diff options
| author | Trygve Laugstøl <trygvis@inamo.no> | 2023-10-07 23:58:44 +0200 |
|---|---|---|
| committer | Trygve Laugstøl <trygvis@inamo.no> | 2023-10-07 23:58:44 +0200 |
| commit | 18133a7854edec361f7699af0662027d527be540 (patch) | |
| tree | d0f1751739076e6927397c0b754a98d968983c07 | |
| parent | 6967e11d9c14554300e07fd70a6a93ffe224f8d3 (diff) | |
| download | infra-18133a7854edec361f7699af0662027d527be540.tar.gz infra-18133a7854edec361f7699af0662027d527be540.tar.bz2 infra-18133a7854edec361f7699af0662027d527be540.tar.xz infra-18133a7854edec361f7699af0662027d527be540.zip | |
bgp setup
| -rw-r--r-- | ansible/bgp/bgp.yml | 51 | ||||
| -rw-r--r-- | ansible/bgp/group_vars/all.yml | 5 | ||||
| -rw-r--r-- | ansible/bgp/host_vars/akili/bgp.yml | 9 | ||||
| -rw-r--r-- | ansible/bgp/host_vars/arius/bgp.yml | 6 | ||||
| -rw-r--r-- | ansible/bgp/host_vars/astyanax/bgp.yml | 6 | ||||
| -rw-r--r-- | ansible/bgp/host_vars/hash/bgp.yml | 4 | ||||
| -rw-r--r-- | ansible/bgp/host_vars/knot/bgp.yml | 6 | ||||
| -rw-r--r-- | ansible/bgp/templates/bird.conf.j2 | 97 | ||||
| -rw-r--r-- | ansible/bgp/templates/bird.conf2.j2 | 64 |
9 files changed, 248 insertions, 0 deletions
diff --git a/ansible/bgp/bgp.yml b/ansible/bgp/bgp.yml new file mode 100644 index 0000000..4c7787a --- /dev/null +++ b/ansible/bgp/bgp.yml @@ -0,0 +1,51 @@ +- hosts: + - akili + - arius + - astyanax + - hash + - knot + tasks: + - debug: + msg: "Hello World!" + + - debug: + var: bgp_if + + - debug: + var: bgp_peers + + - ansible.utils.update_fact: + updates: + - path: "peers[{{ idx }}]" + value: "{{ {} }}" + - path: "peers[{{ idx }}].name" + value: "{{ item }}" + - path: "peers[{{ idx }}].as" + value: "{{ hostvars[item].bgp_as }}" + - path: "peers[{{ idx }}].ip" + value: "{{ hostvars[item].bgp_ip }}" + loop: "{{ bgp_peers }}" + loop_control: + index_var: idx + vars: + peers: [] + register: out + changed_when: false + + - set_fact: + peers: "{{ out.results[-1].peers }}" + + - debug: + var: peers + + - become: yes + template: + src: bird.conf.j2 + dest: /etc/bird/bird.conf + register: template + + - systemd: + state: restarted + service: bird + when: template.changed + become: yes diff --git a/ansible/bgp/group_vars/all.yml b/ansible/bgp/group_vars/all.yml new file mode 100644 index 0000000..f6d36c6 --- /dev/null +++ b/ansible/bgp/group_vars/all.yml @@ -0,0 +1,5 @@ +bgp_if: "{{ ansible_wg0 }}" +bgp_radv: false +bgp_radv_if: None +tnet: "fdf3:aad9:a885::/48" +tnet_link: "fdf3:aad9:a885:ba3::/64" diff --git a/ansible/bgp/host_vars/akili/bgp.yml b/ansible/bgp/host_vars/akili/bgp.yml new file mode 100644 index 0000000..79fa7c0 --- /dev/null +++ b/ansible/bgp/host_vars/akili/bgp.yml @@ -0,0 +1,9 @@ +bgp_as: 4230483901 +bgp_ip: "{{ wireguard_wg0.hosts.akili.ipv6 }}" +bgp_mynet: fdf3:aad9:a885:ba64::/64 +bgp_mynet_if: virbr0 +bgp_peers: + - knot +# - hash +bgp_radv: true +bgp_radv_if: virbr0 diff --git a/ansible/bgp/host_vars/arius/bgp.yml b/ansible/bgp/host_vars/arius/bgp.yml new file mode 100644 index 0000000..7e8df08 --- /dev/null +++ b/ansible/bgp/host_vars/arius/bgp.yml @@ -0,0 +1,6 @@ +bgp_as: 4230483902 +bgp_ip: "{{ wireguard_wg0.hosts.arius.ipv6 }}" +bgp_mynet: fdf3:aad9:a885:ba66::/64 +bgp_peers: + - knot + - hash diff --git a/ansible/bgp/host_vars/astyanax/bgp.yml b/ansible/bgp/host_vars/astyanax/bgp.yml new file mode 100644 index 0000000..9bb6bad --- /dev/null +++ b/ansible/bgp/host_vars/astyanax/bgp.yml @@ -0,0 +1,6 @@ +bgp_as: 4230483903 +bgp_ip: "{{ wireguard_wg0.hosts.astyanax.ipv6 }}" +bgp_mynet: fdf3:aad9:a885:ba65::/64 +bgp_mynet_if: enp2s0 +bgp_peers: + - knot diff --git a/ansible/bgp/host_vars/hash/bgp.yml b/ansible/bgp/host_vars/hash/bgp.yml new file mode 100644 index 0000000..958f514 --- /dev/null +++ b/ansible/bgp/host_vars/hash/bgp.yml @@ -0,0 +1,4 @@ +bgp_as: 4230483905 +bgp_ip: "{{ wireguard_wg0.hosts.hash.ipv6 }}" +bgp_peers: + - knot diff --git a/ansible/bgp/host_vars/knot/bgp.yml b/ansible/bgp/host_vars/knot/bgp.yml new file mode 100644 index 0000000..fa16510 --- /dev/null +++ b/ansible/bgp/host_vars/knot/bgp.yml @@ -0,0 +1,6 @@ +bgp_as: 4230483906 +bgp_ip: "{{ wireguard_wg0.hosts.knot.ipv6 }}" +bgp_peers: + - akili + - astyanax +# - hash diff --git a/ansible/bgp/templates/bird.conf.j2 b/ansible/bgp/templates/bird.conf.j2 new file mode 100644 index 0000000..dfda44b --- /dev/null +++ b/ansible/bgp/templates/bird.conf.j2 @@ -0,0 +1,97 @@ +{% if bgp_mynet|default(false) %} +define mynet6 = {{ bgp_mynet }}; +{% endif %} +define tnet = {{ tnet }}; +define tnet_link = {{ tnet_link }}; + +log syslog all; + +debug protocols all; +{# + +filter tnet_import +{ +{% if bgp_mynet|default(false) %} + if net ~ mynet6 then reject "tnet_import reject mynet"; +{% endif %} + accept "tnet_import accept other"; +} + +filter tnet_export +{ +{% if bgp_mynet|default(false) %} + if net ~ mynet6 then accept "tnet_export accept mynet"; +{% endif %} + reject "tnet_export reject other"; +} +#} + +function is_tnet() +{ + return net ~ tnet && ! (net ~ tnet_link); +} + +protocol device { +} +{% if bgp_mynet_if|default(False) %} + +protocol direct { + interface "{{ bgp_mynet_if }}"; + ipv6 { + import all; + }; +} +{% endif %} + +protocol kernel kernel6 { + ipv6 { + import none; + export filter { +{% if bgp_mynet|default(false) %} + if net ~ mynet6 then reject "is mynet, reject"; +{% endif %} + if is_tnet() then accept "is tnet, accept"; + reject "not tnet"; + }; + }; +} +{% for peer in peers %} + +protocol bgp {{ peer.name }} { + local as {{ bgp_as }}; + neighbor {{ peer.ip }} as {{ peer.as }}; + + password "trygvis"; + + ipv6 { + import filter { + if is_tnet() then accept "from {{ peer.name }}, import accept"; + reject "from {{ peer.name }}, invalid tnet"; + }; + import keep filtered; + export filter { + if is_tnet() then accept "from {{ peer.name }}, export accept"; + reject "from {{ peer.name }}, invalid tnet"; + }; + }; +} +{% endfor %} +{% if bgp_radv %} + +protocol radv {{ bgp_radv_if }} { + ipv6 { + import all; + export all; + }; + + interface "{{ bgp_radv_if }}" { + max ra interval 600; # 10 for debugging + default lifetime 0; # No not use this as a default gateway + default preference low; + + prefix ::/0 { + #autonomous off; # So do not autoconfigure any IP + }; + }; +} +{% endif %} diff --git a/ansible/bgp/templates/bird.conf2.j2 b/ansible/bgp/templates/bird.conf2.j2 new file mode 100644 index 0000000..5ec3131 --- /dev/null +++ b/ansible/bgp/templates/bird.conf2.j2 @@ -0,0 +1,64 @@ +log syslog all; + +router id from "eth0"; + +debug protocols all; + +protocol device { +} + +protocol direct { + interface "wg0"; + ipv6 { + import filter { + if net ~ fdf3:aad9:a885::/48 then accept; + reject; + }; + }; +} + +filter tnet +{ + if net ~ fdf3:aad9:a885::/48 then accept "tnet ok"; + reject "tnet reject"; +} + +protocol kernel { + ipv6 { + import filter tnet; + export filter tnet; + }; + metric 0; +} + +protocol bgp akili { + #disabled; + local fdf3:aad9:a885:b3a::1 as 4230483679; + neighbor fdf3:aad9:a885:b3a::7 internal; + password "trygvis"; + direct; + + rr client; + + ipv6 { + import filter tnet; + import keep filtered; + export filter tnet; + }; +} + +protocol bgp astyanax { + #disabled; + local fdf3:aad9:a885:b3a::1 as 4230483679; + neighbor fdf3:aad9:a885:b3a::10 internal; + password "trygvis"; + direct; + + rr client; + + ipv6 { + import filter tnet; + import keep filtered; + export filter tnet; + }; +} |