From 99ce768a7d6fe9e828caf932554c4e095c1d00b2 Mon Sep 17 00:00:00 2001 From: Trygve Laugstøl Date: Fri, 11 Jan 2019 07:45:58 +0100 Subject: lxc-host: Moving to its own playbook. Adding arius-test1. Only configuring ipv4/6 forwarding for the created interface. Adding configurable ipv6 address too. wireguard: Tagging old nets with never. nftables: Trying out portforwarding on arius. --- ansible/all.yml | 5 +---- ansible/group_vars/all/host_database.yml | 29 ++++++++++++++++++++++-- ansible/host_vars/arius-test1/elasticsearch.yml | 4 ++++ ansible/host_vars/arius/lxc.yml | 4 ++++ ansible/host_vars/arius/nftables.yml | 23 +++++++++++++++++++ ansible/host_vars/fuckaduck/elasticsearch.yml | 4 ---- ansible/inventory | 2 ++ ansible/lxc-host.yml | 4 ++++ ansible/roles/lxc-host/tasks/networkd.yml | 30 +++++++++---------------- ansible/roles/lxc-host/tasks/per-host.yml | 3 +++ ansible/wireguard.yml | 2 +- 11 files changed, 79 insertions(+), 31 deletions(-) create mode 100644 ansible/host_vars/arius-test1/elasticsearch.yml create mode 100644 ansible/host_vars/arius/lxc.yml delete mode 100644 ansible/host_vars/fuckaduck/elasticsearch.yml create mode 100644 ansible/lxc-host.yml diff --git a/ansible/all.yml b/ansible/all.yml index 326417c..4acd889 100644 --- a/ansible/all.yml +++ b/ansible/all.yml @@ -41,10 +41,7 @@ roles: - linode-dns-update -- hosts: - - lxc-hosts - roles: - - lxc-host +- import_playbook: lxc-host.yml - hosts: - borg_clients diff --git a/ansible/group_vars/all/host_database.yml b/ansible/group_vars/all/host_database.yml index 4342f23..c7bce07 100644 --- a/ansible/group_vars/all/host_database.yml +++ b/ansible/group_vars/all/host_database.yml 
@@ -1,13 +1,15 @@ -# Generate hwaddr with -# echo $(od -vN 6 -An -tx1 /dev/urandom) |tr ' ' : # Generate ipv6 with # echo $(od -vN 8 -An -tx2 /dev/urandom) |tr ' ' : +# Generate hwaddr with +# echo $(od -vN 6 -An -tx1 /dev/urandom) |tr ' ' : # Note that the last bit of the first byte can't be set! Keep that byte even! # After you boot the container you'll get the IPv6 address ipv6_networks: conflatorio: prefix: fd56:1ae9:097d:3ddd + arius: + prefix: f338:7b65:2445:ef9a host_database: birgitte: @@ -87,3 +89,26 @@ host_database: ipv6: address: "{{ ipv6_networks.conflatorio.prefix }}:5375:e67b:7878:310d" netmask: 64 + + arius: + interfaces: + lxc0-int: + ipv4: + address: 10.1.1.1 + netmask: 24 + ipv6: + address: "{{ ipv6_networks.arius.prefix }}:954b:90fc:c42d:1aef" + netmask: 64 + + arius-test1: + interfaces: + veth0: + hwaddr: 42:bc:1e:d3:bb:c5 + ipv4: + address: 10.1.1.2 + netmask: 24 + gateway: 10.1.1.1 + ipv6: + address: "{{ ipv6_networks.arius.prefix }}:2d35:abc6:97c1:cbf3" + netmask: 64 + gateway: auto diff --git a/ansible/host_vars/arius-test1/elasticsearch.yml b/ansible/host_vars/arius-test1/elasticsearch.yml new file mode 100644 index 0000000..1eb42bc --- /dev/null +++ b/ansible/host_vars/arius-test1/elasticsearch.yml @@ -0,0 +1,4 @@ +elasticsearch__state: present +elasticsearch__data_dir: /opt/elasticsearch/data +elasticsearch__http_port: 9201 +elasticsearch__tcp_port: 9301 diff --git a/ansible/host_vars/arius/lxc.yml b/ansible/host_vars/arius/lxc.yml new file mode 100644 index 0000000..5eea54d --- /dev/null +++ b/ansible/host_vars/arius/lxc.yml @@ -0,0 +1,4 @@ +lxc_host__containers: + test1: + state: started + host_database: arius-test1 diff --git a/ansible/host_vars/arius/nftables.yml b/ansible/host_vars/arius/nftables.yml index 6f4f167..8a276ff 100644 --- a/ansible/host_vars/arius/nftables.yml +++ b/ansible/host_vars/arius/nftables.yml 
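Review bot: The new `arius` prefix `f338:7b65:2445:ef9a` is not a ULA — RFC 4193 local prefixes live in fc00::/7 (in practice fd00::/8, like the existing `conflatorio` prefix `fd56:…`), and the `od -vN 8` generator in the header comment produces arbitrary bytes with no such constraint. As far as I know f338::/16 is unassigned, so it will work until something routes it, and a host with a default v6 route may leak packets with these addresses. I would change it to `prefix: fd38:7b65:2445:ef9a` and extend the comment with `# Local prefixes must start with fd (fc00::/7, RFC 4193): overwrite the first two hex digits of the generated value.` so the next network added here does not repeat the mistake.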
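Review bot: `hwaddr: 42:bc:1e:d3:bb:c5` is an unquoted colon-separated scalar, and YAML 1.1 parsers (PyYAML, which Ansible uses) read a MAC whose six groups happen to be all decimal digits of 59 or less as a sexagesimal integer, so an unlucky run of the generator in the header comment yields a value that is silently mangled before it ever reaches the lxc config. Quote it, `hwaddr: "42:bc:1e:d3:bb:c5"`, and it would be consistent to quote the v4 addresses the same way the templated v6 ones already are. `gateway: auto` on the IPv6 side presumably relies on the container learning a router from RAs; nothing in this commit shows anything on the bridge sending them, so confirm arius-test1 actually ends up with a default v6 route.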
@@ -43,3 +43,26 @@ nftables_tables: - position: 1 statement: "" # statement: "ip daddr 192.0.2.100 counter" + + - name: nat + family: ip + chains: + - name: "prerouting" + base: + type: "nat" + hook: "prerouting" + priority: 0 + rules: +# - position: 1 +# statement: "iif wlp1s0 tcp dport { 2222 } dnat 192.168.10.176:22" + - position: 1 + statement: "" + + - name: "postrouting" + base: + type: "nat" + hook: "postrouting" + priority: 100 + rules: + - position: 1 + statement: "masquerade random,persistent" diff --git a/ansible/host_vars/fuckaduck/elasticsearch.yml b/ansible/host_vars/fuckaduck/elasticsearch.yml deleted file mode 100644 index 1eb42bc..0000000 --- a/ansible/host_vars/fuckaduck/elasticsearch.yml +++ /dev/null @@ -1,4 +0,0 @@ -elasticsearch__state: present -elasticsearch__data_dir: /opt/elasticsearch/data -elasticsearch__http_port: 9201 -elasticsearch__tcp_port: 9301 diff --git a/ansible/inventory b/ansible/inventory index 9b620d5..08e0fa0 100644 --- a/ansible/inventory +++ b/ansible/inventory @@ -34,6 +34,7 @@ all: elasticsearch-servers: hosts: conflatorio-test1: + arius-test1: modern1: hosts: arius: @@ -44,6 +45,7 @@ all: numquam: lxc-hosts: hosts: + arius: birgitte: conflatorio: linode-dns-update: diff --git a/ansible/lxc-host.yml b/ansible/lxc-host.yml new file mode 100644 index 0000000..d1c0346 --- /dev/null +++ b/ansible/lxc-host.yml @@ -0,0 +1,4 @@ +- hosts: + - lxc-hosts + roles: + - lxc-host diff --git a/ansible/roles/lxc-host/tasks/networkd.yml b/ansible/roles/lxc-host/tasks/networkd.yml index f7ae410..526fc29 100644 --- a/ansible/roles/lxc-host/tasks/networkd.yml +++ b/ansible/roles/lxc-host/tasks/networkd.yml 
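Review bot: The postrouting rule `masquerade random,persistent` carries no source or interface match, so every forwarded packet leaving any interface is NATed — including packets going into the containers, which means the dnat port forward sketched in the commented rule would reach arius-test1 with source 10.1.1.1 and the real client address lost, and any other forwarded traffic on the host (wireguard peers, for instance) is rewritten too. Scope it to the container subnet leaving the uplink, e.g. `statement: 'ip saddr 10.1.1.0/24 oifname != "lxc0-int" masquerade random,persistent'`; whether the bridge is really named `lxc0-int` (the host_database key) or the uplink is still `wlp1s0` is not visible here, so use whatever `br_if` resolves to. The commented dnat example also still points at `192.168.10.176`, which is not in the 10.1.1.0/24 network this commit gives arius-test1, so it is stale. If the dnat is enabled it also needs a matching accept in the forward chain, which this hunk does not show.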
@@ -10,32 +10,12 @@ - debug: var=br_if - debug: var=internal_if - - name: Configure sysctl, enable ipv4 and ipv6 forwarding - sysctl: - name: "{{ item }}" - value: 1 - with_items: - - net.ipv4.ip_forward - - net.ipv6.conf.all.forwarding - - name: enable systemd-networkd service: name: systemd-networkd enabled: yes state: started -# - name: "/etc/systemd/network/50-0-lxc-host-{{ lxc_host__hardware_if }}.network" -# notify: systemctl restart systemd-networkd -# copy: -# dest: "/etc/systemd/network/50-0-lxc-host-{{ lxc_host__hardware_if }}.network" -# content: | -# [Match] -# Name={{ lxc_host__hardware_if }} -# -# [Network] -# Address={{ hardware_if.ipv4.address }}/{{ hardware_if.ipv4.netmask }} -# Gateway={{ hardware_if.ipv4.gateway }} - - name: "{{ file_prefix }}-1-{{ lxc_host__internal_if }}.netdev" notify: systemctl restart systemd-networkd copy: @@ -80,3 +60,13 @@ {% if internal_if.ipv6 is defined %} Address={{ internal_if.ipv6.address }}/{{ internal_if.ipv6.netmask }} {% endif %} + + - meta: flush_handlers + + - name: Configure sysctl, enable ipv4 and ipv6 forwarding for {{ br_if }} + sysctl: + name: "{{ item }}" + value: 1 + with_items: + - net.ipv4.conf.{{ br_if }}.forwarding + - net.ipv6.conf.{{ br_if }}.forwarding diff --git a/ansible/roles/lxc-host/tasks/per-host.yml b/ansible/roles/lxc-host/tasks/per-host.yml index 3bc9d24..ca33685 100644 --- a/ansible/roles/lxc-host/tasks/per-host.yml +++ b/ansible/roles/lxc-host/tasks/per-host.yml @@ -60,6 +60,9 @@ {% if lan.ipv6 is defined %} lxc.net.0.ipv6.address = {{ lan.ipv6.address }}/{{ lan.ipv6.netmask }} {% endif %} + {% if lan.ipv6.gateway is defined %} + lxc.net.0.ipv6.gateway = {{ lan.ipv6.gateway }} + {% endif %} # 0 = trace, 1 = debug, 2 = info, 3 = notice, 4 = warn, 5 = error, 6 = critical, 7 = alert, and 8 = fatal. lxc.log.level = 1 diff --git a/ansible/wireguard.yml b/ansible/wireguard.yml index 943b0d2..3668f02 100644 --- a/ansible/wireguard.yml +++ b/ansible/wireguard.yml 
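Review bot: Replacing the global sysctls with `net.ipv4.conf.{{ br_if }}.forwarding` and `net.ipv6.conf.{{ br_if }}.forwarding` does not, as I read the kernel's ip-sysctl documentation, do what the task name says: the IPv6 forwarding decision is gated on `conf/all/forwarding` (the per-interface flag only switches host/router behaviour), and IPv4 forwarding is checked on the ingress interface, so replies arriving on the uplink are dropped unless that interface is enabled as well. Hosts configured before this commit will not show it, because the removed `net.ipv4.ip_forward` and `net.ipv6.conf.all.forwarding` entries remain in /etc/sysctl.conf, but a fresh host such as arius will. The per-interface keys also only exist once networkd has created the bridge (hence the `flush_handlers`), so systemd-sysctl cannot re-apply them at boot. Since this file appears to generate the internal interface's `.network` unit, `IPForward=yes` in its `[Network]` section is the more robust way to express this; if you instead return to `all.forwarding=1`, pair it with `accept_ra=2` on the uplink, and keep in mind that for IPv6 it is then netfilter, not sysctl, that limits which interfaces may forward.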
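Review bot: The new `{% if lan.ipv6.gateway is defined %}` sits after the `{% endif %}` of the `{% if lan.ipv6 is defined %}` block, so for a container whose interface has no `ipv6` key it dereferences an undefined `lan.ipv6`; with Jinja2's default Undefined that raises rather than evaluating to false, so the play would fail on such a host. Move the two new lines up so they sit just before the existing `{% endif %}`, i.e. inside the block that already proves `lan.ipv6` exists, and the guard `{% if lan.ipv6.gateway is defined %}` becomes safe. The lxc config template this belongs to starts and ends outside the hunk.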
@@ -1,6 +1,6 @@ - hosts: - wireguard_wg-net1 - tags: wg-net1 + tags: never roles: - role: wireguard wireguard__state: absent -- cgit v1.2.3
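Review bot: `tags: never` on its own means this removal play only runs when the tag `never` is passed explicitly, and it drops the `wg-net1` name the play had, so there is no longer a meaningful way to invoke it. If the intent is an opt-in cleanup, the usual form keeps both, `tags: [never, wg-net1]`, so `--tags wg-net1` still runs it while default runs skip it. If the old net is already gone everywhere, deleting the play is clearer than keeping one that is unreachable.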