From 79c40fec07d7ea906cf1375fa93a4b202766ba79 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Thu, 24 May 2018 23:40:30 +0200
Subject: move vm roles to subdir

---
 roles/vm/network/handlers/main.yml | 3 ++
 roles/vm/network/tasks/lan.yml | 6 +++
 roles/vm/network/tasks/main.yml | 9 ++++
 roles/vm/network/tasks/public.yml | 33 +++++++++++++
 roles/vm/network/tasks/systemd-link.yml | 15 ++++++
 roles/vm/network/templates/firewall.sh_public.j2 | 49 ++++++++++++++++++
 roles/vm/network/templates/interfaces_lan.j2 | 17 +++++++
 roles/vm/network/templates/interfaces_public.j2 | 63 ++++++++++++++++++++++++
 roles/vm/network/templates/systemd.link.j2 | 5 ++
 9 files changed, 200 insertions(+)
 create mode 100644 roles/vm/network/handlers/main.yml
 create mode 100644 roles/vm/network/tasks/lan.yml
 create mode 100644 roles/vm/network/tasks/main.yml
 create mode 100644 roles/vm/network/tasks/public.yml
 create mode 100644 roles/vm/network/tasks/systemd-link.yml
 create mode 100644 roles/vm/network/templates/firewall.sh_public.j2
 create mode 100644 roles/vm/network/templates/interfaces_lan.j2
 create mode 100644 roles/vm/network/templates/interfaces_public.j2
 create mode 100644 roles/vm/network/templates/systemd.link.j2

(limited to 'roles/vm/network')

diff --git a/roles/vm/network/handlers/main.yml b/roles/vm/network/handlers/main.yml
new file mode 100644
index 00000000..f967fa86
--- /dev/null
+++ b/roles/vm/network/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: rebuild initramfs
+  command: update-initramfs -u
diff --git a/roles/vm/network/tasks/lan.yml b/roles/vm/network/tasks/lan.yml
new file mode 100644
index 00000000..ec436e9b
--- /dev/null
+++ b/roles/vm/network/tasks/lan.yml
@@ -0,0 +1,6 @@
+---
+- name: install interface config (LAN only)
+  template:
+    src: interfaces_lan.j2
+    dest: /etc/network/interfaces
+    mode: 0644
diff --git a/roles/vm/network/tasks/main.yml b/roles/vm/network/tasks/main.yml
new file mode 100644
index 00000000..222a350b
--- /dev/null
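Review bot: `update-initramfs -u` without `-k all` typically regenerates only the newest installed kernel's initramfs (unless update_initramfs=all is set in update-initramfs.conf), so when this handler is notified by systemd-link.yml a VM that boots an older installed kernel would keep the stale .link units in the initramfs it actually uses. `command: update-initramfs -u -k all` rebuilds the initramfs of every installed kernel.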
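Review bot: Writing /etc/network/interfaces here notifies no handler, so the rendered configuration only takes effect on the next ifdown/ifup or reboot; if that is deliberate (re-plumbing the uplink over the connection Ansible is using is risky) a comment on the task should say so, e.g. `# no handler on purpose: applied on next ifup/reboot`. The same applies to the "install interface config (Public)" task in public.yml. As a point of style, `mode: 0644` relies on the YAML loader reading the leading zero as octal; Ansible's docs recommend quoting it (`mode: '0644'`), likewise the `0755`/`0644` in public.yml.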
+++ b/roles/vm/network/tasks/main.yml
@@ -0,0 +1,9 @@
+---
+- import_tasks: systemd-link.yml
+  when: srv_network.systemd_link is defined
+
+- import_tasks: public.yml
+  when: srv_network.public is defined
+
+- import_tasks: lan.yml
+  when: srv_network.public is not defined
diff --git a/roles/vm/network/tasks/public.yml b/roles/vm/network/tasks/public.yml
new file mode 100644
index 00000000..8b0e317a
--- /dev/null
+++ b/roles/vm/network/tasks/public.yml
@@ -0,0 +1,33 @@
+---
+- name: set routing table names
+  with_items:
+    - { regexp: '^89\s', line: '89 mur-default' }
+    - { regexp: '^212\s', line: '212 upc-default' }
+  lineinfile:
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+    dest: /etc/iproute2/rt_tables
+
+- name: calculate address lists
+  set_fact:
+    srv_network_public_firewall_ipv4:
+      - "{{ srv_network.public.ip_mur }}"
+      - "{{ srv_network.public.ip_upc }}"
+    srv_network_public_firewall_ipv6:
+      - "{{ srv_network.public.ip_mur6 }}"
+
+- name: install firewall scripts
+  with_items:
+    - 4
+    - 6
+  template:
+    src: firewall.sh_public.j2
+    dest: "/etc/network/firewall{{ item }}.sh"
+    mode: 0755
+  when: srv_network.public.firewall is defined
+
+- name: install interface config (Public)
+  template:
+    src: interfaces_public.j2
+    dest: /etc/network/interfaces
+    mode: 0644
diff --git a/roles/vm/network/tasks/systemd-link.yml b/roles/vm/network/tasks/systemd-link.yml
new file mode 100644
index 00000000..ad12cd37
--- /dev/null
+++ b/roles/vm/network/tasks/systemd-link.yml
@@ -0,0 +1,15 @@
+---
+- name: remove legacy systemd.link units
+  file:
+    name: "/etc/systemd/network/{{ item }}"
+    state: absent
+  with_items:
+    - 50-virtio-kernel-names.link
+    - 99-default.link
+
+- name: install systemd network link units
+  template:
+    src: systemd.link.j2
+    dest: "/etc/systemd/network/{{ '%02d' | format(item.idx + 10) }}-{{ item.name }}.link"
+  with_items: "{{ srv_network.systemd_link.interfaces }}"
+  notify: rebuild initramfs
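Review bot: Nothing documents the shape of `srv_network` that these three imports key on, and the commit adds no defaults/ file for the role, so the contract currently lives only in the templates. A header comment in this file listing the expected keys would help the next reader: `srv_network.internal.{interface,ip}`, `srv_network.public.{interface,ip,ip_mur,ip_upc,ip_mur6,firewall.tcp_ports,firewall.udp_ports}` and `srv_network.systemd_link.interfaces[].{idx,name}`, with a line noting that `public.yml` and `lan.yml` are mutually exclusive by the `when` conditions here.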
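Review bot: The firewall scripts are only installed `when: srv_network.public.firewall is defined`, but interfaces_public.j2 calls `/etc/network/firewall4.sh` and `firewall6.sh` from its `up`/`down` lines unconditionally, so a host without a `firewall` key either fails `ifup` because the script is missing or keeps running whatever stale script is already on disk. The template already tolerates absent port lists via `default([])` and then produces a deny-all-except-ICMP/established policy, so the simplest fix is to drop the `when:` line and always install both scripts; alternatively wrap the firewall `up`/`down` lines in the template in `{% if srv_network.public.firewall is defined %}`. Also worth a comment on the "calculate address lists" task: `srv_network.public.ip` itself is not in either allow list, so the configured ports are only opened on the mur/upc addresses — presumably intended, but it should be stated.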
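Review bot: `notify: rebuild initramfs` is attached only to the install task, while the removal of `50-virtio-kernel-names.link` and `99-default.link` changes the same set of files; if the initramfs embeds these units (which is presumably why the install task triggers a rebuild) a run that only removes legacy units leaves the old naming rules active in the initramfs until something else rebuilds it. Adding `notify: rebuild initramfs` to the "remove legacy systemd.link units" task keeps both paths consistent.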
diff --git a/roles/vm/network/templates/firewall.sh_public.j2 b/roles/vm/network/templates/firewall.sh_public.j2
new file mode 100644
index 00000000..df5b1373
--- /dev/null
+++ b/roles/vm/network/templates/firewall.sh_public.j2
@@ -0,0 +1,49 @@
+#!/bin/sh
+
+PUBLIC_IPS="{% if item == 4 %}{{ srv_network_public_firewall_ipv4 | join(' ') }}{% else %}{{ srv_network_public_firewall_ipv6 | join(' ') }}{% endif %}"
+PUBLIC_IF="$2"
+TCP_PORTS="{{ srv_network.public.firewall.tcp_ports | default([]) | join(' ') }}"
+UDP_PORTS="{{ srv_network.public.firewall.udp_ports | default([]) | join(' ') }}"
+
+#####
+IPTABLES="/sbin/ip{% if item == 6 %}6{% endif %}tables"
+ICMP="icmp{% if item == 6 %}v6{% endif %}"
+
+case "$1" in
+  start)
+    $IPTABLES -A INPUT -i $PUBLIC_IF -p $ICMP -j ACCEPT
+    $IPTABLES -A INPUT -i $PUBLIC_IF -m state --state related,established -j ACCEPT
+    for port in $TCP_PORTS; do
+      for ip in $PUBLIC_IPS; do
+        $IPTABLES -A INPUT -i $PUBLIC_IF -d $ip -p tcp --dport $port -j ACCEPT
+      done
+    done
+    for port in $UDP_PORTS; do
+      for ip in $PUBLIC_IPS; do
+        $IPTABLES -A INPUT -i $PUBLIC_IF -d $ip -p udp --dport $port -j ACCEPT
+      done
+    done
+    $IPTABLES -A INPUT -i $PUBLIC_IF -j DROP
+    ;;
+  stop)
+    $IPTABLES -D INPUT -i $PUBLIC_IF -j DROP
+    for port in $UDP_PORTS; do
+      for ip in $PUBLIC_IPS; do
+        $IPTABLES -D INPUT -i $PUBLIC_IF -d $ip -p udp --dport $port -j ACCEPT
+      done
+    done
+    for port in $TCP_PORTS; do
+      for ip in $PUBLIC_IPS; do
+        $IPTABLES -D INPUT -i $PUBLIC_IF -d $ip -p tcp --dport $port -j ACCEPT
+      done
+    done
+    $IPTABLES -D INPUT -i $PUBLIC_IF -m state --state related,established -j ACCEPT
+    $IPTABLES -D INPUT -i $PUBLIC_IF -p $ICMP -j ACCEPT
+    ;;
+  *)
+    echo "Usage: $0 (start|stop)"
+    exit 1
+    ;;
+esac
+
+exit 0
diff --git a/roles/vm/network/templates/interfaces_lan.j2 b/roles/vm/network/templates/interfaces_lan.j2
new file mode 100644
index 00000000..36ae2883
--- /dev/null
+++ b/roles/vm/network/templates/interfaces_lan.j2
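Review bot: `start` appends its rules unconditionally, so a second invocation (ifup run twice, or a manual `start` after a partially failed one) duplicates every rule in INPUT while `stop` removes only one copy of each, leaving untracked ACCEPT/DROP rules behind. Moving the rules into a dedicated chain that `start` flushes and refills, and hooking it into INPUT only when the jump is not already present (`-C`), makes both directions idempotent and lets `stop` tear everything down with `-F`/`-X` regardless of what the port lists were at start time. The script also runs without `set -e`, so a failed iptables call continues and the script still exits 0 from the `up` hook; and the unquoted `$PUBLIC_IF`/`$ip` expansions are a point of style worth fixing while here.
```shell
CHAIN="PUBLIC_IN"

case "$1" in
  start)
    # idempotent: (re)create the chain, hook it into INPUT once, then fill it
    $IPTABLES -N "$CHAIN" 2>/dev/null || $IPTABLES -F "$CHAIN"
    $IPTABLES -C INPUT -i "$PUBLIC_IF" -j "$CHAIN" 2>/dev/null \
      || $IPTABLES -A INPUT -i "$PUBLIC_IF" -j "$CHAIN"
    $IPTABLES -A "$CHAIN" -p "$ICMP" -j ACCEPT
    $IPTABLES -A "$CHAIN" -m state --state related,established -j ACCEPT
    # … unchanged: tcp/udp port loops, now "-A $CHAIN" without "-i $PUBLIC_IF" …
    $IPTABLES -A "$CHAIN" -j DROP
    ;;
  stop)
    $IPTABLES -D INPUT -i "$PUBLIC_IF" -j "$CHAIN" 2>/dev/null
    $IPTABLES -F "$CHAIN" 2>/dev/null
    $IPTABLES -X "$CHAIN" 2>/dev/null
    ;;
  # … unchanged: usage branch …
```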
@@ -0,0 +1,17 @@
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+source /etc/network/interfaces.d/*
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# The internal network interface
+auto {{ srv_network.internal.interface }}
+iface {{ srv_network.internal.interface }} inet static
+  address {{ srv_network.internal.ip }}
+  netmask 255.255.255.0
+  gateway 192.168.1.254
+  pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra
+  pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf
diff --git a/roles/vm/network/templates/interfaces_public.j2 b/roles/vm/network/templates/interfaces_public.j2
new file mode 100644
index 00000000..2e8583ab
--- /dev/null
+++ b/roles/vm/network/templates/interfaces_public.j2
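Review bot: The internal stanza takes `address` from `srv_network.internal.ip` but hard-codes `netmask 255.255.255.0` and `gateway 192.168.1.254`, so every host using this role is pinned to one subnet and gateway while the rest of the stanza is templated. Reading them from the same dict with the current values as fallback keeps existing hosts unchanged: `netmask {{ srv_network.internal.netmask | default('255.255.255.0') }}` and `gateway {{ srv_network.internal.gateway | default('192.168.1.254') }}`. interfaces_public.j2 repeats the same `192.168.1.254` in its `up`/`down ip route` lines and would want the same variable.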
@@ -0,0 +1,63 @@
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+source /etc/network/interfaces.d/*
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# The internal network interface
+auto {{ srv_network.internal.interface }}
+iface {{ srv_network.internal.interface }} inet static
+  address {{ srv_network.internal.ip }}
+  netmask 255.255.255.0
+  pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra
+  pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf
+  up ip route add default via 192.168.1.254 table default
+  up ip rule add pref 42000 lookup default
+  up ip rule del pref 32767
+  down ip rule add pref 32767 lookup default
+  down ip rule del pref 42000
+  down ip route del default via 192.168.1.254 table default
+
+
+# The public network interface
+auto {{ srv_network.public.interface }}
+iface {{ srv_network.public.interface }} inet static
+  address {{ srv_network.public.ip }}
+  netmask 255.255.255.0
+  pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra
+  pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf
+  ## mur.at
+  up ip addr add dev $IFACE {{ srv_network.public.ip_mur }}/28
+  up ip route add default via 89.106.215.14 src {{ srv_network.public.ip_mur }} table mur-default
+  up ip rule add pref 33000 from {{ srv_network.public.ip_mur }} lookup mur-default
+  ## upc
+  up ip addr add dev $IFACE {{ srv_network.public.ip_upc }}/32
+  up ip route add default via 192.168.3.254 src {{ srv_network.public.ip_upc }} table upc-default
+  up ip rule add pref 35000 from {{ srv_network.public.ip_upc }} lookup upc-default
+  ### firewall
+  up /etc/network/firewall4.sh start $IFACE
+  ##########
+  down /etc/network/firewall4.sh stop $IFACE
+  ## upc
+  down ip rule del pref 35000
+  down ip route del default via 192.168.3.254 src {{ srv_network.public.ip_upc }} table upc-default
+  down ip addr del dev $IFACE {{ srv_network.public.ip_upc }}/32
+  ## mur.at
+  down ip rule del pref 33000
+  down ip route del default via 89.106.215.14 src {{ srv_network.public.ip_mur }} table mur-default
+  down ip addr del dev $IFACE {{ srv_network.public.ip_mur }}/28
+
+iface {{ srv_network.public.interface }} inet6 static
+  address {{ srv_network.public.ip_mur6 }}
+  netmask 64
+  pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra
+  pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf
+  up ip -6 route add default via 2a02:3e0:2003::e src {{ srv_network.public.ip_mur6 }} table mur-default
+  up ip -6 rule add pref 33000 from {{ srv_network.public.ip_mur6 }} lookup mur-default
+  up /etc/network/firewall6.sh start $IFACE
+  down /etc/network/firewall6.sh stop $IFACE
+  down ip -6 rule del pref 33000
+  down ip -6 route del default via 2a02:3e0:2003::e src {{ srv_network.public.ip_mur6 }} table mur-default
diff --git a/roles/vm/network/templates/systemd.link.j2 b/roles/vm/network/templates/systemd.link.j2
new file mode 100644
index 00000000..753fd586
--- /dev/null
+++ b/roles/vm/network/templates/systemd.link.j2
@@ -0,0 +1,5 @@
+[Match]
+Path=pci-0000:01:{{ "%02d" | format(item.idx) }}.0
+
+[Link]
+Name={{ item.name }}
-- 
cgit v1.2.3
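Review bot: The firewall is applied from `up /etc/network/firewall4.sh start $IFACE`, which ifupdown runs only after the interface is up and the extra addresses and routes above it are in place, and the script appends its DROP rule last; the public addresses are therefore reachable through an unfiltered INPUT chain for the whole address/route setup and most of the script run, on every boot and ifup. iptables accepts `-i` for an interface that is not up yet, so `pre-up /etc/network/firewall4.sh start $IFACE` paired with `post-down /etc/network/firewall4.sh stop $IFACE` closes that window; the `firewall6.sh` lines in the inet6 stanza want the same treatment. A short comment explaining the 42000/33000/35000 rule-preference scheme and why `up ip rule del pref 32767` removes the kernel's default-table lookup on the internal stanza would also help, since the ordering is what makes source-based routing work here.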