From 7a5cc75c309b4028c19685e47fa3bc55c3345f50 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Tue, 14 Feb 2023 22:10:06 +0100
Subject: elevate: prepare routers for e23
---
_graveyard_/dan/host_vars/ele-router.yml | 10 +
_graveyard_/inventory/host_vars/ele-router.yml | 405 +++++++++++++++++++++++++
dan/host_vars/ele-router.yml | 10 -
inventory/group_vars/ele-ap/vars.yml | 15 +-
inventory/group_vars/elevate-festival/vars.yml | 69 +++-
inventory/host_vars/ele-calypso.yml | 2 +-
inventory/host_vars/ele-router-leslie.yml | 290 ------------------
inventory/host_vars/ele-router-orpheum.yml | 290 ++++++++++++++++++
inventory/host_vars/ele-router.yml | 405 -------------------------
inventory/host_vars/ele-thetys.yml | 8 +-
inventory/hosts.ini | 10 +-
11 files changed, 769 insertions(+), 745 deletions(-)
create mode 100644 _graveyard_/dan/host_vars/ele-router.yml
create mode 100644 _graveyard_/inventory/host_vars/ele-router.yml
delete mode 100644 dan/host_vars/ele-router.yml
delete mode 100644 inventory/host_vars/ele-router-leslie.yml
create mode 100644 inventory/host_vars/ele-router-orpheum.yml
delete mode 100644 inventory/host_vars/ele-router.yml
diff --git a/_graveyard_/dan/host_vars/ele-router.yml b/_graveyard_/dan/host_vars/ele-router.yml
new file mode 100644
index 00000000..2730423b
--- /dev/null
+++ b/_graveyard_/dan/host_vars/ele-router.yml
@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.2;AES256;dan
+39333736323632303766653165323636316234343764663335303762663366626362303131376536
+3938396235396230633731613838363931323339633235360a636130306165643239333531613939
+35353134393133366236383465653161646464366539366136303833656433393332633137333766
+3730353830613236360a653135653266616638656565323230306566646465666339366361663635
+35383031326436623030633566636163343764353435376633313937363265396534356562666330
+65303234306463383538333462363166323761333433613765366163366265333035383162663061
+39626436643839343561663166646539343135363163346338313964623038376463613762343338
+31316139313531303965326635663962303864386561333864356435383463623235663862346632
+3463
diff --git a/_graveyard_/inventory/host_vars/ele-router.yml b/_graveyard_/inventory/host_vars/ele-router.yml
new file mode 100644
index 00000000..bddb40e8
--- /dev/null
+++ b/_graveyard_/inventory/host_vars/ele-router.yml
@@ -0,0 +1,405 @@ +--- +ssh_users_root: + - equinox + - datacop + +network_mgmt_zone: "{{ network_zones.mgmt }}" + + +wireguard_keys: + gwhetzner: + pub: "fqaKDJbSj6V0H98d78d/lnFLolefgp6zDPH9bN4+zUY=" + priv: "{{ vault_wireguard_priv_keys.gwhetzner }}" + +wireguard_gateway_tunnels: + wg-emc: + priv_key: "{{ wireguard_keys.gwhetzner.priv }}" + addresses: + - 192.168.254.6/30 + default_gateway: + inner: 192.168.254.5 + peers: + - pub_key: "{{ hostvars['ele-gwhetzner'].wireguard_keys.emc.pub }}" + endpoint: + host: 178.63.180.138 # TODO: fix this variable "{{ hostvars['ele-gwhetzner'].external_ip }}" + port: 51821 + keepalive_interval: 15 + allowed_ips: + - 0.0.0.0/0 + +openwrt_network_external: + - name: interface 'wanmur' + options: + device: 'eth5' + proto: static + ipaddr: "{{ network_zones.murat_transfer.prefix | ansible.utils.ipaddr(network_zones.murat_transfer.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}" + netmask: "{{ network_zones.murat_transfer.prefix | ansible.utils.ipaddr('netmask') }}" + accept_ra: 0 + + - name: rule + options: + priority: 41050 + src: "{{ network_zones.murat_transfer.prefix | ansible.utils.ipaddr(network_zones.murat_transfer.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}/32" + lookup: 105 + + - name: rule + options: + priority: 41051 + mark: 105 + lookup: 105 + + - name: route 'murdefault' + options: + interface: 'wanmur' + table: 105 + target: '0.0.0.0/0' + gateway: "{{ network_zones.murat_transfer.prefix | ansible.utils.ipaddr(network_zones.murat_transfer.offsets['ele-mur']) | ansible.utils.ipaddr('address') }}" + + + - name: interface 'wanlte' + options: + device: 'eth4' + proto: static + ipaddr: "{{ network_zones.datacop_lte.prefix | ansible.utils.ipaddr(network_zones.datacop_lte.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}" + netmask: "{{ network_zones.datacop_lte.prefix | ansible.utils.ipaddr('netmask') }}" + accept_ra: 0 + + - name: rule + options: + priority: 41040 + 
src: "{{ network_zones.datacop_lte.prefix | ansible.utils.ipaddr(network_zones.datacop_lte.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}/32" + lookup: 104 + + - name: rule + options: + priority: 41041 + mark: 104 + lookup: 104 + + - name: route 'ltedefault' + options: + interface: 'wanlte' + table: 104 + target: '0.0.0.0/0' + gateway: "{{ network_zones.datacop_lte.gateway }}" + + - name: rule + options: + priority: 50000 + lookup: 105 + + +network_internal_zone_names__wanmur: + - lan + - guest + - mixer + - infoscreens +network_internal_zone_names__wanlte: [] +network_internal_zone_names__wgemc: + - emc + +network_internal_zone_names: "{{ network_internal_zone_names__wanmur + network_internal_zone_names__wanlte + network_internal_zone_names__wgemc }}" +openwrt_network_internal: "{{ openwrt_network_internal_yaml | from_yaml }}" +openwrt_network_internal_yaml: | + {% for zone_name in network_internal_zone_names %} + - name: "interface '{{ zone_name }}'" + options: + device: "eth0.{{ network_zones[zone_name].vlan }}" + proto: static + ipaddr: "{{ network_zones[zone_name].gateway }}" + netmask: "{{ network_zones[zone_name].prefix | ansible.utils.ipaddr('netmask') }}" + accept_ra: 0 + {% endfor %} + + +openwrt_network_base: + - name: globals 'globals' + options: + ula_prefix: "fc{{ '%02x:%04x:%04x' | format((255 | random(seed=inventory_hostname + '0')), (65535 | random(seed=inventory_hostname + '1')), (65535 | random(seed=inventory_hostname + '2'))) }}::/48" + + - name: interface 'loopback' + options: + device: lo + proto: static + ipaddr: 127.0.0.1 + netmask: 255.0.0.0 + + - name: interface 'mgmt' + options: + device: "eth0.{{ network_mgmt_zone.vlan }}" + proto: static + ipaddr: "{{ network_mgmt_zone.prefix | ansible.utils.ipaddr(network_mgmt_zone.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}" + netmask: "{{ network_mgmt_zone.prefix | ansible.utils.ipaddr('netmask') }}" + accept_ra: 0 + + + +openwrt_dhcp_external: + - name: dhcp 
'wanmur' + options: + interface: 'wanmur' + ignore: '1' + + - name: dhcp 'wanlte' + options: + interface: 'wanlte' + ignore: '1' + + +openwrt_dhcp_internal: "{{ openwrt_dhcp_internal_yaml | from_yaml }}" +openwrt_dhcp_internal_yaml: | + {% for zone_name in network_internal_zone_names %} + - name: "dhcp '{{ zone_name }}'" + options: + interface: "{{ zone_name }}" + {% if 'dhcp' in network_zones[zone_name] %} + start: {{ network_zones[zone_name].dhcp.start }} + limit: {{ network_zones[zone_name].dhcp.limit }} + leasetime: {{ network_zones[zone_name].dhcp.leasetime | default('12h') }} + dhcpv6: 'disabled' + ra: 'disabled' + {% else %} + ignore: '1' + {% endif %} + {% endfor %} + + +openwrt_dhcp_base: + - name: dnsmasq + options: + domainneeded: '1' + boguspriv: '0' + filterwin2k: '0' + localise_queries: '1' + rebind_protection: '0' + rebind_localhost: '1' + local: '/lan/' + domain: 'lan' + expandhosts: '1' + nonegcache: '0' + authoritative: '1' + readethers: '1' + leasefile: '/tmp/dhcp.leases' + resolvfile: '/tmp/resolv.conf.auto' + localservice: '1' + server: + - 1.1.1.1 + + - name: odhcpd 'odhcpd' + options: + maindhcp: '0' + leasefile: '/tmp/hosts/odhcpd' + leasetrigger: '/usr/sbin/odhcpd-update' + + - name: dhcp 'mgmt' + options: + interface: 'mgmt' + ignore: '1' + + +openwrt_arch: x86 +openwrt_target: 64 +openwrt_profile: generic +openwrt_output_image_suffixes: + - "{{ openwrt_profile }}-ext4-combined.img.gz" + +openwrt_packages_remove: + - ppp + - ppp-mod-pppoe + - firewall + - odhcpd-ipv6only +openwrt_packages_add: + - kmod-ipt-nat + - kmod-ipt-conntrack + - haveged + - htop + - ip + - less + - nano + - tcpdump-mini + - iperf + - iperf3 + - mtr + - iptraf-ng + - qos-scripts + - wireguard + - prometheus-node-exporter-lua + - prometheus-node-exporter-lua-nat_traffic + - prometheus-node-exporter-lua-netstat + - prometheus-node-exporter-lua-openwrt + + +openwrt_mixin: + /etc/dropbear/authorized_keys: + content: "{{ ssh_keys_root | join('\n') }}\n" + + /etc/htoprc: 
+ file: "{{ global_files_dir }}/common/htoprc" + + /etc/wireguard/wg-emc.priv: + content: "{{ wireguard_gateway_tunnels['wg-emc'].priv_key }}\n" + mode: "0600" + + /etc/rc.d/S21network-wgemc: + link: "../init.d/network-wgemc" + + /etc/rc.d/K91network-wgemc: + link: "../init.d/network-wgemc" + + /etc/init.d/network-wgemc: + mode: "0755" + content: | + #!/bin/sh /etc/rc.common + + START=21 + STOP=91 + + start() { + ip link add dev wg-emc type wireguard + wg set wg-emc fwmark 105 private-key /etc/wireguard/wg-emc.priv + + {% for peer in wireguard_gateway_tunnels['wg-emc'].peers %} + wg set wg-emc peer {{ peer.pub_key }} endpoint {{ peer.endpoint.host }}:{{ peer.endpoint.port }} persistent-keepalive {{ peer.keepalive_interval }} allowed-ips {{ peer.allowed_ips | join(',') }} + {% endfor %} + + {% for addr in wireguard_gateway_tunnels['wg-emc'].addresses %} + ip addr add dev wg-emc {{ addr }} + {% endfor %} + ip link set up dev wg-emc + + ip route add default via {{ wireguard_gateway_tunnels['wg-emc'].default_gateway.inner }} table 200 proto static + } + + stop() { + ip link del dev wg-emc + } + + /etc/rc.d/S22network-fw: + link: "../init.d/network-fw" + + /etc/rc.d/K92network-fw: + link: "../init.d/network-fw" + + /etc/init.d/network-fw: + mode: "0755" + content: | + #!/bin/sh /etc/rc.common + + START=22 + STOP=91 + + start() { + ### management + MGMT_IF=$(uci get network.mgmt.device) + MGMT_IPADDR=$(uci get network.mgmt.ipaddr) + MGMT_NETMASK=$(uci get network.mgmt.netmask) + iptables -A INPUT -i lo -d 127.0.0.0/8 -j ACCEPT + iptables -A INPUT -i "$MGMT_IF" -d "$MGMT_IPADDR" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT + + + ### external zones + # mur + iptables -A INPUT -i "eth5" -p icmp -j ACCEPT + iptables -A INPUT -i "eth5" -p tcp --dport {{ ansible_port }} -j ACCEPT + iptables -A INPUT -i "eth5" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + + # LTE + iptables -A INPUT -i "eth4" -p icmp -j ACCEPT + iptables -A INPUT -i "eth4" -p tcp --dport {{ ansible_port 
}} -j ACCEPT + iptables -A INPUT -i "eth4" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + + # Wireguard EMC + iptables -A INPUT -i "wg-emc" -p icmp -j ACCEPT + iptables -A INPUT -i "wg-emc" -p tcp --dport {{ ansible_port }} -j ACCEPT + iptables -A INPUT -i "wg-emc" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -A FORWARD -o "wg-emc" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu + + + ### internal zones + {% for zone_name in network_internal_zone_names %} + # {{ zone_name }} + {% if 'dhcp' in network_zones[zone_name] %} + iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -p udp --dport 67 --sport 68 -j ACCEPT + {% endif %} + {% if 'dhcp' in network_zones[zone_name] or network_zones[zone_name].gateway in network_zones[zone_name].dns %} + iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -p udp --dport 53 -d "{{ network_zones[zone_name].gateway }}" -s "{{ network_zones[zone_name].prefix }}" -j ACCEPT + iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -p tcp --dport 53 -d "{{ network_zones[zone_name].gateway }}" -s "{{ network_zones[zone_name].prefix }}" -j ACCEPT + {% endif %} + iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -p icmp -d "{{ network_zones[zone_name].gateway }}" -s "{{ network_zones[zone_name].prefix }}" -j ACCEPT + iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + + {% if zone_name in network_internal_zone_names__wanmur %} + {% set ext_interface = "eth5" %} + {% set rt_table = "105" %} + {% elif zone_name in network_internal_zone_names__wanlte %} + {% set ext_interface = "eth4" %} + {% set rt_table = "104" %} + {% elif zone_name in network_internal_zone_names__wgemc %} + {% set ext_interface = "wg-emc" %} + {% set rt_table = "200" %} + {% endif %} + iptables -A FORWARD -i "eth0.{{ network_zones[zone_name].vlan }}" -o "{{ ext_interface }}" -s "{{ network_zones[zone_name].prefix }}" -j 
ACCEPT + iptables -A FORWARD -i "{{ ext_interface }}" -o "eth0.{{ network_zones[zone_name].vlan }}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -t nat -A POSTROUTING -o "{{ ext_interface }}" -s "{{ network_zones[zone_name].prefix }}" -j MASQUERADE + ip rule add pref {{ loop.index + 33000 }} iif "eth0.{{ network_zones[zone_name].vlan }}" lookup {{ rt_table }} + + {% endfor %} + + ### + iptables -P INPUT DROP + iptables -P FORWARD DROP + } + + stop() { + iptables -P INPUT ACCEPT + iptables -F INPUT + iptables -P FORWARD ACCEPT + iptables -F FORWARD + iptables -t nat -F POSTROUTING + {% for zone_name in network_internal_zone_names %} + ip rule del pref {{ loop.index + 33000 }} + {% endfor %} + } + + +openwrt_uci: + system: + - name: system + options: + hostname: '{{ host_name }}' + timezone: 'CET-1CEST,M3.5.0,M10.5.0/3' + ttylogin: '0' + log_size: '64' + urandom_seed: '0' + + - name: timeserver 'ntp' + options: + enabled: '1' + enable_server: '0' + server: + - '0.lede.pool.ntp.org' + - '1.lede.pool.ntp.org' + - '2.lede.pool.ntp.org' + - '3.lede.pool.ntp.org' + + dropbear: + - name: dropbear + options: + PasswordAuth: 'off' + RootPasswordAuth: 'off' + Port: '{{ ansible_port }}' + + prometheus-node-exporter-lua: + - name: prometheus-node-exporter-lua 'main' + options: + listen_interface: 'mgmt' + listen_ipv6: '0' + listen_port: '9100' + + dhcp: "{{ openwrt_dhcp_base + openwrt_dhcp_internal + openwrt_dhcp_external }}" + network: "{{ openwrt_network_base + openwrt_network_internal + openwrt_network_external }}" + + +prometheus_scrape_endpoint: "{{ network_mgmt_zone.prefix | ansible.utils.ipaddr(network_mgmt_zone.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:9100" +prometheus_exporters_default: + - openwrt diff --git a/dan/host_vars/ele-router.yml b/dan/host_vars/ele-router.yml deleted file mode 100644 index 2730423b..00000000 --- a/dan/host_vars/ele-router.yml +++ /dev/null 
@@ -1,10 +0,0 @@ -$ANSIBLE_VAULT;1.2;AES256;dan -39333736323632303766653165323636316234343764663335303762663366626362303131376536 -3938396235396230633731613838363931323339633235360a636130306165643239333531613939 -35353134393133366236383465653161646464366539366136303833656433393332633137333766 -3730353830613236360a653135653266616638656565323230306566646465666339366361663635 -35383031326436623030633566636163343764353435376633313937363265396534356562666330 -65303234306463383538333462363166323761333433613765366163366265333035383162663061 -39626436643839343561663166646539343135363163346338313964623038376463613762343338 -31316139313531303965326635663962303864386561333864356435383463623235663862346632 -3463 diff --git a/inventory/group_vars/ele-ap/vars.yml b/inventory/group_vars/ele-ap/vars.yml index f7f31a37..dd9e9f6f 100644 --- a/inventory/group_vars/ele-ap/vars.yml +++ b/inventory/group_vars/ele-ap/vars.yml @@ -30,8 +30,8 @@ accesspoint_wifi_channels: ele-ap-hmtsaal1: 13 ele-ap-hmtsaal2: 9 ele-ap-hmtsaal3: 5 - ele-ap-leslie0: 3 - ele-ap-leslie1: 9 + ele-ap-orpheum0: 3 + ele-ap-orpheum1: 9 5g: # ele-ap-forum0: 40 # ele-ap-forum1: 48 @@ -51,8 +51,8 @@ accesspoint_wifi_channels: ele-ap-hmtsaal1: 48 ele-ap-hmtsaal2: 44 ele-ap-hmtsaal3: 40 - ele-ap-leslie0: 36 - ele-ap-leslie1: 48 + ele-ap-orpheum0: 36 + ele-ap-orpheum1: 48 accesspoint_wifi_txpower: 2g: @@ -74,8 +74,8 @@ accesspoint_wifi_txpower: ele-ap-hmtsaal1: 13 ele-ap-hmtsaal2: 9 ele-ap-hmtsaal3: 5 - ele-ap-leslie0: 3 - ele-ap-leslie1: 9 + ele-ap-orpheum0: 3 + ele-ap-orpheum1: 9 accesspoint_wifi_device_htmode: 2g: "HT20" 
@@ -97,9 +97,8 @@ accesspoint_client_steering: accesspoint_ntp_servers: -# - '{{ network_zones.mgmt.prefix | ansible.utils.ipaddr(network_zones.mgmt.offsets["ele-router"]) | ansible.utils.ipaddr("address") }}' - '{{ network_zones.mgmt.prefix | ansible.utils.ipaddr(network_zones.mgmt.offsets["ele-router-hmtsaal"]) | ansible.utils.ipaddr("address") }}' - - '{{ network_zones.mgmt.prefix | ansible.utils.ipaddr(network_zones.mgmt.offsets["ele-router-leslie"]) | ansible.utils.ipaddr("address") }}' + - '{{ network_zones.mgmt.prefix | ansible.utils.ipaddr(network_zones.mgmt.offsets["ele-router-orpheum"]) | ansible.utils.ipaddr("address") }}' prometheus_scrape_endpoint: "{{ network_mgmt_zone.prefix | ansible.utils.ipaddr(network_mgmt_zone.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:9100" diff --git a/inventory/group_vars/elevate-festival/vars.yml b/inventory/group_vars/elevate-festival/vars.yml index 99ffdbcd..95c95bb1 100644 --- a/inventory/group_vars/elevate-festival/vars.yml +++ b/inventory/group_vars/elevate-festival/vars.yml @@ -106,14 +106,15 @@ network_zones: # ele-ap-kunsthaus0: 130 ### Orpheum - # ele-sw-orpheum0: 40 + ele-sw-orpheum0: 40 # ele-br-orpheum0: 49 # --> ele-br-uhrturm1 - # ele-ap-orpheum0: 140 + ele-ap-orpheum0: 140 + ele-ap-orpheum1: 141 ### Lesliehof - ele-sw-leslie0: 40 - ele-ap-leslie0: 140 - ele-ap-leslie1: 141 + # ele-sw-leslie0: 40 + # ele-ap-leslie0: 140 + # ele-ap-leslie1: 141 ### Uhrturm/Rosengarten/Uhrturm-Kasematten # ele-sw-uhrturm0: 50 @@ -161,14 +162,14 @@ network_zones: ele-ups-hmtsaal0: 210 ele-ups-hmtsaal1: 211 ele-ups-hmtsaal2: 212 - ele-ups-leslie0: 213 + ele-ups-orpheum0: 213 ### Other ele-tub: 240 datacop: 249 ch-equinox-t450s: 250 ele-router-emc: 251 - ele-router-leslie: 252 + ele-router-orpheum: 252 ele-router-hmtsaal: 253 ele-router: 254 
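Review bot: `ele-router: 254` survives at the end of the mgmt offsets in the @@ -161 hunk even though this commit appears to retire the ele-router host (its host_vars file is moved to _graveyard_ and the commented NTP reference to it is dropped from ele-ap in the @@ -97 hunk), so the reservation is left without an owner. If the box is really gone, comment it out the same way the leslie entries were, `# ele-router: 254`; if it is deliberately kept as a spare, a short comment saying so would stop the next cleanup from reusing the offset. The hosts.ini change that would settle which case applies is not in view.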
@@ -260,32 +261,56 @@ network_zones: ssid: Dom key: "{{ vault_wifi_keys.dom_im_berg }}" - cc_leslie: - description: "citycom upstream @ Lesliehof (Fiber)" + cc_orpheum: + description: "citycom upstream @ Orpheum (Fiber)" vlan: 504 - prefix: 85.237.24.176/29 - gateway: 85.237.24.177 + # prefix: ?.?.?.?/29 + # gateway: ?.?.?.? + prefix: 192.168.28.0/24 + gateway: 192.168.28.254 dns: - - 217.29.144.65 - - 217.29.144.66 + - 1.1.1.1 + # - 217.29.144.65 + # - 217.29.144.66 offsets: ## citycom uses offset 1,2 and 3 - ele-router-leslie: 4 # 85.237.24.180 - ele-thetys: 5 # 85.237.24.181 + # ele-router-orpheum: 4 # ?.?.?.? + # ele-thetys: 5 # ?.?.?.? + ele-router-orpheum: 5 # 192.168.28.5 + ele-thetys: 6 # 192.168.28.6 + + # cc_leslie: + # description: "citycom upstream @ Lesliehof (Fiber)" + # vlan: 504 + # prefix: 85.237.24.176/29 + # gateway: 85.237.24.177 + # dns: + # - 217.29.144.65 + # - 217.29.144.66 + # offsets: + # ## citycom uses offset 1,2 and 3 + # ele-router-leslie: 4 # 85.237.24.180 + # ele-thetys: 5 # 85.237.24.181 cc_hmtsaal: description: "citycom upstream @ Heimatsaal (Fiber)" vlan: 508 - prefix: 109.73.146.224/29 - gateway: 109.73.146.225 + # prefix: 109.73.146.224/29 + # gateway: 109.73.146.225 + prefix: 192.168.28.0/24 + gateway: 192.168.28.254 dns: - - 217.29.144.65 - - 217.29.144.66 + - 1.1.1.1 + # - 217.29.144.65 + # - 217.29.144.66 offsets: ## citycom uses offset 1,2 and 3 - ele-router-hmtsaal: 4 # 109.73.146.228 - ele-router-emc: 5 # 109.73.146.229 - ele-telesto: 6 # 109.73.146.230 + # ele-router-hmtsaal: 4 # 109.73.146.228 + # ele-router-emc: 5 # 109.73.146.229 + # ele-telesto: 6 # 109.73.146.230 + ele-router-hmtsaal: 2 # 192.168.28.2 + ele-router-emc: 3 # 192.168.28.3 + ele-telesto: 4 # 192.168.28.4 funkfeuer: description: "funkfeuer access, subnet will be announced by olsr using HNA" diff --git a/inventory/host_vars/ele-calypso.yml b/inventory/host_vars/ele-calypso.yml index 74f437e5..91bcc1cd 100644 --- a/inventory/host_vars/ele-calypso.yml 
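Review bot: cc_orpheum and cc_hmtsaal now both declare `prefix: 192.168.28.0/24` and `gateway: 192.168.28.254` while their descriptions still read "citycom upstream ... (Fiber)" and the real Orpheum addresses exist only as the commented `# prefix: ?.?.?.?/29`; two upstream zones at different sites can only share one prefix if they are temporarily on the same segment, which the disjoint offsets 2–6 across both zones suggest. Because the ele-router-orpheum host_vars build the citycom interface address, gateway and dnsmasq upstream from exactly these keys, nothing in the data marks the values as interim, so a router taken to the fiber uplink with this config would simply come up unroutable. Suggest making the state explicit above `prefix:` in both zones, e.g. `# INTERIM: shared bring-up segment, replace with the citycom /29 once assigned; offsets kept disjoint with cc_hmtsaal/cc_orpheum`. The `vlan: 504` was carried over from cc_leslie unchanged; whether the Orpheum hand-off uses the same VLAN is not visible here and is worth confirming before the placeholders are replaced.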
+++ b/inventory/host_vars/ele-calypso.yml @@ -72,7 +72,7 @@ kubernetes_standalone_cni_variant: with-portmap player_inst_name: emc-feed player_ffmpeg_image_version: bullseye-decklink11.7-2022-07-08.29 -#player_input: [ '-f', 'live_flv', '-rtmp_live', 'live', '-i', "rtmp://{{ network_zones.cc_leslie.prefix | ansible.utils.ipaddr(network_zones.cc_leslie.offsets['ele-thetys']) | ansible.utils.ipaddr('address') }}/emc-feed/full" ] +#player_input: [ '-f', 'live_flv', '-rtmp_live', 'live', '-i', "rtmp://{{ network_zones.cc_orpheum.prefix | ansible.utils.ipaddr(network_zones.cc_orpheum.offsets['ele-thetys']) | ansible.utils.ipaddr('address') }}/emc-feed/full" ] player_input: [ '-stream_loop', '-1', '-i', '/srv/videos/Big Buck Bunny 1080p 60fps.mp4' ] player_output: [ '-ac', '2', '-pix_fmt', 'uyvy422', '-s', '1920x1080' ,'-r', '50','-f', 'decklink', 'DeckLink Mini Monitor 4K' ] player_volume_mounts: diff --git a/inventory/host_vars/ele-router-leslie.yml b/inventory/host_vars/ele-router-leslie.yml deleted file mode 100644 index 1aa9a2b2..00000000 --- a/inventory/host_vars/ele-router-leslie.yml +++ /dev/null 
@@ -1,290 +0,0 @@ ---- -network_mgmt_zone: "{{ network_zones.mgmt }}" - -network_internal_zone_names: - - lan - - guest - - infoscreens - - - -openwrt_network_external: - - name: interface 'citycom' - options: - device: 'eth1' - proto: static - ipaddr: "{{ network_zones.cc_leslie.prefix | ansible.utils.ipaddr(network_zones.cc_leslie.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}" - netmask: "{{ network_zones.cc_leslie.prefix | ansible.utils.ipaddr('netmask') }}" - gateway: "{{ network_zones.cc_leslie.gateway }}" - dns: "{{ network_zones.cc_leslie.dns }}" - accept_ra: 0 - -openwrt_network_internal: "{{ openwrt_network_internal_yaml | from_yaml }}" -openwrt_network_internal_yaml: | - {% for zone_name in network_internal_zone_names %} - - name: "interface '{{ zone_name }}'" - options: - device: "eth0.{{ network_zones[zone_name].vlan }}" - proto: static - ipaddr: "{{ network_zones[zone_name].gateway }}" - netmask: "{{ network_zones[zone_name].prefix | ansible.utils.ipaddr('netmask') }}" - accept_ra: 0 - {% endfor %} - - -openwrt_network_base: - - name: globals 'globals' - options: - ula_prefix: "fc{{ '%02x:%04x:%04x' | format((255 | random(seed=inventory_hostname + '0')), (65535 | random(seed=inventory_hostname + '1')), (65535 | random(seed=inventory_hostname + '2'))) }}::/48" - - - name: interface 'loopback' - options: - device: lo - proto: static - ipaddr: 127.0.0.1 - netmask: 255.0.0.0 - - - name: interface 'mgmt' - options: - device: "eth0.{{ network_mgmt_zone.vlan }}" - proto: static - ipaddr: "{{ network_mgmt_zone.prefix | ansible.utils.ipaddr(network_mgmt_zone.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}" - netmask: "{{ network_mgmt_zone.prefix | ansible.utils.ipaddr('netmask') }}" - accept_ra: 0 - - - -openwrt_dhcp_external: - - name: dhcp 'citycom' - options: - interface: 'citycom' - ignore: '1' - - -openwrt_dhcp_internal: "{{ openwrt_dhcp_internal_yaml | from_yaml }}" -openwrt_dhcp_internal_yaml: | - {% for zone_name in 
network_internal_zone_names %} - - name: "dhcp '{{ zone_name }}'" - options: - interface: "{{ zone_name }}" - {% if 'dhcp' in network_zones[zone_name] %} - start: {{ network_zones[zone_name].dhcp.start }} - limit: {{ network_zones[zone_name].dhcp.limit }} - leasetime: {{ network_zones[zone_name].dhcp.leasetime | default('12h') }} - dhcpv6: 'disabled' - ra: 'disabled' - {% else %} - ignore: '1' - {% endif %} - {% endfor %} - - -openwrt_dhcp_base: - - name: dnsmasq - options: - domainneeded: '1' - boguspriv: '0' - filterwin2k: '0' - localise_queries: '1' - rebind_protection: '0' - rebind_localhost: '1' - local: '/lan/' - domain: 'lan' - expandhosts: '1' - nonegcache: '0' - authoritative: '1' - readethers: '1' - leasefile: '/tmp/dhcp.leases' - resolvfile: '/tmp/resolv.conf.auto' - localservice: '1' - server: "{{ network_zones.cc_leslie.dns }}" - - - name: odhcpd 'odhcpd' - options: - maindhcp: '0' - leasefile: '/tmp/hosts/odhcpd' - leasetrigger: '/usr/sbin/odhcpd-update' - - - name: dhcp 'mgmt' - options: - interface: 'mgmt' - ignore: '1' - - -openwrt_arch: x86 -openwrt_target: geode -openwrt_profile: generic -openwrt_output_image_suffixes: - - "{{ openwrt_profile }}-ext4-combined.img.gz" - -openwrt_packages_remove: - - ppp - - ppp-mod-pppoe - - kmod-ppp - - kmod-pppoe - - kmod-pppox - - firewall - - firewall4 - - odhcpd-ipv6only -openwrt_packages_add: - - nftables - - kmod-nft-nat - - haveged - - htop - - ip - - less - - nano - - tcpdump-mini - - iperf - - iperf3 - - mtr - - iptraf-ng - - sqm-scripts - - prometheus-node-exporter-lua - - prometheus-node-exporter-lua-nat_traffic - - prometheus-node-exporter-lua-netstat - - prometheus-node-exporter-lua-openwrt - - -openwrt_mixin: - /etc/dropbear/authorized_keys: - content: "{{ ssh_keys_root | join('\n') }}\n" - - /etc/htoprc: - file: "{{ global_files_dir }}/common/htoprc" - - /etc/rc.d/S21nftables: - link: "../init.d/nftables" - - /etc/rc.d/K89nftables: - link: "../init.d/nftables" - - /etc/init.d/nftables: - mode: 
"0755" - content: | - #!/bin/sh /etc/rc.common - - START=21 - STOP=89 - - start() { - nft -f /etc/nftables.conf - } - - stop() { - nft flush ruleset - } - - /etc/nftables.conf: - content: | - flush ruleset - - define nic_citycom = eth1 - define ip_citycom = {{ network_zones.cc_leslie.prefix | ansible.utils.ipaddr(network_zones.cc_leslie.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }} - - define nic_mgmt = "eth0.{{ network_mgmt_zone.vlan }}" - define prefix_mgmt = {{ network_mgmt_zone.prefix }} - {% for zone_name in network_internal_zone_names %} - - define nic_{{ zone_name }} = eth0.{{ network_zones[zone_name].vlan }} - define prefix_{{ zone_name }} = {{ network_zones[zone_name].prefix }} - {% endfor %} - - table inet global { - ## INPUT - chain input_external { - ip protocol icmp accept - ip6 nexthdr ipv6-icmp accept - tcp dport { {{ ansible_port }} } accept - } - - chain input_internal { - ip protocol icmp accept - ip6 nexthdr ipv6-icmp accept - tcp dport { {{ ansible_port }}, domain } accept - udp dport { bootps, domain, ntp } accept - } - - chain input { - type filter hook input priority filter; policy drop; - ct state vmap { established: accept, related: accept, invalid: drop } - iifname vmap { lo: accept, $nic_mgmt: accept{% for zone_name in network_internal_zone_names %}, $nic_{{ zone_name }}: jump input_internal {% endfor %}, $nic_citycom: jump input_external } - } - - - ## FORWARD - chain forward { - type filter hook forward priority filter; policy drop; - ct state vmap { established: accept, related: accept, invalid: drop } - iifname { {{ ['$nic_'] | product(network_internal_zone_names) | map('join') | join(', ') }} } oifname $nic_citycom accept - } - - chain postrouting { - type nat hook postrouting priority srcnat; policy accept; - ip saddr { {{ ['$prefix_'] | product(network_internal_zone_names) | map('join') | join(', ') }} } oifname $nic_citycom snat to $ip_citycom - } - } - - -openwrt_uci: - system: - - name: system - options: - 
hostname: '{{ host_name }}' - timezone: 'CET-1CEST,M3.5.0,M10.5.0/3' - ttylogin: '0' - log_size: '64' - urandom_seed: '0' - - - name: timeserver 'ntp' - options: - enabled: '1' - enable_server: '1' - server: - - '0.at.pool.ntp.org' - - '1.at.pool.ntp.org' - - '2.at.pool.ntp.org' - - '3.at.pool.ntp.org' - - dropbear: - - name: dropbear - options: - PasswordAuth: 'off' - RootPasswordAuth: 'off' - Port: '{{ ansible_port }}' - - uhttpd: - - name: uhttpd main - options: - enabled: '0' - - prometheus-node-exporter-lua: - - name: prometheus-node-exporter-lua 'main' - options: - listen_interface: 'mgmt' - listen_port: '9100' - - dhcp: "{{ openwrt_dhcp_base + openwrt_dhcp_internal + openwrt_dhcp_external }}" - network: "{{ openwrt_network_base + openwrt_network_internal + openwrt_network_external }}" - - sqm: - - name: queue 'citycom' - options: - enabled: '1' - interface: 'eth1' - download: '70000' - upload: '70000' - qdisc: 'cake' - script: 'piece_of_cake.qos' - qdisc_advanced: '0' - ingress_ecn: 'ECN' - egress_ecn: 'ECN' - qdisc_really_really_advanced: '0' - itarget: 'auto' - etarget: 'auto' - linklayer: 'ethernet' - overhead: '44 mpu 84' - -prometheus_scrape_endpoint: "{{ network_mgmt_zone.prefix | ansible.utils.ipaddr(network_mgmt_zone.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:9100" -prometheus_exporters_default: - - openwrt diff --git a/inventory/host_vars/ele-router-orpheum.yml b/inventory/host_vars/ele-router-orpheum.yml new file mode 100644 index 00000000..249f5d52 --- /dev/null +++ b/inventory/host_vars/ele-router-orpheum.yml 
@@ -0,0 +1,290 @@ +--- +network_mgmt_zone: "{{ network_zones.mgmt }}" + +network_internal_zone_names: + - lan + - guest + - infoscreens + + + +openwrt_network_external: + - name: interface 'citycom' + options: + device: 'eth1' + proto: static + ipaddr: "{{ network_zones.cc_orpheum.prefix | ansible.utils.ipaddr(network_zones.cc_orpheum.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}" + netmask: "{{ network_zones.cc_orpheum.prefix | ansible.utils.ipaddr('netmask') }}" + gateway: "{{ network_zones.cc_orpheum.gateway }}" + dns: "{{ network_zones.cc_orpheum.dns }}" + accept_ra: 0 + +openwrt_network_internal: "{{ openwrt_network_internal_yaml | from_yaml }}" +openwrt_network_internal_yaml: | + {% for zone_name in network_internal_zone_names %} + - name: "interface '{{ zone_name }}'" + options: + device: "eth0.{{ network_zones[zone_name].vlan }}" + proto: static + ipaddr: "{{ network_zones[zone_name].gateway }}" + netmask: "{{ network_zones[zone_name].prefix | ansible.utils.ipaddr('netmask') }}" + accept_ra: 0 + {% endfor %} + + +openwrt_network_base: + - name: globals 'globals' + options: + ula_prefix: "fc{{ '%02x:%04x:%04x' | format((255 | random(seed=inventory_hostname + '0')), (65535 | random(seed=inventory_hostname + '1')), (65535 | random(seed=inventory_hostname + '2'))) }}::/48" + + - name: interface 'loopback' + options: + device: lo + proto: static + ipaddr: 127.0.0.1 + netmask: 255.0.0.0 + + - name: interface 'mgmt' + options: + device: "eth0.{{ network_mgmt_zone.vlan }}" + proto: static + ipaddr: "{{ network_mgmt_zone.prefix | ansible.utils.ipaddr(network_mgmt_zone.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}" + netmask: "{{ network_mgmt_zone.prefix | ansible.utils.ipaddr('netmask') }}" + accept_ra: 0 + + + +openwrt_dhcp_external: + - name: dhcp 'citycom' + options: + interface: 'citycom' + ignore: '1' + + +openwrt_dhcp_internal: "{{ openwrt_dhcp_internal_yaml | from_yaml }}" +openwrt_dhcp_internal_yaml: | + {% for 
zone_name in network_internal_zone_names %} + - name: "dhcp '{{ zone_name }}'" + options: + interface: "{{ zone_name }}" + {% if 'dhcp' in network_zones[zone_name] %} + start: {{ network_zones[zone_name].dhcp.start }} + limit: {{ network_zones[zone_name].dhcp.limit }} + leasetime: {{ network_zones[zone_name].dhcp.leasetime | default('12h') }} + dhcpv6: 'disabled' + ra: 'disabled' + {% else %} + ignore: '1' + {% endif %} + {% endfor %} + + +openwrt_dhcp_base: + - name: dnsmasq + options: + domainneeded: '1' + boguspriv: '0' + filterwin2k: '0' + localise_queries: '1' + rebind_protection: '0' + rebind_localhost: '1' + local: '/lan/' + domain: 'lan' + expandhosts: '1' + nonegcache: '0' + authoritative: '1' + readethers: '1' + leasefile: '/tmp/dhcp.leases' + resolvfile: '/tmp/resolv.conf.auto' + localservice: '1' + server: "{{ network_zones.cc_orpheum.dns }}" + + - name: odhcpd 'odhcpd' + options: + maindhcp: '0' + leasefile: '/tmp/hosts/odhcpd' + leasetrigger: '/usr/sbin/odhcpd-update' + + - name: dhcp 'mgmt' + options: + interface: 'mgmt' + ignore: '1' + + +openwrt_arch: x86 +openwrt_target: geode +openwrt_profile: generic +openwrt_output_image_suffixes: + - "{{ openwrt_profile }}-ext4-combined.img.gz" + +openwrt_packages_remove: + - ppp + - ppp-mod-pppoe + - kmod-ppp + - kmod-pppoe + - kmod-pppox + - firewall + - firewall4 + - odhcpd-ipv6only +openwrt_packages_add: + - nftables + - kmod-nft-nat + - haveged + - htop + - ip + - less + - nano + - tcpdump-mini + - iperf + - iperf3 + - mtr + - iptraf-ng + - sqm-scripts + - prometheus-node-exporter-lua + - prometheus-node-exporter-lua-nat_traffic + - prometheus-node-exporter-lua-netstat + - prometheus-node-exporter-lua-openwrt + + +openwrt_mixin: + /etc/dropbear/authorized_keys: + content: "{{ ssh_keys_root | join('\n') }}\n" + + /etc/htoprc: + file: "{{ global_files_dir }}/common/htoprc" + + /etc/rc.d/S21nftables: + link: "../init.d/nftables" + + /etc/rc.d/K89nftables: + link: "../init.d/nftables" + + 
/etc/init.d/nftables: + mode: "0755" + content: | + #!/bin/sh /etc/rc.common + + START=21 + STOP=89 + + start() { + nft -f /etc/nftables.conf + } + + stop() { + nft flush ruleset + } + + /etc/nftables.conf: + content: | + flush ruleset + + define nic_citycom = eth1 + define ip_citycom = {{ network_zones.cc_orpheum.prefix | ansible.utils.ipaddr(network_zones.cc_orpheum.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }} + + define nic_mgmt = "eth0.{{ network_mgmt_zone.vlan }}" + define prefix_mgmt = {{ network_mgmt_zone.prefix }} + {% for zone_name in network_internal_zone_names %} + + define nic_{{ zone_name }} = eth0.{{ network_zones[zone_name].vlan }} + define prefix_{{ zone_name }} = {{ network_zones[zone_name].prefix }} + {% endfor %} + + table inet global { + ## INPUT + chain input_external { + ip protocol icmp accept + ip6 nexthdr ipv6-icmp accept + tcp dport { {{ ansible_port }} } accept + } + + chain input_internal { + ip protocol icmp accept + ip6 nexthdr ipv6-icmp accept + tcp dport { {{ ansible_port }}, domain } accept + udp dport { bootps, domain, ntp } accept + } + + chain input { + type filter hook input priority filter; policy drop; + ct state vmap { established: accept, related: accept, invalid: drop } + iifname vmap { lo: accept, $nic_mgmt: accept{% for zone_name in network_internal_zone_names %}, $nic_{{ zone_name }}: jump input_internal {% endfor %}, $nic_citycom: jump input_external } + } + + + ## FORWARD + chain forward { + type filter hook forward priority filter; policy drop; + ct state vmap { established: accept, related: accept, invalid: drop } + iifname { {{ ['$nic_'] | product(network_internal_zone_names) | map('join') | join(', ') }} } oifname $nic_citycom accept + } + + chain postrouting { + type nat hook postrouting priority srcnat; policy accept; + ip saddr { {{ ['$prefix_'] | product(network_internal_zone_names) | map('join') | join(', ') }} } oifname $nic_citycom snat to $ip_citycom + } + } + + +openwrt_uci: + system: 
+ - name: system + options: + hostname: '{{ host_name }}' + timezone: 'CET-1CEST,M3.5.0,M10.5.0/3' + ttylogin: '0' + log_size: '64' + urandom_seed: '0' + + - name: timeserver 'ntp' + options: + enabled: '1' + enable_server: '1' + server: + - '0.at.pool.ntp.org' + - '1.at.pool.ntp.org' + - '2.at.pool.ntp.org' + - '3.at.pool.ntp.org' + + dropbear: + - name: dropbear + options: + PasswordAuth: 'off' + RootPasswordAuth: 'off' + Port: '{{ ansible_port }}' + + uhttpd: + - name: uhttpd main + options: + enabled: '0' + + prometheus-node-exporter-lua: + - name: prometheus-node-exporter-lua 'main' + options: + listen_interface: 'mgmt' + listen_port: '9100' + + dhcp: "{{ openwrt_dhcp_base + openwrt_dhcp_internal + openwrt_dhcp_external }}" + network: "{{ openwrt_network_base + openwrt_network_internal + openwrt_network_external }}" + + sqm: + - name: queue 'citycom' + options: + enabled: '1' + interface: 'eth1' + download: '70000' + upload: '70000' + qdisc: 'cake' + script: 'piece_of_cake.qos' + qdisc_advanced: '0' + ingress_ecn: 'ECN' + egress_ecn: 'ECN' + qdisc_really_really_advanced: '0' + itarget: 'auto' + etarget: 'auto' + linklayer: 'ethernet' + overhead: '44 mpu 84' + +prometheus_scrape_endpoint: "{{ network_mgmt_zone.prefix | ansible.utils.ipaddr(network_mgmt_zone.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:9100" +prometheus_exporters_default: + - openwrt diff --git a/inventory/host_vars/ele-router.yml b/inventory/host_vars/ele-router.yml deleted file mode 100644 index bddb40e8..00000000 --- a/inventory/host_vars/ele-router.yml +++ /dev/null 
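Review bot: `/etc/init.d/nftables` fails open: `firewall`/`firewall4` are removed from the image, so if `nft -f /etc/nftables.conf` rejects the generated file (a bad template expansion, a zone missing from `network_zones`) the router is left with no ruleset at all — accept policy on input and forward and no SNAT — meaning guest and infoscreens clients can reach lan and the router unfiltered, and `stop()` deliberately produces the same state. I would make `start()` install a minimal fallback when the load fails, keeping only `lo` and the mgmt device (`uci -q get network.mgmt.device`, the pattern the deleted `network-fw` script already used) reachable so the host stays recoverable, and return non-zero so the failure is visible to procd/the operator. Separately, `rebind_protection: '0'` in the dnsmasq stanza disables DNS-rebinding protection for the guest/infoscreens clients this resolver serves; if `cc_orpheum.dns` must return private addresses for specific names, `rebind_domain_ok` for those domains is the narrower setting. Whether boot ordering leaves a similar unfiltered window between network bring-up and S21 depends on the network init's START value, which is not visible here.
```yaml
  /etc/init.d/nftables:
    mode: "0755"
    content: |
      #!/bin/sh /etc/rc.common

      START=21
      STOP=89

      start() {
          nft -f /etc/nftables.conf && return 0
          # fail closed: only lo and the mgmt device stay reachable until a valid ruleset is loaded
          logger -t nftables -p daemon.err "loading /etc/nftables.conf failed, installing fallback ruleset"
          nft -f - <<EOF
      flush ruleset
      table inet global {
          chain input {
              type filter hook input priority filter; policy drop;
              ct state vmap { established: accept, related: accept, invalid: drop }
              iifname { lo, "$(uci -q get network.mgmt.device)" } accept
          }
          chain forward { type filter hook forward priority filter; policy drop; }
      }
      EOF
          return 1
      }

      # … unchanged: stop() …
```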
@@ -1,405 +0,0 @@ ---- -ssh_users_root: - - equinox - - datacop - -network_mgmt_zone: "{{ network_zones.mgmt }}" - - -wireguard_keys: - gwhetzner: - pub: "fqaKDJbSj6V0H98d78d/lnFLolefgp6zDPH9bN4+zUY=" - priv: "{{ vault_wireguard_priv_keys.gwhetzner }}" - -wireguard_gateway_tunnels: - wg-emc: - priv_key: "{{ wireguard_keys.gwhetzner.priv }}" - addresses: - - 192.168.254.6/30 - default_gateway: - inner: 192.168.254.5 - peers: - - pub_key: "{{ hostvars['ele-gwhetzner'].wireguard_keys.emc.pub }}" - endpoint: - host: 178.63.180.138 # TODO: fix this variable "{{ hostvars['ele-gwhetzner'].external_ip }}" - port: 51821 - keepalive_interval: 15 - allowed_ips: - - 0.0.0.0/0 - -openwrt_network_external: - - name: interface 'wanmur' - options: - device: 'eth5' - proto: static - ipaddr: "{{ network_zones.murat_transfer.prefix | ansible.utils.ipaddr(network_zones.murat_transfer.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}" - netmask: "{{ network_zones.murat_transfer.prefix | ansible.utils.ipaddr('netmask') }}" - accept_ra: 0 - - - name: rule - options: - priority: 41050 - src: "{{ network_zones.murat_transfer.prefix | ansible.utils.ipaddr(network_zones.murat_transfer.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}/32" - lookup: 105 - - - name: rule - options: - priority: 41051 - mark: 105 - lookup: 105 - - - name: route 'murdefault' - options: - interface: 'wanmur' - table: 105 - target: '0.0.0.0/0' - gateway: "{{ network_zones.murat_transfer.prefix | ansible.utils.ipaddr(network_zones.murat_transfer.offsets['ele-mur']) | ansible.utils.ipaddr('address') }}" - - - - name: interface 'wanlte' - options: - device: 'eth4' - proto: static - ipaddr: "{{ network_zones.datacop_lte.prefix | ansible.utils.ipaddr(network_zones.datacop_lte.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}" - netmask: "{{ network_zones.datacop_lte.prefix | ansible.utils.ipaddr('netmask') }}" - accept_ra: 0 - - - name: rule - options: - priority: 41040 - 
src: "{{ network_zones.datacop_lte.prefix | ansible.utils.ipaddr(network_zones.datacop_lte.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}/32" - lookup: 104 - - - name: rule - options: - priority: 41041 - mark: 104 - lookup: 104 - - - name: route 'ltedefault' - options: - interface: 'wanlte' - table: 104 - target: '0.0.0.0/0' - gateway: "{{ network_zones.datacop_lte.gateway }}" - - - name: rule - options: - priority: 50000 - lookup: 105 - - -network_internal_zone_names__wanmur: - - lan - - guest - - mixer - - infoscreens -network_internal_zone_names__wanlte: [] -network_internal_zone_names__wgemc: - - emc - -network_internal_zone_names: "{{ network_internal_zone_names__wanmur + network_internal_zone_names__wanlte + network_internal_zone_names__wgemc }}" -openwrt_network_internal: "{{ openwrt_network_internal_yaml | from_yaml }}" -openwrt_network_internal_yaml: | - {% for zone_name in network_internal_zone_names %} - - name: "interface '{{ zone_name }}'" - options: - device: "eth0.{{ network_zones[zone_name].vlan }}" - proto: static - ipaddr: "{{ network_zones[zone_name].gateway }}" - netmask: "{{ network_zones[zone_name].prefix | ansible.utils.ipaddr('netmask') }}" - accept_ra: 0 - {% endfor %} - - -openwrt_network_base: - - name: globals 'globals' - options: - ula_prefix: "fc{{ '%02x:%04x:%04x' | format((255 | random(seed=inventory_hostname + '0')), (65535 | random(seed=inventory_hostname + '1')), (65535 | random(seed=inventory_hostname + '2'))) }}::/48" - - - name: interface 'loopback' - options: - device: lo - proto: static - ipaddr: 127.0.0.1 - netmask: 255.0.0.0 - - - name: interface 'mgmt' - options: - device: "eth0.{{ network_mgmt_zone.vlan }}" - proto: static - ipaddr: "{{ network_mgmt_zone.prefix | ansible.utils.ipaddr(network_mgmt_zone.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}" - netmask: "{{ network_mgmt_zone.prefix | ansible.utils.ipaddr('netmask') }}" - accept_ra: 0 - - - -openwrt_dhcp_external: - - name: dhcp 
'wanmur' - options: - interface: 'wanmur' - ignore: '1' - - - name: dhcp 'wanlte' - options: - interface: 'wanlte' - ignore: '1' - - -openwrt_dhcp_internal: "{{ openwrt_dhcp_internal_yaml | from_yaml }}" -openwrt_dhcp_internal_yaml: | - {% for zone_name in network_internal_zone_names %} - - name: "dhcp '{{ zone_name }}'" - options: - interface: "{{ zone_name }}" - {% if 'dhcp' in network_zones[zone_name] %} - start: {{ network_zones[zone_name].dhcp.start }} - limit: {{ network_zones[zone_name].dhcp.limit }} - leasetime: {{ network_zones[zone_name].dhcp.leasetime | default('12h') }} - dhcpv6: 'disabled' - ra: 'disabled' - {% else %} - ignore: '1' - {% endif %} - {% endfor %} - - -openwrt_dhcp_base: - - name: dnsmasq - options: - domainneeded: '1' - boguspriv: '0' - filterwin2k: '0' - localise_queries: '1' - rebind_protection: '0' - rebind_localhost: '1' - local: '/lan/' - domain: 'lan' - expandhosts: '1' - nonegcache: '0' - authoritative: '1' - readethers: '1' - leasefile: '/tmp/dhcp.leases' - resolvfile: '/tmp/resolv.conf.auto' - localservice: '1' - server: - - 1.1.1.1 - - - name: odhcpd 'odhcpd' - options: - maindhcp: '0' - leasefile: '/tmp/hosts/odhcpd' - leasetrigger: '/usr/sbin/odhcpd-update' - - - name: dhcp 'mgmt' - options: - interface: 'mgmt' - ignore: '1' - - -openwrt_arch: x86 -openwrt_target: 64 -openwrt_profile: generic -openwrt_output_image_suffixes: - - "{{ openwrt_profile }}-ext4-combined.img.gz" - -openwrt_packages_remove: - - ppp - - ppp-mod-pppoe - - firewall - - odhcpd-ipv6only -openwrt_packages_add: - - kmod-ipt-nat - - kmod-ipt-conntrack - - haveged - - htop - - ip - - less - - nano - - tcpdump-mini - - iperf - - iperf3 - - mtr - - iptraf-ng - - qos-scripts - - wireguard - - prometheus-node-exporter-lua - - prometheus-node-exporter-lua-nat_traffic - - prometheus-node-exporter-lua-netstat - - prometheus-node-exporter-lua-openwrt - - -openwrt_mixin: - /etc/dropbear/authorized_keys: - content: "{{ ssh_keys_root | join('\n') }}\n" - - /etc/htoprc: 
- file: "{{ global_files_dir }}/common/htoprc" - - /etc/wireguard/wg-emc.priv: - content: "{{ wireguard_gateway_tunnels['wg-emc'].priv_key }}\n" - mode: "0600" - - /etc/rc.d/S21network-wgemc: - link: "../init.d/network-wgemc" - - /etc/rc.d/K91network-wgemc: - link: "../init.d/network-wgemc" - - /etc/init.d/network-wgemc: - mode: "0755" - content: | - #!/bin/sh /etc/rc.common - - START=21 - STOP=91 - - start() { - ip link add dev wg-emc type wireguard - wg set wg-emc fwmark 105 private-key /etc/wireguard/wg-emc.priv - - {% for peer in wireguard_gateway_tunnels['wg-emc'].peers %} - wg set wg-emc peer {{ peer.pub_key }} endpoint {{ peer.endpoint.host }}:{{ peer.endpoint.port }} persistent-keepalive {{ peer.keepalive_interval }} allowed-ips {{ peer.allowed_ips | join(',') }} - {% endfor %} - - {% for addr in wireguard_gateway_tunnels['wg-emc'].addresses %} - ip addr add dev wg-emc {{ addr }} - {% endfor %} - ip link set up dev wg-emc - - ip route add default via {{ wireguard_gateway_tunnels['wg-emc'].default_gateway.inner }} table 200 proto static - } - - stop() { - ip link del dev wg-emc - } - - /etc/rc.d/S22network-fw: - link: "../init.d/network-fw" - - /etc/rc.d/K92network-fw: - link: "../init.d/network-fw" - - /etc/init.d/network-fw: - mode: "0755" - content: | - #!/bin/sh /etc/rc.common - - START=22 - STOP=91 - - start() { - ### management - MGMT_IF=$(uci get network.mgmt.device) - MGMT_IPADDR=$(uci get network.mgmt.ipaddr) - MGMT_NETMASK=$(uci get network.mgmt.netmask) - iptables -A INPUT -i lo -d 127.0.0.0/8 -j ACCEPT - iptables -A INPUT -i "$MGMT_IF" -d "$MGMT_IPADDR" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT - - - ### external zones - # mur - iptables -A INPUT -i "eth5" -p icmp -j ACCEPT - iptables -A INPUT -i "eth5" -p tcp --dport {{ ansible_port }} -j ACCEPT - iptables -A INPUT -i "eth5" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - - # LTE - iptables -A INPUT -i "eth4" -p icmp -j ACCEPT - iptables -A INPUT -i "eth4" -p tcp --dport {{ ansible_port 
}} -j ACCEPT - iptables -A INPUT -i "eth4" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - - # Wireguard EMC - iptables -A INPUT -i "wg-emc" -p icmp -j ACCEPT - iptables -A INPUT -i "wg-emc" -p tcp --dport {{ ansible_port }} -j ACCEPT - iptables -A INPUT -i "wg-emc" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -A FORWARD -o "wg-emc" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu - - - ### internal zones - {% for zone_name in network_internal_zone_names %} - # {{ zone_name }} - {% if 'dhcp' in network_zones[zone_name] %} - iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -p udp --dport 67 --sport 68 -j ACCEPT - {% endif %} - {% if 'dhcp' in network_zones[zone_name] or network_zones[zone_name].gateway in network_zones[zone_name].dns %} - iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -p udp --dport 53 -d "{{ network_zones[zone_name].gateway }}" -s "{{ network_zones[zone_name].prefix }}" -j ACCEPT - iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -p tcp --dport 53 -d "{{ network_zones[zone_name].gateway }}" -s "{{ network_zones[zone_name].prefix }}" -j ACCEPT - {% endif %} - iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -p icmp -d "{{ network_zones[zone_name].gateway }}" -s "{{ network_zones[zone_name].prefix }}" -j ACCEPT - iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - - {% if zone_name in network_internal_zone_names__wanmur %} - {% set ext_interface = "eth5" %} - {% set rt_table = "105" %} - {% elif zone_name in network_internal_zone_names__wanlte %} - {% set ext_interface = "eth4" %} - {% set rt_table = "104" %} - {% elif zone_name in network_internal_zone_names__wgemc %} - {% set ext_interface = "wg-emc" %} - {% set rt_table = "200" %} - {% endif %} - iptables -A FORWARD -i "eth0.{{ network_zones[zone_name].vlan }}" -o "{{ ext_interface }}" -s "{{ network_zones[zone_name].prefix }}" -j 
ACCEPT - iptables -A FORWARD -i "{{ ext_interface }}" -o "eth0.{{ network_zones[zone_name].vlan }}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -t nat -A POSTROUTING -o "{{ ext_interface }}" -s "{{ network_zones[zone_name].prefix }}" -j MASQUERADE - ip rule add pref {{ loop.index + 33000 }} iif "eth0.{{ network_zones[zone_name].vlan }}" lookup {{ rt_table }} - - {% endfor %} - - ### - iptables -P INPUT DROP - iptables -P FORWARD DROP - } - - stop() { - iptables -P INPUT ACCEPT - iptables -F INPUT - iptables -P FORWARD ACCEPT - iptables -F FORWARD - iptables -t nat -F POSTROUTING - {% for zone_name in network_internal_zone_names %} - ip rule del pref {{ loop.index + 33000 }} - {% endfor %} - } - - -openwrt_uci: - system: - - name: system - options: - hostname: '{{ host_name }}' - timezone: 'CET-1CEST,M3.5.0,M10.5.0/3' - ttylogin: '0' - log_size: '64' - urandom_seed: '0' - - - name: timeserver 'ntp' - options: - enabled: '1' - enable_server: '0' - server: - - '0.lede.pool.ntp.org' - - '1.lede.pool.ntp.org' - - '2.lede.pool.ntp.org' - - '3.lede.pool.ntp.org' - - dropbear: - - name: dropbear - options: - PasswordAuth: 'off' - RootPasswordAuth: 'off' - Port: '{{ ansible_port }}' - - prometheus-node-exporter-lua: - - name: prometheus-node-exporter-lua 'main' - options: - listen_interface: 'mgmt' - listen_ipv6: '0' - listen_port: '9100' - - dhcp: "{{ openwrt_dhcp_base + openwrt_dhcp_internal + openwrt_dhcp_external }}" - network: "{{ openwrt_network_base + openwrt_network_internal + openwrt_network_external }}" - - -prometheus_scrape_endpoint: "{{ network_mgmt_zone.prefix | ansible.utils.ipaddr(network_mgmt_zone.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:9100" -prometheus_exporters_default: - - openwrt diff --git a/inventory/host_vars/ele-thetys.yml b/inventory/host_vars/ele-thetys.yml index d8a00b4d..1fee8710 100644 --- a/inventory/host_vars/ele-thetys.yml +++ b/inventory/host_vars/ele-thetys.yml 
@@ -8,12 +8,12 @@ install: - "consoleblank=0" network: - nameservers: "{{ network_zones.cc_leslie.dns }}" + nameservers: "{{ network_zones.cc_orpheum.dns }}" domain: "{{ host_domain }}" primary: &_network_primary_ name: eno1 - address: "{{ network_zones.cc_leslie.prefix | ansible.utils.ipaddr(network_zones.cc_leslie.offsets[inventory_hostname]) }}" - gateway: "{{ network_zones.cc_leslie.gateway }}" + address: "{{ network_zones.cc_orpheum.prefix | ansible.utils.ipaddr(network_zones.cc_orpheum.offsets[inventory_hostname]) }}" + gateway: "{{ network_zones.cc_orpheum.gateway }}" interfaces: - *_network_primary_ @@ -54,7 +54,7 @@ prometheus_exporter_node_textfile_collector_scripts: prometheus_job_multitarget_blackbox__probe: ele-calypso: - instance: "ssh-{{ inventory_hostname }}" - target: "{{ network_zones.cc_leslie.prefix | ansible.utils.ipaddr(network_zones.cc_leslie.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:{{ ansible_port | default(22) }}" + target: "{{ network_zones.cc_orpheum.prefix | ansible.utils.ipaddr(network_zones.cc_orpheum.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:{{ ansible_port | default(22) }}" module: ssh_banner diff --git a/inventory/hosts.ini b/inventory/hosts.ini index 515998aa..97b3ac21 100644 --- a/inventory/hosts.ini +++ b/inventory/hosts.ini @@ -192,7 +192,7 @@ env_group=dan ele-media host_name=media ele-router ele-router-hmtsaal -ele-router-leslie +ele-router-orpheum ele-router-emc ele-telesto host_name=telesto ele-thetys host_name=thetys @@ -228,7 +228,7 @@ ele-infobeamer # ele-ap-uhrturm0 # ele-ap-nextlib[0:6] ele-ap-hmtsaal[0:3] -ele-ap-leslie[0:1] +ele-ap-orpheum[0:1] [ele-ups] # ele-ups-forum[0:1] @@ -236,7 +236,7 @@ ele-ap-leslie[0:1] # ele-ups-parkhouse0 # ele-ups-nextlib[0:3] ele-ups-hmtsaal[0:2] -ele-ups-leslie0 +ele-ups-orpheum0 [ele-dolmetsch-raspi] ele-dol-raspi0 
@@ -289,7 +289,7 @@ glt-gw-r3 glt-gw-tug ele-router ele-router-hmtsaal -ele-router-leslie +ele-router-orpheum ele-router-emc ele-uhrturm ele-orpheum @@ -453,7 +453,7 @@ ele-telesto #ele-router-emc #ele-ap-hmtsaal[0:3] #ele-ups-hmtsaal[0:2] -#ele-router-leslie +#ele-router-orpheum #ele-thetys [promzone-elevate-festival:children] #ele-ap -- cgit v1.2.3