diff --git a/salt-pillar/dhcp/init.sls b/salt-pillar/dhcp/init.sls index b822695..29b0046 100644 --- a/salt-pillar/dhcp/init.sls +++ b/salt-pillar/dhcp/init.sls @@ -5,8 +5,9 @@ dhcp: time: 7776000 max-time: 31536000 opts: - #domain-name-servers: routers: 172.20.73.1 + host-opts: + domain-name-servers: upstream1.core string-opts: domain-name: serv.zentralwerk.online @@ -17,6 +18,8 @@ dhcp: max-time: 3600 opts: routers: 172.20.76.1 + host-opts: + domain-name-servers: upstream1.core string-opts: domain-name: pub.zentralwerk.online @@ -27,6 +30,8 @@ dhcp: max-time: 86400 opts: routers: 172.20.74.1 + host-opts: + domain-name-servers: upstream1.core string-opts: domain-name: priv1.zentralwerk.online @@ -37,5 +42,7 @@ dhcp: max-time: 86400 opts: routers: 172.20.75.1 + host-opts: + domain-name-servers: upstream1.core string-opts: domain-name: priv2.zentralwerk.online diff --git a/salt-pillar/switches/init.sls b/salt-pillar/switches/init.sls index 3fd499f..bff1d6a 100644 --- a/salt-pillar/switches/init.sls +++ b/salt-pillar/switches/init.sls @@ -1,3 +1,4 @@ +#!yaml|gpg switches: switch-b1: model: '3com-4200G' @@ -23,6 +24,30 @@ switches: vlans: - mgmt - pub + - up1 + - up2 + - up3 + - up4 + - up5 + - up6 + - up7 + - up8 + - iso1 + - iso2 + - iso3 + - iso4 + - iso5 + - iso6 + - iso7 + - iso8 + - iso9 + - iso10 + - iso11 + - iso12 + - iso13 + - iso14 + - iso15 + - iso16 switch-d1: mode: trunk ports: 
@@ -59,6 +84,19 @@ switches: - '2' - '3' - '24' + password: | + -----BEGIN PGP MESSAGE----- + + hQEMA2PKcvDMvlKLAQgAlqHX0k6S4NiBxHQg6i2hdM7m5o+QNuNsEQJcJHmPJlri + jNnYYmv5XDyYvLX6oHSbV9eeKO+Pi9GkiRJE+hMqo3Spuu41fp8m1TnvXZFgR3F1 + koL7M+GGZH9wA2EeFJ+/aKldppT+k/VYG55OKn9um3wzZZraP6aKv2896AOXwond + R/jhjGXjcdATRDZ2aeYbNW/WQxZXaPRLCKISfftZ7CNDFV3rAX/SgphHnKRP7LZS + xFGbSHkc/451ZXIl0DrelrKzngQMVa9dTqCCF6hfjPj/0RuCwByuIyYpDMMWcXxs + nnMuiY2t9OM1D2BWsVHluk7MHymn+MxayPYCPuox2dJbAd2k674qx2Kc65TIpClm + yMsW1bBAqU07/kEB+oKdTkqUBoAfa0pBxC+62MREA0LFl7YavBHx9ksa8at8PzU1 + +Dfb4gaZHlR4X2oQOUinVf9qC66gkY1Ndiz7CQ== + =9Zfy + -----END PGP MESSAGE----- switch-b2: model: '3com-4200G' location: Haus B Souterrain @@ -85,6 +123,20 @@ switches: - '24' - '37' - '48' + password: | + -----BEGIN PGP MESSAGE----- + + hQEMA2PKcvDMvlKLAQf/V8QXXiydFBlm5j8ETQ/bXzToHGZWx7I4mC2i9r1pHZA2 + diDYSGXPEJpiNJo6PTyIRYCMOyB18cVVRX3waga/dsx0KvAC1lwAibhQiV0frPCv + ELQ13gHEhfNt4HJveBRBNKjH4MkUIkTgtV98KoMc6+JRk2TPkJGmvG4oV3eTYW2I + TnG1SB9vgYCEfQUq8hY1FH+Wo7Kl8OGN2b+QUwmxc+vR67Hp3rLXlTPoLcrGPhGj + Vvj5lDTt8ScVd9NKLjmlNV646+XYuMO9FyTfbAq1yTDUpWdCAfaIt25dyss7xbu5 + rl/bJzjT20KUraYehHQqcd3c0+/40CQYoJZOVgPojdJbAU7Nlju2xM9WE0CgQHLD + tUjwm10xMBdBPfWEDGxlZNnITWT/bf4y2CRm60uxGpHWNO2TKab9bwobS4PQcD4M + 4FiceoeOxxKJHQ0aJL3POfe15nXvkqsSbwfDhQ== + =h3Vr + -----END PGP MESSAGE----- + switch-d1: model: 'TL-SG3210' location: Turm D Keller 
@@ -108,22 +160,106 @@ switches: mode: access ports: - 7-8 + password: | + -----BEGIN PGP MESSAGE----- + + hQEMA2PKcvDMvlKLAQf+O1OB9gG4JKnASFfKCoAE75Gb4+PD8+ROzBvg18bzqD0j + qjhQL9Ye39oB5R5JmPBso5zgEhGr8vIB3VN3f6vABNaEGPkTh+jf/1X1vwfS0rvW + rQNulEFoq+F9vUfWFolAamVoqCxXsXtf8KyJHCazIIRKGKNysHOW/O+YSvcGgG4H + 6YH94a1lZoRQCF/2wHEmDTA6FXSqBfijM0QoO2+i+VuUHXYYMZ/FIEDPWLM/wqSB + aLjMgrDRyUPLvAA88CXrLDT0aO3LzJINtTPVbnohYoFMKI66mAsWwXnJzT29x4sx + 2xXwc3KvAgLIJtEvPnuHMl2ogkJZEO9rGP5D8Iuw7dJbAR6AXwVdttVIFY39octW + 0Tj934ZZw2GDCNGDxfmV+kn3Ei15Qop8UmK6dsuzSd0M+4yg+yr3359y+s0cDGiW + QwbIX6EZR2TMw6nIf21MRYsXS03gmmfeKXM6Iw== + =ED5P + -----END PGP MESSAGE----- + switch-c1: - model: 'TL-SG3210' - location: Turm D Keller + model: 'HP-procurve-2824' + location: Turm C Keller ports: switch-b1: mode: trunk - ports: 1-4 + ports: 21-24 vlans: - mgmt - pub + - up1 + - up2 + - up3 + - up4 + - up5 + - up6 + - up7 + - up8 + - iso1 + - iso2 + - iso3 + - iso4 + - iso5 + - iso6 + - iso7 + - iso8 + - iso9 + - iso10 + - iso11 + - iso12 + - iso13 + - iso14 + - iso15 + - iso16 + up1: + mode: access + ports: '1' + up2: + mode: access + ports: '2' + up3: + mode: access + ports: '3' + up4: + mode: access + ports: '4' + up5: + mode: access + ports: '5' + up6: + mode: access + ports: '6' + up7: + mode: access + ports: '7' + up8: + mode: access + ports: '8' + iso1: + mode: access + ports: '9' + iso2: + mode: access + ports: '10' + iso3: + mode: access + ports: '11' + iso4: + mode: access + ports: '12' mgmt: mode: access - ports: - - '6' + ports: '20' pub: mode: access - ports: - - '5' - - 7-8 + ports: 13-19 + password: | + -----BEGIN PGP MESSAGE----- + + hQEMA2PKcvDMvlKLAQgAhPMG6VKUFLVNZmVfZ6P21CrXRmUeExuxIg4QIrYtKfYe + cxWst/IuHnDyL2TP8yGb00sjz7o0psZ9Z+zRCi/ONONyNzee103ymjXxk0Ygekid + 1IGVeSTqskrgOl53mFZEfP4nBcOqzcNFjMkm0c5B2OmHHHOokOJ5Xzsya120SGXk + JnYFVsRD6GFwuF88pgQ5VrGd5/drMaIrNkJ69dyfvYdHRTd0UgtiZFOMesRYFFP7 + +QdSW1MFoVZnjZgLeoNF/efIhHnTdClROCMZBYU5Z3pQcHAfE4GN3w+MceP/+5EY + 
z3wuSNpsuYNr8NnEDvofTJGdOLuclE6JPFvJMg1QptJKASfn3ZlOrL4ohbPGaDQ6 + z1P+6DJXliXS7dBdxH0bsB2qRZslmcj286D9bPgTsuvCzOaxcTtkM8y76gVVOVBI + TN+j1/OdlXyVmTM= + =XUUi + -----END PGP MESSAGE----- diff --git a/salt-pillar/vlans/init.sls b/salt-pillar/vlans/init.sls index de8ffe3..dfcf7ce 100644 --- a/salt-pillar/vlans/init.sls +++ b/salt-pillar/vlans/init.sls @@ -7,6 +7,10 @@ vlans: up2: 11 up3: 12 up4: 13 + up5: 14 + up6: 15 + up7: 16 + up8: 17 priv1: 40 priv2: 41 priv3: 42 @@ -23,3 +27,19 @@ vlans: priv14: 53 priv15: 54 priv16: 55 + iso1: 101 + iso2: 102 + iso3: 103 + iso4: 104 + iso5: 105 + iso6: 106 + iso7: 107 + iso8: 108 + iso9: 109 + iso10: 110 + iso11: 111 + iso12: 112 + iso13: 113 + iso14: 114 + iso15: 115 + iso16: 116 diff --git a/salt/dhcp/dhcpd.conf b/salt/dhcp/dhcpd.conf index ae89839..93b5366 100644 --- a/salt/dhcp/dhcpd.conf +++ b/salt/dhcp/dhcpd.conf @@ -12,6 +12,11 @@ subnet {{ subnet.split('/')[0] }} netmask {{ netmasks[subnet.split('/')[1]] }} { {%- for name, value in conf['opts'].items() %} option {{ name }} {{ value }}; {%- endfor %} +{%- for name, value in conf['host-opts'].items() %} +{%- set host = value.split('.')[0] %} +{%- set net = value.split('.')[1] %} + option {{ name }} {{ pillar['hosts-inet'][net][host] }}; +{%- endfor %} {%- for name, value in conf['string-opts'].items() %} option {{ name }} "{{ value }}"; {%- endfor %} diff --git a/salt/switches/3com-4200G.expect b/salt/switches/3com-4200G.expect index 6be24de..d98d9f1 100644 --- a/salt/switches/3com-4200G.expect +++ b/salt/switches/3com-4200G.expect @@ -4,7 +4,7 @@ spawn telnet {{ pillar['hosts-inet']['mgmt'][hostname] }} expect "Password:" -send "secret\r" +send "{{ switch['password'] }}\r" expect ">" send "system-view\r" expect "]" 
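Review bot: The new loop indexes `conf['host-opts']` directly, so any dhcp pillar subnet that does not carry a `host-opts` key now fails to render instead of falling through; `{%- for name, value in conf.get('host-opts', {}).items() %}` keeps entries without the key working. The `value.split('.')` lookup likewise raises on a value without exactly one dot or on an unknown host or net name in `hosts-inet`, and that only surfaces when the state is applied, so a short comment such as `{# host-opts values are host.net, resolved through pillar['hosts-inet'] #}` above the loop would make the expected form explicit. The enclosing `subnet` block starts and ends outside the hunk.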
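Review bot: `send "{{ switch['password'] }}\r"` places the pillar value inside a Tcl double-quoted string, so a password containing `"`, `\`, `$` or `[` either breaks the script or is substituted before it is sent; the same applies to the two `send` lines in the -18,14 hunk of this file and to the corresponding lines in TL-SG3210.expect and the new HP-procurve-2824.expect. Reading the value from the environment at run time, e.g. `send "$env(SWITCH_PASSWORD)\r"` with the calling state exporting it, sidesteps the quoting problem and also keeps the secret out of the rendered script on disk; if the value stays templated, it at least needs a Tcl-escaping step before interpolation. The rest of the login sequence is outside the hunk.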
@@ -18,14 +18,14 @@ send "screen-length 0\r" expect "ui-vty0-4]" send "user privilege level 3\r" expect "ui-vty0-4]" -send "set authentication password simple secret\r" +send "set authentication password simple {{ switch['password'] }}\r" expect "ui-vty0-4]" send "quit\r" expect "{{ hostname }}]" send "local-user admin\r" expect -- "-luser-admin]" -send "password simple secret\r" +send "password simple {{ switch['password'] }}\r" expect -- "-luser-admin]" send "quit\r" expect "{{ hostname }}]" @@ -70,6 +70,7 @@ send "port link-aggregation group {{ group }}\r" expect "]" send "port link-type trunk\r" expect "]" +# Set dummy default vlan send "port trunk pvid vlan 4094\r" expect "]" {%- for vlan_name in conf['vlans'] %} diff --git a/salt/switches/HP-procurve-2824.expect b/salt/switches/HP-procurve-2824.expect new file mode 100644 index 000000000..dcbd468 --- /dev/null +++ b/salt/switches/HP-procurve-2824.expect 
@@ -0,0 +1,88 @@
+{# #}
+{%- import_yaml "netmasks.yaml" as netmasks -%}
+#!/usr/bin/expect -f
+
+spawn ssh admin@{{ pillar['hosts-inet']['mgmt'][hostname] }}
+expect "password: "
+send "{{ switch['password'] }}\r"
+expect "Press any key to continue"
+send "\r"
+expect "# "
+send "configure terminal\r"
+expect "(config)# "
+
+send "hostname {{ hostname }}\r"
+expect "(config)# "
+send "snmp-server location \"{{ switch['location'] }}\"\r"
+expect "(config)# "
+send "snmp-server contact \"astro@spaceboyz.net\"\r"
+expect "(config)# "
+send "password manager\r"
+expect "New password for Manager: "
+send "{{ switch['password'] }}\r"
+expect "Please retype new password for Manager: "
+send "{{ switch['password'] }}\r"
+expect "(config)# "
+
+# TODO: ssh, password
+
+{%- for name, vlan in pillar['vlans'].items() %}
+send "vlan {{ vlan }}\r"
+expect "(vlan-{{ vlan }})#"
+
+send "name {{ name }}\r"
+expect "(vlan-{{ vlan }})#"
+
+{# Actually only used for mgmt_vlan, switches are not routers #}
+{%- set net_hosts = pillar['hosts-inet'].get(name) %}
+{%- set ipaddr = net_hosts and net_hosts.get(hostname) %}
+{%- if ipaddr %}
+send "ip address {{ ipaddr }} {{ netmasks[pillar['subnets-inet'][name].split('/')[1]] }}\r"
+expect "(vlan-{{ vlan }})#"
+{%- endif %}
+
+send "exit\r"
+expect "(config)# "
+
+{%- if name == 'mgmt' %}
+send "management-vlan {{ vlan }}\r"
+expect "(config)# "
+{%- else %}
+# If not mgmt, reset all VLAN mappings
+send "no vlan {{ vlan }} tagged all\r"
+expect "(config)# "
+send "no vlan {{ vlan }} untagged all\r"
+expect "(config)# "
+{%- endif %}
+
+{%- endfor %}
+
+{%- set group = 0 %}
+{%- for name, conf in switch['ports'].items() %}
+{%- if conf['mode'] == 'trunk' %}
+{%- set group = group + 1 %}
+
+send "no trunk {{ conf['ports'] }}\r"
+expect "(config)# "
+send "trunk {{ conf['ports'] }} trk{{ group }} lacp\r"
+expect "(config)# "
+{%- for vlan_name in conf['vlans'] %}
+send "vlan {{ pillar['vlans'][vlan_name] }} tagged trk{{ group }}\r"
+expect 
"(config)# " +{%- endfor %} + +{%- elif conf['mode'] == 'access' %} +send "vlan {{ pillar['vlans'][name] }} untagged {{ conf['ports'] }}\r" +expect "(config)# " + +{%- endif %} +{%- endfor %} + +send "write memory\r" +expect "{{ hostname }}# " +send "exit\r" +expect "{{ hostname }}> " +send "exit\r" +expect "Do you want to log out " +expect "y/n]? " +send "y" diff --git a/salt/switches/TL-SG3210.expect b/salt/switches/TL-SG3210.expect index d36fb10..98037b1 100644 --- a/salt/switches/TL-SG3210.expect +++ b/salt/switches/TL-SG3210.expect @@ -6,7 +6,7 @@ #stty raw -echo spawn telnet {{ pillar['hosts-inet']['mgmt'][hostname] }} expect "Password:" -send "secret\r" +send "{{ switch['password'] }}\r" expect ">" send "\r" expect ">" @@ -17,13 +17,13 @@ expect "#" send "configure\r" expect "(config)#" -send "enable secret 0 secret\r" +send "enable secret 0 {{ switch['password'] }}\r" expect "(config)#" -#send "enable password 0 secret\r" +#send "enable password 0 {{ switch['password'] }}\r" #expect "(config)#" send "service password-encryption\r" expect "(config)#" -send "user name admin privilege admin secret 0 secret\r" +send "user name admin privilege admin secret 0 {{ switch['password'] }}\r" expect "(config)#" send "hostname \"{{ hostname }}\"\r" @@ -40,7 +40,7 @@ send "telnet enable\r" expect "(config)#" send "line vty 0 15\r" expect "(config-line)#" -send "password 0 secret\r" +send "password 0 {{ switch['password'] }}\r" expect "(config-line)#" send "exit\r" expect "(config)#" diff --git a/salt/switches/init.sls b/salt/switches/init.sls index c60b572..94ae63e 100644 --- a/salt/switches/init.sls +++ b/salt/switches/init.sls @@ -6,6 +6,6 @@ - context: hostname: {{ hostname }} switch: {{ switch }} - - mode: 744 + - mode: 755 {%- endfor %} diff --git a/salt/upstream/masquerade.sls b/salt/upstream/masquerade.sls index c39322e..6860e27 100644 --- a/salt/upstream/masquerade.sls +++ b/salt/upstream/masquerade.sls 
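Review bot: `spawn ssh admin@...` followed directly by `expect "password: "` does not handle the host-key prompt: on a first connection, or after the switch's key changes, ssh prints `Are you sure you want to continue connecting (yes/no)?` and the script waits until it times out, while an expect that blindly answered yes would defeat the host-key check. Pre-seeding the management host's key into the known_hosts file used by the minion (or passing `-o UserKnownHostsFile=<path to pinned switch keys>`) keeps the check and makes the failure explicit, and the `# TODO: ssh, password` line should state which of these is intended. Separately, `{%- set group = group + 1 %}` inside the ports loop only rebinds a loop-local `group` in Jinja2, so a switch with more than one trunk appears to get `trk1` for all of them; `{%- set ns = namespace(group=0) %}` with `ns.group` (Jinja2 2.10+) carries the counter across iterations, though switch-c1 in the pillar currently has a single trunk so this is not yet visible.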
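Review bot: Raising the mode to 755 leaves the rendered expect script readable by every local user, and with this commit those scripts contain the switch password in clear text (`send "{{ switch['password'] }}\r"`); `- mode: 700` restricts it to the owner, which is all the expect run needs. The `file.managed` state this line belongs to starts outside the hunk.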
@@ -9,6 +9,6 @@ iptables: - template: 'jinja' - context: interface: {{ interface }} - - mode: 744 + - mode: 755 - require: - pkg: iptables diff --git a/salt/vpn/openvpn.conf b/salt/vpn/openvpn.conf index ed5c3ef..d56e5d0 100644 --- a/salt/vpn/openvpn.conf +++ b/salt/vpn/openvpn.conf @@ -19,7 +19,7 @@ log /var/log/openvpn-{{ name }}.log #ifconfig-noexec route 0.0.0.0 0.0.0.0 #route-nopull -#up /etc/openvpn/ipredator-up.sh +up /etc/openvpn/{{ name }}.up script-security 2 auth-user-pass /etc/openvpn/{{ name }}.auth diff --git a/salt/vpn/openvpn.sls b/salt/vpn/openvpn.sls index e956acc..4111f4c 100644 --- a/salt/vpn/openvpn.sls +++ b/salt/vpn/openvpn.sls @@ -1,6 +1,19 @@ openvpn: pkg.installed: [] +/dev/net: + file.directory: + - mode: 0755 + +/dev/net/tun: + file.mknod: + - ntype: 'c' + - major: 10 + - minor: 200 + - mode: 0666 + - require: + - file: /dev/net + {%- for name, conf in pillar['openvpn'].items() %} hostroutes-{{ name }}: @@ -28,6 +41,14 @@ hostroutes-{{ name }}: name: {{ name }} - mode: 600 +/etc/openvpn/{{ name }}.up: + file.managed: + - source: salt://vpn/up + - template: 'jinja' + - context: + name: {{ name }} + - mode: 755 + autostart-{{ name }}: service.enabled: @@ -35,6 +56,8 @@ autostart-{{ name }}: require_in: - file: /etc/openvpn/{{ name }}.conf - file: /etc/openvpn/{{ name }}.auth + require: + - file: /dev/net/tun start-{{ name }}: service.running: @@ -42,6 +65,8 @@ start-{{ name }}: require_in: - file: /etc/openvpn/{{ name }}.conf - file: /etc/openvpn/{{ name }}.auth + require: + - file: /dev/net/tun {%- endfor %} diff --git a/salt/vpn/up b/salt/vpn/up new file mode 100644 index 000000000..936a62d --- /dev/null +++ b/salt/vpn/up @@ -0,0 +1,9 @@ +#!/bin/sh + +export IFACE={{ name }} +for f in /etc/network/if-pre-up.d/*; do + $f +done +for f in /etc/network/if-up.d/*; do + $f +done diff --git a/security.md b/security.md new file mode 100644 index 000000000..654717d --- /dev/null +++ b/security.md 
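Review bot: Both loops in the new `up` script execute every entry of the hook directories, including non-executable files and editor leftovers, and the unquoted `$f` fails on names containing whitespace; `[ -x "$f" ] && "$f"` per iteration, or `run-parts /etc/network/if-pre-up.d` (which is how ifupdown itself invokes these hooks), narrows the run to executables. Only `IFACE` is exported, whereas ifupdown also sets `MODE`, `PHASE`, `ADDRFAM` and `METHOD` for these hooks, so hooks that branch on those may misbehave when called from OpenVPN — which hooks exist on the host cannot be seen from here. A header comment such as `# OpenVPN --up hook: replay the ifupdown pre-up/up hooks for the tun interface` would state the purpose for the next reader.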
@@ -0,0 +1,12 @@
+## Security checklist
+
+- [ ] ssh shut from internet
+- [ ] dns shut from internet
+- [ ] no source routing
+- [ ] rp_filter
+- [ ] restrict upstream routing/dns resolvers to associated priv nets?
+- [ ] container caps dropped?
+- [ ] ssh/telnet passwords
+- [ ] no ospf outside core net
+- [ ] no traffic between vlans
+