diff --git a/inventory/group_vars/meshing-srv b/inventory/group_vars/meshing-srv
new file mode 100644
index 0000000..922f42c
--- /dev/null
+++ b/inventory/group_vars/meshing-srv
@@ -0,0 +1,19 @@
+---
+
+communities:
+ - mz
+ - wi
+
+community_params:
+ mz:
+ fastd_port: 10037
+ abbreviation: mz
+ name: mainz
+ repo: freifunk-mwu/peers-ffmz
+ xtra_peers:
+ - peers_bingen
+ wi:
+ fastd_port: 10056
+ abbreviation: wi
+ name: wiesbaden
+ repo: freifunk-mwu/peers-ffwi
diff --git a/inventory/host_vars/local-test-vm.ffmwu.local b/inventory/host_vars/local-test-vm.ffmwu.local
new file mode 100644
index 0000000..7745757
--- /dev/null
+++ b/inventory/host_vars/local-test-vm.ffmwu.local
@@ -0,0 +1,5 @@
+---
+
+# communities inherited as mz, wi
+
+fastd_alias: TST_local-vm
diff --git a/inventory/hosts b/inventory/hosts
index cab4512..b91bf82 100644
--- a/inventory/hosts
+++ b/inventory/hosts
@@ -3,17 +3,19 @@
 spinat.freifunk-mwu.de
 lotuswurzel.freifunk-mwu.de
 wasserfloh.freifunk-mwu.de
 # kaschu.freifunk-mwu.de # außer Dienst
-ingwer.freifunk-mwu.de
+ingwer.freifunk-mwu.de # (Debian)
 #mettigel.freifunk-mwu.de
 #parmesan.freifunk-mwu.de
 [meshing-srv:children]
 gates
 meshing-only-srv
+test-vms
 [meshing-only-srv]
 aubergine.freifunk-mwu.de # int. DNS-master
-zuckerwatte.freifunk-mwu.de #
+zuckerwatte.freifunk-mwu.de # web, blogs, wiki
+churro.freifunk-mwu.de # Abloesung: web, blogs, wiki (Debian)
 glueckskeks.freifunk-mwu.de #
 zwiebel.freifunk-mwu.de #
 suesskartoffel.freifunk-mwu.de #
diff --git a/loctevm-meshing.yml b/loctevm-meshing.yml
new file mode 100755
index 0000000..0d6cd3a
--- /dev/null
+++ b/loctevm-meshing.yml
@@ -0,0 +1,11 @@
+#!/usr/bin/ansible-playbook
+---
+
+- include: loctevm-provide.yml
+
+- hosts: test-vms
+ remote_user: admin
+ strategy: linear
+
+ roles:
+ - ffmwu-meshing
diff --git a/loctevm-provide-prereq.inc.yml b/loctevm-provide-prereq.inc.yml
index de0a0fc..2112b07 100644
--- a/loctevm-provide-prereq.inc.yml
+++ b/loctevm-provide-prereq.inc.yml
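Review bot: Adding `test-vms` under `[meshing-srv:children]` makes the local test VM inherit everything in `inventory/group_vars/meshing-srv`, including the production `community_params` (the fastd ports and the `freifunk-mwu/peers-*` key repositories); if a throwaway VM is not meant to join the real mesh with real peer keys, override those values in the host_vars file this commit adds. The `[test-vms]` group itself is not defined anywhere in this hunk; presumably it lives elsewhere in `inventory/hosts` or is created by `loctevm-provide.yml`, but that should be checked, since an INI inventory that references an undefined child group fails to parse. A one-line comment next to `+test-vms`, e.g. `# local test VMs, see loctevm-*.yml`, would tell the next reader where the group comes from.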
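Review bot: `strategy: linear` on the `test-vms` play is Ansible's default strategy, so the line changes nothing and only makes the reader wonder whether `free` or `serial` was meant; drop it, or replace it with a comment stating the intent. The play also carries no `become`, and `roles: - ffmwu-meshing` pulls in `ffmwu-server` through the role's meta dependency, so a comment such as `# ffmwu-meshing depends on ffmwu-server (roles/ffmwu-meshing/meta/main.yml)` above the roles list would make the full effect of this playbook visible from here.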
@@ -22,6 +22,7 @@
 - name: ensure users ssh key to admin user
 authorized_key: user=admin key="{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
+ exclusive=no
 become: True
 - name: ensure users ssh key to bootstrap user
diff --git a/roles/ffmwu-meshing/meta/main.yml b/roles/ffmwu-meshing/meta/main.yml
new file mode 100644
index 0000000..773c9a3
--- /dev/null
+++ b/roles/ffmwu-meshing/meta/main.yml
@@ -0,0 +1,4 @@
+---
+
+dependencies:
+- ffmwu-server
diff --git a/roles/ffmwu-meshing/tasks/main.yml b/roles/ffmwu-meshing/tasks/main.yml
new file mode 100644
index 0000000..ff92209
--- /dev/null
+++ b/roles/ffmwu-meshing/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+
+ # arp and python packages
+- include: mwu-m-pkgs.yml
+
+ # backend scripts
+- include: mwu-m-bes.yml
+
+ # fastd
+- include: mwu-m-fastd.yml
diff --git a/roles/ffmwu-meshing/tasks/mwu-m-bes.yml b/roles/ffmwu-meshing/tasks/mwu-m-bes.yml
new file mode 100644
index 0000000..554ac21
--- /dev/null
+++ b/roles/ffmwu-meshing/tasks/mwu-m-bes.yml
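Review bot: `exclusive=no` is the authorized_key module's default, so the added continuation line does not change what the task does; if it is there to document a decision, a `#` comment above the task says so more clearly than a no-op argument. The more important interaction is with `roles/ffmwu-server/tasks/main.yml` in this same commit, whose context line runs `authorized_key: exclusive=True state=present user=admin key={{ mwu_s_admin_keys ~ ( h_v_add_auth_keys | default('') ) }}`: ffmwu-server is a dependency of the new ffmwu-meshing role, so the operator's `~/.ssh/id_rsa.pub` authorized here is removed again later in `loctevm-meshing.yml` unless it is part of `mwu_s_admin_keys` or `h_v_add_auth_keys`, which would lock the operator out of the test VM mid-run. `mwu_s_admin_keys` is not visible in this diff, so this needs confirming; a comment on this task naming that later exclusive task would prevent the surprise either way. The task this hunk edits starts inside the hunk, but the surrounding file is not shown.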
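Review bot: The three section comments in `roles/ffmwu-meshing/tasks/main.yml` are indented one step deeper than the `- include:` lines they describe (` # arp and python packages` above `- include: mwu-m-pkgs.yml`), which yamllint's comments-indentation rule flags; put each comment at column 0 directly above its include. The first comment also announces arp packages, while `mwu-m-pkgs.yml` in this commit installs git, haveged, python3-pip, fastd, batctl and batman-adv-source, so either the comment or the package list is out of date; `# repos, mesh packages and python libs` would match what the included file does.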
@@ -0,0 +1,49 @@
+---
+
+- name: ensure backend-scripts-log-dir
+ file: path=~/.cronlog state=directory mode=0700
+
+- name: clone backend scripts
+ git:
+ dest: "~/clones/backend-scripts"
+ repo: "https://github.com/freifunk-mwu/backend-scripts.git"
+ accept_hostkey: yes
+
+- name: generate host key
+ shell: python3 ~/clones/backend-scripts/bootstrap_git_all.py
+ args:
+ creates: ~/.ssh/{{ansible_hostname}}_rsa
+ register: keypair
+
+# FIXME: activate with ansible 2.2 ...
+#- block:
+# - name: read new pubkey
+# shell: cat ~/.ssh/{{ansible_hostname}}_rsa.pub
+# register: ssh_pub_key
+#
+# - name: read existing secret from spinat
+# shell: cat ~/.ssh/spinat_rsa
+# register: github_access_token
+# delegate_to: spinat.freifunk-mwu.de
+#
+# - name: register new pubkey with github freifunkmwu account
+# github_key:
+# name: "Server {{ansible_hostname}}"
+# token: "{{github_access_token.stdout}}"
+# pubkey: "{{ssh_pub_key.stdout}}"
+#
+# when: keypair.changed
+
+- name: manage crontab - PATH
+ cron: env=yes name=PATH value="/home/admin/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
+
+- name: manage crontab - entries
+ cron: name={{mwu_m_item.n}} job={{mwu_m_item.j}} minute={{mwu_m_item.mi}}
+ hour={{mwu_m_item.h}} day={{mwu_m_item.d}} month={{mwu_m_item.mo}}
+ weekday={{mwu_m_item.w}}
+ with_items:
+ - { n: "sync_meshkeys", mi: "*/15", h: "*", d: "*", mo: "*", w: "*", j: "/usr/bin/python3 $HOME/clones/backend-scripts/sync_meshkeys_gw.py > $HOME/.cronlog/sync_meshkeys.log" }
+ # FIXME: define hostvar for mi
+ - { n: "snapshot_configs", mi: "23", h: "5,23", d: "*", mo: "*", w: "*", j: "/usr/bin/python3 $HOME/clones/backend-scripts/snapshot_configs_all.py > $HOME/.cronlog/snapshot_configs.log" }
+ loop_control:
+ loop_var: mwu_m_item
diff --git a/roles/ffmwu-meshing/tasks/mwu-m-fastd-com.yml b/roles/ffmwu-meshing/tasks/mwu-m-fastd-com.yml
new file mode 100644
index 0000000..a9b3243
--- /dev/null
+++ b/roles/ffmwu-meshing/tasks/mwu-m-fastd-com.yml
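Review bot: The commented-out block under `# FIXME: activate with ansible 2.2` reads a GitHub access token with `shell: cat ~/.ssh/spinat_rsa` into `github_access_token` and then passes it as `token:` to `github_key`; when that block is enabled, both tasks need `no_log: true`, since registered results and module arguments are printed in verbose runs and forwarded by callback plugins to whatever log collector is attached. `accept_hostkey: yes` on the backend-scripts clone has no effect on an https remote and can be dropped there, which keeps that option meaningful where it does matter (the ssh clones in `mwu-m-fastd-com.yml`). The cron entries redirect only stdout into `~/.cronlog`, so script errors go to cron mail rather than the log file; `2>&1` on the job strings, or a comment saying that stderr is intentionally left to cron, would settle that.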
@@ -0,0 +1,70 @@
+---
+# this file included in a loop, called seperately for each community
+# => configure fastd for one community here
+# hash describing community expected as "mf_com"; also expected: "f_ssh_keyfile"
+
+- name: ensure fastd config dir - {{mf_com.abbreviation}}
+ file: path=/etc/fastd/{{mf_com.abbreviation}}VPN/peers
+ state=directory mode=0750
+
+#- debug: var=mf_com
+
+#- debug: var=f_ssh_keyfile
+
+- name: clone key repo - {{mf_com.abbreviation}}
+ git:
+ dest: "/etc/fastd/{{mf_com.abbreviation}}VPN/peers"
+ key_file: "{{f_ssh_keyfile.stdout}}"
+ repo: "ssh://git@github.com/{{mf_com.repo}}"
+ update: no
+ accept_hostkey: yes
+
+- name: generate fastd key pair - {{mf_com.abbreviation}}
+ command: fastd --generate-key
+ creates="/etc/fastd/{{mf_com.abbreviation}}VPN/secret.conf"
+ register: f_key_pair
+
+- block:
+
+# - debug: var=f_key_pair
+
+ - name: write out fastd secret key - {{mf_com.abbreviation}}
+ lineinfile:
+ backup: yes
+ create: yes
+ dest: "/etc/fastd/{{mf_com.abbreviation}}VPN/secret.conf"
+ insertbefore: BOF
+ line: secret "{{f_key_pair.stdout_lines[0] |regex_replace('^Secret. ','')}}";
+ mode: 0400
+ regexp: '^secret ".*";'
+ state : present
+
+ - name: write out fastd public key - {{mf_com.abbreviation}}
+ lineinfile:
+ create: yes
+ dest: "/etc/fastd/{{mf_com.abbreviation}}VPN/peers/servers/{{fastd_alias}}"
+ insertbefore: BOF
+ line: key "{{f_key_pair.stdout_lines[1] |regex_replace('^Public. 
','')}}";
+ mode: 0440
+ regexp: '^key ".*";'
+ state : present
+ register: f_pub_key
+ ignore_errors: True
+
+ - name: delete secret in case of public failure - {{mf_com.abbreviation}}
+ file: path="/etc/fastd/{{mf_com.abbreviation}}VPN/secret.conf" state=absent
+ when: f_pub_key.failed is defined
+
+ - fail: msg="FAILED writing fastd key pair"
+ when: f_pub_key.failed is defined
+
+ when: f_key_pair.changed
+ # end of block
+
+- name: template out fastd.conf - {{mf_com.abbreviation}}
+ template:
+ backup: yes
+ dest: "/etc/fastd/{{mf_com.abbreviation}}VPN/fastd.conf"
+ mode: 0640
+ src: fastd.conf
+ validate: 'fastd --verify-config -c %s'
diff --git a/roles/ffmwu-meshing/tasks/mwu-m-fastd.yml b/roles/ffmwu-meshing/tasks/mwu-m-fastd.yml
new file mode 100644
index 0000000..b813413
--- /dev/null
+++ b/roles/ffmwu-meshing/tasks/mwu-m-fastd.yml
@@ -0,0 +1,16 @@
+---
+
+- name: ensure correct ownership of /etc/fastd
+ file: path=/etc/fastd state=directory mode=0750 owner=admin group=admin
+ become: True
+
+- name: find ssh keyfile name for use with git
+ shell: grep IdentityFile ~/.ssh/config | awk '{print $2}'
+ register: f_ssh_keyfile
+ changed_when: False
+
+ # configure communtity, one by one
+- include: mwu-m-fastd-com.yml mf_com={{mwu_mf_item.value}}
+ with_dict: "{{community_params}}"
+ loop_control:
+ loop_var: mwu_mf_item
diff --git a/roles/ffmwu-meshing/tasks/mwu-m-pkgs.yml b/roles/ffmwu-meshing/tasks/mwu-m-pkgs.yml
new file mode 100644
index 0000000..7542827
--- /dev/null
+++ b/roles/ffmwu-meshing/tasks/mwu-m-pkgs.yml
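Review bot: `command: fastd --generate-key` registers the whole key pair in `f_key_pair`, and the first `lineinfile` in the block places the secret half into its `line:` argument, so without `no_log: true` on those two tasks the private key appears in `-v` output and in every callback plugin's task result; the same applies to the `debug: var=f_key_pair` line should it ever be uncommented. The guards `when: f_pub_key.failed is defined` rely on the `failed` key being absent from a successful result; on Ansible versions whose registered results always carry `failed: false` the condition is true after success, the freshly written `secret.conf` is deleted and the play fails, whereas `when: f_pub_key.failed | default(false)` holds under either behaviour. `accept_hostkey: yes` on the `ssh://git@github.com/...` clone trusts whichever host key is presented on first contact; seeding `~/.ssh/known_hosts` with the expected github.com key through the `known_hosts` module before this include runs would turn that into a checked value, and the two `state : present` lines have a stray space before the colon. This hunk is split across two source lines at the `'^Public. '` regex, which is one line in the file.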
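Review bot: `shell: grep IdentityFile ~/.ssh/config | awk '{print $2}'` prints one path per `IdentityFile` directive, and `f_ssh_keyfile.stdout` then reaches `key_file:` in `mwu-m-fastd-com.yml` with all of them joined by newlines, which the git module cannot use; if the ssh config can hold more than one `Host` block, select explicitly (`grep -m1 IdentityFile ~/.ssh/config | awk '{print $2}'` or `f_ssh_keyfile.stdout_lines[0]`), or better, carry the key path in a role variable instead of scraping the config, which also removes the implicit failure when no `IdentityFile` line exists. Handing `/etc/fastd` to `admin:admin` means the unprivileged role user owns the fastd secret keys written underneath it; that looks deliberate, since the per-community tasks run without `become`, but a comment on the task saying so would keep a later reader from "fixing" it back to root.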
@@ -0,0 +1,29 @@
+---
+
+- include: mwu-m-repos.yml
+
+- name: ensure mandatory packages
+ apt:
+ state: present
+ name: "{{mwu_m_item}}"
+ update_cache: yes
+ cache_valid_time: 21600
+ with_items:
+ - git
+ - haveged
+ - python3-pip
+ - fastd
+ - batctl
+ - batman-adv-source
+ loop_control:
+ loop_var: mwu_m_item
+ become: True
+
+- name: ensure manatory python libs
+ pip: name={{mwu_m_item}} executable=pip3
+ with_items:
+ - py-cpuinfo
+ - photon_core
+ loop_control:
+ loop_var: mwu_m_item
+ become: True
diff --git a/roles/ffmwu-meshing/tasks/mwu-m-repos.yml b/roles/ffmwu-meshing/tasks/mwu-m-repos.yml
new file mode 100644
index 0000000..c303300
--- /dev/null
+++ b/roles/ffmwu-meshing/tasks/mwu-m-repos.yml
@@ -0,0 +1,39 @@
+---
+
+- name: ensure neoraider key for fastd package
+ apt_key:
+ state: present
+ id: 16EF3F64CB201D9C
+ keyserver: keyserver.ubuntu.com
+ become: True
+
+- name: ensure neoraider fastd repo
+ apt_repository:
+ state: present
+ repo: 'deb https://repo.universe-factory.net/debian/ sid main'
+ update_cache: no
+ filename: freifunk
+ become: True
+
+- name: ensure freifunk-mwu key for batman package
+ apt_key:
+ state: present
+ id: 286CC7A4
+ keyserver: keyserver.ubuntu.com
+ become: True
+
+- name: ensure freifunk-mwu batman repo
+ apt_repository:
+ state: present
+ repo: 'deb http://ppa.launchpad.net/freifunk-mwu/batman-adv/ubuntu trusty main'
+ update_cache: no
+ filename: freifunk
+ become: True
+
+- name: ensure freifunk-mwu batman source repo
+ apt_repository:
+ state: present
+ repo: 'deb-src http://ppa.launchpad.net/freifunk-mwu/batman-adv/ubuntu trusty main'
+ update_cache: yes
+ filename: freifunk
+ become: True
diff --git a/roles/ffmwu-meshing/templates/fastd.conf b/roles/ffmwu-meshing/templates/fastd.conf
new file mode 100644
index 0000000..ac953db
--- /dev/null
+++ b/roles/ffmwu-meshing/templates/fastd.conf
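Review bot: The `pip` task installs `py-cpuinfo` and `photon_core` from PyPI as root (`become: True`, system site-packages) without a `version:`, so each run may pull a different release and the resulting host is not reproducible; pin the versions per item, e.g. `pip: name={{mwu_m_item.n}} version={{mwu_m_item.v}} executable=pip3` with `{ n: "photon_core", v: "<pinned version>" }` entries, or keep the pins in a role default. The task name also has a typo, `ensure manatory python libs` → `ensure mandatory python libs`.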
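Review bot: `id: 286CC7A4` is an 8-hex-digit short key id, and the key is fetched from `keyserver.ubuntu.com` by that id alone; short ids are cheap to collide, so the keyserver can return a different key that still satisfies the match, and that key then signs the `batman-adv` packages installed by `mwu-m-pkgs.yml`. Use the full 40-hex fingerprint in both `apt_key` tasks (the neoraider entry uses a 16-digit long id, which is better but still not a fingerprint) and take the fingerprints from the upstream project's own page rather than from the keyserver. A comment above each task naming where the fingerprint was verified, e.g. `# fingerprint checked against <upstream page>`, documents the trust anchor for the next person touching this file.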
@@ -0,0 +1,34 @@
+# fastd.conf
+# from https://github.com/freifunk-mwu/ansible-ffmwu.git
+
+log level warn;
+hide ip addresses yes;
+hide mac addresses yes;
+
+interface "{{mf_com.abbreviation}}VPN";
+method "salsa2012+umac"; # new method (faster)
+
+# Bind to v4 and v6 interfaces
+bind {{ansible_default_ipv4.address}}:{{mf_com.fastd_port}};
+{% if ansible_default_ipv6.address is defined %}
+bind [{{ansible_default_ipv6.address}}]:{{mf_com.fastd_port}};
+{% endif %}
+
+include "/etc/fastd/{{mf_com.abbreviation}}VPN/secret.conf";
+mtu 1406; # 1492 - IPv4/IPv6 Header - fastd Header...
+
+peer group "vpn_nodes" {
+# p#eer limit 200;
+ include peers from "/etc/fastd/{{mf_com.abbreviation}}VPN/peers"; # servers 2 b moved out ...
+{% if mf_com.xtra_peers is defined %}
+ {% for xtra in mf_com.xtra_peers %}
+ include peers from "/etc/fastd/{{mf_com.abbreviation}}VPN/{{xtra}}";
+ {% endfor %}
+{% endif %}
+}
+
+peer group "servers" {
+ include peers from "/etc/fastd/{{mf_com.abbreviation}}VPN/peers/servers"; # yet 2 b filled ...
+}
+
+status socket "/var/run/fastd-{{mf_com.abbreviation}}.status";
diff --git a/roles/ffmwu-server/tasks/main.yml b/roles/ffmwu-server/tasks/main.yml
index 189dbd6..21bc53a 100644
--- a/roles/ffmwu-server/tasks/main.yml
+++ b/roles/ffmwu-server/tasks/main.yml
@@ -6,3 +6,24 @@
 - name: ensure all wanted ssh keys exclusively
 authorized_key: exclusive=True state=present user=admin key={{ mwu_s_admin_keys ~ ( h_v_add_auth_keys | default('') ) }}
+
+- name: ensure some basic packages
+ apt:
+ state: present
+ name: "{{mwu_s_item}}"
+ update_cache: yes
+ cache_valid_time: 21600
+ with_items:
+ - software-properties-common
+ - apt-transport-https
+ - man-db
+ - mosh
+ - ntp
+ - sudo
+ - sysfsutils
+ - vim
+ - vnstat
+ - vnstati
+ loop_control:
+ loop_var: mwu_s_item
+ become: True
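Review bot: The Jinja control tags inside `peer group "vpn_nodes"` are indented (` {% for xtra in mf_com.xtra_peers %}` / ` {% endfor %}`), so every rendered fastd.conf carries whitespace-only lines for each tag; fastd accepts that, but `{%- for ... %}` / `{%- endfor %}` or a `#jinja2: trim_blocks: True` header keeps the output clean and the `validate: 'fastd --verify-config -c %s'` diff readable. `{% if ansible_default_ipv6.address is defined %}` is fine as long as the facts always provide `ansible_default_ipv6` as a mapping (empty when there is no v6 route); if the fact itself can be missing, `ansible_default_ipv6 is defined and ansible_default_ipv6.address is defined` avoids an undefined-variable error at template time. `# p#eer limit 200;` reads like a half-finished edit and should become `# peer limit 200;` or be removed.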