construqt 0.0.5 → 0.0.6
- checksums.yaml +4 -4
- data/lib/construqt/addresses.rb +121 -10
- data/lib/construqt/bgps.rb +10 -12
- data/lib/construqt/firewalls.rb +115 -16
- data/lib/construqt/flavour/ciscian/ciscian.rb +73 -93
- data/lib/construqt/flavour/ciscian/deploy_template.rb +36 -0
- data/lib/construqt/flavour/ciscian/dialect_dlink-dgs15xx.rb +62 -114
- data/lib/construqt/flavour/ciscian/dialect_hp-2510g.rb +74 -14
- data/lib/construqt/flavour/delegates.rb +9 -0
- data/lib/construqt/flavour/mikrotik/flavour_mikrotik.rb +0 -3
- data/lib/construqt/flavour/mikrotik/flavour_mikrotik_bgp.rb +12 -1
- data/lib/construqt/flavour/mikrotik/flavour_mikrotik_interface.rb +32 -1
- data/lib/construqt/flavour/mikrotik/flavour_mikrotik_result.rb +2 -0
- data/lib/construqt/flavour/mikrotik/flavour_mikrotik_schema.rb +3 -3
- data/lib/construqt/flavour/plantuml/plantuml.rb +2 -2
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu.rb +24 -13
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_bgp.rb +16 -7
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_dns.rb +5 -5
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_firewall.rb +218 -67
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_ipsec.rb +33 -17
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_opvn.rb +5 -5
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_result.rb +77 -14
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_services.rb +77 -29
- data/lib/construqt/flavour/ubuntu/flavour_ubuntu_vrrp.rb +18 -3
- data/lib/construqt/interfaces.rb +25 -6
- data/lib/construqt/ipsecs.rb +5 -3
- data/lib/construqt/rack.rb +51 -0
- data/lib/construqt/resource.rb +25 -3
- data/lib/construqt/reverse.rb +1 -0
- data/lib/construqt/services.rb +15 -29
- data/lib/construqt/tags.rb +21 -15
- data/lib/construqt/templates.rb +17 -0
- data/lib/construqt/users.rb +4 -0
- data/lib/construqt/util.rb +1 -1
- data/lib/construqt/version.rb +1 -1
- data/lib/construqt/vlans.rb +13 -2
- data/lib/construqt.rb +2 -1
- metadata +4 -2
@@ -13,6 +13,30 @@ module Construqt
|
|
13
13
|
def commit
|
14
14
|
end
|
15
15
|
|
16
|
+
def sort_section_keys(keys)
|
17
|
+
return keys.sort do |a,b|
|
18
|
+
a = a.to_s
|
19
|
+
b = b.to_s
|
20
|
+
match_a=/^(.*[^\d])(\d+)$/.match(a)||[nil,a,1]
|
21
|
+
match_b=/^(.*[^\d])(\d+)$/.match(b)||[nil,b,1]
|
22
|
+
#puts match_a, match_b, a, b
|
23
|
+
ret=0
|
24
|
+
ret = rate_higher("hostname", match_a[1], match_b[1]) if ret==0
|
25
|
+
ret = rate_higher("snmp", match_a[1], match_b[1]) if ret==0
|
26
|
+
ret = rate_higher("trunk", match_a[1], match_b[1]) if ret==0
|
27
|
+
ret = rate_higher("max-vlans", match_a[1], match_b[1]) if ret==0
|
28
|
+
ret = rate_higher("vlan", match_a[1], match_b[1]) if ret==0
|
29
|
+
ret = rate_higher("vlan", match_a[1], match_b[1]) if ret==0
|
30
|
+
ret = match_a[1]<=>match_b[1] if ret==0
|
31
|
+
ret = match_a[2].to_i<=>match_b[2].to_i if ret==0
|
32
|
+
ret
|
33
|
+
end
|
34
|
+
end
|
35
|
+
|
36
|
+
def rate_higher(prefix, a, b)
|
37
|
+
return a.start_with?(prefix) ^ b.start_with?(prefix) ? (a.start_with?(prefix) ? -1 : 1) : 0
|
38
|
+
end
|
39
|
+
|
16
40
|
def expand_vlan_device_name(device)
|
17
41
|
expand_device_name(device, { "po" => "Trk%s", "ge" => "%s" })
|
18
42
|
end
|
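Review bot: `ret = rate_higher("vlan", match_a[1], match_b[1]) if ret==0` appears twice in sort_section_keys (the fifth and sixth rate_higher lines); the second call can never change `ret`, because the first already decided the "vlan" case, so one of them should be dropped. rate_higher reads correctly only because `^` binds tighter than `?:`; a comment such as `# a key carrying the prefix sorts before one without it; both or neither is a tie (0)` would save the next reader the precedence check. The regex `/^(.*[^\d])(\d+)$/` anchors per line rather than per string; the keys are `to_s`-ed section names so this is harmless today, but `\A`/`\z` would state the intent. Both sort_section_keys and rate_higher are complete within this hunk.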
@@ -25,45 +49,71 @@ module Construqt
|
|
25
49
|
end
|
26
50
|
|
27
51
|
def add_host(host)
|
28
|
-
@result.add("hostname"
|
29
|
-
@result.add("max-vlans"
|
30
|
-
@result.add("snmp-server community \"public\"
|
52
|
+
@result.add("hostname").add(@result.host.name).quotes
|
53
|
+
@result.add("max-vlans").add(64)
|
54
|
+
@result.add("snmp-server community \"public\"")
|
55
|
+
|
56
|
+
#enable ssh per default
|
57
|
+
@result.add("ip ssh")
|
58
|
+
|
31
59
|
@result.host.interfaces.values.each do |iface|
|
32
60
|
next unless iface.delegate.address
|
33
61
|
iface.delegate.address.routes.each do |route|
|
34
|
-
@result.add("ip route #{route.dst.to_s} #{route.dst.netmask} #{route.via.to_s}"
|
62
|
+
@result.add("ip route #{route.dst.to_s} #{route.dst.netmask} #{route.via.to_s}")
|
35
63
|
end
|
36
64
|
end
|
65
|
+
|
66
|
+
if host.delegate.sntp
|
67
|
+
@result.add("sntp server").add(host.delegate.sntp)
|
68
|
+
@result.add("timesync sntp")
|
69
|
+
@result.add("sntp unicast")
|
70
|
+
end
|
71
|
+
|
72
|
+
if host.delegate.logging
|
73
|
+
@result.add("logging").add(host.delegate.logging)
|
74
|
+
end
|
75
|
+
|
37
76
|
end
|
38
77
|
|
39
78
|
def add_device(device)
|
40
79
|
end
|
41
80
|
|
42
81
|
def add_bond(bond)
|
43
|
-
@result.add("trunk", TrunkVerb).add("{+ports}" => bond.interfaces.map{|i| i.delegate.number }, "{*channel}" => bond.delegate.number)
|
82
|
+
@result.add("trunk", TrunkVerb).add("{+ports}" => bond.interfaces.map{|i| i.delegate.number }, "{*channel}" => bond.delegate.number, "{=mode}"=>"LACP")
|
44
83
|
@result.add("spanning-tree #{expand_vlan_device_name(bond)} priority 4")
|
45
84
|
end
|
46
85
|
|
47
86
|
def add_vlan(vlan)
|
48
|
-
@result.add("vlan #{vlan.delegate.vlan_id}
|
87
|
+
@result.add("vlan #{vlan.delegate.vlan_id}", NestedSection) do |section|
|
49
88
|
next unless vlan.delegate.description && !vlan.delegate.description.empty?
|
50
89
|
throw "vlan name too long, max 32 chars" if vlan.delegate.description.length > 32
|
51
|
-
section.add("name"
|
90
|
+
section.add("name").add(vlan.delegate.description).quotes
|
91
|
+
section.add("jumbo")
|
52
92
|
vlan.interfaces.each do |port|
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
|
93
|
+
range=nil
|
94
|
+
if port.template.is_tagged?(vlan.vlan_id)
|
95
|
+
range=section.add("tagged", Tagged)
|
96
|
+
range.add("{+ports}" => [expand_vlan_device_name(port)])
|
97
|
+
elsif port.template.is_untagged?(vlan.vlan_id)
|
98
|
+
range=section.add("tagged", Tagged)
|
99
|
+
range.add("{+uports}" => [expand_vlan_device_name(port)])
|
100
|
+
elsif port.template.is_nountagged?(vlan.vlan_id)
|
101
|
+
range=section.add("tagged", Tagged)
|
102
|
+
range.add("{-uports}" => [expand_vlan_device_name(port)])
|
103
|
+
end
|
58
104
|
end
|
59
105
|
|
60
106
|
if vlan.delegate.address
|
61
107
|
if vlan.delegate.address.first_ipv4
|
62
|
-
section.add("ip address").add(vlan.delegate.address.first_ipv4.
|
108
|
+
section.add("ip address").add(vlan.delegate.address.first_ipv4.to_s + " " + vlan.delegate.address.first_ipv4.netmask)
|
63
109
|
elsif vlan.delegate.address.dhcpv4?
|
64
110
|
section.add("ip address").add("dhcp-bootp")
|
65
111
|
end
|
66
112
|
end
|
113
|
+
|
114
|
+
if vlan.delegate.igmp
|
115
|
+
section.add("ip igmp")
|
116
|
+
end
|
67
117
|
end
|
68
118
|
end
|
69
119
|
|
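Review bot: `@result.add("snmp-server community \"public\"")` in add_host hard-codes the well-known default read community, so every generated switch config exposes SNMP under a name any scanner tries first; the new sntp/logging lines show the pattern to follow, e.g. `@result.add("snmp-server community").add(host.delegate.snmp_community).quotes if host.delegate.snmp_community` (attribute name constructed — the delegate does not visibly carry it yet). In add_vlan the three branches differ only in the key they add while each repeats `range=section.add("tagged", Tagged)`; computing the key (`"{+ports}"`, `"{+uports}"`, `"{-uports}"`) in the branch and doing a single `section.add("tagged", Tagged).add(key => [expand_vlan_device_name(port)])` afterwards keeps the "no match, no section" behaviour with one add, and the initial `range=nil` becomes unnecessary. `throw "vlan name too long, max 32 chars"` is an uncaught throw rather than an exception with that message; `raise ArgumentError, "..."` is what is meant, though that line is pre-existing.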
@@ -81,6 +131,10 @@ module Construqt
|
|
81
131
|
end.flatten.join(' ')
|
82
132
|
end
|
83
133
|
|
134
|
+
def is_virtual?(line)
|
135
|
+
line.include?("vlan")
|
136
|
+
end
|
137
|
+
|
84
138
|
def block_end?(line)
|
85
139
|
['end','exit'].include?(line.strip)
|
86
140
|
end
|
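Review bot: `is_virtual?(line)` uses `line.include?("vlan")`, so any line that merely contains the word (a description or name text, for instance) is classified as virtual; if the intent is to recognise a `vlan` section header, `line.strip.start_with?("vlan")` is the tighter test — hedged, since the caller is outside this hunk. Ruby predicates drop the `is_` prefix (`virtual?`), which would also match the neighbouring `block_end?`.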
@@ -101,8 +155,14 @@ module Construqt
|
|
101
155
|
"trunk"
|
102
156
|
end
|
103
157
|
|
158
|
+
def self.find_regex(variable)
|
159
|
+
{
|
160
|
+
"mode" => "(Trunk|LACP)"
|
161
|
+
}[variable]
|
162
|
+
end
|
163
|
+
|
104
164
|
def self.patterns
|
105
|
-
["no trunk {-ports}", "trunk {+ports} Trk{*channel}
|
165
|
+
["no trunk {-ports}", "trunk {+ports} Trk{*channel} {=mode}"]
|
106
166
|
end
|
107
167
|
end
|
108
168
|
end
|
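Review bot: `self.find_regex` rebuilds its lookup hash on every call; a frozen class-level constant, `MODE_REGEX = { "mode" => "(Trunk|LACP)" }.freeze`, with the method body reduced to `MODE_REGEX[variable]`, avoids the allocation and documents the table. `"(Trunk|LACP)"` is unanchored, so whether it can also match inside a longer token depends on how the pattern matcher applies it, which is outside this hunk; a comment stating the expected matcher contract would help.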
@@ -9,6 +9,7 @@ module Construqt
|
|
9
9
|
|
10
10
|
def delegate=(a)
|
11
11
|
throw "delegate needs to be !nil" unless a
|
12
|
+
a.delegate = self
|
12
13
|
@delegate = a
|
13
14
|
end
|
14
15
|
|
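Review bot: the new `a.delegate = self` in `delegate=` assumes every delegate exposes a `delegate=` writer; an object without one now raises NoMethodError before `@delegate = a` is reached. That is probably intended, but a one-line comment, `# back-link so the delegate can reach its owner`, would make the mutual reference explicit. The guard above it, `throw "delegate needs to be !nil" unless a`, is pre-existing but surfaces as UncaughtThrowError rather than a clear error; `raise ArgumentError, "delegate needs to be !nil" unless a` is what is meant.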
@@ -28,6 +29,14 @@ module Construqt
|
|
28
29
|
@vrrp
|
29
30
|
end
|
30
31
|
|
32
|
+
def ipsec
|
33
|
+
self.delegate.ipsec
|
34
|
+
end
|
35
|
+
|
36
|
+
def firewalls
|
37
|
+
self.delegate.firewalls
|
38
|
+
end
|
39
|
+
|
31
40
|
def description
|
32
41
|
self.delegate.description
|
33
42
|
end
|
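Review bot: the new `ipsec` and `firewalls` readers call `self.delegate.ipsec` / `self.delegate.firewalls` with no nil guard, while the plantuml hunk in this same release adds `iface.delegate && iface.delegate.firewalls`, which suggests delegate can legitimately be unset; if so these readers raise NoMethodError in the same situation the plantuml code is now defending against. Something like `self.delegate ? self.delegate.firewalls : nil` (and the same for ipsec) would keep the two call sites consistent — hedged, since the object's constructor is outside this hunk.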
@@ -14,7 +14,16 @@ module Construqt
|
|
14
14
|
host.result.add("set [ find chain=#{v4_name.inspect} ] comment=to_remove", nil, "routing", "filter")
|
15
15
|
host.result.add("set [ find chain=#{v6_name.inspect} ] comment=to_remove", nil, "routing", "filter")
|
16
16
|
filter.list.each do |rule|
|
17
|
-
rule['network']
|
17
|
+
nets = rule['network']
|
18
|
+
if nets.kind_of?(String)
|
19
|
+
#binding.pry
|
20
|
+
nets = Construqt::Tags.find(nets, Construqt::Addresses::IPV4) + Construqt::Tags.find(nets, Construqt::Addresses::IPV6)
|
21
|
+
# puts ">>>>>>>>>> #{nets.map{|i| i.class.name}}"
|
22
|
+
nets = IPAddress::summarize(nets)
|
23
|
+
else
|
24
|
+
nets = nets.ips
|
25
|
+
end
|
26
|
+
nets.each do |ip|
|
18
27
|
prefix_len = ""
|
19
28
|
if rule['prefix_length']
|
20
29
|
prefix_len = "prefix-length=#{rule['prefix_length'].first}-#{rule['prefix_length'].last}"
|
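Review bot: the new String branch carries two leftover debug comments, `#binding.pry` and `# puts ">>>>>>>>>> #{nets.map{|i| i.class.name}}"`, which should not ship in a release; the same `#binding.pry` is added again in the bird `header_bird` filter hunk later in this diff. When `Construqt::Tags.find` resolves the tag to no addresses in either family, `IPAddress::summarize([])` is handed an empty list and the rule silently produces no address-list entries — hedged, as Tags.find is outside this hunk; a guard such as `throw "no networks for tag #{rule['network']}" if nets.empty?` (or the project's equivalent error) would make a typo in a tag name visible instead of silently opening or dropping nothing. The enclosing filter loop continues past the end of this hunk.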
@@ -115,6 +124,7 @@ module Construqt
|
|
115
124
|
"address-families" => "ip",
|
116
125
|
"default-originate" => self.default_originate,
|
117
126
|
"remote-address" => self.other.my.address.first_ipv4,
|
127
|
+
"use-bfd" => self.cfg.use_bfd.kind_of?(false.class) ? false : true,
|
118
128
|
"tcp-md5-key" => self.cfg.password,
|
119
129
|
"in-filter" => "v4-"+self.filter['in'].name,
|
120
130
|
"out-filter" => "v4-"+self.filter['out'].name)
|
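Review bot: `"use-bfd" => self.cfg.use_bfd.kind_of?(false.class) ? false : true` maps an unset (`nil`) `use_bfd` to `true`, so BFD is switched on for every peer that never configured it; if that default is intended it should be spelled out, `"use-bfd" => self.cfg.use_bfd != false, # BFD on unless explicitly disabled`, and if not, `"use-bfd" => !!self.cfg.use_bfd` gives the conservative default. `false.class` is just `FalseClass`; the `!= false` form reads better than either. The identical line is added in the ipv6 peer hunk that follows (`@@ -124,6 +134,7 @@`).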
@@ -124,6 +134,7 @@ module Construqt
|
|
124
134
|
"remote-as" => self.other.as.num,
|
125
135
|
"address-families" => "ipv6",
|
126
136
|
"remote-address" => self.other.my.address.first_ipv6,
|
137
|
+
"use-bfd" => self.cfg.use_bfd.kind_of?(false.class) ? false : true,
|
127
138
|
"tcp-md5-key" => self.cfg.password,
|
128
139
|
"in-filter" => "v6-"+self.filter['in'].name,
|
129
140
|
"out-filter" => "v6-"+self.filter['out'].name)
|
@@ -43,12 +43,16 @@ module Construqt
|
|
43
43
|
end
|
44
44
|
|
45
45
|
cfg['distance'] = rt.metric if rt.metric
|
46
|
+
|
47
|
+
cfg['routing-mark'] = rt.routing_table if rt.routing_table
|
48
|
+
|
46
49
|
default = {
|
47
50
|
"dst-address" => Schema.network.required.key(0),
|
48
51
|
"gateway" => Schema.address,
|
49
52
|
"type" => Schema.identifier,
|
50
53
|
"distance" => Schema.int,
|
51
|
-
"comment" => Schema.string.required.key(1)
|
54
|
+
"comment" => Schema.string.required.key(1),
|
55
|
+
"routing-mark" => Schema.identifier
|
52
56
|
}
|
53
57
|
cfg['comment'] = "#{cfg['dst-address']} via #{cfg['gateway']} CONSTRUQT"
|
54
58
|
if rt.dst.ipv6?
|
@@ -58,10 +62,37 @@ module Construqt
|
|
58
62
|
end
|
59
63
|
end
|
60
64
|
|
65
|
+
def self.render_firewall_mangle(host, iface)
|
66
|
+
cfg = {
|
67
|
+
"in-interface" => iface.name,
|
68
|
+
"new-routing-mark" => iface.routing_table,
|
69
|
+
"chain" => "prerouting",
|
70
|
+
"action" => "mark-routing"
|
71
|
+
}
|
72
|
+
cfg['comment'] = "tag interface #{cfg['in-interface']} with routing-mark #{cfg['new-routing-mark']} CONSTRUQT"
|
73
|
+
|
74
|
+
default = {
|
75
|
+
"chain" => Schema.identifier.required,
|
76
|
+
"action" => Schema.identifier.required,
|
77
|
+
"new-routing-mark" => Schema.identifier.required,
|
78
|
+
"in-interface" => Schema.identifier.required,
|
79
|
+
"comment" => Schema.string.required.key(1),
|
80
|
+
}
|
81
|
+
|
82
|
+
host.result.render_mikrotik(default, cfg, "ipv6", "firewall", "mangle")
|
83
|
+
host.result.render_mikrotik(default, cfg, "ip", "firewall", "mangle")
|
84
|
+
end
|
85
|
+
|
86
|
+
|
61
87
|
def self.build_config(host, iface)
|
88
|
+
if iface.routing_table
|
89
|
+
render_firewall_mangle(host, iface)
|
90
|
+
end
|
91
|
+
|
62
92
|
#name = File.join(host.name, "interface", "device")
|
63
93
|
#ret = []
|
64
94
|
#ret += self.clazz.build_config(host, iface||self)
|
95
|
+
|
65
96
|
if !(iface.address.nil? || iface.address.ips.empty?)
|
66
97
|
iface.address.ips.each do |ip|
|
67
98
|
render_ip(host, iface, ip)
|
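Review bot: `self.render_firewall_mangle` has no header comment, and its effect — every packet entering `iface` gets its routing lookup redirected to `iface.routing_table` via a prerouting mangle rule — is not obvious from the hash literal; suggest `# Policy routing: mark all traffic arriving on iface so the kernel looks it up in iface.routing_table (rendered for both ip and ipv6)`. The rule is rendered for both families unconditionally even when the interface only carries one, which is presumably harmless but worth a note. `build_config` continues past the end of this hunk.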
@@ -155,9 +155,11 @@ module Construqt
|
|
155
155
|
"interface vrrp",
|
156
156
|
"interface gre6",
|
157
157
|
"ipv6 address",
|
158
|
+
"ipv6 firewall mangle",
|
158
159
|
"ipv6 route",
|
159
160
|
"ip address",
|
160
161
|
"ip dns",
|
162
|
+
"ip firewall mangle",
|
161
163
|
"ip route",
|
162
164
|
"ip ipsec proposal",
|
163
165
|
"ip ipsec peer",
|
@@ -101,7 +101,7 @@ module Construqt
|
|
101
101
|
end
|
102
102
|
|
103
103
|
def self.serialize(schema, val)
|
104
|
-
throw "Address:val must be ipaddress #{val.class.name} #{val} #{schema.field_name}" unless val.kind_of?(IPAddress::IPv6) || val.kind_of?(IPAddress::IPv4)
|
104
|
+
throw "Address:val must be ipaddress #{val.class.name} #{val} #{schema.field_name}" unless val.kind_of?(Construqt::Addresses::CqIpAddress) || val.kind_of?(IPAddress::IPv6) || val.kind_of?(IPAddress::IPv4)
|
105
105
|
# throw "only 0-9:\.\/ are allowed #{val}" unless val.match(/^[a-fA-F0-9:\.\/]+$/)
|
106
106
|
return Flavour::Mikrotik.compress_address(val)
|
107
107
|
end
|
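Review bot: the widened predicate `val.kind_of?(Construqt::Addresses::CqIpAddress) || val.kind_of?(IPAddress::IPv6) || val.kind_of?(IPAddress::IPv4)` is now copied verbatim into three serializers (this hunk and the two that follow at `@@ -113,7 +113,7 @@` and `@@ -125,7 +125,7 @@`); a single helper, e.g. `def self.ip_like?(val) = ...` or a plain `def self.ip_like?(val)` with that body, called from each `throw ... unless`, keeps the next widening to one edit. `throw` with a string is an uncaught throw rather than an error with that message; `raise ArgumentError, "..."` is what is meant, though that is pre-existing style.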
@@ -113,7 +113,7 @@ module Construqt
|
|
113
113
|
end
|
114
114
|
|
115
115
|
def self.serialize(schema, val)
|
116
|
-
throw "Address:val must be ipaddress #{val.class.name} #{val} #{schema.field_name}" unless val.kind_of?(IPAddress::IPv6) || val.kind_of?(IPAddress::IPv4)
|
116
|
+
throw "Address:val must be ipaddress #{val.class.name} #{val} #{schema.field_name}" unless val.kind_of?(Construqt::Addresses::CqIpAddress) || val.kind_of?(IPAddress::IPv6) || val.kind_of?(IPAddress::IPv4)
|
117
117
|
# throw "only 0-9:\.\/ are allowed #{val}" unless val.match(/^[a-fA-F0-9:\.\/]+$/)
|
118
118
|
return "#{Flavour::Mikrotik.compress_address(val)}/#{val.prefix}"
|
119
119
|
end
|
@@ -125,7 +125,7 @@ module Construqt
|
|
125
125
|
end
|
126
126
|
|
127
127
|
def self.serialize(schema, val)
|
128
|
-
throw "Network::val must be ipaddress #{val.class.name} #{val} #{schema.field_name}" unless val.kind_of?(IPAddress::IPv6) || val.kind_of?(IPAddress::IPv4)
|
128
|
+
throw "Network::val must be ipaddress #{val.class.name} #{val} #{schema.field_name}" unless val.kind_of?(Construqt::Addresses::CqIpAddress) || val.kind_of?(IPAddress::IPv6) || val.kind_of?(IPAddress::IPv4)
|
129
129
|
#throw "only 0-9:\.\/ are allowed #{val}" unless val.match(/^[a-fA-F0-9:\.\/]+$/)
|
130
130
|
return "#{Flavour::Mikrotik.compress_address(val)}/#{val.prefix}"
|
131
131
|
end
|
@@ -138,11 +138,11 @@ UML
|
|
138
138
|
end
|
139
139
|
end
|
140
140
|
|
141
|
-
iface.delegate.firewalls && iface.delegate.firewalls.each_with_index do |fw, idx|
|
141
|
+
iface.delegate && iface.delegate.firewalls && iface.delegate.firewalls.each_with_index do |fw, idx|
|
142
142
|
out << "fw(#{idx}) = \"#{fw.name}\""
|
143
143
|
end
|
144
144
|
|
145
|
-
(iface.tags+tags).sort.uniq.each_with_index do |tag, idx|
|
145
|
+
iface.tags && (iface.tags+tags).sort.uniq.each_with_index do |tag, idx|
|
146
146
|
out << "tag(#{idx}) = \"#{tag}\""
|
147
147
|
end
|
148
148
|
|
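Review bot: the new guards are written as expression chains, `iface.delegate && iface.delegate.firewalls && iface.delegate.firewalls.each_with_index do |fw, idx|` and `iface.tags && (iface.tags+tags).sort.uniq.each_with_index do |tag, idx|`, which reads as a value computation rather than a guarded loop. Wrapping each in `if iface.delegate && iface.delegate.firewalls` / `if iface.tags` makes the intent clear and keeps the `do ... end` block unambiguous. The enclosing method starts and ends outside this hunk.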
@@ -39,7 +39,8 @@ module Construqt
|
|
39
39
|
return
|
40
40
|
end
|
41
41
|
|
42
|
-
writer.header.
|
42
|
+
writer.header.dhcpv4 if iface.address.dhcpv4?
|
43
|
+
writer.header.dhcpv6 if iface.address.dhcpv6?
|
43
44
|
writer.header.mode(EtcNetworkInterfaces::Entry::Header::MODE_LOOPBACK) if iface.address.loopback?
|
44
45
|
lines.add(iface.flavour) if iface.flavour
|
45
46
|
iface.address.ips.each do |ip|
|
@@ -83,6 +84,15 @@ module Construqt
|
|
83
84
|
writer.lines.down("ip link set dev #{ifname} down")
|
84
85
|
add_address(host, ifname, iface.delegate, writer.lines, writer) #unless iface.address.nil? || iface.address.ips.empty?
|
85
86
|
add_services(host, ifname, iface.delegate, writer)
|
87
|
+
host.ipsecs.find do |ipsec|
|
88
|
+
if ipsec.left.remote.interface == iface || ipsec.right.remote.interface == iface
|
89
|
+
writer.lines.up("STARTED_BY_CONSTRUQT=yes /etc/init.d/racoon start")
|
90
|
+
writer.lines.down("STARTED_BY_CONSTRUQT=yes /etc/init.d/racoon restart")
|
91
|
+
true
|
92
|
+
else
|
93
|
+
false
|
94
|
+
end
|
95
|
+
end
|
86
96
|
end
|
87
97
|
end
|
88
98
|
|
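Review bot: `host.ipsecs.find do |ipsec| ... true else false end` uses `find` purely for its side effects and early exit, and the matched ipsec is discarded; `any?` with the condition and the two writer lines outside the block says the same thing without the true/false scaffolding. On interface down the hook issues `racoon restart` rather than a stop, which may be intentional (re-read config when the link flaps) but deserves a comment, e.g. `# restart, not stop: other tunnels may still be up`. The enclosing method continues past the end of this hunk.
```ruby
add_services(host, ifname, iface.delegate, writer)
if host.ipsecs.any? { |ipsec| ipsec.left.remote.interface == iface || ipsec.right.remote.interface == iface }
  writer.lines.up("STARTED_BY_CONSTRUQT=yes /etc/init.d/racoon start")
  writer.lines.down("STARTED_BY_CONSTRUQT=yes /etc/init.d/racoon restart")
end
```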
@@ -142,7 +152,7 @@ BOND
|
|
142
152
|
end
|
143
153
|
|
144
154
|
def build_config(host, unused)
|
145
|
-
host.result.add(self, <<SCTL, Construqt::Resources::Rights
|
155
|
+
host.result.add(self, <<SCTL, Construqt::Resources::Rights.root_0644, "etc", "sysctl.conf")
|
146
156
|
net.ipv4.conf.all.forwarding = 1
|
147
157
|
net.ipv4.conf.default.forwarding = 1
|
148
158
|
net.ipv4.vs.pmtu_disc=1
|
@@ -151,7 +161,7 @@ net.ipv6.conf.all.autoconf=0
|
|
151
161
|
net.ipv6.conf.all.accept_ra=0
|
152
162
|
net.ipv6.conf.all.forwarding=1
|
153
163
|
SCTL
|
154
|
-
host.result.add(self, <<HOSTS, Construqt::Resources::Rights
|
164
|
+
host.result.add(self, <<HOSTS, Construqt::Resources::Rights.root_0644, "etc", "hosts")
|
155
165
|
127.0.0.1 localhost
|
156
166
|
::1 localhost ip6-localhost ip6-loopback
|
157
167
|
fe00::0 ip6-localnet
|
@@ -161,12 +171,12 @@ ff02::2 ip6-allrouters
|
|
161
171
|
|
162
172
|
127.0.1.1 #{host.name} #{host.region.network.fqdn(host.name)}
|
163
173
|
HOSTS
|
164
|
-
host.result.add(self, host.name, Construqt::Resources::Rights
|
165
|
-
host.result.add(self, "# WTF resolvconf", Construqt::Resources::Rights
|
174
|
+
host.result.add(self, host.name, Construqt::Resources::Rights.root_0644, "etc", "hostname")
|
175
|
+
host.result.add(self, "# WTF resolvconf", Construqt::Resources::Rights.root_0644, "etc", "resolvconf", "resolv.conf.d", "orignal");
|
166
176
|
host.result.add(self,
|
167
177
|
(host.region.network.dns_resolver.nameservers.ips.map{|i| "nameserver #{i.to_s}" }+
|
168
178
|
["search #{host.region.network.dns_resolver.search.join(' ')}"]).join("\n"),
|
169
|
-
Construqt::Resources::Rights
|
179
|
+
Construqt::Resources::Rights.root_0644, "etc", "resolv.conf")
|
170
180
|
#binding.pry
|
171
181
|
Dns.build_config(host) if host.delegate.dns_server
|
172
182
|
akeys = []
|
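Review bot: the new resolvconf line writes to `"etc", "resolvconf", "resolv.conf.d", "orignal"` — "orignal" looks like a typo for "original", and if the file is meant to be picked up by resolvconf the misspelled name makes it inert; please confirm the intended path. The same line ends with a stray `;`, which no other `host.result.add` call in this hunk has. The enclosing build_config continues past the end of this hunk.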
@@ -178,11 +188,11 @@ HOSTS
|
|
178
188
|
skeys << "#{u.shadow}" if u.shadow
|
179
189
|
end
|
180
190
|
|
181
|
-
host.result.add(self, skeys.join(), Construqt::Resources::Rights
|
182
|
-
host.result.add(self, akeys.join(), Construqt::Resources::Rights
|
183
|
-
host.result.add(self, ykeys.join("\n"), Construqt::Resources::Rights
|
191
|
+
#host.result.add(self, skeys.join(), Construqt::Resources::Rights.root_0644, "etc", "shadow.merge")
|
192
|
+
host.result.add(self, akeys.join(), Construqt::Resources::Rights.root_0644, "root", ".ssh", "authorized_keys")
|
193
|
+
host.result.add(self, ykeys.join("\n"), Construqt::Resources::Rights.root_0644, "etc", "yubikey_mappings")
|
184
194
|
|
185
|
-
host.result.add(self, <<SSH , Construqt::Resources::Rights::
|
195
|
+
host.result.add(self, <<SSH , Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::SSH), "etc", "ssh", "sshd_config")
|
186
196
|
# Package generated configuration file
|
187
197
|
# See the sshd_config(5) manpage for details
|
188
198
|
|
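Review bot: commenting out `#host.result.add(self, skeys.join(), ...)` leaves `skeys` (still collected from `u.shadow` just above) built and never used; either the shadow merge should be restored or the collection removed, and a comment saying why it was disabled would help the next maintainer. `root/.ssh/authorized_keys` is written with `Rights.root_0644`, i.e. world-readable; sshd accepts that, but an owner-only mode is the convention for that file, if Rights offers one. The enclosing build_config continues past the end of this hunk.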
@@ -272,7 +282,7 @@ Subsystem sftp /usr/lib/openssh/sftp-server
|
|
272
282
|
# and ChallengeResponseAuthentication to 'no'.
|
273
283
|
UsePAM yes
|
274
284
|
SSH
|
275
|
-
host.result.add(self, <<PAM , Construqt::Resources::Rights::
|
285
|
+
host.result.add(self, <<PAM , Construqt::Resources::Rights::root_0644, "etc", "pam.d", "openvpn")
|
276
286
|
#{host.delegate.yubikey ? '':'# '}auth required pam_yubico.so id=16 authfile=/etc/yubikey_mappings
|
277
287
|
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
|
278
288
|
auth requisite pam_deny.so
|
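Review bot: `Construqt::Resources::Rights::root_0644` calls the method with `::` while every other new `host.result.add` in this diff uses `Construqt::Resources::Rights.root_0644`; `::` for a method call is legal but reads as a constant reference, so the dotted form should be used here too. The file content itself is unchanged by this hunk, and the enclosing method continues outside it.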
@@ -297,7 +307,6 @@ PAM
|
|
297
307
|
|
298
308
|
def build_config(host, gre)
|
299
309
|
gre_delegate = gre.delegate
|
300
|
-
# binding.pry
|
301
310
|
cfg = nil
|
302
311
|
if gre_delegate.local.first_ipv6
|
303
312
|
cfg = OpenStruct.new(:prefix=>6, :my=>gre_delegate.local.first_ipv6, :other => gre_delegate.remote.first_ipv6, :mode => "ip6gre")
|
@@ -306,7 +315,7 @@ PAM
|
|
306
315
|
end
|
307
316
|
|
308
317
|
throw "need a local address #{host.name}:#{gre_delegate.name}" unless cfg
|
309
|
-
local_iface = host.interfaces.values.find { |iface| iface.address.match_network(cfg.my) }
|
318
|
+
local_iface = host.interfaces.values.find { |iface| iface.address && iface.address.match_network(cfg.my) }
|
310
319
|
throw "need a interface with address #{host.name}:#{cfg.my}" unless local_iface
|
311
320
|
iname = Util.clean_if("gt#{cfg.prefix}", gre_delegate.name)
|
312
321
|
|
@@ -318,6 +327,8 @@ PAM
|
|
318
327
|
writer = host.result.etc_network_interfaces.get(gre_delegate)
|
319
328
|
writer.skip_interfaces.header.interface_name(iname)
|
320
329
|
writer.lines.up("ip -#{cfg.prefix} tunnel add #{iname} mode #{cfg.mode} local #{cfg.my.to_s} remote #{cfg.other.to_s}")
|
330
|
+
#writer.lines.up("ip -#{cfg.prefix} tunnel add #{iname} mode #{cfg.mode} local #{cfg.my.to_s} remote #{cfg.other.to_s}")
|
331
|
+
#/sbin/ip -6 tunnel add gt4nactr01 mode ip4ip6 remote 2a04:2f80:f:f003::2 local 2a04:2f80:f:f003::1
|
321
332
|
# writer.lines.up("ip -#{cfg.prefix} link set dev #{iname} up")
|
322
333
|
Device.build_config(host, gre)
|
323
334
|
# Device.add_address(host, iname, iface, writer.lines, writer)
|
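Review bot: the two added lines are commented-out code, and the second one, `#/sbin/ip -6 tunnel add gt4nactr01 mode ip4ip6 remote 2a04:2f80:f:f003::2 local 2a04:2f80:f:f003::1`, embeds what looks like a real host name and address pair from the author's deployment into a published gem; debugging leftovers like this should be dropped before release, or reduced to a neutral note such as `# ip4ip6 tunnels over an IPv6 underlay use mode ip4ip6 (see ip-tunnel(8))` if the reminder matters. The enclosing build_config starts and ends outside this hunk.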
@@ -10,10 +10,16 @@ module Construqt
|
|
10
10
|
def self.header(host)
|
11
11
|
return if host.bgps.empty?
|
12
12
|
# binding.pry
|
13
|
-
bird_v4 = self.header_bird(host, OpenStruct.new(:net_clazz =>
|
14
|
-
|
15
|
-
|
16
|
-
|
13
|
+
bird_v4 = self.header_bird(host, OpenStruct.new(:net_clazz => lambda {|o|
|
14
|
+
(o.kind_of?(IPAddress::IPv4)||o.kind_of?(Construqt::Addresses::CqIpAddress)) && o.ipv4?
|
15
|
+
},
|
16
|
+
:filter => lambda {|ip| ip.ipv4? }))
|
17
|
+
host.result.add(self, bird_v4, Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::BGP), "etc", "bird", "bird.conf")
|
18
|
+
bird_v6 = self.header_bird(host, OpenStruct.new(:net_clazz => lambda {|o|
|
19
|
+
(o.kind_of?(IPAddress::IPv6)||o.kind_of?(Construqt::Addresses::CqIpAddress)) && o.ipv6?
|
20
|
+
},
|
21
|
+
:filter => lambda {|ip| ip.ipv6? }))
|
22
|
+
host.result.add(self, bird_v6, Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::BGP), "etc", "bird", "bird6.conf")
|
17
23
|
end
|
18
24
|
|
19
25
|
def self.header_bird(host, mode)
|
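Review bot: `:net_clazz` now receives a lambda rather than a class, so the name misleads; `:net_match` or `:net_select` with a comment `# predicate used by Construqt::Tags.find to pick addresses of this family` would say what it is — hedged, since Tags.find is outside this hunk. Inside the lambda, `o.kind_of?(IPAddress::IPv4) && o.ipv4?` is redundant for the IPv4 class and the only interesting case is CqIpAddress; the v4 and v6 blocks differ only in the class and predicate, so a small helper taking those two would remove the duplication. The blank-line-only removals (`-` lines 14–16) are history and need no action.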
@@ -40,6 +46,7 @@ BGP
|
|
40
46
|
filter.list.each do |rule|
|
41
47
|
nets = rule['network']
|
42
48
|
if nets.kind_of?(String)
|
49
|
+
#binding.pry
|
43
50
|
nets = Construqt::Tags.find(nets, mode.net_clazz)
|
44
51
|
# puts ">>>>>>>>>> #{nets.map{|i| i.class.name}}"
|
45
52
|
nets = IPAddress::summarize(nets)
|
@@ -50,7 +57,9 @@ BGP
|
|
50
57
|
nets.each do |ip|
|
51
58
|
next unless mode.filter.call(ip)
|
52
59
|
ip_str = ip.to_string
|
53
|
-
if rule['
|
60
|
+
if rule['addr_sub_prefix']
|
61
|
+
ip_str = "#{ip.to_string}{#{ip.prefix},#{ip.ipv4? ? 32 : 128}}"
|
62
|
+
elsif rule['prefix_length']
|
54
63
|
ip_str = "#{ip.to_string}{#{rule['prefix_length'].first},#{rule['prefix_length'].last}}"
|
55
64
|
end
|
56
65
|
|
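Review bot: with the new `addr_sub_prefix` branch placed before `elsif rule['prefix_length']`, a rule that sets both keys silently ignores `prefix_length`; that precedence should be stated, e.g. `# addr_sub_prefix wins over an explicit prefix_length range`, or the combination rejected. The generated range `{#{ip.prefix},#{ip.ipv4? ? 32 : 128}}` reads as "this prefix and every more-specific one", which is the usual intent but worth a word in the comment too. The enclosing loop continues past the end of this hunk.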
@@ -66,7 +75,7 @@ BGP
|
|
66
75
|
|
67
76
|
def build_bird_conf
|
68
77
|
if self.my.address.first_ipv4 && self.other.my.address.first_ipv4
|
69
|
-
self.my.host.result.add(self, <<BGP, Construqt::Resources::Rights::
|
78
|
+
self.my.host.result.add(self, <<BGP, Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::BGP), "etc", "bird", "bird.conf")
|
70
79
|
protocol bgp #{Util.clean_bgp(self.my.host.name)}_#{Util.clean_bgp(self.other.host.name)} {
|
71
80
|
description "#{self.my.host.name} <=> #{self.other.host.name}";
|
72
81
|
direct;
|
@@ -85,7 +94,7 @@ BGP
|
|
85
94
|
def build_bird6_conf
|
86
95
|
# binding.pry
|
87
96
|
if self.my.address.first_ipv6 && self.other.my.address.first_ipv6
|
88
|
-
self.my.host.result.add(self, <<BGP, Construqt::Resources::Rights::
|
97
|
+
self.my.host.result.add(self, <<BGP, Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::BGP), "etc", "bird", "bird6.conf")
|
89
98
|
protocol bgp #{Util.clean_bgp(self.my.host.name)}_#{Util.clean_bgp(self.other.host.name)} {
|
90
99
|
description "#{self.my.host.name} <=> #{self.other.host.name}";
|
91
100
|
direct;
|
@@ -70,18 +70,18 @@ OUT
|
|
70
70
|
include = {}
|
71
71
|
forward.each do |domain, lines|
|
72
72
|
include[domain] = "/etc/bind/tables/#{domain}.forward"
|
73
|
-
host.result.add(self, write_header(host.region, domain), Construqt::Resources::Rights::
|
74
|
-
host.result.add(self, lines.sort.join("\n"), Construqt::Resources::Rights::
|
73
|
+
host.result.add(self, write_header(host.region, domain), Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::DNS), "etc/bind/tables", "#{domain}.forward")
|
74
|
+
host.result.add(self, lines.sort.join("\n"), Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::DNS), "etc/bind/tables", "#{domain}.forward")
|
75
75
|
end
|
76
76
|
|
77
77
|
reverse.each do |domain, lines|
|
78
78
|
include[domain.rev_domains.first] = "/etc/bind/tables/#{domain}.reverse"
|
79
|
-
host.result.add(self, write_header(host.region, domain.rev_domains.first), Construqt::Resources::Rights::
|
80
|
-
host.result.add(self, lines.values.sort.join("\n"), Construqt::Resources::Rights::
|
79
|
+
host.result.add(self, write_header(host.region, domain.rev_domains.first), Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::DNS), "etc/bind/tables", "#{domain.to_s}.reverse")
|
80
|
+
host.result.add(self, lines.values.sort.join("\n"), Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::DNS), "etc/bind/tables", "#{domain.to_s}.reverse")
|
81
81
|
end
|
82
82
|
|
83
83
|
include.each do |domain,path|
|
84
|
-
host.result.add(self, <<DNS, Construqt::Resources::Rights::
|
84
|
+
host.result.add(self, <<DNS, Construqt::Resources::Rights.root_0644(Construqt::Resources::Component::DNS), "etc/bind/named.conf.local")
|
85
85
|
zone "#{domain.to_s}" {
|
86
86
|
type master;
|
87
87
|
file "#{path}";
|
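Review bot: the reverse-zone lines interpolate `"#{domain.to_s}.reverse"` while the forward lines use `"#{domain}.forward"`; string interpolation already calls `to_s`, so the explicit call is noise and the two loops should agree. Each loop calls `host.result.add` twice with the same target path (header, then the sorted lines), which only works if `result.add` appends rather than replaces — hedged, as Result is outside this hunk; a comment `# two adds to one path: header first, entries appended` would pin that assumption. The `include.each` block and its DNS heredoc continue past the end of this hunk.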