Timotej Lazar
ef1b00adce
firewall: update backup route maps
To match the prefixes that are sent by firewalls.
2024-09-21 16:31:44 +02:00
Timotej Lazar
6c18e2ff94
firewall: add convenience nftables set for AD ports
Probably not all of these are necessary. Would be nice to allow
configuring this from the app.
2024-09-19 16:25:51 +02:00
Timotej Lazar
ae1cfd5337
exit: enable forwarding directed broadcasts for WoL
Must be set in IPv4 sysctls for all interfaces and every input
interface from which broadcasts are sent. These are the virtual
MLAG interfaces (bridge-*-v0), which are created dynamically.
We enable directed broadcasts for (only MLAG) interfaces enumerated by
the ifaces_directed_broadcast value in NetBox device local context.
2024-09-18 14:27:30 +02:00
Timotej Lazar
6322d5ec97
exit: add routes for VPN IPv4 addresses to outside and default VRFs
Like commit 7b5980f but for VPN addresses. Also renumber some route
maps to improve consistency.
2024-09-16 17:20:43 +02:00
Timotej Lazar
6c8309f1c9
exit: leak non-NATted inside routes into default VRF
So we don’t have to NAT inside our own network. We still firewall.
2024-09-03 17:15:48 +02:00
Timotej Lazar
103ecae2e7
exit: leak outside routes into default VRF
So L3 servers can access L2 servers.
2024-09-01 12:19:13 +02:00
Timotej Lazar
3caea81896
access: add voice VLAN support
2024-09-01 10:37:11 +02:00
Timotej Lazar
c3ff39fe72
firewall: reload nftables in mgmt VRF
It doesn’t matter for the rules themselves as nft does not do VRFs,
but DNS names can only be resolved there. This is because all nodes
use the same IPs in the default VRF, so DNS replies sent from there go
to the active node.
This allows using DNS names in firewall rules. Not yet sure if that is
actually a good idea.
2024-08-19 13:54:01 +02:00
Timotej Lazar
5032d1ac84
fabric: fix a template
This worked. Updated ansible. Then it didn’t.
2024-08-15 17:22:55 +02:00
Timotej Lazar
14d2e00f0b
exit: only send RAs on interfaces with FHRP addresses
These are the ones we are router for.
2024-08-13 19:12:29 +02:00
Timotej Lazar
7b5980f871
exit: add routes for internal IPv4 addresses to outside VRF
Routed through and mostly dropped by the firewall, of course. So we
don’t necessarily have to do NAT for everything that comes from the
old / USI network.
2024-08-13 19:02:03 +02:00
Timotej Lazar
fe8f9161d9
exit: drop redundant and now misleading comment
2024-08-12 11:46:42 +02:00
Timotej Lazar
9a56e48141
exit: allow multiple VLANs per VRF
Turns out that while Cumulus supports “up to” 255 VRFs, no switch it
runs on supports more than 64. So we have to turn down paranoia and
put internal networks for each tenant in the same VRF.
This commit just ensures VRF definitions are not duplicated on exits.
2024-08-04 14:12:26 +02:00
Timotej Lazar
c239b91d17
Simplify README
2024-08-03 11:48:09 +02:00
Timotej Lazar
c741b90981
fabric: disable less-than-sane Cumulus SSH default options
Why no ed25519 keys?
2024-07-26 14:27:34 +02:00
Timotej Lazar
82b10e8133
exit: support custom VRF imports
Ten minutes to set up and ten hours to convince Ansible to not be
quite so retarded. The list2dict filter seems to be the (or another)
missing piece. Now let’s rewrite everything else using it. Or not.
2024-07-15 14:22:42 +02:00
Timotej Lazar
99aef43574
exit: add DHCP relay for new server
Really quite shoddy as it is right now. Should get better once the old
server is retired.
2024-07-14 14:51:23 +02:00
Timotej Lazar
bb41d406f8
exit, firewall: don’t hardcode prefix length
2024-07-10 16:57:08 +02:00
Timotej Lazar
2327b42412
fabric: disable nvue-startup service
2024-07-04 15:36:02 +02:00
Timotej Lazar
48b987180a
Move firewall_master role to servers repo
2024-07-04 15:35:41 +02:00
Timotej Lazar
ff1abcb508
firewall: drop a line
It was rubbish.
2024-06-20 20:54:42 +02:00
Timotej Lazar
668af8bdb6
firewall: use a handler to reboot
2024-05-19 10:10:02 +02:00
Timotej Lazar
0e9dac6985
fabric: support arbitrary port breakouts
Not that we use anything but 1x and 4x. Mainly done so I can drop
nonexistent (because they have been broken out) interfaces from NetBox.
2024-05-13 17:44:39 +02:00
Timotej Lazar
16f34c4502
Don’t gather facts when setting them
2024-05-13 17:39:47 +02:00
Timotej Lazar
8c82af23e4
firewall: also configure VPN forwards in the app
There we can define forwards only for networks with actual VPN users.
2024-05-03 11:27:27 +02:00
Timotej Lazar
7656c05b2d
Revert "firewall: configure NAT from NetBox data"
Changed my mind. All NAT and VPN is configured from the app now.
2024-04-30 20:59:49 +02:00
Timotej Lazar
8a9d47f176
firewall: configure NAT from NetBox data
This is dynamic NAT for (mostly) physical networks. NAT for custom
prefixes can still be defined in the app.
2024-04-28 15:54:01 +02:00
Timotej Lazar
457ab7d3b7
Query prefixes once for all hosts
And group them into vrf_prefixes for VLAN networks and bgp_prefixes for
servers plugged directly into fabric.
This should reduce the number of queries to NetBox when configuring
firewalls and exit switches. Not sure but I think set_fact helps to
avoid queries (as opposed to setting group_vars).
2024-04-28 12:14:05 +02:00
Timotej Lazar
1c0709a6a6
fabric: allow all VLANs on bridge
Don’t try to guess what should be allowed because not all switch links
are tagged in NetBox. For now we limit mainly on access switches.
2024-04-27 11:30:20 +02:00
Timotej Lazar
c07c03a430
Set default inventory
2024-04-27 11:04:02 +02:00
Timotej Lazar
2443a90bc5
fabric: use FHRP groups for virtual router IPs
More realistic- and supported-like and also avoids duplicated gateway
addresses.
2024-04-14 15:15:48 +02:00
Timotej Lazar
db397cb2b1
exit: store VLAN interface addresses in NetBox
… instead of generating them from prefixes. A NetBox script can be
used to create and configure all necessary data for a new VLAN.
Instead of VLAN roles “inside” and “outside” we now create separate
VRFs for inside VLANs to match the actual exit/firewall configuration.
The “outside” VRF is for all VLANs that are directly accessible from
the internet.
2024-04-10 14:03:50 +02:00
Timotej Lazar
ece3b8a377
exit: sort prefixes by family values
Because I made some seemingly unrelated changes in NetBox and they all
got flipped‐turned upside down.
2024-04-09 10:47:51 +02:00
Timotej Lazar
000f625988
Move VM secrets to a separate password store directory
2024-04-08 15:06:18 +02:00
Timotej Lazar
6dcae194d7
firewall: accept VPN connections from inside also
People tend to leave WireGuard tunnels active and we don’t want things
to become unreachable when moving to one of the inside networks.
2024-04-08 15:03:29 +02:00
Timotej Lazar
c479f90669
access: move switch config templates back to this repo
Let’s keep it simple. Also editing templates in NetBox is a pain.
2024-04-08 14:45:39 +02:00
Timotej Lazar
1ffdea8e43
firewall: fix duplicate space in template
2024-04-05 12:00:55 +02:00
Timotej Lazar
f489555ba1
access: fix password store subdirectory for switches
2024-04-05 12:00:22 +02:00
Timotej Lazar
7ef4023424
firewall: add known IP ranges in network ipset definitions
This data should only change in NetBox, so no point deploying it from
firewall master. Sometimes the first approach is the best approach.
2024-03-19 09:46:26 +01:00
Timotej Lazar
aa82e5aa18
firewall_master: don’t define ipsets for VLAN groups
Was a harebrained idea from the start.
2024-03-19 09:45:23 +01:00
Timotej Lazar
a97d133873
fabric: don’t set bond slaves if there are none
Not that that should happen except by mistake.
2024-03-05 12:46:26 +01:00
Timotej Lazar
be0cc49b33
access: ignore more non‐changes
Should probably move this somewhere more listy if it keeps growing.
2024-03-04 10:12:38 +01:00
Timotej Lazar
dbc00fd448
fabric: add custom field on dcim.Interface for bond mode
2024-02-27 13:35:29 +01:00
Timotej Lazar
ce7c1bd49e
fabric: consolidate interface templates
Mostly to avoid special‐casing bond interfaces, and to support BGP
connections over virtual interfaces.
2024-02-27 13:35:29 +01:00
Timotej Lazar
5381fecaa4
fabric: fix check for peer switch
2024-02-27 13:35:29 +01:00
Timotej Lazar
65c16dbc63
Drop BGP update-delay option
Dropped from Cumulus manual and advised by seniors.
2024-02-27 13:35:29 +01:00
Timotej Lazar
e93877c83d
firewall_master: add newly required option to pip invocation
Reduce the system to rubble and ashes.
2024-02-27 13:35:29 +01:00
Timotej Lazar
7fe1dac008
firewall: use slurp instead of generic command to get host key
2024-02-27 13:35:29 +01:00
Timotej Lazar
cacf46c891
Lowercows
2024-02-27 13:35:10 +01:00
Gašper Fele-Žorž
2a644e7936
Eliminate the bovine infestation through ansible.cfg
2024-02-21 12:40:04 +01:00