From fa87d9789dfacf3d08102a7939a991478a44d1c1 Mon Sep 17 00:00:00 2001
From: Jeltz
Date: Sat, 16 Sep 2023 01:52:35 +0200
Subject: [PATCH] wip: misc: setup infra-2
---
 playbooks/firewall.yml | 1 +
 playbooks/ifupdown2.yml | 1 +
 playbooks/knotd.yml | 4 ++--
 playbooks/systemd_link.yml | 4 ----
 roles/firewall/tasks/main.yml | 6 +++---
 roles/firewall/templates/firewall.service.j2 | 3 +++
 6 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/playbooks/firewall.yml b/playbooks/firewall.yml
index f9b9eea..da03b34 100755
--- a/playbooks/firewall.yml
+++ b/playbooks/firewall.yml
@@ -2,6 +2,7 @@
 ---
 - hosts:
 - infra-1.back.infra.auro.re
+ - infra-2.back.infra.auro.re
 vars:
 firewall__zones:
 adm-legacy:
diff --git a/playbooks/ifupdown2.yml b/playbooks/ifupdown2.yml
index 709ab71..678e12d 100755
--- a/playbooks/ifupdown2.yml
+++ b/playbooks/ifupdown2.yml
@@ -181,6 +181,7 @@
 back0:
 addresses:
 - 2a09:6840:203::1:4/64
+ - 45.66.111.211/32
 - 10.203.1.4/16
 ups0:
 ipv6_addrgen: false
diff --git a/playbooks/knotd.yml b/playbooks/knotd.yml
index 8819f5a..10c0598 100755
--- a/playbooks/knotd.yml
+++ b/playbooks/knotd.yml
@@ -376,8 +376,8 @@
 - 2a09:6840:203::1:3
 - 10.203.1.3
 infra-2.back:
- - 10.128.10.104
- - 2a09:6840:128::10:104
+ - 2a09:6840:203::1:4
+ - 10.203.1.4
 isp-1.back:
 - 10.128.10.5
 - 2a09:6840:128::10:5
diff --git a/playbooks/systemd_link.yml b/playbooks/systemd_link.yml
index b2f2e39..78e166b 100755
--- a/playbooks/systemd_link.yml
+++ b/playbooks/systemd_link.yml
@@ -79,14 +79,10 @@
 monit0: 04:00:00:72:0b:2d
 wifi0: 04:00:00:ee:42:0f
 int0: 04:00:00:21:fd:d0
- pub0:
- enabled: false
 sw0: 04:00:00:2e:5b:16
 bmc0: 04:00:00:bb:5a:a6
 pve0: 04:00:00:0b:2b:82
 isp0: 04:00:00:f4:4c:5d
- mgmt0:
- enabled: false
 ext0: 04:00:00:1d:0e:83
 vpn0: 04:00:00:02:ba:dd
 isp-1.back.infra.auro.re:
diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml
index c39b6f7..c28b83f 100644
--- a/roles/firewall/tasks/main.yml
+++ b/roles/firewall/tasks/main.yml
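Review bot: The added `45.66.111.211/32` in the playbooks/ifupdown2.yml hunk places a public IPv4 address on `back0`, the interface that otherwise carries only the RFC 1918 `10.203.1.4/16` and the `2a09:6840:203::1:4/64` backbone address, while the playbooks/firewall.yml hunk simply appends infra-2 to the play that infra-1 already runs with, so infra-2 inherits whatever `firewall__zones` says about `back0` (only the `adm-legacy:` key of that map is visible here). If that map classifies `back0` as an internal zone, traffic arriving on the new public address would be subject to the internal input policy rather than the one used for public-facing interfaces; worth confirming the zone assignment before infra-2 is reachable on that address. A short comment above the new line would also help the next reader, e.g. `# public IPv4 service address carried on back0 (TODO: document why it is not on a public-facing interface)`. The `firewall__zones` mapping itself lies outside the hunk.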
@@ -4,6 +4,7 @@
 name:
 - python3-nftables
 - python3-pydantic
+ - python3-yaml
 - nftables
 - name: Install script
@@ -57,11 +58,10 @@
 notify:
 - Reload firewall
-- name: Disable nftables service
+- name: Mask nftables service
 systemd:
 name: nftables.service
- state: stopped
- enabled: false
+ masked: true
 - name: Enable firewall service
 systemd:
diff --git a/roles/firewall/templates/firewall.service.j2 b/roles/firewall/templates/firewall.service.j2
index 069b4f7..5a04016 100644
--- a/roles/firewall/templates/firewall.service.j2
+++ b/roles/firewall/templates/firewall.service.j2
@@ -16,3 +16,6 @@
 ProtectHome=true
 ExecStart=/usr/local/sbin/firewall /etc/firewall/rules.yml
 ExecReload=/usr/local/sbin/firewall /etc/firewall/rules.yml
 ExecStop=/usr/sbin/nft flush ruleset
+
+[Install]
+WantedBy=sysinit.target
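Review bot: In the second roles/firewall/tasks/main.yml hunk, `masked: true` replaces both `state: stopped` and `enabled: false`, but masking a unit only prevents future starts; it does not stop an instance that is already active, so on a host where nftables.service is running when the playbook is applied its ruleset stays loaded until reboot and the new firewall.service is applied on top of it. Keep the stop alongside the mask under the same `systemd:` call, i.e. `state: stopped` followed by `masked: true` (the module processes both keys; confirm against the Ansible version in use). Dropping `enabled: false` is fine, since a masked unit cannot be enabled anyway.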
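Review bot: `WantedBy=sysinit.target` in the new `[Install]` section only gives the early start it implies if the unit's `[Unit]` section, which lies before this hunk, sets `DefaultDependencies=no` (and, for a firewall, `Before=network-pre.target` with `Wants=network-pre.target`); with default dependencies a service is itself ordered `After=sysinit.target`, while a target gains `After=` on the units it wants, which in my reading produces an ordering cycle that systemd resolves by dropping a job, possibly leaving the host without its ruleset while the network comes up. Please confirm those `[Unit]` keys are present, or use `WantedBy=multi-user.target` if early ordering is not actually required. The rest of the unit, including the `[Unit]` section, is outside this hunk.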