diff --git a/data/defaults.yaml b/data/defaults.yaml --- a/data/defaults.yaml +++ b/data/defaults.yaml @@ -39,6 +39,7 @@ - 127.0.0.0/8 - "[::ffff:127.0.0.0]/104" - "[::1]/128" + smtp::relay_destinations: [] smtp::virtual_aliases: [] smtp::mail_aliases: @@ -105,6 +106,26 @@ aliases: - nicolas.gattolin@softwareheritage.org +networks: {} + +networks::private_routes: + vpn: + network: 192.168.101.0/24 + gateway: "%{alias('networks::private_gateway')}" + enabled: true + azure: + network: 192.168.200.0/21 + gateway: "%{alias('networks::private_gateway')}" + enabled: true + staging: + network: 192.168.128.0/24 + gateway: "%{alias('networks::staging_gateway')}" + enabled: false + +networks::private_network: 192.168.100.0/24 +networks::private_gateway: 192.168.100.1 +networks::staging_gateway: 192.168.100.125 + locales::default_locale: C.UTF-8 locales::installed_locales: - C.UTF-8 UTF-8 diff --git a/data/hostname/db0.internal.staging.swh.network.yaml b/data/hostname/db0.internal.staging.swh.network.yaml --- a/data/hostname/db0.internal.staging.swh.network.yaml +++ b/data/hostname/db0.internal.staging.swh.network.yaml @@ -1,7 +1,6 @@ --- networks: - default: - interface: eth0 + eth0: address: 192.168.128.3 netmask: 255.255.255.0 gateway: 192.168.128.1 diff --git a/data/hostname/deposit.internal.staging.swh.network.yaml b/data/hostname/deposit.internal.staging.swh.network.yaml --- a/data/hostname/deposit.internal.staging.swh.network.yaml +++ b/data/hostname/deposit.internal.staging.swh.network.yaml @@ -1,6 +1,5 @@ networks: - default: - interface: eth0 + eth0: address: 192.168.128.7 netmask: 255.255.255.0 gateway: 192.168.128.1 diff --git a/data/hostname/gateway.internal.staging.swh.network.yaml b/data/hostname/gateway.internal.staging.swh.network.yaml --- a/data/hostname/gateway.internal.staging.swh.network.yaml +++ b/data/hostname/gateway.internal.staging.swh.network.yaml 
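Review bot: `networks::private_network: 192.168.100.0/24` is introduced in the second hunk but nothing in this commit reads it: the `private` branch of site-modules/profile/manifests/network.pp still hard-codes `192.168.100.0/24` in both the `ip route add 192.168.100.0/24 src … table private` and the matching `ip route del …` command, so the key is dead data and editing it later would silently diverge from the generated rules. Read it in the manifest next to `$private_routes`, `$private_network = lookup('networks::private_network')`, and interpolate `${private_network}` in those two lines (or drop the key until it is consumed). The other two new keys are consumed through the `%{alias(...)}` references inside `networks::private_routes`, so they are fine as written.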
@@ -1,7 +1,6 @@ --- networks: - default: - interface: eth0 + eth0: address: 192.168.100.125 netmask: 255.255.255.0 gateway: 192.168.100.1 @@ -9,9 +8,12 @@ - 'iptables -t nat -A POSTROUTING -s 192.168.128.0/24 -o eth0 -j MASQUERADE' downs: - 'iptables -t nat -F' - private: - interface: eth1 + eth1: address: 192.168.128.1 netmask: 255.255.255.0 - ups: [] - downs: [] + +networks::private_routes: + vpn: + enabled: false + azure: + enabled: false diff --git a/data/hostname/moma.softwareheritage.org.yaml b/data/hostname/moma.softwareheritage.org.yaml --- a/data/hostname/moma.softwareheritage.org.yaml +++ b/data/hostname/moma.softwareheritage.org.yaml @@ -1,14 +1,13 @@ networks: - private: - interface: eth1 - address: 192.168.100.31 - netmask: 255.255.255.0 - gateway: 192.168.100.1 - default: - interface: eth0 + eth0: address: 128.93.193.31 netmask: 255.255.255.0 gateway: 128.93.193.254 + eth1: + type: private + address: 192.168.100.31 + netmask: 255.255.255.0 + gateway: 192.168.100.1 backups::exclude: - var/lib/rabbitmq diff --git a/data/hostname/pergamon.softwareheritage.org.yaml b/data/hostname/pergamon.softwareheritage.org.yaml --- a/data/hostname/pergamon.softwareheritage.org.yaml +++ b/data/hostname/pergamon.softwareheritage.org.yaml 
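Review bot: The `networks::private_routes` override added at the end of gateway.internal.staging.swh.network.yaml looks like a no-op on this host: neither `eth0` nor `eth1` sets `type: private`, and in the new manifest `$private_routes` is only consulted inside the `if $interface_type == 'private'` branch, so disabling `vpn` and `azure` here changes nothing unless an interface outside these two hunks is private. If the intent is to keep what the old `private` label gave `eth1` (the `42 private` entry in /etc/iproute2/rt_tables, with empty `ups`/`downs`), that now needs `type: private` on `eth1` together with these route overrides; if not, the block can go. Whichever is meant, a one-line comment above `networks::private_routes` stating why the gateway disables these two routes would stop a reader from assuming the flags are in effect.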
@@ -15,33 +15,20 @@ - 192.168.200.0/21 networks: - private: - interface: eth1 + eth0: + address: 128.93.193.29 + netmask: 255.255.255.0 + gateway: 128.93.193.254 + eth1: + type: private address: 192.168.100.29 netmask: 255.255.255.0 gateway: 192.168.100.1 - ups: - - "ip route add 192.168.101.0/24 via 192.168.100.1" - - "ip route add 192.168.200.0/21 via 192.168.100.1" - - "ip route add 192.168.128.0/24 via 192.168.100.125" - - "ip rule add from 192.168.100.29 table private" - - "ip route add 192.168.100.0/24 src 192.168.100.29 dev eth1 table private" - - "ip route add default via 192.168.100.1 dev eth1 table private" - - 'ip route flush cache' - downs: - - "ip route del default via 192.168.100.1 dev eth1 table private" - - "ip route del 192.168.100.0/24 src 192.168.100.29 dev eth1 table private" - - "ip rule del from 192.168.100.29 table private" - - "ip route del 192.168.128.0/24 via 192.168.100.125" - - "ip route del 192.168.200.0/24 via 192.168.100.1" - - "ip route del 192.168.101.0/24 via 192.168.100.1" - - 'ip route flush cache' - default: - interface: eth0 - address: 128.93.193.29 - netmask: 255.255.255.0 - gateway: 128.93.193.254 +networks::private_routes: + staging: + enabled: true + # Set apache MPM to prefork apache::mpm_module: prefork diff --git a/data/hostname/scheduler0.internal.staging.swh.network.yaml b/data/hostname/scheduler0.internal.staging.swh.network.yaml --- a/data/hostname/scheduler0.internal.staging.swh.network.yaml +++ b/data/hostname/scheduler0.internal.staging.swh.network.yaml @@ -1,6 +1,5 @@ networks: - default: - interface: eth0 + eth0: address: 192.168.128.4 netmask: 255.255.255.0 gateway: 192.168.128.1 diff --git a/data/hostname/storage0.internal.staging.swh.network.yaml b/data/hostname/storage0.internal.staging.swh.network.yaml --- a/data/hostname/storage0.internal.staging.swh.network.yaml +++ b/data/hostname/storage0.internal.staging.swh.network.yaml 
@@ -1,6 +1,5 @@ networks: - default: - interface: eth0 + eth0: address: 192.168.128.2 netmask: 255.255.255.0 gateway: 192.168.128.1 diff --git a/data/hostname/tate.softwareheritage.org.yaml b/data/hostname/tate.softwareheritage.org.yaml --- a/data/hostname/tate.softwareheritage.org.yaml +++ b/data/hostname/tate.softwareheritage.org.yaml @@ -9,16 +9,15 @@ ssh::port: 2222 networks: - private: - interface: eth1 - address: 192.168.100.30 - netmask: 255.255.255.0 - gateway: 192.168.100.1 - default: - interface: eth0 + eth0: address: 128.93.193.30 netmask: 255.255.255.0 gateway: 128.93.193.254 + eth1: + type: private + address: 192.168.100.30 + netmask: 255.255.255.0 + gateway: 192.168.100.1 apache::rewrite_domains: # Must have matching certificates in letsencrypt::certificates diff --git a/data/hostname/webapp.internal.staging.swh.network.yaml b/data/hostname/webapp.internal.staging.swh.network.yaml --- a/data/hostname/webapp.internal.staging.swh.network.yaml +++ b/data/hostname/webapp.internal.staging.swh.network.yaml @@ -1,6 +1,5 @@ networks: - default: - interface: eth0 + eth0: address: 192.168.128.8 netmask: 255.255.255.0 gateway: 192.168.128.1 diff --git a/data/hostname/worker0.internal.staging.swh.network.yaml b/data/hostname/worker0.internal.staging.swh.network.yaml --- a/data/hostname/worker0.internal.staging.swh.network.yaml +++ b/data/hostname/worker0.internal.staging.swh.network.yaml @@ -1,6 +1,5 @@ networks: - default: - interface: eth0 + eth0: address: 192.168.128.5 netmask: 255.255.255.0 gateway: 192.168.128.1 diff --git a/data/hostname/worker01.softwareheritage.org.yaml b/data/hostname/worker01.softwareheritage.org.yaml --- a/data/hostname/worker01.softwareheritage.org.yaml +++ b/data/hostname/worker01.softwareheritage.org.yaml 
@@ -1,11 +1,10 @@ networks: - private: - interface: ens19 + ens19: + type: private address: 192.168.100.21 netmask: 255.255.255.0 gateway: 192.168.100.1 - default: - interface: ens18 + ens18: address: 128.93.193.21 netmask: 255.255.255.0 gateway: 128.93.193.254 diff --git a/data/hostname/worker02.softwareheritage.org.yaml b/data/hostname/worker02.softwareheritage.org.yaml --- a/data/hostname/worker02.softwareheritage.org.yaml +++ b/data/hostname/worker02.softwareheritage.org.yaml @@ -1,11 +1,10 @@ networks: - private: - interface: ens19 + ens19: + type: private address: 192.168.100.22 netmask: 255.255.255.0 gateway: 192.168.100.1 - default: - interface: ens18 + ens18: address: 128.93.193.22 netmask: 255.255.255.0 gateway: 128.93.193.254 diff --git a/data/hostname/worker03.softwareheritage.org.yaml b/data/hostname/worker03.softwareheritage.org.yaml --- a/data/hostname/worker03.softwareheritage.org.yaml +++ b/data/hostname/worker03.softwareheritage.org.yaml @@ -1,11 +1,10 @@ networks: - private: - interface: ens19 + ens19: + type: private address: 192.168.100.23 netmask: 255.255.255.0 gateway: 192.168.100.1 - default: - interface: ens18 + ens18: address: 128.93.193.23 netmask: 255.255.255.0 gateway: 128.93.193.254 diff --git a/data/hostname/worker04.softwareheritage.org.yaml b/data/hostname/worker04.softwareheritage.org.yaml --- a/data/hostname/worker04.softwareheritage.org.yaml +++ b/data/hostname/worker04.softwareheritage.org.yaml @@ -1,11 +1,10 @@ networks: - private: - interface: ens19 + ens19: + type: private address: 192.168.100.24 netmask: 255.255.255.0 gateway: 192.168.100.1 - default: - interface: ens18 + ens18: address: 128.93.193.24 netmask: 255.255.255.0 gateway: 128.93.193.254 diff --git a/data/hostname/worker05.softwareheritage.org.yaml b/data/hostname/worker05.softwareheritage.org.yaml --- a/data/hostname/worker05.softwareheritage.org.yaml +++ b/data/hostname/worker05.softwareheritage.org.yaml 
@@ -1,11 +1,10 @@ networks: - private: - interface: ens19 + ens19: + type: private address: 192.168.100.25 netmask: 255.255.255.0 gateway: 192.168.100.1 - default: - interface: ens18 + ens18: address: 128.93.193.25 netmask: 255.255.255.0 gateway: 128.93.193.254 diff --git a/data/hostname/worker06.softwareheritage.org.yaml b/data/hostname/worker06.softwareheritage.org.yaml --- a/data/hostname/worker06.softwareheritage.org.yaml +++ b/data/hostname/worker06.softwareheritage.org.yaml @@ -1,11 +1,10 @@ networks: - private: - interface: ens19 + ens19: + type: private address: 192.168.100.26 netmask: 255.255.255.0 gateway: 192.168.100.1 - default: - interface: ens18 + ens18: address: 128.93.193.26 netmask: 255.255.255.0 gateway: 128.93.193.254 diff --git a/data/hostname/worker07.softwareheritage.org.yaml b/data/hostname/worker07.softwareheritage.org.yaml --- a/data/hostname/worker07.softwareheritage.org.yaml +++ b/data/hostname/worker07.softwareheritage.org.yaml @@ -1,11 +1,10 @@ networks: - private: - interface: ens19 + ens19: + type: private address: 192.168.100.27 netmask: 255.255.255.0 gateway: 192.168.100.1 - default: - interface: ens18 + ens18: address: 128.93.193.27 netmask: 255.255.255.0 gateway: 128.93.193.254 diff --git a/data/hostname/worker08.softwareheritage.org.yaml b/data/hostname/worker08.softwareheritage.org.yaml --- a/data/hostname/worker08.softwareheritage.org.yaml +++ b/data/hostname/worker08.softwareheritage.org.yaml @@ -1,11 +1,10 @@ networks: - private: - interface: ens19 + ens19: + type: private address: 192.168.100.28 netmask: 255.255.255.0 gateway: 192.168.100.1 - default: - interface: ens18 + ens18: address: 128.93.193.28 netmask: 255.255.255.0 gateway: 128.93.193.254 diff --git a/data/hostname/worker09.softwareheritage.org.yaml b/data/hostname/worker09.softwareheritage.org.yaml --- a/data/hostname/worker09.softwareheritage.org.yaml +++ b/data/hostname/worker09.softwareheritage.org.yaml 
@@ -1,11 +1,10 @@ networks: - private: - interface: ens19 + ens19: + type: private address: 192.168.100.35 netmask: 255.255.255.0 gateway: 192.168.100.1 - default: - interface: ens18 + ens18: address: 128.93.193.35 netmask: 255.255.255.0 gateway: 128.93.193.254 diff --git a/data/hostname/worker1.internal.staging.swh.network.yaml b/data/hostname/worker1.internal.staging.swh.network.yaml --- a/data/hostname/worker1.internal.staging.swh.network.yaml +++ b/data/hostname/worker1.internal.staging.swh.network.yaml @@ -1,6 +1,5 @@ networks: - default: - interface: eth0 + eth0: address: 192.168.128.6 netmask: 255.255.255.0 gateway: 192.168.128.1 diff --git a/data/hostname/worker10.softwareheritage.org.yaml b/data/hostname/worker10.softwareheritage.org.yaml --- a/data/hostname/worker10.softwareheritage.org.yaml +++ b/data/hostname/worker10.softwareheritage.org.yaml @@ -1,11 +1,10 @@ networks: - private: - interface: ens19 + ens19: + type: private address: 192.168.100.36 netmask: 255.255.255.0 gateway: 192.168.100.1 - default: - interface: ens18 + ens18: address: 128.93.193.36 netmask: 255.255.255.0 gateway: 128.93.193.254 diff --git a/data/hostname/worker11.softwareheritage.org.yaml b/data/hostname/worker11.softwareheritage.org.yaml --- a/data/hostname/worker11.softwareheritage.org.yaml +++ b/data/hostname/worker11.softwareheritage.org.yaml @@ -1,11 +1,10 @@ networks: - private: - interface: ens19 + ens19: + type: private address: 192.168.100.37 netmask: 255.255.255.0 gateway: 192.168.100.1 - default: - interface: ens18 + ens18: address: 128.93.193.37 netmask: 255.255.255.0 gateway: 128.93.193.254 diff --git a/data/hostname/worker12.softwareheritage.org.yaml b/data/hostname/worker12.softwareheritage.org.yaml --- a/data/hostname/worker12.softwareheritage.org.yaml +++ b/data/hostname/worker12.softwareheritage.org.yaml 
@@ -1,11 +1,10 @@ networks: - private: - interface: ens19 + ens19: + type: private address: 192.168.100.38 netmask: 255.255.255.0 gateway: 192.168.100.1 - default: - interface: ens18 + ens18: address: 128.93.193.38 netmask: 255.255.255.0 gateway: 128.93.193.254 diff --git a/data/hostname/worker13.softwareheritage.org.yaml b/data/hostname/worker13.softwareheritage.org.yaml --- a/data/hostname/worker13.softwareheritage.org.yaml +++ b/data/hostname/worker13.softwareheritage.org.yaml @@ -1,11 +1,10 @@ networks: - private: - interface: ens19 + ens19: + type: private address: 192.168.100.39 netmask: 255.255.255.0 gateway: 192.168.100.1 - default: - interface: ens18 + ens18: address: 128.93.193.39 netmask: 255.255.255.0 gateway: 128.93.193.254 diff --git a/data/hostname/worker14.softwareheritage.org.yaml b/data/hostname/worker14.softwareheritage.org.yaml --- a/data/hostname/worker14.softwareheritage.org.yaml +++ b/data/hostname/worker14.softwareheritage.org.yaml @@ -1,11 +1,10 @@ networks: - private: - interface: ens19 + ens19: + type: private address: 192.168.100.40 netmask: 255.255.255.0 gateway: 192.168.100.1 - default: - interface: ens18 + ens18: address: 128.93.193.40 netmask: 255.255.255.0 gateway: 128.93.193.254 diff --git a/data/hostname/worker15.softwareheritage.org.yaml b/data/hostname/worker15.softwareheritage.org.yaml --- a/data/hostname/worker15.softwareheritage.org.yaml +++ b/data/hostname/worker15.softwareheritage.org.yaml @@ -1,11 +1,10 @@ networks: - private: - interface: ens19 + ens19: + type: private address: 192.168.100.41 netmask: 255.255.255.0 gateway: 192.168.100.1 - default: - interface: ens18 + ens18: address: 128.93.193.41 netmask: 255.255.255.0 gateway: 128.93.193.254 diff --git a/data/hostname/worker16.softwareheritage.org.yaml b/data/hostname/worker16.softwareheritage.org.yaml --- a/data/hostname/worker16.softwareheritage.org.yaml +++ b/data/hostname/worker16.softwareheritage.org.yaml 
@@ -1,11 +1,10 @@ networks: - private: - interface: ens19 + ens19: + type: private address: 192.168.100.42 netmask: 255.255.255.0 gateway: 192.168.100.1 - default: - interface: ens18 + ens18: address: 128.93.193.42 netmask: 255.255.255.0 gateway: 128.93.193.254 diff --git a/data/hostname/worker2.internal.staging.swh.network.yaml b/data/hostname/worker2.internal.staging.swh.network.yaml --- a/data/hostname/worker2.internal.staging.swh.network.yaml +++ b/data/hostname/worker2.internal.staging.swh.network.yaml @@ -1,6 +1,5 @@ networks: - default: - interface: eth0 + eth0: address: 192.168.128.11 netmask: 255.255.255.0 gateway: 192.168.128.1 diff --git a/site-modules/profile/manifests/network.pp b/site-modules/profile/manifests/network.pp --- a/site-modules/profile/manifests/network.pp +++ b/site-modules/profile/manifests/network.pp 
@@ -1,81 +1,80 @@ # Network configuration for Software Heritage servers -# -# Supports one private and one public interface class profile::network { debnet::iface::loopback { 'lo': } - # The network description is expected to be a dict of key route_label - # (values: private, default) and value a dict describing the interface. - # The interface dict has the following possible keys: - # - interface: interface's name - # - address: ip address for the node - # - netmask: netmask - # - gateway: to use for the network - # - ups: Post instruction when the interface is up (should be set to [] when - # none) - # - downs: Post instructions to run when the interface is teared down (should - # be set to [] when none) + # The `networks` hiera variable is a dict mapping interface names to a + # settings dict. Entries of the settings dict with undefined values are not + # output in the interface configuration. + # The settings dict has the following keys: + # - type (defaults to 'static'): the type of the interface as used by + # ifupdown. A special type, 'private', generates a static configuration + # with a separate routing table for the networks defined in the + # `networks::private_routes` hiera variable (e.g. the OpenVPN and azure + # machines). + # - address (ip address): ip address to set on the + # interface + # - netmask (int or netmask): netmask for the network (e.g. 
26 or 255.255.255.192) + # - gateway (ip address): address of the gateway to use for the network + # - mtu (int): MTU to set for the interface + # - extras (dict): extra configuration entries to pass to ifupdown directly + # - ups (list[str]): Instructions to run after the interface is brought up + # - downs (list[str]): instructions to run when the interface is torn down $interfaces = lookup('networks') - each($interfaces) |$label, $data| { + $private_routes = lookup('networks::private_routes', Hash, 'deep') + each($interfaces) |$interface, $data| { - if $label == 'private' { + $interface_type = pick($data['type'], 'static') + + if $interface_type == 'private' { file_line {'private route table': ensure => 'present', line => '42 private', path => '/etc/iproute2/rt_tables', } - if $data['ups'] { - $ups = $data['ups'] - } else { - $ups = [ - "ip route add 192.168.101.0/24 via ${data['gateway']}", - "ip route add 192.168.200.0/21 via ${data['gateway']}", - "ip rule add from ${data['address']} table private", - "ip route add 192.168.100.0/24 src ${data['address']} dev ${data['interface']} table private", - "ip route add default via ${data['gateway']} dev ${data['interface']} table private", - 'ip route flush cache', - ] - } + $filtered_routes = $private_routes.filter |$route_label, $route_data| { pick($route_data['enabled'], true) } - if $data['downs'] { - $downs = $data['downs'] - } else { - $downs = [ - "ip route del default via ${data['gateway']} dev ${data['interface']} table private", - "ip route del 192.168.100.0/24 src ${data['address']} dev ${data['interface']} table private", - "ip rule del from ${data['address']} table private", - "ip route del 192.168.200.0/24 via ${data['gateway']}", - "ip route del 192.168.101.0/24 via ${data['gateway']}", - 'ip route flush cache', - ] + $routes_up = $filtered_routes.map |$route_label, $route_data| { + "ip route add ${route_data['network']} via ${route_data['gateway']}" } + $routes_down = $filtered_routes.map 
|$route_label, $route_data| { + "ip route del ${route_data['network']} via ${route_data['gateway']}" + }.reverse + + $_ups = $routes_up + [ + "ip rule add from ${data['address']} table private", + "ip route add 192.168.100.0/24 src ${data['address']} dev ${interface} table private", + "ip route add default via ${data['gateway']} dev ${interface} table private", + 'ip route flush cache', + ] + + $_downs = [ + "ip route del default via ${data['gateway']} dev ${interface} table private", + "ip route del 192.168.100.0/24 src ${data['address']} dev ${interface} table private", + "ip rule del from ${data['address']} table private", + ] + $routes_down + [ + 'ip route flush cache', + ] + $method = 'static' $gateway = undef } else { - if $data['ups'] { - $ups = $data['ups'] - } else { - $ups = [] - } - - if $data['downs'] { - $downs = $data['downs'] - } else { - $downs = [] - } + $method = $interface_type $gateway = $data['gateway'] + $_ups = [] + $_downs = [] } - - debnet::iface { $data['interface']: - method => 'static', + debnet::iface { $interface: + method => $method, address => $data['address'], netmask => $data['netmask'], + mtu => $data['mtu'], gateway => $gateway, - ups => $ups, - downs => $downs, + ups => pick_default($data['ups'], $_ups, []), + downs => pick_default($data['downs'], $_downs, []), + aux_ops => pick_default($data['extras'], {}), } } }
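Review bot: The new header comment says a 'private' interface gets "a separate routing table for the networks defined in the `networks::private_routes` hiera variable", but the commands built from `$filtered_routes` are plain `ip route add ${route_data['network']} via ${route_data['gateway']}` with no `table private`, so those routes land in the main table and only the source rule, the `192.168.100.0/24` route and the default route go into table 42; reword the bullet to say that `private` adds the enabled `networks::private_routes` to the main table and creates a policy-routed table for traffic sourced from the interface address. The `ups`/`downs` bullets should also state that a host-level value replaces the generated private-table commands rather than extending them, because `pick_default($data['ups'], $_ups, [])` returns the first defined value. `$filtered_routes` keeps every entry whose `enabled` is unset, so a per-host override that introduces a new label with only `enabled: true` and no `network`/`gateway` would emit `ip route add  via ` and break interface bring-up; since these strings become root-run ifupdown hooks, a typed lookup such as `lookup('networks', Hash[String, Hash])` plus a check that each enabled route carries both keys would turn that into a catalog error instead of a half-applied route set. Minor: the `# - address (ip address): ip address to set on the` / `# interface` pair looks like an accidental wrap; rejoin it.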