From 45d3e6c4ec198b0767d4dae552af98df8ab226f7 Mon Sep 17 00:00:00 2001 From: Timotej Lazar Date: Wed, 13 Aug 2025 16:29:37 +0200 Subject: [PATCH 1/4] debian: fix network interface renaming To become one with proxmox. --- roles/debian/tasks/main.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/roles/debian/tasks/main.yml b/roles/debian/tasks/main.yml
index a795319..d4cf87d 100644
--- a/roles/debian/tasks/main.yml
+++ b/roles/debian/tasks/main.yml
@@ -5,9 +5,12 @@
 - name: Add rules to rename network interfaces
 template:
- dest: /etc/udev/rules.d/10-network.rules
- src: 10-network.rules.j2
- mode: 0644
+ dest: "/etc/systemd/network/10-{{ item.name }}.link"
+ src: interface.link.j2
+ mode: "0644"
+ loop: "{{ interfaces | selectattr('mac_address') }}"
+ loop_control:
+ label: "{{ item.name }}"
 notify: reboot
 - name: Set hostname
From ef69e31357ba946d0c82aa03b9a3b7c48b4402bc Mon Sep 17 00:00:00 2001 From: Timotej Lazar Date: Wed, 13 Aug 2025 16:37:47 +0200 Subject: [PATCH 2/4] =?UTF-8?q?debian:=20don=E2=80=99t=20set=20up=20firewa?= =?UTF-8?q?ll=20for=20proxmox=20hosts?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Also factor firewall setup into a separate task. There is no good way to distinguish Debian and Proxmox hosts in Ansible, so we rely on the cluster_type NetBox variable. --- roles/debian/tasks/firewall.yml | 26 ++++++++++++++++++++++++++ roles/debian/tasks/main.yml | 26 +++----------------------- 2 files changed, 29 insertions(+), 23 deletions(-) create mode 100644 roles/debian/tasks/firewall.yml
diff --git a/roles/debian/tasks/firewall.yml b/roles/debian/tasks/firewall.yml
new file mode 100644
index 0000000..5247171
--- /dev/null
+++ b/roles/debian/tasks/firewall.yml
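Review bot: The `/etc/udev/rules.d/10-network.rules` file that earlier runs of this task deployed is never removed, so hosts already managed by the role keep a udev rename rule set next to the new systemd `.link` files, and the two mechanisms can disagree about an interface's name once the NetBox data changes. Add a cleanup task right after the rename task, notifying the same `reboot` handler, so the migration is one-shot rather than leaving two renamers installed. Stale `10-<name>.link` files for interfaces later renamed or removed from `interfaces` are likewise never pruned; whether that matters depends on whether other roles also write into `/etc/systemd/network/`, which this hunk does not show.
```yaml
# … unchanged: Add rules to rename network interfaces task …

- name: Remove legacy udev interface rename rules
  file:
    path: /etc/udev/rules.d/10-network.rules
    state: absent
  notify: reboot
```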
@@ -0,0 +1,26 @@
+- name: Install nftables
+ package:
+ name: nftables
+- name: Set up generic firewall rules
+ copy:
+ dest: /etc/nftables.conf
+ src: nftables.conf
+ notify: reload nftables
+- name: Create nftables include directory
+ file:
+ path: /etc/nftables.d
+ state: directory
+- name: Set up local firewall rules
+ template:
+ dest: /etc/nftables.d/services.nft
+ src: services.nft.j2
+ notify: reload nftables
+- name: Enable firewall
+ service:
+ name: nftables
+ enabled: yes
+ state: started
diff --git a/roles/debian/tasks/main.yml b/roles/debian/tasks/main.yml
index d4cf87d..70f3e7d 100644
--- a/roles/debian/tasks/main.yml
+++ b/roles/debian/tasks/main.yml
@@ -30,7 +30,6 @@
 name:
 - git
 - ifupdown2
- - nftables
 - rsync
 - vim
 - tmux
@@ -76,28 +75,9 @@
 value: 'prohibit-password'
 notify: reload sshd
-- name: Set up generic firewall rules
- copy:
- dest: /etc/nftables.conf
- src: nftables.conf
- notify: reload nftables
-
-- name: Create nftables include directory
- file:
- path: /etc/nftables.d
- state: directory
-
-- name: Set up local firewall rules
- template:
- dest: /etc/nftables.d/services.nft
- src: services.nft.j2
- notify: reload nftables
-
-- name: Enable firewall
- service:
- name: nftables
- enabled: yes
- state: started
+- name: Set up firewall
+ include_tasks: firewall.yml
+ when: is_virtual or cluster_type != 'proxmox' # proxmox has its own firewall configuration
 - name: Install automatic upgrade package
 package:
From 011a0852bb62a7a9599830ec33a9eaadfd7d7a1d Mon Sep 17 00:00:00 2001 From: Timotej Lazar Date: Wed, 13 Aug 2025 17:11:09 +0200 Subject: [PATCH 3/4] proxmox: remove tasks done by debian role --- roles/proxmox/handlers/main.yml | 10 --------- roles/proxmox/tasks/main.yml | 29 ------------------------ roles/proxmox/tasks/network.yml | 40 --------------------------------- 3 files changed, 79 deletions(-)
diff --git a/roles/proxmox/handlers/main.yml b/roles/proxmox/handlers/main.yml
index a48f969..2da6a81 100644
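Review bot: `enabled: yes` in the Enable firewall task is a YAML 1.1 truthy spelling, while the rest of this series writes canonical scalars (`mode: "0644"` in the rename task); write `enabled: true` so yamllint's truthy check and YAML 1.2 parsers agree with the intent. Neither the `copy` of `/etc/nftables.conf` nor the `services.nft` template sets `mode`, so a fresh file gets the umask default and an existing file keeps whatever mode it already had; pinning `mode: "0644"` on both (or `"0755"` for the main file if the shipped `nftables.conf` is meant to run as an `nft -f` script like Debian's default) makes the result reproducible across hosts. I cannot see `files/nftables.conf` from here, so it is assumed to `include "/etc/nftables.d/*.nft"`; if it does not, the Set up local firewall rules task writes a file nothing loads.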
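Review bot: On a physical Proxmox host the new `when` skips nftables entirely, but nothing in this series enables or verifies the Proxmox firewall it defers to; as far as I know pve-firewall stays inactive until the datacenter-level `enable` option is set, so a freshly installed node would end up with no host firewall at all. Either assert that state in the proxmox role (for example fail unless `/etc/pve/firewall/cluster.fw` carries `enable: 1`) or keep a minimal nftables policy for those hosts. Proxmox hosts that already received nftables from earlier runs also keep `nftables.service` enabled with the old rules, since skipping the include neither stops nor removes it; a `service: name: nftables, enabled: false, state: stopped` task on the proxmox branch avoids two rulesets coexisting. Finally, a host missing `is_virtual` or `cluster_type` in the NetBox inventory makes the conditional error out as undefined rather than choosing a branch; `when: is_virtual | default(false) or (cluster_type | default('')) != 'proxmox'` fails safe toward installing the firewall.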
--- a/roles/proxmox/handlers/main.yml
+++ b/roles/proxmox/handlers/main.yml
@@ -1,7 +1,3 @@
-- name: reboot
- reboot:
- when: "'handler' not in ansible_skip_tags"
-
 - name: reload interfaces
 command: ifreload -a
 when: "'handler' not in ansible_skip_tags"
@@ -12,12 +8,6 @@
 state: reloaded
 when: "'handler' not in ansible_skip_tags"
-- name: reload sshd
- service:
- name: sshd
- state: reloaded
- when: "'handler' not in ansible_skip_tags"
-
 - name: update package cache
 package:
 update_cache: yes
diff --git a/roles/proxmox/tasks/main.yml b/roles/proxmox/tasks/main.yml
index 1141b87..98e02fd 100644
--- a/roles/proxmox/tasks/main.yml
+++ b/roles/proxmox/tasks/main.yml
@@ -3,44 +3,15 @@
 set_fact:
 is_primary: '{{ nodes is defined and inventory_hostname == (nodes | map(attribute="inventory_hostname") | sort | first) }}'
-- name: Set hostname
- hostname:
- name: '{{ inventory_hostname }}'
-
 - name: Set up hosts file
 template:
 dest: /etc/hosts
 src: hosts.j2
-- name: Set up resolv.conf
- template:
- dest: /etc/resolv.conf
- src: resolv.conf.j2
- mode: 0644
-
-- name: Disable SSH password authentication
- lineinfile:
- path: /etc/ssh/sshd_config
- regexp: '^#?{{ item.key }}'
- line: '{{ item.key }} {{ item.value }}'
- loop:
- - key: PasswordAuthentication
- value: 'no'
- - key: PermitRootLogin
- value: 'prohibit-password'
- notify: reload sshd
-
 - include_tasks: network.yml
 - include_tasks: repositories.yml
-- name: Install essential packages
- package:
- name:
- - git
- - vim
- - tmux
-
 - name: Set up sysctls
 copy:
 dest: /etc/sysctl.d/local.conf
diff --git a/roles/proxmox/tasks/network.yml b/roles/proxmox/tasks/network.yml
index 75d0fae..d01656d 100644
--- a/roles/proxmox/tasks/network.yml
+++ b/roles/proxmox/tasks/network.yml
@@ -1,13 +1,3 @@
-- name: Add rules to rename network interfaces
- template:
- dest: "/etc/systemd/network/10-{{ item.name }}.link"
- src: interface.link.j2
- mode: "0644"
- loop: "{{ interfaces | selectattr('mac_address') }}"
- loop_control:
- label: "{{ item.name }}"
- notify: reboot
-
 - name: Set up bridges
 template:
 dest: /etc/network/interfaces
@@ -21,34 +11,4 @@
 src: loopback.intf.j2
 notify: reload interfaces
-- name: Set up physical interfaces
- template:
- dest: /etc/network/interfaces.d/ansible.intf
- src: ansible.intf.j2
- mode: 0644
- notify: reload interfaces
-
-- name: Run SSH instance in management VRF
- when: interfaces | selectattr('vrf') | selectattr('vrf.name', '==', 'mgmt')
- block:
- - name: Configure SSH instance in management VRF
- copy:
- dest: /etc/ssh/
- src: sshd_config.mgmt
- mode: 0644
- notify: reboot
-
- - name: Set up a SSH instance in management VRF
- copy:
- dest: /etc/systemd/system/
- src: sshd@mgmt.service
- mode: 0644
- notify: reboot
-
- - name: Enable management SSH
- service:
- name: sshd@mgmt
- enabled: yes
- notify: reboot
-
 - meta: flush_handlers
From 246178fa5da6adf5801f1706ddc719e19034773c Mon Sep 17 00:00:00 2001 From: Timotej Lazar Date: Wed, 13 Aug 2025 17:14:28 +0200 Subject: [PATCH 4/4] =?UTF-8?q?frr:=20don=E2=80=99t=20BGP=20peer=20on=20di?= =?UTF-8?q?sabled=20interfaces?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/frr/templates/frr.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/frr/templates/frr.conf.j2 b/roles/frr/templates/frr.conf.j2
index c185a68..98c1797 100644
--- a/roles/frr/templates/frr.conf.j2
+++ b/roles/frr/templates/frr.conf.j2
@@ -16,7 +16,7 @@ router bgp {{ asn.asn }}
 neighbor fabric remote-as external
 neighbor fabric capability extended-nexthop
-{% for iface in interfaces | selectattr('name', 'match', '^lan') %}
+{% for iface in interfaces | selectattr('enabled') | selectattr('name', 'match', '^lan') %}
 neighbor {{ iface.name }} interface peer-group fabric
 {% endfor %}
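Review bot: `selectattr('enabled')` is a bare truthiness test, so an interface record that lacks an `enabled` key is not silently skipped: with Ansible's strict undefined handling the truth test on the undefined attribute should abort the whole template render, which is the safe direction for a peer list but a surprising failure mode. If the inventory can omit the key (I cannot tell from this hunk), `selectattr('enabled', 'defined') | selectattr('enabled') | selectattr('name', 'match', '^lan')` makes that explicit. A one-line template comment above the loop would also help the next reader, e.g. `{# unnumbered fabric peers: only enabled lan* interfaces #}`.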