authorTrygve Laugstøl <trygvis@inamo.no>2021-01-07 12:20:02 +0100
committerTrygve Laugstøl <trygvis@inamo.no>2021-01-07 12:20:02 +0100
commit70d0ad3c9f37e44a9504a0d7f66e412a3f3bba6f (patch)
tree623815a975541ebba1fba8208bd2b3e984ceb9d4
parentede2372547db659e7b0e9cfd3b531ff542018229 (diff)
More Wireguard.
Fixing broken myapps too.
-rw-r--r--acme-wireguard/host_vars/acme-1/wireguard.yml6
-rw-r--r--acme-wireguard/host_vars/acme-2/wireguard.yml6
-rw-r--r--acme-wireguard/host_vars/acme-3/wireguard.yml6
-rw-r--r--acme-wireguard/host_vars/ws-1/wireguard.yml7
-rw-r--r--acme-wireguard/host_vars/ws-2/wireguard.yml7
-rw-r--r--acme-wireguard/inventory.yml7
-rw-r--r--acme.yaml9
-rw-r--r--j2/wireguard/ansible-host.j25
-rw-r--r--j2/wireguard/inventory.j25
-rw-r--r--module/acme/src/main/java/io/trygvis/acme/AcmeOps.java4
-rw-r--r--module/acme/src/main/java/io/trygvis/acme/apps/AcmeMyApp.java (renamed from module/acme/src/main/java/io/trygvis/acme/AcmeMyApp.java)2
-rw-r--r--module/acme/src/main/java/io/trygvis/acme/apps/AcmeOps.java4
-rw-r--r--module/acme/src/main/resources/META-INF/kmodule.xml8
-rw-r--r--module/acme/src/main/resources/io/trygvis/acme/acme.drl26
-rw-r--r--module/acme/src/main/resources/io/trygvis/acme/apps/apps.drl33
-rw-r--r--module/ri-engine/src/main/java/io/trygvis/rules/engine/DbIo.java8
-rw-r--r--module/ri-engine/src/main/java/io/trygvis/rules/machine/Machine.java8
-rw-r--r--module/ri-engine/src/main/java/io/trygvis/rules/network/IpCalc.java45
-rw-r--r--module/ri-engine/src/main/java/io/trygvis/rules/network/Ipv4Cidr.java114
-rw-r--r--module/ri-engine/src/test/java/io/trygvis/rules/network/IpCalcTest.java27
-rw-r--r--module/ri-engine/src/test/java/io/trygvis/rules/network/Ipv4CidrTest.java36
-rw-r--r--module/ri-wireguard/src/main/resources/io/trygvis/rules/wireguard/wireguard.drl79
-rw-r--r--out/acme/apps.yaml73
-rw-r--r--out/acme/wireguard.yaml77
24 files changed, 391 insertions, 211 deletions
diff --git a/acme-wireguard/host_vars/acme-1/wireguard.yml b/acme-wireguard/host_vars/acme-1/wireguard.yml
index 7a8eb03..ed768e2 100644
--- a/acme-wireguard/host_vars/acme-1/wireguard.yml
+++ b/acme-wireguard/host_vars/acme-1/wireguard.yml
@@ -1,3 +1,7 @@
# Generated
link_address: 192.168.10.4
-network_cidr: TODO
+network_cidr: 10.55.251.0/24
+wireguard_peers:
+ acme-1:
+ - acme-3.machine.acme.com
+ - acme-2.machine.acme.com
diff --git a/acme-wireguard/host_vars/acme-2/wireguard.yml b/acme-wireguard/host_vars/acme-2/wireguard.yml
index 8ec6010..363c50b 100644
--- a/acme-wireguard/host_vars/acme-2/wireguard.yml
+++ b/acme-wireguard/host_vars/acme-2/wireguard.yml
@@ -1,3 +1,7 @@
# Generated
link_address: 192.168.10.3
-network_cidr: TODO
+network_cidr: 10.55.252.0/24
+wireguard_peers:
+ acme-2:
+ - acme-3.machine.acme.com
+ - acme-1.machine.acme.com
diff --git a/acme-wireguard/host_vars/acme-3/wireguard.yml b/acme-wireguard/host_vars/acme-3/wireguard.yml
index 56e95d2..e032cac 100644
--- a/acme-wireguard/host_vars/acme-3/wireguard.yml
+++ b/acme-wireguard/host_vars/acme-3/wireguard.yml
@@ -1,3 +1,7 @@
# Generated
link_address: 192.168.10.2
-network_cidr: TODO
+network_cidr: 10.55.253.0/24
+wireguard_peers:
+ acme-3:
+ - acme-2.machine.acme.com
+ - acme-1.machine.acme.com
diff --git a/acme-wireguard/host_vars/ws-1/wireguard.yml b/acme-wireguard/host_vars/ws-1/wireguard.yml
index ea629ed..2e4a54f 100644
--- a/acme-wireguard/host_vars/ws-1/wireguard.yml
+++ b/acme-wireguard/host_vars/ws-1/wireguard.yml
@@ -1,3 +1,8 @@
# Generated
link_address: 192.168.10.1
-network_cidr: TODO
+network_cidr: 10.55.254.0/24
+wireguard_peers:
+ ws-1:
+ - acme-3.machine.acme.com
+ - acme-2.machine.acme.com
+ - acme-1.machine.acme.com
diff --git a/acme-wireguard/host_vars/ws-2/wireguard.yml b/acme-wireguard/host_vars/ws-2/wireguard.yml
index 95f5f03..d3e1eb1 100644
--- a/acme-wireguard/host_vars/ws-2/wireguard.yml
+++ b/acme-wireguard/host_vars/ws-2/wireguard.yml
@@ -1,3 +1,8 @@
# Generated
link_address: 192.168.10.0
-network_cidr: TODO
+network_cidr: 10.55.255.0/24
+wireguard_peers:
+ ws-2:
+ - acme-3.machine.acme.com
+ - acme-2.machine.acme.com
+ - acme-1.machine.acme.com
diff --git a/acme-wireguard/inventory.yml b/acme-wireguard/inventory.yml
new file mode 100644
index 0000000..6f76480
--- /dev/null
+++ b/acme-wireguard/inventory.yml
@@ -0,0 +1,7 @@
+# Generated
+all:
+ ws-2:
+ ws-1:
+ acme-3: acme-3.machine.acme.com
+ acme-2: acme-2.machine.acme.com
+ acme-1: acme-1.machine.acme.com
diff --git a/acme.yaml b/acme.yaml
index 5f3dca3..0a18ff0 100644
--- a/acme.yaml
+++ b/acme.yaml
@@ -1,14 +1,14 @@
-type: io.trygvis.acme.AcmeMyApp
+type: io.trygvis.acme.apps.AcmeMyApp
data:
environment: ci
dockerTag: development
---
-type: io.trygvis.acme.AcmeMyApp
+type: io.trygvis.acme.apps.AcmeMyApp
data:
environment: production
dockerTag: master
---
-type: io.trygvis.acme.AcmeOps
+type: io.trygvis.acme.apps.AcmeOps
---
@@ -40,4 +40,5 @@ data:
name: vpn0
domain: vpn.acme.com
linkCidr: 192.168.10.0/29
- networkCidr: 10.55.55.0/24
+ networkCidr: 10.55.0.0/16
+ networkBits: 24
diff --git a/j2/wireguard/ansible-host.j2 b/j2/wireguard/ansible-host.j2
index 63a8d51..72273ef 100644
--- a/j2/wireguard/ansible-host.j2
+++ b/j2/wireguard/ansible-host.j2
@@ -1,3 +1,8 @@
# Generated
link_address: {{ link }}
network_cidr: {{ network }}
+wireguard_peers:
+ {{ host.name }}:
+{%- for peer in peers %}
+ - {{ peer }}
+{%- endfor %}
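Review bot: The templated scalars in the new `wireguard_peers` block are emitted unquoted (`- {{ peer }}` on the loop body line), so an empty or None value renders as a YAML null rather than a string, and a value that happens to look like a number or boolean is retyped by the loader; write `- "{{ peer }}"`. The same applies to the pre-existing `link_address: {{ link }}` and `network_cidr: {{ network }}` lines. Also consider whether the extra map keyed by `{{ host.name }}` is needed in a file that is already per-host under host_vars; a flat `wireguard_peers:` list would be simpler for the consuming role.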
diff --git a/j2/wireguard/inventory.j2 b/j2/wireguard/inventory.j2
new file mode 100644
index 0000000..c7f38ee
--- /dev/null
+++ b/j2/wireguard/inventory.j2
@@ -0,0 +1,5 @@
+# Generated
+all:
+{%- for host in hosts %}
+ {{ host.name }}: {{ host.fqdn }}
+{%- endfor %}
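Review bot: `{{ host.name }}: {{ host.fqdn }}` renders a bare `ws-2:` when a Machine has no fqdn, which the generated acme-wireguard/inventory.yml in this commit shows for ws-1 and ws-2 — the loader reads that as a null value, not a host address. Either skip hosts without an fqdn (`{% if host.fqdn %}`) or fail the template, and quote the value: `{{ host.name }}: "{{ host.fqdn }}"`. If this file is meant to be consumed as an Ansible YAML inventory, note that Ansible expects hosts under `all: hosts:` with an `ansible_host:` per entry; the current shape would presumably be read as group names — worth confirming against the consumer.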
diff --git a/module/acme/src/main/java/io/trygvis/acme/AcmeOps.java b/module/acme/src/main/java/io/trygvis/acme/AcmeOps.java
deleted file mode 100644
index 844c7f0..0000000
--- a/module/acme/src/main/java/io/trygvis/acme/AcmeOps.java
+++ /dev/null
@@ -1,4 +0,0 @@
-package io.trygvis.acme;
-
-public class AcmeOps {
-}
diff --git a/module/acme/src/main/java/io/trygvis/acme/AcmeMyApp.java b/module/acme/src/main/java/io/trygvis/acme/apps/AcmeMyApp.java
index dfe374b..9371af2 100644
--- a/module/acme/src/main/java/io/trygvis/acme/AcmeMyApp.java
+++ b/module/acme/src/main/java/io/trygvis/acme/apps/AcmeMyApp.java
@@ -1,4 +1,4 @@
-package io.trygvis.acme;
+package io.trygvis.acme.apps;
public class AcmeMyApp {
public String environment;
diff --git a/module/acme/src/main/java/io/trygvis/acme/apps/AcmeOps.java b/module/acme/src/main/java/io/trygvis/acme/apps/AcmeOps.java
new file mode 100644
index 0000000..be9d82b
--- /dev/null
+++ b/module/acme/src/main/java/io/trygvis/acme/apps/AcmeOps.java
@@ -0,0 +1,4 @@
+package io.trygvis.acme.apps;
+
+public class AcmeOps {
+}
diff --git a/module/acme/src/main/resources/META-INF/kmodule.xml b/module/acme/src/main/resources/META-INF/kmodule.xml
index e86da96..6bcd1db 100644
--- a/module/acme/src/main/resources/META-INF/kmodule.xml
+++ b/module/acme/src/main/resources/META-INF/kmodule.xml
@@ -3,11 +3,15 @@
xmlns="http://www.drools.org/xsd/kmodule"
xsi:schemaLocation="http://www.drools.org/xsd/kmodule https://www.drools.org/xsd/kmodule_7_1.xsd">
- <kbase packages="io.trygvis.acme" includes="dba,engine,machine,terraform" name="acme-apps">
+ <kbase name="acme-apps" packages="io.trygvis.acme.apps" includes="dba,engine,machine,terraform, acme-shared">
<ksession name="acme-apps" default="true"/>
</kbase>
- <kbase packages="io.trygvis.acme" includes="engine,wireguard" name="acme-wireguard">
+ <kbase name="acme-wireguard" packages="io.trygvis.acme.wireguard" includes="engine,wireguard, acme-shared">
<ksession name="acme-wireguard" default="true"/>
</kbase>
+
+ <kbase packages="io.trygvis.acme" name="acme-shared">
+ <ksession name="acme-shared" default="true"/>
+ </kbase>
</kmodule>
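Review bot: The new `acme-shared` kbase declares its ksession `default="true"`, as do the two existing ones, so the module now carries three default sessions; as far as I recall Drools disables the default when more than one session is marked default, so an un-named `newKieSession()` would then fail — either drop `default="true"` from `acme-shared` or make sure every caller names its session explicitly. The `includes` lists also gained a space after the comma (`terraform, acme-shared`); if the kmodule parser does not trim include names the shared kbase is silently not included, so the safer spelling is `includes="dba,engine,machine,terraform,acme-shared"`.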
diff --git a/module/acme/src/main/resources/io/trygvis/acme/acme.drl b/module/acme/src/main/resources/io/trygvis/acme/acme.drl
index d978579..66623c3 100644
--- a/module/acme/src/main/resources/io/trygvis/acme/acme.drl
+++ b/module/acme/src/main/resources/io/trygvis/acme/acme.drl
@@ -11,32 +11,6 @@ declare AcmeServer
machine : Machine
end
-rule "Ops"
-when
- $ops: AcmeOps()
-then
- var cluster = new Cluster("acme-ops");
- insert(cluster);
- insert(new Container(cluster, "app", "pdb", "postgresql", "11"));
- insert(new Container(cluster, "app", "n8n", "n8n", "0.84.1"));
-end
-
-rule "MyApp"
-when
- $app: AcmeMyApp()
-then
- var cluster = new Cluster("acme-" + $app.environment);
- insert(cluster);
-
- var tag = $app.dockerTag;
- insert(new Container(cluster, "app", "statera", "statera", tag));
- insert(new Container(cluster, "app", "statera-console", "statera-console", tag));
- insert(new Container(cluster, "app", "4tune-web", "4tune-web", tag));
- insert(new Container(cluster, "app", "4tune-api", "4tune-api", tag));
- insert(new Container(cluster, "db", "pdb", "postgresql", "13"));
- insert(new Container(cluster, "db", "mdb", "mongodb", "3.2"));
-end
-
rule "Create Acme servers"
when
$m : Machine(name.startsWith("acme-"))
diff --git a/module/acme/src/main/resources/io/trygvis/acme/apps/apps.drl b/module/acme/src/main/resources/io/trygvis/acme/apps/apps.drl
new file mode 100644
index 0000000..95f09c8
--- /dev/null
+++ b/module/acme/src/main/resources/io/trygvis/acme/apps/apps.drl
@@ -0,0 +1,33 @@
+package io.trygvis.acme.apps;
+
+import io.trygvis.rules.machine.Machine;
+import io.trygvis.rules.dba.Cluster;
+import io.trygvis.rules.dba.Container;
+
+dialect "mvel"
+
+rule "Ops"
+when
+ $ops: AcmeOps()
+then
+ var cluster = new Cluster("acme-ops");
+ insert(cluster);
+ insert(new Container(cluster, "app", "pdb", "postgresql", "11"));
+ insert(new Container(cluster, "app", "n8n", "n8n", "0.84.1"));
+end
+
+rule "MyApp"
+when
+ $app: AcmeMyApp()
+then
+ var cluster = new Cluster("acme-myapp-" + $app.environment);
+ insert(cluster);
+
+ var tag = $app.dockerTag;
+ insert(new Container(cluster, "app", "statera", "statera", tag));
+ insert(new Container(cluster, "app", "statera-console", "statera-console", tag));
+ insert(new Container(cluster, "app", "4tune-web", "4tune-web", tag));
+ insert(new Container(cluster, "app", "4tune-api", "4tune-api", tag));
+ insert(new Container(cluster, "db", "pdb", "postgresql", "13"));
+ insert(new Container(cluster, "db", "mdb", "mongodb", "3.2"));
+end
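Review bot: Every container is pinned to a mutable tag — `master`/`development` via `$app.dockerTag`, and bare `11`, `13`, `3.2`, `0.84.1` for the databases and n8n — so whatever consumes these Container facts cannot reproduce a deployment, and a retagged upstream image is picked up silently. If the downstream tooling supports it, carry an image digest alongside the tag (or at least a full patch version), and treat `master`/`development` as CI-only. Separately, the `mongodb` `3.2` line is long end-of-life; if this is a real target rather than a sandbox placeholder, flag it for an upgrade.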
diff --git a/module/ri-engine/src/main/java/io/trygvis/rules/engine/DbIo.java b/module/ri-engine/src/main/java/io/trygvis/rules/engine/DbIo.java
index 7f946d9..3173109 100644
--- a/module/ri-engine/src/main/java/io/trygvis/rules/engine/DbIo.java
+++ b/module/ri-engine/src/main/java/io/trygvis/rules/engine/DbIo.java
@@ -2,6 +2,7 @@ package io.trygvis.rules.engine;
import ch.qos.logback.core.util.FileUtil;
import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.SerializationFeature;
import com.fasterxml.jackson.databind.type.TypeFactory;
import com.fasterxml.jackson.dataformat.yaml.YAMLFactory;
import com.fasterxml.jackson.dataformat.yaml.YAMLGenerator;
@@ -12,6 +13,7 @@ import org.kie.api.runtime.rule.FactHandle;
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
+import java.lang.reflect.InvocationTargetException;
import java.util.*;
import java.util.function.Function;
@@ -24,6 +26,7 @@ public class DbIo {
factory.enable(YAMLGenerator.Feature.USE_NATIVE_TYPE_ID);
factory.enable(YAMLGenerator.Feature.USE_NATIVE_OBJECT_ID);
mapper = new ObjectMapper(factory);
+ mapper.disable(SerializationFeature.FAIL_ON_EMPTY_BEANS);
var typeFactory = TypeFactory.defaultInstance()
.withClassLoader(new AcmeClassLoader(kieBase));
mapper.setTypeFactory(typeFactory);
@@ -40,8 +43,11 @@ public class DbIo {
try {
var type = mapper.getTypeFactory().findClass(object.type);
var x = mapper.treeToValue(object.data, type);
+ if (x == null) {
+ x = type.getDeclaredConstructor().newInstance();
+ }
items.add(x);
- } catch (ClassNotFoundException e) {
+ } catch (ClassNotFoundException | NoSuchMethodException | InstantiationException | IllegalAccessException | InvocationTargetException e) {
// ignore
}
}
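Review bot: The widened catch at the end of the hunk still ends in `// ignore`, so a YAML entry whose `type` no longer resolves — exactly the failure the `io.trygvis.acme.AcmeMyApp` → `io.trygvis.acme.apps.AcmeMyApp` rename in this commit produces — is dropped silently instead of surfacing; log `object.type` and the exception at least at warn level, or rethrow. The new fallback `type.getDeclaredConstructor().newInstance()` also means any class name the input file supplies is resolved through the AcmeClassLoader and instantiated even without a `data` block; that is fine for repo-local config, but it is a classic deserialization gadget path if these YAML files ever come from a less trusted source, so consider restricting `findClass` to the fact types the KieBase declares. The enclosing method starts before this hunk.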
diff --git a/module/ri-engine/src/main/java/io/trygvis/rules/machine/Machine.java b/module/ri-engine/src/main/java/io/trygvis/rules/machine/Machine.java
index cc3f2ed..52721e1 100644
--- a/module/ri-engine/src/main/java/io/trygvis/rules/machine/Machine.java
+++ b/module/ri-engine/src/main/java/io/trygvis/rules/machine/Machine.java
@@ -10,4 +10,12 @@ public class Machine {
public Machine(String name) {
this.name = name;
}
+
+ public String getName() {
+ return name;
+ }
+
+ public String getFqdn() {
+ return fqdn;
+ }
}
diff --git a/module/ri-engine/src/main/java/io/trygvis/rules/network/IpCalc.java b/module/ri-engine/src/main/java/io/trygvis/rules/network/IpCalc.java
index e40e169..7ec344c 100644
--- a/module/ri-engine/src/main/java/io/trygvis/rules/network/IpCalc.java
+++ b/module/ri-engine/src/main/java/io/trygvis/rules/network/IpCalc.java
@@ -3,49 +3,4 @@ package io.trygvis.rules.network;
import java.util.regex.Pattern;
public class IpCalc {
- private static final Pattern pattern = Pattern.compile("([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})/([0-9]{1,3})");
-
- public static Ipv4Cidr cidr(String cidr) {
- var matcher = pattern.matcher(cidr);
- if (!matcher.matches()) {
- throw new IllegalArgumentException("Not a CIDR: " + cidr);
- }
-
- var b1 = matcher.group(1);
- var b2 = matcher.group(2);
- var b3 = matcher.group(3);
- var b4 = matcher.group(4);
-
- int network = parse(b1) << 24 |
- parse(b2) << 16 |
- parse(b3) << 8 |
- parse(b4);
-
-// System.out.printf("network = %x%n", network);
-
- var l = matcher.group(5);
- var bits = Integer.parseInt(l);
- var hostBits = 32 - bits;
- int size = 1 << hostBits;
-
- int netmask = (-1 >> hostBits) << hostBits;
-// System.out.printf("netmask = %08x%n", netmask);
-
- int x = network & ~netmask;
-
- if (x != 0) {
- throw new IllegalArgumentException("Not a CIDR: " + cidr);
- }
-
- return new Ipv4Cidr(network, netmask, size, bits);
- }
-
- private static int parse(String s) {
- var i = Integer.parseInt(s);
- if (i > 255) {
- throw new IllegalArgumentException("Not a CIDR");
- }
-
- return i;
- }
}
diff --git a/module/ri-engine/src/main/java/io/trygvis/rules/network/Ipv4Cidr.java b/module/ri-engine/src/main/java/io/trygvis/rules/network/Ipv4Cidr.java
index e69cd02..8e812ef 100644
--- a/module/ri-engine/src/main/java/io/trygvis/rules/network/Ipv4Cidr.java
+++ b/module/ri-engine/src/main/java/io/trygvis/rules/network/Ipv4Cidr.java
@@ -4,22 +4,35 @@ import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.JsonSerializer;
import com.fasterxml.jackson.databind.SerializerProvider;
import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+import org.checkerframework.checker.nullness.compatqual.NonNullType;
+import javax.annotation.Nonnull;
import java.io.IOException;
import java.util.ArrayList;
-import java.util.Collection;
+import java.util.List;
+import java.util.Objects;
+import java.util.regex.Pattern;
@JsonSerialize(using = Ipv4Cidr.Serializer.class)
-public class Ipv4Cidr {
+public class Ipv4Cidr implements Comparable<Ipv4Cidr> {
public final int network;
- public final int netmask;
- public final int size;
public final int bits;
- public Ipv4Cidr(int network, int netmask, int size, int bits) {
+ public Ipv4Cidr(int network, int bits) {
+ if (bits < 0 || bits > 32) {
+ throw new IllegalArgumentException("bits must be [0, 32]");
+ }
+
+ int hostBits = 32 - bits;
+ int netmask = (-1 >> hostBits) << hostBits;
+
+ int x = network & ~netmask;
+
+ if (x != 0) {
+ throw new IllegalArgumentException("The host part of the address must be 0.");
+ }
+
this.network = network;
- this.netmask = netmask;
- this.size = size;
this.bits = bits;
}
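Review bot: The two new imports at the top of the hunk, `org.checkerframework.checker.nullness.compatqual.NonNullType` and `javax.annotation.Nonnull`, are not used anywhere in the changes shown, yet they make the module compile against checker-framework and JSR-305 artifacts that are presumably only transitive — drop them, or declare the dependencies explicitly if annotations are planned. In the constructor, `(-1 >> hostBits) << hostBits` relies on Java masking shift counts to 5 bits: for `bits == 0`, `hostBits` is 32, both shifts are no-ops and `netmask` is `-1`, so the host-part check accepts any address with a `/0` prefix. If `/0` is meant to be accepted, special-case it: `int netmask = bits == 0 ? 0 : -1 << hostBits;`.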
@@ -33,7 +46,29 @@ public class Ipv4Cidr {
bits);
}
- public Collection<Ipv4Address> addresses() {
+ private String formatIpv4(int address) {
+ return "%d.%d.%d.%d".formatted(address >> 24 & 0xff, address >> 16 & 0xff, address >> 8 & 0xff, address & 0xff);
+ }
+
+ public List<Ipv4Cidr> partition(int bits) {
+ if (bits <= 0 || bits <= this.bits || bits > 32) {
+ throw new IllegalArgumentException("Invalid new network size");
+ }
+
+ var list = new ArrayList<Ipv4Cidr>();
+
+ int count = 1 << (bits - this.bits);
+ for (int i = 0; i < count; i++) {
+ var network = this.network | (i << (32 - bits));
+
+ list.add(new Ipv4Cidr(network, bits));
+ }
+
+ return list;
+ }
+
+ public List<Ipv4Address> addresses() {
+ int size = 1 << 32 - bits;
var end = network + size;
var addresses = new ArrayList<Ipv4Address>(size);
for (int address = network; address < end; address++) {
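Review bot: `int size = 1 << 32 - bits;` in `addresses()` reads as `(1 << 32) - bits` but is `1 << (32 - bits)` by precedence; parenthesize it. It also has two edge problems: for `bits == 0` the shift count 32 is masked to 0 and `size` becomes 1, and for any short prefix the method eagerly materialises every `Ipv4Address` into an `ArrayList` (65k objects for a `/16`, 16M for a `/8`), so a rule that accidentally matches the new `10.55.0.0/16` "networks" pool against `addresses()` would do that on every evaluation. Consider returning a lazy `Iterable`/stream, or at least computing `size` as a `long` and rejecting prefixes shorter than a sane minimum. `partition` has the same `1 << (bits - this.bits)` wrap for a 31-or-more bit difference, though that case is unlikely in practice.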
@@ -43,6 +78,69 @@ public class Ipv4Cidr {
return addresses;
}
+ @Override
+ public int compareTo(Ipv4Cidr o) {
+ if (this == o) {
+ return 0;
+ }
+
+ var ret = network - o.network;
+ if (ret == 0) {
+ return ret;
+ }
+
+ return bits - o.bits;
+ }
+
+ @Override
+ public boolean equals(Object o) {
+ if (this == o) return true;
+ if (o == null || getClass() != o.getClass()) return false;
+ Ipv4Cidr ipv4Cidr = (Ipv4Cidr) o;
+ return network == ipv4Cidr.network && bits == ipv4Cidr.bits;
+ }
+
+ @Override
+ public int hashCode() {
+ return Objects.hash(network, bits);
+ }
+
+ private static final Pattern pattern = Pattern.compile("([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})/([0-9]{1,3})");
+
+ public static Ipv4Cidr parseCidr(String cidr) {
+ var matcher = pattern.matcher(cidr);
+ if (!matcher.matches()) {
+ throw new IllegalArgumentException("Not a CIDR: " + cidr);
+ }
+
+ var b1 = matcher.group(1);
+ var b2 = matcher.group(2);
+ var b3 = matcher.group(3);
+ var b4 = matcher.group(4);
+
+ int network = parse(b1) << 24 |
+ parse(b2) << 16 |
+ parse(b3) << 8 |
+ parse(b4);
+
+// System.out.printf("network = %x%n", network);
+
+ var l = matcher.group(5);
+ var bits = Integer.parseInt(l);
+// System.out.printf("netmask = %08x%n", netmask);
+
+ return new Ipv4Cidr(network, bits);
+ }
+
+ private static int parse(String s) {
+ var i = Integer.parseInt(s);
+ if (i > 255) {
+ throw new IllegalArgumentException("Not a CIDR");
+ }
+
+ return i;
+ }
+
public static class Serializer extends JsonSerializer<Ipv4Cidr> {
@Override
public void serialize(Ipv4Cidr value, JsonGenerator gen, SerializerProvider serializers) throws IOException {
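Review bot: `compareTo` is inverted and inconsistent with `equals`: `if (ret == 0) return ret;` returns 0 as soon as the networks match, so `192.168.1.0/24` and `192.168.1.0/25` compare equal while `equals` says they differ, and when the networks differ the code falls through to `bits - o.bits` and ignores the network entirely. `network - o.network` is also signed arithmetic on what is an unsigned address, so anything at or above `128.0.0.0` sorts before `10.0.0.0`. Replace the body after the identity check with `var ret = Integer.compareUnsigned(network, o.network); return ret != 0 ? ret : Integer.compare(bits, o.bits);`. `parseCidr` otherwise looks fine now that the constructor validates `bits`.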
diff --git a/module/ri-engine/src/test/java/io/trygvis/rules/network/IpCalcTest.java b/module/ri-engine/src/test/java/io/trygvis/rules/network/IpCalcTest.java
deleted file mode 100644
index e0642d6..0000000
--- a/module/ri-engine/src/test/java/io/trygvis/rules/network/IpCalcTest.java
+++ /dev/null
@@ -1,27 +0,0 @@
-package io.trygvis.rules.network;
-
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.params.ParameterizedTest;
-import org.junit.jupiter.params.provider.ValueSource;
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-
-class IpCalcTest {
-
- @Test
- public void basic() {
- assertThrows(IllegalArgumentException.class, () -> IpCalc.cidr("192.168.1.1/24").addresses());
- assertEquals(256, IpCalc.cidr("192.168.1.0/24").addresses().size());
- assertEquals(128, IpCalc.cidr("192.168.1.128/25").addresses().size());
- }
-
- @ParameterizedTest
- @ValueSource(strings = {
- "192.168.1.0/24",
- "192.168.1.128/25",
- })
- public void testParsing(String s) {
- assertEquals(s, IpCalc.cidr(s).toString());
- }
-}
diff --git a/module/ri-engine/src/test/java/io/trygvis/rules/network/Ipv4CidrTest.java b/module/ri-engine/src/test/java/io/trygvis/rules/network/Ipv4CidrTest.java
new file mode 100644
index 0000000..0d9f33e
--- /dev/null
+++ b/module/ri-engine/src/test/java/io/trygvis/rules/network/Ipv4CidrTest.java
@@ -0,0 +1,36 @@
+package io.trygvis.rules.network;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
+
+import static io.trygvis.rules.network.Ipv4Cidr.parseCidr;
+import static org.junit.jupiter.api.Assertions.*;
+
+class Ipv4CidrTest {
+
+ @Test
+ public void basic() {
+ assertThrows(IllegalArgumentException.class, () -> parseCidr("192.168.1.1/24").addresses());
+ assertEquals(256, parseCidr("192.168.1.0/24").addresses().size());
+ assertEquals(128, parseCidr("192.168.1.128/25").addresses().size());
+ }
+
+ @ParameterizedTest
+ @ValueSource(strings = {
+ "192.168.1.0/24",
+ "192.168.1.128/25",
+ })
+ public void testParsing(String s) {
+ assertEquals(s, parseCidr(s).toString());
+ }
+
+ @Test
+ public void partition() {
+ var children = parseCidr("192.168.1.0/24").partition(26);
+ assertEquals(1 << 2, children.size());
+ for (var cidr : children) {
+ assertEquals(26, cidr.bits);
+ }
+ }
+}
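Review bot: The new `partition` test only checks the count and prefix length of the children, so a wrong offset in `this.network | (i << (32 - bits))` would still pass; assert the actual subnets too, e.g. `assertEquals("192.168.1.64/26", children.get(1).toString());` and `assertEquals("192.168.1.192/26", children.get(3).toString());`. There is also no coverage for the new `compareTo`/`equals`/`hashCode`, nor for the `/0` and `/32` boundaries of the constructor, which is where the shift arithmetic is most fragile.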
diff --git a/module/ri-wireguard/src/main/resources/io/trygvis/rules/wireguard/wireguard.drl b/module/ri-wireguard/src/main/resources/io/trygvis/rules/wireguard/wireguard.drl
index 06b9bbf..2e4498f 100644
--- a/module/ri-wireguard/src/main/resources/io/trygvis/rules/wireguard/wireguard.drl
+++ b/module/ri-wireguard/src/main/resources/io/trygvis/rules/wireguard/wireguard.drl
@@ -17,6 +17,7 @@ declare WgNet
domain : String
linkCidr : String
networkCidr : String
+ networkBits : int
end
declare WgIpPool
@@ -25,14 +26,6 @@ declare WgIpPool
cidr : Ipv4Cidr
end
-rule "Create link network" when
- $net : WgNet()
- not(Ipv4Cidr(network == IpCalc.cidr($net.linkCidr).network))
-then
- insert(new WgIpPool($net.name, "link", IpCalc.cidr($net.linkCidr)))
- insert(new WgIpPool($net.name, "network", IpCalc.cidr($net.networkCidr)))
-end
-
declare WgHost
name : String
net : String
@@ -41,6 +34,32 @@ declare WgHost
networkIp : String
end
+declare WgConnection
+ host : String
+ to : String
+end
+
+declare WgIpAllocation
+ host : String
+ role : String
+ ip : Ipv4Address
+end
+
+declare WgNetworkAllocation
+ host : String
+ role : String
+ cidr : Ipv4Cidr
+end
+
+rule "Create IP pools" when
+ $net : WgNet()
+// not(Ipv4Cidr(network == Ipv4Cidr.parseCidr($net.linkCidr).network))
+then
+ System.out.println("Creating main IP pools");
+ insert(new WgIpPool($net.name, "link", Ipv4Cidr.parseCidr($net.linkCidr)))
+ insert(new WgIpPool($net.name, "networks", Ipv4Cidr.parseCidr($net.networkCidr)))
+end
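Review bot: The `not(Ipv4Cidr(...))` guard is left as a commented-out line inside the `when` block rather than removed; since nothing in the rule modifies `WgNet`, the rule fires once per net without it, so either delete the comment or replace it with a one-line note saying why no guard is needed (`// fires once per WgNet; inserting pools does not re-activate it`). The `System.out.println` debugging added here and in the following rules will end up in whatever runs the engine; since `te` is already made available to the rules (presumably as a global), a logger exposed the same way would be the consistent place for these messages.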
+
rule "WgHost VPN machines"
when
$machine : Machine()
@@ -74,31 +93,21 @@ then
insert(DnsEntry.a(fqdn))
end
-declare WgConnection
- host : String
- to : String
-end
-
rule "Connect VPN nodes"
salience -1
when
$h : WgHost()
$other : WgHost(publicName != null, name != $h.name)
then
+ System.out.printf("VPN connection from %s to %s%n", $h.name, $other.name);
insert(new WgConnection($h.name, $other.name))
end
-declare WgIpAllocation
- host : String
- role : String
- ip : Ipv4Address
-end
-
-rule "Assign IP"
+rule "Assign link IP"
when
$net : WgNet()
$host : WgHost(net == $net.name)
- $pool : WgIpPool(net == $net.name)
+ $pool : WgIpPool(net == $net.name, role == "link")
not(WgIpAllocation(host == $host.name, role == $pool.role))
$ip : Ipv4Address() from $pool.cidr.addresses()
not(WgIpAllocation(ip == $ip))
@@ -107,17 +116,33 @@ then
insert(new WgIpAllocation($host.name, $pool.role, $ip))
end
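Review bot: `$pool.cidr.addresses()` yields every address in the link CIDR, including the network and broadcast addresses, and this rule hands them out as host addresses: the generated out/acme/wireguard.yaml in this commit gives ws-2 `192.168.10.0`, the network address of `192.168.10.0/29`. Skip the first and last address of the pool when its prefix is shorter than 31 (either a `hostAddresses()` helper on `Ipv4Cidr`, or an extra constraint on `$ip` excluding `$pool.cidr.network` and the last address), which still leaves six usable addresses for the five hosts here. Allocation order also appears to follow Drools activation order rather than anything stable (hosts receive addresses in reverse of their insertion), so a re-run with a new host may re-address existing peers — worth pinning with a deterministic sort or by persisting prior allocations.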
+rule "Assign network CIDR"
+when
+ $net : WgNet()
+ $host : WgHost(net == $net.name)
+ $network : Ipv4Cidr() from Ipv4Cidr.parseCidr($net.networkCidr).partition($net.networkBits)
+ not(WgNetworkAllocation(host == $host.name, role == "network"))
+ not(WgNetworkAllocation(cidr == $network))
+then
+ System.out.printf("Network CIDR: net=%s, host=%s, network=%s%n", $net.name, $host.name, $network);
+ insert(new WgNetworkAllocation($host.name, "network", $network))
+end
+
rule "Generate per-net files"
agenda-group "generate"
salience 10
when
$net : WgNet()
+ $names : ArrayList() from accumulate(WgHost(net == $net.name, $name: name), collectList($name))
+ $hosts : ArrayList() from accumulate(Machine($names contains name, $m: this), collectList($m))
then
te.template("wireguard/ansible", "wireguard-" + $net.name + ".yml", Map.of(
"net", $net
));
- // TODO: Generate hosts file
+ te.template("wireguard/inventory", "inventory.yml", Map.of(
+ "hosts", $hosts
+ ));
end
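Review bot: `te.template("wireguard/inventory", "inventory.yml", ...)` in "Generate per-net files" writes to a fixed file name, while the sibling call directly above keys its output by `$net.name`; with more than one `WgNet` the second net silently overwrites the first inventory. Use `"inventory-" + $net.name + ".yml"`, or accumulate hosts across all nets into one file. In "Assign network CIDR", `Ipv4Cidr.parseCidr($net.networkCidr).partition($net.networkBits)` is re-parsed and re-partitioned inside the `from` on every host evaluation; deriving the candidate list from the `WgIpPool` with role `"networks"` that "Create IP pools" already inserts would avoid the rework and keep the two rules consistent.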
rule "Generate per-net, per-host files"
@@ -127,10 +152,11 @@ when
$net : WgNet()
$host : WgHost(net == $net.name)
$link : WgIpAllocation(host == $host.name, role == "link")
- // Needs to be a sub-cidr of the WgNet network cidr, not a specific IP
- $network : WgIpAllocation(host == $host.name, role == "network")
+ $network : WgNetworkAllocation(host == $host.name, role == "network")
+ $peerMachines : ArrayList() from accumulate(WgConnection(host == $host.name, $to: to), collectList($to))
+ $peers : ArrayList() from accumulate(Machine($peerMachines contains name, $fqdn: fqdn), collectList($fqdn))
then
- System.out.printf("%s : %s%n", $net.name, $host.name);
+ System.out.printf("Generating per-host files: net=%s, host=%s%n", $net.name, $host.name);
String output = "host_vars/%s/wireguard.yml".formatted($host.name);
@@ -138,6 +164,7 @@ then
"net", $net,
"host", $host,
"link", $link.ip,
- "network", "TODO"
+ "network", $network.cidr,
+ "peers", $peers
));
end
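Review bot: `$peers` is built by `accumulate(... collectList($fqdn))`, which yields fqdns in activation order, and the generated host_vars in this commit list peers in reverse (acme-3, acme-2, acme-1), so any change in insertion order rewrites every generated file; sort the list before templating (in the rule, or with a sort filter in the template) so the output is stable. The accumulate also collects `fqdn` values that may be null — ws-1 and ws-2 have none in the generated inventory — which is only safe as long as "Connect VPN nodes" keeps restricting peers to hosts with a `publicName`; a `fqdn != null` constraint on the `Machine` pattern would make that explicit. The rule's header and `when` block start before this hunk.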
diff --git a/out/acme/apps.yaml b/out/acme/apps.yaml
index 82050eb..9ec1663 100644
--- a/out/acme/apps.yaml
+++ b/out/acme/apps.yaml
@@ -1,14 +1,4 @@
---
-type: "io.trygvis.acme.AcmeMyApp"
-data:
- environment: "ci"
- dockerTag: "development"
----
-type: "io.trygvis.acme.AcmeMyApp"
-data:
- environment: "production"
- dockerTag: "master"
----
type: "io.trygvis.acme.AcmeServer"
data:
name: "acme-1"
@@ -30,18 +20,35 @@ data:
name: "acme-3"
fqdn: "acme-3.machine.acme.com"
---
+type: "io.trygvis.acme.apps.AcmeMyApp"
+data:
+ environment: "ci"
+ dockerTag: "development"
+---
+type: "io.trygvis.acme.apps.AcmeMyApp"
+data:
+ environment: "production"
+ dockerTag: "master"
+---
+type: "io.trygvis.acme.apps.AcmeOps"
+data: {}
+---
+type: "io.trygvis.rules.dba.Cluster"
+data:
+ name: "acme-myapp-ci"
+---
type: "io.trygvis.rules.dba.Cluster"
data:
- name: "acme-ci"
+ name: "acme-myapp-production"
---
type: "io.trygvis.rules.dba.Cluster"
data:
- name: "acme-production"
+ name: "acme-ops"
---
type: "io.trygvis.rules.dba.Container"
data:
cluster:
- name: "acme-ci"
+ name: "acme-myapp-ci"
name: "app"
machineRole: "4tune-api"
image: "4tune-api"
@@ -50,7 +57,7 @@ data:
type: "io.trygvis.rules.dba.Container"
data:
cluster:
- name: "acme-production"
+ name: "acme-myapp-production"
name: "app"
machineRole: "4tune-api"
image: "4tune-api"
@@ -59,7 +66,7 @@ data:
type: "io.trygvis.rules.dba.Container"
data:
cluster:
- name: "acme-ci"
+ name: "acme-myapp-ci"
name: "app"
machineRole: "4tune-web"
image: "4tune-web"
@@ -68,7 +75,7 @@ data:
type: "io.trygvis.rules.dba.Container"
data:
cluster:
- name: "acme-production"
+ name: "acme-myapp-production"
name: "app"
machineRole: "4tune-web"
image: "4tune-web"
@@ -77,7 +84,25 @@ data:
type: "io.trygvis.rules.dba.Container"
data:
cluster:
- name: "acme-ci"
+ name: "acme-ops"
+ name: "app"
+ machineRole: "n8n"
+ image: "n8n"
+ tag: "0.84.1"
+---
+type: "io.trygvis.rules.dba.Container"
+data:
+ cluster:
+ name: "acme-ops"
+ name: "app"
+ machineRole: "pdb"
+ image: "postgresql"
+ tag: "11"
+---
+type: "io.trygvis.rules.dba.Container"
+data:
+ cluster:
+ name: "acme-myapp-ci"
name: "app"
machineRole: "statera"
image: "statera"
@@ -86,7 +111,7 @@ data:
type: "io.trygvis.rules.dba.Container"
data:
cluster:
- name: "acme-production"
+ name: "acme-myapp-production"
name: "app"
machineRole: "statera"
image: "statera"
@@ -95,7 +120,7 @@ data:
type: "io.trygvis.rules.dba.Container"
data:
cluster:
- name: "acme-ci"
+ name: "acme-myapp-ci"
name: "app"
machineRole: "statera-console"
image: "statera-console"
@@ -104,7 +129,7 @@ data:
type: "io.trygvis.rules.dba.Container"
data:
cluster:
- name: "acme-production"
+ name: "acme-myapp-production"
name: "app"
machineRole: "statera-console"
image: "statera-console"
@@ -113,7 +138,7 @@ data:
type: "io.trygvis.rules.dba.Container"
data:
cluster:
- name: "acme-production"
+ name: "acme-myapp-ci"
name: "db"
machineRole: "mdb"
image: "mongodb"
@@ -122,7 +147,7 @@ data:
type: "io.trygvis.rules.dba.Container"
data:
cluster:
- name: "acme-ci"
+ name: "acme-myapp-production"
name: "db"
machineRole: "mdb"
image: "mongodb"
@@ -131,7 +156,7 @@ data:
type: "io.trygvis.rules.dba.Container"
data:
cluster:
- name: "acme-production"
+ name: "acme-myapp-ci"
name: "db"
machineRole: "pdb"
image: "postgresql"
@@ -140,7 +165,7 @@ data:
type: "io.trygvis.rules.dba.Container"
data:
cluster:
- name: "acme-ci"
+ name: "acme-myapp-production"
name: "db"
machineRole: "pdb"
image: "postgresql"
diff --git a/out/acme/wireguard.yaml b/out/acme/wireguard.yaml
index ebad93a..2a3ff80 100644
--- a/out/acme/wireguard.yaml
+++ b/out/acme/wireguard.yaml
@@ -158,13 +158,6 @@ data:
---
type: "io.trygvis.rules.wireguard.WgIpAllocation"
data:
- host: "acme-1"
- role: "network"
- ip:
- value: "10.55.55.4"
----
-type: "io.trygvis.rules.wireguard.WgIpAllocation"
-data:
host: "acme-2"
role: "link"
ip:
@@ -172,13 +165,6 @@ data:
---
type: "io.trygvis.rules.wireguard.WgIpAllocation"
data:
- host: "acme-2"
- role: "network"
- ip:
- value: "10.55.55.3"
----
-type: "io.trygvis.rules.wireguard.WgIpAllocation"
-data:
host: "acme-3"
role: "link"
ip:
@@ -186,13 +172,6 @@ data:
---
type: "io.trygvis.rules.wireguard.WgIpAllocation"
data:
- host: "acme-3"
- role: "network"
- ip:
- value: "10.55.55.2"
----
-type: "io.trygvis.rules.wireguard.WgIpAllocation"
-data:
host: "ws-1"
role: "link"
ip:
@@ -200,25 +179,11 @@ data:
---
type: "io.trygvis.rules.wireguard.WgIpAllocation"
data:
- host: "ws-1"
- role: "network"
- ip:
- value: "10.55.55.1"
----
-type: "io.trygvis.rules.wireguard.WgIpAllocation"
-data:
host: "ws-2"
role: "link"
ip:
value: "192.168.10.0"
---
-type: "io.trygvis.rules.wireguard.WgIpAllocation"
-data:
- host: "ws-2"
- role: "network"
- ip:
- value: "10.55.55.0"
----
type: "io.trygvis.rules.wireguard.WgIpPool"
data:
net: "vpn0"
@@ -229,13 +194,49 @@ data:
type: "io.trygvis.rules.wireguard.WgIpPool"
data:
net: "vpn0"
- role: "network"
+ role: "networks"
cidr:
- value: "10.55.55.0/24"
+ value: "10.55.0.0/16"
---
type: "io.trygvis.rules.wireguard.WgNet"
data:
name: "vpn0"
domain: "vpn.acme.com"
linkCidr: "192.168.10.0/29"
- networkCidr: "10.55.55.0/24"
+ networkCidr: "10.55.0.0/16"
+ networkBits: 24
+---
+type: "io.trygvis.rules.wireguard.WgNetworkAllocation"
+data:
+ host: "acme-1"
+ role: "network"
+ cidr:
+ value: "10.55.251.0/24"
+---
+type: "io.trygvis.rules.wireguard.WgNetworkAllocation"
+data:
+ host: "acme-2"
+ role: "network"
+ cidr:
+ value: "10.55.252.0/24"
+---
+type: "io.trygvis.rules.wireguard.WgNetworkAllocation"
+data:
+ host: "acme-3"
+ role: "network"
+ cidr:
+ value: "10.55.253.0/24"
+---
+type: "io.trygvis.rules.wireguard.WgNetworkAllocation"
+data:
+ host: "ws-1"
+ role: "network"
+ cidr:
+ value: "10.55.254.0/24"
+---
+type: "io.trygvis.rules.wireguard.WgNetworkAllocation"
+data:
+ host: "ws-2"
+ role: "network"
+ cidr:
+ value: "10.55.255.0/24"