From 3a8112bf0d70d7ce64bb7cbfccb4c76473f7bda1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?=
Date: Sat, 1 Aug 2020 17:48:39 +0200
Subject: [PATCH] roll out (private) IPv6 on George Sand
---
 group_vars/all/vars.yml | 4 +-
 roles/radvd/tasks/main.yml | 2 +
 roles/radvd/templates/radvd.conf.j2 | 4 +-
 roles/router/tasks/main.yml | 2 +-
 roles/router/templates/firewall_config.py | 4 +-
 roles/router/templates/keepalived.conf | 61 +++++++++++++++++++----
 roles/unbound/templates/recursive.conf.j2 | 2 +-
 7 files changed, 61 insertions(+), 18 deletions(-)
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index cc30765..2b53213 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -50,8 +50,8 @@ dns_host_suffix_backup: 153
 backup_dns_servers:
   - "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr)
-# Misc
-mtu: 1400
+# Finally raised!
+mtu: 1500
 subnet_ids:
   ap: "14{{ apartment_block_id }}"
diff --git a/roles/radvd/tasks/main.yml b/roles/radvd/tasks/main.yml
index 7b68b76..75c72c1 100644
--- a/roles/radvd/tasks/main.yml
+++ b/roles/radvd/tasks/main.yml
@@ -10,6 +10,8 @@
     dest: /etc/radvd.conf
     mode: 0644
   notify: restart radvd
+  tags:
+    - radconf
 - name: Install radvd
   apt:
diff --git a/roles/radvd/templates/radvd.conf.j2 b/roles/radvd/templates/radvd.conf.j2
index ab63ea8..94720f5 100644
--- a/roles/radvd/templates/radvd.conf.j2
+++ b/roles/radvd/templates/radvd.conf.j2
@@ -39,7 +39,7 @@ interface ens20 {
     MaxRtrAdvInterval 30;
     AdvRASrcAddress {
-        {{{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:{{ router_ip_suffix }};
+        fe80::1;
     };
     prefix {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::/64 {
@@ -63,7 +63,7 @@ interface ens21 {
     MaxRtrAdvInterval 30;
     AdvRASrcAddress {
-        {{{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:{{ router_ip_suffix }};
+        fe80::1;
     };
     prefix {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::/64 {
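Review bot: `fe80::1` as the RA source on ens20 and ens21 is the VRRP-shared link-local that keepalived assigns only on the current MASTER, so on the BACKUP node radvd has no such address on the interface; I would expect it to either complain about the option or fall back to the host's own link-local, in which case clients learn a second default router that does not hold the virtual routes — verify the behaviour of the deployed radvd. If both nodes are meant to advertise, say so; otherwise start and stop radvd from keepalived `notify_master`/`notify_backup` scripts so only the VIP owner sends RAs. A comment next to the option, `# VRRP VIP from keepalived.conf; only the current MASTER owns this address`, would tie the two templates together. Both `interface` blocks begin before their hunk.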
diff --git a/roles/router/tasks/main.yml b/roles/router/tasks/main.yml
index 06595a2..d09a2c8 100644
--- a/roles/router/tasks/main.yml
+++ b/roles/router/tasks/main.yml
@@ -8,7 +8,7 @@
 - name: Enable IPv6 packet forwarding
   ansible.posix.sysctl:
-    name: net.ipv6.ip_forward
+    name: net.ipv6.conf.all.forwarding
     value: '1'
     sysctl_set: yes
diff --git a/roles/router/templates/firewall_config.py b/roles/router/templates/firewall_config.py
index 1a3579c..4f6b755 100644
--- a/roles/router/templates/firewall_config.py
+++ b/roles/router/templates/firewall_config.py
@@ -24,8 +24,8 @@
 ### Give me a role
-# routeur4 = routeur IPv4
-role = ['routeur4', 'routeur6']
+# previously: routeur4 = routeur IPv4
+role = ['routeur']
 ### Specify each interface role
diff --git a/roles/router/templates/keepalived.conf b/roles/router/templates/keepalived.conf
index a07ec07..cd217f3 100644
--- a/roles/router/templates/keepalived.conf
+++ b/roles/router/templates/keepalived.conf
@@ -7,7 +7,7 @@ global_defs {
 }
-vrrp_instance VI_ROUT_{{ apartment_block }} {
+vrrp_instance VI_ROUT_{{ apartment_block }}_IPv4 {
     {% if 'backup' in inventory_hostname %}
     state BACKUP
     priority 100
@@ -21,7 +21,7 @@ vrrp_instance VI_ROUT_{{ apartment_block }} {
     interface ens18
     # Shared by MASTER and BACKUP
-    virtual_router_id {{ apartment_block_id }}
+    virtual_router_id 4{{ apartment_block_id }}
     # Timeout in seconds before failover kicks in.
     advert_int 2
@@ -37,7 +37,6 @@ vrrp_instance VI_ROUT_{{ apartment_block }} {
     virtual_ipaddress {
         # Routing subnet
         10.129.{{ apartment_block_id }}.254/16 brd 10.129.255.255 dev ens19 scope global
-        {{ ipv6_base_prefix }}:129:0::{{ apartment_block_id }}:254/64 dev ens19 scope global
         # NATed subnet: wired
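Review bot: `net.ipv6.conf.all.forwarding` is the key that actually exists, but setting it to 1 also makes the kernel ignore Router Advertisements on every interface whose `accept_ra` is at its default of 1; if any interface on these routers still obtains an address or its upstream route from RAs, that interface additionally needs `net.ipv6.conf.<iface>.accept_ra` set to `'2'` in this task list. From the keepalived template in the same commit the upstream IPv6 route is static (virtual_routes), so this is probably fine, but it deserves a one-line comment on the task, e.g. `# forwarding=1 also disables RA acceptance unless accept_ra=2; all v6 routes here are static`. The task's remaining keys are outside the hunk.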
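Review bot: Collapsing `role = ['routeur4', 'routeur6']` into `role = ['routeur']` means the IPv6 forwarding rules now come from whatever the single 'routeur' role expands to elsewhere in this template, and forwarding is switched on in the same commit; confirm that the v6 FORWARD policy (default drop, established/related, per-interface allow) matches the v4 one rather than being left open, which this hunk cannot show. The new comment records history (`# previously: routeur4 = routeur IPv4`) but not the current meaning; `# 'routeur' covers both IPv4 and IPv6 forwarding rules (was split into routeur4/routeur6)` says both. The rest of the role configuration is outside the hunk.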
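Review bot: `virtual_router_id 4{{ apartment_block_id }}` (and `6{{ apartment_block_id }}` in the new IPv6 instance in the following hunk) is string concatenation, while the VRRP VRID field is one byte (1–255): this only works while apartment_block_id is a single digit, and for anything larger it produces an out-of-range ID that keepalived should reject at load time. Computing it instead, e.g. `virtual_router_id {{ 100 + apartment_block_id | int }}` for the IPv4 instance and `virtual_router_id {{ 200 + apartment_block_id | int }}` for the IPv6 one, makes the bound explicit; whichever scheme is kept, add a comment that the two instances and any other VRRP speakers on ens18 must not share a VRID. The enclosing vrrp_instance block starts before this hunk.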
@@ -48,21 +47,63 @@ vrrp_instance VI_ROUT_{{ apartment_block }} {
         # Wired
         10.{{ subnet_ids.users_wired }}.0.254/16 brd 10.{{ subnet_ids.users_wired }}.255.255 dev ens20 scope global
-        {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:254/64 dev ens20 scope global
         # Wifi
         10.{{ subnet_ids.users_wifi }}.0.254/16 brd 10.{{ subnet_ids.users_wifi }}.255.255 dev ens21 scope global
-        {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:254/64 dev ens21 scope global
     }
-    # FIXME: update for IPv6
     virtual_routes {
         # 10.129.0.1 is Yggdrasil
         src 10.129.{{ apartment_block_id }}.254 to 0.0.0.0/0 via 10.129.0.1 dev ens19
-
-        # For IPv6, the master router is routeur-aurore, NOT yggdrasil,
-        # because yggdrasil doesn't support BGPv6 announcements.
-        src {{ ipv6_base_prefix }}:129::{{ apartment_block_id }}:254 to ::/0 via {{ ipv6_base_prefix }}:129::0:1 dev ens19
     }
 }
+
+vrrp_instance VI_ROUT_{{ apartment_block }}_IPv6 {
+    {% if 'backup' in inventory_hostname %}
+    state BACKUP
+    priority 100
+    {% else %}
+    state MASTER
+    priority 150
+    {% endif %}
+
+
+    # Interface used for VRRP communication.
+    interface ens18
+
+    # Shared by MASTER and BACKUP
+    virtual_router_id 6{{ apartment_block_id }}
+
+    # Timeout in seconds before failover kicks in.
+    advert_int 2
+
+    # Used to authenticate VRRP communication between master and backup.
+    authentication {
+        auth_type PASS
+        auth_pass {{ keepalived_password }}
+    }
+
+    smtp_alert
+
+    virtual_ipaddress {
+        # Routing subnet
+        fe80::1/64 dev ens19 scope global
+        {{ ipv6_base_prefix }}:129::{{ apartment_block_id }}:254/64 dev ens19 scope global
+
+        # Wired
+        fe80::1/64 dev ens20 scope global
+
+        # Wifi
+        fe80::1/64 dev ens21 scope global
+    }
+
+
+    virtual_routes {
+        # For IPv6, the master router is routeur-aurore, NOT yggdrasil,
+        # because yggdrasil doesn't support BGPv6 announcements.
+        src {{ ipv6_base_prefix }}:129::{{ apartment_block_id }}:254 to ::/0 via {{ ipv6_base_prefix }}:129::0:254 dev ens19
+    }
+}
+
+
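Review bot: Splitting IPv4 and IPv6 into two independent vrrp_instances lets them fail over separately, so after a partial failure one node can own the v4 VIPs while the other owns the v6 VIPs together with `fe80::1`, and radvd's advertised router and the two default routes then point at different boxes. A sync group declared alongside the instances keeps them moving together. The copied `authentication { auth_type PASS ... }` block is, as far as I can tell, ignored for an IPv6 instance because keepalived runs those as VRRPv3, which has no authentication; VRRP here is protected only by ens18 being a dedicated segment, which deserves a comment rather than a password block that suggests otherwise. `fe80::1/64 dev ens19 scope global` puts a global scope keyword on a link-local address; the kernel derives IPv6 scope from the address itself, so the keyword is at best redundant — drop it or say why it is there.
```jinja
vrrp_sync_group VG_ROUT_{{ apartment_block }} {
    group {
        VI_ROUT_{{ apartment_block }}_IPv4
        VI_ROUT_{{ apartment_block }}_IPv6
    }
}
# … unchanged: vrrp_instance VI_ROUT_{{ apartment_block }}_IPv4 and _IPv6 blocks …
```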
diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2
index 47ad938..efdebe1 100644
--- a/roles/unbound/templates/recursive.conf.j2
+++ b/roles/unbound/templates/recursive.conf.j2
@@ -36,7 +36,7 @@ server:
     access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow
     access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow
     access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow
-    access-control: {{ ipv6_base_prefix }}::/32 # Fuck it... :)
+    access-control: {{ ipv6_base_prefix }}::/32 allow # Fuck it... :)
     num-threads: {{ ansible_processor_vcpus }}
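Review bot: `access-control: {{ ipv6_base_prefix }}::/32 allow` opens recursion to the whole /32, which from the other templates is the prefix the site's /64s are carved out of rather than the site itself, whereas the IPv4 lines are limited to the three /16s actually served; a recursive resolver reachable from every network in that /32 is exposed to query abuse and reflection traffic that the v4 rules deliberately avoid. Mirror the v4 rules with the v6 subnets routed here, `access-control: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::/64 allow` and `access-control: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::/64 allow`, plus the equivalent for the `ap` subnet if it has a v6 prefix, and the apologetic comment on the line can go. Whether unbound also listens on a global v6 address is outside this hunk.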