Migrate nested dictionary meshes
into a list of dictionaries
- migrate the `ipv6` dictionary into two flat lists - migrate the `forward_zones` dictionary into a list
parent
2bbd39009c
commit
63ca114c95
44 changed files with 263 additions and 272 deletions
42
Readme.md
42
Readme.md
|
@ -20,20 +20,19 @@ Die Server werden mit ihren FQDNs im Ansible Inventory hinterlegt, bedenkt das f
|
|||
## Variablen für jedes Mesh
|
||||
|
||||
Viele Rollen brauchen spezifische Informationen, wie IP-Adresse, Masken, Interface-Namen, etc.
|
||||
Wir verwalten diese Mesh-Informationen in einem Dictionary unter `inventory/group_vars/all`:
|
||||
Wir verwalten diese Mesh-Informationen in einer Liste von Dictionaries unter `inventory/group_vars/all`:
|
||||
|
||||
```
|
||||
meshes:
|
||||
mz:
|
||||
- id: mz
|
||||
site_number: 37
|
||||
site_code: ffmz
|
||||
site_name: Mainz
|
||||
ipv4_network: 10.37.0.0/18
|
||||
ipv6:
|
||||
ula:
|
||||
- fd37:b4dc:4b1e::/48
|
||||
public:
|
||||
- 2a03:2260:11a::/48
|
||||
ipv6_ula:
|
||||
- fd37:b4dc:4b1e::/48
|
||||
ipv6_public:
|
||||
- 2a03:2260:11a::/48
|
||||
dnssl:
|
||||
- ffmz.org
|
||||
- user.ffmz.org
|
||||
|
@ -53,23 +52,22 @@ meshes:
|
|||
dns:
|
||||
master: fd37:b4dc:4b1e::a25:103
|
||||
forward_zones:
|
||||
ffmz.org:
|
||||
user.ffmz.org:
|
||||
bb.ffmz.org:
|
||||
nodes.ffmz.org:
|
||||
ffbin:
|
||||
- name: ffmz.org
|
||||
- name: user.ffmz.org
|
||||
- name: bb.ffmz.org
|
||||
- name: nodes.ffmz.org
|
||||
- name: ffbin
|
||||
master: fd37:b4dc:4b1e::a25:10c
|
||||
|
||||
wi:
|
||||
- id: wi
|
||||
site_number: 56
|
||||
site_code: ffwi
|
||||
site_name: Wiesbaden
|
||||
ipv4_network: 10.56.0.0/18
|
||||
ipv6:
|
||||
ula:
|
||||
- fd56:b4dc:4b1e::/48
|
||||
public:
|
||||
- 2a03:2260:11b::/48
|
||||
ipv6_ula:
|
||||
- fd56:b4dc:4b1e::/48
|
||||
ipv6_public:
|
||||
- 2a03:2260:11b::/48
|
||||
dnssl:
|
||||
- ffwi.org
|
||||
- user.ffwi.org
|
||||
|
@ -88,10 +86,10 @@ meshes:
|
|||
dns:
|
||||
master: fd56:b4dc:4b1e::a38:103
|
||||
forward_zones:
|
||||
ffwi.org:
|
||||
user.ffwi.org:
|
||||
bb.ffwi.org:
|
||||
nodes.ffwi.org:
|
||||
- name: ffwi.org
|
||||
- name: user.ffwi.org
|
||||
- name: bb.ffwi.org
|
||||
- name: nodes.ffwi.org
|
||||
```
|
||||
|
||||
## Sensible Informationen
|
||||
|
|
|
@ -17,16 +17,15 @@ bgp_ipv4_transfer_net: 10.37.0.0/18
|
|||
bgp_ipv6_transfer_net: fd37:b4dc:4b1e::/64
|
||||
|
||||
meshes:
|
||||
mz:
|
||||
- id: mz
|
||||
site_number: 37
|
||||
site_code: ffmz
|
||||
site_name: Mainz
|
||||
ipv4_network: 10.37.0.0/18
|
||||
ipv6:
|
||||
ula:
|
||||
- fd37:b4dc:4b1e::/48
|
||||
public:
|
||||
- 2a03:2260:11a::/48
|
||||
ipv6_ula:
|
||||
- fd37:b4dc:4b1e::/48
|
||||
ipv6_public:
|
||||
- 2a03:2260:11a::/48
|
||||
dnssl:
|
||||
- ffmz.org
|
||||
- user.ffmz.org
|
||||
|
@ -46,23 +45,22 @@ meshes:
|
|||
dns:
|
||||
master: fd37:b4dc:4b1e::a25:103
|
||||
forward_zones:
|
||||
ffmz.org:
|
||||
user.ffmz.org:
|
||||
bb.ffmz.org:
|
||||
nodes.ffmz.org:
|
||||
ffbin:
|
||||
- name: ffmz.org
|
||||
- name: user.ffmz.org
|
||||
- name: bb.ffmz.org
|
||||
- name: nodes.ffmz.org
|
||||
- name: ffbin
|
||||
master: fd37:b4dc:4b1e::a25:10c
|
||||
|
||||
wi:
|
||||
- id: wi
|
||||
site_number: 56
|
||||
site_code: ffwi
|
||||
site_name: Wiesbaden
|
||||
ipv4_network: 10.56.0.0/18
|
||||
ipv6:
|
||||
ula:
|
||||
- fd56:b4dc:4b1e::/48
|
||||
public:
|
||||
- 2a03:2260:11b::/48
|
||||
ipv6_ula:
|
||||
- fd56:b4dc:4b1e::/48
|
||||
ipv6_public:
|
||||
- 2a03:2260:11b::/48
|
||||
dnssl:
|
||||
- ffwi.org
|
||||
- user.ffwi.org
|
||||
|
@ -82,10 +80,10 @@ meshes:
|
|||
dns:
|
||||
master: fd56:b4dc:4b1e::a38:103
|
||||
forward_zones:
|
||||
ffwi.org:
|
||||
user.ffwi.org:
|
||||
bb.ffwi.org:
|
||||
nodes.ffwi.org:
|
||||
- name: ffwi.org
|
||||
- name: user.ffwi.org
|
||||
- name: bb.ffwi.org
|
||||
- name: nodes.ffwi.org
|
||||
|
||||
icvpn:
|
||||
prefix: mwu
|
||||
|
|
|
@ -12,7 +12,7 @@ Diese Ansible role konfiguriert batman-adv Netzwerk Interfaces.
|
|||
- Dictionary `meshes`
|
||||
´´´
|
||||
meshes:
|
||||
xx:
|
||||
- id: xx
|
||||
...
|
||||
ipv4_network:
|
||||
...
|
||||
|
|
|
@ -2,13 +2,13 @@
|
|||
- name: create dummy interfaces
|
||||
template:
|
||||
src: dummy.j2
|
||||
dest: "/etc/network/interfaces.d/{{ item.key }}0"
|
||||
dest: "/etc/network/interfaces.d/{{ item.id }}0"
|
||||
notify: reload network interfaces
|
||||
with_dict: "{{ meshes }}"
|
||||
with_items: "{{ meshes }}"
|
||||
|
||||
- name: create batman interfaces
|
||||
template:
|
||||
src: batman.j2
|
||||
dest: "/etc/network/interfaces.d/{{ item.key }}BAT"
|
||||
dest: "/etc/network/interfaces.d/{{ item.id }}BAT"
|
||||
notify: reload network interfaces
|
||||
with_dict: "{{ meshes }}"
|
||||
with_items: "{{ meshes }}"
|
||||
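Review bot: `dest: "/etc/network/interfaces.d/{{ item.id }}0"` (and the `BAT` variant below it) now takes `id` from a free-form field of a list element instead of a dictionary key, so the data model no longer guarantees that the value is unique; two meshes with the same `id` would silently render into the same interface file, and a value with `/` or whitespace would leave the directory or break the interface name. The same `item.id` is interpolated into paths, interface names and `fastd@` unit names in the fastd, fastd-intragate, fastd-mesh and bridge roles as well as the bind task that uses `item.site_code`, so one up-front check covers all of them: an `assert` task run once against the inventory, e.g. `that:` with `- "meshes | map(attribute='id') | list | unique | length == meshes | length"` and `- "meshes | map(attribute='id') | reject('match', '^[a-z0-9]+$') | list | length == 0"`. Placing it in a common role keeps each task file as it is in this hunk.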
|
|
|
@ -1,14 +1,14 @@
|
|||
{% set ip4hex = item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
|
||||
{% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
|
||||
{% set mac = '0201' + ip4hex -%}
|
||||
#
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
auto {{ item.key }}BAT
|
||||
iface {{ item.key }}BAT
|
||||
auto {{ item.id }}BAT
|
||||
iface {{ item.id }}BAT
|
||||
hwaddress {{ mac | hwaddr('linux') }}
|
||||
batman-ifaces {{ item.key }}0 {{ item.key }}VPN {{ item.key }}igVPN
|
||||
batman-hop-penalty {{ item.value.batman.hop_penalty }}
|
||||
post-up /usr/sbin/batctl -m $IFACE it {{ item.value.batman.it }}
|
||||
post-up /usr/sbin/batctl -m $IFACE gw {{ item.value.batman.gw }}
|
||||
post-up /usr/sbin/batctl -m $IFACE mm {{ item.value.batman.mm }}
|
||||
post-up /usr/sbin/batctl -m $IFACE dat {{ item.value.batman.dat }}
|
||||
batman-ifaces {{ item.id }}0 {{ item.id }}VPN {{ item.id }}igVPN
|
||||
batman-hop-penalty {{ item.batman.hop_penalty }}
|
||||
post-up /usr/sbin/batctl -m $IFACE it {{ item.batman.it }}
|
||||
post-up /usr/sbin/batctl -m $IFACE gw {{ item.batman.gw }}
|
||||
post-up /usr/sbin/batctl -m $IFACE mm {{ item.batman.mm }}
|
||||
post-up /usr/sbin/batctl -m $IFACE dat {{ item.batman.dat }}
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
{% set ip4hex = item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
|
||||
{% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
|
||||
{% set mac = '0200' + ip4hex -%}
|
||||
#
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
auto {{ item.key }}0
|
||||
iface {{ item.key }}0
|
||||
auto {{ item.id }}0
|
||||
iface {{ item.id }}0
|
||||
link-type dummy
|
||||
hwaddress {{ mac | hwaddr('linux') }}
|
||||
|
|
|
@ -10,7 +10,7 @@ Diese Ansible role konfiguriert Netzwerk Interfaces für fastd.
|
|||
- Dictionary `meshes`
|
||||
´´´
|
||||
meshes:
|
||||
xx:
|
||||
- id: xx
|
||||
...
|
||||
ipv4_network:
|
||||
...
|
||||
|
|
|
@ -2,13 +2,13 @@
|
|||
- name: create fastd mesh interfaces
|
||||
template:
|
||||
src: fastd-mesh.j2
|
||||
dest: "/etc/network/interfaces.d/{{ item.key }}VPN"
|
||||
dest: "/etc/network/interfaces.d/{{ item.id }}VPN"
|
||||
notify: reload network interfaces
|
||||
with_dict: "{{ meshes }}"
|
||||
with_items: "{{ meshes }}"
|
||||
|
||||
- name: create fastd intragate interfaces
|
||||
template:
|
||||
src: fastd-intragate.j2
|
||||
dest: "/etc/network/interfaces.d/{{ item.key }}igVPN"
|
||||
dest: "/etc/network/interfaces.d/{{ item.id }}igVPN"
|
||||
notify: reload network interfaces
|
||||
with_dict: "{{ meshes }}"
|
||||
with_items: "{{ meshes }}"
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
{% set ip4hex = item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
|
||||
{% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
|
||||
{% set mac = '0212' + ip4hex -%}
|
||||
#
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
auto {{ item.key }}igVPN
|
||||
iface {{ item.key }}igVPN
|
||||
auto {{ item.id }}igVPN
|
||||
iface {{ item.id }}igVPN
|
||||
hwaddress {{ mac | hwaddr('linux') }}
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
{% set ip4hex = item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
|
||||
{% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
|
||||
{% set mac = '0211' + ip4hex -%}
|
||||
#
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
auto {{ item.key }}VPN
|
||||
iface {{ item.key }}VPN
|
||||
auto {{ item.id }}VPN
|
||||
iface {{ item.id }}VPN
|
||||
hwaddress {{ mac | hwaddr('linux') }}
|
||||
|
|
|
@ -18,7 +18,7 @@ sysctl_settings_netfilter:
|
|||
- Dictionary `meshes`
|
||||
´´´
|
||||
meshes:
|
||||
xx:
|
||||
- id: xx
|
||||
...
|
||||
ipv4_network:
|
||||
...
|
||||
|
|
|
@ -8,8 +8,8 @@
|
|||
-A INPUT -d {{ ansible_default_ipv4.address | ipaddr('public') }}/32 -p gre -j ACCEPT
|
||||
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
{% for mesh_id, mesh_value in meshes.iteritems() %}
|
||||
-A FORWARD -i {{ mesh_id }}BR -o {{ mesh_id }}BR -j ACCEPT
|
||||
{% for mesh in meshes %}
|
||||
-A FORWARD -i {{ mesh.id }}BR -o {{ mesh.id }}BR -j ACCEPT
|
||||
{% endfor %}
|
||||
-A FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
|
@ -31,8 +31,8 @@ COMMIT
|
|||
:OUTPUT ACCEPT [0:0]
|
||||
:POSTROUTING ACCEPT [0:0]
|
||||
:ffrl-nat - [0:0]
|
||||
{% for mesh_id, mesh_value in meshes.iteritems() %}
|
||||
-A POSTROUTING -s {{ mesh_value.ipv4_network | ipaddr('private') | ipaddr('net') }} -o ffrl+ -j ffrl-nat
|
||||
{% for mesh in meshes %}
|
||||
-A POSTROUTING -s {{ mesh.ipv4_network | ipaddr('private') | ipaddr('net') }} -o ffrl+ -j ffrl-nat
|
||||
{% endfor %}
|
||||
-A ffrl-nat -o ffrl+ -j SNAT --to-source {{ ffrl_public_ipv4_nat | ipaddr('address') }}
|
||||
COMMIT
|
||||
|
|
|
@ -7,8 +7,8 @@
|
|||
:OUTPUT ACCEPT [0:0]
|
||||
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
{% for mesh_id, mesh_value in meshes.iteritems() %}
|
||||
-A FORWARD -i {{ mesh_id }}BR -o {{ mesh_id }}BR -j ACCEPT
|
||||
{% for mesh in meshes %}
|
||||
-A FORWARD -i {{ mesh.id }}BR -o {{ mesh.id }}BR -j ACCEPT
|
||||
{% endfor %}
|
||||
-A FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
|
|
|
@ -11,15 +11,14 @@ Diese Ansible role konfiguriert die Linux Bridges für die Freifunk Meshes.
|
|||
- Dictionary `meshes`
|
||||
´´´
|
||||
meshes:
|
||||
xx:
|
||||
-id: xx
|
||||
...
|
||||
ipv4_network:
|
||||
...
|
||||
ipv6:
|
||||
ula:
|
||||
- fdxx.../48 # ipv6 ula prefix
|
||||
public:
|
||||
- 2xxx.../48 # ipv6 public prefix
|
||||
ipv6_ula:
|
||||
- fdxx.../48 # ipv6 ula prefix
|
||||
ipv6_public:
|
||||
- 2xxx.../48 # ipv6 public prefix
|
||||
|
||||
´´´
|
||||
- Host Variable `magic`
|
||||
|
|
|
@ -2,13 +2,13 @@
|
|||
- name: create mesh bridges
|
||||
template:
|
||||
src: bridge.j2
|
||||
dest: "/etc/network/interfaces.d/{{ item.key }}BR"
|
||||
dest: "/etc/network/interfaces.d/{{ item.id }}BR"
|
||||
notify: reload network interfaces
|
||||
with_dict: "{{ meshes }}"
|
||||
with_items: "{{ meshes }}"
|
||||
|
||||
- name: set sysfs variables
|
||||
template:
|
||||
src: sysfs.j2
|
||||
dest: "/etc/sysfs.d/99-{{ item.key }}BR.conf"
|
||||
with_dict: "{{ meshes }}"
|
||||
dest: "/etc/sysfs.d/99-{{ item.id }}BR.conf"
|
||||
with_items: "{{ meshes }}"
|
||||
notify: activate sysfs variables
|
||||
|
|
|
@ -1,15 +1,16 @@
|
|||
{% set ip4hex = item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
|
||||
{% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
|
||||
{% set mac = '0210' + ip4hex -%}
|
||||
#
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
auto {{ item.key }}BR
|
||||
iface {{ item.key }}BR
|
||||
auto {{ item.id }}BR
|
||||
iface {{ item.id }}BR
|
||||
hwaddress {{ mac | hwaddr('linux') }}
|
||||
address {{ item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('ip/prefix') }}
|
||||
{% for ip_type, ip_list in item.value.ipv6.iteritems() %}
|
||||
{% for ip in ip_list %}
|
||||
address {{ ip | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('ip/prefix') }}
|
||||
address {{ item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('ip/prefix') }}
|
||||
{% for prefix in item.ipv6_ula %}
|
||||
address {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('ip/prefix') }}
|
||||
{% endfor %}
|
||||
{% for prefix in item.ipv6_public %}
|
||||
address {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('ip/prefix') }}
|
||||
{% endfor %}
|
||||
bridge-ports {{ item.key }}BAT
|
||||
bridge-ports {{ item.id }}BAT
|
||||
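Review bot: The two new loops `{% for prefix in item.ipv6_ula %}` and `{% for prefix in item.ipv6_public %}` make both keys mandatory for every mesh, whereas the replaced `item.value.ipv6.iteritems()` simply produced no addresses for a type that was absent; a mesh that has no public prefix now aborts the template render with an undefined-attribute error. If both lists are meant to be required, the inventory description in Readme.md should state it, since the per-role READMEs only list what each role reads; otherwise `{% for prefix in item.ipv6_public | default([]) %}` keeps the previous tolerance. The same consideration applies to `mesh.ipv6_public` in the ffrl bird template and to `mesh.ipv6_ula` in named.conf.options, the bird6 template and the radvd template.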
|
|
|
@ -1,4 +1,4 @@
|
|||
#
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
class/net/{{ item.key }}BR/bridge/hash_max = 16384
|
||||
class/net/{{ item.id }}BR/bridge/hash_max = 16384
|
||||
|
|
|
@ -15,18 +15,17 @@ Die Gateways agieren lediglich als Slave-DNS Server.
|
|||
- Dictionary `meshes`
|
||||
´´´
|
||||
meshes:
|
||||
xx:
|
||||
- id: xx
|
||||
...
|
||||
site_code: # string
|
||||
ipv4_network:
|
||||
ipv6:
|
||||
ula:
|
||||
- # ULA-Prefix
|
||||
- ...
|
||||
ipv6_ula:
|
||||
- # ULA-Prefix
|
||||
- ...
|
||||
dns:
|
||||
master: # IP-Adresse des DNS Masters
|
||||
forward_zones:
|
||||
$zone: # DNS-Domain
|
||||
- name: $zone # DNS-Domain
|
||||
master: # optional: IP-Adresse des DNS Masters, wenn die vom übergeordneten abweicht.
|
||||
|
||||
´´´
|
||||
|
|
|
@ -44,12 +44,12 @@
|
|||
- name: write named.conf for meshes
|
||||
template:
|
||||
src: named.conf.mesh.j2
|
||||
dest: /etc/bind/named.conf.{{ item.value.site_code }}
|
||||
dest: /etc/bind/named.conf.{{ item.site_code }}
|
||||
owner: root
|
||||
group: bind
|
||||
mode: 0644
|
||||
notify: restart bind9
|
||||
with_dict: "{{ meshes }}"
|
||||
with_items: "{{ meshes }}"
|
||||
|
||||
- name: write initial icvpn bind config
|
||||
shell: /usr/bin/python3 /home/admin/clones/icvpn-scripts/mkdns -f bind -x mwu -x bingen -s /home/admin/clones/icvpn-meta > /etc/bind/named.conf.icvpn
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
include "/etc/bind/named.conf.options";
|
||||
include "/etc/bind/named.conf.default-zones";
|
||||
include "/etc/bind/named.conf.logging";
|
||||
{% for mesh_id, mesh_value in meshes.iteritems() %}
|
||||
include "/etc/bind/named.conf.{{ mesh_value.site_code }}";
|
||||
{% for mesh in meshes %}
|
||||
include "/etc/bind/named.conf.{{ mesh.site_code }}";
|
||||
{% endfor %}
|
||||
include "/etc/bind/named.conf.icvpn";
|
||||
|
|
|
@ -3,35 +3,35 @@
|
|||
//
|
||||
|
||||
// ACLs
|
||||
masters "ns-master-{{ item.value.site_code }}" {
|
||||
{{ item.value.dns.master }};
|
||||
masters "ns-master-{{ item.site_code }}" {
|
||||
{{ item.dns.master }};
|
||||
};
|
||||
|
||||
{% for zone_id, zone_value in item.value.dns.forward_zones.iteritems() %}
|
||||
{% if zone_value.master is defined %}
|
||||
masters "ns-master-{{ zone_id }}" {
|
||||
{{ zone_value.master }};
|
||||
{% for zone in item.dns.forward_zones %}
|
||||
{% if zone.master is defined %}
|
||||
masters "ns-master-{{ zone.name }}" {
|
||||
{{ zone.master }};
|
||||
};
|
||||
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
||||
acl "intern-{{ item.value.site_code }}" {
|
||||
{{ item.value.ipv4_network | ipaddr('net') | ipaddr('network/prefix') }};
|
||||
{% for prefix in item.value.ipv6.ula %}
|
||||
acl "intern-{{ item.site_code }}" {
|
||||
{{ item.ipv4_network | ipaddr('net') | ipaddr('network/prefix') }};
|
||||
{% for prefix in item.ipv6_ula %}
|
||||
{{ prefix | ipaddr('net') | ipaddr('network/prefix') }};
|
||||
{% endfor %}
|
||||
};
|
||||
|
||||
// DNS forward zones for {{ item.value.site_code }}
|
||||
{% for zone_id, zone_value in item.value.dns.forward_zones.iteritems() %}
|
||||
zone "{{ zone_id }}." {
|
||||
// DNS forward zones for {{ item.site_code }}
|
||||
{% for zone in item.dns.forward_zones %}
|
||||
zone "{{ zone.name }}." {
|
||||
type slave;
|
||||
file "{{ zone_id }}.db";
|
||||
{% if zone_value.master is defined %}
|
||||
masters { ns-master-{{ zone_id }}; };
|
||||
file "{{ zone.name }}.db";
|
||||
{% if zone.master is defined %}
|
||||
masters { ns-master-{{ zone.name }}; };
|
||||
{% else %}
|
||||
masters { ns-master-{{ item.value.site_code }}; };
|
||||
masters { ns-master-{{ item.site_code }}; };
|
||||
{% endif %}
|
||||
};
|
||||
{% if not loop.last %}
|
||||
|
@ -39,18 +39,18 @@ zone "{{ zone_id }}." {
|
|||
{% endif %}
|
||||
{% endfor %}
|
||||
|
||||
// DNS reverse zones for {{ item.value.site_code }}
|
||||
zone "{{ item.value.ipv4_network | ipaddr('net') | ipaddr('revdns') }}" {
|
||||
// DNS reverse zones for {{ item.site_code }}
|
||||
zone "{{ item.ipv4_network | ipaddr('net') | ipaddr('revdns') }}" {
|
||||
type slave;
|
||||
file "{{ item.value.ipv4_network | ipaddr('net') | ipaddr('revdns') }}";
|
||||
masters { ns-master-{{ item.value.site_code }}; };
|
||||
file "{{ item.ipv4_network | ipaddr('net') | ipaddr('revdns') }}";
|
||||
masters { ns-master-{{ item.site_code }}; };
|
||||
};
|
||||
|
||||
{% for prefix in item.value.ipv6.ula %}
|
||||
{% for prefix in item.ipv6_ula %}
|
||||
zone "{{ prefix | ipaddr('net') | ipaddr('revdns') }}" {
|
||||
type slave;
|
||||
file "{{ prefix | ipaddr('net') | ipaddr('revdns') }}";
|
||||
masters { ns-master-{{ item.value.site_code }}; };
|
||||
masters { ns-master-{{ item.site_code }}; };
|
||||
};
|
||||
{% if not loop.last %}
|
||||
|
||||
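Review bot: `zone "{{ zone.name }}." {` and `masters "ns-master-{{ zone.name }}" {` now take the zone name from a list element, so two entries with the same `name` — impossible in the old dictionary form — render duplicate `zone` and `masters` statements, and named rejects the whole configuration at reload, taking every slave zone of that mesh offline. The template task in this role has no `validate:`, so the failure would only surface from the `restart bind9` handler. A check before templating catches it at the inventory: `- assert:` / `that: "item.dns.forward_zones | map(attribute='name') | list | unique | length == item.dns.forward_zones | length"` / `with_items: "{{ meshes }}"`. The enclosing `{% for zone in item.dns.forward_zones %}` block of the second hunk starts outside the hunk.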
|
|
|
@ -11,25 +11,25 @@ options {
|
|||
allow-recursion {
|
||||
127.0.0.1;
|
||||
::1;
|
||||
{% for mesh_id, mesh_value in meshes.iteritems() %}
|
||||
intern-{{ mesh_value.site_code }};
|
||||
{% for mesh in meshes %}
|
||||
intern-{{ mesh.site_code }};
|
||||
{% endfor %}
|
||||
};
|
||||
allow-transfer { any; };
|
||||
|
||||
listen-on {
|
||||
127.0.0.1;
|
||||
{% for mesh_id, mesh_value in meshes.iteritems() %}
|
||||
{{ mesh_value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') }};
|
||||
{% for mesh in meshes %}
|
||||
{{ mesh.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') }};
|
||||
{% endfor %}
|
||||
{{ icvpn_ipv4_transfer_net | ipaddr('net') | ipsubnet(24, 37) | ipaddr(magic) | ipaddr('address') }};
|
||||
};
|
||||
|
||||
listen-on-v6 {
|
||||
::1;
|
||||
{% for mesh_id, mesh_value in meshes.iteritems() %}
|
||||
{% for ip in mesh_value.ipv6.ula %}
|
||||
{{ ip | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) }};
|
||||
{% for mesh in meshes %}
|
||||
{% for ip in mesh.ipv6_ula %}
|
||||
{{ ip | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('address') }};
|
||||
{% endfor %}
|
||||
{% endfor %}
|
||||
{{ icvpn_ipv6_transfer_net | ipaddr('net') | ipsubnet(112, 37) | ipaddr(magic) | ipaddr('address') }};
|
||||
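Review bot: The `listen-on-v6` entry gains `| ipaddr('address')` at the end of its filter chain (`{{ ip | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('address') }};`), which — if I read the chain right — turns the rendered value from an address-with-/64-prefix into the bare host address, so bind no longer matches any interface address inside that /64 and listens only on the gateway's own ULA address. That is a sensible tightening, but it is a behaviour change independent of the dict-to-list migration and the commit message does not mention it; a line in the description (or a separate commit) would keep the listen-address change traceable. The remaining lines of this hunk are a pure rename of the loop variables.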
|
|
|
@ -11,11 +11,10 @@ Diese Ansible role ergänzt die benötigte bird + bird6 Konfiguration für den I
|
|||
- Dictionary `meshes`
|
||||
```
|
||||
meshes:
|
||||
xx:
|
||||
- id: xx
|
||||
...
|
||||
ipv6:
|
||||
public:
|
||||
- # Public IPv6-Netzwerk
|
||||
ipv6_public:
|
||||
- # Public IPv6-Netzwerk
|
||||
```
|
||||
- Host Dictionary `ffrl_exit_server`
|
||||
´´´
|
||||
|
|
|
@ -11,8 +11,8 @@ table ffrl;
|
|||
# Functions
|
||||
function is_ffrl_public_nets() {
|
||||
return net ~ [
|
||||
{% for mesh_id, mesh_value in meshes.iteritems() %}
|
||||
{% for prefix in mesh_value.ipv6.public %}
|
||||
{% for mesh in meshes %}
|
||||
{% for prefix in mesh.ipv6_public %}
|
||||
{{ prefix }}{48,56}{{ "," if not loop.last else "" }}{% endfor %}{{ "," if not loop.last else "" }}
|
||||
{% endfor %}
|
||||
];
|
||||
|
@ -40,8 +40,8 @@ filter ebgp_ffrl_export_filter {
|
|||
# Protocols
|
||||
protocol static ffrl_public_routes {
|
||||
table ffrl;
|
||||
{% for mesh_id, mesh_value in meshes.iteritems() %}
|
||||
{% for prefix in mesh_value.ipv6.public %}
|
||||
{% for mesh in meshes %}
|
||||
{% for prefix in mesh.ipv6_public %}
|
||||
route {{ prefix }} reject;
|
||||
route {{ prefix | ipaddr('net') | ipsubnet(56, magic) | ipaddr('network/prefix') }} reject;
|
||||
{% endfor %}
|
||||
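Review bot: `route {{ prefix | ipaddr('net') | ipsubnet(56, magic) | ipaddr('network/prefix') }} reject;` replaces `route {{ prefix }} reject;`, so the static entry in `ffrl_public_routes` now covers only this gateway's /56 (selected by `magic`) rather than the whole public prefix — a change to what this table holds and potentially to what is exported towards the upstream, bundled into a data-model migration and absent from the commit message. Please document the intent in the description or split it into its own commit; `is_ffrl_public_nets()` in the first hunk still matches `{48,56}`, so it is not obvious from this file alone whether the /48 is still originated elsewhere.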
|
|
|
@ -26,11 +26,10 @@ Im iBGP peeren wir mangels separatem Transfernetz (im Moment) im Mainzer Mesh Ne
|
|||
- Dictionary `meshes`
|
||||
´´´
|
||||
meshes:
|
||||
xx:
|
||||
- id: xx
|
||||
...
|
||||
ipv4_network:
|
||||
ipv6:
|
||||
ula:
|
||||
- # IPv6-ULA Network
|
||||
ipv6_ula:
|
||||
- # IPv6-ULA Network
|
||||
´´´
|
||||
- Host Variable `magic`
|
||||
|
|
|
@ -38,8 +38,8 @@ function is_chaosvpn() {
|
|||
|
||||
function is_mwu_self_nets() {
|
||||
return net ~ [
|
||||
{% for item, value in meshes.iteritems() %}
|
||||
{{ value.ipv4_network | ipaddr('net') }}+{{ "," if not loop.last else "" }}
|
||||
{% for mesh in meshes %}
|
||||
{{ mesh.ipv4_network | ipaddr('net') }}+{{ "," if not loop.last else "" }}
|
||||
{% endfor %}
|
||||
];
|
||||
}
|
||||
|
@ -50,8 +50,8 @@ protocol device {
|
|||
};
|
||||
|
||||
protocol direct mwu_subnets {
|
||||
{% for item, value in meshes.iteritems() %}
|
||||
interface "{{ item }}BR";
|
||||
{% for mesh in meshes %}
|
||||
interface "{{ mesh.id }}BR";
|
||||
{% endfor %}
|
||||
import where is_mwu_self_nets();
|
||||
};
|
||||
|
|
|
@ -26,8 +26,8 @@ function is_ula() {
|
|||
|
||||
function is_mwu_self_nets() {
|
||||
return net ~ [
|
||||
{% for item, value in meshes.iteritems() %}
|
||||
{% for ula in value.ipv6.ula %}
|
||||
{% for mesh in meshes %}
|
||||
{% for ula in mesh.ipv6_ula %}
|
||||
{{ ula | ipaddr('net') }}+{{ "," if not loop.last else "" }}{% endfor %}{{ "," if not loop.last else "" }}
|
||||
{% endfor %}
|
||||
];
|
||||
|
@ -39,8 +39,8 @@ protocol device {
|
|||
};
|
||||
|
||||
protocol direct mwu_subnets {
|
||||
{% for item, value in meshes.iteritems() %}
|
||||
interface "{{ item }}BR";
|
||||
{% for mesh in meshes %}
|
||||
interface "{{ mesh.id }}BR";
|
||||
{% endfor %}
|
||||
import where is_mwu_self_nets();
|
||||
};
|
||||
|
|
|
@ -12,7 +12,7 @@ Wir nutzen diesen nur zur Verteilung von IPv4-Adressen.
|
|||
- Dictionary `meshes`
|
||||
´´´
|
||||
meshes:
|
||||
xx:
|
||||
- id: xx
|
||||
...
|
||||
site_name: # string
|
||||
site_code: # string
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
|
||||
- name: concatenate meshbridge interfaces
|
||||
set_fact:
|
||||
dhcp_interfaces: "{% for mesh_id, mesh_value in meshes.iteritems() %}{{ mesh_id }}BR{% if not loop.last %} {% endif %}{% endfor %}"
|
||||
dhcp_interfaces: "{% for mesh in meshes %}{{ mesh.id }}BR{% if not loop.last %} {% endif %}{% endfor %}"
|
||||
|
||||
- name: set ipv4 interfaces isc dhcp should listen on
|
||||
lineinfile:
|
||||
|
|
|
@ -12,7 +12,7 @@ default-lease-time 300;
|
|||
min-lease-time 300;
|
||||
max-lease-time 300;
|
||||
|
||||
{% for mesh in meshes.values() %}
|
||||
{% for mesh in meshes %}
|
||||
# DHCP subnet for site {{ mesh.site_name }} ({{ mesh.site_code }})
|
||||
subnet {{ mesh.ipv4_network | ipaddr('network') }} netmask {{ mesh.ipv4_network | ipaddr('netmask') }} {
|
||||
range {{ mesh.ipv4_network | ipsubnet(22, ipv4_dhcp_range) | ipaddr('net') | ipaddr('network') }} {{ mesh.ipv4_network | ipsubnet(22, ipv4_dhcp_range) | ipaddr('net') | ipaddr('broadcast') }};
|
||||
|
|
|
@ -15,7 +15,7 @@ Diese Ansible role konfiguriert die fastd-Instanz für die Intra-Server Kommunik
|
|||
- Dictionary `meshes`
|
||||
´´´
|
||||
meshes:
|
||||
xx:
|
||||
- id: xx
|
||||
...
|
||||
site_number: # integer
|
||||
peers_mesh_repo: # String - https Link zum Github Repository
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
- name: restart fastd intragate instances
|
||||
systemd:
|
||||
name: "fastd@{{ item.key }}igVPN"
|
||||
name: "fastd@{{ item.id }}igVPN"
|
||||
state: restarted
|
||||
with_dict: "{{ meshes }}"
|
||||
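Review bot: The handler still loops with `with_dict: "{{ meshes }}"` while `name: "fastd@{{ item.id }}igVPN"` now expects list elements; with `meshes` migrated to a list, `with_dict` fails at runtime, so any change that notifies `restart fastd intragate instances` ends the play at handler time and leaves the fastd instances running with their old configuration. The loop line should become `with_items: "{{ meshes }}"`, as the tasks in the same role do. The handler `restart fastd mesh instances` in the fastd-mesh role has the same leftover `with_dict`.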
|
|
|
@ -1,45 +1,45 @@
|
|||
---
|
||||
- name: configure systemd unit fastd@
|
||||
systemd:
|
||||
name: "fastd@{{ item.key }}igVPN"
|
||||
name: "fastd@{{ item.id }}igVPN"
|
||||
enabled: yes
|
||||
with_dict: "{{ meshes }}"
|
||||
with_items: "{{ meshes }}"
|
||||
|
||||
- name: create fastd intragate directories
|
||||
file:
|
||||
path: "/etc/fastd/{{ item.key }}igVPN"
|
||||
path: "/etc/fastd/{{ item.id }}igVPN"
|
||||
state: directory
|
||||
mode: 0755
|
||||
with_dict: "{{ meshes }}"
|
||||
with_items: "{{ meshes }}"
|
||||
|
||||
- name: create fastd peer intragate directories
|
||||
file:
|
||||
path: "/etc/fastd/{{ item.key }}igVPN/peers"
|
||||
path: "/etc/fastd/{{ item.id }}igVPN/peers"
|
||||
state: directory
|
||||
mode: 0755
|
||||
owner: admin
|
||||
group: admin
|
||||
with_dict: "{{ meshes }}"
|
||||
with_items: "{{ meshes }}"
|
||||
|
||||
- name: clone fastd peer intragate repos
|
||||
git:
|
||||
repo: "{{ item.value.peers_intragate_repo }}"
|
||||
dest: "/etc/fastd/{{ item.key }}igVPN/peers"
|
||||
repo: "{{ item.peers_intragate_repo }}"
|
||||
dest: "/etc/fastd/{{ item.id }}igVPN/peers"
|
||||
version: master
|
||||
update: no
|
||||
with_dict: "{{ meshes }}"
|
||||
with_items: "{{ meshes }}"
|
||||
become: false
|
||||
|
||||
- name: template fastd mesh config
|
||||
template:
|
||||
src: fastd-intragate.conf.j2
|
||||
dest: "/etc/fastd/{{ item.key }}igVPN/fastd.conf"
|
||||
dest: "/etc/fastd/{{ item.id }}igVPN/fastd.conf"
|
||||
notify: restart fastd intragate instances
|
||||
with_dict: "{{ meshes }}"
|
||||
with_items: "{{ meshes }}"
|
||||
|
||||
- name: write fastd intragate secret
|
||||
template:
|
||||
src: fastd-secret.conf.j2
|
||||
dest: "/etc/fastd/{{ item.key }}igVPN/secret.conf"
|
||||
dest: "/etc/fastd/{{ item.id }}igVPN/secret.conf"
|
||||
notify: restart fastd intragate instances
|
||||
with_dict: "{{ meshes }}"
|
||||
with_items: "{{ meshes }}"
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{% set ip4hex = item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
|
||||
{% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
|
||||
{% set mac = '0212' + ip4hex -%}
|
||||
#
|
||||
# {{ ansible_managed }}
|
||||
|
@ -9,10 +9,10 @@ hide mac addresses yes;
|
|||
|
||||
method "aes128-ctr+umac";
|
||||
|
||||
interface "{{ item.key }}igVPN";
|
||||
interface "{{ item.id }}igVPN";
|
||||
|
||||
bind {{ ansible_default_ipv4.address | ipaddr('public') }}:101{{ item.value.site_number }};
|
||||
bind {{ ansible_default_ipv6.address | ipaddr('public') | ipwrap }}:101{{ item.value.site_number }};
|
||||
bind {{ ansible_default_ipv4.address | ipaddr('public') }}:101{{ item.site_number }};
|
||||
bind {{ ansible_default_ipv6.address | ipaddr('public') | ipwrap }}:101{{ item.site_number }};
|
||||
|
||||
include "secret.conf";
|
||||
mtu 1406;
|
||||
|
@ -27,11 +27,11 @@ on up "
|
|||
ip link set address {{ mac | hwaddr('linux') }} dev $INTERFACE
|
||||
ip link set $INTERFACE up
|
||||
|
||||
batctl -m {{ item.key }}BAT if add $INTERFACE
|
||||
batctl -m {{ item.id }}BAT if add $INTERFACE
|
||||
";
|
||||
|
||||
on down "
|
||||
batctl -m {{ item.key }}BAT if del $INTERFACE
|
||||
batctl -m {{ item.id }}BAT if del $INTERFACE
|
||||
";
|
||||
|
||||
status socket "/var/run/fastd-{{ item.key }}igVPN.status";
|
||||
status socket "/var/run/fastd-{{ item.id }}igVPN.status";
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{% set local_interface = item.key + 'igVPN' -%}
|
||||
{% set local_interface = item.id + 'igVPN' -%}
|
||||
#
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
|
|
|
@ -16,7 +16,7 @@ Diese Ansible role konfiguriert die fastd-Instanz für die Knoten Kommunikation.
|
|||
- Dictionary `meshes`
|
||||
´´´
|
||||
meshes:
|
||||
xx:
|
||||
- id: xx
|
||||
...
|
||||
site_number: # integer
|
||||
peers_mesh_repo: # String - https Link zum Github Repository
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
- name: restart fastd mesh instances
|
||||
systemd:
|
||||
name: "fastd@{{ item.key }}VPN"
|
||||
name: "fastd@{{ item.id }}VPN"
|
||||
state: restarted
|
||||
with_dict: "{{ meshes }}"
|
||||
|
|
|
@ -1,25 +1,25 @@
|
|||
---
|
||||
- name: configure systemd unit fastd@
|
||||
systemd:
|
||||
name: "fastd@{{ item.key }}VPN"
|
||||
name: "fastd@{{ item.id }}VPN"
|
||||
enabled: yes
|
||||
with_dict: "{{ meshes }}"
|
||||
with_items: "{{ meshes }}"
|
||||
|
||||
- name: create fastd directories
|
||||
file:
|
||||
path: "/etc/fastd/{{ item.key }}VPN"
|
||||
path: "/etc/fastd/{{ item.id }}VPN"
|
||||
state: directory
|
||||
mode: 0755
|
||||
with_dict: "{{ meshes }}"
|
||||
with_items: "{{ meshes }}"
|
||||
|
||||
- name: create fastd peer mesh directories
|
||||
file:
|
||||
path: "/etc/fastd/{{ item.key }}VPN/peers"
|
||||
path: "/etc/fastd/{{ item.id }}VPN/peers"
|
||||
state: directory
|
||||
mode: 0755
|
||||
owner: admin
|
||||
group: admin
|
||||
with_dict: "{{ meshes }}"
|
||||
with_items: "{{ meshes }}"
|
||||
|
||||
- name: create fastd peer mesh directories for ffbin
|
||||
file:
|
||||
|
@ -31,11 +31,11 @@
|
|||
|
||||
- name: clone fastd peer mesh repos
|
||||
git:
|
||||
repo: "{{ item.value.peers_mesh_repo }}"
|
||||
dest: "/etc/fastd/{{ item.key }}VPN/peers"
|
||||
repo: "{{ item.peers_mesh_repo }}"
|
||||
dest: "/etc/fastd/{{ item.id }}VPN/peers"
|
||||
version: master
|
||||
update: no
|
||||
with_dict: "{{ meshes }}"
|
||||
with_items: "{{ meshes }}"
|
||||
become: false
|
||||
|
||||
- name: clone fastd peer mesh repo for ffbin
|
||||
|
@ -49,36 +49,36 @@
|
|||
- name: template fastd mesh config
|
||||
template:
|
||||
src: fastd-mesh.conf.j2
|
||||
dest: "/etc/fastd/{{ item.key }}VPN/fastd.conf"
|
||||
dest: "/etc/fastd/{{ item.id }}VPN/fastd.conf"
|
||||
notify: restart fastd mesh instances
|
||||
with_dict: "{{ meshes }}"
|
||||
with_items: "{{ meshes }}"
|
||||
|
||||
- name: write fastd mesh secret
|
||||
template:
|
||||
src: fastd-secret.conf.j2
|
||||
dest: "/etc/fastd/{{ item.key }}VPN/secret.conf"
|
||||
dest: "/etc/fastd/{{ item.id }}VPN/secret.conf"
|
||||
notify: restart fastd mesh instances
|
||||
with_dict: "{{ meshes }}"
|
||||
with_items: "{{ meshes }}"
|
||||
|
||||
- name: copy peer_limit.conf if not exist
|
||||
copy:
|
||||
src: peer_limit.conf
|
||||
dest: "/etc/fastd/{{ item.key }}VPN/peer_limit.conf"
|
||||
dest: "/etc/fastd/{{ item.id }}VPN/peer_limit.conf"
|
||||
owner: admin
|
||||
group: admin
|
||||
mode: 0640
|
||||
force: no
|
||||
notify: restart fastd mesh instances
|
||||
with_dict: "{{ meshes }}"
|
||||
with_items: "{{ meshes }}"
|
||||
|
||||
- name: set file attributes for peer_limit.conf
|
||||
file:
|
||||
path: "/etc/fastd/{{ item.key }}VPN/peer_limit.conf"
|
||||
path: "/etc/fastd/{{ item.id }}VPN/peer_limit.conf"
|
||||
mode: 0640
|
||||
owner: admin
|
||||
group: admin
|
||||
notify: restart fastd mesh instances
|
||||
with_dict: "{{ meshes }}"
|
||||
with_items: "{{ meshes }}"
|
||||
|
||||
- name: write systemd unit fastd-sync-meshkeys.service
|
||||
template:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{% set ip4hex = item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
|
||||
{% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
|
||||
{% set mac = '0211' + ip4hex -%}
|
||||
#
|
||||
# {{ ansible_managed }}
|
||||
|
@ -9,10 +9,10 @@ hide mac addresses yes;
|
|||
|
||||
method "salsa2012+umac";
|
||||
|
||||
interface "{{ item.key }}VPN";
|
||||
interface "{{ item.id }}VPN";
|
||||
|
||||
bind {{ ansible_default_ipv4.address | ipaddr('public') }}:100{{ item.value.site_number }};
|
||||
bind {{ ansible_default_ipv6.address | ipaddr('public') | ipwrap }}:100{{ item.value.site_number }};
|
||||
bind {{ ansible_default_ipv4.address | ipaddr('public') }}:100{{ item.site_number }};
|
||||
bind {{ ansible_default_ipv6.address | ipaddr('public') | ipwrap }}:100{{ item.site_number }};
|
||||
|
||||
include "secret.conf";
|
||||
mtu 1406;
|
||||
|
@ -20,7 +20,7 @@ mtu 1406;
|
|||
peer group "vpn_nodes" {
|
||||
include "peer_limit.conf";
|
||||
include peers from "peers";
|
||||
{% if item.key == "mz" %}
|
||||
{% if item.id == "mz" %}
|
||||
include peers from "peers_bingen";
|
||||
{% endif %}
|
||||
}
|
||||
|
@ -34,11 +34,11 @@ on up "
|
|||
ip link set address {{ mac | hwaddr('linux') }} dev $INTERFACE
|
||||
ip link set $INTERFACE up
|
||||
|
||||
batctl -m {{ item.key }}BAT if add $INTERFACE
|
||||
batctl -m {{ item.id }}BAT if add $INTERFACE
|
||||
";
|
||||
|
||||
on down "
|
||||
batctl -m {{ item.key }}BAT if del $INTERFACE
|
||||
batctl -m {{ item.id }}BAT if del $INTERFACE
|
||||
";
|
||||
|
||||
status socket "/var/run/fastd-{{ item.key }}VPN.status";
|
||||
status socket "/var/run/fastd-{{ item.id }}VPN.status";
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{% set local_interface = item.key + 'VPN' -%}
|
||||
{% set local_interface = item.id + 'VPN' -%}
|
||||
#
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
|
|
|
@ -11,13 +11,12 @@ Diese Ansible role installiert und konfiguriert den radvd daemon.
|
|||
- Dictionary `meshes`
|
||||
´´´
|
||||
meshes:
|
||||
xx:
|
||||
- id: xx
|
||||
...
|
||||
ipv6:
|
||||
ula:
|
||||
- # ULA-Prefix - String
|
||||
public:
|
||||
- # Public-Prefix - String
|
||||
ipv6_ula:
|
||||
- # ULA-Prefix - String
|
||||
ipv6_public:
|
||||
- # Public-Prefix - String
|
||||
iface_mtu: # Integer
|
||||
´´´
|
||||
- Host Variable `magic`
|
||||
|
|
|
@ -2,37 +2,37 @@
|
|||
#
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
{% for mesh_id, mesh_value in meshes.iteritems() %}
|
||||
interface {{ mesh_id }}BR
|
||||
{% for mesh in meshes %}
|
||||
interface {{ mesh.id }}BR
|
||||
{
|
||||
AdvSendAdvert on;
|
||||
IgnoreIfMissing on;
|
||||
MaxRtrAdvInterval {{ mesh_value.radvd.maxrtradvinterval }};
|
||||
AdvLinkMTU {{ mesh_value.iface_mtu }};
|
||||
MaxRtrAdvInterval {{ mesh.radvd.maxrtradvinterval }};
|
||||
AdvLinkMTU {{ mesh.iface_mtu }};
|
||||
|
||||
{% for ip_type, ip_list in mesh_value.ipv6.iteritems() %}
|
||||
{% for prefix in ip_list %}
|
||||
{% if ip_type == "ula" %}
|
||||
RDNSS {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('address') }}
|
||||
RDNSS {% for prefix in mesh.ipv6_ula %}{{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('address') }}
|
||||
{% endfor %}
|
||||
{
|
||||
FlushRDNSS off;
|
||||
};
|
||||
|
||||
{% for prefix in mesh.ipv6_ula %}
|
||||
prefix {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }}
|
||||
{
|
||||
AdvValidLifetime {{ mesh.radvd.advvalidlifetime }};
|
||||
AdvPreferredLifetime {{ mesh.radvd.advpreferredlifetime }};
|
||||
};
|
||||
{% if not loop.last %}
|
||||
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endfor %}
|
||||
|
||||
{% for ip_type, ip_list in mesh_value.ipv6.iteritems() %}
|
||||
{% for prefix in ip_list %}
|
||||
{% if ip_type == "public" %}
|
||||
{% for prefix in mesh.ipv6_public %}
|
||||
prefix {{ prefix | ipaddr('net') | ipsubnet(56, magic) | ipsubnet(64, 0) | ipaddr('subnet') }}
|
||||
{% else %}
|
||||
prefix {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }}
|
||||
{% endif %}
|
||||
{
|
||||
AdvValidLifetime {{ mesh_value.radvd.advvalidlifetime }};
|
||||
AdvPreferredLifetime {{ mesh_value.radvd.advpreferredlifetime }};
|
||||
AdvValidLifetime {{ mesh.radvd.advvalidlifetime }};
|
||||
AdvPreferredLifetime {{ mesh.radvd.advpreferredlifetime }};
|
||||
};
|
||||
{% endfor %}
|
||||
{% if not loop.last %}
|
||||
|
||||
{% endif %}
|
||||
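Review bot: The rewritten `RDNSS {% for prefix in mesh.ipv6_ula %}{{ … }}` line now emits the `RDNSS` keyword and its `{ FlushRDNSS off; };` block unconditionally, so a mesh with an empty `ipv6_ula` list renders `RDNSS { FlushRDNSS off; };` with no address, which radvd's config parser does not accept (as far as the visible old lines show, the statement was previously only printed from inside the per-prefix loop, so it simply disappeared in that case). Wrap the statement and its block in `{% if mesh.ipv6_ula %}` … `{% endif %}` so an advertised interface without ULA prefixes still gets a parseable config. The `prefix` loops for `ipv6_ula` and `ipv6_public` are fine as written, since an empty list just emits nothing there. Cosmetically, the `{% endfor %}` that closes the RDNSS loop sits at column 0 inside an otherwise indented block; a trailing `-%}` on the `for` tag would keep the address list on the `RDNSS` line.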
|
|
|
@ -10,15 +10,14 @@ All dieses sollte in Zukunft durch systemd units abgelöst werden.
|
|||
- Dictionary `meshes`
|
||||
´´´
|
||||
meshes:
|
||||
xx:
|
||||
- id: xx
|
||||
...
|
||||
site_name: # string
|
||||
ipv4_network:
|
||||
ipv6:
|
||||
ula:
|
||||
- # string
|
||||
public:
|
||||
- # string
|
||||
ipv6_ula:
|
||||
- # string
|
||||
ipv6_public:
|
||||
- # string
|
||||
iface_mtu: # integer
|
||||
´´´
|
||||
- Host Variable `magic`
|
||||
|
|
|
@ -18,59 +18,59 @@
|
|||
#
|
||||
|
||||
# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
|
||||
{% for mesh_id, mesh_value in meshes.iteritems() %}
|
||||
ip -4 rule add from {{ mesh_value.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
|
||||
ip -4 rule add to {{ mesh_value.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
|
||||
ip -4 rule add from all oif {{ mesh_id }}BR lookup mwu priority 7
|
||||
{% for ula in mesh_value.ipv6.ula %}
|
||||
{% for mesh in meshes %}
|
||||
ip -4 rule add from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
|
||||
ip -4 rule add to {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
|
||||
ip -4 rule add from all oif {{ mesh.id }}BR lookup mwu priority 7
|
||||
{% for ula in mesh.ipv6_ula %}
|
||||
ip -6 rule add from {{ ula }} lookup mwu priority 7
|
||||
ip -6 rule add to {{ ula }} lookup mwu priority 7
|
||||
{% endfor %}
|
||||
{% for public in mesh_value.ipv6.public %}
|
||||
{% for public in mesh.ipv6_public %}
|
||||
ip -6 rule add from {{ public }} lookup mwu priority 7
|
||||
ip -6 rule add to {{ public }} lookup mwu priority 7
|
||||
{% endfor %}
|
||||
ip -6 rule add from all oif {{ mesh_id }}BR lookup mwu priority 7
|
||||
ip -6 rule add from all oif {{ mesh.id }}BR lookup mwu priority 7
|
||||
{% endfor %}
|
||||
|
||||
# Priority 23 - lookup rt_table icvpn for all incoming traffic of freifunk bridges
|
||||
{% for mesh_id, mesh_value in meshes.iteritems() %}
|
||||
ip -4 rule add from {{ mesh_value.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23
|
||||
ip -4 rule add to {{ mesh_value.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23
|
||||
ip -4 rule add from all oif {{ mesh_id }}BR lookup icvpn priority 23
|
||||
{% for ula in mesh_value.ipv6.ula %}
|
||||
{% for mesh in meshes %}
|
||||
ip -4 rule add from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23
|
||||
ip -4 rule add to {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23
|
||||
ip -4 rule add from all oif {{ mesh.id }}BR lookup icvpn priority 23
|
||||
{% for ula in mesh.ipv6_ula %}
|
||||
ip -6 rule add from {{ ula }} lookup icvpn priority 23
|
||||
ip -6 rule add to {{ ula }} lookup icvpn priority 23
|
||||
{% endfor %}
|
||||
{% for public in mesh_value.ipv6.public %}
|
||||
{% for public in mesh.ipv6_public %}
|
||||
ip -6 rule add from {{ public }} lookup icvpn priority 23
|
||||
ip -6 rule add to {{ public }} lookup icvpn priority 23
|
||||
{% endfor %}
|
||||
ip -6 rule add from all oif {{ mesh_id }}BR lookup icvpn priority 23
|
||||
ip -6 rule add from all oif {{ mesh.id }}BR lookup icvpn priority 23
|
||||
{% endfor %}
|
||||
ip -4 rule add from all oif icVPN lookup icvpn priority 23
|
||||
ip -6 rule add from all oif icVPN lookup icvpn priority 23
|
||||
|
||||
# Priority 41 - lookup rt_table internet for all incoming traffic of freifunk bridges
|
||||
{% for mesh_id, mesh_value in meshes.iteritems() %}
|
||||
ip -4 rule add from {{ mesh_value.ipv4_network | ipaddr('network') }}/16 lookup internet priority 41
|
||||
{% for ula in mesh_value.ipv6.ula %}
|
||||
{% for mesh in meshes %}
|
||||
ip -4 rule add from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup internet priority 41
|
||||
{% for ula in mesh.ipv6_ula %}
|
||||
ip -6 rule add from {{ ula }} lookup internet priority 41
|
||||
ip -6 rule add to {{ ula }} lookup internet priority 41
|
||||
{% endfor %}
|
||||
{% for public in mesh_value.ipv6.public %}
|
||||
{% for public in mesh.ipv6_public %}
|
||||
ip -6 rule add from {{ public }} lookup internet priority 41
|
||||
ip -6 rule add to {{ public }} lookup internet priority 41
|
||||
{% endfor %}
|
||||
ip -6 rule add from all oif {{ mesh_id }}BR lookup internet priority 41
|
||||
ip -6 rule add from all oif {{ mesh.id }}BR lookup internet priority 41
|
||||
{% endfor %}
|
||||
ip -4 rule add from {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41
|
||||
ip -4 rule add to {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41
|
||||
|
||||
# Priority 61 - at this point this is the end of policy routing for freifunk related routes
|
||||
{% for mesh_id, mesh_value in meshes.iteritems() %}
|
||||
ip -4 rule add from all iif {{ mesh_id }}BR type unreachable priority 61
|
||||
ip -6 rule add from all iif {{ mesh_id }}BR type unreachable priority 61
|
||||
{% for mesh in meshes %}
|
||||
ip -4 rule add from all iif {{ mesh.id }}BR type unreachable priority 61
|
||||
ip -6 rule add from all iif {{ mesh.id }}BR type unreachable priority 61
|
||||
{% endfor %}
|
||||
ip -4 rule add from all iif icVPN type unreachable priority 61
|
||||
ip -4 rule add from all iif {{ ansible_default_ipv4.interface }} type unreachable priority 61
|
||||
|
@ -80,8 +80,8 @@ ip -6 rule add from all iif {{ server_id }} type unreachable priority 61
|
|||
{% endfor %}
|
||||
ip -6 rule add from all iif icVPN type unreachable priority 61
|
||||
ip -6 rule add from all iif {{ ansible_default_ipv6.interface }} type unreachable priority 61
|
||||
{% for mesh_id, mesh_value in meshes.iteritems() %}
|
||||
{% for public in mesh_value.ipv6.public %}
|
||||
{% for mesh in meshes %}
|
||||
{% for public in mesh.ipv6_public %}
|
||||
ip -6 rule add from {{ public }} type unreachable priority 61
|
||||
ip -6 rule add to {{ public }} type unreachable priority 61
|
||||
{% endfor %}
|
||||
|
@ -98,15 +98,15 @@ ip -6 rule add from all lookup icvpn priority 107
|
|||
# IP routes
|
||||
#
|
||||
|
||||
{% for mesh_id, mesh_value in meshes.iteritems() %}
|
||||
# static {{ mesh_value.site_name }} routes for rt_table mwu
|
||||
/sbin/ip -4 route add {{ mesh_value.ipv4_network }} proto static dev {{ mesh_id }}BR table mwu
|
||||
{% for ula in mesh_value.ipv6.ula %}
|
||||
/sbin/ip -6 route add {{ ula | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh_id }}BR table mwu
|
||||
{% for mesh in meshes %}
|
||||
# static {{ mesh.site_name }} routes for rt_table mwu
|
||||
/sbin/ip -4 route add {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}BR table mwu
|
||||
{% for ula in mesh.ipv6_ula %}
|
||||
/sbin/ip -6 route add {{ ula | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}BR table mwu
|
||||
{% endfor %}
|
||||
{% for public in mesh_value.ipv6.public %}
|
||||
/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh_id }}BR table mwu
|
||||
/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(56, magic) | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh_id }}BR table mwu
|
||||
{% for public in mesh.ipv6_public %}
|
||||
/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}BR table mwu
|
||||
/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(56, magic) | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}BR table mwu
|
||||
{% endfor %}
|
||||
{% if not loop.last %}
|
||||
|
||||
|
|