From cc70c3640eeb06d9129cd624c0750f2db70648a7 Mon Sep 17 00:00:00 2001 From: Trygve Laugstøl Date: Fri, 4 Jan 2019 15:04:54 +0100 Subject: lxc-host: Major refactoring. o Removing radvd support, should be handled by itself. Better support for setting ipv6 addresses instead. o Moving out UFW stupport, should be moved to the ufw package. o Better variables, default and file names. --- ansible/roles/lxc-host/tasks/networkd.yml | 97 ++++++++++--------------------- 1 file changed, 30 insertions(+), 67 deletions(-) (limited to 'ansible/roles/lxc-host/tasks/networkd.yml')
diff --git a/ansible/roles/lxc-host/tasks/networkd.yml b/ansible/roles/lxc-host/tasks/networkd.yml
index 41ddb3f..f7ae410 100644
--- a/ansible/roles/lxc-host/tasks/networkd.yml
+++ b/ansible/roles/lxc-host/tasks/networkd.yml
@@ -3,59 +3,20 @@ - lxc-host-network become: yes vars: - hardware_if: "{{ host_database | json_query(ansible_hostname + '.interfaces.' + lxc_host__hardware_if) }}" + file_prefix: "/etc/systemd/network/{{ lxc_host__networkd_number }}-lxc-host" br_if: "{{ lxc_host__br_if }}" - internal_if: "{{ host_database | json_query(ansible_hostname + '.interfaces.' + lxc_host__internal_if) }}" + internal_if: "{{ host_database[ansible_hostname].interfaces[lxc_host__internal_if] }}" block: - - debug: var=hardware_if - debug: var=br_if - debug: var=internal_if - name: Configure sysctl, enable ipv4 and ipv6 forwarding - become: yes - copy: - dest: /etc/sysctl.d/99-lxc-host.conf - content: | - net.ipv4.ip_forward=1 - net.ipv6.conf.all.forwarding=1 - notify: restart sysctl - - - name: Enable UFW - become: yes - ufw: - state: enabled - - - become: yes - ufw: - policy: allow - direction: outgoing - - - become: yes - ufw: - policy: allow - direction: routed - - - become: yes - ufw: - policy: deny - direction: incoming - - - name: Enable NAT configuration through UFW - become: yes - notify: reload ufw - blockinfile: - path: /etc/ufw/before.rules - insertbefore: "# Don't delete these required lines, otherwise there will be errors" - block: | - # NAT table rules - *nat - :POSTROUTING ACCEPT [0:0] - - # Forward traffic through eth0 - Change to match you out-interface - -A POSTROUTING -s {{ internal_if.ipv4.address }}/{{ internal_if.ipv4.netmask }} -o {{ lxc_host__hardware_if }} -j MASQUERADE - - # don't delete the 'COMMIT' line or these nat table rules won't be processed - COMMIT + sysctl: + name: "{{ item }}" + value: 1 + with_items: + - net.ipv4.ip_forward + - net.ipv6.conf.all.forwarding - name: enable systemd-networkd service: 
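Review bot: The new `sysctl:` task writes `net.ipv4.ip_forward` and `net.ipv6.conf.all.forwarding` to the module's default file (/etc/sysctl.conf), while the removed task's drop-in /etc/sysctl.d/99-lxc-host.conf is neither written nor deleted, so hosts provisioned by the previous version keep an unmanaged copy of the same keys; adding `sysctl_file: /etc/sysctl.d/99-lxc-host.conf` to the task keeps the settings in the role-owned file and leaves nothing orphaned. With the UFW default-deny and MASQUERADE tasks gone, this hunk enables forwarding for both address families with no filtering left in this role, so a host that receives this role without the ufw role forwards between the bridge and the uplink unfiltered; the role's meta dependencies are not shown here, so a comment on the task such as `# forwarding only; filtering/NAT is provided by the ufw role, which must also be applied` would make that dependency visible. As a style point, `with_items` could be `loop` since the rest of the refactoring modernises the file. The enclosing `vars:`/`block:` belong to a task whose header is above the hunk and whose body continues into the next hunk.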
@@ -63,31 +24,31 @@ enabled: yes state: started - - name: "/etc/systemd/network/50-0-lxc-host-{{ lxc_host__hardware_if }}.network" +# - name: "/etc/systemd/network/50-0-lxc-host-{{ lxc_host__hardware_if }}.network" +# notify: systemctl restart systemd-networkd +# copy: +# dest: "/etc/systemd/network/50-0-lxc-host-{{ lxc_host__hardware_if }}.network" +# content: | +# [Match] +# Name={{ lxc_host__hardware_if }} +# +# [Network] +# Address={{ hardware_if.ipv4.address }}/{{ hardware_if.ipv4.netmask }} +# Gateway={{ hardware_if.ipv4.gateway }} + + - name: "{{ file_prefix }}-1-{{ lxc_host__internal_if }}.netdev" notify: systemctl restart systemd-networkd copy: - dest: "/etc/systemd/network/50-0-lxc-host-{{ lxc_host__hardware_if }}.network" - content: | - [Match] - Name={{ lxc_host__hardware_if }} - - [Network] - Address={{ hardware_if.ipv4.address }}/{{ hardware_if.ipv4.netmask }} - Gateway={{ hardware_if.ipv4.gateway }} - - - name: "/etc/systemd/network/50-1-lxc-host-{{ lxc_host__internal_if }}.netdev" - notify: systemctl restart systemd-networkd - copy: - dest: "/etc/systemd/network/50-1-lxc-host-{{ lxc_host__internal_if }}.netdev" + dest: "{{ file_prefix }}-1-{{ lxc_host__internal_if }}.netdev" content: | [NetDev] Name={{ lxc_host__internal_if }} Kind=dummy - - name: "/etc/systemd/network/50-2-lxc-host-{{ lxc_host__internal_if }}.network" + - name: "{{ file_prefix }}-2-{{ lxc_host__internal_if }}.network" notify: systemctl restart systemd-networkd copy: - dest: "/etc/systemd/network/50-2-lxc-host-{{ lxc_host__internal_if }}.network" + dest: "{{ file_prefix }}-2-{{ lxc_host__internal_if }}.network" content: | [Match] Name={{ lxc_host__internal_if }} 
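Review bot: Renaming every `dest:` from `/etc/systemd/network/50-N-lxc-host-…` to `{{ file_prefix }}-N-…` does not remove the files written under the old names, so a host provisioned by the previous version keeps the old `.netdev`/`.network` units next to the new ones (and the commented-out hardware-interface task leaves `50-0-lxc-host-<if>.network` in place with no task managing it), and systemd-networkd will load both sets; the same applies to the renamed units in the next hunk. A cleanup task that removes the old paths and notifies the same handler closes that gap; it references `lxc_host__hardware_if`, which the old task used and which I assume still exists in the role defaults after the variable renames. The commented-out block is also dead code that refers to `hardware_if`, a var this commit removes from `vars:`, so it cannot be re-enabled as written; better to delete it and rely on history. The task list continues past both ends of the hunk.
```yaml
    - name: Remove networkd units written under the previous file names
      notify: systemctl restart systemd-networkd
      file:
        path: "/etc/systemd/network/{{ item }}"
        state: absent
      with_items:
        - "50-0-lxc-host-{{ lxc_host__hardware_if }}.network"
        - "50-1-lxc-host-{{ lxc_host__internal_if }}.netdev"
        - "50-2-lxc-host-{{ lxc_host__internal_if }}.network"
        - "50-3-lxc-host-{{ br_if }}.netdev"
        - "50-4-lxc-host-{{ br_if }}.network"
    # … unchanged: the renamed .netdev/.network copy tasks …
```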
@@ -95,25 +56,27 @@ [Network] Bridge={{ br_if }} - - name: "/etc/systemd/network/50-3-lxc-host-{{ br_if }}.netdev" + - name: "{{ file_prefix }}-3-{{ br_if }}.netdev" notify: systemctl restart systemd-networkd copy: - dest: "/etc/systemd/network/50-3-lxc-host-{{ br_if }}.netdev" + dest: "{{ file_prefix }}-3-{{ br_if }}.netdev" content: | [NetDev] Name={{ br_if }} Kind=bridge - - name: "/etc/systemd/network/50-4-lxc-host-{{ br_if }}.network" + - name: "{{ file_prefix }}-4-{{ br_if }}.network" notify: systemctl restart systemd-networkd copy: - dest: "/etc/systemd/network/50-4-lxc-host-{{ br_if }}.network" + dest: "{{ file_prefix }}-4-{{ br_if }}.network" content: | [Match] Name={{ br_if }} [Network] + {% if internal_if.ipv4 is defined %} Address={{ internal_if.ipv4.address }}/{{ internal_if.ipv4.netmask }} + {% endif %} {% if internal_if.ipv6 is defined %} Address={{ internal_if.ipv6.address }}/{{ internal_if.ipv6.netmask }} {% endif %} -- cgit v1.2.3
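Review bot: Wrapping the IPv4 `Address=` line in `{% if internal_if.ipv4 is defined %}` makes the bridge address optional, so a host_database entry with neither `ipv4` nor `ipv6` now renders an empty `[Network]` section and the bridge comes up without an address, with no play failure; an `assert` task before the copy tasks, `that: internal_if.ipv4 is defined or internal_if.ipv6 is defined`, keeps that a loud error. `Address={{ internal_if.ipv6.address }}/{{ internal_if.ipv6.netmask }}` only renders a valid networkd line if host_database stores the IPv6 netmask as a prefix length (e.g. 64), which I cannot confirm from this hunk; a comment on the `content:` block such as `# ipv6.netmask must be a prefix length, not an address-style mask` documents the expectation. The `{% if %}`/`{% endif %}` lines leave blank lines in the rendered unit, which systemd ignores. The copy task's `content:` block closes on the hunk's last line, which appears to be the end of the file.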