Jonas Forsberg 2021-10-17 13:55:21 +02:00
parent d962e7bc74
commit 2c92cf35e9
13 changed files with 105 additions and 68 deletions


@ -1,29 +1,34 @@
network: network:
domain: suse.lan
hostname: admin hostname: admin
netaddress: 192.168.0.0 domain: suse.lan
netmask: 24 interface: eth0 # to be bridged with wlan0
ip: 192.168.0.1 wireless: wlan0 # not to be managed by NetworkManager
bridge: br0 # hostapd will create this bridgeport
interface: external: eth1
internal: eth0 ip: 192.168.0.1 # all networks are /24
bridge: br0 hosts: # key=hostname to be added to /etc/hosts, value=last octate of IP
external: eth1 rmt: 1
wireless: wlan0 ntp: 1
dns: 1
www: 1
switch: 10
harvester: 20
node1: 21
node2: 22
node3: 23
vlan: vlan:
- -
id: 100 id: 100
address: 192.168.100.1 address: 192.168.100.1
netmask: 24 zone: public
- -
id: 200 id: 200
address: 192.168.200.1 address: 192.168.200.1
netmask: 24 zone: public
- -
id: 250 id: 250
address: 192.168.250.1 address: 192.168.250.1
netmask: 24 zone: airgap
wol: wol:
1: 7c:10:c9:50:17:9b 1: 7c:10:c9:50:17:9b
2: 7c:10:c9:50:17:0a 2: 7c:10:c9:50:17:0a
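Review bot: The `ip: 192.168.0.1` value and each `vlan[].address` now carry an undocumented constraint: every template touched by this commit derives the /24 prefix with `ip[0:-1]`, a slice that drops exactly one character, so it is only correct while the last octet is a single digit (`192.168.0.10` would yield `192.168.0.1` as the "prefix"). Since the `netmask` key was removed in favour of the comment "all networks are /24", that invariant belongs next to the values, e.g. `ip: 192.168.0.1 # gateway; last octet must be a single digit — templates build the /24 prefix with ip[0:-1]`, and the same note on the vlan `address` entries. The `hosts:` comment also misspells octet as `octate`.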


@ -1,2 +1,2 @@
local stratum 10 local stratum 10
allow {{ pillar['network']['netaddress'] }}/{{ pillar['network']['netmask'] }} allow {{ pillar['network']['ip'][0:-1] }}0/24


@ -1,40 +1,40 @@
bind-interfaces #bind-interfaces
server=1.1.1.1 #server=1.1.1.1
server=1.0.0.1 #server=1.0.0.1
domain-needed domain-needed
bogus-priv bogus-priv
#dhcp-range #dhcp-range
dhcp-range={{ pillar['network']['interface']['internal'] }},{{ pillar['network']['ip'][0:-1] }}50,{{ pillar['network']['ip'][0:-1] }}150,12h dhcp-range={{ pillar['network']['interface'] }},{{ pillar['network']['ip'][0:-1] }}50,{{ pillar['network']['ip'][0:-1] }}150,12h
dhcp-range={{ pillar['network']['interface']['wireless'] }},{{ pillar['network']['ip'][0:-1] }}50,{{ pillar['network']['ip'][0:-1] }}150,12h dhcp-range={{ pillar['network']['wireless'] }},{{ pillar['network']['ip'][0:-1] }}50,{{ pillar['network']['ip'][0:-1] }}150,12h
{% for vlan in pillar['network']['vlan'] -%} {% for vlan in pillar['network']['vlan'] -%}
dhcp-range={{ pillar['network']['interface']['internal'] }}.{{ vlan['id'] }},{{ vlan['address'][0:-1] }}50,{{ vlan['address'][0:-1] }}150,12h dhcp-range={{ pillar['network']['interface'] }}.{{ vlan['id'] }},{{ vlan['address'][0:-1] }}50,{{ vlan['address'][0:-1] }}150,12h
{% endfor %} {% endfor %}
#gateway #gateway
dhcp-option={{ pillar['network']['interface']['internal'] }},3,{{ pillar['network']['ip'] }} dhcp-option={{ pillar['network']['interface'] }},3,{{ pillar['network']['ip'] }}
dhcp-option={{ pillar['network']['interface']['wireless'] }},3,{{ pillar['network']['ip'] }} dhcp-option={{ pillar['network']['wireless'] }},3,{{ pillar['network']['ip'] }}
{% for vlan in pillar['network']['vlan'] -%} {% for vlan in pillar['network']['vlan'] -%}
dhcp-option={{ pillar['network']['interface']['internal'] }}.{{ vlan['id'] }},3,{{ vlan['address'] }} dhcp-option={{ pillar['network']['interface'] }}.{{ vlan['id'] }},3,{{ vlan['address'] }}
{% endfor %} {% endfor %}
# dns-server # dns-server
dhcp-option={{ pillar['network']['interface']['internal'] }},6,{{ pillar['network']['ip'] }} dhcp-option={{ pillar['network']['interface'] }},6,{{ pillar['network']['ip'] }}
dhcp-option={{ pillar['network']['interface']['wireless'] }},6,{{ pillar['network']['ip'] }} dhcp-option={{ pillar['network']['wireless'] }},6,{{ pillar['network']['ip'] }}
{% for vlan in pillar['network']['vlan'] -%} {% for vlan in pillar['network']['vlan'] -%}
dhcp-option={{ pillar['network']['interface']['internal'] }}.{{ vlan['id'] }},6,{{ vlan['address'] }} dhcp-option={{ pillar['network']['interface'] }}.{{ vlan['id'] }},6,{{ vlan['address'] }}
{% endfor %} {% endfor %}
#ntp #ntp
dhcp-option={{ pillar['network']['interface']['internal'] }},option:ntp-server,{{ pillar['network']['ip'] }} dhcp-option={{ pillar['network']['interface'] }},option:ntp-server,{{ pillar['network']['ip'] }}
dhcp-option={{ pillar['network']['interface']['wireless'] }},option:ntp-server,{{ pillar['network']['ip'] }} dhcp-option={{ pillar['network']['wireless'] }},option:ntp-server,{{ pillar['network']['ip'] }}
{% for vlan in pillar['network']['vlan'] -%} {% for vlan in pillar['network']['vlan'] -%}
dhcp-option={{ pillar['network']['interface']['internal'] }}.{{ vlan['id'] }},option:ntp-server,{{ vlan['address'] }} dhcp-option={{ pillar['network']['interface'] }}.{{ vlan['id'] }},option:ntp-server,{{ vlan['address'] }}
{% endfor %} {% endfor %}
#PXE #PXE
dhcp-option={{ pillar['network']['interface']['internal'] }},66,{{ pillar['network']['ip'] }} dhcp-option={{ pillar['network']['interface'] }},66,{{ pillar['network']['ip'] }}
dhcp-option={{ pillar['network']['interface']['wireless'] }},66,{{ pillar['network']['ip'] }} dhcp-option={{ pillar['network']['wireless'] }},66,{{ pillar['network']['ip'] }}
{% for vlan in pillar['network']['vlan'] -%} {% for vlan in pillar['network']['vlan'] -%}
dhcp-option={{ pillar['network']['interface']['internal'] }}.{{ vlan['id'] }},66,{{ vlan['address'] }} dhcp-option={{ pillar['network']['interface'] }}.{{ vlan['id'] }},66,{{ vlan['address'] }}
{% endfor %} {% endfor %}
enable-tftp enable-tftp
tftp-root=/srv/tftpboot tftp-root=/srv/tftpboot
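Review bot: Commenting out `bind-interfaces` on the first line, with no `interface=` or `except-interface=` anywhere in the file, makes dnsmasq bind the wildcard address and listen for DNS, DHCP and TFTP on every interface, including the external `eth1` and the WireGuard interface; only the firewalld external zone (ssh, wireguard) then stands between the TFTP/DHCP service and the WAN side. If the intent was to survive `br0` not existing at start-up, `bind-dynamic` is the supported alternative, paired with `except-interface={{ pillar['network']['external'] }}`. Separately, the VLAN rows here tag the device as `{{ pillar['network']['interface'] }}.{{ vlan['id'] }}` (eth0.100) whereas the firewalld state in this commit uses `vlan.{{ vlan['id'] }}`; if the VLAN devices are really named `vlan.100`, these dhcp-range/dhcp-option tags never match and the VLANs get no leases or options. With the `server=` lines also commented out, upstream resolution now depends on whatever `/etc/resolv.conf` the bridge connection writes (`127.0.0.1, 1.1.1.1, 1.1.1.2`), which is worth a comment so the next reader does not re-add the explicit servers by reflex.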


@ -13,7 +13,7 @@ Configure firewalld for external interface:
- prune_interfaces: True - prune_interfaces: True
- prune_sources: True - prune_sources: True
- interfaces: - interfaces:
- {{ pillar['network']['interface']['external'] }} - {{ pillar['network']['external'] }}
- services: - services:
- ssh - ssh
- wireguard - wireguard
@ -26,12 +26,12 @@ Configure firewalld for internal network:
- prune_interfaces: True - prune_interfaces: True
- prune_sources: True - prune_sources: True
- interfaces: - interfaces:
- {{ pillar['network']['interface']['internal'] }} - {{ pillar['network']['interface'] }}
- {{ pillar['wireguard']['iface'] }} - {{ pillar['wireguard']['iface'] }}
- {{ pillar['network']['interface']['wireless'] }} - {{ pillar['network']['wireless'] }}
- {{ pillar['network']['interface']['bridge'] }} - {{ pillar['network']['bridge'] }}
- sources: - sources:
- {{ pillar['network']['netaddress'] }}/{{ pillar['network']['netmask'] }} - {{ pillar['network']['ip'][0:-1] }}0/24
- services: - services:
- ssh - ssh
- dhcp - dhcp
@ -41,7 +41,7 @@ Configure firewalld for internal network:
- dns - dns
- ntp - ntp
Configure firewalld for vlan networks: Configure firewalld for public networks:
firewalld.present: firewalld.present:
- name: public - name: public
- prune_ports: True - prune_ports: True
@ -50,13 +50,46 @@ Configure firewalld for vlan networks:
- prune_sources: True - prune_sources: True
- interfaces: - interfaces:
{% for vlan in pillar['network']['vlan'] -%} {% for vlan in pillar['network']['vlan'] -%}
{% if vlan['zone'] == 'public' -%}
- vlan.{{ vlan['id'] }} - vlan.{{ vlan['id'] }}
{% endif -%}
{% endfor %} {% endfor %}
- sources: - sources:
{% for vlan in pillar['network']['vlan'] -%} {% for vlan in pillar['network']['vlan'] -%}
{% set ip = vlan['address'] -%} {% set ip = vlan['address'] -%}
{% set netmask = vlan['netmask'] -%} {% if vlan['zone'] == 'public' -%}
- {{ ip[0:-1] }}0/{{ netmask }} - {{ ip[0:-1] }}0/24
{% endif -%}
{% endfor %}
- services:
- ssh
- dhcp
- tftp
- http
- https
- dns
- ntp
Configure firewalld for airgap networks:
firewalld.present:
- name: airgap
- prune_ports: True
- prune_services: True
- prune_interfaces: True
- prune_sources: True
- interfaces:
{% for vlan in pillar['network']['vlan'] -%}
{% if vlan['zone'] == 'airgap' -%}
- vlan.{{ vlan['id'] }}
{% endif -%}
{% endfor %}
- sources:
{% for vlan in pillar['network']['vlan'] -%}
{% set ip = vlan['address'] -%}
{% if vlan['zone'] == 'airgap' -%}
- {{ ip[0:-1] }}0/24
{% endif -%}
{% endfor %} {% endfor %}
- services: - services:
- ssh - ssh
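Review bot: The new `airgap` zone is a copy of the `public` block — it ends on the same `- ssh` service, and since the rest of that services list is context outside this hunk it presumably inherits the old VLAN list (dhcp, tftp, http, https, dns, ntp) as well — so the only thing distinguishing the air-gapped VLAN from the public ones is the zone name. If 192.168.250.0/24 is meant to be isolated, the `airgap` services list should be trimmed to what the segment actually needs (dhcp/tftp/ntp at most) and `ssh` dropped, or a comment should explain why an air-gapped segment can reach the admin host's management port. Also, the interfaces here are `vlan.{{ vlan['id'] }}` while the dnsmasq template in this commit addresses the same devices as `{{ pillar['network']['interface'] }}.{{ vlan['id'] }}`; one of the two is wrong, and firewalld silently accepts a non-existent interface name, leaving only the `sources` subnet match in effect.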


@ -1,6 +1,6 @@
country_code={{ pillar['hostapd']['country_code'] }} country_code={{ pillar['hostapd']['country_code'] }}
interface={{ pillar['network']['interface']['wireless'] }} interface={{ pillar['network']['wireless'] }}
bridge={{ pillar['network']['interface']['bridge'] }} bridge={{ pillar['network']['bridge'] }}
ssid={{ pillar['hostapd']['ssid'] }} ssid={{ pillar['hostapd']['ssid'] }}
hw_mode=g hw_mode=g
channel={{ pillar['hostapd']['channel'] }} channel={{ pillar['hostapd']['channel'] }}


@ -1,12 +1,12 @@
Set {{ pillar['network']['interface']['wireless'] }} to not be managed by NetworkManager: Set {{ pillar['network']['wireless'] }} to not be managed by NetworkManager:
cmd.run: cmd.run:
- name: nmcli device set {{ pillar['network']['interface']['wireless'] }} managed no - name: nmcli device set {{ pillar['network']['wireless'] }} managed no
- unless: bash -c "if [[ \"$(nmcli device show {{ pillar['network']['interface']['wireless'] }} | sed -n 's/^GENERAL.STATE.*(\(.*\)).*$/\1/p')\" == \"unmanaged\" ]]; then exit 0; else exit 1; fi" - unless: bash -c "if [[ \"$(nmcli device show {{ pillar['network']['wireless'] }} | sed -n 's/^GENERAL.STATE.*(\(.*\)).*$/\1/p')\" == \"unmanaged\" ]]; then exit 0; else exit 1; fi"
Delete {{ pillar['network']['interface']['internal'] }} connection: Delete {{ pillar['network']['interface'] }} connection:
cmd.run: cmd.run:
- name: nmcli connection delete {{ pillar['network']['interface']['internal'] }} - name: nmcli connection delete {{ pillar['network']['interface'] }}
- unless: nmcli connection show {{ pillar['network']['interface']['internal'] }} > /dev/null - unless: nmcli connection show {{ pillar['network']['interface'] }} > /dev/null
Install hostapd: Install hostapd:
pkg.installed: pkg.installed:
@ -28,19 +28,19 @@ Start hostapd:
- watch: - watch:
- file: Configure hostapd - file: Configure hostapd
Set {{ pillar['network']['interface']['bridge'] }} to be managed by NetworkManager: Set {{ pillar['network']['bridge'] }} to be managed by NetworkManager:
cmd.run: cmd.run:
- name: nmcli device set {{ pillar['network']['interface']['bridge'] }} managed yes - name: nmcli device set {{ pillar['network']['bridge'] }} managed yes
- unless: bash -c "if [[ \"$(nmcli device show {{ pillar['network']['interface']['bridge'] }} | sed -n 's/^GENERAL.STATE.*(\(.*\)).*$/\1/p')\" == \"unmanaged\" ]]; then exit 1; else exit 0; fi" - unless: bash -c "if [[ \"$(nmcli device show {{ pillar['network']['bridge'] }} | sed -n 's/^GENERAL.STATE.*(\(.*\)).*$/\1/p')\" == \"unmanaged\" ]]; then exit 1; else exit 0; fi"
Configure {{ pillar['network']['interface']['bridge'] }} connection: Configure {{ pillar['network']['bridge'] }} connection:
cmd.run: cmd.run:
- name: nmcli connection add con-name {{ pillar['network']['interface']['bridge'] }} type bridge ifname {{ pillar['network']['interface']['bridge'] }} ipv4.method manual ipv4.addresses {{ pillar['network']['ip'] }}/{{ pillar['network']['netmask'] }} ipv4.dns "127.0.0.1, 1.1.1.1, 1.1.1.2" ipv6.method disabled connection.autoconnect yes stp no - name: nmcli connection add con-name {{ pillar['network']['bridge'] }} type bridge ifname {{ pillar['network']['bridge'] }} ipv4.method manual ipv4.addresses {{ pillar['network']['ip'] }}/24 ipv4.dns "127.0.0.1, 1.1.1.1, 1.1.1.2" ipv6.method disabled connection.autoconnect yes stp no
- unless: nmcli connection show {{ pillar['network']['interface']['bridge'] }} > /dev/null - unless: nmcli connection show {{ pillar['network']['bridge'] }} > /dev/null
Add {{ pillar['network']['interface']['internal'] }} to bridge {{ pillar['network']['interface']['bridge'] }}: Add {{ pillar['network']['interface'] }} to bridge {{ pillar['network']['bridge'] }}:
cmd.run: cmd.run:
- name: nmcli connection add con-name {{ pillar['network']['interface']['bridge'] }}-{{ pillar['network']['interface']['internal'] }} ifname {{ pillar['network']['interface']['internal'] }} type bridge-slave master {{ pillar['network']['interface']['bridge'] }} connection.autoconnect yes - name: nmcli connection add con-name {{ pillar['network']['bridge'] }}-{{ pillar['network']['interface'] }} ifname {{ pillar['network']['interface'] }} type bridge-slave master {{ pillar['network']['bridge'] }} connection.autoconnect yes
- unless: nmcli connection show {{ pillar['network']['interface']['bridge'] }}-{{ pillar['network']['interface']['internal'] }} > /dev/null - unless: nmcli connection show {{ pillar['network']['bridge'] }}-{{ pillar['network']['interface'] }} > /dev/null
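Review bot: In the first hunk, `Delete {{ pillar['network']['interface'] }} connection` guards `nmcli connection delete` with `unless: nmcli connection show …`, which is inverted: `unless` skips the state when the check exits 0, i.e. exactly when the connection exists, and runs the delete (which then fails) when it does not. The sibling bridge states correctly use `unless: nmcli connection show …` for `connection add`; the delete needs `- onlyif: nmcli connection show {{ pillar['network']['interface'] }} > /dev/null`. In the second hunk the bridge address is now hard-coded as `{{ pillar['network']['ip'] }}/24` and the resolvers `"127.0.0.1, 1.1.1.1, 1.1.1.2"` are literal in the command line; a `# /24 by convention, see the network pillar` comment, or moving the DNS list into the pillar, would keep those facts in one place.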


@ -24,7 +24,6 @@ ff02::1 ipv6-allnodes
ff02::2 ipv6-allrouters ff02::2 ipv6-allrouters
ff02::3 ipv6-allhosts ff02::3 ipv6-allhosts
{% for svc in ['rmt', 'www'] -%} {% for host, ip in pillar['network']['hosts'].items() -%}
{{ ip }} {{ svc }}.{{ domain }} {{ svc }} {{ pillar['network']['ip'][0:-1] }}{{ ip }} {{ host }}.{{ domain }} {{ host }}
{% endfor %} {% endfor %}
{{ pillar['network']['ip'][0:-1] }}20 harvester.{{ domain }} harvester
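Review bot: The new loop builds each address as `{{ pillar['network']['ip'][0:-1] }}{{ ip }}`, a slice that drops exactly one character, so it yields the right prefix only while the admin IP ends in a single digit (with `ip: 192.168.0.10` and `harvester: 20` it would emit `192.168.0.120`). `{{ pillar['network']['ip'].rsplit('.', 1)[0] }}.{{ ip }}` derives the prefix regardless of octet width. Reusing `ip` as the loop variable on the same line as `pillar['network']['ip']` is also easy to misread; `{% for host, octet in pillar['network']['hosts'].items() -%}` makes the distinction explicit. `domain` is referenced here but defined outside this hunk.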


@ -1,7 +1,7 @@
Configure hosts file: Configure hosts file:
file.managed: file.managed:
- name: /etc/hosts - name: /etc/hosts
- source: salt://hostname/files/hosts.jinja - source: salt://hosts/files/hosts.jinja
- template: jinja - template: jinja
- user: root - user: root
- group: root - group: root
@ -10,7 +10,7 @@ Configure hosts file:
Configure hostname file: Configure hostname file:
file.managed: file.managed:
- name: /etc/hostname - name: /etc/hostname
- source: salt://hostname/files/hostname.jinja - source: salt://hosts/files/hostname.jinja
- template: jinja - template: jinja
- user: root - user: root
- group: root - group: root


@ -61,7 +61,7 @@ Set fqdn for rmt http:
Restart nginx: Restart nginx:
service.running: service.running:
- name: nginx - name: nginx
- enable: Trie - enable: True
- watch: - watch:
- file: Remove rmt http as default site - file: Remove rmt http as default site
- file: Set fqdn for rmt https - file: Set fqdn for rmt https


@ -1,6 +1,6 @@
base: base:
'*': '*':
- hostname - hosts
- ssh - ssh
- chrony - chrony
- atftp - atftp


@ -2,8 +2,8 @@
Address = {{ pillar['wireguard']['address'] }} Address = {{ pillar['wireguard']['address'] }}
PrivateKey = {{ pillar['wireguard']['privatekey'] }} PrivateKey = {{ pillar['wireguard']['privatekey'] }}
ListenPort = {{ pillar['wireguard']['port'] }} ListenPort = {{ pillar['wireguard']['port'] }}
PostUp = iptables -A FORWARD -i {{ pillar['wireguard']['iface'] }} -j ACCEPT; iptables -t nat -A POSTROUTING -o {{ pillar['network']['interface']['internal'] }} -j MASQUERADE PostUp = iptables -A FORWARD -i {{ pillar['wireguard']['iface'] }} -j ACCEPT; iptables -t nat -A POSTROUTING -o {{ pillar['network']['interface'] }} -j MASQUERADE
PostDOWN = iptables -D FORWARD -i {{ pillar['wireguard']['iface'] }} -j ACCEPT; iptables -t nat -D POSTROUTING -o {{ pillar['network']['interface']['internal'] }} -j MASQUERADE PostDOWN = iptables -D FORWARD -i {{ pillar['wireguard']['iface'] }} -j ACCEPT; iptables -t nat -D POSTROUTING -o {{ pillar['network']['interface'] }} -j MASQUERADE
{% for peer in pillar['wireguard']['peers'] -%} {% for peer in pillar['wireguard']['peers'] -%}
[peer] [peer]
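Review bot: `PostDOWN` on the fifth line is not the key wg-quick recognises — its parser matches `PostDown` case-sensitively and, as far as I can tell, hands unknown `[Interface]` keys through to `wg setconf`, which rejects them — so the tunnel will most likely fail to come up, and even if it did, the FORWARD/MASQUERADE rules would never be removed on teardown; rename it to `PostDown`. The MASQUERADE rule targets `-o {{ pillar['network']['interface'] }}` (eth0), but the pillar in this commit marks that port as bridged into `br0`; routed traffic leaves via the bridge, so the rule never matches and should reference `{{ pillar['network']['bridge'] }}`. The unconditional `iptables -A FORWARD -i {{ pillar['wireguard']['iface'] }} -j ACCEPT` also lets every VPN peer reach every local segment, including the VLAN the firewalld state labels `airgap`; if that is not intended, restrict it to the destination networks the peers need.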


@ -7,7 +7,7 @@ do
case "$arg" in case "$arg" in
{% for number, mac in pillar['network']['wol'].items() %} {% for number, mac in pillar['network']['wol'].items() %}
{{ number }}|srv{{ number }}|server{{ number }}) {{ number }}|srv{{ number }}|server{{ number }})
sudo ether-wake -i {{ pillar['network']['interface']['bridge'] }} {{ mac }} sudo ether-wake -i {{ pillar['network']['bridge'] }} {{ mac }}
;; ;;
{% endfor %} {% endfor %}