From 63ca114c95399e5da8c4cc63cc413bc3c5785bea Mon Sep 17 00:00:00 2001 
From: Tobias Hachmer Date: Fri, 6 Oct 2017 22:58:00 +0200 Subject: [PATCH] Migrate nested dictionary `meshes` into a list of dictionaries - migrate dictionary `ipv6` into two simple lists - migrate dictionary `forward_zones` into a list --- Readme.md | 42 ++++++------ inventory/group_vars/all | 40 ++++++------ roles/network-batman/README.md | 2 +- roles/network-batman/tasks/main.yml | 8 +-- roles/network-batman/templates/batman.j2 | 18 +++--- roles/network-batman/templates/dummy.j2 | 6 +- roles/network-fastd/README.md | 2 +- roles/network-fastd/tasks/main.yml | 8 +-- .../templates/fastd-intragate.j2 | 6 +- roles/network-fastd/templates/fastd-mesh.j2 | 6 +- roles/network-iptables-gateway/README.md | 2 +- .../templates/rules.v4.j2 | 8 +-- .../templates/rules.v6.j2 | 4 +- roles/network-meshbridge/README.md | 11 ++-- roles/network-meshbridge/tasks/main.yml | 8 +-- roles/network-meshbridge/templates/bridge.j2 | 17 ++--- roles/network-meshbridge/templates/sysfs.j2 | 2 +- roles/service-bind-slave/README.md | 11 ++-- roles/service-bind-slave/tasks/main.yml | 4 +- .../templates/named.conf.j2 | 4 +- .../templates/named.conf.mesh.j2 | 44 ++++++------- .../templates/named.conf.options.j2 | 14 ++-- roles/service-bird-ffrl/README.md | 7 +- .../templates/ffrl_ipv6.conf.j2 | 8 +-- roles/service-bird/README.md | 7 +- roles/service-bird/templates/bird.conf.j2 | 8 +-- roles/service-bird/templates/bird6.conf.j2 | 8 +-- roles/service-dhcpd/README.md | 2 +- roles/service-dhcpd/tasks/main.yml | 2 +- roles/service-dhcpd/templates/dhcpd.conf.j2 | 2 +- roles/service-fastd-intragate/README.md | 2 +- .../service-fastd-intragate/handlers/main.yml | 2 +- roles/service-fastd-intragate/tasks/main.yml | 26 ++++---- .../templates/fastd-intragate.conf.j2 | 14 ++-- .../templates/fastd-secret.conf.j2 | 2 +- roles/service-fastd-mesh/README.md | 2 +- roles/service-fastd-mesh/handlers/main.yml | 2 +- roles/service-fastd-mesh/tasks/main.yml | 34 +++++----- .../templates/fastd-mesh.conf.j2 | 16 ++--- 
.../templates/fastd-secret.conf.j2 | 2 +- roles/service-radvd/README.md | 11 ++-- roles/service-radvd/templates/radvd.conf.j2 | 36 +++++------ roles/service-rclocal/README.md | 11 ++-- roles/service-rclocal/templates/rc.local.j2 | 64 +++++++++---------- 44 files changed, 263 insertions(+), 272 deletions(-) diff --git a/Readme.md b/Readme.md index e856fc6..6d8973b 100644 --- a/Readme.md +++ b/Readme.md @@ -20,20 +20,19 @@ Die Server werden mit ihren FQDNs im Ansible Inventory hinterlegt, bedenkt das f ## Variablen für jedes Mesh Viele Rollen brauchen spezifische Informationen, wie IP-Adresse, Masken, Interface-Namen, etc. -Wir verwalten diese Mesh-Informationen in einem Dictionary unter `inventory/group_vars/all`: +Wir verwalten diese Mesh-Informationen in einer Liste von Dictionaries unter `inventory/group_vars/all`: ``` meshes: - mz: + - id: mz site_number: 37 site_code: ffmz site_name: Mainz ipv4_network: 10.37.0.0/18 - ipv6: - ula: - - fd37:b4dc:4b1e::/48 - public: - - 2a03:2260:11a::/48 + ipv6_ula: + - fd37:b4dc:4b1e::/48 + ipv6_public: + - 2a03:2260:11a::/48 dnssl: - ffmz.org - user.ffmz.org @@ -53,23 +52,22 @@ meshes: dns: master: fd37:b4dc:4b1e::a25:103 forward_zones: - ffmz.org: - user.ffmz.org: - bb.ffmz.org: - nodes.ffmz.org: - ffbin: + - name: ffmz.org + - name: user.ffmz.org + - name: bb.ffmz.org + - name: nodes.ffmz.org + - name: ffbin master: fd37:b4dc:4b1e::a25:10c - wi: + - id: wi site_number: 56 site_code: ffwi site_name: Wiesbaden ipv4_network: 10.56.0.0/18 - ipv6: - ula: - - fd56:b4dc:4b1e::/48 - public: - - 2a03:2260:11b::/48 + ipv6_ula: + - fd56:b4dc:4b1e::/48 + ipv6_public: + - 2a03:2260:11b::/48 dnssl: - ffwi.org - user.ffwi.org @@ -88,10 +86,10 @@ meshes: dns: master: fd56:b4dc:4b1e::a38:103 forward_zones: - ffwi.org: - user.ffwi.org: - bb.ffwi.org: - nodes.ffwi.org: + - name: ffwi.org + - name: user.ffwi.org + - name: bb.ffwi.org + - name: nodes.ffwi.org ``` ## Sensible Informationen 
diff --git a/inventory/group_vars/all b/inventory/group_vars/all index b6be8e2..3b2d411 100644 --- a/inventory/group_vars/all +++ b/inventory/group_vars/all @@ -17,16 +17,15 @@ bgp_ipv4_transfer_net: 10.37.0.0/18 bgp_ipv6_transfer_net: fd37:b4dc:4b1e::/64 meshes: - mz: + - id: mz site_number: 37 site_code: ffmz site_name: Mainz ipv4_network: 10.37.0.0/18 - ipv6: - ula: - - fd37:b4dc:4b1e::/48 - public: - - 2a03:2260:11a::/48 + ipv6_ula: + - fd37:b4dc:4b1e::/48 + ipv6_public: + - 2a03:2260:11a::/48 dnssl: - ffmz.org - user.ffmz.org @@ -46,23 +45,22 @@ meshes: dns: master: fd37:b4dc:4b1e::a25:103 forward_zones: - ffmz.org: - user.ffmz.org: - bb.ffmz.org: - nodes.ffmz.org: - ffbin: + - name: ffmz.org + - name: user.ffmz.org + - name: bb.ffmz.org + - name: nodes.ffmz.org + - name: ffbin master: fd37:b4dc:4b1e::a25:10c - wi: + - id: wi site_number: 56 site_code: ffwi site_name: Wiesbaden ipv4_network: 10.56.0.0/18 - ipv6: - ula: - - fd56:b4dc:4b1e::/48 - public: - - 2a03:2260:11b::/48 + ipv6_ula: + - fd56:b4dc:4b1e::/48 + ipv6_public: + - 2a03:2260:11b::/48 dnssl: - ffwi.org - user.ffwi.org @@ -82,10 +80,10 @@ meshes: dns: master: fd56:b4dc:4b1e::a38:103 forward_zones: - ffwi.org: - user.ffwi.org: - bb.ffwi.org: - nodes.ffwi.org: + - name: ffwi.org + - name: user.ffwi.org + - name: bb.ffwi.org + - name: nodes.ffwi.org icvpn: prefix: mwu diff --git a/roles/network-batman/README.md b/roles/network-batman/README.md index a47e4e8..c90a6f1 100644 --- a/roles/network-batman/README.md +++ b/roles/network-batman/README.md @@ -12,7 +12,7 @@ Diese Ansible role konfiguriert batman-adv Netzwerk Interfaces. - Dictionary `meshes` ´´´ meshes: - xx: + - id: xx ... ipv4_network: ... diff --git a/roles/network-batman/tasks/main.yml b/roles/network-batman/tasks/main.yml index d4e065e..3a1f901 100644 --- a/roles/network-batman/tasks/main.yml +++ b/roles/network-batman/tasks/main.yml 
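Review bot: Turning `meshes` into a list removes the uniqueness that the old dictionary keys (`mz`, `wi`) gave for free, and nothing in the new inventory or in the `with_items` tasks checks that `id` (or `site_code`, which named.conf.mesh.j2 uses as a file suffix) is unique; two entries sharing an `id` would render the same `/etc/network/interfaces.d/<id>*`, `/etc/fastd/<id>*` and bind files twice, with the later entry silently overwriting the earlier one. A guard at the start of the play makes this a hard error instead, e.g. `- assert: { that: "meshes | map(attribute='id') | list | unique | count == meshes | count" }`, and the same for `site_code`. It would also be worth noting in the Readme that `id` must be unique and is used verbatim as an interface-name prefix.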
@@ -2,13 +2,13 @@ - name: create dummy interfaces template: src: dummy.j2 - dest: "/etc/network/interfaces.d/{{ item.key }}0" + dest: "/etc/network/interfaces.d/{{ item.id }}0" notify: reload network interfaces - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" - name: create batman interfaces template: src: batman.j2 - dest: "/etc/network/interfaces.d/{{ item.key }}BAT" + dest: "/etc/network/interfaces.d/{{ item.id }}BAT" notify: reload network interfaces - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" diff --git a/roles/network-batman/templates/batman.j2 b/roles/network-batman/templates/batman.j2 index b907e87..7639794 100644 --- a/roles/network-batman/templates/batman.j2 +++ b/roles/network-batman/templates/batman.j2 @@ -1,14 +1,14 @@ -{% set ip4hex = item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} +{% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} {% set mac = '0201' + ip4hex -%} # # {{ ansible_managed }} # -auto {{ item.key }}BAT -iface {{ item.key }}BAT +auto {{ item.id }}BAT +iface {{ item.id }}BAT hwaddress {{ mac | hwaddr('linux') }} - batman-ifaces {{ item.key }}0 {{ item.key }}VPN {{ item.key }}igVPN - batman-hop-penalty {{ item.value.batman.hop_penalty }} - post-up /usr/sbin/batctl -m $IFACE it {{ item.value.batman.it }} - post-up /usr/sbin/batctl -m $IFACE gw {{ item.value.batman.gw }} - post-up /usr/sbin/batctl -m $IFACE mm {{ item.value.batman.mm }} - post-up /usr/sbin/batctl -m $IFACE dat {{ item.value.batman.dat }} + batman-ifaces {{ item.id }}0 {{ item.id }}VPN {{ item.id }}igVPN + batman-hop-penalty {{ item.batman.hop_penalty }} + post-up /usr/sbin/batctl -m $IFACE it {{ item.batman.it }} + post-up /usr/sbin/batctl -m $IFACE gw {{ item.batman.gw }} + post-up /usr/sbin/batctl -m $IFACE mm {{ item.batman.mm }} + post-up /usr/sbin/batctl -m $IFACE dat {{ item.batman.dat }} 
diff --git a/roles/network-batman/templates/dummy.j2 b/roles/network-batman/templates/dummy.j2 index 6c6af99..a18a325 100644 --- a/roles/network-batman/templates/dummy.j2 +++ b/roles/network-batman/templates/dummy.j2 @@ -1,9 +1,9 @@ -{% set ip4hex = item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} +{% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} {% set mac = '0200' + ip4hex -%} # # {{ ansible_managed }} # -auto {{ item.key }}0 -iface {{ item.key }}0 +auto {{ item.id }}0 +iface {{ item.id }}0 link-type dummy hwaddress {{ mac | hwaddr('linux') }} diff --git a/roles/network-fastd/README.md b/roles/network-fastd/README.md index 5eac5c6..535178e 100644 --- a/roles/network-fastd/README.md +++ b/roles/network-fastd/README.md @@ -10,7 +10,7 @@ Diese Ansible role konfiguriert Netzwerk Interfaces für fastd. - Dictionary `meshes` ´´´ meshes: - xx: + - id: xx ... ipv4_network: ... diff --git a/roles/network-fastd/tasks/main.yml b/roles/network-fastd/tasks/main.yml index d1b2ab5..2b53d6b 100644 --- a/roles/network-fastd/tasks/main.yml +++ b/roles/network-fastd/tasks/main.yml @@ -2,13 +2,13 @@ - name: create fastd mesh interfaces template: src: fastd-mesh.j2 - dest: "/etc/network/interfaces.d/{{ item.key }}VPN" + dest: "/etc/network/interfaces.d/{{ item.id }}VPN" notify: reload network interfaces - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" - name: create fastd intragate interfaces template: src: fastd-intragate.j2 - dest: "/etc/network/interfaces.d/{{ item.key }}igVPN" + dest: "/etc/network/interfaces.d/{{ item.id }}igVPN" notify: reload network interfaces - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" diff --git a/roles/network-fastd/templates/fastd-intragate.j2 b/roles/network-fastd/templates/fastd-intragate.j2 index 838ddc5..ffb1d63 100644 --- a/roles/network-fastd/templates/fastd-intragate.j2 +++ b/roles/network-fastd/templates/fastd-intragate.j2 
@@ -1,8 +1,8 @@ -{% set ip4hex = item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} +{% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} {% set mac = '0212' + ip4hex -%} # # {{ ansible_managed }} # -auto {{ item.key }}igVPN -iface {{ item.key }}igVPN +auto {{ item.id }}igVPN +iface {{ item.id }}igVPN hwaddress {{ mac | hwaddr('linux') }} diff --git a/roles/network-fastd/templates/fastd-mesh.j2 b/roles/network-fastd/templates/fastd-mesh.j2 index 1a41329..879ceea 100644 --- a/roles/network-fastd/templates/fastd-mesh.j2 +++ b/roles/network-fastd/templates/fastd-mesh.j2 @@ -1,8 +1,8 @@ -{% set ip4hex = item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} +{% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} {% set mac = '0211' + ip4hex -%} # # {{ ansible_managed }} # -auto {{ item.key }}VPN -iface {{ item.key }}VPN +auto {{ item.id }}VPN +iface {{ item.id }}VPN hwaddress {{ mac | hwaddr('linux') }} diff --git a/roles/network-iptables-gateway/README.md b/roles/network-iptables-gateway/README.md index c337694..bd8c854 100644 --- a/roles/network-iptables-gateway/README.md +++ b/roles/network-iptables-gateway/README.md @@ -18,7 +18,7 @@ sysctl_settings_netfilter: - Dictionary `meshes` ´´´ meshes: - xx: + - id: xx ... ipv4_network: ... diff --git a/roles/network-iptables-gateway/templates/rules.v4.j2 b/roles/network-iptables-gateway/templates/rules.v4.j2 index 2fe7db6..6687696 100644 --- a/roles/network-iptables-gateway/templates/rules.v4.j2 +++ b/roles/network-iptables-gateway/templates/rules.v4.j2 
@@ -8,8 +8,8 @@ -A INPUT -d {{ ansible_default_ipv4.address | ipaddr('public') }}/32 -p gre -j ACCEPT -A INPUT -m conntrack --ctstate INVALID -j DROP -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -{% for mesh_id, mesh_value in meshes.iteritems() %} --A FORWARD -i {{ mesh_id }}BR -o {{ mesh_id }}BR -j ACCEPT +{% for mesh in meshes %} +-A FORWARD -i {{ mesh.id }}BR -o {{ mesh.id }}BR -j ACCEPT {% endfor %} -A FORWARD -m conntrack --ctstate INVALID -j DROP -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT @@ -31,8 +31,8 @@ COMMIT :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :ffrl-nat - [0:0] -{% for mesh_id, mesh_value in meshes.iteritems() %} --A POSTROUTING -s {{ mesh_value.ipv4_network | ipaddr('private') | ipaddr('net') }} -o ffrl+ -j ffrl-nat +{% for mesh in meshes %} +-A POSTROUTING -s {{ mesh.ipv4_network | ipaddr('private') | ipaddr('net') }} -o ffrl+ -j ffrl-nat {% endfor %} -A ffrl-nat -o ffrl+ -j SNAT --to-source {{ ffrl_public_ipv4_nat | ipaddr('address') }} COMMIT diff --git a/roles/network-iptables-gateway/templates/rules.v6.j2 b/roles/network-iptables-gateway/templates/rules.v6.j2 index b559d33..fba66f1 100644 --- a/roles/network-iptables-gateway/templates/rules.v6.j2 +++ b/roles/network-iptables-gateway/templates/rules.v6.j2 @@ -7,8 +7,8 @@ :OUTPUT ACCEPT [0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -{% for mesh_id, mesh_value in meshes.iteritems() %} --A FORWARD -i {{ mesh_id }}BR -o {{ mesh_id }}BR -j ACCEPT +{% for mesh in meshes %} +-A FORWARD -i {{ mesh.id }}BR -o {{ mesh.id }}BR -j ACCEPT {% endfor %} -A FORWARD -m conntrack --ctstate INVALID -j DROP -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT diff --git a/roles/network-meshbridge/README.md b/roles/network-meshbridge/README.md index 8b9b4e7..deb0f30 100644 --- a/roles/network-meshbridge/README.md +++ b/roles/network-meshbridge/README.md 
@@ -11,15 +11,14 @@ Diese Ansible role konfiguriert die Linux Bridges für die Freifunk Meshes. - Dictionary `meshes` ´´´ meshes: - xx: + -id: xx ... ipv4_network: ... - ipv6: - ula: - - fdxx.../48 # ipv6 ula prefix - public: - - 2xxx.../48 # ipv6 public prefix + ipv6_ula: + - fdxx.../48 # ipv6 ula prefix + ipv6_public: + - 2xxx.../48 # ipv6 public prefix ´´´ - Host Variable `magic` diff --git a/roles/network-meshbridge/tasks/main.yml b/roles/network-meshbridge/tasks/main.yml index a8717c5..ef4e9e9 100644 --- a/roles/network-meshbridge/tasks/main.yml +++ b/roles/network-meshbridge/tasks/main.yml @@ -2,13 +2,13 @@ - name: create mesh bridges template: src: bridge.j2 - dest: "/etc/network/interfaces.d/{{ item.key }}BR" + dest: "/etc/network/interfaces.d/{{ item.id }}BR" notify: reload network interfaces - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" - name: set sysfs variables template: src: sysfs.j2 - dest: "/etc/sysfs.d/99-{{ item.key }}BR.conf" - with_dict: "{{ meshes }}" + dest: "/etc/sysfs.d/99-{{ item.id }}BR.conf" + with_items: "{{ meshes }}" notify: activate sysfs variables diff --git a/roles/network-meshbridge/templates/bridge.j2 b/roles/network-meshbridge/templates/bridge.j2 index c13057b..dd6efae 100644 --- a/roles/network-meshbridge/templates/bridge.j2 +++ b/roles/network-meshbridge/templates/bridge.j2 
@@ -1,15 +1,16 @@ -{% set ip4hex = item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} +{% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} {% set mac = '0210' + ip4hex -%} # # {{ ansible_managed }} # -auto {{ item.key }}BR -iface {{ item.key }}BR +auto {{ item.id }}BR +iface {{ item.id }}BR hwaddress {{ mac | hwaddr('linux') }} - address {{ item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('ip/prefix') }} -{% for ip_type, ip_list in item.value.ipv6.iteritems() %} -{% for ip in ip_list %} - address {{ ip | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('ip/prefix') }} + address {{ item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('ip/prefix') }} +{% for prefix in item.ipv6_ula %} + address {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('ip/prefix') }} {% endfor %} +{% for prefix in item.ipv6_public %} + address {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('ip/prefix') }} {% endfor %} - bridge-ports {{ item.key }}BAT + bridge-ports {{ item.id }}BAT diff --git a/roles/network-meshbridge/templates/sysfs.j2 b/roles/network-meshbridge/templates/sysfs.j2 index 04bed17..b092e3b 100644 --- a/roles/network-meshbridge/templates/sysfs.j2 +++ b/roles/network-meshbridge/templates/sysfs.j2 @@ -1,4 +1,4 @@ # # {{ ansible_managed }} # -class/net/{{ item.key }}BR/bridge/hash_max = 16384 +class/net/{{ item.id }}BR/bridge/hash_max = 16384 diff --git a/roles/service-bind-slave/README.md b/roles/service-bind-slave/README.md index 5062605..42d4f12 100644 --- a/roles/service-bind-slave/README.md +++ b/roles/service-bind-slave/README.md 
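Review bot: The two new `{% for prefix in item.ipv6_ula %}` and `{% for prefix in item.ipv6_public %}` loops in bridge.j2 have identical bodies; since both variables are now plain lists, one loop over their concatenation, `{% for prefix in item.ipv6_ula + item.ipv6_public %}`, renders the same `address` lines and keeps the ULA/public handling from drifting apart later. The old single loop over `item.value.ipv6.iteritems()` also depended on dictionary iteration order for the order of `address` lines; the new form is deterministic (ULA first, then public), which is an improvement worth a short comment in the template. Separately, the role's README hunk just above writes the new shape as `-id: xx`, missing the space after the dash that every other README in this commit has (`- id: xx`).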
@@ -15,18 +15,17 @@ Die Gateways agieren lediglich als Slave-DNS Server. - Dictionary `meshes` ´´´ meshes: - xx: + - id: xx ... site_code: # string ipv4_network: - ipv6: - ula: - - # ULA-Prefix - - ... + ipv6_ula: + - # ULA-Prefix + - ... dns: master: # IP-Adresse des DNS Masters forward_zones: - $zone: # DNS-Domain + - name: $zone # DNS-Domain master: # optional: IP-Adresse des DNS Masters, wenn die vom übergeordneten abweicht. ´´´ diff --git a/roles/service-bind-slave/tasks/main.yml b/roles/service-bind-slave/tasks/main.yml index c7578ac..c11409b 100644 --- a/roles/service-bind-slave/tasks/main.yml +++ b/roles/service-bind-slave/tasks/main.yml @@ -44,12 +44,12 @@ - name: write named.conf for meshes template: src: named.conf.mesh.j2 - dest: /etc/bind/named.conf.{{ item.value.site_code }} + dest: /etc/bind/named.conf.{{ item.site_code }} owner: root group: bind mode: 0644 notify: restart bind9 - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" - name: write initial icvpn bind config shell: /usr/bin/python3 /home/admin/clones/icvpn-scripts/mkdns -f bind -x mwu -x bingen -s /home/admin/clones/icvpn-meta > /etc/bind/named.conf.icvpn diff --git a/roles/service-bind-slave/templates/named.conf.j2 b/roles/service-bind-slave/templates/named.conf.j2 index 04a4465..e7d3814 100644 --- a/roles/service-bind-slave/templates/named.conf.j2 +++ b/roles/service-bind-slave/templates/named.conf.j2 @@ -5,7 +5,7 @@ include "/etc/bind/named.conf.options"; include "/etc/bind/named.conf.default-zones"; include "/etc/bind/named.conf.logging"; -{% for mesh_id, mesh_value in meshes.iteritems() %} -include "/etc/bind/named.conf.{{ mesh_value.site_code }}"; +{% for mesh in meshes %} +include "/etc/bind/named.conf.{{ mesh.site_code }}"; {% endfor %} include "/etc/bind/named.conf.icvpn"; diff --git a/roles/service-bind-slave/templates/named.conf.mesh.j2 b/roles/service-bind-slave/templates/named.conf.mesh.j2 index 2daf882..3a9a77a 100644 
--- a/roles/service-bind-slave/templates/named.conf.mesh.j2 +++ b/roles/service-bind-slave/templates/named.conf.mesh.j2 @@ -3,35 +3,35 @@ // // ACLs -masters "ns-master-{{ item.value.site_code }}" { - {{ item.value.dns.master }}; +masters "ns-master-{{ item.site_code }}" { + {{ item.dns.master }}; }; -{% for zone_id, zone_value in item.value.dns.forward_zones.iteritems() %} -{% if zone_value.master is defined %} -masters "ns-master-{{ zone_id }}" { - {{ zone_value.master }}; +{% for zone in item.dns.forward_zones %} +{% if zone.master is defined %} +masters "ns-master-{{ zone.name }}" { + {{ zone.master }}; }; {% endif %} {% endfor %} -acl "intern-{{ item.value.site_code }}" { - {{ item.value.ipv4_network | ipaddr('net') | ipaddr('network/prefix') }}; -{% for prefix in item.value.ipv6.ula %} +acl "intern-{{ item.site_code }}" { + {{ item.ipv4_network | ipaddr('net') | ipaddr('network/prefix') }}; +{% for prefix in item.ipv6_ula %} {{ prefix | ipaddr('net') | ipaddr('network/prefix') }}; {% endfor %} }; -// DNS forward zones for {{ item.value.site_code }} -{% for zone_id, zone_value in item.value.dns.forward_zones.iteritems() %} -zone "{{ zone_id }}." { +// DNS forward zones for {{ item.site_code }} +{% for zone in item.dns.forward_zones %} +zone "{{ zone.name }}." { type slave; - file "{{ zone_id }}.db"; -{% if zone_value.master is defined %} - masters { ns-master-{{ zone_id }}; }; + file "{{ zone.name }}.db"; +{% if zone.master is defined %} + masters { ns-master-{{ zone.name }}; }; {% else %} - masters { ns-master-{{ item.value.site_code }}; }; + masters { ns-master-{{ item.site_code }}; }; {% endif %} }; {% if not loop.last %} 
@@ -39,18 +39,18 @@ zone "{{ zone_id }}." { {% endif %} {% endfor %} -// DNS reverse zones for {{ item.value.site_code }} -zone "{{ item.value.ipv4_network | ipaddr('net') | ipaddr('revdns') }}" { +// DNS reverse zones for {{ item.site_code }} +zone "{{ item.ipv4_network | ipaddr('net') | ipaddr('revdns') }}" { type slave; - file "{{ item.value.ipv4_network | ipaddr('net') | ipaddr('revdns') }}"; - masters { ns-master-{{ item.value.site_code }}; }; + file "{{ item.ipv4_network | ipaddr('net') | ipaddr('revdns') }}"; + masters { ns-master-{{ item.site_code }}; }; }; -{% for prefix in item.value.ipv6.ula %} +{% for prefix in item.ipv6_ula %} zone "{{ prefix | ipaddr('net') | ipaddr('revdns') }}" { type slave; file "{{ prefix | ipaddr('net') | ipaddr('revdns') }}"; - masters { ns-master-{{ item.value.site_code }}; }; + masters { ns-master-{{ item.site_code }}; }; }; {% if not loop.last %} diff --git a/roles/service-bind-slave/templates/named.conf.options.j2 b/roles/service-bind-slave/templates/named.conf.options.j2 index 1fec575..38edce5 100644 --- a/roles/service-bind-slave/templates/named.conf.options.j2 +++ b/roles/service-bind-slave/templates/named.conf.options.j2 
@@ -11,25 +11,25 @@ options { allow-recursion { 127.0.0.1; ::1; -{% for mesh_id, mesh_value in meshes.iteritems() %} - intern-{{ mesh_value.site_code }}; +{% for mesh in meshes %} + intern-{{ mesh.site_code }}; {% endfor %} }; allow-transfer { any; }; listen-on { 127.0.0.1; -{% for mesh_id, mesh_value in meshes.iteritems() %} - {{ mesh_value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') }}; +{% for mesh in meshes %} + {{ mesh.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') }}; {% endfor %} {{ icvpn_ipv4_transfer_net | ipaddr('net') | ipsubnet(24, 37) | ipaddr(magic) | ipaddr('address') }}; }; listen-on-v6 { ::1; -{% for mesh_id, mesh_value in meshes.iteritems() %} -{% for ip in mesh_value.ipv6.ula %} - {{ ip | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) }}; +{% for mesh in meshes %} +{% for ip in mesh.ipv6_ula %} + {{ ip | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('address') }}; {% endfor %} {% endfor %} {{ icvpn_ipv6_transfer_net | ipaddr('net') | ipsubnet(112, 37) | ipaddr(magic) | ipaddr('address') }}; diff --git a/roles/service-bird-ffrl/README.md b/roles/service-bird-ffrl/README.md index 63cd910..78f98b3 100644 --- a/roles/service-bird-ffrl/README.md +++ b/roles/service-bird-ffrl/README.md @@ -11,11 +11,10 @@ Diese Ansible role ergänzt die benötigte bird + bird6 Konfiguration für den I - Dictionary `meshes` ``` meshes: - xx: + - id: xx ... - ipv6: - public: - - # Public IPv6-Netzwerk + ipv6_public: + - # Public IPv6-Netzwerk ``` - Host Dictionary `ffrl_exit_server` ´´´ diff --git a/roles/service-bird-ffrl/templates/ffrl_ipv6.conf.j2 b/roles/service-bird-ffrl/templates/ffrl_ipv6.conf.j2 index 42feffc..57ed1d4 100644 --- a/roles/service-bird-ffrl/templates/ffrl_ipv6.conf.j2 +++ b/roles/service-bird-ffrl/templates/ffrl_ipv6.conf.j2 
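Review bot: The `listen-on-v6` line in named.conf.options.j2 gains a trailing `| ipaddr('address')` in addition to the `mesh.ipv6_ula` rename, so its rendered output changes from `addr/prefix` to a bare address; that appears to be a genuine fix (bind's `listen-on-v6` takes addresses, not prefixes, and the IPv4 `listen-on` loop already ends in `ipaddr('address')`), but it is a behaviour change the commit message does not mention. It should either be called out in the message or split into its own commit so the history explains why `named.conf.options` changed on every host. The enclosing `options {` block starts before and ends after this hunk.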
@@ -11,8 +11,8 @@ table ffrl; # Functions function is_ffrl_public_nets() { return net ~ [ -{% for mesh_id, mesh_value in meshes.iteritems() %} -{% for prefix in mesh_value.ipv6.public %} +{% for mesh in meshes %} +{% for prefix in mesh.ipv6_public %} {{ prefix }}{48,56}{{ "," if not loop.last else "" }}{% endfor %}{{ "," if not loop.last else "" }} {% endfor %} ]; @@ -40,8 +40,8 @@ filter ebgp_ffrl_export_filter { # Protocols protocol static ffrl_public_routes { table ffrl; -{% for mesh_id, mesh_value in meshes.iteritems() %} -{% for prefix in mesh_value.ipv6.public %} +{% for mesh in meshes %} +{% for prefix in mesh.ipv6_public %} route {{ prefix }} reject; route {{ prefix | ipaddr('net') | ipsubnet(56, magic) | ipaddr('network/prefix') }} reject; {% endfor %} diff --git a/roles/service-bird/README.md b/roles/service-bird/README.md index 249e4c2..22995c5 100644 --- a/roles/service-bird/README.md +++ b/roles/service-bird/README.md @@ -26,11 +26,10 @@ Im iBGP peeren wir mangels separatem Transfernetz (im Moment) im Mainzer Mesh Ne - Dictionary `meshes` ´´´ meshes: - xx: + - id: xx ... ipv4_network: - ipv6: - ula: - - # IPv6-ULA Network + ipv6_ula: + - # IPv6-ULA Network ´´´ - Host Variable `magic` diff --git a/roles/service-bird/templates/bird.conf.j2 b/roles/service-bird/templates/bird.conf.j2 index 304080a..9f1faf6 100644 --- a/roles/service-bird/templates/bird.conf.j2 +++ b/roles/service-bird/templates/bird.conf.j2 @@ -38,8 +38,8 @@ function is_chaosvpn() { function is_mwu_self_nets() { return net ~ [ -{% for item, value in meshes.iteritems() %} - {{ value.ipv4_network | ipaddr('net') }}+{{ "," if not loop.last else "" }} +{% for mesh in meshes %} + {{ mesh.ipv4_network | ipaddr('net') }}+{{ "," if not loop.last else "" }} {% endfor %} ]; } 
@@ -50,8 +50,8 @@ protocol device { }; protocol direct mwu_subnets { -{% for item, value in meshes.iteritems() %} - interface "{{ item }}BR"; +{% for mesh in meshes %} + interface "{{ mesh.id }}BR"; {% endfor %} import where is_mwu_self_nets(); }; diff --git a/roles/service-bird/templates/bird6.conf.j2 b/roles/service-bird/templates/bird6.conf.j2 index baebabb..d5988eb 100644 --- a/roles/service-bird/templates/bird6.conf.j2 +++ b/roles/service-bird/templates/bird6.conf.j2 @@ -26,8 +26,8 @@ function is_ula() { function is_mwu_self_nets() { return net ~ [ -{% for item, value in meshes.iteritems() %} -{% for ula in value.ipv6.ula %} +{% for mesh in meshes %} +{% for ula in mesh.ipv6_ula %} {{ ula | ipaddr('net') }}+{{ "," if not loop.last else "" }}{% endfor %}{{ "," if not loop.last else "" }} {% endfor %} ]; @@ -39,8 +39,8 @@ protocol device { }; protocol direct mwu_subnets { -{% for item, value in meshes.iteritems() %} - interface "{{ item }}BR"; +{% for mesh in meshes %} + interface "{{ mesh.id }}BR"; {% endfor %} import where is_mwu_self_nets(); }; diff --git a/roles/service-dhcpd/README.md b/roles/service-dhcpd/README.md index d6e4cf9..45d5742 100644 --- a/roles/service-dhcpd/README.md +++ b/roles/service-dhcpd/README.md @@ -12,7 +12,7 @@ Wir nutzen diesen nur zur Verteilung von IPv4-Adressen. - Dictionary `meshes` ´´´ meshes: - xx: + - id: xx ... site_name: # string site_code: # string diff --git a/roles/service-dhcpd/tasks/main.yml b/roles/service-dhcpd/tasks/main.yml index 35a4d07..9c463da 100644 --- a/roles/service-dhcpd/tasks/main.yml +++ b/roles/service-dhcpd/tasks/main.yml @@ -12,7 +12,7 @@ - name: concatenate meshbridge interfaces set_fact: - dhcp_interfaces: "{% for mesh_id, mesh_value in meshes.iteritems() %}{{ mesh_id }}BR{% if not loop.last %} {% endif %}{% endfor %}" + dhcp_interfaces: "{% for mesh in meshes %}{{ mesh.id }}BR{% if not loop.last %} {% endif %}{% endfor %}" - name: set ipv4 interfaces isc dhcp should listen on lineinfile: 
diff --git a/roles/service-dhcpd/templates/dhcpd.conf.j2 b/roles/service-dhcpd/templates/dhcpd.conf.j2 index 7b21f82..80a7c76 100644 --- a/roles/service-dhcpd/templates/dhcpd.conf.j2 +++ b/roles/service-dhcpd/templates/dhcpd.conf.j2 @@ -12,7 +12,7 @@ default-lease-time 300; min-lease-time 300; max-lease-time 300; -{% for mesh in meshes.values() %} +{% for mesh in meshes %} # DHCP subnet for site {{ mesh.site_name }} ({{ mesh.site_code }}) subnet {{ mesh.ipv4_network | ipaddr('network') }} netmask {{ mesh.ipv4_network | ipaddr('netmask') }} { range {{ mesh.ipv4_network | ipsubnet(22, ipv4_dhcp_range) | ipaddr('net') | ipaddr('network') }} {{ mesh.ipv4_network | ipsubnet(22, ipv4_dhcp_range) | ipaddr('net') | ipaddr('broadcast') }}; diff --git a/roles/service-fastd-intragate/README.md b/roles/service-fastd-intragate/README.md index 640e05f..186f744 100644 --- a/roles/service-fastd-intragate/README.md +++ b/roles/service-fastd-intragate/README.md @@ -15,7 +15,7 @@ Diese Ansible role konfiguriert die fastd-Instanz für die Intra-Server Kommunik - Dictionary `meshes` ´´´ meshes: - xx: + - id: xx ... site_number: # integer peers_mesh_repo: # String - https Link zum Github Repository diff --git a/roles/service-fastd-intragate/handlers/main.yml b/roles/service-fastd-intragate/handlers/main.yml index 4f95a98..f8e9ab6 100644 --- a/roles/service-fastd-intragate/handlers/main.yml +++ b/roles/service-fastd-intragate/handlers/main.yml @@ -1,6 +1,6 @@ --- - name: restart fastd intragate instances systemd: - name: "fastd@{{ item.key }}igVPN" + name: "fastd@{{ item.id }}igVPN" state: restarted with_dict: "{{ meshes }}" diff --git a/roles/service-fastd-intragate/tasks/main.yml b/roles/service-fastd-intragate/tasks/main.yml index b311fa3..0d69173 100644 --- a/roles/service-fastd-intragate/tasks/main.yml +++ b/roles/service-fastd-intragate/tasks/main.yml 
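Review bot: In roles/service-fastd-intragate/handlers/main.yml the loop variable is updated to `item.id` but the iteration is left as `with_dict: "{{ meshes }}"`, while `meshes` is now a list; Ansible's `with_dict` rejects a list ("with_dict expects a dict"), so the first `notify: restart fastd intragate instances` would fail the play after the fastd config and secret files have already been written, leaving the running instances on the old configuration. The same mismatch is in roles/service-fastd-mesh/handlers/main.yml further down. Both handlers should use `with_items: "{{ meshes }}"` like every task in this commit that was converted.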
@@ -1,45 +1,45 @@ --- - name: configure systemd unit fastd@ systemd: - name: "fastd@{{ item.key }}igVPN" + name: "fastd@{{ item.id }}igVPN" enabled: yes - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" - name: create fastd intragate directories file: - path: "/etc/fastd/{{ item.key }}igVPN" + path: "/etc/fastd/{{ item.id }}igVPN" state: directory mode: 0755 - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" - name: create fastd peer intragate directories file: - path: "/etc/fastd/{{ item.key }}igVPN/peers" + path: "/etc/fastd/{{ item.id }}igVPN/peers" state: directory mode: 0755 owner: admin group: admin - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" - name: clone fastd peer intragate repos git: - repo: "{{ item.value.peers_intragate_repo }}" - dest: "/etc/fastd/{{ item.key }}igVPN/peers" + repo: "{{ item.peers_intragate_repo }}" + dest: "/etc/fastd/{{ item.id }}igVPN/peers" version: master update: no - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" become: false - name: template fastd mesh config template: src: fastd-intragate.conf.j2 - dest: "/etc/fastd/{{ item.key }}igVPN/fastd.conf" + dest: "/etc/fastd/{{ item.id }}igVPN/fastd.conf" notify: restart fastd intragate instances - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" - name: write fastd intragate secret template: src: fastd-secret.conf.j2 - dest: "/etc/fastd/{{ item.key }}igVPN/secret.conf" + dest: "/etc/fastd/{{ item.id }}igVPN/secret.conf" notify: restart fastd intragate instances - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" diff --git a/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 b/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 index db1c807..628d5f9 100644 --- a/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 +++ b/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 
@@ -1,4 +1,4 @@ -{% set ip4hex = item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} +{% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} {% set mac = '0212' + ip4hex -%} # # {{ ansible_managed }} @@ -9,10 +9,10 @@ hide mac addresses yes; method "aes128-ctr+umac"; -interface "{{ item.key }}igVPN"; +interface "{{ item.id }}igVPN"; -bind {{ ansible_default_ipv4.address | ipaddr('public') }}:101{{ item.value.site_number }}; -bind {{ ansible_default_ipv6.address | ipaddr('public') | ipwrap }}:101{{ item.value.site_number }}; +bind {{ ansible_default_ipv4.address | ipaddr('public') }}:101{{ item.site_number }}; +bind {{ ansible_default_ipv6.address | ipaddr('public') | ipwrap }}:101{{ item.site_number }}; include "secret.conf"; mtu 1406; @@ -27,11 +27,11 @@ on up " ip link set address {{ mac | hwaddr('linux') }} dev $INTERFACE ip link set $INTERFACE up - batctl -m {{ item.key }}BAT if add $INTERFACE + batctl -m {{ item.id }}BAT if add $INTERFACE "; on down " - batctl -m {{ item.key }}BAT if del $INTERFACE + batctl -m {{ item.id }}BAT if del $INTERFACE "; -status socket "/var/run/fastd-{{ item.key }}igVPN.status"; +status socket "/var/run/fastd-{{ item.id }}igVPN.status"; diff --git a/roles/service-fastd-intragate/templates/fastd-secret.conf.j2 b/roles/service-fastd-intragate/templates/fastd-secret.conf.j2 index a55490b..e6a1a48 100644 --- a/roles/service-fastd-intragate/templates/fastd-secret.conf.j2 +++ b/roles/service-fastd-intragate/templates/fastd-secret.conf.j2 @@ -1,4 +1,4 @@ -{% set local_interface = item.key + 'igVPN' -%} +{% set local_interface = item.id + 'igVPN' -%} # # {{ ansible_managed }} # diff --git a/roles/service-fastd-mesh/README.md b/roles/service-fastd-mesh/README.md index 5a116cc..c091d51 100644 --- a/roles/service-fastd-mesh/README.md +++ b/roles/service-fastd-mesh/README.md 
@@ -16,7 +16,7 @@ Diese Ansible role konfiguriert die fastd-Instanz für die Knoten Kommunikation. - Dictionary `meshes` ´´´ meshes: - xx: + - id: xx ... site_number: # integer peers_mesh_repo: # String - https Link zum Github Repository diff --git a/roles/service-fastd-mesh/handlers/main.yml b/roles/service-fastd-mesh/handlers/main.yml index 567648e..05e2a52 100644 --- a/roles/service-fastd-mesh/handlers/main.yml +++ b/roles/service-fastd-mesh/handlers/main.yml @@ -1,6 +1,6 @@ --- - name: restart fastd mesh instances systemd: - name: "fastd@{{ item.key }}VPN" + name: "fastd@{{ item.id }}VPN" state: restarted with_dict: "{{ meshes }}" diff --git a/roles/service-fastd-mesh/tasks/main.yml b/roles/service-fastd-mesh/tasks/main.yml index a7d376d..688a7bc 100644 --- a/roles/service-fastd-mesh/tasks/main.yml +++ b/roles/service-fastd-mesh/tasks/main.yml @@ -1,25 +1,25 @@ --- - name: configure systemd unit fastd@ systemd: - name: "fastd@{{ item.key }}VPN" + name: "fastd@{{ item.id }}VPN" enabled: yes - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" - name: create fastd directories file: - path: "/etc/fastd/{{ item.key }}VPN" + path: "/etc/fastd/{{ item.id }}VPN" state: directory mode: 0755 - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" - name: create fastd peer mesh directories file: - path: "/etc/fastd/{{ item.key }}VPN/peers" + path: "/etc/fastd/{{ item.id }}VPN/peers" state: directory mode: 0755 owner: admin group: admin - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" - name: create fastd peer mesh directories for ffbin file: @@ -31,11 +31,11 @@ - name: clone fastd peer mesh repos git: - repo: "{{ item.value.peers_mesh_repo }}" - dest: "/etc/fastd/{{ item.key }}VPN/peers" + repo: "{{ item.peers_mesh_repo }}" + dest: "/etc/fastd/{{ item.id }}VPN/peers" version: master update: no - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" become: false - name: clone fastd peer mesh repo for ffbin 
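Review bot: The `restart fastd mesh instances` handler in the roles/service-fastd-mesh/handlers/main.yml hunk switches to `item.id` but keeps `with_dict: "{{ meshes }}"`, while the tasks in the two following hunks now iterate the same variable with `with_items`; once `meshes` is a list, `with_dict` errors out when the handler runs, so every notified restart fails and the newly templated configs are written but never picked up. Change the loop to `with_items: "{{ meshes }}"` to match the tasks. If the intragate handler still loops with `with_dict`, it needs the same change.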
@@ -49,36 +49,36 @@ - name: template fastd mesh config template: src: fastd-mesh.conf.j2 - dest: "/etc/fastd/{{ item.key }}VPN/fastd.conf" + dest: "/etc/fastd/{{ item.id }}VPN/fastd.conf" notify: restart fastd mesh instances - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" - name: write fastd mesh secret template: src: fastd-secret.conf.j2 - dest: "/etc/fastd/{{ item.key }}VPN/secret.conf" + dest: "/etc/fastd/{{ item.id }}VPN/secret.conf" notify: restart fastd mesh instances - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" - name: copy peer_limit.conf if not exist copy: src: peer_limit.conf - dest: "/etc/fastd/{{ item.key }}VPN/peer_limit.conf" + dest: "/etc/fastd/{{ item.id }}VPN/peer_limit.conf" owner: admin group: admin mode: 0640 force: no notify: restart fastd mesh instances - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" - name: set file attributes for peer_limit.conf file: - path: "/etc/fastd/{{ item.key }}VPN/peer_limit.conf" + path: "/etc/fastd/{{ item.id }}VPN/peer_limit.conf" mode: 0640 owner: admin group: admin notify: restart fastd mesh instances - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" - name: write systemd unit fastd-sync-meshkeys.service template: diff --git a/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 b/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 index f63b0a6..c800e47 100644 --- a/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 +++ b/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 @@ -1,4 +1,4 @@ -{% set ip4hex = item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} +{% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} {% set mac = '0211' + ip4hex -%} # # {{ ansible_managed }} 
@@ -9,10 +9,10 @@ hide mac addresses yes;
method "salsa2012+umac";
-interface "{{ item.key }}VPN";
+interface "{{ item.id }}VPN";
-bind {{ ansible_default_ipv4.address | ipaddr('public') }}:100{{ item.value.site_number }};
-bind {{ ansible_default_ipv6.address | ipaddr('public') | ipwrap }}:100{{ item.value.site_number }};
+bind {{ ansible_default_ipv4.address | ipaddr('public') }}:100{{ item.site_number }};
+bind {{ ansible_default_ipv6.address | ipaddr('public') | ipwrap }}:100{{ item.site_number }};
include "secret.conf";
mtu 1406;
@@ -20,7 +20,7 @@ mtu 1406;
peer group "vpn_nodes" {
include "peer_limit.conf";
include peers from "peers";
-{% if item.key == "mz" %}
+{% if item.id == "mz" %}
include peers from "peers_bingen";
{% endif %}
}
@@ -34,11 +34,11 @@ on up "
ip link set address {{ mac | hwaddr('linux') }} dev $INTERFACE
ip link set $INTERFACE up
- batctl -m {{ item.key }}BAT if add $INTERFACE
+ batctl -m {{ item.id }}BAT if add $INTERFACE
";
on down "
- batctl -m {{ item.key }}BAT if del $INTERFACE
+ batctl -m {{ item.id }}BAT if del $INTERFACE
";
-status socket "/var/run/fastd-{{ item.key }}VPN.status";
+status socket "/var/run/fastd-{{ item.id }}VPN.status";
diff --git a/roles/service-fastd-mesh/templates/fastd-secret.conf.j2 b/roles/service-fastd-mesh/templates/fastd-secret.conf.j2
index 87a4945..958df93 100644
--- a/roles/service-fastd-mesh/templates/fastd-secret.conf.j2
+++ b/roles/service-fastd-mesh/templates/fastd-secret.conf.j2
@@ -1,4 +1,4 @@
-{% set local_interface = item.key + 'VPN' -%}
+{% set local_interface = item.id + 'VPN' -%}
#
# {{ ansible_managed }}
#
diff --git a/roles/service-radvd/README.md b/roles/service-radvd/README.md
index 408d83f..be02ed7 100644
--- a/roles/service-radvd/README.md
+++ b/roles/service-radvd/README.md
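Review bot: `{% if item.id == "mz" %}` in the `@@ -20,7 +20,7 @@` hunk of fastd-mesh.conf.j2 hard-codes one mesh id into a template that now renders from a generic `meshes` list; that special case is inventory knowledge and belongs on the mesh record, and renaming that mesh would silently drop the `peers_bingen` include. Express it as data instead, e.g. a per-mesh list (constructed name) `extra_peer_dirs: ["peers_bingen"]` rendered inside the peer group with `{% for dir in item.extra_peer_dirs | default([]) %}include peers from "{{ dir }}";{% endfor %}`. That keeps the template free of site-specific branches now that the rest of the commit has made the per-mesh data explicit.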
@@ -11,13 +11,12 @@ Diese Ansible role installiert und konfiguriert den radvd daemon. - Dictionary `meshes` ´´´ meshes: - xx: + - id: xx ... - ipv6: - ula: - - # ULA-Prefix - String - public: - - # Public-Prefix - String + ipv6_ula: + - # ULA-Prefix - String + ipv6_public: + - # Public-Prefix - String iface_mtu: # Integer ´´´ - Host Variable `magic` diff --git a/roles/service-radvd/templates/radvd.conf.j2 b/roles/service-radvd/templates/radvd.conf.j2 index c63e016..afd13cf 100644 --- a/roles/service-radvd/templates/radvd.conf.j2 +++ b/roles/service-radvd/templates/radvd.conf.j2 
@@ -2,37 +2,37 @@ # # {{ ansible_managed }} # -{% for mesh_id, mesh_value in meshes.iteritems() %} -interface {{ mesh_id }}BR +{% for mesh in meshes %} +interface {{ mesh.id }}BR { AdvSendAdvert on; IgnoreIfMissing on; - MaxRtrAdvInterval {{ mesh_value.radvd.maxrtradvinterval }}; - AdvLinkMTU {{ mesh_value.iface_mtu }}; + MaxRtrAdvInterval {{ mesh.radvd.maxrtradvinterval }}; + AdvLinkMTU {{ mesh.iface_mtu }}; -{% for ip_type, ip_list in mesh_value.ipv6.iteritems() %} -{% for prefix in ip_list %} -{% if ip_type == "ula" %} - RDNSS {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('address') }} + RDNSS {% for prefix in mesh.ipv6_ula %}{{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('address') }} +{% endfor %} { FlushRDNSS off; }; + +{% for prefix in mesh.ipv6_ula %} + prefix {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} + { + AdvValidLifetime {{ mesh.radvd.advvalidlifetime }}; + AdvPreferredLifetime {{ mesh.radvd.advpreferredlifetime }}; + }; +{% if not loop.last %} + {% endif %} {% endfor %} -{% endfor %} -{% for ip_type, ip_list in mesh_value.ipv6.iteritems() %} -{% for prefix in ip_list %} -{% if ip_type == "public" %} +{% for prefix in mesh.ipv6_public %} prefix {{ prefix | ipaddr('net') | ipsubnet(56, magic) | ipsubnet(64, 0) | ipaddr('subnet') }} -{% else %} - prefix {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} -{% endif %} { - AdvValidLifetime {{ mesh_value.radvd.advvalidlifetime }}; - AdvPreferredLifetime {{ mesh_value.radvd.advpreferredlifetime }}; + AdvValidLifetime {{ mesh.radvd.advvalidlifetime }}; + AdvPreferredLifetime {{ mesh.radvd.advpreferredlifetime }}; }; -{% endfor %} {% if not loop.last %} {% endif %} diff --git a/roles/service-rclocal/README.md b/roles/service-rclocal/README.md index 5725ae6..74a820a 100644 --- a/roles/service-rclocal/README.md +++ b/roles/service-rclocal/README.md 
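Review bot: The rebuilt `RDNSS` block in the radvd.conf.j2 hunk is emitted unconditionally, so a mesh whose `ipv6_ula` list is empty renders `RDNSS` followed directly by `{ FlushRDNSS off; };`; radvd's config grammar requires at least one address after `RDNSS`, so that is a parse error that stops the daemon for every mesh interface, not just the one with no ULA prefix. Wrap the block in `{% if mesh.ipv6_ula %}` … `{% endif %}` so meshes without a ULA prefix simply advertise no resolver. Separately, the line break after `{{ prefix | ... }}` sits inside the for loop, so with several ULA prefixes the addresses land on separate lines; radvd tolerates that, but `RDNSS {% for prefix in mesh.ipv6_ula %}{{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('address') }} {% endfor %}` on one line keeps the rendered file readable. Whether an empty `ipv6_ula` list occurs in the inventory cannot be told from this hunk.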
@@ -10,15 +10,14 @@ All dieses sollte in Zukunft durch systemd units abgelöst werden. - Dictionary `meshes` ´´´ meshes: - xx: + - id: xx ... site_name: # string ipv4_network: - ipv6: - ula: - - # string - public: - - # string + ipv6_ula: + - # string + ipv6_public: + - # string iface_mtu: # integer ´´´ - Host Variable `magic` diff --git a/roles/service-rclocal/templates/rc.local.j2 b/roles/service-rclocal/templates/rc.local.j2 index 5bd9448..9acc716 100644 --- a/roles/service-rclocal/templates/rc.local.j2 +++ b/roles/service-rclocal/templates/rc.local.j2 
@@ -18,59 +18,59 @@
#
# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
-{% for mesh_id, mesh_value in meshes.iteritems() %}
-ip -4 rule add from {{ mesh_value.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
-ip -4 rule add to {{ mesh_value.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
-ip -4 rule add from all oif {{ mesh_id }}BR lookup mwu priority 7
-{% for ula in mesh_value.ipv6.ula %}
+{% for mesh in meshes %}
+ip -4 rule add from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
+ip -4 rule add to {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
+ip -4 rule add from all oif {{ mesh.id }}BR lookup mwu priority 7
+{% for ula in mesh.ipv6_ula %}
ip -6 rule add from {{ ula }} lookup mwu priority 7
ip -6 rule add to {{ ula }} lookup mwu priority 7
{% endfor %}
-{% for public in mesh_value.ipv6.public %}
+{% for public in mesh.ipv6_public %}
ip -6 rule add from {{ public }} lookup mwu priority 7
ip -6 rule add to {{ public }} lookup mwu priority 7
{% endfor %}
-ip -6 rule add from all oif {{ mesh_id }}BR lookup mwu priority 7
+ip -6 rule add from all oif {{ mesh.id }}BR lookup mwu priority 7
{% endfor %}
# Priority 23 - lookup rt_table icvpn for all incoming traffic of freifunk bridges
-{% for mesh_id, mesh_value in meshes.iteritems() %}
-ip -4 rule add from {{ mesh_value.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23
-ip -4 rule add to {{ mesh_value.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23
-ip -4 rule add from all oif {{ mesh_id }}BR lookup icvpn priority 23
-{% for ula in mesh_value.ipv6.ula %}
+{% for mesh in meshes %}
+ip -4 rule add from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23
+ip -4 rule add to {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23
+ip -4 rule add from all oif {{ mesh.id }}BR lookup icvpn priority 23
+{% for ula in mesh.ipv6_ula %}
ip -6 rule add from {{ ula }} lookup icvpn priority 23
ip -6 rule add to {{ ula }} lookup icvpn priority 23
{% endfor %}
-{% for public in mesh_value.ipv6.public %}
+{% for public in mesh.ipv6_public %}
ip -6 rule add from {{ public }} lookup icvpn priority 23
ip -6 rule add to {{ public }} lookup icvpn priority 23
{% endfor %}
-ip -6 rule add from all oif {{ mesh_id }}BR lookup icvpn priority 23
+ip -6 rule add from all oif {{ mesh.id }}BR lookup icvpn priority 23
{% endfor %}
ip -4 rule add from all oif icVPN lookup icvpn priority 23
ip -6 rule add from all oif icVPN lookup icvpn priority 23
# Priority 41 - lookup rt_table internet for all incoming traffic of freifunk bridges
-{% for mesh_id, mesh_value in meshes.iteritems() %}
-ip -4 rule add from {{ mesh_value.ipv4_network | ipaddr('network') }}/16 lookup internet priority 41
-{% for ula in mesh_value.ipv6.ula %}
+{% for mesh in meshes %}
+ip -4 rule add from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup internet priority 41
+{% for ula in mesh.ipv6_ula %}
ip -6 rule add from {{ ula }} lookup internet priority 41
ip -6 rule add to {{ ula }} lookup internet priority 41
{% endfor %}
-{% for public in mesh_value.ipv6.public %}
+{% for public in mesh.ipv6_public %}
ip -6 rule add from {{ public }} lookup internet priority 41
ip -6 rule add to {{ public }} lookup internet priority 41
{% endfor %}
-ip -6 rule add from all oif {{ mesh_id }}BR lookup internet priority 41
+ip -6 rule add from all oif {{ mesh.id }}BR lookup internet priority 41
{% endfor %}
ip -4 rule add from {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41
ip -4 rule add to {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41
# Priority 61 - at this point this is the end of policy routing for freifunk related routes
-{% for mesh_id, mesh_value in meshes.iteritems() %}
-ip -4 rule add from all iif {{ mesh_id }}BR type unreachable priority 61
-ip -6 rule add from all iif {{ mesh_id }}BR type unreachable priority 61
+{% for mesh in meshes %}
+ip -4 rule add from all iif {{ mesh.id }}BR type unreachable priority 61
+ip -6 rule add from all iif {{ mesh.id }}BR type unreachable priority 61
{% endfor %}
ip -4 rule add from all iif icVPN type unreachable priority 61
ip -4 rule add from all iif {{ ansible_default_ipv4.interface }} type unreachable priority 61
@@ -80,8 +80,8 @@ ip -6 rule add from all iif {{ server_id }} type unreachable priority 61
{% endfor %}
ip -6 rule add from all iif icVPN type unreachable priority 61
ip -6 rule add from all iif {{ ansible_default_ipv6.interface }} type unreachable priority 61
-{% for mesh_id, mesh_value in meshes.iteritems() %}
-{% for public in mesh_value.ipv6.public %}
+{% for mesh in meshes %}
+{% for public in mesh.ipv6_public %}
ip -6 rule add from {{ public }} type unreachable priority 61
ip -6 rule add to {{ public }} type unreachable priority 61
{% endfor %}
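Review bot: The `ip -4 rule add from/to {{ mesh.ipv4_network | ipaddr('network') }}/16` lines in the `@@ -18,59 +18,59 @@` hunk (priority 7, 23 and 41 blocks) discard the prefix length of `ipv4_network` and append a fixed `/16`, while the `@@ -98,15 +98,15 @@` hunk below routes `{{ mesh.ipv4_network }}` as given, so the template already relies on the value carrying its own prefix. If any mesh is narrower than a /16, these policy rules match source and destination addresses outside the mesh and steer unrelated traffic into the `mwu`, `icvpn` and `internet` tables; whether every mesh is exactly a /16 cannot be told from the diff. `ipaddr('net')`, which the radvd template already uses, keeps the rule exactly as wide as the configured network and drops the magic constant, e.g. `ip -4 rule add from {{ mesh.ipv4_network | ipaddr('net') }} lookup mwu priority 7`. The surrounding rc.local script continues on both sides of this hunk.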
@@ -98,15 +98,15 @@ ip -6 rule add from all lookup icvpn priority 107
# IP routes
#
-{% for mesh_id, mesh_value in meshes.iteritems() %}
-# static {{ mesh_value.site_name }} routes for rt_table mwu
-/sbin/ip -4 route add {{ mesh_value.ipv4_network }} proto static dev {{ mesh_id }}BR table mwu
-{% for ula in mesh_value.ipv6.ula %}
-/sbin/ip -6 route add {{ ula | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh_id }}BR table mwu
+{% for mesh in meshes %}
+# static {{ mesh.site_name }} routes for rt_table mwu
+/sbin/ip -4 route add {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}BR table mwu
+{% for ula in mesh.ipv6_ula %}
+/sbin/ip -6 route add {{ ula | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}BR table mwu
{% endfor %}
-{% for public in mesh_value.ipv6.public %}
-/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh_id }}BR table mwu
-/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(56, magic) | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh_id }}BR table mwu
+{% for public in mesh.ipv6_public %}
+/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}BR table mwu
+/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(56, magic) | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}BR table mwu
{% endfor %}
{% if not loop.last %}