Commit graph

31 commits

Author SHA1 Message Date
Timotej Lazar 2e3d7d180d proxmox: set mail relay 2024-09-10 10:18:40 +02:00
Gašper Fele-Žorž e2edd63efe proxmox: add dependency for ldap sync script
Install python3-ldap3.
2024-09-05 10:56:50 +02:00
Timotej Lazar 17c8e84498 proxmox: support certificate renewals with ACME
Certificates must still be requested manually, this just sets the
domain and opens up port 80/tcp. Nothing listens there except for
certbot during renewals so that’s OK.
2024-09-04 16:54:47 +02:00
Timotej Lazar 1c1dd52325 proxmox: support public services for firewall
If no allowed IPs are set for a service, allow connections from anywhere.
2024-09-04 16:44:46 +02:00
Timotej Lazar 211d4bdb9a Deconsolidate network setup for proxmox and debian roles
They are just different enough to be annoying.
2024-08-28 12:43:14 +02:00
Timotej Lazar c3d1a6c4b1 proxmox: fix handling empty values in LDAP sync script
Don’t put "None" for email and such.
2024-08-20 15:08:57 +02:00
Timotej Lazar 036f7c8b74 Support custom allowed_ips field for services
Like allowed_prefixes, but for single IP addresses. Currently used
just for DHCP server to allow (only) packets from relays.
2024-08-03 11:44:03 +02:00
Timotej Lazar f10d94612f Factor out password store retrieval 2024-07-04 15:31:57 +02:00
Timotej Lazar 29598ef4bb Rework service handling
Allow running playbooks without NetBox access. Mainly to bootstrap
NetBox itself.

Would prefer not to access network from filter plugins, so maybe do
that at some point also.
2024-06-19 13:33:32 +02:00
Timotej Lazar 25bcddede1 Factor frr role from debian, ceph and proxmox
Consolidate base system and networking setup into debian role and BGP
configuration into frr role. Add facts role to collect data from NetBox
once to avoid many slow lookups. Also many other tweaks and cleanups.
2024-05-19 14:21:25 +02:00
Timotej Lazar be915dcf69 proxmox: only install firewall rules on one node
And let the cluster take care of distribution.
2024-05-14 12:40:33 +02:00
Timotej Lazar 3f53c84865 proxmox: add LDAP user sync script
Since OIDC auth doesn’t support groups, get them from AD over LDAP.

Add a script to fetch user and groups, and update /etc/pve/user.cfg. The
script is only installed on one node (first alphabetically), with a cron
job to run it daily.

The script is installed for clusters with the sync-ldap context key set
to a corresponding OIDC realm. The keys ldap_user and ldap_pass must be
present in the password store under cluster/<name>.
2024-05-14 12:04:35 +02:00
Timotej Lazar 5a7fa02909 proxmox: don’t route host traffic over VNIs
Very bad, much slow.
2024-05-05 12:58:54 +02:00
Timotej Lazar a637da5c21 proxmox: set vxlan-local-tunnelip for loopback interface
Oops. Not sure why stuff apparently worked without it. Especially
switchd on exits which worked itself into a bit of a frenzy.
2024-04-22 13:30:35 +02:00
Timotej Lazar 923d877208 proxmox: use inner L3 info for ECMP hashing
I’m sure I saw fib_multipath_hash_policy=2 (or =1 from last commit)
actually working once, but cannot reproduce. Maybe revisit this at
some point.
2024-04-08 08:49:16 +02:00
Timotej Lazar f404922d6b proxmox: use L4 info for ECMP hashing
This should make VXLAN-encapsulated traffic multipath.
2024-04-05 10:28:15 +02:00
Timotej Lazar e7f9132571 proxmox: set up firewall
Firewall policy is set in NetBox as cluster services¹. For Proxmox we
have to manually allow communication between nodes when using L3,
since the default management ipset does not get populated correctly.
We also need to open VTEP communication between nodes, which the
default rules don’t. We allow all inter-node traffic, as SSH without
passwords must be permitted anyway.

This also adds some helper filters that are spectacularly annoying to
implement purely in templates.

¹ There is actually no such thing as a cluster service (yet?), so
instead we create a fake VM for the cluster, define services for it,
and then add the same services to a custom field on the cluster.
Alternative would be to tie services to a specific node, but that
could be problematic if that node is replaced.
2024-04-05 06:00:50 +02:00
Timotej Lazar 2095494531 proxmox: only advertise local routes
Of course.
2024-04-04 10:17:58 +02:00
Timotej Lazar 14439048fa proxmox: set datacenter defaults for frr 2024-03-22 18:51:29 +01:00
Timotej Lazar 0af8474e52 proxmox: consolidate interface templates 2024-02-26 16:52:01 +01:00
Timotej Lazar fbfdc83ee5 proxmox: use multiple non-VLAN-aware bridges
The Proxmox SDN feature does not play nice with our FRR and VXLAN setup.
With a single bridge we can’t have interface aliases. So use a bridge
for each VLAN. Actually don’t even have VLANs, just bridges mainlined
into VXLAN tunnels.

Read the list of VLANs carried by Proxmox nodes from a custom field on
the cluster in NetBox. Remove the vmbr0 device from individual nodes.
2024-02-20 16:43:47 +01:00
Timotej Lazar d399fc0a24 proxmox: simplify interface setup tasks 2023-11-20 14:13:46 +01:00
Timotej Lazar 2d89cd730c proxmox: get all data from netbox 2023-11-20 12:56:34 +01:00
Timotej Lazar 62a3dc5121 proxmox: fix SFTP in management VRF 2023-11-20 12:55:52 +01:00
Timotej Lazar c9479cc786 proxmox: set hostname 2023-10-20 09:05:54 +02:00
Timotej Lazar 68efa7adcf proxmox: simplify bridge definition 2023-10-19 10:18:50 +02:00
Timotej Lazar 0c1cc14e01 proxmox: add initial support for L2 VXLAN
I heard we like L2 so I put some L2 in our L3 so we can L2 as we L3 on L2.
2023-10-18 15:02:36 +02:00
Timotej Lazar ce2d0f3cd4 proxmox: add interfaces for fabric links
Same as debian.
2023-10-05 12:43:35 +02:00
Timotej Lazar a324da076b Consolidate interface setup for debian and proxmox roles 2023-07-20 13:46:13 +02:00
Timotej Lazar 2330edf479 proxmox: standardize interface names and set up management VRF
No idea how badly this clashes with GUI configuration.
2023-07-17 16:39:40 +02:00
Timotej Lazar aae782a66b Add role to set up base Proxmox server 2023-07-14 16:12:03 +02:00