Merge pull request #89 from sown/tds/gw-bird

move bird config to ansible, closes #84
sown · Dec 1, 2024 · 7f50166 · 7f50166
2 parents 6439a75 + de8d9e0
commit 7f50166
Show file tree

Hide file tree

Showing 10 changed files with 108 additions and 62 deletions.
diff --git a/roles/gw/README.md b/roles/gw/README.md
@@ -1,14 +1,9 @@
 # Before initial run
-Generate a new ssh key for the root user, add as a deploy key to sown/network
-
-Then make sure you can run `ssh [email protected]`
-
-It will add systemd-networkd configuration for the interfaces, so ensure there's no old netplan configuration left over.
+It will add systemd-networkd configuration for the interfaces, so ensure there's no old netplan configuration left over. Bring up an interface on the SOWN VLAN manually in order to run ansible against the server first, then remove it afterwards.
 
 You'll also want to ensure there's udev rules to set interface names based on MACs, so they don't reorder between reboots.
 
-The BIRD and keepalived local configuration will be copied from ansible on the first run and then left to be locally maintained. After the first run, fill these in with the passwords (TODO we should move these to use ansible vault really). You can change the keepalived priorities to make the service active once it's ready.
-
+Once you're happy for the router to become active, you can change the keepalived priorities in `/etc/keepalived/local.conf` and reload keepalived.
 
 ## Vault Variables
 
@@ -24,4 +19,4 @@ gw_nftables_external_trusted:
     v6:
       - comment: Server
         address: 2001:db8::1234
-```
+```
diff --git a/roles/gw/tasks/bird.yml b/roles/gw/tasks/bird.yml
@@ -7,15 +7,6 @@
   template:
     src: bird.conf
     dest: /etc/bird/bird.conf
-    mode: "644"
-  notify:
-    - Reload bird
-
-- name: Deploy local BIRD config
-  template:
-    src: bird.local.conf
-    dest: /etc/bird/local.conf
-    force: no  # because we update the password by hand afterwards
     mode: "640"
     owner: root
     group: bird

diff --git a/roles/gw/tasks/conntrack.yml b/roles/gw/tasks/conntrack.yml
@@ -1,9 +1,8 @@
-- name: Install conntrack and keepalived
+- name: Install conntrackd
   apt:
     name:
       - conntrack
       - conntrackd
-      - keepalived
     state: present
 
 - name: Deploy conntrackd config
@@ -13,20 +12,3 @@
     mode: "644"
   notify:
     - Restart conntrackd
-
-- name: Deploy keepalived config
-  template:
-    src: keepalived.conf
-    dest: /etc/keepalived/keepalived.conf
-    mode: "600"
-  notify:
-    - Reload keepalived
-
-- name: Deploy keepalived local config
-  template:
-    src: keepalived.local.conf
-    dest: /etc/keepalived/local.conf
-    mode: "600"
-    force: no
-  notify:
-    - Reload keepalived
diff --git a/roles/gw/tasks/keepalived.yml b/roles/gw/tasks/keepalived.yml
@@ -0,0 +1,22 @@
+- name: Install keepalived
+  apt:
+    name:
+      - keepalived
+    state: present
+
+- name: Deploy keepalived config
+  template:
+    src: keepalived.conf
+    dest: /etc/keepalived/keepalived.conf
+    mode: "600"
+  notify:
+    - Reload keepalived
+
+- name: Deploy keepalived local config
+  template:
+    src: keepalived.local.conf
+    dest: /etc/keepalived/local.conf
+    mode: "600"
+    force: no
+  notify:
+    - Reload keepalived
diff --git a/roles/gw/tasks/main.yml b/roles/gw/tasks/main.yml
@@ -1,21 +1,3 @@
-- name: Install packages
-  apt:
-    name:
-      - git
-    state: present
-
-- name: Make /opt/sown
-  file:
-    state: directory
-    dest: /opt/sown
-    mode: "755"
-
-- name: Clone network config
-  git:
-    repo: [email protected]:sown/network.git
-    dest: /opt/sown/network
-    update: false  # noqa: latest
-
 - name: Setup sysctls
   include_tasks: sysctl.yml
 
@@ -28,5 +10,8 @@
 - name: Setup conntrack
   include_tasks: conntrack.yml
 
+- name: Setup keepalived
+  include_tasks: keepalived.yml
+
 - name: Setup interfaces
   include_tasks: interfaces.yml
diff --git a/roles/gw/templates/bird.conf b/roles/gw/templates/bird.conf
@@ -1 +1,61 @@
-include "/opt/sown/network/routing/bird.conf";
+router id {{ gw_sown_ip_v4 }};
+
+protocol device {
+}
+
+protocol static static4 {
+	ipv4;
+	route 10.5.0.0/16 unreachable;
+	route 152.78.103.160/27 unreachable;
+
+	route 152.78.103.163/32 via 10.5.0.232; # data1
+	route 152.78.103.164/32 via 10.5.0.243; # monitor
+	route 152.78.103.165/32 via 10.5.0.209; # login
+	route 152.78.103.166/32 via 10.5.0.239; # auth2
+	route 152.78.103.168/32 via 10.5.0.208; # login2
+	route 152.78.103.171/32 via 10.5.0.205; # containers-1 (dev)
+	route 152.78.103.172/32 via 10.5.0.204; # containers-2 (prod)
+	route 152.78.103.173/32 via 10.5.0.203; # containers-3 (secure)
+	route 152.78.103.186/32 via 10.5.0.213; # vpn
+	route 152.78.103.187/32 via 10.5.0.215; # monitor2
+	route 152.78.103.188/32 via 10.5.0.216; # netbox
+	route 152.78.103.190/32 via 10.5.0.218; # zepler-websdr
+}
+
+protocol static static6 {
+	ipv6;
+	route 2001:630:d0:f700::/56 unreachable;
+}
+
+protocol kernel kernel4 {
+	ipv4 {
+		export all;
+	};
+}
+
+protocol kernel kernel6 {
+	ipv6 {
+		export all;
+	};
+}
+
+protocol ospf v3 ospf4 {
+	ipv4;
+	area 0 {
+		interface "sown" {
+			authentication cryptographic;
+			password "{{ gw_ospf_pass }}";
+		};
+	};
+}
+
+protocol ospf v3 ospf6 {
+	ipv6;
+	area 0 {
+		interface "sown" {
+			authentication cryptographic;
+			password "{{ gw_ospf_pass }}";
+		};
+	};
+}
+
diff --git a/roles/gw/templates/bird.local.conf b/roles/gw/templates/bird.local.conf
diff --git a/roles/gw/templates/keepalived.conf b/roles/gw/templates/keepalived.conf
@@ -7,7 +7,7 @@ vrrp_instance SOWN_v4 {
     advert_int 1
     authentication {
         auth_type PASS
-        auth_pass $PASS
+        auth_pass {{ gw_keepalived_pass }}
     }
     virtual_ipaddress {
     	10.5.0.254/24
@@ -21,7 +21,7 @@ vrrp_instance SOWN_v6 {
     advert_int 1
     authentication {
         auth_type PASS
-        auth_pass $PASS
+        auth_pass {{ gw_keepalived_pass }}
     }
     virtual_ipaddress {
         2001:630:d0:f700::254/64
@@ -36,7 +36,7 @@ vrrp_instance UoS_Link_v4 {
     advert_int 1
     authentication {
         auth_type PASS
-        auth_pass $PASS
+        auth_pass {{ gw_keepalived_pass }}
     }
     virtual_ipaddress {
         152.78.103.238/29
@@ -50,7 +50,7 @@ vrrp_instance UoS_Link_v6 {
     advert_int 1
     authentication {
         auth_type PASS
-        auth_pass $PASS
+        auth_pass {{ gw_keepalived_pass }}
     }
     virtual_ipaddress {
         2001:630:d0:505::5032/64

diff --git a/roles/gw/templates/keepalived.local.conf b/roles/gw/templates/keepalived.local.conf
@@ -1,2 +1 @@
 $PRIORITY=1
-$KEY=CHANGEME
diff --git a/roles/gw/vars/main.yml b/roles/gw/vars/main.yml
@@ -0,0 +1,14 @@
+gw_keepalived_pass: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  63633335643839376436666263353431636334343734333163613230396564336531363532326166
+  3637643231623661613765653164313962343034653366300a333163396365366661326333383239
+  30333661616164356232353936626532363737363235623031646430333864363830336432666166
+  3063613662333238310a663439643936646133616564633135336438383139663361646231616161
+  31333633323133313265386638343863363631366232366131303830313839376563
+gw_ospf_pass: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  64313261376339643239393061313730313433343938366463343833323563313666353136653863
+  3134363963363362386133356139386131393963386338620a333864333730383633353431663766
+  31636434313366613337343461383830353166386566646635653233313964303531366263353532
+  3230343435303733320a386563316263613733346230663361663566653637663063316438323638
+  30653636333133336263376630313633303865343030313361313336653664316235