rt1(z9 host): create host and configure networkd and nftables

This commit is contained in:
bitwhisker 2026-05-23 23:46:00 +02:00
commit 50cf34e3f3
Signed by: bitwhisker
SSH key fingerprint: SHA256:KybIk/tusSKao6eLGY+ILlFa1rCrzwx66/acBAcKUqE
21 changed files with 627 additions and 0 deletions


@ -0,0 +1,198 @@
secrets__secrets:
- name: ENC[AES256_GCM,data:MmqDXUKy+U67JZFmKJTGLYAJcYPClQ8M2w==,iv:/eDx++bJCzdKXYB8YipB/GB6aM421JR3sy8i5trBKxk=,tag:/zTklys9bN839iT1qOH0UQ==,type:str]
content: ENC[AES256_GCM,data:2ljp324rAsF2zk2631TI7bV1xKxdFr4u4NxrsPYnjWsL0PX0n0KhJ1qvJCs=,iv:0+DxsTTiNLOg5iH83bFT/d+0uW2rn6bATSm3xc5PEdE=,tag:XbBDrrjriXPedyT4+sBBwA==,type:str]
- name: ENC[AES256_GCM,data:9i4hZU7Hv/IMlI/1oYthx8g57nrst9LHZQk=,iv:IQanD/CA64A+hVyTQBiTvWdXyY8qNF9BpehWZxI5a9c=,tag:RiY0OJe2xbFPG6wfe5XjiA==,type:str]
content: ENC[AES256_GCM,data:lrwHaNvHkh5E94ziiQsd8ua9YvuwmhZ6iIGZS0oFnZdYKuyNh7egWOoii2o=,iv:LLRKhbiJl1GwK/SfqNdNrrJuDF17YXw3hHmuhlyI87w=,tag:DbR/a7jfy1+4yswSdYfOFA==,type:str]
- name: ENC[AES256_GCM,data:2lJUcDJ7ECJ1bF4Fg1VwOR2tBIQ77ZvDAbFF8w==,iv:HrPWIetjN/lOyQ7Mvk0sM1w+bWldlNfWhvw7/sfqKN8=,tag:AJL0s+f0O/yR4G3RVd1IHQ==,type:str]
content: ENC[AES256_GCM,data:68GUwG1Q2s2jH92HS0FQWrcMHJP8fHjrOqr21gsdswxKekQrpxX5B3BBFfM=,iv:HOsNUAKE5rOmKgZft2JK1NnZUuhk261d9WYWJS22nLM=,tag:3husFvB57AGVFzF7hKzLpw==,type:str]
- name: ENC[AES256_GCM,data:ESxpEp9k9BdD1GJv+af+U3ny0+RPuaJjWDhQ,iv:DxsZLiDF8F+ixepbUdlitMJ7DLHjGNFNuxRwLl7efo8=,tag:STnv/oLzbchdiwXfKP3fow==,type:str]
content: ENC[AES256_GCM,data:W2h5AcoT85OkekPeRkrf1m0bDdBjG/YNSbWlrcZtP7FjaPh/F+cx+J6oRRI=,iv:CLVXTqfstpIU3BX/Zdcnp9w0gWxeGDI/G1MNl6xr4ZU=,tag:yCqN4r1MV/VTWQvZ6COfIw==,type:str]
- name: ENC[AES256_GCM,data:IRwwy+WQxgQ8cDpB8HaCLpKwJj7oC87p0XOxWRo=,iv:BLXNMcigvaOeY6y4NlLPMMWQt9XFi6nodRwIYFgAAnU=,tag:OdQalmujOgrzW8oi64xMRg==,type:str]
content: ENC[AES256_GCM,data:C5oIcuEYtODsvjQZnbqbWVfP63mQzcRuh8f5rlBCyjwSq2mZiYGQe9t0T78=,iv:sITUDo9SKZTSwPfsMv4m4U0ruuVCcaxu7SUT52U4FSE=,tag:4CsSMJWQQPAIeK8DwUDBqg==,type:str]
- name: ENC[AES256_GCM,data:r0sbpjaGjezoNlyl1khy+Dly+8xbbfQZNB8om/E4/tj9lmM=,iv:MLrglBJA6BrHGmFRprlQcf5/Hqh952e5OyQQ9nPxumY=,tag:Se05kMBkSQ7TRxzij7Fo8A==,type:str]
content: ENC[AES256_GCM,data:/c1nRf1eZhbUmoQWvcj8yDaVPtyAN7Uu+S054q3C1/kXlQ7CgOe4CrMXnmk=,iv:ppar0aCKuIU3DOjwAoliZ5TOL199Z+Ffo4pCktjs0W8=,tag:nfaGutK+5KnlWBKU1MTxkQ==,type:str]
- name: ENC[AES256_GCM,data:7mwuykEqbGISOa2n+pWb6INLsHYdjyf2HxTtWpAr5xP1,iv:NMcg+L2DFtBO1nhyPid31yzLr+ZX7DUGl/WxV1MnrqU=,tag:65/BiUEI8v5oMlQqpKNDRg==,type:str]
content: ENC[AES256_GCM,data:SObbA3D/sGN5/i5ps4Zz3alygIXKbSgptFjfPHlwC8G588O+gKAkvKQwU/s=,iv:PY2vLfI3gInFeQbse49KC2/zZ9O4jeXAQ0fpP84GHHE=,tag:214Mb8hIYDkQ4+UkRWtc9w==,type:str]
- name: ENC[AES256_GCM,data:bES9O6JI4wTnuZsup9gflfaozeUDkfjVGNIFn8RnZQ==,iv:98kigM3KZIN5qXNdgfLg5WLmxzAsYCjNqVzyUPco/BI=,tag:1fwEtwQ6i9QQC3OCewN0eA==,type:str]
content: ENC[AES256_GCM,data:flO3Nb4u2WfWNVhn8k5Bgo3LmsHo2cVnLCsrz8ST9Ip7gO9FY9d27FQgphM=,iv:aiDoq+41cSjwcCZRaIPLtbltkOpc7FeuNN7swPqkHXQ=,tag:OhzcY2xKKJF2jZVRseXCFg==,type:str]
- name: ENC[AES256_GCM,data:ERsggezMBbs1YwbIgwzKSAEHWWOWYxap8IDdn2YtEKvZexqu,iv:XbObLp2QERgt57tc/Cpha1CWXi+GttcIU8hJFGSp8e8=,tag:FqCuSbvLRERpVnQTzQsfpQ==,type:str]
content: ENC[AES256_GCM,data:QPoZA71CwE8EFE0I+6z0z0O1bUCMQDDDG7wGNoxXKt3ovLkFt21r8WG7VhA=,iv:InX6A71f3DGTg1wO4G0ECf488+FnKgTHffVwvJ9hHQ0=,tag:EVxwJlneN1CbMLXto7uLFw==,type:str]
sops:
lastmodified: "2026-05-23T21:19:38Z"
mac: ENC[AES256_GCM,data:Ded0VfGn8H2qGMk5LDyqF1gW8hajKc9FgvCynHPQkWkhMSdaHYbFwf//gWi2TjIO22HD5sPw1w9KAjPy53b57RwBCjXfMMq0JCPvuePLK40NC8uCAi+wr5Er0fAWz1JiaA+dowposoi6RxBtyHCaNHMDVGMLh1j+IL+pTOyi6fk=,iv:gssOMmR0DDQC4WjMVXTD/zqbQa8qlBr9ZZWF15W0WnE=,tag:DORTxQfCmpVjDjyGSNH7dw==,type:str]
pgp:
- created_at: "2026-05-23T20:58:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=atNE
-----END PGP MESSAGE-----
fp: EF643F59E008414882232C78FFA8331EEB7D6B70
- created_at: "2026-05-23T20:58:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQEMA1QflAioE8i3AQf+NkUGCBrTCkkyl+iBb6P1IWLDGqAY8s20mBZ7G3plKE/J
UrIe947letj/8EA+yoN0uzjwEkh3rDLtZrOLTSgflq1GMpdVhdaTbS71fD3kghJQ
P9tz0zDQEgXHBi+2q7iRrEETx/cu7UDNkSCNvQbWvDmo8MfbSBy+VFCknfupdQxj
9hlq4kBA0pckPCY8V7E05nDhQntS8wpXIEO1SWiSuiGg+p4yFlvNzWNfhLyEFHxL
BZHVVIU/mzyClMajjLJWjKI1LSgHXXIa28tgdrtiBZOsF+CWveYqJlRJh9NUepJI
ZSeFNhyWmnS9ZkQu5BUyb7+oRxfq2NY51T76Xbo8gNJeAZWwyr1sj1wjubuVeNMF
aU6FiynYWr3I35JRVghTMJ93CnPl+NTpWnQuHpq1bzEGe2u8BMFhgrTu2yMD23VQ
eGien6SqfEbA/wAiz9ZaUgTQH8UyHpliteZ8/SQgkw==
=UJvq
-----END PGP MESSAGE-----
fp: 21C9579E6503CA815A68ABD8541F9408A813C8B7
- created_at: "2026-05-23T20:58:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAz5uSgHG2iMJAQ/+O5JOJfDp/BuBCuXDQVUgJagspQO6LZ/MLrl9qH282AMf
MdgN5M/WjbOv6WZDCMg4nfXps1XgzUEiaA/1m4PxHlMmxjEoQHAE51GMcxsXg+B1
lM+8uJ1+js1sdDX4xsZtJpbVxJKIbPuhF7oM950oDlL2+UKhUbPlCoxeOihlkVGa
RqHJ/M74xkyKH281oRI5bllJaAroBnXVSFIvbCxA7ts/O7YJPKBowTIj62Kye9Ra
aHC11bPy2RlJCcFZJjPSdnXvzUMpfzEd6O72VUtMBBQZn/in7efutC8FwpRYuUW7
vSofxUN5n6Mtb8A1XSMFD/nfXVc/pM6Cu7kdtHSwSKgbKKf6mrCeVgaM9xcG0t2W
9yEtWvkdvOOSqz/vd1vkftbBWcCejX7bktfmD408CJAs1bjzz5CyrDoWcnYmbxFY
6N4rhMDRMTe19VH2UQ4EvSjQjmmYCspnUW3/78zi5kU1ijyQy13UpbgwulU7tSGc
KKtBjPoy6mLIVl0YhnEJZWD/XPIRWyW+0s+7m70YXCWSVipvCelEE8oPWjf8PLaE
J85crlZGkSRcRO7yOP/YtB9ZnajgaF33zJU3ZWr0C/IXj2TeepZp/JUteD2H/LRf
9YJzOFYDOFIWcdmaTzJLBEaefWcDjT6wkIf6TBqQRMLsu8JUwy9VwFcsi/d5aMXS
XgEQqSxYb1B39OR0sS1Xpw0/CFe4imBPuG3w0tOAyM3DbPWYY1kZYIRZenV1ZIOS
aRZJh086kuWgHYB76VoNzDK3QperWvHL/8CT2g3HuPiVGSrrXwxCYXk5+UXB9bQ=
=Xx91
-----END PGP MESSAGE-----
fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- created_at: "2026-05-23T20:58:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DsZXvxFXTXoQSAQdA0rZTVdySF9nUiz7ZyFJgq1tojyLojGTgE4UIEJzFSTUw
9y4kbGn1cWMpAqr+sE3WHV9p7v6kgm/XdUjXGN4DadpUbiYx6sQW2Jov6Km2EYhq
0l4BawupjX25wi7c2yR5iGdxYS8oCYVmGgcAB3T96v8VsXpkAOYQAOOh7B9GQIxm
hB3cFQLCy2un3VvBsiKGFMA2FhZYBOuaEwP/KmWnPv0IPIRH4by6LDB0xgq8MUNz
=xoVE
-----END PGP MESSAGE-----
fp: 9633412309CCB83BFA39BA5F2FEF746201D7FCFE
- created_at: "2026-05-23T20:58:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DerEtaFuTeewSAQdAgcGcZ3BT6lsJ8FxkMghxg5/PZLtIzNeJaEUbxN0EFhsw
uM+Lec3k9BJSUJK8GeVmesYxQh8vP6Yi/+m2LnGjHXzkQg8Bx1HJzuC/Ap36rC6N
0l4Bxj1URTsRD4yILEA3TY4Dn9St9uOtodJcf5YdAKvmeb3Uwy//huNnA1eK7b+v
WRHcU2K+GgkSzLiRLZTc/nMrrCQ/P5HzwYHmP2rypFX7kxXlPd3K6yMZWTiSgYZd
=gZLQ
-----END PGP MESSAGE-----
fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
- created_at: "2026-05-23T20:58:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=ympd
-----END PGP MESSAGE-----
fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- created_at: "2026-05-23T20:58:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=KKaI
-----END PGP MESSAGE-----
fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
- created_at: "2026-05-23T20:58:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DQrf1tCqiJxoSAQdA8YKD21h5POTLPf04KvGN93omFgkYO+Y8Kc0jM0vdqm8w
3zYRaLsDjdh8Zd89/HhHJUfLrTp/IJ0n81sK0ZjznbXKxgkseGthMzof+L7BnPAp
0l4BnAs9iZS4q2LZVS7ySBP89xLmF97qhK2jagMNSAwq8Afxbcw8oQAVQmeyYfxx
X59irIHjI1ugO4o1WnTN67nTQjU5msbVBs0eALrw3jobzFHRL67fS0a4Soa59LTY
=ZHIU
-----END PGP MESSAGE-----
fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
- created_at: "2026-05-23T20:58:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DzAGzViGx4qcSAQdAN7rRlv3dMoFOfj9eHgf+0H8521b32nWqySUdriEy6Tcw
gjuReMBpKQOgUfuhIiWkHIKNtNgMrYWiC20ESOXX5b9uYZNpqHCgHQPlX0lEeGim
0lgBOieL7mSEq4wkWLCSv4sBAmkQA+dnugBeF+TrlqKQTZsbe/Z+jNG4ZrHRvdqi
4I5It+uaRV9Vrul1c6H7fNreRPUd4hNyJwU7gZQ+vU2WyAmgqerxE1Wb
=gplT
-----END PGP MESSAGE-----
fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
- created_at: "2026-05-23T20:58:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=aRLd
-----END PGP MESSAGE-----
fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
- created_at: "2026-05-23T20:58:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DKKbvh61jX5USAQdABId/P8ozRgJ4ItF1zvxp98aH+g3LZ6UGnxjYjtDxjEIw
VmyerznjOLnpz0EobXRRoot1Lo82Va64HQmXt26LG3gFY1HVp0WOnIZXa/CUoUb8
1GgBCQIQloFxKcgFTiRidaJfN7hSeQLleiEe3aifZUyJj8niTmBaY29t+CSoA46N
xZzX1AlxVjfmputhYdTyOYSJtGrj7otmnUN2P+55pjz4L2qCYAEKi1+ibqgpmJh/
bETQsT6WKJ8FXA==
=Ci7L
-----END PGP MESSAGE-----
fp: 41FFAF3D519CF5C039FBD8414BCC213729AF0E49
unencrypted_suffix: _unencrypted
version: 3.13.1


@ -0,0 +1,6 @@
systemd_networkd__config_dir: 'resources/z9/rt1/systemd_networkd/'
systemd_networkd__global_config: "{{ lookup('ansible.builtin.file', 'resources/z9/rt1/systemd_networkd_global_config.conf') }}"
nftables__config: "{{ lookup('ansible.builtin.file', 'resources/z9/rt1/nftables/nftables.conf') }}"
ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin"
ansible_pull__timer_randomized_delay_sec: 0min
unbound_access_control: [ "10.89.208.0/20" ]
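Review bot: `unbound_access_control: [ "10.89.208.0/20" ]` only admits the IPv4 LAN ranges; the IPv6 prefixes this commit advertises on netlan.51–54 and wg55 (2a07:c481:1:33::/64 through :37::/64) are not in the list, so dual-stack clients resolving over v6 would be refused. Independently, the nftables input chain added in this commit accepts only tcp/22, udp/51820 and udp/67, with no port 53 rule, so a resolver on rt1 would be unreachable from the LAN regardless of this variable. I can't see rt1 being added to an unbound group in the visible inventory hunks, so if unbound is not deployed here the variable is dead and should be dropped; otherwise add the v6 prefixes and an `iifname { $lan_ifs, $if_wg55_management } meta l4proto { tcp, udp } th dport 53 accept comment "allow dns"` rule to nftables.conf.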


@ -14,6 +14,9 @@ all:
yate:
ansible_host: yate.ccchh.net
ansible_user: chaos
rt1:
ansible_host: rt1.ccchh.net
ansible_user: chaos
certbot_hosts:
hosts:
dooris:
@ -35,6 +38,7 @@ infrastructure_authorized_keys_hosts:
light:
waybackproxy:
yate:
rt1:
nginx_hosts:
hosts:
dooris:
@ -46,6 +50,12 @@ ola_hosts:
proxmox_vm_template_hosts:
hosts:
thinkcccore0:
systemd_networkd_hosts:
hosts:
rt1:
nftables_hosts:
hosts:
rt1:
alloy_hosts:
hosts:
light:
@ -59,3 +69,4 @@ ansible_pull_hosts:
yate:
secrets_hosts:
hosts:
rt1:
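Review bot: The last hunk adds `rt1:` under `secrets_hosts`, but none of the four hunks add rt1 to `ansible_pull_hosts`, while the new host_vars file sets `ansible_pull__timer_on_calendar` and `ansible_pull__timer_randomized_delay_sec`. Unless membership is granted in a part of the inventory outside these hunks, those two variables are never consumed and the host will not self-update as the commit message's setup seems to intend. Either add `rt1:` under `ansible_pull_hosts: hosts:` or remove the two variables from host_vars so the intent is not ambiguous.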


@ -0,0 +1,111 @@
#!/usr/sbin/nft -f
## Variables
# Hosts
# Interfaces
define if_netwan = "netwan"
define if_netlan = "netlan"
define if_wg55_management = "wg55"
define if_netwan_400_fux_uplink = "netwan.400"
define if_netlan_51_clients = "netlan.51"
define if_netlan_52_iot = "netlan.52"
define if_netlan_53_public = "netlan.53"
define if_netlan_54_management = "netlan.54"
# Interface Groups
define wan_ifs = { $if_netwan_400_fux_uplink }
define lan_ifs = { $if_netlan_51_clients,
$if_netlan_52_iot,
$if_netlan_53_public,
$if_netlan_54_management }
define v4_exposed_ifs = { $if_netlan_53_public }
define v6_exposed_ifs = { $if_netlan_53_public }
define v4_nat_ifs = { $if_netlan_51_clients,
$if_netlan_52_iot,
$if_netlan_54_management }
## Rules
table inet reverse-path-forwarding {
chain rpf-filter {
type filter hook prerouting priority mangle + 10; policy drop;
# Only allow packets if their source address is routed via their incoming interface.
# https://github.com/NixOS/nixpkgs/blob/d9d87c51960050e89c79e4025082ed965e770d68/nixos/modules/services/networking/firewall-nftables.nix#L100
fib saddr . mark . iif oif exists accept
}
}
table inet host {
chain input {
type filter hook input priority filter; policy drop;
iifname "lo" accept comment "allow loopback"
ct state invalid drop
ct state established,related accept
ip protocol icmp accept
# ICMPv6
# https://datatracker.ietf.org/doc/html/rfc4890#autoid-24
# Allowlist consisting of: "Traffic That Must Not Be Dropped" and "Traffic That Normally Should Not Be Dropped"
# Error messages that are essential to the establishment and maintenance of communications:
icmpv6 type { destination-unreachable, packet-too-big } accept
icmpv6 type { time-exceeded } accept
icmpv6 type { parameter-problem } accept
# Connectivity checking messages:
icmpv6 type { echo-request, echo-reply } accept
# Address Configuration and Router Selection messages:
icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } accept
# Link-Local Multicast Receiver Notification messages:
icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, mld2-listener-report } accept
# SEND Certificate Path Notification messages:
icmpv6 type { 148, 149 } accept
# Multicast Router Discovery messages:
icmpv6 type { 151, 152, 153 } accept
# Allow SSH access.
tcp dport 22 accept comment "allow ssh access"
# Allow WireGuard access.
udp dport 51820 accept comment "allow WireGuard access"
# Allow DHCP server access.
iifname { $lan_ifs } udp dport 67 accept comment "allow dhcp server access"
}
}
table ip v4nat {
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
}
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
iifname { $v4_nat_ifs, $if_wg55_management } oifname $wan_ifs masquerade
}
}
table inet forward {
chain forward {
type filter hook forward priority filter; policy drop;
ct state invalid drop
ct state established,related accept
# Allow internet access.
iifname { $lan_ifs, $if_wg55_management } oifname $wan_ifs accept comment "allow internet access"
# Allow access to exposed networks from internet.
meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access"
meta nfproto ipv6 oifname $v6_exposed_ifs accept comment "allow v6 exposed network access"
# Allow clients and managment to most
iifname { $if_netlan_51_clients, $if_netlan_54_management, $if_wg55_management } oifname $lan_ifs accept comment "allow clients and managment to lan_ifs"
}
}
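Review bot: The final forward rule gives the clients VLAN (netlan.51) unrestricted access to every LAN VLAN including management (netlan.54) and IoT, which undoes the segmentation the VLANs exist for; the comment says "to most" but the rule says `$lan_ifs`. If clients are not meant to reach management, split it into `iifname { $if_netlan_54_management, $if_wg55_management } oifname $lan_ifs accept` and `iifname $if_netlan_51_clients oifname { $if_netlan_52_iot, $if_netlan_53_public } accept`. In the input chain, `tcp dport 22 accept` and the WireGuard rule carry no `iifname`, so SSH is reachable from the fux uplink as well; since a management VPN exists, consider `iifname { $lan_ifs, $if_wg55_management } tcp dport 22 accept` (or at least a rate limit) so the only WAN-facing service is WireGuard. Finally, the nixpkgs chain linked above the rpf rule also carries a DHCPv4 exception (`meta nfproto ipv4 udp sport . udp dport { 67 . 68, 68 . 67 } accept`) ahead of the fib check; DHCP DISCOVER arrives from 0.0.0.0, so verify it passes the rpf chain on the running kernel, otherwise the `udp dport 67` rule in input is never reached.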


@ -0,0 +1,6 @@
[Match]
MACAddress=BC:24:11:72:A3:27
Type=ether
[Link]
Name=netlan


@ -0,0 +1,6 @@
[Match]
MACAddress=BC:24:11:CF:65:57
Type=ether
[Link]
Name=netwan


@ -0,0 +1,7 @@
[NetDev]
Name=netlan.51
Kind=vlan
[VLAN]
Id=51


@ -0,0 +1,7 @@
[NetDev]
Name=netlan.52
Kind=vlan
[VLAN]
Id=52


@ -0,0 +1,7 @@
[NetDev]
Name=netlan.53
Kind=vlan
[VLAN]
Id=53


@ -0,0 +1,7 @@
[NetDev]
Name=netlan.54
Kind=vlan
[VLAN]
Id=54


@ -0,0 +1,7 @@
[NetDev]
Name=netwan.400
Kind=vlan
[VLAN]
Id=400


@ -0,0 +1,90 @@
[NetDev]
Description=Admin-Wireguard
Kind=wireguard
Name=wg55
[WireGuard]
ListenPort=51820
PrivateKeyFile=/etc/ansible_secrets/wireguard_wg55_privat_key
# WireGuard Peers
[WireGuardPeer]
# friendly_name = stb
AllowedIPs = 10.89.214.2/32,2a07:c481:1:37::2/128
PublicKey = vILSL4dbaC5IaTsRhJviamV18ssxWSj+qLVyowLQ214=
PersistentKeepalive = 30
[WireGuardPeer]
# friendly_name = fi
AllowedIPs = 10.89.214.3/32,2a07:c481:1:37::3/128
PublicKey = UHi/if5uW2V3+8Q3R+uk6/XpRi4fPXbw7chsKI4xlkI=
PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_fi_psk
[WireGuardPeer]
# friendly_name = jtbx
AllowedIPs = 10.89.214.4/32,2a07:c481:1:37::4/128
PublicKey = NyyEqdWgScgsnTF8Zz/Om4Lc84fdFMwVtvaCmLEkUlQ=
[WireGuardPeer]
# friendly_name = June
AllowedIPs = 10.89.214.6/32,2a07:c481:1:37::6/128
PublicKey = 6jAEB+f9przBGxPhuvv9U9gvZDEBQNqpQSD0BoGqXQQ=
PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_June_psk
[WireGuardPeer]
# friendly_name = Max
AllowedIPs = 10.89.214.7/32,2a07:c481:1:37::7/128
PublicKey = oC1hJjtlAgLX/CmbwTC+LPmd1uwluQTwsN8RaMNmHn0=
PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_Max_psk
[WireGuardPeer]
# friendly_name = dario
AllowedIPs = 10.89.214.9/32,2a07:c481:1:37::9/128
PublicKey = bYF2EGRGpEGjiKcasi/oaWoWeLsgqsF6FGaq3Z4ERww=
PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_dario_psk
[WireGuardPeer]
# friendly_name = June-mobile
AllowedIPs = 10.89.214.11/32,2a07:c481:1:37::11/128
PublicKey = 6edjXykegUgGjbkIG1aJyBlX1SgTKcqXXaSBVPHdKDc=
PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_June-mobile_psk
[WireGuardPeer]
# friendly_name = djerun_at_ferrum.local
AllowedIPs = 10.89.214.12/32,2a07:c481:1:37::12/128
PublicKey = aHbdkTHhPkd+o7wWfTua9nd72aF4OVp66zGtpaoD8Fg=
[WireGuardPeer]
# friendly_name = c6ristian
AllowedIPs = 10.89.214.13/32,2a07:c481:1:37::13/128
PublicKey = 6ndwj3Ur6AqfUPWuyPYXIaGZs2ujJKawSQ9LEvlYzEc=
PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_c6ristian_psk
[WireGuardPeer]
# friendly_name = langoor
AllowedIPs = 10.89.214.14/32,2a07:c481:1:37::14/128
PublicKey = qTnVQlQa1m4SucFFNli/xM6QWfsdWx2baRAit7Cg8RM=
PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_langoor_psk
[WireGuardPeer]
# friendly_name = langoor_home
AllowedIPs = 10.89.214.15/32,2a07:c481:1:37::15/128
PublicKey = NeMDs2+5rHuKO5ZYXVUR76GorgdesFUnDOFECQ3RzG4=
PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_langoor_home_psk
[WireGuardPeer]
# friendly_name = lilly-lillysLaptop
AllowedIPs = 10.89.214.16/32 #,2a07:c481:1:37::/128
PublicKey = IBsI+N8qUNpQnDc5HnqQ2Zo/1graFM0RMIecHmAF+Vk=
[WireGuardPeer]
# friendly_name = bitwhisker
AllowedIPs = 10.89.214.17/32,2a07:c481:1:37::a/128
PublicKey = DvEGvQPGi+IxeRTIA72Gx3WNINcrV9HRNB1v7mHnhjA=
[WireGuardPeer]
# friendly_name = forestcat
AllowedIPs = 10.89.214.18/32,2a07:c481:1:37::b/128
PublicKey = PdJ7KlIeASizj0WTY87d7oSi14/MebrhRa+L8YiPoQE=
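Review bot: The lilly-lillysLaptop peer has `AllowedIPs = 10.89.214.16/32 #,2a07:c481:1:37::/128`, but systemd's config syntax only recognises comments at the start of a line, so networkd will see `#,2a07:c481:1:37::/128` as a second AllowedIPs token and log a parse failure for it; move the note to its own `# ` line above the key and, if the v6 address is ever restored, give it a host part like the other peers (`::/128` is the subnet-zero address). Also, `PrivateKeyFile=` and the `PresharedKeyFile=` entries point under /etc/ansible_secrets; networkd reads them as the systemd-network user, so the secrets role must leave them readable by that user (e.g. root:systemd-network 0640) or the netdev fails to come up — the file modes are not visible in this commit, so worth confirming.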


@ -0,0 +1,12 @@
[Match]
Name=netlan
[Link]
RequiredForOnline=no
[Network]
VLAN=netwan.51
VLAN=netwan.52
VLAN=netwan.53
VLAN=netwan.54
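Review bot: The four `VLAN=` lines in netlan.network reference `netwan.51`–`netwan.54`, but the VLAN netdevs created in this commit are named `netlan.51`–`netlan.54` (and `netwan.400` is the only netwan VLAN); networkd will find no netdev of those names, so the LAN VLANs never get bound to the netlan parent and netlan.51–54.network can never match anything. This looks like a copy-paste from netwan.network; the section should attach the netlan VLANs.
```ini
[Network]
VLAN=netlan.51
VLAN=netlan.52
VLAN=netlan.53
VLAN=netlan.54
```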


@ -0,0 +1,9 @@
[Match]
Name=netwan
[Link]
RequiredForOnline=no
[Network]
VLAN=netwan.400


@ -0,0 +1,6 @@
[Match]
Name=wg55
[Network]
Address=10.89.214.1/24
Address=2a07:c481:1:37::1/64


@ -0,0 +1,27 @@
[Match]
Name=netlan.51
Type=vlan
[Link]
RequiredForOnline=no
[Network]
Description=clients
# Masquerading done in nftables (nftables.conf).
IPv6SendRA=yes
[Address]
Address=10.89.208.1/22
[IPv6SendRA]
UplinkInterface=netwan.400
EmitDomains=true
Domains=ccchh.net
Managed=true
[IPv6Prefix]
Prefix=2a07:c481:1:33::/64
Assign=true
Token=static:::1
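Review bot: `Managed=true` under `[IPv6SendRA]` sets the M flag, telling hosts to obtain addresses via stateful DHCPv6, yet nothing in this commit configures a DHCPv6 server (networkd's `DHCPServer=` is v4-only); clients will still SLAAC from the `[IPv6Prefix]` but will also send Solicits that nobody answers. Unless a DHCPv6 server is deployed by another role, omitting `Managed=` (or `Managed=false`) matches the SLAAC-only setup actually configured here; the same line is repeated in netlan.52–54.network. Worth a comment either way, e.g. `# SLAAC from [IPv6Prefix]; DNS comes from the uplink via RDNSS (UplinkInterface=).`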


@ -0,0 +1,27 @@
[Match]
Name=netlan.52
Type=vlan
[Link]
RequiredForOnline=no
[Network]
Description=IoT
# Masquerading done in nftables (nftables.conf).
IPv6SendRA=yes
[Address]
Address=10.89.212.1/24
[IPv6SendRA]
UplinkInterface=netwan.400
EmitDomains=true
Domains=ccchh.net
Managed=true
[IPv6Prefix]
Prefix=2a07:c481:1:34::/64
Assign=true
Token=static:::1


@ -0,0 +1,27 @@
[Match]
Name=netlan.53
Type=vlan
[Link]
RequiredForOnline=no
[Network]
Description=public
# Masquerading done in nftables (nftables.conf).
IPv6SendRA=yes
[Address]
Address=185.161.130.65/28
[IPv6SendRA]
UplinkInterface=netwan.400
EmitDomains=true
Domains=ccchh.net
Managed=true
[IPv6Prefix]
Prefix=2a07:c481:1:35::/64
Assign=true
Token=static:::1
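Review bot: The comment `# Masquerading done in nftables (nftables.conf).` is copied from the RFC 1918 VLANs, but netlan.53 carries the public 185.161.130.64/28, is absent from `v4_nat_ifs` in nftables.conf and is instead listed in `v4_exposed_ifs`/`v6_exposed_ifs`, so it is routed and reachable from the internet, not masqueraded. Replace the comment with `# Public /28 — routed, not masqueraded; inbound from WAN is allowed via v4_exposed_ifs/v6_exposed_ifs in nftables.conf.` so the next reader does not assume NAT is shielding these hosts.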


@ -0,0 +1,27 @@
[Match]
Name=netlan.54
Type=vlan
[Link]
RequiredForOnline=no
[Network]
Description=Management
# Masquerading done in nftables (nftables.conf).
IPv6SendRA=yes
[Address]
Address=10.89.213.0/24
[IPv6SendRA]
UplinkInterface=netwan.400
EmitDomains=true
Domains=ccchh.net
Managed=true
[IPv6Prefix]
Prefix=2a07:c481:1:36::/64
Assign=true
Token=static:::1
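Review bot: `Address=10.89.213.0/24` gives the router the all-zeros host address of the management subnet, whereas the sibling VLANs use the first host (`10.89.208.1/22`, `10.89.212.1/24`), so this looks like a typo for `Address=10.89.213.1/24`. A .0 address is rejected as a gateway by a number of client stacks, which would silently break management access for exactly the hosts this VLAN is for; unless .0 is deliberate, change it and keep the convention consistent across the four VLANs.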


@ -0,0 +1,26 @@
[Match]
Name=netwan.400
Type=vlan
[Link]
RequiredForOnline=no
[Network]
Description=fux-uplink
DNS=185.161.128.66
DNS=2a07:c481:0:4::2
DNS=185.161.128.67
DNS=2a07:c481:0:4::3
IPv6AcceptRA=no
# Masquerading done in nftables (nftables.conf).
IPv6SendRA=no
[Address]
Address=185.161.129.134/25
Address=2a07:c481::1:2/64
[Route]
Gateway=185.161.129.129
Gateway=2a07:c481::1
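Review bot: The `[Route]` section contains two `Gateway=` lines; as far as I can tell each `[Route]` section describes exactly one route, so the second assignment replaces the first and only the IPv6 default route would be installed, leaving the host with no IPv4 default route on the uplink (check `ip route` on the host). Either put both gateways under `[Network]`, where `Gateway=` is documented as shorthand for separate route sections and may be repeated, or split them into two `[Route]` sections: `[Route]` / `Gateway=185.161.129.129` and `[Route]` / `Gateway=2a07:c481::1`.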


@ -0,0 +1,3 @@
[Network]
IPv4Forwarding=true
IPv6Forwarding=true