From: Kristof Provost
Date: Sun, 28 Apr 2024 09:47:59 +0000 (+0200)
Subject: Add initial router role
X-Git-Url: https://git.sigsegv.be/?a=commitdiff_plain;h=0738378bc4a05509a1760905bc4c640559f1b0cf;p=pennestraat-domotica

Add initial router role

Beginnings of ansible foo for iapetus and phobos, although just the qemu one for now.
---
diff --git a/ansible/inventory-routers.yaml b/ansible/inventory-routers.yaml
new file mode 100644
index 0000000..c94adcb
--- /dev/null
+++ b/ansible/inventory-routers.yaml
@@ -0,0 +1,12 @@
+routers:
+  hosts:
+    qemu:
+      control_port: 2400
+      ansible_port: 2400
+      ansible_host: kosmos.sigsegv.be
+      lan_ip: "10.0.1.1/24"
+initial:
+  hosts:
+    poudriere-image:
+      control_port: 0
+
diff --git a/ansible/playbook-push.yaml b/ansible/playbook-push.yaml
index 49ff304..c863b9c 100644
--- a/ansible/playbook-push.yaml
+++ b/ansible/playbook-push.yaml
@@ -2,3 +2,7 @@
   import_playbook: homeassistant.yaml
 - name: libs7comm
   import_playbook: libs7comm.yaml
+- name: routers
+  hosts: routers
+  roles:
+    - router
diff --git a/ansible/roles/router/tasks/main.yaml b/ansible/roles/router/tasks/main.yaml
new file mode 100644
index 0000000..7f00809
--- /dev/null
+++ b/ansible/roles/router/tasks/main.yaml
@@ -0,0 +1,37 @@
+- name: set subnet
+  community.general.sysrc:
+    name: ifconfig_vr0
+    value: "{{ lan_ip }} up"
+  become: true
+- name: gateway enable
+  community.general.sysrc:
+    name: gateway_enable
+    value: "YES"
+  become: true
+- name: pf enable
+  community.general.sysrc:
+    name: pf_enable
+    value: "YES"
+  become: true
+- name: install pf.conf
+  template:
+    src: pf.conf
+    dest: "/etc/pf.conf"
+    owner: root
+    group: wheel
+    mode: 0644
+  become: true
+- name: unbound enable
+  community.general.sysrc:
+    name: local_unbound_enable
+    value: "YES"
+  become: true
+- name: ntp enable
+  community.general.sysrc:
+    name: ntpd_enable
+    value: "YES"
+  become: true
+- name: ntpdate enable
+  community.general.sysrc:
+    name: ntpdate_enable
+    value: "YES"
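Review bot: The final `ntpdate enable` task in roles/router/tasks/main.yaml is the only sysrc task in the hunk without `become: true`, so it runs as the unprivileged connection user and will fail to write /etc/rc.conf while the six tasks before it escalate; add `become: true` after its `value: "YES"` line, or set `become: true` once on the routers play in playbook-push.yaml and drop the per-task copies. The `mode: 0644` on the install pf.conf task is an unquoted octal that YAML 1.1 parses as the integer 420 — Ansible happens to interpret that as the intended 0644 but warns about it; `mode: "0644"` removes the ambiguity. None of these tasks has a handler or `service` step, so, unless something outside this role does it, the rc.conf changes and the new pf.conf only take effect at the next boot rather than on the run that pushed them.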
diff --git a/ansible/roles/router/templates/pf.conf b/ansible/roles/router/templates/pf.conf
new file mode 100644
index 0000000..14101c0
--- /dev/null
+++ b/ansible/roles/router/templates/pf.conf
@@ -0,0 +1,15 @@
+#!/sbin/pfctl -f
+
+#set timeout tcp.established 86400
+#set block-policy return
+
+set skip on lo0
+
+ext_if = "vr0"
+int_if = "vr1"
+
+scrub on $ext_if all fragment reassemble reassemble tcp
+
+nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
+
+pass
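Review bot: The ruleset ends in a bare `pass` with no `block` rule, so on a host that also sets gateway_enable every inbound connection to the router on $ext_if, and everything forwarded through it, is permitted — the NAT rule is the only policy in the file. A default-deny on the external side with explicit allows is the usual shape here: `block in log on $ext_if`, `pass out on $ext_if keep state`, `pass in on $int_if keep state`, plus an explicit pass for whatever path Ansible reaches the box over (the inventory uses port 2400) if that arrives on vr0. Separately, tasks/main.yaml writes `ifconfig_vr0` with `lan_ip` while this template declares `ext_if = "vr0"` and never uses `$int_if`, so the interface roles look swapped in one of the two files — worth confirming before a default-deny lands on the LAN side. If this is deliberately an open, NAT-only first cut, a comment such as `# TODO: NAT only, no filtering yet — default pass` above the final rule would stop the next reader from taking it for a finished policy.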