feat(terraform): mikrotik #338

Closed
wants to merge 39 commits into from
0a833ef
Add provider configuration
mircea-pavel-anton May 21, 2024
d03e941
Set hostname
mircea-pavel-anton May 21, 2024
71aeadc
Set dns server
mircea-pavel-anton May 21, 2024
4b3039c
configure wan iface to 100M max due to negotiation issues caused by a…
mircea-pavel-anton May 21, 2024
f957ff6
add comments to interfaces for lan devices
mircea-pavel-anton May 21, 2024
f3cd477
add comment for management interface
mircea-pavel-anton May 21, 2024
71f10b6
disable unused interfaces
mircea-pavel-anton May 21, 2024
911b0db
Set timezone
mircea-pavel-anton May 21, 2024
621e6ff
Configure dhcp client on WAN
mircea-pavel-anton May 21, 2024
fba81e2
Create LAN bridge
mircea-pavel-anton May 21, 2024
2b29647
configure LAN DHCP
mircea-pavel-anton May 21, 2024
3e6a962
add bridge ports to LAN bridge
mircea-pavel-anton May 21, 2024
45f6eb6
add static dhcp leases for lan
mircea-pavel-anton May 21, 2024
5533498
configure NAT on WAN bridge
mircea-pavel-anton May 21, 2024
2991b32
configure WAN bridge :)
mircea-pavel-anton May 21, 2024
16f8206
run `terraform fmt`
mircea-pavel-anton May 21, 2024
cc25018
put dhcp client on bridge not on port
mircea-pavel-anton May 21, 2024
f6e80a2
advertise 100M full duplex only
mircea-pavel-anton May 21, 2024
8466c1e
add static dhcp leases for kube nodes
mircea-pavel-anton May 21, 2024
6169cd2
rename truenas lan lease
mircea-pavel-anton May 21, 2024
713435c
add local dns for kube stuff
mircea-pavel-anton May 21, 2024
07afd00
wip: defconf fw rules
mircea-pavel-anton May 21, 2024
c651b45
WIP: add some firewall rules
mircea-pavel-anton May 22, 2024
92a01ec
rename files
mircea-pavel-anton May 23, 2024
fbdbcea
migrate to interface lists vs random bridges
mircea-pavel-anton May 23, 2024
c76924c
define interface lists
mircea-pavel-anton May 23, 2024
71542f1
update interface lists and firewall rules
mircea-pavel-anton May 25, 2024
46f7b88
set dhcp lease for proxmox management
mircea-pavel-anton May 27, 2024
fc85dc2
add LAN interface for Proxmox
mircea-pavel-anton May 27, 2024
e59a3eb
enable proxmox interface :)
mircea-pavel-anton May 27, 2024
eb50d78
fix
mircea-pavel-anton May 27, 2024
377b6ff
configure ip services and tls
mircea-pavel-anton May 27, 2024
b1957fa
use python-bullseye as the base image
mircea-pavel-anton May 28, 2024
8377097
disable conflict detection on lan dhcp
mircea-pavel-anton May 28, 2024
e3506d1
update firewall rules
mircea-pavel-anton May 28, 2024
9ba779d
WIP: ansible tests????
mircea-pavel-anton May 28, 2024
f3ddb67
upgrade terraform provider
mircea-pavel-anton Jun 5, 2024
4e2c937
disable/bind tool/servers to interfaces
mircea-pavel-anton Jun 5, 2024
9327f66
remove tests, wtf was i thinking
mircea-pavel-anton Jun 5, 2024
2 changes: 1 addition & 1 deletion .devcontainer/Dockerfile
Expand Up @@ -54,7 +54,7 @@ RUN wget https://github.com/cilium/cilium-cli/releases/download/${CILIUM_VERSION
## ================================================================================================
## Main image
## ================================================================================================
FROM mcr.microsoft.com/devcontainers/base:bullseye AS workspace
FROM mcr.microsoft.com/devcontainers/python:3.9-bullseye AS workspace
ENV EDITOR=vim

RUN DEBIAN_FRONTEND=noninteractive \
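Review bot: the switch to python:3.9-bullseye was introduced for the Ansible tests (commit 9ba779d), but those tests were removed again in 9327f66, so nothing left in this PR needs Python in the devcontainer; either revert this line or state in the PR what still depends on it. If it stays, pin the image by digest rather than a floating tag, as the tools fetched above it are pinned through version variables.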
3 changes: 3 additions & 0 deletions terraform/mikrotik/_locals.tf
@@ -0,0 +1,3 @@
locals {
local_domain = "mirceanton.com"
}
15 changes: 15 additions & 0 deletions terraform/mikrotik/_provider.tf
@@ -0,0 +1,15 @@
terraform {
required_providers {
routeros = {
source = "terraform-routeros/routeros"
version = "1.54.2"
}
}
}

provider "routeros" {
hosturl = var.mikrotik_router_url
username = var.mikrotik_router_username
password = var.mikrotik_router_password
insecure = var.mikrotik_router_insecure_skip_tls_verify
}
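Review bot: hosturl is passed straight from var.mikrotik_router_url with no constraint, yet ip-services.tf in this same PR disables the plain www (80) and api (8728) services, so after the first apply only an https:// URL will keep working; say so in the variable description or add a validation block on the variable that rejects http:// URLs. A required_version constraint beside required_providers would also make the Terraform version reproducible alongside the provider pin.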
21 changes: 21 additions & 0 deletions terraform/mikrotik/_variables.tf
@@ -0,0 +1,21 @@
variable "mikrotik_router_username" {
type = string
default = "admin"
description = "The username to authenticate against the RouterOS API on the RB5009."
}

variable "mikrotik_router_password" {
type = string
description = "The password to authenticate against the RouterOS API on the RB5009."
}

variable "mikrotik_router_url" {
type = string
description = "The URL for the RouterOS API on the RB5009."
}

variable "mikrotik_router_insecure_skip_tls_verify" {
type = bool
default = true
description = "Whether or not to check for certificate validity"
}
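Review bot: mikrotik_router_password has no sensitive = true, so its value can appear in plan/apply output and in provider error messages; add it. mikrotik_router_insecure_skip_tls_verify defaults to true and its description ("Whether or not to check for certificate validity") reads inverted: true here means the router's certificate is not checked. Default it to false and describe it as skipping TLS verification, so callers opt in explicitly; ip-services.tf already provisions a certificate for api-ssl, so the default should not need to be permissive.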
85 changes: 85 additions & 0 deletions terraform/mikrotik/firewall.tf
@@ -0,0 +1,85 @@
## ================================================================================================
## Interface Lists
## ================================================================================================
#################### EXPOSURE LEVEL GROUPING ####################
resource "routeros_interface_list" "external" { name = "external" }
resource "routeros_interface_list" "internal" { name = "internal" }

#################### TRUST LEVEL GROUPING ####################
resource "routeros_interface_list" "private_trusted" { name = "private_trusted" }
resource "routeros_interface_list" "private_untrusted" { name = "private_untrusted" }



## ================================================================================================
## NAT Rules
## ================================================================================================
resource "routeros_ip_firewall_nat" "nat" {
action = "masquerade"
chain = "srcnat"
out_interface = routeros_interface_ethernet.wan.factory_name
}



## ================================================================================================
## Firewall Rules
## ================================================================================================
resource "routeros_ip_firewall_filter" "rule_1" {
comment="defconf: accept established,related,untracked"
chain = "input"
action="accept"
place_before = routeros_ip_firewall_filter.rule_2.id
}
resource "routeros_ip_firewall_filter" "rule_2" {
comment="defconf: fasttrack"
chain = "forward"
action="fasttrack-connection"
connection_state="established,related"
hw_offload = true
place_before = routeros_ip_firewall_filter.rule_3.id
}
resource "routeros_ip_firewall_filter" "rule_3" {
chain = "forward"
action="accept"
connection_state="established,related,untracked"
comment="defconf: accept established,related, untracked"
place_before = routeros_ip_firewall_filter.rule_4.id
}
resource "routeros_ip_firewall_filter" "rule_4" {
comment="defconf: drop invalid"
chain = "input"
action="drop"
connection_state="invalid"
place_before = routeros_ip_firewall_filter.rule_5.id
}
resource "routeros_ip_firewall_filter" "rule_5" {
comment="block untrusted -> trusted"
chain = "forward"
action="drop"
src_address_list = "private_untrusted"
dst_address_list = "private_trusted"
place_before = routeros_ip_firewall_filter.rule_6.id
}
resource "routeros_ip_firewall_filter" "rule_6" {
chain = "input"
action="drop"
in_interface_list="!internal"
comment="defconf: drop all not coming from internal networks"
place_before = routeros_ip_firewall_filter.rule_7.id
}
resource "routeros_ip_firewall_filter" "rule_7" {
chain = "forward"
action="drop"
connection_state="invalid"
comment="defconf: drop invalid"
place_before = routeros_ip_firewall_filter.rule_8.id
}
resource "routeros_ip_firewall_filter" "rule_8" {
chain = "forward"
action="drop"
connection_state="new"
connection_nat_state="!dstnat"
in_interface_list="external"
comment="defconf: drop all from external interfaces not DSTNATed"
}
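Review bot: rule_1 sets no connection_state, so with chain = "input", action = "accept" and first position it accepts every packet addressed to the router itself, and rule_4 (drop invalid) and rule_6 (drop all not coming from internal) never match; add connection_state = "established,related,untracked" as the comment promises. Separately, rule_5 matches on src_address_list = "private_untrusted" and dst_address_list = "private_trusted", but those names are the routeros_interface_list resources declared at the top of this file, not address lists, so the rule matches nothing and untrusted-to-trusted forwarding is not blocked; use in_interface_list = routeros_interface_list.private_untrusted.name and out_interface_list = routeros_interface_list.private_trusted.name instead.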
67 changes: 67 additions & 0 deletions terraform/mikrotik/interfaces.tf
@@ -0,0 +1,67 @@
resource "routeros_interface_ethernet" "wan" {
factory_name = "ether1"
name = "ether1"
comment = "WAN"
l2mtu = 1514
advertise = "100M-baseT-full"
}

resource "routeros_interface_ethernet" "desktop" {
factory_name = "ether2"
name = "ether2"
comment = "desktop"
l2mtu = 1514
}

resource "routeros_interface_ethernet" "access_point" {
factory_name = "ether3"
name = "ether3"
comment = "cAP"
l2mtu = 1514
}

resource "routeros_interface_ethernet" "truenas" {
factory_name = "ether4"
name = "ether4"
comment = "TrueNAS"
l2mtu = 1514
}

resource "routeros_interface_ethernet" "home_assistant" {
factory_name = "ether5"
name = "ether5"
comment = "HomeAssistant"
l2mtu = 1514
}

resource "routeros_interface_ethernet" "proxmox_lan" {
factory_name = "ether6"
name = "ether6"
comment = "Proxmox LAN"
disabled = false
l2mtu = 1514
}

resource "routeros_interface_ethernet" "ether7" {
factory_name = "ether7"
name = "ether7"
comment = "N/A"
disabled = true
l2mtu = 1514
}

resource "routeros_interface_ethernet" "management" {
factory_name = "ether8"
name = "ether8"
comment = "Management"
l2mtu = 1514
}

resource "routeros_interface_ethernet" "sfp-sfpplus1" {
factory_name = "sfp-sfpplus1"
name = "sfp-sfpplus1"
comment = "N/A"
l2mtu = 1514
disabled = true
sfp_shutdown_temperature = 90
}
56 changes: 56 additions & 0 deletions terraform/mikrotik/ip-services.tf
@@ -0,0 +1,56 @@
locals {
tls_service = {"api-ssl" = 8729, "www-ssl" = 443}
disable_service = {"api" = 8728, "ftp" = 21, "telnet" = 23, "www" = 80, "ssh" = 22}
enable_service = { "winbox" = 8291}
}

resource "routeros_ip_service" "disabled" {
for_each = local.disable_service
numbers = each.key
port = each.value
disabled = true
}


resource "routeros_ip_service" "enabled" {
for_each = local.enable_service
numbers = each.key
port = each.value
address = "${routeros_ip_address.management.network}/24,${routeros_ip_dhcp_server_lease.lan_desktop.address}/32"
disabled = false
}


resource "routeros_system_certificate" "webfig" {
name = "webfig"
common_name = routeros_ip_dns_record.mgmt_self.name
subject_alt_name = ""#"IP:${routeros_ip_dns_record.mgmt_self.name},DNS:${routeros_ip_dns_record.lan_self.name},IP:${routeros_ip_dns_record.lan_self.address}"

country = "RO"
locality = "BUC"
organization = "MIRCEANTON"
unit = "HOME"
days_valid = 3650

key_usage = ["key-cert-sign", "crl-sign", "digital-signature", "key-agreement", "tls-server"]
key_size = "prime256v1"

trusted = true

lifecycle {
ignore_changes = [
sign,
]
}
}

resource "routeros_ip_service" "api-ssl" {
for_each = local.tls_service
numbers = each.key
port = each.value

address = "${routeros_ip_address.management.network}/24,${routeros_ip_dhcp_server_lease.lan_desktop.address}/32"
tls_version = "only-1.2"
disabled = false
certificate = routeros_system_certificate.webfig.name
}
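Review bot: subject_alt_name = "" leaves the webfig certificate with only a CN, which current browsers and most TLS clients ignore for hostname matching, so www-ssl will still present a certificate error; restore the DNS:/IP: SAN list that is commented out on the same line. The key_usage list also carries key-cert-sign and crl-sign, which are CA usages a TLS leaf certificate should not have, and trusted = true adds the certificate to the router's own trust store, which a server certificate does not need; drop those and keep digital-signature, key-agreement and tls-server. Minor: "${routeros_ip_address.management.network}/24" hardcodes the prefix length in both the winbox and the TLS service allow-lists; derive it from the management address resource so the allow-list cannot drift from the real subnet.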