forked from zentralwerk/network
this is the shit
This commit is contained in:
parent
bcb2bcbbb8
commit
1964c45369
|
@ -5,6 +5,9 @@ base:
|
||||||
- vlans
|
- vlans
|
||||||
'*gw':
|
'*gw':
|
||||||
- dhcp
|
- dhcp
|
||||||
|
'anon1':
|
||||||
|
- vpn.anon1
|
||||||
|
- upstream.anon1
|
||||||
'upstream1':
|
'upstream1':
|
||||||
- upstream.upstream1
|
- upstream.upstream1
|
||||||
'server1':
|
'server1':
|
||||||
|
|
|
@ -0,0 +1,2 @@
|
||||||
|
upstream:
|
||||||
|
interface: ipredator
|
|
@ -1,2 +1,2 @@
|
||||||
upstream:
|
upstream:
|
||||||
dhcp_interface: up1
|
interface: up1
|
||||||
|
|
|
@ -0,0 +1,84 @@
|
||||||
|
#!yaml|gpg
|
||||||
|
|
||||||
|
openvpn:
|
||||||
|
ipredator:
|
||||||
|
server: ipv6.openvpn.ipredator.se
|
||||||
|
user: |
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
hQEMA2PKcvDMvlKLAQf9H1XFAYkM7XFoStSeqeDk9b6cG3kqqN9wXEprDg5lkXc8
|
||||||
|
yhL7tF79HzzY18MQ5Cn24LRkoZtwsJkJNOaDdySpiEh34SP0m64Tuwj8gPrFGpSK
|
||||||
|
phox6e4/vpWw0BnM1hJaaQxd86qng9Ptv3U1afz98kcU0kxAKcrQZN77sTMrTF8K
|
||||||
|
Kw/6rnPPKF72PqspLcL/Sxl49MaEg8aJMO+TT26IiML4cu7N+ZEykgsfmpaoVhIG
|
||||||
|
r2xO1FBAPGjyh71G7HJWcsrBTq+y4jRMapEbIrUOusULXcOffe+hqQcOGX09Uv1Q
|
||||||
|
1B+ZkaNxwohhbrkpEqOhfL5U5JUNC9+vlSmOh5nWI9JEAcw4gMRgLjVFGgy5+txj
|
||||||
|
EkOPNYuXC/Z9HoMqKOOcGKRpgW2bvrwoJ4w+41S2RIVAKS9vbFTJ+Cbr7ID8ReJ4
|
||||||
|
mt82t1Q=
|
||||||
|
=7JHg
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
|
||||||
|
password: |
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
hQEMA2PKcvDMvlKLAQf+I2T0gFEzr26FxlYA8BefrAz0pNV4ReVMCU2TasW5NIaZ
|
||||||
|
GnOUPTDeP97M4fNfsWPIzZcyTNby83BZIY8fH7bqtC5pfhaTA0GHfJywuBVJF87b
|
||||||
|
ixiOICCd/e3r1mahqgcUWRd8NT1FbzmpVbI42AKphA8gpN6hOZds9JUx44ZE5YxJ
|
||||||
|
wg9u2koEAriaIVzUpg+BXTQr2So17H8fm/FzUgMVUWohDAmYmTxqShnrLANBqebE
|
||||||
|
8glYJFOhV+Iasu2AoOT3FkZLDvW2STaOZisqMNx0tlQQG0px1zv63GTF7JZAac+l
|
||||||
|
toUzTvpdZpVTrW1y+VwNKntrouXBWvcFnvOtrY34m9JGAT78YEZ6QUSIKF1z5sf6
|
||||||
|
rI2I1ngv8fZZgO6hJhQFemxqzbLtUp2r1+GOzBhuKb/ilB0j0l/vd1P5sbvx7Bp3
|
||||||
|
c3bTeN+KJw==
|
||||||
|
=aZ9Y
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
|
||||||
|
ca: |
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIFJzCCBA+gAwIBAgIJAKee4ZMMpvhzMA0GCSqGSIb3DQEBBQUAMIG9MQswCQYD
|
||||||
|
VQQGEwJTRTESMBAGA1UECBMJQnJ5Z2dsYW5kMQ8wDQYDVQQHEwZPZWxkYWwxJDAi
|
||||||
|
BgNVBAoTG1JveWFsIFN3ZWRpc2ggQmVlciBTcXVhZHJvbjESMBAGA1UECxMJSW50
|
||||||
|
ZXJuZXR6MScwJQYDVQQDEx5Sb3lhbCBTd2VkaXNoIEJlZXIgU3F1YWRyb24gQ0Ex
|
||||||
|
JjAkBgkqhkiG9w0BCQEWF2hvc3RtYXN0ZXJAaXByZWRhdG9yLnNlMB4XDTEyMDgw
|
||||||
|
NDIxMTAyNVoXDTIyMDgwMjIxMTAyNVowgb0xCzAJBgNVBAYTAlNFMRIwEAYDVQQI
|
||||||
|
EwlCcnlnZ2xhbmQxDzANBgNVBAcTBk9lbGRhbDEkMCIGA1UEChMbUm95YWwgU3dl
|
||||||
|
ZGlzaCBCZWVyIFNxdWFkcm9uMRIwEAYDVQQLEwlJbnRlcm5ldHoxJzAlBgNVBAMT
|
||||||
|
HlJveWFsIFN3ZWRpc2ggQmVlciBTcXVhZHJvbiBDQTEmMCQGCSqGSIb3DQEJARYX
|
||||||
|
aG9zdG1hc3RlckBpcHJlZGF0b3Iuc2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
|
||||||
|
ggEKAoIBAQCp5M22fZtwtIh6Mu9IwC3N2tEFqyNTEP1YyXasjf+7VNISqSpFy+tf
|
||||||
|
DsHAkiE9Wbv8KFM9bOoVK1JjdDsetxArm/RNsUWm/SNyVbmY+5ezX/n95S7gQdMi
|
||||||
|
bA74/ID2+KsCXUY+HNNUQqFpyK67S09A6r0ZwPNUDbLgGnmCZRMDBPCHCbiK6e68
|
||||||
|
d75v6f/0nY4AyAAAyqwAELIAn6sy4rzoPbalxcO33eW0fUG/ir41qqo8BQrWKyEd
|
||||||
|
Q9gy8tGEqbLQ+B30bhIvBh10YtWq6fgFZJzWP6K8bBJGRvioFOyQHCaVH98UjwOm
|
||||||
|
/AqMTg7LwNrpRJGcKLHzUf3gNSHQGHfzAgMBAAGjggEmMIIBIjAdBgNVHQ4EFgQU
|
||||||
|
pRqJxaYdvv3XGEECUqj7DJJ8ptswgfIGA1UdIwSB6jCB54AUpRqJxaYdvv3XGEEC
|
||||||
|
Uqj7DJJ8ptuhgcOkgcAwgb0xCzAJBgNVBAYTAlNFMRIwEAYDVQQIEwlCcnlnZ2xh
|
||||||
|
bmQxDzANBgNVBAcTBk9lbGRhbDEkMCIGA1UEChMbUm95YWwgU3dlZGlzaCBCZWVy
|
||||||
|
IFNxdWFkcm9uMRIwEAYDVQQLEwlJbnRlcm5ldHoxJzAlBgNVBAMTHlJveWFsIFN3
|
||||||
|
ZWRpc2ggQmVlciBTcXVhZHJvbiBDQTEmMCQGCSqGSIb3DQEJARYXaG9zdG1hc3Rl
|
||||||
|
ckBpcHJlZGF0b3Iuc2WCCQCnnuGTDKb4czAMBgNVHRMEBTADAQH/MA0GCSqGSIb3
|
||||||
|
DQEBBQUAA4IBAQB8nxZJaTvMMoSG47jD2w31zt9o6nSx8XJKop/0rMMHKBe1QBUw
|
||||||
|
/n3clGwYxBW8mTnrXHhmJkwJzA0Vh525+dkF28E0I+DSigKUXEewIZtKjADYSxaG
|
||||||
|
M+4272enbJ86JeXUhN8oF9TT+LKgMBgtt9yX5o63Ek6QOKwovH5kemDOVJmwae9p
|
||||||
|
tXQEWfCPDFMc7VfSxS4BDBVinRWeMWZs+2AWeWu2CMsjcx7+B+kPbBCzfANanFDD
|
||||||
|
CZEQON4pEpfK2XErhOudKEJGCl7psH+9Ex//pqsUS43nVN/4sqydiwbi+wQuUI3P
|
||||||
|
BYtvqPnWdjIdf2ayAQQCWliAx9+P03vbef6y
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
key: |
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
hQEMA2PKcvDMvlKLAQf/T4DHs16NJK69W91IS2CJWDZER8TJCeG56ArKucz+2A7I
|
||||||
|
hB6OFkf0bKINXRGSBuFYcPcTOUpQ1NrV9osCPTwChaHx7vk3S+q4tlT+CiHUygCk
|
||||||
|
nisAckkAQSSSZlSkm+zhw59afiAu3Rn0x3gffjE1W6GBnIFwkzEnmViWHO3beYqV
|
||||||
|
2sOJ9BlFTo/aJS87MoEDk58xycPinFkLUciyozToUN/TDcU+OYVOXMLmIr41nG9+
|
||||||
|
GT1OlYALROo1sHpFP2KkwdpmqE2etc2lk3kDlVBiHMcQzLXcm3MO9N63Cec0cJEj
|
||||||
|
zzj4G8DWVsl1vU2n2l6dEiBCVQ5VqCC519mCHN//UdLA7AFEksPep/gm7ro3mbBG
|
||||||
|
SM3vuumroynP7QmKWTZeLuU+R6GLc1rdjicI2AQ5cNrIPfayzGirE7nnTRUfRHSX
|
||||||
|
5nKsxJnM7M75ZOZVGWI986dQJ1pHNDqHkOIGL8QbRcrQmguZxAPgYaYbbqd9L8Yl
|
||||||
|
oHSVm2j5SKYW5Sgj6q7mlM5asZ0bbwAEL/NghwDNIV0fXQlS9ZZRzXsRxKP/PS/g
|
||||||
|
HPX41MsIPPHBoHB7Uwmpk7efjubcmvk26n/sW6UdhT4EjNNmk5lBtanqs6NpqZDb
|
||||||
|
fOSEnkIkgt9i3bwyHv1aTNf5ir4AWz/cQ7FuqJjUE6viNxap9DbY60dJgAoTtJ9v
|
||||||
|
p2nmzfGJiqi4PKYf9qrk2SlCkudb00a6b7aNZr+J7WbZyFD1Slo/tGOvFKbf2VzS
|
||||||
|
2KXoXTDykRDVoq5BAAcm9tWTf11ZuDDxaOb24RP10CcD6BXdgdQ50bB91VnjitDC
|
||||||
|
YNwQWtFEvn3XuYB+Lq074zFW+gaCCEhviCMfP5u4BO5/NVJsVTCBFyOXIX0l+xwy
|
||||||
|
Rtyed/RP7AhmyFL9Ia2zdWbBjUR9eSkC7lyQXQG7
|
||||||
|
=vxru
|
||||||
|
-----END PGP MESSAGE-----
|
|
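Review bot: The plaintext `ca` block pins a CA whose DER validity window, if I am decoding `MB4XDTEyMDgwNDIxMTAyNVoXDTIyMDgwMjIxMTAyNVow` correctly, runs from 2012-08-04 to 2022-08-02 21:10:25Z; once it lapses every client rendered from this pillar fails TLS verification with nothing in the repo to explain why, so record it next to the key: `# CA expires 2022-08-02T21:10:25Z (decoded from the cert) — re-pin before then`. The `key` entry is consumed by the OpenVPN template as the `<tls-auth>` static HMAC key, not a client private key, so a comment such as `# tls-auth static key (shared HMAC), not a client cert key`, or renaming it `tls_auth`, would prevent misreading. All three PGP messages share the PKESK prefix `hQEMA2PKcvDMvlKL`, which suggests they are encrypted to a single recipient key held on the master; note in the file which key that is, since losing it leaves this pillar unrenderable.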
@ -0,0 +1,9 @@
|
||||||
|
{%- set ifaces = [] %}
|
||||||
|
{%- for iface, ips in salt['grains.get']('ip_interfaces').items() %}
|
||||||
|
{%- if iface not in ['core', 'lo'] %}
|
||||||
|
{%- set ifaces = ifaces.append(iface) %}
|
||||||
|
{%- endif %}
|
||||||
|
{%- endfor %}
|
||||||
|
|
||||||
|
INTERFACESv4="{{ ' '.join(ifaces) }}"
|
||||||
|
INTERFACESv6=""
|
|
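Review bot: `INTERFACESv4` is built from every interface in `ip_interfaces` except `core` and `lo`, so on a host that also carries the DHCP-client uplink (`up1` is configured with `proto: dhcp` in the upstream state, if both states land on the same minion) dhcpd is told to serve leases on the upstream side as well; excluding the pillar upstream interface explicitly, e.g. `{%- set skip = ['core', 'lo', salt['pillar.get']('upstream:interface')] %}` and `{%- if iface not in skip %}`, keeps the server off the untrusted interface regardless of what dhcpd.conf declares. Whether isc-dhcp-server refuses to start or merely warns for an interface without a matching subnet declaration varies by version, so I would not rely on that as the guard. Separately, `{%- set ifaces = ifaces.append(iface) %}` only works through the in-place mutation of the outer list (the assignment itself binds `None` to a loop-scoped name); Salt enables the Jinja `do` extension, so `{%- do ifaces.append(iface) %}` states the intent directly.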
@ -5,3 +5,23 @@ isc-dhcp-server:
|
||||||
file.managed:
|
file.managed:
|
||||||
- source: salt://dhcp/dhcpd.conf
|
- source: salt://dhcp/dhcpd.conf
|
||||||
- template: 'jinja'
|
- template: 'jinja'
|
||||||
|
|
||||||
|
/etc/default/isc-dhcp-server:
|
||||||
|
file.managed:
|
||||||
|
- source: salt://dhcp/default
|
||||||
|
- template: 'jinja'
|
||||||
|
|
||||||
|
autostart-dhcpd:
|
||||||
|
service.enabled:
|
||||||
|
- name: isc-dhcp-server
|
||||||
|
require_in:
|
||||||
|
- file: /etc/dhcp/dhcpd.conf
|
||||||
|
- file: /etc/default/isc-dhcp-server
|
||||||
|
|
||||||
|
start-dhcpd:
|
||||||
|
service.running:
|
||||||
|
- name: isc-dhcp-server
|
||||||
|
require_in:
|
||||||
|
- file: /etc/dhcp/dhcpd.conf
|
||||||
|
- file: /etc/default/isc-dhcp-server
|
||||||
|
|
||||||
|
|
|
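Review bot: The `require_in` on `autostart-dhcpd` and `start-dhcpd` makes the two `file.managed` states depend on the service rather than the reverse, so Salt orders enabling and starting isc-dhcp-server before `/etc/dhcp/dhcpd.conf` and `/etc/default/isc-dhcp-server` are written, and a later change to either file never restarts the daemon. Replace both service states with one `service.running` carrying `enable: True` and `watch` on the two files, so the service starts after its config exists and reloads when the config changes (assuming the dhcpd.conf state id is `/etc/dhcp/dhcpd.conf`, as the requisite names it). The enclosing `isc-dhcp-server` state starts above this hunk.
```yaml
# … unchanged: pkg and file.managed states for dhcpd.conf and /etc/default/isc-dhcp-server …

isc-dhcp-server-service:
  service.running:
    - name: isc-dhcp-server
    - enable: True
    - watch:
      - file: /etc/dhcp/dhcpd.conf
      - file: /etc/default/isc-dhcp-server
```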
@ -34,4 +34,7 @@ lxc.network.ipv4.gateway={{ pillar['hosts-inet'][net][gw] }}
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
|
|
||||||
## TODO: limits + caps
|
## TODO: limits + caps
|
||||||
## TODO: include Debian.common.conf
|
## TODO: include Debian.common.conf
|
||||||
|
|
||||||
|
# tuntap
|
||||||
|
lxc.cgroup.devices.allow = c 10:200 rw
|
||||||
|
|
|
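Review bot: `lxc.cgroup.devices.allow = c 10:200 rw` is added to the shared container config template, so every container rendered from it gains access to the tun/tap device class although only the VPN container appears to need it. Gate the line on a per-container setting (a pillar flag keyed by the container id, whichever variable this template receives — the enclosing loop starts above the hunk), e.g. `{%- if tun %}lxc.cgroup.devices.allow = c 10:200 rw{%- endif %}`, so the device allow-list grows only where a tun is used. The `## TODO: limits + caps` left just above it is the larger gap: without a capability drop the container presumably keeps CAP_NET_ADMIN and can reconfigure its network namespace at will.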
@ -22,6 +22,19 @@ lxc:
|
||||||
- require:
|
- require:
|
||||||
- cmd: /var/lib/lxc/{{ id }}
|
- cmd: /var/lib/lxc/{{ id }}
|
||||||
|
|
||||||
|
/var/lib/lxc/{{ id }}/rootfs/dev/net:
|
||||||
|
file.directory:
|
||||||
|
- mode: 0755
|
||||||
|
|
||||||
|
/var/lib/lxc/{{ id }}/rootfs/dev/net/tun:
|
||||||
|
file.mknod:
|
||||||
|
- ntype: 'c'
|
||||||
|
- major: 10
|
||||||
|
- minor: 200
|
||||||
|
- mode: 0666
|
||||||
|
- require:
|
||||||
|
- file: /var/lib/lxc/{{ id }}/rootfs/dev/net
|
||||||
|
|
||||||
/var/lib/lxc/{{ id }}/rootfs/etc/hosts:
|
/var/lib/lxc/{{ id }}/rootfs/etc/hosts:
|
||||||
file.managed:
|
file.managed:
|
||||||
- source: salt://lxc-containers-1/hosts
|
- source: salt://lxc-containers-1/hosts
|
||||||
|
|
|
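Review bot: The `/dev/net/tun` node is created with `mode: 0666` in every container rootfs the `{{ id }}` loop covers (the loop starts above this hunk), which mirrors the udev default on the host but is wider than the VPN client needs: OpenVPN opens the tun as root before dropping to `user nobody`, and `persist-tun` keeps the descriptor across restarts, so `0600` should suffice — confirm no other tun user in the container before tightening. Also quote the modes (`'0755'`, `'0666'`): an unquoted leading-zero scalar is an octal integer to a YAML 1.1 loader, and relying on Salt's loader to special-case it is needless fragility. Consider gating these two states on the same per-container flag as the cgroup allow rule so only containers that need a tun receive the node.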
@ -20,3 +20,5 @@ base:
|
||||||
- no-ssh
|
- no-ssh
|
||||||
- forwarding
|
- forwarding
|
||||||
- ospf
|
- ospf
|
||||||
|
- vpn.openvpn
|
||||||
|
- upstream.masquerade
|
||||||
|
|
|
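Review bot: The host gaining `vpn.openvpn` and `upstream.masquerade` here gets NAT towards its upstream but not the `upstream` state, whose `if-pre-up.d/iptables` hook is what drops unsolicited INPUT on the upstream interface; if this is the VPN host whose upstream is the `ipredator` tun (as the new pillar in this commit suggests), traffic arriving from the VPN side reaches the container's services unfiltered while `forwarding` is enabled. Either add an INPUT filter for the tun or document why it is deliberately omitted, e.g. `# upstream.masquerade only: INPUT filtering on the tun is handled by <...>`. I cannot see which minion id this `base:` entry belongs to from the hunk, so treat this as a question rather than a finding.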
@ -1,29 +1,19 @@
|
||||||
{%- set dhcp_iface = pillar['upstream']['dhcp_interface'] %}
|
{%- set interface = pillar['upstream']['interface'] %}
|
||||||
{{ dhcp_iface }}:
|
{{ interface }}:
|
||||||
network.managed:
|
network.managed:
|
||||||
- enabled: True
|
- enabled: True
|
||||||
type: eth
|
type: eth
|
||||||
proto: dhcp
|
proto: dhcp
|
||||||
|
|
||||||
iptables:
|
include:
|
||||||
pkg.installed: []
|
- upstream.masquerade
|
||||||
|
|
||||||
/etc/network/if-pre-up.d/masquerade:
|
|
||||||
file.managed:
|
|
||||||
- source: salt://upstream/masquerade
|
|
||||||
- template: 'jinja'
|
|
||||||
- context:
|
|
||||||
upstream_iface: {{ dhcp_iface }}
|
|
||||||
- mode: 744
|
|
||||||
- require:
|
|
||||||
- pkg: iptables
|
|
||||||
|
|
||||||
/etc/network/if-pre-up.d/iptables:
|
/etc/network/if-pre-up.d/iptables:
|
||||||
file.managed:
|
file.managed:
|
||||||
- source: salt://upstream/iptables
|
- source: salt://upstream/iptables
|
||||||
- template: 'jinja'
|
- template: 'jinja'
|
||||||
- context:
|
- context:
|
||||||
upstream_iface: {{ dhcp_iface }}
|
interface: {{ interface }}
|
||||||
- mode: 744
|
- mode: 744
|
||||||
- require:
|
- require:
|
||||||
- pkg: iptables
|
- pkg: iptables
|
||||||
|
|
|
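Review bot: The `if-pre-up.d/iptables` hook this state installs (script body in the sibling hunk) appends its rules with `iptables -A` every time `{{ interface }}` goes through pre-up, so each `ifdown`/`ifup` cycle leaves a duplicated ESTABLISHED/DROP pair and the live ruleset drifts from what the repo describes. Make the appends idempotent, e.g. `iptables -C INPUT -i "$IFACE" -j DROP 2>/dev/null || iptables -A INPUT -i "$IFACE" -j DROP`, or manage the rules with Salt's `iptables.append` state instead of a hook. The `require: - pkg: iptables` now resolves only through the new `include: - upstream.masquerade`; a one-line comment, `# pkg iptables is declared in upstream.masquerade`, would save the next reader a search.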
@ -1,6 +1,6 @@
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
|
||||||
if [ "$IFACE" = "{{ upstream_iface }}" ]; then
|
if [ "$IFACE" = "{{ interface }}" ]; then
|
||||||
iptables -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
|
iptables -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
iptables -A INPUT -i "$IFACE" -j DROP
|
iptables -A INPUT -i "$IFACE" -j DROP
|
||||||
iptables -P INPUT ACCEPT
|
iptables -P INPUT ACCEPT
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
|
||||||
if [ "$IFACE" = "{{ upstream_iface }}" ]; then
|
if [ "$IFACE" = "{{ interface }}" ]; then
|
||||||
iptables -t nat -A POSTROUTING -o "$IFACE" -j MASQUERADE
|
iptables -t nat -A POSTROUTING -o "$IFACE" -j MASQUERADE
|
||||||
fi
|
fi
|
||||||
|
|
|
@ -0,0 +1,14 @@
|
||||||
|
{%- set interface = pillar['upstream']['interface'] %}
|
||||||
|
|
||||||
|
iptables:
|
||||||
|
pkg.installed: []
|
||||||
|
|
||||||
|
/etc/network/if-pre-up.d/masquerade:
|
||||||
|
file.managed:
|
||||||
|
- source: salt://upstream/masquerade
|
||||||
|
- template: 'jinja'
|
||||||
|
- context:
|
||||||
|
interface: {{ interface }}
|
||||||
|
- mode: 744
|
||||||
|
- require:
|
||||||
|
- pkg: iptables
|
|
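Review bot: The MASQUERADE rule is delivered as an ifupdown `if-pre-up.d` hook keyed on `pillar['upstream']['interface']`, but for the VPN host that interface is `ipredator`, a tun device created by OpenVPN rather than by `ifup`; ifupdown hooks do not fire for it, so unless something else calls `ifup ipredator` the NAT rule never lands and forwarded traffic leaves the tunnel with internal source addresses. For a tun interface, install the rule from an OpenVPN `up` script or, simpler, as a persistent Salt state: `masquerade-{{ interface }}: iptables.append: - table: nat - chain: POSTROUTING - out-interface: {{ interface }} - jump: MASQUERADE`. The hook path is adequate only for interfaces brought up by `network.managed`, which `upstream1`'s `up1` is.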
@ -0,0 +1,3 @@
|
||||||
|
{%- set conf = pillar['openvpn'][name] -%}
|
||||||
|
{{ conf['user'] }}
|
||||||
|
{{ conf['password'] }}
|
|
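Review bot: OpenVPN reads an `auth-user-pass` file as exactly two lines, username then password, and the decrypted pillar values are substituted verbatim here, so a trailing newline inside either encrypted plaintext (easy to get from `echo user | gpg -e`) yields a blank second line and the real password is never read. Trim the values in the template, `{{ conf['user'] | trim }}` and `{{ conf['password'] | trim }}`, or document the no-trailing-newline requirement next to the pillar. A header comment such as `{# rendered to /etc/openvpn/<name>.auth (mode 600): username on line 1, password on line 2 #}` would also make the expected format explicit.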
@ -0,0 +1,51 @@
|
||||||
|
{%- set conf = pillar['openvpn'][name] %}
|
||||||
|
client
|
||||||
|
dev {{ name }}
|
||||||
|
dev-type tun
|
||||||
|
tun-ipv6
|
||||||
|
proto udp
|
||||||
|
|
||||||
|
remote {{ conf['server'] }}
|
||||||
|
resolv-retry infinite
|
||||||
|
nobind
|
||||||
|
|
||||||
|
user nobody
|
||||||
|
group nogroup
|
||||||
|
persist-key
|
||||||
|
persist-tun
|
||||||
|
|
||||||
|
log /var/log/openvpn-{{ name }}.log
|
||||||
|
|
||||||
|
#ifconfig-noexec
|
||||||
|
route 0.0.0.0 0.0.0.0
|
||||||
|
#route-nopull
|
||||||
|
#up /etc/openvpn/ipredator-up.sh
|
||||||
|
script-security 2
|
||||||
|
|
||||||
|
auth-user-pass /etc/openvpn/{{ name }}.auth
|
||||||
|
auth-retry nointeract
|
||||||
|
|
||||||
|
ca [inline]
|
||||||
|
|
||||||
|
tls-client
|
||||||
|
tls-auth [inline]
|
||||||
|
ns-cert-type server
|
||||||
|
|
||||||
|
keepalive 10 30
|
||||||
|
cipher AES-256-CBC
|
||||||
|
persist-key
|
||||||
|
persist-tun
|
||||||
|
comp-lzo
|
||||||
|
|
||||||
|
|
||||||
|
passtos
|
||||||
|
verb 0
|
||||||
|
|
||||||
|
|
||||||
|
<ca>
|
||||||
|
{{ conf['ca'] }}
|
||||||
|
</ca>
|
||||||
|
|
||||||
|
<tls-auth>
|
||||||
|
{{ conf['key'] }}
|
||||||
|
</tls-auth>
|
|
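Review bot: `ns-cert-type server` checks the legacy Netscape certificate-type extension, deprecated in OpenVPN 2.3/2.4 and removed in 2.5; `remote-cert-tls server` performs the equivalent check via the standard keyUsage/extendedKeyUsage fields — confirm the provider's server certificate carries them before switching. `verb 0` silences everything but fatal errors in `/var/log/openvpn-<name>.log`, leaving no record of reconnects or authentication failures for a host that routes all its traffic through this tunnel; `verb 3` is the usual operational level. `script-security 2` is only needed when `up`/`down` scripts are configured and the only one here is commented out, so drop it until it is needed; `persist-key` and `persist-tun` are also listed twice. Note that `comp-lzo` compression inside a TLS tunnel has since been shown to leak plaintext (VORACLE); disable it if the server side permits.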
@ -0,0 +1,47 @@
|
||||||
|
openvpn:
|
||||||
|
pkg.installed: []
|
||||||
|
|
||||||
|
{%- for name, conf in pillar['openvpn'].items() %}
|
||||||
|
|
||||||
|
hostroutes-{{ name }}:
|
||||||
|
network.routes:
|
||||||
|
- name: core
|
||||||
|
- routes:
|
||||||
|
{%- for a in salt.dnsutil.A(conf['server']) %}
|
||||||
|
- ipaddr: {{ a }}
|
||||||
|
netmask: 255.255.255.255
|
||||||
|
gateway: {{ pillar['hosts-inet']['core']['upstream1'] }}
|
||||||
|
{%- endfor %}
|
||||||
|
|
||||||
|
/etc/openvpn/{{ name }}.conf:
|
||||||
|
file.managed:
|
||||||
|
- source: salt://vpn/openvpn.conf
|
||||||
|
- template: 'jinja'
|
||||||
|
- context:
|
||||||
|
name: {{ name }}
|
||||||
|
|
||||||
|
/etc/openvpn/{{ name }}.auth:
|
||||||
|
file.managed:
|
||||||
|
- source: salt://vpn/auth
|
||||||
|
- template: 'jinja'
|
||||||
|
- context:
|
||||||
|
name: {{ name }}
|
||||||
|
- mode: 600
|
||||||
|
|
||||||
|
|
||||||
|
autostart-{{ name }}:
|
||||||
|
service.enabled:
|
||||||
|
- name: openvpn@{{ name }}
|
||||||
|
require_in:
|
||||||
|
- file: /etc/openvpn/{{ name }}.conf
|
||||||
|
- file: /etc/openvpn/{{ name }}.auth
|
||||||
|
|
||||||
|
start-{{ name }}:
|
||||||
|
service.running:
|
||||||
|
- name: openvpn@{{ name }}
|
||||||
|
require_in:
|
||||||
|
- file: /etc/openvpn/{{ name }}.conf
|
||||||
|
- file: /etc/openvpn/{{ name }}.auth
|
||||||
|
|
||||||
|
{%- endfor %}
|
||||||
|
|
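Review bot: `/etc/openvpn/{{ name }}.conf` inlines the decrypted tls-auth key through the template's `<tls-auth>` block but is written with no `mode`, so it lands with the default 0644 and the HMAC key is readable by every local account, unlike the `.auth` file that correctly gets `mode: 600`; OpenVPN reads its config as root before dropping to `nobody`, so `- mode: 600` costs nothing. The `require_in` on `autostart-{{ name }}` and `start-{{ name }}` inverts the intended order (the file states end up requiring the service) and never restarts the unit on a config change; a single `service.running` with `enable: True` and `watch` on both files does what was meant. The `hostroutes-{{ name }}` state resolves the server with `dnsutil.A` at render time, so the pinned routes go stale if the provider's A records change until the next highstate — worth a comment on that state.
```yaml
/etc/openvpn/{{ name }}.conf:
  file.managed:
    - source: salt://vpn/openvpn.conf
    - template: 'jinja'
    - context:
        name: {{ name }}
    - mode: 600  # inlines the decrypted tls-auth key; root-only

# … unchanged: /etc/openvpn/{{ name }}.auth …

openvpn-{{ name }}:
  service.running:
    - name: openvpn@{{ name }}
    - enable: True
    - watch:
      - file: /etc/openvpn/{{ name }}.conf
      - file: /etc/openvpn/{{ name }}.auth
```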