Add vpn:bridge:br0

2022-12-08 23:27:25 +01:00 · 2022-12-08 23:27:25 +01:00 · dda51db812
commit dda51db812
parent 4285e87477
19 changed files with 127 additions and 117 deletions
--- a/playbooks/01-vpn.yml
+++ b/playbooks/01-vpn.yml
@ -3,5 +3,4 @@
  hosts: asgard

  tasks:
-    - import_tasks: tasks/vpn/bridge.yml
    - import_tasks: tasks/vpn/wireguard.yml
--- a/playbooks/filesystem/valkyrie/etc/network/interfaces.d/br0.j2
+++ b/playbooks/filesystem/valkyrie/etc/network/interfaces.d/br0.j2
@ -1,20 +0,0 @@
-auto br0
-iface br0 inet static
-    pre-up ip link add $IFACE type bridge
-
-    post-up /usr/local/sbin/post-up-$IFACE-inet.nft
-    post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
-
-    pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft
-    pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
-
-    post-down ip link del dev $IFACE
-
-    bridge_stp off
-    bridge_waitport 0
-    bridge_fd 0
-    bridge_ports none
-
-    address {{ vpn_br0_address }}
-    broadcast {{ vpn_br0_broadcast }}
-    netmask {{ vpn_br0_netmask }}
--- a/playbooks/filesystem/valkyrie/usr/local/sbin/post-up-br0-ipv4.nft.j2
+++ b/playbooks/filesystem/valkyrie/usr/local/sbin/post-up-br0-ipv4.nft.j2
@ -1,13 +0,0 @@
-#!/usr/bin/env -S nft -f
-
-table ip br0_ipv4 {
-        chain prerouting {
-                type nat hook prerouting priority -100;
-                iif {{ ethx }} tcp dport { 80, 443 } dnat to {{ services['rproxy'].address }};
-        }
-
-        chain postrouting {
-                type nat hook postrouting priority 100;
-                iif br0 oif {{ ethx }} masquerade;
-        }
-}
--- a/playbooks/filesystem/yggdrasil/etc/network/interfaces.d/br0.j2
+++ b/playbooks/filesystem/yggdrasil/etc/network/interfaces.d/br0.j2
@ -1,24 +0,0 @@
-auto br0
-iface br0 inet static
-    pre-up ip link add $IFACE type bridge
-
-    post-up /usr/local/sbin/post-up-$IFACE-inet.nft
-    post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
-    post-up ip rule add dev $IFACE table 66
-    post-up ip rule add dev $IFACE to {{ subnet }} table main priority 1
-
-    pre-down ip rule del dev $IFACE to {{ subnet }} table main priority 1
-    pre-down ip rule del dev $IFACE table 66
-    pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft
-    pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
-
-    post-down ip link del dev $IFACE
-
-    bridge_stp off
-    bridge_waitport 0
-    bridge_fd 0
-    bridge_ports none
-
-    address {{ vpn_br0_address }}
-    broadcast {{ vpn_br0_broadcast }}
-    netmask {{ vpn_br0_netmask }}
--- a/playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-br0-inet.nft.j2
+++ b/playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-br0-inet.nft.j2
@ -1,5 +0,0 @@
-#!/usr/bin/env -S nft -f
-
-table inet br0_inet {
-
-}
--- a/playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-br0-inet.nft.j2
+++ b/playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-br0-inet.nft.j2
@ -1,4 +0,0 @@
-#!/usr/bin/env -S nft -f
-
-flush table inet br0_inet
-delete table inet br0_inet
--- a/playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-br0-ipv4.nft.j2
+++ b/playbooks/filesystem/yggdrasil/usr/local/sbin/pre-down-br0-ipv4.nft.j2
@ -1,4 +0,0 @@
-#!/usr/bin/env -S nft -f
-
-flush table ip br0_ipv4
-delete table ip br0_ipv4
--- a/plays/system/main.yml
+++ b/plays/system/main.yml
@ -1,11 +1,11 @@
 ---
- name: "system : group:ups"
+- name: "system : ups"
  hosts: "ups"
  roles:
    - role: "ups"
      tags: "system:ups"

- name: "system : group:smart"
+- name: "system : smart"
  hosts: "smart"
  roles:
    - role: "smart"
@ -13,13 +13,13 @@
        system_base_smartd_conf_file: "files/smart/smartd.conf"
      tags: "system:smart"

- name: "system : group:zfs"
+- name: "system : zfs"
  hosts: "zfs"
  roles:
    - role: "zfs"
      tags: "system:zfs"

- name: "system : group:all"
+- name: "system : all"
  hosts: "all"
  roles:
    - role: "mail"
--- a/plays/vpn/main.yml
+++ b/plays/vpn/main.yml
@ -1,6 +1,18 @@
 ---
- name: "vpn : group:all"
+- name: "vpn : all"
  hosts: "all"
  roles:
    - role: "base"
      tags: "vpn:base"
+
+# - name: "vpn : bifrost"
+#   hosts: "bifrost"
+#   roles:
+#     - role: "gateway"
+#       tags: "vpn:gateway"
+
+- name: "vpn : asgard"
+  hosts: "asgard"
+  roles:
+    - role: "bridge"
+      tags: "vpn:bridge"
--- a/plays/vpn/roles/base/files/ip-link-add.sh
+++ b/plays/vpn/roles/base/files/ip-link-add.sh
@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+set -u
+
+if ! ip link show dev "${1}" > /dev/null 2>&1
+then
+    ip link add "${@}"
+fi
--- a/plays/vpn/roles/base/tasks/main.yml
+++ b/plays/vpn/roles/base/tasks/main.yml
@ -8,3 +8,9 @@
 - name: "install wireguard"
  ansible.builtin.apt:
    name: "wireguard"
+
+- name: "script for creating virtual interfaces"
+  ansible.builtin.copy:
+    src: "./ip-link-add.sh"
+    dest: "/usr/local/sbin/ip-link-add.sh"
+    mode: 0755
--- a/playbooks/filesystem/valkyrie/usr/local/sbin/pre-down-br0-inet.nft.j2
+++ b/playbooks/filesystem/valkyrie/usr/local/sbin/pre-down-br0-inet.nft.j2
--- a/playbooks/filesystem/valkyrie/usr/local/sbin/pre-down-br0-ipv4.nft.j2
+++ b/playbooks/filesystem/valkyrie/usr/local/sbin/pre-down-br0-ipv4.nft.j2
--- a/plays/vpn/roles/bridge/meta/argument_specs.yml
+++ b/plays/vpn/roles/bridge/meta/argument_specs.yml
@ -0,0 +1,26 @@
+argument_specs:
+  main:
+    options:
+      ansible_default_ipv4:
+        interface:
+          type: "str"
+          required: true
+      local_network:
+        type: "str"
+        required: false
+      vpn_routing_table:
+        type: "int"
+        required: true
+      vpn_bridge_dnat:
+        type: "list"
+        elements: "dict"
+        required: true
+      vpn_bridge_br0_address:
+        type: "str"
+        required: true
+      vpn_bridge_br0_broadcast:
+        type: "str"
+        required: true
+      vpn_bridge_br0_netmask:
+        type: "str"
+        required: true
--- a/plays/vpn/roles/bridge/tasks/include/br0.yml
+++ b/plays/vpn/roles/bridge/tasks/include/br0.yml
@ -1,21 +1,21 @@
- name: Bridge interface post-up nftables inet script
-  template:
-    src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/post-up-br0-inet.nft.j2
-    dest: /usr/local/sbin/post-up-br0-inet.nft
+- name: "br0 : post-up nftables inet script"
+  ansible.builtin.template:
+    src: "./br0/post-up-br0-inet.nft.j2"
+    dest: "/usr/local/sbin/post-up-br0-inet.nft"
    mode: 0755
-  register: br_intf_post_up_inet
+  register: vpn_bridge_post_up_br0_inet_nft

- name: Bridge interface post-up nftables ipv4 script
-  template:
-    src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/post-up-br0-ipv4.nft.j2
-    dest: /usr/local/sbin/post-up-br0-ipv4.nft
+- name: "br0 : post-up nftables ipv4 script"
+  ansible.builtin.template:
+    src: "./br0/post-up-br0-ipv4.nft.j2"
+    dest: "/usr/local/sbin/post-up-br0-ipv4.nft"
    mode: 0755
-  register: br_intf_post_up_ipv4
+  register: vpn_bridge_post_up_br0_ipv4_nft

- name: Create bridge interface
-  template:
-    src: ./filesystem/{{ ansible_hostname }}/etc/network/interfaces.d/br0.j2
-    dest: /etc/network/interfaces.d/br0
+- name: "br0 : configure interface"
+  ansible.builtin.template:
+    src: "./br0/br0.j2"
+    dest: "/etc/network/interfaces.d/br0"
    mode: 0644
    validate: >
      bash -c
@ -23,32 +23,29 @@
       then
           ifdown br0 ;
       fi'
-  register: br_intf
-
- block:
-    - name: Restart bridge interface
-      shell: if ip link show dev br0 ; then ifdown br0 && ifup br0 ; else ifup br0 ; fi
-
-    - name: Reconnect all services
-      systemd:
-        name: connect-pod-service@{{ item }}.service
-        state: started
-      with_items:
-        - "{{ host_services }}"
+  register: vpn_bridge_br0_conf

+- name: "br0 : restart interface"
+  ansible.builtin.shell: |
+    if ip link show dev br0
+    then
+        ifdown br0 && ifup br0
+    else
+        ifup br0
+    fi
  when:
-    br_intf_post_up_inet is changed or
-    br_intf_post_up_ipv4 is changed or
-    br_intf is changed
+    vpn_bridge_post_up_br0_inet_nft.changed or
+    vpn_bridge_post_up_br0_ipv4_nft.changed or
+    vpn_bridge_br0_conf.changed

- name: Bridge interface pre-down nftables inet script
-  template:
-    src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/pre-down-br0-inet.nft.j2
-    dest: /usr/local/sbin/pre-down-br0-inet.nft
+- name: "br0 : pre-down nftables inet script"
+  ansible.builtin.copy:
+    src: "./br0/pre-down-br0-inet.nft"
+    dest: "/usr/local/sbin/pre-down-br0-inet.nft"
    mode: 0755

- name: Bridge interface pre-down nftables ipv4 script
-  template:
-    src: ./filesystem/{{ ansible_hostname }}/usr/local/sbin/pre-down-br0-ipv4.nft.j2
-    dest: /usr/local/sbin/pre-down-br0-ipv4.nft
+- name: "br0 : pre-down nftables ipv4 script"
+  ansible.builtin.copy:
+    src: "./br0/pre-down-br0-ipv4.nft"
+    dest: "/usr/local/sbin/pre-down-br0-ipv4.nft"
    mode: 0755
--- a/plays/vpn/roles/bridge/tasks/main.yml
+++ b/plays/vpn/roles/bridge/tasks/main.yml
@ -0,0 +1,3 @@
+- name: "play:vpn : role:bridge : tasks:br0"
+  ansible.builtin.import_tasks: "include/br0.yml"
+  tags: "vpn:bridge:br0"
--- a/plays/vpn/roles/bridge/templates/br0/br0.j2
+++ b/plays/vpn/roles/bridge/templates/br0/br0.j2
@ -0,0 +1,26 @@
+auto br0
+iface br0 inet static
+    pre-up /usr/local/sbin/ip-link-add.sh $IFACE type bridge
+
+    post-up /usr/local/sbin/post-up-$IFACE-inet.nft
+    post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
+{% if local_network is defined %}
+    post-up ip rule add dev $IFACE table {{ vpn_routing_table }}
+    post-up ip rule add dev $IFACE to {{ local_network }} table main priority 1
+{% endif %}
+
+{% if local_network is defined %}
+    pre-down ip rule del dev $IFACE to {{ local_network }} table main priority 1
+    pre-down ip rule del dev $IFACE table {{ vpn_routing_table }}
+{% endif %}
+    pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft
+    pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
+
+    bridge_stp off
+    bridge_waitport 0
+    bridge_fd 0
+    bridge_ports none
+
+    address {{ vpn_bridge_br0_address }}
+    broadcast {{ vpn_bridge_br0_broadcast }}
+    netmask {{ vpn_bridge_br0_netmask }}
--- a/playbooks/filesystem/valkyrie/usr/local/sbin/post-up-br0-inet.nft.j2
+++ b/playbooks/filesystem/valkyrie/usr/local/sbin/post-up-br0-inet.nft.j2
--- a/playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-br0-ipv4.nft.j2
+++ b/playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-br0-ipv4.nft.j2
@ -3,18 +3,21 @@
 table ip br0_ipv4 {
        chain prerouting {
                type nat hook prerouting priority -100;
-                iif {{ ethx }} tcp dport { 80, 443 } dnat to {{ services['lrproxy'].address }};
-                iif {{ ethx }} tcp dport {{ services['git'].ssh_port }} dnat to {{ services['git'].address }};
+{% for forward in vpn_bridge_dnat %}
+                iif {{ ansible_default_ipv4.interface }} tcp dport { {{ forward.ports | join(", ") }} } dnat to {{ forward.address }};
+{% endfor %}
        }

+{% if local_network is defined %}
        chain input {
                type filter hook input priority 0;
                ct state established,related accept;
-                iif br0 ip daddr {{ subnet }} drop;
+                iif br0 ip daddr {{ local_network }} drop;
        }

+{% endif %}
        chain postrouting {
                type nat hook postrouting priority 100;
-                iif br0 oif {{ ethx }} masquerade;
+                iif br0 oif {{ ansible_default_ipv4.interface }} masquerade;
        }
 }