Add role service-bird-icvpn; add python3-yaml package to server-basic

role
This commit is contained in:
Tobias Hachmer 2017-09-11 13:10:39 +02:00
parent a2816a152e
commit dd6d5b6ec5
9 changed files with 238 additions and 2 deletions


@ -7,8 +7,8 @@ routing_tables:
mwu: 41 mwu: 41
internet: 61 internet: 61
icvpn_ipv4_network: 10.207.0.0/16 icvpn_ipv4_transfer_net: 10.207.0.0/16
mwu_icvpn_ipv4_network: 10.207.37.0/24 icvpn_ipv6_transfer_net: fec0::a:cf:0:0/96
bgp_loopback_net: 10.37.0.0/18 bgp_loopback_net: 10.37.0.0/18
bgp_ipv4_transfer_net: 10.37.0.0/18 bgp_ipv4_transfer_net: 10.37.0.0/18
bgp_ipv6_transfer_net: fd37:b4dc:4b1e::/64 bgp_ipv6_transfer_net: fd37:b4dc:4b1e::/64


@ -21,4 +21,5 @@
- network-fastd - network-fastd
- network-ffrl - network-ffrl
- service-bird - service-bird
- service-bird-icvpn
- service-rclocal - service-rclocal


@ -5,6 +5,7 @@ packages:
- man-db - man-db
- mlocate - mlocate
- mosh - mosh
- python3-yaml
- sudo - sudo
- sysfsutils - sysfsutils
- vim - vim


@ -0,0 +1,19 @@
# Ansible role service-bird-icvpn
Diese Ansible role ergänzt die benötigte bird + bird6 Konfiguration für das Freifunk Intercity VPN.
- installiert bird
- schreibt icvpn_ipv4.conf + icvpn_ipv6.conf
- schreibt initiale ICVPN peers config (nur wenn nicht vorhanden)
- schreibt initiale ICVPN ROA config (nur wenn nicht vorhanden)
## Benötigte Variablen
- Variable `icvpn_ipv4_transfer_net` # IPv4-Range des ICVPN Transfer Netzes
- Variable `icvpn_ipv6_transfer_net` # IPv6-Range des ICVPN Transfer Netzes
- Host Variable `magic`
## Benötigte roles
- git-repos
- service-bird


@ -0,0 +1,28 @@
---
- name: reload bird4
systemd:
name: bird
state: reloaded
become: true
- name: reload bird6
systemd:
name: bird6
state: reloaded
become: true
- name: set file attrs 4
file:
path: /etc/bird/icvpn_ipv4_peers.conf
mode: 0640
owner: bird
group: bird
become: true
- name: set file attrs 6
file:
path: /etc/bird/icvpn_ipv6_peers.conf
mode: 0640
owner: bird
group: bird
become: true
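Review bot: The file modes in `set file attrs 4` and `set file attrs 6` are written as the bare literal `mode: 0640`, as is the `template` task in tasks/main.yml; a YAML 1.1 parser reads that as octal so it happens to work, but `mode: '0640'` is the quoted form Ansible documents and the one that survives a parser treating leading zeros differently. Since these handlers only run at handler flush, a comment such as `# corrects ownership/mode of the file created by the shell redirect in tasks/main.yml` would make their purpose clear to the next reader.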


@ -0,0 +1,4 @@
---
dependencies:
- { role: git-repos }
- { role: service-bird }


@ -0,0 +1,41 @@
---
- name: write initial icvpn peers
shell: /usr/bin/python3 /home/admin/clones/icvpn-scripts/mkbgp -{{ item }} -f bird -x mwu -d ebgp_icvpn -s /home/admin/clones/icvpn-meta > /etc/bird/icvpn_ipv{{ item }}_peers.conf
args:
chdir: /home/admin/clones/icvpn-scripts
creates: /etc/bird/icvpn_ipv{{ item }}_peers.conf
notify:
- reload bird{{ item }}
- set file attrs {{ item }}
with_items:
- 4
- 6
become: true
- name: write initial icvpn roa config
shell: /usr/bin/python3 /home/admin/clones/icvpn-scripts/mkroa -{{ item.key }} -f bird -x mwu -m {{ item.value.max_prefix }} -s /home/admin/clones/icvpn-meta > /etc/bird/icvpn_ipv{{ item.key }}_roa.conf
args:
chdir: /home/admin/clones/icvpn-scripts
creates: /etc/bird/icvpn_ipv{{ item.key }}_roa.conf
notify:
- reload bird{{ item.key }}
- set file attrs {{ item.key }}
with_dict:
4:
max_prefix: 20
6:
max_prefix: 64
become: true
- name: write icvpn bird configuration
template:
src: icvpn_ipv{{ item }}.conf.j2
dest: /etc/bird/icvpn_ipv{{ item }}.conf
mode: 0640
owner: bird
group: bird
notify: reload bird{{ item }}
with_items:
- 4
- 6
become: true
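Review bot: In `write initial icvpn peers` the `>` redirection creates `/etc/bird/icvpn_ipv{{ item }}_peers.conf` before mkbgp produces any output, so a failing run (missing clone, Python error) leaves an empty or truncated peers file, and `creates:` then skips the task on every later run while bird keeps including that file; `write initial icvpn roa config` has the same shape. Writing to a temporary name and installing only on success avoids both the truncation and the window in which the file carries the shell's default ownership and mode until the `set file attrs` handlers run, e.g. `shell: /usr/bin/python3 /home/admin/clones/icvpn-scripts/mkbgp -{{ item }} -f bird -x mwu -d ebgp_icvpn -s /home/admin/clones/icvpn-meta > /etc/bird/icvpn_ipv{{ item }}_peers.conf.tmp && install -o bird -g bird -m 0640 /etc/bird/icvpn_ipv{{ item }}_peers.conf.tmp /etc/bird/icvpn_ipv{{ item }}_peers.conf && rm -f /etc/bird/icvpn_ipv{{ item }}_peers.conf.tmp`, after which the attrs handlers become unnecessary. Both tasks also execute scripts and consume peer metadata from `/home/admin/clones` as root via `become: true`; if that checkout is writable by the admin user (its ownership comes from the git-repos role, not visible here), whatever lands in it is effectively run as root on the next play, which deserves a comment or a root-owned location.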


@ -0,0 +1,75 @@
#
# {{ ansible_managed }}
#
# Variables
define icvpn_address = {{ icvpn_ipv4_transfer_net | ipaddr('net') | ipsubnet(24, 37) | ipaddr(magic) | ipaddr('address') }};
# ROA
roa table roa_icvpn {
include "icvpn_ipv4_roa.con?";
}
# Filters
filter icvpn_import_filter {
if is_mwu_self_nets() then reject;
if is_chaosvpn() then accept;
if roa_check(roa_icvpn) = ROA_VALID then {
if is_freifunk() then accept;
if is_dn42() then accept;
} else {
if roa_check(roa_icvpn) = ROA_UNKNOWN then {
if is_dn42() then {
print "ROA UNKNOWN for dn42 net, accepting: ", net, " ASN: ", bgp_path.last;
accept;
}
if is_freifunk() then {
print "ROA UNKNOWN for freifunk net, accepting: ", net, " ASN: ", bgp_path.last;
accept;
}
}
if roa_check(roa_icvpn) = ROA_INVALID then {
if is_freifunk() then {
print "ROA INVALID for freifunk net, accept: ", net, " ASN: ", bgp_path.last;
accept;
}
}
reject;
}
reject;
}
# Protocols
protocol kernel kernel_mwu {
scan time 30;
import none;
export filter {
if is_mwu_self_nets() then
reject;
krt_prefsrc = icvpn_address;
accept;
};
kernel table ipt_icvpn;
};
# Templates
template bgp ebgp_icvpn {
local icvpn_address as mwu_as;
import keep filtered on;
import filter icvpn_import_filter;
export filter {
if is_mwu_self_nets() then {
accept;
}
if source = RTS_BGP then {
if is_freifunk() || is_dn42() then {
accept;
}
}
reject;
};
direct;
}
# Include ICVPN IPv4 peers
include "icvpn_ipv4_peers.con?";
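Review bot: `icvpn_import_filter` accepts Freifunk prefixes whose ROA state is UNKNOWN or INVALID with only a `print`, so the ROA table in practice rejects only INVALID dn42 prefixes and anything that is neither freifunk nor dn42; nothing in the template says this is intentional, and the IPv6 template does the same for ULA prefixes. A comment above the filter such as `# ROA is enforced only for dn42; Freifunk prefixes are logged but still accepted on ROA_UNKNOWN/ROA_INVALID` would make a later tightening a deliberate change. The `include "icvpn_ipv4_roa.con?";` and `include "icvpn_ipv4_peers.con?";` lines would also benefit from a one-line comment, presumably `# '?' wildcard so bird still starts before the generated file exists`, since the pattern otherwise reads like a typo.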


@ -0,0 +1,67 @@
#
# {{ ansible_managed }}
#
# Variables
define icvpn_address = {{ icvpn_ipv6_transfer_net | ipaddr('net') | ipsubnet(112, 37) | ipaddr(magic) | ipaddr('address') }};
# ROA
roa table roa_icvpn {
include "icvpn_ipv6_roa.con?";
}
# Filters
filter icvpn_import_filter {
if is_mwu_self_nets() then reject;
if roa_check(roa_icvpn) = ROA_VALID then {
if is_ula() then accept;
} else {
if roa_check(roa_icvpn) = ROA_UNKNOWN then {
if is_ula() then {
print "ROA UNKNOWN for net, accepting: ", net, " ASN: ", bgp_path.last;
accept;
}
}
if roa_check(roa_icvpn) = ROA_INVALID then {
if is_ula() then {
print "ROA INVALID for net, accept: ", net, " ASN: ", bgp_path.last;
accept;
}
}
reject;
}
reject;
}
# Protocols
protocol kernel kernel_mwu {
scan time 30;
import none;
export filter {
if is_mwu_self_nets() then
reject;
krt_prefsrc = icvpn_address;
accept;
};
kernel table ipt_icvpn;
};
# Templates
template bgp ebgp_icvpn {
local icvpn_address as mwu_as;
import keep filtered on;
import filter icvpn_import_filter;
export filter {
if is_mwu_self_nets() then {
accept;
}
if source = RTS_BGP then {
accept;
}
reject;
};
direct;
}
# Include ICVPN IPv6 peers
include "icvpn_ipv6_peers.con?";
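Review bot: The `ebgp_icvpn` export filter accepts every route with `source = RTS_BGP`, whereas the IPv4 template additionally requires `is_freifunk() || is_dn42()`; if any other BGP protocol in this daemon feeds the same table (the template sets no `table`, so presumably the master table), its routes would be re-exported to ICVPN peers, which is a route-leak path. Mirroring the IPv4 guard with `if is_ula() then accept;` inside the `RTS_BGP` branch keeps exports within the address space the import filter admits at `if is_ula() then accept;`. If the master table is only ever populated by this template's peers, a comment stating that assumption would make the asymmetry with the IPv4 file deliberate.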