Merge branch 'ipv6' into ansible-2.10

This commit is contained in:
Yohaï-Eliel BERREBY 2020-08-06 09:58:43 +02:00
commit d98764d88e
13 changed files with 233 additions and 14 deletions


@ -33,3 +33,6 @@ become_ask_pass = True
# TO know what changed
always = yes
[ssh_connection]
pipelining = True
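Review bot: If `always = yes` (which reads like the `[diff]` section's option) is one of the three added lines — the rendered hunk lost its markers, so I cannot tell — every template task will print the rendered file contents, and this same merge templates secrets into files (`auth_pass {{ keepalived_password }}` in keepalived.conf.j2), so those values end up in playbook output and any CI log that captures it. Keep diff mode but add `no_log: true` to the tasks that template credential-bearing files, or leave `always` off and use `--diff` for interactive runs only. `pipelining = True` is a good change on its own, but it only works when `requiretty` is absent from sudoers on the targets; a one-line comment saying so would save the next debugging session.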


@ -50,8 +50,8 @@ dns_host_suffix_backup: 153
backup_dns_servers:
- "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr)
# Misc
mtu: 1400
# Finally raised!
mtu: 1500
subnet_ids:
ap: "14{{ apartment_block_id }}"
@ -78,3 +78,9 @@ radius_pg_re2o_ro_password: "{{ vault_re2o_db_user_passwords.re2o_ro }}"
apartment_block_dhcp: "{{ apartment_block }}"
# Careful, this is not byte-aligned, just nibble-aligned (RIPE gave us a /28).
# However, we ALWAYS keep the trailing 0 to have byte alignment.
ipv6_base_prefix: "2a09:6840"
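Review bot: The two-line comment on `ipv6_base_prefix` explains the nibble alignment of the RIPE /28 but not what the variable actually holds, which every template in this merge depends on: the first /32 of the allocation, to which templates append a 16-bit subnet id (`{{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::/64`). I'd say that directly, e.g. `# First /32 of our RIPE /28; templates build /64s as <prefix>:<subnet_id>::/64.` It is also worth one line that `subnet_ids` values such as `"14{{ apartment_block_id }}"` are read as a decimal octet on the IPv4 side (`10.14X.0.0/16`) and as a hex hextet on the IPv6 side (`<prefix>:14X::/64`), so any new id must stay below 256 for IPv4 to keep working.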


@ -22,9 +22,12 @@
# Déploiement du service re2o aurore-firewall et keepalived
# radvd: IPv6 SLAAC (/64 subnets, private IPs).
# Must NOT be on routeur-aurore-*, or will with DHCPv6!
- hosts: ~routeur-(pacaterie|edc|fleming|gs).*\.adm\.auro\.re
roles:
- router
- radvd
# Radius (backup only for now)
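Review bot: The comment `# Must NOT be on routeur-aurore-*, or will with DHCPv6!` is missing its verb, so the constraint it protects is unclear; reading it together with the closing comment of radvd.conf.j2 (public IPs via DHCPv6 on routeur-aurore alone) I would write `# Must NOT run on routeur-aurore-*: that host serves public IPv6 via DHCPv6 and a second RA source would conflict with it.` — adjust if the conflict is something else. The block list `(pacaterie|edc|fleming|gs)` is duplicated in nuke-radius-dbs.yml's host pattern; an inventory group would keep the two from drifting. The play list continues outside the hunk.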

7
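--- /dev/null
+++ b/nuke-radius-dbs.yml
@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: ~radius-(edc|fleming|pacaterie|gs).*
+  roles:
+    - radius
+  vars:
+    nuke_radius: true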
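Review bot: This playbook drops the local re2o database on every host matching `~radius-(edc|fleming|pacaterie|gs).*` with no confirmation step, and it runs with that effect by default because `nuke_radius: true` is baked into the play rather than passed with `-e`. A `vars_prompt` that requires typing the literal word `nuke`, or a `pre_tasks` pause such as `- pause: prompt: "Destroying the local re2o DB on all targeted radius hosts - Enter to continue, Ctrl-C to abort"`, makes the blast radius explicit, and `--limit` then becomes the documented way to do one block at a time. The pattern is also unanchored on the right, unlike the `\.adm\.auro\.re` suffix the main playbook uses, so it matches any inventory host whose name starts with one of those prefixes.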


@ -1,3 +1,4 @@
domain adm.auro.re
nameserver 10.128.0.253
nameserver 2a09:6840:128::253
nameserver 80.67.169.12
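Review bot: The new `nameserver 2a09:6840:128::253` hard-codes both the prefix that this merge centralises as `ipv6_base_prefix` and the host suffix that group_vars exposes as `dns_host_suffix_main`; if this file is (or can become) a template, `nameserver {{ ipv6_base_prefix }}:128::{{ dns_host_suffix_main }}` keeps a single source of truth, and if it must stay static, a comment naming the group_vars entries it has to track is the minimum. Note also that glibc honours at most three `nameserver` lines, and this file now has exactly three, so a later IPv6 backup resolver appended below the FDN entry would be silently ignored; a comment recording that limit would prevent the surprise.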


@ -15,7 +15,7 @@
git:
repo: "https://gitlab.federez.net/re2o/re2o.git"
dest: "/var/www/re2o"
version: "master_freeradius_python3"
version: "dev"
force: true
- name: Template local re2o settings
@ -118,6 +118,29 @@
password: "{{ radius_pg_replication_password }}"
become_user: postgres
- name: Nuking - Stop freeradius
systemd:
name: freeradius
state: stopped
when: nuke_radius|bool
- name: Nuking - Remove old subscription if it exists
community.general.postgresql_subscription:
name: "re2o_subscription_{{ inventory_hostname_short | replace('-','_') }}"
db: re2o
state: absent
become_user: postgres
when: nuke_radius|bool
ignore_errors: yes
- name: Nuking - Destroy old local DB if it exists
community.general.postgresql_db:
name: re2o
state: absent
become_user: postgres
when: nuke_radius|bool
- name: Create local DB
community.general.postgresql_db:
name: re2o
@ -128,7 +151,6 @@
lc_ctype: 'fr_FR.UTF-8'
become_user: postgres
- name: Dump radius re2o PostgreSQL database schema from master
community.general.postgresql_db:
name: re2o
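Review bot: `when: nuke_radius|bool` on the three Nuking tasks raises an undefined-variable error on every ordinary run of the radius role unless `nuke_radius` is declared in the role defaults (not visible here); `when: nuke_radius | default(false) | bool` makes the guard safe whether or not nuke-radius-dbs.yml is the caller. `ignore_errors: yes` on the subscription removal hides every failure, including a wrong database name or lost postgres privileges, so a `failed_when` narrowed to the "does not exist" case keeps real errors visible, and `yes` should be spelled `true` like `force: true` above. In the first hunk, `version: "dev"` follows a moving branch, so each deploy checks out whatever that branch points at that minute; pinning a tag or commit (`version: "<pinned-tag-or-sha>"`) means the radius hosts only run what was reviewed. The task list continues outside both hunks.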


@ -0,0 +1,4 @@
- name: restart radvd
systemd:
state: restarted
name: radvd


@ -0,0 +1,22 @@
---
# Warning: radvd installation seems to fail if the configuration
# file doesn't already exist when the package is installed,
# so the order is important.
- name: Configure radvd
template:
src: radvd.conf.j2
dest: /etc/radvd.conf
mode: 0644
notify: restart radvd
tags:
- radconf
- name: Install radvd
apt:
update_cache: true
name: radvd
state: present
notify: restart radvd
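Review bot: `mode: 0644` is an unquoted octal literal; a YAML 1.1 parser reads it as the integer 420 (which happens to be 0o644, so it works today), but a YAML 1.2 loader reads it as decimal 644 and the file ends up 01204, so write `mode: "0644"` as the Ansible docs recommend. Because `Configure radvd` deliberately runs before the package exists, a failed `apt` leaves /etc/radvd.conf in place with no daemon; that is harmless, but the header comment should also say that the `restart radvd` handler is what brings the service up after the install task. The rendered config carries no secrets, so world-readable is fine here.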


@ -0,0 +1,81 @@
# -*- mode: conf-unix; coding: utf-8 -*-
##
# Bornes Wi-Fi
##
# Not deployed yet!
# Need to add an interface for this VLAN on "routeur-*" hosts.
# interface ens19 { # XXX - FIX THE INTERFACE NAME
# AdvSendAdvert on;
# AdvLinkMTU {{ mtu }};
# AdvDefaultPreference high;
# MaxRtrAdvInterval 30;
#
# AdvRASrcAddress {
# {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::0:250; # Unifi controller
# };
#
# prefix {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::/64 {
# AdvRouterAddr on;
# };
#
# # La zone DNS
# DNSSL borne.auro.re {};
#
# # Les DNS récursifs
# RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::{{ dns_host_suffix_main }} {};
# RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::{{ dns_host_suffix_backup }} {};
# };
##
# Utilisateurs filaire
##
interface ens20 {
AdvSendAdvert on;
AdvLinkMTU {{ mtu }};
AdvDefaultPreference high;
MaxRtrAdvInterval 30;
AdvRASrcAddress {
fe80::1; # link-local virtual IP used with keepalived
};
prefix {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::/64 {
AdvRouterAddr on;
};
DNSSL fil.{{ apartment_block_dhcp }}.auro.re {}; # TODO: fix this shitty workaround.
RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::{{ dns_host_suffix_main }} {};
RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::{{ dns_host_suffix_backup }} {};
};
##
# Utilisateurs wifi
##
interface ens21 {
AdvSendAdvert on;
AdvLinkMTU {{ mtu }};
AdvDefaultPreference high;
MaxRtrAdvInterval 30;
AdvRASrcAddress {
fe80::1;
};
prefix {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::/64 {
AdvRouterAddr on;
};
DNSSL wifi.{{ apartment_block_dhcp }}.auro.re {}; # TODO: fix this shitty workaround.
RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::{{ dns_host_suffix_main }} {};
RDNSS {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::{{ dns_host_suffix_backup }} {};
};
# For public IPs: will use DHCPv6, deployed on routeur-aurore alone.
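Review bot: Both routers of a block render this template with `AdvRASrcAddress { fe80::1; }`, but only the current VRRP master holds fe80::1 (keepalived adds it as a virtual address); the template does not say what the backup's radvd does while that address is absent, and if it falls back to the interface's own link-local address the backup becomes a second default router on the user VLANs that never fails over — confirm radvd's behaviour on the deployed version and record it in a header comment. The two `TODO: fix this shitty workaround` comments do not say what the workaround is, so nobody can fix it later; name the problem, e.g. `# TODO: DNSSL uses the DHCP block name because <reason>; replace with <intended zone>` with the real reason filled in. The commented-out `ens19` block would be easier to keep in sync as an `{% if %}`-guarded block on a variable than as dead text.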


@ -6,6 +6,12 @@
value: '1'
sysctl_set: yes
- name: Enable IPv6 packet forwarding
ansible.posix.sysctl:
name: net.ipv6.conf.all.forwarding
value: '1'
sysctl_set: yes
- name: Install aurore-firewall (re2o-service)
import_role:
name: re2o-service
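Review bot: Setting `net.ipv6.conf.all.forwarding` to 1 also changes how the kernel treats Router Advertisements: with forwarding on, an interface whose `accept_ra` is 1 stops accepting RAs (it has to be 2), so any interface on these routers that previously got a default route or address from an RA loses it silently. The keepalived template in this merge installs a static `::/0 via {{ ipv6_base_prefix }}:129::0:254` route, which suggests nothing here relies on RA, but a comment stating that (`# forwarding=1 makes the kernel ignore RAs unless accept_ra=2; we route statically via keepalived`) would save a future debugging session. `sysctl_set: yes` matches the existing IPv4 task, so I would leave the spelling alone in this change.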


@ -24,8 +24,8 @@
### Give me a role
# routeur4 = routeur IPv4
role = ['routeur4']
# previously: routeur4 = routeur IPv4
role = ['routeur']
### Specify each interface role


@ -2,12 +2,12 @@ global_defs {
notification_email {
monitoring.aurore@lists.crans.org
}
notification_email_from routeur-edc-backup@auro.re
notification_email_from routeur-{{ apartment_block }}{% if 'backup' in inventory_hostname %}-backup{% endif %}@auro.re
smtp_server smtp.crans.org
}
vrrp_instance VI_ROUT_{{ apartment_block }} {
vrrp_instance VI_ROUT_{{ apartment_block }}_IPv4 {
{% if 'backup' in inventory_hostname %}
state BACKUP
priority 100
@ -21,12 +21,11 @@ vrrp_instance VI_ROUT_{{ apartment_block }} {
interface ens18
# Shared by MASTER and BACKUP
virtual_router_id {{ apartment_block_id }}
virtual_router_id 4{{ apartment_block_id }}
# Timeout in seconds before failover kicks in.
advert_int 2
# Used to authenticate VRRP communication between master and backup.
authentication {
auth_type PASS
@ -39,19 +38,72 @@ vrrp_instance VI_ROUT_{{ apartment_block }} {
# Routing subnet
10.129.{{ apartment_block_id }}.254/16 brd 10.129.255.255 dev ens19 scope global
# Public subnet: wired
# NATed subnet: wired
45.66.108.25{{ apartment_block_id }}/24 brd 45.66.108.255 dev ens19 scope global
# Public subnet: wifi
# NATed subnet: wifi
45.66.109.25{{ apartment_block_id }}/24 brd 45.66.109.255 dev ens19 scope global
# Wired
10.{{ subnet_ids.users_wired }}.0.254/16 brd 10.{{ subnet_ids.users_wired }}.255.255 dev ens20 scope global
# Wifi
10.{{ subnet_ids.users_wifi }}.0.254/16 brd 10.{{ subnet_ids.users_wifi }}.255.255 dev ens21 scope global
}
virtual_routes {
# 10.129.0.1 is Yggdrasil
src 10.129.{{ apartment_block_id }}.254 to 0.0.0.0/0 via 10.129.0.1 dev ens19
}
}
vrrp_instance VI_ROUT_{{ apartment_block }}_IPv6 {
{% if 'backup' in inventory_hostname %}
state BACKUP
priority 100
{% else %}
state MASTER
priority 150
{% endif %}
# Interface used for VRRP communication.
interface ens18
# Shared by MASTER and BACKUP
virtual_router_id 6{{ apartment_block_id }}
# Timeout in seconds before failover kicks in.
advert_int 2
# Used to authenticate VRRP communication between master and backup.
authentication {
auth_type PASS
auth_pass {{ keepalived_password }}
}
smtp_alert
virtual_ipaddress {
# Routing subnet
fe80::1/64 dev ens19 scope global
{{ ipv6_base_prefix }}:129::{{ apartment_block_id }}:254/64 dev ens19 scope global
# Wired
fe80::1/64 dev ens20 scope global
# Wifi
fe80::1/64 dev ens21 scope global
}
virtual_routes {
# For IPv6, the master router is routeur-aurore, NOT yggdrasil,
# because yggdrasil doesn't support BGPv6 announcements.
src {{ ipv6_base_prefix }}:129::{{ apartment_block_id }}:254 to ::/0 via {{ ipv6_base_prefix }}:129::0:254 dev ens19
}
}
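Review bot: `virtual_router_id 6{{ apartment_block_id }}` (and `4{{ apartment_block_id }}` in the second hunk) only stays inside VRRP's 1–255 range while `apartment_block_id` is a single digit; a two-digit id renders as 6XX and keepalived rejects the instance, so either guard it or add `# apartment_block_id must be a single digit: VRID = 6<id> must stay <= 255`. The `authentication { auth_type PASS ... }` block copied into the IPv6 instance is not supported by VRRPv3, so whether it has any effect depends on which VRRP version keepalived picks for this instance — check the keepalived log on first deploy — and in either case PASS auth truncates `keepalived_password` to 8 characters and sends it in clear on ens18, so treat it as a replay-resistance measure, not a secret. `fe80::1/64 dev ens19 scope global` pairs a link-local address with a global scope; as far as I can tell Linux derives the scope of an IPv6 address from the address itself and ignores the keyword, but `scope link` states the intent and avoids the question. The earlier lines of VI_ROUT_{{ apartment_block }}_IPv4 are outside this hunk.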


@ -11,20 +11,32 @@ server:
logfile: "/var/log/unbound/unbound.log"
do-ip4: yes
# FIXME: IPv6 deployment... someday...
do-ip6: no
do-ip6: yes
# IP addresses on which to listen.
#
# Note: dns_host_suffix is dynamically set in this role's tasks,
# and changes depending on whether we're handling the main or backup
# recursive DNS node.
# IPv4
interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }}
interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }}
interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }}
# IPv6
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::0:{{ dns_host_suffix }}
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:{{ dns_host_suffix }}
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:{{ dns_host_suffix }}
# By default, anything other than localhost is refused.
# Whitelist some subnets:
access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow
access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow
access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow
access-control: {{ ipv6_base_prefix }}::/32 allow # Fuck it... :)
num-threads: {{ ansible_processor_vcpus }}
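Review bot: `access-control: {{ ipv6_base_prefix }}::/32 allow` opens recursion to the entire /32, including the routing subnet and every /64 allocated in future, whereas the IPv4 rules above it allow only the three client /16s; mirroring them with `access-control: {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::/64 allow` (and the `users_wired` / `users_wifi` equivalents) keeps the IPv6 policy as narrow as the IPv4 one, and the inline comment should then state what is being allowed and why. The three new `interface:` lines also mean unbound refuses to start until those IPv6 addresses exist on the host, so whatever configures them must run before this role restarts unbound; a short comment above the IPv6 block saying where the addresses come from would make that ordering visible. The `server:` block continues beyond the hunk.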