Timotej Lazar
cf6b682cf8
Create a self-signed CA, set up group configs, add script to allow new connections through the firewall. In the base debian role, drop the default nftables forward chain with drop policy because it clashes with this. If you enable forwarding on a debian host, make sure to configure the firewall. |
||
|---|---|---|
| files | ||
| filter_plugins | ||
| roles | ||
| templates | ||
| .gitignore | ||
| ansible.cfg | ||
| inventory.yml | ||
| LICENSE | ||
| README.md | ||
| setup.yml | ||
| UNLICENSE | ||
These Ansible roles set up servers running various Linux distributions to participate in BGP routing. Device and IP address data are pulled from NetBox. A separate VRF mgmt is configured for a L2 management interface.
Setup
Each server should have the following information recorded in NetBox:
- network interfaces
mgmt*: used for management (Ansible) access; must define MAC and IP address - network interfaces
lan*: used for BGP routing; must define MAC address - network interface
lo: must define the IP address to announce over BGP, also serves as router ID
MAC addresses are used to rename interfaces in the host OS. Prefix for the management IP address should define the gateway custom field.
Run
Create a read-only token in NetBox. Define required variables:
export NETBOX_API=<url>
export NETBOX_TOKEN=<token>
Run one-off tasks with (add --key-file or other options as necessary):
ansible -m ping 'server-*'
Run a playbook with:
ansible-playbook setup.yml -l 'server-*'