aufgeräumt
This commit is contained in:
parent
1256feca47
commit
77c23ef27f
5 changed files with 28 additions and 3631 deletions
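--- a/app.py
+++ /dev/null
@@ -1,69 +0,0 @@
-import os
-import subprocess
-from git import Repo
-import paramiko
-
-# Function to export RouterOS configuration
-def export_routeros_config(device_config):
-device = device_config["host"]
-username = device_config["username"]
-ssh_key_path = device_config["ssh_key_path"]
-
-ssh = paramiko.SSHClient()
-ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
-ssh.connect(device, username=username, key_filename=ssh_key_path)
-
-# Modify the export command based on the RouterOS command for configuration export
-stdin, stdout, stderr = ssh.exec_command("/export")
-with open(f"{device}_config_export.txt", "w") as f:
-f.write(stdout.read().decode())
-
-ssh.close()
-
-# Function to check if the Git repository exists and pull or clone accordingly
-def check_and_pull_git_repo():
-git_repo_path = os.environ.get("GIT_REPO_PATH")
-if os.path.exists(git_repo_path):
-repo = Repo(git_repo_path)
-if not repo.bare:
-origin = repo.remote(name="origin")
-origin.pull()
-else:
-print("Error: The directory exists but is not a Git repository.")
-exit(1)
-else:
-git_repo_url = os.environ.get("GIT_REPO_URL")
-Repo.clone_from(git_repo_url, git_repo_path)
-
-# Function to commit and push the configuration to the Git repository
-def commit_and_push_to_git():
-git_repo_path = os.environ.get("GIT_REPO_PATH")
-repo = Repo(git_repo_path)
-index = repo.index
-
-# Add the RouterOS config files to the index
-config_files = [f"{device['host']}_config_export.txt" for device in DEVICE_CONFIGS]
-index.add(config_files)
-
-# Commit and push the changes
-index.commit("Update configuration")
-origin = repo.remote(name="origin")
-origin.push()
-
-if __name__ == "__main__":
-# RouterOS devices SSH connection settings
-DEVICE_CONFIGS = os.environ.get("DEVICE_CONFIGS").split()
-DEVICE_CONFIGS = [
-{"host": device.split(',')[0], "username": device.split(',')[1], "ssh_key_path": device.split(',')[2]}
-for device in DEVICE_CONFIGS
-]
-
-# Export RouterOS configurations
-for device_config in DEVICE_CONFIGS:
-export_routeros_config(device_config)
-
-# Check and pull the Git repository
-check_and_pull_git_repo()
-
-# Commit and push the configurations to the Git repository
-commit_and_push_to_git()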
@ -1,174 +0,0 @@
|
||||||
# 2023-07-21 18:48:14 by RouterOS 7.10
|
|
||||||
# software id = NPZE-DVQU
|
|
||||||
#
|
|
||||||
# model = RB750Gr3
|
|
||||||
# serial number = CC210C7265A3
|
|
||||||
/interface ethernet
|
|
||||||
set [ find default-name=ether1 ] disabled=yes
|
|
||||||
set [ find default-name=ether3 ] disabled=yes
|
|
||||||
set [ find default-name=ether4 ] disabled=yes
|
|
||||||
set [ find default-name=ether5 ] disabled=yes
|
|
||||||
/interface wireguard
|
|
||||||
add listen-port=13233 mtu=1420 name=wireguard_clients private-key=\
|
|
||||||
"4EsatRG85+HxsoPF1gm6A5vZQ88xRo/fHb0xsdJMb3w="
|
|
||||||
add listen-port=13232 mtu=1420 name=wireguard_s2s_hex private-key=\
|
|
||||||
"ABE3o3tWAw2GeLfJDAKeNqG9OwudiOLFhT+ghQ6P1Fc="
|
|
||||||
/interface list
|
|
||||||
add name=LAN
|
|
||||||
add name=VPN
|
|
||||||
add name=winbox-access
|
|
||||||
/interface lte apn
|
|
||||||
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
|
|
||||||
/interface wireless security-profiles
|
|
||||||
set [ find default=yes ] supplicant-identity=MikroTik
|
|
||||||
/port
|
|
||||||
set 1 name=serial0
|
|
||||||
/routing ospf instance
|
|
||||||
add disabled=no name=ospf-instance-s2s redistribute=connected router-id=\
|
|
||||||
10.25.26.2
|
|
||||||
/routing ospf area
|
|
||||||
add area-id=0.0.0.1 disabled=no instance=ospf-instance-s2s name=ospf-area-1
|
|
||||||
/snmp community
|
|
||||||
set [ find default=yes ] read-access=no security=private
|
|
||||||
add addresses=::/0 authentication-password=9IEYe5R-usuhdH7y-LEcJpWcfeQ319 \
|
|
||||||
authentication-protocol=SHA1 encryption-password=\
|
|
||||||
GjYze03kkkeRMH3sDVbAJp9Gl6WC-I encryption-protocol=AES name=librenms-v3
|
|
||||||
/system logging action
|
|
||||||
set 0 memory-lines=10000
|
|
||||||
/ip neighbor discovery-settings
|
|
||||||
set discover-interface-list=winbox-access
|
|
||||||
/ip settings
|
|
||||||
set tcp-syncookies=yes
|
|
||||||
/ipv6 settings
|
|
||||||
set disable-ipv6=yes max-neighbor-entries=8192
|
|
||||||
/interface list member
|
|
||||||
add interface=ether2 list=LAN
|
|
||||||
add interface=wireguard_s2s_hex list=VPN
|
|
||||||
add interface=wireguard_clients list=LAN
|
|
||||||
add interface=wireguard_s2s_hex list=winbox-access
|
|
||||||
add interface=wireguard_clients list=winbox-access
|
|
||||||
add interface=ether2 list=winbox-access
|
|
||||||
/interface ovpn-server server
|
|
||||||
set auth=sha1,md5
|
|
||||||
/interface wireguard peers
|
|
||||||
add allowed-address=0.0.0.0/0 endpoint-address=mgrote.net endpoint-port=13232 \
|
|
||||||
interface=wireguard_s2s_hex persistent-keepalive=10s public-key=\
|
|
||||||
"/drwUkzCR7umH4YFTRa+D9WB8KOvTXIZxRf/9gC9kkM="
|
|
||||||
add allowed-address=10.25.27.2/24 comment=iphone_andreas interface=\
|
|
||||||
wireguard_clients public-key=\
|
|
||||||
"Y/3GVIZsdAUpKr2XJ42MVPte4qJvPpe6ZWj7lQIjPEM="
|
|
||||||
add allowed-address=10.25.27.200/32 comment=iphone_maximilian interface=\
|
|
||||||
wireguard_clients public-key=\
|
|
||||||
"45IEON4osDmTxIv/pkDTWwdUb6X33uTmZFbebkrkdHo="
|
|
||||||
add allowed-address=10.25.27.100/24 comment=ipad_maximilian interface=\
|
|
||||||
wireguard_clients public-key=\
|
|
||||||
"45/22voZXBbjYhtLLQqwPQ00tMZVB6sglrLbkEnlTUM="
|
|
||||||
/ip address
|
|
||||||
add address=10.25.26.2/30 interface=wireguard_s2s_hex network=10.25.26.0
|
|
||||||
add address=10.25.27.1/24 interface=wireguard_clients network=10.25.27.0
|
|
||||||
/ip cloud
|
|
||||||
set ddns-enabled=yes ddns-update-interval=5m
|
|
||||||
/ip dhcp-client
|
|
||||||
add interface=ether2
|
|
||||||
/ip firewall address-list
|
|
||||||
add address=192.168.2.0/24 list=subnet2
|
|
||||||
add address=192.168.2.0/24 list=mgmt_access
|
|
||||||
add address=192.168.3.0/24 list=subnet3
|
|
||||||
add address=10.25.25.0/24 list=subnet2525
|
|
||||||
add address=10.25.26.0/24 list=mgmt_access
|
|
||||||
add address=10.25.26.0/24 list=subnet2526
|
|
||||||
add address=192.168.3.0/24 list=mgmt_access
|
|
||||||
add address=10.25.27.0/24 list=subnet2527
|
|
||||||
add address=10.25.27.0/24 list=mgmt_access
|
|
||||||
add address=192.168.2.43 list=snmp_server
|
|
||||||
/ip firewall filter
|
|
||||||
add action=accept chain=input connection-state=established,related \
|
|
||||||
log-prefix="Allow established, related: "
|
|
||||||
add action=drop chain=input connection-state=invalid log-prefix=\
|
|
||||||
"Drop invalid:"
|
|
||||||
add action=accept chain=input in-interface=wireguard_s2s_hex log-prefix=\
|
|
||||||
"Allow OSPF: " protocol=ospf
|
|
||||||
add action=accept chain=input icmp-options=!5:0-255 log-prefix="Allow ICMP: " \
|
|
||||||
protocol=icmp
|
|
||||||
add action=accept chain=input dst-port=13232,13233 in-interface=ether2 \
|
|
||||||
log-prefix="Allow Wireguard: " protocol=udp
|
|
||||||
add action=accept chain=input dst-port=22,8291 log-prefix=\
|
|
||||||
"Allow ssh+winbox: " protocol=tcp src-address-list=mgmt_access
|
|
||||||
add action=drop chain=input log-prefix="INPUT: Drop anything not allowed: "
|
|
||||||
add action=fasttrack-connection chain=forward connection-state=\
|
|
||||||
established,related hw-offload=yes log-prefix="FastTrack Connection: "
|
|
||||||
add action=accept chain=forward connection-state=established,related \
|
|
||||||
log-prefix="Allow established, related: "
|
|
||||||
add action=drop chain=forward connection-state=invalid log-prefix=\
|
|
||||||
"Drop invalid:"
|
|
||||||
add action=accept chain=forward dst-address-list=subnet3 log-prefix=\
|
|
||||||
"Allow SN2 -> SN3: " src-address-list=subnet2
|
|
||||||
add action=accept chain=forward dst-address-list=subnet3 log-prefix=\
|
|
||||||
"Allow SN2526 -> SN3: " src-address-list=subnet2526
|
|
||||||
add action=accept chain=forward dst-address-list=subnet3 log-prefix=\
|
|
||||||
"Allow SN2525 -> SN3: " src-address-list=subnet2525
|
|
||||||
add action=accept chain=forward in-interface=wireguard_clients log-prefix=\
|
|
||||||
"Allow WG-Clients-> Ether2: " out-interface=ether2 src-address-list=\
|
|
||||||
subnet2527
|
|
||||||
add action=drop chain=forward disabled=yes log=yes log-prefix=\
|
|
||||||
"FORWARD: Drop anything not allowed: "
|
|
||||||
/ip firewall nat
|
|
||||||
add action=masquerade chain=srcnat log-prefix="NAT: Alles von SN2" \
|
|
||||||
out-interface=!wireguard_s2s_hex
|
|
||||||
/ip service
|
|
||||||
set telnet disabled=yes
|
|
||||||
set ftp disabled=yes
|
|
||||||
set www disabled=yes
|
|
||||||
set ssh address=192.168.2.0/24,192.168.3.0/24,10.25.26.0/24
|
|
||||||
set api disabled=yes
|
|
||||||
set winbox address=192.168.2.0/24,192.168.3.0/24,10.25.26.0/24
|
|
||||||
set api-ssl disabled=yes
|
|
||||||
/ip ssh
|
|
||||||
set strong-crypto=yes
|
|
||||||
/routing ospf interface-template
|
|
||||||
add area=ospf-area-1 disabled=no interfaces=wireguard_s2s_hex networks=\
|
|
||||||
10.25.26.0/30 type=ptmp
|
|
||||||
/routing ospf static-neighbor
|
|
||||||
add address=10.25.26.1%wireguard_s2s_hex area=ospf-area-1 disabled=no
|
|
||||||
/snmp
|
|
||||||
set contact="mgrote <michael.grote@posteo.de>" location="S\FCdstra\DFe" \
|
|
||||||
trap-community=librenms-v3 trap-generators=temp-exception,interfaces \
|
|
||||||
trap-version=3
|
|
||||||
/system clock
|
|
||||||
set time-zone-name=Europe/Berlin
|
|
||||||
/system identity
|
|
||||||
set name=hex
|
|
||||||
/system logging
|
|
||||||
add disabled=yes topics=ospf
|
|
||||||
/system note
|
|
||||||
set show-at-login=no
|
|
||||||
/system ntp client
|
|
||||||
set enabled=yes
|
|
||||||
/system ntp client servers
|
|
||||||
add address=0.de.pool.ntp.org
|
|
||||||
/system routerboard settings
|
|
||||||
set silent-boot=yes
|
|
||||||
/system watchdog
|
|
||||||
set automatic-supout=no ping-timeout=5m watch-address=10.25.26.1
|
|
||||||
/tool bandwidth-server
|
|
||||||
set enabled=no
|
|
||||||
/tool mac-server
|
|
||||||
set allowed-interface-list=none
|
|
||||||
/tool mac-server mac-winbox
|
|
||||||
set allowed-interface-list=winbox-access
|
|
||||||
/tool mac-server ping
|
|
||||||
set enabled=no
|
|
||||||
/tool netwatch
|
|
||||||
add disabled=no down-script="# set variables\r\
|
|
||||||
\n:local wginterface wireguard_s2s_hex\r\
|
|
||||||
\n# Valid characters in variable names are letters and digits. If variable\
|
|
||||||
\_name contains any other character, then variable name should be put in d\
|
|
||||||
ouble quotes.\r\
|
|
||||||
\n\r\
|
|
||||||
\n:log error \"wireguard-tunnel down: \$wginterface\"\r\
|
|
||||||
\n/interface/wireguard/disable \$wginterface\r\
|
|
||||||
\n:delay 20s\r\
|
|
||||||
\n/interface/wireguard/enable \$wginterface\r\
|
|
||||||
\n:log info \"Restart wireguard-tunnel: \$wginterface\"\r\
|
|
||||||
\nping 192.168.2.1\r\
|
|
||||||
\n" host=192.168.2.1 interval=30s timeout=1s type=simple
|
|
File diff suppressed because it is too large
37
x
37
x
|
@ -1,20 +1,24 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
# setze Variable
|
# setze Variable
|
||||||
|
# Format <fqdn>,<path to ssh-private-key(passwordless)>
|
||||||
devices="rb5009.grote.lan,/home/mg/oxidized-selfmade/neu
|
devices="rb5009.grote.lan,/home/mg/oxidized-selfmade/neu
|
||||||
hex.grote.lan,/ssh/keys/hex"
|
hex.grote.lan,/ssh/keys/hex"
|
||||||
|
|
||||||
# teste auf dependencies
|
|
||||||
GIT_REPO_PATH=/home/mg/oxidized-selfmade
|
GIT_REPO_PATH=/home/mg/oxidized-selfmade # wo soll das Repo angelegt werden
|
||||||
GIT_REPO_BRANCH=master
|
GIT_REPO_BRANCH=master
|
||||||
GIT_USERNAME=oxidized
|
GIT_USERNAME=oxidized-selfmade
|
||||||
GIT_USER_MAIL=michael.grote@posteo.de
|
GIT_USER_MAIL=michael.grote@posteo.de
|
||||||
if [ -d "$GIT_REPO_PATH" ]; then
|
GIT_REPO_REMOTE_NAME=origin
|
||||||
|
|
||||||
git config --global user.email "$GIT_USER_MAIL"
|
git config --global user.email "$GIT_USER_MAIL"
|
||||||
git config --global user.name "$GIT_USERNAME"
|
git config --global user.name "$GIT_USERNAME"
|
||||||
|
|
||||||
|
if [ -d "$GIT_REPO_PATH" ]; then
|
||||||
cd "$GIT_REPO_PATH"
|
cd "$GIT_REPO_PATH"
|
||||||
if [ -d ".git" ]; then
|
if [ -d ".git" ]; then
|
||||||
git pull origin $GIT_REPO_BRANCH
|
git pull "$GIT_REPO_REMOTE_NAME" "$GIT_REPO_BRANCH"
|
||||||
else
|
else
|
||||||
echo "Error: The directory exists but is not a Git repository."
|
echo "Error: The directory exists but is not a Git repository."
|
||||||
exit 1
|
exit 1
|
||||||
|
@ -23,32 +27,22 @@ GIT_USER_MAIL=michael.grote@posteo.de
|
||||||
git clone "$GIT_REPO_URL" "$GIT_REPO_PATH"
|
git clone "$GIT_REPO_URL" "$GIT_REPO_PATH"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
pwd
|
|
||||||
|
|
||||||
# Save the current value of IFS to restore later
|
# Save the current value of IFS to restore later
|
||||||
OLD_IFS=$IFS
|
OLD_IFS=$IFS
|
||||||
|
|
||||||
# Set the IFS to a comma to split the values
|
# Set the IFS to a comma to split the values
|
||||||
IFS=','
|
IFS=','
|
||||||
|
|
||||||
# Loop through the lines in the variable
|
|
||||||
while read -r fqdn path; do
|
while read -r fqdn path; do
|
||||||
# Print the variables (you can perform any actions you need here)
|
# bereinige FQDN
|
||||||
fqdn=$(echo $fqdn | tr -d "[:space:]")
|
fqdn=$(echo $fqdn | tr -d "[:space:]")
|
||||||
#!/bin/bash
|
# prüfe ob Key existiert
|
||||||
|
|
||||||
|
|
||||||
if [ ! -e "$path" ]; then
|
if [ ! -e "$path" ]; then
|
||||||
echo "File file_path does not exist."
|
echo "File file_path does not exist."
|
||||||
exit 1
|
exit 2
|
||||||
fi
|
fi
|
||||||
|
ssh -n -i "$path" "$fqdn" "/export show-sensitive" > "config_${fqdn}.rsc"
|
||||||
|
git add "config_${fqdn}.rsc"
|
||||||
ssh -n -i ${path} ${fqdn} "/export show-sensitive" > config_${fqdn}.rsc
|
|
||||||
echo add
|
|
||||||
git add config_${fqdn}.rsc
|
|
||||||
echo commit
|
|
||||||
git commit -m "update config_${fqdn}"
|
git commit -m "update config_${fqdn}"
|
||||||
done <<< "$devices"
|
done <<< "$devices"
|
||||||
|
|
||||||
|
@ -57,3 +51,6 @@ git push
|
||||||
# Restore the original IFS value
|
# Restore the original IFS value
|
||||||
IFS=$OLD_IFS
|
IFS=$OLD_IFS
|
||||||
|
|
||||||
|
|
||||||
|
# test mitvolume
|
||||||
|
# ohne volume wg git clone
|
||||||
|
|
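Review bot: The new export line `ssh -n -i "$path" "$fqdn" "/export show-sensitive" > "config_${fqdn}.rsc"` in the second hunk truncates the tracked file before ssh has connected, so a failed or timed-out connection leaves an empty config_${fqdn}.rsc that the following `git add "config_${fqdn}.rsc"` and `git commit` (and the `git push` shown as context before the last hunk) then publish over the last good export; write to a temporary file and move it into place only when ssh succeeds, as sketched below. `show-sensitive` also puts WireGuard private keys and SNMP v3 authentication/encryption passwords into a file that is committed and pushed — the export deleted earlier in this same commit shows exactly that material — so the remote has to be access-controlled like a credential store, and the keys and passwords already present in git history stay exposed after the deletion until they are rotated. `GIT_REPO_URL` is consumed by `git clone "$GIT_REPO_URL" "$GIT_REPO_PATH"` but is not set on any visible line; it may be defined in the context elided between the first two hunks. The `while read -r fqdn path` loop containing the export begins and ends inside the second hunk.
```shell
    tmp="config_${fqdn}.rsc.tmp"
    if ! ssh -n -i "$path" "$fqdn" "/export show-sensitive" > "$tmp"; then
        echo "Export failed for $fqdn" >&2
        rm -f "$tmp"
        exit 3
    fi
    mv "$tmp" "config_${fqdn}.rsc"
    git add "config_${fqdn}.rsc"
    # … unchanged: git commit, done <<< "$devices" …
```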