add bundle:sysctl

bundles/nftables/files/override.conf

@@ -0,0 +1,8 @@
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/nft -f /etc/nftables.conf
+ExecStart=/usr/local/sbin/apply-sysctl
+
+ExecReload=
+ExecReload=/usr/sbin/nft -f /etc/nftables.conf
+ExecReload=/usr/local/sbin/apply-sysctl

bundles/nftables/items.py

@@ -23,6 +23,14 @@ files = {
             'svc_systemd:nftables:reload',
         },
     },
+    '/etc/systemd/system/nftables.service.d/bundlewrap.conf': {
+        'source': 'override.conf',
+        'triggers': {
+            'action:systemd-reload',
+            'svc_systemd:nftables:reload',
+        },
+    },
+
 }
 
 svc_systemd = {

bundles/pppd/items.py

@@ -75,6 +75,9 @@ files = {
         },
         'mode': '0700',
     },
+    '/etc/sysctl.d/90-pppd.conf': {
+        'content_type': 'any',
+    },
     '/etc/systemd/system/pppoe.service': {
         'triggers': {
             'action:systemd-reload',

bundles/sysctl/files/99-sysctl.conf

@@ -0,0 +1,3 @@
+% for option, value in sorted(node.metadata.get('sysctl/options', {}).items()):
+${option}=${value}
+% endfor

bundles/sysctl/items.py

@@ -0,0 +1,31 @@
+files = {
+    '/usr/local/sbin/apply-sysctl': {
+        'content':
+            '#!/bin/sh\n'
+            '\n'
+            'cat /etc/sysctl.d/*.conf /etc/sysctl.conf | sysctl -e -p -',
+        'mode': '0700',
+    },
+    '/etc/sysctl.d/99-sysctl.conf': {
+        'content_type': 'mako',
+    },
+}
+
+directories = {
+    '/etc/sysctl.d': {
+        'purge': True,
+        'triggers': {
+            'action:apply-sysctl-settings',
+        },
+    },
+}
+
+actions = {
+    'apply-sysctl-settings': {
+        'command': '/usr/local/sbin/apply-sysctl',
+        'triggered': True,
+        'needs': {
+            'file:/usr/local/sbin/apply-sysctl',
+        },
+    },
+}

groups/os.py

@@ -25,6 +25,7 @@ groups['linux'] = {
         'postfix',
         'sshmon',
         'sudo',
+        'sysctl',
         'systemd',
         'systemd-networkd',
         'telegraf',

nodes/home/nas.py

@@ -140,6 +140,12 @@ nodes['home.nas'] = {
                 '/dev/disk/by-id/ata-TS64GSSD370_B807810527',
             },
         },
+        'sysctl': {
+            'options': {
+                # XXX find out if this is really needed
+                'net.ipv4.ip_forward': '1',
+            },
+        },
         'systemd-networkd': {
             'bonds': {
                 'bond0': {

nodes/home/router.py

@@ -215,6 +215,12 @@ nodes['home.router'] = {
                 },
             },
         },
+        'sysctl': {
+            'options': {
+                'net.ipv4.ip_forward': '1',
+                'net.ipv6.conf.all.forwarding': '1',
+            },
+        },
         'vnstat': {
             'generate-web-dashboard': True,
             'interface': 'enp1s0.100',

nodes/htz-cloud/miniserver.py

@@ -183,6 +183,13 @@ nodes['htz-cloud.miniserver'] = {
                 },
             },
         },
+        'sysctl': {
+            'options': {
+                # XXX find out if this is really needed
+                'net.ipv4.ip_forward': '1',
+                'net.ipv6.conf.all.forwarding': '1',
+            },
+        },
         'vm': {
             'cpu': 2,
             'ram': 4,

nodes/ovh/wireguard.py

@@ -23,6 +23,12 @@ nodes['ovh.wireguard'] = {
             'cpu': 1,
             'ram': 2,
         },
+        'sysctl': {
+            'options': {
+                'net.ipv4.ip_forward': '1',
+                'net.ipv6.conf.all.forwarding': '1',
+            },
+        },
         'wireguard': {
             'my_ip': '172.19.136.1/22',
             'peers': {