diff --git a/inventories/chaosknoten/host_vars/router.yaml b/inventories/chaosknoten/host_vars/router.yaml
deleted file mode 100644
index 134d29f..0000000
--- a/inventories/chaosknoten/host_vars/router.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-systemd_networkd__config_dir: 'resources/chaosknoten/router/systemd_networkd/'
-nftables__config: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/router/nftables/nftables.conf') }}"
diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml
index e592d23..b9e6358 100644
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
@@ -51,9 +51,6 @@ all:
 public-reverse-proxy:
 ansible_host: public-reverse-proxy.hamburg.ccc.de
 ansible_user: chaos
- router:
- ansible_host: router.hamburg.ccc.de
- ansible_user: chaos
 wiki:
 ansible_host: wiki-intern.hamburg.ccc.de
 ansible_user: chaos
@@ -91,19 +88,12 @@ base_config_hosts:
 pad:
 pretalx:
 public-reverse-proxy:
- router:
 tickets:
 wiki:
 zammad:
 ntfy:
 sunders:
 renovate:
-systemd_networkd_hosts:
- hosts:
- router:
-nftables_hosts:
- hosts:
- router:
 docker_compose_hosts:
 hosts:
 ccchoir:
@@ -183,7 +173,6 @@ infrastructure_authorized_keys_hosts:
 pad:
 pretalx:
 public-reverse-proxy:
- router:
 wiki:
 zammad:
 ntfy:
diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml
index f416b91..d7bacac 100644
--- a/playbooks/deploy.yaml
+++ b/playbooks/deploy.yaml
@@ -4,16 +4,6 @@
 roles:
 - base_config
 
-- name: Ensure systemd-networkd config deployment on systemd_networkd_hosts
- hosts: systemd_networkd_hosts
- roles:
- - systemd_networkd
-
-- name: Ensure nftables deployment on nftables_hosts
- hosts: nftables_hosts
- roles:
- - nftables
-
 - name: Ensure deployment of infrastructure authorized keys
 hosts: infrastructure_authorized_keys_hosts
 roles:
diff --git a/resources/chaosknoten/router/nftables/nftables.conf b/resources/chaosknoten/router/nftables/nftables.conf
deleted file mode 100644
index 6bc6cbe..0000000 
--- a/resources/chaosknoten/router/nftables/nftables.conf
+++ /dev/null
@@ -1,73 +0,0 @@
-#!/usr/sbin/nft -f
-
-## Variables
-
-# Interfaces
-define if_net1_v4_wan = "net1"
-define if_net2_v6_wan = "net2"
-define if_net0_2_v4_nat = "net0.2"
-define if_net0_3_ci_runner = "net0.3"
-
-# Interface Groups
-define wan_ifs = { $if_net1_v4_wan,
- $if_net2_v6_wan }
-define lan_ifs = { $if_net0_2_v4_nat,
- $if_net0_3_ci_runner }
-
-
-## Rules
-
-table inet reverse-path-forwarding {
- chain rpf-filter {
- type filter hook prerouting priority mangle + 10; policy drop;
-
- # Only allow packets if their source address is routed via their incoming interface.
- # https://github.com/NixOS/nixpkgs/blob/d9d87c51960050e89c79e4025082ed965e770d68/nixos/modules/services/networking/firewall-nftables.nix#L100
- fib saddr . mark . iif oif exists accept
- }
-}
-
-table inet host {
- chain input {
- type filter hook input priority filter; policy drop;
-
- iifname "lo" accept comment "allow loopback"
-
- ct state invalid drop
- ct state established,related accept
-
- ip protocol icmp accept
- ip6 nexthdr icmpv6 accept
-
- # Allow SSH access.
- tcp dport 22 accept comment "allow ssh access"
-
- # Allow DHCP server access.
- iifname $if_net0_3_ci_runner udp dport 67 accept comment "allow dhcp server access"
- }
-}
-
-table ip v4nat {
- chain prerouting {
- type nat hook prerouting priority dstnat; policy accept;
- }
-
- chain postrouting {
- type nat hook postrouting priority srcnat; policy accept;
-
- oifname $if_net1_v4_wan masquerade
- }
-}
-
-table inet forward {
- chain forward {
- type filter hook forward priority filter; policy drop;
-
- ct state invalid drop
- ct state established,related accept
-
- # Allow internet access.
- meta nfproto ipv6 iifname $lan_ifs oifname $if_net2_v6_wan accept comment "allow v6 internet access"
- meta nfproto ipv4 iifname $lan_ifs oifname $if_net1_v4_wan accept comment "allow v4 internet access"
- }
-} 
diff --git a/resources/chaosknoten/router/systemd_networkd/00-net0.link b/resources/chaosknoten/router/systemd_networkd/00-net0.link
deleted file mode 100644
index 0c55d13..0000000
--- a/resources/chaosknoten/router/systemd_networkd/00-net0.link
+++ /dev/null
@@ -1,6 +0,0 @@
-[Match]
-MACAddress=BC:24:11:54:11:15
-Type=ether
-
-[Link]
-Name=net0
diff --git a/resources/chaosknoten/router/systemd_networkd/00-net1.link b/resources/chaosknoten/router/systemd_networkd/00-net1.link
deleted file mode 100644
index ef04d04..0000000
--- a/resources/chaosknoten/router/systemd_networkd/00-net1.link
+++ /dev/null
@@ -1,6 +0,0 @@
-[Match]
-MACAddress=BC:24:11:9A:FB:34
-Type=ether
-
-[Link]
-Name=net1
diff --git a/resources/chaosknoten/router/systemd_networkd/00-net2.link b/resources/chaosknoten/router/systemd_networkd/00-net2.link
deleted file mode 100644
index 2a56f72..0000000
--- a/resources/chaosknoten/router/systemd_networkd/00-net2.link
+++ /dev/null
@@ -1,6 +0,0 @@
-[Match]
-MACAddress=BC:24:11:AE:C7:04
-Type=ether
-
-[Link]
-Name=net2
diff --git a/resources/chaosknoten/router/systemd_networkd/10-net0.2-v4_nat.netdev b/resources/chaosknoten/router/systemd_networkd/10-net0.2-v4_nat.netdev
deleted file mode 100644
index a46afb4..0000000
--- a/resources/chaosknoten/router/systemd_networkd/10-net0.2-v4_nat.netdev
+++ /dev/null
@@ -1,7 +0,0 @@
-[NetDev]
-Name=net0.2
-Kind=vlan
-
-[VLAN]
-Id=2
-
diff --git a/resources/chaosknoten/router/systemd_networkd/10-net0.3-ci_runner.netdev b/resources/chaosknoten/router/systemd_networkd/10-net0.3-ci_runner.netdev
deleted file mode 100644
index 0cd60db..0000000
--- a/resources/chaosknoten/router/systemd_networkd/10-net0.3-ci_runner.netdev
+++ /dev/null
@@ -1,7 +0,0 @@
-[NetDev]
-Name=net0.3
-Kind=vlan
-
-[VLAN]
-Id=3
-
diff --git a/resources/chaosknoten/router/systemd_networkd/20-net0.network b/resources/chaosknoten/router/systemd_networkd/20-net0.network
deleted file mode 100644
index a32d75e..0000000 
--- a/resources/chaosknoten/router/systemd_networkd/20-net0.network
+++ /dev/null
@@ -1,12 +0,0 @@
-[Match]
-Name=net0
-
-[Link]
-RequiredForOnline=no
-
-[Network]
-VLAN=net0.2
-VLAN=net0.3
-
-LinkLocalAddressing=no
-
diff --git a/resources/chaosknoten/router/systemd_networkd/20-net1.network b/resources/chaosknoten/router/systemd_networkd/20-net1.network
deleted file mode 100644
index c8bffc1..0000000
--- a/resources/chaosknoten/router/systemd_networkd/20-net1.network
+++ /dev/null
@@ -1,14 +0,0 @@
-[Match]
-Name=net1
-
-[Network]
-DNS=212.12.50.158
-IPForward=ipv4
-IPv6AcceptRA=no
-
-[Address]
-Address=212.12.48.123/24
-
-[Route]
-Gateway=212.12.48.55
-
diff --git a/resources/chaosknoten/router/systemd_networkd/20-net2.network b/resources/chaosknoten/router/systemd_networkd/20-net2.network
deleted file mode 100644
index b3f497d..0000000
--- a/resources/chaosknoten/router/systemd_networkd/20-net2.network
+++ /dev/null
@@ -1,14 +0,0 @@
-[Match]
-Name=net2
-
-[Network]
-#DNS=212.12.50.158
-IPForward=ipv6
-IPv6AcceptRA=no
-
-[Address]
-Address=2a00:14b0:4200:3500::130:2/112
-
-[Route]
-Gateway=2a00:14b0:4200:3500::130:1
-
diff --git a/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network b/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network
deleted file mode 100644
index c7fd9a7..0000000
--- a/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network
+++ /dev/null
@@ -1,23 +0,0 @@
-[Match]
-Name=net0.2
-Type=vlan
-
-[Link]
-RequiredForOnline=no
-
-[Network]
-Description=v4-NAT
-
-# Masquerading done in nftables (nftables.conf).
-IPv6SendRA=yes
-
-[Address]
-Address=10.32.2.1/24
-
-[IPv6SendRA]
-UplinkInterface=net2
-
-[IPv6Prefix]
-Prefix=2a00:14b0:42:102::/64
-Assign=true
-Token=static:::1
diff --git a/resources/chaosknoten/router/systemd_networkd/21-net0.3-ci_runners.network b/resources/chaosknoten/router/systemd_networkd/21-net0.3-ci_runners.network
deleted file mode 100644
index 9caca86..0000000 
--- a/resources/chaosknoten/router/systemd_networkd/21-net0.3-ci_runners.network
+++ /dev/null
@@ -1,29 +0,0 @@
-[Match]
-Name=net0.3
-Type=vlan
-
-[Link]
-RequiredForOnline=no
-
-[Network]
-Description=ci-runners
-
-# Masquerading done in nftables (nftables.conf).
-IPv6SendRA=yes
-
-DHCPServer=true
-
-[DHCPServer]
-PoolOffset=100
-PoolSize=150
-
-[Address]
-Address=10.32.3.1/24
-
-[IPv6SendRA]
-UplinkInterface=net2
-
-[IPv6Prefix]
-Prefix=2a00:14b0:42:103::/64
-Assign=true
-Token=static:::1
diff --git a/roles/nftables/README.md b/roles/nftables/README.md
deleted file mode 100644
index 81d8871..0000000
--- a/roles/nftables/README.md
+++ /dev/null
@@ -1,11 +0,0 @@
-# Role `nftables`
-
-Deploys nftables.
-
-## Support Distributions
-
-Should work on Debian-based distributions.
-
-## Required Arguments
-
-- `nftables__config`: nftables configuration to deploy.
diff --git a/roles/nftables/handlers/main.yaml b/roles/nftables/handlers/main.yaml
deleted file mode 100644
index 3b72c54..0000000
--- a/roles/nftables/handlers/main.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-- name: Restart nftables service
- ansible.builtin.systemd_service:
- name: nftables
- state: restarted
- become: true
diff --git a/roles/nftables/meta/argument_specs.yaml b/roles/nftables/meta/argument_specs.yaml
deleted file mode 100644
index aa56223..0000000
--- a/roles/nftables/meta/argument_specs.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-argument_specs:
- main:
- options:
- nftables__config:
- type: str
- required: true
diff --git a/roles/nftables/tasks/main.yaml b/roles/nftables/tasks/main.yaml
deleted file mode 100644
index 46ea18d..0000000
--- a/roles/nftables/tasks/main.yaml
+++ /dev/null 
@@ -1,15 +0,0 @@
-- name: ensure nftables is installed
- ansible.builtin.apt:
- name: nftables
- state: present
- become: true
-
-- name: deploy nftables configuration
- ansible.builtin.copy:
- content: "{{ nftables__config }}"
- dest: "/etc/nftables.conf"
- mode: "0644"
- owner: root
- group: root
- become: true
- notify: Restart nftables service
diff --git a/roles/systemd_networkd/README.md b/roles/systemd_networkd/README.md
deleted file mode 100644
index 3297c47..0000000
--- a/roles/systemd_networkd/README.md
+++ /dev/null
@@ -1,11 +0,0 @@
-# Role `systemd_networkd`
-
-Deploys the given systemd-networkd configuration files.
-
-## Support Distributions
-
-Should work on Debian-based distributions.
-
-## Required Arguments
-
-- `systemd_networkd__config_dir`: Directory with systemd-networkd configs to deploy.
diff --git a/roles/systemd_networkd/meta/argument_specs.yaml b/roles/systemd_networkd/meta/argument_specs.yaml
deleted file mode 100644
index 81b046a..0000000
--- a/roles/systemd_networkd/meta/argument_specs.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-argument_specs:
- main:
- options:
- systemd_networkd__config_dir:
- type: path
- required: true
diff --git a/roles/systemd_networkd/tasks/main.yaml b/roles/systemd_networkd/tasks/main.yaml
deleted file mode 100644
index f88ed14..0000000
--- a/roles/systemd_networkd/tasks/main.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-- name: ensure rsync is installed
- ansible.builtin.apt:
- name: rsync
- state: present
- become: true
-
-- name: synchronize systemd-networkd configs
- ansible.posix.synchronize:
- src: "{{ systemd_networkd__config_dir }}"
- dest: "/etc/systemd/network"
- archive: false
- recursive: true
- delete: true
- become: true