From 61d009f18d5886db8b22ae41e04bb41a4ba2fddb Mon Sep 17 00:00:00 2001
From: Quentin
Date: Sat, 1 Jun 2019 16:02:49 +0200
Subject: Initial commit
---
ansible/roles/network/files/nsswitch.conf | 22 +++++++
ansible/roles/network/files/rules.v6 | 6 ++
.../network/files/systemd-resolve-no-listen.conf | 2 +
ansible/roles/network/handlers/main.yml | 12 ++++
ansible/roles/network/tasks/main.yml | 42 +++++++++++++
ansible/roles/network/templates/nomad-interface.j2 | 8 +++
ansible/roles/network/templates/rules.v4.j2 | 72 ++++++++++++++++++++++
7 files changed, 164 insertions(+)
create mode 100644 ansible/roles/network/files/nsswitch.conf
create mode 100644 ansible/roles/network/files/rules.v6
create mode 100644 ansible/roles/network/files/systemd-resolve-no-listen.conf
create mode 100644 ansible/roles/network/handlers/main.yml
create mode 100644 ansible/roles/network/tasks/main.yml
create mode 100644 ansible/roles/network/templates/nomad-interface.j2
create mode 100644 ansible/roles/network/templates/rules.v4.j2
(limited to 'ansible/roles/network')
diff --git a/ansible/roles/network/files/nsswitch.conf b/ansible/roles/network/files/nsswitch.conf
new file mode 100644
index 0000000..f4c3149
--- /dev/null
+++ b/ansible/roles/network/files/nsswitch.conf
@@ -0,0 +1,22 @@
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc-reference' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+
+passwd: files systemd
+group: files systemd
+shadow: files
+gshadow: files
+
+#hosts: files dns
+hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname
+networks: files
+
+protocols: db files
+services: db files
+ethers: db files
+rpc: db files
+
+netgroup: nis
+
diff --git a/ansible/roles/network/files/rules.v6 b/ansible/roles/network/files/rules.v6
new file mode 100644
index 0000000..0f402bd
--- /dev/null
+++ b/ansible/roles/network/files/rules.v6
@@ -0,0 +1,6 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+
diff --git a/ansible/roles/network/files/systemd-resolve-no-listen.conf b/ansible/roles/network/files/systemd-resolve-no-listen.conf
new file mode 100644
index 0000000..6e95967
--- /dev/null
+++ b/ansible/roles/network/files/systemd-resolve-no-listen.conf
@@ -0,0 +1,2 @@
+[Resolve]
+DNSStubListener=no
diff --git a/ansible/roles/network/handlers/main.yml b/ansible/roles/network/handlers/main.yml
new file mode 100644
index 0000000..3454894
--- /dev/null
+++ b/ansible/roles/network/handlers/main.yml
@@ -0,0 +1,12 @@
+---
+- name: reload iptables
+ shell: iptables-restore < /etc/iptables/rules.v4 && systemctl restart docker && ifdown nomad1 || true && ifup nomad1 || true
+
+- name: reload ip6tables
+ shell: ip6tables-restore < /etc/iptables/rules.v6
+
+- name: reload nomad interface
+ shell: ifdown nomad1 || true ; ifup nomad1
+
+- name: reload systemd-resolved
+ service: name=systemd-resolved state=restarted
diff --git a/ansible/roles/network/tasks/main.yml b/ansible/roles/network/tasks/main.yml
new file mode 100644
index 0000000..7f95b0f
--- /dev/null
+++ b/ansible/roles/network/tasks/main.yml
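Review bot: `:INPUT DROP` in rules.v6 has no exceptions at all, so every inbound IPv6 packet is dropped, including ICMPv6 Neighbor Discovery and the replies to the host's own outbound IPv6 connections; with that policy the `:OUTPUT ACCEPT` line is effectively moot and IPv6 on the host is broken rather than merely closed. If the intent is "no IPv6 services, but keep the stack working", the filter needs at least `-A INPUT -i lo -j ACCEPT`, `-A INPUT -p ipv6-icmp -j ACCEPT` and `-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` before COMMIT, mirroring the conntrack rule that rules.v4.j2 already carries. If the intent really is to make IPv6 unreachable, a comment saying so (`# IPv6 intentionally unreachable: NDP and return traffic are dropped as well`) would stop a later reader from "fixing" it.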
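Review bot: The `reload iptables` shell line can never report failure: `&&` and `||` have equal precedence and bind left to right, so `iptables-restore < /etc/iptables/rules.v4 && systemctl restart docker && ifdown nomad1 || true && ifup nomad1 || true` reduces to "run ifup and exit 0" whenever the restore or the docker restart fails, and Ansible shows the handler as changed while the old ruleset is still loaded. Separate the steps so the restore's exit status survives, e.g. `shell: iptables-restore < /etc/iptables/rules.v4 && systemctl restart docker` with the interface bounce moved to its own handler (or to the existing `reload nomad interface`). The unconditional `ifdown nomad1` also assumes the dummy interface exists, which tasks/main.yml only creates when `public_ip != private_ip`; the `|| true` hides that case but equally hides a real failure on hosts that do have the interface. The ifdown/ifup pair in `reload nomad interface` is fine as written, since its `||` only guards the `ifdown`.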
@@ -0,0 +1,42 @@
+- name: "Add dummy interface to handle Nomad NAT restriction nomad#2770"
+ template: src=nomad-interface.j2 dest=/etc/network/interfaces.d/nomad.cfg
+ when: public_ip != private_ip
+ notify:
+ - reload nomad interface
+
+- name: "Deploy iptablesv4 configuration"
+ template: src=rules.v4.j2 dest=/etc/iptables/rules.v4
+ notify:
+ - reload iptables
+
+- name: "Deploy iptablesv6 configuration"
+ copy: src=rules.v6 dest=/etc/iptables/rules.v6
+ notify:
+ - reload ip6tables
+
+- name: "Activate IP forwarding"
+ sysctl:
+ name: net.ipv4.ip_forward
+ value: 1
+ sysctl_set: yes
+
+- name: "Create systemd-resolved override directory"
+ file: path=/etc/systemd/resolved.conf.d/ state=directory
+
+- name: "Prevent systemd-resolved from listening on port 53 (DNS)"
+ copy: src=systemd-resolve-no-listen.conf dest=/etc/systemd/resolved.conf.d/systemd-resolve-no-listen.conf
+ notify: reload systemd-resolved
+
+- name: "Use systemd-resolved as a source for /etc/resolv.conf"
+ file:
+ src: "/run/systemd/resolve/resolv.conf"
+ dest: "/etc/resolv.conf"
+ state: link
+ force: yes
+ notify: reload systemd-resolved
+
+- name: "Update nsswitch.conf to use systemd-resolved"
+ copy: src=nsswitch.conf dest=/etc/nsswitch.conf
+
+- name: "Flush handlers"
+ meta: flush_handlers
diff --git a/ansible/roles/network/templates/nomad-interface.j2 b/ansible/roles/network/templates/nomad-interface.j2
new file mode 100644
index 0000000..74e9cd4
--- /dev/null
+++ b/ansible/roles/network/templates/nomad-interface.j2
@@ -0,0 +1,8 @@
+auto nomad1
+iface nomad1 inet manual
+ pre-up /sbin/ip link add nomad1 type dummy
+ up /sbin/ip addr add {{ public_ip }} dev nomad1
+ up /sbin/iptables -t nat -A PREROUTING -d {{ private_ip }}/32 -j NETMAP --to {{ public_ip }}/32
+ down /sbin/iptables -t nat -D PREROUTING -d {{ private_ip }}/32 -j NETMAP --to {{ public_ip }}/32
+ post-down /sbin/ip link del nomad1
+
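Review bot: The two ruleset tasks write `/etc/iptables/rules.v4` and `rules.v6` without checking that the content parses, so a templating mistake in rules.v4.j2 (for example a host in `cluster_nodes` with no `public_ip`) only surfaces when the handler runs `iptables-restore`, and that handler's exit status is masked by its trailing `|| true`. Both `template` and `copy` accept a `validate` argument and iptables-restore has a dry-run mode, so `template: src=rules.v4.j2 dest=/etc/iptables/rules.v4 validate='iptables-restore --test %s'` and `copy: src=rules.v6 dest=/etc/iptables/rules.v6 validate='ip6tables-restore --test %s'` would reject a broken file before it replaces the live one. The rules files also embed the cluster and allow-listed addresses, so an explicit `mode: 0600` on both tasks is preferable to relying on the default mode. The last copy task rewrites the distribution-managed /etc/nsswitch.conf with no `backup: yes` and no comment on why the whole file is replaced rather than only the `hosts:` line.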
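Review bot: The NETMAP rule installed by the `up` line lives only in the kernel, outside rules.v4.j2, so every `iptables-restore < /etc/iptables/rules.v4` replaces the whole `*nat` table and silently drops it; the `reload iptables` handler works around that by bouncing nomad1, and the `reload nomad interface` handler does it again, so one ruleset change deletes and recreates the dummy interface twice. Rendering the rule into the `*nat` section of rules.v4.j2 under the same `public_ip != private_ip` condition, and keeping this stanza to `pre-up`, `up /sbin/ip addr add` and `post-down`, would make the ruleset file the single source of truth and make the bounce unnecessary. `up /sbin/ip addr add {{ public_ip }} dev nomad1` gives no prefix length, which ip(8) treats as /32 for IPv4 and is what the `--to {{ public_ip }}/32` side expects, but writing `{{ public_ip }}/32` avoids depending on that default. Nothing in this file explains why a dummy interface carries the public address; a header comment naming the Nomad NAT restriction the task title refers to would spare the next reader the search.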
diff --git a/ansible/roles/network/templates/rules.v4.j2 b/ansible/roles/network/templates/rules.v4.j2
new file mode 100644
index 0000000..a77852f
--- /dev/null
+++ b/ansible/roles/network/templates/rules.v4.j2
@@ -0,0 +1,72 @@
+
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+
+# DNS
+-A INPUT -p udp --dport 53 -j ACCEPT
+-A INPUT -p tcp --dport 53 -j ACCEPT
+
+# Email
+-A INPUT -p tcp --dport 993 -j ACCEPT
+-A INPUT -p tcp --dport 25 -j ACCEPT
+-A INPUT -p tcp --dport 465 -j ACCEPT
+-A INPUT -p tcp --dport 587 -j ACCEPT
+
+# Old SSH configuration
+-A INPUT -p tcp --dport 110 -j ACCEPT
+
+# New SSH configuration
+-A INPUT -p tcp --dport 22 -j ACCEPT
+
+# LDAP
+-A INPUT -p tcp --dport 389 -j ACCEPT
+
+# Web
+-A INPUT -p tcp --dport 80 -j ACCEPT
+-A INPUT -p tcp --dport 443 -j ACCEPT
+
+# Coturn
+-A INPUT -p tcp --dport 3478 -j ACCEPT
+-A INPUT -p udp --dport 3478 -j ACCEPT
+-A INPUT -p tcp --dport 3479 -j ACCEPT
+-A INPUT -p udp --dport 3479 -j ACCEPT
+
+# Cluster
+{% for selected_host in groups['cluster_nodes'] %}
+-A INPUT -s {{ hostvars[selected_host]['public_ip'] }} -j ACCEPT
+-A INPUT -s {{ hostvars[selected_host]['private_ip'] }} -j ACCEPT
+{% endfor %}
+
+# Rennes
+-A INPUT -s 82.253.205.190 -j ACCEPT
+
+-A INPUT -i docker0 -j ACCEPT
+
+-A INPUT -s 127.0.0.1/8 -j ACCEPT
+
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+COMMIT
+
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+
+COMMIT
+
+
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+
+COMMIT
+
+
--
cgit v1.2.3
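Review bot: `-A INPUT -p tcp --dport 389 -j ACCEPT` opens plain LDAP to any source, while every host that plausibly needs it is already fully admitted by the `# Cluster` loop (`-A INPUT -s {{ hostvars[selected_host]['public_ip'] }} -j ACCEPT` and its private_ip twin), so the world-open rule exposes the directory, and any simple-bind credentials sent to it in clear, for no consumer visible in this role; restrict it to the cluster addresses, drop it, or document the external client it serves. Loopback is admitted by source address (`-A INPUT -s 127.0.0.1/8 -j ACCEPT`) rather than by interface; the kernel's martian filtering normally stops spoofed 127/8 arriving on the wire, but `-A INPUT -i lo -j ACCEPT` is the form that does not depend on that and is the one to use here. The `# Old SSH configuration` label on port 110 and the `# Rennes` allow-list entry carry history a reader cannot recover from the rules themselves; a one-line comment on each (`# legacy sshd port, remove once every client uses 22` and what the Rennes address is) would help. Moving `-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` to the top of the chain is the conventional ordering and avoids walking the whole allow-list for every packet of an established flow.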