From 7a5cc75c309b4028c19685e47fa3bc55c3345f50 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Tue, 14 Feb 2023 22:10:06 +0100
Subject: elevate: prepare routers for e23
---
 inventory/host_vars/ele-router.yml | 405 -------------------------------------
 1 file changed, 405 deletions(-)
 delete mode 100644 inventory/host_vars/ele-router.yml
(limited to 'inventory/host_vars/ele-router.yml')
diff --git a/inventory/host_vars/ele-router.yml b/inventory/host_vars/ele-router.yml
deleted file mode 100644
index bddb40e8..00000000
--- a/inventory/host_vars/ele-router.yml
+++ /dev/null
@@ -1,405 +0,0 @@ ---- -ssh_users_root: - - equinox - - datacop - -network_mgmt_zone: "{{ network_zones.mgmt }}" - - -wireguard_keys: - gwhetzner: - pub: "fqaKDJbSj6V0H98d78d/lnFLolefgp6zDPH9bN4+zUY=" - priv: "{{ vault_wireguard_priv_keys.gwhetzner }}" - -wireguard_gateway_tunnels: - wg-emc: - priv_key: "{{ wireguard_keys.gwhetzner.priv }}" - addresses: - - 192.168.254.6/30 - default_gateway: - inner: 192.168.254.5 - peers: - - pub_key: "{{ hostvars['ele-gwhetzner'].wireguard_keys.emc.pub }}" - endpoint: - host: 178.63.180.138 # TODO: fix this variable "{{ hostvars['ele-gwhetzner'].external_ip }}" - port: 51821 - keepalive_interval: 15 - allowed_ips: - - 0.0.0.0/0 - -openwrt_network_external: - - name: interface 'wanmur' - options: - device: 'eth5' - proto: static - ipaddr: "{{ network_zones.murat_transfer.prefix | ansible.utils.ipaddr(network_zones.murat_transfer.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}" - netmask: "{{ network_zones.murat_transfer.prefix | ansible.utils.ipaddr('netmask') }}" - accept_ra: 0 - - - name: rule - options: - priority: 41050 - src: "{{ network_zones.murat_transfer.prefix | ansible.utils.ipaddr(network_zones.murat_transfer.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}/32" - lookup: 105 - - - name: rule - options: - priority: 41051 - mark: 105 - lookup: 105 - - - name: route 'murdefault' - options: - interface: 'wanmur' - table: 105 - target: '0.0.0.0/0' - gateway: "{{ network_zones.murat_transfer.prefix | ansible.utils.ipaddr(network_zones.murat_transfer.offsets['ele-mur']) | ansible.utils.ipaddr('address') }}" - - - - name: interface 'wanlte' - options: - device: 'eth4' - proto: static - ipaddr: "{{ network_zones.datacop_lte.prefix | ansible.utils.ipaddr(network_zones.datacop_lte.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}" - netmask: "{{ network_zones.datacop_lte.prefix | ansible.utils.ipaddr('netmask') }}" - accept_ra: 0 - - - name: rule - options: - priority: 41040 - 
src: "{{ network_zones.datacop_lte.prefix | ansible.utils.ipaddr(network_zones.datacop_lte.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}/32" - lookup: 104 - - - name: rule - options: - priority: 41041 - mark: 104 - lookup: 104 - - - name: route 'ltedefault' - options: - interface: 'wanlte' - table: 104 - target: '0.0.0.0/0' - gateway: "{{ network_zones.datacop_lte.gateway }}" - - - name: rule - options: - priority: 50000 - lookup: 105 - - -network_internal_zone_names__wanmur: - - lan - - guest - - mixer - - infoscreens -network_internal_zone_names__wanlte: [] -network_internal_zone_names__wgemc: - - emc - -network_internal_zone_names: "{{ network_internal_zone_names__wanmur + network_internal_zone_names__wanlte + network_internal_zone_names__wgemc }}" -openwrt_network_internal: "{{ openwrt_network_internal_yaml | from_yaml }}" -openwrt_network_internal_yaml: | - {% for zone_name in network_internal_zone_names %} - - name: "interface '{{ zone_name }}'" - options: - device: "eth0.{{ network_zones[zone_name].vlan }}" - proto: static - ipaddr: "{{ network_zones[zone_name].gateway }}" - netmask: "{{ network_zones[zone_name].prefix | ansible.utils.ipaddr('netmask') }}" - accept_ra: 0 - {% endfor %} - - -openwrt_network_base: - - name: globals 'globals' - options: - ula_prefix: "fc{{ '%02x:%04x:%04x' | format((255 | random(seed=inventory_hostname + '0')), (65535 | random(seed=inventory_hostname + '1')), (65535 | random(seed=inventory_hostname + '2'))) }}::/48" - - - name: interface 'loopback' - options: - device: lo - proto: static - ipaddr: 127.0.0.1 - netmask: 255.0.0.0 - - - name: interface 'mgmt' - options: - device: "eth0.{{ network_mgmt_zone.vlan }}" - proto: static - ipaddr: "{{ network_mgmt_zone.prefix | ansible.utils.ipaddr(network_mgmt_zone.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}" - netmask: "{{ network_mgmt_zone.prefix | ansible.utils.ipaddr('netmask') }}" - accept_ra: 0 - - - -openwrt_dhcp_external: - - name: dhcp 
'wanmur' - options: - interface: 'wanmur' - ignore: '1' - - - name: dhcp 'wanlte' - options: - interface: 'wanlte' - ignore: '1' - - -openwrt_dhcp_internal: "{{ openwrt_dhcp_internal_yaml | from_yaml }}" -openwrt_dhcp_internal_yaml: | - {% for zone_name in network_internal_zone_names %} - - name: "dhcp '{{ zone_name }}'" - options: - interface: "{{ zone_name }}" - {% if 'dhcp' in network_zones[zone_name] %} - start: {{ network_zones[zone_name].dhcp.start }} - limit: {{ network_zones[zone_name].dhcp.limit }} - leasetime: {{ network_zones[zone_name].dhcp.leasetime | default('12h') }} - dhcpv6: 'disabled' - ra: 'disabled' - {% else %} - ignore: '1' - {% endif %} - {% endfor %} - - -openwrt_dhcp_base: - - name: dnsmasq - options: - domainneeded: '1' - boguspriv: '0' - filterwin2k: '0' - localise_queries: '1' - rebind_protection: '0' - rebind_localhost: '1' - local: '/lan/' - domain: 'lan' - expandhosts: '1' - nonegcache: '0' - authoritative: '1' - readethers: '1' - leasefile: '/tmp/dhcp.leases' - resolvfile: '/tmp/resolv.conf.auto' - localservice: '1' - server: - - 1.1.1.1 - - - name: odhcpd 'odhcpd' - options: - maindhcp: '0' - leasefile: '/tmp/hosts/odhcpd' - leasetrigger: '/usr/sbin/odhcpd-update' - - - name: dhcp 'mgmt' - options: - interface: 'mgmt' - ignore: '1' - - -openwrt_arch: x86 -openwrt_target: 64 -openwrt_profile: generic -openwrt_output_image_suffixes: - - "{{ openwrt_profile }}-ext4-combined.img.gz" - -openwrt_packages_remove: - - ppp - - ppp-mod-pppoe - - firewall - - odhcpd-ipv6only -openwrt_packages_add: - - kmod-ipt-nat - - kmod-ipt-conntrack - - haveged - - htop - - ip - - less - - nano - - tcpdump-mini - - iperf - - iperf3 - - mtr - - iptraf-ng - - qos-scripts - - wireguard - - prometheus-node-exporter-lua - - prometheus-node-exporter-lua-nat_traffic - - prometheus-node-exporter-lua-netstat - - prometheus-node-exporter-lua-openwrt - - -openwrt_mixin: - /etc/dropbear/authorized_keys: - content: "{{ ssh_keys_root | join('\n') }}\n" - - /etc/htoprc: 
- file: "{{ global_files_dir }}/common/htoprc" - - /etc/wireguard/wg-emc.priv: - content: "{{ wireguard_gateway_tunnels['wg-emc'].priv_key }}\n" - mode: "0600" - - /etc/rc.d/S21network-wgemc: - link: "../init.d/network-wgemc" - - /etc/rc.d/K91network-wgemc: - link: "../init.d/network-wgemc" - - /etc/init.d/network-wgemc: - mode: "0755" - content: | - #!/bin/sh /etc/rc.common - - START=21 - STOP=91 - - start() { - ip link add dev wg-emc type wireguard - wg set wg-emc fwmark 105 private-key /etc/wireguard/wg-emc.priv - - {% for peer in wireguard_gateway_tunnels['wg-emc'].peers %} - wg set wg-emc peer {{ peer.pub_key }} endpoint {{ peer.endpoint.host }}:{{ peer.endpoint.port }} persistent-keepalive {{ peer.keepalive_interval }} allowed-ips {{ peer.allowed_ips | join(',') }} - {% endfor %} - - {% for addr in wireguard_gateway_tunnels['wg-emc'].addresses %} - ip addr add dev wg-emc {{ addr }} - {% endfor %} - ip link set up dev wg-emc - - ip route add default via {{ wireguard_gateway_tunnels['wg-emc'].default_gateway.inner }} table 200 proto static - } - - stop() { - ip link del dev wg-emc - } - - /etc/rc.d/S22network-fw: - link: "../init.d/network-fw" - - /etc/rc.d/K92network-fw: - link: "../init.d/network-fw" - - /etc/init.d/network-fw: - mode: "0755" - content: | - #!/bin/sh /etc/rc.common - - START=22 - STOP=91 - - start() { - ### management - MGMT_IF=$(uci get network.mgmt.device) - MGMT_IPADDR=$(uci get network.mgmt.ipaddr) - MGMT_NETMASK=$(uci get network.mgmt.netmask) - iptables -A INPUT -i lo -d 127.0.0.0/8 -j ACCEPT - iptables -A INPUT -i "$MGMT_IF" -d "$MGMT_IPADDR" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT - - - ### external zones - # mur - iptables -A INPUT -i "eth5" -p icmp -j ACCEPT - iptables -A INPUT -i "eth5" -p tcp --dport {{ ansible_port }} -j ACCEPT - iptables -A INPUT -i "eth5" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - - # LTE - iptables -A INPUT -i "eth4" -p icmp -j ACCEPT - iptables -A INPUT -i "eth4" -p tcp --dport {{ ansible_port 
}} -j ACCEPT - iptables -A INPUT -i "eth4" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - - # Wireguard EMC - iptables -A INPUT -i "wg-emc" -p icmp -j ACCEPT - iptables -A INPUT -i "wg-emc" -p tcp --dport {{ ansible_port }} -j ACCEPT - iptables -A INPUT -i "wg-emc" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -A FORWARD -o "wg-emc" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu - - - ### internal zones - {% for zone_name in network_internal_zone_names %} - # {{ zone_name }} - {% if 'dhcp' in network_zones[zone_name] %} - iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -p udp --dport 67 --sport 68 -j ACCEPT - {% endif %} - {% if 'dhcp' in network_zones[zone_name] or network_zones[zone_name].gateway in network_zones[zone_name].dns %} - iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -p udp --dport 53 -d "{{ network_zones[zone_name].gateway }}" -s "{{ network_zones[zone_name].prefix }}" -j ACCEPT - iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -p tcp --dport 53 -d "{{ network_zones[zone_name].gateway }}" -s "{{ network_zones[zone_name].prefix }}" -j ACCEPT - {% endif %} - iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -p icmp -d "{{ network_zones[zone_name].gateway }}" -s "{{ network_zones[zone_name].prefix }}" -j ACCEPT - iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - - {% if zone_name in network_internal_zone_names__wanmur %} - {% set ext_interface = "eth5" %} - {% set rt_table = "105" %} - {% elif zone_name in network_internal_zone_names__wanlte %} - {% set ext_interface = "eth4" %} - {% set rt_table = "104" %} - {% elif zone_name in network_internal_zone_names__wgemc %} - {% set ext_interface = "wg-emc" %} - {% set rt_table = "200" %} - {% endif %} - iptables -A FORWARD -i "eth0.{{ network_zones[zone_name].vlan }}" -o "{{ ext_interface }}" -s "{{ network_zones[zone_name].prefix }}" -j 
ACCEPT - iptables -A FORWARD -i "{{ ext_interface }}" -o "eth0.{{ network_zones[zone_name].vlan }}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -t nat -A POSTROUTING -o "{{ ext_interface }}" -s "{{ network_zones[zone_name].prefix }}" -j MASQUERADE - ip rule add pref {{ loop.index + 33000 }} iif "eth0.{{ network_zones[zone_name].vlan }}" lookup {{ rt_table }} - - {% endfor %} - - ### - iptables -P INPUT DROP - iptables -P FORWARD DROP - } - - stop() { - iptables -P INPUT ACCEPT - iptables -F INPUT - iptables -P FORWARD ACCEPT - iptables -F FORWARD - iptables -t nat -F POSTROUTING - {% for zone_name in network_internal_zone_names %} - ip rule del pref {{ loop.index + 33000 }} - {% endfor %} - } - - -openwrt_uci: - system: - - name: system - options: - hostname: '{{ host_name }}' - timezone: 'CET-1CEST,M3.5.0,M10.5.0/3' - ttylogin: '0' - log_size: '64' - urandom_seed: '0' - - - name: timeserver 'ntp' - options: - enabled: '1' - enable_server: '0' - server: - - '0.lede.pool.ntp.org' - - '1.lede.pool.ntp.org' - - '2.lede.pool.ntp.org' - - '3.lede.pool.ntp.org' - - dropbear: - - name: dropbear - options: - PasswordAuth: 'off' - RootPasswordAuth: 'off' - Port: '{{ ansible_port }}' - - prometheus-node-exporter-lua: - - name: prometheus-node-exporter-lua 'main' - options: - listen_interface: 'mgmt' - listen_ipv6: '0' - listen_port: '9100' - - dhcp: "{{ openwrt_dhcp_base + openwrt_dhcp_internal + openwrt_dhcp_external }}" - network: "{{ openwrt_network_base + openwrt_network_internal + openwrt_network_external }}" - - -prometheus_scrape_endpoint: "{{ network_mgmt_zone.prefix | ansible.utils.ipaddr(network_mgmt_zone.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:9100" -prometheus_exporters_default: - - openwrt -- cgit v1.2.3