---
# Handler: bounce the re6stnet service once one of its config files changed.
- name: restart re6stnet
  service:
    name: re6stnet
    state: restarted
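---
# Play: turn the machine Ansible runs on into a quagga BGP speaker via the
# he-quagga role. Everything runs locally (hosts 127.0.0.1, connection local).
- name: a play that runs entirely on the ansible host
  hosts: 127.0.0.1
  connection: local
  vars_prompt:
    # NOTE(review): nothing in the he-quagga role visible here reads
    # local_ipv4 (bgpd.conf is copied verbatim, not templated); confirm
    # the prompt is still needed.
    - name: "local_ipv4"
      prompt: "When finish we please update the /etc/quagga/bgpd.conf."
      private: false  # canonical boolean (was the YAML 1.1 "no")
  roles:
    - he-quagga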
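---
# Play: install radvd (rendered from the role's template) and dnsmasq on this
# machine, then make re6stnet use eth0 and launch radvd itself.
- name: a play that runs entirely on the ansible host
  hosts: 127.0.0.1
  connection: local
  vars_prompt:
    - name: "network_prefix"
      prompt: "RADVD Adv. Network"
      private: false  # canonical boolean (was the YAML 1.1 "no")
  roles:
    - role: radvd
    - role: package
      package_name: dnsmasq
      package_state: present
  tasks:
    # The re6stnet lines are only added when re6stnet is already configured;
    # a missing config file is left untouched.
    - name: Check if configuration exists already
      stat:
        path: /etc/re6stnet/re6stnet.conf
      register: re6stnet_conf

    # One loop instead of three identical lineinfile tasks: each line is
    # appended once if absent and notifies the role's "restart re6stnet"
    # handler. eth0 is hard-coded here and in the radvd template.
    - name: Point re6stnet at eth0 and let it run radvd
      lineinfile:
        dest: /etc/re6stnet/re6stnet.conf
        line: "{{ item }}"
        state: present
      with_items:
        - "interface eth0"
        - "main-interface eth0"
        - 'daemon "/usr/sbin/radvd -n /etc/radvd.conf"'
      notify: restart re6stnet
      when: re6stnet_conf.stat.exists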
! -*- bgp -*-
!
! BGPd grandenet configuration file
!
! UPDATE ALL XXX
! NOTE(review): the he-quagga role installs this file verbatim (copy:, not
! template:), so every XXX below must be replaced by hand before deployment.
hostname bgpd
! "zebra" is the upstream sample default; anyone who can reach the bgpd vty
! can log in with it. Set a site-specific password (and an enable password)
! before exposing the host.
password zebra
!enable password please-set-at-here
!
!bgp mulitple-instance
!
! Local AS number - placeholder.
router bgp XXX
! IPv6-only session: IPv4 unicast is not activated by default.
no bgp default ipv4-unicast
bgp log-neighbor-changes
! All upstream sessions share the "upstream" peer-group (remote AS 6939).
neighbor upstream peer-group
neighbor upstream remote-as 6939
neighbor upstream update-source XXX
!
address-family ipv6
! Our own prefix to originate - placeholder.
network XXX
neighbor upstream activate
neighbor upstream remove-private-AS
! Inbound: pl-transit-64-v6i below rejects every prefix from upstream;
! outbound: only our own prefix is announced.
neighbor upstream prefix-list pl-transit-64-v6i in
neighbor upstream prefix-list pl-XXX-v6-to-upstream out
! Peer address - placeholder.
neighbor XXX peer-group upstream
exit-address-family
!
! Accept nothing from upstream. NOTE(review): a default route must then come
! from somewhere else - confirm before relying on this session for transit.
ipv6 prefix-list pl-transit-64-v6i deny any
!
! Announce only our prefix; drop anything else that might leak.
ipv6 prefix-list pl-XXX-v6-to-upstream permit XXX
ipv6 prefix-list pl-XXX-v6-to-upstream deny any
!
log file /var/log/quagga/bgpd.log
!
!log stdout
# This file tells the quagga package which daemons to start.
#
# Entries are in the format: <daemon>=(yes|no|priority)
# 0, "no" = disabled
# 1, "yes" = highest priority
# 2 .. 10 = lower priorities
# Read /usr/share/doc/quagga/README.Debian for details.
#
# Sample configurations for these daemons can be found in
# /usr/share/doc/quagga/examples/.
#
# ATTENTION:
#
# When activation a daemon at the first time, a config file, even if it is
# empty, has to be present *and* be owned by the user and group "quagga", else
# the daemon will not be started by /etc/init.d/quagga. The permissions should
# be u=rw,g=r,o=.
# When using "vtysh" such a config file is also needed. It should be owned by
# group "quaggavty" and set to ug=rw,o= though. Check /etc/pam.d/quagga, too.
#
# The watchquagga daemon is always started. Per default in monitoring-only but
# that can be changed via /etc/quagga/debian.conf.
#
# Only zebra and bgpd (plus vtysh) are enabled for this router; every other
# routing daemon stays off. bgpd.conf and zebra.conf must therefore exist and
# be readable by the quagga user, as described above.
vtysh_enable=yes
zebra=yes
bgpd=yes
ospfd=no
ospf6d=no
ripd=no
ripngd=no
isisd=no
babeld=no
!
! Sample configuration file for vtysh.
!
! vtysh keeps the running config in one integrated file instead of one per
! daemon.
service integrated-vtysh-config
!hostname quagga-router
! root gets into vtysh without a password. Per the note in the daemons file
! this config is expected to be group "quaggavty" with ug=rw,o=.
username root nopassword
!
! -*- zebra -*-
!
! zebra sample configuration file
!
! $Id: zebra.conf.sample,v 1.1 2002/12/13 20:15:30 paul Exp $
!
hostname Router
! NOTE(review): "zebra" for both the vty and the enable password is the
! unchanged sample default, so anyone who can reach the zebra vty gets
! configuration access with it. Set site-specific values (and keep the vty
! bound to localhost - that is decided in /etc/quagga/debian.conf, not shown
! here) before deploying.
password zebra
enable password zebra
!
! Interface's description.
!
!interface lo
! description test of desc.
!
!interface sit0
! multicast
!
! Static default route sample.
!
!ip route 0.0.0.0/0 203.181.89.241
!
log file /var/log/quagga/zebra.log
---
# he-quagga handlers: restart re6stnet after the "gateway" line was added.
- name: restart re6stnet
  service:
    state: restarted
    name: re6stnet
---
# Role dependencies: quagga has to be installed before the tasks drop
# configuration files into /etc/quagga.
dependencies:
  - role: package
    package_name: quagga
    package_state: present
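---
# he-quagga tasks: flag this host as a re6stnet gateway and install the
# quagga configuration files shipped with the role.

# The gateway line is only added when re6stnet is already configured.
- name: Check if configuration exists already
  stat:
    path: /etc/re6stnet/re6stnet.conf
  register: re6stnet_conf

- name: Mark this host as a re6stnet gateway
  lineinfile:
    dest: /etc/re6stnet/re6stnet.conf
    line: gateway
    state: present
  notify: restart re6stnet
  when: re6stnet_conf.stat.exists

# The role's daemons file states that a daemon config must be owned by
# user/group "quagga" or /etc/init.d/quagga will not start the daemon. With
# no owner/group given, a freshly created root:root 0660 file cannot be read
# by the quagga user, so owner and group are set explicitly. The files are
# copied verbatim (copy:, not template:); bgpd.conf's XXX placeholders must
# already be filled in.
- name: Install quagga daemon configuration
  copy:
    src: "{{ item }}"
    dest: "/etc/quagga/{{ item }}"
    owner: quagga
    group: quagga
    mode: "0660"
  with_items:
    - bgpd.conf
    - daemons
    - zebra.conf

# vtysh.conf is the exception: the same note asks for group "quaggavty",
# ug=rw,o= (0660).
- name: Install vtysh configuration
  copy:
    src: vtysh.conf
    dest: /etc/quagga/vtysh.conf
    owner: quagga
    group: quaggavty
    mode: "0660"

# NOTE(review): nothing restarts quagga when these files change; the only
# handler in this role is "restart re6stnet". Add a quagga handler if the
# daemons are expected to pick up new configs without a reboot.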
---
# radvd handlers: re6stnet is restarted so it relaunches radvd with the new
# configuration.
- name: restart re6stnet
  service:
    name: "re6stnet"
    state: "restarted"
---
# Role dependencies: radvd must be present before /etc/radvd.conf is rendered.
dependencies:
  - role: package
    package_name: radvd
    package_state: present
---
# radvd tasks: render the role's radvd.conf.in (Jinja) into /etc/radvd.conf.
# network_prefix, which the template expands, is supplied by the playbook's
# vars_prompt.
# NOTE(review): no radvd handler is notified here; the playbook adds a
# `daemon "/usr/sbin/radvd ..."` line to re6stnet.conf instead - confirm that
# restarting re6stnet is what brings a changed radvd.conf into effect.
- name: copy templates
  template:
    src: radvd.conf.in
    dest: /etc/radvd.conf
    mode: "0660"
# radvd configuration rendered by the radvd role (Jinja template; only
# network_prefix is substituted). Router advertisements go out on eth0 for
# the /64 built by appending "c000" to network_prefix.
# NOTE(review): the concatenation only yields a valid prefix for a suitably
# shaped network_prefix (the prompt gives no format hint) - verify the
# rendered /etc/radvd.conf.
interface eth0
{
AdvSendAdvert on;
prefix {{ network_prefix}}c000/64
{
};
};
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
# eth0 is the only interface and belongs to the "net" zone; the broadcast
# address is auto-detected. "routeback" additionally allows traffic that came
# in on eth0 to be sent back out through eth0 (presumably for the hairpin
# DNAT/masq entries in rules and masq - confirm).
net eth0 detect routeback
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
###############################################################################
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
$FW net ACCEPT
# NOTE(review): "net all ACCEPT" together with the catch-all below means every
# connection in every direction is accepted by default, so this firewall
# filters nothing; the ACCEPT entries in rules are redundant under these
# policies and only the DNAT entries have an effect. Tighten this to
# "net all DROP" (or REJECT) once the required ports are listed in rules.
net all ACCEPT
# The FOLLOWING POLICY MUST BE LAST
all all ACCEPT
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
##############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
# Two zones only: the firewall host itself ($FW) and everything reachable on
# eth0 as "net" (see interfaces).
fw firewall
net ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
---
# Role dependencies: install shorewall before its configuration is written.
dependencies:
  - role: package
    package_name: shorewall
    package_state: present
---
# shorewall tasks: interfaces/policy/zones are static files copied as-is;
# masq and rules are Jinja templates that expand local_ipv4 and public_ipv4
# from the playbook's vars_prompt.
# NOTE(review): no handler visible here reloads shorewall once these files
# change - confirm how the new configuration is meant to take effect.
- name: Copy files
  copy:
    src: "{{ item }}"
    dest: "/etc/shorewall/{{ item }}"
    mode: "0660"
  with_items:
    - interfaces
    - policy
    - zones

- name: copy templates
  template:
    src: "{{ item }}"
    dest: "/etc/shorewall/{{ item }}"
    mode: "0660"
  with_items:
    - masq
    - rules
#INTERFACE SOURCE ADDRESS PROTO PORT
# Rendered by the shorewall role; local_ipv4 and public_ipv4 come from the
# playbook's vars_prompt.
# NOTE(review): this looks like the SNAT half of the DNAT entries in rules
# (traffic leaving eth0 towards local_ipv4 on 4443/8080 gets source address
# public_ipv4) - confirm against the rendered file.
eth0:{{ local_ipv4 }} 0.0.0.0/0 {{ public_ipv4 }} tcp 4443
eth0:{{ local_ipv4 }} 0.0.0.0/0 {{ public_ipv4 }} tcp 8080
#############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
# NOTE(review): the ACCEPT lines below only matter once the policy file stops
# accepting everything from "net" by default; today they are redundant.
Ping/ACCEPT net $FW
# ssh (the most important thing...)
ACCEPT net $FW tcp 22
# NOTE(review): 1194 is undocumented here - presumably a VPN listener; confirm.
ACCEPT net $FW tcp 1194
# Access local slapos services
# slappart16
# Forward public 443/80 to local_ipv4 on 4443/8080 (values come from the
# playbook's vars_prompt). Every host in "net" can reach these services.
DNAT net $FW:{{ local_ipv4 }}:4443 tcp 443
DNAT net $FW:{{ local_ipv4 }}:8080 tcp 80
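---
# Play: configure shorewall on this machine. The two prompted addresses feed
# the role's masq and rules templates (DNAT/SNAT of 443/80 towards
# local_ipv4).
- name: a play that runs entirely on the ansible host
  hosts: 127.0.0.1
  connection: local
  vars_prompt:
    - name: "local_ipv4"
      prompt: "IPv4 of apache"
      private: false  # canonical boolean (was the YAML 1.1 "no")
    - name: "public_ipv4"
      prompt: "IPv4 on eth0"
      private: false
  roles:
    - shorewall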