From 24bfa840ffd7b75a31255e332fa86f6ffde8d54a Mon Sep 17 00:00:00 2001
From: Tom Alexander
Date: Thu, 27 Apr 2023 14:56:32 -0400
Subject: [PATCH] Starting to transition the home server to the new dynamic netgraph devices.
---
 .../roles/firewall/files/homeserver_pf.conf | 24 ++---
 .../roles/firewall/files/odofreebsd_pf.conf | 6 +-
 .../jail/files/setup_netgraph_homeserver | 95 ++++++++-----------
 .../roles/package_manager/tasks/freebsd.yaml | 12 +--
 4 files changed, 58 insertions(+), 79 deletions(-)
diff --git a/ansible/roles/firewall/files/homeserver_pf.conf b/ansible/roles/firewall/files/homeserver_pf.conf
index 9653cbf..dee2303 100644
--- a/ansible/roles/firewall/files/homeserver_pf.conf
+++ b/ansible/roles/firewall/files/homeserver_pf.conf
@@ -1,6 +1,7 @@
 ext_if = "{ igb0 igb1 ix0 ix1 wlan0 }"
-jail_net_v4 = "10.193.223.0/24"
-full_nat_v4 = "10.213.177.0/24"
+not_ext_if = "{ !igb0 !igb1 !ix0 !ix1 !wlan0 }"
+jail_nat_v4 = "{ 10.215.1.0/24 }"
+not_jail_nat_v4 = "{ any, !10.215.1.0/24 }"
 dhcp = "{ bootpc, bootps }"
 allow = "{ wgh wgf }"
@@ -15,11 +16,8 @@ unifi_ports = "{ 8443 3478 10001 8080 1900 8843 8880 6789 5514 }"
 set skip on lo
 # redirections
-nat on $ext_if inet from $jail_net_v4 to { any, !$jail_net_v4 } tag ALLOWED -> (wlan0)
-nat on $ext_if inet from $full_nat_v4 to { any, !$full_nat_v4 } tag ALLOWED -> (wlan0)
-
-rdr pass on host_uplink0 inet proto {tcp, udp} from any to 10.193.223.1 port 53 tag ALLOWED -> 1.1.1.1 port 53
-rdr pass on host_uplink1 inet proto {tcp, udp} from any to 10.213.177.1 port 53 tag ALLOWED -> 1.1.1.1 port 53
+nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> (wlan0)
+rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 1.1.1.1 port 53
 nat pass on host_uplink0 inet proto tcp from any to any port 8081 tag ALLOWED -> (host_uplink0)
 rdr pass on $ext_if inet proto tcp from any to any port 8081 tag ALLOWED -> 10.193.223.20 port 8081
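Review bot: `not_ext_if = "{ !igb0 !igb1 !ix0 !ix1 !wlan0 }"` (first hunk) does not select "every interface except the uplinks" once it is used in `rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 1.1.1.1 port 53` (hunk `@@ -15,11 +16,8 @@`): pf expands a list into one rule per element, so the redirect becomes five rules `on !igb0`, `on !igb1`, …, and a packet arriving on igb0 is still matched by the `on !igb1` copy, meaning the redirect — and the `pass` that lets it skip the filter ruleset — applies on the external interfaces too. `not_jail_nat_v4 = "{ any, !10.215.1.0/24 }"` expands the same way and its `to any` copy matches everything, so that negation is a no-op (the removed `to { any, !$jail_net_v4 }` had the same shape). The single-element `not_ext_if = "{ !wlan0 }"` in odofreebsd_pf.conf is unaffected, which is presumably why the macro looked safe to copy. Pin the redirect to the internal side instead, e.g. `rdr pass on jail_nat inet proto {tcp, udp} from $jail_nat_v4 to 10.215.1.1 port 53 -> 1.1.1.1 port 53`, using the `jail_nat` interface the later hunk passes on, and drop `not_ext_if` unless it names exactly one interface.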
@@ -32,6 +30,10 @@ rdr pass on $ext_if inet proto {udp, tcp} from any to any port $unifi_ports tag
 block log all
 pass out on $ext_if
+pass in on jail_nat
+# Allow traffic from my machine to the jails/virtual machines
+pass out on jail_nat from $jail_nat_v4
+
 # We pass on the interfaces listed in allow rather than skipping on
 # them because changes to pass rules will update when running a
 # `service pf reload` but interfaces that we `skip` will not update (I
@@ -45,8 +47,6 @@ pass on $ext_if proto icmp6 all
 pass in on $ext_if proto tcp to any port $tcp_pass_in
 pass in on $ext_if proto udp to any port $udp_pass_in
-pass quick on $ext_if proto udp from any port $dhcp to any port $dhcp
-
-pass in on host_uplink0 proto udp from any to any port { 53 51820 }
-pass out on host_uplink0 proto tcp from any to any port 8081
-pass on host_uplink1
+# pass in on host_uplink0 proto udp from any to any port { 53 51820 }
+# pass out on host_uplink0 proto tcp from any to any port 8081
+# pass on host_uplink1
diff --git a/ansible/roles/firewall/files/odofreebsd_pf.conf b/ansible/roles/firewall/files/odofreebsd_pf.conf
index 516cf16..559cf9a 100644
--- a/ansible/roles/firewall/files/odofreebsd_pf.conf
+++ b/ansible/roles/firewall/files/odofreebsd_pf.conf
@@ -1,7 +1,7 @@
 ext_if = "{ wlan0 }"
 not_ext_if = "{ !wlan0 }"
-jail_nat_v4 = "{ 10.193.223.0/24 10.213.177.0/24 10.215.1.0/24 }"
-not_jail_nat_v4 = "{ any, !10.193.223.0/24 !10.213.177.0/24 !10.215.1.0/24 }"
+jail_nat_v4 = "{ 10.215.1.0/24 }"
+not_jail_nat_v4 = "{ any, !10.215.1.0/24 }"
 dns_redirect = "{ 10.193.223.1 10.213.177.1 10.215.1.1 }"
 dhcp = "{ bootpc, bootps }"
@@ -29,7 +29,7 @@ pass out on $ext_if
 pass in on jail_nat
 # Allow traffic from my machine to the jails/virtual machines
-pass out on jail_nat from jail_nat
+pass out on jail_nat from $jail_nat_v4
 # We pass on the interfaces listed in allow rather than skipping on
 # them because changes to pass rules will update when running a
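Review bot: `pass in on jail_nat` (hunk `@@ -32,6 +30,10 @@`) passes any protocol from any source arriving on jail_nat, so a jail that forges a source address outside 10.215.1.0/24 is let through as well; the companion `pass out` rule is restricted to `$jail_nat_v4` but the inbound one is not. Constrain it the same way, `pass in on jail_nat inet from $jail_nat_v4`, and consider `antispoof quick for jail_nat inet` if the host address on jail_nat is static. The identical unrestricted rule appears as context in odofreebsd_pf.conf's `@@ -29,7 +29,7 @@` hunk, so the same fix applies there. The `# Allow traffic from my machine to the jails/virtual machines` comment documents only the `pass out` line; a matching comment on the `pass in` line, e.g. `# Let jails/VMs reach the host and (via nat on $ext_if) the outside`, would make the inbound intent explicit.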
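Review bot: `pass quick on $ext_if proto udp from any port $dhcp to any port $dhcp` is removed in hunk `@@ -45,8 +47,6 @@` while the `dhcp` macro stays defined in the first hunk, and nothing in the commit says the host no longer needs DHCP. With `block log all` as the default, bootpc/bootps on `$ext_if` is now passed only if `$udp_pass_in` happens to include those ports, which is not visible here; if wlan0, the NAT target written as the dynamic `(wlan0)`, gets its address by DHCP, the loss could surface at the next lease renewal rather than at reload time. Either restore the rule or delete the now-unused macro so the intent is explicit. The three `# pass ... host_uplink0`/`host_uplink1` lines are dead configuration; deleting them is cleaner than commenting them out, since git keeps the history.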
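Review bot: `dns_redirect = "{ 10.193.223.1 10.213.177.1 10.215.1.1 }"` in odofreebsd_pf.conf hunk `@@ -1,7 +1,7 @@` still lists the gateway addresses of 10.193.223.0/24 and 10.213.177.0/24, the two networks this hunk removes from `jail_nat_v4` and `not_jail_nat_v4`. If `$dns_redirect` is the destination of an `rdr pass` rule further down (any such rule is outside this hunk), the redirect keeps matching traffic for addresses that no longer belong to a NATed network and bypasses the filter ruleset for it. Trim the macro to match, `dns_redirect = "{ 10.215.1.1 }"`, or add a comment stating why the old gateways are kept.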
diff --git a/ansible/roles/jail/files/setup_netgraph_homeserver b/ansible/roles/jail/files/setup_netgraph_homeserver
index 1a0cef7..2b2d583 100644
--- a/ansible/roles/jail/files/setup_netgraph_homeserver
+++ b/ansible/roles/jail/files/setup_netgraph_homeserver
@@ -1,76 +1,55 @@
 #!/usr/local/bin/bash
 cleanup() {
- ngctl shutdown host_link2:
- ngctl shutdown host_uplink0:
- ngctl shutdown host_bridge0:
- ngctl shutdown wg_link2:
- ngctl shutdown wg_uplink0:
- ngctl shutdown wg_bridge0:
- ngctl shutdown host_link3:
- ngctl shutdown host_uplink1:
- ngctl shutdown host_bridge1:
+ # ngctl shutdown host_link2:
+ # ngctl shutdown host_uplink0:
+ # ngctl shutdown host_bridge0:
+ # ngctl shutdown wg_link2:
+ # ngctl shutdown wg_uplink0:
+ # ngctl shutdown wg_bridge0:
+ echo ""
 }
 setup_netgraph_start() {
 cleanup
- # Create a bridge for jails that only speak wireguard
- ngctl -d -f - <