more of the good stuff

salt-pillar/dhcp/init.sls

@@ -5,8 +5,9 @@ dhcp:
     time: 7776000
     max-time: 31536000
     opts:
-      #domain-name-servers:
       routers: 172.20.73.1
+    host-opts:
+      domain-name-servers: upstream1.core
     string-opts:
       domain-name: serv.zentralwerk.online
 
@@ -17,6 +18,8 @@ dhcp:
     max-time: 3600
     opts:
       routers: 172.20.76.1
+    host-opts:
+      domain-name-servers: upstream1.core
     string-opts:
       domain-name: pub.zentralwerk.online
 
@@ -27,6 +30,8 @@ dhcp:
     max-time: 86400
     opts:
       routers: 172.20.74.1
+    host-opts:
+      domain-name-servers: upstream1.core
     string-opts:
       domain-name: priv1.zentralwerk.online
 
@@ -37,5 +42,7 @@ dhcp:
     max-time: 86400
     opts:
       routers: 172.20.75.1
+    host-opts:
+      domain-name-servers: upstream1.core
     string-opts:
       domain-name: priv2.zentralwerk.online

salt-pillar/switches/init.sls

@@ -1,3 +1,4 @@
+#!yaml|gpg
 switches:
   switch-b1:
     model: '3com-4200G'
@@ -23,6 +24,30 @@ switches:
         vlans:
           - mgmt
           - pub
+          - up1
+          - up2
+          - up3
+          - up4
+          - up5
+          - up6
+          - up7
+          - up8
+          - iso1
+          - iso2
+          - iso3
+          - iso4
+          - iso5
+          - iso6
+          - iso7
+          - iso8
+          - iso9
+          - iso10
+          - iso11
+          - iso12
+          - iso13
+          - iso14
+          - iso15
+          - iso16
       switch-d1:
         mode: trunk
         ports:
@@ -59,6 +84,19 @@ switches:
           - '2'
           - '3'
           - '24'
+    password: |
+      -----BEGIN PGP MESSAGE-----
+      
+      hQEMA2PKcvDMvlKLAQgAlqHX0k6S4NiBxHQg6i2hdM7m5o+QNuNsEQJcJHmPJlri
+      jNnYYmv5XDyYvLX6oHSbV9eeKO+Pi9GkiRJE+hMqo3Spuu41fp8m1TnvXZFgR3F1
+      koL7M+GGZH9wA2EeFJ+/aKldppT+k/VYG55OKn9um3wzZZraP6aKv2896AOXwond
+      R/jhjGXjcdATRDZ2aeYbNW/WQxZXaPRLCKISfftZ7CNDFV3rAX/SgphHnKRP7LZS
+      xFGbSHkc/451ZXIl0DrelrKzngQMVa9dTqCCF6hfjPj/0RuCwByuIyYpDMMWcXxs
+      nnMuiY2t9OM1D2BWsVHluk7MHymn+MxayPYCPuox2dJbAd2k674qx2Kc65TIpClm
+      yMsW1bBAqU07/kEB+oKdTkqUBoAfa0pBxC+62MREA0LFl7YavBHx9ksa8at8PzU1
+      +Dfb4gaZHlR4X2oQOUinVf9qC66gkY1Ndiz7CQ==
+      =9Zfy
+      -----END PGP MESSAGE-----
   switch-b2:
     model: '3com-4200G'
     location: Haus B Souterrain
@@ -85,6 +123,20 @@ switches:
           - '24'
           - '37'
           - '48'
+    password: |
+      -----BEGIN PGP MESSAGE-----
+      
+      hQEMA2PKcvDMvlKLAQf/V8QXXiydFBlm5j8ETQ/bXzToHGZWx7I4mC2i9r1pHZA2
+      diDYSGXPEJpiNJo6PTyIRYCMOyB18cVVRX3waga/dsx0KvAC1lwAibhQiV0frPCv
+      ELQ13gHEhfNt4HJveBRBNKjH4MkUIkTgtV98KoMc6+JRk2TPkJGmvG4oV3eTYW2I
+      TnG1SB9vgYCEfQUq8hY1FH+Wo7Kl8OGN2b+QUwmxc+vR67Hp3rLXlTPoLcrGPhGj
+      Vvj5lDTt8ScVd9NKLjmlNV646+XYuMO9FyTfbAq1yTDUpWdCAfaIt25dyss7xbu5
+      rl/bJzjT20KUraYehHQqcd3c0+/40CQYoJZOVgPojdJbAU7Nlju2xM9WE0CgQHLD
+      tUjwm10xMBdBPfWEDGxlZNnITWT/bf4y2CRm60uxGpHWNO2TKab9bwobS4PQcD4M
+      4FiceoeOxxKJHQ0aJL3POfe15nXvkqsSbwfDhQ==
+      =h3Vr
+      -----END PGP MESSAGE-----
+
   switch-d1:
     model: 'TL-SG3210'
     location: Turm D Keller
@@ -108,22 +160,106 @@ switches:
         mode: access
         ports:
           - 7-8
+    password: |
+      -----BEGIN PGP MESSAGE-----
+      
+      hQEMA2PKcvDMvlKLAQf+O1OB9gG4JKnASFfKCoAE75Gb4+PD8+ROzBvg18bzqD0j
+      qjhQL9Ye39oB5R5JmPBso5zgEhGr8vIB3VN3f6vABNaEGPkTh+jf/1X1vwfS0rvW
+      rQNulEFoq+F9vUfWFolAamVoqCxXsXtf8KyJHCazIIRKGKNysHOW/O+YSvcGgG4H
+      6YH94a1lZoRQCF/2wHEmDTA6FXSqBfijM0QoO2+i+VuUHXYYMZ/FIEDPWLM/wqSB
+      aLjMgrDRyUPLvAA88CXrLDT0aO3LzJINtTPVbnohYoFMKI66mAsWwXnJzT29x4sx
+      2xXwc3KvAgLIJtEvPnuHMl2ogkJZEO9rGP5D8Iuw7dJbAR6AXwVdttVIFY39octW
+      0Tj934ZZw2GDCNGDxfmV+kn3Ei15Qop8UmK6dsuzSd0M+4yg+yr3359y+s0cDGiW
+      QwbIX6EZR2TMw6nIf21MRYsXS03gmmfeKXM6Iw==
+      =ED5P
+      -----END PGP MESSAGE-----
+
   switch-c1:
-    model: 'TL-SG3210'
-    location: Turm D Keller
+    model: 'HP-procurve-2824'
+    location: Turm C Keller
     ports:
       switch-b1:
         mode: trunk
-        ports: 1-4
+        ports: 21-24
         vlans:
           - mgmt
           - pub
+          - up1
+          - up2
+          - up3
+          - up4
+          - up5
+          - up6
+          - up7
+          - up8
+          - iso1
+          - iso2
+          - iso3
+          - iso4
+          - iso5
+          - iso6
+          - iso7
+          - iso8
+          - iso9
+          - iso10
+          - iso11
+          - iso12
+          - iso13
+          - iso14
+          - iso15
+          - iso16
+      up1:
+        mode: access
+        ports: '1'
+      up2:
+        mode: access
+        ports: '2'
+      up3:
+        mode: access
+        ports: '3'
+      up4:
+        mode: access
+        ports: '4'
+      up5:
+        mode: access
+        ports: '5'
+      up6:
+        mode: access
+        ports: '6'
+      up7:
+        mode: access
+        ports: '7'
+      up8:
+        mode: access
+        ports: '8'
+      iso1:
+        mode: access
+        ports: '9'
+      iso2:
+        mode: access
+        ports: '10'
+      iso3:
+        mode: access
+        ports: '11'
+      iso4:
+        mode: access
+        ports: '12'
       mgmt:
         mode: access
-        ports:
-          - '6'
+        ports: '20'
       pub:
         mode: access
-        ports:
-          - '5'
-          - 7-8
+        ports: 13-19
+    password: |
+      -----BEGIN PGP MESSAGE-----
+      
+      hQEMA2PKcvDMvlKLAQgAhPMG6VKUFLVNZmVfZ6P21CrXRmUeExuxIg4QIrYtKfYe
+      cxWst/IuHnDyL2TP8yGb00sjz7o0psZ9Z+zRCi/ONONyNzee103ymjXxk0Ygekid
+      1IGVeSTqskrgOl53mFZEfP4nBcOqzcNFjMkm0c5B2OmHHHOokOJ5Xzsya120SGXk
+      JnYFVsRD6GFwuF88pgQ5VrGd5/drMaIrNkJ69dyfvYdHRTd0UgtiZFOMesRYFFP7
+      +QdSW1MFoVZnjZgLeoNF/efIhHnTdClROCMZBYU5Z3pQcHAfE4GN3w+MceP/+5EY
+      z3wuSNpsuYNr8NnEDvofTJGdOLuclE6JPFvJMg1QptJKASfn3ZlOrL4ohbPGaDQ6
+      z1P+6DJXliXS7dBdxH0bsB2qRZslmcj286D9bPgTsuvCzOaxcTtkM8y76gVVOVBI
+      TN+j1/OdlXyVmTM=
+      =XUUi
+      -----END PGP MESSAGE-----

salt-pillar/vlans/init.sls

@@ -7,6 +7,10 @@ vlans:
   up2: 11
   up3: 12
   up4: 13
+  up5: 14
+  up6: 15
+  up7: 16
+  up8: 17
   priv1: 40
   priv2: 41
   priv3: 42
@@ -23,3 +27,19 @@ vlans:
   priv14: 53
   priv15: 54
   priv16: 55
+  iso1: 101
+  iso2: 102
+  iso3: 103
+  iso4: 104
+  iso5: 105
+  iso6: 106
+  iso7: 107
+  iso8: 108
+  iso9: 109
+  iso10: 110
+  iso11: 111
+  iso12: 112
+  iso13: 113
+  iso14: 114
+  iso15: 115
+  iso16: 116

salt/dhcp/dhcpd.conf

@@ -12,6 +12,11 @@ subnet {{ subnet.split('/')[0] }} netmask {{ netmasks[subnet.split('/')[1]] }} {
 {%-     for name, value in conf['opts'].items() %}
     option {{ name }} {{ value }};
 {%-     endfor %}
+{%-     for name, value in conf['host-opts'].items() %}
+{%-       set host = value.split('.')[0] %}
+{%-       set net = value.split('.')[1] %}
+    option {{ name }} {{ pillar['hosts-inet'][net][host] }};
+{%-     endfor %}
 {%-     for name, value in conf['string-opts'].items() %}
     option {{ name }} "{{ value }}";
 {%-     endfor %}

salt/switches/3com-4200G.expect

@@ -4,7 +4,7 @@
 
 spawn telnet {{ pillar['hosts-inet']['mgmt'][hostname] }}
 expect "Password:"
-send "secret\r"
+send "{{ switch['password'] }}\r"
 expect ">"
 send "system-view\r"
 expect "]"
@@ -18,14 +18,14 @@ send "screen-length 0\r"
 expect "ui-vty0-4]"
 send "user privilege level 3\r"
 expect "ui-vty0-4]"
-send "set authentication password simple secret\r"
+send "set authentication password simple {{ switch['password'] }}\r"
 expect "ui-vty0-4]"
 send "quit\r"
 expect "{{ hostname }}]"
 
 send "local-user admin\r"
 expect -- "-luser-admin]"
-send "password simple secret\r"
+send "password simple {{ switch['password'] }}\r"
 expect -- "-luser-admin]"
 send "quit\r"
 expect "{{ hostname }}]"
@@ -70,6 +70,7 @@ send "port link-aggregation group {{ group }}\r"
 expect "]"
 send "port link-type trunk\r"
 expect "]"
+# Set dummy default vlan
 send "port trunk pvid vlan 4094\r"
 expect "]"
 {%- for vlan_name in conf['vlans'] %}

salt/switches/HP-procurve-2824.expect

@@ -0,0 +1,88 @@
+{#  #}
+{%- import_yaml "netmasks.yaml" as netmasks -%}
+#!/usr/bin/expect -f
+
+spawn ssh admin@{{ pillar['hosts-inet']['mgmt'][hostname] }}
+expect "password: "
+send "{{ switch['password'] }}\r"
+expect "Press any key to continue"
+send "\r"
+expect "# "
+send "configure terminal\r"
+expect "(config)# "
+
+send "hostname {{ hostname }}\r"
+expect "(config)# "
+send "snmp-server location \"{{ switch['location'] }}\"\r"
+expect "(config)# "
+send "snmp-server contact \"astro@spaceboyz.net\"\r"
+expect "(config)# "
+send "password manager\r"
+expect "New password for Manager: "
+send "{{ switch['password'] }}\r"
+expect "Please retype new password for Manager: "
+send "{{ switch['password'] }}\r"
+expect "(config)# "
+
+# TODO: ssh, password
+
+{%- for name, vlan in pillar['vlans'].items() %}
+send "vlan {{ vlan }}\r"
+expect "(vlan-{{ vlan }})#"
+
+send "name {{ name }}\r"
+expect "(vlan-{{ vlan }})#"
+
+{# Actually only used for mgmt_vlan, switches are not routers #}
+{%-   set net_hosts = pillar['hosts-inet'].get(name) %}
+{%-   set ipaddr = net_hosts and net_hosts.get(hostname) %}
+{%-   if ipaddr %}
+send "ip address {{ ipaddr }} {{ netmasks[pillar['subnets-inet'][name].split('/')[1]] }}\r"
+expect "(vlan-{{ vlan }})#"
+{%-   endif %}
+
+send "exit\r"
+expect "(config)# "
+
+{%-   if name == 'mgmt' %}
+send "management-vlan {{ vlan }}\r"
+expect "(config)# "
+{%-   else %}
+# If not mgmt, reset all VLAN mappings
+send "no vlan {{ vlan }} tagged all\r"
+expect "(config)# "
+send "no vlan {{ vlan }} untagged all\r"
+expect "(config)# "
+{%-   endif %}
+
+{%- endfor %}
+
+{%- set group = 0 %}
+{%- for name, conf in switch['ports'].items() %}
+{%-   if conf['mode'] == 'trunk' %}
+{%-   set group = group + 1 %}
+
+send "no trunk {{ conf['ports'] }}\r"
+expect "(config)# "
+send "trunk {{ conf['ports'] }} trk{{ group }} lacp\r"
+expect "(config)# "
+{%-   for vlan_name in conf['vlans'] %}
+send "vlan {{ pillar['vlans'][vlan_name] }} tagged trk{{ group }}\r"
+expect "(config)# "
+{%-   endfor %}
+
+{%- elif conf['mode'] == 'access' %}
+send "vlan {{ pillar['vlans'][name] }} untagged {{ conf['ports'] }}\r"
+expect "(config)# "
+
+{%-   endif %}
+{%- endfor %}
+
+send "write memory\r"
+expect "{{ hostname }}# "
+send "exit\r"
+expect "{{ hostname }}> "
+send "exit\r"
+expect "Do you want to log out "
+expect "y/n]? "
+send "y"

salt/switches/TL-SG3210.expect

@@ -6,7 +6,7 @@
 #stty raw -echo
 spawn telnet {{ pillar['hosts-inet']['mgmt'][hostname] }}
 expect "Password:"
-send "secret\r"
+send "{{ switch['password'] }}\r"
 expect ">"
 send "\r"
 expect ">"
@@ -17,13 +17,13 @@ expect "#"
 send "configure\r"
 expect "(config)#"
 
-send "enable secret 0 secret\r"
+send "enable secret 0 {{ switch['password'] }}\r"
 expect "(config)#"
-#send "enable password 0 secret\r"
+#send "enable password 0 {{ switch['password'] }}\r"
 #expect "(config)#"
 send "service password-encryption\r"
 expect "(config)#"
-send "user name admin privilege admin secret 0 secret\r"
+send "user name admin privilege admin secret 0 {{ switch['password'] }}\r"
 expect "(config)#"
 
 send "hostname \"{{ hostname }}\"\r"
@@ -40,7 +40,7 @@ send "telnet enable\r"
 expect "(config)#"
 send "line vty 0 15\r"
 expect "(config-line)#"
-send "password 0 secret\r"
+send "password 0 {{ switch['password'] }}\r"
 expect "(config-line)#"
 send "exit\r"
 expect "(config)#"

salt/switches/init.sls

@@ -6,6 +6,6 @@
     - context:
         hostname: {{ hostname }}
         switch: {{ switch }}
-    - mode: 744
+    - mode: 755
 
 {%- endfor %}

salt/upstream/masquerade.sls

@@ -9,6 +9,6 @@ iptables:
     - template: 'jinja'
     - context:
         interface: {{ interface }}
-    - mode: 744
+    - mode: 755
     - require:
         - pkg: iptables

salt/vpn/openvpn.conf

@@ -19,7 +19,7 @@ log /var/log/openvpn-{{ name }}.log
 #ifconfig-noexec
 route 0.0.0.0 0.0.0.0
 #route-nopull
-#up /etc/openvpn/ipredator-up.sh
+up /etc/openvpn/{{ name }}.up
 script-security 2
 
 auth-user-pass /etc/openvpn/{{ name }}.auth

salt/vpn/openvpn.sls

@@ -1,6 +1,19 @@
 openvpn:
   pkg.installed: []
 
+/dev/net:
+  file.directory:
+    - mode: 0755
+
+/dev/net/tun:
+  file.mknod:
+    - ntype: 'c'
+    - major: 10
+    - minor: 200
+    - mode: 0666
+    - require:
+      - file: /dev/net
+
 {%- for name, conf in pillar['openvpn'].items() %}
 
 hostroutes-{{ name }}:
@@ -28,6 +41,14 @@ hostroutes-{{ name }}:
         name: {{ name }}
     - mode: 600
 
+/etc/openvpn/{{ name }}.up:
+  file.managed:
+    - source: salt://vpn/up
+    - template: 'jinja'
+    - context:
+        name: {{ name }}
+    - mode: 755
+
 
 autostart-{{ name }}:
   service.enabled:
@@ -35,6 +56,8 @@ autostart-{{ name }}:
         require_in:
           - file: /etc/openvpn/{{ name }}.conf
           - file: /etc/openvpn/{{ name }}.auth
+        require:
+          - file: /dev/net/tun
 
 start-{{ name }}:
   service.running:
@@ -42,6 +65,8 @@ start-{{ name }}:
         require_in:
           - file: /etc/openvpn/{{ name }}.conf
           - file: /etc/openvpn/{{ name }}.auth
+        require:
+          - file: /dev/net/tun
       
 {%- endfor %}
 

salt/vpn/up

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+export IFACE={{ name }}
+for f in /etc/network/if-pre-up.d/*; do
+    $f
+done
+for f in /etc/network/if-up.d/*; do
+    $f
+done

security.md

@@ -0,0 +1,12 @@
+## Security checklist
+
+- [ ] ssh shut from internet
+- [ ] dns shut from internet
+- [ ] no source routing
+- [ ] rp_filter
+- [ ] restrict upstream routing/dns resolvers to associated priv nets?
+- [ ] container caps dropped?
+- [ ] ssh/telnet passwords
+- [ ] no ospf outside core net
+- [ ] no traffic between vlans
+