nigger/lixonet-ee
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'master' of github.com:Manevolent/lixonet-ee

Browse Source
This commit is contained in:
Manevolent 2021-05-18 16:44:39 -06:00
commit b7dee82b66
No known key found for this signature in database
GPG Key ID: 2E9B7592DFA4F344
15 changed files with 105 additions and 92 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1,3 @@
build/
work/
*.mesh/

19
bird/bird.conf.tmpl
View File

@ -17,7 +17,7 @@ timeformat protocol iso long; # See: https://github.com/czerwonk/bird_export
# Custom routing tables
# See: https://bird.network.cz/?get_doc&v=20&f=bird-2.html (recommended read)
ipv4 table ${network_name:-lixonet}_v4;
ipv4 table ${netname:-lixonet}_v4;
roa4 table r4; # ROA RPKI
# RPKI
@ -122,7 +122,7 @@ filter kernel_export_filter_v4
# See how dn42 does it; we're very similar: https://dn42.net/howto/Bird
protocol static {
ipv4 {
table ${network_name:-lixonet}_v4;
table ${netname:-lixonet}_v4;
import all;
export none;
};
@ -143,7 +143,7 @@ protocol static {
# This prevents BGP from listening on eth0/off-network
protocol device {
scan time 10; # Scan the interfaces often
interface "${network_name:-lixonet}" {
interface "${netname:-lixonet}" {
preferred ${tinc_peer_address};
};
};
@ -162,7 +162,7 @@ protocol kernel { # Primary routing table
persist; # Don't remove routes on bird shutdown
scan time 10; # Scan kernel routing table every 10 seconds
ipv4 {
table ${network_name:-lixonet}_v4;
table ${netname:-lixonet}_v4;
import none; # Don't try to import any routes from the kernel
export filter kernel_export_filter_v4; # Export everything we are told to the kernel
};
@ -170,10 +170,11 @@ protocol kernel { # Primary routing table
# BFD
protocol bfd {
interface "${network_name:-lixonet}" {
min rx interval 20 ms;
min tx interval 250 ms;
idle tx interval 300 ms;
interface "${netname:-lixonet}" {
min rx interval 1 s;
min tx interval 1 s;
idle tx interval 5 s;
multiplier 5;
};
};
@ -199,7 +200,7 @@ template bgp lixonet_client {
# BGP IPv4 channel settings
ipv4 {
table ${network_name:-lixonet}_v4;
table ${netname:-lixonet}_v4;
# Always advertise our own local address as a next hop, even in cases where the
# current Next Hop attribute should be used unchanged.

20
build.sh
View File

@ -2,7 +2,7 @@
process_template ( ) {
processed_filename=$(dirname $1)/$(basename $1 .tmpl)
echo "Processing template $1 -> $processed_filename with args $2"
echo "Processing template $1 -> $processed_filename"
sh -c "sigil -f $1 -p $2 > $processed_filename"
rm $1
}
@ -39,10 +39,13 @@ do
echo "Configuring Lixonet3 network $netname from $git..."
echo "Variables: $sigil_vars"
# Clone and enter the repository
# Clone and copy the repository
rm -rf "$(basename "$git" .git)"
git clone $git || { echo "clone $git failed, quitting" ; exit 1; }
cd "$(basename "$git" .git)"
echo "Creating work directory..."
rm -rf work
mkdir --verbose work
cp -r "$(basename "$git" .git)"/* work/ && cd work
# Copy default files
cp -r ../tinc/* tinc/
@ -90,8 +93,19 @@ do
find bind -type f | sed -e "s@bind/@@g" | xargs -I '{}' cp --verbose bind/{} /etc/bind/$netname/{}
# Fill out templates and remove them after
process_templates "/etc/bind/$netname/" "$sigil_vars"
# Docker
# Copy templates and dependencies to directory
mkdir docker/
cp -r ../docker/* docker/
cp -r $dir/docker/* docker/
cp ./../docker-compose.yml.tmpl .
cp ../Dockerfile.* .
process_templates "." "$sigil_vars"
echo $sigil_vars | tr ' ' '\n' > .env
cat docker-compose.yml
docker-compose -p $netname down
docker-compose -p $netname up -d --build --remove-orphans
rm .env

70
docker-compose.yml
View File

@ -1,70 +0,0 @@
version: "3.7"
services:
tinc:
build:
context: .
dockerfile: Dockerfile.tinc
volumes:
- /etc/tinc/${COMPOSE_PROJECT_NAME}:/etc/tinc/${COMPOSE_PROJECT_NAME}
- /usr/bin/docker-proxy:/usr/bin/docker-proxy
environment:
- RUNMODE=server
- NETNAME=${COMPOSE_PROJECT_NAME}
cap_add:
- NET_ADMIN
devices:
- /dev/net/tun:/dev/net/tun
restart: always
networks:
internal:
ipv4_address: ${internal_address}
bird:
network_mode: 'service:tinc'
depends_on:
- tinc
build:
context: .
dockerfile: Dockerfile.bird
volumes:
- /etc/bird/${netname}/:/etc/bird/
- bird-run:/var/run/bird/
cap_add:
- NET_ADMIN
restart: always
bind:
network_mode: 'service:tinc'
build:
context: .
dockerfile: Dockerfile.bind
volumes:
- /etc/bind/${netname}/:/etc/bind/
restart: always
bird_exporter:
network_mode: 'service:tinc'
image: czerwonk/bird_exporter
command: '-bird.v2=true -bird.socket=/var/run/bird/bird.ctl'
depends_on:
- bird
volumes:
- bird-run:/var/run/bird/
restart: always
ping_exporter:
network_mode: 'service:tinc'
image: czerwonk/ping_exporter
command: './ping_exporter --config.path /pinger.yml'
depends_on:
- tinc
volumes:
- /etc/tinc/${netname}/pinger.yml:/pinger.yml
restart: always
volumes:
bird-run:
networks:
internal:
driver: macvlan
driver_opts:
parent: eth0
ipam:
config:
- subnet: ${internal_subnet:-$internal_gateway/24}

10
docker-compose.yml.tmpl Normal file
View File

@ -0,0 +1,10 @@
version: "2"
services:
{{ range files "docker/services" }} {{ . }}:
{{ include (print "docker/services/" .) }}{{ end }}
volumes:
{{ range files "docker/volumes" }} {{ . }}:
{{ include (print "docker/volumes/" .) }}{{ end }}
networks:
{{ range files "docker/networks" }} {{ . }}:
{{ include (print "docker/networks/" .) }}{{ end }}

7
docker/networks/internal Normal file
View File

@ -0,0 +1,7 @@
driver: macvlan
driver_opts:
parent: ${internal_interface}
ipam:
config:
- subnet: ${internal_subnet}
gateway: ${internal_gateway}

7
docker/services/bind Normal file
View File

@ -0,0 +1,7 @@
network_mode: 'service:tinc'
build:
context: .
dockerfile: Dockerfile.bind
volumes:
- /etc/bind/${netname}/:/etc/bind/
restart: always

12
docker/services/bird Normal file
View File

@ -0,0 +1,12 @@
network_mode: 'service:tinc'
depends_on:
- tinc
build:
context: .
dockerfile: Dockerfile.bird
volumes:
- /etc/bird/${netname}/:/etc/bird/
- bird-run:/var/run/bird/
cap_add:
- NET_ADMIN
restart: always

8
docker/services/bird_exporter Normal file
View File

@ -0,0 +1,8 @@
network_mode: 'service:tinc'
image: czerwonk/bird_exporter
command: '-bird.v2=true -bird.socket=/var/run/bird/bird.ctl'
depends_on:
- bird
volumes:
- bird-run:/var/run/bird/
restart: always

8
docker/services/ping_exporter Normal file
View File

@ -0,0 +1,8 @@
network_mode: 'service:tinc'
image: czerwonk/ping_exporter
command: './ping_exporter --config.path /pinger.yml'
depends_on:
- tinc
volumes:
- /etc/tinc/${netname}/pinger.yml:/pinger.yml
restart: always

17
docker/services/tinc Normal file
View File

@ -0,0 +1,17 @@
build:
context: .
dockerfile: Dockerfile.tinc
volumes:
- /etc/tinc/${netname}:/etc/tinc/${netname}
- /usr/bin/docker-proxy:/usr/bin/docker-proxy
environment:
- RUNMODE=server
- NETNAME=${netname}
cap_add:
- NET_ADMIN
devices:
- /dev/net/tun:/dev/net/tun
restart: always
networks:
internal:
ipv4_address: ${internal_address}

1
docker/volumes/bird-run Normal file
View File

@ -0,0 +1 @@

4
tinc/tinc-down.tmpl
View File

@ -1,11 +1,11 @@
#!/bin/sh
{{ if len "${ip_aliases:-}" }}{{ range "$ip_aliases" | split "," }}iptables -t nat -D PREROUTING -d {{ . }} -i \$INTERFACE -j DNAT --to-destination ${tinc_peer_address}
iptables -t nat -D PREROUTING -d {{ . }} -i ${internal_interface:-eth0} -j DNAT --to-destination ${tinc_peer_address}
iptables -t nat -D PREROUTING -d {{ . }} -i eth0 -j DNAT --to-destination ${tinc_peer_address}
{{ end }}{{ end }}
# Disable IPv4 kernel routing/forwarding for this network
iptables -D FORWARD -o \$INTERFACE -d ${network_address}/${global_prefix:-16} -j ACCEPT
{{ if len "${bgp_routes:-}" }}{{ range "$bgp_routes" | split "," }}iptables -D FORWARD -o ${internal_interface:-eth0} -d {{.}} -j ACCEPT
{{ if len "${bgp_routes:-}" }}{{ range "$bgp_routes" | split "," }}iptables -D FORWARD -o eth0 -d {{.}} -j ACCEPT
{{ end }}{{ end }}
# Prevent spoofing attacks

6
tinc/tinc-up.tmpl
View File

@ -3,12 +3,12 @@ sysctl -w net.ipv6.conf.\$INTERFACE.disable_ipv6=1 || echo "[WARNING] IPv6 could
{{ if len "${vip:-}" }}ifconfig "\$INTERFACE:0" ${vip}{{ end }}
{{ if len "${ip_aliases:-}" }}{{ range "$ip_aliases" | split "," }}iptables -t nat -I PREROUTING -d {{ . }} -i \$INTERFACE -j DNAT --to-destination ${tinc_peer_address}
iptables -t nat -I PREROUTING -d {{ . }} -i ${internal_interface:-eth0} -j DNAT --to-destination ${tinc_peer_address}
iptables -t nat -I PREROUTING -d {{ . }} -i eth0 -j DNAT --to-destination ${tinc_peer_address}
{{ end }}{{ end }}
# Enable IPv4 kernel routing/forwarding for this network
iptables -A FORWARD -o \$INTERFACE -d ${network_address}/${global_prefix:-16} -j ACCEPT
{{ if len "${bgp_routes:-}" }}{{ range "$bgp_routes" | split "," }}iptables -A FORWARD -o ${internal_interface:-eth0} -d {{.}} -j ACCEPT
{{ if len "${bgp_routes:-}" }}{{ range "$bgp_routes" | split "," }}iptables -A FORWARD -o eth0 -d {{.}} -j ACCEPT
{{ end }}{{ end }}
# Prevent spoofing attacks
@ -16,4 +16,4 @@ iptables -A FORWARD -i \$INTERFACE ! -s ${network_address}/${global_prefix:-16}
{{ if len "${bgp_routes:-}" }}{{ range "$bgp_routes" | split "," }}iptables -A FORWARD -i \$INTERFACE -s {{.}} -j DROP
{{ end }}{{ end }}
ifconfig \$INTERFACE ${tinc_peer_address} netmask ${netmask:-255.255.255.0}
ifconfig \$INTERFACE ${tinc_peer_address} netmask ${netmask:-255.255.255.0}

6
tinc/tinc.conf.tmpl
View File

@ -9,11 +9,7 @@
Name = ${tinc_peer_name}
# Do not change these. Lixonet runs over port 9993 by standard.
{{ if len "${tinc_bind_interface:-}" }}
BindToInterface ${tinc_bind_interface}
{{ else }}
BindToAddress ${tinc_bind_address:-$internal_address}
{{ end }}
BindToInterface eth0
Port = ${tinc_bind_port:-9994}
# Device is named "${network_name:-lixonet}" by Tinc and visible directly in host kernel