diff options
180 files changed, 4966 insertions, 1918 deletions
diff --git a/.settings.sh b/.settings.sh index 38b5e20..a166ade 100644 --- a/.settings.sh +++ b/.settings.sh @@ -5,8 +5,9 @@ basedir=$(cd "$basedir" && pwd) export ANSIBLE_CONFIG=$basedir/ansible/ansible.cfg -echo "Adding bin/ to path" +PATH="$basedir/bin/env/bin:$PATH" PATH="$basedir/bin:$PATH" +PATH="$HOME/.asdf/shims:$PATH" #echo "Adding bin/.tmp/asdf-data/shims/ to path" #PATH="$basedir/bin/.tmp/asdf-data/shims:$PATH" diff --git a/.tool-versions b/.tool-versions new file mode 100644 index 0000000..ad228d9 --- /dev/null +++ b/.tool-versions @@ -0,0 +1,7 @@ +golang 1.23.2 +sops 3.9.1 +yamlfmt 0.13.0 +kubectl 1.31.1 +helm 3.16.2 +cilium-cli 0.16.20 +terraform 1.9.5 diff --git a/README-snmp.md b/README-snmp.md new file mode 100644 index 0000000..e4ec3fe --- /dev/null +++ b/README-snmp.md @@ -0,0 +1,19 @@ +# Collecting SNMP data with Prometheus + +Use the `prometheus-snmp-exporter` package. + +## Generating snmp.yml + +This file is not included in the Debian packages for licensing reasons, and we +also want to include the Ubiquiti MIBs anyway. + +Main docs: https://github.com/prometheus/snmp_exporter/tree/main/generator + +Short story: + +* git clone https://github.com/prometheus/snmp_exporter.git +* make generate +* make mibs # downloads the MIBs, including the UBNT ones +* ./generator generate -m mibs -g generator.yml -o snmp.yml + +Copy `snmp.yml` to `/etc/prometheus/snmp.yml`. diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg index 6da8010..2190846 100644 --- a/ansible/ansible.cfg +++ b/ansible/ansible.cfg @@ -1,6 +1,5 @@ [defaults] become_method = sudo -connection_plugins = ./connection_plugins inventory = ./inventory #,./inventory-terraform nocows = True @@ -8,3 +7,8 @@ stdout_callback = debug vault_password_file = ./.vault-password roles_path = roles:thirdparty retry_files_enabled = False +vars_plugins_enabled = host_group_vars,community.sops.sops + +[ssh_connection] +pipelining = True +ssh_args = -o ControlMaster=auto -o ControlPersist=1200 diff --git a/ansible/connection_plugins/lxc_ssh.py b/ansible/connection_plugins/lxc_ssh.py deleted file mode 100644 index 2bb5352..0000000 --- a/ansible/connection_plugins/lxc_ssh.py +++ /dev/null @@ -1,1259 +0,0 @@ -# Copyright 2016 Pierre Chifflier <pollux@wzdftpd.net> -# -# SSH + lxc-attach connection module for Ansible 2.0 -# -# Adapted from ansible/plugins/connection/ssh.py -# Forked from https://github.com/chifflier/ansible-lxc-ssh -# Hosted on https://github.com/andreasscherbaum/ansible-lxc-ssh -# -# Ansible is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# Ansible is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with Ansible. If not, see <http://www.gnu.org/licenses/>. -# -import errno -import fcntl -import hashlib -import os -import pipes -import pty -import shlex -import subprocess -import sys -from distutils.version import LooseVersion - -from ansible.release import __version__ as ansible_version -if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): - from functools import wraps -from ansible import constants as C -if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): - from ansible.compat.six import text_type, binary_type - from ansible.errors import AnsibleConnectionFailure, AnsibleError - from ansible.plugins.connection import ConnectionBase -if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): - from ansible.errors import AnsibleError, AnsibleConnectionFailure, AnsibleFileNotFound - from ansible.errors import AnsibleOptionsError - from ansible.compat import selectors - from ansible.module_utils.six import PY3, text_type, binary_type - if LooseVersion(ansible_version) < LooseVersion('2.4.0.0'): - from ansible.compat.six.moves import shlex_quote - else: - from ansible.module_utils.six.moves import shlex_quote - from ansible.module_utils._text import to_bytes, to_native, to_text - if LooseVersion(ansible_version) >= LooseVersion('2.4.0.0'): - from ansible.module_utils.parsing.convert_bool import BOOLEANS, boolean - from ansible.plugins.connection import ConnectionBase, BUFSIZE -from ansible.utils.path import unfrackpath, makedirs_safe - -if LooseVersion(ansible_version) >= LooseVersion('2.2.0.0'): - from ansible.module_utils._text import to_bytes, to_text as to_unicode, to_native as to_str -else: - from ansible.utils.unicode import to_bytes, to_unicode, to_str - -try: - from __main__ import display -except ImportError: - from ansible.utils.display import Display - display = Display() - -if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): - import select - - -# only used from Ansible version 2.3 on forward -class AnsibleControlPersistBrokenPipeError(AnsibleError): - ''' ControlPersist broken pipe ''' - pass - - -def _ssh_retry(func): - """ - Decorator to retry ssh/scp/sftp in the case of a connection failure - - Will retry if: - * an exception is caught - * ssh returns 255 - Will not retry if - * remaining_tries is <2 - * retries limit reached - """ - @wraps(func) - def wrapped(self, *args, **kwargs): - remaining_tries = int(C.ANSIBLE_SSH_RETRIES) + 1 - cmd_summary = "%s..." % args[0] - for attempt in range(remaining_tries): - cmd = args[0] - if attempt != 0 and self._play_context.password and isinstance(cmd, list): - # If this is a retry, the fd/pipe for sshpass is closed, and we need a new one - self.sshpass_pipe = os.pipe() - cmd[1] = b'-d' + to_bytes(self.sshpass_pipe[0], nonstring='simplerepr', errors='surrogate_or_strict') - - try: - try: - return_tuple = func(self, *args, **kwargs) - display.vvv(return_tuple, host=self.host) - # 0 = success - # 1-254 = remote command return code - # 255 = failure from the ssh command itself - except (AnsibleControlPersistBrokenPipeError) as e: - # Retry one more time because of the ControlPersist broken pipe (see #16731) - display.vvv(u"RETRYING BECAUSE OF CONTROLPERSIST BROKEN PIPE") - return_tuple = func(self, *args, **kwargs) - - if return_tuple[0] != 255: - break - else: - raise AnsibleConnectionFailure("Failed to connect to the host via ssh: %s" % to_native(return_tuple[2])) - except (AnsibleConnectionFailure, Exception) as e: - if attempt == remaining_tries - 1: - raise - else: - pause = 2 ** attempt - 1 - if pause > 30: - pause = 30 - - if isinstance(e, AnsibleConnectionFailure): - msg = "ssh_retry: attempt: %d, ssh return code is 255. cmd (%s), pausing for %d seconds" % (attempt, cmd_summary, pause) - else: - msg = "ssh_retry: attempt: %d, caught exception(%s) from cmd (%s), pausing for %d seconds" % (attempt, e, cmd_summary, pause) - - display.vv(msg, host=self.host) - - time.sleep(pause) - continue - - return return_tuple - return wrapped - - -class Connection(ConnectionBase): - ''' ssh+lxc_attach connection ''' - transport = 'lxc_ssh' - - def __init__(self, play_context, new_stdin, *args, **kwargs): - #print args - #print kwargs - super(Connection, self).__init__(play_context, new_stdin, *args, **kwargs) - self.host = self._play_context.remote_addr - if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): - self.port = self._play_context.port - self.user = self._play_context.remote_user - self.control_path = C.ANSIBLE_SSH_CONTROL_PATH - self.control_path_dir = C.ANSIBLE_SSH_CONTROL_PATH_DIR - self.lxc_version = None - - # LXC v1 uses 'lxc-info', 'lxc-attach' and so on - # LXC v2 uses just 'lxc' - (returncode2, stdout2, stderr2) = self._exec_command("which lxc", None, False) - (returncode1, stdout1, stderr1) = self._exec_command("which lxc-info", None, False) - if (returncode2 == 0): - self.lxc_version = 2 - display.vvv('LXC v2') - elif (returncode1 == 0): - self.lxc_version = 1 - display.vvv('LXC v1') - else: - raise AnsibleConnectionFailure('Cannot identify LXC version') - sys.exit(1) - - - # The connection is created by running ssh/scp/sftp from the exec_command, - # put_file, and fetch_file methods, so we don't need to do any connection - # management here. - def _connect(self): - ''' connect to the lxc; nothing to do here ''' - display.vvv('XXX connect') - super(Connection, self)._connect() - #self.container_name = self.ssh._play_context.remote_addr - self.container_name = self._play_context.ssh_extra_args # XXX - #self.container = None - - - # only used from Ansible version 2.3 on forward - @staticmethod - def _create_control_path(host, port, user, connection=None): - '''Make a hash for the controlpath based on con attributes''' - pstring = '%s-%s-%s' % (host, port, user) - if connection: - pstring += '-%s' % connection - m = hashlib.sha1() - m.update(to_bytes(pstring)) - digest = m.hexdigest() - cpath = '%(directory)s/' + digest[:10] - return cpath - - - @staticmethod - def _persistence_controls(b_command): - ''' - Takes a command array and scans it for ControlPersist and ControlPath - settings and returns two booleans indicating whether either was found. - This could be smarter, e.g. returning false if ControlPersist is 'no', - but for now we do it simple way. - ''' - - controlpersist = False - controlpath = False - - if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): - for arg in b_command: - if 'controlpersist' in arg.lower(): - controlpersist = True - elif 'controlpath' in arg.lower(): - controlpath = True - if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): - for b_arg in (a.lower() for a in b_command): - if b'controlpersist' in b_arg: - controlpersist = True - elif b'controlpath' in b_arg: - controlpath = True - - return controlpersist, controlpath - - - @staticmethod - def _split_args(argstring): - """ - Takes a string like '-o Foo=1 -o Bar="foo bar"' and returns a - list ['-o', 'Foo=1', '-o', 'Bar=foo bar'] that can be added to - the argument list. The list will not contain any empty elements. - """ - return [to_unicode(x.strip()) for x in shlex.split(to_bytes(argstring)) if x.strip()] - - - if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): - def _add_args(self, explanation, args): - """ - Adds the given args to self._command and displays a caller-supplied - explanation of why they were added. - """ - self._command += args - display.vvvvv('SSH: ' + explanation + ': (%s)' % ')('.join(args), host=self._play_context.remote_addr) - - - if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): - def _add_args(self, b_command, b_args, explanation): - """ - Adds arguments to the ssh command and displays a caller-supplied explanation of why. - :arg b_command: A list containing the command to add the new arguments to. - This list will be modified by this method. - :arg b_args: An iterable of new arguments to add. This iterable is used - more than once so it must be persistent (ie: a list is okay but a - StringIO would not) - :arg explanation: A text string containing explaining why the arguments - were added. It will be displayed with a high enough verbosity. - .. note:: This function does its work via side-effect. The b_command list has the new arguments appended. - """ - display.vvvvv(u'SSH: %s: (%s)' % (explanation, ')('.join(to_text(a) for a in b_args)), host=self._play_context.remote_addr) - b_command += b_args - - - if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): - def _build_command(self, binary, *other_args): - self._command = [] - self._command += [binary] - self._command += ['-C'] - if self._play_context.verbosity > 3: - self._command += ['-vvv'] - elif binary == 'ssh': - # Older versions of ssh (e.g. in RHEL 6) don't accept sftp -q. - self._command += ['-q'] - # Next, we add [ssh_connection]ssh_args from ansible.cfg. - if self._play_context.ssh_args: - args = self._split_args(self._play_context.ssh_args) - self._add_args("ansible.cfg set ssh_args", args) - # Now we add various arguments controlled by configuration file settings - # (e.g. host_key_checking) or inventory variables (ansible_ssh_port) or - # a combination thereof. - if not C.HOST_KEY_CHECKING: - self._add_args( - "ANSIBLE_HOST_KEY_CHECKING/host_key_checking disabled", - ("-o", "StrictHostKeyChecking=no") - ) - if self._play_context.port is not None: - self._add_args( - "ANSIBLE_REMOTE_PORT/remote_port/ansible_port set", - ("-o", "Port={0}".format(self._play_context.port)) - ) - key = self._play_context.private_key_file - if key: - self._add_args( - "ANSIBLE_PRIVATE_KEY_FILE/private_key_file/ansible_ssh_private_key_file set", - ("-o", "IdentityFile=\"{0}\"".format(os.path.expanduser(key))) - ) - if not self._play_context.password: - self._add_args( - "ansible_password/ansible_ssh_pass not set", ( - "-o", "KbdInteractiveAuthentication=no", - "-o", "PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey", - "-o", "PasswordAuthentication=no" - ) - ) - user = self._play_context.remote_user - if user: - self._add_args( - "ANSIBLE_REMOTE_USER/remote_user/ansible_user/user/-u set", - ("-o", "User={0}".format(to_bytes(self._play_context.remote_user))) - ) - self._add_args( - "ANSIBLE_TIMEOUT/timeout set", - ("-o", "ConnectTimeout={0}".format(self._play_context.timeout)) - ) - # Check if ControlPersist is enabled and add a ControlPath if one hasn't - # already been set. - controlpersist, controlpath = self._persistence_controls(self._command) - if controlpersist: - self._persistent = True - if not controlpath: - cpdir = unfrackpath('$HOME/.ansible/cp') - display.vv(str(C.ANSIBLE_SSH_CONTROL_PATH)) - # The directory must exist and be writable. - makedirs_safe(cpdir, 0o700) - if not os.access(cpdir, os.W_OK): - raise AnsibleError("Cannot write to ControlPath %s" % cpdir) - args = ("-o", "ControlPath={0}".format( - to_bytes(C.ANSIBLE_SSH_CONTROL_PATH % dict(directory=cpdir))) - ) - self._add_args("found only ControlPersist; added ControlPath", args) - ## Finally, we add any caller-supplied extras. - if other_args: - self._command += other_args - return self._command - - - if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): - def _build_command(self, binary, *other_args): - b_command = [] - if binary == 'ssh': - b_command += [to_bytes(self._play_context.ssh_executable, errors='surrogate_or_strict')] - else: - b_command += [to_bytes(binary, errors='surrogate_or_strict')] - if self._play_context.verbosity > 3: - b_command.append(b'-vvv') - # Next, we add [ssh_connection]ssh_args from ansible.cfg. - # - if self._play_context.ssh_args: - b_args = [to_bytes(a, errors='surrogate_or_strict') for a in - self._split_args(self._play_context.ssh_args)] - self._add_args(b_command, b_args, u"ansible.cfg set ssh_args") - - # Now we add various arguments controlled by configuration file settings - # (e.g. host_key_checking) or inventory variables (ansible_ssh_port) or - # a combination thereof. - if not C.HOST_KEY_CHECKING: - b_args = (b"-o", b"StrictHostKeyChecking=no") - self._add_args(b_command, b_args, u"ANSIBLE_HOST_KEY_CHECKING/host_key_checking disabled") - if self._play_context.port is not None: - b_args = (b"-o", b"Port=" + to_bytes(self._play_context.port, nonstring='simplerepr', errors='surrogate_or_strict')) - self._add_args(b_command, b_args, u"ANSIBLE_REMOTE_PORT/remote_port/ansible_port set") - key = self._play_context.private_key_file - if key: - b_args = (b"-o", b'IdentityFile="' + to_bytes(os.path.expanduser(key), errors='surrogate_or_strict') + b'"') - self._add_args(b_command, b_args, u"ANSIBLE_PRIVATE_KEY_FILE/private_key_file/ansible_ssh_private_key_file set") - if not self._play_context.password: - self._add_args( - b_command, ( - b"-o", b"KbdInteractiveAuthentication=no", - b"-o", b"PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey", - b"-o", b"PasswordAuthentication=no" - ), - u"ansible_password/ansible_ssh_pass not set" - ) - user = self._play_context.remote_user - if user: - self._add_args( - b_command, - (b"-o", b"User=" + to_bytes(self._play_context.remote_user, errors='surrogate_or_strict')), - u"ANSIBLE_REMOTE_USER/remote_user/ansible_user/user/-u set" - ) - self._add_args( - b_command, - (b"-o", b"ConnectTimeout=" + to_bytes(self._play_context.timeout, errors='surrogate_or_strict', nonstring='simplerepr')), - u"ANSIBLE_TIMEOUT/timeout set" - ) - # Check if ControlPersist is enabled and add a ControlPath if one hasn't - # already been set. - controlpersist, controlpath = self._persistence_controls(b_command) - if controlpersist: - self._persistent = True - if not controlpath: - cpdir = unfrackpath(self.control_path_dir) - b_cpdir = to_bytes(cpdir, errors='surrogate_or_strict') - # The directory must exist and be writable. - makedirs_safe(b_cpdir, 0o700) - if not os.access(b_cpdir, os.W_OK): - raise AnsibleError("Cannot write to ControlPath %s" % to_native(cpdir)) - - if not self.control_path: - self.control_path = self._create_control_path( - self.host, - self.port, - self.user - ) - b_args = (b"-o", b"ControlPath=" + to_bytes(self.control_path % dict(directory=cpdir), errors='surrogate_or_strict')) - self._add_args(b_command, b_args, u"found only ControlPersist; added ControlPath") - - # Finally, we add any caller-supplied extras. - if other_args: - b_command += [to_bytes(a) for a in other_args] - - return b_command - - - def _send_initial_data(self, fh, in_data): - ''' - Writes initial data to the stdin filehandle of the subprocess and closes - it. (The handle must be closed; otherwise, for example, "sftp -b -" will - just hang forever waiting for more commands.) - ''' - - display.debug('Sending initial data') - - try: - if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): - fh.write(in_data) - if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): - fh.write(to_bytes(in_data)) - fh.close() - except (OSError, IOError): - raise AnsibleConnectionFailure('SSH Error: data could not be sent to remote host "%s". Make sure this host can be reached over ssh' % self.host) - - display.debug('Sent initial data (%d bytes)' % len(in_data)) - - - # Used by _run() to kill processes on failures - @staticmethod - def _terminate_process(p): - """ Terminate a process, ignoring errors """ - try: - p.terminate() - except (OSError, IOError): - pass - - - if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): - # This is separate from _run() because we need to do the same thing for stdout - # and stderr. - def _examine_output(self, source, state, chunk, sudoable): - ''' - Takes a string, extracts complete lines from it, tests to see if they - are a prompt, error message, etc., and sets appropriate flags in self. - Prompt and success lines are removed. - - Returns the processed (i.e. possibly-edited) output and the unprocessed - remainder (to be processed with the next chunk) as strings. - ''' - - output = [] - for l in chunk.splitlines(True): - suppress_output = False - - #display.debug("Examining line (source=%s, state=%s): '%s'" % (source, state, l.rstrip('\r\n'))) - if self._play_context.prompt and self.check_password_prompt(l): - display.debug("become_prompt: (source=%s, state=%s): '%s'" % (source, state, l.rstrip('\r\n'))) - self._flags['become_prompt'] = True - suppress_output = True - elif self._play_context.success_key and self.check_become_success(l): - display.debug("become_success: (source=%s, state=%s): '%s'" % (source, state, l.rstrip('\r\n'))) - self._flags['become_success'] = True - suppress_output = True - elif sudoable and self.check_incorrect_password(l): - display.debug("become_error: (source=%s, state=%s): '%s'" % (source, state, l.rstrip('\r\n'))) - self._flags['become_error'] = True - elif sudoable and self.check_missing_password(l): - display.debug("become_nopasswd_error: (source=%s, state=%s): '%s'" % (source, state, l.rstrip('\r\n'))) - self._flags['become_nopasswd_error'] = True - - if not suppress_output: - output.append(l) - - # The chunk we read was most likely a series of complete lines, but just - # in case the last line was incomplete (and not a prompt, which we would - # have removed from the output), we retain it to be processed with the - # next chunk. - - remainder = '' - if output and not output[-1].endswith('\n'): - remainder = output[-1] - output = output[:-1] - - return ''.join(output), remainder - - - if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): - # This is separate from _run() because we need to do the same thing for stdout - # and stderr. - def _examine_output(self, source, state, b_chunk, sudoable): - ''' - Takes a string, extracts complete lines from it, tests to see if they - are a prompt, error message, etc., and sets appropriate flags in self. - Prompt and success lines are removed. - Returns the processed (i.e. possibly-edited) output and the unprocessed - remainder (to be processed with the next chunk) as strings. - ''' - - output = [] - for b_line in b_chunk.splitlines(True): - display_line = to_text(b_line).rstrip('\r\n') - suppress_output = False - - # display.debug("Examining line (source=%s, state=%s): '%s'" % (source, state, display_line)) - if self._play_context.prompt and self.check_password_prompt(b_line): - display.debug("become_prompt: (source=%s, state=%s): '%s'" % (source, state, display_line)) - self._flags['become_prompt'] = True - suppress_output = True - elif self._play_context.success_key and self.check_become_success(b_line): - display.debug("become_success: (source=%s, state=%s): '%s'" % (source, state, display_line)) - self._flags['become_success'] = True - suppress_output = True - elif sudoable and self.check_incorrect_password(b_line): - display.debug("become_error: (source=%s, state=%s): '%s'" % (source, state, display_line)) - self._flags['become_error'] = True - elif sudoable and self.check_missing_password(b_line): - display.debug("become_nopasswd_error: (source=%s, state=%s): '%s'" % (source, state, display_line)) - self._flags['become_nopasswd_error'] = True - - if not suppress_output: - output.append(b_line) - - # The chunk we read was most likely a series of complete lines, but just - # in case the last line was incomplete (and not a prompt, which we would - # have removed from the output), we retain it to be processed with the - # next chunk. - - remainder = b'' - if output and not output[-1].endswith(b'\n'): - remainder = output[-1] - output = output[:-1] - - return b''.join(output), remainder - - - # only used from Ansible version 2.3 on forward - def _bare_run(self, cmd, in_data, sudoable=True, checkrc=True): - ''' - Starts the command and communicates with it until it ends. - ''' - - display_cmd = list(map(shlex_quote, map(to_text, cmd))) - display.vvv(u'SSH: EXEC {0}'.format(u' '.join(display_cmd)), host=self.host) - - # Start the given command. If we don't need to pipeline data, we can try - # to use a pseudo-tty (ssh will have been invoked with -tt). If we are - # pipelining data, or can't create a pty, we fall back to using plain - # old pipes. - - p = None - - if isinstance(cmd, (text_type, binary_type)): - cmd = to_bytes(cmd) - else: - cmd = map(to_bytes, cmd) - - if not in_data: - try: - # Make sure stdin is a proper pty to avoid tcgetattr errors - master, slave = pty.openpty() - if PY3 and self._play_context.password: - p = subprocess.Popen(cmd, stdin=slave, stdout=subprocess.PIPE, stderr=subprocess.PIPE, pass_fds=self.sshpass_pipe) - else: - p = subprocess.Popen(cmd, stdin=slave, stdout=subprocess.PIPE, stderr=subprocess.PIPE) - stdin = os.fdopen(master, 'wb', 0) - os.close(slave) - except (OSError, IOError): - p = None - - if not p: - if PY3 and self._play_context.password: - p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, pass_fds=self.sshpass_pipe) - else: - p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) - stdin = p.stdin - - # If we are using SSH password authentication, write the password into - # the pipe we opened in _build_command. - - if self._play_context.password: - os.close(self.sshpass_pipe[0]) - try: - os.write(self.sshpass_pipe[1], to_bytes(self._play_context.password) + b'\n') - except OSError as e: - # Ignore broken pipe errors if the sshpass process has exited. - if e.errno != errno.EPIPE or p.poll() is None: - raise - os.close(self.sshpass_pipe[1]) - - # - # SSH state machine - # - - # Now we read and accumulate output from the running process until it - # exits. Depending on the circumstances, we may also need to write an - # escalation password and/or pipelined input to the process. - - states = [ - 'awaiting_prompt', 'awaiting_escalation', 'ready_to_send', 'awaiting_exit' - ] - - # Are we requesting privilege escalation? Right now, we may be invoked - # to execute sftp/scp with sudoable=True, but we can request escalation - # only when using ssh. Otherwise we can send initial data straightaway. - - state = states.index('ready_to_send') - if b'ssh' in cmd: - if self._play_context.prompt: - # We're requesting escalation with a password, so we have to - # wait for a password prompt. - state = states.index('awaiting_prompt') - display.debug(u'Initial state: %s: %s' % (states[state], self._play_context.prompt)) - elif self._play_context.become and self._play_context.success_key: - # We're requesting escalation without a password, so we have to - # detect success/failure before sending any initial data. - state = states.index('awaiting_escalation') - display.debug(u'Initial state: %s: %s' % (states[state], self._play_context.success_key)) - - # We store accumulated stdout and stderr output from the process here, - # but strip any privilege escalation prompt/confirmation lines first. - # Output is accumulated into tmp_*, complete lines are extracted into - # an array, then checked and removed or copied to stdout or stderr. We - # set any flags based on examining the output in self._flags. - - b_stdout = b_stderr = b'' - b_tmp_stdout = b_tmp_stderr = b'' - - self._flags = dict( - become_prompt=False, become_success=False, - become_error=False, become_nopasswd_error=False - ) - - # select timeout should be longer than the connect timeout, otherwise - # they will race each other when we can't connect, and the connect - # timeout usually fails - timeout = 2 + self._play_context.timeout - for fd in (p.stdout, p.stderr): - fcntl.fcntl(fd, fcntl.F_SETFL, fcntl.fcntl(fd, fcntl.F_GETFL) | os.O_NONBLOCK) - - # TODO: bcoca would like to use SelectSelector() when open - # filehandles is low, then switch to more efficient ones when higher. - # select is faster when filehandles is low. - selector = selectors.DefaultSelector() - selector.register(p.stdout, selectors.EVENT_READ) - selector.register(p.stderr, selectors.EVENT_READ) - - # If we can send initial data without waiting for anything, we do so - # before we start polling - if states[state] == 'ready_to_send' and in_data: - self._send_initial_data(stdin, in_data) - state += 1 - - try: - while True: - poll = p.poll() - events = selector.select(timeout) - - # We pay attention to timeouts only while negotiating a prompt. - - if not events: - # We timed out - if state <= states.index('awaiting_escalation'): - # If the process has already exited, then it's not really a - # timeout; we'll let the normal error handling deal with it. - if poll is not None: - break - self._terminate_process(p) - raise AnsibleError('Timeout (%ds) waiting for privilege escalation prompt: %s' % (timeout, to_native(b_stdout))) - - # Read whatever output is available on stdout and stderr, and stop - # listening to the pipe if it's been closed. - - for key, event in events: - if key.fileobj == p.stdout: - b_chunk = p.stdout.read() - if b_chunk == b'': - # stdout has been closed, stop watching it - selector.unregister(p.stdout) - # When ssh has ControlMaster (+ControlPath/Persist) enabled, the - # first connection goes into the background and we never see EOF - # on stderr. If we see EOF on stdout, lower the select timeout - # to reduce the time wasted selecting on stderr if we observe - # that the process has not yet existed after this EOF. Otherwise - # we may spend a long timeout period waiting for an EOF that is - # not going to arrive until the persisted connection closes. - timeout = 1 - b_tmp_stdout += b_chunk - display.debug("stdout chunk (state=%s):\n>>>%s<<<\n" % (state, to_text(b_chunk))) - elif key.fileobj == p.stderr: - b_chunk = p.stderr.read() - if b_chunk == b'': - # stderr has been closed, stop watching it - selector.unregister(p.stderr) - b_tmp_stderr += b_chunk - display.debug("stderr chunk (state=%s):\n>>>%s<<<\n" % (state, to_text(b_chunk))) - - # We examine the output line-by-line until we have negotiated any - # privilege escalation prompt and subsequent success/error message. - # Afterwards, we can accumulate output without looking at it. - - if state < states.index('ready_to_send'): - if b_tmp_stdout: - b_output, b_unprocessed = self._examine_output('stdout', states[state], b_tmp_stdout, sudoable) - b_stdout += b_output - b_tmp_stdout = b_unprocessed - - if b_tmp_stderr: - b_output, b_unprocessed = self._examine_output('stderr', states[state], b_tmp_stderr, sudoable) - b_stderr += b_output - b_tmp_stderr = b_unprocessed - else: - b_stdout += b_tmp_stdout - b_stderr += b_tmp_stderr - b_tmp_stdout = b_tmp_stderr = b'' - - # If we see a privilege escalation prompt, we send the password. - # (If we're expecting a prompt but the escalation succeeds, we - # didn't need the password and can carry on regardless.) - - if states[state] == 'awaiting_prompt': - if self._flags['become_prompt']: - display.debug('Sending become_pass in response to prompt') - stdin.write(to_bytes(self._play_context.become_pass) + b'\n') - self._flags['become_prompt'] = False - state += 1 - elif self._flags['become_success']: - state += 1 - - # We've requested escalation (with or without a password), now we - # wait for an error message or a successful escalation. - - if states[state] == 'awaiting_escalation': - if self._flags['become_success']: - display.debug('Escalation succeeded') - self._flags['become_success'] = False - state += 1 - elif self._flags['become_error']: - display.debug('Escalation failed') - self._terminate_process(p) - self._flags['become_error'] = False - raise AnsibleError('Incorrect %s password' % self._play_context.become_method) - elif self._flags['become_nopasswd_error']: - display.debug('Escalation requires password') - self._terminate_process(p) - self._flags['become_nopasswd_error'] = False - raise AnsibleError('Missing %s password' % self._play_context.become_method) - elif self._flags['become_prompt']: - # This shouldn't happen, because we should see the "Sorry, - # try again" message first. - display.debug('Escalation prompt repeated') - self._terminate_process(p) - self._flags['become_prompt'] = False - raise AnsibleError('Incorrect %s password' % self._play_context.become_method) - - # Once we're sure that the privilege escalation prompt, if any, has - # been dealt with, we can send any initial data and start waiting - # for output. - - if states[state] == 'ready_to_send': - if in_data: - self._send_initial_data(stdin, in_data) - state += 1 - - # Now we're awaiting_exit: has the child process exited? If it has, - # and we've read all available output from it, we're done. - - if poll is not None: - if not selector.get_map() or not events: - break - # We should not see further writes to the stdout/stderr file - # descriptors after the process has closed, set the select - # timeout to gather any last writes we may have missed. - timeout = 0 - continue - - # If the process has not yet exited, but we've already read EOF from - # its stdout and stderr (and thus no longer watching any file - # descriptors), we can just wait for it to exit. - - elif not selector.get_map(): - p.wait() - break - - # Otherwise there may still be outstanding data to read. - finally: - selector.close() - # close stdin after process is terminated and stdout/stderr are read - # completely (see also issue #848) - stdin.close() - - if C.HOST_KEY_CHECKING: - if cmd[0] == b"sshpass" and p.returncode == 6: - raise AnsibleError('Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support ' - 'this. Please add this host\'s fingerprint to your known_hosts file to manage this host.') - - controlpersisterror = b'Bad configuration option: ControlPersist' in b_stderr or b'unknown configuration option: ControlPersist' in b_stderr - if p.returncode != 0 and controlpersisterror: - raise AnsibleError('using -c ssh on certain older ssh versions may not support ControlPersist, set ANSIBLE_SSH_ARGS="" ' - '(or ssh_args in [ssh_connection] section of the config file) before running again') - - # If we find a broken pipe because of ControlPersist timeout expiring (see #16731), - # we raise a special exception so that we can retry a connection. - controlpersist_broken_pipe = b'mux_client_hello_exchange: write packet: Broken pipe' in b_stderr - if p.returncode == 255 and controlpersist_broken_pipe: - raise AnsibleControlPersistBrokenPipeError('SSH Error: data could not be sent because of ControlPersist broken pipe.') - - if p.returncode == 255 and in_data and checkrc: - raise AnsibleConnectionFailure('SSH Error: data could not be sent to remote host "%s". Make sure this host can be reached over ssh' % self.host) - - return (p.returncode, b_stdout, b_stderr) - - - if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): - @_ssh_retry - def _run(self, cmd, in_data, sudoable=True, checkrc=True): - """Wrapper around _bare_run that retries the connection - """ - return self._bare_run(cmd, in_data, sudoable, checkrc) - - - if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): - def _run(self, cmd, in_data, sudoable=True): - ''' - Starts the command and communicates with it until it ends. - ''' - - display_cmd = map(to_unicode, map(pipes.quote, cmd)) - display.vvv(u'SSH: EXEC {0}'.format(u' '.join(display_cmd)), host=self.host) - - # Start the given command. If we don't need to pipeline data, we can try - # to use a pseudo-tty (ssh will have been invoked with -tt). If we are - # pipelining data, or can't create a pty, we fall back to using plain - # old pipes. - - p = None - - if isinstance(cmd, (text_type, binary_type)): - cmd = to_bytes(cmd) - else: - cmd = map(to_bytes, cmd) - - if not in_data: - try: - # Make sure stdin is a proper pty to avoid tcgetattr errors - master, slave = pty.openpty() - p = subprocess.Popen(cmd, stdin=slave, stdout=subprocess.PIPE, stderr=subprocess.PIPE) - stdin = os.fdopen(master, 'w', 0) - os.close(slave) - except (OSError, IOError): - p = None - - if not p: - p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) - stdin = p.stdin - - # If we are using SSH password authentication, write the password into - # the pipe we opened in _build_command. - - if self._play_context.password: - os.close(self.sshpass_pipe[0]) - os.write(self.sshpass_pipe[1], "{0}\n".format(to_bytes(self._play_context.password))) - os.close(self.sshpass_pipe[1]) - - ## SSH state machine - # - # Now we read and accumulate output from the running process until it - # exits. Depending on the circumstances, we may also need to write an - # escalation password and/or pipelined input to the process. - - states = [ - 'awaiting_prompt', 'awaiting_escalation', 'ready_to_send', 'awaiting_exit' - ] - - # Are we requesting privilege escalation? Right now, we may be invoked - # to execute sftp/scp with sudoable=True, but we can request escalation - # only when using ssh. Otherwise we can send initial data straightaway. - - state = states.index('ready_to_send') - if b'ssh' in cmd: - if self._play_context.prompt: - # We're requesting escalation with a password, so we have to - # wait for a password prompt. - state = states.index('awaiting_prompt') - display.debug('Initial state: %s: %s' % (states[state], self._play_context.prompt)) - elif self._play_context.become and self._play_context.success_key: - # We're requesting escalation without a password, so we have to - # detect success/failure before sending any initial data. - state = states.index('awaiting_escalation') - display.debug('Initial state: %s: %s' % (states[state], self._play_context.success_key)) - - # We store accumulated stdout and stderr output from the process here, - # but strip any privilege escalation prompt/confirmation lines first. - # Output is accumulated into tmp_*, complete lines are extracted into - # an array, then checked and removed or copied to stdout or stderr. We - # set any flags based on examining the output in self._flags. - - stdout = stderr = '' - tmp_stdout = tmp_stderr = '' - - self._flags = dict( - become_prompt=False, become_success=False, - become_error=False, become_nopasswd_error=False - ) - - # select timeout should be longer than the connect timeout, otherwise - # they will race each other when we can't connect, and the connect - # timeout usually fails - timeout = 2 + self._play_context.timeout - rpipes = [p.stdout, p.stderr] - for fd in rpipes: - fcntl.fcntl(fd, fcntl.F_SETFL, fcntl.fcntl(fd, fcntl.F_GETFL) | os.O_NONBLOCK) - - # If we can send initial data without waiting for anything, we do so - # before we call select. - - if states[state] == 'ready_to_send' and in_data: - self._send_initial_data(stdin, in_data) - state += 1 - - while True: - rfd, wfd, efd = select.select(rpipes, [], [], timeout) - - # We pay attention to timeouts only while negotiating a prompt. - - if not rfd: - if state <= states.index('awaiting_escalation'): - # If the process has already exited, then it's not really a - # timeout; we'll let the normal error handling deal with it. - if p.poll() is not None: - break - self._terminate_process(p) - raise AnsibleError('Timeout (%ds) waiting for privilege escalation prompt: %s' % (timeout, stdout)) - - # Read whatever output is available on stdout and stderr, and stop - # listening to the pipe if it's been closed. - - if p.stdout in rfd: - chunk = p.stdout.read() - if chunk == '': - rpipes.remove(p.stdout) - tmp_stdout += chunk - display.debug("stdout chunk (state=%s):\n>>>%s<<<\n" % (state, chunk)) - - if p.stderr in rfd: - chunk = p.stderr.read() - if chunk == '': - rpipes.remove(p.stderr) - tmp_stderr += chunk - display.debug("stderr chunk (state=%s):\n>>>%s<<<\n" % (state, chunk)) - - # We examine the output line-by-line until we have negotiated any - # privilege escalation prompt and subsequent success/error message. - # Afterwards, we can accumulate output without looking at it. - - if state < states.index('ready_to_send'): - if tmp_stdout: - output, unprocessed = self._examine_output('stdout', states[state], tmp_stdout, sudoable) - stdout += output - tmp_stdout = unprocessed - - if tmp_stderr: - output, unprocessed = self._examine_output('stderr', states[state], tmp_stderr, sudoable) - stderr += output - tmp_stderr = unprocessed - else: - stdout += tmp_stdout - stderr += tmp_stderr - tmp_stdout = tmp_stderr = '' - - # If we see a privilege escalation prompt, we send the password. - # (If we're expecting a prompt but the escalation succeeds, we - # didn't need the password and can carry on regardless.) - - if states[state] == 'awaiting_prompt': - if self._flags['become_prompt']: - display.debug('Sending become_pass in response to prompt') - stdin.write('{0}\n'.format(to_bytes(self._play_context.become_pass ))) - self._flags['become_prompt'] = False - state += 1 - elif self._flags['become_success']: - state += 1 - - # We've requested escalation (with or without a password), now we - # wait for an error message or a successful escalation. - - if states[state] == 'awaiting_escalation': - if self._flags['become_success']: - display.debug('Escalation succeeded') - self._flags['become_success'] = False - state += 1 - elif self._flags['become_error']: - display.debug('Escalation failed') - self._terminate_process(p) - self._flags['become_error'] = False - raise AnsibleError('Incorrect %s password' % self._play_context.become_method) - elif self._flags['become_nopasswd_error']: - display.debug('Escalation requires password') - self._terminate_process(p) - self._flags['become_nopasswd_error'] = False - raise AnsibleError('Missing %s password' % self._play_context.become_method) - elif self._flags['become_prompt']: - # This shouldn't happen, because we should see the "Sorry, - # try again" message first. - display.debug('Escalation prompt repeated') - self._terminate_process(p) - self._flags['become_prompt'] = False - raise AnsibleError('Incorrect %s password' % self._play_context.become_method) - - # Once we're sure that the privilege escalation prompt, if any, has - # been dealt with, we can send any initial data and start waiting - # for output. - - if states[state] == 'ready_to_send': - if in_data: - self._send_initial_data(stdin, in_data) - state += 1 - - # Now we're awaiting_exit: has the child process exited? If it has, - # and we've read all available output from it, we're done. - - if p.poll() is not None: - if not rpipes or not rfd: - break - - # When ssh has ControlMaster (+ControlPath/Persist) enabled, the - # first connection goes into the background and we never see EOF - # on stderr. If we see EOF on stdout and the process has exited, - # we're probably done. We call select again with a zero timeout, - # just to make certain we don't miss anything that may have been - # written to stderr between the time we called select() and when - # we learned that the process had finished. - - if p.stdout not in rpipes: - timeout = 0 - continue - - # If the process has not yet exited, but we've already read EOF from - # its stdout and stderr (and thus removed both from rpipes), we can - # just wait for it to exit. - - elif not rpipes: - p.wait() - break - - # Otherwise there may still be outstanding data to read. - - # close stdin after process is terminated and stdout/stderr are read - # completely (see also issue #848) - stdin.close() - - if C.HOST_KEY_CHECKING: - if cmd[0] == b"sshpass" and p.returncode == 6: - raise AnsibleError('Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this. Please add this host\'s fingerprint to your known_hosts file to manage this host.') - - controlpersisterror = 'Bad configuration option: ControlPersist' in stderr or 'unknown configuration option: ControlPersist' in stderr - if p.returncode != 0 and controlpersisterror: - raise AnsibleError('using -c ssh on certain older ssh versions may not support ControlPersist, set ANSIBLE_SSH_ARGS="" (or ssh_args in [ssh_connection] section of the config file) before running again') - - if p.returncode == 255 and in_data: - raise AnsibleConnectionFailure('SSH Error: data could not be sent to the remote host. Make sure this host can be reached over ssh') - - return (p.returncode, stdout, stderr) - - - def _exec_command(self, cmd, in_data=None, sudoable=True): - ''' run a command on the remote host ''' - - super(Connection, self).exec_command(cmd, in_data=in_data, sudoable=sudoable) - - display.vvv(u"ESTABLISH SSH CONNECTION FOR USER: {0}".format(self._play_context.remote_user), host=self._play_context.remote_addr) - - # we can only use tty when we are not pipelining the modules. piping - # data into /usr/bin/python inside a tty automatically invokes the - # python interactive-mode but the modules are not compatible with the - # interactive-mode ("unexpected indent" mainly because of empty lines) - - if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): - ssh_executable = self._play_context.ssh_executable - if in_data: - if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): - cmd = self._build_command('ssh', self.host, cmd) - if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): - cmd = self._build_command(ssh_executable, self.host, cmd) - else: - if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): - cmd = self._build_command('ssh', '-tt', self.host, cmd) - if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): - cmd = self._build_command(ssh_executable, '-tt', self.host, cmd) - - (returncode, stdout, stderr) = self._run(cmd, in_data, sudoable=sudoable) - - return (returncode, stdout, stderr) - - - def dir_print(self,obj): - for attr_name in dir(obj): - try: - attr_value = getattr(obj, attr_name) - print(attr_name, attr_value, callable(attr_value)) - except: - pass - - - # - # Main public methods - # - def exec_command(self, cmd, in_data=None, sudoable=False): - ''' run a command on the chroot ''' - display.vvv('XXX exec_command: %s' % cmd) - super(Connection, self).exec_command(cmd, in_data=in_data, sudoable=sudoable) - - if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): - ssh_executable = self._play_context.ssh_executable - ##print dir(self) - ##print dir(self._play_context) - ##print self._play_context._attributes - #self.dir_print(self._play_context) - #vm = self._play_context.get_ds() - #print( vm ) - #raise "blah" - h = self.container_name - if (self.lxc_version == 2): - lxc_cmd = 'sudo -i lxc exec %s --mode=non-interactive -- /bin/sh -c %s' \ - % (pipes.quote(h), - pipes.quote(cmd)) - elif (self.lxc_version == 1): - lxc_cmd = 'sudo -i lxc-attach --name %s -- /bin/sh -c %s' \ - % (pipes.quote(h), - pipes.quote(cmd)) - if in_data: - if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): - cmd = self._build_command('ssh', self.host, lxc_cmd) - if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): - cmd = self._build_command(ssh_executable, self.host, lxc_cmd) - else: - if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): - cmd = self._build_command('ssh', '-tt', self.host, lxc_cmd) - if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): - cmd = self._build_command(ssh_executable, '-tt', self.host, lxc_cmd) - #self.ssh.exec_command(lxc_cmd,in_data,sudoable) - (returncode, stdout, stderr) = self._run(cmd, in_data, sudoable=sudoable) - return (returncode, stdout, stderr) - - - def put_file(self, in_path, out_path): - ''' transfer a file from local to lxc ''' - super(Connection, self).put_file(in_path, out_path) - if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): - display.vvv('XXX put_file %s %s' % (in_path,out_path)) - if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): - display.vvv(u"PUT {0} TO {1}".format(in_path, out_path), host=self.host) - ssh_executable = self._play_context.ssh_executable - - if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): - if not os.path.exists(in_path): - raise errors.AnsibleFileNotFound("file or module does not exist: %s" % in_path) - if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): - if not os.path.exists(to_bytes(in_path, errors='surrogate_or_strict')): - raise AnsibleFileNotFound("file or module does not exist: {0}".format(to_native(in_path))) - - with open(in_path,'r') as in_f: - in_data = in_f.read() - cmd = ('cat > %s; echo -n done' % pipes.quote(out_path)) - h = self.container_name - if (self.lxc_version == 2): - lxc_cmd = 'sudo lxc exec %s --mode=non-interactive -- /bin/sh -c %s' \ - % (pipes.quote(h), - pipes.quote(cmd)) - elif (self.lxc_version == 1): - lxc_cmd = 'sudo lxc-attach --name %s -- /bin/sh -c %s' \ - % (pipes.quote(h), - pipes.quote(cmd)) - if in_data: - if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): - cmd = self._build_command('ssh', self.host, lxc_cmd) - if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): - cmd = self._build_command(ssh_executable, self.host, lxc_cmd) - else: - if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): - cmd = self._build_command('ssh', '-tt', self.host, lxc_cmd) - if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): - cmd = self._build_command(ssh_executable, '-tt', self.host, lxc_cmd) - #self.ssh.exec_command(lxc_cmd,in_data,sudoable) - (returncode, stdout, stderr) = self._run(cmd, in_data, sudoable=False) - return (returncode, stdout, stderr) - - - def fetch_file(self, in_path, out_path): - ''' fetch a file from lxc to local ''' - super(Connection, self).fetch_file(in_path, out_path) - if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): - display.vvv('XXX fetch_file %s %s' % (in_path,out_path)) - if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): - display.vvv(u"FETCH {0} TO {1}".format(in_path, out_path), host=self.host) - ssh_executable = self._play_context.ssh_executable - - if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): - cmd = ('cat %s' % pipes.quote(in_path)) - if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): - cmd = ('cat < %s' % pipes.quote(in_path)) - h = self.container_name - if (self.lxc_version == 2): - lxc_cmd = 'sudo lxc exec %s --mode=non-interactive -- /bin/sh -c %s' \ - % (pipes.quote(h), - pipes.quote(cmd)) - elif (self.lxc_version == 1): - lxc_cmd = 'sudo lxc-attach --name %s -- /bin/sh -c %s' \ - % (pipes.quote(h), - pipes.quote(cmd)) - - if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): - in_data = None - if in_data: - cmd = self._build_command('ssh', self.host, lxc_cmd) - else: - cmd = self._build_command('ssh', '-tt', self.host, lxc_cmd) - (returncode, stdout, stderr) = self._run(cmd, in_data, sudoable=False) - if returncode != 0: - raise AnsibleError("failed to transfer file from {0}:\n{1}\n{2}".format(in_path, stdout, stderr)) - with open(out_path,'w') as out_f: - out_f.write(stdout) - - if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): - cmd = self._build_command(ssh_executable, self.host, lxc_cmd) - (returncode, stdout, stderr) = self._run(cmd, None, sudoable=False) - - if returncode != 0: - raise AnsibleError("failed to transfer file from {0}:\n{1}\n{2}".format(in_path, stdout, stderr)) - with open(out_path,'w') as out_f: - out_f.write(stdout) - - return (returncode, stdout, stderr) - - - # only used from Ansible version 2.3 on forward - def reset(self): - # If we have a persistent ssh connection (ControlPersist), we can ask it to stop listening. - cmd = self._build_command(self._play_context.ssh_executable, '-O', 'stop', self.host) - controlpersist, controlpath = self._persistence_controls(cmd) - if controlpersist: - display.vvv(u'sending stop: %s' % cmd) - p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) - stdout, stderr = p.communicate() - status_code = p.wait() - if status_code != 0: - raise AnsibleError("Cannot reset connection:\n%s" % stderr) - self.close() - - - def close(self): - ''' terminate the connection; nothing to do here ''' - display.vvv('XXX close') - super(Connection, self).close() - #self.ssh.close() - self._connected = False diff --git a/ansible/group_vars/all/bird.yml b/ansible/group_vars/all/bird.yml new file mode 100644 index 0000000..dce5afa --- /dev/null +++ b/ansible/group_vars/all/bird.yml @@ -0,0 +1,3 @@ +# which version of bird is used, 0-padded with 3 digits +# 2.15 => 2015 +birdv: 0 diff --git a/ansible/group_vars/all/ipam.yml b/ansible/group_vars/all/ipam.yml new file mode 100644 index 0000000..7c3bd0b --- /dev/null +++ b/ansible/group_vars/all/ipam.yml @@ -0,0 +1,102 @@ +# Netmasks for prefixes: +# 48: ffff:ffff:ffff:0000:: +# 52: ffff:ffff:ffff:f000:: +# 56: ffff:ffff:ffff:ff00:: +# 60: ffff:ffff:ffff:fff0:: +# 64: ffff:ffff:ffff:ffff:: +# 80: ffff:ffff:ffff:ffff:ffff: +ipam6: + networks: + bitraf_dn42: + range: "fdb1:4242:3538::/48" + tnet_dn42: + range: "fdb1:4242:3538:2000::/52" + unused_2001: + range: "fdb1:4242:3538:2001::/64" + node1_dn42: + range: "fdb1:4242:3538:2002::/64" + hosts: + node1: "fdb1:4242:3538:2002::ffff" + node2_dn42: + range: "fdb1:4242:3538:2003::/64" + hosts: + node2: "fdb1:4242:3538:2003::ffff" + knot_dn42: + range: "fdb1:4242:3538:2004::/64" + hosts: + knot: "fdb1:4242:3538:2004::ffff" + coregonus_dn42: + range: "fdb1:4242:3538:2005::/64" + hosts: + coregonus: "fdb1:4242:3538:2005::ffff" + coregonus_docker: + range: "fdb1:4242:3538:2005:df01:676a:ec28:0a00/120" + kv24_pub: + range: "2a01:799:111d:1801::/64" + hosts: + ha-kv24: "fdb1:4242:3538:2005:c534:9d54:8212:1ced/64" + kv24_dn42: + range: "fdb1:4242:3538:2006::/64" + hosts: + kv24ix: "fdb1:4242:3538:2006::ffff" + hash_dn42: + range: "fdb1:4242:3538:2007::/64" + hosts: + hash: "fdb1:4242:3538:2007::ffff" + hash_docker_dn42: + range: "fdb1:4242:3538:2007:1001::/112" + lhn2_dn42: + range: "fdb1:4242:3538:2008::/64" + hosts: + lhn2pi: "fdb1:4242:3538:2008::ffff" + lhn2-z2m: "fdb1:4242:3538:2008:9aed:e460:1711:07dd" + conflatorio: "fdb1:4242:3538:2008:8042:32ff:fe0c:7161" + danneri: "fdb1:4242:3538:2008:9422:d355:95b7:f170" + unifi: "fdb1:4242:3538:2008:5054:ff:fe4d:96c" + +# k8s: +# range: "fdb1:4242:3538:3000::/52" + danneri_cluster: + range: "fdb1:4242:3538:2008:aaaa:aaaa:aaaa::/112" + danneri_service: + range: "fdb1:4242:3538:2008:bbbb:bbbb:bbbb::/112" +# danneri_service2: +# range: "fdb1:4242:3538:300a::/112" + + dn42: + range: "fd00::/8" + +routers: + knot: + as: 4242423538 + peers: + hash: + routedbits_lon1: + as: 4242420207 + hash: + as: 4242423538 + peers: + knot: + lhn2: + as: 4242423538 + peers: + knot: + node1: + as: 4242423538 + peers: + knot: + hash: + node2: + as: 4242423538 + peers: + knot: + hash: + kv24: + as: 4242423538 + peers: + knot: + danneri: + as: 4242423538 + peers: + knot: + hash: diff --git a/ansible/host_vars/danneri/systemd-networkd.yml b/ansible/host_vars/danneri/systemd-networkd.yml new file mode 100644 index 0000000..023e276 --- /dev/null +++ b/ansible/host_vars/danneri/systemd-networkd.yml @@ -0,0 +1,2 @@ +systemd_networkd__files: + - danneri/systemd-networkd/enp1s0.network diff --git a/ansible/host_vars/hash/roa-server.vault.yml b/ansible/host_vars/hash/roa-server.vault.yml new file mode 100644 index 0000000..a750fb2 --- /dev/null +++ b/ansible/host_vars/hash/roa-server.vault.yml @@ -0,0 +1,19 @@ +$ANSIBLE_VAULT;1.1;AES256 +38363463316565643131623966623232623833613832383566353166636462613237396635396239 +3832343533663432353731353231313732386662333035330a363464616131316264613331383333 +31353331336166313361623833343135653761653133623931396464383436633132393963303462 +3630653434643266610a613130653961636362313065353833613036623239333635643164333266 +64373064363563666435383062626139356630643163386134366133333933383939343265646365 +33323165353331656232303133613263346530376333336565393235393564373562613732323766 +32613534306565386135303263383561316230303434656664323635666463663062313661343338 +39313535393964383232643337666364343763623964303130343631393964633330303038666364 +64346362343066643566333030313232396334643139613066336332633466663466663530346339 +39613430303461326431663832386537643061313961663332356661663535306266323064313634 +62393663373364336239626233396336636232376532343732616432343031653361383734333235 +31343032396532313531396135376263373163396634626166363366663365653562613130313839 +65656136633965643035353234333037663363616366323830333265616236613761323836303461 +39656237343561646166616265383630366432333631303938393938346232613039373735356333 +36626537353564353662616566643635336464336432636464616663336661373965323035326232 +34373831613465313161343132383036666338303166626639646539303438376335323261356532 +34346535656462646562333332393561656262656631303465346330643934343039663762396563 +3437326539616661643163396461663930376232396136333634 diff --git a/ansible/host_vars/lhn2pi/all.yml b/ansible/host_vars/lhn2pi/all.yml new file mode 100644 index 0000000..447906a --- /dev/null +++ b/ansible/host_vars/lhn2pi/all.yml @@ -0,0 +1,2 @@ +systemd_networkd__files: + - lhn2pi/systemd/network/10-eth0.network diff --git a/ansible/host_vars/unifi/systemd-networkd.yml b/ansible/host_vars/unifi/systemd-networkd.yml new file mode 100644 index 0000000..4ee9ee6 --- /dev/null +++ b/ansible/host_vars/unifi/systemd-networkd.yml @@ -0,0 +1,2 @@ +systemd_networkd__files: + - unifi/systemd-networkd/enp1s0.network diff --git a/ansible/inventory b/ansible/inventory index 4e2d0b2..91e463e 100644 --- a/ansible/inventory +++ b/ansible/inventory @@ -29,12 +29,10 @@ all: ansible_python_interpreter: /usr/bin/python3 nextcloud: ansible_host: 192.168.10.201 - unifi: - ansible_host: 192.168.10.202 babypi: ansible_host: 192.168.10.159 - astyanax: - ansible_host: astyanax.vpn.trygvis.io + # astyanax: + # ansible_host: astyanax.vpn.trygvis.io sweetzpot-mobile: ansible_host: 192.168.10.123 sweetzpot-macos: @@ -44,6 +42,12 @@ all: ansible_host: lhn2pi.vpn.trygvis.io lhn2ix: kv24ix: + coregonus: + ansible_host: 192.168.10.190 + danneri: + ansible_host: danneri.dn42.trygvis.io + unifi: + ansible_host: unifi.dn42.trygvis.io node1: ansible_host: 9859f51e-1e3e-4c05-a826-b7fbe18d91be.pub.instances.scw.cloud @@ -81,7 +85,6 @@ all: malabaricus: nextcloud: numquam: - unifi: lxc_hosts: hosts: arius: @@ -98,7 +101,6 @@ all: debian_stretch: hosts: malabaricus: - unifi: vars: packages__version: stretch @@ -148,10 +150,12 @@ all: android-trygvis: arius: astyanax: + state: absent babypi: birgitte: biwia: conflatorio: + coregonus: hash: knot: kv24ix: @@ -173,6 +177,8 @@ all: hosts: akili: astyanax: + conflatorio: + coregonus: hash: knot: kv24ix: @@ -185,6 +191,8 @@ all: hosts: akili: astyanax: + conflatorio: + coregonus: hash: knot: lhn2pi: diff --git a/ansible/plays/danneri.yml b/ansible/plays/danneri.yml new file mode 100644 index 0000000..6b4265a --- /dev/null +++ b/ansible/plays/danneri.yml @@ -0,0 +1,27 @@ +- hosts: + - danneri + tasks: + - import_role: + name: systemd-networkd + + - meta: flush_handlers + + - become: yes + apt: + name: + - etckeeper + - import_role: + name: timezone + + - become: yes + tags: k3s + copy: + dest: /etc/rancher/k3s/config.yaml + content: | + tls-san: + - "danneri.dn42.trygvis.io" + - "{{ ipam6.networks.lhn2_dn42.hosts.danneri }}" + - "2a06:2240:f00d:b500:9422:d355:95b7:f170" + cluster-cidr: "{{ ipam6.networks.danneri_cluster.range }}" + service-cidr: "{{ ipam6.networks.danneri_service.range }}" + diff --git a/ansible/plays/host-hash.yml b/ansible/plays/host-hash.yml new file mode 100644 index 0000000..62b781f --- /dev/null +++ b/ansible/plays/host-hash.yml @@ -0,0 +1,10 @@ +- hosts: hash + tasks: + - become: yes + copy: + dest: /etc/docker/daemon.json + content: | + { + "ipv6": true, + "fixed-cidr-v6": "{{ ipam6.networks.hash_docker_dn42.range }}" + } diff --git a/ansible/plays/host-lhn2pi.yml b/ansible/plays/host-lhn2pi.yml new file mode 100644 index 0000000..551c3dd --- /dev/null +++ b/ansible/plays/host-lhn2pi.yml @@ -0,0 +1,6 @@ +- hosts: + - lhn2pi + roles: + - systemd-networkd + - prometheus-bird-exporter + - prometheus-node-exporter diff --git a/ansible/plays/host-unifi.yml b/ansible/plays/host-unifi.yml new file mode 100644 index 0000000..41fb292 --- /dev/null +++ b/ansible/plays/host-unifi.yml @@ -0,0 +1,18 @@ +- hosts: + - unifi + tasks: + - become: yes + apt: + name: + - etckeeper + + - import_role: + name: timezone + + - import_role: + name: systemd-networkd + + - become: yes + apt: + name: + - docker.io diff --git a/ansible/plays/ipam-generate-dns.yml b/ansible/plays/ipam-generate-dns.yml new file mode 100644 index 0000000..25f8087 --- /dev/null +++ b/ansible/plays/ipam-generate-dns.yml @@ -0,0 +1,34 @@ +- hosts: localhost + gather_facts: no + connection: local + vars_files: + - ../group_vars/all/ipam.yml + tasks: + - set_fact: + content: | + {% set hosts = [] %} + {% for nw_name, network in ipam6.networks.items() %} + {% for host, address in (network.hosts|default({})).items() %} + {{- hosts.append({'name': host, 'address': address}) -}} + {% endfor %} + {% endfor %} + # Generated from ansible data + {% for h in hosts|sort(attribute='name') %} + + resource "linode_domain_record" "dn42-{{ h.name }}" { + domain_id = linode_domain.root.id + name = "{{ h.name }}.dn42" + record_type = "AAAA" + target = "{{ h.address|ansible.utils.ipv6('address') }}" + } + {% endfor %} + - debug: + msg: "{{ content }}" + when: false + - name: Generating ../../terraform/dns/dn42.tf + register: tf + copy: + dest: ../../terraform/dns/dn42.tf + content: "{{ content }}" + - shell: terraform fmt ../../terraform/ipam6/ipam6.tf + when: "tf.changed" diff --git a/ansible/plays/ipam-generate-tf.yml b/ansible/plays/ipam-generate-tf.yml new file mode 100644 index 0000000..d9888b4 --- /dev/null +++ b/ansible/plays/ipam-generate-tf.yml @@ -0,0 +1,55 @@ +- hosts: localhost + gather_facts: no + connection: local + vars_files: + - ../group_vars/all/ipam.yml + collections: + - ansible.utils + tasks: + - name: Generate terraform/ipam6/ipam6.tf + register: tf + copy: + dest: ../../terraform/ipam6/ipam6.tf + content: | + output "networks" { + value = { + {% for name, network in ipam6.networks.items() %} + {% if not (network.range | ansible.utils.ipv6) %} + Invalid network: {{ network.range }} + {% endif %} + {{ name }} = { + {% if network.description|default("") %} + description = "{{ network.description }}" + {% endif %} + range = "{{ network.range }}" + address = "{{ network.range|ansible.utils.ipaddr("network") }}" + prefix = "{{ network.range|ansible.utils.ipaddr("prefix") }}" + {% set hosts = network.hosts|default({}) %} + hosts = { + {% for name, addr in hosts.items() %} + {{ name }} = { + address: "{{ addr|ansible.utils.ipaddr("address") }}" + prefix: "{{ addr|ansible.utils.ipaddr("prefix") }}" + } + {% endfor %} + } + } + {% endfor %} + } + } + + output "hosts" { + value = { + {% for name, network in ipam6.networks.items() %} + {% set hosts = network.hosts|default({}) %} + {% for name, addr in hosts.items() %} + {{ name }} = { + address: "{{ addr|ansible.utils.ipaddr("address") }}" + prefix: "{{ addr|ansible.utils.ipaddr("prefix") }}" + } + {% endfor %} + {% endfor %} + } + } + - shell: terraform fmt ../../terraform/ipam6/ipam6.tf + when: "tf.changed" diff --git a/ansible/plays/otelcol-contrib.yml b/ansible/plays/otelcol-contrib.yml new file mode 100644 index 0000000..f667337 --- /dev/null +++ b/ansible/plays/otelcol-contrib.yml @@ -0,0 +1,29 @@ +- hosts: + - coregonus + - hash + - knot + tasks: + + # otelcol-contrib.deb needs to be installed first + # adduser otelcol-contrib systemd-journal + + - name: /etc/otelcol-contrib/config.yaml + become: yes + template: + src: otelcol-contrib/config.yaml + dest: /etc/otelcol-contrib/config.yaml + notify: systemctl restart otelcol-contrib + + - name: mkdir /var/lib/otelcol/file_storage + become: yes + file: + path: /var/lib/otelcol/file_storage + owner: otelcol-contrib + notify: systemctl restart otelcol-contrib + + handlers: + - name: systemctl restart otelcol-contrib + become: yes + systemd: + service: otelcol-contrib + state: restarted diff --git a/ansible/plays/roa-server.yml b/ansible/plays/roa-server.yml new file mode 100644 index 0000000..c662640 --- /dev/null +++ b/ansible/plays/roa-server.yml @@ -0,0 +1,25 @@ +- hosts: + - hash + tasks: + - name: mkdir /etc/docker-service/roa-server + become: true + file: + path: /etc/docker-service/roa-server + state: directory + mode: 0700 + - name: Install /etc/docker-service/roa-server/private.pem + become: true + copy: + dest: /etc/docker-service/roa-server/private.pem + content: "{{ roa_server.private }}" + owner: root + group: root + mode: 0444 + + - import_role: + name: docker-service + vars: + service: roa-server + template: templates/roa-server/docker-compose.yml +# systemd_enabled: no +# systemd_state: stopped diff --git a/ansible/plays/templates/danneri/systemd-networkd/enp1s0.network b/ansible/plays/templates/danneri/systemd-networkd/enp1s0.network new file mode 100644 index 0000000..b38116c --- /dev/null +++ b/ansible/plays/templates/danneri/systemd-networkd/enp1s0.network @@ -0,0 +1,8 @@ +[Match] +Name=enp1s0 + +[Network] +DHCP=ipv4 + +[IPv6AcceptRA] +Token=static:{{ ipam6.networks.lhn2_dn42.hosts.danneri }} diff --git a/ansible/plays/templates/lhn2pi/systemd/network/10-eth0.network b/ansible/plays/templates/lhn2pi/systemd/network/10-eth0.network new file mode 100644 index 0000000..853556d --- /dev/null +++ b/ansible/plays/templates/lhn2pi/systemd/network/10-eth0.network @@ -0,0 +1,11 @@ +[Match] +Name=eth0 + +[Network] +DHCP=ipv4 +Address={{ ipam6.networks.lhn2_dn42.hosts.lhn2pi }} +# IPv6Forwarding=yes # needs newer systemd + +# Disables the automatic activation of DHCPv6 from RA packets +[IPv6AcceptRA] +DHCPv6Client=no diff --git a/ansible/plays/templates/otelcol-contrib/config.yaml b/ansible/plays/templates/otelcol-contrib/config.yaml new file mode 100644 index 0000000..671dbaa --- /dev/null +++ b/ansible/plays/templates/otelcol-contrib/config.yaml @@ -0,0 +1,65 @@ +receivers: + journald: + priority: debug + +exporters: + debug: + verbosity: detailed + + nop: + + otlphttp/hash: + endpoint: https://loki.trygvis.io/otlp + +extensions: + file_storage/journald: + +processors: + batch: {} + + transform/severity_parse: + log_statements: + - context: log + statements: + - set(resource.attributes["service.namespace"], "systemd") + - set(resource.attributes["service.name"], body["_SYSTEMD_UNIT"]) + - set(resource.attributes["systemd_unit"], body["_SYSTEMD_UNIT"]) + - set(resource.attributes["systemd_slice"], body["_SYSTEMD_SLICE"]) + - set(resource.attributes["node"], body["_HOSTNAME"]) + + - set(severity_number, SEVERITY_NUMBER_TRACE) where body["PRIORITY"] == "7" + - set(severity_text, "debug") where body["PRIORITY"] == "7" + - set(severity_number, SEVERITY_NUMBER_DEBUG) where body["PRIORITY"] == "6" + - set(severity_text, "info") where body["PRIORITY"] == "6" + - set(severity_number, SEVERITY_NUMBER_INFO) where body["PRIORITY"] == "5" + - set(severity_text, "notice") where body["PRIORITY"] == "5" + - set(severity_number, SEVERITY_NUMBER_WARN) where body["PRIORITY"] == "4" + - set(severity_text, "warning") where body["PRIORITY"] == "4" + - set(severity_number, SEVERITY_NUMBER_ERROR) where body["PRIORITY"] == "3" + - set(severity_text, "err") where body["PRIORITY"] == "3" + - set(severity_number, SEVERITY_NUMBER_FATAL) where body["PRIORITY"] == "2" + - set(severity_text, "crit") where body["PRIORITY"] == "2" + - set(severity_number, SEVERITY_NUMBER_FATAL) where body["PRIORITY"] == "1" + - set(severity_text, "alert") where body["PRIORITY"] == "1" + - set(severity_number, SEVERITY_NUMBER_FATAL) where body["PRIORITY"] == "0" + - set(severity_text, "emerg") where body["PRIORITY"] == "0" + + - set(body, body["MESSAGE"]) + +service: +# telemetry: +# logs: +# level: debug + extensions: + - file_storage/journald + pipelines: + logs: + receivers: + - journald + processors: + - transform/severity_parse + - batch + exporters: +# - debug +# - nop + - otlphttp/hash diff --git a/ansible/plays/templates/roa-server/docker-compose.yml b/ansible/plays/templates/roa-server/docker-compose.yml new file mode 100644 index 0000000..c11933c --- /dev/null +++ b/ansible/plays/templates/roa-server/docker-compose.yml @@ -0,0 +1,14 @@ +version: "3" +services: + stayrtr: + image: rpki/stayrtr:latest # no tagged images are available :( + volumes: + - /etc/docker-service/roa-server/id_ecdsa:/id_ecdsa:ro + ports: + - 8022:8022 + command: + - -bind= + - -ssh.bind=:8022 + - -ssh.key=/id_ecdsa + - -checktime=false + - -cache=https://dn42.burble.com/roa/dn42_roa_46.json diff --git a/ansible/plays/templates/unifi/systemd-networkd/enp1s0.network b/ansible/plays/templates/unifi/systemd-networkd/enp1s0.network new file mode 100644 index 0000000..251bf45 --- /dev/null +++ b/ansible/plays/templates/unifi/systemd-networkd/enp1s0.network @@ -0,0 +1,8 @@ +[Match] +Name=enp1s0 + +[Network] +DHCP=ipv4 + +[IPv6AcceptRA] +Token=static:{{ ipam6.networks.lhn2_dn42.hosts.unifi }} diff --git a/ansible/prometheus/deploy-config.yml b/ansible/prometheus/deploy-config.yml new file mode 100644 index 0000000..472d05c --- /dev/null +++ b/ansible/prometheus/deploy-config.yml @@ -0,0 +1,19 @@ +- hosts: + - conflatorio + tasks: + - become: yes + file: + path: /etc/docker-service/prometheus + state: directory + owner: root + group: root + + - become: yes + notify: reload prometheus + copy: + dest: /etc/docker-service/prometheus/prometheus.yml + src: "{{ inventory_hostname }}/prometheus.yml" + + handlers: + - name: reload prometheus + shell: docker kill --signal HUP prometheus diff --git a/ansible/prometheus/files/conflatorio/prometheus.yml b/ansible/prometheus/files/conflatorio/prometheus.yml new file mode 100644 index 0000000..9fc1316 --- /dev/null +++ b/ansible/prometheus/files/conflatorio/prometheus.yml @@ -0,0 +1,25 @@ +global: + scrape_interval: 15s + evaluation_interval: 15s + +rule_files: + # - "first.rules" + # - "second.rules" + +scrape_configs: + - job_name: prometheus + static_configs: + - targets: ['localhost:9090'] + + - job_name: node + static_configs: + - targets: + - "knot.vpn.trygvis.io:9100" + - "hash.vpn.trygvis.io:9323" + - "conflatorio.vpn.trygvis.io:9100" + + - job_name: bird + static_configs: + - targets: + - "knot.vpn.trygvis.io:9324" + - "conflatorio.vpn.trygvis.io:9324" diff --git a/ansible/roles/prometheus-bird-exporter/handlers/main.yml b/ansible/roles/prometheus-bird-exporter/handlers/main.yml new file mode 100644 index 0000000..f4f9381 --- /dev/null +++ b/ansible/roles/prometheus-bird-exporter/handlers/main.yml @@ -0,0 +1,5 @@ +- name: restart + become: yes + systemd: + name: prometheus-bird-exporter + state: restarted diff --git a/ansible/roles/prometheus-bird-exporter/tasks/main.yml b/ansible/roles/prometheus-bird-exporter/tasks/main.yml new file mode 100644 index 0000000..6d8b999 --- /dev/null +++ b/ansible/roles/prometheus-bird-exporter/tasks/main.yml @@ -0,0 +1,18 @@ +- become: yes + package: + name: "{{ items }}" + state: present + vars: + items: + - prometheus-bird-exporter +- name: /etc/default/prometheus-bird-exporter + become: yes + copy: + dest: /etc/default/prometheus-bird-exporter + content: | + # Set the command-line arguments to pass to the server. + # Due to shell escaping, to pass backslashes for regexes, you need to double + # them (\\d for \d). If running under systemd, you need to double them again + # (\\\\d to mean \d), and escape newlines too. + ARGS="-bird.v2 -format.new" + notify: restart diff --git a/ansible/roles/prometheus-node-exporter/handlers/main.yml b/ansible/roles/prometheus-node-exporter/handlers/main.yml new file mode 100644 index 0000000..f4f9381 --- /dev/null +++ b/ansible/roles/prometheus-node-exporter/handlers/main.yml @@ -0,0 +1,5 @@ +- name: restart + become: yes + systemd: + name: prometheus-bird-exporter + state: restarted diff --git a/ansible/roles/prometheus-node-exporter/tasks/main.yml b/ansible/roles/prometheus-node-exporter/tasks/main.yml new file mode 100644 index 0000000..e7c6d18 --- /dev/null +++ b/ansible/roles/prometheus-node-exporter/tasks/main.yml @@ -0,0 +1,18 @@ +- become: yes + package: + name: "{{ items }}" + state: present + vars: + items: + - prometheus-node-exporter +- name: /etc/default/prometheus-node-exporter + become: yes + copy: + dest: /etc/default/prometheus-node-exporter + content: | + # Set the command-line arguments to pass to the server. + # Due to shell escaping, to pass backslashes for regexes, you need to double + # them (\\d for \d). If running under systemd, you need to double them again + # (\\\\d to mean \d), and escape newlines too. + ARGS="" + notify: restart diff --git a/ansible/roles/superusers/tasks/main.yml b/ansible/roles/superusers/tasks/main.yml index c1f5a47..12672ec 100644 --- a/ansible/roles/superusers/tasks/main.yml +++ b/ansible/roles/superusers/tasks/main.yml @@ -16,7 +16,7 @@ unix_groups: - sudo - systemd-journal - with_items: "{{ unix_groups }}" + with_items: "{{ unix_groups + (['docker'] if 'docker' in getent_group else []) }}" loop_control: loop_var: group include_tasks: adjust-group.yml diff --git a/ansible/roles/systemd-networkd/handlers/main.yml b/ansible/roles/systemd-networkd/handlers/main.yml index 9656da4..c9b2603 100644 --- a/ansible/roles/systemd-networkd/handlers/main.yml +++ b/ansible/roles/systemd-networkd/handlers/main.yml @@ -1,4 +1,5 @@ -- name: restart +- name: reload + become: yes systemd: name: systemd-networkd - state: restarted + state: reloaded diff --git a/ansible/roles/systemd-networkd/tasks/main.yml b/ansible/roles/systemd-networkd/tasks/main.yml index 13c167b..aed4168 100644 --- a/ansible/roles/systemd-networkd/tasks/main.yml +++ b/ansible/roles/systemd-networkd/tasks/main.yml @@ -1,9 +1,18 @@ -- systemd: +- become: yes + systemd: name: systemd-networkd state: started enabled: yes -- loop: "{{ systemd_networkd__files | default([]) }}" - copy: +- name: mkdir /etc/systemd/network + become: yes + file: + path: "/etc/systemd/network" + state: directory + owner: systemd-network + group: systemd-network +- become: yes + loop: "{{ systemd_networkd__files | default([]) }}" + template: src: "{{ item }}" dest: "/etc/systemd/network/{{ item | basename }}" - notify: restart + notify: reload diff --git a/ansible/roles/unifi/handlers/main.yml b/ansible/roles/unifi/handlers/main.yml deleted file mode 100644 index ce78323..0000000 --- a/ansible/roles/unifi/handlers/main.yml +++ /dev/null @@ -1,3 +0,0 @@ -- name: update apt cache - apt: - update_cache: yes diff --git a/ansible/roles/unifi/tasks/main.yml b/ansible/roles/unifi/tasks/main.yml deleted file mode 100644 index 11c4c00..0000000 --- a/ansible/roles/unifi/tasks/main.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- -- name: Ubiquiti APT key - notify: update apt cache - apt_key: - id: 06E85760C0A52C50 - keyserver: keyserver.ubuntu.com - -- name: Ubiquiti APT repository - notify: update apt cache - copy: - dest: /etc/apt/sources.list.d/unifi.list - content: 'deb http://www.ubnt.com/downloads/unifi/debian stable ubiquiti' - -- meta: flush_handlers - -- name: packages - apt: - name: "{{ items }}" - install_recommends: no - vars: - items: - - openjdk-8-jre - - unifi diff --git a/ansible/unifi.yml b/ansible/unifi.yml deleted file mode 100644 index d417a2a..0000000 --- a/ansible/unifi.yml +++ /dev/null @@ -1,6 +0,0 @@ -- hosts: - - unifi - roles: - - role: unifi - tags: unifi - become: yes diff --git a/ansible/wg0/files/coregonus/etc/wireguard/public-wg0.key b/ansible/wg0/files/coregonus/etc/wireguard/public-wg0.key new file mode 100644 index 0000000..16f44f9 --- /dev/null +++ b/ansible/wg0/files/coregonus/etc/wireguard/public-wg0.key @@ -0,0 +1 @@ +M1qJnHL6GD19On7y11uVF9m5J2noqspbfgZRmmEnwkc= diff --git a/ansible/wg0/group_vars/all/wireguard_wg0.yml b/ansible/wg0/group_vars/all/wireguard_wg0.yml index 3a8099c..109de3d 100644 --- a/ansible/wg0/group_vars/all/wireguard_wg0.yml +++ b/ansible/wg0/group_vars/all/wireguard_wg0.yml @@ -16,7 +16,7 @@ wireguard_wg0: ipv4: 192.168.60.2 ipv6: fdf3:aad9:a885:0b3a::2 conflatorio: - state: absent + state: present ipv6: fdf3:aad9:a885:0b3a::3 arius: state: present @@ -33,7 +33,7 @@ wireguard_wg0: state: present ipv6: fdf3:aad9:a885:0b3a::9 astyanax: - state: present + state: absent ipv6: fdf3:aad9:a885:0b3a::10 allowed_ips: - fdf3:aad9:a885:ba65::/64 @@ -66,3 +66,6 @@ wireguard_wg0: biwia: state: present ipv6: fdf3:aad9:a885:0b3a::17 + coregonus: + state: present + ipv6: fdf3:aad9:a885:0b3a::18 diff --git a/ansible/wg0/wireguard-wg0-terraform.yml b/ansible/wg0/wireguard-wg0-terraform.yml index 33b4b47..c4c809c 100644 --- a/ansible/wg0/wireguard-wg0-terraform.yml +++ b/ansible/wg0/wireguard-wg0-terraform.yml @@ -7,11 +7,12 @@ content: | # Generated from ansible data {% for host, data in wireguard_wg0.hosts.items() %} + {% if data.state | default("present") == "present" %} resource "linode_domain_record" "vpn-{{ host }}" { domain_id = linode_domain.root.id name = "{{ host }}.vpn" record_type = "AAAA" target = "{{ data.ipv6 }}" } + {% endif %} {% endfor %} - @@ -2,7 +2,7 @@ set -euo pipefail -v="0.14.0" +v="0.14.1" basedir="${0%/*}" self="${0##*/}" @@ -18,6 +18,4 @@ then curl -L "$url" | tar xfz - -C $dir fi -export ASDF_DATA_DIR="$dir/asdf-data" - exec "$bin" "${@}" diff --git a/bin/requirements.txt b/bin/requirements.txt index 8a3e290..b47e2cd 100644 --- a/bin/requirements.txt +++ b/bin/requirements.txt @@ -1,2 +1,5 @@ -ansible==8.4.0 +ansible==10.4.0 gns3fy==0.8.0 +netaddr==1.3.0 +swiplserver==1.0.2 +jinja2<3.1 diff --git a/bin/terraform b/bin/terraform index d90a3d8..e1a4dfc 100755 --- a/bin/terraform +++ b/bin/terraform @@ -2,7 +2,7 @@ set -euo pipefail -version=1.3.6 +version=1.9.5 basedir="${0%/*}" diff --git a/danneri/README.md b/danneri/README.md new file mode 100644 index 0000000..26a9e85 --- /dev/null +++ b/danneri/README.md @@ -0,0 +1,60 @@ +# Installing k3s + +Create `/etc/rancher/k3s/config.yaml`. Must be done before installation. + +Run: `curl -sfL https://get.k3s.io | bash` + +Copy /etc/rancher/k3s/k3s.yaml to ~/.kube/config. Adjust `server:` url. + +Reinstalling: + + k3s-uninstall.sh + +Reboot + + cd /etc + git restore rancher/k3s/config.yaml + cd + curl -sfL https://get.k3s.io | bash + +# Get kubeconfig + + ssh danneri.dn42.trygvis.io sudo cat /etc/rancher/k3s/k3s.yaml |\ + sed s,https://.*,https://danneri.dn42.trygvis.io:6443, > ~/.kube/config + +# Installing Cilium: + + cilium install -f cilium.yaml + +old: + + cilium install \ + --set routingMode=native \ + --set ipv4.enabled=true \ + --set ipam.operator.clusterPoolIPv4PodCIDRList=10.0.0.0/8 \ + --set ipv4NativeRoutingCIDR=10.0.0.0/8 \ + --set ipv6.enabled=true \ + --set enableIPv6Masquerade=false \ + --set k8s.requireIPv6PodCIDR=true \ + --set ipam.operator.clusterPoolIPv6PodCIDRList=fdb1:4242:3538:2008:aaaa:aaaa:aaaa::/96 \ + --set ipam.operator.clusterPoolIPv6MaskSize=112 \ + --set ipv6NativeRoutingCIDR=fdb1:4242:3538:2008::/64 \ + --set kubeProxyReplacement=true \ + --set k8sServiceHost=fdb1:4242:3538:2008:9422:d355:95b7:f170 \ + --set k8sServicePort=6443 + +TODO: check `kubeProxyReplacement=true` / `kube-proxy-replacement`. + +# Uninstalling + +Run: `k3s-uninstall.sh`. Note that this will delete everything, including `/etc/rancher/k3s/config.yaml`. + + rm -rf \ + /var/lib/cni \ + /etc/cni \ + /var/lib/rancher \ + /run/cilium \ + /run/containerd \ + /etc/sysctl.d/99-zzz-override_cilium.conf + +and then do a reboot to really stop Cilium from running. diff --git a/danneri/cilium.yaml b/danneri/cilium.yaml new file mode 100644 index 0000000..144e819 --- /dev/null +++ b/danneri/cilium.yaml @@ -0,0 +1,44 @@ +# https://yolops.net/k3s-at-home.html +# https://yolops.net/k8s-dualstack-cilium.html +# https://www.jeffgeerling.com/blog/2022/quick-hello-world-http-deployment-testing-k3s-and-traefik +# https://www.redpill-linpro.com/techblog/2024/01/03/cilium-dual-stack-k3s-pi-setup.html +--- +k8sServiceHost: fdb1:4242:3538:2008:9422:d355:95b7:f170 +k8sServicePort: 6443 +ipv4: + enabled: false +ipv6: + enabled: true +ipam: + mode: cluster-pool + operator: + # clusterPoolIPv4PodCIDRList: "10.96.0.0/16" + # clusterPoolIPv4MaskSize: 24 + clusterPoolIPv6PodCIDRList: "fdb1:4242:3538:2008:cccc:cccc::/96" + clusterPoolIPv6MaskSize: 112 +bpf: + masquerade: false + +enableIPv6Masquerade: false +kubeProxyReplacement: true + +# new +ipv6NativeRoutingCIDR: fdb1:4242:3538:2008::/64 + +extraConfig: + enable-ipv6-ndp: "true" + ipv6-mcast-device: "enp1s0" + ipv6-service-range: "fdb1:4242:3538:2008:5555:5555:5555::/112" + routing-mode: "native" +operator: + replicas: 1 + +# enable-bpf-masquerade true +# enable-endpoint-health-checking true +# enable-health-check-loadbalancer-ip false +# enable-health-check-nodeport true +# enable-health-checking true +# enable-hubble true +# enable-ipv4 false +# enable-ipv4-big-tcp false +# enable-ipv4-masquerade diff --git a/danneri/config.yaml b/danneri/config.yaml new file mode 100644 index 0000000..198d09f --- /dev/null +++ b/danneri/config.yaml @@ -0,0 +1,18 @@ +tls-san: + - "danneri.dn42.trygvis.io" + - "fdb1:4242:3538:2008:9422:d355:95b7:f170" + - "2a06:2240:f00d:b500:9422:d355:95b7:f170" + +node-ip: "fdb1:4242:3538:2008:9422:d355:95b7:f170" +cluster-cidr: "fdb1:4242:3538:2008:aaaa:aaaa:aaaa::/96" +service-cidr: "fdb1:4242:3538:2008:bbbb:bbbb:bbbb::/112" +# This https://docs.cilium.io/en/stable/network/kubernetes/requirements/#enable-automatic-node-cidr-allocation-recommended recommends that --allocate-node-cidrs is added to kube-controller-manager +kube-controller-manager-arg: node-cidr-mask-size-ipv6=112 +flannel-backend: none +disable: +# - traefik + - servicelb +disable-network-policy: true +disable-kube-proxy: true + +# default-local-storage-path: /srv/k3s-local-storage diff --git a/danneri/futar-deployment.yml b/danneri/futar-deployment.yml new file mode 100644 index 0000000..00a07ca --- /dev/null +++ b/danneri/futar-deployment.yml @@ -0,0 +1,60 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: futar-deployment + labels: + app: futar +spec: + selector: + matchLabels: + app: futar + replicas: 2 + template: + metadata: + labels: + app: futar + spec: + containers: + - name: futar + image: ghcr.io/trygvis/futar:main + ports: + - containerPort: 8080 +--- +apiVersion: v1 +kind: Service +metadata: + name: futar-np +spec: + selector: + app: futar + ports: + - protocol: TCP + port: 80 + targetPort: 8080 + nodePort: 30000 + type: NodePort + +--- +apiVersion: v1 +kind: Service +metadata: + name: futar +spec: + selector: + app: futar + ports: + - protocol: TCP + port: 8080 + +--- +apiVersion: v1 +kind: Service +metadata: + name: futar-lb +spec: + selector: + app: futar + type: LoadBalancer + ports: + - protocol: TCP + port: 8080 diff --git a/docs/.$wg0.drawio.bkp b/docs/.$wg0.drawio.bkp new file mode 100644 index 0000000..02850e9 --- /dev/null +++ b/docs/.$wg0.drawio.bkp @@ -0,0 +1,105 @@ +<mxfile host="Electron" modified="2023-10-05T06:48:05.910Z" agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/22.0.2 Chrome/114.0.5735.289 Electron/25.8.4 Safari/537.36" etag="Pz4jShWJTjG_Br3Oixw4" version="22.0.2" type="device"> + <diagram name="Page-1" id="v7i8TAT-5xv207MUNhIB"> + <mxGraphModel dx="1383" dy="799" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="1169" pageHeight="827" math="0" shadow="0"> + <root> + <mxCell id="0" /> + <mxCell id="1" parent="0" /> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-8" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=classic;endFill=1;" parent="1" source="UDWjvm1ZnLB2DU_sOnAa-1" target="UDWjvm1ZnLB2DU_sOnAa-5" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-11" style="edgeStyle=none;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=classic;endFill=1;exitX=0.855;exitY=0.8555;exitDx=0;exitDy=0;exitPerimeter=0;" parent="1" source="UDWjvm1ZnLB2DU_sOnAa-1" target="UDWjvm1ZnLB2DU_sOnAa-4" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-1" value="conflatorio<br>wg0::3" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=middle;html=1;verticalAlign=middle;aspect=fixed;align=right;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;labelPosition=left;" parent="1" vertex="1"> + <mxGeometry x="350" y="240" width="50" height="50" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-9" style="edgeStyle=none;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=classic;endFill=1;exitX=0.145;exitY=0.145;exitDx=0;exitDy=0;exitPerimeter=0;entryX=1;entryY=0.5;entryDx=0;entryDy=0;entryPerimeter=0;" parent="1" source="UDWjvm1ZnLB2DU_sOnAa-2" target="UDWjvm1ZnLB2DU_sOnAa-5" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-10" style="edgeStyle=none;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=classic;endFill=1;exitX=0.145;exitY=0.855;exitDx=0;exitDy=0;exitPerimeter=0;entryX=1;entryY=0.5;entryDx=0;entryDy=0;entryPerimeter=0;" parent="1" source="UDWjvm1ZnLB2DU_sOnAa-2" target="UDWjvm1ZnLB2DU_sOnAa-4" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-26" value="eno1" style="edgeStyle=none;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=classic;endFill=1;" parent="1" source="UDWjvm1ZnLB2DU_sOnAa-2" target="UDWjvm1ZnLB2DU_sOnAa-28" edge="1"> + <mxGeometry relative="1" as="geometry"> + <mxPoint x="980" y="300" as="targetPoint" /> + </mxGeometry> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-32" value="enp2s0" style="edgeStyle=none;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=classic;endFill=1;" parent="1" source="yd4OAxL_OL2nS1uvAmHJ-6" target="UDWjvm1ZnLB2DU_sOnAa-33" edge="1"> + <mxGeometry relative="1" as="geometry"> + <mxPoint x="960" y="360" as="targetPoint" /> + </mxGeometry> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-2" value="akili<br>wg0:&nbsp;fdf3:aad9:a885:b3a::7/64" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=middle;html=1;verticalAlign=middle;aspect=fixed;align=left;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;labelPosition=right;" parent="1" vertex="1"> + <mxGeometry x="840" y="340" width="50" height="50" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-14" style="edgeStyle=none;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=classic;endFill=1;" parent="1" source="UDWjvm1ZnLB2DU_sOnAa-3" target="UDWjvm1ZnLB2DU_sOnAa-4" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-15" style="edgeStyle=none;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=classic;endFill=1;exitX=0.8555;exitY=0.145;exitDx=0;exitDy=0;exitPerimeter=0;entryX=0.209;entryY=0.791;entryDx=0;entryDy=0;entryPerimeter=0;" parent="1" source="UDWjvm1ZnLB2DU_sOnAa-3" target="UDWjvm1ZnLB2DU_sOnAa-5" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-3" value="arius" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=bottom;html=1;verticalAlign=top;aspect=fixed;align=center;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;" parent="1" vertex="1"> + <mxGeometry x="350" y="550" width="50" height="50" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-13" style="edgeStyle=none;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.8555;exitY=0.145;exitDx=0;exitDy=0;exitPerimeter=0;entryX=0.855;entryY=0.8555;entryDx=0;entryDy=0;entryPerimeter=0;endArrow=none;endFill=0;" parent="1" source="UDWjvm1ZnLB2DU_sOnAa-4" target="UDWjvm1ZnLB2DU_sOnAa-5" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-4" value="knot<br>wg0:&nbsp;fdf3:aad9:a885:b3a::1/64" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=bottom;html=1;verticalAlign=top;aspect=fixed;align=center;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;" parent="1" vertex="1"> + <mxGeometry x="620" y="550" width="50" height="50" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-7" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=none;endFill=0;" parent="1" source="UDWjvm1ZnLB2DU_sOnAa-5" target="UDWjvm1ZnLB2DU_sOnAa-6" edge="1"> + <mxGeometry relative="1" as="geometry"> + <mxPoint x="810" y="210" as="targetPoint" /> + </mxGeometry> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-12" style="edgeStyle=none;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0.145;entryY=0.145;entryDx=0;entryDy=0;entryPerimeter=0;endArrow=none;endFill=0;exitX=0.145;exitY=0.855;exitDx=0;exitDy=0;exitPerimeter=0;" parent="1" source="UDWjvm1ZnLB2DU_sOnAa-5" target="UDWjvm1ZnLB2DU_sOnAa-4" edge="1"> + <mxGeometry relative="1" as="geometry"> + <mxPoint x="710" y="300" as="sourcePoint" /> + </mxGeometry> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-5" value="hash" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=bottom;html=1;verticalAlign=top;aspect=fixed;align=center;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;" parent="1" vertex="1"> + <mxGeometry x="620" y="240" width="50" height="50" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-6" value="vimscore-4" style="sketch=0;points=[[0.015,0.015,0],[0.985,0.015,0],[0.985,0.985,0],[0.015,0.985,0],[0.25,0,0],[0.5,0,0],[0.75,0,0],[1,0.25,0],[1,0.5,0],[1,0.75,0],[0.75,1,0],[0.5,1,0],[0.25,1,0],[0,0.75,0],[0,0.5,0],[0,0.25,0]];verticalLabelPosition=top;html=1;verticalAlign=bottom;aspect=fixed;align=center;pointerEvents=1;shape=mxgraph.cisco19.server;fillColor=#005073;strokeColor=none;labelPosition=center;" parent="1" vertex="1"> + <mxGeometry x="631.25" y="130" width="27.500000000000004" height="50" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-16" value="unifi" style="sketch=0;points=[[0.015,0.015,0],[0.985,0.015,0],[0.985,0.985,0],[0.015,0.985,0],[0.25,0,0],[0.5,0,0],[0.75,0,0],[1,0.25,0],[1,0.5,0],[1,0.75,0],[0.75,1,0],[0.5,1,0],[0.25,1,0],[0,0.75,0],[0,0.5,0],[0,0.25,0]];verticalLabelPosition=top;html=1;verticalAlign=bottom;aspect=fixed;align=center;pointerEvents=1;shape=mxgraph.cisco19.server;fillColor=#005073;strokeColor=none;labelPosition=center;" parent="1" vertex="1"> + <mxGeometry x="361.25" y="130" width="27.500000000000004" height="50" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-17" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=none;endFill=0;" parent="1" source="UDWjvm1ZnLB2DU_sOnAa-1" target="UDWjvm1ZnLB2DU_sOnAa-16" edge="1"> + <mxGeometry relative="1" as="geometry"> + <mxPoint x="840" y="225" as="targetPoint" /> + <mxPoint x="680" y="275" as="sourcePoint" /> + </mxGeometry> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-19" value="trygvis net<br>Global ID: f3aad9a885<br>AS: 4230483679" style="text;html=1;align=center;verticalAlign=middle;resizable=0;points=[];autosize=1;strokeColor=none;fillColor=none;" parent="1" vertex="1"> + <mxGeometry x="518.75" y="10" width="140" height="60" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-20" value="Current:<br>Global ID: f3aad9a885<br style="border-color: var(--border-color);"><div style=""><span style="background-color: initial;">wg0 subnet ID: 0b3a</span></div><div style=""><span style="background-color: initial;">wg0 prefix: fdf3:aad9:a885:0b3a:/64</span></div>" style="text;html=1;align=left;verticalAlign=middle;resizable=0;points=[];autosize=1;strokeColor=none;fillColor=none;" parent="1" vertex="1"> + <mxGeometry x="40" y="70" width="210" height="70" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-22" value="lhn2<br>lhn2 subnet id: ::77dd/64" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=bottom;html=1;verticalAlign=top;aspect=fixed;align=center;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;" parent="1" vertex="1"> + <mxGeometry x="100" y="660" width="50" height="50" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-23" value="kv24<br>subnet id: ba64<br>ipv6 net:&nbsp;fdf3:aad9:a885:ba64::/64<br>" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=bottom;html=1;verticalAlign=top;aspect=fixed;align=center;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;" parent="1" vertex="1"> + <mxGeometry x="100" y="520" width="50" height="50" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-24" value="wg0 is the peering network" style="text;html=1;align=center;verticalAlign=middle;resizable=0;points=[];autosize=1;strokeColor=none;fillColor=none;" parent="1" vertex="1"> + <mxGeometry x="40" y="180" width="170" height="30" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-28" value="Network: fdf3:aad9:a885:ba64::/64" style="text;html=1;align=center;verticalAlign=middle;resizable=0;points=[];autosize=1;strokeColor=none;fillColor=none;rounded=0;" parent="1" vertex="1"> + <mxGeometry x="880" y="260" width="210" height="30" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-33" value="Network: fdf3:aad9:a885:ba65::/64" style="text;html=1;align=center;verticalAlign=middle;resizable=0;points=[];autosize=1;strokeColor=none;fillColor=none;rounded=0;perimeterSpacing=0;spacing=2;" parent="1" vertex="1"> + <mxGeometry x="850" y="680" width="210" height="30" as="geometry" /> + </mxCell> + <mxCell id="yd4OAxL_OL2nS1uvAmHJ-6" value="astyanax<br>wg0:&nbsp;fdf3:aad9:a885:b3a::10/64" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=middle;html=1;verticalAlign=middle;aspect=fixed;align=left;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;labelPosition=right;" vertex="1" parent="1"> + <mxGeometry x="840" y="460" width="50" height="50" as="geometry" /> + </mxCell> + <mxCell id="yd4OAxL_OL2nS1uvAmHJ-7" style="orthogonalLoop=1;jettySize=auto;html=1;entryX=1;entryY=0.5;entryDx=0;entryDy=0;entryPerimeter=0;rounded=0;" edge="1" parent="1" source="yd4OAxL_OL2nS1uvAmHJ-6" target="UDWjvm1ZnLB2DU_sOnAa-4"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + </root> + </mxGraphModel> + </diagram> +</mxfile> diff --git a/docs/2023-10-23 - tnet.drawio b/docs/2023-10-23 - tnet.drawio new file mode 100644 index 0000000..7414262 --- /dev/null +++ b/docs/2023-10-23 - tnet.drawio @@ -0,0 +1,571 @@ +<mxfile host="Electron" modified="2024-09-24T20:15:30.452Z" agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/22.0.2 Chrome/114.0.5735.289 Electron/25.8.4 Safari/537.36" etag="5nmccZ1ov7ZESQxNsFWk" version="22.0.2" type="device" pages="5"> + <diagram name="tnet" id="BvOL4zu76bRaQ85PTpcJ"> + <mxGraphModel dx="2074" dy="1230" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="1169" pageHeight="827" math="0" shadow="0"> + <root> + <mxCell id="0" /> + <mxCell id="1" parent="0" /> + <mxCell id="_oqYuhv8jh0_rys1Lpot-2" value="Wireguard" style="orthogonalLoop=1;jettySize=auto;startArrow=classic;startFill=1;curved=1;labelPosition=center;verticalLabelPosition=top;align=center;verticalAlign=bottom;html=1;fontStyle=0;labelBackgroundColor=none;fillColor=#dae8fc;strokeColor=#6c8ebf;" parent="1" edge="1"> + <mxGeometry y="-10" relative="1" as="geometry"> + <mxPoint x="880" y="110" as="sourcePoint" /> + <mxPoint x="800" y="110" as="targetPoint" /> + <mxPoint as="offset" /> + </mxGeometry> + </mxCell> + <mxCell id="kq-59-67Notf0ipTlqrg-4" value="kv24" style="rounded=1;whiteSpace=wrap;html=1;fontStyle=0;labelPosition=center;verticalLabelPosition=bottom;align=center;verticalAlign=top;fillColor=none;connectable=0;" parent="1" vertex="1"> + <mxGeometry x="40" y="439" width="240" height="169.5" as="geometry" /> + </mxCell> + <mxCell id="kq-59-67Notf0ipTlqrg-3" value="lhn2" style="rounded=1;whiteSpace=wrap;html=1;fontStyle=1;labelPosition=center;verticalLabelPosition=top;align=center;verticalAlign=bottom;fillColor=none;" parent="1" vertex="1"> + <mxGeometry x="40" y="40.5" width="240" height="169.5" as="geometry" /> + </mxCell> + <mxCell id="CLQh8vJcVvMq8tJKvEXp-5" style="orthogonalLoop=1;jettySize=auto;html=1;curved=1;exitX=1;exitY=0.5;exitDx=0;exitDy=0;exitPerimeter=0;entryX=0.145;entryY=0.855;entryDx=0;entryDy=0;entryPerimeter=0;fillColor=#dae8fc;strokeColor=#6c8ebf;" parent="1" source="CLQh8vJcVvMq8tJKvEXp-1" target="CLQh8vJcVvMq8tJKvEXp-4" edge="1"> + <mxGeometry relative="1" as="geometry"> + <mxPoint x="602" y="200" as="targetPoint" /> + </mxGeometry> + </mxCell> + <mxCell id="_oqYuhv8jh0_rys1Lpot-14" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=none;endFill=0;" parent="1" source="CLQh8vJcVvMq8tJKvEXp-1" target="_oqYuhv8jh0_rys1Lpot-13" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="CLQh8vJcVvMq8tJKvEXp-1" value="kv24ix" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=bottom;html=1;verticalAlign=top;aspect=fixed;align=center;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;" parent="1" vertex="1"> + <mxGeometry x="220" y="530" width="41" height="41" as="geometry" /> + </mxCell> + <mxCell id="CLQh8vJcVvMq8tJKvEXp-7" style="orthogonalLoop=1;jettySize=auto;html=1;curved=1;exitX=1;exitY=0.5;exitDx=0;exitDy=0;exitPerimeter=0;entryX=0;entryY=0.5;entryDx=0;entryDy=0;entryPerimeter=0;fillColor=#dae8fc;strokeColor=#6c8ebf;" parent="1" source="CLQh8vJcVvMq8tJKvEXp-2" target="CLQh8vJcVvMq8tJKvEXp-4" edge="1"> + <mxGeometry relative="1" as="geometry"> + <mxPoint x="596" y="195" as="targetPoint" /> + </mxGeometry> + </mxCell> + <mxCell id="CLQh8vJcVvMq8tJKvEXp-2" value="lhn2ix" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=top;html=1;verticalAlign=bottom;aspect=fixed;align=center;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;labelPosition=center;" parent="1" vertex="1"> + <mxGeometry x="210" y="90" width="40" height="40" as="geometry" /> + </mxCell> + <mxCell id="CLQh8vJcVvMq8tJKvEXp-3" value="hash" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=bottom;html=1;verticalAlign=top;aspect=fixed;align=center;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;" parent="1" vertex="1"> + <mxGeometry x="600" y="439" width="41" height="41" as="geometry" /> + </mxCell> + <mxCell id="CLQh8vJcVvMq8tJKvEXp-9" style="orthogonalLoop=1;jettySize=auto;html=1;startArrow=classic;startFill=1;curved=1;fillColor=#dae8fc;strokeColor=#6c8ebf;" parent="1" source="CLQh8vJcVvMq8tJKvEXp-4" target="CLQh8vJcVvMq8tJKvEXp-3" edge="1"> + <mxGeometry relative="1" as="geometry"> + <mxPoint x="630" y="210" as="sourcePoint" /> + </mxGeometry> + </mxCell> + <mxCell id="_oqYuhv8jh0_rys1Lpot-16" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;" parent="1" source="CLQh8vJcVvMq8tJKvEXp-4" target="_oqYuhv8jh0_rys1Lpot-9" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="CLQh8vJcVvMq8tJKvEXp-4" value="knot" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=top;html=1;verticalAlign=bottom;aspect=fixed;align=center;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;labelPosition=center;" parent="1" vertex="1"> + <mxGeometry x="600" y="160" width="40" height="40" as="geometry" /> + </mxCell> + <mxCell id="CLQh8vJcVvMq8tJKvEXp-10" value="conflatorio" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=top;html=1;verticalAlign=bottom;aspect=fixed;align=center;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;labelPosition=center;" parent="1" vertex="1"> + <mxGeometry x="110" y="89" width="41" height="41" as="geometry" /> + </mxCell> + <mxCell id="kq-59-67Notf0ipTlqrg-2" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0;entryY=0.5;entryDx=0;entryDy=0;entryPerimeter=0;endArrow=none;endFill=0;" parent="1" source="CLQh8vJcVvMq8tJKvEXp-10" target="CLQh8vJcVvMq8tJKvEXp-2" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="_oqYuhv8jh0_rys1Lpot-6" value="Wireguard connections can be initiated from both&nbsp;endpoints, arrow indicates direction" style="whiteSpace=wrap;html=1;strokeColor=none;fillColor=none;autosize=0;resizeWidth=0;resizable=1;resizeHeight=1;align=left;verticalAlign=top;fixedWidth=1;" parent="1" vertex="1"> + <mxGeometry x="920" y="79.5" width="240" height="50.5" as="geometry" /> + </mxCell> + <mxCell id="_oqYuhv8jh0_rys1Lpot-9" value="" style="ellipse;shape=cloud;whiteSpace=wrap;html=1;" parent="1" vertex="1"> + <mxGeometry x="360" y="240" width="120" height="80" as="geometry" /> + </mxCell> + <mxCell id="_oqYuhv8jh0_rys1Lpot-12" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.855;exitY=0.8555;exitDx=0;exitDy=0;exitPerimeter=0;" parent="1" source="_oqYuhv8jh0_rys1Lpot-10" target="_oqYuhv8jh0_rys1Lpot-9" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="_oqYuhv8jh0_rys1Lpot-10" value="ISP" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=middle;html=1;verticalAlign=middle;aspect=fixed;align=right;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;labelPosition=left;" parent="1" vertex="1"> + <mxGeometry x="210" y="160" width="40" height="40" as="geometry" /> + </mxCell> + <mxCell id="_oqYuhv8jh0_rys1Lpot-11" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0.5;entryY=0;entryDx=0;entryDy=0;entryPerimeter=0;exitX=0.5;exitY=1;exitDx=0;exitDy=0;exitPerimeter=0;endArrow=none;endFill=0;" parent="1" source="CLQh8vJcVvMq8tJKvEXp-2" target="_oqYuhv8jh0_rys1Lpot-10" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="_oqYuhv8jh0_rys1Lpot-15" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.8555;exitY=0.145;exitDx=0;exitDy=0;exitPerimeter=0;" parent="1" source="_oqYuhv8jh0_rys1Lpot-13" target="_oqYuhv8jh0_rys1Lpot-9" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="_oqYuhv8jh0_rys1Lpot-13" value="ISP" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=middle;html=1;verticalAlign=middle;aspect=fixed;align=right;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;labelPosition=left;" parent="1" vertex="1"> + <mxGeometry x="221" y="450" width="40" height="40" as="geometry" /> + </mxCell> + <mxCell id="_oqYuhv8jh0_rys1Lpot-17" value="ISP routers are un-controlled hardware that delivers IPv4 NAT and public IPv6 addresses" style="text;html=1;align=left;verticalAlign=middle;resizable=1;points=[];autosize=1;strokeColor=none;fillColor=none;overflow=width;whiteSpace=wrap" parent="1" vertex="1"> + <mxGeometry x="920" y="142.5" width="240" height="35" as="geometry" /> + </mxCell> + <mxCell id="_oqYuhv8jh0_rys1Lpot-18" value="ISP" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=middle;html=1;verticalAlign=middle;aspect=fixed;align=right;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;labelPosition=left;" parent="1" vertex="1"> + <mxGeometry x="820" y="140" width="40" height="40" as="geometry" /> + </mxCell> + <mxCell id="_oqYuhv8jh0_rys1Lpot-19" value="ix" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=middle;html=1;verticalAlign=middle;aspect=fixed;align=right;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;labelPosition=left;" parent="1" vertex="1"> + <mxGeometry x="820" y="200" width="40" height="40" as="geometry" /> + </mxCell> + <mxCell id="_oqYuhv8jh0_rys1Lpot-20" value="IX (internet exchange) routers are EdgeOS routers" style="text;html=1;align=left;verticalAlign=middle;resizable=1;points=[];autosize=1;strokeColor=none;fillColor=none;overflow=width;whiteSpace=wrap" parent="1" vertex="1"> + <mxGeometry x="920" y="205.5" width="240" height="30" as="geometry" /> + </mxCell> + <mxCell id="_oqYuhv8jh0_rys1Lpot-21" value="" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=middle;html=1;verticalAlign=middle;aspect=fixed;align=right;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;labelPosition=left;" parent="1" vertex="1"> + <mxGeometry x="820" y="260" width="40" height="40" as="geometry" /> + </mxCell> + <mxCell id="_oqYuhv8jh0_rys1Lpot-22" value="All other routers are Linux hosts" style="text;html=1;align=left;verticalAlign=middle;resizable=1;points=[];autosize=1;strokeColor=none;fillColor=none;overflow=width;whiteSpace=wrap" parent="1" vertex="1"> + <mxGeometry x="920" y="265" width="190" height="30" as="geometry" /> + </mxCell> + <mxCell id="QNxnjQuwQrLiuIVgEP8Q-1" style="orthogonalLoop=1;jettySize=auto;html=1;curved=1;exitX=1;exitY=0.5;exitDx=0;exitDy=0;exitPerimeter=0;fillColor=#dae8fc;strokeColor=#6c8ebf;entryX=0.8555;entryY=0.145;entryDx=0;entryDy=0;entryPerimeter=0;" parent="1" source="CLQh8vJcVvMq8tJKvEXp-2" target="CLQh8vJcVvMq8tJKvEXp-1" edge="1"> + <mxGeometry relative="1" as="geometry"> + <mxPoint x="210" y="410" as="targetPoint" /> + <mxPoint x="265" y="546" as="sourcePoint" /> + <Array as="points"> + <mxPoint x="590" y="230" /> + </Array> + </mxGeometry> + </mxCell> + </root> + </mxGraphModel> + </diagram> + <diagram id="OTq_sM1T3sTYLIRuV6jG" name="conflatorio"> + <mxGraphModel dx="905" dy="1198" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="1169" pageHeight="827" math="0" shadow="0"> + <root> + <mxCell id="0" /> + <mxCell id="1" parent="0" /> + <mxCell id="Vz1C8OB2fIIe8CMhx9Ex-1" value="traefik" style="ellipse;shape=cloud;whiteSpace=wrap;html=1;" parent="1" vertex="1"> + <mxGeometry x="1520" y="400" width="80" height="40" as="geometry" /> + </mxCell> + <mxCell id="Vz1C8OB2fIIe8CMhx9Ex-2" value="pdb" style="ellipse;shape=cloud;whiteSpace=wrap;html=1;fillColor=#f5f5f5;fontColor=#333333;strokeColor=#666666;" parent="1" vertex="1"> + <mxGeometry x="1731" y="400" width="80" height="40" as="geometry" /> + </mxCell> + <mxCell id="Vz1C8OB2fIIe8CMhx9Ex-3" style="orthogonalLoop=1;jettySize=auto;html=1;rounded=0;fillColor=#f5f5f5;strokeColor=#666666;" parent="1" source="Vz1C8OB2fIIe8CMhx9Ex-4" target="Vz1C8OB2fIIe8CMhx9Ex-2" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="Vz1C8OB2fIIe8CMhx9Ex-4" value="pdb" style="sketch=0;points=[[0.015,0.015,0],[0.985,0.015,0],[0.985,0.985,0],[0.015,0.985,0],[0.25,0,0],[0.5,0,0],[0.75,0,0],[1,0.25,0],[1,0.5,0],[1,0.75,0],[0.75,1,0],[0.5,1,0],[0.25,1,0],[0,0.75,0],[0,0.5,0],[0,0.25,0]];verticalLabelPosition=middle;html=1;verticalAlign=middle;aspect=fixed;align=right;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=database_relational;fillColor=#f5f5f5;strokeColor=#666666;labelPosition=left;fontColor=#333333;" parent="1" vertex="1"> + <mxGeometry x="1800" y="480" width="40" height="40" as="geometry" /> + </mxCell> + <mxCell id="Vz1C8OB2fIIe8CMhx9Ex-5" style="orthogonalLoop=1;jettySize=auto;html=1;rounded=0;fillColor=#f5f5f5;strokeColor=#666666;" parent="1" source="Vz1C8OB2fIIe8CMhx9Ex-8" target="Vz1C8OB2fIIe8CMhx9Ex-2" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="Vz1C8OB2fIIe8CMhx9Ex-6" style="orthogonalLoop=1;jettySize=auto;html=1;" parent="1" source="Vz1C8OB2fIIe8CMhx9Ex-8" target="Vz1C8OB2fIIe8CMhx9Ex-1" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="Vz1C8OB2fIIe8CMhx9Ex-7" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;shadow=0;" parent="1" source="Vz1C8OB2fIIe8CMhx9Ex-8" target="Vz1C8OB2fIIe8CMhx9Ex-19" edge="1"> + <mxGeometry relative="1" as="geometry"> + <mxPoint x="1670" y="320" as="sourcePoint" /> + </mxGeometry> + </mxCell> + <mxCell id="Vz1C8OB2fIIe8CMhx9Ex-8" value="grafana" style="sketch=0;points=[[0.015,0.015,0],[0.985,0.015,0],[0.985,0.985,0],[0.015,0.985,0],[0.25,0,0],[0.5,0,0],[0.75,0,0],[1,0.25,0],[1,0.5,0],[1,0.75,0],[0.75,1,0],[0.5,1,0],[0.25,1,0],[0,0.75,0],[0,0.5,0],[0,0.25,0]];verticalLabelPosition=middle;html=1;verticalAlign=middle;aspect=fixed;align=right;pointerEvents=1;shape=mxgraph.cisco19.server;fillColor=#005073;strokeColor=none;labelPosition=left;" parent="1" vertex="1"> + <mxGeometry x="1630" y="320" width="22" height="40" as="geometry" /> + </mxCell> + <mxCell id="Vz1C8OB2fIIe8CMhx9Ex-9" style="orthogonalLoop=1;jettySize=auto;html=1;" parent="1" source="Vz1C8OB2fIIe8CMhx9Ex-10" target="Vz1C8OB2fIIe8CMhx9Ex-1" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="Vz1C8OB2fIIe8CMhx9Ex-10" value="traefik" style="sketch=0;points=[[0.015,0.015,0],[0.985,0.015,0],[0.985,0.985,0],[0.015,0.985,0],[0.25,0,0],[0.5,0,0],[0.75,0,0],[1,0.25,0],[1,0.5,0],[1,0.75,0],[0.75,1,0],[0.5,1,0],[0.25,1,0],[0,0.75,0],[0,0.5,0],[0,0.25,0]];verticalLabelPosition=middle;html=1;verticalAlign=middle;aspect=fixed;align=right;pointerEvents=1;shape=mxgraph.cisco19.server;fillColor=#005073;strokeColor=none;labelPosition=left;" parent="1" vertex="1"> + <mxGeometry x="1520" y="320" width="22" height="40" as="geometry" /> + </mxCell> + <mxCell id="Vz1C8OB2fIIe8CMhx9Ex-11" value="docker-proxy" style="sketch=0;points=[[0.015,0.015,0],[0.985,0.015,0],[0.985,0.985,0],[0.015,0.985,0],[0.25,0,0],[0.5,0,0],[0.75,0,0],[1,0.25,0],[1,0.5,0],[1,0.75,0],[0.75,1,0],[0.5,1,0],[0.25,1,0],[0,0.75,0],[0,0.5,0],[0,0.25,0]];verticalLabelPosition=top;html=1;verticalAlign=bottom;aspect=fixed;align=center;pointerEvents=1;shape=mxgraph.cisco19.server;fillColor=#005073;strokeColor=none;labelPosition=center;" parent="1" vertex="1"> + <mxGeometry x="1520" y="201" width="22" height="40" as="geometry" /> + </mxCell> + <mxCell id="Vz1C8OB2fIIe8CMhx9Ex-12" value="conflatorio" style="text;html=1;align=center;verticalAlign=middle;resizable=0;points=[];autosize=1;strokeColor=none;fillColor=none;fontSize=24;" parent="1" vertex="1"> + <mxGeometry x="1465" y="25" width="130" height="40" as="geometry" /> + </mxCell> + <mxCell id="Vz1C8OB2fIIe8CMhx9Ex-13" value="conflatorio-net::2" style="edgeStyle=orthogonalEdgeStyle;orthogonalLoop=1;jettySize=auto;html=1;entryX=0.5;entryY=0;entryDx=0;entryDy=0;entryPerimeter=0;curved=1;" parent="1" source="Vz1C8OB2fIIe8CMhx9Ex-11" target="Vz1C8OB2fIIe8CMhx9Ex-10" edge="1"> + <mxGeometry x="0.5097" relative="1" as="geometry"> + <mxPoint as="offset" /> + </mxGeometry> + </mxCell> + <mxCell id="Vz1C8OB2fIIe8CMhx9Ex-14" value="lhn2ix-net = fdf3:aad9:a885:77dd::/64<br>conflatorio-net = fdf3:aad9:a885:77dd:aaaa::/120" style="text;html=1;align=left;verticalAlign=middle;resizable=0;points=[];autosize=1;strokeColor=none;fillColor=none;" parent="1" vertex="1"> + <mxGeometry x="1770" y="60" width="280" height="40" as="geometry" /> + </mxCell> + <mxCell id="Vz1C8OB2fIIe8CMhx9Ex-15" style="orthogonalLoop=1;jettySize=auto;html=1;exitX=0.5;exitY=1;exitDx=0;exitDy=0;exitPerimeter=0;rounded=0;" parent="1" source="Vz1C8OB2fIIe8CMhx9Ex-16" target="Vz1C8OB2fIIe8CMhx9Ex-1" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="Vz1C8OB2fIIe8CMhx9Ex-16" value="unifi-controller" style="sketch=0;points=[[0.015,0.015,0],[0.985,0.015,0],[0.985,0.985,0],[0.015,0.985,0],[0.25,0,0],[0.5,0,0],[0.75,0,0],[1,0.25,0],[1,0.5,0],[1,0.75,0],[0.75,1,0],[0.5,1,0],[0.25,1,0],[0,0.75,0],[0,0.5,0],[0,0.25,0]];verticalLabelPosition=middle;html=1;verticalAlign=middle;aspect=fixed;align=right;pointerEvents=1;shape=mxgraph.cisco19.server;fillColor=#005073;strokeColor=none;labelPosition=left;" parent="1" vertex="1"> + <mxGeometry x="1410" y="320" width="22" height="40" as="geometry" /> + </mxCell> + <mxCell id="Vz1C8OB2fIIe8CMhx9Ex-17" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;" parent="1" source="Vz1C8OB2fIIe8CMhx9Ex-11" target="Vz1C8OB2fIIe8CMhx9Ex-16" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="Vz1C8OB2fIIe8CMhx9Ex-18" style="orthogonalLoop=1;jettySize=auto;html=1;entryX=1;entryY=0.5;entryDx=0;entryDy=0;entryPerimeter=0;exitX=0.4;exitY=0.1;exitDx=0;exitDy=0;exitPerimeter=0;" parent="1" source="Vz1C8OB2fIIe8CMhx9Ex-19" target="Vz1C8OB2fIIe8CMhx9Ex-20" edge="1"> + <mxGeometry relative="1" as="geometry"> + <mxPoint x="1630" y="140" as="targetPoint" /> + </mxGeometry> + </mxCell> + <mxCell id="Vz1C8OB2fIIe8CMhx9Ex-19" value="public" style="ellipse;shape=cloud;whiteSpace=wrap;html=1;" parent="1" vertex="1"> + <mxGeometry x="1662" y="161" width="80" height="40" as="geometry" /> + </mxCell> + <mxCell id="Vz1C8OB2fIIe8CMhx9Ex-20" value="conflatorio" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=bottom;html=1;verticalAlign=top;aspect=fixed;align=center;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;" parent="1" vertex="1"> + <mxGeometry x="1510.5" y="80" width="41" height="41" as="geometry" /> + </mxCell> + <mxCell id="Vz1C8OB2fIIe8CMhx9Ex-21" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;" parent="1" source="Vz1C8OB2fIIe8CMhx9Ex-22" target="Vz1C8OB2fIIe8CMhx9Ex-1" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="Vz1C8OB2fIIe8CMhx9Ex-22" value="influxdb" style="sketch=0;points=[[0.015,0.015,0],[0.985,0.015,0],[0.985,0.985,0],[0.015,0.985,0],[0.25,0,0],[0.5,0,0],[0.75,0,0],[1,0.25,0],[1,0.5,0],[1,0.75,0],[0.75,1,0],[0.5,1,0],[0.25,1,0],[0,0.75,0],[0,0.5,0],[0,0.25,0]];verticalLabelPosition=middle;html=1;verticalAlign=middle;aspect=fixed;align=right;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=database_relational;labelPosition=left;" parent="1" vertex="1"> + <mxGeometry x="1401" y="440" width="40" height="40" as="geometry" /> + </mxCell> + <mxCell id="MlYskDayVSW2n0ct6hMW-2" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;" parent="1" source="MlYskDayVSW2n0ct6hMW-1" target="Vz1C8OB2fIIe8CMhx9Ex-19" edge="1"> + <mxGeometry relative="1" as="geometry"> + <mxPoint x="1870" y="350" as="targetPoint" /> + </mxGeometry> + </mxCell> + <mxCell id="MlYskDayVSW2n0ct6hMW-4" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;shadow=0;jumpStyle=none;fontStyle=1;fillColor=#f5f5f5;strokeColor=#666666;" parent="1" source="MlYskDayVSW2n0ct6hMW-3" target="Vz1C8OB2fIIe8CMhx9Ex-2" edge="1"> + <mxGeometry relative="1" as="geometry"> + <mxPoint x="1740" y="340" as="targetPoint" /> + </mxGeometry> + </mxCell> + <mxCell id="MlYskDayVSW2n0ct6hMW-1" value="telegraf" style="sketch=0;points=[[0.015,0.015,0],[0.985,0.015,0],[0.985,0.985,0],[0.015,0.985,0],[0.25,0,0],[0.5,0,0],[0.75,0,0],[1,0.25,0],[1,0.5,0],[1,0.75,0],[0.75,1,0],[0.5,1,0],[0.25,1,0],[0,0.75,0],[0,0.5,0],[0,0.25,0]];verticalLabelPosition=middle;html=1;verticalAlign=middle;aspect=fixed;align=left;pointerEvents=1;shape=mxgraph.cisco19.server;fillColor=#005073;strokeColor=none;labelPosition=right;" parent="1" vertex="1"> + <mxGeometry x="1742" y="320" width="22" height="40" as="geometry" /> + </mxCell> + <mxCell id="MlYskDayVSW2n0ct6hMW-6" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;" parent="1" source="MlYskDayVSW2n0ct6hMW-3" target="Vz1C8OB2fIIe8CMhx9Ex-1" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="MlYskDayVSW2n0ct6hMW-7" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;" parent="1" source="MlYskDayVSW2n0ct6hMW-3" target="Vz1C8OB2fIIe8CMhx9Ex-19" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="MlYskDayVSW2n0ct6hMW-3" value="pgadmin" style="points=[[0.015,0.015,0],[0.985,0.015,0],[0.985,0.985,0],[0.015,0.985,0],[0.25,0,0],[0.5,0,0],[0.75,0,0],[1,0.25,0],[1,0.5,0],[1,0.75,0],[0.75,1,0],[0.5,1,0],[0.25,1,0],[0,0.75,0],[0,0.5,0],[0,0.25,0]];verticalLabelPosition=bottom;html=1;verticalAlign=top;aspect=fixed;align=center;pointerEvents=1;shape=mxgraph.cisco19.server;fillColor=#005073;strokeColor=none;labelPosition=center;shadow=0;labelBackgroundColor=none;" parent="1" vertex="1"> + <mxGeometry x="1670" y="440" width="22" height="40" as="geometry" /> + </mxCell> + <mxCell id="MlYskDayVSW2n0ct6hMW-9" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=none;endFill=0;dashed=1;entryX=1.002;entryY=0.247;entryDx=0;entryDy=0;entryPerimeter=0;" parent="1" source="MlYskDayVSW2n0ct6hMW-8" target="MlYskDayVSW2n0ct6hMW-1" edge="1"> + <mxGeometry relative="1" as="geometry"> + <Array as="points"> + <mxPoint x="1780" y="330" /> + </Array> + </mxGeometry> + </mxCell> + <mxCell id="MlYskDayVSW2n0ct6hMW-8" value="Has network=host, monitors conflatorio itself" style="text;html=1;strokeColor=none;fillColor=none;align=left;verticalAlign=middle;whiteSpace=wrap;rounded=0;" parent="1" vertex="1"> + <mxGeometry x="1830" y="260" width="110" height="50" as="geometry" /> + </mxCell> + </root> + </mxGraphModel> + </diagram> + <diagram id="pCcwJyTKyqWcmV8DOXKF" name="tnet"> + <mxGraphModel dx="2074" dy="1198" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="1169" pageHeight="827" math="0" shadow="0"> + <root> + <mxCell id="0" /> + <mxCell id="1" parent="0" /> + <mxCell id="qgdV0KhxuuxavuWXjZ00-3" value="lhn2ix" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=bottom;html=1;verticalAlign=top;aspect=fixed;align=center;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;fontStyle=1" parent="1" vertex="1"> + <mxGeometry x="400" y="240" width="40" height="40" as="geometry" /> + </mxCell> + <mxCell id="qgdV0KhxuuxavuWXjZ00-1" value="hash" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=top;html=1;verticalAlign=bottom;aspect=fixed;align=center;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;labelPosition=center;fontStyle=1" parent="1" vertex="1"> + <mxGeometry x="360" y="120" width="40" height="40" as="geometry" /> + </mxCell> + <mxCell id="qgdV0KhxuuxavuWXjZ00-2" value="knot" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=top;html=1;verticalAlign=bottom;aspect=fixed;align=center;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;labelPosition=center;fontStyle=1" parent="1" vertex="1"> + <mxGeometry x="200" y="120" width="40" height="40" as="geometry" /> + </mxCell> + <mxCell id="qgdV0KhxuuxavuWXjZ00-8" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=none;endFill=0;entryX=0.5;entryY=1;entryDx=0;entryDy=0;entryPerimeter=0;exitX=0.145;exitY=0.145;exitDx=0;exitDy=0;exitPerimeter=0;" parent="1" source="qgdV0KhxuuxavuWXjZ00-3" target="qgdV0KhxuuxavuWXjZ00-1" edge="1"> + <mxGeometry relative="1" as="geometry"> + <mxPoint x="420" y="230" as="sourcePoint" /> + </mxGeometry> + </mxCell> + <mxCell id="qgdV0KhxuuxavuWXjZ00-14" value="::3" style="edgeLabel;html=1;align=right;verticalAlign=top;resizable=0;points=[];labelPosition=left;verticalLabelPosition=bottom;" parent="qgdV0KhxuuxavuWXjZ00-8" vertex="1" connectable="0"> + <mxGeometry x="1" relative="1" as="geometry"> + <mxPoint as="offset" /> + </mxGeometry> + </mxCell> + <mxCell id="qgdV0KhxuuxavuWXjZ00-20" value="::9" style="edgeLabel;html=1;align=left;verticalAlign=bottom;resizable=0;points=[];labelPosition=right;verticalLabelPosition=top;" parent="qgdV0KhxuuxavuWXjZ00-8" vertex="1" connectable="0"> + <mxGeometry x="-0.9" relative="1" as="geometry"> + <mxPoint as="offset" /> + </mxGeometry> + </mxCell> + <mxCell id="qgdV0KhxuuxavuWXjZ00-6" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=none;endFill=0;entryX=0.145;entryY=0.855;entryDx=0;entryDy=0;entryPerimeter=0;exitX=0.8555;exitY=0.145;exitDx=0;exitDy=0;exitPerimeter=0;" parent="1" source="qgdV0KhxuuxavuWXjZ00-4" target="qgdV0KhxuuxavuWXjZ00-1" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="qgdV0KhxuuxavuWXjZ00-16" value="::5" style="edgeLabel;html=1;align=left;verticalAlign=middle;resizable=0;points=[];labelPosition=right;verticalLabelPosition=middle;" parent="qgdV0KhxuuxavuWXjZ00-6" vertex="1" connectable="0"> + <mxGeometry x="-0.9" relative="1" as="geometry"> + <mxPoint y="6" as="offset" /> + </mxGeometry> + </mxCell> + <mxCell id="qgdV0KhxuuxavuWXjZ00-21" value="::10" style="edgeLabel;html=1;align=right;verticalAlign=bottom;resizable=0;points=[];labelPosition=left;verticalLabelPosition=top;" parent="qgdV0KhxuuxavuWXjZ00-6" vertex="1" connectable="0"> + <mxGeometry x="0.95" relative="1" as="geometry"> + <mxPoint as="offset" /> + </mxGeometry> + </mxCell> + <mxCell id="qgdV0KhxuuxavuWXjZ00-4" value="kv24ix" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=bottom;html=1;verticalAlign=top;aspect=fixed;align=center;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;fontStyle=1" parent="1" vertex="1"> + <mxGeometry x="160" y="240" width="40" height="40" as="geometry" /> + </mxCell> + <mxCell id="qgdV0KhxuuxavuWXjZ00-5" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0.5;entryY=1;entryDx=0;entryDy=0;entryPerimeter=0;endArrow=none;endFill=0;exitX=0.8555;exitY=0.145;exitDx=0;exitDy=0;exitPerimeter=0;" parent="1" source="qgdV0KhxuuxavuWXjZ00-4" target="qgdV0KhxuuxavuWXjZ00-2" edge="1"> + <mxGeometry relative="1" as="geometry"> + <mxPoint x="110" y="360" as="sourcePoint" /> + </mxGeometry> + </mxCell> + <mxCell id="qgdV0KhxuuxavuWXjZ00-18" value="::7" style="edgeLabel;html=1;align=left;verticalAlign=top;resizable=0;points=[];labelPosition=right;verticalLabelPosition=bottom;" parent="qgdV0KhxuuxavuWXjZ00-5" vertex="1" connectable="0"> + <mxGeometry x="0.9" relative="1" as="geometry"> + <mxPoint as="offset" /> + </mxGeometry> + </mxCell> + <mxCell id="qgdV0KhxuuxavuWXjZ00-40" value="::6" style="edgeLabel;html=1;align=right;verticalAlign=bottom;resizable=0;points=[];labelPosition=left;verticalLabelPosition=top;" parent="qgdV0KhxuuxavuWXjZ00-5" vertex="1" connectable="0"> + <mxGeometry x="-0.9" relative="1" as="geometry"> + <mxPoint as="offset" /> + </mxGeometry> + </mxCell> + <mxCell id="qgdV0KhxuuxavuWXjZ00-7" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=none;endFill=0;entryX=0;entryY=0.5;entryDx=0;entryDy=0;entryPerimeter=0;exitX=1;exitY=0.5;exitDx=0;exitDy=0;exitPerimeter=0;" parent="1" source="qgdV0KhxuuxavuWXjZ00-2" target="qgdV0KhxuuxavuWXjZ00-1" edge="1"> + <mxGeometry relative="1" as="geometry"> + <mxPoint x="250" y="110" as="sourcePoint" /> + <mxPoint x="340" y="120" as="targetPoint" /> + </mxGeometry> + </mxCell> + <mxCell id="qgdV0KhxuuxavuWXjZ00-12" value="::1" style="edgeLabel;html=1;align=left;verticalAlign=bottom;resizable=0;points=[];labelPosition=right;verticalLabelPosition=top;" parent="qgdV0KhxuuxavuWXjZ00-7" vertex="1" connectable="0"> + <mxGeometry x="-1" relative="1" as="geometry"> + <mxPoint as="offset" /> + </mxGeometry> + </mxCell> + <mxCell id="qgdV0KhxuuxavuWXjZ00-13" value="::2" style="edgeLabel;html=1;align=right;verticalAlign=bottom;resizable=0;points=[];labelPosition=left;verticalLabelPosition=top;" parent="qgdV0KhxuuxavuWXjZ00-7" vertex="1" connectable="0"> + <mxGeometry x="1" relative="1" as="geometry"> + <mxPoint as="offset" /> + </mxGeometry> + </mxCell> + <mxCell id="qgdV0KhxuuxavuWXjZ00-10" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0.855;entryY=0.8555;entryDx=0;entryDy=0;entryPerimeter=0;endArrow=none;endFill=0;exitX=0.145;exitY=0.145;exitDx=0;exitDy=0;exitPerimeter=0;" parent="1" source="qgdV0KhxuuxavuWXjZ00-3" target="qgdV0KhxuuxavuWXjZ00-2" edge="1"> + <mxGeometry relative="1" as="geometry"> + <mxPoint x="380" y="220" as="targetPoint" /> + </mxGeometry> + </mxCell> + <mxCell id="qgdV0KhxuuxavuWXjZ00-15" value="::4" style="edgeLabel;html=1;align=right;verticalAlign=top;resizable=0;points=[];labelPosition=left;verticalLabelPosition=bottom;" parent="qgdV0KhxuuxavuWXjZ00-10" vertex="1" connectable="0"> + <mxGeometry x="-0.9" relative="1" as="geometry"> + <mxPoint as="offset" /> + </mxGeometry> + </mxCell> + <mxCell id="qgdV0KhxuuxavuWXjZ00-19" value="::8" style="edgeLabel;html=1;align=left;verticalAlign=bottom;resizable=0;points=[];labelPosition=right;verticalLabelPosition=top;" parent="qgdV0KhxuuxavuWXjZ00-10" vertex="1" connectable="0"> + <mxGeometry x="0.94" relative="1" as="geometry"> + <mxPoint as="offset" /> + </mxGeometry> + </mxCell> + <mxCell id="qgdV0KhxuuxavuWXjZ00-22" value="conflatorio" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=bottom;html=1;verticalAlign=top;aspect=fixed;align=center;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;fontStyle=1" parent="1" vertex="1"> + <mxGeometry x="520" y="240" width="40" height="40" as="geometry" /> + </mxCell> + <mxCell id="qgdV0KhxuuxavuWXjZ00-24" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=none;endFill=0;entryX=1;entryY=0.5;entryDx=0;entryDy=0;entryPerimeter=0;exitX=0;exitY=0.5;exitDx=0;exitDy=0;exitPerimeter=0;" parent="1" source="qgdV0KhxuuxavuWXjZ00-22" target="qgdV0KhxuuxavuWXjZ00-3" edge="1"> + <mxGeometry relative="1" as="geometry"> + <mxPoint x="430" y="250" as="sourcePoint" /> + <mxPoint x="390" y="170" as="targetPoint" /> + </mxGeometry> + </mxCell> + <mxCell id="qgdV0KhxuuxavuWXjZ00-25" value="::11" style="edgeLabel;html=1;align=left;verticalAlign=bottom;resizable=0;points=[];labelPosition=right;verticalLabelPosition=top;" parent="qgdV0KhxuuxavuWXjZ00-24" vertex="1" connectable="0"> + <mxGeometry x="0.9" relative="1" as="geometry"> + <mxPoint as="offset" /> + </mxGeometry> + </mxCell> + <mxCell id="qgdV0KhxuuxavuWXjZ00-26" value="::12" style="edgeLabel;html=1;align=right;verticalAlign=bottom;resizable=0;points=[];labelPosition=left;verticalLabelPosition=top;" parent="qgdV0KhxuuxavuWXjZ00-24" vertex="1" connectable="0"> + <mxGeometry x="-0.9" relative="1" as="geometry"> + <mxPoint as="offset" /> + </mxGeometry> + </mxCell> + <mxCell id="qgdV0KhxuuxavuWXjZ00-28" value="f11b" style="ellipse;shape=cloud;whiteSpace=wrap;html=1;" parent="1" vertex="1"> + <mxGeometry x="70" y="70" width="80" height="40" as="geometry" /> + </mxCell> + <mxCell id="qgdV0KhxuuxavuWXjZ00-29" value="cd02" style="ellipse;shape=cloud;whiteSpace=wrap;html=1;" parent="1" vertex="1"> + <mxGeometry x="60" y="210" width="80" height="40" as="geometry" /> + </mxCell> + <mxCell id="qgdV0KhxuuxavuWXjZ00-30" value="dbe1" style="ellipse;shape=cloud;whiteSpace=wrap;html=1;" parent="1" vertex="1"> + <mxGeometry x="280" y="320" width="80" height="40" as="geometry" /> + </mxCell> + <mxCell id="qgdV0KhxuuxavuWXjZ00-31" value="ab69" style="ellipse;shape=cloud;whiteSpace=wrap;html=1;" parent="1" vertex="1"> + <mxGeometry x="450" y="330" width="80" height="40" as="geometry" /> + </mxCell> + <mxCell id="qgdV0KhxuuxavuWXjZ00-32" value="e5b0" style="ellipse;shape=cloud;whiteSpace=wrap;html=1;" parent="1" vertex="1"> + <mxGeometry x="440" y="50" width="80" height="40" as="geometry" /> + </mxCell> + <mxCell id="qgdV0KhxuuxavuWXjZ00-33" value="78e1" style="ellipse;shape=cloud;whiteSpace=wrap;html=1;" parent="1" vertex="1"> + <mxGeometry x="580" y="180" width="80" height="40" as="geometry" /> + </mxCell> + <mxCell id="qgdV0KhxuuxavuWXjZ00-34" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=none;endFill=0;entryX=0;entryY=0.5;entryDx=0;entryDy=0;entryPerimeter=0;exitX=0.8;exitY=0.8;exitDx=0;exitDy=0;exitPerimeter=0;" parent="1" source="qgdV0KhxuuxavuWXjZ00-28" target="qgdV0KhxuuxavuWXjZ00-2" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="qgdV0KhxuuxavuWXjZ00-35" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=none;endFill=0;exitX=0.8;exitY=0.8;exitDx=0;exitDy=0;exitPerimeter=0;entryX=0;entryY=0.5;entryDx=0;entryDy=0;entryPerimeter=0;" parent="1" source="qgdV0KhxuuxavuWXjZ00-29" target="qgdV0KhxuuxavuWXjZ00-4" edge="1"> + <mxGeometry relative="1" as="geometry"> + <mxPoint x="158" y="124" as="sourcePoint" /> + <mxPoint x="210" y="150" as="targetPoint" /> + </mxGeometry> + </mxCell> + <mxCell id="qgdV0KhxuuxavuWXjZ00-36" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0.855;entryY=0.8555;entryDx=0;entryDy=0;entryPerimeter=0;endArrow=none;endFill=0;exitX=0.4;exitY=0.1;exitDx=0;exitDy=0;exitPerimeter=0;" parent="1" source="qgdV0KhxuuxavuWXjZ00-31" target="qgdV0KhxuuxavuWXjZ00-3" edge="1"> + <mxGeometry relative="1" as="geometry"> + <mxPoint x="138" y="286" as="sourcePoint" /> + <mxPoint x="170" y="270" as="targetPoint" /> + </mxGeometry> + </mxCell> + <mxCell id="qgdV0KhxuuxavuWXjZ00-37" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0.145;entryY=0.855;entryDx=0;entryDy=0;entryPerimeter=0;endArrow=none;endFill=0;exitX=0.88;exitY=0.25;exitDx=0;exitDy=0;exitPerimeter=0;" parent="1" source="qgdV0KhxuuxavuWXjZ00-30" target="qgdV0KhxuuxavuWXjZ00-3" edge="1"> + <mxGeometry relative="1" as="geometry"> + <mxPoint x="148" y="296" as="sourcePoint" /> + <mxPoint x="180" y="280" as="targetPoint" /> + </mxGeometry> + </mxCell> + <mxCell id="qgdV0KhxuuxavuWXjZ00-38" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=none;endFill=0;exitX=0.13;exitY=0.77;exitDx=0;exitDy=0;exitPerimeter=0;entryX=0.8555;entryY=0.145;entryDx=0;entryDy=0;entryPerimeter=0;" parent="1" source="qgdV0KhxuuxavuWXjZ00-33" target="qgdV0KhxuuxavuWXjZ00-22" edge="1"> + <mxGeometry relative="1" as="geometry"> + <mxPoint x="472" y="350" as="sourcePoint" /> + <mxPoint x="444" y="284" as="targetPoint" /> + </mxGeometry> + </mxCell> + <mxCell id="qgdV0KhxuuxavuWXjZ00-39" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=none;endFill=0;entryX=0.8555;entryY=0.145;entryDx=0;entryDy=0;entryPerimeter=0;exitX=0.13;exitY=0.77;exitDx=0;exitDy=0;exitPerimeter=0;" parent="1" source="qgdV0KhxuuxavuWXjZ00-32" target="qgdV0KhxuuxavuWXjZ00-1" edge="1"> + <mxGeometry relative="1" as="geometry"> + <mxPoint x="602" y="244" as="sourcePoint" /> + <mxPoint x="570" y="260" as="targetPoint" /> + </mxGeometry> + </mxCell> + </root> + </mxGraphModel> + </diagram> + <diagram id="nSABVEWmQI0BlYm3Q41k" name="Processing"> + <mxGraphModel dx="2074" dy="1198" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="1169" pageHeight="827" math="0" shadow="0"> + <root> + <mxCell id="0" /> + <mxCell id="1" parent="0" /> + <mxCell id="rF8hUq1je10sbddVmS0I-5" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;" parent="1" source="rF8hUq1je10sbddVmS0I-1" target="rF8hUq1je10sbddVmS0I-3" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="rF8hUq1je10sbddVmS0I-6" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;fontStyle=1;entryX=0;entryY=0.5;entryDx=0;entryDy=0;" parent="1" source="rF8hUq1je10sbddVmS0I-1" target="rF8hUq1je10sbddVmS0I-4" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="rF8hUq1je10sbddVmS0I-13" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0;entryY=0.5;entryDx=0;entryDy=0;" parent="1" source="rF8hUq1je10sbddVmS0I-1" target="rF8hUq1je10sbddVmS0I-12" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="-XoDwskljkkj49KLHc14-8" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0;entryY=0.25;entryDx=0;entryDy=0;" parent="1" source="rF8hUq1je10sbddVmS0I-1" target="rF8hUq1je10sbddVmS0I-16" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="rF8hUq1je10sbddVmS0I-1" value="BGP routers" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#d5e8d4;strokeColor=#82b366;" parent="1" vertex="1"> + <mxGeometry x="360" y="160" width="120" height="40" as="geometry" /> + </mxCell> + <mxCell id="rF8hUq1je10sbddVmS0I-3" value="bird.conf" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#dae8fc;strokeColor=#6c8ebf;" parent="1" vertex="1"> + <mxGeometry x="520" y="160" width="120" height="40" as="geometry" /> + </mxCell> + <mxCell id="-XoDwskljkkj49KLHc14-2" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;" parent="1" source="rF8hUq1je10sbddVmS0I-4" target="-XoDwskljkkj49KLHc14-1" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="rF8hUq1je10sbddVmS0I-4" value="wireguard interfaces" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#dae8fc;strokeColor=#6c8ebf;" parent="1" vertex="1"> + <mxGeometry x="520" y="240" width="120" height="40" as="geometry" /> + </mxCell> + <mxCell id="rF8hUq1je10sbddVmS0I-9" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;" parent="1" source="rF8hUq1je10sbddVmS0I-8" target="rF8hUq1je10sbddVmS0I-1" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="rF8hUq1je10sbddVmS0I-15" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;" parent="1" source="rF8hUq1je10sbddVmS0I-8" target="rF8hUq1je10sbddVmS0I-14" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="rF8hUq1je10sbddVmS0I-8" value="Hosts<br>Local networks" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#dae8fc;strokeColor=#6c8ebf;" parent="1" vertex="1"> + <mxGeometry x="200" y="160" width="120" height="40" as="geometry" /> + </mxCell> + <mxCell id="rF8hUq1je10sbddVmS0I-11" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;" parent="1" source="rF8hUq1je10sbddVmS0I-10" target="rF8hUq1je10sbddVmS0I-1" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="rF8hUq1je10sbddVmS0I-10" value="Remote ASes" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#dae8fc;strokeColor=#6c8ebf;" parent="1" vertex="1"> + <mxGeometry x="360" y="80" width="120" height="40" as="geometry" /> + </mxCell> + <mxCell id="rF8hUq1je10sbddVmS0I-12" value="Networks" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#dae8fc;strokeColor=#6c8ebf;" parent="1" vertex="1"> + <mxGeometry x="520" y="320" width="120" height="40" as="geometry" /> + </mxCell> + <mxCell id="rF8hUq1je10sbddVmS0I-18" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0;entryY=0.5;entryDx=0;entryDy=0;" parent="1" source="rF8hUq1je10sbddVmS0I-14" target="rF8hUq1je10sbddVmS0I-16" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="rF8hUq1je10sbddVmS0I-14" value="Applications" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#dae8fc;strokeColor=#6c8ebf;" parent="1" vertex="1"> + <mxGeometry x="360" y="400" width="120" height="40" as="geometry" /> + </mxCell> + <mxCell id="rF8hUq1je10sbddVmS0I-16" value="Firewall rules" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#dae8fc;strokeColor=#6c8ebf;" parent="1" vertex="1"> + <mxGeometry x="520" y="400" width="120" height="40" as="geometry" /> + </mxCell> + <mxCell id="rF8hUq1je10sbddVmS0I-19" value="Wireguard Telegraf configuration" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#dae8fc;strokeColor=#6c8ebf;" parent="1" vertex="1"> + <mxGeometry x="840" y="240" width="120" height="40" as="geometry" /> + </mxCell> + <mxCell id="-XoDwskljkkj49KLHc14-3" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;" parent="1" source="-XoDwskljkkj49KLHc14-1" target="rF8hUq1je10sbddVmS0I-19" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="-XoDwskljkkj49KLHc14-1" value="Wireguard Telegraf configuration" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#d5e8d4;strokeColor=#82b366;" parent="1" vertex="1"> + <mxGeometry x="680" y="240" width="120" height="40" as="geometry" /> + </mxCell> + <mxCell id="-XoDwskljkkj49KLHc14-5" value="data" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#dae8fc;strokeColor=#6c8ebf;" parent="1" vertex="1"> + <mxGeometry x="880" y="40" width="120" height="40" as="geometry" /> + </mxCell> + <mxCell id="-XoDwskljkkj49KLHc14-7" value="rules" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#d5e8d4;strokeColor=#82b366;" parent="1" vertex="1"> + <mxGeometry x="880" y="120" width="120" height="40" as="geometry" /> + </mxCell> + </root> + </mxGraphModel> + </diagram> + <diagram id="KZKIfHUl2okZInCISHyk" name="tnet - new"> + <mxGraphModel dx="1257" dy="745" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="1169" pageHeight="827" math="0" shadow="0"> + <root> + <mxCell id="0" /> + <mxCell id="1" parent="0" /> + <mxCell id="rOxvz-1gei3paqyAHtll-16" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=none;endFill=0;spacing=4;" parent="1" source="rOxvz-1gei3paqyAHtll-11" target="rOxvz-1gei3paqyAHtll-13" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="rOxvz-1gei3paqyAHtll-11" value="knot<br>2004::ffff" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=top;html=1;verticalAlign=bottom;aspect=fixed;align=right;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;labelPosition=left;spacing=4;" parent="1" vertex="1"> + <mxGeometry x="680" y="160" width="40" height="40" as="geometry" /> + </mxCell> + <mxCell id="rOxvz-1gei3paqyAHtll-12" value="dn42" style="ellipse;shape=cloud;whiteSpace=wrap;html=1;" parent="1" vertex="1"> + <mxGeometry x="520" y="20" width="120" height="80" as="geometry" /> + </mxCell> + <mxCell id="rOxvz-1gei3paqyAHtll-13" value="hash<br>2009:ffff" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=top;html=1;verticalAlign=bottom;aspect=fixed;align=right;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;labelPosition=left;spacing=4;" parent="1" vertex="1"> + <mxGeometry x="400" y="160" width="40" height="40" as="geometry" /> + </mxCell> + <mxCell id="rOxvz-1gei3paqyAHtll-14" value="lhn2ix" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=middle;html=1;verticalAlign=middle;aspect=fixed;align=left;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;labelPosition=right;spacing=4;fillColor=#eeeeee;strokeColor=#36393d;fillStyle=auto;" parent="1" vertex="1"> + <mxGeometry x="480" y="480" width="40" height="40" as="geometry" /> + </mxCell> + <mxCell id="rOxvz-1gei3paqyAHtll-19" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=none;endFill=0;" parent="1" source="rOxvz-1gei3paqyAHtll-15" target="rOxvz-1gei3paqyAHtll-12" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="rOxvz-1gei3paqyAHtll-15" value="routedbits-lon1" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=middle;html=1;verticalAlign=middle;aspect=fixed;align=left;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;labelPosition=right;spacing=4;" parent="1" vertex="1"> + <mxGeometry x="680" y="40" width="40" height="40" as="geometry" /> + </mxCell> + <mxCell id="rOxvz-1gei3paqyAHtll-17" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=none;endFill=0;" parent="1" source="rOxvz-1gei3paqyAHtll-11" target="rOxvz-1gei3paqyAHtll-15" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="rOxvz-1gei3paqyAHtll-47" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=none;endFill=0;entryX=0.498;entryY=0.112;entryDx=0;entryDy=0;entryPerimeter=0;" parent="1" source="rOxvz-1gei3paqyAHtll-18" target="rOxvz-1gei3paqyAHtll-46" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="rOxvz-1gei3paqyAHtll-18" value="lhn2pi" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=middle;html=1;verticalAlign=middle;aspect=fixed;align=left;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;labelPosition=right;spacing=4;" parent="1" vertex="1"> + <mxGeometry x="600" y="480" width="40" height="40" as="geometry" /> + </mxCell> + <mxCell id="rOxvz-1gei3paqyAHtll-23" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=none;endFill=0;spacing=4;entryX=0.086;entryY=0.76;entryDx=0;entryDy=0;entryPerimeter=0;" parent="1" source="rOxvz-1gei3paqyAHtll-20" target="rOxvz-1gei3paqyAHtll-11" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="rOxvz-1gei3paqyAHtll-24" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=none;endFill=0;spacing=4;" parent="1" source="rOxvz-1gei3paqyAHtll-20" target="rOxvz-1gei3paqyAHtll-13" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="rOxvz-1gei3paqyAHtll-20" value="node1" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=middle;html=1;verticalAlign=middle;aspect=fixed;align=left;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;labelPosition=right;spacing=4;" parent="1" vertex="1"> + <mxGeometry x="160" y="480" width="40" height="40" as="geometry" /> + </mxCell> + <mxCell id="rOxvz-1gei3paqyAHtll-22" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=none;endFill=0;spacing=4;entryX=0.122;entryY=0.827;entryDx=0;entryDy=0;entryPerimeter=0;" parent="1" source="rOxvz-1gei3paqyAHtll-21" target="rOxvz-1gei3paqyAHtll-11" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="rOxvz-1gei3paqyAHtll-25" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=none;endFill=0;spacing=4;" parent="1" source="rOxvz-1gei3paqyAHtll-21" target="rOxvz-1gei3paqyAHtll-13" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="rOxvz-1gei3paqyAHtll-21" value="node2" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=middle;html=1;verticalAlign=middle;aspect=fixed;align=left;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;labelPosition=right;spacing=4;" parent="1" vertex="1"> + <mxGeometry x="320" y="480" width="40" height="40" as="geometry" /> + </mxCell> + <mxCell id="rOxvz-1gei3paqyAHtll-26" value="node1<br>2002" style="ellipse;shape=cloud;whiteSpace=wrap;html=1;" parent="1" vertex="1"> + <mxGeometry x="120" y="560" width="120" height="80" as="geometry" /> + </mxCell> + <mxCell id="rOxvz-1gei3paqyAHtll-27" value="node2<br>2003" style="ellipse;shape=cloud;whiteSpace=wrap;html=1;" parent="1" vertex="1"> + <mxGeometry x="280" y="560" width="120" height="80" as="geometry" /> + </mxCell> + <mxCell id="rOxvz-1gei3paqyAHtll-30" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=none;endFill=0;entryX=0.5;entryY=0.108;entryDx=0;entryDy=0;entryPerimeter=0;" parent="1" source="rOxvz-1gei3paqyAHtll-21" target="rOxvz-1gei3paqyAHtll-27" edge="1"> + <mxGeometry relative="1" as="geometry"> + <mxPoint x="90" y="503" as="sourcePoint" /> + <mxPoint x="620" y="257" as="targetPoint" /> + </mxGeometry> + </mxCell> + <mxCell id="rOxvz-1gei3paqyAHtll-31" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=none;endFill=0;entryX=0.5;entryY=0.107;entryDx=0;entryDy=0;entryPerimeter=0;" parent="1" source="rOxvz-1gei3paqyAHtll-20" target="rOxvz-1gei3paqyAHtll-26" edge="1"> + <mxGeometry relative="1" as="geometry"> + <mxPoint x="200" y="519" as="sourcePoint" /> + <mxPoint x="119" y="531" as="targetPoint" /> + </mxGeometry> + </mxCell> + <mxCell id="rOxvz-1gei3paqyAHtll-43" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=none;endFill=0;entryX=0.5;entryY=0.105;entryDx=0;entryDy=0;entryPerimeter=0;" parent="1" source="rOxvz-1gei3paqyAHtll-32" target="rOxvz-1gei3paqyAHtll-40" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="rOxvz-1gei3paqyAHtll-44" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=none;endFill=0;spacing=4;entryX=0.805;entryY=0.904;entryDx=0;entryDy=0;entryPerimeter=0;exitX=0.211;exitY=0.092;exitDx=0;exitDy=0;exitPerimeter=0;" parent="1" source="rOxvz-1gei3paqyAHtll-32" target="rOxvz-1gei3paqyAHtll-11" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="rOxvz-1gei3paqyAHtll-32" value="coregonus" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=middle;html=1;verticalAlign=middle;aspect=fixed;align=left;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;labelPosition=right;spacing=4;snapToPoint=0;" parent="1" vertex="1"> + <mxGeometry x="920" y="480" width="40" height="40" as="geometry" /> + </mxCell> + <mxCell id="rOxvz-1gei3paqyAHtll-38" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=none;endFill=0;entryX=0.5;entryY=0.947;entryDx=0;entryDy=0;entryPerimeter=0;" parent="1" source="rOxvz-1gei3paqyAHtll-37" target="rOxvz-1gei3paqyAHtll-46" edge="1"> + <mxGeometry relative="1" as="geometry"> + <mxPoint x="780" y="640" as="targetPoint" /> + </mxGeometry> + </mxCell> + <mxCell id="rOxvz-1gei3paqyAHtll-37" value="danneri" style="rounded=1;whiteSpace=wrap;html=1;" parent="1" vertex="1"> + <mxGeometry x="580" y="680" width="80" height="40" as="geometry" /> + </mxCell> + <mxCell id="rOxvz-1gei3paqyAHtll-39" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=none;endFill=0;spacing=4;entryX=0.374;entryY=0.976;entryDx=0;entryDy=0;entryPerimeter=0;exitX=0.619;exitY=0.022;exitDx=0;exitDy=0;exitPerimeter=0;" parent="1" source="rOxvz-1gei3paqyAHtll-18" target="rOxvz-1gei3paqyAHtll-11" edge="1"> + <mxGeometry relative="1" as="geometry"> + <mxPoint x="490" y="200" as="targetPoint" /> + </mxGeometry> + </mxCell> + <mxCell id="rOxvz-1gei3paqyAHtll-40" value="2005" style="ellipse;shape=cloud;whiteSpace=wrap;html=1;" parent="1" vertex="1"> + <mxGeometry x="880" y="560" width="120" height="80" as="geometry" /> + </mxCell> + <mxCell id="rOxvz-1gei3paqyAHtll-45" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=none;endFill=0;entryX=0.5;entryY=0.947;entryDx=0;entryDy=0;entryPerimeter=0;" parent="1" source="rOxvz-1gei3paqyAHtll-41" target="rOxvz-1gei3paqyAHtll-40" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="rOxvz-1gei3paqyAHtll-41" value="akili" style="rounded=1;whiteSpace=wrap;html=1;" parent="1" vertex="1"> + <mxGeometry x="900" y="680" width="80" height="40" as="geometry" /> + </mxCell> + <mxCell id="rOxvz-1gei3paqyAHtll-46" value="2008" style="ellipse;shape=cloud;whiteSpace=wrap;html=1;" parent="1" vertex="1"> + <mxGeometry x="560" y="560" width="120" height="80" as="geometry" /> + </mxCell> + <mxCell id="eAi0Ebt_qy5pI5aUobQS-5" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=none;endFill=0;entryX=0.238;entryY=0.083;entryDx=0;entryDy=0;entryPerimeter=0;" edge="1" parent="1" source="rOxvz-1gei3paqyAHtll-13" target="rOxvz-1gei3paqyAHtll-18"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + </root> + </mxGraphModel> + </diagram> +</mxfile> diff --git a/docs/new-vm.md b/docs/new-vm.md new file mode 100644 index 0000000..76e4eea --- /dev/null +++ b/docs/new-vm.md @@ -0,0 +1,37 @@ +Download generic cloud image: + + cd /data3/libvirt/images/pool/ + export TS=20240717-1811 + wget https://cloud.debian.org/images/cloud/bookworm/$TS/debian-12-genericcloud-amd64-$TS.qcow2 + cp debian-*-$TS.qcow2 $VM.qcow2 + qemu-img resize $VM.qcow2 20G + # This requires guestfs-tools + virt-resize --expand /dev/sda1 debian-*$TS.qcow2 $VM.qcow2 + +Inject SSH key for root user: + + virt-customize \ + --add /data3/libvirt/images/pool/$VM.qcow2 \ + --root-password password:root \ + --hostname $VM \ + --firstboot-command 'ssh-keygen -A && systemctl restart sshd' \ + --ssh-inject "root:file:$(echo ~trygvis/.ssh/id_ed25519.pub)" + +Register a new VM with Virtual Machine Manager. + + * Import existing disk image + * Select $VM.qcow2, select correct OS + * Set name to $VM, use "Bridge device", enter `br0`. + +Connect to the machine, log in as root/root and run `dhclient enp1s0`. + +Add host to Ansible inventory `ansible/inventory`. + +SSH to the host first so the host's fingerprint is saved: + + ssh $VM + +Apply users playbook: + + ansible-playbook ansible/plays/users.yml -l $VM -u root -k + ansible-playbook plays/danneri.yml diff --git a/docs/wg0 - 2023-10-23.drawio b/docs/wg0 - 2023-10-23.drawio new file mode 100644 index 0000000..c4fb932 --- /dev/null +++ b/docs/wg0 - 2023-10-23.drawio @@ -0,0 +1,105 @@ +<mxfile host="Electron" modified="2023-10-23T11:52:11.884Z" agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/22.0.2 Chrome/114.0.5735.289 Electron/25.8.4 Safari/537.36" etag="pchNw836AFK198TFqVm4" version="22.0.2" type="device"> + <diagram name="Page-1" id="v7i8TAT-5xv207MUNhIB"> + <mxGraphModel dx="2074" dy="1198" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="1169" pageHeight="827" math="0" shadow="0"> + <root> + <mxCell id="0" /> + <mxCell id="1" parent="0" /> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-8" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=classic;endFill=1;" parent="1" source="UDWjvm1ZnLB2DU_sOnAa-1" target="UDWjvm1ZnLB2DU_sOnAa-5" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-11" style="edgeStyle=none;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=classic;endFill=1;exitX=0.855;exitY=0.8555;exitDx=0;exitDy=0;exitPerimeter=0;" parent="1" source="UDWjvm1ZnLB2DU_sOnAa-1" target="UDWjvm1ZnLB2DU_sOnAa-4" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-1" value="conflatorio<br>wg0::3" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=middle;html=1;verticalAlign=middle;aspect=fixed;align=right;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;labelPosition=left;" parent="1" vertex="1"> + <mxGeometry x="350" y="240" width="50" height="50" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-9" style="edgeStyle=none;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=classic;endFill=1;exitX=0.145;exitY=0.145;exitDx=0;exitDy=0;exitPerimeter=0;entryX=1;entryY=0.5;entryDx=0;entryDy=0;entryPerimeter=0;" parent="1" source="UDWjvm1ZnLB2DU_sOnAa-2" target="UDWjvm1ZnLB2DU_sOnAa-5" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-10" style="edgeStyle=none;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=classic;endFill=1;exitX=0.145;exitY=0.855;exitDx=0;exitDy=0;exitPerimeter=0;entryX=1;entryY=0.5;entryDx=0;entryDy=0;entryPerimeter=0;" parent="1" source="UDWjvm1ZnLB2DU_sOnAa-2" target="UDWjvm1ZnLB2DU_sOnAa-4" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-26" value="eno1" style="edgeStyle=none;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=classic;endFill=1;" parent="1" source="UDWjvm1ZnLB2DU_sOnAa-2" target="UDWjvm1ZnLB2DU_sOnAa-28" edge="1"> + <mxGeometry relative="1" as="geometry"> + <mxPoint x="980" y="300" as="targetPoint" /> + </mxGeometry> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-32" value="enp2s0" style="edgeStyle=none;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=classic;endFill=1;" parent="1" source="yd4OAxL_OL2nS1uvAmHJ-6" target="UDWjvm1ZnLB2DU_sOnAa-33" edge="1"> + <mxGeometry relative="1" as="geometry"> + <mxPoint x="960" y="360" as="targetPoint" /> + </mxGeometry> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-2" value="akili<br>wg0:&nbsp;fdf3:aad9:a885:b3a::7/64" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=middle;html=1;verticalAlign=middle;aspect=fixed;align=left;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;labelPosition=right;" parent="1" vertex="1"> + <mxGeometry x="840" y="340" width="50" height="50" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-14" style="edgeStyle=none;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=classic;endFill=1;" parent="1" source="UDWjvm1ZnLB2DU_sOnAa-3" target="UDWjvm1ZnLB2DU_sOnAa-4" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-15" style="edgeStyle=none;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=classic;endFill=1;exitX=0.8555;exitY=0.145;exitDx=0;exitDy=0;exitPerimeter=0;entryX=0.209;entryY=0.791;entryDx=0;entryDy=0;entryPerimeter=0;" parent="1" source="UDWjvm1ZnLB2DU_sOnAa-3" target="UDWjvm1ZnLB2DU_sOnAa-5" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-3" value="arius" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=bottom;html=1;verticalAlign=top;aspect=fixed;align=center;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;" parent="1" vertex="1"> + <mxGeometry x="350" y="550" width="50" height="50" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-13" style="edgeStyle=none;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.8555;exitY=0.145;exitDx=0;exitDy=0;exitPerimeter=0;entryX=0.855;entryY=0.8555;entryDx=0;entryDy=0;entryPerimeter=0;endArrow=none;endFill=0;" parent="1" source="UDWjvm1ZnLB2DU_sOnAa-4" target="UDWjvm1ZnLB2DU_sOnAa-5" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-4" value="knot<br>wg0:&nbsp;fdf3:aad9:a885:b3a::1/64" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=bottom;html=1;verticalAlign=top;aspect=fixed;align=center;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;" parent="1" vertex="1"> + <mxGeometry x="620" y="550" width="50" height="50" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-7" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=none;endFill=0;" parent="1" source="UDWjvm1ZnLB2DU_sOnAa-5" target="UDWjvm1ZnLB2DU_sOnAa-6" edge="1"> + <mxGeometry relative="1" as="geometry"> + <mxPoint x="810" y="210" as="targetPoint" /> + </mxGeometry> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-12" style="edgeStyle=none;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0.145;entryY=0.145;entryDx=0;entryDy=0;entryPerimeter=0;endArrow=none;endFill=0;exitX=0.145;exitY=0.855;exitDx=0;exitDy=0;exitPerimeter=0;" parent="1" source="UDWjvm1ZnLB2DU_sOnAa-5" target="UDWjvm1ZnLB2DU_sOnAa-4" edge="1"> + <mxGeometry relative="1" as="geometry"> + <mxPoint x="710" y="300" as="sourcePoint" /> + </mxGeometry> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-5" value="hash" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=bottom;html=1;verticalAlign=top;aspect=fixed;align=center;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;" parent="1" vertex="1"> + <mxGeometry x="620" y="240" width="50" height="50" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-6" value="vimscore-4" style="sketch=0;points=[[0.015,0.015,0],[0.985,0.015,0],[0.985,0.985,0],[0.015,0.985,0],[0.25,0,0],[0.5,0,0],[0.75,0,0],[1,0.25,0],[1,0.5,0],[1,0.75,0],[0.75,1,0],[0.5,1,0],[0.25,1,0],[0,0.75,0],[0,0.5,0],[0,0.25,0]];verticalLabelPosition=top;html=1;verticalAlign=bottom;aspect=fixed;align=center;pointerEvents=1;shape=mxgraph.cisco19.server;fillColor=#005073;strokeColor=none;labelPosition=center;" parent="1" vertex="1"> + <mxGeometry x="631.25" y="130" width="27.500000000000004" height="50" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-16" value="unifi" style="sketch=0;points=[[0.015,0.015,0],[0.985,0.015,0],[0.985,0.985,0],[0.015,0.985,0],[0.25,0,0],[0.5,0,0],[0.75,0,0],[1,0.25,0],[1,0.5,0],[1,0.75,0],[0.75,1,0],[0.5,1,0],[0.25,1,0],[0,0.75,0],[0,0.5,0],[0,0.25,0]];verticalLabelPosition=top;html=1;verticalAlign=bottom;aspect=fixed;align=center;pointerEvents=1;shape=mxgraph.cisco19.server;fillColor=#005073;strokeColor=none;labelPosition=center;" parent="1" vertex="1"> + <mxGeometry x="361.25" y="130" width="27.500000000000004" height="50" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-17" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=none;endFill=0;" parent="1" source="UDWjvm1ZnLB2DU_sOnAa-1" target="UDWjvm1ZnLB2DU_sOnAa-16" edge="1"> + <mxGeometry relative="1" as="geometry"> + <mxPoint x="840" y="225" as="targetPoint" /> + <mxPoint x="680" y="275" as="sourcePoint" /> + </mxGeometry> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-19" value="trygvis net<br>Global ID: f3aad9a885<br>AS: 4230483679" style="text;html=1;align=center;verticalAlign=middle;resizable=0;points=[];autosize=1;strokeColor=none;fillColor=none;" parent="1" vertex="1"> + <mxGeometry x="518.75" y="10" width="140" height="60" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-20" value="Current:<br>Global ID: f3aad9a885<br style="border-color: var(--border-color);"><div style=""><span style="background-color: initial;">wg0 subnet ID: 0b3a</span></div><div style=""><span style="background-color: initial;">wg0 prefix: fdf3:aad9:a885:0b3a:/64</span></div>" style="text;html=1;align=left;verticalAlign=middle;resizable=0;points=[];autosize=1;strokeColor=none;fillColor=none;" parent="1" vertex="1"> + <mxGeometry x="40" y="70" width="210" height="70" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-22" value="lhn2<br>lhn2 subnet id: ::77dd/64" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=bottom;html=1;verticalAlign=top;aspect=fixed;align=center;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;" parent="1" vertex="1"> + <mxGeometry x="100" y="660" width="50" height="50" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-23" value="kv24<br>subnet id: ba64<br>ipv6 net:&nbsp;fdf3:aad9:a885:ba64::/64<br>" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=bottom;html=1;verticalAlign=top;aspect=fixed;align=center;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;" parent="1" vertex="1"> + <mxGeometry x="100" y="520" width="50" height="50" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-24" value="wg0 is the peering network" style="text;html=1;align=center;verticalAlign=middle;resizable=0;points=[];autosize=1;strokeColor=none;fillColor=none;" parent="1" vertex="1"> + <mxGeometry x="40" y="180" width="170" height="30" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-28" value="Network: fdf3:aad9:a885:ba64::/64" style="text;html=1;align=center;verticalAlign=middle;resizable=0;points=[];autosize=1;strokeColor=none;fillColor=none;rounded=0;" parent="1" vertex="1"> + <mxGeometry x="880" y="260" width="210" height="30" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-33" value="Network: fdf3:aad9:a885:ba65::/64" style="text;html=1;align=center;verticalAlign=middle;resizable=0;points=[];autosize=1;strokeColor=none;fillColor=none;rounded=0;perimeterSpacing=0;spacing=2;" parent="1" vertex="1"> + <mxGeometry x="850" y="680" width="210" height="30" as="geometry" /> + </mxCell> + <mxCell id="yd4OAxL_OL2nS1uvAmHJ-6" value="astyanax<br>wg0:&nbsp;fdf3:aad9:a885:b3a::10/64" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=middle;html=1;verticalAlign=middle;aspect=fixed;align=left;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;labelPosition=right;" parent="1" vertex="1"> + <mxGeometry x="840" y="460" width="50" height="50" as="geometry" /> + </mxCell> + <mxCell id="yd4OAxL_OL2nS1uvAmHJ-7" style="orthogonalLoop=1;jettySize=auto;html=1;entryX=1;entryY=0.5;entryDx=0;entryDy=0;entryPerimeter=0;rounded=0;" parent="1" source="yd4OAxL_OL2nS1uvAmHJ-6" target="UDWjvm1ZnLB2DU_sOnAa-4" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + </root> + </mxGraphModel> + </diagram> +</mxfile> diff --git a/docs/wg0.drawio b/docs/wg0.drawio new file mode 100644 index 0000000..e36c570 --- /dev/null +++ b/docs/wg0.drawio @@ -0,0 +1,105 @@ +<mxfile host="Electron" modified="2023-10-09T08:55:10.684Z" agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/22.0.2 Chrome/114.0.5735.289 Electron/25.8.4 Safari/537.36" etag="hlol1f-Fuq1V6yMgB_ic" version="22.0.2" type="device"> + <diagram name="Page-1" id="v7i8TAT-5xv207MUNhIB"> + <mxGraphModel dx="1383" dy="799" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="1169" pageHeight="827" math="0" shadow="0"> + <root> + <mxCell id="0" /> + <mxCell id="1" parent="0" /> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-8" style="rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=classic;endFill=1;" parent="1" source="UDWjvm1ZnLB2DU_sOnAa-1" target="UDWjvm1ZnLB2DU_sOnAa-5" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-11" style="edgeStyle=none;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=classic;endFill=1;exitX=0.855;exitY=0.8555;exitDx=0;exitDy=0;exitPerimeter=0;" parent="1" source="UDWjvm1ZnLB2DU_sOnAa-1" target="UDWjvm1ZnLB2DU_sOnAa-4" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-1" value="conflatorio<br>wg0::3" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=middle;html=1;verticalAlign=middle;aspect=fixed;align=right;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;labelPosition=left;" parent="1" vertex="1"> + <mxGeometry x="350" y="240" width="50" height="50" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-9" style="edgeStyle=none;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=classic;endFill=1;exitX=0.145;exitY=0.145;exitDx=0;exitDy=0;exitPerimeter=0;entryX=1;entryY=0.5;entryDx=0;entryDy=0;entryPerimeter=0;" parent="1" source="UDWjvm1ZnLB2DU_sOnAa-2" target="UDWjvm1ZnLB2DU_sOnAa-5" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-10" style="edgeStyle=none;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=classic;endFill=1;exitX=0.145;exitY=0.855;exitDx=0;exitDy=0;exitPerimeter=0;entryX=1;entryY=0.5;entryDx=0;entryDy=0;entryPerimeter=0;" parent="1" source="UDWjvm1ZnLB2DU_sOnAa-2" target="UDWjvm1ZnLB2DU_sOnAa-4" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-26" value="eno1" style="edgeStyle=none;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=classic;endFill=1;" parent="1" source="UDWjvm1ZnLB2DU_sOnAa-2" target="UDWjvm1ZnLB2DU_sOnAa-28" edge="1"> + <mxGeometry relative="1" as="geometry"> + <mxPoint x="980" y="300" as="targetPoint" /> + </mxGeometry> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-32" value="enp2s0" style="edgeStyle=none;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=classic;endFill=1;" parent="1" source="yd4OAxL_OL2nS1uvAmHJ-6" target="UDWjvm1ZnLB2DU_sOnAa-33" edge="1"> + <mxGeometry relative="1" as="geometry"> + <mxPoint x="960" y="360" as="targetPoint" /> + </mxGeometry> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-2" value="akili<br>wg0:&nbsp;fdf3:aad9:a885:b3a::7/64" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=middle;html=1;verticalAlign=middle;aspect=fixed;align=left;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;labelPosition=right;" parent="1" vertex="1"> + <mxGeometry x="840" y="340" width="50" height="50" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-14" style="edgeStyle=none;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=classic;endFill=1;" parent="1" source="UDWjvm1ZnLB2DU_sOnAa-3" target="UDWjvm1ZnLB2DU_sOnAa-4" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-15" style="edgeStyle=none;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=classic;endFill=1;exitX=0.8555;exitY=0.145;exitDx=0;exitDy=0;exitPerimeter=0;entryX=0.209;entryY=0.791;entryDx=0;entryDy=0;entryPerimeter=0;" parent="1" source="UDWjvm1ZnLB2DU_sOnAa-3" target="UDWjvm1ZnLB2DU_sOnAa-5" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-3" value="arius" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=bottom;html=1;verticalAlign=top;aspect=fixed;align=center;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;" parent="1" vertex="1"> + <mxGeometry x="350" y="550" width="50" height="50" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-13" style="edgeStyle=none;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.8555;exitY=0.145;exitDx=0;exitDy=0;exitPerimeter=0;entryX=0.855;entryY=0.8555;entryDx=0;entryDy=0;entryPerimeter=0;endArrow=none;endFill=0;" parent="1" source="UDWjvm1ZnLB2DU_sOnAa-4" target="UDWjvm1ZnLB2DU_sOnAa-5" edge="1"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-4" value="knot<br>wg0:&nbsp;fdf3:aad9:a885:b3a::1/64" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=bottom;html=1;verticalAlign=top;aspect=fixed;align=center;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;" parent="1" vertex="1"> + <mxGeometry x="620" y="550" width="50" height="50" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-7" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=none;endFill=0;" parent="1" source="UDWjvm1ZnLB2DU_sOnAa-5" target="UDWjvm1ZnLB2DU_sOnAa-6" edge="1"> + <mxGeometry relative="1" as="geometry"> + <mxPoint x="810" y="210" as="targetPoint" /> + </mxGeometry> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-12" style="edgeStyle=none;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0.145;entryY=0.145;entryDx=0;entryDy=0;entryPerimeter=0;endArrow=none;endFill=0;exitX=0.145;exitY=0.855;exitDx=0;exitDy=0;exitPerimeter=0;" parent="1" source="UDWjvm1ZnLB2DU_sOnAa-5" target="UDWjvm1ZnLB2DU_sOnAa-4" edge="1"> + <mxGeometry relative="1" as="geometry"> + <mxPoint x="710" y="300" as="sourcePoint" /> + </mxGeometry> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-5" value="hash" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=bottom;html=1;verticalAlign=top;aspect=fixed;align=center;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;" parent="1" vertex="1"> + <mxGeometry x="620" y="240" width="50" height="50" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-6" value="vimscore-4" style="sketch=0;points=[[0.015,0.015,0],[0.985,0.015,0],[0.985,0.985,0],[0.015,0.985,0],[0.25,0,0],[0.5,0,0],[0.75,0,0],[1,0.25,0],[1,0.5,0],[1,0.75,0],[0.75,1,0],[0.5,1,0],[0.25,1,0],[0,0.75,0],[0,0.5,0],[0,0.25,0]];verticalLabelPosition=top;html=1;verticalAlign=bottom;aspect=fixed;align=center;pointerEvents=1;shape=mxgraph.cisco19.server;fillColor=#005073;strokeColor=none;labelPosition=center;" parent="1" vertex="1"> + <mxGeometry x="631.25" y="130" width="27.500000000000004" height="50" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-16" value="unifi" style="sketch=0;points=[[0.015,0.015,0],[0.985,0.015,0],[0.985,0.985,0],[0.015,0.985,0],[0.25,0,0],[0.5,0,0],[0.75,0,0],[1,0.25,0],[1,0.5,0],[1,0.75,0],[0.75,1,0],[0.5,1,0],[0.25,1,0],[0,0.75,0],[0,0.5,0],[0,0.25,0]];verticalLabelPosition=top;html=1;verticalAlign=bottom;aspect=fixed;align=center;pointerEvents=1;shape=mxgraph.cisco19.server;fillColor=#005073;strokeColor=none;labelPosition=center;" parent="1" vertex="1"> + <mxGeometry x="361.25" y="130" width="27.500000000000004" height="50" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-17" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;endArrow=none;endFill=0;" parent="1" source="UDWjvm1ZnLB2DU_sOnAa-1" target="UDWjvm1ZnLB2DU_sOnAa-16" edge="1"> + <mxGeometry relative="1" as="geometry"> + <mxPoint x="840" y="225" as="targetPoint" /> + <mxPoint x="680" y="275" as="sourcePoint" /> + </mxGeometry> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-19" value="trygvis net<br>Global ID: f3aad9a885<br>AS: 4230483679" style="text;html=1;align=center;verticalAlign=middle;resizable=0;points=[];autosize=1;strokeColor=none;fillColor=none;" parent="1" vertex="1"> + <mxGeometry x="518.75" y="10" width="140" height="60" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-20" value="Current:<br>Global ID: f3aad9a885<br style="border-color: var(--border-color);"><div style=""><span style="background-color: initial;">wg0 subnet ID: 0b3a</span></div><div style=""><span style="background-color: initial;">wg0 prefix: fdf3:aad9:a885:0b3a:/64</span></div>" style="text;html=1;align=left;verticalAlign=middle;resizable=0;points=[];autosize=1;strokeColor=none;fillColor=none;" parent="1" vertex="1"> + <mxGeometry x="40" y="70" width="210" height="70" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-22" value="lhn2<br>lhn2 subnet id: ::77dd/64" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=bottom;html=1;verticalAlign=top;aspect=fixed;align=center;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;" parent="1" vertex="1"> + <mxGeometry x="100" y="660" width="50" height="50" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-23" value="kv24<br>subnet id: ba64<br>ipv6 net:&nbsp;fdf3:aad9:a885:ba64::/64<br>" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=bottom;html=1;verticalAlign=top;aspect=fixed;align=center;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;" parent="1" vertex="1"> + <mxGeometry x="100" y="520" width="50" height="50" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-24" value="wg0 is the peering network" style="text;html=1;align=center;verticalAlign=middle;resizable=0;points=[];autosize=1;strokeColor=none;fillColor=none;" parent="1" vertex="1"> + <mxGeometry x="40" y="180" width="170" height="30" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-28" value="Network: fdf3:aad9:a885:ba64::/64" style="text;html=1;align=center;verticalAlign=middle;resizable=0;points=[];autosize=1;strokeColor=none;fillColor=none;rounded=0;" parent="1" vertex="1"> + <mxGeometry x="880" y="260" width="210" height="30" as="geometry" /> + </mxCell> + <mxCell id="UDWjvm1ZnLB2DU_sOnAa-33" value="Network: fdf3:aad9:a885:ba65::/64" style="text;html=1;align=center;verticalAlign=middle;resizable=0;points=[];autosize=1;strokeColor=none;fillColor=none;rounded=0;perimeterSpacing=0;spacing=2;" parent="1" vertex="1"> + <mxGeometry x="850" y="680" width="210" height="30" as="geometry" /> + </mxCell> + <mxCell id="yd4OAxL_OL2nS1uvAmHJ-6" value="astyanax<br>wg0:&nbsp;fdf3:aad9:a885:b3a::10/64" style="sketch=0;points=[[0.5,0,0],[1,0.5,0],[0.5,1,0],[0,0.5,0],[0.145,0.145,0],[0.8555,0.145,0],[0.855,0.8555,0],[0.145,0.855,0]];verticalLabelPosition=middle;html=1;verticalAlign=middle;aspect=fixed;align=left;pointerEvents=1;shape=mxgraph.cisco19.rect;prIcon=router;fillColor=#FAFAFA;strokeColor=#005073;labelPosition=right;" vertex="1" parent="1"> + <mxGeometry x="840" y="460" width="50" height="50" as="geometry" /> + </mxCell> + <mxCell id="yd4OAxL_OL2nS1uvAmHJ-7" style="orthogonalLoop=1;jettySize=auto;html=1;entryX=1;entryY=0.5;entryDx=0;entryDy=0;entryPerimeter=0;rounded=0;" edge="1" parent="1" source="yd4OAxL_OL2nS1uvAmHJ-6" target="UDWjvm1ZnLB2DU_sOnAa-4"> + <mxGeometry relative="1" as="geometry" /> + </mxCell> + </root> + </mxGraphModel> + </diagram> +</mxfile> @@ -1,5 +1,5 @@ -#ENC[AES256_GCM,data:KE8haaNoCU7koejXB4F+UvE=,iv:M6s1LQBOlM97GAtZOGw7cnDcQZD/q4rNrEDF1FocxGs=,tag:mQszvgw+WNcEt9Czi+8hjg==,type:comment] -linode_token: ENC[AES256_GCM,data:OaLHFMUozNiWb/YA+Nja7plMvHfRBbvr3UMrt+hGl88F7eDe5CLkEfkeNNRHcUy1lxNhX1j4YlVhBGxdTA2PoQ==,iv:gz31tnelnCg7Yw1CoHCrSaNXnlehnx4TWFHJq0VCc3g=,tag:sdeiTbUAkTCVAeyw78DIVA==,type:str] +#ENC[AES256_GCM,data:VXrX0NUIHcFjmxHLuYzz9ekkR7N2IW/CF6a9U0dk/cvgtwoNLA==,iv:NIpefl6uO7c7ESxgCHXe3Y2x4cf9nLPjwDJo28xt5SY=,tag:U59KOg8Ny+O33Lf63Zjo1w==,type:comment] +linode_token: ENC[AES256_GCM,data:PeLIxcZ5mQMnp1LZy4saSUWIpCxrGm+3/6PssmIE9yO81x2HcGrgxO0CNl1feOtPrI1PVcAfFnFlpSetELLZlg==,iv:ETBKZgmFdIHoUROHVUzhxRoLS2uIuGR0SXZ96C9FhDk=,tag:pzuS8RLQf1A5ctmrOanVgA==,type:str] knot_pdb_terraform_password: ENC[AES256_GCM,data:cu5aUZAVrmtzgBB2hGfBkd+TU4vB0cWnBNluTHptyV0YvZuq,iv:HT4Cmr9huuylVt2vwFcrWUlBmDE6V3n0bXq/telJNBM=,tag:2RSvWnAAM5seHv12HyDprA==,type:str] sops: kms: [] @@ -34,8 +34,8 @@ sops: a1E2c3VEaWR0K3U4dnpqdm5RU0VCZUkKiOtFMhim7qAe4kDU2gijcCChesM0qAGk Z2xNVfBy4HH58cgWrtCQ6PRvULwAQ6Bgq59iZ7H/C2IFVqVfliajmw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-10-23T13:22:29Z" - mac: ENC[AES256_GCM,data:XkWZD0Whj/5Zd/dGC20UyQxvvkrca6Ox58L2cXzLAgum/lYj6Q+GdRIIApz7Iwmj8ZkX4I8+jrF9epozJwS4ZiYW6qsmcNzpt3F3oiwYqe8OcLfOpdSVdy5QekiNtweqO9zTAO14hVbz+QYkTnCBqc8tBF2BFVxek6j8KKSbTTM=,iv:O8AU9xhhnfJ36NBfJkdB6YVtmL/sEXRfVrMBpCV5ufc=,tag:/g/I6C2t4+QWUfFXDbblKQ==,type:str] + lastmodified: "2024-08-21T18:05:07Z" + mac: ENC[AES256_GCM,data:Kxa9SCKy0pLCgqGd7f+xFbQz3Cpf9EfDYP1fwPiIweHhw8iFEeaI7WZCb9zXjsky1tuQ0nbJMHfVQaPSqLC+ACyrBioXIBjgITAfEg3xtpRYiSQRFVBtGA7HpEAKWeFquzTvBR/EAoDuEvFTkrup3JSE8sM3bWKVb2dy1uRyBIc=,iv:O5LO1TFJLlFdCOGWWk5xJlQtVF1+sZTCH2DUKQdvQGo=,tag:0USQg2+EYUVG3+FsjilssQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3 diff --git a/terraform/conflatorio-docker/network.tf b/terraform/conflatorio-docker/network.tf deleted file mode 100644 index 32e1bfb..0000000 --- a/terraform/conflatorio-docker/network.tf +++ /dev/null @@ -1,9 +0,0 @@ -resource "docker_network" "public" { - name = "public" - - ipv6 = true - - ipam_config { - subnet = "fdf3:aad9:a885:77dd:bbbb::/120" - } -} diff --git a/terraform/conflatorio-docker/traefik.tf b/terraform/conflatorio-docker/traefik.tf index d15ac5c..cb5f2a0 100644 --- a/terraform/conflatorio-docker/traefik.tf +++ b/terraform/conflatorio-docker/traefik.tf @@ -12,6 +12,8 @@ resource "docker_container" "traefik" { privileged = false must_run = false + network_mode = "bridge" + networks_advanced { name = docker_network.traefik.name } @@ -23,20 +25,20 @@ resource "docker_container" "traefik" { ports { internal = 80 external = 80 - ip = "fdf3:aad9:a885:77dd::2" + ip = "${local.public_ip}" } ports { internal = 443 external = 443 - ip = "fdf3:aad9:a885:77dd::2" + ip = "${local.public_ip}" } # for buildfarm-server ports { internal = 8980 external = 8980 - ip = "fdf3:aad9:a885:77dd::2" + ip = "${local.public_ip}" } command = [ diff --git a/terraform/grafana/.terraform.lock.hcl b/terraform/conflatorio-prometheus/.terraform.lock.hcl index 4362198..9e1ccff 100644 --- a/terraform/grafana/.terraform.lock.hcl +++ b/terraform/conflatorio-prometheus/.terraform.lock.hcl @@ -23,8 +23,28 @@ provider "registry.terraform.io/cyrilgdn/postgresql" { ] } +provider "registry.terraform.io/hashicorp/null" { + version = "3.2.2" + hashes = [ + "h1:zT1ZbegaAYHwQa+QwIFugArWikRJI9dqohj8xb0GY88=", + "zh:3248aae6a2198f3ec8394218d05bd5e42be59f43a3a7c0b71c66ec0df08b69e7", + "zh:32b1aaa1c3013d33c245493f4a65465eab9436b454d250102729321a44c8ab9a", + "zh:38eff7e470acb48f66380a73a5c7cdd76cc9b9c9ba9a7249c7991488abe22fe3", + "zh:4c2f1faee67af104f5f9e711c4574ff4d298afaa8a420680b0cb55d7bbc65606", + "zh:544b33b757c0b954dbb87db83a5ad921edd61f02f1dc86c6186a5ea86465b546", + "zh:696cf785090e1e8cf1587499516b0494f47413b43cb99877ad97f5d0de3dc539", + "zh:6e301f34757b5d265ae44467d95306d61bef5e41930be1365f5a8dcf80f59452", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:913a929070c819e59e94bb37a2a253c228f83921136ff4a7aa1a178c7cce5422", + "zh:aa9015926cd152425dbf86d1abdbc74bfe0e1ba3d26b3db35051d7b9ca9f72ae", + "zh:bb04798b016e1e1d49bcc76d62c53b56c88c63d6f2dfe38821afef17c416a0e1", + "zh:c23084e1b23577de22603cff752e59128d83cfecc2e6819edadd8cf7a10af11e", + ] +} + provider "registry.terraform.io/hashicorp/random" { - version = "3.5.1" + version = "3.5.1" + constraints = "3.5.1" hashes = [ "h1:VSnd9ZIPyfKHOObuQCaKfnjIHRtR7qTw19Rz8tJxm+k=", "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64", diff --git a/terraform/conflatorio-docker/backend.tf b/terraform/conflatorio-prometheus/backend.tf index d2de289..9f2eed0 100644 --- a/terraform/conflatorio-docker/backend.tf +++ b/terraform/conflatorio-prometheus/backend.tf @@ -2,7 +2,7 @@ terraform { backend "s3" { bucket = "terraform-a6726272-73ff-11ed-8bdd-c79eb8376e05" - key = "conflatorio-docker/terraform.tfstate" + key = "conflatorio-prometheus/terraform.tfstate" skip_region_validation = true skip_credentials_validation = true skip_metadata_api_check = true diff --git a/terraform/conflatorio-prometheus/main.tf b/terraform/conflatorio-prometheus/main.tf new file mode 100644 index 0000000..f5c5a7f --- /dev/null +++ b/terraform/conflatorio-prometheus/main.tf @@ -0,0 +1,34 @@ +terraform { + required_version = "~> 1.3.5" + + required_providers { + docker = { + source = "kreuzwerker/docker" + version = "2.24.0" + } + postgresql = { + source = "cyrilgdn/postgresql" + version = "1.21.0" + } + random = { + source = "hashicorp/random" + version = "3.5.1" + } + sops = { + source = "lokkersp/sops" + version = "0.6.10" + } + } +} + +provider "docker" { + host = "ssh://conflatorio.vpn.trygvis.io" +} + +data "docker_network" "traefik" { + name = "traefik" +} + +data "docker_network" "private" { + name = "private" +} diff --git a/terraform/conflatorio-prometheus/prometheus.tf b/terraform/conflatorio-prometheus/prometheus.tf new file mode 100644 index 0000000..04dd406 --- /dev/null +++ b/terraform/conflatorio-prometheus/prometheus.tf @@ -0,0 +1,66 @@ +resource "docker_image" "prometheus" { + name = "prom/prometheus:v2.53.2" +} + +resource "docker_volume" "prometheus" { + name = "prometheus" +} + +resource "docker_container" "prometheus" { + image = docker_image.prometheus.image_id + name = "prometheus" + must_run = true + + env = [ + ] + + networks_advanced { + name = data.docker_network.private.name + } + + # networks_advanced { + # name = data.docker_network.traefik.name + # } + + # dynamic "labels" { + # for_each = [ + # { label = "traefik.enable", value = "true" }, + # { label = "traefik.docker.network", value = data.docker_network.traefik.name }, + # { label = "traefik.http.routers.prometheus.rule", value = "Host(`prometheus.trygvis.io`)" }, + # { label = "traefik.http.routers.prometheus.entrypoints", value = "websecure" }, + # { label = "traefik.http.routers.prometheus.tls.certresolver", value = "linode" }, + # ] + # content { + # label = labels.value["label"] + # value = labels.value["value"] + # } + # } + + mounts { + source = "${local.path}" + target = "/etc/prometheus" + type = "bind" + } + + volumes { + volume_name = docker_volume.prometheus.name + read_only = false + container_path = "/prometheus" + } + + depends_on = [ null_resource.mkdir ] +} + +locals { + path = "/etc/docker-service/prometheus" +} + +resource "null_resource" "mkdir" { + triggers = { + path = local.path + } + + provisioner "local-exec" { + command = "ssh conflatorio.vpn.trygvis.io sudo mkdir -p ${local.path}" + } +} diff --git a/terraform/conflatorio-docker/terragrunt.hcl b/terraform/conflatorio-prometheus/terragrunt.hcl index e147285..e147285 100644 --- a/terraform/conflatorio-docker/terragrunt.hcl +++ b/terraform/conflatorio-prometheus/terragrunt.hcl diff --git a/terraform/grafana/backend.tf b/terraform/dns/backend.tf index e796c2e..4f05aaf 100644 --- a/terraform/grafana/backend.tf +++ b/terraform/dns/backend.tf @@ -1,12 +1,16 @@ # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa terraform { + required_version = "~> 1.9.5" + backend "s3" { bucket = "terraform-a6726272-73ff-11ed-8bdd-c79eb8376e05" - key = "grafana/terraform.tfstate" + key = "dns/terraform.tfstate" skip_region_validation = true skip_credentials_validation = true skip_metadata_api_check = true + skip_requesting_account_id = true + skip_s3_checksum = true region = "eu-central-1" - endpoint = "eu-central-1.linodeobjects.com" + endpoints = { s3 : "https://eu-central-1.linodeobjects.com" } } } diff --git a/terraform/dns/dn42.tf b/terraform/dns/dn42.tf new file mode 100644 index 0000000..1f27821 --- /dev/null +++ b/terraform/dns/dn42.tf @@ -0,0 +1,85 @@ +# Generated from ansible data + +resource "linode_domain_record" "dn42-conflatorio" { + domain_id = linode_domain.root.id + name = "conflatorio.dn42" + record_type = "AAAA" + target = "fdb1:4242:3538:2008:8042:32ff:fe0c:7161" +} + +resource "linode_domain_record" "dn42-coregonus" { + domain_id = linode_domain.root.id + name = "coregonus.dn42" + record_type = "AAAA" + target = "fdb1:4242:3538:2005::ffff" +} + +resource "linode_domain_record" "dn42-danneri" { + domain_id = linode_domain.root.id + name = "danneri.dn42" + record_type = "AAAA" + target = "fdb1:4242:3538:2008:9422:d355:95b7:f170" +} + +resource "linode_domain_record" "dn42-ha-kv24" { + domain_id = linode_domain.root.id + name = "ha-kv24.dn42" + record_type = "AAAA" + target = "fdb1:4242:3538:2005:c534:9d54:8212:1ced" +} + +resource "linode_domain_record" "dn42-hash" { + domain_id = linode_domain.root.id + name = "hash.dn42" + record_type = "AAAA" + target = "fdb1:4242:3538:2007::ffff" +} + +resource "linode_domain_record" "dn42-knot" { + domain_id = linode_domain.root.id + name = "knot.dn42" + record_type = "AAAA" + target = "fdb1:4242:3538:2004::ffff" +} + +resource "linode_domain_record" "dn42-kv24ix" { + domain_id = linode_domain.root.id + name = "kv24ix.dn42" + record_type = "AAAA" + target = "fdb1:4242:3538:2006::ffff" +} + +resource "linode_domain_record" "dn42-lhn2-z2m" { + domain_id = linode_domain.root.id + name = "lhn2-z2m.dn42" + record_type = "AAAA" + target = "fdb1:4242:3538:2008:9aed:e460:1711:7dd" +} + +resource "linode_domain_record" "dn42-lhn2pi" { + domain_id = linode_domain.root.id + name = "lhn2pi.dn42" + record_type = "AAAA" + target = "fdb1:4242:3538:2008::ffff" +} + +resource "linode_domain_record" "dn42-node1" { + domain_id = linode_domain.root.id + name = "node1.dn42" + record_type = "AAAA" + target = "fdb1:4242:3538:2002::ffff" +} + +resource "linode_domain_record" "dn42-node2" { + domain_id = linode_domain.root.id + name = "node2.dn42" + record_type = "AAAA" + target = "fdb1:4242:3538:2003::ffff" +} + +resource "linode_domain_record" "dn42-unifi" { + domain_id = linode_domain.root.id + name = "unifi.dn42" + record_type = "AAAA" + target = "fdb1:4242:3538:2008:5054:ff:fe4d:96c" +} diff --git a/terraform/dns/main.tf b/terraform/dns/main.tf index c67944e..812f3b2 100644 --- a/terraform/dns/main.tf +++ b/terraform/dns/main.tf @@ -1,20 +1,8 @@ terraform { - required_version = "~> 1.3.6" - - backend "s3" { - bucket = "terraform-a6726272-73ff-11ed-8bdd-c79eb8376e05" - key = "dns/terraform.tfstate" - region = "eu-central-1" - skip_region_validation = true - skip_credentials_validation = true - skip_metadata_api_check = true - endpoint = "eu-central-1.linodeobjects.com" - } - required_providers { linode = { version = "2.7.1" - source = "linode/linode" + source = "linode/linode" } } } diff --git a/terraform/dns/terraform.tfstate b/terraform/dns/terraform.tfstate new file mode 100644 index 0000000..891db4d --- /dev/null +++ b/terraform/dns/terraform.tfstate @@ -0,0 +1,52 @@ +{ + "version": 3, + "serial": 1, + "lineage": "8244bd55-1992-3e9a-1072-28df4fb0d2f2", + "backend": { + "type": "s3", + "config": { + "access_key": null, + "acl": null, + "assume_role_duration_seconds": null, + "assume_role_policy": null, + "assume_role_policy_arns": null, + "assume_role_tags": null, + "assume_role_transitive_tag_keys": null, + "bucket": "terraform-a6726272-73ff-11ed-8bdd-c79eb8376e05", + "dynamodb_endpoint": null, + "dynamodb_table": null, + "encrypt": null, + "endpoint": "eu-central-1.linodeobjects.com", + "external_id": null, + "force_path_style": null, + "iam_endpoint": null, + "key": "dns/terraform.tfstate", + "kms_key_id": null, + "max_retries": null, + "profile": null, + "region": "eu-central-1", + "role_arn": null, + "secret_key": null, + "session_name": null, + "shared_credentials_file": null, + "skip_credentials_validation": true, + "skip_metadata_api_check": true, + "skip_region_validation": true, + "sse_customer_key": null, + "sts_endpoint": null, + "token": null, + "workspace_key_prefix": null + }, + "hash": 1226279900 + }, + "modules": [ + { + "path": [ + "root" + ], + "outputs": {}, + "resources": {}, + "depends_on": [] + } + ] +} diff --git a/terraform/grafana/terragrunt.hcl b/terraform/dns/terragrunt.hcl index e147285..e147285 100644 --- a/terraform/grafana/terragrunt.hcl +++ b/terraform/dns/terragrunt.hcl diff --git a/terraform/dns/trygvis.tf b/terraform/dns/trygvis.tf index ebc9da4..2a6752f 100644 --- a/terraform/dns/trygvis.tf +++ b/terraform/dns/trygvis.tf @@ -17,6 +17,22 @@ resource "linode_domain_record" "root-a" { target = "176.58.112.84" } +resource "linode_domain_record" "root-mx" { + domain_id = linode_domain.root.id + name = "" + record_type = "MX" + target = "in1-smtp.messagingengine.com" + priority = 10 +} + +resource "linode_domain_record" "root-mx2" { + domain_id = linode_domain.root.id + name = "" + record_type = "MX" + target = "in2-smtp.messagingengine.com" + priority = 20 +} + resource "linode_domain_record" "root-txt-google" { domain_id = linode_domain.root.id name = "" @@ -39,6 +55,52 @@ resource "linode_domain_record" "root-txt-keybase" { target = "keybase-site-verification=gcoO7zav4G2IK5KQdrWOgz_PD9wpZhz-0afIb1Kodrk" } +resource "linode_domain_record" "root-txt-fastmail-dkim" { + count = 3 + domain_id = linode_domain.root.id + name = format("fm%d._domainkey", count.index + 1) + record_type = "CNAME" + target = format("fm%d.trygvis.io.dkim.fmhosted.com", count.index + 1) +} + +resource "linode_domain_record" "root-txt-fastmail-spf" { + domain_id = linode_domain.root.id + name = "" + record_type = "TXT" + target = "v=spf1 include:spf.messagingengine.com ?all" +} + +resource "linode_domain_record" "root-txt-fastmail-dmark" { + domain_id = linode_domain.root.id + name = "_dmarc" + record_type = "TXT" + target = "v=DMARC1; p=none;" +} + +resource "linode_domain_record" "root-txt-fastmail-srv" { + domain_id = linode_domain.root.id + record_type = "SRV" + service = each.key + priority = each.value.priority + weight = each.value.weight + port = each.value.port + target = each.value.target + + for_each = tomap({ + submission = { priority = 0, weight = 0, port = 0, target = "." }, + imap = { priority = 0, weight = 0, port = 0, target = "." }, + submissions = { priority = 0, weight = 1, port = 465, target = "smtp.fastmail.com" }, + imaps = { priority = 0, weight = 1, port = 993, target = "imap.fastmail.com" }, + jmap = { priority = 0, weight = 1, port = 443, target = "api.fastmail.com" }, + autodiscover = { priority = 0, weight = 1, port = 443, target = "autodiscover.fastmail.com" }, + autodiscover = { priority = 0, weight = 1, port = 443, target = "autodiscover.fastmail.com" }, + carddav = { priority = 0, weight = 0, port = 0, target = "." }, + carddavs = { priority = 0, weight = 1, port = 443, target = "carddav.fastmail.com" }, + caldav = { priority = 0, weight = 0, port = 0, target = "." }, + caldavs = { priority = 0, weight = 1, port = 443, target = "caldav.fastmail.com" }, + }) +} + resource "linode_domain_record" "root-cname-ses-1" { domain_id = linode_domain.root.id name = "k5o5gjadej2kkfncu36i3ef5gt473sxy._domainkey" @@ -53,13 +115,6 @@ resource "linode_domain_record" "root-cname-ses-2" { target = "imtuzw2lnfktlc7uongw433qbwjxxatg.dkim.amazonses.com" } -resource "linode_domain_record" "dlock" { - domain_id = linode_domain.root.id - name = "dlock" - record_type = "A" - target = "35.205.192.14" -} - resource "linode_domain_record" "hash" { domain_id = linode_domain.root.id name = "hash" @@ -103,6 +158,13 @@ resource "linode_domain_record" "unifi" { target = "trygvis.io" } +resource "linode_domain_record" "kv24" { + domain_id = linode_domain.root.id + name = "kv24" + record_type = "CNAME" + target = "trygvis.io" +} + # Aliases for vs.trygvis.io resource "linode_domain_record" "nextcloud" { domain_id = linode_domain.root.id @@ -115,7 +177,14 @@ resource "linode_domain_record" "grafana" { domain_id = linode_domain.root.id name = "grafana" record_type = "CNAME" - target = "vs.trygvis.io" + target = "hash.trygvis.io" +} + +resource "linode_domain_record" "loki" { + domain_id = linode_domain.root.id + name = "loki" + record_type = "CNAME" + target = "hash.trygvis.io" } resource "linode_domain_record" "owncloud" { diff --git a/terraform/dns/vpn-cname.tf b/terraform/dns/vpn-cname.tf index bbd411a..c03b2bb 100644 --- a/terraform/dns/vpn-cname.tf +++ b/terraform/dns/vpn-cname.tf @@ -1,22 +1,22 @@ -resource "linode_domain_record" "vpn-conflatorio" { +#resource "linode_domain_record" "vpn-conflatorio" { +# domain_id = linode_domain.root.id +# name = "conflatorio.vpn" +# record_type = "AAAA" +# target = "fdf3:aad9:a885:77dd::2" +#} + +resource "linode_domain_record" "net-conflatorio" { domain_id = linode_domain.root.id - name = "conflatorio.vpn" + name = "conflatorio.net" record_type = "AAAA" - target = "fdf3:aad9:a885:77dd::2" + target = "fdb1:4242:3538:2001::ffff" } resource "linode_domain_record" "vpn-unifi" { domain_id = linode_domain.root.id name = "unifi.vpn" record_type = "CNAME" - target = "${linode_domain_record.vpn-conflatorio.name}.trygvis.io" -} - -resource "linode_domain_record" "vpn-grafana" { - domain_id = linode_domain.root.id - name = "grafana.vpn" - record_type = "CNAME" - target = "${linode_domain_record.vpn-conflatorio.name}.trygvis.io" + target = "${linode_domain_record.net-conflatorio.name}.trygvis.io" } resource "linode_domain_record" "vpn-influxdb" { diff --git a/terraform/dns/vpn.tf b/terraform/dns/vpn.tf index d73d01e..58efa5c 100644 --- a/terraform/dns/vpn.tf +++ b/terraform/dns/vpn.tf @@ -5,11 +5,11 @@ resource "linode_domain_record" "vpn-knot" { record_type = "AAAA" target = "fdf3:aad9:a885:0b3a::1" } -resource "linode_domain_record" "vpn-birgitte" { +resource "linode_domain_record" "vpn-conflatorio" { domain_id = linode_domain.root.id - name = "birgitte.vpn" + name = "conflatorio.vpn" record_type = "AAAA" - target = "fdf3:aad9:a885:0b3a::2" + target = "fdf3:aad9:a885:0b3a::3" } resource "linode_domain_record" "vpn-arius" { domain_id = linode_domain.root.id @@ -23,36 +23,18 @@ resource "linode_domain_record" "vpn-akili" { record_type = "AAAA" target = "fdf3:aad9:a885:0b3a::7" } -resource "linode_domain_record" "vpn-malabaricus" { - domain_id = linode_domain.root.id - name = "malabaricus.vpn" - record_type = "AAAA" - target = "fdf3:aad9:a885:0b3a::8" -} resource "linode_domain_record" "vpn-sweetzpot-mobile" { domain_id = linode_domain.root.id name = "sweetzpot-mobile.vpn" record_type = "AAAA" target = "fdf3:aad9:a885:0b3a::9" } -resource "linode_domain_record" "vpn-astyanax" { - domain_id = linode_domain.root.id - name = "astyanax.vpn" - record_type = "AAAA" - target = "fdf3:aad9:a885:0b3a::10" -} resource "linode_domain_record" "vpn-sweetzpot-macos" { domain_id = linode_domain.root.id name = "sweetzpot-macos.vpn" record_type = "AAAA" target = "fdf3:aad9:a885:0b3a::11" } -resource "linode_domain_record" "vpn-android-trygvis" { - domain_id = linode_domain.root.id - name = "android-trygvis.vpn" - record_type = "AAAA" - target = "fdf3:aad9:a885:0b3a::12" -} resource "linode_domain_record" "vpn-hash" { domain_id = linode_domain.root.id name = "hash.vpn" @@ -71,9 +53,21 @@ resource "linode_domain_record" "vpn-lhn2ix" { record_type = "AAAA" target = "fdf3:aad9:a885:0b3a::15" } +resource "linode_domain_record" "vpn-kv24ix" { + domain_id = linode_domain.root.id + name = "kv24ix.vpn" + record_type = "AAAA" + target = "fdf3:aad9:a885:0b3a::16" +} resource "linode_domain_record" "vpn-biwia" { domain_id = linode_domain.root.id name = "biwia.vpn" record_type = "AAAA" target = "fdf3:aad9:a885:0b3a::17" } +resource "linode_domain_record" "vpn-coregonus" { + domain_id = linode_domain.root.id + name = "coregonus.vpn" + record_type = "AAAA" + target = "fdf3:aad9:a885:0b3a::18" +} diff --git a/terraform/conflatorio-docker/.terraform.lock.hcl b/terraform/hash-docker/.terraform.lock.hcl index aa0f1fb..e35130a 100644 --- a/terraform/conflatorio-docker/.terraform.lock.hcl +++ b/terraform/hash-docker/.terraform.lock.hcl @@ -2,21 +2,21 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/null" { - version = "3.2.1" + version = "3.2.3" hashes = [ - "h1:FbGfc+muBsC17Ohy5g806iuI1hQc4SIexpYCrQHQd8w=", - "zh:58ed64389620cc7b82f01332e27723856422820cfd302e304b5f6c3436fb9840", - "zh:62a5cc82c3b2ddef7ef3a6f2fedb7b9b3deff4ab7b414938b08e51d6e8be87cb", - "zh:63cff4de03af983175a7e37e52d4bd89d990be256b16b5c7f919aff5ad485aa5", - "zh:74cb22c6700e48486b7cabefa10b33b801dfcab56f1a6ac9b6624531f3d36ea3", + "h1:+AnORRgFbRO6qqcfaQyeX80W0eX3VmjadjnUFUJTiXo=", + "zh:22d062e5278d872fe7aed834f5577ba0a5afe34a3bdac2b81f828d8d3e6706d2", + "zh:23dead00493ad863729495dc212fd6c29b8293e707b055ce5ba21ee453ce552d", + "zh:28299accf21763ca1ca144d8f660688d7c2ad0b105b7202554ca60b02a3856d3", + "zh:55c9e8a9ac25a7652df8c51a8a9a422bd67d784061b1de2dc9fe6c3cb4e77f2f", + "zh:756586535d11698a216291c06b9ed8a5cc6a4ec43eee1ee09ecd5c6a9e297ac1", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:79e553aff77f1cfa9012a2218b8238dd672ea5e1b2924775ac9ac24d2a75c238", - "zh:a1e06ddda0b5ac48f7e7c7d59e1ab5a4073bbcf876c73c0299e4610ed53859dc", - "zh:c37a97090f1a82222925d45d84483b2aa702ef7ab66532af6cbcfb567818b970", - "zh:e4453fbebf90c53ca3323a92e7ca0f9961427d2f0ce0d2b65523cc04d5d999c2", - "zh:e80a746921946d8b6761e77305b752ad188da60688cfd2059322875d363be5f5", - "zh:fbdb892d9822ed0e4cb60f2fedbdbb556e4da0d88d3b942ae963ed6ff091e48f", - "zh:fca01a623d90d0cad0843102f9b8b9fe0d3ff8244593bd817f126582b52dd694", + "zh:9d5eea62fdb587eeb96a8c4d782459f4e6b73baeece4d04b4a40e44faaee9301", + "zh:a6355f596a3fb8fc85c2fb054ab14e722991533f87f928e7169a486462c74670", + "zh:b5a65a789cff4ada58a5baffc76cb9767dc26ec6b45c00d2ec8b1b027f6db4ed", + "zh:db5ab669cf11d0e9f81dc380a6fdfcac437aea3d69109c7aef1a5426639d2d65", + "zh:de655d251c470197bcbb5ac45d289595295acb8f829f6c781d4a75c8c8b7c7dd", + "zh:f5c68199f2e6076bce92a12230434782bf768103a427e9bb9abee99b116af7b5", ] } diff --git a/terraform/hash-docker/backend.tf b/terraform/hash-docker/backend.tf new file mode 100644 index 0000000..d793773 --- /dev/null +++ b/terraform/hash-docker/backend.tf @@ -0,0 +1,16 @@ +# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa +terraform { + required_version = "~> 1.9.5" + + backend "s3" { + bucket = "terraform-a6726272-73ff-11ed-8bdd-c79eb8376e05" + key = "hash-docker/terraform.tfstate" + skip_region_validation = true + skip_credentials_validation = true + skip_metadata_api_check = true + skip_requesting_account_id = true + skip_s3_checksum = true + region = "eu-central-1" + endpoints = { s3 : "https://eu-central-1.linodeobjects.com" } + } +} diff --git a/terraform/conflatorio-docker/main.tf b/terraform/hash-docker/main.tf index 8a01be6..ba2c79f 100644 --- a/terraform/conflatorio-docker/main.tf +++ b/terraform/hash-docker/main.tf @@ -1,6 +1,4 @@ terraform { - required_version = "~> 1.3.5" - required_providers { docker = { source = "kreuzwerker/docker" @@ -13,8 +11,17 @@ terraform { } } +locals { + host = "hash.trygvis.io" + public_ip = "138.201.33.16" + + hs = module.ipam6.hosts + ns = module.ipam6.networks + dn42_range = local.ns.hash_docker_dn42.range +} + provider "docker" { - host = "ssh://conflatorio.vpn.trygvis.io" + host = "ssh://${local.host}" } data "sops_file_entry" "linode_token" { @@ -22,6 +29,6 @@ data "sops_file_entry" "linode_token" { data_key = "linode_token" } -output "foo" { - value = "foo!" +module "ipam6" { + source = "../ipam6" } diff --git a/terraform/hash-docker/network.tf b/terraform/hash-docker/network.tf new file mode 100644 index 0000000..94ddeef --- /dev/null +++ b/terraform/hash-docker/network.tf @@ -0,0 +1,14 @@ +resource "docker_network" "dn42" { + name = "dn42" + + ipv6 = true + + ipam_config { + gateway = "172.20.0.1" + subnet = "172.20.0.0/16" + } + + ipam_config { + subnet = local.dn42_range + } +} diff --git a/terraform/hash-docker/terragrunt.hcl b/terraform/hash-docker/terragrunt.hcl new file mode 100644 index 0000000..e147285 --- /dev/null +++ b/terraform/hash-docker/terragrunt.hcl @@ -0,0 +1,3 @@ +include "root" { + path = find_in_parent_folders() +} diff --git a/terraform/hash-docker/traefik.tf b/terraform/hash-docker/traefik.tf new file mode 100644 index 0000000..3708024 --- /dev/null +++ b/terraform/hash-docker/traefik.tf @@ -0,0 +1,105 @@ +resource "docker_network" "traefik" { + name = "traefik" +} + +resource "docker_image" "traefik" { + name = "traefik:2.9.8" +} + +resource "docker_container" "traefik" { + image = docker_image.traefik.image_id + name = "traefik" + privileged = false + must_run = false + + network_mode = "bridge" + + networks_advanced { + name = docker_network.traefik.name + } + + ports { + internal = 80 + external = 80 + ip = local.public_ip + } + + ports { + internal = 443 + external = 443 + ip = local.public_ip + } + + command = [ + "--log.level=DEBUG", + "--api=true", + "--api.dashboard=true", + "--api.debug=true", + # "--api.insecure=true", + "--providers.docker=true", + "--providers.docker.exposedbydefault=false", + "--entrypoints.websecure.address=:443", + "--entrypoints.web.address=:80", + "--entrypoints.web.http.redirections.entrypoint.to=websecure", + "--entrypoints.web.http.redirections.entrypoint.scheme=https", + "--certificatesresolvers.linode.acme.dnschallenge.provider=linode", + "--certificatesresolvers.linode.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53", + "--certificatesresolvers.linode.acme.email=root@trygvis.io", + "--certificatesresolvers.linode.acme.storage=/letsencrypt/acme.json", + + # There doesn't seem to be a way to define a specific + # serversTransport through the CLI or lables, to here backend + # certificate checks are globally disabled. + "--serverstransport.insecureskipverify", + ] + + dynamic "labels" { + for_each = [ + { label = "traefik.enable", value = "true" }, + { label = "traefik.http.routers.traefik.service", value = "api@internal" }, + { label = "traefik.http.routers.traefik.rule", value = "Host(`${local.host}`)" }, + { label = "traefik.http.routers.traefik.entrypoints", value = "websecure" }, + { label = "traefik.http.routers.traefik.tls.certresolver", value = "linode" }, + ] + content { + label = labels.value["label"] + value = labels.value["value"] + } + } + + env = [ + "LINODE_TOKEN=${data.sops_file_entry.linode_token.data}" + ] + + mounts { + source = "/etc/docker-service/traefik/letsencrypt" + target = "/letsencrypt" + type = "bind" + read_only = false + } + + mounts { + source = "/var/run/docker.sock" + target = "/var/run/docker.sock" + type = "bind" + read_only = true + } + + depends_on = [ + resource.null_resource.letsencrypt, + ] +} + +locals { + path = "/etc/docker-service/traefik/letsencrypt" +} + +resource "null_resource" "letsencrypt" { + triggers = { + path = local.path + } + + provisioner "local-exec" { + command = "ssh ${local.host} sudo mkdir -p ${local.path}" + } +} diff --git a/terraform/hash-grafana/.terraform.lock.hcl b/terraform/hash-grafana/.terraform.lock.hcl new file mode 100644 index 0000000..3242795 --- /dev/null +++ b/terraform/hash-grafana/.terraform.lock.hcl @@ -0,0 +1,84 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/cyrilgdn/postgresql" { + version = "1.21.0" + constraints = "1.21.0" + hashes = [ + "h1:v7X6z6j8Uo07+QJPuO3EVM8N1uy6t2k+1GiRGioOPGc=", + "zh:17e3d204dabc116276c763bb0cd159aa315789d3b0bcd3b8aede935509960ab6", + "zh:1a7e5ac1921afdb3b12a49714c5f446a7604bfa1eb7bd9c123d607f8cbda45e4", + "zh:24a880623e30928ee866c84016b1db4e0458764c7a547b808e2d398e90456d42", + "zh:255c6162d35ace6a313a50c4ceb5452bd5582d7bb097a44e75ac4901e635ca13", + "zh:281ab48b69d0852b5138fe5ea2301ff7fdff30748f1f7878ac837c71622d3f7b", + "zh:3d4e0ae2809e743272e5d2640b64354c48140e225c2ba6f1a211700ea70e0754", + "zh:4f4df290e3ff626d8b274c624852d21d194a397a7f580ebe0cbf0ff64dd8fa31", + "zh:5997ce8f7cbcd7ff5a443d037b83857b17b64be928e9d9338dd494466733df60", + "zh:a05f0b65b0abf4488cdaf7b239206940940be77fd51f458f2a0986c6a17436aa", + "zh:aeb6c6da639abb6126f38be90a7bc428f925461bf599388ff092e059e0bb1a94", + "zh:d30bb053b6000c32cc8d03da231c30eaecddd926200adf2e9ad9c0186c2ad1ad", + "zh:d978827683b324c75141fa80ebc28dcaf181acd0be0a47b1e5f9579a72a08151", + "zh:f51fae9206361cbe865e30b06d106270d6acf7ece0550953b0d6b55afe6be9ba", + "zh:fa49a2702c529865c20f57185d6dd41072fdd9a13ac1a49e30eb88605c31af7a", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "3.5.1" + hashes = [ + "h1:VSnd9ZIPyfKHOObuQCaKfnjIHRtR7qTw19Rz8tJxm+k=", + "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64", + "zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d", + "zh:4d2b219d09abf3b1bb4df93d399ed156cadd61f44ad3baf5cf2954df2fba0831", + "zh:6130bdde527587bbe2dcaa7150363e96dbc5250ea20154176d82bc69df5d4ce3", + "zh:6cc326cd4000f724d3086ee05587e7710f032f94fc9af35e96a386a1c6f2214f", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:b6d88e1d28cf2dfa24e9fdcc3efc77adcdc1c3c3b5c7ce503a423efbdd6de57b", + "zh:ba74c592622ecbcef9dc2a4d81ed321c4e44cddf7da799faa324da9bf52a22b2", + "zh:c7c5cde98fe4ef1143bd1b3ec5dc04baf0d4cc3ca2c5c7d40d17c0e9b2076865", + "zh:dac4bad52c940cd0dfc27893507c1e92393846b024c5a9db159a93c534a3da03", + "zh:de8febe2a2acd9ac454b844a4106ed295ae9520ef54dc8ed2faf29f12716b602", + "zh:eab0d0495e7e711cca367f7d4df6e322e6c562fc52151ec931176115b83ed014", + ] +} + +provider "registry.terraform.io/kreuzwerker/docker" { + version = "3.0.2" + constraints = "3.0.2" + hashes = [ + "h1:cT2ccWOtlfKYBUE60/v2/4Q6Stk1KYTNnhxSck+VPlU=", + "zh:15b0a2b2b563d8d40f62f83057d91acb02cd0096f207488d8b4298a59203d64f", + "zh:23d919de139f7cd5ebfd2ff1b94e6d9913f0977fcfc2ca02e1573be53e269f95", + "zh:38081b3fe317c7e9555b2aaad325ad3fa516a886d2dfa8605ae6a809c1072138", + "zh:4a9c5065b178082f79ad8160243369c185214d874ff5048556d48d3edd03c4da", + "zh:5438ef6afe057945f28bce43d76c4401254073de01a774760169ac1058830ac2", + "zh:60b7fadc287166e5c9873dfe53a7976d98244979e0ab66428ea0dea1ebf33e06", + "zh:61c5ec1cb94e4c4a4fb1e4a24576d5f39a955f09afb17dab982de62b70a9bdd1", + "zh:a38fe9016ace5f911ab00c88e64b156ebbbbfb72a51a44da3c13d442cd214710", + "zh:c2c4d2b1fd9ebb291c57f524b3bf9d0994ff3e815c0cd9c9bcb87166dc687005", + "zh:d567bb8ce483ab2cf0602e07eae57027a1a53994aba470fa76095912a505533d", + "zh:e83bf05ab6a19dd8c43547ce9a8a511f8c331a124d11ac64687c764ab9d5a792", + "zh:e90c934b5cd65516fbcc454c89a150bfa726e7cf1fe749790c7480bbeb19d387", + "zh:f05f167d2eaf913045d8e7b88c13757e3cf595dd5cd333057fdafc7c4b7fed62", + "zh:fcc9c1cea5ce85e8bcb593862e699a881bd36dffd29e2e367f82d15368659c3d", + ] +} + +provider "registry.terraform.io/lokkersp/sops" { + version = "0.6.10" + constraints = "0.6.10" + hashes = [ + "h1:atU8NIBxpNTWY+qBubvEOfjOn4K1aCDoq1iUFocgIHQ=", + "zh:0f053a26392a581b1f1ce6316cb7ed8ec4cc75e7f5f1cf7cfd45050b6b3c87ea", + "zh:207bb96c4471fce9aeb1b3c217d772692c3d865d294cf4d2501dad41de36a15e", + "zh:28506e8f1f3b9eaa95d99043440328044ee6340143535e5751538328a529d001", + "zh:3cae3bcea9e35fdc5b3f2af1b4580cd625c996448ad0c676c772260e46b25289", + "zh:3e44daaf82986c2b0028aeb17b867f3c68ed5dd8ac8625ba0406cf2a5fd3d92e", + "zh:457fb8ca2e677af24f9a4bdd8b613b1d7b604ad7133541657e5757c19268da71", + "zh:473d727c228f021a3df8cc8dcc6231ad7f90ed63f9e47c36b597d591e76228da", + "zh:48c4c1df39fd76ec8bd5fe9ac70cdc0927ac8be95582dbe46458b3442ce0fcd9", + "zh:728b19cb5c07e5e9d8b78fd94cc57d4c13582ecd24b7eb7c4cc2bf73b12fe4d1", + "zh:c51ed9af591779bb0910b82addeebb10f53428b994f8db653dd1dedcec60916c", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/terraform/hash-grafana/backend.tf b/terraform/hash-grafana/backend.tf new file mode 100644 index 0000000..b06355d --- /dev/null +++ b/terraform/hash-grafana/backend.tf @@ -0,0 +1,16 @@ +# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa +terraform { + required_version = "~> 1.9.5" + + backend "s3" { + bucket = "terraform-a6726272-73ff-11ed-8bdd-c79eb8376e05" + key = "hash-grafana/terraform.tfstate" + skip_region_validation = true + skip_credentials_validation = true + skip_metadata_api_check = true + skip_requesting_account_id = true + skip_s3_checksum = true + region = "eu-central-1" + endpoints = { s3 : "https://eu-central-1.linodeobjects.com" } + } +} diff --git a/terraform/grafana/grafana.tf b/terraform/hash-grafana/grafana.tf index 6d75da3..b425e72 100644 --- a/terraform/grafana/grafana.tf +++ b/terraform/hash-grafana/grafana.tf @@ -1,5 +1,5 @@ resource "docker_image" "grafana" { - name = "grafana/grafana-oss:10.1.5" + name = "grafana/grafana-oss:11.2.2" } resource "docker_volume" "grafana" { @@ -12,19 +12,21 @@ resource "docker_container" "grafana" { privileged = false must_run = true + network_mode = "bridge" + networks_advanced { name = data.docker_network.traefik.name } networks_advanced { - name = data.docker_network.public.name + name = data.docker_network.dn42.name } dynamic "labels" { for_each = [ { label = "traefik.enable", value = "true" }, { label = "traefik.docker.network", value = data.docker_network.traefik.name }, - { label = "traefik.http.routers.grafana.rule", value = "Host(`grafana.vpn.trygvis.io`)" }, + { label = "traefik.http.routers.grafana.rule", value = "Host(`grafana.trygvis.io`)" }, { label = "traefik.http.routers.grafana.entrypoints", value = "websecure" }, { label = "traefik.http.routers.grafana.tls.certresolver", value = "linode" }, ] @@ -36,7 +38,7 @@ resource "docker_container" "grafana" { env = [ "GF_DATABASE_TYPE=postgres", - "GF_DATABASE_HOST=[fdf3:aad9:a885:b3a::1]", + "GF_DATABASE_HOST=knot.dn42.trygvis.io", "GF_DATABASE_DATABASE=${postgresql_database.grafana.name}", "GF_DATABASE_USER=${postgresql_role.grafana.name}", "GF_DATABASE_PASSWORD=${postgresql_role.grafana.password}", @@ -45,5 +47,6 @@ resource "docker_container" "grafana" { volumes { volume_name = docker_volume.grafana.name container_path = "/var/lib/grafana" + read_only = false } } diff --git a/terraform/grafana/main.tf b/terraform/hash-grafana/main.tf index fa225ab..043b778 100644 --- a/terraform/grafana/main.tf +++ b/terraform/hash-grafana/main.tf @@ -1,10 +1,8 @@ terraform { - required_version = "~> 1.3.5" - required_providers { docker = { source = "kreuzwerker/docker" - version = "2.24.0" + version = "3.0.2" } postgresql = { source = "cyrilgdn/postgresql" @@ -21,8 +19,12 @@ terraform { } } +locals { + host = "hash.trygvis.io" +} + provider "docker" { - host = "ssh://conflatorio.vpn.trygvis.io" + host = "ssh://${local.host}" } data "sops_file_entry" "knot_pdb_terraform_password" { @@ -42,6 +44,6 @@ data "docker_network" "traefik" { name = "traefik" } -data "docker_network" "public" { - name = "public" +data "docker_network" "dn42" { + name = "dn42" } diff --git a/terraform/grafana/pdb.tf b/terraform/hash-grafana/pdb.tf index e2a59cd..e2a59cd 100644 --- a/terraform/grafana/pdb.tf +++ b/terraform/hash-grafana/pdb.tf diff --git a/terraform/hash-grafana/terragrunt.hcl b/terraform/hash-grafana/terragrunt.hcl new file mode 100644 index 0000000..e147285 --- /dev/null +++ b/terraform/hash-grafana/terragrunt.hcl @@ -0,0 +1,3 @@ +include "root" { + path = find_in_parent_folders() +} diff --git a/terraform/hash-loki/.terraform.lock.hcl b/terraform/hash-loki/.terraform.lock.hcl new file mode 100644 index 0000000..7020808 --- /dev/null +++ b/terraform/hash-loki/.terraform.lock.hcl @@ -0,0 +1,85 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/cyrilgdn/postgresql" { + version = "1.21.0" + constraints = "1.21.0" + hashes = [ + "h1:v7X6z6j8Uo07+QJPuO3EVM8N1uy6t2k+1GiRGioOPGc=", + "zh:17e3d204dabc116276c763bb0cd159aa315789d3b0bcd3b8aede935509960ab6", + "zh:1a7e5ac1921afdb3b12a49714c5f446a7604bfa1eb7bd9c123d607f8cbda45e4", + "zh:24a880623e30928ee866c84016b1db4e0458764c7a547b808e2d398e90456d42", + "zh:255c6162d35ace6a313a50c4ceb5452bd5582d7bb097a44e75ac4901e635ca13", + "zh:281ab48b69d0852b5138fe5ea2301ff7fdff30748f1f7878ac837c71622d3f7b", + "zh:3d4e0ae2809e743272e5d2640b64354c48140e225c2ba6f1a211700ea70e0754", + "zh:4f4df290e3ff626d8b274c624852d21d194a397a7f580ebe0cbf0ff64dd8fa31", + "zh:5997ce8f7cbcd7ff5a443d037b83857b17b64be928e9d9338dd494466733df60", + "zh:a05f0b65b0abf4488cdaf7b239206940940be77fd51f458f2a0986c6a17436aa", + "zh:aeb6c6da639abb6126f38be90a7bc428f925461bf599388ff092e059e0bb1a94", + "zh:d30bb053b6000c32cc8d03da231c30eaecddd926200adf2e9ad9c0186c2ad1ad", + "zh:d978827683b324c75141fa80ebc28dcaf181acd0be0a47b1e5f9579a72a08151", + "zh:f51fae9206361cbe865e30b06d106270d6acf7ece0550953b0d6b55afe6be9ba", + "zh:fa49a2702c529865c20f57185d6dd41072fdd9a13ac1a49e30eb88605c31af7a", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "3.5.1" + constraints = "3.5.1" + hashes = [ + "h1:VSnd9ZIPyfKHOObuQCaKfnjIHRtR7qTw19Rz8tJxm+k=", + "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64", + "zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d", + "zh:4d2b219d09abf3b1bb4df93d399ed156cadd61f44ad3baf5cf2954df2fba0831", + "zh:6130bdde527587bbe2dcaa7150363e96dbc5250ea20154176d82bc69df5d4ce3", + "zh:6cc326cd4000f724d3086ee05587e7710f032f94fc9af35e96a386a1c6f2214f", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:b6d88e1d28cf2dfa24e9fdcc3efc77adcdc1c3c3b5c7ce503a423efbdd6de57b", + "zh:ba74c592622ecbcef9dc2a4d81ed321c4e44cddf7da799faa324da9bf52a22b2", + "zh:c7c5cde98fe4ef1143bd1b3ec5dc04baf0d4cc3ca2c5c7d40d17c0e9b2076865", + "zh:dac4bad52c940cd0dfc27893507c1e92393846b024c5a9db159a93c534a3da03", + "zh:de8febe2a2acd9ac454b844a4106ed295ae9520ef54dc8ed2faf29f12716b602", + "zh:eab0d0495e7e711cca367f7d4df6e322e6c562fc52151ec931176115b83ed014", + ] +} + +provider "registry.terraform.io/kreuzwerker/docker" { + version = "3.0.2" + constraints = "3.0.2" + hashes = [ + "h1:cT2ccWOtlfKYBUE60/v2/4Q6Stk1KYTNnhxSck+VPlU=", + "zh:15b0a2b2b563d8d40f62f83057d91acb02cd0096f207488d8b4298a59203d64f", + "zh:23d919de139f7cd5ebfd2ff1b94e6d9913f0977fcfc2ca02e1573be53e269f95", + "zh:38081b3fe317c7e9555b2aaad325ad3fa516a886d2dfa8605ae6a809c1072138", + "zh:4a9c5065b178082f79ad8160243369c185214d874ff5048556d48d3edd03c4da", + "zh:5438ef6afe057945f28bce43d76c4401254073de01a774760169ac1058830ac2", + "zh:60b7fadc287166e5c9873dfe53a7976d98244979e0ab66428ea0dea1ebf33e06", + "zh:61c5ec1cb94e4c4a4fb1e4a24576d5f39a955f09afb17dab982de62b70a9bdd1", + "zh:a38fe9016ace5f911ab00c88e64b156ebbbbfb72a51a44da3c13d442cd214710", + "zh:c2c4d2b1fd9ebb291c57f524b3bf9d0994ff3e815c0cd9c9bcb87166dc687005", + "zh:d567bb8ce483ab2cf0602e07eae57027a1a53994aba470fa76095912a505533d", + "zh:e83bf05ab6a19dd8c43547ce9a8a511f8c331a124d11ac64687c764ab9d5a792", + "zh:e90c934b5cd65516fbcc454c89a150bfa726e7cf1fe749790c7480bbeb19d387", + "zh:f05f167d2eaf913045d8e7b88c13757e3cf595dd5cd333057fdafc7c4b7fed62", + "zh:fcc9c1cea5ce85e8bcb593862e699a881bd36dffd29e2e367f82d15368659c3d", + ] +} + +provider "registry.terraform.io/lokkersp/sops" { + version = "0.6.10" + constraints = "0.6.10" + hashes = [ + "h1:atU8NIBxpNTWY+qBubvEOfjOn4K1aCDoq1iUFocgIHQ=", + "zh:0f053a26392a581b1f1ce6316cb7ed8ec4cc75e7f5f1cf7cfd45050b6b3c87ea", + "zh:207bb96c4471fce9aeb1b3c217d772692c3d865d294cf4d2501dad41de36a15e", + "zh:28506e8f1f3b9eaa95d99043440328044ee6340143535e5751538328a529d001", + "zh:3cae3bcea9e35fdc5b3f2af1b4580cd625c996448ad0c676c772260e46b25289", + "zh:3e44daaf82986c2b0028aeb17b867f3c68ed5dd8ac8625ba0406cf2a5fd3d92e", + "zh:457fb8ca2e677af24f9a4bdd8b613b1d7b604ad7133541657e5757c19268da71", + "zh:473d727c228f021a3df8cc8dcc6231ad7f90ed63f9e47c36b597d591e76228da", + "zh:48c4c1df39fd76ec8bd5fe9ac70cdc0927ac8be95582dbe46458b3442ce0fcd9", + "zh:728b19cb5c07e5e9d8b78fd94cc57d4c13582ecd24b7eb7c4cc2bf73b12fe4d1", + "zh:c51ed9af591779bb0910b82addeebb10f53428b994f8db653dd1dedcec60916c", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/terraform/hash-loki/backend.tf b/terraform/hash-loki/backend.tf new file mode 100644 index 0000000..699df68 --- /dev/null +++ b/terraform/hash-loki/backend.tf @@ -0,0 +1,16 @@ +# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa +terraform { + required_version = "~> 1.9.5" + + backend "s3" { + bucket = "terraform-a6726272-73ff-11ed-8bdd-c79eb8376e05" + key = "hash-loki/terraform.tfstate" + skip_region_validation = true + skip_credentials_validation = true + skip_metadata_api_check = true + skip_requesting_account_id = true + skip_s3_checksum = true + region = "eu-central-1" + endpoints = { s3 : "https://eu-central-1.linodeobjects.com" } + } +} diff --git a/terraform/hash-loki/loki-config.yaml b/terraform/hash-loki/loki-config.yaml new file mode 100644 index 0000000..72e68b0 --- /dev/null +++ b/terraform/hash-loki/loki-config.yaml @@ -0,0 +1,73 @@ +# Downloaded with wget https://raw.githubusercontent.com/grafana/loki/v3.0.0/cmd/loki/loki-local-config.yaml -O loki-config.yaml + +auth_enabled: false + +server: + http_listen_port: 3100 + grpc_listen_port: 9096 + +common: + instance_addr: 127.0.0.1 + path_prefix: /loki + storage: + filesystem: + chunks_directory: /loki/chunks + rules_directory: /loki/rules + replication_factor: 1 + ring: + kvstore: + store: inmemory + +query_range: + results_cache: + cache: + embedded_cache: + enabled: true + max_size_mb: 100 + +schema_config: + configs: + - from: 2020-10-24 + store: tsdb + object_store: filesystem + schema: v13 + index: + prefix: index_ + period: 24h + +ruler: + alertmanager_url: http://localhost:9093 + +# By default, Loki will send anonymous, but uniquely-identifiable usage and configuration +# analytics to Grafana Labs. These statistics are sent to https://stats.grafana.org/ +# +# Statistics help us better understand how Loki is used, and they show us performance +# levels for most users. This helps us prioritize features and documentation. +# For more information on what's sent, look at +# https://github.com/grafana/loki/blob/main/pkg/analytics/stats.go +# Refer to the buildReport method to see what goes into a report. +# +# If you would like to disable reporting, uncomment the following lines: +analytics: + reporting_enabled: false + +distributor: + otlp_config: + default_resource_attributes_as_index_labels: + - cloud.availability_zone + - cloud.region + - container.name + - deployment.environment + - k8s.cluster.name + - k8s.container.name + - k8s.cronjob.name + - k8s.daemonset.name + - k8s.deployment.name + - k8s.job.name + - k8s.namespace.name + - k8s.pod.name + - k8s.replicaset.name + - k8s.statefulset.name + - service.instance.id + - service.name + - service.namespace diff --git a/terraform/hash-loki/loki.tf b/terraform/hash-loki/loki.tf new file mode 100644 index 0000000..1e09037 --- /dev/null +++ b/terraform/hash-loki/loki.tf @@ -0,0 +1,59 @@ +resource "docker_image" "loki" { + name = "grafana/loki:3.3.0" +} + +resource "docker_volume" "loki" { + name = "loki" +} + +resource "docker_container" "loki" { + image = docker_image.loki.image_id + name = "loki" + privileged = false + must_run = true + + command = [ + "-config.file=${local.container_config_dir}/loki-config.yaml" + ] + + network_mode = "bridge" + + networks_advanced { + name = data.docker_network.traefik.name + } + + networks_advanced { + name = data.docker_network.dn42.name + } + + dynamic "labels" { + for_each = [ + { label = "traefik.enable", value = "true" }, + { label = "traefik.docker.network", value = data.docker_network.traefik.name }, + { label = "traefik.http.routers.loki.rule", value = "Host(`loki.trygvis.io`)" }, + { label = "traefik.http.routers.loki.entrypoints", value = "websecure" }, + { label = "traefik.http.routers.loki.tls.certresolver", value = "linode" }, + ] + content { + label = labels.value["label"] + value = labels.value["value"] + } + } + + env = [ + ] + + mounts { + source = local.host_config_dir + target = local.container_config_dir + type = "bind" + read_only = false + } + + volumes { + volume_name = docker_volume.loki.name + container_path = "/loki" + read_only = false + } +} + diff --git a/terraform/hash-loki/main.tf b/terraform/hash-loki/main.tf new file mode 100644 index 0000000..7f00e45 --- /dev/null +++ b/terraform/hash-loki/main.tf @@ -0,0 +1,39 @@ +terraform { + required_providers { + docker = { + source = "kreuzwerker/docker" + version = "3.0.2" + } + postgresql = { + source = "cyrilgdn/postgresql" + version = "1.21.0" + } + random = { + source = "hashicorp/random" + version = "3.5.1" + } + sops = { + source = "lokkersp/sops" + version = "0.6.10" + } + } +} + +locals { + host = "hash.trygvis.io" + host_config_dir = "/etc/docker-service/loki" + container_config_dir = "/config" +} + +provider "docker" { + host = "ssh://${local.host}" +} + +data "docker_network" "traefik" { + name = "traefik" +} + +data "docker_network" "dn42" { + name = "dn42" +} + diff --git a/terraform/hash-loki/play-config.yml b/terraform/hash-loki/play-config.yml new file mode 100644 index 0000000..955524f --- /dev/null +++ b/terraform/hash-loki/play-config.yml @@ -0,0 +1,17 @@ +- hosts: hash + tasks: + - become: yes + name: mkdir /etc/docker-service/loki + file: + path: /etc/docker-service/loki + state: directory + + - become: yes + name: cp /etc/docker-service/loki/loki-config.yaml + register: config + copy: + src: loki-config.yaml + dest: /etc/docker-service/loki/loki-config.yaml + +# - shell: docker kill --signal HUP loki +# when: config.changed diff --git a/terraform/hash-loki/terragrunt.hcl b/terraform/hash-loki/terragrunt.hcl new file mode 100644 index 0000000..e147285 --- /dev/null +++ b/terraform/hash-loki/terragrunt.hcl @@ -0,0 +1,3 @@ +include "root" { + path = find_in_parent_folders() +} diff --git a/terraform/hash-prometheus/.terraform.lock.hcl b/terraform/hash-prometheus/.terraform.lock.hcl new file mode 100644 index 0000000..52de25e --- /dev/null +++ b/terraform/hash-prometheus/.terraform.lock.hcl @@ -0,0 +1,123 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/cyrilgdn/postgresql" { + version = "1.21.0" + constraints = "1.21.0" + hashes = [ + "h1:v7X6z6j8Uo07+QJPuO3EVM8N1uy6t2k+1GiRGioOPGc=", + "zh:17e3d204dabc116276c763bb0cd159aa315789d3b0bcd3b8aede935509960ab6", + "zh:1a7e5ac1921afdb3b12a49714c5f446a7604bfa1eb7bd9c123d607f8cbda45e4", + "zh:24a880623e30928ee866c84016b1db4e0458764c7a547b808e2d398e90456d42", + "zh:255c6162d35ace6a313a50c4ceb5452bd5582d7bb097a44e75ac4901e635ca13", + "zh:281ab48b69d0852b5138fe5ea2301ff7fdff30748f1f7878ac837c71622d3f7b", + "zh:3d4e0ae2809e743272e5d2640b64354c48140e225c2ba6f1a211700ea70e0754", + "zh:4f4df290e3ff626d8b274c624852d21d194a397a7f580ebe0cbf0ff64dd8fa31", + "zh:5997ce8f7cbcd7ff5a443d037b83857b17b64be928e9d9338dd494466733df60", + "zh:a05f0b65b0abf4488cdaf7b239206940940be77fd51f458f2a0986c6a17436aa", + "zh:aeb6c6da639abb6126f38be90a7bc428f925461bf599388ff092e059e0bb1a94", + "zh:d30bb053b6000c32cc8d03da231c30eaecddd926200adf2e9ad9c0186c2ad1ad", + "zh:d978827683b324c75141fa80ebc28dcaf181acd0be0a47b1e5f9579a72a08151", + "zh:f51fae9206361cbe865e30b06d106270d6acf7ece0550953b0d6b55afe6be9ba", + "zh:fa49a2702c529865c20f57185d6dd41072fdd9a13ac1a49e30eb88605c31af7a", + ] +} + +provider "registry.terraform.io/hashicorp/local" { + version = "2.5.2" + hashes = [ + "h1:JlMZD6nYqJ8sSrFfEAH0Vk/SL8WLZRmFaMUF9PJK5wM=", + "zh:136299545178ce281c56f36965bf91c35407c11897f7082b3b983d86cb79b511", + "zh:3b4486858aa9cb8163378722b642c57c529b6c64bfbfc9461d940a84cd66ebea", + "zh:4855ee628ead847741aa4f4fc9bed50cfdbf197f2912775dd9fe7bc43fa077c0", + "zh:4b8cd2583d1edcac4011caafe8afb7a95e8110a607a1d5fb87d921178074a69b", + "zh:52084ddaff8c8cd3f9e7bcb7ce4dc1eab00602912c96da43c29b4762dc376038", + "zh:71562d330d3f92d79b2952ffdda0dad167e952e46200c767dd30c6af8d7c0ed3", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:805f81ade06ff68fa8b908d31892eaed5c180ae031c77ad35f82cb7a74b97cf4", + "zh:8b6b3ebeaaa8e38dd04e56996abe80db9be6f4c1df75ac3cccc77642899bd464", + "zh:ad07750576b99248037b897de71113cc19b1a8d0bc235eb99173cc83d0de3b1b", + "zh:b9f1c3bfadb74068f5c205292badb0661e17ac05eb23bfe8bd809691e4583d0e", + "zh:cc4cbcd67414fefb111c1bf7ab0bc4beb8c0b553d01719ad17de9a047adff4d1", + ] +} + +provider "registry.terraform.io/hashicorp/null" { + version = "3.2.3" + hashes = [ + "h1:+AnORRgFbRO6qqcfaQyeX80W0eX3VmjadjnUFUJTiXo=", + "zh:22d062e5278d872fe7aed834f5577ba0a5afe34a3bdac2b81f828d8d3e6706d2", + "zh:23dead00493ad863729495dc212fd6c29b8293e707b055ce5ba21ee453ce552d", + "zh:28299accf21763ca1ca144d8f660688d7c2ad0b105b7202554ca60b02a3856d3", + "zh:55c9e8a9ac25a7652df8c51a8a9a422bd67d784061b1de2dc9fe6c3cb4e77f2f", + "zh:756586535d11698a216291c06b9ed8a5cc6a4ec43eee1ee09ecd5c6a9e297ac1", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:9d5eea62fdb587eeb96a8c4d782459f4e6b73baeece4d04b4a40e44faaee9301", + "zh:a6355f596a3fb8fc85c2fb054ab14e722991533f87f928e7169a486462c74670", + "zh:b5a65a789cff4ada58a5baffc76cb9767dc26ec6b45c00d2ec8b1b027f6db4ed", + "zh:db5ab669cf11d0e9f81dc380a6fdfcac437aea3d69109c7aef1a5426639d2d65", + "zh:de655d251c470197bcbb5ac45d289595295acb8f829f6c781d4a75c8c8b7c7dd", + "zh:f5c68199f2e6076bce92a12230434782bf768103a427e9bb9abee99b116af7b5", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "3.5.1" + constraints = "3.5.1" + hashes = [ + "h1:VSnd9ZIPyfKHOObuQCaKfnjIHRtR7qTw19Rz8tJxm+k=", + "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64", + "zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d", + "zh:4d2b219d09abf3b1bb4df93d399ed156cadd61f44ad3baf5cf2954df2fba0831", + "zh:6130bdde527587bbe2dcaa7150363e96dbc5250ea20154176d82bc69df5d4ce3", + "zh:6cc326cd4000f724d3086ee05587e7710f032f94fc9af35e96a386a1c6f2214f", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:b6d88e1d28cf2dfa24e9fdcc3efc77adcdc1c3c3b5c7ce503a423efbdd6de57b", + "zh:ba74c592622ecbcef9dc2a4d81ed321c4e44cddf7da799faa324da9bf52a22b2", + "zh:c7c5cde98fe4ef1143bd1b3ec5dc04baf0d4cc3ca2c5c7d40d17c0e9b2076865", + "zh:dac4bad52c940cd0dfc27893507c1e92393846b024c5a9db159a93c534a3da03", + "zh:de8febe2a2acd9ac454b844a4106ed295ae9520ef54dc8ed2faf29f12716b602", + "zh:eab0d0495e7e711cca367f7d4df6e322e6c562fc52151ec931176115b83ed014", + ] +} + +provider "registry.terraform.io/kreuzwerker/docker" { + version = "3.0.2" + constraints = "3.0.2" + hashes = [ + "h1:cT2ccWOtlfKYBUE60/v2/4Q6Stk1KYTNnhxSck+VPlU=", + "zh:15b0a2b2b563d8d40f62f83057d91acb02cd0096f207488d8b4298a59203d64f", + "zh:23d919de139f7cd5ebfd2ff1b94e6d9913f0977fcfc2ca02e1573be53e269f95", + "zh:38081b3fe317c7e9555b2aaad325ad3fa516a886d2dfa8605ae6a809c1072138", + "zh:4a9c5065b178082f79ad8160243369c185214d874ff5048556d48d3edd03c4da", + "zh:5438ef6afe057945f28bce43d76c4401254073de01a774760169ac1058830ac2", + "zh:60b7fadc287166e5c9873dfe53a7976d98244979e0ab66428ea0dea1ebf33e06", + "zh:61c5ec1cb94e4c4a4fb1e4a24576d5f39a955f09afb17dab982de62b70a9bdd1", + "zh:a38fe9016ace5f911ab00c88e64b156ebbbbfb72a51a44da3c13d442cd214710", + "zh:c2c4d2b1fd9ebb291c57f524b3bf9d0994ff3e815c0cd9c9bcb87166dc687005", + "zh:d567bb8ce483ab2cf0602e07eae57027a1a53994aba470fa76095912a505533d", + "zh:e83bf05ab6a19dd8c43547ce9a8a511f8c331a124d11ac64687c764ab9d5a792", + "zh:e90c934b5cd65516fbcc454c89a150bfa726e7cf1fe749790c7480bbeb19d387", + "zh:f05f167d2eaf913045d8e7b88c13757e3cf595dd5cd333057fdafc7c4b7fed62", + "zh:fcc9c1cea5ce85e8bcb593862e699a881bd36dffd29e2e367f82d15368659c3d", + ] +} + +provider "registry.terraform.io/lokkersp/sops" { + version = "0.6.10" + constraints = "0.6.10" + hashes = [ + "h1:atU8NIBxpNTWY+qBubvEOfjOn4K1aCDoq1iUFocgIHQ=", + "zh:0f053a26392a581b1f1ce6316cb7ed8ec4cc75e7f5f1cf7cfd45050b6b3c87ea", + "zh:207bb96c4471fce9aeb1b3c217d772692c3d865d294cf4d2501dad41de36a15e", + "zh:28506e8f1f3b9eaa95d99043440328044ee6340143535e5751538328a529d001", + "zh:3cae3bcea9e35fdc5b3f2af1b4580cd625c996448ad0c676c772260e46b25289", + "zh:3e44daaf82986c2b0028aeb17b867f3c68ed5dd8ac8625ba0406cf2a5fd3d92e", + "zh:457fb8ca2e677af24f9a4bdd8b613b1d7b604ad7133541657e5757c19268da71", + "zh:473d727c228f021a3df8cc8dcc6231ad7f90ed63f9e47c36b597d591e76228da", + "zh:48c4c1df39fd76ec8bd5fe9ac70cdc0927ac8be95582dbe46458b3442ce0fcd9", + "zh:728b19cb5c07e5e9d8b78fd94cc57d4c13582ecd24b7eb7c4cc2bf73b12fe4d1", + "zh:c51ed9af591779bb0910b82addeebb10f53428b994f8db653dd1dedcec60916c", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/terraform/hash-prometheus/backend.tf b/terraform/hash-prometheus/backend.tf new file mode 100644 index 0000000..d531b8d --- /dev/null +++ b/terraform/hash-prometheus/backend.tf @@ -0,0 +1,16 @@ +# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa +terraform { + required_version = "~> 1.9.5" + + backend "s3" { + bucket = "terraform-a6726272-73ff-11ed-8bdd-c79eb8376e05" + key = "hash-prometheus/terraform.tfstate" + skip_region_validation = true + skip_credentials_validation = true + skip_metadata_api_check = true + skip_requesting_account_id = true + skip_s3_checksum = true + region = "eu-central-1" + endpoints = { s3 : "https://eu-central-1.linodeobjects.com" } + } +} diff --git a/terraform/hash-prometheus/main.tf b/terraform/hash-prometheus/main.tf new file mode 100644 index 0000000..cbf843e --- /dev/null +++ b/terraform/hash-prometheus/main.tf @@ -0,0 +1,36 @@ +terraform { + required_providers { + docker = { + source = "kreuzwerker/docker" + version = "3.0.2" + } + postgresql = { + source = "cyrilgdn/postgresql" + version = "1.21.0" + } + random = { + source = "hashicorp/random" + version = "3.5.1" + } + sops = { + source = "lokkersp/sops" + version = "0.6.10" + } + } +} + +locals { + host = "hash.trygvis.io" +} + +provider "docker" { + host = "ssh://${local.host}" +} + +data "docker_network" "traefik" { + name = "traefik" +} + +data "docker_network" "dn42" { + name = "dn42" +} diff --git a/terraform/hash-prometheus/play-config.yml b/terraform/hash-prometheus/play-config.yml new file mode 100644 index 0000000..92ec3e6 --- /dev/null +++ b/terraform/hash-prometheus/play-config.yml @@ -0,0 +1,17 @@ +- hosts: hash + tasks: + - become: yes + name: mkdir /etc/docker-service/prometheus + file: + path: /etc/docker-service/prometheus + state: directory + + - become: yes + name: cp /etc/docker-service/prometheus/prometheus.yml + register: config + copy: + src: prometheus.yml + dest: /etc/docker-service/prometheus/prometheus.yml + + - shell: docker kill --signal HUP prometheus + when: config.changed diff --git a/terraform/hash-prometheus/prometheus.tf b/terraform/hash-prometheus/prometheus.tf new file mode 100644 index 0000000..09df3ee --- /dev/null +++ b/terraform/hash-prometheus/prometheus.tf @@ -0,0 +1,70 @@ +data "docker_registry_image" "prometheus" { + name = "prom/prometheus:v2.53.2" +} + +resource "docker_image" "prometheus" { + name = data.docker_registry_image.prometheus.name + pull_triggers = [data.docker_registry_image.prometheus.sha256_digest] +} + +resource "docker_volume" "prometheus" { + name = "prometheus" +} + +resource "docker_container" "prometheus" { + image = docker_image.prometheus.image_id + name = "prometheus" + must_run = true + + env = [ + ] + + command = [ +#"/bin/prometheus", + "--config.file=/etc/prometheus/prometheus.yml", + "--storage.tsdb.path=/prometheus", + "--web.console.libraries=/usr/share/prometheus/console_libraries", + "--web.console.templates=/usr/share/prometheus/consoles", + "--storage.tsdb.retention.time=100y", + ] + + networks_advanced { + name = data.docker_network.dn42.name + } + + # networks_advanced { + # name = data.docker_network.traefik.name + # } + + # dynamic "labels" { + # for_each = [ + # { label = "traefik.enable", value = "true" }, + # { label = "traefik.docker.network", value = data.docker_network.traefik.name }, + # { label = "traefik.http.routers.prometheus.rule", value = "Host(`prometheus.trygvis.io`)" }, + # { label = "traefik.http.routers.prometheus.entrypoints", value = "websecure" }, + # { label = "traefik.http.routers.prometheus.tls.certresolver", value = "linode" }, + # ] + # content { + # label = labels.value["label"] + # value = labels.value["value"] + # } + # } + + mounts { + source = local.path + target = "/etc/prometheus" + type = "bind" + read_only = false + } + + volumes { + volume_name = docker_volume.prometheus.name + read_only = false + container_path = "/prometheus" + } + +} + +locals { + path = "/etc/docker-service/prometheus" +} diff --git a/terraform/hash-prometheus/prometheus.yml b/terraform/hash-prometheus/prometheus.yml new file mode 100644 index 0000000..9c0ede7 --- /dev/null +++ b/terraform/hash-prometheus/prometheus.yml @@ -0,0 +1,91 @@ +global: + scrape_interval: 60s + +scrape_configs: + - job_name: node + scrape_interval: 30s + static_configs: + - targets: + - "conflatorio.dn42.trygvis.io:9100" + - "coregonus.dn42.trygvis.io:9100" + - "hash.dn42.trygvis.io:9100" + - "knot.dn42.trygvis.io:9100" + - "lhn2pi.dn42.trygvis.io:9100" + + - job_name: bird + scrape_interval: 30s + static_configs: + - targets: + - "coregonus.dn42.trygvis.io:9324" + - "hash.dn42.trygvis.io:9324" + - "knot.dn42.trygvis.io:9324" + - "lhn2pi.dn42.trygvis.io:9324" + + - job_name: libvirt + scrape_interval: 30s + static_configs: + - targets: + - "conflatorio.dn42.trygvis.io:9177" + - "hash.dn42.trygvis.io:9177" + + - job_name: snmp_kv24_ap + scrape_interval: 60s + static_configs: + - targets: + - "192.168.10.20" + - "192.168.10.21" + - "192.168.10.22" + - "192.168.10.23" + - "192.168.10.25" + - "192.168.10.26" + metrics_path: /snmp + params: + auth: [public_v2] + module: + - if_mib + - ubiquiti_unifi + relabel_configs: + - source_labels: [__address__] + target_label: __param_target + - source_labels: [__param_target] + target_label: instance + - target_label: __address__ + replacement: "coregonus.dn42.trygvis.io:9116" + + - job_name: snmp_kv24_sw + scrape_interval: 60s + static_configs: + - targets: + - "192.168.10.10" + - "192.168.10.11" + - "192.168.10.12" + metrics_path: /snmp + params: + auth: [public_v2] + module: + - if_mib + relabel_configs: + - source_labels: [__address__] + target_label: __param_target + - source_labels: [__param_target] + target_label: instance + - target_label: __address__ + replacement: "coregonus.dn42.trygvis.io:9116" + + - job_name: snmp_kv24_router + scrape_interval: 60s + static_configs: + - targets: + - "192.168.10.1" + metrics_path: /snmp + params: + auth: [public_v2] + module: + - if_mib + relabel_configs: + - source_labels: [__address__] + target_label: __param_target + - source_labels: [__param_target] + target_label: instance + - target_label: __address__ + replacement: "coregonus.dn42.trygvis.io:9116" diff --git a/terraform/hash-prometheus/terragrunt.hcl b/terraform/hash-prometheus/terragrunt.hcl new file mode 100644 index 0000000..e147285 --- /dev/null +++ b/terraform/hash-prometheus/terragrunt.hcl @@ -0,0 +1,3 @@ +include "root" { + path = find_in_parent_folders() +} diff --git a/terraform/ipam6/ipam6.tf b/terraform/ipam6/ipam6.tf new file mode 100644 index 0000000..eada854 --- /dev/null +++ b/terraform/ipam6/ipam6.tf @@ -0,0 +1,217 @@ +output "networks" { + value = { + bitraf_dn42 = { + range = "fdb1:4242:3538::/48" + address = "fdb1:4242:3538::" + prefix = "48" + hosts = { + } + } + tnet_dn42 = { + range = "fdb1:4242:3538:2000::/52" + address = "fdb1:4242:3538:2000::" + prefix = "52" + hosts = { + } + } + unused_2001 = { + range = "fdb1:4242:3538:2001::/64" + address = "fdb1:4242:3538:2001::" + prefix = "64" + hosts = { + } + } + node1_dn42 = { + range = "fdb1:4242:3538:2002::/64" + address = "fdb1:4242:3538:2002::" + prefix = "64" + hosts = { + node1 = { + address : "fdb1:4242:3538:2002::ffff" + prefix : "128" + } + } + } + node2_dn42 = { + range = "fdb1:4242:3538:2003::/64" + address = "fdb1:4242:3538:2003::" + prefix = "64" + hosts = { + node2 = { + address : "fdb1:4242:3538:2003::ffff" + prefix : "128" + } + } + } + knot_dn42 = { + range = "fdb1:4242:3538:2004::/64" + address = "fdb1:4242:3538:2004::" + prefix = "64" + hosts = { + knot = { + address : "fdb1:4242:3538:2004::ffff" + prefix : "128" + } + } + } + coregonus_dn42 = { + range = "fdb1:4242:3538:2005::/64" + address = "fdb1:4242:3538:2005::" + prefix = "64" + hosts = { + coregonus = { + address : "fdb1:4242:3538:2005::ffff" + prefix : "128" + } + } + } + coregonus_docker = { + range = "fdb1:4242:3538:2005:df01:676a:ec28:0a00/120" + address = "fdb1:4242:3538:2005:df01:676a:ec28:a00" + prefix = "120" + hosts = { + } + } + kv24_pub = { + range = "2a01:799:111d:1801::/64" + address = "2a01:799:111d:1801::" + prefix = "64" + hosts = { + ha-kv24 = { + address : "fdb1:4242:3538:2005:c534:9d54:8212:1ced" + prefix : "64" + } + } + } + kv24_dn42 = { + range = "fdb1:4242:3538:2006::/64" + address = "fdb1:4242:3538:2006::" + prefix = "64" + hosts = { + kv24ix = { + address : "fdb1:4242:3538:2006::ffff" + prefix : "128" + } + } + } + hash_dn42 = { + range = "fdb1:4242:3538:2007::/64" + address = "fdb1:4242:3538:2007::" + prefix = "64" + hosts = { + hash = { + address : "fdb1:4242:3538:2007::ffff" + prefix : "128" + } + } + } + hash_docker_dn42 = { + range = "fdb1:4242:3538:2007:1001::/112" + address = "fdb1:4242:3538:2007:1001::" + prefix = "112" + hosts = { + } + } + lhn2_dn42 = { + range = "fdb1:4242:3538:2008::/64" + address = "fdb1:4242:3538:2008::" + prefix = "64" + hosts = { + lhn2pi = { + address : "fdb1:4242:3538:2008::ffff" + prefix : "128" + } + lhn2-z2m = { + address : "fdb1:4242:3538:2008:9aed:e460:1711:7dd" + prefix : "128" + } + conflatorio = { + address : "fdb1:4242:3538:2008:8042:32ff:fe0c:7161" + prefix : "128" + } + danneri = { + address : "fdb1:4242:3538:2008:9422:d355:95b7:f170" + prefix : "128" + } + unifi = { + address : "fdb1:4242:3538:2008:5054:ff:fe4d:96c" + prefix : "128" + } + } + } + danneri_cluster = { + range = "fdb1:4242:3538:2008:aaaa:aaaa:aaaa::/112" + address = "fdb1:4242:3538:2008:aaaa:aaaa:aaaa:0" + prefix = "112" + hosts = { + } + } + danneri_service = { + range = "fdb1:4242:3538:2008:bbbb:bbbb:bbbb::/112" + address = "fdb1:4242:3538:2008:bbbb:bbbb:bbbb:0" + prefix = "112" + hosts = { + } + } + dn42 = { + range = "fd00::/8" + address = "fd00::" + prefix = "8" + hosts = { + } + } + } +} + +output "hosts" { + value = { + node1 = { + address : "fdb1:4242:3538:2002::ffff" + prefix : "128" + } + node2 = { + address : "fdb1:4242:3538:2003::ffff" + prefix : "128" + } + knot = { + address : "fdb1:4242:3538:2004::ffff" + prefix : "128" + } + coregonus = { + address : "fdb1:4242:3538:2005::ffff" + prefix : "128" + } + ha-kv24 = { + address : "fdb1:4242:3538:2005:c534:9d54:8212:1ced" + prefix : "64" + } + kv24ix = { + address : "fdb1:4242:3538:2006::ffff" + prefix : "128" + } + hash = { + address : "fdb1:4242:3538:2007::ffff" + prefix : "128" + } + lhn2pi = { + address : "fdb1:4242:3538:2008::ffff" + prefix : "128" + } + lhn2-z2m = { + address : "fdb1:4242:3538:2008:9aed:e460:1711:7dd" + prefix : "128" + } + conflatorio = { + address : "fdb1:4242:3538:2008:8042:32ff:fe0c:7161" + prefix : "128" + } + danneri = { + address : "fdb1:4242:3538:2008:9422:d355:95b7:f170" + prefix : "128" + } + unifi = { + address : "fdb1:4242:3538:2008:5054:ff:fe4d:96c" + prefix : "128" + } + } +} diff --git a/terraform/lhn2pi-zigbee2mqtt/.terraform.lock.hcl b/terraform/lhn2pi-zigbee2mqtt/.terraform.lock.hcl new file mode 100644 index 0000000..e61b376 --- /dev/null +++ b/terraform/lhn2pi-zigbee2mqtt/.terraform.lock.hcl @@ -0,0 +1,87 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/cyrilgdn/postgresql" { + version = "1.18.0" + constraints = "1.18.0" + hashes = [ + "h1:Nf26liFILUZXPh1P2B8T3qtq2Tc7objtm0sBSt0lhh0=", + "zh:251b609167ce25e974607c0c7dd3f90cfc45980c9068364f896e26c31416d96c", + "zh:317980d14a6a171f118bb522ffd02046e508d98100073f97671aeb2adae30d79", + "zh:3622c6414e91f8ccceed94ddf12062a22c14de4fac73c6142b009ae791ca7cd4", + "zh:36be2b338c230b0ab0c7b4c55049dba9bd8d705973c2cceaf3e293d41f520db5", + "zh:4332e83b91f60c43679ff9660c8ef4ebe251e05926a4d20dc64db1bfbabc8670", + "zh:444835840c917aff17f49f9f7b4ae542d5bd9f2ec306b581d1931b00380213bd", + "zh:5174bd85ea94ed4a6cef6c02bc27498f47ac21841fcab7487ab19d8513c97e54", + "zh:61c6eb6b2bf18cdc0734c101854e25990ba24a16580c6bbc599a0b00f72be397", + "zh:b40bbc61a4e522b22ebd57f01a518370a97cd6945e4bdd2955e5f887c88ee3f6", + "zh:d7aeb158c884f6590d6033cd44d5e9438f648bcb5ca3bd54573847c287845b00", + "zh:da3bee1282f6b48572d15f7a693113931afb306b98e29c09c9a054bdc3d6df44", + "zh:ec864a068eeab48899d99405f5606379478df8e48c005844d63a5360c23d5e15", + "zh:fda709d1cabde236b79c98c9abb80f2c1591fdea751afadc546073056be6e6ba", + "zh:ff08607ab25d1c5b55c3794b67a4ee2c9ac5023962c196ce587df34f0e201ca6", + ] +} + +provider "registry.terraform.io/kreuzwerker/docker" { + version = "3.0.2" + constraints = "3.0.2" + hashes = [ + "h1:cT2ccWOtlfKYBUE60/v2/4Q6Stk1KYTNnhxSck+VPlU=", + "zh:15b0a2b2b563d8d40f62f83057d91acb02cd0096f207488d8b4298a59203d64f", + "zh:23d919de139f7cd5ebfd2ff1b94e6d9913f0977fcfc2ca02e1573be53e269f95", + "zh:38081b3fe317c7e9555b2aaad325ad3fa516a886d2dfa8605ae6a809c1072138", + "zh:4a9c5065b178082f79ad8160243369c185214d874ff5048556d48d3edd03c4da", + "zh:5438ef6afe057945f28bce43d76c4401254073de01a774760169ac1058830ac2", + "zh:60b7fadc287166e5c9873dfe53a7976d98244979e0ab66428ea0dea1ebf33e06", + "zh:61c5ec1cb94e4c4a4fb1e4a24576d5f39a955f09afb17dab982de62b70a9bdd1", + "zh:a38fe9016ace5f911ab00c88e64b156ebbbbfb72a51a44da3c13d442cd214710", + "zh:c2c4d2b1fd9ebb291c57f524b3bf9d0994ff3e815c0cd9c9bcb87166dc687005", + "zh:d567bb8ce483ab2cf0602e07eae57027a1a53994aba470fa76095912a505533d", + "zh:e83bf05ab6a19dd8c43547ce9a8a511f8c331a124d11ac64687c764ab9d5a792", + "zh:e90c934b5cd65516fbcc454c89a150bfa726e7cf1fe749790c7480bbeb19d387", + "zh:f05f167d2eaf913045d8e7b88c13757e3cf595dd5cd333057fdafc7c4b7fed62", + "zh:fcc9c1cea5ce85e8bcb593862e699a881bd36dffd29e2e367f82d15368659c3d", + ] +} + +provider "registry.terraform.io/linode/linode" { + version = "1.30.0" + constraints = "1.30.0" + hashes = [ + "h1:rd4yQ7u3awn2kTqdKf5D67TTeo6rybYpDry/WwvolRA=", + "zh:197c61c5eb2252f65c18d2aa65cdc0511617b13e2388118f3fe063d7969dd7ad", + "zh:1a66470682acb13dc57308d5b1eaa19ff60c2404a3b15714e3072d02d569b1a5", + "zh:368cdcf17073a39687da830c02cf3ce50e0d8f03b7ec808b49561628be798abc", + "zh:42f2510a70afbb7fc8928df119d1e14ce1b61d2aded13b88072858ee5861feb2", + "zh:57734dd1e8255abd52a33ff79c20ef4efc3831850b22dd1a628e6301c3cf95c6", + "zh:61d614a7a4607bfc4ab6bfd0501007501957b973dbd028e0e513a3d4df07f12e", + "zh:79243f22fc0a9adfc1123abdd17c515f0ce4d8147302889033b6c44f6a48337e", + "zh:9f7cd46185bbe2c001dab1d0bd6c17a9740e7279d3fffe93755f2c964e267213", + "zh:9fdc9f8f47bde4140bc14cf082bbc2ceb63a3bebf0683df2fefd83c9e248274c", + "zh:aa1fd80a7ea245f8b852e40c68ccde2d8b6446e2138ebdec7425c67e82099881", + "zh:bb31f1ba5b0e001cf343d3a4cfafa70e6f3e30fd8a200d2cd7e077663efe0456", + "zh:da87881fa030287df2009028c49581e1fd0ff89baef0d8543b27ca506eff2971", + "zh:ed6afd7b1bc7237a9dff5c721ca3a5c7c505803cd5ea0b4ad0dfdf07ed6f9b0d", + "zh:ee653d5d08cb331ce2d8dc1010e68d363470ae87be62c0515e5d2418727cd02b", + ] +} + +provider "registry.terraform.io/lokkersp/sops" { + version = "0.6.10" + constraints = "0.6.10" + hashes = [ + "h1:atU8NIBxpNTWY+qBubvEOfjOn4K1aCDoq1iUFocgIHQ=", + "zh:0f053a26392a581b1f1ce6316cb7ed8ec4cc75e7f5f1cf7cfd45050b6b3c87ea", + "zh:207bb96c4471fce9aeb1b3c217d772692c3d865d294cf4d2501dad41de36a15e", + "zh:28506e8f1f3b9eaa95d99043440328044ee6340143535e5751538328a529d001", + "zh:3cae3bcea9e35fdc5b3f2af1b4580cd625c996448ad0c676c772260e46b25289", + "zh:3e44daaf82986c2b0028aeb17b867f3c68ed5dd8ac8625ba0406cf2a5fd3d92e", + "zh:457fb8ca2e677af24f9a4bdd8b613b1d7b604ad7133541657e5757c19268da71", + "zh:473d727c228f021a3df8cc8dcc6231ad7f90ed63f9e47c36b597d591e76228da", + "zh:48c4c1df39fd76ec8bd5fe9ac70cdc0927ac8be95582dbe46458b3442ce0fcd9", + "zh:728b19cb5c07e5e9d8b78fd94cc57d4c13582ecd24b7eb7c4cc2bf73b12fe4d1", + "zh:c51ed9af591779bb0910b82addeebb10f53428b994f8db653dd1dedcec60916c", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/terraform/lhn2pi-zigbee2mqtt/README.md b/terraform/lhn2pi-zigbee2mqtt/README.md new file mode 100644 index 0000000..2e6209c --- /dev/null +++ b/terraform/lhn2pi-zigbee2mqtt/README.md @@ -0,0 +1,15 @@ +This is not a docker container as the rest, but using podman as lhn2pi runs + +https://www.zigbee2mqtt.io/guide/installation/02_docker.html#rootless-container + +podman run \ + --name=zigbee2mqtt \ + --restart=unless-stopped \ + -p 8080:8080 \ + -v $(pwd)/data:/app/data \ + -v /run/udev:/run/udev:ro \ + --device=/dev/serial/by-id/usb-Texas_Instruments_TI_CC2531_USB_CDC___0X00124B0018ED3DDF-if00:/dev/ttyACM0 \ + --group-add keep-groups \ + -e TZ=Europe/Amsterdam \ + koenkk/zigbee2mqtt + diff --git a/terraform/lhn2pi-zigbee2mqtt/backend.tf b/terraform/lhn2pi-zigbee2mqtt/backend.tf new file mode 100644 index 0000000..7251725 --- /dev/null +++ b/terraform/lhn2pi-zigbee2mqtt/backend.tf @@ -0,0 +1,16 @@ +# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa +terraform { + required_version = "~> 1.9.5" + + backend "s3" { + bucket = "terraform-a6726272-73ff-11ed-8bdd-c79eb8376e05" + key = "lhn2pi-zigbee2mqtt/terraform.tfstate" + skip_region_validation = true + skip_credentials_validation = true + skip_metadata_api_check = true + skip_requesting_account_id = true + skip_s3_checksum = true + region = "eu-central-1" + endpoints = { s3 : "https://eu-central-1.linodeobjects.com" } + } +} diff --git a/terraform/lhn2pi-zigbee2mqtt/main.tf b/terraform/lhn2pi-zigbee2mqtt/main.tf new file mode 100644 index 0000000..4182db8 --- /dev/null +++ b/terraform/lhn2pi-zigbee2mqtt/main.tf @@ -0,0 +1,33 @@ +terraform { + required_providers { + docker = { + source = "kreuzwerker/docker" + version = "3.0.2" + } + linode = { + source = "linode/linode" + version = "1.30.0" + } + postgresql = { + source = "cyrilgdn/postgresql" + version = "1.18.0" + } + sops = { + source = "lokkersp/sops" + version = "0.6.10" + } + } +} + +provider "docker" { + host = "ssh://lhn2pi.dn42.trygvis.io" +} + +locals { + docker_image = "koenkk/zigbee2mqtt:1.42.0" + public_ip = module.ipam.hosts.lhn2-z2m.address +} + +module "ipam" { + source = "../ipam6" +} diff --git a/terraform/lhn2pi-zigbee2mqtt/terragrunt.hcl b/terraform/lhn2pi-zigbee2mqtt/terragrunt.hcl new file mode 100644 index 0000000..e147285 --- /dev/null +++ b/terraform/lhn2pi-zigbee2mqtt/terragrunt.hcl @@ -0,0 +1,3 @@ +include "root" { + path = find_in_parent_folders() +} diff --git a/terraform/lhn2pi-zigbee2mqtt/zigbee2mqtt.tf b/terraform/lhn2pi-zigbee2mqtt/zigbee2mqtt.tf new file mode 100644 index 0000000..1e3e1a9 --- /dev/null +++ b/terraform/lhn2pi-zigbee2mqtt/zigbee2mqtt.tf @@ -0,0 +1,44 @@ +data "docker_registry_image" "zigbee2mqtt" { + name = local.docker_image +} + +resource "docker_image" "zigbee2mqtt" { + name = data.docker_registry_image.zigbee2mqtt.name + pull_triggers = [data.docker_registry_image.zigbee2mqtt.sha256_digest] +} + +resource "docker_volume" "zigbee2mqtt" { + name = "zigbee2mqtt" +} + +resource "docker_container" "zigbee2mqtt" { + image = docker_image.zigbee2mqtt.image_id + name = "zigbee2mqtt" + hostname = "zigbee2mqtt" + # privileged = true + must_run = true + + network_mode = "host" + + ports { + internal = 8080 + external = 8080 + protocol = "tcp" + ip = local.public_ip + } + + volumes { + volume_name = docker_volume.zigbee2mqtt.name + read_only = false + container_path = "/app/data" + } + + env = [ + "TZ=Europe/Oslo", + ] + + devices { + host_path = "/dev/serial/by-id/usb-dresden_elektronik_ingenieurtechnik_GmbH_ConBee_II_DE2688076-if00" + container_path = "/dev/ttyACM0" + } +} diff --git a/terraform/telegraf/conflatorio/vault.yml b/terraform/telegraf/conflatorio/vault.yml index 90061a8..e380599 100644 --- a/terraform/telegraf/conflatorio/vault.yml +++ b/terraform/telegraf/conflatorio/vault.yml @@ -1,5 +1,4 @@ influx_token: ENC[AES256_GCM,data:48AbbP7v1QRvK7h73J6RYb1BBXsKdF+8YREXqtvPlEk3DFHoncmPIVWCH0G8it21BJtBsAupnJCPoa9IR7nJMWZMy/2NotmjeJuBD7LYY05BFEs4K5y+yw==,iv:RbWI8JWTg1LHqNUAEsx42rFp7IIntkz7PR6l/kCl7z8=,tag:lCpcfh7xQR+29RhWEkG1lA==,type:str] -config_url: ENC[AES256_GCM,data:tlhn8wfyD7EETkWGeeLEVOVQ3OS+PXnfWL6zXbuKYxz2I4EftRTAG9QAGCw2nb2VpTkBG4AE3kkLKLTiNWFBQsQ=,iv:V1pSBlTeE3zFBI29DtrzgAySHxhTS5jp8kuc7HtCKiI=,tag:Yo8vqUr9gohQYvuwqFkdFw==,type:str] sops: kms: [] gcp_kms: [] @@ -15,8 +14,8 @@ sops: Snd2V1FCL0hXUHA0R0FyUHBEUmNoeTAKK3uEAXKZetmJmn9vwleVzpfvIqyDMbuv FEYrJ4oBr+NykSfWqZSLB+y4DPTNyE2jhZ1vOK1u/CcxisaVa3o7+A== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-10-26T17:50:27Z" - mac: ENC[AES256_GCM,data:eFMCwmDaAvVaF1a45UQo/Z0lahAPVw5Mi7MH0m/UcVmvczad31gbPNuSZDAHyF+CWz4RmVCuqR0ukRBBXF5y18mVaTWC0zXhBaMsYIV3LR4CrdJ3wgmD5uY91X4un1aPJ/iR6T7w0wPfEaSnTR00n+f7tVhmyVfl6+9IwuUlcUo=,iv:Kme2RcQXWpYKPXfbzmK0JxbNyJqK1PEvLO6K4smWMLM=,tag:11nLZIVh7AYqhcO+1E6HmA==,type:str] + lastmodified: "2023-10-31T14:31:13Z" + mac: ENC[AES256_GCM,data:0KMb/2PdJybWd47RFIDn5bLaQzjKLATPDSgjmT7O79ErKvRu5gqt/or04kPcla1ToofNza1b1tH2nvJONTrIx8I/GCvy1nNa1sFfFa8cbb12em1SWwVIrqG8O2zEiQ9Wh2FW4x2wFRTinOEzwhAnum5OPD2K58fPWm6jFsG9fxY=,iv:SeCYnl/dngeAGOtTL3/qblrMXvRPPTfnhjoVSmbNGZA=,tag:t8grQyCkM0SWWFYWUomIJg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3 diff --git a/terraform/terragrunt.hcl b/terraform/terragrunt.hcl index e7e5f6a..8af2aca 100644 --- a/terraform/terragrunt.hcl +++ b/terraform/terragrunt.hcl @@ -1,16 +1,20 @@ generate "backend" { path = "backend.tf" if_exists = "overwrite_terragrunt" - contents = <<EOF + contents = <<EOF terraform { + required_version = "~> 1.9.5" + backend "s3" { bucket = "terraform-a6726272-73ff-11ed-8bdd-c79eb8376e05" key = "${path_relative_to_include()}/terraform.tfstate" skip_region_validation = true skip_credentials_validation = true skip_metadata_api_check = true + skip_requesting_account_id = true + skip_s3_checksum = true region = "eu-central-1" - endpoint = "eu-central-1.linodeobjects.com" + endpoints = { s3 : "https://eu-central-1.linodeobjects.com" } } } EOF diff --git a/terraform/unifi-controller/.terraform.lock.hcl b/terraform/unifi-controller/.terraform.lock.hcl index 9fa446f..e61b376 100644 --- a/terraform/unifi-controller/.terraform.lock.hcl +++ b/terraform/unifi-controller/.terraform.lock.hcl @@ -24,24 +24,24 @@ provider "registry.terraform.io/cyrilgdn/postgresql" { } provider "registry.terraform.io/kreuzwerker/docker" { - version = "3.0.1" - constraints = "3.0.1" + version = "3.0.2" + constraints = "3.0.2" hashes = [ - "h1:X2wZHQoG54NmtojeFcX0PSJPelaIejQRqyyI2h+LjWg=", - "zh:02f60126ca16b344092df3c315296bf1a216c3b2a68eddb3c89fdfa5ea826118", - "zh:0d2ee9624a54dbc10538b0c4e296348641b9bfba1354b3f872e43f7ec69a75f2", - "zh:473d7427da8c9efc231266abc7fdc27fca5f9ee0bdfcdb9914f0a2886e3e23b8", - "zh:5f0189bcd0c944c001098cb17a23efa79df8f0eec8644a64fe0e4200983ba5b7", - "zh:6200319c41d6baad3f46701a4028412f8ae2496e29fc4fef9584cc71da5fbbe6", - "zh:650be621f2216b1240f148eae8fcf80ec57c35925e2b212db7c23a70b9e67e06", - "zh:72fcfa6207251105066a34f0ec6d27ecc658b565e84fa946da376dd1afadd265", - "zh:92fc352a2090d3d380c7c8e8bbdf6f99d93a0182701056bb1d2dbfd5049e8ca6", - "zh:a7e2ef666c2a7eb5661b06cfbd7635cb9543524e7bf6a3851dcf6eacc9950cc4", - "zh:a8604595e61e8919c51a8656800c8c64557f9a2bc00309315895b380f2e9be19", - "zh:caf65603a84b749d8f3af2ee47b66f7e21d481f981e2e1d1d59838751c5e3be4", - "zh:dad40c4e57da284e7f57b5c0cc9dfac3cb27b01d2f2436fbe3464f0a2111b262", - "zh:dc1b173dbcba9d74879b16f36f6d9e97ef62fbd6fca8db79ec4fe4ec69c0e2f3", - "zh:e506d04677383b6d62bd69d42dc9005e27a45ccc2efc6e0de607e1f8445981d2", + "h1:cT2ccWOtlfKYBUE60/v2/4Q6Stk1KYTNnhxSck+VPlU=", + "zh:15b0a2b2b563d8d40f62f83057d91acb02cd0096f207488d8b4298a59203d64f", + "zh:23d919de139f7cd5ebfd2ff1b94e6d9913f0977fcfc2ca02e1573be53e269f95", + "zh:38081b3fe317c7e9555b2aaad325ad3fa516a886d2dfa8605ae6a809c1072138", + "zh:4a9c5065b178082f79ad8160243369c185214d874ff5048556d48d3edd03c4da", + "zh:5438ef6afe057945f28bce43d76c4401254073de01a774760169ac1058830ac2", + "zh:60b7fadc287166e5c9873dfe53a7976d98244979e0ab66428ea0dea1ebf33e06", + "zh:61c5ec1cb94e4c4a4fb1e4a24576d5f39a955f09afb17dab982de62b70a9bdd1", + "zh:a38fe9016ace5f911ab00c88e64b156ebbbbfb72a51a44da3c13d442cd214710", + "zh:c2c4d2b1fd9ebb291c57f524b3bf9d0994ff3e815c0cd9c9bcb87166dc687005", + "zh:d567bb8ce483ab2cf0602e07eae57027a1a53994aba470fa76095912a505533d", + "zh:e83bf05ab6a19dd8c43547ce9a8a511f8c331a124d11ac64687c764ab9d5a792", + "zh:e90c934b5cd65516fbcc454c89a150bfa726e7cf1fe749790c7480bbeb19d387", + "zh:f05f167d2eaf913045d8e7b88c13757e3cf595dd5cd333057fdafc7c4b7fed62", + "zh:fcc9c1cea5ce85e8bcb593862e699a881bd36dffd29e2e367f82d15368659c3d", ] } diff --git a/terraform/unifi-controller/backend.tf b/terraform/unifi-controller/backend.tf index 5f2d6d0..bebc5a5 100644 --- a/terraform/unifi-controller/backend.tf +++ b/terraform/unifi-controller/backend.tf @@ -1,12 +1,16 @@ # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa terraform { + required_version = "~> 1.9.5" + backend "s3" { bucket = "terraform-a6726272-73ff-11ed-8bdd-c79eb8376e05" key = "unifi-controller/terraform.tfstate" skip_region_validation = true skip_credentials_validation = true skip_metadata_api_check = true + skip_requesting_account_id = true + skip_s3_checksum = true region = "eu-central-1" - endpoint = "eu-central-1.linodeobjects.com" + endpoints = { s3 : "https://eu-central-1.linodeobjects.com" } } } diff --git a/terraform/unifi-controller/main.tf b/terraform/unifi-controller/main.tf index f5f7b0a..f93bc78 100644 --- a/terraform/unifi-controller/main.tf +++ b/terraform/unifi-controller/main.tf @@ -1,10 +1,8 @@ terraform { - required_version = "~> 1.3.5" - required_providers { docker = { source = "kreuzwerker/docker" - version = "3.0.1" + version = "3.0.2" } linode = { source = "linode/linode" @@ -22,14 +20,17 @@ terraform { } provider "docker" { - host = "ssh://conflatorio.vpn.trygvis.io" + host = "ssh://unifi.dn42.trygvis.io" } locals { domain_name = "unifi.vpn.trygvis.io" - docker_image_controller = "lscr.io/linuxserver/unifi-controller:8.0.24-mongoless" - docker_image_mongo = "mongo:7.0" + public_ip = module.ipam.hosts.unifi.address + +# docker_image_controller = "lscr.io/linuxserver/unifi-controller:8.0.24-mongoless" + docker_image_controller = "lscr.io/linuxserver/unifi-network-application:8.5.6-ls68" + docker_image_mongo = "mongo:7.0" mongo_database = "unifi" mongo_username = "unifi" @@ -40,3 +41,7 @@ data "sops_file_entry" "mongo_password" { source_file = "sops.yml" data_key = "mongo_password" } + +module "ipam" { + source = "../ipam6" +} diff --git a/terraform/unifi-controller/mongo.tf b/terraform/unifi-controller/mongo.tf index 98b4e36..f7c1950 100644 --- a/terraform/unifi-controller/mongo.tf +++ b/terraform/unifi-controller/mongo.tf @@ -1,6 +1,6 @@ -resource "docker_network" "unifi" { - name = "unifi" -} +# resource "docker_network" "unifi" { +# name = "unifi" +# } data "docker_registry_image" "mongo" { name = local.docker_image_mongo @@ -20,19 +20,22 @@ resource "docker_container" "unifi-mongo" { name = "unifi-mongo" hostname = "unifi-mongo" - networks_advanced { - name = docker_network.unifi.name - } +# networks_advanced { +# name = docker_network.unifi.name +# } + + network_mode = "host" volumes { volume_name = docker_volume.unifi-mongo.name + read_only = false container_path = "/data/db" } } output "mongo_init_js" { sensitive = true - value = <<-EOF + value = <<-EOF db.getSiblingDB("${local.mongo_database}"). createUser({ user: "${local.mongo_database}", diff --git a/terraform/unifi-controller/terragrunt.hcl b/terraform/unifi-controller/terragrunt.hcl index 5236c23..f378bf5 100644 --- a/terraform/unifi-controller/terragrunt.hcl +++ b/terraform/unifi-controller/terragrunt.hcl @@ -2,10 +2,6 @@ include "root" { path = find_in_parent_folders() } -dependency "docker" { - config_path = "../conflatorio-docker" -} - -# inputs = { -# vpc_id = dependency.docker.outputs.foo -# } +#dependency "ipam6" { +# config_path = "../ipam6" +#} diff --git a/terraform/unifi-controller/unifi.tf b/terraform/unifi-controller/unifi.tf index 8e6c7d7..4f1317f 100644 --- a/terraform/unifi-controller/unifi.tf +++ b/terraform/unifi-controller/unifi.tf @@ -1,34 +1,36 @@ -data "docker_network" "traefik" { - name = "traefik" -} +# data "docker_network" "traefik" { +# name = "traefik" +# } -data "docker_registry_image" "unifi-controller" { +data "docker_registry_image" "unifi-network-application" { name = local.docker_image_controller } -resource "docker_image" "unifi-controller" { - name = data.docker_registry_image.unifi-controller.name - pull_triggers = [data.docker_registry_image.unifi-controller.sha256_digest] +resource "docker_image" "unifi-network-application" { + name = data.docker_registry_image.unifi-network-application.name + pull_triggers = [data.docker_registry_image.unifi-network-application.sha256_digest] } -resource "docker_volume" "unifi-controller" { - name = "unifi-controller-new" +resource "docker_volume" "unifi-network-application" { + name = "unifi-network-application" } -resource "docker_container" "unifi-controller" { - image = docker_image.unifi-controller.image_id - name = "unifi-controller" - hostname = "unifi-controller" +resource "docker_container" "unifi-network-application" { + image = docker_image.unifi-network-application.image_id + name = "unifi-network-application" + hostname = "unifi-network-application" # privileged = true - # must_run = false + must_run = true - networks_advanced { - name = data.docker_network.traefik.name - } + network_mode = "host" - networks_advanced { - name = docker_network.unifi.name - } +# networks_advanced { +# name = data.docker_network.traefik.name +# } + +# networks_advanced { +# name = docker_network.unifi.name +# } dynamic "ports" { for_each = [ @@ -40,7 +42,8 @@ resource "docker_container" "unifi-controller" { { port = 8080, proto = "tcp" }, # Required for device communication # Public HTTP is handled by traefik - # { port = 8443, proto = "tcp" }, # Unifi web admin port + # Not anymore! + { port = 8443, proto = "tcp" }, # Unifi web admin port # Not used # { port = 8843, proto = "tcp" }, # Unifi guest portal HTTPS redirect port @@ -52,31 +55,32 @@ resource "docker_container" "unifi-controller" { internal = ports.value["port"] external = ports.value["port"] protocol = ports.value["proto"] - ip = "fdf3:aad9:a885:77dd::2" + ip = local.public_ip } } volumes { - volume_name = docker_volume.unifi-controller.name + volume_name = docker_volume.unifi-network-application.name + read_only = false container_path = "/config" } - dynamic "labels" { - for_each = [ - { label = "traefik.enable", value = "true" }, - { label = "traefik.http.routers.unifi-controller.rule", value = "Host(`${local.domain_name}`)" }, - { label = "traefik.http.routers.unifi-controller.entrypoints", value = "websecure" }, - { label = "traefik.http.routers.unifi-controller.tls.certresolver", value = "linode" }, - { label = "traefik.http.services.unifi-controller.loadbalancer.server.port", value = "8443" }, - { label = "traefik.http.services.unifi-controller.loadbalancer.server.scheme", value = "https" }, - { label = "traefik.docker.network", value = "traefik" }, - # { label = "traefik.http.services.unifi-controller.loadbalancer.passHostHeader", value = "false" }, - ] - content { - label = labels.value["label"] - value = labels.value["value"] - } - } +# dynamic "labels" { +# for_each = [ +# { label = "traefik.enable", value = "true" }, +# { label = "traefik.http.routers.unifi-network-application.rule", value = "Host(`${local.domain_name}`)" }, +# { label = "traefik.http.routers.unifi-network-application.entrypoints", value = "websecure" }, +# { label = "traefik.http.routers.unifi-network-application.tls.certresolver", value = "linode" }, +# { label = "traefik.http.services.unifi-network-application.loadbalancer.server.port", value = "8443" }, +# { label = "traefik.http.services.unifi-network-application.loadbalancer.server.scheme", value = "https" }, +# { label = "traefik.docker.network", value = "traefik" }, +# # { label = "traefik.http.services.unifi-network-application.loadbalancer.passHostHeader", value = "false" }, +# ] +# content { +# label = labels.value["label"] +# value = labels.value["value"] +# } +# } env = [ "PUID=1000", @@ -85,7 +89,8 @@ resource "docker_container" "unifi-controller" { "MEM_LIMIT=default", "MONGO_USER=${local.mongo_username}", "MONGO_PASS=${local.mongo_password}", - "MONGO_HOST=${docker_container.unifi-mongo.hostname}", + #"MONGO_HOST=${docker_container.unifi-mongo.hostname}", + "MONGO_HOST=localhost", "MONGO_PORT=27017", "MONGO_DBNAME=${local.mongo_database}", ] diff --git a/tnet/README.md b/tnet/README.md new file mode 100644 index 0000000..d65106e --- /dev/null +++ b/tnet/README.md @@ -0,0 +1,8 @@ +Generating link-local ULA address: + + echo fe80:$(uuid -v4|cut -c1-4):$(uuid -v4|cut -c1-4):$(uuid -v4|cut -c1-4):$(uuid -v4|cut -c1-4):$(uuid -v4|cut -c1-4):$(uuid -v4|cut -c1-4):$(uuid -v4|cut -c1-4) + +Generating Wireguard link keys: + + from=conflatorio to=knot; wg genkey | tee keys/wg-$from-$to.sops.key | wg pubkey > keys/wg-$from-$to.pub; sops -e -i keys/wg-$from-$to.sops.key + diff --git a/tnet/bird-deploy.yml b/tnet/bird-deploy.yml index ed7cecf..9759c01 100644 --- a/tnet/bird-deploy.yml +++ b/tnet/bird-deploy.yml @@ -1,9 +1,9 @@ - hosts: tnet_bird tasks: - become: yes - copy: - dest: "/etc/bird/{{ item }}" + template: src: "{{ inventory_hostname }}/{{ item }}" + dest: "/etc/bird/{{ item }}" owner: bird group: bird mode: 0640 @@ -23,4 +23,3 @@ systemd: name: bird state: reloaded - diff --git a/tnet/bird-gen-password.yml b/tnet/bird-gen-password.yml new file mode 100644 index 0000000..501c5ef --- /dev/null +++ b/tnet/bird-gen-password.yml @@ -0,0 +1 @@ +- tasks: diff --git a/tnet/bird-gen.yml b/tnet/bird-gen.yml index 9fa71b1..74a83b1 100644 --- a/tnet/bird-gen.yml +++ b/tnet/bird-gen.yml @@ -1,25 +1,16 @@ -- name: Remove old configuration - hosts: localhost - connection: local - gather_facts: False - tasks: - - file: - path: files - state: absent - changed_when: False - - name: Generate Bird configuration hosts: tnet_bird connection: local gather_facts: False tasks: - - file: + - name: rmdir files/$hostname + file: path: files/{{ inventory_hostname }} - state: directory + state: absent changed_when: False - template: src: "{{ item }}.j2" - dest: "files/{{ inventory_hostname }}/{{ item }}" + dest: "templates/{{ inventory_hostname }}/{{ item }}" loop: - bird-tnet-pre.conf - bird-tnet.conf diff --git a/tnet/files/akili/bird-tnet-pre.conf b/tnet/files/akili/bird-tnet-pre.conf deleted file mode 100644 index 7994dfe..0000000 --- a/tnet/files/akili/bird-tnet-pre.conf +++ /dev/null @@ -1,7 +0,0 @@ -define tnet = fdb1:4242:3538::/48; -define tnet_router = fdb1:4242:3538:ffff::/64; - -function is_tnet() # -> bool -{ - return net ~ tnet && ! (net ~ tnet_router); -} diff --git a/tnet/files/akili/bird-tnet.conf b/tnet/files/akili/bird-tnet.conf deleted file mode 100644 index f9b9d08..0000000 --- a/tnet/files/akili/bird-tnet.conf +++ /dev/null @@ -1,38 +0,0 @@ -template bgp tnet_tpl { - local as 4242423538; - neighbor internal; - - direct; - - password "trygvis"; - - ipv6 { - next hop self; - import filter { - if is_tnet() then { - print proto, ": import accept, net=", net, ", from=", from, ", gw=", gw; - accept; - } - print proto, ": import reject, reason=not tnet"; reject; - }; - # newer bird's only - # import keep filtered; - export filter { - if is_tnet() then { - print proto, ": export accept, net=", net, ", from=", from, ", gw=", gw; - accept; - } - print proto, ": export reject, reason=not tnet"; reject; - }; - }; -} - -protocol bgp tnet_hash from tnet_tpl { - neighbor fdb1:4242:3538:ffff:ca85:f812:3935:5fba; - interface "tnet-hash"; -} - -protocol bgp tnet_knot from tnet_tpl { - neighbor fdb1:4242:3538:ffff:59d7:cf77:8b5d:761a; - interface "tnet-knot"; -} diff --git a/tnet/files/astyanax/bird-tnet-pre.conf b/tnet/files/astyanax/bird-tnet-pre.conf deleted file mode 100644 index 7994dfe..0000000 --- a/tnet/files/astyanax/bird-tnet-pre.conf +++ /dev/null @@ -1,7 +0,0 @@ -define tnet = fdb1:4242:3538::/48; -define tnet_router = fdb1:4242:3538:ffff::/64; - -function is_tnet() # -> bool -{ - return net ~ tnet && ! (net ~ tnet_router); -} diff --git a/tnet/files/astyanax/bird-tnet.conf b/tnet/files/astyanax/bird-tnet.conf deleted file mode 100644 index d697e54..0000000 --- a/tnet/files/astyanax/bird-tnet.conf +++ /dev/null @@ -1,38 +0,0 @@ -template bgp tnet_tpl { - local as 4242423538; - neighbor internal; - - direct; - - password "trygvis"; - - ipv6 { - next hop self; - import filter { - if is_tnet() then { - print proto, ": import accept, net=", net, ", from=", from, ", gw=", gw; - accept; - } - print proto, ": import reject, reason=not tnet"; reject; - }; - # newer bird's only - # import keep filtered; - export filter { - if is_tnet() then { - print proto, ": export accept, net=", net, ", from=", from, ", gw=", gw; - accept; - } - print proto, ": export reject, reason=not tnet"; reject; - }; - }; -} - -protocol bgp tnet_hash from tnet_tpl { - neighbor fe80:a0fd:89e4:42c6:f617:7398:abf4:b516; - interface "tnet-hash"; -} - -protocol bgp tnet_knot from tnet_tpl { - neighbor fe80:6728:53fc:fc81:40b3:9beb:8336:ba56; - interface "tnet-knot"; -} diff --git a/tnet/files/hash/bird-tnet-pre.conf b/tnet/files/hash/bird-tnet-pre.conf deleted file mode 100644 index 7994dfe..0000000 --- a/tnet/files/hash/bird-tnet-pre.conf +++ /dev/null @@ -1,7 +0,0 @@ -define tnet = fdb1:4242:3538::/48; -define tnet_router = fdb1:4242:3538:ffff::/64; - -function is_tnet() # -> bool -{ - return net ~ tnet && ! (net ~ tnet_router); -} diff --git a/tnet/files/hash/bird-tnet.conf b/tnet/files/hash/bird-tnet.conf deleted file mode 100644 index 16ce2cc..0000000 --- a/tnet/files/hash/bird-tnet.conf +++ /dev/null @@ -1,56 +0,0 @@ -template bgp tnet_tpl { - local as 4242423538; - neighbor internal; - - direct; - - password "trygvis"; - - ipv6 { - next hop self; - import filter { - if is_tnet() then { - print proto, ": import accept, net=", net, ", from=", from, ", gw=", gw; - accept; - } - print proto, ": import reject, reason=not tnet"; reject; - }; - # newer bird's only - # import keep filtered; - export filter { - if is_tnet() then { - print proto, ": export accept, net=", net, ", from=", from, ", gw=", gw; - accept; - } - print proto, ": export reject, reason=not tnet"; reject; - }; - }; -} - -protocol bgp tnet_astyanax from tnet_tpl { - neighbor fe80:a0fd:89e4:42c6:f617:7398:abf4:b517; - interface "tnet-astyanax"; - - rr client; -} - -protocol bgp tnet_knot from tnet_tpl { - neighbor fe80:3b20:4cb0:5315:22a:c7de:a45b:8a7c; - interface "tnet-knot"; - - rr client; -} - -protocol bgp tnet_node1 from tnet_tpl { - neighbor fe80:a026:6ec2:b356:21c5:b51:22b9:a1df; - interface "tnet-node1"; - - rr client; -} - -protocol bgp tnet_node2 from tnet_tpl { - neighbor fe80:a7a6:c1a8:c261:232e:7d67:fc27:7c8d; - interface "tnet-node2"; - - rr client; -} diff --git a/tnet/files/knot/bird-tnet.conf b/tnet/files/knot/bird-tnet.conf deleted file mode 100644 index 66189e1..0000000 --- a/tnet/files/knot/bird-tnet.conf +++ /dev/null @@ -1,79 +0,0 @@ -template bgp tnet_tpl { - local as 4242423538; - neighbor internal; - - direct; - - password "trygvis"; - - ipv6 { - next hop self; - import filter { - if is_tnet() then { - print proto, ": import accept, net=", net, ", from=", from, ", gw=", gw; - accept; - } - print proto, ": import reject, reason=not tnet"; reject; - }; - # newer bird's only - # import keep filtered; - export filter { - if is_tnet() then { - print proto, ": export accept, net=", net, ", from=", from, ", gw=", gw; - accept; - } - print proto, ": export reject, reason=not tnet"; reject; - }; - }; -} - -protocol bgp tnet_hash from tnet_tpl { - neighbor fe80:3b20:4cb0:5315:22a:c7de:a45b:8a7d; - interface "tnet-hash"; - - rr client; -} - -protocol bgp tnet_node1 from tnet_tpl { - neighbor fe80:58eb:3930:1815:2a6d:8918:70c9:96f3; - interface "tnet-node1"; - - rr client; -} - -protocol bgp tnet_node2 from tnet_tpl { - neighbor fe80:9dd8:abac:cf05:aea3:dc03:4c74:32db; - interface "tnet-node2"; - - rr client; -} - -protocol bgp routedbits_lon1 { - local as 4242423538; - neighbor fe80::207; - neighbor as 4242420207; - interface "tnet-rtdbts_l1"; - - ipv6 { - import filter { - if dn42_is_valid_network() && !is_tnet() then { - # Check when unknown or invalid according to ROA - if (roa_check(dn42_roa, net, bgp_path.last) = ROA_VALID) then { - accept; - } else { - print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last; - reject; - } - } else { - reject; - } - }; - export filter { - if dn42_is_valid_network() && source ~ [RTS_STATIC, RTS_BGP] then { - accept; - } else { - reject; - } - }; - }; -} diff --git a/tnet/files/lhn2pi/bird-tnet-pre.conf b/tnet/files/lhn2pi/bird-tnet-pre.conf deleted file mode 100644 index 7994dfe..0000000 --- a/tnet/files/lhn2pi/bird-tnet-pre.conf +++ /dev/null @@ -1,7 +0,0 @@ -define tnet = fdb1:4242:3538::/48; -define tnet_router = fdb1:4242:3538:ffff::/64; - -function is_tnet() # -> bool -{ - return net ~ tnet && ! (net ~ tnet_router); -} diff --git a/tnet/files/lhn2pi/bird-tnet.conf b/tnet/files/lhn2pi/bird-tnet.conf deleted file mode 100644 index 864ad0b..0000000 --- a/tnet/files/lhn2pi/bird-tnet.conf +++ /dev/null @@ -1,38 +0,0 @@ -template bgp tnet_tpl { - local as 4242423538; - neighbor internal; - - direct; - - password "trygvis"; - - ipv6 { - next hop self; - import filter { - if is_tnet() then { - print proto, ": import accept, net=", net, ", from=", from, ", gw=", gw; - accept; - } - print proto, ": import reject, reason=not tnet"; reject; - }; - # newer bird's only - # import keep filtered; - export filter { - if is_tnet() then { - print proto, ": export accept, net=", net, ", from=", from, ", gw=", gw; - accept; - } - print proto, ": export reject, reason=not tnet"; reject; - }; - }; -} - -protocol bgp tnet_hash from tnet_tpl { - neighbor fe80:6195:1d43:9655:35f7:9dba:798c:26b8; - interface "tnet-hash"; -} - -protocol bgp tnet_knot from tnet_tpl { - neighbor fdb1:4242:3538:ffff:374e:2c7d:319e:e526; - interface "tnet-knot"; -} diff --git a/tnet/files/node1/bird-tnet-pre.conf b/tnet/files/node1/bird-tnet-pre.conf deleted file mode 100644 index 7994dfe..0000000 --- a/tnet/files/node1/bird-tnet-pre.conf +++ /dev/null @@ -1,7 +0,0 @@ -define tnet = fdb1:4242:3538::/48; -define tnet_router = fdb1:4242:3538:ffff::/64; - -function is_tnet() # -> bool -{ - return net ~ tnet && ! (net ~ tnet_router); -} diff --git a/tnet/files/node1/bird-tnet.conf b/tnet/files/node1/bird-tnet.conf deleted file mode 100644 index 88bd6f8..0000000 --- a/tnet/files/node1/bird-tnet.conf +++ /dev/null @@ -1,38 +0,0 @@ -template bgp tnet_tpl { - local as 4242423538; - neighbor internal; - - direct; - - password "trygvis"; - - ipv6 { - next hop self; - import filter { - if is_tnet() then { - print proto, ": import accept, net=", net, ", from=", from, ", gw=", gw; - accept; - } - print proto, ": import reject, reason=not tnet"; reject; - }; - # newer bird's only - # import keep filtered; - export filter { - if is_tnet() then { - print proto, ": export accept, net=", net, ", from=", from, ", gw=", gw; - accept; - } - print proto, ": export reject, reason=not tnet"; reject; - }; - }; -} - -protocol bgp tnet_hash from tnet_tpl { - neighbor fe80:a026:6ec2:b356:21c5:b51:22b9:a1de; - interface "tnet-hash"; -} - -protocol bgp tnet_knot from tnet_tpl { - neighbor fe80:58eb:3930:1815:2a6d:8918:70c9:96f2; - interface "tnet-knot"; -} diff --git a/tnet/files/node2/bird-tnet-pre.conf b/tnet/files/node2/bird-tnet-pre.conf deleted file mode 100644 index 7994dfe..0000000 --- a/tnet/files/node2/bird-tnet-pre.conf +++ /dev/null @@ -1,7 +0,0 @@ -define tnet = fdb1:4242:3538::/48; -define tnet_router = fdb1:4242:3538:ffff::/64; - -function is_tnet() # -> bool -{ - return net ~ tnet && ! (net ~ tnet_router); -} diff --git a/tnet/files/node2/bird-tnet.conf b/tnet/files/node2/bird-tnet.conf deleted file mode 100644 index 99dfc5e..0000000 --- a/tnet/files/node2/bird-tnet.conf +++ /dev/null @@ -1,38 +0,0 @@ -template bgp tnet_tpl { - local as 4242423538; - neighbor internal; - - direct; - - password "trygvis"; - - ipv6 { - next hop self; - import filter { - if is_tnet() then { - print proto, ": import accept, net=", net, ", from=", from, ", gw=", gw; - accept; - } - print proto, ": import reject, reason=not tnet"; reject; - }; - # newer bird's only - # import keep filtered; - export filter { - if is_tnet() then { - print proto, ": export accept, net=", net, ", from=", from, ", gw=", gw; - accept; - } - print proto, ": export reject, reason=not tnet"; reject; - }; - }; -} - -protocol bgp tnet_hash from tnet_tpl { - neighbor fe80:a7a6:c1a8:c261:232e:7d67:fc27:7c8c; - interface "tnet-hash"; -} - -protocol bgp tnet_knot from tnet_tpl { - neighbor fe80:9dd8:abac:cf05:aea3:dc03:4c74:32da; - interface "tnet-knot"; -} diff --git a/tnet/group_vars/all/bird.sops.yml b/tnet/group_vars/all/bird.sops.yml new file mode 100644 index 0000000..334634f --- /dev/null +++ b/tnet/group_vars/all/bird.sops.yml @@ -0,0 +1,46 @@ +bgp_password: + conflatorio-knot: ENC[AES256_GCM,data:PBE4TnHXDw==,iv:Kj6SnVvwsYUrKt0Vqd76j6IaxufLP0Rf+Bw3i1M/3tI=,tag:9jPWHiqqTHSG8BMQ/k4pEw==,type:str] + coregonus-knot: ENC[AES256_GCM,data:WgO2B0FQVQ==,iv:zhaCbX6M7fMMHr63KgIrOcpnI9dmPJLTOlXJVqYkFb0=,tag:Y2H+RjuPGBMUFJJFEeL5Yw==,type:str] + hash-knot: ENC[AES256_GCM,data:SI2yYLIepg==,iv:Icky8rMsLQj77zu5vdqCZBWoHiYlNbIwlAvD5m+DH7A=,tag:9PImx9SXYuusNhZeWVPV7g==,type:str] + knot-kv24ix: ENC[AES256_GCM,data:z7SG+zuQ7g==,iv:APPjOs+MH9c0xfxmGEMoAQq00i847jGdbpoSkgwbpY0=,tag:jkgb7PlAF/kb50+i+3WEGw==,type:str] + knot-lhn2pi: ENC[AES256_GCM,data:k/pQyjnQyA==,iv:oW9t8Pruu/k/qIG6uG8Ex61QHerYhU09Ns0AI8NKkJA=,tag:H0A4jr/hBcGTuKeNV2zB1Q==,type:str] + knot-node1: ENC[AES256_GCM,data:rY0x5yu9zw==,iv:TyyhW1IwtkcU2q2y6ACgEqNEqMJ64PyMQ/kkkyCJB8E=,tag:fepqIEhEbrNFUr9f1iOMAQ==,type:str] + knot-node2: ENC[AES256_GCM,data:EE/JkIj23g==,iv:Gv1kd+lOFPir3z0TTlRdeOMffCQreBA5HiCHHwOUu+M=,tag:hwmABQCkbvQ6kSVchUZ6+g==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age13wv3rp0varlg4nvt3tca48fq8u9q3mc6yfdekjeapcmc7kaq4dysrzcmv3 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxb2RRcHh2UVN0U0ljeFgr + VndTMkRRR0Fzd042R0F5RnZpelZRNmVIcG1jCklHMkFoVjBhb3NrMjB5c3dMcjYv + Zkw5c3hIeElQOW54WDJ6a1MySDc2bGMKLS0tIEt3TTdLVkx4UFRCOU5WcWxjbXky + b05uMC94dUtxWE1qWHRTbVlubWQ4N1UKcPsMrAWryuaHar6qF/JL40hMkhkGoVsv + fj1FGz2xoI1FOtnqU8/LCOZF7ncUjzJS0m2GxiA/WDRLeLSWAi84vg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1mvh832crygenu5tu5njtraraet656rzwnawuasjggvs999dc9ueqj9qclw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6MEJWVjF4cm04UU44bU9N + VEpmVnVDN1VIcm5RVk1VcThqNjFQQ3EzNkdjCnFGcVBMb0NiTzFSUm1qckkzRjNR + WEo1ai95L1B2bEpCYnB2blNyOFBwR0kKLS0tIFEyWlRZbUZWdnR0dzVCc0NraHpj + OUxUbWp4T1E2TTBTN0NRSDdKaXlJd2cKMwUjax16RyxnQRpxtZDjnrJx7CX06Z37 + T5GfLprSS4vXGfQkuJTDn7a/v8DfftOBL9ubclIet9cOD8YzIcAiZw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1teasctdpkatekpsa47q58d3ugwyyqcuj5v9udtusk7ca9sfv694sw057a5 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmZEdhUlBEV1FBeGhSNVNG + YkQ1dmlieWlVMmMvUERNTnJlcVpmV3lBa0JjCnBJUWJmUmp2d01ZdFRlR3M1ZUI0 + NHhnMmxYNmlHeFFGbjJnK0w4QU5HenMKLS0tIHd6aUk1NWR2SnFCMENzSGFES0hi + VzVzNmtJampuZ2tKQnU3Y3FTZFFhdkUKej0Hy9kOYDqg+8B+slMdGE2Krcvqr4uJ + X7GxDCdLV7sllK6OlHe2aQkXb16oT0iGG7N61LCzWBDOfx0hzdyFPA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-10-19T18:22:33Z" + mac: ENC[AES256_GCM,data:Gm09oBu15JksqrK3H1TabhshiOShqwZLYFon6aqd8MmNQU0ufItZARU2K32Gu09dmDerE5Kbrq5u5U4fJXDkFRVYcFktIlD5FcCN2DlG7pB9rbpMZEHUt89wMAX6uvFat+66PUbE56Cio3Hlv88sB98VIKSratK2E0mlFB0oqYY=,iv:QaG4djyDGv+bpSz3+q6BTWAZyuUtNSkdG79/HciQlVE=,tag:TZ/qUmvWadnHYW/B00oEmQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/tnet/host_vars/conflatorio/bird.yml b/tnet/host_vars/conflatorio/bird.yml new file mode 100644 index 0000000..a976306 --- /dev/null +++ b/tnet/host_vars/conflatorio/bird.yml @@ -0,0 +1,5 @@ +tnet_bird_peers: + hash: + knot: + +birdv: 2015 diff --git a/tnet/host_vars/conflatorio/wg.yml b/tnet/host_vars/conflatorio/wg.yml new file mode 100644 index 0000000..087441b --- /dev/null +++ b/tnet/host_vars/conflatorio/wg.yml @@ -0,0 +1,7 @@ +tnet_wg: + knot: + endpoint: knot.inamo.no:51010 + address: fe80:47fc:660:b91f:1063:a6ae:46bb:7588 + hash: + endpoint: hash.trygvis.io:51007 + address: fe80:4540:476c:d432:2f32:818b:811b:bb60 diff --git a/tnet/host_vars/coregonus/bird.yml b/tnet/host_vars/coregonus/bird.yml new file mode 100644 index 0000000..816b95a --- /dev/null +++ b/tnet/host_vars/coregonus/bird.yml @@ -0,0 +1,4 @@ +tnet_bird_peers: + knot: + +birdv: 2015 diff --git a/tnet/host_vars/coregonus/wg.yml b/tnet/host_vars/coregonus/wg.yml new file mode 100644 index 0000000..0d80a18 --- /dev/null +++ b/tnet/host_vars/coregonus/wg.yml @@ -0,0 +1,5 @@ +tnet_wg: + knot: + endpoint: knot.inamo.no:51011 + address: fe80:ba82:77f0:f96d:7a85:a7fa:ef6f:37d3 + diff --git a/tnet/host_vars/hash/bird.yml b/tnet/host_vars/hash/bird.yml index 17cb4cd..2b4bb51 100644 --- a/tnet/host_vars/hash/bird.yml +++ b/tnet/host_vars/hash/bird.yml @@ -1,8 +1,11 @@ tnet_bird_peers: - astyanax: + conflatorio: rr_client: true + interface: tnet-confltrio knot: rr_client: true + lhn2pi: + rr_client: true node1: rr_client: true node2: diff --git a/tnet/host_vars/hash/wg.yml b/tnet/host_vars/hash/wg.yml index c7d9363..5754f57 100644 --- a/tnet/host_vars/hash/wg.yml +++ b/tnet/host_vars/hash/wg.yml @@ -19,3 +19,7 @@ tnet_wg: node2: port: 51006 address: fe80:a7a6:c1a8:c261:232e:7d67:fc27:7c8c + conflatorio: + if_name: confltrio + port: 51007 + address: fe80:4540:476c:d432:2f32:818b:811b:bb61 diff --git a/tnet/host_vars/knot/bird.yml b/tnet/host_vars/knot/bird.yml index b79e9e2..94c610a 100644 --- a/tnet/host_vars/knot/bird.yml +++ b/tnet/host_vars/knot/bird.yml @@ -1,12 +1,23 @@ tnet_bird_peers: + conflatorio: + rr_client: true + interface: tnet-confltrio + coregonus: + rr_client: true hash: rr_client: true + kv24ix: + rr_client: true node1: rr_client: true node2: rr_client: true + lhn2pi: + rr_client: true routedbits_lon1: policy: dn42 as: 4242420207 address: fe80::207 interface: tnet-rtdbts_l1 + +birdv: 2015 diff --git a/tnet/host_vars/knot/wg.yml b/tnet/host_vars/knot/wg.yml index 8a92e53..9ad867e 100644 --- a/tnet/host_vars/knot/wg.yml +++ b/tnet/host_vars/knot/wg.yml @@ -9,14 +9,13 @@ tnet_wg: address: fdb1:4242:3538:ffff:18b7:d3ec:5608:db9a kv24ix: port: 51003 - address: fdb1:4242:3538:ffff:ea4:11cb:863:5252 + address: fe80:fef1:078a:5b64:efd3:ae7b:d286:d7ce akili: port: 51004 address: fdb1:4242:3538:ffff:59d7:cf77:8b5d:761a lhn2pi: port: 51005 - #address: fe80:440a:607e:b685:c955:93ae:29f8:dcd8 - address: fdb1:4242:3538:ffff:374e:2c7d:319e:e526 + address: fe80:d83a:350b:2162:6eda:1cc1:9cd7:80e8 astyanax: port: 51006 address: fe80:6728:53fc:fc81:40b3:9beb:8336:ba56 @@ -28,7 +27,13 @@ tnet_wg: address: fe80:9dd8:abac:cf05:aea3:dc03:4c74:32da rtdbts_l1: port: 51009 - # address: fe80:fc91:da95:dc6b:621b:7ccf:ff44:c42c address: fe80::621b:7ccf:ff44:c42c - # address: fe80:fc91:da95:dc6b:621b:7ccf:ff44:c42c/64 endpoint: router.lon1.routedbits.com:53538 + conflatorio: + if_name: confltrio + port: 51010 + address: fe80:47fc:0660:b91f:1063:a6ae:46bb:7589 + coregonus: + if_name: coregonus + port: 51011 + address: fe80:ba82:77f0:f96d:7a85:a7fa:ef6f:37d2 diff --git a/tnet/host_vars/kv24ix/wg.yml b/tnet/host_vars/kv24ix/wg.yml index 9cfdc5d..99c54b6 100644 --- a/tnet/host_vars/kv24ix/wg.yml +++ b/tnet/host_vars/kv24ix/wg.yml @@ -1,2 +1,3 @@ tnet_wg: knot: + address: fe80:fef1:078a:5b64:efd3:ae7b:d286:d7cf diff --git a/tnet/host_vars/lhn2pi/bird.yml b/tnet/host_vars/lhn2pi/bird.yml index b59526c..564c993 100644 --- a/tnet/host_vars/lhn2pi/bird.yml +++ b/tnet/host_vars/lhn2pi/bird.yml @@ -1,3 +1,5 @@ tnet_bird_peers: hash: knot: + +birdv: 2008 diff --git a/tnet/host_vars/lhn2pi/wg.yml b/tnet/host_vars/lhn2pi/wg.yml index f9e741f..c94745c 100644 --- a/tnet/host_vars/lhn2pi/wg.yml +++ b/tnet/host_vars/lhn2pi/wg.yml @@ -1,8 +1,7 @@ tnet_wg: knot: endpoint: knot.inamo.no:51005 - #address: fe80:440a:607e:b685:c955:93ae:29f8:dcd9 - address: fdb1:4242:3538:ffff:374e:2c7d:319e:e527 + address: fe80:d83a:350b:2162:6eda:1cc1:9cd7:80e9 hash: endpoint: hash.trygvis.io:51003 address: fe80:6195:1d43:9655:35f7:9dba:798c:26b9 diff --git a/tnet/keys/wg-conflatorio-hash.pub b/tnet/keys/wg-conflatorio-hash.pub new file mode 100644 index 0000000..8a27ee5 --- /dev/null +++ b/tnet/keys/wg-conflatorio-hash.pub @@ -0,0 +1 @@ +9o91CH8mx6OhTYer+gTMzwEfp94O4dSEOFuEKy/B+Ew= diff --git a/tnet/keys/wg-conflatorio-hash.sops.key b/tnet/keys/wg-conflatorio-hash.sops.key new file mode 100644 index 0000000..8c17e7c --- /dev/null +++ b/tnet/keys/wg-conflatorio-hash.sops.key @@ -0,0 +1,28 @@ +{ + "data": "ENC[AES256_GCM,data:4wFMiJhThT4ORoE/AdIRiN9EHr5NbSwysfhWCJxsLN6o7W3cMPA15E6ABnzk,iv:ib383CRTa7gCsC+RYAaJYV6TN8WMAPDJlQmlA2yUVow=,tag:LhhzRZGgYyviy7UTEeJbaQ==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age13wv3rp0varlg4nvt3tca48fq8u9q3mc6yfdekjeapcmc7kaq4dysrzcmv3", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaMDhIREx3emlWdUgvQ0RW\nRnEvV0g4OWJkMmVSSHZaNzRLQTkvS1R0d1JnCk8xM0hMbWdEWlVhRklLeTNJYk9i\ncGtOL0huM29aU3dSNG92elJlV0k4ZncKLS0tIDVGcDBLbTI5Y1lUeFFJeGMrMm80\nQlFoTjRiVEh6UndoMHkvS3ptN3ZYc0EKfjcibzyYgYbZDTkz5g+FyxFFIFlU5LLL\nWGtyCal+2zl+h3z3vn4WUyHcj6BTqe3ks2zeyYWwiNuoTb1tSzj94Q==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1mvh832crygenu5tu5njtraraet656rzwnawuasjggvs999dc9ueqj9qclw", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzaFIwSDg0ZFNPZXdNOUxh\nSGdqYk1CaUpmVGg3YW1waTJFaUNtUHloTGtvClAxdmJnK1FLNStKdzBNTXo0TEpL\nbTZhcTVMR202QXBkV2VTcDJ6Z2Fqak0KLS0tIG9hb2M0b1NaRWMwaGl3UXZKWTU0\nN0lyM0dudDJsSm9HRzlxempMWEdlcncK4OG+Qrsn06Dl+wxk6SCg5dULZvZpDemE\n+MT6qbu74mgcS07PuzrCguueCC5mNBsjy8WanPQDRnzWqX+DzBxeDQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1teasctdpkatekpsa47q58d3ugwyyqcuj5v9udtusk7ca9sfv694sw057a5", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnMVp2SGdMTWFVd2U0MjVq\ndksvVFJvYUp3U2RyZHhOSERxNXZtSTBpSW5jClJWTkt0QmF1RU9hRExJb0wyNGxt\nK2ZzTnpOcU1BcElXT2wxd1o1R1VyTHcKLS0tIEJqOUVwY0h3VWxrc3F5aHluTHJJ\nckNlVzJJMHJkRXZPbER6ZXg5Z2xVa0kKByXn7yYIHY8Ckhr83tBYv062UDyBOYMS\nJ+dfYZ0ouT58l5CyatLURhyEDohAvQI95eKsIM1KkPgpzvV97Uq31Q==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-08-11T19:04:11Z", + "mac": "ENC[AES256_GCM,data:TroGIp1ZphoyDZXYxPbMpnCbq8i3v4eaT/8jlPnlFbCcHWqId2Tp2sBLlwuaq3E+vhvmN1K7ndbevCUhWmJW4oyWiEWXGUC3TUtVwc2nw3En/jsXFX9Yp7opF+a3iR+NLCbGTxm2CcQPoxuayAUIIp78ITB61SSF9QzIuAAhmcw=,iv:E3yB6yF3TDN8WPP+Kq78bK36Qw70Oz4Hl9lc7vhstnM=,tag:94udYmA1spcHcZMzylNA0w==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.7.3" + } +}
\ No newline at end of file diff --git a/tnet/keys/wg-conflatorio-knot.pub b/tnet/keys/wg-conflatorio-knot.pub new file mode 100644 index 0000000..053a7d6 --- /dev/null +++ b/tnet/keys/wg-conflatorio-knot.pub @@ -0,0 +1 @@ +T6Gst6C4i8c1JDEdlWL4EMnkabEjUBfj9Ii6RiLU30c= diff --git a/tnet/keys/wg-conflatorio-knot.sops.key b/tnet/keys/wg-conflatorio-knot.sops.key new file mode 100644 index 0000000..973726d --- /dev/null +++ b/tnet/keys/wg-conflatorio-knot.sops.key @@ -0,0 +1,28 @@ +{ + "data": "ENC[AES256_GCM,data:X2V545B0R61+kZty3UEsBH83JytzpPCLMLpvgbct8+818EItkbhCiowJj01t,iv:ADEd0FZUSQPWuza8lL5Ld12j3nRfrewNxjMqwOfwA0Q=,tag:t/2Yg8XxOpCovgRn6zwztA==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age13wv3rp0varlg4nvt3tca48fq8u9q3mc6yfdekjeapcmc7kaq4dysrzcmv3", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvTTdzekJDdEhuKzhEUitG\nSU5qYVI3TURHTXUySk5Xenowc2FpczFDM3lJClI0L1huRVhGWjB3N0ZzQ2VoNEI1\nWVJtRCtJWmkyb0c5M2RVeS9IaytmU0EKLS0tIHdUNExJTGhqckVvSzhhTFFFTDhE\nQXY4NzlwM0FJbW41RFlRTXZIcnlBZ00KFN8m0pMUkNUoaUGTforKg4VMDL0qbs/J\nsPVXbJf9n+GTEn7qeqOvMDHW9hj5s8zQOyeNNt8k1PkmNjHbxNNolw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1mvh832crygenu5tu5njtraraet656rzwnawuasjggvs999dc9ueqj9qclw", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RjNEdWQ5dnlzY2dubU5a\nTVN0ZFhOd2RrcGVrYjRKZzRBRVk5dHVSdDI4ClgyS1ZJUDVYQ2MzN2haWEZ4VTJj\nem5jYWdnYmpWMWhjREdBcHltTWV5YmsKLS0tIG5yVkt3em8weUVZTzY4N2JBOFo2\neUQ0M1JCL2RXTTlCc1RxakpjQzBXZDAKa+gNtS/eL3rdNp7Jl52EHcVfBzdVcezL\n8VawKcdVaFU8pXi2wSRjSJlVf4jESjTFC9dip3hAxM7R/V9M/SxXkg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1teasctdpkatekpsa47q58d3ugwyyqcuj5v9udtusk7ca9sfv694sw057a5", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpdlNaM2RPYWZMMDh4V1Ew\nMkRIM2dTNktpYUxPWC9jcFFYeHcraTV1b2tvCk11RVZxMkdvd21ORWlXKzdrUm5w\nYUdZVTB2dmk3ZjFiaUlzdG54dmJpMDgKLS0tIDJwYWFGQmp2YXh6Z1BUMGdkWFNR\nemcwUHp1MjRobjh4ZEkyZjRzWDBFaGcK1EIKbWoR7dBHy/r0o2V9VxYaN9XJx5x4\n1fLZALfTA5C3kJgcuJbzhNUqvIwcKJ0LXpENidEHbAuZBTDzl0lYTQ==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-08-11T19:04:13Z", + "mac": "ENC[AES256_GCM,data:czGSSuK2RW0cIeJ4WRyu87EINudH8/tlwAxuALcTuvMWnzJ2B4kap9BAesCOw5FuZHzc4dGulmzrVbbH1pBg8REaWvy7989ELvNDFLyFqOc54XPfDuDMjT6D2SGw+2y6mB3kg0r1ajd3SASfhvc1q/8K1R2NZiO5xSG1ybbqlUM=,iv:VJVsV+xpL0gvXnlZjpZeljtqcJgLXl/+Rtkj0iBmBQ0=,tag:cqEbeEp4uc/vTjNaASnkDQ==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.7.3" + } +}
\ No newline at end of file diff --git a/tnet/keys/wg-coregonus-knot.pub b/tnet/keys/wg-coregonus-knot.pub new file mode 100644 index 0000000..181fd56 --- /dev/null +++ b/tnet/keys/wg-coregonus-knot.pub @@ -0,0 +1 @@ +uOqXlYKRgwBXVKPAaPn2fx4YtMHCH5M2qQ3hs/tZwms= diff --git a/tnet/keys/wg-coregonus-knot.sops.key b/tnet/keys/wg-coregonus-knot.sops.key new file mode 100644 index 0000000..b3c6239 --- /dev/null +++ b/tnet/keys/wg-coregonus-knot.sops.key @@ -0,0 +1,28 @@ +{ + "data": "ENC[AES256_GCM,data:aPPYaRDzczKgMZxWKJXE5X7JC0pQxs9W0d3UZjY8QYLhxmxk8L+RpX6zWscR,iv:CE+JgwUMdkbFDrkk53ow77ehm3GEmeJFnVM5jbWXZIY=,tag:mlnV5SNhIOnU/+TnOWiU0g==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age13wv3rp0varlg4nvt3tca48fq8u9q3mc6yfdekjeapcmc7kaq4dysrzcmv3", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMWml3V0dCRStJY0RsUEN5\nSVhya1dXYW5GQ0R1a1h3NVJMV09LbVV1eXhNCmFMS2JYVzVPbS95TmwxWG04emtO\nd3B5QUtxWGVaWTlpUDN4ZVErZ1BqcEEKLS0tIE9iTjJaN0RaZjJQeG5Zd1Z5Ylp1\nYkwxS0JqVzNLNHBkSjM0b2owcURZN1UKj5i3uMAwhcqM/vB6faF2vq3ndEYGEOAn\nH1m4LdRj0b03BOtz5vz5oeF+nW3e8rGwhq84N7UFdI4W+9w3ZCI2AQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1mvh832crygenu5tu5njtraraet656rzwnawuasjggvs999dc9ueqj9qclw", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMVGdPaERQRWNodnpmOUFM\nWG1QSGhJUmoyamplMFFsK3krNzd4ZHVvdlY0Cit3UHNzNUVIVWlZakNsTUFNVlA1\neE9rNTliWmZ0a295UVJZUXo3dk9WTkkKLS0tIDE2SjE1bXFVdno5NkwwQk15UGZY\nczBPTTUwdTBJT0laWWJsWmJmNDFuUG8KRlCmMio144qdPuPXuxc2AEHhdUxbJT8W\nDp7Atk0G57V57tX/zk1RaXjp+ORStvwpgDAdCwmikt1PW78Y6x77tQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1teasctdpkatekpsa47q58d3ugwyyqcuj5v9udtusk7ca9sfv694sw057a5", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpYWlHRUVTV1RreFExcDBj\nYmI3OTBpRnEwd0FBTDdPTHI1OVhRYmlZMGdFCjlHTWJPY0lSRVhPSTQyNEgxYkMy\nY3ljMnhKeURSL2JwcDd3dmlubW15bFEKLS0tIEZHUG9NUmNnUlh2NjlTd1RsYytR\nVDI0OVhZeGhyWFVFcU9URE1NRXpnR00KUO2W8ab2RehPhEAjFlOXWrr2rn55gBR5\neSvOtAPEEV1lWO+O0r3jOFpnUI/ahgPeBhMoLFOdionm3GPrYzf8aQ==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-08-20T22:51:59Z", + "mac": "ENC[AES256_GCM,data:4haVcOm18uCW8LK06wURyf32qr9ZXnjc6feJHf4T85C0COrmZ7AmxUZKt5Mi9YoPO7dTMpjcvnxhEVEP4x6/wBc3SB5RpRSWU25GZ4/ofnqR/xBH0R1edirQtuhsDJeR3rYnTYeMjRltf9zpZknED907GRmmddaO15xsWtU8/t8=,iv:wXMIQRj4mV7SNnUqC3XVM/8mEhbPMwL1Z4/LrIBqpcs=,tag:i6CSlmj2449GgMqosa8e0A==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.7.3" + } +}
\ No newline at end of file diff --git a/tnet/keys/wg-hash-conflatorio.pub b/tnet/keys/wg-hash-conflatorio.pub new file mode 100644 index 0000000..bf16a1c --- /dev/null +++ b/tnet/keys/wg-hash-conflatorio.pub @@ -0,0 +1 @@ +oGEr7UWht1fUQ92hRu5r9SdRPfqj462behU34s6500o= diff --git a/tnet/keys/wg-hash-conflatorio.sops.key b/tnet/keys/wg-hash-conflatorio.sops.key new file mode 100644 index 0000000..c78eebc --- /dev/null +++ b/tnet/keys/wg-hash-conflatorio.sops.key @@ -0,0 +1,28 @@ +{ + "data": "ENC[AES256_GCM,data:LLC57pLBVZNEOTDdSEF4JgjGS8nLm/ef4ds71IFRJOX5tnnC9D/0hgbjdncF,iv:OU8/eGbM0axRajBOplvycs5rr100QPMv4RXYTv5NJMs=,tag:7IH46V36BbbhvCs5ze4UJQ==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age13wv3rp0varlg4nvt3tca48fq8u9q3mc6yfdekjeapcmc7kaq4dysrzcmv3", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEdjRCWlQ5OVI0cTkwL3Ey\nWG5tYUdNSks1UkpROU0wVUVVMlhwWEdweXpvCmFQYTE2bkZlV1BlZXg2d3pia0Jr\nVFhQVElXUjJCVGRXS2R4aEhBdzFBNU0KLS0tIEUzaHQxbzQ4aml0VHBaU0MyMjhJ\ncHo4L0doL1NKa0VOc21PanhhdUh2UGcKetAIpPpINd6UgrHYvTh/o5w4DlTlNY2c\n94zKEsWGShRZDOJ2EWiYR+47+OLTZjRKpt/oyXBhnyTa4gBSsNwHHg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1mvh832crygenu5tu5njtraraet656rzwnawuasjggvs999dc9ueqj9qclw", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCeTBwdU9iOGhaWThqOVN2\ndG1qUW43eW83NS9sQ0ExbnlIY0s3TlVQdlJJClJHeDloOTk2WFBPNitZQ3BXaFR0\nNVNCTncyV0RqVFJ4S2ZGWUt0RThHYWsKLS0tIDBxaVBXNjdlTXRsYlN5aWhnQkJ5\nd3pyS3preFRBWVF1eUE3eUYrZ2F6aDQKU447p1FB1bX98Ni3oQnhkRdM1al0ySvk\nSeApyf3gKO5BhtQkQKuMF2lRGQEJ8Vh4H0mxf8cTspCn4rld0T2P7w==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1teasctdpkatekpsa47q58d3ugwyyqcuj5v9udtusk7ca9sfv694sw057a5", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXMjYwbHpkT0xWTDhzd3ZD\nRko0NXlZU1MwcmhCdGtCdFJ5SnAvVU1VK244CkY5VWRDVFhZUUdzMFpFR00vMlRv\nNmxUYjg2azcrRnBkQ09BVXlxeTYzRkkKLS0tIGljOTFnMll2RE1TWmpvMld2RWxu\nU2d0d2xwbWtZa3NoSUlXc3pnSHMraDQKYc02UngnR+mCVRKDxZy1VqiOW1AA9mEf\nf8XNX9CARGaAbXesOnj8ADKswErDOHrca4f1CbrgOWd9UM1qk6HyTw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-08-11T19:04:03Z", + "mac": "ENC[AES256_GCM,data:ja8qprE1psQHAQ+hw8UDXxFqDg+K3tSBq+Hvef4z4nKd4+v8lhIBjCXTE7b+ovmFzJhV4jEd761ugHsxkLUcThAWkuaVy82dmF8idgKwTxg1NKmn3dBGC1fRjOXGPmOvO6Y6dCbL2L1e7z3EoQP2SzgcVa1/g+QgtnWEcTkvXKk=,iv:062sBg8V5nSq10VbFNZ3z7+FZLwXvKyXGbZEpdCjpM0=,tag:DM0zH1chw7pn8d9LwLh1Gg==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.7.3" + } +}
\ No newline at end of file diff --git a/tnet/keys/wg-knot-conflatorio.pub b/tnet/keys/wg-knot-conflatorio.pub new file mode 100644 index 0000000..dfbd2b3 --- /dev/null +++ b/tnet/keys/wg-knot-conflatorio.pub @@ -0,0 +1 @@ +N3BmA8j6VuY7hmB/lWN3OjUK9cgNoMSOZiPiuSAytgQ= diff --git a/tnet/keys/wg-knot-conflatorio.sops.key b/tnet/keys/wg-knot-conflatorio.sops.key new file mode 100644 index 0000000..4565d73 --- /dev/null +++ b/tnet/keys/wg-knot-conflatorio.sops.key @@ -0,0 +1,28 @@ +{ + "data": "ENC[AES256_GCM,data:hDq6uKsf4/ZaLBtR+vW+ldTnupF0wGKYh1NwFuraHEs//9muJIcRwQ93Zhhd,iv:c/U1BRw2PdhWWFle7zYNOfjsvl7BYCbj2cKsc/vaHHI=,tag:pABhOJxuO7ARyfuCuqMwoA==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age13wv3rp0varlg4nvt3tca48fq8u9q3mc6yfdekjeapcmc7kaq4dysrzcmv3", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkb2ppbEY3SVZqL1pLM1h6\nWUJaZE5IQlRGUWlSNHBDeVpHSDBrT0Ztb1hzCjVOUEMyUm5JN1lBaTEvRlRHL1BT\nOTV0aGtXRnAvNWNNTWJiNGMwaU9CWncKLS0tIC9ySXdyOURsODRXODVNbkFyZlVm\nUXFwWFI4RzIrZUVUV1MvVlJyYTlCeDQKnZuwumgHUEwiAMtEEarlPEMAFYBQDGeD\n6oRPWB3lkVl4C7RAGjG/vkvgSf7Wq71Fv24YDRtJddYgnqWRTp+d9w==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1mvh832crygenu5tu5njtraraet656rzwnawuasjggvs999dc9ueqj9qclw", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNVStFYkUwNVVUUG9mRHFp\nazZValA1d08rcWlyeVdFTFBSVEJmUGFZQjNnCmtTQW5oeVNmWW4rR3liZjRJRDBi\nbEQ1VVFRajluSXUzcUtObm0ySUZYMjgKLS0tIHcweUVNendleGl5WlY1eVN0ZFFF\nRGs0enc1b2MxV2RBQnljdHR6N0dMTWsKKERcoegcxCLeAc07a/H5+jA9NopzyYfD\nlZ3tsursdaZKWsCRgPpQJfqtZVbin61zDrxgGJRpVsVkmGtqFZHfyQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1teasctdpkatekpsa47q58d3ugwyyqcuj5v9udtusk7ca9sfv694sw057a5", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkUThmR0xCOE9NN2xHTm9j\naGxpUVVQRXRTMzM5d2R4Mk84RkVScFdRZ3hZCk10TWtwZ09zWkl4TTU3ZDhDNWxp\nVEErYk5ucUpvNUordGdiRWsyS04zY1kKLS0tIEcwSTVZdU1HNFRVS2NTbjM3bGxB\ndGZreWNNWnFGd3JCM3VHeTJDZi83TzAK+y28heVBf2Tl+9X8sgKuAcyzrHn038RM\nzTFnhy0sn5FmmPeAt+DaTI5L23d4h9rs9kMuqkyWFvZH5L1ZKPMC6Q==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-08-11T19:04:05Z", + "mac": "ENC[AES256_GCM,data:Wo9zqglEVWtnfqK9X513PexmbrHEVbcgWSIfvdBAGVT4SAT26yvWVoPzBH1Nt11iePBwkLSjut5+G0Zf5XvhCnWwM3oGqGFhXAJqx3ta3mJIAFwD8E8DDEzvsVy5KM9AZkPv+YFSz33OgtrgSX/8sKfcVYO0DzivwTXiYKEeS1M=,iv:qTyug6kkZCF16oAL6uFsMsMG4aTh5nN8L4+Z0m844LE=,tag:JKXI0oi8D+X0PVVFMInoag==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.7.3" + } +}
\ No newline at end of file diff --git a/tnet/keys/wg-knot-coregonus.pub b/tnet/keys/wg-knot-coregonus.pub new file mode 100644 index 0000000..7fc1905 --- /dev/null +++ b/tnet/keys/wg-knot-coregonus.pub @@ -0,0 +1 @@ +lTuzdN+En+Jc8v9+cTx2U455mw6v+fl/QsWWxO7ZYgI= diff --git a/tnet/keys/wg-knot-coregonus.sops.key b/tnet/keys/wg-knot-coregonus.sops.key new file mode 100644 index 0000000..6acb9ef --- /dev/null +++ b/tnet/keys/wg-knot-coregonus.sops.key @@ -0,0 +1,28 @@ +{ + "data": "ENC[AES256_GCM,data:NhASCvnUd1DDdo8qQ8MNY+KXMa9fACx7DNEwNwwLgjuwSu+bV42z/OYTY6Ck,iv:z0mGt+HuBwuS+WnbuomGwqReCXqEfIC+qPOuz+JciSw=,tag:sCUW0nXWJWgxYEAbkp+7JQ==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age13wv3rp0varlg4nvt3tca48fq8u9q3mc6yfdekjeapcmc7kaq4dysrzcmv3", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOTWY3a0xxbzJnVm1GRHdU\nZU1IcnhKQkdEVjBtNFRIb0swWHlqdldFSUR3Ckg4dGlERkV4Ly93YVRwSjBJdzB0\nS1hmSkNQY2ROdDBZVTVmODRUR2Z4bmMKLS0tIFh0ZDJ1d2ViMFVwNlRkY3d6eU5E\nbHVhSXVCRWI2b2NKVVI1cGVjL3RGaVEKgFzmd42NmzH4GH4Vuklcd1jkCJnngloO\nN4Q5/NdHij8fXWnhkuV/8xX7KnBXEGX5uHo9pYd1aYzyZTUD40rDyw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1mvh832crygenu5tu5njtraraet656rzwnawuasjggvs999dc9ueqj9qclw", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0TmJ4UjZBN2pFU2dBZXdG\naDNtQUhGdkFnYkh5OXVlYTZ6c1N0YWpaTnpNCnZMWFgrWFpNd0tqVGpyN2NIZnlo\ncTRlQ1Q4UGJySm16TThwS0V1dW1nTlUKLS0tIGgzWjQvZ0hETW15TTV4S0Q1K1V5\naDFMODFVcVB4cmxnYXR5RTRnanQ0bVkKPZ/caVVhPQ/0I5X3A70czYnMNgw/l39W\nrf75d5RK5x5FcgZenz23l00g+AUt8uNfct+3YHc15OjL+vOrtm1NCQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1teasctdpkatekpsa47q58d3ugwyyqcuj5v9udtusk7ca9sfv694sw057a5", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjalBWcXg5NVlFS3Bjb0Vt\nUXlhNVNxMmtIMVhEdC8rb2h5UEJxUVpUckI0Ci9BaUM3YWJSczI1RVNQWGtIZllI\nQmhuK2dyMUwvRlpORUZDK2thWldUdFkKLS0tIDA2UVBzbTQ3aDEwcXNHcjRoMkNW\nRXhmZ3hmUlhVR0xzaWU1MDZBUW1zcTAKkkyLoqodk7FWwZV07wlkttEs115/v9ZI\nOVfi+VzkI++jLW2KzL1S1i1N+/BHnfXDnzNDaIqUTRrFi5jhd1kk0A==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-08-20T23:20:12Z", + "mac": "ENC[AES256_GCM,data:l4s7OdTHRqBXVGHpCQMo/k6nwwPEcWK8J47n1b8pQSDuO4DFcB/ApI8rNKgFAujXLUwB10YeRwp0bcLdlGREt7PhcHhddNB5yRYx/8djqYpm0w3rSAN9p4IW5CNB5LmfdxQk2dI0Ow8wxw8UzTVO08T7cDNeYRZdQTJLd+VUhCo=,iv:Ffv/pz30FwLaho3Y2HlMO11jKIl71GUpKMe1cSMNOwo=,tag:Qo3ZSTnJa26jYdwJtGvmyQ==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.7.3" + } +}
\ No newline at end of file diff --git a/tnet/files/knot/bird-tnet-pre.conf b/tnet/templates/akili/bird-tnet-pre.conf index ec31fa2..74c981d 100644 --- a/tnet/files/knot/bird-tnet-pre.conf +++ b/tnet/templates/akili/bird-tnet-pre.conf @@ -1,9 +1,8 @@ -define tnet = fdb1:4242:3538::/48; -define tnet_router = fdb1:4242:3538:ffff::/64; +define tnet = fdb1:4242:3538:2000::/52; -function is_tnet() # -> bool +function is_tnet() { - return net ~ tnet && ! (net ~ tnet_router); + return net ~ tnet; } roa6 table dn42_roa; @@ -13,7 +12,7 @@ protocol static { include "/etc/bird/dn42_roa_bird2_6.conf"; }; -function dn42_is_valid_network() # -> bool +function dn42_is_valid_network() { return net ~ [ fd00::/8{44,64} # ULA address space as per RFC 4193 diff --git a/tnet/templates/akili/bird-tnet.conf b/tnet/templates/akili/bird-tnet.conf new file mode 100644 index 0000000..d306fcc --- /dev/null +++ b/tnet/templates/akili/bird-tnet.conf @@ -0,0 +1,48 @@ +# Set to true if this peer is directly connected to a dn42 peer +define is_dn42_peer = true; +# If we are connected directly to dn42, we don't want the dn42 routes from others +define import_dn42 = !is_dn42_peer; +define export_dn42 = is_dn42_peer; + +template bgp tnet_tpl { + local as 4242423538; + neighbor internal; + + direct; + + ipv6 { + next hop self; + import filter { + if is_tnet() then { + accept proto, ": (tnet) import accept, net=", net, ", from=", from, ", gw=", gw; + } else if import_dn42 && dn42_is_valid_network() then { + accept proto, ": (dn42) import accept, net=", net, ", from=", from, ", gw=", gw; + } else { + reject proto, ": import reject, reason=not tnet"; + } + }; + # newer bird's only + # import keep filtered; + export filter { + if is_tnet() then { + accept proto, ": (tnet) export accept, net=", net, ", from=", from, ", gw=", gw; + } else if export_dn42 && dn42_is_valid_network() then { + accept proto, ": (dn42) import accept, net=", net, ", from=", from, ", gw=", gw; + } else { + reject proto, ": export reject, reason=not tnet"; + } + }; + }; +} + +protocol bgp tnet_hash from tnet_tpl { + neighbor fdb1:4242:3538:ffff:ca85:f812:3935:5fba; + interface "tnet-hash"; + password "{{ bgp_password['akili-hash'] }}"; +} + +protocol bgp tnet_knot from tnet_tpl { + neighbor fdb1:4242:3538:ffff:59d7:cf77:8b5d:761a; + interface "tnet-knot"; + password "{{ bgp_password['akili-knot'] }}"; +} diff --git a/tnet/templates/astyanax/bird-tnet-pre.conf b/tnet/templates/astyanax/bird-tnet-pre.conf new file mode 100644 index 0000000..74c981d --- /dev/null +++ b/tnet/templates/astyanax/bird-tnet-pre.conf @@ -0,0 +1,20 @@ +define tnet = fdb1:4242:3538:2000::/52; + +function is_tnet() +{ + return net ~ tnet; +} + +roa6 table dn42_roa; + +protocol static { + roa6 { table dn42_roa; }; + include "/etc/bird/dn42_roa_bird2_6.conf"; +}; + +function dn42_is_valid_network() +{ + return net ~ [ + fd00::/8{44,64} # ULA address space as per RFC 4193 + ]; +} diff --git a/tnet/templates/astyanax/bird-tnet.conf b/tnet/templates/astyanax/bird-tnet.conf new file mode 100644 index 0000000..496cebe --- /dev/null +++ b/tnet/templates/astyanax/bird-tnet.conf @@ -0,0 +1,48 @@ +# Set to true if this peer is directly connected to a dn42 peer +define is_dn42_peer = true; +# If we are connected directly to dn42, we don't want the dn42 routes from others +define import_dn42 = !is_dn42_peer; +define export_dn42 = is_dn42_peer; + +template bgp tnet_tpl { + local as 4242423538; + neighbor internal; + + direct; + + ipv6 { + next hop self; + import filter { + if is_tnet() then { + accept proto, ": (tnet) import accept, net=", net, ", from=", from, ", gw=", gw; + } else if import_dn42 && dn42_is_valid_network() then { + accept proto, ": (dn42) import accept, net=", net, ", from=", from, ", gw=", gw; + } else { + reject proto, ": import reject, reason=not tnet"; + } + }; + # newer bird's only + # import keep filtered; + export filter { + if is_tnet() then { + accept proto, ": (tnet) export accept, net=", net, ", from=", from, ", gw=", gw; + } else if export_dn42 && dn42_is_valid_network() then { + accept proto, ": (dn42) import accept, net=", net, ", from=", from, ", gw=", gw; + } else { + reject proto, ": export reject, reason=not tnet"; + } + }; + }; +} + +protocol bgp tnet_hash from tnet_tpl { + neighbor fe80:a0fd:89e4:42c6:f617:7398:abf4:b516; + interface "tnet-hash"; + password "{{ bgp_password['astyanax-hash'] }}"; +} + +protocol bgp tnet_knot from tnet_tpl { + neighbor fe80:6728:53fc:fc81:40b3:9beb:8336:ba56; + interface "tnet-knot"; + password "{{ bgp_password['astyanax-knot'] }}"; +} diff --git a/tnet/templates/bird-tnet-pre.conf.j2 b/tnet/templates/bird-tnet-pre.conf.j2 index ec31fa2..e762cd5 100644 --- a/tnet/templates/bird-tnet-pre.conf.j2 +++ b/tnet/templates/bird-tnet-pre.conf.j2 @@ -1,9 +1,8 @@ -define tnet = fdb1:4242:3538::/48; -define tnet_router = fdb1:4242:3538:ffff::/64; +define tnet = {{ ipam6.networks.tnet_dn42.range }}; -function is_tnet() # -> bool +function is_tnet(){{ " -> bool" if birdv >= 2015 }} { - return net ~ tnet && ! (net ~ tnet_router); + return net ~ tnet; } roa6 table dn42_roa; @@ -13,7 +12,7 @@ protocol static { include "/etc/bird/dn42_roa_bird2_6.conf"; }; -function dn42_is_valid_network() # -> bool +function dn42_is_valid_network(){{ " -> bool" if birdv >= 2015 }} { return net ~ [ fd00::/8{44,64} # ULA address space as per RFC 4193 diff --git a/tnet/templates/bird-tnet.conf.j2 b/tnet/templates/bird-tnet.conf.j2 index 9797241..1185014 100644 --- a/tnet/templates/bird-tnet.conf.j2 +++ b/tnet/templates/bird-tnet.conf.j2 @@ -1,28 +1,36 @@ +# Set to true if this peer is directly connected to a dn42 peer +define is_dn42_peer = true; +# If we are connected directly to dn42, we don't want the dn42 routes from others +define import_dn42 = !is_dn42_peer; +define export_dn42 = is_dn42_peer; + template bgp tnet_tpl { local as 4242423538; neighbor internal; direct; - password "trygvis"; - ipv6 { next hop self; import filter { if is_tnet() then { - print proto, ": import accept, net=", net, ", from=", from, ", gw=", gw; - accept; + accept proto, ": (tnet) import accept, net=", net, ", from=", from, ", gw=", gw; + } else if import_dn42 && dn42_is_valid_network() then { + accept proto, ": (dn42) import accept, net=", net, ", from=", from, ", gw=", gw; + } else { + reject proto, ": import reject, reason=not tnet"; } - print proto, ": import reject, reason=not tnet"; reject; }; # newer bird's only # import keep filtered; export filter { if is_tnet() then { - print proto, ": export accept, net=", net, ", from=", from, ", gw=", gw; - accept; + accept proto, ": (tnet) export accept, net=", net, ", from=", from, ", gw=", gw; + } else if export_dn42 && dn42_is_valid_network() then { + accept proto, ": (dn42) import accept, net=", net, ", from=", from, ", gw=", gw; + } else { + reject proto, ": export reject, reason=not tnet"; } - print proto, ": export reject, reason=not tnet"; reject; }; }; } @@ -33,7 +41,17 @@ template bgp tnet_tpl { {% if policy == "tnet" %} protocol bgp tnet_{{ p }} from tnet_tpl { neighbor {{ hostvars[p].tnet_wg[inventory_hostname].address }}; +{% if peer.interface is defined %} + interface "{{ peer.interface }}"; +{% else %} interface "tnet-{{ p }}"; +{% endif %} +{% if inventory_hostname < p %} +{% set password_var = inventory_hostname + "-" + p %} +{% else %} +{% set password_var = p + "-" + inventory_hostname %} +{% endif %} + password "{{ "{{ bgp_password['" + password_var + "'] }}" }}"; {% if peer.rr_client|default(False) %} rr client; @@ -50,23 +68,22 @@ protocol bgp {{ p }} { ipv6 { import filter { - if dn42_is_valid_network() && !is_tnet() then { + if dn42_is_valid_network() && (net !~ tnet) then { # Check when unknown or invalid according to ROA if (roa_check(dn42_roa, net, bgp_path.last) = ROA_VALID) then { accept; } else { - print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last; - reject; + reject proto, "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last; } } else { - reject; + reject proto, "[dn42] invalid dn42 network ", net, " ASN ", bgp_path.last; } }; export filter { - if dn42_is_valid_network() && source ~ [RTS_STATIC, RTS_BGP] then { - accept; + if net ~ tnet then { + accept proto, "[dn42] accepting export tnet: ", net; } else { - reject; + reject proto, "[dn42] rejecting export: ", net; } }; }; diff --git a/tnet/templates/conflatorio/bird-tnet-pre.conf b/tnet/templates/conflatorio/bird-tnet-pre.conf new file mode 100644 index 0000000..d60e8df --- /dev/null +++ b/tnet/templates/conflatorio/bird-tnet-pre.conf @@ -0,0 +1,20 @@ +define tnet = fdb1:4242:3538:2000::/52; + +function is_tnet() -> bool +{ + return net ~ tnet; +} + +roa6 table dn42_roa; + +protocol static { + roa6 { table dn42_roa; }; + include "/etc/bird/dn42_roa_bird2_6.conf"; +}; + +function dn42_is_valid_network() -> bool +{ + return net ~ [ + fd00::/8{44,64} # ULA address space as per RFC 4193 + ]; +} diff --git a/tnet/templates/conflatorio/bird-tnet.conf b/tnet/templates/conflatorio/bird-tnet.conf new file mode 100644 index 0000000..4ffcc7f --- /dev/null +++ b/tnet/templates/conflatorio/bird-tnet.conf @@ -0,0 +1,48 @@ +# Set to true if this peer is directly connected to a dn42 peer +define is_dn42_peer = true; +# If we are connected directly to dn42, we don't want the dn42 routes from others +define import_dn42 = !is_dn42_peer; +define export_dn42 = is_dn42_peer; + +template bgp tnet_tpl { + local as 4242423538; + neighbor internal; + + direct; + + ipv6 { + next hop self; + import filter { + if is_tnet() then { + accept proto, ": (tnet) import accept, net=", net, ", from=", from, ", gw=", gw; + } else if import_dn42 && dn42_is_valid_network() then { + accept proto, ": (dn42) import accept, net=", net, ", from=", from, ", gw=", gw; + } else { + reject proto, ": import reject, reason=not tnet"; + } + }; + # newer bird's only + # import keep filtered; + export filter { + if is_tnet() then { + accept proto, ": (tnet) export accept, net=", net, ", from=", from, ", gw=", gw; + } else if export_dn42 && dn42_is_valid_network() then { + accept proto, ": (dn42) import accept, net=", net, ", from=", from, ", gw=", gw; + } else { + reject proto, ": export reject, reason=not tnet"; + } + }; + }; +} + +protocol bgp tnet_hash from tnet_tpl { + neighbor fe80:4540:476c:d432:2f32:818b:811b:bb61; + interface "tnet-hash"; + password "{{ bgp_password['conflatorio-hash'] }}"; +} + +protocol bgp tnet_knot from tnet_tpl { + neighbor fe80:47fc:0660:b91f:1063:a6ae:46bb:7589; + interface "tnet-knot"; + password "{{ bgp_password['conflatorio-knot'] }}"; +} diff --git a/tnet/templates/coregonus/bird-tnet-pre.conf b/tnet/templates/coregonus/bird-tnet-pre.conf new file mode 100644 index 0000000..d60e8df --- /dev/null +++ b/tnet/templates/coregonus/bird-tnet-pre.conf @@ -0,0 +1,20 @@ +define tnet = fdb1:4242:3538:2000::/52; + +function is_tnet() -> bool +{ + return net ~ tnet; +} + +roa6 table dn42_roa; + +protocol static { + roa6 { table dn42_roa; }; + include "/etc/bird/dn42_roa_bird2_6.conf"; +}; + +function dn42_is_valid_network() -> bool +{ + return net ~ [ + fd00::/8{44,64} # ULA address space as per RFC 4193 + ]; +} diff --git a/tnet/templates/coregonus/bird-tnet.conf b/tnet/templates/coregonus/bird-tnet.conf new file mode 100644 index 0000000..2d2a573 --- /dev/null +++ b/tnet/templates/coregonus/bird-tnet.conf @@ -0,0 +1,42 @@ +# Set to true if this peer is directly connected to a dn42 peer +define is_dn42_peer = true; +# If we are connected directly to dn42, we don't want the dn42 routes from others +define import_dn42 = !is_dn42_peer; +define export_dn42 = is_dn42_peer; + +template bgp tnet_tpl { + local as 4242423538; + neighbor internal; + + direct; + + ipv6 { + next hop self; + import filter { + if is_tnet() then { + accept proto, ": (tnet) import accept, net=", net, ", from=", from, ", gw=", gw; + } else if import_dn42 && dn42_is_valid_network() then { + accept proto, ": (dn42) import accept, net=", net, ", from=", from, ", gw=", gw; + } else { + reject proto, ": import reject, reason=not tnet"; + } + }; + # newer bird's only + # import keep filtered; + export filter { + if is_tnet() then { + accept proto, ": (tnet) export accept, net=", net, ", from=", from, ", gw=", gw; + } else if export_dn42 && dn42_is_valid_network() then { + accept proto, ": (dn42) import accept, net=", net, ", from=", from, ", gw=", gw; + } else { + reject proto, ": export reject, reason=not tnet"; + } + }; + }; +} + +protocol bgp tnet_knot from tnet_tpl { + neighbor fe80:ba82:77f0:f96d:7a85:a7fa:ef6f:37d2; + interface "tnet-knot"; + password "{{ bgp_password['coregonus-knot'] }}"; +} diff --git a/tnet/templates/hash/bird-tnet-pre.conf b/tnet/templates/hash/bird-tnet-pre.conf new file mode 100644 index 0000000..74c981d --- /dev/null +++ b/tnet/templates/hash/bird-tnet-pre.conf @@ -0,0 +1,20 @@ +define tnet = fdb1:4242:3538:2000::/52; + +function is_tnet() +{ + return net ~ tnet; +} + +roa6 table dn42_roa; + +protocol static { + roa6 { table dn42_roa; }; + include "/etc/bird/dn42_roa_bird2_6.conf"; +}; + +function dn42_is_valid_network() +{ + return net ~ [ + fd00::/8{44,64} # ULA address space as per RFC 4193 + ]; +} diff --git a/tnet/templates/hash/bird-tnet.conf b/tnet/templates/hash/bird-tnet.conf new file mode 100644 index 0000000..d9c52b0 --- /dev/null +++ b/tnet/templates/hash/bird-tnet.conf @@ -0,0 +1,76 @@ +# Set to true if this peer is directly connected to a dn42 peer +define is_dn42_peer = true; +# If we are connected directly to dn42, we don't want the dn42 routes from others +define import_dn42 = !is_dn42_peer; +define export_dn42 = is_dn42_peer; + +template bgp tnet_tpl { + local as 4242423538; + neighbor internal; + + direct; + + ipv6 { + next hop self; + import filter { + if is_tnet() then { + accept proto, ": (tnet) import accept, net=", net, ", from=", from, ", gw=", gw; + } else if import_dn42 && dn42_is_valid_network() then { + accept proto, ": (dn42) import accept, net=", net, ", from=", from, ", gw=", gw; + } else { + reject proto, ": import reject, reason=not tnet"; + } + }; + # newer bird's only + # import keep filtered; + export filter { + if is_tnet() then { + accept proto, ": (tnet) export accept, net=", net, ", from=", from, ", gw=", gw; + } else if export_dn42 && dn42_is_valid_network() then { + accept proto, ": (dn42) import accept, net=", net, ", from=", from, ", gw=", gw; + } else { + reject proto, ": export reject, reason=not tnet"; + } + }; + }; +} + +protocol bgp tnet_conflatorio from tnet_tpl { + neighbor fe80:4540:476c:d432:2f32:818b:811b:bb60; + interface "tnet-confltrio"; + password "{{ bgp_password['conflatorio-hash'] }}"; + + rr client; +} + +protocol bgp tnet_knot from tnet_tpl { + neighbor fe80:3b20:4cb0:5315:22a:c7de:a45b:8a7c; + interface "tnet-knot"; + password "{{ bgp_password['hash-knot'] }}"; + + rr client; +} + +protocol bgp tnet_lhn2pi from tnet_tpl { + neighbor fe80:6195:1d43:9655:35f7:9dba:798c:26b9; + interface "tnet-lhn2pi"; + password "{{ bgp_password['hash-lhn2pi'] }}"; + + rr client; +} + +protocol bgp tnet_node1 from tnet_tpl { + neighbor fe80:a026:6ec2:b356:21c5:b51:22b9:a1df; + interface "tnet-node1"; + password "{{ bgp_password['hash-node1'] }}"; + + rr client; +} + +protocol bgp tnet_node2 from tnet_tpl { + neighbor fe80:a7a6:c1a8:c261:232e:7d67:fc27:7c8d; + interface "tnet-node2"; + password "{{ bgp_password['hash-node2'] }}"; + + rr client; +} diff --git a/tnet/templates/knot/bird-tnet-pre.conf b/tnet/templates/knot/bird-tnet-pre.conf new file mode 100644 index 0000000..d60e8df --- /dev/null +++ b/tnet/templates/knot/bird-tnet-pre.conf @@ -0,0 +1,20 @@ +define tnet = fdb1:4242:3538:2000::/52; + +function is_tnet() -> bool +{ + return net ~ tnet; +} + +roa6 table dn42_roa; + +protocol static { + roa6 { table dn42_roa; }; + include "/etc/bird/dn42_roa_bird2_6.conf"; +}; + +function dn42_is_valid_network() -> bool +{ + return net ~ [ + fd00::/8{44,64} # ULA address space as per RFC 4193 + ]; +} diff --git a/tnet/templates/knot/bird-tnet.conf b/tnet/templates/knot/bird-tnet.conf new file mode 100644 index 0000000..699c0f2 --- /dev/null +++ b/tnet/templates/knot/bird-tnet.conf @@ -0,0 +1,121 @@ +# Set to true if this peer is directly connected to a dn42 peer +define is_dn42_peer = true; +# If we are connected directly to dn42, we don't want the dn42 routes from others +define import_dn42 = !is_dn42_peer; +define export_dn42 = is_dn42_peer; + +template bgp tnet_tpl { + local as 4242423538; + neighbor internal; + + direct; + + ipv6 { + next hop self; + import filter { + if is_tnet() then { + accept proto, ": (tnet) import accept, net=", net, ", from=", from, ", gw=", gw; + } else if import_dn42 && dn42_is_valid_network() then { + accept proto, ": (dn42) import accept, net=", net, ", from=", from, ", gw=", gw; + } else { + reject proto, ": import reject, reason=not tnet"; + } + }; + # newer bird's only + # import keep filtered; + export filter { + if is_tnet() then { + accept proto, ": (tnet) export accept, net=", net, ", from=", from, ", gw=", gw; + } else if export_dn42 && dn42_is_valid_network() then { + accept proto, ": (dn42) import accept, net=", net, ", from=", from, ", gw=", gw; + } else { + reject proto, ": export reject, reason=not tnet"; + } + }; + }; +} + +protocol bgp tnet_conflatorio from tnet_tpl { + neighbor fe80:47fc:660:b91f:1063:a6ae:46bb:7588; + interface "tnet-confltrio"; + password "{{ bgp_password['conflatorio-knot'] }}"; + + rr client; +} + +protocol bgp tnet_coregonus from tnet_tpl { + neighbor fe80:ba82:77f0:f96d:7a85:a7fa:ef6f:37d3; + interface "tnet-coregonus"; + password "{{ bgp_password['coregonus-knot'] }}"; + + rr client; +} + +protocol bgp tnet_hash from tnet_tpl { + neighbor fe80:3b20:4cb0:5315:22a:c7de:a45b:8a7d; + interface "tnet-hash"; + password "{{ bgp_password['hash-knot'] }}"; + + rr client; +} + +protocol bgp tnet_kv24ix from tnet_tpl { + neighbor fe80:fef1:078a:5b64:efd3:ae7b:d286:d7cf; + interface "tnet-kv24ix"; + password "{{ bgp_password['knot-kv24ix'] }}"; + + rr client; +} + +protocol bgp tnet_lhn2pi from tnet_tpl { + neighbor fe80:d83a:350b:2162:6eda:1cc1:9cd7:80e9; + interface "tnet-lhn2pi"; + password "{{ bgp_password['knot-lhn2pi'] }}"; + + rr client; +} + +protocol bgp tnet_node1 from tnet_tpl { + neighbor fe80:58eb:3930:1815:2a6d:8918:70c9:96f3; + interface "tnet-node1"; + password "{{ bgp_password['knot-node1'] }}"; + + rr client; +} + +protocol bgp tnet_node2 from tnet_tpl { + neighbor fe80:9dd8:abac:cf05:aea3:dc03:4c74:32db; + interface "tnet-node2"; + password "{{ bgp_password['knot-node2'] }}"; + + rr client; +} + +protocol bgp routedbits_lon1 { + local as 4242423538; + neighbor fe80::207; + neighbor as 4242420207; + interface "tnet-rtdbts_l1"; + + ipv6 { + import filter { + if dn42_is_valid_network() && (net !~ tnet) then { + # Check when unknown or invalid according to ROA + if (roa_check(dn42_roa, net, bgp_path.last) = ROA_VALID) then { + accept; + } else { + reject proto, "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last; + } + } else { + reject proto, "[dn42] invalid dn42 network ", net, " ASN ", bgp_path.last; + } + }; + export filter { + if net ~ tnet then { + accept proto, "[dn42] accepting export tnet: ", net; + } else { + reject proto, "[dn42] rejecting export: ", net; + } + }; + }; +} diff --git a/tnet/templates/lhn2pi/bird-tnet-pre.conf b/tnet/templates/lhn2pi/bird-tnet-pre.conf new file mode 100644 index 0000000..74c981d --- /dev/null +++ b/tnet/templates/lhn2pi/bird-tnet-pre.conf @@ -0,0 +1,20 @@ +define tnet = fdb1:4242:3538:2000::/52; + +function is_tnet() +{ + return net ~ tnet; +} + +roa6 table dn42_roa; + +protocol static { + roa6 { table dn42_roa; }; + include "/etc/bird/dn42_roa_bird2_6.conf"; +}; + +function dn42_is_valid_network() +{ + return net ~ [ + fd00::/8{44,64} # ULA address space as per RFC 4193 + ]; +} diff --git a/tnet/templates/lhn2pi/bird-tnet.conf b/tnet/templates/lhn2pi/bird-tnet.conf new file mode 100644 index 0000000..f755c3b --- /dev/null +++ b/tnet/templates/lhn2pi/bird-tnet.conf @@ -0,0 +1,48 @@ +# Set to true if this peer is directly connected to a dn42 peer +define is_dn42_peer = true; +# If we are connected directly to dn42, we don't want the dn42 routes from others +define import_dn42 = !is_dn42_peer; +define export_dn42 = is_dn42_peer; + +template bgp tnet_tpl { + local as 4242423538; + neighbor internal; + + direct; + + ipv6 { + next hop self; + import filter { + if is_tnet() then { + accept proto, ": (tnet) import accept, net=", net, ", from=", from, ", gw=", gw; + } else if import_dn42 && dn42_is_valid_network() then { + accept proto, ": (dn42) import accept, net=", net, ", from=", from, ", gw=", gw; + } else { + reject proto, ": import reject, reason=not tnet"; + } + }; + # newer bird's only + # import keep filtered; + export filter { + if is_tnet() then { + accept proto, ": (tnet) export accept, net=", net, ", from=", from, ", gw=", gw; + } else if export_dn42 && dn42_is_valid_network() then { + accept proto, ": (dn42) import accept, net=", net, ", from=", from, ", gw=", gw; + } else { + reject proto, ": export reject, reason=not tnet"; + } + }; + }; +} + +protocol bgp tnet_hash from tnet_tpl { + neighbor fe80:6195:1d43:9655:35f7:9dba:798c:26b8; + interface "tnet-hash"; + password "{{ bgp_password['hash-lhn2pi'] }}"; +} + +protocol bgp tnet_knot from tnet_tpl { + neighbor fe80:d83a:350b:2162:6eda:1cc1:9cd7:80e8; + interface "tnet-knot"; + password "{{ bgp_password['knot-lhn2pi'] }}"; +} diff --git a/tnet/templates/node1/bird-tnet-pre.conf b/tnet/templates/node1/bird-tnet-pre.conf new file mode 100644 index 0000000..74c981d --- /dev/null +++ b/tnet/templates/node1/bird-tnet-pre.conf @@ -0,0 +1,20 @@ +define tnet = fdb1:4242:3538:2000::/52; + +function is_tnet() +{ + return net ~ tnet; +} + +roa6 table dn42_roa; + +protocol static { + roa6 { table dn42_roa; }; + include "/etc/bird/dn42_roa_bird2_6.conf"; +}; + +function dn42_is_valid_network() +{ + return net ~ [ + fd00::/8{44,64} # ULA address space as per RFC 4193 + ]; +} diff --git a/tnet/templates/node1/bird-tnet.conf b/tnet/templates/node1/bird-tnet.conf new file mode 100644 index 0000000..bafb6de --- /dev/null +++ b/tnet/templates/node1/bird-tnet.conf @@ -0,0 +1,48 @@ +# Set to true if this peer is directly connected to a dn42 peer +define is_dn42_peer = true; +# If we are connected directly to dn42, we don't want the dn42 routes from others +define import_dn42 = !is_dn42_peer; +define export_dn42 = is_dn42_peer; + +template bgp tnet_tpl { + local as 4242423538; + neighbor internal; + + direct; + + ipv6 { + next hop self; + import filter { + if is_tnet() then { + accept proto, ": (tnet) import accept, net=", net, ", from=", from, ", gw=", gw; + } else if import_dn42 && dn42_is_valid_network() then { + accept proto, ": (dn42) import accept, net=", net, ", from=", from, ", gw=", gw; + } else { + reject proto, ": import reject, reason=not tnet"; + } + }; + # newer bird's only + # import keep filtered; + export filter { + if is_tnet() then { + accept proto, ": (tnet) export accept, net=", net, ", from=", from, ", gw=", gw; + } else if export_dn42 && dn42_is_valid_network() then { + accept proto, ": (dn42) import accept, net=", net, ", from=", from, ", gw=", gw; + } else { + reject proto, ": export reject, reason=not tnet"; + } + }; + }; +} + +protocol bgp tnet_hash from tnet_tpl { + neighbor fe80:a026:6ec2:b356:21c5:b51:22b9:a1de; + interface "tnet-hash"; + password "{{ bgp_password['hash-node1'] }}"; +} + +protocol bgp tnet_knot from tnet_tpl { + neighbor fe80:58eb:3930:1815:2a6d:8918:70c9:96f2; + interface "tnet-knot"; + password "{{ bgp_password['knot-node1'] }}"; +} diff --git a/tnet/templates/node2/bird-tnet-pre.conf b/tnet/templates/node2/bird-tnet-pre.conf new file mode 100644 index 0000000..74c981d --- /dev/null +++ b/tnet/templates/node2/bird-tnet-pre.conf @@ -0,0 +1,20 @@ +define tnet = fdb1:4242:3538:2000::/52; + +function is_tnet() +{ + return net ~ tnet; +} + +roa6 table dn42_roa; + +protocol static { + roa6 { table dn42_roa; }; + include "/etc/bird/dn42_roa_bird2_6.conf"; +}; + +function dn42_is_valid_network() +{ + return net ~ [ + fd00::/8{44,64} # ULA address space as per RFC 4193 + ]; +} diff --git a/tnet/templates/node2/bird-tnet.conf b/tnet/templates/node2/bird-tnet.conf new file mode 100644 index 0000000..8a7b887 --- /dev/null +++ b/tnet/templates/node2/bird-tnet.conf @@ -0,0 +1,48 @@ +# Set to true if this peer is directly connected to a dn42 peer +define is_dn42_peer = true; +# If we are connected directly to dn42, we don't want the dn42 routes from others +define import_dn42 = !is_dn42_peer; +define export_dn42 = is_dn42_peer; + +template bgp tnet_tpl { + local as 4242423538; + neighbor internal; + + direct; + + ipv6 { + next hop self; + import filter { + if is_tnet() then { + accept proto, ": (tnet) import accept, net=", net, ", from=", from, ", gw=", gw; + } else if import_dn42 && dn42_is_valid_network() then { + accept proto, ": (dn42) import accept, net=", net, ", from=", from, ", gw=", gw; + } else { + reject proto, ": import reject, reason=not tnet"; + } + }; + # newer bird's only + # import keep filtered; + export filter { + if is_tnet() then { + accept proto, ": (tnet) export accept, net=", net, ", from=", from, ", gw=", gw; + } else if export_dn42 && dn42_is_valid_network() then { + accept proto, ": (dn42) import accept, net=", net, ", from=", from, ", gw=", gw; + } else { + reject proto, ": export reject, reason=not tnet"; + } + }; + }; +} + +protocol bgp tnet_hash from tnet_tpl { + neighbor fe80:a7a6:c1a8:c261:232e:7d67:fc27:7c8c; + interface "tnet-hash"; + password "{{ bgp_password['hash-node2'] }}"; +} + +protocol bgp tnet_knot from tnet_tpl { + neighbor fe80:9dd8:abac:cf05:aea3:dc03:4c74:32da; + interface "tnet-knot"; + password "{{ bgp_password['knot-node2'] }}"; +} diff --git a/tnet/wg-links-link.yml b/tnet/wg-links-link.yml index 6f1bb87..c1c520b 100644 --- a/tnet/wg-links-link.yml +++ b/tnet/wg-links-link.yml @@ -1,3 +1,12 @@ +- set_fact: + if_name: tnet-{{ item.value.if_name|default(item.key) }} + +#- debug: +# msg: | +# if_name {{ if_name }} +# item.value.if_name {{ item.value.if_name|default("NOT SET") }} +# item.key {{ item.key }} + - notify: systemctl restart systemd-networkd become: yes file: @@ -8,13 +17,13 @@ notify: systemctl restart systemd-networkd become: yes copy: - dest: "/etc/systemd/network/50-tnet-{{ item.key }}.netdev" + dest: "/etc/systemd/network/50-{{ if_name }}.netdev" owner: systemd-network group: adm mode: 0640 content: | [NetDev] - Name=tnet-{{ item.key }} + Name={{ if_name }} Kind=wireguard Description=tnet link to {{ item.key }} @@ -42,12 +51,12 @@ notify: systemctl restart systemd-networkd become: yes copy: - dest: "/etc/systemd/network/50-tnet-{{ item.key }}.network" + dest: "/etc/systemd/network/50-{{ if_name }}.network" owner: systemd-network group: adm content: | [Match] - Name=tnet-{{ item.key }} + Name={{ if_name }} [Network] Address={{ item.value.address }}/64 diff --git a/utils/.gitignore b/utils/.gitignore new file mode 100644 index 0000000..9487075 --- /dev/null +++ b/utils/.gitignore @@ -0,0 +1 @@ +utils diff --git a/utils/Makefile b/utils/Makefile new file mode 100644 index 0000000..409ef2d --- /dev/null +++ b/utils/Makefile @@ -0,0 +1,18 @@ +IPAM=../ansible/group_vars/all/ipam.yml + +all: utils + +networks: ../ansible/group_vars/all/networks.tmp.png +routers: ../ansible/group_vars/all/routers.tmp.png + +%.png:%.dot + dot -Tpng $< > $@ + +../ansible/group_vars/all/networks.tmp.dot: $(IPAM) + go run main.go networks $< > $@ + +../ansible/group_vars/all/routers.tmp.dot: $(IPAM) + go run main.go routers $< > $@ + +utils: + go build diff --git a/utils/go.mod b/utils/go.mod new file mode 100644 index 0000000..0090185 --- /dev/null +++ b/utils/go.mod @@ -0,0 +1,5 @@ +module utils + +go 1.23 + +require gopkg.in/yaml.v3 v3.0.1 diff --git a/utils/go.sum b/utils/go.sum new file mode 100644 index 0000000..a62c313 --- /dev/null +++ b/utils/go.sum @@ -0,0 +1,4 @@ +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/utils/ipam/ipam.go b/utils/ipam/ipam.go new file mode 100644 index 0000000..d61fa3e --- /dev/null +++ b/utils/ipam/ipam.go @@ -0,0 +1,183 @@ +package ipam + +import ( + "cmp" + "fmt" + "log" + "net/netip" + "slices" + "utils/ipam/yaml_model" +) + +func LoadIpam(bs []byte) (*Ipam, error) { + parsed, err := yaml_model.Parse(bs) + if err != nil { + return nil, err + } + + ipam := Ipam{} + err = processNetworks(parsed.Ipam6.Networks, &ipam) + if err != nil { + return nil, err + } + + err = processRouters(parsed.Routers, &ipam) + if err != nil { + return nil, err + } + + ipam.ResolveParents() + + return &ipam, nil +} + +type Ipam struct { + Networks []*Network + Routers []*Router +} + +func contains(a, b netip.Prefix) bool { + return b.Bits() > a.Bits() && b.Overlaps(a) +} + +func (ipam *Ipam) ResolveParents() { + for _, n := range ipam.Networks { + log.Printf("network %s/%s", n.Name, n.Prefix) + for _, p := range ipam.Networks { + if n == p { + continue + } + log.Printf(" candidate %s/%s", p.Name, p.Prefix) + if contains(p.Prefix, n.Prefix) { + if n.Parent == nil { + log.Printf(" found parent %s/%s", p.Name, p.Prefix) + n.Parent = p + } else { + if n.Parent.Prefix.Bits() < p.Prefix.Bits() { + log.Printf(" found better parent %s/%s", p.Name, p.Prefix) + n.Parent = p + } + } + } + } + } + + return +} + +func (ipam *Ipam) FindRoots() []*Network { + var ns []*Network + + for _, n := range ipam.Networks { + if n.Parent == nil { + ns = append(ns, n) + } + } + + return ns +} + +type Network struct { + Name string + Parent *Network + Prefix netip.Prefix + hosts []networkHost +} + +func CompareNetwork(a, b *Network) int { + return cmp.Compare(a.Name, b.Name) +} + +func (n *Network) Compare(other *Network) int { + return cmp.Compare(n.Name, other.Name) +} + +type networkHost struct { + name string + address netip.Addr +} + +func processNetworks(networks map[string]yaml_model.Network6Yaml, ipam *Ipam) error { + var ns []*Network + + for name, net := range networks { + log.Printf("Processing net %v\n", name) + prefix, err := netip.ParsePrefix(net.Range) + if err != nil { + return fmt.Errorf("error parsing net range: %v", err) + } + log.Printf("prefix: %s", prefix.String()) + + n := Network{Name: name, Prefix: prefix} + for hostname, a := range net.Hosts { + addr, err := netip.ParseAddr(a) + if err != nil { + return fmt.Errorf("network: %s, unable to parse host address %s", n.Name, a) + } + + n.hosts = append(n.hosts, networkHost{ + name: hostname, + address: addr, + }) + } + + ns = append(ns, &n) + } + + ipam.Networks = ns + return nil +} + +type Router struct { + Name string + As string + Peers []Peer +} + +func (r *Router) Compare(other *Router) int { + return cmp.Compare(r.Name, other.Name) +} + +type Peer struct { + Name string + /// Router is set if this is a known peer + Router *Router + + As string +} + +func processRouters(routers map[string]yaml_model.Router, ipam *Ipam) error { + var rs []*Router + rsIndex := make(map[string]*Router) + for name, router := range routers { + r := &Router{ + Name: name, + As: router.As, + } + + rs = append(rs, r) + rsIndex[name] = r + } + + for _, r := range rs { + router := routers[r.Name] + + for name, peer := range router.Peers { + remote := rsIndex[name] + + r.Peers = append(r.Peers, Peer{ + Name: name, + Router: remote, + As: peer.As, + }) + } + } + + compare := func(a *Router, b *Router) int { + return a.Compare(b) + } + + ipam.Routers = slices.SortedStableFunc(slices.Values(rs), compare) + + return nil +} diff --git a/utils/ipam/yaml_model/yaml_model.go b/utils/ipam/yaml_model/yaml_model.go new file mode 100644 index 0000000..4109e12 --- /dev/null +++ b/utils/ipam/yaml_model/yaml_model.go @@ -0,0 +1,36 @@ +package yaml_model + +import "gopkg.in/yaml.v3" + +type Ipam struct { + Ipam6 Ipam6 `yaml:"ipam6,omitempty"` + Routers map[string]Router `yaml:"routers,omitempty"` +} + +type Ipam6 struct { + Networks map[string]Network6Yaml `yaml:"networks"` +} + +type Network6Yaml struct { + Range string `yaml:"range"` + Hosts map[string]string `yaml:"hosts"` +} + +type Router struct { + As string `yaml:"as,omitempty"` + Peers map[string]Peer `yaml:"peers,omitempty"` +} + +type Peer struct { + As string `yaml:"as"` +} + +func Parse(bs []byte) (Ipam, error) { + var ipam Ipam + err := yaml.Unmarshal(bs, &ipam) + if err != nil { + return Ipam{}, err + } + + return ipam, nil +} diff --git a/utils/main.go b/utils/main.go new file mode 100644 index 0000000..32f9682 --- /dev/null +++ b/utils/main.go @@ -0,0 +1,50 @@ +package main + +import ( + "fmt" + "os" + Ipam "utils/ipam" + "utils/networks" + "utils/routers" +) + +func main() { + if len(os.Args) != 3 { + _, _ = fmt.Fprintf(os.Stderr, "Usage: %s IPAM-FILE PICTURE\n", os.Args[0]) + os.Exit(1) + } + + ipam, err := loadIpam() + if err != nil { + return + } + + if os.Args[1] == "networks" { + err = networks.RunNetworks(ipam) + } else if os.Args[1] == "routers" { + err = routers.RunRouters(ipam) + } else { + _, _ = fmt.Fprintf(os.Stderr, "Unknown command: %s\n", os.Args[2]) + os.Exit(1) + } + + if err != nil { + _, _ = fmt.Fprintf(os.Stderr, "%v\n", err) + os.Exit(1) + } +} + +func loadIpam() (*Ipam.Ipam, error) { + ipamYaml := os.Args[2] + bs, err := os.ReadFile(ipamYaml) + if err != nil { + return nil, err + } + + ipam, err := Ipam.LoadIpam(bs) + if err != nil { + return nil, err + } + + return ipam, nil +} diff --git a/utils/networks/networks.go b/utils/networks/networks.go new file mode 100644 index 0000000..9ecf256 --- /dev/null +++ b/utils/networks/networks.go @@ -0,0 +1,55 @@ +package networks + +import ( + "fmt" + "slices" + Ipam "utils/ipam" +) + +func RunNetworks(ipam *Ipam.Ipam) error { + networks := slices.SortedFunc(slices.Values(ipam.Networks), Ipam.CompareNetwork) + roots := slices.SortedFunc(slices.Values(ipam.FindRoots()), Ipam.CompareNetwork) + + fmt.Printf("digraph {\n") + //fmt.Printf(" layout=dot\n") + //fmt.Printf(" layout=twopi\n") + fmt.Printf(" layout=fdp\n") + //fmt.Printf(" layout=circo\n") + //fmt.Printf(" layout=neato\n") + //fmt.Printf(" ranksep=3\n") + //fmt.Printf(" ratio=auto\n") + //fmt.Printf(" rankdir=LR\n") + //fmt.Printf(" rankdir=RL\n") + fmt.Printf(" rankdir=TB\n") + //fmt.Printf(" sep=3\n") + //fmt.Printf(" overlap_scaling=-10\n") + fmt.Printf("node [len=10];") + fmt.Printf("node [shape=box];") + fmt.Printf("overlap=false") + + fmt.Printf("\n") + fmt.Printf(" # Nodes\n") + for _, n := range networks { + fmt.Printf(" %s [ label = \"%s\\n%s\"];\n", n.Name, n.Name, n.Prefix) + } + + fmt.Printf("\n") + fmt.Printf(" # Roots\n") + for _, n := range roots { + fmt.Printf(" %s [ root = true ];\n", n.Name) + } + + fmt.Printf("\n") + fmt.Printf(" # Relationships\n") + for _, n := range networks { + for _, c := range ipam.Networks { + if c.Parent == n { + fmt.Printf(" %s -> %s", n.Name, c.Name) + fmt.Printf(";\n") + } + } + } + fmt.Printf("}\n") + + return nil +} diff --git a/utils/routers/routers.go b/utils/routers/routers.go new file mode 100644 index 0000000..24d25e3 --- /dev/null +++ b/utils/routers/routers.go @@ -0,0 +1,51 @@ +package routers + +import ( + "fmt" + Ipam "utils/ipam" +) + +func RunRouters(ipam *Ipam.Ipam) error { + routers := ipam.Routers + + fmt.Printf("digraph {\n") + //fmt.Printf(" layout=dot\n") + //fmt.Printf(" layout=twopi\n") + fmt.Printf(" layout=fdp\n") + //fmt.Printf(" layout=circo\n") + //fmt.Printf(" layout=neato\n") + //fmt.Printf(" ranksep=3\n") + //fmt.Printf(" ratio=auto\n") + //fmt.Printf(" rankdir=LR\n") + //fmt.Printf(" rankdir=RL\n") + fmt.Printf(" rankdir=TB\n") + //fmt.Printf(" sep=3\n") + //fmt.Printf(" overlap_scaling=-10\n") + fmt.Printf("node [len=10];") + fmt.Printf("node [shape=box];") + fmt.Printf("overlap=false") + + fmt.Printf("\n") + fmt.Printf(" # Nodes\n") + for _, r := range routers { + fmt.Printf(" %s [ label = \"%s\"];\n", r.Name, r.Name) + } + + fmt.Printf("\n") + fmt.Printf(" # Connections\n") + for _, n := range routers { + fmt.Printf(" %s [ root = true ];\n", n.Name) + } + + fmt.Printf("\n") + fmt.Printf(" # Peers\n") + for _, r := range routers { + for _, p := range r.Peers { + fmt.Printf(" %s -> %s", r.Name, p.Name) + fmt.Printf(";\n") + } + } + fmt.Printf("}\n") + + return nil +} |