diff --git a/tasks/network.yml b/tasks/network.yml
index 4ebaa73..1163846 100644
--- a/tasks/network.yml
+++ b/tasks/network.yml
@@ -43,66 +43,70 @@
mode: '0640'
loop: '{{ vpn_peers }}'
-- name: setup desktop network configuration
- become: true
- template:
- src: '{{ item.src }}'
- dest: '{{ item.dest }}'
- owner: root
- group: systemd-network
- mode: '0640'
- loop:
- - {
- src: 'templates/desktop/network/enp.network.j2',
- dest: '/etc/systemd/network/20-wired.network',
- }
- - {
- src: 'templates/desktop/network/vmbr0.network.j2',
- dest: '/etc/systemd/network/30-vmbr0.network',
- }
- - {
- src: 'templates/desktop/network/vmbr0.netdev.j2',
- dest: '/etc/systemd/network/30-vmbr0.netdev',
- }
- - {
- src: 'templates/desktop/network/wg0.network.j2',
- dest: '/etc/systemd/network/40-wg0.network',
- }
- - {
- src: 'templates/desktop/network/wg0.netdev.j2',
- dest: '/etc/systemd/network/40-wg0.netdev',
- }
+- block:
+ - name: setup desktop network configuration
+ become: true
+ template:
+ src: '{{ item.src }}'
+ dest: '{{ item.dest }}'
+ owner: root
+ group: systemd-network
+ mode: '0640'
+ loop:
+ - {
+ src: 'templates/desktop/network/enp.network.j2',
+ dest: '/etc/systemd/network/20-wired.network',
+ }
+ - {
+ src: 'templates/desktop/network/wg0.network.j2',
+ dest: '/etc/systemd/network/40-wg0.network',
+ }
+ - {
+ src: 'templates/desktop/network/wg0.netdev.j2',
+ dest: '/etc/systemd/network/40-wg0.netdev',
+ }
+ - name: remove leftover configuration files
+ become: true
+ file:
+ path: '{{ item }}'
+ state: absent
+ loop:
+ - '/etc/systemd/network/30-vmbr0.network'
+ - '/etc/systemd/network/30-vmbr0.netdev'
when: platform == "desktop"
-- name: setup laptop network configuration
- become: true
- template:
- src: '{{ item.src }}'
- dest: '{{ item.dest }}'
- owner: root
- group: systemd-network
- mode: '0640'
- loop:
- - {
- src: 'templates/laptop/network/wireless.network.j2',
- dest: '/etc/systemd/network/20-wireless.network',
- }
- - {
- src: 'templates/laptop/network/vmbr0.network.j2',
- dest: '/etc/systemd/network/30-vmbr0.network',
- }
- - {
- src: 'templates/laptop/network/vmbr0.netdev.j2',
- dest: '/etc/systemd/network/30-vmbr0.netdev',
- }
- - {
- src: 'templates/laptop/network/wg0.network.j2',
- dest: '/etc/systemd/network/40-wg0.network',
- }
- - {
- src: 'templates/laptop/network/wg0.netdev.j2',
- dest: '/etc/systemd/network/40-wg0.netdev',
- }
+- block:
+ - name: setup laptop network configuration
+ become: true
+ template:
+ src: '{{ item.src }}'
+ dest: '{{ item.dest }}'
+ owner: root
+ group: systemd-network
+ mode: '0640'
+ loop:
+ - {
+ src: 'templates/laptop/network/wireless.network.j2',
+ dest: '/etc/systemd/network/20-wireless.network',
+ }
+ - {
+ src: 'templates/laptop/network/wg0.network.j2',
+ dest: '/etc/systemd/network/40-wg0.network',
+ }
+ - {
+ src: 'templates/laptop/network/wg0.netdev.j2',
+ dest: '/etc/systemd/network/40-wg0.netdev',
+ }
+
+ - name: remove leftover configuration files
+ become: true
+ file:
+ path: '{{ item }}'
+ state: absent
+ loop:
+ - '/etc/systemd/network/30-vmbr0.network'
+ - '/etc/systemd/network/30-vmbr0.netdev'
when: platform == "laptop"
- name: restart systemd-networkd
diff --git a/templates/desktop/network/vmbr0.netdev.j2 b/templates/desktop/network/vmbr0.netdev.j2
deleted file mode 100644
index 54f171b..0000000
--- a/templates/desktop/network/vmbr0.netdev.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
-
-[NetDev]
-Name=vmbr0
-Kind=bridge
diff --git a/templates/desktop/network/vmbr0.network.j2 b/templates/desktop/network/vmbr0.network.j2
deleted file mode 100644
index a3ca139..0000000
--- a/templates/desktop/network/vmbr0.network.j2
+++ /dev/null
@@ -1,10 +0,0 @@
-# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
-
-[Match]
-Name=vmbr0
-
-[Network]
-Address=10.4.0.1/24
-DHCP=yes
-IPForward=yes
-ConfigureWithoutCarrier=yes
diff --git a/templates/desktop/nftables.j2 b/templates/desktop/nftables.j2
index 502770a..cdea740 100644
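Review bot: The new `remove leftover configuration files` tasks delete the vmbr0 unit files, but the `restart systemd-networkd` task that follows (context at the end of this hunk) does not tear down a netdev networkd already created, so on hosts that were configured before this change the `vmbr0` bridge and its address stay up until reboot; add a cleanup step such as `command: networkctl delete vmbr0` guarded by a check that the link exists (or `failed_when` excluding the not-found case). The deleted `.network` templates also set `IPForward=yes` / `IPForward=ipv4`, which systemd.network(5) documents as a one-way global sysctl, so `net.ipv4.ip_forward` remains enabled on those hosts; a `sysctl` task resetting it would make the play actually converge. The two remove tasks are identical apart from the block they live in — one task with `when: platform in ['desktop', 'laptop']` after both blocks would avoid the duplication, and the desktop block is also missing the blank line the laptop block puts before its remove task.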
--- a/templates/desktop/nftables.j2
+++ b/templates/desktop/nftables.j2
@@ -1,12 +1,13 @@
# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
#
+#!/usr/bin/nft -f
# vim:set ts=2 sw=2 et:
flush ruleset
table inet filter {
chain input {
- type filter hook input priority 0;
+ type filter hook input priority 0; policy drop;
# allow established/related connections
ct state { established, related } accept
@@ -26,15 +27,6 @@ table inet filter {
# syncthing
ip saddr 10.0.0.1 tcp dport 22000 accept
-
- # allow remote pulse audio
- ip saddr 10.0.0.1 tcp dport 4713 accept
-
- # allow dhcp requests for bridget connections
- iifname "vmbr0" udp dport { 53, 67 } accept
-
- # everything else
- reject with icmpx type port-unreachable
}
chain forward {
@@ -43,9 +35,6 @@ table inet filter {
ct state { established, related } accept;
mark 1 accept
-
- iifname "vmbr0" oifname "enp34s0" accept
- iifname "enp34s0" oifname "vmbr0" accept
}
}
@@ -54,16 +43,3 @@ table ip filter {
mark set 1
}
}
-
-table ip nat {
- chain prerouting {
- type nat hook prerouting priority 0; policy accept;
-
- # iifname "enp34s0" tcp dport { http } dnat to 10.4.0.243
- }
-
- chain postrouting {
- type nat hook postrouting priority 0; policy accept;
- oifname "enp34s0" masquerade
- }
-}
diff --git a/templates/laptop/network/vmbr0.netdev.j2 b/templates/laptop/network/vmbr0.netdev.j2
deleted file mode 100644
index 54f171b..0000000
--- a/templates/laptop/network/vmbr0.netdev.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
-
-[NetDev]
-Name=vmbr0
-Kind=bridge
diff --git a/templates/laptop/network/vmbr0.network.j2 b/templates/laptop/network/vmbr0.network.j2
deleted file mode 100644
index 4bbbfa2..0000000
--- a/templates/laptop/network/vmbr0.network.j2
+++ /dev/null
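Review bot: The added `#!/usr/bin/nft -f` in the first hunk lands on line 3, below the `# {{ ansible_managed }}` header and the bare `#` line, so it is never honoured as an interpreter line and is just another comment; either make it the very first line of the template (with the ansible_managed comment beneath it) or drop it if the file is only ever loaded through `nft -f` by nftables.service. With `policy drop;` now on the input chain and the old `reject with icmpx type port-unreachable` catch-all removed, every unmatched packet is silently dropped, so the middle of the chain (original lines 13–25, outside these hunks) must still accept loopback and ICMP/ICMPv6 — neighbour discovery in particular — or the host loses IPv6 connectivity; I cannot see those lines here. The forward chain's `type filter hook forward` line is also outside the hunk; after deleting the two bridge accept rules, confirm it declares `policy drop` so that `mark 1 accept` is the only forwarding path left. The laptop nftables.j2 in this same commit receives only deletions, so if its input chain header does not already carry `policy drop;` it should get the same change.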
@@ -1,10 +0,0 @@
-# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
-
-[Match]
-Name=vmbr0
-
-[Network]
-Address=10.5.0.1/24
-DHCP=ipv4
-IPForward=ipv4
-ConfigureWithoutCarrier=yes
diff --git a/templates/laptop/nftables.j2 b/templates/laptop/nftables.j2
index 7d01d39..8c01f2a 100644
--- a/templates/laptop/nftables.j2
+++ b/templates/laptop/nftables.j2
@@ -27,9 +27,6 @@ table inet filter {
# syncthing
ip saddr 10.0.0.1 tcp dport 22000 accept
-
- # allow dhcp requests for bridged connections
- iifname "vmbr0" udp dport { 53, 67 } accept
}
chain forward {
@@ -38,9 +35,6 @@ table inet filter {
ct state { established, related } accept;
mark 1 accept
-
- iifname "vmbr0" oifname "wlan0" accept
- iifname "wlan0" oifname "vmbr0" accept
}
}
@@ -49,18 +43,3 @@ table ip filter {
mark set 1
}
}
-
-table ip nat {
- chain prerouting {
- type nat hook prerouting priority 0; policy accept;
-
- # iifname "wlan0" tcp dport { http } dnat to 10.4.0.243
- }
-
- chain postrouting {
- type nat hook postrouting priority 0; policy accept;
-
- oifname "wlan0" masquerade
- }
-}
-
diff --git a/templates/pacman.j2 b/templates/pacman.j2
index 683ec24..becd0db 100644
--- a/templates/pacman.j2
+++ b/templates/pacman.j2
@@ -1,3 +1,4 @@
+# TODO: update testing libraries according to new config
# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
#
# /etc/pacman.conf