authorEmil Renner Berthing <esmil@labitat.dk>2020-02-29 14:09:39 +0100
committerEmil Renner Berthing <esmil@labitat.dk>2020-02-29 23:48:24 +0100
commitca467c55d8bbd633870c1fcaff0677bc2c6eaa9f (patch)
tree563ec89a5690de52204379dab46556b0926d7a39 /roles/space_server/files
parent543907b4fb61a529f81e0cbe86fd7e7d967b6d60 (diff)
downloadlabitat-ansible-ca467c55d8bbd633870c1fcaff0677bc2c6eaa9f.tar.gz
labitat-ansible-ca467c55d8bbd633870c1fcaff0677bc2c6eaa9f.tar.xz
labitat-ansible-ca467c55d8bbd633870c1fcaff0677bc2c6eaa9f.zip
space_server: update to Fedora 31
Diffstat (limited to 'roles/space_server/files')
-rw-r--r--roles/space_server/files/bird.conf231
-rw-r--r--roles/space_server/files/bird/bird.conf7
-rw-r--r--roles/space_server/files/bird/bird6.conf7
-rw-r--r--roles/space_server/files/bird/filter.conf31
-rw-r--r--roles/space_server/files/bird/peers4.conf11
-rw-r--r--roles/space_server/files/bird/peers6.conf11
-rw-r--r--roles/space_server/files/bird/protocols.conf18
-rw-r--r--roles/space_server/files/bird/symbol4.conf7
-rw-r--r--roles/space_server/files/bird/symbol6.conf7
-rw-r--r--roles/space_server/files/bird/templates.conf18
-rw-r--r--roles/space_server/files/networkd/10-lo.network8
-rwxr-xr-xroles/space_server/files/radius/assha.py4
-rw-r--r--roles/space_server/files/radius/mods-available/python-assha17
-rw-r--r--roles/space_server/files/radius/mods-available/python3-assha15
-rwxr-xr-xroles/space_server/files/radius/pythonpath.conf2
-rw-r--r--roles/space_server/files/radius/sites-available/labitat-inner4
16 files changed, 252 insertions, 146 deletions
diff --git a/roles/space_server/files/bird.conf b/roles/space_server/files/bird.conf
new file mode 100644
index 0000000..acc191c
--- /dev/null
+++ b/roles/space_server/files/bird.conf
@@ -0,0 +1,231 @@
+#
+# BIRD 2 configuration for AS205235 Labitat
+#
+
+log syslog all;
+#debug protocols all;
+debug protocols { events, states };
+
+watchdog warning 5 s;
+watchdog timeout 30 s;
+
+timeformat base iso long;
+timeformat log iso long;
+timeformat protocol iso long;
+timeformat route iso long;
+
+router id 185.38.175.0;
+
+# functions and filters
+
+define local_asn = 205235;
+define fiberby_asn = 42541;
+define asbjorn_asn = 207727;
+
+define local_prefixes_v4 = [
+ 185.38.175.0/24,
+ 194.165.56.0/24,
+ 194.165.58.0/24
+];
+
+define local_prefixes_v6 = [
+ 2a01:4262:1ab::/48,
+ 2a10:2a80:ac::/48,
+ 2a10:2a80:1ab::/48
+];
+
+define asbjorn_prefixes_v4 = [
+ 194.165.56.0/24,
+ 194.165.58.0/24
+];
+
+define asbjorn_prefixes_v6 = [
+ 2a10:2a80:ac::/48,
+ 2a10:2a80:1ab::/48
+];
+
+# functions and filters
+
+function is_default_route() {
+ case net.type {
+ NET_IP4: if net = 0.0.0.0/0 then return true;
+ NET_IP6: if net = ::/0 then return true;
+ }
+ return false;
+}
+
+function is_customer_route() {
+ case net.type {
+ NET_IP4: if net ~ local_prefixes_v4 then return true;
+ NET_IP6: if net ~ local_prefixes_v6 then return true;
+ }
+ return false;
+}
+
+filter kernel_export {
+ if source !~ [ RTS_BGP, RTS_STATIC ] then reject;
+ if is_default_route() then accept;
+ if is_customer_route() then accept;
+ reject;
+}
+
+function honor_graceful_shutdown()
+{
+ # RFC 8326 Graceful BGP Session Shutdown
+ if (65535, 0) ~ bgp_community then {
+ bgp_local_pref = 0;
+ }
+}
+
+filter transit_import {
+ honor_graceful_shutdown();
+ accept;
+}
+
+filter transit_export {
+ if is_customer_route() then accept;
+ reject;
+}
+
+# generate local routes
+protocol static static4 {
+ ipv4;
+ route 185.38.175.0/24 unreachable;
+}
+
+protocol static static6 {
+ ipv6;
+ route 2a01:4262:1ab::/48 unreachable;
+}
+
+# customer import
+function customer_import(int peer_asn; prefix set peer_prefixes) {
+ if net !~ peer_prefixes then reject;
+ if bgp_path.first != peer_asn then reject;
+ accept;
+}
+
+# customer export functions
+function customer_export_default_only() {
+ if !is_default_route() then reject;
+ accept;
+}
+
+function customer_export_dfz() {
+ if source !~ [ RTS_BGP, RTS_STATIC ] then reject;
+ if is_default_route() then reject;
+ accept;
+}
+
+function customer_export_and_default() {
+ if is_default_route() then {
+ customer_export_default_only();
+ } else {
+ customer_export_dfz();
+ }
+}
+
+
+# define basic protocols
+protocol device {}
+
+protocol direct {
+ ipv4;
+ ipv6;
+}
+
+protocol kernel kernel4 {
+ ipv4 {
+ import none;
+ export filter kernel_export;
+ };
+ learn;
+ persist;
+ graceful restart;
+ merge paths;
+}
+
+protocol kernel kernel6 {
+ ipv6 {
+ import none;
+ export filter kernel_export;
+ };
+ learn;
+ persist;
+ graceful restart;
+ merge paths;
+}
+
+
+# templates
+template bgp bgp_customer {
+ default bgp_local_pref 150;
+}
+
+template bgp bgp_transit_v4 {
+ default bgp_local_pref 100;
+ ipv4 {
+ import limit off;
+ receive limit off;
+ import keep filtered on;
+ import filter transit_import;
+ export filter transit_export;
+ };
+}
+
+template bgp bgp_transit_v6 {
+ default bgp_local_pref 100;
+ ipv6 {
+ import limit off;
+ receive limit off;
+ import keep filtered on;
+ import filter transit_import;
+ export filter transit_export;
+ };
+}
+
+# Transit
+protocol bgp fiberby_tgc_v4 from bgp_transit_v4 {
+ local 193.106.167.41 as local_asn;
+ neighbor 193.106.167.40 as fiberby_asn;
+}
+
+protocol bgp fiberby_inx_v4 from bgp_transit_v4 {
+ local 193.106.167.43 as local_asn;
+ neighbor 193.106.167.42 as fiberby_asn;
+}
+
+protocol bgp fiberby_tgc_v6 from bgp_transit_v6 {
+ local 2a03:5440:1:2935:1ab:1::2 as local_asn;
+ neighbor 2a03:5440:1:2935:1ab:1::1 as fiberby_asn;
+}
+
+protocol bgp fiberby_inx_v6 from bgp_transit_v6 {
+ local 2a03:5440:1:2935:1ab:2::2 as local_asn;
+ neighbor 2a03:5440:1:2935:1ab:2::1 as fiberby_asn;
+}
+
+# BGP customer: asbjorn
+protocol bgp asbjorn_ipv4 from bgp_customer {
+ local 185.38.175.65 as local_asn;
+ neighbor 185.38.175.75 as asbjorn_asn;
+ ipv4 {
+ import limit 10 action block;
+ receive limit 20 action disable;
+ import keep filtered on;
+ import filter { customer_import(asbjorn_asn, asbjorn_prefixes_v4); };
+ export filter { customer_export_default_only(); };
+ };
+}
+
+protocol bgp asbjorn_ipv6 from bgp_customer {
+ local 2a01:4262:1ab:20::1 as local_asn;
+ neighbor 2a01:4262:1ab:20::75 as asbjorn_asn;
+ ipv6 {
+ import limit 10 action block;
+ receive limit 20 action disable;
+ import keep filtered on;
+ import filter { customer_import(asbjorn_asn, asbjorn_prefixes_v6); };
+ export filter { customer_export_default_only(); };
+ };
+}
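Review bot: `filter transit_import` (L119–L122 of the new bird.conf) accepts every prefix the Fiberby sessions send, including Labitat's own and asbjorn's prefixes listed in `local_prefixes_v4`/`local_prefixes_v6`, and `transit_export` then accepts anything matching `is_customer_route()` regardless of where it was learned — so a customer prefix received on one Fiberby session (for instance while `asbjorn_ipv4` is down) is re-announced on the other, which is a route leak rather than the intended origination-only export. Adding `if is_customer_route() then reject;` as the first line of `transit_import` keeps local origination authoritative and makes `transit_export` safe by construction. Since the transit templates set `import limit off` and `receive limit off`, the same filter is also the only place to drop bogons and prefixes longer than /24 or /48; a comment such as `# transit is trusted for the default route and the DFZ only, never for our own prefixes` would make the intent explicit. The sessions carry no `password` or `ttl security` settings — presumably unchanged from the old per-family configs, but worth confirming with the upstream now that the config is being rewritten.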
diff --git a/roles/space_server/files/bird/bird.conf b/roles/space_server/files/bird/bird.conf
deleted file mode 100644
index 2ae72f0..0000000
--- a/roles/space_server/files/bird/bird.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-router id 185.38.175.0;
-
-include "bird/symbol4.conf";
-include "bird/filter.conf";
-include "bird/protocols.conf";
-include "bird/templates.conf";
-include "bird/peers4.conf";
diff --git a/roles/space_server/files/bird/bird6.conf b/roles/space_server/files/bird/bird6.conf
deleted file mode 100644
index 91b5405..0000000
--- a/roles/space_server/files/bird/bird6.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-router id 185.38.175.0;
-
-include "bird/symbol6.conf";
-include "bird/filter.conf";
-include "bird/protocols.conf";
-include "bird/templates.conf";
-include "bird/peers6.conf";
diff --git a/roles/space_server/files/bird/filter.conf b/roles/space_server/files/bird/filter.conf
deleted file mode 100644
index 3edc053..0000000
--- a/roles/space_server/files/bird/filter.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-function accept_default_route()
-{
- if net = DEFAULT_ROUTE then {
- accept;
- }
-}
-
-function accept_prefixes(prefix set prefixes)
-{
- if net ~ prefixes then {
- accept;
- }
-}
-
-filter fallback_filter {
- reject "WARNING!! no filter set, all routes will be rejected";
-}
-
-filter transit_import
-{
- accept_default_route();
-
- reject;
-}
-
-filter transit_export
-{
- accept_prefixes(LABITAT_PREFIXES);
-
- reject;
-}
diff --git a/roles/space_server/files/bird/peers4.conf b/roles/space_server/files/bird/peers4.conf
deleted file mode 100644
index ac4fa69..0000000
--- a/roles/space_server/files/bird/peers4.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-template bgp fiberby from bgp_transit {
-}
-
-protocol bgp fiberby_tgc from fiberby {
- preference 90;
- neighbor 193.106.167.40 as 42541;
-}
-
-protocol bgp fiberby_inx from fiberby {
- neighbor 193.106.167.42 as 42541;
-}
diff --git a/roles/space_server/files/bird/peers6.conf b/roles/space_server/files/bird/peers6.conf
deleted file mode 100644
index a78d8c6..0000000
--- a/roles/space_server/files/bird/peers6.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-template bgp fiberby from bgp_transit {
-}
-
-protocol bgp fiberby_tgc from fiberby {
- preference 90;
- neighbor 2a03:5440:1:2935:1ab:1::1 as 42541;
-}
-
-protocol bgp fiberby_inx from fiberby {
- neighbor 2a03:5440:1:2935:1ab:2::1 as 42541;
-}
diff --git a/roles/space_server/files/bird/protocols.conf b/roles/space_server/files/bird/protocols.conf
deleted file mode 100644
index f5cc85f..0000000
--- a/roles/space_server/files/bird/protocols.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-protocol device {
- scan time 10;
-}
-
-protocol direct {
-}
-
-protocol kernel {
- metric 64;
- learn;
- persist;
- scan time 20;
- import all;
- export filter {
- krt_prefsrc = PREFSRC;
- accept;
- };
-}
diff --git a/roles/space_server/files/bird/symbol4.conf b/roles/space_server/files/bird/symbol4.conf
deleted file mode 100644
index a23c865..0000000
--- a/roles/space_server/files/bird/symbol4.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-define DEFAULT_ROUTE = 0.0.0.0/0;
-
-define LABITAT_PREFIXES = [
- 185.38.175.0/24
-];
-
-define PREFSRC = 185.38.175.0;
diff --git a/roles/space_server/files/bird/symbol6.conf b/roles/space_server/files/bird/symbol6.conf
deleted file mode 100644
index fd142c9..0000000
--- a/roles/space_server/files/bird/symbol6.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-define DEFAULT_ROUTE = ::/0;
-
-define LABITAT_PREFIXES = [
- 2a01:4262:1ab::/48
-];
-
-define PREFSRC = 2a01:4262:1ab::;
diff --git a/roles/space_server/files/bird/templates.conf b/roles/space_server/files/bird/templates.conf
deleted file mode 100644
index 4334bd8..0000000
--- a/roles/space_server/files/bird/templates.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-template bgp bgp_peer {
- local as 205235;
- import keep filtered;
- import filter fallback_filter;
- export filter fallback_filter;
- import limit 1000 action block;
- receive limit 1500 action disable;
- export limit 100 action block;
- hold time 60;
-}
-
-template bgp bgp_transit from bgp_peer {
- preference 100;
- import limit off;
- receive limit off;
- import filter transit_import;
- export filter transit_export;
-}
diff --git a/roles/space_server/files/networkd/10-lo.network b/roles/space_server/files/networkd/10-lo.network
index 6457f55..ce9fdbe 100644
--- a/roles/space_server/files/networkd/10-lo.network
+++ b/roles/space_server/files/networkd/10-lo.network
@@ -5,11 +5,3 @@ Name=lo
Address=185.38.175.0/32
Address=185.38.175.1/32
Address=2a01:4262:1ab::/128
-
-[Route]
-Type=unreachable
-Destination=185.38.175.0/24
-
-[Route]
-Type=unreachable
-Destination=2a01:4262:1ab::/48
diff --git a/roles/space_server/files/radius/assha.py b/roles/space_server/files/radius/assha.py
index e34c382..6d81be1 100755
--- a/roles/space_server/files/radius/assha.py
+++ b/roles/space_server/files/radius/assha.py
@@ -10,7 +10,7 @@ REXP = re.compile('^([^ ]+) ASSHA-Password := "(.*)"$')
def authorize(p):
#radiusd.radlog(radiusd.L_INFO, '*** radlog call in authorize ***')
reply = ( ('Reply-Message', 'Welcome to Labitat!'), )
- config = ( ('Auth-Type', 'python'), )
+ config = ( ('Auth-Type', 'python3'), )
return (radiusd.RLM_MODULE_OK, reply, config)
def load_users():
@@ -30,7 +30,7 @@ def check_pwd(user, pw):
assha = users[user]
crypted = assha[:40]
salt = assha[40:]
- h = hashlib.sha1('--%s--%s--' % (salt, pw)).hexdigest()
+ h = hashlib.sha1('--{}--{}--'.format(salt, pw).encode('utf-8')).hexdigest()
return h == crypted
def authenticate(p):
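Review bot: The line after the rewritten hash, `return h == crypted`, compares two hex digests with `==`, which returns as soon as the first differing character is found; for a password check that should be `return hmac.compare_digest(h, crypted)` (requires `import hmac`, which is outside this hunk). The new `.encode('utf-8')` is correct for the Python 3 port, but `salt` and `pw` are assumed to be `str` here — `crypted`/`salt` come from the `users` table parsed by `REXP` above the hunk, and the `pw` argument's type is set by the FreeRADIUS python3 binding, so a one-line comment `# salt and pw are str; hash input must be bytes under Python 3` would document the assumption. The salted-SHA-1 scheme itself is legacy and is not something this port can change without migrating stored hashes, but a `# TODO: legacy ASSHA (salted SHA-1) format` note would flag it. `check_pwd`'s `def` line lies outside the hunk.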
diff --git a/roles/space_server/files/radius/mods-available/python-assha b/roles/space_server/files/radius/mods-available/python-assha
deleted file mode 100644
index fa48e01..0000000
--- a/roles/space_server/files/radius/mods-available/python-assha
+++ /dev/null
@@ -1,17 +0,0 @@
-python {
- python_path="/usr/lib/python27.zip:/usr/lib64/python2.7:/usr/lib64/python2.7/plat-linux2:/usr/lib64/python2.7/lib-tk:/usr/lib64/python2.7/lib-old:/usr/lib64/python2.7/lib-dynload:/usr/lib64/python2.7/site-packages:/usr/lib/python2.7/site-packages:/etc/raddb/mods-config/python/"
-
- module = assha
-
- #mod_instantiate = ${.module}
- #func_instantiate = instantiate
-
- #mod_detach = ${.module}
- #func_detach = instantiate
-
- mod_authorize = ${.module}
- func_authorize = authorize
-
- mod_authenticate = ${.module}
- func_authenticate = authenticate
-}
diff --git a/roles/space_server/files/radius/mods-available/python3-assha b/roles/space_server/files/radius/mods-available/python3-assha
new file mode 100644
index 0000000..af3cf8c
--- /dev/null
+++ b/roles/space_server/files/radius/mods-available/python3-assha
@@ -0,0 +1,15 @@
+python3 {
+ module = assha
+
+ #mod_instantiate = ${.module}
+ #func_instantiate = instantiate
+
+ #mod_detach = ${.module}
+ #func_detach = instantiate
+
+ mod_authorize = ${.module}
+ func_authorize = authorize
+
+ mod_authenticate = ${.module}
+ func_authenticate = authenticate
+}
diff --git a/roles/space_server/files/radius/pythonpath.conf b/roles/space_server/files/radius/pythonpath.conf
new file mode 100755
index 0000000..6a7f6ba
--- /dev/null
+++ b/roles/space_server/files/radius/pythonpath.conf
@@ -0,0 +1,2 @@
+[Service]
+Environment=PYTHONPATH='/etc/raddb/mods-config/python3'
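Review bot: This drop-in is committed with the executable bit set (`new file mode 100755`) although systemd only reads it; it should be `100644` like the other config files in the role. `PYTHONPATH` here points the radiusd process at a directory it will import and execute code from, so the Ansible task that installs `/etc/raddb/mods-config/python3` (not visible here) should ensure the directory and `assha.py` are root-owned and not writable by the `radiusd` user — a short comment such as `# radiusd imports assha.py from this path; it must not be writable by the service account` would capture that. Note also that, unlike the removed `python_path=` setting in the old module config, this only applies when radiusd is started via systemd, so a manual `radiusd -X` debugging run presumably needs `PYTHONPATH` set by hand.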
diff --git a/roles/space_server/files/radius/sites-available/labitat-inner b/roles/space_server/files/radius/sites-available/labitat-inner
index 8c099fc..d3ef9c2 100644
--- a/roles/space_server/files/radius/sites-available/labitat-inner
+++ b/roles/space_server/files/radius/sites-available/labitat-inner
@@ -13,7 +13,7 @@ server labitat-inner {
ok = return
}
- python
+ python3
expiration
logintime
pap
@@ -24,7 +24,7 @@ server labitat-inner {
pap
}
- python
+ python3
eap
}