ansible-ffibk/roles/service-fastd-mesh/tasks/main.yml

---
- name: create fastd directories
  file:
    path: "/etc/fastd/{{ item.0.id }}vpn-{{ item.1.mtu }}"
    state: directory
    mode: 0755
  with_subelements:
    - "{{ meshes }}"
    - fastd.nodes.instances

- name: create fastd peer mesh directories
  file:
    path: "/etc/fastd/{{ item.0.id }}vpn-{{ item.1.mtu }}/peers"
    state: directory
    mode: 0755
    owner: admin
    group: admin
  with_subelements:
    - "{{ meshes }}"
    - fastd.nodes.instances

- name: create fastd peer mesh directories for ffbin
  file:
    path: "/etc/fastd/mzvpn-{{ item }}/peers_bingen"
    state: directory
    mode: 0755
    owner: admin
    group: admin
  with_items:
    - 1406
    - 1312

- name: clone fastd peer mesh repos
  git:
    repo: "{{ item.1.peers.repo }}"
    dest: "/etc/fastd/{{ item.0.id }}vpn-{{ item.1.mtu }}/peers"
    version: "{{ item.1.peers.version }}"
    update: no
  with_subelements:
    - "{{ meshes }}"
    - fastd.nodes.instances
  become: false

- name: clone fastd peer mesh repo for ffbin
  git:
    repo: https://github.com/freifunk-bingen/peers-ffbin.git
    dest: "/etc/fastd/mzvpn-{{ item }}/peers_bingen"
    version: master
    update: no
  with_items:
    - 1406
    - 1312
  become: false

- name: template fastd mesh config
  template:
    src: fastd-mesh.conf.j2
    dest: "/etc/fastd/{{ item.0.id }}vpn-{{ item.1.mtu }}/fastd.conf"
  notify: restart fastd mesh instances
  with_subelements:
    - "{{ meshes }}"
    - fastd.nodes.instances

- name: write fastd mesh secret
  template:
    src: fastd-secret.conf.j2
    dest: "/etc/fastd/{{ item.0.id }}vpn-{{ item.1.mtu }}/secret.conf"
  notify: restart fastd mesh instances
  with_subelements:
    - "{{ meshes }}"
    - fastd.nodes.instances

- name: copy peer_limit.conf if not exist
  copy:
    src: peer_limit.conf
    dest: "/etc/fastd/{{ item.0.id }}vpn-{{ item.1.mtu }}/peer_limit.conf"
    owner: admin
    group: admin
    mode: 0640
    force: no
  notify: restart fastd mesh instances
  with_subelements:
    - "{{ meshes }}"
    - fastd.nodes.instances

- name: set file attributes for peer_limit.conf
  file:
    path: "/etc/fastd/{{ item.0.id }}vpn-{{ item.1.mtu }}/peer_limit.conf"
    mode: 0640
    owner: admin
    group: admin
  notify: restart fastd mesh instances
  with_subelements:
    - "{{ meshes }}"
    - fastd.nodes.instances

- name: write systemd unit fastd-sync-meshkeys.service
  template:
    src: fastd-sync-meshkeys.service.j2
    dest: /etc/systemd/system/fastd-sync-meshkeys.service
    owner: root
    group: root
    mode: 0644
  notify: reload systemd

- name: write systemd timer fastd-sync-meshkeys.timer
  template:
    src: fastd-sync-meshkeys.timer.j2
    dest: /etc/systemd/system/fastd-sync-meshkeys.timer
    owner: root
    group: root
    mode: 0644
  notify: reload systemd

- name: create fastd_status.json file
  file:
    path: /var/www/html/fastd_status.json
    state: touch
    owner: admin
    group: admin
    mode: 0644

- name: write configuration for fastd-peer-limit-update script
  template:
    src: fastd_peer_limit_config.yaml.j2
    dest: /home/admin/.config/fastd_peer_limit_config.yaml
    owner: admin
    group: admin
    mode: 0644

- name: write systemd unit fastd-peer-limit-update.service
  template:
    src: fastd-peer-limit-update.service.j2
    dest: /etc/systemd/system/fastd-peer-limit-update.service
    owner: root
    group: root
    mode: 0644
  notify: reload systemd

- name: write systemd timer fastd-peer-limit-update.timer
  template:
    src: fastd-peer-limit-update.timer.j2
    dest: /etc/systemd/system/fastd-peer-limit-update.timer
    owner: root
    group: root
    mode: 0644
  notify: reload systemd

- name: configure systemd timers for fastd-mesh instance
  systemd:
    name: "{{ item }}.timer"
    enabled: yes
    state: started
  with_items:
    - fastd-sync-meshkeys
    - fastd-peer-limit-update

- name: configure systemd unit fastd@
  systemd:
    name: "fastd@{{ item.0.id }}vpn-{{ item.1.mtu }}"
    enabled: yes
    state: started
  with_subelements:
    - "{{ meshes }}"
    - fastd.nodes.instances
Restructure ansible (#8) * Add filename prefix to playbooks * Inventory: clean up & rename role ffmwu-prereq to test-prerequisites Remove all hosts which aren't set up by ansible, yet. Prepare to start from scratch. Only add hosts to the inventory which will be set up completly by ansible. * Role test-prerequisites: improve tasks; update OS to current debian stable * Add a bunch of new roles - Update Readme - Update ansible.cfg - Add playbook to set up gateways - Add group variables * Roles: add role documentation * Some restructuring (#3) * Modify prerequisites role and integrate prerequisites role into all playbooks (#4) * Add relaxed yamllint config and fix errors * Add role service-rclocal * Add role service-bird * Move localtestvm to separate role (untested) (#6) * Add role git-repos * Add role service-bird-icvpn; add python3-yaml package to server-basic role * Add role service-bird-ffrl * Set 'become' default to True (#7) * Retouch tasks due to 'become' defaults to True * Add role service-bird-ffrl to playbook gateways * Role service-bird-ffrl: correct ipaddr filters * Update readme of roles service-fastd-mesh + service-fastd-intragate * Update Readme.md - update passwordstore lookup for fastd secrets - add explanation about sensible informations * Role server-basic: add package bridge-utils * Add role service-tinc * Add role system-sysctl-gateway * Add version to git modules in roles: - git-fastd-peers - git-repos - service-tinc * Add readme for role prerequisites * Add role network-iptables-gateway - move netfilter specific sysctl settings * Role kmod-batman: load kernel modules * Role service-bird-icvpn: use a task and not a handler to set file attrs * Add role service-bind-slave * Restructure network interfaces in order to use ifupdown2 - rewrite interface templates for batman, fastd, ffrl and meshbridge - add package ethtool to role server-basic - use more ipaddr filters and get rid of unneeded variables in dict ffrl_exit_server - change ffrl_public_ipv4_nat variable to ip/prefix format - update readme files * Role service-dhcpd: fix disabled notify * Role service-fastd-mesh + service-fastd-intragate: fix mac address format * Restructure service-fastd roles - migrate role git-fastd-peers - add role service-fastd - add repo clone for ffbin peers (currently hardcoded) - add role dependency to role service-fastd-mesh + service-fastd-intragate - add systemd handlers * Role service-tinc: use a task instead of a handler for systemd stuff * Role service-radvd: update handlers * Update loop keys * Role service-radvd: optimize ipaddr filters * Role service-radvd: make more parameters configurable * Update Readme.md * Role service-fastd-mesh: add systemd unit + timer to update mesh peers * Role service-bird + service-bird-icvpn: add systemd unit + timer to update roa+peers+tinc hosts * Role git-repos: change branch of backend-scripts repo to drop-photon * Role service-bind-slave: fix file permissions * Role service-bind-slave: add systemd unit + timer to update icvpn bind config * Role service-bird-icvpn: rename systemd unit+timer icvpn-update to icvpn-tinc-bgp-update * Roles service-fastd-mesh + service-fastd-intragate: rename fastd socket * Role service-rclocal: fix wrong interface * Role network-iptables-gateway: rename var internet_exit_mtu_ipv[4\|6] to internet_exit_tcp_mss_ipv[4\|6] * FFRL Internet Exit: move IPv4 NAT address to a single dummy interface * Roles service-bird[\|-ffrl\|-icvpn]: rework handlers * Update some ipaddr filters * Fix wrong IP subnet calculation in roles service-radvd + service-rclocal * Role service-fastd-mesh: move peer limit to a separate file which isn't managed by ansible * Role service-fastd: ensure fastd service is masked * Role service-fastd-mesh: add systemd timer for fastd peer limit update script * Update Readme.md * Migrate nested dictionary `meshes` into a list of dictionaries - migrate dictionary `ipv6` into two simple lists - migrate dictionary `forward_zones` into a list * Restructure fastd configuration to define multiple instances easily - introduce mesh subdictionary `fastd` - change fastd instance naming - change fastd network interface naming (identical with fastd instance names) - change mac address prefixes * Roles service-fastd-[mesh\|intragate]: update role dependencies * Role network-batman: update batman-ifaces due to fastd instance change - update README.md * Role network-fastd: update README.md * Readme.md: add control machine requirements * Role service-fastd-mesh: fix typo in handler * Role service-fastd: use own systemd unit fastd@.service - original uses %I which does not escaping, so dashes will be replaced by slashes - use %i instead of %I * Add role network-routing - move static routes from role service-rclocal to scripts run by systemd unit - mv routing specific sysctl settings * Use package module where possible instead of apt * Remove unnecessary handlers * Move all handlers to one single role * Update Readme.md * Move IP rules from role `service-rclocal` to role `network-routing` - add scripts to configure and delete IP rules via a systemd unit - delete role `service-rclocal` - update README.md - add new handler * Role network-routing: fix typos in ffmwu-del-ip-rules.sh template * Add role service-respondd * Roles service-fastd-[intragate\|mesh]: update mac prefixes due to fastd instances change * Fix some whitespaces * Ensure systemd units are started * Add role service-nginx * Add role service-nginx-firmware * Add missing variables for role service-nginx-firmware * Add roles service-nginx(-firmware) to playbook gateways * Role service-nginx: add autoindex options to default vhost * Flush handlers after configuring network interfaces * Role service-respondd: also listen on fastd-interfaces * Update fastd peer limit configuration * add list of legacy gateways (temporarily) * change backend-scripts branch to ansible * Role server-basic: ensure ffmwu config directory is present * Role service-fastd: add fastd-status script * role service-fastd-mesh: add templating for fastd peer limit configuration * Update Readme.md * Lowercase all network interface names * Inventory: add new gateway uffschnitt.freifunk-mwu.de * Role server-repos: change ffmwu repo to stretch * Role service-respondd: install python3 module dependency * Role server-repos: remove universe-factory repo since fastd package is available in debian upstream * Pretty format ansible.cfg * Inventory host_vars: use single file instead of subfolder * Role prerequisites: add cname asserts * Role network-meshbridge: workaround to set mac address on boot and get ipv6 address configured correctly * Playbook gateways: reorder roles * Rename role server-repos to server-apt-repos - Role server-apt-repos: add readme * Role server-basic: add locale setting * Roles service-fastd-mesh + service-fastd-intragate - remove on-up\|on-down stanzas from fastd.conf - update readme * Move dummy module from role kmod-batman to server-basic * Roles service-fastd-[mesh\|intragate]: reload networking on fastd instance start * Rework passwordstore lookup handling in roles service-fastd-mesh und service-fastd-intragate * Role service-tinc: rework passwordstore lookup * Role network-iptables-gateway: fix freifunk bridge rules * Role service-fastd-mesh: ensure fastd_status.json file is present; reorder nginx roles * Role network-routing: add missing service dependency for ffmwu-static-routes service unit * Role service-tinc: add task to enable post-merge script * Add prometheus role (#9) 2017-12-05 05:59:06 +01:00			`---`
			`- name: create fastd directories`
			`file:`
			`path: "/etc/fastd/{{ item.0.id }}vpn-{{ item.1.mtu }}"`
			`state: directory`
			`mode: 0755`
			`with_subelements:`
			`- "{{ meshes }}"`
			`- fastd.nodes.instances`

			`- name: create fastd peer mesh directories`
			`file:`
			`path: "/etc/fastd/{{ item.0.id }}vpn-{{ item.1.mtu }}/peers"`
			`state: directory`
			`mode: 0755`
			`owner: admin`
			`group: admin`
			`with_subelements:`
			`- "{{ meshes }}"`
			`- fastd.nodes.instances`

			`- name: create fastd peer mesh directories for ffbin`
			`file:`
			`path: "/etc/fastd/mzvpn-{{ item }}/peers_bingen"`
			`state: directory`
			`mode: 0755`
			`owner: admin`
			`group: admin`
			`with_items:`
			`- 1406`
			`- 1312`

			`- name: clone fastd peer mesh repos`
			`git:`
			`repo: "{{ item.1.peers.repo }}"`
			`dest: "/etc/fastd/{{ item.0.id }}vpn-{{ item.1.mtu }}/peers"`
			`version: "{{ item.1.peers.version }}"`
			`update: no`
			`with_subelements:`
			`- "{{ meshes }}"`
			`- fastd.nodes.instances`
			`become: false`

			`- name: clone fastd peer mesh repo for ffbin`
			`git:`
			`repo: https://github.com/freifunk-bingen/peers-ffbin.git`
			`dest: "/etc/fastd/mzvpn-{{ item }}/peers_bingen"`
			`version: master`
			`update: no`
			`with_items:`
			`- 1406`
			`- 1312`
			`become: false`

			`- name: template fastd mesh config`
			`template:`
			`src: fastd-mesh.conf.j2`
			`dest: "/etc/fastd/{{ item.0.id }}vpn-{{ item.1.mtu }}/fastd.conf"`
			`notify: restart fastd mesh instances`
			`with_subelements:`
			`- "{{ meshes }}"`
			`- fastd.nodes.instances`

			`- name: write fastd mesh secret`
			`template:`
			`src: fastd-secret.conf.j2`
			`dest: "/etc/fastd/{{ item.0.id }}vpn-{{ item.1.mtu }}/secret.conf"`
			`notify: restart fastd mesh instances`
			`with_subelements:`
			`- "{{ meshes }}"`
			`- fastd.nodes.instances`

			`- name: copy peer_limit.conf if not exist`
			`copy:`
			`src: peer_limit.conf`
			`dest: "/etc/fastd/{{ item.0.id }}vpn-{{ item.1.mtu }}/peer_limit.conf"`
			`owner: admin`
			`group: admin`
			`mode: 0640`
			`force: no`
			`notify: restart fastd mesh instances`
			`with_subelements:`
			`- "{{ meshes }}"`
			`- fastd.nodes.instances`

			`- name: set file attributes for peer_limit.conf`
			`file:`
			`path: "/etc/fastd/{{ item.0.id }}vpn-{{ item.1.mtu }}/peer_limit.conf"`
			`mode: 0640`
			`owner: admin`
			`group: admin`
			`notify: restart fastd mesh instances`
			`with_subelements:`
			`- "{{ meshes }}"`
			`- fastd.nodes.instances`

			`- name: write systemd unit fastd-sync-meshkeys.service`
			`template:`
			`src: fastd-sync-meshkeys.service.j2`
			`dest: /etc/systemd/system/fastd-sync-meshkeys.service`
			`owner: root`
			`group: root`
			`mode: 0644`
			`notify: reload systemd`

			`- name: write systemd timer fastd-sync-meshkeys.timer`
			`template:`
			`src: fastd-sync-meshkeys.timer.j2`
			`dest: /etc/systemd/system/fastd-sync-meshkeys.timer`
			`owner: root`
			`group: root`
			`mode: 0644`
			`notify: reload systemd`

			`- name: create fastd_status.json file`
			`file:`
			`path: /var/www/html/fastd_status.json`
			`state: touch`
			`owner: admin`
			`group: admin`
			`mode: 0644`

			`- name: write configuration for fastd-peer-limit-update script`
			`template:`
			`src: fastd_peer_limit_config.yaml.j2`
			`dest: /home/admin/.config/fastd_peer_limit_config.yaml`
			`owner: admin`
			`group: admin`
			`mode: 0644`

			`- name: write systemd unit fastd-peer-limit-update.service`
			`template:`
			`src: fastd-peer-limit-update.service.j2`
			`dest: /etc/systemd/system/fastd-peer-limit-update.service`
			`owner: root`
			`group: root`
			`mode: 0644`
			`notify: reload systemd`

			`- name: write systemd timer fastd-peer-limit-update.timer`
			`template:`
			`src: fastd-peer-limit-update.timer.j2`
			`dest: /etc/systemd/system/fastd-peer-limit-update.timer`
			`owner: root`
			`group: root`
			`mode: 0644`
			`notify: reload systemd`

			`- name: configure systemd timers for fastd-mesh instance`
			`systemd:`
			`name: "{{ item }}.timer"`
			`enabled: yes`
			`state: started`
			`with_items:`
			`- fastd-sync-meshkeys`
			`- fastd-peer-limit-update`

			`- name: configure systemd unit fastd@`
			`systemd:`
			`name: "fastd@{{ item.0.id }}vpn-{{ item.1.mtu }}"`
			`enabled: yes`
			`state: started`
			`with_subelements:`
			`- "{{ meshes }}"`
			`- fastd.nodes.instances`