set up meshing server (only local test for now) up to fastd - still missing: batman

inventory/group_vars/meshing-srv

@@ -0,0 +1,19 @@
+---
+
+communities:
+  - mz
+  - wi
+
+community_params:
+  mz:
+    fastd_port: 10037
+    abbreviation: mz
+    name: mainz
+    repo: freifunk-mwu/peers-ffmz
+    xtra_peers:
+    - peers_bingen
+  wi:
+    fastd_port: 10056
+    abbreviation: wi
+    name: wiesbaden
+    repo: freifunk-mwu/peers-ffwi

inventory/host_vars/local-test-vm.ffmwu.local

@@ -0,0 +1,5 @@
+---
+
+# communities inherited as mz, wi
+
+fastd_alias: TST_local-vm

inventory/hosts

@@ -3,17 +3,19 @@ spinat.freifunk-mwu.de
 lotuswurzel.freifunk-mwu.de
 wasserfloh.freifunk-mwu.de
 # kaschu.freifunk-mwu.de  # außer Dienst
-ingwer.freifunk-mwu.de
+ingwer.freifunk-mwu.de # (Debian)
 #mettigel.freifunk-mwu.de
 #parmesan.freifunk-mwu.de
 
 [meshing-srv:children]
 gates
 meshing-only-srv
+test-vms
 
 [meshing-only-srv]
 aubergine.freifunk-mwu.de  # int. DNS-master
-zuckerwatte.freifunk-mwu.de  #
+zuckerwatte.freifunk-mwu.de  # web, blogs, wiki
+churro.freifunk-mwu.de  # Abloesung: web, blogs, wiki (Debian)
 glueckskeks.freifunk-mwu.de  #
 zwiebel.freifunk-mwu.de  #
 suesskartoffel.freifunk-mwu.de  #

loctevm-meshing.yml

@@ -0,0 +1,11 @@
+#!/usr/bin/ansible-playbook
+---
+
+- include: loctevm-provide.yml
+
+- hosts: test-vms
+  remote_user: admin
+  strategy: linear
+
+  roles: 
+  - ffmwu-meshing

loctevm-provide-prereq.inc.yml

@@ -22,6 +22,7 @@
 
 - name: ensure users ssh key to admin user
   authorized_key: user=admin key="{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
+                  exclusive=no
   become: True
 
 - name: ensure users ssh key to bootstrap user

roles/ffmwu-meshing/meta/main.yml

@@ -0,0 +1,4 @@
+---
+
+dependencies:
+- ffmwu-server

roles/ffmwu-meshing/tasks/main.yml

@@ -0,0 +1,10 @@
+---
+
+  # arp and python packages
+- include: mwu-m-pkgs.yml
+
+  # backend scripts
+- include: mwu-m-bes.yml
+
+  # fastd
+- include: mwu-m-fastd.yml

roles/ffmwu-meshing/tasks/mwu-m-bes.yml

@@ -0,0 +1,49 @@
+---
+
+- name: ensure backend-scripts-log-dir
+  file: path=~/.cronlog state=directory mode=0700
+
+- name: clone backend scripts
+  git:
+    dest: "~/clones/backend-scripts"
+    repo: "https://github.com/freifunk-mwu/backend-scripts.git"
+    accept_hostkey: yes
+
+- name: generate host key
+  shell: python3 ~/clones/backend-scripts/bootstrap_git_all.py
+  args:
+    creates: ~/.ssh/{{ansible_hostname}}_rsa
+  register: keypair
+
+# FIXME: activate with ansible 2.2 ...
+#- block:
+#  - name: read new pubkey
+#    shell: cat ~/.ssh/{{ansible_hostname}}_rsa.pub
+#    register: ssh_pub_key
+#
+#  - name: read existing secret from spinat
+#    shell: cat ~/.ssh/spinat_rsa
+#    register: github_access_token
+#    delegate_to: spinat.freifunk-mwu.de
+#
+#  - name: register new pubkey with github freifunkmwu account
+#    github_key:
+#      name: "Server {{ansible_hostname}}"
+#      token: "{{github_access_token.stdout}}"
+#      pubkey: "{{ssh_pub_key.stdout}}"
+#
+#  when: keypair.changed
+
+- name: manage crontab - PATH
+  cron: env=yes name=PATH value="/home/admin/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
+
+- name: manage crontab - entries
+  cron: name={{mwu_m_item.n}} job={{mwu_m_item.j}} minute={{mwu_m_item.mi}}
+        hour={{mwu_m_item.h}} day={{mwu_m_item.d}} month={{mwu_m_item.mo}}
+        weekday={{mwu_m_item.w}}
+  with_items:
+  - { n: "sync_meshkeys", mi: "*/15", h: "*", d: "*", mo: "*", w: "*", j: "/usr/bin/python3 $HOME/clones/backend-scripts/sync_meshkeys_gw.py > $HOME/.cronlog/sync_meshkeys.log" }
+    # FIXME: define hostvar for mi
+  - { n: "snapshot_configs", mi: "23", h: "5,23", d: "*", mo: "*", w: "*", j: "/usr/bin/python3 $HOME/clones/backend-scripts/snapshot_configs_all.py > $HOME/.cronlog/snapshot_configs.log" }
+  loop_control:
+    loop_var: mwu_m_item

roles/ffmwu-meshing/tasks/mwu-m-fastd-com.yml

@@ -0,0 +1,70 @@
+---
+# this file included in a loop, called seperately for each community
+# => configure fastd for one community here
+# hash describing community expected as "mf_com"; also expected: "f_ssh_keyfile"
+
+- name: ensure fastd config dir - {{mf_com.abbreviation}}
+  file: path=/etc/fastd/{{mf_com.abbreviation}}VPN/peers
+        state=directory mode=0750
+
+#- debug: var=mf_com
+
+#- debug: var=f_ssh_keyfile
+
+- name: clone key repo - {{mf_com.abbreviation}}
+  git:
+    dest: "/etc/fastd/{{mf_com.abbreviation}}VPN/peers"
+    key_file: "{{f_ssh_keyfile.stdout}}"
+    repo: "ssh://git@github.com/{{mf_com.repo}}"
+    update: no
+    accept_hostkey: yes
+
+- name: generate fastd key pair - {{mf_com.abbreviation}}
+  command: fastd --generate-key
+           creates="/etc/fastd/{{mf_com.abbreviation}}VPN/secret.conf"
+  register: f_key_pair
+
+- block:
+
+#  - debug: var=f_key_pair
+
+  - name: write out fastd secret key - {{mf_com.abbreviation}}
+    lineinfile:
+      backup: yes
+      create: yes
+      dest: "/etc/fastd/{{mf_com.abbreviation}}VPN/secret.conf"
+      insertbefore: BOF
+      line: secret "{{f_key_pair.stdout_lines[0] |regex_replace('^Secret. ','')}}";
+      mode: 0400
+      regexp: '^secret ".*";'
+      state : present
+
+  - name: write out fastd public key - {{mf_com.abbreviation}}
+    lineinfile:
+      create: yes
+      dest: "/etc/fastd/{{mf_com.abbreviation}}VPN/peers/servers/{{fastd_alias}}"
+      insertbefore: BOF
+      line: key "{{f_key_pair.stdout_lines[1] |regex_replace('^Public. ','')}}";
+      mode: 0440
+      regexp: '^key ".*";'
+      state : present
+    register: f_pub_key
+    ignore_errors: True
+
+  - name: delete secret in case of public failure - {{mf_com.abbreviation}}
+    file: path="/etc/fastd/{{mf_com.abbreviation}}VPN/secret.conf" state=absent
+    when: f_pub_key.failed is defined
+
+  - fail: msg="FAILED writing fastd key pair"
+    when: f_pub_key.failed is defined
+
+  when: f_key_pair.changed
+  # end of block
+
+- name: template out fastd.conf - {{mf_com.abbreviation}}
+  template:
+    backup: yes
+    dest: "/etc/fastd/{{mf_com.abbreviation}}VPN/fastd.conf"
+    mode: 0640
+    src: fastd.conf
+    validate: 'fastd --verify-config -c %s'

roles/ffmwu-meshing/tasks/mwu-m-fastd.yml

@@ -0,0 +1,16 @@
+---
+
+- name: ensure correct ownership of /etc/fastd
+  file: path=/etc/fastd state=directory mode=0750 owner=admin group=admin
+  become: True
+
+- name: find ssh keyfile name for use with git
+  shell: grep IdentityFile ~/.ssh/config | awk '{print $2}'
+  register: f_ssh_keyfile
+  changed_when: False
+
+  # configure communtity, one by one
+- include: mwu-m-fastd-com.yml  mf_com={{mwu_mf_item.value}}
+  with_dict: "{{community_params}}"
+  loop_control:
+    loop_var: mwu_mf_item

roles/ffmwu-meshing/tasks/mwu-m-pkgs.yml

@@ -0,0 +1,29 @@
+---
+
+- include: mwu-m-repos.yml
+
+- name: ensure mandatory packages
+  apt:
+    state: present
+    name: "{{mwu_m_item}}"
+    update_cache: yes
+    cache_valid_time: 21600
+  with_items:
+    - git
+    - haveged
+    - python3-pip
+    - fastd
+    - batctl
+    - batman-adv-source
+  loop_control:
+    loop_var: mwu_m_item
+  become: True
+
+- name: ensure manatory python libs
+  pip: name={{mwu_m_item}} executable=pip3
+  with_items:
+    - py-cpuinfo
+    - photon_core
+  loop_control:
+    loop_var: mwu_m_item
+  become: True

roles/ffmwu-meshing/tasks/mwu-m-repos.yml

@@ -0,0 +1,39 @@
+---
+
+- name: ensure neoraider key for fastd package
+  apt_key:
+    state: present
+    id: 16EF3F64CB201D9C
+    keyserver: keyserver.ubuntu.com
+  become: True
+
+- name: ensure neoraider fastd repo
+  apt_repository:
+    state: present
+    repo: 'deb https://repo.universe-factory.net/debian/ sid main'
+    update_cache: no
+    filename: freifunk
+  become: True
+
+- name: ensure freifunk-mwu key for batman package
+  apt_key:
+    state: present
+    id: 286CC7A4
+    keyserver: keyserver.ubuntu.com
+  become: True
+
+- name: ensure freifunk-mwu batman repo
+  apt_repository:
+    state: present
+    repo: 'deb http://ppa.launchpad.net/freifunk-mwu/batman-adv/ubuntu trusty main'
+    update_cache: no
+    filename: freifunk
+  become: True
+
+- name: ensure freifunk-mwu batman source repo
+  apt_repository:
+    state: present
+    repo: 'deb-src http://ppa.launchpad.net/freifunk-mwu/batman-adv/ubuntu trusty main'
+    update_cache: yes
+    filename: freifunk
+  become: True

roles/ffmwu-meshing/templates/fastd.conf

@@ -0,0 +1,34 @@
+# fastd.conf
+# from https://github.com/freifunk-mwu/ansible-ffmwu.git
+
+log level warn;
+hide ip addresses yes;
+hide mac addresses yes;
+
+interface "{{mf_com.abbreviation}}VPN";
+method "salsa2012+umac";	# new method (faster)
+
+# Bind to v4 and v6 interfaces
+bind {{ansible_default_ipv4.address}}:{{mf_com.fastd_port}};
+{% if ansible_default_ipv6.address is defined %}
+bind [{{ansible_default_ipv6.address}}]:{{mf_com.fastd_port}};
+{% endif %}
+
+include "/etc/fastd/{{mf_com.abbreviation}}VPN/secret.conf";
+mtu 1406; # 1492 - IPv4/IPv6 Header - fastd Header...
+
+peer group "vpn_nodes" {
+#    p#eer limit 200;
+    include peers from "/etc/fastd/{{mf_com.abbreviation}}VPN/peers"; # servers 2 b moved out ...
+{% if mf_com.xtra_peers is defined %}
+ {% for xtra in mf_com.xtra_peers %}
+    include peers from "/etc/fastd/{{mf_com.abbreviation}}VPN/{{xtra}}";
+ {% endfor %}
+{% endif %}
+}
+
+peer group "servers" {
+    include peers from "/etc/fastd/{{mf_com.abbreviation}}VPN/peers/servers";  # yet 2 b filled ...
+}
+
+status socket "/var/run/fastd-{{mf_com.abbreviation}}.status";

roles/ffmwu-server/tasks/main.yml

@@ -6,3 +6,24 @@
 - name: ensure all wanted ssh keys exclusively
   authorized_key: exclusive=True state=present user=admin
               key={{ mwu_s_admin_keys ~ ( h_v_add_auth_keys | default('') ) }}
+
+- name: ensure some basic packages
+  apt:
+    state: present
+    name: "{{mwu_s_item}}"
+    update_cache: yes
+    cache_valid_time: 21600
+  with_items:
+    - software-properties-common
+    - apt-transport-https
+    - man-db
+    - mosh
+    - ntp
+    - sudo
+    - sysfsutils
+    - vim
+    - vnstat
+    - vnstati
+  loop_control:
+    loop_var: mwu_s_item
+  become: True