Commit Graph

320 Commits

Author SHA1 Message Date
toby e404a21e92 making it even more obvious that we *want* an ipsec cert 2019-05-03 15:34:53 +00:00
toby 4177964e8f better help output on qemu-ifup-public 2019-05-01 23:48:45 +00:00
toby 78a2a7b13f better comments on firewall rules 2019-05-01 05:04:29 +00:00
toby 313ea1085f adding local connections for zebra/frr to the individual services. I can't believe I have not yet noticed this. seems like-frr reload is however relying on this 2019-05-01 04:37:44 +00:00
toby 05bc412860 MAJOR: static hostname assignments in favor of disabling ipv4 on mgmt1, frr reload, and simple rename of a couple of files to make it simpler 2019-05-01 03:49:00 +00:00
toby b37d2b5c74 adding new 3300 port for ceph msgr2 protocol 2019-04-29 07:06:51 +00:00
toby e907220280 apparently interfaces can't have comments 2019-04-27 05:21:56 +00:00
toby e1eac9c8c7 quick if test so one can just symlink trunk uplinks using qemu-ifup-TRUNKNAME syntax and be done with it 2019-04-26 18:34:16 +00:00
toby 0493a328ff re-adding ipv4 dhcp for mgmt1, still need it for the hostname for, but prob gonna hardcode the dns/sntp/hostname at this point soon 2019-04-23 06:42:40 +00:00
toby c5ecd31709 nicer output on ifdown... being anal 2019-04-22 23:56:23 +00:00
toby d3a64d956c fix updating resolv.conf for IPv6 stateless DHCP6 2019-04-19 20:34:35 +00:00
toby ff5df9e336 switching to stateless dhcp6 and trying to disable ipv4 now that mirrors is ipv6 it should work in theory. we'll have to fix SNTP dhcp client script probably though 2019-04-19 19:12:12 +00:00
toby f293436c67 just like I assumed, SAN header not needed for ipsec and moved the CA handler to mirrors 2019-04-18 05:33:21 +00:00
toby 4f0c28d56b starting to migrate to a more meaningful DN for ipsec 2019-04-17 02:42:36 +00:00
toby 99773128d3 we're ready now to roll out ikev2 as a given 2019-04-16 23:20:23 +00:00
toby 60b16ebddc forcing the curl to be over IPv6, allows us to close the firewall for ipv4 2019-04-16 21:48:29 +00:00
toby 182de8533f removing ipsec reload upon cert *creation*, no point in doing it, we don't have the signed cert yet. we just risk breaking a working setup while being sure we won't get it working right away. the cron job, pulling the actual signed cert will be doing this part 2019-04-16 21:21:29 +00:00
toby 088830f07a removing legacy net-tools dependency, going to iproute2 tools 2019-04-12 05:22:28 +00:00
toby d3f593888e remove some dependencies, that aren't really needed. we should move them to optional package 2019-04-12 04:34:50 +00:00
toby 54b08d2f38 upping the char limit by 1 2019-04-10 22:46:48 +00:00
toby 0d20e9c028 removing the default publicmac value to be sure it's always set. it just NEEDS to match what libvirt/qemu thinks it is 2019-04-10 22:03:01 +00:00
toby 0bed52d345 conffiles name is not variable after all :) 2019-04-10 22:02:22 +00:00
toby 8f76828d0b not sure if this is needed - actually I know it's not - but it seems like a good idea as it may be needed for compat level 12+?... who knows 2019-04-10 04:30:09 +00:00
toby fa496d25c5 making sure the new cert is tried to be pulled over the mgmt vrf since it doesn't have connectivity on the frontend without a cert 2019-04-09 23:26:37 +00:00
toby a000b9e2de firewall: moving the http rule to ipv6 - doh - and killing the etcd/stackapi rules again since we decided to go without them 2019-04-09 22:47:57 +00:00
toby 47b2e0b3e6 adding firewall http over VPN rule for bastion cert exchange and possibly more in the future 2019-04-09 21:27:28 +00:00
toby c53f3e2219 making sysctl tweaks more versatile and just reload sysctl settings 2019-04-09 21:00:11 +00:00
toby 1c38fef482 updating qemu-ifup to support the VNI passed in the ifname 2019-04-09 20:38:44 +00:00
toby 7d5a761793 Merge branch 'master' of https://git.wit.com/netops/wit-network-config 2019-04-05 18:09:30 +00:00
toby 68f8088b55 drone and gitignore 2019-04-05 18:09:20 +00:00
toby 7a00635a57 adding curl support to the qemu-ifup script again 2019-04-05 17:58:55 +00:00
toby b8e6a8a418 doh, ipv6 we want not ipv4 ;) 2019-04-05 00:17:39 +00:00
toby 30eecc7f51 allowing stackapi traffic over the VPN 2019-04-04 23:35:07 +00:00
toby 50688b3188 adding changelog to gitignore since it's generated out of the git history 2019-04-01 18:57:16 +00:00
toby d2a7099392 pulling out all the bastion related rules and moving them to the bastion ansible... this may break shit... 2019-03-29 22:40:03 +00:00
toby a2201fd74b adding debhelper log to gitignore 2019-03-29 19:58:35 +00:00
toby d3ecbaf20b fixing ipsec cert generation section in postscript 2019-03-29 19:57:08 +00:00
toby ebc7c6a5ff screw it, allowing undefined vars for now, will fix that eventually 2019-03-29 18:46:22 +00:00
toby 3a08cb5182 trying to be more specific on the variables and fail if var has not been defined, also fixing some drone stuff 2019-03-29 18:33:34 +00:00
toby 3e5b0e21a6 drone fixes 2019-03-29 18:10:33 +00:00
toby 22008293c5 updating .drone file for mirrors 2019-03-29 18:07:01 +00:00
toby ec5869cba8 adding ipsec node cert self generation and sign req to bastion 2019-03-29 17:57:21 +00:00
toby 2b6992eec1 qemu-ifup: use variable for consistency 2019-03-22 19:55:03 +00:00
toby ff8f9fa025 default frr logging verbosity to debug. so when debug is enabled it's actually logged as well 2019-03-18 22:58:00 +00:00
toby 9fa840a956 fixing typo in firewall rules 2019-03-13 01:32:01 +00:00
toby 73b2389f08 adding iptables comments to all rules 2019-03-13 00:14:17 +00:00
toby 0c2e02c1b8 removing old prometheus rules that were once hosted in aws 2019-03-11 21:51:06 +00:00
toby c760ae7c2c firewall: updating mirrors.wit.com to allow the new location in usw1 over ipv6 2019-03-11 21:48:58 +00:00
toby eeb6cedbf6 bugfix wit-gc: changing the way to quickly add the blackhole route. this way it does not get advertised over BGP (it's considered invalid) and so it doesn't create any hiccups if the same route would already be used somewhere else 2019-03-11 19:30:52 +00:00
toby 73ae7b9680 accepting up to /56 on ipv6 and bugfixing for wit-gc 2019-03-11 18:59:24 +00:00