Initial commit

roles/network/README.md

@@ -0,0 +1,123 @@
+# `flyoverhead.openwrt.network`
+
+OpenWRT `network` configuration
+- create/delete/configure network devices
+- create/delete/configure network interfaces
+
+## Role Variables
+
+| Variable | Descritpion | Status | Type | Default/Example |
+| :--- | :--- | :--- | :--- | :--- |
+| `network_globals` | [Global network configuration options](https://openwrt.org/docs/guide-user/base-system/basic-networking#global_section) |  | `dictionary` |  |
+|  `network_ula_prefix` | IPv6 ULA prefix (`IPv6-prefix` or `auto`) | `optional` | `string` | `auto` |
+|  `network_packet_steering` | Enable or disable usage of every CPU to handle packet traffic | `optional` | `boolean` | `0` |
+| `network_devices` | List of [network devices](https://openwrt.org/docs/guide-user/base-system/basic-networking#device_sections) |  | `list of dictionaries` |  |
+|  `id` | Unique device ID | `required` | `string` | `guest_dev` |
+|  `name` | Unique device name | `mandatory` | `string` | `br-guest` |
+|  `state` | Device status (`present` or `absent`) | `required` | `string` | `present` |
+|  `type` | Device type (for bridge devices only) | `optional` | `string` | `bridge` |
+|  `ports` | List of ports associated with bridge device | `required` | `list` | `["eth0", "eth1"]` |
+|  `stp` | Enable the Spanning Tree Protocol (STP) which prevents network loops | `optional` | `boolean` | `0` |
+|  `igmp_snooping` | Enable IGMP snooping | `optional` | `boolean` | `0` |
+|  `ipv6` | Enable IPv6 support | `optional` | `boolean` | `0` |
+| `network_interfaces` | List of [network interfaces](https://openwrt.org/docs/guide-user/base-system/|  `igmp_snooping` | Enable IGMP snooping | `optional` | `boolean` | `0` |
+|  `id` | Unique interface ID | `mandatory` | `string` | `guest` |
+|  `state` | Interface status (`present` or `absent`) | `required` | `string` | `present` |
+|  `device` | Network device associated with the interface (for newly created interface) | `optional` | `string` | `guest_dev` |
+|  `proto` | Interface protocol | `mandatory` | `string` | `static` |
+|  `auto` | Specifies whether to bring up interface on boot | `optional` | `boolean` | `0` for proto `none`, else `1` |
+|  `force_link` | Specifies whether ip address, route, and optionally gateway are assigned to the interface regardless of the link being active ('1') or only after the link has become active ('0') | `optional` | `boolean` | `1` for protocol `static`, else `0` |
+|  `ipaddr` | IP address | `required` | `string` | `192.168.1.1` |
+|  `netmask` | Netmask | `required` | `string` | `255.255.255.0` |
+|  `gateway` | Default gateway | `optional` | `string` | `192.168.1.1` |
+|  `peerdns` | Use peer/DHCP provided DNS server(s) | `optional` | `boolean` | `1` |
+|  `dns` | Override peer/DHCP provided DNS server(s) | `optional` | `list` | `["1.1.1.1", "8.8.8.8"]` |
+|  `username` | Username for PAP/CHAP authentication | `optional` | `string` | `username` |
+|  `password` | Password for PAP/CHAP authentication | `optional` | `string` | `password` |
+|  `mtu` | MTU value | `optional` | `integer` | `1532` |
+|  `ipv6` | Enable IPv6 support | `optional` | `boolean` | `0` |
+|  `delegate` | Enable prefix delegation | `optional` | `boolean` | `0` |
+|  `ip6assign` | Assign a part of given length of every public IPv6-prefix to this interface | `optional` | `integer` | `60` |
+| `network_rules` | List of [network rules](https://openwrt.org/docs/guide-user/network/routing/ip_rules) |  | (`list of dictionaries`) |  |
+|  `id` | Unique rule ID | `mandatory` | `string` | `rule_example` |
+|  `state` | Rule status (`present` or `absent`) | `required` | `string` | `present` |
+|  `mark` | fwmark and optionally its mask to match | `optional` | `string` | `0xFF` |
+|  `in` | Incoming logical interface name | `optional` | `string` | `lan` |
+|  `out` | Outgoing logical interface name | `optional` | `string` | `wan` |
+|  `src` | Source subnet to match (CIDR notation) | `optional` | `string` | `172.16.0.0/16` |
+|  `dest` | Destination subnet to match (CIDR notation) | `optional` | `string` | `192.168.1.0/24` |
+|  `invert` | Invert the meaning of the match options | `optional` | `boolean` | `0` |
+|  `priority` | Priority of the IP rule | `optional` | `integer` | `100` |
+|  `lookup` | Protocol ID to use for the route declared in `/etc/iproute2/rt_tables` | `mandatory` | `string` | `main` |
+|  `goto` | Rule to jump to specified by its `priority` value | `optional` | `integer` | `99` |
+|  `action` | Routing action (`prohibit`, `unreachable`, `blackhole` or `throw`) | `optional` | `string` | `prohibit` |
+|  `disabled` | Disable the rule | `optional` | `boolean` | `0` |
+| `network_routes` | List of [network routes](https://openwrt.org/docs/guide-user/network/routing/routes_configuration) |  | (`list of dictionaries`) |  |
+|  `id` | Unique route ID | `mandatory` | `string` | `route_example` |
+|  `state` | Route status (`present` or `absent`) | `required` | `string` | `present` |
+|  `interface` | Logical interface name of the parent (or master) interface the route belongs to | `mandatory` | `string` | `lan` |
+|  `target` | Network address | `mandatory` | `string` | `172.16.0.10` |
+|  `netmask` | Route netmask | `optional` | `string` | `255.255.255.255` |
+|  `gateway` | Network gateway | `optional` | `string` | `172.16.0.1` |
+|  `table` | Table ID to use for the route | `optional` | `string` | `main` |
+|  `source` | Route source address in source-address dependent routes | `optional` | `boolean` | `0` |
+|  `type` | Routing type (`unicast`, `local`, `broadcast`, `multicast`, `unreachable`, `prohibit`, `blackhole` or `anycast`) | `optional` | `string` | `unicast` |
+|  `proto` | Protocol ID to use for the route declared in `/etc/iproute2/rt_tables` | `mandatory` | `string` | `main` |
+|  `disabled` | Disable the rule | `optional` | `boolean` | `0` |
+
+## Dependencies
+
+| Name | Description |
+| :--- | :--- |
+| `Ansible Role: openwrt` | [Ansible role by gekmihesg](https://github.com/gekmihesg/ansible-openwrt) for managing OpenWRT and derivatives |
+
+## Example Playbook
+
+```yaml
+- hosts: openwrt
+  roles:
+      - role: flyoverhead.openwrt.network
+```
+
+## Example Vars
+
+```yaml
+network_devices:
+  - id: "iot_dev"
+    name: "br-iot"
+    state: "present"
+    type: "bridge"
+network_interfaces:
+  - id: "lan"
+    proto: "static"
+    ipaddr: "192.168.1.1"
+    netmask: "255.255.255.0"
+  - id: "wan"
+    proto: "dhcp"
+  - id: "iot"
+    state: "present"
+    device: "br-iot"
+    proto: "static"
+    auto: "1"
+    force_link: "1"
+    ipaddr: "192.168.2.1"
+    netmask: "255.255.255.0"
+  - id: "wan6"
+    state: "absent"
+```
+
+## License
+
+[GNU General Public License v3.0](https://www.gnu.org/licenses/gpl-3.0.txt)
+
+## Author Information
+
+fly0v3rH34D
+
+## References
+
+- https://openwrt.org/docs/guide-user/base-system/basic-networking
+- https://openwrt.org/docs/guide-user/network/ucicheatsheet
+- https://openwrt.org/docs/guide-user/network/routing/ip_rules
+- https://openwrt.org/docs/guide-user/network/routing/routes_configuration
+- https://openwrt.org/docs/guide-user/network/wan/wan_interface_protocols

roles/network/defaults/main.yml

@@ -0,0 +1,74 @@
+---
+# globals section
+# network_globals:
+#   network_ula_prefix: ""
+#   network_packet_steering: ""
+
+# #switch section
+# network_switch_vlans:
+#   - id: ""
+#     vlan: ""
+#     vid: ""
+#     ports: ""
+#     description: ""
+
+# device section
+network_devices:
+  - id: ""
+    name: ""
+    state: ""
+    type: ""
+    ports: []
+    stp: ""
+    igmp_snooping: ""
+    ipv6: ""
+
+# interface section
+network_interfaces:
+  - id: ""
+    state: ""
+    device: ""
+    proto: ""
+    auto: ""
+    force_link: ""
+    ipaddr: ""
+    netmask: ""
+    gateway: ""
+    peerdns: ""
+    dns: []
+    username: ""
+    password: ""
+    mtu: ""
+    ipv6: ""
+    delegate: ""
+    ip6assign: ""
+
+# rule section
+network_rules:
+  - id: ""
+    state: ""
+    mark: ""
+    in: ""
+    out: ""
+    src: ""
+    dest: ""
+    invert: ""
+    priority: ""
+    lookup: ""
+    goto: ""
+    action: ""
+    disabled: ""
+
+# route section
+network_routes:
+  - id: ""
+    state: ""
+    interface: ""
+    target: ""
+    netmask: ""
+    gateway: ""
+    table: ""
+    source: ""
+    type: ""
+    proto: ""
+    disabled: ""

roles/network/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+# Reload network service using nohup
+- name: Reload network
+  nohup:
+    command: /etc/init.d/network restart

roles/network/meta/main.yml

@@ -0,0 +1,12 @@
+---
+galaxy_info:
+  author: flyoverhead
+  description: Configure network settings
+  license: GPL-3.0
+  min_ansible_version: "2.13"
+  platforms:
+    - name: OpenWrt
+      versions: ["22.03"]
+  galaxy_tags: ["openwrt", "network"]
+dependencies:
+  - role: gekmihesg.openwrt

roles/network/tasks/device.yml

@@ -0,0 +1,42 @@
+---
+# Set state status for network device
+- name: Set state status for network device {{ item.id | default('@device[-1]') }}
+  ansible.builtin.set_fact:
+    network_device_state: "{{ item.state | default('present') }}"
+
+# Delete network device
+- name: Delete network device {{ item.id }}
+  when: "'absent' in network_device_state"
+  uci:
+    command: "absent"
+    config: "network"
+    section: "{{ item.id }}"
+    type: "device"
+
+# Create and configure network device
+- name: Create and configure network device
+  when: "'present' in network_device_state"
+  block:
+    # Create network device
+    - name: Create network device {{ item.id | default('@device[-1]') }}
+      uci:
+        command: "add"
+        config: "network"
+        section: "{{ item.id | default('@device[-1]') }}"
+        type: "device"
+
+    # Configure network device
+    - name: Configure network device {{ item.id | default('@device[-1]') }}
+      uci:
+        command: "set"
+        config: "network"
+        section: "{{ item.id | default('@device[-1]') }}"
+        type: "device"
+        value:
+          name: "{{ item.name | default(omit) }}"
+          type: "{{ item.type | default(omit) }}"
+          ports: "{{ item.ports | default([]) | join(' ') }}"
+          stp: "{{ item.stp | default(omit) }}"
+          vlan: "{{ item.vlan | default(omit) }}"
+          igmp_snooping: "{{ item.igmp_snooping | default(omit) }}"
+          ipv6: "{{ item.ipv6 | default(omit) }}"

roles/network/tasks/globals.yml

@@ -0,0 +1,11 @@
+---
+# Configure globals settings
+- name: Configure globals settings
+  uci:
+    command: "set"
+    config: "network"
+    section: "globals"
+    type: "globals"
+    value:
+      ula_prefix: "{{ network_globals.network_ula_prefix | default(omit) }}"
+      packet_steering: "{{ network_globals.network_packet_steering | default(omit) }}"

roles/network/tasks/interface.yml

@@ -0,0 +1,50 @@
+---
+# Set state status for network interface
+- name: Set state status for network interface {{ item.id }}
+  ansible.builtin.set_fact:
+    network_interface_state: "{{ item.state | default('present') }}"
+
+# Delete network interface
+- name: Delete network interface {{ item.id }}
+  when: "'absent' in network_interface_state"
+  uci:
+    command: "absent"
+    config: "network"
+    section: "{{ item.id }}"
+    type: "interface"
+
+# Create and configure network interface
+- name: Create and configure network interface
+  when: "'present' in network_interface_state"
+  block:
+    # Create network interface
+    - name: Create network interface {{ item.id }}
+      uci:
+        command: "add"
+        config: "network"
+        section: "{{ item.id }}"
+        type: "interface"
+
+    # Configure network interface
+    - name: Configure network interface {{ item.id }}
+      uci:
+        command: "set"
+        config: "network"
+        section: "{{ item.id }}"
+        type: "interface"
+        value:
+          device: "{{ item.device | default(omit) }}"
+          proto: "{{ item.proto | default(omit) }}"
+          auto: "{{ item.auto | default(omit) }}"
+          force_link: "{{ item.force_link | default(omit) }}"
+          ipaddr: "{{ item.ipaddr | default(omit) }}"
+          netmask: "{{ item.netmask | default(omit) }}"
+          gateway: "{{ item.gateway | default(omit) }}"
+          peerdns: "{{ item.peerdns | default(omit) }}"
+          dns: "{{ item.dns | default([]) | join(' ') }}"
+          username: "{{ item.username | default(omit) }}"
+          password: "{{ item.password | default(omit) }}"
+          mtu: "{{ item.mtu | default(omit) }}"
+          ipv6: "{{ item.ipv6 | default(omit) }}"
+          delegate: "{{ item.delegate | default(omit) }}"
+          ip6assign: "{{ item.ip6assign | default(omit) }}"

roles/network/tasks/main.yml

@@ -0,0 +1,43 @@
+---
+# Configure globals section
+- name: Configure globals section
+  when: network_globals is defined
+  ansible.builtin.include_tasks: globals.yml
+
+# Configure swconfig switch vlan section
+- name: Configure swconfig switch vlan section
+  ansible.builtin.include_tasks: switch_swconfig.yml
+  when: network_swconfig_switch_vlans is defined
+  loop: "{{ network_swconfig_switch_vlans | default([]) }}"
+
+# Configure dsa switch vlan section
+- name: Configure dsa switch vlan section
+  ansible.builtin.include_tasks: switch_dsa.yml
+  when: network_dsa_switch_vlans is defined
+  loop: "{{ network_dsa_switch_vlans | default([]) }}"
+
+# Configure device section
+- name: Configure device section
+  ansible.builtin.include_tasks: device.yml
+  loop: "{{ network_devices | default([]) }}"
+
+# Configure interface section
+- name: Configure interface section
+  ansible.builtin.include_tasks: interface.yml
+  loop: "{{ network_interfaces | default([]) }}"
+
+# Configure rule section
+- name: Configure rule section
+  ansible.builtin.include_tasks: rule.yml
+  loop: "{{ network_rules | default([]) }}"
+
+# Configure route section
+- name: Configure route section
+  ansible.builtin.include_tasks: route.yml
+  loop: "{{ network_routes | default([]) }}"
+
+# Apply changes and reload network service
+- name: Apply changes and reload network
+  uci:
+    command: commit
+  notify: Reload network

roles/network/tasks/route.yml

@@ -0,0 +1,44 @@
+---
+# Set state status for network route
+- name: Set state status for network route {{ item.id | default('@route[-1]') }}
+  ansible.builtin.set_fact:
+    network_route_state: "{{ item.state | default('present') }}"
+
+# Delete network route
+- name: Delete network route {{ item.id }}
+  when: "'absent' in network_route_state"
+  uci:
+    command: "absent"
+    config: "network"
+    section: "{{ item.id }}"
+    type: "route"
+
+# Create and configure network route
+- name: Create and configure network route
+  when: "'present' in network_route_state"
+  block:
+    # Create network route
+    - name: Create network route {{ item.id | default('@route[-1]') }}
+      uci:
+        command: "add"
+        config: "network"
+        section: "{{ item.id | default('@route[-1]') }}"
+        type: "route"
+
+    # Configure network route
+    - name: Configure network route {{ item.id | default('@route[-1]') }}
+      uci:
+        command: "set"
+        config: "network"
+        section: "{{ item.id | default('@route[-1]') }}"
+        type: "route"
+        value:
+          interface: "{{ item.interface | default(omit) }}"
+          target: "{{ item.target | default(omit) }}"
+          netmask: "{{ item.netmask | default(omit) }}"
+          gateway: "{{ item.gateway | default(omit) }}"
+          table: "{{ item.table | default(omit) }}"
+          source: "{{ item.source | default(omit) }}"
+          type: "{{ item.type | default(omit) }}"
+          proto: "{{ item.proto | default(omit) }}"
+          disabled: "{{ item.disabled | default(omit) }}"

roles/network/tasks/rule.yml

@@ -0,0 +1,46 @@
+---
+# Set state status for network rule
+- name: Set state status for network rule {{ item.id | default('@rule[-1]') }}
+  ansible.builtin.set_fact:
+    network_rule_state: "{{ item.state | default('present') }}"
+
+# Delete network rule
+- name: Delete network rule {{ item.id }}
+  when: "'absent' in network_rule_state"
+  uci:
+    command: "absent"
+    config: "network"
+    section: "{{ item.id }}"
+    type: "rule"
+
+# Create and configure network rule
+- name: Create and configure network rule
+  when: "'present' in network_rule_state"
+  block:
+    # Create network rule
+    - name: Create network rule {{ item.id | default('@rule[-1]') }}
+      uci:
+        command: "add"
+        config: "network"
+        section: "{{ item.id | default('@rule[-1]') }}"
+        type: "rule"
+
+    # Configure network rule
+    - name: Configure network rule {{ item.id | default('@rule[-1]') }}
+      uci:
+        command: "set"
+        config: "network"
+        section: "{{ item.id | default('@rule[-1]') }}"
+        type: "rule"
+        value:
+          mark: "{{ item.mark | default(omit) }}"
+          in: "{{ item.in | default(omit) }}"
+          out: "{{ item.out | default(omit) }}"
+          src: "{{ item.src | default(omit) }}"
+          dest: "{{ item.dest | default(omit) }}"
+          invert: "{{ item.invert | default(omit) }}"
+          priority: "{{ item.priority | default(omit) }}"
+          lookup: "{{ item.lookup | default(omit) }}"
+          goto: "{{ item.goto | default([]) | join(' ') }}"
+          action: "{{ item.action | default(omit) }}"
+          disabled: "{{ item.disabled | default(omit) }}"

roles/network/tasks/switch_dsa.yml

@@ -0,0 +1,40 @@
+---
+# Set state status for switch vlan
+- name: Set state status for switch vlan {{ item.id | default('@switch_vlan[-1]') }}
+  ansible.builtin.set_fact:
+    switch_vlan_state: "{{ item.state | default('present') }}"
+
+# Delete switch vlan
+- name: Delete switch vlan {{ item.id }}
+  when: "'absent' in switch_vlan_state"
+  uci:
+    command: "absent"
+    config: "network"
+    section: "{{ item.id }}"
+    type: "switch_vlan"
+
+# Create and configure switch vlan
+- name: Create and configure switch vlan
+  when: "'present' in switch_vlan_state"
+  block:
+    # Create switch vlan
+    - name: Create switch vlan {{ item.id | default('@switch_vlan[-1]') }}
+      uci:
+        command: "add"
+        config: "network"
+        section: "{{ item.id | default('@switch_vlan[-1]') }}"
+        type: "switch_vlan"
+
+    # Configure switch vlan
+    - name: Configure switch vlan {{ item.id | default('@switch_vlan[-1]') }}
+      uci:
+        command: "set"
+        config: "network"
+        section: "{{ item.id | default('@switch_vlan[-1]') }}"
+        type: "switch_vlan"
+        value:
+          device: "{{ item.device | default('switch0') }}"
+          vlan: "{{ item.vlan | mandatory }}"
+          vid: "{{ item.vid | default(item.vlan | default(omit)) }}"
+          ports: "{{ item.ports | default([]) }}"
+          description: "{{ item.description | default(omit) }}"

roles/network/tasks/switch_swconfig.yml

@@ -0,0 +1,40 @@
+---
+# Set state status for switch vlan
+- name: Set state status for switch vlan {{ item.id | default('@switch_vlan[-1]') }}
+  ansible.builtin.set_fact:
+    switch_vlan_state: "{{ item.state | default('present') }}"
+
+# Delete switch vlan
+- name: Delete switch vlan {{ item.id }}
+  when: "'absent' in switch_vlan_state"
+  uci:
+    command: "absent"
+    config: "network"
+    section: "{{ item.id }}"
+    type: "switch_vlan"
+
+# Create and configure switch vlan
+- name: Create and configure switch vlan
+  when: "'present' in switch_vlan_state"
+  block:
+    # Create switch vlan
+    - name: Create switch vlan {{ item.id | default('@switch_vlan[-1]') }}
+      uci:
+        command: "add"
+        config: "network"
+        section: "{{ item.id | default('@switch_vlan[-1]') }}"
+        type: "switch_vlan"
+
+    # Configure switch vlan
+    - name: Configure switch vlan {{ item.id | default('@switch_vlan[-1]') }}
+      uci:
+        command: "set"
+        config: "network"
+        section: "{{ item.id | default('@switch_vlan[-1]') }}"
+        type: "switch_vlan"
+        value:
+          device: "{{ item.device | default('switch0') }}"
+          vlan: "{{ item.vlan | mandatory }}"
+          vid: "{{ item.vid | default(item.vlan | default(omit)) }}"
+          ports: "{{ item.ports | default([]) }}"
+          description: "{{ item.description | default(omit) }}"