From: alex
Date: Sat, 14 Jan 2023 18:11:18 +0000 (+0100)
Subject: Add tinc management
X-Git-Tag: 20240214-emacs~507
X-Git-Url: https://xn--ix-yja.es/gitweb/?a=commitdiff_plain;h=b7e8dca0b38999b361b108e852c47ebd1ab77938;p=alex.git
Add tinc management
---
diff --git a/personal_infra/puppet/modules/tinc/manifests/init.pp b/personal_infra/puppet/modules/tinc/manifests/init.pp
new file mode 100644
index 0000000..9f1ab0b
--- /dev/null
+++ b/personal_infra/puppet/modules/tinc/manifests/init.pp
@@ -0,0 +1,71 @@
+class tinc($tinc_name, $tinc_location, $tinc_connect_to, $tinc_locations, $tinc_ip, $tinc_netmask, $tinc_other_networks) {
+ package {'tinc':}
+ ->
+ file {'/etc/tinc':
+ ensure => directory,
+ }
+ ->
+ file {"/etc/tinc/${tinc_name}":
+ ensure => directory,
+ }
+ ->
+ file {"/etc/tinc/${tinc_name}/hosts":
+ ensure => directory,
+ }
+ ->
+ file {"/etc/tinc/${tinc_name}/tinc.conf":
+ content => epp('tinc/tinc.conf', {'tinc_name' => $tinc_name,
+ 'tinc_location' => $tinc_location,
+ 'tinc_connect_to' => $tinc_connect_to,
+ }),
+ notify => Service["tinc@${tinc_name}"],
+ }
+
+ $tinc_locations.each |$name, $location| {
+ exec {"/bin/echo Subnet = ${location['subnet']} >/etc/tinc/${tinc_name}/hosts/${name} && echo Address = ${location['address']} >>/etc/tinc/${tinc_name}/hosts/${name} ; cat /etc/ansible/tinc/public_${location['address']}.pem >>/etc/tinc/${tinc_name}/hosts/${name}":
+ require => File["/etc/tinc/${tinc_name}/hosts"],
+ notify => Service["tinc@${tinc_name}"],
+ }
+ }
+
+ service {"tinc@${tinc_name}":
+ ensure => running,
+ enable => true,
+ }
+
+ exec {"/bin/cp /etc/ansible/tinc/private.pem /etc/tinc/${tinc_name}/rsa_key.priv":
+ creates => "/etc/tinc/${tinc_name}/rsa_key.priv",
+ require => File["/etc/tinc/${tinc_name}"],
+ notify => Service["tinc@${tinc_name}"],
+ }
+
+ file {"/etc/tinc/${tinc_name}/tinc-up":
+ content => epp('tinc/tinc-up', {'ip' => $tinc_ip,
+ 'netmask' => $tinc_netmask,
+ 'tinc_other_networks' => $tinc_other_networks,}),
+ require => File["/etc/tinc/${tinc_name}"],
+ mode => '777',
+ notify => Service["tinc@${tinc_name}"],
+ }
+
+ if ($osfamily == 'RedHat') {
+ exec {'open firewall for tinc':
+ command => '/usr/bin/firewall-cmd --permanent --add-port=655/{tcp,udp}',
+ unless => '/usr/bin/firewall-cmd --query-port=655/udp',
+ }
+ ~>
+ exec {'reload firewall for tinc':
+ command => '/usr/bin/firewall-cmd --reload',
+ refreshonly => true,
+ }
+ }
+
+ file {'/etc/sysctl.d/tinc.conf':
+ content => "net.ipv4.ip_forward=1\nnet.ipv4.conf.all.proxy_arp=0\n",
+ }
+ ~>
+ exec {'reload sysctl for tinc':
+ command => '/sbin/sysctl --system',
+ refreshonly => true,
+ }
+}
diff --git a/personal_infra/puppet/modules/tinc/templates/tinc-up.epp b/personal_infra/puppet/modules/tinc/templates/tinc-up.epp
new file mode 100644
index 0000000..7c89098
--- /dev/null
+++ b/personal_infra/puppet/modules/tinc/templates/tinc-up.epp
@@ -0,0 +1,11 @@
+<%- | $ip,
+ $netmask,
+ $tinc_other_networks,
+| -%>
+#!/bin/sh
+
+ifconfig $INTERFACE <%= $ip %> netmask 255.255.255.255
+
+<% $tinc_other_networks.each |$tinc_other_network| { %>
+ route add -net <%= $tinc_other_network %> dev $INTERFACE
+<% } %>
diff --git a/personal_infra/puppet/modules/tinc/templates/tinc.conf.epp b/personal_infra/puppet/modules/tinc/templates/tinc.conf.epp
new file mode 100644
index 0000000..959fb94
--- /dev/null
+++ b/personal_infra/puppet/modules/tinc/templates/tinc.conf.epp
@@ -0,0 +1,8 @@
+<%- | $tinc_name,
+ $tinc_location,
+ $tinc_connect_to,
+| -%>
+Name = <%= $tinc_location %>
+<% $tinc_connect_to.each | $tinc_connection | { -%>
+ConnectTo = <%= $tinc_connection %>
+<% } %>
diff --git a/personal_infra/puppet/site/00-common.pp b/personal_infra/puppet/site/00-common.pp
index 080c754..c502308 100644
--- a/personal_infra/puppet/site/00-common.pp
+++ b/personal_infra/puppet/site/00-common.pp
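Review bot: The `tinc-up` file resource in `init.pp` is installed with `mode => '777'`, which leaves a script that tinc executes with root privileges writable by every local user; `mode => '0755'` (or `'0750'`) is all tinc needs to run it and keeps it from being tampered with. The per-host `exec` inside the `$tinc_locations.each` loop has no `creates`/`unless`/`refreshonly` guard, so it truncates and rewrites the hosts file and notifies `Service["tinc@${tinc_name}"]` on every agent run, restarting the daemon each time; rendering that host file through a `file` resource (or at least adding a guard) would make it idempotent. The `rsa_key.priv` copy does have `creates`, but nothing pins the owner or mode of the copied private key — a follow-up `file` resource with `mode => '0600'` would do that.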
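Review bot: `tinc-up.epp` declares a `$netmask` parameter but never uses it — `ifconfig` is called with a hard-coded `netmask 255.255.255.255` — so the `tinc_netmask` value wired through from `init.pp` is silently ignored; if the /32 is intentional, drop the parameter from the template and the `epp()` call, otherwise emit `netmask <%= $netmask %>`. The script also depends on `ifconfig` and `route` from net-tools (the reason for the `package {'net-tools':}` TODO in `h1.pdp7.net.pp`); `ip addr add <%= $ip %>/32 dev $INTERFACE` and `ip route add <%= $tinc_other_network %> dev $INTERFACE` would remove that dependency. Adding `set -e` after the shebang would make a failed interface setup abort the script instead of continuing to the route additions.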
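Review bot: `$tinc_name` is accepted by `tinc.conf.epp` but never referenced in the rendered config, so the `epp()` call in `init.pp` passes a value the template ignores; drop it from the parameter list and the call, or use it. The `Name =` value comes from `$tinc_location`, which is also the key used for the per-host files under `hosts/` in `init.pp`; since the two must agree, a comment such as `<%# Name must match the hosts/ file name written by init.pp -%>` would save a later edit from breaking that coupling.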
@@ -1 +1,28 @@
 include automatic_updates
+
+$tinc_hosts = lookup("'$ansible_inventory_hostname'.groups.tinc")
+$tinc_other_hosts = $tinc_hosts.filter |$host_name| { $host_name != $ansible_inventory_hostname }
+
+$tinc_locations = Hash($tinc_hosts.map |$host_name| { [
+ lookup("'$host_name'.network.tinc.location"),
+ {
+ subnet => lookup("'$host_name'.network.self_internal_network"),
+ address => lookup("'$host_name'.network.public_hostname"),
+ }
+] })
+
+$tinc_connect_to = $tinc_other_hosts.map |$host_name| { lookup("'$host_name'.network.tinc.location") }
+
+$tinc_other_networks = $tinc_other_hosts.map |$host_name| { lookup("'$host_name'.network.self_internal_network") }
+
+if 'tinc' in lookup("'$ansible_inventory_hostname'.group_names") {
+ class {'tinc':
+ tinc_name => lookup("'$ansible_inventory_hostname'.tinc_global.name"),
+ tinc_location => lookup("'$ansible_inventory_hostname'.network.tinc.location"),
+ tinc_connect_to => $tinc_connect_to,
+ tinc_locations => $tinc_locations,
+ tinc_ip => lookup("'$ansible_inventory_hostname'.network.self_internal_ip"),
+ tinc_netmask => lookup("'$ansible_inventory_hostname'.network.self_internal_netmask"),
+ tinc_other_networks => $tinc_other_networks,
+ }
+}
diff --git a/personal_infra/puppet/site/h1.pdp7.net.pp b/personal_infra/puppet/site/h1.pdp7.net.pp
index ea16d81..0af8c68 100644
--- a/personal_infra/puppet/site/h1.pdp7.net.pp
+++ b/personal_infra/puppet/site/h1.pdp7.net.pp
@@ -1,4 +1,7 @@
 node 'h1.pdp7.net' {
 class {'proxmox':}
 class {'dns_dhcp':}
+
+ # TODO: ugly; tinc scripts require this :(
+ package {'net-tools':}
 }
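Review bot: The `$tinc_hosts`, `$tinc_locations`, `$tinc_connect_to` and `$tinc_other_networks` assignments in `00-common.pp` are evaluated before the `if 'tinc' in lookup(...)` guard, so every node runs `lookup("'$ansible_inventory_hostname'.groups.tinc")` and the per-host `.network.tinc.location` lookups; since none of these `lookup()` calls supplies a default, a node outside the tinc group whose hiera data lacks those keys will presumably fail catalog compilation instead of just skipping the class — worth confirming against the hiera layout. Moving the four assignments inside the `if` block (or giving each lookup a default) keeps that data access scoped to tinc members. For consistency, the `tinc_name`, `tinc_location`, `tinc_ip` and `tinc_netmask` lookups made inline in the `class {'tinc':` declaration could be bound to local variables next to the others.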