From 9e2121c98797d746c3468cee29812a055e172696 Mon Sep 17 00:00:00 2001 
From: Nathan Higley Date: Wed, 3 Jan 2024 11:44:58 -0600 Subject: [PATCH 1/4] feat: upgrade vyos and standardize with vyos-ansible role --- .github/workflows/ansible-vyos.yaml | 1 + .gitmodules | 3 + ansible/Makefile | 5 + ansible/host_vars/vyos.yml | 627 ++++++++++-------- .../files/lab-astr0rack-net.zone | 0 ansible/playbooks/tailscale_setup.yml | 18 + .../templates/discord-init.sh | 0 .../vyos => playbooks}/templates/named.conf | 0 ansible/playbooks/vyos.yml | 22 + ansible/playbooks/vyos_prep.yml | 68 ++ ansible/roles/vyos | 1 + ansible/roles/vyos/tasks/bw.yml | 3 - ansible/roles/vyos/tasks/dhcp.yml | 20 - ansible/roles/vyos/tasks/dns_setup.yml | 71 -- ansible/roles/vyos/tasks/env.yml | 3 - ansible/roles/vyos/tasks/firewall.yml | 58 -- ansible/roles/vyos/tasks/general_setup.yml | 51 -- ansible/roles/vyos/tasks/interfaces.yml | 72 -- ansible/roles/vyos/tasks/main.yml | 83 --- ansible/roles/vyos/tasks/nat.yml | 7 - ansible/roles/vyos/tasks/save.yml | 4 - ansible/roles/vyos/tasks/static-mappings.yml | 7 - ansible/roles/vyos/tasks/tailscale_setup.yml | 13 - ansible/roles/vyos/templates/addressbook.j2 | 12 - ansible/roles/vyos/templates/policy_v4.j2 | 23 - ansible/roles/vyos/templates/policy_v6.j2 | 23 - ansible/roles/vyos/templates/zones.j2 | 40 -- ansible/{roles/vyos => }/vars/bw.yml | 1 + ansible/{roles/vyos => }/vars/env.yml | 1 + 29 files changed, 485 insertions(+), 752 deletions(-) create mode 100644 .gitmodules rename ansible/{roles/vyos => playbooks}/files/lab-astr0rack-net.zone (100%) create mode 100644 ansible/playbooks/tailscale_setup.yml rename ansible/{roles/vyos => playbooks}/templates/discord-init.sh (100%) rename ansible/{roles/vyos => playbooks}/templates/named.conf (100%) create mode 100644 ansible/playbooks/vyos_prep.yml create mode 160000 ansible/roles/vyos delete mode 100644 ansible/roles/vyos/tasks/bw.yml delete mode 100644 ansible/roles/vyos/tasks/dhcp.yml delete mode 100644 ansible/roles/vyos/tasks/dns_setup.yml delete mode 100644 
ansible/roles/vyos/tasks/env.yml delete mode 100644 ansible/roles/vyos/tasks/firewall.yml delete mode 100644 ansible/roles/vyos/tasks/general_setup.yml delete mode 100644 ansible/roles/vyos/tasks/interfaces.yml delete mode 100644 ansible/roles/vyos/tasks/main.yml delete mode 100644 ansible/roles/vyos/tasks/nat.yml delete mode 100644 ansible/roles/vyos/tasks/save.yml delete mode 100644 ansible/roles/vyos/tasks/static-mappings.yml delete mode 100644 ansible/roles/vyos/tasks/tailscale_setup.yml delete mode 100644 ansible/roles/vyos/templates/addressbook.j2 delete mode 100644 ansible/roles/vyos/templates/policy_v4.j2 delete mode 100644 ansible/roles/vyos/templates/policy_v6.j2 delete mode 100644 ansible/roles/vyos/templates/zones.j2 rename ansible/{roles/vyos => }/vars/bw.yml (77%) rename ansible/{roles/vyos => }/vars/env.yml (75%) diff --git a/.github/workflows/ansible-vyos.yaml b/.github/workflows/ansible-vyos.yaml index 5ff0bbb..2fd7a29 100644 --- a/.github/workflows/ansible-vyos.yaml +++ b/.github/workflows/ansible-vyos.yaml @@ -51,6 +51,7 @@ jobs: VY_LAB_DNS_KEY: ${{ secrets.VY_LAB_DNS_KEY }} VY_DISCORD_WEBHOOK: ${{ secrets.VY_DISCORD_WEBHOOK }} VY_TAILSCALE_AUTH_KEY: ${{ secrets.VY_TAILSCALE_AUTH_KEY }} + VY_USER_PASSWORD_HASH: ${{ secrets.VY_USER_PASSWORD_HASH }} run: ansible-playbook playbooks/vyos.yml --tags all,env --extra-vars "ansible_become_password=$ANSIBLE_BECOME_PASSWORD" - name: Logout of Tailscale diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000..9a7808a --- /dev/null +++ b/.gitmodules @@ -0,0 +1,3 @@ +[submodule "ansible/roles/vyos"] + path = ansible/roles/vyos + url = git@github.com:astr0n8t/vyos-ansible.git diff --git a/ansible/Makefile b/ansible/Makefile index 6be76ba..e724f75 100644 --- a/ansible/Makefile +++ b/ansible/Makefile 
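Review bot: The new submodule is registered with an SSH URL, `url = git@github.com:astr0n8t/vyos-ansible.git`, so any clone that fetches submodules — including a CI checkout with submodules enabled — needs an SSH identity with read access to that repository, and nothing in this commit shows one being provisioned for the workflow. If vyos-ansible is public, `url = https://github.com/astr0n8t/vyos-ansible.git` works anonymously and is what most submodule consumers expect; a private repository would need a deploy key either way, in which case a comment in .gitmodules saying so would help. Pinning the role to a fixed commit rather than a branch is the right choice for something that pushes firewall and user configuration, so keep that.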
@@ -19,6 +19,8 @@ proxmox-tf: vyos: ansible-playbook playbooks/vyos.yml --tags all,bw +vyos-dry-run: + ansible-playbook playbooks/vyos.yml --tags dry-run,bw --skip-tags always vyos-setup: ansible-playbook playbooks/vyos.yml --tags setup,bw vyos-dns: @@ -33,3 +35,6 @@ vyos-nat: ansible-playbook playbooks/vyos.yml --tags nat,bw vyos-firewall: ansible-playbook playbooks/vyos.yml --tags firewall,bw + +lint: + ansible-lint -x 'var-naming[no-role-prefix]' diff --git a/ansible/host_vars/vyos.yml b/ansible/host_vars/vyos.yml index b4c4aca..dd2d748 100644 --- a/ansible/host_vars/vyos.yml +++ b/ansible/host_vars/vyos.yml 
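Review bot: `vyos-dry-run` relies on `--skip-tags always` to keep the run from committing, which only holds if the role in the new submodule tags its save/commit tasks `always` the way the deleted in-tree save.yml did; the target gives no hint of that dependency on an external role. A comment above it would make the assumption visible: `# relies on the vyos role tagging its save/commit tasks 'always'`. The `lint` target's `-x 'var-naming[no-role-prefix]'` is reasonable for host_vars consumed by a third-party role, but a one-line comment explaining why would stop the next maintainer from removing the exclusion.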
@@ -1,105 +1,146 @@ --- -zones: - - name: external-rack - description: rack - - name: external-tailscale - description: lab - - name: internal-lab - description: lab - - name: template-net - description: template - - name: local - description: local - local: true +users: + - name: vyos + pw_hash: "{{ vyos_user_hash }}" + public_keys: + - name: astr0n8t@primary.yubikey + type: sk-ssh-ed25519@openssh.com + key: AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFEhLIyleqCaN3lEJ77AYc/q1uZlqsDJ4PKhBu0dXUa7AAAABHNzaDo= + - name: astr0n8t@secondary.yubikey + type: sk-ssh-ed25519@openssh.com + key: AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHKBaozeIJ+Gz7+J2dK2VrQPaWerVWH8a9xYIjhvygLmAAAABHNzaDo= + - name: astr0n8t@mobile + type: ecdsa-sha2-nistp256 + key: AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGwVUk4wWGiJQjd7P2z2XZ9Gzia0GTy2faoAnyWVEF+jweR2q16C75oIzZbgE1mN3oc4BD9z8rIA1ElX + - name: ghactions@github.com + type: ssh-ed25519 + key: AAAAC3NzaC1lZDI1NTE5AAAAIH8ts84bR4nen8+Kk6I48MDkg8WA+gnuoUFuCmG9B6Xg interfaces: - - vyos_if: "tailscale0" - desc: "tailscale" - enabled: "true" - external: true - zone: "external-tailscale" - - vyos_if: "eth0" - desc: "Rack" - enabled: "true" - zone: "external-rack" - - vyos_if: "eth1" - desc: "LABDC" - enabled: "true" - ipv4_addr: "10.0.0.1/24" + - name: eth0 + type: ethernet + desc: Rack + mac: 92:07:2b:55:57:c8 + ipv4_addr: dhcp + zone: external-rack + - name: eth1 + type: ethernet + desc: LABDC + mac: aa:06:c0:1f:48:d1 + ipv4_addr: 10.0.0.1/24 dhcp: - subnet: "10.0.0.0/24" - gw: "10.0.0.1" - dns: "10.0.0.1" - domain_name: "lab.astr0rack.net" - start: "10.0.0.100" - stop: "10.0.0.200" + subnet: 10.0.0.0/24 + gw: 10.0.0.1 + dns_servers: + - 10.0.0.1 + domain_name: lab.astr0rack.net + start: 10.0.0.100 + stop: 10.0.0.200 static_mappings: - name: dc-01 - mac: "22:ca:a4:90:bb:04" - ipv4: "10.0.0.50" + mac: 22:ca:a4:90:bb:04 + ipv4: 10.0.0.50 - name: dc-02 - mac: "ea:87:14:1a:6d:7f" - ipv4: "10.0.0.51" - zone: "internal-lab" - - vyos_if: 
"eth2" - desc: "LABDMZ" - enabled: "true" - ipv4_addr: "10.0.10.1/24" + mac: ea:87:14:1a:6d:7f + ipv4: 10.0.0.51 + - name: eth2 + type: ethernet + desc: LABDMZ + mac: a6:7e:41:70:6b:ca + ipv4_addr: 10.0.10.1/24 dhcp: - subnet: "10.0.10.0/24" - gw: "10.0.10.1" - dns: "10.0.10.1" - domain_name: "lab.astr0rack.net" - start: "10.0.10.100" - stop: "10.0.10.200" + subnet: 10.0.10.0/24 + gw: 10.0.10.1 + dns_servers: + - 10.0.10.1 + domain_name: lab.astr0rack.net + start: 10.0.10.100 + stop: 10.0.10.200 static_mappings: - name: dns-01 - mac: "36:aa:9e:ec:02:de" - ipv4: "10.0.10.10" + mac: 36:aa:9e:ec:02:de + ipv4: 10.0.10.10 - name: web-01 - mac: "92:65:8b:40:2a:7e" - ipv4: "10.0.10.20" - zone: "internal-lab" - - vyos_if: "eth3" - desc: "LABLAN" - enabled: "true" - ipv4_addr: "10.0.20.1/24" + mac: 92:65:8b:40:2a:7e + ipv4: 10.0.10.20 + - name: eth3 + type: ethernet + desc: LABLAN + mac: ba:e1:dc:d6:d5:80 + ipv4_addr: 10.0.20.1/24 dhcp: - subnet: "10.0.20.0/24" - gw: "10.0.20.1" - dns: "10.0.20.1" - domain_name: "lab.astr0rack.net" - start: "10.0.20.10" - stop: "10.0.20.200" - zone: "internal-lab" - - vyos_if: "eth4" - desc: "LABC2" - enabled: "true" - ipv4_addr: "10.0.255.1/24" + subnet: 10.0.20.0/24 + gw: 10.0.20.1 + dns_servers: + - 10.0.20.1 + domain_name: lab.astr0rack.net + start: 10.0.20.10 + stop: 10.0.20.200 + - name: eth4 + type: ethernet + desc: LABC2 + mac: a6:3e:71:ea:29:0d + ipv4_addr: 10.0.255.1/24 dhcp: - subnet: "10.0.255.0/24" - gw: "10.0.255.1" - dns: "10.0.255.1" - domain_name: "lab.astr0rack.net" - start: "10.0.255.150" - stop: "10.0.255.200" + subnet: 10.0.255.0/24 + gw: 10.0.255.1 + dns_servers: + - 10.0.255.1 + domain_name: lab.astr0rack.net + start: 10.0.255.150 + stop: 10.0.255.200 static_mappings: - name: c2 - mac: "1a:f4:ef:e2:f6:fe" - ipv4: "10.0.255.100" - zone: "internal-lab" - - vyos_if: "eth5" - desc: "TEMPLATENET" - enabled: "true" - ipv4_addr: "10.0.1.1/24" + mac: 1a:f4:ef:e2:f6:fe + ipv4: 10.0.255.100 + - name: eth5 + type: ethernet + 
desc: TEMPLATENET + mac: 56:e0:3a:73:1a:1f + ipv4_addr: 10.0.1.1/24 dhcp: - subnet: "10.0.1.0/24" - gw: "10.0.1.1" - dns: "1.1.1.1" - domain_name: "lab.astr0rack.net" - start: "10.0.1.10" - stop: "10.0.1.200" - zone: "template-net" -fw_addresses: + subnet: 10.0.1.0/24 + gw: 10.0.1.1 + dns_servers: + - 1.1.1.1 + domain_name: lab.astr0rack.net + start: 10.0.1.10 + stop: 10.0.1.200 +static_routes: + - subnet: 0.0.0.0/0 + dhcp_interface: eth0 +source_nat: + - outbound_interface: eth0 + source_address: 10.0.0.0/16 + translation_address: masquerade +dns: + search_domain: lab.astr0rack.net + servers: + - 1.1.1.1 + - 1.0.0.1 + host_name: vyos-core + domain_name: lab.astr0rack.net +ntp: + listen_address: 0.0.0.0 + servers: + - 0.pool.ntp.org + - 1.pool.ntp.org + - 2.pool.ntp.org + allowed_clients: + - 10.0.0.0/16 +ssh: + disable_password_authentication: true + disable_host_validation: true + listen_address: 0.0.0.0 +fw_global_options: + - name: all-ping + setting: enable + - name: state-policy related action + setting: accept + - name: state-policy established action + setting: accept + - name: state-policy invalid action + setting: drop +fw_address_groups: - name: dc-01 ip: 10.0.0.50 groups: @@ -143,7 +184,7 @@ fw_addresses: - lab-external - lab-reachable-tailscale - name: rack-space - ip: 192.168.0.0-192.168.255.255 + ip: 10.64.1.2-10.64.1.3 groups: - rack-ip-space - name: lab-space 
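Review bot: The MAC addresses under `interfaces[].mac` and `dhcp.static_mappings[].mac` lost the quotes the old file had; every value present contains a hex letter, so they still load as strings, but a MAC made only of decimal digits and colons (a constructed example: `10:20:30:40:50:59`) is read as a sexagesimal integer by YAML 1.1 loaders such as the one Ansible uses and would reach the role's `set` commands as a number. Quoting them, `mac: "92:07:2b:55:57:c8"`, keeps the type stable regardless of the value; the same applies to any other digits-and-colons string the role templates. Separately, `ssh.listen_address: 0.0.0.0` also binds sshd on the DHCP-addressed rack interface that `rack_to_local_ipv4` admits tcp/22 from, which is only acceptable because `disable_password_authentication: true` sits alongside it — a short comment tying those two keys together would keep a future edit from loosening one without the other.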
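Review bot: Narrowing `rack-space` from `192.168.0.0-192.168.255.255` to `10.64.1.2-10.64.1.3` also narrows every drop rule that references the `rack-ip-space` group (lab_to_rack_ipv4, local_to_rack_ipv4 and template_to_rack_ipv4 in the next hunk), so lab and template hosts can now reach any rack-side address outside those two IPs through the catch-all `tcp_udp accept` that follows each drop. The context lines just below still define `dev-space` as `192.168.55.4-192.168.55.254`, and the new tailscale play still advertises `192.168.55.0/24`, so that network evidently still exists and is no longer covered. If the intent was only to add the new upstream pair, add a second `fw_address_groups` entry with `ip: 192.168.0.0-192.168.255.255` and `groups: [rack-ip-space]` alongside this one; if wider lab-to-rack reachability is now intended, a comment on `rack-space` saying so would document the policy change.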
@@ -158,188 +199,250 @@ fw_addresses: ip: 192.168.55.4-192.168.55.254 groups: - dev-space -fw_policies: - mgmt: - ipv4: - - name: rack_to_local_ipv4 - zones: - from: external-rack - to: local - rules: - - protocol: tcp - port: 22 - action: accept - ipv4: - - name: rack_to_local_ipv4 - zones: - from: external-rack +fw_zones: + - name: external-rack + description: rack + interfaces: + - eth0 + - name: external-tailscale + description: lab + interfaces: + - tailscale0 + - name: internal-lab + description: lab + interfaces: + - eth1 + - eth2 + - eth3 + - eth4 + - name: template-net + description: template + interfaces: + - eth5 + - name: local + description: local + interfaces: + - local-zone +fw_rules: + - name: rack_to_local_ipv4 + assignments: + - from: external-rack to: local - rules: - - protocol: tcp - port: 22 - action: accept - - protocol: tcp - port: 53 - action: accept - - protocol: udp - port: 53 - action: accept - - protocol: udp - port: 41641 - action: accept - - protocol: icmp - action: accept - - protocol: all - action: drop - - name: lab_to_rack_ipv4 - zones: - from: internal-lab + ipv4: + - protocol: tcp + destination_port: 22 + action: accept + - protocol: tcp + destination_port: 53 + action: accept + - protocol: udp + destination_port: 53 + action: accept + - protocol: udp + destination_port: 41641 + action: accept + - protocol: icmp + action: accept + - protocol: all + action: drop + - name: lab_to_rack_ipv4 + assignments: + - from: internal-lab to: external-rack - rules: - - source_groups: lab-ip-space - dest_groups: rack-ip-space - protocol: all - action: drop - - source_groups: lab-ip-space - protocol: tcp_udp - action: accept - - protocol: all - action: drop - - name: local_to_rack_ipv4 - zones: - from: local + ipv4: + - source_group: + type: address + name: lab-ip-space + destination_group: + type: address + name: rack-ip-space + protocol: all + action: drop + - source_group: + type: address + name: lab-ip-space + protocol: tcp_udp + action: 
accept + - protocol: all + action: drop + - name: local_to_rack_ipv4 + assignments: + - from: local to: external-rack - rules: - - dest_groups: lab-external - protocol: tcp_udp - action: accept - - dest_groups: lab-external - protocol: icmp - action: accept - - dest_groups: rack-ip-space - protocol: all - action: drop - - protocol: tcp_udp - action: accept - - protocol: icmp - action: accept - - protocol: all - action: drop - - name: local_to_lab_ipv4 - zones: - from: local + ipv4: + - destination_group: + type: address + name: lab-external + protocol: tcp_udp + action: accept + - destination_group: + type: address + name: lab-external + protocol: icmp + action: accept + - destination_group: + type: address + name: rack-ip-space + protocol: all + action: drop + - protocol: tcp_udp + action: accept + - protocol: icmp + action: accept + - protocol: all + action: drop + - name: local_to_lab_ipv4 + assignments: + - from: local to: internal-lab - rules: - - protocol: all - action: accept - - name: lab_to_local_ipv4 - zones: - from: internal-lab + ipv4: + - protocol: all + action: accept + - name: lab_to_local_ipv4 + assignments: + - from: internal-lab to: local - rules: - - protocol: udp - port: 53 - action: accept - - protocol: udp - port: 123 - action: accept - - protocol: all - action: drop - - name: tailscale_to_lab_ipv4 - zones: - from: external-tailscale + ipv4: + - protocol: udp + destination_port: 53 + action: accept + - protocol: udp + destination_port: 123 + action: accept + - protocol: all + action: drop + - name: tailscale_to_lab_ipv4 + assignments: + - from: external-tailscale to: internal-lab - rules: - - protocol: all - action: accept - - name: tailscale_to_external_rack_ipv4 - zones: - from: external-tailscale + ipv4: + - protocol: all + action: accept + - name: tailscale_to_external_rack_ipv4 + assignments: + - from: external-tailscale to: external-rack - rules: - - dest_groups: external-pm - protocol: tcp - port: 22 - action: accept - - dest_groups: 
external-pm - protocol: tcp - port: 443 - action: accept - - dest_groups: external-pm - protocol: tcp - port: 5432 - action: accept - - dest_groups: dev-space - protocol: tcp_udp - action: accept - - dest_groups: lab-reachable-tailscale - protocol: icmp - action: accept - - protocol: all - action: drop - - name: tailscale_to_local_ipv4 - zones: - from: external-tailscale - to: local - rules: - - dest_groups: external-vyos - protocol: tcp_udp - port: 53 - action: accept - - dest_groups: external-vyos - protocol: tcp - port: 22 - action: accept - - protocol: icmp - action: accept - - protocol: all - action: drop - - name: local_to_tailscale_ipv4 - zones: - from: local + ipv4: + - destination_group: + type: address + name: external-pm + protocol: tcp + destination_port: 22 + action: accept + - destination_group: + type: address + name: external-pm + protocol: tcp + destination_port: 443 + action: accept + - destination_group: + type: address + name: external-pm + protocol: tcp + destination_port: 5432 + action: accept + - destination_group: + type: address + name: dev-space + protocol: tcp_udp + action: accept + - destination_group: + type: address + name: lab-reachable-tailscale + protocol: icmp + action: accept + - protocol: all + action: drop + - name: tailscale_to_local_ipv4 + assignments: + from: external-tailscale + to: local + ipv4: + - destination_group: + type: address + name: external-vyos + protocol: tcp_udp + destination_port: 53 + action: accept + - destination_group: + type: address + name: external-vyos + protocol: tcp + destination_port: 22 + action: accept + - protocol: icmp + action: accept + - protocol: all + action: drop + - name: local_to_tailscale_ipv4 + assignments: + - from: local to: external-tailscale - rules: - - dest_groups: tailscale-dns - protocol: tcp_udp - port: 53 - action: accept - - protocol: icmp - action: accept - - protocol: all - action: drop - - name: tailscale_to_template_net_ipv4 - zones: - from: external-tailscale + ipv4: + - 
destination_group: + type: address + name: tailscale-dns + protocol: tcp_udp + destination_port: 53 + action: accept + - protocol: icmp + action: accept + - protocol: all + action: drop + - name: tailscale_to_template_net_ipv4 + assignments: + - from: external-tailscale to: template-net - rules: - - protocol: tcp - port: 22 - action: accept - - protocol: icmp - action: accept - - protocol: all - action: drop - - name: template_net_to_tailscale_ipv4 - zones: - from: template-net + ipv4: + - protocol: tcp + destination_port: 22 + action: accept + - protocol: icmp + action: accept + - protocol: all + action: drop + - name: template_net_to_tailscale_ipv4 + assignments: + - from: template-net to: external-tailscale - rules: - - protocol: tcp_udp - action: accept - - protocol: icmp - action: accept - - protocol: all - action: drop - - name: template_to_rack_ipv4 - zones: - from: template-net + ipv4: + - protocol: tcp_udp + action: accept + - protocol: icmp + action: accept + - protocol: all + action: drop + - name: template_to_rack_ipv4 + assignments: + - from: template-net to: external-rack - rules: - - dest_groups: rack-ip-space - protocol: all - action: drop - - source_groups: lab-ip-space - protocol: tcp_udp - action: accept - - protocol: all - action: drop + ipv4: + - destination_group: + type: address + name: rack-ip-space + protocol: all + action: drop + - source_group: + type: address + name: lab-ip-space + protocol: tcp_udp + action: accept + - protocol: all + action: drop +containers: + - name: bind9 + image: docker.io/ubuntu/bind9:latest + network: allow-host-networks + environment: + - key: BIND9_USER + value: root + volumes: + - name: config + destination: /etc/bind + source: /config/user-data/bind9/etc + - name: cache + destination: /var/cache/bind + source: /config/user-data/bind9/cache + - name: records + destination: /var/lib/bind + source: /config/user-data/bind9/records 
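Review bot: `tailscale_to_local_ipv4` is the only rule whose `assignments` is a mapping (`assignments:` / `from: external-tailscale` / `to: local`) rather than a one-element list like every sibling (`- from: …`); depending on how the role iterates `assignments`, that either fails at template time or silently never binds the ruleset to the external-tailscale→local pair, in which case the tcp_udp/53 and tcp/22 accepts for `external-vyos` never take effect. The fix is `- from: external-tailscale` with `to: local` indented under it, matching the others. Separately, the bind9 container keeps `BIND9_USER: root` together with `allow-host-networks` (carried over from the deleted dns_setup.yml); if the image's `BIND9_USER` accepts a non-root account, as its documentation of that variable suggests, running as that user limits what a resolver compromise can do on the router, subject to the volume ownership vyos_prep.yml sets.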
diff --git a/ansible/roles/vyos/files/lab-astr0rack-net.zone b/ansible/playbooks/files/lab-astr0rack-net.zone
similarity index 100%
rename from ansible/roles/vyos/files/lab-astr0rack-net.zone
rename to ansible/playbooks/files/lab-astr0rack-net.zone
diff --git a/ansible/playbooks/tailscale_setup.yml b/ansible/playbooks/tailscale_setup.yml
new file mode 100644
index 0000000..1230d61
--- /dev/null
+++ b/ansible/playbooks/tailscale_setup.yml
@@ -0,0 +1,18 @@
+---
+- name: Setup tailscale on vyos
+ hosts: vyos
+ gather_facts: false
+ become: true
+ tasks:
+ - name: Check tailscale status
+ vyos.vyos.vyos_command:
+ commands:
+ - tailscale status
+ register: tailscale_status
+
+ - name: Login to tailscale and start
+ vyos.vyos.vyos_command:
+ commands:
+ - "sudo tailscale login --auth-key={{ tailscale_auth_key }}"
+ - "sudo tailscale up --advertise-routes=10.0.0.0/16,192.168.55.0/24"
+ when: tailscale_status.stdout is search('Logged out')
diff --git a/ansible/roles/vyos/templates/discord-init.sh b/ansible/playbooks/templates/discord-init.sh
similarity index 100%
rename from ansible/roles/vyos/templates/discord-init.sh
rename to ansible/playbooks/templates/discord-init.sh
diff --git a/ansible/roles/vyos/templates/named.conf b/ansible/playbooks/templates/named.conf
similarity index 100%
rename from ansible/roles/vyos/templates/named.conf
rename to ansible/playbooks/templates/named.conf
diff --git a/ansible/playbooks/vyos.yml b/ansible/playbooks/vyos.yml
index 5c1391a..43526fa 100644
--- a/ansible/playbooks/vyos.yml
+++ b/ansible/playbooks/vyos.yml
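Review bot: The login task passes the auth key on the command line, `sudo tailscale login --auth-key={{ tailscale_auth_key }}`, without `no_log: true`, so a `-v` run, the error output of a failed task, or any callback or log plugin prints the key in clear. Add `no_log: true` to that task; the `when:` guard does not change what gets logged when it does run. The status check also assumes `tailscale status` exits successfully when logged out; if it returns non-zero on that host the first task fails before the guard is evaluated, which `failed_when: false` on the check would handle. This content is moved verbatim from the deleted role task, so the issue is carried over rather than introduced here.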
@@ -1,4 +1,26 @@
 ---
+- name: Get variables from bitwarden
+ hosts: vyos
+ gather_facts: false
+ tags: [never, bw]
+ tasks:
+ - name: Include variables from Bitwarden
+ ansible.builtin.include_vars: '../vars/bw.yml'
+
+- name: Get variables from env
+ hosts: vyos
+ gather_facts: false
+ tags: [never, env]
+ tasks:
+ - name: Include variables from environment
+ ansible.builtin.include_vars: '../vars/env.yml'
+
+- name: Run vyos prep
+ import_playbook: 'vyos_prep.yml'
+
+- name: Run vyos tailscale setup
+ import_playbook: 'tailscale_setup.yml'
+
 - name: Run the VyOS role
 hosts: vyos
 become: true
diff --git a/ansible/playbooks/vyos_prep.yml b/ansible/playbooks/vyos_prep.yml
new file mode 100644
index 0000000..effb9e8
--- /dev/null
+++ b/ansible/playbooks/vyos_prep.yml
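Review bot: The two imported playbooks (`vyos_prep.yml`, `tailscale_setup.yml`) carry no tags, so under any tag-restricted invocation — the Makefile's `--tags setup,bw`, `--tags dns,bw`, `--tags dry-run,bw` — their tasks are skipped, whereas the deleted role ran the bind9 config and zone copy under `dns` and the discord script under `setup`; only `--tags all,…` reaches them now. If that is intended, a comment on the imports such as `# untagged: these plays only run when --tags includes all` would prevent surprise; otherwise give the plays inside those files play-level `tags:` matching the old ones. Variables loaded by `include_vars` in the first two plays should persist as host vars for the later plays, so the split into separate plays looks sound.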
@@ -0,0 +1,68 @@
+---
+- name: Prep vyos
+ hosts: vyos
+ gather_facts: false
+ become: true
+ tasks:
+ - name: Set facts for ansible ssh
+ ansible.builtin.set_fact:
+ ansible_connection: ssh
+ ansible_user: vyos
+
+ - name: Copy discord notify script
+ ansible.builtin.template:
+ src: discord-init.sh
+ dest: /config/user-data/
+ mode: "0755"
+
+ - name: Enable discord notify script
+ ansible.builtin.lineinfile:
+ path: '/config/scripts/vyos-postconfig-bootup.script'
+ regexp: '^/config/user-data/discord-init.sh'
+ line: '/config/user-data/discord-init.sh &1>/dev/null'
+
+ - name: Create bind9 config directory
+ ansible.builtin.file:
+ path: /config/user-data/bind9/etc
+ state: directory
+ mode: '0775'
+ owner: root
+ group: vyattacfg
+ recurse: true
+
+ - name: Copy the named.conf
+ ansible.builtin.template:
+ src: named.conf
+ dest: /config/user-data/bind9/etc/
+ owner: root
+ group: vyattacfg
+ mode: "0660"
+
+ - name: Copy the Zone file
+ ansible.builtin.copy:
+ src: lab-astr0rack-net.zone
+ dest: /config/user-data/bind9/etc/
+ owner: root
+ group: vyattacfg
+ mode: "0660"
+
+ - name: Create bind9 cache directory
+ ansible.builtin.file:
+ path: /config/user-data/bind9/cache
+ state: directory
+ mode: '0775'
+ owner: root
+ group: vyattacfg
+
+ - name: Create bind9 record directory
+ ansible.builtin.file:
+ path: /config/user-data/bind9/records
+ state: directory
+ mode: '0775'
+ owner: root
+
+ - name: Set facts for network connection
+ ansible.builtin.set_fact:
+ ansible_connection: ansible.netcommon.network_cli
+ ansible_network_os: vyos.vyos.vyos
+ ansible_user: vyos
diff --git a/ansible/roles/vyos b/ansible/roles/vyos
new file mode 160000
index 0000000..d446a26
--- /dev/null
+++ b/ansible/roles/vyos
@@ -0,0 +1 @@
+Subproject commit d446a262477ec5341e770b7168cfa066787f2818
diff --git a/ansible/roles/vyos/tasks/bw.yml b/ansible/roles/vyos/tasks/bw.yml
deleted file mode 100644
index be25eca..0000000
--- a/ansible/roles/vyos/tasks/bw.yml
+++ /dev/null
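Review bot: `Create bind9 record directory` drops the `group: vyattacfg` that its two sibling directory tasks and the deleted dns_setup.yml version set, so `/config/user-data/bind9/records` ends up with whatever group `ansible.builtin.file` leaves by default while the etc and cache directories get `vyattacfg`; add `group: vyattacfg` under `owner: root` unless the omission is deliberate. The line written by `Enable discord notify script`, `/config/user-data/discord-init.sh &1>/dev/null`, backgrounds the script and then runs a bare `1>/dev/null` redirection as a separate command, so the script's output is not actually discarded; `/config/user-data/discord-init.sh >/dev/null 2>&1 &` is likely what was meant (this is carried over from general_setup.yml). The discord template is installed with `mode: "0755"`; if it embeds the webhook URL from `VY_DISCORD_WEBHOOK`, `mode: "0750"` keeps it from being readable by every local account while still executable at boot.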
@@ -1,3 +0,0 @@ ---- -- name: Include variables from Bitwarden - ansible.builtin.include_vars: bw.yml diff --git a/ansible/roles/vyos/tasks/dhcp.yml b/ansible/roles/vyos/tasks/dhcp.yml deleted file mode 100644 index 2665dcc..0000000 --- a/ansible/roles/vyos/tasks/dhcp.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -- name: Configure DHCP - vyos.vyos.vyos_config: - lines: - - "set service dhcp-server shared-network-name {{ item.desc }} subnet {{ item.dhcp.subnet }} default-router '{{ item.dhcp.gw }}'" - - "set service dhcp-server shared-network-name {{ item.desc }} subnet {{ item.dhcp.subnet }} name-server '{{ item.dhcp.dns }}'" - - "set service dhcp-server shared-network-name {{ item.desc }} subnet {{ item.dhcp.subnet }} domain-name '{{ item.dhcp.domain_name }}'" - - "set service dhcp-server shared-network-name {{ item.desc }} subnet {{ item.dhcp.subnet }} domain-search '{{ item.dhcp.domain_name }}'" - - "set service dhcp-server shared-network-name {{ item.desc }} subnet {{ item.dhcp.subnet }} lease '86400'" - - "set service dhcp-server shared-network-name {{ item.desc }} subnet {{ item.dhcp.subnet }} range 0 start '{{ item.dhcp.start }}'" - - "set service dhcp-server shared-network-name {{ item.desc }} subnet {{ item.dhcp.subnet }} range 0 stop '{{ item.dhcp.stop }}'" - when: item.dhcp is defined - loop: "{{ interfaces }}" - -- name: Configure DHCP Static Mappings - ansible.builtin.include_tasks: static-mappings.yml - when: interface.dhcp.static_mappings is defined - loop: "{{ interfaces }}" - loop_control: - loop_var: interface diff --git a/ansible/roles/vyos/tasks/dns_setup.yml b/ansible/roles/vyos/tasks/dns_setup.yml deleted file mode 100644 index 5e5ffb9..0000000 --- a/ansible/roles/vyos/tasks/dns_setup.yml +++ /dev/null 
@@ -1,71 +0,0 @@ ---- -- name: Set facts for ansible ssh - ansible.builtin.set_fact: - ansible_connection: ssh - ansible_user: vyos - -- name: Create bind9 config directory - ansible.builtin.file: - path: /config/user-data/bind9/etc - state: directory - mode: '0775' - owner: root - group: vyattacfg - recurse: true - -- name: Copy the named.conf - ansible.builtin.template: - src: named.conf - dest: /config/user-data/bind9/etc/ - owner: root - group: vyattacfg - mode: "0660" - -- name: Copy the Zone file - ansible.builtin.copy: - src: lab-astr0rack-net.zone - dest: /config/user-data/bind9/etc/ - owner: root - group: vyattacfg - mode: "0660" - -- name: Create bind9 cache directory - ansible.builtin.file: - path: /config/user-data/bind9/cache - state: directory - mode: '0775' - owner: root - group: vyattacfg - -- name: Create bind9 record directory - ansible.builtin.file: - path: /config/user-data/bind9/records - state: directory - mode: '0775' - owner: root - group: vyattacfg - -- name: Set facts for network connection - ansible.builtin.set_fact: - ansible_connection: ansible.netcommon.network_cli - ansible_network_os: vyos.vyos.vyos - ansible_user: vyos - -- name: Configure and start bind9 - vyos.vyos.vyos_config: - lines: - - set container name bind9 image 'docker.io/ubuntu/bind9:latest' - - set container name bind9 allow-host-networks - - set container name bind9 environment BIND9_USER value 'root' - - set container name bind9 volume config destination '/etc/bind' - - set container name bind9 volume config source '/config/user-data/bind9/etc' - - set container name bind9 volume cache destination '/var/cache/bind' - - set container name bind9 volume cache source '/config/user-data/bind9/cache' - - set container name bind9 volume records destination '/var/lib/bind' - - set container name bind9 volume records source '/config/user-data/bind9/records' - -- name: Pull bind9 image and start container - vyos.vyos.vyos_command: - commands: - - update container image bind9 - 
- restart container bind9 diff --git a/ansible/roles/vyos/tasks/env.yml b/ansible/roles/vyos/tasks/env.yml deleted file mode 100644 index 1b3f717..0000000 --- a/ansible/roles/vyos/tasks/env.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -- name: Include variables from environment - ansible.builtin.include_vars: env.yml diff --git a/ansible/roles/vyos/tasks/firewall.yml b/ansible/roles/vyos/tasks/firewall.yml deleted file mode 100644 index 98da18a..0000000 --- a/ansible/roles/vyos/tasks/firewall.yml +++ /dev/null @@ -1,58 +0,0 @@ ---- -# tasks file for firewall -# from https://gitlab.com/stuh84/network-automation-ansible/-/blob/master/vyos/roles/firewall/tasks/main.yml -# Also retrieved templates -# -- name: Remove all firewall rules - vyos.vyos.vyos_config: - lines: - - delete firewall - -- name: Allow all local ICMP - vyos.vyos.vyos_config: - lines: - - set firewall all-ping enable - tags: - - firewall - -- name: Allow stateful traffic - vyos.vyos.vyos_config: - lines: - - set firewall state-policy established action accept - - set firewall state-policy related action accept - tags: - - firewall - -- name: Define Addresses - vyos.vyos.vyos_config: - src: addressbook.j2 - when: - - fw_addresses is defined - tags: - - firewall - -- name: Define zones - vyos.vyos.vyos_config: - src: zones.j2 - when: - - zones is defined - tags: - - firewall - -- name: Define Zone Policies - IPv4 - vyos.vyos.vyos_config: - src: policy_v4.j2 - when: - - fw_policies is defined - - fw_policies.ipv4 is defined - tags: - - firewall - -- name: Define Zone Policies - IPv6 - vyos.vyos.vyos_config: - src: policy_v6.j2 - when: - - fw_policies is defined - - fw_policies.ipv6 is defined - tags: - - firewall diff --git a/ansible/roles/vyos/tasks/general_setup.yml b/ansible/roles/vyos/tasks/general_setup.yml deleted file mode 100644 index 059cba0..0000000 --- a/ansible/roles/vyos/tasks/general_setup.yml +++ /dev/null 
@@ -1,51 +0,0 @@ ---- -- name: Configure name servers - vyos.vyos.vyos_system: - name_servers: - - 1.1.1.1 - - 1.0.0.1 - -- name: Configure domain search suffixes - vyos.vyos.vyos_system: - domain_search: - - lab.astr0rack.net - -- name: Configure hostname and domain-name - vyos.vyos.vyos_system: - host_name: vyos-core - domain_name: lab.astr0rack.net - -- name: Configure default route - vyos.vyos.vyos_config: - lines: - - set protocols static route 0.0.0.0/0 dhcp-interface 'eth0' - -- name: Configure ntp - vyos.vyos.vyos_config: - lines: - - set service ntp server 192.168.55.1 prefer - - set service ntp listen-address 0.0.0.0 - - set service ntp allow-client address 10.0.0.0/16 - -- name: Set facts for ansible ssh - ansible.builtin.set_fact: - ansible_connection: ssh - ansible_user: vyos - -- name: Copy discord notify script - ansible.builtin.template: - src: discord-init.sh - dest: /config/user-data/ - mode: "0755" - -- name: Enable discord notify script - ansible.builtin.lineinfile: - path: '/config/scripts/vyos-postconfig-bootup.script' - regexp: '^/config/user-data/discord-init.sh' - line: '/config/user-data/discord-init.sh &1>/dev/null' - -- name: Set facts for network connection - ansible.builtin.set_fact: - ansible_connection: ansible.netcommon.network_cli - ansible_network_os: vyos.vyos.vyos - ansible_user: vyos diff --git a/ansible/roles/vyos/tasks/interfaces.yml b/ansible/roles/vyos/tasks/interfaces.yml deleted file mode 100644 index 66f9baa..0000000 --- a/ansible/roles/vyos/tasks/interfaces.yml +++ /dev/null 
@@ -1,72 +0,0 @@ ---- -# From https://gitlab.com/stuh84/network-automation-ansible/-/blob/master/vyos/roles/interfaces/tasks/main.yml -# tasks file for interfaces -- name: Configure interfaces - Status and Descriptions - vyos.vyos.vyos_interfaces: - config: - - name: "{{ item.vyos_if }}" - description: "{{ item.desc }}" - enabled: "{{ item.enabled }}" - when: - - item.vif is not defined - - item.external is not defined - loop: "{{ interfaces }}" - -- name: Configure interfaces - Status and Descriptions - vifs - vyos.vyos.vyos_interfaces: - config: - - name: "{{ item.vyos_if }}" - vifs: - - description: "{{ item.desc }}" - enabled: "{{ item.enabled }}" - vlan_id: "{{ item.vif }}" - when: item.vif is defined - loop: "{{ interfaces }}" - -- name: Configure interfaces - L3 IPv4 - vyos.vyos.vyos_l3_interfaces: - config: - - name: "{{ item.vyos_if }}" - ipv4: - - address: "{{ item.ipv4_addr }}" - when: - - item.ipv4_addr is defined - - item.vif is not defined - loop: "{{ interfaces }}" - -- name: Configure interfaces - L3 IPv4 - vifs - vyos.vyos.vyos_l3_interfaces: - config: - - name: "{{ item.vyos_if }}" - vifs: - - ipv4: - - address: "{{ item.ipv4_addr }}" - vlan_id: "{{ item.vif }}" - when: - - item.ipv4_addr is defined - - item.vif is defined - loop: "{{ interfaces }}" - -- name: Configure interfaces - L3 IPv6 - vyos.vyos.vyos_l3_interfaces: - config: - - name: "{{ item.vyos_if }}" - ipv6: - - address: "{{ item.ipv6_addr }}" - when: - - item.ipv6_addr is defined - - item.vif is not defined - loop: "{{ interfaces }}" - -- name: Configure interfaces - L3 IPv6 - vifs - vyos.vyos.vyos_l3_interfaces: - config: - - name: "{{ item.vyos_if }}" - vifs: - - ipv6: - - address: "{{ item.ipv6_addr }}" - vlan_id: "{{ item.vif }}" - when: - - item.ipv6_addr is defined - - item.vif is defined - loop: "{{ interfaces }}" diff --git a/ansible/roles/vyos/tasks/main.yml b/ansible/roles/vyos/tasks/main.yml deleted file mode 100644 index 2a4549b..0000000 
--- a/ansible/roles/vyos/tasks/main.yml +++ /dev/null @@ -1,83 +0,0 @@ ---- -- name: Include secrets from environment - ansible.builtin.include_tasks: - file: env.yml - apply: - tags: - - env - tags: - - env - - never -- name: Include secrets from bitwarden - ansible.builtin.include_tasks: - file: bw.yml - apply: - tags: - - bw - tags: - - bw - - never -- name: Apply general setup and hardening - ansible.builtin.include_tasks: - file: general_setup.yml - apply: - tags: - - setup - tags: - - setup -- name: Configure DNS Setup - ansible.builtin.include_tasks: - file: dns_setup.yml - apply: - tags: - - dns - tags: - - dns -- name: Configure Tailscale - ansible.builtin.include_tasks: - file: tailscale_setup.yml - apply: - tags: - - tailscale - tags: - - tailscale -- name: Configure Interfaces - ansible.builtin.include_tasks: - file: interfaces.yml - apply: - tags: - - interfaces - tags: - - interfaces -- name: Configure DHCP - ansible.builtin.include_tasks: - file: dhcp.yml - apply: - tags: - - dhcp - tags: - - dhcp -- name: Configure Outbound NAT - ansible.builtin.include_tasks: - file: nat.yml - apply: - tags: - - nat - tags: - - nat -- name: Configure Firewall - ansible.builtin.include_tasks: - file: firewall.yml - apply: - tags: - - firewall - tags: - - firewall -- name: Save Configuration - ansible.builtin.include_tasks: - file: save.yml - apply: - tags: - - always - tags: - - always diff --git a/ansible/roles/vyos/tasks/nat.yml b/ansible/roles/vyos/tasks/nat.yml deleted file mode 100644 index 5206e8a..0000000 --- a/ansible/roles/vyos/tasks/nat.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: Configure interface NAT - vyos.vyos.vyos_config: - lines: - - set nat source rule 1 outbound-interface 'eth0' - - set nat source rule 1 source address '10.0.0.0/16' - - set nat source rule 1 translation address 'masquerade' diff --git a/ansible/roles/vyos/tasks/save.yml b/ansible/roles/vyos/tasks/save.yml deleted file mode 100644 index e1257ea..0000000 
--- a/ansible/roles/vyos/tasks/save.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- name: Save the configuration - vyos.vyos.vyos_config: - save: true diff --git a/ansible/roles/vyos/tasks/static-mappings.yml b/ansible/roles/vyos/tasks/static-mappings.yml deleted file mode 100644 index e3aba15..0000000 --- a/ansible/roles/vyos/tasks/static-mappings.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: "Configure DHCP Static Mappings: {{ interface.desc }}" - vyos.vyos.vyos_config: - lines: - - "set service dhcp-server shared-network-name {{ interface.desc }} subnet {{ interface.dhcp.subnet }} static-mapping {{ item.name }} mac-address '{{ item.mac }}'" # noqa: yaml[line-length] - - "set service dhcp-server shared-network-name {{ interface.desc }} subnet {{ interface.dhcp.subnet }} static-mapping {{ item.name }} ip-address '{{ item.ipv4 }}'" # noqa: yaml[line-length] - loop: "{{ interface.dhcp.static_mappings }}" diff --git a/ansible/roles/vyos/tasks/tailscale_setup.yml b/ansible/roles/vyos/tasks/tailscale_setup.yml deleted file mode 100644 index 2026d53..0000000 --- a/ansible/roles/vyos/tasks/tailscale_setup.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -- name: Check tailscale status - vyos.vyos.vyos_command: - commands: - - tailscale status - register: tailscale_status - -- name: Login to tailscale and start - vyos.vyos.vyos_command: - commands: - - "sudo tailscale login --auth-key={{ tailscale_auth_key }}" - - "sudo tailscale up --advertise-routes=10.0.0.0/16,192.168.55.0/24" - when: tailscale_status.stdout is search('Logged out') diff --git a/ansible/roles/vyos/templates/addressbook.j2 b/ansible/roles/vyos/templates/addressbook.j2 deleted file mode 100644 index df358ad..0000000 --- a/ansible/roles/vyos/templates/addressbook.j2 +++ /dev/null 
@@ -1,12 +0,0 @@
-{% for address in fw_addresses %}
-{% if address['groups'] is defined %}
-{% for group in address['groups'] %}
-{% if address['ip'] is defined %}
-set firewall group address-group {{ group }} address {{ address['ip'] }}
-{% endif %}
-{% if address['ipv6'] is defined %}
-set firewall group ipv6-address-group {{ group }} address {{ address['ipv6'] }}
-{% endif %}
-{% endfor %}
-{% endif %}
-{% endfor %}
diff --git a/ansible/roles/vyos/templates/policy_v4.j2 b/ansible/roles/vyos/templates/policy_v4.j2
deleted file mode 100644
index e74b917..0000000
--- a/ansible/roles/vyos/templates/policy_v4.j2
+++ /dev/null
@@ -1,23 +0,0 @@
-{% for policy in fw_policies['ipv4'] %}
-{% for rule in policy['rules'] %}
-{% if rule['source_groups'] is defined %}
-set firewall name {{ policy['name'] }} rule {{ loop.index }} source group address-group {{ rule['source_groups'] }}
-{% endif %}
-{% if rule['dest_groups'] is defined %}
-set firewall name {{ policy['name'] }} rule {{ loop.index }} destination group address-group {{ rule['dest_groups'] }}
-{% endif %}
-{% if rule['protocol'] is defined %}
-set firewall name {{ policy['name'] }} rule {{ loop.index }} protocol {{ rule['protocol'] }}
-{% endif %}
-{% if rule['port'] is defined %}
-set firewall name {{ policy['name'] }} rule {{ loop.index }} destination port {{ rule['port'] }}
-{% endif %}
-{% if rule['state'] is defined %}
-set firewall name {{ policy['name'] }} rule {{ loop.index }} state {{ rule['state'] }} {{ rule['action'] }}
-{% endif %}
-{% if rule['action'] is defined %}
-set firewall name {{ policy['name'] }} rule {{ loop.index }} action {{ rule['action'] }}
-{% endif %}
-{% endfor %}
-set firewall zone {{ policy['zones']['to'] }} from {{ policy['zones']['from'] }} firewall name {{ policy['name'] }}
-{% endfor %}
diff --git a/ansible/roles/vyos/templates/policy_v6.j2 b/ansible/roles/vyos/templates/policy_v6.j2
deleted file mode 100644
index b267d4c..0000000
--- a/ansible/roles/vyos/templates/policy_v6.j2
+++ /dev/null
@@ -1,23 +0,0 @@
-{% for policy in fw_policies['ipv6'] %}
-{% for rule in policy['rules'] %}
-{% if rule['source_groups'] is defined %}
-set firewall ipv6-name {{ policy['name'] }} rule {{ loop.index }} source group address-group {{ rule['source_groups'] }}
-{% endif %}
-{% if rule['dest_groups'] is defined %}
-set firewall ipv6-name {{ policy['name'] }} rule {{ loop.index }} destination group address-group {{ rule['dest_groups'] }}
-{% endif %}
-{% if rule['protocol'] is defined %}
-set firewall ipv6-name {{ policy['name'] }} rule {{ loop.index }} protocol {{ rule['protocol'] }}
-{% endif %}
-{% if rule['port'] is defined %}
-set firewall ipv6-name {{ policy['name'] }} rule {{ loop.index }} destination port {{ rule['port'] }}
-{% endif %}
-{% if rule['state'] is defined %}
-set firewall ipv6-name {{ policy['name'] }} rule {{ loop.index }} state {{ rule['state'] }} {{ rule['action'] }}
-{% endif %}
-{% if rule['action'] is defined %}
-set firewall ipv6-name {{ policy['name'] }} rule {{ loop.index }} action {{ rule['action'] }}
-{% endif %}
-{% endfor %}
-set firewall zone {{ policy['zones']['to'] }} from {{ policy['zones']['from'] }} firewall ipv6-name {{ policy['name'] }}
-{% endfor %}
diff --git a/ansible/roles/vyos/templates/zones.j2 b/ansible/roles/vyos/templates/zones.j2
deleted file mode 100644
index 3d68ec3..0000000
--- a/ansible/roles/vyos/templates/zones.j2
+++ /dev/null
@@ -1,40 +0,0 @@
-{% for zone in zones %}
-set firewall zone {{ zone['name'] }} description "{{ zone['description'] }}"
-{% if zone['local'] is defined %}
-set firewall zone {{ zone['name'] }} local-zone
-{% endif %}
-{% endfor %}
-{% for interface in interfaces %}
-{% if interface['zone'] is defined %}
-{% if interface['vif'] is defined %}
-set firewall zone {{ interface['zone'] }} interface {{ interface['vyos_if'] }}.{{ interface['vif'] }}
-{% else %}
-set firewall zone {{ interface['zone'] }} interface {{ interface['vyos_if'] }}
-{% endif %}
-{% endif %}
-{% endfor %}
-{% if fw_policies['mgmt'] is defined %}
-{% for policy in fw_policies['mgmt']['ipv4'] %}
-{% for rule in policy['rules'] %}
-{% if policy['source_group'] is defined %}
-set firewall name {{ policy['name'] }} rule {{ loop.index }} source group address-group {{ rule['source_group'] }}
-{% endif %}
-{% if rule['dest_group'] is defined %}
-set firewall name {{ policy['name'] }} rule {{ loop.index }} destination group address-group {{ rule['dest_group'] }}
-{% endif %}
-{% if rule['protocol'] is defined %}
-set firewall name {{ policy['name'] }} rule {{ loop.index }} protocol {{ rule['protocol'] }}
-{% endif %}
-{% if rule['port'] is defined %}
-set firewall name {{ policy['name'] }} rule {{ loop.index }} destination port {{ rule['port'] }}
-{% endif %}
-{% if rule['state'] is defined %}
-set firewall name {{ policy['name'] }} rule {{ loop.index }} state {{ rule['state'] }}
-{% endif %}
-{% if rule['action'] is defined %}
-set firewall name {{ policy['name'] }} rule {{ loop.index }} action {{ rule['action'] }}
-{% endif %}
-{% endfor %}
-set firewall zone {{ policy['zones']['to'] }} from {{ policy['zones']['from'] }} firewall name {{ policy['name'] }}
-{% endfor %}
-{% endif %}
diff --git a/ansible/roles/vyos/vars/bw.yml b/ansible/vars/bw.yml
similarity index 77%
rename from ansible/roles/vyos/vars/bw.yml
rename to ansible/vars/bw.yml
index 5254fea..2c3dd44 100644
--- a/ansible/roles/vyos/vars/bw.yml
+++ b/ansible/vars/bw.yml
@@ -2,3 +2,4 @@
 lab_astr0rack_dns_key: "{{ lookup('community.general.bitwarden', 'ansible-vyos-bind9-lab-astr0rack-key', field='password')[0] }}"
 discord_webhook_url: "{{ lookup('community.general.bitwarden', 'ansible-vyos-discord-webhook-url', field='password')[0] }}"
 tailscale_auth_key: "{{ lookup('community.general.bitwarden', 'ansible-vyos-tailscale-auth-key', field='password')[0] }}"
+vyos_user_hash: "{{ lookup('community.general.bitwarden', 'ansible-vyos-lab-user-hash', field='password')[0] }}"
diff --git a/ansible/roles/vyos/vars/env.yml b/ansible/vars/env.yml
similarity index 75%
rename from ansible/roles/vyos/vars/env.yml
rename to ansible/vars/env.yml
index c8cacae..466f287 100644
--- a/ansible/roles/vyos/vars/env.yml
+++ b/ansible/vars/env.yml
@@ -2,3 +2,4 @@
 lab_astr0rack_dns_key: "{{ lookup('ansible.builtin.env', 'VY_LAB_DNS_KEY') }}"
 discord_webhook_url: "{{ lookup('ansible.builtin.env', 'VY_DISCORD_WEBHOOK') }}"
 tailscale_auth_key: "{{ lookup('ansible.builtin.env', 'VY_TAILSCALE_AUTH_KEY') }}"
+vyos_user_hash: "{{ lookup('ansible.builtin.env', 'VY_USER_PASSWORD_HASH') }}"
From 1854006c590da292da46d5a9d422d84124b8e97f Mon Sep 17 00:00:00 2001
From: Nathan Higley
Date: Wed, 3 Jan 2024 11:47:31 -0600
Subject: [PATCH 2/4] fix: recursively checkout for vyos role
---
 .github/workflows/ansible-vyos.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/ansible-vyos.yaml b/.github/workflows/ansible-vyos.yaml
index 2fd7a29..ebcec7e 100644
--- a/.github/workflows/ansible-vyos.yaml
+++ b/.github/workflows/ansible-vyos.yaml
@@ -26,6 +26,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v3
+ with:
+ submodules: recursive
 - name: Setup ssh key
 env:
From 7d9fb9ef62dbd0f0f27071b89b79f76b77a14679 Mon Sep 17 00:00:00 2001
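Review bot: The new `vyos_user_hash` line in env.yml silently yields an empty string when `VY_USER_PASSWORD_HASH` is not exported, because `ansible.builtin.env` returns `""` for an unset variable, so a run without the secret carries an empty login hash into whatever the role does with it instead of stopping. The three lookups already in the file share that behaviour, but a login credential is where a silent empty value matters most. Consider `vyos_user_hash: "{{ lookup('ansible.builtin.env', 'VY_USER_PASSWORD_HASH', default=undef()) }}"` so an unset variable surfaces as an undefined-variable error at first use, or add an explicit assert on its length in the playbook before it is applied. The bw.yml counterpart should not need this, since indexing `[0]` on an empty Bitwarden result already fails the task.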
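Review bot: The new `with: submodules: recursive` on the Checkout step carries no comment saying why the workflow needs submodules at all, and the reason lives in another file; a one-line comment above it, `# ansible/roles/vyos is a git submodule; the playbook cannot run without it`, would save the next reader a trip through .gitmodules. If the role repository has no submodules of its own, `submodules: true` states the intent more narrowly than `recursive`; I cannot see that repository's tree, so treat this as something to confirm. Worth keeping in mind that the job now executes role code selected only by the gitlink commit recorded in PATCH 1/4, so bumps of that pointer deserve the same review as any other dependency update.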
From: Nathan Higley
Date: Wed, 3 Jan 2024 11:50:09 -0600
Subject: [PATCH 3/4] fix: correct vyos image url and correct makefile
---
 ansible/Makefile | 20 ++++++++++++-------
 .../roles/proxmox/tasks/create_vyos_image.yml | 2 +-
 2 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/ansible/Makefile b/ansible/Makefile
index e724f75..092e324 100644
--- a/ansible/Makefile
+++ b/ansible/Makefile
@@ -18,23 +18,29 @@ proxmox-tf:
 ansible-playbook playbooks/proxmox.yml --tags setup-terraform,bw --ask-become-pass
 vyos:
- ansible-playbook playbooks/vyos.yml --tags all,bw
+ ansible-playbook playbooks/vyos.yml --tags all
 vyos-dry-run:
 ansible-playbook playbooks/vyos.yml --tags dry-run,bw --skip-tags always
-vyos-setup:
- ansible-playbook playbooks/vyos.yml --tags setup,bw
-vyos-dns:
- ansible-playbook playbooks/vyos.yml --tags dns,bw
-vyos-tailscale:
- ansible-playbook playbooks/vyos.yml --tags tailscale,bw
+vyos-prep:
+ ansible-playbook playbooks/vyos.yml --tags prep,bw
+vyos-users:
+ ansible-playbook playbooks/vyos.yml --tags users,bw
+vyos-vrf:
+ ansible-playbook playbooks/vyos.yml --tags vrf,bw
 vyos-interfaces:
 ansible-playbook playbooks/vyos.yml --tags interfaces,bw
+vyos-services:
+ ansible-playbook playbooks/vyos.yml --tags services,bw
 vyos-dhcp:
 ansible-playbook playbooks/vyos.yml --tags dhcp,bw
+vyos-routing:
+ ansible-playbook playbooks/vyos.yml --tags routing,bw
 vyos-nat:
 ansible-playbook playbooks/vyos.yml --tags nat,bw
 vyos-firewall:
 ansible-playbook playbooks/vyos.yml --tags firewall,bw
+vyos-containers:
+ ansible-playbook playbooks/vyos.yml --tags containers,bw
 lint:
 ansible-lint -x 'var-naming[no-role-prefix]'
diff --git a/ansible/roles/proxmox/tasks/create_vyos_image.yml b/ansible/roles/proxmox/tasks/create_vyos_image.yml
index 971caf0..93424bf 100644
--- a/ansible/roles/proxmox/tasks/create_vyos_image.yml
+++ b/ansible/roles/proxmox/tasks/create_vyos_image.yml
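Review bot: The `vyos` target now runs `--tags all` while every other target in this hunk keeps `,bw`, and `all` does not select tasks tagged `never`; if the Bitwarden secrets include is still tagged `bw` and `never` as it was in the deleted `roles/vyos/tasks/main.yml`, the full run proceeds with `tailscale_auth_key`, `vyos_user_hash` and the other secrets undefined. I cannot see the new `playbooks/vyos.yml`, so this may be intentional, but then the inconsistency deserves a comment on the target such as `# secrets are loaded by the playbook itself; no bw tag needed here`; otherwise restore `ansible-playbook playbooks/vyos.yml --tags all,bw`. The remaining targets agree with each other, so nothing else to raise in this hunk.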
@@ -7,7 +7,7 @@
 - name: Download latest VyOS Build
 ansible.builtin.get_url:
- url: https://github.com/astr0n8t/vyos-tailscale-gha/releases/download/v1.4-sagitta-202312280404/vyos-qemu-1.4-sagitta-202312280404-amd64.qcow2
+ url: https://github.com/astr0n8t/vyos-tailscale-gha/releases/download/v1.4-sagitta-202401022237/vyos-qemu-1.4-sagitta-202401022237-amd64.qcow2
 dest: /tmp/vyos-qemu-latest-amd64.qcow2
 mode: "0644"
From 91ab75199c6843712dc92536705db796f015d6b2 Mon Sep 17 00:00:00 2001
From: Nathan Higley
Date: Wed, 3 Jan 2024 11:52:22 -0600
Subject: [PATCH 4/4] hotfix: satisfy lint
---
 ansible/roles/proxmox/tasks/create_vyos_image.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ansible/roles/proxmox/tasks/create_vyos_image.yml b/ansible/roles/proxmox/tasks/create_vyos_image.yml
index 93424bf..ee10346 100644
--- a/ansible/roles/proxmox/tasks/create_vyos_image.yml
+++ b/ansible/roles/proxmox/tasks/create_vyos_image.yml
@@ -7,7 +7,7 @@
 - name: Download latest VyOS Build
 ansible.builtin.get_url:
- url: https://github.com/astr0n8t/vyos-tailscale-gha/releases/download/v1.4-sagitta-202401022237/vyos-qemu-1.4-sagitta-202401022237-amd64.qcow2
+ url: https://github.com/astr0n8t/vyos-tailscale-gha/releases/download/v1.4-sagitta-202401022237/vyos-qemu-1.4-sagitta-202401022237-amd64.qcow2
 dest: /tmp/vyos-qemu-latest-amd64.qcow2
 mode: "0644"
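Review bot: The bumped `url:` still fetches the router image with no `checksum:` on the `ansible.builtin.get_url` task, so the qcow2 that becomes the VyOS VM is accepted on the strength of TLS to GitHub alone, and a release asset replaced in place would be installed without anything here noticing. Now that the URL names one specific build, pinning its digest is cheap: add `checksum: sha256:<sha256-of-the-release-asset>` (placeholder, take the value from the release) alongside `dest:`, and update it together with the URL on each bump. PATCH 4/4 rewrites the same `url:` line and would carry the same addition; I am not raising it again there.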