construqt 0.0.5 → 0.0.6
- checksums.yaml +4 -4
- data/lib/construqt/addresses.rb +121 -10
- data/lib/construqt/bgps.rb +10 -12
- data/lib/construqt/firewalls.rb +115 -16
- data/lib/construqt/flavour/ciscian/ciscian.rb +73 -93
- data/lib/construqt/flavour/ciscian/deploy_template.rb +36 -0
- data/lib/construqt/flavour/ciscian/dialect_dlink-dgs15xx.rb +62 -114
- data/lib/construqt/flavour/ciscian/dialect_hp-2510g.rb +74 -14
- data/lib/construqt/flavour/delegates.rb +9 -0
- data/lib/construqt/flavour/mikrotik/flavour_mikrotik.rb +0 -3
- data/lib/construqt/flavour/mikrotik/flavour_mikrotik_bgp.rb +12 -1
- data/lib/construqt/flavour/mikrotik/flavour_mikrotik_interface.rb +32 -1
- data/lib/construqt/flavour/mikrotik/flavour_mikrotik_result.rb +2 -0
- data/lib/construqt/flavour/mikrotik/flavour_mikrotik_schema.rb +3 -3
- data/lib/construqt/flavour/plantuml/plantuml.rb +2 -2
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu.rb +24 -13
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_bgp.rb +16 -7
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_dns.rb +5 -5
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_firewall.rb +218 -67
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_ipsec.rb +33 -17
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_opvn.rb +5 -5
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_result.rb +77 -14
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_services.rb +77 -29
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_vrrp.rb +18 -3
- data/lib/construqt/interfaces.rb +25 -6
- data/lib/construqt/ipsecs.rb +5 -3
- data/lib/construqt/rack.rb +51 -0
- data/lib/construqt/resource.rb +25 -3
- data/lib/construqt/reverse.rb +1 -0
- data/lib/construqt/services.rb +15 -29
- data/lib/construqt/tags.rb +21 -15
- data/lib/construqt/templates.rb +17 -0
- data/lib/construqt/users.rb +4 -0
- data/lib/construqt/util.rb +1 -1
- data/lib/construqt/version.rb +1 -1
- data/lib/construqt/vlans.rb +13 -2
- data/lib/construqt.rb +2 -1
- metadata +4 -2
@@ -13,6 +13,30 @@ module Construqt
|
|
13
13
|
def commit
|
14
14
|
end
|
15
15
|
|
16
|
+
def sort_section_keys(keys)
|
17
|
+
return keys.sort do |a,b|
|
18
|
+
a = a.to_s
|
19
|
+
b = b.to_s
|
20
|
+
match_a=/^(.*[^\d])(\d+)$/.match(a)||[nil,a,1]
|
21
|
+
match_b=/^(.*[^\d])(\d+)$/.match(b)||[nil,b,1]
|
22
|
+
#puts match_a, match_b, a, b
|
23
|
+
ret=0
|
24
|
+
ret = rate_higher("hostname", match_a[1], match_b[1]) if ret==0
|
25
|
+
ret = rate_higher("snmp", match_a[1], match_b[1]) if ret==0
|
26
|
+
ret = rate_higher("trunk", match_a[1], match_b[1]) if ret==0
|
27
|
+
ret = rate_higher("max-vlans", match_a[1], match_b[1]) if ret==0
|
28
|
+
ret = rate_higher("vlan", match_a[1], match_b[1]) if ret==0
|
29
|
+
ret = rate_higher("vlan", match_a[1], match_b[1]) if ret==0
|
30
|
+
ret = match_a[1]<=>match_b[1] if ret==0
|
31
|
+
ret = match_a[2].to_i<=>match_b[2].to_i if ret==0
|
32
|
+
ret
|
33
|
+
end
|
34
|
+
end
|
35
|
+
|
36
|
+
def rate_higher(prefix, a, b)
|
37
|
+
return a.start_with?(prefix) ^ b.start_with?(prefix) ? (a.start_with?(prefix) ? -1 : 1) : 0
|
38
|
+
end
|
39
|
+
|
16
40
|
def expand_vlan_device_name(device)
|
17
41
|
expand_device_name(device, { "po" => "Trk%s", "ge" => "%s" })
|
18
42
|
end
|
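Review bot: The comparator in `sort_section_keys` calls `rate_higher("vlan", match_a[1], match_b[1])` twice in a row (new lines 28 and 29); the second call is guarded by `ret==0` and has the same arguments, so it can never change `ret` and one of the two is dead — drop the duplicate, or fix the prefix if a different one was intended. The `|| [nil, a, 1]` fallback deserves a one-line comment, e.g. `# keys without a trailing number sort as if numbered 1`. Style: `return keys.sort do … end` can simply be `keys.sort do … end`, and the assignments without spaces (`match_a=…`, `ret=0`) could match the spacing used in `expand_vlan_device_name`.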
@@ -25,45 +49,71 @@ module Construqt
|
|
25
49
|
end
|
26
50
|
|
27
51
|
def add_host(host)
|
28
|
-
@result.add("hostname"
|
29
|
-
@result.add("max-vlans"
|
30
|
-
@result.add("snmp-server community \"public\"
|
52
|
+
@result.add("hostname").add(@result.host.name).quotes
|
53
|
+
@result.add("max-vlans").add(64)
|
54
|
+
@result.add("snmp-server community \"public\"")
|
55
|
+
|
56
|
+
#enable ssh per default
|
57
|
+
@result.add("ip ssh")
|
58
|
+
|
31
59
|
@result.host.interfaces.values.each do |iface|
|
32
60
|
next unless iface.delegate.address
|
33
61
|
iface.delegate.address.routes.each do |route|
|
34
|
-
@result.add("ip route #{route.dst.to_s} #{route.dst.netmask} #{route.via.to_s}"
|
62
|
+
@result.add("ip route #{route.dst.to_s} #{route.dst.netmask} #{route.via.to_s}")
|
35
63
|
end
|
36
64
|
end
|
65
|
+
|
66
|
+
if host.delegate.sntp
|
67
|
+
@result.add("sntp server").add(host.delegate.sntp)
|
68
|
+
@result.add("timesync sntp")
|
69
|
+
@result.add("sntp unicast")
|
70
|
+
end
|
71
|
+
|
72
|
+
if host.delegate.logging
|
73
|
+
@result.add("logging").add(host.delegate.logging)
|
74
|
+
end
|
75
|
+
|
37
76
|
end
|
38
77
|
|
39
78
|
def add_device(device)
|
40
79
|
end
|
41
80
|
|
42
81
|
def add_bond(bond)
|
43
|
-
@result.add("trunk", TrunkVerb).add("{+ports}" => bond.interfaces.map{|i| i.delegate.number }, "{*channel}" => bond.delegate.number)
|
82
|
+
@result.add("trunk", TrunkVerb).add("{+ports}" => bond.interfaces.map{|i| i.delegate.number }, "{*channel}" => bond.delegate.number, "{=mode}"=>"LACP")
|
44
83
|
@result.add("spanning-tree #{expand_vlan_device_name(bond)} priority 4")
|
45
84
|
end
|
46
85
|
|
47
86
|
def add_vlan(vlan)
|
48
|
-
@result.add("vlan #{vlan.delegate.vlan_id}
|
87
|
+
@result.add("vlan #{vlan.delegate.vlan_id}", NestedSection) do |section|
|
49
88
|
next unless vlan.delegate.description && !vlan.delegate.description.empty?
|
50
89
|
throw "vlan name too long, max 32 chars" if vlan.delegate.description.length > 32
|
51
|
-
section.add("name"
|
90
|
+
section.add("name").add(vlan.delegate.description).quotes
|
91
|
+
section.add("jumbo")
|
52
92
|
vlan.interfaces.each do |port|
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
|
93
|
+
range=nil
|
94
|
+
if port.template.is_tagged?(vlan.vlan_id)
|
95
|
+
range=section.add("tagged", Tagged)
|
96
|
+
range.add("{+ports}" => [expand_vlan_device_name(port)])
|
97
|
+
elsif port.template.is_untagged?(vlan.vlan_id)
|
98
|
+
range=section.add("tagged", Tagged)
|
99
|
+
range.add("{+uports}" => [expand_vlan_device_name(port)])
|
100
|
+
elsif port.template.is_nountagged?(vlan.vlan_id)
|
101
|
+
range=section.add("tagged", Tagged)
|
102
|
+
range.add("{-uports}" => [expand_vlan_device_name(port)])
|
103
|
+
end
|
58
104
|
end
|
59
105
|
|
60
106
|
if vlan.delegate.address
|
61
107
|
if vlan.delegate.address.first_ipv4
|
62
|
-
section.add("ip address").add(vlan.delegate.address.first_ipv4.
|
108
|
+
section.add("ip address").add(vlan.delegate.address.first_ipv4.to_s + " " + vlan.delegate.address.first_ipv4.netmask)
|
63
109
|
elsif vlan.delegate.address.dhcpv4?
|
64
110
|
section.add("ip address").add("dhcp-bootp")
|
65
111
|
end
|
66
112
|
end
|
113
|
+
|
114
|
+
if vlan.delegate.igmp
|
115
|
+
section.add("ip igmp")
|
116
|
+
end
|
67
117
|
end
|
68
118
|
end
|
69
119
|
|
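Review bot: The generated switch config still hard-codes the read community in `@result.add("snmp-server community \"public\"")` (new line 54) while the new `sntp` and `logging` lines are taken from the host delegate; a vendor-default community string on a managed switch is a well-known weakness, so the value should come from host configuration the way `host.delegate.sntp` does, or at least carry `# TODO: take the community string from the host definition instead of the vendor default`. In `add_vlan`, `range=nil` (new line 93) is never read because every branch assigns `range` before using it, so the line can go. The `is_untagged?` and `is_nountagged?` branches also emit the `"tagged"` verb; if that is what the `Tagged` verb expects for `{+uports}`/`{-uports}`, a short comment would save the next reader a detour.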
@@ -81,6 +131,10 @@ module Construqt
|
|
81
131
|
end.flatten.join(' ')
|
82
132
|
end
|
83
133
|
|
134
|
+
def is_virtual?(line)
|
135
|
+
line.include?("vlan")
|
136
|
+
end
|
137
|
+
|
84
138
|
def block_end?(line)
|
85
139
|
['end','exit'].include?(line.strip)
|
86
140
|
end
|
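Review bot: `is_virtual?` uses a substring test, `line.include?("vlan")`, so the `max-vlans 64` line that `add_host` emits in this same file is also classified as virtual; if the intent is to recognise the `vlan <id>` section headers, anchor the test: `line.strip.start_with?("vlan ")`. Ruby predicates drop the `is_` prefix (`virtual?`), matching `block_end?` right below it.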
@@ -101,8 +155,14 @@ module Construqt
|
|
101
155
|
"trunk"
|
102
156
|
end
|
103
157
|
|
158
|
+
def self.find_regex(variable)
|
159
|
+
{
|
160
|
+
"mode" => "(Trunk|LACP)"
|
161
|
+
}[variable]
|
162
|
+
end
|
163
|
+
|
104
164
|
def self.patterns
|
105
|
-
["no trunk {-ports}", "trunk {+ports} Trk{*channel}
|
165
|
+
["no trunk {-ports}", "trunk {+ports} Trk{*channel} {=mode}"]
|
106
166
|
end
|
107
167
|
end
|
108
168
|
end
|
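Review bot: `find_regex` rebuilds the `{ "mode" => "(Trunk|LACP)" }` hash on every call and returns `nil` for any other variable name; lift it to a frozen constant, `MODE_PATTERNS = { "mode" => "(Trunk|LACP)" }.freeze`, and return `MODE_PATTERNS[variable]`. A comment on `patterns` noting that the `{=mode}` placeholder is matched through that regex fragment would tie the two methods together.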
@@ -9,6 +9,7 @@ module Construqt
|
|
9
9
|
|
10
10
|
def delegate=(a)
|
11
11
|
throw "delegate needs to be !nil" unless a
|
12
|
+
a.delegate = self
|
12
13
|
@delegate = a
|
13
14
|
end
|
14
15
|
|
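Review bot: `delegate=` now writes a back-reference, `a.delegate = self`, before storing `a`, so whatever is passed in must respond to `delegate=` and any delegate it already carried is overwritten silently; if that is the intended contract, state it with `# bidirectional link: the delegate learns its owner`, otherwise guard it in the file's existing style, `throw "delegate must accept delegate=" unless a.respond_to?(:delegate=)`. As an aside, `throw` with a string ends in `UncaughtThrowError` rather than an `ArgumentError`; that is the convention throughout this code, so only worth changing together with the rest.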
@@ -28,6 +29,14 @@ module Construqt
|
|
28
29
|
@vrrp
|
29
30
|
end
|
30
31
|
|
32
|
+
def ipsec
|
33
|
+
self.delegate.ipsec
|
34
|
+
end
|
35
|
+
|
36
|
+
def firewalls
|
37
|
+
self.delegate.firewalls
|
38
|
+
end
|
39
|
+
|
31
40
|
def description
|
32
41
|
self.delegate.description
|
33
42
|
end
|
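Review bot: The new `ipsec` and `firewalls` readers forward to `self.delegate` unguarded, exactly like `description` below them, so as far as this hunk shows they raise `NoMethodError` when no delegate is set. Callers elsewhere in this change test the result for nil (the plantuml hunk writes `iface.delegate && iface.delegate.firewalls && …`), so a YARD line stating the contract would help, e.g. `# @return [Array, nil] firewalls of the delegate; nil when none are configured`.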
@@ -14,7 +14,16 @@ module Construqt
|
|
14
14
|
host.result.add("set [ find chain=#{v4_name.inspect} ] comment=to_remove", nil, "routing", "filter")
|
15
15
|
host.result.add("set [ find chain=#{v6_name.inspect} ] comment=to_remove", nil, "routing", "filter")
|
16
16
|
filter.list.each do |rule|
|
17
|
-
rule['network']
|
17
|
+
nets = rule['network']
|
18
|
+
if nets.kind_of?(String)
|
19
|
+
#binding.pry
|
20
|
+
nets = Construqt::Tags.find(nets, Construqt::Addresses::IPV4) + Construqt::Tags.find(nets, Construqt::Addresses::IPV6)
|
21
|
+
# puts ">>>>>>>>>> #{nets.map{|i| i.class.name}}"
|
22
|
+
nets = IPAddress::summarize(nets)
|
23
|
+
else
|
24
|
+
nets = nets.ips
|
25
|
+
end
|
26
|
+
nets.each do |ip|
|
18
27
|
prefix_len = ""
|
19
28
|
if rule['prefix_length']
|
20
29
|
prefix_len = "prefix-length=#{rule['prefix_length'].first}-#{rule['prefix_length'].last}"
|
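Review bot: When `rule['network']` is a String, the IPv4 and IPv6 tag lookups are concatenated and handed to a single `IPAddress::summarize(nets)` call (new line 22); unless that helper is known to cope with a mixed-family list, summarising per family, `IPAddress::summarize(v4) + IPAddress::summarize(v6)`, is the safer shape — please confirm against its implementation. The `#binding.pry` (new line 19) and the `# puts ">>>>>>>>>>` line are debugger leftovers, and the same `#binding.pry` is added again in the bird hunk at `@@ -40,6 +46,7 @@`; both should go before the release. The `else` branch assumes any non-String value responds to `ips`; a comment naming the expected type would help. The enclosing method starts before and continues after this hunk.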
@@ -115,6 +124,7 @@ module Construqt
|
|
115
124
|
"address-families" => "ip",
|
116
125
|
"default-originate" => self.default_originate,
|
117
126
|
"remote-address" => self.other.my.address.first_ipv4,
|
127
|
+
"use-bfd" => self.cfg.use_bfd.kind_of?(false.class) ? false : true,
|
118
128
|
"tcp-md5-key" => self.cfg.password,
|
119
129
|
"in-filter" => "v4-"+self.filter['in'].name,
|
120
130
|
"out-filter" => "v4-"+self.filter['out'].name)
|
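Review bot: `"use-bfd" => self.cfg.use_bfd.kind_of?(false.class) ? false : true` (new line 127, and identically in the IPv6 hunk at `@@ -124,6 +134,7 @@`) maps every value that is not literally `false` — including an unset `nil` — to `true`, so BFD is switched on for peers that never mention it; if that default is intended, record it with `# use-bfd defaults to on; only an explicit false disables it`, otherwise `!!self.cfg.use_bfd` gives the opt-in reading. Either way `self.cfg.use_bfd != false` expresses the current logic more directly than `kind_of?(false.class)`.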
@@ -124,6 +134,7 @@ module Construqt
|
|
124
134
|
"remote-as" => self.other.as.num,
|
125
135
|
"address-families" => "ipv6",
|
126
136
|
"remote-address" => self.other.my.address.first_ipv6,
|
137
|
+
"use-bfd" => self.cfg.use_bfd.kind_of?(false.class) ? false : true,
|
127
138
|
"tcp-md5-key" => self.cfg.password,
|
128
139
|
"in-filter" => "v6-"+self.filter['in'].name,
|
129
140
|
"out-filter" => "v6-"+self.filter['out'].name)
|
@@ -43,12 +43,16 @@ module Construqt
|
|
43
43
|
end
|
44
44
|
|
45
45
|
cfg['distance'] = rt.metric if rt.metric
|
46
|
+
|
47
|
+
cfg['routing-mark'] = rt.routing_table if rt.routing_table
|
48
|
+
|
46
49
|
default = {
|
47
50
|
"dst-address" => Schema.network.required.key(0),
|
48
51
|
"gateway" => Schema.address,
|
49
52
|
"type" => Schema.identifier,
|
50
53
|
"distance" => Schema.int,
|
51
|
-
"comment" => Schema.string.required.key(1)
|
54
|
+
"comment" => Schema.string.required.key(1),
|
55
|
+
"routing-mark" => Schema.identifier
|
52
56
|
}
|
53
57
|
cfg['comment'] = "#{cfg['dst-address']} via #{cfg['gateway']} CONSTRUQT"
|
54
58
|
if rt.dst.ipv6?
|
@@ -58,10 +62,37 @@ module Construqt
|
|
58
62
|
end
|
59
63
|
end
|
60
64
|
|
65
|
+
def self.render_firewall_mangle(host, iface)
|
66
|
+
cfg = {
|
67
|
+
"in-interface" => iface.name,
|
68
|
+
"new-routing-mark" => iface.routing_table,
|
69
|
+
"chain" => "prerouting",
|
70
|
+
"action" => "mark-routing"
|
71
|
+
}
|
72
|
+
cfg['comment'] = "tag interface #{cfg['in-interface']} with routing-mark #{cfg['new-routing-mark']} CONSTRUQT"
|
73
|
+
|
74
|
+
default = {
|
75
|
+
"chain" => Schema.identifier.required,
|
76
|
+
"action" => Schema.identifier.required,
|
77
|
+
"new-routing-mark" => Schema.identifier.required,
|
78
|
+
"in-interface" => Schema.identifier.required,
|
79
|
+
"comment" => Schema.string.required.key(1),
|
80
|
+
}
|
81
|
+
|
82
|
+
host.result.render_mikrotik(default, cfg, "ipv6", "firewall", "mangle")
|
83
|
+
host.result.render_mikrotik(default, cfg, "ip", "firewall", "mangle")
|
84
|
+
end
|
85
|
+
|
86
|
+
|
61
87
|
def self.build_config(host, iface)
|
88
|
+
if iface.routing_table
|
89
|
+
render_firewall_mangle(host, iface)
|
90
|
+
end
|
91
|
+
|
62
92
|
#name = File.join(host.name, "interface", "device")
|
63
93
|
#ret = []
|
64
94
|
#ret += self.clazz.build_config(host, iface||self)
|
95
|
+
|
65
96
|
if !(iface.address.nil? || iface.address.ips.empty?)
|
66
97
|
iface.address.ips.each do |ip|
|
67
98
|
render_ip(host, iface, ip)
|
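Review bot: `render_firewall_mangle` emits a `prerouting` rule with `action` `mark-routing` keyed only on `in-interface`, so every packet arriving on `iface` — including traffic addressed to the router itself — is steered into `iface.routing_table`; that policy-routing decision deserves a header comment such as `# Policy routing: mark all traffic entering this interface so it is looked up in the interface's own routing table`. The same `cfg` hash is passed to both the `"ipv6"` and `"ip"` render calls; if `render_mikrotik` mutates its `cfg` argument the second call sees the result — worth confirming. The trailing comma after the last `default` entry (new line 79) is legal but inconsistent with the other schema hashes in the file. `build_config` continues beyond the end of the hunk.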
@@ -155,9 +155,11 @@ module Construqt
|
|
155
155
|
"interface vrrp",
|
156
156
|
"interface gre6",
|
157
157
|
"ipv6 address",
|
158
|
+
"ipv6 firewall mangle",
|
158
159
|
"ipv6 route",
|
159
160
|
"ip address",
|
160
161
|
"ip dns",
|
162
|
+
"ip firewall mangle",
|
161
163
|
"ip route",
|
162
164
|
"ip ipsec proposal",
|
163
165
|
"ip ipsec peer",
|
@@ -101,7 +101,7 @@ module Construqt
|
|
101
101
|
end
|
102
102
|
|
103
103
|
def self.serialize(schema, val)
|
104
|
-
throw "Address:val must be ipaddress #{val.class.name} #{val} #{schema.field_name}" unless val.kind_of?(IPAddress::IPv6) || val.kind_of?(IPAddress::IPv4)
|
104
|
+
throw "Address:val must be ipaddress #{val.class.name} #{val} #{schema.field_name}" unless val.kind_of?(Construqt::Addresses::CqIpAddress) || val.kind_of?(IPAddress::IPv6) || val.kind_of?(IPAddress::IPv4)
|
105
105
|
# throw "only 0-9:\.\/ are allowed #{val}" unless val.match(/^[a-fA-F0-9:\.\/]+$/)
|
106
106
|
return Flavour::Mikrotik.compress_address(val)
|
107
107
|
end
|
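Review bot: The same three-way `kind_of?` chain is now repeated verbatim in three `serialize` methods (this hunk and the two that follow at `@@ -113,7 +113,7 @@` and `@@ -125,7 +125,7 @@`); extract it once as `def self.ip_address?(val)` returning `val.kind_of?(Construqt::Addresses::CqIpAddress) || val.kind_of?(IPAddress::IPv6) || val.kind_of?(IPAddress::IPv4)` and write each guard as `… unless ip_address?(val)`, so the next accepted type is added in one place.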
@@ -113,7 +113,7 @@ module Construqt
|
|
113
113
|
end
|
114
114
|
|
115
115
|
def self.serialize(schema, val)
|
116
|
-
throw "Address:val must be ipaddress #{val.class.name} #{val} #{schema.field_name}" unless val.kind_of?(IPAddress::IPv6) || val.kind_of?(IPAddress::IPv4)
|
116
|
+
throw "Address:val must be ipaddress #{val.class.name} #{val} #{schema.field_name}" unless val.kind_of?(Construqt::Addresses::CqIpAddress) || val.kind_of?(IPAddress::IPv6) || val.kind_of?(IPAddress::IPv4)
|
117
117
|
# throw "only 0-9:\.\/ are allowed #{val}" unless val.match(/^[a-fA-F0-9:\.\/]+$/)
|
118
118
|
return "#{Flavour::Mikrotik.compress_address(val)}/#{val.prefix}"
|
119
119
|
end
|
@@ -125,7 +125,7 @@ module Construqt
|
|
125
125
|
end
|
126
126
|
|
127
127
|
def self.serialize(schema, val)
|
128
|
-
throw "Network::val must be ipaddress #{val.class.name} #{val} #{schema.field_name}" unless val.kind_of?(IPAddress::IPv6) || val.kind_of?(IPAddress::IPv4)
|
128
|
+
throw "Network::val must be ipaddress #{val.class.name} #{val} #{schema.field_name}" unless val.kind_of?(Construqt::Addresses::CqIpAddress) || val.kind_of?(IPAddress::IPv6) || val.kind_of?(IPAddress::IPv4)
|
129
129
|
#throw "only 0-9:\.\/ are allowed #{val}" unless val.match(/^[a-fA-F0-9:\.\/]+$/)
|
130
130
|
return "#{Flavour::Mikrotik.compress_address(val)}/#{val.prefix}"
|
131
131
|
end
|
@@ -138,11 +138,11 @@ UML
|
|
138
138
|
end
|
139
139
|
end
|
140
140
|
|
141
|
-
iface.delegate.firewalls && iface.delegate.firewalls.each_with_index do |fw, idx|
|
141
|
+
iface.delegate && iface.delegate.firewalls && iface.delegate.firewalls.each_with_index do |fw, idx|
|
142
142
|
out << "fw(#{idx}) = \"#{fw.name}\""
|
143
143
|
end
|
144
144
|
|
145
|
-
(iface.tags+tags).sort.uniq.each_with_index do |tag, idx|
|
145
|
+
iface.tags && (iface.tags+tags).sort.uniq.each_with_index do |tag, idx|
|
146
146
|
out << "tag(#{idx}) = \"#{tag}\""
|
147
147
|
end
|
148
148
|
|
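Review bot: `iface.tags && (iface.tags+tags).sort.uniq.each_with_index …` (new line 145) now skips the whole loop when `iface.tags` is nil, which also drops the caller-supplied `tags` that the old line emitted; `(Array(iface.tags)+tags).sort.uniq.each_with_index do |tag, idx|` keeps them while still tolerating nil. The firewall line above uses the same `a && a.b && …` chain; if the project's Ruby baseline allows it, `iface.delegate&.firewalls&.each_with_index` reads better, otherwise a guard clause before each loop is clearer than a three-term conjunction.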
@@ -39,7 +39,8 @@ module Construqt
|
|
39
39
|
return
|
40
40
|
end
|
41
41
|
|
42
|
-
writer.header.
|
42
|
+
writer.header.dhcpv4 if iface.address.dhcpv4?
|
43
|
+
writer.header.dhcpv6 if iface.address.dhcpv6?
|
43
44
|
writer.header.mode(EtcNetworkInterfaces::Entry::Header::MODE_LOOPBACK) if iface.address.loopback?
|
44
45
|
lines.add(iface.flavour) if iface.flavour
|
45
46
|
iface.address.ips.each do |ip|
|
@@ -83,6 +84,15 @@ module Construqt
|
|
83
84
|
writer.lines.down("ip link set dev #{ifname} down")
|
84
85
|
add_address(host, ifname, iface.delegate, writer.lines, writer) #unless iface.address.nil? || iface.address.ips.empty?
|
85
86
|
add_services(host, ifname, iface.delegate, writer)
|
87
|
+
host.ipsecs.find do |ipsec|
|
88
|
+
if ipsec.left.remote.interface == iface || ipsec.right.remote.interface == iface
|
89
|
+
writer.lines.up("STARTED_BY_CONSTRUQT=yes /etc/init.d/racoon start")
|
90
|
+
writer.lines.down("STARTED_BY_CONSTRUQT=yes /etc/init.d/racoon restart")
|
91
|
+
true
|
92
|
+
else
|
93
|
+
false
|
94
|
+
end
|
95
|
+
end
|
86
96
|
end
|
87
97
|
end
|
88
98
|
|
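Review bot: `host.ipsecs.find do |ipsec| … true … false end` (new lines 87–95) uses `find` only for its short-circuit side effect, returning `true`/`false` just to stop the iteration; `if host.ipsecs.any? { |ipsec| [ipsec.left.remote.interface, ipsec.right.remote.interface].include?(iface) }` followed by the two `writer.lines.up`/`down` calls says the same thing. The up hook runs `racoon start` while the down hook runs `racoon restart`; if restarting on interface down is deliberate, a one-line comment would stop it being "fixed" later. Both sides compare `remote.interface` against the local `iface`; please confirm that is the intended attribute and not a naming slip.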
@@ -142,7 +152,7 @@ BOND
|
|
142
152
|
end
|
143
153
|
|
144
154
|
def build_config(host, unused)
|
145
|
-
host.result.add(self, <<SCTL, Construqt::Resources::Rights
|
155
|
+
host.result.add(self, <<SCTL, Construqt::Resources::Rights.root_0644, "etc", "sysctl.conf")
|
146
156
|
net.ipv4.conf.all.forwarding = 1
|
147
157
|
net.ipv4.conf.default.forwarding = 1
|
148
158
|
net.ipv4.vs.pmtu_disc=1
|
@@ -151,7 +161,7 @@ net.ipv6.conf.all.autoconf=0
|
|
151
161
|
net.ipv6.conf.all.accept_ra=0
|
152
162
|
net.ipv6.conf.all.forwarding=1
|
153
163
|
SCTL
|
154
|
-
host.result.add(self, <<HOSTS, Construqt::Resources::Rights
|
164
|
+
host.result.add(self, <<HOSTS, Construqt::Resources::Rights.root_0644, "etc", "hosts")
|
155
165
|
127.0.0.1 localhost
|
156
166
|
::1 localhost ip6-localhost ip6-loopback
|
157
167
|
fe00::0 ip6-localnet
|
@@ -161,12 +171,12 @@ ff02::2 ip6-allrouters
|
|
161
171
|
|
162
172
|
127.0.1.1 #{host.name} #{host.region.network.fqdn(host.name)}
|
163
173
|
HOSTS
|
164
|
-
host.result.add(self, host.name, Construqt::Resources::Rights
|
165
|
-
host.result.add(self, "# WTF resolvconf", Construqt::Resources::Rights
|
174
|
+
host.result.add(self, host.name, Construqt::Resources::Rights.root_0644, "etc", "hostname")
|
175
|
+
host.result.add(self, "# WTF resolvconf", Construqt::Resources::Rights.root_0644, "etc", "resolvconf", "resolv.conf.d", "orignal");
|
166
176
|
host.result.add(self,
|
167
177
|
(host.region.network.dns_resolver.nameservers.ips.map{|i| "nameserver #{i.to_s}" }+
|
168
178
|
["search #{host.region.network.dns_resolver.search.join(' ')}"]).join("\n"),
|
169
|
-
Construqt::Resources::Rights
|
179
|
+
Construqt::Resources::Rights.root_0644, "etc", "resolv.conf")
|
170
180
|
#binding.pry
|
171
181
|
Dns.build_config(host) if host.delegate.dns_server
|
172
182
|
akeys = []
|
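Review bot: The resolvconf resource is written to `"resolvconf", "resolv.conf.d", "orignal"` (new line 175); resolvconf reads `/etc/resolvconf/resolv.conf.d/original`, so the misspelled file will simply be ignored — change the last component to `"original"`. The same line ends with a stray `;` that none of the neighbouring calls have.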
@@ -178,11 +188,11 @@ HOSTS
|
|
178
188
|
skeys << "#{u.shadow}" if u.shadow
|
179
189
|
end
|
180
190
|
|
181
|
-
host.result.add(self, skeys.join(), Construqt::Resources::Rights
|
182
|
-
host.result.add(self, akeys.join(), Construqt::Resources::Rights
|
183
|
-
host.result.add(self, ykeys.join("\n"), Construqt::Resources::Rights
|
191
|
+
#host.result.add(self, skeys.join(), Construqt::Resources::Rights.root_0644, "etc", "shadow.merge")
|
192
|
+
host.result.add(self, akeys.join(), Construqt::Resources::Rights.root_0644, "root", ".ssh", "authorized_keys")
|
193
|
+
host.result.add(self, ykeys.join("\n"), Construqt::Resources::Rights.root_0644, "etc", "yubikey_mappings")
|
184
194
|
|
185
|
-
host.result.add(self, <<SSH , Construqt::Resources::Rights::
|
195
|
+
host.result.add(self, <<SSH , Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::SSH), "etc", "ssh", "sshd_config")
|
186
196
|
# Package generated configuration file
|
187
197
|
# See the sshd_config(5) manpage for details
|
188
198
|
|
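Review bot: The `shadow.merge` resource is commented out (new line 191) but `skeys` is still filled from `u.shadow` a few lines above (line 188 in context), so password hashes are gathered into a string that is never written; either drop the collection or leave a comment saying why the file is disabled. `authorized_keys` and `yubikey_mappings` are written with plain `root_0644` while `sshd_config` gets `root_0644(Construqt::Resources::Component::SSH)`; if the component tags resources for deployment, the SSH key file likely belongs to the same component — please confirm.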
@@ -272,7 +282,7 @@ Subsystem sftp /usr/lib/openssh/sftp-server
|
|
272
282
|
# and ChallengeResponseAuthentication to 'no'.
|
273
283
|
UsePAM yes
|
274
284
|
SSH
|
275
|
-
host.result.add(self, <<PAM , Construqt::Resources::Rights::
|
285
|
+
host.result.add(self, <<PAM , Construqt::Resources::Rights::root_0644, "etc", "pam.d", "openvpn")
|
276
286
|
#{host.delegate.yubikey ? '':'# '}auth required pam_yubico.so id=16 authfile=/etc/yubikey_mappings
|
277
287
|
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
|
278
288
|
auth requisite pam_deny.so
|
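Review bot: `Construqt::Resources::Rights::root_0644` (new line 285) calls the method through `::` while every other call in this change uses `.root_0644`; Ruby accepts both, but it reads like a constant lookup — change it to `Construqt::Resources::Rights.root_0644, "etc", "pam.d", "openvpn"`. The sshd_config resource is tagged with `Component::SSH` whereas this PAM file is not tagged at all; worth checking whether a component is expected here too.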
@@ -297,7 +307,6 @@ PAM
|
|
297
307
|
|
298
308
|
def build_config(host, gre)
|
299
309
|
gre_delegate = gre.delegate
|
300
|
-
# binding.pry
|
301
310
|
cfg = nil
|
302
311
|
if gre_delegate.local.first_ipv6
|
303
312
|
cfg = OpenStruct.new(:prefix=>6, :my=>gre_delegate.local.first_ipv6, :other => gre_delegate.remote.first_ipv6, :mode => "ip6gre")
|
@@ -306,7 +315,7 @@ PAM
|
|
306
315
|
end
|
307
316
|
|
308
317
|
throw "need a local address #{host.name}:#{gre_delegate.name}" unless cfg
|
309
|
-
local_iface = host.interfaces.values.find { |iface| iface.address.match_network(cfg.my) }
|
318
|
+
local_iface = host.interfaces.values.find { |iface| iface.address && iface.address.match_network(cfg.my) }
|
310
319
|
throw "need a interface with address #{host.name}:#{cfg.my}" unless local_iface
|
311
320
|
iname = Util.clean_if("gt#{cfg.prefix}", gre_delegate.name)
|
312
321
|
|
@@ -318,6 +327,8 @@ PAM
|
|
318
327
|
writer = host.result.etc_network_interfaces.get(gre_delegate)
|
319
328
|
writer.skip_interfaces.header.interface_name(iname)
|
320
329
|
writer.lines.up("ip -#{cfg.prefix} tunnel add #{iname} mode #{cfg.mode} local #{cfg.my.to_s} remote #{cfg.other.to_s}")
|
330
|
+
#writer.lines.up("ip -#{cfg.prefix} tunnel add #{iname} mode #{cfg.mode} local #{cfg.my.to_s} remote #{cfg.other.to_s}")
|
331
|
+
#/sbin/ip -6 tunnel add gt4nactr01 mode ip4ip6 remote 2a04:2f80:f:f003::2 local 2a04:2f80:f:f003::1
|
321
332
|
# writer.lines.up("ip -#{cfg.prefix} link set dev #{iname} up")
|
322
333
|
Device.build_config(host, gre)
|
323
334
|
# Device.add_address(host, iname, iface, writer.lines, writer)
|
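Review bot: Two commented-out lines are added after the live `ip tunnel add` (new lines 330–331): a duplicate of the line above, and a pasted shell command carrying a concrete interface name and IPv6 addresses from a real deployment (`gt4nactr01`, `2a04:2f80:f:f003::…`). Site-specific addresses should not ship inside a published gem; delete both lines, or replace the second with a neutral shape such as `# equivalent: ip -6 tunnel add <iface> mode ip4ip6 remote <other> local <my>`. The GRE `build_config` starts before this hunk and ends after it.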
@@ -10,10 +10,16 @@ module Construqt
|
|
10
10
|
def self.header(host)
|
11
11
|
return if host.bgps.empty?
|
12
12
|
# binding.pry
|
13
|
-
bird_v4 = self.header_bird(host, OpenStruct.new(:net_clazz =>
|
14
|
-
|
15
|
-
|
16
|
-
|
13
|
+
bird_v4 = self.header_bird(host, OpenStruct.new(:net_clazz => lambda {|o|
|
14
|
+
(o.kind_of?(IPAddress::IPv4)||o.kind_of?(Construqt::Addresses::CqIpAddress)) && o.ipv4?
|
15
|
+
},
|
16
|
+
:filter => lambda {|ip| ip.ipv4? }))
|
17
|
+
host.result.add(self, bird_v4, Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::BGP), "etc", "bird", "bird.conf")
|
18
|
+
bird_v6 = self.header_bird(host, OpenStruct.new(:net_clazz => lambda {|o|
|
19
|
+
(o.kind_of?(IPAddress::IPv6)||o.kind_of?(Construqt::Addresses::CqIpAddress)) && o.ipv6?
|
20
|
+
},
|
21
|
+
:filter => lambda {|ip| ip.ipv6? }))
|
22
|
+
host.result.add(self, bird_v6, Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::BGP), "etc", "bird", "bird6.conf")
|
17
23
|
end
|
18
24
|
|
19
25
|
def self.header_bird(host, mode)
|
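Review bot: The v4 and v6 halves of `header` (new lines 13–22) are identical except for the address class, the `ipv4?`/`ipv6?` predicate and the output file name; a small helper such as `def self.bird_header_for(host, clazz, pred, file)` called twice would remove the duplication and make the `mode` contract of `header_bird` visible in one place. In the `net_clazz` lambdas the `o.kind_of?(IPAddress::IPv4)` test is subsumed by the `&& o.ipv4?` that follows unless `ipv4?` is also defined on unrelated classes — a comment on why both checks are needed would help. `header_bird` begins on the last line of the hunk and continues outside it.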
@@ -40,6 +46,7 @@ BGP
|
|
40
46
|
filter.list.each do |rule|
|
41
47
|
nets = rule['network']
|
42
48
|
if nets.kind_of?(String)
|
49
|
+
#binding.pry
|
43
50
|
nets = Construqt::Tags.find(nets, mode.net_clazz)
|
44
51
|
# puts ">>>>>>>>>> #{nets.map{|i| i.class.name}}"
|
45
52
|
nets = IPAddress::summarize(nets)
|
@@ -50,7 +57,9 @@ BGP
|
|
50
57
|
nets.each do |ip|
|
51
58
|
next unless mode.filter.call(ip)
|
52
59
|
ip_str = ip.to_string
|
53
|
-
if rule['
|
60
|
+
if rule['addr_sub_prefix']
|
61
|
+
ip_str = "#{ip.to_string}{#{ip.prefix},#{ip.ipv4? ? 32 : 128}}"
|
62
|
+
elsif rule['prefix_length']
|
54
63
|
ip_str = "#{ip.to_string}{#{rule['prefix_length'].first},#{rule['prefix_length'].last}}"
|
55
64
|
end
|
56
65
|
|
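Review bot: When a rule sets both `addr_sub_prefix` and `prefix_length` (new lines 60–62) the `elsif` silently ignores `prefix_length`; document the precedence, e.g. `# addr_sub_prefix wins over prefix_length: announce the net and every more specific route`. The new branch also recomputes `ip.to_string` although `ip_str` already holds it: `ip_str = "#{ip_str}{#{ip.prefix},#{ip.ipv4? ? 32 : 128}}"`. The enclosing loop starts before and ends after the hunk.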
@@ -66,7 +75,7 @@ BGP
|
|
66
75
|
|
67
76
|
def build_bird_conf
|
68
77
|
if self.my.address.first_ipv4 && self.other.my.address.first_ipv4
|
69
|
-
self.my.host.result.add(self, <<BGP, Construqt::Resources::Rights::
|
78
|
+
self.my.host.result.add(self, <<BGP, Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::BGP), "etc", "bird", "bird.conf")
|
70
79
|
protocol bgp #{Util.clean_bgp(self.my.host.name)}_#{Util.clean_bgp(self.other.host.name)} {
|
71
80
|
description "#{self.my.host.name} <=> #{self.other.host.name}";
|
72
81
|
direct;
|
@@ -85,7 +94,7 @@ BGP
|
|
85
94
|
def build_bird6_conf
|
86
95
|
# binding.pry
|
87
96
|
if self.my.address.first_ipv6 && self.other.my.address.first_ipv6
|
88
|
-
self.my.host.result.add(self, <<BGP, Construqt::Resources::Rights::
|
97
|
+
self.my.host.result.add(self, <<BGP, Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::BGP), "etc", "bird", "bird6.conf")
|
89
98
|
protocol bgp #{Util.clean_bgp(self.my.host.name)}_#{Util.clean_bgp(self.other.host.name)} {
|
90
99
|
description "#{self.my.host.name} <=> #{self.other.host.name}";
|
91
100
|
direct;
|
@@ -70,18 +70,18 @@ OUT
|
|
70
70
|
include = {}
|
71
71
|
forward.each do |domain, lines|
|
72
72
|
include[domain] = "/etc/bind/tables/#{domain}.forward"
|
73
|
-
host.result.add(self, write_header(host.region, domain), Construqt::Resources::Rights::
|
74
|
-
host.result.add(self, lines.sort.join("\n"), Construqt::Resources::Rights::
|
73
|
+
host.result.add(self, write_header(host.region, domain), Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::DNS), "etc/bind/tables", "#{domain}.forward")
|
74
|
+
host.result.add(self, lines.sort.join("\n"), Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::DNS), "etc/bind/tables", "#{domain}.forward")
|
75
75
|
end
|
76
76
|
|
77
77
|
reverse.each do |domain, lines|
|
78
78
|
include[domain.rev_domains.first] = "/etc/bind/tables/#{domain}.reverse"
|
79
|
-
host.result.add(self, write_header(host.region, domain.rev_domains.first), Construqt::Resources::Rights::
|
80
|
-
host.result.add(self, lines.values.sort.join("\n"), Construqt::Resources::Rights::
|
79
|
+
host.result.add(self, write_header(host.region, domain.rev_domains.first), Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::DNS), "etc/bind/tables", "#{domain.to_s}.reverse")
|
80
|
+
host.result.add(self, lines.values.sort.join("\n"), Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::DNS), "etc/bind/tables", "#{domain.to_s}.reverse")
|
81
81
|
end
|
82
82
|
|
83
83
|
include.each do |domain,path|
|
84
|
-
host.result.add(self, <<DNS, Construqt::Resources::Rights::
|
84
|
+
host.result.add(self, <<DNS, Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::DNS), "etc/bind/named.conf.local")
|
85
85
|
zone "#{domain.to_s}" {
|
86
86
|
type master;
|
87
87
|
file "#{path}";
|
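Review bot: The new resource paths are given as a single `"etc/bind/tables"` segment plus a file name (new lines 73–84) while the rest of this change passes each directory as its own argument (`"etc", "bird", "bird.conf"`); if `result.add` joins its trailing arguments, `"etc", "bind", "tables", "#{domain}.forward"` keeps the convention. In the reverse loop `"#{domain.to_s}.reverse"` is the same string as the `"#{domain}.reverse"` used for `include` two lines above, so the explicit `.to_s` can go. Each domain adds two resources under the same path (header, then lines); a comment stating that `result.add` appends to an existing resource would make that visible. The `include.each` block continues beyond the hunk.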