Commit graph

29 commits

Author SHA1 Message Date
Timotej Lazar aa82e5aa18 firewall_master: don’t define ipsets for VLAN groups
Was a harebrained idea from the start.
2024-03-19 09:45:23 +01:00
Timotej Lazar a97d133873 fabric: don’t set bond slaves if there are none
Not that that should happen except by mistake.
2024-03-05 12:46:26 +01:00
Timotej Lazar be0cc49b33 access: ignore more non‐changes
Should probably move this somewhere more listy if it keeps growing.
2024-03-04 10:12:38 +01:00
Timotej Lazar dbc00fd448 fabric: add custom field on dcim.Interface for bond mode 2024-02-27 13:35:29 +01:00
Timotej Lazar ce7c1bd49e fabric: consolidate interface templates
Mostly to avoid special‐casing bond interfaces, and to support BGP
connections over virtual interfaces.
2024-02-27 13:35:29 +01:00
Timotej Lazar 5381fecaa4 fabric: fix check for peer switch 2024-02-27 13:35:29 +01:00
Timotej Lazar 65c16dbc63 Drop BGP update-delay option
Dropped from Cumulus manual and advised by seniors.
2024-02-27 13:35:29 +01:00
Timotej Lazar e93877c83d firewall_master: add newly required option to pip invocation
Reduce the system to rubble and ashes.
2024-02-27 13:35:29 +01:00
Timotej Lazar 7fe1dac008 firewall: use slurp instead of generic command to get host key 2024-02-27 13:35:29 +01:00
Timotej Lazar c20c47709c exit: fix keepalive configuration
There will be order or there will be chaos.
2024-02-18 16:28:35 +01:00
Timotej Lazar 37c025e2a0 firewall_master: move secrets to password store 2024-02-13 13:13:56 +01:00
Timotej Lazar d94e79f8b7 certbot_dns: move secrets to password store 2024-02-13 13:13:43 +01:00
Timotej Lazar 27dac09549 access: move secrets to password store
Keeping ansible-vault values in NetBox is too cumbersome and limited.
2024-02-13 10:33:14 +01:00
Timotej Lazar 91afaec9c2 firewall: allow connections from master with NATted IP 2024-02-06 09:19:49 +01:00
Timotej Lazar f54b23f49a firewall: disable forwarding for mgmt interfaces in if-pre-up
Should be more robust and more importantly works when interfaces are
not renamed by mdev as is the situation now.
2024-01-30 13:11:35 +01:00
Timotej Lazar 25289dd82f firewall: fix interface renaming
The mdev rules for renaming interfaces at boot seem to not work with
latest Alpine. So rename with ifupdown instead.
2024-01-30 13:11:35 +01:00
Timotej Lazar 544aa0a088 firewall: create empty ipsets for known networks
So we don’t crash and burn before config is set up.
2024-01-30 12:37:14 +01:00
Timotej Lazar 161ce73be7 exit: restart keepalived on DHCP config update 2024-01-30 12:36:19 +01:00
Timotej Lazar aeb124e346 Add inside and outside roles for VLANs
Will probably rename inside/outside and office/server to int/ext.
2024-01-30 12:35:33 +01:00
Timotej Lazar 0802dc8637 access: move templates to netbox
And adjust tasks to work with FS switches also.
2023-12-29 14:55:00 +01:00
Timotej Lazar be398e54fe fabric: sort bridge VLANs by ID
Instead of barfing on unsortable dicts.
2023-12-29 13:52:05 +01:00
Timotej Lazar 6fd5432b69 fabric: reload switchd before reloading interfaces
Don’t want to bring up a nonexistent interface.
2023-12-29 09:01:01 +01:00
Timotej Lazar 0d24f9fdc7 firewall: log policy update messages to syslog 2023-12-18 12:55:50 +01:00
Timotej Lazar 2b275c2ab4 exit: receive VPN IPv6 addresses from firewalls
And share them with peer over backup link.
2023-12-18 12:55:50 +01:00
Timotej Lazar c2d0e88996 firewall: set IPv6 address for wireguard interface
And advertise it.
2023-12-18 12:55:50 +01:00
Timotej Lazar d789e4a037 leaf: don’t talk BGP at bridges and bonds 2023-12-18 12:55:50 +01:00
Timotej Lazar 9e8db74d24 fabric: allow setting bridge access VLANs on non-bond ports 2023-12-18 12:55:50 +01:00
Timotej Lazar 950cd41c33 fabric: only add enabled ports to bridge 2023-12-18 12:55:50 +01:00
Timotej Lazar 158e8740b8 Initial commit, squashed 2023-12-18 12:55:47 +01:00