split out gateway specific stuff to use roles for generic meshing servers

This commit is contained in:
Julian Labus 2018-09-09 10:26:23 +02:00
parent 37596e917d
commit 8d7af519a5
No known key found for this signature in database
GPG key ID: 8AF209F2C6B3572A
15 changed files with 101 additions and 26 deletions


@ -5,16 +5,13 @@ as_public_ffrl: 201701
internet_exit_tcp_mss_ipv4: 1240 internet_exit_tcp_mss_ipv4: 1240
internet_exit_tcp_mss_ipv6: 1220 internet_exit_tcp_mss_ipv6: 1220
routing_tables:
icvpn: 23
mwu: 41
internet: 61
icvpn_ipv4_transfer_net: 10.207.0.0/16 icvpn_ipv4_transfer_net: 10.207.0.0/16
icvpn_ipv6_transfer_net: fec0::a:cf:0:0/96 icvpn_ipv6_transfer_net: fec0::a:cf:0:0/96
bgp_loopback_net: 10.37.0.0/18 bgp_loopback_net: 10.37.0.0/18
bgp_ipv4_transfer_net: 10.37.0.0/18 bgp_ipv4_transfer_net: 10.37.0.0/18
bgp_ipv6_transfer_net: fd37:b4dc:4b1e::/64 bgp_ipv6_transfer_net: fd37:b4dc:4b1e::/64
bgp_groups:
- ffmwu-gateways
http_domain_internal: ffmwu.org http_domain_internal: ffmwu.org
http_domain_external: freifunk-mwu.de http_domain_external: freifunk-mwu.de


@ -1,4 +1,9 @@
--- ---
routing_tables:
icvpn: 23
mwu: 41
internet: 61
common_repos: common_repos:
backend-scripts: backend-scripts:
repo_url: https://github.com/freifunk-mwu/backend-scripts.git repo_url: https://github.com/freifunk-mwu/backend-scripts.git
@ -9,3 +14,6 @@ common_repos:
icvpn-scripts: icvpn-scripts:
repo_url: https://github.com/freifunk/icvpn-scripts.git repo_url: https://github.com/freifunk/icvpn-scripts.git
version: master version: master
prometheus_components:
- node_exporter


@ -10,6 +10,6 @@ iface {{ item.id }}bat
batman-ifaces {{ item.id }}0 {% for instance in item.fastd.nodes.instances %}{{ item.id }}vpn-{{ instance.mtu }}{% if not loop.last %} {% endif %}{% endfor %} {% for instance in item.fastd.backbone.instances %}{{ item.id }}igvpn-{{ instance.mtu }}{% if not loop.last %} {% endif %}{% endfor %} batman-ifaces {{ item.id }}0 {% for instance in item.fastd.nodes.instances %}{{ item.id }}vpn-{{ instance.mtu }}{% if not loop.last %} {% endif %}{% endfor %} {% for instance in item.fastd.backbone.instances %}{{ item.id }}igvpn-{{ instance.mtu }}{% if not loop.last %} {% endif %}{% endfor %}
batman-hop-penalty {{ item.batman.hop_penalty }} batman-hop-penalty {{ item.batman.hop_penalty }}
post-up /usr/sbin/batctl -m $IFACE it {{ item.batman.it }} post-up /usr/sbin/batctl -m $IFACE it {{ item.batman.it }}
post-up /usr/sbin/batctl -m $IFACE gw {{ item.batman.gw }}
post-up /usr/sbin/batctl -m $IFACE mm {{ item.batman.mm }} post-up /usr/sbin/batctl -m $IFACE mm {{ item.batman.mm }}
post-up /usr/sbin/batctl -m $IFACE dat {{ item.batman.dat }} post-up /usr/sbin/batctl -m $IFACE dat {{ item.batman.dat }}
{% if ffmwu_server_type == 'gateway' %} post-up /usr/sbin/batctl -m $IFACE gw {{ item.batman.gw }}{% endif %}
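Review bot: On non-gateway servers the `gw` mode of the bat interface is no longer set at all, so it is left at whatever batman-adv currently holds (the module default, or the value a host kept from when it was still a gateway) instead of being pinned by the template. Since the point of the commit is that only gateways announce themselves, an explicit `{% else %}` branch with `post-up /usr/sbin/batctl -m $IFACE gw off` makes that deterministic and covers a host that is demoted from gateway to generic server. Putting the `{% if %}`/`{% else %}`/`{% endif %}` tags on their own lines (Ansible's template module defaults to `trim_blocks`) also avoids the stray empty line the single-line form leaves in the rendered interfaces file on non-gateways. The `iface {{ item.id }}bat` stanza starts outside the hunk.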


@ -53,9 +53,17 @@
enabled: yes enabled: yes
state: started state: started
- name: set sysctl settings for routing - name: set basic sysctl settings for routing
sysctl: sysctl:
name: "{{ item.name }}" name: "{{ item.name }}"
value: "{{ item.value }}" value: "{{ item.value }}"
state: present state: present
with_items: "{{ sysctl_settings_routing }}" with_items: "{{ sysctl_settings_routing_basic }}"
- name: set gateway sysctl settings for routing
when: ffmwu_server_type == "gateway"
sysctl:
name: "{{ item.name }}"
value: "{{ item.value }}"
state: present
with_items: "{{ sysctl_settings_routing_gateway }}"
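Review bot: Forwarding is now only ever switched on: the gateway task sets `net.ipv4.ip_forward`/`net.ipv6.conf.all.forwarding` to 1, but nothing sets them back to 0 for `ffmwu_server_type != "gateway"`, so a host that was provisioned as a gateway before this split keeps routing between its mesh interfaces and the Internet after being re-typed. A third task (or a `0`-valued list selected by server type) closes that gap and keeps the role idempotent in both directions; both sysctl tasks still write `/etc/sysctl.conf` via `state: present`, so the last task to run for a given key wins there as well.

```yaml
- name: disable forwarding on non-gateway servers
  when: ffmwu_server_type != "gateway"
  sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    state: present
  with_items:
    - name: net.ipv4.ip_forward
      value: 0
    - name: net.ipv6.conf.all.forwarding
      value: 0
```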


@ -3,6 +3,7 @@
# {{ ansible_managed }} # {{ ansible_managed }}
# #
{% if ffmwu_server_type == 'gateway' %}
# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces # Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
{% for mesh in meshes %} {% for mesh in meshes %}
ip -4 rule add from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7 ip -4 rule add from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
@ -78,5 +79,16 @@ ip -4 rule add from all lookup mwu priority 107
ip -4 rule add from all lookup icvpn priority 107 ip -4 rule add from all lookup icvpn priority 107
ip -6 rule add from all lookup mwu priority 107 ip -6 rule add from all lookup mwu priority 107
ip -6 rule add from all lookup icvpn priority 107 ip -6 rule add from all lookup icvpn priority 107
{% else %}
# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
{% for mesh in meshes %}
ip -4 rule add from all iif {{ mesh.id }}br lookup mwu priority 7
ip -4 rule add from {{ mesh.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('ip/prefix') }}/32 lookup mwu priority 7
{% for ula in mesh.ipv6_ula %}
ip -6 rule add from all iif {{ mesh.id }}br lookup mwu priority 7
ip -6 rule add from {{ ula | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('ip/prefix') }}/128 lookup mwu priority 7
{% endfor %}
{% endfor %}
{% endif %}
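Review bot: In the non-gateway branch the IPv6 `iif` rule is emitted inside the `{% for ula in mesh.ipv6_ula %}` loop although it does not depend on `ula`, so a mesh with more than one ULA adds the identical `ip -6 rule add from all iif {{ mesh.id }}br lookup mwu priority 7` several times; on kernels that reject duplicate rules (`EEXIST`) every repeat errors, on older ones the rule table fills with duplicates. Move that line above the inner loop next to its IPv4 counterpart so exactly one `iif` rule per mesh is installed. The per-address rules also rely on a host-level `magic` variable and on `mesh.ipv4_network`/`mesh.ipv6_ula` being set; neither is asserted anywhere on this page, so an undefined value only surfaces as a template error at deploy time.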
exit 0 exit 0


@ -18,6 +18,7 @@
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{% if ffmwu_server_type == 'gateway' %}
# static blackhole routes for rt_table internet # static blackhole routes for rt_table internet
/sbin/ip -4 route add blackhole 0.0.0.0/8 table internet /sbin/ip -4 route add blackhole 0.0.0.0/8 table internet
/sbin/ip -4 route add blackhole 10.0.0.0/8 table internet /sbin/ip -4 route add blackhole 10.0.0.0/8 table internet
@ -64,3 +65,10 @@
/sbin/ip -6 route add blackhole ::/96 table main /sbin/ip -6 route add blackhole ::/96 table main
/sbin/ip -6 route add blackhole 0:0:0:0:0:ffff::/96 table main /sbin/ip -6 route add blackhole 0:0:0:0:0:ffff::/96 table main
/sbin/ip -6 route add blackhole ::/0 table main /sbin/ip -6 route add blackhole ::/0 table main
{% else %}
# static routes for icvpn
/sbin/ip -4 route add {{ icvpn_ipv4_transfer_net }}{% for host in groups['ffmwu-gateways'] %} nexthop via {{ bgp_ipv4_transfer_net | ipaddr('net') | ipaddr(hostvars[host]['magic']) | ipaddr('ip') }}{% endfor %}
/sbin/ip -6 route add {{ icvpn_ipv6_transfer_net }}{% for host in groups['ffmwu-gateways'] %} nexthop via {{ bgp_ipv6_transfer_net | ipaddr('net') | ipsubnet(64, 0) | ipaddr(hostvars[host]['magic']) | ipaddr('ip') }}{% endfor %}
{% endif %}
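Review bot: The new non-gateway route lines build their nexthop list purely from `groups['ffmwu-gateways']`; if that group is empty in the inventory the template renders `/sbin/ip -4 route add 10.207.0.0/16` with no nexthop at all, which `ip` rejects, and a gateway whose `magic` hostvar is missing makes the whole template fail. Wrapping the two lines in `{% if groups['ffmwu-gateways'] | length > 0 %}` keeps the script valid on an inventory without gateways, and the `icvpn` transfer-net route is then only installed when there is somewhere to send it. The route goes into the main table (no `table` keyword), which is a deliberate difference from the gateway branch above; a one-line comment saying so would save the next reader from assuming it was forgotten. The enclosing template starts outside the hunk.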


@ -3,6 +3,7 @@
# {{ ansible_managed }} # {{ ansible_managed }}
# #
{% if ffmwu_server_type == 'gateway' %}
# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces # Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
{% for mesh in meshes %} {% for mesh in meshes %}
ip -4 rule del from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7 ip -4 rule del from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
@ -78,5 +79,16 @@ ip -4 rule del from all lookup mwu priority 107
ip -4 rule del from all lookup icvpn priority 107 ip -4 rule del from all lookup icvpn priority 107
ip -6 rule del from all lookup mwu priority 107 ip -6 rule del from all lookup mwu priority 107
ip -6 rule del from all lookup icvpn priority 107 ip -6 rule del from all lookup icvpn priority 107
{% else %}
# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
{% for mesh in meshes %}
ip -4 rule del from all iif {{ mesh.id }}br lookup mwu priority 7
ip -4 rule del from {{ mesh.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('ip/prefix') }}/32 lookup mwu priority 7
{% for ula in mesh.ipv6_ula %}
ip -6 rule del from all iif {{ mesh.id }}br lookup mwu priority 7
ip -6 rule del from {{ ula | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('ip/prefix') }}/128 lookup mwu priority 7
{% endfor %}
{% endfor %}
{% endif %}
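Review bot: The teardown mirrors the add template, including the IPv6 `ip -6 rule del from all iif {{ mesh.id }}br lookup mwu priority 7` being repeated once per ULA; only the first `del` finds a rule, the rest fail with "No such file or directory". That is harmless unless the script runs under `set -e`, but it should be hoisted above the `{% for ula in mesh.ipv6_ula %}` loop in the same way as in the add template so the two stay symmetric.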
exit 0 exit 0


@ -18,6 +18,7 @@
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{% if ffmwu_server_type == 'gateway' %}
# static blackhole routes for rt_table internet # static blackhole routes for rt_table internet
/sbin/ip -4 route del blackhole 0.0.0.0/8 table internet /sbin/ip -4 route del blackhole 0.0.0.0/8 table internet
/sbin/ip -4 route del blackhole 10.0.0.0/8 table internet /sbin/ip -4 route del blackhole 10.0.0.0/8 table internet
@ -64,3 +65,10 @@
/sbin/ip -6 route del blackhole ::/96 table main /sbin/ip -6 route del blackhole ::/96 table main
/sbin/ip -6 route del blackhole 0:0:0:0:0:ffff::/96 table main /sbin/ip -6 route del blackhole 0:0:0:0:0:ffff::/96 table main
/sbin/ip -6 route del blackhole ::/0 table main /sbin/ip -6 route del blackhole ::/0 table main
{% else %}
# static routes for icvpn
/sbin/ip -4 route del {{ icvpn_ipv4_transfer_net }}{% for host in groups['ffmwu-gateways'] %} nexthop via {{ bgp_ipv4_transfer_net | ipaddr('net') | ipaddr(hostvars[host]['magic']) | ipaddr('ip') }}{% endfor %}
/sbin/ip -6 route del {{ icvpn_ipv6_transfer_net }}{% for host in groups['ffmwu-gateways'] %} nexthop via {{ bgp_ipv6_transfer_net | ipaddr('net') | ipsubnet(64, 0) | ipaddr(hostvars[host]['magic']) | ipaddr('ip') }}{% endfor %}
{% endif %}
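Review bot: The `route del` lines for the icvpn transfer nets repeat the full multipath nexthop list, so the delete only matches if `groups['ffmwu-gateways']` (and every gateway's `magic`) is identical to what it was when the route was added; after a gateway is added or removed from the inventory the old ECMP route stays in the main table. Deleting by prefix alone, `/sbin/ip -4 route del {{ icvpn_ipv4_transfer_net }}` and `/sbin/ip -6 route del {{ icvpn_ipv6_transfer_net }}`, removes whatever route is present for that destination and is robust against inventory drift.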


@ -1,14 +1,16 @@
--- ---
sysctl_settings_routing: sysctl_settings_routing_basic:
- name: net.ipv4.ip_forward
value: 1
- name: net.ipv4.conf.default.rp_filter - name: net.ipv4.conf.default.rp_filter
value: 0 value: 0
- name: net.ipv4.conf.all.rp_filter - name: net.ipv4.conf.all.rp_filter
value: 0 value: 0
- name: net.ipv6.conf.all.forwarding
value: 1
- name: net.ipv6.conf.all.accept_ra - name: net.ipv6.conf.all.accept_ra
value: 0 value: 0
- name: net.ipv6.conf.default.accept_ra - name: net.ipv6.conf.default.accept_ra
value: 0 value: 0
sysctl_settings_routing_gateway:
- name: net.ipv4.ip_forward
value: 1
- name: net.ipv6.conf.all.forwarding
value: 1
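Review bot: `sysctl_settings_routing_basic` still sets `net.ipv4.conf.{all,default}.rp_filter` to 0 for every server type, so the generic mesh servers lose reverse-path filtering although they no longer forward traffic. If the non-gateway policy routing does not need strict-asymmetric paths, `value: 2` (loose mode) in the basic list keeps some anti-spoofing protection on those hosts while still tolerating the `iif`/`from` rules; this should be confirmed against the rule set before changing it. The gateway list also has no non-gateway counterpart setting `ip_forward`/`forwarding` back to `0`, so a host moved out of the gateway role keeps forwarding enabled.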


@ -1,15 +1,20 @@
--- ---
- name: Check DNS entries and target distribution - name: Check basic DNS entries and target distribution
assert: assert:
that: that:
- "dns_host_ipv4_address in ansible_all_ipv4_addresses" - "dns_host_ipv4_address in ansible_all_ipv4_addresses"
- "dns_host_ipv6_address in ansible_all_ipv6_addresses" - "dns_host_ipv6_address in ansible_all_ipv6_addresses"
- "dns_gate_num_cname == inventory_hostname"
- "dns_gate_icvpn_cname == inventory_hostname"
- "ansible_distribution == 'Debian'" - "ansible_distribution == 'Debian'"
- "ansible_distribution_major_version == '9'" - "ansible_distribution_major_version == '9'"
- name: Check gateway specific DNS entries
when: ffmwu_server_type == "gateway"
assert:
that:
- "dns_gate_num_cname == inventory_hostname"
- "dns_gate_icvpn_cname == inventory_hostname"
- name: Test root access for admin account - name: Test root access for admin account
command: "true" command: "true"
changed_when: False changed_when: False
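Review bot: `ffmwu_server_type` is now the switch that decides whether a host gets forwarding, blackhole routes, BGP sessions and gateway DNS checks, but the basic assert never verifies it is defined or holds a recognised value; an undefined variable aborts the `when:` evaluation with a confusing error, and a mistyped value (e.g. `Gateway`) silently turns a gateway into a generic server. Add `- "ffmwu_server_type is defined"` and a membership check such as `- "ffmwu_server_type in ['gateway', 'firmware-build']"` (extend the list with whatever other types the roles support; this page shows only those two) to the "Check basic DNS entries and target distribution" assert so the mismatch fails early.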


@ -15,6 +15,7 @@ Im iBGP peeren wir mangels separatem Transfernetz (im Moment) im Mainzer Mesh Ne
- Variable `bgp_ipv4_transfer_net` # IPv4-Range des Mainzer Meshes, das aktuell als Transfernetz benutzt wird. - Variable `bgp_ipv4_transfer_net` # IPv4-Range des Mainzer Meshes, das aktuell als Transfernetz benutzt wird.
- Variable `bgp_ipv6_transfer_net` # IPv6-Range des Mainzer Meshes, das aktuell als Transfernetz benutzt wird. - Variable `bgp_ipv6_transfer_net` # IPv6-Range des Mainzer Meshes, das aktuell als Transfernetz benutzt wird.
- Variable `bgp_as_private_mwu` # Private ASN von Freifunk MWU - Variable `bgp_as_private_mwu` # Private ASN von Freifunk MWU
- Liste `bgp_groups` # List von Hostgruppen zu denen eine Verbindung aufgebaut werden soll
- Dictionary `bgp_mwu_servers` - Dictionary `bgp_mwu_servers`
``` ```


@ -2,14 +2,16 @@
# {{ ansible_managed }} # {{ ansible_managed }}
# #
{% for gateway in groups['ffmwu-gateways'] %} {% for group in bgp_groups %}
{% if gateway != inventory_hostname %} {% for host in groups[group] %}
protocol bgp mwu_{{ gateway.rsplit('.freifunk-mwu.de')[0] }} from ibgp_mwu { {% if host != inventory_hostname %}
neighbor {{ bgp_ipv4_transfer_net | ipaddr('net') | ipaddr(hostvars[gateway]['magic']) | ipaddr('ip') }} as mwu_as; protocol bgp mwu_{{ host.rsplit('.freifunk-mwu.de')[0] }} from ibgp_mwu {
neighbor {{ bgp_ipv4_transfer_net | ipaddr('net') | ipaddr(hostvars[host]['magic']) | ipaddr('ip') }} as mwu_as;
}; };
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{% endfor %}
{% for item, value in bgp_mwu_servers.items() %} {% for item, value in bgp_mwu_servers.items() %}
{% if item != inventory_hostname_short %} {% if item != inventory_hostname_short %}
protocol bgp mwu_{{ item }} from ibgp_mwu { protocol bgp mwu_{{ item }} from ibgp_mwu {
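Review bot: Iterating over `bgp_groups` and then over each group's members emits one `protocol bgp mwu_…` block per membership, so a host that is in two of the listed groups produces two protocols with the same name and bird refuses the configuration. Deduplicate the peer list before looping, e.g. `{% for host in bgp_groups | map('extract', groups) | flatten | unique %}` (`flatten` needs Ansible 2.5+; otherwise collect the hosts into a list first). The name derivation `host.rsplit('.freifunk-mwu.de')[0]` also assumes every peer's inventory name ends with that domain; for any other host it returns the full FQDN with dots, which is not a valid bird protocol name, so `hostvars[host]['inventory_hostname_short']` would be the safer choice now that generic servers can be peers. The template continues with the `bgp_mwu_servers` loop outside the hunk.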


@ -2,14 +2,16 @@
# {{ ansible_managed }} # {{ ansible_managed }}
# #
{% for gateway in groups['ffmwu-gateways'] %} {% for group in bgp_groups %}
{% if gateway != inventory_hostname %} {% for host in groups[group] %}
protocol bgp mwu_{{ gateway.rsplit('.freifunk-mwu.de')[0] }} from ibgp_mwu { {% if host != inventory_hostname %}
neighbor {{ bgp_ipv6_transfer_net | ipaddr('net') | ipsubnet(64, 0) | ipaddr(hostvars[gateway]['magic']) | ipaddr('ip') }} as mwu_as; protocol bgp mwu_{{ host.rsplit('.freifunk-mwu.de')[0] }} from ibgp_mwu {
neighbor {{ bgp_ipv6_transfer_net | ipaddr('net') | ipsubnet(64, 0) | ipaddr(hostvars[host]['magic']) | ipaddr('ip') }} as mwu_as;
}; };
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{% endfor %}
{% for item, value in bgp_mwu_servers.items() %} {% for item, value in bgp_mwu_servers.items() %}
{% if item != inventory_hostname_short %} {% if item != inventory_hostname_short %}
protocol bgp mwu_{{ item }} from ibgp_mwu { protocol bgp mwu_{{ item }} from ibgp_mwu {
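Review bot: Same structure as the IPv4 template: a host present in more than one group of `bgp_groups` yields two `protocol bgp mwu_…` blocks with an identical name, and `host.rsplit('.freifunk-mwu.de')[0]` yields a dotted, invalid protocol name for any peer outside that domain. Use a deduplicated peer list (`bgp_groups | map('extract', groups) | flatten | unique`) and `hostvars[host]['inventory_hostname_short']` for the name here as well so both address families render from the same peer set. The template continues outside the hunk.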


@ -2,7 +2,7 @@
<html> <html>
<head> <head>
<meta charset="UTF-8" /> <meta charset="UTF-8" />
<title>Freifunk MWU Gateway "{{ inventory_hostname_short }}" </title> <title>Freifunk MWU Server "{{ inventory_hostname_short }}" </title>
<link href="./static/favicon.ico" rel="shortcut icon" /> <link href="./static/favicon.ico" rel="shortcut icon" />
<link href="./static/style.css" rel="stylesheet" type="text/css" media="screen" /> <link href="./static/style.css" rel="stylesheet" type="text/css" media="screen" />
<script type="text/javascript"> <script type="text/javascript">
@ -17,9 +17,11 @@
</head> </head>
<body> <body>
<header> <header>
<h1>Freifunk MWU Gateway <a href="./index.html">{{ inventory_hostname_short }}</a></h1> <h1>Freifunk MWU Server <a href="./index.html">{{ inventory_hostname_short }}</a></h1>
</header> </header>
{% if ffmwu_server_type == "firmware-build" or ffmwu_server_type == "gateway" %}
<div class="block"><a href="firmware">Firmware</a></div> <div class="block"><a href="firmware">Firmware</a></div>
{% endif %}
{% if ffmwu_server_type == "firmware-build" %} {% if ffmwu_server_type == "firmware-build" %}
<div class="block"><a href="_archive">Firmware Archiv</a></div> <div class="block"><a href="_archive">Firmware Archiv</a></div>
{% endif %} {% endif %}


@ -11,6 +11,14 @@
version: mwu-respondd version: mwu-respondd
become: false become: false
- name: set respondd vpn flag to false
when: ffmwu_server_type != "gateway"
copy:
content: "False"
dest: /home/admin/clones/mesh-announce/nodeinfo.d/vpn
notify:
- restart respondd
- name: write systemd unit files - name: write systemd unit files
template: template:
src: respondd.service.j2 src: respondd.service.j2