Ansible scripts for FRI servers
Timotej Lazar e7f9132571 proxmox: set up firewall
Firewall policy is set in NetBox as cluster services¹. For Proxmox we
have to manually allow communication between nodes when using L3,
since the default management ipset does not get populated correctly.
We also need to open VTEP communication between nodes, which the
default rules don’t. We allow all inter-node traffic, as SSH without
passwords must be permitted anyway.

This also adds some helper filters that are spectacularly annoying to
implement purely in templates.

¹ There is actually no such thing as a cluster service (yet?), so
instead we create a fake VM for the cluster, define services for it,
and then add the same services to a custom field on the cluster.
An alternative would be to tie services to a specific node, but that
could be problematic if that node is replaced.
2024-04-05 06:00:50 +02:00
filter_plugins proxmox: set up firewall 2024-04-05 06:00:50 +02:00
roles proxmox: set up firewall 2024-04-05 06:00:50 +02:00
templates Add udev rules for renaming all interfaces with defined MAC address 2024-02-26 13:26:05 +01:00
ansible.cfg Add ansible.cfg 2023-11-20 12:57:41 +01:00
inventory.yml ceph: improve cluster setup 2024-03-01 08:45:51 +01:00
README.md Pox upon the NETPOX in README.md 2023-11-06 13:05:13 +01:00
setup.yml proxmox: only advertise local routes 2024-04-04 10:17:58 +02:00

These Ansible roles set up servers running various Linux distributions to participate in BGP routing. Device and IP address data are pulled from NetBox. A separate VRF, mgmt, is configured for an L2 management interface.

Setup

Each server should have the following information recorded in NetBox:

  • network interfaces mgmt*: used for management (Ansible) access; must define a MAC address and an IP address
  • network interfaces lan*: used for BGP routing; must define a MAC address
  • network interface lo: must define the IP address to announce over BGP, which also serves as the router ID

For the management IP address, another address in the same prefix should be defined with the tag gateway.
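As an added example (not code from this repository), a small pre-flight check that the NetBox records for a server carry everything listed above, run against constructed sample records; the record shape and field names are an assumption, simplified from NetBox's API objects, not the output of nb_inventory:

```python
import ipaddress
import re
from fnmatch import fnmatch

# Assumed, simplified record shape: one dict per device with its interfaces;
# addresses are "ip/prefixlen" strings and tags are plain lists of names.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

def check_device(device, addresses):
    """Return the README requirements this device violates (empty list = ready)."""
    problems = []
    ifaces = {i["name"]: i for i in device["interfaces"]}
    mgmt = [i for n, i in ifaces.items() if fnmatch(n, "mgmt*")]
    lan = [i for n, i in ifaces.items() if fnmatch(n, "lan*")]
    if not mgmt:
        problems.append("no mgmt* interface for Ansible access")
    for i in mgmt:
        if not MAC_RE.match(i.get("mac") or ""):
            problems.append(f"{i['name']}: missing or malformed MAC")
        if not i.get("address"):
            problems.append(f"{i['name']}: missing management IP address")
            continue
        # The gateway is another address in the same prefix carrying the tag 'gateway'.
        net = ipaddress.ip_interface(i["address"]).network
        if not any("gateway" in a.get("tags", ()) and a["address"] != i["address"]
                   and ipaddress.ip_interface(a["address"]).ip in net for a in addresses):
            problems.append(f"{i['name']}: no address tagged 'gateway' in {net}")
    if not lan:
        problems.append("no lan* interface for BGP")
    for i in lan:
        if not MAC_RE.match(i.get("mac") or ""):
            problems.append(f"{i['name']}: missing or malformed MAC")
    lo = ifaces.get("lo")
    if lo is None or not lo.get("address"):
        problems.append("lo: missing IP address to announce over BGP (router ID)")
    return problems

# Constructed sample data, not taken from any real NetBox instance.
GOOD = {"name": "server-1", "interfaces": [
    {"name": "mgmt0", "mac": "52:54:00:aa:bb:01", "address": "10.0.0.11/24"},
    {"name": "lan0", "mac": "52:54:00:aa:bb:02"},
    {"name": "lo", "address": "10.255.0.11/32"}]}
BAD = {"name": "server-2", "interfaces": [
    {"name": "mgmt0", "mac": "52:54:00:aa:bb:11", "address": "10.0.1.12/24"},
    {"name": "lan0", "mac": "not-a-mac"},
    {"name": "lo"}]}
ADDRESSES = [{"address": "10.0.0.1/24", "tags": ["gateway"]}]

if __name__ == "__main__":
    for dev in (GOOD, BAD):
        print(dev["name"], check_device(dev, ADDRESSES) or "ok")
```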

Run

Create a read-only token in NetBox. Define the required variables:

# one for nb_inventory and one for nb_lookup
export NETBOX_API_KEY=<token>
export NETBOX_TOKEN="${NETBOX_API_KEY}"
# one for both
export NETBOX_API=<netbox API endpoint>

Run one-off tasks with (add --key-file or other options as necessary):

ansible -i inventory.yml -m ping 'server-*'

Run a playbook with:

ansible-playbook setup.yml -i inventory.yml -l 'server-*'