changeset 7:b6fff51f8676
net.py setup. May not be safe on bang yet
author | drewp@bigasterisk.com |
---|---|
date | Wed, 10 Nov 2021 09:57:02 -0800 |
parents | aa633eb49c63 |
children | 226f3c8419b2 |
files | net.py tasks.py templates/bang_exports.j2 templates/bang_interfaces.j2 templates/dhcp_hosts.j2 templates/dhcp_hosts_file.j2 templates/dnsmasq.conf.j2 templates/dnsmasq.service.j2 templates/hosts.j2 templates/netplan_dns.yaml.j2 templates/prime_resolved.conf.j2 templates/resolv.conf.j2 templates/resolved.conf.j2 templates/webforward.service.j2 |
diffstat | 14 files changed, 396 insertions(+), 0 deletions(-) [+] |
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/net.py Wed Nov 10 09:57:02 2021 -0800
@@ -0,0 +1,82 @@
+from pyinfra import host
+from pyinfra.facts.hardware import Ipv4Addrs
+from pyinfra.facts.server import LinuxDistribution
+from pyinfra.operations import apt, files, server, systemd
+
+bang_is_old = True
+is_pi = host.get_fact(LinuxDistribution)['name'] in ['Debian', 'Raspbian GNU/Linux']
+is_wifi = host.name in ['frontdoor', 'living', 'plus']
+ssh_host = host.host_data.get('ssh_hostname', host.name)
+
+if is_wifi:
+ files.put(src="files/wpa_supplicant.conf", dest="/etc/wpa_supplicant/wpa_supplicant.conf")
+
+files.template(src='templates/hosts.j2', dest='/etc/hosts')
+
+if host.name == 'prime':
+ # prime should have gotten this through netplan, but i give up.
+ #
+ # Note the DNS list: this list is tried randomly, not in order, so we could have
+ # some trouble with internal names
+ files.template(src='templates/prime_resolved.conf.j2', dest='/etc/systemd/resolved.conf')
+else:
+ files.template(src='templates/resolved.conf.j2', dest='/etc/systemd/resolved.conf')
+systemd.service(service='systemd-resolved.service', running=True, restarted=True)
+
+files.template(src='templates/resolv.conf.j2', dest='/etc/resolv.conf')
+
+if host.name in ['dash', 'slash', 'garage']:
+ # might need to upgrade pi systemd if there are errors in this part
+ apt.packages(packages=['netplan.io'])
+ files.file(path='/etc/netplan/00-installer-config.yaml', present=False)
+ addrs = host.get_fact(Ipv4Addrs)
+ ipv4Interface = host.host_data['interface']
+ ipv4Address = host.host_data['addr']
+ files.template(src='templates/netplan_dns.yaml.j2',
+ dest='/etc/netplan/99-ansible-written.yaml',
+ ipv4Interface=ipv4Interface,
+ ipv4Address=ipv4Address)
+ server.shell(commands=['netplan apply'])
+
+if host.name not in ['plus']:
+ apt.packages(packages=['network-manager'], present=False)
+
+if host.name == 'bang':
+ files.template(src='templates/bang_interfaces.j2', dest='/etc/network/interfaces', user='root', group='root', mode='644')
+ apt.packages(packages=['iptables', 'openntpd', 'ntpdate'])
+ server.shell(commands=['systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target'], user='root')
+
+ apt.packages(packages=['nfs-kernel-server'])
+ files.template(src='templates/bang_exports.j2', dest='/etc/exports')
+
+ # Now using a HW router for this firewall. No incoming connections.
+ # test connections from the outside:
+ # http://www.t1shopper.com/tools/port-scanner/
+ apt.packages(packages=['ufw'], present=False)
+
+ apt.packages(packages=['dnsmasq'])
+ systemd.service(service='dnsmasq', enabled=False, running=False)
+ files.directory(path='/opt/dnsmasq')
+
+ for net_name in ['10.1', '10.2', '10.5']:
+ files.directory(path=f'/opt/dnsmasq/{net_name}')
+ files.template(src='templates/dnsmasq.conf.j2', dest=f'/opt/dnsmasq/{net_name}/dnsmasq.conf', net=net_name)
+ files.template(src='templates/dhcp_hosts_file.j2', dest=f'/opt/dnsmasq/{net_name}/hosts', net=net_name)
+ files.template(src='templates/dhcp_hosts.j2', dest=f'/opt/dnsmasq/{net_name}/dhcp_hosts', net=net_name)
+
+ files.template(src='templates/dnsmasq.service.j2', dest=f'/etc/systemd/system/dnsmasq_{net_name}.service', net=net_name)
+ systemd.service(service=f'dnsmasq_{net_name}', restarted=True, daemon_reload=True)
+
+if host.name == 'prime':
+ # using digitalocean network config:
+ # https://cloud.digitalocean.com/networking/firewalls/f68899ae-1aac-4469-b379-59ce2bbc988f/droplets?i=7c5072
+ apt.packages(packages=['ufw'], present=False)
+
+ files.line(name='shorter systemctl log window, for disk space',
+ path='/etc/systemd/journald.conf',
+ line='MaxFileSec',
+ replace="MaxFileSec=7day")
+
+ for port in [80, 443]:
+ files.template(src="webforward.service.j2", dest=f"/etc/systemd/system/web_forward_{port}.service", port=port)
+ systemd.service(service=f'web_forward_{port}', enabled=True, restarted=True)
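Review bot: The `files.template(src="webforward.service.j2", ...)` call in the final `for port` loop is the only template call in the file without the `templates/` prefix, so it presumably looks for the file in the deploy root rather than next to the other templates this commit adds; `src="templates/webforward.service.j2"` matches the rest. The `files.put` of `wpa_supplicant.conf` on the wifi hosts sets no `mode=`, whereas the bang interfaces template sets `mode='644'`; if that file carries a Wi-Fi PSK, `mode='600'` keeps it from being readable by every local account. `bang_is_old`, `is_pi`, `ssh_host` and `addrs` are assigned but never read in this file, so either drop them or add a comment saying what they are reserved for. The netplan branch deletes `00-installer-config.yaml` and runs `netplan apply` in one pass; a `netplan generate` step between the template and the apply would refuse a badly rendered YAML before the host is left without a network config.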
--- a/tasks.py Wed Nov 10 09:53:49 2021 -0800 +++ b/tasks.py Wed Nov 10 09:57:02 2021 -0800 @@ -19,6 +19,14 @@ @task +def net(ctx): + # workaround for https://github.com/Fizzadar/pyinfra/issues/702 + ctx.run(cmd + '-vv inventory.py exec -- rm -f /tmp/pyinfra-7ed098bf43cef74d8ab8ea095e4a95c92605c61c', pty=True) + + ctx.run(cmd + '-vv inventory.py net.py --limit slash ', pty=True) + + +@task def wireguard(ctx): ctx.run(cmd + 'inventory.py wireguard.py', pty=True)
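Review bot: `net(ctx)` hard-codes `--limit slash ` (trailing space included) into its command, so a task whose name suggests the whole inventory silently deploys to one host. If that is deliberate for the "not safe on bang yet" state named in the commit message, say so next to the line, e.g. `# limited to slash until net.py is confirmed safe on bang`; otherwise take the limit as a task argument. The `rm -f /tmp/pyinfra-7ed098bf43cef74d8ab8ea095e4a95c92605c61c` workaround embeds a fixed name that will stop matching without any error if the upstream temp-file naming changes, so a comment on how that name was obtained would help whoever has to update it. `wireguard` continues outside the hunk.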
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/templates/bang_exports.j2 Wed Nov 10 09:57:02 2021 -0800
@@ -0,0 +1,1 @@
+# none; zfs takes care of its own
\ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/templates/bang_interfaces.j2 Wed Nov 10 09:57:02 2021 -0800
@@ -0,0 +1,34 @@
+# written by ansible; do not edit
+
+# For more information, see interfaces(5).
+
+# see /etc/udev/rules.d/70-persistent-net.rules for assignments
+
+# boot will stall for these to be up
+auto lo
+
+# to comcast router, who would also serve dhcp but that was hanging on boot
+allow-hotplug ens4 ens5 enp1s0
+
+iface lo inet loopback
+
+# 60:e3:27:04:4a:85
+iface ens5 inet static
+ address 10.2.0.1
+ netmask 255.255.255.0
+ broadcast 10.2.0.255
+
+
+# e8:39:35:46:0d:bb
+iface enp1s0 inet static
+ address 10.1.0.1
+ netmask 255.255.255.0
+ broadcast 10.1.0.255
+
+
+# ...:81:9e
+iface ens4 inet dhcp
+ # house nat: (see /etc/ufw/after.rules)
+ post-up iptables -A POSTROUTING --table nat --out-interface ens4 --jump MASQUERADE
+ # fix bang to use itself as its dns. Not sure when this command needs to run.
+ post-up ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
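Review bot: `post-up iptables -A POSTROUTING --table nat --out-interface ens4 --jump MASQUERADE` appends a fresh rule on every `ifup` of ens4, so with `allow-hotplug` a link flap accumulates duplicate MASQUERADE rules; `post-up iptables -t nat -C POSTROUTING -o ens4 -j MASQUERADE || iptables -t nat -A POSTROUTING -o ens4 -j MASQUERADE` makes it idempotent. The `# house nat: (see /etc/ufw/after.rules)` comment points at a file that net.py removes on bang, together with the ufw package, in this same commit, so the reference is stale. The second `post-up` replaces `/etc/resolv.conf` with a symlink, while net.py writes `templates/resolv.conf.j2` to that same path on every host including bang; the two will keep overwriting each other. The header says `written by ansible`, but the tool in this repo is pyinfra.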
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/templates/dhcp_hosts.j2 Wed Nov 10 09:57:02 2021 -0800
@@ -0,0 +1,70 @@
+b8:97:5a:17:d7:1f,dash,10.1.0.5,infinite
+c8:60:00:98:ec:74,slash,10.1.0.6,infinite
+7c:c3:a1:b0:83:03,kelsi-imac,10.1.0.7,infinite
+1c:c1:de:56:e6:70,music,10.1.0.8,infinite
+
+a0:40:a0:6f:96:d5,orbi,10.2.0.5,infinite
+a0:40:a0:6f:aa:f8,orbi-sat1,10.2.0.6,infinite
+8c:3b:ad:c4:8d:ce,orbi-sat2,10.2.0.7,infinite
+
+# 00:0f:54:13:36:d2,prevkitchen,10.2.0.10,infinite
+b8:27:eb:d9:86:22,kitchen,10.2.0.10,infinite
+b8:27:eb:00:26:92,living,10.2.0.11,infinite
+b8:27:eb:6d:2b:6f,workshop,10.2.0.13,infinite
+b8:27:eb:81:17:92,garage,10.2.0.14,infinite
+b8:27:eb:86:28:02,bed,10.2.0.15,infinite
+b8:27:eb:d6:15:72,changing,10.2.0.16,infinite
+b8:27:eb:e9:d3:44,frontbed,10.2.0.17,infinite
+b8:27:eb:83:40:27,changing-wifi,10.2.0.18,infinite
+b8:27:eb:d4:42:c7,garage-wifi,10.2.0.19,infinite
+
+# pi4 # dc:a6:32:00:d1:de,frontdoor,10.2.0.12,infinite
+b8:27:eb:6a:41:e3,frontdoor,10.2.0.12,infinite
+
+1c:c1:de:56:e6:70,dot,10.2.0.30,infinite
+7c:c3:a1:b0:83:03,kelsi-imac,10.2.0.31,infinite
+
+78:11:dc:44:4a:48,gardencam,10.2.0.40,infinite
+78:11:dc:78:00:8d,ashercam,10.2.0.41,infinite
+34:ce:00:e4:a4:11,livingcam,10.2.0.42,infinite
+78:11:dc:78:39:31,twinscam,10.2.0.43,infinite
+24:62:ab:f8:6f:20,office_back_cam,10.2.0.44,infinite
+#...,garage_hall_cam,10.2.0.45,infinite
+
+
+94:9f:3e:7e:7d:b4,sonos-bed,10.2.0.50,infinite
+# skip .51 for old lease
+94:9f:3e:7b:45:a8,sonos-kitchen,10.2.0.52,infinite
+
+30:fd:38:79:2f:48,googlehome-ari,10.2.0.60,infinite
+38:8b:59:5b:63:5f,googlehome-bed,10.2.0.61,infinite
+48:d6:d5:75:f5:7b,googlehome-asher,10.2.0.62,infinite
+
+30:fd:38:8b:98:c0,chromecast1,10.2.0.70,infinite
+cc:08:8d:e9:60:65,chromecast2,10.2.0.71,infinite
+6c:ad:f8:1b:c5:31,chromecast3,10.2.0.72,infinite
+
+a0:cc:2b:f5:a2:21,tradfri,10.2.0.80,infinite
+d8:d5:b9:00:2c:41,powereagle,10.2.0.81,infinite
+
+3c:71:bf:8c:49:c4,cabin,10.2.0.90,infinite
+80:7d:3a:33:bd:72,kitchen-counter-lights,10.2.0.91,infinite
+dc:4f:22:4b:d9:65,kitchen-ceiling-lights,10.2.0.92,infinite
+24:0a:c4:9b:cb:c8,frontdoorlock,10.2.0.93,infinite
+18:fe:34:a6:04:31,greenhouse,10.2.0.94,infinite
+5c:cf:7f:01:58:8a,ridecontrol,10.2.0.95,infinite
+a0:20:a6:0a:87:a8,nightlight_ari,10.2.0.96,infinite
+84:f3:eb:e3:a7:84,nightlight_display1,10.2.0.97,infinite
+a0:20:a6:0b:9e:68,bed_bar_asher,10.2.0.98,infinite
+
+9c:b6:d0:1d:d1:03,plus,10.2.0.110,infinite
+#6c:19:c0:70:7e:98,unknown
+48:60:5f:69:1a:e6,drew-work-phone,10.2.0.111,infinite
+dc:ef:ca:ed:58:27,drew-note8,10.2.0.112,infinite
+fc:db:b3:ff:f3:d1,drew-note5,10.2.0.113,infinite
+38:8b:59:5b:63:5f,kelsi-ipad,10.2.0.114,infinite
+68:ab:1e:38:14:ed,kelsi-watch,10.2.0.115,infinite
+7c:c3:a1:b0:83:03,kelsi-imac-wifi,10.2.0.116,infinite
+7c:b0:c2:83:31:0f,ari-chromebook,10.2.0.117,infinite
+b0:19:c6:79:ef:55,daniele-phone,10.2.0.118,infinite
+e8:f2:e2:83:cc:c0,pf1500-projector,10.2.0.119,infinite
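Review bot: `38:8b:59:5b:63:5f` is reserved twice on the 10.2 network, as `googlehome-bed,10.2.0.61` and as `kelsi-ipad,10.2.0.114`, so one of the two MACs is a copy error and whichever entry dnsmasq honours will hand the other device an address nobody expects. `7c:c3:a1:b0:83:03` likewise appears on 10.2 as both `kelsi-imac,10.2.0.31` and `kelsi-imac-wifi,10.2.0.116`, which looks like the same slip since a wired and a wireless interface normally carry different MACs. The template has no `net` conditional, so all three dnsmasq instances load every subnet's reservations; a header such as `# rendered unchanged for every net; entries outside this instance's subnet are expected to be ignored -- confirm` would record that this is intended rather than an oversight.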
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/templates/dhcp_hosts_file.j2 Wed Nov 10 09:57:02 2021 -0800
@@ -0,0 +1,38 @@
+# by pyinfra
+
+162.243.138.136 prime-ext.bigasterisk.com public.bigasterisk.com primary.bigasterisk.com maildirfetch.bigasterisk.com vpn-ext.bigasterisk.com
+
+# This is the dns trick-- hosts at home should use the local address
+# for 'bigasterisk.com' etc instead of taking a trip to prime.
+10.2.0.1 bang bang.bigasterisk.com bigasterisk.com file.bigasterisk.com local.fantasyfamegame.com imap.bigasterisk.com repo.bigasterisk.com mail.bigasterisk.com puppet.bigasterisk.com computeracronym.quickwitretort.com csigen.quickwitretort.com drewp.quickwitretort.com kelsi.quickwitretort.com owncloud.bigasterisk.com photo.bigasterisk.com projects.bigasterisk.com quickwitretort.com whatsplayingnext.com whopickedthis.com aask.bigasterisk.com bebop.bigasterisk.com brazilog.bigasterisk.com cinepaint.bigasterisk.com craigslist.bigasterisk.com cuisine.bigasterisk.com cvs.bigasterisk.com dafnaandjonas.bigasterisk.com darcs.bigasterisk.com daveandlisa.bigasterisk.com digibook.bigasterisk.com gasuse.bigasterisk.com graphite.bigasterisk.com johnmuir.bigasterisk.com jazz.bigasterisk.com js.bigasterisk.com karinandjohn.bigasterisk.com light9.bigasterisk.com linuxmovies.bigasterisk.com lisa.bigasterisk.com lisaanddave.bigasterisk.com magma.bigasterisk.com maps.bigasterisk.com monk.bigasterisk.com ov099.bigasterisk.com picreferer.bigasterisk.com rayz.bigasterisk.com seabird.bigasterisk.com semfile.bigasterisk.com sinai.bigasterisk.com stef.bigasterisk.com wedding.bigasterisk.com wedding-john-karin.bigasterisk.com www.bigasterisk.com vpn-home.bigasterisk.com file.bigasterisk.com
+
+{% if net != '10.5' %}
+# so bang can see these names
+10.1.0.5 dash.bigasterisk.com
+10.1.0.6 slash.bigasterisk.com
+{% endif %}
+
+10.5.0.1 bang5.bigasterisk.com local.bigasterisk.com mail.bigasterisk.com
+10.5.0.2 prime5.bigasterisk.com prime.bigasterisk.com prime.vpn-ext.bigasterisk.com
+10.5.0.5 dash5.bigasterisk.com
+10.5.0.6 slash5.bigasterisk.com
+10.5.0.8 piedmont5.bigasterisk.com
+10.5.0.10 kitchen5.bigasterisk.com
+10.5.0.11 living5.bigasterisk.com
+10.5.0.12 frontdoor5.bigasterisk.com
+10.5.0.13 workshop5.bigasterisk.com
+10.5.0.14 garage5.bigasterisk.com
+10.5.0.15 bed5.bigasterisk.com
+10.5.0.16 changing5.bigasterisk.com
+10.5.0.17 frontbed5.bigasterisk.com
+10.5.0.30 dot5.bigasterisk.com
+10.5.0.99 piedmont5.bigasterisk.com
+10.5.0.110 plus5.bigasterisk.com
+10.5.0.112 drew-note85.bigasterisk.com
+
+
+{% if net == '10.5' %}
+10.5.0.1 bang.bigasterisk.com
+10.5.0.2 prime.bigasterisk.com
+10.5.0.5 dash.bigasterisk.com
+{% endif %}
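Review bot: `piedmont5.bigasterisk.com` is given two addresses, `10.5.0.8` and `10.5.0.99`, so dnsmasq is expected to answer with both A records and clients will pick one at random; if `.99` replaced `.8`, comment the old line out the way `# 00:0f:54:...` is handled in dhcp_hosts.j2. The trailing `{% if net == '10.5' %}` block adds `10.5.0.1 bang.bigasterisk.com` and `10.5.0.2 prime.bigasterisk.com`, but the unconditional lines above already map `bang.bigasterisk.com` to `10.2.0.1` and `prime.bigasterisk.com` to `10.5.0.2`, so on the 10.5 instance `bang.bigasterisk.com` resolves to two addresses and the `prime` line is a duplicate. `mail.bigasterisk.com` likewise sits on both the `10.2.0.1` and the `10.5.0.1` line, and `file.bigasterisk.com` appears twice on the `10.2.0.1` line. A one-line comment on which answer each net is meant to get would make the intended overrides checkable.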
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/templates/dnsmasq.conf.j2 Wed Nov 10 09:57:02 2021 -0800
@@ -0,0 +1,54 @@
+user=nobody
+keep-in-foreground
+log-facility=-
+
+listen-address={{ net }}.0.1
+{% if net == "10.2" %}
+listen-address=127.0.0.1
+{% endif %}
+bind-interfaces
+
+domain-needed
+no-resolv
+# i didn't say --all-servers, but it was behaving like that
+server=208.201.224.11
+#server=208.201.224.33
+#server=8.8.4.4
+#server=8.8.8.8
+local=/bigasterisk.com/
+no-hosts
+addn-hosts=/opt/dnsmasq/{{ net }}/hosts
+local-ttl=30
+mx-host=bigasterisk.com,prime6.bigasterisk.com
+cache-size=10000
+neg-ttl=60
+dns-forward-max=1000
+domain=bigasterisk.com
+
+log-dhcp
+dhcp-sequential-ip
+{% if net == "10.1" %}
+dhcp-broadcast
+dhcp-authoritative
+dhcp-option=option:domain-name,bigasterisk.com
+dhcp-hostsfile=/opt/dnsmasq/{{ net }}/dhcp_hosts
+dhcp-leasefile=/opt/dnsmasq/{{ net }}/leases
+dhcp-range=enp1s0,10.1.0.0,static,infinite
+dhcp-range=tag:!known,enp1s0,10.1.0.100,10.1.0.180
+dhcp-option=enp1s0,option:dns-server,10.1.0.1
+dhcp-option=enp1s0,option:router,10.1.0.1
+{% endif %}
+
+{% if net == "10.2" %}
+dhcp-broadcast
+dhcp-authoritative
+dhcp-option=option:domain-name,bigasterisk.com
+dhcp-hostsfile=/opt/dnsmasq/{{ net }}/dhcp_hosts
+dhcp-leasefile=/opt/dnsmasq/{{ net }}/leases
+dhcp-range=ens5,10.2.0.0,static,infinite
+dhcp-range=tag:!known,ens5,10.2.0.21,10.2.0.120,24h
+dhcp-option=ens5,option:dns-server,10.2.0.1
+dhcp-option=ens5,option:router,10.2.0.1
+{% endif %}
+
+# net==10.5 is not used for dhcp at all
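Review bot: The unknown-client range for 10.1, `dhcp-range=tag:!known,enp1s0,10.1.0.100,10.1.0.180`, carries no lease time while the 10.2 equivalent specifies `24h`, so 10.1 guests get dnsmasq's built-in default (one hour, as I recall it) rather than a deliberate value; state it explicitly so the two blocks read the same. `server=208.201.224.11` is the only active upstream and every alternative is commented out, so an outage of that single resolver stops all external lookups for every home host at once; the `--all-servers` remark hints at why, but a comment saying so next to the `server=` line would save the next reader from re-enabling the commented ones. The comment `# net==10.5 is not used for dhcp at all` would be more useful at the top, next to `listen-address`, where a reader first wonders why three instances exist.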
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/templates/dnsmasq.service.j2 Wed Nov 10 09:57:02 2021 -0800
@@ -0,0 +1,27 @@
+# custom, installed with ansible
+[Unit]
+Description=dnsmasq for {{ net }} network
+Requires=network.target
+Wants=nss-lookup.target
+Before=nss-lookup.target
+After=network.target
+
+[Service]
+Type=simple
+
+# Test the config file and refuse starting if it is not valid.
+ExecStartPre=/usr/sbin/dnsmasq --conf-file=/opt/dnsmasq/{{ net }}/dnsmasq.conf --test
+
+ExecStart=/usr/sbin/dnsmasq --conf-file=/opt/dnsmasq/{{ net }}/dnsmasq.conf
+
+# The systemd-*-resolvconf functions configure (and deconfigure)
+# resolvconf to work with the dnsmasq DNS server. They're called like
+# this to get correct error handling (ie don't start-resolvconf if the
+# dnsmasq daemon fails to start.
+ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf
+ExecStop=/etc/init.d/dnsmasq systemd-stop-resolvconf
+
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
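Review bot: `ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf` and the matching `ExecStop` line call the distro package's init script from a custom per-net unit while net.py disables the package's own `dnsmasq` service; with three instances (`dnsmasq_10.1`, `dnsmasq_10.2`, `dnsmasq_10.5`) every start and stop runs the same resolvconf hook, and a package upgrade that changes or drops that script breaks all three without a config change in this repo. With `bind-interfaces` and a fixed `listen-address` in the rendered config, `After=network.target` can run before the address is configured; `After=network-online.target` together with `Wants=network-online.target` is the usual ordering for a service that binds a specific address. The header `# custom, installed with ansible` is out of date for this repo; `# custom, installed with pyinfra` matches webforward.service.j2.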
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/templates/hosts.j2 Wed Nov 10 09:57:02 2021 -0800
@@ -0,0 +1,16 @@
+# written by pyinfra
+
+127.0.0.1 localhost
+127.0.1.1 {{ host.name }}
+
+# The following lines are desirable for IPv6 capable hosts
+::1 ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+
+
+{% if host.name in ['prime', 'piedmont'] %}
+10.5.0.1 bang bang.bigasterisk.com bang5 bang5.bigasterisk.com
+{% endif %}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/templates/netplan_dns.yaml.j2 Wed Nov 10 09:57:02 2021 -0800
@@ -0,0 +1,26 @@
+network:
+ version: 2
+ ethernets:
+ {{ipv4Interface}}:
+{% if host.name in ['prime'] %}
+ link-local: [ ipv4 ]
+ addresses: ['{{ipv4Address}}/32']
+ routes:
+ - to: 0.0.0.0/0
+ via: 162.243.138.1
+ nameservers:
+ search: ['bigasterisk.com']
+ addresses:
+ - 10.5.0.1
+ - 8.8.4.4
+ - 8.8.8.8
+{% else %}
+ dhcp4: true
+# routes:
+# - to: 0.0.0.0/0
+# via: {{ipv4Address.rsplit('.', 1)[0]}}.1
+# nameservers:
+# search: ['bigasterisk.com']
+# addresses:
+# - 10.2.0.1
+{% endif %}
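Review bot: The `{% if host.name in ['prime'] %}` branch is unreachable as far as this commit shows: net.py renders this template only for `dash`, `slash` and `garage`, so prime's static `/32` address, the `162.243.138.1` default route and its resolver list never reach a host. Either drop the branch or mark it, e.g. `{# prime branch is not rendered by net.py today; kept for a later run on prime #}`, so nobody edits it expecting an effect. In the `{% else %}` branch `ipv4Address` is passed in but only referenced inside the commented-out block, and `dhcp4: true` leaves the host's resolver to the DHCP server rather than the `10.2.0.1` the commented lines name; a one-line comment on why the static nameserver block was abandoned would keep someone from re-enabling it blindly.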
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/templates/prime_resolved.conf.j2 Wed Nov 10 09:57:02 2021 -0800
@@ -0,0 +1,3 @@
+[Resolve]
+DNS=10.5.0.1 8.8.8.8 8.8.4.4
+Domains=bigasterisk.com
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/templates/resolv.conf.j2 Wed Nov 10 09:57:02 2021 -0800
@@ -0,0 +1,7 @@
+# installed by pyinfra
+
+# see 'resolvectl status' for more
+
+nameserver 10.2.0.1
+options edns0
+search bigasterisk.com
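Review bot: net.py writes this template to `/etc/resolv.conf` on every host unconditionally, so prime — whose resolved.conf in this same commit points at `10.5.0.1` — ends up with `nameserver 10.2.0.1`, a LAN-side address the droplet presumably cannot reach, and bang points at its own 10.2 interface while its interfaces file swaps the same path for a symlink on every `ifup` of ens4. The `# see 'resolvectl status' for more` comment implies systemd-resolved owns resolution, but a static file here bypasses the resolved stub that `systemd-resolved.service` is restarted to provide. Pick one owner: drop this template and let resolved manage `/etc/resolv.conf`, or gate it in net.py with something like `if host.name not in ['prime', 'bang']:` and say so in the header comment.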
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/templates/resolved.conf.j2 Wed Nov 10 09:57:02 2021 -0800
@@ -0,0 +1,15 @@
+# Written by pyinfra
+
+# See resolved.conf(5) for details
+
+[Resolve]
+DNS=10.2.0.1
+#FallbackDNS=
+Domains=bigasterisk.com
+#LLMNR=no
+#MulticastDNS=no
+#DNSSEC=no
+#DNSOverTLS=no
+#Cache=yes
+#DNSStubListener=yes
+#ReadEtcHosts=yes
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/templates/webforward.service.j2 Wed Nov 10 09:57:02 2021 -0800
@@ -0,0 +1,15 @@
+# custom, installed with pyinfra
+[Unit]
+Description=web forward for port {{ port }}
+Requires=network.target
+Wants=nss-lookup.target
+Before=nss-lookup.target
+After=network.target
+
+[Service]
+Type=simple
+
+ExecStart=/usr/bin/socat tcp-listen:{{ port }},fork,reuseaddr tcp:bang:{{ port }}
+
+[Install]
+WantedBy=multi-user.target
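Review bot: The `[Service]` section runs `socat tcp-listen:{{ port }},fork,reuseaddr tcp:bang:{{ port }}` as root with no `User=` and no child limit, and net.py renders it only on prime, the host carrying the public `162.243.138.136` address, so every inbound connection on 80 and 443 forks a root-owned process on its way to a home machine. Dropping privileges with `User=nobody` plus `AmbientCapabilities=CAP_NET_BIND_SERVICE` for the two privileged ports, bounding concurrency with socat's `max-children=` listen option, and adding `Restart=on-failure` keeps a flood or a socat crash from taking root or the service down with it. As in dnsmasq.service.j2, `After=network.target` can fire before the address is configured; `network-online.target` is the usual ordering for a public listener. The service also has no `Restart=` at all today, so a single socat exit leaves the forward down until someone notices.

```jinja
[Service]
Type=simple
User=nobody
AmbientCapabilities=CAP_NET_BIND_SERVICE
Restart=on-failure

# <MAX_CHILDREN> is a placeholder: pick a bound that fits the expected connection load
ExecStart=/usr/bin/socat tcp-listen:{{ port }},fork,reuseaddr,max-children=<MAX_CHILDREN> tcp:bang:{{ port }}
```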