From f4ac1f200037d682f4997ff087fb06af1ef4361f Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Fri, 25 Apr 2025 00:34:09 +1000
Subject: [PATCH] feat: manage route-reflectors
- add route-reflector role and hieradata
- enable using dhcp in networkd
- add hieradata/node/* entries for route-reflectors
---
 .../nodes/ausyd1nxvm2000.main.unkin.net.yaml | 5 ++
 .../nodes/ausyd1nxvm2001.main.unkin.net.yaml | 5 ++
 .../nodes/ausyd1nxvm2002.main.unkin.net.yaml | 5 ++
 .../nodes/ausyd1nxvm2003.main.unkin.net.yaml | 5 ++
 .../nodes/ausyd1nxvm2004.main.unkin.net.yaml | 5 ++
 hieradata/roles/infra/incus/node.yaml | 8 ++
 hieradata/roles/infra/mpls/rr.yaml | 79 +++++++++++++++++++
 modules/frrouting/templates/frr.conf.erb | 3 +
 modules/networking/manifests/static.pp | 3 +-
 .../networking/templates/networkd-network.erb | 4 +
 site/profiles/manifests/selinux/frr.pp | 23 +++---
 site/roles/manifests/infra/mpls/rr.pp | 10 +++
 12 files changed, 143 insertions(+), 12 deletions(-)
 create mode 100644 hieradata/nodes/ausyd1nxvm2000.main.unkin.net.yaml
 create mode 100644 hieradata/nodes/ausyd1nxvm2001.main.unkin.net.yaml
 create mode 100644 hieradata/nodes/ausyd1nxvm2002.main.unkin.net.yaml
 create mode 100644 hieradata/nodes/ausyd1nxvm2003.main.unkin.net.yaml
 create mode 100644 hieradata/nodes/ausyd1nxvm2004.main.unkin.net.yaml
 create mode 100644 hieradata/roles/infra/mpls/rr.yaml
 create mode 100644 site/roles/manifests/infra/mpls/rr.pp
diff --git a/hieradata/nodes/ausyd1nxvm2000.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm2000.main.unkin.net.yaml
new file mode 100644
index 0000000..8ff498d
--- /dev/null
+++ b/hieradata/nodes/ausyd1nxvm2000.main.unkin.net.yaml
@@ -0,0 +1,5 @@
+---
+networking_loopback0_ip: 198.18.19.14 # management loopback
+networking::interfaces:
+ eth0:
+ mac: 00:16:3e:69:0f:3b
diff --git a/hieradata/nodes/ausyd1nxvm2001.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm2001.main.unkin.net.yaml
new file mode 100644
index 0000000..ea8429b
--- /dev/null
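Review bot: The node-level `networking::interfaces` here carries only `eth0.mac`, while `hieradata/roles/infra/mpls/rr.yaml` in this same patch defines `eth0` (dhcp, mtu, forwarding) and `loopback0` under the same key; with Hiera's default first-found lookup the node file wins and the role's interface settings, including the loopback that the SSH `ListenAddress` and the LDP router-id in rr.yaml point at, are never applied. Unless a `lookup_options` deep-merge for `networking::interfaces` already exists outside this patch, either declare that merge or move the MAC into a dedicated key (something like `networking_eth0_mac`, name illustrative) that the role yaml references. The same applies to the four sibling node files for ausyd1nxvm2001 through ausyd1nxvm2004.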
+++ b/hieradata/nodes/ausyd1nxvm2001.main.unkin.net.yaml
@@ -0,0 +1,5 @@
+---
+networking_loopback0_ip: 198.18.19.15 # management loopback
+networking::interfaces:
+ eth0:
+ mac: 00:16:3e:55:46:bd
diff --git a/hieradata/nodes/ausyd1nxvm2002.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm2002.main.unkin.net.yaml
new file mode 100644
index 0000000..de5fda3
--- /dev/null
+++ b/hieradata/nodes/ausyd1nxvm2002.main.unkin.net.yaml
@@ -0,0 +1,5 @@
+---
+networking_loopback0_ip: 198.18.19.16 # management loopback
+networking::interfaces:
+ eth0:
+ mac: 00:16:3e:6a:25:6b
diff --git a/hieradata/nodes/ausyd1nxvm2003.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm2003.main.unkin.net.yaml
new file mode 100644
index 0000000..46e4e1c
--- /dev/null
+++ b/hieradata/nodes/ausyd1nxvm2003.main.unkin.net.yaml
@@ -0,0 +1,5 @@
+---
+networking_loopback0_ip: 198.18.19.17 # management loopback
+networking::interfaces:
+ eth0:
+ mac: 00:16:3e:63:89:f2
diff --git a/hieradata/nodes/ausyd1nxvm2004.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm2004.main.unkin.net.yaml
new file mode 100644
index 0000000..a41c3fd
--- /dev/null
+++ b/hieradata/nodes/ausyd1nxvm2004.main.unkin.net.yaml
@@ -0,0 +1,5 @@
+---
+networking_loopback0_ip: 198.18.19.18 # management loopback
+networking::interfaces:
+ eth0:
+ mac: 00:16:3e:ca:e1:51
diff --git a/hieradata/roles/infra/incus/node.yaml b/hieradata/roles/infra/incus/node.yaml
index 2fa57f9..9b26229 100644
--- a/hieradata/roles/infra/incus/node.yaml
+++ b/hieradata/roles/infra/incus/node.yaml
@@ -110,12 +110,16 @@ frrouting::ospfd_interfaces:
 area: 0.0.0.0
 loopback2:
 area: 0.0.0.0
+ brmplscore:
+ area: 0.0.0.0
 frrouting::mpls_te_enabled: true
 frrouting::mpls_ldp_router_id: "%{hiera('networking_loopback0_ip')}"
 frrouting::mpls_ldp_transport_addr: "%{hiera('networking_loopback0_ip')}"
 frrouting::mpls_ldp_interfaces:
+ - loopback0
 - enp2s0
 - enp3s0
+ - brmplscore
 frrouting::daemons:
 ldpd: true
 ospfd: true
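Review bot: `brmplscore` is added as an active OSPF interface in area 0.0.0.0 and as an LDP interface with nothing in the hunk marking it passive or authenticated, so anything attached to that bridge (presumably the new route-reflector guests) can form adjacencies with the host's ospfd and ldpd and influence the host's routing and label tables. If only the reflector guests are expected there this is the intended design, but it deserves a comment naming the bridge's purpose, e.g. `# brmplscore: bridge towards the mpls route-reflector guests; active OSPF/LDP on purpose`; if other guests share the bridge, confine it (OSPF/LDP authentication if the frrouting module exposes it, or a dedicated bridge). Adding `loopback0` to the LDP list here matches the `net.mpls.conf.loopback0.input` sysctl in the second hunk of this file. `frrouting::ospfd_interfaces` begins above the hunk.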
@@ -199,6 +203,10 @@ sysctl::base::values:
 value: '1'
 net.mpls.conf.enp3s0.input:
 value: '1'
+ net.mpls.conf.brmplscore.input:
+ value: '1'
+ net.mpls.conf.loopback0.input:
+ value: '1'
 # limits.d recommendations
 limits::entries:
diff --git a/hieradata/roles/infra/mpls/rr.yaml b/hieradata/roles/infra/mpls/rr.yaml
new file mode 100644
index 0000000..fbad875
--- /dev/null
+++ b/hieradata/roles/infra/mpls/rr.yaml
@@ -0,0 +1,79 @@
+---
+hiera_include:
+ - profiles::selinux::frr
+ - frrouting
+
+# additional repos
+profiles::yum::global::repos:
+ frr-extras:
+ name: frr-extras
+ descr: frr-extras repository
+ target: /etc/yum.repos.d/frr-extras.repo
+ baseurl: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os
+ gpgkey: https://packagerepo.service.consul/frr/el9/extras-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+ mirrorlist: absent
+ frr-stable:
+ name: frr-stable
+ descr: frr-stable repository
+ target: /etc/yum.repos.d/frr-stable.repo
+ baseurl: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os
+ gpgkey: https://packagerepo.service.consul/frr/el9/stable-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-FRR
+ mirrorlist: absent
+
+# networking
+systemd::manage_networkd: true
+systemd::manage_all_network_files: true
+networking::interfaces:
+ eth0:
+ dhcp: true
+ type: physical
+ mtu: 8000
+ forwarding: true
+ loopback0:
+ type: dummy
+ ipaddress: "%{hiera('networking_loopback0_ip')}"
+ netmask: 255.255.255.255
+ mtu: 8000
+
+# frrouting
+frrouting::ospfd_router_id: "%{hiera('networking_loopback0_ip')}"
+frrouting::ospfd_redistribute:
+ - connected
+frrouting::ospfd_interfaces:
+ eth0:
+ area: 0.0.0.0
+ loopback0:
+ area: 0.0.0.0
+frrouting::mpls_te_enabled: true
+frrouting::mpls_ldp_router_id: "%{hiera('networking_loopback0_ip')}"
+frrouting::mpls_ldp_transport_addr: "%{hiera('networking_loopback0_ip')}"
+frrouting::mpls_ldp_interfaces:
+ - eth0
+ - loopback0
+frrouting::daemons:
+ ldpd: true
+ ospfd: true
+
+# add loopback interfaces to ssh list
+ssh::server::options:
+ ListenAddress:
+ - "%{hiera('networking_loopback0_ip')}"
+
+# sysctl recommendations
+sysctl::base::values:
+ net.ipv4.conf.all.forwarding:
+ value: '1'
+ net.ipv6.conf.all.forwarding:
+ value: '1'
+ net.ipv4.tcp_l3mdev_accept:
+ value: '0'
+ net.ipv4.conf.default.rp_filter:
+ value: '0'
+ net.ipv4.conf.all.rp_filter:
+ value: '0'
+ net.mpls.platform_labels:
+ value: '1048575'
+ net.mpls.conf.eth0.input:
+ value: '1'
+ net.mpls.conf.loopback0.input:
+ value: '1'
diff --git a/modules/frrouting/templates/frr.conf.erb b/modules/frrouting/templates/frr.conf.erb
index 4e6668b..2a06218 100644
--- a/modules/frrouting/templates/frr.conf.erb
+++ b/modules/frrouting/templates/frr.conf.erb
@@ -10,6 +10,9 @@ interface <%= iface %>
 <% if params['passive'] == true -%>
 ip ospf passive
 <% end -%>
+<% if @mpls_ldp_interfaces and @mpls_ldp_interfaces.include?(iface) -%>
+ mpls enable
+<% end -%>
 exit
 <% end -%>
 router ospf
diff --git a/modules/networking/manifests/static.pp b/modules/networking/manifests/static.pp
index 018ef89..8110d8a 100644
--- a/modules/networking/manifests/static.pp
+++ b/modules/networking/manifests/static.pp
@@ -1,10 +1,11 @@
 # manage static interfaces
 define networking::static (
 String $type,
- Stdlib::IP::Address $ipaddress,
 Stdlib::IP::Address $netmask = '255.255.255.0',
 Integer[100-9200] $mtu = 1500,
+ Boolean $dhcp = false,
 Optional[Boolean] $forwarding = false,
+ Optional[Stdlib::IP::Address] $ipaddress = undef,
 Optional[Stdlib::IP::Address] $gateway = undef,
 Optional[Array[Stdlib::IP::Address]] $dns = undef,
 Optional[Array[Stdlib::Fqdn]] $domains = undef,
diff --git a/modules/networking/templates/networkd-network.erb b/modules/networking/templates/networkd-network.erb
index 298304d..b2ffc1e 100644
--- a/modules/networking/templates/networkd-network.erb
+++ b/modules/networking/templates/networkd-network.erb
@@ -2,6 +2,9 @@
 Name=<%= @title %>
 [Network]
+<% if @dhcp == true -%>
+DHCP=yes
+<% else -%>
 <% if @ipaddress && @netmask -%>
 Address=<%= @ipaddress %>/<%= IPAddr.new(@netmask).to_i.to_s(2).count('1') %>
 <% end -%>
@@ -14,6 +17,7 @@ DNS=<%= Array(@dns).join(' ') %>
 <% if @domains -%>
 Domains=<%= Array(@domains).join(' ') %>
 <% end -%>
+<% end -%>
 <% if @bridge and @bridge != true -%>
 Bridge=<%= @bridge %>
 <% end -%>
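Review bot: `net.ipv4.conf.default.rp_filter` and `net.ipv4.conf.all.rp_filter` are both set to `'0'`, which switches reverse-path filtering off on every interface of the reflector including the DHCP-addressed `eth0`; if asymmetric MPLS/LDP paths are the reason, loose mode (`value: '2'`) still drops packets from sources with no route at all while tolerating the asymmetry, and whichever value is chosen deserves a comment next to it. The role is named for route reflection but `frrouting::daemons` enables only `ldpd` and `ospfd`; if bgpd arrives in a later change, say so in a comment, otherwise this role reflects nothing yet. The comment `# add loopback interfaces to ssh list` overstates what follows: under a first-found lookup `ssh::server::options` replaces any base-level `ListenAddress` rather than adding to it, so either confirm a merge is configured for that key or reword the comment. The two yum repos declare `gpgkey` but no `gpgcheck`, which is safe only if the profile's default turns signature checking on.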
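Review bot: The new `mpls enable` is rendered inside the per-interface loop whose `iface` appears to be drawn from the OSPF interface hash (the `params['passive']` check above it suggests so), so an interface listed in `mpls_ldp_interfaces` but absent from `ospfd_interfaces` silently gets no `mpls enable`; either document that coupling with an ERB comment above the added `if`, such as `<%# mpls enable is only rendered for interfaces that also appear in ospfd_interfaces -%>`, or render a separate `interface` stanza for the remaining LDP interfaces. As a point of style, `and` in a Ruby condition has precedence pitfalls and the networking template already mixes `and` with `&&`; `<% if @mpls_ldp_interfaces&.include?(iface) -%>` expresses the same test. The loop this hunk sits in starts and ends outside the hunk.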
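Review bot: `$ipaddress` is now optional and `$dhcp` defaults to false, but nothing visible in the hunk rejects `dhcp => false` together with no `ipaddress`, which renders a networkd unit with neither `Address=` nor `DHCP=` and leaves the interface unconfigured without a catalog error. A guard in the define body would surface that at compile time, e.g. `if !$dhcp and !$ipaddress { fail("networking::static[${title}]: ipaddress is required when dhcp is false") }`. The define's body continues below the hunk, so the guard's placement is outside what is shown. The parameter documentation should also say that `dns`, `domains` and anything else the template renders in its static branch are ignored when `dhcp` is true.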
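Review bot: `DHCP=yes` is emitted with no accompanying `[DHCPv4]` section, so systemd-networkd's defaults apply and the lease's DNS servers and routes are accepted as delivered; on an MPLS route reflector whose routing table is meant to be authoritative, a lease-supplied route or resolver is an input the operator probably does not want. Consider rendering `UseRoutes=` and `UseDNS=` under `[DHCPv4]` from parameters the define already has (the `dns`/`domains` branch is skipped entirely under DHCP by the new `else`), or at least a comment stating that the lease is trusted. Stylistically, `<% if @dhcp == true -%>` compares a Boolean to `true`; `<% if @dhcp -%>` reads cleaner and matches `<% if @ipaddress && @netmask -%>` right below it.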
diff --git a/site/profiles/manifests/selinux/frr.pp b/site/profiles/manifests/selinux/frr.pp
index 65bcb46..7abea32 100644
--- a/site/profiles/manifests/selinux/frr.pp
+++ b/site/profiles/manifests/selinux/frr.pp
@@ -32,16 +32,17 @@ class profiles::selinux::frr {
 allow init_t self:process setpgid;
 | EOF
- selinux::module { 'frr_local':
- ensure => 'present',
- content_te => $frr_te_content,
- builder => 'simple',
- before => Service['frr'],
- }
-
- selboolean { 'domain_can_mmap_files':
- value => 'on',
- persistent => true,
- before => Service['frr'],
+ if $facts['virtual'] != 'lxc' {
+ selinux::module { 'frr_local':
+ ensure => 'present',
+ content_te => $frr_te_content,
+ builder => 'simple',
+ before => Service['frr'],
+ }
+ selboolean { 'domain_can_mmap_files':
+ value => 'on',
+ persistent => true,
+ before => Service['frr'],
+ }
 }
 }
diff --git a/site/roles/manifests/infra/mpls/rr.pp b/site/roles/manifests/infra/mpls/rr.pp
new file mode 100644
index 0000000..258f592
--- /dev/null
+++ b/site/roles/manifests/infra/mpls/rr.pp
@@ -0,0 +1,10 @@
+# a role to manage mpls route-reflectors
+class roles::infra::mpls::rr {
+ if $facts['firstrun'] {
+ include profiles::defaults
+ include profiles::firstrun::init
+ }else{
+ include profiles::defaults
+ include profiles::base
+ }
+}
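Review bot: The new `if $facts['virtual'] != 'lxc'` skips both the local policy module and the `domain_can_mmap_files` boolean without saying why, leaving the reader to guess that a container cannot load policy and that frr is expected to run under the host's policy there. A one-line comment above the `if`, e.g. `# lxc guests share the host kernel and cannot load policy modules or set booleans; skip them here` (adjusted to the actual reason), would capture that. Note the test keys on the `virtual` fact being exactly `lxc`, so Incus VMs and other container runtimes still get the module and the boolean; if that is deliberate it is worth stating in the same comment. The enclosing class `profiles::selinux::frr` opens above the hunk.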
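Review bot: `include profiles::defaults` appears in both branches of the `if $facts['firstrun']` and can be hoisted above it, leaving each branch with the single include that actually differs; `}else{` should be `} else {` per the Puppet style guide, and the header comment could say what the `firstrun` fact signals. The hoisted form is `include profiles::defaults` followed by `if $facts['firstrun'] { include profiles::firstrun::init } else { include profiles::base }`. Since everything route-reflector specific comes from hieradata via `hiera_include`, a comment pointing at `hieradata/roles/infra/mpls/rr.yaml` would help the next reader find where the role's behaviour is defined.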