more of the good stuff
This commit is contained in:
parent
1964c45369
commit
77bddb3d78
|
@ -5,8 +5,9 @@ dhcp:
|
|||
time: 7776000
|
||||
max-time: 31536000
|
||||
opts:
|
||||
#domain-name-servers:
|
||||
routers: 172.20.73.1
|
||||
host-opts:
|
||||
domain-name-servers: upstream1.core
|
||||
string-opts:
|
||||
domain-name: serv.zentralwerk.online
|
||||
|
||||
|
@ -17,6 +18,8 @@ dhcp:
|
|||
max-time: 3600
|
||||
opts:
|
||||
routers: 172.20.76.1
|
||||
host-opts:
|
||||
domain-name-servers: upstream1.core
|
||||
string-opts:
|
||||
domain-name: pub.zentralwerk.online
|
||||
|
||||
|
@ -27,6 +30,8 @@ dhcp:
|
|||
max-time: 86400
|
||||
opts:
|
||||
routers: 172.20.74.1
|
||||
host-opts:
|
||||
domain-name-servers: upstream1.core
|
||||
string-opts:
|
||||
domain-name: priv1.zentralwerk.online
|
||||
|
||||
|
@ -37,5 +42,7 @@ dhcp:
|
|||
max-time: 86400
|
||||
opts:
|
||||
routers: 172.20.75.1
|
||||
host-opts:
|
||||
domain-name-servers: upstream1.core
|
||||
string-opts:
|
||||
domain-name: priv2.zentralwerk.online
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
#!yaml|gpg
|
||||
switches:
|
||||
switch-b1:
|
||||
model: '3com-4200G'
|
||||
|
@ -23,6 +24,30 @@ switches:
|
|||
vlans:
|
||||
- mgmt
|
||||
- pub
|
||||
- up1
|
||||
- up2
|
||||
- up3
|
||||
- up4
|
||||
- up5
|
||||
- up6
|
||||
- up7
|
||||
- up8
|
||||
- iso1
|
||||
- iso2
|
||||
- iso3
|
||||
- iso4
|
||||
- iso5
|
||||
- iso6
|
||||
- iso7
|
||||
- iso8
|
||||
- iso9
|
||||
- iso10
|
||||
- iso11
|
||||
- iso12
|
||||
- iso13
|
||||
- iso14
|
||||
- iso15
|
||||
- iso16
|
||||
switch-d1:
|
||||
mode: trunk
|
||||
ports:
|
||||
|
@ -59,6 +84,19 @@ switches:
|
|||
- '2'
|
||||
- '3'
|
||||
- '24'
|
||||
password: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQEMA2PKcvDMvlKLAQgAlqHX0k6S4NiBxHQg6i2hdM7m5o+QNuNsEQJcJHmPJlri
|
||||
jNnYYmv5XDyYvLX6oHSbV9eeKO+Pi9GkiRJE+hMqo3Spuu41fp8m1TnvXZFgR3F1
|
||||
koL7M+GGZH9wA2EeFJ+/aKldppT+k/VYG55OKn9um3wzZZraP6aKv2896AOXwond
|
||||
R/jhjGXjcdATRDZ2aeYbNW/WQxZXaPRLCKISfftZ7CNDFV3rAX/SgphHnKRP7LZS
|
||||
xFGbSHkc/451ZXIl0DrelrKzngQMVa9dTqCCF6hfjPj/0RuCwByuIyYpDMMWcXxs
|
||||
nnMuiY2t9OM1D2BWsVHluk7MHymn+MxayPYCPuox2dJbAd2k674qx2Kc65TIpClm
|
||||
yMsW1bBAqU07/kEB+oKdTkqUBoAfa0pBxC+62MREA0LFl7YavBHx9ksa8at8PzU1
|
||||
+Dfb4gaZHlR4X2oQOUinVf9qC66gkY1Ndiz7CQ==
|
||||
=9Zfy
|
||||
-----END PGP MESSAGE-----
|
||||
switch-b2:
|
||||
model: '3com-4200G'
|
||||
location: Haus B Souterrain
|
||||
|
@ -85,6 +123,20 @@ switches:
|
|||
- '24'
|
||||
- '37'
|
||||
- '48'
|
||||
password: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQEMA2PKcvDMvlKLAQf/V8QXXiydFBlm5j8ETQ/bXzToHGZWx7I4mC2i9r1pHZA2
|
||||
diDYSGXPEJpiNJo6PTyIRYCMOyB18cVVRX3waga/dsx0KvAC1lwAibhQiV0frPCv
|
||||
ELQ13gHEhfNt4HJveBRBNKjH4MkUIkTgtV98KoMc6+JRk2TPkJGmvG4oV3eTYW2I
|
||||
TnG1SB9vgYCEfQUq8hY1FH+Wo7Kl8OGN2b+QUwmxc+vR67Hp3rLXlTPoLcrGPhGj
|
||||
Vvj5lDTt8ScVd9NKLjmlNV646+XYuMO9FyTfbAq1yTDUpWdCAfaIt25dyss7xbu5
|
||||
rl/bJzjT20KUraYehHQqcd3c0+/40CQYoJZOVgPojdJbAU7Nlju2xM9WE0CgQHLD
|
||||
tUjwm10xMBdBPfWEDGxlZNnITWT/bf4y2CRm60uxGpHWNO2TKab9bwobS4PQcD4M
|
||||
4FiceoeOxxKJHQ0aJL3POfe15nXvkqsSbwfDhQ==
|
||||
=h3Vr
|
||||
-----END PGP MESSAGE-----
|
||||
|
||||
switch-d1:
|
||||
model: 'TL-SG3210'
|
||||
location: Turm D Keller
|
||||
|
@ -108,22 +160,106 @@ switches:
|
|||
mode: access
|
||||
ports:
|
||||
- 7-8
|
||||
password: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQEMA2PKcvDMvlKLAQf+O1OB9gG4JKnASFfKCoAE75Gb4+PD8+ROzBvg18bzqD0j
|
||||
qjhQL9Ye39oB5R5JmPBso5zgEhGr8vIB3VN3f6vABNaEGPkTh+jf/1X1vwfS0rvW
|
||||
rQNulEFoq+F9vUfWFolAamVoqCxXsXtf8KyJHCazIIRKGKNysHOW/O+YSvcGgG4H
|
||||
6YH94a1lZoRQCF/2wHEmDTA6FXSqBfijM0QoO2+i+VuUHXYYMZ/FIEDPWLM/wqSB
|
||||
aLjMgrDRyUPLvAA88CXrLDT0aO3LzJINtTPVbnohYoFMKI66mAsWwXnJzT29x4sx
|
||||
2xXwc3KvAgLIJtEvPnuHMl2ogkJZEO9rGP5D8Iuw7dJbAR6AXwVdttVIFY39octW
|
||||
0Tj934ZZw2GDCNGDxfmV+kn3Ei15Qop8UmK6dsuzSd0M+4yg+yr3359y+s0cDGiW
|
||||
QwbIX6EZR2TMw6nIf21MRYsXS03gmmfeKXM6Iw==
|
||||
=ED5P
|
||||
-----END PGP MESSAGE-----
|
||||
|
||||
switch-c1:
|
||||
model: 'TL-SG3210'
|
||||
location: Turm D Keller
|
||||
model: 'HP-procurve-2824'
|
||||
location: Turm C Keller
|
||||
ports:
|
||||
switch-b1:
|
||||
mode: trunk
|
||||
ports: 1-4
|
||||
ports: 21-24
|
||||
vlans:
|
||||
- mgmt
|
||||
- pub
|
||||
- up1
|
||||
- up2
|
||||
- up3
|
||||
- up4
|
||||
- up5
|
||||
- up6
|
||||
- up7
|
||||
- up8
|
||||
- iso1
|
||||
- iso2
|
||||
- iso3
|
||||
- iso4
|
||||
- iso5
|
||||
- iso6
|
||||
- iso7
|
||||
- iso8
|
||||
- iso9
|
||||
- iso10
|
||||
- iso11
|
||||
- iso12
|
||||
- iso13
|
||||
- iso14
|
||||
- iso15
|
||||
- iso16
|
||||
up1:
|
||||
mode: access
|
||||
ports: '1'
|
||||
up2:
|
||||
mode: access
|
||||
ports: '2'
|
||||
up3:
|
||||
mode: access
|
||||
ports: '3'
|
||||
up4:
|
||||
mode: access
|
||||
ports: '4'
|
||||
up5:
|
||||
mode: access
|
||||
ports: '5'
|
||||
up6:
|
||||
mode: access
|
||||
ports: '6'
|
||||
up7:
|
||||
mode: access
|
||||
ports: '7'
|
||||
up8:
|
||||
mode: access
|
||||
ports: '8'
|
||||
iso1:
|
||||
mode: access
|
||||
ports: '9'
|
||||
iso2:
|
||||
mode: access
|
||||
ports: '10'
|
||||
iso3:
|
||||
mode: access
|
||||
ports: '11'
|
||||
iso4:
|
||||
mode: access
|
||||
ports: '12'
|
||||
mgmt:
|
||||
mode: access
|
||||
ports:
|
||||
- '6'
|
||||
ports: '20'
|
||||
pub:
|
||||
mode: access
|
||||
ports:
|
||||
- '5'
|
||||
- 7-8
|
||||
ports: 13-19
|
||||
password: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQEMA2PKcvDMvlKLAQgAhPMG6VKUFLVNZmVfZ6P21CrXRmUeExuxIg4QIrYtKfYe
|
||||
cxWst/IuHnDyL2TP8yGb00sjz7o0psZ9Z+zRCi/ONONyNzee103ymjXxk0Ygekid
|
||||
1IGVeSTqskrgOl53mFZEfP4nBcOqzcNFjMkm0c5B2OmHHHOokOJ5Xzsya120SGXk
|
||||
JnYFVsRD6GFwuF88pgQ5VrGd5/drMaIrNkJ69dyfvYdHRTd0UgtiZFOMesRYFFP7
|
||||
+QdSW1MFoVZnjZgLeoNF/efIhHnTdClROCMZBYU5Z3pQcHAfE4GN3w+MceP/+5EY
|
||||
z3wuSNpsuYNr8NnEDvofTJGdOLuclE6JPFvJMg1QptJKASfn3ZlOrL4ohbPGaDQ6
|
||||
z1P+6DJXliXS7dBdxH0bsB2qRZslmcj286D9bPgTsuvCzOaxcTtkM8y76gVVOVBI
|
||||
TN+j1/OdlXyVmTM=
|
||||
=XUUi
|
||||
-----END PGP MESSAGE-----
|
||||
|
|
|
@ -7,6 +7,10 @@ vlans:
|
|||
up2: 11
|
||||
up3: 12
|
||||
up4: 13
|
||||
up5: 14
|
||||
up6: 15
|
||||
up7: 16
|
||||
up8: 17
|
||||
priv1: 40
|
||||
priv2: 41
|
||||
priv3: 42
|
||||
|
@ -23,3 +27,19 @@ vlans:
|
|||
priv14: 53
|
||||
priv15: 54
|
||||
priv16: 55
|
||||
iso1: 101
|
||||
iso2: 102
|
||||
iso3: 103
|
||||
iso4: 104
|
||||
iso5: 105
|
||||
iso6: 106
|
||||
iso7: 107
|
||||
iso8: 108
|
||||
iso9: 109
|
||||
iso10: 110
|
||||
iso11: 111
|
||||
iso12: 112
|
||||
iso13: 113
|
||||
iso14: 114
|
||||
iso15: 115
|
||||
iso16: 116
|
||||
|
|
|
@ -12,6 +12,11 @@ subnet {{ subnet.split('/')[0] }} netmask {{ netmasks[subnet.split('/')[1]] }} {
|
|||
{%- for name, value in conf['opts'].items() %}
|
||||
option {{ name }} {{ value }};
|
||||
{%- endfor %}
|
||||
{%- for name, value in conf['host-opts'].items() %}
|
||||
{%- set host = value.split('.')[0] %}
|
||||
{%- set net = value.split('.')[1] %}
|
||||
option {{ name }} {{ pillar['hosts-inet'][net][host] }};
|
||||
{%- endfor %}
|
||||
{%- for name, value in conf['string-opts'].items() %}
|
||||
option {{ name }} "{{ value }}";
|
||||
{%- endfor %}
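Review bot: The two new loops index `conf['host-opts']` and `conf['string-opts']` directly, so rendering fails for any dhcp subnet in the pillar that defines `opts` but not both of the new keys, and `{%- set host = value.split('.')[0] %}` silently ignores anything after the second dotted component of the value. Making the keys optional keeps the template usable for subnets that only need `opts`: `{%- for name, value in conf.get('host-opts', {}).items() %}` and `{%- for name, value in conf.get('string-opts', {}).items() %}`. The value in `option {{ name }} "{{ value }}";` is inserted without escaping, which is acceptable while the pillar is trusted but means a `"` in a string option yields an invalid dhcpd.conf; a comment such as `{# string-opts values are emitted verbatim inside double quotes; keep them free of '"' #}` would record that constraint. The enclosing `subnet` block starts outside the hunk.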
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
|
||||
spawn telnet {{ pillar['hosts-inet']['mgmt'][hostname] }}
|
||||
expect "Password:"
|
||||
send "secret\r"
|
||||
send "{{ switch['password'] }}\r"
|
||||
expect ">"
|
||||
send "system-view\r"
|
||||
expect "]"
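Review bot: `send "{{ switch['password'] }}\r"` interpolates the password into a Tcl double-quoted string unescaped, so a password containing `"`, `\`, `$` or `[` is rewritten by the Tcl parser before it reaches the switch, and one beginning with `-` is taken by `send` as an option. The same applies to the other substitutions in this file (the `set authentication password simple` and `password simple` lines in the next hunk) and to the TL-SG3210 and HP templates in this commit. At minimum write `send -- "{{ switch['password'] }}\r"` on each of those lines; a fuller fix is to pass the value through a Jinja filter that escapes `\`, `"`, `$` and `[` before interpolation, since nothing on the pillar side constrains which characters a password may contain.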
|
||||
|
@ -18,14 +18,14 @@ send "screen-length 0\r"
|
|||
expect "ui-vty0-4]"
|
||||
send "user privilege level 3\r"
|
||||
expect "ui-vty0-4]"
|
||||
send "set authentication password simple secret\r"
|
||||
send "set authentication password simple {{ switch['password'] }}\r"
|
||||
expect "ui-vty0-4]"
|
||||
send "quit\r"
|
||||
expect "{{ hostname }}]"
|
||||
|
||||
send "local-user admin\r"
|
||||
expect -- "-luser-admin]"
|
||||
send "password simple secret\r"
|
||||
send "password simple {{ switch['password'] }}\r"
|
||||
expect -- "-luser-admin]"
|
||||
send "quit\r"
|
||||
expect "{{ hostname }}]"
|
||||
|
@ -70,6 +70,7 @@ send "port link-aggregation group {{ group }}\r"
|
|||
expect "]"
|
||||
send "port link-type trunk\r"
|
||||
expect "]"
|
||||
# Set dummy default vlan
|
||||
send "port trunk pvid vlan 4094\r"
|
||||
expect "]"
|
||||
{%- for vlan_name in conf['vlans'] %}
|
||||
|
|
|
@ -0,0 +1,88 @@
|
|||
{# #}
|
||||
{%- import_yaml "netmasks.yaml" as netmasks -%}
|
||||
#!/usr/bin/expect -f
|
||||
|
||||
spawn ssh admin@{{ pillar['hosts-inet']['mgmt'][hostname] }}
|
||||
expect "password: "
|
||||
send "{{ switch['password'] }}\r"
|
||||
expect "Press any key to continue"
|
||||
send "\r"
|
||||
expect "# "
|
||||
send "configure terminal\r"
|
||||
expect "(config)# "
|
||||
|
||||
send "hostname {{ hostname }}\r"
|
||||
expect "(config)# "
|
||||
send "snmp-server location \"{{ switch['location'] }}\"\r"
|
||||
expect "(config)# "
|
||||
send "snmp-server contact \"astro@spaceboyz.net\"\r"
|
||||
expect "(config)# "
|
||||
send "password manager\r"
|
||||
expect "New password for Manager: "
|
||||
send "{{ switch['password'] }}\r"
|
||||
expect "Please retype new password for Manager: "
|
||||
send "{{ switch['password'] }}\r"
|
||||
expect "(config)# "
|
||||
|
||||
# TODO: ssh, password
|
||||
|
||||
{%- for name, vlan in pillar['vlans'].items() %}
|
||||
send "vlan {{ vlan }}\r"
|
||||
expect "(vlan-{{ vlan }})#"
|
||||
|
||||
send "name {{ name }}\r"
|
||||
expect "(vlan-{{ vlan }})#"
|
||||
|
||||
{# Actually only used for mgmt_vlan, switches are not routers #}
|
||||
{%- set net_hosts = pillar['hosts-inet'].get(name) %}
|
||||
{%- set ipaddr = net_hosts and net_hosts.get(hostname) %}
|
||||
{%- if ipaddr %}
|
||||
send "ip address {{ ipaddr }} {{ netmasks[pillar['subnets-inet'][name].split('/')[1]] }}\r"
|
||||
expect "(vlan-{{ vlan }})#"
|
||||
{%- endif %}
|
||||
|
||||
send "exit\r"
|
||||
expect "(config)# "
|
||||
|
||||
{%- if name == 'mgmt' %}
|
||||
send "management-vlan {{ vlan }}\r"
|
||||
expect "(config)# "
|
||||
{%- else %}
|
||||
# If not mgmt, reset all VLAN mappings
|
||||
send "no vlan {{ vlan }} tagged all\r"
|
||||
expect "(config)# "
|
||||
send "no vlan {{ vlan }} untagged all\r"
|
||||
expect "(config)# "
|
||||
{%- endif %}
|
||||
|
||||
{%- endfor %}
|
||||
|
||||
{%- set group = 0 %}
|
||||
{%- for name, conf in switch['ports'].items() %}
|
||||
{%- if conf['mode'] == 'trunk' %}
|
||||
{%- set group = group + 1 %}
|
||||
|
||||
send "no trunk {{ conf['ports'] }}\r"
|
||||
expect "(config)# "
|
||||
send "trunk {{ conf['ports'] }} trk{{ group }} lacp\r"
|
||||
expect "(config)# "
|
||||
{%- for vlan_name in conf['vlans'] %}
|
||||
send "vlan {{ pillar['vlans'][vlan_name] }} tagged trk{{ group }}\r"
|
||||
expect "(config)# "
|
||||
{%- endfor %}
|
||||
|
||||
{%- elif conf['mode'] == 'access' %}
|
||||
send "vlan {{ pillar['vlans'][name] }} untagged {{ conf['ports'] }}\r"
|
||||
expect "(config)# "
|
||||
|
||||
{%- endif %}
|
||||
{%- endfor %}
|
||||
|
||||
send "write memory\r"
|
||||
expect "{{ hostname }}# "
|
||||
send "exit\r"
|
||||
expect "{{ hostname }}> "
|
||||
send "exit\r"
|
||||
expect "Do you want to log out "
|
||||
expect "y/n]? "
|
||||
send "y"
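Review bot: `{%- set group = group + 1 %}` inside the `for name, conf in switch['ports'].items()` loop does not update the `group` set to 0 before the loop — in Jinja2 an assignment inside a loop body is scoped to that iteration — so every trunk entry on a switch renders as `trk1` and a second trunk would overwrite the first. Use a mutable namespace (Jinja 2.10+), `{%- set ns = namespace(group=0) %}` before the loop with `{%- set ns.group = ns.group + 1 %}` and `trk{{ ns.group }}` inside it, or derive the number from `loop.index`; the `port link-aggregation group {{ group }}` context in the 3com template suggests the same pattern there, which I cannot confirm from that hunk. Separately, `spawn ssh admin@...` is followed directly by `expect "password: "`, so an unknown or changed host key leaves the script waiting on the `(yes/no)?` prompt until the expect timeout; pre-seeding the minion's known_hosts, or adding an `expect` branch that aborts on that prompt, turns that into an explicit failure instead of a silent one.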
|
|
@ -6,7 +6,7 @@
|
|||
#stty raw -echo
|
||||
spawn telnet {{ pillar['hosts-inet']['mgmt'][hostname] }}
|
||||
expect "Password:"
|
||||
send "secret\r"
|
||||
send "{{ switch['password'] }}\r"
|
||||
expect ">"
|
||||
send "\r"
|
||||
expect ">"
|
||||
|
@ -17,13 +17,13 @@ expect "#"
|
|||
send "configure\r"
|
||||
expect "(config)#"
|
||||
|
||||
send "enable secret 0 secret\r"
|
||||
send "enable secret 0 {{ switch['password'] }}\r"
|
||||
expect "(config)#"
|
||||
#send "enable password 0 secret\r"
|
||||
#send "enable password 0 {{ switch['password'] }}\r"
|
||||
#expect "(config)#"
|
||||
send "service password-encryption\r"
|
||||
expect "(config)#"
|
||||
send "user name admin privilege admin secret 0 secret\r"
|
||||
send "user name admin privilege admin secret 0 {{ switch['password'] }}\r"
|
||||
expect "(config)#"
|
||||
|
||||
send "hostname \"{{ hostname }}\"\r"
|
||||
|
@ -40,7 +40,7 @@ send "telnet enable\r"
|
|||
expect "(config)#"
|
||||
send "line vty 0 15\r"
|
||||
expect "(config-line)#"
|
||||
send "password 0 secret\r"
|
||||
send "password 0 {{ switch['password'] }}\r"
|
||||
expect "(config-line)#"
|
||||
send "exit\r"
|
||||
expect "(config)#"
|
||||
|
|
|
@ -6,6 +6,6 @@
|
|||
- context:
|
||||
hostname: {{ hostname }}
|
||||
switch: {{ switch }}
|
||||
- mode: 744
|
||||
- mode: 755
|
||||
|
||||
{%- endfor %}
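Review bot: The generated expect script receives the whole switch record through `switch: {{ switch }}`, including the password decrypted by the `yaml|gpg` pillar renderer, and the change from `744` to `755` makes that file readable by every local user on the minion; since only the account that runs the script needs access, `- mode: 700` keeps the secret out of reach of other users. `{{ switch }}` also appears to emit a Python dict repr rather than YAML, which happens to parse as a flow mapping for simple single-line values but breaks once a value contains a quote or newline; rendering it with Jinja's `tojson` filter (`switch: {{ switch | tojson }}`, valid YAML) is more robust. The `file.managed` entry this context belongs to starts outside the hunk.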
|
||||
|
|
|
@ -9,6 +9,6 @@ iptables:
|
|||
- template: 'jinja'
|
||||
- context:
|
||||
interface: {{ interface }}
|
||||
- mode: 744
|
||||
- mode: 755
|
||||
- require:
|
||||
- pkg: iptables
|
||||
|
|
|
@ -19,7 +19,7 @@ log /var/log/openvpn-{{ name }}.log
|
|||
#ifconfig-noexec
|
||||
route 0.0.0.0 0.0.0.0
|
||||
#route-nopull
|
||||
#up /etc/openvpn/ipredator-up.sh
|
||||
up /etc/openvpn/{{ name }}.up
|
||||
script-security 2
|
||||
|
||||
auth-user-pass /etc/openvpn/{{ name }}.auth
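Review bot: `script-security 2` is needed for the new `up /etc/openvpn/{{ name }}.up` hook, but the line carries no explanation, and a reader should not have to guess why level 1 is insufficient or why level 3 was avoided; a comment such as `# script-security 2: required for the up hook; 3 would expose the auth-user-pass credentials to scripts via the environment` records the reasoning. The `auth-user-pass /etc/openvpn/{{ name }}.auth` file holds a cleartext credential and its permissions are not visible here; the `- mode: 600` in the vpn state hunk looks like it covers that file, but that should be confirmed against the state that manages it.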
|
||||
|
|
|
@ -1,6 +1,19 @@
|
|||
openvpn:
|
||||
pkg.installed: []
|
||||
|
||||
/dev/net:
|
||||
file.directory:
|
||||
- mode: 0755
|
||||
|
||||
/dev/net/tun:
|
||||
file.mknod:
|
||||
- ntype: 'c'
|
||||
- major: 10
|
||||
- minor: 200
|
||||
- mode: 0666
|
||||
- require:
|
||||
- file: /dev/net
|
||||
|
||||
{%- for name, conf in pillar['openvpn'].items() %}
|
||||
|
||||
hostroutes-{{ name }}:
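Review bot: `- mode: 0755` and `- mode: 0666` are unquoted, so the YAML 1.1 loader Salt uses reads them as octal integers (493 and 438), unlike the decimal `755`/`600` values used elsewhere in this file; whether Salt recovers the intended permissions from those integers depends on the version, and quoting removes the ambiguity: `- mode: '0755'` and `- mode: '0666'`. The `file.mknod` state for `/dev/net/tun` also deserves a comment on why it is managed here at all, presumably for containers that do not inherit the device node from the host, e.g. `# tun node for containers without /dev/net/tun; 0666 matches the usual host default and is intentional`.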
|
||||
|
@ -28,6 +41,14 @@ hostroutes-{{ name }}:
|
|||
name: {{ name }}
|
||||
- mode: 600
|
||||
|
||||
/etc/openvpn/{{ name }}.up:
|
||||
file.managed:
|
||||
- source: salt://vpn/up
|
||||
- template: 'jinja'
|
||||
- context:
|
||||
name: {{ name }}
|
||||
- mode: 755
|
||||
|
||||
|
||||
autostart-{{ name }}:
|
||||
service.enabled:
|
||||
|
@ -35,6 +56,8 @@ autostart-{{ name }}:
|
|||
require_in:
|
||||
- file: /etc/openvpn/{{ name }}.conf
|
||||
- file: /etc/openvpn/{{ name }}.auth
|
||||
require:
|
||||
- file: /dev/net/tun
|
||||
|
||||
start-{{ name }}:
|
||||
service.running:
|
||||
|
@ -42,6 +65,8 @@ start-{{ name }}:
|
|||
require_in:
|
||||
- file: /etc/openvpn/{{ name }}.conf
|
||||
- file: /etc/openvpn/{{ name }}.auth
|
||||
require:
|
||||
- file: /dev/net/tun
|
||||
|
||||
{%- endfor %}
|
||||
|
||||
|
|
|
@ -0,0 +1,9 @@
|
|||
#!/bin/sh
|
||||
|
||||
export IFACE={{ name }}
|
||||
for f in /etc/network/if-pre-up.d/*; do
|
||||
$f
|
||||
done
|
||||
for f in /etc/network/if-up.d/*; do
|
||||
$f
|
||||
done
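Review bot: `$f` executes every entry of `/etc/network/if-pre-up.d/*` and `/etc/network/if-up.d/*` as root, including editor backups, `*.dpkg-old` leftovers and files that are not executable, and when a directory is empty the unexpanded pattern itself is passed to the shell; ifupdown invokes these directories through `run-parts`, which applies the usual name and executability filters. Guard each call, `[ -x "$f" ] && "$f"`, or replace both loops with `run-parts /etc/network/if-pre-up.d` and `run-parts /etc/network/if-up.d`. Only `IFACE` is exported, while hook scripts commonly also read `MODE`, `PHASE`, `ADDRFAM` and `METHOD`; a comment stating which hooks this wrapper is intended to satisfy would make that omission deliberate.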
|
|
@ -0,0 +1,12 @@
|
|||
## Security checklist
|
||||
|
||||
- [ ] ssh shut from internet
|
||||
- [ ] dns shut from internet
|
||||
- [ ] no source routing
|
||||
- [ ] rp_filter
|
||||
- [ ] restrict upstream routing/dns resolvers to associated priv nets?
|
||||
- [ ] container caps dropped?
|
||||
- [ ] ssh/telnet passwords
|
||||
- [ ] no ospf outside core net
|
||||
- [ ] no traffic between vlans
|
||||
|