--- openwrt_arch: x86 openwrt_target: 64 openwrt_profile: generic openwrt_output_image_suffixes: - "{{ openwrt_profile }}-ext4-rootfs.img.gz" - "{{ openwrt_profile }}-kernel.bin" openwrt_packages_remove: - ppp - ppp-mod-pppoe - dnsmasq - firewall - odhcpd - odhcpd-ipv6only openwrt_packages_add: - sqm-scripts - rng-tools - htop - ip - less - nano - tcpdump-mini - iperf - iperf3 - mtr - usbutils - kmod-ipt-nat - kmod-ipt-conntrack - openvpn-openssl - iptraf-ng - prometheus-node-exporter-lua - prometheus-node-exporter-lua-nat_traffic - prometheus-node-exporter-lua-netstat - prometheus-node-exporter-lua-openwrt openwrt_mixin: /etc/openvpn/ca.crt: content: "{{ openvpn_ca_certificate }}" /etc/openvpn/dhparams: mode: "0600" content: "{{ openvpn_dhparams }}" /etc/openvpn/ta.key: mode: "0600" content: "{{ openvpn_ta_key }}" /etc/openvpn/server.crt: content: | -----BEGIN CERTIFICATE----- MIIHXDCCBUSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBqzELMAkGA1UEBhMCQVQx DzANBgNVBAgTBlN0eXJpYTENMAsGA1UEBxMER3JhejEWMBQGA1UEChMNY2hhb3Mg YXQgaG9tZTEPMA0GA1UECxMGc3lzb3BzMRkwFwYDVQQDExBjaGFvcyBhdCBob21l IENBMRAwDgYDVQQpEwdFYXN5UlNBMSYwJAYJKoZIhvcNAQkBFhdhZG1pbkBjaGFv cy1hdC1ob21lLm9yZzAeFw0xNTA1MDIwMTU3NDZaFw0yNTA0MjkwMTU3NDZaMIGi MQswCQYDVQQGEwJBVDEPMA0GA1UECBMGU3R5cmlhMQ0wCwYDVQQHEwRHcmF6MRYw FAYDVQQKEw1jaGFvcyBhdCBob21lMQ8wDQYDVQQLEwZzeXNvcHMxEDAOBgNVBAMT B3BhbmRvcmExEDAOBgNVBCkTB0Vhc3lSU0ExJjAkBgkqhkiG9w0BCQEWF2FkbWlu QGNoYW9zLWF0LWhvbWUub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC AgEAvwp3VeAZ2+uWLv0ePQ+I8T+0JMQkCdpv2Hn8gEQyUe4ubPtR6SE7455mXtGS WA67M9uHmX6jleQmap7VQPweBy5UD6ge5q39oJMB5G2wug2/QRcgTZVF1r14ZEmk mI31fQBHI/8M3gtMGzB5q0ohsaOuNSEyQir/CBDlDoyOzcVKRC3hQ4DVqD1Trp2M +bxINC9jcQUQd/U5+Ui51tlSBMs/M+0gAlD0kypgcQNZcDDsLW+iTF79/XMweowp bRDv8GbabL1E5kMYL1Ii0vNV6xmjbiyI/tX4DMyKa5d2LI80X932U/ILyq01GVhq bhribfZzqfJhC7zAc09zw2NfQ2F6ZAAcTMmCK/GFTpKWgBufRl7gr93f3mNDzVP4 9KDvQa62CUKEy7ELwxpAEyAlGEkym2Nw+SfiAy2W2uHrpV5UF4uVs58MKUnq3Ktw O04comiuLnXkY9/7USrMngnuJdxcwd6kEXuk6WUZGHWhgGkdP6Ww5DE2HNicSHnT 2gJFOkvvyXO5G7rmndJgK4dlsDuTdax6obIVyVEn20L8sLhuzQwfg1Z+1rnvkZVC 0n9gYp104e36HrAhX5xYwkZ2sn1Rls/PU94ciH/7TjCXOxdOLcXw4yo2btsGNtli 9I/tjPn5GHgLWa8VCGdGBsij7XP2AqPFGnzqS2lFi28YxukCAwEAAaOCAZAwggGM MAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMDQGCWCGSAGG+EIBDQQnFiVF YXN5LVJTQSBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQWBBR/ DVVuzBz4Tb2mji2hC3IeOR5t7jCB4AYDVR0jBIHYMIHVgBTgUyHn3CGUn931tyDF WVoc7+gfBaGBsaSBrjCBqzELMAkGA1UEBhMCQVQxDzANBgNVBAgTBlN0eXJpYTEN MAsGA1UEBxMER3JhejEWMBQGA1UEChMNY2hhb3MgYXQgaG9tZTEPMA0GA1UECxMG c3lzb3BzMRkwFwYDVQQDExBjaGFvcyBhdCBob21lIENBMRAwDgYDVQQpEwdFYXN5 UlNBMSYwJAYJKoZIhvcNAQkBFhdhZG1pbkBjaGFvcy1hdC1ob21lLm9yZ4IJAOGc Xf3qnvfBMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIFoDASBgNVHREE CzAJggdwYW5kb3JhMA0GCSqGSIb3DQEBCwUAA4ICAQBTa8rgGfdlmKOhrzZEPUCZ eAEICIpI1GnrHNLNAmbM4OIEO8lNPEVcsalqJSvFXaRh5lRBd4zGDhE2sehL13sX ceeZTh4Ss6xBguHWh3ZCLcZimqbritAF9zl53Aer6AeCw0lYTlgFVgZBPU9X4UXV mKqrmuorOy34vN/slRcsACrlWXonYAIrhSf6KPnTfmewp7c9LG2M8PBab05QC2tt NYy9lKN6bf6e16lTREInQcf6t29OihbgWeOur4EdFg5QuckYDvr/fbbK1D2tVFjR 9p8jgb7gJfvbqSc9oA6RoLQCr5mpTZeYrJWoCGlT943sXwTemPSL9NcDq/hr0RDY uYUGWWR7uKi4RwGt1S5TvpEsE0p1KeiEpytInC4crWUeX5eU5oHqEmwbKFTkzTXM yTj6EL4hTK5nHCGPYgY6umnPnTEc/Z7/kB9GPV4dOqu8qCWL+82+4y5PPSw/6H9B BY5WYFlE66aYHpRvAseN7HKU1lqcX09rx6vTjVKtBilga3m44pOxPPgI9FN6XYQl r43j0QX7FStrSTBkU7QgkXimU7jxJF7PczAhwQW8+Eyk2T2C9o8/w6T27UqMVByB xnw1Z7IOVbenP1JUpX+xKvweCFjkcdGHF+bQ3ufWmo3MIwsapKC1859E37ENqWaF 8ucdxgsmNPJk/dyj/4vqxQ== -----END CERTIFICATE----- /etc/openvpn/server.key: mode: "0600" content: "{{ vault_openvpn_key }}" /etc/openvpn/ipp.txt: mode: "0444" content: | pan,192.168.8.4 mimas,192.168.8.8 /etc/dropbear/authorized_keys: content: "{{ ssh_keys_root | join('\n') }}\n" /etc/htoprc: file: "{{ global_files_dir }}/common/htoprc" /etc/rc.d/S22network-fw: link: "../init.d/network-fw" /etc/rc.d/K91network-fw: link: "../init.d/network-fw" /etc/init.d/network-fw: mode: "0755" content: | #!/bin/sh /etc/rc.common START=22 STOP=91 start() { MAGENTA_IF=$(uci get network.magenta.device) MAGENTA_IPADDR=$(uci get network.magenta.ipaddr) MAGENTA_NETMASK=$(uci get network.magenta.netmask) MGMT_IF=$(uci get network.mgmt.device) MGMT_IPADDR=$(uci get network.mgmt.ipaddr) MGMT_NETMASK=$(uci get network.mgmt.netmask) SVC_IF=$(uci get "network.svc.device") SVC_IPADDR=$(uci get "network.svc.ipaddr") SVC_NETMASK=$(uci get "network.svc.netmask") SSH_PORT=$(uci get dropbear.@dropbear[0].Port) ## Local/Management Traffic # iptables -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT iptables -A INPUT -i "$MGMT_IF" -d "$MGMT_IPADDR" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT ## VPN Traffic iptables -A FORWARD -i extern0 -s 192.168.8.0/24 -o "$SVC_IF" -j ACCEPT iptables -A FORWARD -i "$SVC_IF" -o extern0 -d 192.168.8.0/24 -j ACCEPT ## WAN Traffic # iptables -A INPUT -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p icmp -j ACCEPT iptables -A INPUT -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport "$SSH_PORT" -j ACCEPT iptables -A INPUT -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p udp --dport 1194 -j ACCEPT iptables -A INPUT -i "$MAGENTA_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT {# TODO: add these to network_services #} # ssh iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 2342 -j DNAT --to "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-jump']) | ipaddr('address') }}" iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -d "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-jump']) | ipaddr('address') }}" -p tcp --dport 2342 -j ACCEPT # dns iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 53 -j DNAT --to "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-nic']) | ipaddr('address') }}" iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -d "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-nic']) | ipaddr('address') }}" -p tcp --dport 53 -j ACCEPT {% for name, svc in network_services.items() %} # {{ name }} {% for port in svc.ports %} iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport "{{ port }}" -j DNAT --to "{{ svc.addr }}" iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -d "{{ svc.addr }}" -p tcp --dport "{{ port }}" -j ACCEPT {% endfor %} {% endfor %} ## LAN Traffic # iptables -A INPUT -i "$SVC_IF" -d "$SVC_IPADDR" -s 192.168.0.0/16 -p icmp -j ACCEPT iptables -A INPUT -i "$SVC_IF" -d "$SVC_IPADDR" -s 192.168.0.0/16 -p tcp --dport "$SSH_PORT" -j ACCEPT iptables -A INPUT -i "$SVC_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -i "$SVC_IF" -o "$MAGENTA_IF" -s 192.168.0.0/16 -j ACCEPT iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT iptables -t nat -A POSTROUTING -o "$MAGENTA_IF" -s 192.168.0.0/16 -j SNAT --to "$MAGENTA_IPADDR" ## Drop all other inbound traffic # iptables -P INPUT DROP iptables -P FORWARD DROP } stop() { iptables -P INPUT ACCEPT iptables -F INPUT iptables -P FORWARD ACCEPT iptables -F FORWARD iptables -t nat -F PREROUTING iptables -t nat -F POSTROUTING } openwrt_uci: system: - name: system options: hostname: '{{ host_name }}' timezone: 'CET-1CEST,M3.5.0,M10.5.0/3' ttylogin: '0' log_size: '64' urandom_seed: '0' - name: timeserver 'ntp' options: enabled: '1' enable_server: '0' server: - '0.at.pool.ntp.org' - '1.at.pool.ntp.org' - '2.at.pool.ntp.org' - '3.at.pool.ntp.org' - name: rngd options: enabled: '1' device: '/dev/hwrng' dropbear: - name: dropbear options: PasswordAuth: 'off' RootPasswordAuth: 'off' Port: '{{ ansible_port | default(22) }}' prometheus-node-exporter-lua: - name: prometheus-node-exporter-lua 'main' options: listen_interface: 'mgmt' listen_ipv6: '0' listen_port: '9100' openvpn: - name: openvpn 'extern' options: enabled: '1' port: '1194' proto: 'udp' dev_type: 'tun' dev: 'extern0' server: '192.168.8.0 255.255.255.0' client_to_client: '1' ifconfig_pool_persist: '/etc/openvpn/ipp.txt' push: - 'route 192.168.28.0 255.255.255.0' - 'route 192.168.32.0 255.255.255.0' tls_auth: '/etc/openvpn/ta.key 0' ca: '/etc/openvpn/ca.crt' cert: '/etc/openvpn/server.crt' key: '/etc/openvpn/server.key' dh: '/etc/openvpn/dhparams' tls_cipher: 'DHE-RSA-AES256-SHA' cipher: 'AES-256-CBC' auth: 'SHA256' comp_lzo: 'yes' keepalive: '10 120' persist_key: '1' persist_tun: '1' user: 'nobody' verb: '3' network: - name: globals 'globals' options: ula_prefix: "fc{{ '%02x:%04x:%04x' | format((255 | random(seed=inventory_hostname + '0')), (65535 | random(seed=inventory_hostname + '1')), (65535 | random(seed=inventory_hostname + '2'))) }}::/48" - name: interface 'loopback' options: device: lo proto: static ipaddr: 127.0.0.1 netmask: 255.0.0.0 - name: interface 'svc' options: device: eth0 proto: static ipaddr: "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets[inventory_hostname]) | ipaddr('address') }}" netmask: "{{ network_zones.svc.prefix | ipaddr('netmask') }}" - name: interface 'magenta' options: device: eth1 proto: static ipaddr: "{{ network_zones.magenta.prefix | ipaddr(network_zones.magenta.offsets[inventory_hostname]) | ipaddr('address') }}" netmask: "{{ network_zones.magenta.prefix | ipaddr('netmask') }}" gateway: "{{ network_zones.magenta.gateway }}" dns: "{{ network_zones.magenta.dns }}" - name: interface 'mgmt' options: device: eth2 proto: static ipaddr: "{{ network_zones.mgmt.prefix | ipaddr(network_zones.mgmt.offsets[inventory_hostname]) | ipaddr('address') }}" netmask: "{{ network_zones.mgmt.prefix | ipaddr('netmask') }}" - name: route 'lan' options: interface: svc target: "{{ network_zones.lan.prefix | ipaddr('network') }}" netmask: "{{ network_zones.lan.prefix | ipaddr('netmask') }}" gateway: "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-gw-lan']) | ipaddr('address') }}" sqm: - name: queue 'magenta' options: enabled: '1' interface: 'eth1' download: '142000' upload: '20000' qdisc: 'cake' script: 'piece_of_cake.qos' qdisc_advanced: '0' ingress_ecn: 'ECN' egress_ecn: 'ECN' qdisc_really_really_advanced: '0' itarget: 'auto' etarget: 'auto' linklayer: 'ethernet' overhead: '18 mpu 64 noatm' virsh_domxml: | ch-router 131072 131072 2 hvm /srv/ch-router/vmlinuz console=ttyS0,115200n8 noinitrd root=/dev/vda destroy restart restart /usr/bin/kvm /dev/random
prometheus_scrape_endpoint: "{{ network_zones.mgmt.prefix | ipaddr(network_zones.mgmt.offsets[inventory_hostname]) | ipaddr('address') }}:9100" prometheus_exporters_default: - openwrt