From 7a5cc75c309b4028c19685e47fa3bc55c3345f50 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Tue, 14 Feb 2023 22:10:06 +0100
Subject: elevate: prepare routers for e23

---
 _graveyard_/dan/host_vars/ele-router.yml | 10 +
 _graveyard_/inventory/host_vars/ele-router.yml | 405 +++++++++++++++++++++++++
 2 files changed, 415 insertions(+)
 create mode 100644 _graveyard_/dan/host_vars/ele-router.yml
 create mode 100644 _graveyard_/inventory/host_vars/ele-router.yml
(limited to '_graveyard_')

diff --git a/_graveyard_/dan/host_vars/ele-router.yml b/_graveyard_/dan/host_vars/ele-router.yml
new file mode 100644
index 00000000..2730423b
--- /dev/null
+++ b/_graveyard_/dan/host_vars/ele-router.yml
@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.2;AES256;dan
+39333736323632303766653165323636316234343764663335303762663366626362303131376536
+3938396235396230633731613838363931323339633235360a636130306165643239333531613939
+35353134393133366236383465653161646464366539366136303833656433393332633137333766
+3730353830613236360a653135653266616638656565323230306566646465666339366361663635
+35383031326436623030633566636163343764353435376633313937363265396534356562666330
+65303234306463383538333462363166323761333433613765366163366265333035383162663061
+39626436643839343561663166646539343135363163346338313964623038376463613762343338
+31316139313531303965326635663962303864386561333864356435383463623235663862346632
+3463
diff --git a/_graveyard_/inventory/host_vars/ele-router.yml b/_graveyard_/inventory/host_vars/ele-router.yml
new file mode 100644
index 00000000..bddb40e8
--- /dev/null
+++ b/_graveyard_/inventory/host_vars/ele-router.yml
@@ -0,0 +1,405 @@ +--- +ssh_users_root: + - equinox + - datacop + +network_mgmt_zone: "{{ network_zones.mgmt }}" + + +wireguard_keys: + gwhetzner: + pub: "fqaKDJbSj6V0H98d78d/lnFLolefgp6zDPH9bN4+zUY=" + priv: "{{ vault_wireguard_priv_keys.gwhetzner }}" + +wireguard_gateway_tunnels: + wg-emc: + priv_key: "{{ wireguard_keys.gwhetzner.priv }}" + addresses: + - 192.168.254.6/30 + default_gateway: + inner: 192.168.254.5 + peers: + - pub_key: "{{ hostvars['ele-gwhetzner'].wireguard_keys.emc.pub }}" + endpoint: + host: 178.63.180.138 # TODO: fix this variable "{{ hostvars['ele-gwhetzner'].external_ip }}" + port: 51821 + keepalive_interval: 15 + allowed_ips: + - 0.0.0.0/0 + +openwrt_network_external: + - name: interface 'wanmur' + options: + device: 'eth5' + proto: static + ipaddr: "{{ network_zones.murat_transfer.prefix | ansible.utils.ipaddr(network_zones.murat_transfer.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}" + netmask: "{{ network_zones.murat_transfer.prefix | ansible.utils.ipaddr('netmask') }}" + accept_ra: 0 + + - name: rule + options: + priority: 41050 + src: "{{ network_zones.murat_transfer.prefix | ansible.utils.ipaddr(network_zones.murat_transfer.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}/32" + lookup: 105 + + - name: rule + options: + priority: 41051 + mark: 105 + lookup: 105 + + - name: route 'murdefault' + options: + interface: 'wanmur' + table: 105 + target: '0.0.0.0/0' + gateway: "{{ network_zones.murat_transfer.prefix | ansible.utils.ipaddr(network_zones.murat_transfer.offsets['ele-mur']) | ansible.utils.ipaddr('address') }}" + + + - name: interface 'wanlte' + options: + device: 'eth4' + proto: static + ipaddr: "{{ network_zones.datacop_lte.prefix | ansible.utils.ipaddr(network_zones.datacop_lte.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}" + netmask: "{{ network_zones.datacop_lte.prefix | ansible.utils.ipaddr('netmask') }}" + accept_ra: 0 + + - name: rule + options: + priority: 41040 + 
src: "{{ network_zones.datacop_lte.prefix | ansible.utils.ipaddr(network_zones.datacop_lte.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}/32" + lookup: 104 + + - name: rule + options: + priority: 41041 + mark: 104 + lookup: 104 + + - name: route 'ltedefault' + options: + interface: 'wanlte' + table: 104 + target: '0.0.0.0/0' + gateway: "{{ network_zones.datacop_lte.gateway }}" + + - name: rule + options: + priority: 50000 + lookup: 105 + + +network_internal_zone_names__wanmur: + - lan + - guest + - mixer + - infoscreens +network_internal_zone_names__wanlte: [] +network_internal_zone_names__wgemc: + - emc + +network_internal_zone_names: "{{ network_internal_zone_names__wanmur + network_internal_zone_names__wanlte + network_internal_zone_names__wgemc }}" +openwrt_network_internal: "{{ openwrt_network_internal_yaml | from_yaml }}" +openwrt_network_internal_yaml: | + {% for zone_name in network_internal_zone_names %} + - name: "interface '{{ zone_name }}'" + options: + device: "eth0.{{ network_zones[zone_name].vlan }}" + proto: static + ipaddr: "{{ network_zones[zone_name].gateway }}" + netmask: "{{ network_zones[zone_name].prefix | ansible.utils.ipaddr('netmask') }}" + accept_ra: 0 + {% endfor %} + + +openwrt_network_base: + - name: globals 'globals' + options: + ula_prefix: "fc{{ '%02x:%04x:%04x' | format((255 | random(seed=inventory_hostname + '0')), (65535 | random(seed=inventory_hostname + '1')), (65535 | random(seed=inventory_hostname + '2'))) }}::/48" + + - name: interface 'loopback' + options: + device: lo + proto: static + ipaddr: 127.0.0.1 + netmask: 255.0.0.0 + + - name: interface 'mgmt' + options: + device: "eth0.{{ network_mgmt_zone.vlan }}" + proto: static + ipaddr: "{{ network_mgmt_zone.prefix | ansible.utils.ipaddr(network_mgmt_zone.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}" + netmask: "{{ network_mgmt_zone.prefix | ansible.utils.ipaddr('netmask') }}" + accept_ra: 0 + + + +openwrt_dhcp_external: + - name: dhcp 
'wanmur' + options: + interface: 'wanmur' + ignore: '1' + + - name: dhcp 'wanlte' + options: + interface: 'wanlte' + ignore: '1' + + +openwrt_dhcp_internal: "{{ openwrt_dhcp_internal_yaml | from_yaml }}" +openwrt_dhcp_internal_yaml: | + {% for zone_name in network_internal_zone_names %} + - name: "dhcp '{{ zone_name }}'" + options: + interface: "{{ zone_name }}" + {% if 'dhcp' in network_zones[zone_name] %} + start: {{ network_zones[zone_name].dhcp.start }} + limit: {{ network_zones[zone_name].dhcp.limit }} + leasetime: {{ network_zones[zone_name].dhcp.leasetime | default('12h') }} + dhcpv6: 'disabled' + ra: 'disabled' + {% else %} + ignore: '1' + {% endif %} + {% endfor %} + + +openwrt_dhcp_base: + - name: dnsmasq + options: + domainneeded: '1' + boguspriv: '0' + filterwin2k: '0' + localise_queries: '1' + rebind_protection: '0' + rebind_localhost: '1' + local: '/lan/' + domain: 'lan' + expandhosts: '1' + nonegcache: '0' + authoritative: '1' + readethers: '1' + leasefile: '/tmp/dhcp.leases' + resolvfile: '/tmp/resolv.conf.auto' + localservice: '1' + server: + - 1.1.1.1 + + - name: odhcpd 'odhcpd' + options: + maindhcp: '0' + leasefile: '/tmp/hosts/odhcpd' + leasetrigger: '/usr/sbin/odhcpd-update' + + - name: dhcp 'mgmt' + options: + interface: 'mgmt' + ignore: '1' + + +openwrt_arch: x86 +openwrt_target: 64 +openwrt_profile: generic +openwrt_output_image_suffixes: + - "{{ openwrt_profile }}-ext4-combined.img.gz" + +openwrt_packages_remove: + - ppp + - ppp-mod-pppoe + - firewall + - odhcpd-ipv6only +openwrt_packages_add: + - kmod-ipt-nat + - kmod-ipt-conntrack + - haveged + - htop + - ip + - less + - nano + - tcpdump-mini + - iperf + - iperf3 + - mtr + - iptraf-ng + - qos-scripts + - wireguard + - prometheus-node-exporter-lua + - prometheus-node-exporter-lua-nat_traffic + - prometheus-node-exporter-lua-netstat + - prometheus-node-exporter-lua-openwrt + + +openwrt_mixin: + /etc/dropbear/authorized_keys: + content: "{{ ssh_keys_root | join('\n') }}\n" + + /etc/htoprc: 
+ file: "{{ global_files_dir }}/common/htoprc" + + /etc/wireguard/wg-emc.priv: + content: "{{ wireguard_gateway_tunnels['wg-emc'].priv_key }}\n" + mode: "0600" + + /etc/rc.d/S21network-wgemc: + link: "../init.d/network-wgemc" + + /etc/rc.d/K91network-wgemc: + link: "../init.d/network-wgemc" + + /etc/init.d/network-wgemc: + mode: "0755" + content: | + #!/bin/sh /etc/rc.common + + START=21 + STOP=91 + + start() { + ip link add dev wg-emc type wireguard + wg set wg-emc fwmark 105 private-key /etc/wireguard/wg-emc.priv + + {% for peer in wireguard_gateway_tunnels['wg-emc'].peers %} + wg set wg-emc peer {{ peer.pub_key }} endpoint {{ peer.endpoint.host }}:{{ peer.endpoint.port }} persistent-keepalive {{ peer.keepalive_interval }} allowed-ips {{ peer.allowed_ips | join(',') }} + {% endfor %} + + {% for addr in wireguard_gateway_tunnels['wg-emc'].addresses %} + ip addr add dev wg-emc {{ addr }} + {% endfor %} + ip link set up dev wg-emc + + ip route add default via {{ wireguard_gateway_tunnels['wg-emc'].default_gateway.inner }} table 200 proto static + } + + stop() { + ip link del dev wg-emc + } + + /etc/rc.d/S22network-fw: + link: "../init.d/network-fw" + + /etc/rc.d/K92network-fw: + link: "../init.d/network-fw" + + /etc/init.d/network-fw: + mode: "0755" + content: | + #!/bin/sh /etc/rc.common + + START=22 + STOP=91 + + start() { + ### management + MGMT_IF=$(uci get network.mgmt.device) + MGMT_IPADDR=$(uci get network.mgmt.ipaddr) + MGMT_NETMASK=$(uci get network.mgmt.netmask) + iptables -A INPUT -i lo -d 127.0.0.0/8 -j ACCEPT + iptables -A INPUT -i "$MGMT_IF" -d "$MGMT_IPADDR" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT + + + ### external zones + # mur + iptables -A INPUT -i "eth5" -p icmp -j ACCEPT + iptables -A INPUT -i "eth5" -p tcp --dport {{ ansible_port }} -j ACCEPT + iptables -A INPUT -i "eth5" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + + # LTE + iptables -A INPUT -i "eth4" -p icmp -j ACCEPT + iptables -A INPUT -i "eth4" -p tcp --dport {{ ansible_port 
}} -j ACCEPT + iptables -A INPUT -i "eth4" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + + # Wireguard EMC + iptables -A INPUT -i "wg-emc" -p icmp -j ACCEPT + iptables -A INPUT -i "wg-emc" -p tcp --dport {{ ansible_port }} -j ACCEPT + iptables -A INPUT -i "wg-emc" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -A FORWARD -o "wg-emc" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu + + + ### internal zones + {% for zone_name in network_internal_zone_names %} + # {{ zone_name }} + {% if 'dhcp' in network_zones[zone_name] %} + iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -p udp --dport 67 --sport 68 -j ACCEPT + {% endif %} + {% if 'dhcp' in network_zones[zone_name] or network_zones[zone_name].gateway in network_zones[zone_name].dns %} + iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -p udp --dport 53 -d "{{ network_zones[zone_name].gateway }}" -s "{{ network_zones[zone_name].prefix }}" -j ACCEPT + iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -p tcp --dport 53 -d "{{ network_zones[zone_name].gateway }}" -s "{{ network_zones[zone_name].prefix }}" -j ACCEPT + {% endif %} + iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -p icmp -d "{{ network_zones[zone_name].gateway }}" -s "{{ network_zones[zone_name].prefix }}" -j ACCEPT + iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + + {% if zone_name in network_internal_zone_names__wanmur %} + {% set ext_interface = "eth5" %} + {% set rt_table = "105" %} + {% elif zone_name in network_internal_zone_names__wanlte %} + {% set ext_interface = "eth4" %} + {% set rt_table = "104" %} + {% elif zone_name in network_internal_zone_names__wgemc %} + {% set ext_interface = "wg-emc" %} + {% set rt_table = "200" %} + {% endif %} + iptables -A FORWARD -i "eth0.{{ network_zones[zone_name].vlan }}" -o "{{ ext_interface }}" -s "{{ network_zones[zone_name].prefix }}" -j 
ACCEPT + iptables -A FORWARD -i "{{ ext_interface }}" -o "eth0.{{ network_zones[zone_name].vlan }}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -t nat -A POSTROUTING -o "{{ ext_interface }}" -s "{{ network_zones[zone_name].prefix }}" -j MASQUERADE + ip rule add pref {{ loop.index + 33000 }} iif "eth0.{{ network_zones[zone_name].vlan }}" lookup {{ rt_table }} + + {% endfor %} + + ### + iptables -P INPUT DROP + iptables -P FORWARD DROP + } + + stop() { + iptables -P INPUT ACCEPT + iptables -F INPUT + iptables -P FORWARD ACCEPT + iptables -F FORWARD + iptables -t nat -F POSTROUTING + {% for zone_name in network_internal_zone_names %} + ip rule del pref {{ loop.index + 33000 }} + {% endfor %} + } + + +openwrt_uci: + system: + - name: system + options: + hostname: '{{ host_name }}' + timezone: 'CET-1CEST,M3.5.0,M10.5.0/3' + ttylogin: '0' + log_size: '64' + urandom_seed: '0' + + - name: timeserver 'ntp' + options: + enabled: '1' + enable_server: '0' + server: + - '0.lede.pool.ntp.org' + - '1.lede.pool.ntp.org' + - '2.lede.pool.ntp.org' + - '3.lede.pool.ntp.org' + + dropbear: + - name: dropbear + options: + PasswordAuth: 'off' + RootPasswordAuth: 'off' + Port: '{{ ansible_port }}' + + prometheus-node-exporter-lua: + - name: prometheus-node-exporter-lua 'main' + options: + listen_interface: 'mgmt' + listen_ipv6: '0' + listen_port: '9100' + + dhcp: "{{ openwrt_dhcp_base + openwrt_dhcp_internal + openwrt_dhcp_external }}" + network: "{{ openwrt_network_base + openwrt_network_internal + openwrt_network_external }}" + + +prometheus_scrape_endpoint: "{{ network_mgmt_zone.prefix | ansible.utils.ipaddr(network_mgmt_zone.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:9100" +prometheus_exporters_default: + - openwrt -- cgit v1.2.3
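Review bot: The `/etc/init.d/network-fw` script that replaces the removed `firewall` package only programs iptables, so the `INPUT DROP`/`FORWARD DROP` policies never apply to IPv6 — `ula_prefix` is still set under `globals 'globals'`, and disabling `accept_ra`, `ra` and `dhcpv6` does not stop link-local or ULA addresses from appearing, so any service bound to a wildcard address stays reachable over v6 with the kernel's default ACCEPT policy. Unless IPv6 is disabled elsewhere (a sysctl or a hint in a group var, not visible in this hunk), mirror the policies and the loopback/ICMPv6/conntrack accepts with ip6tables in both `start()` and `stop()`; the `-m conntrack` match on v6 needs the IPv6 conntrack module, which `openwrt_packages_add` (only `kmod-ipt-nat`/`kmod-ipt-conntrack`) does not appear to pull in — confirm against the image. Two smaller points in the same hunk: dnsmasq is configured with `rebind_protection: '0'`, which deserves a comment stating why it is off (`# rebind protection off: internal names resolve to RFC1918 addresses — TODO confirm`), and SSH on `{{ ansible_port }}` is accepted unrestricted on both uplinks (`eth5` and `eth4`) — if remote management is only needed via the EMC tunnel or the mgmt zone, drop those two rules or add a `-s` source restriction.
```yaml
      start() {
          # … unchanged: IPv4 management, external-zone and internal-zone rules …
          ip6tables -P INPUT DROP
          ip6tables -P FORWARD DROP
          ip6tables -A INPUT -i lo -j ACCEPT
          ip6tables -A INPUT -p icmpv6 -j ACCEPT
          ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      }

      stop() {
          # … unchanged: IPv4 policy reset, flushes and ip rule deletion …
          ip6tables -P INPUT ACCEPT
          ip6tables -F INPUT
          ip6tables -P FORWARD ACCEPT
          ip6tables -F FORWARD
      }
```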