misc

2 months ago · 66e6c960d3
parent a004555681
commit 66e6c960d3
15 changed files with 115 additions and 31 deletions
--- a/group_vars/all/ifupdown2.yml
+++ b/group_vars/all/ifupdown2.yml
@ -16,4 +16,7 @@ ifupdown2__gateways:
  isp:
    - 2a09:6840:210::1
    - 10.210.0.1
  pub:
    - 2a09:6840:215::1
    - 45.66.111.204
 ...
--- a/group_vars/infra/bird.yml
+++ b/group_vars/infra/bird.yml
@ -25,6 +25,8 @@ bird__ospf:
        - pve0
        - isp0
        - ext0
        - pub0
        - th30
        - ups0
    1:
      broadcast:
@ -57,28 +59,28 @@ bird__bgp:
      - pref_src: "{{ bird__pref_src_addr }}"
      - accept
    export: reject
-  wg1:
+      #wg1:
-    local:
+      #local:
-      address: "{{ bird__bgp_addr.vpn }}"
+      #address: "{{ bird__bgp_addr.vpn }}"
-      as: "{{ bird__as.aurore }}"
+      #as: "{{ bird__as.aurore }}"
-    neighbor:
+      #neighbor:
-      address:
+      #address:
-        - 2a09:6840:213::1:3
+      #  - 2a09:6840:213::1:3
-        - 10.213.1.3
+      #  - 10.213.1.3
-      as: "{{ bird__as.aurore }}"
+      #as: "{{ bird__as.aurore }}"
-    rr_cluster_client: 10.203.1.1
+      #rr_cluster_client: 10.203.1.1
-    import: reject
+      #import: reject
-    export: accept
+      #export: accept
-  wg2:
+      #wg2:
-    local:
+      #local:
-      address: "{{ bird__bgp_addr.vpn }}"
+      #address: "{{ bird__bgp_addr.vpn }}"
-      as: "{{ bird__as.aurore }}"
+      #as: "{{ bird__as.aurore }}"
-    neighbor:
+      #neighbor:
-      address:
+      #address:
-        - 2a09:6840:213::1:4
+      #  - 2a09:6840:213::1:4
-        - 10.203.1.4
+      #  - 10.203.1.4
-      as: "{{ bird__as.aurore }}"
+      #as: "{{ bird__as.aurore }}"
-    rr_cluster_client: 10.203.1.1
+      #rr_cluster_client: 10.203.1.1
-    import: reject
+      #import: reject
-    export: accept
+      #export: accept
 ...
--- a/group_vars/infra/firewall.yml
+++ b/group_vars/infra/firewall.yml
@ -43,8 +43,11 @@ firewall__zones:
  ext:
    addrs:
      - 2a09:6840:211::/64
      - 45.66.111.0/24
      - 10.211.0.0/16
  pub:
    addrs:
      - 2a09:6840:215::/64
      - 45.66.111.204/30
  vpn-clients:
    addrs:
      - 2a09:6840:212::/64
@ -66,6 +69,7 @@ firewall__zones:
      - pve
      - isp
      - ext
      - pub
      - vpn
  internet:
    negate: true
@ -106,6 +110,11 @@ firewall__zones:
    addrs:
      - 2a09:6840:211::1:5
      - 45.66.111.205
      - 10.128.1.5
  proxy.pub:
    addrs:
      - 2a09:6840:214::1:1
      - 45.66.111.206
 firewall__input:
  - iif:
@ -242,6 +251,19 @@ firewall__forward:
      udp:
        dport: 5121
    verdict: accept
  # Proxy web
  - dst: proxy.pub
    protocols:
      tcp:
        dport:
          - 80
          - 443
    verdict: accept
  # ICMP to public vlan
  - dst: pub
    protocols:
      icmp: true
    verdict: accept
 firewall__nat:
  - src: 10.0.0.0/8
--- a/group_vars/infra/keepalived.yml
+++ b/group_vars/infra/keepalived.yml
@ -40,13 +40,20 @@ keepalived__virtual_addresses:
    - 10.211.0.1/16
    - 2a09:6840:211::1/64
    - fe80::1/10
-
+  th30:
-keepalived__virtual_routes:
+    - 10.126.0.6/24
-  ext0:
+    - fe80::1/10
  pub0:
    - 2a09:6840:215::1/64
    - 45.66.111.204/30
    - fe80::1/10
 #keepalived__virtual_routes:
 #  ext0:
 #    - 45.66.111.204/30
 keepalived__virtual_blackholes:
-  - 45.66.111.200/30
+  - 45.66.111.200/30 # NAT
 keepalived__main: "{{ inventory_hostname_short == 'infra-1' }}"
 ...
--- a/host_vars/infra-1.back.infra.auro.re.yml
+++ b/host_vars/infra-1.back.infra.auro.re.yml
@ -11,6 +11,8 @@ systemd_link__links:
  isp0: 02:00:00:6b:53:14
  ext0: 02:00:00:32:86:60
  vpn0: 02:00:00:52:5f:85
  th30: 02:00:00:23:a7:d3
  pub0: 02:00:00:7d:34:06
 ifupdown2__interfaces:
  back0:
@ -36,10 +38,14 @@ ifupdown2__interfaces:
    ipv6_addrgen: false
  ext0:
    ipv6_addrgen: false
  pub0:
    ipv6_addrgen: false
  vpn0:
    addresses:
      - 2a09:6840:213::1:1/64
      - 10.213.1.1/16
  th30:
    ipv6_addrgen: false
 bird__router_id: 10.203.1.3
--- a/host_vars/infra-2.back.infra.auro.re.yml
+++ b/host_vars/infra-2.back.infra.auro.re.yml
@ -11,6 +11,8 @@ systemd_link__links:
  isp0: 04:00:00:f4:4c:5d
  ext0: 04:00:00:1d:0e:83
  vpn0: 04:00:00:02:ba:dd
  th30: 04:00:00:9e:8d:4f
  pub0: 04:00:00:f8:3b:9b
 ifupdown2__interfaces:
  back0:
@ -40,6 +42,10 @@ ifupdown2__interfaces:
    addresses:
      - 2a09:6840:213::1:2/64
      - 10.213.1.2/16
  th30:
    ipv6_addrgen: false
  pub0:
    ipv6_addrgen: false
 bird__router_id: 10.203.1.4
--- a/host_vars/ns-master.int.infra.auro.re/knotd.yml
+++ b/host_vars/ns-master.int.infra.auro.re/knotd.yml
@ -483,6 +483,9 @@ knotd__zones:
      collabora.pub:
        - 2a09:6840:128::220
        - 10.128.0.220
      proxy.pub:
        - 2a09:6840:214::1:1
        - 45.66.111.206
  108.66.45.in-addr.arpa:
    dnssec_policy: ripe
--- a/host_vars/proxy.pub.infra.auro.re.yml
+++ b/host_vars/proxy.pub.infra.auro.re.yml
@ -0,0 +1,11 @@
 ---
 systemd_link__links:
  pub0: ae:ae:ae:3a:71:0b
 ifupdown2__interfaces:
  pub0:
    addresses:
      - 2a09:6840:215::1:1/64
      - 45.66.111.206/30
    gateways: "{{ ifupdown2__gateways.pub }}"
 ...
--- a/host_vars/wg-1.vpn.infra.auro.re.yml
+++ b/host_vars/wg-1.vpn.infra.auro.re.yml
@ -1,7 +1,11 @@
 ---
 systemd_link__links:
-  vpn0: 02:00:00:b5:ca:c7
+  vpn0:
-  ext0: 02:00:00:e3:65:49
+    enabled: false
  vpn: 02:00:00:b5:ca:c7
  ext0:
    enabled: false
  ext: 02:00:00:e3:65:49
 ifupdown2__interfaces:
  ext0:
@ -16,6 +20,20 @@ ifupdown2__interfaces:
      - 10.213.1.3/16
    # FIXME: move to group_vars
    goto_table: "{{ iproute2__custom_tables.wireguard }}"
    #vrf: wg-vrf
  ext:
    gateways: "{{ ifupdown2__gateways.ext }}"
    addresses:
      - 2a09:6840:211::1:1/64
      - 10.211.1.1/16
      - 45.66.111.204/30
  vpn:
    addresses:
      - 2a09:6840:213::1:3/64
      - 10.213.1.3/16
    # FIXME: move to group_vars
    goto_table: "{{ iproute2__custom_tables.wireguard }}"
    #vrf: wg-vrf
 bird__router_id: 10.213.1.3
--- a/1
+++ b/1
@ -5,6 +5,7 @@ mx.test.infra.auro.re
 [vm_services]
 collabora.pub.infra.auro.re
 proxy.pub.infra.auro.re
 [aruba]
 eb-1.acs.sw.infra.auro.re
--- a/playbooks/chronyd.yml
+++ b/playbooks/chronyd.yml
@ -3,6 +3,7 @@
 - hosts:
    - pve_network
    - vm_network
    - vm_services
    - ntp
  roles:
    - chronyd
--- a/playbooks/hostname.yml
+++ b/playbooks/hostname.yml
@ -3,6 +3,7 @@
 - hosts:
    - pve_network
    - vm_network
    - vm_services
  roles:
    - hostname
 ...
--- a/playbooks/qemu_guest.yml
+++ b/playbooks/qemu_guest.yml
@ -2,6 +2,7 @@
 ---
 - hosts:
    - vm_network
    - vm_services
    - vm_test
  roles:
    - qemu_guest
--- a/playbooks/resolvconf.yml
+++ b/playbooks/resolvconf.yml
@ -3,6 +3,7 @@
 - hosts:
    - vm_network
    - vm_test
    - vm_services
    - pve_network
  roles:
    - resolvconf
--- a/requirements.yml
+++ b/requirements.yml
@ -3,4 +3,5 @@ collections:
  - name: community.general
  - name: community.postgresql
  - name: ansible.utils
  - name: ansible.netcommon
 ...