wip: misc: setup infra-2

playbooks/firewall.yml

@@ -2,6 +2,7 @@
 ---
 - hosts:
     - infra-1.back.infra.auro.re
+    - infra-2.back.infra.auro.re
   vars:
     firewall__zones:
       adm-legacy:

playbooks/ifupdown2.yml

@@ -181,6 +181,7 @@
         back0:
           addresses:
             - 2a09:6840:203::1:4/64
+            - 45.66.111.211/32
             - 10.203.1.4/16
         ups0:
           ipv6_addrgen: false

playbooks/knotd.yml

@@ -376,8 +376,8 @@
             - 2a09:6840:203::1:3
             - 10.203.1.3
           infra-2.back:
-            - 10.128.10.104
+            - 2a09:6840:203::1:4
-            - 2a09:6840:128::10:104
+            - 10.203.1.4
           isp-1.back:
             - 10.128.10.5
             - 2a09:6840:128::10:5

playbooks/systemd_link.yml

@@ -79,14 +79,10 @@
         monit0: 04:00:00:72:0b:2d
         wifi0: 04:00:00:ee:42:0f
         int0: 04:00:00:21:fd:d0
-        pub0:
-          enabled: false
         sw0: 04:00:00:2e:5b:16
         bmc0: 04:00:00:bb:5a:a6
         pve0: 04:00:00:0b:2b:82
         isp0: 04:00:00:f4:4c:5d
-        mgmt0:
-          enabled: false
         ext0: 04:00:00:1d:0e:83
         vpn0: 04:00:00:02:ba:dd
       isp-1.back.infra.auro.re:

roles/firewall/tasks/main.yml

@@ -4,6 +4,7 @@
     name:
       - python3-nftables
       - python3-pydantic
+      - python3-yaml
       - nftables
 
 - name: Install script
@@ -57,11 +58,10 @@
   notify:
     - Reload firewall
 
-- name: Disable nftables service
+- name: Mask nftables service
   systemd:
     name: nftables.service
-    state: stopped
+    masked: true
-    enabled: false
 
 - name: Enable firewall service
   systemd:

roles/firewall/templates/firewall.service.j2

@@ -16,3 +16,6 @@ ProtectHome=true
 ExecStart=/usr/local/sbin/firewall /etc/firewall/rules.yml
 ExecReload=/usr/local/sbin/firewall /etc/firewall/rules.yml
 ExecStop=/usr/sbin/nft flush ruleset
+
+[Install]
+WantedBy=sysinit.target