Update build.sh, README.md, bird/bird.conf.tmpl, tinc/subnet-down.tmpl, tinc/subnet-up.tmpl, tinc/tinc-up.tmpl, tinc/tinc.conf.tmpl, docker-compose.yml files

Deleted gortr/roas.json, tinc/lixonet/hosts/daltx_nurd_lixo, tinc/lixonet/hosts/denco_mane_lixo, tinc/lixonet/hosts/inwwv_nurd_lixo, tinc/lixonet/hosts/lkwco_mane_lixo, tinc/lixonet/hosts/manva_nurd_lixo, tinc/lixonet/subnet-down.tmpl, tinc/lixonet/subnet-up.tmpl, tinc/lixonet/tinc-up.tmpl, tinc/lixonet/tinc.conf.tmpl, bird/rpki/hosts/denco_mane_lixo, bird/rpki/known_hosts, bird/neighbors/daltx_nurd_lixo, bird/neighbors/denco_mane_lixo, bird/neighbors/glaz_nurd_lixo, bird/neighbors/lkwco_mane_lixo, bird/neighbors/phxaz_nurd_lixo files
This commit is contained in:
sump pump 2020-05-21 21:22:04 +00:00
parent ff26404500
commit 67141ab30d
22 changed files with 72 additions and 206 deletions


@ -53,7 +53,7 @@ You **MUST** specify these options, or Lixonet will not work.
* `netmask`: router netmask: defaults to `255.255.255.0` (`/24`); _SHOULD_ be the bitmask that corresponds to the `router_prefix`
#### Tinc options
* `tinc_interface_name` - The name of the interface that Tinc should create when it's started. Defaults to `lixonet`. Set this for multiple networks.
* `network_name` - The name of the interface that Tinc should create when it's started. Defaults to `lixonet`. Set this for multiple networks.
* `tinc_bind_address` - The address that Tinc should bind to to _listen_ for incoming WAN-sided connections (i.e. 10.0.0.1). This is _not_ the Lixonet router IP (i.e. 172.31.0.8). Use this if you have an `eth1` that you _don't_ want to use for binding tinc to, and would prefer to bind tinc exclusivley to `eth0` instead.
* `tinc_connect_to` - A comma-separated list of well-known/pre-defined hosts to connect to (i.e. `denco_mane_lixo`). If not supplied, this is automatically set to all core routers that aren't yourself (`name`).


@ -12,11 +12,11 @@
log stderr all; # Using docker; defer logging to stderr (to Docker logs)
debug protocols all; # Enable debugging (this should be switched off in prod)
router id ${address};
router id ${tinc_peer_address};
# Custom routing tables
# See: https://bird.network.cz/?get_doc&v=20&f=bird-2.html (recommended read)
ipv4 table lixonet_v4;
ipv4 table ${network_name:-lixonet}_v4;
roa4 table r4; # ROA RPKI
# RPKI
@ -120,13 +120,13 @@ filter kernel_export_filter_v4
# See how dn42 does it; we're very similar: https://dn42.net/howto/Bird
protocol static {
ipv4 {
table lixonet_v4;
table ${network_name:-lixonet}_v4;
import all;
export none;
};
# Announced networks
{{ if len "${routes:-}" }}{{ range "$routes" | split "," }}route {{.}} reject;
{{ if len "${bgp_routes:-}" }}{{ range "$bgp_routes" | split "," }}route {{.}} reject;
{{ end }}{{ end }}
};
@ -136,8 +136,8 @@ protocol static {
# This prevents BGP from listening on eth0/off-network
protocol device {
scan time 10; # Scan the interfaces often
interface "lixonet" {
preferred ${address};
interface "${network_name:-lixonet}" {
preferred ${tinc_peer_address};
};
};
@ -155,7 +155,7 @@ protocol kernel { # Primary routing table
persist; # Don't remove routes on bird shutdown
scan time 10; # Scan kernel routing table every 10 seconds
ipv4 {
table lixonet_v4;
table ${network_name:-lixonet}_v4;
import none; # Don't try to import any routes from the kernel
export filter kernel_export_filter_v4; # Export everything we are told to the kernel
};
@ -168,10 +168,10 @@ protocol kernel { # Primary routing table
# individual neighbor configurations where per-neighbor configurations (such as their
# ASN) are applied.
template bgp lixonet_client {
local as ${asn}; # Local AS advertised to peers, read from lixonet.conf
local as ${bgp_asn}; # Local AS advertised to peers
source address ${address}; # What local IP address we use for any outbound TCP
# connections on port 179
source address ${tinc_peer_address}; # What local IP address we use for any outbound TCP
# connections on port 179
path metric ${bgp_path_metric:-1}; # 1 = Prefer routes with shorter paths (like Cisco does)
@ -180,7 +180,7 @@ template bgp lixonet_client {
# BGP IPv4 channel settings
ipv4 {
table lixonet_v4;
table ${network_name:-lixonet}_v4;
# Always advertise our own local address as a next hop, even in cases where the
# current Next Hop attribute should be used unchanged.
@ -204,8 +204,8 @@ template bgp lixonet_client {
};
# Neighbors
{{ range files "bird/neighbors" }} {{ if ne . "${name}" }}
{{ range files "bird/neighbors" }} {{ if ne . "${tinc_peer_name}" }}
protocol bgp {{ . }} from lixonet_client {
description "Lixonet BGP link from ${address} (ASN: ${asn}) to {{ . }}";
description "Lixonet BGP link to {{ . }}";
{{ include (print "bird/neighbors/" .) }}
};{{ end }}{{ end }}
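Review bot: `local as ${bgp_asn}` (first line of the `template bgp lixonet_client` hunk), `router id ${tinc_peer_address}` and `source address ${tinc_peer_address}` have no `:-` default and no check, so a lixonet.conf that still uses the old `asn`/`address` keys this commit renames renders as `local as ;` and BIRD rejects the whole config when the container starts rather than at build time; the same applies to `Name = ${tinc_peer_name}` in tinc.conf.tmpl. Unless sigil's substitution offers a required-variable form, the cheapest guard is `: "${bgp_asn:?}" "${tinc_peer_address:?}" "${tinc_peer_name:?}"` in build.sh right after the config is sourced, plus a header comment on this template: `# Required keys in lixonet.conf: bgp_asn, tinc_peer_address, tinc_peer_name (renamed from asn/address/name)`. `${network_name:-lixonet}_v4` is also spliced into BIRD symbol names and into the quoted `interface` pattern, so a value containing anything beyond letters, digits and underscore will presumably break the parse; that constraint belongs in the README entry for `network_name` as well.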


@ -1,2 +0,0 @@
neighbor 172.31.0.212 as 4206969212;
{{ if len "${bgp_passwd_daltx_nurd_lixo:-}" }}password "${bgp_passwd_daltx_nurd_lixo}";{{ end }}


@ -1,2 +0,0 @@
neighbor 172.31.0.8 as 4206969008;
{{ if len "${bgp_passwd_denco_mane_lixo:-}" }}password "${bgp_passwd_denco_mane_lixo}";{{ end }}


@ -1,2 +0,0 @@
neighbor 172.31.0.200 as 4206969200;
{{ if len "${bgp_passwd_glaz_nurd_lixo:-}" }}password "${bgp_passwd_glaz_nurd_lixo}";{{ end }}


@ -1,2 +0,0 @@
neighbor 172.31.0.16 as 4206969016;
{{ if len "${bgp_passwd_lkwco_mane_lixo:-}" }}password "${bgp_passwd_lkwco_mane_lixo}";{{ end }}


@ -1,2 +0,0 @@
neighbor 172.31.0.208 as 4206969208;
{{ if len "${bgp_passwd_phxaz_nurd_lixo:-}" }}password "${bgp_passwd_phxaz_nurd_lixo}";{{ end }}


@ -1 +0,0 @@
remote 172.31.0.8 port 8282;



@ -1,37 +1,55 @@
#!/bin/ash
# Tinc
# Remove existing configuration
rm -v -rf /etc/tinc/*
# Copy all tinc default files to /etc/(tinc)
find tinc -type d | xargs -I '{}' mkdir --verbose -p /etc/{}
find tinc -type f | xargs -I '{}' cp --verbose {} /etc/{}
# Fill out templates and remove them after
find /etc/tinc/ -type f -name '*.tmpl' -exec sh -c 'sigil -f {} -p $(cat /etc/lixonet/lixonet.conf | tr "\\n" " ") > "$(dirname {})/$(basename {} .tmpl)"' {} \;
find /etc/tinc/ -type f -name '*.tmpl' | xargs -I '{}' rm -f {}
# Copy private key
cp /etc/lixonet/tinc.key /etc/tinc/lixonet/rsa_key.priv
# Set permissions for tinc scripts
chmod +x /etc/tinc/lixonet/tinc-up
chmod +x /etc/tinc/lixonet/tinc-down
chmod +x /etc/tinc/lixonet/subnet-up
chmod +x /etc/tinc/lixonet/subnet-down
topdir=`pwd`
# Bird
# Remove existing configuration
rm -v -rf /etc/bird/*
# Copy all tinc default files to /etc/(bird)
find bird -type d | xargs -I '{}' mkdir --verbose -p /etc/{}
find bird -type f | xargs -I '{}' cp --verbose {} /etc/{}
# Fill out templates and remove them after
find /etc/bird/ -type f -name '*.tmpl' -exec sh -c 'sigil -f {} -p $(cat /etc/lixonet/lixonet.conf | tr "\\n" " ") > "$(dirname {})/$(basename {} .tmpl)"' {} \;
find /etc/bird/ -type f -name '*.tmpl' | xargs -I '{}' rm -f {}
for dir in /etc/lixonet/*/ # list directories in the form "/tmp/dirname/"
do
# Pop directory
cd $topdir
# GoRTR
# Remove existing configuration
rm -v -rf /etc/gortr/*
# Copy all gortr default files to /etc/(gortr)
find gortr -type d | xargs -I '{}' mkdir --verbose -p /etc/{}
find gortr -type f | xargs -I '{}' cp --verbose {} /etc/{}
dir=${dir%*/} # remove the trailing "/"
netname=${dir##*/} # print everything after the final "/"
docker-compose up -d --build
# Load relevant environment variables from lixonet.conf
unset git
source $dir/lixonet.conf
echo "Configuring Lixonet3 network $netname from $git..."
# Clone and enter the repository
git clone $git
cd "$(basename "$git" .git)"
# Copy default files
cp -r ../tinc/* tinc/
cp -r ../bird/* bird/
# Tinc
# Remove existing configuration
rm -v -rf /etc/tinc/$netname/*
# Copy all tinc default files to /etc/(tinc)
find tinc -type d | sed -e "s@tinc@tinc/${netname}@g" | xargs -I '{}' mkdir --verbose -p /etc/{}
find tinc -type f | sed -e "s@tinc@tinc/${netname}@g" | xargs -I '{}' cp --verbose {} /etc/{}
# Fill out templates and remove them after
find /etc/tinc/$netname/ -type f -name '*.tmpl' -exec sh -c 'sigil -f {} -p $(cat /etc/lixonet/$netname/lixonet.conf | tr "\\n" " ") > "$(dirname {})/$(basename {} .tmpl)"' {} \;
find /etc/tinc/$netname/ -type f -name '*.tmpl' | xargs -I '{}' rm -f {}
# Copy private key
cp /etc/lixonet/$netname/tinc.key /etc/tinc/$netname/rsa_key.priv
# Set permissions for tinc scripts
chmod +x /etc/tinc/$netname/tinc-up
chmod +x /etc/tinc/$netname/tinc-down
chmod +x /etc/tinc/$netname/subnet-up
chmod +x /etc/tinc/$netname/subnet-down
# Bird
# Remove existing configuration
rm -v -rf /etc/bird/$netname/*
# Copy all tinc default files to /etc/(bird)
find bird -type d | sed -e "s@bird@bird/${netname}@g" | xargs -I '{}' mkdir --verbose -p /etc/{}
find bird -type f | sed -e "s@bird@bird/${netname}@g" | xargs -I '{}' cp --verbose {} /etc/{}
# Fill out templates and remove them after
find /etc/bird/$netname/ -type f -name '*.tmpl' -exec sh -c 'sigil -f {} -p $(cat /etc/lixonet/$netname/lixonet.conf | tr "\\n" " ") > "$(dirname {})/$(basename {} .tmpl)"' {} \;
find /etc/bird/$netname/ -type f -name '*.tmpl' | xargs -I '{}' rm -f {}
#docker-compose up -d --build
done
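Review bot: `$netname` inside the two single-quoted `find … -exec sh -c '…'` commands (the sigil lines for tinc and for bird) is never expanded by the parent shell; the child `sh` evaluates it, and since the loop assigns `netname` without exporting it, the inner `cat` reads `/etc/lixonet//lixonet.conf` instead of the per-network file. `export netname` after the assignment, or passing it as a positional argument to `sh -c`, fixes that. Separately, `git clone $git` and the following `cd` are unchecked, so when the clone fails (empty `git` in lixonet.conf, or a directory left over from an earlier run) the script stays in `$topdir` while `rm -v -rf /etc/tinc/$netname/*` and `cp -r ../tinc/* tinc/` still execute; the rewrite below validates `git`, checks both steps and skips the network on failure. Note also that `source $dir/lixonet.conf` runs the config as shell code and that `-p $(cat …)` places every config value, including any `bgp_passwd_*` entries, on sigil's command line where it is visible to other processes on the host — worth a comment until the values are handed over through the environment.
```shell
  # Load relevant environment variables from lixonet.conf
  unset git
  source "$dir/lixonet.conf"
  # The clone URL is mandatory; skip this network rather than run the cleanup steps below from the wrong directory
  if [ -z "$git" ]; then
    echo "lixonet.conf for $netname does not set git; skipping" >&2
    continue
  fi
  echo "Configuring Lixonet3 network $netname from $git..."
  # Clone and enter the repository; skip this network if either step fails
  repo="$(basename "$git" .git)"
  git clone "$git" "$repo" || { echo "git clone failed for $netname; skipping" >&2; continue; }
  cd "$repo" || continue
  # Exported so the single-quoted sh -c bodies run by find -exec below can see it
  export netname
  # … unchanged: copy default files, tinc and bird setup …
```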


@ -9,10 +9,10 @@ services:
- "655:655/tcp"
- "655:655/udp"
volumes:
- /etc/tinc:/etc/tinc
- /etc/tinc/${NETNAME}:/etc/tinc/${NETNAME}
environment:
- RUNMODE=server
- NETNAME=lixonet
- NETNAME=${NETNAME}
cap_add:
- NET_ADMIN
devices:
@ -26,7 +26,7 @@ services:
ports:
- "179:179/tcp"
volumes:
- /etc/bird:/etc/bird
- /etc/bird/${NETNAME}:/etc/bird/${NETNAME}
cap_add:
- NET_ADMIN
restart: always
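Review bot: `${NETNAME}` on the volume line `/etc/tinc/${NETNAME}:/etc/tinc/${NETNAME}` (and on the bird volume in the second hunk) has no guard, so when `NETNAME` is absent from the environment Compose substitutes an empty string and each service mounts the whole tree (`/etc/tinc/:/etc/tinc/`, `/etc/bird/:/etc/bird/`) — the multi-network layout this commit introduces collapses back into one container. Compose's required-variable form refuses to start instead: `- /etc/tinc/${NETNAME:?NETNAME must be set}:/etc/tinc/${NETNAME}`, with the same on the bird volume and the `NETNAME=${NETNAME}` environment line. Nothing visible in this commit sets `NETNAME` before `docker-compose up` — the call in build.sh is commented out — so the invocation that exports it presumably still has to be added.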


@ -1,58 +0,0 @@
{
"roas": [
{
"comment": "denco.mane.lixo",
"asn": "AS4206969008",
"prefix": "172.31.8.0/21",
"maxLength": 21
},
{
"comment": "lkwco.mane.lixo",
"asn": "AS4206969016",
"prefix": "172.31.16.0/21",
"maxLength": 21
},
{
"comment": "inwwv.nurd.lixo",
"asn": "AS4206969200",
"prefix": "172.31.200.0/21",
"maxLength": 21
},
{
"comment": "manva.nurd.lixo",
"asn": "AS4206969208",
"prefix": "172.31.208.0/22",
"maxLength": 22
},
{
"comment": "daltx.nurd.lixo",
"asn": "AS4206969212",
"prefix": "172.31.212.0/22",
"maxLength": 22
},
{
"comment": "phxaz.nurd.lixo",
"asn": "AS4206969216",
"prefix": "172.31.216.0/21",
"maxLength": 21
},
{
"comment": "anycast denco.mane.lixo",
"asn": "AS4206969008",
"prefix": "172.31.254.0/24",
"maxLength": 24
},
{
"comment": "anycast manva.nurd.lixo",
"asn": "AS4206969208",
"prefix": "172.31.254.0/24",
"maxLength": 24
},
{
"comment": "anycast phxaz.nurd.lixo",
"asn": "AS4206969216",
"prefix": "172.31.254.0/24",
"maxLength": 24
}
]
}


@ -1,15 +0,0 @@
Address = daltx.needs.vodka
Port = 9993
Cipher = blowfish
Digest = sha1
Subnet = 172.31.0.212/32
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEA8p5Pyqe/jSht3wO2QYR/Oyxw+kZGBzeXlmESg+UM3XobOf5v60JE
08Xb+KTuykSSdsPTKjKi5ulg6oYUGeSHcne1Kg1/sri5G+r8QTGYJ+wF4FlkUmkp
JasriArrUPCg/IRcsWlRzG3i8sotzgfD78ryGN1tnNYUUT7qBguJEl/XpSLdrugH
caL/MtXdQ1WIKtRjZdqUrwdNUmpsAgDd7Oc/xJx9bdg00OltX8cJHLExHT9wl8Dy
kmAGi+C2ncyVBisWKAo0W2a6IUe/G0aZLfoIABanPBUHAvERv2AaS5sbRWJDVa5Z
umoF2QtkfrgGu0Wftu6coG58wgxgtjv9jwIDAQAB
-----END RSA PUBLIC KEY-----


@ -1,15 +0,0 @@
Address = tunnel.teamlixo.net
Port = 9993
Cipher = blowfish
Digest = sha1
Subnet = 172.31.0.8/32
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAlo0meA9kqA/IgUxiXaAqEteSBo5g2EHwdZOGpdS0FMggQDg0DsG9
je7xDsCsoelDoWXGvivRGp5vzovYMkd1KeT+alMJVsKcM+6UNjBSZ75s9TOp0/Pw
FkkhlzibiFpQ+BVng3SVnR/ZnfFTT0zn1egxlT1OPp40GcpCMf8ZFSseyWBLItxo
GXFXAZZfg/OjtnKFfnEtYpMdN/uZFk8fe9v6V2z+lcfg7wo0v2EvLnV53LBG+Rjv
TAUrE1Mkb/tET0vc5NP3fYJxCrBnMY+V+XDEb4eh/FVVwaJwK7IeM1IENpnCNMVi
m1wFyBI0inVplKvQSrBF22rW6/ccqyUv/QIDAQAB
-----END RSA PUBLIC KEY-----


@ -1,19 +0,0 @@
# This is a local node; no direct connections are possible as it
# is behind a dynamic host. Therefore, we set the host address
# to 0.0.0.0
Address = 0.0.0.0
Port = 9993
Cipher = blowfish
Digest = sha1
Subnet = 172.31.0.200/32
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAqMJesuX07HCLjDI+DuWCvZvWk9CoTLdjlYiDkHWkeyy6vkkHH+mP
qqo4mo1vPiIwQJoBxAdjO1qN1CMBA1SR/JtRLXpo2tvLHlW96vN4XbKtOuOa3rNy
OH1UGC+JOagYAAxoHQfZWmmYs8hM80g9J80jP99wuwY+ZQJELxtLpOl3hwMbFx8I
LqjiFPEMflz3wJDiFoI4dSRd+IvwIIzTUqId6yNgDpZLalZ73DvTj2GKUWZu525k
oAyWxuFit1f55tLNa0SgKf8VefDIXl4uCuQN4SUHTGQo0H/luUh92OFE+hhG1EMj
Ja45AZ+3+DYFX0eLVyTq/OCjHugHsBOAPwIDAQAB
-----END RSA PUBLIC KEY-----


@ -1,19 +0,0 @@
# This is a local node; no direct connections are possible as it
# is behind a dynamic host. Therefore, we set the host address
# to 0.0.0.0
Address = 0.0.0.0
Port = 9993
Cipher = blowfish
Digest = sha1
Subnet = 172.31.0.16/32
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAo2NyYsNCAKl0xMlyMxKfK9oJ0MV1xkotQGKXAt22wB3G23M979nz
5A/FSUaTKoiuZlGU67A+4d4VXWMXjxkaEn3xTASqv1wmrZbV5i7VIpoIbIekJ8iS
VW1e2NXgYkSECNafubMGyScUaauMU3mAAn8gcO4hLVrmXaRIElViUoFP1U/5kLik
vfDNTBdEdgy8z7Nq9nkGmq18TGVPfDSbf0DjG0jLoaBbKZwCw6dkTyCeRbjkwh+i
jVLP0vWt1B9RIrzdyRzEka81yGFDFPgDZPkql4pZdVoTG2A8953oonxPPa+HBF/d
bKAsu4QRGLCPI+AaIRxaoS2EaM9oBEqdHQIDAQAB
-----END RSA PUBLIC KEY-----


@ -1,15 +0,0 @@
Address = paperbag.needs.vodka
Port = 9993
Cipher = blowfish
Digest = sha1
Subnet = 172.31.0.208/32
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEApp+DSQCFowhht6YW3+uWynL3CH1NHvoZvWpI1Rb94z2sez32bMwD
PijqlTLYjbCf9xjV2IeGJk41QHhZs29kJmaO9BARYzl44GlmfnwQVbJVRot13r10
efa6au2gaRm6IucLB6qrExhstGfZtOfsLE3ydoeTeKq4uPy07X0GU91hXNRbrvUX
bzfvDUhLw0sd84g/15lEtm+wrUMfMhWuoVe0o3F/4x23pE+w57feK5jDxQUbE5LB
ICt0z+hzNKVqC1GKQ3sCqtMSEm9Tl/SXdCxVuWbBb2q241wgqjQZvczdbcYHkL9B
9qJWQ+Y63sm0gMRZL6tR7cXBnWF1nLEYqwIDAQAB
-----END RSA PUBLIC KEY-----


@ -1,2 +0,0 @@
#!/bin/sh
ifconfig \$INTERFACE ${address} netmask ${netmask:-255.255.255.0}

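--- /dev/null
+++ b/tinc/tinc-up.tmpl
@@ -0,0 +1,2 @@
+#!/bin/sh
+ifconfig \$INTERFACE ${tinc_peer_address} netmask ${netmask:-255.255.255.0}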


@ -6,7 +6,7 @@
# This is a configuration file for Lixonet that is already pre-configured for
# you. Please refer to your lixonet.conf file for changing parameters.
Name = ${name}
Name = ${tinc_peer_name}
# Do not change these. Lixonet runs over port 9993 by standard.
{{ if len "${tinc_bind_interface:-}" }}
@ -17,7 +17,7 @@ BindToAddress ${tinc_bind_address}
{{ end }}
Port = ${tinc_bind_port:-9994}
# Device is named "lixonet" by Tinc and visible directly in host kernel
# Device is named "${network_name:-lixonet}" by Tinc and visible directly in host kernel
DeviceType = ${tinc_device_type:-tap}
Device = ${tinc_device:-/dev/net/tun}
Mode = ${tinc_mode:-switch}
@ -41,7 +41,7 @@ DirectOnly = ${tinc_direct_only:-yes}
ConnectTo = {{.}}
{{ end }}
{{ else }}
{{ range files "tinc/lixonet/hosts" }}{{ if ne . "${name}" }}{{ if ne . "server" }}
{{ range files "tinc/hosts" }}{{ if ne . "${tinc_peer_name}" }}{{ if ne . "server" }}
ConnectTo = {{.}}
{{ end }}{{ end }}{{ end }}
{{ end }}
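Review bot: The `ConnectTo` loop in the last hunk (`{{ range files "tinc/hosts" }}{{ if ne . "${tinc_peer_name}" }}`) excludes the local node only when `tinc_peer_name` equals a file name under `tinc/hosts` exactly; if the key is unset or misspelled the template emits an empty `Name = ` and a `ConnectTo` for every host file including the node itself, and tincd refuses the config at start-up rather than at build time. A one-line note at the `Name =` line would make the contract visible: `# tinc_peer_name is required and must equal the name of this node's file under tinc/hosts`. The comment `# Device is named "${network_name:-lixonet}"` describes the interface name, but no `Interface =` directive appears in these hunks, so that presumably depends on tincd being started with `-n` set to the same value — worth confirming against the container's entrypoint.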