diff --git a/roles/proxmox/files/sshd@mgmt.service b/roles/proxmox/files/sshd@mgmt.service
new file mode 100644
index 0000000..7b63f30
--- /dev/null
+++ b/roles/proxmox/files/sshd@mgmt.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=OpenBSD Secure Shell server (management VRF)
+After=network.target auditd.service
+
+[Service]
+ExecStartPre=/usr/sbin/sshd -t
+ExecStart=ip vrf exec mgmt /usr/sbin/sshd -f /etc/ssh/sshd_config.mgmt
+ExecReload=/usr/sbin/sshd -t
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+RestartPreventExitStatus=255
+Type=notify
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/proxmox/handlers/main.yml b/roles/proxmox/handlers/main.yml
index 851b949..fce8e53 100644
--- a/roles/proxmox/handlers/main.yml
+++ b/roles/proxmox/handlers/main.yml
@@ -1,2 +1,5 @@
+- name: reboot
+  reboot:
+
 - name: reload interfaces
   command: ifreload -a
diff --git a/roles/proxmox/tasks/main.yml b/roles/proxmox/tasks/main.yml
index e53cb35..add0130 100644
--- a/roles/proxmox/tasks/main.yml
+++ b/roles/proxmox/tasks/main.yml
@@ -13,4 +13,6 @@
   apt_repository:
     repo: 'deb http://download.proxmox.com/debian/pve {{ ansible_distribution_release }} pve-no-subscription'
 
+- include_tasks: mgmt.yml
+
 - include_tasks: sdn.yml
diff --git a/roles/proxmox/tasks/mgmt.yml b/roles/proxmox/tasks/mgmt.yml
new file mode 100644
index 0000000..10b079c
--- /dev/null
+++ b/roles/proxmox/tasks/mgmt.yml
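Review bot: `ExecStartPre=/usr/sbin/sshd -t` and the first `ExecReload=/usr/sbin/sshd -t` validate the default `/etc/ssh/sshd_config`, not the `/etc/ssh/sshd_config.mgmt` that `ExecStart` actually runs with, so a broken management config passes the pre-check while an unrelated error in the main config blocks this unit from starting or reloading. Both checks should name the same file: `ExecStartPre=/usr/sbin/sshd -t -f /etc/ssh/sshd_config.mgmt` and `ExecReload=/usr/sbin/sshd -t -f /etc/ssh/sshd_config.mgmt`. `ExecStart` also omits `-D`; without it sshd detaches into the background, which does not fit `Type=notify` and leaves `$MAINPID` (used by the `kill -HUP` reload) pointing at a process that has already exited, so `ExecStart=ip vrf exec mgmt /usr/sbin/sshd -D -f /etc/ssh/sshd_config.mgmt`, as in the stock Debian unit, looks like the intended form — I cannot confirm the distribution's sshd build from the hunk alone.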
@@ -0,0 +1,38 @@
+# We could probably avoid rebooting in some cases, but those should never happen
+# in normal operation anyway. This way all setup is done before rebooting once.
+
+- name: Add rules to rename network interfaces
+  template:
+    dest: /etc/udev/rules.d/10-network.rules
+    src: 10-network.rules.j2
+    mode: 0644
+  notify: reboot
+
+- name: Set up interfaces
+  template:
+    dest: /etc/network/interfaces
+    src: interfaces.j2
+    mode: 0644
+  notify: reboot
+
+- name: Configure SSH instance in management VRF
+  template:
+    dest: /etc/ssh/sshd_config.mgmt
+    src: sshd_config.mgmt.j2
+    mode: 0644
+  notify: reboot
+
+- name: Set up a SSH instance in management VRF
+  copy:
+    dest: /etc/systemd/system/
+    src: sshd@mgmt.service
+    mode: 0644
+  notify: reboot
+
+- name: Enable management SSH
+  service:
+    name: sshd@mgmt
+    enabled: yes
+  notify: reboot
+
+- meta: flush_handlers
diff --git a/roles/proxmox/tasks/sdn.yml b/roles/proxmox/tasks/sdn.yml
index 99cf402..a88c4b2 100644
--- a/roles/proxmox/tasks/sdn.yml
+++ b/roles/proxmox/tasks/sdn.yml
@@ -1,9 +1,3 @@
 - name: Install packages for SDN
   package:
     name: libpve-network-perl
-
-- name: Source SDN network configuration
-  lineinfile:
-    path: /etc/network/interfaces
-    line: 'source /etc/network/interfaces.d/*'
-  notify: reload interfaces
diff --git a/roles/proxmox/templates/10-network.rules.j2 b/roles/proxmox/templates/10-network.rules.j2
new file mode 100644
index 0000000..1a45f77
--- /dev/null
+++ b/roles/proxmox/templates/10-network.rules.j2
@@ -0,0 +1,5 @@
+{% for name in hwaddr %}
+{% for addr in hwaddr[name] %}
+SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="{{ addr }}", NAME="{{ name }}{{ loop.index0 }}"
+{% endfor %}
+{% endfor %}
diff --git a/roles/proxmox/templates/interfaces.j2 b/roles/proxmox/templates/interfaces.j2
new file mode 100644
index 0000000..086e974
--- /dev/null
+++ b/roles/proxmox/templates/interfaces.j2
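Review bot: `mode: 0644` is an unquoted leading-zero scalar in all four `template`/`copy` tasks of this hunk; a YAML 1.1 loader reads it as the integer 420, which Ansible happens to map back to 0644, but the result depends on that coincidence and ansible-lint flags it (risky-octal), so the safe spelling is `mode: "0644"`. In the same spirit, `enabled: yes` in "Enable management SSH" should be the canonical `enabled: true`. The unit file is dropped into `/etc/systemd/system/` by the preceding `copy` task with no daemon reload, so enabling works only because the `reboot` handler follows; using the `systemd` module with `daemon_reload: true` there would make the task correct on its own rather than by virtue of the reboot.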
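Review bot: `ATTR{address}=="{{ addr }}"` is a case-sensitive string comparison against the sysfs value, which the kernel exposes as lowercase hex, so a MAC entered in uppercase in the `hwaddr` variable would silently fail to match and the interface would keep its kernel name — a quiet way to lose the management interface after the reboot this role triggers. Normalising in the template, `ATTR{address}=="{{ addr | lower }}"`, removes that dependency on how the inventory spells the address. A one-line `{# ... #}` header describing the expected shape of `hwaddr` (a mapping of name prefix to a list of MAC addresses, as the two nested loops imply, with `loop.index0` becoming the numeric suffix) would also help, since this template is the only place that contract is visible.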
@@ -0,0 +1,16 @@
+auto lo
+iface lo inet loopback
+
+auto mgmt
+iface mgmt
+    address 127.0.0.1/8
+    address ::1/128
+    vrf-table auto
+
+auto {{ iface_mgmt }}
+iface {{ iface_mgmt }}
+    vrf mgmt
+    address {{ ansible_host }}/{{ mgmt_gw | ipaddr('prefix') }}
+    gateway {{ mgmt_gw | ipaddr('address') }}
+
+source /etc/network/interfaces.d/*
diff --git a/roles/proxmox/templates/sshd_config.mgmt.j2 b/roles/proxmox/templates/sshd_config.mgmt.j2
new file mode 100644
index 0000000..ac45726
--- /dev/null
+++ b/roles/proxmox/templates/sshd_config.mgmt.j2
@@ -0,0 +1,14 @@
+# This is for sshd in management VRF, for ansible and other not-really-OOB stuff.
+
+PidFile none
+UsePAM no
+
+# Only allow pubkey auth.
+KbdInteractiveAuthentication no
+PasswordAuthentication no
+PermitRootLogin prohibit-password
+
+# Disable what we can.
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no
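Review bot: `mgmt_gw | ipaddr('prefix')` and `mgmt_gw | ipaddr('address')` use the short filter name; on current ansible-core `ipaddr` is provided by a collection (`ansible.utils`, formerly `ansible.netcommon`), so the template renders only where that collection is installed and, on newer releases, only under the fully-qualified name `{{ mgmt_gw | ansible.utils.ipaddr('prefix') }}`. The two filter calls also fix the contract that `mgmt_gw` is the gateway in CIDR form (address plus prefix length), and `address {{ ansible_host }}/...` requires `ansible_host` to be a literal IP rather than a DNS name; a header such as `{# mgmt_gw: gateway in CIDR form (gw/prefix); ansible_host must be an IP, it becomes the address of iface_mgmt #}` would state both before someone learns them from a failed ifreload. Since this file replaces `/etc/network/interfaces` wholesale and only sources `interfaces.d/*`, the same comment should say that any bridge or VLAN stanzas Proxmox needs now have to live under `/etc/network/interfaces.d/`.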
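Review bot: the "Disable what we can." block leaves agent forwarding, Unix-socket forwarding and tunnel devices at their permissive defaults, which is the part that matters most on a listener meant only for automation; adding `AllowAgentForwarding no`, `AllowStreamLocalForwarding no` and `PermitTunnel no` beside `AllowTcpForwarding no` completes what the comment promises. Given the top comment says this instance exists for Ansible, restricting logins with `AllowUsers <ansible user>` (or `AllowGroups`) would stop the management listener from accepting any other local account's keys. `UsePAM no` also bypasses PAM account and session handling (for example `pam_nologin` and per-session limits), so it deserves a word in the comment explaining that it is intentional; whether the host's default sshd relies on PAM for anything is not visible from the hunk.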