ao - yume bgp

nna774 · nna774 · commit 567ef3615741 · 2024-06-16T03:40:39.000+09:00
diff --git a/itamae/hosts/ao/default.rb b/itamae/hosts/ao/default.rb
@@ -1,5 +1,12 @@
 node.reverse_merge!({
-
+  ebgp_router: {
+    id: '192.50.220.191',
+    as: 64777,
+    local: {
+      v4: '192.50.220.191',
+      v6: '2001:df0:8500:a717::1',
+    },
+  },
 })
 
 # シリアルで入れないのはデバッグに不便なので入れるようにする。
@@ -45,21 +52,45 @@
 end
 
 %w(
-  /etc/systemd/network/11-enp11s0f0.network
-  /etc/systemd/network/12-enp11s0f1.network
+  01-lo.network
+  11-enp11s0f0.network
+  12-enp11s0f1.network
+  31-t_yume.netdev
+  32-t_yume.network
 ).each do |f|
-  remote_file f do
+  remote_file "/etc/systemd/network/#{f}" do
     owner 'root'
     group 'root'
     mode '644'
     notifies :restart, 'service[systemd-networkd]'
   end
 end
 
+include_role 'ebgp-router'
+
+%w(
+  t_yume.conf
+  static.conf
+).each do |t|
+  template "/etc/bird/bird.conf.d/#{t}" do
+    owner 'root'
+    group 'root'
+    mode '644'
+    notifies :restart, 'service[bird]'
+  end
+end
+
+service 'bird' do
+  action [:enable, :start]
+end
+
 include_cookbook 'sshd'
 
 %w(
   bind9-dnsutils
+  tcpdump
+  htop
+  mtr
 ).each do |p|
   package p
 end
diff --git a/itamae/hosts/ao/files/etc/systemd/network/01-lo.network b/itamae/hosts/ao/files/etc/systemd/network/01-lo.network
@@ -2,5 +2,8 @@
 Name=lo
 
 [Network]
-Address=192.50.220.185/32
+Address=192.50.220.191/32
+Scope=global
 
+[Network]
+Address=2001:df0:8500:a717::1/64
diff --git a/itamae/hosts/ao/files/etc/systemd/network/11-enp11s0f0.network b/itamae/hosts/ao/files/etc/systemd/network/11-enp11s0f0.network
@@ -7,5 +7,10 @@ Name=enp11s0f0
 Address=240b:250:8020:d00::17/64
 IPv6AcceptRA=true
 
-[Route]
+Tunnel=t_yume
 
+[Route]
+Destination=::/0
+Gateway=fe80::a
+Table=100
+Metric=2000
diff --git a/itamae/hosts/ao/files/etc/systemd/network/12-enp11s0f1.network b/itamae/hosts/ao/files/etc/systemd/network/12-enp11s0f1.network
@@ -6,7 +6,6 @@ Name=enp11s0f1
 Address=10.8.30.17/24
 DNS=10.8.192.42
 DNS=10.8.208.42
-# Address=2001:df0:8500:a7a3::17/64
 
 IPv6AcceptRA=false
 
diff --git a/itamae/hosts/ao/files/etc/systemd/network/31-t_yume.netdev b/itamae/hosts/ao/files/etc/systemd/network/31-t_yume.netdev
@@ -0,0 +1,9 @@
+[NetDev]
+Name=t_yume
+Kind=ip6tnl
+
+[Tunnel]
+Local=240b:250:8020:d00::17
+Remote=2001:f74:9800:400::eb96
+Mode=any
+EncapsulationLimit=none
diff --git a/itamae/hosts/ao/files/etc/systemd/network/32-t_yume.network b/itamae/hosts/ao/files/etc/systemd/network/32-t_yume.network
@@ -0,0 +1,11 @@
+[Match]
+Name=t_yume
+
+[Network]
+DHCP=off
+IPv6AcceptRA=no
+IPForward=yes
+
+[Address]
+Address=2001:0df0:8500:0022::120:13/128
+Peer=2001:0df0:8500:0022::120:12/128
diff --git a/itamae/hosts/ao/templates/etc/bird/bird.conf.d/static.conf b/itamae/hosts/ao/templates/etc/bird/bird.conf.d/static.conf
@@ -0,0 +1,14 @@
+/*
+protocol static static6 {
+  route 240b:250:8020:d00::/64 via 240b:250:8020:d00::1;
+  igp table t6_igp;
+  ipv6 {
+    table t6_bgp;
+    import filter
+    {
+      bgp_community.add((AS_SELF, C_CTL_ASSUME_BGP));
+      accept;
+    };
+  };
+}
+*/
diff --git a/itamae/hosts/ao/templates/etc/bird/bird.conf.d/t_yume.conf b/itamae/hosts/ao/templates/etc/bird/bird.conf.d/t_yume.conf
@@ -0,0 +1,71 @@
+protocol static static_yume {
+  route 2001:f74:9800:400::eb96/128 via fe80::212:e2ff:fe70:b200%enp11s0f0;
+  igp table t6_igp;
+  ipv6 {
+    table t6_bgp;
+    import filter
+    {
+      bgp_community.add((AS_SELF, C_CTL_ASSUME_BGP));
+      accept;
+    };
+  };
+}
+
+protocol bgp bgp_t_yume
+{
+  local 2001:df0:8500:22::120:13 as 64777;
+  neighbor 2001:df0:8500:22::120:12 as 59128;
+
+  password "<%= node[:secrets].fetch(:bgp_secret_yume) %>";
+
+  hold time 30;
+  startup hold time 90;
+  keepalive time 6;
+  connect retry time 5;
+  connect delay time 5;
+  error wait time 30, 30;
+  error forget time 30;
+  default bgp_local_pref 200;
+
+  ipv4 {
+    table t4_bgp;
+    igp table t4_igp;
+    preference 200;
+    next hop address 2001:df0:8500:22::120:13;
+    extended next hop on;
+
+    import filter
+    {
+      accept;
+      filter_accept_default_route();
+      reject;
+    };
+
+    export filter
+    {
+      if ( net ~ [ 192.50.220.191/32 ]) then accept;
+      reject;
+    };
+  };
+
+
+  ipv6 {
+    table t6_bgp;
+    igp table t6_igp;
+    preference 200;
+    next hop self on;
+
+    import filter
+    {
+      accept;
+      filter_accept_default_route();
+      reject;
+    };
+
+    export filter
+    {
+      if ( net ~ [ 2001:0df0:8500:a717::/64+ ]) then accept;
+      reject;
+    };
+  };
+}
diff --git a/itamae/roles/ebgp-router/default.rb b/itamae/roles/ebgp-router/default.rb
@@ -0,0 +1,20 @@
+package 'bird2'
+
+directory '/etc/bird' do
+  owner 'root'
+  group 'root'
+  mode  '0755'
+end
+
+directory '/etc/bird/bird.conf.d' do
+  owner 'root'
+  group 'root'
+  mode  '0755'
+end
+
+template '/etc/bird/bird.conf' do
+  owner 'root'
+  group 'root'
+  mode '644'
+  notifies :restart, 'service[bird]'
+end
diff --git a/itamae/roles/ebgp-router/templates/etc/bird/bird.conf b/itamae/roles/ebgp-router/templates/etc/bird/bird.conf
diff --git a/itamae/secrets/values/bgp_secret_yume b/itamae/secrets/values/bgp_secret_yume
