From dd6d5b6ec5a281b57202219ea866757d96e646c0 Mon Sep 17 00:00:00 2001
From: Tobias Hachmer
Date: Mon, 11 Sep 2017 13:10:39 +0200
Subject: [PATCH] Add role service-bird-icvpn; add python3-yaml package to server-basic role
---
 inventory/group_vars/all | 4 +-
 playbooks/gateways.yml | 1 +
 roles/server-basic/vars/main.yml | 1 +
 roles/service-bird-icvpn/README.md | 19 +++++
 roles/service-bird-icvpn/handlers/main.yml | 28 +++++++
 roles/service-bird-icvpn/meta/main.yml | 4 +
 roles/service-bird-icvpn/tasks/main.yml | 41 ++++++++++
 .../templates/icvpn_ipv4.conf.j2 | 75 +++++++++++++++++++
 .../templates/icvpn_ipv6.conf.j2 | 67 +++++++++++++++++
 9 files changed, 238 insertions(+), 2 deletions(-)
 create mode 100644 roles/service-bird-icvpn/README.md
 create mode 100644 roles/service-bird-icvpn/handlers/main.yml
 create mode 100644 roles/service-bird-icvpn/meta/main.yml
 create mode 100644 roles/service-bird-icvpn/tasks/main.yml
 create mode 100644 roles/service-bird-icvpn/templates/icvpn_ipv4.conf.j2
 create mode 100644 roles/service-bird-icvpn/templates/icvpn_ipv6.conf.j2
diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index effbd11..bc72b66 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -7,8 +7,8 @@ routing_tables:
 mwu: 41
 internet: 61
-icvpn_ipv4_network: 10.207.0.0/16
-mwu_icvpn_ipv4_network: 10.207.37.0/24
+icvpn_ipv4_transfer_net: 10.207.0.0/16
+icvpn_ipv6_transfer_net: fec0::a:cf:0:0/96
 bgp_loopback_net: 10.37.0.0/18
 bgp_ipv4_transfer_net: 10.37.0.0/18
 bgp_ipv6_transfer_net: fd37:b4dc:4b1e::/64
diff --git a/playbooks/gateways.yml b/playbooks/gateways.yml
index 9fd38ed..616cf0b 100755
--- a/playbooks/gateways.yml
+++ b/playbooks/gateways.yml
@@ -21,4 +21,5 @@
 - network-fastd
 - network-ffrl
 - service-bird
+ - service-bird-icvpn
 - service-rclocal
diff --git a/roles/server-basic/vars/main.yml b/roles/server-basic/vars/main.yml
index 45cb744..5588e09 100644
--- a/roles/server-basic/vars/main.yml
+++ b/roles/server-basic/vars/main.yml
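Review bot: The removed `mwu_icvpn_ipv4_network` gets no replacement in the inventory/group_vars/all hunk; the new templates instead hard-code the community's slot with `ipsubnet(24, 37)` and `ipsubnet(112, 37)`. If any other template or role in the repository still references the old name it will fail at templating, which this diff cannot show. Keeping the slot number in the inventory next to the two transfer nets, e.g. a variable like `icvpn_subnet_index: 37`, would leave the per-community knob in one place instead of duplicating it in both templates.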
@@ -5,6 +5,7 @@ packages:
 - man-db
 - mlocate
 - mosh
+ - python3-yaml
 - sudo
 - sysfsutils
 - vim
diff --git a/roles/service-bird-icvpn/README.md b/roles/service-bird-icvpn/README.md
new file mode 100644
index 0000000..d999fc6
--- /dev/null
+++ b/roles/service-bird-icvpn/README.md
@@ -0,0 +1,19 @@
+# Ansible role service-bird-icvpn
+
+Diese Ansible role ergänzt die benötigte bird + bird6 Konfiguration für das Freifunk Intercity VPN.
+
+- installiert bird
+- schreibt icvpn_ipv4.conf + icvpn_ipv6.conf
+- schreibt initiale ICVPN peers config (nur wenn nicht vorhanden)
+- schreibt initiale ICVPN ROA config (nur wenn nicht vorhanden)
+
+## Benötigte Variablen
+
+- Variable `icvpn_ipv4_transfer_net` # IPv4-Range des ICVPN Transfer Netzes
+- Variable `icvpn_ipv6_transfer_net` # IPv6-Range des ICVPN Transfer Netzes
+- Host Variable `magic`
+
+## Benötigte roles
+
+- git-repos
+- service-bird
diff --git a/roles/service-bird-icvpn/handlers/main.yml b/roles/service-bird-icvpn/handlers/main.yml
new file mode 100644
index 0000000..1a37e5c
--- /dev/null
+++ b/roles/service-bird-icvpn/handlers/main.yml
@@ -0,0 +1,28 @@
+---
+- name: reload bird4
+ systemd:
+ name: bird
+ state: reloaded
+ become: true
+
+- name: reload bird6
+ systemd:
+ name: bird6
+ state: reloaded
+ become: true
+
+- name: set file attrs 4
+ file:
+ path: /etc/bird/icvpn_ipv4_peers.conf
+ mode: 0640
+ owner: bird
+ group: bird
+ become: true
+
+- name: set file attrs 6
+ file:
+ path: /etc/bird/icvpn_ipv6_peers.conf
+ mode: 0640
+ owner: bird
+ group: bird
+ become: true
diff --git a/roles/service-bird-icvpn/meta/main.yml b/roles/service-bird-icvpn/meta/main.yml
new file mode 100644
index 0000000..ad1a852
--- /dev/null
+++ b/roles/service-bird-icvpn/meta/main.yml
@@ -0,0 +1,4 @@
+---
+dependencies:
+ - { role: git-repos }
+ - { role: service-bird }
diff --git a/roles/service-bird-icvpn/tasks/main.yml b/roles/service-bird-icvpn/tasks/main.yml
new file mode 100644
index 0000000..0570e41
--- /dev/null
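Review bot: The `set file attrs 4`/`set file attrs 6` handlers in handlers/main.yml only touch `icvpn_ipv4_peers.conf` and `icvpn_ipv6_peers.conf`, yet the tasks file also notifies them from the ROA generator, so `/etc/bird/icvpn_ipv4_roa.conf` and `/etc/bird/icvpn_ipv6_roa.conf` keep whatever owner and mode the root shell redirection produced. Ordering is off as well: Ansible runs notified handlers in the order they are defined here, so `reload bird4` fires before `set file attrs 4` has corrected the file. Move the two `file:` handlers above the reload handlers and let each cover both generated files, `path: "{{ item }}"` with `with_items: [/etc/bird/icvpn_ipv4_peers.conf, /etc/bird/icvpn_ipv4_roa.conf]` (and the IPv6 pair for `set file attrs 6`).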
+++ b/roles/service-bird-icvpn/tasks/main.yml
@@ -0,0 +1,41 @@
+---
+- name: write initial icvpn peers
+ shell: /usr/bin/python3 /home/admin/clones/icvpn-scripts/mkbgp -{{ item }} -f bird -x mwu -d ebgp_icvpn -s /home/admin/clones/icvpn-meta > /etc/bird/icvpn_ipv{{ item }}_peers.conf
+ args:
+ chdir: /home/admin/clones/icvpn-scripts
+ creates: /etc/bird/icvpn_ipv{{ item }}_peers.conf
+ notify:
+ - reload bird{{ item }}
+ - set file attrs {{ item }}
+ with_items:
+ - 4
+ - 6
+ become: true
+
+- name: write initial icvpn roa config
+ shell: /usr/bin/python3 /home/admin/clones/icvpn-scripts/mkroa -{{ item.key }} -f bird -x mwu -m {{ item.value.max_prefix }} -s /home/admin/clones/icvpn-meta > /etc/bird/icvpn_ipv{{ item.key }}_roa.conf
+ args:
+ chdir: /home/admin/clones/icvpn-scripts
+ creates: /etc/bird/icvpn_ipv{{ item.key }}_roa.conf
+ notify:
+ - reload bird{{ item.key }}
+ - set file attrs {{ item.key }}
+ with_dict:
+ 4:
+ max_prefix: 20
+ 6:
+ max_prefix: 64
+ become: true
+
+- name: write icvpn bird configuration
+ template:
+ src: icvpn_ipv{{ item }}.conf.j2
+ dest: /etc/bird/icvpn_ipv{{ item }}.conf
+ mode: 0640
+ owner: bird
+ group: bird
+ notify: reload bird{{ item }}
+ with_items:
+ - 4
+ - 6
+ become: true
diff --git a/roles/service-bird-icvpn/templates/icvpn_ipv4.conf.j2 b/roles/service-bird-icvpn/templates/icvpn_ipv4.conf.j2
new file mode 100644
index 0000000..d5409db
--- /dev/null
+++ b/roles/service-bird-icvpn/templates/icvpn_ipv4.conf.j2
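Review bot: The `>` redirect in both `shell:` tasks creates the target file before `mkbgp`/`mkroa` has succeeded, so a failing run leaves an empty or truncated `/etc/bird/icvpn_ipv{{ item }}_peers.conf` that `creates:` then treats as done on every later run while bird keeps including it; write to a temporary name and rename only on success, `... > /etc/bird/icvpn_ipv{{ item }}_peers.conf.tmp && mv /etc/bird/icvpn_ipv{{ item }}_peers.conf.tmp /etc/bird/icvpn_ipv{{ item }}_peers.conf` (same for the `_roa.conf` task). Both tasks also execute a checkout under `/home/admin/clones` with `become: true`, i.e. as root; presumably that checkout is owned by the unprivileged `admin` account via the `git-repos` dependency, in which case anyone able to modify it can run code as root on every gateway. Running the generators with `become_user` set to that account, registering the output and writing the file with the `copy` module's `content` would keep root out of the script's hands; at minimum the trust placed in that directory deserves a comment above the first task.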
@@ -0,0 +1,75 @@
+#
+# {{ ansible_managed }}
+#
+
+# Variables
+define icvpn_address = {{ icvpn_ipv4_transfer_net | ipaddr('net') | ipsubnet(24, 37) | ipaddr(magic) | ipaddr('address') }};
+
+# ROA
+roa table roa_icvpn {
+ include "icvpn_ipv4_roa.con?";
+}
+
+# Filters
+filter icvpn_import_filter {
+ if is_mwu_self_nets() then reject;
+ if is_chaosvpn() then accept;
+ if roa_check(roa_icvpn) = ROA_VALID then {
+ if is_freifunk() then accept;
+ if is_dn42() then accept;
+ } else {
+ if roa_check(roa_icvpn) = ROA_UNKNOWN then {
+ if is_dn42() then {
+ print "ROA UNKNOWN for dn42 net, accepting: ", net, " ASN: ", bgp_path.last;
+ accept;
+ }
+ if is_freifunk() then {
+ print "ROA UNKNOWN for freifunk net, accepting: ", net, " ASN: ", bgp_path.last;
+ accept;
+ }
+ }
+ if roa_check(roa_icvpn) = ROA_INVALID then {
+ if is_freifunk() then {
+ print "ROA INVALID for freifunk net, accept: ", net, " ASN: ", bgp_path.last;
+ accept;
+ }
+ }
+ reject;
+ }
+ reject;
+}
+
+# Protocols
+protocol kernel kernel_mwu {
+ scan time 30;
+ import none;
+ export filter {
+ if is_mwu_self_nets() then
+ reject;
+ krt_prefsrc = icvpn_address;
+ accept;
+ };
+ kernel table ipt_icvpn;
+};
+
+# Templates
+template bgp ebgp_icvpn {
+ local icvpn_address as mwu_as;
+ import keep filtered on;
+ import filter icvpn_import_filter;
+ export filter {
+ if is_mwu_self_nets() then {
+ accept;
+ }
+ if source = RTS_BGP then {
+ if is_freifunk() || is_dn42() then {
+ accept;
+ }
+ }
+ reject;
+ };
+ direct;
+}
+
+# Include ICVPN IPv4 peers
+include "icvpn_ipv4_peers.con?";
diff --git a/roles/service-bird-icvpn/templates/icvpn_ipv6.conf.j2 b/roles/service-bird-icvpn/templates/icvpn_ipv6.conf.j2
new file mode 100644
index 0000000..eb41c3f
--- /dev/null
+++ b/roles/service-bird-icvpn/templates/icvpn_ipv6.conf.j2
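Review bot: The `ROA_INVALID` branch of `icvpn_import_filter` still accepts freifunk nets (`print "ROA INVALID for freifunk net, accept: ..."; accept;`), so a prefix whose announcing origin contradicts the ROA table is imported exactly like a valid one and `roa_icvpn` is reduced to logging; the `is_ula()` branch under `ROA_INVALID` in the icvpn_ipv6.conf.j2 hunk has the same effect. If this is deliberate for a rollout phase, say so above the branch, e.g. `# ROA is log-only for now: invalid freifunk routes are still accepted`, otherwise drop the `accept` so the trailing `reject` applies. The filter further relies on `is_mwu_self_nets`, `is_chaosvpn`, `is_freifunk`, `is_dn42`, `mwu_as` and the `ipt_icvpn` table, none of which this role defines — presumably they come from the `service-bird` dependency, and a header comment naming that source would help the next reader. The `"icvpn_ipv4_roa.con?"` glob include looks like it exists so bird starts before the generated file is present; that is worth one comment too.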
@@ -0,0 +1,67 @@
+#
+# {{ ansible_managed }}
+#
+
+# Variables
+define icvpn_address = {{ icvpn_ipv6_transfer_net | ipaddr('net') | ipsubnet(112, 37) | ipaddr(magic) | ipaddr('address') }};
+
+# ROA
+roa table roa_icvpn {
+ include "icvpn_ipv6_roa.con?";
+}
+
+# Filters
+filter icvpn_import_filter {
+ if is_mwu_self_nets() then reject;
+ if roa_check(roa_icvpn) = ROA_VALID then {
+ if is_ula() then accept;
+ } else {
+ if roa_check(roa_icvpn) = ROA_UNKNOWN then {
+ if is_ula() then {
+ print "ROA UNKNOWN for net, accepting: ", net, " ASN: ", bgp_path.last;
+ accept;
+ }
+ }
+ if roa_check(roa_icvpn) = ROA_INVALID then {
+ if is_ula() then {
+ print "ROA INVALID for net, accept: ", net, " ASN: ", bgp_path.last;
+ accept;
+ }
+ }
+ reject;
+ }
+ reject;
+}
+
+# Protocols
+protocol kernel kernel_mwu {
+ scan time 30;
+ import none;
+ export filter {
+ if is_mwu_self_nets() then
+ reject;
+ krt_prefsrc = icvpn_address;
+ accept;
+ };
+ kernel table ipt_icvpn;
+};
+
+# Templates
+template bgp ebgp_icvpn {
+ local icvpn_address as mwu_as;
+ import keep filtered on;
+ import filter icvpn_import_filter;
+ export filter {
+ if is_mwu_self_nets() then {
+ accept;
+ }
+ if source = RTS_BGP then {
+ accept;
+ }
+ reject;
+ };
+ direct;
+}
+
+# Include ICVPN IPv6 peers
+include "icvpn_ipv6_peers.con?";
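Review bot: The `ebgp_icvpn` export filter accepts every `source = RTS_BGP` route without an `is_ula()` check, unlike the IPv4 template which limits exports to `is_freifunk() || is_dn42()`. If bird6 on these gateways learns routes from other BGP sessions into the same table (not visible in this diff), they would be re-announced to all ICVPN peers, because the import filter only constrains what arrives over this template. Restricting the export symmetrically, `if source = RTS_BGP && is_ula() then {`, keeps the two address families consistent.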