this is the shit

legacy
Astro 6 years ago
parent bcb2bcbbb8
commit 1964c45369

@ -5,6 +5,9 @@ base:
- vlans
'*gw':
- dhcp
'anon1':
- vpn.anon1
- upstream.anon1
'upstream1':
- upstream.upstream1
'server1':

@ -0,0 +1,2 @@
upstream:
interface: ipredator

@ -1,2 +1,2 @@
upstream:
dhcp_interface: up1
interface: up1

@ -0,0 +1,84 @@
#!yaml|gpg
openvpn:
ipredator:
server: ipv6.openvpn.ipredator.se
user: |
-----BEGIN PGP MESSAGE-----
hQEMA2PKcvDMvlKLAQf9H1XFAYkM7XFoStSeqeDk9b6cG3kqqN9wXEprDg5lkXc8
yhL7tF79HzzY18MQ5Cn24LRkoZtwsJkJNOaDdySpiEh34SP0m64Tuwj8gPrFGpSK
phox6e4/vpWw0BnM1hJaaQxd86qng9Ptv3U1afz98kcU0kxAKcrQZN77sTMrTF8K
Kw/6rnPPKF72PqspLcL/Sxl49MaEg8aJMO+TT26IiML4cu7N+ZEykgsfmpaoVhIG
r2xO1FBAPGjyh71G7HJWcsrBTq+y4jRMapEbIrUOusULXcOffe+hqQcOGX09Uv1Q
1B+ZkaNxwohhbrkpEqOhfL5U5JUNC9+vlSmOh5nWI9JEAcw4gMRgLjVFGgy5+txj
EkOPNYuXC/Z9HoMqKOOcGKRpgW2bvrwoJ4w+41S2RIVAKS9vbFTJ+Cbr7ID8ReJ4
mt82t1Q=
=7JHg
-----END PGP MESSAGE-----
password: |
-----BEGIN PGP MESSAGE-----
hQEMA2PKcvDMvlKLAQf+I2T0gFEzr26FxlYA8BefrAz0pNV4ReVMCU2TasW5NIaZ
GnOUPTDeP97M4fNfsWPIzZcyTNby83BZIY8fH7bqtC5pfhaTA0GHfJywuBVJF87b
ixiOICCd/e3r1mahqgcUWRd8NT1FbzmpVbI42AKphA8gpN6hOZds9JUx44ZE5YxJ
wg9u2koEAriaIVzUpg+BXTQr2So17H8fm/FzUgMVUWohDAmYmTxqShnrLANBqebE
8glYJFOhV+Iasu2AoOT3FkZLDvW2STaOZisqMNx0tlQQG0px1zv63GTF7JZAac+l
toUzTvpdZpVTrW1y+VwNKntrouXBWvcFnvOtrY34m9JGAT78YEZ6QUSIKF1z5sf6
rI2I1ngv8fZZgO6hJhQFemxqzbLtUp2r1+GOzBhuKb/ilB0j0l/vd1P5sbvx7Bp3
c3bTeN+KJw==
=aZ9Y
-----END PGP MESSAGE-----
ca: |
-----BEGIN CERTIFICATE-----
MIIFJzCCBA+gAwIBAgIJAKee4ZMMpvhzMA0GCSqGSIb3DQEBBQUAMIG9MQswCQYD
VQQGEwJTRTESMBAGA1UECBMJQnJ5Z2dsYW5kMQ8wDQYDVQQHEwZPZWxkYWwxJDAi
BgNVBAoTG1JveWFsIFN3ZWRpc2ggQmVlciBTcXVhZHJvbjESMBAGA1UECxMJSW50
ZXJuZXR6MScwJQYDVQQDEx5Sb3lhbCBTd2VkaXNoIEJlZXIgU3F1YWRyb24gQ0Ex
JjAkBgkqhkiG9w0BCQEWF2hvc3RtYXN0ZXJAaXByZWRhdG9yLnNlMB4XDTEyMDgw
NDIxMTAyNVoXDTIyMDgwMjIxMTAyNVowgb0xCzAJBgNVBAYTAlNFMRIwEAYDVQQI
EwlCcnlnZ2xhbmQxDzANBgNVBAcTBk9lbGRhbDEkMCIGA1UEChMbUm95YWwgU3dl
ZGlzaCBCZWVyIFNxdWFkcm9uMRIwEAYDVQQLEwlJbnRlcm5ldHoxJzAlBgNVBAMT
HlJveWFsIFN3ZWRpc2ggQmVlciBTcXVhZHJvbiBDQTEmMCQGCSqGSIb3DQEJARYX
aG9zdG1hc3RlckBpcHJlZGF0b3Iuc2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQCp5M22fZtwtIh6Mu9IwC3N2tEFqyNTEP1YyXasjf+7VNISqSpFy+tf
DsHAkiE9Wbv8KFM9bOoVK1JjdDsetxArm/RNsUWm/SNyVbmY+5ezX/n95S7gQdMi
bA74/ID2+KsCXUY+HNNUQqFpyK67S09A6r0ZwPNUDbLgGnmCZRMDBPCHCbiK6e68
d75v6f/0nY4AyAAAyqwAELIAn6sy4rzoPbalxcO33eW0fUG/ir41qqo8BQrWKyEd
Q9gy8tGEqbLQ+B30bhIvBh10YtWq6fgFZJzWP6K8bBJGRvioFOyQHCaVH98UjwOm
/AqMTg7LwNrpRJGcKLHzUf3gNSHQGHfzAgMBAAGjggEmMIIBIjAdBgNVHQ4EFgQU
pRqJxaYdvv3XGEECUqj7DJJ8ptswgfIGA1UdIwSB6jCB54AUpRqJxaYdvv3XGEEC
Uqj7DJJ8ptuhgcOkgcAwgb0xCzAJBgNVBAYTAlNFMRIwEAYDVQQIEwlCcnlnZ2xh
bmQxDzANBgNVBAcTBk9lbGRhbDEkMCIGA1UEChMbUm95YWwgU3dlZGlzaCBCZWVy
IFNxdWFkcm9uMRIwEAYDVQQLEwlJbnRlcm5ldHoxJzAlBgNVBAMTHlJveWFsIFN3
ZWRpc2ggQmVlciBTcXVhZHJvbiBDQTEmMCQGCSqGSIb3DQEJARYXaG9zdG1hc3Rl
ckBpcHJlZGF0b3Iuc2WCCQCnnuGTDKb4czAMBgNVHRMEBTADAQH/MA0GCSqGSIb3
DQEBBQUAA4IBAQB8nxZJaTvMMoSG47jD2w31zt9o6nSx8XJKop/0rMMHKBe1QBUw
/n3clGwYxBW8mTnrXHhmJkwJzA0Vh525+dkF28E0I+DSigKUXEewIZtKjADYSxaG
M+4272enbJ86JeXUhN8oF9TT+LKgMBgtt9yX5o63Ek6QOKwovH5kemDOVJmwae9p
tXQEWfCPDFMc7VfSxS4BDBVinRWeMWZs+2AWeWu2CMsjcx7+B+kPbBCzfANanFDD
CZEQON4pEpfK2XErhOudKEJGCl7psH+9Ex//pqsUS43nVN/4sqydiwbi+wQuUI3P
BYtvqPnWdjIdf2ayAQQCWliAx9+P03vbef6y
-----END CERTIFICATE-----
key: |
-----BEGIN PGP MESSAGE-----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=vxru
-----END PGP MESSAGE-----
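Review bot: The new pillar carries three gpg ciphertexts (`user`, `password`, `key`) and one plaintext value (`ca`) with nothing saying which is which or why; a comment directly under `#!yaml|gpg` such as `# user/password/key are gpg ciphertext (decrypted by the master's gpg renderer); ca is the public CA certificate and is intentionally plaintext` would stop a later edit from pasting the tls-auth key in clear. `server: ipv6.openvpn.ipredator.se` is consumed by `salt.dnsutil.A(conf['server'])` in the openvpn state hunk, which only returns A records; if that name publishes only AAAA records the host-route list renders empty and no route is installed, so it is worth confirming the name has an IPv4 answer.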

@ -0,0 +1,9 @@
{%- set ifaces = [] %}
{%- for iface, ips in salt['grains.get']('ip_interfaces').items() %}
{%- if iface not in ['core', 'lo'] %}
{%- set ifaces = ifaces.append(iface) %}
{%- endif %}
{%- endfor %}
INTERFACESv4="{{ ' '.join(ifaces) }}"
INTERFACESv6=""
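Review bot: `{%- set ifaces = ifaces.append(iface) %}` rebinds `ifaces` to the `None` that `append()` returns; the template only works because Jinja scopes that `set` to the loop body while the outer list is mutated in place, which is easy to break on the next edit. `{%- do ifaces.append(iface) %}` states the intent directly (Salt's Jinja renderer enables the `do` extension as far as I know — verify). The list is also built by exclusion, so any host applying this state that also carries the upstream or a tun interface will have dhcpd bind to it; an explicit allow-list from pillar, or at least excluding `pillar['upstream']['interface']`, would be the safer default.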

@ -5,3 +5,23 @@ isc-dhcp-server:
file.managed:
- source: salt://dhcp/dhcpd.conf
- template: 'jinja'
/etc/default/isc-dhcp-server:
file.managed:
- source: salt://dhcp/default
- template: 'jinja'
autostart-dhcpd:
service.enabled:
- name: isc-dhcp-server
require_in:
- file: /etc/dhcp/dhcpd.conf
- file: /etc/default/isc-dhcp-server
start-dhcpd:
service.running:
- name: isc-dhcp-server
require_in:
- file: /etc/dhcp/dhcpd.conf
- file: /etc/default/isc-dhcp-server
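Review bot: `require_in:` under `service.enabled` and `service.running` points the dependency the wrong way: it makes the service a requirement of the two `file.managed` states, so Salt orders the service before dhcpd.conf and the defaults file are written, and a changed dhcpd.conf never restarts the daemon. The usual form is `- watch:` on `service.running` (and `- require:` on `service.enabled`) listing `- file: /etc/dhcp/dhcpd.conf` and `- file: /etc/default/isc-dhcp-server`. As rendered, `require_in:` also lacks the leading `- ` that the other arguments carry; if it is not a list item Salt will reject the state — indentation was lost in rendering, so check the file. The same pattern appears under `autostart-{{ name }}` / `start-{{ name }}` in the openvpn state hunk.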

@ -34,4 +34,7 @@ lxc.network.ipv4.gateway={{ pillar['hosts-inet'][net][gw] }}
{%- endfor %}
## TODO: limits + caps
## TODO: include Debian.common.conf
## TODO: include Debian.common.conf
# tuntap
lxc.cgroup.devices.allow = c 10:200 rw
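Review bot: `lxc.cgroup.devices.allow = c 10:200 rw` grants the container the tun/tap device without saying why; replacing `# tuntap` with `# /dev/net/tun for openvpn inside the container (pairs with the file.mknod in the lxc container state)` would tell the next reader what depends on it. `## TODO: include Debian.common.conf` now appears twice; one copy should go. Since the open `## TODO: limits + caps` still stands, it is worth a note there that the device allow plus the 0666 node lets any process in the container open the tun device, and that the capability set is what actually gates interface creation.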

@ -22,6 +22,19 @@ lxc:
- require:
- cmd: /var/lib/lxc/{{ id }}
/var/lib/lxc/{{ id }}/rootfs/dev/net:
file.directory:
- mode: 0755
/var/lib/lxc/{{ id }}/rootfs/dev/net/tun:
file.mknod:
- ntype: 'c'
- major: 10
- minor: 200
- mode: 0666
- require:
- file: /var/lib/lxc/{{ id }}/rootfs/dev/net
/var/lib/lxc/{{ id }}/rootfs/etc/hosts:
file.managed:
- source: salt://lxc-containers-1/hosts
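Review bot: `- mode: 0755` and `- mode: 0666` are unquoted leading-zero integers; a generic YAML 1.1 loader reads them as octal ints (493 and 438), and although Salt's own loader strips the leading zero, quoting them as `- mode: '0755'` and `- mode: '0666'` removes the dependence on that loader behaviour and matches the Salt documentation. The `file.mknod` state is only useful together with the `lxc.cgroup.devices.allow` line added to the container config template in another hunk of this commit; a one-line comment above `/var/lib/lxc/{{ id }}/rootfs/dev/net/tun:` naming that coupling would save the next reader a search.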

@ -20,3 +20,5 @@ base:
- no-ssh
- forwarding
- ospf
- vpn.openvpn
- upstream.masquerade

@ -1,29 +1,19 @@
{%- set dhcp_iface = pillar['upstream']['dhcp_interface'] %}
{{ dhcp_iface }}:
{%- set interface = pillar['upstream']['interface'] %}
{{ interface }}:
network.managed:
- enabled: True
type: eth
proto: dhcp
iptables:
pkg.installed: []
/etc/network/if-pre-up.d/masquerade:
file.managed:
- source: salt://upstream/masquerade
- template: 'jinja'
- context:
upstream_iface: {{ dhcp_iface }}
- mode: 744
- require:
- pkg: iptables
include:
- upstream.masquerade
/etc/network/if-pre-up.d/iptables:
file.managed:
- source: salt://upstream/iptables
- template: 'jinja'
- context:
upstream_iface: {{ dhcp_iface }}
interface: {{ interface }}
- mode: 744
- require:
- pkg: iptables
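Review bot: `interface: {{ interface }}` in the `context:` of `/etc/network/if-pre-up.d/iptables` is an unquoted template expansion; if the pillar value is empty or happens to look like a number or boolean, the rendered YAML changes type and the `[ "$IFACE" = "{{ interface }}" ]` test in the script ends up comparing against `None`. `interface: "{{ interface }}"` keeps it a string, and the same applies to the `context:` in the new masquerade state hunk. The `- require: - pkg: iptables` requisite now resolves only through `include: - upstream.masquerade`, where `iptables: pkg.installed` moved; a short comment on the include saying so would make that dependency explicit.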

@ -1,6 +1,6 @@
#!/bin/sh
if [ "$IFACE" = "{{ upstream_iface }}" ]; then
if [ "$IFACE" = "{{ interface }}" ]; then
iptables -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i "$IFACE" -j DROP
iptables -P INPUT ACCEPT

@ -1,5 +1,5 @@
#!/bin/sh
if [ "$IFACE" = "{{ upstream_iface }}" ]; then
if [ "$IFACE" = "{{ interface }}" ]; then
iptables -t nat -A POSTROUTING -o "$IFACE" -j MASQUERADE
fi

@ -0,0 +1,14 @@
{%- set interface = pillar['upstream']['interface'] %}
iptables:
pkg.installed: []
/etc/network/if-pre-up.d/masquerade:
file.managed:
- source: salt://upstream/masquerade
- template: 'jinja'
- context:
interface: {{ interface }}
- mode: 744
- require:
- pkg: iptables

@ -0,0 +1,3 @@
{%- set conf = pillar['openvpn'][name] -%}
{{ conf['user'] }}
{{ conf['password'] }}
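Review bot: `{{ conf['user'] }}` and `{{ conf['password'] }}` come from block scalars (`user: |`, `password: |`) in the pillar, so depending on what the gpg renderer hands back each value may still carry its trailing newline; OpenVPN reads the `auth-user-pass` file as exactly two lines, and an extra blank line would shift the password to line three. `{{ conf['user'] | trim }}` and `{{ conf['password'] | trim }}` make the output independent of that. A header comment such as `{# rendered to /etc/openvpn/<name>.auth (mode 600); values are pillar plaintext after gpg decryption #}` would also record why this file must stay restricted.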

@ -0,0 +1,51 @@
{%- set conf = pillar['openvpn'][name] %}
client
dev {{ name }}
dev-type tun
tun-ipv6
proto udp
remote {{ conf['server'] }}
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
log /var/log/openvpn-{{ name }}.log
#ifconfig-noexec
route 0.0.0.0 0.0.0.0
#route-nopull
#up /etc/openvpn/ipredator-up.sh
script-security 2
auth-user-pass /etc/openvpn/{{ name }}.auth
auth-retry nointeract
ca [inline]
tls-client
tls-auth [inline]
ns-cert-type server
keepalive 10 30
cipher AES-256-CBC
persist-key
persist-tun
comp-lzo
passtos
verb 0
<ca>
{{ conf['ca'] }}
</ca>
<tls-auth>
{{ conf['key'] }}
</tls-auth>
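Review bot: `script-security 2` is set while the only script line, `#up /etc/openvpn/ipredator-up.sh`, is commented out, so the directive is dead configuration that only loosens the client; remove it until a script is actually used. `verb 0` silences the log at `log /var/log/openvpn-{{ name }}.log`, leaving nothing to inspect when a tunnel fails or a certificate check trips — `verb 3` is the usual operating level. `persist-key` / `persist-tun` are listed twice, and `ns-cert-type server` has been superseded by `remote-cert-tls server` (OpenVPN 2.4+; the old form is gone in 2.5), which is worth checking against the client version this targets.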

@ -0,0 +1,47 @@
openvpn:
pkg.installed: []
{%- for name, conf in pillar['openvpn'].items() %}
hostroutes-{{ name }}:
network.routes:
- name: core
- routes:
{%- for a in salt.dnsutil.A(conf['server']) %}
- ipaddr: {{ a }}
netmask: 255.255.255.255
gateway: {{ pillar['hosts-inet']['core']['upstream1'] }}
{%- endfor %}
/etc/openvpn/{{ name }}.conf:
file.managed:
- source: salt://vpn/openvpn.conf
- template: 'jinja'
- context:
name: {{ name }}
/etc/openvpn/{{ name }}.auth:
file.managed:
- source: salt://vpn/auth
- template: 'jinja'
- context:
name: {{ name }}
- mode: 600
autostart-{{ name }}:
service.enabled:
- name: openvpn@{{ name }}
require_in:
- file: /etc/openvpn/{{ name }}.conf
- file: /etc/openvpn/{{ name }}.auth
start-{{ name }}:
service.running:
- name: openvpn@{{ name }}
require_in:
- file: /etc/openvpn/{{ name }}.conf
- file: /etc/openvpn/{{ name }}.auth
{%- endfor %}
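Review bot: `/etc/openvpn/{{ name }}.conf` is managed without a `- mode:`, yet the template inlines `conf['key']` (the tls-auth key) between `<tls-auth>` tags, so a secret that was gpg-encrypted in pillar lands on the minion at whatever Salt's default yields (typically 0644 from the minion's umask, i.e. world-readable); add `- mode: 600` as was done for the `.auth` file. `salt.dnsutil.A(conf['server'])` resolves the VPN server at render time, so the host-route set is whatever DNS answers at each highstate; a comment above `hostroutes-{{ name }}:` noting that, and that the routes exist so VPN traffic leaves via `upstream1` rather than through the tunnel itself, would help.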