diff --git a/roles/gw/README.md b/roles/gw/README.md index c396e71..de2e34c 100644 --- a/roles/gw/README.md +++ b/roles/gw/README.md @@ -1,14 +1,9 @@ # Before initial run -Generate a new ssh key for the root user, add as a deploy key to sown/network - -Then make sure you can run `ssh git@github.com` - -It will add systemd-networkd configuration for the interfaces, so ensure there's no old netplan configuration left over. +It will add systemd-networkd configuration for the interfaces, so ensure there's no old netplan configuration left over. Bring up an interface on the SOWN VLAN manually in order to run ansible against the server first, then remove it afterwards. You'll also want to ensure there's udev rules to set interface names based on MACs, so they don't reorder between reboots. -The BIRD and keepalived local configuration will be copied from ansible on the first run and then left to be locally maintained. After the first run, fill these in with the passwords (TODO we should move these to use ansible vault really). You can change the keepalived priorities to make the service active once it's ready. - +Once you're happy for the router to become active, you can change the keepalived priorities in `/etc/keepalived/local.conf` and reload keepalived. ## Vault Variables @@ -24,4 +19,4 @@ gw_nftables_external_trusted: v6: - comment: Server address: 2001:db8::1234 -``` \ No newline at end of file +``` diff --git a/roles/gw/tasks/bird.yml b/roles/gw/tasks/bird.yml index 091352c..f1a3aed 100644 --- a/roles/gw/tasks/bird.yml +++ b/roles/gw/tasks/bird.yml @@ -7,15 +7,6 @@ template: src: bird.conf dest: /etc/bird/bird.conf - mode: "644" - notify: - - Reload bird - -- name: Deploy local BIRD config - template: - src: bird.local.conf - dest: /etc/bird/local.conf - force: no # because we update the password by hand afterwards mode: "640" owner: root group: bird diff --git a/roles/gw/tasks/conntrack.yml b/roles/gw/tasks/conntrack.yml index f0a39da..478eb55 100644 
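Review bot: Dropping the "Deploy local BIRD config" task does not remove `/etc/bird/local.conf` from gateways that already ran the role, so the hand-edited file holding the old OSPF password (or the `REPLACEME` placeholder) stays on disk indefinitely. An explicit cleanup task, `- name: Remove legacy local BIRD config` / `file: path: /etc/bird/local.conf` / `state: absent`, would reclaim it and is a no-op on fresh hosts. Tightening `/etc/bird/bird.conf` to mode `640` root:bird is the right call now that the rendered file embeds `gw_ospf_pass`; the task's name line and any `notify` it carries lie outside the hunk, so whether a reload still fires on change cannot be confirmed here.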
--- a/roles/gw/tasks/conntrack.yml +++ b/roles/gw/tasks/conntrack.yml @@ -1,9 +1,8 @@ -- name: Install conntrack and keepalived +- name: Install conntrackd apt: name: - conntrack - conntrackd - - keepalived state: present - name: Deploy conntrackd config @@ -13,20 +12,3 @@ mode: "644" notify: - Restart conntrackd - -- name: Deploy keepalived config - template: - src: keepalived.conf - dest: /etc/keepalived/keepalived.conf - mode: "600" - notify: - - Reload keepalived - -- name: Deploy keepalived local config - template: - src: keepalived.local.conf - dest: /etc/keepalived/local.conf - mode: "600" - force: no - notify: - - Reload keepalived diff --git a/roles/gw/tasks/keepalived.yml b/roles/gw/tasks/keepalived.yml new file mode 100644 index 0000000..25a6047 --- /dev/null +++ b/roles/gw/tasks/keepalived.yml @@ -0,0 +1,22 @@ +- name: Install keepalived + apt: + name: + - keepalived + state: present + +- name: Deploy keepalived config + template: + src: keepalived.conf + dest: /etc/keepalived/keepalived.conf + mode: "600" + notify: + - Reload keepalived + +- name: Deploy keepalived local config + template: + src: keepalived.local.conf + dest: /etc/keepalived/local.conf + mode: "600" + force: no + notify: + - Reload keepalived diff --git a/roles/gw/tasks/main.yml b/roles/gw/tasks/main.yml index c066090..6ab184b 100644 --- a/roles/gw/tasks/main.yml +++ b/roles/gw/tasks/main.yml @@ -1,21 +1,3 @@ -- name: Install packages - apt: - name: - - git - state: present - -- name: Make /opt/sown - file: - state: directory - dest: /opt/sown - mode: "755" - -- name: Clone network config - git: - repo: git@github.com:sown/network.git - dest: /opt/sown/network - update: false # noqa: latest - - name: Setup sysctls include_tasks: sysctl.yml @@ -28,5 +10,8 @@ - name: Setup conntrack include_tasks: conntrack.yml +- name: Setup keepalived + include_tasks: keepalived.yml + - name: Setup interfaces include_tasks: interfaces.yml 
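Review bot: The two template tasks set `mode: "600"` on `/etc/keepalived/keepalived.conf` and `local.conf` but, unlike the BIRD task in this same commit, give no `owner`/`group`, so ownership falls to whatever account the play connects as; since keepalived.conf now renders `gw_keepalived_pass`, pin it with `owner: root` and `group: root` under each template. Because `local.conf` is deployed with `force: no`, hosts provisioned before this change keep their existing file, including the `$KEY=CHANGEME` line this commit removes from the template, so those files are worth a one-off check on live gateways. Presumably the `Reload keepalived` handler is defined in the role's handlers, which are outside this diff.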
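Review bot: Removing the clone task leaves the earlier checkout at `/opt/sown/network`, and the root ssh deploy key the old README asked for, in place on gateways already provisioned; nothing in this commit cleans either up. A `- name: Remove legacy network checkout` / `file: path: /opt/sown/network` / `state: absent` task here would remove the stale copy, and the matching deploy key should be retired on the repository side once no host needs it. `git` appears to have been installed only for that clone, so dropping its apt task is fine provided no other role on these hosts relied on it — that cannot be checked from this hunk.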
diff --git a/roles/gw/templates/bird.conf b/roles/gw/templates/bird.conf index 621965d..3e4c489 100644 --- a/roles/gw/templates/bird.conf +++ b/roles/gw/templates/bird.conf @@ -1 +1,61 @@ -include "/opt/sown/network/routing/bird.conf"; +router id {{ gw_sown_ip_v4 }}; + +protocol device { +} + +protocol static static4 { + ipv4; + route 10.5.0.0/16 unreachable; + route 152.78.103.160/27 unreachable; + + route 152.78.103.163/32 via 10.5.0.232; # data1 + route 152.78.103.164/32 via 10.5.0.243; # monitor + route 152.78.103.165/32 via 10.5.0.209; # login + route 152.78.103.166/32 via 10.5.0.239; # auth2 + route 152.78.103.168/32 via 10.5.0.208; # login2 + route 152.78.103.171/32 via 10.5.0.205; # containers-1 (dev) + route 152.78.103.172/32 via 10.5.0.204; # containers-2 (prod) + route 152.78.103.173/32 via 10.5.0.203; # containers-3 (secure) + route 152.78.103.186/32 via 10.5.0.213; # vpn + route 152.78.103.187/32 via 10.5.0.215; # monitor2 + route 152.78.103.188/32 via 10.5.0.216; # netbox + route 152.78.103.190/32 via 10.5.0.218; # zepler-websdr +} + +protocol static static6 { + ipv6; + route 2001:630:d0:f700::/56 unreachable; +} + +protocol kernel kernel4 { + ipv4 { + export all; + }; +} + +protocol kernel kernel6 { + ipv6 { + export all; + }; +} + +protocol ospf v3 ospf4 { + ipv4; + area 0 { + interface "sown" { + authentication cryptographic; + password "{{ gw_ospf_pass }}"; + }; + }; +} + +protocol ospf v3 ospf6 { + ipv6; + area 0 { + interface "sown" { + authentication cryptographic; + password "{{ gw_ospf_pass }}"; + }; + }; +} + diff --git a/roles/gw/templates/bird.local.conf b/roles/gw/templates/bird.local.conf deleted file mode 100644 index 9b17045..0000000 --- a/roles/gw/templates/bird.local.conf +++ /dev/null @@ -1,2 +0,0 @@ -router id {{gw_sown_ip_v4}}; -define OSPFPASS = "REPLACEME"; diff --git a/roles/gw/templates/keepalived.conf b/roles/gw/templates/keepalived.conf index b8cdbfc..fb974f7 100644 --- a/roles/gw/templates/keepalived.conf 
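Review bot: The two OSPF blocks embed `gw_ospf_pass` under `authentication cryptographic` with no `algorithm`, so the digest used is whatever the installed BIRD release defaults to; if that release accepts password options, `password "{{ gw_ospf_pass }}" { algorithm hmac sha256; };` makes the choice explicit and avoids an MD5 default. The secret is interpolated inside double quotes without escaping, so a vault value containing `"` or `\` would break the rendered config — a comment above the block stating that constraint, or generating the secret from a safe alphabet, would prevent a confusing parse failure. The dozen `route 152.78.103.x/32 via 10.5.0.y` lines are a per-server table hard-coded in the template; moving them to a role variable rendered with a loop would keep future server additions out of the template, and the otherwise identical ospf4/ospf6 blocks could be a loop over the two address families as well.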
+++ b/roles/gw/templates/keepalived.conf @@ -7,7 +7,7 @@ vrrp_instance SOWN_v4 { advert_int 1 authentication { auth_type PASS - auth_pass $PASS + auth_pass {{ gw_keepalived_pass }} } virtual_ipaddress { 10.5.0.254/24 @@ -21,7 +21,7 @@ vrrp_instance SOWN_v6 { advert_int 1 authentication { auth_type PASS - auth_pass $PASS + auth_pass {{ gw_keepalived_pass }} } virtual_ipaddress { 2001:630:d0:f700::254/64 @@ -36,7 +36,7 @@ vrrp_instance UoS_Link_v4 { advert_int 1 authentication { auth_type PASS - auth_pass $PASS + auth_pass {{ gw_keepalived_pass }} } virtual_ipaddress { 152.78.103.238/29 @@ -50,7 +50,7 @@ vrrp_instance UoS_Link_v6 { advert_int 1 authentication { auth_type PASS - auth_pass $PASS + auth_pass {{ gw_keepalived_pass }} } virtual_ipaddress { 2001:630:d0:505::5032/64 diff --git a/roles/gw/templates/keepalived.local.conf b/roles/gw/templates/keepalived.local.conf index b0745fd..af6db88 100644 --- a/roles/gw/templates/keepalived.local.conf +++ b/roles/gw/templates/keepalived.local.conf @@ -1,2 +1 @@ $PRIORITY=1 -$KEY=CHANGEME diff --git a/roles/gw/vars/main.yml b/roles/gw/vars/main.yml new file mode 100644 index 0000000..7ffe743 --- /dev/null +++ b/roles/gw/vars/main.yml 
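Review bot: All four instances now take the same `gw_keepalived_pass` with `auth_type PASS`, which keepalived sends in cleartext in every VRRP advertisement and limits to its first eight characters, so a long vault-generated secret yields no more than eight characters of protection on the wire; this applies equally to the SOWN_v6, UoS_Link_v4 and UoS_Link_v6 hunks. Generate the secret with that limit in mind, and consider a distinct value for the UoS_Link instances, whose advertisements traverse a different segment from the SOWN VLAN ones. A short comment above each `authentication {`, e.g. `# auth_pass is sent in clear and only the first 8 chars count; it guards against misconfigured peers, not hostile ones`, would keep a later maintainer from treating it as a strong control.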
@@ -0,0 +1,14 @@ +gw_keepalived_pass: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 63633335643839376436666263353431636334343734333163613230396564336531363532326166 + 3637643231623661613765653164313962343034653366300a333163396365366661326333383239 + 30333661616164356232353936626532363737363235623031646430333864363830336432666166 + 3063613662333238310a663439643936646133616564633135336438383139663361646231616161 + 31333633323133313265386638343863363631366232366131303830313839376563 +gw_ospf_pass: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 64313261376339643239393061313730313433343938366463343833323563313666353136653863 + 3134363963363362386133356139386131393963386338620a333864333730383633353431663766 + 31636434313366613337343461383830353166386566646635653233313964303531366263353532 + 3230343435303733320a386563316263613733346230663361663566653637663063316438323638 + 30653636333133336263376630313633303865343030313361313336653664316235
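Review bot: Both secrets are placed in the role's `vars/main.yml`, which takes precedence over inventory and group_vars, so `gw_keepalived_pass` and `gw_ospf_pass` cannot be overridden per site or for a test gateway without editing the role; `defaults/main.yml` or vaulted inventory variables would be the usual home, and the README's "Vault Variables" section touched in this same commit presumably expects the latter. A header comment such as `# Vault-encrypted secrets; edit with ansible-vault edit, never commit plaintext` would make the handling expectation explicit. If the secrets stay here, the README list of vault variables should at least name these two so operators know the vault password is required to run the role.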