From 9cb533f71d69d5f6c95e4486586e0f3a3aae7e41 Mon Sep 17 00:00:00 2001
From: Marek Isalski
Date: Sat, 11 May 2019 23:09:41 +0100
Subject: [PATCH] deploying a very basic template config
---
 hphr.sls | 8 +
 load-configure-compare-commit.sh | 8 +
 vyos.conf.j2 | 496 ++++++++++++++++---------------
 3 files changed, 269 insertions(+), 243 deletions(-)
 create mode 100644 load-configure-compare-commit.sh
diff --git a/hphr.sls b/hphr.sls
index 19305b0..84dba2a 100644
--- a/hphr.sls
+++ b/hphr.sls
@@ -2,3 +2,11 @@
 file.managed:
 - template: jinja
 - source: salt://vyos.conf.j2
+
+configure:
+ cmd.script:
+ - source: salt://load-configure-compare-commit.sh
+ - shell: /bin/vbash
+ - runas: minion
+ - require:
+ - file: /config/config.new
diff --git a/load-configure-compare-commit.sh b/load-configure-compare-commit.sh
new file mode 100644
index 0000000..84a9d6f
--- /dev/null
+++ b/load-configure-compare-commit.sh
@@ -0,0 +1,8 @@
+#!/bin/vbash
+source /opt/vyatta/etc/functions/script-template
+configure
+load /config/config.new
+compare
+commit
+save
+exit
diff --git a/vyos.conf.j2 b/vyos.conf.j2
index 3f81fd7..ebcd6d9 100644
--- a/vyos.conf.j2
+++ b/vyos.conf.j2
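Review bot: The new `configure` state is a `cmd.script` with only `- require: - file: /config/config.new`, so the load/commit/save script runs on every state apply, not just when the rendered config changed; `require` orders the two states but does not gate execution on a change. Adding `- onchanges:` with the same `- file: /config/config.new` entry would run the commit only when `file.managed` reports that the rendered file differs from what was on the router. A short comment on `runas: minion` stating that this account has to be in a VyOS group allowed to enter configure mode and commit would also help, since that requirement is not visible from the state itself. The `file.managed` state that renders the template begins above the hunk.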
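Review bot: None of the steps in load-configure-compare-commit.sh checks its exit status, so if `load /config/config.new` fails (for example because the rendered template is not a valid config) the script still goes on to `compare`, `commit` and `save`, and its final `exit` reports success to the `cmd.script` state regardless. Assuming the functions from script-template return the status of the underlying commands (worth confirming against /opt/vyatta/etc/functions/script-template), each step should abort on error, e.g. `load /config/config.new || exit 1`, `commit || exit 1` and `save || exit 1`. The `compare` output is only printed, so a comment saying it is there for the Salt return log rather than as a gate would make the intent of the script name clear.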
@@ -1,348 +1,357 @@ -interfaces { +/* -=-=-=-=-=-=-=-=-=-=-=-=-=- INTERFACES -=-=-=-=-=-=-=-=-=-=-=-=-=- */ -{% for iface_name, iface_data in pillar['netbox']['interfaces'].items() %} -{% if iface_data['form_factor']['label'] != 'Virtual' and not iface_data[ 'mgmt_only' ] %} - ethernet {{ iface_name }} { - {% for address in iface_data['addresses'] %} - address {{ address['address'] }} - {% endfor %} - duplex auto - policy { - } - smp-affinity auto - speed auto - } -{% endif %} -{% endfor %} +{% macro interface_ip_ospf(iface_name) %} + {% if salt['pillar.get']('interfaces:'+iface_name+':ip:ospf') %} + ospf { + {% if salt['pillar.get']('interfaces:'+iface_name+':ip:ospf:cost',None) != None %}cost {{ salt['pillar.get']('interfaces:'+iface_name+':ip:ospf:cost') }}{% endif %} + {% if salt['pillar.get']('interfaces:'+iface_name+':ip:ospf:passive') %} + {% else %} + network {{ salt['pillar.get']('interfaces:'+iface_name+':ip:ospf:network') }} + dead-interval {{ salt['pillar.get']('interfaces:'+iface_name+':ip:ospf:dead-interval',40) }} + hello-interval {{ salt['pillar.get']('interfaces:'+iface_name+':ip:ospf:hello-interval',10) }} + priority {{ salt['pillar.get']('interfaces:'+iface_name+':ip:ospf:priority',1) }} + retransmit-interval {{ salt['pillar.get']('interfaces:'+iface_name+':ip:ospf:retransmit-interval',5) }} + transmit-delay {{ salt['pillar.get']('interfaces:'+iface_name+':ip:ospf:transmit-delay',1) }} + {% endif %} + } + {% endif %} +{% endmacro %} - ethernet eth0 { - address 10.13.0.56/22 - hw-id ac:1f:6b:94:1f:58 - } - ethernet eth1 { - address 185.1.101.32/24 - address 2001:7f8:bc::4:1495:1/64 - duplex auto - hw-id ac:1f:6b:94:1f:59 - ipv6 { +{% macro interface_ipv6_ospfv3(iface_name) %} + {% if salt['pillar.get']('interfaces:'+iface_name+':ipv6:ospfv3') %} ospfv3 { + {% if salt['pillar.get']('interfaces:'+iface_name+':ipv6:ospfv3:cost',None) != None %}cost {{ salt['pillar.get']('interfaces:'+iface_name+':ipv6:ospfv3:cost') }}{% endif %} + instance-id {{ 
salt['pillar.get']('interfaces:'+iface_name+':ipv6:ospfv3:instance-id',0) }} + {% if salt['pillar.get']('interfaces:'+iface_name+':ipv6:ospfv3:passive') %} passive + {% else %} + dead-interval {{ salt['pillar.get']('interfaces:'+iface_name+':ipv6:ospfv3:dead-interval',40) }} + hello-interval {{ salt['pillar.get']('interfaces:'+iface_name+':ipv6:ospfv3:hello-interval',10) }} + priority {{ salt['pillar.get']('interfaces:'+iface_name+':ipv6:ospfv3:priority',1) }} + retransmit-interval {{ salt['pillar.get']('interfaces:'+iface_name+':ipv6:ospfv3:retransmit-interval',5) }} + transmit-delay {{ salt['pillar.get']('interfaces:'+iface_name+':ipv6:ospfv3:transmit-delay',1) }} + {% endif %} } + {% endif %} +{% endmacro %} + +interfaces { +{% for iface_name, iface_data in pillar['netbox']['interfaces'].items() %}{% if iface_data['mgmt_only'] %} +{% elif iface_name == 'lo' %} + loopback lo { + description "{{ iface_data['description'].replace('"','\\"') or "-" }}{% if iface_data['connected_endpoint'] and iface_data['connected_endpoint']['connection_status']['value'] %} ({% if iface_data['connected_endpoint']['device'] %}{{ iface_data['connected_endpoint']['name'] }} @ {{ iface_data['connected_endpoint']['device']['display_name'] }}{% endif %}){% endif %}" + {% for address in iface_data['addresses'] %} + address {{ address['address'] }} + {% endfor %} + {% if salt['pillar.get']('interfaces:'+iface_name+':ip') %} + ip { +{{ interface_ip_ospf(iface_name) }} } - smp-affinity auto - speed auto + {% endif %} + {% if salt['pillar.get']('interfaces:'+iface_name+':ipv6') %} + ipv6 { +{{ interface_ipv6_ospfv3(iface_name) }} + } + {% endif %} } - ethernet eth2 { +{% elif iface_data['form_factor']['label'] != 'Virtual' %} + ethernet {{ iface_name }} { + description "{{ iface_data['description'].replace('"','\\"') or "-" }}{% if iface_data['connected_endpoint'] and iface_data['connected_endpoint']['connection_status']['value'] %} ({% if iface_data['connected_endpoint']['device'] %}{{ 
iface_data['connected_endpoint']['name'] }} @ {{ iface_data['connected_endpoint']['device']['display_name'] }}{% endif %}){% endif %}" + {% for address in iface_data['addresses'] %} + address {{ address['address'] }} + {% endfor %} + {% if iface_data['mac_address'] %}hw-id {{ iface_data['mac_address'].lower() }}{% endif %} duplex auto - hw-id 3c:fd:fe:d0:20:20 + policy { + } smp-affinity auto speed auto - } - ethernet eth3 { - address 46.227.200.106/26 - address 2a01:9e00:a217:0d00::46.227.200.106/64 - duplex auto - hw-id 3c:fd:fe:d0:20:21 + {% if not iface_data['enabled'] %}disable{% endif %} + {% if iface_data['lag'] %}bond-group {{ iface_data['lag']['name'] }}{% endif %} + + {% for subiface_name, subiface_data in pillar['netbox']['interfaces'].items() %}{% if subiface_data['form_factor']['label'] == 'Virtual' and subiface_name.startswith( iface_name + "." ) %} + vif {{ subiface_name.split( "." )[ 1 ] }} { + description "{{ subiface_data['description'].replace('"','\\"') or "-" }}" + {% for address in subiface_data['addresses'] %} + address {{ address['address'] }} + {% endfor %} + {% if not subiface_data['enabled'] %}disable{% endif %} + } + {% endif %}{% endfor %} + + {% if salt['pillar.get']('interfaces:'+iface_name+':ip') %} ip { - ospf { - cost 1 - dead-interval 40 - hello-interval 10 - network broadcast - priority 1 - retransmit-interval 5 - transmit-delay 1 - } +{{ interface_ip_ospf(iface_name) }} } + {% endif %} + {% if salt['pillar.get']('interfaces:'+iface_name+':ipv6') %} ipv6 { dup-addr-detect-transmits 1 - ospfv3 { - cost 40 - dead-interval 40 - hello-interval 10 - instance-id 0 - priority 1 - retransmit-interval 5 - transmit-delay 1 - } +{{ interface_ipv6_ospfv3(iface_name) }} } - smp-affinity auto - speed auto - } - ethernet eth4 { - duplex auto - hw-id 3c:fd:fe:d0:20:22 - smp-affinity auto - speed auto - } - ethernet eth5 { - duplex auto - hw-id 3c:fd:fe:d0:20:23 - smp-affinity auto - speed auto - } - loopback lo { - address 46.227.204.1/32 - 
address 2a01:9e00:1234::1/128 + {% endif %} } +{% endif %}{% endfor %} } -policy { - prefix-list TEST-EQUINIXIX-OUT { - rule 1 { - action permit - prefix 46.227.204.0/24 + +/* -=-=-=-=-=-=-=-=-=-=-=-=-=- PROTOCOLS -=-=-=-=-=-=-=-=-=-=-=-=-=- */ + +protocols { + + /* -=-=-=-=-=-=-=-=-=-=-=-=-=- OSPF -=-=-=-=-=-=-=-=-=-=-=-=-=- */ + + ospf { + parameters { + router-id {{ salt['pillar.get']('protocols:ospf:parameters:router-id') }} + abr-type {{ salt['pillar.get']('protocols:ospf:parameters:abr-type','cisco') }} } - rule 2 { - action deny - le 32 - prefix 0.0.0.0/0 + + {% for iface_name, iface_data in pillar['netbox']['interfaces'].items() %}{% if salt['pillar.get']('interfaces:'+iface_name+':ip:ospf:passive') %} + passive-interface {{ iface_name }} + {% endif %}{% endfor %} + {% for area_name, area_data in pillar['protocols']['ospf']['area'].items() %} + area {{ area_name }} { + {% for network in area_data['networks'] %} + network {{ network }} + {% endfor %} } + {% endfor %} } - prefix-list6 TEST-EQUINIXIX-OUT { - rule 1 { - action permit - prefix 2a01:9e00:1234::/48 + + ospfv3 { + parameters { + router-id {{ salt['pillar.get']('protocols:ospfv3:parameters:router-id') }} } - rule 2 { - action deny - le 128 - prefix ::/0 + + {% for area_name, area_data in pillar['protocols']['ospfv3']['area'].items() %} + area {{ area_name }} { + {% for range in area_data.get('range',[]) %} + range {{ range }} { + } + {% endfor %} + {% for interface in area_data.get('interface',[]) %} + interface {{ interface }} + {% endfor %} } + {% endfor %} } -} -protocols { - bgp 41495 { - address-family { - ipv4-unicast { - redistribute { - static { - } - } - } - ipv6-unicast { - redistribute { - static { - } - } + + /* -=-=-=-=-=-=-=-=-=-=-=-=-=- STATIC -=-=-=-=-=-=-=-=-=-=-=-=-=- */ + + static { + {% for route_name, route_data in pillar['protocols']['static']['route'].items() %} + route {{ route_name }} { + {% for nexthop, nexthop_data in route_data.get('next-hop',{}).items() %} + next-hop {{ 
nexthop }} { } - } - neighbor 185.1.101.28 { - address-family { - ipv4-unicast { - prefix-list { - export TEST-EQUINIXIX-OUT - } - soft-reconfiguration { - inbound - } - } + {% endfor %} + {% if route_data.get('blackhole',None) %} + blackhole { + distance {{ route_data['blackhole'].get('distance',254) }} } - remote-as 6939 + {% endif %} } - neighbor 185.1.101.250 { - address-family { - ipv4-unicast { - prefix-list { - export TEST-EQUINIXIX-OUT - } - soft-reconfiguration { - inbound - } - } - ipv6-unicast { - soft-reconfiguration { - inbound - } - } + {% endfor %} + {% for route_name, route_data in pillar['protocols']['static']['route6'].items() %} + route6 {{ route_name }} { + {% for nexthop, nexthop_data in route_data.get('next-hop',{}).items() %} + next-hop {{ nexthop }} { } - remote-as 65517 - } - neighbor 185.1.101.251 { - address-family { - ipv4-unicast { - prefix-list { - export TEST-EQUINIXIX-OUT - } - soft-reconfiguration { - inbound - } - } + {% endfor %} + {% if route_data.get('blackhole',None) %} + blackhole { + distance {{ route_data['blackhole'].get('distance',254) }} } - remote-as 24115 + {% endif %} } - neighbor 185.1.101.252 { - address-family { - ipv4-unicast { - prefix-list { - export TEST-EQUINIXIX-OUT - } - soft-reconfiguration { - inbound - } - } - } - remote-as 24115 + {% endfor %} + } + + /* -=-=-=-=-=-=-=-=-=-=-=-=-=- BGP -=-=-=-=-=-=-=-=-=-=-=-=-=- */ + + {% for bgp_as, as_data in salt['pillar.get']('protocols:bgp',{}).items() %} + bgp {{ bgp_as }} { + parameters { + router-id {{ as_data['parameters']['router-id'] }} } - neighbor 2001:7f8:bc::2:4115:1 { - address-family { - ipv6-unicast { - prefix-list { - export TEST-EQUINIXIX-OUT - } - soft-reconfiguration { - inbound - } + {% if as_data.get('address-family',None) %} + address-family { + {% if as_data['address-family'].get('ipv4-unicast',None) %} + ipv4-unicast { + redistribute { + {% for redistribute in as_data['address-family']['ipv4-unicast'].get('redistribute',[]) %} + {{ redistribute 
}} {} + {% endfor %} } } - remote-as 24115 - } - neighbor 2001:7f8:bc::2:4115:2 { - address-family { - ipv6-unicast { - prefix-list { - export TEST-EQUINIXIX-OUT - } - soft-reconfiguration { - inbound - } + {% endif %} + {% if as_data['address-family'].get('ipv6-unicast',None) %} + ipv6-unicast { + redistribute { + {% for redistribute in as_data['address-family']['ipv6-unicast'].get('redistribute',[]) %} + {{ redistribute }} {} + {% endfor %} } } - remote-as 24115 + {% endif %} } - neighbor 2001:7f8:bc::6:5517:1 { + {% endif %} + + {% for neighbor, neighbor_data in as_data.get('neighbor',{}).items() %} + neighbor {{ neighbor }} { + remote-as {{ neighbor_data['remote-as'] }} + + {% if 'address-family' in neighbor_data %} address-family { - ipv6-unicast { + {% if 'ipv4-unicast' in neighbor_data['address-family'] %} + ipv4-unicast { + {% if 'prefix-list' in neighbor_data['address-family']['ipv4-unicast'] %} prefix-list { - export TEST-EQUINIXIX-OUT + {% if 'export' in neighbor_data['address-family']['ipv4-unicast']['prefix-list'] %}export {{ neighbor_data['address-family']['ipv4-unicast']['prefix-list']['export'] }}{% endif %} + {% if 'import' in neighbor_data['address-family']['ipv4-unicast']['prefix-list'] %}import {{ neighbor_data['address-family']['ipv4-unicast']['prefix-list']['import'] }}{% endif %} } + {% endif %} + {% if 'soft-reconfiguration' in neighbor_data['address-family']['ipv4-unicast'] %} soft-reconfiguration { - inbound + {% for softreconf in neighbor_data['address-family']['ipv4-unicast']['soft-reconfiguration'] %} + {{ softreconf }} + {% endfor %} } + {% endif %} } - } - remote-as 65517 - } - neighbor 2001:7f8:bc::6939:1 { - address-family { + {% endif %} + {% if 'ipv6-unicast' in neighbor_data['address-family'] %} ipv6-unicast { + {% if 'prefix-list' in neighbor_data['address-family']['ipv6-unicast'] %} prefix-list { - export TEST-EQUINIXIX-OUT + {% if 'export' in neighbor_data['address-family']['ipv6-unicast']['prefix-list'] %}export {{ 
neighbor_data['address-family']['ipv6-unicast']['prefix-list']['export'] }}{% endif %} + {% if 'import' in neighbor_data['address-family']['ipv6-unicast']['prefix-list'] %}import {{ neighbor_data['address-family']['ipv6-unicast']['prefix-list']['import'] }}{% endif %} } + {% endif %} + {% if 'soft-reconfiguration' in neighbor_data['address-family']['ipv6-unicast'] %} soft-reconfiguration { - inbound + {% for softreconf in neighbor_data['address-family']['ipv6-unicast']['soft-reconfiguration'] %} + {{ softreconf }} + {% endfor %} } + {% endif %} } + {% endif %} } - remote-as 6939 - } - parameters { - router-id 46.227.201.1 - } - } - ospf { - area 0.0.0.0 { - network 46.227.200.64/26 - } - area 185.1.101.0 { - network 185.1.101.0/24 - } - parameters { - abr-type cisco - router-id 46.227.201.1 + {% endif %} + } - passive-interface eth1 + {% endfor %} + } - ospfv3 { - area 0.0.0.0 { - interface eth3 - range 2a01:9e00:a217:0d00::/64 { - } - } - area 185.1.101.0 { - interface eth1 - range 2001:7f8:bc::/64 { - } + {% endfor %} +} + +/* -=-=-=-=-=-=-=-=-=-=-=-=-=- POLICY -=-=-=-=-=-=-=-=-=-=-=-=-=- */ + +policy { + prefix-list TEST-EQUINIXIX-OUT { + rule 1 { + action permit + prefix 46.227.204.0/24 } - parameters { - router-id 46.227.201.1 + rule 2 { + action deny + le 32 + prefix 0.0.0.0/0 } } - static { - route 10.0.0.0/8 { - next-hop 10.13.0.1 { - } - } - route 46.227.204.0/24 { - blackhole { - } + prefix-list6 TEST-EQUINIXIX-OUT { + rule 1 { + action permit + prefix 2a01:9e00:1234::/48 } - route6 2a01:9e00:1234::/48 { - blackhole { - } + rule 2 { + action deny + le 128 + prefix ::/0 } } } + +/* -=-=-=-=-=-=-=-=-=-=-=-=-=- SERVICE -=-=-=-=-=-=-=-=-=-=-=-=-=- */ + service { lldp { - interface al { + {% for iface_name, iface_data in salt['pillar.get']('service:lldp:interface',{}).items() %} + interface {{ iface_name }} { } - interface all { - } - management-address 10.13.0.56 + {% endfor %} + management-address {{ pillar['service']['lldp']['management-address'] }} } 
salt-minion { id {{ grains['fqdn'] }} - master hphr.salt.faelix.net + master {{ pillar['service']['salt-minion']['master'] }} } snmp { - community public { + {% for cty_name, cty_data in salt['pillar.get']('service:snmp:community',{}).items() %} + community {{ cty_name }} { } - trap-source 10.13.0.56 - trap-target 10.13.1.111 { + {% endfor %} + trap-source {{ pillar['service']['snmp']['trap-source'] }} + {% for trap_target, trap_data in salt['pillar.get']('service:snmp:trap-target',{}).items() %} + trap-target {{ trap_target }} { } + {% endfor %} } ssh { - listen-address 10.13.0.56 + listen-address {{ pillar['service']['ssh']['listen-address'] }} } } + +/* -=-=-=-=-=-=-=-=-=-=-=-=-=- SYSTEM -=-=-=-=-=-=-=-=-=-=-=-=-=- */ + system { config-management { commit-revisions 100 } + console { device ttyS0 { speed 9600 } } + host-name {{ grains['fqdn'] }} + ip { multipath { layer4-hashing } } + ipv6 { multipath { layer4-hashing } } -login { - user vyos { - authentication { - encrypted-password $6$fXZ3cwEft1XFJTH$twZmVheX0PEi21KqQfv/zvKhuXVc1UwVVXI3Y7KCXYk0osil3QmJqmAYgNQyNqGUROydxp7R6yiPe4N06QnBH1 - plaintext-password "" + + login { + user vyos { + authentication { + encrypted-password $6$fXZ3cwEft1XFJTH$twZmVheX0PEi21KqQfv/zvKhuXVc1UwVVXI3Y7KCXYk0osil3QmJqmAYgNQyNqGUROydxp7R6yiPe4N06QnBH1 + plaintext-password "" + } + level admin } - level admin } -} + {% for nameserver in pillar['nameservers'] %} name-server {{ nameserver }} {% endfor %} + ntp { {% for ntp_server, ntp_data in pillar['ntp'].items() %} server {{ ntp_server }} { } {% endfor %} } + syslog { global { facility all { @@ -353,6 +362,7 @@ login { } } } + time-zone UTC }
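Review bot: The `login { user vyos { authentication { encrypted-password ... } } }` block near the end of this hunk keeps a literal password hash in the template even though every other host-specific value in the commit was moved to pillar, so the same credential is checked into the repository and deployed to every router rendered from it; it should be read from pillar in the same style as the rest of the file, e.g. `encrypted-password {{ salt['pillar.get']('system:login:user:vyos:encrypted-password') }}` (pillar key is a suggestion), with the hash itself removed from the template. Separately, in the `description "..."` lines of the `loopback lo` and `ethernet {{ iface_name }}` blocks only `iface_data['description']` gets `.replace('"','\\"')`, while `connected_endpoint['name']` and `connected_endpoint['device']['display_name']` are interpolated raw, so a double quote in a NetBox-sourced endpoint or device name ends the quoted string and yields a config that will not load — the same escaping should be applied to those two values. The hunk starts at line 1 of the file; the second hunk in this file only adds `time-zone UTC`.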