Diffstat (limited to 'inventory/host_vars')
-rw-r--r-- | inventory/host_vars/ele-calypso.yml | 2 | ||||
-rw-r--r-- | inventory/host_vars/ele-router-orpheum.yml (renamed from inventory/host_vars/ele-router-leslie.yml) | 12 | ||||
-rw-r--r-- | inventory/host_vars/ele-router.yml | 405 | ||||
-rw-r--r-- | inventory/host_vars/ele-thetys.yml | 8 |
4 files changed, 11 insertions, 416 deletions
diff --git a/inventory/host_vars/ele-calypso.yml b/inventory/host_vars/ele-calypso.yml
index 74f437e5..91bcc1cd 100644
--- a/inventory/host_vars/ele-calypso.yml
+++ b/inventory/host_vars/ele-calypso.yml
@@ -72,7 +72,7 @@ kubernetes_standalone_cni_variant: with-portmap
 player_inst_name: emc-feed
 player_ffmpeg_image_version: bullseye-decklink11.7-2022-07-08.29
-#player_input: [ '-f', 'live_flv', '-rtmp_live', 'live', '-i', "rtmp://{{ network_zones.cc_leslie.prefix | ansible.utils.ipaddr(network_zones.cc_leslie.offsets['ele-thetys']) | ansible.utils.ipaddr('address') }}/emc-feed/full" ]
+#player_input: [ '-f', 'live_flv', '-rtmp_live', 'live', '-i', "rtmp://{{ network_zones.cc_orpheum.prefix | ansible.utils.ipaddr(network_zones.cc_orpheum.offsets['ele-thetys']) | ansible.utils.ipaddr('address') }}/emc-feed/full" ]
 player_input: [ '-stream_loop', '-1', '-i', '/srv/videos/Big Buck Bunny 1080p 60fps.mp4' ]
 player_output: [ '-ac', '2', '-pix_fmt', 'uyvy422', '-s', '1920x1080' ,'-r', '50','-f', 'decklink', 'DeckLink Mini Monitor 4K' ]
 player_volume_mounts:
diff --git a/inventory/host_vars/ele-router-leslie.yml b/inventory/host_vars/ele-router-orpheum.yml
index 1aa9a2b2..249f5d52 100644
--- a/inventory/host_vars/ele-router-leslie.yml
+++ b/inventory/host_vars/ele-router-orpheum.yml
@@ -13,10 +13,10 @@ openwrt_network_external: options: device: 'eth1' proto: static - ipaddr: "{{ network_zones.cc_leslie.prefix | ansible.utils.ipaddr(network_zones.cc_leslie.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}" - netmask: "{{ network_zones.cc_leslie.prefix | ansible.utils.ipaddr('netmask') }}" - gateway: "{{ network_zones.cc_leslie.gateway }}" - dns: "{{ network_zones.cc_leslie.dns }}" + ipaddr: "{{ network_zones.cc_orpheum.prefix | ansible.utils.ipaddr(network_zones.cc_orpheum.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}" + netmask: "{{ network_zones.cc_orpheum.prefix | ansible.utils.ipaddr('netmask') }}" + gateway: "{{ network_zones.cc_orpheum.gateway }}" + dns: "{{ network_zones.cc_orpheum.dns }}" accept_ra: 0 openwrt_network_internal: "{{ openwrt_network_internal_yaml | from_yaml }}" @@ -97,7 +97,7 @@ openwrt_dhcp_base: leasefile: '/tmp/dhcp.leases' resolvfile: '/tmp/resolv.conf.auto' localservice: '1' - server: "{{ network_zones.cc_leslie.dns }}" + server: "{{ network_zones.cc_orpheum.dns }}" - name: odhcpd 'odhcpd' options: @@ -180,7 +180,7 @@ openwrt_mixin: flush ruleset define nic_citycom = eth1 - define ip_citycom = {{ network_zones.cc_leslie.prefix | ansible.utils.ipaddr(network_zones.cc_leslie.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }} + define ip_citycom = {{ network_zones.cc_orpheum.prefix | ansible.utils.ipaddr(network_zones.cc_orpheum.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }} define nic_mgmt = "eth0.{{ network_mgmt_zone.vlan }}" define prefix_mgmt = {{ network_mgmt_zone.prefix }} diff --git a/inventory/host_vars/ele-router.yml b/inventory/host_vars/ele-router.yml deleted file mode 100644 index bddb40e8..00000000 --- a/inventory/host_vars/ele-router.yml +++ /dev/null 
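Review bot: The first hunk's `ipaddr:` line and the third hunk's `define ip_citycom` line both index `network_zones.cc_orpheum.offsets[inventory_hostname]`, and since this host_vars file is renamed from ele-router-leslie to ele-router-orpheum the hostname that key resolves to presumably changes as well; the `offsets` map lives outside this diffstat (limited to inventory/host_vars), so it should be confirmed to carry the new hostname, otherwise both the external interface address and the nftables define fail to template. A comment above `ipaddr:` would make that coupling visible to the next person renaming a host: `# offset is keyed by inventory_hostname — network_zones.cc_orpheum.offsets must list this host`. In the third hunk the rendered address is interpolated unquoted into the ruleset, which is the correct form for an nft `define`; the `openwrt_mixin` block scalar it sits in begins and ends outside the hunk.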
@@ -1,405 +0,0 @@ ---- -ssh_users_root: - - equinox - - datacop - -network_mgmt_zone: "{{ network_zones.mgmt }}" - - -wireguard_keys: - gwhetzner: - pub: "fqaKDJbSj6V0H98d78d/lnFLolefgp6zDPH9bN4+zUY=" - priv: "{{ vault_wireguard_priv_keys.gwhetzner }}" - -wireguard_gateway_tunnels: - wg-emc: - priv_key: "{{ wireguard_keys.gwhetzner.priv }}" - addresses: - - 192.168.254.6/30 - default_gateway: - inner: 192.168.254.5 - peers: - - pub_key: "{{ hostvars['ele-gwhetzner'].wireguard_keys.emc.pub }}" - endpoint: - host: 178.63.180.138 # TODO: fix this variable "{{ hostvars['ele-gwhetzner'].external_ip }}" - port: 51821 - keepalive_interval: 15 - allowed_ips: - - 0.0.0.0/0 - -openwrt_network_external: - - name: interface 'wanmur' - options: - device: 'eth5' - proto: static - ipaddr: "{{ network_zones.murat_transfer.prefix | ansible.utils.ipaddr(network_zones.murat_transfer.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}" - netmask: "{{ network_zones.murat_transfer.prefix | ansible.utils.ipaddr('netmask') }}" - accept_ra: 0 - - - name: rule - options: - priority: 41050 - src: "{{ network_zones.murat_transfer.prefix | ansible.utils.ipaddr(network_zones.murat_transfer.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}/32" - lookup: 105 - - - name: rule - options: - priority: 41051 - mark: 105 - lookup: 105 - - - name: route 'murdefault' - options: - interface: 'wanmur' - table: 105 - target: '0.0.0.0/0' - gateway: "{{ network_zones.murat_transfer.prefix | ansible.utils.ipaddr(network_zones.murat_transfer.offsets['ele-mur']) | ansible.utils.ipaddr('address') }}" - - - - name: interface 'wanlte' - options: - device: 'eth4' - proto: static - ipaddr: "{{ network_zones.datacop_lte.prefix | ansible.utils.ipaddr(network_zones.datacop_lte.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}" - netmask: "{{ network_zones.datacop_lte.prefix | ansible.utils.ipaddr('netmask') }}" - accept_ra: 0 - - - name: rule - options: - priority: 41040 - 
src: "{{ network_zones.datacop_lte.prefix | ansible.utils.ipaddr(network_zones.datacop_lte.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}/32" - lookup: 104 - - - name: rule - options: - priority: 41041 - mark: 104 - lookup: 104 - - - name: route 'ltedefault' - options: - interface: 'wanlte' - table: 104 - target: '0.0.0.0/0' - gateway: "{{ network_zones.datacop_lte.gateway }}" - - - name: rule - options: - priority: 50000 - lookup: 105 - - -network_internal_zone_names__wanmur: - - lan - - guest - - mixer - - infoscreens -network_internal_zone_names__wanlte: [] -network_internal_zone_names__wgemc: - - emc - -network_internal_zone_names: "{{ network_internal_zone_names__wanmur + network_internal_zone_names__wanlte + network_internal_zone_names__wgemc }}" -openwrt_network_internal: "{{ openwrt_network_internal_yaml | from_yaml }}" -openwrt_network_internal_yaml: | - {% for zone_name in network_internal_zone_names %} - - name: "interface '{{ zone_name }}'" - options: - device: "eth0.{{ network_zones[zone_name].vlan }}" - proto: static - ipaddr: "{{ network_zones[zone_name].gateway }}" - netmask: "{{ network_zones[zone_name].prefix | ansible.utils.ipaddr('netmask') }}" - accept_ra: 0 - {% endfor %} - - -openwrt_network_base: - - name: globals 'globals' - options: - ula_prefix: "fc{{ '%02x:%04x:%04x' | format((255 | random(seed=inventory_hostname + '0')), (65535 | random(seed=inventory_hostname + '1')), (65535 | random(seed=inventory_hostname + '2'))) }}::/48" - - - name: interface 'loopback' - options: - device: lo - proto: static - ipaddr: 127.0.0.1 - netmask: 255.0.0.0 - - - name: interface 'mgmt' - options: - device: "eth0.{{ network_mgmt_zone.vlan }}" - proto: static - ipaddr: "{{ network_mgmt_zone.prefix | ansible.utils.ipaddr(network_mgmt_zone.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}" - netmask: "{{ network_mgmt_zone.prefix | ansible.utils.ipaddr('netmask') }}" - accept_ra: 0 - - - -openwrt_dhcp_external: - - name: dhcp 
'wanmur' - options: - interface: 'wanmur' - ignore: '1' - - - name: dhcp 'wanlte' - options: - interface: 'wanlte' - ignore: '1' - - -openwrt_dhcp_internal: "{{ openwrt_dhcp_internal_yaml | from_yaml }}" -openwrt_dhcp_internal_yaml: | - {% for zone_name in network_internal_zone_names %} - - name: "dhcp '{{ zone_name }}'" - options: - interface: "{{ zone_name }}" - {% if 'dhcp' in network_zones[zone_name] %} - start: {{ network_zones[zone_name].dhcp.start }} - limit: {{ network_zones[zone_name].dhcp.limit }} - leasetime: {{ network_zones[zone_name].dhcp.leasetime | default('12h') }} - dhcpv6: 'disabled' - ra: 'disabled' - {% else %} - ignore: '1' - {% endif %} - {% endfor %} - - -openwrt_dhcp_base: - - name: dnsmasq - options: - domainneeded: '1' - boguspriv: '0' - filterwin2k: '0' - localise_queries: '1' - rebind_protection: '0' - rebind_localhost: '1' - local: '/lan/' - domain: 'lan' - expandhosts: '1' - nonegcache: '0' - authoritative: '1' - readethers: '1' - leasefile: '/tmp/dhcp.leases' - resolvfile: '/tmp/resolv.conf.auto' - localservice: '1' - server: - - 1.1.1.1 - - - name: odhcpd 'odhcpd' - options: - maindhcp: '0' - leasefile: '/tmp/hosts/odhcpd' - leasetrigger: '/usr/sbin/odhcpd-update' - - - name: dhcp 'mgmt' - options: - interface: 'mgmt' - ignore: '1' - - -openwrt_arch: x86 -openwrt_target: 64 -openwrt_profile: generic -openwrt_output_image_suffixes: - - "{{ openwrt_profile }}-ext4-combined.img.gz" - -openwrt_packages_remove: - - ppp - - ppp-mod-pppoe - - firewall - - odhcpd-ipv6only -openwrt_packages_add: - - kmod-ipt-nat - - kmod-ipt-conntrack - - haveged - - htop - - ip - - less - - nano - - tcpdump-mini - - iperf - - iperf3 - - mtr - - iptraf-ng - - qos-scripts - - wireguard - - prometheus-node-exporter-lua - - prometheus-node-exporter-lua-nat_traffic - - prometheus-node-exporter-lua-netstat - - prometheus-node-exporter-lua-openwrt - - -openwrt_mixin: - /etc/dropbear/authorized_keys: - content: "{{ ssh_keys_root | join('\n') }}\n" - - /etc/htoprc: 
- file: "{{ global_files_dir }}/common/htoprc" - - /etc/wireguard/wg-emc.priv: - content: "{{ wireguard_gateway_tunnels['wg-emc'].priv_key }}\n" - mode: "0600" - - /etc/rc.d/S21network-wgemc: - link: "../init.d/network-wgemc" - - /etc/rc.d/K91network-wgemc: - link: "../init.d/network-wgemc" - - /etc/init.d/network-wgemc: - mode: "0755" - content: | - #!/bin/sh /etc/rc.common - - START=21 - STOP=91 - - start() { - ip link add dev wg-emc type wireguard - wg set wg-emc fwmark 105 private-key /etc/wireguard/wg-emc.priv - - {% for peer in wireguard_gateway_tunnels['wg-emc'].peers %} - wg set wg-emc peer {{ peer.pub_key }} endpoint {{ peer.endpoint.host }}:{{ peer.endpoint.port }} persistent-keepalive {{ peer.keepalive_interval }} allowed-ips {{ peer.allowed_ips | join(',') }} - {% endfor %} - - {% for addr in wireguard_gateway_tunnels['wg-emc'].addresses %} - ip addr add dev wg-emc {{ addr }} - {% endfor %} - ip link set up dev wg-emc - - ip route add default via {{ wireguard_gateway_tunnels['wg-emc'].default_gateway.inner }} table 200 proto static - } - - stop() { - ip link del dev wg-emc - } - - /etc/rc.d/S22network-fw: - link: "../init.d/network-fw" - - /etc/rc.d/K92network-fw: - link: "../init.d/network-fw" - - /etc/init.d/network-fw: - mode: "0755" - content: | - #!/bin/sh /etc/rc.common - - START=22 - STOP=91 - - start() { - ### management - MGMT_IF=$(uci get network.mgmt.device) - MGMT_IPADDR=$(uci get network.mgmt.ipaddr) - MGMT_NETMASK=$(uci get network.mgmt.netmask) - iptables -A INPUT -i lo -d 127.0.0.0/8 -j ACCEPT - iptables -A INPUT -i "$MGMT_IF" -d "$MGMT_IPADDR" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT - - - ### external zones - # mur - iptables -A INPUT -i "eth5" -p icmp -j ACCEPT - iptables -A INPUT -i "eth5" -p tcp --dport {{ ansible_port }} -j ACCEPT - iptables -A INPUT -i "eth5" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - - # LTE - iptables -A INPUT -i "eth4" -p icmp -j ACCEPT - iptables -A INPUT -i "eth4" -p tcp --dport {{ ansible_port 
}} -j ACCEPT - iptables -A INPUT -i "eth4" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - - # Wireguard EMC - iptables -A INPUT -i "wg-emc" -p icmp -j ACCEPT - iptables -A INPUT -i "wg-emc" -p tcp --dport {{ ansible_port }} -j ACCEPT - iptables -A INPUT -i "wg-emc" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -A FORWARD -o "wg-emc" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu - - - ### internal zones - {% for zone_name in network_internal_zone_names %} - # {{ zone_name }} - {% if 'dhcp' in network_zones[zone_name] %} - iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -p udp --dport 67 --sport 68 -j ACCEPT - {% endif %} - {% if 'dhcp' in network_zones[zone_name] or network_zones[zone_name].gateway in network_zones[zone_name].dns %} - iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -p udp --dport 53 -d "{{ network_zones[zone_name].gateway }}" -s "{{ network_zones[zone_name].prefix }}" -j ACCEPT - iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -p tcp --dport 53 -d "{{ network_zones[zone_name].gateway }}" -s "{{ network_zones[zone_name].prefix }}" -j ACCEPT - {% endif %} - iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -p icmp -d "{{ network_zones[zone_name].gateway }}" -s "{{ network_zones[zone_name].prefix }}" -j ACCEPT - iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - - {% if zone_name in network_internal_zone_names__wanmur %} - {% set ext_interface = "eth5" %} - {% set rt_table = "105" %} - {% elif zone_name in network_internal_zone_names__wanlte %} - {% set ext_interface = "eth4" %} - {% set rt_table = "104" %} - {% elif zone_name in network_internal_zone_names__wgemc %} - {% set ext_interface = "wg-emc" %} - {% set rt_table = "200" %} - {% endif %} - iptables -A FORWARD -i "eth0.{{ network_zones[zone_name].vlan }}" -o "{{ ext_interface }}" -s "{{ network_zones[zone_name].prefix }}" -j 
ACCEPT - iptables -A FORWARD -i "{{ ext_interface }}" -o "eth0.{{ network_zones[zone_name].vlan }}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -t nat -A POSTROUTING -o "{{ ext_interface }}" -s "{{ network_zones[zone_name].prefix }}" -j MASQUERADE - ip rule add pref {{ loop.index + 33000 }} iif "eth0.{{ network_zones[zone_name].vlan }}" lookup {{ rt_table }} - - {% endfor %} - - ### - iptables -P INPUT DROP - iptables -P FORWARD DROP - } - - stop() { - iptables -P INPUT ACCEPT - iptables -F INPUT - iptables -P FORWARD ACCEPT - iptables -F FORWARD - iptables -t nat -F POSTROUTING - {% for zone_name in network_internal_zone_names %} - ip rule del pref {{ loop.index + 33000 }} - {% endfor %} - } - - -openwrt_uci: - system: - - name: system - options: - hostname: '{{ host_name }}' - timezone: 'CET-1CEST,M3.5.0,M10.5.0/3' - ttylogin: '0' - log_size: '64' - urandom_seed: '0' - - - name: timeserver 'ntp' - options: - enabled: '1' - enable_server: '0' - server: - - '0.lede.pool.ntp.org' - - '1.lede.pool.ntp.org' - - '2.lede.pool.ntp.org' - - '3.lede.pool.ntp.org' - - dropbear: - - name: dropbear - options: - PasswordAuth: 'off' - RootPasswordAuth: 'off' - Port: '{{ ansible_port }}' - - prometheus-node-exporter-lua: - - name: prometheus-node-exporter-lua 'main' - options: - listen_interface: 'mgmt' - listen_ipv6: '0' - listen_port: '9100' - - dhcp: "{{ openwrt_dhcp_base + openwrt_dhcp_internal + openwrt_dhcp_external }}" - network: "{{ openwrt_network_base + openwrt_network_internal + openwrt_network_external }}" - - -prometheus_scrape_endpoint: "{{ network_mgmt_zone.prefix | ansible.utils.ipaddr(network_mgmt_zone.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:9100" -prometheus_exporters_default: - - openwrt diff --git a/inventory/host_vars/ele-thetys.yml b/inventory/host_vars/ele-thetys.yml index d8a00b4d..1fee8710 100644 --- a/inventory/host_vars/ele-thetys.yml +++ b/inventory/host_vars/ele-thetys.yml 
@@ -8,12 +8,12 @@ install: - "consoleblank=0" network: - nameservers: "{{ network_zones.cc_leslie.dns }}" + nameservers: "{{ network_zones.cc_orpheum.dns }}" domain: "{{ host_domain }}" primary: &_network_primary_ name: eno1 - address: "{{ network_zones.cc_leslie.prefix | ansible.utils.ipaddr(network_zones.cc_leslie.offsets[inventory_hostname]) }}" - gateway: "{{ network_zones.cc_leslie.gateway }}" + address: "{{ network_zones.cc_orpheum.prefix | ansible.utils.ipaddr(network_zones.cc_orpheum.offsets[inventory_hostname]) }}" + gateway: "{{ network_zones.cc_orpheum.gateway }}" interfaces: - *_network_primary_ @@ -54,7 +54,7 @@ prometheus_exporter_node_textfile_collector_scripts: prometheus_job_multitarget_blackbox__probe: ele-calypso: - instance: "ssh-{{ inventory_hostname }}" - target: "{{ network_zones.cc_leslie.prefix | ansible.utils.ipaddr(network_zones.cc_leslie.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:{{ ansible_port | default(22) }}" + target: "{{ network_zones.cc_orpheum.prefix | ansible.utils.ipaddr(network_zones.cc_orpheum.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:{{ ansible_port | default(22) }}" module: ssh_banner |
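Review bot: The renamed `address:` line in the first hunk is the only `cc_orpheum` reference in this commit that does not finish with `ansible.utils.ipaddr('address')`, so its value keeps the prefix length (CIDR form) while the blackbox `target:` in the second hunk and every router reference strip it. That looks deliberate for an installer network definition, but the asymmetry is easy to mistake for an omission; a comment above it would settle it: `# CIDR form on purpose (address plus prefix length) — TODO confirm the install network config expects it`. The second hunk's last context lines fall outside this page, so it is not reviewed here.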