This reverts commit ff1dac07ba
.
This commit is contained in:
parent
ff1dac07ba
commit
513e914437
200 changed files with 269 additions and 4715 deletions
19
.yamllint
19
.yamllint
|
@ -1,19 +0,0 @@
|
|||
extends: default
|
||||
|
||||
rules:
|
||||
braces: {max-spaces-inside: 1, level: error}
|
||||
brackets: {max-spaces-inside: 1, level: error}
|
||||
colons: {max-spaces-after: -1, level: error}
|
||||
commas: {max-spaces-after: -1, level: error}
|
||||
comments: disable
|
||||
comments-indentation: disable
|
||||
document-start: disable
|
||||
empty-lines: {max: 3, level: error}
|
||||
hyphens: {level: error}
|
||||
indentation: disable
|
||||
key-duplicates: enable
|
||||
line-length: disable
|
||||
new-line-at-end-of-file: disable
|
||||
new-lines: {type: unix}
|
||||
trailing-spaces: enable
|
||||
truthy: disable
|
203
Readme.md
203
Readme.md
|
@ -1,195 +1,40 @@
|
|||
# Ansible Freifunk MWU
|
||||
# ansible-ffmwu.git
|
||||
|
||||
Wir, die Freifunk MWU Community, nutzen Ansible um unsere Freifunk Server aufzusetzen und zu konfigurieren. In
|
||||
diesem Repository verwalten wir unsere Ansible Roles und Playbooks.
|
||||
|
||||
Ein Server muss minimal vorbereitet sein, bevor dieser per Ansible z.B. zu einem Freifunk-Gateway gemacht werden
|
||||
kann. Die folgenden Voraussetzungen müssen erfüllt sein:
|
||||
An dieser Stelle soll der ganze ansible-script-junk entstehen, um ein FFMWU-Gateway automagisiert aufzusetzen. Das Geraffel kann später auch auf andere server-Typen erweitert werden, wenn sinnvoll.
|
||||
Ein server muss minimal vorbereitet sein, bevor er mit den hiesigen Skripten zum Gate (oder zu Sonstigem) gemacht werden kann. Insbesondere müssen die folgenden Voraussetzungen erfüllt sein (diese werden vom playbook `test-prerequisites.yml` getestet):
|
||||
|
||||
- Ein dedizierter (v)server muss existieren und unter einer IPv4- und einer IPv6-Adresse öffentlich erreichbar sein.
|
||||
- Die Adressen müssen im MWU-DNS eingetragen sein.
|
||||
- Als Betriebssystem muss Debian Stretch installiert sein.
|
||||
- Für Ansible muss Python 2.6 oder höher installiert sein.
|
||||
- Es muss einen User admin geben, auf den die Admins Zugriff haben; dieser muss Root-Zugang über sudo haben.
|
||||
- Die Adressen sollen im MWU-DNS eingetragen sein.
|
||||
- Es muss eine nakte unterstützte linux-Version aufgesetzt sein (aktuell Ubuntu 14.04, bald Debian).
|
||||
- Es muss einen user admin geben, auf den die Admins Zugriff haben; dieser muss root-Zugang über sudo haben.
|
||||
|
||||
Diese Voraussetzungen werden von der Rolle `prerequisites` geprüft, die Rolle sollte als erste Rolle in jedem
|
||||
Playbook eingebunden sein.
|
||||
Zusätzlich ist sehr empfehlenswert, dass die Admins die Maschinen mit ihren fqdns in ihrer ssh-config definiert haben.
|
||||
|
||||
Voraussetzungen für die Control Machine:
|
||||
Bisher gibt es hier zwei Sammlungen von files: zum Einen der Beginn des eigentlichen Zwecks: bisher kann eine Rolle (auf Basis der obigen Voraussetzungen) alle FFMWU-Server in dem ihnen allen identischen Aspekt vorbereiten, der Pflege der ssh keys der admins. Zum Anderen gibt es ein playbook, das eine lokale Test-VM aufsetzt, auf der man alle eigentlichen playbooks und Rollen testen kann, ohne ernsthaften Schaden anzurichten.
|
||||
|
||||
- Python 2 (Versionen 2.6 oder 2.7) oder 3 (Versionen 3.5 oder höher)
|
||||
- Ansible Version >= 2.4.0.0
|
||||
- Python Modul `netaddr`
|
||||
- Python Modul `dnspython`
|
||||
## Aufsetzen und Pflegen von Gateways
|
||||
|
||||
Die Server werden mit ihren FQDNs im Ansible Inventory hinterlegt, bedenkt das für eure ssh-config.
|
||||
Alle FFMWU-Gatways sind auch FFMWU-Server, alle anderen server bei uns überraschenderweise auch; so sind auch Alle im inventory in der Gruppe 'ff-servers' zusammengefasst. Der Aspekt, der allen FFMWU-Servern gemein ist, sind die ssh-keys der admins. Auf einigen servern gibt es allerdings weitere Zugriffsberechtigte (spezialisierte admins).
|
||||
|
||||
## Gruppen-Variablen
|
||||
Viele Variablen sind Mesh-spezifisch und werden auf allen Gateways benötigt. Deshalb verwalten wir die Liste `meshes`. Jeder Listeneintrag ist ein Dictionary. Diese Liste befindet sich in der Sondergruppe `all` (inventory/group_vars/all) und steht damit allen Hosts im Inventory zur Verfügung.
|
||||
Diese Liste ist quasi das Herzstück zur Konfiguration der Mesh-spezifischen Parameter auf den Freifunk-Gateways. Jedes Dictionary repräsentiert eine Mesh-Wolke/Domain/Layer2-Netzwerk und ist wie folgt aufgebaut (Beispiel Mainz):
|
||||
So gibt es eine Rolle ('ffmwu-server'), die allen hosts dieser Gruppe zugewiesen ist (über das playbook 'ffmwu-servers.yml', später auch über Abhängigkeiten der speziellern playbooks). Dieses playbook (einfach starten) weist die Rolle zu, welche ihrerseits die shh keys auf den hosts pflegt.
|
||||
|
||||
|Name|Type|Value|Format|Comment|
|
||||
|----|----|-----|------|-------|
|
||||
|id |Variable|mz|string|Zum Teil werden Interface-Namen davon abgeleitet, z.B. `mzbr` oder `mzbat`|
|
||||
|site_number|Variable|37|integer|Fließt in IP-Adress-Berechnung ein|
|
||||
|site_code|Variable|ffmz|string||
|
||||
|site_name|Variable|Mainz|string||
|
||||
|ipv4_network|Variable|10.37.0.0/18|string; Network/Prefix||
|
||||
|ipv6_ula|List|- fd37:b4dc:4b1e::/48|string; Network/Prefix||
|
||||
|ipv6_public|List|- 2a03:2260:11a::/48|string; Network/Prefix||
|
||||
|dnssl|List|- ffmz.org|string|DNS Search List (dhcp/radvd)|
|
||||
|batman|Dictionary||||
|
||||
|batman.it|Key|10000|integer||
|
||||
|batman.gw|Key|server 96mbit/96mbit|string||
|
||||
|batman.mm|Key|0|boolean||
|
||||
|batman.dat|Key|0|boolean||
|
||||
|batman.hop_penalty|Key|60|integer||
|
||||
|radvd|Dictionary||||
|
||||
|radvd.maxrtradvinterval|Key|900|integer||
|
||||
|radvd.advvalidlifetime|Key|864000|integer||
|
||||
|radvd.advpreferredlifetime|Key|172800|integer||
|
||||
|iface_mtu|Variable|1350|integer|Client MTU|
|
||||
|fastd|Dictionary||||
|
||||
|fastd.nodes|Dictionary||||
|
||||
|fastd.nodes.instances|List|||Jeder Listeneintrag ist ein Dictionary; Instanzen für Node-Kommunikation|
|
||||
|fastd.nodes.instances[x].id|Key|0|integer||
|
||||
|fastd.nodes.instances[x].mtu|Key|1406|integer||
|
||||
|fastd.nodes.instances[x].peers|Dictionary||||
|
||||
|fastd.nodes.instances[x].peers.repo|Key|https://github.com/freifunk-mwu/peers-ffmz.git|URL||
|
||||
|fastd.nodes.instances[x].peers.version|Key|master|string||
|
||||
|fastd.nodes.instances[x].pass|Key|fastd/mzvpn|string||
|
||||
|fastd.intragate|Dictionary||||
|
||||
|fastd.intragate.instances|List|||Jeder Listeneintrag ist ein Dictionary; Instanzen für Intragate-Kommunikation|
|
||||
|fastd.intragate.instances[x].id|Key|0|integer||
|
||||
|fastd.intragate.instances[x].mtu|Key|1406|integer||
|
||||
|fastd.intragate.instances[x].peers|Dictionary||||
|
||||
|fastd.intragate.instances[x].peers.repo|Key|https://github.com/freifunk-mwu/peers-ffmz.git|URL||
|
||||
|fastd.intragate.instances[x].peers.version|Key|master|string||
|
||||
|fastd.intragate.instances[x].pass|Key|fastd/mzigvpn|string||
|
||||
|dns|Dictionary||||
|
||||
|dns.master|Key|fd37:b4dc:4b1e::a25:103|string; IP-Adresse|DNS-Master IP|
|
||||
|dns.forward_zones|List||||
|
||||
|dns.forward_zones[x].name|Key|ffmz.org|string||
|
||||
|dns.forward_zones[x].master|Key|fd37:b4dc:4b1e::a25:10c|string; IP-Adresse|Optional - überschreibt dns.master|
|
||||
|http_domain_internal|Variable|ffmz.org|string|Haupt-Domain für HTTP-Server(intern)|
|
||||
|http_domain_external|Variable|freifunk-mainz.de|string|Haupt-Domain für HTTP-Server(extern)||
|
||||
Die Rolle besteht aus nur einem task und einer definierten Variable, die die keys der admins enthält. Sind auf einem host weitere ssh keys von Nöten, so werden disse als hostvar definiert.
|
||||
|
||||
Weitere Gruppen-Variablen:
|
||||
## Erzeugen einer test-VM
|
||||
|
||||
|Name|Type|Value|Format|Comment|
|
||||
|----|----|-----|------|-------|
|
||||
|as_private_mwu|Variable|65037|integer|Privates AS von Freifunk MWU|
|
||||
|as_public_ffrl|Variable|201701|integer|Public AS von Freifunk Rheinland|
|
||||
|internet_exit_tcp_mss_ipv4|Variable|1240|integer|IPv4 TCP MSS|
|
||||
|internet_exit_tcp_mss_ipv6|Variable|1220|integer|IPv6 TCP MSS|
|
||||
|routing_tables|Dictionary||||
|
||||
|routing_tables.icvpn|Key|23|integer||
|
||||
|routing_tables.mwu|Key|41|integer||
|
||||
|routing_tables.internet|Key|61|integer||
|
||||
|icvpn_ipv4_transfer_net|Variable|10.207.0.0/16|string; Network/Prefix|ICVPN IPv4 Transfernetz|
|
||||
|icvpn_ipv6_transfer_net|Variable|fec0::a:cf:0:0/96|string; Network/Prefix|ICVPN IPv6 Transfernetz|
|
||||
|bgp_loopback_net|Variable|10.37.0.0/18|string; Network/Prefix|MWU Loopback Netz für dynamisches Routing|
|
||||
|bgp_ipv4_transfer_net|Variable|10.37.0.0/18|string; Network/Prefix|MWU IPv4 Transfernetz für dynamisches Routing|
|
||||
|bgp_ipv6_transfer_net|Variable|fd37:b4dc:4b1e::/64|string; Network/Prefix|MWU IPv6 Transfernetz für dynamisches Routing|
|
||||
|http_domain_internal|Variable|ffmwu.org|string|Haupt-Domain für HTTP-Server(intern)|
|
||||
|http_domain_external|Variable|freifunk-mwu.de|string|Haupt-Domain für HTTP-Server(extern)|
|
||||
|icvpn|Dictionary|||ICVPN Informationen|
|
||||
|icvpn.prefix|Key|mwu|string|Prefix für MWU Gateways, z.B. `mwu7` für Spinat|
|
||||
|icvpn.interface|Key|icvpn|string|Name für ICVPN Interface + tinc Instanz|
|
||||
|icvpn.icvpn_repo|Key|https://github.com/freifunk/icvpn|string|URL zum freifunk/icvpn Repository|
|
||||
|bgp_mwu_servers|Dictionary|||Enthält pro BGP MWU peer ein Dictionary - IP-Adressen aus bgp_ipvX_transfer_net|
|
||||
|bgp_mwu_servers.spinat|Dictionary||||
|
||||
|bgp_mwu_servers.spinat.ipv4|Variable|10.37.0.7|string - IPv4-Adresse||
|
||||
|bgp_mwu_server.spinat.ipv6|Variable|fd37:b4dc:4b1e::a25:7|string - IPv6-Adresse||
|
||||
Um die playbooks und Rollen gefahrlos testen zu können, bietet sich ein test host an. Hierfür kann eine lokale VM zu Einsatz kommen, wenn die Voraussetzungen stimmen.
|
||||
|
||||
Damit auf der lokalen Maschine (der ansible controle machine) VMs ablaufen (und mit dem playbook angelegt werden) können, müssen verschiedene Voraussetzungen erfüllt sein. U. a.:
|
||||
|
||||
## Host-Variablen
|
||||
Alle Server- bzw. Gateway-spezifischen Parameter werden als Host-Variablen abgebildet:
|
||||
- installierte Pakete zu libvirt, kvm und qemu und Pakete virt-manager, isomaster
|
||||
- >15G freier Plattenplatz
|
||||
- ansible >= 2.1
|
||||
|
||||
|Name|Type|Value|Format|Comment|
|
||||
|----|----|-----|------|-------|
|
||||
|magic|Variable|7|integer|Muss eindeutig unter allen Servern sein|
|
||||
|ipv4_dhcp_range|Variable|6|integer|Wenn man das Mesh-Netz (/18) in /22er-Subnetze unterteilt und durchnummeriert, ist der Wert hier die Nummer des zu verwendenden /22er Subnetzes zwecks DHCP-Adress-Vergabe|
|
||||
|ffrl_public_ipv4_nat|Variable|185.66.195.32/32|IP/Prefix|Öffentliche IPv4-NAT-Adresse|
|
||||
|ffrl_exit_server|Dictionary|||Enthält pro FFRL Tunnel ein Dictionary|
|
||||
|ffrl_exit_server.ffrl-a-ak-ber|Dictionary|||Name = Interface|
|
||||
|ffrl_exit_server.ffrl-a-ak-ber.public_ipv4_address|Key|185.66.195.0|IP-Adresse|IP-Adresse der Tunnel-Gegenstelle|
|
||||
|ffrl_exit_server.ffrl-a-ak-ber.tunnel_ipv4_network|Key|100.64.2.226/31|Network/Prefix|Internes IPv4-Tunnel-Subnetz|
|
||||
|ffrl_exit_server.ffrl-a-ak-ber.tunnel_ipv6_network|Key|2a03:2260:0:17b::/64|Network/Prefix|Internes IPv6-Tunnel-Subnetz|
|
||||
|ffrl_exit_server.ffrl-b-ak-ber|Dictionary|||Name = Interface|
|
||||
|ffrl_exit_server.ffrl-b-ak-ber.public_ipv4_address|Key|185.66.195.1|IP-Adresse|IP-Adresse der Tunnel-Gegenstelle|
|
||||
|ffrl_exit_server.ffrl-b-ak-ber.tunnel_ipv4_network|Key|100.64.2.228/31|Network/Prefix|Internes IPv4-Tunnel-Subnetz|
|
||||
|ffrl_exit_server.ffrl-b-ak-ber.tunnel_ipv6_network|Key|2a03:2260:0:17c::/64|Network/Prefix|Internes IPv6-Tunnel-Subnetz|
|
||||
|ffrl_exit_server.ffrl-a-ix-dus|Dictionary|||Name = Interface|
|
||||
|ffrl_exit_server.ffrl-a-ix-dus.public_ipv4_address|Key|185.66.193.0|IP-Adresse|IP-Adresse der Tunnel-Gegenstelle|
|
||||
|ffrl_exit_server.ffrl-a-ix-dus.tunnel_ipv4_network|Key|100.64.2.230/31|Network/Prefix|Internes IPv4-Tunnel-Subnetz|
|
||||
|ffrl_exit_server.ffrl-a-ix-dus.tunnel_ipv6_network|Key|2a03:2260:0:17d::/64|Network/Prefix|Internes IPv6-Tunnel-Subnetz|
|
||||
|ffrl_exit_server.ffrl-b-ix-dus|Dictionary|||Name = Interface|
|
||||
|ffrl_exit_server.ffrl-b-ix-dus.public_ipv4_address|Key|185.66.193.1|IP-Adresse|IP-Adresse der Tunnel-Gegenstelle|
|
||||
|ffrl_exit_server.ffrl-b-ix-dus.tunnel_ipv4_network|Key|100.64.2.232/31|Network/Prefix|Internes IPv4-Tunnel-Subnetz|
|
||||
|ffrl_exit_server.ffrl-b-ix-dus.tunnel_ipv6_network|Key|2a03:2260:0:17e::/64|Network/Prefix|Internes IPv6-Tunnel-Subnetz|
|
||||
|ffrl_exit_server.ffrl-a-fra2-fra|Dictionary|||Name = Interface|
|
||||
|ffrl_exit_server.ffrl-a-fra2-fra.public_ipv4_address|Key|185.66.194.0|IP-Adresse|IP-Adresse der Tunnel-Gegenstelle|
|
||||
|ffrl_exit_server.ffrl-a-fra2-fra.tunnel_ipv4_network|Key|100.64.0.186/31|Network/Prefix|Internes IPv4-Tunnel-Subnetz|
|
||||
|ffrl_exit_server.ffrl-a-fra2-fra.tunnel_ipv6_network|Key|2a03:2260:0:63::/64|Network/Prefix|Internes IPv6-Tunnel-Subnetz|
|
||||
|ffrl_exit_server.ffrl-b-fra2-fra|Dictionary|||Name = Interface|
|
||||
|ffrl_exit_server.ffrl-b-fra2-fra.public_ipv4_address|Key|185.66.194.1|IP-Adresse|IP-Adresse der Tunnel-Gegenstelle|
|
||||
|ffrl_exit_server.ffrl-b-fra2-fra.tunnel_ipv4_network|Key|100.64.0.188/31|Network/Prefix|Internes IPv4-Tunnel-Subnetz|
|
||||
|ffrl_exit_server.ffrl-b-fra2-fra.tunnel_ipv6_network|Key|2a03:2260:0:64::/64|Network/Prefix|Internes IPv6-Tunnel-Subnetz|
|
||||
Leider sind die letzten 2 Meter der Aufgabe offenbar in dieser Art nicht automatisierbar. Deshalb muss der user an einer Stelle mit 'isomaster' kurz etwas manuell durchführen
|
||||
Das playbook 'loctevm-reset.yml' einfach ausführen.
|
||||
|
||||
## Sensible Informationen
|
||||
### bekannte Probleme
|
||||
|
||||
Sensible Daten, z.B. private keys für Dienste wie fastd und tinc verwalten wir in einem [Password Store](https://www.passwordstore.org/).
|
||||
Falls ihr mehrere Password Stores verwaltet, denkt vor Benutzung von Ansible daran, die Umgebungsvariable auf den richtigen Store zu verweisen:
|
||||
```
|
||||
export PASSWORD_STORE_DIR=...
|
||||
```
|
||||
|
||||
## Aufsetzen eines neuen Gateways
|
||||
|
||||
- FQDN im Inventory zur Gruppe ffmwu-gateways hinzufügen
|
||||
- Host-Variablen setzen
|
||||
- inventory/host_vars/$FQDN
|
||||
|
||||
```
|
||||
---
|
||||
# Gateway-Nummer, von der vieles abgeleitet wird. Integer zwischen 1-254. Muss eindeutig unter allen FFMWU Servern sein.
|
||||
magic:
|
||||
|
||||
# Die Nummer des /22er IPv4-Subnetzes, das per DHCP verteilt werden soll.
|
||||
# z.B. 5 für 10.X.16.0/22 (fünftes /22 Subnetz aus 10.X.0.0/18)
|
||||
ipv4_dhcp_range:
|
||||
|
||||
# FFRL (muss vorher bereits zugewiesen worden sein)
|
||||
# Öffentliche IPv4 NAT Adresse, Format: IP/Prefix
|
||||
ffrl_public_ipv4_nat:
|
||||
|
||||
ffrl_exit_server:
|
||||
ffrl-a-ak-ber:
|
||||
public_ipv4_address: 185.66.195.0
|
||||
tunnel_ipv4_network: # Format: IP/Maske
|
||||
tunnel_ipv6_network:
|
||||
ffrl-b-ak-ber:
|
||||
public_ipv4_address: 185.66.195.1
|
||||
tunnel_ipv4_network: # Format: IP/Maske
|
||||
tunnel_ipv6_network:
|
||||
ffrl-a-ix-dus:
|
||||
public_ipv4_address: 185.66.193.0
|
||||
tunnel_ipv4_network: # Format: IP/Maske
|
||||
tunnel_ipv6_network:
|
||||
ffrl-b-ix-dus:
|
||||
public_ipv4_address: 185.66.193.1
|
||||
tunnel_ipv4_network: # Format: IP/Maske
|
||||
tunnel_ipv6_network:
|
||||
ffrl-a-fra2-fra:
|
||||
public_ipv4_address: 185.66.194.0
|
||||
tunnel_ipv4_network: # Format: IP/Maske
|
||||
tunnel_ipv6_network:
|
||||
ffrl-b-fra2-fra:
|
||||
public_ipv4_address: 185.66.194.1
|
||||
tunnel_ipv4_network: # Format: IP/Maske
|
||||
tunnel_ipv6_network:
|
||||
```
|
||||
- Neues Gateway aufsetzen per `ansible-playbook playbooks/gateways.yml`
|
||||
- Hierbei werden die definierten Rollen auch auf schon aufgesetzte Gateways angewandt, was unkritisch ist, weil wir unsere Rollen idempotent schreiben.
|
||||
- Um die Rollen nur auf das neu aufzusetzende Gateway anzuwenden: `ansible-playbook playbooks/gateways.yml --limit=$FQDN`
|
||||
- Wenn die VM wegen Zugriffsfehler auf die virtuellen volumes nicht startet, können die Berechtigungen der übergeordneten Verzeichnisse Schuld sein -> hier mal schauen.
|
||||
- Ein Schritt scheint nicht automagisierbar, hier werden isomaster & der user benötigt.
|
||||
- Bisher wird direkt die 64bit-Version ausgewählt.
|
||||
|
|
15
ansible.cfg
15
ansible.cfg
|
@ -1,13 +1,10 @@
|
|||
[defaults]
|
||||
inventory = ./inventory
|
||||
retry_files_enabled = False
|
||||
remote_tmp = $HOME/ansible_tmp
|
||||
remote_user = admin
|
||||
ansible_managed = Ansible managed - don't edit this file!
|
||||
roles_path = ./roles
|
||||
|
||||
[privilege_escalation]
|
||||
become = True
|
||||
# local
|
||||
inventory = ./inventory/hosts
|
||||
retry_files_save_path = ~/.ansible/retry-files
|
||||
#vault_password_file = ~/.ansible/vault-password-file
|
||||
# remote
|
||||
remote_tmp = $HOME/ansible_tmp
|
||||
|
||||
#[ssh_connection]
|
||||
#pipelining = True
|
||||
|
|
8
ffmwu-build.yml
Executable file
8
ffmwu-build.yml
Executable file
|
@ -0,0 +1,8 @@
|
|||
#!/usr/bin/ansible-playbook
|
||||
---
|
||||
- hosts: build-servers
|
||||
remote_user: admin
|
||||
strategy: linear
|
||||
|
||||
roles:
|
||||
- ffmwu-build
|
|
@ -1,7 +1,9 @@
|
|||
#!/usr/bin/ansible-playbook
|
||||
---
|
||||
|
||||
- hosts: meshing-srv
|
||||
remote_user: admin
|
||||
strategy: linear
|
||||
|
||||
roles:
|
||||
- prerequisites
|
||||
- ffmwu-meshing
|
||||
- ffmwu-meshing
|
9
ffmwu-servers.yml
Executable file
9
ffmwu-servers.yml
Executable file
|
@ -0,0 +1,9 @@
|
|||
#!/usr/bin/ansible-playbook
|
||||
---
|
||||
|
||||
- hosts: ff-servers
|
||||
remote_user: admin
|
||||
strategy: linear
|
||||
|
||||
roles:
|
||||
- ffmwu-server
|
|
@ -125,3 +125,4 @@
|
|||
# remote_src: True # though remote equals local ...
|
||||
# delegate_to: 127.0.0.1 # local action
|
||||
# register: primcopy
|
||||
|
|
@ -18,14 +18,15 @@
|
|||
|
||||
- name: ensure admin user
|
||||
user: comment="FFMWU Administrator" name=admin shell=/bin/bash state=present
|
||||
become: True
|
||||
|
||||
- name: ensure users ssh key to admin user
|
||||
authorized_key: user=admin key="{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
|
||||
exclusive=no
|
||||
become: True
|
||||
|
||||
- name: ensure users ssh key to bootstrap user
|
||||
authorized_key: user=hein key="{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
|
||||
become: false
|
||||
|
||||
- name: ensure no-pw sudo capability for admin and bootstrap user
|
||||
lineinfile:
|
||||
|
@ -34,6 +35,8 @@
|
|||
line: "admin,hein ALL = (root) NOPASSWD: ALL"
|
||||
mode: 0440
|
||||
validate: visudo -c -f %s
|
||||
become: True
|
||||
|
||||
- name: from this point on prevent pw for bootstrap user
|
||||
user: user=hein password=X
|
||||
become: True
|
|
@ -1,2 +0,0 @@
|
|||
[ffmwu-build-servers]
|
||||
milchreis.freifunk-mwu.de
|
|
@ -1,2 +0,0 @@
|
|||
[ffmwu-gateways]
|
||||
uffschnitt.freifunk-mwu.de
|
|
@ -1,2 +0,0 @@
|
|||
[ffmwu-servers]
|
||||
milchreis.freifunk-mwu.de
|
|
@ -1,174 +0,0 @@
|
|||
---
|
||||
as_private_mwu: 65037
|
||||
as_public_ffrl: 201701
|
||||
|
||||
internet_exit_tcp_mss_ipv4: 1240
|
||||
internet_exit_tcp_mss_ipv6: 1220
|
||||
|
||||
routing_tables:
|
||||
icvpn: 23
|
||||
mwu: 41
|
||||
internet: 61
|
||||
|
||||
icvpn_ipv4_transfer_net: 10.207.0.0/16
|
||||
icvpn_ipv6_transfer_net: fec0::a:cf:0:0/96
|
||||
bgp_loopback_net: 10.37.0.0/18
|
||||
bgp_ipv4_transfer_net: 10.37.0.0/18
|
||||
bgp_ipv6_transfer_net: fd37:b4dc:4b1e::/64
|
||||
|
||||
http_domain_internal: ffmwu.org
|
||||
http_domain_external: freifunk-mwu.de
|
||||
|
||||
meshes:
|
||||
- id: mz
|
||||
site_number: 37
|
||||
site_code: ffmz
|
||||
site_name: Mainz
|
||||
ipv4_network: 10.37.0.0/18
|
||||
ipv6_ula:
|
||||
- fd37:b4dc:4b1e::/48
|
||||
ipv6_public:
|
||||
- 2a03:2260:11a::/48
|
||||
dnssl:
|
||||
- ffmz.org
|
||||
- user.ffmz.org
|
||||
batman:
|
||||
it: 10000
|
||||
gw: server 96mbit/96mbit
|
||||
mm: 0
|
||||
dat: 0
|
||||
hop_penalty: 60
|
||||
radvd:
|
||||
maxrtradvinterval: 900
|
||||
advvalidlifetime: 864000
|
||||
advpreferredlifetime: 172800
|
||||
iface_mtu: 1350
|
||||
fastd:
|
||||
nodes:
|
||||
instances:
|
||||
- id: 0
|
||||
mtu: 1406
|
||||
peers:
|
||||
repo: https://github.com/freifunk-mwu/peers-ffmz.git
|
||||
version: master
|
||||
pass: fastd/mzvpn
|
||||
- id: 1
|
||||
mtu: 1312
|
||||
peers:
|
||||
repo: https://github.com/freifunk-mwu/peers-ffmz.git
|
||||
version: master
|
||||
pass: fastd/mzvpn
|
||||
intragate:
|
||||
instances:
|
||||
- id: 0
|
||||
mtu: 1406
|
||||
peers:
|
||||
repo: https://github.com/freifunk-mwu/ffmz-infrastructure-peers.git
|
||||
version: master
|
||||
pass: fastd/mzigvpn
|
||||
dns:
|
||||
master: fd37:b4dc:4b1e::a25:103
|
||||
forward_zones:
|
||||
- name: ffmz.org
|
||||
- name: user.ffmz.org
|
||||
- name: bb.ffmz.org
|
||||
- name: nodes.ffmz.org
|
||||
- name: ffbin
|
||||
master: fd37:b4dc:4b1e::a25:10c
|
||||
http_domain_internal: ffmz.org
|
||||
http_domain_external: freifunk-mainz.de
|
||||
|
||||
- id: wi
|
||||
site_number: 56
|
||||
site_code: ffwi
|
||||
site_name: Wiesbaden
|
||||
ipv4_network: 10.56.0.0/18
|
||||
ipv6_ula:
|
||||
- fd56:b4dc:4b1e::/48
|
||||
ipv6_public:
|
||||
- 2a03:2260:11b::/48
|
||||
dnssl:
|
||||
- ffwi.org
|
||||
- user.ffwi.org
|
||||
batman:
|
||||
it: 10000
|
||||
gw: server 96mbit/96mbit
|
||||
mm: 0
|
||||
dat: 0
|
||||
hop_penalty: 60
|
||||
radvd:
|
||||
maxrtradvinterval: 900
|
||||
advvalidlifetime: 864000
|
||||
advpreferredlifetime: 172800
|
||||
iface_mtu: 1350
|
||||
fastd:
|
||||
nodes:
|
||||
instances:
|
||||
- id: 0
|
||||
mtu: 1406
|
||||
peers:
|
||||
repo: https://github.com/freifunk-mwu/peers-ffwi.git
|
||||
version: master
|
||||
pass: fastd/wivpn
|
||||
- id: 1
|
||||
mtu: 1312
|
||||
peers:
|
||||
repo: https://github.com/freifunk-mwu/peers-ffwi.git
|
||||
version: master
|
||||
pass: fastd/wivpn
|
||||
intragate:
|
||||
instances:
|
||||
- id: 0
|
||||
mtu: 1406
|
||||
peers:
|
||||
repo: https://github.com/freifunk-mwu/ffwi-infrastructure-peers.git
|
||||
version: master
|
||||
pass: fastd/wiigvpn
|
||||
dns:
|
||||
master: fd56:b4dc:4b1e::a38:103
|
||||
forward_zones:
|
||||
- name: ffwi.org
|
||||
- name: user.ffwi.org
|
||||
- name: bb.ffwi.org
|
||||
- name: nodes.ffwi.org
|
||||
http_domain_internal: ffwi.org
|
||||
http_domain_external: wiesbaden.freifunk.net
|
||||
|
||||
icvpn:
|
||||
prefix: mwu
|
||||
interface: icvpn
|
||||
icvpn_repo: https://github.com/freifunk/icvpn
|
||||
|
||||
bgp_mwu_servers:
|
||||
spinat:
|
||||
ipv4: 10.37.0.7
|
||||
ipv6: fd37:b4dc:4b1e::a25:7
|
||||
lotuswurzel:
|
||||
ipv4: 10.37.0.23
|
||||
ipv6: fd37:b4dc:4b1e::a25:17
|
||||
ingwer:
|
||||
ipv4: 10.37.0.161
|
||||
ipv6: fd37:b4dc:4b1e::a25:a1
|
||||
wasserfloh:
|
||||
ipv4: 10.37.0.231
|
||||
ipv6: fd37:b4dc:4b1e::a25:e7
|
||||
zuckerwatte:
|
||||
ipv4: 10.37.1.2
|
||||
ipv6: fd37:b4dc:4b1e::a25:102
|
||||
aubergine:
|
||||
ipv4: 10.37.1.3
|
||||
ipv6: fd37:b4dc:4b1e::a25:103
|
||||
zwiebel:
|
||||
ipv4: 10.37.1.0
|
||||
ipv6: fd37:b4dc:4b1e::a25:100
|
||||
glueckskeks:
|
||||
ipv4: 10.37.1.1
|
||||
ipv6: fd37:b4dc:4b1e::a25:101
|
||||
suesskartoffel:
|
||||
ipv4: 10.37.1.4
|
||||
ipv6: fd37:b4dc:4b1e::a25:104
|
||||
|
||||
legacy_gateways:
|
||||
- ingwer
|
||||
- lotuswurzel
|
||||
- spinat
|
3
inventory/group_vars/gates
Normal file
3
inventory/group_vars/gates
Normal file
|
@ -0,0 +1,3 @@
|
|||
---
|
||||
|
||||
fastd_config: 'gate'
|
3
inventory/group_vars/meshing-only-srv
Normal file
3
inventory/group_vars/meshing-only-srv
Normal file
|
@ -0,0 +1,3 @@
|
|||
---
|
||||
|
||||
fastd_config: 'meshing-only'
|
19
inventory/group_vars/meshing-srv
Normal file
19
inventory/group_vars/meshing-srv
Normal file
|
@ -0,0 +1,19 @@
|
|||
---
|
||||
|
||||
communities:
|
||||
- mz
|
||||
- wi
|
||||
|
||||
community_params:
|
||||
mz:
|
||||
fastd_port: 10037
|
||||
abbreviation: mz
|
||||
name: mainz
|
||||
repo: freifunk-mwu/peers-ffmz
|
||||
xtra_peers:
|
||||
- peers_bingen
|
||||
wi:
|
||||
fastd_port: 10056
|
||||
abbreviation: wi
|
||||
name: wiesbaden
|
||||
repo: freifunk-mwu/peers-ffwi
|
4
inventory/host_vars/aubergine.freifunk-mwu.de
Normal file
4
inventory/host_vars/aubergine.freifunk-mwu.de
Normal file
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
|
||||
ansible_managed_server: True
|
||||
# not yet: ansible_managed_meshing
|
4
inventory/host_vars/churro.freifunk-mwu.de
Normal file
4
inventory/host_vars/churro.freifunk-mwu.de
Normal file
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
|
||||
ansible_managed_server: True
|
||||
# not yet: ansible_managed_meshing
|
6
inventory/host_vars/extrasahne.freifunk-mwu.de
Normal file
6
inventory/host_vars/extrasahne.freifunk-mwu.de
Normal file
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
|
||||
ansible_managed_server: True
|
||||
ansible_managed_meshing: True
|
||||
|
||||
fastd_alias: gw_extrasahne
|
4
inventory/host_vars/glueckskeks.freifunk-mwu.de
Normal file
4
inventory/host_vars/glueckskeks.freifunk-mwu.de
Normal file
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
|
||||
ansible_managed_server: True
|
||||
# not yet: ansible_managed_meshing
|
4
inventory/host_vars/ingwer.freifunk-mwu.de
Normal file
4
inventory/host_vars/ingwer.freifunk-mwu.de
Normal file
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
|
||||
ansible_managed_server: True
|
||||
# not yet: ansible_managed_meshing
|
3
inventory/host_vars/linse.freifunk-mwu.de
Normal file
3
inventory/host_vars/linse.freifunk-mwu.de
Normal file
|
@ -0,0 +1,3 @@
|
|||
---
|
||||
|
||||
ansible_managed_server: True
|
4
inventory/host_vars/lotuswurzel.freifunk-mwu.de
Normal file
4
inventory/host_vars/lotuswurzel.freifunk-mwu.de
Normal file
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
|
||||
ansible_managed_server: True
|
||||
# not yet: ansible_managed_meshing
|
7
inventory/host_vars/milchreis.freifunk-mwu.de
Normal file
7
inventory/host_vars/milchreis.freifunk-mwu.de
Normal file
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
|
||||
ansible_managed_server: True
|
||||
ansible_managed_build: True
|
||||
|
||||
h_v_add_auth_keys: |
|
||||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDJhcbPmN6qjd+KI5t8tOVJYqS/8Jef2bAUZFlLYU6kBxZDa0Qu7Hg30z50hFcavoM6Dnh24kiZHsvCdKZ3u8mr6WhaJzDPxDm8YKk2U5WOKrQ48eq4LKU3dIOiO/5M0u90P51hF90J8/bgmp9HpNL31/8g6RT2kjBkwk62ATXF4eb0kyENHPdDn2axInKQ3z8sxhpCWhWE6J/LKIPI5J66E7F+CR7rhvk2h0ikGyBy8xZhJWY/U/IDyDV0JmvW6TNmXi4bUvUhm2lY7PRen6Xvq5UAEjC3K4YtcBCLrNtfyIR7N7vHTuuaDUjdOGCF88KdzxZ5AxIPmhN9WVj+HydCJjB1TiAzINg2egZ3Ot4juXVAi5QbU5Addw0yJdoTwGHe0mrjQ1e+VsMziDR2wZvpsU+x+D8xWmsBAh+V4vDm9gowVo5vPfFMRxAlPktNtrERSNB84OwCLtrhDc+a6BGxVuR1EHbt9H2hAUfsxRVSmwGGm5bG4QOI/DbUsARhthiYQ2Q7cNXGl0UrMkxfFpO86fiH35j3F8Cqr9oQTJOnaK64e8+zwbw+L0XxVPtAPgIGsNeNbam+ALIlbj9RQP1Cin0dlq3QCdEZ1UWdcN38RL+z27LzMgubFnapnWnlmnjqtfKAXldwwQxe1qsdWvzMA4PE/AEUF+NL5w89TYUWdw== maesto@GLaDOS
|
4
inventory/host_vars/spinat.freifunk-mwu.de
Normal file
4
inventory/host_vars/spinat.freifunk-mwu.de
Normal file
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
|
||||
ansible_managed_server: True
|
||||
# not yet: ansible_managed_meshing
|
7
inventory/host_vars/suesskartoffel.freifunk-mwu.de
Normal file
7
inventory/host_vars/suesskartoffel.freifunk-mwu.de
Normal file
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
|
||||
ansible_managed_server: True
|
||||
# not yet: ansible_managed_meshing
|
||||
|
||||
h_v_add_auth_keys: |
|
||||
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAt00Ozv50kIis7YKBaey5alVps98ZzW4CVO9tA8AHvsGXn8cleROjcGdbz/YwPm2RH+A+GQrRqCuEf3SPVxvthlVUuHQPKzDdX3PpcakN05CoEwR3zVwjwdzXaO3fKbN5ZCEUKTpaJU6Lngi6vO6HLzsuYloSJs3t7PGpV1xp3YESyXX7D78w9YRJSe2n3WMrA40lQ91u79V0efoX1mKQYzPH86uwhWsOqi08DvE6gxsqKMY6P06nljmsQOFsdX8S/HVrWtIcnne50b63vPMMLRkOLa5FP6qMIjU3LiirrpL80r1gmVZGVRHO6uJr+mrOb6A76cZ7LT8jaKFgnVhOyw== msslovi0@wyoming.local
|
|
@ -1,31 +0,0 @@
|
|||
---
|
||||
magic: 101
|
||||
ipv4_dhcp_range: 8
|
||||
|
||||
ffrl_public_ipv4_nat: 185.66.195.37/32
|
||||
|
||||
ffrl_exit_server:
|
||||
ffrl-a-ak-ber:
|
||||
public_ipv4_address: 185.66.195.0
|
||||
tunnel_ipv4_network: 100.64.9.42/31
|
||||
tunnel_ipv6_network: 2a03:2260:0:3bd::/64
|
||||
ffrl-b-ak-ber:
|
||||
public_ipv4_address: 185.66.195.1
|
||||
tunnel_ipv4_network: 100.64.9.48/31
|
||||
tunnel_ipv6_network: 2a03:2260:0:3c0::/64
|
||||
ffrl-a-ix-dus:
|
||||
public_ipv4_address: 185.66.193.0
|
||||
tunnel_ipv4_network: 100.64.9.46/31
|
||||
tunnel_ipv6_network: 2a03:2260:0:3bf::/64
|
||||
ffrl-b-ix-dus:
|
||||
public_ipv4_address: 185.66.193.1
|
||||
tunnel_ipv4_network: 100.64.9.52/31
|
||||
tunnel_ipv6_network: 2a03:2260:0:3c2::/64
|
||||
ffrl-a-fra2-fra:
|
||||
public_ipv4_address: 185.66.194.0
|
||||
tunnel_ipv4_network: 100.64.9.44/31
|
||||
tunnel_ipv6_network: 2a03:2260:0:3be::/64
|
||||
ffrl-b-fra2-fra:
|
||||
public_ipv4_address: 185.66.194.1
|
||||
tunnel_ipv4_network: 100.64.9.50/31
|
||||
tunnel_ipv6_network: 2a03:2260:0:3c1::/64
|
4
inventory/host_vars/wasserfloh.freifunk-mwu.de
Normal file
4
inventory/host_vars/wasserfloh.freifunk-mwu.de
Normal file
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
|
||||
ansible_managed_server: True
|
||||
# not yet: ansible_managed_meshing
|
12
inventory/host_vars/zuckerwatte.freifunk-mwu.de
Normal file
12
inventory/host_vars/zuckerwatte.freifunk-mwu.de
Normal file
|
@ -0,0 +1,12 @@
|
|||
---
|
||||
|
||||
ansible_managed_server: True
|
||||
# not yet: ansible_managed_meshing
|
||||
|
||||
h_v_add_auth_keys: |
|
||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHs63QNerevCI6wt2Gpq/IpHTPVeHIP8aKIOrRCUlKWR ccgx@small-x
|
||||
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAwbfFERETgOAF7iOJFTfJAXQwOWykceRXa151PWG+hiln8X2729tdFyEhztL0tJ0ln+VCj29KLc4mG23qCBW48d35btZTkdVUhFSY/PY/bMQEBiWG2MCAWxJ329i/Blw92xvlFARJNhyPzKSxgYYGRhkncbcKXoX9QWhCBY8KfH+08X9tFOxj4osYn/+dXm7Sg5mqJG4ETmdAAy5afNGE+K+NyBafcg35Y+gBfxNzilGc2/2I0lSsiEcUr+StNxhMMZ/NtQ1N2G9iPziqpu/LYlPl/2mtya+6MPtfSfoYpggIyMqcT+KSPsmxyJod0SrI1vgrX7qa0aJV08dN+gThDb8pOBEb6NG2iQEIbmTKy7XoSpF13lnAVDtPv20PjLpUR6IKZtWNnlN2hVtZLhgyeEIDMnVjmNwloItkqsKP1H96eLSoj1g9B9IOYPPxq5pf6VJKizFAI0jsxGZk0gX/QX4DoVxrD57KXrHKEuFAM4eIjHKMXeRq3Ewbn3bHT1QXevjwBtoW2hxY8Pligc0W0sHt2jW0MxaSiE0LM+hGk0Jy9rquC3+gGU7fD2kLM6nff3wzQJXCORkfdyqvMFUqwpkZmjL4qCypt04peTwkWzs/W4LlHWyc4CJGp0jKIAOA8JRxs/FJf9CyN8N+0AY6xXAZ1UPqs+wPkZ9j5hYcaHs= magic
|
||||
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAhrDPtvVZb9I7Z2dXl3IXa34sT41/7YCl0kBJ2pgOzrTqXn6HjM8iY7duMxr1ScWlsaIoJAJmpML1LM7hkRJiray5YgjXjcNaz8HxDkV/JLLUMqzQSeDuVTFZzrQBQknzEehuA6XPTLRcgPMnpKhyt3TU4E3rHTDEFLHGEn2I9IZeImGdrehgWoJQz0gGyXI5h49bj6AXHz4etgH349ZCvQWY2e/127owcoPK5EyFBsDMKgnfdxCpAHa3vWFdUnbwqHiVu445qr2U4PiG2AK6PZKRsMauR9jBG1EfeRrc7STcx3OYRbBaQoHJkvw8dD0bH5tI1VVnXfZ2CYOyIGWHJw== mitch
|
||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDUI92QCs7D8mpCoqUug1fOcKf7V5nyKZJiyFfsz0T/ ccgx@mobile-x
|
||||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDFx5FdrQYkd11mEBxEZLUjdI1gOlee8kP+imUTInsYGK9r3wuoiVoWX4ZdemhB6ezmJwY7mmqjHpFixct3FDdZDvoQjbbS0jM9zQtLp3quHlgpbhCSCG0NOzsjRMJhV1rQguVXDBcDxXZf1YDr9S4YJWPJ1USPPE9IILdbDl6lgaTxsEpeL6unQ3SHUkwLnQVnof1DAsS9yyyDouKMAnoiLIqOi2firerm+2KjtWXpQGF8d58eXg8FSy6iWHmy+mEOBo5W2vy8CT80hR72Ynyy4JjijvSjUzqHs9bJjxCVWOV1/4sZ5GUgNzNknIduny4tR744JRmWDfeCjCS9T3TdpKbL7Xd6pjPW4/q5Z3u0DZFutR3tBp0Xm69ic4QQZVMa14FZcipKNdE+uTpIzfpClz2e4RBR8DlJn2DexvEGSGJu3t8uOFqVnJrkmJL/eIWkRpYe+JvpaF7M7K+dM/aQWOtoTWQrmujGUqXLvSyFnuUk4PhPc3an+HaxYFCBcVGQHypc7VyAg/Bm14ZBYbj93c0UTUV01VKu5/tCjq42+hDvMsn1ZyuZ66hnnZizLzIZGH3ciGdZwPp+32nC0sT09Y8pbAZFhN6sfQHDvVrHpOjJXmbBKZ2xjYoUKoi4rdds7sLhvuJV0a3i56WR8CCIx94UGjxkfJ0A9RR24AlAuQ== mattsches@gmail.com
|
||||
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAt00Ozv50kIis7YKBaey5alVps98ZzW4CVO9tA8AHvsGXn8cleROjcGdbz/YwPm2RH+A+GQrRqCuEf3SPVxvthlVUuHQPKzDdX3PpcakN05CoEwR3zVwjwdzXaO3fKbN5ZCEUKTpaJU6Lngi6vO6HLzsuYloSJs3t7PGpV1xp3YESyXX7D78w9YRJSe2n3WMrA40lQ91u79V0efoX1mKQYzPH86uwhWsOqi08DvE6gxsqKMY6P06nljmsQOFsdX8S/HVrWtIcnne50b63vPMMLRkOLa5FP6qMIjU3LiirrpL80r1gmVZGVRHO6uJr+mrOb6A76cZ7LT8jaKFgnVhOyw== msslovi0@wyoming.local
|
4
inventory/host_vars/zwiebel.freifunk-mwu.de
Normal file
4
inventory/host_vars/zwiebel.freifunk-mwu.de
Normal file
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
|
||||
ansible_managed_server: True
|
||||
# not yet: ansible_managed_meshing
|
38
inventory/hosts
Normal file
38
inventory/hosts
Normal file
|
@ -0,0 +1,38 @@
|
|||
[gates]
|
||||
spinat.freifunk-mwu.de
|
||||
lotuswurzel.freifunk-mwu.de
|
||||
wasserfloh.freifunk-mwu.de
|
||||
# kaschu.freifunk-mwu.de # außer Dienst
|
||||
ingwer.freifunk-mwu.de # (Debian)
|
||||
#mettigel.freifunk-mwu.de
|
||||
#parmesan.freifunk-mwu.de
|
||||
extrasahne.freifunk-mwu.de require_dns=False # (Debian 8) FIXME: set IPv6
|
||||
|
||||
[meshing-srv:children]
|
||||
gates
|
||||
meshing-only-srv
|
||||
test-vms
|
||||
|
||||
[meshing-only-srv]
|
||||
aubergine.freifunk-mwu.de # int. DNS-master
|
||||
zuckerwatte.freifunk-mwu.de # web, blogs, wiki
|
||||
churro.freifunk-mwu.de # Abloesung: web, blogs, wiki (Debian)
|
||||
glueckskeks.freifunk-mwu.de #
|
||||
zwiebel.freifunk-mwu.de #
|
||||
suesskartoffel.freifunk-mwu.de #
|
||||
|
||||
[ff-servers:children]
|
||||
gates
|
||||
meshing-only-srv
|
||||
simple-ff-servers
|
||||
build-servers
|
||||
test-vms
|
||||
|
||||
[simple-ff-servers] # not meshing
|
||||
linse.freifunk-mwu.de # ext. DNS-master
|
||||
|
||||
[build-servers]
|
||||
milchreis.freifunk-mwu.de
|
||||
|
||||
[test-vms]
|
||||
local-test-vm.ffmwu.local ansible_host=192.168.137.7 require_dns=False
|
|
@ -1,2 +0,0 @@
|
|||
[test-vms]
|
||||
local-test-vm.ffmwu.local ansible_host=192.168.137.7 require_dns=False
|
|
@ -1,9 +1,11 @@
|
|||
#!/usr/bin/ansible-playbook
|
||||
---
|
||||
|
||||
- include: loctevm-provide.yml
|
||||
|
||||
- hosts: test-vms
|
||||
remote_user: admin
|
||||
strategy: linear
|
||||
|
||||
roles:
|
||||
- prerequisites
|
||||
- ffmwu-meshing
|
||||
- ffmwu-meshing
|
|
@ -1,4 +1,5 @@
|
|||
#!/usr/bin/ansible-playbook
|
||||
---
|
||||
# localhost (aka 127.0.0.1) is the hypervisor (hard-coded)
|
||||
|
||||
- hosts: test-vms
|
9
loctevm-test-prerequisites.yml
Executable file
9
loctevm-test-prerequisites.yml
Executable file
|
@ -0,0 +1,9 @@
|
|||
#!/usr/bin/ansible-playbook
|
||||
---
|
||||
|
||||
- hosts: test-vms
|
||||
remote_user: admin
|
||||
strategy: free
|
||||
|
||||
roles:
|
||||
- ffmwu-prereqs
|
|
@ -1,7 +0,0 @@
|
|||
#!/usr/bin/ansible-playbook
|
||||
|
||||
- hosts: ffmwu-build-servers
|
||||
remote_user: admin
|
||||
roles:
|
||||
- prerequisites
|
||||
- ffmwu-build
|
|
@ -1,34 +0,0 @@
|
|||
#!/usr/bin/ansible-playbook
|
||||
|
||||
- hosts: ffmwu-gateways
|
||||
remote_user: admin
|
||||
roles:
|
||||
- handlers
|
||||
- prerequisites
|
||||
- server-apt-repos
|
||||
- server-basic
|
||||
- system-sysctl-gateway
|
||||
- git-repos
|
||||
- service-haveged
|
||||
- service-ntpd
|
||||
- kmod-batman
|
||||
- network-routetables
|
||||
- network-batman
|
||||
- network-meshbridge
|
||||
- network-fastd
|
||||
- network-ffrl
|
||||
- network-iptables-gateway
|
||||
- network-routing
|
||||
- service-dhcpd
|
||||
- service-nginx
|
||||
- service-nginx-firmware
|
||||
- service-radvd
|
||||
- service-fastd
|
||||
- service-fastd-mesh
|
||||
- service-fastd-intragate
|
||||
- service-tinc
|
||||
- service-bird
|
||||
- service-bird-icvpn
|
||||
- service-bird-ffrl
|
||||
- service-bind-slave
|
||||
- service-respondd
|
|
@ -7,6 +7,7 @@
|
|||
owner: admin
|
||||
group: bird
|
||||
mode: 0750
|
||||
become: yes
|
||||
|
||||
- name: standardise file ownerships
|
||||
file:
|
||||
|
@ -15,6 +16,7 @@
|
|||
owner: admin
|
||||
group: bird
|
||||
mode: 0750
|
||||
become: yes
|
||||
with_items:
|
||||
- /etc/bird/bird.conf
|
||||
- /etc/bird/mwu_peers_v4.inc
|
||||
|
|
|
@ -1,12 +1,15 @@
|
|||
---
|
||||
- name: check apache syntax
|
||||
command: /usr/sbin/apachectl -t
|
||||
become: true
|
||||
|
||||
- name: restart systemd unit apache2
|
||||
systemd:
|
||||
name: apache2
|
||||
state: restarted
|
||||
become: true
|
||||
|
||||
- name: update apt cache
|
||||
apt:
|
||||
update_cache: yes
|
||||
become: true
|
||||
|
|
|
@ -4,4 +4,3 @@
|
|||
repo: https://github.com/freifunk-mwu/sites-ffmwu.git
|
||||
dest: /home/admin/clones/sites-ffmwu
|
||||
version: stable
|
||||
become: false
|
||||
|
|
|
@ -4,6 +4,7 @@
|
|||
repo: 'deb https://repo.universe-factory.net/debian/ sid main'
|
||||
state: present
|
||||
filename: 'neoraider'
|
||||
become: true
|
||||
notify: update apt cache
|
||||
|
||||
- name: add apt repository of freifunk-mwu
|
||||
|
@ -11,6 +12,7 @@
|
|||
repo: 'deb http://repo.freifunk-mwu.de/debian/ jessie main'
|
||||
state: present
|
||||
filename: 'ffmwu'
|
||||
become: true
|
||||
notify: update apt cache
|
||||
|
||||
- name: add apt-key of neoraider
|
||||
|
@ -18,12 +20,14 @@
|
|||
keyserver: keyserver.ubuntu.com
|
||||
id: 16EF3F64CB201D9C
|
||||
state: present
|
||||
become: true
|
||||
notify: update apt cache
|
||||
|
||||
- name: add apt-key of freifunk-mwu package sigs
|
||||
apt_key:
|
||||
url: http://repo.freifunk-mwu.de/83A70084.gpg.key
|
||||
state: present
|
||||
become: true
|
||||
notify: update apt cache
|
||||
|
||||
- name: install needed packages for build-server
|
||||
|
@ -46,3 +50,4 @@
|
|||
- subversion
|
||||
- unzip
|
||||
- zlib1g-dev
|
||||
become: true
|
||||
|
|
|
@ -4,15 +4,18 @@
|
|||
src: rsyncd.conf
|
||||
dest: /etc/rsyncd.conf
|
||||
mode: 0640
|
||||
become: true
|
||||
|
||||
- name: install rsnyc systemd unit
|
||||
copy:
|
||||
src: rsync.service
|
||||
dest: /etc/systemd/system/
|
||||
mode: 0644
|
||||
become: true
|
||||
|
||||
- name: ensure rsync is started on boot as a daemon
|
||||
systemd:
|
||||
name: rsync
|
||||
state: started
|
||||
enabled: True
|
||||
become: true
|
||||
|
|
|
@ -5,11 +5,13 @@
|
|||
owner: admin
|
||||
group: admin
|
||||
recurse: yes
|
||||
become: true
|
||||
|
||||
- name: enable apache module ssl
|
||||
apache2_module:
|
||||
state: present
|
||||
name: ssl
|
||||
become: true
|
||||
notify:
|
||||
- check apache syntax
|
||||
- restart systemd unit apache2
|
||||
|
@ -18,6 +20,7 @@
|
|||
command: /usr/sbin/a2dissite 000-default
|
||||
args:
|
||||
removes: /etc/apache2/sites-enabled/000-default.conf
|
||||
become: true
|
||||
notify:
|
||||
- check apache syntax
|
||||
- restart systemd unit apache2
|
||||
|
@ -26,6 +29,7 @@
|
|||
command: /usr/sbin/a2dissite default-ssl
|
||||
args:
|
||||
removes: /etc/apache2/sites-enabled/default-ssl.conf
|
||||
become: true
|
||||
notify:
|
||||
- check apache syntax
|
||||
- restart systemd unit apache2
|
||||
|
@ -34,6 +38,7 @@
|
|||
command: /usr/sbin/a2disconf other-vhosts-access-log
|
||||
args:
|
||||
removes: /etc/apache2/conf-enabled/other-vhosts-access-log.conf
|
||||
become: true
|
||||
notify:
|
||||
- check apache syntax
|
||||
- restart systemd unit apache2
|
||||
|
@ -44,6 +49,7 @@
|
|||
regexp: '^([\s\t]+)?SSLCipherSuite'
|
||||
line: "SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
|
||||
state: present
|
||||
become: true
|
||||
notify:
|
||||
- check apache syntax
|
||||
- restart systemd unit apache2
|
||||
|
@ -54,6 +60,7 @@
|
|||
regexp: '^([\s\t]+)?SSLProtocol'
|
||||
line: "SSLProtocol all -SSLv2 -SSLv3"
|
||||
state: present
|
||||
become: true
|
||||
notify:
|
||||
- check apache syntax
|
||||
- restart systemd unit apache2
|
||||
|
@ -64,6 +71,7 @@
|
|||
regexp: "^ServerTokens"
|
||||
line: "ServerTokens Prod"
|
||||
state: present
|
||||
become: true
|
||||
notify:
|
||||
- check apache syntax
|
||||
- restart systemd unit apache2
|
||||
|
@ -74,6 +82,7 @@
|
|||
regexp: "^ServerSignature"
|
||||
line: "ServerSignature EMail"
|
||||
state: present
|
||||
become: true
|
||||
notify:
|
||||
- check apache syntax
|
||||
- restart systemd unit apache2
|
||||
|
@ -82,6 +91,7 @@
|
|||
template:
|
||||
src: ffmwu-default-http.conf.j2
|
||||
dest: /etc/apache2/sites-available/ffmwu-default-http.conf
|
||||
become: true
|
||||
notify:
|
||||
- check apache syntax
|
||||
- restart systemd unit apache2
|
||||
|
@ -90,6 +100,7 @@
|
|||
template:
|
||||
src: ffmwu-default-https.conf.j2
|
||||
dest: /etc/apache2/sites-available/ffmwu-default-https.conf
|
||||
become: true
|
||||
notify:
|
||||
- check apache syntax
|
||||
- restart systemd unit apache2
|
||||
|
@ -98,6 +109,7 @@
|
|||
command: /usr/sbin/a2ensite ffmwu-default-http
|
||||
args:
|
||||
creates: /etc/apache2/sites-enabled/ffmwu-default-http.conf
|
||||
become: true
|
||||
notify:
|
||||
- check apache syntax
|
||||
- restart systemd unit apache2
|
||||
|
@ -106,6 +118,7 @@
|
|||
command: /usr/sbin/a2ensite ffmwu-default-https
|
||||
args:
|
||||
creates: /etc/apache2/sites-enabled/ffmwu-default-https.conf
|
||||
become: true
|
||||
notify:
|
||||
- check apache syntax
|
||||
- restart systemd unit apache2
|
||||
|
|
|
@ -40,7 +40,7 @@
|
|||
line: secret "{{f_key_pair.stdout_lines[0] |regex_replace('^Secret. ','')}}";
|
||||
mode: 0400
|
||||
regexp: '^secret ".*";'
|
||||
state: present
|
||||
state : present
|
||||
|
||||
- name: write out fastd public key - {{mf_com.abbreviation}}
|
||||
lineinfile:
|
||||
|
@ -50,7 +50,7 @@
|
|||
line: key "{{f_key_pair.stdout_lines[1] |regex_replace('^Public. ','')}}";
|
||||
mode: 0440
|
||||
regexp: '^key ".*";'
|
||||
state: present
|
||||
state : present
|
||||
register: f_pub_key
|
||||
ignore_errors: True
|
||||
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
|
||||
- name: ensure correct ownership of /etc/fastd
|
||||
file: path=/etc/fastd state=directory mode=0750 owner=admin group=admin
|
||||
become: True
|
||||
|
||||
- name: find ssh keyfile name for use with git
|
||||
shell: grep IdentityFile ~/.ssh/config | awk '{print $2}'
|
||||
|
|
25
roles/ffmwu-prereqs/tasks/main.yml
Executable file
25
roles/ffmwu-prereqs/tasks/main.yml
Executable file
|
@ -0,0 +1,25 @@
|
|||
---
|
||||
|
||||
- name: assert IPv4 DNS entry
|
||||
local_action: shell dig A {{ inventory_hostname }} | egrep '^{{ inventory_hostname }}'
|
||||
changed_when: False
|
||||
when: "{{ require_dns | default('True') }}"
|
||||
|
||||
- name: assert IPv6 DNS entry
|
||||
local_action: shell dig AAAA {{ inventory_hostname }} | egrep '^{{ inventory_hostname }}'
|
||||
changed_when: False
|
||||
when: "{{ require_dns | default('True') }}"
|
||||
|
||||
- name: test access to admin account (ssh key neccessary!)
|
||||
command: "true"
|
||||
changed_when: False
|
||||
|
||||
- name: test access to root account
|
||||
command: "true"
|
||||
changed_when: False
|
||||
become: True
|
||||
become_user: root
|
||||
|
||||
- name: fail on wrong OS type and version # TODO: include debian
|
||||
fail: msg="unsupported OS type or version - {{ ansible_distribution }} {{ ansible_distribution_major_version }}"
|
||||
when: not ( ( ansible_distribution=="Ubuntu" and ansible_distribution_major_version|int==14 ) or ( ansible_distribution=="Debian" and ansible_distribution_major_version|int==8 ) )
|
|
@ -10,6 +10,7 @@
|
|||
- block:
|
||||
- name: ensure needed system users are present
|
||||
user: name=admin comment="Freifunk MWU Admin" shell=/bin/bash state=present
|
||||
become: True
|
||||
|
||||
- name: ensure all wanted ssh keys exclusively
|
||||
authorized_key: exclusive=True state=present user=admin
|
||||
|
@ -17,9 +18,11 @@
|
|||
|
||||
- name: ensure vim is default editor
|
||||
alternatives: name=editor path=/usr/bin/vim.basic
|
||||
become: True
|
||||
|
||||
- name: set timezone to Europe/Berlin
|
||||
timezone: name=Europe/Berlin
|
||||
become: True
|
||||
|
||||
when: (ansible_managed_server is defined) and (ansible_managed_server)
|
||||
# end block
|
||||
|
|
|
@ -1,18 +0,0 @@
|
|||
# Ansible role git-repos
|
||||
|
||||
Diese Ansible role klont wichtige git Repositories.
|
||||
|
||||
- installiert git
|
||||
- legt /home/admin/clones an
|
||||
- klont alle git Repositories aus dem Dictionary `common_repos`
|
||||
|
||||
## Benötigte Variablen
|
||||
|
||||
- Dictionary `common_repos` # role variable
|
||||
```
|
||||
common_repos:
|
||||
name: # name des Repositories == Ordner Name
|
||||
repo_url: # HTTP-URL zum Repository
|
||||
...
|
||||
|
||||
```
|
|
@ -1,23 +0,0 @@
|
|||
---
|
||||
- name: install git packages
|
||||
package:
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
with_items:
|
||||
- git
|
||||
|
||||
- name: ensure git directory is present
|
||||
file:
|
||||
path: /home/admin/clones
|
||||
state: directory
|
||||
mode: 0755
|
||||
owner: admin
|
||||
group: admin
|
||||
|
||||
- name: clone git repositories
|
||||
git:
|
||||
repo: "{{ item.value.repo_url }}"
|
||||
dest: "/home/admin/clones/{{ item.key }}"
|
||||
version: "{{ item.value.version }}"
|
||||
with_dict: "{{ common_repos }}"
|
||||
become: false
|
|
@ -1,11 +0,0 @@
|
|||
---
|
||||
common_repos:
|
||||
backend-scripts:
|
||||
repo_url: https://github.com/freifunk-mwu/backend-scripts.git
|
||||
version: ansible
|
||||
icvpn-meta:
|
||||
repo_url: https://github.com/freifunk/icvpn-meta.git
|
||||
version: master
|
||||
icvpn-scripts:
|
||||
repo_url: https://github.com/freifunk/icvpn-scripts.git
|
||||
version: master
|
|
@ -1,95 +0,0 @@
|
|||
---
|
||||
- name: reload systemd
|
||||
systemd:
|
||||
daemon_reload: yes
|
||||
|
||||
- name: reload network interfaces
|
||||
systemd:
|
||||
name: networking
|
||||
state: reloaded
|
||||
|
||||
- name: activate sysfs variables
|
||||
systemd:
|
||||
name: sysfsutils
|
||||
state: restarted
|
||||
|
||||
- name: restart bind9
|
||||
systemd:
|
||||
name: bind9
|
||||
state: restarted
|
||||
|
||||
- name: reload systemd unit bird
|
||||
systemd:
|
||||
name: bird
|
||||
state: reloaded
|
||||
|
||||
- name: reload systemd unit bird6
|
||||
systemd:
|
||||
name: bird6
|
||||
state: reloaded
|
||||
|
||||
- name: restart isc dhcp server
|
||||
systemd:
|
||||
name: isc-dhcp-server
|
||||
enabled: yes
|
||||
state: restarted
|
||||
|
||||
- name: restart fastd intragate instances
|
||||
systemd:
|
||||
name: "fastd@{{ item.0.id }}igvpn-{{ item.1.mtu }}"
|
||||
state: restarted
|
||||
with_subelements:
|
||||
- "{{ meshes }}"
|
||||
- fastd.intragate.instances
|
||||
|
||||
- name: restart fastd mesh instances
|
||||
systemd:
|
||||
name: "fastd@{{ item.0.id }}vpn-{{ item.1.mtu }}"
|
||||
state: restarted
|
||||
with_subelements:
|
||||
- "{{ meshes }}"
|
||||
- fastd.nodes.instances
|
||||
|
||||
- name: restart systemd unit radvd
|
||||
systemd:
|
||||
name: radvd
|
||||
state: restarted
|
||||
|
||||
- name: restart respondd
|
||||
systemd:
|
||||
name: "respondd-{{ item.id }}"
|
||||
state: restarted
|
||||
with_items: "{{ meshes }}"
|
||||
|
||||
- name: restart systemd unit tinc
|
||||
systemd:
|
||||
name: tinc
|
||||
enabled: yes
|
||||
state: restarted
|
||||
|
||||
- name: restart systemd unit ffmwu-static-routes
|
||||
systemd:
|
||||
name: ffmwu-static-routes
|
||||
state: restarted
|
||||
|
||||
- name: restart systemd unit ffmwu-ip-rules
|
||||
systemd:
|
||||
name: ffmwu-ip-rules
|
||||
state: restarted
|
||||
|
||||
- name: restart respondd
|
||||
systemd:
|
||||
name: "respondd-{{ item.id }}"
|
||||
state: restarted
|
||||
with_items: "{{ meshes }}"
|
||||
|
||||
- name: iptables-restore
|
||||
shell: iptables-restore < /etc/iptables/rules.v4
|
||||
|
||||
- name: ip6tables-restore
|
||||
shell: ip6tables-restore < /etc/iptables/rules.v6
|
||||
|
||||
- name: reload nginx
|
||||
systemd:
|
||||
name: nginx
|
||||
state: reloaded
|
|
@ -1,6 +0,0 @@
|
|||
# Ansible role kmod-batman
|
||||
Diese Ansible role installiert das Kernel Modul batman-adv:
|
||||
|
||||
- Linux Kernel Headers
|
||||
- Kernel Modul batman-adv
|
||||
- Userspace Tool batctl
|
|
@ -1,19 +0,0 @@
|
|||
---
|
||||
- name: install batman-module and linux headers
|
||||
package:
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
with_items:
|
||||
- linux-headers-amd64
|
||||
- batman-adv-dkms
|
||||
- batctl
|
||||
|
||||
- name: configure batman module to load on system boot
|
||||
template:
|
||||
src: batman-adv.module.conf.j2
|
||||
dest: /etc/modules-load.d/batman-adv.conf
|
||||
|
||||
- name: load batman module
|
||||
modprobe:
|
||||
name: "batman-adv"
|
||||
state: present
|
|
@ -1,5 +0,0 @@
|
|||
#
|
||||
# Load batman-adv module on system boot
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
batman-adv
|
|
@ -1,46 +0,0 @@
|
|||
# Ansible role network-batman
|
||||
|
||||
Diese Ansible role konfiguriert batman-adv Netzwerk Interfaces.
|
||||
|
||||
- dummy interface pro mesh
|
||||
- batman-adv interface pro mesh
|
||||
- konfiguriert sysfs variablen:
|
||||
- Hop Penalty pro batman-adv interface
|
||||
|
||||
## Benötigte Variablen
|
||||
|
||||
- Dictionary `meshes`
|
||||
´´´
|
||||
meshes:
|
||||
- id: xx
|
||||
...
|
||||
ipv4_network:
|
||||
...
|
||||
batman:
|
||||
it: # integer: originator interval
|
||||
gw: # string: gateway mode
|
||||
mm: # boolean: multicast mode
|
||||
dat: # boolean: distributed arp table
|
||||
hop_penalty: # integer: hop penalty
|
||||
...
|
||||
fastd:
|
||||
nodes:
|
||||
instances:
|
||||
- id: 0 # integer
|
||||
mtu: # integer
|
||||
...
|
||||
intragate:
|
||||
instances:
|
||||
- id: 0 # integer
|
||||
mtu: # integer
|
||||
...
|
||||
|
||||
´´´
|
||||
- Host Variable `magic`
|
||||
|
||||
## MAC-Adressen
|
||||
|
||||
Die MAC-Adressen der Interfaces werden aus dem IPv4-Subnetz sowie der `magic`-Nummer des Hosts berechnet.
|
||||
|
||||
xx0-prefix: `02:00`
|
||||
xxbat-prefix: `02:01`
|
|
@ -1,17 +0,0 @@
|
|||
---
|
||||
- name: create dummy interfaces
|
||||
template:
|
||||
src: dummy.j2
|
||||
dest: "/etc/network/interfaces.d/{{ item.id }}0"
|
||||
notify: reload network interfaces
|
||||
with_items: "{{ meshes }}"
|
||||
|
||||
- name: create batman interfaces
|
||||
template:
|
||||
src: batman.j2
|
||||
dest: "/etc/network/interfaces.d/{{ item.id }}bat"
|
||||
notify: reload network interfaces
|
||||
with_items: "{{ meshes }}"
|
||||
|
||||
- name: flush handlers
|
||||
meta: flush_handlers
|
|
@ -1,15 +0,0 @@
|
|||
#jinja2: trim_blocks:False
|
||||
{% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
|
||||
{% set mac = '0201' + ip4hex -%}
|
||||
#
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
auto {{ item.id }}bat
|
||||
iface {{ item.id }}bat
|
||||
hwaddress {{ mac | hwaddr('linux') }}
|
||||
batman-ifaces {{ item.id }}0 {% for instance in item.fastd.nodes.instances %}{{ item.id }}vpn-{{ instance.mtu }}{% if not loop.last %} {% endif %}{% endfor %} {% for instance in item.fastd.intragate.instances %}{{ item.id }}igvpn-{{ instance.mtu }}{% if not loop.last %} {% endif %}{% endfor %}
|
||||
batman-hop-penalty {{ item.batman.hop_penalty }}
|
||||
post-up /usr/sbin/batctl -m $IFACE it {{ item.batman.it }}
|
||||
post-up /usr/sbin/batctl -m $IFACE gw {{ item.batman.gw }}
|
||||
post-up /usr/sbin/batctl -m $IFACE mm {{ item.batman.mm }}
|
||||
post-up /usr/sbin/batctl -m $IFACE dat {{ item.batman.dat }}
|
|
@ -1,9 +0,0 @@
|
|||
{% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
|
||||
{% set mac = '0200' + ip4hex -%}
|
||||
#
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
auto {{ item.id }}0
|
||||
iface {{ item.id }}0
|
||||
link-type dummy
|
||||
hwaddress {{ mac | hwaddr('linux') }}
|
|
@ -1,40 +0,0 @@
|
|||
# Ansible role network-fastd
|
||||
|
||||
Diese Ansible role konfiguriert Netzwerk Interfaces für die definierten fastd Instanzen.
|
||||
|
||||
Es wird zwischen node- und intragate-Instanzen unterschieden.
|
||||
|
||||
## Interface-Benamung
|
||||
Node-Interfaces: $mesh.id + vpn + '-' + $mesh.fastd.nodes.instances.xx.mtu, z.B. "mzvpn-1312"
|
||||
Intragate-Interfaces: $mesh.id + 'ig' + vpn + '-' + $mesh.fastd.intragate.instances.xx.mtu, z.B. "mzigvpn-1312"
|
||||
|
||||
## Benötigte Variablen
|
||||
|
||||
- Dictionary `meshes`
|
||||
´´´
|
||||
meshes:
|
||||
- id: xx
|
||||
...
|
||||
ipv4_network:
|
||||
...
|
||||
fastd:
|
||||
nodes:
|
||||
instances:
|
||||
- id: 0 # integer
|
||||
mtu: # integer
|
||||
...
|
||||
intragate:
|
||||
instances:
|
||||
- id: 0 # integer
|
||||
mtu: # integer
|
||||
...
|
||||
|
||||
´´´
|
||||
- Host Variable `magic`
|
||||
|
||||
## MAC-Adressen
|
||||
|
||||
Die MAC-Adressen der Interfaces werden aus dem IPv4-Subnetz sowie der `magic`-Nummer des Hosts berechnet.
|
||||
|
||||
xxvpn-$mtu prefix: `02:2x` # x = ID der fastd-Instanz
|
||||
xxigvpn-$mtu prefix: `02:3x` # x = ID der fastd-Instanz
|
|
@ -1,21 +0,0 @@
|
|||
---
|
||||
- name: create fastd mesh interfaces
|
||||
template:
|
||||
src: fastd-mesh.j2
|
||||
dest: "/etc/network/interfaces.d/{{ item.0.id }}vpn-{{ item.1.mtu }}"
|
||||
notify: reload network interfaces
|
||||
with_subelements:
|
||||
- "{{ meshes }}"
|
||||
- fastd.nodes.instances
|
||||
|
||||
- name: create fastd intragate interfaces
|
||||
template:
|
||||
src: fastd-intragate.j2
|
||||
dest: "/etc/network/interfaces.d/{{ item.0.id }}igvpn-{{ item.1.mtu }}"
|
||||
notify: reload network interfaces
|
||||
with_subelements:
|
||||
- "{{ meshes }}"
|
||||
- fastd.intragate.instances
|
||||
|
||||
- name: flush handlers
|
||||
meta: flush_handlers
|
|
@ -1,8 +0,0 @@
|
|||
{% set ip4hex = item.0.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
|
||||
{% set mac = '023' + item.1.id|string + ip4hex -%}
|
||||
#
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
auto {{ item.0.id }}igvpn-{{ item.1.mtu }}
|
||||
iface {{ item.0.id }}igvpn-{{ item.1.mtu }}
|
||||
hwaddress {{ mac | hwaddr('linux') }}
|
|
@ -1,8 +0,0 @@
|
|||
{% set ip4hex = item.0.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
|
||||
{% set mac = '022' + item.1.id|string + ip4hex -%}
|
||||
#
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
auto {{ item.0.id }}vpn-{{ item.1.mtu }}
|
||||
iface {{ item.0.id }}vpn-{{ item.1.mtu }}
|
||||
hwaddress {{ mac | hwaddr('linux') }}
|
|
@ -1,33 +0,0 @@
|
|||
# Ansible role network-ffrl
|
||||
|
||||
Diese Ansible role konfiguriert die GRE-Tunnel Interfaces, die für den Internet-Exit über Freifunk Rheinland benötigt werden.
|
||||
|
||||
## Benötigte Variablen
|
||||
- Dictionary `ffrl_exit_server` (Host Variable)
|
||||
´´´
|
||||
ffrl_exit_server:
|
||||
ffrl-a-ak-ber:
|
||||
public_ipv4_address: 185.66.195.0
|
||||
tunnel_ipv4_network: # IPv4 Tunnel Transfernetz
|
||||
tunnel_ipv6_network: # IPv6 Tunnel Transfernetz
|
||||
ffrl-b-ak-ber:
|
||||
public_ipv4_address: 185.66.195.1
|
||||
tunnel_ipv4_network:
|
||||
tunnel_ipv6_network:
|
||||
ffrl-a-ix-dus:
|
||||
public_ipv4_address: 185.66.193.0
|
||||
tunnel_ipv4_network:
|
||||
tunnel_ipv6_network:
|
||||
ffrl-b-ix-dus:
|
||||
public_ipv4_address: 185.66.193.1
|
||||
tunnel_ipv4_network:
|
||||
tunnel_ipv6_network:
|
||||
ffrl-a-fra2-fra:
|
||||
public_ipv4_address: 185.66.194.0
|
||||
tunnel_ipv4_network:
|
||||
tunnel_ipv6_network:
|
||||
ffrl-b-fra2-fra:
|
||||
public_ipv4_address: 185.66.194.1
|
||||
tunnel_ipv4_network:
|
||||
tunnel_ipv6_network:
|
||||
´´´
|
|
@ -1,16 +0,0 @@
|
|||
---
|
||||
- name: create ffrl interfaces
|
||||
template:
|
||||
src: ffrl.j2
|
||||
dest: "/etc/network/interfaces.d/{{ item.key }}"
|
||||
notify: reload network interfaces
|
||||
with_dict: "{{ ffrl_exit_server }}"
|
||||
|
||||
- name: create ffrl-nat dummy interface
|
||||
template:
|
||||
src: ffrl_nat.j2
|
||||
dest: "/etc/network/interfaces.d/ffrl-nat"
|
||||
notify: reload network interfaces
|
||||
|
||||
- name: flush handlers
|
||||
meta: flush_handlers
|
|
@ -1,15 +0,0 @@
|
|||
#
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
auto {{ item.key }}
|
||||
iface {{ item.key }} inet tunnel
|
||||
mode gre
|
||||
local {{ ansible_default_ipv4.address | ipaddr('public') | ipaddr('address') }}
|
||||
endpoint {{ item.value.public_ipv4_address | ipaddr('public') | ipaddr('address') }}
|
||||
|
||||
ttl 64
|
||||
mtu 1400
|
||||
tunnel-physdev {{ ansible_default_ipv4.interface }}
|
||||
|
||||
address {{ item.value.tunnel_ipv4_network | ipaddr('net') | ipaddr('1') | ipaddr('ip/prefix') }}
|
||||
address {{ item.value.tunnel_ipv6_network | ipaddr('net') | ipaddr('2') | ipaddr('ip/prefix') }}
|
|
@ -1,7 +0,0 @@
|
|||
#
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
auto ffrl-nat
|
||||
iface ffrl-nat
|
||||
link-type dummy
|
||||
address {{ ffrl_public_ipv4_nat | ipaddr('host') }}
|
|
@ -1,29 +0,0 @@
|
|||
# Ansible role network-iptables-gateway
|
||||
|
||||
Diese Ansible role konfiguriert iptables Regeln für IPv4+IPv6 eines Freifunk Gateways.
|
||||
|
||||
- installiert iptables+iptables-persistent
|
||||
- schreibt rules.v4 + rules.v6
|
||||
- setzt netfilter sysctl parameter
|
||||
|
||||
## Benötigte Variablen
|
||||
|
||||
- List `sysctl_settings_netfilter` (Rollen Variable)
|
||||
´´´
|
||||
sysctl_settings_netfilter:
|
||||
- name: # sysctl-Parameter
|
||||
value: # zu setzender Wert
|
||||
|
||||
´´´
|
||||
- Dictionary `meshes`
|
||||
´´´
|
||||
meshes:
|
||||
- id: xx
|
||||
...
|
||||
ipv4_network:
|
||||
...
|
||||
|
||||
´´´
|
||||
- Variable `internet_exit_tcp_mss_ipv4`
|
||||
- Variable `internet_exit_tcp_mss_ipv6`
|
||||
- Host Variable `ffrl_public_ipv4_nat` # Format ip-adresse/prefix
|
|
@ -1,35 +0,0 @@
|
|||
---
|
||||
- name: install iptables packages
|
||||
package:
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
with_items:
|
||||
- iptables
|
||||
- iptables-persistent
|
||||
|
||||
- name: load netfilter modules
|
||||
modprobe:
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
with_items:
|
||||
- nf_conntrack
|
||||
- nf_conntrack_ipv4
|
||||
|
||||
- name: set netfilter sysctl settings
|
||||
sysctl:
|
||||
name: "{{ item.name }}"
|
||||
value: "{{ item.value }}"
|
||||
state: present
|
||||
with_items: "{{ sysctl_settings_netfilter }}"
|
||||
|
||||
- name: write iptables configuration
|
||||
template:
|
||||
src: rules.v4.j2
|
||||
dest: /etc/iptables/rules.v4
|
||||
notify: iptables-restore
|
||||
|
||||
- name: write ip6tables configuration
|
||||
template:
|
||||
src: rules.v6.j2
|
||||
dest: /etc/iptables/rules.v6
|
||||
notify: ip6tables-restore
|
|
@ -1,42 +0,0 @@
|
|||
#
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
*filter
|
||||
:INPUT ACCEPT [0:0]
|
||||
:FORWARD ACCEPT [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
-A INPUT -d {{ ansible_default_ipv4.address | ipaddr('public') }}/32 -p gre -j ACCEPT
|
||||
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
{% for mesh_forward in meshes %}
|
||||
{% for mesh_recursive in meshes recursive %}
|
||||
{% if not mesh_forward.id == mesh_recursive.id %}
|
||||
-A FORWARD -i {{ mesh_forward.id }}br -o {{ mesh_recursive.id }}br -j ACCEPT
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endfor %}
|
||||
-A FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
-A OUTPUT -s {{ ansible_default_ipv4.address | ipaddr('public') }}/32 -p gre -j ACCEPT
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
|
||||
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
COMMIT
|
||||
*mangle
|
||||
:PREROUTING ACCEPT [0:0]
|
||||
:INPUT ACCEPT [0:0]
|
||||
:FORWARD ACCEPT [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
:POSTROUTING ACCEPT [0:0]
|
||||
-A POSTROUTING -o ffrl+ -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss ! --mss 0:{{ internet_exit_tcp_mss_ipv4 }} -j TCPMSS --set-mss {{ internet_exit_tcp_mss_ipv4 }}
|
||||
COMMIT
|
||||
*nat
|
||||
:PREROUTING ACCEPT [0:0]
|
||||
:INPUT ACCEPT [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
:POSTROUTING ACCEPT [0:0]
|
||||
:ffrl-nat - [0:0]
|
||||
{% for mesh in meshes %}
|
||||
-A POSTROUTING -s {{ mesh.ipv4_network | ipaddr('private') | ipaddr('net') }} -o ffrl+ -j ffrl-nat
|
||||
{% endfor %}
|
||||
-A ffrl-nat -o ffrl+ -j SNAT --to-source {{ ffrl_public_ipv4_nat | ipaddr('address') }}
|
||||
COMMIT
|
|
@ -1,35 +0,0 @@
|
|||
#
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
*filter
|
||||
:INPUT ACCEPT [0:0]
|
||||
:FORWARD ACCEPT [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
{% for mesh_forward in meshes %}
|
||||
{% for mesh_recursive in meshes recursive %}
|
||||
{% if not mesh_forward.id == mesh_recursive.id %}
|
||||
-A FORWARD -i {{ mesh_forward.id }}br -o {{ mesh_recursive.id }}br -j ACCEPT
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endfor %}
|
||||
-A FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
|
||||
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
COMMIT
|
||||
*mangle
|
||||
:PREROUTING ACCEPT [0:0]
|
||||
:INPUT ACCEPT [0:0]
|
||||
:FORWARD ACCEPT [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
:POSTROUTING ACCEPT [0:0]
|
||||
-A POSTROUTING -o ffrl+ -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss ! --mss 0:{{ internet_exit_tcp_mss_ipv6 }} -j TCPMSS --set-mss {{ internet_exit_tcp_mss_ipv6 }}
|
||||
COMMIT
|
||||
*nat
|
||||
:PREROUTING ACCEPT [0:0]
|
||||
:INPUT ACCEPT [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
:POSTROUTING ACCEPT [0:0]
|
||||
COMMIT
|
|
@ -1,6 +0,0 @@
|
|||
---
|
||||
sysctl_settings_netfilter:
|
||||
- name: net.netfilter.nf_conntrack_tcp_timeout_established
|
||||
value: 86400
|
||||
- name: net.netfilter.nf_conntrack_max
|
||||
value: 262140
|
|
@ -1,30 +0,0 @@
|
|||
# Ansible role network-meshbridge
|
||||
|
||||
Diese Ansible role konfiguriert die Linux Bridges für die Freifunk Meshes.
|
||||
|
||||
- linux bridge pro mesh inklusive IP-Konfiguration
|
||||
- konfiguriert sysfs variablen:
|
||||
- hash_max
|
||||
|
||||
## Benötigte Variablen
|
||||
|
||||
- Dictionary `meshes`
|
||||
´´´
|
||||
meshes:
|
||||
-id: xx
|
||||
...
|
||||
ipv4_network:
|
||||
...
|
||||
ipv6_ula:
|
||||
- fdxx.../48 # ipv6 ula prefix
|
||||
ipv6_public:
|
||||
- 2xxx.../48 # ipv6 public prefix
|
||||
|
||||
´´´
|
||||
- Host Variable `magic`
|
||||
|
||||
## MAC-Adressen
|
||||
|
||||
Die MAC-Adressen der Interfaces werden aus dem IPv4-Subnetz sowie der `magic`-Nummer des Hosts berechnet.
|
||||
|
||||
xxbr-prefix: `02:10`
|
|
@ -1,17 +0,0 @@
|
|||
---
|
||||
- name: create mesh bridges
|
||||
template:
|
||||
src: bridge.j2
|
||||
dest: "/etc/network/interfaces.d/{{ item.id }}br"
|
||||
notify: reload network interfaces
|
||||
with_items: "{{ meshes }}"
|
||||
|
||||
- name: set sysfs variables
|
||||
template:
|
||||
src: sysfs.j2
|
||||
dest: "/etc/sysfs.d/99-{{ item.id }}br.conf"
|
||||
with_items: "{{ meshes }}"
|
||||
notify: activate sysfs variables
|
||||
|
||||
- name: flush handlers
|
||||
meta: flush_handlers
|
|
@ -1,17 +0,0 @@
|
|||
{% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
|
||||
{% set mac = '0210' + ip4hex -%}
|
||||
#
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
auto {{ item.id }}br
|
||||
iface {{ item.id }}br
|
||||
# hwaddress {{ mac | hwaddr('linux') }} <-- preferred way, not working - ipv6 addresses not set on boot
|
||||
pre-up /sbin/ip link set address {{ mac | hwaddr('linux') }} dev $IFACE # ^^^ dirty workaround to get rid of
|
||||
address {{ item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('ip/prefix') }}
|
||||
{% for prefix in item.ipv6_ula %}
|
||||
address {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('ip/prefix') }}
|
||||
{% endfor %}
|
||||
{% for prefix in item.ipv6_public %}
|
||||
address {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('ip/prefix') }}
|
||||
{% endfor %}
|
||||
bridge-ports {{ item.id }}bat
|
|
@ -1,4 +0,0 @@
|
|||
#
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
class/net/{{ item.id }}br/bridge/hash_max = 16384
|
|
@ -1,12 +0,0 @@
|
|||
# Ansible role network-routetables
|
||||
|
||||
Diese Ansible role legt die erforderlichen routing tables an.
|
||||
|
||||
## Benötigte Variablen
|
||||
|
||||
- `routing_tables`
|
||||
´´´
|
||||
routing_tables:
|
||||
$name: # integer
|
||||
|
||||
´´´
|
|
@ -1,8 +0,0 @@
|
|||
---
|
||||
- name: create routing tables
|
||||
lineinfile:
|
||||
path: /etc/iproute2/rt_tables
|
||||
regexp: '^{{ item.value }}'
|
||||
line: "{{ item.value }}{{ '\t' }}{{ item.key }}"
|
||||
state: present
|
||||
with_dict: "{{ routing_tables }}"
|
|
@ -1,33 +0,0 @@
|
|||
# Ansible role network-routing
|
||||
|
||||
Diese Ansible role konfiguriert System Einstellung bzgl. IP Routing.
|
||||
|
||||
- konfiguriert statische Routen (systemd Unit)
|
||||
- Mesh Routen für die Routing Tabelle `mwu`
|
||||
- Blackhole Routes für die Routing Tabellen `internet` + `main`
|
||||
- konfiguriert IP rules (systemd Unit)
|
||||
- konfiguriert sysctl Parameter
|
||||
|
||||
## Benötigte Variablen
|
||||
|
||||
- Dictionary `meshes`
|
||||
´´´
|
||||
meshes:
|
||||
- id: xx
|
||||
...
|
||||
site_name:
|
||||
ipv4_network:
|
||||
ipv6_ula:
|
||||
ipv6_public:
|
||||
´´´
|
||||
- List `sysctl_settings_gateway` (Rollen-Variable)
|
||||
```
|
||||
sysctl_settings_routing:
|
||||
- name: # sysctl-Parameter
|
||||
value: # zu setzender Wert
|
||||
...
|
||||
- Host Variable `ffrl_public_ipv4_nat` # Format ip-adresse/prefix
|
||||
- Host Dictionary `ffrl_exit_server
|
||||
|
||||
´´´
|
||||
- Host Variable `magic`
|
|
@ -1,61 +0,0 @@
|
|||
---
|
||||
- name: write systemd unit ffmwu-static-routes.service
|
||||
template:
|
||||
src: ffmwu-static-routes.service.j2
|
||||
dest: /etc/systemd/system/ffmwu-static-routes.service
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
notify: reload systemd
|
||||
|
||||
- name: write static route scripts
|
||||
template:
|
||||
src: "{{ item }}.j2"
|
||||
dest: "/usr/local/bin/{{ item }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0750
|
||||
with_items:
|
||||
- ffmwu-add-static-routes.sh
|
||||
- ffmwu-del-static-routes.sh
|
||||
notify: restart systemd unit ffmwu-static-routes
|
||||
|
||||
- name: enable systemd unit ffmwu-static-routes.service
|
||||
systemd:
|
||||
name: ffmwu-static-routes
|
||||
enabled: yes
|
||||
state: started
|
||||
|
||||
- name: write systemd unit ffmwu-ip-rules.service
|
||||
template:
|
||||
src: ffmwu-ip-rules.service.j2
|
||||
dest: /etc/systemd/system/ffmwu-ip-rules.service
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
notify: reload systemd
|
||||
|
||||
- name: write ip rule scripts
|
||||
template:
|
||||
src: "{{ item }}.j2"
|
||||
dest: "/usr/local/bin/{{ item }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0750
|
||||
with_items:
|
||||
- ffmwu-add-ip-rules.sh
|
||||
- ffmwu-del-ip-rules.sh
|
||||
notify: restart systemd unit ffmwu-ip-rules
|
||||
|
||||
- name: enable systemd unit ffmwu-ip-rules.service
|
||||
systemd:
|
||||
name: ffmwu-ip-rules
|
||||
enabled: yes
|
||||
state: started
|
||||
|
||||
- name: set freifunk gateway sysctl settings
|
||||
sysctl:
|
||||
name: "{{ item.name }}"
|
||||
value: "{{ item.value }}"
|
||||
state: present
|
||||
with_items: "{{ sysctl_settings_routing }}"
|
|
@ -1,82 +0,0 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
|
||||
# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
|
||||
{% for mesh in meshes %}
|
||||
ip -4 rule add from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
|
||||
ip -4 rule add to {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
|
||||
ip -4 rule add from all oif {{ mesh.id }}br lookup mwu priority 7
|
||||
{% for ula in mesh.ipv6_ula %}
|
||||
ip -6 rule add from {{ ula }} lookup mwu priority 7
|
||||
ip -6 rule add to {{ ula }} lookup mwu priority 7
|
||||
{% endfor %}
|
||||
{% for public in mesh.ipv6_public %}
|
||||
ip -6 rule add from {{ public }} lookup mwu priority 7
|
||||
ip -6 rule add to {{ public }} lookup mwu priority 7
|
||||
{% endfor %}
|
||||
ip -6 rule add from all oif {{ mesh.id }}br lookup mwu priority 7
|
||||
{% endfor %}
|
||||
|
||||
# Priority 23 - lookup rt_table icvpn for all incoming traffic of freifunk bridges
|
||||
{% for mesh in meshes %}
|
||||
ip -4 rule add from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23
|
||||
ip -4 rule add to {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23
|
||||
ip -4 rule add from all oif {{ mesh.id }}br lookup icvpn priority 23
|
||||
{% for ula in mesh.ipv6_ula %}
|
||||
ip -6 rule add from {{ ula }} lookup icvpn priority 23
|
||||
ip -6 rule add to {{ ula }} lookup icvpn priority 23
|
||||
{% endfor %}
|
||||
{% for public in mesh.ipv6_public %}
|
||||
ip -6 rule add from {{ public }} lookup icvpn priority 23
|
||||
ip -6 rule add to {{ public }} lookup icvpn priority 23
|
||||
{% endfor %}
|
||||
ip -6 rule add from all oif {{ mesh.id }}br lookup icvpn priority 23
|
||||
{% endfor %}
|
||||
ip -4 rule add from all oif icvpn lookup icvpn priority 23
|
||||
ip -6 rule add from all oif icvpn lookup icvpn priority 23
|
||||
|
||||
# Priority 41 - lookup rt_table internet for all incoming traffic of freifunk bridges
|
||||
{% for mesh in meshes %}
|
||||
ip -4 rule add from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup internet priority 41
|
||||
{% for ula in mesh.ipv6_ula %}
|
||||
ip -6 rule add from {{ ula }} lookup internet priority 41
|
||||
ip -6 rule add to {{ ula }} lookup internet priority 41
|
||||
{% endfor %}
|
||||
{% for public in mesh.ipv6_public %}
|
||||
ip -6 rule add from {{ public }} lookup internet priority 41
|
||||
ip -6 rule add to {{ public }} lookup internet priority 41
|
||||
{% endfor %}
|
||||
ip -6 rule add from all oif {{ mesh.id }}br lookup internet priority 41
|
||||
{% endfor %}
|
||||
ip -4 rule add from {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41
|
||||
ip -4 rule add to {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41
|
||||
|
||||
# Priority 61 - at this point this is the end of policy routing for freifunk related routes
|
||||
{% for mesh in meshes %}
|
||||
ip -4 rule add from all iif {{ mesh.id }}br type unreachable priority 61
|
||||
ip -6 rule add from all iif {{ mesh.id }}br type unreachable priority 61
|
||||
{% endfor %}
|
||||
ip -4 rule add from all iif icvpn type unreachable priority 61
|
||||
ip -4 rule add from all iif {{ ansible_default_ipv4.interface }} type unreachable priority 61
|
||||
{% for server_id, server_value in ffrl_exit_server.iteritems() %}
|
||||
ip -4 rule add from all iif {{ server_id }} type unreachable priority 61
|
||||
ip -6 rule add from all iif {{ server_id }} type unreachable priority 61
|
||||
{% endfor %}
|
||||
ip -6 rule add from all iif icvpn type unreachable priority 61
|
||||
ip -6 rule add from all iif {{ ansible_default_ipv6.interface }} type unreachable priority 61
|
||||
{% for mesh in meshes %}
|
||||
{% for public in mesh.ipv6_public %}
|
||||
ip -6 rule add from {{ public }} type unreachable priority 61
|
||||
ip -6 rule add to {{ public }} type unreachable priority 61
|
||||
{% endfor %}
|
||||
{% endfor %}
|
||||
|
||||
# Priority 107 - lookup policies for the gateway host self originating traffic
|
||||
ip -4 rule add from all lookup mwu priority 107
|
||||
ip -4 rule add from all lookup icvpn priority 107
|
||||
ip -6 rule add from all lookup mwu priority 107
|
||||
ip -6 rule add from all lookup icvpn priority 107
|
||||
|
||||
exit 0
|
|
@ -1,66 +0,0 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
|
||||
{% for mesh in meshes %}
|
||||
# static {{ mesh.site_name }} routes for rt_table mwu
|
||||
/sbin/ip -4 route add {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}br table mwu
|
||||
{% for ula in mesh.ipv6_ula %}
|
||||
/sbin/ip -6 route add {{ ula | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}br table mwu
|
||||
{% endfor %}
|
||||
{% for public in mesh.ipv6_public %}
|
||||
/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}br table mwu
|
||||
/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(56, magic) | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}br table mwu
|
||||
{% endfor %}
|
||||
{% if not loop.last %}
|
||||
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
||||
# static blackhole routes for rt_table internet
|
||||
/sbin/ip -4 route add blackhole 0.0.0.0/8 table internet
|
||||
/sbin/ip -4 route add blackhole 10.0.0.0/8 table internet
|
||||
/sbin/ip -4 route add blackhole 100.64.0.0/10 table internet
|
||||
/sbin/ip -4 route add blackhole 127.0.0.0/8 table internet
|
||||
/sbin/ip -4 route add blackhole 169.254.0.0/16 table internet
|
||||
/sbin/ip -4 route add blackhole 172.16.0.0/12 table internet
|
||||
/sbin/ip -4 route add blackhole 192.0.0.0/24 table internet
|
||||
/sbin/ip -4 route add blackhole 192.0.2.0/24 table internet
|
||||
/sbin/ip -4 route add blackhole 192.88.99.0/24 table internet
|
||||
/sbin/ip -4 route add blackhole 192.168.0.0/16 table internet
|
||||
/sbin/ip -4 route add blackhole 198.18.0.0/15 table internet
|
||||
/sbin/ip -4 route add blackhole 198.51.100.0/24 table internet
|
||||
/sbin/ip -4 route add blackhole 203.0.113.0/24 table internet
|
||||
/sbin/ip -4 route add blackhole 224.0.0.0/4 table internet
|
||||
/sbin/ip -4 route add blackhole 240.0.0.0/4 table internet
|
||||
/sbin/ip -4 route add blackhole 255.255.255.255/32 table internet
|
||||
/sbin/ip -6 route add blackhole fec0::/10 table internet
|
||||
/sbin/ip -6 route add blackhole fc00::/7 table internet
|
||||
/sbin/ip -6 route add blackhole ff00::/8 table internet
|
||||
/sbin/ip -6 route add blackhole ::/96 table internet
|
||||
/sbin/ip -6 route add blackhole 0:0:0:0:0:ffff::/96 table internet
|
||||
|
||||
# static blackhole routes for rt_table main
|
||||
/sbin/ip -4 route add blackhole 0.0.0.0/8 table main
|
||||
/sbin/ip -4 route add blackhole 10.0.0.0/8 table main
|
||||
/sbin/ip -4 route add blackhole 100.64.0.0/10 table main
|
||||
/sbin/ip -4 route add blackhole 127.0.0.0/8 table main
|
||||
/sbin/ip -4 route add blackhole 169.254.0.0/16 table main
|
||||
/sbin/ip -4 route add blackhole 172.16.0.0/12 table main
|
||||
/sbin/ip -4 route add blackhole 192.0.0.0/24 table main
|
||||
/sbin/ip -4 route add blackhole 192.0.2.0/24 table main
|
||||
/sbin/ip -4 route add blackhole 192.88.99.0/24 table main
|
||||
/sbin/ip -4 route add blackhole 192.168.0.0/16 table main
|
||||
/sbin/ip -4 route add blackhole 198.18.0.0/15 table main
|
||||
/sbin/ip -4 route add blackhole 198.51.100.0/24 table main
|
||||
/sbin/ip -4 route add blackhole 203.0.113.0/24 table main
|
||||
/sbin/ip -4 route add blackhole 224.0.0.0/4 table main
|
||||
/sbin/ip -4 route add blackhole 240.0.0.0/4 table main
|
||||
/sbin/ip -4 route add blackhole 255.255.255.255/32 table main
|
||||
/sbin/ip -6 route add blackhole fec0::/10 table main
|
||||
/sbin/ip -6 route add blackhole fc00::/7 table main
|
||||
/sbin/ip -6 route add blackhole ff00::/8 table main
|
||||
/sbin/ip -6 route add blackhole ::/96 table main
|
||||
/sbin/ip -6 route add blackhole 0:0:0:0:0:ffff::/96 table main
|
||||
/sbin/ip -6 route add blackhole ::/0 table main
|
|
@ -1,82 +0,0 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
|
||||
# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
|
||||
{% for mesh in meshes %}
|
||||
ip -4 rule del from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
|
||||
ip -4 rule del to {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
|
||||
ip -4 rule del from all oif {{ mesh.id }}br lookup mwu priority 7
|
||||
{% for ula in mesh.ipv6_ula %}
|
||||
ip -6 rule del from {{ ula }} lookup mwu priority 7
|
||||
ip -6 rule del to {{ ula }} lookup mwu priority 7
|
||||
{% endfor %}
|
||||
{% for public in mesh.ipv6_public %}
|
||||
ip -6 rule del from {{ public }} lookup mwu priority 7
|
||||
ip -6 rule del to {{ public }} lookup mwu priority 7
|
||||
{% endfor %}
|
||||
ip -6 rule del from all oif {{ mesh.id }}br lookup mwu priority 7
|
||||
{% endfor %}
|
||||
|
||||
# Priority 23 - lookup rt_table icvpn for all incoming traffic of freifunk bridges
|
||||
{% for mesh in meshes %}
|
||||
ip -4 rule del from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23
|
||||
ip -4 rule del to {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23
|
||||
ip -4 rule del from all oif {{ mesh.id }}br lookup icvpn priority 23
|
||||
{% for ula in mesh.ipv6_ula %}
|
||||
ip -6 rule del from {{ ula }} lookup icvpn priority 23
|
||||
ip -6 rule del to {{ ula }} lookup icvpn priority 23
|
||||
{% endfor %}
|
||||
{% for public in mesh.ipv6_public %}
|
||||
ip -6 rule del from {{ public }} lookup icvpn priority 23
|
||||
ip -6 rule del to {{ public }} lookup icvpn priority 23
|
||||
{% endfor %}
|
||||
ip -6 rule del from all oif {{ mesh.id }}br lookup icvpn priority 23
|
||||
{% endfor %}
|
||||
ip -4 rule del from all oif icvpn lookup icvpn priority 23
|
||||
ip -6 rule del from all oif icvpn lookup icvpn priority 23
|
||||
|
||||
# Priority 41 - lookup rt_table internet for all incoming traffic of freifunk bridges
|
||||
{% for mesh in meshes %}
|
||||
ip -4 rule del from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup internet priority 41
|
||||
{% for ula in mesh.ipv6_ula %}
|
||||
ip -6 rule del from {{ ula }} lookup internet priority 41
|
||||
ip -6 rule del to {{ ula }} lookup internet priority 41
|
||||
{% endfor %}
|
||||
{% for public in mesh.ipv6_public %}
|
||||
ip -6 rule del from {{ public }} lookup internet priority 41
|
||||
ip -6 rule del to {{ public }} lookup internet priority 41
|
||||
{% endfor %}
|
||||
ip -6 rule del from all oif {{ mesh.id }}br lookup internet priority 41
|
||||
{% endfor %}
|
||||
ip -4 rule del from {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41
|
||||
ip -4 rule del to {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41
|
||||
|
||||
# Priority 61 - at this point this is the end of policy routing for freifunk related routes
|
||||
{% for mesh in meshes %}
|
||||
ip -4 rule del from all iif {{ mesh.id }}br type unreachable priority 61
|
||||
ip -6 rule del from all iif {{ mesh.id }}br type unreachable priority 61
|
||||
{% endfor %}
|
||||
ip -4 rule del from all iif icvpn type unreachable priority 61
|
||||
ip -4 rule del from all iif {{ ansible_default_ipv4.interface }} type unreachable priority 61
|
||||
{% for server_id, server_value in ffrl_exit_server.iteritems() %}
|
||||
ip -4 rule del from all iif {{ server_id }} type unreachable priority 61
|
||||
ip -6 rule del from all iif {{ server_id }} type unreachable priority 61
|
||||
{% endfor %}
|
||||
ip -6 rule del from all iif icvpn type unreachable priority 61
|
||||
ip -6 rule del from all iif {{ ansible_default_ipv6.interface }} type unreachable priority 61
|
||||
{% for mesh in meshes %}
|
||||
{% for public in mesh.ipv6_public %}
|
||||
ip -6 rule del from {{ public }} type unreachable priority 61
|
||||
ip -6 rule del to {{ public }} type unreachable priority 61
|
||||
{% endfor %}
|
||||
{% endfor %}
|
||||
|
||||
# Priority 107 - lookup policies for the gateway host self originating traffic
|
||||
ip -4 rule del from all lookup mwu priority 107
|
||||
ip -4 rule del from all lookup icvpn priority 107
|
||||
ip -6 rule del from all lookup mwu priority 107
|
||||
ip -6 rule del from all lookup icvpn priority 107
|
||||
|
||||
exit 0
|
|
@ -1,66 +0,0 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
|
||||
{% for mesh in meshes %}
|
||||
# static {{ mesh.site_name }} routes for rt_table mwu
|
||||
/sbin/ip -4 route del {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}br table mwu
|
||||
{% for ula in mesh.ipv6_ula %}
|
||||
/sbin/ip -6 route del {{ ula | ipaddr('net') | ipsubnet(64, 0) }} proto static dev {{ mesh.id }}br table mwu
|
||||
{% endfor %}
|
||||
{% for public in mesh.ipv6_public %}
|
||||
/sbin/ip -6 route del {{ public | ipaddr('net') | ipsubnet(64, 0) }} proto static dev {{ mesh.id }}br table mwu
|
||||
/sbin/ip -6 route del {{ public | ipaddr('net') | ipsubnet(64, magic) }} proto static dev {{ mesh.id }}br table mwu
|
||||
{% endfor %}
|
||||
{% if not loop.last %}
|
||||
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
||||
# static blackhole routes for rt_table internet
|
||||
/sbin/ip -4 route del blackhole 0.0.0.0/8 table internet
|
||||
/sbin/ip -4 route del blackhole 10.0.0.0/8 table internet
|
||||
/sbin/ip -4 route del blackhole 100.64.0.0/10 table internet
|
||||
/sbin/ip -4 route del blackhole 127.0.0.0/8 table internet
|
||||
/sbin/ip -4 route del blackhole 169.254.0.0/16 table internet
|
||||
/sbin/ip -4 route del blackhole 172.16.0.0/12 table internet
|
||||
/sbin/ip -4 route del blackhole 192.0.0.0/24 table internet
|
||||
/sbin/ip -4 route del blackhole 192.0.2.0/24 table internet
|
||||
/sbin/ip -4 route del blackhole 192.88.99.0/24 table internet
|
||||
/sbin/ip -4 route del blackhole 192.168.0.0/16 table internet
|
||||
/sbin/ip -4 route del blackhole 198.18.0.0/15 table internet
|
||||
/sbin/ip -4 route del blackhole 198.51.100.0/24 table internet
|
||||
/sbin/ip -4 route del blackhole 203.0.113.0/24 table internet
|
||||
/sbin/ip -4 route del blackhole 224.0.0.0/4 table internet
|
||||
/sbin/ip -4 route del blackhole 240.0.0.0/4 table internet
|
||||
/sbin/ip -4 route del blackhole 255.255.255.255/32 table internet
|
||||
/sbin/ip -6 route del blackhole fec0::/10 table internet
|
||||
/sbin/ip -6 route del blackhole fc00::/7 table internet
|
||||
/sbin/ip -6 route del blackhole ff00::/8 table internet
|
||||
/sbin/ip -6 route del blackhole ::/96 table internet
|
||||
/sbin/ip -6 route del blackhole 0:0:0:0:0:ffff::/96 table internet
|
||||
|
||||
# static blackhole routes for rt_table main
|
||||
/sbin/ip -4 route del blackhole 0.0.0.0/8 table main
|
||||
/sbin/ip -4 route del blackhole 10.0.0.0/8 table main
|
||||
/sbin/ip -4 route del blackhole 100.64.0.0/10 table main
|
||||
/sbin/ip -4 route del blackhole 127.0.0.0/8 table main
|
||||
/sbin/ip -4 route del blackhole 169.254.0.0/16 table main
|
||||
/sbin/ip -4 route del blackhole 172.16.0.0/12 table main
|
||||
/sbin/ip -4 route del blackhole 192.0.0.0/24 table main
|
||||
/sbin/ip -4 route del blackhole 192.0.2.0/24 table main
|
||||
/sbin/ip -4 route del blackhole 192.88.99.0/24 table main
|
||||
/sbin/ip -4 route del blackhole 192.168.0.0/16 table main
|
||||
/sbin/ip -4 route del blackhole 198.18.0.0/15 table main
|
||||
/sbin/ip -4 route del blackhole 198.51.100.0/24 table main
|
||||
/sbin/ip -4 route del blackhole 203.0.113.0/24 table main
|
||||
/sbin/ip -4 route del blackhole 224.0.0.0/4 table main
|
||||
/sbin/ip -4 route del blackhole 240.0.0.0/4 table main
|
||||
/sbin/ip -4 route del blackhole 255.255.255.255/32 table main
|
||||
/sbin/ip -6 route del blackhole fec0::/10 table main
|
||||
/sbin/ip -6 route del blackhole fc00::/7 table main
|
||||
/sbin/ip -6 route del blackhole ff00::/8 table main
|
||||
/sbin/ip -6 route del blackhole ::/96 table main
|
||||
/sbin/ip -6 route del blackhole 0:0:0:0:0:ffff::/96 table main
|
||||
/sbin/ip -6 route del blackhole ::/0 table main
|
|
@ -1,12 +0,0 @@
|
|||
[Unit]
|
||||
Description=Manage Freifunk MWU IP rules
|
||||
After=network-online.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStart=/usr/local/bin/ffmwu-add-ip-rules.sh
|
||||
ExecStop=/usr/local/bin/ffmwu-del-ip-rules.sh
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
@ -1,12 +0,0 @@
|
|||
[Unit]
|
||||
Description=Manage Freifunk MWU static routes
|
||||
After=network-online.target networking.service
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStart=/usr/local/bin/ffmwu-add-static-routes.sh
|
||||
ExecStop=/usr/local/bin/ffmwu-del-static-routes.sh
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
@ -1,14 +0,0 @@
|
|||
---
|
||||
sysctl_settings_routing:
|
||||
- name: net.ipv4.ip_forward
|
||||
value: 1
|
||||
- name: net.ipv4.conf.default.rp_filter
|
||||
value: 0
|
||||
- name: net.ipv4.conf.all.rp_filter
|
||||
value: 0
|
||||
- name: net.ipv6.conf.all.forwarding
|
||||
value: 1
|
||||
- name: net.ipv6.conf.all.accept_ra
|
||||
value: 0
|
||||
- name: net.ipv6.conf.default.accept_ra
|
||||
value: 0
|
|
@ -21,6 +21,7 @@
|
|||
with_items: "{{ (pkg_repo_list|default({})).repo_keys | default([]) }}"
|
||||
loop_control:
|
||||
loop_var: pkg_item
|
||||
become: True
|
||||
# see defaults in with - when: (pkg_repo_list is defined) and (pkg_repo_list.repo_keys is defined)
|
||||
|
||||
- name: ensure defined apt repos
|
||||
|
@ -32,6 +33,7 @@
|
|||
with_items: "{{ (pkg_repo_list|default({})).repos | default([]) }}"
|
||||
loop_control:
|
||||
loop_var: pkg_item
|
||||
become: True
|
||||
# see defaults in with - when: (pkg_repo_list is defined) and (pkg_repo_list.repos is defined)
|
||||
|
||||
# see defaults in with - when: pkg_repo_list is defined
|
||||
|
@ -46,6 +48,7 @@
|
|||
with_items: "{{meshing_pkg_pkg_list | default([])}}"
|
||||
loop_control:
|
||||
loop_var: mwu_m_item
|
||||
become: True
|
||||
# see default in with - when: meshing_pkg_pkg_list is defined
|
||||
|
||||
- name: ensure defined python libs
|
||||
|
@ -53,6 +56,7 @@
|
|||
with_items: "{{meshing_pkg_pip_list | default([])}}"
|
||||
loop_control:
|
||||
loop_var: mwu_m_item
|
||||
become: True
|
||||
# see default in with - when: meshing_pkg_pip_list is defined
|
||||
|
||||
when: (really_do is defined) and (really_do)
|
||||
|
|
|
@ -1,18 +0,0 @@
|
|||
# Ansible role prerequisites
|
||||
|
||||
Diese Ansible role prüft ob die Voraussetzungen für ein Freifunk Gateway erfüllt sind.
|
||||
|
||||
- Forward-DNS Eintrag $FQDN == ausgelesener IPv4-Adresse
|
||||
- Forward-DNS Eintrag $FQDN == ausgelesener IPv6-Adresse
|
||||
- CNAME Eintrag gate$magic.freifunk-mwu.de == $FQDN
|
||||
- CNAME Eintrag icvpn$magic.freifunk-mwu.de == $FQDN
|
||||
- Linux Distribution == Debian
|
||||
- Debian Version == 9
|
||||
|
||||
## Benötigte Variablen
|
||||
|
||||
Die folgenden Variablen werden über einen DNS Lookup gesetzt:
|
||||
- Variable `dns_host_ipv4_address` (Rollen-Variable)
|
||||
- Variable `dns_host_ipv6_address` (Rollen-Variable)
|
||||
- Variable `dns_gate_num_cname` (Rollen-Variable)
|
||||
- Variable `dns_gate_icvpn_cname` (Rollen-Variable)
|
|
@ -1,15 +0,0 @@
|
|||
---
|
||||
|
||||
- name: Check DNS entries and target distribution
|
||||
assert:
|
||||
that:
|
||||
- "dns_host_ipv4_address in ansible_all_ipv4_addresses"
|
||||
- "dns_host_ipv6_address in ansible_all_ipv6_addresses"
|
||||
- "dns_gate_num_cname == inventory_hostname"
|
||||
- "dns_gate_icvpn_cname == inventory_hostname"
|
||||
- "ansible_distribution == 'Debian'"
|
||||
- "ansible_distribution_major_version == '9'"
|
||||
|
||||
- name: Test root access for admin account
|
||||
command: "true"
|
||||
changed_when: False
|
|
@ -1,8 +0,0 @@
|
|||
---
|
||||
dns_gate_num: "gate{{ magic }}.{{ http_domain_external }}"
|
||||
dns_gate_icvpn: "icvpn{{ magic }}.{{ http_domain_external }}"
|
||||
|
||||
dns_host_ipv4_address: "{{ lookup('dig', inventory_hostname, 'qtype=A') }}"
|
||||
dns_host_ipv6_address: "{{ lookup('dig', inventory_hostname, 'qtype=AAAA') }}"
|
||||
dns_gate_num_cname: "{{ lookup('dig', dns_gate_num, 'qtype=CNAME') | regex_replace('\\.$') }}"
|
||||
dns_gate_icvpn_cname: "{{ lookup('dig', dns_gate_icvpn, 'qtype=CNAME') | regex_replace('\\.$') }}"
|
|
@ -1,13 +0,0 @@
|
|||
# Ansible role server-apt-repos
|
||||
|
||||
Diese Ansible role konfiguriert zusätzliche APT Repositories.
|
||||
|
||||
- installiert Freifunk MWU Debian APT PGP Key
|
||||
- konfiguriert APT Repositories aus der Liste `repos`
|
||||
|
||||
## Benötigte Variablen
|
||||
|
||||
- Liste `repos` (Rollen Variable)
|
||||
- `name`: String == Name der Konfigurationsdatei unter /etc/apt/sources.list.d
|
||||
- `repo`: String
|
||||
- `update_cache`: yes|no
|
|
@ -1,22 +0,0 @@
|
|||
---
|
||||
- name: ensure dirmngr and apt-transport-https are installed
|
||||
package:
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
with_items:
|
||||
- dirmngr
|
||||
- apt-transport-https
|
||||
|
||||
- name: ensure apt key for freifunk-mwu is present
|
||||
apt_key:
|
||||
state: present
|
||||
id: 83A70084
|
||||
url: "http://repo.freifunk-mwu.de/83A70084.gpg.key"
|
||||
|
||||
- name: ensure needed apt repos are present
|
||||
apt_repository:
|
||||
state: present
|
||||
repo: "{{ item.repo }}"
|
||||
update_cache: "{{ item.update_cache }}"
|
||||
filename: "{{ item.name }}"
|
||||
with_items: "{{ repos }}"
|
|
@ -1,8 +0,0 @@
|
|||
---
|
||||
repos:
|
||||
- name: freifunk
|
||||
repo: 'deb http://repo.freifunk-mwu.de/debian stretch main'
|
||||
update_cache: yes
|
||||
- name: freifunk
|
||||
repo: 'deb-src http://repo.freifunk-mwu.de/debian stretch main'
|
||||
update_cache: yes
|
|
@ -1,14 +0,0 @@
|
|||
# Ansible role server-basic
|
||||
|
||||
Diese Ansible role installiert Pakete, die auf allen MWU-Server benötigt werden.
|
||||
|
||||
- installiert Pakete, die auf allen Servern benötigt werden
|
||||
- setzt vim als default Editor
|
||||
- setzt die Zeitzone auf Europe/Berlin
|
||||
- generiert und setzt default locale
|
||||
- konfiguriert das dummy Kernel Modul
|
||||
|
||||
## Benötigte Variablen
|
||||
|
||||
- Liste `packages` (Rollen Variable)
|
||||
- Variable `default_locale` (Rollen-Variable)
|
|
@ -1,43 +0,0 @@
|
|||
---
|
||||
- name: ensure common packages are installed
|
||||
package:
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
with_items: "{{ packages }}"
|
||||
|
||||
- name: ensure vim is default editor
|
||||
alternatives:
|
||||
name: editor
|
||||
path: /usr/bin/vim.basic
|
||||
|
||||
- name: ensure default locale is installed
|
||||
locale_gen:
|
||||
name: "{{ default_locale }}"
|
||||
state: present
|
||||
|
||||
- name: ensure default locale is set
|
||||
command: "/usr/bin/localectl set-locale LANG={{ default_locale }}"
|
||||
changed_when: false
|
||||
|
||||
- name: set timezone to Europe/Berlin
|
||||
timezone:
|
||||
name: Europe/Berlin
|
||||
|
||||
- name: create ffmwu custom config dir
|
||||
file:
|
||||
path: /home/admin/.config
|
||||
state: directory
|
||||
owner: admin
|
||||
group: admin
|
||||
mode: 0750
|
||||
|
||||
- name: configure dummy module to load on system boot
|
||||
template:
|
||||
src: dummy.module.conf.j2
|
||||
dest: /etc/modules-load.d/dummy.conf
|
||||
|
||||
- name: load dummy module
|
||||
modprobe:
|
||||
name: "dummy"
|
||||
state: present
|
||||
params: "numdummies=0"
|
|
@ -1,5 +0,0 @@
|
|||
#
|
||||
# Load dummy module on system boot
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
dummy
|
|
@ -1,15 +0,0 @@
|
|||
---
|
||||
packages:
|
||||
- apt-transport-https
|
||||
- bridge-utils
|
||||
- ethtool
|
||||
- ifupdown2
|
||||
- man-db
|
||||
- mlocate
|
||||
- mosh
|
||||
- python3-yaml
|
||||
- sudo
|
||||
- sysfsutils
|
||||
- vim
|
||||
|
||||
default_locale: "en_US.UTF-8"
|
|
@ -1,38 +0,0 @@
|
|||
# Ansible role service-bind-slave
|
||||
|
||||
Diese Ansible role installiert und konfiguriert den DNS Server BIND auf einem Freifunk Gateway.
|
||||
Die Gateways agieren lediglich als Slave-DNS Server.
|
||||
|
||||
- installiert BIND Pakete
|
||||
- schreibt named.conf + named.conf.options + named.conf.logging
|
||||
- schreibt named.conf.icvpn nur wenn noch nicht vorhanden
|
||||
- schreibt für jedes Mesh eine Konfigurationsdatei named.conf.$site_code
|
||||
- Forward-Zones müssen im `meshes`-Dict angegeben werden
|
||||
- Reverse DNS Zones werden automatisch aus den benutzten IP-Subnetzen erzeugt
|
||||
|
||||
## Benötigte Variablen
|
||||
|
||||
- Dictionary `meshes`
|
||||
´´´
|
||||
meshes:
|
||||
- id: xx
|
||||
...
|
||||
site_code: # string
|
||||
ipv4_network:
|
||||
ipv6_ula:
|
||||
- # ULA-Prefix
|
||||
- ...
|
||||
dns:
|
||||
master: # IP-Adresse des DNS Masters
|
||||
forward_zones:
|
||||
- name: $zone # DNS-Domain
|
||||
master: # optional: IP-Adresse des DNS Masters, wenn die vom übergeordneten abweicht.
|
||||
|
||||
´´´
|
||||
- Variable `icvpn_ipv4_transfer_net`
|
||||
- Variable `icvpn_ipv6_transfer_net`
|
||||
- Host Variable `magic`
|
||||
|
||||
## Benötigte roles
|
||||
|
||||
- git-repos
|
|
@ -1,3 +0,0 @@
|
|||
---
|
||||
dependencies:
|
||||
- { role: git-repos }
|
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue