This commit is contained in:
Jonas Forsberg 2021-10-17 13:55:21 +02:00
parent d962e7bc74
commit 2c92cf35e9
13 changed files with 105 additions and 68 deletions


@ -1,29 +1,34 @@
network:
domain: suse.lan
hostname: admin
netaddress: 192.168.0.0
netmask: 24
ip: 192.168.0.1
interface:
internal: eth0
bridge: br0
domain: suse.lan
interface: eth0 # to be bridged with wlan0
wireless: wlan0 # not to be managed by NetworkManager
bridge: br0 # hostapd will create this bridgeport
external: eth1
wireless: wlan0
ip: 192.168.0.1 # all networks are /24
hosts: # key=hostname to be added to /etc/hosts, value=last octate of IP
rmt: 1
ntp: 1
dns: 1
www: 1
switch: 10
harvester: 20
node1: 21
node2: 22
node3: 23
vlan:
-
id: 100
address: 192.168.100.1
netmask: 24
zone: public
-
id: 200
address: 192.168.200.1
netmask: 24
zone: public
-
id: 250
address: 192.168.250.1
netmask: 24
zone: airgap
wol:
1: 7c:10:c9:50:17:9b
2: 7c:10:c9:50:17:0a
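Review bot: The `zone` value on each vlan entry is consumed as a firewalld zone name and string-compared in the firewalld state (`vlan['zone'] == 'public'` / `'airgap'`), but nothing in the pillar says which values are recognised, so an entry with any other zone silently lands in no zone at all. A comment on the first entry would pin that down, e.g. `zone: public # firewalld zone; the firewalld state only handles 'public' and 'airgap', anything else is ignored`. The `hosts` comment also misspells octet (`octate`), and the `# all networks are /24` remark on `ip` would be more useful if it stated the convention the templates in this commit depend on: the last character of `ip` is dropped and the host octet appended, so the address must end in a single-digit host octet.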


@ -1,2 +1,2 @@
local stratum 10
allow {{ pillar['network']['netaddress'] }}/{{ pillar['network']['netmask'] }}
allow {{ pillar['network']['ip'][0:-1] }}0/24
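Review bot: `{{ pillar['network']['ip'][0:-1] }}0/24` derives the network by dropping the last character of the host address, which only yields the right prefix while the host octet is a single digit; with `ip: 192.168.0.10` this renders `allow 192.168.0.10/24`, and the same slice feeds dnsmasq's `dhcp-range`/`dhcp-option` lines, the firewalld `sources` entries and the `/etc/hosts` template in this commit. Splitting on the last dot works for any IPv4 host address: `{% set net = pillar['network']['ip'].rsplit('.', 1)[0] %}` followed by `allow {{ net }}.0/24`. The `netaddress`/`netmask` pair this line replaces did not carry that constraint, so if the slice stays, the constraint belongs in a comment next to `ip` in the pillar.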


@ -1,40 +1,40 @@
bind-interfaces
server=1.1.1.1
server=1.0.0.1
#bind-interfaces
#server=1.1.1.1
#server=1.0.0.1
domain-needed
bogus-priv
#dhcp-range
dhcp-range={{ pillar['network']['interface']['internal'] }},{{ pillar['network']['ip'][0:-1] }}50,{{ pillar['network']['ip'][0:-1] }}150,12h
dhcp-range={{ pillar['network']['interface']['wireless'] }},{{ pillar['network']['ip'][0:-1] }}50,{{ pillar['network']['ip'][0:-1] }}150,12h
dhcp-range={{ pillar['network']['interface'] }},{{ pillar['network']['ip'][0:-1] }}50,{{ pillar['network']['ip'][0:-1] }}150,12h
dhcp-range={{ pillar['network']['wireless'] }},{{ pillar['network']['ip'][0:-1] }}50,{{ pillar['network']['ip'][0:-1] }}150,12h
{% for vlan in pillar['network']['vlan'] -%}
dhcp-range={{ pillar['network']['interface']['internal'] }}.{{ vlan['id'] }},{{ vlan['address'][0:-1] }}50,{{ vlan['address'][0:-1] }}150,12h
dhcp-range={{ pillar['network']['interface'] }}.{{ vlan['id'] }},{{ vlan['address'][0:-1] }}50,{{ vlan['address'][0:-1] }}150,12h
{% endfor %}
#gateway
dhcp-option={{ pillar['network']['interface']['internal'] }},3,{{ pillar['network']['ip'] }}
dhcp-option={{ pillar['network']['interface']['wireless'] }},3,{{ pillar['network']['ip'] }}
dhcp-option={{ pillar['network']['interface'] }},3,{{ pillar['network']['ip'] }}
dhcp-option={{ pillar['network']['wireless'] }},3,{{ pillar['network']['ip'] }}
{% for vlan in pillar['network']['vlan'] -%}
dhcp-option={{ pillar['network']['interface']['internal'] }}.{{ vlan['id'] }},3,{{ vlan['address'] }}
dhcp-option={{ pillar['network']['interface'] }}.{{ vlan['id'] }},3,{{ vlan['address'] }}
{% endfor %}
# dns-server
dhcp-option={{ pillar['network']['interface']['internal'] }},6,{{ pillar['network']['ip'] }}
dhcp-option={{ pillar['network']['interface']['wireless'] }},6,{{ pillar['network']['ip'] }}
dhcp-option={{ pillar['network']['interface'] }},6,{{ pillar['network']['ip'] }}
dhcp-option={{ pillar['network']['wireless'] }},6,{{ pillar['network']['ip'] }}
{% for vlan in pillar['network']['vlan'] -%}
dhcp-option={{ pillar['network']['interface']['internal'] }}.{{ vlan['id'] }},6,{{ vlan['address'] }}
dhcp-option={{ pillar['network']['interface'] }}.{{ vlan['id'] }},6,{{ vlan['address'] }}
{% endfor %}
#ntp
dhcp-option={{ pillar['network']['interface']['internal'] }},option:ntp-server,{{ pillar['network']['ip'] }}
dhcp-option={{ pillar['network']['interface']['wireless'] }},option:ntp-server,{{ pillar['network']['ip'] }}
dhcp-option={{ pillar['network']['interface'] }},option:ntp-server,{{ pillar['network']['ip'] }}
dhcp-option={{ pillar['network']['wireless'] }},option:ntp-server,{{ pillar['network']['ip'] }}
{% for vlan in pillar['network']['vlan'] -%}
dhcp-option={{ pillar['network']['interface']['internal'] }}.{{ vlan['id'] }},option:ntp-server,{{ vlan['address'] }}
dhcp-option={{ pillar['network']['interface'] }}.{{ vlan['id'] }},option:ntp-server,{{ vlan['address'] }}
{% endfor %}
#PXE
dhcp-option={{ pillar['network']['interface']['internal'] }},66,{{ pillar['network']['ip'] }}
dhcp-option={{ pillar['network']['interface']['wireless'] }},66,{{ pillar['network']['ip'] }}
dhcp-option={{ pillar['network']['interface'] }},66,{{ pillar['network']['ip'] }}
dhcp-option={{ pillar['network']['wireless'] }},66,{{ pillar['network']['ip'] }}
{% for vlan in pillar['network']['vlan'] -%}
dhcp-option={{ pillar['network']['interface']['internal'] }}.{{ vlan['id'] }},66,{{ vlan['address'] }}
dhcp-option={{ pillar['network']['interface'] }}.{{ vlan['id'] }},66,{{ vlan['address'] }}
{% endfor %}
enable-tftp
tftp-root=/srv/tftpboot
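Review bot: The per-interface `dhcp-range` and `dhcp-option` lines now name the internal NIC and the wireless NIC, while the nmcli state in this commit enslaves the internal NIC to the bridge and puts the LAN address on the bridge; requests then arrive on the bridge, and lines keyed on the member NIC names presumably never match, so `pillar['network']['bridge']` looks like the interface these lines should reference (the wireless NIC is also bridged by hostapd per the pillar comment). This page does not mark old/new sides, but if the commented-out `#bind-interfaces` and `#server=` lines at the top are the new state, dnsmasq binds the wildcard address and serves DNS on every interface including the external one, with upstream resolution falling back to /etc/resolv.conf; the firewalld external zone limits the exposure, but the intent deserves a comment, or `bind-interfaces` plus explicit `interface=` lines. Confirm on a rendered config with `dnsmasq --test` and a lease attempt from a bridged client.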


@ -13,7 +13,7 @@ Configure firewalld for external interface:
- prune_interfaces: True
- prune_sources: True
- interfaces:
- {{ pillar['network']['interface']['external'] }}
- {{ pillar['network']['external'] }}
- services:
- ssh
- wireguard
@ -26,12 +26,12 @@ Configure firewalld for internal network:
- prune_interfaces: True
- prune_sources: True
- interfaces:
- {{ pillar['network']['interface']['internal'] }}
- {{ pillar['network']['interface'] }}
- {{ pillar['wireguard']['iface'] }}
- {{ pillar['network']['interface']['wireless'] }}
- {{ pillar['network']['interface']['bridge'] }}
- {{ pillar['network']['wireless'] }}
- {{ pillar['network']['bridge'] }}
- sources:
- {{ pillar['network']['netaddress'] }}/{{ pillar['network']['netmask'] }}
- {{ pillar['network']['ip'][0:-1] }}0/24
- services:
- ssh
- dhcp
@ -41,7 +41,7 @@ Configure firewalld for internal network:
- dns
- ntp
Configure firewalld for vlan networks:
Configure firewalld for public networks:
firewalld.present:
- name: public
- prune_ports: True
@ -50,13 +50,46 @@ Configure firewalld for vlan networks:
- prune_sources: True
- interfaces:
{% for vlan in pillar['network']['vlan'] -%}
{% if vlan['zone'] == 'public' -%}
- vlan.{{ vlan['id'] }}
{% endif -%}
{% endfor %}
- sources:
{% for vlan in pillar['network']['vlan'] -%}
{% set ip = vlan['address'] -%}
{% set netmask = vlan['netmask'] -%}
- {{ ip[0:-1] }}0/{{ netmask }}
{% if vlan['zone'] == 'public' -%}
- {{ ip[0:-1] }}0/24
{% endif -%}
{% endfor %}
- services:
- ssh
- dhcp
- tftp
- http
- https
- dns
- ntp
Configure firewalld for airgap networks:
firewalld.present:
- name: airgap
- prune_ports: True
- prune_services: True
- prune_interfaces: True
- prune_sources: True
- interfaces:
{% for vlan in pillar['network']['vlan'] -%}
{% if vlan['zone'] == 'airgap' -%}
- vlan.{{ vlan['id'] }}
{% endif -%}
{% endfor %}
- sources:
{% for vlan in pillar['network']['vlan'] -%}
{% set ip = vlan['address'] -%}
{% if vlan['zone'] == 'airgap' -%}
- {{ ip[0:-1] }}0/24
{% endif -%}
{% endfor %}
- services:
- ssh
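Review bot: In the `@ -50,13 +50,46` hunk the `sources` entries are rendered as `{{ ip[0:-1] }}0/24`, dropping the `{{ netmask }}` the replaced line used, while every vlan entry in the pillar still carries `netmask: 24`; that key is now dead for this state, so either keep `- {{ ip[0:-1] }}0/{{ vlan['netmask'] }}` or remove the key from the pillar so the two cannot drift. The `public` zone being reconfigured here with `prune_interfaces`/`prune_sources` is also firewalld's default zone, so any interface not explicitly assigned elsewhere inherits dhcp/tftp/http/https/dns/ntp — inferred, since the default-zone setting is not visible, but a dedicated zone name (e.g. `vlan`) would make the scope explicit. The new `airgap` zone allows only `ssh`, yet the dnsmasq template in this commit still emits a `dhcp-range` and DNS/NTP options for every vlan including the airgap one; if airgap clients are meant to get leases, `dhcp` has to be listed under `services` here, otherwise the airgap vlans should be skipped in the dnsmasq loops so the two files agree.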


@ -1,6 +1,6 @@
country_code={{ pillar['hostapd']['country_code'] }}
interface={{ pillar['network']['interface']['wireless'] }}
bridge={{ pillar['network']['interface']['bridge'] }}
interface={{ pillar['network']['wireless'] }}
bridge={{ pillar['network']['bridge'] }}
ssid={{ pillar['hostapd']['ssid'] }}
hw_mode=g
channel={{ pillar['hostapd']['channel'] }}


@ -1,12 +1,12 @@
Set {{ pillar['network']['interface']['wireless'] }} to not be managed by NetworkManager:
Set {{ pillar['network']['wireless'] }} to not be managed by NetworkManager:
cmd.run:
- name: nmcli device set {{ pillar['network']['interface']['wireless'] }} managed no
- unless: bash -c "if [[ \"$(nmcli device show {{ pillar['network']['interface']['wireless'] }} | sed -n 's/^GENERAL.STATE.*(\(.*\)).*$/\1/p')\" == \"unmanaged\" ]]; then exit 0; else exit 1; fi"
- name: nmcli device set {{ pillar['network']['wireless'] }} managed no
- unless: bash -c "if [[ \"$(nmcli device show {{ pillar['network']['wireless'] }} | sed -n 's/^GENERAL.STATE.*(\(.*\)).*$/\1/p')\" == \"unmanaged\" ]]; then exit 0; else exit 1; fi"
Delete {{ pillar['network']['interface']['internal'] }} connection:
Delete {{ pillar['network']['interface'] }} connection:
cmd.run:
- name: nmcli connection delete {{ pillar['network']['interface']['internal'] }}
- unless: nmcli connection show {{ pillar['network']['interface']['internal'] }} > /dev/null
- name: nmcli connection delete {{ pillar['network']['interface'] }}
- unless: nmcli connection show {{ pillar['network']['interface'] }} > /dev/null
Install hostapd:
pkg.installed:
@ -28,19 +28,19 @@ Start hostapd:
- watch:
- file: Configure hostapd
Set {{ pillar['network']['interface']['bridge'] }} to be managed by NetworkManager:
Set {{ pillar['network']['bridge'] }} to be managed by NetworkManager:
cmd.run:
- name: nmcli device set {{ pillar['network']['interface']['bridge'] }} managed yes
- unless: bash -c "if [[ \"$(nmcli device show {{ pillar['network']['interface']['bridge'] }} | sed -n 's/^GENERAL.STATE.*(\(.*\)).*$/\1/p')\" == \"unmanaged\" ]]; then exit 1; else exit 0; fi"
- name: nmcli device set {{ pillar['network']['bridge'] }} managed yes
- unless: bash -c "if [[ \"$(nmcli device show {{ pillar['network']['bridge'] }} | sed -n 's/^GENERAL.STATE.*(\(.*\)).*$/\1/p')\" == \"unmanaged\" ]]; then exit 1; else exit 0; fi"
Configure {{ pillar['network']['interface']['bridge'] }} connection:
Configure {{ pillar['network']['bridge'] }} connection:
cmd.run:
- name: nmcli connection add con-name {{ pillar['network']['interface']['bridge'] }} type bridge ifname {{ pillar['network']['interface']['bridge'] }} ipv4.method manual ipv4.addresses {{ pillar['network']['ip'] }}/{{ pillar['network']['netmask'] }} ipv4.dns "127.0.0.1, 1.1.1.1, 1.1.1.2" ipv6.method disabled connection.autoconnect yes stp no
- unless: nmcli connection show {{ pillar['network']['interface']['bridge'] }} > /dev/null
- name: nmcli connection add con-name {{ pillar['network']['bridge'] }} type bridge ifname {{ pillar['network']['bridge'] }} ipv4.method manual ipv4.addresses {{ pillar['network']['ip'] }}/24 ipv4.dns "127.0.0.1, 1.1.1.1, 1.1.1.2" ipv6.method disabled connection.autoconnect yes stp no
- unless: nmcli connection show {{ pillar['network']['bridge'] }} > /dev/null
Add {{ pillar['network']['interface']['internal'] }} to bridge {{ pillar['network']['interface']['bridge'] }}:
Add {{ pillar['network']['interface'] }} to bridge {{ pillar['network']['bridge'] }}:
cmd.run:
- name: nmcli connection add con-name {{ pillar['network']['interface']['bridge'] }}-{{ pillar['network']['interface']['internal'] }} ifname {{ pillar['network']['interface']['internal'] }} type bridge-slave master {{ pillar['network']['interface']['bridge'] }} connection.autoconnect yes
- unless: nmcli connection show {{ pillar['network']['interface']['bridge'] }}-{{ pillar['network']['interface']['internal'] }} > /dev/null
- name: nmcli connection add con-name {{ pillar['network']['bridge'] }}-{{ pillar['network']['interface'] }} ifname {{ pillar['network']['interface'] }} type bridge-slave master {{ pillar['network']['bridge'] }} connection.autoconnect yes
- unless: nmcli connection show {{ pillar['network']['bridge'] }}-{{ pillar['network']['interface'] }} > /dev/null
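Review bot: In the first hunk, the `Delete … connection` state has its guard inverted: `- unless: nmcli connection show {{ pillar['network']['interface'] }} > /dev/null` skips the delete exactly when that connection exists and runs it (and fails) when it does not, assuming the connection id matches the device name as the delete command itself assumes; it should be `- onlyif: nmcli connection show {{ pillar['network']['interface'] }} > /dev/null`. The `unless` form is right for the `connection add` states later in the section, which is presumably where it was copied from. Not introduced by this commit, but the line is rewritten here, so it is worth fixing in the same pass; the whole state is within the hunk.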


@ -24,7 +24,6 @@ ff02::1 ipv6-allnodes
ff02::2 ipv6-allrouters
ff02::3 ipv6-allhosts
{% for svc in ['rmt', 'www'] -%}
{{ ip }} {{ svc }}.{{ domain }} {{ svc }}
{% for host, ip in pillar['network']['hosts'].items() -%}
{{ pillar['network']['ip'][0:-1] }}{{ ip }} {{ host }}.{{ domain }} {{ host }}
{% endfor %}
{{ pillar['network']['ip'][0:-1] }}20 harvester.{{ domain }} harvester


@ -1,7 +1,7 @@
Configure hosts file:
file.managed:
- name: /etc/hosts
- source: salt://hostname/files/hosts.jinja
- source: salt://hosts/files/hosts.jinja
- template: jinja
- user: root
- group: root
@ -10,7 +10,7 @@ Configure hosts file:
Configure hostname file:
file.managed:
- name: /etc/hostname
- source: salt://hostname/files/hostname.jinja
- source: salt://hosts/files/hostname.jinja
- template: jinja
- user: root
- group: root


@ -61,7 +61,7 @@ Set fqdn for rmt http:
Restart nginx:
service.running:
- name: nginx
- enable: Trie
- enable: True
- watch:
- file: Remove rmt http as default site
- file: Set fqdn for rmt https


@ -1,6 +1,6 @@
base:
'*':
- hostname
- hosts
- ssh
- chrony
- atftp


@ -2,8 +2,8 @@
Address = {{ pillar['wireguard']['address'] }}
PrivateKey = {{ pillar['wireguard']['privatekey'] }}
ListenPort = {{ pillar['wireguard']['port'] }}
PostUp = iptables -A FORWARD -i {{ pillar['wireguard']['iface'] }} -j ACCEPT; iptables -t nat -A POSTROUTING -o {{ pillar['network']['interface']['internal'] }} -j MASQUERADE
PostDOWN = iptables -D FORWARD -i {{ pillar['wireguard']['iface'] }} -j ACCEPT; iptables -t nat -D POSTROUTING -o {{ pillar['network']['interface']['internal'] }} -j MASQUERADE
PostUp = iptables -A FORWARD -i {{ pillar['wireguard']['iface'] }} -j ACCEPT; iptables -t nat -A POSTROUTING -o {{ pillar['network']['interface'] }} -j MASQUERADE
PostDOWN = iptables -D FORWARD -i {{ pillar['wireguard']['iface'] }} -j ACCEPT; iptables -t nat -D POSTROUTING -o {{ pillar['network']['interface'] }} -j MASQUERADE
{% for peer in pillar['wireguard']['peers'] -%}
[peer]
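Review bot: The `PostUp`/`PostDOWN` MASQUERADE rules now use `-o {{ pillar['network']['interface'] }}`, the internal NIC, but the nmcli state in this commit enslaves that NIC to the bridge and assigns the LAN address to the bridge; routed traffic from peers then egresses on the bridge, so an `-o` match on the member NIC never fires and peers reach the LAN un-NATed, or not at all depending on return routes. Inferred from the bridge setup, but if that is the topology the output interface should be `-o {{ pillar['network']['bridge'] }}`. Since firewalld manages the ruleset elsewhere in this commit, a comment noting that these iptables rules are added outside firewalld's zones would help the next reader understand why traffic from the wireguard interface is allowed here rather than in a zone.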


@ -7,7 +7,7 @@ do
case "$arg" in
{% for number, mac in pillar['network']['wol'].items() %}
{{ number }}|srv{{ number }}|server{{ number }})
sudo ether-wake -i {{ pillar['network']['interface']['bridge'] }} {{ mac }}
sudo ether-wake -i {{ pillar['network']['bridge'] }} {{ mac }}
;;
{% endfor %}