From 66e6c960d3c98290392143ed6c02b0010dc55d39 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Sat, 9 Mar 2024 12:13:19 +0100 Subject: [PATCH] misc --- group_vars/all/ifupdown2.yml | 3 ++ group_vars/infra/bird.yml | 50 ++++++++++--------- group_vars/infra/firewall.yml | 24 ++++++++- group_vars/infra/keepalived.yml | 15 ++++-- host_vars/infra-1.back.infra.auro.re.yml | 6 +++ host_vars/infra-2.back.infra.auro.re.yml | 6 +++ .../ns-master.int.infra.auro.re/knotd.yml | 3 ++ host_vars/proxy.pub.infra.auro.re.yml | 11 ++++ host_vars/wg-1.vpn.infra.auro.re.yml | 22 +++++++- hosts | 1 + playbooks/chronyd.yml | 1 + playbooks/hostname.yml | 1 + playbooks/qemu_guest.yml | 1 + playbooks/resolvconf.yml | 1 + requirements.yml | 1 + 15 files changed, 115 insertions(+), 31 deletions(-) create mode 100644 host_vars/proxy.pub.infra.auro.re.yml diff --git a/group_vars/all/ifupdown2.yml b/group_vars/all/ifupdown2.yml index b4949f8..21b6590 100644 --- a/group_vars/all/ifupdown2.yml +++ b/group_vars/all/ifupdown2.yml @@ -16,4 +16,7 @@ ifupdown2__gateways: isp: - 2a09:6840:210::1 - 10.210.0.1 + pub: + - 2a09:6840:215::1 + - 45.66.111.204 ... diff --git a/group_vars/infra/bird.yml b/group_vars/infra/bird.yml index 3529ec8..801316b 100644 --- a/group_vars/infra/bird.yml +++ b/group_vars/infra/bird.yml @@ -25,6 +25,8 @@ bird__ospf: - pve0 - isp0 - ext0 + - pub0 + - th30 - ups0 1: broadcast: 
@@ -57,28 +59,28 @@ bird__bgp: - pref_src: "{{ bird__pref_src_addr }}" - accept export: reject - wg1: - local: - address: "{{ bird__bgp_addr.vpn }}" - as: "{{ bird__as.aurore }}" - neighbor: - address: - - 2a09:6840:213::1:3 - - 10.213.1.3 - as: "{{ bird__as.aurore }}" - rr_cluster_client: 10.203.1.1 - import: reject - export: accept - wg2: - local: - address: "{{ bird__bgp_addr.vpn }}" - as: "{{ bird__as.aurore }}" - neighbor: - address: - - 2a09:6840:213::1:4 - - 10.203.1.4 - as: "{{ bird__as.aurore }}" - rr_cluster_client: 10.203.1.1 - import: reject - export: accept + #wg1: + #local: + #address: "{{ bird__bgp_addr.vpn }}" + #as: "{{ bird__as.aurore }}" + #neighbor: + #address: + # - 2a09:6840:213::1:3 + # - 10.213.1.3 + #as: "{{ bird__as.aurore }}" + #rr_cluster_client: 10.203.1.1 + #import: reject + #export: accept + #wg2: + #local: + #address: "{{ bird__bgp_addr.vpn }}" + #as: "{{ bird__as.aurore }}" + #neighbor: + #address: + # - 2a09:6840:213::1:4 + # - 10.203.1.4 + #as: "{{ bird__as.aurore }}" + #rr_cluster_client: 10.203.1.1 + #import: reject + #export: accept ... diff --git a/group_vars/infra/firewall.yml b/group_vars/infra/firewall.yml index 7e85497..cae0ac5 100644 --- a/group_vars/infra/firewall.yml +++ b/group_vars/infra/firewall.yml @@ -43,8 +43,11 @@ firewall__zones: ext: addrs: - 2a09:6840:211::/64 - - 45.66.111.0/24 - 10.211.0.0/16 + pub: + addrs: + - 2a09:6840:215::/64 + - 45.66.111.204/30 vpn-clients: addrs: - 2a09:6840:212::/64 @@ -66,6 +69,7 @@ firewall__zones: - pve - isp - ext + - pub - vpn internet: negate: true @@ -106,6 +110,11 @@ firewall__zones: addrs: - 2a09:6840:211::1:5 - 45.66.111.205 + - 10.128.1.5 + proxy.pub: + addrs: + - 2a09:6840:214::1:1 + - 45.66.111.206 firewall__input: - iif: 
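Review bot: The wg1 and wg2 BGP sessions are disabled by commenting out all 24 lines in place rather than deleting them, and the same pattern appears in keepalived.yml (`#keepalived__virtual_routes:` / `# ext0:`) and in wg-1.vpn.infra.auro.re.yml (`#vrf: wg-vrf`). Git already keeps the old definitions, so removing them keeps the vars files readable; if they are meant to return, replace the dead block with one comment that says why and what restores it, e.g. `# wg1/wg2 BGP sessions disabled: <reason> — restore when <condition>`. If they do come back, note that the commented wg1 neighbor uses `10.213.1.3` while wg2 uses `10.203.1.4`; whether one of those is a typo cannot be told from this page.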
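Review bot: Dropping `45.66.111.0/24` from the `ext` zone (first firewall hunk) means only the new `45.66.111.204/30` is still classified, as `pub`; every other address of that /24, e.g. the blackholed `45.66.111.200/30` from keepalived.yml, now falls through to the `internet` zone (`negate: true` in the second hunk). The host entry in the third hunk (`2a09:6840:211::1:5` / `45.66.111.205`) also becomes `ext` on IPv6 but `pub` on IPv4. If that split is intended, a comment on the `pub` zone such as `# rest of 45.66.111.0/24 is deliberately treated as internet` would save the next reader from re-deriving it.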
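Review bot: The `proxy.pub` firewall host is given `2a09:6840:214::1:1`, and knotd.yml (hunk on the next line) publishes the same address, but host_vars/proxy.pub.infra.auro.re.yml configures the interface as `2a09:6840:215::1:1/64`, and the `pub` zone, the `pub` gateway and the pub0 keepalived VIP all use the `2a09:6840:215::/64` prefix. With the 214 address the new `dst: proxy.pub` 80/443 forward rule would never match the proxy's configured IPv6 address and the AAAA record would point at an unconfigured address. This looks like a 214/215 typo; if 215 is the intended prefix, the two lines become `- 2a09:6840:215::1:1` in both firewall.yml and knotd.yml, otherwise the host_vars address is the one to change.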
@@ -242,6 +251,19 @@ firewall__forward: udp: dport: 5121 verdict: accept + # Proxy web + - dst: proxy.pub + protocols: + tcp: + dport: + - 80 + - 443 + verdict: accept + # ICMP to public vlan + - dst: pub + protocols: + icmp: true + verdict: accept firewall__nat: - src: 10.0.0.0/8 diff --git a/group_vars/infra/keepalived.yml b/group_vars/infra/keepalived.yml index 7d1bd4f..b7592a7 100644 --- a/group_vars/infra/keepalived.yml +++ b/group_vars/infra/keepalived.yml @@ -40,13 +40,20 @@ keepalived__virtual_addresses: - 10.211.0.1/16 - 2a09:6840:211::1/64 - fe80::1/10 - -keepalived__virtual_routes: - ext0: + th30: + - 10.126.0.6/24 + - fe80::1/10 + pub0: + - 2a09:6840:215::1/64 - 45.66.111.204/30 + - fe80::1/10 + +#keepalived__virtual_routes: +# ext0: +# - 45.66.111.204/30 keepalived__virtual_blackholes: - - 45.66.111.200/30 + - 45.66.111.200/30 # NAT keepalived__main: "{{ inventory_hostname_short == 'infra-1' }}" ... diff --git a/host_vars/infra-1.back.infra.auro.re.yml b/host_vars/infra-1.back.infra.auro.re.yml index 3ad96b9..3795900 100644 --- a/host_vars/infra-1.back.infra.auro.re.yml +++ b/host_vars/infra-1.back.infra.auro.re.yml @@ -11,6 +11,8 @@ systemd_link__links: isp0: 02:00:00:6b:53:14 ext0: 02:00:00:32:86:60 vpn0: 02:00:00:52:5f:85 + th30: 02:00:00:23:a7:d3 + pub0: 02:00:00:7d:34:06 ifupdown2__interfaces: back0: @@ -36,10 +38,14 @@ ifupdown2__interfaces: ipv6_addrgen: false ext0: ipv6_addrgen: false + pub0: + ipv6_addrgen: false vpn0: addresses: - 2a09:6840:213::1:1/64 - 10.213.1.1/16 + th30: + ipv6_addrgen: false bird__router_id: 10.203.1.3 diff --git a/host_vars/infra-2.back.infra.auro.re.yml b/host_vars/infra-2.back.infra.auro.re.yml index 740408f..18782cb 100644 --- a/host_vars/infra-2.back.infra.auro.re.yml +++ b/host_vars/infra-2.back.infra.auro.re.yml @@ -11,6 +11,8 @@ systemd_link__links: isp0: 04:00:00:f4:4c:5d ext0: 04:00:00:1d:0e:83 vpn0: 04:00:00:02:ba:dd + th30: 04:00:00:9e:8d:4f + pub0: 04:00:00:f8:3b:9b ifupdown2__interfaces: back0: 
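Review bot: The new `Proxy web` and `ICMP to public vlan` forward rules carry no `src:`, so as written they accept from every zone, including `internet`; that is presumably the point of a public proxy, but the comment should say so, e.g. `# Proxy web: reachable from all zones, including internet`. Whether `icmp: true` also covers ICMPv6 depends on the firewall role, which is not on this page; since `pub` is dual-stack (`2a09:6840:215::/64`), confirm that ICMPv6 (neighbor discovery, PMTUD) to the VLAN is allowed as well.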
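Review bot: The pub0 VIP `45.66.111.204/30` is the first (all-zeros) address of that /30, and host_vars/proxy.pub.infra.auro.re.yml relies on it as the IPv4 gateway through `ifupdown2__gateways.pub` (`45.66.111.204`). Linux generally accepts a network address on an interface and as a next hop, but it is unconventional and some intermediate equipment treats it specially; a comment next to the VIP such as `# .204 is the network address of the /30, used as VIP/gateway on purpose: <reason>` would document the choice. The th30 VIP `10.126.0.6/24` has no global IPv6 counterpart, unlike the other entries in this list; if that is intentional, a short comment would help.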
@@ -40,6 +42,10 @@ ifupdown2__interfaces: addresses: - 2a09:6840:213::1:2/64 - 10.213.1.2/16 + th30: + ipv6_addrgen: false + pub0: + ipv6_addrgen: false bird__router_id: 10.203.1.4 diff --git a/host_vars/ns-master.int.infra.auro.re/knotd.yml b/host_vars/ns-master.int.infra.auro.re/knotd.yml index 774d99f..a89d9ab 100644 --- a/host_vars/ns-master.int.infra.auro.re/knotd.yml +++ b/host_vars/ns-master.int.infra.auro.re/knotd.yml @@ -483,6 +483,9 @@ knotd__zones: collabora.pub: - 2a09:6840:128::220 - 10.128.0.220 + proxy.pub: + - 2a09:6840:214::1:1 + - 45.66.111.206 108.66.45.in-addr.arpa: dnssec_policy: ripe diff --git a/host_vars/proxy.pub.infra.auro.re.yml b/host_vars/proxy.pub.infra.auro.re.yml new file mode 100644 index 0000000..1958cd8 --- /dev/null +++ b/host_vars/proxy.pub.infra.auro.re.yml @@ -0,0 +1,11 @@ +--- +systemd_link__links: + pub0: ae:ae:ae:3a:71:0b + +ifupdown2__interfaces: + pub0: + addresses: + - 2a09:6840:215::1:1/64 + - 45.66.111.206/30 + gateways: "{{ ifupdown2__gateways.pub }}" +... diff --git a/host_vars/wg-1.vpn.infra.auro.re.yml b/host_vars/wg-1.vpn.infra.auro.re.yml index 095fa22..59e0194 100644 --- a/host_vars/wg-1.vpn.infra.auro.re.yml +++ b/host_vars/wg-1.vpn.infra.auro.re.yml @@ -1,7 +1,11 @@ --- systemd_link__links: - vpn0: 02:00:00:b5:ca:c7 - ext0: 02:00:00:e3:65:49 + vpn0: + enabled: false + vpn: 02:00:00:b5:ca:c7 + ext0: + enabled: false + ext: 02:00:00:e3:65:49 ifupdown2__interfaces: ext0: @@ -16,6 +20,20 @@ ifupdown2__interfaces: - 10.213.1.3/16 # FIXME: move to group_vars goto_table: "{{ iproute2__custom_tables.wireguard }}" + #vrf: wg-vrf + ext: + gateways: "{{ ifupdown2__gateways.ext }}" + addresses: + - 2a09:6840:211::1:1/64 + - 10.211.1.1/16 + - 45.66.111.204/30 + vpn: + addresses: + - 2a09:6840:213::1:3/64 + - 10.213.1.3/16 + # FIXME: move to group_vars + goto_table: "{{ iproute2__custom_tables.wireguard }}" + #vrf: wg-vrf bird__router_id: 10.213.1.3 diff --git a/hosts b/hosts index 7e39c94..300ffe6 100644 --- a/hosts 
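Review bot: In wg-1.vpn.infra.auro.re.yml the `ext0`/`vpn0` links get `enabled: false` while new `ext`/`vpn` links take their MACs, but the old `ext0:` stanza under `ifupdown2__interfaces` is still present (context at the end of the first hunk), and the context of the second hunk (`10.213.1.3/16` plus the same `goto_table`) looks like the old vpn0 stanza, which now coexists with the new `vpn` stanza carrying identical addresses. If the ifupdown2 role still renders interfaces whose link is disabled, both sets of addresses would be configured; either remove the superseded stanzas or state in a comment that `enabled: false` suppresses them. The copied `# FIXME: move to group_vars` and `#vrf: wg-vrf` lines are now duplicated as well.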
+++ b/hosts @@ -5,6 +5,7 @@ mx.test.infra.auro.re [vm_services] collabora.pub.infra.auro.re +proxy.pub.infra.auro.re [aruba] eb-1.acs.sw.infra.auro.re diff --git a/playbooks/chronyd.yml b/playbooks/chronyd.yml index 5cddf4a..9c22a87 100755 --- a/playbooks/chronyd.yml +++ b/playbooks/chronyd.yml @@ -3,6 +3,7 @@ - hosts: - pve_network - vm_network + - vm_services - ntp roles: - chronyd diff --git a/playbooks/hostname.yml b/playbooks/hostname.yml index c31344e..d3513a7 100755 --- a/playbooks/hostname.yml +++ b/playbooks/hostname.yml @@ -3,6 +3,7 @@ - hosts: - pve_network - vm_network + - vm_services roles: - hostname ... diff --git a/playbooks/qemu_guest.yml b/playbooks/qemu_guest.yml index 7048575..372639a 100755 --- a/playbooks/qemu_guest.yml +++ b/playbooks/qemu_guest.yml @@ -2,6 +2,7 @@ --- - hosts: - vm_network + - vm_services - vm_test roles: - qemu_guest diff --git a/playbooks/resolvconf.yml b/playbooks/resolvconf.yml index fd21051..9c2c391 100755 --- a/playbooks/resolvconf.yml +++ b/playbooks/resolvconf.yml @@ -3,6 +3,7 @@ - hosts: - vm_network - vm_test + - vm_services - pve_network roles: - resolvconf diff --git a/requirements.yml b/requirements.yml index 6d2eac4..cff548e 100644 --- a/requirements.yml +++ b/requirements.yml @@ -3,4 +3,5 @@ collections: - name: community.general - name: community.postgresql - name: ansible.utils + - name: ansible.netcommon ...
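Review bot: `- name: ansible.netcommon` is added without a `version:`, consistent with the sibling entries, so each `ansible-galaxy collection install` resolves to whatever is latest at that moment rather than a reviewed release. For reproducible runs and a bounded supply-chain surface, pin it, e.g. `version: "<pinned-version>"` (placeholder), and consider doing the same for the existing collections in a follow-up.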