Commit graph

50 commits

Author SHA1 Message Date
Timotej Lazar 16f34c4502 Don’t gather facts when setting them 2024-05-13 17:39:47 +02:00
Timotej Lazar 8c82af23e4 firewall: also configure VPN forwards in the app
There we can define forwards only for networks with actual VPN users.
2024-05-03 11:27:27 +02:00
Timotej Lazar 7656c05b2d Revert "firewall: configure NAT from NetBox data"
Changed my mind. All NAT and VPN is configured from the app now.
2024-04-30 20:59:49 +02:00
Timotej Lazar 8a9d47f176 firewall: configure NAT from NetBox data
This is dynamic NAT for (mostly) physical networks. NAT for custom
prefixes can still be defined in the app.
2024-04-28 15:54:01 +02:00
Timotej Lazar 457ab7d3b7 Query prefixes once for all hosts
And group them into vrf_prefixes for VLAN networks and bgp_prefixes for
servers plugged directly into fabric.

This should reduce the number of queries to NetBox when configuring
firewalls and exit switches. Not sure but I think set_fact helps to
avoid queries (as opposed to setting group_vars).
2024-04-28 12:14:05 +02:00
Timotej Lazar 1c0709a6a6 fabric: allow all VLANs on bridge
Don’t try to guess what should be allowed because not all switch links
are tagged in NetBox. For now we limit mainly on access switches.
2024-04-27 11:30:20 +02:00
Timotej Lazar c07c03a430 Set default inventory 2024-04-27 11:04:02 +02:00
Timotej Lazar 2443a90bc5 fabric: use FHRP groups for virtual router IPs
More realistic- and supported-like and also avoids duplicated gateway
addresses.
2024-04-14 15:15:48 +02:00
Timotej Lazar db397cb2b1 exit: store VLAN interface addresses in NetBox
… instead of generating them from prefixes. A NetBox script can be
used to create and configure all necessary data for a new VLAN.

Instead of VLAN roles “inside” and “outside” we now create separate
VRFs for inside VLANs to match the actual exit/firewall configuration.
The “outside” VRF is for all VLANs that are directly accessible from
the internet.
2024-04-10 14:03:50 +02:00
Timotej Lazar ece3b8a377 exit: sort prefixes by family values
Because I made some seemingly unrelated changes in NetBox and they all
got flipped‐turned upside down.
2024-04-09 10:47:51 +02:00
Timotej Lazar 000f625988 Move VM secrets to a separate password store directory 2024-04-08 15:06:18 +02:00
Timotej Lazar 6dcae194d7 firewall: accept VPN connections from inside also
People tend to leave WireGuard tunnels active and we don’t want things
to become unreachable when moving to one of the inside networks.
2024-04-08 15:03:29 +02:00
Timotej Lazar c479f90669 access: move switch config templates back to this repo
Let’s keep it simple. Also editing templates in NetBox is a pain.
2024-04-08 14:45:39 +02:00
Timotej Lazar 1ffdea8e43 firewall: fix duplicate space in template 2024-04-05 12:00:55 +02:00
Timotej Lazar f489555ba1 access: fix password store subdirectory for switches 2024-04-05 12:00:22 +02:00
Timotej Lazar 7ef4023424 firewall: add known IP ranges in network ipset definitions
This data should only change in NetBox, so no point deploying it from
firewall master. Sometimes the first approach is the best approach.
2024-03-19 09:46:26 +01:00
Timotej Lazar aa82e5aa18 firewall_master: don’t define ipsets for VLAN groups
Was a harebrained idea from the start.
2024-03-19 09:45:23 +01:00
Timotej Lazar a97d133873 fabric: don’t set bond slaves if there are none
Not that that should happen except by mistake.
2024-03-05 12:46:26 +01:00
Timotej Lazar be0cc49b33 access: ignore more non‐changes
Should probably move this somewhere more listy if it keeps growing.
2024-03-04 10:12:38 +01:00
Timotej Lazar dbc00fd448 fabric: add custom field on dcim.Interface for bond mode 2024-02-27 13:35:29 +01:00
Timotej Lazar ce7c1bd49e fabric: consolidate interface templates
Mostly to avoid special‐casing bond interfaces, and to support BGP
connections over virtual interfaces.
2024-02-27 13:35:29 +01:00
Timotej Lazar 5381fecaa4 fabric: fix check for peer switch 2024-02-27 13:35:29 +01:00
Timotej Lazar 65c16dbc63 Drop BGP update-delay option
Dropped from Cumulus manual and advised by seniors.
2024-02-27 13:35:29 +01:00
Timotej Lazar e93877c83d firewall_master: add newly required option to pip invocation
Reduce the system to rubble and ashes.
2024-02-27 13:35:29 +01:00
Timotej Lazar 7fe1dac008 firewall: use slurp instead of generic command to get host key 2024-02-27 13:35:29 +01:00
Timotej Lazar cacf46c891 Lowercows 2024-02-27 13:35:10 +01:00
Gašper Fele-Žorž 2a644e7936 Eliminate the bovine infestation through ansible.cfg 2024-02-21 12:40:04 +01:00
Timotej Lazar c20c47709c exit: fix keepalive configuration
There will be order or there will be chaos.
2024-02-18 16:28:35 +01:00
Timotej Lazar 37c025e2a0 firewall_master: move secrets to password store 2024-02-13 13:13:56 +01:00
Timotej Lazar d94e79f8b7 certbot_dns: move secrets to password store 2024-02-13 13:13:43 +01:00
Timotej Lazar 27dac09549 access: move secrets to password store
Keeping ansible-vault values in NetBox is too cumbersome and limited.
2024-02-13 10:33:14 +01:00
Timotej Lazar 91afaec9c2 firewall: allow connections from master with NATted IP 2024-02-06 09:19:49 +01:00
Timotej Lazar f54b23f49a firewall: disable forwarding for mgmt interfaces in if-pre-up
Should be more robust and more importantly works when interfaces are
not renamed by mdev as is the situation now.
2024-01-30 13:11:35 +01:00
Timotej Lazar 25289dd82f firewall: fix interface renaming
The mdev rules for renaming interfaces at boot seem to not work with
latest Alpine. So rename with ifupdown instead.
2024-01-30 13:11:35 +01:00
Timotej Lazar 544aa0a088 firewall: create empty ipsets for known networks
So we don’t crash and burn before config is set up.
2024-01-30 12:37:14 +01:00
Timotej Lazar 161ce73be7 exit: restart keepalived on DHCP config update 2024-01-30 12:36:19 +01:00
Timotej Lazar aeb124e346 Add inside and outside roles for VLANs
Will probably rename inside/outside and office/server to int/ext.
2024-01-30 12:35:33 +01:00
Timotej Lazar 0802dc8637 access: move templates to netbox
And adjust tasks to work with FS switches also.
2023-12-29 14:55:00 +01:00
Timotej Lazar be398e54fe fabric: sort bridge VLANs by ID
Instead of barfing on unsortable dicts.
2023-12-29 13:52:05 +01:00
Timotej Lazar 6fd5432b69 fabric: reload switchd before reloading interfaces
Don’t want to bring up a nonexisting interface.
2023-12-29 09:01:01 +01:00
Timotej Lazar 0d24f9fdc7 firewall: log policy update messages to syslog 2023-12-18 12:55:50 +01:00
Timotej Lazar 2b275c2ab4 exit: receive VPN IPv6 addresses from firewalls
And share them with peer over backup link.
2023-12-18 12:55:50 +01:00
Timotej Lazar c2d0e88996 firewall: set IPv6 address for wireguard interface
And advertise it.
2023-12-18 12:55:50 +01:00
Timotej Lazar d789e4a037 leaf: don’t talk BGP at bridges and bonds 2023-12-18 12:55:50 +01:00
Timotej Lazar 9e8db74d24 fabric: allow setting bridge access VLANs on non-bond ports 2023-12-18 12:55:50 +01:00
Timotej Lazar 950cd41c33 fabric: only add enabled ports to bridge 2023-12-18 12:55:50 +01:00
Timotej Lazar b2e42bfb30 Add DC access switches 2023-12-18 12:55:50 +01:00
Timotej Lazar 786fa37e4f Add requirements 2023-12-18 12:55:50 +01:00
Timotej Lazar 6574219bfb Add .gitignore 2023-12-18 12:55:50 +01:00
Timotej Lazar 158e8740b8 Initial commit, squashed 2023-12-18 12:55:47 +01:00