authorChristian Pointner <equinox@spreadspace.org>2023-04-16 01:30:14 +0200
committerChristian Pointner <equinox@spreadspace.org>2023-04-16 01:30:14 +0200
commit8b3620f4e036764fc6c72e27bae820c6f6a51c22 (patch)
tree428103ec69303bd2b65422ce4f53317571cd1242 /inventory
parentcpu-micrcode for debain bookworm+ (diff)
c@h: add network zone for c3voc
Diffstat (limited to 'inventory')
-rw-r--r--inventory/group_vars/chaos-at-home/network.yml11
-rw-r--r--inventory/group_vars/vmhost-ch-phoebe/vars.yml1
-rw-r--r--inventory/host_vars/ch-gw-c3voc.yml182
-rw-r--r--inventory/host_vars/ch-gw-lan.yml3
-rw-r--r--inventory/host_vars/ch-jump.yml2
-rw-r--r--inventory/host_vars/ch-router.yml10
-rw-r--r--inventory/host_vars/ch-sw0.yml1
-rw-r--r--inventory/hosts.ini3
8 files changed, 213 insertions, 0 deletions
diff --git a/inventory/group_vars/chaos-at-home/network.yml b/inventory/group_vars/chaos-at-home/network.yml
index 9fea14eb..1fb4a94f 100644
--- a/inventory/group_vars/chaos-at-home/network.yml
+++ b/inventory/group_vars/chaos-at-home/network.yml
@@ -81,6 +81,7 @@ network_zones:
ch-testvm-phoebe: 43
ch-testvm-openwrt: 44
ch-nic: 53
+ ch-gw-c3voc: 73
__svc_http__: 80
__svc_imap__: 143
ch-mon: 230
@@ -123,6 +124,16 @@ network_zones:
offsets:
ch-router: 2
+ c3voc:
+ vlan: 1073
+ prefix: 10.73.0.0/16
+ gateway: 10.73.0.254
+ dns:
+ - 8.8.8.8
+ - 8.8.8.8
+ offsets:
+ ch-gw-c3voc: 254
+
remote:
prefix: 192.168.51.0/24
offsets:
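Review bot: The `dns` list of the new `c3voc` zone holds `8.8.8.8` twice, so the second entry adds no fallback resolver; presumably a different address was meant for the second entry, and as written it is simply redundant. Either drop the duplicate or replace it with a distinct resolver, e.g. `dns:` / `- 8.8.8.8` / `- <second resolver>` (placeholder, pick the intended one). The `gateway: 10.73.0.254` value and the `ch-gw-c3voc: 254` offset agree with each other, which is the consistency the other zones rely on, so that part looks right. The enclosing `network_zones` mapping continues outside the hunk.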
diff --git a/inventory/group_vars/vmhost-ch-phoebe/vars.yml b/inventory/group_vars/vmhost-ch-phoebe/vars.yml
index 8b1d9d1d..35e12425 100644
--- a/inventory/group_vars/vmhost-ch-phoebe/vars.yml
+++ b/inventory/group_vars/vmhost-ch-phoebe/vars.yml
@@ -3,6 +3,7 @@ __vmhost_bridge_interface_zones__:
eno3:
- iot
- mgmt
+ - c3voc
eno4:
- magenta
diff --git a/inventory/host_vars/ch-gw-c3voc.yml b/inventory/host_vars/ch-gw-c3voc.yml
new file mode 100644
index 00000000..60d833bf
--- /dev/null
+++ b/inventory/host_vars/ch-gw-c3voc.yml
@@ -0,0 +1,182 @@
+---
+install:
+ vm:
+ memory: 64M
+ numcpus: 1
+ autostart: true
+ disks:
+ primary: /dev/sda
+ scsi:
+ sda:
+ type: image
+ path: "/srv/nvme/{{ inventory_hostname }}/root.img"
+ interfaces:
+ - bridge: br-c3voc
+ - bridge: br-svc
+
+
+openwrt_arch: x86
+openwrt_target: 64
+openwrt_profile: generic
+openwrt_output_image_suffixes:
+ - "{{ openwrt_profile }}-ext4-combined.img.gz"
+
+openwrt_packages_remove:
+ - ppp
+ - ppp-mod-pppoe
+ - dnsmasq
+ - firewall
+ - firewall4
+ - odhcpd
+ - odhcpd-ipv6only
+openwrt_packages_add:
+ - nftables
+ - kmod-nft-nat
+ - rng-tools
+ - htop
+ - ip
+ - less
+ - nano
+ - tcpdump-mini
+ - iperf
+ - iperf3
+ - mtr
+ - iptraf-ng
+
+openwrt_mixin:
+ /etc/dropbear/authorized_keys:
+ content: "{{ ssh_keys_root | join('\n') }}\n"
+
+ /etc/htoprc:
+ file: "{{ global_files_dir }}/common/htoprc"
+
+ /etc/rc.d/S21nftables:
+ link: "../init.d/nftables"
+
+ /etc/rc.d/K89nftables:
+ link: "../init.d/nftables"
+
+ /etc/init.d/nftables:
+ mode: "0755"
+ content: |
+ #!/bin/sh /etc/rc.common
+
+ START=21
+ STOP=89
+
+ start() {
+ nft -f /etc/nftables.conf
+ }
+
+ stop() {
+ nft flush ruleset
+ }
+
+ /etc/nftables.conf:
+ content: |
+ flush ruleset
+
+ define nic_svc = eth1
+
+ define nic_c3voc = eth0
+ define prefix_c3voc = {{ network_zones.c3voc.prefix }}
+
+ table inet global {
+ ## INPUT
+ chain input_svc {
+ ip protocol icmp accept
+ ip6 nexthdr ipv6-icmp accept
+ tcp dport { {{ ansible_port }} } accept
+ }
+
+ chain input_c3voc {
+ ip saddr != $prefix_c3voc drop
+ ip protocol icmp accept
+ ip6 nexthdr ipv6-icmp accept
+ udp dport { ntp } accept
+ }
+
+ chain input {
+ type filter hook input priority filter; policy drop;
+ ct state vmap { established: accept, related: accept, invalid: drop }
+ iifname vmap { lo: accept, $nic_svc: jump input_svc, $nic_c3voc: jump input_c3voc }
+ }
+
+
+ ## FORWARD
+ chain forward {
+ type filter hook forward priority filter; policy drop;
+ ct state vmap { established: accept, related: accept, invalid: drop }
+ iif $nic_svc oif $nic_c3voc ip daddr $prefix_c3voc accept
+ iif $nic_c3voc ip saddr $prefix_c3voc oifname $nic_svc accept
+ }
+ }
+
+
+openwrt_uci:
+ system:
+ - name: system
+ options:
+ hostname: '{{ host_name }}'
+ timezone: 'CET-1CEST,M3.5.0,M10.5.0/3'
+ ttylogin: '0'
+ log_size: '64'
+ urandom_seed: '0'
+
+ - name: timeserver 'ntp'
+ options:
+ enabled: '1'
+ enable_server: '1'
+ interface: 'c3voc'
+ server:
+ - '0.at.pool.ntp.org'
+ - '1.at.pool.ntp.org'
+ - '2.at.pool.ntp.org'
+ - '3.at.pool.ntp.org'
+
+ - name: rngd
+ options:
+ enabled: '1'
+ device: '/dev/hwrng'
+
+ dropbear:
+ - name: dropbear
+ options:
+ PasswordAuth: 'off'
+ RootPasswordAuth: 'off'
+ Port: '{{ ansible_port | default(22) }}'
+
+ network:
+ - name: globals 'globals'
+ options:
+ ula_prefix: "fc{{ '%02x:%04x:%04x' | format((255 | random(seed=inventory_hostname + '0')), (65535 | random(seed=inventory_hostname + '1')), (65535 | random(seed=inventory_hostname + '2'))) }}::/48"
+
+ - name: interface 'loopback'
+ options:
+ device: lo
+ proto: static
+ ipaddr: 127.0.0.1
+ netmask: 255.0.0.0
+
+ - name: interface 'c3voc'
+ options:
+ device: eth0
+ proto: static
+ ipaddr: "{{ network_zones.c3voc.prefix | ansible.utils.ipaddr(network_zones.c3voc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}"
+ netmask: "{{ network_zones.c3voc.prefix | ansible.utils.ipaddr('netmask') }}"
+
+ - name: interface 'svc'
+ options:
+ device: eth1
+ proto: static
+ ipaddr: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}"
+ netmask: "{{ network_zones.svc.prefix | ansible.utils.ipaddr('netmask') }}"
+ gateway: "{{ network_zones.svc.gateway }}"
+ dns: "{{ network_zones.svc.dns }}"
+
+ - name: route 'lan'
+ options:
+ interface: svc
+ target: "{{ network_zones.lan.prefix | ansible.utils.ipaddr('network') }}"
+ netmask: "{{ network_zones.lan.prefix | ansible.utils.ipaddr('netmask') }}"
+ gateway: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets['ch-gw-lan']) | ansible.utils.ipaddr('address') }}"
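Review bot: The forward rule `iif $nic_c3voc ip saddr $prefix_c3voc oifname $nic_svc accept` in the `chain forward` of the embedded nftables.conf places no restriction on the destination, so hosts in the c3voc zone can reach the svc segment directly and, through the `route 'lan'` entry at the end of the file, the lan zone as well. The ch-router side of this commit files the zone under `prefixes_natonly`, which suggests it is meant to get SNAT'd internet access only; if that reading is right, the egress rule should exclude the internal prefixes, e.g. `iif $nic_c3voc ip saddr $prefix_c3voc oifname $nic_svc ip daddr != { {{ network_zones.svc.prefix }}, {{ network_zones.lan.prefix }} } accept`. If reaching svc and lan from c3voc is intended, a comment above the rule saying so (e.g. `# c3voc may reach svc/lan; only the router limits it to magenta`) would stop the next reader from assuming the zone is isolated. Note that the matching ingress guard `ip saddr != $prefix_c3voc drop` in `input_c3voc` only matches IPv4, so the `ip6 nexthdr ipv6-icmp accept` line below it is not covered by that source check.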
diff --git a/inventory/host_vars/ch-gw-lan.yml b/inventory/host_vars/ch-gw-lan.yml
index ee6a6c38..769539b9 100644
--- a/inventory/host_vars/ch-gw-lan.yml
+++ b/inventory/host_vars/ch-gw-lan.yml
@@ -29,6 +29,9 @@ network:
name: svc0
address: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) }}"
gateway: "{{ network_zones.svc.gateway }}"
+ static_routes:
+ - destination: "{{ network_zones.c3voc.prefix }}"
+ gateway: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets['ch-gw-c3voc']) | ansible.utils.ipaddr('address') }}"
interfaces:
- *_network_primary_
- name: lan0
diff --git a/inventory/host_vars/ch-jump.yml b/inventory/host_vars/ch-jump.yml
index 25b18b2e..7e3ef986 100644
--- a/inventory/host_vars/ch-jump.yml
+++ b/inventory/host_vars/ch-jump.yml
@@ -31,6 +31,8 @@ network:
static_routes:
- destination: "{{ network_zones.lan.prefix }}"
gateway: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets['ch-gw-lan']) | ansible.utils.ipaddr('address') }}"
+ - destination: "{{ network_zones.c3voc.prefix }}"
+ gateway: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets['ch-gw-c3voc']) | ansible.utils.ipaddr('address') }}"
interfaces:
- *_network_primary_
- name: mgmt0
diff --git a/inventory/host_vars/ch-router.yml b/inventory/host_vars/ch-router.yml
index d4b6b8ea..a5bac5f3 100644
--- a/inventory/host_vars/ch-router.yml
+++ b/inventory/host_vars/ch-router.yml
@@ -165,6 +165,7 @@ openwrt_mixin:
define prefix_remote = 192.168.51.0/24
define prefix_svc = {{ network_zones.svc.prefix }}
define prefixes_internal = { {{ network_zones.svc.prefix }}, {{ network_zones.lan.prefix }} }
+ define prefixes_natonly = { {{ network_zones.c3voc.prefix }} }
define ip_prometheus_legacy = {{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }}
table inet global {
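Review bot: `define prefixes_natonly = { {{ network_zones.c3voc.prefix }} }` introduces a second prefix class whose only visible difference from `prefixes_internal` is that it is added to the magenta forward rule and the srcnat rule (the hunks ending at `iif $nic_internal ip saddr $prefixes_natonly oif $nic_magenta accept` and `ip saddr $prefixes_natonly oif $nic_magenta snat to $ip_magenta`) but not to the openvpn or remote forward rules. That intent is only recoverable by reading all three hunks together, and the obvious shortcut for the next editor is to append a new zone to `prefixes_internal` and get VPN reachability by accident. A comment on the define would pin it down, e.g. `# natonly: SNAT'd internet access via magenta only; deliberately absent from the openvpn/remote forward rules`. The enclosing nftables.conf block scalar starts and continues outside the hunk.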
@@ -212,6 +213,7 @@ openwrt_mixin:
type filter hook forward priority filter; policy drop;
ct state vmap { established: accept, related: accept, invalid: drop }
iif $nic_internal ip saddr $prefixes_internal oif $nic_magenta accept
+ iif $nic_internal ip saddr $prefixes_natonly oif $nic_magenta accept
iif $nic_internal ip saddr $prefixes_internal oifname $nic_openvpn ip daddr $prefix_openvpn accept
iifname $nic_openvpn ip saddr $prefix_openvpn oif $nic_internal ip daddr $prefixes_internal accept
iif $nic_internal ip saddr { $prefix_svc, $ip_prometheus_legacy } oifname $nic_remote ip daddr $prefix_remote accept
@@ -231,6 +233,7 @@ openwrt_mixin:
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
ip saddr $prefixes_internal oif $nic_magenta snat to $ip_magenta
+ ip saddr $prefixes_natonly oif $nic_magenta snat to $ip_magenta
}
}
@@ -354,6 +357,13 @@ openwrt_uci:
netmask: "{{ network_zones.lan.prefix | ansible.utils.ipaddr('netmask') }}"
gateway: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets['ch-gw-lan']) | ansible.utils.ipaddr('address') }}"
+ - name: route 'c3voc'
+ options:
+ interface: svc
+ target: "{{ network_zones.c3voc.prefix | ansible.utils.ipaddr('network') }}"
+ netmask: "{{ network_zones.c3voc.prefix | ansible.utils.ipaddr('netmask') }}"
+ gateway: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets['ch-gw-c3voc']) | ansible.utils.ipaddr('address') }}"
+
- name: interface 'remote'
options:
proto: wireguard
diff --git a/inventory/host_vars/ch-sw0.yml b/inventory/host_vars/ch-sw0.yml
index c914d3c4..f2f6d3df 100644
--- a/inventory/host_vars/ch-sw0.yml
+++ b/inventory/host_vars/ch-sw0.yml
@@ -52,6 +52,7 @@ switch_interfaces_yaml: |
allowed_vlans_tagged:
- {{ network_zones.iot.vlan }}
- {{ network_zones.mgmt.vlan }}
+ - {{ network_zones.c3voc.vlan }}
- spec: Gi1/0/23
vlan: {{ network_zones.svc.vlan }}
diff --git a/inventory/hosts.ini b/inventory/hosts.ini
index fa731e8f..f20c1a53 100644
--- a/inventory/hosts.ini
+++ b/inventory/hosts.ini
@@ -20,6 +20,7 @@ ch-router-obsd host_name=router
ch-gw-lan host_name=gw-lan
ch-jump host_name=jump ansible_port=2342 ansible_host=ch-jump
ch-nic host_name=nic
+ch-gw-c3voc host_name=gw-c3voc
ch-equinox-ws host_name=equinox-ws
ch-equinox-t450s host_name=equinox-t450s
ch-prometheus host_name=prometheus
@@ -308,6 +309,7 @@ ch-router
ch-alix1d
ch-testvm-openwrt
ch-installsmb
+ch-gw-c3voc
mz-ap
mz-router
glt-gw-r3
@@ -370,6 +372,7 @@ ch-router-obsd
ch-jump
ch-gw-lan
ch-nic
+ch-gw-c3voc
[vmhost-ch-phoebe]
ch-phoebe
[vmhost-ch-phoebe:children]