Add inside and outside roles for VLANs

Will probably rename inside/outside and office/server to int/ext.

roles/exit/templates/frr.conf.j2

@@ -4,7 +4,8 @@
     | map(attribute='address') %}
 {% set my_index = inventory_hostname.split('-')[1]|int %}
 {% set bridge = interfaces | selectattr('type') | selectattr('type.value', '==', 'bridge') | first %}
-{% set my_vlans = bridge.tagged_vlans | sort(attribute='vid') -%}
+{% set bridge_vlans = vlans | selectattr('vid', 'in', bridge.tagged_vlans | map(attribute='vid')) -%}
+{% set inside_vlans = bridge_vlans | selectattr('role.slug', '==', 'inside') -%}
 
 frr defaults datacenter
 log syslog informational
@@ -162,7 +163,7 @@ router bgp {{ asn.asn }} vrf inside
 {% endfor %}
 
     redistribute connected route-map loopback-inside
-{% for vlan in my_vlans %}
+{% for vlan in inside_vlans %}
     import vrf {{ vlan.name }}
 {% endfor %}
     import vrf default
@@ -184,7 +185,7 @@ router bgp {{ asn.asn }} vrf inside
 {% endfor %}
 
     redistribute connected route-map loopback-inside
-{% for vlan in my_vlans %}
+{% for vlan in inside_vlans %}
     import vrf {{ vlan.name }}
 {% endfor %}
     import vrf default
@@ -192,7 +193,7 @@ router bgp {{ asn.asn }} vrf inside
   exit-address-family
 
 
-{% for vlan in my_vlans %}
+{% for vlan in inside_vlans %}
 # VRF for L2 network {{ vlan.name }}. Imports gateway from inside VRF.
 router bgp {{ asn.asn }} vrf {{ vlan.name }}
   bgp bestpath as-path multipath-relax
@@ -218,7 +219,7 @@ ipv6 prefix-list default permit ::/0
 ip prefix-list fabric permit 10.34.0.0/24 ge 32
 ipv6 prefix-list fabric permit 2001:1470:fffd:3400::/64 ge 128
 
-{% for vlan in my_vlans %}
+{% for vlan in inside_vlans %}
 {% set prefixes = query('netbox.netbox.nb_lookup', 'prefixes', api_filter='vlan_id='~vlan.id, raw_data=true) %}
 {% for prefix in prefixes %}
 {% if prefix.family.value == 4 %}

roles/exit/templates/networks.intf.j2

@@ -1,9 +1,9 @@
 {# Note that there must be exactly one VLAN-aware bridge. #}
 {% set bridge = interfaces | selectattr('type') | selectattr('type.value', '==', 'bridge') | first %}
-{% set my_vlans = bridge.tagged_vlans | sort(attribute='vid') -%}
+{% set bridge_vlans = vlans | selectattr('vid', 'in', bridge.tagged_vlans | map(attribute='vid')) -%}
 
-# VRFs.
-{% for vlan in my_vlans %}
+# A separate VRF for each inside network so we can firewall between them.
+{% for vlan in bridge_vlans | selectattr('role.slug', '==', 'inside') %}
 auto {{ vlan.name }}
 iface {{ vlan.name }}
     vrf-table auto
@@ -11,12 +11,12 @@ iface {{ vlan.name }}
 {% endfor %}
 
 # Interfaces.
-{% for vlan in my_vlans %}
+{% for vlan in bridge_vlans %}
 {% set prefixes = query('netbox.netbox.nb_lookup', 'prefixes', api_filter='vlan_id='~vlan.id, raw_data=true)
         | map(attribute='prefix') %}
 auto {{ bridge.name }}.{{ vlan.vid }}
 iface {{ bridge.name }}.{{ vlan.vid }}
-    vrf {{ vlan.name }}
+    vrf {% if vlan.role.slug == 'outside' %}outside{% else %}{{ vlan.name }}{% endif +%}
     mtu 9216
 {% if peer is defined %}
 {% set my_index = inventory_hostname.split('-')[1]|int %}

roles/firewall/templates/frr.conf.j2

@@ -86,11 +86,11 @@ ipv6 prefix-list default permit ::/0
 
 ip prefix-list fabric permit 10.34.0.0/24 ge 32
 
-{% for vlan in vlans %}
+{% for vlan in vlans | selectattr('role.slug', '==', 'inside') %}
 {% for prefix in query('netbox.netbox.nb_lookup', 'prefixes', api_filter='vlan_id='~vlan.id, raw_data=true) %}
 {% if prefix.family.value == 4 %}
 ip prefix-list office permit {{ prefix.prefix }} ge 24
-{% else %}
+{% elif prefix.family.value == 6 %}
 ipv6 prefix-list office permit {{ prefix.prefix }} ge 64
 {% endif %}
 {% endfor %}

roles/firewall/templates/networks.nft.j2

@@ -0,0 +1,9 @@
+{% for vlan in vlans %}
+set {{ vlan.name }}  {
+    type ipv4_addr; flags interval
+}
+set {{ vlan.name }}/6 {
+    type ipv6_addr; flags interval
+}
+
+{% endfor %}