- k0s bootstrap with Cilium and OpenEBS
- ArgoCD apps for infra, CAPI, Tinkerbell, and Netris
- Ansible playbooks for the virtual bare-metal lab and Netris switches
- CAPI provider manifests for k0smotron and Tinkerbell
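---
# Host-side network setup for the virtual bare-metal lab: a Linux bridge
# (br-mgmt) that libvirt VMs and Tinkerbell use as their provisioning
# network, with this host acting as its gateway and NAT router.
#
# Steps, in order:
#   1. Install bridge-utils and write an ifupdown stanza so the bridge and
#      its address come back after a reboot.
#   2. Create the bridge, bring it up and assign the gateway address now,
#      so the play is usable without a reboot or ifup.
#   3. Enable IPv4 forwarding and add NAT/FORWARD rules: hosts on the bridge
#      may reach the outside through the uplink, replies are allowed back in,
#      and unsolicited connections from the uplink into the bridge network
#      are dropped (ip_forward is host-wide, so the FORWARD chain has to say
#      "no" explicitly rather than rely on the default policy).
#   4. Persist the rule set for iptables-persistent. This is a handler, so it
#      only fires when one of the rule tasks actually changed something.
#
# Only IPv4 is handled here; IPv6 forwarding and ip6tables are left alone.
- name: Configure br-mgmt bridge for libvirt and Tinkerbell
  hosts: local
  become: true
  gather_facts: false

  vars:
    br_mgmt_name: br-mgmt
    br_mgmt_ip: 172.16.81.254
    br_mgmt_cidr: 24
    br_mgmt_netmask: 255.255.255.0
    # Network behind the bridge, used by the NAT rule. Must agree with
    # br_mgmt_ip / br_mgmt_cidr above.
    br_mgmt_network: 172.16.81.0/24
    # Host interface that carries the bridge's NATed traffic to the outside.
    # The default is the lab machine this play was written for; override it
    # per host instead of editing the rules.
    br_mgmt_uplink: enp41s0
    # File that iptables-persistent restores from at boot.
    iptables_rules_v4: /etc/iptables/rules.v4

  tasks:
    - name: Ensure bridge-utils is installed
      # Provides brctl and the bridge_* ifupdown hooks used by the
      # interfaces.d stanza written below.
      ansible.builtin.apt:
        name: bridge-utils
        state: present
        update_cache: false

    - name: Create bridge interface configuration file
      # Persistent definition for ifupdown. The live tasks further down
      # configure the same thing immediately, so nothing here waits for a
      # reboot.
      ansible.builtin.copy:
        dest: /etc/network/interfaces.d/br-mgmt
        owner: root
        group: root
        mode: "0644"
        content: |
          # Management bridge for libvirt VMs and Tinkerbell
          # This bridge provides the {{ br_mgmt_network }} network for bare metal provisioning

          auto {{ br_mgmt_name }}
          iface {{ br_mgmt_name }} inet static
              address {{ br_mgmt_ip }}
              netmask {{ br_mgmt_netmask }}
              bridge_ports none
              bridge_stp off
              bridge_fd 0
              bridge_maxwait 0

    - name: Check if bridge already exists
      ansible.builtin.command: ip link show {{ br_mgmt_name }}
      register: bridge_exists
      changed_when: false
      failed_when: false

    - name: Create bridge interface
      ansible.builtin.command: ip link add name {{ br_mgmt_name }} type bridge
      when: bridge_exists.rc != 0

    - name: Check whether the bridge is administratively up
      # `grep -w UP` matches the bare UP flag inside the <...> flag list but
      # not LOWER_UP (the underscore makes that a different word), so rc 0
      # means the link is admin-up. Checking the flag instead of "was it just
      # created" also catches a bridge that already existed but was left down.
      ansible.builtin.shell: ip -o link show dev {{ br_mgmt_name }} | grep -qw UP
      register: bridge_is_up
      changed_when: false
      failed_when: false

    - name: Set bridge interface up
      ansible.builtin.command: ip link set {{ br_mgmt_name }} up
      when: bridge_is_up.rc != 0

    - name: Check current IP on bridge
      # Fixed-string match on "inet ADDR/PREFIX " so a regex dot or a longer
      # address sharing the same leading digits cannot give a false positive.
      ansible.builtin.shell: ip -o -4 addr show dev {{ br_mgmt_name }} | grep -qF 'inet {{ br_mgmt_ip }}/{{ br_mgmt_cidr }} '
      register: ip_configured
      changed_when: false
      failed_when: false

    - name: Assign IP address to bridge
      ansible.builtin.command: ip addr add {{ br_mgmt_ip }}/{{ br_mgmt_cidr }} dev {{ br_mgmt_name }}
      when: ip_configured.rc != 0

    - name: Enable IP forwarding
      # Host-wide: this turns the machine into a router for every interface,
      # not just the bridge. The FORWARD rules below are what keep that scoped.
      ansible.posix.sysctl:
        name: net.ipv4.ip_forward
        value: "1"
        sysctl_set: true
        state: present
        reload: true

    - name: Install iptables-persistent
      ansible.builtin.apt:
        name: iptables-persistent
        state: present
        update_cache: false
      environment:
        DEBIAN_FRONTEND: noninteractive

    - name: Configure NAT masquerade for br-mgmt network
      ansible.builtin.iptables:
        table: nat
        chain: POSTROUTING
        source: "{{ br_mgmt_network }}"
        out_interface: "{{ br_mgmt_uplink }}"
        jump: MASQUERADE
        comment: "NAT for br-mgmt network"
      notify: save iptables rules

    - name: Allow forwarding from br-mgmt to external
      ansible.builtin.iptables:
        chain: FORWARD
        in_interface: "{{ br_mgmt_name }}"
        out_interface: "{{ br_mgmt_uplink }}"
        jump: ACCEPT
        comment: "Forward br-mgmt to internet"
      notify: save iptables rules

    - name: Allow forwarding return traffic to br-mgmt
      ansible.builtin.iptables:
        chain: FORWARD
        in_interface: "{{ br_mgmt_uplink }}"
        out_interface: "{{ br_mgmt_name }}"
        ctstate: ESTABLISHED,RELATED
        jump: ACCEPT
        comment: "Return traffic to br-mgmt"
      notify: save iptables rules

    - name: Drop unsolicited traffic from the uplink into br-mgmt
      # With ip_forward on and a FORWARD policy of ACCEPT (the kernel default),
      # none of the rules above stops a host on the uplink from opening
      # connections to the provisioning network. Matching NEW/INVALID instead
      # of "everything" keeps the rule correct no matter where it lands
      # relative to the ESTABLISHED,RELATED accept. Provisioning traffic is
      # initiated from the bridge side, so nothing legitimate is cut off.
      ansible.builtin.iptables:
        chain: FORWARD
        in_interface: "{{ br_mgmt_uplink }}"
        out_interface: "{{ br_mgmt_name }}"
        ctstate: NEW,INVALID
        jump: DROP
        comment: "Block unsolicited inbound to br-mgmt"
      notify: save iptables rules

    - name: Display bridge status
      ansible.builtin.shell: |
        echo "=== Bridge Status ==="
        ip addr show {{ br_mgmt_name }}
        echo ""
        echo "=== Bridge Details ==="
        brctl show {{ br_mgmt_name }}
      register: bridge_status
      changed_when: false

    - name: Show bridge status
      ansible.builtin.debug:
        var: bridge_status.stdout_lines

  handlers:
    # Both handlers listen on the same topic and run in the order defined
    # here, so the file is written before its permissions are tightened.
    - name: Persist iptables rules
      ansible.builtin.shell: iptables-save > "{{ iptables_rules_v4 }}"
      listen: save iptables rules

    - name: Restrict access to the saved rule set
      # The saved rules spell out the lab's network layout; keep them
      # readable by root only. The restore at boot runs as root anyway.
      ansible.builtin.file:
        path: "{{ iptables_rules_v4 }}"
        owner: root
        group: root
        mode: "0600"
      listen: save iptables rules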