Move IPv6 privacy extension settings to 'networking' role

Also set privacy extension to 'preferred' in connman.
2023-04-22 00:00:00 +07:00 · 2023-04-22 00:00:00 +07:00 · 1b13b408a0
parent 9ec9793663
commit 1b13b408a0
4 changed files with 20 additions and 13 deletions
--- a/roles/essential/tasks/main.yml
+++ b/roles/essential/tasks/main.yml
@ -79,14 +79,6 @@
    state: present
    reload: false

- name: essential | Set privacy extension for IPv6
-  ansible.posix.sysctl:
-    name: net.ipv6.conf.{{ item.name }}.use_tempaddr
-    value: '2'
-    state: present
-    reload: false
-  loop: '{{ network_interfaces + [{"name": "default"}, {"name": "all"}] }}'
-
 - name: essential | Change the tty font to {{ console_font }}
  lineinfile:
    path: /etc/conf.d/consolefont
--- a/roles/networking/tasks/main.yml
+++ b/roles/networking/tasks/main.yml
@ -7,6 +7,21 @@
    group: root
    mode: '644'

+# NOTE: These only get applied on next boot
+- name: networking | Set privacy extension for IPv6
+  ansible.posix.sysctl:
+    name: '{{ (item | split("=") | map("trim") | list)[0] }}'
+    value: '{{ (item | split("=") | map("trim") | list)[1] | quote_single }}'
+    state: present
+    reload: false
+  loop:
+    - net.ipv6.conf.all.use_tempaddr = 2
+    - net.ipv6.conf.default.use_tempaddr = 2
+    - net.ipv6.conf.all.temp_prefered_lft = 60
+    - net.ipv6.conf.default.temp_prefered_lft = 60
+    - net.ipv6.conf.all.temp_valid_lft = 1440
+    - net.ipv6.conf.default.temp_valid_lft = 1440
+
 - name: networking | Install {{ dhcp_client }}
  community.general.apk:
    name: '{{ dhcp_client }}'
--- a/roles/networking/templates/connman-service.config.j2
+++ b/roles/networking/templates/connman-service.config.j2
@ -10,12 +10,12 @@ DeviceName = {{ interface.name }}
 IPv4 = {{ interface.ip4_addr | ansible.utils.ipv4('address') }}/{{ interface.ip4_addr | ansible.utils.ipv4('netmask') }}/{{ interface.ip4_gateway | ansible.utils.ipv4('address') }}
 {% else %}
 IPv4 = {{ interface.ip4_type }}
-{% endif%}
+{% endif %}
 {% if interface.ip6_type == 'static' %}
 IPv6 = {{ interface.ip6_addr | ansible.utils.ipv6('host/prefix') }}/{{ interface.ip6_gateway | ansible.utils.ipv6('address') }}
 {% else %}
 IPv6 = {{ interface.ip6_type }}
-{% endif%}
-IPv6.Privacy = enabled
+{% endif %}
+IPv6.Privacy = preferred

-{% endfor%}
+{% endfor %}
--- a/roles/nftables/templates/nftables.j2
+++ b/roles/nftables/templates/nftables.j2
@ -173,7 +173,7 @@ table inet filter {

    chain forward_libvirt {
        # NOTE: use 10.0.0.0/8 or 172.16.0.0/12 subnets for the LAN network instead
-        # These rules naively defeat the purpose of having multiple separated subnets but I'm fine with it being on my desktops
+        # These rules naively defeat the purpose of having multiple libvirt bridges but I'm fine with it being on my desktops
        oifname "virbr*" ip daddr 192.168.0.0/16 ct state { established, related } accept
        iifname "virbr*" ip saddr 192.168.0.0/16 accept
        iifname "virbr*" oifname "virbr*" accept