Add role to set up base Debian server

With sshd in separate management VRF and FRR to announce routes to
self over unnumbered BGP.

roles/debian/files/ssh.service-override.conf

@@ -0,0 +1,4 @@
+[Service]
+ExecStartPre=sleep 10
+ExecStart=
+ExecStart=/usr/bin/ip vrf exec mgmt /usr/sbin/sshd -D $SSHD_OPTS

roles/debian/handlers/main.yml

@@ -0,0 +1,8 @@
+- name: reboot
+  reboot:
+
+- name: reload frr
+  command: /usr/lib/frr/frr-reload.py --reload /etc/frr/frr.conf
+
+- name: restart frr
+  service: name=frr state=restarted

roles/debian/tasks/main.yml

@@ -0,0 +1,82 @@
+- name: Set up management interface
+  template:
+    dest: /etc/network/interfaces
+    src: interfaces.j2
+    mode: 0644
+  notify: reboot
+
+- name: Set up loopback interface
+  template:
+    dest: /etc/network/interfaces.d/loopback.intf
+    src: loopback.intf.j2
+    mode: 0644
+  notify: reboot
+
+- name: Set up fabric interfaces
+  template:
+    dest: /etc/network/interfaces.d/fabric.intf
+    src: fabric.intf.j2
+    mode: 0644
+  notify: reboot
+
+- name: Install ifupdown2
+  package: name=ifupdown2
+  notify: reboot
+
+- name: Create override directory for ssh service
+  file:
+    path: /etc/systemd/system/ssh.service.d
+    state: directory
+
+- name: Run ssh in mgmt VRF
+  copy:
+    dest: /etc/systemd/system/ssh.service.d/override.conf
+    src: ssh.service-override.conf
+  notify: reboot
+
+# With PAM enabled, login shell would run in default VRF instead of mgmt.
+- name: Disable PAM for ssh
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^UsePAM .*yes'
+    state: absent
+  notify: reboot
+
+# Reboot here if anything changed to ensure the new VRF is up and sshd
+# listens there.
+- meta: flush_handlers
+
+- name: Set up resolv.conf
+  template:
+    dest: /etc/resolv.conf
+    src: resolv.conf.j2
+    mode: 0644
+
+- name: Install essential packages
+  package: name=git,rsync,vim,tmux
+
+- name: Install FRR
+  package: name=frr,frr-pythontools
+
+- name: Enable BGP and BFD
+  lineinfile:
+    path: /etc/frr/daemons
+    regexp: "^{{ item }}="
+    line: "{{ item }}=yes"
+  loop:
+    - bfdd
+    - bgpd
+  notify: restart frr
+
+- name: Copy FRR config
+  template:
+    dest: /etc/frr/frr.conf
+    src: frr.conf.j2
+    mode: 0644
+  notify: reload frr
+
+- name: Enable FRR service
+  service:
+    name: frr
+    enabled: yes
+  notify: restart frr

roles/debian/templates/fabric.intf.j2

@@ -0,0 +1,6 @@
+{% for iface in ifaces_fabric %}
+auto {{ iface }}
+iface {{ iface }}
+    mtu 9216
+
+{% endfor %}

roles/debian/templates/frr.conf.j2

@@ -0,0 +1,28 @@
+frr defaults datacenter
+service integrated-vtysh-config
+log syslog
+
+router bgp {{ asn }}
+  bgp bestpath as-path multipath-relax
+
+  neighbor fabric peer-group
+  neighbor fabric remote-as external
+  neighbor fabric capability extended-nexthop
+
+{% for iface in ifaces_fabric %}
+  neighbor {{ iface }} interface peer-group fabric
+  neighbor {{ iface }} bfd
+{% endfor %}
+
+  address-family ipv4 unicast
+    redistribute connected route-map loopback
+    neighbor fabric activate
+  exit-address-family
+
+  address-family ipv6 unicast
+    redistribute connected route-map loopback
+    neighbor fabric activate
+  exit-address-family
+
+route-map loopback permit 1
+  match interface lo

roles/debian/templates/interfaces.j2

@@ -0,0 +1,14 @@
+source /etc/network/interfaces.d/*
+
+# Management VRF and link.
+auto mgmt
+iface mgmt
+    address 127.0.0.1/8
+    address ::1/128
+    vrf-table auto
+
+auto {{ iface_mgmt }}
+iface {{ iface_mgmt }}
+    vrf mgmt
+    address {{ ansible_host }}/{{ mgmt_gw | ipaddr('prefix') }}
+    gateway {{ mgmt_gw | ipaddr('address') }}

roles/debian/templates/loopback.intf.j2

@@ -0,0 +1,3 @@
+auto lo
+iface lo inet loopback
+    address {{ router_id }}/32

roles/debian/templates/resolv.conf.j2

@@ -0,0 +1,4 @@
+search {{ domain }}
+{% for server in dns %}
+nameserver {{ server }}
+{% endfor %}

setup.yml

@@ -0,0 +1,3 @@
+- hosts: ceph-*
+  roles:
+    - debian