Commit Graph

310 Commits

Author SHA1 Message Date
toby d3a64d956c fix updating resolv.conf for IPv6 stateless DHCP6 2019-04-19 20:34:35 +00:00
toby ff5df9e336 switching to stateless dhcp6 and trying to disable ipv4 now that mirrors is ipv6 it should work in theory. we'll have to fix SNTP dhcp client script probably though 2019-04-19 19:12:12 +00:00
toby f293436c67 just like I assumed, SAN header not needed for ipsec and moved the CA handler to mirrors 2019-04-18 05:33:21 +00:00
toby 4f0c28d56b starting to migrate to a more meaningful DN for ipsec 2019-04-17 02:42:36 +00:00
toby 99773128d3 we're ready now to roll out ikev2 as a given 2019-04-16 23:20:23 +00:00
toby 60b16ebddc forcing the curl to be over IPv6, allows us to close the firewall for ipv4 2019-04-16 21:48:29 +00:00
toby 182de8533f removing ipsec reload upon cert *creation*, no point in doing it, we don't have the signed cert yet. we just risk breaking a working setup while being sure we won't get it working right away. the cron job, pulling the actual signed cert will be doing this part 2019-04-16 21:21:29 +00:00
toby 088830f07a removing legacy net-tools dependency, going to iproute2 tools 2019-04-12 05:22:28 +00:00
toby d3f593888e remove some dependencies, that aren't really needed. we should move them to optional package 2019-04-12 04:34:50 +00:00
toby 54b08d2f38 upping the char limit by 1 2019-04-10 22:46:48 +00:00
toby 0d20e9c028 removing the default publicmac value to be sure it's always set. it just NEEDS to match what libvirt/qemu thinks it is 2019-04-10 22:03:01 +00:00
toby 0bed52d345 conffiles name is not variable after all :) 2019-04-10 22:02:22 +00:00
toby 8f76828d0b not sure if this is needed - actually I know it's not - but it seems like a good idea as it may be needed for compat level 12+?... who knows 2019-04-10 04:30:09 +00:00
toby fa496d25c5 making sure the new cert is tried to be pulled over the mgmt vrf since it doesn't have connectivity on the frontend without a cert 2019-04-09 23:26:37 +00:00
toby a000b9e2de firewall: moving the http rule to ipv6 - doh - and killing the etcd/stackapi rules again since we decided to go without them 2019-04-09 22:47:57 +00:00
toby 47b2e0b3e6 adding firewall http over VPN rule for bastion cert exchange and possibly more in the future 2019-04-09 21:27:28 +00:00
toby c53f3e2219 making sysctl tweaks more versatile and just reload sysctl settings 2019-04-09 21:00:11 +00:00
toby 1c38fef482 updating qemu-ifup to support the VNI passed in the ifname 2019-04-09 20:38:44 +00:00
toby 7d5a761793 Merge branch 'master' of https://git.wit.com/netops/wit-network-config 2019-04-05 18:09:30 +00:00
toby 68f8088b55 drone and gitignore 2019-04-05 18:09:20 +00:00
toby 7a00635a57 adding curl support to the qemu-ifup script again 2019-04-05 17:58:55 +00:00
toby b8e6a8a418 doh, ipv6 we want not ipv4 ;) 2019-04-05 00:17:39 +00:00
toby 30eecc7f51 allowing stackapi traffic over the VPN 2019-04-04 23:35:07 +00:00
toby 50688b3188 adding changelog to gitignore since it's generated out of the git history 2019-04-01 18:57:16 +00:00
toby d2a7099392 pulling out all the bastion related rules and moving them to the bastion ansible... this may break shit... 2019-03-29 22:40:03 +00:00
toby a2201fd74b adding debhelper log to gitignore 2019-03-29 19:58:35 +00:00
toby d3ecbaf20b fixing ipsec cert generation section in postscript 2019-03-29 19:57:08 +00:00
toby ebc7c6a5ff screw it, allowing undefined vars for now, will fix that eventually 2019-03-29 18:46:22 +00:00
toby 3a08cb5182 trying to be more specific on the variables and fail if var has not been defined, also fixing some drone stuff 2019-03-29 18:33:34 +00:00
toby 3e5b0e21a6 drone fixes 2019-03-29 18:10:33 +00:00
toby 22008293c5 updating .drone file for mirrors 2019-03-29 18:07:01 +00:00
toby ec5869cba8 adding ipsec node cert self generation and sign req to bastion 2019-03-29 17:57:21 +00:00
toby 2b6992eec1 qemu-ifup: use variable for consistency 2019-03-22 19:55:03 +00:00
toby ff8f9fa025 default frr logging verbosity to debug. so when debug is enabled it's actually logged as well 2019-03-18 22:58:00 +00:00
toby 9fa840a956 fixing typo in firewall rules 2019-03-13 01:32:01 +00:00
toby 73b2389f08 adding iptables comments to all rules 2019-03-13 00:14:17 +00:00
toby 0c2e02c1b8 removing old prometheus rules that were once hosted in aws 2019-03-11 21:51:06 +00:00
toby c760ae7c2c firewall: updating mirrors.wit.com to allow the new location in usw1 over ipv6 2019-03-11 21:48:58 +00:00
toby eeb6cedbf6 bugfix wit-gc: changing the way to quickly add the blackhole route. this way it does not get advertised over BGP (it's considered invalid) and so it doesn't create any hiccups if the same route would already be used somewhere else 2019-03-11 19:30:52 +00:00
toby 73ae7b9680 accepting up to /56 on ipv6 and bugfixing for wit-gc 2019-03-11 18:59:24 +00:00
toby 2e9317222e minor bugfix on wit-gc... more to come on stale routes 2019-03-11 07:19:09 +00:00
toby 5be0d4b8fc updated qemu scripts and wit-gc to support new ipv4 forwarding 2019-03-11 02:16:33 +00:00
toby bc47af367a we definitely wanna support more than /64 on ipv6, upping it to /60 for now, but prob wanna do more eventually 2019-03-09 13:13:36 -08:00
toby f44ff9304e disabling arp on the vm interface altogether. we have the static entries from the unnumbered system, reduces the attack surface and DOS potentially on the hypervisor 2019-03-09 12:05:45 -08:00
toby 51d76bc101 more testing... 2019-03-08 23:37:53 -08:00
toby 268dd01421 another attempt at the rules file 2019-03-08 23:21:18 -08:00
toby cfeef0de5b ... seriously,... running out of ideas ... 2019-03-08 23:19:39 -08:00
toby 396b2899ae ... seriously,... running out of ideas ... 2019-03-08 22:53:21 -08:00
toby b63d21ba83 ... seriously,... running out of ideas ... 2019-03-08 22:42:11 -08:00
toby 2b1c7b34a6 trying a whole new approach, seems like it worked on my wit-vm-router-config package, lets see what it does here ... 2019-03-08 22:14:00 -08:00