current state
This commit is contained in:
parent
cb0950b383
commit
14c7c5d528
@ -1,4 +1,4 @@
|
|||
vlans:
|
||||
core: 1
|
||||
server: 2
|
||||
public: 3
|
||||
serv: 2
|
||||
pub: 3
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
net.ipv4.conf.all.forwarding = 1
|
||||
net.ipv4.conf.default.forwarding = 1
|
||||
net.ipv6.conf.all.forwarding = 1
|
||||
net.ipv6.conf.default.forwarding = 1
|
|
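Review bot: Once `net.ipv6.conf.all.forwarding` is 1 the kernel stops honouring router advertisements on interfaces whose accept_ra is 1 (the value behaves as disabled once forwarding is on), so a gateway that learned its IPv6 default route from RAs loses it the moment `sysctl -p` runs; if any of the `*-gw`/`upstream*`/`anon*` hosts rely on that, add `net.ipv6.conf.all.accept_ra = 2` to this file. Setting both `all` and `default` also turns on routing for every present and future interface, so whatever FORWARD-chain policy these hosts are meant to have should be applied in the same run rather than left to a later state.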
@ -0,0 +1,9 @@
|
|||
/etc/sysctl.d/80-forwarding.conf:
|
||||
file.managed:
|
||||
- source: "salt://forwarding/forwarding.conf"
|
||||
|
||||
apply:
|
||||
cmd.run:
|
||||
- name: sysctl -p /etc/sysctl.d/80-forwarding.conf
|
||||
require:
|
||||
- file: /etc/sysctl.d/80-forwarding.conf
|
|
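Review bot: The `apply` cmd.run state depends on the managed file with a `require` requisite, so `sysctl -p` is executed on every highstate and the state always reports a change; make the requisite `onchanges` on `file: /etc/sysctl.d/80-forwarding.conf` so it runs only when the file was actually written. The state id `apply` is also generic enough to collide with an `apply` id in another sls applied to the same minion, which Salt rejects as a duplicate id — `apply-forwarding:` avoids that. An alternative that needs no command at all is one `sysctl.present` state per key, which is idempotent by itself.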
@ -10,7 +10,7 @@ lxc.kmsg = 0
|
|||
{%- for net, conf in container['interfaces'].items() %}
|
||||
lxc.network.type={{ conf['type'] }}
|
||||
lxc.network.flags=up
|
||||
{% if conf['type'] == 'veth' %}
|
||||
{%- if conf['type'] == 'veth' %}
|
||||
lxc.network.veth.pair={{ id }}-{{ net }}
|
||||
{%- endif %}
|
||||
{%- set inet_addr = pillar['hosts-inet'][net].get(id) %}
|
||||
|
@ -20,11 +20,16 @@ lxc.network.ipv4={{ inet_addr }}/{{ prefix_len }}
|
|||
{%- endif %}
|
||||
{%- if conf['type'] == 'veth' %}
|
||||
lxc.network.link=br-{{ net }}
|
||||
{%- elif conf['type'] == 'phys' %}
|
||||
lxc.network.link=bond0.{{ pillar['vlans'].get(net) }}
|
||||
{%- endif %}
|
||||
lxc.network.name={{ net }}
|
||||
#lxc.network.ipv4.gateway=
|
||||
{%- if net == 'core' %}
|
||||
lxc.network.ipv4.gateway=172.20.72.1
|
||||
{%- endif %}
|
||||
#lxc.network.ipv6=
|
||||
#lxc.network.ipv6.gateway=fe80::1
|
||||
{%- endfor %}
|
||||
|
||||
## TODO: limits + caps
|
||||
## TODO: include Debian.common.conf
|
|
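Review bot: `pillar['vlans'].get(net)` in the `phys` branch renders `lxc.network.link=bond0.None` when `net` has no entry in the vlans pillar, so a typo in a container's interface name silently produces a broken link name instead of a render error; `pillar['vlans'][net]`, as the network state uses elsewhere in this commit, makes the render fail instead. The core gateway `172.20.72.1` is a literal here while every other address in the template comes from pillar — consider a pillar lookup so the value has one home. The enclosing `{%- for net, conf in container['interfaces'].items() %}` loop begins outside this hunk.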
@ -9,6 +9,8 @@ serv-gw:
|
|||
interfaces:
|
||||
core:
|
||||
type: veth
|
||||
serv:
|
||||
type: veth
|
||||
|
||||
priv1-gw:
|
||||
interfaces:
|
||||
|
|
|
@ -39,5 +39,5 @@ start-{{ id }}:
|
|||
- name: lxc@{{ id }}
|
||||
require:
|
||||
- service: autostart-{{ id }}
|
||||
|
||||
|
||||
{% endfor %}
|
||||
|
|
|
@ -0,0 +1,33 @@
|
|||
'0': 0.0.0.0
|
||||
'1': 128.0.0.0
|
||||
'2': 192.0.0.0
|
||||
'3': 224.0.0.0
|
||||
'4': 240.0.0.0
|
||||
'5': 248.0.0.0
|
||||
'6': 252.0.0.0
|
||||
'7': 254.0.0.0
|
||||
'8': 255.0.0.0
|
||||
'9': 255.128.0.0
|
||||
'10': 255.192.0.0
|
||||
'11': 255.224.0.0
|
||||
'12': 255.240.0.0
|
||||
'13': 255.248.0.0
|
||||
'14': 255.252.0.0
|
||||
'15': 255.254.0.0
|
||||
'16': 255.255.0.0
|
||||
'17': 255.255.128.0
|
||||
'18': 255.255.192.0
|
||||
'19': 255.255.224.0
|
||||
'20': 255.255.240.0
|
||||
'21': 255.255.248.0
|
||||
'22': 255.255.252.0
|
||||
'23': 255.255.254.0
|
||||
'24': 255.255.255.0
|
||||
'25': 255.255.255.128
|
||||
'26': 255.255.255.192
|
||||
'27': 255.255.255.224
|
||||
'28': 255.255.255.240
|
||||
'29': 255.255.255.248
|
||||
'30': 255.255.255.252
|
||||
'31': 255.255.255.254
|
||||
'32': 255.255.255.255
|
|
@ -1,2 +1,28 @@
|
|||
bird:
|
||||
quagga:
|
||||
pkg.installed: []
|
||||
|
||||
{%- for daemon in ['zebra', 'ospfd'] %}
|
||||
/etc/systemd/system/{{ daemon }}.service:
|
||||
file.managed:
|
||||
- source: salt://ospf/{{ daemon }}.service
|
||||
|
||||
/etc/quagga/{{ daemon }}.conf:
|
||||
file.managed:
|
||||
- source: salt://ospf/{{ daemon }}.conf
|
||||
- template: 'jinja'
|
||||
|
||||
autostart-{{ daemon }}:
|
||||
service.enabled:
|
||||
- name: {{ daemon }}
|
||||
require_in:
|
||||
- file: /etc/systemd/system/{{ daemon }}.service
|
||||
- file: /etc/quagga/{{ daemon }}.conf
|
||||
|
||||
start-{{ daemon }}:
|
||||
service.running:
|
||||
- name: {{ daemon }}
|
||||
require:
|
||||
- service: autostart-{{ daemon }}
|
||||
|
||||
{%- endfor %}
|
||||
|
||||
|
|
|
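Review bot: `require_in` under `autostart-{{ daemon }}` points the dependency the wrong way: it makes the two file.managed states depend on the service being enabled, so `systemctl enable` runs before the unit file exists and fails on a fresh host — it should be `require`. `start-{{ daemon }}` only requires the enable state, so an edited `/etc/quagga/{{ daemon }}.conf` is never picked up by the running daemon; add `- watch:` with `- file: /etc/quagga/{{ daemon }}.conf`. Since that rendered config carries the OSPF authentication key, the file.managed for it should also set `- mode: 640` and the quagga user/group rather than the default world-readable mode.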
@ -0,0 +1,22 @@
|
|||
{%- set id = salt['grains.get']('id') %}
|
||||
{%- set core_ifaces = ['br-core', 'core'] %}
|
||||
|
||||
{%- for iface in core_ifaces %}
|
||||
interface {{ iface }}
|
||||
ip ospf network multicast
|
||||
ip ospf authentication message-digest
|
||||
ip ospf authentication-key secret
|
||||
|
||||
{%- endfor %}
|
||||
|
||||
router ospf
|
||||
router-id {{ pillar['hosts-inet']['core'][id] }}
|
||||
|
||||
passive-interface default
|
||||
{%- for iface in core_ifaces %}
|
||||
no passive-interface {{ iface }}
|
||||
{%- endfor %}
|
||||
|
||||
network {{ pillar['subnets-inet']['core'] }} area 0
|
||||
area 0 authentication message-digest
|
||||
redistribute connected
|
|
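Review bot: `ip ospf authentication-key secret` sets the simple-password (type 1) key, but the interface is configured for `message-digest`, whose key comes from `ip ospf message-digest-key <id> md5 <key>`; as written no MD5 key is configured and adjacencies with neighbors that have one will not form. The key is also a literal committed in the template — render it from pillar instead, e.g. `ip ospf message-digest-key 1 md5 {{ pillar['ospf-md5-key'] }}` (pillar name illustrative). Note that `router-id {{ pillar['hosts-inet']['core'][id] }}` raises at render time on a host with no core address, which is acceptable only if every minion that receives `ospf` has one.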
@ -0,0 +1,9 @@
|
|||
[Unit]
|
||||
Requires = zebra.service
|
||||
After = network.target
|
||||
|
||||
[Service]
|
||||
ExecStart = /usr/lib/quagga/ospfd
|
||||
|
||||
[Install]
|
||||
WantedBy = default.target
|
|
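Review bot: `Requires = zebra.service` pulls zebra in but does not order ospfd after it, so ospfd can start before zebra's socket exists at boot; add `After = zebra.service` next to the existing `After = network.target`. No `Restart=` is set, so a crashed daemon stays down until the next highstate — `Restart = on-failure` is worth considering for a routing daemon. A `Description=` line would also make `systemctl status` output readable.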
@ -0,0 +1,8 @@
|
|||
[Unit]
|
||||
After = network.target
|
||||
|
||||
[Service]
|
||||
ExecStart = /usr/lib/quagga/zebra
|
||||
|
||||
[Install]
|
||||
WantedBy = default.target
|
|
@ -1,3 +1,4 @@
|
|||
{%- import_yaml "netmasks.yaml" as netmasks -%}
|
||||
{% set bond_slaves = ['eth1', 'eth2'] %}
|
||||
|
||||
{% for slave in bond_slaves %}
|
||||
|
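Review bot: `import_yaml "netmasks.yaml"` uses a bare filename; as far as I know Salt resolves import_yaml paths against the fileserver root, not the importing sls's directory, so unless the new netmasks.yaml sits at the root of the environment (its path is not shown in this commit) the import needs the directory prefix, e.g. `{%- import_yaml "salt://<dir>/netmasks.yaml" as netmasks -%}`. Worth a render check on a minion before relying on it.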
@ -17,17 +18,18 @@ bond0:
|
|||
slaves: {{ ' '.join(bond_slaves) }}
|
||||
miimon: 100
|
||||
|
||||
{% for vlan in range(1, 15) %}
|
||||
{% for name, vlan in pillar['vlans'].items() %}
|
||||
bond0.{{ vlan }}:
|
||||
network.managed:
|
||||
- type: vlan
|
||||
proto: manual
|
||||
use:
|
||||
- network: bond0
|
||||
require:
|
||||
- network: bond0
|
||||
{% endfor %}
|
||||
|
||||
{%- for net in ['core', 'public'] %}
|
||||
{%- for net in ['core'] %}
|
||||
{%- set vlan = pillar['vlans'][net] %}
|
||||
br-{{ net }}:
|
||||
network.managed:
|
||||
|
@ -36,13 +38,12 @@ br-{{ net }}:
|
|||
{%- set ip_addr = pillar['hosts-inet'][net].get('server1') %}
|
||||
{%- if ip_addr %}
|
||||
{%- set prefix_len = pillar['subnets-inet'][net].split('/')[1] %}
|
||||
proto: manual
|
||||
address: {{ ip_addr }}/{{ prefix_len }}
|
||||
{%- else %}
|
||||
proto: static
|
||||
address: {{ ip_addr }}
|
||||
netmask: {{ netmasks[prefix_len] }}
|
||||
{%- else %}
|
||||
proto: manual
|
||||
{%- endif %}
|
||||
address: {{ pillar['subnets-inet']['core'] }}
|
||||
bypassfirewall: True
|
||||
use:
|
||||
- network: bond0.{{ vlan }}
|
||||
require:
|
||||
|
|
|
@ -6,12 +6,15 @@ base:
|
|||
- ospf
|
||||
'*-gw':
|
||||
- no-ssh
|
||||
- forwarding
|
||||
- ospf
|
||||
'upstream*':
|
||||
- no-ssh
|
||||
- forwarding
|
||||
- ospf
|
||||
- unbound
|
||||
'anon*':
|
||||
- no-ssh
|
||||
- forwarding
|
||||
- ospf
|
||||
- unbound
|
||||
|
|
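Review bot: The same four-state list is repeated verbatim for `'*-gw'`, `'upstream*'` and `'anon*'`; one sls that `include`s `no-ssh`, `forwarding`, `ospf` and `unbound`, or a single combined glob, would keep the three from drifting the next time a state is added. Also note that `forwarding` before `ospf` is sequenced only by position in this list, since the two sls declare no requisites on each other — a `require` from the ospf service on the sysctl state would make that ordering explicit. The `base:` environment header is outside this hunk.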