From 8d7af519a519a8e862a9443f51497e4bd217b885 Mon Sep 17 00:00:00 2001
From: Julian Labus
Date: Sun, 9 Sep 2018 10:26:23 +0200
Subject: [PATCH] split out gateway specific stuff to use roles for generic meshing servers
---
inventory/group_vars/all | 7 ++-----
.../main.yml => inventory/group_vars/ffmwu-gateways | 8 ++++++++
roles/network-batman/templates/batman.j2 | 2 +-
roles/network-routing/tasks/main.yml | 12 ++++++++++--
.../templates/ffmwu-add-ip-rules.sh.j2 | 12 ++++++++++++
.../templates/ffmwu-add-static-routes.sh.j2 | 8 ++++++++
.../templates/ffmwu-del-ip-rules.sh.j2 | 12 ++++++++++++
.../templates/ffmwu-del-static-routes.sh.j2 | 8 ++++++++
roles/network-routing/vars/main.yml | 12 +++++++-----
roles/prerequisites/tasks/main.yml | 11 ++++++++---
roles/service-bird/README.md | 1 +
roles/service-bird/templates/mwu_ipv4_peers.conf.j2 | 10 ++++++----
roles/service-bird/templates/mwu_ipv6_peers.conf.j2 | 10 ++++++----
roles/service-nginx/templates/index.html.j2 | 6 ++++--
roles/service-respondd/tasks/main.yml | 8 ++++++++
15 files changed, 101 insertions(+), 26 deletions(-)
rename roles/git-repos/vars/main.yml => inventory/group_vars/ffmwu-gateways (76%)
diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index 28837f9..a89ccef 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -5,16 +5,13 @@ as_public_ffrl: 201701
 internet_exit_tcp_mss_ipv4: 1240
 internet_exit_tcp_mss_ipv6: 1220
-routing_tables:
- icvpn: 23
- mwu: 41
- internet: 61
-
 icvpn_ipv4_transfer_net: 10.207.0.0/16
 icvpn_ipv6_transfer_net: fec0::a:cf:0:0/96
 bgp_loopback_net: 10.37.0.0/18
 bgp_ipv4_transfer_net: 10.37.0.0/18
 bgp_ipv6_transfer_net: fd37:b4dc:4b1e::/64
+bgp_groups:
+ - ffmwu-gateways
 http_domain_internal: ffmwu.org
 http_domain_external: freifunk-mwu.de
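Review bot: `routing_tables` is removed from `group_vars/all` here and re-added only for the `ffmwu-gateways` group in the renamed `inventory/group_vars/ffmwu-gateways`, yet the non-gateway branches added to `ffmwu-add-ip-rules.sh.j2` and `ffmwu-del-ip-rules.sh.j2` in this same patch still issue `lookup mwu`. If `routing_tables` is what populates the kernel's routing-table name file (not visible in this patch), hosts outside that group end up without a `mwu` table name and every `ip rule add ... lookup mwu` in the non-gateway path fails. Keeping the `mwu` entry in `all` (or in a group both server types belong to) and leaving only `icvpn` and `internet` gateway-specific would match what the templates expect. The new `bgp_groups` default is fine but deserves a one-line comment, e.g. `# host groups whose members get an iBGP session in service-bird`.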
diff --git a/roles/git-repos/vars/main.yml b/inventory/group_vars/ffmwu-gateways
similarity index 76%
rename from roles/git-repos/vars/main.yml
rename to inventory/group_vars/ffmwu-gateways
index 57b5cad..1f51382 100644
--- a/roles/git-repos/vars/main.yml
+++ b/inventory/group_vars/ffmwu-gateways
@@ -1,4 +1,9 @@
 ---
+routing_tables:
+ icvpn: 23
+ mwu: 41
+ internet: 61
+
 common_repos:
 backend-scripts:
 repo_url: https://github.com/freifunk-mwu/backend-scripts.git
@@ -9,3 +14,6 @@ common_repos:
 icvpn-scripts:
 repo_url: https://github.com/freifunk/icvpn-scripts.git
 version: master
+
+prometheus_components:
+ - node_exporter
diff --git a/roles/network-batman/templates/batman.j2 b/roles/network-batman/templates/batman.j2
index 2408aa1..3f6435c 100644
--- a/roles/network-batman/templates/batman.j2
+++ b/roles/network-batman/templates/batman.j2
@@ -10,6 +10,6 @@ iface {{ item.id }}bat
 batman-ifaces {{ item.id }}0 {% for instance in item.fastd.nodes.instances %}{{ item.id }}vpn-{{ instance.mtu }}{% if not loop.last %} {% endif %}{% endfor %} {% for instance in item.fastd.backbone.instances %}{{ item.id }}igvpn-{{ instance.mtu }}{% if not loop.last %} {% endif %}{% endfor %}
 batman-hop-penalty {{ item.batman.hop_penalty }}
 post-up /usr/sbin/batctl -m $IFACE it {{ item.batman.it }}
- post-up /usr/sbin/batctl -m $IFACE gw {{ item.batman.gw }}
 post-up /usr/sbin/batctl -m $IFACE mm {{ item.batman.mm }}
 post-up /usr/sbin/batctl -m $IFACE dat {{ item.batman.dat }}
+{% if ffmwu_server_type == 'gateway' %} post-up /usr/sbin/batctl -m $IFACE gw {{ item.batman.gw }}{% endif %}
diff --git a/roles/network-routing/tasks/main.yml b/roles/network-routing/tasks/main.yml
index 547c837..939285e 100644
--- a/roles/network-routing/tasks/main.yml
+++ b/roles/network-routing/tasks/main.yml
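Review bot: `common_repos` (and the new `prometheus_components`) now live in the group vars of `ffmwu-gateways` only, whereas before this rename `common_repos` was a role var of `git-repos` and therefore present on every host that role ran on. If `git-repos` is also applied to the new non-gateway meshing servers, `common_repos` is undefined there and the role fails wherever it is referenced; a role `defaults/main.yml` entry, or moving the repositories every server type needs into `group_vars/all`, would avoid that. A short header comment in this file stating which keys are gateway-only would help the next reader, e.g. `# gateway-only: routing_tables (extra rt tables), common_repos, prometheus_components`.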
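Review bot: `ffmwu_server_type` is introduced on the new `post-up` line here (and in `network-routing/tasks/main.yml`, the four routing templates and `prerequisites/tasks/main.yml`), but nothing in this patch defines it — neither `group_vars/all` nor the new `ffmwu-gateways` group vars set it. Unless it already exists in the inventory, every `{% if ffmwu_server_type == 'gateway' %}` and `when:` fails with an undefined-variable error on the first run. Setting `ffmwu_server_type: gateway` in `inventory/group_vars/ffmwu-gateways` and a non-gateway default in `group_vars/all` keeps the safe direction: an unset or unexpected value lands in the branch without forwarding, batman `gw` mode or the extra sysctls. A comment on the new line would also help, e.g. `{# only gateways announce batman gateway mode #}`.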
@@ -53,9 +53,17 @@
 enabled: yes
 state: started
-- name: set sysctl settings for routing
+- name: set basic sysctl settings for routing
 sysctl:
 name: "{{ item.name }}"
 value: "{{ item.value }}"
 state: present
- with_items: "{{ sysctl_settings_routing }}"
+ with_items: "{{ sysctl_settings_routing_basic }}"
+
+- name: set gateway sysctl settings for routing
+ when: ffmwu_server_type == "gateway"
+ sysctl:
+ name: "{{ item.name }}"
+ value: "{{ item.value }}"
+ state: present
+ with_items: "{{ sysctl_settings_routing_gateway }}"
diff --git a/roles/network-routing/templates/ffmwu-add-ip-rules.sh.j2 b/roles/network-routing/templates/ffmwu-add-ip-rules.sh.j2
index ee461f9..09ec269 100644
--- a/roles/network-routing/templates/ffmwu-add-ip-rules.sh.j2
+++ b/roles/network-routing/templates/ffmwu-add-ip-rules.sh.j2
@@ -3,6 +3,7 @@
 # {{ ansible_managed }}
 #
+{% if ffmwu_server_type == 'gateway' %}
 # Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
 {% for mesh in meshes %}
 ip -4 rule add from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
@@ -78,5 +79,16 @@ ip -4 rule add from all lookup mwu priority 107
 ip -4 rule add from all lookup icvpn priority 107
 ip -6 rule add from all lookup mwu priority 107
 ip -6 rule add from all lookup icvpn priority 107
+{% else %}
+# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
+{% for mesh in meshes %}
+ip -4 rule add from all iif {{ mesh.id }}br lookup mwu priority 7
+ip -4 rule add from {{ mesh.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('ip/prefix') }}/32 lookup mwu priority 7
+{% for ula in mesh.ipv6_ula %}
+ip -6 rule add from all iif {{ mesh.id }}br lookup mwu priority 7
+ip -6 rule add from {{ ula | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('ip/prefix') }}/128 lookup mwu priority 7
+{% endfor %}
+{% endfor %}
+{% endif %}
 exit 0
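Review bot: The new gateway task runs only `when` the host is a gateway, so a host re-classified from gateway to generic server keeps `net.ipv4.ip_forward` and `net.ipv6.conf.all.forwarding` at 1 from an earlier run — nothing in this role sets them back, and a server that no longer routes would keep forwarding between its interfaces. Both entries in `sysctl_settings_routing_gateway` are 0/1 toggles, so drop the `when:` and let the value follow the role instead: `value: "{{ item.value if ffmwu_server_type == 'gateway' else 0 }}"`. That makes a non-gateway run explicitly disable forwarding and also removes the duplicated name/value/state block between the two tasks.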
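Review bot: In the non-gateway branch the `from` address is built with `ipaddr('ip/prefix')` and then suffixed with a literal `/32` (`/128` on the ULA line); as I read the `ip/prefix` query it keeps the network's own prefix length, so the rendered rule looks like `10.0.0.5/16/32` (constructed example), which `ip rule` rejects. The static-route templates in this same patch use `ipaddr('ip')` for the bare address, so `ipaddr('ip') }}/32` and `ipaddr('ip') }}/128` would be both correct and consistent. The `ip -6 rule add from all iif {{ mesh.id }}br ...` line sits inside `{% for ula in mesh.ipv6_ula %}` although it does not depend on `ula`, so it is emitted once per ULA; moving it next to the IPv4 `iif` rule avoids duplicate rules, which newer iproute2 may report as already existing. The mirrored branch in `ffmwu-del-ip-rules.sh.j2` has the same two issues.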
diff --git a/roles/network-routing/templates/ffmwu-add-static-routes.sh.j2 b/roles/network-routing/templates/ffmwu-add-static-routes.sh.j2
index 07834e8..a31dcb9 100644
--- a/roles/network-routing/templates/ffmwu-add-static-routes.sh.j2
+++ b/roles/network-routing/templates/ffmwu-add-static-routes.sh.j2
@@ -18,6 +18,7 @@
 {% endif %}
 {% endfor %}
+{% if ffmwu_server_type == 'gateway' %}
 # static blackhole routes for rt_table internet
 /sbin/ip -4 route add blackhole 0.0.0.0/8 table internet
 /sbin/ip -4 route add blackhole 10.0.0.0/8 table internet
@@ -64,3 +65,10 @@
 /sbin/ip -6 route add blackhole ::/96 table main
 /sbin/ip -6 route add blackhole 0:0:0:0:0:ffff::/96 table main
 /sbin/ip -6 route add blackhole ::/0 table main
+{% else %}
+# static routes for icvpn
+/sbin/ip -4 route add {{ icvpn_ipv4_transfer_net }}{% for host in groups['ffmwu-gateways'] %} nexthop via {{ bgp_ipv4_transfer_net | ipaddr('net') | ipaddr(hostvars[host]['magic']) | ipaddr('ip') }}{% endfor %}
+
+/sbin/ip -6 route add {{ icvpn_ipv6_transfer_net }}{% for host in groups['ffmwu-gateways'] %} nexthop via {{ bgp_ipv6_transfer_net | ipaddr('net') | ipsubnet(64, 0) | ipaddr(hostvars[host]['magic']) | ipaddr('ip') }}{% endfor %}
+
+{% endif %}
diff --git a/roles/network-routing/templates/ffmwu-del-ip-rules.sh.j2 b/roles/network-routing/templates/ffmwu-del-ip-rules.sh.j2
index 00acaed..b978216 100644
--- a/roles/network-routing/templates/ffmwu-del-ip-rules.sh.j2
+++ b/roles/network-routing/templates/ffmwu-del-ip-rules.sh.j2
@@ -3,6 +3,7 @@
 # {{ ansible_managed }}
 #
+{% if ffmwu_server_type == 'gateway' %}
 # Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
 {% for mesh in meshes %}
 ip -4 rule del from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
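Review bot: The non-gateway ICVPN routes iterate `groups['ffmwu-gateways']` directly, while the bird templates in this patch switched to the new `bgp_groups` list; if the gateway group is renamed or a second one added, bird and these static routes disagree on the set of gateways. If the nexthops must stay real gateways rather than every iBGP peer, a dedicated variable (e.g. `icvpn_gateway_groups`) in `group_vars/all`, documented next to `bgp_groups`, makes that intent explicit. With an empty gateway group the line renders as `/sbin/ip -4 route add {{ icvpn_ipv4_transfer_net }}` with no nexthop at all, so wrapping both route lines in `{% if groups['ffmwu-gateways'] %}` keeps the script from failing on a host provisioned before any gateway exists. The `del` counterpart in `ffmwu-del-static-routes.sh.j2` has the same two points.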
@@ -78,5 +79,16 @@ ip -4 rule del from all lookup mwu priority 107
 ip -4 rule del from all lookup icvpn priority 107
 ip -6 rule del from all lookup mwu priority 107
 ip -6 rule del from all lookup icvpn priority 107
+{% else %}
+# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
+{% for mesh in meshes %}
+ip -4 rule del from all iif {{ mesh.id }}br lookup mwu priority 7
+ip -4 rule del from {{ mesh.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('ip/prefix') }}/32 lookup mwu priority 7
+{% for ula in mesh.ipv6_ula %}
+ip -6 rule del from all iif {{ mesh.id }}br lookup mwu priority 7
+ip -6 rule del from {{ ula | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('ip/prefix') }}/128 lookup mwu priority 7
+{% endfor %}
+{% endfor %}
+{% endif %}
 exit 0
diff --git a/roles/network-routing/templates/ffmwu-del-static-routes.sh.j2 b/roles/network-routing/templates/ffmwu-del-static-routes.sh.j2
index 2f72c10..3090b16 100644
--- a/roles/network-routing/templates/ffmwu-del-static-routes.sh.j2
+++ b/roles/network-routing/templates/ffmwu-del-static-routes.sh.j2
@@ -18,6 +18,7 @@
 {% endif %}
 {% endfor %}
+{% if ffmwu_server_type == 'gateway' %}
 # static blackhole routes for rt_table internet
 /sbin/ip -4 route del blackhole 0.0.0.0/8 table internet
 /sbin/ip -4 route del blackhole 10.0.0.0/8 table internet
@@ -64,3 +65,10 @@
 /sbin/ip -6 route del blackhole ::/96 table main
 /sbin/ip -6 route del blackhole 0:0:0:0:0:ffff::/96 table main
 /sbin/ip -6 route del blackhole ::/0 table main
+{% else %}
+# static routes for icvpn
+/sbin/ip -4 route del {{ icvpn_ipv4_transfer_net }}{% for host in groups['ffmwu-gateways'] %} nexthop via {{ bgp_ipv4_transfer_net | ipaddr('net') | ipaddr(hostvars[host]['magic']) | ipaddr('ip') }}{% endfor %}
+
+/sbin/ip -6 route del {{ icvpn_ipv6_transfer_net }}{% for host in groups['ffmwu-gateways'] %} nexthop via {{ bgp_ipv6_transfer_net | ipaddr('net') | ipsubnet(64, 0) | ipaddr(hostvars[host]['magic']) | ipaddr('ip') }}{% endfor %}
+
+{% endif %}
diff --git a/roles/network-routing/vars/main.yml b/roles/network-routing/vars/main.yml
index 97dd4ea..a3d85c8 100644
--- a/roles/network-routing/vars/main.yml
+++ b/roles/network-routing/vars/main.yml
@@ -1,14 +1,16 @@
 ---
-sysctl_settings_routing:
- - name: net.ipv4.ip_forward
- value: 1
+sysctl_settings_routing_basic:
 - name: net.ipv4.conf.default.rp_filter
 value: 0
 - name: net.ipv4.conf.all.rp_filter
 value: 0
- - name: net.ipv6.conf.all.forwarding
- value: 1
 - name: net.ipv6.conf.all.accept_ra
 value: 0
 - name: net.ipv6.conf.default.accept_ra
 value: 0
+
+sysctl_settings_routing_gateway:
+ - name: net.ipv4.ip_forward
+ value: 1
+ - name: net.ipv6.conf.all.forwarding
+ value: 1
diff --git a/roles/prerequisites/tasks/main.yml b/roles/prerequisites/tasks/main.yml
index eaa3a65..3625cb1 100755
--- a/roles/prerequisites/tasks/main.yml
+++ b/roles/prerequisites/tasks/main.yml
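Review bot: `net.ipv4.conf.default.rp_filter` and `net.ipv4.conf.all.rp_filter` at 0 move into `sysctl_settings_routing_basic`, so reverse-path filtering is now switched off on the non-forwarding server type as well. On a host that does not route, that gives up the kernel's spoofed-source check for nothing in return — unless the policy-routing rules the non-gateway branch installs (`from all iif ...br lookup mwu`) make strict mode drop legitimate replies, which I cannot tell from here. If that is the reason, loose mode is the usual middle ground: `value: "{{ 0 if ffmwu_server_type == 'gateway' else 2 }}"` on both rp_filter entries, with a comment stating why gateways need 0.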
@@ -1,15 +1,20 @@
 ---
-- name: Check DNS entries and target distribution
+- name: Check basic DNS entries and target distribution
 assert:
 that:
 - "dns_host_ipv4_address in ansible_all_ipv4_addresses"
 - "dns_host_ipv6_address in ansible_all_ipv6_addresses"
- - "dns_gate_num_cname == inventory_hostname"
- - "dns_gate_icvpn_cname == inventory_hostname"
 - "ansible_distribution == 'Debian'"
 - "ansible_distribution_major_version == '9'"
+- name: Check gateway specific DNS entries
+ when: ffmwu_server_type == "gateway"
+ assert:
+ that:
+ - "dns_gate_num_cname == inventory_hostname"
+ - "dns_gate_icvpn_cname == inventory_hostname"
+
 - name: Test root access for admin account
 command: "true"
 changed_when: False
diff --git a/roles/service-bird/README.md b/roles/service-bird/README.md
index 9224ece..6d45a03 100644
--- a/roles/service-bird/README.md
+++ b/roles/service-bird/README.md
@@ -15,6 +15,7 @@ Im iBGP peeren wir mangels separatem Transfernetz (im Moment) im Mainzer Mesh Ne
 - Variable `bgp_ipv4_transfer_net` # IPv4-Range des Mainzer Meshes, das aktuell als Transfernetz benutzt wird.
 - Variable `bgp_ipv6_transfer_net` # IPv6-Range des Mainzer Meshes, das aktuell als Transfernetz benutzt wird.
 - Variable `bgp_as_private_mwu` # Private ASN von Freifunk MWU
+- Liste `bgp_groups` # List von Hostgruppen zu denen eine Verbindung aufgebaut werden soll
 - Dictionary `bgp_mwu_servers`
 ```
diff --git a/roles/service-bird/templates/mwu_ipv4_peers.conf.j2 b/roles/service-bird/templates/mwu_ipv4_peers.conf.j2
index e5c3077..751cfac 100644
--- a/roles/service-bird/templates/mwu_ipv4_peers.conf.j2
+++ b/roles/service-bird/templates/mwu_ipv4_peers.conf.j2
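Review bot: The new gateway `assert` reports only the failed expression, and since it checks two different CNAMEs against `inventory_hostname` the operator has to reopen the task to see which DNS record is wrong. A `msg` makes the failure actionable: `msg: "dns_gate_num_cname and dns_gate_icvpn_cname must both resolve to {{ inventory_hostname }}"`. The basic check above it would benefit from the same treatment, but that is existing code.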
@@ -2,14 +2,16 @@
 # {{ ansible_managed }}
 #
-{% for gateway in groups['ffmwu-gateways'] %}
-{% if gateway != inventory_hostname %}
-protocol bgp mwu_{{ gateway.rsplit('.freifunk-mwu.de')[0] }} from ibgp_mwu {
- neighbor {{ bgp_ipv4_transfer_net | ipaddr('net') | ipaddr(hostvars[gateway]['magic']) | ipaddr('ip') }} as mwu_as;
+{% for group in bgp_groups %}
+{% for host in groups[group] %}
+{% if host != inventory_hostname %}
+protocol bgp mwu_{{ host.rsplit('.freifunk-mwu.de')[0] }} from ibgp_mwu {
+ neighbor {{ bgp_ipv4_transfer_net | ipaddr('net') | ipaddr(hostvars[host]['magic']) | ipaddr('ip') }} as mwu_as;
 };
 {% endif %}
 {% endfor %}
+{% endfor %}
 {% for item, value in bgp_mwu_servers.items() %}
 {% if item != inventory_hostname_short %}
 protocol bgp mwu_{{ item }} from ibgp_mwu {
diff --git a/roles/service-bird/templates/mwu_ipv6_peers.conf.j2 b/roles/service-bird/templates/mwu_ipv6_peers.conf.j2
index 44f8c6a..5dc864d 100644
--- a/roles/service-bird/templates/mwu_ipv6_peers.conf.j2
+++ b/roles/service-bird/templates/mwu_ipv6_peers.conf.j2
@@ -2,14 +2,16 @@
 # {{ ansible_managed }}
 #
-{% for gateway in groups['ffmwu-gateways'] %}
-{% if gateway != inventory_hostname %}
-protocol bgp mwu_{{ gateway.rsplit('.freifunk-mwu.de')[0] }} from ibgp_mwu {
- neighbor {{ bgp_ipv6_transfer_net | ipaddr('net') | ipsubnet(64, 0) | ipaddr(hostvars[gateway]['magic']) | ipaddr('ip') }} as mwu_as;
+{% for group in bgp_groups %}
+{% for host in groups[group] %}
+{% if host != inventory_hostname %}
+protocol bgp mwu_{{ host.rsplit('.freifunk-mwu.de')[0] }} from ibgp_mwu {
+ neighbor {{ bgp_ipv6_transfer_net | ipaddr('net') | ipsubnet(64, 0) | ipaddr(hostvars[host]['magic']) | ipaddr('ip') }} as mwu_as;
 };
 {% endif %}
 {% endfor %}
+{% endfor %}
 {% for item, value in bgp_mwu_servers.items() %}
 {% if item != inventory_hostname_short %}
 protocol bgp mwu_{{ item }} from ibgp_mwu {
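Review bot: The protocol name is still derived with `host.rsplit('.freifunk-mwu.de')[0]`, which only yields a short name for hosts under that domain; now that `bgp_groups` can pull in hosts from any inventory group, a host with a different domain keeps its full FQDN, and a dotted name is unlikely to be a valid bird protocol symbol. `hostvars[host]['inventory_hostname_short']` gives the short name regardless of domain and matches the `inventory_hostname_short` comparison already used in the `bgp_mwu_servers` loop below: `protocol bgp mwu_{{ hostvars[host]['inventory_hostname_short'] }} from ibgp_mwu {`. Two groups containing hosts with the same short name, or a host listed in two groups, would still render duplicate `protocol` blocks, which I expect bird to reject as a duplicate definition — worth a sentence in the README entry for `bgp_groups`. The same applies to `mwu_ipv6_peers.conf.j2`.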
diff --git a/roles/service-nginx/templates/index.html.j2 b/roles/service-nginx/templates/index.html.j2
index b2f034f..699953c 100644
--- a/roles/service-nginx/templates/index.html.j2
+++ b/roles/service-nginx/templates/index.html.j2
@@ -2,7 +2,7 @@
- Freifunk MWU Gateway "{{ inventory_hostname_short }}"
+ Freifunk MWU Server "{{ inventory_hostname_short }}"