Add role service-bird-icvpn; add python3-yaml package to server-basic
role
This commit is contained in:
parent
a2816a152e
commit
dd6d5b6ec5
9 changed files with 238 additions and 2 deletions
|
@ -7,8 +7,8 @@ routing_tables:
|
||||||
mwu: 41
|
mwu: 41
|
||||||
internet: 61
|
internet: 61
|
||||||
|
|
||||||
icvpn_ipv4_network: 10.207.0.0/16
|
icvpn_ipv4_transfer_net: 10.207.0.0/16
|
||||||
mwu_icvpn_ipv4_network: 10.207.37.0/24
|
icvpn_ipv6_transfer_net: fec0::a:cf:0:0/96
|
||||||
bgp_loopback_net: 10.37.0.0/18
|
bgp_loopback_net: 10.37.0.0/18
|
||||||
bgp_ipv4_transfer_net: 10.37.0.0/18
|
bgp_ipv4_transfer_net: 10.37.0.0/18
|
||||||
bgp_ipv6_transfer_net: fd37:b4dc:4b1e::/64
|
bgp_ipv6_transfer_net: fd37:b4dc:4b1e::/64
|
||||||
|
|
|
@ -21,4 +21,5 @@
|
||||||
- network-fastd
|
- network-fastd
|
||||||
- network-ffrl
|
- network-ffrl
|
||||||
- service-bird
|
- service-bird
|
||||||
|
- service-bird-icvpn
|
||||||
- service-rclocal
|
- service-rclocal
|
||||||
|
|
|
@ -5,6 +5,7 @@ packages:
|
||||||
- man-db
|
- man-db
|
||||||
- mlocate
|
- mlocate
|
||||||
- mosh
|
- mosh
|
||||||
|
- python3-yaml
|
||||||
- sudo
|
- sudo
|
||||||
- sysfsutils
|
- sysfsutils
|
||||||
- vim
|
- vim
|
||||||
|
|
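--- /dev/null
+++ b/roles/service-bird-icvpn/README.md
@@ -0,0 +1,19 @@
+# Ansible role service-bird-icvpn
+
+Diese Ansible role ergänzt die benötigte bird + bird6 Konfiguration für das Freifunk Intercity VPN.
+
+- installiert bird
+- schreibt icvpn_ipv4.conf + icvpn_ipv6.conf
+- schreibt initiale ICVPN peers config (nur wenn nicht vorhanden)
+- schreibt initiale ICVPN ROA config (nur wenn nicht vorhanden)
+
+## Benötigte Variablen
+
+- Variable `icvpn_ipv4_transfer_net` # IPv4-Range des ICVPN Transfer Netzes
+- Variable `icvpn_ipv6_transfer_net` # IPv6-Range des ICVPN Transfer Netzes
+- Host Variable `magic`
+
+## Benötigte roles
+
+- git-repos
+- service-bird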
28
roles/service-bird-icvpn/handlers/main.yml
Normal file
|
@ -0,0 +1,28 @@
|
||||||
|
---
|
||||||
|
- name: reload bird4
|
||||||
|
systemd:
|
||||||
|
name: bird
|
||||||
|
state: reloaded
|
||||||
|
become: true
|
||||||
|
|
||||||
|
- name: reload bird6
|
||||||
|
systemd:
|
||||||
|
name: bird6
|
||||||
|
state: reloaded
|
||||||
|
become: true
|
||||||
|
|
||||||
|
- name: set file attrs 4
|
||||||
|
file:
|
||||||
|
path: /etc/bird/icvpn_ipv4_peers.conf
|
||||||
|
mode: 0640
|
||||||
|
owner: bird
|
||||||
|
group: bird
|
||||||
|
become: true
|
||||||
|
|
||||||
|
- name: set file attrs 6
|
||||||
|
file:
|
||||||
|
path: /etc/bird/icvpn_ipv6_peers.conf
|
||||||
|
mode: 0640
|
||||||
|
owner: bird
|
||||||
|
group: bird
|
||||||
|
become: true
|
4
roles/service-bird-icvpn/meta/main.yml
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
---
|
||||||
|
dependencies:
|
||||||
|
- { role: git-repos }
|
||||||
|
- { role: service-bird }
|
41
roles/service-bird-icvpn/tasks/main.yml
Normal file
|
@ -0,0 +1,41 @@
|
||||||
|
---
|
||||||
|
- name: write initial icvpn peers
|
||||||
|
shell: /usr/bin/python3 /home/admin/clones/icvpn-scripts/mkbgp -{{ item }} -f bird -x mwu -d ebgp_icvpn -s /home/admin/clones/icvpn-meta > /etc/bird/icvpn_ipv{{ item }}_peers.conf
|
||||||
|
args:
|
||||||
|
chdir: /home/admin/clones/icvpn-scripts
|
||||||
|
creates: /etc/bird/icvpn_ipv{{ item }}_peers.conf
|
||||||
|
notify:
|
||||||
|
- reload bird{{ item }}
|
||||||
|
- set file attrs {{ item }}
|
||||||
|
with_items:
|
||||||
|
- 4
|
||||||
|
- 6
|
||||||
|
become: true
|
||||||
|
|
||||||
|
- name: write initial icvpn roa config
|
||||||
|
shell: /usr/bin/python3 /home/admin/clones/icvpn-scripts/mkroa -{{ item.key }} -f bird -x mwu -m {{ item.value.max_prefix }} -s /home/admin/clones/icvpn-meta > /etc/bird/icvpn_ipv{{ item.key }}_roa.conf
|
||||||
|
args:
|
||||||
|
chdir: /home/admin/clones/icvpn-scripts
|
||||||
|
creates: /etc/bird/icvpn_ipv{{ item.key }}_roa.conf
|
||||||
|
notify:
|
||||||
|
- reload bird{{ item.key }}
|
||||||
|
- set file attrs {{ item.key }}
|
||||||
|
with_dict:
|
||||||
|
4:
|
||||||
|
max_prefix: 20
|
||||||
|
6:
|
||||||
|
max_prefix: 64
|
||||||
|
become: true
|
||||||
|
|
||||||
|
- name: write icvpn bird configuration
|
||||||
|
template:
|
||||||
|
src: icvpn_ipv{{ item }}.conf.j2
|
||||||
|
dest: /etc/bird/icvpn_ipv{{ item }}.conf
|
||||||
|
mode: 0640
|
||||||
|
owner: bird
|
||||||
|
group: bird
|
||||||
|
notify: reload bird{{ item }}
|
||||||
|
with_items:
|
||||||
|
- 4
|
||||||
|
- 6
|
||||||
|
become: true
|
75
roles/service-bird-icvpn/templates/icvpn_ipv4.conf.j2
Normal file
|
@ -0,0 +1,75 @@
|
||||||
|
#
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
#
|
||||||
|
|
||||||
|
# Variables
|
||||||
|
define icvpn_address = {{ icvpn_ipv4_transfer_net | ipaddr('net') | ipsubnet(24, 37) | ipaddr(magic) | ipaddr('address') }};
|
||||||
|
|
||||||
|
# ROA
|
||||||
|
roa table roa_icvpn {
|
||||||
|
include "icvpn_ipv4_roa.con?";
|
||||||
|
}
|
||||||
|
|
||||||
|
# Filters
|
||||||
|
filter icvpn_import_filter {
|
||||||
|
if is_mwu_self_nets() then reject;
|
||||||
|
if is_chaosvpn() then accept;
|
||||||
|
if roa_check(roa_icvpn) = ROA_VALID then {
|
||||||
|
if is_freifunk() then accept;
|
||||||
|
if is_dn42() then accept;
|
||||||
|
} else {
|
||||||
|
if roa_check(roa_icvpn) = ROA_UNKNOWN then {
|
||||||
|
if is_dn42() then {
|
||||||
|
print "ROA UNKNOWN for dn42 net, accepting: ", net, " ASN: ", bgp_path.last;
|
||||||
|
accept;
|
||||||
|
}
|
||||||
|
if is_freifunk() then {
|
||||||
|
print "ROA UNKNOWN for freifunk net, accepting: ", net, " ASN: ", bgp_path.last;
|
||||||
|
accept;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if roa_check(roa_icvpn) = ROA_INVALID then {
|
||||||
|
if is_freifunk() then {
|
||||||
|
print "ROA INVALID for freifunk net, accept: ", net, " ASN: ", bgp_path.last;
|
||||||
|
accept;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
reject;
|
||||||
|
}
|
||||||
|
reject;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Protocols
|
||||||
|
protocol kernel kernel_mwu {
|
||||||
|
scan time 30;
|
||||||
|
import none;
|
||||||
|
export filter {
|
||||||
|
if is_mwu_self_nets() then
|
||||||
|
reject;
|
||||||
|
krt_prefsrc = icvpn_address;
|
||||||
|
accept;
|
||||||
|
};
|
||||||
|
kernel table ipt_icvpn;
|
||||||
|
};
|
||||||
|
|
||||||
|
# Templates
|
||||||
|
template bgp ebgp_icvpn {
|
||||||
|
local icvpn_address as mwu_as;
|
||||||
|
import keep filtered on;
|
||||||
|
import filter icvpn_import_filter;
|
||||||
|
export filter {
|
||||||
|
if is_mwu_self_nets() then {
|
||||||
|
accept;
|
||||||
|
}
|
||||||
|
if source = RTS_BGP then {
|
||||||
|
if is_freifunk() || is_dn42() then {
|
||||||
|
accept;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
reject;
|
||||||
|
};
|
||||||
|
direct;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Include ICVPN IPv4 peers
|
||||||
|
include "icvpn_ipv4_peers.con?";
|
67
roles/service-bird-icvpn/templates/icvpn_ipv6.conf.j2
Normal file
|
@ -0,0 +1,67 @@
|
||||||
|
#
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
#
|
||||||
|
|
||||||
|
# Variables
|
||||||
|
define icvpn_address = {{ icvpn_ipv6_transfer_net | ipaddr('net') | ipsubnet(112, 37) | ipaddr(magic) | ipaddr('address') }};
|
||||||
|
|
||||||
|
# ROA
|
||||||
|
roa table roa_icvpn {
|
||||||
|
include "icvpn_ipv6_roa.con?";
|
||||||
|
}
|
||||||
|
|
||||||
|
# Filters
|
||||||
|
filter icvpn_import_filter {
|
||||||
|
if is_mwu_self_nets() then reject;
|
||||||
|
if roa_check(roa_icvpn) = ROA_VALID then {
|
||||||
|
if is_ula() then accept;
|
||||||
|
} else {
|
||||||
|
if roa_check(roa_icvpn) = ROA_UNKNOWN then {
|
||||||
|
if is_ula() then {
|
||||||
|
print "ROA UNKNOWN for net, accepting: ", net, " ASN: ", bgp_path.last;
|
||||||
|
accept;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if roa_check(roa_icvpn) = ROA_INVALID then {
|
||||||
|
if is_ula() then {
|
||||||
|
print "ROA INVALID for net, accept: ", net, " ASN: ", bgp_path.last;
|
||||||
|
accept;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
reject;
|
||||||
|
}
|
||||||
|
reject;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Protocols
|
||||||
|
protocol kernel kernel_mwu {
|
||||||
|
scan time 30;
|
||||||
|
import none;
|
||||||
|
export filter {
|
||||||
|
if is_mwu_self_nets() then
|
||||||
|
reject;
|
||||||
|
krt_prefsrc = icvpn_address;
|
||||||
|
accept;
|
||||||
|
};
|
||||||
|
kernel table ipt_icvpn;
|
||||||
|
};
|
||||||
|
|
||||||
|
# Templates
|
||||||
|
template bgp ebgp_icvpn {
|
||||||
|
local icvpn_address as mwu_as;
|
||||||
|
import keep filtered on;
|
||||||
|
import filter icvpn_import_filter;
|
||||||
|
export filter {
|
||||||
|
if is_mwu_self_nets() then {
|
||||||
|
accept;
|
||||||
|
}
|
||||||
|
if source = RTS_BGP then {
|
||||||
|
accept;
|
||||||
|
}
|
||||||
|
reject;
|
||||||
|
};
|
||||||
|
direct;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Include ICVPN IPv6 peers
|
||||||
|
include "icvpn_ipv6_peers.con?";
|
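Review bot: The export filter of `template bgp ebgp_icvpn` accepts every route with `source = RTS_BGP`, whereas the IPv4 template only exports BGP routes that pass `is_freifunk() || is_dn42()`; here nothing restricts the announced prefixes to the ULA space that the import filter enforces with `is_ula()`. If any other BGP protocol feeds the same table (the network-ffrl role listed in the same play is one candidate), its routes would be re-announced to ICVPN peers; `if is_ula() then accept;` inside that branch mirrors the IPv4 filter's intent. Whether other protocols share this table is not visible in this commit.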