#!/bin/bash
# postinst script for #PACKAGE#
#
# see: dh_installdeb(1)
#set -xe
## -E: ERR traps are inherited by functions/subshells, -e: abort on any
## unhandled error, -x: trace every command, -o pipefail: a failing stage
## fails the whole pipe (this is what makes `pki ... | curl --fail` fatal
## below). No -u on purpose: the FRR_* / IPSEC_* accumulators further down
## are read (${FRR_IFS}...) before they are ever assigned.
## NOTE(review): -x writes every expanded command line, including the
## DNS-sourced values, to stderr and therefore into the install output.
set -Eexo pipefail
# summary of how this script can be called:
# * <postinst> `configure' <most-recently-configured-version>
# * <old-postinst> `abort-upgrade' <new version>
# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
# <new-version>
# * <postinst> `abort-remove'
# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
# <failed-install-package> <version> `removing'
# <conflicting-package> <version>
# for details, see https://www.debian.org/doc/debian-policy/ or
# the debian-policy package
case "$1" in
configure)
## Files this script rewrites. All but CAPATH are relative paths, so they
## only resolve correctly with cwd = / (which is where dpkg runs maintainer
## scripts — keep that in mind if this is ever invoked by hand).
IFCONFIG=etc/network/interfaces
UDEVCONFIG=etc/udev/rules.d/70-persistent-net.rules
FRRCONFIG=etc/frr/frr.conf.wit
SWANCTLCONFIG=etc/swanctl/conf.d/wit-swanctl.conf
IPSECCONFIG=etc/ipsec.conf.wit
IPSECSECRETS=etc/ipsec.secrets
## strongSwan PKI tree (private/, reqs/, certs/, crls/, cacerts/ live below it).
CAPATH=/etc/ipsec.d
## Base URL the CSR is uploaded to and the CA cert / CRL / signed cert are fetched from.
CACURLURL=https://mirrors.wit.com/wit-ca
## START gather all the info from the box and generate the variables
## System host name as `hostname` prints it, and its DNS domain; every
## record looked up below is keyed off one of the two.
HOSTNAME=$(hostname)
DOMAINNAME=$(hostname -d)
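## Look up a TXT record and print its value shaped for a sed replacement:
## every "/" is escaped to "\/" and the double quotes that `dig +short`
## wraps TXT strings in are stripped.
## Arguments: $1 - name to query
## Outputs:   the prepared record on stdout
## Exits:     2 when the lookup returns nothing. Callers use $(...), so only
##            that subshell dies, which is what the `|| true` / `|| break` /
##            `|| continue` callers rely on; a plain assignment without one
##            aborts the install via set -e.
## NOTE(review): the answer is whatever the resolver returns (no DNSSEC
## validation here) and callers write it verbatim into root-executed config;
## no shape check is done, and "&" or "\" in a record still reach sed
## unescaped. A per-caller whitelist check would be cheap.
dig_txt() {
  local rec
  rec=$(dig txt +short "$1")
  [ -z "$rec" ] && exit 2
  rec=${rec//\//\\\/}
  rec=${rec//\"/} #" (the stray quote only keeps syntax highlighters sane)
  printf '%s\n' "$rec"
}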
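## Look up an A record and print it unchanged.
## Arguments: $1 - name to query
## Outputs:   the record(s) on stdout
## Exits:     2 when the lookup returns nothing (kills only the $(...)
##            subshell when used via command substitution)
## NOTE(review): `dig +short` may print more than one line (several A
## records, or a CNAME followed by its target); callers interpolate the
## result into a single "address X/32" line, so multi-line answers are
## not handled — confirm the zone holds exactly one record per name.
dig_a() {
  local rec
  rec=$(dig a +short "$1")
  [ -z "$rec" ] && exit 2
  printf '%s\n' "$rec"
}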
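## Look up an AAAA record and print it unchanged.
## Arguments: $1 - name to query
## Outputs:   the record(s) on stdout
## Exits:     2 when the lookup returns nothing (kills only the $(...)
##            subshell when used via command substitution)
## NOTE(review): as with dig_a, a multi-record answer comes back as several
## lines and callers expect a single address — confirm the zone layout.
dig_aaaa() {
  local rec
  rec=$(dig aaaa +short "$1")
  [ -z "$rec" ] && exit 2
  printf '%s\n' "$rec"
}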
## Per-node facts published in DNS. Each lookup is mandatory: a missing
## record makes the $(...) fail and set -e aborts the install.
LOOPBACKv4=$(dig_a "${HOSTNAME}")
LOOPBACKv6=$(dig_aaaa "${HOSTNAME}")
NODEASN=$(dig_txt "asn.${HOSTNAME}")
ROOTCA=$(dig_txt "ca.${HOSTNAME}")

## strongSwan PKI files for this node, keyed by host name and root CA name.
## NOTE(review): ROOTCA is a TXT value used as a file-name component; the
## "/" escaping in dig_txt keeps it from leaving ${CAPATH}, but a shape
## check on it would be simpler to reason about.
KEYFILE="${CAPATH}/private/${HOSTNAME}.key"
REQFILE="${CAPATH}/reqs/${HOSTNAME}.req"
CRTFILE="${CAPATH}/certs/${HOSTNAME}.crt"
CAFILE="${CAPATH}/cacerts/${ROOTCA}.crt"
CRLFILE="${CAPATH}/crls/${ROOTCA}.crl"
## END variables
## START nic config compile

# write loopback config
# Appended (>>) to the interfaces file: the loopback gets the node's v4/v6
# addresses from the A/AAAA records looked up above.
# NOTE(review): `configure` also runs on upgrades; unless the package
# re-ships a pristine ${IFCONFIG} each time, every run appends these
# stanzas again — confirm.
cat <<-EOF >>$IFCONFIG
auto lo
iface lo inet loopback
iface lo inet static
address ${LOOPBACKv4}/32

iface lo inet6 static
address ${LOOPBACKv6}/128

EOF
# Optional second loopback address (bastion nodes only). This lookup may
# fail: BASTIONPUBLICIP is then empty, the stanza below is skipped and the
# "!!BASTION" lines in the FRR template stay commented out.
BASTIONPUBLICIP=$(dig_a public.${HOSTNAME}) || true
if [[ ! -z $BASTIONPUBLICIP ]]; then
cat <<-EOF >>$IFCONFIG
iface lo inet static
address ${BASTIONPUBLICIP}/32
EOF
fi
# gathering defined interfaces
## One pass per interface type and index 1..4 (${if}${i} = mgmt1, gre2, ...).
## Every fact about an interface is a TXT record <key>.<ifname>.${HOSTNAME};
## an interface "exists" when its name record (gre) or mac record (physical
## types) resolves. `if` is used as a plain variable name here — legal in
## bash, but easy to misread.
## NOTE(review): everything looked up in this loop is plain DNS and is
## written verbatim into root-executed ifupdown hooks (pre-up ip tunnel ...),
## udev rules and the FRR template; addresses, MACs and ASNs are not
## shape-checked anywhere. A per-field whitelist before writing would be cheap.
for if in mgmt mgmtgw ipmigw feth up ibgp gre customer; do
for i in {1..4}; do #### for now we support/count only up to 4 interfaces of each type, we can just raise this to whatever number we want (exception mgmt)
ifname=${if}${i}
ifalias=$(dig_txt name.${ifname}.${HOSTNAME}) || true ## optional: empty when there is no name record. still thinking how to do this cleaner

## GRE tunnels exist only when a name record does; endpoints, MTU and the
## ASN used for the tunnel peer all come from DNS.
if [[ $ifname = gre? ]] && [[ ! -z $ifalias ]]; then
ifmtu=$(dig_txt mtu.${ifname}.${HOSTNAME})
local=$(dig_txt local.${ifname}.${HOSTNAME})
localasn=$(dig_txt localasn.${ifname}.${HOSTNAME})
remote=$(dig_txt remote.${ifname}.${HOSTNAME})

## for the GRE tunnel to not have to deal with ibgp/full-mesh or reflectors prepending a private AS
## (substituted as FRR_GRE_ASN into the template; defaults to NODEASN there when no GRE tunnel set it)
FRR_GRE_ASN="$localasn"

## build FRR interface config to enable ND adv for ipv6 unmanaged
## (the literal \n sequences become newlines when GNU sed expands the replacement later)
FRR_IFS="${FRR_IFS}interface $ifname\n"
FRR_IFS="${FRR_IFS} description $ifalias\n"
FRR_IFS="${FRR_IFS} ipv6 nd ra-interval 10\n"
FRR_IFS="${FRR_IFS} no ipv6 nd suppress-ra\n!\n"

## build FRR neighbor interfaces
## (" !!! " keeps the line an FRR comment until the uncomment step after the sed, once any neighbor exists)
FRR_EDGE_NEIGH=" !!! neighbor $ifname interface peer-group GRE\n$FRR_EDGE_NEIGH"

## build regular linux network interface config
## NOTE(review): $local / $remote land in a root-executed pre-up hook unvalidated.
cat <<-EOF >>$IFCONFIG
auto $ifname
iface $ifname inet manual
## $ifalias
pre-up ip tunnel add $ifname mode gre local $local remote $remote
down ip tunnel del $ifname
mtu $ifmtu
EOF
fi

## below we deal with real physical interfaces
## it is crucial that this `ifmac` block is above the rest, since if no mac is returned it will skip the loop and keep the package install from failing
if [[ $ifname = mgmt1 ]] || [[ $ifname = mgmtgw1 ]] || [[ $ifname = ipmigw1 ]] ## we only support a single interface of these types and they are handled slightly differently in DNS (mac.<type>.<host>, no index)
then
ifmac=$(dig_txt mac.${if}.${HOSTNAME}) || continue ## at this point skip the rest of the loop for interfaces that do not have a mac defined (those are basically not configured)
else
ifmac=$(dig_txt mac.${ifname}.${HOSTNAME}) || continue ## at this point skip the rest of the loop for interfaces that do not have a mac defined
fi

## pin the kernel interface name to its MAC with a persistent-net udev rule
## (${ifmac} is spliced unquoted between the single-quoted fragments)
echo 'SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="'${ifmac}'", ATTR{type}=="1", NAME="'${ifname}'"' >>$UDEVCONFIG

## upstream (up*) and customer (customer*) ports: static dual-stack
## addresses, plus whichever BGP peers exist for the FRR neighbor list.
if [[ $ifname = up? ]] || [[ $ifname = customer? ]]; then

ipv4=$(dig_txt ipv4.$ifname.${HOSTNAME})
ipv6=$(dig_txt ipv6.$ifname.${HOSTNAME})
peerv4=$(dig_txt peerv4.$ifname.${HOSTNAME}) || true ## we dont know if we will always have both available
peerv6=$(dig_txt peerv6.$ifname.${HOSTNAME}) || true ## we dont know if we will always have both available

if [[ $ifname = up? ]]; then
[ -z $peerv4 ] || FRR_EDGE_NEIGH=" !!! neighbor $peerv4 peer-group eBGPv4\n$FRR_EDGE_NEIGH"
[ -z $peerv6 ] || FRR_EDGE_NEIGH=" !!! neighbor $peerv6 peer-group eBGPv6\n$FRR_EDGE_NEIGH"
elif [[ $ifname = customer? ]]; then
[ -z $peerv4 ] || FRR_EDGE_NEIGH=" !!! neighbor $peerv4 peer-group CUSTOMERv4\n$FRR_EDGE_NEIGH"
[ -z $peerv6 ] || FRR_EDGE_NEIGH=" !!! neighbor $peerv6 peer-group CUSTOMERv6\n$FRR_EDGE_NEIGH"
fi

## ${ipv4/\\/} drops the backslash dig_txt put before the "/" so ifupdown sees a plain CIDR
cat <<-EOF >>$IFCONFIG
auto $ifname
iface $ifname inet static
address ${ipv4/\\/}

iface $ifname inet6 static
address ${ipv6/\\/}
dad-attempts 0

EOF

fi

## iBGP fabric ports: no addresses, jumbo frames, neighbor by interface
## (presumably BGP unnumbered, which is why RAs are enabled on them)
if [[ $ifname = ibgp? ]]; then
## build FRR interface config to enable ND adv for ipv6 unmanaged
FRR_IFS="${FRR_IFS}interface $ifname\n"
FRR_IFS="${FRR_IFS} ipv6 nd ra-interval 10\n"
FRR_IFS="${FRR_IFS} no ipv6 nd suppress-ra\n!\n"
## build FRR neighbor interfaces
FRR_EDGE_NEIGH=" !!! neighbor $ifname interface peer-group iBGP\n$FRR_EDGE_NEIGH"
cat <<-EOF >>$IFCONFIG
auto $ifname
iface $ifname inet manual
mtu 9000


EOF
fi
## feth ports: jumbo frames, no addresses (presumably members of something configured elsewhere)
if [[ $ifname = feth? ]]; then
cat <<-EOF >>$IFCONFIG
auto $ifname
iface $ifname inet manual
mtu 9000
EOF
fi
## management port: enslaved to the "mgmt" VRF (created in pre-up), inet6
## auto with `dhcp 1`, and IPv4 DHCP kept for the host name (see comment in the stanza)
if [[ $ifname = mgmt1 ]]; then ## only 1 mgmt interface supported for now
cat <<-EOF >>$IFCONFIG
auto $ifname
iface $ifname inet6 auto
dhcp 1
pre-up /bin/ip link add mgmt type vrf table mgmt
pre-up /bin/ip link set up dev mgmt
pre-up /bin/ip link set master mgmt dev $ifname
post-down /bin/ip link del dev mgmt
iface $ifname inet dhcp
# still need it, but at this point only for hostname, we prob think of something
EOF
fi
## management / IPMI gateway ports: static addresses (records keyed by
## type, not ifname), RAs with the prefix, and the prefix appended to the
## MGMT prefix-list at seq 10 (mgmtgw1) / 20 (ipmigw1).
if [[ $ifname = mgmtgw1 ]] || [[ $ifname = ipmigw1 ]]; then ## only 1 mgmt interface supported for now
ipv4=$(dig_txt ipv4.$if.${HOSTNAME})
ipv6=$(dig_txt ipv6.$if.${HOSTNAME})
cat <<-EOF >>$IFCONFIG
auto ${ifname}
iface ${ifname} inet static
address ${ipv4/\\/}

iface ${ifname} inet6 static
address ${ipv6/\\/}
EOF
## ${ipv6} keeps dig_txt's escaped form here because sed unescapes it when
## substituting FRR_IFS into the template.
## NOTE(review): $ifalias was looked up as name.${ifname}... while the other
## records for these types are keyed by ${if} — confirm the name record exists.
FRR_IFS="${FRR_IFS}interface ${ifname}\n"
FRR_IFS="${FRR_IFS} description $ifalias\n"
FRR_IFS="${FRR_IFS} ipv6 nd other-config-flag\n"
FRR_IFS="${FRR_IFS} ipv6 nd prefix ${ipv6}\n"
FRR_IFS="${FRR_IFS} ipv6 nd ra-interval 10\n"
FRR_IFS="${FRR_IFS} no ipv6 nd suppress-ra\n!\n\n"
[[ $ifname = mgmtgw1 ]] && listnum=10
[[ $ifname = ipmigw1 ]] && listnum=20
FRR_IFS="${FRR_IFS}ipv6 prefix-list MGMT seq $listnum permit ${ipv6}\n"

fi
done
done
## STOP nic config compile
## START compiling frr and ipsec dynamic config blocks

## compile public IP space prefix lists, this is what's going to be advertised out the upstream provider
## Records are numbered <n>.ipv4.public.prefixlist.<domain>, n = 1, 2, ...;
## the loop stops at the first n with no record (dig_txt exits 2 inside the
## $(...), `|| break` catches it). Sequence numbers are n*5. The aggregate
## and summary lines carry the "!!! " prefix and stay FRR comments until the
## uncomment step after the sed. `let i+=1` starts at 1, so it never
## evaluates to 0 and cannot trip set -e.
i=1
while true; do
TEMP="$(dig_txt $i.ipv4.public.prefixlist.$DOMAINNAME)" || break
TEMPAGGS=" !!! aggregate-address ${TEMP}\n"
FRR_IPV4_EDGE_SUMMARIES_AGGREGATS="${FRR_IPV4_EDGE_SUMMARIES_AGGREGATS}${TEMPAGGS}"
TEMPSUM="!!! ip prefix-list WITv4-SUMMARIES seq $((i*5)) permit ${TEMP}\n"
FRR_IPV4_EDGE_SUMMARIES_PFLIST="${FRR_IPV4_EDGE_SUMMARIES_PFLIST}${TEMPSUM}"
let i+=1
done
## same for IPv6
i=1
while true; do
TEMP="$(dig_txt $i.ipv6.public.prefixlist.$DOMAINNAME)" || break
TEMPAGGS=" !!! aggregate-address ${TEMP}\n"
FRR_IPV6_EDGE_SUMMARIES_AGGREGATS="${FRR_IPV6_EDGE_SUMMARIES_AGGREGATS}${TEMPAGGS}"
TEMPSUM="!!! ipv6 prefix-list WITv6-SUMMARIES seq $((i*5)) permit ${TEMP}\n"
FRR_IPV6_EDGE_SUMMARIES_PFLIST="${FRR_IPV6_EDGE_SUMMARIES_PFLIST}${TEMPSUM}"
let i+=1
done
## compile customer IP blocks that we accept. this in theory should be a combination of *all* public blocks used across regions while limiting it to a smaller subnet size
## ("ge 25" / "ge 56": only more-specifics of at least that length are accepted)
i=1
while true; do
TEMP="$(dig_txt $i.ipv4.customers.prefixlist.$DOMAINNAME)" || break
TEMPSUM="ip prefix-list WITv4-CUSTOMERS seq $((i*5)) permit ${TEMP} ge 25\n"
FRR_IPV4_CUSTOMERS_PFLIST="${FRR_IPV4_CUSTOMERS_PFLIST}${TEMPSUM}"
let i+=1
done
i=1
while true; do
TEMP="$(dig_txt $i.ipv6.customers.prefixlist.$DOMAINNAME)" || break
TEMPSUM="ipv6 prefix-list WITv6-CUSTOMERS seq $((i*5)) permit ${TEMP} ge 56\n"
FRR_IPV6_CUSTOMERS_PFLIST="${FRR_IPV6_CUSTOMERS_PFLIST}${TEMPSUM}"
let i+=1
done
## compile loopback IP blocks that we wanna accept to be injected into the bgp
## The same blocks are also comma-joined into IPSEC_IPV{4,6}_SUBNETS for the
## strongswan templates (presumably the traffic selectors — confirm there).
## TEMP is still in dig_txt's escaped form; sed unescapes it on substitution.
i=1
while true; do
TEMP="$(dig_txt $i.ipv4.loopback.prefixlist.$DOMAINNAME)" || break
TEMPSUM="ip prefix-list LOOPBACKv4 seq $((i*5)) permit ${TEMP} ge 32\n"
FRR_IPV4_LOOPBACK_PFLIST="${FRR_IPV4_LOOPBACK_PFLIST}${TEMPSUM}"
[ -z $IPSEC_IPV4_SUBNETS ] || IPSEC_IPV4_SUBNETS="${IPSEC_IPV4_SUBNETS},"
IPSEC_IPV4_SUBNETS="${IPSEC_IPV4_SUBNETS}${TEMP}"
let i+=1
done
i=1
while true; do
TEMP="$(dig_txt $i.ipv6.loopback.prefixlist.$DOMAINNAME)" || break
TEMPSUM="ipv6 prefix-list LOOPBACKv6 seq $((i*5)) permit ${TEMP} ge 128\n"
FRR_IPV6_LOOPBACK_PFLIST="${FRR_IPV6_LOOPBACK_PFLIST}${TEMPSUM}"
[ -z $IPSEC_IPV6_SUBNETS ] || IPSEC_IPV6_SUBNETS="${IPSEC_IPV6_SUBNETS},"
IPSEC_IPV6_SUBNETS="${IPSEC_IPV6_SUBNETS}${TEMP}"
let i+=1
done

## the loopback lists are mandatory: without them the IPsec placeholders
## would be substituted with nothing, so fail the install instead
[ -z $IPSEC_IPV4_SUBNETS ] && exit 2
[ -z $IPSEC_IPV6_SUBNETS ] && exit 2

## STOP compiling frr and ipsec config
## START writing config files
# set frr config
# ${FRRCONFIG} is shipped as a template with one placeholder line per block;
# each -e swaps a placeholder for the text collected above. The "\n"
# sequences in those strings become real newlines because GNU sed
# interprets \n in the replacement, so one placeholder line expands to many
# config lines. The ${VAR:-""} forms leave an empty line when nothing was
# collected; ${FRR_GRE_ASN:=$NODEASN} both defaults and assigns when no GRE
# tunnel set it. Placeholders with a leading space presumably sit inside
# indented (address-family) sections of the template — confirm against it.
# NOTE(review): only "/" is escaped in the DNS-sourced values (by dig_txt);
# an "&" or "\" in a record would be interpreted by sed in the replacement.
# (No comments may go between the continuation lines below: a "#" line
# after a trailing backslash would swallow the rest of the command.)
sed -i \
-e "s/^!!! FRR_IFS/${FRR_IFS:-""}/" \
-e "s/^ !!! FRR_EDGE_NEIGH/${FRR_EDGE_NEIGH:-""}/" \
-e "s/^ !!! FRR_IPV4_EDGE_SUMMARIES_AGGREGATS/${FRR_IPV4_EDGE_SUMMARIES_AGGREGATS:-""}/" \
-e "s/^ !!! FRR_IPV6_EDGE_SUMMARIES_AGGREGATS/${FRR_IPV6_EDGE_SUMMARIES_AGGREGATS:-""}/" \
-e "s/^!!! FRR_IPV4_EDGE_SUMMARIES_PFLIST/${FRR_IPV4_EDGE_SUMMARIES_PFLIST:-""}/" \
-e "s/^!!! FRR_IPV6_EDGE_SUMMARIES_PFLIST/${FRR_IPV6_EDGE_SUMMARIES_PFLIST:-""}/" \
-e "s/^!!! FRR_IPV4_CUSTOMERS_PFLIST/${FRR_IPV4_CUSTOMERS_PFLIST:-""}/" \
-e "s/^!!! FRR_IPV6_CUSTOMERS_PFLIST/${FRR_IPV6_CUSTOMERS_PFLIST:-""}/" \
-e "s/^!!! FRR_IPV4_LOOPBACK_PFLIST/${FRR_IPV4_LOOPBACK_PFLIST:-""}/" \
-e "s/^!!! FRR_IPV6_LOOPBACK_PFLIST/${FRR_IPV6_LOOPBACK_PFLIST:-""}/" \
-e "s/BASTION-PUBLIC-IP/${BASTIONPUBLICIP:-""}/" \
-e "s/FRR_GRE_ASN/${FRR_GRE_ASN:=$NODEASN}/" \
-e "s/FRRROUTERID/${LOOPBACKv4}/" \
-e "s/LOOPBACK-IPV6/${LOOPBACKv6}/" \
-e "s/NODEASN/${NODEASN}/" \
$FRRCONFIG
## once any BGP neighbor exists, strip the "!!! " markers so the neighbor,
## aggregate and summary lines become live config (otherwise they stay FRR comments)
[ -z $FRR_EDGE_NEIGH ] || sed -i -e 's/!!! //' $FRRCONFIG
## likewise the "!!BASTION " lines, only when this node carries a public bastion address
[ -z $BASTIONPUBLICIP ] || sed -i -e 's/!!BASTION //' $FRRCONFIG

# set ipsec config
# Both strongswan flavours get the same substitutions: the legacy ipsec.conf
# template and the swanctl one. LOOPBACKv4/6 become host routes (the "/" is
# escaped for sed here), the *_SUBNETS placeholders receive the comma-joined
# loopback blocks collected above (already in dig_txt's escaped form) —
# presumably the traffic selectors, confirm against the templates.
for IPSECCONFIGFILE in $IPSECCONFIG $SWANCTLCONFIG
do
sed -i \
-e "s/FQHOSTNAME/${HOSTNAME}/" \
-e "s/LOOPBACKv4/${LOOPBACKv4}\/32/" \
-e "s/LOOPBACKv6/${LOOPBACKv6}\/128/" \
-e "s/IPSEC_IPV4_SUBNETS/$IPSEC_IPV4_SUBNETS/" \
-e "s/IPSEC_IPV6_SUBNETS/$IPSEC_IPV6_SUBNETS/" \
$IPSECCONFIGFILE
done

# Rewritten (>, not appended) on every run; the comment line inside the
# heredoc is part of the generated file. The bare file name is resolved by
# strongswan relative to ${CAPATH}/private, i.e. it names KEYFILE — confirm
# if CAPATH ever changes. The file itself holds no secret (only a file name),
# so the default umask is acceptable here.
cat <<-EOF >$IPSECSECRETS
# dynamic file, content is overwritten by wit-network-config. I'm sorry but divertion is not working due to apparmor blocking it to this place and didn't wanna deal with that
: RSA ${HOSTNAME}.key
EOF
# do we already have a cert? if not, lets generate one and ask for signing
# First install only (KEYFILE absent): create the node key, upload a CSR,
# fetch the CA cert and CRL, and leave a root cron job that polls for the
# signed cert. Every network step is fatal: set -e plus pipefail with
# curl --fail.
# NOTE(review): the key is written with the process umask, so its mode
# depends on that and on ${CAPATH}/private being root-only; a `umask 077`
# before the pki call (or `install -m 600`) would make that explicit.
if [ ! -e $KEYFILE ]; then
pki --gen --type rsa --size 2048 --outform pem >${KEYFILE}
# The CSR is PUT (-T -) to the CA mirror over HTTPS, server authenticated by
# curl's default CA store, IPv6 only (-6). Unlike the cron job below this
# does not go through the mgmt VRF — presumably it is not up yet; confirm.
pki --req --in ${KEYFILE} --type rsa --digest sha512 --dn "C=US, O=Wit, CN=${HOSTNAME}" --outform pem | curl -6 --fail -T - ${CACURLURL}/reqs/${REQFILE##*/}
# we wanna migrate to this DN once the new ipsec.conf is rolled out everywhere
#pki --req --in ${KEYFILE} --type rsa --digest sha512 --dn "C=US, O=Wit, OU=DCs, OU=PhyNodes, CN=${HOSTNAME}" --san "${HOSTNAME}" --outform pem | curl -6 --fail -T - ${CACURLURL}/reqs/${REQFILE##*/}

# Trust anchor and revocation list for ${ROOTCA}. The CRL is fetched once
# here; nothing in this script refreshes it later — confirm another job does.
curl -6 --fail -so ${CAFILE} ${CACURLURL}/cacerts/${CAFILE##*/}
curl -6 --fail -so ${CRLFILE} ${CACURLURL}/crls/${CRLFILE##*/}
# Root cron job, once a minute: pull the signed cert through the mgmt VRF,
# accept it only if its key id equals the private key's (pki --keyid on
# both), then re-read strongswan's certs/secrets and delete this cron file.
# SHELL=/bin/bash is needed for the <( ) process substitutions. Until the
# CA has signed, curl --fail just fails quietly (2>/dev/null) and the job
# retries next minute. Expanded here, so ${CRTFILE} etc. are literal in the file.
cat <<-EOF >/etc/cron.d/wit-net-config-pull-signed-cert
SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * * root ip vrf exec mgmt curl --fail -so ${CRTFILE} ${CACURLURL}/certs/${CRTFILE##*/} 2>/dev/null && diff -s <(pki --keyid --type priv --in ${KEYFILE} 2>/dev/null) <(pki --keyid --type x509 --in ${CRTFILE} 2>/dev/null) >/dev/null && ipsec rereadall && ipsec rereadsecrets && ipsec purgecerts && ipsec purgecrls && ipsec reload && rm -f /etc/cron.d/wit-net-config-pull-signed-cert
## self delete after successfully pulling cert
EOF
fi
## END config file section
## START configuring services as we need it
## Apply the sysctl.d drop-ins (presumably the ones this package ships — confirm).
sysctl --system
## strongswan may not be enabled yet on a kick-started box; a failure here
## is deliberately not fatal.
if ! systemctl enable strongswan; then
  : ## ignored on purpose
fi
## The firewall unit, on the other hand, has to enable and restart cleanly
## (set -e aborts the install otherwise).
systemctl enable firewall
systemctl restart firewall
## END services section
;;
abort-upgrade|abort-remove|abort-deconfigure)
## Nothing to undo: only the `configure` arm touches the generated config.
;;
*)
## Any other argument is a dpkg protocol error (see the call summary at the top).
echo "postinst called with unknown argument \`$1'" >&2
exit 1
;;
esac
#DEBHELPER#
## explicit success for dpkg, after the snippets debhelper splices in above
exit 0