39e1db9c32
Add basic firewall setup for l4lb namespace
...
Also teach sunet-l4lb-namespace to load the nft ruleset if it exists.
While here modify the script so instead of running "once per netns
config file" we merge the interface config from each json file into the
same dict per namespace. Without this we would attempt to load the nft
ruleset twice (once per file that mentioned the namespace) or warn twice
if the file did not exist etc.
2025-03-31 17:19:29 +02:00
db2b4ca409
Update sunet-l4lb-namespace
...
Make it able to delete addresses that are no longer in the netns config.
Also make it read one netns-base.json for hardware config which is
managed by puppet but also make it look for netns-sunet-cdn-agent.json
which is not created by puppet. This file will be generated by
sunet-cdn-agent and will include the configuration for dummy0.
2025-03-19 12:35:21 +01:00
29c81d13a0
Expose postgres at standard port
2024-11-14 12:14:18 +01:00
cb46a3b6fb
Expose postgres port
2024-11-14 12:12:50 +01:00
f1b4d5ad07
Fix path typo
2024-11-13 14:59:59 +01:00
206e450c99
Add init script for setting up cdn database
2024-11-13 14:52:17 +01:00
61f47320a7
Use named volume for persistence
2024-11-13 13:52:26 +01:00
b121790b77
Fix password variable
2024-11-13 13:39:42 +01:00
85afb706ed
Add initial support for handling a DB server
...
Used to store varnish config etc
2024-11-13 13:27:58 +01:00
2e49e12c70
Start creating sunet-cdnp unit file
2024-11-12 10:11:03 +01:00
0461a8f0b8
mqtt: fix certfile usage
...
Use fullchain.pem instead of cert.pem which fixes "certificate signed by
unknown authority" problems.
Also point cafile to correct root cert.
2024-11-05 14:39:13 +01:00
41298df063
Setup interface for ip6ip6 tunneling
...
Running into systemd-networkd bugs, don't be fooled by "Local=::1" and
"Remote=::1". This still results in the equivalent of setting them to
'any' or '::' because we are using the default interface name.
2024-10-29 17:01:46 +01:00
c4b9bef3c5
Set net.ipv4.vs.sloppy_tcp=1
...
Needed if taking over packets for a connection that was established via
another node.
2024-10-29 08:29:21 +01:00
c93846d03b
Use @
2024-10-28 13:35:55 +01:00
c7b74c27fc
Use fact that exists
2024-10-28 13:34:59 +01:00
6a8671fa3e
Add import filters for bgp
2024-10-28 13:26:13 +01:00
7dc787cb68
Less indentation
2024-10-28 13:22:53 +01:00
af96f5e985
Manage bird.conf on l4lb machines
...
Currently just add basic template
2024-10-28 13:18:59 +01:00
fb956e4198
Add basic dummy0 interface
2024-10-25 15:28:03 +02:00
5d60c2dd02
Move template to correct location
2024-10-25 15:23:49 +02:00
e2d550bf29
Start managing bird2
...
Also give dummy-interface support to sunet-l4lb-namespace tool, used
to hold IPv4/IPv6 service addresses that should be announced via BGP.
2024-10-25 15:19:21 +02:00
f588078b75
Add namespace management files
2024-10-22 17:06:29 +02:00
7286dec3ff
Make sure X-Forwarded-Proto is set
...
Needed to cache http and https responses separately via Vary header
2024-10-15 16:29:31 +02:00
d289ffa656
Add config for ipip interface
...
Supplying an empty .network file is weird but without it the tunl0
interface is left in a DOWN state even with Independent=true.
Maybe this is related to "tunl0" being automatically created when the
"ipip" kernel module is loaded.
2024-10-11 22:05:11 +02:00
cb50714f4f
Rename remaining file
2024-10-11 22:00:37 +02:00
44c73b78ae
Prefix files with numbers as recommended by docs
...
See "systemd.netdev" docs.
2024-10-11 21:57:59 +02:00
fe428a9e74
Also include cidr suffix
2024-10-11 18:57:10 +02:00
b5d9682e01
This is a hash
2024-10-11 18:55:39 +02:00
637e2ae307
Add address config for dummy interface
2024-10-11 18:52:53 +02:00
1e8cad6ea0
Add dummy0 interface
...
The netplan version we have is too old to do this so handle it manually.
2024-10-11 18:45:54 +02:00
eb49f13c49
Fix backend name
2024-10-11 18:14:30 +02:00
8227300a34
Enclose ipv6 addresses in []
2024-10-11 14:00:23 +02:00
4d7283e361
Allow haproxy to bind to ports 80/443
...
This way we can run haproxy as an unprivileged user and still use what
are normally considered privileged ports.
2024-10-11 13:49:04 +02:00
1247c7f0be
Use hiera data for ip4/ip6
2024-10-11 12:03:24 +02:00
88e3771f6e
Install certificate files
2024-10-11 11:38:58 +02:00
747059cd92
Missing "
2024-10-10 20:44:23 +02:00
ff6376b68d
Add basic varnish VCL for testing
2024-10-10 20:39:35 +02:00
802e9a1389
Fix erb iteration
2024-10-10 15:45:58 +02:00
d0a19691aa
Initial cdn::cache manifest
2024-10-10 15:22:11 +02:00
5d05e596c0
Cleanup ":"
2024-10-10 10:24:31 +02:00
563886294b
Fix template
2024-10-10 10:23:55 +02:00
b44fb5ce43
Update key paths to reflect internal CA
2024-10-10 10:17:39 +02:00
22a2029cf9
Enable ACME provisioner at init
2024-10-08 16:50:46 +02:00
d1c863c7cb
Expose the step-ca port
2024-10-08 10:09:20 +02:00
1803d1c69a
Add initial compose file for step-ca
2024-10-08 10:02:48 +02:00
828f9a899d
Fix templates for passwords
2024-10-08 09:51:08 +02:00
61a4ec13e3
Start setting up step-ca files
2024-10-08 09:36:04 +02:00
e5ce5dd1cd
Start managing cdn.conf
2024-10-06 14:50:07 +02:00
40036c3c32
Fix variable usage
2024-10-06 14:44:32 +02:00
7352a20143
Start managing mqtt ACL
...
Include sample cosmos-rules entry for testing out template
2024-10-06 14:26:10 +02:00