diff options
-rw-r--r-- | .tool-versions | 2 | ||||
-rw-r--r-- | ansible/ansible.cfg | 1 | ||||
-rw-r--r-- | tnet/bird-deploy.yml | 1 | ||||
-rw-r--r-- | tnet/bird-gen-password.yml | 1 | ||||
-rw-r--r-- | tnet/group_vars/all/bird.sops.yml | 46 | ||||
-rw-r--r-- | tnet/templates/akili/bird-tnet.conf | 4 | ||||
-rw-r--r-- | tnet/templates/astyanax/bird-tnet.conf | 4 | ||||
-rw-r--r-- | tnet/templates/bird-tnet.conf.j2 | 8 | ||||
-rw-r--r-- | tnet/templates/conflatorio/bird-tnet.conf | 4 | ||||
-rw-r--r-- | tnet/templates/coregonus/bird-tnet.conf | 3 | ||||
-rw-r--r-- | tnet/templates/hash/bird-tnet.conf | 7 | ||||
-rw-r--r-- | tnet/templates/knot/bird-tnet.conf | 9 | ||||
-rw-r--r-- | tnet/templates/lhn2pi/bird-tnet.conf | 4 | ||||
-rw-r--r-- | tnet/templates/node1/bird-tnet.conf | 4 | ||||
-rw-r--r-- | tnet/templates/node2/bird-tnet.conf | 4 |
15 files changed, 81 insertions, 21 deletions
diff --git a/.tool-versions b/.tool-versions index c269650..120416f 100644 --- a/.tool-versions +++ b/.tool-versions @@ -1 +1,3 @@ golang 1.23.2 +sops 3.9.1 +yamlfmt 0.13.0 diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg index 6f2b86b..014f5a6 100644 --- a/ansible/ansible.cfg +++ b/ansible/ansible.cfg @@ -7,6 +7,7 @@ stdout_callback = debug vault_password_file = ./.vault-password roles_path = roles:thirdparty retry_files_enabled = False +vars_plugins_enabled = community.sops.sops [ssh_connection] pipelining = True diff --git a/tnet/bird-deploy.yml b/tnet/bird-deploy.yml index 82f7f39..9759c01 100644 --- a/tnet/bird-deploy.yml +++ b/tnet/bird-deploy.yml @@ -23,4 +23,3 @@ systemd: name: bird state: reloaded - diff --git a/tnet/bird-gen-password.yml b/tnet/bird-gen-password.yml new file mode 100644 index 0000000..501c5ef --- /dev/null +++ b/tnet/bird-gen-password.yml @@ -0,0 +1 @@ +- tasks: diff --git a/tnet/group_vars/all/bird.sops.yml b/tnet/group_vars/all/bird.sops.yml new file mode 100644 index 0000000..334634f --- /dev/null +++ b/tnet/group_vars/all/bird.sops.yml @@ -0,0 +1,46 @@ +bgp_password: + conflatorio-knot: ENC[AES256_GCM,data:PBE4TnHXDw==,iv:Kj6SnVvwsYUrKt0Vqd76j6IaxufLP0Rf+Bw3i1M/3tI=,tag:9jPWHiqqTHSG8BMQ/k4pEw==,type:str] + coregonus-knot: ENC[AES256_GCM,data:WgO2B0FQVQ==,iv:zhaCbX6M7fMMHr63KgIrOcpnI9dmPJLTOlXJVqYkFb0=,tag:Y2H+RjuPGBMUFJJFEeL5Yw==,type:str] + hash-knot: ENC[AES256_GCM,data:SI2yYLIepg==,iv:Icky8rMsLQj77zu5vdqCZBWoHiYlNbIwlAvD5m+DH7A=,tag:9PImx9SXYuusNhZeWVPV7g==,type:str] + knot-kv24ix: ENC[AES256_GCM,data:z7SG+zuQ7g==,iv:APPjOs+MH9c0xfxmGEMoAQq00i847jGdbpoSkgwbpY0=,tag:jkgb7PlAF/kb50+i+3WEGw==,type:str] + knot-lhn2pi: ENC[AES256_GCM,data:k/pQyjnQyA==,iv:oW9t8Pruu/k/qIG6uG8Ex61QHerYhU09Ns0AI8NKkJA=,tag:H0A4jr/hBcGTuKeNV2zB1Q==,type:str] + knot-node1: ENC[AES256_GCM,data:rY0x5yu9zw==,iv:TyyhW1IwtkcU2q2y6ACgEqNEqMJ64PyMQ/kkkyCJB8E=,tag:fepqIEhEbrNFUr9f1iOMAQ==,type:str] + knot-node2: ENC[AES256_GCM,data:EE/JkIj23g==,iv:Gv1kd+lOFPir3z0TTlRdeOMffCQreBA5HiCHHwOUu+M=,tag:hwmABQCkbvQ6kSVchUZ6+g==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age13wv3rp0varlg4nvt3tca48fq8u9q3mc6yfdekjeapcmc7kaq4dysrzcmv3 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxb2RRcHh2UVN0U0ljeFgr + VndTMkRRR0Fzd042R0F5RnZpelZRNmVIcG1jCklHMkFoVjBhb3NrMjB5c3dMcjYv + Zkw5c3hIeElQOW54WDJ6a1MySDc2bGMKLS0tIEt3TTdLVkx4UFRCOU5WcWxjbXky + b05uMC94dUtxWE1qWHRTbVlubWQ4N1UKcPsMrAWryuaHar6qF/JL40hMkhkGoVsv + fj1FGz2xoI1FOtnqU8/LCOZF7ncUjzJS0m2GxiA/WDRLeLSWAi84vg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1mvh832crygenu5tu5njtraraet656rzwnawuasjggvs999dc9ueqj9qclw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6MEJWVjF4cm04UU44bU9N + VEpmVnVDN1VIcm5RVk1VcThqNjFQQ3EzNkdjCnFGcVBMb0NiTzFSUm1qckkzRjNR + WEo1ai95L1B2bEpCYnB2blNyOFBwR0kKLS0tIFEyWlRZbUZWdnR0dzVCc0NraHpj + OUxUbWp4T1E2TTBTN0NRSDdKaXlJd2cKMwUjax16RyxnQRpxtZDjnrJx7CX06Z37 + T5GfLprSS4vXGfQkuJTDn7a/v8DfftOBL9ubclIet9cOD8YzIcAiZw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1teasctdpkatekpsa47q58d3ugwyyqcuj5v9udtusk7ca9sfv694sw057a5 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmZEdhUlBEV1FBeGhSNVNG + YkQ1dmlieWlVMmMvUERNTnJlcVpmV3lBa0JjCnBJUWJmUmp2d01ZdFRlR3M1ZUI0 + NHhnMmxYNmlHeFFGbjJnK0w4QU5HenMKLS0tIHd6aUk1NWR2SnFCMENzSGFES0hi + VzVzNmtJampuZ2tKQnU3Y3FTZFFhdkUKej0Hy9kOYDqg+8B+slMdGE2Krcvqr4uJ + X7GxDCdLV7sllK6OlHe2aQkXb16oT0iGG7N61LCzWBDOfx0hzdyFPA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-10-19T18:22:33Z" + mac: ENC[AES256_GCM,data:Gm09oBu15JksqrK3H1TabhshiOShqwZLYFon6aqd8MmNQU0ufItZARU2K32Gu09dmDerE5Kbrq5u5U4fJXDkFRVYcFktIlD5FcCN2DlG7pB9rbpMZEHUt89wMAX6uvFat+66PUbE56Cio3Hlv88sB98VIKSratK2E0mlFB0oqYY=,iv:QaG4djyDGv+bpSz3+q6BTWAZyuUtNSkdG79/HciQlVE=,tag:TZ/qUmvWadnHYW/B00oEmQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/tnet/templates/akili/bird-tnet.conf b/tnet/templates/akili/bird-tnet.conf index 24c9b8e..d306fcc 100644 --- a/tnet/templates/akili/bird-tnet.conf +++ b/tnet/templates/akili/bird-tnet.conf @@ -10,8 +10,6 @@ template bgp tnet_tpl { direct; - password "trygvis"; - ipv6 { next hop self; import filter { @@ -40,9 +38,11 @@ template bgp tnet_tpl { protocol bgp tnet_hash from tnet_tpl { neighbor fdb1:4242:3538:ffff:ca85:f812:3935:5fba; interface "tnet-hash"; + password "{{ bgp_password['akili-hash'] }}"; } protocol bgp tnet_knot from tnet_tpl { neighbor fdb1:4242:3538:ffff:59d7:cf77:8b5d:761a; interface "tnet-knot"; + password "{{ bgp_password['akili-knot'] }}"; } diff --git a/tnet/templates/astyanax/bird-tnet.conf b/tnet/templates/astyanax/bird-tnet.conf index 3dbf4c9..496cebe 100644 --- a/tnet/templates/astyanax/bird-tnet.conf +++ b/tnet/templates/astyanax/bird-tnet.conf @@ -10,8 +10,6 @@ template bgp tnet_tpl { direct; - password "trygvis"; - ipv6 { next hop self; import filter { @@ -40,9 +38,11 @@ template bgp tnet_tpl { protocol bgp tnet_hash from tnet_tpl { neighbor fe80:a0fd:89e4:42c6:f617:7398:abf4:b516; interface "tnet-hash"; + password "{{ bgp_password['astyanax-hash'] }}"; } protocol bgp tnet_knot from tnet_tpl { neighbor fe80:6728:53fc:fc81:40b3:9beb:8336:ba56; interface "tnet-knot"; + password "{{ bgp_password['astyanax-knot'] }}"; } diff --git a/tnet/templates/bird-tnet.conf.j2 b/tnet/templates/bird-tnet.conf.j2 index 2ba456b..1185014 100644 --- a/tnet/templates/bird-tnet.conf.j2 +++ b/tnet/templates/bird-tnet.conf.j2 @@ -10,8 +10,6 @@ template bgp tnet_tpl { direct; - password "trygvis"; - ipv6 { next hop self; import filter { @@ -48,6 +46,12 @@ protocol bgp tnet_{{ p }} from tnet_tpl { {% else %} interface "tnet-{{ p }}"; {% endif %} +{% if inventory_hostname < p %} +{% set password_var = inventory_hostname + "-" + p %} +{% else %} +{% set password_var = p + "-" + inventory_hostname %} +{% endif %} + password "{{ "{{ bgp_password['" + password_var + "'] }}" }}"; {% if peer.rr_client|default(False) %} rr client; diff --git a/tnet/templates/conflatorio/bird-tnet.conf b/tnet/templates/conflatorio/bird-tnet.conf index 02780a6..4ffcc7f 100644 --- a/tnet/templates/conflatorio/bird-tnet.conf +++ b/tnet/templates/conflatorio/bird-tnet.conf @@ -10,8 +10,6 @@ template bgp tnet_tpl { direct; - password "trygvis"; - ipv6 { next hop self; import filter { @@ -40,9 +38,11 @@ template bgp tnet_tpl { protocol bgp tnet_hash from tnet_tpl { neighbor fe80:4540:476c:d432:2f32:818b:811b:bb61; interface "tnet-hash"; + password "{{ bgp_password['conflatorio-hash'] }}"; } protocol bgp tnet_knot from tnet_tpl { neighbor fe80:47fc:0660:b91f:1063:a6ae:46bb:7589; interface "tnet-knot"; + password "{{ bgp_password['conflatorio-knot'] }}"; } diff --git a/tnet/templates/coregonus/bird-tnet.conf b/tnet/templates/coregonus/bird-tnet.conf index 95ede41..2d2a573 100644 --- a/tnet/templates/coregonus/bird-tnet.conf +++ b/tnet/templates/coregonus/bird-tnet.conf @@ -10,8 +10,6 @@ template bgp tnet_tpl { direct; - password "trygvis"; - ipv6 { next hop self; import filter { @@ -40,4 +38,5 @@ template bgp tnet_tpl { protocol bgp tnet_knot from tnet_tpl { neighbor fe80:ba82:77f0:f96d:7a85:a7fa:ef6f:37d2; interface "tnet-knot"; + password "{{ bgp_password['coregonus-knot'] }}"; } diff --git a/tnet/templates/hash/bird-tnet.conf b/tnet/templates/hash/bird-tnet.conf index a570291..d9c52b0 100644 --- a/tnet/templates/hash/bird-tnet.conf +++ b/tnet/templates/hash/bird-tnet.conf @@ -10,8 +10,6 @@ template bgp tnet_tpl { direct; - password "trygvis"; - ipv6 { next hop self; import filter { @@ -40,6 +38,7 @@ template bgp tnet_tpl { protocol bgp tnet_conflatorio from tnet_tpl { neighbor fe80:4540:476c:d432:2f32:818b:811b:bb60; interface "tnet-confltrio"; + password "{{ bgp_password['conflatorio-hash'] }}"; rr client; } @@ -47,6 +46,7 @@ protocol bgp tnet_conflatorio from tnet_tpl { protocol bgp tnet_knot from tnet_tpl { neighbor fe80:3b20:4cb0:5315:22a:c7de:a45b:8a7c; interface "tnet-knot"; + password "{{ bgp_password['hash-knot'] }}"; rr client; } @@ -54,6 +54,7 @@ protocol bgp tnet_knot from tnet_tpl { protocol bgp tnet_lhn2pi from tnet_tpl { neighbor fe80:6195:1d43:9655:35f7:9dba:798c:26b9; interface "tnet-lhn2pi"; + password "{{ bgp_password['hash-lhn2pi'] }}"; rr client; } @@ -61,6 +62,7 @@ protocol bgp tnet_lhn2pi from tnet_tpl { protocol bgp tnet_node1 from tnet_tpl { neighbor fe80:a026:6ec2:b356:21c5:b51:22b9:a1df; interface "tnet-node1"; + password "{{ bgp_password['hash-node1'] }}"; rr client; } @@ -68,6 +70,7 @@ protocol bgp tnet_node1 from tnet_tpl { protocol bgp tnet_node2 from tnet_tpl { neighbor fe80:a7a6:c1a8:c261:232e:7d67:fc27:7c8d; interface "tnet-node2"; + password "{{ bgp_password['hash-node2'] }}"; rr client; } diff --git a/tnet/templates/knot/bird-tnet.conf b/tnet/templates/knot/bird-tnet.conf index f21be09..699c0f2 100644 --- a/tnet/templates/knot/bird-tnet.conf +++ b/tnet/templates/knot/bird-tnet.conf @@ -10,8 +10,6 @@ template bgp tnet_tpl { direct; - password "trygvis"; - ipv6 { next hop self; import filter { @@ -40,6 +38,7 @@ template bgp tnet_tpl { protocol bgp tnet_conflatorio from tnet_tpl { neighbor fe80:47fc:660:b91f:1063:a6ae:46bb:7588; interface "tnet-confltrio"; + password "{{ bgp_password['conflatorio-knot'] }}"; rr client; } @@ -47,6 +46,7 @@ protocol bgp tnet_conflatorio from tnet_tpl { protocol bgp tnet_coregonus from tnet_tpl { neighbor fe80:ba82:77f0:f96d:7a85:a7fa:ef6f:37d3; interface "tnet-coregonus"; + password "{{ bgp_password['coregonus-knot'] }}"; rr client; } @@ -54,6 +54,7 @@ protocol bgp tnet_coregonus from tnet_tpl { protocol bgp tnet_hash from tnet_tpl { neighbor fe80:3b20:4cb0:5315:22a:c7de:a45b:8a7d; interface "tnet-hash"; + password "{{ bgp_password['hash-knot'] }}"; rr client; } @@ -61,6 +62,7 @@ protocol bgp tnet_hash from tnet_tpl { protocol bgp tnet_kv24ix from tnet_tpl { neighbor fe80:fef1:078a:5b64:efd3:ae7b:d286:d7cf; interface "tnet-kv24ix"; + password "{{ bgp_password['knot-kv24ix'] }}"; rr client; } @@ -68,6 +70,7 @@ protocol bgp tnet_kv24ix from tnet_tpl { protocol bgp tnet_lhn2pi from tnet_tpl { neighbor fe80:d83a:350b:2162:6eda:1cc1:9cd7:80e9; interface "tnet-lhn2pi"; + password "{{ bgp_password['knot-lhn2pi'] }}"; rr client; } @@ -75,6 +78,7 @@ protocol bgp tnet_lhn2pi from tnet_tpl { protocol bgp tnet_node1 from tnet_tpl { neighbor fe80:58eb:3930:1815:2a6d:8918:70c9:96f3; interface "tnet-node1"; + password "{{ bgp_password['knot-node1'] }}"; rr client; } @@ -82,6 +86,7 @@ protocol bgp tnet_node1 from tnet_tpl { protocol bgp tnet_node2 from tnet_tpl { neighbor fe80:9dd8:abac:cf05:aea3:dc03:4c74:32db; interface "tnet-node2"; + password "{{ bgp_password['knot-node2'] }}"; rr client; } diff --git a/tnet/templates/lhn2pi/bird-tnet.conf b/tnet/templates/lhn2pi/bird-tnet.conf index 9f0ef8c..f755c3b 100644 --- a/tnet/templates/lhn2pi/bird-tnet.conf +++ b/tnet/templates/lhn2pi/bird-tnet.conf @@ -10,8 +10,6 @@ template bgp tnet_tpl { direct; - password "trygvis"; - ipv6 { next hop self; import filter { @@ -40,9 +38,11 @@ template bgp tnet_tpl { protocol bgp tnet_hash from tnet_tpl { neighbor fe80:6195:1d43:9655:35f7:9dba:798c:26b8; interface "tnet-hash"; + password "{{ bgp_password['hash-lhn2pi'] }}"; } protocol bgp tnet_knot from tnet_tpl { neighbor fe80:d83a:350b:2162:6eda:1cc1:9cd7:80e8; interface "tnet-knot"; + password "{{ bgp_password['knot-lhn2pi'] }}"; } diff --git a/tnet/templates/node1/bird-tnet.conf b/tnet/templates/node1/bird-tnet.conf index 6449582..bafb6de 100644 --- a/tnet/templates/node1/bird-tnet.conf +++ b/tnet/templates/node1/bird-tnet.conf @@ -10,8 +10,6 @@ template bgp tnet_tpl { direct; - password "trygvis"; - ipv6 { next hop self; import filter { @@ -40,9 +38,11 @@ template bgp tnet_tpl { protocol bgp tnet_hash from tnet_tpl { neighbor fe80:a026:6ec2:b356:21c5:b51:22b9:a1de; interface "tnet-hash"; + password "{{ bgp_password['hash-node1'] }}"; } protocol bgp tnet_knot from tnet_tpl { neighbor fe80:58eb:3930:1815:2a6d:8918:70c9:96f2; interface "tnet-knot"; + password "{{ bgp_password['knot-node1'] }}"; } diff --git a/tnet/templates/node2/bird-tnet.conf b/tnet/templates/node2/bird-tnet.conf index b9a2294..8a7b887 100644 --- a/tnet/templates/node2/bird-tnet.conf +++ b/tnet/templates/node2/bird-tnet.conf @@ -10,8 +10,6 @@ template bgp tnet_tpl { direct; - password "trygvis"; - ipv6 { next hop self; import filter { @@ -40,9 +38,11 @@ template bgp tnet_tpl { protocol bgp tnet_hash from tnet_tpl { neighbor fe80:a7a6:c1a8:c261:232e:7d67:fc27:7c8c; interface "tnet-hash"; + password "{{ bgp_password['hash-node2'] }}"; } protocol bgp tnet_knot from tnet_tpl { neighbor fe80:9dd8:abac:cf05:aea3:dc03:4c74:32da; interface "tnet-knot"; + password "{{ bgp_password['knot-node2'] }}"; } |