From: Matt Birkholz Date: Mon, 27 Oct 2025 16:25:58 +0000 (-0700) Subject: Replace Netplan with SystemD's NetworkD. Punt ISC's DHCPd from Gate. X-Git-Url: https://birchwood-abbey.net/git?a=commitdiff_plain;h=d4ba8d6b7f800cf1f5da48b1eeb10883b393117b;p=Institute Replace Netplan with SystemD's NetworkD. Punt ISC's DHCPd from Gate. Still using ISC's DHCP server on Core, for now. --- diff --git a/README.org b/README.org index 62e4955..59cbd07 100644 --- a/README.org +++ b/README.org @@ -953,7 +953,7 @@ With Debian freshly installed, Core needed several additional software packages. The administrator temporarily plugged Core into a cable modem and installed them as shown below. -: $ sudo apt install netplan.io systemd-resolved unattended-upgrades \ +: $ sudo apt install systemd-resolved unattended-upgrades \ : _ chrony isc-dhcp-server bind9 apache2 wireguard \ : _ postfix dovecot-imapd fetchmail expect rsync \ : _ gnupg openssh-server @@ -1117,8 +1117,8 @@ With Debian freshly installed, Gate needed a couple additional software packages. The administrator temporarily plugged Gate into a cable modem and installed them as shown below. -: $ sudo apt install netplan.io systemd-resolved unattended-upgrades \ -: _ ufw isc-dhcp-server postfix wireguard \ +: $ sudo apt install systemd-resolved unattended-upgrades \ +: _ ufw postfix wireguard \ : _ openssh-server The host then needed to be rebooted to get its name service working @@ -1167,8 +1167,8 @@ Gate was also connected to the USB Ethernet dongles cabled to the campus Wi-Fi access point and the campus ISP and the values of three variables (~gate_lan_mac~, ~gate_wild_mac~, and ~gate_isp_mac~ in [[file:private/vars.yml][=private/vars.yml=]]) match the actual hardware MAC addresses of the -dongles. (For more information, see the Gate role's [[netplan-gate][Configure Netplan]] -task.) +dongles. (For more information, see the tasks in section [[Configure +Gate NetworkD]].) At this point Gate was ready for provisioning with Ansible. @@ -2381,18 +2381,21 @@ list, and to disable its cache and stub listener. tags: actualizer #+END_SRC -** Configure Netplan +** Configure Core NetworkD -Core's network interface is statically configured using Netplan and an -=/etc/netplan/60-core.yaml= file. That file provides Core's address -on the private Ethernet, the campus name server and search domain, and -the default route through Gate to the campus ISP. A second route, -through Core itself to Front, is advertised to other hosts. +Core's network interface is statically configured using the +~systemd-networkd~ configuration file =10-ether.network= installed in +=/etc/systemd/network/=. That file provides Core's address on the +private Ethernet, the campus name server and search domain, and the +default route through Gate. A second route, through Core itself to +Front, is advertised to other hosts, and is routed through a +WireGuard™ interface connected to Front's public WireGuard™ VPN. -Core's Netplan needs the name of its main (only) Ethernet interface, -an example of which is given here. (A clever way to extract that name -from ~ansible_facts~ would be appreciated. The ~ansible_default_ipv4~ -fact was an empty hash at first boot on a simulated campus Ethernet.) +The configuration needs the name of its main (only) Ethernet +interface, an example of which is given here. (A clever way to +extract that name from ~ansible_facts~ would be appreciated. The +~ansible_default_ipv4~ fact was an empty hash at first boot on a +simulated campus Ethernet.) #+CAPTION: [[file:private/vars.yml][=private/vars.yml=]] #+BEGIN_SRC conf :tangle private/vars.yml @@ -2402,38 +2405,19 @@ core_ethernet: enp0s3 #+CAPTION: [[file:roles_t/core/tasks/main.yml][=roles_t/core/tasks/main.yml=]] #+BEGIN_SRC conf :tangle roles_t/core/tasks/main.yml -- name: Install netplan. - become: yes - apt: pkg=netplan.io - -- name: Configure netplan. +- name: Install 10-ether.network. become: yes copy: content: | - network: - renderer: networkd - ethernets: - {{ core_ethernet }}: - dhcp4: false - addresses: [ {{ core_addr_cidr }} ] - nameservers: - search: [ {{ domain_priv }} ] - addresses: [ {{ core_addr }} ] - routes: - - to: default - via: {{ gate_addr }} - dest: /etc/netplan/60-core.yaml - mode: u=rw,g=r,o= - notify: Apply netplan. -#+END_SRC + [Match] + Name={{ core_ethernet }} -#+CAPTION: [[file:roles_t/core/handlers/main.yml][=roles_t/core/handlers/main.yml=]] -#+BEGIN_SRC conf :tangle roles_t/core/handlers/main.yml - -- name: Apply netplan. - become: yes - command: netplan apply - tags: actualizer + [Network] + Address={{ core_addr_cidr }} + Gateway={{ gate_addr }} + DNS={{ core_addr }} + Domains={{ domain_priv }} + dest: /etc/systemd/network/10-ether.network #+END_SRC ** Configure DHCP For the Private Ethernet @@ -4687,16 +4671,12 @@ The following should be familiar boilerplate by now. tags: accounts #+END_SRC -** Configure Netplan <> - -Gate's network interfaces are configured using Netplan and two files. -=/etc/netplan/60-gate.yaml= describes the static interfaces, to the -campus Ethernet and Wi-Fi. =/etc/netplan/60-isp.yaml= is expected to -be revised more frequently as the campus ISP changes. +** Configure Gate NetworkD -Netplan is configured to identify the interfaces by their MAC -addresses, which must be provided in [[file:private/vars.yml][=private/vars.yml=]], as in the -example code here. +Gate's network interfaces are configured using SystemD NetworkD +configuration files that specify their MAC addresses. (One or more +might be plug-and-play USB dongles.) These addresses are provided by +the [[file:private/vars.yml][=private/vars.yml=]] file as in the example code here. #+CAPTION: [[file:private/vars.yml][=private/vars.yml=]] #+BEGIN_SRC conf :tangle private/vars.yml @@ -4705,76 +4685,184 @@ gate_wild_mac: 08:00:27:4a:de:d2 gate_isp_mac: 08:00:27:3d:42:e5 #+END_SRC -The following tasks install the two configuration files and apply the -new network plan. +The tasks in the following sections install the necessary +configuration files. + +*** Gate's ~lan~ Interface + +The campus Ethernet interface is named ~lan~ and configured by +=10-lan.link= and =10-lan.network= files in =/etc/systemd/network/=. #+CAPTION: [[file:roles_t/gate/tasks/main.yml][=roles_t/gate/tasks/main.yml=]] #+BEGIN_SRC conf :tangle roles_t/gate/tasks/main.yml -- name: Install netplan (gate). - become: yes - apt: pkg=netplan.io - -- name: Configure netplan (gate). +- name: Install 10-lan.link. become: yes copy: content: | - network: - ethernets: - lan: - match: - macaddress: {{ gate_lan_mac }} - addresses: [ {{ gate_addr_cidr }} ] - set-name: lan - dhcp4: false - nameservers: - addresses: [ {{ core_addr }} ] - search: [ {{ domain_priv }} ] - routes: - - to: {{ public_wg_net_cidr }} - via: {{ core_addr }} - wild: - match: - macaddress: {{ gate_wild_mac }} - addresses: [ {{ gate_wild_addr_cidr }} ] - set-name: wild - dhcp4: false - dest: /etc/netplan/60-gate.yaml - mode: u=rw,g=r,o= - notify: Apply netplan. - -- name: Install netplan (ISP). + [Match] + MACAddress={{ gate_lan_mac }} + + [Link] + Name=lan + dest: /etc/systemd/network/10-lan.link + notify: Reload networkd. + +- name: Install 10-lan.network. become: yes copy: content: | - network: - ethernets: - isp: - match: - macaddress: {{ gate_isp_mac }} - set-name: isp - dhcp4: true - dhcp4-overrides: - use-dns: false - dest: /etc/netplan/60-isp.yaml - mode: u=rw,g=r,o= - force: no - notify: Apply netplan. + [Match] + MACAddress={{ gate_lan_mac }} + Name=lan + + [Network] + Address={{ gate_addr_cidr }} + DNS={{ core_addr }} + Domains={{ domain_priv }} + + [Route] + Destination={{ public_vpn_net_cidr }} + Gateway={{ core_addr }} + dest: /etc/systemd/network/10-lan.network + notify: Reload networkd. #+END_SRC #+CAPTION: [[file:roles_t/gate/handlers/main.yml][=roles_t/gate/handlers/main.yml=]] #+BEGIN_SRC conf :tangle roles_t/gate/handlers/main.yml :mkdirp yes --- -- name: Apply netplan. +- name: Reload networkd. become: yes - command: netplan apply - tags: actualizer + command: networkctl reload +#+END_SRC + +*** Gate's ~wild~ Interface + +The institute keeps the wild ones off the campus Ethernet. Its wild +subnet is connected to Gate via a separate physical interface. To +accommodate the wild ones without re-configuring them, the institute +attempts to look like an up-link, e.g. a cable modem. A wild one is +expected to chirp for DHCP service and use the private subnet address +in its lease. Thus Gate's ~wild~ interface configuration enables the +built-in DHCP server and lists the authorized lessees. + +The wild ones are not expected to number in the dozens, so they are +simply a list of hashes in [[file:private/vars.yml][=private/vars.yml=]], as in the example code +here. Note that host number 1 is Gate. Wild ones are assigned unique +host numbers greater than 1. + +#+CAPTION: [[file:private/vars.yml][=private/vars.yml=]] +#+BEGIN_SRC conf :tangle private/vars.yml +wild_ones: +- { MAC: "94:83:c4:19:7d:57", num: 2, name: wifi-ap } +- { MAC: "94:83:c4:19:7d:58", num: 3, name: appliance } +#+END_SRC + +As with the ~lan~ interface, this interface is named ~wild~ and +configured by =10-wild.link= and =10-wild.network= files in +=/etc/systemd/network/=. The latter is generated from the hashes in +~wild_ones~ and the =wild.network= template file. + +#+CAPTION: [[file:roles_t/gate/tasks/main.yml][=roles_t/gate/tasks/main.yml=]] +#+BEGIN_SRC conf :tangle roles_t/gate/tasks/main.yml + +- name: Install 10-wild.link. + become: yes + copy: + content: | + [Match] + MACAddress={{ gate_wild_mac }} + + [Link] + Name=wild + dest: /etc/systemd/network/10-wild.link + notify: Reload networkd. + +- name: Install 10-wild.network. + become: yes + template: + src: wild.network + dest: /etc/systemd/network/10-wild.network + notify: Reload networkd. +#+END_SRC + +#+CAPTION: [[file:roles_t/gate/templates/wild.network][=roles_t/gate/templates/wild.network=]] +#+BEGIN_SRC conf :tangle roles_t/gate/templates/wild.network :mkdirp yes +[Match] +MACAddress={{ gate_wild_mac }} + +[Network] +Address={{ gate_wild_addr_cidr }} +DHCPServer=yes + +[DHCPServer] +EmitDNS=yes +EmitNTP=yes +NTP={{ core_addr }} +EmitSMTP=yes +SMTP={{ core_addr }} +{% for wild in wild_ones %} + +[DHCPServerStaticLease] +MACAddress={{ wild.MAC }} +Address={{ wild.num |ansible.utils.ipaddr('address') }} +{% endfor %} +#+END_SRC + +*** Gate's ~isp~ Interface + +The interface to the campus ISP is named ~isp~ and configured by +=10-isp.link= and =10-isp.network= files in =/etc/systemd/network/=. +The latter is not automatically generated, as it varies quite a bit +depending on the connection to the ISP: Ethernet interface, USB +tether, Wi-Fi connection, etc. + +#+CAPTION: [[file:roles_t/gate/tasks/main.yml][=roles_t/gate/tasks/main.yml=]] +#+BEGIN_SRC conf :tangle roles_t/gate/tasks/main.yml + +- name: Install 10-isp.link. + become: yes + copy: + content: | + [Match] + MACAddress={{ gate_isp_mac }} + + [Link] + Name=isp + RequiredForOnline=no + dest: /etc/systemd/network/10-isp.link + notify: Reload networkd. + +- name: Install 10-isp.network. + become: yes + copy: + src: ../private/isp.network + dest: /etc/systemd/network/10-isp.network + force: no + notify: Reload networkd. #+END_SRC Note that the =60-isp.yaml= file is only updated (created) if it does not already exist so that it can be easily modified to debug a new campus ISP without interference from Ansible. +The following example =isp.network= file recognizes an Ethernet +interface by its MAC address. + +#+CAPTION: [[file:private/isp.network][=private/isp.network=]] +#+BEGIN_SRC conf :tangle private/isp.network :tangle-mode u=rw,g=,o= +[Match] +MACAddress=08:00:27:3d:42:e5 + +[Network] +DHCP=ipv4 + +[DHCP] +RouteMetric=100 +UseMTU=true +UseDNS=false +#+END_SRC + ** UFW Rules Gate uses the Uncomplicated FireWall (UFW) to install its packet @@ -4908,127 +4996,6 @@ Gate's ~wild~ and ~isp~ networks). prepend_newline: yes #+END_SRC -** Configure DHCP For The Wild Ethernet - -To accommodate commodity Wi-Fi access points, as well as wired IoT -appliances, without re-configuring them, the institute attempts to -look like an up-link, an ISP, e.g. a cable modem (aka "router"). It -expects a wireless AP (or IoT appliance) to route non-local traffic -out its WAN (or only) Ethernet port, and to get an IP address for that -port using DHCP. Thus Gate runs ISC's DHCP daemon configured to -listen on one network interface, recognize a specific list of clients, -and provide each with an IP address and customary network parameters -(default route, time server, etc.), much as was done on Core for the -private Ethernet. - -The example configuration file, [[file:private/gate-dhcpd.conf][=private/gate-dhcpd.conf=]], unlike -[[file:private/core-dhcpd.conf][=private/core-dhcpd.conf=]], does not need RFC3442 (Classless static -routes). The wild, wired or wireless IoT need know nothing about the -private network(s). This is just an example file, with a MAC address -chosen to (probably?) match a VirtualBox test machine. In actual use -=private/core-dhcpd.conf= refers to a replacement file. - -#+CAPTION: [[file:private/gate-dhcpd.conf][=private/gate-dhcpd.conf=]] -#+BEGIN_SRC conf :tangle private/gate-dhcpd.conf :tangle-mode u=rw -default-lease-time 3600; -max-lease-time 7200; - -ddns-update-style none; - -authoritative; - -log-facility daemon; - -subnet 192.168.57.0 netmask 255.255.255.0 { - option subnet-mask 255.255.255.0; - option broadcast-address 192.168.57.255; - option routers 192.168.57.1; -} - -host campus-wifi-ap { - hardware ethernet 94:83:c4:19:7d:57; - fixed-address 192.168.57.2; -} -#+END_SRC - -Installation and configuration of the DHCP daemon follows. Note that -the daemon listens /only/ on the ~wild~ network interface. Also note -the drop-in ~Requires~ dependency, without which the DHCP server -intermittently fails, finding the ~wild~ interface has no IPv4 -addresses (or perhaps finding no ~wild~ interface at all?). - -#+CAPTION: [[file:roles_t/gate/tasks/main.yml][=roles_t/gate/tasks/main.yml=]] -#+BEGIN_SRC conf :tangle roles_t/gate/tasks/main.yml - -- name: Install DHCP server. - become: yes - apt: pkg=isc-dhcp-server - -- name: Configure DHCP interface. - become: yes - lineinfile: - path: /etc/default/isc-dhcp-server - line: INTERFACESv4="wild" - regexp: ^INTERFACESv4= - notify: Restart DHCP server. - -- name: Configure DHCP subnet. - become: yes - copy: - src: ../private/gate-dhcpd.conf - dest: /etc/dhcp/dhcpd.conf - notify: Restart DHCP server. - -- name: Configure DHCP server dependence on interface. - become: yes - copy: - content: | - [Unit] - Requires=network-online.target - dest: /etc/systemd/system/isc-dhcp-server.service.d/depend.conf - notify: Reload Systemd. - -- name: Start DHCP server. - become: yes - systemd: - service: isc-dhcp-server - state: started - tags: actualizer - -- name: Enable DHCP server. - become: yes - systemd: - service: isc-dhcp-server - enabled: yes -#+END_SRC - -#+CAPTION: [[file:roles_t/gate/handlers/main.yml][=roles_t/gate/handlers/main.yml=]] -#+BEGIN_SRC conf :tangle roles_t/gate/handlers/main.yml - -- name: Restart DHCP server. - become: yes - systemd: - service: isc-dhcp-server - state: restarted - tags: actualizer - -- name: Reload Systemd. - become: yes - systemd: - daemon-reload: yes - tags: actualizer -#+END_SRC - -If Gate is configured with ~./abbey config gate~ and then connected to -actual networks (i.e. /not/ rebooted), the following command is -executed. If a new gate was configured with ~./abbey config new-gate~ -and not rebooted, the following command would also be executed. - -: sudo systemctl start isc-dhcp-server - -If physically moved or rebooted for some other reason, the above -command would not be necessary. - ** Configure Campus WireGuard™ Subnet Gate uses WireGuard™ to provide a campus VPN service. Gate's routes @@ -7048,8 +7015,8 @@ additional software packages. # kept up-to-date. #+BEGIN_SRC sh -sudo apt install netplan.io systemd-resolved unattended-upgrades \ - ufw isc-dhcp-server postfix wireguard +sudo apt install systemd-resolved unattended-upgrades \ + ufw postfix wireguard #+END_SRC Again, the Postfix installation prompts for a couple settings. The @@ -7084,7 +7051,6 @@ values of the MAC address variables in this table. After ~gate~ boots up with its new network interfaces, the primary Ethernet interface is temporarily configured with an IP address. -(Ansible will install a Netplan soon.) #+BEGIN_SRC sh sudo ip address add 192.168.56.2/24 dev enp0s3 @@ -7114,7 +7080,7 @@ additional software packages. # kept up-to-date. #+BEGIN_SRC sh -sudo apt install netplan.io systemd-resolved unattended-upgrades \ +sudo apt install systemd-resolved unattended-upgrades \ ntp isc-dhcp-server bind9 apache2 wireguard \ postfix dovecot-imapd fetchmail expect rsync \ gnupg @@ -7150,8 +7116,7 @@ VBoxManage modifyvm core --nic1 hostonly --hostonlyadapter1 vboxnet0 #+END_SRC After ~core~ boots up with its new network connection, its primary NIC -is temporarily configured with an IP address. (Ansible will install a -Netplan soon.) +is temporarily configured with an IP address. #+BEGIN_SRC sh sudo ip address add 192.168.56.1/24 dev enp0s3 diff --git a/private/gate-dhcpd.conf b/private/gate-dhcpd.conf deleted file mode 100644 index 1b115bd..0000000 --- a/private/gate-dhcpd.conf +++ /dev/null @@ -1,19 +0,0 @@ -default-lease-time 3600; -max-lease-time 7200; - -ddns-update-style none; - -authoritative; - -log-facility daemon; - -subnet 192.168.57.0 netmask 255.255.255.0 { - option subnet-mask 255.255.255.0; - option broadcast-address 192.168.57.255; - option routers 192.168.57.1; -} - -host campus-wifi-ap { - hardware ethernet 94:83:c4:19:7d:57; - fixed-address 192.168.57.2; -} diff --git a/private/isp.network b/private/isp.network new file mode 100644 index 0000000..12a8339 --- /dev/null +++ b/private/isp.network @@ -0,0 +1,10 @@ +[Match] +MACAddress=08:00:27:3d:42:e5 + +[Network] +DHCP=ipv4 + +[DHCP] +RouteMetric=100 +UseMTU=true +UseDNS=false diff --git a/private/vars.yml b/private/vars.yml index 60ca651..dadbc54 100644 --- a/private/vars.yml +++ b/private/vars.yml @@ -54,6 +54,10 @@ gate_lan_mac: 08:00:27:f3:16:79 gate_wild_mac: 08:00:27:4a:de:d2 gate_isp_mac: 08:00:27:3d:42:e5 +wild_ones: +- { MAC: "94:83:c4:19:7d:57", num: 2, name: wifi-ap } +- { MAC: "94:83:c4:19:7d:58", num: 3, name: appliance } + front_wg_pubkey: S+6HaTnOwwhWgUGXjSBcPAvifKw+j8BDTRfq534gNW4= public_wg_port: 39608 diff --git a/roles_t/core/handlers/main.yml b/roles_t/core/handlers/main.yml index 7e7eda4..e834a7d 100644 --- a/roles_t/core/handlers/main.yml +++ b/roles_t/core/handlers/main.yml @@ -12,11 +12,6 @@ state: restarted tags: actualizer -- name: Apply netplan. - become: yes - command: netplan apply - tags: actualizer - - name: Restart DHCP server. become: yes systemd: diff --git a/roles_t/core/tasks/main.yml b/roles_t/core/tasks/main.yml index 375b763..4b21ba5 100644 --- a/roles_t/core/tasks/main.yml +++ b/roles_t/core/tasks/main.yml @@ -40,29 +40,19 @@ - Reload Systemd. - Restart Systemd resolved. -- name: Install netplan. - become: yes - apt: pkg=netplan.io - -- name: Configure netplan. +- name: Install 10-ether.network. become: yes copy: content: | - network: - renderer: networkd - ethernets: - {{ core_ethernet }}: - dhcp4: false - addresses: [ {{ core_addr_cidr }} ] - nameservers: - search: [ {{ domain_priv }} ] - addresses: [ {{ core_addr }} ] - routes: - - to: default - via: {{ gate_addr }} - dest: /etc/netplan/60-core.yaml - mode: u=rw,g=r,o= - notify: Apply netplan. + [Match] + Name={{ core_ethernet }} + + [Network] + Address={{ core_addr_cidr }} + Gateway={{ gate_addr }} + DNS={{ core_addr }} + Domains={{ domain_priv }} + dest: /etc/systemd/network/10-ether.network - name: Install DHCP server. become: yes diff --git a/roles_t/gate/handlers/main.yml b/roles_t/gate/handlers/main.yml index 2028a59..e1ec9b4 100644 --- a/roles_t/gate/handlers/main.yml +++ b/roles_t/gate/handlers/main.yml @@ -1,21 +1,7 @@ --- -- name: Apply netplan. +- name: Reload networkd. become: yes - command: netplan apply - tags: actualizer - -- name: Restart DHCP server. - become: yes - systemd: - service: isc-dhcp-server - state: restarted - tags: actualizer - -- name: Reload Systemd. - become: yes - systemd: - daemon-reload: yes - tags: actualizer + command: networkctl reload - name: Restart WireGuard™. become: yes diff --git a/roles_t/gate/tasks/main.yml b/roles_t/gate/tasks/main.yml index 31b3c0b..4cfb379 100644 --- a/roles_t/gate/tasks/main.yml +++ b/roles_t/gate/tasks/main.yml @@ -9,55 +9,77 @@ include_vars: "{{ lookup('first_found', membership_rolls) }}" tags: accounts -- name: Install netplan (gate). +- name: Install 10-lan.link. become: yes - apt: pkg=netplan.io + copy: + content: | + [Match] + MACAddress={{ gate_lan_mac }} + + [Link] + Name=lan + dest: /etc/systemd/network/10-lan.link + notify: Reload networkd. -- name: Configure netplan (gate). +- name: Install 10-lan.network. become: yes copy: content: | - network: - ethernets: - lan: - match: - macaddress: {{ gate_lan_mac }} - addresses: [ {{ gate_addr_cidr }} ] - set-name: lan - dhcp4: false - nameservers: - addresses: [ {{ core_addr }} ] - search: [ {{ domain_priv }} ] - routes: - - to: {{ public_wg_net_cidr }} - via: {{ core_addr }} - wild: - match: - macaddress: {{ gate_wild_mac }} - addresses: [ {{ gate_wild_addr_cidr }} ] - set-name: wild - dhcp4: false - dest: /etc/netplan/60-gate.yaml - mode: u=rw,g=r,o= - notify: Apply netplan. + [Match] + MACAddress={{ gate_lan_mac }} + Name=lan + + [Network] + Address={{ gate_addr_cidr }} + DNS={{ core_addr }} + Domains={{ domain_priv }} -- name: Install netplan (ISP). + [Route] + Destination={{ public_vpn_net_cidr }} + Gateway={{ core_addr }} + dest: /etc/systemd/network/10-lan.network + notify: Reload networkd. + +- name: Install 10-wild.link. become: yes copy: content: | - network: - ethernets: - isp: - match: - macaddress: {{ gate_isp_mac }} - set-name: isp - dhcp4: true - dhcp4-overrides: - use-dns: false - dest: /etc/netplan/60-isp.yaml + [Match] + MACAddress={{ gate_wild_mac }} + + [Link] + Name=wild + dest: /etc/systemd/network/10-wild.link + notify: Reload networkd. + +- name: Install 10-wild.network. + become: yes + template: + src: wild.network + dest: /etc/systemd/network/10-wild.network + notify: Reload networkd. + +- name: Install 10-isp.link. + become: yes + copy: + content: | + [Match] + MACAddress={{ gate_isp_mac }} + + [Link] + Name=isp + RequiredForOnline=no + dest: /etc/systemd/network/10-isp.link + notify: Reload networkd. + +- name: Install 10-isp.network. + become: yes + copy: + src: ../private/isp.network + dest: /etc/systemd/network/10-isp.network mode: u=rw,g=r,o= force: no - notify: Apply netplan. + notify: Reload networkd. - name: Install UFW. become: yes @@ -105,47 +127,6 @@ insertafter: EOF prepend_newline: yes -- name: Install DHCP server. - become: yes - apt: pkg=isc-dhcp-server - -- name: Configure DHCP interface. - become: yes - lineinfile: - path: /etc/default/isc-dhcp-server - line: INTERFACESv4="wild" - regexp: ^INTERFACESv4= - notify: Restart DHCP server. - -- name: Configure DHCP subnet. - become: yes - copy: - src: ../private/gate-dhcpd.conf - dest: /etc/dhcp/dhcpd.conf - notify: Restart DHCP server. - -- name: Configure DHCP server dependence on interface. - become: yes - copy: - content: | - [Unit] - Requires=network-online.target - dest: /etc/systemd/system/isc-dhcp-server.service.d/depend.conf - notify: Reload Systemd. - -- name: Start DHCP server. - become: yes - systemd: - service: isc-dhcp-server - state: started - tags: actualizer - -- name: Enable DHCP server. - become: yes - systemd: - service: isc-dhcp-server - enabled: yes - - name: Enable IP forwarding. become: yes sysctl: diff --git a/roles_t/gate/templates/wild.network b/roles_t/gate/templates/wild.network new file mode 100644 index 0000000..efa30a2 --- /dev/null +++ b/roles_t/gate/templates/wild.network @@ -0,0 +1,19 @@ +[Match] +MACAddress={{ gate_wild_mac }} + +[Network] +Address={{ gate_wild_addr_cidr }} +DHCPServer=yes + +[DHCPServer] +EmitDNS=yes +EmitNTP=yes +NTP={{ core_addr }} +EmitSMTP=yes +SMTP={{ core_addr }} +{% for wild in wild_ones %} + +[DHCPServerStaticLease] +MACAddress={{ wild.MAC }} +Address={{ wild.num |ansible.utils.ipaddr('address') }} +{% endfor %}