author | Emil Renner Berthing <esmil@labitat.dk> | 2020-02-29 14:09:39 +0100 |
---|---|---|
committer | Emil Renner Berthing <esmil@labitat.dk> | 2020-02-29 23:48:24 +0100 |
commit | ca467c55d8bbd633870c1fcaff0677bc2c6eaa9f (patch) | |
tree | 563ec89a5690de52204379dab46556b0926d7a39 | |
parent | 543907b4fb61a529f81e0cbe86fd7e7d967b6d60 (diff) | |
space_server: update to Fedora 31
24 files changed, 302 insertions, 220 deletions
diff --git a/roles/fedora/defaults/main.yml b/roles/fedora/defaults/main.yml index 2575da2..7ba53a1 100644 --- a/roles/fedora/defaults/main.yml +++ b/roles/fedora/defaults/main.yml @@ -37,7 +37,6 @@ dnf_packages_default: 'passwd': present 'vim-enhanced': present 'dnf-command(leaves)': present - 'python-unversioned-command': present dnf_packages_role: {} sudo_group: 'wheel' diff --git a/roles/space_server/bootstrap.sh b/roles/space_server/bootstrap.sh index 218815e..44e47bd 100755 --- a/roles/space_server/bootstrap.sh +++ b/roles/space_server/bootstrap.sh @@ -36,12 +36,14 @@ # mount -o noatime,ssd,compress=lzo,subvol=/home /dev/sda2 /home # # Run this script +# ./roles/space_server/bootstrap.sh set -e set -x -release=29 +release=31 dest="/mnt/fedora$release" +secrets='./secrets.yml' if [[ -e "$dest" ]]; then echo "Destination '$dest' already exists. Aborting." >&2 exit 1 @@ -58,7 +60,7 @@ dnf \ --disablerepo='*' \ --enablerepo=fedora \ --enablerepo=updates \ - install glibc-langpack-en dnf git ansible python-unversioned-command + install glibc-langpack-en systemd-udev dnf git ansible for i in /var/lib/machines /var/lib/portables; do if [[ -d "$dest$i" ]]; then @@ -68,17 +70,22 @@ for i in /var/lib/machines /var/lib/portables; do install -o root -g root -m755 -d "$dest$i" done +if [[ -f "$secrets" ]]; then + install -o root -g root -m600 "$secrets" "$dest/root/secrets.yml" +fi + exec systemd-nspawn \ -D "$dest" \ - -M space \ + -M space.labitat.dk \ -E ANSIBLE_FORCE_COLOR=1 \ --bind /boot \ --bind /home \ -- \ ansible-pull \ - -i space.labitat.dk, \ - -c local \ - -U 'https://github.com/labitat/labitat-ansible.git' \ - space.yml + -i space.labitat.dk, \ + -c local \ + -U 'https://github.com/labitat/labitat-ansible.git' \ + -d /root/ansible \ + space.yml # vim: set ts=2 sw=2 et: diff --git a/roles/space_server/files/bird.conf b/roles/space_server/files/bird.conf new file mode 100644 index 0000000..acc191c --- /dev/null +++ b/roles/space_server/files/bird.conf 
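Review bot: The new secrets copy in bootstrap.sh (`if [[ -f "$secrets" ]]; then install ... fi`) silently does nothing when ./secrets.yml is absent, and the playbook task that later consumes the file also ignores a missing one, so a host can be installed with no secrets at all and nobody learns it until some later task fails. An `else` branch makes that visible at the one moment it is cheap to fix: `else` / `echo "No '$secrets' found; continuing without secrets" >&2`. A one-line comment above the block should also state that the copy is permanent — the file stays at /root/secrets.yml (root, 0600) inside the installed system and is read from there by ansible-pull — since the script's header comments do not say so. The `set -x` above only echoes the install command line, not the file's contents, so the trace output is fine.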
@@ -0,0 +1,231 @@
+#
+# BIRD 2 configuration for AS205235 Labitat
+#
+
+log syslog all;
+#debug protocols all;
+debug protocols { events, states };
+
+watchdog warning 5 s;
+watchdog timeout 30 s;
+
+timeformat base iso long;
+timeformat log iso long;
+timeformat protocol iso long;
+timeformat route iso long;
+
+router id 185.38.175.0;
+
+# functions and filters
+
+define local_asn = 205235;
+define fiberby_asn = 42541;
+define asbjorn_asn = 207727;
+
+define local_prefixes_v4 = [
+ 185.38.175.0/24,
+ 194.165.56.0/24,
+ 194.165.58.0/24
+];
+
+define local_prefixes_v6 = [
+ 2a01:4262:1ab::/48,
+ 2a10:2a80:ac::/48,
+ 2a10:2a80:1ab::/48
+];
+
+define asbjorn_prefixes_v4 = [
+ 194.165.56.0/24,
+ 194.165.58.0/24
+];
+
+define asbjorn_prefixes_v6 = [
+ 2a10:2a80:ac::/48,
+ 2a10:2a80:1ab::/48
+];
+
+# functions and filters
+
+function is_default_route() {
+ case net.type {
+ NET_IP4: if net = 0.0.0.0/0 then return true;
+ NET_IP6: if net = ::/0 then return true;
+ }
+ return false;
+}
+
+function is_customer_route() {
+ case net.type {
+ NET_IP4: if net ~ local_prefixes_v4 then return true;
+ NET_IP6: if net ~ local_prefixes_v6 then return true;
+ }
+ return false;
+}
+
+filter kernel_export {
+ if source !~ [ RTS_BGP, RTS_STATIC ] then reject;
+ if is_default_route() then accept;
+ if is_customer_route() then accept;
+ reject;
+}
+
+function honor_graceful_shutdown()
+{
+ # RFC 8326 Graceful BGP Session Shutdown
+ if (65535, 0) ~ bgp_community then {
+ bgp_local_pref = 0;
+ }
+}
+
+filter transit_import {
+ honor_graceful_shutdown();
+ accept;
+}
+
+filter transit_export {
+ if is_customer_route() then accept;
+ reject;
+}
+
+# generate local routes
+protocol static static4 {
+ ipv4;
+ route 185.38.175.0/24 unreachable;
+}
+
+protocol static static6 {
+ ipv6;
+ route 2a01:4262:1ab::/48 unreachable;
+}
+
+# customer import
+function customer_import(int peer_asn; prefix set peer_prefixes) {
+ if net !~ peer_prefixes then reject;
+ if bgp_path.first != peer_asn then reject; 
+ accept;
+}
+
+# customer export functions
+function customer_export_default_only() {
+ if !is_default_route() then reject;
+ accept;
+}
+
+function customer_export_dfz() {
+ if source !~ [ RTS_BGP, RTS_STATIC ] then reject;
+ if is_default_route() then reject;
+ accept;
+}
+
+function customer_export_and_default() {
+ if is_default_route() then {
+ customer_export_default_only();
+ } else {
+ customer_export_dfz();
+ }
+}
+
+
+# define basic protocols
+protocol device {}
+
+protocol direct {
+ ipv4;
+ ipv6;
+}
+
+protocol kernel kernel4 {
+ ipv4 {
+ import none;
+ export filter kernel_export;
+ };
+ learn;
+ persist;
+ graceful restart;
+ merge paths;
+}
+
+protocol kernel kernel6 {
+ ipv6 {
+ import none;
+ export filter kernel_export;
+ };
+ learn;
+ persist;
+ graceful restart;
+ merge paths;
+}
+
+
+# templates
+template bgp bgp_customer {
+ default bgp_local_pref 150;
+}
+
+template bgp bgp_transit_v4 {
+ default bgp_local_pref 100;
+ ipv4 {
+ import limit off;
+ receive limit off;
+ import keep filtered on;
+ import filter transit_import;
+ export filter transit_export;
+ };
+}
+
+template bgp bgp_transit_v6 {
+ default bgp_local_pref 100;
+ ipv6 {
+ import limit off;
+ receive limit off;
+ import keep filtered on;
+ import filter transit_import;
+ export filter transit_export;
+ };
+}
+
+# Transit
+protocol bgp fiberby_tgc_v4 from bgp_transit_v4 {
+ local 193.106.167.41 as local_asn;
+ neighbor 193.106.167.40 as fiberby_asn;
+}
+
+protocol bgp fiberby_inx_v4 from bgp_transit_v4 {
+ local 193.106.167.43 as local_asn;
+ neighbor 193.106.167.42 as fiberby_asn;
+}
+
+protocol bgp fiberby_tgc_v6 from bgp_transit_v6 {
+ local 2a03:5440:1:2935:1ab:1::2 as local_asn;
+ neighbor 2a03:5440:1:2935:1ab:1::1 as fiberby_asn;
+}
+
+protocol bgp fiberby_inx_v6 from bgp_transit_v6 {
+ local 2a03:5440:1:2935:1ab:2::2 as local_asn;
+ neighbor 2a03:5440:1:2935:1ab:2::1 as fiberby_asn;
+}
+
+# BGP customer: asbjorn
+protocol bgp asbjorn_ipv4 from bgp_customer {
+ local 
185.38.175.65 as local_asn; + neighbor 185.38.175.75 as asbjorn_asn; + ipv4 { + import limit 10 action block; + receive limit 20 action disable; + import keep filtered on; + import filter { customer_import(asbjorn_asn, asbjorn_prefixes_v4); }; + export filter { customer_export_default_only(); }; + }; +} + +protocol bgp asbjorn_ipv6 from bgp_customer { + local 2a01:4262:1ab:20::1 as local_asn; + neighbor 2a01:4262:1ab:20::75 as asbjorn_asn; + ipv6 { + import limit 10 action block; + receive limit 20 action disable; + import keep filtered on; + import filter { customer_import(asbjorn_asn, asbjorn_prefixes_v6); }; + export filter { customer_export_default_only(); }; + }; +} diff --git a/roles/space_server/files/bird/bird.conf b/roles/space_server/files/bird/bird.conf deleted file mode 100644 index 2ae72f0..0000000 --- a/roles/space_server/files/bird/bird.conf +++ /dev/null @@ -1,7 +0,0 @@ -router id 185.38.175.0; - -include "bird/symbol4.conf"; -include "bird/filter.conf"; -include "bird/protocols.conf"; -include "bird/templates.conf"; -include "bird/peers4.conf"; diff --git a/roles/space_server/files/bird/bird6.conf b/roles/space_server/files/bird/bird6.conf deleted file mode 100644 index 91b5405..0000000 --- a/roles/space_server/files/bird/bird6.conf +++ /dev/null @@ -1,7 +0,0 @@ -router id 185.38.175.0; - -include "bird/symbol6.conf"; -include "bird/filter.conf"; -include "bird/protocols.conf"; -include "bird/templates.conf"; -include "bird/peers6.conf"; diff --git a/roles/space_server/files/bird/filter.conf b/roles/space_server/files/bird/filter.conf deleted file mode 100644 index 3edc053..0000000 --- a/roles/space_server/files/bird/filter.conf +++ /dev/null 
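Review bot: `filter transit_import` (earlier in this bird.conf hunk) accepts whatever the upstream sessions announce, including the site's own and the customer prefixes listed in local_prefixes_v4/v6, so a leaked or hijacked copy of those would be kept in the BGP table and could be re-exported by customer_export_dfz. Adding `if is_customer_route() then reject;` before the `accept` keeps those prefixes learnable only from the static protocols and the customer sessions; the static `unreachable` routes normally win on preference, so this is defence in depth rather than a present outage. Note that is_customer_route matches the exact prefixes only, so more-specifics of them arriving from transit still pass; a prefix set using the `+` modifier in the same check would cover those as well. Rejecting bogon or overly long prefixes from transit is likewise absent, but that is a policy decision this file does not yet make and should be documented either way in the comment above the filter.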
@@ -1,31 +0,0 @@
-function accept_default_route()
-{
- if net = DEFAULT_ROUTE then {
- accept;
- }
-}
-
-function accept_prefixes(prefix set prefixes)
-{
- if net ~ prefixes then {
- accept;
- }
-}
-
-filter fallback_filter {
- reject "WARNING!! no filter set, all routes will be rejected";
-}
-
-filter transit_import
-{
- accept_default_route();
-
- reject;
-}
-
-filter transit_export
-{
- accept_prefixes(LABITAT_PREFIXES);
-
- reject;
-}
diff --git a/roles/space_server/files/bird/peers4.conf b/roles/space_server/files/bird/peers4.conf
deleted file mode 100644
index ac4fa69..0000000
--- a/roles/space_server/files/bird/peers4.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-template bgp fiberby from bgp_transit {
-}
-
-protocol bgp fiberby_tgc from fiberby {
- preference 90;
- neighbor 193.106.167.40 as 42541;
-}
-
-protocol bgp fiberby_inx from fiberby {
- neighbor 193.106.167.42 as 42541;
-}
diff --git a/roles/space_server/files/bird/peers6.conf b/roles/space_server/files/bird/peers6.conf
deleted file mode 100644
index a78d8c6..0000000
--- a/roles/space_server/files/bird/peers6.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-template bgp fiberby from bgp_transit {
-}
-
-protocol bgp fiberby_tgc from fiberby {
- preference 90;
- neighbor 2a03:5440:1:2935:1ab:1::1 as 42541;
-}
-
-protocol bgp fiberby_inx from fiberby {
- neighbor 2a03:5440:1:2935:1ab:2::1 as 42541;
-}
diff --git a/roles/space_server/files/bird/protocols.conf b/roles/space_server/files/bird/protocols.conf
deleted file mode 100644
index f5cc85f..0000000
--- a/roles/space_server/files/bird/protocols.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-protocol device {
- scan time 10;
-}
-
-protocol direct {
-}
-
-protocol kernel {
- metric 64;
- learn;
- persist;
- scan time 20;
- import all;
- export filter {
- krt_prefsrc = PREFSRC;
- accept;
- };
-}
diff --git a/roles/space_server/files/bird/symbol4.conf b/roles/space_server/files/bird/symbol4.conf
deleted file mode 100644
index a23c865..0000000 
--- a/roles/space_server/files/bird/symbol4.conf +++ /dev/null @@ -1,7 +0,0 @@ -define DEFAULT_ROUTE = 0.0.0.0/0; - -define LABITAT_PREFIXES = [ - 185.38.175.0/24 -]; - -define PREFSRC = 185.38.175.0; diff --git a/roles/space_server/files/bird/symbol6.conf b/roles/space_server/files/bird/symbol6.conf deleted file mode 100644 index fd142c9..0000000 --- a/roles/space_server/files/bird/symbol6.conf +++ /dev/null @@ -1,7 +0,0 @@ -define DEFAULT_ROUTE = ::/0; - -define LABITAT_PREFIXES = [ - 2a01:4262:1ab::/48 -]; - -define PREFSRC = 2a01:4262:1ab::; diff --git a/roles/space_server/files/bird/templates.conf b/roles/space_server/files/bird/templates.conf deleted file mode 100644 index 4334bd8..0000000 --- a/roles/space_server/files/bird/templates.conf +++ /dev/null @@ -1,18 +0,0 @@ -template bgp bgp_peer { - local as 205235; - import keep filtered; - import filter fallback_filter; - export filter fallback_filter; - import limit 1000 action block; - receive limit 1500 action disable; - export limit 100 action block; - hold time 60; -} - -template bgp bgp_transit from bgp_peer { - preference 100; - import limit off; - receive limit off; - import filter transit_import; - export filter transit_export; -} diff --git a/roles/space_server/files/networkd/10-lo.network b/roles/space_server/files/networkd/10-lo.network index 6457f55..ce9fdbe 100644 --- a/roles/space_server/files/networkd/10-lo.network +++ b/roles/space_server/files/networkd/10-lo.network @@ -5,11 +5,3 @@ Name=lo Address=185.38.175.0/32 Address=185.38.175.1/32 Address=2a01:4262:1ab::/128 - -[Route] -Type=unreachable -Destination=185.38.175.0/24 - -[Route] -Type=unreachable -Destination=2a01:4262:1ab::/48 diff --git a/roles/space_server/files/radius/assha.py b/roles/space_server/files/radius/assha.py index e34c382..6d81be1 100755 --- a/roles/space_server/files/radius/assha.py +++ b/roles/space_server/files/radius/assha.py 
@@ -10,7 +10,7 @@ REXP = re.compile('^([^ ]+) ASSHA-Password := "(.*)"$') def authorize(p): #radiusd.radlog(radiusd.L_INFO, '*** radlog call in authorize ***') reply = ( ('Reply-Message', 'Welcome to Labitat!'), ) - config = ( ('Auth-Type', 'python'), ) + config = ( ('Auth-Type', 'python3'), ) return (radiusd.RLM_MODULE_OK, reply, config) def load_users(): @@ -30,7 +30,7 @@ def check_pwd(user, pw): assha = users[user] crypted = assha[:40] salt = assha[40:] - h = hashlib.sha1('--%s--%s--' % (salt, pw)).hexdigest() + h = hashlib.sha1('--{}--{}--'.format(salt, pw).encode('utf-8')).hexdigest() return h == crypted def authenticate(p): diff --git a/roles/space_server/files/radius/mods-available/python-assha b/roles/space_server/files/radius/mods-available/python-assha deleted file mode 100644 index fa48e01..0000000 --- a/roles/space_server/files/radius/mods-available/python-assha +++ /dev/null @@ -1,17 +0,0 @@ -python { - python_path="/usr/lib/python27.zip:/usr/lib64/python2.7:/usr/lib64/python2.7/plat-linux2:/usr/lib64/python2.7/lib-tk:/usr/lib64/python2.7/lib-old:/usr/lib64/python2.7/lib-dynload:/usr/lib64/python2.7/site-packages:/usr/lib/python2.7/site-packages:/etc/raddb/mods-config/python/" - - module = assha - - #mod_instantiate = ${.module} - #func_instantiate = instantiate - - #mod_detach = ${.module} - #func_detach = instantiate - - mod_authorize = ${.module} - func_authorize = authorize - - mod_authenticate = ${.module} - func_authenticate = authenticate -} diff --git a/roles/space_server/files/radius/mods-available/python3-assha b/roles/space_server/files/radius/mods-available/python3-assha new file mode 100644 index 0000000..af3cf8c --- /dev/null +++ b/roles/space_server/files/radius/mods-available/python3-assha 
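Review bot: `return h == crypted`, the context line right after the changed sha1 call in check_pwd, compares the computed digest to the stored one with ordinary string equality, which stops at the first differing character; `return hmac.compare_digest(h, crypted)` (with `import hmac` alongside the existing hashlib import at the top of the file) is the constant-time form normally used for a password check. The new `.encode('utf-8')` is the right fix for Python 3's str/bytes split, but it is worth a comment on that line that the stored scheme remains a single salted SHA-1 round over `'--salt--pw--'`, which offers little protection if the users file ever leaks; moving to a slow KDF is a separate change and deserves a TODO here. check_pwd's `def` line is only the hunk's context and lies outside the hunk.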
@@ -0,0 +1,15 @@
+python3 {
+ module = assha
+
+ #mod_instantiate = ${.module}
+ #func_instantiate = instantiate
+
+ #mod_detach = ${.module}
+ #func_detach = instantiate
+
+ mod_authorize = ${.module}
+ func_authorize = authorize
+
+ mod_authenticate = ${.module}
+ func_authenticate = authenticate
+}
diff --git a/roles/space_server/files/radius/pythonpath.conf b/roles/space_server/files/radius/pythonpath.conf
new file mode 100755
index 0000000..6a7f6ba
--- /dev/null
+++ b/roles/space_server/files/radius/pythonpath.conf
@@ -0,0 +1,2 @@
+[Service]
+Environment=PYTHONPATH='/etc/raddb/mods-config/python3'
diff --git a/roles/space_server/files/radius/sites-available/labitat-inner b/roles/space_server/files/radius/sites-available/labitat-inner
index 8c099fc..d3ef9c2 100644
--- a/roles/space_server/files/radius/sites-available/labitat-inner
+++ b/roles/space_server/files/radius/sites-available/labitat-inner
@@ -13,7 +13,7 @@ server labitat-inner { ok = return } - python + python3 expiration logintime pap
@@ -24,7 +24,7 @@ server labitat-inner { pap } - python + python3 eap }
diff --git a/roles/space_server/handlers/main.yml b/roles/space_server/handlers/main.yml
index 3a92a46..0ae6ef4 100644
--- a/roles/space_server/handlers/main.yml
+++ b/roles/space_server/handlers/main.yml
@@ -13,11 +13,8 @@ - name: restart bird systemd: - name: '{{ item }}.service' + name: bird.service state: restarted - with_items: - - bird - - bird6 when: not chroot - name: restart dhcpd
diff --git a/roles/space_server/tasks/bird.yml b/roles/space_server/tasks/bird.yml
index 4ce01eb..c81176d 100644
--- a/roles/space_server/tasks/bird.yml
+++ b/roles/space_server/tasks/bird.yml 
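Review bot: `Environment=PYTHONPATH='/etc/raddb/mods-config/python3'` in the new pythonpath.conf relies on systemd stripping the single quotes that sit inside the assignment; if they were passed through literally, Python would search a directory whose name includes the quotes and the assha module would fail to import with no obvious hint why. The value contains no whitespace, so the quotes buy nothing: `Environment=PYTHONPATH=/etc/raddb/mods-config/python3` removes the question, and `systemctl show radiusd.service -p Environment` on the host shows what radiusd actually receives. The file is also committed with mode 100755; the copy task in radius.yml installs it as 0644, so only the repository bit is odd, but a config drop-in should not be executable there either.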
@@ -1,68 +1,22 @@ --- -- name: Make sure /etc/bird exists - file: - dest: '/etc/bird' - state: directory - owner: root - group: root - mode: 0755 -- name: Create bird configuration - copy: - dest: '/etc/bird/' - src: '{{ item }}' - owner: root - group: root - mode: 0644 - with_fileglob: 'bird/*' - loop_control: - label: '/etc/bird/{{ item|basename }}' - notify: - - restart bird - -- name: Create bird.conf and bird6.conf symlinks - file: - path: '/etc/{{ item }}.conf' - src: 'bird/{{ item }}.conf' - state: link - force: yes - with_items: - - bird - - bird6 - -# bird6 wants the link to have a link-local address -# when starting, so wait for it -- name: Create bird6 service drop-in directory - file: - dest: '/etc/systemd/system/bird6.service.d' - state: directory - owner: root - group: root - mode: 0755 -- name: Start bird6 after networks are configured +- name: Create /etc/bird.conf copy: - dest: '/etc/systemd/system/bird6.service.d/wait-online.conf' - src: wait-online.conf + dest: '/etc/bird.conf' + src: 'bird.conf' owner: root group: root mode: 0644 + notify: restart bird -- name: Enable bird and bird6 +- name: Enable bird.service systemd: - name: '{{ item }}.service' + name: 'bird.service' enabled: yes masked: no state: started - with_items: - - bird - - bird6 when: not chroot - name: '- when in chroot' - command: 'systemctl enable {{ item }}.service' - args: - creates: '/etc/systemd/system/multi-user.target.wants/{{ item }}.service' - with_items: - - bird - - bird6 + command: 'systemctl enable bird.service' when: chroot # vim: set ts=2 sw=2 et: diff --git a/roles/space_server/tasks/kernel.yml b/roles/space_server/tasks/kernel.yml index 9354850..db4e5d2 100644 --- a/roles/space_server/tasks/kernel.yml +++ b/roles/space_server/tasks/kernel.yml 
@@ -1,4 +1,12 @@ --- +- name: Make sure /boot/<machine-id> exists + file: + path: '/boot/{{ ansible_machine_id }}' + state: directory + owner: root + group: root + mode: 0755 + - name: Make sure /etc/kernel/install.d exists file: path: '{{ item }}' diff --git a/roles/space_server/tasks/radius.yml b/roles/space_server/tasks/radius.yml index a3f4183..2747d31 100644 --- a/roles/space_server/tasks/radius.yml +++ b/roles/space_server/tasks/radius.yml @@ -9,7 +9,7 @@ with_items: - radiusd.conf - mods-available/eap - - mods-available/python-assha + - mods-available/python3-assha - sites-available/labitat - sites-available/labitat-inner notify: @@ -17,7 +17,7 @@ - name: Create assha python script copy: - dest: '/etc/raddb/mods-config/python/assha.py' + dest: '/etc/raddb/mods-config/python3/assha.py' src: 'radius/assha.py' owner: root group: root @@ -42,6 +42,7 @@ state: '{{ item.state }}' owner: root group: radiusd + follow: no force: yes with_items: - { name: default, state: absent } @@ -58,11 +59,11 @@ state: '{{ item.state }}' owner: root group: radiusd + follow: no force: yes with_items: - - { name: files, state: absent } - - { name: python, state: absent } - - { name: python-assha, state: link } + - { name: files, state: absent } + - { name: python3-assha, state: link } notify: - restart radiusd @@ -116,6 +117,14 @@ group: root mode: 0644 +- name: Set PYTHONPATH for radiusd + copy: + dest: '/etc/systemd/system/radiusd.service.d/pythonpath.conf' + src: 'radius/pythonpath.conf' + owner: root + group: root + mode: 0644 + - name: Enable radiusd service systemd: name: radiusd.service diff --git a/roles/space_server/vars/main.yml b/roles/space_server/vars/main.yml index 65c14a7..ed39f54 100644 --- a/roles/space_server/vars/main.yml +++ b/roles/space_server/vars/main.yml @@ -10,7 +10,6 @@ locale_default: dnf_conf_role: 'main.install_weak_deps': 'False' - 'main.best': 'True' 'main.deltarpm': 'False' dnf_packages_role: 
@@ -23,15 +22,15 @@ dnf_packages_role: 'htop': present 'man-db': present 'syslinux': present + 'systemd-udev': present 'systemd-container': present 'sudo': present 'nftables': present 'openssh-server': present 'openssh-clients': present 'bird': present - 'bird6': present 'dhcp-server': present - 'freeradius-python': present # pulls in radiusd + 'python3-freeradius': present # pulls in radiusd 'curl': present 'diffutils': present 'bind': present @@ -6,7 +6,10 @@ chroot: "{{ ansible_connection == 'chroot' or 'container' in ansible_env }}" tags: always - name: Load secrets - include_vars: 'secrets.yml' + include_vars: '{{ item }}' + with_first_found: + - secrets.yml + - /root/secrets.yml ignore_errors: yes tags: always roles: |
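Review bot: The new `with_first_found` list in the last hunk on this page (its `diff --git` header is not shown, but the `chroot:` context identifies the playbook) still relies on the pre-existing `ignore_errors: yes` to survive a missing secrets file, and that also masks real failures of include_vars, such as an unreadable or malformed `/root/secrets.yml`, which then surface later as undefined variables. The lookup's own `skip: true` option handles the not-found case cleanly, so `ignore_errors` can go and genuine load errors stop the run. The bootstrap script installs the file as root with mode 0600, so reading it from /root during ansible-pull is consistent with that; a comment naming that source would help the next reader.

```yaml
- name: Load secrets
  include_vars: '{{ item }}'
  with_first_found:
    - files:
        - secrets.yml
        - /root/secrets.yml
      skip: true
  tags: always
```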