freifunk/ansible-ffibk
9
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

split out gateway specific stuff to use roles for generic meshing servers

Browse source
This commit is contained in:
Julian Labus 2018-09-09 10:26:23 +02:00
parent 37596e917d
commit 8d7af519a5
No known key found for this signature in database
GPG key ID: 8AF209F2C6B3572A
15 changed files with 101 additions and 26 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
inventory/group_vars/all
View file

@ -5,16 +5,13 @@ as_public_ffrl: 201701
internet_exit_tcp_mss_ipv4: 1240
internet_exit_tcp_mss_ipv6: 1220
routing_tables:
icvpn: 23
mwu: 41
internet: 61
icvpn_ipv4_transfer_net: 10.207.0.0/16
icvpn_ipv6_transfer_net: fec0::a:cf:0:0/96
bgp_loopback_net: 10.37.0.0/18
bgp_ipv4_transfer_net: 10.37.0.0/18
bgp_ipv6_transfer_net: fd37:b4dc:4b1e::/64
bgp_groups:
- ffmwu-gateways
http_domain_internal: ffmwu.org
http_domain_external: freifunk-mwu.de

8
roles/git-repos/vars/main.yml → inventory/group_vars/ffmwu-gateways
View file

@ -1,4 +1,9 @@
---
routing_tables:
icvpn: 23
mwu: 41
internet: 61
common_repos:
backend-scripts:
repo_url: https://github.com/freifunk-mwu/backend-scripts.git
@ -9,3 +14,6 @@ common_repos:
icvpn-scripts:
repo_url: https://github.com/freifunk/icvpn-scripts.git
version: master
prometheus_components:
- node_exporter

2
roles/network-batman/templates/batman.j2
View file

@ -10,6 +10,6 @@ iface {{ item.id }}bat
batman-ifaces {{ item.id }}0 {% for instance in item.fastd.nodes.instances %}{{ item.id }}vpn-{{ instance.mtu }}{% if not loop.last %} {% endif %}{% endfor %} {% for instance in item.fastd.backbone.instances %}{{ item.id }}igvpn-{{ instance.mtu }}{% if not loop.last %} {% endif %}{% endfor %}
batman-hop-penalty {{ item.batman.hop_penalty }}
post-up /usr/sbin/batctl -m $IFACE it {{ item.batman.it }}
post-up /usr/sbin/batctl -m $IFACE gw {{ item.batman.gw }}
post-up /usr/sbin/batctl -m $IFACE mm {{ item.batman.mm }}
post-up /usr/sbin/batctl -m $IFACE dat {{ item.batman.dat }}
{% if ffmwu_server_type == 'gateway' %} post-up /usr/sbin/batctl -m $IFACE gw {{ item.batman.gw }}{% endif %}

12
roles/network-routing/tasks/main.yml
View file

@ -53,9 +53,17 @@
enabled: yes
state: started
- name: set sysctl settings for routing
- name: set basic sysctl settings for routing
sysctl:
name: "{{ item.name }}"
value: "{{ item.value }}"
state: present
with_items: "{{ sysctl_settings_routing }}"
with_items: "{{ sysctl_settings_routing_basic }}"
- name: set gateway sysctl settings for routing
when: ffmwu_server_type == "gateway"
sysctl:
name: "{{ item.name }}"
value: "{{ item.value }}"
state: present
with_items: "{{ sysctl_settings_routing_gateway }}"

12
roles/network-routing/templates/ffmwu-add-ip-rules.sh.j2
View file

@ -3,6 +3,7 @@
# {{ ansible_managed }}
#
{% if ffmwu_server_type == 'gateway' %}
# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
{% for mesh in meshes %}
ip -4 rule add from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
@ -78,5 +79,16 @@ ip -4 rule add from all lookup mwu priority 107
ip -4 rule add from all lookup icvpn priority 107
ip -6 rule add from all lookup mwu priority 107
ip -6 rule add from all lookup icvpn priority 107
{% else %}
# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
{% for mesh in meshes %}
ip -4 rule add from all iif {{ mesh.id }}br lookup mwu priority 7
ip -4 rule add from {{ mesh.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('ip/prefix') }}/32 lookup mwu priority 7
{% for ula in mesh.ipv6_ula %}
ip -6 rule add from all iif {{ mesh.id }}br lookup mwu priority 7
ip -6 rule add from {{ ula | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('ip/prefix') }}/128 lookup mwu priority 7
{% endfor %}
{% endfor %}
{% endif %}
exit 0

8
roles/network-routing/templates/ffmwu-add-static-routes.sh.j2
View file

@ -18,6 +18,7 @@
{% endif %}
{% endfor %}
{% if ffmwu_server_type == 'gateway' %}
# static blackhole routes for rt_table internet
/sbin/ip -4 route add blackhole 0.0.0.0/8 table internet
/sbin/ip -4 route add blackhole 10.0.0.0/8 table internet
@ -64,3 +65,10 @@
/sbin/ip -6 route add blackhole ::/96 table main
/sbin/ip -6 route add blackhole 0:0:0:0:0:ffff::/96 table main
/sbin/ip -6 route add blackhole ::/0 table main
{% else %}
# static routes for icvpn
/sbin/ip -4 route add {{ icvpn_ipv4_transfer_net }}{% for host in groups['ffmwu-gateways'] %} nexthop via {{ bgp_ipv4_transfer_net | ipaddr('net') | ipaddr(hostvars[host]['magic']) | ipaddr('ip') }}{% endfor %}
/sbin/ip -6 route add {{ icvpn_ipv6_transfer_net }}{% for host in groups['ffmwu-gateways'] %} nexthop via {{ bgp_ipv6_transfer_net | ipaddr('net') | ipsubnet(64, 0) | ipaddr(hostvars[host]['magic']) | ipaddr('ip') }}{% endfor %}
{% endif %}

12
roles/network-routing/templates/ffmwu-del-ip-rules.sh.j2
View file

@ -3,6 +3,7 @@
# {{ ansible_managed }}
#
{% if ffmwu_server_type == 'gateway' %}
# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
{% for mesh in meshes %}
ip -4 rule del from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
@ -78,5 +79,16 @@ ip -4 rule del from all lookup mwu priority 107
ip -4 rule del from all lookup icvpn priority 107
ip -6 rule del from all lookup mwu priority 107
ip -6 rule del from all lookup icvpn priority 107
{% else %}
# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
{% for mesh in meshes %}
ip -4 rule del from all iif {{ mesh.id }}br lookup mwu priority 7
ip -4 rule del from {{ mesh.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('ip/prefix') }}/32 lookup mwu priority 7
{% for ula in mesh.ipv6_ula %}
ip -6 rule del from all iif {{ mesh.id }}br lookup mwu priority 7
ip -6 rule del from {{ ula | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('ip/prefix') }}/128 lookup mwu priority 7
{% endfor %}
{% endfor %}
{% endif %}
exit 0

8
roles/network-routing/templates/ffmwu-del-static-routes.sh.j2
View file

@ -18,6 +18,7 @@
{% endif %}
{% endfor %}
{% if ffmwu_server_type == 'gateway' %}
# static blackhole routes for rt_table internet
/sbin/ip -4 route del blackhole 0.0.0.0/8 table internet
/sbin/ip -4 route del blackhole 10.0.0.0/8 table internet
@ -64,3 +65,10 @@
/sbin/ip -6 route del blackhole ::/96 table main
/sbin/ip -6 route del blackhole 0:0:0:0:0:ffff::/96 table main
/sbin/ip -6 route del blackhole ::/0 table main
{% else %}
# static routes for icvpn
/sbin/ip -4 route del {{ icvpn_ipv4_transfer_net }}{% for host in groups['ffmwu-gateways'] %} nexthop via {{ bgp_ipv4_transfer_net | ipaddr('net') | ipaddr(hostvars[host]['magic']) | ipaddr('ip') }}{% endfor %}
/sbin/ip -6 route del {{ icvpn_ipv6_transfer_net }}{% for host in groups['ffmwu-gateways'] %} nexthop via {{ bgp_ipv6_transfer_net | ipaddr('net') | ipsubnet(64, 0) | ipaddr(hostvars[host]['magic']) | ipaddr('ip') }}{% endfor %}
{% endif %}

12
roles/network-routing/vars/main.yml
View file

@ -1,14 +1,16 @@
---
sysctl_settings_routing:
- name: net.ipv4.ip_forward
value: 1
sysctl_settings_routing_basic:
- name: net.ipv4.conf.default.rp_filter
value: 0
- name: net.ipv4.conf.all.rp_filter
value: 0
- name: net.ipv6.conf.all.forwarding
value: 1
- name: net.ipv6.conf.all.accept_ra
value: 0
- name: net.ipv6.conf.default.accept_ra
value: 0
sysctl_settings_routing_gateway:
- name: net.ipv4.ip_forward
value: 1
- name: net.ipv6.conf.all.forwarding
value: 1

11
roles/prerequisites/tasks/main.yml
View file

@ -1,15 +1,20 @@
---
- name: Check DNS entries and target distribution
- name: Check basic DNS entries and target distribution
assert:
that:
- "dns_host_ipv4_address in ansible_all_ipv4_addresses"
- "dns_host_ipv6_address in ansible_all_ipv6_addresses"
- "dns_gate_num_cname == inventory_hostname"
- "dns_gate_icvpn_cname == inventory_hostname"
- "ansible_distribution == 'Debian'"
- "ansible_distribution_major_version == '9'"
- name: Check gateway specific DNS entries
when: ffmwu_server_type == "gateway"
assert:
that:
- "dns_gate_num_cname == inventory_hostname"
- "dns_gate_icvpn_cname == inventory_hostname"
- name: Test root access for admin account
command: "true"
changed_when: False

1
roles/service-bird/README.md
View file

@ -15,6 +15,7 @@ Im iBGP peeren wir mangels separatem Transfernetz (im Moment) im Mainzer Mesh Ne
- Variable `bgp_ipv4_transfer_net` # IPv4-Range des Mainzer Meshes, das aktuell als Transfernetz benutzt wird.
- Variable `bgp_ipv6_transfer_net` # IPv6-Range des Mainzer Meshes, das aktuell als Transfernetz benutzt wird.
- Variable `bgp_as_private_mwu` # Private ASN von Freifunk MWU
- Liste `bgp_groups` # List von Hostgruppen zu denen eine Verbindung aufgebaut werden soll
- Dictionary `bgp_mwu_servers`
```

10
roles/service-bird/templates/mwu_ipv4_peers.conf.j2
View file

@ -2,14 +2,16 @@
# {{ ansible_managed }}
#
{% for gateway in groups['ffmwu-gateways'] %}
{% if gateway != inventory_hostname %}
protocol bgp mwu_{{ gateway.rsplit('.freifunk-mwu.de')[0] }} from ibgp_mwu {
neighbor {{ bgp_ipv4_transfer_net | ipaddr('net') | ipaddr(hostvars[gateway]['magic']) | ipaddr('ip') }} as mwu_as;
{% for group in bgp_groups %}
{% for host in groups[group] %}
{% if host != inventory_hostname %}
protocol bgp mwu_{{ host.rsplit('.freifunk-mwu.de')[0] }} from ibgp_mwu {
neighbor {{ bgp_ipv4_transfer_net | ipaddr('net') | ipaddr(hostvars[host]['magic']) | ipaddr('ip') }} as mwu_as;
};
{% endif %}
{% endfor %}
{% endfor %}
{% for item, value in bgp_mwu_servers.items() %}
{% if item != inventory_hostname_short %}
protocol bgp mwu_{{ item }} from ibgp_mwu {

10
roles/service-bird/templates/mwu_ipv6_peers.conf.j2
View file

@ -2,14 +2,16 @@
# {{ ansible_managed }}
#
{% for gateway in groups['ffmwu-gateways'] %}
{% if gateway != inventory_hostname %}
protocol bgp mwu_{{ gateway.rsplit('.freifunk-mwu.de')[0] }} from ibgp_mwu {
neighbor {{ bgp_ipv6_transfer_net | ipaddr('net') | ipsubnet(64, 0) | ipaddr(hostvars[gateway]['magic']) | ipaddr('ip') }} as mwu_as;
{% for group in bgp_groups %}
{% for host in groups[group] %}
{% if host != inventory_hostname %}
protocol bgp mwu_{{ host.rsplit('.freifunk-mwu.de')[0] }} from ibgp_mwu {
neighbor {{ bgp_ipv6_transfer_net | ipaddr('net') | ipsubnet(64, 0) | ipaddr(hostvars[host]['magic']) | ipaddr('ip') }} as mwu_as;
};
{% endif %}
{% endfor %}
{% endfor %}
{% for item, value in bgp_mwu_servers.items() %}
{% if item != inventory_hostname_short %}
protocol bgp mwu_{{ item }} from ibgp_mwu {

6
roles/service-nginx/templates/index.html.j2
View file

@ -2,7 +2,7 @@
<html>
<head>
<meta charset="UTF-8" />
<title>Freifunk MWU Gateway "{{ inventory_hostname_short }}" </title>
<title>Freifunk MWU Server "{{ inventory_hostname_short }}" </title>
<link href="./static/favicon.ico" rel="shortcut icon" />
<link href="./static/style.css" rel="stylesheet" type="text/css" media="screen" />
<script type="text/javascript">
@ -17,9 +17,11 @@
</head>
<body>
<header>
<h1>Freifunk MWU Gateway <a href="./index.html">{{ inventory_hostname_short }}</a></h1>
<h1>Freifunk MWU Server <a href="./index.html">{{ inventory_hostname_short }}</a></h1>
</header>
{% if ffmwu_server_type == "firmware-build" or ffmwu_server_type == "gateway" %}
<div class="block"><a href="firmware">Firmware</a></div>
{% endif %}
{% if ffmwu_server_type == "firmware-build" %}
<div class="block"><a href="_archive">Firmware Archiv</a></div>
{% endif %}

8
roles/service-respondd/tasks/main.yml
View file

@ -11,6 +11,14 @@
version: mwu-respondd
become: false
- name: set respondd vpn flag to false
when: ffmwu_server_type != "gateway"
copy:
content: "False"
dest: /home/admin/clones/mesh-announce/nodeinfo.d/vpn
notify:
- restart respondd
- name: write systemd unit files
template:
src: respondd.service.j2