crans
/
ansible
mirror of http://gitlab.adm.crans.org/nounous/ansible.git
19
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge branch 'bird' into 'newinfra' 

[bird] Use bird instead of quagga

See merge request nounous/ansible!180
certbot_on_virtu
_benjamin 2021-01-08 14:49:49 +01:00
parent f141643c64 30ecc05a52
commit c425a0c934
9 changed files with 127 additions and 139 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
plays/firewall.yml
View File

@ -38,19 +38,21 @@
roles:
- firewall
# Deploy BGP server configuration on IPv4 routers
# Deploy BGP server configuration on routers
- hosts: crans_routeurs
vars:
zebra:
password: "{{ vault_zebra_password }}"
bgp:
as: 204515
router_id_v4: 158.255.113.73
network_v4: 185.230.76.0/22
neighbor_v4: 158.255.113.72
router_id_v6: 138.231.136.200
network_v6: 2a0c:700::/32
neighbor_v6: 2001:1b48:2:103::bb:1
remote_as: 8218
ipv4:
router_id: 158.255.113.73
bind_address: 158.255.113.73
network: 185.230.76.0/22
neighbor: 158.255.113.72
ipv6:
router_id: 185.230.79.62
bind_address: 2001:1b48:2:103::bb:2
network: 2a0c:700::/32
neighbor: 2001:1b48:2:103::bb:1
roles:
- quagga
- bird

25
roles/bird/tasks/main.yml 100644
View File

@ -0,0 +1,25 @@
---
- name: Install BIRD
apt:
update_cache: true
name:
- bird
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Deploy bird configuration
template:
src: bird/bird.conf.j2
dest: /etc/bird/bird.conf
mode: 0640
owner: bird
group: bird
- name: Deploy bird6 configuration
template:
src: bird/bird6.conf.j2
dest: /etc/bird/bird6.conf
mode: 0640
owner: bird
group: bird

45
roles/bird/templates/bird/bird.conf.j2 100644
View File

@ -0,0 +1,45 @@
{{ ansible_header | comment }}
# This is a minimal configuration file, which allows the bird daemon to start
# but will not cause anything else to happen.
#
# Please refer to the documentation in the bird-doc package or BIRD User's
# Guide on http://bird.network.cz/ for more information on configuring BIRD and
# adding routing protocols.
# Change this into your BIRD router ID. It's a world-wide unique identification
# of your router, usually one of router's IPv4 addresses.
router id {{ bgp.ipv4.router_id }};
listen bgp address {{ bgp.ipv4.bind_address }} port 179;
# The Kernel protocol is not a real routing protocol. Instead of communicating
# with other routers in the network, it performs synchronization of BIRD's
# routing tables with the OS kernel.
protocol kernel {
persist;
scan time 60;
import none;
export all; # Actually insert routes into the kernel routing table
}
# The Device protocol is not a real routing protocol. It doesn't generate any
# routes and it only serves as a module for getting information about network
# interfaces from the kernel.
protocol device {
scan time 60;
}
protocol static {
route {{ bgp.ipv4.network }} reject;
}
protocol bgp zayo {
local as {{ bgp.as }};
neighbor {{ bgp.ipv4.neighbor }} as {{ bgp.remote_as }};
import all;
export filter {
if ( net ~ [ {{ bgp.ipv4.network }} ] ) then accept;
reject;
};
}

45
roles/bird/templates/bird/bird6.conf.j2 100644
View File

@ -0,0 +1,45 @@
{{ ansible_header | comment }}
# This is a minimal configuration file, which allows the bird daemon to start
# but will not cause anything else to happen.
#
# Please refer to the documentation in the bird-doc package or BIRD User's
# Guide on http://bird.network.cz/ for more information on configuring BIRD and
# adding routing protocols.
# Change this into your BIRD router ID. It's a world-wide unique identification
# of your router, usually one of router's IPv6 addresses.
router id {{ bgp.ipv6.router_id }};
listen bgp address {{ bgp.ipv6.bind_address }} port 179;
# The Kernel protocol is not a real routing protocol. Instead of communicating
# with other routers in the network, it performs synchronization of BIRD's
# routing tables with the OS kernel.
protocol kernel {
persist;
scan time 60;
import none;
export all; # Actually insert routes into the kernel routing table
}
# The Device protocol is not a real routing protocol. It doesn't generate any
# routes and it only serves as a module for getting information about network
# interfaces from the kernel.
protocol device {
scan time 60;
}
protocol static {
route {{ bgp.ipv6.network }} reject;
}
protocol bgp zayo {
local as {{ bgp.as }};
neighbor {{ bgp.ipv6.neighbor }} as {{ bgp.remote_as }};
import all;
export filter {
if ( net ~ [ {{ bgp.ipv6.network }} ] ) then accept;
reject;
};
}

49
roles/quagga/tasks/main.yml
View File

@ -1,49 +0,0 @@
---
- name: Install quagga
apt:
update_cache: true
name:
- quagga
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Create quagga log directory
file:
path: /var/log/quagga
state: directory
mode: 0755
owner: quagga
group: quagga
- name: Deploy quagga daemons configuration
template:
src: quagga/daemons.j2
dest: /etc/quagga/daemons
mode: 0644
owner: root
group: root
- name: Deploy quagga debian configuration
template:
src: quagga/debian.conf.j2
dest: /etc/quagga/debian.conf
mode: 0640
owner: quagga
group: quagga
- name: Deploy quagga bgpd configuration
template:
src: quagga/bgpd.conf.j2
dest: /etc/quagga/bgpd.conf
mode: 0640
owner: quagga
group: quagga
- name: Deploy quagga zabra configuration
template:
src: quagga/zebra.conf.j2
dest: /etc/quagga/zebra.conf
mode: 0640
owner: quagga
group: quagga

16
roles/quagga/templates/quagga/bgpd.conf.j2
View File

@ -1,16 +0,0 @@
{{ ansible_header | comment(decoration='! ') }}
!
router bgp {{ bgp.as }}
no synchronization
bgp router-id {{ bgp.router_id_v4 }}
network {{ bgp.network_v4 }}
neighbor {{ bgp.neighbor_v4 }} remote-as {{ bgp.remote_as }}
neighbor {{ bgp.neighbor_v6 }} remote-as {{ bgp.remote_as }}
!
address-family ipv6
network {{ bgp.network_v6 }}
neighbor {{ bgp.neighbor_v6 }} activate
exit-address-family
!
log file /var/log/quagga/bgpd.log
log stdout

28
roles/quagga/templates/quagga/daemons.j2
View File

@ -1,28 +0,0 @@
{{ ansible_header | comment }}
# 2 .. 10 = lower priorities
# Read /usr/share/doc/quagga/README.Debian for details.
#
# Sample configurations for these daemons can be found in
# /usr/share/doc/quagga/examples/.
#
# ATTENTION:
#
# When activation a daemon at the first time, a config file, even if it is
# empty, has to be present *and* be owned by the user and group "quagga", else
# the daemon will not be started by /etc/init.d/quagga. The permissions should
# be u=rw,g=r,o=.
# # When using "vtysh" such a config file is also needed. It should be owned by
# group "quaggavty" and set to ug=rw,o= though. Check /etc/pam.d/quagga, too.
#
# The watchquagga daemon is always started. Per default in monitoring-only but
# that can be changed via /etc/quagga/debian.conf.
#
zebra=yes
bgpd=yes
ospfd=no
ospf6d=no
ripd=no
ripngd=no
isisd=no
babeld=no

25
roles/quagga/templates/quagga/debian.conf.j2
View File

@ -1,25 +0,0 @@
{{ ansible_header | comment }}
#
# If this option is set the /etc/init.d/quagga script automatically loads
# the config via "vtysh -b" when the servers are started.
# Check /etc/pam.d/quagga if you intend to use "vtysh"!
#
vtysh_enable=yes
zebra_options=" --daemon -A 127.0.0.1"
bgpd_options=" --daemon -A 127.0.0.1"
ospfd_options=" --daemon -A 127.0.0.1"
ospf6d_options=" --daemon -A ::1"
ripd_options=" --daemon -A 127.0.0.1"
ripngd_options=" --daemon -A ::1"
isisd_options=" --daemon -A 127.0.0.1"
babeld_options=" --daemon -A 127.0.0.1"
#
# Please note that watchquagga_options is an array and not a string so that
# quotes can be used.
#
# The list of daemons to watch is automatically generated by the init script
# from daemons.conf and appended to the watchquagga_options.
# Example:
# watchquagga_options=("-Adz" "-r" '/sbin/service %s restart' -s '/sbin/service %s start' -k '/sbin/service %s stop')
watchquagga_enable=yes
watchquagga_options=(--daemon)

11
roles/quagga/templates/quagga/zebra.conf.j2
View File

@ -1,11 +0,0 @@
{{ ansible_header | comment(decoration='! ') }}
hostname zebra
password {{ zebra.password }}
enable password {{ zebra.password }}
log file /var/log/quagga/zebra.log
interface lo
line vty