Initial config for a router

4de5950b · Rafael László · 4de5950b · 4de5950b · 4de5950b · 4de5950b
Commit 4de5950b authored Sep 16, 2021 by Rafael László
--- a/.gitignore
+++ b/.gitignore
+.idea
+.venv
+# autogenerated
+.template
--- a/README.md
+++ b/README.md
+# Role Name
+Base role for every Kubernetes router VM.
+It will handle NAT, dhcp, bgp and has an nftables firewall.
+## License
+MIT
+## Author Information
+KSZK
--- a/bootstrap.sh
+++ b/bootstrap.sh
+#!/usr/bin/env bash
+# create virtualenv if not present
+[[ ! -d .venv ]] && python3 -m venv .venv
+source .venv/bin/activate
+pip3 install ansible ansible-lint
+ansible-galaxy install --force -r requirements.galaxy.yaml
+# to stay in our comfy virtualenv
+exec "${SHELL:bash}"
--- a/defaults/main.yml
+++ b/defaults/main.yml
+---
+wan_port: ens192
+lan_port: ens224
+# ssh_port: 10022
+# nftables:
+#   wan_ip: 152.66.208.164
+#   lan_network: 192.168.1.0/24
+#   loadbalancer_network: 192.168.2.0/24
+#   dnat:
+#     - dport: 6443
+#       to: 192.168.69.1:6443
+# netplan:
+#   network:
+#     ethernets:
+#       ens192:
+#         dhcp4: yes
+#       ens224:
+#         dhcp4: no
+#         addresses:
+#           - 192.168.1.254/24
+# bgp:
+#   router_ip: "192.168.1.254"
+#   neighbors: 
+#     - "192.168.1.11"
+#     - "192.168.1.12"
+#     - "192.168.1.13"
+#     - "192.168.1.21"
+#     - "192.168.1.22"
+#     - "192.168.1.23"
+# dhcp:
+#   subnet: "192.168.1.0"
+#   netmask: "255.255.255.0"
+#   range:
+#     start: "192.168.1.100"
+#     end: "192.168.1.200"
+#   router: "192.168.1.254"
+#   name_servers: "152.66.208.1, 8.8.8.8"
+#   search: "sch.bme.hu"
+#   static_hosts:
+#     - name: name
+#       mac: "00:00:00:00:00:00" 
+#       ip: "192.168.1.11"
--- a/handlers/main.yml
+++ b/handlers/main.yml
+---
+# handlers file for myrole
--- a/meta/main.yml
+++ b/meta/main.yml
+galaxy_info:
+  author: kszk
+  description: Router role for Kubernetes routers
+  company: KSZK
+  license: MIT
+  platforms:
+    - name: Ubuntu
+      versions:
+        - all
+  min_ansible_version: 2.9
+  galaxy_tags: []
+collections:
+  - community.general
+  - ansible.posix
--- a/requirements.galaxy.yaml
+++ b/requirements.galaxy.yaml
+---
+collections:
+  - community.general
+  - ansible.posix
+roles:
+  - src: yatesr.timezone
--- a/tasks/bgp.yaml
+++ b/tasks/bgp.yaml
+---
+- name: Install required packages for bgp
+  package:
+    state: present
+    name:
+      - frr
+      - gobgpd
+- name: Create opt/gobgpd folder
+  file:
+    path: /opt/gobgpd
+    state: directory
+- name: Download gobgpd tar file and extract it
+  unarchive: 
+    src: https://github.com/osrg/gobgp/releases/download/v2.31.0/gobgp_2.31.0_linux_amd64.tar.gz
+    dest: /opt/gobgpd
+    remote_src: yes
+- name: Place frr config file
+  template:
+    src: etc/frr/daemons.j2
+    dest: /etc/frr/daemons
+    mode: 0640
+  register: frr_config_file
+- name: Ensure frr is restarted and enabled to start at boot
+  service:
+    name: frr
+    state: restarted
+    enabled: yes
+  when: frr_config_file.changed
+- name: Place gobgpd systemd service file
+  template:
+    src: etc/systemd/system/gobgpd.service.j2
+    dest: /etc/systemd/system/gobgpd.service
+    mode: 0644
+  register: gobgpd_service_config_file
+- name: Place gobgpd config file
+  template:
+    src: etc/gobgpd.conf.j2
+    dest: /etc/gobgpd.conf
+    mode: 0644
+  register: gobgpd_config_file
+- name: Force systemd to reread configs
+  ansible.builtin.systemd:
+    daemon_reload: yes
+  when: gobgpd_service_config_file.changed
+- name: Ensure gobgpd is restarted and enabled to start at boot
+  service:
+    name: gobgpd
+    state: restarted
+    enabled: yes
+  when: gobgpd_config_file.changed or gobgpd_service_config_file.changed
--- a/tasks/dhcp-server.yaml
+++ b/tasks/dhcp-server.yaml
+---
+- name: Install isc-dhcp-server package
+  package:
+    state: present
+    name:
+      - isc-dhcp-server
+- name: Update dhcp config
+  template:
+    src: etc/dhcp/dhcpd.conf.j2
+    dest: /etc/dhcp/dhcpd.conf
+    mode: 0644
+  register: dhcpd_config_file
+- name: Update dhcp interface
+  template:
+    src: etc/default/isc-dhcp-server.j2
+    dest: /etc/default/isc-dhcp-server
+    mode: 0644
+  register: dhcpd_interface_file
+- name: Ensure isc-dhcp-server is restarted and enabled at boot.
+  service:
+    name: isc-dhcp-server
+    state: restarted
+    enabled: yes
+  when: dhcpd_config_file.changed or dhcpd_interface_file.changed
--- a/tasks/main.yml
+++ b/tasks/main.yml
+---
+# Dependent roles will be installed first
+- name: Update netplan config
+  include_tasks: netplan.yaml
+  when: netplan is defined
+- name: Setup nftables
+  include_tasks: nftables.yaml
+  when: nftables is defined
+- name: Setup dhcp server
+  include_tasks: dhcp-server.yaml
+  when: dhcp is defined
+- name: Setup bgp
+  include_tasks: bgp.yaml
+  when: bgp is defined
--- a/tasks/netplan.yaml
+++ b/tasks/netplan.yaml
+---
+- name: Disable cloud init networking
+  template:
+    src: etc/cloud/cloud.cfg.d/99-disable-network-config.cfg.j2
+    dest: /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg
+    mode: 0644
+- name: Add netplan network config
+  template:
+    src: etc/netplan/01-netcfg.yaml.j2
+    dest: /etc/netplan/01-netcfg.yaml
+    mode: 0644
+  register: netplan_config
+- name: Remove old netplan config
+  ansible.builtin.file:
+    path: /etc/netplan/50-cloud-init.yaml
+    state: absent
+  when: netplan_config.changed
+- name: Apply Netplan Configuration
+  command: netplan apply
+  when: netplan_config.changed
\ No newline at end of file
--- a/tasks/nftables.yaml
+++ b/tasks/nftables.yaml
+---
+- name: Install nftables package
+  package:
+    state: present
+    name:
+      - nftables
+- name: Enable IP Forwarding
+  ansible.posix.sysctl:
+    name: net.ipv4.ip_forward
+    value: '1'
+    state: present
+- name: Ensure nftables runs and enabled
+  service:
+    name: nftables
+    state: started
+    enabled: yes
+- name: Place nftables configuration file.
+  template:
+    src: etc/nftables.conf.j2
+    dest: /etc/nftables.conf
+    mode: 0755
+  register: nftables_config_file
+- name: Load config
+  command: nft -f /etc/nftables.conf
+  when: nftables_config_file.changed
--- a/templates/etc/cloud/cloud.cfg.d/99-disable-network-config.cfg.j2
+++ b/templates/etc/cloud/cloud.cfg.d/99-disable-network-config.cfg.j2
+#
+# !!!
+# {{ ansible_managed }}
+# !!!
+# Disable cloudinit network config
+network: {config: disabled}
--- a/templates/etc/default/isc-dhcp-server.j2
+++ b/templates/etc/default/isc-dhcp-server.j2
+# !!!
+# {{ ansible_managed }}
+# !!!
+INTERFACESv4="{{ lan_port }}"
--- a/templates/etc/dhcp/dhcpd.conf.j2
+++ b/templates/etc/dhcp/dhcpd.conf.j2
+#
+# !!!
+# {{ ansible_managed }}
+# !!!
+# option definitions common to all supported networks...
+default-lease-time 600;
+max-lease-time 7200;
+authoritative;
+subnet {{ dhcp.subnet }} netmask {{ dhcp.netmask }} {
+    range {{ dhcp.range.start }} {{ dhcp.range.end }};
+    option routers {{ dhcp.router }};
+    option domain-name-servers {{ dhcp.name_servers }};
+{% if dhcp.search %}
+    option domain-name "{{ dhcp.search }}";
+{% endif %}
+}
+{% if dhcp.static_hosts is defined %}
+{% for static_host in dhcp.static_hosts %}
+host {{ static_host.name }} {
+    hardware ethernet {{ static_host.mac }};
+    fixed-address {{ static_host.ip }};
+}
+{% endfor %}
+{% endif %}
\ No newline at end of file
--- a/templates/etc/frr/daemons.j2
+++ b/templates/etc/frr/daemons.j2
+#
+# !!!
+# {{ ansible_managed }}
+# !!!
+bgpd=no
+ospfd=no
+ospf6d=no
+ripd=no
+ripngd=no
+isisd=no
+pimd=no
+ldpd=no
+nhrpd=no
+eigrpd=no
+babeld=no
+sharpd=no
+pbrd=no
+bfdd=no
+fabricd=no
+vrrpd=no
+zebra=yes
+#
+# If this option is set the /etc/init.d/frr script automatically loads
+# the config via "vtysh -b" when the servers are started.
+# Check /etc/pam.d/frr if you intend to use "vtysh"!
+#
+vtysh_enable=yes
+zebra_options="  -A 127.0.0.1 -s 90000000"
+bgpd_options="   -A 127.0.0.1"
+ospfd_options="  -A 127.0.0.1"
+ospf6d_options=" -A ::1"
+ripd_options="   -A 127.0.0.1"
+ripngd_options=" -A ::1"
+isisd_options="  -A 127.0.0.1"
+pimd_options="   -A 127.0.0.1"
+ldpd_options="   -A 127.0.0.1"
+nhrpd_options="  -A 127.0.0.1"
+eigrpd_options=" -A 127.0.0.1"
+babeld_options=" -A 127.0.0.1"
+sharpd_options=" -A 127.0.0.1"
+pbrd_options="   -A 127.0.0.1"
+staticd_options="-A 127.0.0.1"
+bfdd_options="   -A 127.0.0.1"
+fabricd_options="-A 127.0.0.1"
+vrrpd_options="  -A 127.0.0.1"
--- a/templates/etc/gobgpd.conf.j2
+++ b/templates/etc/gobgpd.conf.j2
+# !!!
+# {{ ansible_managed }}
+# !!!
+[global.config]
+  as = 64512
+  router-id = "{{ bgp.router_ip }}"
+  local-address-list = ["{{ bgp.router_ip }}"]
+[global.use-multiple-paths.config]
+  enabled = true
+{% if bgp.neighbors is defined %}
+{% for neighbor in bgp.neighbors %}
+[[neighbors]]
+  [neighbors.config]
+    neighbor-address = "{{ neighbor }}"
+    peer-as = 64512
+{% endfor %}
+{% endif %}
+[zebra]
+  [zebra.config]
+    enabled = true
+    url = "unix:/var/run/frr/zserv.api"
+    redistribute-route-type-list = ["connect"]
+    software-name = "frr7.2"
+    version = 6
--- a/templates/etc/netplan/01-netcfg.yaml.j2
+++ b/templates/etc/netplan/01-netcfg.yaml.j2
+#
+# !!!
+# {{ ansible_managed }}
+# !!!
+network:
+  version: 2
+  renderer: networkd
+  ethernets:
+{{ netplan['network']['ethernets']|to_nice_yaml|indent(4, true) }}
--- a/templates/etc/nftables.conf.j2
+++ b/templates/etc/nftables.conf.j2
+#!/usr/bin/nft -f
+# !!!
+# {{ ansible_managed }}
+# !!!
+flush ruleset
+define wan = {{ wan_port }}
+define lan = {{ lan_port }}
+table inet filter {
+  chain input {
+    type filter hook input priority 0; policy drop;
+    ct state {established, related} accept
+    ct state invalid drop
+    iif lo accept
+    iif $lan accept
+    ip protocol icmp accept
+    tcp dport {{ ssh_port | default("10022", true) }} accept comment "SSH in"
+  }
+  chain forward {
+    type filter hook forward priority 0;
+    oif $wan accept
+    ct status dnat accept
+    iif $wan ct state related, established accept
+    iif $wan drop
+  }
+  # Allow all packets sent by the firewall
+  chain output {
+    type filter hook output priority 100; policy accept;
+  }
+}
+table ip nat {
+  chain output {
+    type nat hook output priority 0;
+    {% if nftables.dnat is defined %}
+    {% for dnat in nftables.dnat %}
+    ip daddr {{ nftables.wan_ip}} tcp dport {{ dnat.dport }} dnat {{ dnat.to }}
+    {% endfor %}
+    {% endif %}
+  }
+  chain prerouting {
+    type nat hook prerouting priority -100;
+    # Port forwarding
+    {% if nftables.dnat is defined %}
+    {% for dnat in nftables.dnat %}
+    ip daddr {{ nftables.wan_ip}} tcp dport {{ dnat.dport }} dnat {{ dnat.to }}
+    {% endfor %}
+    {% endif %}
+  }
+  chain postrouting {
+    type nat hook postrouting priority 100;
+    # SNAT outgoing traffic
+    ip daddr {{ nftables.loadbalancer_network }} snat to {{ nftables.wan_ip }}
+    ip saddr {{ nftables.lan_network }} oif $wan snat to {{ nftables.wan_ip }}
+  }
+}
--- a/templates/etc/systemd/system/gobgpd.service.j2
+++ b/templates/etc/systemd/system/gobgpd.service.j2
+# !!!
+# {{ ansible_managed }}
+# !!!
+[Unit]
+Description=GoBGP Routing Daemon
+Documentation=file:/usr/share/doc/gobgpd/getting-started.md
+After=network.target syslog.service
+ConditionPathExists=/etc/gobgpd.conf
+[Service]
+Type=notify
+ExecStartPre=/opt/gobgpd/gobgpd -f /etc/gobgpd.conf -d
+ExecStart=/opt/gobgpd/gobgpd -f /etc/gobgpd.conf --sdnotify --disable-stdlog --syslog yes
+ExecReload=/opt/gobgpd/gobgpd -r
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+User=frr
+[Install]
+WantedBy=multi-user.target