set up meshing server (only local test for now) up to fastd - still missing: batman
This commit is contained in:
parent
e301d42066
commit
1a96ad9ef7
14 changed files with 312 additions and 2 deletions
19
inventory/group_vars/meshing-srv
Normal file
19
inventory/group_vars/meshing-srv
Normal file
|
@ -0,0 +1,19 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
communities:
|
||||||
|
- mz
|
||||||
|
- wi
|
||||||
|
|
||||||
|
community_params:
|
||||||
|
mz:
|
||||||
|
fastd_port: 10037
|
||||||
|
abbreviation: mz
|
||||||
|
name: mainz
|
||||||
|
repo: freifunk-mwu/peers-ffmz
|
||||||
|
xtra_peers:
|
||||||
|
- peers_bingen
|
||||||
|
wi:
|
||||||
|
fastd_port: 10056
|
||||||
|
abbreviation: wi
|
||||||
|
name: wiesbaden
|
||||||
|
repo: freifunk-mwu/peers-ffwi
|
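Review bot: The `community_params` entries follow a schema that only the role's include chain reveals: `abbreviation`, `fastd_port` and `repo` are read by `mwu-m-fastd-com.yml` and the `fastd.conf` template, `xtra_peers` is optional there, and `name` is not read anywhere this commit shows. A header comment would spare the next editor the search, e.g. `# per-community settings consumed by roles/ffmwu-meshing (fastd stage); required: abbreviation, fastd_port, repo; optional: xtra_peers`. It is also worth stating next to `repo` that the value is cloned over ssh from GitHub with `update: no`, so later peer updates have to come from elsewhere.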
5
inventory/host_vars/local-test-vm.ffmwu.local
Normal file
5
inventory/host_vars/local-test-vm.ffmwu.local
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
# communities inherited as mz, wi
|
||||||
|
|
||||||
|
fastd_alias: TST_local-vm
|
|
@ -3,17 +3,19 @@ spinat.freifunk-mwu.de
|
||||||
lotuswurzel.freifunk-mwu.de
|
lotuswurzel.freifunk-mwu.de
|
||||||
wasserfloh.freifunk-mwu.de
|
wasserfloh.freifunk-mwu.de
|
||||||
# kaschu.freifunk-mwu.de # außer Dienst
|
# kaschu.freifunk-mwu.de # außer Dienst
|
||||||
ingwer.freifunk-mwu.de
|
ingwer.freifunk-mwu.de # (Debian)
|
||||||
#mettigel.freifunk-mwu.de
|
#mettigel.freifunk-mwu.de
|
||||||
#parmesan.freifunk-mwu.de
|
#parmesan.freifunk-mwu.de
|
||||||
|
|
||||||
[meshing-srv:children]
|
[meshing-srv:children]
|
||||||
gates
|
gates
|
||||||
meshing-only-srv
|
meshing-only-srv
|
||||||
|
test-vms
|
||||||
|
|
||||||
[meshing-only-srv]
|
[meshing-only-srv]
|
||||||
aubergine.freifunk-mwu.de # int. DNS-master
|
aubergine.freifunk-mwu.de # int. DNS-master
|
||||||
zuckerwatte.freifunk-mwu.de #
|
zuckerwatte.freifunk-mwu.de # web, blogs, wiki
|
||||||
|
churro.freifunk-mwu.de # Abloesung: web, blogs, wiki (Debian)
|
||||||
glueckskeks.freifunk-mwu.de #
|
glueckskeks.freifunk-mwu.de #
|
||||||
zwiebel.freifunk-mwu.de #
|
zwiebel.freifunk-mwu.de #
|
||||||
suesskartoffel.freifunk-mwu.de #
|
suesskartoffel.freifunk-mwu.de #
|
||||||
|
|
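Review bot: Placing `test-vms` under `[meshing-srv:children]` makes the local test VM inherit `group_vars/meshing-srv`, so it receives the same community parameters as the gateways, clones the real peer-key repositories and installs the `sync_meshkeys` and `snapshot_configs` cron jobs. If that is intended only for the fastd test stage, an inline comment next to the entry, e.g. `test-vms  # local meshing test; inherits production community params`, would keep the next reader from treating it as a production gateway. The rest of the hunk is context.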
11
loctevm-meshing.yml
Executable file
11
loctevm-meshing.yml
Executable file
|
@ -0,0 +1,11 @@
|
||||||
|
#!/usr/bin/ansible-playbook
|
||||||
|
---
|
||||||
|
|
||||||
|
- include: loctevm-provide.yml
|
||||||
|
|
||||||
|
- hosts: test-vms
|
||||||
|
remote_user: admin
|
||||||
|
strategy: linear
|
||||||
|
|
||||||
|
roles:
|
||||||
|
- ffmwu-meshing
|
|
@ -22,6 +22,7 @@
|
||||||
|
|
||||||
- name: ensure users ssh key to admin user
|
- name: ensure users ssh key to admin user
|
||||||
authorized_key: user=admin key="{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
|
authorized_key: user=admin key="{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
|
||||||
|
exclusive=no
|
||||||
become: True
|
become: True
|
||||||
|
|
||||||
- name: ensure users ssh key to bootstrap user
|
- name: ensure users ssh key to bootstrap user
|
||||||
|
|
4
roles/ffmwu-meshing/meta/main.yml
Normal file
4
roles/ffmwu-meshing/meta/main.yml
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
dependencies:
|
||||||
|
- ffmwu-server
|
10
roles/ffmwu-meshing/tasks/main.yml
Normal file
10
roles/ffmwu-meshing/tasks/main.yml
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
# arp and python packages
|
||||||
|
- include: mwu-m-pkgs.yml
|
||||||
|
|
||||||
|
# backend scripts
|
||||||
|
- include: mwu-m-bes.yml
|
||||||
|
|
||||||
|
# fastd
|
||||||
|
- include: mwu-m-fastd.yml
|
49
roles/ffmwu-meshing/tasks/mwu-m-bes.yml
Normal file
49
roles/ffmwu-meshing/tasks/mwu-m-bes.yml
Normal file
|
@ -0,0 +1,49 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: ensure backend-scripts-log-dir
|
||||||
|
file: path=~/.cronlog state=directory mode=0700
|
||||||
|
|
||||||
|
- name: clone backend scripts
|
||||||
|
git:
|
||||||
|
dest: "~/clones/backend-scripts"
|
||||||
|
repo: "https://github.com/freifunk-mwu/backend-scripts.git"
|
||||||
|
accept_hostkey: yes
|
||||||
|
|
||||||
|
- name: generate host key
|
||||||
|
shell: python3 ~/clones/backend-scripts/bootstrap_git_all.py
|
||||||
|
args:
|
||||||
|
creates: ~/.ssh/{{ansible_hostname}}_rsa
|
||||||
|
register: keypair
|
||||||
|
|
||||||
|
# FIXME: activate with ansible 2.2 ...
|
||||||
|
#- block:
|
||||||
|
# - name: read new pubkey
|
||||||
|
# shell: cat ~/.ssh/{{ansible_hostname}}_rsa.pub
|
||||||
|
# register: ssh_pub_key
|
||||||
|
#
|
||||||
|
# - name: read existing secret from spinat
|
||||||
|
# shell: cat ~/.ssh/spinat_rsa
|
||||||
|
# register: github_access_token
|
||||||
|
# delegate_to: spinat.freifunk-mwu.de
|
||||||
|
#
|
||||||
|
# - name: register new pubkey with github freifunkmwu account
|
||||||
|
# github_key:
|
||||||
|
# name: "Server {{ansible_hostname}}"
|
||||||
|
# token: "{{github_access_token.stdout}}"
|
||||||
|
# pubkey: "{{ssh_pub_key.stdout}}"
|
||||||
|
#
|
||||||
|
# when: keypair.changed
|
||||||
|
|
||||||
|
- name: manage crontab - PATH
|
||||||
|
cron: env=yes name=PATH value="/home/admin/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
|
||||||
|
|
||||||
|
- name: manage crontab - entries
|
||||||
|
cron: name={{mwu_m_item.n}} job={{mwu_m_item.j}} minute={{mwu_m_item.mi}}
|
||||||
|
hour={{mwu_m_item.h}} day={{mwu_m_item.d}} month={{mwu_m_item.mo}}
|
||||||
|
weekday={{mwu_m_item.w}}
|
||||||
|
with_items:
|
||||||
|
- { n: "sync_meshkeys", mi: "*/15", h: "*", d: "*", mo: "*", w: "*", j: "/usr/bin/python3 $HOME/clones/backend-scripts/sync_meshkeys_gw.py > $HOME/.cronlog/sync_meshkeys.log" }
|
||||||
|
# FIXME: define hostvar for mi
|
||||||
|
- { n: "snapshot_configs", mi: "23", h: "5,23", d: "*", mo: "*", w: "*", j: "/usr/bin/python3 $HOME/clones/backend-scripts/snapshot_configs_all.py > $HOME/.cronlog/snapshot_configs.log" }
|
||||||
|
loop_control:
|
||||||
|
loop_var: mwu_m_item
|
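Review bot: `clone backend scripts` sets no `version:`, so `bootstrap_git_all.py` and the two cron jobs execute whatever is at the repository's default branch head at run time on every host; pinning a tag or commit, e.g. `version: "<pinned tag or commit — placeholder>"`, makes the executed code reviewable and the run reproducible. When the `FIXME` block is enabled, the task that registers `github_access_token` from `cat ~/.ssh/spinat_rsa` and the `github_key` task consuming it should carry `no_log: true`, because registered stdout and module arguments are printed in verbose runs and callbacks. The cron `job` strings redirect only stdout (`> $HOME/.cronlog/...log`), so script errors go to cron's mail path instead of the log; append `2>&1` to both.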
70
roles/ffmwu-meshing/tasks/mwu-m-fastd-com.yml
Normal file
70
roles/ffmwu-meshing/tasks/mwu-m-fastd-com.yml
Normal file
|
@ -0,0 +1,70 @@
|
||||||
|
---
|
||||||
|
# this file included in a loop, called seperately for each community
|
||||||
|
# => configure fastd for one community here
|
||||||
|
# hash describing community expected as "mf_com"; also expected: "f_ssh_keyfile"
|
||||||
|
|
||||||
|
- name: ensure fastd config dir - {{mf_com.abbreviation}}
|
||||||
|
file: path=/etc/fastd/{{mf_com.abbreviation}}VPN/peers
|
||||||
|
state=directory mode=0750
|
||||||
|
|
||||||
|
#- debug: var=mf_com
|
||||||
|
|
||||||
|
#- debug: var=f_ssh_keyfile
|
||||||
|
|
||||||
|
- name: clone key repo - {{mf_com.abbreviation}}
|
||||||
|
git:
|
||||||
|
dest: "/etc/fastd/{{mf_com.abbreviation}}VPN/peers"
|
||||||
|
key_file: "{{f_ssh_keyfile.stdout}}"
|
||||||
|
repo: "ssh://git@github.com/{{mf_com.repo}}"
|
||||||
|
update: no
|
||||||
|
accept_hostkey: yes
|
||||||
|
|
||||||
|
- name: generate fastd key pair - {{mf_com.abbreviation}}
|
||||||
|
command: fastd --generate-key
|
||||||
|
creates="/etc/fastd/{{mf_com.abbreviation}}VPN/secret.conf"
|
||||||
|
register: f_key_pair
|
||||||
|
|
||||||
|
- block:
|
||||||
|
|
||||||
|
# - debug: var=f_key_pair
|
||||||
|
|
||||||
|
- name: write out fastd secret key - {{mf_com.abbreviation}}
|
||||||
|
lineinfile:
|
||||||
|
backup: yes
|
||||||
|
create: yes
|
||||||
|
dest: "/etc/fastd/{{mf_com.abbreviation}}VPN/secret.conf"
|
||||||
|
insertbefore: BOF
|
||||||
|
line: secret "{{f_key_pair.stdout_lines[0] |regex_replace('^Secret. ','')}}";
|
||||||
|
mode: 0400
|
||||||
|
regexp: '^secret ".*";'
|
||||||
|
state : present
|
||||||
|
|
||||||
|
- name: write out fastd public key - {{mf_com.abbreviation}}
|
||||||
|
lineinfile:
|
||||||
|
create: yes
|
||||||
|
dest: "/etc/fastd/{{mf_com.abbreviation}}VPN/peers/servers/{{fastd_alias}}"
|
||||||
|
insertbefore: BOF
|
||||||
|
line: key "{{f_key_pair.stdout_lines[1] |regex_replace('^Public. ','')}}";
|
||||||
|
mode: 0440
|
||||||
|
regexp: '^key ".*";'
|
||||||
|
state : present
|
||||||
|
register: f_pub_key
|
||||||
|
ignore_errors: True
|
||||||
|
|
||||||
|
- name: delete secret in case of public failure - {{mf_com.abbreviation}}
|
||||||
|
file: path="/etc/fastd/{{mf_com.abbreviation}}VPN/secret.conf" state=absent
|
||||||
|
when: f_pub_key.failed is defined
|
||||||
|
|
||||||
|
- fail: msg="FAILED writing fastd key pair"
|
||||||
|
when: f_pub_key.failed is defined
|
||||||
|
|
||||||
|
when: f_key_pair.changed
|
||||||
|
# end of block
|
||||||
|
|
||||||
|
- name: template out fastd.conf - {{mf_com.abbreviation}}
|
||||||
|
template:
|
||||||
|
backup: yes
|
||||||
|
dest: "/etc/fastd/{{mf_com.abbreviation}}VPN/fastd.conf"
|
||||||
|
mode: 0640
|
||||||
|
src: fastd.conf
|
||||||
|
validate: 'fastd --verify-config -c %s'
|
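Review bot: `generate fastd key pair` registers the complete `fastd --generate-key` output (secret and public line) and `write out fastd secret key` places the secret in `line:`, so both tasks echo the private key in verbose and `--diff` runs; add `no_log: true` to both. `when: f_pub_key.failed is defined` relies on the result dict omitting `failed` on success, which is not guaranteed across Ansible versions; `when: f_pub_key|failed` (or the `is failed` test on newer releases) states the intent directly and is needed on both the delete and the `fail` task. The header comment `# hash describing community expected as "mf_com"` could also list the keys actually read here (`abbreviation`, `repo`, and `fastd_port` via the template) so callers know what to pass.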
16
roles/ffmwu-meshing/tasks/mwu-m-fastd.yml
Normal file
16
roles/ffmwu-meshing/tasks/mwu-m-fastd.yml
Normal file
|
@ -0,0 +1,16 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: ensure correct ownership of /etc/fastd
|
||||||
|
file: path=/etc/fastd state=directory mode=0750 owner=admin group=admin
|
||||||
|
become: True
|
||||||
|
|
||||||
|
- name: find ssh keyfile name for use with git
|
||||||
|
shell: grep IdentityFile ~/.ssh/config | awk '{print $2}'
|
||||||
|
register: f_ssh_keyfile
|
||||||
|
changed_when: False
|
||||||
|
|
||||||
|
# configure communtity, one by one
|
||||||
|
- include: mwu-m-fastd-com.yml mf_com={{mwu_mf_item.value}}
|
||||||
|
with_dict: "{{community_params}}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: mwu_mf_item
|
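Review bot: `find ssh keyfile name for use with git` feeds `f_ssh_keyfile.stdout` straight into `key_file:`, but `grep IdentityFile ~/.ssh/config | awk '{print $2}'` yields an empty string when no entry exists and several lines when the config has more than one `IdentityFile`, and with `changed_when: False` and no failure condition the include proceeds with a broken key path. Guard it with `failed_when: f_ssh_keyfile.stdout_lines | length != 1`. `ensure correct ownership of /etc/fastd` hands the directory holding every community's secret key to the unprivileged `admin` user; if that is deliberate so the per-community tasks can run without `become`, a comment saying so would stop a later reader from "fixing" it back to root. The comment `# configure communtity, one by one` also has a typo (`community`).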
29
roles/ffmwu-meshing/tasks/mwu-m-pkgs.yml
Normal file
29
roles/ffmwu-meshing/tasks/mwu-m-pkgs.yml
Normal file
|
@ -0,0 +1,29 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- include: mwu-m-repos.yml
|
||||||
|
|
||||||
|
- name: ensure mandatory packages
|
||||||
|
apt:
|
||||||
|
state: present
|
||||||
|
name: "{{mwu_m_item}}"
|
||||||
|
update_cache: yes
|
||||||
|
cache_valid_time: 21600
|
||||||
|
with_items:
|
||||||
|
- git
|
||||||
|
- haveged
|
||||||
|
- python3-pip
|
||||||
|
- fastd
|
||||||
|
- batctl
|
||||||
|
- batman-adv-source
|
||||||
|
loop_control:
|
||||||
|
loop_var: mwu_m_item
|
||||||
|
become: True
|
||||||
|
|
||||||
|
- name: ensure manatory python libs
|
||||||
|
pip: name={{mwu_m_item}} executable=pip3
|
||||||
|
with_items:
|
||||||
|
- py-cpuinfo
|
||||||
|
- photon_core
|
||||||
|
loop_control:
|
||||||
|
loop_var: mwu_m_item
|
||||||
|
become: True
|
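Review bot: `ensure manatory python libs` installs `py-cpuinfo` and `photon_core` from PyPI as root with no `version=`, so each run may pull a different, unreviewed release onto every meshing host; pin them, e.g. `pip: name={{mwu_m_item.n}} version={{mwu_m_item.v}} executable=pip3` with items like `{ n: "py-cpuinfo", v: "<pinned version — placeholder>" }`. The task name also misspells `mandatory`. The `# arp and python packages` comment in `tasks/main.yml` promises arp-related packages, but nothing in this list matches that description; either the comment or the list should be adjusted.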
39
roles/ffmwu-meshing/tasks/mwu-m-repos.yml
Normal file
39
roles/ffmwu-meshing/tasks/mwu-m-repos.yml
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: ensure neoraider key for fastd package
|
||||||
|
apt_key:
|
||||||
|
state: present
|
||||||
|
id: 16EF3F64CB201D9C
|
||||||
|
keyserver: keyserver.ubuntu.com
|
||||||
|
become: True
|
||||||
|
|
||||||
|
- name: ensure neoraider fastd repo
|
||||||
|
apt_repository:
|
||||||
|
state: present
|
||||||
|
repo: 'deb https://repo.universe-factory.net/debian/ sid main'
|
||||||
|
update_cache: no
|
||||||
|
filename: freifunk
|
||||||
|
become: True
|
||||||
|
|
||||||
|
- name: ensure freifunk-mwu key for batman package
|
||||||
|
apt_key:
|
||||||
|
state: present
|
||||||
|
id: 286CC7A4
|
||||||
|
keyserver: keyserver.ubuntu.com
|
||||||
|
become: True
|
||||||
|
|
||||||
|
- name: ensure freifunk-mwu batman repo
|
||||||
|
apt_repository:
|
||||||
|
state: present
|
||||||
|
repo: 'deb http://ppa.launchpad.net/freifunk-mwu/batman-adv/ubuntu trusty main'
|
||||||
|
update_cache: no
|
||||||
|
filename: freifunk
|
||||||
|
become: True
|
||||||
|
|
||||||
|
- name: ensure freifunk-mwu batman source repo
|
||||||
|
apt_repository:
|
||||||
|
state: present
|
||||||
|
repo: 'deb-src http://ppa.launchpad.net/freifunk-mwu/batman-adv/ubuntu trusty main'
|
||||||
|
update_cache: yes
|
||||||
|
filename: freifunk
|
||||||
|
become: True
|
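Review bot: `ensure freifunk-mwu key for batman package` identifies the signing key by the 8-hex-digit short id `286CC7A4`; 32-bit short ids are collidable, so a keyserver lookup by short id can resolve to a different key than intended and apt would then trust it for the PPA. Use the full 40-hex-digit fingerprint instead, `id: <full fingerprint — placeholder>`; the 64-bit id `16EF3F64CB201D9C` for the fastd repo is better but should get the same treatment. Both batman repo lines use `http://ppa.launchpad.net`; apt's signature check still protects package integrity, but `https` (already used for the fastd repo) would also keep the package list from on-path observers.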
34
roles/ffmwu-meshing/templates/fastd.conf
Normal file
34
roles/ffmwu-meshing/templates/fastd.conf
Normal file
|
@ -0,0 +1,34 @@
|
||||||
|
# fastd.conf
|
||||||
|
# from https://github.com/freifunk-mwu/ansible-ffmwu.git
|
||||||
|
|
||||||
|
log level warn;
|
||||||
|
hide ip addresses yes;
|
||||||
|
hide mac addresses yes;
|
||||||
|
|
||||||
|
interface "{{mf_com.abbreviation}}VPN";
|
||||||
|
method "salsa2012+umac"; # new method (faster)
|
||||||
|
|
||||||
|
# Bind to v4 and v6 interfaces
|
||||||
|
bind {{ansible_default_ipv4.address}}:{{mf_com.fastd_port}};
|
||||||
|
{% if ansible_default_ipv6.address is defined %}
|
||||||
|
bind [{{ansible_default_ipv6.address}}]:{{mf_com.fastd_port}};
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
include "/etc/fastd/{{mf_com.abbreviation}}VPN/secret.conf";
|
||||||
|
mtu 1406; # 1492 - IPv4/IPv6 Header - fastd Header...
|
||||||
|
|
||||||
|
peer group "vpn_nodes" {
|
||||||
|
# p#eer limit 200;
|
||||||
|
include peers from "/etc/fastd/{{mf_com.abbreviation}}VPN/peers"; # servers 2 b moved out ...
|
||||||
|
{% if mf_com.xtra_peers is defined %}
|
||||||
|
{% for xtra in mf_com.xtra_peers %}
|
||||||
|
include peers from "/etc/fastd/{{mf_com.abbreviation}}VPN/{{xtra}}";
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
|
}
|
||||||
|
|
||||||
|
peer group "servers" {
|
||||||
|
include peers from "/etc/fastd/{{mf_com.abbreviation}}VPN/peers/servers"; # yet 2 b filled ...
|
||||||
|
}
|
||||||
|
|
||||||
|
status socket "/var/run/fastd-{{mf_com.abbreviation}}.status";
|
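Review bot: `peer group "vpn_nodes"` has its only cap commented out and the comment itself is garbled (`# p#eer limit 200;`), so the group accepts an unbounded number of node peers per community; either restore `peer limit 200;` deliberately or fix the comment to `# peer limit 200;  # TODO: decide on a per-community cap`. The `include peers from ".../peers"` line points at the git checkout root, which also contains the `servers` subdirectory and `.git`; whether fastd descends into those is not visible from this commit, so the `servers 2 b moved out ...` remark deserves a concrete TODO before the `servers` group goes live.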
|
@ -6,3 +6,24 @@
|
||||||
- name: ensure all wanted ssh keys exclusively
|
- name: ensure all wanted ssh keys exclusively
|
||||||
authorized_key: exclusive=True state=present user=admin
|
authorized_key: exclusive=True state=present user=admin
|
||||||
key={{ mwu_s_admin_keys ~ ( h_v_add_auth_keys | default('') ) }}
|
key={{ mwu_s_admin_keys ~ ( h_v_add_auth_keys | default('') ) }}
|
||||||
|
|
||||||
|
- name: ensure some basic packages
|
||||||
|
apt:
|
||||||
|
state: present
|
||||||
|
name: "{{mwu_s_item}}"
|
||||||
|
update_cache: yes
|
||||||
|
cache_valid_time: 21600
|
||||||
|
with_items:
|
||||||
|
- software-properties-common
|
||||||
|
- apt-transport-https
|
||||||
|
- man-db
|
||||||
|
- mosh
|
||||||
|
- ntp
|
||||||
|
- sudo
|
||||||
|
- sysfsutils
|
||||||
|
- vim
|
||||||
|
- vnstat
|
||||||
|
- vnstati
|
||||||
|
loop_control:
|
||||||
|
loop_var: mwu_s_item
|
||||||
|
become: True
|
||||||
|
|