commit 8dd2476238d4e34f57f75752e6bd8a4e03f33215 Author: Timotej Lazar Date: Wed Apr 19 19:15:44 2023 +0200 Add role to set up base Debian server With sshd in separate management VRF and FRR to announce routes to self over unnumbered BGP. diff --git a/roles/debian/files/ssh.service-override.conf b/roles/debian/files/ssh.service-override.conf new file mode 100644 index 0000000..2ab24aa --- /dev/null +++ b/roles/debian/files/ssh.service-override.conf @@ -0,0 +1,4 @@ +[Service] +ExecStartPre=sleep 10 +ExecStart= +ExecStart=/usr/bin/ip vrf exec mgmt /usr/sbin/sshd -D $SSHD_OPTS diff --git a/roles/debian/handlers/main.yml b/roles/debian/handlers/main.yml new file mode 100644 index 0000000..9afde6e --- /dev/null +++ b/roles/debian/handlers/main.yml @@ -0,0 +1,8 @@ +- name: reboot + reboot: + +- name: reload frr + command: /usr/lib/frr/frr-reload.py --reload /etc/frr/frr.conf + +- name: restart frr + service: name=frr state=restarted diff --git a/roles/debian/tasks/main.yml b/roles/debian/tasks/main.yml new file mode 100644 index 0000000..bf7863a --- /dev/null +++ b/roles/debian/tasks/main.yml @@ -0,0 +1,82 @@ +- name: Set up management interface + template: + dest: /etc/network/interfaces + src: interfaces.j2 + mode: 0644 + notify: reboot + +- name: Set up loopback interface + template: + dest: /etc/network/interfaces.d/loopback.intf + src: loopback.intf.j2 + mode: 0644 + notify: reboot + +- name: Set up fabric interfaces + template: + dest: /etc/network/interfaces.d/fabric.intf + src: fabric.intf.j2 + mode: 0644 + notify: reboot + +- name: Install ifupdown2 + package: name=ifupdown2 + notify: reboot + +- name: Create override directory for ssh service + file: + path: /etc/systemd/system/ssh.service.d + state: directory + +- name: Run ssh in mgmt VRF + copy: + dest: /etc/systemd/system/ssh.service.d/override.conf + src: ssh.service-override.conf + notify: reboot + +# With PAM enabled, login shell would run in default VRF instead of mgmt. +- name: Disable PAM for ssh + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^UsePAM .*yes' + state: absent + notify: reboot + +# Reboot here if anything changed to ensure the new VRF is up and sshd +# listens there. +- meta: flush_handlers + +- name: Set up resolv.conf + template: + dest: /etc/resolv.conf + src: resolv.conf.j2 + mode: 0644 + +- name: Install essential packages + package: name=git,rsync,vim,tmux + +- name: Install FRR + package: name=frr,frr-pythontools + +- name: Enable BGP and BFD + lineinfile: + path: /etc/frr/daemons + regexp: "^{{ item }}=" + line: "{{ item }}=yes" + loop: + - bfdd + - bgpd + notify: restart frr + +- name: Copy FRR config + template: + dest: /etc/frr/frr.conf + src: frr.conf.j2 + mode: 0644 + notify: reload frr + +- name: Enable FRR service + service: + name: frr + enabled: yes + notify: restart frr diff --git a/roles/debian/templates/fabric.intf.j2 b/roles/debian/templates/fabric.intf.j2 new file mode 100644 index 0000000..7c743b3 --- /dev/null +++ b/roles/debian/templates/fabric.intf.j2 @@ -0,0 +1,6 @@ +{% for iface in ifaces_fabric %} +auto {{ iface }} +iface {{ iface }} + mtu 9216 + +{% endfor %} \ No newline at end of file diff --git a/roles/debian/templates/frr.conf.j2 b/roles/debian/templates/frr.conf.j2 new file mode 100644 index 0000000..072340a --- /dev/null +++ b/roles/debian/templates/frr.conf.j2 @@ -0,0 +1,28 @@ +frr defaults datacenter +service integrated-vtysh-config +log syslog + +router bgp {{ asn }} + bgp bestpath as-path multipath-relax + + neighbor fabric peer-group + neighbor fabric remote-as external + neighbor fabric capability extended-nexthop + +{% for iface in ifaces_fabric %} + neighbor {{ iface }} interface peer-group fabric + neighbor {{ iface }} bfd +{% endfor %} + + address-family ipv4 unicast + redistribute connected route-map loopback + neighbor fabric activate + exit-address-family + + address-family ipv6 unicast + redistribute connected route-map loopback + neighbor fabric activate + exit-address-family + +route-map loopback permit 1 + match interface lo diff --git a/roles/debian/templates/interfaces.j2 b/roles/debian/templates/interfaces.j2 new file mode 100644 index 0000000..b97d474 --- /dev/null +++ b/roles/debian/templates/interfaces.j2 @@ -0,0 +1,14 @@ +source /etc/network/interfaces.d/* + +# Management VRF and link. +auto mgmt +iface mgmt + address 127.0.0.1/8 + address ::1/128 + vrf-table auto + +auto {{ iface_mgmt }} +iface {{ iface_mgmt }} + vrf mgmt + address {{ ansible_host }}/{{ mgmt_gw | ipaddr('prefix') }} + gateway {{ mgmt_gw | ipaddr('address') }} diff --git a/roles/debian/templates/loopback.intf.j2 b/roles/debian/templates/loopback.intf.j2 new file mode 100644 index 0000000..b736e81 --- /dev/null +++ b/roles/debian/templates/loopback.intf.j2 @@ -0,0 +1,3 @@ +auto lo +iface lo inet loopback + address {{ router_id }}/32 diff --git a/roles/debian/templates/resolv.conf.j2 b/roles/debian/templates/resolv.conf.j2 new file mode 100644 index 0000000..abfee17 --- /dev/null +++ b/roles/debian/templates/resolv.conf.j2 @@ -0,0 +1,4 @@ +search {{ domain }} +{% for server in dns %} +nameserver {{ server }} +{% endfor %} diff --git a/setup.yml b/setup.yml new file mode 100644 index 0000000..2e64e19 --- /dev/null +++ b/setup.yml @@ -0,0 +1,3 @@ +- hosts: ceph-* + roles: + - debian