authorChristian Pointner <equinox@spreadspace.org>2023-02-14 22:10:06 +0100
committerChristian Pointner <equinox@spreadspace.org>2023-02-14 22:10:06 +0100
commit7a5cc75c309b4028c19685e47fa3bc55c3345f50 (patch)
tree16d8b75f2b56dd70b55d28db7b4ff90e54572790 /_graveyard_
parentelevate-festival: new wifi passwords (diff)
elevate: prepare routers for e23
Diffstat (limited to '_graveyard_')
-rw-r--r--_graveyard_/dan/host_vars/ele-router.yml10
-rw-r--r--_graveyard_/inventory/host_vars/ele-router.yml405
2 files changed, 415 insertions, 0 deletions
diff --git a/_graveyard_/dan/host_vars/ele-router.yml b/_graveyard_/dan/host_vars/ele-router.yml
new file mode 100644
index 00000000..2730423b
--- /dev/null
+++ b/_graveyard_/dan/host_vars/ele-router.yml
@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.2;AES256;dan
+39333736323632303766653165323636316234343764663335303762663366626362303131376536
+3938396235396230633731613838363931323339633235360a636130306165643239333531613939
+35353134393133366236383465653161646464366539366136303833656433393332633137333766
+3730353830613236360a653135653266616638656565323230306566646465666339366361663635
+35383031326436623030633566636163343764353435376633313937363265396534356562666330
+65303234306463383538333462363166323761333433613765366163366265333035383162663061
+39626436643839343561663166646539343135363163346338313964623038376463613762343338
+31316139313531303965326635663962303864386561333864356435383463623235663862346632
+3463
diff --git a/_graveyard_/inventory/host_vars/ele-router.yml b/_graveyard_/inventory/host_vars/ele-router.yml
new file mode 100644
index 00000000..bddb40e8
--- /dev/null
+++ b/_graveyard_/inventory/host_vars/ele-router.yml
@@ -0,0 +1,405 @@
+---
+ssh_users_root:
+ - equinox
+ - datacop
+
+network_mgmt_zone: "{{ network_zones.mgmt }}"
+
+
+wireguard_keys:
+ gwhetzner:
+ pub: "fqaKDJbSj6V0H98d78d/lnFLolefgp6zDPH9bN4+zUY="
+ priv: "{{ vault_wireguard_priv_keys.gwhetzner }}"
+
+wireguard_gateway_tunnels:
+ wg-emc:
+ priv_key: "{{ wireguard_keys.gwhetzner.priv }}"
+ addresses:
+ - 192.168.254.6/30
+ default_gateway:
+ inner: 192.168.254.5
+ peers:
+ - pub_key: "{{ hostvars['ele-gwhetzner'].wireguard_keys.emc.pub }}"
+ endpoint:
+ host: 178.63.180.138 # TODO: fix this variable "{{ hostvars['ele-gwhetzner'].external_ip }}"
+ port: 51821
+ keepalive_interval: 15
+ allowed_ips:
+ - 0.0.0.0/0
+
+openwrt_network_external:
+ - name: interface 'wanmur'
+ options:
+ device: 'eth5'
+ proto: static
+ ipaddr: "{{ network_zones.murat_transfer.prefix | ansible.utils.ipaddr(network_zones.murat_transfer.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}"
+ netmask: "{{ network_zones.murat_transfer.prefix | ansible.utils.ipaddr('netmask') }}"
+ accept_ra: 0
+
+ - name: rule
+ options:
+ priority: 41050
+ src: "{{ network_zones.murat_transfer.prefix | ansible.utils.ipaddr(network_zones.murat_transfer.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}/32"
+ lookup: 105
+
+ - name: rule
+ options:
+ priority: 41051
+ mark: 105
+ lookup: 105
+
+ - name: route 'murdefault'
+ options:
+ interface: 'wanmur'
+ table: 105
+ target: '0.0.0.0/0'
+ gateway: "{{ network_zones.murat_transfer.prefix | ansible.utils.ipaddr(network_zones.murat_transfer.offsets['ele-mur']) | ansible.utils.ipaddr('address') }}"
+
+
+ - name: interface 'wanlte'
+ options:
+ device: 'eth4'
+ proto: static
+ ipaddr: "{{ network_zones.datacop_lte.prefix | ansible.utils.ipaddr(network_zones.datacop_lte.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}"
+ netmask: "{{ network_zones.datacop_lte.prefix | ansible.utils.ipaddr('netmask') }}"
+ accept_ra: 0
+
+ - name: rule
+ options:
+ priority: 41040
+ src: "{{ network_zones.datacop_lte.prefix | ansible.utils.ipaddr(network_zones.datacop_lte.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}/32"
+ lookup: 104
+
+ - name: rule
+ options:
+ priority: 41041
+ mark: 104
+ lookup: 104
+
+ - name: route 'ltedefault'
+ options:
+ interface: 'wanlte'
+ table: 104
+ target: '0.0.0.0/0'
+ gateway: "{{ network_zones.datacop_lte.gateway }}"
+
+ - name: rule
+ options:
+ priority: 50000
+ lookup: 105
+
+
+network_internal_zone_names__wanmur:
+ - lan
+ - guest
+ - mixer
+ - infoscreens
+network_internal_zone_names__wanlte: []
+network_internal_zone_names__wgemc:
+ - emc
+
+network_internal_zone_names: "{{ network_internal_zone_names__wanmur + network_internal_zone_names__wanlte + network_internal_zone_names__wgemc }}"
+openwrt_network_internal: "{{ openwrt_network_internal_yaml | from_yaml }}"
+openwrt_network_internal_yaml: |
+ {% for zone_name in network_internal_zone_names %}
+ - name: "interface '{{ zone_name }}'"
+ options:
+ device: "eth0.{{ network_zones[zone_name].vlan }}"
+ proto: static
+ ipaddr: "{{ network_zones[zone_name].gateway }}"
+ netmask: "{{ network_zones[zone_name].prefix | ansible.utils.ipaddr('netmask') }}"
+ accept_ra: 0
+ {% endfor %}
+
+
+openwrt_network_base:
+ - name: globals 'globals'
+ options:
+ ula_prefix: "fc{{ '%02x:%04x:%04x' | format((255 | random(seed=inventory_hostname + '0')), (65535 | random(seed=inventory_hostname + '1')), (65535 | random(seed=inventory_hostname + '2'))) }}::/48"
+
+ - name: interface 'loopback'
+ options:
+ device: lo
+ proto: static
+ ipaddr: 127.0.0.1
+ netmask: 255.0.0.0
+
+ - name: interface 'mgmt'
+ options:
+ device: "eth0.{{ network_mgmt_zone.vlan }}"
+ proto: static
+ ipaddr: "{{ network_mgmt_zone.prefix | ansible.utils.ipaddr(network_mgmt_zone.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}"
+ netmask: "{{ network_mgmt_zone.prefix | ansible.utils.ipaddr('netmask') }}"
+ accept_ra: 0
+
+
+
+openwrt_dhcp_external:
+ - name: dhcp 'wanmur'
+ options:
+ interface: 'wanmur'
+ ignore: '1'
+
+ - name: dhcp 'wanlte'
+ options:
+ interface: 'wanlte'
+ ignore: '1'
+
+
+openwrt_dhcp_internal: "{{ openwrt_dhcp_internal_yaml | from_yaml }}"
+openwrt_dhcp_internal_yaml: |
+ {% for zone_name in network_internal_zone_names %}
+ - name: "dhcp '{{ zone_name }}'"
+ options:
+ interface: "{{ zone_name }}"
+ {% if 'dhcp' in network_zones[zone_name] %}
+ start: {{ network_zones[zone_name].dhcp.start }}
+ limit: {{ network_zones[zone_name].dhcp.limit }}
+ leasetime: {{ network_zones[zone_name].dhcp.leasetime | default('12h') }}
+ dhcpv6: 'disabled'
+ ra: 'disabled'
+ {% else %}
+ ignore: '1'
+ {% endif %}
+ {% endfor %}
+
+
+openwrt_dhcp_base:
+ - name: dnsmasq
+ options:
+ domainneeded: '1'
+ boguspriv: '0'
+ filterwin2k: '0'
+ localise_queries: '1'
+ rebind_protection: '0'
+ rebind_localhost: '1'
+ local: '/lan/'
+ domain: 'lan'
+ expandhosts: '1'
+ nonegcache: '0'
+ authoritative: '1'
+ readethers: '1'
+ leasefile: '/tmp/dhcp.leases'
+ resolvfile: '/tmp/resolv.conf.auto'
+ localservice: '1'
+ server:
+ - 1.1.1.1
+
+ - name: odhcpd 'odhcpd'
+ options:
+ maindhcp: '0'
+ leasefile: '/tmp/hosts/odhcpd'
+ leasetrigger: '/usr/sbin/odhcpd-update'
+
+ - name: dhcp 'mgmt'
+ options:
+ interface: 'mgmt'
+ ignore: '1'
+
+
+openwrt_arch: x86
+openwrt_target: 64
+openwrt_profile: generic
+openwrt_output_image_suffixes:
+ - "{{ openwrt_profile }}-ext4-combined.img.gz"
+
+openwrt_packages_remove:
+ - ppp
+ - ppp-mod-pppoe
+ - firewall
+ - odhcpd-ipv6only
+openwrt_packages_add:
+ - kmod-ipt-nat
+ - kmod-ipt-conntrack
+ - haveged
+ - htop
+ - ip
+ - less
+ - nano
+ - tcpdump-mini
+ - iperf
+ - iperf3
+ - mtr
+ - iptraf-ng
+ - qos-scripts
+ - wireguard
+ - prometheus-node-exporter-lua
+ - prometheus-node-exporter-lua-nat_traffic
+ - prometheus-node-exporter-lua-netstat
+ - prometheus-node-exporter-lua-openwrt
+
+
+openwrt_mixin:
+ /etc/dropbear/authorized_keys:
+ content: "{{ ssh_keys_root | join('\n') }}\n"
+
+ /etc/htoprc:
+ file: "{{ global_files_dir }}/common/htoprc"
+
+ /etc/wireguard/wg-emc.priv:
+ content: "{{ wireguard_gateway_tunnels['wg-emc'].priv_key }}\n"
+ mode: "0600"
+
+ /etc/rc.d/S21network-wgemc:
+ link: "../init.d/network-wgemc"
+
+ /etc/rc.d/K91network-wgemc:
+ link: "../init.d/network-wgemc"
+
+ /etc/init.d/network-wgemc:
+ mode: "0755"
+ content: |
+ #!/bin/sh /etc/rc.common
+
+ START=21
+ STOP=91
+
+ start() {
+ ip link add dev wg-emc type wireguard
+ wg set wg-emc fwmark 105 private-key /etc/wireguard/wg-emc.priv
+
+ {% for peer in wireguard_gateway_tunnels['wg-emc'].peers %}
+ wg set wg-emc peer {{ peer.pub_key }} endpoint {{ peer.endpoint.host }}:{{ peer.endpoint.port }} persistent-keepalive {{ peer.keepalive_interval }} allowed-ips {{ peer.allowed_ips | join(',') }}
+ {% endfor %}
+
+ {% for addr in wireguard_gateway_tunnels['wg-emc'].addresses %}
+ ip addr add dev wg-emc {{ addr }}
+ {% endfor %}
+ ip link set up dev wg-emc
+
+ ip route add default via {{ wireguard_gateway_tunnels['wg-emc'].default_gateway.inner }} table 200 proto static
+ }
+
+ stop() {
+ ip link del dev wg-emc
+ }
+
+ /etc/rc.d/S22network-fw:
+ link: "../init.d/network-fw"
+
+ /etc/rc.d/K92network-fw:
+ link: "../init.d/network-fw"
+
+ /etc/init.d/network-fw:
+ mode: "0755"
+ content: |
+ #!/bin/sh /etc/rc.common
+
+ START=22
+ STOP=91
+
+ start() {
+ ### management
+ MGMT_IF=$(uci get network.mgmt.device)
+ MGMT_IPADDR=$(uci get network.mgmt.ipaddr)
+ MGMT_NETMASK=$(uci get network.mgmt.netmask)
+ iptables -A INPUT -i lo -d 127.0.0.0/8 -j ACCEPT
+ iptables -A INPUT -i "$MGMT_IF" -d "$MGMT_IPADDR" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT
+
+
+ ### external zones
+ # mur
+ iptables -A INPUT -i "eth5" -p icmp -j ACCEPT
+ iptables -A INPUT -i "eth5" -p tcp --dport {{ ansible_port }} -j ACCEPT
+ iptables -A INPUT -i "eth5" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+ # LTE
+ iptables -A INPUT -i "eth4" -p icmp -j ACCEPT
+ iptables -A INPUT -i "eth4" -p tcp --dport {{ ansible_port }} -j ACCEPT
+ iptables -A INPUT -i "eth4" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+ # Wireguard EMC
+ iptables -A INPUT -i "wg-emc" -p icmp -j ACCEPT
+ iptables -A INPUT -i "wg-emc" -p tcp --dport {{ ansible_port }} -j ACCEPT
+ iptables -A INPUT -i "wg-emc" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ iptables -A FORWARD -o "wg-emc" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+
+
+ ### internal zones
+ {% for zone_name in network_internal_zone_names %}
+ # {{ zone_name }}
+ {% if 'dhcp' in network_zones[zone_name] %}
+ iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -p udp --dport 67 --sport 68 -j ACCEPT
+ {% endif %}
+ {% if 'dhcp' in network_zones[zone_name] or network_zones[zone_name].gateway in network_zones[zone_name].dns %}
+ iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -p udp --dport 53 -d "{{ network_zones[zone_name].gateway }}" -s "{{ network_zones[zone_name].prefix }}" -j ACCEPT
+ iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -p tcp --dport 53 -d "{{ network_zones[zone_name].gateway }}" -s "{{ network_zones[zone_name].prefix }}" -j ACCEPT
+ {% endif %}
+ iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -p icmp -d "{{ network_zones[zone_name].gateway }}" -s "{{ network_zones[zone_name].prefix }}" -j ACCEPT
+ iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+ {% if zone_name in network_internal_zone_names__wanmur %}
+ {% set ext_interface = "eth5" %}
+ {% set rt_table = "105" %}
+ {% elif zone_name in network_internal_zone_names__wanlte %}
+ {% set ext_interface = "eth4" %}
+ {% set rt_table = "104" %}
+ {% elif zone_name in network_internal_zone_names__wgemc %}
+ {% set ext_interface = "wg-emc" %}
+ {% set rt_table = "200" %}
+ {% endif %}
+ iptables -A FORWARD -i "eth0.{{ network_zones[zone_name].vlan }}" -o "{{ ext_interface }}" -s "{{ network_zones[zone_name].prefix }}" -j ACCEPT
+ iptables -A FORWARD -i "{{ ext_interface }}" -o "eth0.{{ network_zones[zone_name].vlan }}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ iptables -t nat -A POSTROUTING -o "{{ ext_interface }}" -s "{{ network_zones[zone_name].prefix }}" -j MASQUERADE
+ ip rule add pref {{ loop.index + 33000 }} iif "eth0.{{ network_zones[zone_name].vlan }}" lookup {{ rt_table }}
+
+ {% endfor %}
+
+ ###
+ iptables -P INPUT DROP
+ iptables -P FORWARD DROP
+ }
+
+ stop() {
+ iptables -P INPUT ACCEPT
+ iptables -F INPUT
+ iptables -P FORWARD ACCEPT
+ iptables -F FORWARD
+ iptables -t nat -F POSTROUTING
+ {% for zone_name in network_internal_zone_names %}
+ ip rule del pref {{ loop.index + 33000 }}
+ {% endfor %}
+ }
+
+
+openwrt_uci:
+ system:
+ - name: system
+ options:
+ hostname: '{{ host_name }}'
+ timezone: 'CET-1CEST,M3.5.0,M10.5.0/3'
+ ttylogin: '0'
+ log_size: '64'
+ urandom_seed: '0'
+
+ - name: timeserver 'ntp'
+ options:
+ enabled: '1'
+ enable_server: '0'
+ server:
+ - '0.lede.pool.ntp.org'
+ - '1.lede.pool.ntp.org'
+ - '2.lede.pool.ntp.org'
+ - '3.lede.pool.ntp.org'
+
+ dropbear:
+ - name: dropbear
+ options:
+ PasswordAuth: 'off'
+ RootPasswordAuth: 'off'
+ Port: '{{ ansible_port }}'
+
+ prometheus-node-exporter-lua:
+ - name: prometheus-node-exporter-lua 'main'
+ options:
+ listen_interface: 'mgmt'
+ listen_ipv6: '0'
+ listen_port: '9100'
+
+ dhcp: "{{ openwrt_dhcp_base + openwrt_dhcp_internal + openwrt_dhcp_external }}"
+ network: "{{ openwrt_network_base + openwrt_network_internal + openwrt_network_external }}"
+
+
+prometheus_scrape_endpoint: "{{ network_mgmt_zone.prefix | ansible.utils.ipaddr(network_mgmt_zone.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:9100"
+prometheus_exporters_default:
+ - openwrt
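Review bot: `rebind_protection: '0'` in the dnsmasq entry of openwrt_dhcp_base switches off dnsmasq's DNS-rebinding filter for every internal zone that resolves through this router, and nothing in the file says why; if internal names are meant to resolve to private addresses, a comment such as `# rebind_protection off: internal names resolve to RFC1918 addresses` (or `rebind_domain` entries for just those names) would record the intent, otherwise `'1'` is the safer setting. The network-fw init script only programs iptables and sets the IPv4 INPUT/FORWARD policies to DROP; if the built image still ships ip6tables, the IPv6 chains stay at ACCEPT, so either an `ip6tables -P INPUT DROP` / `ip6tables -P FORWARD DROP` pair in start() or a comment stating that IPv6 is not routed on this host is needed. The wg-emc peer endpoint in wireguard_gateway_tunnels is the literal `178.63.180.138` with a TODO pointing at `hostvars['ele-gwhetzner'].external_ip`; holding the address in two places will drift silently, so the TODO should be resolved or name the owner of that variable before the host goes live.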