construqt 0.0.1

data/lib/construqt/flavour/ubuntu/flavour_ubuntu.rb

@@ -0,0 +1,381 @@
+
+require_relative 'flavour_ubuntu_dns.rb'
+require_relative 'flavour_ubuntu_ipsec.rb'
+require_relative 'flavour_ubuntu_bgp.rb'
+require_relative 'flavour_ubuntu_opvn.rb'
+require_relative 'flavour_ubuntu_vrrp.rb'
+require_relative 'flavour_ubuntu_firewall.rb'
+require_relative 'flavour_ubuntu_result.rb'
+require_relative 'flavour_ubuntu_services.rb'
+
+module Construqt
+  module Flavour
+    module Ubuntu
+      def self.name
+        'ubuntu'
+      end
+
+      Flavour.add(self)
+
+      #  class Interface < OpenStruct
+      #    def initialize(cfg)
+      #      super(cfg)
+      #    end
+
+      #    def build_config(host, iface)
+      #      self.clazz.build_config(host, iface||self)
+      #    end
+
+      #  end
+
+      class Device < OpenStruct
+        def initialize(cfg)
+          super(cfg)
+        end
+
+        def self.add_address(host, ifname, iface, lines, writer)
+          if iface.address.nil?
+            Firewall.create(host, ifname, iface)
+            return
+          end
+
+          writer.header.mode(EtcNetworkInterfaces::Entry::Header::MODE_DHCP) if iface.address.dhcpv4?
+          writer.header.mode(EtcNetworkInterfaces::Entry::Header::MODE_LOOPBACK) if iface.address.loopback?
+          lines.add(iface.flavour) if iface.flavour
+          iface.address.ips.each do |ip|
+            lines.up("ip addr add #{ip.to_string} dev #{ifname}")
+            lines.down("ip addr del #{ip.to_string} dev #{ifname}")
+          end
+
+          iface.address.routes.each do |route|
+            if route.metric
+              metric = " metric #{route.metric}"
+            else
+              metric = ""
+            end
+            lines.up("ip route add #{route.dst.to_string} via #{route.via.to_s}#{metric}")
+            lines.down("ip route del #{route.dst.to_string} via #{route.via.to_s}#{metric}")
+          end
+
+          Firewall.create(host, ifname, iface)
+        end
+
+        def build_config(host, iface)
+          self.class.build_config(host, iface)
+        end
+
+        def self.add_services(host, ifname, iface, writer)
+          iface.services && iface.services.each do |service|
+            Services.get_renderer(service).interfaces(host, ifname, iface, writer)
+          end
+        end
+
+        def self.build_config(host, iface)
+          #      binding.pry
+          writer = host.result.etc_network_interfaces.get(iface)
+          writer.header.protocol(EtcNetworkInterfaces::Entry::Header::PROTO_INET4)
+          #binding.pry #unless iface.delegate
+          writer.lines.add(iface.delegate.flavour) if iface.delegate.flavour
+          ifname = writer.header.get_interface_name
+          #      ifaces.header.mode(Result::EtcNetworkInterfaces::Entry::Header::MODE_DHCP4) if iface.address.dhcpv4?
+          #      ifaces.header.mode(Result::EtcNetworkInterfaces::Entry::Header::MODE_LOOOPBACK) if iface.address.loopback?
+          writer.lines.up("ip link set mtu #{iface.delegate.mtu} dev #{ifname} up")
+          writer.lines.down("ip link set dev #{ifname} down")
+          add_address(host, ifname, iface.delegate, writer.lines, writer) #unless iface.address.nil? || iface.address.ips.empty?
+          add_services(host, ifname, iface.delegate, writer)
+        end
+      end
+
+      class Bond < OpenStruct
+        def initialize(cfg)
+          super(cfg)
+        end
+
+        def build_config(host, bond)
+          bond_delegate = bond.delegate
+          bond_delegate.interfaces.each do |i|
+            host.result.etc_network_interfaces.get(i).lines.add("bond-master #{bond_delegate.name}")
+          end
+
+          mac_address = bond_delegate.mac_address || Construqt::Util.generate_mac_address_from_name("#{host.name} #{bond_delegate.name}")
+          host.result.etc_network_interfaces.get(bond_delegate).lines.add(<<BOND)
+pre-up ip link set dev #{bond_delegate.name} mtu #{bond_delegate.mtu} address #{mac_address}
+bond-mode #{bond_delegate.mode||'active-backup'}
+bond-miimon 100
+bond-lacp-rate 1
+bond-slaves none
+BOND
+          Device.build_config(host, bond)
+        end
+      end
+
+      class Vlan < OpenStruct
+        def initialize(cfg)
+          super(cfg)
+        end
+
+        def build_config(host, iface)
+          vlan = iface.name.split('.')
+          throw "vlan name not valid if.# => #{iface.name}" if vlan.length != 2 ||
+            !vlan.first.match(/^[0-9a-zA-Z]+$/) ||
+            !vlan.last.match(/^[0-9]+/) ||
+            !(1 <= vlan.last.to_i && vlan.last.to_i < 4096)
+          Device.build_config(host, iface)
+        end
+      end
+
+      class Bridge < OpenStruct
+        def initialize(cfg)
+          super(cfg)
+        end
+
+        def build_config(host, iface)
+          port_list = iface.interfaces.map { |i| i.name }.join(",")
+          host.result.etc_network_interfaces.get(iface).lines.add("bridge_ports #{port_list}")
+          Device.build_config(host, iface)
+        end
+      end
+
+      class Host < OpenStruct
+        def initialize(cfg)
+          super(cfg)
+        end
+
+        def build_config(host, unused)
+          host.result.add(self, <<SCTL, Construqt::Resources::Rights::ROOT_0644, "etc", "sysctl.conf")
+net.ipv4.conf.all.forwarding = 1
+net.ipv4.conf.default.forwarding = 1
+net.ipv4.vs.pmtu_disc=1
+
+net.ipv6.conf.all.autoconf=0
+net.ipv6.conf.all.accept_ra=0
+net.ipv6.conf.all.forwarding=1
+SCTL
+          host.result.add(self, <<HOSTS, Construqt::Resources::Rights::ROOT_0644, "etc", "hosts")
+127.0.0.1       localhost
+::1             localhost ip6-localhost ip6-loopback
+fe00::0         ip6-localnet
+ff00::0         ip6-mcastprefix
+ff02::1         ip6-allnodes
+ff02::2         ip6-allrouters
+
+127.0.1.1       #{host.name} #{host.region.network.fqdn(host.name)}
+HOSTS
+          host.result.add(self, host.name, Construqt::Resources::Rights::ROOT_0644, "etc", "hostname")
+          host.result.add(self, "# WTF resolvconf", Construqt::Resources::Rights::ROOT_0644, "etc", "resolvconf", "resolv.conf.d", "orignal");
+          host.result.add(self,
+                          (host.region.network.dns_resolver.nameservers.ips.map{|i| "nameserver #{i.to_s}" }+
+                           ["search #{host.region.network.dns_resolver.search.join(' ')}"]).join("\n"),
+                          Construqt::Resources::Rights::ROOT_0644, "etc", "resolv.conf")
+          #binding.pry
+          Dns.build_config(host) if host.delegate.dns_server
+          akeys = []
+          ykeys = []
+          skeys = []
+          host.region.users.all.each do |u|
+            akeys << u.public_key if u.public_key
+            ykeys << "#{u.name}:#{u.yubikey}" if u.yubikey
+            skeys << "#{u.shadow}" if u.shadow
+          end
+
+          host.result.add(self, skeys.join(), Construqt::Resources::Rights::ROOT_0644, "etc", "shadow.merge")
+          host.result.add(self, akeys.join(), Construqt::Resources::Rights::ROOT_0644, "root", ".ssh", "authorized_keys")
+          host.result.add(self, ykeys.join("\n"), Construqt::Resources::Rights::ROOT_0644, "etc", "yubikey_mappings")
+
+          host.result.add(self, <<SSH , Construqt::Resources::Rights::ROOT_0644, "etc", "ssh", "sshd_config")
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 1024
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin without-password
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile	%h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+SSH
+          host.result.add(self, <<PAM , Construqt::Resources::Rights::ROOT_0644, "etc", "pam.d", "openvpn")
+          #{host.delegate.yubikey ? '':'# '}auth required pam_yubico.so id=16 authfile=/etc/yubikey_mappings
+auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
+auth requisite pam_deny.so
+
+@include common-account
+@include common-session-noninteractive
+PAM
+          #binding.pry
+          host.delegate.files && host.delegate.files.each do |file|
+            if host.result.replace(nil, file.data, file.right, *file.path)
+              Construqt.logger.warn("the file #{file.path} was overriden!")
+            end
+          end
+        end
+      end
+
+      class Gre < OpenStruct
+        def initialize(cfg)
+          super(cfg)
+        end
+
+        def build_config(host, gre)
+          gre_delegate = gre.delegate
+          #      binding.pry
+          cfg = nil
+          if gre_delegate.local.first_ipv6
+            cfg = OpenStruct.new(:prefix=>6, :my=>gre_delegate.local.first_ipv6, :other => gre_delegate.remote.first_ipv6, :mode => "ip6gre")
+          elsif gre_delegate.local.first_ipv4
+            cfg = OpenStruct.new(:prefix=>4, :my=>gre_delegate.local.first_ipv4, :other => gre_delegate.remote.first_ipv4, :mode => "ipgre")
+          end
+
+          throw "need a local address #{host.name}:#{gre_delegate.name}" unless cfg
+          local_iface = host.interfaces.values.find { |iface| iface.address.match_network(cfg.my) }
+          throw "need a interface with address #{host.name}:#{cfg.my}" unless local_iface
+          iname = Util.clean_if("gt#{cfg.prefix}", gre_delegate.name)
+
+          writer_local = host.result.etc_network_interfaces.get(local_iface)
+          writer_local.lines.up("/bin/bash /etc/network/#{iname}-up.iface")
+          writer_local.lines.down("/bin/bash /etc/network/#{iname}-down.iface")
+
+
+          writer = host.result.etc_network_interfaces.get(gre_delegate)
+          writer.skip_interfaces.header.interface_name(iname)
+          writer.lines.up("ip -#{cfg.prefix} tunnel add #{iname} mode #{cfg.mode} local #{cfg.my.to_s} remote #{cfg.other.to_s}")
+          #      writer.lines.up("ip -#{cfg.prefix} link set dev #{iname} up")
+          Device.build_config(host, gre)
+          #      Device.add_address(host, iname, iface, writer.lines, writer)
+          writer.lines.down("ip -#{cfg.prefix} tunnel del #{iname}")
+        end
+      end
+
+      class Template < OpenStruct
+        def initialize(cfg)
+          super(cfg)
+        end
+
+        def build_config(host, iface)
+        end
+      end
+
+      def self.clazzes
+        {
+          "opvn" => Opvn,
+          "gre" => Gre,
+          "host" => Host,
+          "device"=> Device,
+          "vrrp" => Vrrp,
+          "bridge" => Bridge,
+          "bond" => Bond,
+          "vlan" => Vlan,
+          "result" => Result,
+          "ipsec" => Ipsec,
+          "bgp" => Bgp,
+          "template" => Template
+        }
+      end
+
+      def self.clazz(name)
+        ret = self.clazzes[name]
+        throw "class not found #{name}" unless ret
+        ret
+      end
+
+      def self.create_host(name, cfg)
+        cfg['name'] = name
+        cfg['result'] = nil
+        host = Host.new(cfg)
+        host.result = Result.new(host)
+        host
+      end
+
+      def self.create_interface(name, cfg)
+        cfg['name'] = name
+        clazz(cfg['clazz']).new(cfg)
+      end
+
+      def self.create_bgp(cfg)
+        Bgp.new(cfg)
+      end
+
+      def self.create_ipsec(cfg)
+        Ipsec.new(cfg)
+      end
+    end
+  end
+end

data/lib/construqt/flavour/ubuntu/flavour_ubuntu_bgp.rb

@@ -0,0 +1,117 @@
+module Construqt
+  module Flavour
+    module Ubuntu
+
+      class Bgp < OpenStruct
+        def initialize(cfg)
+          super(cfg)
+        end
+
+        def self.header(host)
+          addrs = {}
+          host.interfaces.values.each do |iface|
+            iface = iface.delegate
+            next unless iface.cfg
+            next unless iface.cfg.kind_of? Construqt::Bgp
+            addrs[iface.name] = iface
+          end
+          return if addrs.empty?
+          bird_v4 = self.header_bird(host, OpenStruct.new(:net_clazz => IPAddress::IPv4, :filter => lambda {|ip| ip.ipv4? }))
+          host.result.add(self, bird_v4, Construqt::Resources::Rights::ROOT_0644, "etc", "bird", "bird.conf")
+          bird_v6 = self.header_bird(host, OpenStruct.new(:net_clazz => IPAddress::IPv6, :filter => lambda {|ip| ip.ipv6? }))
+          host.result.add(self, bird_v6, Construqt::Resources::Rights::ROOT_0644, "etc", "bird", "bird6.conf")
+        end
+
+        def self.header_bird(host, mode)
+          #      binding.pry
+          ret = <<BGP
+log syslog { debug, trace, info, remote, warning, error, auth, fatal, bug };
+router id #{host.id.first_ipv4.first_ipv4.to_s};
+protocol device {
+}
+protocol direct {
+}
+protocol kernel {
+        learn;
+        persist;                # Don't remove routes on bird shutdown
+        scan time 20;           # Scan kernel routing table every 20 seconds
+        export all;             # Default is export none
+}
+protocol static {
+}
+
+BGP
+          Bgps.filters.each do |filter|
+            ret = ret + "filter filter_#{filter.name} {\n"
+            filter.list.each do |rule|
+              nets = rule['network']
+              if nets.kind_of?(String)
+                nets = Construqt::Tags.find(nets, mode.net_clazz)
+                #            puts ">>>>>>>>>> #{nets.map{|i| i.class.name}}"
+                nets = IPAddress::summarize(nets)
+              else
+                nets = nets.ips
+              end
+
+              nets.each do |ip|
+                next unless mode.filter.call(ip)
+                ip_str = ip.to_string
+                if rule['prefix_length']
+                  ip_str = "#{ip.to_string}{#{rule['prefix_length'].first},#{rule['prefix_length'].last}}"
+                end
+
+                ret = ret + "  if net ~ [ #{ip_str} ] then { print \"#{rule['rule']}:\",net; #{rule['rule']}; }\n"
+              end
+            end
+
+            ret = ret + "}\n\n"
+          end
+
+          ret
+        end
+
+        def build_bird_conf
+          if self.my.address.first_ipv4 && self.other.my.address.first_ipv4
+            self.my.host.result.add(self, <<BGP, Construqt::Resources::Rights::ROOT_0644, "etc", "bird", "bird.conf")
+protocol bgp #{Util.clean_bgp(self.my.host.name)}_#{Util.clean_bgp(self.other.host.name)} {
+        description "#{self.my.host.name} <=> #{self.other.host.name}";
+        direct;
+        next hop self;
+            #{self.as == self.other.as ? '' : '#'}rr client;
+        local #{self.my.address.first_ipv4} as #{self.as.num};
+        neighbor #{self.other.my.address.first_ipv4}  as #{self.other.as.num};
+        password "#{Util.password(self.cfg.password)}";
+        import #{self.filter['in'] ? "filter filter_"+self.filter['in'].name : "all"};
+        export #{self.filter['out'] ? "filter filter_"+self.filter['out'].name : "all"};
+}
+BGP
+          end
+        end
+
+        def build_bird6_conf
+          #      binding.pry
+          if self.my.address.first_ipv6 && self.other.my.address.first_ipv6
+            self.my.host.result.add(self, <<BGP, Construqt::Resources::Rights::ROOT_0644, "etc", "bird", "bird6.conf")
+protocol bgp #{Util.clean_bgp(self.my.host.name)}_#{Util.clean_bgp(self.other.host.name)} {
+        description "#{self.my.host.name} <=> #{self.other.host.name}";
+        direct;
+        next hop self;
+            #{self.as == self.other.as ? '' : '#'}rr client;
+        local as #{self.as.num};
+        neighbor #{self.other.my.address.first_ipv6}  as #{self.other.as.num};
+        password "#{Util.password(self.cfg.password)}";
+        import #{self.filter['in'] ? "filter filter_"+self.filter['in'].name : "all"};
+        export #{self.filter['out'] ? "filter filter_"+self.filter['out'].name : "all"};
+}
+BGP
+          end
+        end
+
+        def build_config(unused, unused1)
+          build_bird_conf
+          build_bird6_conf
+        end
+      end
+    end
+  end
+end

data/lib/construqt/flavour/ubuntu/flavour_ubuntu_dns.rb

@@ -0,0 +1,97 @@
+module Construqt
+  module Flavour
+
+    module Ubuntu
+      module Dns
+
+        def self.write_header(region, domain)
+          ret = [<<OUT]
+; this is a generated file do not edit!!!!!
+; for #{domain.to_s}
+$TTL 86400      ; 1 day
+#{domain}. IN SOA ns.#{region.network.domain}. #{region.network.contact}. (
+#{Time.now.to_i} ; serial
+10000      ; refresh (2 hours 46 minutes 40 seconds)
+3600       ; retry (1 hour)
+604800     ; expire (1 week)
+28800      ; minimum (8 hours)
+)
+OUT
+          region.hosts.get_hosts.each do |host|
+            next unless host.delegate.dns_server
+            plain_adr = region.network.addresses.all.find{|i| i.name! == host.name }
+            unless plain_adr
+              plain_adr = host.id.first_ipv6
+            end
+
+            binding.pry unless plain_adr.name
+
+            ret << "#{domain}. 3600 IN NS #{region.network.fqdn(plain_adr.name)}."
+            #if (domain == Addresses.domain)
+            #  ret << "#{host.id.first_ipv6.fqdn}.  3600 IN A #{host.id.first_ipv4}" if host.id.first_ipv4
+            #  ret << "#{host.id.first_ipv6.fqdn}.  3600 IN AAAA #{host.id.first_ipv6}" if host.id.first_ipv6
+            #end
+          end
+
+          ret << ""
+          ret.join("\n")
+        end
+
+        def self.build_config(host)
+          forward = {}
+          reverse = {}
+          host.region.network.addresses.all.each do |address|
+            next unless address
+            next if address.ips.empty?
+            unless address.name!
+              Construqt.logger.warn "unreference address #{address.ips.map{|i| i.to_string}}"
+              next
+            end
+            name = host.region.network.fqdn(address.name!)
+            domain = host.region.network.domain
+            forward[domain] ||= []
+            address.ips.each do |ip|
+              next if ip.to_i == ip.network.to_i && ((ip.ipv6? && ip.prefix < 128) || (ip.ipv4? && ip.prefix < 32))
+              forward[domain] << "#{"%-42s" % "#{name}."} 3600 IN #{ip.ipv4? ? 'A' : 'AAAA'} #{ip.to_s}"
+              if ip.ipv4?
+                forward[domain] << "#{"ipv4-%-37s" % "#{name}."} 3600 IN A    #{ip.to_s}"
+              end
+
+              if ip.ipv6?
+                forward[domain] << "#{"ipv6-%-37s" % "#{name}."} 3600 IN AAAA #{ip.to_s}"
+              end
+
+              network = host.region.network.to_network(ip.network)
+              reverse[network] ||= {}
+              reverse[network][ip.reverse.to_s] ||= "#{ip.reverse} 3600 IN PTR #{name}."
+            end
+          end
+
+          include = {}
+          forward.each do |domain, lines|
+            include[domain] = "/etc/bind/tables/#{domain}.forward"
+            host.result.add(self, write_header(host.region, domain), Construqt::Resources::Rights::ROOT_0644, "etc/bind/tables", "#{domain}.forward")
+            host.result.add(self, lines.sort.join("\n"), Construqt::Resources::Rights::ROOT_0644, "etc/bind/tables", "#{domain}.forward")
+          end
+
+          reverse.each do |domain, lines|
+            include[domain.rev_domains.first] = "/etc/bind/tables/#{domain}.reverse"
+            host.result.add(self, write_header(host.region, domain.rev_domains.first), Construqt::Resources::Rights::ROOT_0644, "etc/bind/tables", "#{domain.to_s}.reverse")
+            host.result.add(self, lines.values.sort.join("\n"), Construqt::Resources::Rights::ROOT_0644, "etc/bind/tables", "#{domain.to_s}.reverse")
+          end
+
+          include.each do |domain,path|
+            host.result.add(self, <<DNS, Construqt::Resources::Rights::ROOT_0644, "etc/bind/named.conf.local")
+zone "#{domain.to_s}" {
+        type master;
+        file "#{path}";
+        notify yes;
+        allow-query { any; };
+};
+DNS
+          end
+        end
+      end
+    end
+  end
+end