Factor frr role from debian, ceph and proxmox

Consolidate base system and networking setup into debian role and BGP configuration into frr role. Add facts role to collect data from NetBox once to avoid many slow lookups. Also many other tweaks and cleanups.
2024-05-18 18:35:41 +02:00 · 2024-05-18 18:35:41 +02:00 · 25bcddede1
commit 25bcddede1
parent 256dae2955
31 changed files with 167 additions and 312 deletions
--- a/roles/ceph/handlers/main.yml
+++ b/roles/ceph/handlers/main.yml
@ -1,7 +1,5 @@
- name: reboot
-  reboot:
-
 - name: reload nftables
  service:
    name: nftables
    state: reloaded
+  when: "'handler' not in ansible_skip_tags"
--- a/roles/ceph/tasks/firewall.yml
+++ b/roles/ceph/tasks/firewall.yml
@ -1,7 +1,3 @@
- name: Retrieve service list
-  set_fact:
-    services: '{{ query("netbox.netbox.nb_lookup", "clusters", raw_data=true, api_filter="name="+cluster) | map(attribute="custom_fields.services") | flatten }}'
-
 - name: Install nftables
  package:
    name: nftables
--- a/roles/ceph/tasks/main.yml
+++ b/roles/ceph/tasks/main.yml
@ -1,7 +1,3 @@
- name: Get all nodes in my cluster
-  set_fact:
-    nodes: "{{ groups['cluster_'+cluster] | map('extract', hostvars) }}"
-
 - name: Configure /etc/hosts
  template:
    dest: /etc/hosts
--- a/roles/ceph/templates/nftables.conf.j2
+++ b/roles/ceph/templates/nftables.conf.j2
@ -46,10 +46,15 @@ table inet filter {
        iif lan0 ip6 saddr fe80::/64 accept
        iif lan1 ip6 saddr fe80::/64 accept

+        iifname mgmt accept comment "management access"
+
        ip saddr @cluster accept comment "accept connections from other nodes"
        ip6 saddr @cluster/6 accept comment "accept connections from other nodes"

-{% for service in services %}
+        ip saddr @allowed accept # TODO remove exceptions
+        ip6 saddr @allowed/6 accept # TODO remove exceptions
+
+{% for service in cluster.custom_fields.services %}
 {% set prefixes = service | allowed_prefixes %}
 {% set prefixes4 = prefixes | selectattr('family.value', '==', 4) | map('string') %}
 {% set prefixes6 = prefixes | selectattr('family.value', '==', 6) | map('string') %}
@ -63,11 +68,6 @@ table inet filter {
 {% endif %}

 {% endfor %}
-
-        iifname mgmt accept comment "management access"
-
-        ip saddr @allowed accept
-        ip6 saddr @allowed/6 accept
    }

    chain forward {