networking: add IPv6 stable privacy address
Also move 'iwd' service to runlevel 'default', so that sysctl settings are applied correctly before it starts.
parent
1b13b408a0
commit
149a69d85a
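--- a/PATH-NOT-SHOWN-1
+++ b/PATH-NOT-SHOWN-1
@@ -1,5 +1,5 @@
 from ansible.errors import AnsibleFilterTypeError
-from ansible.module_utils.six import string_types
+from ansible.module_utils.six import string_types, integer_types
 
 
 # Ansible's "quote" filter is only applied to shell module
@@ -28,8 +28,21 @@ def quote_double(str):
 raise AnsibleFilterTypeError(
 "|quote_double expects string, got %s instead." % type(str))
 
+def random_hex(num):
+"""
+Generate a random hex number within the range [0, num)
+
+Example: random_hex(2**16 - 1) = 446c
+"""
+if isinstance(num, integer_types):
+import random
+return '{:x}'.format(random.randint(0, num))
+else:
+raise AnsibleFilterTypeError(
+"|random_hex expects integer, got %s instead." % type(num))
+
 class FilterModule(object):
 """Custom Ansible jinja2 filters for sysconfig playbook."""
 
 def filters(self):
-return {'quote_single': quote_single, 'quote_double': quote_double}
+return {'quote_single': quote_single, 'quote_double': quote_double, 'random_hex': random_hex}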
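Review bot: `random_hex` draws its value from `random.randint`, a non-cryptographic PRNG, yet the networking task in this same commit uses it to build `net.ipv6.conf.default.stable_secret`, the RFC 7217 secret key whose whole purpose is to be unpredictable to anyone observing the generated addresses. Use the `secrets` module instead: `import secrets` and `return '{:x}'.format(secrets.randbelow(num))`. That also makes the function match its own docstring — `randint(0, num)` is inclusive, so the current range is `[0, num]`, not `[0, num)`; with the caller's `2**16 - 1` argument the inclusive form happens to be harmless, but the documentation should be correct either way. Note that `secrets.randbelow` requires `num > 0`, so keep the integer check and consider rejecting non-positive values explicitly with the same `AnsibleFilterTypeError` style used for the type check.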
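--- a/PATH-NOT-SHOWN-2
+++ b/PATH-NOT-SHOWN-2
@@ -111,6 +111,10 @@ libvirt_daemons:
 # Whether to use `iwd` or `eiwd`
 iwd_without_dbus: false
 
+# RFC 7217: generate a stable IPv6 link-local address for SLAAC
+# NOTE: this is the default for dhcpcd (slaac private), and `stable-privacy` flag doesn't appear in `ip a` in this case
+ipv6_stable_privacy_addr: true
+
 # Public facing network interfaces to configured
 # - ip4_addr, ip6_addr should include netmask (e.g. 192.168.1.10/24)
 # - don't include wireless interfaces here as they should use dhcp with iwctl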
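Review bot: The comment on the new `ipv6_stable_privacy_addr` default describes RFC 7217 as a link-local mechanism, but `addr_gen_mode = 2` (set by the networking task that reads this variable) derives the interface identifier for every SLAAC address on the interface, global ones included, which is the actual privacy benefit. Suggest `# RFC 7217: derive stable, opaque interface identifiers for all SLAAC addresses (link-local and global)`. The second comment line would also read better if it said which behaviour the variable changes when dhcpcd is not the client, since the "default for dhcpcd" remark only covers one of the two code paths.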
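--- a/PATH-NOT-SHOWN-3
+++ b/PATH-NOT-SHOWN-3
@@ -77,7 +77,6 @@
 name: kernel.core_pattern
 value: /var/tmp/core-%e.%p.%h.%t
 state: present
-reload: false
 
 - name: essential | Change the tty font to {{ console_font }}
 lineinfile: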
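--- a/PATH-NOT-SHOWN-4
+++ b/PATH-NOT-SHOWN-4
@@ -27,5 +27,5 @@
 iwd_service: '{{ iwd_without_dbus | ternary("eiwd", "iwd") }}'
 service:
 name: '{{ iwd_service }}'
-runlevel: boot
+runlevel: default
 enabled: true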
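Review bot: The runlevel change carries its rationale only in the commit message; the task itself gives no hint why `default` rather than `boot`, so the next reader may well move it back to start wireless earlier. Add a comment above `runlevel:` such as `# 'default' (not 'boot') so that the sysctl service has applied the IPv6 settings before iwd brings interfaces up`. The enclosing task starts before this hunk.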
@ -7,20 +7,26 @@
|
||||||
group: root
|
group: root
|
||||||
mode: '644'
|
mode: '644'
|
||||||
|
|
||||||
# NOTE: These only get applied on next boot
|
# NOTE: already set in /lib/sysctl.d/00-alpine.conf but it doesn't hurt re-apply
|
||||||
- name: networking | Set privacy extension for IPv6
|
- name: networking | Set IPv6 Privacy Extension (RFC 4941)
|
||||||
ansible.posix.sysctl:
|
ansible.posix.sysctl:
|
||||||
name: '{{ (item | split("=") | map("trim") | list)[0] }}'
|
name: '{{ (item | split("=") | map("trim") | list)[0] }}'
|
||||||
value: '{{ (item | split("=") | map("trim") | list)[1] | quote_single }}'
|
value: '{{ (item | split("=") | map("trim") | list)[1] }}'
|
||||||
state: present
|
state: present
|
||||||
reload: false
|
|
||||||
loop:
|
loop:
|
||||||
- net.ipv6.conf.all.use_tempaddr = 2
|
- net.ipv6.conf.all.use_tempaddr = 2
|
||||||
- net.ipv6.conf.default.use_tempaddr = 2
|
- net.ipv6.conf.default.use_tempaddr = 2
|
||||||
- net.ipv6.conf.all.temp_prefered_lft = 60
|
|
||||||
- net.ipv6.conf.default.temp_prefered_lft = 60
|
- name: networking | Set IPv6 stable privacy address (RFC 7217)
|
||||||
- net.ipv6.conf.all.temp_valid_lft = 1440
|
ansible.posix.sysctl:
|
||||||
- net.ipv6.conf.default.temp_valid_lft = 1440
|
name: '{{ (item | split("=") | map("trim") | list)[0] }}'
|
||||||
|
value: '{{ (item | split("=") | map("trim") | list)[1] }}'
|
||||||
|
state: present
|
||||||
|
loop:
|
||||||
|
- net.ipv6.conf.default.addr_gen_mode = 2
|
||||||
|
- net.ipv6.conf.all.addr_gen_mode = 2
|
||||||
|
- net.ipv6.conf.default.stable_secret = {{ (2**16 - 1) | random_hex }}:{{ (2**16 - 1) | random_hex }}:{{ (2**16 - 1) | random_hex }}:{{ (2**16 - 1) | random_hex }}:{{ (2**16 - 1) | random_hex }}:{{ (2**16 - 1) | random_hex }}:{{ (2**16 - 1) | random_hex }}:{{ (2**16 - 1) | random_hex }} # noqa: yaml[line-length]
|
||||||
|
when: ipv6_stable_privacy_addr | bool
|
||||||
|
|
||||||
- name: networking | Install {{ dhcp_client }}
|
- name: networking | Install {{ dhcp_client }}
|
||||||
community.general.apk:
|
community.general.apk:
|
||||||
|
|
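Review bot: The new `stable_secret` entry is rendered from `random_hex` on every play, so each run writes a fresh secret, the sysctl task can never report unchanged, and since RFC 7217 addresses are derived from that secret the address will differ after every run that rewrote it — the opposite of "stable". Generate the secret once and reuse it across runs, for example from a per-host variable or a persisted lookup, and only fall back to a freshly generated value when none exists yet. Note also that `stable_secret` is set only under `default`, while `addr_gen_mode = 2` is applied to `all`; interfaces that already exist when the task runs presumably keep whatever per-interface secret they have, so verify on a host that the intended interfaces actually show `stable-privacy` in `ip -6 addr` or a matching `sysctl net.ipv6.conf.<iface>.stable_secret`. The removal of the `temp_prefered_lft`/`temp_valid_lft` entries from the first task is not explained by the commit message and deserves a comment, since it silently restores the kernel's default lifetimes for temporary addresses.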