misc: WIP: vpn

7 months ago · 02910a8fc0
parent 061b6f1049
commit 02910a8fc0
24 changed files with 230 additions and 119 deletions
--- a/group_vars/all/ifupdown2.yml
+++ b/group_vars/all/ifupdown2.yml
@ -7,9 +7,9 @@ ifupdown2__gateways:
  int:
    - 2a09:6840:206::1
    - 10.206.0.1
-  pub:
+  ext:
-    - 2a09:6840:111::254
+    - 2a09:6840:211::1
-    - 45.66.111.254
+    - 10.211.0.1
  monit:
    - 2a09:6840:204::1
    - 10.204.0.1
--- a/group_vars/infra/bird.yml
+++ b/group_vars/infra/bird.yml
@ -57,4 +57,28 @@ bird__bgp:
      - pref_src: "{{ bird__pref_src_addr }}"
      - accept
    export: reject
  wg1:
    local:
      address: "{{ bird__bgp_addr.vpn }}"
      as: "{{ bird__as.aurore }}"
    neighbor:
      address:
        - 2a09:6840:213::1:3
        - 10.213.1.3
      as: "{{ bird__as.aurore }}"
    rr_cluster_client: 10.203.1.1
    import: reject
    export: accept
  wg2:
    local:
      address: "{{ bird__bgp_addr.vpn }}"
      as: "{{ bird__as.aurore }}"
    neighbor:
      address:
        - 2a09:6840:213::1:4
        - 10.203.1.4
      as: "{{ bird__as.aurore }}"
    rr_cluster_client: 10.203.1.1
    import: reject
    export: accept
 ...
--- a/group_vars/infra/firewall.yml
+++ b/group_vars/infra/firewall.yml
@ -104,7 +104,13 @@ firewall__zones:
      - 10.128.0.150
 firewall__input:
-  - src: back
+  - iif:
      - back0 # FIXME link-local
      - vpn0
    verdict: accept
  - src:
      - back
      - vpn
    verdict: accept
  - src: monit
    protocols:
--- a/group_vars/vpn/bird.yml
+++ b/group_vars/vpn/bird.yml
@ -0,0 +1,58 @@
 ---
 bird__kernel:
  kernel:
    learn: true
    import: accept
    export: accept
  vrf:
    import: reject
    export: accept
    table: wg
    kernel: "{{ iproute2__custom_protos.wireguard }}"
 bird__ospf:
  limits:
    import: 4000
    export: 4000
  table: wg
  import: accept
  export:
    protos:
      - kernel
      - wireguard
  areas:
    1:
      broadcast:
        - vpn0
 bird__tables:
  - wg
 bird__bgp:
  infra1:
    local:
      address: "{{ bird__bgp_addr.vpn }}"
      as: "{{ bird__as.aurore }}"
    neighbor:
      address:
        - 2a09:6840:213::1:1
        - 10.213.1.1
      as: "{{ bird__as.aurore }}"
    table: wg
    import: accept
    export: reject
    next_hop_self: true
  infra2:
    local:
      address: "{{ bird__bgp_addr.vpn }}"
      as: "{{ bird__as.aurore }}"
    neighbor:
      address:
        - 2a09:6840:213::1:2
        - 10.213.1.2
      as: "{{ bird__as.aurore }}"
    table: wg
    import: accept
    export: reject
    next_hop_self: true
 ...
--- a/host_vars/vpn-1.back.infra.auro.re.yml
+++ b/host_vars/vpn-1.back.infra.auro.re.yml
@ -1,24 +1,15 @@
 ---
 ifupdown2__vrf:
  wg-vrf:
    table: "{{ iproute2__custom_tables.wireguard }}"
 ifupdown2__wireguard:
  wg0:
    private_key: "{{ vault_wireguard_wg0_private }}"
    listen_port: 5121
-    goto_table: bird
+    vrf: wg-vrf
    peer_allowed_addresses:
      - 2a09:6840:212::1:1/128
      - 10.212.1.1/32
    peer_public_key: 0kP/XjaGOpu4p9KHTAoAhkLwXzC8wJUdPIdhdpgeKhY=
 ifupdown2__interfaces:
  adm0:
    addresses:
      - 2a09:6840:128::10:11/64
      - 10.128.10.11/16
  ext0:
    addresses:
      - 45.66.111.200/30
  vpn0:
    addresses:
      - 2a09:6840:213::1:3/64
      - 10.213.1.3/16
 ...
--- a/group_vars/vpn/iproute2.yml
+++ b/group_vars/vpn/iproute2.yml
@ -0,0 +1,7 @@
 ---
 iproute2__custom_tables:
  wireguard: 2000
 iproute2__custom_protos:
  wireguard: 2000
 ...
--- a/host_vars/infra-1.back.infra.auro.re.yml
+++ b/host_vars/infra-1.back.infra.auro.re.yml
@ -38,8 +38,8 @@ ifupdown2__interfaces:
    ipv6_addrgen: false
  vpn0:
    addresses:
-      - 2a09:6840:213::1:1
+      - 2a09:6840:213::1:1/64
-      - 10.213.1.1
+      - 10.213.1.1/16
 bird__router_id: 10.203.1.3
@ -47,6 +47,9 @@ bird__bgp_addr:
  back:
    - 2a09:6840:203::1:3
    - 10.203.1.3
  vpn:
    - 2a09:6840:213::1:1
    - 10.213.1.1
 bird__pref_src_addr:
  - 2a09:6840:203::1:3
--- a/host_vars/infra-2.back.infra.auro.re.yml
+++ b/host_vars/infra-2.back.infra.auro.re.yml
@ -38,8 +38,8 @@ ifupdown2__interfaces:
    ipv6_addrgen: false
  vpn0:
    addresses:
-      - 2a09:6840:213::1:2
+      - 2a09:6840:213::1:2/64
-      - 10.213.1.2
+      - 10.213.1.2/16
 bird__router_id: 10.203.1.4
@ -47,6 +47,9 @@ bird__bgp_addr:
  back:
    - 2a09:6840:203::1:4
    - 10.203.1.4
  vpn:
    - 2a09:6840:213:1:2
    - 10.213.1.2
 bird__pref_src_addr:
  - 2a09:6840:203::1:4
--- a/host_vars/ns-master.int.infra.auro.re/knotd.yml
+++ b/host_vars/ns-master.int.infra.auro.re/knotd.yml
@ -363,12 +363,12 @@ knotd__zones:
      dns-2.int:
        - 2a09:6840:206::1:2
        - 10.206.1.2
-      vpn-1.back:
+      wg-1.vpn:
-        - 10.128.10.11
+        - 2a09:6840:213::1:3
-        - 2a09:6840:128::10:11
+        - 10.213.1.3
-      vpn-2.back:
+      wg-2.vpn:
-        - 10.128.10.111
+        - 2a09:6840:213::1:4
-        - 2a09:6840:128::10:111
+        - 10.213.1.4
      infra-1.back:
        - 2a09:6840:203::1:3
        - 10.203.1.3
--- a/host_vars/wg-1.vpn.infra.auro.re.yml
+++ b/host_vars/wg-1.vpn.infra.auro.re.yml
@ -0,0 +1,24 @@
 ---
 systemd_link__links:
  vpn0: 02:00:00:b5:ca:c7
  ext0: 02:00:00:e3:65:49
 ifupdown2__interfaces:
  ext0:
    gateways: "{{ ifupdown2__gateways.ext }}"
    addresses:
      - 2a09:6840:211::1:1/64
      - 10.211.1.1/16
      - 45.66.111.200/30
  vpn0:
    addresses:
      - 2a09:6840:213::1:3/64
      - 10.213.1.3/16
 bird__router_id: 10.213.1.3
 bird__bgp_addr:
  vpn:
    - 2a09:6840:213::1:3
    - 10.213.1.3
 ...
--- a/24
+++ b/24
@ -19,7 +19,7 @@ eb-1.ups.infra.auro.re
 ec-1.ups.infra.auro.re
 [vpn]
-#vpn-[1:2].back.infra.auro.re
+wg-[1:2].vpn.infra.auro.re
 [dns]
 dns-[1:2].int.infra.auro.re
@ -54,17 +54,17 @@ ntp-[1:2].int.infra.auro.re
 [radius]
 radius-[1:2].isp.infra.auro.re
-[vm_network]
+[vm_network:children]
-#vpn-[1:2].back.infra.auro.re
+vpn
-edge-[1:2].back.infra.auro.re
+edge
-dhcp-[1:2].isp.infra.auro.re
+dhcp
-dns-[1:2].int.infra.auro.re
+dns
-radius-[1:2].isp.infra.auro.re
+radius
-ntp-[1:2].int.infra.auro.re
+ntp
-#ldap-[1:2].int.infra.auro.re
+#ldap
-isp-[1:2].back.infra.auro.re
+isp
-infra-[1:2].back.infra.auro.re
+infra
-prometheus-[1:2].monit.infra.auro.re
+prom
 [pve:children]
 pve_network
--- a/playbooks/bird.yml
+++ b/playbooks/bird.yml
@ -3,6 +3,7 @@
 - hosts:
    - infra
    - isp
    - vpn
  roles:
    - bird
--- a/playbooks/iproute2.yml
+++ b/playbooks/iproute2.yml
@ -1,17 +1,10 @@
 #!/usr/bin/env ansible-playbook
 ---
 - hosts:
-    - edge-1.back.infra.auro.re
+    - edge
-    - edge-2.back.infra.auro.re
+    - isp
-    - isp-1.back.infra.auro.re
+    - infra
-    - isp-2.back.infra.auro.re
+    - vpn
    - infra-1.back.infra.auro.re
    - infra-2.back.infra.auro.re
    - vpn-1.back.infra.auro.re
    - vpn-2.back.infra.auro.re
  vars:
    iproute2__custom_tables:
      bird: 100
  roles:
    - iproute2
 ...
--- a/playbooks/systemd_link.yml
+++ b/playbooks/systemd_link.yml
@ -11,12 +11,6 @@
    - ldap
    - isp
    - vpn
  vars:
    systemd_link__hosts:
      vpn-1.back.infra.auro.re:
        adm0: 02:00:00:3b:74:20
        vpn0: 02:00:00:b5:ca:c7
        pub0: 02:00:00:e3:65:49
  roles:
    - systemd_link
 ...
--- a/roles/bird/defaults/main.yml
+++ b/roles/bird/defaults/main.yml
@ -1,7 +1,7 @@
 ---
-bird__ospf_stub_interfaces: []
+bird__kernel: {}
-bird__ospf_stub_networks: []
+bird__pipes: {}
-bird__ospf_broadcast_interfaces: {}
+bird__tables: {}
 bird__ospf_hello: 2
 bird__ospf_retransmit: 5
 bird__ospf_wait: 10
@ -10,5 +10,5 @@ bird__radv_interfaces: {}
 bird__radv_dns_servers: []
 bird__radv_max_interval: 5
 bird__static_unreachable: []
-bird__bgp_sessions: []
+bird__bgp_sessions: {}
 ...
--- a/roles/bird/filter_plugins/bird.py
+++ b/roles/bird/filter_plugins/bird.py
@ -135,7 +135,7 @@ def str_of_condition(condition: Condition, ctx: bool) -> str:
        case Proto(protos=protos):
            protos = [quoted(bird_name(p, ctx.ipv4)) for p in protos]
-            return f"proto ~ [ {', '.join(protos)} ]"
+            return " || ".join(f"proto = {p}" for p in protos)
        case Source(sources=[source]):
            return f"krt_source = {source}"
--- a/roles/bird/templates/bird.conf.j2
+++ b/roles/bird/templates/bird.conf.j2
@ -1,9 +1,26 @@
 {{ ansible_managed | comment }}
 {% macro import_export(obj, ipv4) %}
 {{ obj.import | default([]) | bird_import(ipv4) }}
 {% if obj.limits.import is defined %}
 import limit {{ obj.limits.import }};
 {% endif %}
 {{ obj.export | default([]) | bird_export(ipv4) }}
 {% if obj.limits.export is defined %}
 export limit {{ obj.limits.export }};
 {% endif %}
 {% endmacro %}
 log syslog all;
 router id {{ bird__router_id }};
 {% for table in bird__tables %}
 {% for version in ["ipv4", "ipv6"] %}
 {{ version }} table {{ table | bird_name(version == "ipv4") }};
 {% endfor %}
 {% endfor %}
 protocol device {
    scan time 10;
 }
@ -22,45 +39,36 @@ protocol kernel {{ name | bird_name(ipv4) }} {
    persist;
 {% endif %}
    {{ version }} {
-        {{ kernel.import
+{% if kernel.table is defined %}
-           | default([])
+        table {{ kernel.table | bird_name(ipv4) }};
           | bird_import(ipv4)
           | indent(8) }}
 {% if kernel.limits.import is defined %}
        import limit {{ kernel.limits.import }};
 {% endif %}
        {{ kernel.export
           | default([])
           | bird_export(ipv4)
           | indent(8) }}
 {% if kernel.limits.export is defined %}
        export limit {{ kernel.limits.export }};
 {% endif %}
        {{ import_export(kernel, ipv4) | indent(8) }}
    };
 }
 {% endfor %}
 {% endfor %}
 {% for name, pipe in bird__pipes.items() %}
 {% for version in ["ipv4", "ipv6"] %}
 {% set ipv4 = version == "ipv4" %}
 protocol pipe {{ name | bird_name(ipv4) }} {
    table {{ pipe.table | bird_name(ipv4) }};
    peer_table {{ pipe.peer_table | bird_name(ipv4) }};
    {{ import_export(kernel, ipv4) | indent(8) }}
 }
 {% endfor %}
 {% endfor %}
 {% if bird__ospf is defined %}
 {% for version in ["ipv4", "ipv6"] %}
 {% set ipv4 = version == "ipv4" %}
 {% set ospf_version = "v2" if ipv4 else "v3" %}
 protocol ospf {{ ospf_version }} {{ "ospf" | bird_name(ipv4) }} {
    {{ version }} {
-        {{ bird__ospf.import
+{% if bird__ospf.table is defined %}
-           | default([])
+        table {{ bird__ospf.table | bird_name(ipv4) }};
           | bird_import(ipv4)
           | indent(8) }}
 {% if bird__ospf.limits.import is defined %}
        import limit {{ bird__ospf.limits.import }};
 {% endif %}
        {{ bird__ospf.export
           | default([])
           | bird_export(ipv4)
           | indent(8) }}
 {% if bird__ospf.limits.export is defined %}
        export limit {{ bird__ospf.limits.export }};
 {% endif %}
        {{ import_export(bird__ospf, ipv4) | indent(8) }}
    };
 {% for id, area in bird__ospf.areas.items() %}
    area {{ id }} {
@ -97,20 +105,13 @@ protocol bgp {{ name | bird_name(ipv4) }} {
    rr cluster id {{ bgp.rr_cluster_client }};
 {% endif %}
    {{ version }} {
-        {{ bgp.import
+{% if bgp.table is defined %}
-           | default([])
+        table {{ bgp.table | bird_name(ipv4) }};
           | bird_import(ipv4)
           | indent(8) }}
 {% if bgp.limits.import is defined %}
        import limit {{ bgp.limits.import }};
 {% endif %}
-        {{ bgp.export
+{% if bgp.next_hop_self is defined %}
-           | default([])
+        next hop self;
           | bird_export(ipv4)
           | indent(8) }}
 {% if bgp.limits.export is defined %}
        export limit {{ bgp.limits.export }};
 {% endif %}
        {{ import_export(bgp, ipv4) | indent(8) }}
    };
 }
 {% endfor %}
--- a/roles/firewall/files/firewall
+++ b/roles/firewall/files/firewall
@ -155,8 +155,8 @@ class Protocols(RestrictiveBaseModel):
 class Rule(RestrictiveBaseModel):
-    iif: str | None
+    iif: AutoSet[str] | None
-    oif: str | None
+    oif: AutoSet[str] | None
    protocols: Protocols = Protocols()
    src: AutoSet[IPvAnyNetwork | ZoneName] | None
    dst: AutoSet[IPvAnyNetwork | ZoneName] | None
--- a/roles/ifupdown2/defaults/main.yml
+++ b/roles/ifupdown2/defaults/main.yml
@ -1,6 +1,7 @@
 ---
 ifupdown2__interfaces: {}
 ifupdown2__wireguard: {}
 ifupdown2__vrf: {}
 ifupdown2__wireguard_keepalive: 0
 ifupdown2__wireguard_proto: boot
 ifupdown2__prio_base: 100
--- a/roles/ifupdown2/templates/interfaces.j2
+++ b/roles/ifupdown2/templates/interfaces.j2
@ -21,6 +21,9 @@ pre-up ip rule add prio {{ prio + 1 }} iif $IFACE blackhole
 post-down ip rule del prio {{ prio }} iif $IFACE table {{ iface.goto_table }}
 post-down ip rule del prio {{ prio + 1 }} iif $IFACE blackhole
 {% endif %}
 {% if iface.vrf is defined %}
 vrf {{ iface.vrf }}
 {% endif %}
 {% if iface.ipv6_addrgen is defined %}
 ipv6-addrgen {{ iface.ipv6_addrgen
                | ternary("yes", "no") }}
@ -63,5 +66,11 @@ iface {{ name }}
 {% for address in iface.peer_allowed_addresses | default([]) %}
    post-up ip route add {{ address }} proto {{ ifupdown2__wireguard_proto }} dev $IFACE
 {% endfor %}
 {% endfor %}
 {% for name, iface in ifupdown2__vrf.items() | sort(attribute="0") %}
 auto {{ name }}
 iface {{ name }}
    {{ iface_common(iface, index=loop.index) | indent(4) }}
    vrf-table {{ iface.table }}
 {% endfor %}
--- a/roles/iproute2/defaults/main.yml
+++ b/roles/iproute2/defaults/main.yml
@ -1,8 +1,4 @@
 ---
 iproute2__default_tables:
  local: 255
  main: 254
  default: 253
  unspec: 0
 iproute2__custom_tables: {}
 iproute2__custom_protos: {}
 ...
--- a/roles/iproute2/tasks/main.yml
+++ b/roles/iproute2/tasks/main.yml
@ -1,17 +1,12 @@
 ---
- name: Ensure that default and custom tables names don't overlap
+- name: Configure custom tables and protos
  assert:
    that: "not (iproute2__default_tables.keys()
                | intersect(iproute2__custom_tables.keys()))"
 - name: Configure rt_tables
  template:
-    src: rt_tables.j2
+    src: "{{ item }}.j2"
-    dest: /etc/iproute2/rt_tables
+    dest: "/etc/iproute2/{{ item }}.d/custom.conf"
    owner: root
    group: root
    mode: u=rw,g=r,o=r
-  vars:
+  loop:
-    iproute2__tables: "{{ iproute2__default_tables
+    - rt_tables
-                          | combine(iproute2__custom_tables) }}"
+    - rt_protos
 ...
--- a/roles/iproute2/templates/rt_protos.j2
+++ b/roles/iproute2/templates/rt_protos.j2
@ -0,0 +1,5 @@
 {{ ansible_managed | comment }}
 {% for name, id in iproute2__custom_protos.items() %}
 {{ id }} {{ name }}
 {% endfor %}
--- a/roles/iproute2/templates/rt_tables.j2
+++ b/roles/iproute2/templates/rt_tables.j2
@ -1,5 +1,5 @@
 {{ ansible_managed | comment }}
-{% for name, id in iproute2__tables.items() %}
+{% for name, id in iproute2__custom_tables.items() %}
 {{ id }} {{ name }}
 {% endfor %}