wit-network-config/debian/wit-network-config.postinst

415 lines
14 KiB
Bash
Executable File

#!/bin/bash
# postinst script for #PACKAGE#
#
# see: dh_installdeb(1)
set -xe
# summary of how this script can be called:
# * <postinst> `configure' <most-recently-configured-version>
# * <old-postinst> `abort-upgrade' <new version>
# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
# <new-version>
# * <postinst> `abort-remove'
# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
# <failed-install-package> <version> `removing'
# <conflicting-package> <version>
# for details, see https://www.debian.org/doc/debian-policy/ or
# the debian-policy package
case "$1" in
configure)
## START gather all the info from the box and generate the variabels
IFCONFIG="/etc/network/interfaces"
UDEVCONFIG="/etc/udev/rules.d/70-persistent-net.rules"
FRRCONFIG="/etc/frr/frr.conf.wit"
IPSECCONFIG="/etc/ipsec.conf.wit"
SWANCTLCONFIG="/etc/swanctl/conf.d/swanctl-wit.conf.wit"
dig_txt() {
TMPDIG=$(dig txt +short $1)
[ -z ${TMPDIG} ] && exit 2
TMPDIG=${TMPDIG//\//\\\/}
TMPDIG=${TMPDIG//\"/} #" fix the god damn syntax highlighter
echo ${TMPDIG}
}
dig_a() {
TMPDIG=$(dig a +short $1)
[ -z ${TMPDIG} ] && exit 2
echo ${TMPDIG}
}
dig_aaaa() {
TMPDIG=$(dig aaaa +short $1)
[ -z ${TMPDIG} ] && exit 2
echo ${TMPDIG}
}
LOOPBACKv4=$(dig_a ${HOSTNAME})
LOOPBACKv6=$(dig_aaaa ${HOSTNAME})
NODEASN=$(dig_txt asn.${HOSTNAME})
## END variables
## START nic config compile
# wiping existing config in prep for re-deploying it
mv -f ${IFCONFIG} ${IFCONFIG}.dpkg-old || true
mv -f ${UDEVCONFIG} ${UDEVCONFIG}.dpkg-old || true
# write loopback config
cat <<-EOF >>$IFCONFIG
auto lo
iface lo inet loopback
iface lo inet static
address ${LOOPBACKv4}/32
iface lo inet6 static
address ${LOOPBACKv6}/128
EOF
PUBLICLOIP=$(dig_a public.loopback.${HOSTNAME}) || true
if [[ ! -z $PUBLICLOIP ]]; then
cat <<-EOF >>$IFCONFIG
iface lo inet static
address ${PUBLICLOIP}/32
EOF
FRR_BASTION="${FRR_BASTION}ip prefix-list ANY permit 0.0.0.0\/0 le 32\n"
FRR_BASTION="${FRR_BASTION}route-map BASTION permit 10\n"
FRR_BASTION="${FRR_BASTION} match ip address prefix-list ANY\n"
FRR_BASTION="${FRR_BASTION} set src ${PUBLICLOIP}\n"
FRR_BASTION="${FRR_BASTION}ip protocol bgp route-map BASTION\n"
fi
# gathering defined interfaces
for if in mgmt mgmtgw ipmigw feth up ibgp gre; do
for i in {1..4}; do #### for now we support/count only to 4 interfaces of each type, we can just raise this to whatever number we want (exeption mgmt)
ifname=${if}${i}
ifalias=$(dig_txt name.${ifname}.${HOSTNAME}) || true ## still thinking how to do this cleaner
if [[ $ifname = gre? ]] && [[ ! -z $ifalias ]]; then
ifmtu=$(dig_txt mtu.${ifname}.${HOSTNAME})
local=$(dig_txt local.${ifname}.${HOSTNAME})
localasn=$(dig_txt localasn.${ifname}.${HOSTNAME})
remote=$(dig_txt remote.${ifname}.${HOSTNAME})
## for the GRE tunnel to not have to deal with ibgp/full-mesh or reflectors prepending a private AS
FRR_GRE_ASN="$localasn"
## build FRR interface config to enable ND adv for ipv6 unmanaged
FRR_IFS="${FRR_IFS}interface $ifname\n"
FRR_IFS="${FRR_IFS} description $ifalias\n"
FRR_IFS="${FRR_IFS} ipv6 nd ra-interval 10\n"
FRR_IFS="${FRR_IFS} no ipv6 nd suppress-ra\n!\n"
## build FRR neightbor interfaces
FRR_EDGE_NEIGH=" !!! neighbor $ifname interface peer-group GRE\n$FRR_EDGE_NEIGH"
## build regular linux network interface config
cat <<-EOF >>$IFCONFIG
auto $ifname
iface $ifname inet manual
## $ifalias
pre-up ip tunnel add $ifname mode gre local $local remote $remote
down ip tunnel del $ifname
mtu $ifmtu
EOF
fi
## blow we deal with real physical interfaces
## it is crucial that this `ifmac` block is above the rest, since if no mac is returned it will skip the loop and prevent the package install to fail
if [[ $ifname = mgmt1 ]] || [[ $ifname = mgmtgw1 ]] || [[ $ifname = ipmigw1 ]] ## we only support a single interface of these types and they are handled slightly differently in DNS
then
ifmac=$(dig_txt mac.${if}.${HOSTNAME}) || continue ## at this point skip the rest of the loop for interfaces that do not have a mac defined (those are basically not configured)
else
ifmac=$(dig_txt mac.${ifname}.${HOSTNAME}) || continue ## at this point skip the rest of the loop for interfaces that do not have a mac defined
fi
echo 'SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="'${ifmac}'", ATTR{type}=="1", NAME="'${ifname}'"' >>$UDEVCONFIG
if [[ $ifname = up? ]]; then
ipv4=$(dig_txt ipv4.$ifname.${HOSTNAME})
ipv6=$(dig_txt ipv6.$ifname.${HOSTNAME})
peerv4=$(dig_txt peerv4.$ifname.${HOSTNAME}) || true ## we dont know if we will always have both available
peerv6=$(dig_txt peerv6.$ifname.${HOSTNAME}) || true ## we dont know if we will always have both available
[ -z $peerv4 ] || FRR_EDGE_NEIGH=" !!! neighbor $peerv4 peer-group eBGPv4\n$FRR_EDGE_NEIGH"
[ -z $peerv6 ] || FRR_EDGE_NEIGH=" !!! neighbor $peerv6 peer-group eBGPv6\n$FRR_EDGE_NEIGH"
cat <<-EOF >>$IFCONFIG
auto $ifname
iface $ifname inet static
address ${ipv4/\\/}
mtu 9000
iface $ifname inet6 static
address ${ipv6/\\/}
dad-attempts 0
EOF
fi
if [[ $ifname = ibgp? ]]; then
## build FRR interface config to enable ND adv for ipv6 unmanaged
FRR_IFS="${FRR_IFS}interface $ifname\n"
FRR_IFS="${FRR_IFS} ipv6 nd ra-interval 10\n"
FRR_IFS="${FRR_IFS} no ipv6 nd suppress-ra\n!\n"
## build FRR neightbor interfaces
FRR_EDGE_NEIGH=" !!! neighbor $ifname interface peer-group iBGP\n$FRR_EDGE_NEIGH"
cat <<-EOF >>$IFCONFIG
auto $ifname
iface $ifname inet manual
mtu 9000
EOF
fi
if [[ $ifname = feth? ]]; then
cat <<-EOF >>$IFCONFIG
auto $ifname
iface $ifname inet manual
mtu 9000
EOF
fi
if [[ $ifname = mgmt1 ]]; then ## only 1 mgmt interface supported for now
cat <<-EOF >>$IFCONFIG
auto $ifname
iface $ifname inet6 auto
iface $ifname inet dhcp
pre-up /bin/ip link add mgmt type vrf table mgmt
pre-up /bin/ip link set up dev mgmt
pre-up /bin/ip link set master mgmt dev $ifname
post-down /bin/ip link del dev mgmt
EOF
fi
if [[ $ifname = mgmtgw1 ]] || [[ $ifname = ipmigw1 ]]; then ## only 1 mgmt interface supported for now
ipv4=$(dig_txt ipv4.$if.${HOSTNAME})
cat <<-EOF >>$IFCONFIG
auto ${ifname}
iface ${ifname} inet static
address ${ipv4/\\/}
EOF
fi
done
done
## STOP nic config compile
## START compiling frr and ipsec dynamic config blocks
## compile public IP space prefix lists, this is what's going to be advertised out the upstream provider
i=1
while true; do
TEMP="$(dig_txt $i.ipv4.public.prefixlist.usw2.admin.wit.com)" || break
TEMPAGGS=" !!! aggregate-address ${TEMP}\n"
FRR_IPV4_EDGE_SUMMARIES_AGGREGATS="${FRR_IPV4_EDGE_SUMMARIES_AGGREGATS}${TEMPAGGS}"
TEMPSUM="!!! ip prefix-list WITv4-SUMMARIES seq $((i*5)) permit ${TEMP}\n"
FRR_IPV4_EDGE_SUMMARIES_PFLIST="${FRR_IPV4_EDGE_SUMMARIES_PFLIST}${TEMPSUM}"
let i+=1
done
i=1
while true; do
TEMP="$(dig_txt $i.ipv6.public.prefixlist.usw2.admin.wit.com)" || break
TEMPAGGS=" !!! aggregate-address ${TEMP}\n"
FRR_IPV6_EDGE_SUMMARIES_AGGREGATS="${FRR_IPV6_EDGE_SUMMARIES_AGGREGATS}${TEMPAGGS}"
TEMPSUM="!!! ipv6 prefix-list WITv6-SUMMARIES seq $((i*5)) permit ${TEMP}\n"
FRR_IPV6_EDGE_SUMMARIES_PFLIST="${FRR_IPV6_EDGE_SUMMARIES_PFLIST}${TEMPSUM}"
let i+=1
done
## compile customer IP blocks that we accept. this in theory should be a combination of *all* public blocks used accross regions while limiting it a smaller subnet size
i=1
while true; do
TEMP="$(dig_txt $i.ipv4.customers.prefixlist.usw2.admin.wit.com)" || break
TEMPSUM="ip prefix-list WITv4-CUSTOMERS seq $((i*5)) permit ${TEMP} ge 25\n"
FRR_IPV4_CUSTOMERS_PFLIST="${FRR_IPV4_CUSTOMERS_PFLIST}${TEMPSUM}"
let i+=1
done
i=1
while true; do
TEMP="$(dig_txt $i.ipv6.customers.prefixlist.usw2.admin.wit.com)" || break
TEMPSUM="ipv6 prefix-list WITv6-CUSTOMERS seq $((i*5)) permit ${TEMP} ge 64\n"
FRR_IPV6_CUSTOMERS_PFLIST="${FRR_IPV6_CUSTOMERS_PFLIST}${TEMPSUM}"
let i+=1
done
## compile loopback IP blocks that we wanna accept to be injected into the bgp
i=1
while true; do
TEMP="$(dig_txt $i.ipv4.loopback.prefixlist.usw2.admin.wit.com)" || break
TEMPSUM="ip prefix-list LOOPBACKv4 seq $((i*5)) permit ${TEMP} ge 32\n"
FRR_IPV4_LOOPBACK_PFLIST="${FRR_IPV4_LOOPBACK_PFLIST}${TEMPSUM}"
[ -z $IPSEC_IPV4_SUBNETS ] || IPSEC_IPV4_SUBNETS="${IPSEC_IPV4_SUBNETS},"
IPSEC_IPV4_SUBNETS="${IPSEC_IPV4_SUBNETS}${TEMP}"
let i+=1
done
i=1
while true; do
TEMP="$(dig_txt $i.ipv6.loopback.prefixlist.usw2.admin.wit.com)" || break
TEMPSUM="ipv6 prefix-list LOOPBACKv6 seq $((i*5)) permit ${TEMP} ge 128\n"
FRR_IPV6_LOOPBACK_PFLIST="${FRR_IPV6_LOOPBACK_PFLIST}${TEMPSUM}"
[ -z $IPSEC_IPV6_SUBNETS ] || IPSEC_IPV6_SUBNETS="${IPSEC_IPV6_SUBNETS},"
IPSEC_IPV6_SUBNETS="${IPSEC_IPV6_SUBNETS}${TEMP}"
let i+=1
done
## STOP compiling frr config
## START writing config files
# set frr config
sed -i \
-e "s/^!!! FRR_BASTION/$FRR_BASTION/" \
-e "s/^!!! FRR_IFS/$FRR_IFS/" \
-e "s/^ !!! FRR_EDGE_NEIGH/$FRR_EDGE_NEIGH/" \
-e "s/^ !!! FRR_IPV4_EDGE_SUMMARIES_AGGREGATS/$FRR_IPV4_EDGE_SUMMARIES_AGGREGATS/" \
-e "s/^ !!! FRR_IPV6_EDGE_SUMMARIES_AGGREGATS/$FRR_IPV6_EDGE_SUMMARIES_AGGREGATS/" \
-e "s/^!!! FRR_IPV4_EDGE_SUMMARIES_PFLIST/$FRR_IPV4_EDGE_SUMMARIES_PFLIST/" \
-e "s/^!!! FRR_IPV6_EDGE_SUMMARIES_PFLIST/$FRR_IPV6_EDGE_SUMMARIES_PFLIST/" \
-e "s/^!!! FRR_IPV4_CUSTOMERS_PFLIST/$FRR_IPV4_CUSTOMERS_PFLIST/" \
-e "s/^!!! FRR_IPV6_CUSTOMERS_PFLIST/$FRR_IPV6_CUSTOMERS_PFLIST/" \
-e "s/^!!! FRR_IPV4_LOOPBACK_PFLIST/$FRR_IPV4_LOOPBACK_PFLIST/" \
-e "s/^!!! FRR_IPV6_LOOPBACK_PFLIST/$FRR_IPV6_LOOPBACK_PFLIST/" \
-e "s/FRR_GRE_ASN/${FRR_GRE_ASN}/" \
-e "s/FRRROUTERID/${LOOPBACKv4}/" \
-e "s/NODEASN/${NODEASN}/" \
$FRRCONFIG
[ -z $FRR_EDGE_NEIGH ] || sed -i -e 's/!!! //' $FRRCONFIG
# set ipsec config
for IPSECCONFIGFILE in $IPSECCONFIG $SWANCTLCONFIG
do
sed -i \
-e "s/FQHOSTNAME/${HOSTNAME}/" \
-e "s/LOOPBACKv4/${LOOPBACKv4}\/32/" \
-e "s/LOOPBACKv6/${LOOPBACKv6}\/128/" \
-e "s/IPSEC_IPV4_SUBNETS/$IPSEC_IPV4_SUBNETS/" \
-e "s/IPSEC_IPV6_SUBNETS/$IPSEC_IPV6_SUBNETS/" \
$IPSECCONFIGFILE
done
echo ": RSA ${HOSTNAME}.key" >/etc/ipsec.secrets
chown frr.frr $FRRCONFIG /etc/frr/daemons.wit
# wite grub rules for serial terminal
sed -i -e '/GRUB_CMDLINE_LINUX_DEFAULT=/d' -e '/GRUB_CMDLINE_LINUX=/d' -e '/GRUB_SERIAL_COMMAND=/d' -e '/GRUB_TERMINAL=/d' /etc/default/grub
cat <<-EOF >>/etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT=""
GRUB_CMDLINE_LINUX="console=tty0 console=ttyS1,115200n8"
GRUB_TERMINAL=serial
GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=1 --word=8 --parity=no --stop=1"
EOF
# disable password logins on ssh
sed -i -e '/#*\s*PasswordAuthentication /d' /etc/ssh/sshd_config
echo "PasswordAuthentication no" >>/etc/ssh/sshd_config
## END config file section
## START configuring services as we need it
#systemctl disable strongswan # disable ipsec till we have the certs and all ansible will enable it after dropping certs
systemctl enable firewall
systemctl enable systemd-timesyncd
systemctl restart systemd-timesyncd
systemctl restart ssh
update-grub
sysctl -p /etc/sysctl.d/10-frr.conf
## END services section
;;
abort-upgrade|abort-remove|abort-deconfigure)
;;
*)
echo "postinst called with unknown argument \`$1'" >&2
exit 1
;;
esac
# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.
#DEBHELPER#
exit 0