dch-gw: Initial commit

The *dch-gw* role, and the corresponding `dch-gw.yml` playbook, apply all of the necessary configuration to the edge router on my home network.
2018-03-23 10:14:46 -05:00
parent 5d1b646d14
commit a7ac6c586d
12 changed files with 344 additions and 0 deletions
--- a/roles/dch-gw/files/ipv4-nat.nft
+++ b/roles/dch-gw/files/ipv4-nat.nft
@@ -0,0 +1,8 @@
+#! /usr/sbin/nft -f
+
+table nat {
+	chain prerouting	{ type nat hook prerouting priority -100; }
+	chain input		{ type nat hook input priority 100; }
+	chain output		{ type nat hook output priority -100; }
+	chain postrouting	{ type nat hook postrouting priority 100; }
+}
--- a/roles/dch-gw/files/outside-address.dhcpcd-hook
+++ b/roles/dch-gw/files/outside-address.dhcpcd-hook
@@ -0,0 +1,28 @@
+# vim: set ft=sh :
+
+(
+RULESET=/var/lib/dhcpcd/outside-address.ruleset
+
+
+reload_nftables() {
+	systemctl reload nftables
+}
+
+
+write_ruleset() {
+	install -d "${RULESET%/*}"
+	printf 'define outside_address = %s\n' "${new_ip_address}" \
+		> "${RULESET}"
+}
+
+
+if [ -n "${new_ip_address}" ]; then
+	if [ ! -f "${ruleset}" ]; then
+		write_ruleset
+		reload_nftables
+	elif [ "${new_ip_address}" != "${old_ip_address}" ]; then
+		write_ruleset
+		reload_nftables
+	fi
+fi
+)