misc

2 months ago · 66e6c960d3
parent a004555681
commit 66e6c960d3
15 changed files with 115 additions and 31 deletions
--- a/group_vars/all/ifupdown2.yml
+++ b/group_vars/all/ifupdown2.yml
@ -16,4 +16,7 @@ ifupdown2__gateways:
  isp:
    - 2a09:6840:210::1
    - 10.210.0.1
+  pub:
+    - 2a09:6840:215::1
+    - 45.66.111.204
 ...
--- a/group_vars/infra/bird.yml
+++ b/group_vars/infra/bird.yml
@ -25,6 +25,8 @@ bird__ospf:
        - pve0
        - isp0
        - ext0
+        - pub0
+        - th30
        - ups0
    1:
      broadcast:
@ -57,28 +59,28 @@ bird__bgp:
      - pref_src: "{{ bird__pref_src_addr }}"
      - accept
    export: reject
-  wg1:
-    local:
-      address: "{{ bird__bgp_addr.vpn }}"
-      as: "{{ bird__as.aurore }}"
-    neighbor:
-      address:
-        - 2a09:6840:213::1:3
-        - 10.213.1.3
-      as: "{{ bird__as.aurore }}"
-    rr_cluster_client: 10.203.1.1
-    import: reject
-    export: accept
-  wg2:
-    local:
-      address: "{{ bird__bgp_addr.vpn }}"
-      as: "{{ bird__as.aurore }}"
-    neighbor:
-      address:
-        - 2a09:6840:213::1:4
-        - 10.203.1.4
-      as: "{{ bird__as.aurore }}"
-    rr_cluster_client: 10.203.1.1
-    import: reject
-    export: accept
+      #wg1:
+      #local:
+      #address: "{{ bird__bgp_addr.vpn }}"
+      #as: "{{ bird__as.aurore }}"
+      #neighbor:
+      #address:
+      #  - 2a09:6840:213::1:3
+      #  - 10.213.1.3
+      #as: "{{ bird__as.aurore }}"
+      #rr_cluster_client: 10.203.1.1
+      #import: reject
+      #export: accept
+      #wg2:
+      #local:
+      #address: "{{ bird__bgp_addr.vpn }}"
+      #as: "{{ bird__as.aurore }}"
+      #neighbor:
+      #address:
+      #  - 2a09:6840:213::1:4
+      #  - 10.203.1.4
+      #as: "{{ bird__as.aurore }}"
+      #rr_cluster_client: 10.203.1.1
+      #import: reject
+      #export: accept
 ...
--- a/group_vars/infra/firewall.yml
+++ b/group_vars/infra/firewall.yml
@ -43,8 +43,11 @@ firewall__zones:
  ext:
    addrs:
      - 2a09:6840:211::/64
-      - 45.66.111.0/24
      - 10.211.0.0/16
+  pub:
+    addrs:
+      - 2a09:6840:215::/64
+      - 45.66.111.204/30
  vpn-clients:
    addrs:
      - 2a09:6840:212::/64
@ -66,6 +69,7 @@ firewall__zones:
      - pve
      - isp
      - ext
+      - pub
      - vpn
  internet:
    negate: true
@ -106,6 +110,11 @@ firewall__zones:
    addrs:
      - 2a09:6840:211::1:5
      - 45.66.111.205
+      - 10.128.1.5
+  proxy.pub:
+    addrs:
+      - 2a09:6840:214::1:1
+      - 45.66.111.206

 firewall__input:
  - iif:
@ -242,6 +251,19 @@ firewall__forward:
      udp:
        dport: 5121
    verdict: accept
+  # Proxy web
+  - dst: proxy.pub
+    protocols:
+      tcp:
+        dport:
+          - 80
+          - 443
+    verdict: accept
+  # ICMP to public vlan
+  - dst: pub
+    protocols:
+      icmp: true
+    verdict: accept

 firewall__nat:
  - src: 10.0.0.0/8
--- a/group_vars/infra/keepalived.yml
+++ b/group_vars/infra/keepalived.yml
@ -40,13 +40,20 @@ keepalived__virtual_addresses:
    - 10.211.0.1/16
    - 2a09:6840:211::1/64
    - fe80::1/10
-
-keepalived__virtual_routes:
-  ext0:
+  th30:
+    - 10.126.0.6/24
+    - fe80::1/10
+  pub0:
+    - 2a09:6840:215::1/64
    - 45.66.111.204/30
+    - fe80::1/10
+
+#keepalived__virtual_routes:
+#  ext0:
+#    - 45.66.111.204/30

 keepalived__virtual_blackholes:
-  - 45.66.111.200/30
+  - 45.66.111.200/30 # NAT

 keepalived__main: "{{ inventory_hostname_short == 'infra-1' }}"
 ...
--- a/host_vars/infra-1.back.infra.auro.re.yml
+++ b/host_vars/infra-1.back.infra.auro.re.yml
@ -11,6 +11,8 @@ systemd_link__links:
  isp0: 02:00:00:6b:53:14
  ext0: 02:00:00:32:86:60
  vpn0: 02:00:00:52:5f:85
+  th30: 02:00:00:23:a7:d3
+  pub0: 02:00:00:7d:34:06

 ifupdown2__interfaces:
  back0:
@ -36,10 +38,14 @@ ifupdown2__interfaces:
    ipv6_addrgen: false
  ext0:
    ipv6_addrgen: false
+  pub0:
+    ipv6_addrgen: false
  vpn0:
    addresses:
      - 2a09:6840:213::1:1/64
      - 10.213.1.1/16
+  th30:
+    ipv6_addrgen: false

 bird__router_id: 10.203.1.3

--- a/host_vars/infra-2.back.infra.auro.re.yml
+++ b/host_vars/infra-2.back.infra.auro.re.yml
@ -11,6 +11,8 @@ systemd_link__links:
  isp0: 04:00:00:f4:4c:5d
  ext0: 04:00:00:1d:0e:83
  vpn0: 04:00:00:02:ba:dd
+  th30: 04:00:00:9e:8d:4f
+  pub0: 04:00:00:f8:3b:9b

 ifupdown2__interfaces:
  back0:
@ -40,6 +42,10 @@ ifupdown2__interfaces:
    addresses:
      - 2a09:6840:213::1:2/64
      - 10.213.1.2/16
+  th30:
+    ipv6_addrgen: false
+  pub0:
+    ipv6_addrgen: false

 bird__router_id: 10.203.1.4

--- a/host_vars/ns-master.int.infra.auro.re/knotd.yml
+++ b/host_vars/ns-master.int.infra.auro.re/knotd.yml
@ -483,6 +483,9 @@ knotd__zones:
      collabora.pub:
        - 2a09:6840:128::220
        - 10.128.0.220
+      proxy.pub:
+        - 2a09:6840:214::1:1
+        - 45.66.111.206

  108.66.45.in-addr.arpa:
    dnssec_policy: ripe
--- a/host_vars/proxy.pub.infra.auro.re.yml
+++ b/host_vars/proxy.pub.infra.auro.re.yml
@ -0,0 +1,11 @@
+---
+systemd_link__links:
+  pub0: ae:ae:ae:3a:71:0b
+
+ifupdown2__interfaces:
+  pub0:
+    addresses:
+      - 2a09:6840:215::1:1/64
+      - 45.66.111.206/30
+    gateways: "{{ ifupdown2__gateways.pub }}"
+...
--- a/host_vars/wg-1.vpn.infra.auro.re.yml
+++ b/host_vars/wg-1.vpn.infra.auro.re.yml
@ -1,7 +1,11 @@
 ---
 systemd_link__links:
-  vpn0: 02:00:00:b5:ca:c7
-  ext0: 02:00:00:e3:65:49
+  vpn0:
+    enabled: false
+  vpn: 02:00:00:b5:ca:c7
+  ext0:
+    enabled: false
+  ext: 02:00:00:e3:65:49

 ifupdown2__interfaces:
  ext0:
@ -16,6 +20,20 @@ ifupdown2__interfaces:
      - 10.213.1.3/16
    # FIXME: move to group_vars
    goto_table: "{{ iproute2__custom_tables.wireguard }}"
+    #vrf: wg-vrf
+  ext:
+    gateways: "{{ ifupdown2__gateways.ext }}"
+    addresses:
+      - 2a09:6840:211::1:1/64
+      - 10.211.1.1/16
+      - 45.66.111.204/30
+  vpn:
+    addresses:
+      - 2a09:6840:213::1:3/64
+      - 10.213.1.3/16
+    # FIXME: move to group_vars
+    goto_table: "{{ iproute2__custom_tables.wireguard }}"
+    #vrf: wg-vrf

 bird__router_id: 10.213.1.3

--- a/1
+++ b/1
@ -5,6 +5,7 @@ mx.test.infra.auro.re

 [vm_services]
 collabora.pub.infra.auro.re
+proxy.pub.infra.auro.re

 [aruba]
 eb-1.acs.sw.infra.auro.re
--- a/playbooks/chronyd.yml
+++ b/playbooks/chronyd.yml
@ -3,6 +3,7 @@
 - hosts:
    - pve_network
    - vm_network
+    - vm_services
    - ntp
  roles:
    - chronyd
--- a/playbooks/hostname.yml
+++ b/playbooks/hostname.yml
@ -3,6 +3,7 @@
 - hosts:
    - pve_network
    - vm_network
+    - vm_services
  roles:
    - hostname
 ...
--- a/playbooks/qemu_guest.yml
+++ b/playbooks/qemu_guest.yml
@ -2,6 +2,7 @@
 ---
 - hosts:
    - vm_network
+    - vm_services
    - vm_test
  roles:
    - qemu_guest
--- a/playbooks/resolvconf.yml
+++ b/playbooks/resolvconf.yml
@ -3,6 +3,7 @@
 - hosts:
    - vm_network
    - vm_test
+    - vm_services
    - pve_network
  roles:
    - resolvconf
--- a/requirements.yml
+++ b/requirements.yml
@ -3,4 +3,5 @@ collections:
  - name: community.general
  - name: community.postgresql
  - name: ansible.utils
+  - name: ansible.netcommon
 ...