From 3bd5df7c65fc12ea4063e5cf26ec030eaf131b10 Mon Sep 17 00:00:00 2001 
From: Wojciech Kozlowski Date: Sun, 25 Sep 2022 16:00:40 +0200 Subject: [PATCH] Make VPN configuration more robust --- .../valkyrie/etc/network/interfaces.d/br0.j2 | 6 ++-- .../valkyrie/etc/network/interfaces.d/wg0.j2 | 6 ++-- .../usr/local/sbin/post-up-br0-inet.nft.j2 | 5 +++ ...-up-br0.nft.j2 => post-up-br0-ipv4.nft.j2} | 2 +- ...-up-wg0.nft.j2 => post-up-wg0-inet.nft.j2} | 9 +---- .../usr/local/sbin/post-up-wg0-ipv4.nft.j2 | 8 +++++ .../usr/local/sbin/pre-down-br0-inet.nft.j2 | 4 +++ .../usr/local/sbin/pre-down-br0-ipv4.nft.j2 | 4 +++ .../usr/local/sbin/pre-down-br0.nft.j2 | 4 --- .../usr/local/sbin/pre-down-wg0-inet.nft.j2 | 4 +++ .../usr/local/sbin/pre-down-wg0-ipv4.nft.j2 | 4 +++ .../usr/local/sbin/pre-down-wg0.nft.j2 | 7 ---- .../yggdrasil/etc/network/interfaces.d/br0.j2 | 6 ++-- .../yggdrasil/etc/network/interfaces.d/wg0.j2 | 6 ++-- .../usr/local/sbin/post-up-br0-inet.nft.j2 | 5 +++ ...-up-br0.nft.j2 => post-up-br0-ipv4.nft.j2} | 16 ++++----- ...-up-wg0.nft.j2 => post-up-wg0-inet.nft.j2} | 2 +- .../usr/local/sbin/post-up-wg0-ipv4.nft.j2 | 5 +++ .../usr/local/sbin/pre-down-br0-inet.nft.j2 | 4 +++ .../usr/local/sbin/pre-down-br0-ipv4.nft.j2 | 4 +++ .../usr/local/sbin/pre-down-br0.nft.j2 | 7 ---- .../usr/local/sbin/pre-down-wg0-inet.nft.j2 | 4 +++ .../usr/local/sbin/pre-down-wg0-ipv4.nft.j2 | 4 +++ .../usr/local/sbin/pre-down-wg0.nft.j2 | 4 --- playbooks/hosts.yml | 6 ++-- playbooks/tasks/vpn/bridge.yml | 33 ++++++++++++++----- playbooks/tasks/vpn/wireguard.yml | 33 ++++++++++++++----- playbooks/vpn.yml | 3 +- 28 files changed, 135 insertions(+), 70 deletions(-) create mode 100644 playbooks/filesystem/valkyrie/usr/local/sbin/post-up-br0-inet.nft.j2 rename playbooks/filesystem/valkyrie/usr/local/sbin/{post-up-br0.nft.j2 => post-up-br0-ipv4.nft.j2} (94%) rename playbooks/filesystem/valkyrie/usr/local/sbin/{post-up-wg0.nft.j2 => post-up-wg0-inet.nft.j2} (56%) create mode 100644 playbooks/filesystem/valkyrie/usr/local/sbin/post-up-wg0-ipv4.nft.j2 create mode 
100644 playbooks/filesystem/valkyrie/usr/local/sbin/pre-down-br0-inet.nft.j2 create mode 100644 playbooks/filesystem/valkyrie/usr/local/sbin/pre-down-br0-ipv4.nft.j2 delete mode 100644 playbooks/filesystem/valkyrie/usr/local/sbin/pre-down-br0.nft.j2 create mode 100644 playbooks/filesystem/valkyrie/usr/local/sbin/pre-down-wg0-inet.nft.j2 create mode 100644 playbooks/filesystem/valkyrie/usr/local/sbin/pre-down-wg0-ipv4.nft.j2 delete mode 100644 playbooks/filesystem/valkyrie/usr/local/sbin/pre-down-wg0.nft.j2 create mode 100644 playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-br0-inet.nft.j2 rename playbooks/filesystem/yggdrasil/usr/local/sbin/{post-up-br0.nft.j2 => post-up-br0-ipv4.nft.j2} (83%) rename playbooks/filesystem/yggdrasil/usr/local/sbin/{post-up-wg0.nft.j2 => post-up-wg0-inet.nft.j2} (88%) create mode 100644 playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-wg0-ipv4.nft.j2 create mode 100644 playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-br0-inet.nft.j2 create mode 100644 playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-br0-ipv4.nft.j2 delete mode 100644 playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-br0.nft.j2 create mode 100644 playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-wg0-inet.nft.j2 create mode 100644 playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-wg0-ipv4.nft.j2 delete mode 100644 playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-wg0.nft.j2 diff --git a/playbooks/filesystem/valkyrie/etc/network/interfaces.d/br0.j2 b/playbooks/filesystem/valkyrie/etc/network/interfaces.d/br0.j2 index 5fa3ee1..57d8276 100644 --- a/playbooks/filesystem/valkyrie/etc/network/interfaces.d/br0.j2 +++ b/playbooks/filesystem/valkyrie/etc/network/interfaces.d/br0.j2 
@@ -2,9 +2,11 @@ auto br0 iface br0 inet static pre-up ip link add $IFACE type bridge - post-up /usr/local/sbin/post-up-$IFACE.nft + post-up /usr/local/sbin/post-up-$IFACE-inet.nft + post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft - pre-down /usr/local/sbin/pre-down-$IFACE.nft + pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft + pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft post-down ip link del dev $IFACE diff --git a/playbooks/filesystem/valkyrie/etc/network/interfaces.d/wg0.j2 b/playbooks/filesystem/valkyrie/etc/network/interfaces.d/wg0.j2 index 80318e0..82e00e8 100644 --- a/playbooks/filesystem/valkyrie/etc/network/interfaces.d/wg0.j2 +++ b/playbooks/filesystem/valkyrie/etc/network/interfaces.d/wg0.j2 @@ -4,11 +4,13 @@ iface wg0 inet static pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf pre-up ip link set mtu 1420 dev $IFACE - post-up /usr/local/sbin/post-up-$IFACE.nft + post-up /usr/local/sbin/post-up-$IFACE-inet.nft + post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft post-up ip route add {{ vpn_remote_subnet }} dev $IFACE pre-down ip route del {{ vpn_remote_subnet }} dev $IFACE - pre-down /usr/local/sbin/pre-down-$IFACE.nft + pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft + pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft post-down ip link del dev $IFACE diff --git a/playbooks/filesystem/valkyrie/usr/local/sbin/post-up-br0-inet.nft.j2 b/playbooks/filesystem/valkyrie/usr/local/sbin/post-up-br0-inet.nft.j2 new file mode 100644 index 0000000..ba234a7 --- /dev/null +++ b/playbooks/filesystem/valkyrie/usr/local/sbin/post-up-br0-inet.nft.j2 @@ -0,0 +1,5 @@ +#!/usr/bin/env -S nft -f + +table inet br0_inet { + +} 
diff --git a/playbooks/filesystem/valkyrie/usr/local/sbin/post-up-br0.nft.j2 b/playbooks/filesystem/valkyrie/usr/local/sbin/post-up-br0-ipv4.nft.j2 similarity index 94% rename from playbooks/filesystem/valkyrie/usr/local/sbin/post-up-br0.nft.j2 rename to playbooks/filesystem/valkyrie/usr/local/sbin/post-up-br0-ipv4.nft.j2 index a49f136..e93c673 100644 --- a/playbooks/filesystem/valkyrie/usr/local/sbin/post-up-br0.nft.j2 +++ b/playbooks/filesystem/valkyrie/usr/local/sbin/post-up-br0-ipv4.nft.j2 @@ -1,6 +1,6 @@ #!/usr/bin/env -S nft -f -table ip br0_nat { +table ip br0_ipv4 { chain prerouting { type nat hook prerouting priority -100; iif {{ ethx }} tcp dport { 80, 443 } dnat to {{ vpn_reverse_proxy_address }}; diff --git a/playbooks/filesystem/valkyrie/usr/local/sbin/post-up-wg0.nft.j2 b/playbooks/filesystem/valkyrie/usr/local/sbin/post-up-wg0-inet.nft.j2 similarity index 56% rename from playbooks/filesystem/valkyrie/usr/local/sbin/post-up-wg0.nft.j2 rename to playbooks/filesystem/valkyrie/usr/local/sbin/post-up-wg0-inet.nft.j2 index d49c693..dfd4b1d 100644 --- a/playbooks/filesystem/valkyrie/usr/local/sbin/post-up-wg0.nft.j2 +++ b/playbooks/filesystem/valkyrie/usr/local/sbin/post-up-wg0-inet.nft.j2 @@ -1,16 +1,9 @@ #!/usr/bin/env -S nft -f -table inet wg0_mss_clamping { +table inet wg0_inet { chain forward { type filter hook forward priority 0; iif wg0 tcp flags syn tcp option maxseg size set rt mtu; oif wg0 tcp flags syn tcp option maxseg size set rt mtu; } } - -table ip wg0_nat { - chain postrouting { - type nat hook postrouting priority 100; - iif wg0 oif {{ ethx }} masquerade; - } -} diff --git a/playbooks/filesystem/valkyrie/usr/local/sbin/post-up-wg0-ipv4.nft.j2 b/playbooks/filesystem/valkyrie/usr/local/sbin/post-up-wg0-ipv4.nft.j2 new file mode 100644 index 0000000..93b60c2 --- /dev/null +++ b/playbooks/filesystem/valkyrie/usr/local/sbin/post-up-wg0-ipv4.nft.j2 
@@ -0,0 +1,8 @@
+#!/usr/bin/env -S nft -f
+
+table ip wg0_ipv4 {
+ chain postrouting {
+ type nat hook postrouting priority 100;
+ iif wg0 oif {{ ethx }} masquerade;
+ }
+}
diff --git a/playbooks/filesystem/valkyrie/usr/local/sbin/pre-down-br0-inet.nft.j2 b/playbooks/filesystem/valkyrie/usr/local/sbin/pre-down-br0-inet.nft.j2
new file mode 100644
index 0000000..fb65935
--- /dev/null
+++ b/playbooks/filesystem/valkyrie/usr/local/sbin/pre-down-br0-inet.nft.j2
@@ -0,0 +1,4 @@
+#!/usr/bin/env -S nft -f
+
+flush table ip br0_inet
+delete table ip br0_inet
diff --git a/playbooks/filesystem/valkyrie/usr/local/sbin/pre-down-br0-ipv4.nft.j2 b/playbooks/filesystem/valkyrie/usr/local/sbin/pre-down-br0-ipv4.nft.j2
new file mode 100644
index 0000000..34d95a9
--- /dev/null
+++ b/playbooks/filesystem/valkyrie/usr/local/sbin/pre-down-br0-ipv4.nft.j2
@@ -0,0 +1,4 @@
+#!/usr/bin/env -S nft -f
+
+flush table ip br0_ipv4
+delete table ip br0_ipv4
diff --git a/playbooks/filesystem/valkyrie/usr/local/sbin/pre-down-br0.nft.j2 b/playbooks/filesystem/valkyrie/usr/local/sbin/pre-down-br0.nft.j2
deleted file mode 100644
index f76549c..0000000
--- a/playbooks/filesystem/valkyrie/usr/local/sbin/pre-down-br0.nft.j2
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/usr/bin/env -S nft -f
-
-flush table ip br0_nat
-delete table ip br0_nat
diff --git a/playbooks/filesystem/valkyrie/usr/local/sbin/pre-down-wg0-inet.nft.j2 b/playbooks/filesystem/valkyrie/usr/local/sbin/pre-down-wg0-inet.nft.j2
new file mode 100644
index 0000000..27813e2
--- /dev/null
+++ b/playbooks/filesystem/valkyrie/usr/local/sbin/pre-down-wg0-inet.nft.j2
@@ -0,0 +1,4 @@
+#!/usr/bin/env -S nft -f
+
+flush table inet wg0_inet
+delete table inet wg0_inet
diff --git a/playbooks/filesystem/valkyrie/usr/local/sbin/pre-down-wg0-ipv4.nft.j2 b/playbooks/filesystem/valkyrie/usr/local/sbin/pre-down-wg0-ipv4.nft.j2
new file mode 100644
index 0000000..5f6b6b0
--- /dev/null
+++ b/playbooks/filesystem/valkyrie/usr/local/sbin/pre-down-wg0-ipv4.nft.j2
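Review bot: The valkyrie `pre-down-br0-inet.nft.j2` addresses its table as `flush table ip br0_inet` / `delete table ip br0_inet`, but the matching post-up script on this host creates it as `table inet br0_inet`, so the address family does not match; the yggdrasil `pre-down-wg0-ipv4.nft.j2` further down has the mirror-image mismatch (`inet wg0_ipv4` against a `table ip wg0_ipv4`). nft refuses to flush or delete a table that does not exist, so each of these pre-down scripts exits non-zero on every ifdown and the table it was meant to remove stays in the kernel. Since ifupdown presumably stops at the first failing pre-down command, the wg0 case would also skip `pre-down-wg0-inet.nft`, leaving `wg0_inet` and its MSS-clamp rules in place so that the next ifup re-declares the table and appends a second copy of the rules — worth confirming on a host. The fix is `flush table inet br0_inet` / `delete table inet br0_inet` in the valkyrie file and `flush table ip wg0_ipv4` / `delete table ip wg0_ipv4` in the yggdrasil one; the `flush` lines are redundant in front of `delete table` and dropping them halves the number of commands that can fail.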
@@ -0,0 +1,4 @@ +#!/usr/bin/env -S nft -f + +flush table ip wg0_ipv4 +delete table ip wg0_ipv4 diff --git a/playbooks/filesystem/valkyrie/usr/local/sbin/pre-down-wg0.nft.j2 b/playbooks/filesystem/valkyrie/usr/local/sbin/pre-down-wg0.nft.j2 deleted file mode 100644 index f4eac35..0000000 --- a/playbooks/filesystem/valkyrie/usr/local/sbin/pre-down-wg0.nft.j2 +++ /dev/null @@ -1,7 +0,0 @@ -#!/usr/bin/env -S nft -f - -flush table inet wg0_mss_clamping -delete table inet wg0_mss_clamping - -flush table ip wg0_nat -delete table ip wg0_nat diff --git a/playbooks/filesystem/yggdrasil/etc/network/interfaces.d/br0.j2 b/playbooks/filesystem/yggdrasil/etc/network/interfaces.d/br0.j2 index 4bf045d..35e482b 100644 --- a/playbooks/filesystem/yggdrasil/etc/network/interfaces.d/br0.j2 +++ b/playbooks/filesystem/yggdrasil/etc/network/interfaces.d/br0.j2 @@ -2,13 +2,15 @@ auto br0 iface br0 inet static pre-up ip link add $IFACE type bridge - post-up /usr/local/sbin/post-up-$IFACE.nft + post-up /usr/local/sbin/post-up-$IFACE-inet.nft + post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft post-up ip rule add dev $IFACE table 66 post-up ip rule add dev $IFACE to {{ subnet }} table main priority 1 pre-down ip rule del dev $IFACE to {{ subnet }} table main priority 1 pre-down ip rule del dev $IFACE table 66 - pre-down /usr/local/sbin/pre-down-$IFACE.nft + pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft + pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft post-down ip link del dev $IFACE diff --git a/playbooks/filesystem/yggdrasil/etc/network/interfaces.d/wg0.j2 b/playbooks/filesystem/yggdrasil/etc/network/interfaces.d/wg0.j2 index f293785..f73fe19 100644 --- a/playbooks/filesystem/yggdrasil/etc/network/interfaces.d/wg0.j2 +++ b/playbooks/filesystem/yggdrasil/etc/network/interfaces.d/wg0.j2 
@@ -4,11 +4,13 @@ iface wg0 inet static pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf pre-up ip link set mtu 1420 dev $IFACE - post-up /usr/local/sbin/post-up-$IFACE.nft + post-up /usr/local/sbin/post-up-$IFACE-inet.nft + post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft post-up ip route add default dev $IFACE table 66 pre-down ip route del default dev $IFACE table 66 - pre-down /usr/local/sbin/pre-down-$IFACE.nft + pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft + pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft post-down ip link del dev $IFACE diff --git a/playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-br0-inet.nft.j2 b/playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-br0-inet.nft.j2 new file mode 100644 index 0000000..ba234a7 --- /dev/null +++ b/playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-br0-inet.nft.j2 @@ -0,0 +1,5 @@ +#!/usr/bin/env -S nft -f + +table inet br0_inet { + +} diff --git a/playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-br0.nft.j2 b/playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-br0-ipv4.nft.j2 similarity index 83% rename from playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-br0.nft.j2 rename to playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-br0-ipv4.nft.j2 index fa6ad54..cdf2636 100644 --- a/playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-br0.nft.j2 +++ b/playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-br0-ipv4.nft.j2 
@@ -1,19 +1,17 @@ #!/usr/bin/env -S nft -f -table inet br0_filter { - chain input { - type filter hook input priority -5; - ct state established,related accept; - iif br0 ip daddr {{ subnet }} drop; - } -} - -table ip br0_nat { +table ip br0_ipv4 { chain prerouting { type nat hook prerouting priority -100; iif {{ ethx }} tcp dport { 80, 443 } dnat to {{ vpn_reverse_proxy_address }}; } + chain input { + type filter hook input priority 0; + ct state established,related accept; + iif br0 ip daddr {{ subnet }} drop; + } + chain postrouting { type nat hook postrouting priority 100; iif br0 oif {{ ethx }} masquerade; diff --git a/playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-wg0.nft.j2 b/playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-wg0-inet.nft.j2 similarity index 88% rename from playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-wg0.nft.j2 rename to playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-wg0-inet.nft.j2 index 290d469..1351015 100644 --- a/playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-wg0.nft.j2 +++ b/playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-wg0-inet.nft.j2 @@ -1,6 +1,6 @@ #!/usr/bin/env -S nft -f -table inet wg0_mss_clamping { +table inet wg0_inet { chain forward { type filter hook forward priority 0; iif wg0 tcp flags syn tcp option maxseg size set rt mtu; diff --git a/playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-wg0-ipv4.nft.j2 b/playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-wg0-ipv4.nft.j2 new file mode 100644 index 0000000..415c126 --- /dev/null +++ b/playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-wg0-ipv4.nft.j2 @@ -0,0 +1,5 @@ +#!/usr/bin/env -S nft -f + +table ip wg0_ipv4 { + +} diff --git a/playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-br0-inet.nft.j2 b/playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-br0-inet.nft.j2 new file mode 100644 index 0000000..e7b5064 --- /dev/null +++ b/playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-br0-inet.nft.j2 
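Review bot: The `input` chain that moves into `table ip br0_ipv4` also changes its hook priority from -5 to 0 and its family from `inet` to `ip`, and neither the hunk nor the commit message records why; a comment above `chain input` stating the isolation rule and the reason for the new priority would keep both from reading as accidental, for example `# IPv4 only: bridge clients cannot reach the host's {{ subnet }} except as replies to host-initiated traffic` followed by the priority rationale. The family change deserves a second look: the old `inet` chain also saw IPv6 arriving on br0 (only the `ct state` accept ever applied to it), whereas the `ip` table never will, and the new `br0_inet` table in this commit is empty, so if bridge clients can obtain IPv6 addresses nothing in these scripts filters them — presumably fine if the bridge is IPv4-only, but the comment should say so. The `postrouting` chain and the closing of the table run past the end of the hunk.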
@@ -0,0 +1,4 @@
+#!/usr/bin/env -S nft -f
+
+flush table inet br0_inet
+delete table inet br0_inet
diff --git a/playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-br0-ipv4.nft.j2 b/playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-br0-ipv4.nft.j2
new file mode 100644
index 0000000..34d95a9
--- /dev/null
+++ b/playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-br0-ipv4.nft.j2
@@ -0,0 +1,4 @@
+#!/usr/bin/env -S nft -f
+
+flush table ip br0_ipv4
+delete table ip br0_ipv4
diff --git a/playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-br0.nft.j2 b/playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-br0.nft.j2
deleted file mode 100644
index b7d677f..0000000
--- a/playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-br0.nft.j2
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/usr/bin/env -S nft -f
-
-flush table inet br0_filter
-delete table inet br0_filter
-
-flush table ip br0_nat
-delete table ip br0_nat
diff --git a/playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-wg0-inet.nft.j2 b/playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-wg0-inet.nft.j2
new file mode 100644
index 0000000..27813e2
--- /dev/null
+++ b/playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-wg0-inet.nft.j2
@@ -0,0 +1,4 @@
+#!/usr/bin/env -S nft -f
+
+flush table inet wg0_inet
+delete table inet wg0_inet
diff --git a/playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-wg0-ipv4.nft.j2 b/playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-wg0-ipv4.nft.j2
new file mode 100644
index 0000000..00f017a
--- /dev/null
+++ b/playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-wg0-ipv4.nft.j2
@@ -0,0 +1,4 @@
+#!/usr/bin/env -S nft -f
+
+flush table inet wg0_ipv4
+delete table inet wg0_ipv4
diff --git a/playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-wg0.nft.j2 b/playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-wg0.nft.j2
deleted file mode 100644
index a0c2259..0000000
--- a/playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-wg0.nft.j2
+++ /dev/null
@@ -1,4 +0,0 @@ -#!/usr/bin/env -S nft -f - -flush table inet wg0_mss_clamping -delete table inet wg0_mss_clamping diff --git a/playbooks/hosts.yml b/playbooks/hosts.yml index 1d7da52..beb0c4c 100644 --- a/playbooks/hosts.yml +++ b/playbooks/hosts.yml @@ -1,5 +1,6 @@ --- -- hosts: the_nine_worlds +- name: Configure hosts + hosts: the_nine_worlds tasks: - import_tasks: tasks/hosts/sshd.yml @@ -15,7 +16,8 @@ - import_tasks: tasks/hosts/user.yml - import_tasks: tasks/hosts/root-shell.yml -- hosts: yggdrasil +- name: Configure yggdrasil extras + hosts: yggdrasil tasks: - import_tasks: tasks/hosts/systemd-mail.yml diff --git a/playbooks/tasks/vpn/bridge.yml b/playbooks/tasks/vpn/bridge.yml index a277c26..b2b401d 100644 --- a/playbooks/tasks/vpn/bridge.yml +++ b/playbooks/tasks/vpn/bridge.yml 
@@ -1,25 +1,40 @@ -- name: Bridge interface post-up nftables script +- name: Bridge interface post-up nftables inet script template: - src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/post-up-br0.nft.j2 - dest: /usr/local/sbin/post-up-br0.nft + src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/post-up-br0-inet.nft.j2 + dest: /usr/local/sbin/post-up-br0-inet.nft mode: 0755 - register: br_intf_post_up + register: br_intf_post_up_inet + +- name: Bridge interface post-up nftables ipv4 script + template: + src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/post-up-br0-ipv4.nft.j2 + dest: /usr/local/sbin/post-up-br0-ipv4.nft + mode: 0755 + register: br_intf_post_up_ipv4 - name: Create bridge interface template: src: ./filesystem/{{ ansible_hostname }}/etc/network/interfaces.d/br0.j2 dest: /etc/network/interfaces.d/br0 mode: 0644 + validate: bash -c 'if ! diff %s /etc/network/interfaces.d/br0 && ip link show dev br0 ; then ifdown br0 ; fi' register: br_intf - name: Restart bridge interface - shell: ifdown br0 && ifup br0 + shell: if ip link show dev br0 ; then ifdown br0 && ifup br0 ; else ifup br0 ; fi when: - br_intf_post_up is changed or + br_intf_post_up_inet is changed or + br_intf_post_up_ipv4 is changed or br_intf is changed -- name: Bridge interface pre-down nftables script +- name: Bridge interface pre-down nftables inet script template: - src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/pre-down-br0.nft.j2 - dest: /usr/local/sbin/pre-down-br0.nft + src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/pre-down-br0-inet.nft.j2 + dest: /usr/local/sbin/pre-down-br0-inet.nft + mode: 0755 + +- name: Bridge interface pre-down nftables ipv4 script + template: + src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/pre-down-br0-ipv4.nft.j2 + dest: /usr/local/sbin/pre-down-br0-ipv4.nft mode: 0755 diff --git a/playbooks/tasks/vpn/wireguard.yml b/playbooks/tasks/vpn/wireguard.yml index fc3c3ff..37aff6d 100644 
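Review bot: The `validate:` added to the "Create bridge interface" task is not a validator — it runs `ifdown br0` as a side effect of rendering the template — and nothing in the task says so; the wireguard.yml hunk uses the same construction for wg0. Presumably the point is to take the interface down while the old config, and with it the old `pre-down-br0.nft` reference, is still installed, so that the tables the previous post-up created are actually removed before the renamed scripts replace them; that reasoning deserves a comment above the line, e.g. `# Not a validator: brings br0 down with the OLD config in place so its pre-down scripts run; the restart task below then only has to ifup.` Two consequences should be stated as well: a failing `ifdown br0` fails the whole task and leaves the old config untouched, and on a host where the destination does not exist yet `diff` exits 2, so `! diff` is true and only the `ip link show` test prevents the `ifdown`. Whether the validate command is also executed under `--check` should be confirmed, since a dry run would then bring the interface down for real.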
--- a/playbooks/tasks/vpn/wireguard.yml
+++ b/playbooks/tasks/vpn/wireguard.yml
@@ -9,29 +9,44 @@ mode: 0600 register: wg_intf_conf -- name: WireGuard interface post-up nftables script +- name: WireGuard interface post-up nftables inet script template: - src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/post-up-wg0.nft.j2 - dest: /usr/local/sbin/post-up-wg0.nft + src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/post-up-wg0-inet.nft.j2 + dest: /usr/local/sbin/post-up-wg0-inet.nft mode: 0755 - register: wg_intf_post_up + register: wg_intf_post_up_inet + +- name: WireGuard interface post-up nftables ipv4 script + template: + src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/post-up-wg0-ipv4.nft.j2 + dest: /usr/local/sbin/post-up-wg0-ipv4.nft + mode: 0755 + register: wg_intf_post_up_ipv4 - name: Create WireGuard interface template: src: ./filesystem/{{ ansible_hostname }}/etc/network/interfaces.d/wg0.j2 dest: /etc/network/interfaces.d/wg0 mode: 0644 + validate: bash -c 'if ! diff %s /etc/network/interfaces.d/wg0 && ip link show dev wg0 ; then ifdown wg0 ; fi' register: wg_intf - name: Restart WireGuard interface - shell: ifdown wg0 && ifup wg0 + shell: if ip link show dev wg0 ; then ifdown wg0 && ifup wg0 ; else ifup wg0 ; fi when: wg_intf_conf is changed or - wg_intf_post_up is changed or + wg_intf_post_up_inet is changed or + wg_intf_post_up_ipv4 is changed or wg_intf is changed -- name: WireGuard interface pre-down nftables script +- name: WireGuard interface pre-down nftables inet script template: - src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/pre-down-wg0.nft.j2 - dest: /usr/local/sbin/pre-down-wg0.nft + src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/pre-down-wg0-inet.nft.j2 + dest: /usr/local/sbin/pre-down-wg0-inet.nft + mode: 0755 + +- name: WireGuard interface pre-down nftables ipv4 script + template: + src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/pre-down-wg0-ipv4.nft.j2 + dest: /usr/local/sbin/pre-down-wg0-ipv4.nft mode: 0755 
diff --git a/playbooks/vpn.yml b/playbooks/vpn.yml index 16decbf..cf589ce 100644 --- a/playbooks/vpn.yml +++ b/playbooks/vpn.yml @@ -1,5 +1,6 @@ --- -- hosts: the_nine_worlds +- name: Configure VPN network + hosts: the_nine_worlds tasks: - import_tasks: tasks/vpn/ipforward.yml