commit be9792cac1d080b9313bda1a5be4efb90af21963
Author: Simeon Keske
Date: Mon May 25 13:36:51 2020 +0200
initial commit
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..3931cde
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,42 @@
+---
+bird_lg_user: "bird_lg"
+bird_lg_group: "{{ bird_lg_user }}"
+
+bird_lg_install_path: "/opt/bird-lg"
+bird_lg_log_path: "/var/log/bird-lg"
+
+bird_lg_repository: "https://github.com/sesa-me/bird-lg"
+bird_lg_version: "burble-clean"
+
+bird_lg_proxy_enabled: yes
+bird_lg_webservice_enabled: yes
+
+bird_lg_domain: "example.com"
+bird_lg_asn_zone: "asn.cymru.com"
+
+bird_lg_webservice_bind: "0.0.0.0"
+bird_lg_webservice_port: 5000
+
+bird_lg_proxy_bind: "0.0.0.0"
+bird_lg_proxy_port: 5000
+bird_lg_access:
+ - 91.224.149.206
+ - 178.33.111.110
+ - 2a01:6600:8081:ce00::1
+
+bird_lg_unified_daemon: yes
+
+bird_lg_proxys:
+ - name: gw
+ address: gw.some.network:5000
+ as: "197422"
+ ips:
+ - "91.224.148.2"
+ - "2a01:6600:8000::175"
+ - name: h3
+ address: h3.some.network:5000
+ as: "197422"
+ ips:
+ - "91.224.148.3"
+ - "2a01:6600:8000::131"
+
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..3aa6363
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: restart webservice
+ service:
+ name: bird-lg-webservice
+ state: restarted
+
+- name: restart proxy
+ service:
+ name: bird-lg-proxy
+ state: restarted
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..d3be4d7
--- /dev/null
+++ b/tasks/main.yml
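Review bot: `bird_lg_proxy_enabled` and `bird_lg_webservice_enabled` both default to on while the defaults give the two daemons the same listener, `0.0.0.0:5000` (`bird_lg_webservice_port` and `bird_lg_proxy_port`), so a host that takes the defaults starts two processes competing for one socket; pick distinct default ports, and bind the proxy to a non-public address by default since, per lgproxy.cfg.j2, the only thing in front of it is the IP list in `bird_lg_access`. `bird_lg_access` ships with three concrete public addresses, which means every deployment of the role grants those hosts proxy access until an operator notices and overrides it — a role default should be `bird_lg_access: []` with the real peers supplied from inventory, and likewise `bird_lg_proxys` should be an empty list rather than two `some.network` hosts. The `yes` values on `bird_lg_proxy_enabled`, `bird_lg_webservice_enabled` and `bird_lg_unified_daemon` are YAML 1.1 truthy spellings; write `true`/`false` for portability and to match `become: true` in tasks/main.yml.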
@@ -0,0 +1,79 @@
+---
+- name: Install system dependencies
+ apt:
+ name:
+ - python
+ - python-pip
+ - python-virtualenv
+ - whois
+ - traceroute
+ - graphviz
+
+- name: Create group
+ group:
+ name: "{{ bird_lg_group }}"
+ state: present
+
+- name: Create user
+ user:
+ name: "{{ bird_lg_user }}"
+ group: "{{ bird_lg_group }}"
+ home: "{{ bird_lg_install_path }}"
+ create_home: no
+ system: yes
+
+- name: Add user to group bird
+ user:
+ name: '{{ bird_lg_user }}'
+ groups: "bird"
+ append: yes
+
+- name: Create installation Directory
+ file:
+ path: "{{ bird_lg_install_path }}"
+ recurse: yes
+ state: directory
+ owner: "{{ bird_lg_user }}"
+ group: "{{ bird_lg_group }}"
+
+- name: Create log Directory
+ file:
+ path: "{{ bird_lg_log_path }}"
+ recurse: yes
+ state: directory
+ owner: "{{ bird_lg_user }}"
+ group: "{{ bird_lg_group }}"
+
+- name: Clone bird_lg source
+ git:
+ dest: "{{ bird_lg_install_path }}"
+ repo: "{{ bird_lg_repository }}"
+ version: "{{ bird_lg_version }}"
+ force: yes
+ become_user: "{{ bird_lg_user }}"
+ become: true
+
+- name: fix broken encoding due to change in memcached library
+ lineinfile:
+ path: "{{ bird_lg_install_path }}/lg.py"
+ regexp: 'return "AS\%s \| \%s" \% \(_as, name.*'
+ line: ' return "AS%s | %s" % (_as, name)'
+
+
+- name: Install python-dependencies
+ pip:
+ name:
+ - flask
+ - dnspython
+ - pydot
+ - python-memcached
+ virtualenv: "{{ bird_lg_install_path }}/.venv"
+ state: present
+ become_user: "{{ bird_lg_user }}"
+ become: true
+
+- include_tasks: proxy.yml
+ when: bird_lg_proxy_enabled
+
+- include_tasks: web.yml
+ when: bird_lg_webservice_enabled
diff --git a/tasks/proxy.yml b/tasks/proxy.yml
new file mode 100644
index 0000000..eed4185
--- /dev/null
+++ b/tasks/proxy.yml
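Review bot: The `fix broken encoding` task uses `lineinfile` with a `regexp` but no `backrefs`, so on a checkout of `bird_lg_version` where the pattern no longer matches, Ansible appends `return "AS%s | %s" % (_as, name)` to the end of lg.py as a module-level `return`, which is a SyntaxError that takes the webservice down on its next restart; add `backrefs: yes` so a non-match is a no-op, or carry the fix in the fork instead of patching after clone. The same hunk is the role's whole supply chain: `bird_lg_version: "burble-clean"` is a mutable branch fetched with `force: yes`, and the pip task installs `flask`, `dnspython`, `pydot` and `python-memcached` unpinned, so every run can pull different code into a process that is later given access to the BIRD control socket via the `bird` group — pin the git ref to a commit SHA and the pip packages to versions (or a requirements file with hashes). The install directory is also chowned to `bird_lg_user` and the clone runs as that user, so the runtime account can rewrite its own code; cloning as root and granting the service user read-only access would make a compromise of the daemon non-persistent. `create_home: no`, `system: yes`, `append: yes`, `recurse: yes` and `force: yes` should be `true`/`false` to match `become: true` in the same file.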
@@ -0,0 +1,18 @@
+---
+- name: Copy proxy config file
+ template:
+ src: "lgproxy.cfg.j2"
+ dest: "{{ bird_lg_install_path }}/lgproxy.cfg"
+ notify: restart proxy
+
+- name: Add systemd service file for bird-lg-proxy
+ template:
+ src: "bird-lg-proxy.service.j2"
+ dest: "/etc/systemd/system/bird-lg-proxy.service"
+
+- name: Ensure bird-lg-proxy systemd service is enabled and running
+ systemd:
+ name: "bird-lg-proxy"
+ daemon_reload: yes
+ enabled: yes
+ state: started
\ No newline at end of file
diff --git a/tasks/web.yml b/tasks/web.yml
new file mode 100644
index 0000000..1aa1b99
--- /dev/null
+++ b/tasks/web.yml
@@ -0,0 +1,18 @@
+---
+- name: Copy webservice config file
+ template:
+ src: "lg.cfg.j2"
+ dest: "{{ bird_lg_install_path }}/lg.cfg"
+ notify: restart webservice
+
+- name: Add systemd service file for bird-lg-webservice
+ template:
+ src: "bird-lg-webservice.service.j2"
+ dest: "/etc/systemd/system/bird-lg-webservice.service"
+
+- name: Ensure bird-lg-web systemd service is enabled and running
+ systemd:
+ name: "bird-lg-webservice"
+ daemon_reload: yes
+ enabled: yes
+ state: started
diff --git a/templates/bird-lg-proxy.service.j2 b/templates/bird-lg-proxy.service.j2
new file mode 100644
index 0000000..42fd3a1
--- /dev/null
+++ b/templates/bird-lg-proxy.service.j2
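Review bot: The `Copy proxy config file` task renders `lgproxy.cfg` with no `owner`, `group` or `mode`, so it lands root-owned with whatever the controller's umask yields (typically 0644); that file holds `ACCESS_LIST`, the proxy's only access control per lgproxy.cfg.j2, so set `owner: root`, `group: "{{ bird_lg_group }}"` and `mode: "0640"` so the runtime user can read but not rewrite it. The `Add systemd service file for bird-lg-proxy` task has no `notify: restart proxy`, so a later change to the unit template (enabling the hardening lines, say) is picked up by `daemon_reload: yes` on the next run but the running process keeps the old unit until something else restarts it. `daemon_reload: yes` and `enabled: yes` are YAML 1.1 truthy spellings; use `true`.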
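Review bot: The `Copy webservice config file` task writes `lg.cfg`, which per lg.cfg.j2 carries `SESSION_KEY` (the Flask session-signing secret), without `owner`, `group` or `mode`, so the secret is readable by any local account under a default umask; set `owner: root`, `group: "{{ bird_lg_group }}"` and `mode: "0640"`. The `Add systemd service file for bird-lg-webservice` task lacks `notify: restart webservice`, so unit-file changes are reloaded by `daemon_reload: yes` but never applied to the running service. The task name `Ensure bird-lg-web systemd service is enabled and running` refers to a unit actually called `bird-lg-webservice`; renaming it to match avoids confusion when reading play output.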
@@ -0,0 +1,50 @@
+# Copyright (C) 2015-2018 Alsace Réseau Neutre
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+# Debian GNU/Linux: store this in /etc/systemd/system/
+
+[Unit]
+Description=BIRD Looking-Glass proxy
+After=bird.service
+
+[Service]
+Type=simple
+#
+# User and group to run as
+#
+User={{ bird_lg_user }}
+Group={{ bird_lg_group }}
+#
+# Service Hardening
+#
+#ProtectSystem=strict
+#NoNewPrivileges=yes
+#ProtectControlGroups=yes
+#PrivateTmp=yes
+#PrivateDevices=yes
+#DevicePolicy=closed
+#MemoryDenyWriteExecute=yes
+## set this to match LOG_FILE from the .cfg file
+#ReadWritePaths={{ bird_lg_log_path }}
+#ReadWritePaths={{ bird_lg_install_path }}
+## set these to match BIRD{,6}_SOCKET
+#ReadWritePaths=/var/run/bird/bird.ctl
+#ReadWritePaths=/var/run/bird/bird6.ctl
+#
+ExecStart={{ bird_lg_install_path }}/.venv/bin/python {{ bird_lg_install_path }}/lgproxy.py
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/templates/bird-lg-webservice.service.j2 b/templates/bird-lg-webservice.service.j2
new file mode 100644
index 0000000..5cb1f6e
--- /dev/null
+++ b/templates/bird-lg-webservice.service.j2
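Review bot: Every directive under `# Service Hardening` is commented out, so the unit runs with no `NoNewPrivileges`, `ProtectSystem` or `PrivateTmp` for a process that, per lgproxy.cfg.j2, relays commands to the BIRD control socket and (given the `traceroute` dependency installed in tasks/main.yml) spawns binaries on behalf of remote callers. The `ReadWritePaths` entries already listed cover what `ProtectSystem=strict` needs — the log directory and the two BIRD sockets — so the block can be enabled largely as written; I would leave `ReadWritePaths={{ bird_lg_install_path }}` off, since a writable code tree undoes much of the benefit (unless lgproxy.py writes into its own directory, which is not visible here — confirm). The unit uses `After=bird.service` but no `Requires=`/`Wants=`, so it will happily start without BIRD; that is probably intended for hosts where BIRD is managed separately, but a comment saying so would help.
```ini
# Service Hardening
ProtectSystem=strict
NoNewPrivileges=yes
ProtectControlGroups=yes
PrivateTmp=yes
PrivateDevices=yes
DevicePolicy=closed
MemoryDenyWriteExecute=yes
# must match LOG_FILE in lgproxy.cfg
ReadWritePaths={{ bird_lg_log_path }}
# must match BIRD_SOCKET / BIRD6_SOCKET in lgproxy.cfg
ReadWritePaths=/var/run/bird/bird.ctl
ReadWritePaths=/var/run/bird/bird6.ctl
# … unchanged: ExecStart, Restart, [Install] …
```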
@@ -0,0 +1,48 @@
+# Copyright (C) 2015-2018 Alsace Réseau Neutre
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+# Debian GNU/Linux: store this in /etc/systemd/system/
+
+[Unit]
+Description=BIRD Looking-Glass service
+
+[Service]
+Type=simple
+#
+# User and group to run as
+#
+User={{ bird_lg_user }}
+Group={{ bird_lg_group }}
+#
+# Service Hardening
+#
+#ProtectSystem=strict
+#NoNewPrivileges=yes
+#ProtectControlGroups=yes
+#PrivateTmp=yes
+#PrivateDevices=yes
+#DevicePolicy=closed
+#MemoryDenyWriteExecute=yes
+#AmbientCapabilities=CAP_NET_BIND_SERVICE
+#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+## Change this to match LOG_FILE from the .cfg file
+#ReadWritePaths={{ bird_lg_log_path }}/lg.log
+#ReadWritePaths={{ bird_lg_install_path }}
+#
+ExecStart={{ bird_lg_install_path }}/.venv/bin/python {{ bird_lg_install_path }}/lg.py
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
diff --git a/templates/lg.cfg.j2 b/templates/lg.cfg.j2
new file mode 100644
index 0000000..f73f1c1
--- /dev/null
+++ b/templates/lg.cfg.j2
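Review bot: The `# Service Hardening` block is entirely commented out, so the Flask front end listens on `{{ bird_lg_webservice_bind }}` (0.0.0.0 in the role defaults) with none of `NoNewPrivileges`, `ProtectSystem=strict` or `PrivateTmp` in effect; enable them, keeping `ReadWritePaths={{ bird_lg_log_path }}` on the directory rather than on `{{ bird_lg_log_path }}/lg.log` so a log handler can recreate or rotate the file, and leave `ReadWritePaths={{ bird_lg_install_path }}` off so the code tree stays read-only to the service. `AmbientCapabilities=CAP_NET_BIND_SERVICE` and `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` are only needed for a port below 1024; with `bird_lg_webservice_port: 5000` they should stay disabled, and a comment such as `# only needed when BIND_PORT < 1024` would stop someone enabling them by reflex. Unlike the proxy unit this one has no `After=` at all; `After=network.target` is cheap and matters if the bind address is ever changed from 0.0.0.0 to a specific interface.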
@@ -0,0 +1,45 @@
+
+DEBUG = True
+LOG_FILE="{{ bird_lg_log_path }}/lg.log"
+LOG_LEVEL="WARNING"
+
+DOMAIN = "{{ bird_lg_domain }}"
+
+BIND_IP = "{{ bird_lg_webservice_bind }}"
+BIND_PORT = {{ bird_lg_webservice_port }}
+
+PROXY = {
+{% for proxy in bird_lg_proxys %}
+ "{{ proxy.name }}": "{{ proxy.address }}",
+{% endfor %}
+}
+
+# set a timeout (in seconds) on lgproxy requests
+PROXY_TIMEOUT = {
+ "bird": 10,
+ "traceroute": 60
+}
+
+# If True, queries are always done with the "ipv4" backend,
+# and the distinction between IPv4 and IPv6 is removed from the UI.
+UNIFIED_DAEMON = {{ bird_lg_unified_daemon | ternary("True", "False") }}
+
+# Used for bgpmap
+ROUTER_IP = {
+{% for proxy in bird_lg_proxys %}
+ "{{ proxy.name }}": {{ proxy.ips }},
+{% endfor %}
+}
+
+AS_NUMBER = {
+{% for proxy in bird_lg_proxys %}
+ "{{ proxy.name }}": "{{ proxy.as }}",
+{% endfor %}
+}
+
+#WHOIS_SERVER = "whois.foo.bar"
+
+# DNS zone to query for ASN -> name mapping
+ASN_ZONE = "{{ bird_lg_asn_zone }}"
+
+SESSION_KEY = '\xd77\xf9\xfa\xc2\xb5\xcd\x85)`+H\x9d\xeeW\\%\xbe/\xbaT\x89\xe8\xa7'
\ No newline at end of file
diff --git a/templates/lgproxy.cfg.j2 b/templates/lgproxy.cfg.j2
new file mode 100644
index 0000000..9f592b0
--- /dev/null
+++ b/templates/lgproxy.cfg.j2
@@ -0,0 +1,10 @@
+DEBUG=False
+LOG_FILE="{{ bird_lg_log_path }}/lg-proxy.log"
+LOG_LEVEL="WARNING"
+BIND_IP = "{{ bird_lg_proxy_bind }}"
+BIND_PORT = {{ bird_lg_proxy_port }}
+ACCESS_LIST = {{ bird_lg_access }}
+IPV4_SOURCE=""
+IPV6_SOURCE=""
+BIRD_SOCKET="/var/run/bird/bird.ctl"
+BIRD6_SOCKET="/var/run/bird/bird6.ctl"
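Review bot: `SESSION_KEY` is a fixed literal baked into the template, so every deployment of this role shares the same Flask session-signing secret and anyone who can read the role's repository can forge session cookies for any looking glass it deploys; make it a required variable with no default, rendered as `SESSION_KEY = {{ bird_lg_session_key | to_json }}` and fed from Ansible Vault or a per-host secret store, and treat the committed value as burned. `DEBUG = True` on the second line is the Flask debug flag; if lg.py passes it to the application it turns on the Werkzeug debugger, whose interactive console hands code execution to anyone who can trigger an exception on a 0.0.0.0 listener — set `DEBUG = False` here (lgproxy.cfg.j2 already does) and expose it as `bird_lg_webservice_debug` if a toggle is wanted. `ROUTER_IP` emits `{{ proxy.ips }}` as Ansible's raw list repr, which happens to be a valid Python literal; `{{ proxy.ips | to_json }}` makes the rendering deterministic across Ansible and Python versions.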
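Review bot: `ACCESS_LIST = {{ bird_lg_access }}` is the only gate in front of `BIRD_SOCKET`/`BIRD6_SOCKET` below, and it is rendered as Ansible's raw list repr rather than an explicit literal; use `{{ bird_lg_access | to_json }}` for a stable Python list and add a comment above it, `# ACCESS_LIST is the sole access control for this proxy; keep BIND_IP off public interfaces where possible`, since an IP allow-list is bypassed from any shared NAT or a compromised listed host and the role default for `BIND_IP` is 0.0.0.0. `IPV4_SOURCE`/`IPV6_SOURCE` are empty and undocumented; a one-line comment on what they select (presumably source addresses for outgoing probes — confirm against lgproxy.py) would help operators. `BIRD_SOCKET` and `BIRD6_SOCKET` are hard-coded while the proxy unit's commented `ReadWritePaths` repeat the same paths; making them role variables keeps the two in step when enabling sandboxing.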