WIP: new z9 ccchh router #98
rt1(z9 host): create host and configure networkd and nftables
198
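--- a/inventories/z9/host_vars/rt1.sops.yaml
+++ b/inventories/z9/host_vars/rt1.sops.yaml
@@ -0,0 +1,198 @@
+secrets__secrets:
+- name: ENC[AES256_GCM,data:MmqDXUKy+U67JZFmKJTGLYAJcYPClQ8M2w==,iv:/eDx++bJCzdKXYB8YipB/GB6aM421JR3sy8i5trBKxk=,tag:/zTklys9bN839iT1qOH0UQ==,type:str]
+content: ENC[AES256_GCM,data:2ljp324rAsF2zk2631TI7bV1xKxdFr4u4NxrsPYnjWsL0PX0n0KhJ1qvJCs=,iv:0+DxsTTiNLOg5iH83bFT/d+0uW2rn6bATSm3xc5PEdE=,tag:XbBDrrjriXPedyT4+sBBwA==,type:str]
+- name: ENC[AES256_GCM,data:9i4hZU7Hv/IMlI/1oYthx8g57nrst9LHZQk=,iv:IQanD/CA64A+hVyTQBiTvWdXyY8qNF9BpehWZxI5a9c=,tag:RiY0OJe2xbFPG6wfe5XjiA==,type:str]
+content: ENC[AES256_GCM,data:lrwHaNvHkh5E94ziiQsd8ua9YvuwmhZ6iIGZS0oFnZdYKuyNh7egWOoii2o=,iv:LLRKhbiJl1GwK/SfqNdNrrJuDF17YXw3hHmuhlyI87w=,tag:DbR/a7jfy1+4yswSdYfOFA==,type:str]
+- name: ENC[AES256_GCM,data:2lJUcDJ7ECJ1bF4Fg1VwOR2tBIQ77ZvDAbFF8w==,iv:HrPWIetjN/lOyQ7Mvk0sM1w+bWldlNfWhvw7/sfqKN8=,tag:AJL0s+f0O/yR4G3RVd1IHQ==,type:str]
+content: ENC[AES256_GCM,data:68GUwG1Q2s2jH92HS0FQWrcMHJP8fHjrOqr21gsdswxKekQrpxX5B3BBFfM=,iv:HOsNUAKE5rOmKgZft2JK1NnZUuhk261d9WYWJS22nLM=,tag:3husFvB57AGVFzF7hKzLpw==,type:str]
+- name: ENC[AES256_GCM,data:ESxpEp9k9BdD1GJv+af+U3ny0+RPuaJjWDhQ,iv:DxsZLiDF8F+ixepbUdlitMJ7DLHjGNFNuxRwLl7efo8=,tag:STnv/oLzbchdiwXfKP3fow==,type:str]
+content: ENC[AES256_GCM,data:W2h5AcoT85OkekPeRkrf1m0bDdBjG/YNSbWlrcZtP7FjaPh/F+cx+J6oRRI=,iv:CLVXTqfstpIU3BX/Zdcnp9w0gWxeGDI/G1MNl6xr4ZU=,tag:yCqN4r1MV/VTWQvZ6COfIw==,type:str]
+- name: ENC[AES256_GCM,data:IRwwy+WQxgQ8cDpB8HaCLpKwJj7oC87p0XOxWRo=,iv:BLXNMcigvaOeY6y4NlLPMMWQt9XFi6nodRwIYFgAAnU=,tag:OdQalmujOgrzW8oi64xMRg==,type:str]
+content: ENC[AES256_GCM,data:C5oIcuEYtODsvjQZnbqbWVfP63mQzcRuh8f5rlBCyjwSq2mZiYGQe9t0T78=,iv:sITUDo9SKZTSwPfsMv4m4U0ruuVCcaxu7SUT52U4FSE=,tag:4CsSMJWQQPAIeK8DwUDBqg==,type:str]
+- name: ENC[AES256_GCM,data:r0sbpjaGjezoNlyl1khy+Dly+8xbbfQZNB8om/E4/tj9lmM=,iv:MLrglBJA6BrHGmFRprlQcf5/Hqh952e5OyQQ9nPxumY=,tag:Se05kMBkSQ7TRxzij7Fo8A==,type:str]
+content: ENC[AES256_GCM,data:/c1nRf1eZhbUmoQWvcj8yDaVPtyAN7Uu+S054q3C1/kXlQ7CgOe4CrMXnmk=,iv:ppar0aCKuIU3DOjwAoliZ5TOL199Z+Ffo4pCktjs0W8=,tag:nfaGutK+5KnlWBKU1MTxkQ==,type:str]
+- name: ENC[AES256_GCM,data:7mwuykEqbGISOa2n+pWb6INLsHYdjyf2HxTtWpAr5xP1,iv:NMcg+L2DFtBO1nhyPid31yzLr+ZX7DUGl/WxV1MnrqU=,tag:65/BiUEI8v5oMlQqpKNDRg==,type:str]
+content: ENC[AES256_GCM,data:SObbA3D/sGN5/i5ps4Zz3alygIXKbSgptFjfPHlwC8G588O+gKAkvKQwU/s=,iv:PY2vLfI3gInFeQbse49KC2/zZ9O4jeXAQ0fpP84GHHE=,tag:214Mb8hIYDkQ4+UkRWtc9w==,type:str]
+- name: ENC[AES256_GCM,data:bES9O6JI4wTnuZsup9gflfaozeUDkfjVGNIFn8RnZQ==,iv:98kigM3KZIN5qXNdgfLg5WLmxzAsYCjNqVzyUPco/BI=,tag:1fwEtwQ6i9QQC3OCewN0eA==,type:str]
+content: ENC[AES256_GCM,data:flO3Nb4u2WfWNVhn8k5Bgo3LmsHo2cVnLCsrz8ST9Ip7gO9FY9d27FQgphM=,iv:aiDoq+41cSjwcCZRaIPLtbltkOpc7FeuNN7swPqkHXQ=,tag:OhzcY2xKKJF2jZVRseXCFg==,type:str]
+- name: ENC[AES256_GCM,data:ERsggezMBbs1YwbIgwzKSAEHWWOWYxap8IDdn2YtEKvZexqu,iv:XbObLp2QERgt57tc/Cpha1CWXi+GttcIU8hJFGSp8e8=,tag:FqCuSbvLRERpVnQTzQsfpQ==,type:str]
+content: ENC[AES256_GCM,data:QPoZA71CwE8EFE0I+6z0z0O1bUCMQDDDG7wGNoxXKt3ovLkFt21r8WG7VhA=,iv:InX6A71f3DGTg1wO4G0ECf488+FnKgTHffVwvJ9hHQ0=,tag:EVxwJlneN1CbMLXto7uLFw==,type:str]
+sops:
+lastmodified: "2026-05-23T21:19:38Z"
+mac: ENC[AES256_GCM,data:Ded0VfGn8H2qGMk5LDyqF1gW8hajKc9FgvCynHPQkWkhMSdaHYbFwf//gWi2TjIO22HD5sPw1w9KAjPy53b57RwBCjXfMMq0JCPvuePLK40NC8uCAi+wr5Er0fAWz1JiaA+dowposoi6RxBtyHCaNHMDVGMLh1j+IL+pTOyi6fk=,iv:gssOMmR0DDQC4WjMVXTD/zqbQa8qlBr9ZZWF15W0WnE=,tag:DORTxQfCmpVjDjyGSNH7dw==,type:str]
+pgp:
+- created_at: "2026-05-23T20:58:22Z"
+enc: |-
+-----BEGIN PGP MESSAGE-----
+
+hQIMAxK/JaB2/SdtAQ//bbr0oza/X6GG43ay9coZbb+0aptj3pGzQqT1ND6nsI34
+iY3IZaMZIti+j/BS5kEfmRn56WZSx6EcbSrlbiyL5NZw9R4/bGRd848rOLwMvuYO
+8Usei9jHdpHiPvKBZnZXaXGU8E27L0Y/LCxSIFOXbyHzHogjz3JmtJQsYpSC+ue6
+mIRrSAJPALrqEL+DZ2bl5UYlBIRXdtIe/jL1CFCJhULt+EjJw72T62DZK/jaNZTj
+eint63+IFZSxx5e5vrAeQB+p2EDsp6c5NbDrlgQWb8/J1q/G5bG4KxBs/0hum7OW
+/sSsIDb4Qb8U/axt5LduV6AkMXXsclNLQU/LbFAbBRcV8Lvh11f0U3V/UnqUdmvp
+efesb5VQh1x0uWjzobxaioLEV/YYbWx8binvuJ3MBHKp6E2xj7IrBTVl0MWgjEou
+ZbQDF8DvxA49xEnJyOviL2/zjnV1kXy+Q+BKZga3pr8AnBHA8Ftbsvmk6CyDEM0R
+i4FAUOVa9VWiszoOaqyn1Fl02YlweFmgzuFjd3wi74Tbi6RE37rN/vBKySbnRQYl
+rFUU3SQlztxd4UBAXBo6gQKTz5B4rehvKVye2mmqEE9bas/lCWAKVJ7+3+0NQdA2
+lp/X7h7DRSD2Qkd35SzxkJz7P86rd0LM1aOu87psxYavEWw6vFs2ErDkSeqDn1DU
+aAEJAhDb1s+jpDUa3GvVZjoiiCyutI018jfJU1vi12PGktg4KJcXBx66R/nLItO2
+ba6o66scIiAJZ+jYymW6RbJTI7XRHJp4Cs8COhpMRQeOGwEHFGGL2rpGd3KrOLQe
+0/C6EmrJvGpl
+=atNE
+-----END PGP MESSAGE-----
+fp: EF643F59E008414882232C78FFA8331EEB7D6B70
+- created_at: "2026-05-23T20:58:22Z"
+enc: |-
+-----BEGIN PGP MESSAGE-----
+
+hQEMA1QflAioE8i3AQf+NkUGCBrTCkkyl+iBb6P1IWLDGqAY8s20mBZ7G3plKE/J
+UrIe947letj/8EA+yoN0uzjwEkh3rDLtZrOLTSgflq1GMpdVhdaTbS71fD3kghJQ
+P9tz0zDQEgXHBi+2q7iRrEETx/cu7UDNkSCNvQbWvDmo8MfbSBy+VFCknfupdQxj
+9hlq4kBA0pckPCY8V7E05nDhQntS8wpXIEO1SWiSuiGg+p4yFlvNzWNfhLyEFHxL
+BZHVVIU/mzyClMajjLJWjKI1LSgHXXIa28tgdrtiBZOsF+CWveYqJlRJh9NUepJI
+ZSeFNhyWmnS9ZkQu5BUyb7+oRxfq2NY51T76Xbo8gNJeAZWwyr1sj1wjubuVeNMF
+aU6FiynYWr3I35JRVghTMJ93CnPl+NTpWnQuHpq1bzEGe2u8BMFhgrTu2yMD23VQ
+eGien6SqfEbA/wAiz9ZaUgTQH8UyHpliteZ8/SQgkw==
+=UJvq
+-----END PGP MESSAGE-----
+fp: 21C9579E6503CA815A68ABD8541F9408A813C8B7
+- created_at: "2026-05-23T20:58:22Z"
+enc: |-
+-----BEGIN PGP MESSAGE-----
+
+hQIMAz5uSgHG2iMJAQ/+O5JOJfDp/BuBCuXDQVUgJagspQO6LZ/MLrl9qH282AMf
+MdgN5M/WjbOv6WZDCMg4nfXps1XgzUEiaA/1m4PxHlMmxjEoQHAE51GMcxsXg+B1
+lM+8uJ1+js1sdDX4xsZtJpbVxJKIbPuhF7oM950oDlL2+UKhUbPlCoxeOihlkVGa
+RqHJ/M74xkyKH281oRI5bllJaAroBnXVSFIvbCxA7ts/O7YJPKBowTIj62Kye9Ra
+aHC11bPy2RlJCcFZJjPSdnXvzUMpfzEd6O72VUtMBBQZn/in7efutC8FwpRYuUW7
+vSofxUN5n6Mtb8A1XSMFD/nfXVc/pM6Cu7kdtHSwSKgbKKf6mrCeVgaM9xcG0t2W
+9yEtWvkdvOOSqz/vd1vkftbBWcCejX7bktfmD408CJAs1bjzz5CyrDoWcnYmbxFY
+6N4rhMDRMTe19VH2UQ4EvSjQjmmYCspnUW3/78zi5kU1ijyQy13UpbgwulU7tSGc
+KKtBjPoy6mLIVl0YhnEJZWD/XPIRWyW+0s+7m70YXCWSVipvCelEE8oPWjf8PLaE
+J85crlZGkSRcRO7yOP/YtB9ZnajgaF33zJU3ZWr0C/IXj2TeepZp/JUteD2H/LRf
+9YJzOFYDOFIWcdmaTzJLBEaefWcDjT6wkIf6TBqQRMLsu8JUwy9VwFcsi/d5aMXS
+XgEQqSxYb1B39OR0sS1Xpw0/CFe4imBPuG3w0tOAyM3DbPWYY1kZYIRZenV1ZIOS
+aRZJh086kuWgHYB76VoNzDK3QperWvHL/8CT2g3HuPiVGSrrXwxCYXk5+UXB9bQ=
+=Xx91
+-----END PGP MESSAGE-----
+fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
+- created_at: "2026-05-23T20:58:22Z"
+enc: |-
+-----BEGIN PGP MESSAGE-----
+
+hF4DsZXvxFXTXoQSAQdA0rZTVdySF9nUiz7ZyFJgq1tojyLojGTgE4UIEJzFSTUw
+9y4kbGn1cWMpAqr+sE3WHV9p7v6kgm/XdUjXGN4DadpUbiYx6sQW2Jov6Km2EYhq
+0l4BawupjX25wi7c2yR5iGdxYS8oCYVmGgcAB3T96v8VsXpkAOYQAOOh7B9GQIxm
+hB3cFQLCy2un3VvBsiKGFMA2FhZYBOuaEwP/KmWnPv0IPIRH4by6LDB0xgq8MUNz
+=xoVE
+-----END PGP MESSAGE-----
+fp: 9633412309CCB83BFA39BA5F2FEF746201D7FCFE
+- created_at: "2026-05-23T20:58:22Z"
+enc: |-
+-----BEGIN PGP MESSAGE-----
+
+hF4DerEtaFuTeewSAQdAgcGcZ3BT6lsJ8FxkMghxg5/PZLtIzNeJaEUbxN0EFhsw
+uM+Lec3k9BJSUJK8GeVmesYxQh8vP6Yi/+m2LnGjHXzkQg8Bx1HJzuC/Ap36rC6N
+0l4Bxj1URTsRD4yILEA3TY4Dn9St9uOtodJcf5YdAKvmeb3Uwy//huNnA1eK7b+v
+WRHcU2K+GgkSzLiRLZTc/nMrrCQ/P5HzwYHmP2rypFX7kxXlPd3K6yMZWTiSgYZd
+=gZLQ
+-----END PGP MESSAGE-----
+fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
+- created_at: "2026-05-23T20:58:22Z"
+enc: |-
+-----BEGIN PGP MESSAGE-----
+
+hQIMAxjNhCKPP69fAQ//YGOLOFtORNbOu+KFCtGcJBXQMy6Ej3/tePVuDi2vmqLD
+3Dz6stB9D+BmBbcgbFlDA+g7Vi6DD+zcze9wM10iuc9t9ucAuQ7B/ymSvJc4MrYn
+MJFvQv5IYgWJmzXLYEFYYpmZPGG3hSHSgWIPs+574wEA/L867ktguW6ZD3ZuMn3E
+yjCTeT/ZkGjuIpGqMu2/o9Wvc+RYgWlCB69D8kTHtnbFzbqEzvKU5/zte5ThchA+
+QZwFd/gk3o1G/7WOYJJ6CbBSOQaSrfm0mnb6sppNPdOAQtqHVSFVX5vX96gXsht/
+AkrvD6/2R5eNzbqRaU83cg7c5far49xoBbL6czreWY3D56yK4BJbrrg9mK7oCEfO
+GaRDFFD7R4LJPfVx2xDoIQ3Hyp4E3dz4nyJx0Kg7NSEt7soOb5MnZ+04LLAiHbaT
+qZr618V530uw3qaCsYcgHy+WsZXXlqXQey3A7jphi3u9Kvn9UjeegjNvpOrMk6g1
+RhGzv72G0wjZnzjTjPlzeROHaQ6RPgfpkZjEcVZNZkfAgAbB3XPgCFGKz4qvx9MP
+4eHIlBSJizLzSi519o+0i5PwrZdEf9L4RUVxgQgdJXMh1JaydVh5DOU+xomdStD5
+Maymkt8fSgYgDaS953YA2e04PrkXCH0EHZ62T9EMxreEoU3nYTmw/TGx7RfU+wzS
+XgEuQkLWSToJ40/Ir3obDA246yv7J2FpmPwG4oFypkM5xe1WjlMlk90b9RBhUgXk
+ylRXXLBzau6mtbPOa7LGdVyVs2DClWQo9BoK+dxEsnW+TR144O4UmZEfifJXvgQ=
+=ympd
+-----END PGP MESSAGE-----
+fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
+- created_at: "2026-05-23T20:58:22Z"
+enc: |-
+-----BEGIN PGP MESSAGE-----
+
+hQIMA46L6MuPqfJqARAAshm2x7wX/9g3XJtSN0AnSeCwSHO1I4+ebLKOsB7zcXh8
+hrVO3694jQcU9L01H7jGYw4lNNzBd61/uVE5AvMq4Sqn9iH3MFNESbAEOWVV+TRf
+53JMg9C/aZfde8gHgHPaiVXlCBVEVY9CqHpUXUKDmEE7iRb5P4DuMxOmybDYZGzY
+4c5Ke1MFMkGRmAtsT1qLrT2vh+F0CX4JwpMkxCmOzSWAXbwrVOigJ35l5zM6vme4
+5EQu9jI8FApTxVchZbr0v3UOKxp5OebqC0jGeznZNf4qb0qnsvuowY6IIw5Tl3/q
+H4TLq5EUOVqTC1voIWY/gMjieiW1gtr6vASy4MvbswsZLc26YVE9IbHzAOUWDN2o
+f2iQ3aZYuINvniD23XtM0TKepDXWq5eF+AJpmyP/LL8sYvSnWFD+muK3O657djEu
+yGZs2EFTrkiUvhBq3apOOYiU0eOi4Aq6UeEbOsLENnQrBRXuHEm4KUSwzOitVwJ1
+ByxQTu7wzY727SOR2hzjMC0LI602WGpEQU7ech5L4uWqtMFwaBP9HnUamcofKqqt
+1vI2BevsJfQ0rtTE6GWseHt702lllTGe3RnHWc6YsMWLwUfRdBPggMW37hAPPcfO
+ytbU3RJIxx4vImRtXhkI5yvbpFQrooz1zSeXWaitPE5jmmiKe9IRStLnfiq9E2TS
+XgFVuQM8K0LgUYEoAipvafhnC3ohfGsM2AYd36EoaMNLeQ2ZZEiV06/Y3EWoI0iM
+aqRLwyBvTuDOc5BK32nCbAgUbbPJjPhqWaoNp5ymCBV76oW613gApkzoUF+OIUU=
+=KKaI
+-----END PGP MESSAGE-----
+fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
+- created_at: "2026-05-23T20:58:22Z"
+enc: |-
+-----BEGIN PGP MESSAGE-----
+
+hF4DQrf1tCqiJxoSAQdA8YKD21h5POTLPf04KvGN93omFgkYO+Y8Kc0jM0vdqm8w
+3zYRaLsDjdh8Zd89/HhHJUfLrTp/IJ0n81sK0ZjznbXKxgkseGthMzof+L7BnPAp
+0l4BnAs9iZS4q2LZVS7ySBP89xLmF97qhK2jagMNSAwq8Afxbcw8oQAVQmeyYfxx
+X59irIHjI1ugO4o1WnTN67nTQjU5msbVBs0eALrw3jobzFHRL67fS0a4Soa59LTY
+=ZHIU
+-----END PGP MESSAGE-----
+fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
+- created_at: "2026-05-23T20:58:22Z"
+enc: |-
+-----BEGIN PGP MESSAGE-----
+
+hF4DzAGzViGx4qcSAQdAN7rRlv3dMoFOfj9eHgf+0H8521b32nWqySUdriEy6Tcw
+gjuReMBpKQOgUfuhIiWkHIKNtNgMrYWiC20ESOXX5b9uYZNpqHCgHQPlX0lEeGim
+0lgBOieL7mSEq4wkWLCSv4sBAmkQA+dnugBeF+TrlqKQTZsbe/Z+jNG4ZrHRvdqi
+4I5It+uaRV9Vrul1c6H7fNreRPUd4hNyJwU7gZQ+vU2WyAmgqerxE1Wb
+=gplT
+-----END PGP MESSAGE-----
+fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
+- created_at: "2026-05-23T20:58:22Z"
+enc: |-
+-----BEGIN PGP MESSAGE-----
+
+hQIMA2pVdGTIrZI+ARAAjWK8mU99VcnM/Ckzm+YsZFTwnz4PDAenDDdZ1OOz5IXe
+tS4SQPcQlSSOuXEkFLJMmm8QVxtUC3Gh4nF7o+7OygT+0ZXOrB7jFgg10+v/KVA9
+hSlqBdsMxcC0OzBtkGyAOXOxqnTVubuHEGyGpIryHt1/lthUUZHBbjgw7P0Tw2/U
+sYK5j5YbqhyBl20gyZorkTTq7pHfVXDVtpe75+ZkqbOg4S6HgW3/dl+v6N0TLfRs
+GVl0fUlWIK/akGCB71zdwJs2I1qTeMTlL6v+XSUdXj0YV+5fjh3wf8qzN9geIjQK
+ybxGFWDKCAgTMnqoFF5BCL23hFtnCbTtLN1wQT7/m7zpjaBKHOBXZOGXYZCMGZui
+sBsUvPANgNdfOse9H2aABQvUQh8WqFw8S73GasvrZHAwEmvnXzocMJd+kUovzmQu
+9FBk5UkcgXfmxeamoP8C700vh4zI+sKz6uEW0+AuVtLlLVqlb2w21kTc+ArZW52n
+HLolH5q3Wj6pKuuFCWKr6UgLFcq2w4QngB2p+UABHU3RbwXIra7prDXCUcNC5iCn
+ElRFY7OZ3nbHOf9oaW/MitcfszVLyl0ueoay6qxdlIGdXKRGpqxHqqr+92INV/iz
+6CRoAsTqVq1a7ZuAaUdJPvfKVAHHEHjPwlrOc9cXvykG0iQKsRzgqiOtPiGQShnU
+aAEJAhDSqCwywHDnQ7X9ZWIzPjwvqyHpEVez8zYh3vpgKpsLb9uL+JizZjV02HMe
+nhiL+4o/aNjJgGJWph1uPFhU4wO4AavnNBsHbJSiL/1yTS96hdf8d+gB41yVLU3e
+kBkDFLKkIBkU
+=aRLd
+-----END PGP MESSAGE-----
+fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
+- created_at: "2026-05-23T20:58:22Z"
+enc: |-
+-----BEGIN PGP MESSAGE-----
+
+hF4DKKbvh61jX5USAQdABId/P8ozRgJ4ItF1zvxp98aH+g3LZ6UGnxjYjtDxjEIw
+VmyerznjOLnpz0EobXRRoot1Lo82Va64HQmXt26LG3gFY1HVp0WOnIZXa/CUoUb8
+1GgBCQIQloFxKcgFTiRidaJfN7hSeQLleiEe3aifZUyJj8niTmBaY29t+CSoA46N
+xZzX1AlxVjfmputhYdTyOYSJtGrj7otmnUN2P+55pjz4L2qCYAEKi1+ibqgpmJh/
+bETQsT6WKJ8FXA==
+=Ci7L
+-----END PGP MESSAGE-----
+fp: 41FFAF3D519CF5C039FBD8414BCC213729AF0E49
+unencrypted_suffix: _unencrypted
+version: 3.13.1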
6
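--- a/inventories/z9/host_vars/rt1.yaml
+++ b/inventories/z9/host_vars/rt1.yaml
@@ -0,0 +1,6 @@
+systemd_networkd__config_dir: 'resources/z9/rt1/systemd_networkd/'
+systemd_networkd__global_config: "{{ lookup('ansible.builtin.file', 'resources/z9/rt1/systemd_networkd_global_config.conf') }}"
+nftables__config: "{{ lookup('ansible.builtin.file', 'resources/z9/rt1/nftables/nftables.conf') }}"
+ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin"
+ansible_pull__timer_randomized_delay_sec: 0min
+unbound_access_control: [ "10.89.208.0/20" ]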
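Review bot: `unbound_access_control` opens a resolver to 10.89.208.0/20, but nothing else visible in this pull request makes rt1 reachable as a resolver: the `input` chain in `resources/z9/rt1/nftables/nftables.conf` has no rule accepting port 53, and the inventory hunks shown add rt1 to no unbound-related group. If rt1 is meant to serve DNS, the firewall needs a matching rule such as `iifname { $lan_ifs, $if_wg55_management } meta l4proto { tcp, udp } th dport 53 accept comment "allow dns access"`; if it is not, the variable should be dropped so the inventory does not describe a service that is filtered. The /20 also covers neither the IPv6 prefixes announced on the LAN VLANs nor the public 185.161.130.64/28, so clients in those ranges would presumably be refused even with the port open.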
|
|
@ -14,6 +14,9 @@ all:
|
|||
yate:
|
||||
ansible_host: yate.ccchh.net
|
||||
ansible_user: chaos
|
||||
rt1:
|
||||
|
|
||||
ansible_host: rt1.ccchh.net
|
||||
ansible_user: chaos
|
||||
certbot_hosts:
|
||||
hosts:
|
||||
dooris:
|
||||
|
|
@ -35,6 +38,7 @@ infrastructure_authorized_keys_hosts:
|
|||
light:
|
||||
waybackproxy:
|
||||
yate:
|
||||
rt1:
|
||||
nginx_hosts:
|
||||
hosts:
|
||||
dooris:
|
||||
|
|
@ -46,6 +50,12 @@ ola_hosts:
|
|||
proxmox_vm_template_hosts:
|
||||
hosts:
|
||||
thinkcccore0:
|
||||
systemd_networkd_hosts:
|
||||
|
june
commented
If we configure ansible-pull variables above, the host should also be added to the relevant host group. (However an ansible-pull age private key is still missing.)
|
||||
hosts:
|
||||
rt1:
|
||||
nftables_hosts:
|
||||
hosts:
|
||||
rt1:
|
||||
alloy_hosts:
|
||||
hosts:
|
||||
light:
|
||||
|
|
@ -59,3 +69,4 @@ ansible_pull_hosts:
|
|||
yate:
|
||||
secrets_hosts:
|
||||
hosts:
|
||||
rt1:
|
||||
|
|
|
|||
111
resources/z9/rt1/nftables/nftables.conf
Normal file
|
|
@ -0,0 +1,111 @@
|
|||
#!/usr/sbin/nft -f
|
||||
|
||||
## Variables
|
||||
|
||||
# Hosts
|
||||
|
||||
|
||||
# Interfaces
|
||||
define if_netwan = "netwan"
|
||||
define if_netlan = "netlan"
|
||||
define if_wg55_management = "wg55"
|
||||
define if_netwan_400_fux_uplink = "netwan.400"
|
||||
define if_netlan_51_clients = "netlan.51"
|
||||
define if_netlan_52_iot = "netlan.52"
|
||||
define if_netlan_53_public = "netlan.53"
|
||||
define if_netlan_54_management = "netlan.54"
|
||||
|
||||
# Interface Groups
|
||||
define wan_ifs = { $if_netwan_400_fux_uplink }
|
||||
define lan_ifs = { $if_netlan_51_clients,
|
||||
$if_netlan_52_iot,
|
||||
$if_netlan_53_public,
|
||||
$if_netlan_54_management }
|
||||
define v4_exposed_ifs = { $if_netlan_53_public }
|
||||
define v6_exposed_ifs = { $if_netlan_53_public }
|
||||
define v4_nat_ifs = { $if_netlan_51_clients,
|
||||
$if_netlan_52_iot,
|
||||
$if_netlan_54_management }
|
||||
|
||||
|
||||
## Rules
|
||||
|
||||
table inet reverse-path-forwarding {
|
||||
chain rpf-filter {
|
||||
type filter hook prerouting priority mangle + 10; policy drop;
|
||||
|
||||
# Only allow packets if their source address is routed via their incoming interface.
|
||||
# https://github.com/NixOS/nixpkgs/blob/d9d87c51960050e89c79e4025082ed965e770d68/nixos/modules/services/networking/firewall-nftables.nix#L100
|
||||
fib saddr . mark . iif oif exists accept
|
||||
}
|
||||
}
|
||||
|
||||
table inet host {
|
||||
chain input {
|
||||
type filter hook input priority filter; policy drop;
|
||||
|
||||
iifname "lo" accept comment "allow loopback"
|
||||
|
||||
ct state invalid drop
|
||||
ct state established,related accept
|
||||
|
||||
ip protocol icmp accept
|
||||
|
june
commented
This seems to be using tabs for some reason, probably best to replace with spaces.
We might want to start using `.editorconfig` files in the future.
|
||||
# ICMPv6
|
||||
# https://datatracker.ietf.org/doc/html/rfc4890#autoid-24
|
||||
# Allowlist consisting of: "Traffic That Must Not Be Dropped" and "Traffic That Normally Should Not Be Dropped"
|
||||
# Error messages that are essential to the establishment and maintenance of communications:
|
||||
icmpv6 type { destination-unreachable, packet-too-big } accept
|
||||
icmpv6 type { time-exceeded } accept
|
||||
icmpv6 type { parameter-problem } accept
|
||||
# Connectivity checking messages:
|
||||
icmpv6 type { echo-request, echo-reply } accept
|
||||
# Address Configuration and Router Selection messages:
|
||||
icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } accept
|
||||
# Link-Local Multicast Receiver Notification messages:
|
||||
icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, mld2-listener-report } accept
|
||||
# SEND Certificate Path Notification messages:
|
||||
icmpv6 type { 148, 149 } accept
|
||||
# Multicast Router Discovery messages:
|
||||
icmpv6 type { 151, 152, 153 } accept
|
||||
|
||||
# Allow SSH access.
|
||||
tcp dport 22 accept comment "allow ssh access"
|
||||
|
||||
# Allow WireGuard access.
|
||||
udp dport 51820 accept comment "allow WireGuard access"
|
||||
|
||||
# Allow DHCP server access.
|
||||
iifname { $lan_ifs } udp dport 67 accept comment "allow dhcp server access"
|
||||
|
june
commented
Same indentation problem here.
|
||||
}
|
||||
}
|
||||
|
||||
table ip v4nat {
|
||||
chain prerouting {
|
||||
type nat hook prerouting priority dstnat; policy accept;
|
||||
}
|
||||
|
||||
chain postrouting {
|
||||
type nat hook postrouting priority srcnat; policy accept;
|
||||
|
||||
iifname { $v4_nat_ifs, $if_wg55_management } oifname $wan_ifs masquerade
|
||||
}
|
||||
}
|
||||
|
||||
table inet forward {
|
||||
chain forward {
|
||||
type filter hook forward priority filter; policy drop;
|
||||
|
||||
ct state invalid drop
|
||||
ct state established,related accept
|
||||
|
||||
# Allow internet access.
|
||||
iifname { $lan_ifs, $if_wg55_management } oifname $wan_ifs accept comment "allow internet access"
|
||||
|
june
commented
Same indentation problem here.
|
||||
|
||||
# Allow access to exposed networks from internet.
|
||||
meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access"
|
||||
meta nfproto ipv6 oifname $v6_exposed_ifs accept comment "allow v6 exposed network access"
|
||||
|
||||
# Allow clients and managment to most
|
||||
|
june
commented
"managment" -> "management"
Also "Allow clients and management to lan interfaces." might be a better comment for this rule.
|
||||
iifname { $if_netlan_51_clients, $if_netlan_54_management, $if_wg55_management } oifname $lan_ifs accept comment "allow clients and managment to lan_ifs"
|
||||
}
|
||||
}
|
||||
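Review bot: `tcp dport 22 accept` in the `input` chain has no interface match, so SSH to the router is accepted on every interface, including the uplink `netwan.400` and the IoT and public VLANs. The file already defines `$if_netlan_54_management` and `$if_wg55_management`; if administration is meant to go through those, the rule could read `iifname { $if_netlan_54_management, $if_wg55_management } tcp dport 22 accept comment "allow ssh access from management"`. If Ansible has to reach `rt1.ccchh.net` from outside, keep the open rule but say so in a comment and consider a rate limit on new connections, so that the exposure is a recorded decision rather than a default.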
6
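--- a/resources/z9/rt1/systemd_networkd/00-netlan.link
+++ b/resources/z9/rt1/systemd_networkd/00-netlan.link
@@ -0,0 +1,6 @@
+[Match]
+MACAddress=BC:24:11:72:A3:27
+Type=ether
+
+[Link]
+Name=netlan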
6
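--- a/resources/z9/rt1/systemd_networkd/00-netwan.link
+++ b/resources/z9/rt1/systemd_networkd/00-netwan.link
@@ -0,0 +1,6 @@
+[Match]
+MACAddress=BC:24:11:CF:65:57
+Type=ether
+
+[Link]
+Name=netwan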
7
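--- a/resources/z9/rt1/systemd_networkd/10-netlan.51.netdev
+++ b/resources/z9/rt1/systemd_networkd/10-netlan.51.netdev
@@ -0,0 +1,7 @@
+[NetDev]
+Name=netlan.51
+Kind=vlan
+
+[VLAN]
+Id=51
+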
7
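--- a/resources/z9/rt1/systemd_networkd/10-netlan.52.netdev
+++ b/resources/z9/rt1/systemd_networkd/10-netlan.52.netdev
@@ -0,0 +1,7 @@
+[NetDev]
+Name=netlan.52
+Kind=vlan
+
+[VLAN]
+Id=52
+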
7
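--- a/resources/z9/rt1/systemd_networkd/10-netlan.53.netdev
+++ b/resources/z9/rt1/systemd_networkd/10-netlan.53.netdev
@@ -0,0 +1,7 @@
+[NetDev]
+Name=netlan.53
+Kind=vlan
+
+[VLAN]
+Id=53
+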
7
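--- a/resources/z9/rt1/systemd_networkd/10-netlan.54.netdev
+++ b/resources/z9/rt1/systemd_networkd/10-netlan.54.netdev
@@ -0,0 +1,7 @@
+[NetDev]
+Name=netlan.54
+Kind=vlan
+
+[VLAN]
+Id=54
+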
7
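--- a/resources/z9/rt1/systemd_networkd/10-netwan.400.netdev
+++ b/resources/z9/rt1/systemd_networkd/10-netwan.400.netdev
@@ -0,0 +1,7 @@
+[NetDev]
+Name=netwan.400
+Kind=vlan
+
+[VLAN]
+Id=400
+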
90
resources/z9/rt1/systemd_networkd/10-wg55.netdev
Normal file
|
|
@ -0,0 +1,90 @@
|
|||
[NetDev]
|
||||
Description=Admin-Wireguard
|
||||
Kind=wireguard
|
||||
Name=wg55
|
||||
|
||||
[WireGuard]
|
||||
ListenPort=51820
|
||||
PrivateKeyFile=/etc/ansible_secrets/wireguard_wg55_privat_key
|
||||
|
june
commented
`wireguard_wg55_privat_key` -> `wireguard_wg55_private_key`
|
||||
|
||||
# WireGuard Peers
|
||||
|
||||
[WireGuardPeer]
|
||||
# friendly_name = stb
|
||||
AllowedIPs = 10.89.214.2/32,2a07:c481:1:37::2/128
|
||||
PublicKey = vILSL4dbaC5IaTsRhJviamV18ssxWSj+qLVyowLQ214=
|
||||
PersistentKeepalive = 30
|
||||
|
||||
[WireGuardPeer]
|
||||
# friendly_name = fi
|
||||
AllowedIPs = 10.89.214.3/32,2a07:c481:1:37::3/128
|
||||
PublicKey = UHi/if5uW2V3+8Q3R+uk6/XpRi4fPXbw7chsKI4xlkI=
|
||||
PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_fi_psk
|
||||
|
||||
[WireGuardPeer]
|
||||
# friendly_name = jtbx
|
||||
AllowedIPs = 10.89.214.4/32,2a07:c481:1:37::4/128
|
||||
PublicKey = NyyEqdWgScgsnTF8Zz/Om4Lc84fdFMwVtvaCmLEkUlQ=
|
||||
|
||||
[WireGuardPeer]
|
||||
# friendly_name = June
|
||||
AllowedIPs = 10.89.214.6/32,2a07:c481:1:37::6/128
|
||||
PublicKey = 6jAEB+f9przBGxPhuvv9U9gvZDEBQNqpQSD0BoGqXQQ=
|
||||
PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_June_psk
|
||||
|
||||
[WireGuardPeer]
|
||||
# friendly_name = Max
|
||||
AllowedIPs = 10.89.214.7/32,2a07:c481:1:37::7/128
|
||||
PublicKey = oC1hJjtlAgLX/CmbwTC+LPmd1uwluQTwsN8RaMNmHn0=
|
||||
PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_Max_psk
|
||||
|
||||
[WireGuardPeer]
|
||||
# friendly_name = dario
|
||||
AllowedIPs = 10.89.214.9/32,2a07:c481:1:37::9/128
|
||||
PublicKey = bYF2EGRGpEGjiKcasi/oaWoWeLsgqsF6FGaq3Z4ERww=
|
||||
PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_dario_psk
|
||||
|
||||
[WireGuardPeer]
|
||||
# friendly_name = June-mobile
|
||||
AllowedIPs = 10.89.214.11/32,2a07:c481:1:37::11/128
|
||||
PublicKey = 6edjXykegUgGjbkIG1aJyBlX1SgTKcqXXaSBVPHdKDc=
|
||||
PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_June-mobile_psk
|
||||
|
||||
[WireGuardPeer]
|
||||
# friendly_name = djerun_at_ferrum.local
|
||||
AllowedIPs = 10.89.214.12/32,2a07:c481:1:37::12/128
|
||||
PublicKey = aHbdkTHhPkd+o7wWfTua9nd72aF4OVp66zGtpaoD8Fg=
|
||||
|
||||
[WireGuardPeer]
|
||||
# friendly_name = c6ristian
|
||||
AllowedIPs = 10.89.214.13/32,2a07:c481:1:37::13/128
|
||||
PublicKey = 6ndwj3Ur6AqfUPWuyPYXIaGZs2ujJKawSQ9LEvlYzEc=
|
||||
PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_c6ristian_psk
|
||||
|
||||
[WireGuardPeer]
|
||||
# friendly_name = langoor
|
||||
AllowedIPs = 10.89.214.14/32,2a07:c481:1:37::14/128
|
||||
PublicKey = qTnVQlQa1m4SucFFNli/xM6QWfsdWx2baRAit7Cg8RM=
|
||||
PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_langoor_psk
|
||||
|
||||
[WireGuardPeer]
|
||||
# friendly_name = langoor_home
|
||||
AllowedIPs = 10.89.214.15/32,2a07:c481:1:37::15/128
|
||||
PublicKey = NeMDs2+5rHuKO5ZYXVUR76GorgdesFUnDOFECQ3RzG4=
|
||||
PresharedKeyFile = /etc/ansible_secrets/wireguard_wg55_peer_langoor_home_psk
|
||||
|
||||
[WireGuardPeer]
|
||||
# friendly_name = lilly-lillysLaptop
|
||||
AllowedIPs = 10.89.214.16/32 #,2a07:c481:1:37::/128
|
||||
|
june
commented
IPv6 is missing the most significant bits. And is generally commented out weirdly?
` #,2a07:c481:1:37::/128` -> `,2a07:c481:1:37::16/128`
bitwhisker
commented
took that directly from the opnsense config and just converted it to networkd format
and to not produce unexpected behavior I commented the ipv6 out,
because it did not have the important part
june
commented
Ah, ye, makes sense! Would just assign an IP then as that doesn't hurt and Lilly can choose to use it or not.
|
||||
PublicKey = IBsI+N8qUNpQnDc5HnqQ2Zo/1graFM0RMIecHmAF+Vk=
|
||||
|
||||
[WireGuardPeer]
|
||||
# friendly_name = bitwhisker
|
||||
AllowedIPs = 10.89.214.17/32,2a07:c481:1:37::a/128
|
||||
|
june
commented
If we want to count the v6 up in hex (which I think is reasonable as we do the same for the VLAN ID in the prefix), then it should also be done properly.
```
dec -> hex
-----------
...
15 -> f # langoor_home
16 -> 10 # lilly-lillysLaptop
17 -> 11 # bitwhisker
18 -> 10 # forestcat
```
bitwhisker
commented
took that directly from the opnsense config and just converted it to networkd format
was considering it, but my reason for not doing that, was because I did not want to change the last part of the IPs that are already in use
june
commented
Ah, I see, yeah, okay. We would have the option now, as we change things anyway, to clean up that configuration, but I'm also fine with keeping it as is for legacy reasons.
Just something to consider.
|
||||
PublicKey = DvEGvQPGi+IxeRTIA72Gx3WNINcrV9HRNB1v7mHnhjA=
|
||||
|
||||
[WireGuardPeer]
|
||||
# friendly_name = forestcat
|
||||
AllowedIPs = 10.89.214.18/32,2a07:c481:1:37::b/128
|
||||
PublicKey = PdJ7KlIeASizj0WTY87d7oSi14/MebrhRa+L8YiPoQE=
|
||||
|
||||
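Review bot: Six of the fourteen `[WireGuardPeer]` sections (stb, jtbx, djerun_at_ferrum.local, lilly-lillysLaptop, bitwhisker, forestcat) carry no `PresharedKeyFile`, while the other eight do. wg55 is the admin tunnel, and `nftables.conf` lets `$if_wg55_management` reach every LAN VLAN, so it would be worth giving every peer the same protection. The nine encrypted entries in `rt1.sops.yaml` are consistent with one private key plus eight PSKs, which suggests the gap was carried over from the old configuration rather than chosen. Until the missing PSKs are rolled out, a comment such as `# no PSK yet, carried over from opnsense` on those peers would record that the omission is known.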
12
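--- a/resources/z9/rt1/systemd_networkd/20-netlan.network
+++ b/resources/z9/rt1/systemd_networkd/20-netlan.network
@@ -0,0 +1,12 @@
+[Match]
+Name=netlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+VLAN=netwan.51
+VLAN=netwan.52
+VLAN=netwan.53
+VLAN=netwan.54
+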
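Review bot: The four `VLAN=` lines under `[Network]` name `netwan.51` to `netwan.54`, but the netdev files in this pull request define `netlan.51` to `netlan.54`, and both the per-VLAN `.network` files and `nftables.conf` match on the `netlan.5x` names. As written, networkd has no netdev called `netwan.51` to stack on `netlan`, so the client, IoT, public and management VLANs would presumably never come up and the firewall rules keyed on those interface names would never match. Each line should use the `netlan` prefix, e.g. `VLAN=netlan.51`, and likewise for 52, 53 and 54.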
9
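--- a/resources/z9/rt1/systemd_networkd/20-netwan.network
+++ b/resources/z9/rt1/systemd_networkd/20-netwan.network
@@ -0,0 +1,9 @@
+[Match]
+Name=netwan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+VLAN=netwan.400
+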
6
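--- a/resources/z9/rt1/systemd_networkd/20-wg55.network
+++ b/resources/z9/rt1/systemd_networkd/20-wg55.network
@@ -0,0 +1,6 @@
+[Match]
+Name=wg55
+
+[Network]
+Address=10.89.214.1/24
+Address=2a07:c481:1:37::1/64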
|
|
@ -0,0 +1,27 @@
|
|||
[Match]
|
||||
Name=netlan.51
|
||||
Type=vlan
|
||||
|
||||
[Link]
|
||||
RequiredForOnline=no
|
||||
|
||||
[Network]
|
||||
Description=clients
|
||||
|
||||
# Masquerading done in nftables (nftables.conf).
|
||||
IPv6SendRA=yes
|
||||
|
||||
[Address]
|
||||
Address=10.89.208.1/22
|
||||
|
||||
[IPv6SendRA]
|
||||
UplinkInterface=netwan.400
|
||||
EmitDomains=true
|
||||
Domains=ccchh.net
|
||||
|
june marked this conversation as resolved
june
commented
The search domain would be `z9.ccchh.net`. Unless it got decided to drop that now.
bitwhisker
commented
yes, we said yesterday, that we want to get rid of z9.ccchh.net. and z9. (tld)
|
||||
Managed=true
|
||||
|
||||
[IPv6Prefix]
|
||||
Prefix=2a07:c481:1:33::/64
|
||||
Assign=true
|
||||
Token=static:::1
|
||||
|
||||
27
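--- a/resources/z9/rt1/systemd_networkd/21-netlan.52-iot.network
+++ b/resources/z9/rt1/systemd_networkd/21-netlan.52-iot.network
@@ -0,0 +1,27 @@
+[Match]
+Name=netlan.52
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=IoT
+
+# Masquerading done in nftables (nftables.conf).
+IPv6SendRA=yes
+
+[Address]
+Address=10.89.212.1/24
+
+[IPv6SendRA]
+UplinkInterface=netwan.400
+EmitDomains=true
+Domains=ccchh.net
+Managed=true
+
+[IPv6Prefix]
+Prefix=2a07:c481:1:34::/64
+Assign=true
+Token=static:::1
+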
|
|
@ -0,0 +1,27 @@
|
|||
[Match]
|
||||
Name=netlan.53
|
||||
Type=vlan
|
||||
|
||||
[Link]
|
||||
RequiredForOnline=no
|
||||
|
||||
[Network]
|
||||
Description=public
|
||||
|
||||
# Masquerading done in nftables (nftables.conf).
|
||||
IPv6SendRA=yes
|
||||
|
||||
[Address]
|
||||
Address=185.161.130.65/28
|
||||
|
||||
[IPv6SendRA]
|
||||
UplinkInterface=netwan.400
|
||||
EmitDomains=true
|
||||
Domains=ccchh.net
|
||||
Managed=true
|
||||
|
||||
[IPv6Prefix]
|
||||
Prefix=2a07:c481:1:35::/64
|
||||
Assign=true
|
||||
Token=static:::1
|
||||
|
||||
|
|
@ -0,0 +1,27 @@
|
|||
[Match]
|
||||
Name=netlan.54
|
||||
Type=vlan
|
||||
|
||||
[Link]
|
||||
RequiredForOnline=no
|
||||
|
||||
[Network]
|
||||
Description=Management
|
||||
|
||||
# Masquerading done in nftables (nftables.conf).
|
||||
IPv6SendRA=yes
|
||||
|
||||
[Address]
|
||||
Address=10.89.213.0/24
|
||||
|
||||
[IPv6SendRA]
|
||||
UplinkInterface=netwan.400
|
||||
EmitDomains=true
|
||||
Domains=ccchh.net
|
||||
Managed=true
|
||||
|
||||
[IPv6Prefix]
|
||||
Prefix=2a07:c481:1:36::/64
|
||||
Assign=true
|
||||
Token=static:::1
|
||||
|
||||
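Review bot: `Address=10.89.213.0/24` in `[Address]` gives the router the network address of the management subnet, while the other VLAN files in this pull request use the first host address (`10.89.208.1/22`, `10.89.212.1/24`). Unless that is a deliberate carry-over from the old router, it should read `Address=10.89.213.1/24`; hosts on the management VLAN that expect their gateway at .1 would otherwise have no next hop, and some stacks do not treat the all-zero host address as a usable unicast address. The file path of this section is not visible on the page; the hunk is the one matching `Name=netlan.54`.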
|
|
@ -0,0 +1,26 @@
|
|||
[Match]
|
||||
Name=netwan.400
|
||||
Type=vlan
|
||||
|
||||
[Link]
|
||||
RequiredForOnline=no
|
||||
|
||||
[Network]
|
||||
Description=fux-uplink
|
||||
|
||||
DNS=185.161.128.66
|
||||
DNS=2a07:c481:0:4::2
|
||||
DNS=185.161.128.67
|
||||
DNS=2a07:c481:0:4::3
|
||||
|
||||
IPv6AcceptRA=no
|
||||
# Masquerading done in nftables (nftables.conf).
|
||||
IPv6SendRA=no
|
||||
|
||||
[Address]
|
||||
Address=185.161.129.134/25
|
||||
Address=2a07:c481::1:2/64
|
||||
|
||||
[Route]
|
||||
Gateway=185.161.129.129
|
||||
Gateway=2a07:c481::1
|
||||
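Review bot: The single `[Route]` section holds two `Gateway=` lines, one IPv4 and one IPv6. As far as I know networkd builds one route per `[Route]` section, so the second assignment replaces the first and the IPv4 default route via 185.161.129.129 would be missing after deployment. Give each gateway its own section by inserting a second `[Route]` header before `Gateway=2a07:c481::1`, or move both lines into `[Network]`, where `Gateway=` may be given more than once. The file path of this section is not visible on the page; the hunk is the one matching `Name=netwan.400`.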
3
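--- a/resources/z9/rt1/systemd_networkd_global_config.conf
+++ b/resources/z9/rt1/systemd_networkd_global_config.conf
@@ -0,0 +1,3 @@
+[Network]
+IPv4Forwarding=true
+IPv6Forwarding=true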
It's fine, just feel like `rt1` is one of those obscure names again, which gives more trouble than benefit.
do you have an idea/a proposal for a better name?
maybe z9-router or something like that?
I would say it would not be a good idea to name it just router,
because of the indirect name collision with the chaosknoten router.
Oh, that totally makes sense. I'm fine with the name, if others really like it, but personally I would prefer something like `z9-router` indeed.