Skip to content
Snippets Groups Projects
Unverified Commit 2d3ebd11 authored by Nico's avatar Nico
Browse files

TEMP: continue backbone

parent 99148c81
Branches
No related tags found
No related merge requests found
......@@ -6,9 +6,53 @@
- wireguard-tools
state: present
- ansible.builtin.set_fact:
bb_bgp_local_host: "{{ bb_bgp_peers[ansible_facts['hostname']] }}"
- name: Ensure wireguard private key permissions (please create private key manually if this fails)
ansible.builtin.file:
path: /etc/systemd/network/wg-private.key
mode: 0640
owner: root
group: systemd-network
- name: Deploy loopback netdev interface
ansible.builtin.template:
src: bbbgplo.netdev.j2
dest: "/etc/systemd/network/bbbgplo.netdev"
mode: 0640
owner: root
group: systemd-network
- name: Deploy loopback network interface
ansible.builtin.template:
src: bbbgplo.network.j2
dest: "/etc/systemd/network/bbbgplo.network"
mode: 0640
owner: root
group: systemd-network
- name: Deploy bird base config
ansible.builtin.template:
src: bird.conf.j2
dest: "/etc/bird/bird.conf"
mode: 0640
owner: bird
group: bird
- ansible.builtin.set_fact:
bb_bgp_local_host: ""
- name: Create /etc/bird/peers
ansible.builtin.file:
path: /etc/bird/peers
state: directory
mode: 0750
owner: bird
group: bird
- name: Deploy lines
include_tasks: wireguard_line.yml
loop: "{{ bb_bgp_peers[ansible_facts['hostname']].lines }}"
loop_control:
loop_var: local_line
......@@ -13,30 +13,56 @@
bb_bgp_remote_host: "{{ bb_bgp_peers[bb_bgp_remote_line.hostname] }}"
bb_bgp_local_host: "{{ bb_bgp_peers[bb_bgp_local_line.hostname] }}"
- ansible.builtin.set_fact:
# WARNING: the shellscript-based backbone generates IPv6 addresses inside
# the tunnel from the IPv4 offset! ip6offset is only used to generate
# loopback IPs.
# BGP session endpoints (addresses in fd21:711:ffff:ffff::) use the IPv4 offset!
bb_bgp_local_ip6: "fd21:711:ffff:ffff::{{ tunnel.idx }}:{{ bb_bgp_local_host.ip4offset }}"
bb_bgp_remote_ip6: "fd21:711:ffff:ffff::{{ tunnel.idx }}:{{ bb_bgp_remote_host.ip4offset }}"
bb_bgp_local_ip4: "100.100.{{ tunnel.idx }}.{{ bb_bgp_local_host.ip4offset }}"
bb_bgp_remote_ip4: "100.100.{{ tunnel.idx }}.{{ bb_bgp_remote_host.ip4offset }}"
bb_bgp_interface_name: "{{ bb_bgp_local_line_name }}{{ bb_bgp_remote_line_name }}"
- ansible.builtin.debug:
msg: "{{ bb_bgp_local_line }}"
msg: "{{ bb_bgp_local_host }}"
- ansible.builtin.debug:
msg: "{{ bb_bgp_remote_line }}"
- name: Deploy netdev file for wireguard tunnel
ansible.builtin.template:
src: wg-tunnel.netdev.j2
dest: "/etc/systemd/network/{{ bb_bgp_remote_line_name }}.netdev"
dest: "/etc/systemd/network/{{ bb_bgp_interface_name }}.netdev"
mode: 0750
owner: root
group: systemd-network
vars:
local_port: "{{ 12000 + (tunnel.idx|int - 1) * 1000 + bb_bgp_remote_host.ip4offset|int }}"
remote_port: "{{ 12000 + (tunnel.idx|int - 1) * 1000 + bb_bgp_local_host.ip4offset|int }}"
local_port: "{{ 12000 + tunnel.idx|int * 1000 + bb_bgp_remote_host.ip4offset|int }}"
remote_port: "{{ 12000 + tunnel.idx|int * 1000 + bb_bgp_local_host.ip4offset|int }}"
- name: Ensure netdev file permissions
ansible.builtin.file:
path: "/etc/systemd/network/{{ bb_bgp_interface_name }}.netdev"
mode: 0640
owner: root
group: systemd-network
- name: Deploy network file for wireguard tunnel
ansible.builtin.template:
src: wg-tunnel.network.j2
dest: "/etc/systemd/network/{{ bb_bgp_remote_line_name }}.network"
mode: 0750
dest: "/etc/systemd/network/{{ bb_bgp_interface_name }}.network"
mode: 0640
owner: root
group: systemd-network
- name: Deploy bird peer config file for tunnel
ansible.builtin.template:
src: bird-peer.conf.j2
dest: "/etc/bird/peers/{{ bb_bgp_interface_name }}.network"
mode: 0640
owner: bird
group: bird
- ansible.builtin.set_fact:
bb_bgp_remote_line_name: ""
bb_bgp_local_line_name: ""
......@@ -44,3 +70,8 @@
bb_bgp_local_line: ""
bb_bgp_remote_host: ""
bb_bgp_local_host: ""
bb_bgp_local_ip6: ""
bb_bgp_remote_ip6: ""
bb_bgp_local_ip4: ""
bb_bgp_remote_ip4: ""
bb_bgp_interface_name: ""
[NetDev]
Name=bbbgplo
Kind=dummy
[Match]
Name=bbbgplo
[Network]
DHCP=no
[Address]
Address=fd21:b4dc::a38:{{ bb_bgp_local_host.ip6offset }}/128
[Address]
Address=10.191.255.{{ bb_bgp_local_host.ip4offset }}/32
[Route]
Destination=fd21:b4dc::a38:{{ bb_bgp_local_host.ip6offset }}/128
Type=local
[Route]
Destination=10.191.255.{{ bb_bgp_local_host.ip4offset }}/32
Type=local
protocol bgp {{ bb_bgp_interface_name }}_v6 {
local as BB_BGP_ASN;
neighbor {{ bb_bgp_remote_ip6 }} as {{ bb_bgp_remote_host.asn }};
interface "{{ bb_bgp_interface_name }}";
bfd on;
ipv6 {
import filter ffs_backbone_bgp_import;
export filter ffs_backbone_bgp_export;
};
}
protocol bgp {{ bb_bgp_interface_name }}_v4 {
local as BB_BGP_ASN;
neighbor {{ bb_bgp_remote_ip4 }} as {{ bb_bgp_remote_host.asn }};
interface "{{ bb_bgp_interface_name }}";
bfd on;
ipv4 {
import filter ffs_backbone_bgp_import;
export filter ffs_backbone_bgp_export;
};
}
log syslog all;
#debug protocols all;
#debug channels all;
define BB_BGP_ASN = {{ bb_bgp_local_host.asn }};
router id {{ bb_bgp_local_host.routerid }};
protocol device {
};
protocol static static_myself_v6 {
ipv6;
route fd21:b4dc::a38:{{ bb_bgp_local_host.ip6offset }}/128 via "lo";
};
protocol static static_myself_v4 {
ipv4;
route 10.191.255.{{ bb_bgp_local_host.ip4offset }}/32 via "lo";
};
function is_default_route() {
if net.type = NET_IP4 && net ~ [ 0.0.0.0/0 ] then return true;
if net.type = NET_IP6 && net ~ [ ::/0 ] then return true;
return false;
};
filter nodefaultroute {
if is_default_route() then reject;
accept;
};
protocol kernel t_kernel {
ipv6 {
import none;
export filter nodefaultroute;
};
};
function is_ffs_net() {
if net.type = NET_IP4 && net ~ [ 10.190.0.0/15+ ] then return true;
if net.type = NET_IP6 && net ~ [ fd21:b4dc:4b00::/40 ] then return true;
return false;
};
filter ffs_backbone_bgp_import {
if is_ffs_net() then accept;
else reject;
};
filter ffs_backbone_bgp_export {
if is_ffs_net() then accept;
else reject;
};
include "/etc/bird/peers/*";
[NetDev]
Name={{ bb_bgp_remote_line_name }}
Name={{ bb_bgp_interface_name }}
Kind=wireguard
MTUBytes=1280
[WireGuard]
ListenPort={{ local_port }}
PrivateKeyFile=/etc/wireguard/wg-private.key
PrivateKeyFile=/etc/systemd/network/wg-private.key
RouteTable=off
[WireGuardPeer]
PublicKey={{ bb_bgp_remote_host.wg_pubkey }}
......
[Match]
Name={{ bb_bgp_interface_name }}
[Network]
DHCP=no
IPv6AcceptRA=false
IPForward=yes
[Address]
Address={{ bb_bgp_local_ip4 }}/32
Peer={{ bb_bgp_remote_ip4 }}/32
[Address]
Address={{ bb_bgp_local_ip6 }}/128
Peer={{ bb_bgp_remote_ip6 }}/128
......@@ -143,7 +143,7 @@ class VarsModule(BaseVarsPlugin):
try:
tunnels_next_idx[tunnel_key] += 1
except KeyError:
tunnels_next_idx[tunnel_key] = 1
tunnels_next_idx[tunnel_key] = 0
tunnel = Tunnel(line_a=line_a,
line_b=line_b,
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment