diff --git a/salt-pillar/hosts/init.sls b/salt-pillar/hosts/init.sls
new file mode 100644
index 000000000..40b7d30
--- /dev/null
+++ b/salt-pillar/hosts/init.sls
@@ -0,0 +1,13 @@
+hosts-inet:
+ core:
+ server1: 172.20.72.1
+ serv-gw: 172.20.72.2
+ pub-gw: 172.20.72.3
+ priv1-gw: 172.20.72.4
+ priv2-gw: 172.20.72.5
+ upstream1: 172.20.72.6
+ anon1: 172.20.72.7
+ pub:
+ pub-gw: 172.20.76.1
+ serv:
+ serv-gw: 172.20.73.1
diff --git a/salt-pillar/subnets/init.sls b/salt-pillar/subnets/init.sls
new file mode 100644
index 000000000..a1e3bfa
--- /dev/null
+++ b/salt-pillar/subnets/init.sls
@@ -0,0 +1,7 @@
+subnets-inet:
+ core: 172.20.72.0/26
+ serv: 172.20.73.0/26
+ pub: 172.20.76.0/23
+ priv1: 172.20.74.0/28
+ priv2: 172.20.75.0/28
+ mgm: 10.0.0.0/24
diff --git a/salt-pillar/top.sls b/salt-pillar/top.sls
new file mode 100644
index 000000000..a75d0dc
--- /dev/null
+++ b/salt-pillar/top.sls
@@ -0,0 +1,5 @@
+base:
+ '*':
+ - hosts
+ - subnets
+ - vlans
diff --git a/salt-pillar/vlans/init.sls b/salt-pillar/vlans/init.sls
new file mode 100644
index 000000000..977df8b
--- /dev/null
+++ b/salt-pillar/vlans/init.sls
@@ -0,0 +1,4 @@
+vlans:
+ core: 1
+ server: 2
+ public: 3
diff --git a/salt/lxc-containers-1/config b/salt/lxc-containers-1/config
index c012cd3..c68123a 100644
--- a/salt/lxc-containers-1/config
+++ b/salt/lxc-containers-1/config
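Review bot: The keys in `vlans` (`server`, `public`) do not match the network names that `hosts-inet` and `subnets-inet` use (`serv`, `pub`), so nothing can index the three pillars with one `net` name for those two networks. salt/server1-network.sls in this same commit does exactly that: it loops over `['core', 'public']` and looks up `pillar['hosts-inet'][net]`, which has no `public` entry, and salt/lxc-containers-1/config would hit the same gap if it ever derived a phys link from `pillar['vlans'][net]`. Settle on one spelling across all three files — e.g. `+  serv: 2` and `+  pub: 3` here, matching the other two pillars — and use it in the loop. Note also that `hosts-inet` has no entries for `priv1`, `priv2` or `mgm` although `subnets-inet` defines them, so consumers must tolerate a missing net key rather than index it directly.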
@@ -7,24 +7,24 @@ lxc.rootfs.backend = dir lxc.autodev = 1 lxc.kmsg = 0 -{% for interface in container.interfaces %} -lxc.network.type={{ interface['type'] }} +{%- for net, type in container.interfaces.items() %} +lxc.network.type={{ type }} lxc.network.flags=up -{% if interface['type'] == 'veth' %} -lxc.network.veth.pair={{ id }}-{{ interface['type'] }} -{% endif %} -{% if interface.get('v4') %} -lxc.network.ipv4={{ interface['v4'] }} -{% endif %} -{% if interface.get('bridge') %} -lxc.network.link={{ interface['bridge'] }} -{% endif %} -{% if interface.get('name') %} -lxc.network.name={{ interface['name'] }} -{% endif %} +{% if type == 'veth' %} +lxc.network.veth.pair={{ id }}-{{ net }} +{%- endif %} +{%- set inet_addr = pillar['hosts-inet'][net].get(id) %} +{%- if inet_addr %} +{%- set prefix_len = pillar['subnets-inet'][net].split('/')[1] %} +lxc.network.ipv4={{ inet_addr }}/{{ prefix_len }} +{%- endif %} +{%- if type == 'veth' %} +lxc.network.link=br-{{ net }} +{%- endif %} +lxc.network.name={{ net }} #lxc.network.ipv4.gateway= #lxc.network.ipv6= #lxc.network.ipv6.gateway=fe80::1 -{% endfor %} +{%- endfor %} ## TODO: limits + caps diff --git a/salt/lxc-containers-1/containers.yaml b/salt/lxc-containers-1/containers.yaml index 1ffcbb2..4d1fae0 100644 --- a/salt/lxc-containers-1/containers.yaml +++ b/salt/lxc-containers-1/containers.yaml 
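Review bot: Interfaces of `type: phys` no longer receive a `lxc.network.link`: the new template emits it only inside `{%- if type == 'veth' %}` (`lxc.network.link=br-{{ net }}`), whereas the old one took it from `interface['bridge']` (`bond0.2` for the public interface). For a `phys` interface `lxc.network.link` is the host device that gets moved into the container, so pub-gw's `pub` interface is now generated without one. The natural replacement is a second branch, `{%- if type == 'phys' %}` / `lxc.network.link=bond0.{{ pillar['vlans'][net] }}` / `{%- endif %}`, which only works once the vlans pillar is keyed by the same net names as hosts-inet. Separately, `pillar['hosts-inet'][net].get(id)` fails the render when `net` has no entry in hosts-inet (the pillar defines none for `priv1`/`priv2`); `pillar['hosts-inet'].get(net, {}).get(id)` lets such a net simply produce no `lxc.network.ipv4` line.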
@@ -1,38 +1,31 @@ -public: +pub-gw: interfaces: - - type: veth - bridge: br-core - name: core - v4: 172.20.72.1/26 - - type: phys - bridge: bond0.2 - name: public - v4: 172.20.76.1/23 + core: + type: veth + pub: + type: phys -servers: +serv-gw: interfaces: - - type: veth - bridge: br-core - name: core - v4: 172.20.72.2/26 + core: + type: veth -priv1: +priv1-gw: interfaces: - - type: veth - bridge: br-core - name: core - v4: 172.20.72.3/26 + core: + type: veth -priv2: +priv2-gw: interfaces: - - type: veth - bridge: br-core - name: core - v4: 172.20.72.4/26 + core: + type: veth upstream1: interfaces: - - type: veth - bridge: br-core - name: core - v4: 172.20.72.5/26 + core: + type: veth + +anon1: + interface: + core: + type: veth diff --git a/salt/lxc-containers-1/hosts b/salt/lxc-containers-1/hosts new file mode 100644 index 000000000..804e723 --- /dev/null +++ b/salt/lxc-containers-1/hosts @@ -0,0 +1,10 @@ +127.0.0.1 localhost +::1 localhost ip6-localhost ip6-loopback + +{% for net, hosts in pillar['hosts-inet'].items() %} +{% if hosts.get(id) %} +{{ hosts[id] }} {{ id }} +{% endif %} +{% endfor %} + +{{ pillar['hosts-inet']['core']['server1'] }} salt diff --git a/salt/lxc-containers-1/init.sls b/salt/lxc-containers-1/init.sls index 44df67e..5ba6382 100644 --- a/salt/lxc-containers-1/init.sls +++ b/salt/lxc-containers-1/init.sls @@ -7,7 +7,7 @@ lxc: /var/lib/lxc/{{ id }}: cmd.run: - - name: lxc-create -n {{ id }} -B dir -t download -- -d debian -r jessie -a amd64 -- --packages salt-minion + - name: lxc-create -n {{ id }} -B dir -t debian -- -r stretch --packages=salt-minion - require: - pkg: lxc - creates: /var/lib/lxc/{{ id }} @@ -20,6 +20,14 @@ lxc: id: {{ id }} container: {{ container }} +/var/lib/lxc/{{ id }}/rootfs/etc/hosts: + file.managed: + - source: salt://lxc-containers-1/hosts + - template: 'jinja' + - context: + id: {{ id }} + container: {{ container }} + autostart-{{ id }}: service.enabled: - name: lxc@{{ id }} 
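Review bot: `anon1` declares `interface:` (singular) where every other container and the config template use `interfaces:`; `container.interfaces.items()` in salt/lxc-containers-1/config therefore has nothing to iterate for anon1, so that container is written without any network stanza (or the render fails on the undefined value, depending on how the renderer treats undefined names). Change it to `+  interfaces:` to match the other entries. The hosts-inet pillar already assigns anon1 an address, so the mismatch would otherwise go unnoticed until the container comes up without a NIC.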
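Review bot: For a container that has an address in more than one net (pub-gw in `core` and `pub`, serv-gw in `core` and `serv`) the loop writes two `<addr> <id>` lines, and the resolver takes the first one it finds; which net comes first depends on the iteration order of the `hosts-inet` pillar dict, not on anything visible in this file. If the core address is the one the container should resolve itself to, emit it explicitly before the loop, `{{ pillar['hosts-inet']['core'][id] }} {{ id }}`, and skip `core` inside the loop; otherwise a `#` comment at the top stating that the order is not significant would stop the next reader from relying on it. The `salt` alias pinned to `core`/`server1` on the last line is consistent with that choice.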
diff --git a/salt/no-ssh.sls b/salt/no-ssh.sls new file mode 100644 index 000000000..06df384 --- /dev/null +++ b/salt/no-ssh.sls @@ -0,0 +1,2 @@ +openssh-server: + pkg.purged: [] diff --git a/salt/ospf/init.sls b/salt/ospf/init.sls new file mode 100644 index 000000000..1b87024 --- /dev/null +++ b/salt/ospf/init.sls @@ -0,0 +1,2 @@ +bird: + pkg.installed: [] diff --git a/salt/server1-network.sls b/salt/server1-network.sls index 2c1135e..fbddb54 100644 --- a/salt/server1-network.sls +++ b/salt/server1-network.sls @@ -27,26 +27,25 @@ bond0.{{ vlan }}: - network: bond0 {% endfor %} -br-core: +{%- for net in ['core', 'public'] %} +{%- set vlan = pillar['vlans'][net] %} +br-{{ net }}: network.managed: - type: bridge - ports: bond0.1 + ports: bond0.{{ vlan }} +{%- set ip_addr = pillar['hosts-inet'][net].get('server1') %} +{%- if ip_addr %} +{%- set prefix_len = pillar['subnets-inet'][net].split('/')[1] %} proto: manual + address: {{ ip_addr }}/{{ prefix_len }} +{%- else %} + proto: static +{%- endif %} + address: {{ pillar['subnets-inet']['core'] }} bypassfirewall: True use: - - network: bond0.1 + - network: bond0.{{ vlan }} require: - - network: bond0.1 - - -br-public: - network.managed: - - type: bridge - ports: bond0.2 - proto: manual - bypassfirewall: True - use: - - network: bond0.2 - require: - - network: bond0.2 + - network: bond0.{{ vlan}} +{%- endfor %} diff --git a/salt/top.sls b/salt/top.sls index e5ed8c4..816733a 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -3,3 +3,15 @@ base: - salt-master - server1-network - lxc-containers-1 + - ospf + '*-gw': + - no-ssh + - ospf + 'upstream*': + - no-ssh + - ospf + - unbound + 'anon*': + - no-ssh + - ospf + - unbound diff --git a/salt/unbound.sls b/salt/unbound.sls new file mode 100644 index 000000000..a5e5835 --- /dev/null +++ b/salt/unbound.sls @@ -0,0 +1,2 @@ +unbound: + pkg.installed: [] diff --git a/subnets.md b/subnets.md index dc57853..8bba55c 100644 --- a/subnets.md +++ b/subnets.md 
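Review bot: The `- address: {{ pillar['subnets-inet']['core'] }}` line placed after `{%- endif %}` is emitted for every bridge, so when `ip_addr` is set it produces a second `address` key in the same state (duplicate YAML key, last one wins) carrying a network prefix (`172.20.72.0/26`) rather than a host address, and it names `core` even on the `public` iteration. It reads as a leftover from the refactor and should be removed, leaving `address` only inside the `{%- if ip_addr %}` branch. The `proto` values also look inverted: the branch that assigns an address uses `proto: manual` and the branch without one uses `proto: static`, while under Debian ifupdown it is `static` that consumes an `address`; swap them to `- proto: static` with the address and `- proto: manual` without. The `{%- for ... %}` loop and its state body are fully inside the hunk, but the enclosing `bond0.{{ vlan }}` loop it follows starts above it.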
@@ -1,9 +1,11 @@ +Machine-readable here: [salt-pillar/subnets](./salt-pillar/subnets/init.sls) + ## 172.20.72.0/21 * 172.20.72.0-172.20.72.63/26 CORE * 172.20.72.64/26 RESERVED FOR EPXANDING CORE * 172.20.72.128/25 -* 172.20.73.0-172.20.72.63/26 SERVERS +* 172.20.73.0-172.20.73.63/26 SERVERS * 172.20.73.64/26 RESERVED FOR EXPANDING SERVERS * 172.20.73.128/25 * 172.20.74.0/24: