop-ns
+ ;;
+ stop-ns)
+ ifdown dn42_int
+
+ ip -6 route flush dev eth0
+ ip -6 a flush dev eth0
+
+ ip -4 route flush dev eth0
+ ip -4 a flush dev eth0
+
+ ip -6 rule del prio 31000
+ ip -6 rule del prio 32000
+
+ ;;
+ *)
+ echo "Ignore invalid parameter $1" >&2
+ ;;
+esac
diff --git a/roles/linux_ns/vars/main.yml b/roles/linux_ns/vars/main.yml
new file mode 100644
index 0000000..0635f6c
--- /dev/null
+++ b/roles/linux_ns/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for linux-ns
diff --git a/roles/tinc/defaults/main.yml b/roles/tinc/defaults/main.yml
index 64aa1e7..d493ac2 100644
--- a/roles/tinc/defaults/main.yml
+++ b/roles/tinc/defaults/main.yml
@@ -1,3 +1,11 @@
-tinc_netname: tn_int
-tinc:
- configure: false
\ No newline at end of file
+tinc_options:
+ configure: false
+ netname: tn_int
+ name: example
+ connections: [example]
+ address:
+ - fe80::/64
+ - 10.0.0.1/32
+ listen_on: any
+ extra_up:
+ - echo configured
diff --git a/roles/tinc/handlers/main.yml b/roles/tinc/handlers/main.yml
index 56b5829..1fa1217 100644
--- a/roles/tinc/handlers/main.yml
+++ b/roles/tinc/handlers/main.yml
@@ -5,7 +5,7 @@ - name: Stop Tinc listen: configure tinc service: - name: "tinc@{{ tinc_netname }}" + name: "tinc@{{ tinc_options.netname }}" state: stopped - name: Wait listen: configure tinc
@@ -14,5 +14,5 @@ - name: Start Tinc listen: configure tinc service: - name: "tinc@{{ tinc_netname }}" + name: "tinc@{{ tinc_options.netname }}" state: started
diff --git a/roles/tinc/tasks/main.yml b/roles/tinc/tasks/main.yml
index 4cfc7cd..8a9b44d 100644
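Review bot: The script runs under set -e but nearly all of its network setup uses `ip … add`, which fails with EEXIST when state survives from an earlier run (a stop that aborted before its flushes, or host-side addresses on vethdn42 outliving a namespace restart), so a second start aborts halfway and leaves the namespace partly configured. `ip addr replace` and `ip route replace` are idempotent and behave identically on a clean system; `ip rule` has no replace form, so the two rule adds in start-ns need a guard such as `ip -6 rule del prio 31000 2>/dev/null || true` before each add. The `#!/bin/sh -x` shebang also means xtrace is on for every direct invocation, so the `case $-` detection only ever propagates -x to the nested `sh` call; if tracing is meant to be opt-in, drop -x from the shebang and run `sh -x` when debugging. Only the start branch is shown below; the same substitution applies to the add calls in start-ns.
```sh
# … unchanged: variable setup and debug detection …
    start)
        ip netns exec dn42 sh $debug "$0" start-ns
        ip route replace ${ns_net_v4} dev vethdn42
        ip addr replace ${ns_prefix_v6}::1/128 dev vethdn42
        ip route replace ${ns_prefix_v6}::2/128 dev vethdn42
        # hardcoded: route for dn42
        ip route replace fd00::/8 via ${ns_prefix_v6}::2 dev vethdn42 src fcee::1
        ;;
# … unchanged: start-ns, stop, stop-ns branches …
```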
--- a/roles/tinc/tasks/main.yml +++ b/roles/tinc/tasks/main.yml @@ -8,5 +8,5 @@ import_tasks: tinc.yml when: - tinc is defined - - tinc.configure is defined - - tinc.configure + - tinc_options.configure is defined + - tinc_options.configure diff --git a/roles/tinc/tasks/tinc.yml b/roles/tinc/tasks/tinc.yml index 7453811..c97c180 100644 --- a/roles/tinc/tasks/tinc.yml +++ b/roles/tinc/tasks/tinc.yml @@ -38,7 +38,7 @@ - exec - name: Ensure tinc is enabled service: - name: "tinc@{{ tinc_netname }}" + name: "tinc@{{ tinc_options.netname }}" daemon_reload: true enabled: true when: ansible_os_family != "OpenWrt" diff --git a/roles/tinc/templates/tinc-up.j2 b/roles/tinc/templates/tinc-up.j2 index 92aa782..ea81512 100755 --- a/roles/tinc/templates/tinc-up.j2 +++ b/roles/tinc/templates/tinc-up.j2 @@ -1,11 +1,11 @@ #!/bin/sh ip link set $INTERFACE up ip -6 addr flush dev $INTERFACE -{% for addr in tinc.address %} +{% for addr in tinc_options.address %} ip addr add {{ addr }} dev $INTERFACE {% endfor %} -{% if tinc.extra_up is defined %} -{% for cmd in tinc.extra_up %} +{% if tinc_options.extra_up is defined %} +{% for cmd in tinc_options.extra_up %} {{ cmd }} {% endfor %} {% endif %} diff --git a/roles/tinc/templates/tinc.conf.j2 b/roles/tinc/templates/tinc.conf.j2 index b7011e1..aa639ab 100644 --- a/roles/tinc/templates/tinc.conf.j2 +++ b/roles/tinc/templates/tinc.conf.j2 @@ -1,11 +1,11 @@ -Name = {{ tinc.name }} -{% if tinc.listen_on is defined %} -AddressFamily = {{ tinc.listen_on }} +Name = {{ tinc_options.name }} +{% if tinc_options.listen_on is defined %} +AddressFamily = {{ tinc_options.listen_on }} {% else %} AddressFamily = ipv6 {% endif %} Interface = tn_int Mode = switch -{% for conn in tinc.connections %} +{% for conn in tinc_options.connections %} ConnectTo = {{ conn }} {% endfor %} -- cgit v1.2.3
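Review bot: The when: list still tests `tinc is defined` while the two conditions below it now read tinc_options.configure, so after this rename a host that defines only tinc_options never imports tinc.yml — the block is silently skipped rather than failing, which is why a playbook run would not flag it. The first condition should become `- tinc_options is defined`; the enclosing task (its name: line) starts above the hunk. If `tinc` was kept on purpose as a compatibility variable, a comment saying so is needed, because nothing else in this diff references it any more.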