From 95856a2c2d384934a93f87c8cf450b739a93e18d Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Fri, 4 Jun 2021 07:27:49 +0200
Subject: [PATCH] add bundle:sysctl

---
 bundles/nftables/files/override.conf | 8 +++++++
 bundles/nftables/items.py | 8 +++++++
 bundles/pppd/items.py | 3 +++
 bundles/sysctl/files/99-sysctl.conf | 3 +++
 bundles/sysctl/items.py | 31 ++++++++++++++++++++++++++++
 groups/os.py | 1 +
 nodes/home/nas.py | 6 ++++++
 nodes/home/router.py | 6 ++++++
 nodes/htz-cloud/miniserver.py | 7 +++++++
 nodes/ovh/wireguard.py | 6 ++++++
 10 files changed, 79 insertions(+)
 create mode 100644 bundles/nftables/files/override.conf
 create mode 100644 bundles/sysctl/files/99-sysctl.conf
 create mode 100644 bundles/sysctl/items.py

diff --git a/bundles/nftables/files/override.conf b/bundles/nftables/files/override.conf
new file mode 100644
index 0000000..3f46553
--- /dev/null
+++ b/bundles/nftables/files/override.conf
@@ -0,0 +1,8 @@
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/nft -f /etc/nftables.conf
+ExecStart=/usr/local/sbin/apply-sysctl
+
+ExecReload=
+ExecReload=/usr/sbin/nft -f /etc/nftables.conf
+ExecReload=/usr/local/sbin/apply-sysctl
diff --git a/bundles/nftables/items.py b/bundles/nftables/items.py
index f755916..ff28e31 100644
--- a/bundles/nftables/items.py
+++ b/bundles/nftables/items.py
@@ -23,6 +23,14 @@ files = {
 'svc_systemd:nftables:reload',
 },
 },
+ '/etc/systemd/system/nftables.service.d/bundlewrap.conf': {
+ 'source': 'override.conf',
+ 'triggers': {
+ 'action:systemd-reload',
+ 'svc_systemd:nftables:reload',
+ },
+ },
+
 }

 svc_systemd = {
diff --git a/bundles/pppd/items.py b/bundles/pppd/items.py
index f358b5c..0ec6ed5 100644
--- a/bundles/pppd/items.py
+++ b/bundles/pppd/items.py
@@ -75,6 +75,9 @@ files = {
 },
 'mode': '0700',
 },
+ '/etc/sysctl.d/90-pppd.conf': {
+ 'content_type': 'any',
+ },
 '/etc/systemd/system/pppoe.service': {
 'triggers': {
 'action:systemd-reload',
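Review bot: With the Debian unit's Type=oneshot, the second `ExecStart=/usr/local/sbin/apply-sysctl` makes nftables.service report failure whenever the script is missing or exits non-zero, even though `nft -f` has already loaded the ruleset by then — so monitoring sees a failed firewall unit while the rules are actually in place, and nothing in the drop-in says why sysctls are re-applied from the firewall unit at all. Please state the reason at the top of the override, e.g. `# Re-apply sysctls after the ruleset is loaded; /usr/local/sbin/apply-sysctl comes from bundle:sysctl` (presumably because some keys or the forwarding settings must follow the ruleset — confirm). If a sysctl failure should not mark the firewall unit failed, prefix the command with `-` (`ExecStart=-/usr/local/sbin/apply-sysctl`, likewise for ExecReload); otherwise keep it fatal deliberately and say so in the comment.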
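Review bot: The new override file item triggers `svc_systemd:nftables:reload` but nothing orders it after the `file:/usr/local/sbin/apply-sysctl` item that bundle:sysctl creates, so on a first deploy the reload can fire with the override in place and the script still absent, making the ExecReload chain exit non-zero after `nft -f` has already run. Add `'needs': {'file:/usr/local/sbin/apply-sysctl'},` to the item so the script exists before the reload is triggered. The hunk also adds a stray blank line before the closing `}` of the dict; drop it. The `svc_systemd` dict that follows continues outside the hunk.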
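Review bot: `/etc/sysctl.d/90-pppd.conf` is declared with `'content_type': 'any'` and no comment, so a reader cannot tell what writes it or why bundlewrap should accept unmanaged content in a file that `apply-sysctl` later feeds to `sysctl` as root. Presumably it exists only so the new `purge: True` on `/etc/sysctl.d` does not delete a file written outside bundlewrap (a pppd ip-up hook? — confirm); say so: `# written by <writer>, not managed here; declared so bundle:sysctl's purge keeps it`. If the file is in fact produced by this bundle, manage its content here instead of whitelisting whatever is on disk. The enclosing `files` dict starts and ends outside the hunk.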
diff --git a/bundles/sysctl/files/99-sysctl.conf b/bundles/sysctl/files/99-sysctl.conf
new file mode 100644
index 0000000..9a29a4b
--- /dev/null
+++ b/bundles/sysctl/files/99-sysctl.conf
@@ -0,0 +1,3 @@
+% for option, value in sorted(node.metadata.get('sysctl/options', {}).items()):
+${option}=${value}
+% endfor
diff --git a/bundles/sysctl/items.py b/bundles/sysctl/items.py
new file mode 100644
index 0000000..f768b4c
--- /dev/null
+++ b/bundles/sysctl/items.py
@@ -0,0 +1,31 @@
+files = {
+ '/usr/local/sbin/apply-sysctl': {
+ 'content':
+ '#!/bin/sh\n'
+ '\n'
+ 'cat /etc/sysctl.d/*.conf /etc/sysctl.conf | sysctl -e -p -',
+ 'mode': '0700',
+ },
+ '/etc/sysctl.d/99-sysctl.conf': {
+ 'content_type': 'mako',
+ },
+}
+
+directories = {
+ '/etc/sysctl.d': {
+ 'purge': True,
+ 'triggers': {
+ 'action:apply-sysctl-settings',
+ },
+ },
+}
+
+actions = {
+ 'apply-sysctl-settings': {
+ 'command': '/usr/local/sbin/apply-sysctl',
+ 'triggered': True,
+ 'needs': {
+ 'file:/usr/local/sbin/apply-sysctl',
+ },
+ },
+}
diff --git a/groups/os.py b/groups/os.py
index d98356b..df057ed 100644
--- a/groups/os.py
+++ b/groups/os.py
@@ -25,6 +25,7 @@ groups['linux'] = {
 'postfix',
 'sshmon',
 'sudo',
+ 'sysctl',
 'systemd',
 'systemd-networkd',
 'telegraf',
diff --git a/nodes/home/nas.py b/nodes/home/nas.py
index e4ef65d..cb182bb 100644
--- a/nodes/home/nas.py
+++ b/nodes/home/nas.py
@@ -140,6 +140,12 @@ nodes['home.nas'] = {
 '/dev/disk/by-id/ata-TS64GSSD370_B807810527',
 },
 },
+ 'sysctl': {
+ 'options': {
+ # XXX find out if this is really needed
+ 'net.ipv4.ip_forward': '1',
+ },
+ },
 'systemd-networkd': {
 'bonds': {
 'bond0': {
diff --git a/nodes/home/router.py b/nodes/home/router.py
index c13d5d5..052c678 100644
--- a/nodes/home/router.py
+++ b/nodes/home/router.py
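Review bot: `sysctl -e -p -` in `apply-sysctl` ignores unknown keys, so a misspelled or not-yet-loadable hardening key in a node's `sysctl/options` is skipped silently and the triggered action still succeeds; drop `-e` so a rejected key fails the run, or at least make the suppression an explicit, commented choice. The pipeline also feeds `/etc/sysctl.conf` after the bundle's `99-sysctl.conf`, so an unmanaged `/etc/sysctl.conf` overrides bundle values every time nftables starts or reloads, while systemd-sysctl at boot never reads that file directly (on Debian it is only reached through the `/etc/sysctl.d/99-sysctl.conf -> ../sysctl.conf` symlink this bundle replaces); re-applying the boot-time set with its boot-time precedence, e.g. `'command': 'systemctl restart systemd-sysctl.service'`, keeps the two paths from disagreeing. `'purge': True` on `/etc/sysctl.d` deletes anything not declared in bundlewrap, including distro-shipped hardening defaults where a distribution puts them there (Ubuntu's `10-ptrace.conf`, `10-kernel-hardening.conf` and friends) — if any node runs such a distribution those settings have to be carried over into `sysctl/options` first. A one-line comment above `'purge': True` saying that every sysctl file must be declared in bundlewrap would make that intent clear to whoever adds the next one.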
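Review bot: `net.ipv4.ip_forward = 1` on `home.nas` is committed together with the open question `# XXX find out if this is really needed`, which turns the NAS into a router between whatever sits on its bond/VLAN interfaces on a guess, constrained only by an nftables forward chain that is not visible in this diff. Leave forwarding off until a consumer is identified, or replace the XXX with the reason and the guard, e.g. `# needed for <X>; nftables forward chain only allows <Y>` — and make sure that forward chain has a drop policy either way. The enclosing `nodes['home.nas']` dict starts and ends outside the hunk.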
@@ -215,6 +215,12 @@ nodes['home.router'] = {
 },
 },
 },
+ 'sysctl': {
+ 'options': {
+ 'net.ipv4.ip_forward': '1',
+ 'net.ipv6.conf.all.forwarding': '1',
+ },
+ },
 'vnstat': {
 'generate-web-dashboard': True,
 'interface': 'enp1s0.100',
diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py
index d893fd8..8428df9 100644
--- a/nodes/htz-cloud/miniserver.py
+++ b/nodes/htz-cloud/miniserver.py
@@ -183,6 +183,13 @@ nodes['htz-cloud.miniserver'] = {
 },
 },
 },
+ 'sysctl': {
+ 'options': {
+ # XXX find out if this is really needed
+ 'net.ipv4.ip_forward': '1',
+ 'net.ipv6.conf.all.forwarding': '1',
+ },
+ },
 'vm': {
 'cpu': 2,
 'ram': 4,
diff --git a/nodes/ovh/wireguard.py b/nodes/ovh/wireguard.py
index e5d9360..7e86a9f 100644
--- a/nodes/ovh/wireguard.py
+++ b/nodes/ovh/wireguard.py
@@ -23,6 +23,12 @@ nodes['ovh.wireguard'] = {
 'cpu': 1,
 'ram': 2,
 },
+ 'sysctl': {
+ 'options': {
+ 'net.ipv4.ip_forward': '1',
+ 'net.ipv6.conf.all.forwarding': '1',
+ },
+ },
 'wireguard': {
 'my_ip': '172.19.136.1/22',
 'peers': {
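Review bot: The same unresolved `# XXX find out if this is really needed` lands here on an internet-facing cloud VM, enabling both `net.ipv4.ip_forward` and `net.ipv6.conf.all.forwarding` on the assumption they might be needed, so the host forwards between any interfaces its nftables forward chain (not in this diff) lets through. Either leave the entries out until there is a known consumer, or replace the XXX with the reason and the guarding rule, e.g. `# forwards for <VMs/containers on bridge X>; nftables forward chain drops everything else`. The enclosing `nodes['htz-cloud.miniserver']` dict starts and ends outside the hunk.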
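Review bot: Setting `net.ipv6.conf.all.forwarding` to `1` makes the kernel stop accepting router advertisements on every interface whose `accept_ra` is not `2`, so if the OVH uplink learns its IPv6 default route from RAs (not visible here — confirm against the provider network setup), the host loses IPv6 connectivity the first time nftables starts or reloads and runs `apply-sysctl`. If that is the case, add `'net.ipv6.conf.<uplink>.accept_ra': '2',` beside the forwarding entry, or configure the v6 default route statically in the node's systemd-networkd metadata. The `wireguard` dict and the enclosing node definition continue outside the hunk.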