set up meshing server (only local test for now) up to fastd - still missing: batman

This commit is contained in:
ka-ba 2016-09-14 16:39:21 +02:00
parent e301d42066
commit 1a96ad9ef7
14 changed files with 312 additions and 2 deletions

View file

@ -0,0 +1,19 @@
---
communities:
- mz
- wi
community_params:
mz:
fastd_port: 10037
abbreviation: mz
name: mainz
repo: freifunk-mwu/peers-ffmz
xtra_peers:
- peers_bingen
wi:
fastd_port: 10056
abbreviation: wi
name: wiesbaden
repo: freifunk-mwu/peers-ffwi

View file

@ -0,0 +1,5 @@
---
# communities inherited as mz, wi
fastd_alias: TST_local-vm

View file

@ -3,17 +3,19 @@ spinat.freifunk-mwu.de
lotuswurzel.freifunk-mwu.de
wasserfloh.freifunk-mwu.de
# kaschu.freifunk-mwu.de # außer Dienst
ingwer.freifunk-mwu.de
ingwer.freifunk-mwu.de # (Debian)
#mettigel.freifunk-mwu.de
#parmesan.freifunk-mwu.de
[meshing-srv:children]
gates
meshing-only-srv
test-vms
[meshing-only-srv]
aubergine.freifunk-mwu.de # int. DNS-master
zuckerwatte.freifunk-mwu.de #
zuckerwatte.freifunk-mwu.de # web, blogs, wiki
churro.freifunk-mwu.de # Abloesung: web, blogs, wiki (Debian)
glueckskeks.freifunk-mwu.de #
zwiebel.freifunk-mwu.de #
suesskartoffel.freifunk-mwu.de #

11
loctevm-meshing.yml Executable file
View file

@ -0,0 +1,11 @@
#!/usr/bin/ansible-playbook
---
- include: loctevm-provide.yml
- hosts: test-vms
remote_user: admin
strategy: linear
roles:
- ffmwu-meshing

View file

@ -22,6 +22,7 @@
- name: ensure users ssh key to admin user
authorized_key: user=admin key="{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
exclusive=no
become: True
- name: ensure users ssh key to bootstrap user

View file

@ -0,0 +1,4 @@
---
dependencies:
- ffmwu-server

View file

@ -0,0 +1,10 @@
---
# arp and python packages
- include: mwu-m-pkgs.yml
# backend scripts
- include: mwu-m-bes.yml
# fastd
- include: mwu-m-fastd.yml

View file

@ -0,0 +1,49 @@
---
- name: ensure backend-scripts-log-dir
file: path=~/.cronlog state=directory mode=0700
- name: clone backend scripts
git:
dest: "~/clones/backend-scripts"
repo: "https://github.com/freifunk-mwu/backend-scripts.git"
accept_hostkey: yes
- name: generate host key
shell: python3 ~/clones/backend-scripts/bootstrap_git_all.py
args:
creates: ~/.ssh/{{ansible_hostname}}_rsa
register: keypair
# FIXME: activate with ansible 2.2 ...
#- block:
# - name: read new pubkey
# shell: cat ~/.ssh/{{ansible_hostname}}_rsa.pub
# register: ssh_pub_key
#
# - name: read existing secret from spinat
# shell: cat ~/.ssh/spinat_rsa
# register: github_access_token
# delegate_to: spinat.freifunk-mwu.de
#
# - name: register new pubkey with github freifunkmwu account
# github_key:
# name: "Server {{ansible_hostname}}"
# token: "{{github_access_token.stdout}}"
# pubkey: "{{ssh_pub_key.stdout}}"
#
# when: keypair.changed
- name: manage crontab - PATH
cron: env=yes name=PATH value="/home/admin/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
- name: manage crontab - entries
cron: name={{mwu_m_item.n}} job={{mwu_m_item.j}} minute={{mwu_m_item.mi}}
hour={{mwu_m_item.h}} day={{mwu_m_item.d}} month={{mwu_m_item.mo}}
weekday={{mwu_m_item.w}}
with_items:
- { n: "sync_meshkeys", mi: "*/15", h: "*", d: "*", mo: "*", w: "*", j: "/usr/bin/python3 $HOME/clones/backend-scripts/sync_meshkeys_gw.py > $HOME/.cronlog/sync_meshkeys.log" }
# FIXME: define hostvar for mi
- { n: "snapshot_configs", mi: "23", h: "5,23", d: "*", mo: "*", w: "*", j: "/usr/bin/python3 $HOME/clones/backend-scripts/snapshot_configs_all.py > $HOME/.cronlog/snapshot_configs.log" }
loop_control:
loop_var: mwu_m_item

View file

@ -0,0 +1,70 @@
---
# this file included in a loop, called seperately for each community
# => configure fastd for one community here
# hash describing community expected as "mf_com"; also expected: "f_ssh_keyfile"
- name: ensure fastd config dir - {{mf_com.abbreviation}}
file: path=/etc/fastd/{{mf_com.abbreviation}}VPN/peers
state=directory mode=0750
#- debug: var=mf_com
#- debug: var=f_ssh_keyfile
- name: clone key repo - {{mf_com.abbreviation}}
git:
dest: "/etc/fastd/{{mf_com.abbreviation}}VPN/peers"
key_file: "{{f_ssh_keyfile.stdout}}"
repo: "ssh://git@github.com/{{mf_com.repo}}"
update: no
accept_hostkey: yes
- name: generate fastd key pair - {{mf_com.abbreviation}}
command: fastd --generate-key
creates="/etc/fastd/{{mf_com.abbreviation}}VPN/secret.conf"
register: f_key_pair
- block:
# - debug: var=f_key_pair
- name: write out fastd secret key - {{mf_com.abbreviation}}
lineinfile:
backup: yes
create: yes
dest: "/etc/fastd/{{mf_com.abbreviation}}VPN/secret.conf"
insertbefore: BOF
line: secret "{{f_key_pair.stdout_lines[0] |regex_replace('^Secret. ','')}}";
mode: 0400
regexp: '^secret ".*";'
state : present
- name: write out fastd public key - {{mf_com.abbreviation}}
lineinfile:
create: yes
dest: "/etc/fastd/{{mf_com.abbreviation}}VPN/peers/servers/{{fastd_alias}}"
insertbefore: BOF
line: key "{{f_key_pair.stdout_lines[1] |regex_replace('^Public. ','')}}";
mode: 0440
regexp: '^key ".*";'
state : present
register: f_pub_key
ignore_errors: True
- name: delete secret in case of public failure - {{mf_com.abbreviation}}
file: path="/etc/fastd/{{mf_com.abbreviation}}VPN/secret.conf" state=absent
when: f_pub_key.failed is defined
- fail: msg="FAILED writing fastd key pair"
when: f_pub_key.failed is defined
when: f_key_pair.changed
# end of block
- name: template out fastd.conf - {{mf_com.abbreviation}}
template:
backup: yes
dest: "/etc/fastd/{{mf_com.abbreviation}}VPN/fastd.conf"
mode: 0640
src: fastd.conf
validate: 'fastd --verify-config -c %s'

View file

@ -0,0 +1,16 @@
---
- name: ensure correct ownership of /etc/fastd
file: path=/etc/fastd state=directory mode=0750 owner=admin group=admin
become: True
- name: find ssh keyfile name for use with git
shell: grep IdentityFile ~/.ssh/config | awk '{print $2}'
register: f_ssh_keyfile
changed_when: False
# configure communtity, one by one
- include: mwu-m-fastd-com.yml mf_com={{mwu_mf_item.value}}
with_dict: "{{community_params}}"
loop_control:
loop_var: mwu_mf_item

View file

@ -0,0 +1,29 @@
---
- include: mwu-m-repos.yml
- name: ensure mandatory packages
apt:
state: present
name: "{{mwu_m_item}}"
update_cache: yes
cache_valid_time: 21600
with_items:
- git
- haveged
- python3-pip
- fastd
- batctl
- batman-adv-source
loop_control:
loop_var: mwu_m_item
become: True
- name: ensure manatory python libs
pip: name={{mwu_m_item}} executable=pip3
with_items:
- py-cpuinfo
- photon_core
loop_control:
loop_var: mwu_m_item
become: True

View file

@ -0,0 +1,39 @@
---
- name: ensure neoraider key for fastd package
apt_key:
state: present
id: 16EF3F64CB201D9C
keyserver: keyserver.ubuntu.com
become: True
- name: ensure neoraider fastd repo
apt_repository:
state: present
repo: 'deb https://repo.universe-factory.net/debian/ sid main'
update_cache: no
filename: freifunk
become: True
- name: ensure freifunk-mwu key for batman package
apt_key:
state: present
id: 286CC7A4
keyserver: keyserver.ubuntu.com
become: True
- name: ensure freifunk-mwu batman repo
apt_repository:
state: present
repo: 'deb http://ppa.launchpad.net/freifunk-mwu/batman-adv/ubuntu trusty main'
update_cache: no
filename: freifunk
become: True
- name: ensure freifunk-mwu batman source repo
apt_repository:
state: present
repo: 'deb-src http://ppa.launchpad.net/freifunk-mwu/batman-adv/ubuntu trusty main'
update_cache: yes
filename: freifunk
become: True

View file

@ -0,0 +1,34 @@
# fastd.conf
# from https://github.com/freifunk-mwu/ansible-ffmwu.git
log level warn;
hide ip addresses yes;
hide mac addresses yes;
interface "{{mf_com.abbreviation}}VPN";
method "salsa2012+umac"; # new method (faster)
# Bind to v4 and v6 interfaces
bind {{ansible_default_ipv4.address}}:{{mf_com.fastd_port}};
{% if ansible_default_ipv6.address is defined %}
bind [{{ansible_default_ipv6.address}}]:{{mf_com.fastd_port}};
{% endif %}
include "/etc/fastd/{{mf_com.abbreviation}}VPN/secret.conf";
mtu 1406; # 1492 - IPv4/IPv6 Header - fastd Header...
peer group "vpn_nodes" {
# p#eer limit 200;
include peers from "/etc/fastd/{{mf_com.abbreviation}}VPN/peers"; # servers 2 b moved out ...
{% if mf_com.xtra_peers is defined %}
{% for xtra in mf_com.xtra_peers %}
include peers from "/etc/fastd/{{mf_com.abbreviation}}VPN/{{xtra}}";
{% endfor %}
{% endif %}
}
peer group "servers" {
include peers from "/etc/fastd/{{mf_com.abbreviation}}VPN/peers/servers"; # yet 2 b filled ...
}
status socket "/var/run/fastd-{{mf_com.abbreviation}}.status";

View file

@ -6,3 +6,24 @@
- name: ensure all wanted ssh keys exclusively
authorized_key: exclusive=True state=present user=admin
key={{ mwu_s_admin_keys ~ ( h_v_add_auth_keys | default('') ) }}
- name: ensure some basic packages
apt:
state: present
name: "{{mwu_s_item}}"
update_cache: yes
cache_valid_time: 21600
with_items:
- software-properties-common
- apt-transport-https
- man-db
- mosh
- ntp
- sudo
- sysfsutils
- vim
- vnstat
- vnstati
loop_control:
loop_var: mwu_s_item
become: True