split out gateway specific stuff to use roles for generic meshing servers
parent
37596e917d
commit
8d7af519a5
15 changed files with 101 additions and 26 deletions
@ -5,16 +5,13 @@ as_public_ffrl: 201701
internet_exit_tcp_mss_ipv4: 1240
internet_exit_tcp_mss_ipv4: 1240
internet_exit_tcp_mss_ipv6: 1220
internet_exit_tcp_mss_ipv6: 1220
routing_tables:
icvpn: 23
mwu: 41
internet: 61
icvpn_ipv4_transfer_net: 10.207.0.0/16
icvpn_ipv4_transfer_net: 10.207.0.0/16
icvpn_ipv6_transfer_net: fec0::a:cf:0:0/96
icvpn_ipv6_transfer_net: fec0::a:cf:0:0/96
bgp_loopback_net: 10.37.0.0/18
bgp_loopback_net: 10.37.0.0/18
bgp_ipv4_transfer_net: 10.37.0.0/18
bgp_ipv4_transfer_net: 10.37.0.0/18
bgp_ipv6_transfer_net: fd37:b4dc:4b1e::/64
bgp_ipv6_transfer_net: fd37:b4dc:4b1e::/64
bgp_groups:
- ffmwu-gateways
http_domain_internal: ffmwu.org
http_domain_internal: ffmwu.org
http_domain_external: freifunk-mwu.de
http_domain_external: freifunk-mwu.de
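Review bot: `bgp_groups` is introduced without a comment, yet the bird templates in this commit dereference `hostvars[host]['magic']` for every member of every listed group, so adding a group whose hosts lack a `magic` host var would break template rendering rather than fail at a check. A short comment above the key would carry that contract: `# host groups whose members become iBGP neighbours; every member must define the 'magic' host var`. The hunk also drops `routing_tables` from this file; the same keys reappear in another vars file of this commit, so hosts outside that file's scope lose the table ids — presumably intended, but worth confirming against the inventory.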
@ -1,4 +1,9 @@
---
---
routing_tables:
icvpn: 23
mwu: 41
internet: 61
common_repos:
common_repos:
backend-scripts:
backend-scripts:
repo_url: https://github.com/freifunk-mwu/backend-scripts.git
repo_url: https://github.com/freifunk-mwu/backend-scripts.git
@ -9,3 +14,6 @@ common_repos:
icvpn-scripts:
icvpn-scripts:
repo_url: https://github.com/freifunk/icvpn-scripts.git
repo_url: https://github.com/freifunk/icvpn-scripts.git
version: master
version: master
prometheus_components:
- node_exporter
@ -10,6 +10,6 @@ iface {{ item.id }}bat
batman-ifaces {{ item.id }}0 {% for instance in item.fastd.nodes.instances %}{{ item.id }}vpn-{{ instance.mtu }}{% if not loop.last %} {% endif %}{% endfor %} {% for instance in item.fastd.backbone.instances %}{{ item.id }}igvpn-{{ instance.mtu }}{% if not loop.last %} {% endif %}{% endfor %}
batman-ifaces {{ item.id }}0 {% for instance in item.fastd.nodes.instances %}{{ item.id }}vpn-{{ instance.mtu }}{% if not loop.last %} {% endif %}{% endfor %} {% for instance in item.fastd.backbone.instances %}{{ item.id }}igvpn-{{ instance.mtu }}{% if not loop.last %} {% endif %}{% endfor %}
batman-hop-penalty {{ item.batman.hop_penalty }}
batman-hop-penalty {{ item.batman.hop_penalty }}
post-up /usr/sbin/batctl -m $IFACE it {{ item.batman.it }}
post-up /usr/sbin/batctl -m $IFACE it {{ item.batman.it }}
post-up /usr/sbin/batctl -m $IFACE gw {{ item.batman.gw }}
post-up /usr/sbin/batctl -m $IFACE mm {{ item.batman.mm }}
post-up /usr/sbin/batctl -m $IFACE mm {{ item.batman.mm }}
post-up /usr/sbin/batctl -m $IFACE dat {{ item.batman.dat }}
post-up /usr/sbin/batctl -m $IFACE dat {{ item.batman.dat }}
{% if ffmwu_server_type == 'gateway' %} post-up /usr/sbin/batctl -m $IFACE gw {{ item.batman.gw }}{% endif %}
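Review bot: The gateway-only `batctl gw` line is written as an inline `{% if ffmwu_server_type == 'gateway' %} post-up … {% endif %}` on a single line, whereas every other template in this commit puts the `{% if %}` and `{% endif %}` tags on lines of their own; as written, the non-gateway render leaves an empty (or whitespace-only) line inside the `iface` stanza, harmless for ifupdown but untidy, and the stray space after `%}` indents the gateway line differently from its `post-up` siblings. Using the same three-line layout as the rule/route scripts keeps the templates uniform. If the page merely collapsed three template lines into one here, disregard the layout point; the interface stanza continues outside the hunk.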
@ -53,9 +53,17 @@
enabled: yes
enabled: yes
state: started
state: started
- name: set sysctl settings for routing
- name: set basic sysctl settings for routing
sysctl:
sysctl:
name: "{{ item.name }}"
name: "{{ item.name }}"
value: "{{ item.value }}"
value: "{{ item.value }}"
state: present
state: present
with_items: "{{ sysctl_settings_routing }}"
with_items: "{{ sysctl_settings_routing_basic }}"
- name: set gateway sysctl settings for routing
when: ffmwu_server_type == "gateway"
sysctl:
name: "{{ item.name }}"
value: "{{ item.value }}"
state: present
with_items: "{{ sysctl_settings_routing_gateway }}"
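Review bot: The two sysctl tasks repeat the whole `sysctl:` block and differ only in the list looped over and the `when:`; because `when` is evaluated per item under `with_items`, the gateway task also prints one skipped line per entry on every non-gateway host. A single task with `with_items: "{{ sysctl_settings_routing_basic + (sysctl_settings_routing_gateway if ffmwu_server_type == 'gateway' else []) }}"` keeps one definition and one place to extend. Whichever shape is kept, the task names could say what the lists actually switch (forwarding on gateways only; rp_filter and accept_ra everywhere) so a reader need not open the vars file to see the security-relevant difference.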
@ -3,6 +3,7 @@
# {{ ansible_managed }}
# {{ ansible_managed }}
#
#
{% if ffmwu_server_type == 'gateway' %}
# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
{% for mesh in meshes %}
{% for mesh in meshes %}
ip -4 rule add from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
ip -4 rule add from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
@ -78,5 +79,16 @@ ip -4 rule add from all lookup mwu priority 107
ip -4 rule add from all lookup icvpn priority 107
ip -4 rule add from all lookup icvpn priority 107
ip -6 rule add from all lookup mwu priority 107
ip -6 rule add from all lookup mwu priority 107
ip -6 rule add from all lookup icvpn priority 107
ip -6 rule add from all lookup icvpn priority 107
{% else %}
# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
{% for mesh in meshes %}
ip -4 rule add from all iif {{ mesh.id }}br lookup mwu priority 7
ip -4 rule add from {{ mesh.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('ip/prefix') }}/32 lookup mwu priority 7
{% for ula in mesh.ipv6_ula %}
ip -6 rule add from all iif {{ mesh.id }}br lookup mwu priority 7
ip -6 rule add from {{ ula | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('ip/prefix') }}/128 lookup mwu priority 7
{% endfor %}
{% endfor %}
{% endif %}
exit 0
exit 0
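Review bot: In the new non-gateway branch the per-host rules append a literal `/32` (and `/128`) after `ipaddr('ip/prefix')`, which as far as I read the ipaddr filter already returns the address together with its prefix, so the rendered argument has the form `10.37.0.5/16/32` and `ip rule add` rejects it; the companion delete script in this commit carries the same two lines with `ip rule del`. The static-route templates in this commit use `ipaddr('ip')` for exactly this purpose, so the fix is to match them: `ip -4 rule add from {{ mesh.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('ip') }}/32 lookup mwu priority 7` and `ip -6 rule add from {{ ula | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('ip') }}/128 lookup mwu priority 7`. The script's preamble is outside the hunk, so I cannot tell whether a failing `ip rule add` aborts the run or is masked by the trailing `exit 0`; a comment at the top recording which is intended would help whoever debugs a missing rule.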
@ -18,6 +18,7 @@
{% endif %}
{% endif %}
{% endfor %}
{% endfor %}
{% if ffmwu_server_type == 'gateway' %}
# static blackhole routes for rt_table internet
# static blackhole routes for rt_table internet
/sbin/ip -4 route add blackhole 0.0.0.0/8 table internet
/sbin/ip -4 route add blackhole 0.0.0.0/8 table internet
/sbin/ip -4 route add blackhole 10.0.0.0/8 table internet
/sbin/ip -4 route add blackhole 10.0.0.0/8 table internet
@ -64,3 +65,10 @@
/sbin/ip -6 route add blackhole ::/96 table main
/sbin/ip -6 route add blackhole ::/96 table main
/sbin/ip -6 route add blackhole 0:0:0:0:0:ffff::/96 table main
/sbin/ip -6 route add blackhole 0:0:0:0:0:ffff::/96 table main
/sbin/ip -6 route add blackhole ::/0 table main
/sbin/ip -6 route add blackhole ::/0 table main
{% else %}
# static routes for icvpn
/sbin/ip -4 route add {{ icvpn_ipv4_transfer_net }}{% for host in groups['ffmwu-gateways'] %} nexthop via {{ bgp_ipv4_transfer_net | ipaddr('net') | ipaddr(hostvars[host]['magic']) | ipaddr('ip') }}{% endfor %}
/sbin/ip -6 route add {{ icvpn_ipv6_transfer_net }}{% for host in groups['ffmwu-gateways'] %} nexthop via {{ bgp_ipv6_transfer_net | ipaddr('net') | ipsubnet(64, 0) | ipaddr(hostvars[host]['magic']) | ipaddr('ip') }}{% endfor %}
{% endif %}
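Review bot: The new icvpn multipath routes enumerate `groups['ffmwu-gateways']` directly, while the bird templates in this commit switch to iterating `bgp_groups`, so the two will diverge as soon as a second group is added to `bgp_groups`; the delete script in this commit has the same loop. If only gateways are ever meant to carry the icvpn transfer net, a comment above the routes makes the hard-coded group deliberate, e.g. `# nexthops: every ffmwu gateway terminates the icvpn transfer nets; bgp_groups is intentionally not used here`; otherwise loop over `bgp_groups` as the bird templates do. Note that the `{% for host in groups['ffmwu-gateways'] %}` loop has no `host != inventory_hostname` guard, which is fine only as long as no host is both in that group and typed as a non-gateway.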
@ -3,6 +3,7 @@
# {{ ansible_managed }}
# {{ ansible_managed }}
#
#
{% if ffmwu_server_type == 'gateway' %}
# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
{% for mesh in meshes %}
{% for mesh in meshes %}
ip -4 rule del from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
ip -4 rule del from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
@ -78,5 +79,16 @@ ip -4 rule del from all lookup mwu priority 107
ip -4 rule del from all lookup icvpn priority 107
ip -4 rule del from all lookup icvpn priority 107
ip -6 rule del from all lookup mwu priority 107
ip -6 rule del from all lookup mwu priority 107
ip -6 rule del from all lookup icvpn priority 107
ip -6 rule del from all lookup icvpn priority 107
{% else %}
# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
{% for mesh in meshes %}
ip -4 rule del from all iif {{ mesh.id }}br lookup mwu priority 7
ip -4 rule del from {{ mesh.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('ip/prefix') }}/32 lookup mwu priority 7
{% for ula in mesh.ipv6_ula %}
ip -6 rule del from all iif {{ mesh.id }}br lookup mwu priority 7
ip -6 rule del from {{ ula | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('ip/prefix') }}/128 lookup mwu priority 7
{% endfor %}
{% endfor %}
{% endif %}
exit 0
exit 0
@ -18,6 +18,7 @@
{% endif %}
{% endif %}
{% endfor %}
{% endfor %}
{% if ffmwu_server_type == 'gateway' %}
# static blackhole routes for rt_table internet
# static blackhole routes for rt_table internet
/sbin/ip -4 route del blackhole 0.0.0.0/8 table internet
/sbin/ip -4 route del blackhole 0.0.0.0/8 table internet
/sbin/ip -4 route del blackhole 10.0.0.0/8 table internet
/sbin/ip -4 route del blackhole 10.0.0.0/8 table internet
@ -64,3 +65,10 @@
/sbin/ip -6 route del blackhole ::/96 table main
/sbin/ip -6 route del blackhole ::/96 table main
/sbin/ip -6 route del blackhole 0:0:0:0:0:ffff::/96 table main
/sbin/ip -6 route del blackhole 0:0:0:0:0:ffff::/96 table main
/sbin/ip -6 route del blackhole ::/0 table main
/sbin/ip -6 route del blackhole ::/0 table main
{% else %}
# static routes for icvpn
/sbin/ip -4 route del {{ icvpn_ipv4_transfer_net }}{% for host in groups['ffmwu-gateways'] %} nexthop via {{ bgp_ipv4_transfer_net | ipaddr('net') | ipaddr(hostvars[host]['magic']) | ipaddr('ip') }}{% endfor %}
/sbin/ip -6 route del {{ icvpn_ipv6_transfer_net }}{% for host in groups['ffmwu-gateways'] %} nexthop via {{ bgp_ipv6_transfer_net | ipaddr('net') | ipsubnet(64, 0) | ipaddr(hostvars[host]['magic']) | ipaddr('ip') }}{% endfor %}
{% endif %}
@ -1,14 +1,16 @@
---
---
sysctl_settings_routing:
sysctl_settings_routing_basic:
- name: net.ipv4.ip_forward
value: 1
- name: net.ipv4.conf.default.rp_filter
- name: net.ipv4.conf.default.rp_filter
value: 0
value: 0
- name: net.ipv4.conf.all.rp_filter
- name: net.ipv4.conf.all.rp_filter
value: 0
value: 0
- name: net.ipv6.conf.all.forwarding
value: 1
- name: net.ipv6.conf.all.accept_ra
- name: net.ipv6.conf.all.accept_ra
value: 0
value: 0
- name: net.ipv6.conf.default.accept_ra
- name: net.ipv6.conf.default.accept_ra
value: 0
value: 0
sysctl_settings_routing_gateway:
- name: net.ipv4.ip_forward
value: 1
- name: net.ipv6.conf.all.forwarding
value: 1
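Review bot: `net.ipv4.conf.*.rp_filter = 0` stays in the basic list, so reverse-path filtering is disabled on every meshing server, not just on the gateways that actually forward traffic. With the per-interface `iif …br` policy rules this commit adds for non-gateways, strict mode (1) could well drop legitimate asymmetric traffic, but loose mode (2) would keep source-address validation wherever a route exists at all; consider `value: 2` for the basic list, or a comment above `sysctl_settings_routing_basic` recording why 0 is required on hosts that do not forward. Moving `ip_forward`/`forwarding` into `sysctl_settings_routing_gateway` is the right split; a comment such as `# forwarding is enabled on gateways only; generic mesh servers must not route` would make that intent visible to whoever edits the lists next. Note that a host whose type changes from gateway to generic keeps forwarding enabled, since nothing sets these keys back to 0.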
@ -1,15 +1,20 @@
---
---
- name: Check DNS entries and target distribution
- name: Check basic DNS entries and target distribution
assert:
assert:
that:
that:
- "dns_host_ipv4_address in ansible_all_ipv4_addresses"
- "dns_host_ipv4_address in ansible_all_ipv4_addresses"
- "dns_host_ipv6_address in ansible_all_ipv6_addresses"
- "dns_host_ipv6_address in ansible_all_ipv6_addresses"
- "dns_gate_num_cname == inventory_hostname"
- "dns_gate_icvpn_cname == inventory_hostname"
- "ansible_distribution == 'Debian'"
- "ansible_distribution == 'Debian'"
- "ansible_distribution_major_version == '9'"
- "ansible_distribution_major_version == '9'"
- name: Check gateway specific DNS entries
when: ffmwu_server_type == "gateway"
assert:
that:
- "dns_gate_num_cname == inventory_hostname"
- "dns_gate_icvpn_cname == inventory_hostname"
- name: Test root access for admin account
- name: Test root access for admin account
command: "true"
command: "true"
changed_when: False
changed_when: False
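Review bot: Every task and template in this commit now branches on `ffmwu_server_type`, but the basic preflight assert never checks that the variable is set, so a host with it missing fails with an undefined-variable error somewhere inside a template run instead of at this check. Adding `- "ffmwu_server_type is defined"` to the basic `that:` list gives the same early, readable failure the DNS and distribution checks give; if the set of valid types is small and known, a membership test against that list would be stricter still. As written, the gateway-specific task's `when:` would otherwise be the first place the gap surfaces.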
@ -15,6 +15,7 @@ Im iBGP peeren wir mangels separatem Transfernetz (im Moment) im Mainzer Mesh Ne
- Variable `bgp_ipv4_transfer_net` # IPv4-Range des Mainzer Meshes, das aktuell als Transfernetz benutzt wird.
- Variable `bgp_ipv4_transfer_net` # IPv4-Range des Mainzer Meshes, das aktuell als Transfernetz benutzt wird.
- Variable `bgp_ipv6_transfer_net` # IPv6-Range des Mainzer Meshes, das aktuell als Transfernetz benutzt wird.
- Variable `bgp_ipv6_transfer_net` # IPv6-Range des Mainzer Meshes, das aktuell als Transfernetz benutzt wird.
- Variable `bgp_as_private_mwu` # Private ASN von Freifunk MWU
- Variable `bgp_as_private_mwu` # Private ASN von Freifunk MWU
- Liste `bgp_groups` # List von Hostgruppen zu denen eine Verbindung aufgebaut werden soll
- Dictionary `bgp_mwu_servers`
- Dictionary `bgp_mwu_servers`
```
```
@ -2,14 +2,16 @@
# {{ ansible_managed }}
# {{ ansible_managed }}
#
#
{% for gateway in groups['ffmwu-gateways'] %}
{% for group in bgp_groups %}
{% if gateway != inventory_hostname %}
{% for host in groups[group] %}
protocol bgp mwu_{{ gateway.rsplit('.freifunk-mwu.de')[0] }} from ibgp_mwu {
{% if host != inventory_hostname %}
neighbor {{ bgp_ipv4_transfer_net | ipaddr('net') | ipaddr(hostvars[gateway]['magic']) | ipaddr('ip') }} as mwu_as;
protocol bgp mwu_{{ host.rsplit('.freifunk-mwu.de')[0] }} from ibgp_mwu {
neighbor {{ bgp_ipv4_transfer_net | ipaddr('net') | ipaddr(hostvars[host]['magic']) | ipaddr('ip') }} as mwu_as;
};
};
{% endif %}
{% endif %}
{% endfor %}
{% endfor %}
{% endfor %}
{% for item, value in bgp_mwu_servers.items() %}
{% for item, value in bgp_mwu_servers.items() %}
{% if item != inventory_hostname_short %}
{% if item != inventory_hostname_short %}
protocol bgp mwu_{{ item }} from ibgp_mwu {
protocol bgp mwu_{{ item }} from ibgp_mwu {
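Review bot: The outer `{% for group in bgp_groups %}` with the inner `{% for host in groups[group] %}` emits one `protocol bgp mwu_…` stanza per membership, so a host that belongs to two groups listed in `bgp_groups` is rendered twice and bird will most likely reject the duplicate protocol name; the IPv6 template in this commit has the same structure. If overlapping groups are not expected, a one-line `{# bgp_groups must not overlap: each host may appear once #}` above the outer loop documents the assumption; otherwise gather the hosts and de-duplicate before looping. The protocol name is still derived with `host.rsplit('.freifunk-mwu.de')[0]`, so a member of any other domain yields a name containing dots — pre-existing, but now reachable for every group that is added to `bgp_groups`.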
@ -2,14 +2,16 @@
# {{ ansible_managed }}
# {{ ansible_managed }}
#
#
{% for gateway in groups['ffmwu-gateways'] %}
{% for group in bgp_groups %}
{% if gateway != inventory_hostname %}
{% for host in groups[group] %}
protocol bgp mwu_{{ gateway.rsplit('.freifunk-mwu.de')[0] }} from ibgp_mwu {
{% if host != inventory_hostname %}
neighbor {{ bgp_ipv6_transfer_net | ipaddr('net') | ipsubnet(64, 0) | ipaddr(hostvars[gateway]['magic']) | ipaddr('ip') }} as mwu_as;
protocol bgp mwu_{{ host.rsplit('.freifunk-mwu.de')[0] }} from ibgp_mwu {
neighbor {{ bgp_ipv6_transfer_net | ipaddr('net') | ipsubnet(64, 0) | ipaddr(hostvars[host]['magic']) | ipaddr('ip') }} as mwu_as;
};
};
{% endif %}
{% endif %}
{% endfor %}
{% endfor %}
{% endfor %}
{% for item, value in bgp_mwu_servers.items() %}
{% for item, value in bgp_mwu_servers.items() %}
{% if item != inventory_hostname_short %}
{% if item != inventory_hostname_short %}
protocol bgp mwu_{{ item }} from ibgp_mwu {
protocol bgp mwu_{{ item }} from ibgp_mwu {
@ -2,7 +2,7 @@
<html>
<html>
<head>
<head>
<meta charset="UTF-8" />
<meta charset="UTF-8" />
<title>Freifunk MWU Gateway "{{ inventory_hostname_short }}" </title>
<title>Freifunk MWU Server "{{ inventory_hostname_short }}" </title>
<link href="./static/favicon.ico" rel="shortcut icon" />
<link href="./static/favicon.ico" rel="shortcut icon" />
<link href="./static/style.css" rel="stylesheet" type="text/css" media="screen" />
<link href="./static/style.css" rel="stylesheet" type="text/css" media="screen" />
<script type="text/javascript">
<script type="text/javascript">
@ -17,9 +17,11 @@
</head>
</head>
<body>
<body>
<header>
<header>
<h1>Freifunk MWU Gateway <a href="./index.html">{{ inventory_hostname_short }}</a></h1>
<h1>Freifunk MWU Server <a href="./index.html">{{ inventory_hostname_short }}</a></h1>
</header>
</header>
{% if ffmwu_server_type == "firmware-build" or ffmwu_server_type == "gateway" %}
<div class="block"><a href="firmware">Firmware</a></div>
<div class="block"><a href="firmware">Firmware</a></div>
{% endif %}
{% if ffmwu_server_type == "firmware-build" %}
{% if ffmwu_server_type == "firmware-build" %}
<div class="block"><a href="_archive">Firmware Archiv</a></div>
<div class="block"><a href="_archive">Firmware Archiv</a></div>
{% endif %}
{% endif %}
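Review bot: The new guard spells the condition as two equality tests, `{% if ffmwu_server_type == "firmware-build" or ffmwu_server_type == "gateway" %}`; a membership test, `{% if ffmwu_server_type in ["firmware-build", "gateway"] %}`, reads as "these types have a firmware directory" and only needs one edit when the next type joins the list. This is style only; the rendered page is identical, and the existing `firmware-build`-only guard below it stays as it is.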
@ -11,6 +11,14 @@
version: mwu-respondd
version: mwu-respondd
become: false
become: false
- name: set respondd vpn flag to false
when: ffmwu_server_type != "gateway"
copy:
content: "False"
dest: /home/admin/clones/mesh-announce/nodeinfo.d/vpn
notify:
- restart respondd
- name: write systemd unit files
- name: write systemd unit files
template:
template:
src: respondd.service.j2
src: respondd.service.j2
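Review bot: The new copy task lacks the `become: false` that the preceding clone task carries, so if the play escalates privileges the `vpn` flag file is created root-owned inside the admin-owned clone under `/home/admin/clones/mesh-announce`; adding `become: false` (or an explicit `owner`/`group`) to the task keeps ownership consistent with the checkout. It also only covers the non-gateway case: a host re-typed from gateway to generic server gets `False` written, but one re-typed the other way keeps the stale file, so consider writing the flag for every server type or removing the file when `ffmwu_server_type == "gateway"`. Whether writing into the checked-out tree disturbs the next `git` update depends on whether `nodeinfo.d/vpn` is tracked by that repository — worth checking before this lands.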