toby
|
d3a64d956c
|
fix updating resolv.conf for IPv6 stateless DHCP6
|
2019-04-19 20:34:35 +00:00 |
toby
|
ff5df9e336
|
switching to stateless dhcp6 and trying to disable ipv4 now that mirrors is ipv6 it should work in theory. we'll have to fix SNTP dhcp client script probably though
|
2019-04-19 19:12:12 +00:00 |
toby
|
f293436c67
|
just like I assumed, SAN header not needed for ipsec and moved the CA handler to mirrors
|
2019-04-18 05:33:21 +00:00 |
toby
|
4f0c28d56b
|
starting to migrate to a more meaningful DN for ipsec
|
2019-04-17 02:42:36 +00:00 |
toby
|
99773128d3
|
we're ready now to roll out ikev2 as a given
|
2019-04-16 23:20:23 +00:00 |
toby
|
60b16ebddc
|
forcing the curl to be over IPv6, allows us to close the firewall for ipv4
|
2019-04-16 21:48:29 +00:00 |
toby
|
182de8533f
|
removing ipsec reload upon cert *creation*, no point in doing it, we don't have the signed cert yet. we just risk breaking a working setup while being sure we won't get it working right away. the cron job, pulling the actual signed cert will be doing this part
|
2019-04-16 21:21:29 +00:00 |
toby
|
088830f07a
|
removing legacy net-tools dependency, going to iproute2 tools
|
2019-04-12 05:22:28 +00:00 |
toby
|
d3f593888e
|
remove some dependencies, that aren't really needed. we should move them to optional package
|
2019-04-12 04:34:50 +00:00 |
toby
|
54b08d2f38
|
upping the char limit by 1
|
2019-04-10 22:46:48 +00:00 |
toby
|
0d20e9c028
|
removing the default publicmac value to be sure it's always set. it just NEEDS to match what libvirt/qemu thinks it is
|
2019-04-10 22:03:01 +00:00 |
toby
|
0bed52d345
|
conffiles name is not variable after all :)
|
2019-04-10 22:02:22 +00:00 |
toby
|
8f76828d0b
|
not sure if this is needed - actually I know it's not - but it seems like a good idea as it may be needed for compat level 12+?... who knows
|
2019-04-10 04:30:09 +00:00 |
toby
|
fa496d25c5
|
making sure the new cert is tried to be pulled over the mgmt vrf since it doesn't have connectivity on the frontend without a cert
|
2019-04-09 23:26:37 +00:00 |
toby
|
a000b9e2de
|
firewall: moving the http rule to ipv6 - doh - and killing the etcd/stackapi rules again since we decided to go without them
|
2019-04-09 22:47:57 +00:00 |
toby
|
47b2e0b3e6
|
adding firewall http over VPN rule for bastion cert exchange and possibly more in the future
|
2019-04-09 21:27:28 +00:00 |
toby
|
c53f3e2219
|
making sysctl tweaks more versatile and just reload sysctl settings
|
2019-04-09 21:00:11 +00:00 |
toby
|
1c38fef482
|
updating qemu-ifup to support the VNI passed in the ifname
|
2019-04-09 20:38:44 +00:00 |
toby
|
7d5a761793
|
Merge branch 'master' of https://git.wit.com/netops/wit-network-config
|
2019-04-05 18:09:30 +00:00 |
toby
|
68f8088b55
|
drone and gitignore
|
2019-04-05 18:09:20 +00:00 |
toby
|
7a00635a57
|
adding curl support to the qemu-ifup script again
|
2019-04-05 17:58:55 +00:00 |
toby
|
b8e6a8a418
|
doh, ipv6 we want not ipv4 ;)
|
2019-04-05 00:17:39 +00:00 |
toby
|
30eecc7f51
|
allowing stackapi traffic over the VPN
|
2019-04-04 23:35:07 +00:00 |
toby
|
50688b3188
|
adding changelog to gitignore since it's generated out of the git history
|
2019-04-01 18:57:16 +00:00 |
toby
|
d2a7099392
|
pulling out all the bastion related rules and moving them to the bastion ansible... this may break shit...
|
2019-03-29 22:40:03 +00:00 |
toby
|
a2201fd74b
|
adding debhelper log to gitignore
|
2019-03-29 19:58:35 +00:00 |
toby
|
d3ecbaf20b
|
fixing ipsec cert generation section in postscript
|
2019-03-29 19:57:08 +00:00 |
toby
|
ebc7c6a5ff
|
screw it, allowing undefined vars for now, will fix that eventually
|
2019-03-29 18:46:22 +00:00 |
toby
|
3a08cb5182
|
trying to be more specific on the variables and fail if var has not been defined, also fixing some drone stuff
|
2019-03-29 18:33:34 +00:00 |
toby
|
3e5b0e21a6
|
drone fixes
|
2019-03-29 18:10:33 +00:00 |
toby
|
22008293c5
|
updating .drone file for mirrors
|
2019-03-29 18:07:01 +00:00 |
toby
|
ec5869cba8
|
adding ipsec node cert self generation and sign req to bastion
|
2019-03-29 17:57:21 +00:00 |
toby
|
2b6992eec1
|
qemu-ifup: use variable for consistency
|
2019-03-22 19:55:03 +00:00 |
toby
|
ff8f9fa025
|
default frr logging verbosity to debug. so when debug is enabled it's actually logged as well
|
2019-03-18 22:58:00 +00:00 |
toby
|
9fa840a956
|
fixing typo in firewall rules
|
2019-03-13 01:32:01 +00:00 |
toby
|
73b2389f08
|
adding iptables comments to all rules
|
2019-03-13 00:14:17 +00:00 |
toby
|
0c2e02c1b8
|
removing old prometheus rules that were once hosted in aws
|
2019-03-11 21:51:06 +00:00 |
toby
|
c760ae7c2c
|
firewall: updating mirrors.wit.com to allow the new location in usw1 over ipv6
|
2019-03-11 21:48:58 +00:00 |
toby
|
eeb6cedbf6
|
bugfix wit-gc: changing the way to quickly add the blackhole route. this way it does not get advertised over BGP (it's considered invalid) and so it doesn't create any hiccups if the same route would already be used somewhere else
|
2019-03-11 19:30:52 +00:00 |
toby
|
73ae7b9680
|
accepting up to /56 on ipv6 and bugfixing for wit-gc
|
2019-03-11 18:59:24 +00:00 |
toby
|
2e9317222e
|
minor bugfix on wit-gc... more to come on stale routes
|
2019-03-11 07:19:09 +00:00 |
toby
|
5be0d4b8fc
|
updated qemu scripts and wit-gc to support new ipv4 forwarding
|
2019-03-11 02:16:33 +00:00 |
toby
|
bc47af367a
|
we definitely wanna support more than /64 on ipv6, upping it to /60 for now, but prob wanna do more eventually
|
2019-03-09 13:13:36 -08:00 |
toby
|
f44ff9304e
|
disabling arp on the vm interface altogether. we have the static entries from the unnumbered system, reduces the attack surface and DOS potentially on the hypervisor
|
2019-03-09 12:05:45 -08:00 |
toby
|
51d76bc101
|
more testing...
|
2019-03-08 23:37:53 -08:00 |
toby
|
268dd01421
|
another attempt at the rules file
|
2019-03-08 23:21:18 -08:00 |
toby
|
cfeef0de5b
|
... seriously,... running out of ideas ...
|
2019-03-08 23:19:39 -08:00 |
toby
|
396b2899ae
|
... seriously,... running out of ideas ...
|
2019-03-08 22:53:21 -08:00 |
toby
|
b63d21ba83
|
... seriously,... running out of ideas ...
|
2019-03-08 22:42:11 -08:00 |
toby
|
2b1c7b34a6
|
trying a whole new approach, seems like it worked on my wit-vm-router-config package, let's see what it does here ...
|
2019-03-08 22:14:00 -08:00 |