more of the good stuff
This commit is contained in:
parent
1964c45369
commit
77bddb3d78
|
@ -5,8 +5,9 @@ dhcp:
|
||||||
time: 7776000
|
time: 7776000
|
||||||
max-time: 31536000
|
max-time: 31536000
|
||||||
opts:
|
opts:
|
||||||
#domain-name-servers:
|
|
||||||
routers: 172.20.73.1
|
routers: 172.20.73.1
|
||||||
|
host-opts:
|
||||||
|
domain-name-servers: upstream1.core
|
||||||
string-opts:
|
string-opts:
|
||||||
domain-name: serv.zentralwerk.online
|
domain-name: serv.zentralwerk.online
|
||||||
|
|
||||||
|
@ -17,6 +18,8 @@ dhcp:
|
||||||
max-time: 3600
|
max-time: 3600
|
||||||
opts:
|
opts:
|
||||||
routers: 172.20.76.1
|
routers: 172.20.76.1
|
||||||
|
host-opts:
|
||||||
|
domain-name-servers: upstream1.core
|
||||||
string-opts:
|
string-opts:
|
||||||
domain-name: pub.zentralwerk.online
|
domain-name: pub.zentralwerk.online
|
||||||
|
|
||||||
|
@ -27,6 +30,8 @@ dhcp:
|
||||||
max-time: 86400
|
max-time: 86400
|
||||||
opts:
|
opts:
|
||||||
routers: 172.20.74.1
|
routers: 172.20.74.1
|
||||||
|
host-opts:
|
||||||
|
domain-name-servers: upstream1.core
|
||||||
string-opts:
|
string-opts:
|
||||||
domain-name: priv1.zentralwerk.online
|
domain-name: priv1.zentralwerk.online
|
||||||
|
|
||||||
|
@ -37,5 +42,7 @@ dhcp:
|
||||||
max-time: 86400
|
max-time: 86400
|
||||||
opts:
|
opts:
|
||||||
routers: 172.20.75.1
|
routers: 172.20.75.1
|
||||||
|
host-opts:
|
||||||
|
domain-name-servers: upstream1.core
|
||||||
string-opts:
|
string-opts:
|
||||||
domain-name: priv2.zentralwerk.online
|
domain-name: priv2.zentralwerk.online
|
||||||
|
|
|
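Review bot: The new `host-opts` values such as `upstream1.core` pack a hostname and a network name into one dotted string, and nothing in the pillar says so; the dhcpd template in this commit splits the value on `.` and resolves it through `pillar['hosts-inet'][net][host]`, so a host name containing a dot would silently resolve wrongly. A comment above the first `host-opts:` key would make the contract visible to whoever adds the next network: `# host-opts: values are "<host>.<net>", resolved to that host's address in pillar['hosts-inet'][<net>]`. The same applies to the three following hunks of this file (`pub`, `priv1`, `priv2`).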
@ -1,3 +1,4 @@
|
||||||
|
#!yaml|gpg
|
||||||
switches:
|
switches:
|
||||||
switch-b1:
|
switch-b1:
|
||||||
model: '3com-4200G'
|
model: '3com-4200G'
|
||||||
|
@ -23,6 +24,30 @@ switches:
|
||||||
vlans:
|
vlans:
|
||||||
- mgmt
|
- mgmt
|
||||||
- pub
|
- pub
|
||||||
|
- up1
|
||||||
|
- up2
|
||||||
|
- up3
|
||||||
|
- up4
|
||||||
|
- up5
|
||||||
|
- up6
|
||||||
|
- up7
|
||||||
|
- up8
|
||||||
|
- iso1
|
||||||
|
- iso2
|
||||||
|
- iso3
|
||||||
|
- iso4
|
||||||
|
- iso5
|
||||||
|
- iso6
|
||||||
|
- iso7
|
||||||
|
- iso8
|
||||||
|
- iso9
|
||||||
|
- iso10
|
||||||
|
- iso11
|
||||||
|
- iso12
|
||||||
|
- iso13
|
||||||
|
- iso14
|
||||||
|
- iso15
|
||||||
|
- iso16
|
||||||
switch-d1:
|
switch-d1:
|
||||||
mode: trunk
|
mode: trunk
|
||||||
ports:
|
ports:
|
||||||
|
@ -59,6 +84,19 @@ switches:
|
||||||
- '2'
|
- '2'
|
||||||
- '3'
|
- '3'
|
||||||
- '24'
|
- '24'
|
||||||
|
password: |
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
hQEMA2PKcvDMvlKLAQgAlqHX0k6S4NiBxHQg6i2hdM7m5o+QNuNsEQJcJHmPJlri
|
||||||
|
jNnYYmv5XDyYvLX6oHSbV9eeKO+Pi9GkiRJE+hMqo3Spuu41fp8m1TnvXZFgR3F1
|
||||||
|
koL7M+GGZH9wA2EeFJ+/aKldppT+k/VYG55OKn9um3wzZZraP6aKv2896AOXwond
|
||||||
|
R/jhjGXjcdATRDZ2aeYbNW/WQxZXaPRLCKISfftZ7CNDFV3rAX/SgphHnKRP7LZS
|
||||||
|
xFGbSHkc/451ZXIl0DrelrKzngQMVa9dTqCCF6hfjPj/0RuCwByuIyYpDMMWcXxs
|
||||||
|
nnMuiY2t9OM1D2BWsVHluk7MHymn+MxayPYCPuox2dJbAd2k674qx2Kc65TIpClm
|
||||||
|
yMsW1bBAqU07/kEB+oKdTkqUBoAfa0pBxC+62MREA0LFl7YavBHx9ksa8at8PzU1
|
||||||
|
+Dfb4gaZHlR4X2oQOUinVf9qC66gkY1Ndiz7CQ==
|
||||||
|
=9Zfy
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
switch-b2:
|
switch-b2:
|
||||||
model: '3com-4200G'
|
model: '3com-4200G'
|
||||||
location: Haus B Souterrain
|
location: Haus B Souterrain
|
||||||
|
@ -85,6 +123,20 @@ switches:
|
||||||
- '24'
|
- '24'
|
||||||
- '37'
|
- '37'
|
||||||
- '48'
|
- '48'
|
||||||
|
password: |
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
hQEMA2PKcvDMvlKLAQf/V8QXXiydFBlm5j8ETQ/bXzToHGZWx7I4mC2i9r1pHZA2
|
||||||
|
diDYSGXPEJpiNJo6PTyIRYCMOyB18cVVRX3waga/dsx0KvAC1lwAibhQiV0frPCv
|
||||||
|
ELQ13gHEhfNt4HJveBRBNKjH4MkUIkTgtV98KoMc6+JRk2TPkJGmvG4oV3eTYW2I
|
||||||
|
TnG1SB9vgYCEfQUq8hY1FH+Wo7Kl8OGN2b+QUwmxc+vR67Hp3rLXlTPoLcrGPhGj
|
||||||
|
Vvj5lDTt8ScVd9NKLjmlNV646+XYuMO9FyTfbAq1yTDUpWdCAfaIt25dyss7xbu5
|
||||||
|
rl/bJzjT20KUraYehHQqcd3c0+/40CQYoJZOVgPojdJbAU7Nlju2xM9WE0CgQHLD
|
||||||
|
tUjwm10xMBdBPfWEDGxlZNnITWT/bf4y2CRm60uxGpHWNO2TKab9bwobS4PQcD4M
|
||||||
|
4FiceoeOxxKJHQ0aJL3POfe15nXvkqsSbwfDhQ==
|
||||||
|
=h3Vr
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
|
||||||
switch-d1:
|
switch-d1:
|
||||||
model: 'TL-SG3210'
|
model: 'TL-SG3210'
|
||||||
location: Turm D Keller
|
location: Turm D Keller
|
||||||
|
@ -108,22 +160,106 @@ switches:
|
||||||
mode: access
|
mode: access
|
||||||
ports:
|
ports:
|
||||||
- 7-8
|
- 7-8
|
||||||
|
password: |
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
hQEMA2PKcvDMvlKLAQf+O1OB9gG4JKnASFfKCoAE75Gb4+PD8+ROzBvg18bzqD0j
|
||||||
|
qjhQL9Ye39oB5R5JmPBso5zgEhGr8vIB3VN3f6vABNaEGPkTh+jf/1X1vwfS0rvW
|
||||||
|
rQNulEFoq+F9vUfWFolAamVoqCxXsXtf8KyJHCazIIRKGKNysHOW/O+YSvcGgG4H
|
||||||
|
6YH94a1lZoRQCF/2wHEmDTA6FXSqBfijM0QoO2+i+VuUHXYYMZ/FIEDPWLM/wqSB
|
||||||
|
aLjMgrDRyUPLvAA88CXrLDT0aO3LzJINtTPVbnohYoFMKI66mAsWwXnJzT29x4sx
|
||||||
|
2xXwc3KvAgLIJtEvPnuHMl2ogkJZEO9rGP5D8Iuw7dJbAR6AXwVdttVIFY39octW
|
||||||
|
0Tj934ZZw2GDCNGDxfmV+kn3Ei15Qop8UmK6dsuzSd0M+4yg+yr3359y+s0cDGiW
|
||||||
|
QwbIX6EZR2TMw6nIf21MRYsXS03gmmfeKXM6Iw==
|
||||||
|
=ED5P
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
|
||||||
switch-c1:
|
switch-c1:
|
||||||
model: 'TL-SG3210'
|
model: 'HP-procurve-2824'
|
||||||
location: Turm D Keller
|
location: Turm C Keller
|
||||||
ports:
|
ports:
|
||||||
switch-b1:
|
switch-b1:
|
||||||
mode: trunk
|
mode: trunk
|
||||||
ports: 1-4
|
ports: 21-24
|
||||||
vlans:
|
vlans:
|
||||||
- mgmt
|
- mgmt
|
||||||
- pub
|
- pub
|
||||||
|
- up1
|
||||||
|
- up2
|
||||||
|
- up3
|
||||||
|
- up4
|
||||||
|
- up5
|
||||||
|
- up6
|
||||||
|
- up7
|
||||||
|
- up8
|
||||||
|
- iso1
|
||||||
|
- iso2
|
||||||
|
- iso3
|
||||||
|
- iso4
|
||||||
|
- iso5
|
||||||
|
- iso6
|
||||||
|
- iso7
|
||||||
|
- iso8
|
||||||
|
- iso9
|
||||||
|
- iso10
|
||||||
|
- iso11
|
||||||
|
- iso12
|
||||||
|
- iso13
|
||||||
|
- iso14
|
||||||
|
- iso15
|
||||||
|
- iso16
|
||||||
|
up1:
|
||||||
|
mode: access
|
||||||
|
ports: '1'
|
||||||
|
up2:
|
||||||
|
mode: access
|
||||||
|
ports: '2'
|
||||||
|
up3:
|
||||||
|
mode: access
|
||||||
|
ports: '3'
|
||||||
|
up4:
|
||||||
|
mode: access
|
||||||
|
ports: '4'
|
||||||
|
up5:
|
||||||
|
mode: access
|
||||||
|
ports: '5'
|
||||||
|
up6:
|
||||||
|
mode: access
|
||||||
|
ports: '6'
|
||||||
|
up7:
|
||||||
|
mode: access
|
||||||
|
ports: '7'
|
||||||
|
up8:
|
||||||
|
mode: access
|
||||||
|
ports: '8'
|
||||||
|
iso1:
|
||||||
|
mode: access
|
||||||
|
ports: '9'
|
||||||
|
iso2:
|
||||||
|
mode: access
|
||||||
|
ports: '10'
|
||||||
|
iso3:
|
||||||
|
mode: access
|
||||||
|
ports: '11'
|
||||||
|
iso4:
|
||||||
|
mode: access
|
||||||
|
ports: '12'
|
||||||
mgmt:
|
mgmt:
|
||||||
mode: access
|
mode: access
|
||||||
ports:
|
ports: '20'
|
||||||
- '6'
|
|
||||||
pub:
|
pub:
|
||||||
mode: access
|
mode: access
|
||||||
ports:
|
ports: 13-19
|
||||||
- '5'
|
password: |
|
||||||
- 7-8
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
hQEMA2PKcvDMvlKLAQgAhPMG6VKUFLVNZmVfZ6P21CrXRmUeExuxIg4QIrYtKfYe
|
||||||
|
cxWst/IuHnDyL2TP8yGb00sjz7o0psZ9Z+zRCi/ONONyNzee103ymjXxk0Ygekid
|
||||||
|
1IGVeSTqskrgOl53mFZEfP4nBcOqzcNFjMkm0c5B2OmHHHOokOJ5Xzsya120SGXk
|
||||||
|
JnYFVsRD6GFwuF88pgQ5VrGd5/drMaIrNkJ69dyfvYdHRTd0UgtiZFOMesRYFFP7
|
||||||
|
+QdSW1MFoVZnjZgLeoNF/efIhHnTdClROCMZBYU5Z3pQcHAfE4GN3w+MceP/+5EY
|
||||||
|
z3wuSNpsuYNr8NnEDvofTJGdOLuclE6JPFvJMg1QptJKASfn3ZlOrL4ohbPGaDQ6
|
||||||
|
z1P+6DJXliXS7dBdxH0bsB2qRZslmcj286D9bPgTsuvCzOaxcTtkM8y76gVVOVBI
|
||||||
|
TN+j1/OdlXyVmTM=
|
||||||
|
=XUUi
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
|
|
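Review bot: The port specifications in the new `switch-c1` block are quoted inconsistently — `ports: '20'`, `ports: '1'` … `'12'` are quoted, while `ports: 21-24` and `ports: 13-19` are not — and the `mgmt`/`pub` entries change shape from a list (`- '6'`, `- '5'`) to a scalar; quoting every range the same way (`ports: '13-19'`, `ports: '21-24'`) keeps all of them strings regardless of loader and makes the intended scalar shape obvious. Single port numbers must stay quoted, as they are, because an unquoted `20` would become an integer. I assume the list form that remains on `switch-d1` (`- 7-8`) is consumed by a different per-model template; if both shapes are meant to be valid, a comment at the top of the file stating which template expects which would avoid a future mismatch. The `#!yaml|gpg` shebang also deserves a one-line comment noting that the master's GPG keyring must hold the key these `-----BEGIN PGP MESSAGE-----` blocks are encrypted to, since the file now fails to render without it.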
@ -7,6 +7,10 @@ vlans:
|
||||||
up2: 11
|
up2: 11
|
||||||
up3: 12
|
up3: 12
|
||||||
up4: 13
|
up4: 13
|
||||||
|
up5: 14
|
||||||
|
up6: 15
|
||||||
|
up7: 16
|
||||||
|
up8: 17
|
||||||
priv1: 40
|
priv1: 40
|
||||||
priv2: 41
|
priv2: 41
|
||||||
priv3: 42
|
priv3: 42
|
||||||
|
@ -23,3 +27,19 @@ vlans:
|
||||||
priv14: 53
|
priv14: 53
|
||||||
priv15: 54
|
priv15: 54
|
||||||
priv16: 55
|
priv16: 55
|
||||||
|
iso1: 101
|
||||||
|
iso2: 102
|
||||||
|
iso3: 103
|
||||||
|
iso4: 104
|
||||||
|
iso5: 105
|
||||||
|
iso6: 106
|
||||||
|
iso7: 107
|
||||||
|
iso8: 108
|
||||||
|
iso9: 109
|
||||||
|
iso10: 110
|
||||||
|
iso11: 111
|
||||||
|
iso12: 112
|
||||||
|
iso13: 113
|
||||||
|
iso14: 114
|
||||||
|
iso15: 115
|
||||||
|
iso16: 116
|
||||||
|
|
|
@ -12,6 +12,11 @@ subnet {{ subnet.split('/')[0] }} netmask {{ netmasks[subnet.split('/')[1]] }} {
|
||||||
{%- for name, value in conf['opts'].items() %}
|
{%- for name, value in conf['opts'].items() %}
|
||||||
option {{ name }} {{ value }};
|
option {{ name }} {{ value }};
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
|
{%- for name, value in conf['host-opts'].items() %}
|
||||||
|
{%- set host = value.split('.')[0] %}
|
||||||
|
{%- set net = value.split('.')[1] %}
|
||||||
|
option {{ name }} {{ pillar['hosts-inet'][net][host] }};
|
||||||
|
{%- endfor %}
|
||||||
{%- for name, value in conf['string-opts'].items() %}
|
{%- for name, value in conf['string-opts'].items() %}
|
||||||
option {{ name }} "{{ value }}";
|
option {{ name }} "{{ value }}";
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
|
|
|
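Review bot: `conf['host-opts'].items()` raises an undefined/key error for any network whose pillar entry lacks `host-opts`, whereas the surrounding `opts` and `string-opts` loops at least match the keys every network currently has; a tolerant lookup keeps old pillar data rendering: `{%- for name, value in conf.get('host-opts', {}).items() %}`. The two `split('.')` lines also silently take only the first two components, so a comment above the loop stating the expected `host.net` format (and that `pillar['hosts-inet'][net][host]` must exist) would save the next reader a trip to the pillar.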
@ -4,7 +4,7 @@
|
||||||
|
|
||||||
spawn telnet {{ pillar['hosts-inet']['mgmt'][hostname] }}
|
spawn telnet {{ pillar['hosts-inet']['mgmt'][hostname] }}
|
||||||
expect "Password:"
|
expect "Password:"
|
||||||
send "secret\r"
|
send "{{ switch['password'] }}\r"
|
||||||
expect ">"
|
expect ">"
|
||||||
send "system-view\r"
|
send "system-view\r"
|
||||||
expect "]"
|
expect "]"
|
||||||
|
@ -18,14 +18,14 @@ send "screen-length 0\r"
|
||||||
expect "ui-vty0-4]"
|
expect "ui-vty0-4]"
|
||||||
send "user privilege level 3\r"
|
send "user privilege level 3\r"
|
||||||
expect "ui-vty0-4]"
|
expect "ui-vty0-4]"
|
||||||
send "set authentication password simple secret\r"
|
send "set authentication password simple {{ switch['password'] }}\r"
|
||||||
expect "ui-vty0-4]"
|
expect "ui-vty0-4]"
|
||||||
send "quit\r"
|
send "quit\r"
|
||||||
expect "{{ hostname }}]"
|
expect "{{ hostname }}]"
|
||||||
|
|
||||||
send "local-user admin\r"
|
send "local-user admin\r"
|
||||||
expect -- "-luser-admin]"
|
expect -- "-luser-admin]"
|
||||||
send "password simple secret\r"
|
send "password simple {{ switch['password'] }}\r"
|
||||||
expect -- "-luser-admin]"
|
expect -- "-luser-admin]"
|
||||||
send "quit\r"
|
send "quit\r"
|
||||||
expect "{{ hostname }}]"
|
expect "{{ hostname }}]"
|
||||||
|
@ -70,6 +70,7 @@ send "port link-aggregation group {{ group }}\r"
|
||||||
expect "]"
|
expect "]"
|
||||||
send "port link-type trunk\r"
|
send "port link-type trunk\r"
|
||||||
expect "]"
|
expect "]"
|
||||||
|
# Set dummy default vlan
|
||||||
send "port trunk pvid vlan 4094\r"
|
send "port trunk pvid vlan 4094\r"
|
||||||
expect "]"
|
expect "]"
|
||||||
{%- for vlan_name in conf['vlans'] %}
|
{%- for vlan_name in conf['vlans'] %}
|
||||||
|
|
|
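Review bot: `send "{{ switch['password'] }}\r"` interpolates the pillar value into a Tcl double-quoted string, where `$`, `[`, `\` and `"` are substituted or terminate the string, so a password containing any of them is either altered before it reaches the switch or breaks the script; the same applies to the `set authentication password simple …` and `password simple …` lines in the second hunk, and to the same construct in the TP-Link and HP expect templates of this commit. Until the value is escaped for Tcl, document the constraint next to the first use: `# NOTE: password is inserted verbatim into a Tcl string; it must not contain $ [ ] \ or "`. Also worth a line: the rendered script holds the password in clear, so its on-disk mode matters (see the switches state in this commit).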
@ -0,0 +1,88 @@
|
||||||
|
{# #}
|
||||||
|
{%- import_yaml "netmasks.yaml" as netmasks -%}
|
||||||
|
#!/usr/bin/expect -f
|
||||||
|
|
||||||
|
spawn ssh admin@{{ pillar['hosts-inet']['mgmt'][hostname] }}
|
||||||
|
expect "password: "
|
||||||
|
send "{{ switch['password'] }}\r"
|
||||||
|
expect "Press any key to continue"
|
||||||
|
send "\r"
|
||||||
|
expect "# "
|
||||||
|
send "configure terminal\r"
|
||||||
|
expect "(config)# "
|
||||||
|
|
||||||
|
send "hostname {{ hostname }}\r"
|
||||||
|
expect "(config)# "
|
||||||
|
send "snmp-server location \"{{ switch['location'] }}\"\r"
|
||||||
|
expect "(config)# "
|
||||||
|
send "snmp-server contact \"astro@spaceboyz.net\"\r"
|
||||||
|
expect "(config)# "
|
||||||
|
send "password manager\r"
|
||||||
|
expect "New password for Manager: "
|
||||||
|
send "{{ switch['password'] }}\r"
|
||||||
|
expect "Please retype new password for Manager: "
|
||||||
|
send "{{ switch['password'] }}\r"
|
||||||
|
expect "(config)# "
|
||||||
|
|
||||||
|
# TODO: ssh, password
|
||||||
|
|
||||||
|
{%- for name, vlan in pillar['vlans'].items() %}
|
||||||
|
send "vlan {{ vlan }}\r"
|
||||||
|
expect "(vlan-{{ vlan }})#"
|
||||||
|
|
||||||
|
send "name {{ name }}\r"
|
||||||
|
expect "(vlan-{{ vlan }})#"
|
||||||
|
|
||||||
|
{# Actually only used for mgmt_vlan, switches are not routers #}
|
||||||
|
{%- set net_hosts = pillar['hosts-inet'].get(name) %}
|
||||||
|
{%- set ipaddr = net_hosts and net_hosts.get(hostname) %}
|
||||||
|
{%- if ipaddr %}
|
||||||
|
send "ip address {{ ipaddr }} {{ netmasks[pillar['subnets-inet'][name].split('/')[1]] }}\r"
|
||||||
|
expect "(vlan-{{ vlan }})#"
|
||||||
|
{%- endif %}
|
||||||
|
|
||||||
|
send "exit\r"
|
||||||
|
expect "(config)# "
|
||||||
|
|
||||||
|
{%- if name == 'mgmt' %}
|
||||||
|
send "management-vlan {{ vlan }}\r"
|
||||||
|
expect "(config)# "
|
||||||
|
{%- else %}
|
||||||
|
# If not mgmt, reset all VLAN mappings
|
||||||
|
send "no vlan {{ vlan }} tagged all\r"
|
||||||
|
expect "(config)# "
|
||||||
|
send "no vlan {{ vlan }} untagged all\r"
|
||||||
|
expect "(config)# "
|
||||||
|
{%- endif %}
|
||||||
|
|
||||||
|
{%- endfor %}
|
||||||
|
|
||||||
|
{%- set group = 0 %}
|
||||||
|
{%- for name, conf in switch['ports'].items() %}
|
||||||
|
{%- if conf['mode'] == 'trunk' %}
|
||||||
|
{%- set group = group + 1 %}
|
||||||
|
|
||||||
|
send "no trunk {{ conf['ports'] }}\r"
|
||||||
|
expect "(config)# "
|
||||||
|
send "trunk {{ conf['ports'] }} trk{{ group }} lacp\r"
|
||||||
|
expect "(config)# "
|
||||||
|
{%- for vlan_name in conf['vlans'] %}
|
||||||
|
send "vlan {{ pillar['vlans'][vlan_name] }} tagged trk{{ group }}\r"
|
||||||
|
expect "(config)# "
|
||||||
|
{%- endfor %}
|
||||||
|
|
||||||
|
{%- elif conf['mode'] == 'access' %}
|
||||||
|
send "vlan {{ pillar['vlans'][name] }} untagged {{ conf['ports'] }}\r"
|
||||||
|
expect "(config)# "
|
||||||
|
|
||||||
|
{%- endif %}
|
||||||
|
{%- endfor %}
|
||||||
|
|
||||||
|
send "write memory\r"
|
||||||
|
expect "{{ hostname }}# "
|
||||||
|
send "exit\r"
|
||||||
|
expect "{{ hostname }}> "
|
||||||
|
send "exit\r"
|
||||||
|
expect "Do you want to log out "
|
||||||
|
expect "y/n]? "
|
||||||
|
send "y"
|
|
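Review bot: `spawn ssh admin@…` does no host-key handling, so on first contact OpenSSH's `Are you sure you want to continue connecting` prompt never matches `expect "password: "` and the run stalls until the timeout; since this session types the manager password, the fix is to pre-seed the switch's host key in the minion's known_hosts from Salt rather than to loosen strict host-key checking. The final `send "y"` is not followed by `expect eof`, so expect may exit and drop the session before the logout is processed; `expect eof` after it closes the loop. I also believe the `{%- set group = group + 1 %}` inside the `for` over `switch['ports']` is loop-scoped in Jinja2 and would name every trunk `trk1` once a switch has more than one trunk; confirm against the Jinja version Salt ships (`namespace()` is the usual remedy). The `# TODO: ssh, password` line would be more useful if it said what is still open, e.g. key-based login for `admin` and the operator password.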
@ -6,7 +6,7 @@
|
||||||
#stty raw -echo
|
#stty raw -echo
|
||||||
spawn telnet {{ pillar['hosts-inet']['mgmt'][hostname] }}
|
spawn telnet {{ pillar['hosts-inet']['mgmt'][hostname] }}
|
||||||
expect "Password:"
|
expect "Password:"
|
||||||
send "secret\r"
|
send "{{ switch['password'] }}\r"
|
||||||
expect ">"
|
expect ">"
|
||||||
send "\r"
|
send "\r"
|
||||||
expect ">"
|
expect ">"
|
||||||
|
@ -17,13 +17,13 @@ expect "#"
|
||||||
send "configure\r"
|
send "configure\r"
|
||||||
expect "(config)#"
|
expect "(config)#"
|
||||||
|
|
||||||
send "enable secret 0 secret\r"
|
send "enable secret 0 {{ switch['password'] }}\r"
|
||||||
expect "(config)#"
|
expect "(config)#"
|
||||||
#send "enable password 0 secret\r"
|
#send "enable password 0 {{ switch['password'] }}\r"
|
||||||
#expect "(config)#"
|
#expect "(config)#"
|
||||||
send "service password-encryption\r"
|
send "service password-encryption\r"
|
||||||
expect "(config)#"
|
expect "(config)#"
|
||||||
send "user name admin privilege admin secret 0 secret\r"
|
send "user name admin privilege admin secret 0 {{ switch['password'] }}\r"
|
||||||
expect "(config)#"
|
expect "(config)#"
|
||||||
|
|
||||||
send "hostname \"{{ hostname }}\"\r"
|
send "hostname \"{{ hostname }}\"\r"
|
||||||
|
@ -40,7 +40,7 @@ send "telnet enable\r"
|
||||||
expect "(config)#"
|
expect "(config)#"
|
||||||
send "line vty 0 15\r"
|
send "line vty 0 15\r"
|
||||||
expect "(config-line)#"
|
expect "(config-line)#"
|
||||||
send "password 0 secret\r"
|
send "password 0 {{ switch['password'] }}\r"
|
||||||
expect "(config-line)#"
|
expect "(config-line)#"
|
||||||
send "exit\r"
|
send "exit\r"
|
||||||
expect "(config)#"
|
expect "(config)#"
|
||||||
|
|
|
@ -6,6 +6,6 @@
|
||||||
- context:
|
- context:
|
||||||
hostname: {{ hostname }}
|
hostname: {{ hostname }}
|
||||||
switch: {{ switch }}
|
switch: {{ switch }}
|
||||||
- mode: 744
|
- mode: 755
|
||||||
|
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
|
|
|
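Review bot: `- mode: 755` leaves the rendered expect script world-readable, and with this commit that file now embeds the switch password in clear (the `switch: {{ switch }}` context two lines above feeds `{{ switch['password'] }}` into the template); `- mode: 700` (or `750` with an explicit `- group:`) restricts it to the account that runs it. The previous `744` had the same exposure, but it only mattered once the hard-coded placeholder was replaced by the real secret. The enclosing `file.managed` state and the `{% for %}` that produces it begin outside the hunk.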
@ -9,6 +9,6 @@ iptables:
|
||||||
- template: 'jinja'
|
- template: 'jinja'
|
||||||
- context:
|
- context:
|
||||||
interface: {{ interface }}
|
interface: {{ interface }}
|
||||||
- mode: 744
|
- mode: 755
|
||||||
- require:
|
- require:
|
||||||
- pkg: iptables
|
- pkg: iptables
|
||||||
|
|
|
@ -19,7 +19,7 @@ log /var/log/openvpn-{{ name }}.log
|
||||||
#ifconfig-noexec
|
#ifconfig-noexec
|
||||||
route 0.0.0.0 0.0.0.0
|
route 0.0.0.0 0.0.0.0
|
||||||
#route-nopull
|
#route-nopull
|
||||||
#up /etc/openvpn/ipredator-up.sh
|
up /etc/openvpn/{{ name }}.up
|
||||||
script-security 2
|
script-security 2
|
||||||
|
|
||||||
auth-user-pass /etc/openvpn/{{ name }}.auth
|
auth-user-pass /etc/openvpn/{{ name }}.auth
|
||||||
|
|
|
@ -1,6 +1,19 @@
|
||||||
openvpn:
|
openvpn:
|
||||||
pkg.installed: []
|
pkg.installed: []
|
||||||
|
|
||||||
|
/dev/net:
|
||||||
|
file.directory:
|
||||||
|
- mode: 0755
|
||||||
|
|
||||||
|
/dev/net/tun:
|
||||||
|
file.mknod:
|
||||||
|
- ntype: 'c'
|
||||||
|
- major: 10
|
||||||
|
- minor: 200
|
||||||
|
- mode: 0666
|
||||||
|
- require:
|
||||||
|
- file: /dev/net
|
||||||
|
|
||||||
{%- for name, conf in pillar['openvpn'].items() %}
|
{%- for name, conf in pillar['openvpn'].items() %}
|
||||||
|
|
||||||
hostroutes-{{ name }}:
|
hostroutes-{{ name }}:
|
||||||
|
@ -28,6 +41,14 @@ hostroutes-{{ name }}:
|
||||||
name: {{ name }}
|
name: {{ name }}
|
||||||
- mode: 600
|
- mode: 600
|
||||||
|
|
||||||
|
/etc/openvpn/{{ name }}.up:
|
||||||
|
file.managed:
|
||||||
|
- source: salt://vpn/up
|
||||||
|
- template: 'jinja'
|
||||||
|
- context:
|
||||||
|
name: {{ name }}
|
||||||
|
- mode: 755
|
||||||
|
|
||||||
|
|
||||||
autostart-{{ name }}:
|
autostart-{{ name }}:
|
||||||
service.enabled:
|
service.enabled:
|
||||||
|
@ -35,6 +56,8 @@ autostart-{{ name }}:
|
||||||
require_in:
|
require_in:
|
||||||
- file: /etc/openvpn/{{ name }}.conf
|
- file: /etc/openvpn/{{ name }}.conf
|
||||||
- file: /etc/openvpn/{{ name }}.auth
|
- file: /etc/openvpn/{{ name }}.auth
|
||||||
|
require:
|
||||||
|
- file: /dev/net/tun
|
||||||
|
|
||||||
start-{{ name }}:
|
start-{{ name }}:
|
||||||
service.running:
|
service.running:
|
||||||
|
@ -42,6 +65,8 @@ start-{{ name }}:
|
||||||
require_in:
|
require_in:
|
||||||
- file: /etc/openvpn/{{ name }}.conf
|
- file: /etc/openvpn/{{ name }}.conf
|
||||||
- file: /etc/openvpn/{{ name }}.auth
|
- file: /etc/openvpn/{{ name }}.auth
|
||||||
|
require:
|
||||||
|
- file: /dev/net/tun
|
||||||
|
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
|
|
||||||
|
|
|
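Review bot: `- mode: 0755` and `- mode: 0666` in the new `/dev/net` and `/dev/net/tun` states are unquoted leading-zero numbers, which the YAML 1.1 loader reads as octal integers (493 and 438), while the rest of this file writes modes without the zero (`- mode: 600`, `- mode: 755`); quote them (`- mode: '0755'`, `- mode: '0666'`) so the value reaches Salt as the string you wrote instead of relying on Salt's integer normalisation. The new `/etc/openvpn/{{ name }}.up` file is executed by openvpn as root under `script-security 2`, so an explicit `- user: root` / `- group: root` on that state would document the trust boundary it lives on. The `file.managed` block for `/etc/openvpn/{{ name }}.up` is complete in the hunk; the `hostroutes-{{ name }}` state above it starts outside.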
@ -0,0 +1,9 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
export IFACE={{ name }}
|
||||||
|
for f in /etc/network/if-pre-up.d/*; do
|
||||||
|
$f
|
||||||
|
done
|
||||||
|
for f in /etc/network/if-up.d/*; do
|
||||||
|
$f
|
||||||
|
done
|
|
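Review bot: The two loops run every entry of `/etc/network/if-pre-up.d/*` and `/etc/network/if-up.d/*` as root through an unquoted `$f`, with no check that the entry is an executable file and no handling of a failing hook; `[ -x "$f" ] && "$f"` (or `run-parts` on each directory, which applies the same rule) keeps editor backups and stray files out of the run. Consider `set -e` is deliberately absent if one failing hook should not abort the rest, and say so in a comment. `export IFACE={{ name }}` uses the openvpn profile name; if the hooks expect the actual tun device, the device name openvpn passes to the up script as its first argument would be the safer source — confirm which the hooks rely on.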
@ -0,0 +1,12 @@
|
||||||
|
## Security checklist
|
||||||
|
|
||||||
|
- [ ] ssh shut from internet
|
||||||
|
- [ ] dns shut from internet
|
||||||
|
- [ ] no source routing
|
||||||
|
- [ ] rp_filter
|
||||||
|
- [ ] restrict upstream routing/dns resolvers to associated priv nets?
|
||||||
|
- [ ] container caps dropped?
|
||||||
|
- [ ] ssh/telnet passwords
|
||||||
|
- [ ] no ospf outside core net
|
||||||
|
- [ ] no traffic between vlans
|
||||||
|
|