add bundle:sysctl

2021-06-04 07:27:49 +02:00 · 2021-06-04 07:27:49 +02:00 · 95856a2c2d
parent 8d21e15106
commit 95856a2c2d
10 changed files with 79 additions and 0 deletions
--- a/bundles/nftables/files/override.conf
+++ b/bundles/nftables/files/override.conf
@ -0,0 +1,8 @@
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/nft -f /etc/nftables.conf
+ExecStart=/usr/local/sbin/apply-sysctl
+
+ExecReload=
+ExecReload=/usr/sbin/nft -f /etc/nftables.conf
+ExecReload=/usr/local/sbin/apply-sysctl
--- a/bundles/nftables/items.py
+++ b/bundles/nftables/items.py
@ -23,6 +23,14 @@ files = {
            'svc_systemd:nftables:reload',
        },
    },
+    '/etc/systemd/system/nftables.service.d/bundlewrap.conf': {
+        'source': 'override.conf',
+        'triggers': {
+            'action:systemd-reload',
+            'svc_systemd:nftables:reload',
+        },
+    },
+
 }

 svc_systemd = {
--- a/bundles/pppd/items.py
+++ b/bundles/pppd/items.py
@ -75,6 +75,9 @@ files = {
        },
        'mode': '0700',
    },
+    '/etc/sysctl.d/90-pppd.conf': {
+        'content_type': 'any',
+    },
    '/etc/systemd/system/pppoe.service': {
        'triggers': {
            'action:systemd-reload',
--- a/bundles/sysctl/files/99-sysctl.conf
+++ b/bundles/sysctl/files/99-sysctl.conf
@ -0,0 +1,3 @@
+% for option, value in sorted(node.metadata.get('sysctl/options', {}).items()):
+${option}=${value}
+% endfor
--- a/bundles/sysctl/items.py
+++ b/bundles/sysctl/items.py
@ -0,0 +1,31 @@
+files = {
+    '/usr/local/sbin/apply-sysctl': {
+        'content':
+            '#!/bin/sh\n'
+            '\n'
+            'cat /etc/sysctl.d/*.conf /etc/sysctl.conf | sysctl -e -p -',
+        'mode': '0700',
+    },
+    '/etc/sysctl.d/99-sysctl.conf': {
+        'content_type': 'mako',
+    },
+}
+
+directories = {
+    '/etc/sysctl.d': {
+        'purge': True,
+        'triggers': {
+            'action:apply-sysctl-settings',
+        },
+    },
+}
+
+actions = {
+    'apply-sysctl-settings': {
+        'command': '/usr/local/sbin/apply-sysctl',
+        'triggered': True,
+        'needs': {
+            'file:/usr/local/sbin/apply-sysctl',
+        },
+    },
+}
--- a/groups/os.py
+++ b/groups/os.py
@ -25,6 +25,7 @@ groups['linux'] = {
        'postfix',
        'sshmon',
        'sudo',
+        'sysctl',
        'systemd',
        'systemd-networkd',
        'telegraf',
--- a/nodes/home/nas.py
+++ b/nodes/home/nas.py
@ -140,6 +140,12 @@ nodes['home.nas'] = {
                '/dev/disk/by-id/ata-TS64GSSD370_B807810527',
            },
        },
+        'sysctl': {
+            'options': {
+                # XXX find out if this is really needed
+                'net.ipv4.ip_forward': '1',
+            },
+        },
        'systemd-networkd': {
            'bonds': {
                'bond0': {
--- a/nodes/home/router.py
+++ b/nodes/home/router.py
@ -215,6 +215,12 @@ nodes['home.router'] = {
                },
            },
        },
+        'sysctl': {
+            'options': {
+                'net.ipv4.ip_forward': '1',
+                'net.ipv6.conf.all.forwarding': '1',
+            },
+        },
        'vnstat': {
            'generate-web-dashboard': True,
            'interface': 'enp1s0.100',
--- a/nodes/htz-cloud/miniserver.py
+++ b/nodes/htz-cloud/miniserver.py
@ -183,6 +183,13 @@ nodes['htz-cloud.miniserver'] = {
                },
            },
        },
+        'sysctl': {
+            'options': {
+                # XXX find out if this is really needed
+                'net.ipv4.ip_forward': '1',
+                'net.ipv6.conf.all.forwarding': '1',
+            },
+        },
        'vm': {
            'cpu': 2,
            'ram': 4,
--- a/nodes/ovh/wireguard.py
+++ b/nodes/ovh/wireguard.py
@ -23,6 +23,12 @@ nodes['ovh.wireguard'] = {
            'cpu': 1,
            'ram': 2,
        },
+        'sysctl': {
+            'options': {
+                'net.ipv4.ip_forward': '1',
+                'net.ipv6.conf.all.forwarding': '1',
+            },
+        },
        'wireguard': {
            'my_ip': '172.19.136.1/22',
            'peers': {