Remove bridged network setup

2024-03-08 08:05:49 +01:00 · 2024-03-08 08:05:49 +01:00 · 7a57636bdb
commit 7a57636bdb
parent 1d4bb97fcf
8 changed files with 65 additions and 135 deletions
--- a/tasks/network.yml
+++ b/tasks/network.yml
@ -43,66 +43,70 @@
    mode: '0640'
  loop: '{{ vpn_peers }}'
- name: setup desktop network configuration
+- block:
-  become: true
+    - name: setup desktop network configuration
-  template:
+      become: true
-    src: '{{ item.src }}'
+      template:
-    dest: '{{ item.dest }}'
+        src: '{{ item.src }}'
-    owner: root
+        dest: '{{ item.dest }}'
-    group: systemd-network
+        owner: root
-    mode: '0640'
+        group: systemd-network
-  loop:
+        mode: '0640'
-    - {
+      loop:
-        src: 'templates/desktop/network/enp.network.j2',
+        - {
-        dest: '/etc/systemd/network/20-wired.network',
+            src: 'templates/desktop/network/enp.network.j2',
-      }
+            dest: '/etc/systemd/network/20-wired.network',
-    - {
+          }
-        src: 'templates/desktop/network/vmbr0.network.j2',
+        - {
-        dest: '/etc/systemd/network/30-vmbr0.network',
+            src: 'templates/desktop/network/wg0.network.j2',
-      }
+            dest: '/etc/systemd/network/40-wg0.network',
-    - {
+          }
-        src: 'templates/desktop/network/vmbr0.netdev.j2',
+        - {
-        dest: '/etc/systemd/network/30-vmbr0.netdev',
+            src: 'templates/desktop/network/wg0.netdev.j2',
-      }
+            dest: '/etc/systemd/network/40-wg0.netdev',
-    - {
+          }
-        src: 'templates/desktop/network/wg0.network.j2',
+    - name: remove leftover configuration files
-        dest: '/etc/systemd/network/40-wg0.network',
+      become: true
-      }
+      file:
-    - {
+        path: '{{ item }}'
-        src: 'templates/desktop/network/wg0.netdev.j2',
+        state: absent
-        dest: '/etc/systemd/network/40-wg0.netdev',
+      loop:
-      }
+        - '/etc/systemd/network/30-vmbr0.network'
        - '/etc/systemd/network/30-vmbr0.netdev'
  when: platform == "desktop"
- name: setup laptop network configuration
+- block:
-  become: true
+    - name: setup laptop network configuration
-  template:
+      become: true
-    src: '{{ item.src }}'
+      template:
-    dest: '{{ item.dest }}'
+        src: '{{ item.src }}'
-    owner: root
+        dest: '{{ item.dest }}'
-    group: systemd-network
+        owner: root
-    mode: '0640'
+        group: systemd-network
-  loop:
+        mode: '0640'
-    - {
+      loop:
-        src: 'templates/laptop/network/wireless.network.j2',
+        - {
-        dest: '/etc/systemd/network/20-wireless.network',
+            src: 'templates/laptop/network/wireless.network.j2',
-      }
+            dest: '/etc/systemd/network/20-wireless.network',
-    - {
+          }
-        src: 'templates/laptop/network/vmbr0.network.j2',
+        - {
-        dest: '/etc/systemd/network/30-vmbr0.network',
+            src: 'templates/laptop/network/wg0.network.j2',
-      }
+            dest: '/etc/systemd/network/40-wg0.network',
-    - {
+          }
-        src: 'templates/laptop/network/vmbr0.netdev.j2',
+        - {
-        dest: '/etc/systemd/network/30-vmbr0.netdev',
+            src: 'templates/laptop/network/wg0.netdev.j2',
-      }
+            dest: '/etc/systemd/network/40-wg0.netdev',
-    - {
+          }
-        src: 'templates/laptop/network/wg0.network.j2',
+
-        dest: '/etc/systemd/network/40-wg0.network',
+    - name: remove leftover configuration files
-      }
+      become: true
-    - {
+      file:
-        src: 'templates/laptop/network/wg0.netdev.j2',
+        path: '{{ item }}'
-        dest: '/etc/systemd/network/40-wg0.netdev',
+        state: absent
-      }
+      loop:
        - '/etc/systemd/network/30-vmbr0.network'
        - '/etc/systemd/network/30-vmbr0.netdev'
  when: platform == "laptop"
 - name: restart systemd-networkd
--- a/templates/desktop/network/vmbr0.netdev.j2
+++ b/templates/desktop/network/vmbr0.netdev.j2
@ -1,5 +0,0 @@
 # {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
 [NetDev]
 Name=vmbr0
 Kind=bridge
--- a/templates/desktop/network/vmbr0.network.j2
+++ b/templates/desktop/network/vmbr0.network.j2
@ -1,10 +0,0 @@
 # {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
 [Match]
 Name=vmbr0
 [Network]
 Address=10.4.0.1/24
 DHCP=yes
 IPForward=yes
 ConfigureWithoutCarrier=yes
--- a/templates/desktop/nftables.j2
+++ b/templates/desktop/nftables.j2
@ -1,12 +1,13 @@
 # {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
 #
 #!/usr/bin/nft -f
 # vim:set ts=2 sw=2 et:
 flush ruleset
 table inet filter {
  chain input {
-    type filter hook input priority 0;
+    type filter hook input priority 0; policy drop;
    # allow established/related connections
    ct state { established, related } accept
@ -26,15 +27,6 @@ table inet filter {
    # syncthing
    ip saddr 10.0.0.1 tcp dport 22000 accept
    # allow remote pulse audio
    ip saddr 10.0.0.1 tcp dport 4713 accept
    # allow dhcp requests for bridget connections
    iifname "vmbr0" udp dport { 53, 67 } accept
    # everything else
    reject with icmpx type port-unreachable
  }
  chain forward {
@ -43,9 +35,6 @@ table inet filter {
    ct state { established, related } accept;
    mark 1 accept
    iifname "vmbr0" oifname "enp34s0" accept
    iifname "enp34s0" oifname "vmbr0" accept
  }
 }
@ -54,16 +43,3 @@ table ip filter {
    mark set 1
  }
 }
 table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0; policy accept;
    # iifname "enp34s0" tcp dport { http } dnat to 10.4.0.243
  }
  chain postrouting {
    type nat hook postrouting priority 0; policy accept;
    oifname "enp34s0" masquerade
  }
 }
--- a/templates/laptop/network/vmbr0.netdev.j2
+++ b/templates/laptop/network/vmbr0.netdev.j2
@ -1,5 +0,0 @@
 # {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
 [NetDev]
 Name=vmbr0
 Kind=bridge
--- a/templates/laptop/network/vmbr0.network.j2
+++ b/templates/laptop/network/vmbr0.network.j2
@ -1,10 +0,0 @@
 # {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
 [Match]
 Name=vmbr0
 [Network]
 Address=10.5.0.1/24
 DHCP=ipv4
 IPForward=ipv4
 ConfigureWithoutCarrier=yes
--- a/templates/laptop/nftables.j2
+++ b/templates/laptop/nftables.j2
@ -27,9 +27,6 @@ table inet filter {
    # syncthing
    ip saddr 10.0.0.1 tcp dport 22000 accept
    # allow dhcp requests for bridged connections
    iifname "vmbr0" udp dport { 53, 67 } accept
  }
  chain forward {
@ -38,9 +35,6 @@ table inet filter {
    ct state { established, related } accept;
 		mark 1 accept
    iifname "vmbr0" oifname "wlan0" accept
    iifname "wlan0" oifname "vmbr0" accept
  }
 }
@ -49,18 +43,3 @@ table ip filter {
 		mark set 1
 	}
 }
 table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0; policy accept;
    # iifname "wlan0" tcp dport { http } dnat to 10.4.0.243
  }
  chain postrouting {
    type nat hook postrouting priority 0; policy accept;
    oifname "wlan0" masquerade
  }
 }
--- a/templates/pacman.j2
+++ b/templates/pacman.j2
@ -1,3 +1,4 @@
 # TODO: update testing libraries according to new config
 # {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
 #
 # /etc/pacman.conf