proxmox: standardize interface names and set up management VRF

No idea how badly this clashes with GUI configuration.
2023-07-17 16:37:45 +02:00 · 2023-07-17 16:37:45 +02:00 · 2330edf479
parent aae782a66b
commit 2330edf479
8 changed files with 94 additions and 6 deletions
--- a/roles/proxmox/files/sshd@mgmt.service
+++ b/roles/proxmox/files/sshd@mgmt.service
@ -0,0 +1,16 @@
+[Unit]
+Description=OpenBSD Secure Shell server (management VRF)
+After=network.target auditd.service
+
+[Service]
+ExecStartPre=/usr/sbin/sshd -t
+ExecStart=ip vrf exec mgmt /usr/sbin/sshd -f /etc/ssh/sshd_config.mgmt
+ExecReload=/usr/sbin/sshd -t
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+RestartPreventExitStatus=255
+Type=notify
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/proxmox/handlers/main.yml
+++ b/roles/proxmox/handlers/main.yml
@ -1,2 +1,5 @@
+- name: reboot
+  reboot:
+
 - name: reload interfaces
  command: ifreload -a
--- a/roles/proxmox/tasks/main.yml
+++ b/roles/proxmox/tasks/main.yml
@ -13,4 +13,6 @@
  apt_repository:
    repo: 'deb http://download.proxmox.com/debian/pve {{ ansible_distribution_release }} pve-no-subscription'

+- include_tasks: mgmt.yml
+
 - include_tasks: sdn.yml
--- a/roles/proxmox/tasks/mgmt.yml
+++ b/roles/proxmox/tasks/mgmt.yml
@ -0,0 +1,38 @@
+# We could probably avoid rebooting in some cases, but those should never happen
+# in normal operation anyway. This way all setup is done before rebooting once.
+
+- name: Add rules to rename network interfaces
+  template:
+    dest: /etc/udev/rules.d/10-network.rules
+    src: 10-network.rules.j2
+    mode: 0644
+  notify: reboot
+
+- name: Set up interfaces
+  template:
+    dest: /etc/network/interfaces
+    src: interfaces.j2
+    mode: 0644
+  notify: reboot
+
+- name: Configure SSH instance in management VRF
+  template:
+    dest: /etc/ssh/sshd_config.mgmt
+    src: sshd_config.mgmt.j2
+    mode: 0644
+  notify: reboot
+
+- name: Set up a SSH instance in management VRF
+  copy:
+    dest: /etc/systemd/system/
+    src: sshd@mgmt.service
+    mode: 0644
+  notify: reboot
+
+- name: Enable management SSH
+  service:
+    name: sshd@mgmt
+    enabled: yes
+  notify: reboot
+
+- meta: flush_handlers
--- a/roles/proxmox/tasks/sdn.yml
+++ b/roles/proxmox/tasks/sdn.yml
@ -1,9 +1,3 @@
 - name: Install packages for SDN
  package:
    name: libpve-network-perl
-
- name: Source SDN network configuration
-  lineinfile:
-    path: /etc/network/interfaces
-    line: 'source /etc/network/interfaces.d/*'
-  notify: reload interfaces
--- a/roles/proxmox/templates/10-network.rules.j2
+++ b/roles/proxmox/templates/10-network.rules.j2
@ -0,0 +1,5 @@
+{% for name in hwaddr %}
+{% for addr in hwaddr[name] %}
+SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="{{ addr }}", NAME="{{ name }}{{ loop.index0 }}"
+{% endfor %}
+{% endfor %}
--- a/roles/proxmox/templates/interfaces.j2
+++ b/roles/proxmox/templates/interfaces.j2
@ -0,0 +1,16 @@
+auto lo
+iface lo inet loopback
+
+auto mgmt
+iface mgmt
+    address 127.0.0.1/8
+    address ::1/128
+    vrf-table auto
+
+auto {{ iface_mgmt }}
+iface {{ iface_mgmt }}
+    vrf mgmt
+    address {{ ansible_host }}/{{ mgmt_gw | ipaddr('prefix') }}
+    gateway {{ mgmt_gw | ipaddr('address') }}
+
+source /etc/network/interfaces.d/*
--- a/roles/proxmox/templates/sshd_config.mgmt.j2
+++ b/roles/proxmox/templates/sshd_config.mgmt.j2
@ -0,0 +1,14 @@
+# This is for sshd in management VRF, for ansible and other not-really-OOB stuff.
+
+PidFile none
+UsePAM no
+
+# Only allow pubkey auth.
+KbdInteractiveAuthentication no
+PasswordAuthentication no
+PermitRootLogin prohibit-password
+
+# Disable what we can.
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no