Delete old Roles

This commit is contained in:
Tobias Hachmer 2019-03-22 22:09:23 +01:00
parent 8212fc243c
commit 3320ee053f
No known key found for this signature in database
GPG key ID: E112788464CA5C60
16 changed files with 0 additions and 778 deletions


@ -1,6 +0,0 @@
The ffmwu-bird role sets up the bird config for gates or other meshing
servers (distinction made by group membership). It will ensure empty
include files for ICVPN integration; integration itself to be configured
by different role. bird package should be installed elsewhere.
Relies on host_var "ffrl_exit_conf" and ... .


@ -1,46 +0,0 @@
---
- name: standardise dir ownership
file:
path: /etc/bird
state: directory
owner: admin
group: bird
mode: 0750
- name: standardise file ownerships
file:
path: "{{b_item}}"
state: touch
owner: admin
group: bird
mode: 0750
with_items:
- /etc/bird/bird.conf
- /etc/bird/mwu_peers_v4.inc
- /etc/bird/ffrl_peers_v4.inc
- /etc/bird/icvpn_peers_v4.inc
- /etc/bird/icvpn_roa_v4.inc
- /etc/bird/bird6.conf
- /etc/bird/icvpn_peers_v6.inc
- /etc/bird/icvpn_roa_v6.inc
- /etc/bird/mwu_peers_v6.inc
- /etc/bird/ffrl_peers_v6.inc
loop_control:
loop_var: b_item
- name: template out bird.confs
template:
backup: yes
dest: /etc/bird/{{b_item}}
src: "{{b_item}}"
#validate !!!
with_items:
- bird.conf
- bird6.conf
loop_control:
loop_var: b_item
# FIXME: construct mwu includes
# FIXME: construct ffrl includes


@ -1,258 +0,0 @@
timeformat protocol iso long;
# local addresses
{% if 'gates' in group_names %}
define local_addr_ffrl = {{hostvar}}185.66.195.38;
define local_addr_icvpn = {{hostvar}}10.207.37.161; # ingwer = mwu161
define local_addr_mwu = 10.37.0.{{mwu server id}};
{% else %}
define local_addr_mwu = 10.37.1.{{mwu server id}};
{% endif %}
# AS
define mwu_as = 65037; # private AS of mwu
{% if 'gates' in group_names %}
define ffrl_as = 201701; # public AS of rheinland
{% endif %}
{% if 'gates' in group_names %}
router id local_addr_ffrl;
table ffrl; # BGP Peerings FFRL
# ROA
roa table roa_icvpn {
include "ebgp_roa_v4.inc";
}
{% else %}
router id local_addr_mwu;
{% endif %}
# functions
function is_default() {
return net ~ [
0.0.0.0/0
];
}
function is_freifunk() {
return net ~ [
10.0.0.0/8{16,24}
];
}
function is_dn42() {
return net ~ [
172.20.0.0/14{20,28}
];
}
function is_chaosvpn() {
return net ~ [
172.31.0.0/16+
];
}
function is_mwu_self_nets() {
return net ~ [
10.56.0.0/16+,
10.37.0.0/16+
];
}
function is_wi_self_net() {
return net ~ [
10.56.0.0/16+
];
}
function is_mz_self_net() {
return net ~ [
10.37.0.0/16+
];
}
{% if 'gates' in group_names %}
function is_local_addr_ffrl() {
return net ~ [
{{hostvar}}185.66.195.38/32
];
}
function is_ffrl_tunnel_nets() {
return net ~ [
{{hostvar}}100.64.2.234/31,
{{hostvar}}100.64.2.236/31,
{{hostvar}}100.64.2.238/31,
{{hostvar}}100.64.2.240/31,
{{hostvar}}100.64.1.112/31,
{{hostvar}}100.64.1.114/31
];
}
{% endif %}
# filters
{% if 'gates' in group_names %}
filter ebgp_icvpn_import_filter {
if is_mwu_self_nets() then reject;
if is_chaosvpn() then accept;
if roa_check(roa_icvpn) = ROA_VALID then {
if is_freifunk() then accept;
if is_dn42() then accept;
} else {
if roa_check(roa_icvpn) = ROA_UNKNOWN then {
if is_dn42() then {
# print "ROA UNKNOWN for dn42 net, accepting: ", net, " ASN: ", bgp_path.last;
accept;
}
if is_freifunk() then {
# print "ROA UNKNOWN for freifunk net, accepting: ", net, " ASN: ", bgp_path.last;
accept;
}
}
if roa_check(roa_icvpn) = ROA_INVALID then {
if is_freifunk() then {
# print "ROA INVALID for freifunk net, accept: ", net, " ASN: ", bgp_path.last;
accept;
}
}
reject;
}
reject;
}
filter ebgp_ffrl_import_filter {
if is_default() then accept;
reject;
}
filter ebgp_ffrl_export_filter {
if is_local_addr_ffrl() then accept;
reject;
}
{% else %}
# sanity check: don't allow critical overrides
filter ebgp_icvpn_import_filter {
if is_mwu_self_nets() then reject;
if is_default() then reject;
if is_freifunk() then accept;
if is_dn42() then accept;
if is_chaosvpn() then accept;
reject;
}
{% endif %}
# protocols
# necessary to inform bird about devices
protocol device {
scan time 30;
};
protocol kernel kernel_mwu {
scan time 30;
import none;
export filter {
if is_mwu_self_nets() then
reject;
krt_prefsrc = local_addr_icvpn;
accept;
};
kernel table ipt_icvpn;
};
{% if 'gates' in group_names %}
# learn about directly connected community subnets
protocol direct mwu_subnets {
interface "mzBR";
interface "wiBR";
import where is_mwu_self_nets();
};
protocol static ffrl_uplink_hostroute {
table ffrl;
route 185.66.195.38/32 reject;
}
protocol direct ffrl_tunnels {
table ffrl;
interface "ffrl-*";
import where is_ffrl_tunnel_nets();
}
protocol kernel kernel_ffrl {
scan time 30;
import none;
export filter {
krt_prefsrc = local_addr_ffrl;
accept;
};
table ffrl;
kernel table ipt_ffinetexit;
};
{% endif %}
# Templates
# templates for iBGP
{% if 'gates' in group_names %}
template bgp bgp_ibgp_mwu {
local local_addr_mwu as mwu_as;
import keep filtered on;
import all; # EXPERIMENT !!!!!
export where source = RTS_BGP;
direct;
gateway direct;
};
{% else %}
template bgp bgp_ibgp_mwu {
local local_addr_mwu as mwu_as;
import filter ebgp_icvpn_import_filter;
export none;
direct;
gateway direct;
};
{% endif %}
{% if 'gates' in group_names %}
# templates for eBGP
template bgp ebgp_ic {
local local_addr_icvpn as mwu_as;
import keep filtered on;
import filter ebgp_icvpn_import_filter;
export filter {
if is_mwu_self_nets() then { # own nets
accept;
}
if source = RTS_BGP then {
if is_freifunk() || is_dn42() then {
accept;
}
}
reject;
};
direct;
};
template bgp ffrl_uplink {
table ffrl;
local as mwu_as;
import keep filtered;
import filter ebgp_ffrl_import_filter;
export filter ebgp_ffrl_export_filter;
next hop self;
direct;
};
{% endif %}
# P E E R I N G S
# iBGP
include "mwu_peers_v4.inc";
{% if 'gates' in group_names %}
# P E E R I N G S
# eBGP FFRL exit
include "ffrl_peers_v4.inc";
# P E E R I N G S
# eBGP ICVPN
include "icvpn_peers_v4.inc";
{% endif %}


@ -1,8 +0,0 @@
---
dependencies:
- { role: ffmwu-server }
- { role: packages, pkg_repo_list: "{{meshing_pkg_repo_list}}",
pkg_pkg_list: "{{meshing_pkg_pkg_list}}",
pkg_pip_list: "{{meshing_pkg_pip_list}}",
really_do: "{{ansible_managed_meshing}}" }


@ -1,80 +0,0 @@
---
- name: ensure backend-scripts-log-dir
file: path=~/.cronlog state=directory mode=0700
# FIXME: maybe move behind next block?
- name: clone backend scripts
git:
dest: "~/clones/backend-scripts"
repo: "https://github.com/freifunk-mwu/backend-scripts.git"
accept_hostkey: yes
- block: # replaces backend script bootstrap_git_all.py
- name: generate host key
command: ssh-keygen -t ed25519 -N "" -f {{ansible_hostname}}_rsa
args:
chdir: ~/.ssh
creates: ~/.ssh/{{ansible_hostname}}_rsa
register: keypair
- name: generate ssh config entry
blockinfile:
block: |
Host github_mwu
User git
Hostname github.com
PreferredAuthentications publickey
IdentityFile ~/.ssh/{{ansible_hostname}}_rsa
create: yes
dest: ~/.ssh/config
marker: "# {mark} ANSIBLE MANAGED BLOCK github_mwu"
mode: 0640
- name: change git user name
git_config:
scope: global
name: "user.name"
value: "{{ansible_hostname}}"
- name: change git user email
git_config:
scope: global
name: "user.email"
value: "{{ansible_hostname}}@{{ansible_fqdn}}"
# block end
- block:
- name: read new pubkey
shell: cat ~/.ssh/{{ansible_hostname}}_rsa.pub
register: ssh_pub_key
- name: read existing github token from spinat
shell: cat ~/.ssh/github-ansible-token
register: github_access_token
delegate_to: spinat.freifunk-mwu.de
- name: register new pubkey with github freifunkmwu account
github_key:
name: "Server {{ansible_hostname}}"
token: "{{github_access_token.stdout}}"
pubkey: "{{ssh_pub_key.stdout}}"
# FIXME: force yes ???
force: no
when: keypair.changed
- name: manage crontab - PATH
cron: env=yes name=PATH value="/home/admin/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
- name: manage crontab - entries
cron: name={{mwu_m_item.n}} job={{mwu_m_item.j}} minute={{mwu_m_item.mi}}
hour={{mwu_m_item.h}} day={{mwu_m_item.d}} month={{mwu_m_item.mo}}
weekday={{mwu_m_item.w}}
with_items:
- { n: "sync_meshkeys", mi: "*/15", h: "*", d: "*", mo: "*", w: "*", j: "/usr/bin/python3 $HOME/clones/backend-scripts/sync_meshkeys_gw.py > $HOME/.cronlog/sync_meshkeys.log" }
# FIXME: define hostvar for mi
- { n: "snapshot_configs", mi: "23", h: "5,23", d: "*", mo: "*", w: "*", j: "/usr/bin/python3 $HOME/clones/backend-scripts/snapshot_configs_all.py > $HOME/.cronlog/snapshot_configs.log" }
loop_control:
loop_var: mwu_m_item


@ -1,21 +0,0 @@
---
# this file included in a loop, called seperately for each community
# => configure fastd for one community here
# make a difference between gates an meshing-only servers
# hash describing community expected as "mf_com"; also expected: "f_ssh_keyfile"
- name: ensure fastd config dir - {{mf_com.abbreviation}}
file: path=/etc/fastd/{{mf_com.abbreviation}}VPN/peers
state=directory mode=0750
#- debug: var=mf_com
#- debug: var=f_ssh_keyfile
- name: include either gate ...
include: fastd-gate.yml
when: fastd_config == 'gate'
- name: ... or meshing-only style
include: fastd-meshonly.yml
when: fastd_config == 'meshing-only'


@ -1,73 +0,0 @@
---
# hash describing community expected as "mf_com";
# also expected: "f_ssh_keyfile" and "mf_com_repo"
- name: clone key repo - {{mf_com.abbreviation}}
git:
dest: "{{mf_com_repo}}"
key_file: "{{f_ssh_keyfile.stdout}}"
repo: "ssh://git@github.com/{{mf_com.repo}}"
update: no
accept_hostkey: yes
# the following is a crude but functional work-around the problem that
# the git module wouldn't clone the repo with the ssh-config-entry
# in the url, but git wouldn't push without it (due to missing
# connection to the ssh key)
- name: change git url to pushable
git_config:
repo: "{{mf_com_repo}}"
scope: local
name: "remote.origin.url"
value: "ssh://github_mwu/{{mf_com.repo}}"
- name: generate fastd key pair - {{mf_com.abbreviation}}
command: fastd --generate-key
creates="/etc/fastd/{{mf_com.abbreviation}}VPN/secret.conf"
register: f_key_pair
- block:
# - debug: var=f_key_pair
- name: write out fastd secret key - {{mf_com.abbreviation}}
lineinfile:
backup: yes
create: yes
dest: "/etc/fastd/{{mf_com.abbreviation}}VPN/secret.conf"
insertbefore: BOF
line: secret "{{f_key_pair.stdout_lines[0] |regex_replace('^Secret. ','')}}";
mode: 0400
regexp: '^secret ".*";'
state: present
- name: write out fastd public key - {{mf_com.abbreviation}}
lineinfile:
create: yes
dest: "{{mf_com_repo}}/servers/{{fastd_alias}}"
insertbefore: BOF
line: key "{{f_key_pair.stdout_lines[1] |regex_replace('^Public. ','')}}";
mode: 0440
regexp: '^key ".*";'
state: present
register: f_pub_key
ignore_errors: True
- name: delete secret in case of public failure - {{mf_com.abbreviation}}
file: path="/etc/fastd/{{mf_com.abbreviation}}VPN/secret.conf" state=absent
when: f_pub_key.failed is defined
- fail: msg="FAILED writing fastd key pair"
when: f_pub_key.failed is defined
when: f_key_pair.changed
# end of block
- name: template out fastd.conf - {{mf_com.abbreviation}}
template:
backup: yes
dest: "/etc/fastd/{{mf_com.abbreviation}}VPN/fastd.conf"
mode: 0640
src: "{{mf_com_templ}}"
validate: 'fastd --verify-config -c %s'


@ -1,15 +0,0 @@
---
# this file included by fastd-community.yml, which is included in a loop,
# called seperately for each community
# => configure fastd for one community here
# hash describing community expected as "mf_com"; also expected: "f_ssh_keyfile"
#- debug: var=mf_com
#- debug: var=f_ssh_keyfile
- set_fact:
mf_com_repo: "/etc/fastd/{{mf_com.abbreviation}}VPN/peers"
mf_com_templ: "fastd.conf-gate"
- include: fastd-config.yml


@ -1,34 +0,0 @@
---
# this file included by fastd-community.yml, which is included in a loop,
# called seperately for each community
# => configure fastd for one community here
# hash describing community expected as "mf_com"; also expected: "f_ssh_keyfile"
#- debug: var=mf_com
#- debug: var=f_ssh_keyfile
- name: prepare secure temp dir
command: mktemp -d --tmpdir ansible-tmp-mf{{mf_com.abbreviation}}.XXXXXXXXXX
register: tmpdir
- set_fact:
mf_com_repo: "{{tmpdir.stdout}}"
mf_com_templ: "fastd.conf-meshing"
- include: fastd-config.yml
- name: git add new public key
command: git add servers
chdir="{{mf_com_repo}}"
- name: git commit new public key
command: git commit -m "add {{ansible_hostname}}"
chdir="{{mf_com_repo}}"
- name: git push new public key
command: git push
chdir="{{mf_com_repo}}"
- name: clean up
file: path="{{mf_com_repo}}" state=absent


@ -1,15 +0,0 @@
---
- name: ensure correct ownership of /etc/fastd
file: path=/etc/fastd state=directory mode=0750 owner=admin group=admin
- name: find ssh keyfile name for use with git
shell: grep IdentityFile ~/.ssh/config | awk '{print $2}'
register: f_ssh_keyfile
changed_when: False
# configure communtity, one by one
- include: fastd-community.yml mf_com={{mwu_mf_item.value}}
with_dict: "{{community_params}}"
loop_control:
loop_var: mwu_mf_item


@ -1,19 +0,0 @@
---
# we don't want to disrupt servers where this role is manually maintained!
# thus: warning and block statement
- name: full-stop if meshing role is manually maintained on this server
debug: msg="meshing role skipped to not disrupt manual maintenance - set ansible_managed_meshing to True to enable ansible control"
when: (not ansible_managed_meshing is defined) or (not ansible_managed_meshing)
- block:
# backend scripts
- include: backend-scripts.yml
# fastd
- include: fastd.yml
when: (ansible_managed_meshing is defined) and (ansible_managed_meshing)
# end block


@ -1,34 +0,0 @@
# fastd.conf
# from https://github.com/freifunk-mwu/ansible-ffmwu.git
log level warn;
hide ip addresses yes;
hide mac addresses yes;
interface "{{mf_com.abbreviation}}VPN";
method "salsa2012+umac"; # new method (faster)
# Bind to v4 and v6 interfaces
bind {{ansible_default_ipv4.address}}:{{mf_com.fastd_port}};
{% if ansible_default_ipv6.address is defined %}
bind [{{ansible_default_ipv6.address}}]:{{mf_com.fastd_port}};
{% endif %}
include "/etc/fastd/{{mf_com.abbreviation}}VPN/secret.conf";
mtu 1406; # 1492 - IPv4/IPv6 Header - fastd Header...
peer group "vpn_nodes" {
# p#eer limit 200;
include peers from "/etc/fastd/{{mf_com.abbreviation}}VPN/peers"; # servers 2 b moved out ...
{% if mf_com.xtra_peers is defined %}
{% for xtra in mf_com.xtra_peers %}
include peers from "/etc/fastd/{{mf_com.abbreviation}}VPN/{{xtra}}";
{% endfor %}
{% endif %}
}
peer group "servers" {
include peers from "/etc/fastd/{{mf_com.abbreviation}}VPN/peers/servers"; # yet 2 b filled ...
}
status socket "/var/run/fastd-{{mf_com.abbreviation}}.status";


@ -1,43 +0,0 @@
# fastd.conf
# from https://github.com/freifunk-mwu/ansible-ffmwu.git
log level warn;
hide ip addresses yes;
hide mac addresses yes;
interface "{{mf_com.abbreviation}}VPN";
method "salsa2012+umac"; # new method (faster)
# Bind to v4 and v6 interfaces
bind {{ansible_default_ipv4.address}}:{{mf_com.fastd_port}};
{% if ansible_default_ipv6.address is defined %}
bind [{{ansible_default_ipv6.address}}]:{{mf_com.fastd_port}};
{% endif %}
include "/etc/fastd/{{mf_com.abbreviation}}VPN/secret.conf";
mtu 1406; # 1492 - IPv4/IPv6 Header - fastd Header...
secure handshakes yes;
mode tap;
peer group "mesh_vpn_backbone" {
peer limit 4;
peer "gw_ingwer" {
key "9b74e90fd68df749e45718eced65268260872e4cf74369b9bf9e9fb42411efe9";
remote ipv6 "ingwer.freifunk-mwu.de" port {{mf_com.fastd_port}};
}
peer "gw_lotuswurzel" {
key "d73479cc97a87ffd4b256a873e505f3264408ed077b248358c52e8dc82bbfc07";
remote ipv6 "lotuswurzel.freifunk-mwu.de" port {{mf_com.fastd_port}};
}
peer "gw_spinat" {
key "9e59a202eccabe1aac37d8000e762ecb05e17b3e521f7a54ab693af66e4adfb7";
remote ipv6 "spinat.freifunk-mwu.de" port {{mf_com.fastd_port}};
}
peer "gw_wasserfloh" {
key "9c00e0534a9dc5232e9bfacb304261f21f24604ad233b648bf52d6b40ca60884";
remote ipv6 "wasserfloh.freifunk-mwu.de" port {{mf_com.fastd_port}};
}
}
status socket "/var/run/fastd-{{mf_com.abbreviation}}.status";


@ -1,33 +0,0 @@
---
meshing_pkg_repo_list:
repo_keys:
- neoraider:
id: "16EF3F64CB201D9C"
server: keyserver.ubuntu.com
- freifunk-mwu:
id: "286CC7A4"
server: keyserver.ubuntu.com
repos:
- fastd:
repo: 'deb https://repo.universe-factory.net/debian/ sid main'
update_cache: no
- batman:
repo: 'deb http://ppa.launchpad.net/freifunk-mwu/batman-adv/ubuntu trusty main'
update_cache: no
- batman_src:
repo: 'deb-src http://ppa.launchpad.net/freifunk-mwu/batman-adv/ubuntu trusty main'
update_cache: yes
meshing_pkg_pkg_list:
- git
- haveged
- python3-pip
- fastd
- batctl
- batman-adv-source
meshing_pkg_pip_list: # example
- py-cpuinfo
#- photon_core


@ -1,34 +0,0 @@
This role installs apt and python packages on the target host. Necessary
apt repos can be defined.
It expects the arguments pkg_repo_list, pkg_pkg_list and pkg_pip_list
to be filled. If any argument is undefined, the repectibe action will
be skipped. See below for examples.
```
pkg_repo_list: # example
repo_keys:
- cool_guy:
id: "67678686"
server: keyserver.ubuntu.com
- smart_guy:
id: "2f2f2f2f2"
server: keyserver.ubuntu.com
repos:
- cool_game:
repo: 'deb http://ppa.launchpad.net/cool/game/ubuntu trusty main'
update_cache: no
- smart_tool:
repo: 'deb http://ppa.launchpad.net/samrt/tool/ubuntu trusty main'
update_cache: yes # smart to have yes on last and only last entry
pkg_pkg_list: # example
- cool-game
- smart-tool
- python3-pip # remember this one when wanting to use pkg_pip_list
pkg_pip_list: # example
- smart-tool-py-interface
# this flag controls the execution of the role; used to subdue if needed
really_do: True
```


@ -1,59 +0,0 @@
---
# we don't want to disrupt servers where this role is manually maintained!
# thus: warning and block statement
- name: full-stop if package role is manually maintained on this server
debug: msg="package role skipped to not disrupt manual maintenance - set really_do to True to enable ansible control"
when: (not really_do is defined) or (not really_do)
# observe value of really_do
- block:
# ensure apt keys and apt repos if defined
- block:
- name: ensure defined apt keys
apt_key:
state: present
id: "{{pkg_item.id}}"
keyserver: "{{pkg_item.server}}"
with_items: "{{ (pkg_repo_list|default({})).repo_keys | default([]) }}"
loop_control:
loop_var: pkg_item
# see defaults in with - when: (pkg_repo_list is defined) and (pkg_repo_list.repo_keys is defined)
- name: ensure defined apt repos
apt_repository:
state: present
repo: "{{pkg_item.repo}}"
update_cache: "{{pkg_item.update_cache}}"
filename: freifunk
with_items: "{{ (pkg_repo_list|default({})).repos | default([]) }}"
loop_control:
loop_var: pkg_item
# see defaults in with - when: (pkg_repo_list is defined) and (pkg_repo_list.repos is defined)
# see defaults in with - when: pkg_repo_list is defined
# end block
- name: ensure defined apt packages
apt:
state: present
name: "{{mwu_m_item}}"
update_cache: yes
cache_valid_time: 21600
with_items: "{{meshing_pkg_pkg_list | default([])}}"
loop_control:
loop_var: mwu_m_item
# see default in with - when: meshing_pkg_pkg_list is defined
- name: ensure defined python libs
pip: name={{mwu_m_item}} executable=pip3
with_items: "{{meshing_pkg_pip_list | default([])}}"
loop_control:
loop_var: mwu_m_item
# see default in with - when: meshing_pkg_pip_list is defined
when: (really_do is defined) and (really_do)
# end block