iiab/roles/2-common/tasks/network.yml

- name: '2021-07-27: SEE ALSO ~3 networking packages EARLIER installed by https://github.com/iiab/iiab/blob/master/roles/1-prep/tasks/raspberry_pi.yml'
  meta: noop

- name: '2021-07-27: SEE ALSO ~4 networking packages EARLIER installed by https://github.com/iiab/iiab/blob/master/roles/2-common/tasks/packages.yml'
  meta: noop

- name: Install package networkd-dispatcher (OS's other than RaspiOS)
  package:
    name: networkd-dispatcher    # Dispatcher service for systemd-networkd connection status changes
    state: present
  when: not is_raspbian

- name: 'Install network packages: hostapd, iproute2, iptables-persistent, netmask -- later used by https://github.com/iiab/iiab/tree/master/roles/network'
  package:
    name:
      - hostapd                # IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator -- has its service masked out of the box, and only used when IIAB's network roles detects the presence of WiFi and an AP is desired
      - iproute2               # 2021-07-27: RaspiOS installs this regardless -- the new networking and traffic control tools, meant to replace net-tools
      - iptables-persistent    # Boot-time loader for netfilter rules, iptables (firewall) plugin -- however Netfilter / nftables is ever moving forward so keep an eye on it!
      - netmask                # Handy utility -- helps determine network masks
    state: present

# 2021-08-17: Debian ignores this, according to 2013 post:
# https://serverfault.com/questions/511099/debian-ignores-etc-network-if-pre-up-d-iptables
# - name: Install /etc/network/if-pre-up.d/iptables from template (0755)
#   template:
#     src: iptables
#     dest: /etc/network/if-pre-up.d/iptables
#     mode: '0755'

# Ongoing rework (e.g. PR #2652) arising from ansible.posix collection changes:
- name: "Use 'sysctl' to set 'kernel.core_uses_pid: 1' + 4 network settings in /etc/sysctl.conf -- e.g. disabling IPv6 (this might be overkill, as IPv6 should really only be disabled on the LAN side, i.e. br0)"
  sysctl:    # Places these settings in /etc/sysctl.conf, to survive reboot
    name: "{{ item.name }}"
    value: "{{ item.value }}"
  with_items:
    - { name: 'net.ipv4.ip_forward', value: '1' }  # Masquerading LAN->Internet
    - { name: 'net.ipv4.conf.default.rp_filter', value: '1' }
    - { name: 'net.ipv4.conf.default.accept_source_route', value: '0' }
    #- { name: 'kernel.sysrq', value: '1' }             # OS values differ, Ok?
    - { name: 'kernel.core_uses_pid', value: '1' }
    #- { name: 'net.ipv4.tcp_syncookies', value: '1' }  # Very standard in 2020
    #- { name: 'kernel.shmmax', value: '268435456' }    # OS values differ, Ok?
    - { name: 'net.ipv6.conf.all.disable_ipv6', value: '1' }    # IPv6 disabled
    #- { name: 'net.ipv6.conf.default.disable_ipv6', value: '1' }    # AUTO-SET
    #- { name: 'net.ipv6.conf.lo.disable_ipv6', value: '1' }         # BY ABOVE
2-common/tasks/network.yml: Cleanup & network packages context 2021-07-27 18:56:20 +00:00			`- name: '2021-07-27: SEE ALSO ~3 networking packages EARLIER installed by https://github.com/iiab/iiab/blob/master/roles/1-prep/tasks/raspberry_pi.yml'`
			`meta: noop`

Update network.yml 2021-07-27 21:52:53 +00:00			`- name: '2021-07-27: SEE ALSO ~4 networking packages EARLIER installed by https://github.com/iiab/iiab/blob/master/roles/2-common/tasks/packages.yml'`
2-common/tasks/network.yml: Cleanup & network packages context 2021-07-27 18:56:20 +00:00			`meta: noop`

2-common/tasks/network.yml: Clarify Ansible output 2021-05-28 05:03:53 +00:00			`- name: Install package networkd-dispatcher (OS's other than RaspiOS)`
ensure networkd-dispatcher is installed 2020-12-08 10:20:42 +00:00			`package:`
Update network.yml 2021-07-27 21:52:53 +00:00			`name: networkd-dispatcher # Dispatcher service for systemd-networkd connection status changes`
ensure networkd-dispatcher is installed 2020-12-08 10:20:42 +00:00			`state: present`
			`when: not is_raspbian`

Update network.yml 2021-07-27 21:52:53 +00:00			`- name: 'Install network packages: hostapd, iproute2, iptables-persistent, netmask -- later used by https://github.com/iiab/iiab/tree/master/roles/network'`
indentation/syntax per new Ansible docs 2018-02-13 02:42:21 +00:00			`package:`
move network related packages 2021-04-27 23:48:03 +00:00			`name:`
Update network.yml 2021-07-27 21:52:53 +00:00			`- hostapd # IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator -- has its service masked out of the box, and only used when IIAB's network roles detects the presence of WiFi and an AP is desired`
			`- iproute2 # 2021-07-27: RaspiOS installs this regardless -- the new networking and traffic control tools, meant to replace net-tools`
Cleaner network/templates/gateway/iiab-gen-iptables & 2-common prep 2021-08-18 05:47:03 +00:00			`- iptables-persistent # Boot-time loader for netfilter rules, iptables (firewall) plugin -- however Netfilter / nftables is ever moving forward so keep an eye on it!`
Update network.yml 2021-07-27 21:52:53 +00:00			`- netmask # Handy utility -- helps determine network masks`
indentation/syntax per new Ansible docs 2018-02-13 02:42:21 +00:00			`state: present`
initial checkin -- May 27, 2017 2017-05-27 18:09:50 +00:00
Cleaner network/templates/gateway/iiab-gen-iptables & 2-common prep 2021-08-18 05:47:03 +00:00			`# 2021-08-17: Debian ignores this, according to 2013 post:`
			`# https://serverfault.com/questions/511099/debian-ignores-etc-network-if-pre-up-d-iptables`
			`# - name: Install /etc/network/if-pre-up.d/iptables from template (0755)`
			`# template:`
			`# src: iptables`
			`# dest: /etc/network/if-pre-up.d/iptables`
			`# mode: '0755'`
2-common/tasks/network.yml: Use 'sysctl' to set 5 network/kernel settings, turning off IPv6 if possible 2021-07-28 05:48:14 +00:00
			`# Ongoing rework (e.g. PR #2652) arising from ansible.posix collection changes:`
2-common/tasks/network.yml: Explain /etc/sysctl.conf changes 2021-07-28 08:56:59 +00:00			`- name: "Use 'sysctl' to set 'kernel.core_uses_pid: 1' + 4 network settings in /etc/sysctl.conf -- e.g. disabling IPv6 (this might be overkill, as IPv6 should really only be disabled on the LAN side, i.e. br0)"`
2-common/tasks/network.yml: Use 'sysctl' to set 5 network/kernel settings, turning off IPv6 if possible 2021-07-28 05:48:14 +00:00			`sysctl: # Places these settings in /etc/sysctl.conf, to survive reboot`
			`name: "{{ item.name }}"`
			`value: "{{ item.value }}"`
			`with_items:`
			`- { name: 'net.ipv4.ip_forward', value: '1' } # Masquerading LAN->Internet`
			`- { name: 'net.ipv4.conf.default.rp_filter', value: '1' }`
			`- { name: 'net.ipv4.conf.default.accept_source_route', value: '0' }`
			`#- { name: 'kernel.sysrq', value: '1' } # OS values differ, Ok?`
			`- { name: 'kernel.core_uses_pid', value: '1' }`
			`#- { name: 'net.ipv4.tcp_syncookies', value: '1' } # Very standard in 2020`
			`#- { name: 'kernel.shmmax', value: '268435456' } # OS values differ, Ok?`
			`- { name: 'net.ipv6.conf.all.disable_ipv6', value: '1' } # IPv6 disabled`
			`#- { name: 'net.ipv6.conf.default.disable_ipv6', value: '1' } # AUTO-SET`
			`#- { name: 'net.ipv6.conf.lo.disable_ipv6', value: '1' } # BY ABOVE`