aurore-firewall: initial setup
group_vars: add apartment_block_id var
dhcp: move vars to role
This commit is contained in:
parent
268c4d2419
commit
c77ae7f4c3
8 changed files with 92 additions and 1 deletions
@ -1,5 +1,6 @@
---
---
apartment_block: edc
apartment_block: edc
apartment_block_id: 4
subnet_ids:
subnet_ids:
ap: 144
ap: 144
@ -1,5 +1,6 @@
---
---
apartment_block: fleming
apartment_block: fleming
apartment_block_id: 1
subnet_ids:
subnet_ids:
ap: 141
ap: 141
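--- /dev/null
+++ b/group_vars/georgesand/main.yml
@@ -0,0 +1,3 @@
+---
+apartment_block: gs
+apartment_block_id: 5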
@ -1,5 +1,6 @@
---
---
apartment_block: pacaterie
apartment_block: pacaterie
apartment_block_id: 2
subnet_ids:
subnet_ids:
ap: 142
ap: 142
@ -15,12 +15,15 @@
- isc-dhcp-server
- isc-dhcp-server
# Deploy unbound DNS server (recursive).
# Deploy unbound DNS server (recursive).
- hosts: recursive_dns
- hosts: recursive_dns
roles:
roles:
- unbound
- unbound
- hosts: routeur-*.adm.auro.re
roles:
- aurore-firewall
# WIP: Deploy authoritative DNS servers
# WIP: Deploy authoritative DNS servers
# - hosts: authoritative_dns
# - hosts: authoritative_dns
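--- /dev/null
+++ b/roles/aurore-firewall/tasks/main.yml
@@ -0,0 +1,18 @@
+---
+- name: Configure aurore-firewall
+  template:
+    src: firewall_config.py
+    dest: /var/local/re2o-services/aurore-firewall/firewall_config.py
+    mode: 0644
+
+- name: Install corresponding re2o service
+  import_role:
+    name: re2o-service
+  vars:
+    service_repo: https://gitlab.federez.net/re2o/aurore-firewall.git
+    service_name: aurore-firewall
+    service_version: master
+    service_config:
+      hostname: re2o.auro.re
+      username: service-user
+      password: "{{ vault_serviceuser_passwd }}"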
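--- /dev/null
+++ b/roles/aurore-firewall/templates/firewall_config.py
@@ -0,0 +1,64 @@
+# -*- mode: python; coding: utf-8 -*-
+#
+# {{ ansible_managed }}
+#
+# Re2o est un logiciel d'administration développé initiallement au rezometz. Il
+# se veut agnostique au réseau considéré, de manière à être installable en
+# quelques clics.
+#
+# Copyright © 2017 Gabriel Détraz
+# Copyright © 2017 Goulven Kermarec
+# Copyright © 2017 Augustin Lemesle
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+### Give me a role
+
+role = ['''routeur{{ apartment_block_id }}{{ 'backup' if "backup" in inventory_hostname else '' }}''']
+
+
+### Specify each interface role
+
+interfaces_type = {
+    'routable' : ['ens20', 'ens21'],
+    'sortie' : ['ens19'],
+    'admin' : ['ens18']
+}
+
+
+### Specify nat settings: name, interfaces with range, and global range for nat
+### WARNING : "interface_ip_to_nat' MUST contain /24 ranges, and ip_sources MUST
+### contain /16 range
+
+nat = [
+    {
+        'name' : 'Wifi',
+        'interfaces_ip_to_nat' : {
+            'ens19' : '45.66.109.0/24',
+        },
+        'ip_sources' : '10.{{ subnet_ids.users_wifi }}.0.0/16',
+        'extra_nat' : {}
+    },
+    {
+        'name' : 'Filaire',
+        'interfaces_ip_to_nat' : {
+            'ens19' : '45.66.108.0/24',
+        },
+        'ip_sources' : '10.{{ subnet_ids.users_wired }}.0.0/16',
+        'extra_nat' : {
+            '10.129.{{ apartment_block_id }}.240' : '45.66.108.25{{ apartment_block_id }}'
+        }
+    }
+]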
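Review bot: The `extra_nat` entry at the end of the `Filaire` block forms the public address by appending `apartment_block_id` to the text `45.66.108.25`, so the id 5 that this commit assigns to georgesand renders 45.66.108.255 — the broadcast address if 45.66.108.0/24 is really routed as the single /24 that the comment above `nat` requires — and any id of 10 or more renders an invalid octet. The allowed id range is nowhere stated; a comment such as `### apartment_block_id must be 1..4: it becomes the last digit of the 45.66.108.25x NAT address` above `nat` would make the constraint visible, and computing the octet (`250 + apartment_block_id`) with an explicit bound would be safer than string concatenation. The `### WARNING` comment names the key `interface_ip_to_nat` with mismatched quotes while the dicts use `interfaces_ip_to_nat`; suggest `### WARNING : 'interfaces_ip_to_nat' MUST contain /24 ranges, and ip_sources MUST`. The template also reads `subnet_ids.users_wifi` and `subnet_ids.users_wired`, which the group_vars hunks in this commit do not show; presumably they are defined outside the hunks, but that is worth confirming since an undefined variable would fail the template task.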