Initial commit, squashed

roles/firewall/tasks/config.yml

@@ -0,0 +1,59 @@
+- name: Install packages for config updates
+  package:
+    name: tar
+
+- name: Limit SSH for config updates
+  copy:
+    dest: /etc/ssh/
+    src: sshd_config.friwall
+  notify: reload sshd.friwall
+
+- name: Create SSH service for config updates
+  file:
+    path: /etc/init.d/sshd.friwall
+    src: /etc/init.d/sshd
+    state: link
+
+- name: Configure SSH service for config updates
+  copy:
+    dest: /etc/conf.d/sshd.friwall
+    content: |
+      cfgfile="/etc/ssh/sshd_config.friwall"
+      vrf="default"
+  notify: restart sshd.friwall
+
+- name: Enable SSH service for config updates
+  service:
+    name: sshd.friwall
+    enabled: yes
+    state: started
+
+- name: Install config updater
+  copy:
+    dest: /usr/local/bin/
+    src: update
+    mode: 0700
+
+- name: Get master SSH key
+  delegate_to: '{{ master }}'
+  command: "cat ~friwall/.ssh/id_ed25519.pub"
+  register: master_key
+  changed_when: false
+
+- name: Deploy master key on node
+  authorized_key: "user=root key={{ master_key.stdout }}"
+
+- name: Get my host SSH key
+  command: cat /etc/ssh/ssh_host_ed25519_key.pub
+  register: node_key
+  changed_when: false
+
+- name: Introduce myself to master
+  delegate_to: '{{ master }}'
+  become: yes
+  become_user: friwall
+  become_method: su
+  become_flags: "-s /bin/sh" # no login shell for user
+  known_hosts:
+    name: "{{ inventory_hostname }}"
+    key: "{{ inventory_hostname }},{{ interfaces | selectattr('name', '==', 'lo') | map(attribute='ip_addresses') | first | selectattr('role') | selectattr('role.value', '==', 'loopback') | map(attribute='address') | ipv4 | first | ipaddr('address') }} {{ node_key.stdout }}" # TODO make IP retrieval less terrifying

roles/firewall/tasks/conntrackd.yml

@@ -0,0 +1,36 @@
+- name: Install conntrack-tools
+  package:
+    name: conntrack-tools
+
+# Ensure the module is loaded before setting sysctl values.
+- name: Autoload nf_conntrack
+  lineinfile:
+    dest: /etc/modules-load.d/netfilter.conf
+    line: nf_conntrack
+    create: yes
+
+# Set required sysctl values.
+- name: Set sysctl values for conntrackd
+  copy:
+    dest: /etc/sysctl.d/
+    src: conntrackd.conf
+
+- name: Set up conntrackd
+  template:
+    dest: /etc/conntrackd/conntrackd.conf
+    src: conntrackd.conf.j2
+    mode: 0644
+  notify: restart conntrackd
+
+- name: Run conntrackd in default VRF
+  lineinfile:
+    dest: /etc/conf.d/conntrackd
+    line: 'vrf="default"'
+    regexp: '^vrf='
+  notify: restart conntrackd
+
+- name: Enable conntrackd
+  service:
+    name: conntrackd
+    enabled: yes
+    state: started

roles/firewall/tasks/frr.yml

@@ -0,0 +1,48 @@
+- name: Enable sysctl service
+  service:
+    name: sysctl
+    enabled: yes
+    runlevel: boot
+    state: started
+
+- name: Enable community package repo
+  lineinfile:
+    path: /etc/apk/repositories
+    regexp: '^# *(http.*/v[^/]*/community)'
+    line: '\1'
+    backrefs: yes
+
+- name: Install FRR
+  package:
+    name: frr,frr-pythontools
+    state: latest
+
+- name: Set datacenter defaults
+  lineinfile:
+    path: /etc/frr/daemons
+    regexp: '^frr_profile='
+    line: 'frr_profile="datacenter"'
+  notify: restart frr
+
+- name: Enable BGP and BFD
+  lineinfile:
+    path: /etc/frr/daemons
+    regexp: "^{{ item }}="
+    line: "{{ item }}=yes"
+  loop:
+    - bfdd
+    - bgpd
+  notify: restart frr
+
+- name: Enable FRR service
+  service:
+    name: frr
+    enabled: yes
+    state: started
+
+- name: Copy FRR config
+  template:
+    dest: /etc/frr/frr.conf
+    src: frr.conf.j2
+    mode: 0644
+  notify: reload frr

roles/firewall/tasks/main.yml

@@ -0,0 +1,64 @@
+- name: Update package cache
+  package:
+    update_cache: yes
+
+- name: Install packages
+  package:
+    name: bash,bonding,iproute2
+    state: latest
+
+- name: Tell mdev to rename network interfaces
+  lineinfile:
+    path: /etc/mdev.conf
+    line: '-net/.* root:root 600 @/sbin/nameif -s'
+    insertafter: '^# net devices'
+  notify: mkinitfs
+
+- name: Configure interface names
+  template:
+    dest: /etc/mactab
+    src: mactab.j2
+    mode: 0644
+
+- name: Create /etc/network/interfaces.d
+  file:
+    path: /etc/network/interfaces.d
+    state: directory
+    mode: 0755
+
+- name: Set up interfaces
+  template:
+    dest: /etc/network/interfaces
+    src: interfaces.j2
+    mode: 0644
+  notify: enable interfaces
+
+- name: Set up management interfaces
+  import_tasks: mgmt.yml
+
+- name: Set up data interfaces
+  template:
+    dest: /etc/network/interfaces.d/fabric.intf
+    src: fabric.intf.j2
+    mode: 0644
+  notify: enable interfaces
+
+- name: Set up sysctls
+  template:
+    dest: /etc/sysctl.d/firewall.conf
+    src: sysctl.conf.j2
+
+- name: Set up FRR
+  import_tasks: frr.yml
+
+- name: Set up wireguard
+  import_tasks: wireguard.yml
+
+- name: Set up nftables
+  import_tasks: nftables.yml
+
+- name: Set up conntrackd
+  import_tasks: conntrackd.yml
+
+- name: Set up configuration channel
+  import_tasks: config.yml

roles/firewall/tasks/mgmt.yml

@@ -0,0 +1,25 @@
+- name: Set up management interfaces
+  template:
+    dest: /etc/network/interfaces.d/mgmt.intf
+    src: mgmt.intf.j2
+    mode: 0644
+  register: task_mgmt_interface
+
+- name: Run SSH in management VRF
+  lineinfile:
+    path: /etc/conf.d/sshd
+    line: "vrf=\"mgmt\""
+  register: task_ssh_vrf
+
+- name: Reboot for new VRF
+  reboot:
+  when: task_mgmt_interface.changed or task_ssh_vrf.changed
+  register: task_reboot
+
+- name: Reset the connection
+  meta: reset_connection
+
+- name: Wait for the network device to reload
+  wait_for_connection:
+    delay: 10
+  when: task_reboot.changed

roles/firewall/tasks/nftables.yml

@@ -0,0 +1,25 @@
+- name: Install nftables
+  package:
+    name: nftables
+
+- name: Copy nftables config
+  template:
+    dest: /etc/nftables.nft
+    src: nftables.nft.j2
+    mode: 0644
+  notify: reload nftables
+
+- name: Copy static nftables includes
+  template:
+    dest: '/etc/nftables.d/{{ item }}'
+    src: '{{ item }}.j2'
+    mode: 0644
+  loop:
+    - interfaces.nft
+  notify: reload nftables
+
+- name: Enable nftables service
+  service:
+    name: nftables
+    enabled: yes
+    state: started

roles/firewall/tasks/wireguard.yml

@@ -0,0 +1,26 @@
+# All firewall nodes share one external IP for wireguard connections.
+# Private key and peer configuration is the same for all nodes. Peers
+# connected to each node are installed in the routing table and
+# distributed into fabric.
+
+- name: Install wireguard tools
+  package:
+    name: wireguard-tools
+
+- name: Create wireguard directory
+  file:
+    path: /etc/wireguard
+    state: directory
+
+- name: Touch wireguard config
+  file:
+    path: /etc/wireguard/wg.conf
+    state: touch
+    access_time: preserve
+    modification_time: preserve
+
+- name: Add wireguard interface
+  template:
+    dest: /etc/network/interfaces.d/wg.intf
+    src: wg.intf.j2
+  notify: enable interfaces