From 0c78905bb2a991fc50c97df54a9d46e60ac3ea84 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Tue, 28 Jun 2022 23:08:08 +0200
Subject: [PATCH 1/5] [thot] Fix slapd IP
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
host_vars/thot.adm.crans.org.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/host_vars/thot.adm.crans.org.yml b/host_vars/thot.adm.crans.org.yml
index efe08b40..0279d897 100644
--- a/host_vars/thot.adm.crans.org.yml
+++ b/host_vars/thot.adm.crans.org.yml
@@ -6,6 +6,6 @@ loc_borg: - /var loc_slapd: - ip: "{{ query('ldap', 'ip', 'ft', 'adm') | ipv4 | first }}" + ip: "{{ query('ldap', 'ip', 'thot', 'adm') | ipv4 | first }}" replica: true replica_rid: 5
-- GitLab
From 66269841a77b3f1d88f4fca4370c924aa5a45aa4 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Tue, 28 Jun 2022 23:10:21 +0200
Subject: [PATCH 2/5] Create 3 different Wireguard tunnels
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
host_vars/boeing.adm.crans.org.yml | 40 +++++++++++++++++++-----
host_vars/routeur-ft.adm.crans.org.yml | 18 +++++------
host_vars/routeur-thot.adm.crans.org.yml | 19 +++++------
host_vars/sputnik.adm.crans.org.yml | 2 +-
4 files changed, 53 insertions(+), 26 deletions(-)
diff --git a/host_vars/boeing.adm.crans.org.yml b/host_vars/boeing.adm.crans.org.yml
index e945734b..dad7adac 100644
--- a/host_vars/boeing.adm.crans.org.yml
+++ b/host_vars/boeing.adm.crans.org.yml
@@ -7,7 +7,7 @@ loc_wireguard: tunnels: - name: "sputnik" listen_port: 51820 - private_key: "{{ vault.wireguard.boeing.privkey }}" + private_key: "{{ vault.wireguard.boeing.sputnik.privkey }}" table: "off" peers: - public_key: "{{ vault.wireguard.sputnik.pubkey }}"
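Review bot: The new `private_key: "{{ vault.wireguard.boeing.sputnik.privkey }}"` (and `…boeing.viarezo.privkey` / `…boeing.aurore.privkey` in the next hunk, with the matching `…pubkey` entries referenced on routeur-ft, routeur-thot and sputnik) points at vault keys that no file in this series adds, so the vault is presumably updated out of band. Before merging, confirm that each of the three boeing tunnels gets its own freshly generated key pair rather than the old `vault.wireguard.boeing.privkey` copied under three names; the split only lets a tunnel be rotated or revoked independently if the keys actually differ. Once that is done the old `vault.wireguard.boeing.pubkey`/`privkey` entries can be dropped so any stale reference fails at render time instead of silently reusing the shared key.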
@@ -15,23 +15,49 @@ loc_wireguard: - "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv4 | first }}/32" - "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv6 | first }}/128" endpoint: "{{ query('ldap', 'ip', 'sputnik', 'srv') | ipv4 | first }}:51820" + post_up: + - "sysctl -w net.ipv4.conf.%i.proxy_arp=1" + - "sysctl -w net.ipv6.conf.%i.proxy_ndp=1" + - "python3 /var/local/services/proxy/proxy.py --alter" + pre_down: + - "sysctl -w net.ipv4.conf.%i.proxy_arp=0" + - "sysctl -w net.ipv6.conf.%i.proxy_ndp=0" + - "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy" + - name: "viarezo" + listen_port: 51821 + private_key: "{{ vault.wireguard.boeing.viarezo.privkey }}" + table: "off" + peers: - public_key: "{{ vault.wireguard.routeur_ft.pubkey }}" allowed_ips: - "{{ query('ldap', 'network', 'adm') }}" - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64" persistent_keepalive: 25 + post_up: + - "sysctl -w net.ipv4.conf.%i.proxy_arp=1" + - "sysctl -w net.ipv6.conf.%i.proxy_ndp=1" + - "python3 /var/local/services/proxy/proxy.py --alter" + pre_down: + - "sysctl -w net.ipv4.conf.%i.proxy_arp=0" + - "sysctl -w net.ipv6.conf.%i.proxy_ndp=0" + - "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy" + - name: "aurore" + listen_port: 51822 + private_key: "{{ vault.wireguard.boeing.aurore.privkey }}" + table: "off" + peers: - public_key: "{{ vault.wireguard.routeur_thot.pubkey }}" allowed_ips: - "{{ query('ldap', 'network', 'adm') }}" - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64" persistent_keepalive: 25 post_up: - - "sysctl -w net.ipv4.conf.all.forwarding=1; sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.sputnik.proxy_arp=1" - - "sysctl -w net.ipv6.conf.all.forwarding=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=1" + - "sysctl -w net.ipv4.conf.%i.proxy_arp=1" + - "sysctl -w net.ipv6.conf.%i.proxy_ndp=1" - "python3 
/var/local/services/proxy/proxy.py --alter" pre_down: - - "sysctl -w net.ipv4.conf.all.forwarding=0; sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.sputnik.proxy_arp=0" - - "sysctl -w net.ipv6.conf.all.forwarding=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=0" + - "sysctl -w net.ipv4.conf.%i.proxy_arp=0" + - "sysctl -w net.ipv6.conf.%i.proxy_ndp=0" - "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy" loc_service_proxy:
@@ -42,6 +68,6 @@ loc_service_proxy: filter: "adm.crans.org" proxy: default: "ens18" - viarezo: "sputnik" - aurore: "sputnik" + viarezo: "viarezo" + aurore: "aurore" ovh: "sputnik"
diff --git a/host_vars/routeur-ft.adm.crans.org.yml b/host_vars/routeur-ft.adm.crans.org.yml
index 7b5b403f..dfabbc24 100644
--- a/host_vars/routeur-ft.adm.crans.org.yml
+++ b/host_vars/routeur-ft.adm.crans.org.yml
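Review bot: The rewritten `post_up`/`pre_down` lists for all three tunnels drop the `net.ipv4.conf.all.forwarding` / `net.ipv6.conf.all.forwarding` and `ens18.proxy_arp` / `ens18.proxy_ndp` sysctls that the removed lines set, and nothing else in this commit sets them; they only come back in the `arpproxy` role introduced in PATCH 3/5, so on this commit alone forwarding on boeing is left to whatever the host already has. Either reorder the series so the role lands first or state in the commit message that 3/5 is a prerequisite. The `%i` placeholder is presumably expanded to the interface name by wg-quick, but the template that renders these lists is not in the diff, so check that it does not quote or escape it. The identical eight-line `post_up`/`pre_down` block is now pasted three times; a shared default that the tunnel entries inherit would keep them from drifting apart.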
@@ -5,25 +5,25 @@ interfaces: loc_wireguard: tunnels: - - name: "wg0" + - name: "boeing" listen_port: 51820 private_key: "{{ vault.wireguard.routeur_ft.privkey }}" table: "off" peers: - - public_key: "{{ vault.wireguard.boeing.pubkey }}" + - public_key: "{{ vault.wireguard.boeing.viarezo.pubkey }}" allowed_ips: - "{{ query('ldap', 'network', 'adm') }}" - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64" - endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ipv4 | first }}:51820" + endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ipv4 | first }}:51821" persistent_keepalive: 25 post_up: - - "sysctl -w net.ipv4.conf.all.forwarding=1; sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.wg0.proxy_arp=1" - - "sysctl -w net.ipv6.conf.all.forwarding=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.wg0.proxy_ndp=1" - - "ip route add 172.16.10.1 dev wg0 proto proxy" + - "sysctl -w net.ipv4.conf.%i.proxy_arp=1" + - "sysctl -w net.ipv6.conf.%i.proxy_ndp=1" + - "ip route add 172.16.10.1 dev %i proto proxy" - "python3 /var/local/services/proxy/proxy.py --alter" pre_down: - - "sysctl -w net.ipv4.conf.all.forwarding=0; sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.wg0.proxy_arp=0" - - "sysctl -w net.ipv6.conf.all.forwarding=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.wg0.proxy_ndp=0" + - "sysctl -w net.ipv4.conf.%i.proxy_arp=0" + - "sysctl -w net.ipv6.conf.%i.proxy_ndp=0" - "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy" loc_service_proxy:
@@ -33,5 +33,5 @@ loc_service_proxy: protocol: "proxy" filter: "adm.crans.org" proxy: - default: "wg0" + default: "boeing" viarezo: "ens18"
diff --git a/host_vars/routeur-thot.adm.crans.org.yml b/host_vars/routeur-thot.adm.crans.org.yml
index d5c81610..3bd9c1c5 100644
--- a/host_vars/routeur-thot.adm.crans.org.yml
+++ b/host_vars/routeur-thot.adm.crans.org.yml
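Review bot: Renaming the tunnel from `"wg0"` to `"boeing"` while keeping `listen_port: 51820` makes the new interface compete for the same UDP port with the old one on an already-deployed router; unless the wireguard role tears down interfaces that disappear from `tunnels` (the role is not in this diff), `boeing` will fail to bind until `wg0` is brought down by hand, so a note in the commit message or a one-off cleanup task would avoid a surprise at the next run. `- "ip route add 172.16.10.1 dev %i proto proxy"` keeps a literal address in a file where every other address comes from `query('ldap', …)`; the same literal is in the routeur-thot hunk below, so a single variable shared by both routers (the proxy config they already merge is a natural place) would keep the two from drifting. Both points apply unchanged to the routeur-thot hunk that follows.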
@@ -5,27 +5,28 @@ interfaces: loc_wireguard: tunnels: - - name: "wg0" + - name: "boeing" listen_port: 51820 private_key: "{{ vault.wireguard.routeur_thot.privkey }}" table: "off" peers: - - public_key: "{{ vault.wireguard.boeing.pubkey }}" + - public_key: "{{ vault.wireguard.boeing.aurore.pubkey }}" allowed_ips: - "{{ query('ldap', 'network', 'adm') }}" - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64" - endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ipv4 | first }}:51820" + endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ipv4 | first }}:51822" persistent_keepalive: 25 post_up: - - "sysctl -w net.ipv4.conf.all.forwarding=1; sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.wg0.proxy_arp=1" - - "sysctl -w net.ipv6.conf.all.forwarding=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.wg0.proxy_ndp=1" - - "ip route add 172.16.10.1 dev wg0 proto proxy" + - "sysctl -w net.ipv4.conf.%i.proxy_arp=1" + - "sysctl -w net.ipv6.conf.%i.proxy_ndp=1" + - "ip route add 172.16.10.1 dev %i proto proxy" - "python3 /var/local/services/proxy/proxy.py --alter" pre_down: - - "sysctl -w net.ipv4.conf.all.forwarding=0; sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.wg0.proxy_arp=0" - - "sysctl -w net.ipv6.conf.all.forwarding=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.wg0.proxy_ndp=0" + - "sysctl -w net.ipv4.conf.%i.proxy_arp=0" + - "sysctl -w net.ipv6.conf.%i.proxy_ndp=0" - "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy" + loc_service_proxy: config: ldap:
@@ -33,5 +34,5 @@ loc_service_proxy: protocol: "proxy" filter: "adm.crans.org" proxy: - default: "wg0" + default: "boeing" aurore: "ens18"
diff --git a/host_vars/sputnik.adm.crans.org.yml b/host_vars/sputnik.adm.crans.org.yml
index 356ff00d..5416e20b 100644
--- a/host_vars/sputnik.adm.crans.org.yml
+++ b/host_vars/sputnik.adm.crans.org.yml
@@ -17,7 +17,7 @@ loc_wireguard: listen_port: 51820 private_key: "{{ vault.wireguard.sputnik.privkey }}" peers: - - public_key: "{{ vault.wireguard.boeing.pubkey }}" + - public_key: "{{ vault.wireguard.boeing.sputnik.pubkey }}" allowed_ips: - "{{ query('ldap', 'network', 'adm') }}" - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
-- GitLab
From 4fe189f2488e553c385da72f5ed38d848e5e5ab8 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Tue, 28 Jun 2022 23:12:03 +0200
Subject: [PATCH 3/5] [proxy] Enable IP forwarding and ARP and NDP proxies
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
group_vars/arpproxy.yml | 2 ++
plays/arpproxy.yml | 1 +
roles/arpproxy/tasks/main.yml | 22 ++++++++++++++++++++++
3 files changed, 25 insertions(+)
create mode 100644 roles/arpproxy/tasks/main.yml
diff --git a/group_vars/arpproxy.yml b/group_vars/arpproxy.yml
index 172e0743..f5db4b2a 100644
--- a/group_vars/arpproxy.yml
+++ b/group_vars/arpproxy.yml
@@ -9,3 +9,5 @@ glob_service_proxy: cron: frequency: "* * * * *" options: "--alter" + proto_id: 201 + main_interface: ens18
diff --git a/plays/arpproxy.yml b/plays/arpproxy.yml
index ddc4fdd2..dc6fd820 100755
--- a/plays/arpproxy.yml
+++ b/plays/arpproxy.yml
@@ -5,3 +5,4 @@ service: "{{ glob_service_proxy | default({}) | combine(loc_service_proxy | default({})) }}" roles: - service + - arpproxy
diff --git a/roles/arpproxy/tasks/main.yml b/roles/arpproxy/tasks/main.yml
new file mode 100644
index 00000000..0f514893
--- /dev/null
+++ b/roles/arpproxy/tasks/main.yml
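Review bot: `main_interface: ens18` in the `arpproxy` group vars assumes every host in that group has the same primary NIC name; the removed `post_up` lines on boeing, routeur-ft and routeur-thot all referenced `ens18`, so it holds for the current members, but the assumption is not written down anywhere. Since the play already merges `glob_service_proxy` with `loc_service_proxy`, a per-host override is the intended escape hatch, and a comment above the key saying so would help the next person who adds a host: `# physical interface on which ARP/NDP proxying is enabled; override per host in loc_service_proxy`. A similar one-line comment on `proto_id` noting that it must be a free entry in `/etc/iproute2/rt_protos` would document the 201 choice.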
@@ -0,0 +1,22 @@
+---
+- name: Register proto proxy
+ lineinfile:
+ path: /etc/iproute2/rt_protos.d/proxy.conf
+ regexp: "^\\d+ proxy$"
+ line: "{{ service.proto_id }} {{ service.config.protocol }}"
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Enable IP forward and ARP and NDP proxies
+ sysctl:
+ name: "{{ item.name }}"
+ value: "1"
+ sysctl_file: "/etc/sysctl.d/{{ item.file }}.conf"
+ sysctl_set: true
+ reload: true
+ loop:
+ - {name: "net.ipv4.ip_forward", file: "10-forwarding"}
+ - {name: "net.ipv6.conf.all.forwarding", file: "10-forwarding"}
+ - {name: "net.ipv4.conf.{{ service.main_interface }}.proxy_arp", file: "11-proxy-{{ service.main_interface }}"}
+ - {name: "net.ipv6.conf.{{ service.main_interface }}.proxy_ndp", file: "11-proxy-{{ service.main_interface }}"}
-- GitLab
From e97a7663134af41963f082d6c5baae1a03265581 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Tue, 28 Jun 2022 23:13:44 +0200
Subject: [PATCH 4/5] Add thot servers
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
hosts | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/hosts b/hosts
index 3f3f03b3..a934adcb 100644
--- a/hosts
+++ b/hosts
@@ -6,7 +6,7 @@ zamok.adm.crans.org [arpproxy] boeing.adm.crans.org routeur-ft.adm.crans.org -#routeur-thot.adm.crans.org +routeur-thot.adm.crans.org [autoconfig] hodaur.adm.crans.org
@@ -16,7 +16,7 @@ cameron.adm.crans.org [backups] backup-ft.adm.crans.org -#backup-thot.adm.crans.org +backup-thot.adm.crans.org [baie] cameron.adm.crans.org
@@ -270,7 +270,7 @@ sputnik.adm.crans.org [wireguard] boeing.adm.crans.org routeur-ft.adm.crans.org -#routeur-thot.adm.crans.org +routeur-thot.adm.crans.org sputnik.adm.crans.org [crans_routeurs:children]
@@ -341,8 +341,8 @@ viarezo_vm thot.adm.crans.org [aurore_vm] -#backup-thot.adm.crans.org -#routeur-thot.adm.crans.org +backup-thot.adm.crans.org +routeur-thot.adm.crans.org [aurore:children] aurore_physical
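Review bot: `regexp: "^\\d+ proxy$"` hard-codes the protocol name while `line:` renders `{{ service.config.protocol }}`; if the two ever differ, `lineinfile` appends a second entry instead of replacing the old one and `ip route … proto` ends up resolving whichever line iproute2 reads last. Use `regexp: "^\\d+ {{ service.config.protocol }}$"` so the match and the written line come from the same variable. `mode: 0644` is an unquoted octal literal that YAML 1.1 parsers hand to Ansible as the integer 420; Ansible tolerates the leading-zero form, but `mode: "0644"` is the documented way to write it and avoids the decimal trap if the zero is ever dropped. The persisted `proxy_arp`/`proxy_ndp` on `{{ service.main_interface }}` make the host answer ARP/NDP for every destination it has a route to on that segment; the removed per-tunnel `post_up` lines did the same, but this version survives reboots and is no longer undone on tunnel down, which deserves a comment on the task so it is not mistaken for an accidental leftover.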
@@ -357,6 +357,7 @@ ceph-storage-b.adm.crans.org tilque.adm.crans.org [crans_vm:children] +aurore_vm forget_me routeurs_vm viarezo_vm
-- GitLab
From 4ef3f912a949357a74c804a06fa966c242340758 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Tue, 28 Jun 2022 23:25:20 +0200
Subject: [PATCH 5/5] Add missing YAML header
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
group_vars/virtu_adh.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/group_vars/virtu_adh.yml b/group_vars/virtu_adh.yml
index d3a5f3e9..8c780d09 100644
--- a/group_vars/virtu_adh.yml
+++ b/group_vars/virtu_adh.yml
@@ -1,3 +1,4 @@ +--- glob_service_proxmox_user: git: remote: https://gitlab.adm.crans.org/nounous/proxmox-user.git
-- GitLab