From a4841e6947f38943f686c4c0efd3175f6b8989c3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 1 Aug 2020 12:56:23 +0200 Subject: [PATCH 01/14] add radvd role, deploy in routers --- network.yml | 1 + roles/radvd/handlers/main.yml | 4 ++ roles/radvd/tasks/main.yml | 20 +++++++++ roles/radvd/templates/radvd.conf.j2 | 67 +++++++++++++++++++++++++++++ 4 files changed, 92 insertions(+) create mode 100644 roles/radvd/handlers/main.yml create mode 100644 roles/radvd/tasks/main.yml create mode 100644 roles/radvd/templates/radvd.conf.j2 diff --git a/network.yml b/network.yml index bca43c0..fec4170 100755 --- a/network.yml +++ b/network.yml @@ -25,6 +25,7 @@ - hosts: ~routeur-(pacaterie|edc|fleming|gs).*\.adm\.auro\.re roles: - router + - radvd # Radius (backup only for now) diff --git a/roles/radvd/handlers/main.yml b/roles/radvd/handlers/main.yml new file mode 100644 index 0000000..0bc0b9d --- /dev/null +++ b/roles/radvd/handlers/main.yml @@ -0,0 +1,4 @@ +- name: restart radvd + systemd: + state: restarted + name: radvd diff --git a/roles/radvd/tasks/main.yml b/roles/radvd/tasks/main.yml new file mode 100644 index 0000000..7b68b76 --- /dev/null +++ b/roles/radvd/tasks/main.yml @@ -0,0 +1,20 @@ +--- + + +# Warning: radvd installation seems to fail if the configuration +# file doesn't already exist when the package is installed, +# so the order is important. +- name: Configure radvd + template: + src: radvd.conf.j2 + dest: /etc/radvd.conf + mode: 0644 + notify: restart radvd + +- name: Install radvd + apt: + update_cache: true + name: radvd + state: present + notify: restart radvd + diff --git a/roles/radvd/templates/radvd.conf.j2 b/roles/radvd/templates/radvd.conf.j2 new file mode 100644 index 0000000..e2f91e2 --- /dev/null +++ b/roles/radvd/templates/radvd.conf.j2 
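Review bot: In the Configure radvd task the file mode is the unquoted literal `mode: 0644`, which a YAML 1.1 loader reads as the integer 420 and which ansible-lint flags as risky-octal; `mode: "0644"` makes the value unambiguous. The same task has no `validate:`, so a rendering error in radvd.conf.j2 is only detected when the `restart radvd` handler fails at the end of the play, which on a router leaves the RA daemon down until someone notices; `validate: "radvd -c -C %s"` rejects a broken render before it replaces /etc/radvd.conf. Because of the configure-before-install order explained in the comment, that validation can only be added once the radvd binary is known to be present on a first run, for example by installing with a placeholder config and re-templating afterwards.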
@@ -0,0 +1,67 @@ +# -*- mode: conf-unix; coding: utf-8 -*- + +## +# Bornes Wi-Fi +## + +interface ens19 { # XXX - FIX THE INTERFACE NAME + AdvSendAdvert on; + AdvLinkMTU {{ mtu }}; + AdvDefaultPreference high; + MaxRtrAdvInterval 30; + + + prefix 2a09:6840:{{ subnet_ids.ap }}::/64 { + AdvRouterAddr on; + }; + + # La zone DNS + DNSSL borne.auro.re {}; + + # Les DNS récursifs + RDNSS 2a09:6840:{{ subnet_ids.ap }}::{{ dns_host_suffix_main }} {}; + RDNSS 2a09:6840:{{ subnet_ids.ap }}::{{ dns_host_suffix_backup }} {}; +}; + + + + +## +# Utilisateurs filaire +## +interface ens20 { # XXX + AdvSendAdvert on; + AdvLinkMTU {{ mtu }}; + AdvDefaultPreference high; + MaxRtrAdvInterval 30; + + prefix 2a09:6840:{{ subnet_ids.users_wired }}::/64 { + AdvRouterAddr on; + }; + + DNSSL fil.{{ apartment_block_dhcp }}.auro.re {}; # TODO: fix this shitty workaround. + + RDNSS 2a09:6840:{{ subnet_ids.users_wired }}::{{ dns_host_suffix_main }} {}; + RDNSS 2a09:6840:{{ subnet_ids.users_wired }}::{{ dns_host_suffix_backup }} {}; +}; + + +## +# Utilisateurs wifi +## +interface ens20 { # XXX: interface name + AdvSendAdvert on; + AdvLinkMTU {{ mtu }}; + AdvDefaultPreference high; + MaxRtrAdvInterval 30; + + prefix 2a09:6840:{{ subnet_ids.users_wifi }}::/64 { + AdvRouterAddr on; + }; + + DNSSL wifi.{{ apartment_block_dhcp }}.auro.re {}; # TODO: fix this shitty workaround. + + RDNSS 2a09:6840:{{ subnet_ids.users_wifi }}::{{ dns_host_suffix_main }} {}; + RDNSS 2a09:6840:{{ subnet_ids.users_wifi }}::{{ dns_host_suffix_backup }} {}; +}; + From f09b0906c6a73ed7c6f68fd21ec829160eb9326b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 1 Aug 2020 14:20:08 +0200 Subject: [PATCH 02/14] radvd: fix wifi interface, comment out APs for now --- roles/radvd/templates/radvd.conf.j2 | 46 ++++++++++++++++------------- 1 file changed, 25 insertions(+), 21 deletions(-) diff --git a/roles/radvd/templates/radvd.conf.j2 b/roles/radvd/templates/radvd.conf.j2 index e2f91e2..f773514 100644 
--- a/roles/radvd/templates/radvd.conf.j2 +++ b/roles/radvd/templates/radvd.conf.j2 @@ -4,32 +4,33 @@ # Bornes Wi-Fi ## -interface ens19 { # XXX - FIX THE INTERFACE NAME - AdvSendAdvert on; - AdvLinkMTU {{ mtu }}; - AdvDefaultPreference high; - MaxRtrAdvInterval 30; - - - prefix 2a09:6840:{{ subnet_ids.ap }}::/64 { - AdvRouterAddr on; - }; - - # La zone DNS - DNSSL borne.auro.re {}; - - # Les DNS récursifs - RDNSS 2a09:6840:{{ subnet_ids.ap }}::{{ dns_host_suffix_main }} {}; - RDNSS 2a09:6840:{{ subnet_ids.ap }}::{{ dns_host_suffix_backup }} {}; -}; - +# Not deployed yet! +# Need to add an interface for this VLAN on "routeur-*" hosts. +# interface ens19 { # XXX - FIX THE INTERFACE NAME +# AdvSendAdvert on; +# AdvLinkMTU {{ mtu }}; +# AdvDefaultPreference high; +# MaxRtrAdvInterval 30; +# +# +# prefix 2a09:6840:{{ subnet_ids.ap }}::/64 { +# AdvRouterAddr on; +# }; +# +# # La zone DNS +# DNSSL borne.auro.re {}; +# +# # Les DNS récursifs +# RDNSS 2a09:6840:{{ subnet_ids.ap }}::{{ dns_host_suffix_main }} {}; +# RDNSS 2a09:6840:{{ subnet_ids.ap }}::{{ dns_host_suffix_backup }} {}; +# }; ## # Utilisateurs filaire ## -interface ens20 { # XXX +interface ens20 { AdvSendAdvert on; AdvLinkMTU {{ mtu }}; AdvDefaultPreference high; @@ -49,7 +50,7 @@ interface ens20 { # XXX ## # Utilisateurs wifi ## -interface ens20 { # XXX: interface name +interface ens21 { AdvSendAdvert on; AdvLinkMTU {{ mtu }}; AdvDefaultPreference high; @@ -65,3 +66,6 @@ interface ens20 { # XXX: interface name RDNSS 2a09:6840:{{ subnet_ids.users_wifi }}::{{ dns_host_suffix_backup }} {}; }; + + +# For public IPs: will use DHCPv6, deployed on routeur-aurore alone. From 468bb9abded364757acf44e56c8d2879ececd777 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 1 Aug 2020 14:22:30 +0200 Subject: [PATCH 03/14] add radvd comment --- network.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/network.yml b/network.yml index fec4170..43f2297 100755 --- a/network.yml 
+++ b/network.yml @@ -22,6 +22,8 @@ # Déploiement du service re2o aurore-firewall et keepalived +# radvd: IPv6 SLAAC (/64 subnets, private IPs). +# Must NOT be on routeur-aurore-*, or will with DHCPv6! - hosts: ~routeur-(pacaterie|edc|fleming|gs).*\.adm\.auro\.re roles: - router From d54da8d2b91d1da97150ee7eef67b7728d6bf262 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 1 Aug 2020 14:31:49 +0200 Subject: [PATCH 04/14] add ipv6_base_prefix variable --- group_vars/all/vars.yml | 6 ++++++ roles/radvd/templates/radvd.conf.j2 | 18 +++++++++--------- 2 files changed, 15 insertions(+), 9 deletions(-) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index c3f0502..cc30765 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -78,3 +78,9 @@ radius_pg_re2o_ro_password: "{{ vault_re2o_db_user_passwords.re2o_ro }}" apartment_block_dhcp: "{{ apartment_block }}" + + + +# Careful, this is not byte-aligned, just nibble-aligned (RIPE gave us a /28). +# However, we ALWAYS keep the trailing 0 to have byte alignment. +ipv6_base_prefix: "2a09:6840" diff --git a/roles/radvd/templates/radvd.conf.j2 b/roles/radvd/templates/radvd.conf.j2 index f773514..bf301a9 100644 --- a/roles/radvd/templates/radvd.conf.j2 +++ b/roles/radvd/templates/radvd.conf.j2 @@ -14,7 +14,7 @@ # MaxRtrAdvInterval 30; # # -# prefix 2a09:6840:{{ subnet_ids.ap }}::/64 { +# prefix {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::/64 { # AdvRouterAddr on; # }; # @@ -22,8 +22,8 @@ # DNSSL borne.auro.re {}; # # # Les DNS récursifs -# RDNSS 2a09:6840:{{ subnet_ids.ap }}::{{ dns_host_suffix_main }} {}; -# RDNSS 2a09:6840:{{ subnet_ids.ap }}::{{ dns_host_suffix_backup }} {}; +# RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::{{ dns_host_suffix_main }} {}; +# RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::{{ dns_host_suffix_backup }} {}; # }; 
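Review bot: The second added comment line, `# Must NOT be on routeur-aurore-*, or will with DHCPv6!`, is missing its verb and does not say what goes wrong, so it does not explain the constraint it exists to protect. Given the trailer the radvd template gained in patch 02 ("For public IPs: will use DHCPv6, deployed on routeur-aurore alone"), the intent appears to be `# Must NOT be on routeur-aurore-*, which uses DHCPv6 for public IPs instead.` The only thing enforcing this is the host regex on the following line, so the comment belongs right above that pattern, as it is now.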
@@ -36,14 +36,14 @@ interface ens20 { AdvDefaultPreference high; MaxRtrAdvInterval 30; - prefix 2a09:6840:{{ subnet_ids.users_wired }}::/64 { + prefix {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::/64 { AdvRouterAddr on; }; DNSSL fil.{{ apartment_block_dhcp }}.auro.re {}; # TODO: fix this shitty workaround. - RDNSS 2a09:6840:{{ subnet_ids.users_wired }}::{{ dns_host_suffix_main }} {}; - RDNSS 2a09:6840:{{ subnet_ids.users_wired }}::{{ dns_host_suffix_backup }} {}; + RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::{{ dns_host_suffix_main }} {}; + RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::{{ dns_host_suffix_backup }} {}; }; @@ -56,14 +56,14 @@ interface ens21 { AdvDefaultPreference high; MaxRtrAdvInterval 30; - prefix 2a09:6840:{{ subnet_ids.users_wifi }}::/64 { + prefix {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::/64 { AdvRouterAddr on; }; DNSSL wifi.{{ apartment_block_dhcp }}.auro.re {}; # TODO: fix this shitty workaround. - RDNSS 2a09:6840:{{ subnet_ids.users_wifi }}::{{ dns_host_suffix_main }} {}; - RDNSS 2a09:6840:{{ subnet_ids.users_wifi }}::{{ dns_host_suffix_backup }} {}; + RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::{{ dns_host_suffix_main }} {}; + RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::{{ dns_host_suffix_backup }} {}; }; From 713c93ac44256336358105276c4df633137ff3e2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 1 Aug 2020 14:32:02 +0200 Subject: [PATCH 05/14] update unbound role for IPv6 --- roles/unbound/templates/recursive.conf.j2 | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2 index 62c93be..47ad938 100644 --- a/roles/unbound/templates/recursive.conf.j2 +++ b/roles/unbound/templates/recursive.conf.j2 
@@ -11,20 +11,32 @@ server: logfile: "/var/log/unbound/unbound.log" do-ip4: yes - # FIXME: IPv6 deployment... someday... - do-ip6: no + do-ip6: yes # IP addresses on which to listen. + # + # Note: dns_host_suffix is dynamically set in this role's tasks, + # and changes depending on whether we're handling the main or backup + # recursive DNS node. + + # IPv4 interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }} interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }} interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }} + + # IPv6 + interface: {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::0:{{ dns_host_suffix }} + interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:{{ dns_host_suffix }} + interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:{{ dns_host_suffix }} + # By default, anything other than localhost is refused. # Whitelist some subnets: access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow + access-control: {{ ipv6_base_prefix }}::/32 # Fuck it... :) num-threads: {{ ansible_processor_vcpus }} From 194c19fbf33efe1769f7710622569231bb16ae7c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 1 Aug 2020 15:34:49 +0200 Subject: [PATCH 06/14] fix wrong hardcoded email for keepalived monitoring --- roles/router/templates/keepalived.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/router/templates/keepalived.conf b/roles/router/templates/keepalived.conf index 6e51fd9..1bb305e 100644 --- a/roles/router/templates/keepalived.conf +++ b/roles/router/templates/keepalived.conf 
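Review bot: The new `interface:` lines bind unbound to three global IPv6 addresses (`{{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::0:{{ dns_host_suffix }}` and the two user-subnet equivalents), but nothing in this series assigns those addresses to the DNS hosts, and unbound refuses to start when a listen address is not configured on the machine; unless a role outside this patch sets them up, the resolver fails on restart rather than merely losing IPv6. The added `access-control: {{ ipv6_base_prefix }}::/32` line also admits the whole allocation instead of the three /64s the resolver actually serves, which is broader than the IPv4 rules directly above it; mirroring them with `access-control: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::/64 allow` (and the ap and users_wifi equivalents) keeps the allow list to the client subnets. The `server:` block continues outside the hunk.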
@@ -2,7 +2,7 @@ global_defs { notification_email { monitoring.aurore@lists.crans.org } - notification_email_from routeur-edc-backup@auro.re + notification_email_from routeur-{{ apartment_block }}{% if 'backup' in inventory_hostname %}-backup{% endif %}@auro.re smtp_server smtp.crans.org } From 56808e4e60392acbf80c2ae51d29505f06a1c412 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 1 Aug 2020 15:46:41 +0200 Subject: [PATCH 07/14] wip: begin updating 'router' role for IPv6 pending: update virtual routes --- roles/router/tasks/main.yml | 6 ++++++ roles/router/templates/firewall_config.py | 2 +- roles/router/templates/keepalived.conf | 13 ++++++++++--- 3 files changed, 17 insertions(+), 4 deletions(-) diff --git a/roles/router/tasks/main.yml b/roles/router/tasks/main.yml index dd7f865..06595a2 100644 --- a/roles/router/tasks/main.yml +++ b/roles/router/tasks/main.yml @@ -6,6 +6,12 @@ value: '1' sysctl_set: yes +- name: Enable IPv6 packet forwarding + ansible.posix.sysctl: + name: net.ipv6.ip_forward + value: '1' + sysctl_set: yes + - name: Install aurore-firewall (re2o-service) import_role: name: re2o-service diff --git a/roles/router/templates/firewall_config.py b/roles/router/templates/firewall_config.py index bd013d3..1a3579c 100644 --- a/roles/router/templates/firewall_config.py +++ b/roles/router/templates/firewall_config.py @@ -25,7 +25,7 @@ ### Give me a role # routeur4 = routeur IPv4 -role = ['routeur4'] +role = ['routeur4', 'routeur6'] ### Specify each interface role diff --git a/roles/router/templates/keepalived.conf b/roles/router/templates/keepalived.conf index 1bb305e..875c132 100644 --- a/roles/router/templates/keepalived.conf +++ b/roles/router/templates/keepalived.conf @@ -26,7 +26,6 @@ vrrp_instance VI_ROUT_{{ apartment_block }} { # Timeout in seconds before failover kicks in. advert_int 2 - # Used to authenticate VRRP communication between master and backup. authentication { auth_type PASS 
@@ -38,18 +37,26 @@ vrrp_instance VI_ROUT_{{ apartment_block }} { virtual_ipaddress { # Routing subnet 10.129.{{ apartment_block_id }}.254/16 brd 10.129.255.255 dev ens19 scope global + {{ ipv6_base_prefix }}:129:0::{{ apartment_block_id }}:254/64 dev ens19 scope global - # Public subnet: wired + + # NATed subnet: wired 45.66.108.25{{ apartment_block_id }}/24 brd 45.66.108.255 dev ens19 scope global - # Public subnet: wifi + + # NATed subnet: wifi 45.66.109.25{{ apartment_block_id }}/24 brd 45.66.109.255 dev ens19 scope global # Wired 10.{{ subnet_ids.users_wired }}.0.254/16 brd 10.{{ subnet_ids.users_wired }}.255.255 dev ens20 scope global + {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:254/64 dev ens20 scope global + # Wifi 10.{{ subnet_ids.users_wifi }}.0.254/16 brd 10.{{ subnet_ids.users_wifi }}.255.255 dev ens21 scope global + {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:254/64 dev ens21 scope global } + + # FIXME: update for IPv6 virtual_routes { # 10.129.0.1 is Yggdrasil src 10.129.{{ apartment_block_id }}.254 to 0.0.0.0/0 via 10.129.0.1 dev ens19 From 2e6306b61e9e71b8ef9f1e87570e5b60c845234f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 1 Aug 2020 16:05:41 +0200 Subject: [PATCH 08/14] radvd: advertise keepalived VIP --- roles/radvd/templates/radvd.conf.j2 | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/roles/radvd/templates/radvd.conf.j2 b/roles/radvd/templates/radvd.conf.j2 index bf301a9..ab63ea8 100644 --- a/roles/radvd/templates/radvd.conf.j2 +++ b/roles/radvd/templates/radvd.conf.j2 @@ -12,8 +12,11 @@ # AdvLinkMTU {{ mtu }}; # AdvDefaultPreference high; # MaxRtrAdvInterval 30; -# -# +# +# AdvRASrcAddress { +# {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::0:250; # Unifi controller +# }; +# # prefix {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::/64 { # AdvRouterAddr on; # }; 
@@ -26,7 +29,6 @@ # RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::{{ dns_host_suffix_backup }} {}; # }; - ## # Utilisateurs filaire ## @@ -36,6 +38,10 @@ interface ens20 { AdvDefaultPreference high; MaxRtrAdvInterval 30; + AdvRASrcAddress { + {{{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:{{ router_ip_suffix }}; + }; + prefix {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::/64 { AdvRouterAddr on; }; @@ -56,6 +62,10 @@ interface ens21 { AdvDefaultPreference high; MaxRtrAdvInterval 30; + AdvRASrcAddress { + {{{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:{{ router_ip_suffix }}; + }; + prefix {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::/64 { AdvRouterAddr on; }; From 361fd54414d34d677b2862da98cf02a2feeb2c15 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 1 Aug 2020 16:07:27 +0200 Subject: [PATCH 09/14] keepalived: add IPv6 virtual route --- roles/router/templates/keepalived.conf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/router/templates/keepalived.conf b/roles/router/templates/keepalived.conf index 875c132..a07ec07 100644 --- a/roles/router/templates/keepalived.conf +++ b/roles/router/templates/keepalived.conf @@ -60,5 +60,9 @@ vrrp_instance VI_ROUT_{{ apartment_block }} { virtual_routes { # 10.129.0.1 is Yggdrasil src 10.129.{{ apartment_block_id }}.254 to 0.0.0.0/0 via 10.129.0.1 dev ens19 + + # For IPv6, the master router is routeur-aurore, NOT yggdrasil, + # because yggdrasil doesn't support BGPv6 announcements. + src {{ ipv6_base_prefix }}:129::{{ apartment_block_id }}:254 to ::/0 via {{ ipv6_base_prefix }}:129::0:1 dev ens19 } } From 3a8112bf0d70d7ce64bb7cbfccb4c76473f7bda1 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 1 Aug 2020 17:48:39 +0200 Subject: [PATCH 10/14] roll out (private) IPv6 on George Sand --- group_vars/all/vars.yml | 4 +- roles/radvd/tasks/main.yml | 2 + roles/radvd/templates/radvd.conf.j2 | 4 +- roles/router/tasks/main.yml | 2 +- roles/router/templates/firewall_config.py | 4 +- roles/router/templates/keepalived.conf | 61 +++++++++++++++++++---- roles/unbound/templates/recursive.conf.j2 | 2 +- 7 files changed, 61 insertions(+), 18 deletions(-) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index cc30765..2b53213 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -50,8 +50,8 @@ dns_host_suffix_backup: 153 backup_dns_servers: - "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr) -# Misc -mtu: 1400 +# Finally raised! +mtu: 1500 subnet_ids: ap: "14{{ apartment_block_id }}" diff --git a/roles/radvd/tasks/main.yml b/roles/radvd/tasks/main.yml index 7b68b76..75c72c1 100644 --- a/roles/radvd/tasks/main.yml +++ b/roles/radvd/tasks/main.yml @@ -10,6 +10,8 @@ dest: /etc/radvd.conf mode: 0644 notify: restart radvd + tags: + - radconf - name: Install radvd apt: diff --git a/roles/radvd/templates/radvd.conf.j2 b/roles/radvd/templates/radvd.conf.j2 index ab63ea8..94720f5 100644 --- a/roles/radvd/templates/radvd.conf.j2 +++ b/roles/radvd/templates/radvd.conf.j2 @@ -39,7 +39,7 @@ interface ens20 { MaxRtrAdvInterval 30; AdvRASrcAddress { - {{{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:{{ router_ip_suffix }}; + fe80::1; }; prefix {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::/64 { @@ -63,7 +63,7 @@ interface ens21 { MaxRtrAdvInterval 30; AdvRASrcAddress { - {{{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:{{ router_ip_suffix }}; + fe80::1; }; prefix {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::/64 { diff --git a/roles/router/tasks/main.yml b/roles/router/tasks/main.yml index 06595a2..d09a2c8 100644 --- a/roles/router/tasks/main.yml 
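Review bot: `AdvRASrcAddress { fe80::1; }` in the ens20 and ens21 blocks is the keepalived virtual address, but this role is applied to the backup routers as well (the network.yml pattern `~routeur-(pacaterie|edc|fleming|gs).*` also matches the `-backup` hosts that keepalived.conf tests for), and on a BACKUP node fe80::1 is not assigned to the interface. What radvd does then is version-dependent: it may fall back to the interface's own link-local address and keep advertising itself with `AdvDefaultPreference high`, giving clients two default routers and defeating the point of the shared fe80::1, or it may not send at all; this should be checked on a backup host, where radvd's log shows which source address it settles on. A robust option is to start and stop radvd from keepalived state with `notify_master` / `notify_backup` scripts in the IPv6 vrrp_instance, so only the holder of fe80::1 ever advertises.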
+++ b/roles/router/tasks/main.yml @@ -8,7 +8,7 @@ - name: Enable IPv6 packet forwarding ansible.posix.sysctl: - name: net.ipv6.ip_forward + name: net.ipv6.conf.all.forwarding value: '1' sysctl_set: yes diff --git a/roles/router/templates/firewall_config.py b/roles/router/templates/firewall_config.py index 1a3579c..4f6b755 100644 --- a/roles/router/templates/firewall_config.py +++ b/roles/router/templates/firewall_config.py @@ -24,8 +24,8 @@ ### Give me a role -# routeur4 = routeur IPv4 -role = ['routeur4', 'routeur6'] +# previously: routeur4 = routeur IPv4 +role = ['routeur'] ### Specify each interface role diff --git a/roles/router/templates/keepalived.conf b/roles/router/templates/keepalived.conf index a07ec07..cd217f3 100644 --- a/roles/router/templates/keepalived.conf +++ b/roles/router/templates/keepalived.conf @@ -7,7 +7,7 @@ global_defs { } -vrrp_instance VI_ROUT_{{ apartment_block }} { +vrrp_instance VI_ROUT_{{ apartment_block }}_IPv4 { {% if 'backup' in inventory_hostname %} state BACKUP priority 100 @@ -21,7 +21,7 @@ vrrp_instance VI_ROUT_{{ apartment_block }} { interface ens18 # Shared by MASTER and BACKUP - virtual_router_id {{ apartment_block_id }} + virtual_router_id 4{{ apartment_block_id }} # Timeout in seconds before failover kicks in. advert_int 2 @@ -37,7 +37,6 @@ vrrp_instance VI_ROUT_{{ apartment_block }} { virtual_ipaddress { # Routing subnet 10.129.{{ apartment_block_id }}.254/16 brd 10.129.255.255 dev ens19 scope global - {{ ipv6_base_prefix }}:129:0::{{ apartment_block_id }}:254/64 dev ens19 scope global # NATed subnet: wired 
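Review bot: Changing `virtual_router_id` from `{{ apartment_block_id }}` to `4{{ apartment_block_id }}` in the IPv4 instance is a protocol-visible change: a keepalived that sees no adverts for its own VRID assumes there is no master, so while one member of a pair runs the old config and the other the new one, both hold the 10.x.0.254 addresses at the same time. Roll this out to master and backup in the same play run (both are matched by the network.yml pattern, so a `--limit` to one host is the risky case) and expect a short double-master window regardless. The new value also has to stay inside VRRP's 1–255 range, which holds only while apartment_block_id is a single digit; the same applies to `6{{ apartment_block_id }}` in the IPv6 instance added further down. The vrrp_instance body continues outside the hunk.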
@@ -48,21 +47,63 @@ vrrp_instance VI_ROUT_{{ apartment_block }} { # Wired 10.{{ subnet_ids.users_wired }}.0.254/16 brd 10.{{ subnet_ids.users_wired }}.255.255 dev ens20 scope global - {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:254/64 dev ens20 scope global # Wifi 10.{{ subnet_ids.users_wifi }}.0.254/16 brd 10.{{ subnet_ids.users_wifi }}.255.255 dev ens21 scope global - {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:254/64 dev ens21 scope global } - # FIXME: update for IPv6 virtual_routes { # 10.129.0.1 is Yggdrasil src 10.129.{{ apartment_block_id }}.254 to 0.0.0.0/0 via 10.129.0.1 dev ens19 - - # For IPv6, the master router is routeur-aurore, NOT yggdrasil, - # because yggdrasil doesn't support BGPv6 announcements. - src {{ ipv6_base_prefix }}:129::{{ apartment_block_id }}:254 to ::/0 via {{ ipv6_base_prefix }}:129::0:1 dev ens19 } } + +vrrp_instance VI_ROUT_{{ apartment_block }}_IPv6 { + {% if 'backup' in inventory_hostname %} + state BACKUP + priority 100 + {% else %} + state MASTER + priority 150 + {% endif %} + + + # Interface used for VRRP communication. + interface ens18 + + # Shared by MASTER and BACKUP + virtual_router_id 6{{ apartment_block_id }} + + # Timeout in seconds before failover kicks in. + advert_int 2 + + # Used to authenticate VRRP communication between master and backup. + authentication { + auth_type PASS + auth_pass {{ keepalived_password }} + } + + smtp_alert + + virtual_ipaddress { + # Routing subnet + fe80::1/64 dev ens19 scope global + {{ ipv6_base_prefix }}:129::{{ apartment_block_id }}:254/64 dev ens19 scope global + + # Wired + fe80::1/64 dev ens20 scope global + + # Wifi + fe80::1/64 dev ens21 scope global + } + + + virtual_routes { + # For IPv6, the master router is routeur-aurore, NOT yggdrasil, + # because yggdrasil doesn't support BGPv6 announcements. + src {{ ipv6_base_prefix }}:129::{{ apartment_block_id }}:254 to ::/0 via {{ ipv6_base_prefix }}:129::0:254 dev ens19 + } +} + + 
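Review bot: The new `VI_ROUT_{{ apartment_block }}_IPv6` instance copies the `authentication { auth_type PASS ... }` block from the IPv4 instance, but keepalived runs IPv6 instances as VRRPv3 and VRRPv3 carries no authentication field, so as far as I know the block is ignored (keepalived warns about it at config load); `keepalived_password` therefore protects nothing on the IPv6 side, and on the IPv4 side VRRPv2 PASS transmits it in cleartext anyway. The only real guard against a rogue advert on ens18 taking over fe80::1 and the 129::/64 VIP is that ens18 is a trusted, isolated segment, which is worth stating next to the block, e.g. `# VRRPv3 (IPv6) has no authentication; trust relies on ens18 being an isolated VRRP link.` Where a filter exists on ens18, limiting VRRP (IP protocol 112) to the two peers is the matching control.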
diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2 index 47ad938..efdebe1 100644 --- a/roles/unbound/templates/recursive.conf.j2 +++ b/roles/unbound/templates/recursive.conf.j2 @@ -36,7 +36,7 @@ server: access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow - access-control: {{ ipv6_base_prefix }}::/32 # Fuck it... :) + access-control: {{ ipv6_base_prefix }}::/32 allow # Fuck it... :) num-threads: {{ ansible_processor_vcpus }} From 8360e212cc038515027756f7d6658f01aea8e94c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sun, 2 Aug 2020 12:14:57 +0200 Subject: [PATCH 11/14] enable SSH pipelining (THE SPEED!) --- ansible.cfg | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ansible.cfg b/ansible.cfg index 8d528bd..e2d6a32 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -33,3 +33,6 @@ become_ask_pass = True # TO know what changed always = yes + +[ssh_connection] +pipelining = True From de36a3bb9538fc9f0e114b5eb465f7e35a9c0a78 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sun, 2 Aug 2020 12:15:15 +0200 Subject: [PATCH 12/14] announce IPv6 recursive resolver (untested) --- roles/baseconfig/templates/resolv.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/baseconfig/templates/resolv.conf b/roles/baseconfig/templates/resolv.conf index c94128f..935eeeb 100644 --- a/roles/baseconfig/templates/resolv.conf +++ b/roles/baseconfig/templates/resolv.conf @@ -1,3 +1,4 @@ domain adm.auro.re nameserver 10.128.0.253 +nameserver 2a09:6840:128::253 nameserver 80.67.169.12 From e7620914356f5ae41ce9fba6133a519f7a692571 Mon Sep 17 00:00:00 2001 
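Review bot: `pipelining = True` under `[ssh_connection]` sends modules through the SSH session's stdin instead of copying them first, which is where the speed-up comes from, but it interacts with privilege escalation: with the `become_ask_pass = True` visible in the hunk context, sudo on every managed host must not set `requiretty` or escalation hangs. Debian's default sudoers does not set it, so this is most likely fine for these apt-managed hosts, but the assumption deserves a line above the setting: `# Requires sudoers without 'Defaults requiretty' on all managed hosts (Debian default).`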
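Review bot: The added `nameserver 2a09:6840:128::253` hard-codes the prefix that patch 04 of this series factored into `ipv6_base_prefix` for the other templates; if this file is rendered with the template module (it lives under templates/), `nameserver {{ ipv6_base_prefix }}:128::253` keeps the prefix in one place. The subject calls this untested, and nothing in the series shows a resolver being bound to that address (the unbound change in patch 05 listens on `…:{{ subnet_ids.* }}::0:{{ dns_host_suffix }}` addresses), so it is worth confirming something answers there before hosts start consulting it ahead of the FDN fallback on the next line.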
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sun, 2 Aug 2020 12:15:27 +0200 Subject: [PATCH 13/14] explain fe80::1 keepalived/radvd magic --- roles/radvd/templates/radvd.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/radvd/templates/radvd.conf.j2 b/roles/radvd/templates/radvd.conf.j2 index 94720f5..dc5f1a2 100644 --- a/roles/radvd/templates/radvd.conf.j2 +++ b/roles/radvd/templates/radvd.conf.j2 @@ -39,7 +39,7 @@ interface ens20 { MaxRtrAdvInterval 30; AdvRASrcAddress { - fe80::1; + fe80::1; # link-local virtual IP used with keepalived }; prefix {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::/64 { From 30e503458ef2e7e63b092d622928fd006c061c42 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Thu, 6 Aug 2020 09:57:54 +0200 Subject: [PATCH 14/14] add ability to nuke radius DBs --- nuke-radius-dbs.yml | 7 +++++++ roles/radius/tasks/main.yml | 26 ++++++++++++++++++++++++-- 2 files changed, 31 insertions(+), 2 deletions(-) create mode 100755 nuke-radius-dbs.yml diff --git a/nuke-radius-dbs.yml b/nuke-radius-dbs.yml new file mode 100755 index 0000000..b23f08f --- /dev/null +++ b/nuke-radius-dbs.yml @@ -0,0 +1,7 @@ +#!/usr/bin/env ansible-playbook +--- +- hosts: ~radius-(edc|fleming|pacaterie|gs).* + roles: + - radius + vars: + nuke_radius: true diff --git a/roles/radius/tasks/main.yml b/roles/radius/tasks/main.yml index 9172c79..ba3024e 100644 --- a/roles/radius/tasks/main.yml +++ b/roles/radius/tasks/main.yml @@ -15,7 +15,7 @@ git: repo: "https://gitlab.federez.net/re2o/re2o.git" dest: "/var/www/re2o" - version: "master_freeradius_python3" + version: "dev" force: true - name: Template local re2o settings 
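Review bot: The explanatory comment is added only to the ens20 block's `fe80::1;`, while the identical line in the ens21 (Utilisateurs wifi) block further down keeps no comment, so a reader of the wifi section still has to guess why the RA source is a fixed link-local address. Add the same `# link-local virtual IP used with keepalived` there, or move the explanation into one comment above the first interface block so it is not repeated per interface. The interface block continues outside the hunk.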
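Review bot: `nuke-radius-dbs.yml` runs the whole radius role with `nuke_radius: true` against every host matched by `~radius-(edc|fleming|pacaterie|gs).*` in one go, with no confirmation and no `serial`, so a stray `./nuke-radius-dbs.yml` (the file is created mode 100755 with a shebang) drops the re2o database on all four sites at once. A `vars_prompt` that makes the operator type the target, or at least `serial: 1` so a failing rebuild stops after the first site, bounds the blast radius. A header comment should also state that this is a destructive reset and that the role then re-creates the local DB (the `Create local DB` task follows the nuke tasks), so the operator knows what state the master is expected to be in.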
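Review bot: `version: "dev"` on the re2o git checkout replaces a feature branch with a moving branch, and combined with the `force: true` below it each play run checks out whatever currently sits on dev and discards local changes in /var/www/re2o, so the RADIUS authentication code on production hosts changes without any commit to this repository. Pinning `version:` to a commit SHA or tag that is bumped deliberately keeps the deployed code reproducible and reviewable; if tracking dev is intended, say so in a comment beside the line. The git task continues outside the hunk.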
@@ -118,6 +118,29 @@ password: "{{ radius_pg_replication_password }}" become_user: postgres + +- name: Nuking - Stop freeradius + systemd: + name: freeradius + state: stopped + when: nuke_radius|bool + +- name: Nuking - Remove old subscription if it exists + community.general.postgresql_subscription: + name: "re2o_subscription_{{ inventory_hostname_short | replace('-','_') }}" + db: re2o + state: absent + become_user: postgres + when: nuke_radius|bool + ignore_errors: yes + +- name: Nuking - Destroy old local DB if it exists + community.general.postgresql_db: + name: re2o + state: absent + become_user: postgres + when: nuke_radius|bool + - name: Create local DB community.general.postgresql_db: name: re2o @@ -128,7 +151,6 @@ lc_ctype: 'fr_FR.UTF-8' become_user: postgres - - name: Dump radius re2o PostgreSQL database schema from master community.general.postgresql_db: name: re2o
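Review bot: All three new tasks gate on `when: nuke_radius|bool`, but nothing in this patch defines `nuke_radius` outside nuke-radius-dbs.yml; unless roles/radius/defaults/main.yml already sets it to false, every ordinary run of the radius role (via network.yml) now fails on an undefined variable. Either add `nuke_radius: false` to the role defaults or write the condition as `when: nuke_radius | default(false) | bool`. The `ignore_errors: yes` on the subscription removal also hides real failures (bad credentials, connection refused) rather than only a missing subscription, and the following `Destroy old local DB` task then likely fails anyway because a live subscription keeps a connection to re2o open; `state: absent` should already tolerate a non-existent subscription, so the ignore can probably be dropped, and `yes` should be `true` to match `force: true` earlier in the file.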