The next generation ansible-managed linux router framework using all the trendy new things
The current device target is a nanopi-r5s running Armbian, using a WAN port for internet, with LAN1 and LAN2 aggregated in a router-on-a-stick pattern for east-west traffic.
The goal is a robust router config with a zone firewall, leveraging the following underlying components:
- netplan
- firewalld / foomuuri
- dnsmasq
- frrouting
- wireguard
This repo is meant to be the ansible project directory (or close to it), plus documentation. It tries to leverage off-the-shelf roles when possible. Other roles will come via the clammy collection.
There are better ways, but this way for now: .gitignore has been preconfigured to use the namespaced ansible home ~/.clammy-ng-ansible/ and the venv used in the example.
Assume you have python3 and python3-venv installed:
python3 -m venv venv
source venv/bin/activate
python3 -m pip install -r requirements.txt
ansible-galaxy install -r requirements.yml
ansible-galaxy install -r requirements-clammy-ng.yml
Naturally there are some sequencing challenges with a router, especially out of the box. For now, full.yml is the POC full sequence of operations.
In reality, this stuff will probably want to be decoupled.
I think there's going to be a general need to decouple WAN interface-oriented operations from LAN, including firewall management.
Guesses so far:
- sysctl_base config # interface specific stuff might move this
- configure wan interface
- configure lan interfaces
- configure vpn interfaces
- configure wan firewall ingress and port forwards
- configure lan/vpn zones
- configure wan/vpn zone policies
- configure DHCP / DNS (dnsmasq) # what happens if vpn needs DNS to work?
- configure advanced routing (frrouting)
- configure monitoring