author | Trygve Laugstøl <trygvis@inamo.no> | 2024-06-12 21:14:09 +0200 |
---|---|---|
committer | Trygve Laugstøl <trygvis@inamo.no> | 2024-06-12 21:14:09 +0200 |
commit | b49b58d2749d50a42b25d39a744b0edc8d24bf77 (patch) | |
tree | a4aa115c23dde1cc02057b48e29be3336185718c | |
parent | d1114cdc45c69ae8ae633790e85afe0e9d633015 (diff) | |
wip
31 files changed, 407 insertions, 6 deletions
diff --git a/ansible/inventory b/ansible/inventory index d099e8a..f94f73a 100644 --- a/ansible/inventory +++ b/ansible/inventory @@ -41,9 +41,15 @@ all: biwia: ansible_host: biwia.vpn.trygvis.io lhn2pi: + ansible_host: lhn2pi.vpn.trygvis.io lhn2ix: kv24ix: + node1: + ansible_host: 9859f51e-1e3e-4c05-a826-b7fbe18d91be.pub.instances.scw.cloud + node2: + ansible_host: 927624a8-7824-444d-903d-8507eb1e0669.pub.instances.scw.cloud + zh2569.rsync.net: ansible_user: zh2569 @@ -166,15 +172,21 @@ all: tnet: hosts: akili: + astyanax: hash: knot: kv24ix: lhn2ix: + lhn2pi: + node1: + node2: tnet_bgp: hosts: akili: hash: knot: + node1: + node2: # vim: set filetype=yaml: diff --git a/tnet/bird-gen.yml b/tnet/bird-gen.yml new file mode 100644 index 0000000..4a3e19d --- /dev/null +++ b/tnet/bird-gen.yml @@ -0,0 +1,11 @@ +- name: Generate Bird configuration + hosts: tnet + connection: local + gather_facts: False + tasks: + - file: + path: files/{{ inventory_hostname }} + state: directory + - template: + src: bird.conf.j2 + dest: files/{{ inventory_hostname }}/bird.conf diff --git a/tnet/files/hash/bird.conf b/tnet/files/hash/bird.conf new file mode 100644 index 0000000..8cf210a --- /dev/null +++ b/tnet/files/hash/bird.conf 
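Review bot: `bird-gen.yml` renders `bird.conf.j2`, which dereferences `hostvars[p].tnet_wg[inventory_hostname].address` for every entry in `tnet_bird_peers`, but nothing checks that the peer actually has a `tnet_wg` entry for this host or lists it back in its own `tnet_bird_peers`; a missing key aborts the render with an undefined-variable error, and a one-sided entry yields a BGP session configured on one end only (node2 lists knot in this commit while knot's `bird.yml` does not list node2). An `assert` task in front of the `file`/`template` tasks would catch both at generation time rather than on the routers. Whether the `tnet_bgp` group in the inventory hunk is meant to mirror the peer lists is not visible here; if it is, astyanax is missing from it even though hash now peers with it.
```yaml
  tasks:
    - name: Check that every BGP peer has a WireGuard link to us and lists us back
      assert:
        that:
          - inventory_hostname in (hostvars[item].tnet_wg | default({}))
          - inventory_hostname in (hostvars[item].tnet_bird_peers | default({}))
        fail_msg: "{{ item }} has no tnet_wg / tnet_bird_peers entry for {{ inventory_hostname }}"
      loop: "{{ tnet_bird_peers | default({}) | list }}"
    # … unchanged: file and template tasks …
```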
@@ -0,0 +1,49 @@
+template bgp tnet_tpl {
+ local as 4242423538;
+ neighbor internal;
+
+ direct;
+ rr client;
+
+ password "trygvis";
+
+ ipv6 {
+ next hop self;
+ import filter {
+ if is_tnet() then {
+ print proto, ": import accept, net=", net, ", from=", from, ", gw=", gw;
+ accept;
+ }
+ print proto, ": import reject, reason=not tnet"; reject;
+ };
+ # newer bird's only
+ # import keep filtered;
+ export filter {
+ if is_tnet() then {
+ print proto, ": export accept, net=", net, ", from=", from, ", gw=", gw;
+ accept;
+ }
+ print proto, ": export reject, reason=not tnet"; reject;
+ };
+ };
+}
+
+protocol bgp tnet_astyanax from tnet_tpl {
+ neighbor fe80:a0fd:89e4:42c6:f617:7398:abf4:b517;
+ interface "tnet-astyanax";
+}
+
+protocol bgp tnet_knot from tnet_tpl {
+ neighbor fe80:3b20:4cb0:5315:22a:c7de:a45b:8a7c;
+ interface "tnet-knot";
+}
+
+protocol bgp tnet_node1 from tnet_tpl {
+ neighbor fe80:a026:6ec2:b356:21c5:b51:22b9:a1df;
+ interface "tnet-node1";
+}
+
+protocol bgp tnet_node2 from tnet_tpl {
+ neighbor fe80:a7a6:c1a8:c261:232e:7d67:fc27:7c8d;
+ interface "tnet-node2";
+}
diff --git a/tnet/files/knot/bird.conf b/tnet/files/knot/bird.conf
new file mode 100644
index 0000000..cb70e94
--- /dev/null
+++ b/tnet/files/knot/bird.conf
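Review bot: `tnet/files/hash/bird.conf` is a verbatim render of `tnet/templates/bird.conf.j2` (the `bird-gen.yml` play writes it to `files/{{ inventory_hostname }}/bird.conf`), so committing it duplicates the whole template body, including `password "trygvis"`, once per host, and the copies will drift the first time the template or a `tnet_bird_peers` list changes without a regeneration run. Either add `tnet/files/*/bird.conf` to `.gitignore` and render inside the deploy play, or keep the files in git but put a marker such as `# Generated by tnet/bird-gen.yml from templates/bird.conf.j2 -- do not edit` as the first line of the template so every rendered copy carries it. The `print` statements in both filters log every accepted and rejected route on every update; if they are meant as wip debugging, a `# debug output, remove before production` comment on them would keep that visible.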
@@ -0,0 +1,39 @@
+template bgp tnet_tpl {
+ local as 4242423538;
+ neighbor internal;
+
+ direct;
+ rr client;
+
+ password "trygvis";
+
+ ipv6 {
+ next hop self;
+ import filter {
+ if is_tnet() then {
+ print proto, ": import accept, net=", net, ", from=", from, ", gw=", gw;
+ accept;
+ }
+ print proto, ": import reject, reason=not tnet"; reject;
+ };
+ # newer bird's only
+ # import keep filtered;
+ export filter {
+ if is_tnet() then {
+ print proto, ": export accept, net=", net, ", from=", from, ", gw=", gw;
+ accept;
+ }
+ print proto, ": export reject, reason=not tnet"; reject;
+ };
+ };
+}
+
+protocol bgp tnet_hash from tnet_tpl {
+ neighbor fe80:3b20:4cb0:5315:22a:c7de:a45b:8a7d;
+ interface "tnet-hash";
+}
+
+protocol bgp tnet_node1 from tnet_tpl {
+ neighbor fe80:58eb:3930:1815:2a6d:8918:70c9:96f3;
+ interface "tnet-node1";
+}
diff --git a/tnet/files/node1/bird.conf b/tnet/files/node1/bird.conf
new file mode 100644
index 0000000..1ac0335
--- /dev/null
+++ b/tnet/files/node1/bird.conf
@@ -0,0 +1,39 @@
+template bgp tnet_tpl {
+ local as 4242423538;
+ neighbor internal;
+
+ direct;
+ rr client;
+
+ password "trygvis";
+
+ ipv6 {
+ next hop self;
+ import filter {
+ if is_tnet() then {
+ print proto, ": import accept, net=", net, ", from=", from, ", gw=", gw;
+ accept;
+ }
+ print proto, ": import reject, reason=not tnet"; reject;
+ };
+ # newer bird's only
+ # import keep filtered;
+ export filter {
+ if is_tnet() then {
+ print proto, ": export accept, net=", net, ", from=", from, ", gw=", gw;
+ accept;
+ }
+ print proto, ": export reject, reason=not tnet"; reject;
+ };
+ };
+}
+
+protocol bgp tnet_hash from tnet_tpl {
+ neighbor fe80:a026:6ec2:b356:21c5:b51:22b9:a1de;
+ interface "tnet-hash";
+}
+
+protocol bgp tnet_knot from tnet_tpl {
+ neighbor fe80:58eb:3930:1815:2a6d:8918:70c9:96f2;
+ interface "tnet-knot";
+}
diff --git a/tnet/files/node2/bird.conf b/tnet/files/node2/bird.conf
new file mode 100644
index 0000000..e1f1898
--- /dev/null
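Review bot: `tnet/files/knot/bird.conf` defines sessions for hash and node1 only, but `tnet/host_vars/knot/wg.yml` in this same commit adds a node2 link on port 51008 and `tnet/files/node2/bird.conf` defines `protocol bgp tnet_knot` against that link, so the knot end of the node2 session is never configured and the session cannot come up. The fix belongs in the source data rather than this generated file: add `node2:` to `tnet_bird_peers` in `tnet/host_vars/knot/bird.yml` and re-run `bird-gen.yml`, which should emit `protocol bgp tnet_node2 from tnet_tpl { neighbor fe80:9dd8:abac:cf05:aea3:dc03:4c74:32db; interface "tnet-node2"; }` here (the `…:32db` address is node2's side of that link in `tnet/host_vars/node2/wg.yml`). The same one-sidedness exists for astyanax, whose `bird.yml` lists knot while knot's does not list astyanax. If either omission is deliberate, a comment in the source `bird.yml` saying so would stop the next reader from "fixing" it.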
+++ b/tnet/files/node2/bird.conf
@@ -0,0 +1,39 @@
+template bgp tnet_tpl {
+ local as 4242423538;
+ neighbor internal;
+
+ direct;
+ rr client;
+
+ password "trygvis";
+
+ ipv6 {
+ next hop self;
+ import filter {
+ if is_tnet() then {
+ print proto, ": import accept, net=", net, ", from=", from, ", gw=", gw;
+ accept;
+ }
+ print proto, ": import reject, reason=not tnet"; reject;
+ };
+ # newer bird's only
+ # import keep filtered;
+ export filter {
+ if is_tnet() then {
+ print proto, ": export accept, net=", net, ", from=", from, ", gw=", gw;
+ accept;
+ }
+ print proto, ": export reject, reason=not tnet"; reject;
+ };
+ };
+}
+
+protocol bgp tnet_hash from tnet_tpl {
+ neighbor fe80:a7a6:c1a8:c261:232e:7d67:fc27:7c8c;
+ interface "tnet-hash";
+}
+
+protocol bgp tnet_knot from tnet_tpl {
+ neighbor fe80:9dd8:abac:cf05:aea3:dc03:4c74:32da;
+ interface "tnet-knot";
+}
diff --git a/tnet/host_vars/akili/bird.yml b/tnet/host_vars/akili/bird.yml
new file mode 100644
index 0000000..b59526c
--- /dev/null
+++ b/tnet/host_vars/akili/bird.yml
@@ -0,0 +1,3 @@
+tnet_bird_peers:
+ hash:
+ knot:
diff --git a/tnet/host_vars/astyanax/bird.yml b/tnet/host_vars/astyanax/bird.yml
new file mode 100644
index 0000000..b59526c
--- /dev/null
+++ b/tnet/host_vars/astyanax/bird.yml
@@ -0,0 +1,3 @@
+tnet_bird_peers:
+ hash:
+ knot:
diff --git a/tnet/host_vars/astyanax/wg.yml b/tnet/host_vars/astyanax/wg.yml
index dd446a0..e12db34 100644
--- a/tnet/host_vars/astyanax/wg.yml
+++ b/tnet/host_vars/astyanax/wg.yml
@@ -1,7 +1,7 @@ tnet_wg: knot: endpoint: knot.inamo.no:51006 - address: fdb1:4242:3538:ffff:c32d:ad30:541d:ab31 + address: fe80:6728:53fc:fc81:40b3:9beb:8336:ba57 hash: endpoint: hash.trygvis.io:51004 - address: fdb1:4242:3538:ffff:b383:bc11:c452:eaf5 + address: fe80:a0fd:89e4:42c6:f617:7398:abf4:b517
diff --git a/tnet/host_vars/hash/bird.yml b/tnet/host_vars/hash/bird.yml
new file mode 100644
index 0000000..9176312
--- /dev/null
+++ b/tnet/host_vars/hash/bird.yml
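Review bot: The replacement `address:` values in `tnet/host_vars/astyanax/wg.yml`, e.g. `fe80:6728:53fc:fc81:40b3:9beb:8336:ba57`, are inside `fe80::/10` but not inside `fe80::/64`; RFC 4291 §2.5.6 defines link-local unicast as the 10-bit `fe80::/10` prefix followed by 54 zero bits, so these addresses are non-conforming even though Linux appears to give anything in `fe80::/10` link-local scope and the `interface "tnet-…"` binding in the generated bird configs is presumably what lets the sessions come up. Since the previous values were ULA (`fdb1:4242:3538:ffff::/64`) and the commit message is `wip`, the intent should be recorded, e.g. `# per-link fe80 /64 (not fe80::/64); bird neighbors must name the interface` above the first `address:`, or the addresses moved to `fe80::<iid>` with the link distinguished by interface alone. The same applies to the node1/node2 addresses added in `hash/wg.yml` and `knot/wg.yml` further down.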
@@ -0,0 +1,5 @@ +tnet_bird_peers: + knot: + node1: + node2: + astyanax: diff --git a/tnet/host_vars/hash/wg.yml b/tnet/host_vars/hash/wg.yml index bdd1800..c7d9363 100644 --- a/tnet/host_vars/hash/wg.yml +++ b/tnet/host_vars/hash/wg.yml @@ -12,4 +12,10 @@ tnet_wg: address: fe80:6195:1d43:9655:35f7:9dba:798c:26b8 astyanax: port: 51004 - address: fdb1:4242:3538:ffff:b383:bc11:c452:eaf4 + address: fe80:a0fd:89e4:42c6:f617:7398:abf4:b516 + node1: + port: 51005 + address: fe80:a026:6ec2:b356:21c5:b51:22b9:a1de + node2: + port: 51006 + address: fe80:a7a6:c1a8:c261:232e:7d67:fc27:7c8c diff --git a/tnet/host_vars/knot/bird.yml b/tnet/host_vars/knot/bird.yml new file mode 100644 index 0000000..e8b20e7 --- /dev/null +++ b/tnet/host_vars/knot/bird.yml @@ -0,0 +1,3 @@ +tnet_bird_peers: + hash: + node1: diff --git a/tnet/host_vars/knot/wg.yml b/tnet/host_vars/knot/wg.yml index 48053fc..6fe932e 100644 --- a/tnet/host_vars/knot/wg.yml +++ b/tnet/host_vars/knot/wg.yml @@ -19,4 +19,10 @@ tnet_wg: address: fdb1:4242:3538:ffff:374e:2c7d:319e:e526 astyanax: port: 51006 - address: fdb1:4242:3538:ffff:c32d:ad30:541d:ab30 + address: fe80:6728:53fc:fc81:40b3:9beb:8336:ba56 + node1: + port: 51007 + address: fe80:58eb:3930:1815:2a6d:8918:70c9:96f2 + node2: + port: 51008 + address: fe80:9dd8:abac:cf05:aea3:dc03:4c74:32da diff --git a/tnet/host_vars/kv24ix/bird.yml b/tnet/host_vars/kv24ix/bird.yml new file mode 100644 index 0000000..b59526c --- /dev/null +++ b/tnet/host_vars/kv24ix/bird.yml @@ -0,0 +1,3 @@ +tnet_bird_peers: + hash: + knot: diff --git a/tnet/host_vars/lhn2ix/bird.yml b/tnet/host_vars/lhn2ix/bird.yml new file mode 100644 index 0000000..b59526c --- /dev/null +++ b/tnet/host_vars/lhn2ix/bird.yml @@ -0,0 +1,3 @@ +tnet_bird_peers: + hash: + knot: diff --git a/tnet/host_vars/lhn2pi/bird.yml b/tnet/host_vars/lhn2pi/bird.yml new file mode 100644 index 0000000..b59526c --- /dev/null +++ b/tnet/host_vars/lhn2pi/bird.yml @@ -0,0 +1,3 @@ +tnet_bird_peers: + hash: + knot: 
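Review bot: The `tnet_bird_peers` lists in this hunk are not symmetric: `tnet/host_vars/hash/bird.yml` names knot, node1, node2 and astyanax, `tnet/host_vars/knot/bird.yml` names only hash and node1, yet astyanax's `bird.yml` (above) lists knot, node2's (below) lists knot, and akili, kv24ix, lhn2ix and lhn2pi each list hash and knot without being listed back by either. With `bird.conf.j2` each entry becomes a BGP protocol on that host alone, so every one of those is a half-configured session, and for the four leaf hosts the render additionally depends on `hostvars['hash'].tnet_wg` and `hostvars['knot'].tnet_wg` having entries for them, which is outside the visible part of `hash/wg.yml` and `knot/wg.yml` and will raise an undefined-variable error if absent. Either complete the reverse entries (`node2:` and `astyanax:` in knot's file, the four leaf hosts in hash's and knot's) or, if the leaf hosts are not meant to speak BGP yet, leave their `bird.yml` files out of this commit and say so in the message instead of `wip`.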
diff --git a/tnet/host_vars/node1/bird.yml b/tnet/host_vars/node1/bird.yml new file mode 100644 index 0000000..b59526c --- /dev/null +++ b/tnet/host_vars/node1/bird.yml @@ -0,0 +1,3 @@ +tnet_bird_peers: + hash: + knot: diff --git a/tnet/host_vars/node1/wg.yml b/tnet/host_vars/node1/wg.yml index 6ce5e8b..dfacbf2 100644 --- a/tnet/host_vars/node1/wg.yml +++ b/tnet/host_vars/node1/wg.yml @@ -1,3 +1,7 @@ tnet_wg: knot: + endpoint: knot.inamo.no:51007 + address: fe80:58eb:3930:1815:2a6d:8918:70c9:96f3 hash: + endpoint: hash.trygvis.io:51005 + address: fe80:a026:6ec2:b356:21c5:b51:22b9:a1df diff --git a/tnet/host_vars/node2/bird.yml b/tnet/host_vars/node2/bird.yml new file mode 100644 index 0000000..b59526c --- /dev/null +++ b/tnet/host_vars/node2/bird.yml @@ -0,0 +1,3 @@ +tnet_bird_peers: + hash: + knot: diff --git a/tnet/host_vars/node2/wg.yml b/tnet/host_vars/node2/wg.yml index 6ce5e8b..891c15a 100644 --- a/tnet/host_vars/node2/wg.yml +++ b/tnet/host_vars/node2/wg.yml @@ -1,3 +1,7 @@ tnet_wg: knot: + endpoint: knot.inamo.no:51008 + address: fe80:9dd8:abac:cf05:aea3:dc03:4c74:32db hash: + endpoint: hash.trygvis.io:51006 + address: fe80:a7a6:c1a8:c261:232e:7d67:fc27:7c8d diff --git a/tnet/keys/wg-hash-node1.pub b/tnet/keys/wg-hash-node1.pub new file mode 100644 index 0000000..8e33ba3 --- /dev/null +++ b/tnet/keys/wg-hash-node1.pub @@ -0,0 +1 @@ +1cNynnx5gPRzgr6JNCPqzlfQP1SuRc4XN3wlWxbIVF4=
\ No newline at end of file diff --git a/tnet/keys/wg-hash-node1.sops.key b/tnet/keys/wg-hash-node1.sops.key new file mode 100644 index 0000000..7982e74 --- /dev/null +++ b/tnet/keys/wg-hash-node1.sops.key 
@@ -0,0 +1,28 @@ +{ + "data": "ENC[AES256_GCM,data:J4ZEwFTTSOcMCUNbBxeufrHRg75BmlTVv0gPs7xVdB9RtnQ+G859ZdDARSk=,iv:dEqxGTSmnWjZzc8kirfyTkJfewUVcPejbzG9RDQnG4Y=,tag:SdiX98tkWOW7oAcxLMJv9g==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age13wv3rp0varlg4nvt3tca48fq8u9q3mc6yfdekjeapcmc7kaq4dysrzcmv3", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMUkYyZjZ2NUd2dXd1QWZk\nYms0UDJKajYyb3VnOHdCVDVZVWdVTGF0VDNzCkE4V2dIN2V4MWUycXBLem94aFNu\nTERTZ0xHN1FwK0w0SVNkMGJOcUx6aGMKLS0tIG9OdG1xL1pLM1NtS2pQV0J2bGFR\nZ1dJWDhjcnNkREh3aXlHa29teUU4UWcKj62Piukjg3hk2MWvXRhkmAznsQgclqST\no6gored5zOcjZg+RFZd5RgLvNQxxwR/5dfZPyBXfjPIQi2+g7UJDfQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1mvh832crygenu5tu5njtraraet656rzwnawuasjggvs999dc9ueqj9qclw", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5ems3RGdWZ0V5NVVMdHpa\nZDM4Nm05QTJjMWx6QXZqbUIxZFlIOUF0WDJZCkV0OWxIOXJUcnc0R3BMNEFSTks2\nbjRCb0lIRWJqRkcwc25nVDArNWRtSmMKLS0tIHZEbzl5N2NaNGduQ1ROK2Mvand4\naTQrbFA0L05hbGxUNDRQb0lScll3NjAKTjRRiBpoHW9kLZS0YiZ3ZKK+gjBzErNU\n64/LLgZIsKrWnXDxM1szVf0wDfx5j2VvzjE8yDszd0N4iXzobjwt9w==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1teasctdpkatekpsa47q58d3ugwyyqcuj5v9udtusk7ca9sfv694sw057a5", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhbGl4bnZNNHVXQmxtNjZy\nenpyYXBobEwwQUx0Z05DSzNvM2pkb281NkY4ClV5djRJTm91MmQvNE1JY0QrNXNj\nN1YxNldBZFdhRVlLSmROaitKMzkzWDAKLS0tIElNbm5lbGFDMHE1N1owMTFhektq\nY0Y2VU5SeVQ5c09wRm41dVhxZW5VMEUKKCL9H1dKgWaFg6KpDjPy4QXAQDAYfO6W\nxh/eX5I3OvpAHSVvTGL0LVQVBI9Md27f9UZIKIXOEMrrborMtmTqjg==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-06-11T08:37:25Z", + "mac": 
"ENC[AES256_GCM,data:d2q6CE/Um1sEZ+Tbg0xYTSvl3/aEUdo0M+8rAh24IlM3p4au9mEHGk4WzT+fyxYnmAAeLFyf+XMcGP4nil7dut0Z22fTOBrgehpkMobbHEIqOhMa3d3I9WyV4h4AQHMyWWjZhTVk7uVCym7qiRD91ucR3vG/ax3aKRb43OYx+ZE=,iv:GauMpvYiClHwjQEYPlI5/vaUst6+eOdo5+8L8b7VZeY=,tag:kNJ2fSH5Z++PehOWQYJMSw==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.7.3" + } +}
\ No newline at end of file diff --git a/tnet/keys/wg-hash-node2.pub b/tnet/keys/wg-hash-node2.pub new file mode 100644 index 0000000..877b702 --- /dev/null +++ b/tnet/keys/wg-hash-node2.pub @@ -0,0 +1 @@ +X2rEOlHyKs62HW0nAaIHEZFTprGXhLb2de/hAQcbFng=
\ No newline at end of file diff --git a/tnet/keys/wg-hash-node2.sops.key b/tnet/keys/wg-hash-node2.sops.key new file mode 100644 index 0000000..4fc6c33 --- /dev/null +++ b/tnet/keys/wg-hash-node2.sops.key 
@@ -0,0 +1,28 @@ +{ + "data": "ENC[AES256_GCM,data:4GvFf7qZz4uH4scmvpSN0x5ei8XoDW/raxwIRPH1Y6+9wnj7zmVELIPytCI=,iv:7S16T48B5x8B28WXCpNwVArVIucDeGOilOgw/nUBdN4=,tag:oOHo2KT044rDhvRQnvsB+A==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age13wv3rp0varlg4nvt3tca48fq8u9q3mc6yfdekjeapcmc7kaq4dysrzcmv3", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLQTJ4ZEFKN3IyY0VLVU1R\ndnZadTByc3I2d1h3Q2xZQkZPL1FNcWI0V2dJClVOdnNIaTljNXQzQU4xZXNIMFBi\nR01mZHVtWjZUTjVtZGN3SkJYWTk0NW8KLS0tIFBMdnl2Rk91aGhOd0FWMytFblow\ncWlKN0FhN2ZsRWJtMFNnU2llK21HWHcKPOP3SG4DdnseZjaOPQXBsqtxYo2NBQfK\n9hyqlhD02AzP7XGrf++YS8FJ3nqOrJ/NV5cYeOEDCMTDqQ1DVwLXFg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1mvh832crygenu5tu5njtraraet656rzwnawuasjggvs999dc9ueqj9qclw", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2Q1hNbVZ3UjJlL2RLUTY2\ndHNWZTVlaHpuM3djWE9UTzlBN1VmSVBBaW1ZCnM4M0hrblI0UmxJYXhjT2lmTWlU\nVkVIdVIzUWN1LzV3Q0hVM3lkcWgwejAKLS0tIEFPSit5UGRCeks4NXhDSE9XNXFE\nc3FTYmUyaW1GdW5YbHFhN2U3Yis2QTgKuJAdQqbxWrm86Lsn+xv5XQNxiE+krq9z\n6PoViqeLVqP54D4TGsQ7HBWD5k+mK1IbHdiSrf6lCw2AIiZOQXACdw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1teasctdpkatekpsa47q58d3ugwyyqcuj5v9udtusk7ca9sfv694sw057a5", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpSUJIVVNlN3Bac3M4cFlS\nVHUwM2FNRnY1bFFxb1Z4RE1aYnVoK3NxT1djCmVnSUJ0cGZ0WStPZXY4Y05LVkxt\nd1hIQ0V6VWYwWi9WVnVpUVExbU5tZzAKLS0tIDgzcmEzUnMvcXNES2kxKzlHRUpt\nRERyelpQaXVVTHI3WitXT3hkbFhmOGsKq4MW9Pdngt2L0/Jyhj9IRIT8t2/a0OXQ\nhpi1zBq8pyyqgsOXTornPYHmRAtPNULetzFbV3l+JWajHeemCA7jLA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-06-11T08:37:26Z", + "mac": 
"ENC[AES256_GCM,data:hMv9t+1GswxvoHlNUEH+EGJesDRTolk2PMWDkk9GggOxbkMxZS+Unl/79Hj+nheclsWkxIAI6CG1Sr4/qiGdB3yX39s7O/LgiXnNV6yYirVJ+Qrs3T3oRM1HCk9Y5odb42bqW+QoCdEhn4pJk1oL1n8ZrjpEzE1cf9ChAhNRRzY=,iv:JzmYGLYfH920z0XZJVH+ZNCr+FlRu+VnC2iPnCiydHg=,tag:YclQ/r9YlgC2xb9Ng4UIQQ==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.7.3" + } +}
\ No newline at end of file diff --git a/tnet/keys/wg-knot-node1.pub b/tnet/keys/wg-knot-node1.pub new file mode 100644 index 0000000..1507a5f --- /dev/null +++ b/tnet/keys/wg-knot-node1.pub @@ -0,0 +1 @@ +thONllLZCmXl09Fpj0hJXMC71RL5fBUWYL1pSvQFDhE=
\ No newline at end of file diff --git a/tnet/keys/wg-knot-node1.sops.key b/tnet/keys/wg-knot-node1.sops.key new file mode 100644 index 0000000..7612836 --- /dev/null +++ b/tnet/keys/wg-knot-node1.sops.key 
@@ -0,0 +1,28 @@ +{ + "data": "ENC[AES256_GCM,data:kDjtgcIJwZdtUmzeZ+HtEM2FPYF+W9gWCm55vdSxC3scA6MoxNBRSxw4uQg=,iv:4K18STAhTTxtpAnQCHaNYbVlg+M8iyxAX9sYbeetvWw=,tag:PcVWrkISwxvnBXSoFwJ0Bg==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age13wv3rp0varlg4nvt3tca48fq8u9q3mc6yfdekjeapcmc7kaq4dysrzcmv3", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0ZVdCNFdSd05jTHo0c1Fm\nYUpPcXA4ODJ6cUdHUGxNUVc3UVpMVmFjM0Y4CjN4ajB2aE9oVEc5blk2OEJaRW1y\nUjVxUlI2bUVvZGpEOWRpMTRGMnZGRWsKLS0tIDQySDlRU0lIdjExZkkrMTFaNTFs\nRnBrVXN1WUxBbTBjUm9BQ0pTOWRXMEkKmkogKiY+AN+6MTuu1cj8l9Xw/Jzt+sXC\njpnl99+hAp0WmUV5+tqq3jGyzURuYpkoG+qX19jcVxMhwCx0A+JJZg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1mvh832crygenu5tu5njtraraet656rzwnawuasjggvs999dc9ueqj9qclw", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUcGxKS0VCWk1NOTR5ZVB2\nZUpKaWMrbGVqREZLVG1mZk9WSU43YXhwVjBBCkJRc2QvcmhFNFUyaTFKbVhOc3RM\nY0RZTVY5TEJYQTEyM20wS2NJMDEyYWMKLS0tIGJZRE16a2pEb2Q1ZmFTNTJiWVo1\nb0ZGM0xMeC85bWM4VHU3RWhKczE3Z28Karpa7UyGJmwGcy+dTnie+tYRo99YME0h\n8c/0oWNIQYKuNU0LvmXLaCXfANWNoW++MEYcj8ctTH8stOScqZ20wA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1teasctdpkatekpsa47q58d3ugwyyqcuj5v9udtusk7ca9sfv694sw057a5", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6QnpkdytmUGpwM1ZHSXd5\neEpMM3VZK3p0YTdhN2QwazhMTThYYU50NFZnCjVmWWxsSHpSa2x1OHlSU2liOTUr\nVHJYWWpZbXlwVDc1N3NLODJtaTFjM2cKLS0tIEZ4TExVVDBiT0diL3dlL1JzNzdn\nbG1NS3lDQmJWSlNLamlhejVsU2MvWkUKi/LFKOdgK3SKTwP2LdiWd4egqYI5+xAi\nHOWnFQGnljXuQlRXBHv20fq0QwWm8wPJnzg7QK4wNVAWAjZwQXeMXg==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-06-11T08:37:28Z", + "mac": 
"ENC[AES256_GCM,data:5uwz5pswuas/97KI8n4fm/+sjshkNHdRlS3k28xRftcNRsTi/k9Z1omhfLlwKKL3D/955UyHnnV86XvZPQfCxPm/I/5HbpFMyqKP4g88wSxN7poI+CBM+PNCeN/HHb0oIbq7Z72vq3VTI4Prs2V3/i1E5LE+4Sx4IFE2lmP9gjI=,iv:XG4uF8aqGBjKN7yTNWptmQtQjT05eOE/J8zTrOD8dGw=,tag:HpOf1YyQl36SJw0DpgW//w==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.7.3" + } +}
\ No newline at end of file diff --git a/tnet/keys/wg-knot-node2.pub b/tnet/keys/wg-knot-node2.pub new file mode 100644 index 0000000..8c9f071 --- /dev/null +++ b/tnet/keys/wg-knot-node2.pub @@ -0,0 +1 @@ +4shyuJgqiQsaRZG0zuD3WWEJP2eEzNSpt2vfcUXqikg=
\ No newline at end of file diff --git a/tnet/keys/wg-knot-node2.sops.key b/tnet/keys/wg-knot-node2.sops.key new file mode 100644 index 0000000..3395667 --- /dev/null +++ b/tnet/keys/wg-knot-node2.sops.key 
@@ -0,0 +1,28 @@ +{ + "data": "ENC[AES256_GCM,data:/yNbyRXzUhx5OJBiSsV0sGY4n85fBLV4wFBsbM2sHOO4FkvBQOKXRfEeNHI=,iv:x0Zcv+f17YYoGGN5lXSHBTta3+8eX8NrnmSeKf2t0gc=,tag:uBjDTRMrhuceisM0V0eH+g==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age13wv3rp0varlg4nvt3tca48fq8u9q3mc6yfdekjeapcmc7kaq4dysrzcmv3", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaT25BVjBxUk5IdlVRNmZS\ndXFRVTJkdFdRMEJMdnQ1eWxMcTMwSGRWMGpVCndNVm1seHJpSnk0R1A5TVB5bFlE\nbjdHK1owNm5Bc25PK2czdHJHMys5NUUKLS0tIDhZdUVybmNkN25XUU9wbVZxSHZ2\nenFxM0t3V2RXKzRWZ25sVzJaUU9Hd0UKIaW5AiVahrrVim0whQTFE4YjEh2Rel5r\nm5rgebK9IdjwG6iUWQlnC+xaZFcqSyp6S+rGLBg/Axg2aAJpCUVcIg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1mvh832crygenu5tu5njtraraet656rzwnawuasjggvs999dc9ueqj9qclw", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRTzhoMHlVcjBFdFAvRVpi\ndlpuTzFuOGNaaG5EbG0wNWRtY3ZBSEkwQ0RNCnM0V2JyNHZNblJCOXlOWFNYQTFm\nc2VtTmt4c21Ma2Z4VDdubm5YYkpkU3MKLS0tIEtlQStSR05Nb3h5L1FkcFJ2Tjd1\naStFTWlzMVBLVnAxSWRoYjZPdUN0UFkKVgByyiUXtgDi1Z1AivQsNA6lUKwB9iQM\nh7ch10JBPSNVrjXisdxU3qoBeuOKl9ZmTue/aR1clvJqkhDN5BzX8g==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1teasctdpkatekpsa47q58d3ugwyyqcuj5v9udtusk7ca9sfv694sw057a5", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWQ2FSZ0NocWlaemZPT3NW\nU3pwOFdZVlZzTGVsNHlMa2J2SzBleWJIdTM4CnZYTFVtdFErNyt4QnIzVGdsekxy\nZjZmR1lKZDRDbnZCQ3V4TEd1VTE1SVEKLS0tIGRPNGhnMjVKZnpwN2kvbkhNL1Nw\nOFN1azRiTVg3VndBWFREYVAzdFFEK0UKngv/lSquans6wzi3qEAaOXdTttWsayKb\nhicgFbKmwdcI6oW39PfkZLm9G+1/sBSDeEBCO/ysgygR5Qn2oG55dw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-06-11T08:37:28Z", + "mac": 
"ENC[AES256_GCM,data:COfWtS5eOQ5cG9cqQyhwyjntpjbo7vzk5g/Gs7/wGZOInxp6eVSGMSxCr7hxaHNZDpcYgMYiAHOoo4GRCQIm0nalryzPd5oLPLZKzNlRdlnpvxQuk8JOB+WPXf3kz5SbjfMU3fLt1/msdGAafZ/sOB9agRozLOc7LBPX1XyTZ4o=,iv:Zw5/T/mSKbh8VSlfbx7xxx72e7j0AILCXx9UglqY+IE=,tag:ZzKtg5bpbz84dJt4lFprIA==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.7.3" + } +}
\ No newline at end of file diff --git a/tnet/templates/bird.conf.j2 b/tnet/templates/bird.conf.j2 new file mode 100644 index 0000000..45dc318 --- /dev/null +++ b/tnet/templates/bird.conf.j2 @@ -0,0 +1,36 @@ +template bgp tnet_tpl { + local as 4242423538; + neighbor internal; + + direct; + rr client; + + password "trygvis"; + + ipv6 { + next hop self; + import filter { + if is_tnet() then { + print proto, ": import accept, net=", net, ", from=", from, ", gw=", gw; + accept; + } + print proto, ": import reject, reason=not tnet"; reject; + }; + # newer bird's only + # import keep filtered; + export filter { + if is_tnet() then { + print proto, ": export accept, net=", net, ", from=", from, ", gw=", gw; + accept; + } + print proto, ": export reject, reason=not tnet"; reject; + }; + }; +} +{% for p in tnet_bird_peers|default([])|sort %} + +protocol bgp tnet_{{ p }} from tnet_tpl { + neighbor {{ hostvars[p].tnet_wg[inventory_hostname].address }}; + interface "tnet-{{ p }}"; +} +{% endfor %} diff --git a/tnet/wg-keys.yml b/tnet/wg-keys.yml index 1979619..1980b97 100644 --- a/tnet/wg-keys.yml +++ b/tnet/wg-keys.yml @@ -1,4 +1,3 @@ ---- - name: Generate Wireguard keys hosts: tnet connection: local diff --git a/tnet/wg-links-link.yml b/tnet/wg-links-link.yml index aaaf01f..6f1bb87 100644 --- a/tnet/wg-links-link.yml +++ b/tnet/wg-links-link.yml @@ -1,3 +1,9 @@ +- notify: systemctl restart systemd-networkd + become: yes + file: + path: "/etc/systemd/network/50-tnet-{{ inventory_hostname }}-{{ item.key }}.netdev" + state: absent + - name: "Make netdev for {{ inventory_hostname }} -> {{ item.key }}" notify: systemctl restart systemd-networkd become: yes 
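Review bot: `password "trygvis";` in `bird.conf.j2` is a fixed TCP-MD5 secret shared by every BGP session in the mesh and committed in clear text (and again in each rendered `files/*/bird.conf`), while the same commit keeps the WireGuard private keys sops-encrypted under `tnet/keys/`. Because every session is bound to a `tnet-*` WireGuard interface, the MD5 password adds little beyond what the tunnel already authenticates, so either drop it or treat it like the other secrets: `password "{{ tnet_bgp_password }}";` with the value in a sops-encrypted vars file, plus a comment on that line stating which choice was made. The two `print` calls in each filter log every route on every update; a `# debug: remove once sessions are stable` comment would keep them from surviving into the final version. `# newer bird's only` above the commented-out `import keep filtered` should name the minimum BIRD version it needs so it can be enabled when the hosts are upgraded.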
@@ -26,6 +32,12 @@ PersistentKeepalive=60 {% endif %} +- notify: systemctl restart systemd-networkd + become: yes + file: + path: "/etc/systemd/network/50-tnet-{{ inventory_hostname }}-{{ item.key }}.network" + state: absent + - name: "Make network for {{ inventory_hostname }} -> {{ item.key }}" notify: systemctl restart systemd-networkd become: yes @@ -38,4 +50,4 @@ Name=tnet-{{ item.key }} [Network] - Address={{ item.value.address }}/127 + Address={{ item.value.address }}/64 |
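Review bot: The new `file: state: absent` task deletes `50-tnet-<host>-<peer>.network` immediately before the `Make network` template task recreates it (the first hunk of this file does the same for the `.netdev`), so on every run the delete reports changed, the template reports changed, and `systemctl restart systemd-networkd` fires whether or not the rendered unit differs, bouncing every tnet link on each playbook run. If the purpose is to clean up unit files from an earlier naming scheme, the delete should target that old path rather than the one the template is about to write; if it is only to force regeneration, `template` already overwrites and reports changes on its own and both `absent` tasks can go. Both new tasks also lack a `name:`, unlike the neighbouring ones. The `/127` → `/64` change on `Address=` matches each link pair now sharing one `fe80:…/64` prefix, though with addresses outside `fe80::/64` it is worth confirming networkd treats them as link-local on the target hosts. The template tasks this hunk cuts through start and end outside it.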