path: root/roles/space_server
Age | Commit message | Author
2021-06-18 | space_server: nftables: colo: accept BGP connections [routing-changes] | Asbjørn Sloth Tønnesen
Until now BGP connections have only been established when the space server has initiated the connection to the peer. It's best practice for both BGP speakers to be able to connect to one another, lowering recovery time.
2021-06-18 | space_server: nftables: colo: use dynamic reverse path filter | Asbjørn Sloth Tønnesen
This patch changes the reverse path filtering of the labicolo VLAN to take place in the prerouting hook, using the kernel routing table, and removes the need to maintain a static prefix list. Labicolo routes are exported to the kernel routing table by BIRD, hence it should be sufficient to only have prefix lists there. This change has been tested, and it's only possible to spoof fellow labicolo members' address space (same as before).
2021-06-18 | space_server: bird: remove old prefix lists | Asbjørn Sloth Tønnesen
Now that we use communities, we don't need this prefix filter anymore, only the per-customer prefix filters.
2021-06-18 | space_server: bird: export prefixes based on communities | Asbjørn Sloth Tønnesen
We only announce a prefix if we have received it from a customer connection or if we originate it ourselves. This way we avoid announcing prefixes matching the earlier used prefix list if we haven't received it via the customer connection. This is important for multi-homed labicolo customers.
2021-06-18 | space_server: bird: set communities on import | Asbjørn Sloth Tønnesen
Assign large communities on prefix import. Later we can then use the community to decide if we should announce it to our peers.
2021-06-18 | space_server: bird: prepare large communities | Asbjørn Sloth Tønnesen
This patch prepares us for adopting Large BGP Communities (RFC 8092).
Basic format of Large BGP Communities: <uint32_t asn>:<uint32_t function>:<uint32_t value>
We use function 1 for storing prefix type (or relation). We then assign a value to transit, peering, customer and originated prefixes.
Large BGP Communities:
http://largebgpcommunities.net/
https://tools.ietf.org/html/rfc8092
https://tools.ietf.org/html/rfc8195
2021-06-18 | space_server: bird: asbjorn: enable TTL security | Asbjørn Sloth Tønnesen
2021-06-18 | space_server: bird: fiberby: enable TTL security | Asbjørn Sloth Tønnesen
This protects us, among other things, against 3rd parties resetting the TCP connection underneath our BGP sessions. This has been enabled in both ends, and this _MUST_ remain enabled, otherwise these sessions will go down. If this needs to be disabled for some reason then it must be coordinated with Fiberby.
RFC 5082 - The Generalized TTL Security Mechanism
https://datatracker.ietf.org/doc/html/rfc5082
2021-06-18 | space_server: bird: fix prefix error [HEAD, master] | Hafnium
The prefix was only routable on the internal network, not the whole internet, as it was not added in local_prefix_v6. The 2a0e:8f02:f034::/48 is attached to my ASN, AS211153.
Commit message fixed up by Esmil
2021-06-17 | space_server: bird: add bgp peering for Hafnium/AS211153 | Hafnium
Commit message and nftables rule fixed up by Esmil
2021-06-01 | space_server: vars: update foodputer mac address | Emil Renner Berthing
In a heroic effort Asbjørn has replaced the old broken foodputer.
2021-06-01 | space_server: vars: add more convenient packages | Emil Renner Berthing
2021-01-29 | space_server: chrony: start chrony after we're online | Emil Renner Berthing
2021-01-22 | space_server: named: add trust-ad option to resolv.conf | Emil Renner Berthing
2021-01-19 | space_server: radius: use letsencrypt certificate | Emil Renner Berthing
2021-01-19 | space_server: certbot: get space.labitat.dk certificate | Emil Renner Berthing
2021-01-19 | space_server: ssh: add config for switches | Emil Renner Berthing
2021-01-19 | space_server: chrony: run chrony ntp server | Emil Renner Berthing
2021-01-18 | fedora: handlers: add restart sshd handler | Emil Renner Berthing
2021-01-17 | space_server: update for Fedora 33 | Emil Renner Berthing
2021-01-16 | space_server: vars: add bunkerap1 | Emil Renner Berthing
2021-01-16 | space_server: vars: add bunkerswitch | Emil Renner Berthing
2021-01-16 | space_server: vars: add description for switch | Emil Renner Berthing
..and remove wrong MAC address. The switch doesn't (and shouldn't) use dhcp.
2020-11-17 | space_server: add static ips for pixelflut [hafnium] | Hafnium
2020-10-17 | space_server: nftables: drop spoofed incoming traffic | Emil Renner Berthing
Discovered by IMAAL Research Lab, Brigham Young University, thank you.
2020-08-13 | space_server: add labicolo ipv6 range for Esmil | Emil Renner Berthing
2020-06-19 | space_server: radius: update radiusd.conf | Emil Renner Berthing
2020-06-01 | users: rasmis: added | Emil Renner Berthing
Add Rasmus so he can jump to the foodputer and read out the drinkomatic database.
2020-03-21 | space_server: networkd: set NTP server on wan interface | Emil Renner Berthing
time.cloudflare.com has much lower ping than any of the default N.fedora.pool.ntp.org servers.
2020-03-20 | space_server: nftables: remove traffic stats rules | Emil Renner Berthing
This used to open up for polling our old switch for traffic data, but it died and it doesn't work with the new switch so let's plug the hole.
2020-03-20 | users: graffen: added | Jesper Hess Nielsen
2020-03-14 | space_server: nftables: add graffens prefixes to nftables | Jesper Hess Nielsen
2020-03-14 | space_server: bird: add ipv4 BGP session for graffen | Jesper Hess Nielsen
2020-03-11 | space_server: bird: add bgp peering for graffen/AS209616 | Jesper Hess Nielsen
2020-03-07 | space_server: nftables: forward space.labitat.dk:17380 to jumbotron | Emil Renner Berthing
2020-03-01 | space_server: radius: configure certificates | Emil Renner Berthing
2020-02-29 | space_server: update to Fedora 31 | Emil Renner Berthing
2020-02-29 | space_server: networkd: set Scope=link link addresses | Emil Renner Berthing
2020-02-27 | roles: remove useless |bool filters | Emil Renner Berthing
This used to be a fix for some bogus warnings, but they seem to have gone in recent versions of Ansible
2020-02-27 | space_server: show nicer loop items | Emil Renner Berthing
2020-02-27 | space_server: avahi: use shorter dict format | Emil Renner Berthing
2020-02-27 | space_server: move sudo tasks to fedora role | Emil Renner Berthing
..to align with debian role
2020-02-27 | space_server: use common secrets.yml in ansible root | Emil Renner Berthing
..and generalize and move sshd tasks to fedora role.
2020-02-27 | fedora: update for hash_behaviour = replace | Emil Renner Berthing
2020-02-23 | space_server: vars: add piscreen2.s | Emil Renner Berthing
2019-07-06 | roles: fix warnings about bare boolean variables | Emil Renner Berthing
2019-05-02 | space_server: renumber Fiberby link | Asbjørn Sloth Tønnesen
Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
2019-04-11 | space_server: dhcpd: add timezone info | Emil Renner Berthing
2019-04-07 | space_server: dhcpd: only do ddns for sane hostnames | Emil Renner Berthing
2019-04-05 | space_server: named: allow local transfer queries | Emil Renner Berthing
..so now you can see all registered dhcp hostnames with: dig axfr dhcp