Roles: improve multidomain support

Julian Labus 2019-03-02 18:10:48 +01:00
parent 4127e56524
commit 721b278d3b
No known key found for this signature in database
GPG key ID: 8AF209F2C6B3572A
57 changed files with 344 additions and 223 deletions


@ -78,7 +78,7 @@ Weitere Gruppen-Variablen:
|Name|Type|Value|Format|Comment|
|----|----|-----|------|-------|
|as_private_mwu|Variable|65037|integer|Privates AS von Freifunk MWU|
|as_private|Variable|65037|integer|Privates AS von Freifunk MWU|
|as_public_ffrl|Variable|201701|integer|Public AS von Freifunk Rheinland|
|internet_exit_tcp_mss_ipv4|Variable|1240|integer|IPv4 TCP MSS|
|internet_exit_tcp_mss_ipv6|Variable|1220|integer|IPv6 TCP MSS|
@ -97,9 +97,9 @@ Weitere Gruppen-Variablen:
|icvpn.prefix|Key|mwu|string|Prefix für MWU Gateways, z.B. `mwu7` für Spinat|
|icvpn.interface|Key|icvpn|string|Name für ICVPN Interface + tinc Instanz|
|icvpn.icvpn_repo|Key|https://github.com/freifunk/icvpn|string|URL zum freifunk/icvpn Repository|
|bgp_mwu_servers|Dictionary|||Enthält pro BGP MWU peer ein Dictionary - IP-Adressen aus bgp_ipvX_transfer_net|
|bgp_mwu_servers.spinat|Dictionary||||
|bgp_mwu_servers.spinat.ipv4|Variable|10.37.0.7|string - IPv4-Adresse||
|bgp_legacy_servers|Dictionary|||Enthält pro BGP MWU peer ein Dictionary - IP-Adressen aus bgp_ipvX_transfer_net|
|bgp_legacy_servers.spinat|Dictionary||||
|bgp_legacy_servers.spinat.ipv4|Variable|10.37.0.7|string - IPv4-Adresse||
|bgp_mwu_server.spinat.ipv6|Variable|fd37:b4dc:4b1e::a25:7|string - IPv6-Adresse||
@ -109,7 +109,7 @@ Alle Server- bzw. Gateway-spezifischen Parameter werden als Host-Variablen abgeb
|Name|Type|Value|Format|Comment|
|----|----|-----|------|-------|
|magic|Variable|7|integer|Muss eindeutig unter allen Servern sein|
|ipv4_dhcp_range|Variable|6|integer|Wenn man das Mesh-Netz (/18) in /22er-Subnetze unterteilt und durchnummeriert, ist der Wert hier die Nummer des zu verwendenden /22er Subnetzes zwecks DHCP-Adress-Vergabe|
|ipv4_dhcp|Variable|6|integer|Wenn man das Mesh-Netz (/18) in /22er-Subnetze unterteilt und durchnummeriert, ist der Wert hier die Nummer des zu verwendenden /22er Subnetzes zwecks DHCP-Adress-Vergabe|
|ffrl_public_ipv4_nat|Variable|185.66.195.32/32|IP/Prefix|Öffentliche IPv4-NAT-Adresse|
|ffrl_exit_server|Dictionary|||Enthält pro FFRL Tunnel ein Dictionary|
|ffrl_exit_server.ffrl-a-ak-ber|Dictionary|||Name = Interface|
@ -158,7 +158,7 @@ magic:
# Die Nummer des /22er IPv4-Subnetzes, das per DHCP verteilt werden soll.
# z.B. 5 für 10.X.16.0/22 (fünftes /22 Subnetz aus 10.X.0.0/18)
ipv4_dhcp_range:
ipv4_dhcp:
# FFRL (muss vorher bereits zugewiesen worden sein)
# Öffentliche IPv4 NAT Adresse, Format: IP/Prefix


@ -11,5 +11,5 @@ bin_ansible_callbacks = True
[privilege_escalation]
become = True
#[ssh_connection]
#pipelining = True
[ssh_connection]
pipelining = True
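Review bot: Turning on `pipelining = True` alongside the existing `become = True` only works when sudo on the managed hosts does not enforce `requiretty`; where it does, every become task fails after this lands rather than before. Nothing in this hunk documents that precondition, and a one-line comment above the setting, `# requires sudo without requiretty on the managed hosts`, would spare the next person a debugging round. The matching sudoers change, if any, is not visible in this section.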


@ -2,7 +2,10 @@
ansible_version_minimum: "2.6"
debug_fastd: False
as_private_mwu: 65037
site_code: ffmwu
site_name: "Mainz, Wiesbaden und Umgebung"
as_private: 65037
as_public_ffrl: 201701
internet_exit_tcp_mss_ipv4: 1240
@ -11,16 +14,22 @@ internet_exit_tcp_mss_ipv6: 1220
icvpn_ipv4_transfer_net: 10.207.0.0/16
icvpn_ipv6_transfer_net: fec0::a:cf:0:0/96
ffmwu_loopback_net_ipv4: 10.37.255.0/24
ffmwu_loopback_net_ipv6: fd37:b4dc:4b1e:ffff::/64
ffmwu_anycast_ipv4: 10.37.255.255/32
ffmwu_anycast_ipv6: fd37:b4dc:4b1e:ffff:ffff:ffff:ffff:ffff/128
loopback_net_ipv4: 10.37.255.0/24
loopback_net_ipv6: fd37:b4dc:4b1e:ffff::/64
anycast_ipv4: 10.37.255.255/32
anycast_ipv6: fd37:b4dc:4b1e:ffff:ffff:ffff:ffff:ffff/128
ffmwu_internal_prefixes:
internal_prefixes:
- ipv4: 10.37.0.0/16
ipv6: fd37:b4dc:4b1e::/48
- ipv4: 10.56.0.0/16
ipv6: fd56:b4dc:4b1e::/48
- ipv4: 10.86.0.0/15
ipv6: fd86:b4dc:4b1e::/48
public_prefixes:
- ipv6: 2a03:2260:11a::/48
- ipv6: 2a03:2260:11b::/48
bgp_loopback_net: 10.37.0.0/18
bgp_ipv4_transfer_net: 10.37.0.0/18
@ -29,6 +38,10 @@ bgp_groups:
- ffmwu-gateways
- ffmwu-monitoring
fastd_groups:
- ffmwu-gateways
- ffmwu-monitoring
prometheus_groups:
- ffmwu-gateways
- ffmwu-monitoring
@ -48,17 +61,18 @@ gopath: "/opt/go"
meshes:
- id: mz
site_number: 37
site_code: ffmz
site_name: Mainz
sites_virtual:
legacy: true
domain_number: 37
domain_code: ffmz
domain_name: Mainz
aliases:
ffbin: Bingen
ffrhg: Rheingau
ipv4_network: 10.37.0.0/18
ipv6_ula:
- fd37:b4dc:4b1e::/48
- fd37:b4dc:4b1e::/64
ipv6_public:
- 2a03:2260:11a::/48
- 2a03:2260:11a::/64
dnssl:
- ffmz.org
- user.ffmz.org
@ -102,16 +116,17 @@ meshes:
http_domain_external: freifunk-mainz.de
- id: wi
site_number: 56
site_code: ffwi
site_name: Wiesbaden
sites_virtual:
legacy: true
domain_number: 56
domain_code: ffwi
domain_name: Wiesbaden
aliases:
ffta: Taunus
ipv4_network: 10.56.0.0/18
ipv6_ula:
- fd56:b4dc:4b1e::/48
- fd56:b4dc:4b1e::/64
ipv6_public:
- 2a03:2260:11b::/48
- 2a03:2260:11b::/64
dnssl:
- ffwi.org
- user.ffwi.org
@ -159,7 +174,7 @@ icvpn:
interface: icvpn
icvpn_repo: https://github.com/freifunk/icvpn
bgp_mwu_servers:
bgp_legacy_servers:
zuckerwatte:
ipv4: 10.37.1.2
ipv6: fd37:b4dc:4b1e::a25:102
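Review bot: The third `internal_prefixes` entry at L87 (`10.86.0.0/15`) is the only one wider than a /16 and, unlike the mz and wi entries, has no matching `meshes` entry in this section; since the list now feeds both the policy-routing rules and the `is_mwu_self_nets_*` filters plus the static reject routes in the bird templates, that whole /15 is treated as self-originated and announced into iBGP. If that is deliberate, a comment per entry (`# mz`, `# wi`, `# <domain>: reserved /15`) would make the mapping auditable; if the /15 is a typo for /16 it should be fixed before the rules are deployed. Note also that the per-mesh `ipv6_ula`/`ipv6_public` are narrowed from /48 to /64 (L120, L123) while the /48s move to `public_prefixes`, so consumers outside this view that still expect a /48 on the mesh need checking. The `meshes` list continues past the hunk.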


@ -1,8 +1,21 @@
---
ffmwu_server_type: "gateway"
server_type: "gateway"
magic: 161
ipv4_dhcp_range: 7
public_gw_prefixes:
- ipv6: 2a03:2260:11a:a100::/56
- ipv6: 2a03:2260:11b:a100::/56
mesh_gw_prefixes:
mz:
ipv4_dhcp: 10.37.24.0/22
ipv6_public:
- 2a03:2260:11a:a100::/64
wi:
ipv4_dhcp: 10.56.24.0/22
ipv6_public:
- 2a03:2260:11b:a100::/64
ffrl_public_ipv4_nat: 185.66.195.38/32


@ -1,8 +1,21 @@
---
ffmwu_server_type: "gateway"
server_type: "gateway"
magic: 23
ipv4_dhcp_range: 4
public_gw_prefixes:
- ipv6: 2a03:2260:11a:1700::/56
- ipv6: 2a03:2260:11b:1700::/56
mesh_gw_prefixes:
mz:
ipv4_dhcp: 10.37.16.0/22
ipv6_public:
- 2a03:2260:11a:1700::/64
wi:
ipv4_dhcp: 10.56.16.0/22
ipv6_public:
- 2a03:2260:11b:1700::/64
ffrl_public_ipv4_nat: 185.66.195.36/32


@ -1,2 +1,2 @@
---
ffmwu_server_type: "firmware-build"
server_type: "firmware-build"


@ -1,8 +1,21 @@
---
ffmwu_server_type: "gateway"
server_type: "gateway"
magic: 7
ipv4_dhcp_range: 5
public_gw_prefixes:
- ipv6: 2a03:2260:11a:0700::/56
- ipv6: 2a03:2260:11b:0700::/56
mesh_gw_prefixes:
mz:
ipv4_dhcp: 10.37.20.0/22
ipv6_public:
- 2a03:2260:11a:0700::/64
wi:
ipv4_dhcp: 10.56.20.0/22
ipv6_public:
- 2a03:2260:11b:0700::/64
ffrl_public_ipv4_nat: 185.66.195.32/32


@ -1,4 +1,4 @@
---
ffmwu_server_type: "monitoring"
server_type: "monitoring"
magic: 32


@ -1,8 +1,21 @@
---
ffmwu_server_type: "gateway"
server_type: "gateway"
magic: 101
ipv4_dhcp_range: 8
public_gw_prefixes:
- ipv6: 2a03:2260:11a:6500::/56
- ipv6: 2a03:2260:11b:6500::/56
mesh_gw_prefixes:
mz:
ipv4_dhcp: 10.37.32.0/22
ipv6_public:
- 2a03:2260:11a:6500::/64
wi:
ipv4_dhcp: 10.56.32.0/22
ipv6_public:
- 2a03:2260:11b:6500::/64
ffrl_public_ipv4_nat: 185.66.195.37/32


@ -1,8 +1,21 @@
---
ffmwu_server_type: "gateway"
server_type: "gateway"
magic: 231
ipv4_dhcp_range: 9
public_gw_prefixes:
- ipv6: 2a03:2260:11a:e700::/56
- ipv6: 2a03:2260:11b:e700::/56
mesh_gw_prefixes:
mz:
ipv4_dhcp: 10.37.36.0/22
ipv6_public:
- 2a03:2260:11a:e700::/64
wi:
ipv4_dhcp: 10.56.36.0/22
ipv6_public:
- 2a03:2260:11b:e700::/64
ffrl_public_ipv4_nat: 185.66.195.33/32


@ -7,5 +7,5 @@ Diese Ansible role konfiguriert das FFMWU Anycast Interface.
## Benötigte Variablen
- ffmwu_anycast_ipv4 # Anycast IPv4 Adresse
- ffmwu_anycast_ipv6 # Anycast IPv6 Adresse
- anycast_ipv4 # Anycast IPv4 Adresse
- anycast_ipv6 # Anycast IPv6 Adresse


@ -4,5 +4,5 @@
auto anycast
iface anycast
link-type dummy
address {{ ffmwu_anycast_ipv4 | ipaddr('network/prefix') }}
address {{ ffmwu_anycast_ipv6 | ipaddr('network/prefix') }}
address {{ anycast_ipv4 | ipaddr('network/prefix') }}
address {{ anycast_ipv6 | ipaddr('network/prefix') }}


@ -40,7 +40,7 @@ meshes:
- Host Variable `magic`
- Host Variable `ffmwu_server_type`
- Host Variable `server_type`
## MAC-Adressen


@ -2,7 +2,7 @@
- name: create dummy interfaces
template:
src: dummy.j2
dest: "/etc/network/interfaces.d/{{ item.id }}0"
dest: "/etc/network/interfaces.d/{{ item.id }}"
notify: reload network interfaces
loop: "{{ meshes }}"
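Review bot: The dummy interface and its ifupdown file are renamed from `{{ item.id }}0` to `{{ item.id }}` (the `dest` at L319, and the same rename in the dummy.j2 and batman templates in the next two sections), but nothing in these hunks removes the old `/etc/network/interfaces.d/<id>0` file or the `<id>0` link that already exists on deployed hosts, so until someone cleans up by hand ifupdown keeps bringing up both names. A companion task with the same loop, `file: path=/etc/network/interfaces.d/{{ item.id }}0 state=absent`, and a handler that takes the stale link down would make the rename converge on existing hosts. This may be handled in one of the 57 files not shown here.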


@ -7,9 +7,9 @@
auto {{ item.id }}bat
iface {{ item.id }}bat
hwaddress {{ mac | hwaddr('linux') }}
batman-ifaces {{ item.id }}0 {% if ffmwu_server_type == 'gateway' %}{% for instance in item.fastd.nodes.instances %}{{ item.id }}vpn-{{ instance.mtu }}{% if not loop.last %} {% endif %}{% endfor %} {% endif %}{% for instance in item.fastd.backbone.instances %}{{ item.id }}igvpn-{{ instance.mtu }}{% if not loop.last %} {% endif %}{% endfor %}
batman-ifaces {{ item.id }} {% if server_type == 'gateway' %}{% for instance in item.fastd.nodes.instances %}{{ item.id }}vpn-{{ instance.mtu }}{% if not loop.last %} {% endif %}{% endfor %} {% endif %}{% for instance in item.fastd.backbone.instances %}{{ item.id }}igvpn-{{ instance.mtu }}{% if not loop.last %} {% endif %}{% endfor %}
batman-hop-penalty {{ item.batman.hop_penalty }}
post-up /usr/sbin/batctl -m $IFACE it {{ item.batman.it }}
post-up /usr/sbin/batctl -m $IFACE mm {{ item.batman.mm }}
post-up /usr/sbin/batctl -m $IFACE dat {{ item.batman.dat }}
post-up /usr/sbin/batctl -m $IFACE gw {% if ffmwu_server_type == 'gateway' %}{{ item.batman.gw }}{% else %}off{% endif %}
post-up /usr/sbin/batctl -m $IFACE gw {% if server_type == 'gateway' %}{{ item.batman.gw }}{% else %}off{% endif %}


@ -3,7 +3,7 @@
#
# {{ ansible_managed }}
#
auto {{ item.id }}0
iface {{ item.id }}0
auto {{ item.id }}
iface {{ item.id }}
link-type dummy
hwaddress {{ mac | hwaddr('linux') }}


@ -34,7 +34,7 @@ meshes:
- Host Variable `magic`
- Host Variable `ffmwu_server_type`
- Host Variable `server_type`
## MAC-Adressen


@ -1,6 +1,6 @@
---
- name: create fastd mesh interfaces
when: ffmwu_server_type == "gateway"
when: server_type == "gateway"
template:
src: fastd-mesh.j2
dest: "/etc/network/interfaces.d/{{ item.0.id }}vpn-{{ item.1.mtu }}"


@ -7,5 +7,5 @@ Diese Ansible role konfiguriert das FFMWU Loopback Interface.
## Benötigte Variablen
- ffmwu_loopback_net_ipv4 # IPv4-Subnetz aus dem die Loopback IPs berechnet werden
- ffmwu_loopback_net_ipv6 # IPv6-Subnetz aus dem die Loopback IPs berechnet werden
- loopback_net_ipv4 # IPv4-Subnetz aus dem die Loopback IPs berechnet werden
- loopback_net_ipv6 # IPv6-Subnetz aus dem die Loopback IPs berechnet werden


@ -4,5 +4,5 @@
auto loopback
iface loopback
link-type dummy
address {{ ffmwu_loopback_net_ipv4 | ipsubnet(32, magic) | ipaddr('network/prefix') }}
address {{ ffmwu_loopback_net_ipv6 | ipaddr(magic) | ipaddr('address') }}/128
address {{ loopback_net_ipv4 | ipsubnet(32, magic) | ipaddr('network/prefix') }}
address {{ loopback_net_ipv6 | ipaddr(magic) | ipaddr('address') }}/128


@ -1,6 +1,7 @@
#
# {{ ansible_managed }}
#
auto {{ item.id }}br
iface {{ item.id }}br
address {{ item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('ip/prefix') }}
@ -9,8 +10,10 @@ iface {{ item.id }}br
{% endfor %}
{% for prefix in item.ipv6_public %}
address {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('ip/prefix') }}
{% if ffmwu_server_type == "gateway" %}
address {{ prefix | ipaddr('net') | ipsubnet(56, magic) | ipsubnet(64, 0) | ipaddr(1) | ipaddr('ip/prefix') }}
{% endif %}
{% endfor %}
{% if mesh_gw_prefixes is defined %}
{% for prefix in mesh_gw_prefixes[item.id].ipv6_public %}
address {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(1) | ipaddr('ip/prefix') }}
{% endfor %}
{% endif %}
bridge-ports {{ item.id }}bat
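Review bot: `mesh_gw_prefixes[item.id]` at L408 is indexed without checking that the gateway actually defines an entry for this mesh, so a gateway whose `mesh_gw_prefixes` lists only one of the `meshes` fails rendering with an undefined-variable error instead of skipping the address; the ip-routes add and del templates repeat the pattern at L544 and L669 (and L672 has `{% endif%}` where L547 has `{% endif %}`). Changing the guard to `{% if mesh_gw_prefixes is defined and item.id in mesh_gw_prefixes %}` handles that. The guard also moved from `server_type == "gateway"` to `is defined`, so a gateway host that forgets `mesh_gw_prefixes` now silently gets no gateway address where it used to be derived from `magic`; an `assert` in the gateway play that `mesh_gw_prefixes` is defined whenever `server_type == "gateway"` would keep that loud. The `iface` stanza starts before the hunk.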


@ -36,4 +36,4 @@ sysctl_settings_routing_(basic|gateway):
- Host Variable `magic`
- Host Variable `ffmwu_server_type`
- Host Variable `server_type`


@ -61,7 +61,7 @@
loop: "{{ sysctl_settings_routing_basic }}"
- name: set gateway sysctl settings for routing
when: ffmwu_server_type == "gateway"
when: server_type == "gateway"
sysctl:
name: "{{ item.name }}"
value: "{{ item.value }}"


@ -5,52 +5,52 @@
# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
{% for mesh in meshes %}
ip -4 rule add from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
ip -4 rule add to {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
ip -4 rule add from all oif {{ mesh.id }}br lookup mwu priority 7
{% for ula in mesh.ipv6_ula %}
ip -6 rule add from {{ ula }} lookup mwu priority 7
ip -6 rule add to {{ ula }} lookup mwu priority 7
{% endfor %}
{% for public in mesh.ipv6_public %}
ip -6 rule add from {{ public }} lookup mwu priority 7
ip -6 rule add to {{ public }} lookup mwu priority 7
{% endfor %}
ip -6 rule add from all oif {{ mesh.id }}br lookup mwu priority 7
{% endfor %}
{% for prefix in internal_prefixes %}
ip -4 rule add from {{ prefix.ipv4 }} lookup mwu priority 7
ip -4 rule add to {{ prefix.ipv4 }} lookup mwu priority 7
ip -6 rule add from {{ prefix.ipv6 }} lookup mwu priority 7
ip -6 rule add to {{ prefix.ipv6 }} lookup mwu priority 7
{% endfor %}
{% for prefix in public_prefixes %}
ip -6 rule add from {{ prefix.ipv6 }} lookup mwu priority 7
ip -6 rule add to {{ prefix.ipv6 }} lookup mwu priority 7
{% endfor %}
{% if ffmwu_server_type == 'gateway' %}
{% if server_type == 'gateway' %}
# Priority 23 - lookup rt_table icvpn for all incoming traffic of freifunk bridges
{% for mesh in meshes %}
ip -4 rule add from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23
ip -4 rule add to {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23
ip -4 rule add from all oif {{ mesh.id }}br lookup icvpn priority 23
{% for ula in mesh.ipv6_ula %}
ip -6 rule add from {{ ula }} lookup icvpn priority 23
ip -6 rule add to {{ ula }} lookup icvpn priority 23
{% endfor %}
{% for public in mesh.ipv6_public %}
ip -6 rule add from {{ public }} lookup icvpn priority 23
ip -6 rule add to {{ public }} lookup icvpn priority 23
{% endfor %}
ip -6 rule add from all oif {{ mesh.id }}br lookup icvpn priority 23
{% endfor %}
{% for prefix in internal_prefixes %}
ip -4 rule add from {{ prefix.ipv4 }} lookup icvpn priority 23
ip -4 rule add to {{ prefix.ipv4 }} lookup icvpn priority 23
ip -6 rule add from {{ prefix.ipv6 }} lookup icvpn priority 23
ip -6 rule add to {{ prefix.ipv6 }} lookup icvpn priority 23
{% endfor %}
{% for prefix in public_prefixes %}
ip -6 rule add from {{ prefix.ipv6 }} lookup icvpn priority 23
ip -6 rule add to {{ prefix.ipv6 }} lookup icvpn priority 23
{% endfor %}
ip -4 rule add from all oif icvpn lookup icvpn priority 23
ip -6 rule add from all oif icvpn lookup icvpn priority 23
# Priority 41 - lookup rt_table internet for all incoming traffic of freifunk bridges
{% for mesh in meshes %}
ip -4 rule add from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup internet priority 41
{% for ula in mesh.ipv6_ula %}
ip -6 rule add from {{ ula }} lookup internet priority 41
ip -6 rule add to {{ ula }} lookup internet priority 41
{% endfor %}
{% for public in mesh.ipv6_public %}
ip -6 rule add from {{ public }} lookup internet priority 41
ip -6 rule add to {{ public }} lookup internet priority 41
{% endfor %}
ip -6 rule add from all oif {{ mesh.id }}br lookup internet priority 41
{% endfor %}
{% for prefix in internal_prefixes %}
ip -4 rule add from {{ prefix.ipv4 }} lookup internet priority 41
ip -6 rule add from {{ prefix.ipv6 }} lookup internet priority 41
ip -6 rule add to {{ prefix.ipv6 }} lookup internet priority 41
{% endfor %}
{% for prefix in public_prefixes %}
ip -6 rule add from {{ prefix.ipv6 }} lookup internet priority 41
ip -6 rule add to {{ prefix.ipv6 }} lookup internet priority 41
{% endfor %}
ip -4 rule add from {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41
ip -4 rule add to {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41
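Review bot: The new `internal_prefixes` and `public_prefixes` loops (L450–L459 and their icvpn/internet copies at L477–L486 and L502–L510) interpolate `prefix.ipv4`/`prefix.ipv6` verbatim, whereas the surviving mesh loop normalises with `ipaddr('network')` and the bird templates apply `ipaddr('net')` to the very same entries (L918); an entry ever written as host/prefix would then yield a rule with host bits set here but a clean network in BGP. Using `{{ prefix.ipv4 | ipaddr('net') }}` (and likewise for `ipv6`) keeps both consumers on the same prefix. The same blocks are duplicated line for line in the del template (section ending at L637), and both must stay in lockstep; generating the rule list from one macro that takes `add`/`del` as a parameter would remove the chance of them drifting apart.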
@ -67,11 +67,9 @@ ip -6 rule add from all iif {{ server_id }} type unreachable priority 61
{% endfor %}
ip -6 rule add from all iif icvpn type unreachable priority 61
ip -6 rule add from all iif {{ ansible_default_ipv6.interface }} type unreachable priority 61
{% for mesh in meshes %}
{% for public in mesh.ipv6_public %}
ip -6 rule add from {{ public }} type unreachable priority 61
ip -6 rule add to {{ public }} type unreachable priority 61
{% endfor %}
{% for prefix in public_prefixes %}
ip -6 rule add from {{ prefix.ipv6 }} type unreachable priority 61
ip -6 rule add to {{ prefix.ipv6 }} type unreachable priority 61
{% endfor %}
# Priority 107 - lookup policies for the gateway host self originating traffic


@ -4,21 +4,25 @@
#
{% for mesh in meshes %}
# static {{ mesh.site_name }} routes for rt_table mwu
# static {{ mesh.domain_name }} routes for rt_table mwu
/sbin/ip -4 route add {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}br table mwu
{% for ula in mesh.ipv6_ula %}
/sbin/ip -6 route add {{ ula | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}br table mwu
{% endfor %}
{% for public in mesh.ipv6_public %}
/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}br table mwu
/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(56, magic) | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}br table mwu
{% endfor %}
{% if mesh_gw_prefixes is defined %}
{% for public in mesh_gw_prefixes[mesh.id].ipv6_public %}
/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}br table mwu
{% endfor %}
{% endif %}
{% if not loop.last %}
{% endif %}
{% endfor %}
{% if ffmwu_server_type == 'gateway' %}
{% if server_type == 'gateway' %}
# static blackhole routes for rt_table internet
/sbin/ip -4 route add blackhole 0.0.0.0/8 table internet
/sbin/ip -4 route add blackhole 10.0.0.0/8 table internet


@ -5,52 +5,52 @@
# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
{% for mesh in meshes %}
ip -4 rule del from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
ip -4 rule del to {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
ip -4 rule del from all oif {{ mesh.id }}br lookup mwu priority 7
{% for ula in mesh.ipv6_ula %}
ip -6 rule del from {{ ula }} lookup mwu priority 7
ip -6 rule del to {{ ula }} lookup mwu priority 7
{% endfor %}
{% for public in mesh.ipv6_public %}
ip -6 rule del from {{ public }} lookup mwu priority 7
ip -6 rule del to {{ public }} lookup mwu priority 7
{% endfor %}
ip -6 rule del from all oif {{ mesh.id }}br lookup mwu priority 7
{% endfor %}
{% for prefix in internal_prefixes %}
ip -4 rule del from {{ prefix.ipv4 }} lookup mwu priority 7
ip -4 rule del to {{ prefix.ipv4 }} lookup mwu priority 7
ip -6 rule del from {{ prefix.ipv6 }} lookup mwu priority 7
ip -6 rule del to {{ prefix.ipv6 }} lookup mwu priority 7
{% endfor %}
{% for prefix in public_prefixes %}
ip -6 rule del from {{ prefix.ipv6 }} lookup mwu priority 7
ip -6 rule del to {{ prefix.ipv6 }} lookup mwu priority 7
{% endfor %}
{% if ffmwu_server_type == 'gateway' %}
{% if server_type == 'gateway' %}
# Priority 23 - lookup rt_table icvpn for all incoming traffic of freifunk bridges
{% for mesh in meshes %}
ip -4 rule del from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23
ip -4 rule del to {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23
ip -4 rule del from all oif {{ mesh.id }}br lookup icvpn priority 23
{% for ula in mesh.ipv6_ula %}
ip -6 rule del from {{ ula }} lookup icvpn priority 23
ip -6 rule del to {{ ula }} lookup icvpn priority 23
{% endfor %}
{% for public in mesh.ipv6_public %}
ip -6 rule del from {{ public }} lookup icvpn priority 23
ip -6 rule del to {{ public }} lookup icvpn priority 23
{% endfor %}
ip -6 rule del from all oif {{ mesh.id }}br lookup icvpn priority 23
{% endfor %}
{% for prefix in internal_prefixes %}
ip -4 rule del from {{ prefix.ipv4 }} lookup icvpn priority 23
ip -4 rule del to {{ prefix.ipv4 }} lookup icvpn priority 23
ip -6 rule del from {{ prefix.ipv6 }} lookup icvpn priority 23
ip -6 rule del to {{ prefix.ipv6 }} lookup icvpn priority 23
{% endfor %}
{% for prefix in public_prefixes %}
ip -6 rule del from {{ prefix.ipv6 }} lookup icvpn priority 23
ip -6 rule del to {{ prefix.ipv6 }} lookup icvpn priority 23
{% endfor %}
ip -4 rule del from all oif icvpn lookup icvpn priority 23
ip -6 rule del from all oif icvpn lookup icvpn priority 23
# Priority 41 - lookup rt_table internet for all incoming traffic of freifunk bridges
{% for mesh in meshes %}
ip -4 rule del from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup internet priority 41
{% for ula in mesh.ipv6_ula %}
ip -6 rule del from {{ ula }} lookup internet priority 41
ip -6 rule del to {{ ula }} lookup internet priority 41
{% endfor %}
{% for public in mesh.ipv6_public %}
ip -6 rule del from {{ public }} lookup internet priority 41
ip -6 rule del to {{ public }} lookup internet priority 41
{% endfor %}
ip -6 rule del from all oif {{ mesh.id }}br lookup internet priority 41
{% endfor %}
{% for prefix in internal_prefixes %}
ip -4 rule del from {{ prefix.ipv4 }} lookup internet priority 41
ip -6 rule del from {{ prefix.ipv6 }} lookup internet priority 41
ip -6 rule del to {{ prefix.ipv6 }} lookup internet priority 41
{% endfor %}
{% for prefix in public_prefixes %}
ip -6 rule del from {{ prefix.ipv6 }} lookup internet priority 41
ip -6 rule del to {{ prefix.ipv6 }} lookup internet priority 41
{% endfor %}
ip -4 rule del from {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41
ip -4 rule del to {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41
@ -67,11 +67,9 @@ ip -6 rule del from all iif {{ server_id }} type unreachable priority 61
{% endfor %}
ip -6 rule del from all iif icvpn type unreachable priority 61
ip -6 rule del from all iif {{ ansible_default_ipv6.interface }} type unreachable priority 61
{% for mesh in meshes %}
{% for public in mesh.ipv6_public %}
ip -6 rule del from {{ public }} type unreachable priority 61
ip -6 rule del to {{ public }} type unreachable priority 61
{% endfor %}
{% for prefix in public_prefixes %}
ip -6 rule del from {{ prefix.ipv6 }} type unreachable priority 61
ip -6 rule del to {{ prefix.ipv6 }} type unreachable priority 61
{% endfor %}
# Priority 107 - lookup policies for the gateway host self originating traffic


@ -4,21 +4,25 @@
#
{% for mesh in meshes %}
# static {{ mesh.site_name }} routes for rt_table mwu
# static {{ mesh.domain_name }} routes for rt_table mwu
/sbin/ip -4 route del {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}br table mwu
{% for ula in mesh.ipv6_ula %}
/sbin/ip -6 route del {{ ula | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}br table mwu
{% endfor %}
{% for public in mesh.ipv6_public %}
/sbin/ip -6 route del {{ public | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}br table mwu
/sbin/ip -6 route del {{ public | ipaddr('net') | ipsubnet(56, magic) | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}br table mwu
{% endfor %}
{% if mesh_gw_prefixes is defined %}
{% for public in mesh_gw_prefixes[mesh.id].ipv6_public %}
/sbin/ip -6 route del {{ public | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}br table mwu
{% endfor %}
{% endif%}
{% if not loop.last %}
{% endif %}
{% endfor %}
{% if ffmwu_server_type == 'gateway' %}
{% if server_type == 'gateway' %}
# static blackhole routes for rt_table internet
/sbin/ip -4 route del blackhole 0.0.0.0/8 table internet
/sbin/ip -4 route del blackhole 10.0.0.0/8 table internet


@ -16,4 +16,4 @@ Die folgenden Variablen werden über einen DNS Lookup gesetzt:
- Variable `dns_host_ipv6_address` (Rollen-Variable)
- Variable `dns_gate_num_cname` (Rollen-Variable)
- Variable `dns_gate_icvpn_cname` (Rollen-Variable)
- Variable `ffmwu_server_type`
- Variable `server_type`


@ -14,7 +14,7 @@
- "ansible_distribution_major_version == '9'"
- name: Check gateway specific DNS entries
when: ffmwu_server_type == "gateway"
when: server_type == "gateway"
assert:
that:
- "dns_gate_num_cname == inventory_hostname"


@ -38,7 +38,7 @@
- name: write named.conf for meshes
template:
src: named.conf.mesh.j2
dest: /etc/bind/named.conf.{{ item.site_code }}
dest: /etc/bind/named.conf.{{ item.domain_code }}
owner: root
group: bind
mode: 0644


@ -6,6 +6,6 @@ include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.conf.logging";
{% for mesh in meshes %}
include "/etc/bind/named.conf.{{ mesh.site_code }}";
include "/etc/bind/named.conf.{{ mesh.domain_code }}";
{% endfor %}
include "/etc/bind/named.conf.icvpn";


@ -3,10 +3,11 @@
//
// ACLs
masters "ns-master-{{ item.site_code }}" {
masters "ns-master-{{ item.domain_code }}" {
{{ item.dns.master }};
};
{% if item.dns.forward_zones is defined %}
{% for zone in item.dns.forward_zones %}
{% if zone.master is defined %}
masters "ns-master-{{ zone.name }}" {
@ -15,15 +16,17 @@ masters "ns-master-{{ zone.name }}" {
{% endif %}
{% endfor %}
{% endif %}
acl "intern-{{ item.site_code }}" {
acl "intern-{{ item.domain_code }}" {
{{ item.ipv4_network | ipaddr('net') | ipaddr('network/prefix') }};
{% for prefix in item.ipv6_ula %}
{{ prefix | ipaddr('net') | ipaddr('network/prefix') }};
{% endfor %}
};
// DNS forward zones for {{ item.site_code }}
{% if item.dns.forward_zones is defined %}
// DNS forward zones for {{ item.domain_code }}
{% for zone in item.dns.forward_zones %}
zone "{{ zone.name }}." {
type slave;
@ -31,26 +34,27 @@ zone "{{ zone.name }}." {
{% if zone.master is defined %}
masters { ns-master-{{ zone.name }}; };
{% else %}
masters { ns-master-{{ item.site_code }}; };
masters { ns-master-{{ item.domain_code }}; };
{% endif %}
};
{% if not loop.last %}
{% endif %}
{% endfor %}
{% endif %}
// DNS reverse zones for {{ item.site_code }}
// DNS reverse zones for {{ item.domain_code }}
zone "{{ item.ipv4_network | ipaddr('net') | ipaddr('revdns') }}" {
type slave;
file "{{ item.ipv4_network | ipaddr('net') | ipaddr('revdns') }}";
masters { ns-master-{{ item.site_code }}; };
masters { ns-master-{{ item.domain_code }}; };
};
{% for prefix in item.ipv6_ula %}
zone "{{ prefix | ipaddr('net') | ipaddr('revdns') }}" {
type slave;
file "{{ prefix | ipaddr('net') | ipaddr('revdns') }}";
masters { ns-master-{{ item.site_code }}; };
masters { ns-master-{{ item.domain_code }}; };
};
{% if not loop.last %}


@ -12,15 +12,15 @@ options {
127.0.0.1;
::1;
{% for mesh in meshes %}
intern-{{ mesh.site_code }};
intern-{{ mesh.domain_code }};
{% endfor %}
};
allow-transfer { any; };
listen-on {
127.0.0.1;
{{ ffmwu_anycast_ipv4 | ipaddr('address') }};
{{ ffmwu_loopback_net_ipv4 | ipaddr('net') | ipaddr(magic) | ipaddr('address') }};
{{ anycast_ipv4 | ipaddr('address') }};
{{ loopback_net_ipv4 | ipaddr('net') | ipaddr(magic) | ipaddr('address') }};
{% for mesh in meshes %}
{{ mesh.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') }};
{% endfor %}
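Review bot: The rebuilt `listen-on` and `listen-on-v6` lists at L799–L800 and L809–L810 bind the resolver to the anycast, loopback and mesh-facing addresses, and the unchanged `allow-transfer { any; };` just above still permits full zone transfers from every address the server now listens on. That line is context rather than part of this change, but since the commit reworks the surrounding block it is the moment to restrict it to the ACLs the same hunk generates, e.g. `allow-transfer { {% for mesh in meshes %}intern-{{ mesh.domain_code }}; {% endfor %}};`, or to the secondaries' addresses, so arbitrary mesh clients cannot dump the zones. The `options { … }` block starts and ends outside the hunk.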
@ -29,8 +29,8 @@ options {
listen-on-v6 {
::1;
{{ ffmwu_anycast_ipv6 | ipaddr('address') }};
{{ ffmwu_loopback_net_ipv6 | ipaddr('net') | ipaddr(magic) | ipaddr('address') }};
{{ anycast_ipv6 | ipaddr('address') }};
{{ loopback_net_ipv6 | ipaddr('net') | ipaddr(magic) | ipaddr('address') }};
{% for mesh in meshes %}
{% for ip in mesh.ipv6_ula %}
{{ ip | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('address') }};


@ -11,9 +11,8 @@ table ffrl;
# Functions
function is_ffrl_public_nets() {
return net ~ [
{% for mesh in meshes %}
{% for prefix in mesh.ipv6_public %}
{{ prefix }}{48,56}{{ "," if not loop.last else "" }}{% endfor %}{{ "," if not loop.last else "" }}
{% for prefix in public_gw_prefixes %}
{{ prefix.ipv6 }}{48,56}{{ "," if not loop.last else "" }}
{% endfor %}
];
}
@ -40,11 +39,11 @@ filter ebgp_ffrl_export_filter {
# Protocols
protocol static ffrl_public_routes {
table ffrl;
{% for mesh in meshes %}
{% for prefix in mesh.ipv6_public %}
route {{ prefix }} reject;
route {{ prefix | ipaddr('net') | ipsubnet(56, magic) | ipaddr('network/prefix') }} reject;
{% for prefix in public_prefixes %}
route {{ prefix.ipv6 }} reject;
{% endfor %}
{% for prefix in public_gw_prefixes %}
route {{ prefix.ipv6 }} reject;
{% endfor %}
}
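Review bot: After L824–L826 `is_ffrl_public_nets()` lists only the per-gateway /56s from `public_gw_prefixes`, while `protocol static ffrl_public_routes` at L837–L839 now also originates the site-wide /48s from `public_prefixes`; if `ebgp_ffrl_export_filter` (its body is outside the hunk) relies on `is_ffrl_public_nets()`, those /48 reject routes no longer match and are not exported towards FFRL. A `{48,56}` length range attached to a /56 also only matches the /56 itself, which suggests the list was meant to hold the /48s. Iterating `public_prefixes` here instead — `{% for prefix in public_prefixes %}` / `{{ prefix.ipv6 }}{48,56}{{ "," if not loop.last else "" }}` — covers both the /48s and every /56 below them in a single loop.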


@ -35,9 +35,9 @@
group: "{{ lg_user }}"
- name: configure lg-proxy
when: ffmwu_server_type == "gateway"
when: server_type == "gateway"
include_tasks: lg-proxy.yml
- name: configure lg-webservice
when: ffmwu_server_type == "monitoring"
when: server_type == "monitoring"
include_tasks: lg-webservice.yml


@ -22,7 +22,7 @@ ROUTER_IP = {
AS_NUMBER = {
{% for host in groups["ffmwu-gateways"] %}
"{{ host.rsplit('.freifunk-mwu.de')[0] }}" : "{{ as_private_mwu }}",
"{{ host.rsplit('.freifunk-mwu.de')[0] }}" : "{{ as_private }}",
{% endfor %}
}


@ -13,16 +13,16 @@ Im iBGP peeren wir mangels separatem Transfernetz (im Moment) im Mainzer Mesh Ne
## Benötigte Variablen
- Variable `bgp_loopback_net` # IPv4-Range des Mainzer Meshes, hieraus werden die Loopback Adressen gewählt.
- Variable `ffmwu_loopback_net_ipv4` # IPv4-Subnetz für Loopback-Adressen
- Variable `ffmwu_loopback_net_ipv6` # IPv6-Subnetz für Loopback-Adressen
- Variable `ffmwu_anycast_ipv4` # Anycast IPv4-Adresse
- Variable `ffmwu_anycast_ipv6` # Anycast IPv6-Adresse
- Variable `loopback_net_ipv4` # IPv4-Subnetz für Loopback-Adressen
- Variable `loopback_net_ipv6` # IPv6-Subnetz für Loopback-Adressen
- Variable `anycast_ipv4` # Anycast IPv4-Adresse
- Variable `anycast_ipv6` # Anycast IPv6-Adresse
- Variable `bgp_ipv4_transfer_net` # IPv4-Range des Mainzer Meshes, das aktuell als Transfernetz benutzt wird.
- Variable `bgp_ipv6_transfer_net` # IPv6-Range des Mainzer Meshes, das aktuell als Transfernetz benutzt wird.
- Variable `bgp_as_private_mwu` # Private ASN von Freifunk MWU
- Variable `bgp_as_private` # Private ASN von Freifunk MWU
- Liste `bgp_groups` # List von Hostgruppen zu denen eine Verbindung aufgebaut werden soll
- Liste `ffmwu_internal_prefixes`
- Dictionary `bgp_mwu_servers`
- Liste `internal_prefixes`
- Dictionary `bgp_legacy_servers`
```
spinat: # kurzer Hostname des Peers


@ -52,7 +52,7 @@
notify: reload systemd unit bird6
- name: write radv.conf
when: ffmwu_server_type == "gateway"
when: server_type == "gateway"
template:
src: radv.conf.j2
dest: /etc/bird/radv.conf


@ -4,7 +4,7 @@
# Variables
define mwu_address = {{ bgp_ipv4_transfer_net | ipaddr('net') | ipaddr(magic) | ipaddr('address') }};
define mwu_as = {{ as_private_mwu }};
define mwu_as = {{ as_private }};
define router_id = {{ bgp_loopback_net | ipaddr('net') | ipaddr(magic) | ipaddr('address') }};
# General
@ -38,7 +38,7 @@ function is_chaosvpn() {
function is_mwu_self_nets_loose() {
return net ~ [
{% for prefix in ffmwu_internal_prefixes %}
{% for prefix in internal_prefixes %}
{{ prefix.ipv4 | ipaddr('net') }}+{{ "," if not loop.last else "" }}
{% endfor %}
];
@ -46,7 +46,7 @@ function is_mwu_self_nets_loose() {
function is_mwu_self_nets_strict() {
return net ~ [
{% for prefix in ffmwu_internal_prefixes %}
{% for prefix in internal_prefixes %}
{{ prefix.ipv4 | ipaddr('net') }}{{ "," if not loop.last else "" }}
{% endfor %}
];
@ -54,13 +54,13 @@ function is_mwu_self_nets_strict() {
function is_mwu_loopback() {
return net ~ [
{{ ffmwu_loopback_net_ipv4 }}+
{{ loopback_net_ipv4 }}+
];
}
function is_mwu_anycast() {
return net ~ [
{{ ffmwu_anycast_ipv4 }}
{{ anycast_ipv4 }}
];
}
@ -81,7 +81,7 @@ protocol direct mwu_loopback {
import where is_mwu_loopback();
};
{% if ffmwu_server_type == "gateway" %}
{% if server_type == "gateway" %}
protocol direct mwu_anycast {
interface "anycast";
import where is_mwu_anycast();
@ -89,7 +89,7 @@ protocol direct mwu_anycast {
{% endif %}
protocol static {
{% for prefix in ffmwu_internal_prefixes %}
{% for prefix in internal_prefixes %}
route {{ prefix.ipv4 }} reject;
{% endfor %}
};
@ -98,7 +98,7 @@ protocol kernel kernel_mwu {
scan time 30;
import none;
export filter {
{% if ffmwu_server_type == "gateway" %}
{% if server_type == "gateway" %}
if is_mwu_anycast() then reject;
{% else %}
if is_mwu_anycast() then accept;
@ -114,7 +114,7 @@ template bgp ibgp_mwu {
local mwu_address as mwu_as;
import keep filtered on;
import filter {
{% if ffmwu_server_type == "gateway" %}
{% if server_type == "gateway" %}
if is_mwu_anycast() then reject;
{% endif %}
if is_mwu_self_nets_loose() then accept;
@ -134,7 +134,7 @@ template bgp ibgp_mwu {
# Include IPv4 MWU peers
include "mwu_ipv4_peers.con?";
{% if ffmwu_server_type == "gateway" %}
{% if server_type == "gateway" %}
# Include IPv4 ICVPN configuration
include "icvpn_ipv4.con?";


@ -5,7 +5,7 @@
# Variables
define router_id = {{ bgp_loopback_net | ipaddr('net') | ipaddr(magic) | ipaddr('address') }};
define mwu_address = {{ bgp_ipv6_transfer_net | ipaddr('net') | ipaddr(magic) | ipaddr('address') }};
define mwu_as = {{ as_private_mwu }};
define mwu_as = {{ as_private }};
# General
timeformat protocol iso long;
@ -26,7 +26,7 @@ function is_ula() {
function is_mwu_self_nets_loose() {
return net ~ [
{% for prefix in ffmwu_internal_prefixes %}
{% for prefix in internal_prefixes %}
{{ prefix.ipv6 | ipaddr('net') }}+{{ "," if not loop.last else "" }}
{% endfor %}
];
@ -34,7 +34,7 @@ function is_mwu_self_nets_loose() {
function is_mwu_self_nets_strict() {
return net ~ [
{% for prefix in ffmwu_internal_prefixes %}
{% for prefix in internal_prefixes %}
{{ prefix.ipv6 | ipaddr('net') }}{{ "," if not loop.last else "" }}
{% endfor %}
];
@ -42,13 +42,13 @@ function is_mwu_self_nets_strict() {
function is_mwu_loopback() {
return net ~ [
{{ ffmwu_loopback_net_ipv6 }}+
{{ loopback_net_ipv6 }}+
];
};
function is_mwu_anycast() {
return net ~ [
{{ ffmwu_anycast_ipv6 }}+
{{ anycast_ipv6 }}+
];
};
@ -69,7 +69,7 @@ protocol direct mwu_loopback {
import where is_mwu_loopback();
};
{% if ffmwu_server_type == "gateway" %}
{% if server_type == "gateway" %}
protocol direct mwu_anycast {
interface "anycast";
import where is_mwu_anycast();
@ -77,7 +77,7 @@ protocol direct mwu_anycast {
{% endif %}
protocol static {
{% for prefix in ffmwu_internal_prefixes %}
{% for prefix in internal_prefixes %}
route {{ prefix.ipv6 }} reject;
{% endfor %}
};
@ -86,7 +86,7 @@ protocol kernel kernel_mwu {
scan time 30;
import none;
export filter {
{% if ffmwu_server_type == "gateway" %}
{% if server_type == "gateway" %}
if is_mwu_anycast() then reject;
{% else %}
if is_mwu_anycast() then accept;
@ -102,7 +102,7 @@ template bgp ibgp_mwu {
local mwu_address as mwu_as;
import keep filtered on;
import filter {
{% if ffmwu_server_type == "gateway" %}
{% if server_type == "gateway" %}
if is_mwu_anycast() then reject;
{% endif %}
if is_mwu_self_nets_loose() then accept;
@ -120,7 +120,7 @@ template bgp ibgp_mwu {
# Include IPv6 MWU peers
include "mwu_ipv6_peers.con?";
{% if ffmwu_server_type == "gateway" %}
{% if server_type == "gateway" %}
# Include IPv6 ICVPN configuration
include "icvpn_ipv6.con?";


@ -12,7 +12,7 @@ protocol bgp mwu_{{ host.rsplit('.freifunk-mwu.de')[0] }} from ibgp_mwu {
{% endif %}
{% endfor %}
{% endfor %}
{% for item, value in bgp_mwu_servers.items() %}
{% for item, value in bgp_legacy_servers.items() %}
{% if item != inventory_hostname_short %}
protocol bgp mwu_{{ item }} from ibgp_mwu {
neighbor {{ value.ipv4 }} as mwu_as;


@ -12,7 +12,7 @@ protocol bgp mwu_{{ host.rsplit('.freifunk-mwu.de')[0] }} from ibgp_mwu {
{% endif %}
{% endfor %}
{% endfor %}
{% for item, value in bgp_mwu_servers.items() %}
{% for item, value in bgp_legacy_servers.items() %}
{% if item != inventory_hostname_short %}
protocol bgp mwu_{{ item }} from ibgp_mwu {
neighbor {{ value.ipv6 }} as mwu_as;


@ -11,27 +11,31 @@ protocol radv radv_{{ mesh.id }} {
{% endfor %}
{% for prefix in mesh.ipv6_public %}
prefix {{ prefix | ipaddr('net') | ipsubnet(56, magic) | ipsubnet(64, 0) | ipaddr('subnet') }} {
valid lifetime {{ mesh.radvd.advvalidlifetime }};
preferred lifetime {{ mesh.radvd.advpreferredlifetime }};
};
prefix {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} {
skip yes;
};
{% endfor %}
{% for prefix in mesh_gw_prefixes[mesh.id].ipv6_public %}
prefix {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} {
valid lifetime {{ mesh.radvd.advvalidlifetime }};
preferred lifetime {{ mesh.radvd.advpreferredlifetime }};
};
{% endfor %}
rdnss {
{% for prefix in mesh.ipv6_ula %}
ns {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('address') }};
{% endfor %}
};
{% if mesh.dnssl is defined %}
dnssl {
{% for dnssl in mesh.dnssl %}
domain "{{ dnssl }}";
{% endfor %}
};
{% endif %}
link mtu {{ mesh.iface_mtu }};
};
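Review bot: The new loop indexes `mesh_gw_prefixes[mesh.id]` with no `is defined` guard, so a mesh without an entry in `mesh_gw_prefixes` now aborts the whole radv render instead of simply advertising no gateway-specific prefix; if every gateway mesh is required to have an entry that is acceptable fail-fast behaviour, but the structure itself (`.ipv6_public` here, `.ipv4_dhcp` in the kea template of this same commit) appears in none of the README hunks, so a user of the role cannot tell what to define. Add it to the bird role's variable table, e.g. `|mesh_gw_prefixes.<mesh id>.ipv6_public|Liste||string - IPv6-Prefix|Gateway-specific public prefixes; each is advertised as its first /64 with the mesh's radvd lifetimes|`. Note also that the removed line derived the advertised /64 from the mesh prefix via `ipsubnet(56, magic)`, whereas the new loop takes `ipsubnet(64, 0)` of the listed prefix as-is, so the per-gateway split now has to be done in the inventory. The enclosing `protocol radv` block begins before the hunk.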


@ -24,8 +24,8 @@ meshes:
```
- Host Variable `magic`
- Host Variable `ipv4_dhcp_range`
- Host Variable `ipv4_dhcp`
## DHCP Range
In der Host-Variable `ipv4_dhcp_range` wird als Integer die Nummer des /22 Blocks aus `ipv4_network` definiert, welcher als DHCP Range verwendet werden soll. Dem Gateway Lotuswurzel ist die DHCP-Range 10.X.16.0-10.X.19.255 zugewiesen. Diese ist der 4. /22er Block, also wird in der Host-Variable für die Lotuswurzel `4` geschrieben.
In der Host-Variable `ipv4_dhcp` wird als Integer die Nummer des /22 Blocks aus `ipv4_network` definiert, welcher als DHCP Range verwendet werden soll. Dem Gateway Lotuswurzel ist die DHCP-Range 10.X.16.0-10.X.19.255 zugewiesen. Diese ist der 4. /22er Block, also wird in der Host-Variable für die Lotuswurzel `4` geschrieben.


@ -38,7 +38,7 @@
{% for mesh in meshes %}
{
"subnet": "{{ mesh.ipv4_network | ipaddr('network/prefix') }}",
"pools": [ { "pool": "{{ mesh.ipv4_network | ipsubnet(22, ipv4_dhcp_range) | ipaddr('net') | ipaddr('range_usable') }}" } ],
"pools": [ { "pool": "{{ mesh_gw_prefixes[mesh.id].ipv4_dhcp | ipaddr('net') | ipaddr('range_usable') }}" } ],
"option-data": [
{
"name": "routers",
@ -51,11 +51,12 @@
{
"name": "domain-name-servers",
"data": "{{ mesh.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') }}"
},
}{% if mesh.dnssl is defined %},
{
"name": "domain-search",
"data": "{% for dnssl in mesh.dnssl %}{{ dnssl }}{% if not loop.last %}, {% endif %}{% endfor %}"
}
{% endif %}
]
{% if not loop.last %}
},
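Review bot: The pool line now reads `mesh_gw_prefixes[mesh.id].ipv4_dhcp` and feeds it to `ipaddr('net')`, which only yields a value for a CIDR network, while the README hunk in this same commit still describes `ipv4_dhcp` as a host variable holding the integer number of a /22 block out of `ipv4_network`; the two cannot both be right, and from the template it appears `ipv4_dhcp` has become a per-mesh network under `mesh_gw_prefixes`. The README sentence should be rewritten to say that `mesh_gw_prefixes.<mesh id>.ipv4_dhcp` is the network (CIDR) whose usable range becomes the Kea pool, and the "Host Variable" bullet dropped. Separately, the new `domain-search` entry interpolates each `dnssl` value into a JSON string literal unescaped; the values come from the inventory, but replacing the loop with `"data": {{ mesh.dnssl | join(', ') | to_json }}` produces the same string for well-formed names and keeps the file valid JSON if one ever contains a quote or backslash.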


@ -13,7 +13,7 @@
mode: 0755
owner: admin
group: admin
loop: "{{ meshes | subelements('fastd.backbone.instances') }}"
loop: "{{ meshes | selectattr('legacy', 'defined') | list | subelements('fastd.backbone.instances') }}"
- name: clone fastd peer backbone repos
git:
@ -23,7 +23,7 @@
update: yes
tags: sync-peers
notify: reload fastd backbone instances
loop: "{{ meshes | subelements('fastd.backbone.instances') }}"
loop: "{{ meshes | selectattr('legacy', 'defined') | list | subelements('fastd.backbone.instances') }}"
become: false
- name: template fastd backbone config


@ -13,15 +13,29 @@ method "aes128-ctr+umac";
interface "{{ item.0.id }}igvpn-{{ item.1.mtu }}";
bind {{ ansible_default_ipv4.address | ipaddr('public') }}:11{{ item.1.id }}{{ item.0.site_number }};
bind {{ ansible_default_ipv6.address | ipaddr('public') | ipwrap }}:11{{ item.1.id }}{{ item.0.site_number }};
bind {{ ansible_default_ipv4.address | ipaddr('public') }}:11{{ item.1.id }}{{ '%02d' % item.0.domain_number }};
bind {{ ansible_default_ipv6.address | ipaddr('public') | ipwrap }}:11{{ item.1.id }}{{ '%02d' % item.0.domain_number }};
include "secret.conf";
mtu {{ item.1.mtu }};
peer group "servers" {
{% if item.0.legacy is defined %}
include peers from "peers/gates";
include peers from "peers/services";
{% else %}
{% for group in fastd_groups %}
{% for host in groups[group] %}
{% set peer = host.rsplit('.')[0] %}
{% if host != inventory_hostname %}
peer "{{ peer }}" {
key "{{ lookup('passwordstore', item.1.pass + '/' + peer + ' subkey=public') }}";
remote ipv6 "{{ host }}" port 11{{ item.1.id }}{{ '%02d' % item.0.domain_number }};
}
{% endif %}
{% endfor %}
{% endfor %}
{% endif %}
}
on up "/bin/systemctl reload networking";
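Review bot: In the non-legacy branch the nested `{% for group in fastd_groups %}` / `{% for host in groups[group] %}` loops emit one `peer` block per group membership, so a host that belongs to two of the `fastd_groups` is written twice under the same peer name and key; whether fastd rejects or silently merges duplicate peers I cannot confirm from here, but the config should not depend on it. Iterating over the deduplicated union, `{% for host in fastd_groups | map('extract', groups) | flatten | unique %}`, removes the outer loop (the `flatten` filter requires Ansible 2.5 or newer). `host.rsplit('.')[0]` is simply the first DNS label, which `host.split('.')[0]` states more plainly. If the `passwordstore` lookup yields an empty or `None` value for the `public` subkey rather than failing, the template still writes a `key` line with that value for the peer; it is presumably better to fail the render on a missing subkey than to ship a peer entry with no usable key, so consider checking the lookup result before emitting the block.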


@ -13,8 +13,8 @@ method "salsa2012+umac";
interface "{{ item.0.id }}vpn-{{ item.1.mtu }}";
bind {{ ansible_default_ipv4.address | ipaddr('public') }}:10{{ item.1.id }}{{ item.0.site_number }};
bind {{ ansible_default_ipv6.address | ipaddr('public') | ipwrap }}:10{{ item.1.id }}{{ item.0.site_number }};
bind {{ ansible_default_ipv4.address | ipaddr('public') }}:10{{ item.1.id }}{{ '%02d' % item.0.domain_number }};
bind {{ ansible_default_ipv6.address | ipaddr('public') | ipwrap }}:10{{ item.1.id }}{{ '%02d' % item.0.domain_number }};
include "secret.conf";
mtu {{ item.1.mtu }};


@ -38,6 +38,7 @@ server {
}
{% for mesh in meshes %}
{% if mesh.legacy is defined %}
server {
listen 80;
listen [::]:80;
@ -52,7 +53,7 @@ server {
include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;
root /var/www/html/firmware/{{ mesh.site_name.lower() }};
root /var/www/html/firmware/{{ mesh.domain_name.lower() }};
location / {
autoindex on;
autoindex_exact_size off;
@ -78,7 +79,7 @@ server {
include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;
root /var/www/html/firmware/{{ mesh.site_name.lower() }};
root /var/www/html/firmware/{{ mesh.domain_name.lower() }};
location / {
autoindex on;
autoindex_exact_size off;
@ -86,5 +87,6 @@ server {
}
{% if not loop.last %}
{% endif %}
{% endif %}
{% endfor %}


@ -88,13 +88,13 @@ module.exports = function () {
'domainNames': [
{% for mesh in meshes %}
{
'domain': '{{ mesh.site_code }}',
'name': '{{ mesh.site_name }}'
'domain': '{{ mesh.domain_code }}',
'name': '{{ mesh.domain_name }}'
},
{% if mesh.sites_virtual is defined %}
{% for site, name in mesh.sites_virtual.items() %}
{% if mesh.aliases is defined %}
{% for domain, name in mesh.aliases.items() %}
{
'domain': '{{ site }}',
'domain': '{{ domain }}',
'name': '{{ name }}'
},
{% endfor %}


@ -55,6 +55,7 @@ server {
}
{% for mesh in meshes %}
{% if mesh.http_domain_internal is defined %}
server {
listen 80;
listen [::]:80;
@ -82,5 +83,6 @@ server {
}
{% if not loop.last %}
{% endif %}
{% endif %}
{% endfor %}


@ -11,5 +11,5 @@ Diese Ansible role installiert und konfiguriert den Web Server nginx.
## Benötigte Variablen
- Variable `acme_server`
- Variable `ffmwu_server_type`
- Variable `server_type`
- Variable `inventory_hostname_short`


@ -19,10 +19,10 @@
<header>
<h1>Freifunk MWU Server <a href="./index.html">{{ inventory_hostname_short }}</a></h1>
</header>
{% if ffmwu_server_type == "firmware-build" or ffmwu_server_type == "gateway" %}
{% if server_type == "firmware-build" or server_type == "gateway" %}
<div class="block"><a href="firmware">Firmware</a></div>
{% endif %}
{% if ffmwu_server_type == "firmware-build" %}
{% if server_type == "firmware-build" %}
<div class="block"><a href="_archive">Firmware Archiv</a></div>
{% endif %}
</body>


@ -71,7 +71,7 @@ scrape_configs:
{% endif %}
{% endfor %}
{% endfor %}
{% for host, _ in bgp_mwu_servers.items() %}
{% for host, _ in bgp_legacy_servers.items() %}
{% if host not in ['extrasahne'] %}
- "{{ host }}.ffwi.org"
- "{{ host }}.ffmz.org"


@ -13,7 +13,7 @@
become: false
- name: set respondd vpn flag to false
when: ffmwu_server_type != "gateway"
when: server_type != "gateway"
copy:
content: "False"
dest: /home/admin/clones/mesh-announce/nodeinfo.d/vpn


@ -4,7 +4,7 @@ After={% for interface in item.fastd.nodes.instances %}fastd@{{ item.id }}vpn-{{
[Service]
ExecStart=/home/admin/clones/mesh-announce/respondd.py -i {{ item.id }}br {% for interface in item.fastd.nodes.instances %}-i {{ item.id }}vpn-{{ interface.mtu }}{% if not loop.last %} {% endif %}{% endfor %} -b {{ item.id }}bat -s {{ item.site_code }} -d {{ item.site_code }} --data-provider-directory /home/admin/clones/mesh-announce/
ExecStart=/home/admin/clones/mesh-announce/respondd.py -i {{ item.id }}br {% for interface in item.fastd.nodes.instances %}-i {{ item.id }}vpn-{{ interface.mtu }}{% if not loop.last %} {% endif %}{% endfor %} -b {{ item.id }}bat -s {{ site_code }} -d {{ item.domain_code }} --data-provider-directory /home/admin/clones/mesh-announce/
Restart=always
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin


@ -7,12 +7,20 @@ enable = true
synchronize = "1m"
collect_interval = "1m"
[respondd.sites.{{ site_code }}]
domains = [
{% for mesh in meshes %}
[respondd.sites.{{ mesh.site_code }}]
{% if mesh.sites_virtual is defined %}
domains = ["{{ mesh.site_code }}",{% for domain, name in mesh.sites_virtual.items() %}"{{ domain }}"{% if not loop.last %},{% endif %}{% endfor %}]
{% if mesh.aliases is defined %}
{% for domain, name in mesh.aliases.items() %}
"{{ domain }}",
{% endfor %}
{% endif %}
"{{ mesh.domain_code }}"{% if not loop.last %},
{% else %}
{% endif %}
{% endfor %}
]
{% for mesh in meshes %}
[[respondd.interfaces]]