remove nat64

host_vars/ff-nat64

@@ -1,18 +0,0 @@
----
-ansible_host: 2a01:4f8:a0:9395:2::3
-#ansible_host: 10.0.4.67
-wireguard_bb_name: 'nat64'
-wireguard_bb_endpoint: '2a01:4f8:a0:9395:2::3'
-wireguard_bb_priv_key: !vault |
-          $ANSIBLE_VAULT;1.1;AES256
-          39303530363738363764303964346631313532353762343263316166383534373763303538376363
-          3733366465336331353939346464306162353938353666370a613166623931613430613333613139
-          63356231653035663232376330363763393732666135356639663537666534326136356431663264
-          6330643965613562380a623830616437653563613630663332313266623239373634643431313064
-          62306263343934616462356536613235363866303736636537633766616663346363326234323532
-          3862346431613738663665613661623236323139616639613432
-wireguard_bb_pub_key: '4f3BbS38u97CNN3LDUZS//vO3JTzAl6zRWovuIAGcQM='
-wireguard_bb_ipv4: '10.222.0.6'
-wireguard_bb_ipv6: 'fe80::ffbb:ffbb:6'
-wireguard_bb_port: 10106
-preferred_uplink: 'uplink2'

inventory.ini

@@ -28,6 +28,3 @@ ff-uplink2
 [uplink:children]
 mullvad_uplink
 ffrl_uplink
-
-[nat64]
-ff-nat64

roles/configure_iptables/templates/ip6tables.rules

@@ -10,7 +10,7 @@
 {% endfor %}
 {% endif %}
 
-{% if 'fastd' in group_names or 'nat64' in group_names %}
+{% if 'fastd' in group_names %}
 {% for peer in groups['uplink'] %}
 -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
@@ -19,9 +19,6 @@
 {% for peer in groups['fastd'] %}
 -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
-{% for peer in groups['nat64'] %}
--A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
-{% endfor %}
 {% for peer in groups['uplink'] | difference([inventory_hostname]) %}
 -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
@@ -63,7 +60,7 @@ COMMIT
 {% endfor %}
 {% endif %}
 # wireguard_backbone
-{% if 'fastd' in group_names or 'nat64' in group_names %}
+{% if 'fastd' in group_names %}
 {% for peer in groups['uplink'] %}
 -A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
 -A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT
@@ -74,10 +71,6 @@ COMMIT
 -A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
 -A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT
 {% endfor %}
-{% for peer in groups['nat64'] %}
--A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
--A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT
-{% endfor %}
 {% for peer in groups['uplink'] | difference([inventory_hostname]) %}
 -A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
 -A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT

roles/configure_iptables/templates/iptables.rules

@@ -19,9 +19,6 @@
 {% for peer in groups['fastd'] %}
 -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
-{% for peer in groups['nat64'] %}
--A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff
-{% endfor %}
 {% for peer in groups['uplink'] | difference([inventory_hostname]) %}
 -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
@@ -29,11 +26,6 @@
 -A PREROUTING -i bb{{ peer.name }} -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
 {% endif %}
-{% if 'nat64' in group_names %}
-{% for peer in groups['uplink'] %}
--A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff
-{% endfor %}
-{% endif %}
 COMMIT
 *filter
 :INPUT DROP [0:0]

roles/install_babeld/templates/babeld.conf.j2

@@ -5,7 +5,7 @@
 ipv6-subtrees true
 
 # You must provide at least one interface for babeld to operate on.
-{% if ('fastd' in group_names) or ('nat64' in group_names) %}
+{% if ('fastd' in group_names) %}
 {% for peer in groups['uplink'] %}
 interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
 {% endfor %}
@@ -14,9 +14,6 @@ interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
 {% for peer in groups['fastd'] %}
 interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
 {% endfor %}
-{% for peer in groups['nat64'] %}
-interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
-{% endfor %}
 {% for peer in groups['uplink'] | difference([inventory_hostname]) %}
 interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
 {% endfor %}
@@ -45,7 +42,6 @@ in ip 10.30.0.0/18 allow
 in ip 10.222.0.0/16 allow
 in ip 2a03:2260:1016::/48 allow
 in ip 2003:46:e028::/48 allow # finzelberg
-in ip 64:ff9b::/96 allow # nat64
 in ip fd62:44e1:da::/48 allow
 in deny # ignore default routes on uplinks
 {% endif %}
@@ -67,7 +63,7 @@ redistribute ip 64:ff9b::/96 allow
 redistribute ip fd62:44e1:da::/48 allow
 redistribute local deny
 
-{% if ('fastd' in group_names or 'nat64' in group_names) and preferred_uplink is defined %}
+{% if ('fastd' in group_names) and preferred_uplink is defined %}
 {% for peer in groups['uplink'] %}
 {% if not hostvars[peer]['wireguard_bb_name'] == preferred_uplink %}
 in if bb{{ hostvars[peer]['wireguard_bb_name'] }} metric 64

roles/install_wireguard_backbone/tasks/main.yml

@@ -5,7 +5,7 @@
       dest: /etc/systemd/system/wgbackbone@.service
 
 - include_tasks: fastd_tasks.yml
-  when: "('fastd' in group_names) or ('nat64' in group_names)"
+  when: "('fastd' in group_names)"
 
 - include_tasks: uplink_tasks.yml
   when: "'uplink' in group_names"

roles/install_wireguard_backbone/tasks/uplink_tasks.yml

@@ -6,13 +6,6 @@
       mode: 0400
   with_items: "{{ groups['fastd'] }}"
 
-- name: create wireguard config for nat64
-  template:
-      src: wg.conf.j2
-      dest: /etc/wireguard/wgbb{{ hostvars[item]['wireguard_bb_name'] }}.conf
-      mode: 0400
-  with_items: "{{ groups['nat64'] }}"
-
 - name: create wireguard config for uplinks
   template:
       src: wg.conf.j2
@@ -34,13 +27,6 @@
       mode: 0744
   with_items: "{{ groups['fastd'] }}"
 
-- name: create wireguard up scripts for nat64
-  template:
-      src: up.sh.j2
-      dest: /etc/wireguard/upbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
-      mode: 0744
-  with_items: "{{ groups['nat64'] }}"
-
 - name: create wireguard up scripts for uplinks
   template:
       src: up.sh.j2
@@ -62,13 +48,6 @@
       mode: 0744
   with_items: "{{ groups['fastd'] }}"
 
-- name: create wireguard down scripts for nat64
-  template:
-      src: down.sh.j2
-      dest: /etc/wireguard/downbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
-      mode: 0744
-  with_items: "{{ groups['nat64'] }}"
-
 - name: create wireguard down scripts for uplinks
   template:
       src: down.sh.j2
@@ -91,14 +70,6 @@
       daemon_reload: yes
   with_items: "{{ groups['fastd'] }}"
 
-- name: start and enable wireguard mesh for nat64
-  systemd:
-      name: wgbackbone@{{ hostvars[item]['wireguard_bb_name'] }}.service
-      enabled: yes
-      state: started
-      daemon_reload: yes
-  with_items: "{{ groups['nat64'] }}"
-
 - name: start and enable wireguard mesh for uplinks
   systemd:
       name: wgbackbone@{{ hostvars[item]['wireguard_bb_name'] }}.service

setup_fastd.yml

@@ -79,26 +79,3 @@
   user: root
   roles:
       - setup_ffrl_tunnel
-- name: setup nat64
-  hosts: nat64
-  user: root
-  roles:
-      - configure_journald
-      - configure_sysctl
-      - configure_iptables
-      - configure_static_routes
-      #- install_ssmtp
-      - install_cronie
-      #- install_php
-      #- install_nginx
-      - install_ntp
-      - install_haveged
-      #- setup_batman
-      #- install_bind
-      - install_wireguard
-      - install_wireguard_backbone
-      - install_babeld
-      - install_monitoring
-      - install_iperf3
-      - update_ssh_keys
-      - install_admin_packages