Diffstat (limited to 'tnet')
-rw-r--r-- | tnet/bird-deploy.yml | 5 | ||||
-rw-r--r-- | tnet/bird-gen-password.yml | 1 | ||||
-rw-r--r-- | tnet/bird-gen.yml | 17 | ||||
-rw-r--r-- | tnet/files/lhn2pi/bird-tnet.conf | 38 | ||||
-rw-r--r-- | tnet/group_vars/all/bird.sops.yml | 46 | ||||
-rw-r--r-- | tnet/host_vars/hash/bird.yml | 2 | ||||
-rw-r--r-- | tnet/host_vars/knot/wg.yml | 3 | ||||
-rw-r--r-- | tnet/host_vars/lhn2pi/bird.yml | 8 | ||||
-rw-r--r-- | tnet/host_vars/lhn2pi/wg.yml | 3 | ||||
-rw-r--r-- | tnet/templates/akili/bird-tnet-pre.conf (renamed from tnet/files/akili/bird-tnet-pre.conf) | 0 | ||||
-rw-r--r-- | tnet/templates/akili/bird-tnet.conf (renamed from tnet/files/akili/bird-tnet.conf) | 4 | ||||
-rw-r--r-- | tnet/templates/astyanax/bird-tnet-pre.conf (renamed from tnet/files/astyanax/bird-tnet-pre.conf) | 0 | ||||
-rw-r--r-- | tnet/templates/astyanax/bird-tnet.conf (renamed from tnet/files/astyanax/bird-tnet.conf) | 4 | ||||
-rw-r--r-- | tnet/templates/bird-tnet.conf.j2 | 8 | ||||
-rw-r--r-- | tnet/templates/conflatorio/bird-tnet-pre.conf (renamed from tnet/files/conflatorio/bird-tnet-pre.conf) | 0 | ||||
-rw-r--r-- | tnet/templates/conflatorio/bird-tnet.conf (renamed from tnet/files/conflatorio/bird-tnet.conf) | 4 | ||||
-rw-r--r-- | tnet/templates/coregonus/bird-tnet-pre.conf (renamed from tnet/files/coregonus/bird-tnet-pre.conf) | 0 | ||||
-rw-r--r-- | tnet/templates/coregonus/bird-tnet.conf (renamed from tnet/files/coregonus/bird-tnet.conf) | 3 | ||||
-rw-r--r-- | tnet/templates/hash/bird-tnet-pre.conf (renamed from tnet/files/hash/bird-tnet-pre.conf) | 0 | ||||
-rw-r--r-- | tnet/templates/hash/bird-tnet.conf (renamed from tnet/files/hash/bird-tnet.conf) | 14 | ||||
-rw-r--r-- | tnet/templates/knot/bird-tnet-pre.conf (renamed from tnet/files/knot/bird-tnet-pre.conf) | 0 | ||||
-rw-r--r-- | tnet/templates/knot/bird-tnet.conf (renamed from tnet/files/knot/bird-tnet.conf) | 11 | ||||
-rw-r--r-- | tnet/templates/lhn2pi/bird-tnet-pre.conf (renamed from tnet/files/lhn2pi/bird-tnet-pre.conf) | 0 | ||||
-rw-r--r-- | tnet/templates/lhn2pi/bird-tnet.conf | 48 | ||||
-rw-r--r-- | tnet/templates/node1/bird-tnet-pre.conf (renamed from tnet/files/node1/bird-tnet-pre.conf) | 0 | ||||
-rw-r--r-- | tnet/templates/node1/bird-tnet.conf (renamed from tnet/files/node1/bird-tnet.conf) | 4 | ||||
-rw-r--r-- | tnet/templates/node2/bird-tnet-pre.conf (renamed from tnet/files/node2/bird-tnet-pre.conf) | 0 | ||||
-rw-r--r-- | tnet/templates/node2/bird-tnet.conf (renamed from tnet/files/node2/bird-tnet.conf) | 4 |
28 files changed, 147 insertions, 80 deletions
diff --git a/tnet/bird-deploy.yml b/tnet/bird-deploy.yml index ed7cecf..9759c01 100644 --- a/tnet/bird-deploy.yml +++ b/tnet/bird-deploy.yml @@ -1,9 +1,9 @@ - hosts: tnet_bird tasks: - become: yes - copy: - dest: "/etc/bird/{{ item }}" + template: src: "{{ inventory_hostname }}/{{ item }}" + dest: "/etc/bird/{{ item }}" owner: bird group: bird mode: 0640 @@ -23,4 +23,3 @@ systemd: name: bird state: reloaded - diff --git a/tnet/bird-gen-password.yml b/tnet/bird-gen-password.yml new file mode 100644 index 0000000..501c5ef --- /dev/null +++ b/tnet/bird-gen-password.yml @@ -0,0 +1 @@ +- tasks: diff --git a/tnet/bird-gen.yml b/tnet/bird-gen.yml index 9fa71b1..74a83b1 100644 --- a/tnet/bird-gen.yml +++ b/tnet/bird-gen.yml @@ -1,25 +1,16 @@ -- name: Remove old configuration - hosts: localhost - connection: local - gather_facts: False - tasks: - - file: - path: files - state: absent - changed_when: False - - name: Generate Bird configuration hosts: tnet_bird connection: local gather_facts: False tasks: - - file: + - name: rmdir files/$hostname + file: path: files/{{ inventory_hostname }} - state: directory + state: absent changed_when: False - template: src: "{{ item }}.j2" - dest: "files/{{ inventory_hostname }}/{{ item }}" + dest: "templates/{{ inventory_hostname }}/{{ item }}" loop: - bird-tnet-pre.conf - bird-tnet.conf diff --git a/tnet/files/lhn2pi/bird-tnet.conf b/tnet/files/lhn2pi/bird-tnet.conf deleted file mode 100644 index a4498cd..0000000 --- a/tnet/files/lhn2pi/bird-tnet.conf +++ /dev/null 
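Review bot: Switching this task from `copy:` to `template:` means the rendered `/etc/bird/{{ item }}` files now contain the decrypted `bgp_password` values, and the task will print them in the clear whenever the play runs with `--diff`. Adding `diff: false` to the task, or `no_log: true` if the per-item output is not needed, keeps the secrets out of terminals and CI logs. The existing `owner: bird`, `group: bird`, `mode: 0640` is appropriate now that the file holds secrets. The task continues past the end of the hunk, so its loop and any handler are not covered here.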
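Review bot: The new `bird-gen-password.yml` is a single play with an empty `tasks:` and no `hosts:` key, so `ansible-playbook` will reject it if anyone runs it. If it is a placeholder, say so in the file, e.g. `# TODO: placeholder, not runnable yet - generate one BGP password per peer pair and store it via sops`. When the generator is written, it should produce a long random value per pair and write it through sops rather than to a plain-text file.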
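Review bot: Nothing visible creates `templates/{{ inventory_hostname }}` any more: the `file:` task that used to ensure the output directory (`state: directory`) now only removes `files/{{ inventory_hostname }}`, while the template `dest` moved to `templates/{{ inventory_hostname }}/{{ item }}`. A host without an existing directory, such as a new inventory entry, would presumably fail at the template task; a `file:` task with `path: "templates/{{ inventory_hostname }}"` and `state: directory` ahead of it would restore that guarantee. With the "Remove old configuration" play gone, stale output under `templates/<host>/` is also never cleaned, so a host dropped from the inventory keeps a deployable config on disk.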
@@ -1,38 +0,0 @@ -# Set to true if this peer is directly connected to a dn42 peer -define is_dn42_peer = true; -# If we are connected directly to dn42, we don't want the dn42 routes from others -define import_dn42 = !is_dn42_peer; -define export_dn42 = is_dn42_peer; - -template bgp tnet_tpl { - local as 4242423538; - neighbor internal; - - direct; - - password "trygvis"; - - ipv6 { - next hop self; - import filter { - if is_tnet() then { - accept proto, ": (tnet) import accept, net=", net, ", from=", from, ", gw=", gw; - } else if import_dn42 && dn42_is_valid_network() then { - accept proto, ": (dn42) import accept, net=", net, ", from=", from, ", gw=", gw; - } else { - reject proto, ": import reject, reason=not tnet"; - } - }; - # newer bird's only - # import keep filtered; - export filter { - if is_tnet() then { - accept proto, ": (tnet) export accept, net=", net, ", from=", from, ", gw=", gw; - } else if export_dn42 && dn42_is_valid_network() then { - accept proto, ": (dn42) import accept, net=", net, ", from=", from, ", gw=", gw; - } else { - reject proto, ": export reject, reason=not tnet"; - } - }; - }; -} diff --git a/tnet/group_vars/all/bird.sops.yml b/tnet/group_vars/all/bird.sops.yml new file mode 100644 index 0000000..334634f --- /dev/null +++ b/tnet/group_vars/all/bird.sops.yml 
@@ -0,0 +1,46 @@ +bgp_password: + conflatorio-knot: ENC[AES256_GCM,data:PBE4TnHXDw==,iv:Kj6SnVvwsYUrKt0Vqd76j6IaxufLP0Rf+Bw3i1M/3tI=,tag:9jPWHiqqTHSG8BMQ/k4pEw==,type:str] + coregonus-knot: ENC[AES256_GCM,data:WgO2B0FQVQ==,iv:zhaCbX6M7fMMHr63KgIrOcpnI9dmPJLTOlXJVqYkFb0=,tag:Y2H+RjuPGBMUFJJFEeL5Yw==,type:str] + hash-knot: ENC[AES256_GCM,data:SI2yYLIepg==,iv:Icky8rMsLQj77zu5vdqCZBWoHiYlNbIwlAvD5m+DH7A=,tag:9PImx9SXYuusNhZeWVPV7g==,type:str] + knot-kv24ix: ENC[AES256_GCM,data:z7SG+zuQ7g==,iv:APPjOs+MH9c0xfxmGEMoAQq00i847jGdbpoSkgwbpY0=,tag:jkgb7PlAF/kb50+i+3WEGw==,type:str] + knot-lhn2pi: ENC[AES256_GCM,data:k/pQyjnQyA==,iv:oW9t8Pruu/k/qIG6uG8Ex61QHerYhU09Ns0AI8NKkJA=,tag:H0A4jr/hBcGTuKeNV2zB1Q==,type:str] + knot-node1: ENC[AES256_GCM,data:rY0x5yu9zw==,iv:TyyhW1IwtkcU2q2y6ACgEqNEqMJ64PyMQ/kkkyCJB8E=,tag:fepqIEhEbrNFUr9f1iOMAQ==,type:str] + knot-node2: ENC[AES256_GCM,data:EE/JkIj23g==,iv:Gv1kd+lOFPir3z0TTlRdeOMffCQreBA5HiCHHwOUu+M=,tag:hwmABQCkbvQ6kSVchUZ6+g==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age13wv3rp0varlg4nvt3tca48fq8u9q3mc6yfdekjeapcmc7kaq4dysrzcmv3 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxb2RRcHh2UVN0U0ljeFgr + VndTMkRRR0Fzd042R0F5RnZpelZRNmVIcG1jCklHMkFoVjBhb3NrMjB5c3dMcjYv + Zkw5c3hIeElQOW54WDJ6a1MySDc2bGMKLS0tIEt3TTdLVkx4UFRCOU5WcWxjbXky + b05uMC94dUtxWE1qWHRTbVlubWQ4N1UKcPsMrAWryuaHar6qF/JL40hMkhkGoVsv + fj1FGz2xoI1FOtnqU8/LCOZF7ncUjzJS0m2GxiA/WDRLeLSWAi84vg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1mvh832crygenu5tu5njtraraet656rzwnawuasjggvs999dc9ueqj9qclw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6MEJWVjF4cm04UU44bU9N + VEpmVnVDN1VIcm5RVk1VcThqNjFQQ3EzNkdjCnFGcVBMb0NiTzFSUm1qckkzRjNR + WEo1ai95L1B2bEpCYnB2blNyOFBwR0kKLS0tIFEyWlRZbUZWdnR0dzVCc0NraHpj + OUxUbWp4T1E2TTBTN0NRSDdKaXlJd2cKMwUjax16RyxnQRpxtZDjnrJx7CX06Z37 + T5GfLprSS4vXGfQkuJTDn7a/v8DfftOBL9ubclIet9cOD8YzIcAiZw== + -----END 
AGE ENCRYPTED FILE----- + - recipient: age1teasctdpkatekpsa47q58d3ugwyyqcuj5v9udtusk7ca9sfv694sw057a5 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmZEdhUlBEV1FBeGhSNVNG + YkQ1dmlieWlVMmMvUERNTnJlcVpmV3lBa0JjCnBJUWJmUmp2d01ZdFRlR3M1ZUI0 + NHhnMmxYNmlHeFFGbjJnK0w4QU5HenMKLS0tIHd6aUk1NWR2SnFCMENzSGFES0hi + VzVzNmtJampuZ2tKQnU3Y3FTZFFhdkUKej0Hy9kOYDqg+8B+slMdGE2Krcvqr4uJ + X7GxDCdLV7sllK6OlHe2aQkXb16oT0iGG7N61LCzWBDOfx0hzdyFPA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-10-19T18:22:33Z" + mac: ENC[AES256_GCM,data:Gm09oBu15JksqrK3H1TabhshiOShqwZLYFon6aqd8MmNQU0ufItZARU2K32Gu09dmDerE5Kbrq5u5U4fJXDkFRVYcFktIlD5FcCN2DlG7pB9rbpMZEHUt89wMAX6uvFat+66PUbE56Cio3Hlv88sB98VIKSratK2E0mlFB0oqYY=,iv:QaG4djyDGv+bpSz3+q6BTWAZyuUtNSkdG79/HciQlVE=,tag:TZ/qUmvWadnHYW/B00oEmQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/tnet/host_vars/hash/bird.yml b/tnet/host_vars/hash/bird.yml index 663f8e1..2b4bb51 100644 --- a/tnet/host_vars/hash/bird.yml +++ b/tnet/host_vars/hash/bird.yml @@ -4,6 +4,8 @@ tnet_bird_peers: interface: tnet-confltrio knot: rr_client: true + lhn2pi: + rr_client: true node1: rr_client: true node2: diff --git a/tnet/host_vars/knot/wg.yml b/tnet/host_vars/knot/wg.yml index 243c9f2..9ad867e 100644 --- a/tnet/host_vars/knot/wg.yml +++ b/tnet/host_vars/knot/wg.yml @@ -15,8 +15,7 @@ tnet_wg: address: fdb1:4242:3538:ffff:59d7:cf77:8b5d:761a lhn2pi: port: 51005 - #address: fe80:440a:607e:b685:c955:93ae:29f8:dcd8 - address: fdb1:4242:3538:ffff:374e:2c7d:319e:e526 + address: fe80:d83a:350b:2162:6eda:1cc1:9cd7:80e8 astyanax: port: 51006 address: fe80:6728:53fc:fc81:40b3:9beb:8336:ba56 diff --git a/tnet/host_vars/lhn2pi/bird.yml b/tnet/host_vars/lhn2pi/bird.yml index d132dd7..564c993 100644 --- a/tnet/host_vars/lhn2pi/bird.yml +++ b/tnet/host_vars/lhn2pi/bird.yml @@ -1,3 +1,5 @@ -tnet_bird_peers: [] -# hash: -# knot: +tnet_bird_peers: + hash: + knot: + +birdv: 2008 
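Review bot: `bgp_password` in `bird.sops.yml` defines only seven pairs (conflatorio-knot, coregonus-knot, hash-knot, knot-kv24ix, knot-lhn2pi, knot-node1, knot-node2), while the host templates in this same commit look up `akili-hash`, `akili-knot`, `astyanax-hash`, `astyanax-knot`, `conflatorio-hash`, `hash-lhn2pi`, `hash-node1` and `hash-node2`. Unless those keys are defined in a vars file outside this diff, rendering for the affected hosts should fail on an undefined key. Separately, every `data:` field here decodes to 7 bytes, and SOPS does not pad values, so each secret appears to be 7 characters long, the same length as the literal this commit removes from the templates. That literal remains in git history and should be treated as disclosed; consider regenerating each pair as a long random string rather than carrying a short or previously shared value forward.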
diff --git a/tnet/host_vars/lhn2pi/wg.yml b/tnet/host_vars/lhn2pi/wg.yml index f9e741f..c94745c 100644 --- a/tnet/host_vars/lhn2pi/wg.yml +++ b/tnet/host_vars/lhn2pi/wg.yml @@ -1,8 +1,7 @@ tnet_wg: knot: endpoint: knot.inamo.no:51005 - #address: fe80:440a:607e:b685:c955:93ae:29f8:dcd9 - address: fdb1:4242:3538:ffff:374e:2c7d:319e:e527 + address: fe80:d83a:350b:2162:6eda:1cc1:9cd7:80e9 hash: endpoint: hash.trygvis.io:51003 address: fe80:6195:1d43:9655:35f7:9dba:798c:26b9 diff --git a/tnet/files/akili/bird-tnet-pre.conf b/tnet/templates/akili/bird-tnet-pre.conf index 74c981d..74c981d 100644 --- a/tnet/files/akili/bird-tnet-pre.conf +++ b/tnet/templates/akili/bird-tnet-pre.conf diff --git a/tnet/files/akili/bird-tnet.conf b/tnet/templates/akili/bird-tnet.conf index 24c9b8e..d306fcc 100644 --- a/tnet/files/akili/bird-tnet.conf +++ b/tnet/templates/akili/bird-tnet.conf @@ -10,8 +10,6 @@ template bgp tnet_tpl { direct; - password "trygvis"; - ipv6 { next hop self; import filter { @@ -40,9 +38,11 @@ template bgp tnet_tpl { protocol bgp tnet_hash from tnet_tpl { neighbor fdb1:4242:3538:ffff:ca85:f812:3935:5fba; interface "tnet-hash"; + password "{{ bgp_password['akili-hash'] }}"; } protocol bgp tnet_knot from tnet_tpl { neighbor fdb1:4242:3538:ffff:59d7:cf77:8b5d:761a; interface "tnet-knot"; + password "{{ bgp_password['akili-knot'] }}"; } diff --git a/tnet/files/astyanax/bird-tnet-pre.conf b/tnet/templates/astyanax/bird-tnet-pre.conf index 74c981d..74c981d 100644 --- a/tnet/files/astyanax/bird-tnet-pre.conf +++ b/tnet/templates/astyanax/bird-tnet-pre.conf diff --git a/tnet/files/astyanax/bird-tnet.conf b/tnet/templates/astyanax/bird-tnet.conf index 3dbf4c9..496cebe 100644 --- a/tnet/files/astyanax/bird-tnet.conf +++ b/tnet/templates/astyanax/bird-tnet.conf @@ -10,8 +10,6 @@ template bgp tnet_tpl { direct; - password "trygvis"; - ipv6 { next hop self; import filter { 
@@ -40,9 +38,11 @@ template bgp tnet_tpl { protocol bgp tnet_hash from tnet_tpl { neighbor fe80:a0fd:89e4:42c6:f617:7398:abf4:b516; interface "tnet-hash"; + password "{{ bgp_password['astyanax-hash'] }}"; } protocol bgp tnet_knot from tnet_tpl { neighbor fe80:6728:53fc:fc81:40b3:9beb:8336:ba56; interface "tnet-knot"; + password "{{ bgp_password['astyanax-knot'] }}"; } diff --git a/tnet/templates/bird-tnet.conf.j2 b/tnet/templates/bird-tnet.conf.j2 index 2ba456b..1185014 100644 --- a/tnet/templates/bird-tnet.conf.j2 +++ b/tnet/templates/bird-tnet.conf.j2 @@ -10,8 +10,6 @@ template bgp tnet_tpl { direct; - password "trygvis"; - ipv6 { next hop self; import filter { @@ -48,6 +46,12 @@ protocol bgp tnet_{{ p }} from tnet_tpl { {% else %} interface "tnet-{{ p }}"; {% endif %} +{% if inventory_hostname < p %} +{% set password_var = inventory_hostname + "-" + p %} +{% else %} +{% set password_var = p + "-" + inventory_hostname %} +{% endif %} + password "{{ "{{ bgp_password['" + password_var + "'] }}" }}"; {% if peer.rr_client|default(False) %} rr client; diff --git a/tnet/files/conflatorio/bird-tnet-pre.conf b/tnet/templates/conflatorio/bird-tnet-pre.conf index d60e8df..d60e8df 100644 --- a/tnet/files/conflatorio/bird-tnet-pre.conf +++ b/tnet/templates/conflatorio/bird-tnet-pre.conf diff --git a/tnet/files/conflatorio/bird-tnet.conf b/tnet/templates/conflatorio/bird-tnet.conf index 02780a6..4ffcc7f 100644 --- a/tnet/files/conflatorio/bird-tnet.conf +++ b/tnet/templates/conflatorio/bird-tnet.conf @@ -10,8 +10,6 @@ template bgp tnet_tpl { direct; - password "trygvis"; - ipv6 { next hop self; import filter { 
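Review bot: In `bird-tnet.conf.j2` the secret ends up pasted verbatim between BIRD double quotes in the generated `password "{{ bgp_password[...] }}";` line, so a value containing `"` or a line break would produce a config that BIRD is likely to reject at reload. Documenting the allowed alphabet next to the line would help, e.g. `{# bgp_password values: no '"' or newlines; pasted verbatim into a BIRD string #}`. The pair key is built by comparing `inventory_hostname` with `p`, which gives both ends the same name, but nothing at generation time checks that the key exists in `bgp_password`, so a missing or misspelled pair only surfaces when that host is deployed. The enclosing `protocol bgp` loop starts and ends outside the hunk.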
@@ -40,9 +38,11 @@ template bgp tnet_tpl { protocol bgp tnet_hash from tnet_tpl { neighbor fe80:4540:476c:d432:2f32:818b:811b:bb61; interface "tnet-hash"; + password "{{ bgp_password['conflatorio-hash'] }}"; } protocol bgp tnet_knot from tnet_tpl { neighbor fe80:47fc:0660:b91f:1063:a6ae:46bb:7589; interface "tnet-knot"; + password "{{ bgp_password['conflatorio-knot'] }}"; } diff --git a/tnet/files/coregonus/bird-tnet-pre.conf b/tnet/templates/coregonus/bird-tnet-pre.conf index d60e8df..d60e8df 100644 --- a/tnet/files/coregonus/bird-tnet-pre.conf +++ b/tnet/templates/coregonus/bird-tnet-pre.conf diff --git a/tnet/files/coregonus/bird-tnet.conf b/tnet/templates/coregonus/bird-tnet.conf index 95ede41..2d2a573 100644 --- a/tnet/files/coregonus/bird-tnet.conf +++ b/tnet/templates/coregonus/bird-tnet.conf @@ -10,8 +10,6 @@ template bgp tnet_tpl { direct; - password "trygvis"; - ipv6 { next hop self; import filter { @@ -40,4 +38,5 @@ template bgp tnet_tpl { protocol bgp tnet_knot from tnet_tpl { neighbor fe80:ba82:77f0:f96d:7a85:a7fa:ef6f:37d2; interface "tnet-knot"; + password "{{ bgp_password['coregonus-knot'] }}"; } diff --git a/tnet/files/hash/bird-tnet-pre.conf b/tnet/templates/hash/bird-tnet-pre.conf index 74c981d..74c981d 100644 --- a/tnet/files/hash/bird-tnet-pre.conf +++ b/tnet/templates/hash/bird-tnet-pre.conf diff --git a/tnet/files/hash/bird-tnet.conf b/tnet/templates/hash/bird-tnet.conf index 5ac9690..d9c52b0 100644 --- a/tnet/files/hash/bird-tnet.conf +++ b/tnet/templates/hash/bird-tnet.conf @@ -10,8 +10,6 @@ template bgp tnet_tpl { direct; - password "trygvis"; - ipv6 { next hop self; import filter { @@ -40,6 +38,7 @@ template bgp tnet_tpl { protocol bgp tnet_conflatorio from tnet_tpl { neighbor fe80:4540:476c:d432:2f32:818b:811b:bb60; interface "tnet-confltrio"; + password "{{ bgp_password['conflatorio-hash'] }}"; rr client; } 
@@ -47,6 +46,15 @@ protocol bgp tnet_conflatorio from tnet_tpl { protocol bgp tnet_knot from tnet_tpl { neighbor fe80:3b20:4cb0:5315:22a:c7de:a45b:8a7c; interface "tnet-knot"; + password "{{ bgp_password['hash-knot'] }}"; + + rr client; +} + +protocol bgp tnet_lhn2pi from tnet_tpl { + neighbor fe80:6195:1d43:9655:35f7:9dba:798c:26b9; + interface "tnet-lhn2pi"; + password "{{ bgp_password['hash-lhn2pi'] }}"; rr client; } @@ -54,6 +62,7 @@ protocol bgp tnet_knot from tnet_tpl { protocol bgp tnet_node1 from tnet_tpl { neighbor fe80:a026:6ec2:b356:21c5:b51:22b9:a1df; interface "tnet-node1"; + password "{{ bgp_password['hash-node1'] }}"; rr client; } @@ -61,6 +70,7 @@ protocol bgp tnet_node1 from tnet_tpl { protocol bgp tnet_node2 from tnet_tpl { neighbor fe80:a7a6:c1a8:c261:232e:7d67:fc27:7c8d; interface "tnet-node2"; + password "{{ bgp_password['hash-node2'] }}"; rr client; } diff --git a/tnet/files/knot/bird-tnet-pre.conf b/tnet/templates/knot/bird-tnet-pre.conf index d60e8df..d60e8df 100644 --- a/tnet/files/knot/bird-tnet-pre.conf +++ b/tnet/templates/knot/bird-tnet-pre.conf diff --git a/tnet/files/knot/bird-tnet.conf b/tnet/templates/knot/bird-tnet.conf index e774e31..699c0f2 100644 --- a/tnet/files/knot/bird-tnet.conf +++ b/tnet/templates/knot/bird-tnet.conf @@ -10,8 +10,6 @@ template bgp tnet_tpl { direct; - password "trygvis"; - ipv6 { next hop self; import filter { @@ -40,6 +38,7 @@ template bgp tnet_tpl { protocol bgp tnet_conflatorio from tnet_tpl { neighbor fe80:47fc:660:b91f:1063:a6ae:46bb:7588; interface "tnet-confltrio"; + password "{{ bgp_password['conflatorio-knot'] }}"; rr client; } @@ -47,6 +46,7 @@ protocol bgp tnet_conflatorio from tnet_tpl { protocol bgp tnet_coregonus from tnet_tpl { neighbor fe80:ba82:77f0:f96d:7a85:a7fa:ef6f:37d3; interface "tnet-coregonus"; + password "{{ bgp_password['coregonus-knot'] }}"; rr client; } 
@@ -54,6 +54,7 @@ protocol bgp tnet_coregonus from tnet_tpl { protocol bgp tnet_hash from tnet_tpl { neighbor fe80:3b20:4cb0:5315:22a:c7de:a45b:8a7d; interface "tnet-hash"; + password "{{ bgp_password['hash-knot'] }}"; rr client; } @@ -61,13 +62,15 @@ protocol bgp tnet_hash from tnet_tpl { protocol bgp tnet_kv24ix from tnet_tpl { neighbor fe80:fef1:078a:5b64:efd3:ae7b:d286:d7cf; interface "tnet-kv24ix"; + password "{{ bgp_password['knot-kv24ix'] }}"; rr client; } protocol bgp tnet_lhn2pi from tnet_tpl { - neighbor fdb1:4242:3538:ffff:374e:2c7d:319e:e527; + neighbor fe80:d83a:350b:2162:6eda:1cc1:9cd7:80e9; interface "tnet-lhn2pi"; + password "{{ bgp_password['knot-lhn2pi'] }}"; rr client; } @@ -75,6 +78,7 @@ protocol bgp tnet_lhn2pi from tnet_tpl { protocol bgp tnet_node1 from tnet_tpl { neighbor fe80:58eb:3930:1815:2a6d:8918:70c9:96f3; interface "tnet-node1"; + password "{{ bgp_password['knot-node1'] }}"; rr client; } @@ -82,6 +86,7 @@ protocol bgp tnet_node1 from tnet_tpl { protocol bgp tnet_node2 from tnet_tpl { neighbor fe80:9dd8:abac:cf05:aea3:dc03:4c74:32db; interface "tnet-node2"; + password "{{ bgp_password['knot-node2'] }}"; rr client; } diff --git a/tnet/files/lhn2pi/bird-tnet-pre.conf b/tnet/templates/lhn2pi/bird-tnet-pre.conf index 74c981d..74c981d 100644 --- a/tnet/files/lhn2pi/bird-tnet-pre.conf +++ b/tnet/templates/lhn2pi/bird-tnet-pre.conf diff --git a/tnet/templates/lhn2pi/bird-tnet.conf b/tnet/templates/lhn2pi/bird-tnet.conf new file mode 100644 index 0000000..f755c3b --- /dev/null +++ b/tnet/templates/lhn2pi/bird-tnet.conf 
@@ -0,0 +1,48 @@ +# Set to true if this peer is directly connected to a dn42 peer +define is_dn42_peer = true; +# If we are connected directly to dn42, we don't want the dn42 routes from others +define import_dn42 = !is_dn42_peer; +define export_dn42 = is_dn42_peer; + +template bgp tnet_tpl { + local as 4242423538; + neighbor internal; + + direct; + + ipv6 { + next hop self; + import filter { + if is_tnet() then { + accept proto, ": (tnet) import accept, net=", net, ", from=", from, ", gw=", gw; + } else if import_dn42 && dn42_is_valid_network() then { + accept proto, ": (dn42) import accept, net=", net, ", from=", from, ", gw=", gw; + } else { + reject proto, ": import reject, reason=not tnet"; + } + }; + # newer bird's only + # import keep filtered; + export filter { + if is_tnet() then { + accept proto, ": (tnet) export accept, net=", net, ", from=", from, ", gw=", gw; + } else if export_dn42 && dn42_is_valid_network() then { + accept proto, ": (dn42) import accept, net=", net, ", from=", from, ", gw=", gw; + } else { + reject proto, ": export reject, reason=not tnet"; + } + }; + }; +} + +protocol bgp tnet_hash from tnet_tpl { + neighbor fe80:6195:1d43:9655:35f7:9dba:798c:26b8; + interface "tnet-hash"; + password "{{ bgp_password['hash-lhn2pi'] }}"; +} + +protocol bgp tnet_knot from tnet_tpl { + neighbor fe80:d83a:350b:2162:6eda:1cc1:9cd7:80e8; + interface "tnet-knot"; + password "{{ bgp_password['knot-lhn2pi'] }}"; +} diff --git a/tnet/files/node1/bird-tnet-pre.conf b/tnet/templates/node1/bird-tnet-pre.conf index 74c981d..74c981d 100644 --- a/tnet/files/node1/bird-tnet-pre.conf +++ b/tnet/templates/node1/bird-tnet-pre.conf diff --git a/tnet/files/node1/bird-tnet.conf b/tnet/templates/node1/bird-tnet.conf index 6449582..bafb6de 100644 --- a/tnet/files/node1/bird-tnet.conf +++ b/tnet/templates/node1/bird-tnet.conf @@ -10,8 +10,6 @@ template bgp tnet_tpl { direct; - password "trygvis"; - ipv6 { next hop self; import filter { 
@@ -40,9 +38,11 @@ template bgp tnet_tpl { protocol bgp tnet_hash from tnet_tpl { neighbor fe80:a026:6ec2:b356:21c5:b51:22b9:a1de; interface "tnet-hash"; + password "{{ bgp_password['hash-node1'] }}"; } protocol bgp tnet_knot from tnet_tpl { neighbor fe80:58eb:3930:1815:2a6d:8918:70c9:96f2; interface "tnet-knot"; + password "{{ bgp_password['knot-node1'] }}"; } diff --git a/tnet/files/node2/bird-tnet-pre.conf b/tnet/templates/node2/bird-tnet-pre.conf index 74c981d..74c981d 100644 --- a/tnet/files/node2/bird-tnet-pre.conf +++ b/tnet/templates/node2/bird-tnet-pre.conf diff --git a/tnet/files/node2/bird-tnet.conf b/tnet/templates/node2/bird-tnet.conf index b9a2294..8a7b887 100644 --- a/tnet/files/node2/bird-tnet.conf +++ b/tnet/templates/node2/bird-tnet.conf @@ -10,8 +10,6 @@ template bgp tnet_tpl { direct; - password "trygvis"; - ipv6 { next hop self; import filter { @@ -40,9 +38,11 @@ template bgp tnet_tpl { protocol bgp tnet_hash from tnet_tpl { neighbor fe80:a7a6:c1a8:c261:232e:7d67:fc27:7c8c; interface "tnet-hash"; + password "{{ bgp_password['hash-node2'] }}"; } protocol bgp tnet_knot from tnet_tpl { neighbor fe80:9dd8:abac:cf05:aea3:dc03:4c74:32da; interface "tnet-knot"; + password "{{ bgp_password['knot-node2'] }}"; } |