proxmox: standardize interface names and set up management VRF

No idea how badly this clashes with GUI configuration.
This commit is contained in:
Timotej Lazar 2023-07-17 16:37:45 +02:00
parent aae782a66b
commit 2330edf479
8 changed files with 94 additions and 6 deletions

View file

@ -0,0 +1,16 @@
[Unit]
Description=OpenBSD Secure Shell server (management VRF)
After=network.target auditd.service
[Service]
ExecStartPre=/usr/sbin/sshd -t
ExecStart=ip vrf exec mgmt /usr/sbin/sshd -f /etc/ssh/sshd_config.mgmt
ExecReload=/usr/sbin/sshd -t
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartPreventExitStatus=255
Type=notify
[Install]
WantedBy=multi-user.target

View file

@ -1,2 +1,5 @@
- name: reboot
reboot:
- name: reload interfaces - name: reload interfaces
command: ifreload -a command: ifreload -a

View file

@ -13,4 +13,6 @@
apt_repository: apt_repository:
repo: 'deb http://download.proxmox.com/debian/pve {{ ansible_distribution_release }} pve-no-subscription' repo: 'deb http://download.proxmox.com/debian/pve {{ ansible_distribution_release }} pve-no-subscription'
- include_tasks: mgmt.yml
- include_tasks: sdn.yml - include_tasks: sdn.yml

View file

@ -0,0 +1,38 @@
# We could probably avoid rebooting in some cases, but those should never happen
# in normal operation anyway. This way all setup is done before rebooting once.
- name: Add rules to rename network interfaces
template:
dest: /etc/udev/rules.d/10-network.rules
src: 10-network.rules.j2
mode: 0644
notify: reboot
- name: Set up interfaces
template:
dest: /etc/network/interfaces
src: interfaces.j2
mode: 0644
notify: reboot
- name: Configure SSH instance in management VRF
template:
dest: /etc/ssh/sshd_config.mgmt
src: sshd_config.mgmt.j2
mode: 0644
notify: reboot
- name: Set up a SSH instance in management VRF
copy:
dest: /etc/systemd/system/
src: sshd@mgmt.service
mode: 0644
notify: reboot
- name: Enable management SSH
service:
name: sshd@mgmt
enabled: yes
notify: reboot
- meta: flush_handlers

View file

@ -1,9 +1,3 @@
- name: Install packages for SDN - name: Install packages for SDN
package: package:
name: libpve-network-perl name: libpve-network-perl
- name: Source SDN network configuration
lineinfile:
path: /etc/network/interfaces
line: 'source /etc/network/interfaces.d/*'
notify: reload interfaces

View file

@ -0,0 +1,5 @@
{% for name in hwaddr %}
{% for addr in hwaddr[name] %}
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="{{ addr }}", NAME="{{ name }}{{ loop.index0 }}"
{% endfor %}
{% endfor %}

View file

@ -0,0 +1,16 @@
auto lo
iface lo inet loopback
auto mgmt
iface mgmt
address 127.0.0.1/8
address ::1/128
vrf-table auto
auto {{ iface_mgmt }}
iface {{ iface_mgmt }}
vrf mgmt
address {{ ansible_host }}/{{ mgmt_gw | ipaddr('prefix') }}
gateway {{ mgmt_gw | ipaddr('address') }}
source /etc/network/interfaces.d/*

View file

@ -0,0 +1,14 @@
# This is for sshd in management VRF, for ansible and other not-really-OOB stuff.
PidFile none
UsePAM no
# Only allow pubkey auth.
KbdInteractiveAuthentication no
PasswordAuthentication no
PermitRootLogin prohibit-password
# Disable what we can.
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no