Remove bridged network setup

2024-03-08 08:05:49 +01:00 · 2024-03-08 08:05:49 +01:00 · 7a57636bdb
commit 7a57636bdb
parent 1d4bb97fcf
8 changed files with 65 additions and 135 deletions
--- a/tasks/network.yml
+++ b/tasks/network.yml
@ -43,6 +43,7 @@
    mode: '0640'
  loop: '{{ vpn_peers }}'

+- block:
    - name: setup desktop network configuration
      become: true
      template:
@ -56,14 +57,6 @@
            src: 'templates/desktop/network/enp.network.j2',
            dest: '/etc/systemd/network/20-wired.network',
          }
-    - {
-        src: 'templates/desktop/network/vmbr0.network.j2',
-        dest: '/etc/systemd/network/30-vmbr0.network',
-      }
-    - {
-        src: 'templates/desktop/network/vmbr0.netdev.j2',
-        dest: '/etc/systemd/network/30-vmbr0.netdev',
-      }
        - {
            src: 'templates/desktop/network/wg0.network.j2',
            dest: '/etc/systemd/network/40-wg0.network',
@ -72,8 +65,17 @@
            src: 'templates/desktop/network/wg0.netdev.j2',
            dest: '/etc/systemd/network/40-wg0.netdev',
          }
+    - name: remove leftover configuration files
+      become: true
+      file:
+        path: '{{ item }}'
+        state: absent
+      loop:
+        - '/etc/systemd/network/30-vmbr0.network'
+        - '/etc/systemd/network/30-vmbr0.netdev'
  when: platform == "desktop"

+- block:
    - name: setup laptop network configuration
      become: true
      template:
@ -87,14 +89,6 @@
            src: 'templates/laptop/network/wireless.network.j2',
            dest: '/etc/systemd/network/20-wireless.network',
          }
-    - {
-        src: 'templates/laptop/network/vmbr0.network.j2',
-        dest: '/etc/systemd/network/30-vmbr0.network',
-      }
-    - {
-        src: 'templates/laptop/network/vmbr0.netdev.j2',
-        dest: '/etc/systemd/network/30-vmbr0.netdev',
-      }
        - {
            src: 'templates/laptop/network/wg0.network.j2',
            dest: '/etc/systemd/network/40-wg0.network',
@ -103,6 +97,16 @@
            src: 'templates/laptop/network/wg0.netdev.j2',
            dest: '/etc/systemd/network/40-wg0.netdev',
          }
+
+    - name: remove leftover configuration files
+      become: true
+      file:
+        path: '{{ item }}'
+        state: absent
+      loop:
+        - '/etc/systemd/network/30-vmbr0.network'
+        - '/etc/systemd/network/30-vmbr0.netdev'
+
  when: platform == "laptop"

 - name: restart systemd-networkd
--- a/templates/desktop/network/vmbr0.netdev.j2
+++ b/templates/desktop/network/vmbr0.netdev.j2
@ -1,5 +0,0 @@
-# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
-
-[NetDev]
-Name=vmbr0
-Kind=bridge
--- a/templates/desktop/network/vmbr0.network.j2
+++ b/templates/desktop/network/vmbr0.network.j2
@ -1,10 +0,0 @@
-# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
-
-[Match]
-Name=vmbr0
-
-[Network]
-Address=10.4.0.1/24
-DHCP=yes
-IPForward=yes
-ConfigureWithoutCarrier=yes
--- a/templates/desktop/nftables.j2
+++ b/templates/desktop/nftables.j2
@ -1,12 +1,13 @@
 # {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
 #
+#!/usr/bin/nft -f
 # vim:set ts=2 sw=2 et:

 flush ruleset

 table inet filter {
  chain input {
-    type filter hook input priority 0;
+    type filter hook input priority 0; policy drop;

    # allow established/related connections
    ct state { established, related } accept
@ -26,15 +27,6 @@ table inet filter {

    # syncthing
    ip saddr 10.0.0.1 tcp dport 22000 accept
-
-    # allow remote pulse audio
-    ip saddr 10.0.0.1 tcp dport 4713 accept
-
-    # allow dhcp requests for bridget connections
-    iifname "vmbr0" udp dport { 53, 67 } accept
-
-    # everything else
-    reject with icmpx type port-unreachable
  }

  chain forward {
@ -43,9 +35,6 @@ table inet filter {
    ct state { established, related } accept;

    mark 1 accept
-
-    iifname "vmbr0" oifname "enp34s0" accept
-    iifname "enp34s0" oifname "vmbr0" accept
  }
 }

@ -54,16 +43,3 @@ table ip filter {
    mark set 1
  }
 }
-
-table ip nat {
-  chain prerouting {
-    type nat hook prerouting priority 0; policy accept;
-
-    # iifname "enp34s0" tcp dport { http } dnat to 10.4.0.243
-  }
-
-  chain postrouting {
-    type nat hook postrouting priority 0; policy accept;
-    oifname "enp34s0" masquerade
-  }
-}
--- a/templates/laptop/network/vmbr0.netdev.j2
+++ b/templates/laptop/network/vmbr0.netdev.j2
@ -1,5 +0,0 @@
-# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
-
-[NetDev]
-Name=vmbr0
-Kind=bridge
--- a/templates/laptop/network/vmbr0.network.j2
+++ b/templates/laptop/network/vmbr0.network.j2
@ -1,10 +0,0 @@
-# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
-
-[Match]
-Name=vmbr0
-
-[Network]
-Address=10.5.0.1/24
-DHCP=ipv4
-IPForward=ipv4
-ConfigureWithoutCarrier=yes
--- a/templates/laptop/nftables.j2
+++ b/templates/laptop/nftables.j2
@ -27,9 +27,6 @@ table inet filter {

    # syncthing
    ip saddr 10.0.0.1 tcp dport 22000 accept
-
-    # allow dhcp requests for bridged connections
-    iifname "vmbr0" udp dport { 53, 67 } accept
  }

  chain forward {
@ -38,9 +35,6 @@ table inet filter {
    ct state { established, related } accept;

 		mark 1 accept
-
-    iifname "vmbr0" oifname "wlan0" accept
-    iifname "wlan0" oifname "vmbr0" accept
  }
 }

@ -49,18 +43,3 @@ table ip filter {
 		mark set 1
 	}
 }
-
-table ip nat {
-  chain prerouting {
-    type nat hook prerouting priority 0; policy accept;
-
-    # iifname "wlan0" tcp dport { http } dnat to 10.4.0.243
-  }
-
-  chain postrouting {
-    type nat hook postrouting priority 0; policy accept;
-
-    oifname "wlan0" masquerade
-  }
-}
-
--- a/templates/pacman.j2
+++ b/templates/pacman.j2
@ -1,3 +1,4 @@
+# TODO: update testing libraries according to new config
 # {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
 #
 # /etc/pacman.conf