authorTrygve Laugstøl <trygvis@inamo.no>2019-01-11 07:45:58 +0100
committerTrygve Laugstøl <trygvis@inamo.no>2019-01-11 07:45:58 +0100
commit99ce768a7d6fe9e828caf932554c4e095c1d00b2 (patch)
treeb367f0776e0640714d6a581ba5eb0d4e2f3d1b76
parentfca718acb8d31e3f05608fb5aedfa4c7d34c7455 (diff)
lxc-host: Moving to its own playbook. Adding arius-test1. Only
configuring ipv4/6 forwarding for the created interface. Adding configurable ipv6 address too. wireguard: Tagging old nets with never. nftables: Trying out portforwarding on arius.
-rw-r--r--ansible/all.yml5
-rw-r--r--ansible/group_vars/all/host_database.yml29
-rw-r--r--ansible/host_vars/arius-test1/elasticsearch.yml (renamed from ansible/host_vars/fuckaduck/elasticsearch.yml)0
-rw-r--r--ansible/host_vars/arius/lxc.yml4
-rw-r--r--ansible/host_vars/arius/nftables.yml23
-rw-r--r--ansible/inventory2
-rw-r--r--ansible/lxc-host.yml4
-rw-r--r--ansible/roles/lxc-host/tasks/networkd.yml30
-rw-r--r--ansible/roles/lxc-host/tasks/per-host.yml3
-rw-r--r--ansible/wireguard.yml2
10 files changed, 75 insertions, 27 deletions
diff --git a/ansible/all.yml b/ansible/all.yml
index 326417c..4acd889 100644
--- a/ansible/all.yml
+++ b/ansible/all.yml
@@ -41,10 +41,7 @@
roles:
- linode-dns-update
-- hosts:
- - lxc-hosts
- roles:
- - lxc-host
+- import_playbook: lxc-host.yml
- hosts:
- borg_clients
diff --git a/ansible/group_vars/all/host_database.yml b/ansible/group_vars/all/host_database.yml
index 4342f23..c7bce07 100644
--- a/ansible/group_vars/all/host_database.yml
+++ b/ansible/group_vars/all/host_database.yml
@@ -1,13 +1,15 @@
-# Generate hwaddr with
-# echo $(od -vN 6 -An -tx1 /dev/urandom) |tr ' ' :
# Generate ipv6 with
# echo $(od -vN 8 -An -tx2 /dev/urandom) |tr ' ' :
+# Generate hwaddr with
+# echo $(od -vN 6 -An -tx1 /dev/urandom) |tr ' ' :
# Note that the last bit of the first byte can't be set! Keep that byte even!
# After you boot the container you'll get the IPv6 address
ipv6_networks:
conflatorio:
prefix: fd56:1ae9:097d:3ddd
+ arius:
+ prefix: f338:7b65:2445:ef9a
host_database:
birgitte:
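Review bot: The new `arius` prefix `f338:7b65:2445:ef9a` is not a ULA prefix: RFC 4193 private space is fd00::/8, which the existing `conflatorio` prefix (`fd56:...`) satisfies only by chance, because the recipe in the comment (`od -vN 8 ... -tx2`) randomizes all four groups including the first. Addresses built from this prefix fall in unassigned global space, so they may be routed or leak beyond the host instead of staying local. I would regenerate the prefix with the first group pinned to `fdXX` and tighten the comment, e.g. `# Generate a ULA prefix (must start with fd, RFC 4193) - only the remaining 7 bytes are random`. The reorder that moves the "last bit of the first byte" note directly under the hwaddr recipe reads correctly now, since that constraint is the MAC multicast bit, not an IPv6 rule.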
@@ -87,3 +89,26 @@ host_database:
ipv6:
address: "{{ ipv6_networks.conflatorio.prefix }}:5375:e67b:7878:310d"
netmask: 64
+
+ arius:
+ interfaces:
+ lxc0-int:
+ ipv4:
+ address: 10.1.1.1
+ netmask: 24
+ ipv6:
+ address: "{{ ipv6_networks.arius.prefix }}:954b:90fc:c42d:1aef"
+ netmask: 64
+
+ arius-test1:
+ interfaces:
+ veth0:
+ hwaddr: 42:bc:1e:d3:bb:c5
+ ipv4:
+ address: 10.1.1.2
+ netmask: 24
+ gateway: 10.1.1.1
+ ipv6:
+ address: "{{ ipv6_networks.arius.prefix }}:2d35:abc6:97c1:cbf3"
+ netmask: 64
+ gateway: auto
diff --git a/ansible/host_vars/fuckaduck/elasticsearch.yml b/ansible/host_vars/arius-test1/elasticsearch.yml
index 1eb42bc..1eb42bc 100644
--- a/ansible/host_vars/fuckaduck/elasticsearch.yml
+++ b/ansible/host_vars/arius-test1/elasticsearch.yml
diff --git a/ansible/host_vars/arius/lxc.yml b/ansible/host_vars/arius/lxc.yml
new file mode 100644
index 0000000..5eea54d
--- /dev/null
+++ b/ansible/host_vars/arius/lxc.yml
@@ -0,0 +1,4 @@
+lxc_host__containers:
+ test1:
+ state: started
+ host_database: arius-test1
diff --git a/ansible/host_vars/arius/nftables.yml b/ansible/host_vars/arius/nftables.yml
index 6f4f167..8a276ff 100644
--- a/ansible/host_vars/arius/nftables.yml
+++ b/ansible/host_vars/arius/nftables.yml
@@ -43,3 +43,26 @@ nftables_tables:
- position: 1
statement: ""
# statement: "ip daddr 192.0.2.100 counter"
+
+ - name: nat
+ family: ip
+ chains:
+ - name: "prerouting"
+ base:
+ type: "nat"
+ hook: "prerouting"
+ priority: 0
+ rules:
+# - position: 1
+# statement: "iif wlp1s0 tcp dport { 2222 } dnat 192.168.10.176:22"
+ - position: 1
+ statement: ""
+
+ - name: "postrouting"
+ base:
+ type: "nat"
+ hook: "postrouting"
+ priority: 100
+ rules:
+ - position: 1
+ statement: "masquerade random,persistent"
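Review bot: The postrouting rule `masquerade random,persistent` carries no source or output-interface match, so it will source-NAT every packet the host forwards out of any interface, not only container traffic from the 10.1.1.0/24 net introduced for `lxc0-int` in this commit. That silently rewrites the source of any other forwarded traffic on arius (the repo also routes WireGuard nets through playbooks here, though whether arius forwards for them is not visible in this diff). I would scope it: `statement: "ip saddr 10.1.1.0/24 oifname <UPLINK-IF> masquerade random,persistent"` with the real uplink name substituted. The commented dnat example in prerouting references `wlp1s0` and `192.168.10.176`, which match neither the interface nor the subnet defined for arius in this commit, so it looks copied from another host and is worth rewriting or dropping before it is uncommented.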
diff --git a/ansible/inventory b/ansible/inventory
index 9b620d5..08e0fa0 100644
--- a/ansible/inventory
+++ b/ansible/inventory
@@ -34,6 +34,7 @@ all:
elasticsearch-servers:
hosts:
conflatorio-test1:
+ arius-test1:
modern1:
hosts:
arius:
@@ -44,6 +45,7 @@ all:
numquam:
lxc-hosts:
hosts:
+ arius:
birgitte:
conflatorio:
linode-dns-update:
diff --git a/ansible/lxc-host.yml b/ansible/lxc-host.yml
new file mode 100644
index 0000000..d1c0346
--- /dev/null
+++ b/ansible/lxc-host.yml
@@ -0,0 +1,4 @@
+- hosts:
+ - lxc-hosts
+ roles:
+ - lxc-host
diff --git a/ansible/roles/lxc-host/tasks/networkd.yml b/ansible/roles/lxc-host/tasks/networkd.yml
index f7ae410..526fc29 100644
--- a/ansible/roles/lxc-host/tasks/networkd.yml
+++ b/ansible/roles/lxc-host/tasks/networkd.yml
@@ -10,32 +10,12 @@
- debug: var=br_if
- debug: var=internal_if
- - name: Configure sysctl, enable ipv4 and ipv6 forwarding
- sysctl:
- name: "{{ item }}"
- value: 1
- with_items:
- - net.ipv4.ip_forward
- - net.ipv6.conf.all.forwarding
-
- name: enable systemd-networkd
service:
name: systemd-networkd
enabled: yes
state: started
-# - name: "/etc/systemd/network/50-0-lxc-host-{{ lxc_host__hardware_if }}.network"
-# notify: systemctl restart systemd-networkd
-# copy:
-# dest: "/etc/systemd/network/50-0-lxc-host-{{ lxc_host__hardware_if }}.network"
-# content: |
-# [Match]
-# Name={{ lxc_host__hardware_if }}
-#
-# [Network]
-# Address={{ hardware_if.ipv4.address }}/{{ hardware_if.ipv4.netmask }}
-# Gateway={{ hardware_if.ipv4.gateway }}
-
- name: "{{ file_prefix }}-1-{{ lxc_host__internal_if }}.netdev"
notify: systemctl restart systemd-networkd
copy:
@@ -80,3 +60,13 @@
{% if internal_if.ipv6 is defined %}
Address={{ internal_if.ipv6.address }}/{{ internal_if.ipv6.netmask }}
{% endif %}
+
+ - meta: flush_handlers
+
+ - name: Configure sysctl, enable ipv4 and ipv6 forwarding for {{ br_if }}
+ sysctl:
+ name: "{{ item }}"
+ value: 1
+ with_items:
+ - net.ipv4.conf.{{ br_if }}.forwarding
+ - net.ipv6.conf.{{ br_if }}.forwarding
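Review bot: Enabling only `net.ipv6.conf.{{ br_if }}.forwarding` will not make the host forward IPv6 for the containers: the kernel's forward path is gated on `net.ipv6.conf.all.forwarding`, and the per-interface flag mainly switches that interface's host/router behaviour; the `all` key was removed in the first hunk of this file (old lines around `net.ipv6.conf.all.forwarding`). For IPv4 the per-interface flag is checked on the ingress device, so as far as I can tell reply traffic arriving on the uplink interface would also need forwarding enabled there, not just on the bridge. The documented way to limit which interfaces may forward is the netfilter forward chain, not the sysctl. I would keep `- net.ipv6.conf.all.forwarding` (and `net.ipv4.ip_forward`, or the uplink's per-interface key) in the list and express the interface restriction in `nftables.yml`. The `flush_handlers` before the task is a good addition, since the bridge must exist before its sysctl keys do.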
diff --git a/ansible/roles/lxc-host/tasks/per-host.yml b/ansible/roles/lxc-host/tasks/per-host.yml
index 3bc9d24..ca33685 100644
--- a/ansible/roles/lxc-host/tasks/per-host.yml
+++ b/ansible/roles/lxc-host/tasks/per-host.yml
@@ -60,6 +60,9 @@
{% if lan.ipv6 is defined %}
lxc.net.0.ipv6.address = {{ lan.ipv6.address }}/{{ lan.ipv6.netmask }}
{% endif %}
+ {% if lan.ipv6.gateway is defined %}
+ lxc.net.0.ipv6.gateway = {{ lan.ipv6.gateway }}
+ {% endif %}
# 0 = trace, 1 = debug, 2 = info, 3 = notice, 4 = warn, 5 = error, 6 = critical, 7 = alert, and 8 = fatal.
lxc.log.level = 1
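Review bot: The new `{% if lan.ipv6.gateway is defined %}` test sits outside the `{% if lan.ipv6 is defined %}` block that precedes it, so for a container without an `ipv6` entry it dereferences `.gateway` on an undefined `lan.ipv6`. Depending on the Ansible/Jinja2 version and its undefined handling, that can raise an undefined-variable error for every IPv4-only container rather than evaluating to false. Nesting the check inside the existing block avoids the question: move the three added lines above the `{% endif %}` on the previous line, or use `{% if lan.ipv6 is defined and lan.ipv6.gateway is defined %}`. The enclosing task (the `content:` block scalar) starts outside this hunk.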
diff --git a/ansible/wireguard.yml b/ansible/wireguard.yml
index 943b0d2..3668f02 100644
--- a/ansible/wireguard.yml
+++ b/ansible/wireguard.yml
@@ -1,6 +1,6 @@
- hosts:
- wireguard_wg-net1
- tags: wg-net1
+ tags: never
roles:
- role: wireguard
wireguard__state: absent
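Review bot: Replacing `tags: wg-net1` with `tags: never` removes the play's own selector, so the only way to run this teardown is `--tags never`, which would also run every other never-tagged play in one go. If the intent is "skip by default but still runnable on its own", keep both: `tags: [never, wg-net1]`, which Ansible treats as "only when wg-net1 is explicitly requested". The same likely applies to the other old nets mentioned in the commit message, though only this play is visible in the diff.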