From 2c92cf35e991a08e5a684abd73853bf2038ace9b Mon Sep 17 00:00:00 2001 From: Jonas Forsberg Date: Sun, 17 Oct 2021 13:55:21 +0200 Subject: [PATCH] . --- salt/pillars/network.sls | 33 +++++++------ salt/states/chrony/files/local.conf.jinja | 2 +- salt/states/dnsmasq/files/tlu.conf.jinja | 36 +++++++------- salt/states/firewalld/init.sls | 49 ++++++++++++++++--- salt/states/hostapd/files/hostapd.conf.jinja | 4 +- salt/states/hostapd/init.sls | 30 ++++++------ .../{hostname => hosts}/files/hostname.jinja | 0 .../{hostname => hosts}/files/hosts.jinja | 5 +- salt/states/{hostname => hosts}/init.sls | 4 +- salt/states/rmt/init.sls | 2 +- salt/states/top.sls | 2 +- .../wireguard/files/interface.conf.template | 4 +- salt/states/wol/files/wol.jinja | 2 +- 13 files changed, 105 insertions(+), 68 deletions(-) rename salt/states/{hostname => hosts}/files/hostname.jinja (100%) rename salt/states/{hostname => hosts}/files/hosts.jinja (85%) rename salt/states/{hostname => hosts}/init.sls (82%) diff --git a/salt/pillars/network.sls b/salt/pillars/network.sls index 26606f6..1866339 100644 --- a/salt/pillars/network.sls +++ b/salt/pillars/network.sls @@ -1,29 +1,34 @@ network: - domain: suse.lan hostname: admin - netaddress: 192.168.0.0 - netmask: 24 - ip: 192.168.0.1 - - interface: - internal: eth0 - bridge: br0 - external: eth1 - wireless: wlan0 - + domain: suse.lan + interface: eth0 # to be bridged with wlan0 + wireless: wlan0 # not to be managed by NetworkManager + bridge: br0 # hostapd will create this bridgeport + external: eth1 + ip: 192.168.0.1 # all networks are /24 + hosts: # key=hostname to be added to /etc/hosts, value=last octate of IP + rmt: 1 + ntp: 1 + dns: 1 + www: 1 + switch: 10 + harvester: 20 + node1: 21 + node2: 22 + node3: 23 vlan: - id: 100 address: 192.168.100.1 - netmask: 24 + zone: public - id: 200 address: 192.168.200.1 - netmask: 24 + zone: public - id: 250 address: 192.168.250.1 - netmask: 24 + zone: airgap wol: 1: 7c:10:c9:50:17:9b 2: 7c:10:c9:50:17:0a 
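Review bot: The comment on the new `ip` line documents the /24 but not the stricter constraint the templates rely on: chrony, dnsmasq, firewalld and hosts.jinja derive the network prefix with `pillar['network']['ip'][0:-1]`, which only yields `192.168.0.` while the host's last octet is a single digit, and the same holds for each `vlan.address`. Suggest stating it where the value is set: `ip: 192.168.0.1 # all networks are /24; keep the last octet a single digit, templates take the prefix as ip[0:-1]`. The `hosts:` comment also has a typo, `octate` should be `octet`.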
diff --git a/salt/states/chrony/files/local.conf.jinja b/salt/states/chrony/files/local.conf.jinja
index a2fa433..f036f56 100644
--- a/salt/states/chrony/files/local.conf.jinja
+++ b/salt/states/chrony/files/local.conf.jinja
@@ -1,2 +1,2 @@
 local stratum 10
-allow {{ pillar['network']['netaddress'] }}/{{ pillar['network']['netmask'] }}
+allow {{ pillar['network']['ip'][0:-1] }}0/24
diff --git a/salt/states/dnsmasq/files/tlu.conf.jinja b/salt/states/dnsmasq/files/tlu.conf.jinja
index fe80148..cb7eab3 100644
--- a/salt/states/dnsmasq/files/tlu.conf.jinja
+++ b/salt/states/dnsmasq/files/tlu.conf.jinja
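Review bot: The rewritten `allow` line still admits only the primary /24, while the dnsmasq template hands every VLAN client an `option:ntp-server` pointing at its `vlan['address']` and the firewalld public zone opens `ntp` for those VLANs, so chronyd will refuse their requests unless each VLAN network is allowed too — assuming this host is meant to serve them. A loop after the existing line keeps it pillar-driven: `{% for vlan in pillar['network']['vlan'] -%}`, `allow {{ vlan['address'][0:-1] }}0/24`, `{% endfor %}`. If NTP is deliberately not served to some VLANs, a comment on the `allow` line saying so would stop the next reader from adding it back.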
@@ -1,40 +1,40 @@ -bind-interfaces -server=1.1.1.1 -server=1.0.0.1 +#bind-interfaces +#server=1.1.1.1 +#server=1.0.0.1 domain-needed bogus-priv #dhcp-range -dhcp-range={{ pillar['network']['interface']['internal'] }},{{ pillar['network']['ip'][0:-1] }}50,{{ pillar['network']['ip'][0:-1] }}150,12h -dhcp-range={{ pillar['network']['interface']['wireless'] }},{{ pillar['network']['ip'][0:-1] }}50,{{ pillar['network']['ip'][0:-1] }}150,12h +dhcp-range={{ pillar['network']['interface'] }},{{ pillar['network']['ip'][0:-1] }}50,{{ pillar['network']['ip'][0:-1] }}150,12h +dhcp-range={{ pillar['network']['wireless'] }},{{ pillar['network']['ip'][0:-1] }}50,{{ pillar['network']['ip'][0:-1] }}150,12h {% for vlan in pillar['network']['vlan'] -%} -dhcp-range={{ pillar['network']['interface']['internal'] }}.{{ vlan['id'] }},{{ vlan['address'][0:-1] }}50,{{ vlan['address'][0:-1] }}150,12h +dhcp-range={{ pillar['network']['interface'] }}.{{ vlan['id'] }},{{ vlan['address'][0:-1] }}50,{{ vlan['address'][0:-1] }}150,12h {% endfor %} #gateway -dhcp-option={{ pillar['network']['interface']['internal'] }},3,{{ pillar['network']['ip'] }} -dhcp-option={{ pillar['network']['interface']['wireless'] }},3,{{ pillar['network']['ip'] }} +dhcp-option={{ pillar['network']['interface'] }},3,{{ pillar['network']['ip'] }} +dhcp-option={{ pillar['network']['wireless'] }},3,{{ pillar['network']['ip'] }} {% for vlan in pillar['network']['vlan'] -%} -dhcp-option={{ pillar['network']['interface']['internal'] }}.{{ vlan['id'] }},3,{{ vlan['address'] }} +dhcp-option={{ pillar['network']['interface'] }}.{{ vlan['id'] }},3,{{ vlan['address'] }} {% endfor %} # dns-server -dhcp-option={{ pillar['network']['interface']['internal'] }},6,{{ pillar['network']['ip'] }} -dhcp-option={{ pillar['network']['interface']['wireless'] }},6,{{ pillar['network']['ip'] }} +dhcp-option={{ pillar['network']['interface'] }},6,{{ pillar['network']['ip'] }} +dhcp-option={{ pillar['network']['wireless'] }},6,{{ 
pillar['network']['ip'] }} {% for vlan in pillar['network']['vlan'] -%} -dhcp-option={{ pillar['network']['interface']['internal'] }}.{{ vlan['id'] }},6,{{ vlan['address'] }} +dhcp-option={{ pillar['network']['interface'] }}.{{ vlan['id'] }},6,{{ vlan['address'] }} {% endfor %} #ntp -dhcp-option={{ pillar['network']['interface']['internal'] }},option:ntp-server,{{ pillar['network']['ip'] }} -dhcp-option={{ pillar['network']['interface']['wireless'] }},option:ntp-server,{{ pillar['network']['ip'] }} +dhcp-option={{ pillar['network']['interface'] }},option:ntp-server,{{ pillar['network']['ip'] }} +dhcp-option={{ pillar['network']['wireless'] }},option:ntp-server,{{ pillar['network']['ip'] }} {% for vlan in pillar['network']['vlan'] -%} -dhcp-option={{ pillar['network']['interface']['internal'] }}.{{ vlan['id'] }},option:ntp-server,{{ vlan['address'] }} +dhcp-option={{ pillar['network']['interface'] }}.{{ vlan['id'] }},option:ntp-server,{{ vlan['address'] }} {% endfor %} #PXE -dhcp-option={{ pillar['network']['interface']['internal'] }},66,{{ pillar['network']['ip'] }} -dhcp-option={{ pillar['network']['interface']['wireless'] }},66,{{ pillar['network']['ip'] }} +dhcp-option={{ pillar['network']['interface'] }},66,{{ pillar['network']['ip'] }} +dhcp-option={{ pillar['network']['wireless'] }},66,{{ pillar['network']['ip'] }} {% for vlan in pillar['network']['vlan'] -%} -dhcp-option={{ pillar['network']['interface']['internal'] }}.{{ vlan['id'] }},66,{{ vlan['address'] }} +dhcp-option={{ pillar['network']['interface'] }}.{{ vlan['id'] }},66,{{ vlan['address'] }} {% endfor %} enable-tftp tftp-root=/srv/tftpboot diff --git a/salt/states/firewalld/init.sls b/salt/states/firewalld/init.sls index 0ca465f..f7c0b69 100644 --- a/salt/states/firewalld/init.sls +++ b/salt/states/firewalld/init.sls 
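Review bot: Commenting out `bind-interfaces` on the first new line makes dnsmasq bind the wildcard address and answer DNS and DHCP on every interface, including `{{ pillar['network']['external'] }}`, so only the firewalld external zone now keeps it off the outside; an `except-interface={{ pillar['network']['external'] }}` line would keep that boundary inside dnsmasq as well. With the two `server=` lines also commented out, upstream resolvers now come from /etc/resolv.conf, which on this host NetworkManager fills from the bridge connection's `ipv4.dns "127.0.0.1, 1.1.1.1, 1.1.1.2"` (hostapd/init.sls) — a comment stating that this is the intended source would help. Separately, the `dhcp-range`/`dhcp-option` entries are still keyed on `pillar['network']['interface']` and `pillar['network']['wireless']`, but hostapd/init.sls enslaves that interface to `pillar['network']['bridge']` and hostapd bridges the wireless one into it, so requests most likely arrive on the bridge and these entries may never match — confirm which interface dnsmasq actually sees.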
@@ -13,7 +13,7 @@ Configure firewalld for external interface: - prune_interfaces: True - prune_sources: True - interfaces: - - {{ pillar['network']['interface']['external'] }} + - {{ pillar['network']['external'] }} - services: - ssh - wireguard @@ -26,12 +26,12 @@ Configure firewalld for internal network: - prune_interfaces: True - prune_sources: True - interfaces: - - {{ pillar['network']['interface']['internal'] }} + - {{ pillar['network']['interface'] }} - {{ pillar['wireguard']['iface'] }} - - {{ pillar['network']['interface']['wireless'] }} - - {{ pillar['network']['interface']['bridge'] }} + - {{ pillar['network']['wireless'] }} + - {{ pillar['network']['bridge'] }} - sources: - - {{ pillar['network']['netaddress'] }}/{{ pillar['network']['netmask'] }} + - {{ pillar['network']['ip'][0:-1] }}0/24 - services: - ssh - dhcp @@ -41,7 +41,7 @@ Configure firewalld for internal network: - dns - ntp -Configure firewalld for vlan networks: +Configure firewalld for public networks: firewalld.present: - name: public - prune_ports: True 
@@ -50,13 +50,46 @@ Configure firewalld for vlan networks: - prune_sources: True - interfaces: {% for vlan in pillar['network']['vlan'] -%} + {% if vlan['zone'] == 'public' -%} - vlan.{{ vlan['id'] }} + {% endif -%} {% endfor %} - sources: {% for vlan in pillar['network']['vlan'] -%} {% set ip = vlan['address'] -%} - {% set netmask = vlan['netmask'] -%} - - {{ ip[0:-1] }}0/{{ netmask }} + {% if vlan['zone'] == 'public' -%} + - {{ ip[0:-1] }}0/24 + {% endif -%} + {% endfor %} + - services: + - ssh + - dhcp + - tftp + - http + - https + - dns + - ntp + + +Configure firewalld for airgap networks: + firewalld.present: + - name: airgap + - prune_ports: True + - prune_services: True + - prune_interfaces: True + - prune_sources: True + - interfaces: + {% for vlan in pillar['network']['vlan'] -%} + {% if vlan['zone'] == 'airgap' -%} + - vlan.{{ vlan['id'] }} + {% endif -%} + {% endfor %} + - sources: + {% for vlan in pillar['network']['vlan'] -%} + {% set ip = vlan['address'] -%} + {% if vlan['zone'] == 'airgap' -%} + - {{ ip[0:-1] }}0/24 + {% endif -%} {% endfor %} - services: - ssh diff --git a/salt/states/hostapd/files/hostapd.conf.jinja b/salt/states/hostapd/files/hostapd.conf.jinja index e8dc03a..9839a68 100644 --- a/salt/states/hostapd/files/hostapd.conf.jinja +++ b/salt/states/hostapd/files/hostapd.conf.jinja @@ -1,6 +1,6 @@ country_code={{ pillar['hostapd']['country_code'] }} -interface={{ pillar['network']['interface']['wireless'] }} -bridge={{ pillar['network']['interface']['bridge'] }} +interface={{ pillar['network']['wireless'] }} +bridge={{ pillar['network']['bridge'] }} ssid={{ pillar['hostapd']['ssid'] }} hw_mode=g channel={{ pillar['hostapd']['channel'] }} diff --git a/salt/states/hostapd/init.sls b/salt/states/hostapd/init.sls index bf875fd..3d06f51 100644 --- a/salt/states/hostapd/init.sls +++ b/salt/states/hostapd/init.sls 
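Review bot: A VLAN whose `zone` is neither `public` nor `airgap` (or is mistyped) is silently matched by neither of the new `{% if vlan['zone'] == ... %}` guards, and with `prune_interfaces: True` on both states that interface ends up in firewalld's default zone rather than the isolated one; consider a short validation at the top of the file that fails rendering when a `vlan` entry's `zone` is outside the known set. The nested `{% if %}` blocks can also be folded into the loop header, `{% for vlan in pillar['network']['vlan'] if vlan['zone'] == 'airgap' -%}` (likewise for public), which removes the four `{% endif -%}` lines. The airgap zone's `- services:` list starts with `ssh` and continues outside the hunk; if that zone is meant to be more restrictive than public, a comment on the state naming what it deliberately withholds would make that intent checkable.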
@@ -1,12 +1,12 @@ -Set {{ pillar['network']['interface']['wireless'] }} to not be managed by NetworkManager: +Set {{ pillar['network']['wireless'] }} to not be managed by NetworkManager: cmd.run: - - name: nmcli device set {{ pillar['network']['interface']['wireless'] }} managed no - - unless: bash -c "if [[ \"$(nmcli device show {{ pillar['network']['interface']['wireless'] }} | sed -n 's/^GENERAL.STATE.*(\(.*\)).*$/\1/p')\" == \"unmanaged\" ]]; then exit 0; else exit 1; fi" + - name: nmcli device set {{ pillar['network']['wireless'] }} managed no + - unless: bash -c "if [[ \"$(nmcli device show {{ pillar['network']['wireless'] }} | sed -n 's/^GENERAL.STATE.*(\(.*\)).*$/\1/p')\" == \"unmanaged\" ]]; then exit 0; else exit 1; fi" -Delete {{ pillar['network']['interface']['internal'] }} connection: +Delete {{ pillar['network']['interface'] }} connection: cmd.run: - - name: nmcli connection delete {{ pillar['network']['interface']['internal'] }} - - unless: nmcli connection show {{ pillar['network']['interface']['internal'] }} > /dev/null + - name: nmcli connection delete {{ pillar['network']['interface'] }} + - unless: nmcli connection show {{ pillar['network']['interface'] }} > /dev/null Install hostapd: pkg.installed: 
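Review bot: The `unless` on the `Delete {{ pillar['network']['interface'] }} connection` state is inverted: `nmcli connection show <name>` exits 0 when the connection exists, so `unless` skips the delete exactly when there is something to delete and runs it (and fails) when there is not. The guard should be `- onlyif: nmcli connection show {{ pillar['network']['interface'] }} > /dev/null`, the mirror image of the `unless` that is correct on the later `nmcli connection add` states. This predates the rename, but the hunk rewrites the line.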
@@ -28,19 +28,19 @@ Start hostapd: - watch: - file: Configure hostapd -Set {{ pillar['network']['interface']['bridge'] }} to be managed by NetworkManager: +Set {{ pillar['network']['bridge'] }} to be managed by NetworkManager: cmd.run: - - name: nmcli device set {{ pillar['network']['interface']['bridge'] }} managed yes - - unless: bash -c "if [[ \"$(nmcli device show {{ pillar['network']['interface']['bridge'] }} | sed -n 's/^GENERAL.STATE.*(\(.*\)).*$/\1/p')\" == \"unmanaged\" ]]; then exit 1; else exit 0; fi" + - name: nmcli device set {{ pillar['network']['bridge'] }} managed yes + - unless: bash -c "if [[ \"$(nmcli device show {{ pillar['network']['bridge'] }} | sed -n 's/^GENERAL.STATE.*(\(.*\)).*$/\1/p')\" == \"unmanaged\" ]]; then exit 1; else exit 0; fi" -Configure {{ pillar['network']['interface']['bridge'] }} connection: +Configure {{ pillar['network']['bridge'] }} connection: cmd.run: - - name: nmcli connection add con-name {{ pillar['network']['interface']['bridge'] }} type bridge ifname {{ pillar['network']['interface']['bridge'] }} ipv4.method manual ipv4.addresses {{ pillar['network']['ip'] }}/{{ pillar['network']['netmask'] }} ipv4.dns "127.0.0.1, 1.1.1.1, 1.1.1.2" ipv6.method disabled connection.autoconnect yes stp no - - unless: nmcli connection show {{ pillar['network']['interface']['bridge'] }} > /dev/null + - name: nmcli connection add con-name {{ pillar['network']['bridge'] }} type bridge ifname {{ pillar['network']['bridge'] }} ipv4.method manual ipv4.addresses {{ pillar['network']['ip'] }}/24 ipv4.dns "127.0.0.1, 1.1.1.1, 1.1.1.2" ipv6.method disabled connection.autoconnect yes stp no + - unless: nmcli connection show {{ pillar['network']['bridge'] }} > /dev/null -Add {{ pillar['network']['interface']['internal'] }} to bridge {{ pillar['network']['interface']['bridge'] }}: +Add {{ pillar['network']['interface'] }} to bridge {{ pillar['network']['bridge'] }}: cmd.run: - - name: nmcli connection add con-name {{ 
pillar['network']['interface']['bridge'] }}-{{ pillar['network']['interface']['internal'] }} ifname {{ pillar['network']['interface']['internal'] }} type bridge-slave master {{ pillar['network']['interface']['bridge'] }} connection.autoconnect yes - - unless: nmcli connection show {{ pillar['network']['interface']['bridge'] }}-{{ pillar['network']['interface']['internal'] }} > /dev/null + - name: nmcli connection add con-name {{ pillar['network']['bridge'] }}-{{ pillar['network']['interface'] }} ifname {{ pillar['network']['interface'] }} type bridge-slave master {{ pillar['network']['bridge'] }} connection.autoconnect yes + - unless: nmcli connection show {{ pillar['network']['bridge'] }}-{{ pillar['network']['interface'] }} > /dev/null diff --git a/salt/states/hostname/files/hostname.jinja b/salt/states/hosts/files/hostname.jinja similarity index 100% rename from salt/states/hostname/files/hostname.jinja rename to salt/states/hosts/files/hostname.jinja diff --git a/salt/states/hostname/files/hosts.jinja b/salt/states/hosts/files/hosts.jinja similarity index 85% rename from salt/states/hostname/files/hosts.jinja rename to salt/states/hosts/files/hosts.jinja index ef2f8be..07b086c 100644 --- a/salt/states/hostname/files/hosts.jinja +++ b/salt/states/hosts/files/hosts.jinja @@ -24,7 +24,6 @@ ff02::1 ipv6-allnodes ff02::2 ipv6-allrouters ff02::3 ipv6-allhosts -{% for svc in ['rmt', 'www'] -%} -{{ ip }} {{ svc }}.{{ domain }} {{ svc }} +{% for host, ip in pillar['network']['hosts'].items() -%} +{{ pillar['network']['ip'][0:-1] }}{{ ip }} {{ host }}.{{ domain }} {{ host }} {% endfor %} -{{ pillar['network']['ip'][0:-1] }}20 harvester.{{ domain }} harvester diff --git a/salt/states/hostname/init.sls b/salt/states/hosts/init.sls similarity index 82% rename from salt/states/hostname/init.sls rename to salt/states/hosts/init.sls index 8261a52..08daa6c 100644 --- a/salt/states/hostname/init.sls +++ b/salt/states/hosts/init.sls 
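Review bot: The `unless: nmcli connection show {{ pillar['network']['bridge'] }}` guards on the `Configure … connection` and `Add … to bridge` states only test that a connection of that name exists, so once the bridge has been created a later change to `pillar['network']['ip']`, to the now hard-coded `/24`, or to the `ipv4.dns` list is never applied and the state still reports success. Keep the existence check for `nmcli connection add`, and add a second `cmd.run` that runs `nmcli connection modify {{ pillar['network']['bridge'] }} ipv4.addresses {{ pillar['network']['ip'] }}/24` guarded by an `unless` comparing `nmcli -g ipv4.addresses connection show {{ pillar['network']['bridge'] }}` with the desired value. The literal `/24` now appears here, in chrony, dnsmasq, firewalld and hosts; a one-line comment pointing at the pillar's "all networks are /24" remark would tie them together.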
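Review bot: The loop variable `ip` in the new `{% for host, ip in pillar['network']['hosts'].items() -%}` holds a last-octet number, yet `ip` was already the name of the address the removed line printed (presumably set above the hunk), so inside the loop the same name means two different things. Renaming it makes the composition readable: `{% for host, octet in pillar['network']['hosts'].items() -%}` and `{{ pillar['network']['ip'][0:-1] }}{{ octet }} {{ host }}.{{ domain }} {{ host }}`.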
@@ -1,7 +1,7 @@ Configure hosts file: file.managed: - name: /etc/hosts - - source: salt://hostname/files/hosts.jinja + - source: salt://hosts/files/hosts.jinja - template: jinja - user: root - group: root @@ -10,7 +10,7 @@ Configure hosts file: Configure hostname file: file.managed: - name: /etc/hostname - - source: salt://hostname/files/hostname.jinja + - source: salt://hosts/files/hostname.jinja - template: jinja - user: root - group: root diff --git a/salt/states/rmt/init.sls b/salt/states/rmt/init.sls index c50d720..20a497e 100644 --- a/salt/states/rmt/init.sls +++ b/salt/states/rmt/init.sls @@ -61,7 +61,7 @@ Set fqdn for rmt http: Restart nginx: service.running: - name: nginx - - enable: Trie + - enable: True - watch: - file: Remove rmt http as default site - file: Set fqdn for rmt https diff --git a/salt/states/top.sls b/salt/states/top.sls index 5776101..837fb32 100644 --- a/salt/states/top.sls +++ b/salt/states/top.sls @@ -1,6 +1,6 @@ base: '*': - - hostname + - hosts - ssh - chrony - atftp diff --git a/salt/states/wireguard/files/interface.conf.template b/salt/states/wireguard/files/interface.conf.template index 15d3ece..5f56ff3 100644 --- a/salt/states/wireguard/files/interface.conf.template +++ b/salt/states/wireguard/files/interface.conf.template 
@@ -2,8 +2,8 @@ Address = {{ pillar['wireguard']['address'] }} PrivateKey = {{ pillar['wireguard']['privatekey'] }} ListenPort = {{ pillar['wireguard']['port'] }} -PostUp = iptables -A FORWARD -i {{ pillar['wireguard']['iface'] }} -j ACCEPT; iptables -t nat -A POSTROUTING -o {{ pillar['network']['interface']['internal'] }} -j MASQUERADE -PostDOWN = iptables -D FORWARD -i {{ pillar['wireguard']['iface'] }} -j ACCEPT; iptables -t nat -D POSTROUTING -o {{ pillar['network']['interface']['internal'] }} -j MASQUERADE +PostUp = iptables -A FORWARD -i {{ pillar['wireguard']['iface'] }} -j ACCEPT; iptables -t nat -A POSTROUTING -o {{ pillar['network']['interface'] }} -j MASQUERADE +PostDOWN = iptables -D FORWARD -i {{ pillar['wireguard']['iface'] }} -j ACCEPT; iptables -t nat -D POSTROUTING -o {{ pillar['network']['interface'] }} -j MASQUERADE {% for peer in pillar['wireguard']['peers'] -%} [peer] diff --git a/salt/states/wol/files/wol.jinja b/salt/states/wol/files/wol.jinja index aaf4f61..fab5d6e 100644 --- a/salt/states/wol/files/wol.jinja +++ b/salt/states/wol/files/wol.jinja @@ -7,7 +7,7 @@ do case "$arg" in {% for number, mac in pillar['network']['wol'].items() %} {{ number }}|srv{{ number }}|server{{ number }}) - sudo ether-wake -i {{ pillar['network']['interface']['bridge'] }} {{ mac }} + sudo ether-wake -i {{ pillar['network']['bridge'] }} {{ mac }} ;; {% endfor %}
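Review bot: The rewritten `PostUp`/`PostDOWN` rules masquerade on `-o {{ pillar['network']['interface'] }}`, but hostapd/init.sls enslaves that interface to `{{ pillar['network']['bridge'] }}` and gives the bridge the LAN address, so routed traffic leaves on the bridge and the `-o eth0` match would never fire, leaving peer traffic un-NATed. If that is the case, `-o {{ pillar['network']['bridge'] }}` is the interface to name; please confirm against the host's routing table. These are also plain iptables rules next to a firewalld-managed ruleset, which deserves a comment on how the two are expected to coexist.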