authorChristian Pointner <equinox@spreadspace.org>2017-11-21 22:28:39 +0100
committerChristian Pointner <equinox@spreadspace.org>2017-11-21 22:28:39 +0100
commit91cd5480b5a1ca1103d5e239af3d331477c41c2c (patch)
treeb495bf31e2d5da50b045838a1e8d0455db09ee65 /roles/vm-network
initial commit as copy from helsinki ansible repo
Diffstat (limited to 'roles/vm-network')
-rw-r--r--roles/vm-network/handlers/main.yaml3
-rw-r--r--roles/vm-network/tasks/lan.yaml6
-rw-r--r--roles/vm-network/tasks/main.yaml9
-rw-r--r--roles/vm-network/tasks/public.yaml33
-rw-r--r--roles/vm-network/tasks/systemd-link.yaml15
-rw-r--r--roles/vm-network/templates/firewall.sh_public.j249
-rw-r--r--roles/vm-network/templates/interfaces_lan.j217
-rw-r--r--roles/vm-network/templates/interfaces_public.j263
-rw-r--r--roles/vm-network/templates/systemd.link.j25
9 files changed, 200 insertions, 0 deletions
diff --git a/roles/vm-network/handlers/main.yaml b/roles/vm-network/handlers/main.yaml
new file mode 100644
index 00000000..f967fa86
--- /dev/null
+++ b/roles/vm-network/handlers/main.yaml
@@ -0,0 +1,3 @@
+---
+- name: rebuild initramfs
+ command: update-initramfs -u
diff --git a/roles/vm-network/tasks/lan.yaml b/roles/vm-network/tasks/lan.yaml
new file mode 100644
index 00000000..ec436e9b
--- /dev/null
+++ b/roles/vm-network/tasks/lan.yaml
@@ -0,0 +1,6 @@
+---
+- name: install interface config (LAN only)
+ template:
+ src: interfaces_lan.j2
+ dest: /etc/network/interfaces
+ mode: 0644
diff --git a/roles/vm-network/tasks/main.yaml b/roles/vm-network/tasks/main.yaml
new file mode 100644
index 00000000..d41f6eb2
--- /dev/null
+++ b/roles/vm-network/tasks/main.yaml
@@ -0,0 +1,9 @@
+---
+- include: systemd-link.yaml
+ when: srv_network.systemd_link is defined
+
+- include: public.yaml
+ when: srv_network.public is defined
+
+- include: lan.yaml
+ when: srv_network.public is not defined
diff --git a/roles/vm-network/tasks/public.yaml b/roles/vm-network/tasks/public.yaml
new file mode 100644
index 00000000..85a057d8
--- /dev/null
+++ b/roles/vm-network/tasks/public.yaml
@@ -0,0 +1,33 @@
+---
+- name: set routing table names
+ with_items:
+ - { 'regexp': '^89\s', 'line': '89 mur-default' }
+ - { 'regexp': '^212\s', 'line': '212 upc-default' }
+ lineinfile:
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ dest: /etc/iproute2/rt_tables
+
+- name: calculate address lists
+ set_fact:
+ srv_network_public_firewall_ipv4:
+ - "{{ srv_network.public.ip_mur }}"
+ - "{{ srv_network.public.ip_upc }}"
+ srv_network_public_firewall_ipv6:
+ - "{{ srv_network.public.ip_mur6 }}"
+
+- name: install firewall scripts
+ with_items:
+ - 4
+ - 6
+ template:
+ src: firewall.sh_public.j2
+ dest: "/etc/network/firewall{{ item }}.sh"
+ mode: 0755
+ when: srv_network.public.firewall is defined
+
+- name: install interface config (Public)
+ template:
+ src: interfaces_public.j2
+ dest: /etc/network/interfaces
+ mode: 0644
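Review bot: The firewall scripts are installed only `when: srv_network.public.firewall is defined`, yet the interfaces template installed by the last task calls `/etc/network/firewall4.sh start $IFACE` and `/etc/network/firewall6.sh start $IFACE` unconditionally, so a host whose `public` block has no `firewall` key gets its public addresses configured and then fails in the `up` hook with an empty INPUT chain. Dropping the `when:` would install a default-deny script (the template already tolerates missing port lists via `default([])`), which is the safer behaviour for an interface the role itself labels public. If skipping the firewall is intended for some hosts, the `up`/`down` lines in the template should be wrapped in the same condition so ifup does not fail. The set_fact also dereferences `srv_network.public.ip_mur6` unconditionally, so a host without an IPv6 address will fail at that task; consider `| default(omit)` or a conditional list.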
diff --git a/roles/vm-network/tasks/systemd-link.yaml b/roles/vm-network/tasks/systemd-link.yaml
new file mode 100644
index 00000000..eb52474a
--- /dev/null
+++ b/roles/vm-network/tasks/systemd-link.yaml
@@ -0,0 +1,15 @@
+---
+- name: remove legacy systemd.link units
+ file:
+ name: "/etc/systemd/network/{{ item }}"
+ state: absent
+ with_items:
+ - 50-virtio-kernel-names.link
+ - 99-default.link
+
+- name: install systemd network link units
+ template:
+ src: systemd.link.j2
+ dest: "/etc/systemd/network/{{ '%02d' | format(item.idx + 10) }}-{{ item.name }}.link"
+ with_items: "{{ srv_network.systemd_link.interfaces }}"
+ notify: rebuild initramfs
diff --git a/roles/vm-network/templates/firewall.sh_public.j2 b/roles/vm-network/templates/firewall.sh_public.j2
new file mode 100644
index 00000000..df5b1373
--- /dev/null
+++ b/roles/vm-network/templates/firewall.sh_public.j2
@@ -0,0 +1,49 @@
+#!/bin/sh
+
+PUBLIC_IPS="{% if item == 4 %}{{ srv_network_public_firewall_ipv4 | join(' ') }}{% else %}{{ srv_network_public_firewall_ipv6 | join(' ') }}{% endif %}"
+PUBLIC_IF="$2"
+TCP_PORTS="{{ srv_network.public.firewall.tcp_ports | default([]) | join(' ') }}"
+UDP_PORTS="{{ srv_network.public.firewall.udp_ports | default([]) | join(' ') }}"
+
+#####
+IPTABLES="/sbin/ip{% if item == 6 %}6{% endif %}tables"
+ICMP="icmp{% if item == 6 %}v6{% endif %}"
+
+case "$1" in
+ start)
+ $IPTABLES -A INPUT -i $PUBLIC_IF -p $ICMP -j ACCEPT
+ $IPTABLES -A INPUT -i $PUBLIC_IF -m state --state related,established -j ACCEPT
+ for port in $TCP_PORTS; do
+ for ip in $PUBLIC_IPS; do
+ $IPTABLES -A INPUT -i $PUBLIC_IF -d $ip -p tcp --dport $port -j ACCEPT
+ done
+ done
+ for port in $UDP_PORTS; do
+ for ip in $PUBLIC_IPS; do
+ $IPTABLES -A INPUT -i $PUBLIC_IF -d $ip -p udp --dport $port -j ACCEPT
+ done
+ done
+ $IPTABLES -A INPUT -i $PUBLIC_IF -j DROP
+ ;;
+ stop)
+ $IPTABLES -D INPUT -i $PUBLIC_IF -j DROP
+ for port in $UDP_PORTS; do
+ for ip in $PUBLIC_IPS; do
+ $IPTABLES -D INPUT -i $PUBLIC_IF -d $ip -p udp --dport $port -j ACCEPT
+ done
+ done
+ for port in $TCP_PORTS; do
+ for ip in $PUBLIC_IPS; do
+ $IPTABLES -D INPUT -i $PUBLIC_IF -d $ip -p tcp --dport $port -j ACCEPT
+ done
+ done
+ $IPTABLES -D INPUT -i $PUBLIC_IF -m state --state related,established -j ACCEPT
+ $IPTABLES -D INPUT -i $PUBLIC_IF -p $ICMP -j ACCEPT
+ ;;
+ *)
+ echo "Usage: $0 (start|stop)"
+ exit 1
+ ;;
+esac
+
+exit 0
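Review bot: Failures in the `start)` branch are masked: the script has no `set -e` and always ends with `exit 0`, so if any iptables call fails (including the final `-j DROP`) ifup still reports success and the public interface is left unfiltered. Put `set -e` as the first statement of the `start)` case so a failed rule aborts the hook and surfaces in ifup's output; the `stop)` branch should stay best-effort, since deleting a rule that was never installed is expected to fail there. The `-m state` match is a legacy alias for `-m conntrack --ctstate`, which is the form current iptables documents; a small style point, since both still work. The script is also the same for both families via Jinja, so a comment at the top noting that `item` is 4 or 6 at render time would help the next reader.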
diff --git a/roles/vm-network/templates/interfaces_lan.j2 b/roles/vm-network/templates/interfaces_lan.j2
new file mode 100644
index 00000000..36ae2883
--- /dev/null
+++ b/roles/vm-network/templates/interfaces_lan.j2
@@ -0,0 +1,17 @@
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+source /etc/network/interfaces.d/*
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# The internal network interface
+auto {{ srv_network.internal.interface }}
+iface {{ srv_network.internal.interface }} inet static
+ address {{ srv_network.internal.ip }}
+ netmask 255.255.255.0
+ gateway 192.168.1.254
+ pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra
+ pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf
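Review bot: The `netmask 255.255.255.0` and `gateway 192.168.1.254` lines are hard-coded while `address` and the interface name come from `srv_network.internal`, so any host on a different internal subnet silently gets a wrong route. Pulling them from the same structure, e.g. `netmask {{ srv_network.internal.netmask | default('255.255.255.0') }}` and `gateway {{ srv_network.internal.gateway | default('192.168.1.254') }}`, keeps the current default while making the dependency explicit. The `pre-up` writes disabling `accept_ra` and `autoconf` are a sensible hardening for a statically configured interface and deserve a one-line comment saying so.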
diff --git a/roles/vm-network/templates/interfaces_public.j2 b/roles/vm-network/templates/interfaces_public.j2
new file mode 100644
index 00000000..2e8583ab
--- /dev/null
+++ b/roles/vm-network/templates/interfaces_public.j2
@@ -0,0 +1,63 @@
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+source /etc/network/interfaces.d/*
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# The internal network interface
+auto {{ srv_network.internal.interface }}
+iface {{ srv_network.internal.interface }} inet static
+ address {{ srv_network.internal.ip }}
+ netmask 255.255.255.0
+ pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra
+ pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf
+ up ip route add default via 192.168.1.254 table default
+ up ip rule add pref 42000 lookup default
+ up ip rule del pref 32767
+ down ip rule add pref 32767 lookup default
+ down ip rule del pref 42000
+ down ip route del default via 192.168.1.254 table default
+
+
+# The public network interface
+auto {{ srv_network.public.interface }}
+iface {{ srv_network.public.interface }} inet static
+ address {{ srv_network.public.ip }}
+ netmask 255.255.255.0
+ pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra
+ pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf
+ ## mur.at
+ up ip addr add dev $IFACE {{ srv_network.public.ip_mur }}/28
+ up ip route add default via 89.106.215.14 src {{ srv_network.public.ip_mur }} table mur-default
+ up ip rule add pref 33000 from {{ srv_network.public.ip_mur }} lookup mur-default
+ ## upc
+ up ip addr add dev $IFACE {{ srv_network.public.ip_upc }}/32
+ up ip route add default via 192.168.3.254 src {{ srv_network.public.ip_upc }} table upc-default
+ up ip rule add pref 35000 from {{ srv_network.public.ip_upc }} lookup upc-default
+ ### firewall
+ up /etc/network/firewall4.sh start $IFACE
+ ##########
+ down /etc/network/firewall4.sh stop $IFACE
+ ## upc
+ down ip rule del pref 35000
+ down ip route del default via 192.168.3.254 src {{ srv_network.public.ip_upc }} table upc-default
+ down ip addr del dev $IFACE {{ srv_network.public.ip_upc }}/32
+ ## mur.at
+ down ip rule del pref 33000
+ down ip route del default via 89.106.215.14 src {{ srv_network.public.ip_mur }} table mur-default
+ down ip addr del dev $IFACE {{ srv_network.public.ip_mur }}/28
+
+iface {{ srv_network.public.interface }} inet6 static
+ address {{ srv_network.public.ip_mur6 }}
+ netmask 64
+ pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra
+ pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf
+ up ip -6 route add default via 2a02:3e0:2003::e src {{ srv_network.public.ip_mur6 }} table mur-default
+ up ip -6 rule add pref 33000 from {{ srv_network.public.ip_mur6 }} lookup mur-default
+ up /etc/network/firewall6.sh start $IFACE
+ down /etc/network/firewall6.sh stop $IFACE
+ down ip -6 rule del pref 33000
+ down ip -6 route del default via 2a02:3e0:2003::e src {{ srv_network.public.ip_mur6 }} table mur-default
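Review bot: The firewall is started from `up` hooks, but ifupdown assigns the `address` line and runs the earlier `up ip addr add` commands before reaching `up /etc/network/firewall4.sh start $IFACE`, so the host answers on its public IPv4 addresses (and on the inet6 address) for a window with no INPUT filtering. iptables accepts `-i` for an interface name that does not exist yet, so the scripts can run earlier: change to `pre-up /etc/network/firewall4.sh start $IFACE` and `post-down /etc/network/firewall4.sh stop $IFACE`, and the same for the inet6 stanza's firewall6.sh lines. With that ordering the DROP rule is already in place when the first address appears. The provider gateways `89.106.215.14`, `192.168.3.254` and `2a02:3e0:2003::e` are hard-coded in the template; a short comment stating they are site constants (or moving them into `srv_network.public`) would make that deliberate rather than accidental.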
diff --git a/roles/vm-network/templates/systemd.link.j2 b/roles/vm-network/templates/systemd.link.j2
new file mode 100644
index 00000000..753fd586
--- /dev/null
+++ b/roles/vm-network/templates/systemd.link.j2
@@ -0,0 +1,5 @@
+[Match]
+Path=pci-0000:01:{{ "%02d" | format(item.idx) }}.0
+
+[Link]
+Name={{ item.name }}