2 # Cookbook:: networking
5 # Copyright:: 2010, OpenStreetMap Foundation.
6 # Copyright:: 2009, Opscode, Inc.
8 # Licensed under the Apache License, Version 2.0 (the "License");
9 # you may not use this file except in compliance with the License.
10 # You may obtain a copy of the License at
12 # https://www.apache.org/licenses/LICENSE-2.0
14 # Unless required by applicable law or agreed to in writing, software
15 # distributed under the License is distributed on an "AS IS" BASIS,
16 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 # See the License for the specific language governing permissions and
18 # limitations under the License.
21 # * node[:networking][:nameservers]
26 keys = data_bag_item("networking", "keys")
33 "renderer" => "networkd",
40 node[:networking][:interfaces].each do |name, interface|
41 if interface[:interface]
42 if interface[:role] && (role = node[:networking][:roles][interface[:role]])
43 if interface[:inet] && role[:inet]
44 node.default[:networking][:interfaces][name][:inet][:prefix] = role[:inet][:prefix]
45 node.default[:networking][:interfaces][name][:inet][:gateway] = role[:inet][:gateway]
46 node.default[:networking][:interfaces][name][:inet][:routes] = role[:inet][:routes]
49 if interface[:inet6] && role[:inet6]
50 node.default[:networking][:interfaces][name][:inet6][:prefix] = role[:inet6][:prefix]
51 node.default[:networking][:interfaces][name][:inet6][:gateway] = role[:inet6][:gateway]
52 node.default[:networking][:interfaces][name][:inet6][:routes] = role[:inet6][:routes]
55 node.default[:networking][:interfaces][name][:metric] = role[:metric]
56 node.default[:networking][:interfaces][name][:zone] = role[:zone]
59 interface = node[:networking][:interfaces][name]
61 deviceplan = if interface[:interface] =~ /^(.*)\.(\d+)$/
62 netplan["network"]["vlans"][interface[:interface]] ||= {
63 "id" => Regexp.last_match(2).to_i,
64 "link" => Regexp.last_match(1),
69 elsif interface[:interface] =~ /^bond\d+$/
70 netplan["network"]["bonds"][interface[:interface]] ||= {
76 netplan["network"]["ethernets"][interface[:interface]] ||= {
84 deviceplan["addresses"].push("#{interface[:inet][:address]}/#{interface[:inet][:prefix]}")
88 deviceplan["addresses"].push("#{interface[:inet6][:address]}/#{interface[:inet6][:prefix]}")
92 deviceplan["mtu"] = interface[:mtu]
96 deviceplan["interfaces"] = interface[:bond][:slaves].to_a
98 deviceplan["parameters"] = {
99 "mode" => interface[:bond][:mode] || "active-backup",
100 "mii-monitor-interval" => interface[:bond][:miimon] || 100,
101 "down-delay" => interface[:bond][:downdelay] || 200,
102 "up-delay" => interface[:bond][:updelay] || 200
105 deviceplan["parameters"]["primary"] = interface[:bond][:slaves].first if deviceplan["parameters"]["mode"] == "active-backup"
106 deviceplan["parameters"]["transmit-hash-policy"] = interface[:bond][:xmithashpolicy] if interface[:bond][:xmithashpolicy]
107 deviceplan["parameters"]["lacp-rate"] = interface[:bond][:lacprate] if interface[:bond][:lacprate]
111 if interface[:inet][:gateway] && interface[:inet][:gateway] != interface[:inet][:address]
112 deviceplan["routes"].push(
114 "via" => interface[:inet][:gateway],
115 "metric" => interface[:metric],
120 if interface[:inet][:routes]
121 interface[:inet][:routes].each do |to, parameters|
122 next if parameters[:via] == interface[:inet][:address]
128 route["type"] = parameters[:type] if parameters[:type]
129 route["via"] = parameters[:via] if parameters[:via]
130 route["metric"] = parameters[:metric] if parameters[:metric]
132 deviceplan["routes"].push(route)
138 if interface[:inet6][:gateway] && interface[:inet6][:gateway] != interface[:inet6][:address]
139 deviceplan["routes"].push(
141 "via" => interface[:inet6][:gateway],
142 "metric" => interface[:metric],
146 # This ordering relies on systemd-networkd adding routes
147 # in reverse order and will need moving before the previous
148 # route once that is fixed:
150 # https://github.com/systemd/systemd/issues/5430
151 # https://github.com/systemd/systemd/pull/10938
152 if !IPAddr.new(interface[:inet6][:address]).mask(interface[:inet6][:prefix]).include?(interface[:inet6][:gateway]) &&
153 !IPAddr.new("fe80::/64").include?(interface[:inet6][:gateway])
154 deviceplan["routes"].push(
155 "to" => interface[:inet6][:gateway],
161 if interface[:inet6][:routes]
162 interface[:inet6][:routes].each do |to, parameters|
163 next if parameters[:via] == interface[:inet6][:address]
169 route["type"] = parameters[:type] if parameters[:type]
170 route["via"] = parameters[:via] if parameters[:via]
171 route["metric"] = parameters[:metric] if parameters[:metric]
173 deviceplan["routes"].push(route)
178 node.rm(:networking, :interfaces, name)
182 netplan["network"]["bonds"].each_value do |bond|
183 bond["interfaces"].each do |interface|
184 netplan["network"]["ethernets"][interface] ||= { "accept-ra" => false, "optional" => true }
188 netplan["network"]["vlans"].each_value do |vlan|
189 unless vlan["link"] =~ /^bond\d+$/
190 netplan["network"]["ethernets"][vlan["link"]] ||= { "accept-ra" => false }
194 file "/etc/netplan/00-installer-config.yaml" do
198 file "/etc/netplan/01-netcfg.yaml" do
202 file "/etc/netplan/50-cloud-init.yaml" do
206 file "/etc/netplan/99-chef.yaml" do
210 content YAML.dump(netplan)
213 package "cloud-init" do
217 if node[:networking][:wireguard][:enabled]
218 wireguard_id = persistent_token("networking", "wireguard")
220 node.default[:networking][:wireguard][:address] = "fd43:e709:ea6d:1:#{wireguard_id[0, 4]}:#{wireguard_id[4, 4]}:#{wireguard_id[8, 4]}:#{wireguard_id[12, 4]}"
222 package "wireguard-tools" do
224 options "--no-install-recommends"
227 directory "/var/lib/systemd/wireguard" do
229 group "systemd-network"
234 file "/var/lib/systemd/wireguard/private.key" do
235 action :create_if_missing
237 group "systemd-network"
239 content %x(wg genkey)
243 node.default[:networking][:wireguard][:public_key] = %x(wg pubkey < /var/lib/systemd/wireguard/private.key).chomp
245 file "/var/lib/systemd/wireguard/preshared.key" do
246 action :create_if_missing
248 group "systemd-network"
250 content keys["wireguard"]
253 if node[:roles].include?("gateway")
254 search(:node, "roles:gateway") do |gateway|
255 next if gateway.name == node.name
256 next unless gateway[:networking][:wireguard] && gateway[:networking][:wireguard][:enabled]
258 allowed_ips = gateway.ipaddresses(:role => :internal).map(&:subnet)
260 node.default[:networking][:wireguard][:peers] << {
261 :public_key => gateway[:networking][:wireguard][:public_key],
262 :allowed_ips => allowed_ips,
263 :endpoint => "#{gateway.name}:51820"
267 search(:node, "roles:prometheus") do |server|
268 allowed_ips = server.ipaddresses(:role => :internal).map(&:subnet)
270 if server[:networking][:private_address]
271 allowed_ips << "#{server[:networking][:private_address]}/32"
274 node.default[:networking][:wireguard][:peers] << {
275 :public_key => server[:networking][:wireguard][:public_key],
276 :allowed_ips => allowed_ips,
277 :endpoint => "#{server.name}:51820"
281 node.default[:networking][:wireguard][:peers] << {
282 :public_key => "7Oj9ufNlgidyH/xDc+aHQKMjJPqTmD/ab13agMh6AxA=",
283 :allowed_ips => "10.0.16.1/32",
284 :endpoint => "gate.compton.nu:51820"
288 node.default[:networking][:wireguard][:peers] << {
289 :public_key => "RofATnvlWxP3mt87+QKRXFE5MVxtoCcTsJ+yftZYEE4=",
290 :allowed_ips => "10.89.122.1/32",
291 :endpoint => "gate.firefishy.com:51820"
295 node.default[:networking][:wireguard][:peers] << {
296 :public_key => "YbUkREE9TAmomqgL/4Fh2e5u2Hh7drN/2o5qg3ndRxg=",
297 :allowed_ips => "10.89.123.1/32",
298 :endpoint => "roaming.firefishy.com:51820"
300 elsif node[:roles].include?("shenron")
301 search(:node, "roles:gateway") do |gateway|
302 allowed_ips = gateway.ipaddresses(:role => :internal).map(&:subnet)
304 node.default[:networking][:wireguard][:peers] << {
305 :public_key => gateway[:networking][:wireguard][:public_key],
306 :allowed_ips => allowed_ips,
307 :endpoint => "#{gateway.name}:51820"
312 template "/etc/systemd/network/wireguard.netdev" do
313 source "wireguard.netdev.erb"
315 group "systemd-network"
319 template "/etc/systemd/network/wireguard.network" do
320 source "wireguard.network.erb"
326 execute "networkctl-delete-wg0" do
328 command "networkctl delete wg0"
329 subscribes :run, "template[/etc/systemd/network/wireguard.netdev]"
330 only_if { ::File.exist?("/sys/class/net/wg0") }
333 execute "networkctl-reload" do
335 command "networkctl reload"
336 subscribes :run, "template[/etc/systemd/network/wireguard.netdev]"
337 subscribes :run, "template[/etc/systemd/network/wireguard.network]"
342 ohai "reload-hostname" do
347 execute "hostnamectl-set-hostname" do
348 command "hostnamectl set-hostname #{node[:networking][:hostname]}"
349 notifies :reload, "ohai[reload-hostname]"
350 not_if { kitchen? || node[:hostnamectl][:static_hostname] == node[:networking][:hostname] }
353 template "/etc/hosts" do
361 service "systemd-resolved" do
362 action [:enable, :start]
365 directory "/etc/systemd/resolved.conf.d" do
371 template "/etc/systemd/resolved.conf.d/99-chef.conf" do
372 source "resolved.conf.erb"
376 notifies :restart, "service[systemd-resolved]", :immediately
379 if node[:filesystem][:by_mountpoint][:"/etc/resolv.conf"]
380 execute "umount-resolve-conf" do
381 command "umount -c /etc/resolv.conf"
385 link "/etc/resolv.conf" do
386 to "../run/systemd/resolve/stub-resolv.conf"
389 hosts = { :inet => [], :inet6 => [] }
391 search(:node, "networking:interfaces").collect do |n|
392 next if n[:fqdn] == node[:fqdn]
394 n.interfaces.each do |interface|
395 next unless interface[:role] == "external"
397 hosts[:inet] << interface[:inet][:address] if interface[:inet]
398 hosts[:inet6] << interface[:inet6][:address] if interface[:inet6]
406 node.interfaces(:role => :external).each do |interface|
407 interfaces << interface[:interface]
410 template "/etc/nftables.conf" do
411 source "nftables.conf.erb"
415 variables :interfaces => interfaces, :hosts => hosts
416 notifies :reload, "service[nftables]"
419 directory "/var/lib/nftables" do
425 template "/usr/local/bin/nftables" do
426 source "nftables.erb"
432 systemd_service "nftables-stop" do
438 systemd_service "nftables-chef" do
441 exec_start "/usr/local/bin/nftables start"
442 exec_reload "/usr/local/bin/nftables reload"
443 exec_stop "/usr/local/bin/nftables stop"
446 if node[:networking][:firewall][:enabled]
447 service "nftables" do
448 action [:enable, :start]
451 service "nftables" do
452 action [:disable, :stop]
456 if node[:networking][:wireguard][:enabled]
457 firewall_rule "accept-wireguard" do
461 source :osm unless node[:roles].include?("gateway")
467 firewall_rule "accept-http" do
471 dest_ports %w[http https]
472 rate_limit node[:networking][:firewall][:http_rate_limit]
473 connection_limit node[:networking][:firewall][:http_connection_limit]