6dcae194d7
firewall: accept VPN connections from inside also
People tend to leave WireGuard tunnels active and we don’t want things
to become unreachable when moving to one of the inside networks.
2024-04-08 15:03:29 +02:00

c479f90669
access: move switch config templates back to this repo
Let’s keep it simple. Also editing templates in NetBox is a pain.
2024-04-08 14:45:39 +02:00

1ffdea8e43
firewall: fix duplicate space in template
2024-04-05 12:00:55 +02:00

f489555ba1
access: fix password store subdirectory for switches
2024-04-05 12:00:22 +02:00

7ef4023424
firewall: add known IP ranges in network ipset definitions
This data should only change in NetBox, so no point deploying it from
firewall master. Sometimes the first approach is the best approach.
2024-03-19 09:46:26 +01:00

aa82e5aa18
firewall_master: don’t define ipsets for VLAN groups
Was a harebrained idea from the start.
2024-03-19 09:45:23 +01:00

a97d133873
fabric: don’t set bond slaves if there are none
Not that that should happen except by mistake.
2024-03-05 12:46:26 +01:00

be0cc49b33
access: ignore more non‐changes
Should probably move this somewhere more listy if it keeps growing.
2024-03-04 10:12:38 +01:00

dbc00fd448
fabric: add custom field on dcim.Interface for bond mode
2024-02-27 13:35:29 +01:00

ce7c1bd49e
fabric: consolidate interface templates
Mostly to avoid special‐casing bond interfaces, and to support BGP
connections over virtual interfaces.
2024-02-27 13:35:29 +01:00

5381fecaa4
fabric: fix check for peer switch
2024-02-27 13:35:29 +01:00

65c16dbc63
Drop BGP update-delay option
Dropped from Cumulus manual and advised by seniors.
2024-02-27 13:35:29 +01:00

e93877c83d
firewall_master: add newly required option to pip invocation
Reduce the system to rubble and ashes.
2024-02-27 13:35:29 +01:00

7fe1dac008
firewall: use slurp instead of generic command to get host key
2024-02-27 13:35:29 +01:00

c20c47709c
exit: fix keepalive configuration
There will be order or there will be chaos.
2024-02-18 16:28:35 +01:00

37c025e2a0
firewall_master: move secrets to password store
2024-02-13 13:13:56 +01:00

d94e79f8b7
certbot_dns: move secrets to password store
2024-02-13 13:13:43 +01:00

27dac09549
access: move secrets to password store
Keeping ansible-vault values in NetBox is too cumbersome and limited.
2024-02-13 10:33:14 +01:00

91afaec9c2
firewall: allow connections from master with NATted IP
2024-02-06 09:19:49 +01:00

f54b23f49a
firewall: disable forwarding for mgmt interfaces in if-pre-up
Should be more robust and more importantly works when interfaces are
not renamed by mdev as is the situation now.
2024-01-30 13:11:35 +01:00

25289dd82f
firewall: fix interface renaming
The mdev rules for renaming interfaces at boot seem to not work with
latest Alpine. So rename with ifupdown instead.
2024-01-30 13:11:35 +01:00

544aa0a088
firewall: create empty ipsets for known networks
So we don’t crash and burn before config is set up.
2024-01-30 12:37:14 +01:00

161ce73be7
exit: restart keepalived on DHCP config update
2024-01-30 12:36:19 +01:00

aeb124e346
Add inside and outside roles for VLANs
Will probably rename inside/outside and office/server to int/ext.
2024-01-30 12:35:33 +01:00

0802dc8637
access: move templates to netbox
And adjust tasks to work with FS switches also.
2023-12-29 14:55:00 +01:00

be398e54fe
fabric: sort bridge VLANs by ID
Instead of barfing on unsortable dicts.
2023-12-29 13:52:05 +01:00

6fd5432b69
fabric: reload switchd before reloading interfaces
Don’t want to bring up a nonexisting interface.
2023-12-29 09:01:01 +01:00

0d24f9fdc7
firewall: log policy update messages to syslog
2023-12-18 12:55:50 +01:00

2b275c2ab4
exit: receive VPN IPv6 addresses from firewalls
And share them with peer over backup link.
2023-12-18 12:55:50 +01:00

c2d0e88996
firewall: set IPv6 address for wireguard interface
And advertise it.
2023-12-18 12:55:50 +01:00

d789e4a037
leaf: don’t talk BGP at bridges and bonds
2023-12-18 12:55:50 +01:00

9e8db74d24
fabric: allow setting bridge access VLANs on non-bond ports
2023-12-18 12:55:50 +01:00

950cd41c33
fabric: only add enabled ports to bridge
2023-12-18 12:55:50 +01:00

158e8740b8
Initial commit, squashed
2023-12-18 12:55:47 +01:00