Timotej Lazar
c3ff39fe72
It doesn’t matter for the rules themselves as nft does not do VRFs, but DNS names can only be resolved there. This is because all nodes use the same IPs in the default VRF, so DNS replies sent from there go to the active node. This allows using DNS names in firewall rules. Not yet sure if that is actually a good idea.
42 lines
891 B
Bash
42 lines
891 B
Bash
#!/bin/sh
|
|
|
|
set -e
|
|
|
|
apply() {
|
|
cp -R /opt/config/etc/nftables.d /etc || return 1
|
|
ip vrf exec mgmt nft -I /etc/nftables.d -f /etc/nftables.nft || return 2
|
|
cp -R /opt/config/etc/wireguard /etc || return 3
|
|
wg syncconf wg /etc/wireguard/wg.conf || return 4
|
|
}
|
|
|
|
cleanup() {
|
|
rm -fr /opt/config
|
|
}
|
|
|
|
message() {
|
|
logger "${@}"
|
|
echo "${@}"
|
|
}
|
|
|
|
# clean now and on exit
|
|
cleanup
|
|
trap cleanup EXIT
|
|
|
|
mkdir -p /opt/config
|
|
tar xz -C /opt/config --warning=no-timestamp
|
|
|
|
current="$(cat /opt/version 2>/dev/null || echo -1)"
|
|
next="$(cat /opt/config/version 2>/dev/null || echo -1)"
|
|
message "Updating config from v${current} to v${next}"
|
|
if [ "${next:-0}" -ne "${current:-0}" ] ; then
|
|
message "Applying config v${next}"
|
|
if apply ; then
|
|
echo "${next}" > /opt/version
|
|
message "Applied config v${next}"
|
|
else
|
|
error="$?"
|
|
message "Could not apply config v${next}, error ${error}"
|
|
exit "${error}"
|
|
fi
|
|
fi
|