-rw-r--r--.tool-versions2
-rw-r--r--ansible/ansible.cfg1
-rw-r--r--tnet/bird-deploy.yml1
-rw-r--r--tnet/bird-gen-password.yml1
-rw-r--r--tnet/group_vars/all/bird.sops.yml46
-rw-r--r--tnet/templates/akili/bird-tnet.conf4
-rw-r--r--tnet/templates/astyanax/bird-tnet.conf4
-rw-r--r--tnet/templates/bird-tnet.conf.j28
-rw-r--r--tnet/templates/conflatorio/bird-tnet.conf4
-rw-r--r--tnet/templates/coregonus/bird-tnet.conf3
-rw-r--r--tnet/templates/hash/bird-tnet.conf7
-rw-r--r--tnet/templates/knot/bird-tnet.conf9
-rw-r--r--tnet/templates/lhn2pi/bird-tnet.conf4
-rw-r--r--tnet/templates/node1/bird-tnet.conf4
-rw-r--r--tnet/templates/node2/bird-tnet.conf4
15 files changed, 81 insertions, 21 deletions
diff --git a/.tool-versions b/.tool-versions
index c269650..120416f 100644
--- a/.tool-versions
+++ b/.tool-versions
@@ -1 +1,3 @@
golang 1.23.2
+sops 3.9.1
+yamlfmt 0.13.0
diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
index 6f2b86b..014f5a6 100644
--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@@ -7,6 +7,7 @@ stdout_callback = debug
vault_password_file = ./.vault-password
roles_path = roles:thirdparty
retry_files_enabled = False
+vars_plugins_enabled = community.sops.sops
[ssh_connection]
pipelining = True
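Review bot: `vars_plugins_enabled` is an allow-list that replaces Ansible's default (`host_group_vars`) rather than extending it, so as written the built-in loader for plain `group_vars/` and `host_vars/` files is switched off and only `*.sops.yml` files would still be read. The community.sops documentation gives the setting as `vars_plugins_enabled = host_group_vars,community.sops.sops`. Worth checking that this repository has no unencrypted group or host vars that silently stopped loading; the rest of this hunk is pre-existing configuration.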
diff --git a/tnet/bird-deploy.yml b/tnet/bird-deploy.yml
index 82f7f39..9759c01 100644
--- a/tnet/bird-deploy.yml
+++ b/tnet/bird-deploy.yml
@@ -23,4 +23,3 @@
systemd:
name: bird
state: reloaded
-
diff --git a/tnet/bird-gen-password.yml b/tnet/bird-gen-password.yml
new file mode 100644
index 0000000..501c5ef
--- /dev/null
+++ b/tnet/bird-gen-password.yml
@@ -0,0 +1 @@
+- tasks:
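Review bot: `- tasks:` on its own is not a runnable play — a play requires `hosts`, and `tasks:` with no value is null — so `ansible-playbook tnet/bird-gen-password.yml` fails before doing anything; this looks like a stub committed ahead of its implementation. If the intent is to mint the per-peer TCP-MD5 passwords that `group_vars/all/bird.sops.yml` stores, the minimum is a localhost play that prints a CSPRNG-backed string of 16–32 characters, which is then added to the sops file with `sops`; a `name:` on the task stating that it only prints and never writes would document the workflow. For example:
```yaml
- hosts: localhost
  gather_facts: false
  tasks:
    - name: Print a fresh BGP TCP-MD5 password (paste it into bird.sops.yml via `sops`)
      ansible.builtin.debug:
        msg: "{{ lookup('ansible.builtin.password', '/dev/null', length=32) }}"
```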
diff --git a/tnet/group_vars/all/bird.sops.yml b/tnet/group_vars/all/bird.sops.yml
new file mode 100644
index 0000000..334634f
--- /dev/null
+++ b/tnet/group_vars/all/bird.sops.yml
@@ -0,0 +1,46 @@
+bgp_password:
+ conflatorio-knot: ENC[AES256_GCM,data:PBE4TnHXDw==,iv:Kj6SnVvwsYUrKt0Vqd76j6IaxufLP0Rf+Bw3i1M/3tI=,tag:9jPWHiqqTHSG8BMQ/k4pEw==,type:str]
+ coregonus-knot: ENC[AES256_GCM,data:WgO2B0FQVQ==,iv:zhaCbX6M7fMMHr63KgIrOcpnI9dmPJLTOlXJVqYkFb0=,tag:Y2H+RjuPGBMUFJJFEeL5Yw==,type:str]
+ hash-knot: ENC[AES256_GCM,data:SI2yYLIepg==,iv:Icky8rMsLQj77zu5vdqCZBWoHiYlNbIwlAvD5m+DH7A=,tag:9PImx9SXYuusNhZeWVPV7g==,type:str]
+ knot-kv24ix: ENC[AES256_GCM,data:z7SG+zuQ7g==,iv:APPjOs+MH9c0xfxmGEMoAQq00i847jGdbpoSkgwbpY0=,tag:jkgb7PlAF/kb50+i+3WEGw==,type:str]
+ knot-lhn2pi: ENC[AES256_GCM,data:k/pQyjnQyA==,iv:oW9t8Pruu/k/qIG6uG8Ex61QHerYhU09Ns0AI8NKkJA=,tag:H0A4jr/hBcGTuKeNV2zB1Q==,type:str]
+ knot-node1: ENC[AES256_GCM,data:rY0x5yu9zw==,iv:TyyhW1IwtkcU2q2y6ACgEqNEqMJ64PyMQ/kkkyCJB8E=,tag:fepqIEhEbrNFUr9f1iOMAQ==,type:str]
+ knot-node2: ENC[AES256_GCM,data:EE/JkIj23g==,iv:Gv1kd+lOFPir3z0TTlRdeOMffCQreBA5HiCHHwOUu+M=,tag:hwmABQCkbvQ6kSVchUZ6+g==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age13wv3rp0varlg4nvt3tca48fq8u9q3mc6yfdekjeapcmc7kaq4dysrzcmv3
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxb2RRcHh2UVN0U0ljeFgr
+ VndTMkRRR0Fzd042R0F5RnZpelZRNmVIcG1jCklHMkFoVjBhb3NrMjB5c3dMcjYv
+ Zkw5c3hIeElQOW54WDJ6a1MySDc2bGMKLS0tIEt3TTdLVkx4UFRCOU5WcWxjbXky
+ b05uMC94dUtxWE1qWHRTbVlubWQ4N1UKcPsMrAWryuaHar6qF/JL40hMkhkGoVsv
+ fj1FGz2xoI1FOtnqU8/LCOZF7ncUjzJS0m2GxiA/WDRLeLSWAi84vg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1mvh832crygenu5tu5njtraraet656rzwnawuasjggvs999dc9ueqj9qclw
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6MEJWVjF4cm04UU44bU9N
+ VEpmVnVDN1VIcm5RVk1VcThqNjFQQ3EzNkdjCnFGcVBMb0NiTzFSUm1qckkzRjNR
+ WEo1ai95L1B2bEpCYnB2blNyOFBwR0kKLS0tIFEyWlRZbUZWdnR0dzVCc0NraHpj
+ OUxUbWp4T1E2TTBTN0NRSDdKaXlJd2cKMwUjax16RyxnQRpxtZDjnrJx7CX06Z37
+ T5GfLprSS4vXGfQkuJTDn7a/v8DfftOBL9ubclIet9cOD8YzIcAiZw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1teasctdpkatekpsa47q58d3ugwyyqcuj5v9udtusk7ca9sfv694sw057a5
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmZEdhUlBEV1FBeGhSNVNG
+ YkQ1dmlieWlVMmMvUERNTnJlcVpmV3lBa0JjCnBJUWJmUmp2d01ZdFRlR3M1ZUI0
+ NHhnMmxYNmlHeFFGbjJnK0w4QU5HenMKLS0tIHd6aUk1NWR2SnFCMENzSGFES0hi
+ VzVzNmtJampuZ2tKQnU3Y3FTZFFhdkUKej0Hy9kOYDqg+8B+slMdGE2Krcvqr4uJ
+ X7GxDCdLV7sllK6OlHe2aQkXb16oT0iGG7N61LCzWBDOfx0hzdyFPA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-10-19T18:22:33Z"
+ mac: ENC[AES256_GCM,data:Gm09oBu15JksqrK3H1TabhshiOShqwZLYFon6aqd8MmNQU0ufItZARU2K32Gu09dmDerE5Kbrq5u5U4fJXDkFRVYcFktIlD5FcCN2DlG7pB9rbpMZEHUt89wMAX6uvFat+66PUbE56Cio3Hlv88sB98VIKSratK2E0mlFB0oqYY=,iv:QaG4djyDGv+bpSz3+q6BTWAZyuUtNSkdG79/HciQlVE=,tag:TZ/qUmvWadnHYW/B00oEmQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.1
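Review bot: `bgp_password` defines seven peer pairs, but the templates in this same commit also look up `akili-hash`, `akili-knot`, `astyanax-hash`, `astyanax-knot`, `conflatorio-hash`, `hash-lhn2pi`, `hash-node1` and `hash-node2`, none of which are present here, so templating akili, astyanax, conflatorio, hash, lhn2pi, node1 and node2 will fail on an undefined dict key at deploy time. Separately, every `data:` payload is 12 base64 characters with two padding bytes, i.e. 7 bytes, and AES-256-GCM ciphertext is the same length as its plaintext, so each password is 7 characters — the same length as the `trygvis` it replaces; whether they are random or hand-picked cannot be seen from the ciphertext. TCP-MD5 (RFC 2385) signatures can be brute-forced offline from a single captured segment, so a 7-character key adds little over none; regenerate them at 16–32 random characters (e.g. `openssl rand -base64 24`) by editing the file through `sops` or `sops --set`. Only the missing entries strictly need adding for the deploy to succeed, but re-keying all of them costs nothing while they are being rolled out for the first time.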
diff --git a/tnet/templates/akili/bird-tnet.conf b/tnet/templates/akili/bird-tnet.conf
index 24c9b8e..d306fcc 100644
--- a/tnet/templates/akili/bird-tnet.conf
+++ b/tnet/templates/akili/bird-tnet.conf
@@ -10,8 +10,6 @@ template bgp tnet_tpl {
direct;
- password "trygvis";
-
ipv6 {
next hop self;
import filter {
@@ -40,9 +38,11 @@ template bgp tnet_tpl {
protocol bgp tnet_hash from tnet_tpl {
neighbor fdb1:4242:3538:ffff:ca85:f812:3935:5fba;
interface "tnet-hash";
+ password "{{ bgp_password['akili-hash'] }}";
}
protocol bgp tnet_knot from tnet_tpl {
neighbor fdb1:4242:3538:ffff:59d7:cf77:8b5d:761a;
interface "tnet-knot";
+ password "{{ bgp_password['akili-knot'] }}";
}
diff --git a/tnet/templates/astyanax/bird-tnet.conf b/tnet/templates/astyanax/bird-tnet.conf
index 3dbf4c9..496cebe 100644
--- a/tnet/templates/astyanax/bird-tnet.conf
+++ b/tnet/templates/astyanax/bird-tnet.conf
@@ -10,8 +10,6 @@ template bgp tnet_tpl {
direct;
- password "trygvis";
-
ipv6 {
next hop self;
import filter {
@@ -40,9 +38,11 @@ template bgp tnet_tpl {
protocol bgp tnet_hash from tnet_tpl {
neighbor fe80:a0fd:89e4:42c6:f617:7398:abf4:b516;
interface "tnet-hash";
+ password "{{ bgp_password['astyanax-hash'] }}";
}
protocol bgp tnet_knot from tnet_tpl {
neighbor fe80:6728:53fc:fc81:40b3:9beb:8336:ba56;
interface "tnet-knot";
+ password "{{ bgp_password['astyanax-knot'] }}";
}
diff --git a/tnet/templates/bird-tnet.conf.j2 b/tnet/templates/bird-tnet.conf.j2
index 2ba456b..1185014 100644
--- a/tnet/templates/bird-tnet.conf.j2
+++ b/tnet/templates/bird-tnet.conf.j2
@@ -10,8 +10,6 @@ template bgp tnet_tpl {
direct;
- password "trygvis";
-
ipv6 {
next hop self;
import filter {
@@ -48,6 +46,12 @@ protocol bgp tnet_{{ p }} from tnet_tpl {
{% else %}
interface "tnet-{{ p }}";
{% endif %}
+{% if inventory_hostname < p %}
+{% set password_var = inventory_hostname + "-" + p %}
+{% else %}
+{% set password_var = p + "-" + inventory_hostname %}
+{% endif %}
+ password "{{ "{{ bgp_password['" + password_var + "'] }}" }}";
{% if peer.rr_client|default(False) %}
rr client;
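Review bot: The four-line `{% if %}`/`{% set %}`/`{% else %}`/`{% set %}` construction of `password_var` is a hand-rolled canonical ordering of the two hostnames; `{% set password_var = ([inventory_hostname, p] | sort) | join('-') %}` yields the same `smaller-larger` key in one line and makes the convention the `bgp_password` dict depends on visible at a glance. A comment stating that convention, e.g. `{# key is "<a>-<b>" with the two names sorted, matching group_vars/all/bird.sops.yml #}`, would spare the next reader from deriving it from the comparison. Note that the emitted line is itself Jinja (the doubled `{{`), so this file appears to generate the per-host `bird-tnet.conf` templates rather than the final BIRD config; the enclosing `protocol bgp tnet_{{ p }}` block starts before this hunk and ends after it.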
diff --git a/tnet/templates/conflatorio/bird-tnet.conf b/tnet/templates/conflatorio/bird-tnet.conf
index 02780a6..4ffcc7f 100644
--- a/tnet/templates/conflatorio/bird-tnet.conf
+++ b/tnet/templates/conflatorio/bird-tnet.conf
@@ -10,8 +10,6 @@ template bgp tnet_tpl {
direct;
- password "trygvis";
-
ipv6 {
next hop self;
import filter {
@@ -40,9 +38,11 @@ template bgp tnet_tpl {
protocol bgp tnet_hash from tnet_tpl {
neighbor fe80:4540:476c:d432:2f32:818b:811b:bb61;
interface "tnet-hash";
+ password "{{ bgp_password['conflatorio-hash'] }}";
}
protocol bgp tnet_knot from tnet_tpl {
neighbor fe80:47fc:0660:b91f:1063:a6ae:46bb:7589;
interface "tnet-knot";
+ password "{{ bgp_password['conflatorio-knot'] }}";
}
diff --git a/tnet/templates/coregonus/bird-tnet.conf b/tnet/templates/coregonus/bird-tnet.conf
index 95ede41..2d2a573 100644
--- a/tnet/templates/coregonus/bird-tnet.conf
+++ b/tnet/templates/coregonus/bird-tnet.conf
@@ -10,8 +10,6 @@ template bgp tnet_tpl {
direct;
- password "trygvis";
-
ipv6 {
next hop self;
import filter {
@@ -40,4 +38,5 @@ template bgp tnet_tpl {
protocol bgp tnet_knot from tnet_tpl {
neighbor fe80:ba82:77f0:f96d:7a85:a7fa:ef6f:37d2;
interface "tnet-knot";
+ password "{{ bgp_password['coregonus-knot'] }}";
}
diff --git a/tnet/templates/hash/bird-tnet.conf b/tnet/templates/hash/bird-tnet.conf
index a570291..d9c52b0 100644
--- a/tnet/templates/hash/bird-tnet.conf
+++ b/tnet/templates/hash/bird-tnet.conf
@@ -10,8 +10,6 @@ template bgp tnet_tpl {
direct;
- password "trygvis";
-
ipv6 {
next hop self;
import filter {
@@ -40,6 +38,7 @@ template bgp tnet_tpl {
protocol bgp tnet_conflatorio from tnet_tpl {
neighbor fe80:4540:476c:d432:2f32:818b:811b:bb60;
interface "tnet-confltrio";
+ password "{{ bgp_password['conflatorio-hash'] }}";
rr client;
}
@@ -47,6 +46,7 @@ protocol bgp tnet_conflatorio from tnet_tpl {
protocol bgp tnet_knot from tnet_tpl {
neighbor fe80:3b20:4cb0:5315:22a:c7de:a45b:8a7c;
interface "tnet-knot";
+ password "{{ bgp_password['hash-knot'] }}";
rr client;
}
@@ -54,6 +54,7 @@ protocol bgp tnet_knot from tnet_tpl {
protocol bgp tnet_lhn2pi from tnet_tpl {
neighbor fe80:6195:1d43:9655:35f7:9dba:798c:26b9;
interface "tnet-lhn2pi";
+ password "{{ bgp_password['hash-lhn2pi'] }}";
rr client;
}
@@ -61,6 +62,7 @@ protocol bgp tnet_lhn2pi from tnet_tpl {
protocol bgp tnet_node1 from tnet_tpl {
neighbor fe80:a026:6ec2:b356:21c5:b51:22b9:a1df;
interface "tnet-node1";
+ password "{{ bgp_password['hash-node1'] }}";
rr client;
}
@@ -68,6 +70,7 @@ protocol bgp tnet_node1 from tnet_tpl {
protocol bgp tnet_node2 from tnet_tpl {
neighbor fe80:a7a6:c1a8:c261:232e:7d67:fc27:7c8d;
interface "tnet-node2";
+ password "{{ bgp_password['hash-node2'] }}";
rr client;
}
diff --git a/tnet/templates/knot/bird-tnet.conf b/tnet/templates/knot/bird-tnet.conf
index f21be09..699c0f2 100644
--- a/tnet/templates/knot/bird-tnet.conf
+++ b/tnet/templates/knot/bird-tnet.conf
@@ -10,8 +10,6 @@ template bgp tnet_tpl {
direct;
- password "trygvis";
-
ipv6 {
next hop self;
import filter {
@@ -40,6 +38,7 @@ template bgp tnet_tpl {
protocol bgp tnet_conflatorio from tnet_tpl {
neighbor fe80:47fc:660:b91f:1063:a6ae:46bb:7588;
interface "tnet-confltrio";
+ password "{{ bgp_password['conflatorio-knot'] }}";
rr client;
}
@@ -47,6 +46,7 @@ protocol bgp tnet_conflatorio from tnet_tpl {
protocol bgp tnet_coregonus from tnet_tpl {
neighbor fe80:ba82:77f0:f96d:7a85:a7fa:ef6f:37d3;
interface "tnet-coregonus";
+ password "{{ bgp_password['coregonus-knot'] }}";
rr client;
}
@@ -54,6 +54,7 @@ protocol bgp tnet_coregonus from tnet_tpl {
protocol bgp tnet_hash from tnet_tpl {
neighbor fe80:3b20:4cb0:5315:22a:c7de:a45b:8a7d;
interface "tnet-hash";
+ password "{{ bgp_password['hash-knot'] }}";
rr client;
}
@@ -61,6 +62,7 @@ protocol bgp tnet_hash from tnet_tpl {
protocol bgp tnet_kv24ix from tnet_tpl {
neighbor fe80:fef1:078a:5b64:efd3:ae7b:d286:d7cf;
interface "tnet-kv24ix";
+ password "{{ bgp_password['knot-kv24ix'] }}";
rr client;
}
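Review bot: `knot-kv24ix` is the only pair whose other end is not re-templated in this commit — there is no change under `tnet/templates/kv24ix/` — so after `bird-deploy.yml` reloads knot, the kv24ix session will only come up if kv24ix's config already carries the identical password rather than the old template-level `trygvis` (or none at all). If kv24ix is managed from this repository, add the matching `password "{{ bgp_password['knot-kv24ix'] }}";` on its side in the same deploy; if it is not, the key has to be communicated out of band before this is rolled out. `protocol bgp tnet_kv24ix` is fully inside the hunk; the `tnet_tpl` template it inherits from is not.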
@@ -68,6 +70,7 @@ protocol bgp tnet_kv24ix from tnet_tpl {
protocol bgp tnet_lhn2pi from tnet_tpl {
neighbor fe80:d83a:350b:2162:6eda:1cc1:9cd7:80e9;
interface "tnet-lhn2pi";
+ password "{{ bgp_password['knot-lhn2pi'] }}";
rr client;
}
@@ -75,6 +78,7 @@ protocol bgp tnet_lhn2pi from tnet_tpl {
protocol bgp tnet_node1 from tnet_tpl {
neighbor fe80:58eb:3930:1815:2a6d:8918:70c9:96f3;
interface "tnet-node1";
+ password "{{ bgp_password['knot-node1'] }}";
rr client;
}
@@ -82,6 +86,7 @@ protocol bgp tnet_node1 from tnet_tpl {
protocol bgp tnet_node2 from tnet_tpl {
neighbor fe80:9dd8:abac:cf05:aea3:dc03:4c74:32db;
interface "tnet-node2";
+ password "{{ bgp_password['knot-node2'] }}";
rr client;
}
diff --git a/tnet/templates/lhn2pi/bird-tnet.conf b/tnet/templates/lhn2pi/bird-tnet.conf
index 9f0ef8c..f755c3b 100644
--- a/tnet/templates/lhn2pi/bird-tnet.conf
+++ b/tnet/templates/lhn2pi/bird-tnet.conf
@@ -10,8 +10,6 @@ template bgp tnet_tpl {
direct;
- password "trygvis";
-
ipv6 {
next hop self;
import filter {
@@ -40,9 +38,11 @@ template bgp tnet_tpl {
protocol bgp tnet_hash from tnet_tpl {
neighbor fe80:6195:1d43:9655:35f7:9dba:798c:26b8;
interface "tnet-hash";
+ password "{{ bgp_password['hash-lhn2pi'] }}";
}
protocol bgp tnet_knot from tnet_tpl {
neighbor fe80:d83a:350b:2162:6eda:1cc1:9cd7:80e8;
interface "tnet-knot";
+ password "{{ bgp_password['knot-lhn2pi'] }}";
}
diff --git a/tnet/templates/node1/bird-tnet.conf b/tnet/templates/node1/bird-tnet.conf
index 6449582..bafb6de 100644
--- a/tnet/templates/node1/bird-tnet.conf
+++ b/tnet/templates/node1/bird-tnet.conf
@@ -10,8 +10,6 @@ template bgp tnet_tpl {
direct;
- password "trygvis";
-
ipv6 {
next hop self;
import filter {
@@ -40,9 +38,11 @@ template bgp tnet_tpl {
protocol bgp tnet_hash from tnet_tpl {
neighbor fe80:a026:6ec2:b356:21c5:b51:22b9:a1de;
interface "tnet-hash";
+ password "{{ bgp_password['hash-node1'] }}";
}
protocol bgp tnet_knot from tnet_tpl {
neighbor fe80:58eb:3930:1815:2a6d:8918:70c9:96f2;
interface "tnet-knot";
+ password "{{ bgp_password['knot-node1'] }}";
}
diff --git a/tnet/templates/node2/bird-tnet.conf b/tnet/templates/node2/bird-tnet.conf
index b9a2294..8a7b887 100644
--- a/tnet/templates/node2/bird-tnet.conf
+++ b/tnet/templates/node2/bird-tnet.conf
@@ -10,8 +10,6 @@ template bgp tnet_tpl {
direct;
- password "trygvis";
-
ipv6 {
next hop self;
import filter {
@@ -40,9 +38,11 @@ template bgp tnet_tpl {
protocol bgp tnet_hash from tnet_tpl {
neighbor fe80:a7a6:c1a8:c261:232e:7d67:fc27:7c8c;
interface "tnet-hash";
+ password "{{ bgp_password['hash-node2'] }}";
}
protocol bgp tnet_knot from tnet_tpl {
neighbor fe80:9dd8:abac:cf05:aea3:dc03:4c74:32da;
interface "tnet-knot";
+ password "{{ bgp_password['knot-node2'] }}";
}