From 49de8d0486cb1a0d7e9d65f594c24f7cbc4c9438 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Tue, 5 Sep 2017 11:09:50 +0200 Subject: [PATCH 001/106] Add filename prefix to playbooks --- ffmwu-build.yml => playbook-build-server.yml | 0 loctevm-meshing.yml => playbook-localtestvm-meshing.yml | 0 loctevm-provide.yml => playbook-localtestvm-provide.yml | 0 ...est-prerequisites.yml => playbook-localtestvm-test-prereqs.yml | 0 ffmwu-meshing.yml => playbook-meshing.yml | 0 ffmwu-servers.yml => playbook-servers.yml | 0 test-prerequisites.yml => playbook-test-prereqs.yml | 0 7 files changed, 0 insertions(+), 0 deletions(-) rename ffmwu-build.yml => playbook-build-server.yml (100%) rename loctevm-meshing.yml => playbook-localtestvm-meshing.yml (100%) rename loctevm-provide.yml => playbook-localtestvm-provide.yml (100%) rename loctevm-test-prerequisites.yml => playbook-localtestvm-test-prereqs.yml (100%) rename ffmwu-meshing.yml => playbook-meshing.yml (100%) rename ffmwu-servers.yml => playbook-servers.yml (100%) rename test-prerequisites.yml => playbook-test-prereqs.yml (100%) diff --git a/ffmwu-build.yml b/playbook-build-server.yml similarity index 100% rename from ffmwu-build.yml rename to playbook-build-server.yml diff --git a/loctevm-meshing.yml b/playbook-localtestvm-meshing.yml similarity index 100% rename from loctevm-meshing.yml rename to playbook-localtestvm-meshing.yml diff --git a/loctevm-provide.yml b/playbook-localtestvm-provide.yml similarity index 100% rename from loctevm-provide.yml rename to playbook-localtestvm-provide.yml diff --git a/loctevm-test-prerequisites.yml b/playbook-localtestvm-test-prereqs.yml similarity index 100% rename from loctevm-test-prerequisites.yml rename to playbook-localtestvm-test-prereqs.yml diff --git a/ffmwu-meshing.yml b/playbook-meshing.yml similarity index 100% rename from ffmwu-meshing.yml rename to playbook-meshing.yml 
diff --git a/ffmwu-servers.yml b/playbook-servers.yml similarity index 100% rename from ffmwu-servers.yml rename to playbook-servers.yml diff --git a/test-prerequisites.yml b/playbook-test-prereqs.yml similarity index 100% rename from test-prerequisites.yml rename to playbook-test-prereqs.yml From 3270b5cc3ee02009819853c834fa0b3ab38de0d4 Mon Sep 17 00:00:00 2001 
From: Tobias Hachmer Date: Tue, 5 Sep 2017 11:25:13 +0200 Subject: [PATCH 002/106] Inventory: clean up & rename role ffmwu-prereq to test-prerequisites Remove all hosts which aren't set up by ansible, yet. Prepare to start from scratch. Only add hosts to the inventory which will be set up completly by ansible. --- inventory/group_vars/gates | 3 -- inventory/group_vars/meshing-only-srv | 3 -- inventory/group_vars/meshing-srv | 19 ---------- inventory/host_vars/aubergine.freifunk-mwu.de | 4 -- inventory/host_vars/churro.freifunk-mwu.de | 4 -- .../host_vars/extrasahne.freifunk-mwu.de | 6 --- .../host_vars/glueckskeks.freifunk-mwu.de | 4 -- inventory/host_vars/ingwer.freifunk-mwu.de | 4 -- inventory/host_vars/linse.freifunk-mwu.de | 3 -- .../host_vars/lotuswurzel.freifunk-mwu.de | 4 -- inventory/host_vars/milchreis.freifunk-mwu.de | 7 ---- inventory/host_vars/spinat.freifunk-mwu.de | 4 -- .../host_vars/suesskartoffel.freifunk-mwu.de | 7 ---- .../host_vars/wasserfloh.freifunk-mwu.de | 4 -- .../host_vars/zuckerwatte.freifunk-mwu.de | 12 ------ inventory/host_vars/zwiebel.freifunk-mwu.de | 4 -- inventory/hosts | 37 +++---------------- playbook-build-server.yml | 3 +- playbook-test-prereqs.yml | 5 +-- .../tasks/main.yml | 0 20 files changed, 8 insertions(+), 129 deletions(-) delete mode 100644 inventory/group_vars/gates delete mode 100644 inventory/group_vars/meshing-only-srv delete mode 100644 inventory/group_vars/meshing-srv delete mode 100644 inventory/host_vars/aubergine.freifunk-mwu.de delete mode 100644 inventory/host_vars/churro.freifunk-mwu.de delete mode 100644 inventory/host_vars/extrasahne.freifunk-mwu.de delete mode 100644 inventory/host_vars/glueckskeks.freifunk-mwu.de delete mode 100644 inventory/host_vars/ingwer.freifunk-mwu.de delete mode 100644 inventory/host_vars/linse.freifunk-mwu.de delete mode 100644 inventory/host_vars/lotuswurzel.freifunk-mwu.de delete mode 100644 inventory/host_vars/milchreis.freifunk-mwu.de delete mode 100644 
inventory/host_vars/spinat.freifunk-mwu.de delete mode 100644 inventory/host_vars/suesskartoffel.freifunk-mwu.de delete mode 100644 inventory/host_vars/wasserfloh.freifunk-mwu.de delete mode 100644 inventory/host_vars/zuckerwatte.freifunk-mwu.de delete mode 100644 inventory/host_vars/zwiebel.freifunk-mwu.de rename roles/{ffmwu-prereqs => test-prerequisites}/tasks/main.yml (100%) diff --git a/inventory/group_vars/gates b/inventory/group_vars/gates deleted file mode 100644 index a074597..0000000 --- a/inventory/group_vars/gates +++ /dev/null @@ -1,3 +0,0 @@ ---- - -fastd_config: 'gate' diff --git a/inventory/group_vars/meshing-only-srv b/inventory/group_vars/meshing-only-srv deleted file mode 100644 index a1d400f..0000000 --- a/inventory/group_vars/meshing-only-srv +++ /dev/null @@ -1,3 +0,0 @@ ---- - -fastd_config: 'meshing-only' diff --git a/inventory/group_vars/meshing-srv b/inventory/group_vars/meshing-srv deleted file mode 100644 index 922f42c..0000000 --- a/inventory/group_vars/meshing-srv +++ /dev/null @@ -1,19 +0,0 @@ ---- - -communities: - - mz - - wi - -community_params: - mz: - fastd_port: 10037 - abbreviation: mz - name: mainz - repo: freifunk-mwu/peers-ffmz - xtra_peers: - - peers_bingen - wi: - fastd_port: 10056 - abbreviation: wi - name: wiesbaden - repo: freifunk-mwu/peers-ffwi diff --git a/inventory/host_vars/aubergine.freifunk-mwu.de b/inventory/host_vars/aubergine.freifunk-mwu.de deleted file mode 100644 index bc82ec6..0000000 --- a/inventory/host_vars/aubergine.freifunk-mwu.de +++ /dev/null @@ -1,4 +0,0 @@ ---- - -ansible_managed_server: True -# not yet: ansible_managed_meshing diff --git a/inventory/host_vars/churro.freifunk-mwu.de b/inventory/host_vars/churro.freifunk-mwu.de deleted file mode 100644 index bc82ec6..0000000 --- a/inventory/host_vars/churro.freifunk-mwu.de +++ /dev/null @@ -1,4 +0,0 @@ ---- - -ansible_managed_server: True -# not yet: ansible_managed_meshing 
diff --git a/inventory/host_vars/extrasahne.freifunk-mwu.de b/inventory/host_vars/extrasahne.freifunk-mwu.de deleted file mode 100644 index ff09e51..0000000 --- a/inventory/host_vars/extrasahne.freifunk-mwu.de +++ /dev/null @@ -1,6 +0,0 @@ ---- - -ansible_managed_server: True -ansible_managed_meshing: True - -fastd_alias: gw_extrasahne diff --git a/inventory/host_vars/glueckskeks.freifunk-mwu.de b/inventory/host_vars/glueckskeks.freifunk-mwu.de deleted file mode 100644 index bc82ec6..0000000 --- a/inventory/host_vars/glueckskeks.freifunk-mwu.de +++ /dev/null @@ -1,4 +0,0 @@ ---- - -ansible_managed_server: True -# not yet: ansible_managed_meshing diff --git a/inventory/host_vars/ingwer.freifunk-mwu.de b/inventory/host_vars/ingwer.freifunk-mwu.de deleted file mode 100644 index bc82ec6..0000000 --- a/inventory/host_vars/ingwer.freifunk-mwu.de +++ /dev/null @@ -1,4 +0,0 @@ ---- - -ansible_managed_server: True -# not yet: ansible_managed_meshing diff --git a/inventory/host_vars/linse.freifunk-mwu.de b/inventory/host_vars/linse.freifunk-mwu.de deleted file mode 100644 index 5b67d99..0000000 --- a/inventory/host_vars/linse.freifunk-mwu.de +++ /dev/null @@ -1,3 +0,0 @@ ---- - -ansible_managed_server: True diff --git a/inventory/host_vars/lotuswurzel.freifunk-mwu.de b/inventory/host_vars/lotuswurzel.freifunk-mwu.de deleted file mode 100644 index bc82ec6..0000000 --- a/inventory/host_vars/lotuswurzel.freifunk-mwu.de +++ /dev/null @@ -1,4 +0,0 @@ ---- - -ansible_managed_server: True -# not yet: ansible_managed_meshing diff --git a/inventory/host_vars/milchreis.freifunk-mwu.de b/inventory/host_vars/milchreis.freifunk-mwu.de deleted file mode 100644 index a6193da..0000000 --- a/inventory/host_vars/milchreis.freifunk-mwu.de +++ /dev/null @@ -1,7 +0,0 @@ ---- - -ansible_managed_server: True -ansible_managed_build: True - -h_v_add_auth_keys: | - ssh-rsa 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 maesto@GLaDOS 
diff --git a/inventory/host_vars/spinat.freifunk-mwu.de b/inventory/host_vars/spinat.freifunk-mwu.de deleted file mode 100644 index bc82ec6..0000000 --- a/inventory/host_vars/spinat.freifunk-mwu.de +++ /dev/null @@ -1,4 +0,0 @@ ---- - -ansible_managed_server: True -# not yet: ansible_managed_meshing diff --git a/inventory/host_vars/suesskartoffel.freifunk-mwu.de b/inventory/host_vars/suesskartoffel.freifunk-mwu.de deleted file mode 100644 index 9e44bdf..0000000 --- a/inventory/host_vars/suesskartoffel.freifunk-mwu.de +++ /dev/null @@ -1,7 +0,0 @@ ---- - -ansible_managed_server: True -# not yet: ansible_managed_meshing - -h_v_add_auth_keys: | - ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAt00Ozv50kIis7YKBaey5alVps98ZzW4CVO9tA8AHvsGXn8cleROjcGdbz/YwPm2RH+A+GQrRqCuEf3SPVxvthlVUuHQPKzDdX3PpcakN05CoEwR3zVwjwdzXaO3fKbN5ZCEUKTpaJU6Lngi6vO6HLzsuYloSJs3t7PGpV1xp3YESyXX7D78w9YRJSe2n3WMrA40lQ91u79V0efoX1mKQYzPH86uwhWsOqi08DvE6gxsqKMY6P06nljmsQOFsdX8S/HVrWtIcnne50b63vPMMLRkOLa5FP6qMIjU3LiirrpL80r1gmVZGVRHO6uJr+mrOb6A76cZ7LT8jaKFgnVhOyw== msslovi0@wyoming.local diff --git a/inventory/host_vars/wasserfloh.freifunk-mwu.de b/inventory/host_vars/wasserfloh.freifunk-mwu.de deleted file mode 100644 index bc82ec6..0000000 --- a/inventory/host_vars/wasserfloh.freifunk-mwu.de +++ /dev/null @@ -1,4 +0,0 @@ ---- - -ansible_managed_server: True -# not yet: ansible_managed_meshing diff --git a/inventory/host_vars/zuckerwatte.freifunk-mwu.de b/inventory/host_vars/zuckerwatte.freifunk-mwu.de deleted file mode 100644 index 9fa8544..0000000 --- a/inventory/host_vars/zuckerwatte.freifunk-mwu.de +++ /dev/null 
@@ -1,12 +0,0 @@ ---- - -ansible_managed_server: True -# not yet: ansible_managed_meshing - -h_v_add_auth_keys: | - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHs63QNerevCI6wt2Gpq/IpHTPVeHIP8aKIOrRCUlKWR ccgx@small-x - ssh-rsa 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 magic - ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAhrDPtvVZb9I7Z2dXl3IXa34sT41/7YCl0kBJ2pgOzrTqXn6HjM8iY7duMxr1ScWlsaIoJAJmpML1LM7hkRJiray5YgjXjcNaz8HxDkV/JLLUMqzQSeDuVTFZzrQBQknzEehuA6XPTLRcgPMnpKhyt3TU4E3rHTDEFLHGEn2I9IZeImGdrehgWoJQz0gGyXI5h49bj6AXHz4etgH349ZCvQWY2e/127owcoPK5EyFBsDMKgnfdxCpAHa3vWFdUnbwqHiVu445qr2U4PiG2AK6PZKRsMauR9jBG1EfeRrc7STcx3OYRbBaQoHJkvw8dD0bH5tI1VVnXfZ2CYOyIGWHJw== mitch - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDUI92QCs7D8mpCoqUug1fOcKf7V5nyKZJiyFfsz0T/ ccgx@mobile-x - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDFx5FdrQYkd11mEBxEZLUjdI1gOlee8kP+imUTInsYGK9r3wuoiVoWX4ZdemhB6ezmJwY7mmqjHpFixct3FDdZDvoQjbbS0jM9zQtLp3quHlgpbhCSCG0NOzsjRMJhV1rQguVXDBcDxXZf1YDr9S4YJWPJ1USPPE9IILdbDl6lgaTxsEpeL6unQ3SHUkwLnQVnof1DAsS9yyyDouKMAnoiLIqOi2firerm+2KjtWXpQGF8d58eXg8FSy6iWHmy+mEOBo5W2vy8CT80hR72Ynyy4JjijvSjUzqHs9bJjxCVWOV1/4sZ5GUgNzNknIduny4tR744JRmWDfeCjCS9T3TdpKbL7Xd6pjPW4/q5Z3u0DZFutR3tBp0Xm69ic4QQZVMa14FZcipKNdE+uTpIzfpClz2e4RBR8DlJn2DexvEGSGJu3t8uOFqVnJrkmJL/eIWkRpYe+JvpaF7M7K+dM/aQWOtoTWQrmujGUqXLvSyFnuUk4PhPc3an+HaxYFCBcVGQHypc7VyAg/Bm14ZBYbj93c0UTUV01VKu5/tCjq42+hDvMsn1ZyuZ66hnnZizLzIZGH3ciGdZwPp+32nC0sT09Y8pbAZFhN6sfQHDvVrHpOjJXmbBKZ2xjYoUKoi4rdds7sLhvuJV0a3i56WR8CCIx94UGjxkfJ0A9RR24AlAuQ== mattsches@gmail.com - ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAt00Ozv50kIis7YKBaey5alVps98ZzW4CVO9tA8AHvsGXn8cleROjcGdbz/YwPm2RH+A+GQrRqCuEf3SPVxvthlVUuHQPKzDdX3PpcakN05CoEwR3zVwjwdzXaO3fKbN5ZCEUKTpaJU6Lngi6vO6HLzsuYloSJs3t7PGpV1xp3YESyXX7D78w9YRJSe2n3WMrA40lQ91u79V0efoX1mKQYzPH86uwhWsOqi08DvE6gxsqKMY6P06nljmsQOFsdX8S/HVrWtIcnne50b63vPMMLRkOLa5FP6qMIjU3LiirrpL80r1gmVZGVRHO6uJr+mrOb6A76cZ7LT8jaKFgnVhOyw== msslovi0@wyoming.local 
diff --git a/inventory/host_vars/zwiebel.freifunk-mwu.de b/inventory/host_vars/zwiebel.freifunk-mwu.de deleted file mode 100644 index bc82ec6..0000000 --- a/inventory/host_vars/zwiebel.freifunk-mwu.de +++ /dev/null @@ -1,4 +0,0 @@ ---- - -ansible_managed_server: True -# not yet: ansible_managed_meshing diff --git a/inventory/hosts b/inventory/hosts index 4dc8637..835030a 100644 --- a/inventory/hosts +++ b/inventory/hosts @@ -1,37 +1,10 @@ -[gates] -spinat.freifunk-mwu.de -lotuswurzel.freifunk-mwu.de -wasserfloh.freifunk-mwu.de -# kaschu.freifunk-mwu.de # außer Dienst -ingwer.freifunk-mwu.de # (Debian) -#mettigel.freifunk-mwu.de -#parmesan.freifunk-mwu.de -extrasahne.freifunk-mwu.de require_dns=False # (Debian 8) FIXME: set IPv6 +[ffmwu-servers:children] +ffmwu-gateways +ffmwu-build-servers -[meshing-srv:children] -gates -meshing-only-srv -test-vms +[ffmwu-gateways] -[meshing-only-srv] -aubergine.freifunk-mwu.de # int. DNS-master -zuckerwatte.freifunk-mwu.de # web, blogs, wiki -churro.freifunk-mwu.de # Abloesung: web, blogs, wiki (Debian) -glueckskeks.freifunk-mwu.de # -zwiebel.freifunk-mwu.de # -suesskartoffel.freifunk-mwu.de # - -[ff-servers:children] -gates -meshing-only-srv -simple-ff-servers -build-servers -test-vms - -[simple-ff-servers] # not meshing -linse.freifunk-mwu.de # ext. DNS-master - -[build-servers] +[ffmwu-build-servers] milchreis.freifunk-mwu.de [test-vms] diff --git a/playbook-build-server.yml b/playbook-build-server.yml index 958d485..7b76e33 100755 --- a/playbook-build-server.yml +++ b/playbook-build-server.yml @@ -1,8 +1,7 @@ #!/usr/bin/ansible-playbook --- -- hosts: build-servers +- hosts: ffmwu-build-servers remote_user: admin - strategy: linear roles: - ffmwu-build diff --git a/playbook-test-prereqs.yml b/playbook-test-prereqs.yml index 7f740e5..f96d426 100755 --- a/playbook-test-prereqs.yml +++ b/playbook-test-prereqs.yml 
@@ -1,9 +1,8 @@ #!/usr/bin/ansible-playbook --- -- hosts: ff-servers +- hosts: ffmwu-servers remote_user: admin - strategy: free roles: - - ffmwu-prereqs + - test-prerequisites diff --git a/roles/ffmwu-prereqs/tasks/main.yml b/roles/test-prerequisites/tasks/main.yml similarity index 100% rename from roles/ffmwu-prereqs/tasks/main.yml rename to roles/test-prerequisites/tasks/main.yml From 1f0b5925a8a78a40cdb8ff604e3cacc78ce9b3ff Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Tue, 5 Sep 2017 11:29:13 +0200 Subject: [PATCH 003/106] Role test-prerequisites: improve tasks; update OS to current debian stable --- roles/test-prerequisites/tasks/main.yml | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/roles/test-prerequisites/tasks/main.yml b/roles/test-prerequisites/tasks/main.yml index 912db2e..9b45590 100755 --- a/roles/test-prerequisites/tasks/main.yml +++ b/roles/test-prerequisites/tasks/main.yml 
@@ -1,25 +1,23 @@ --- - - name: assert IPv4 DNS entry - local_action: shell dig A {{ inventory_hostname }} | egrep '^{{ inventory_hostname }}' + local_action: shell dig +short A {{ inventory_hostname }} | egrep '^{{ ansible_default_ipv4.address }}' changed_when: False - when: "{{ require_dns | default('True') }}" - name: assert IPv6 DNS entry - local_action: shell dig AAAA {{ inventory_hostname }} | egrep '^{{ inventory_hostname }}' + local_action: shell dig +short AAAA {{ inventory_hostname }} | egrep '^{{ ansible_default_ipv6.address }}' changed_when: False - when: "{{ require_dns | default('True') }}" -- name: test access to admin account (ssh key neccessary!) +- name: Test access to admin account command: "true" changed_when: False -- name: test access to root account +- name: Test root access for admin account command: "true" changed_when: False become: True - become_user: root -- name: fail on wrong OS type and version # TODO: include debian +- name: Check for correct OS type and version fail: msg="unsupported OS type or version - {{ ansible_distribution }} {{ ansible_distribution_major_version }}" - when: not ( ( ansible_distribution=="Ubuntu" and ansible_distribution_major_version|int==14 ) or ( ansible_distribution=="Debian" and ansible_distribution_major_version|int==8 ) ) + when: + - ansible_distribution != "Debian" + - ansible_distribution_major_version|int != "9" From 94cb21daad1b2e9594b34c171fc527b4f08527bc Mon Sep 17 00:00:00 2001 
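Review bot: The OS check at the end of the hunk cannot reject Debian 8: the two entries in the `when:` list are ANDed, so `ansible_distribution != "Debian"` is false on every Debian host and the fail task never fires there, while `ansible_distribution_major_version|int != "9"` compares an int with a string and is therefore always true. A single expression keeps the stated intent, `when: not (ansible_distribution == "Debian" and ansible_distribution_major_version|int == 9)`. The two DNS assertions interpolate the address unescaped into `egrep '^{{ ansible_default_ipv4.address }}'`, so `^10.37.0.7` also matches `10.37.0.70`; anchoring with `$` and escaping the dots (or registering the dig output and comparing with `==`) makes the check exact. Whether `ansible_default_ipv4.address` is the address published in DNS depends on the host not sitting behind NAT, which this role cannot tell; if that is the intended assumption, a comment above the task stating it would help the next reader.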
From: Tobias Hachmer Date: Tue, 5 Sep 2017 12:01:27 +0200 Subject: [PATCH 004/106] Add a bunch of new roles - Update Readme - Update ansible.cfg - Add playbook to set up gateways - Add group variables --- Readme.md | 146 +++++++++++++++--- ansible.cfg | 3 +- inventory/group_vars/all | 86 +++++++++++ playbook-gateways.yml | 22 +++ roles/git-fastd-peers/tasks/main.yml | 42 +++++ roles/kmod-batman/tasks/main.yml | 18 +++ .../templates/batman-adv.module.conf.j2 | 6 + roles/network-batman/handlers/main.yml | 6 + roles/network-batman/tasks/main.yml | 22 +++ roles/network-batman/templates/batman.j2 | 18 +++ roles/network-batman/templates/dummy.j2 | 12 ++ roles/network-batman/templates/sysfs.j2 | 4 + roles/network-fastd/tasks/main.yml | 14 ++ .../templates/fastd-intragate.j2 | 10 ++ roles/network-fastd/templates/fastd-mesh.j2 | 10 ++ roles/network-ffrl/tasks/main.yml | 7 + roles/network-ffrl/templates/ffrl.j2 | 16 ++ roles/network-meshbridge/handlers/main.yml | 6 + roles/network-meshbridge/tasks/main.yml | 15 ++ roles/network-meshbridge/templates/bridge.j2 | 22 +++ roles/network-meshbridge/templates/sysfs.j2 | 4 + roles/network-routetables/tasks/main.yml | 9 ++ roles/server-basic/tasks/main.yml | 20 +++ roles/server-basic/vars/main.yml | 10 ++ roles/server-repos/tasks/main.yml | 34 ++++ roles/server-repos/vars/main.yml | 12 ++ roles/service-dhcpd/handlers/main.yml | 7 + roles/service-dhcpd/tasks/main.yml | 39 +++++ roles/service-dhcpd/templates/dhcpd.conf.j2 | 28 ++++ roles/service-fastd-intragate/tasks/main.yml | 28 ++++ .../templates/fastd-intragate.conf.j2 | 23 +++ .../templates/fastd-secret.conf.j2 | 9 ++ roles/service-fastd-mesh/tasks/main.yml | 28 ++++ .../templates/fastd-mesh.conf.j2 | 30 ++++ .../templates/fastd-secret.conf.j2 | 9 ++ roles/service-haveged/handlers/main.yml | 5 + roles/service-haveged/tasks/main.yml | 14 ++ roles/service-ntpd/tasks/main.yml | 29 ++++ roles/service-radvd/tasks/main.yml | 20 +++ roles/service-radvd/templates/radvd.conf.j2 | 43 ++++++ 
40 files changed, 860 insertions(+), 26 deletions(-) create mode 100644 inventory/group_vars/all create mode 100755 playbook-gateways.yml create mode 100644 roles/git-fastd-peers/tasks/main.yml create mode 100644 roles/kmod-batman/tasks/main.yml create mode 100644 roles/kmod-batman/templates/batman-adv.module.conf.j2 create mode 100644 roles/network-batman/handlers/main.yml create mode 100644 roles/network-batman/tasks/main.yml create mode 100644 roles/network-batman/templates/batman.j2 create mode 100644 roles/network-batman/templates/dummy.j2 create mode 100644 roles/network-batman/templates/sysfs.j2 create mode 100644 roles/network-fastd/tasks/main.yml create mode 100644 roles/network-fastd/templates/fastd-intragate.j2 create mode 100644 roles/network-fastd/templates/fastd-mesh.j2 create mode 100644 roles/network-ffrl/tasks/main.yml create mode 100644 roles/network-ffrl/templates/ffrl.j2 create mode 100644 roles/network-meshbridge/handlers/main.yml create mode 100644 roles/network-meshbridge/tasks/main.yml create mode 100644 roles/network-meshbridge/templates/bridge.j2 create mode 100644 roles/network-meshbridge/templates/sysfs.j2 create mode 100644 roles/network-routetables/tasks/main.yml create mode 100644 roles/server-basic/tasks/main.yml create mode 100644 roles/server-basic/vars/main.yml create mode 100644 roles/server-repos/tasks/main.yml create mode 100644 roles/server-repos/vars/main.yml create mode 100644 roles/service-dhcpd/handlers/main.yml create mode 100644 roles/service-dhcpd/tasks/main.yml create mode 100644 roles/service-dhcpd/templates/dhcpd.conf.j2 create mode 100644 roles/service-fastd-intragate/tasks/main.yml create mode 100644 roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 create mode 100644 roles/service-fastd-intragate/templates/fastd-secret.conf.j2 create mode 100644 roles/service-fastd-mesh/tasks/main.yml create mode 100644 roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 create mode 100644 
roles/service-fastd-mesh/templates/fastd-secret.conf.j2 create mode 100644 roles/service-haveged/handlers/main.yml create mode 100644 roles/service-haveged/tasks/main.yml create mode 100644 roles/service-ntpd/tasks/main.yml create mode 100644 roles/service-radvd/tasks/main.yml create mode 100644 roles/service-radvd/templates/radvd.conf.j2 diff --git a/Readme.md b/Readme.md index c3ed9b9..c4ecc2b 100644 --- a/Readme.md +++ b/Readme.md 
@@ -1,40 +1,138 @@ -# ansible-ffmwu.git +# Ansible Freifunk MWU -An dieser Stelle soll der ganze ansible-script-junk entstehen, um ein FFMWU-Gateway automagisiert aufzusetzen. Das Geraffel kann später auch auf andere server-Typen erweitert werden, wenn sinnvoll. -Ein server muss minimal vorbereitet sein, bevor er mit den hiesigen Skripten zum Gate (oder zu Sonstigem) gemacht werden kann. Insbesondere müssen die folgenden Voraussetzungen erfüllt sein (diese werden vom playbook `test-prerequisites.yml` getestet): +Wir, die Freifunk MWU Community, nutzen Ansible um unsere Freifunk Server aufzusetzen und zu konfigurieren. In +diesem Repository verwalten wir unsere Ansible Roles und Playbooks. + +Ein Server muss minimal vorbereitet sein, bevor dieser per Ansible z.B. zu einem Freifunk-Gateway gemacht werden kann. Insbesondere müssen die folgenden Voraussetzungen erfüllt sein (diese werden vom playbook `playbook-test-prereqs.yml` getestet): - Ein dedizierter (v)server muss existieren und unter einer IPv4- und einer IPv6-Adresse öffentlich erreichbar sein. -- Die Adressen sollen im MWU-DNS eingetragen sein. -- Es muss eine nakte unterstützte linux-Version aufgesetzt sein (aktuell Ubuntu 14.04, bald Debian). -- Es muss einen user admin geben, auf den die Admins Zugriff haben; dieser muss root-Zugang über sudo haben. +- Die Adressen müssen im MWU-DNS eingetragen sein. +- Als Betriebssystem muss das aktuelle Debian Stable installiert sein. +- Es muss einen User admin geben, auf den die Admins Zugriff haben; dieser muss Root-Zugang über sudo haben. -Zusätzlich ist sehr empfehlenswert, dass die Admins die Maschinen mit ihren fqdns in ihrer ssh-config definiert haben. +Die Server werden mit ihren FQDNs im Ansible Inventory hinterlegt, bedenkt das für eure ssh-config. 
-Bisher gibt es hier zwei Sammlungen von files: zum Einen der Beginn des eigentlichen Zwecks: bisher kann eine Rolle (auf Basis der obigen Voraussetzungen) alle FFMWU-Server in dem ihnen allen identischen Aspekt vorbereiten, der Pflege der ssh keys der admins. Zum Anderen gibt es ein playbook, das eine lokale Test-VM aufsetzt, auf der man alle eigentlichen playbooks und Rollen testen kann, ohne ernsthaften Schaden anzurichten. +## Variablen für jedes Mesh -## Aufsetzen und Pflegen von Gateways +Viele Rollen brauchen spezifische Informationen, wie IP-Adresse, Masken, Interface-Namen, etc. +Wir verwalten diese Mesh-Informationen in einem Dictionary unter `inventory/group_vars/all`: -Alle FFMWU-Gatways sind auch FFMWU-Server, alle anderen server bei uns überraschenderweise auch; so sind auch Alle im inventory in der Gruppe 'ff-servers' zusammengefasst. Der Aspekt, der allen FFMWU-Servern gemein ist, sind die ssh-keys der admins. Auf einigen servern gibt es allerdings weitere Zugriffsberechtigte (spezialisierte admins). +``` +meshes: + mz: + site_number: 37 + site_code: ffmz + site_name: Mainz + ipv4_network: 10.37.0.0/18 + ipv6: + ula: + - fd37:b4dc:4b1e::/48 + public: + - 2a03:2260:11a::/48 + dnssl: + - ffmz.org + - user.ffmz.org + batman: + it: 10000 + gw: server 96mbit/96mbit + mm: 0 + dat: 0 + iface_mtu: 1350 + peers_mesh_repo: https://github.com/freifunk-mwu/peers-ffmz.git + peers_intragate_repo: https://github.com/freifunk-mwu/ffmz-infrastructure-peers.git -So gibt es eine Rolle ('ffmwu-server'), die allen hosts dieser Gruppe zugewiesen ist (über das playbook 'ffmwu-servers.yml', später auch über Abhängigkeiten der speziellern playbooks). Dieses playbook (einfach starten) weist die Rolle zu, welche ihrerseits die shh keys auf den hosts pflegt. 
+ wi: + site_number: 56 + site_code: ffwi + site_name: Wiesbaden + ipv4_network: 10.56.0.0/18 + ipv6: + ula: + - fd56:b4dc:4b1e::/48 + public: + - 2a03:2260:11b::/48 + dnssl: + - ffwi.org + - user.ffwi.org + batman: + it: 10000 + gw: server 96mbit/96mbit + mm: 0 + dat: 0 + iface_mtu: 1350 + peers_mesh_repo: https://github.com/freifunk-mwu/peers-ffwi.git + peers_intragate_repo: https://github.com/freifunk-mwu/ffwi-infrastructure-peers.git +``` -Die Rolle besteht aus nur einem task und einer definierten Variable, die die keys der admins enthält. Sind auf einem host weitere ssh keys von Nöten, so werden disse als hostvar definiert. -## Erzeugen einer test-VM +## Aufsetzen eines neuen Gateways -Um die playbooks und Rollen gefahrlos testen zu können, bietet sich ein test host an. Hierfür kann eine lokale VM zu Einsatz kommen, wenn die Voraussetzungen stimmen. +- FQDN im Inventory zur Gruppe ffmwu-gateways hinzufügen +- Host-Variablen setzen + - inventory/host_vars/$FQDN -Damit auf der lokalen Maschine (der ansible controle machine) VMs ablaufen (und mit dem playbook angelegt werden) können, müssen verschiedene Voraussetzungen erfüllt sein. U. a.: +``` +--- +# Gateway-Nummer, von der vieles abgeleitet wird. Integer zwischen 1-254. Muss eindeutig unter allen FFMWU Servern sein. +magic: -- installierte Pakete zu libvirt, kvm und qemu und Pakete virt-manager, isomaster -- >15G freier Plattenplatz -- ansible >= 2.1 +# Pfade zu den fastd secrets im passwordstore +fastd_secrets: + mzVPN: "{{ lookup('passwordstore', 'fastd/mzVPN/$Hostname') }}" + wiVPN: "{{ lookup('passwordstore', 'fastd/wiVPN/$Hostname') }}" + mzigVPN: "{{ lookup('passwordstore', 'fastd/mzVPN/$Hostname') }}" + wiigVPN: "{{ lookup('passwordstore', 'fastd/wiVPN/$Hostname') }}" -Leider sind die letzten 2 Meter der Aufgabe offenbar in dieser Art nicht automatisierbar. Deshalb muss der user an einer Stelle mit 'isomaster' kurz etwas manuell durchführen -Das playbook 'loctevm-reset.yml' einfach ausführen. 
+# FFRL (muss vorher bereits zugewiesen worden sein) +# Öffentliche IPv4 NAT Adresse +ffrl_public_ipv4_nat: -### bekannte Probleme +ffrl_exit_server: + ffrl-a-ak-ber: + public_ipv4_address: + tunnel_ipv4_network: # Format: IP/Maske + tunnel_ipv4_address: + tunnel_ipv4_netmask: + tunnel_ipv6_address: + tunnel_ipv6_netmask: + ffrl-b-ak-ber: + public_ipv4_address: + tunnel_ipv4_network: # Format: IP/Maske + tunnel_ipv4_address: + tunnel_ipv4_netmask: + tunnel_ipv6_address: + tunnel_ipv6_netmask: + ffrl-a-ix-dus: + public_ipv4_address: + tunnel_ipv4_network: # Format: IP/Maske + tunnel_ipv4_address: + tunnel_ipv4_netmask: + tunnel_ipv6_address: + tunnel_ipv6_netmask: + ffrl-b-ix-dus: + public_ipv4_address: + tunnel_ipv4_network: # Format: IP/Maske + tunnel_ipv4_address: + tunnel_ipv4_netmask: + tunnel_ipv6_address: + tunnel_ipv6_netmask: + ffrl-a-fra2-fra: + public_ipv4_address: + tunnel_ipv4_network: # Format: IP/Maske + tunnel_ipv4_address: + tunnel_ipv4_netmask: + tunnel_ipv6_address: + tunnel_ipv6_netmask: + ffrl-b-fra2-fra: + public_ipv4_address: + tunnel_ipv4_network: # Format: IP/Maske + tunnel_ipv4_address: + tunnel_ipv4_netmask: + tunnel_ipv6_address: + tunnel_ipv6_netmask: -- Wenn die VM wegen Zugriffsfehler auf die virtuellen volumes nicht startet, können die Berechtigungen der übergeordneten Verzeichnisse Schuld sein -> hier mal schauen. -- Ein Schritt scheint nicht automagisierbar, hier werden isomaster & der user benötigt. -- Bisher wird direkt die 64bit-Version ausgewählt. +``` +- Testen, ob alle Voraussetzungen erfüllt sind: `ansible-playbook playbook-test-prerequisites.yml` +- Neues Gateway aufsetzen per `ansible-playbook playbook-gateways.yml` + - Hierbei werden die definierten Rollen auch auf schon aufgesetzte Gateways angewandt, was unkritisch ist, weil wir unsere Rollen idempotent schreiben. + - Um die Rollen nur auf das neu aufzusetzende Gateway anzuwenden: `ansible-playbook playbook-gateways.yml --limit=$FQDN` 
diff --git a/ansible.cfg b/ansible.cfg index 3d96197..81d49c2 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,10 +1,9 @@ [defaults] -# local inventory = ./inventory/hosts retry_files_save_path = ~/.ansible/retry-files #vault_password_file = ~/.ansible/vault-password-file -# remote remote_tmp = $HOME/ansible_tmp +ansible_managed = Ansible managed - don't edit this file! #[ssh_connection] #pipelining = True diff --git a/inventory/group_vars/all b/inventory/group_vars/all new file mode 100644 index 0000000..a7b254f --- /dev/null +++ b/inventory/group_vars/all 
@@ -0,0 +1,86 @@ +--- +as_private_mwu: 65037 +as_public_ffrl: 201701 + +routing_tables: + icvpn: 23 + mwu: 41 + internet: 61 + +icvpn_ipv4_network: 10.207.0.0/16 +mwu_icvpn_ipv4_network: 10.207.37.0/24 +bgp_loopback_net: 10.37.0.0/18 + +meshes: + mz: + site_number: 37 + site_code: ffmz + site_name: Mainz + ipv4_network: 10.37.0.0/18 + ipv6: + ula: + - fd37:b4dc:4b1e::/48 + public: + - 2a03:2260:11a::/48 + dnssl: + - ffmz.org + - user.ffmz.org + batman: + it: 10000 + gw: server 96mbit/96mbit + mm: 0 + dat: 0 + iface_mtu: 1350 + peers_mesh_repo: https://github.com/freifunk-mwu/peers-ffmz.git + peers_intragate_repo: https://github.com/freifunk-mwu/ffmz-infrastructure-peers.git + + wi: + site_number: 56 + site_code: ffwi + site_name: Wiesbaden + ipv4_network: 10.56.0.0/18 + ipv6: + ula: + - fd56:b4dc:4b1e::/48 + public: + - 2a03:2260:11b::/48 + dnssl: + - ffwi.org + - user.ffwi.org + batman: + it: 10000 + gw: server 96mbit/96mbit + mm: 0 + dat: 0 + iface_mtu: 1350 + peers_mesh_repo: https://github.com/freifunk-mwu/peers-ffwi.git + peers_intragate_repo: https://github.com/freifunk-mwu/ffwi-infrastructure-peers.git + +bgp_mwu_servers: + spinat: + ipv4: 10.37.0.7 + ipv6: fd37:b4dc:4b1e::a25:7 + lotuswurzel: + ipv4: 10.37.0.23 + ipv6: fd37:b4dc:4b1e::a25:17 + ingwer: + ipv4: 10.37.0.161 + ipv6: fd37:b4dc:4b1e::a25:a1 + wasserfloh: + ipv4: 10.37.0.231 + ipv6: fd37:b4dc:4b1e::a25:e7 + zuckerwatte: + ipv4: 10.37.1.2 + ipv6: fd37:b4dc:4b1e::a25:102 + aubergine: + ipv4: 10.37.1.3 + ipv6: fd37:b4dc:4b1e::a25:103 + zwiebel: + ipv4: 10.37.1.0 + ipv6: fd37:b4dc:4b1e::a25:100 + glueckskeks: + ipv4: 10.37.1.1 + ipv6: fd37:b4dc:4b1e::a25:101 + suesskartoffel: + ipv4: 10.37.1.4 + ipv6: fd37:b4dc:4b1e::a25:104 diff --git a/playbook-gateways.yml b/playbook-gateways.yml new file mode 100755 index 0000000..87fe129 --- /dev/null +++ b/playbook-gateways.yml 
@@ -0,0 +1,22 @@ +#!/usr/bin/ansible-playbook +--- + +- hosts: ffmwu-gateways + remote_user: admin + + roles: + - server-repos + - server-basic + - service-haveged + - service-ntpd + - kmod-batman + - network-routetables + - network-batman + - network-meshbridge + - service-dhcpd + - service-radvd + - service-fastd-mesh + - service-fastd-intragate + - git-fastd-peers + - network-fastd + - network-ffrl diff --git a/roles/git-fastd-peers/tasks/main.yml b/roles/git-fastd-peers/tasks/main.yml new file mode 100644 index 0000000..d3086dd --- /dev/null +++ b/roles/git-fastd-peers/tasks/main.yml @@ -0,0 +1,42 @@ +--- +- name: install git packages + apt: + name: "{{ item }}" + state: present + with_items: + - git + become: true + +- name: create fastd peer mesh directories + file: + path: "/etc/fastd/{{ item.key }}VPN/peers" + state: directory + mode: 0755 + owner: admin + group: admin + with_dict: "{{ meshes }}" + become: true + +- name: create fastd peer intragate directories + file: + path: "/etc/fastd/{{ item.key }}igVPN/peers" + state: directory + mode: 0755 + owner: admin + group: admin + with_dict: "{{ meshes }}" + become: true + +- name: clone fastd peer mesh repos + git: + repo: "{{ item.value.peers_mesh_repo }}" + dest: "/etc/fastd/{{ item.key }}VPN/peers" + update: no + with_dict: "{{ meshes }}" + +- name: clone fastd peer intragate repos + git: + repo: "{{ item.value.peers_intragate_repo }}" + dest: "/etc/fastd/{{ item.key }}igVPN/peers" + update: no + with_dict: "{{ meshes }}" diff --git a/roles/kmod-batman/tasks/main.yml b/roles/kmod-batman/tasks/main.yml new file mode 100644 index 0000000..1ee26f7 --- /dev/null +++ b/roles/kmod-batman/tasks/main.yml 
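Review bot: The two git tasks at the end of the git-fastd-peers hunk clone with `update: no` and no `version`, so the directories under `/etc/fastd/…/peers` are populated once and never refreshed or pinned by this role; if another mechanism keeps them current, a comment on the task naming it would help, otherwise the checked-out peer set will drift from the repository without anyone noticing. `mode: 0755` in the two `file:` tasks is an unquoted octal literal that YAML 1.1 turns into the integer 493; Ansible handles the leading-zero form, but `mode: "0755"` is the unambiguous spelling. The single-element `with_items` loop in the first task can simply be `name: git`.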
@@ -0,0 +1,18 @@ +--- +- name: install batman-module and linux headers + apt: + state: present + name: "{{ item }}" + update_cache: yes + cache_valid_time: 21600 + with_items: + - linux-headers-amd64 + - batman-adv-dkms + - batctl + become: true + +- name: configure batman module to load on system boot + template: + src: batman-adv.module.conf.j2 + dest: /etc/modules-load.d/batman-adv.conf + become: true diff --git a/roles/kmod-batman/templates/batman-adv.module.conf.j2 b/roles/kmod-batman/templates/batman-adv.module.conf.j2 new file mode 100644 index 0000000..35d76b4 --- /dev/null +++ b/roles/kmod-batman/templates/batman-adv.module.conf.j2 @@ -0,0 +1,6 @@ +# +# Load batman-adv module on system boot +# {{ ansible_managed }} +# +batman-adv +dummy diff --git a/roles/network-batman/handlers/main.yml b/roles/network-batman/handlers/main.yml new file mode 100644 index 0000000..545dadd --- /dev/null +++ b/roles/network-batman/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: activate sysfs variables + systemd: + name: sysfsutils + state: restarted + become: true diff --git a/roles/network-batman/tasks/main.yml b/roles/network-batman/tasks/main.yml new file mode 100644 index 0000000..bc0ff67 --- /dev/null +++ b/roles/network-batman/tasks/main.yml @@ -0,0 +1,22 @@ +--- +- name: create dummy interfaces + template: + src: dummy.j2 + dest: "/etc/network/interfaces.d/{{ item.key }}0" + with_dict: "{{ meshes }}" + become: true + +- name: create batman interfaces + template: + src: batman.j2 + dest: "/etc/network/interfaces.d/{{ item.key }}BAT" + with_dict: "{{ meshes }}" + become: true + +- name: set sysfs variables + template: + src: sysfs.j2 + dest: "/etc/sysfs.d/99-{{ item.key }}BAT.conf" + with_dict: "{{ meshes }}" + notify: activate sysfs variables + become: true diff --git a/roles/network-batman/templates/batman.j2 b/roles/network-batman/templates/batman.j2 new file mode 100644 index 0000000..4a21e56 --- /dev/null +++ b/roles/network-batman/templates/batman.j2 
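Review bot: `update_cache: yes` in the apt task mixes the YAML 1.1 truthy spelling with the `become: true` form used a few lines below and in every other role added by this commit; `update_cache: true` keeps the files consistent and avoids yamllint's truthy warning. The template task writes `/etc/modules-load.d/batman-adv.conf` without `owner`, `group` or `mode`, so the resulting permissions depend on the remote umask; stating `mode: "0644"` makes the intent explicit and idempotent across hosts.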
@@ -0,0 +1,18 @@
+{% set ip4hex = item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
+{% set mac = '0201' + ip4hex -%}
+#
+# {{ ansible_managed }}
+#
+auto {{ item.key }}BAT
+iface {{ item.key }}BAT inet manual
+ pre-up /sbin/ip link add name $IFACE type batadv
+ pre-up /sbin/ip link set address {{ mac | hwaddr('linux') }} dev $IFACE
+ pre-up /sbin/ip link set dev {{ item.key }}0 master $IFACE
+ pre-up /sbin/ip link set up dev $IFACE
+ post-up /sbin/ip addr flush dev $IFACE
+ post-up /usr/sbin/batctl -m $IFACE it {{ item.value.batman.it }}
+ post-up /usr/sbin/batctl -m $IFACE gw {{ item.value.batman.gw }}
+ post-up /usr/sbin/batctl -m $IFACE mm {{ item.value.batman.mm }}
+ post-up /usr/sbin/batctl -m $IFACE dat {{ item.value.batman.dat }}
+ post-down /sbin/ip link set dev {{ item.key }}0 nomaster
+ post-down /sbin/ip link delete $IFACE 2>&1 || true
diff --git a/roles/network-batman/templates/dummy.j2 b/roles/network-batman/templates/dummy.j2
new file mode 100644
index 0000000..6427cf2
--- /dev/null
+++ b/roles/network-batman/templates/dummy.j2
@@ -0,0 +1,12 @@
+{% set ip4hex = item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
+{% set mac = '0200' + ip4hex -%}
+#
+# {{ ansible_managed }}
+#
+auto {{ item.key }}0
+iface {{ item.key }}0 inet manual
+ pre-up /sbin/ip link add $IFACE type dummy
+ pre-up /sbin/ip link set address {{ mac | hwaddr('linux') }} dev $IFACE
+ pre-up /sbin/ip link set up dev $IFACE
+ post-up /sbin/ip addr flush dev $IFACE
+ post-down /sbin/ip link delete $IFACE 2>&1 || true
diff --git a/roles/network-batman/templates/sysfs.j2 b/roles/network-batman/templates/sysfs.j2
new file mode 100644
index 0000000..63aeea6
--- /dev/null
+++ b/roles/network-batman/templates/sysfs.j2
@@ -0,0 +1,4 @@
+#
+# {{ ansible_managed }}
+#
+class/net/{{ item.key }}BAT/mesh/hop_penalty = 60
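Review bot: `post-down /sbin/ip link delete $IFACE 2>&1 || true` in batman.j2 (the same line is in dummy.j2 in this hunk and in bridge.j2 later in the patch) only merges stderr into stdout, so an error from `ip link delete` still lands in the ifdown output while `|| true` is what actually keeps ifdown going. If the intent is to silence a missing interface, `post-down /sbin/ip link delete $IFACE > /dev/null 2>&1 || true` does that; if the message is wanted, drop `2>&1`. Either way, a one-line comment above the stanza saying why the delete is allowed to fail would explain the `|| true` to the next reader.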
diff --git a/roles/network-fastd/tasks/main.yml b/roles/network-fastd/tasks/main.yml
new file mode 100644
index 0000000..1474772
--- /dev/null
+++ b/roles/network-fastd/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+- name: create fastd mesh interfaces
+ template:
+ src: fastd-mesh.j2
+ dest: "/etc/network/interfaces.d/{{ item.key }}VPN"
+ with_dict: "{{ meshes }}"
+ become: true
+
+- name: create fastd intragate interfaces
+ template:
+ src: fastd-intragate.j2
+ dest: "/etc/network/interfaces.d/{{ item.key }}igVPN"
+ with_dict: "{{ meshes }}"
+ become: true
diff --git a/roles/network-fastd/templates/fastd-intragate.j2 b/roles/network-fastd/templates/fastd-intragate.j2
new file mode 100644
index 0000000..f9d105b
--- /dev/null
+++ b/roles/network-fastd/templates/fastd-intragate.j2
@@ -0,0 +1,10 @@
+{% set ip4hex = item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
+{% set mac = '0212' + ip4hex -%}
+#
+# {{ ansible_managed }}
+#
+allow-hotplug {{ item.key }}igVPN
+iface {{ item.key }}igVPN inet manual
+ pre-up /sbin/ip link set address {{ mac | hwaddr('linux') }} dev $IFACE
+ post-up /sbin/ip link set dev $IFACE up
+ post-up /sbin/ip link set dev $IFACE master {{ item.key }}BAT
diff --git a/roles/network-fastd/templates/fastd-mesh.j2 b/roles/network-fastd/templates/fastd-mesh.j2
new file mode 100644
index 0000000..cc64fcb
--- /dev/null
+++ b/roles/network-fastd/templates/fastd-mesh.j2
@@ -0,0 +1,10 @@
+{% set ip4hex = item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
+{% set mac = '0211' + ip4hex -%}
+#
+# {{ ansible_managed }}
+#
+allow-hotplug {{ item.key }}VPN
+iface {{ item.key }}VPN inet manual
+ pre-up /sbin/ip link set address {{ mac | hwaddr('linux') }} dev $IFACE
+ post-up /sbin/ip link set dev $IFACE up
+ post-up /sbin/ip link set dev $IFACE master {{ item.key }}BAT
diff --git a/roles/network-ffrl/tasks/main.yml b/roles/network-ffrl/tasks/main.yml
new file mode 100644
index 0000000..439c2de
--- /dev/null
+++ b/roles/network-ffrl/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+- name: create ffrl interfaces
+ template:
+ src: ffrl.j2
+ dest: "/etc/network/interfaces.d/{{ item.key }}"
+ with_dict: "{{ ffrl_exit_server }}"
+ become: true
diff --git a/roles/network-ffrl/templates/ffrl.j2 b/roles/network-ffrl/templates/ffrl.j2
new file mode 100644
index 0000000..2dddfc0
--- /dev/null
+++ b/roles/network-ffrl/templates/ffrl.j2
@@ -0,0 +1,16 @@
+#
+# {{ ansible_managed }}
+#
+auto {{ item.key }}
+iface {{ item.key }} inet static
+ address {{ item.value.tunnel_ipv4_address }}
+ netmask {{ item.value.tunnel_ipv4_netmask }}
+ pre-up /sbin/ip tunnel add $IFACE mode gre local {{ ansible_default_ipv4.address | ipaddr('public') }} remote {{ item.value.public_ipv4_address | ipaddr('public') }} ttl 255
+ post-up /sbin/ip link set $IFACE mtu 1400
+ post-up /sbin/ip addr add {{ ffrl_public_ipv4_nat }}/32 dev $IFACE
+ post-down /sbin/ip tunnel del $IFACE
+
+iface {{ item.key }} inet6 static
+ address {{ item.value.tunnel_ipv6_network | ipaddr('net') | ipaddr('2') | ipaddr('address') }}
+ netmask {{ item.value.tunnel_ipv6_netmask }}
+
diff --git a/roles/network-meshbridge/handlers/main.yml b/roles/network-meshbridge/handlers/main.yml
new file mode 100644
index 0000000..545dadd
--- /dev/null
+++ b/roles/network-meshbridge/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: activate sysfs variables
+ systemd:
+ name: sysfsutils
+ state: restarted
+ become: true
diff --git a/roles/network-meshbridge/tasks/main.yml b/roles/network-meshbridge/tasks/main.yml
new file mode 100644
index 0000000..06ea01b
--- /dev/null
+++ b/roles/network-meshbridge/tasks/main.yml
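Review bot: In ffrl.j2 the `pre-up` line builds the GRE endpoint from `ansible_default_ipv4.address | ipaddr('public')`; that filter returns `False` when the address is not a public one, so a gateway whose default interface sits behind NAT renders `local False` and the tunnel fails only at ifup, with no hint in the play. A dedicated host variable for the local endpoint, or an `assert` task in the role that checks `ansible_default_ipv4.address | ipaddr('public')` before templating, would fail the play with a readable message instead. The same applies to `item.value.public_ipv4_address | ipaddr('public')`, although those values come from the inventory and are less likely to be private.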
@@ -0,0 +1,15 @@
+---
+- name: create mesh bridges
+ template:
+ src: bridge.j2
+ dest: "/etc/network/interfaces.d/{{ item.key }}BR"
+ with_dict: "{{ meshes }}"
+ become: true
+
+- name: set sysfs variables
+ template:
+ src: sysfs.j2
+ dest: "/etc/sysfs.d/99-{{ item.key }}BR.conf"
+ with_dict: "{{ meshes }}"
+ notify: activate sysfs variables
+ become: true
diff --git a/roles/network-meshbridge/templates/bridge.j2 b/roles/network-meshbridge/templates/bridge.j2
new file mode 100644
index 0000000..7a81040
--- /dev/null
+++ b/roles/network-meshbridge/templates/bridge.j2
@@ -0,0 +1,22 @@
+{% set ip4hex = item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
+{% set mac = '0210' + ip4hex -%}
+#
+# {{ ansible_managed }}
+#
+auto {{ item.key }}BR
+iface {{ item.key }}BR inet manual
+ address {{ item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') }}
+ network {{ item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('network') }}
+ netmask {{ item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('netmask') }}
+ broadcast {{ item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('broadcast') }}
+ pre-up /sbin/ip link add name $IFACE type bridge
+ pre-up /sbin/ip link set address {{ mac | hwaddr('linux') }} dev $IFACE
+ pre-up /sbin/ip link set dev {{ item.key }}BAT master $IFACE
+ pre-up /sbin/ip link set up dev $IFACE
+{% for ip_type, ip_list in item.value.ipv6.iteritems() %}
+{% for ip in ip_list %}
+ up /sbin/ip address add {{ ip | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) }} dev $IFACE
+{% endfor %}
+{% endfor %}
+ post-down /sbin/ip link set dev {{ item.key }}BAT nomaster
+ post-down /sbin/ip link delete $IFACE 2>&1 || true
diff --git a/roles/network-meshbridge/templates/sysfs.j2 b/roles/network-meshbridge/templates/sysfs.j2
new file mode 100644
index 0000000..04bed17
--- /dev/null
+++ b/roles/network-meshbridge/templates/sysfs.j2
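Review bot: `item.value.ipv6.iteritems()` in bridge.j2 is a Python 2 dict method that does not exist on Python 3, so the template stops with an undefined-attribute error as soon as Ansible runs on a Python 3 controller; `item.value.ipv6.items()` behaves the same on both. The same call appears in the `set_fact` of the service-dhcpd tasks hunk (`meshes.iteritems()`) and three times in radvd.conf.j2 later in this patch. Separately, the bridge stanza declares `address`/`network`/`netmask`/`broadcast` under `iface ... inet manual`; classic ifupdown ignores those keys for the manual method, so unless this relies on ifupdown2 (which server-basic installs) honouring `address` regardless of method, the bridge would come up without the IPv4 address that dhcpd.conf hands out as router and DNS — a comment naming the ifupdown implementation this stanza was written for would settle that.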
@@ -0,0 +1,4 @@
+#
+# {{ ansible_managed }}
+#
+class/net/{{ item.key }}BR/bridge/hash_max = 16384
diff --git a/roles/network-routetables/tasks/main.yml b/roles/network-routetables/tasks/main.yml
new file mode 100644
index 0000000..ba14fc9
--- /dev/null
+++ b/roles/network-routetables/tasks/main.yml
@@ -0,0 +1,9 @@
+---
+- name: create routing tables
+ lineinfile:
+ path: /etc/iproute2/rt_tables
+ regexp: '^{{ item.value }}'
+ line: "{{ item.value }}{{ '\t' }}{{ item.key }}"
+ state: present
+ with_dict: "{{ routing_tables }}"
+ become: true
diff --git a/roles/server-basic/tasks/main.yml b/roles/server-basic/tasks/main.yml
new file mode 100644
index 0000000..f5e28b4
--- /dev/null
+++ b/roles/server-basic/tasks/main.yml
@@ -0,0 +1,20 @@
+---
+- name: ensure common packages are installed
+ apt:
+ state: present
+ name: "{{ item }}"
+ update_cache: yes
+ cache_valid_time: 21600
+ with_items: "{{ packages }}"
+ become: true
+
+- name: ensure vim is default editor
+ alternatives:
+ name: editor
+ path: /usr/bin/vim.basic
+ become: true
+
+- name: set timezone to Europe/Berlin
+ timezone:
+ name: Europe/Berlin
+ become: true
diff --git a/roles/server-basic/vars/main.yml b/roles/server-basic/vars/main.yml
new file mode 100644
index 0000000..45cb744
--- /dev/null
+++ b/roles/server-basic/vars/main.yml
@@ -0,0 +1,10 @@
+---
+packages:
+ - apt-transport-https
+ - ifupdown2
+ - man-db
+ - mlocate
+ - mosh
+ - sudo
+ - sysfsutils
+ - vim
diff --git a/roles/server-repos/tasks/main.yml b/roles/server-repos/tasks/main.yml
new file mode 100644
index 0000000..c7a6724
--- /dev/null
+++ b/roles/server-repos/tasks/main.yml
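Review bot: `regexp: '^{{ item.value }}'` in the network-routetables lineinfile task is a prefix match, so a table number such as `25` also matches the stock `255 local` entry (and `1` matches every line that starts with a 1), and lineinfile then rewrites that existing line instead of adding the new table. Anchoring on the separator fixes it: `regexp: '^{{ item.value }}\s'`. Since the `line` written by this task uses a literal tab while the entries Debian ships use spaces, `\s` covers both forms.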
@@ -0,0 +1,34 @@
+---
+- name: ensure dirmngr and apt-transport-https are installed
+ apt:
+ state: present
+ name: "{{ item }}"
+ update_cache: yes
+ cache_valid_time: 21600
+ with_items:
+ - dirmngr
+ - apt-transport-https
+ become: true
+
+- name: ensure apt key for universe-factory is present
+ apt_key:
+ state: present
+ id: 16ef3f64cb201d9c
+ keyserver: pgp.mit.edu
+ become: true
+
+- name: ensure apt key for freifunk-mwu is present
+ apt_key:
+ state: present
+ id: 83A70084
+ url: "http://repo.freifunk-mwu.de/83A70084.gpg.key"
+ become: true
+
+- name: ensure needed apt repos are present
+ apt_repository:
+ state: present
+ repo: "{{ item.repo }}"
+ update_cache: "{{ item.update_cache }}"
+ filename: "{{ item.name }}"
+ with_items: "{{ repos }}"
+ become: true
diff --git a/roles/server-repos/vars/main.yml b/roles/server-repos/vars/main.yml
new file mode 100644
index 0000000..40a6cb1
--- /dev/null
+++ b/roles/server-repos/vars/main.yml
@@ -0,0 +1,12 @@
+---
+repos:
+ - name: fastd
+ repo: 'deb https://repo.universe-factory.net/debian/ sid main'
+ update_cache: yes
+ - name: freifunk
+ repo: 'deb http://repo.freifunk-mwu.de/debian jessie main'
+ update_cache: yes
+ - name: freifunk
+ repo: 'deb-src http://repo.freifunk-mwu.de/debian jessie main'
+ update_cache: yes
+
diff --git a/roles/service-dhcpd/handlers/main.yml b/roles/service-dhcpd/handlers/main.yml
new file mode 100644
index 0000000..88a46e2
--- /dev/null
+++ b/roles/service-dhcpd/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: restart isc dhcp server
+ systemd:
+ name: isc-dhcp-server
+ enabled: yes
+ state: restarted
+ become: true
diff --git a/roles/service-dhcpd/tasks/main.yml b/roles/service-dhcpd/tasks/main.yml
new file mode 100644
index 0000000..b958b4f
--- /dev/null
+++ b/roles/service-dhcpd/tasks/main.yml
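Review bot: The freifunk-mwu `apt_key` task fetches the signing key over plain HTTP (`url: "http://repo.freifunk-mwu.de/83A70084.gpg.key"`) and checks it only against the 8-hex short ID `83A70084`; a short ID is 32 bits and colliding keys are cheap to produce, so the check does not bind the downloaded key to the intended one, and whatever key lands in the keyring then vouches for the `jessie` repo this role adds. Use the full 40-hex fingerprint in `id` (the module only verifies that a key matching `id` is present after import, so the longer the better) together with an https `url`, or ship the key file inside the role and use `file:`. The universe-factory task with the 16-hex `id: 16ef3f64cb201d9c` via `keyserver: pgp.mit.edu` is stronger but would equally benefit from the full fingerprint; the fingerprints are not in the hunk, so the change is `id: <FULL-40-HEX-FINGERPRINT>` with the value to be filled in from the repository owners' published key.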
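Review bot: In the repos vars, `deb https://repo.universe-factory.net/debian/ sid main` is added next to the `jessie` repositories with no apt pin anywhere in this series; apt installs the highest version it can see, so any package that repository publishes under `sid` with a newer version than jessie's is pulled in on the next upgrade. If the repository carries only fastd and its libraries this is probably intended, but a comment on the entry saying so, or a `/etc/apt/preferences.d` pin limiting it to those packages, would make the trust boundary explicit rather than assumed.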
@@ -0,0 +1,39 @@
+---
+- name: install dhcp packages
+ apt:
+ name: isc-dhcp-server
+ state: present
+ become: true
+
+- name: enable systemd unit isc-dhcp-server
+ systemd:
+ name: isc-dhcp-server
+ enabled: yes
+ daemon_reload: yes
+ become: true
+
+- name: concatenate meshbridge interfaces
+ set_fact:
+ dhcp_interfaces: "{% for key, value in meshes.iteritems() %}{{ key }}BR{% if not loop.last %} {% endif %}{% endfor %}"
+
+- name: set ipv4 interfaces isc dhcp should listen on
+ lineinfile:
+ path: /etc/default/isc-dhcp-server
+ regexp: '^INTERFACESv4="'
+ line: 'INTERFACESv4="{{ dhcp_interfaces }}"'
+ notify: restart isc dhcp server
+ become: true
+
+- name: set ipv6 interfaces isc dhcp should listen on
+ lineinfile:
+ path: /etc/default/isc-dhcp-server
+ regexp: '^INTERFACESv6="'
+ line: 'INTERFACESv6=""'
+ become: true
+
+- name: configure isc dhcp server
+ template:
+ src: dhcpd.conf.j2
+ dest: /etc/dhcp/dhcpd.conf
+# notify: restart isc dhcp server
+ become: true
diff --git a/roles/service-dhcpd/templates/dhcpd.conf.j2 b/roles/service-dhcpd/templates/dhcpd.conf.j2
new file mode 100644
index 0000000..7b21f82
--- /dev/null
+++ b/roles/service-dhcpd/templates/dhcpd.conf.j2
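Review bot: The final `configure isc dhcp server` task has its `notify: restart isc dhcp server` commented out, so a changed dhcpd.conf is written to disk but the running daemon keeps serving the previous configuration until something else restarts it; the `restart isc dhcp server` handler does exist in this patch, so re-enabling that line is enough. The service-radvd tasks hunk later in this patch has the same commented-out `#notify: restart radvd`, and there no handler of that name is defined at all. If the restart is deferred on purpose (for example to avoid a lease gap during a run), a comment next to the commented line saying so would stop the next reader from simply re-enabling it.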
@@ -0,0 +1,28 @@
+#
+# {{ ansible_managed }}
+#
+ddns-update-style none;
+
+authoritative;
+server-name "{{ inventory_hostname_short }}";
+
+log-facility local7;
+
+default-lease-time 300;
+min-lease-time 300;
+max-lease-time 300;
+
+{% for mesh in meshes.values() %}
+# DHCP subnet for site {{ mesh.site_name }} ({{ mesh.site_code }})
+subnet {{ mesh.ipv4_network | ipaddr('network') }} netmask {{ mesh.ipv4_network | ipaddr('netmask') }} {
+ range {{ mesh.ipv4_network | ipsubnet(22, ipv4_dhcp_range) | ipaddr('net') | ipaddr('network') }} {{ mesh.ipv4_network | ipsubnet(22, ipv4_dhcp_range) | ipaddr('net') | ipaddr('broadcast') }};
+ option routers {{ mesh.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') }};
+ option domain-name-servers {{ mesh.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') }};
+ option domain-search {% for domain in mesh.dnssl %}"{{ domain }}"{% if not loop.last %}, {% endif %}{% endfor %};
+ option ntp-servers {{ mesh.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') }};
+ option interface-mtu {{ mesh.iface_mtu }};
+}
+{% if not loop.last %}
+
+{% endif %}
+{% endfor %}
diff --git a/roles/service-fastd-intragate/tasks/main.yml b/roles/service-fastd-intragate/tasks/main.yml
new file mode 100644
index 0000000..9284cf1
--- /dev/null
+++ b/roles/service-fastd-intragate/tasks/main.yml
@@ -0,0 +1,28 @@
+---
+- name: install fastd packages
+ apt:
+ name: fastd
+ state: present
+ become: true
+
+- name: create fastd intragate directories
+ file:
+ path: "/etc/fastd/{{ item.key }}igVPN"
+ state: directory
+ mode: 0755
+ with_dict: "{{ meshes }}"
+ become: true
+
+- name: template fastd mesh config
+ template:
+ src: fastd-intragate.conf.j2
+ dest: "/etc/fastd/{{ item.key }}igVPN/fastd.conf"
+ with_dict: "{{ meshes }}"
+ become: true
+
+- name: write fastd intragate secret
+ template:
+ src: fastd-secret.conf.j2
+ dest: "/etc/fastd/{{ item.key }}igVPN/secret.conf"
+ with_dict: "{{ meshes }}"
+ become: true
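Review bot: The `write fastd intragate secret` task templates the fastd private key into `secret.conf` with no `mode` or `owner`, so the file takes the `become` defaults — typically root:root with a umask-derived 0644 — and the key is readable by every local account on the gateway; the `mode: 0755` on the instance directory above does nothing to protect the file inside it. Add `mode: "0600"` and `owner: root` to that task (or the user fastd runs as, if it drops privileges after reading the secret). The `write fastd mesh secret` task in the service-fastd-mesh hunk later in this patch needs the same two lines.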
diff --git a/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 b/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2
new file mode 100644
index 0000000..7f84c1c
--- /dev/null
+++ b/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2
@@ -0,0 +1,23 @@
+#
+# {{ ansible_managed }}
+#
+log level warn;
+hide ip addresses yes;
+hide mac addresses yes;
+
+method "aes128-ctr+umac";
+
+interface "{{ item.key }}igVPN";
+
+bind {{ ansible_default_ipv4.address | ipaddr('public') }}:101{{ item.value.site_number }};
+bind {{ ansible_default_ipv6.address | ipaddr('public') | ipwrap }}:101{{ item.value.site_number }};
+
+include "secret.conf";
+mtu 1406;
+
+peer group "servers" {
+ include peers from "peers/gates";
+ include peers from "peers/services";
+}
+
+status socket "/var/run/fastd-{{ item.key }}ig.status";
diff --git a/roles/service-fastd-intragate/templates/fastd-secret.conf.j2 b/roles/service-fastd-intragate/templates/fastd-secret.conf.j2
new file mode 100644
index 0000000..a55490b
--- /dev/null
+++ b/roles/service-fastd-intragate/templates/fastd-secret.conf.j2
@@ -0,0 +1,9 @@
+{% set local_interface = item.key + 'igVPN' -%}
+#
+# {{ ansible_managed }}
+#
+{% for interface in fastd_secrets %}
+{% if local_interface == interface %}
+secret "{{ fastd_secrets[interface] }}";
+{% endif %}
+{% endfor %}
diff --git a/roles/service-fastd-mesh/tasks/main.yml b/roles/service-fastd-mesh/tasks/main.yml
new file mode 100644
index 0000000..dc377de
--- /dev/null
+++ b/roles/service-fastd-mesh/tasks/main.yml
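Review bot: Both `bind` lines in fastd-intragate.conf.j2 depend on `ipaddr('public')`, which yields `False` for a non-public address, and the second one dereferences `ansible_default_ipv6.address`, which is undefined on a host without a default IPv6 route; the first case renders `bind False:101N;` and fastd only fails at service start, the second aborts the template with a generic undefined error. An `assert` task in the role checking both facts before templating (or `| mandatory` on the fact) would report the actual problem at play time. The same two lines appear in fastd-mesh.conf.j2 later in this patch.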
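Review bot: The loop in fastd-secret.conf.j2 renders an empty file when `fastd_secrets` has no entry for `local_interface`, so a missing or misspelled host variable only surfaces when fastd refuses to start, not when the play runs. A direct lookup fails the play with the variable name instead: replace the `for`/`if` block with the single line `secret "{{ fastd_secrets[local_interface] | mandatory }}";`. The mesh variant of this template in the service-fastd-mesh hunk later in this patch has the same loop.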
@@ -0,0 +1,28 @@
+---
+- name: install fastd packages
+ apt:
+ name: fastd
+ state: present
+ become: true
+
+- name: create fastd directories
+ file:
+ path: "/etc/fastd/{{ item.key }}VPN"
+ state: directory
+ mode: 0755
+ with_dict: "{{ meshes }}"
+ become: true
+
+- name: template fastd mesh config
+ template:
+ src: fastd-mesh.conf.j2
+ dest: "/etc/fastd/{{ item.key }}VPN/fastd.conf"
+ with_dict: "{{ meshes }}"
+ become: true
+
+- name: write fastd mesh secret
+ template:
+ src: fastd-secret.conf.j2
+ dest: "/etc/fastd/{{ item.key }}VPN/secret.conf"
+ with_dict: "{{ meshes }}"
+ become: true
diff --git a/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 b/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2
new file mode 100644
index 0000000..eb81c7b
--- /dev/null
+++ b/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2
@@ -0,0 +1,30 @@
+#
+# {{ ansible_managed }}
+#
+log level warn;
+hide ip addresses yes;
+hide mac addresses yes;
+
+method "salsa2012+umac";
+
+interface "{{ item.key }}VPN";
+
+bind {{ ansible_default_ipv4.address | ipaddr('public') }}:100{{ item.value.site_number }};
+bind {{ ansible_default_ipv6.address | ipaddr('public') | ipwrap }}:100{{ item.value.site_number }};
+
+include "secret.conf";
+mtu 1406;
+
+peer group "vpn_nodes" {
+ peer limit 150;
+ include peers from "peers";
+{% if item.key == "mz" %}
+ include peers from "peers_bingen";
+{% endif %}
+}
+
+peer group "servers" {
+ include peers from "peers/servers";
+}
+
+status socket "/var/run/fastd-{{ item.key }}.status";
diff --git a/roles/service-fastd-mesh/templates/fastd-secret.conf.j2 b/roles/service-fastd-mesh/templates/fastd-secret.conf.j2
new file mode 100644
index 0000000..87a4945
--- /dev/null
+++ b/roles/service-fastd-mesh/templates/fastd-secret.conf.j2
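Review bot: `{% if item.key == "mz" %}` / `include peers from "peers_bingen";` in fastd-mesh.conf.j2 hard-codes one site into a template that is rendered for every mesh, and nothing in this patch creates `/etc/fastd/mzVPN/peers_bingen` (the git-fastd-peers role only clones into `peers`), so on the mz instance fastd presumably fails on the missing peer directory unless it is provisioned by hand. Moving the extra directory into the `meshes` dictionary — for example an optional `peers_extra_dirs` list that the template iterates and the git role creates — keeps the template site-neutral and makes the directory's origin visible in the inventory.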
@@ -0,0 +1,9 @@
+{% set local_interface = item.key + 'VPN' -%}
+#
+# {{ ansible_managed }}
+#
+{% for interface in fastd_secrets %}
+{% if local_interface == interface %}
+secret "{{ fastd_secrets[interface] }}";
+{% endif %}
+{% endfor %}
diff --git a/roles/service-haveged/handlers/main.yml b/roles/service-haveged/handlers/main.yml
new file mode 100644
index 0000000..8c64ad5
--- /dev/null
+++ b/roles/service-haveged/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: reload systemd
+ systemd:
+ daemon_reload: yes
+ become: true
diff --git a/roles/service-haveged/tasks/main.yml b/roles/service-haveged/tasks/main.yml
new file mode 100644
index 0000000..3e3f5a7
--- /dev/null
+++ b/roles/service-haveged/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+- name: install haveged
+ apt:
+ name: haveged
+ state: present
+ notify: reload systemd
+ become: true
+
+- name: start and enable systemd unit haveged
+ systemd:
+ name: haveged
+ enabled: yes
+ state: started
+ become: true
diff --git a/roles/service-ntpd/tasks/main.yml b/roles/service-ntpd/tasks/main.yml
new file mode 100644
index 0000000..072f0f8
--- /dev/null
+++ b/roles/service-ntpd/tasks/main.yml
@@ -0,0 +1,29 @@
+---
+- name: ensure systemd-timesyncd is disabled
+ systemd:
+ name: systemd-timesyncd
+ enabled: no
+ state: stopped
+ become: true
+
+- name: install ntp packages
+ apt:
+ state: present
+ name: "{{ item }}"
+ update_cache: yes
+ cache_valid_time: 21600
+ with_items:
+ - ntp
+ - ntp-doc
+ - ntpdate
+ - ntpstat
+ become: true
+
+- name: enable and start ntp daemon
+ systemd:
+ name: ntp
+ enabled: yes
+ state: started
+ daemon_reload: yes
+ become: true
+
diff --git a/roles/service-radvd/tasks/main.yml b/roles/service-radvd/tasks/main.yml
new file mode 100644
index 0000000..71d1521
--- /dev/null
+++ b/roles/service-radvd/tasks/main.yml
@@ -0,0 +1,20 @@
+---
+- name: install radvd packages
+ apt:
+ name: radvd
+ state: present
+ become: true
+
+- name: enable systemd unit radvd
+ systemd:
+ name: radvd
+ enabled: yes
+ daemon_reload: yes
+ become: true
+
+- name: configure radvd
+ template:
+ src: radvd.conf.j2
+ dest: /etc/radvd.conf
+ #notify: restart radvd
+ become: true
diff --git a/roles/service-radvd/templates/radvd.conf.j2 b/roles/service-radvd/templates/radvd.conf.j2
new file mode 100644
index 0000000..4e6bd86
--- /dev/null
+++ b/roles/service-radvd/templates/radvd.conf.j2
@@ -0,0 +1,43 @@
+#
+# {{ ansible_managed }}
+#
+{% for key, value in meshes.iteritems() %}
+interface {{ key }}BR
+{
+ AdvSendAdvert on;
+ IgnoreIfMissing on;
+ MaxRtrAdvInterval 900;
+ AdvLinkMTU {{ value.iface_mtu }};
+
+{% for ip_type, ip_list in value.ipv6.iteritems() %}
+{% for prefix in ip_list %}
+{% if ip_type == "ula" %}
+ RDNSS {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) }}
+ {
+ FlushRDNSS off;
+ };
+{% endif %}
+{% endfor %}
+{% endfor %}
+
+{% for ip_type, ip_list in value.ipv6.iteritems() %}
+{% for prefix in ip_list %}
+{% if ip_type == "public" %}
+ prefix {{ prefix | ipaddr('net') | ipsubnet(64, magic) }}
+{% else %}
+ prefix {{ prefix | ipaddr('net') | ipsubnet(64, 0) }}
+{% endif %}
+ {
+ AdvValidLifetime 864000;
+ AdvPreferredLifetime 172800;
+ };
+{% endfor %}
+{% if not loop.last %}
+
+{% endif %}
+{% endfor %}
+};
+{% if not loop.last %}
+
+{% endif %}
+{% endfor %}
From ed03ad85736759f9e718c3b71dfbf97a87ec9ae1 Mon Sep 17 00:00:00 2001
From: Tobias Hachmer
Date: Wed, 6 Sep 2017 11:17:38 +0200
Subject: [PATCH 005/106] Roles: add role documentation
---
roles/git-fastd-peers/README.md | 21 ++++++++++
roles/kmod-batman/README.md | 6 +++
roles/network-batman/README.md | 33 ++++++++++++++++
roles/network-fastd/README.md | 26 +++++++++++++
roles/network-ffrl/README.md | 51 +++++++++++++++++++++++++
roles/network-meshbridge/README.md | 31 +++++++++++++++
roles/network-routetables/README.md | 12 ++++++
roles/server-basic/README.md | 11 ++++++
roles/service-dhcpd/README.md | 29 ++++++++++++++
roles/service-fastd-intragate/README.md | 38 ++++++++++++++++++
roles/service-fastd-mesh/README.md | 38 ++++++++++++++++++
roles/service-haveged/README.md | 3 ++
roles/service-ntpd/README.md | 7 ++++
roles/service-radvd/README.md | 23 +++++++++++
14 files changed, 329 insertions(+)
create mode 100644 roles/git-fastd-peers/README.md
create mode 100644 roles/kmod-batman/README.md
create mode 100644 roles/network-batman/README.md
create mode 100644 roles/network-fastd/README.md
create mode 100644 roles/network-ffrl/README.md
create mode 100644 roles/network-meshbridge/README.md
create mode 100644 roles/network-routetables/README.md
create mode 100644 roles/server-basic/README.md
create mode 100644 roles/service-dhcpd/README.md
create mode 100644 roles/service-fastd-intragate/README.md
create mode 100644 roles/service-fastd-mesh/README.md
create mode 100644 roles/service-haveged/README.md
create mode 100644 roles/service-ntpd/README.md
create mode 100644 roles/service-radvd/README.md
diff --git a/roles/git-fastd-peers/README.md b/roles/git-fastd-peers/README.md
new file mode 100644
index 0000000..0f1ed05
--- /dev/null
+++ b/roles/git-fastd-peers/README.md
@@ -0,0 +1,21 @@
+# Ansible role git-fastd-peers
+Diese Ansible role hängt von der role service-fastd-mesh bzw. service-fastd-intragate ab und sollte danach ausgeführt werden.
+
+- installiert die erforderlichen git Pakete
+- erstellt die erforderlichen peers Ordner
+- klont die fastd peer repos
+
+## Abhängigkeiten:
+- service-fastd-*
+
+## Benötigte Variablen
+- Dictionary `meshes`
+```
+meshes:
+ xx:
+...
+ peers_mesh_repo: # String - https Link zum Github Repository
+ peers_intragate_repo: # String - https Link zum Github Repository
+
+´´´
+
diff --git a/roles/kmod-batman/README.md b/roles/kmod-batman/README.md
new file mode 100644
index 0000000..552fbf6
--- /dev/null
+++ b/roles/kmod-batman/README.md
@@ -0,0 +1,6 @@
+# Ansible role kmod-batman
+Diese Ansible role installiert das Kernel Modul batman-adv:
+
+- Linux Kernel Headers
+- Kernel Modul batman-adv
+- Userspace Tool batctl
diff --git a/roles/network-batman/README.md b/roles/network-batman/README.md
new file mode 100644
index 0000000..a47e4e8
--- /dev/null
+++ b/roles/network-batman/README.md
@@ -0,0 +1,33 @@
+# Ansible role network-batman
+
+Diese Ansible role konfiguriert batman-adv Netzwerk Interfaces.
+
+- dummy interface pro mesh
+- batman-adv interface pro mesh
+- konfiguriert sysfs variablen:
+ - Hop Penalty pro batman-adv interface
+
+## Benötigte Variablen
+
+- Dictionary `meshes`
+´´´
+meshes:
+ xx:
+...
+ ipv4_network:
+...
+ batman:
+ it: # integer: originator interval
+ gw: # string: gateway mode
+ mm: # boolean: multicast mode
+ dat: # boolean: distributed arp table
+
+´´´
+- Host Variable `magic`
+
+## MAC-Adressen
+
+Die MAC-Adressen der Interfaces werden aus dem IPv4-Subnetz sowie der `magic`-Nummer des Hosts berechnet.
+
+xx0-prefix: `02:00`
+xxBAT-prefix: `02:01`
diff --git a/roles/network-fastd/README.md b/roles/network-fastd/README.md
new file mode 100644
index 0000000..5eac5c6
--- /dev/null
+++ b/roles/network-fastd/README.md
@@ -0,0 +1,26 @@
+# Ansible role network-fastd
+
+Diese Ansible role konfiguriert Netzwerk Interfaces für fastd.
+
+- xxVPN pro Mesh
+- xxigVPN pro Mesh
+
+## Benötigte Variablen
+
+- Dictionary `meshes`
+´´´
+meshes:
+ xx:
+...
+ ipv4_network:
+...
+
+´´´
+- Host Variable `magic`
+
+## MAC-Adressen
+
+Die MAC-Adressen der Interfaces werden aus dem IPv4-Subnetz sowie der `magic`-Nummerdes Hosts berechnet.
+
+xxVPN-prefix: `02:11`
+xxigVPN-prefix: `02:12`
diff --git a/roles/network-ffrl/README.md b/roles/network-ffrl/README.md
new file mode 100644
index 0000000..c19e007
--- /dev/null
+++ b/roles/network-ffrl/README.md
@@ -0,0 +1,51 @@
+# Ansible role network-ffrl
+
+Diese Ansible role konfiguriert die GRE-Tunnel Interfaces, die für den Internet-Exit über Freifunk Rheinland benötigt werden.
+
+## Benötigte Variablen
+- Dictionary `ffrl_exit_server` (Host Variable)
+´´´
+ffrl_exit_server:
+ ffrl-a-ak-ber:
+ public_ipv4_address: 185.66.195.0
+ tunnel_ipv4_network: # IPv4 Tunnel Transfernetz
+ tunnel_ipv4_address: # Eigene Tunnel IPv4 Adresse
+ tunnel_ipv4_netmask: 255.255.255.254
+ tunnel_ipv6_network: # IPv6 Tunnel Transfernetz
+ tunnel_ipv6_netmask: 64
+ ffrl-b-ak-ber:
+ public_ipv4_address: 185.66.195.1
+ tunnel_ipv4_network:
+ tunnel_ipv4_address:
+ tunnel_ipv4_netmask: 255.255.255.254
+ tunnel_ipv6_network:
+ tunnel_ipv6_netmask: 64
+ ffrl-a-ix-dus:
+ public_ipv4_address: 185.66.193.0
+ tunnel_ipv4_network:
+ tunnel_ipv4_address:
+ tunnel_ipv4_netmask: 255.255.255.254
+ tunnel_ipv6_network:
+ tunnel_ipv6_netmask: 64
+ ffrl-b-ix-dus:
+ public_ipv4_address: 185.66.193.1
+ tunnel_ipv4_network:
+ tunnel_ipv4_address:
+ tunnel_ipv4_netmask: 255.255.255.254
+ tunnel_ipv6_network:
+ tunnel_ipv6_netmask: 64
+ ffrl-a-fra2-fra:
+ public_ipv4_address: 185.66.194.0
+ tunnel_ipv4_network:
+ tunnel_ipv4_address:
+ tunnel_ipv4_netmask: 255.255.255.254
+ tunnel_ipv6_network:
+ tunnel_ipv6_netmask: 64
+ ffrl-b-fra2-fra:
+ public_ipv4_address: 185.66.194.1
+ tunnel_ipv4_network:
+ tunnel_ipv4_address:
+ tunnel_ipv4_netmask: 255.255.255.254
+ tunnel_ipv6_network:
+ tunnel_ipv6_netmask: 64
+´´´
diff --git a/roles/network-meshbridge/README.md b/roles/network-meshbridge/README.md
new file m
ode 100644
index 0000000..8b9b4e7
--- /dev/null
+++ b/roles/network-meshbridge/README.md
@@ -0,0 +1,31 @@
+# Ansible role network-meshbridge
+
+Diese Ansible role konfiguriert die Linux Bridges für die Freifunk Meshes.
+
+- linux bridge pro mesh inklusive IP-Konfiguration
+- konfiguriert sysfs variablen:
+ - hash_max
+
+## Benötigte Variablen
+
+- Dictionary `meshes`
+´´´
+meshes:
+ xx:
+...
+ ipv4_network:
+...
+ ipv6:
+ ula:
+ - fdxx.../48 # ipv6 ula prefix
+ public:
+ - 2xxx.../48 # ipv6 public prefix
+
+´´´
+- Host Variable `magic`
+
+## MAC-Adressen
+
+Die MAC-Adressen der Interfaces werden aus dem IPv4-Subnetz sowie der `magic`-Nummer des Hosts berechnet.
+
+xxBR-prefix: `02:10`
diff --git a/roles/network-routetables/README.md b/roles/network-routetables/README.md
new file mode 100644
index 0000000..0ecc6d1
--- /dev/null
+++ b/roles/network-routetables/README.md
@@ -0,0 +1,12 @@
+# Ansible role network-routetables
+
+Diese Ansible role legt die erforderlichen routing tables an.
+
+## Benötigte Variablen
+
+- `routing_tables`
+´´´
+routing_tables:
+ $name: # integer
+
+´´´
diff --git a/roles/server-basic/README.md b/roles/server-basic/README.md
new file mode 100644
index 0000000..ebb8121
--- /dev/null
+++ b/roles/server-basic/README.md
@@ -0,0 +1,11 @@
+# Ansible role server-basic
+
+Diese Ansible role installiert Pakete, die auf allen MWU-Server benötigt werden.
+
+- installiert Pakete, die auf allen Servern benötigt werden
+- setzt als default Editor
+- setzt die Zeitzone auf Europe/Berlin
+
+## Benötigte Variablen
+
+- Liste `packages` (Rollen Variable)
diff --git a/roles/service-dhcpd/README.md b/roles/service-dhcpd/README.md
new file mode 100644
index 0000000..d6e4cf9
--- /dev/null
+++ b/roles/service-dhcpd/README.md
@@ -0,0 +1,29 @@
+# Ansible role service-dhcpd
+
+Diese Ansible role installiert und konfiguriert den isc dhcp daemon.
+Wir nutzen diesen nur zur Verteilung von IPv4-Adressen.
+
+- installiert isc-dhcp-server
+- setzt interfaces in /etc/default/isc-dhcp-server
+- schreibt dhcpd.conf
+
+## Benötigte Variablen
+
+- Dictionary `meshes`
+´´´
+meshes:
+ xx:
+...
+ site_name: # string
+ site_code: # string
+ ipv4_network:
+ dnssl:
+ - $domain # string
+ iface_mtu: # integer
+´´´
+- Host Variable `magic`
+- Host Variable `ipv4_dhcp_range`
+
+## DHCP Range
+
+In der Host-Variable `ipv4_dhcp_range` wird als Integer die Nummer des /22 Blocks aus `ipv4_network` definiert, welcher als DHCP Range verwendet werden soll. Dem Gateway Lotuswurzel ist die DHCP-Range 10.X.16.0-10.X.19.255 zugewiesen. Diese ist der 4. /22er Block, also wird in der Host-Variable für die Lotuswurzel `4` geschrieben.
diff --git a/roles/service-fastd-intragate/README.md b/roles/service-fastd-intragate/README.md
new file mode 100644
index 0000000..8302520
--- /dev/null
+++ b/roles/service-fastd-intragate/README.md
@@ -0,0 +1,38 @@
+# Ansible role service-fastd-intragate
+
+Diese Ansible role installiert und konfiguriert die fastd-Instanz für die Intra-Server Kommunikation.
+
+- installiert fastd
+- konfiguriert xxigVPN-Instanzen
+- stellt sicher, dass die Instanz-Verzeichnisse existieren
+- schreibt fastd.conf
+- schreibt secret.conf
+ - der private fastd Schlüssel wird aus dem Admin passwordstore gelesen
+
+## Benötigte Variablen
+
+- Dictionary `meshes`
+´´´
+meshes:
+ xx:
+...
+ site_number: # integer
+´´´
+- Dictionary `fastd_secrets` (Host-Variable)
+´´´
+fastd_secrets:
+ mzigVPN: "{{ lookup('passwordstore', 'fastd/mzigVPN/sparegate4') }}"
+ wiigVPN: "{{ lookup('passwordstore', 'fastd/wiigVPN/sparegate4') }}"
+ ...
+
+´´´
+
+## fastd Secrets
+
+Die privaten Schlüssel der fastd Instanzen sind sehr sensible Informationen, weshalb wir diese in ein nicht öffentliches passwordstore ausgelagert haben.
+Bevor man ein Gateway aufsetzt, müssen die privaten Schlüssel für alle benötigten fastd Instanzen generiert und im passwordstore hinterlegt werden.
+Das Dictionary `fastd_secrets` folgt dem Aufbau:
+```
+fastd_secrets:
+ $Instanz-Name: "{{ lookup('passwordstore', '$Pfad-im-passwordstore') }}"
+```
diff --git a/roles/service-fastd-mesh/README.md b/roles/service-fastd-mesh/README.md
new file mode 100644
index 0000000..18f1f60
--- /dev/null
+++ b/roles/service-fastd-mesh/README.md
@@ -0,0 +1,38 @@ +# Ansible role service-fastd-mesh + +Diese Ansible role installiert und konfiguriert die fastd-Instanz für die Knoten Kommunikation. + +- installiert fastd +- konfiguriert xxVPN-Instanzen +- stellt sicher, dass die Instanz-Verzeichnisse existieren +- schreibt fastd.conf +- schreibt secret.conf + - der private fastd Schlüssel wird aus dem Admin passwordstore gelesen + +## Benötigte Variablen + +- Dictionary `meshes` +´´´ +meshes: + xx: +... + site_number: # integer +´´´ +- Dictionary `fastd_secrets` (Host-Variable) +´´´ +fastd_secrets: + mzVPN: "{{ lookup('passwordstore', 'fastd/mzVPN/sparegate4') }}" + wiVPN: "{{ lookup('passwordstore', 'fastd/wiVPN/sparegate4') }}" + ... + +´´´ + +## fastd Secrets + +Die privaten Schlüssel der fastd Instanzen sind sehr sensible Informationen, weshalb wir diese in ein nicht öffentliches passwordstore ausgelagert haben. +Bevor man ein Gateway aufsetzt, müssen die privaten Schlüssel für alle benötigten fastd Instanzen generiert und im passwordstore hinterlegt werden. +Das Dictionary `fastd_secrets` folgt dem Aufbau: +``` +fastd_secrets: + $Instanz-Name: "{{ lookup('passwordstore', '$Pfad-im-passwordstore') }}" +``` diff --git a/roles/service-haveged/README.md b/roles/service-haveged/README.md new file mode 100644 index 0000000..a6b81ad --- /dev/null +++ b/roles/service-haveged/README.md @@ -0,0 +1,3 @@ +# Ansible role service-haveged + +Diese Ansible role installiert und startet den haveged daemon. diff --git a/roles/service-ntpd/README.md b/roles/service-ntpd/README.md new file mode 100644 index 0000000..6d9dfaa --- /dev/null +++ b/roles/service-ntpd/README.md @@ -0,0 +1,7 @@ +# Ansible role service-ntpd + +Diese Ansible role installiert und startet den haveged daemon. + +- stellt sicher, dass systemd-timesyncd nicht läuft +- installiert ntp pakete +- startet den ntp daemon diff --git a/roles/service-radvd/README.md b/roles/service-radvd/README.md new file mode 100644 index 0000000..408d83f --- /dev/null 
+++ b/roles/service-radvd/README.md @@ -0,0 +1,23 @@ +# Ansible role service-radvd + +Diese Ansible role installiert und konfiguriert den radvd daemon. + +- installiert radvd +- aktiviert systemd unit +- schreibt radvd.conf + +## Benötigte Variablen + +- Dictionary `meshes` +´´´ +meshes: + xx: +... + ipv6: + ula: + - # ULA-Prefix - String + public: + - # Public-Prefix - String + iface_mtu: # Integer +´´´ +- Host Variable `magic` From d05233a26d7edd77c9c7cb57f4675beecce78f2d Mon Sep 17 00:00:00 2001 From: n0trax Date: Wed, 6 Sep 2017 12:05:22 +0200 Subject: [PATCH 006/106] Some restructuring (#3) --- Readme.md | 12 +++++++----- ansible.cfg | 7 ++++--- inventory/ffmwu-build-servers | 2 ++ inventory/ffmwu-gateways | 1 + inventory/ffmwu-servers | 2 ++ inventory/hosts | 11 ----------- inventory/test-vms | 2 ++ .../build-server.yml | 0 playbook-gateways.yml => playbooks/gateways.yml | 0 .../localtestvm-meshing.yml | 0 .../localtestvm-provide.yml | 0 .../localtestvm-test-prereqs.yml | 0 playbook-meshing.yml => playbooks/meshing.yml | 0 playbook-servers.yml => playbooks/servers.yml | 0 .../test-prereqs.yml | 0 15 files changed, 18 insertions(+), 19 deletions(-) create mode 100644 inventory/ffmwu-build-servers create mode 100644 inventory/ffmwu-gateways create mode 100644 inventory/ffmwu-servers delete mode 100644 inventory/hosts create mode 100644 inventory/test-vms rename playbook-build-server.yml => playbooks/build-server.yml (100%) rename playbook-gateways.yml => playbooks/gateways.yml (100%) rename playbook-localtestvm-meshing.yml => playbooks/localtestvm-meshing.yml (100%) rename playbook-localtestvm-provide.yml => playbooks/localtestvm-provide.yml (100%) rename playbook-localtestvm-test-prereqs.yml => playbooks/localtestvm-test-prereqs.yml (100%) rename playbook-meshing.yml => playbooks/meshing.yml (100%) rename playbook-servers.yml => playbooks/servers.yml (100%) rename playbook-test-prereqs.yml => playbooks/test-prereqs.yml (100%) 
diff --git a/Readme.md b/Readme.md index c4ecc2b..528b142 100644 --- a/Readme.md +++ b/Readme.md @@ -3,11 +3,13 @@ Wir, die Freifunk MWU Community, nutzen Ansible um unsere Freifunk Server aufzusetzen und zu konfigurieren. In diesem Repository verwalten wir unsere Ansible Roles und Playbooks. -Ein Server muss minimal vorbereitet sein, bevor dieser per Ansible z.B. zu einem Freifunk-Gateway gemacht werden kann. Insbesondere müssen die folgenden Voraussetzungen erfüllt sein (diese werden vom playbook `playbook-test-prereqs.yml` getestet): +Ein Server muss minimal vorbereitet sein, bevor dieser per Ansible z.B. zu einem Freifunk-Gateway gemacht werden +kann. Insbesondere müssen die folgenden Voraussetzungen erfüllt sein (diese werden vom playbook `test-prereqs.yml` getestet): - Ein dedizierter (v)server muss existieren und unter einer IPv4- und einer IPv6-Adresse öffentlich erreichbar sein. - Die Adressen müssen im MWU-DNS eingetragen sein. -- Als Betriebssystem muss das aktuelle Debian Stable installiert sein. +- Als Betriebssystem muss Debian stretch installiert sein. +- Für ansible muss Python 2.5 oder Python 2.4 + python-simplejson installiert sein. - Es muss einen User admin geben, auf den die Admins Zugriff haben; dieser muss Root-Zugang über sudo haben. Die Server werden mit ihren FQDNs im Ansible Inventory hinterlegt, bedenkt das für eure ssh-config. 
@@ -132,7 +134,7 @@ ffrl_exit_server: tunnel_ipv6_netmask: ``` -- Testen, ob alle Voraussetzungen erfüllt sind: `ansible-playbook playbook-test-prerequisites.yml` -- Neues Gateway aufsetzen per `ansible-playbook playbook-gateways.yml` +- Testen, ob alle Voraussetzungen erfüllt sind: `ansible-playbook playbooks/test-prerequisites.yml` +- Neues Gateway aufsetzen per `ansible-playbook playbooks/gateways.yml` - Hierbei werden die definierten Rollen auch auf schon aufgesetzte Gateways angewandt, was unkritisch ist, weil wir unsere Rollen idempotent schreiben. - - Um die Rollen nur auf das neu aufzusetzende Gateway anzuwenden: `ansible-playbook playbook-gateways.yml --limit=$FQDN` + - Um die Rollen nur auf das neu aufzusetzende Gateway anzuwenden: `ansible-playbook playbooks/gateways.yml --limit=$FQDN` diff --git a/ansible.cfg b/ansible.cfg index 81d49c2..b330c5c 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,9 +1,10 @@ [defaults] -inventory = ./inventory/hosts -retry_files_save_path = ~/.ansible/retry-files -#vault_password_file = ~/.ansible/vault-password-file +inventory = ./inventory +retry_files_enabled = False +#vault_password_file = ~/.ansible/vault-password-file remote_tmp = $HOME/ansible_tmp ansible_managed = Ansible managed - don't edit this file! +roles_path = ./roles #[ssh_connection] #pipelining = True diff --git a/inventory/ffmwu-build-servers b/inventory/ffmwu-build-servers new file mode 100644 index 0000000..515e960 --- /dev/null +++ b/inventory/ffmwu-build-servers @@ -0,0 +1,2 @@ +[ffmwu-build-servers] +milchreis.freifunk-mwu.de diff --git a/inventory/ffmwu-gateways b/inventory/ffmwu-gateways new file mode 100644 index 0000000..2978865 --- /dev/null +++ b/inventory/ffmwu-gateways @@ -0,0 +1 @@ +[ffmwu-gateways] diff --git a/inventory/ffmwu-servers b/inventory/ffmwu-servers new file mode 100644 index 0000000..b7b5ead --- /dev/null +++ b/inventory/ffmwu-servers @@ -0,0 +1,2 @@ +[ffmwu-servers] +milchreis.freifunk-mwu.de 
diff --git a/inventory/hosts b/inventory/hosts deleted file mode 100644 index 835030a..0000000 --- a/inventory/hosts +++ /dev/null @@ -1,11 +0,0 @@ -[ffmwu-servers:children] -ffmwu-gateways -ffmwu-build-servers - -[ffmwu-gateways] - -[ffmwu-build-servers] -milchreis.freifunk-mwu.de - -[test-vms] -local-test-vm.ffmwu.local ansible_host=192.168.137.7 require_dns=False diff --git a/inventory/test-vms b/inventory/test-vms new file mode 100644 index 0000000..64d8c34 --- /dev/null +++ b/inventory/test-vms @@ -0,0 +1,2 @@ +[test-vms] +local-test-vm.ffmwu.local ansible_host=192.168.137.7 require_dns=False diff --git a/playbook-build-server.yml b/playbooks/build-server.yml similarity index 100% rename from playbook-build-server.yml rename to playbooks/build-server.yml diff --git a/playbook-gateways.yml b/playbooks/gateways.yml similarity index 100% rename from playbook-gateways.yml rename to playbooks/gateways.yml diff --git a/playbook-localtestvm-meshing.yml b/playbooks/localtestvm-meshing.yml similarity index 100% rename from playbook-localtestvm-meshing.yml rename to playbooks/localtestvm-meshing.yml diff --git a/playbook-localtestvm-provide.yml b/playbooks/localtestvm-provide.yml similarity index 100% rename from playbook-localtestvm-provide.yml rename to playbooks/localtestvm-provide.yml diff --git a/playbook-localtestvm-test-prereqs.yml b/playbooks/localtestvm-test-prereqs.yml similarity index 100% rename from playbook-localtestvm-test-prereqs.yml rename to playbooks/localtestvm-test-prereqs.yml diff --git a/playbook-meshing.yml b/playbooks/meshing.yml similarity index 100% rename from playbook-meshing.yml rename to playbooks/meshing.yml diff --git a/playbook-servers.yml b/playbooks/servers.yml similarity index 100% rename from playbook-servers.yml rename to playbooks/servers.yml diff --git a/playbook-test-prereqs.yml b/playbooks/test-prereqs.yml similarity index 100% rename from playbook-test-prereqs.yml rename to playbooks/test-prereqs.yml 
From 4131825286caf29a36da7d5749ae46ab6347dc9a Mon Sep 17 00:00:00 2001 From: n0trax Date: Thu, 7 Sep 2017 09:32:15 +0200 Subject: [PATCH 007/106] Modify prerequisites role and integrate prerequisites role into all playbooks (#4) --- Readme.md | 6 ++++-- playbooks/build-server.yml | 6 +++--- playbooks/gateways.yml | 3 +-- playbooks/localtestvm-meshing.yml | 8 +++----- playbooks/localtestvm-provide.yml | 1 - playbooks/localtestvm-test-prereqs.yml | 9 --------- playbooks/meshing.yml | 8 +++----- playbooks/servers.yml | 6 ++---- playbooks/test-prereqs.yml | 8 -------- roles/prerequisites/tasks/main.yml | 14 ++++++++++++++ roles/prerequisites/vars/main.yml | 4 ++++ roles/test-prerequisites/tasks/main.yml | 23 ----------------------- 12 files changed, 34 insertions(+), 62 deletions(-) delete mode 100755 playbooks/localtestvm-test-prereqs.yml delete mode 100755 playbooks/test-prereqs.yml create mode 100755 roles/prerequisites/tasks/main.yml create mode 100644 roles/prerequisites/vars/main.yml delete mode 100755 roles/test-prerequisites/tasks/main.yml diff --git a/Readme.md b/Readme.md index 528b142..05759ce 100644 --- a/Readme.md +++ b/Readme.md @@ -4,7 +4,7 @@ Wir, die Freifunk MWU Community, nutzen Ansible um unsere Freifunk Server aufzus diesem Repository verwalten wir unsere Ansible Roles und Playbooks. Ein Server muss minimal vorbereitet sein, bevor dieser per Ansible z.B. zu einem Freifunk-Gateway gemacht werden -kann. Insbesondere müssen die folgenden Voraussetzungen erfüllt sein (diese werden vom playbook `test-prereqs.yml` getestet): +kann. Die folgenden Voraussetzungen müssen erfüllt sein: - Ein dedizierter (v)server muss existieren und unter einer IPv4- und einer IPv6-Adresse öffentlich erreichbar sein. - Die Adressen müssen im MWU-DNS eingetragen sein. 
@@ -12,6 +12,9 @@ kann. Insbesondere müssen die folgenden Voraussetzungen erfüllt sein (diese we - Für ansible muss Python 2.5 oder Python 2.4 + python-simplejson installiert sein. - Es muss einen User admin geben, auf den die Admins Zugriff haben; dieser muss Root-Zugang über sudo haben. +Die Voraussetzungen werden von der Rolle `prerequisites` geprüft, die Rolle sollte als erste Rolle in jedem +Playbook eingebunden sein. + Die Server werden mit ihren FQDNs im Ansible Inventory hinterlegt, bedenkt das für eure ssh-config. ## Variablen für jedes Mesh @@ -134,7 +137,6 @@ ffrl_exit_server: tunnel_ipv6_netmask: ``` -- Testen, ob alle Voraussetzungen erfüllt sind: `ansible-playbook playbooks/test-prerequisites.yml` - Neues Gateway aufsetzen per `ansible-playbook playbooks/gateways.yml` - Hierbei werden die definierten Rollen auch auf schon aufgesetzte Gateways angewandt, was unkritisch ist, weil wir unsere Rollen idempotent schreiben. - Um die Rollen nur auf das neu aufzusetzende Gateway anzuwenden: `ansible-playbook playbooks/gateways.yml --limit=$FQDN` diff --git a/playbooks/build-server.yml b/playbooks/build-server.yml index 7b76e33..3bf1f7c 100755 --- a/playbooks/build-server.yml +++ b/playbooks/build-server.yml @@ -1,7 +1,7 @@ #!/usr/bin/ansible-playbook ---- + - hosts: ffmwu-build-servers remote_user: admin - roles: - - ffmwu-build + - prerequisites + - ffmwu-build diff --git a/playbooks/gateways.yml b/playbooks/gateways.yml index 87fe129..5a0231c 100755 --- a/playbooks/gateways.yml +++ b/playbooks/gateways.yml @@ -1,10 +1,9 @@ #!/usr/bin/ansible-playbook ---- - hosts: ffmwu-gateways remote_user: admin - roles: + - prerequisites - server-repos - server-basic - service-haveged diff --git a/playbooks/localtestvm-meshing.yml b/playbooks/localtestvm-meshing.yml index 0d6cd3a..e6cde23 100755 --- a/playbooks/localtestvm-meshing.yml +++ b/playbooks/localtestvm-meshing.yml 
@@ -1,11 +1,9 @@ #!/usr/bin/ansible-playbook ---- - include: loctevm-provide.yml - hosts: test-vms remote_user: admin - strategy: linear - - roles: - - ffmwu-meshing + roles: + - prerequisites + - ffmwu-meshing diff --git a/playbooks/localtestvm-provide.yml b/playbooks/localtestvm-provide.yml index 2fca683..6f75733 100755 --- a/playbooks/localtestvm-provide.yml +++ b/playbooks/localtestvm-provide.yml @@ -1,5 +1,4 @@ #!/usr/bin/ansible-playbook ---- # localhost (aka 127.0.0.1) is the hypervisor (hard-coded) - hosts: test-vms diff --git a/playbooks/localtestvm-test-prereqs.yml b/playbooks/localtestvm-test-prereqs.yml deleted file mode 100755 index 46a4096..0000000 --- a/playbooks/localtestvm-test-prereqs.yml +++ /dev/null @@ -1,9 +0,0 @@ -#!/usr/bin/ansible-playbook ---- - -- hosts: test-vms - remote_user: admin - strategy: free - - roles: - - ffmwu-prereqs diff --git a/playbooks/meshing.yml b/playbooks/meshing.yml index c1bfe50..6dc49f4 100755 --- a/playbooks/meshing.yml +++ b/playbooks/meshing.yml @@ -1,9 +1,7 @@ #!/usr/bin/ansible-playbook ---- - hosts: meshing-srv remote_user: admin - strategy: linear - - roles: - - ffmwu-meshing + roles: + - prerequisites + - ffmwu-meshing diff --git a/playbooks/servers.yml b/playbooks/servers.yml index 157eb00..d5a05d0 100755 --- a/playbooks/servers.yml +++ b/playbooks/servers.yml @@ -1,9 +1,7 @@ #!/usr/bin/ansible-playbook ---- - hosts: ff-servers remote_user: admin - strategy: linear - roles: - - ffmwu-server + - prerequisites + - ffmwu-server diff --git a/playbooks/test-prereqs.yml b/playbooks/test-prereqs.yml deleted file mode 100755 index f96d426..0000000 --- a/playbooks/test-prereqs.yml +++ /dev/null @@ -1,8 +0,0 @@ -#!/usr/bin/ansible-playbook ---- - -- hosts: ffmwu-servers - remote_user: admin - - roles: - - test-prerequisites diff --git a/roles/prerequisites/tasks/main.yml b/roles/prerequisites/tasks/main.yml new file mode 100755 index 0000000..6ec8837 --- /dev/null +++ b/roles/prerequisites/tasks/main.yml 
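Review bot: The context line `- include: loctevm-provide.yml` in playbooks/localtestvm-meshing.yml still names the pre-rename file; the preceding commit moved it to `playbooks/localtestvm-provide.yml`, and `include` resolves relative to the including playbook's directory, so this play cannot load unless a stale copy was left behind. Change it to `- include: localtestvm-provide.yml` in this hunk rather than in a later cleanup, since the play is now the only way to exercise the `prerequisites` role against a local VM. Dropping `strategy: linear` is harmless, as that is the default strategy.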
@@ -0,0 +1,14 @@ +--- + +- name: Check DNS entries and target distribution + assert: + that: + - "dns_host_ipv4_address in ansible_all_ipv4_addresses" + - "dns_host_ipv6_address in ansible_all_ipv6_addresses" + - "ansible_distribution == 'Debian'" + - "ansible_distribution_major_version == '9'" + +- name: Test root access for admin account + command: "true" + changed_when: False + become: True diff --git a/roles/prerequisites/vars/main.yml b/roles/prerequisites/vars/main.yml new file mode 100644 index 0000000..f0e8dca --- /dev/null +++ b/roles/prerequisites/vars/main.yml @@ -0,0 +1,4 @@ +--- + +dns_host_ipv4_address: "{{ lookup('dig', inventory_hostname, 'qtype=A') }}" +dns_host_ipv6_address: "{{ lookup('dig', inventory_hostname, 'qtype=AAAA') }}" diff --git a/roles/test-prerequisites/tasks/main.yml b/roles/test-prerequisites/tasks/main.yml deleted file mode 100755 index 9b45590..0000000 --- a/roles/test-prerequisites/tasks/main.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- -- name: assert IPv4 DNS entry - local_action: shell dig +short A {{ inventory_hostname }} | egrep '^{{ ansible_default_ipv4.address }}' - changed_when: False - -- name: assert IPv6 DNS entry - local_action: shell dig +short AAAA {{ inventory_hostname }} | egrep '^{{ ansible_default_ipv6.address }}' - changed_when: False - -- name: Test access to admin account - command: "true" - changed_when: False - -- name: Test root access for admin account - command: "true" - changed_when: False - become: True - -- name: Check for correct OS type and version - fail: msg="unsupported OS type or version - {{ ansible_distribution }} {{ ansible_distribution_major_version }}" - when: - - ansible_distribution != "Debian" - - ansible_distribution_major_version|int != "9" From 166c67477bce5efd80c3664b0613e8dcae0cf5ec Mon Sep 17 00:00:00 2001 
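Review bot: The new assert runs the two DNS conditions unconditionally, while the inventory's `test-vms` entry in this series carries `require_dns=False` on a private address and this role is now the first role in every playbook, including `localtestvm-meshing.yml`; the local test VM will therefore fail on the first task. Either honour the flag by splitting the DNS checks into their own assert with `when: require_dns | default(true)`, or remove the flag from the inventory if DNS is meant to be mandatory. Note also that the `dig` lookup runs on the control node and, as far as I recall, yields a comma-joined string for names with several A/AAAA records and the literal `NXDOMAIN` for none, so `dns_host_ipv4_address in ansible_all_ipv4_addresses` only behaves for single-record names — please confirm against the lookup's documentation. A `msg:` that prints the resolved address and the host's address list would make a failed run self-explanatory.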
From: n0trax Date: Fri, 8 Sep 2017 17:17:26 +0200 Subject: [PATCH 008/106] Add relaxed yamllint config and fix errors --- .yamllint | 19 +++++++++++++++++++ include/loctevm-provide-iso.inc.yml | 5 ++--- playbooks/servers.yml | 2 +- roles/ffmwu-meshing/tasks/fastd-config.yml | 4 ++-- roles/server-repos/vars/main.yml | 1 - roles/service-ntpd/tasks/main.yml | 1 - 6 files changed, 24 insertions(+), 8 deletions(-) create mode 100644 .yamllint diff --git a/.yamllint b/.yamllint new file mode 100644 index 0000000..6284cf1 --- /dev/null +++ b/.yamllint @@ -0,0 +1,19 @@ +extends: default + +rules: + braces: {max-spaces-inside: 1, level: error} + brackets: {max-spaces-inside: 1, level: error} + colons: {max-spaces-after: -1, level: error} + commas: {max-spaces-after: -1, level: error} + comments: disable + comments-indentation: disable + document-start: disable + empty-lines: {max: 3, level: error} + hyphens: {level: error} + indentation: disable + key-duplicates: enable + line-length: disable + new-line-at-end-of-file: disable + new-lines: {type: unix} + trailing-spaces: enable + truthy: disable diff --git a/include/loctevm-provide-iso.inc.yml b/include/loctevm-provide-iso.inc.yml index d5273b6..632a344 100644 --- a/include/loctevm-provide-iso.inc.yml +++ b/include/loctevm-provide-iso.inc.yml @@ -1,7 +1,7 @@ --- - name: retrieve install iso - get_url: + get_url: checksum: "sha1:23dde0f195170d9fbe99547f9df75838acc95b5e" dest: "{{ vm_path }}/debian-8.6.0-amd64-i386-netinst.iso" force: no @@ -24,7 +24,7 @@ loop_control: loop_var: lri_item delegate_to: 127.0.0.1 # local action - + - name: manual intervention 1 - extract configs debug: msg: | @@ -125,4 +125,3 @@ # remote_src: True # though remote equals local ... # delegate_to: 127.0.0.1 # local action # register: primcopy - diff --git a/playbooks/servers.yml b/playbooks/servers.yml index d5a05d0..5a45db1 100755 --- a/playbooks/servers.yml +++ b/playbooks/servers.yml 
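Review bot: `truthy: disable` in the new .yamllint switches off the one rule that would flag the `True`/`False`/`yes` booleans used in this repo's tasks (`become: True`, `changed_when: False`, `update_cache: yes` all appear in this series), and `document-start: disable` legitimises the `---` removals from the previous commit; both are on by default in yamllint for good reason. If the goal is to lint the files as they are today, prefer keeping `truthy` at `level: warning` (newer yamllint versions also accept `allowed-values: ['true', 'false']`) and fixing the hits incrementally rather than disabling it. `key-duplicates: enable` and `new-lines: {type: unix}` are the valuable ones here and should stay at error level.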
@@ -2,6 +2,6 @@ - hosts: ff-servers remote_user: admin - roles: + roles: - prerequisites - ffmwu-server diff --git a/roles/ffmwu-meshing/tasks/fastd-config.yml b/roles/ffmwu-meshing/tasks/fastd-config.yml index d30e95a..2054e28 100644 --- a/roles/ffmwu-meshing/tasks/fastd-config.yml +++ b/roles/ffmwu-meshing/tasks/fastd-config.yml @@ -40,7 +40,7 @@ line: secret "{{f_key_pair.stdout_lines[0] |regex_replace('^Secret. ','')}}"; mode: 0400 regexp: '^secret ".*";' - state : present + state: present - name: write out fastd public key - {{mf_com.abbreviation}} lineinfile: @@ -50,7 +50,7 @@ line: key "{{f_key_pair.stdout_lines[1] |regex_replace('^Public. ','')}}"; mode: 0440 regexp: '^key ".*";' - state : present + state: present register: f_pub_key ignore_errors: True diff --git a/roles/server-repos/vars/main.yml b/roles/server-repos/vars/main.yml index 40a6cb1..5690253 100644 --- a/roles/server-repos/vars/main.yml +++ b/roles/server-repos/vars/main.yml @@ -9,4 +9,3 @@ repos: - name: freifunk repo: 'deb-src http://repo.freifunk-mwu.de/debian jessie main' update_cache: yes - diff --git a/roles/service-ntpd/tasks/main.yml b/roles/service-ntpd/tasks/main.yml index 072f0f8..907c8ae 100644 --- a/roles/service-ntpd/tasks/main.yml +++ b/roles/service-ntpd/tasks/main.yml @@ -26,4 +26,3 @@ state: started daemon_reload: yes become: true - From 6c238c7416804ede39b421b0d38bcc1f87b40296 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Sat, 9 Sep 2017 11:06:54 +0200 Subject: [PATCH 009/106] Add role service-rclocal --- playbooks/gateways.yml | 1 + roles/service-rclocal/README.md | 26 ++++ roles/service-rclocal/tasks/main.yml | 13 ++ roles/service-rclocal/templates/rc.local.j2 | 163 ++++++++++++++++++++ 4 files changed, 203 insertions(+) create mode 100644 roles/service-rclocal/README.md create mode 100644 roles/service-rclocal/tasks/main.yml create mode 100644 roles/service-rclocal/templates/rc.local.j2 
diff --git a/playbooks/gateways.yml b/playbooks/gateways.yml index 5a0231c..8642784 100755 --- a/playbooks/gateways.yml +++ b/playbooks/gateways.yml @@ -19,3 +19,4 @@ - git-fastd-peers - network-fastd - network-ffrl + - service-rclocal diff --git a/roles/service-rclocal/README.md b/roles/service-rclocal/README.md new file mode 100644 index 0000000..bc3d228 --- /dev/null +++ b/roles/service-rclocal/README.md @@ -0,0 +1,26 @@ +# Ansible role service-rclocal + +Diese Ansible role schreibt die rc.local. +Über die rc.local werden im Moment noch sämtliche IP rules sowie statischen IP-Routen konfiguriert. + +All dieses sollte in Zukunft durch systemd units abgelöst werden. + +## Benötigte Variablen + +- Dictionary `meshes` +´´´ +meshes: + xx: +... + site_name: # string + ipv4_network: + ipv6: + ula: + - # string + public: + - # string + iface_mtu: # integer +´´´ +- Host Variable `magic` +- Host Variable `ffrl_public_ipv4_nat` +- Host Dictionary `ffrl_exit_server` diff --git a/roles/service-rclocal/tasks/main.yml b/roles/service-rclocal/tasks/main.yml new file mode 100644 index 0000000..8a161f4 --- /dev/null +++ b/roles/service-rclocal/tasks/main.yml @@ -0,0 +1,13 @@ +--- +- name: write rc.local + template: + src: rc.local.j2 + dest: /etc/rc.local + mode: 0755 + become: true + +- name: enable systemd unit rc.local + systemd: + name: rc.local + enabled: yes + become: true diff --git a/roles/service-rclocal/templates/rc.local.j2 b/roles/service-rclocal/templates/rc.local.j2 new file mode 100644 index 0000000..797a2fa --- /dev/null +++ b/roles/service-rclocal/templates/rc.local.j2 
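Review bot: The second task enables a unit named `rc.local`, but on Debian stretch the unit systemd ships is `rc-local.service`, which is static (no `[Install]` section) and is pulled in by `systemd-rc-local-generator` whenever `/etc/rc.local` is executable; whether `rc.local` resolves via a Debian alias and whether `enabled: yes` on a static unit succeeds or errors depends on the systemd build, so please verify on a stretch host and consider dropping the task or naming `rc-local`. There is no handler, so a changed template only takes effect at the next boot — that may be deliberate given the script is not re-runnable, but the README should say so. Quote the mode (`mode: "0755"`) so the octal literal does not depend on YAML 1.1 parsing.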
@@ -0,0 +1,163 @@ +#!/bin/sh -e +# +# {{ ansible_managed }} +# +# rc.local +# +# This script is executed at the end of each multiuser runlevel. +# Make sure that the script will "exit 0" on success or any other +# value on error. +# +# In order to enable or disable this script just change the execution +# bits. +# +# By default this script does nothing. + +# +# IP rules +# + +# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces +{% for key, value in meshes.iteritems() %} +ip -4 rule add from {{ value.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7 +ip -4 rule add to {{ value.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7 +ip -4 rule add from all oif {{ key }}BR lookup mwu priority 7 +{% for ula in value.ipv6.ula %} +ip -6 rule add from {{ ula }} lookup mwu priority 7 +ip -6 rule add to {{ ula }} lookup mwu priority 7 +{% endfor %} +{% for public in value.ipv6.public %} +ip -6 rule add from {{ public }} lookup mwu priority 7 +ip -6 rule add to {{ public }} lookup mwu priority 7 +{% endfor %} +ip -6 rule add from all oif {{ key }}BR lookup mwu priority 7 +{% endfor %} + +# Priority 23 - lookup rt_table icvpn for all incoming traffic of freifunk bridges +{% for key, value in meshes.iteritems() %} +ip -4 rule add from {{ value.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23 +ip -4 rule add to {{ value.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23 +ip -4 rule add from all oif {{ key }}BR lookup icvpn priority 23 +{% for ula in value.ipv6.ula %} +ip -6 rule add from {{ ula }} lookup icvpn priority 23 +ip -6 rule add to {{ ula }} lookup icvpn priority 23 +{% endfor %} +{% for public in value.ipv6.public %} +ip -6 rule add from {{ public }} lookup icvpn priority 23 +ip -6 rule add to {{ public }} lookup icvpn priority 23 +{% endfor %} +ip -6 rule add from all oif {{ key }}BR lookup icvpn priority 23 +{% endfor %} +ip -4 rule add from all oif icVPN lookup icvpn priority 23 +ip 
-6 rule add from all oif icVPN lookup icvpn priority 23 + +# Priority 41 - lookup rt_table internet for all incoming traffic of freifunk bridges +{% for key, value in meshes.iteritems() %} +ip -4 rule add from {{ value.ipv4_network | ipaddr('network') }}/16 lookup internet priority 41 +{% for ula in value.ipv6.ula %} +ip -6 rule add from {{ ula }} lookup internet priority 41 +ip -6 rule add to {{ ula }} lookup internet priority 41 +{% endfor %} +{% for public in value.ipv6.public %} +ip -6 rule add from {{ public }} lookup internet priority 41 +ip -6 rule add to {{ public }} lookup internet priority 41 +{% endfor %} +ip -6 rule add from all oif {{ key }}BR lookup internet priority 41 +{% endfor %} +ip -4 rule add from {{ ffrl_public_ipv4_nat }}/32 lookup internet priority 41 +ip -4 rule add to {{ ffrl_public_ipv4_nat }}/32 lookup internet priority 41 + +# Priority 61 - at this point this is the end of policy routing for freifunk related routes +{% for key, value in meshes.iteritems() %} +ip -4 rule add from all iif {{ key }}BR type unreachable priority 61 +ip -6 rule add from all iif {{ key }}BR type unreachable priority 61 +{% endfor %} +ip -4 rule add from all iif icVPN type unreachable priority 61 +ip -4 rule add from all iif eth0 type unreachable priority 61 +{% for key, value in ffrl_exit_server.iteritems() %} +ip -4 rule add from all iif {{ key }} type unreachable priority 61 +ip -6 rule add from all iif {{ key }} type unreachable priority 61 +{% endfor %} +ip -6 rule add from all iif icVPN type unreachable priority 61 +ip -6 rule add from all iif eth0 type unreachable priority 61 +{% for key, value in meshes.iteritems() %} +{% for public in value.ipv6.public %} +ip -6 rule add from {{ public }} type unreachable priority 61 +ip -6 rule add to {{ public }} type unreachable priority 61 +{% endfor %} +{% endfor %} + +# Priority 107 - lookup policies for the gateway host self originating traffic +ip -4 rule add from all lookup mwu priority 107 +ip -4 rule add 
from all lookup icvpn priority 107 +ip -6 rule add from all lookup mwu priority 107 +ip -6 rule add from all lookup icvpn priority 107 + + +# +# IP routes +# + +{% for key, value in meshes.iteritems() %} +# static {{ value.site_name }} routes for rt_table mwu +/sbin/ip -4 route add {{ value.ipv4_network }} proto static dev {{ key }}BR table mwu +{% for ula in value.ipv6.ula %} +/sbin/ip -6 route add {{ ula | ipaddr('net') | ipsubnet(64, 0) }} proto static dev {{ key }}BR table mwu +{% endfor %} +{% for public in value.ipv6.public %} +/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(64, 0) }} proto static dev {{ key }}BR table mwu +/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(64, magic) }} proto static dev {{ key }}BR table mwu +{% endfor %} +{% if not loop.last %} + +{% endif %} +{% endfor %} + +# static blackhole routes for rt_table internet +/sbin/ip -4 route add blackhole 0.0.0.0/8 table internet +/sbin/ip -4 route add blackhole 10.0.0.0/8 table internet +/sbin/ip -4 route add blackhole 100.64.0.0/10 table internet +/sbin/ip -4 route add blackhole 127.0.0.0/8 table internet +/sbin/ip -4 route add blackhole 169.254.0.0/16 table internet +/sbin/ip -4 route add blackhole 172.16.0.0/12 table internet +/sbin/ip -4 route add blackhole 192.0.0.0/24 table internet +/sbin/ip -4 route add blackhole 192.0.2.0/24 table internet +/sbin/ip -4 route add blackhole 192.88.99.0/24 table internet +/sbin/ip -4 route add blackhole 192.168.0.0/16 table internet +/sbin/ip -4 route add blackhole 198.18.0.0/15 table internet +/sbin/ip -4 route add blackhole 198.51.100.0/24 table internet +/sbin/ip -4 route add blackhole 203.0.113.0/24 table internet +/sbin/ip -4 route add blackhole 224.0.0.0/4 table internet +/sbin/ip -4 route add blackhole 240.0.0.0/4 table internet +/sbin/ip -4 route add blackhole 255.255.255.255/32 table internet +/sbin/ip -6 route add blackhole fec0::/10 table internet +/sbin/ip -6 route add blackhole fc00::/7 table internet +/sbin/ip -6 
route add blackhole ff00::/8 table internet +/sbin/ip -6 route add blackhole ::/96 table internet +/sbin/ip -6 route add blackhole 0:0:0:0:0:ffff::/96 table internet + +# static blackhole routes for rt_table main +/sbin/ip -4 route add blackhole 0.0.0.0/8 table main +/sbin/ip -4 route add blackhole 10.0.0.0/8 table main +/sbin/ip -4 route add blackhole 100.64.0.0/10 table main +/sbin/ip -4 route add blackhole 127.0.0.0/8 table main +/sbin/ip -4 route add blackhole 169.254.0.0/16 table main +/sbin/ip -4 route add blackhole 172.16.0.0/12 table main +/sbin/ip -4 route add blackhole 192.0.0.0/24 table main +/sbin/ip -4 route add blackhole 192.0.2.0/24 table main +/sbin/ip -4 route add blackhole 192.88.99.0/24 table main +/sbin/ip -4 route add blackhole 192.168.0.0/16 table main +/sbin/ip -4 route add blackhole 198.18.0.0/15 table main +/sbin/ip -4 route add blackhole 198.51.100.0/24 table main +/sbin/ip -4 route add blackhole 203.0.113.0/24 table main +/sbin/ip -4 route add blackhole 224.0.0.0/4 table main +/sbin/ip -4 route add blackhole 240.0.0.0/4 table main +/sbin/ip -4 route add blackhole 255.255.255.255/32 table main +/sbin/ip -6 route add blackhole fec0::/10 table main +/sbin/ip -6 route add blackhole fc00::/7 table main +/sbin/ip -6 route add blackhole ff00::/8 table main +/sbin/ip -6 route add blackhole ::/96 table main +/sbin/ip -6 route add blackhole 0:0:0:0:0:ffff::/96 table main +/sbin/ip -6 route add blackhole ::/0 table main + +exit 0 From 34369638dc946026cad9ea4a145a30eac325e50b Mon Sep 17 00:00:00 2001 
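Review bot: With `#!/bin/sh -e` the first failing command aborts the script, and the interface-bound routes (`/sbin/ip -4 route add {{ value.ipv4_network }} proto static dev {{ key }}BR table mwu`) come before the blackhole routes for private/ULA space in tables `internet` and `main`; if a bridge is not yet up when rc-local runs, or the script is re-run after boot (`ip route add` fails with EEXIST on an existing route, and `ip rule add` silently duplicates rules), the script dies with the policy rules already installed but the anti-leak blackholes missing. Move the blackhole block, which depends on nothing, to the top and switch to `ip route replace` so the script is idempotent, or make the interface-bound lines non-fatal and log them. `iif eth0` and the `/16` appended after `ipaddr('network')` are hard-coded assumptions about the host NIC name and the mesh prefix length that the README should state. The priority-41 IPv4 block installs only a `from` rule while the IPv6 block installs `from` and `to` — confirm that asymmetry is intentional (a comment would help).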
From: Tobias Hachmer Date: Sun, 10 Sep 2017 23:56:34 +0200 Subject: [PATCH 010/106] Add role service-bird --- inventory/group_vars/all | 2 + playbooks/gateways.yml | 1 + roles/service-bird/README.md | 36 +++++++++ roles/service-bird/handlers/main.yml | 17 +++++ roles/service-bird/tasks/main.yml | 46 +++++++++++ roles/service-bird/templates/bird.conf.j2 | 76 +++++++++++++++++++ roles/service-bird/templates/bird6.conf.j2 | 65 ++++++++++++++++ .../templates/mwu_ipv4_peers.conf.j2 | 12 +++ .../templates/mwu_ipv6_peers.conf.j2 | 12 +++ 9 files changed, 267 insertions(+) create mode 100644 roles/service-bird/README.md create mode 100644 roles/service-bird/handlers/main.yml create mode 100644 roles/service-bird/tasks/main.yml create mode 100644 roles/service-bird/templates/bird.conf.j2 create mode 100644 roles/service-bird/templates/bird6.conf.j2 create mode 100644 roles/service-bird/templates/mwu_ipv4_peers.conf.j2 create mode 100644 roles/service-bird/templates/mwu_ipv6_peers.conf.j2 diff --git a/inventory/group_vars/all b/inventory/group_vars/all index a7b254f..effbd11 100644 --- a/inventory/group_vars/all +++ b/inventory/group_vars/all @@ -10,6 +10,8 @@ routing_tables: icvpn_ipv4_network: 10.207.0.0/16 mwu_icvpn_ipv4_network: 10.207.37.0/24 bgp_loopback_net: 10.37.0.0/18 +bgp_ipv4_transfer_net: 10.37.0.0/18 +bgp_ipv6_transfer_net: fd37:b4dc:4b1e::/64 meshes: mz: diff --git a/playbooks/gateways.yml b/playbooks/gateways.yml index 8642784..d22c61f 100755 --- a/playbooks/gateways.yml +++ b/playbooks/gateways.yml @@ -19,4 +19,5 @@ - git-fastd-peers - network-fastd - network-ffrl + - service-bird - service-rclocal diff --git a/roles/service-bird/README.md b/roles/service-bird/README.md new file mode 100644 index 0000000..249e4c2 --- /dev/null +++ b/roles/service-bird/README.md 
@@ -0,0 +1,36 @@ +# Ansible role service-bird + +Diese Ansible role installiert und konfiguriert den bird daemon. + +- installiert bird +- aktiviert systemd units bird + bird6 +- schreibt bird.conf + bird6.conf +- konfiguriert bird für iBGP mit allen anderen FFMWU-Servern + +Im iBGP peeren wir mangels separatem Transfernetz (im Moment) im Mainzer Mesh Netz. + +## Benötigte Variablen + +- Variable `bgp_loopback_net` # IPv4-Range des Mainzer Meshes, hieraus werden die Loopback Adressen gewählt. +- Variable `bgp_ipv4_transfer_net` # IPv4-Range des Mainzer Meshes, das aktuell als Transfernetz benutzt wird. +- Variable `bgp_ipv6_transfer_net` # IPv6-Range des Mainzer Meshes, das aktuell als Transfernetz benutzt wird. +- Variable `bgp_as_private_mwu` # Private ASN von Freifunk MWU +- Dictionary `bgp_mwu_servers` +``` + spinat: # kurzer Hostname des Peers + ipv4: 10.37.0.7 # IPv4-Adresse des Peers + ipv6: fd37:b4dc:4b1e::a25:7 # IPv6-Adresse des Peers +... + +``` +- Dictionary `meshes` +´´´ +meshes: + xx: +... + ipv4_network: + ipv6: + ula: + - # IPv6-ULA Network +´´´ +- Host Variable `magic` diff --git a/roles/service-bird/handlers/main.yml b/roles/service-bird/handlers/main.yml new file mode 100644 index 0000000..15478b4 --- /dev/null +++ b/roles/service-bird/handlers/main.yml @@ -0,0 +1,17 @@ +--- +- name: reload systemd + systemd: + daemon_reload: yes + become: true + +- name: reload bird + systemd: + name: bird + state: reloaded + become: true + +- name: reload bird6 + systemd: + name: bird6 + state: reloaded + become: true diff --git a/roles/service-bird/tasks/main.yml b/roles/service-bird/tasks/main.yml new file mode 100644 index 0000000..152a1ee --- /dev/null +++ b/roles/service-bird/tasks/main.yml 
@@ -0,0 +1,46 @@ +--- +- name: install bird packages + apt: + name: "{{ item }}" + state: present + notify: reload systemd + with_items: + - bird-bgp + - bird-doc + become: true + +- name: write bird configuration + template: + src: bird{{ item }}.conf.j2 + dest: /etc/bird/bird{{ item }}.conf + mode: 0640 + owner: bird + group: bird + notify: reload bird{{ item }} + with_items: + - "" + - 6 + become: true + +- name: configure mwu peers + template: + src: mwu_ipv{{ item }}_peers.conf.j2 + dest: /etc/bird/mwu_ipv{{ item }}_peers.conf + mode: 0640 + owner: bird + group: bird + notify: reload bird{{ item }} + with_items: + - 4 + - 6 + become: true + +- name: enable + start systemd units bird + bird6 + systemd: + name: bird{{ item }} + enabled: yes + state: started + with_items: + - "" + - 6 + become: true diff --git a/roles/service-bird/templates/bird.conf.j2 b/roles/service-bird/templates/bird.conf.j2 new file mode 100644 index 0000000..304080a --- /dev/null +++ b/roles/service-bird/templates/bird.conf.j2 
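Review bot: `mode: 0640` in the three template tasks is an unquoted octal literal; the YAML parser turns it into the integer 416 and Ansible only gets the intended permission bits back because of the leading zero, so quote it as `mode: "0640"` to match the Ansible convention and keep yamllint quiet. The same tasks notify a live `reload bird{{ item }}` without checking the rendered file first, so a bad render (an undefined variable, a dangling comma in a generated prefix list) is only discovered when the reload fails on the gateway. bird can parse-check a file with `bird{{ item }} -p -c <file>`, which would fit a `validate:` argument on the template tasks — verify first that bird resolves the relative `include "…con?"` patterns in a way that works from Ansible's temporary validation path.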
@@ -0,0 +1,76 @@ +# +# {{ ansible_managed }} +# + +# Variables +define mwu_address = {{ bgp_ipv4_transfer_net | ipaddr('net') | ipaddr(magic) | ipaddr('address') }}; +define mwu_as = {{ as_private_mwu }}; +define router_id = {{ bgp_loopback_net | ipaddr('net') | ipaddr(magic) | ipaddr('address') }}; + +# General +timeformat protocol iso long; +router id router_id; + +# Functions +function is_default() { + return net ~ [ + 0.0.0.0/0 + ]; +} + +function is_freifunk() { + return net ~ [ + 10.0.0.0/8{16,24} + ]; +} + +function is_dn42() { + return net ~ [ + 172.20.0.0/14{20,28} + ]; +} + +function is_chaosvpn() { + return net ~ [ + 172.31.0.0/16+ + ]; +} + +function is_mwu_self_nets() { + return net ~ [ +{% for item, value in meshes.iteritems() %} + {{ value.ipv4_network | ipaddr('net') }}+{{ "," if not loop.last else "" }} +{% endfor %} + ]; +} + +# Protocols +protocol device { + scan time 30; +}; + +protocol direct mwu_subnets { +{% for item, value in meshes.iteritems() %} + interface "{{ item }}BR"; +{% endfor %} + import where is_mwu_self_nets(); +}; + +# Templates +template bgp ibgp_mwu { + local mwu_address as mwu_as; + import keep filtered on; + import all; + export where source = RTS_BGP; + direct; + gateway direct; +}; + +# Include IPv4 MWU peers +include "mwu_ipv4_peers.con?"; + +# Include IPv4 ICVPN configuration +include "icvpn_ipv4.con?"; + +# Include IPv4 FFRL configuration +include "ffrl_ipv4.con?"; diff --git a/roles/service-bird/templates/bird6.conf.j2 b/roles/service-bird/templates/bird6.conf.j2 new file mode 100644 index 0000000..baebabb --- /dev/null +++ b/roles/service-bird/templates/bird6.conf.j2 
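Review bot: The `ibgp_mwu` template sets `local mwu_address as mwu_as` with `import all` and no `password`, and this role's README states that the iBGP sessions run over the Mainz mesh network because there is no dedicated transfer net yet, so any host on that mesh segment that can reach the transfer address can attempt TCP resets or spoofed sessions against the gateways' iBGP peers. TCP-MD5 is the cheap mitigation: `password "{{ bgp_mwu_password }}";` inside the template, with the secret kept in vault, and the same line in bird6.conf.j2. If the mesh is considered trusted for this purpose, a comment above `template bgp ibgp_mwu` should say so explicitly so the decision is visible when a transfer net is introduced.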
@@ -0,0 +1,65 @@ +# +# {{ ansible_managed }} +# + +# Variables +define router_id = {{ bgp_loopback_net | ipaddr('net') | ipaddr(magic) | ipaddr('address') }}; +define mwu_address = {{ bgp_ipv6_transfer_net | ipaddr('net') | ipaddr(magic) | ipaddr('address') }}; +define mwu_as = {{ as_private_mwu }}; + +# General +timeformat protocol iso long; +router id router_id; + +# Functions +function is_default() { + return net ~ [ + ::/0 + ]; +} + +function is_ula() { + return net ~ [ + fc00::/7{48,64} + ]; +} + +function is_mwu_self_nets() { + return net ~ [ +{% for item, value in meshes.iteritems() %} +{% for ula in value.ipv6.ula %} + {{ ula | ipaddr('net') }}+{{ "," if not loop.last else "" }}{% endfor %}{{ "," if not loop.last else "" }} +{% endfor %} + ]; +} + +# Protocols +protocol device { + scan time 30; +}; + +protocol direct mwu_subnets { +{% for item, value in meshes.iteritems() %} + interface "{{ item }}BR"; +{% endfor %} + import where is_mwu_self_nets(); +}; + +# Templates +template bgp ibgp_mwu { + local mwu_address as mwu_as; + import keep filtered on; + import all; + export where source = RTS_BGP; + direct; + gateway direct; +}; + +# Include IPv6 MWU peers +include "mwu_ipv6_peers.con?"; + +# Include IPv6 ICVPN configuration +include "icvpn_ipv6.con?"; + +# Include IPv6 FFRL configuration +include "ffrl_ipv6.con?"; diff --git a/roles/service-bird/templates/mwu_ipv4_peers.conf.j2 b/roles/service-bird/templates/mwu_ipv4_peers.conf.j2 new file mode 100644 index 0000000..153c36a --- /dev/null +++ b/roles/service-bird/templates/mwu_ipv4_peers.conf.j2 @@ -0,0 +1,12 @@ +# +# {{ ansible_managed }} +# + +{% for item, value in bgp_mwu_servers.iteritems() %} +{% if item != inventory_hostname_short %} +protocol bgp mwu_{{ item }} from ibgp_mwu { + neighbor {{ value.ipv4 }} as mwu_as; +}; +{% endif %} + +{% endfor %} 
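Review bot: `define mwu_as = {{ as_private_mwu }};` (here and in bird.conf.j2) reads a variable that the role README documents as `bgp_as_private_mwu`; one of the two has to change or the template fails with an undefined variable on first run. The `meshes.iteritems()` calls in `is_mwu_self_nets` and `mwu_subnets` are Python-2-only — on a Python 3 controller Jinja has no `iteritems` and rendering errors — whereas `meshes.items()` works on both. The nested ULA loop's trailing-comma logic also assumes every mesh has at least one `ula` entry; a mesh with an empty list would most likely leave a stray `,` in the prefix set and break the bird parse, so that requirement belongs in the README or behind a guard.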
diff --git a/roles/service-bird/templates/mwu_ipv6_peers.conf.j2 b/roles/service-bird/templates/mwu_ipv6_peers.conf.j2 new file mode 100644 index 0000000..59051ff --- /dev/null +++ b/roles/service-bird/templates/mwu_ipv6_peers.conf.j2 @@ -0,0 +1,12 @@ +# +# {{ ansible_managed }} +# + +{% for item, value in bgp_mwu_servers.iteritems() %} +{% if item != inventory_hostname_short %} +protocol bgp mwu_{{ item }} from ibgp_mwu { + neighbor {{ value.ipv6 }} as mwu_as; +}; +{% endif %} + +{% endfor %} From 84755f8bb942dfc78b5dddef1312d66a875aa44c Mon Sep 17 00:00:00 2001 From: n0trax Date: Mon, 11 Sep 2017 00:00:49 +0200 Subject: [PATCH 011/106] Move localtestvm to separate role (untested) (#6) --- {include => roles/localtestvm/tasks}/loctevm-provide-iso.inc.yml | 0 {include => roles/localtestvm/tasks}/loctevm-provide-net.inc.yml | 0 .../localtestvm/tasks}/loctevm-provide-prereq.inc.yml | 0 {include => roles/localtestvm/tasks}/loctevm-provide-vm.inc.yml | 0 {templates => roles/localtestvm/templates}/loctenet.xml | 0 {templates => roles/localtestvm/templates}/loctevm-pool.xml | 0 {templates => roles/localtestvm/templates}/loctevm.xml | 0 {templates => roles/localtestvm/templates}/preseed.cfg | 0 8 files changed, 0 insertions(+), 0 deletions(-) rename {include => roles/localtestvm/tasks}/loctevm-provide-iso.inc.yml (100%) rename {include => roles/localtestvm/tasks}/loctevm-provide-net.inc.yml (100%) rename {include => roles/localtestvm/tasks}/loctevm-provide-prereq.inc.yml (100%) rename {include => roles/localtestvm/tasks}/loctevm-provide-vm.inc.yml (100%) rename {templates => roles/localtestvm/templates}/loctenet.xml (100%) rename {templates => roles/localtestvm/templates}/loctevm-pool.xml (100%) rename {templates => roles/localtestvm/templates}/loctevm.xml (100%) rename {templates => roles/localtestvm/templates}/preseed.cfg (100%) 
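Review bot: The self-exclusion `{% if item != inventory_hostname_short %}` only works when the key of every `bgp_mwu_servers` entry equals the host's short inventory name; a gateway whose inventory name differs from its key renders a `neighbor` stanza pointing at its own address. A cheap guard before the template task is `assert: { that: inventory_hostname_short in bgp_mwu_servers }` so the mismatch fails the play instead of producing a self-peering. The IPv4 peer template has the same dependency.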
diff --git a/include/loctevm-provide-iso.inc.yml b/roles/localtestvm/tasks/loctevm-provide-iso.inc.yml similarity index 100% rename from include/loctevm-provide-iso.inc.yml rename to roles/localtestvm/tasks/loctevm-provide-iso.inc.yml diff --git a/include/loctevm-provide-net.inc.yml b/roles/localtestvm/tasks/loctevm-provide-net.inc.yml similarity index 100% rename from include/loctevm-provide-net.inc.yml rename to roles/localtestvm/tasks/loctevm-provide-net.inc.yml diff --git a/include/loctevm-provide-prereq.inc.yml b/roles/localtestvm/tasks/loctevm-provide-prereq.inc.yml similarity index 100% rename from include/loctevm-provide-prereq.inc.yml rename to roles/localtestvm/tasks/loctevm-provide-prereq.inc.yml diff --git a/include/loctevm-provide-vm.inc.yml b/roles/localtestvm/tasks/loctevm-provide-vm.inc.yml similarity index 100% rename from include/loctevm-provide-vm.inc.yml rename to roles/localtestvm/tasks/loctevm-provide-vm.inc.yml diff --git a/templates/loctenet.xml b/roles/localtestvm/templates/loctenet.xml similarity index 100% rename from templates/loctenet.xml rename to roles/localtestvm/templates/loctenet.xml diff --git a/templates/loctevm-pool.xml b/roles/localtestvm/templates/loctevm-pool.xml similarity index 100% rename from templates/loctevm-pool.xml rename to roles/localtestvm/templates/loctevm-pool.xml diff --git a/templates/loctevm.xml b/roles/localtestvm/templates/loctevm.xml similarity index 100% rename from templates/loctevm.xml rename to roles/localtestvm/templates/loctevm.xml diff --git a/templates/preseed.cfg b/roles/localtestvm/templates/preseed.cfg similarity index 100% rename from templates/preseed.cfg rename to roles/localtestvm/templates/preseed.cfg From a2816a152e12b7aba913babab96c65acb3db7dc4 Mon Sep 17 00:00:00 2001 
From: Tobias Hachmer Date: Mon, 11 Sep 2017 12:48:16 +0200 Subject: [PATCH 012/106] Add role git-repos --- playbooks/gateways.yml | 1 + roles/git-repos/README.md | 18 ++++++++++++++++++ roles/git-repos/tasks/main.yml | 23 +++++++++++++++++++++++ roles/git-repos/vars/main.yml | 8 ++++++++ 4 files changed, 50 insertions(+) create mode 100644 roles/git-repos/README.md create mode 100644 roles/git-repos/tasks/main.yml create mode 100644 roles/git-repos/vars/main.yml diff --git a/playbooks/gateways.yml b/playbooks/gateways.yml index d22c61f..9fd38ed 100755 --- a/playbooks/gateways.yml +++ b/playbooks/gateways.yml @@ -6,6 +6,7 @@ - prerequisites - server-repos - server-basic + - git-repos - service-haveged - service-ntpd - kmod-batman diff --git a/roles/git-repos/README.md b/roles/git-repos/README.md new file mode 100644 index 0000000..51f5acb --- /dev/null +++ b/roles/git-repos/README.md @@ -0,0 +1,18 @@ +# Ansible role git-repos + +Diese Ansible role klont wichtige git Repositories. + +- installiert git +- legt /home/admin/clones an +- klont alle git Repositories aus dem Dictionary `common_repos` + +## Benötigte Variablen + +- Dictionary `common_repos` # role variable +``` +common_repos: + name: # name des Repositories == Ordner Name + repo_url: # HTTP-URL zum Repository +... + +``` diff --git a/roles/git-repos/tasks/main.yml b/roles/git-repos/tasks/main.yml new file mode 100644 index 0000000..46d5c33 --- /dev/null +++ b/roles/git-repos/tasks/main.yml @@ -0,0 +1,23 @@ +--- +- name: install git packages + apt: + name: "{{ item }}" + state: present + with_items: + - git + become: true + +- name: ensure git directory is present + file: + path: /home/admin/clones + state: directory + mode: 0755 + owner: admin + group: admin + become: true + +- name: clone git repositories + git: + repo: "{{ item.value.repo_url }}" + dest: "/home/admin/clones/{{ item.key }}" + with_dict: "{{ common_repos }}" 
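Review bot: The `clone git repositories` task has no `version:` pin, so whatever is on the default branch of the three upstream repositories at run time lands in `/home/admin/clones`; the icvpn-scripts checkout is later executed as root to write `/etc/bird/*` (service-bird-icvpn role in this series), which makes an unpinned public GitHub branch part of the routers' trust base. Pin each entry, e.g. `version: "{{ item.value.version | default('master') }}"` with a tag or commit recorded per repo in `common_repos`, and review bumps like any other dependency. The task is correctly run without `become` since it writes into admin's home, but that only holds while no play-level `become` applies — an explicit `become: false` would document the intent and survive a later default change.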
diff --git a/roles/git-repos/vars/main.yml b/roles/git-repos/vars/main.yml new file mode 100644 index 0000000..572463e --- /dev/null +++ b/roles/git-repos/vars/main.yml @@ -0,0 +1,8 @@ +--- +common_repos: + backend-scripts: + repo_url: https://github.com/freifunk-mwu/backend-scripts.git + icvpn-meta: + repo_url: https://github.com/freifunk/icvpn-meta.git + icvpn-scripts: + repo_url: https://github.com/freifunk/icvpn-scripts.git From dd6d5b6ec5a281b57202219ea866757d96e646c0 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Mon, 11 Sep 2017 13:10:39 +0200 Subject: [PATCH 013/106] Add role service-bird-icvpn; add python3-yaml package to server-basic role --- inventory/group_vars/all | 4 +- playbooks/gateways.yml | 1 + roles/server-basic/vars/main.yml | 1 + roles/service-bird-icvpn/README.md | 19 +++++ roles/service-bird-icvpn/handlers/main.yml | 28 +++++++ roles/service-bird-icvpn/meta/main.yml | 4 + roles/service-bird-icvpn/tasks/main.yml | 41 ++++++++++ .../templates/icvpn_ipv4.conf.j2 | 75 +++++++++++++++++++ .../templates/icvpn_ipv6.conf.j2 | 67 +++++++++++++++++ 9 files changed, 238 insertions(+), 2 deletions(-) create mode 100644 roles/service-bird-icvpn/README.md create mode 100644 roles/service-bird-icvpn/handlers/main.yml create mode 100644 roles/service-bird-icvpn/meta/main.yml create mode 100644 roles/service-bird-icvpn/tasks/main.yml create mode 100644 roles/service-bird-icvpn/templates/icvpn_ipv4.conf.j2 create mode 100644 roles/service-bird-icvpn/templates/icvpn_ipv6.conf.j2 diff --git a/inventory/group_vars/all b/inventory/group_vars/all index effbd11..bc72b66 100644 --- a/inventory/group_vars/all +++ b/inventory/group_vars/all @@ -7,8 +7,8 @@ routing_tables: mwu: 41 internet: 61 -icvpn_ipv4_network: 10.207.0.0/16 -mwu_icvpn_ipv4_network: 10.207.37.0/24 +icvpn_ipv4_transfer_net: 10.207.0.0/16 +icvpn_ipv6_transfer_net: fec0::a:cf:0:0/96 bgp_loopback_net: 10.37.0.0/18 bgp_ipv4_transfer_net: 10.37.0.0/18 bgp_ipv6_transfer_net: fd37:b4dc:4b1e::/64 
diff --git a/playbooks/gateways.yml b/playbooks/gateways.yml index 9fd38ed..616cf0b 100755 --- a/playbooks/gateways.yml +++ b/playbooks/gateways.yml @@ -21,4 +21,5 @@ - network-fastd - network-ffrl - service-bird + - service-bird-icvpn - service-rclocal diff --git a/roles/server-basic/vars/main.yml b/roles/server-basic/vars/main.yml index 45cb744..5588e09 100644 --- a/roles/server-basic/vars/main.yml +++ b/roles/server-basic/vars/main.yml @@ -5,6 +5,7 @@ packages: - man-db - mlocate - mosh + - python3-yaml - sudo - sysfsutils - vim diff --git a/roles/service-bird-icvpn/README.md b/roles/service-bird-icvpn/README.md new file mode 100644 index 0000000..d999fc6 --- /dev/null +++ b/roles/service-bird-icvpn/README.md @@ -0,0 +1,19 @@ +# Ansible role service-bird-icvpn + +Diese Ansible role ergänzt die benötigte bird + bird6 Konfiguration für das Freifunk Intercity VPN. + +- installiert bird +- schreibt icvpn_ipv4.conf + icvpn_ipv6.conf +- schreibt initiale ICVPN peers config (nur wenn nicht vorhanden) +- schreibt initiale ICVPN ROA config (nur wenn nicht vorhanden) + +## Benötigte Variablen + +- Variable `icvpn_ipv4_transfer_net` # IPv4-Range des ICVPN Transfer Netzes +- Variable `icvpn_ipv6_transfer_net` # IPv6-Range des ICVPN Transfer Netzes +- Host Variable `magic` + +## Benötigte roles + +- git-repos +- service-bird diff --git a/roles/service-bird-icvpn/handlers/main.yml b/roles/service-bird-icvpn/handlers/main.yml new file mode 100644 index 0000000..1a37e5c --- /dev/null +++ b/roles/service-bird-icvpn/handlers/main.yml @@ -0,0 +1,28 @@ +--- +- name: reload bird4 + systemd: + name: bird + state: reloaded + become: true + +- name: reload bird6 + systemd: + name: bird6 + state: reloaded + become: true + +- name: set file attrs 4 + file: + path: /etc/bird/icvpn_ipv4_peers.conf + mode: 0640 + owner: bird + group: bird + become: true + +- name: set file attrs 6 + file: + path: /etc/bird/icvpn_ipv6_peers.conf + mode: 0640 + owner: bird + group: bird + become: true 
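Review bot: `set file attrs 4`/`6` are handlers, so the `0640 bird:bird` ownership of `icvpn_ipv{4,6}_peers.conf` is only applied at the end of the play; the file is first created by a root shell redirect with whatever the umask gives (commonly `0644`), and if the play aborts before handlers run it stays that way. A `file:` task placed directly after the generating task, or setting ownership in the shell command itself, makes the final mode independent of the play completing.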
diff --git a/roles/service-bird-icvpn/meta/main.yml b/roles/service-bird-icvpn/meta/main.yml new file mode 100644 index 0000000..ad1a852 --- /dev/null +++ b/roles/service-bird-icvpn/meta/main.yml @@ -0,0 +1,4 @@ +--- +dependencies: + - { role: git-repos } + - { role: service-bird } diff --git a/roles/service-bird-icvpn/tasks/main.yml b/roles/service-bird-icvpn/tasks/main.yml new file mode 100644 index 0000000..0570e41 --- /dev/null +++ b/roles/service-bird-icvpn/tasks/main.yml @@ -0,0 +1,41 @@ +--- +- name: write initial icvpn peers + shell: /usr/bin/python3 /home/admin/clones/icvpn-scripts/mkbgp -{{ item }} -f bird -x mwu -d ebgp_icvpn -s /home/admin/clones/icvpn-meta > /etc/bird/icvpn_ipv{{ item }}_peers.conf + args: + chdir: /home/admin/clones/icvpn-scripts + creates: /etc/bird/icvpn_ipv{{ item }}_peers.conf + notify: + - reload bird{{ item }} + - set file attrs {{ item }} + with_items: + - 4 + - 6 + become: true + +- name: write initial icvpn roa config + shell: /usr/bin/python3 /home/admin/clones/icvpn-scripts/mkroa -{{ item.key }} -f bird -x mwu -m {{ item.value.max_prefix }} -s /home/admin/clones/icvpn-meta > /etc/bird/icvpn_ipv{{ item.key }}_roa.conf + args: + chdir: /home/admin/clones/icvpn-scripts + creates: /etc/bird/icvpn_ipv{{ item.key }}_roa.conf + notify: + - reload bird{{ item.key }} + - set file attrs {{ item.key }} + with_dict: + 4: + max_prefix: 20 + 6: + max_prefix: 64 + become: true + +- name: write icvpn bird configuration + template: + src: icvpn_ipv{{ item }}.conf.j2 + dest: /etc/bird/icvpn_ipv{{ item }}.conf + mode: 0640 + owner: bird + group: bird + notify: reload bird{{ item }} + with_items: + - 4 + - 6 + become: true diff --git a/roles/service-bird-icvpn/templates/icvpn_ipv4.conf.j2 b/roles/service-bird-icvpn/templates/icvpn_ipv4.conf.j2 new file mode 100644 index 0000000..d5409db --- /dev/null +++ b/roles/service-bird-icvpn/templates/icvpn_ipv4.conf.j2 
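Review bot: In `write initial icvpn peers` and `write initial icvpn roa config` the redirection `> /etc/bird/icvpn_ipv{{ item }}_peers.conf` creates the target before `mkbgp` runs, so if the script fails the gateway is left with an empty or partial file that bird will `include`, and `creates:` then skips the task on every later run. Write to a temporary file and move it on success, e.g. `shell: /usr/bin/python3 … > /etc/bird/icvpn_ipv{{ item }}_peers.conf.tmp && mv /etc/bird/icvpn_ipv{{ item }}_peers.conf.tmp /etc/bird/icvpn_ipv{{ item }}_peers.conf`. Both tasks also execute code from `/home/admin/clones/icvpn-scripts` as root, and the git-repos role in this series clones that repository without a pinned `version`, so the checkout should be pinned before this runs on production gateways.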
@@ -0,0 +1,75 @@ +# +# {{ ansible_managed }} +# + +# Variables +define icvpn_address = {{ icvpn_ipv4_transfer_net | ipaddr('net') | ipsubnet(24, 37) | ipaddr(magic) | ipaddr('address') }}; + +# ROA +roa table roa_icvpn { + include "icvpn_ipv4_roa.con?"; +} + +# Filters +filter icvpn_import_filter { + if is_mwu_self_nets() then reject; + if is_chaosvpn() then accept; + if roa_check(roa_icvpn) = ROA_VALID then { + if is_freifunk() then accept; + if is_dn42() then accept; + } else { + if roa_check(roa_icvpn) = ROA_UNKNOWN then { + if is_dn42() then { + print "ROA UNKNOWN for dn42 net, accepting: ", net, " ASN: ", bgp_path.last; + accept; + } + if is_freifunk() then { + print "ROA UNKNOWN for freifunk net, accepting: ", net, " ASN: ", bgp_path.last; + accept; + } + } + if roa_check(roa_icvpn) = ROA_INVALID then { + if is_freifunk() then { + print "ROA INVALID for freifunk net, accept: ", net, " ASN: ", bgp_path.last; + accept; + } + } + reject; + } + reject; +} + +# Protocols +protocol kernel kernel_mwu { + scan time 30; + import none; + export filter { + if is_mwu_self_nets() then + reject; + krt_prefsrc = icvpn_address; + accept; + }; + kernel table ipt_icvpn; +}; + +# Templates +template bgp ebgp_icvpn { + local icvpn_address as mwu_as; + import keep filtered on; + import filter icvpn_import_filter; + export filter { + if is_mwu_self_nets() then { + accept; + } + if source = RTS_BGP then { + if is_freifunk() || is_dn42() then { + accept; + } + } + reject; + }; + direct; +} + +# Include ICVPN IPv4 peers +include "icvpn_ipv4_peers.con?"; diff --git a/roles/service-bird-icvpn/templates/icvpn_ipv6.conf.j2 b/roles/service-bird-icvpn/templates/icvpn_ipv6.conf.j2 new file mode 100644 index 0000000..eb41c3f --- /dev/null +++ b/roles/service-bird-icvpn/templates/icvpn_ipv6.conf.j2 
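Review bot: `icvpn_import_filter` accepts `ROA_INVALID` announcements for `is_freifunk()` nets (the `print "ROA INVALID … accept"` branch), so a prefix announced by an AS that the ICVPN ROA table explicitly says is not authorised is still installed and the ROA check degrades to a log line. If this is a deliberate transition measure it should be stated in a comment above the filter together with the condition for removing it; otherwise reject there, or at least lower `bgp_local_pref` in that branch so a valid announcement wins. `is_chaosvpn()` is likewise accepted before any ROA lookup — a one-line comment giving the reason (presumably no ROA data exists for those prefixes) would help the next reader.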
@@ -0,0 +1,67 @@ +# +# {{ ansible_managed }} +# + +# Variables +define icvpn_address = {{ icvpn_ipv6_transfer_net | ipaddr('net') | ipsubnet(112, 37) | ipaddr(magic) | ipaddr('address') }}; + +# ROA +roa table roa_icvpn { + include "icvpn_ipv6_roa.con?"; +} + +# Filters +filter icvpn_import_filter { + if is_mwu_self_nets() then reject; + if roa_check(roa_icvpn) = ROA_VALID then { + if is_ula() then accept; + } else { + if roa_check(roa_icvpn) = ROA_UNKNOWN then { + if is_ula() then { + print "ROA UNKNOWN for net, accepting: ", net, " ASN: ", bgp_path.last; + accept; + } + } + if roa_check(roa_icvpn) = ROA_INVALID then { + if is_ula() then { + print "ROA INVALID for net, accept: ", net, " ASN: ", bgp_path.last; + accept; + } + } + reject; + } + reject; +} + +# Protocols +protocol kernel kernel_mwu { + scan time 30; + import none; + export filter { + if is_mwu_self_nets() then + reject; + krt_prefsrc = icvpn_address; + accept; + }; + kernel table ipt_icvpn; +}; + +# Templates +template bgp ebgp_icvpn { + local icvpn_address as mwu_as; + import keep filtered on; + import filter icvpn_import_filter; + export filter { + if is_mwu_self_nets() then { + accept; + } + if source = RTS_BGP then { + accept; + } + reject; + }; + direct; +} + +# Include ICVPN IPv6 peers +include "icvpn_ipv6_peers.con?"; From 6792950fca067e4a39fc4cacac1681b3a7d47225 Mon Sep 17 00:00:00 2001 
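Review bot: The `ebgp_icvpn` export filter accepts every `source = RTS_BGP` route, whereas the IPv4 counterpart restricts re-export to `is_freifunk() || is_dn42()`; here the only thing keeping non-ULA routes out of ICVPN is the import side. Because iBGP peers are taken with `import all` in bird6.conf.j2, a misconfigured MWU gateway could inject a non-ULA route that this gateway then re-announces to its ICVPN neighbours. Mirroring the IPv4 filter with `if is_ula() then accept;` inside the `RTS_BGP` branch keeps the export policy self-contained.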
From: Tobias Hachmer Date: Mon, 11 Sep 2017 23:49:11 +0200 Subject: [PATCH 014/106] Add role service-bird-ffrl --- roles/service-bird-ffrl/README.md | 71 ++++++++++++++++ roles/service-bird-ffrl/handlers/main.yml | 12 +++ roles/service-bird-ffrl/meta/main.yml | 3 + roles/service-bird-ffrl/tasks/main.yml | 26 ++++++ .../templates/ffrl_ipv4.conf.j2 | 73 +++++++++++++++++ .../templates/ffrl_ipv4_peers.conf.j2 | 13 +++ .../templates/ffrl_ipv6.conf.j2 | 80 +++++++++++++++++++ .../templates/ffrl_ipv6_peers.conf.j2 | 13 +++ 8 files changed, 291 insertions(+) create mode 100644 roles/service-bird-ffrl/README.md create mode 100644 roles/service-bird-ffrl/handlers/main.yml create mode 100644 roles/service-bird-ffrl/meta/main.yml create mode 100644 roles/service-bird-ffrl/tasks/main.yml create mode 100644 roles/service-bird-ffrl/templates/ffrl_ipv4.conf.j2 create mode 100644 roles/service-bird-ffrl/templates/ffrl_ipv4_peers.conf.j2 create mode 100644 roles/service-bird-ffrl/templates/ffrl_ipv6.conf.j2 create mode 100644 roles/service-bird-ffrl/templates/ffrl_ipv6_peers.conf.j2 diff --git a/roles/service-bird-ffrl/README.md b/roles/service-bird-ffrl/README.md new file mode 100644 index 0000000..5bed19b --- /dev/null +++ b/roles/service-bird-ffrl/README.md 
@@ -0,0 +1,71 @@ +# Ansible role service-bird-ffrl + +Diese Ansible role ergänzt die benötigte bird + bird6 Konfiguration für den Internet-Uplink über Freifunk Rheinland. + +- schreibt ffrl_ipv4.conf + ffrl_ipv6.conf +- schreibt ffrl_ipv4_peers.conf + ffrl_ipv6_peers.conf + +## Benötigte Variablen + +- Variable `as_public_ffrl` # Public ASN Freifunk Rheinland +- Dictionary `meshes` +``` +meshes: + xx: +... + ipv6: + public: + - # Public IPv6-Netzwerk +``` +- Host Dictionary `ffrl_exit_server` +´´´ +ffrl_exit_server: + ffrl-a-ak-ber: + public_ipv4_address: 185.66.195.0 + tunnel_ipv4_network: # Tunnel-Netzwerk in CIDR + tunnel_ipv4_address: # Eigene Tunnel IPv4 Adresse + tunnel_ipv4_netmask: 255.255.255.254 + tunnel_ipv6_network: # IPv6 Transfernetz + tunnel_ipv6_netmask: 64 + ffrl-b-ak-ber: + public_ipv4_address: 185.66.195.1 + tunnel_ipv4_network: + tunnel_ipv4_address: + tunnel_ipv4_netmask: 255.255.255.254 + tunnel_ipv6_network: + tunnel_ipv6_netmask: 64 + ffrl-a-ix-dus: + public_ipv4_address: 185.66.193.0 + tunnel_ipv4_network: + tunnel_ipv4_address: + tunnel_ipv4_netmask: 255.255.255.254 + tunnel_ipv6_network: + tunnel_ipv6_netmask: 64 + ffrl-b-ix-dus: + public_ipv4_address: 185.66.193.1 + tunnel_ipv4_network: + tunnel_ipv4_address: + tunnel_ipv4_netmask: 255.255.255.254 + tunnel_ipv6_network: + tunnel_ipv6_netmask: 64 + ffrl-a-fra2-fra: + public_ipv4_address: 185.66.194.0 + tunnel_ipv4_network: + tunnel_ipv4_address: + tunnel_ipv4_netmask: 255.255.255.254 + tunnel_ipv6_network: + tunnel_ipv6_netmask: 64 + ffrl-b-fra2-fra: + public_ipv4_address: 185.66.194.1 + tunnel_ipv4_network: + tunnel_ipv4_address: + tunnel_ipv4_netmask: 255.255.255.254 + tunnel_ipv6_network: + tunnel_ipv6_netmask: 64 +´´´ +- Host Variable `ffrl_public_ipv4_nat` # IPv4 NAT Adresse für das Gateway +- Host Variable `magic` + +## Benötigte roles + +- service-bird 
diff --git a/roles/service-bird-ffrl/handlers/main.yml b/roles/service-bird-ffrl/handlers/main.yml new file mode 100644 index 0000000..6a31b7b --- /dev/null +++ b/roles/service-bird-ffrl/handlers/main.yml @@ -0,0 +1,12 @@ +--- +- name: reload bird4 + systemd: + name: bird + state: reloaded + become: true + +- name: reload bird6 + systemd: + name: bird6 + state: reloaded + become: true diff --git a/roles/service-bird-ffrl/meta/main.yml b/roles/service-bird-ffrl/meta/main.yml new file mode 100644 index 0000000..04e04b1 --- /dev/null +++ b/roles/service-bird-ffrl/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - { role: service-bird } diff --git a/roles/service-bird-ffrl/tasks/main.yml b/roles/service-bird-ffrl/tasks/main.yml new file mode 100644 index 0000000..6c27749 --- /dev/null +++ b/roles/service-bird-ffrl/tasks/main.yml @@ -0,0 +1,26 @@ +--- +- name: write ffrl bird configuration + template: + src: ffrl_ipv{{ item }}.conf.j2 + dest: /etc/bird/ffrl_ipv{{ item }}.conf + mode: 0640 + owner: bird + group: bird + notify: reload bird{{ item }} + with_items: + - 4 + - 6 + become: true + +- name: write ffrl peer configuration + template: + src: ffrl_ipv{{ item }}_peers.conf.j2 + dest: /etc/bird/ffrl_ipv{{ item }}_peers.conf + mode: 0640 + owner: bird + group: bird + notify: reload bird{{ item }} + with_items: + - 4 + - 6 + become: true diff --git a/roles/service-bird-ffrl/templates/ffrl_ipv4.conf.j2 b/roles/service-bird-ffrl/templates/ffrl_ipv4.conf.j2 new file mode 100644 index 0000000..ba7c5b3 --- /dev/null +++ b/roles/service-bird-ffrl/templates/ffrl_ipv4.conf.j2 
@@ -0,0 +1,73 @@ +# +# {{ ansible_managed }} +# + +# Variables +define ffrl_as = {{ as_public_ffrl }}; +define ffrl_nat_address = {{ ffrl_public_ipv4_nat }}; + +# Routing Table +table ffrl; + +# Functions +function is_ffrl_nat() { + return net ~ [ + {{ ffrl_public_ipv4_nat }} + ]; +} + +function is_ffrl_tunnel_nets() { + return net ~ [ +{% for peer_id, peer_value in ffrl_exit_server.iteritems() %} + {{ peer_value.tunnel_ipv4_network }}{{ "," if not loop.last else "" }} +{% endfor %} + ]; +} + +# Filters +filter ebgp_ffrl_import_filter { + if is_default() then accept; + reject; +} + +filter ebgp_ffrl_export_filter { + if is_ffrl_nat() then accept; + reject; +} + +# Protocols +protocol static ffrl_uplink_hostroute { + table ffrl; + route {{ ffrl_public_ipv4_nat }}/32 reject; +} + +protocol direct ffrl_tunnels { + table ffrl; + interface "ffrl-*"; + import where is_ffrl_tunnel_nets(); +} + +protocol kernel kernel_ffrl { + scan time 30; + import none; + export filter { + krt_prefsrc = ffrl_nat_address; + accept; + }; + table ffrl; + kernel table ipt_internet; +}; + +# Templates +template bgp ffrl_uplink { + table ffrl; + local as mwu_as; + import keep filtered; + import filter ebgp_ffrl_import_filter; + export filter ebgp_ffrl_export_filter; + next hop self; + direct; +}; + +# Include FFRL IPv4 peers +include "ffrl_ipv4_peers.con?"; diff --git a/roles/service-bird-ffrl/templates/ffrl_ipv4_peers.conf.j2 b/roles/service-bird-ffrl/templates/ffrl_ipv4_peers.conf.j2 new file mode 100644 index 0000000..da21eb1 --- /dev/null +++ b/roles/service-bird-ffrl/templates/ffrl_ipv4_peers.conf.j2 @@ -0,0 +1,13 @@ +# +# {{ ansible_managed }} +# + +{% for peer_id, peer_value in ffrl_exit_server.iteritems() %} +protocol bgp {{ peer_id }} from ffrl_uplink { + source address {{ peer_value.tunnel_ipv4_address | ipaddr('address') }}; + neighbor {{ peer_value.tunnel_ipv4_network | ipaddr('address') }} as ffrl_as; +}; +{% if not loop.last %} + +{% endif %} +{% endfor %} 
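Review bot: `is_ffrl_nat()` puts `{{ ffrl_public_ipv4_nat }}` into a prefix set as-is, while `ffrl_uplink_hostroute` appends `/32` to the same variable; the README documents it as a bare NAT address, so the set element would be rendered without a prefix length. Check the rendered file with `bird -p`; if it does not parse, `{{ ffrl_public_ipv4_nat }}/32` is the intended element and the export filter currently rejects the very route it is meant to announce. `import keep filtered;` without a switch reads as valid under bird 1.x's optional-bool syntax but differs from the `import keep filtered on;` used in the service-bird templates — pick one form.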
diff --git a/roles/service-bird-ffrl/templates/ffrl_ipv6.conf.j2 b/roles/service-bird-ffrl/templates/ffrl_ipv6.conf.j2 new file mode 100644 index 0000000..05541fd --- /dev/null +++ b/roles/service-bird-ffrl/templates/ffrl_ipv6.conf.j2 @@ -0,0 +1,80 @@ +# +# {{ ansible_managed }} +# + +# Variables +define ffrl_as = {{ as_public_ffrl }}; + +# Routing Table +table ffrl; + +# Functions +function is_ffrl_public_nets() { + return net ~ [ +{% for mesh_id, mesh_value in meshes.iteritems() %} +{% for prefix in mesh_value.ipv6.public %} + {{ prefix }}{48,56}{{ "," if not loop.last else "" }}{% endfor %}{{ "," if not loop.last else "" }} +{% endfor %} + ]; +} + +function is_ffrl_tunnel_nets() { + return net ~ [ +{% for peer_id, peer_value in ffrl_exit_server.iteritems() %} + {{ peer_value.tunnel_ipv6_network }}{{ "," if not loop.last else "" }} +{% endfor %} + ]; +} + +# Filters +filter ebgp_ffrl_import_filter { + if is_default() then accept; + reject; +} + +filter ebgp_ffrl_export_filter { + if is_ffrl_public_nets() then accept; + reject; +} + +# Protocols +protocol static ffrl_public_routes { + table ffrl; +{% for mesh_id, mesh_value in meshes.iteritems() %} +{% for prefix in mesh_value.ipv6.public %} + route {{ prefix }} reject; + route {{ prefix | ipaddr('net') | ipsubnet(56, magic) | ipaddr('network') }} reject; +{% endfor %} +{% endfor %} +} + +protocol direct ffrl_tunnels { + table ffrl; + interface "ffrl-*"; + import where is_ffrl_tunnel_nets(); +} + +protocol kernel kernel_ffrl { + scan time 30; + import none; + export filter { + if is_default() then accept; + reject; + }; + table ffrl; + kernel table ipt_internet; +}; + +# Templates +template bgp ffrl_uplink { + table ffrl; + local as mwu_as; + import keep filtered; + import filter ebgp_ffrl_import_filter; + export filter ebgp_ffrl_export_filter; + next hop self; + direct; +}; + +# Include FFRL IPv4 peers +include "ffrl_ipv6_peers.con?"; 
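Review bot: `route {{ prefix | ipaddr('net') | ipsubnet(56, magic) | ipaddr('network') }} reject;` in `ffrl_public_routes` ends with `ipaddr('network')`, which returns the network address without its length, so the rendered line is most likely `route 2001:db8:…:: reject;` where bird expects a prefix; ending the chain with `ipaddr('net')` instead keeps the `/56`. Verify the rendered output before relying on that route being exported to FFRL. The comment before the last include reads `# Include FFRL IPv4 peers` but includes `ffrl_ipv6_peers.con?`.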
diff --git a/roles/service-bird-ffrl/templates/ffrl_ipv6_peers.conf.j2 b/roles/service-bird-ffrl/templates/ffrl_ipv6_peers.conf.j2 new file mode 100644 index 0000000..98e776c --- /dev/null +++ b/roles/service-bird-ffrl/templates/ffrl_ipv6_peers.conf.j2 @@ -0,0 +1,13 @@ +# +# {{ ansible_managed }} +# + +{% for peer_id, peer_value in ffrl_exit_server.iteritems() %} +protocol bgp {{ peer_id }} from ffrl_uplink { + source address {{ peer_value.tunnel_ipv6_network | ipaddr('net') | ipaddr('2') | ipaddr('address') }}; + neighbor {{ peer_value.tunnel_ipv6_network | ipaddr('net') | ipaddr('1') | ipaddr('address') }} as ffrl_as; +}; +{% if not loop.last %} + +{% endif %} +{% endfor %} From 951ab924a5defbda3e14c38867c8f11ec65d0175 Mon Sep 17 00:00:00 2001 
From: n0trax Date: Sun, 17 Sep 2017 10:11:45 +0200 Subject: [PATCH 015/106] Set 'become' default to True (#7) --- ansible.cfg | 4 ++++ roles/ffmwu-bird/tasks/main.yml | 2 -- roles/ffmwu-build/tasks/packages.yml | 5 ----- roles/ffmwu-build/tasks/rsyncd.yml | 3 --- roles/ffmwu-build/tasks/web.yml | 13 ------------- roles/ffmwu-meshing/tasks/fastd.yml | 1 - roles/ffmwu-server/tasks/main.yml | 3 --- roles/git-fastd-peers/tasks/main.yml | 3 --- roles/kmod-batman/tasks/main.yml | 2 -- roles/network-batman/tasks/main.yml | 3 --- roles/network-fastd/tasks/main.yml | 2 -- roles/network-ffrl/tasks/main.yml | 1 - roles/network-meshbridge/tasks/main.yml | 2 -- roles/network-routetables/tasks/main.yml | 1 - roles/packages/tasks/main.yml | 4 ---- roles/prerequisites/tasks/main.yml | 1 - roles/server-basic/tasks/main.yml | 3 --- roles/server-repos/tasks/main.yml | 4 ---- roles/service-bird/tasks/main.yml | 4 ---- roles/service-dhcpd/tasks/main.yml | 5 ----- roles/service-fastd-intragate/tasks/main.yml | 4 ---- roles/service-fastd-mesh/tasks/main.yml | 4 ---- roles/service-haveged/tasks/main.yml | 2 -- roles/service-ntpd/tasks/main.yml | 3 --- roles/service-radvd/tasks/main.yml | 3 --- roles/service-rclocal/tasks/main.yml | 2 -- 26 files changed, 4 insertions(+), 80 deletions(-) diff --git a/ansible.cfg b/ansible.cfg index b330c5c..ea9a9df 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -3,8 +3,12 @@ inventory = ./inventory retry_files_enabled = False #vault_password_file = ~/.ansible/vault-password-file remote_tmp = $HOME/ansible_tmp +remote_user = admin ansible_managed = Ansible managed - don't edit this file! roles_path = ./roles +[privilege_escalation] +become=True + #[ssh_connection] #pipelining = True diff --git a/roles/ffmwu-bird/tasks/main.yml b/roles/ffmwu-bird/tasks/main.yml index be1ba94..cd2807e 100644 --- a/roles/ffmwu-bird/tasks/main.yml +++ b/roles/ffmwu-bird/tasks/main.yml 
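Review bot: `become=True` under `[privilege_escalation]` applies to every task without an explicit `become`, not only to the ones whose `become: true` this commit removes; tasks that were deliberately unprivileged — the git clone into `/home/admin/clones` in the git-repos role and the `grep IdentityFile ~/.ssh/config` lookup in ffmwu-meshing — now run as root, and `~` then resolves to `/root`. Those tasks need an explicit `become: false`, and it is worth grepping the roles for `~`, `$HOME` and `/home/admin` after this change. A comment above the new section noting that the default is root and that unprivileged tasks must opt out would save the next contributor the same surprise.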
@@ -7,7 +7,6 @@ owner: admin group: bird mode: 0750 - become: yes - name: standardise file ownerships file: @@ -16,7 +15,6 @@ owner: admin group: bird mode: 0750 - become: yes with_items: - /etc/bird/bird.conf - /etc/bird/mwu_peers_v4.inc diff --git a/roles/ffmwu-build/tasks/packages.yml b/roles/ffmwu-build/tasks/packages.yml index 6838671..71b26b5 100644 --- a/roles/ffmwu-build/tasks/packages.yml +++ b/roles/ffmwu-build/tasks/packages.yml @@ -4,7 +4,6 @@ repo: 'deb https://repo.universe-factory.net/debian/ sid main' state: present filename: 'neoraider' - become: true notify: update apt cache - name: add apt repository of freifunk-mwu @@ -12,7 +11,6 @@ repo: 'deb http://repo.freifunk-mwu.de/debian/ jessie main' state: present filename: 'ffmwu' - become: true notify: update apt cache - name: add apt-key of neoraider @@ -20,14 +18,12 @@ keyserver: keyserver.ubuntu.com id: 16EF3F64CB201D9C state: present - become: true notify: update apt cache - name: add apt-key of freifunk-mwu package sigs apt_key: url: http://repo.freifunk-mwu.de/83A70084.gpg.key state: present - become: true notify: update apt cache - name: install needed packages for build-server @@ -50,4 +46,3 @@ - subversion - unzip - zlib1g-dev - become: true diff --git a/roles/ffmwu-build/tasks/rsyncd.yml b/roles/ffmwu-build/tasks/rsyncd.yml index 208fd74..bc838e7 100644 --- a/roles/ffmwu-build/tasks/rsyncd.yml +++ b/roles/ffmwu-build/tasks/rsyncd.yml @@ -4,18 +4,15 @@ src: rsyncd.conf dest: /etc/rsyncd.conf mode: 0640 - become: true - name: install rsnyc systemd unit copy: src: rsync.service dest: /etc/systemd/system/ mode: 0644 - become: true - name: ensure rsync is started on boot as a daemon systemd: name: rsync state: started enabled: True - become: true diff --git a/roles/ffmwu-build/tasks/web.yml b/roles/ffmwu-build/tasks/web.yml index 311865b..710f607 100644 --- a/roles/ffmwu-build/tasks/web.yml +++ b/roles/ffmwu-build/tasks/web.yml 
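Review bot: `add apt-key of freifunk-mwu package sigs` fetches the signing key from `url: http://repo.freifunk-mwu.de/83A70084.gpg.key` and the matching repository line is also plain `http://`, so anyone who can tamper with that download supplies their own key and from then on their own packages — the key bootstrap authenticates nothing. Ship the key in the role's `files/` and install it with `apt_key: data: "{{ lookup('file', '83A70084.gpg.key') }}"`, or at minimum switch both to `https://` (the neoraider repository line already uses it). The neoraider key is pulled from `keyserver.ubuntu.com` by a 64-bit `id`, which is better but still worth replacing with the full fingerprint. This commit only drops `become: true` here, so the issue is pre-existing, but it is the most security-relevant line in this role.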
@@ -5,13 +5,11 @@ owner: admin group: admin recurse: yes - become: true - name: enable apache module ssl apache2_module: state: present name: ssl - become: true notify: - check apache syntax - restart systemd unit apache2 @@ -20,7 +18,6 @@ command: /usr/sbin/a2dissite 000-default args: removes: /etc/apache2/sites-enabled/000-default.conf - become: true notify: - check apache syntax - restart systemd unit apache2 @@ -29,7 +26,6 @@ command: /usr/sbin/a2dissite default-ssl args: removes: /etc/apache2/sites-enabled/default-ssl.conf - become: true notify: - check apache syntax - restart systemd unit apache2 @@ -38,7 +34,6 @@ command: /usr/sbin/a2disconf other-vhosts-access-log args: removes: /etc/apache2/conf-enabled/other-vhosts-access-log.conf - become: true notify: - check apache syntax - restart systemd unit apache2 @@ -49,7 +44,6 @@ regexp: '^([\s\t]+)?SSLCipherSuite' line: "SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" state: present - become: true notify: - check apache syntax - restart systemd unit apache2 @@ -60,7 +54,6 @@ regexp: '^([\s\t]+)?SSLProtocol' line: "SSLProtocol all -SSLv2 -SSLv3" state: present - become: true notify: - check apache syntax - restart systemd unit apache2 
@@ -71,7 +64,6 @@ regexp: "^ServerTokens" line: "ServerTokens Prod" state: present - become: true notify: - check apache syntax - restart systemd unit apache2 @@ -82,7 +74,6 @@ regexp: "^ServerSignature" line: "ServerSignature EMail" state: present - become: true notify: - check apache syntax - restart systemd unit apache2 @@ -91,7 +82,6 @@ template: src: ffmwu-default-http.conf.j2 dest: /etc/apache2/sites-available/ffmwu-default-http.conf - become: true notify: - check apache syntax - restart systemd unit apache2 @@ -100,7 +90,6 @@ template: src: ffmwu-default-https.conf.j2 dest: /etc/apache2/sites-available/ffmwu-default-https.conf - become: true notify: - check apache syntax - restart systemd unit apache2 @@ -109,7 +98,6 @@ command: /usr/sbin/a2ensite ffmwu-default-http args: creates: /etc/apache2/sites-enabled/ffmwu-default-http.conf - become: true notify: - check apache syntax - restart systemd unit apache2 @@ -118,7 +106,6 @@ command: /usr/sbin/a2ensite ffmwu-default-https args: creates: /etc/apache2/sites-enabled/ffmwu-default-https.conf - become: true notify: - check apache syntax - restart systemd unit apache2 diff --git a/roles/ffmwu-meshing/tasks/fastd.yml b/roles/ffmwu-meshing/tasks/fastd.yml index 3a212bb..623339e 100644 --- a/roles/ffmwu-meshing/tasks/fastd.yml +++ b/roles/ffmwu-meshing/tasks/fastd.yml @@ -2,7 +2,6 @@ - name: ensure correct ownership of /etc/fastd file: path=/etc/fastd state=directory mode=0750 owner=admin group=admin - become: True - name: find ssh keyfile name for use with git shell: grep IdentityFile ~/.ssh/config | awk '{print $2}' diff --git a/roles/ffmwu-server/tasks/main.yml b/roles/ffmwu-server/tasks/main.yml index 265cd6e..07e8678 100644 --- a/roles/ffmwu-server/tasks/main.yml +++ b/roles/ffmwu-server/tasks/main.yml 
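Review bot: With the new repo-wide `become=True` default, the context task `find ssh keyfile name for use with git` (`shell: grep IdentityFile ~/.ssh/config | awk '{print $2}'`) now runs as root, so `~` resolves to /root rather than the admin user's home that the old per-task `become: True` on the neighbouring task left alone. Add `become: false` to that task, or point it at `/home/admin/.ssh/config` explicitly, so the key path it discovers still belongs to the admin user. The task continues outside the hunk, so whatever consumes its result is not visible here.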
@@ -10,7 +10,6 @@ - block: - name: ensure needed system users are present user: name=admin comment="Freifunk MWU Admin" shell=/bin/bash state=present - become: True - name: ensure all wanted ssh keys exclusively authorized_key: exclusive=True state=present user=admin @@ -18,11 +17,9 @@ - name: ensure vim is default editor alternatives: name=editor path=/usr/bin/vim.basic - become: True - name: set timezone to Europe/Berlin timezone: name=Europe/Berlin - become: True when: (ansible_managed_server is defined) and (ansible_managed_server) # end block diff --git a/roles/git-fastd-peers/tasks/main.yml b/roles/git-fastd-peers/tasks/main.yml index d3086dd..5a1ffa0 100644 --- a/roles/git-fastd-peers/tasks/main.yml +++ b/roles/git-fastd-peers/tasks/main.yml @@ -5,7 +5,6 @@ state: present with_items: - git - become: true - name: create fastd peer mesh directories file: @@ -15,7 +14,6 @@ owner: admin group: admin with_dict: "{{ meshes }}" - become: true - name: create fastd peer intragate directories file: @@ -25,7 +23,6 @@ owner: admin group: admin with_dict: "{{ meshes }}" - become: true - name: clone fastd peer mesh repos git: diff --git a/roles/kmod-batman/tasks/main.yml b/roles/kmod-batman/tasks/main.yml index 1ee26f7..15fe652 100644 --- a/roles/kmod-batman/tasks/main.yml +++ b/roles/kmod-batman/tasks/main.yml @@ -9,10 +9,8 @@ - linux-headers-amd64 - batman-adv-dkms - batctl - become: true - name: configure batman module to load on system boot template: src: batman-adv.module.conf.j2 dest: /etc/modules-load.d/batman-adv.conf - become: true diff --git a/roles/network-batman/tasks/main.yml b/roles/network-batman/tasks/main.yml index bc0ff67..9e181cb 100644 --- a/roles/network-batman/tasks/main.yml +++ b/roles/network-batman/tasks/main.yml 
@@ -4,14 +4,12 @@ src: dummy.j2 dest: "/etc/network/interfaces.d/{{ item.key }}0" with_dict: "{{ meshes }}" - become: true - name: create batman interfaces template: src: batman.j2 dest: "/etc/network/interfaces.d/{{ item.key }}BAT" with_dict: "{{ meshes }}" - become: true - name: set sysfs variables template: @@ -19,4 +17,3 @@ dest: "/etc/sysfs.d/99-{{ item.key }}BAT.conf" with_dict: "{{ meshes }}" notify: activate sysfs variables - become: true diff --git a/roles/network-fastd/tasks/main.yml b/roles/network-fastd/tasks/main.yml index 1474772..978d76d 100644 --- a/roles/network-fastd/tasks/main.yml +++ b/roles/network-fastd/tasks/main.yml @@ -4,11 +4,9 @@ src: fastd-mesh.j2 dest: "/etc/network/interfaces.d/{{ item.key }}VPN" with_dict: "{{ meshes }}" - become: true - name: create fastd intragate interfaces template: src: fastd-intragate.j2 dest: "/etc/network/interfaces.d/{{ item.key }}igVPN" with_dict: "{{ meshes }}" - become: true diff --git a/roles/network-ffrl/tasks/main.yml b/roles/network-ffrl/tasks/main.yml index 439c2de..13c7fd0 100644 --- a/roles/network-ffrl/tasks/main.yml +++ b/roles/network-ffrl/tasks/main.yml @@ -4,4 +4,3 @@ src: ffrl.j2 dest: "/etc/network/interfaces.d/{{ item.key }}" with_dict: "{{ ffrl_exit_server }}" - become: true diff --git a/roles/network-meshbridge/tasks/main.yml b/roles/network-meshbridge/tasks/main.yml index 06ea01b..3b360e3 100644 --- a/roles/network-meshbridge/tasks/main.yml +++ b/roles/network-meshbridge/tasks/main.yml @@ -4,7 +4,6 @@ src: bridge.j2 dest: "/etc/network/interfaces.d/{{ item.key }}BR" with_dict: "{{ meshes }}" - become: true - name: set sysfs variables template: @@ -12,4 +11,3 @@ dest: "/etc/sysfs.d/99-{{ item.key }}BR.conf" with_dict: "{{ meshes }}" notify: activate sysfs variables - become: true diff --git a/roles/network-routetables/tasks/main.yml b/roles/network-routetables/tasks/main.yml index ba14fc9..d816c2f 100644 --- a/roles/network-routetables/tasks/main.yml 
+++ b/roles/network-routetables/tasks/main.yml @@ -6,4 +6,3 @@ line: "{{ item.value }}{{ '\t' }}{{ item.key }}" state: present with_dict: "{{ routing_tables }}" - become: true diff --git a/roles/packages/tasks/main.yml b/roles/packages/tasks/main.yml index 62beb1d..81c049c 100644 --- a/roles/packages/tasks/main.yml +++ b/roles/packages/tasks/main.yml @@ -21,7 +21,6 @@ with_items: "{{ (pkg_repo_list|default({})).repo_keys | default([]) }}" loop_control: loop_var: pkg_item - become: True # see defaults in with - when: (pkg_repo_list is defined) and (pkg_repo_list.repo_keys is defined) - name: ensure defined apt repos @@ -33,7 +32,6 @@ with_items: "{{ (pkg_repo_list|default({})).repos | default([]) }}" loop_control: loop_var: pkg_item - become: True # see defaults in with - when: (pkg_repo_list is defined) and (pkg_repo_list.repos is defined) # see defaults in with - when: pkg_repo_list is defined @@ -48,7 +46,6 @@ with_items: "{{meshing_pkg_pkg_list | default([])}}" loop_control: loop_var: mwu_m_item - become: True # see default in with - when: meshing_pkg_pkg_list is defined - name: ensure defined python libs @@ -56,7 +53,6 @@ with_items: "{{meshing_pkg_pip_list | default([])}}" loop_control: loop_var: mwu_m_item - become: True # see default in with - when: meshing_pkg_pip_list is defined when: (really_do is defined) and (really_do) diff --git a/roles/prerequisites/tasks/main.yml b/roles/prerequisites/tasks/main.yml index 6ec8837..b5f19bc 100755 --- a/roles/prerequisites/tasks/main.yml +++ b/roles/prerequisites/tasks/main.yml @@ -11,4 +11,3 @@ - name: Test root access for admin account command: "true" changed_when: False - become: True diff --git a/roles/server-basic/tasks/main.yml b/roles/server-basic/tasks/main.yml index f5e28b4..a33f925 100644 --- a/roles/server-basic/tasks/main.yml +++ b/roles/server-basic/tasks/main.yml 
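Review bot: The task `Test root access for admin account` exists to prove that privilege escalation works, but after dropping its `become: True` it only escalates when the ansible.cfg default is in force; run with `ANSIBLE_BECOME=false` or a play-level `become: false` and `command: "true"` succeeds as the unprivileged login user, reporting a green check that never tested root. Keep the escalation explicit on this one task, `become: true` (optionally `become_user: root`), so the prerequisite check does not depend on a config default it is supposed to validate.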
@@ -6,15 +6,12 @@ update_cache: yes cache_valid_time: 21600 with_items: "{{ packages }}" - become: true - name: ensure vim is default editor alternatives: name: editor path: /usr/bin/vim.basic - become: true - name: set timezone to Europe/Berlin timezone: name: Europe/Berlin - become: true diff --git a/roles/server-repos/tasks/main.yml b/roles/server-repos/tasks/main.yml index c7a6724..016900d 100644 --- a/roles/server-repos/tasks/main.yml +++ b/roles/server-repos/tasks/main.yml @@ -8,21 +8,18 @@ with_items: - dirmngr - apt-transport-https - become: true - name: ensure apt key for universe-factory is present apt_key: state: present id: 16ef3f64cb201d9c keyserver: pgp.mit.edu - become: true - name: ensure apt key for freifunk-mwu is present apt_key: state: present id: 83A70084 url: "http://repo.freifunk-mwu.de/83A70084.gpg.key" - become: true - name: ensure needed apt repos are present apt_repository: @@ -31,4 +28,3 @@ update_cache: "{{ item.update_cache }}" filename: "{{ item.name }}" with_items: "{{ repos }}" - become: true diff --git a/roles/service-bird/tasks/main.yml b/roles/service-bird/tasks/main.yml index 152a1ee..822b130 100644 --- a/roles/service-bird/tasks/main.yml +++ b/roles/service-bird/tasks/main.yml @@ -7,7 +7,6 @@ with_items: - bird-bgp - bird-doc - become: true - name: write bird configuration template: @@ -20,7 +19,6 @@ with_items: - "" - 6 - become: true - name: configure mwu peers template: @@ -33,7 +31,6 @@ with_items: - 4 - 6 - become: true - name: enable + start systemd units bird + bird6 systemd: @@ -43,4 +40,3 @@ with_items: - "" - 6 - become: true diff --git a/roles/service-dhcpd/tasks/main.yml b/roles/service-dhcpd/tasks/main.yml index b958b4f..9430dd6 100644 --- a/roles/service-dhcpd/tasks/main.yml +++ b/roles/service-dhcpd/tasks/main.yml 
@@ -3,14 +3,12 @@ apt: name: isc-dhcp-server state: present - become: true - name: enable systemd unit isc-dhcp-server systemd: name: isc-dhcp-server enabled: yes daemon_reload: yes - become: true - name: concatenate meshbridge interfaces set_fact: @@ -22,18 +20,15 @@ regexp: '^INTERFACESv4="' line: 'INTERFACESv4="{{ dhcp_interfaces }}"' notify: restart isc dhcp server - become: true - name: set ipv6 interfaces isc dhcp should listen on lineinfile: path: /etc/default/isc-dhcp-server regexp: '^INTERFACESv6="' line: 'INTERFACESv6=""' - become: true - name: configure isc dhcp server template: src: dhcpd.conf.j2 dest: /etc/dhcp/dhcpd.conf # notify: restart isc dhcp server - become: true diff --git a/roles/service-fastd-intragate/tasks/main.yml b/roles/service-fastd-intragate/tasks/main.yml index 9284cf1..4228108 100644 --- a/roles/service-fastd-intragate/tasks/main.yml +++ b/roles/service-fastd-intragate/tasks/main.yml @@ -3,7 +3,6 @@ apt: name: fastd state: present - become: true - name: create fastd intragate directories file: @@ -11,18 +10,15 @@ state: directory mode: 0755 with_dict: "{{ meshes }}" - become: true - name: template fastd mesh config template: src: fastd-intragate.conf.j2 dest: "/etc/fastd/{{ item.key }}igVPN/fastd.conf" with_dict: "{{ meshes }}" - become: true - name: write fastd intragate secret template: src: fastd-secret.conf.j2 dest: "/etc/fastd/{{ item.key }}igVPN/secret.conf" with_dict: "{{ meshes }}" - become: true diff --git a/roles/service-fastd-mesh/tasks/main.yml b/roles/service-fastd-mesh/tasks/main.yml index dc377de..cf0036a 100644 --- a/roles/service-fastd-mesh/tasks/main.yml +++ b/roles/service-fastd-mesh/tasks/main.yml @@ -3,7 +3,6 @@ apt: name: fastd state: present - become: true - name: create fastd directories file: 
@@ -11,18 +10,15 @@ state: directory mode: 0755 with_dict: "{{ meshes }}" - become: true - name: template fastd mesh config template: src: fastd-mesh.conf.j2 dest: "/etc/fastd/{{ item.key }}VPN/fastd.conf" with_dict: "{{ meshes }}" - become: true - name: write fastd mesh secret template: src: fastd-secret.conf.j2 dest: "/etc/fastd/{{ item.key }}VPN/secret.conf" with_dict: "{{ meshes }}" - become: true diff --git a/roles/service-haveged/tasks/main.yml b/roles/service-haveged/tasks/main.yml index 3e3f5a7..d57f916 100644 --- a/roles/service-haveged/tasks/main.yml +++ b/roles/service-haveged/tasks/main.yml @@ -4,11 +4,9 @@ name: haveged state: present notify: reload systemd - become: true - name: start and enable systemd unit haveged systemd: name: haveged enabled: yes state: started - become: true diff --git a/roles/service-ntpd/tasks/main.yml b/roles/service-ntpd/tasks/main.yml index 907c8ae..50cabca 100644 --- a/roles/service-ntpd/tasks/main.yml +++ b/roles/service-ntpd/tasks/main.yml @@ -4,7 +4,6 @@ name: systemd-timesyncd enabled: no state: stopped - become: true - name: install ntp packages apt: @@ -17,7 +16,6 @@ - ntp-doc - ntpdate - ntpstat - become: true - name: enable and start ntp daemon systemd: @@ -25,4 +23,3 @@ enabled: yes state: started daemon_reload: yes - become: true diff --git a/roles/service-radvd/tasks/main.yml b/roles/service-radvd/tasks/main.yml index 71d1521..42c4ba7 100644 --- a/roles/service-radvd/tasks/main.yml +++ b/roles/service-radvd/tasks/main.yml @@ -3,18 +3,15 @@ apt: name: radvd state: present - become: true - name: enable systemd unit radvd systemd: name: radvd enabled: yes daemon_reload: yes - become: true - name: configure radvd template: src: radvd.conf.j2 dest: /etc/radvd.conf #notify: restart radvd - become: true diff --git a/roles/service-rclocal/tasks/main.yml b/roles/service-rclocal/tasks/main.yml index 8a161f4..1400aa1 100644 --- a/roles/service-rclocal/tasks/main.yml +++ b/roles/service-rclocal/tasks/main.yml 
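Review bot: `write fastd mesh secret` templates the private key into `/etc/fastd/{{ item.key }}VPN/secret.conf` with no `mode`, so the file gets default-umask permissions (typically world-readable) inside a directory the task above creates with `mode: 0755`; a fastd private key should be `mode: 0600`. Because the template body is the secret itself, also add `no_log: true` so `--diff`/verbose runs do not print it to the console or logs. The same two lines apply to `write fastd intragate secret` in the previous file.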
@@ -4,10 +4,8 @@ src: rc.local.j2 dest: /etc/rc.local mode: 0755 - become: true - name: enable systemd unit rc.local systemd: name: rc.local enabled: yes - become: true From 1c928881fcc9761b598a56898b7a05868f15886d Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Sun, 17 Sep 2017 14:43:54 +0200 Subject: [PATCH 016/106] Retouch tasks due to 'become' defaults to True --- roles/ffmwu-build/handlers/main.yml | 3 --- roles/ffmwu-build/tasks/git-repos.yml | 1 + roles/git-fastd-peers/tasks/main.yml | 2 ++ roles/git-repos/tasks/main.yml | 3 +-- roles/localtestvm/tasks/loctevm-provide-prereq.inc.yml | 5 +---- roles/network-batman/handlers/main.yml | 1 - roles/network-meshbridge/handlers/main.yml | 1 - roles/service-bird-ffrl/handlers/main.yml | 2 -- roles/service-bird-ffrl/tasks/main.yml | 2 -- roles/service-bird-icvpn/handlers/main.yml | 4 ---- roles/service-bird-icvpn/tasks/main.yml | 3 --- roles/service-bird/handlers/main.yml | 3 --- roles/service-dhcpd/handlers/main.yml | 1 - roles/service-haveged/handlers/main.yml | 1 - 14 files changed, 5 insertions(+), 27 deletions(-) diff --git a/roles/ffmwu-build/handlers/main.yml b/roles/ffmwu-build/handlers/main.yml index 7996492..fc9d637 100644 --- a/roles/ffmwu-build/handlers/main.yml +++ b/roles/ffmwu-build/handlers/main.yml @@ -1,15 +1,12 @@ --- - name: check apache syntax command: /usr/sbin/apachectl -t - become: true - name: restart systemd unit apache2 systemd: name: apache2 state: restarted - become: true - name: update apt cache apt: update_cache: yes - become: true diff --git a/roles/ffmwu-build/tasks/git-repos.yml b/roles/ffmwu-build/tasks/git-repos.yml index 52f1d4d..daeeb16 100644 --- a/roles/ffmwu-build/tasks/git-repos.yml +++ b/roles/ffmwu-build/tasks/git-repos.yml @@ -4,3 +4,4 @@ repo: https://github.com/freifunk-mwu/sites-ffmwu.git dest: /home/admin/clones/sites-ffmwu version: stable + become: false 
diff --git a/roles/git-fastd-peers/tasks/main.yml b/roles/git-fastd-peers/tasks/main.yml index 5a1ffa0..3339069 100644 --- a/roles/git-fastd-peers/tasks/main.yml +++ b/roles/git-fastd-peers/tasks/main.yml @@ -30,6 +30,7 @@ dest: "/etc/fastd/{{ item.key }}VPN/peers" update: no with_dict: "{{ meshes }}" + become: false - name: clone fastd peer intragate repos git: @@ -37,3 +38,4 @@ dest: "/etc/fastd/{{ item.key }}igVPN/peers" update: no with_dict: "{{ meshes }}" + become: false diff --git a/roles/git-repos/tasks/main.yml b/roles/git-repos/tasks/main.yml index 46d5c33..ad6703e 100644 --- a/roles/git-repos/tasks/main.yml +++ b/roles/git-repos/tasks/main.yml @@ -5,7 +5,6 @@ state: present with_items: - git - become: true - name: ensure git directory is present file: @@ -14,10 +13,10 @@ mode: 0755 owner: admin group: admin - become: true - name: clone git repositories git: repo: "{{ item.value.repo_url }}" dest: "/home/admin/clones/{{ item.key }}" with_dict: "{{ common_repos }}" + become: false diff --git a/roles/localtestvm/tasks/loctevm-provide-prereq.inc.yml b/roles/localtestvm/tasks/loctevm-provide-prereq.inc.yml index 2112b07..a310745 100644 --- a/roles/localtestvm/tasks/loctevm-provide-prereq.inc.yml +++ b/roles/localtestvm/tasks/loctevm-provide-prereq.inc.yml @@ -18,15 +18,14 @@ - name: ensure admin user user: comment="FFMWU Administrator" name=admin shell=/bin/bash state=present - become: True - name: ensure users ssh key to admin user authorized_key: user=admin key="{{ lookup('file', '~/.ssh/id_rsa.pub') }}" exclusive=no - become: True - name: ensure users ssh key to bootstrap user authorized_key: user=hein key="{{ lookup('file', '~/.ssh/id_rsa.pub') }}" + become: false - name: ensure no-pw sudo capability for admin and bootstrap user lineinfile: @@ -35,8 +34,6 @@ line: "admin,hein ALL = (root) NOPASSWD: ALL" mode: 0440 validate: visudo -c -f %s - become: True - name: from this point on prevent pw for bootstrap user user: user=hein password=X - become: True 
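Review bot: Adding `become: false` to `ensure users ssh key to bootstrap user` makes the `authorized_key` write for `user=hein` run as the connecting user; with `remote_user = admin` now set in ansible.cfg that only works if the localtestvm play or inventory overrides the login user to hein, otherwise the module cannot write /home/hein/.ssh and the task fails (or the play connects as hein and the global setting is silently moot). Since `authorized_key` as root with `user=hein` sets ownership correctly, I would drop the `become: false` here rather than couple the task to whichever account happens to be connecting. The NOPASSWD sudoers line in the same hunk is unchanged by this commit, but note it grants both admin and the bootstrap user full root without a password, so the bootstrap account should be disabled once provisioning completes (the last task only invalidates its password).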
diff --git a/roles/network-batman/handlers/main.yml b/roles/network-batman/handlers/main.yml index 545dadd..6eb2fa0 100644 --- a/roles/network-batman/handlers/main.yml +++ b/roles/network-batman/handlers/main.yml @@ -3,4 +3,3 @@ systemd: name: sysfsutils state: restarted - become: true diff --git a/roles/network-meshbridge/handlers/main.yml b/roles/network-meshbridge/handlers/main.yml index 545dadd..6eb2fa0 100644 --- a/roles/network-meshbridge/handlers/main.yml +++ b/roles/network-meshbridge/handlers/main.yml @@ -3,4 +3,3 @@ systemd: name: sysfsutils state: restarted - become: true diff --git a/roles/service-bird-ffrl/handlers/main.yml b/roles/service-bird-ffrl/handlers/main.yml index 6a31b7b..7dd9273 100644 --- a/roles/service-bird-ffrl/handlers/main.yml +++ b/roles/service-bird-ffrl/handlers/main.yml @@ -3,10 +3,8 @@ systemd: name: bird state: reloaded - become: true - name: reload bird6 systemd: name: bird6 state: reloaded - become: true diff --git a/roles/service-bird-ffrl/tasks/main.yml b/roles/service-bird-ffrl/tasks/main.yml index 6c27749..3b4b03f 100644 --- a/roles/service-bird-ffrl/tasks/main.yml +++ b/roles/service-bird-ffrl/tasks/main.yml @@ -10,7 +10,6 @@ with_items: - 4 - 6 - become: true - name: write ffrl peer configuration template: @@ -23,4 +22,3 @@ with_items: - 4 - 6 - become: true diff --git a/roles/service-bird-icvpn/handlers/main.yml b/roles/service-bird-icvpn/handlers/main.yml index 1a37e5c..af1a036 100644 --- a/roles/service-bird-icvpn/handlers/main.yml +++ b/roles/service-bird-icvpn/handlers/main.yml @@ -3,13 +3,11 @@ systemd: name: bird state: reloaded - become: true - name: reload bird6 systemd: name: bird6 state: reloaded - become: true - name: set file attrs 4 file: @@ -17,7 +15,6 @@ mode: 0640 owner: bird group: bird - become: true - name: set file attrs 6 file: @@ -25,4 +22,3 @@ mode: 0640 owner: bird group: bird - become: true 
diff --git a/roles/service-bird-icvpn/tasks/main.yml b/roles/service-bird-icvpn/tasks/main.yml index 0570e41..c9dfd6b 100644 --- a/roles/service-bird-icvpn/tasks/main.yml +++ b/roles/service-bird-icvpn/tasks/main.yml @@ -10,7 +10,6 @@ with_items: - 4 - 6 - become: true - name: write initial icvpn roa config shell: /usr/bin/python3 /home/admin/clones/icvpn-scripts/mkroa -{{ item.key }} -f bird -x mwu -m {{ item.value.max_prefix }} -s /home/admin/clones/icvpn-meta > /etc/bird/icvpn_ipv{{ item.key }}_roa.conf @@ -25,7 +24,6 @@ max_prefix: 20 6: max_prefix: 64 - become: true - name: write icvpn bird configuration template: @@ -38,4 +36,3 @@ with_items: - 4 - 6 - become: true diff --git a/roles/service-bird/handlers/main.yml b/roles/service-bird/handlers/main.yml index 15478b4..12fe53a 100644 --- a/roles/service-bird/handlers/main.yml +++ b/roles/service-bird/handlers/main.yml @@ -2,16 +2,13 @@ - name: reload systemd systemd: daemon_reload: yes - become: true - name: reload bird systemd: name: bird state: reloaded - become: true - name: reload bird6 systemd: name: bird6 state: reloaded - become: true diff --git a/roles/service-dhcpd/handlers/main.yml b/roles/service-dhcpd/handlers/main.yml index 88a46e2..f7d522c 100644 --- a/roles/service-dhcpd/handlers/main.yml +++ b/roles/service-dhcpd/handlers/main.yml @@ -4,4 +4,3 @@ name: isc-dhcp-server enabled: yes state: restarted - become: true diff --git a/roles/service-haveged/handlers/main.yml b/roles/service-haveged/handlers/main.yml index 8c64ad5..bb7fde2 100644 --- a/roles/service-haveged/handlers/main.yml +++ b/roles/service-haveged/handlers/main.yml @@ -2,4 +2,3 @@ - name: reload systemd systemd: daemon_reload: yes - become: true From ce1a690db211da5b5431c47bf219ad4342bfa55c Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Sun, 17 Sep 2017 14:45:03 +0200 Subject: [PATCH 017/106] Add role service-bird-ffrl to playbook gateways --- playbooks/gateways.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/playbooks/gateways.yml b/playbooks/gateways.yml index 616cf0b..584ee41 100755 --- a/playbooks/gateways.yml +++ b/playbooks/gateways.yml @@ -22,4 +22,5 @@ - network-ffrl - service-bird - service-bird-icvpn + - service-bird-ffrl - service-rclocal From 0edd928ec8fed048823222829deed2d3ebbfddc7 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Sun, 17 Sep 2017 14:53:06 +0200 Subject: [PATCH 018/106] Role service-bird-ffrl: correct ipaddr filters --- roles/service-bird-ffrl/templates/ffrl_ipv4_peers.conf.j2 | 2 +- roles/service-bird-ffrl/templates/ffrl_ipv6.conf.j2 | 2 +- roles/service-bird-ffrl/templates/ffrl_ipv6_peers.conf.j2 | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/service-bird-ffrl/templates/ffrl_ipv4_peers.conf.j2 b/roles/service-bird-ffrl/templates/ffrl_ipv4_peers.conf.j2 index da21eb1..d646e33 100644 --- a/roles/service-bird-ffrl/templates/ffrl_ipv4_peers.conf.j2 +++ b/roles/service-bird-ffrl/templates/ffrl_ipv4_peers.conf.j2 @@ -3,7 +3,7 @@ # {% for peer_id, peer_value in ffrl_exit_server.iteritems() %} -protocol bgp {{ peer_id }} from ffrl_uplink { +protocol bgp '{{ peer_id }}' from ffrl_uplink { source address {{ peer_value.tunnel_ipv4_address | ipaddr('address') }}; neighbor {{ peer_value.tunnel_ipv4_network | ipaddr('address') }} as ffrl_as; }; diff --git a/roles/service-bird-ffrl/templates/ffrl_ipv6.conf.j2 b/roles/service-bird-ffrl/templates/ffrl_ipv6.conf.j2 index 05541fd..42feffc 100644 --- a/roles/service-bird-ffrl/templates/ffrl_ipv6.conf.j2 +++ b/roles/service-bird-ffrl/templates/ffrl_ipv6.conf.j2 @@ -43,7 +43,7 @@ protocol static ffrl_public_routes { {% for mesh_id, mesh_value in meshes.iteritems() %} {% for prefix in mesh_value.ipv6.public %} route {{ prefix }} reject; - route {{ prefix | ipaddr('net') | ipsubnet(56, magic) | ipaddr('network') }} reject; + route {{ prefix | ipaddr('net') | ipsubnet(56, magic) | ipaddr('network/prefix') }} reject; {% endfor %} {% endfor %} } 
diff --git a/roles/service-bird-ffrl/templates/ffrl_ipv6_peers.conf.j2 b/roles/service-bird-ffrl/templates/ffrl_ipv6_peers.conf.j2 index 98e776c..ef495ed 100644 --- a/roles/service-bird-ffrl/templates/ffrl_ipv6_peers.conf.j2 +++ b/roles/service-bird-ffrl/templates/ffrl_ipv6_peers.conf.j2 @@ -3,7 +3,7 @@ # {% for peer_id, peer_value in ffrl_exit_server.iteritems() %} -protocol bgp {{ peer_id }} from ffrl_uplink { +protocol bgp '{{ peer_id }}' from ffrl_uplink { source address {{ peer_value.tunnel_ipv6_network | ipaddr('net') | ipaddr('2') | ipaddr('address') }}; neighbor {{ peer_value.tunnel_ipv6_network | ipaddr('net') | ipaddr('1') | ipaddr('address') }} as ffrl_as; }; From c87cb61a6b8260a98c762b117ef55c81dfde576d Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Thu, 28 Sep 2017 20:09:18 +0200 Subject: [PATCH 019/106] Update readme of roles service-fastd-mesh + service-fastd-intragate --- roles/service-fastd-intragate/README.md | 8 ++++---- roles/service-fastd-mesh/README.md | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/roles/service-fastd-intragate/README.md b/roles/service-fastd-intragate/README.md index 8302520..0e10d0e 100644 --- a/roles/service-fastd-intragate/README.md +++ b/roles/service-fastd-intragate/README.md @@ -7,7 +7,7 @@ Diese Ansible role installiert und konfiguriert die fastd-Instanz für die Intra - stellt sicher, dass die Instanz-Verzeichnisse existieren - schreibt fastd.conf - schreibt secret.conf - - der private fastd Schlüssel wird aus dem Admin passwordstore gelesen + - der private fastd Schlüssel wird aus dem Admin passwordstore gelesen (YAML key secret) ## Benötigte Variablen 
@@ -21,8 +21,8 @@ meshes: - Dictionary `fastd_secrets` (Host-Variable) ´´´ fastd_secrets: - mzigVPN: "{{ lookup('passwordstore', 'fastd/mzigVPN/sparegate4') }}" - wiigVPN: "{{ lookup('passwordstore', 'fastd/wiigVPN/sparegate4') }}" + mzigVPN: "{{ lookup('passwordstore', 'fastd/mzigVPN/sparegate4 subkey=secret') }}" + wiigVPN: "{{ lookup('passwordstore', 'fastd/wiigVPN/sparegate4 subkey=secret') }}" ... ´´´ @@ -34,5 +34,5 @@ Bevor man ein Gateway aufsetzt, müssen die privaten Schlüssel für alle benöt Das Dictionary `fastd_secrets` folgt dem Aufbau: ``` fastd_secrets: - $Instanz-Name: "{{ lookup('passwordstore', '$Pfad-im-passwordstore') }}" + $Instanz-Name: "{{ lookup('passwordstore', '$Pfad-im-passwordstore subkey=secret') }}" ``` diff --git a/roles/service-fastd-mesh/README.md b/roles/service-fastd-mesh/README.md index 18f1f60..a3e414a 100644 --- a/roles/service-fastd-mesh/README.md +++ b/roles/service-fastd-mesh/README.md @@ -7,7 +7,7 @@ Diese Ansible role installiert und konfiguriert die fastd-Instanz für die Knote - stellt sicher, dass die Instanz-Verzeichnisse existieren - schreibt fastd.conf - schreibt secret.conf - - der private fastd Schlüssel wird aus dem Admin passwordstore gelesen + - der private fastd Schlüssel wird aus dem Admin passwordstore gelesen (YAML key secret) ## Benötigte Variablen @@ -21,8 +21,8 @@ meshes: - Dictionary `fastd_secrets` (Host-Variable) ´´´ fastd_secrets: - mzVPN: "{{ lookup('passwordstore', 'fastd/mzVPN/sparegate4') }}" - wiVPN: "{{ lookup('passwordstore', 'fastd/wiVPN/sparegate4') }}" + mzVPN: "{{ lookup('passwordstore', 'fastd/mzVPN/sparegate4 subkey=secret') }}" + wiVPN: "{{ lookup('passwordstore', 'fastd/wiVPN/sparegate4 subkey=secret') }}" ... ´´´ 
@@ -34,5 +34,5 @@ Bevor man ein Gateway aufsetzt, müssen die privaten Schlüssel für alle benöt Das Dictionary `fastd_secrets` folgt dem Aufbau: ``` fastd_secrets: - $Instanz-Name: "{{ lookup('passwordstore', '$Pfad-im-passwordstore') }}" + $Instanz-Name: "{{ lookup('passwordstore', '$Pfad-im-passwordstore subkey=secret') }}" ``` From 36e5e5c6701b1e7d9a117887d7a61cb2c18101fa Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Thu, 28 Sep 2017 20:14:58 +0200 Subject: [PATCH 020/106] Update Readme.md - update passwordstore lookup for fastd secrets - add explanation about sensible informations --- Readme.md | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/Readme.md b/Readme.md index 05759ce..fe88ff7 100644 --- a/Readme.md +++ b/Readme.md @@ -69,6 +69,13 @@ meshes: peers_intragate_repo: https://github.com/freifunk-mwu/ffwi-infrastructure-peers.git ``` +## Sensible Informationen + +Sensible Daten, z.B. private keys für Dienste wie fastd und tinc verwalten wir in einem [Password Store](https://www.passwordstore.org/). +Falls ihr mehrere Password Stores verwaltet, denkt vor Benutzung von Ansible daran, die Umgebungsvariable auf den richtigen Store zu verweisen: +``` +export PASSWORD_STORE_DIR=... +``` ## Aufsetzen eines neuen Gateways 
@@ -83,10 +90,10 @@ magic: # Pfade zu den fastd secrets im passwordstore fastd_secrets: - mzVPN: "{{ lookup('passwordstore', 'fastd/mzVPN/$Hostname') }}" - wiVPN: "{{ lookup('passwordstore', 'fastd/wiVPN/$Hostname') }}" - mzigVPN: "{{ lookup('passwordstore', 'fastd/mzVPN/$Hostname') }}" - wiigVPN: "{{ lookup('passwordstore', 'fastd/wiVPN/$Hostname') }}" + mzVPN: "{{ lookup('passwordstore', 'fastd/mzVPN/$Hostname subkey=secret') }}" + wiVPN: "{{ lookup('passwordstore', 'fastd/wiVPN/$Hostname subkey=secret') }}" + mzigVPN: "{{ lookup('passwordstore', 'fastd/mzVPN/$Hostname subkey=secret') }}" + wiigVPN: "{{ lookup('passwordstore', 'fastd/wiVPN/$Hostname subkey=secret') }}" # FFRL (muss vorher bereits zugewiesen worden sein) # Öffentliche IPv4 NAT Adresse From ab456225709e42d463981f1fc8bb5a9b6e28559a Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Fri, 29 Sep 2017 13:17:46 +0200 Subject: [PATCH 021/106] Role server-basic: add package bridge-utils --- roles/server-basic/vars/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/server-basic/vars/main.yml b/roles/server-basic/vars/main.yml index 5588e09..ea015d5 100644 --- a/roles/server-basic/vars/main.yml +++ b/roles/server-basic/vars/main.yml @@ -1,6 +1,7 @@ --- packages: - apt-transport-https + - bridge-utils - ifupdown2 - man-db - mlocate From 846f385a215e24bf2283ebcb8d76c6448e92f0e8 Mon Sep 17 00:00:00 2001 
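Review bot: In the updated `fastd_secrets` example the `mzigVPN` and `wiigVPN` entries point at `fastd/mzVPN/...` and `fastd/wiVPN/...`, the mesh instances' paths, so an operator copying this host_vars block configures the intragate fastd instances with the mesh instances' private keys (one key reused across two VPN instances). The service-fastd-intragate README in the previous commit uses `fastd/mzigVPN/...` and `fastd/wiigVPN/...`; the two lines should read `mzigVPN: "{{ lookup('passwordstore', 'fastd/mzigVPN/$Hostname subkey=secret') }}"` and `wiigVPN: "{{ lookup('passwordstore', 'fastd/wiigVPN/$Hostname subkey=secret') }}"`.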
From: Tobias Hachmer Date: Fri, 29 Sep 2017 13:32:20 +0200 Subject: [PATCH 022/106] Add role service-tinc --- inventory/group_vars/all | 5 ++ playbooks/gateways.yml | 1 + roles/service-bird-icvpn/meta/main.yml | 1 + roles/service-tinc/README.md | 45 ++++++++++++ roles/service-tinc/handlers/main.yml | 12 ++++ roles/service-tinc/tasks/main.yml | 72 ++++++++++++++++++++ roles/service-tinc/templates/nets.boot.j2 | 5 ++ roles/service-tinc/templates/rsa_key.priv.j2 | 1 + roles/service-tinc/templates/tinc-down.j2 | 11 +++ roles/service-tinc/templates/tinc-up.j2 | 14 ++++ roles/service-tinc/templates/tinc.conf.j2 | 12 ++++ 11 files changed, 179 insertions(+) create mode 100644 roles/service-tinc/README.md create mode 100644 roles/service-tinc/handlers/main.yml create mode 100644 roles/service-tinc/tasks/main.yml create mode 100644 roles/service-tinc/templates/nets.boot.j2 create mode 100644 roles/service-tinc/templates/rsa_key.priv.j2 create mode 100644 roles/service-tinc/templates/tinc-down.j2 create mode 100644 roles/service-tinc/templates/tinc-up.j2 create mode 100644 roles/service-tinc/templates/tinc.conf.j2 diff --git a/inventory/group_vars/all b/inventory/group_vars/all index bc72b66..3c0a1b6 100644 --- a/inventory/group_vars/all +++ b/inventory/group_vars/all @@ -58,6 +58,11 @@ meshes: peers_mesh_repo: https://github.com/freifunk-mwu/peers-ffwi.git peers_intragate_repo: https://github.com/freifunk-mwu/ffwi-infrastructure-peers.git +icvpn: + prefix: mwu + interface: icVPN + icvpn_repo: https://github.com/freifunk/icvpn + bgp_mwu_servers: spinat: ipv4: 10.37.0.7 diff --git a/playbooks/gateways.yml b/playbooks/gateways.yml index 584ee41..b9dc606 100755 --- a/playbooks/gateways.yml +++ b/playbooks/gateways.yml @@ -20,6 +20,7 @@ - git-fastd-peers - network-fastd - network-ffrl + - service-tinc - service-bird - service-bird-icvpn - service-bird-ffrl diff --git a/roles/service-bird-icvpn/meta/main.yml b/roles/service-bird-icvpn/meta/main.yml index ad1a852..0c405d4 100644 
--- a/roles/service-bird-icvpn/meta/main.yml +++ b/roles/service-bird-icvpn/meta/main.yml @@ -1,4 +1,5 @@ --- dependencies: - { role: git-repos } + - { role: service-tinc } - { role: service-bird } diff --git a/roles/service-tinc/README.md b/roles/service-tinc/README.md new file mode 100644 index 0000000..f2ad562 --- /dev/null +++ b/roles/service-tinc/README.md @@ -0,0 +1,45 @@ +# Ansible role service-tinc + +Diese Ansible role installiert und konfiguriert den tinc daemon, der für die Verbindung in das InterCity-VPN benötigt wird. + +- installiert tinc +- erzeugt icVPN tinc Instanz + - klont freifunk/icvpn repo + - schreibt tinc.conf + - schreibt tinc-up hook script + - schreibt tinc-down hook script + - liest tinc private key aus dem pass + +## Benötigte Variablen + +- Dictionary `icvpn` +``` +icvpn: + prefix: mwu + interface: icVPN + icvpn_repo: https://github.com/freifunk/icvpn +``` +- Variable `icvpn_ipv4_transfer_net` +- Variable `icvpn_ipv6_transfer_net` +- Dictionary `routing_tables` +``` +routing_tables: + icvpn: 23 + ... +``` +- Host Variable `magic` +- Host Variable `tinc_private_key` +``` +tinc_private_key: "{{ lookup('passwordstore', 'tinc/icVPN/$Hostname_private returnall=true') }}" +``` + +## tinc private key + +Der private Schlüssel der icVPN tinc-Instanz liegt im passwordstore. +Bevor man ein Gateway aufsetzt, muss der private Schlüssel generiert und im passwordstore hinterlegt werden. +Die Variable `tinc_private_key` folgt dem Aufbau: +``` +tinc_private_key: + $Instanz-Name: "{{ lookup('passwordstore', '$Pfad-im-passwordstore returnall=true') }}" +``` + diff --git a/roles/service-tinc/handlers/main.yml b/roles/service-tinc/handlers/main.yml new file mode 100644 index 0000000..b88ce92 --- /dev/null +++ b/roles/service-tinc/handlers/main.yml 
@@ -0,0 +1,12 @@
+---
+- name: configure systemd unit tinc
+ systemd:
+ name: tinc
+ enabled: yes
+ daemon_reload: yes
+
+- name: restart systemd unit tinc
+ systemd:
+ name: tinc
+ enabled: yes
+ state: restarted
diff --git a/roles/service-tinc/tasks/main.yml b/roles/service-tinc/tasks/main.yml
new file mode 100644
index 0000000..994f480
--- /dev/null
+++ b/roles/service-tinc/tasks/main.yml
@@ -0,0 +1,72 @@
+---
+- name: install tinc packages
+ apt:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - tinc
+ notify: configure systemd unit tinc
+
+- name: clone icvpn repo
+ git:
+ repo: "{{ icvpn.icvpn_repo }}"
+ dest: /etc/tinc/{{ icvpn.interface }}
+ update: no
+
+- name: set directory permissions
+ file:
+ path: /etc/tinc/{{ icvpn.interface }}
+ state: directory
+ owner: admin
+ group: admin
+ recurse: yes
+
+- name: register metanodes
+ command: cat /etc/tinc/{{ icvpn.interface }}/metanodes
+ register: metanodes
+ changed_when: false
+
+- name: write tinc.conf
+ template:
+ src: tinc.conf.j2
+ dest: /etc/tinc/{{ icvpn.interface }}/tinc.conf
+ mode: 0664
+ owner: admin
+ group: admin
+ notify: restart systemd unit tinc
+
+- name: write tinc-up hook script
+ template:
+ src: tinc-up.j2
+ dest: /etc/tinc/{{ icvpn.interface }}/tinc-up
+ mode: 0775
+ owner: admin
+ group: admin
+ notify: restart systemd unit tinc
+
+- name: write tinc-down hook script
+ template:
+ src: tinc-down.j2
+ dest: /etc/tinc/{{ icvpn.interface }}/tinc-down
+ mode: 0775
+ owner: admin
+ group: admin
+ notify: restart systemd unit tinc
+
+- name: write tinc private key
+ template:
+ src: rsa_key.priv.j2
+ dest: /etc/tinc/{{ icvpn.interface }}/rsa_key.priv
+ mode: 0600
+ owner: admin
+ group: admin
+ notify: restart systemd unit tinc
+
+- name: write nets.boot
+ template:
+ src: nets.boot.j2
+ dest: /etc/tinc/nets.boot
+ mode: 0644
+ owner: root
+ group: root
+ notify: restart systemd unit tinc
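Review bot: The `write tinc private key` task renders `rsa_key.priv` through `template`, so a run with `--diff` or high verbosity prints the key material to the console and to whatever log sink captures it; add `no_log: true` to that task. The `set directory permissions` task chowns the whole clone to `admin` recursively, and `tinc.conf`, `tinc-up` and `tinc-down` are then written 0664/0775 owned by `admin`, while tinc runs as root and executes the hook scripts — so write access as `admin` is effectively write access as root; `owner: root` with 0644/0755 for the config and the hooks keeps that privilege boundary. The `register metanodes` task could use `slurp` instead of `command: cat`, which reads the file without needing `changed_when: false`.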
diff --git a/roles/service-tinc/templates/nets.boot.j2 b/roles/service-tinc/templates/nets.boot.j2 new file mode 100644 index 0000000..5e4cdf7 --- /dev/null +++ b/roles/service-tinc/templates/nets.boot.j2 @@ -0,0 +1,5 @@ +# +# {{ ansible_managed }} +# +# This file contains all names of the networks to be started on system startup. +{{ icvpn.interface }} diff --git a/roles/service-tinc/templates/rsa_key.priv.j2 b/roles/service-tinc/templates/rsa_key.priv.j2 new file mode 100644 index 0000000..7c952bc --- /dev/null +++ b/roles/service-tinc/templates/rsa_key.priv.j2 @@ -0,0 +1 @@ +{{ tinc_private_key }} diff --git a/roles/service-tinc/templates/tinc-down.j2 b/roles/service-tinc/templates/tinc-down.j2 new file mode 100644 index 0000000..f0a44b0 --- /dev/null +++ b/roles/service-tinc/templates/tinc-down.j2 @@ -0,0 +1,11 @@ +#!/bin/sh +# +# {{ ansible_managed }} +# +/sbin/ip addr del dev ${INTERFACE} {{ icvpn_ipv4_transfer_net | ipaddr('net') | ipsubnet(24, 37) | ipaddr(magic) | ipaddr('address') }}/16 broadcast {{ icvpn_ipv4_transfer_net | ipaddr('net') | ipaddr('broadcast') }} +/sbin/ip -6 addr del dev ${INTERFACE} {{ icvpn_ipv6_transfer_net | ipaddr('net') | ipsubnet(112, 37) | ipaddr(magic) | ipaddr('address') }}/96 + +/sbin/ip -4 route del {{ icvpn_ipv4_transfer_net }} proto static dev ${INTERFACE} table {{ routing_tables.icvpn }} +/sbin/ip -6 route del {{ icvpn_ipv6_transfer_net }} proto static dev ${INTERFACE} table {{ routing_tables.icvpn }} + +/sbin/ip link set dev ${INTERFACE} down diff --git a/roles/service-tinc/templates/tinc-up.j2 b/roles/service-tinc/templates/tinc-up.j2 new file mode 100644 index 0000000..5fb6692 --- /dev/null +++ b/roles/service-tinc/templates/tinc-up.j2 
@@ -0,0 +1,14 @@ +{% set ip4hex = icvpn_ipv4_transfer_net | ipaddr('net') | ipsubnet(24, 37) | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} +{% set mac = '0220' + ip4hex -%} +#!/bin/sh +# +# {{ ansible_managed }} +# +/sbin/ifconfig ${INTERFACE} hw ether {{ mac | hwaddr('linux') }} +/sbin/ip link set dev ${INTERFACE} up + +/sbin/ip -4 route add {{ icvpn_ipv4_transfer_net }} proto static dev ${INTERFACE} table {{ routing_tables.icvpn }} +/sbin/ip -6 route add {{ icvpn_ipv6_transfer_net }} proto static dev ${INTERFACE} table {{ routing_tables.icvpn }} + +/sbin/ip addr add dev ${INTERFACE} {{ icvpn_ipv4_transfer_net | ipaddr('net') | ipsubnet(24, 37) | ipaddr(magic) | ipaddr('address') }}/16 broadcast {{ icvpn_ipv4_transfer_net | ipaddr('net') | ipaddr('broadcast') }} scope link +/sbin/ip -6 addr add dev ${INTERFACE} {{ icvpn_ipv6_transfer_net | ipaddr('net') | ipsubnet(112, 37) | ipaddr(magic) | ipaddr('address') }}/96 preferred_lft 0 diff --git a/roles/service-tinc/templates/tinc.conf.j2 b/roles/service-tinc/templates/tinc.conf.j2 new file mode 100644 index 0000000..15f2e96 --- /dev/null +++ b/roles/service-tinc/templates/tinc.conf.j2 @@ -0,0 +1,12 @@ +Name = {{ icvpn.prefix }}{{ magic }} +PrivateKeyFile = /etc/tinc/{{ icvpn.interface }}/rsa_key.priv +Mode = Switch +PingTimeout = 30 +Port = 10655 +Hostnames = yes +GraphDumpFile = /etc/tinc/{{ icvpn.interface }}/topo.dot +Interface = {{ icvpn.interface }} + +{% for metanode in metanodes.stdout_lines %} +ConnectTo = {{ metanode }} +{% endfor %} From 41d6fb0ff1ee7d14b9fa73e52b8d692cfe7ecf84 Mon Sep 17 00:00:00 2001 
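Review bot: `/sbin/ifconfig ${INTERFACE} hw ether …` is the only net-tools call in a script that otherwise uses iproute2; `/sbin/ip link set dev ${INTERFACE} address {{ mac | hwaddr('linux') }}` does the same without depending on the net-tools package, which a minimal Debian 9 host may not have installed. The `mac` derivation (`'0220' + ip4hex`) deserves a one-line comment in the template, e.g. `{# locally administered MAC: 02:20 followed by this node's transfer-net IPv4 in hex #}`, since nothing else in the role explains the prefix.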
From: Tobias Hachmer Date: Sat, 30 Sep 2017 14:36:48 +0200 Subject: [PATCH 023/106] Add role system-sysctl-gateway --- playbooks/gateways.yml | 1 + roles/system-sysctl-gateway/README.md | 12 ++++++++ roles/system-sysctl-gateway/tasks/main.yml | 7 +++++ roles/system-sysctl-gateway/vars/main.yml | 34 ++++++++++++++++++++++ 4 files changed, 54 insertions(+) create mode 100644 roles/system-sysctl-gateway/README.md create mode 100644 roles/system-sysctl-gateway/tasks/main.yml create mode 100644 roles/system-sysctl-gateway/vars/main.yml diff --git a/playbooks/gateways.yml b/playbooks/gateways.yml index b9dc606..3ae578b 100755 --- a/playbooks/gateways.yml +++ b/playbooks/gateways.yml @@ -25,3 +25,4 @@ - service-bird-icvpn - service-bird-ffrl - service-rclocal + - system-sysctl-gateway diff --git a/roles/system-sysctl-gateway/README.md b/roles/system-sysctl-gateway/README.md new file mode 100644 index 0000000..13c5d33 --- /dev/null +++ b/roles/system-sysctl-gateway/README.md @@ -0,0 +1,12 @@ +# Ansible role system-sysctl-gateway +Diese Ansible role setzt Freifunk Gateway spezifische sysctl-Parameter. + +## Benötigte Variablen +- List `sysctl_settings_gateway` (Rollen-Variable) +``` +sysctl_settings_gateway: + - name: # sysctl-Parameter + value: # zu setzender Wert +... + +´´´ diff --git a/roles/system-sysctl-gateway/tasks/main.yml b/roles/system-sysctl-gateway/tasks/main.yml new file mode 100644 index 0000000..f46d562 --- /dev/null +++ b/roles/system-sysctl-gateway/tasks/main.yml @@ -0,0 +1,7 @@ +--- +- name: set freifunk gateway sysctl settings + sysctl: + name: "{{ item.name }}" + value: "{{ item.value }}" + state: present + with_items: "{{ sysctl_settings_gateway }}" diff --git a/roles/system-sysctl-gateway/vars/main.yml b/roles/system-sysctl-gateway/vars/main.yml new file mode 100644 index 0000000..c0e4223 --- /dev/null +++ b/roles/system-sysctl-gateway/vars/main.yml 
@@ -0,0 +1,34 @@ +--- +sysctl_settings_gateway: + - name: net.ipv4.ip_forward + value: 1 + - name: net.ipv4.conf.default.rp_filter + value: 0 + - name: net.ipv4.conf.all.rp_filter + value: 0 + - name: net.ipv4.neigh.default.gc_thresh1 + value: 1024 + - name: net.ipv4.neigh.default.gc_thresh2 + value: 2048 + - name: net.ipv4.neigh.default.gc_thresh3 + value: 4096 + - name: net.netfilter.nf_conntrack_tcp_timeout_established + value: 86400 + - name: net.netfilter.nf_conntrack_max + value: 262140 + - name: net.ipv6.conf.all.forwarding + value: 1 + - name: net.ipv6.conf.all.autoconf + value: 0 + - name: net.ipv6.conf.default.autoconf + value: 0 + - name: net.ipv6.conf.all.accept_ra + value: 0 + - name: net.ipv6.conf.default.accept_ra + value: 0 + - name: net.ipv6.neigh.default.gc_thresh1 + value: 1024 + - name: net.ipv6.neigh.default.gc_thresh2 + value: 2048 + - name: net.ipv6.neigh.default.gc_thresh3 + value: 4096 From 3a9edaa666e86fe201ba527ce5ce0a50f4b4e172 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Sat, 30 Sep 2017 23:00:09 +0200 Subject: [PATCH 024/106] Add version to git modules in roles: - git-fastd-peers - git-repos - service-tinc --- roles/git-fastd-peers/tasks/main.yml | 2 ++ roles/git-repos/tasks/main.yml | 1 + roles/git-repos/vars/main.yml | 3 +++ roles/service-tinc/tasks/main.yml | 1 + 4 files changed, 7 insertions(+) diff --git a/roles/git-fastd-peers/tasks/main.yml b/roles/git-fastd-peers/tasks/main.yml index 3339069..98eff5d 100644 --- a/roles/git-fastd-peers/tasks/main.yml +++ b/roles/git-fastd-peers/tasks/main.yml @@ -28,6 +28,7 @@ git: repo: "{{ item.value.peers_mesh_repo }}" dest: "/etc/fastd/{{ item.key }}VPN/peers" + version: master update: no with_dict: "{{ meshes }}" become: false @@ -36,6 +37,7 @@ git: repo: "{{ item.value.peers_intragate_repo }}" dest: "/etc/fastd/{{ item.key }}igVPN/peers" + version: master update: no with_dict: "{{ meshes }}" become: false 
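Review bot: `net.ipv4.conf.all.rp_filter` and `net.ipv4.conf.default.rp_filter` are set to `0`, which switches off reverse-path checking on every interface and lets packets with spoofed source addresses from the mesh side pass through the gateway. If strict mode breaks the policy routing (tables `icvpn`, `mwu` in group_vars), loose mode still rejects sources that no table can route at all: `value: 2` for both keys. Either way, a comment above these two entries naming why the check is relaxed would help the next reader, since the list otherwise reads as a plain hardening profile.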
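Review bot: `version: master` on the `git` tasks names a moving branch, so it documents intent but does not pin content, and together with `update: no` the checkout stays at whatever commit happened to be cloned first, which differs per host and per run date. Where reproducibility or integrity of the peer keys matters, put a tag or commit id into the `version` fields this commit introduces, and where upstream signs its commits enable `verify_commit: yes` on the task. The same applies to the second git-fastd-peers hunk and to the git-repos and service-tinc hunks of this commit.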
diff --git a/roles/git-repos/tasks/main.yml b/roles/git-repos/tasks/main.yml index ad6703e..56eaa62 100644 --- a/roles/git-repos/tasks/main.yml +++ b/roles/git-repos/tasks/main.yml @@ -18,5 +18,6 @@ git: repo: "{{ item.value.repo_url }}" dest: "/home/admin/clones/{{ item.key }}" + version: "{{ item.value.version }}" with_dict: "{{ common_repos }}" become: false diff --git a/roles/git-repos/vars/main.yml b/roles/git-repos/vars/main.yml index 572463e..b5bbb31 100644 --- a/roles/git-repos/vars/main.yml +++ b/roles/git-repos/vars/main.yml @@ -2,7 +2,10 @@ common_repos: backend-scripts: repo_url: https://github.com/freifunk-mwu/backend-scripts.git + version: master icvpn-meta: repo_url: https://github.com/freifunk/icvpn-meta.git + version: master icvpn-scripts: repo_url: https://github.com/freifunk/icvpn-scripts.git + version: master diff --git a/roles/service-tinc/tasks/main.yml b/roles/service-tinc/tasks/main.yml index 994f480..c1ff01f 100644 --- a/roles/service-tinc/tasks/main.yml +++ b/roles/service-tinc/tasks/main.yml @@ -11,6 +11,7 @@ git: repo: "{{ icvpn.icvpn_repo }}" dest: /etc/tinc/{{ icvpn.interface }} + version: master update: no - name: set directory permissions From 4596743a5637ba548e5308a14bed31b450c339f7 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Mon, 2 Oct 2017 11:11:43 +0200 Subject: [PATCH 025/106] Add readme for role prerequisites --- roles/prerequisites/README.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 roles/prerequisites/README.md diff --git a/roles/prerequisites/README.md b/roles/prerequisites/README.md new file mode 100644 index 0000000..f1120c9 --- /dev/null +++ b/roles/prerequisites/README.md 
@@ -0,0 +1,19 @@ +# Ansible role prerequisites + +Diese Ansible role prüft ob die Voraussetzungen für ein Freifunk Gateway erfüllt sind. + +- Forward-DNS Eintrag == ausgelesener IPv4-Adresse +- Forward-DNS Eintrag == ausgelesener IPv6-Adresse +- Linux Distribution == Debian +- Debian Version == 9 + +## Benötigte Variablen + +- Variable `dns_host_ipv4_address` (Rollen-Variable) +``` +dns_host_ipv4_address: "{{ lookup('dig', inventory_hostname, 'qtype=A') }}" +``` +- Variable `dns_host_ipv6_address` (Rollen-Variable) +``` +dns_host_ipv6_address: "{{ lookup('dig', inventory_hostname, 'qtype=AAAA') }}" +``` From b285305fe17daf3e0dd39ce2ead5ac3f16173cef Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Mon, 2 Oct 2017 11:18:16 +0200 Subject: [PATCH 026/106] Add role network-iptables-gateway - move netfilter specific sysctl settings --- inventory/group_vars/all | 3 ++ playbooks/gateways.yml | 1 + roles/network-iptables-gateway/README.md | 29 ++++++++++++++ .../handlers/main.yml | 6 +++ roles/network-iptables-gateway/tasks/main.yml | 35 +++++++++++++++++ .../templates/rules.v4.j2 | 38 +++++++++++++++++++ .../templates/rules.v6.j2 | 31 +++++++++++++++ roles/network-iptables-gateway/vars/main.yml | 6 +++ roles/system-sysctl-gateway/vars/main.yml | 4 -- 9 files changed, 149 insertions(+), 4 deletions(-) create mode 100644 roles/network-iptables-gateway/README.md create mode 100644 roles/network-iptables-gateway/handlers/main.yml create mode 100644 roles/network-iptables-gateway/tasks/main.yml create mode 100644 roles/network-iptables-gateway/templates/rules.v4.j2 create mode 100644 roles/network-iptables-gateway/templates/rules.v6.j2 create mode 100644 roles/network-iptables-gateway/vars/main.yml diff --git a/inventory/group_vars/all b/inventory/group_vars/all index 3c0a1b6..1c841da 100644 --- a/inventory/group_vars/all +++ b/inventory/group_vars/all 
@@ -2,6 +2,9 @@ as_private_mwu: 65037 as_public_ffrl: 201701 +internet_exit_mtu_ipv4: 1240 +internet_exit_mtu_ipv6: 1220 + routing_tables: icvpn: 23 mwu: 41 diff --git a/playbooks/gateways.yml b/playbooks/gateways.yml index 3ae578b..e8b18ea 100755 --- a/playbooks/gateways.yml +++ b/playbooks/gateways.yml @@ -19,6 +19,7 @@ - service-fastd-intragate - git-fastd-peers - network-fastd + - network-iptables-gateway - network-ffrl - service-tinc - service-bird diff --git a/roles/network-iptables-gateway/README.md b/roles/network-iptables-gateway/README.md new file mode 100644 index 0000000..75cc545 --- /dev/null +++ b/roles/network-iptables-gateway/README.md @@ -0,0 +1,29 @@ +# Ansible role network-iptables-gateway + +Diese Ansible role konfiguriert iptables Regeln für IPv4+IPv6 eines Freifunk Gateways. + +- installiert iptables+iptables-persistent +- schreibt rules.v4 + rules.v6 +- setzt netfilter sysctl parameter + +## Benötigte Variablen + +- List `sysctl_settings_netfilter` (Rollen Variable) +´´´ +sysctl_settings_netfilter: + - name: # sysctl-Parameter + value: # zu setzender Wert + +´´´ +- Dictionary `meshes` +´´´ +meshes: + xx: +... + ipv4_network: +... + +´´´ +- Variable `internet_exit_mtu_ipv4` +- Variable `internet_exit_mtu_ipv6` +- Host Variable `ffrl_public_ipv4_nat` diff --git a/roles/network-iptables-gateway/handlers/main.yml b/roles/network-iptables-gateway/handlers/main.yml new file mode 100644 index 0000000..5dfa033 --- /dev/null +++ b/roles/network-iptables-gateway/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: iptables-restore + shell: iptables-restore < /etc/iptables/rules.v4 + +- name: ip6tables-restore + shell: ip6tables-restore < /etc/iptables/rules.v6 diff --git a/roles/network-iptables-gateway/tasks/main.yml b/roles/network-iptables-gateway/tasks/main.yml new file mode 100644 index 0000000..93eed04 --- /dev/null +++ b/roles/network-iptables-gateway/tasks/main.yml 
@@ -0,0 +1,35 @@
+---
+- name: install iptables packages
+ apt:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - iptables
+ - iptables-persistent
+
+- name: load netfilter modules
+ modprobe:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - nf_conntrack
+ - nf_conntrack_ipv4
+
+- name: set netfilter sysctl settings
+ sysctl:
+ name: "{{ item.name }}"
+ value: "{{ item.value }}"
+ state: present
+ with_items: "{{ sysctl_settings_netfilter }}"
+
+- name: write iptables configuration
+ template:
+ src: rules.v4.j2
+ dest: /etc/iptables/rules.v4
+ notify: iptables-restore
+
+- name: write ip6tables configuration
+ template:
+ src: rules.v6.j2
+ dest: /etc/iptables/rules.v6
+ notify: ip6tables-restore
diff --git a/roles/network-iptables-gateway/templates/rules.v4.j2 b/roles/network-iptables-gateway/templates/rules.v4.j2
new file mode 100644
index 0000000..b3f0cce
--- /dev/null
+++ b/roles/network-iptables-gateway/templates/rules.v4.j2
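Review bot: The two `template` tasks that write `/etc/iptables/rules.v4` and `rules.v6` have no `validate`, so a rendering mistake is only discovered when the restore handler fails, and at the next boot iptables-persistent would then load no rules at all; add `validate: 'iptables-restore --test %s'` to the first and `validate: 'ip6tables-restore --test %s'` to the second. The `modprobe` tasks load `nf_conntrack` for the running kernel only, so the `net.netfilter.*` keys the sysctl task persists may not exist yet when sysctl settings are applied early at boot — the `modules-load.d` template the kmod-batman role writes is the pattern to reuse here.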
@@ -0,0 +1,38 @@
+#
+# {{ ansible_managed }}
+#
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -d {{ ansible_default_ipv4.address | ipaddr('public') }}/32 -p gre -j ACCEPT
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+{% for mesh_id, mesh_value in meshes.iteritems() %}
+-A FORWARD -i {{ mesh_id }}BR -o {{ mesh_id }}BR -j ACCEPT
+{% endfor %}
+-A FORWARD -m conntrack --ctstate INVALID -j DROP
+-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -s {{ ansible_default_ipv4.address | ipaddr('public') }}/32 -p gre -j ACCEPT
+-A OUTPUT -m conntrack --ctstate INVALID -j DROP
+-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+COMMIT
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+-A POSTROUTING -o ffrl+ -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss ! --mss 0:{{ internet_exit_mtu_ipv4 }} -j TCPMSS --set-mss {{ internet_exit_mtu_ipv4 }}
+COMMIT
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:ffrl-nat - [0:0]
+{% for mesh_id, mesh_value in meshes.iteritems() %}
+-A POSTROUTING -s {{ mesh_value.ipv4_network | ipaddr('private') | ipaddr('net') }} -o ffrl+ -j ffrl-nat
+{% endfor %}
+-A ffrl-nat -o ffrl+ -j SNAT --to-source {{ ffrl_public_ipv4_nat }}
+COMMIT
diff --git a/roles/network-iptables-gateway/templates/rules.v6.j2 b/roles/network-iptables-gateway/templates/rules.v6.j2
new file mode 100644
index 0000000..fbc36ab
--- /dev/null
+++ b/roles/network-iptables-gateway/templates/rules.v6.j2
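Review bot: `meshes.iteritems()` is a Python 2 dict method; on a Python 3 controller Jinja resolves it as undefined and the template fails, so use `meshes.items()`, which works on both. The same call appears in rules.v6.j2 in this commit and in named.conf.j2, named.conf.mesh.j2 (`forward_zones.iteritems()`) and named.conf.options.j2 later in this series. Separately, with `:INPUT ACCEPT` as the default policy the `-p gre -j ACCEPT` rules on INPUT and OUTPUT only exempt GRE from the INVALID drop that follows them; if a default-deny posture was intended for the gateway's own ports, this ruleset does not implement it, and a header comment stating that the filter table is deliberately open would remove the ambiguity.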
@@ -0,0 +1,31 @@ +# +# {{ ansible_managed }} +# +*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +-A INPUT -m conntrack --ctstate INVALID -j DROP +-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +{% for mesh_id, mesh_value in meshes.iteritems() %} +-A FORWARD -i {{ mesh_id }}BR -o {{ mesh_id }}BR -j ACCEPT +{% endfor %} +-A FORWARD -m conntrack --ctstate INVALID -j DROP +-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A OUTPUT -m conntrack --ctstate INVALID -j DROP +-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +COMMIT +*mangle +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +-A POSTROUTING -o ffrl+ -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss ! --mss 0:{{ internet_exit_mtu_ipv6 }} -j TCPMSS --set-mss {{ internet_exit_mtu_ipv6 }} +COMMIT +*nat +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +COMMIT diff --git a/roles/network-iptables-gateway/vars/main.yml b/roles/network-iptables-gateway/vars/main.yml new file mode 100644 index 0000000..1d44152 --- /dev/null +++ b/roles/network-iptables-gateway/vars/main.yml @@ -0,0 +1,6 @@ +--- +sysctl_settings_netfilter: + - name: net.netfilter.nf_conntrack_tcp_timeout_established + value: 86400 + - name: net.netfilter.nf_conntrack_max + value: 262140 diff --git a/roles/system-sysctl-gateway/vars/main.yml b/roles/system-sysctl-gateway/vars/main.yml index c0e4223..648b476 100644 --- a/roles/system-sysctl-gateway/vars/main.yml +++ b/roles/system-sysctl-gateway/vars/main.yml @@ -12,10 +12,6 @@ sysctl_settings_gateway: value: 2048 - name: net.ipv4.neigh.default.gc_thresh3 value: 4096 - - name: net.netfilter.nf_conntrack_tcp_timeout_established - value: 86400 - - name: net.netfilter.nf_conntrack_max - value: 262140 - name: net.ipv6.conf.all.forwarding value: 1 - name: net.ipv6.conf.all.autoconf 
From 2e0e474ba7c4f15fd3dbbc14b8a93e04d31f4629 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Mon, 2 Oct 2017 11:21:01 +0200 Subject: [PATCH 027/106] Role kmod-batman: load kernel modules --- roles/kmod-batman/tasks/main.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/kmod-batman/tasks/main.yml b/roles/kmod-batman/tasks/main.yml index 15fe652..14b3b62 100644 --- a/roles/kmod-batman/tasks/main.yml +++ b/roles/kmod-batman/tasks/main.yml @@ -14,3 +14,11 @@ template: src: batman-adv.module.conf.j2 dest: /etc/modules-load.d/batman-adv.conf + +- name: load batman + dummy module + modprobe: + name: "{{ item }}" + state: present + with_items: + - batman-adv + - dummy From 5e38e4f6fb061d86c19f7d744c3eea749be6e82d Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Mon, 2 Oct 2017 23:08:53 +0200 Subject: [PATCH 028/106] Role service-bird-icvpn: use a task and not a handler to set file attrs --- roles/service-bird-icvpn/handlers/main.yml | 14 ------------ roles/service-bird-icvpn/tasks/main.yml | 26 ++++++++++++++++++++-- 2 files changed, 24 insertions(+), 16 deletions(-) diff --git a/roles/service-bird-icvpn/handlers/main.yml b/roles/service-bird-icvpn/handlers/main.yml index af1a036..7dd9273 100644 --- a/roles/service-bird-icvpn/handlers/main.yml +++ b/roles/service-bird-icvpn/handlers/main.yml @@ -8,17 +8,3 @@ systemd: name: bird6 state: reloaded - -- name: set file attrs 4 - file: - path: /etc/bird/icvpn_ipv4_peers.conf - mode: 0640 - owner: bird - group: bird - -- name: set file attrs 6 - file: - path: /etc/bird/icvpn_ipv6_peers.conf - mode: 0640 - owner: bird - group: bird diff --git a/roles/service-bird-icvpn/tasks/main.yml b/roles/service-bird-icvpn/tasks/main.yml index c9dfd6b..4d99db1 100644 --- a/roles/service-bird-icvpn/tasks/main.yml +++ b/roles/service-bird-icvpn/tasks/main.yml @@ -6,7 +6,6 @@ creates: /etc/bird/icvpn_ipv{{ item }}_peers.conf notify: - reload bird{{ item }} - - set file attrs {{ item }} with_items: - 4 - 6 
@@ -18,7 +17,6 @@ creates: /etc/bird/icvpn_ipv{{ item.key }}_roa.conf notify: - reload bird{{ item.key }} - - set file attrs {{ item.key }} with_dict: 4: max_prefix: 20 @@ -36,3 +34,27 @@ with_items: - 4 - 6 + +- name: set file attributes for ipv4 roa and peer config + file: + path: "{{ item }}" + mode: 0640 + owner: bird + group: bird + notify: + - reload bird4 + with_items: + - /etc/bird/icvpn_ipv4_peers.conf + - /etc/bird/icvpn_ipv4_roa.conf + +- name: set file attributes for ipv6 roa and peer config + file: + path: "{{ item }}" + mode: 0640 + owner: bird + group: bird + notify: + - reload bird6 + with_items: + - /etc/bird/icvpn_ipv6_peers.conf + - /etc/bird/icvpn_ipv6_roa.conf From 821834c4b80b15766c8e25094b78bad7fa27d833 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Mon, 2 Oct 2017 23:34:53 +0200 Subject: [PATCH 029/106] Add role service-bind-slave --- inventory/group_vars/all | 16 +++++ playbooks/gateways.yml | 1 + roles/service-bind-slave/README.md | 39 +++++++++++ roles/service-bind-slave/handlers/main.yml | 9 +++ roles/service-bind-slave/meta/main.yml | 3 + roles/service-bind-slave/tasks/main.yml | 67 +++++++++++++++++++ .../templates/named.conf.j2 | 11 +++ .../templates/named.conf.logging.j2 | 9 +++ .../templates/named.conf.mesh.j2 | 58 ++++++++++++++++ .../templates/named.conf.options.j2 | 37 ++++++++++ 10 files changed, 250 insertions(+) create mode 100644 roles/service-bind-slave/README.md create mode 100644 roles/service-bind-slave/handlers/main.yml create mode 100644 roles/service-bind-slave/meta/main.yml create mode 100644 roles/service-bind-slave/tasks/main.yml create mode 100644 roles/service-bind-slave/templates/named.conf.j2 create mode 100644 roles/service-bind-slave/templates/named.conf.logging.j2 create mode 100644 roles/service-bind-slave/templates/named.conf.mesh.j2 create mode 100644 roles/service-bind-slave/templates/named.conf.options.j2 diff --git a/inventory/group_vars/all b/inventory/group_vars/all index 1c841da..94a0b71 100644 
--- a/inventory/group_vars/all +++ b/inventory/group_vars/all @@ -38,6 +38,15 @@ meshes: iface_mtu: 1350 peers_mesh_repo: https://github.com/freifunk-mwu/peers-ffmz.git peers_intragate_repo: https://github.com/freifunk-mwu/ffmz-infrastructure-peers.git + dns: + master: fd37:b4dc:4b1e::a25:103 + forward_zones: + ffmz.org: + user.ffmz.org: + bb.ffmz.org: + nodes.ffmz.org: + ffbin: + master: fd37:b4dc:4b1e::a25:10c wi: site_number: 56 @@ -60,6 +69,13 @@ meshes: iface_mtu: 1350 peers_mesh_repo: https://github.com/freifunk-mwu/peers-ffwi.git peers_intragate_repo: https://github.com/freifunk-mwu/ffwi-infrastructure-peers.git + dns: + master: fd56:b4dc:4b1e::a38:103 + forward_zones: + ffwi.org: + user.ffwi.org: + bb.ffwi.org: + nodes.ffwi.org: icvpn: prefix: mwu diff --git a/playbooks/gateways.yml b/playbooks/gateways.yml index e8b18ea..d60c0c1 100755 --- a/playbooks/gateways.yml +++ b/playbooks/gateways.yml @@ -25,5 +25,6 @@ - service-bird - service-bird-icvpn - service-bird-ffrl + - service-bind-slave - service-rclocal - system-sysctl-gateway diff --git a/roles/service-bind-slave/README.md b/roles/service-bind-slave/README.md new file mode 100644 index 0000000..5062605 --- /dev/null +++ b/roles/service-bind-slave/README.md 
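Review bot: `ffmz.org:`, `user.ffmz.org:` and the other `forward_zones` entries carry no value, which YAML reads as `null` rather than an empty mapping; named.conf.mesh.j2 tolerates that because it only tests `zone_value.master is defined`, but `ffmz.org: {}` states the intent and keeps working if a template later iterates the zone's keys. The same applies to the ffwi block in the second hunk of this file.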
@@ -0,0 +1,39 @@ +# Ansible role service-bind-slave + +Diese Ansible role installiert und konfiguriert den DNS Server BIND auf einem Freifunk Gateway. +Die Gateways agieren lediglich als Slave-DNS Server. + +- installiert BIND Pakete +- schreibt named.conf + named.conf.options + named.conf.logging +- schreibt named.conf.icvpn nur wenn noch nicht vorhanden +- schreibt für jedes Mesh eine Konfigurationsdatei named.conf.$site_code + - Forward-Zones müssen im `meshes`-Dict angegeben werden + - Reverse DNS Zones werden automatisch aus den benutzten IP-Subnetzen erzeugt + +## Benötigte Variablen + +- Dictionary `meshes` +´´´ +meshes: + xx: +... + site_code: # string + ipv4_network: + ipv6: + ula: + - # ULA-Prefix + - ... + dns: + master: # IP-Adresse des DNS Masters + forward_zones: + $zone: # DNS-Domain + master: # optional: IP-Adresse des DNS Masters, wenn die vom übergeordneten abweicht. + +´´´ +- Variable `icvpn_ipv4_transfer_net` +- Variable `icvpn_ipv6_transfer_net` +- Host Variable `magic` + +## Benötigte roles + +- git-repos diff --git a/roles/service-bind-slave/handlers/main.yml b/roles/service-bind-slave/handlers/main.yml new file mode 100644 index 0000000..e1b2000 --- /dev/null +++ b/roles/service-bind-slave/handlers/main.yml @@ -0,0 +1,9 @@ +--- +- name: reload systemd + systemd: + daemon_reload: yes + +- name: restart bind9 + systemd: + name: bind9 + state: restarted diff --git a/roles/service-bind-slave/meta/main.yml b/roles/service-bind-slave/meta/main.yml new file mode 100644 index 0000000..9a46e8e --- /dev/null +++ b/roles/service-bind-slave/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - { role: git-repos } diff --git a/roles/service-bind-slave/tasks/main.yml b/roles/service-bind-slave/tasks/main.yml new file mode 100644 index 0000000..5327055 --- /dev/null +++ b/roles/service-bind-slave/tasks/main.yml 
@@ -0,0 +1,67 @@
+---
+- name: install dns server packages
+ apt:
+ name: "{{ item }}"
+ state: present
+ notify: reload systemd
+ with_items:
+ - bind9
+ - bind9-doc
+ - bind9utils
+
+- name: enable systemd unit bind9
+ systemd:
+ name: bind9
+ enabled: yes
+
+- name: write named.conf
+ template:
+ src: named.conf.j2
+ dest: /etc/bind/named.conf
+ owner: root
+ group: bind
+ mode: 0644
+ notify: restart bind9
+
+- name: write named.conf.options
+ template:
+ src: named.conf.options.j2
+ dest: /etc/bind/named.conf.options
+ owner: root
+ group: bind
+ mode: 0644
+ notify: restart bind9
+
+- name: write named.conf.logging
+ template:
+ src: named.conf.logging.j2
+ dest: /etc/bind/named.conf.logging
+ owner: root
+ group: bind
+ mode: 0644
+ notify: restart bind9
+
+- name: write named.conf for meshes
+ template:
+ src: named.conf.mesh.j2
+ dest: /etc/bind/named.conf.{{ item.value.site_code }}
+ owner: root
+ group: bind
+ mode: 0644
+ notify: restart bind9
+ with_dict: "{{ meshes }}"
+
+- name: write initial icvpn bind config
+ shell: /usr/bin/python3 /home/admin/clones/icvpn-scripts/mkdns -f bind -x mwu -x bingen -s /home/admin/clones/icvpn-meta > /etc/bind/named.conf.icvpn
+ args:
+ chdir: /home/admin/clones/icvpn-scripts
+ creates: /etc/bind/named.conf.icvpn
+ notify: restart bind9
+
+- name: set file attributes for icvpn config
+ file:
+ path: /etc/bind/
+ mode: 0644
+ owner: root
+ group: bird
+ notify: restart bind9
diff --git a/roles/service-bind-slave/templates/named.conf.j2 b/roles/service-bind-slave/templates/named.conf.j2
new file mode 100644
index 0000000..04a4465
--- /dev/null
+++ b/roles/service-bind-slave/templates/named.conf.j2
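Review bot: The last task applies `mode: 0644` and `group: bird` to `path: /etc/bind/`; on a directory 0644 removes the execute bit, so named can no longer traverse /etc/bind and will fail to start, and `bird` looks copied from the service-bird-icvpn role's attribute tasks rather than the `bind` group used on every other file here. The task name and the `creates:` of the preceding `shell` task suggest the intended target is the generated file: `path: /etc/bind/named.conf.icvpn` with `group: bind`. Since that file is created by shell redirection with whatever umask the run has, this attribute task is also the right place to pin its mode.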
@@ -0,0 +1,11 @@
+//
+// {{ ansible_managed }}
+//
+
+include "/etc/bind/named.conf.options";
+include "/etc/bind/named.conf.default-zones";
+include "/etc/bind/named.conf.logging";
+{% for mesh_id, mesh_value in meshes.iteritems() %}
+include "/etc/bind/named.conf.{{ mesh_value.site_code }}";
+{% endfor %}
+include "/etc/bind/named.conf.icvpn";
diff --git a/roles/service-bind-slave/templates/named.conf.logging.j2 b/roles/service-bind-slave/templates/named.conf.logging.j2
new file mode 100644
index 0000000..21908ef
--- /dev/null
+++ b/roles/service-bind-slave/templates/named.conf.logging.j2
@@ -0,0 +1,9 @@
+//
+// {{ ansible_managed }}
+//
+
+logging {
+ channel null { null; };
+ category default { null; };
+};
+
diff --git a/roles/service-bind-slave/templates/named.conf.mesh.j2 b/roles/service-bind-slave/templates/named.conf.mesh.j2
new file mode 100644
index 0000000..2daf882
--- /dev/null
+++ b/roles/service-bind-slave/templates/named.conf.mesh.j2
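Review bot: `category default { null; };` with no other category configured silences every BIND log class, including `security` (refused queries and transfers), `xfer-in` and `notify`, which are exactly the events an operator needs to notice a failing or abused slave. Keeping the null channel for the noisy default category is fine, but route at least those three categories to syslog, e.g. `channel syslog { syslog daemon; severity info; };` followed by `category security { syslog; }; category xfer-in { syslog; }; category notify { syslog; };`.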
@@ -0,0 +1,58 @@ +// +// {{ ansible_managed }} +// + +// ACLs +masters "ns-master-{{ item.value.site_code }}" { + {{ item.value.dns.master }}; +}; + +{% for zone_id, zone_value in item.value.dns.forward_zones.iteritems() %} +{% if zone_value.master is defined %} +masters "ns-master-{{ zone_id }}" { + {{ zone_value.master }}; +}; + +{% endif %} +{% endfor %} + +acl "intern-{{ item.value.site_code }}" { + {{ item.value.ipv4_network | ipaddr('net') | ipaddr('network/prefix') }}; +{% for prefix in item.value.ipv6.ula %} + {{ prefix | ipaddr('net') | ipaddr('network/prefix') }}; +{% endfor %} +}; + +// DNS forward zones for {{ item.value.site_code }} +{% for zone_id, zone_value in item.value.dns.forward_zones.iteritems() %} +zone "{{ zone_id }}." { + type slave; + file "{{ zone_id }}.db"; +{% if zone_value.master is defined %} + masters { ns-master-{{ zone_id }}; }; +{% else %} + masters { ns-master-{{ item.value.site_code }}; }; +{% endif %} +}; +{% if not loop.last %} + +{% endif %} +{% endfor %} + +// DNS reverse zones for {{ item.value.site_code }} +zone "{{ item.value.ipv4_network | ipaddr('net') | ipaddr('revdns') }}" { + type slave; + file "{{ item.value.ipv4_network | ipaddr('net') | ipaddr('revdns') }}"; + masters { ns-master-{{ item.value.site_code }}; }; +}; + +{% for prefix in item.value.ipv6.ula %} +zone "{{ prefix | ipaddr('net') | ipaddr('revdns') }}" { + type slave; + file "{{ prefix | ipaddr('net') | ipaddr('revdns') }}"; + masters { ns-master-{{ item.value.site_code }}; }; +}; +{% if not loop.last %} + +{% endif %} +{% endfor %} diff --git a/roles/service-bind-slave/templates/named.conf.options.j2 b/roles/service-bind-slave/templates/named.conf.options.j2 new file mode 100644 index 0000000..1fec575 --- /dev/null +++ b/roles/service-bind-slave/templates/named.conf.options.j2 
@@ -0,0 +1,37 @@
+//
+// {{ ansible_managed }}
+//
+options {
+ directory "/var/cache/bind";
+
+ dnssec-validation no;
+ auth-nxdomain no;
+
+ allow-query { any; };
+ allow-recursion {
+ 127.0.0.1;
+ ::1;
+{% for mesh_id, mesh_value in meshes.iteritems() %}
+ intern-{{ mesh_value.site_code }};
+{% endfor %}
+ };
+ allow-transfer { any; };
+
+ listen-on {
+ 127.0.0.1;
+{% for mesh_id, mesh_value in meshes.iteritems() %}
+ {{ mesh_value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') }};
+{% endfor %}
+ {{ icvpn_ipv4_transfer_net | ipaddr('net') | ipsubnet(24, 37) | ipaddr(magic) | ipaddr('address') }};
+ };
+
+ listen-on-v6 {
+ ::1;
+{% for mesh_id, mesh_value in meshes.iteritems() %}
+{% for ip in mesh_value.ipv6.ula %}
+ {{ ip | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) }};
+{% endfor %}
+{% endfor %}
+ {{ icvpn_ipv6_transfer_net | ipaddr('net') | ipsubnet(112, 37) | ipaddr(magic) | ipaddr('address') }};
+ };
+};
From 2f32bd6c1e6da0a8c8988c9e503cf7fcb2585508 Mon Sep 17 00:00:00 2001
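Review bot: `allow-transfer { any; };` lets every client that can reach a listen address — mesh clients on the `ipv4_network`/ULA addresses and icvpn peers on the transfer net, both listed under `listen-on` here — pull a full AXFR of each slave zone, including the reverse zones. Unless other slaves are meant to transfer from these gateways, restrict it to `allow-transfer { none; };` or to the `intern-*` ACLs already used for `allow-recursion`, and if a downstream slave exists name it explicitly. `allow-query { any; }` is reasonable for authoritative answers because recursion is scoped separately, and a short comment saying so would make the intended exposure clear to the next reader.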
From: Tobias Hachmer Date: Tue, 3 Oct 2017 14:37:39 +0200 Subject: [PATCH 030/106] Restructure network interfaces in order to use ifupdown2 - rewrite interface templates for batman, fastd, ffrl and meshbridge - add package ethtool to role server-basic - use more ipaddr filters and get rid of unneeded variables in dict ffrl_exit_server - change ffrl_public_ipv4_nat variable to ip/prefix format - update readme files --- inventory/group_vars/all | 2 ++ roles/network-batman/handlers/main.yml | 6 +++--- roles/network-batman/tasks/main.yml | 9 ++------- roles/network-batman/templates/batman.j2 | 20 ++++++++----------- roles/network-batman/templates/dummy.j2 | 9 +++------ roles/network-batman/templates/sysfs.j2 | 4 ---- roles/network-fastd/handlers/main.yml | 5 +++++ roles/network-fastd/tasks/main.yml | 2 ++ .../templates/fastd-intragate.j2 | 8 +++----- roles/network-fastd/templates/fastd-mesh.j2 | 8 +++----- roles/network-ffrl/README.md | 18 ----------------- roles/network-ffrl/handlers/main.yml | 5 +++++ roles/network-ffrl/tasks/main.yml | 1 + roles/network-ffrl/templates/ffrl.j2 | 20 +++++++++---------- roles/network-iptables-gateway/README.md | 2 +- .../templates/rules.v4.j2 | 2 +- roles/network-meshbridge/handlers/main.yml | 5 +++++ roles/network-meshbridge/tasks/main.yml | 1 + roles/network-meshbridge/templates/bridge.j2 | 17 +++++----------- roles/server-basic/vars/main.yml | 1 + roles/service-bird-ffrl/README.md | 20 +------------------ .../templates/ffrl_ipv4.conf.j2 | 6 +++--- .../templates/ffrl_ipv4_peers.conf.j2 | 4 ++-- .../templates/fastd-intragate.conf.j2 | 14 +++++++++++++ .../templates/fastd-mesh.conf.j2 | 14 +++++++++++++ roles/service-rclocal/README.md | 2 +- roles/service-rclocal/templates/rc.local.j2 | 4 ++-- 27 files changed, 98 insertions(+), 111 deletions(-) delete mode 100644 roles/network-batman/templates/sysfs.j2 create mode 100644 roles/network-fastd/handlers/main.yml create mode 100644 roles/network-ffrl/handlers/main.yml 
diff --git a/inventory/group_vars/all b/inventory/group_vars/all index 94a0b71..d6edaf7 100644 --- a/inventory/group_vars/all +++ b/inventory/group_vars/all @@ -35,6 +35,7 @@ meshes: gw: server 96mbit/96mbit mm: 0 dat: 0 + hop_penalty: 60 iface_mtu: 1350 peers_mesh_repo: https://github.com/freifunk-mwu/peers-ffmz.git peers_intragate_repo: https://github.com/freifunk-mwu/ffmz-infrastructure-peers.git @@ -66,6 +67,7 @@ meshes: gw: server 96mbit/96mbit mm: 0 dat: 0 + hop_penalty: 60 iface_mtu: 1350 peers_mesh_repo: https://github.com/freifunk-mwu/peers-ffwi.git peers_intragate_repo: https://github.com/freifunk-mwu/ffwi-infrastructure-peers.git diff --git a/roles/network-batman/handlers/main.yml b/roles/network-batman/handlers/main.yml index 6eb2fa0..191d07d 100644 --- a/roles/network-batman/handlers/main.yml +++ b/roles/network-batman/handlers/main.yml @@ -1,5 +1,5 @@ --- -- name: activate sysfs variables +- name: reload network interfaces systemd: - name: sysfsutils - state: restarted + name: networking + state: reloaded diff --git a/roles/network-batman/tasks/main.yml b/roles/network-batman/tasks/main.yml index 9e181cb..d4e065e 100644 --- a/roles/network-batman/tasks/main.yml +++ b/roles/network-batman/tasks/main.yml @@ -3,17 +3,12 @@ template: src: dummy.j2 dest: "/etc/network/interfaces.d/{{ item.key }}0" + notify: reload network interfaces with_dict: "{{ meshes }}" - name: create batman interfaces template: src: batman.j2 dest: "/etc/network/interfaces.d/{{ item.key }}BAT" + notify: reload network interfaces with_dict: "{{ meshes }}" - -- name: set sysfs variables - template: - src: sysfs.j2 - dest: "/etc/sysfs.d/99-{{ item.key }}BAT.conf" - with_dict: "{{ meshes }}" - notify: activate sysfs variables diff --git a/roles/network-batman/templates/batman.j2 b/roles/network-batman/templates/batman.j2 index 4a21e56..b907e87 100644 --- a/roles/network-batman/templates/batman.j2 +++ b/roles/network-batman/templates/batman.j2 
@@ -4,15 +4,11 @@ # {{ ansible_managed }} # auto {{ item.key }}BAT -iface {{ item.key }}BAT inet manual - pre-up /sbin/ip link add name $IFACE type batadv - pre-up /sbin/ip link set address {{ mac | hwaddr('linux') }} dev $IFACE - pre-up /sbin/ip link set dev {{ item.key }}0 master $IFACE - pre-up /sbin/ip link set up dev $IFACE - post-up /sbin/ip addr flush dev $IFACE - post-up /usr/sbin/batctl -m $IFACE it {{ item.value.batman.it }} - post-up /usr/sbin/batctl -m $IFACE gw {{ item.value.batman.gw }} - post-up /usr/sbin/batctl -m $IFACE mm {{ item.value.batman.mm }} - post-up /usr/sbin/batctl -m $IFACE dat {{ item.value.batman.dat }} - post-down /sbin/ip link set dev {{ item.key }}0 nomaster - post-down /sbin/ip link delete $IFACE 2>&1 || true +iface {{ item.key }}BAT + hwaddress {{ mac | hwaddr('linux') }} + batman-ifaces {{ item.key }}0 {{ item.key }}VPN {{ item.key }}igVPN + batman-hop-penalty {{ item.value.batman.hop_penalty }} + post-up /usr/sbin/batctl -m $IFACE it {{ item.value.batman.it }} + post-up /usr/sbin/batctl -m $IFACE gw {{ item.value.batman.gw }} + post-up /usr/sbin/batctl -m $IFACE mm {{ item.value.batman.mm }} + post-up /usr/sbin/batctl -m $IFACE dat {{ item.value.batman.dat }} diff --git a/roles/network-batman/templates/dummy.j2 b/roles/network-batman/templates/dummy.j2 index 6427cf2..6c6af99 100644 --- a/roles/network-batman/templates/dummy.j2 +++ b/roles/network-batman/templates/dummy.j2 @@ -4,9 +4,6 @@ # {{ ansible_managed }} # auto {{ item.key }}0 -iface {{ item.key }}0 inet manual - pre-up /sbin/ip link add $IFACE type dummy - pre-up /sbin/ip link set address {{ mac | hwaddr('linux') }} dev $IFACE - pre-up /sbin/ip link set up dev $IFACE - post-up /sbin/ip addr flush dev $IFACE - post-down /sbin/ip link delete $IFACE 2>&1 || true +iface {{ item.key }}0 + link-type dummy + hwaddress {{ mac | hwaddr('linux') }} 
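Review bot: `batman-ifaces` now lists `{{ item.key }}VPN` and `{{ item.key }}igVPN`, TAP interfaces that only exist once the fastd instances are running, while the fastd configs added in this same commit (fastd-mesh.conf.j2 and fastd-intragate.conf.j2 `on up` hooks) also attach them with `batctl if add`. That leaves two places deciding batman membership, and a `reload network interfaces` while fastd is stopped will presumably make ifupdown2 report the missing ports. Keeping only the dummy interface here (`batman-ifaces {{ item.key }}0`) and leaving the VPN attach to the fastd hooks, or the reverse, gives one source of truth; whichever is chosen should be stated in a comment in the template.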
diff --git a/roles/network-batman/templates/sysfs.j2 b/roles/network-batman/templates/sysfs.j2 deleted file mode 100644 index 63aeea6..0000000 --- a/roles/network-batman/templates/sysfs.j2 +++ /dev/null @@ -1,4 +0,0 @@ -# -# {{ ansible_managed }} -# -class/net/{{ item.key }}BAT/mesh/hop_penalty = 60 diff --git a/roles/network-fastd/handlers/main.yml b/roles/network-fastd/handlers/main.yml new file mode 100644 index 0000000..191d07d --- /dev/null +++ b/roles/network-fastd/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: reload network interfaces + systemd: + name: networking + state: reloaded diff --git a/roles/network-fastd/tasks/main.yml b/roles/network-fastd/tasks/main.yml index 978d76d..d1b2ab5 100644 --- a/roles/network-fastd/tasks/main.yml +++ b/roles/network-fastd/tasks/main.yml @@ -3,10 +3,12 @@ template: src: fastd-mesh.j2 dest: "/etc/network/interfaces.d/{{ item.key }}VPN" + notify: reload network interfaces with_dict: "{{ meshes }}" - name: create fastd intragate interfaces template: src: fastd-intragate.j2 dest: "/etc/network/interfaces.d/{{ item.key }}igVPN" + notify: reload network interfaces with_dict: "{{ meshes }}" diff --git a/roles/network-fastd/templates/fastd-intragate.j2 b/roles/network-fastd/templates/fastd-intragate.j2 index f9d105b..838ddc5 100644 --- a/roles/network-fastd/templates/fastd-intragate.j2 +++ b/roles/network-fastd/templates/fastd-intragate.j2 @@ -3,8 +3,6 @@ # # {{ ansible_managed }} # -allow-hotplug {{ item.key }}igVPN -iface {{ item.key }}igVPN inet manual - pre-up /sbin/ip link set address {{ mac | hwaddr('linux') }} dev $IFACE - post-up /sbin/ip link set dev $IFACE up - post-up /sbin/ip link set dev $IFACE master {{ item.key }}BAT +auto {{ item.key }}igVPN +iface {{ item.key }}igVPN + hwaddress {{ mac | hwaddr('linux') }} diff --git a/roles/network-fastd/templates/fastd-mesh.j2 b/roles/network-fastd/templates/fastd-mesh.j2 index cc64fcb..1a41329 100644 --- a/roles/network-fastd/templates/fastd-mesh.j2 
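Review bot: `auto {{ item.key }}igVPN` replaces `allow-hotplug`, so `networking.service` will try to bring the interface up at boot before fastd has created the TAP device, whereas `allow-hotplug` deferred that until the device appeared; the same change is in fastd-mesh.j2 on the next line. In addition, the `hwaddress {{ mac | hwaddr('linux') }}` stanza kept here competes with the `ip link set address` in the fastd `on up` hook added in fastd-intragate.conf.j2, which appears to compute a different, per-mesh address, so whichever runs last wins. One of the two MAC sources should go, with a comment in the remaining place saying where the address comes from.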
+++ b/roles/network-fastd/templates/fastd-mesh.j2 @@ -3,8 +3,6 @@ # # {{ ansible_managed }} # -allow-hotplug {{ item.key }}VPN -iface {{ item.key }}VPN inet manual - pre-up /sbin/ip link set address {{ mac | hwaddr('linux') }} dev $IFACE - post-up /sbin/ip link set dev $IFACE up - post-up /sbin/ip link set dev $IFACE master {{ item.key }}BAT +auto {{ item.key }}VPN +iface {{ item.key }}VPN + hwaddress {{ mac | hwaddr('linux') }} diff --git a/roles/network-ffrl/README.md b/roles/network-ffrl/README.md index c19e007..4ba787e 100644 --- a/roles/network-ffrl/README.md +++ b/roles/network-ffrl/README.md @@ -9,43 +9,25 @@ ffrl_exit_server: ffrl-a-ak-ber: public_ipv4_address: 185.66.195.0 tunnel_ipv4_network: # IPv4 Tunnel Transfernetz - tunnel_ipv4_address: # Eigene Tunnel IPv4 Adresse - tunnel_ipv4_netmask: 255.255.255.254 tunnel_ipv6_network: # IPv6 Tunnel Transfernetz - tunnel_ipv6_netmask: 64 ffrl-b-ak-ber: public_ipv4_address: 185.66.195.1 tunnel_ipv4_network: - tunnel_ipv4_address: - tunnel_ipv4_netmask: 255.255.255.254 tunnel_ipv6_network: - tunnel_ipv6_netmask: 64 ffrl-a-ix-dus: public_ipv4_address: 185.66.193.0 tunnel_ipv4_network: - tunnel_ipv4_address: - tunnel_ipv4_netmask: 255.255.255.254 tunnel_ipv6_network: - tunnel_ipv6_netmask: 64 ffrl-b-ix-dus: public_ipv4_address: 185.66.193.1 tunnel_ipv4_network: - tunnel_ipv4_address: - tunnel_ipv4_netmask: 255.255.255.254 tunnel_ipv6_network: - tunnel_ipv6_netmask: 64 ffrl-a-fra2-fra: public_ipv4_address: 185.66.194.0 tunnel_ipv4_network: - tunnel_ipv4_address: - tunnel_ipv4_netmask: 255.255.255.254 tunnel_ipv6_network: - tunnel_ipv6_netmask: 64 ffrl-b-fra2-fra: public_ipv4_address: 185.66.194.1 tunnel_ipv4_network: - tunnel_ipv4_address: - tunnel_ipv4_netmask: 255.255.255.254 tunnel_ipv6_network: - tunnel_ipv6_netmask: 64 ´´´ diff --git a/roles/network-ffrl/handlers/main.yml b/roles/network-ffrl/handlers/main.yml new file mode 100644 index 0000000..191d07d --- /dev/null +++ b/roles/network-ffrl/handlers/main.yml 
@@ -0,0 +1,5 @@ +--- +- name: reload network interfaces + systemd: + name: networking + state: reloaded diff --git a/roles/network-ffrl/tasks/main.yml b/roles/network-ffrl/tasks/main.yml index 13c7fd0..6a0050b 100644 --- a/roles/network-ffrl/tasks/main.yml +++ b/roles/network-ffrl/tasks/main.yml @@ -3,4 +3,5 @@ template: src: ffrl.j2 dest: "/etc/network/interfaces.d/{{ item.key }}" + notify: reload network interfaces with_dict: "{{ ffrl_exit_server }}" diff --git a/roles/network-ffrl/templates/ffrl.j2 b/roles/network-ffrl/templates/ffrl.j2 index 2dddfc0..4dbc6f1 100644 --- a/roles/network-ffrl/templates/ffrl.j2 +++ b/roles/network-ffrl/templates/ffrl.j2 
@@ -2,15 +2,15 @@ # {{ ansible_managed }} # auto {{ item.key }} -iface {{ item.key }} inet static - address {{ item.value.tunnel_ipv4_address }} - netmask {{ item.value.tunnel_ipv4_netmask }} - pre-up /sbin/ip tunnel add $IFACE mode gre local {{ ansible_default_ipv4.address | ipaddr('public') }} remote {{ item.value.public_ipv4_address | ipaddr('public') }} ttl 255 - post-up /sbin/ip link set $IFACE mtu 1400 - post-up /sbin/ip addr add {{ ffrl_public_ipv4_nat }}/32 dev $IFACE - post-down /sbin/ip tunnel del $IFACE +iface {{ item.key }} inet tunnel + mode gre + local {{ ansible_default_ipv4.address | ipaddr('public') | ipaddr('address') }} + endpoint {{ item.value.public_ipv4_address | ipaddr('public') | ipaddr('address') }} -iface {{ item.key }} inet6 static - address {{ item.value.tunnel_ipv6_network | ipaddr('net') | ipaddr('2') | ipaddr('address') }} - netmask {{ item.value.tunnel_ipv6_netmask }} + ttl 64 + mtu 1400 + tunnel-physdev {{ ansible_default_ipv4.interface }} + address {{ item.value.tunnel_ipv4_network | ipaddr('net') | ipaddr('1') | ipaddr('address') }}/{{ item.value.tunnel_ipv4_network | ipaddr('net') | ipaddr('prefix') }} + address {{ item.value.tunnel_ipv6_network | ipaddr('net') | ipaddr('2') | ipaddr('address') }}/{{ item.value.tunnel_ipv6_network | ipaddr('net') | ipaddr('prefix') }} + address {{ ffrl_public_ipv4_nat | ipaddr('address') }}/{{ ffrl_public_ipv4_nat | ipaddr('prefix') }} diff --git a/roles/network-iptables-gateway/README.md b/roles/network-iptables-gateway/README.md index 75cc545..3809044 100644 --- a/roles/network-iptables-gateway/README.md +++ b/roles/network-iptables-gateway/README.md @@ -26,4 +26,4 @@ meshes: ´´´ - Variable `internet_exit_mtu_ipv4` - Variable `internet_exit_mtu_ipv6` -- Host Variable `ffrl_public_ipv4_nat` +- Host Variable `ffrl_public_ipv4_nat` # Format ip-adresse/prefix 
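Review bot: `ttl 64` silently replaces the previous `ttl 255` on the GRE tunnels and the commit message does not mention it; if 255 was deliberate, it should be restored, otherwise a comment such as `# ttl 64: <reason — confirm with uplink provider>` (placeholder) should record why. The host's own address is now derived as index 1 of `tunnel_ipv4_network` here and in ffrl_ipv4_peers.conf.j2 (peer side = index 0), a convention the README hunks in this commit do not state; a line like `tunnel_ipv4_network: # /31 transfer net: low address = FFRL side, high address = this host` in both READMEs would prevent a silent mismatch. Finally, the full prefix of `ffrl_public_ipv4_nat` is now attached to every tunnel interface and also used for the bird reject route and the `ip -4 rule` lines (ffrl_ipv4.conf.j2, rc.local.j2); this only matches the old hard-coded `/32` when the host variable is written as a /32, so the `# Format ip-adresse/prefix` README note should say which prefix is expected.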
diff --git a/roles/network-iptables-gateway/templates/rules.v4.j2 b/roles/network-iptables-gateway/templates/rules.v4.j2 index b3f0cce..f348113 100644 --- a/roles/network-iptables-gateway/templates/rules.v4.j2 +++ b/roles/network-iptables-gateway/templates/rules.v4.j2 @@ -34,5 +34,5 @@ COMMIT {% for mesh_id, mesh_value in meshes.iteritems() %} -A POSTROUTING -s {{ mesh_value.ipv4_network | ipaddr('private') | ipaddr('net') }} -o ffrl+ -j ffrl-nat {% endfor %} --A ffrl-nat -o ffrl+ -j SNAT --to-source {{ ffrl_public_ipv4_nat }} +-A ffrl-nat -o ffrl+ -j SNAT --to-source {{ ffrl_public_ipv4_nat | ipaddr('address') }} COMMIT diff --git a/roles/network-meshbridge/handlers/main.yml b/roles/network-meshbridge/handlers/main.yml index 6eb2fa0..a07c6fa 100644 --- a/roles/network-meshbridge/handlers/main.yml +++ b/roles/network-meshbridge/handlers/main.yml @@ -3,3 +3,8 @@ systemd: name: sysfsutils state: restarted + +- name: reload network interfaces + systemd: + name: networking + state: reloaded diff --git a/roles/network-meshbridge/tasks/main.yml b/roles/network-meshbridge/tasks/main.yml index 3b360e3..a8717c5 100644 --- a/roles/network-meshbridge/tasks/main.yml +++ b/roles/network-meshbridge/tasks/main.yml @@ -3,6 +3,7 @@ template: src: bridge.j2 dest: "/etc/network/interfaces.d/{{ item.key }}BR" + notify: reload network interfaces with_dict: "{{ meshes }}" - name: set sysfs variables diff --git a/roles/network-meshbridge/templates/bridge.j2 b/roles/network-meshbridge/templates/bridge.j2 index 7a81040..b3f47ec 100644 --- a/roles/network-meshbridge/templates/bridge.j2 +++ b/roles/network-meshbridge/templates/bridge.j2 
@@ -4,19 +4,12 @@ # {{ ansible_managed }} # auto {{ item.key }}BR -iface {{ item.key }}BR inet manual - address {{ item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') }} - network {{ item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('network') }} - netmask {{ item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('netmask') }} - broadcast {{ item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('broadcast') }} - pre-up /sbin/ip link add name $IFACE type bridge - pre-up /sbin/ip link set address {{ mac | hwaddr('linux') }} dev $IFACE - pre-up /sbin/ip link set dev {{ item.key }}BAT master $IFACE - pre-up /sbin/ip link set up dev $IFACE +iface {{ item.key }}BR + hwaddress {{ mac | hwaddr('linux') }} + address {{ item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') }}/{{ item.value.ipv4_network | ipaddr('net') | ipaddr('prefix') }} {% for ip_type, ip_list in item.value.ipv6.iteritems() %} {% for ip in ip_list %} - up /sbin/ip address add {{ ip | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) }} dev $IFACE + address {{ ip | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('address') }}/{{ ip | ipaddr('net') | ipsubnet(64, 0) | ipaddr('prefix') }} {% endfor %} {% endfor %} - post-down /sbin/ip link set dev {{ item.key }}BAT nomaster - post-down /sbin/ip link delete $IFACE 2>&1 || true + bridge-ports {{ item.key }}BAT diff --git a/roles/server-basic/vars/main.yml b/roles/server-basic/vars/main.yml index ea015d5..68bc696 100644 --- a/roles/server-basic/vars/main.yml +++ b/roles/server-basic/vars/main.yml @@ -2,6 +2,7 @@ packages: - apt-transport-https - bridge-utils + - ethtool - ifupdown2 - man-db - mlocate diff --git a/roles/service-bird-ffrl/README.md b/roles/service-bird-ffrl/README.md index 5bed19b..63cd910 100644 --- a/roles/service-bird-ffrl/README.md +++ b/roles/service-bird-ffrl/README.md 
@@ -23,47 +23,29 @@ ffrl_exit_server: ffrl-a-ak-ber: public_ipv4_address: 185.66.195.0 tunnel_ipv4_network: # Tunnel-Netzwerk in CIDR - tunnel_ipv4_address: # Eigene Tunnel IPv4 Adresse - tunnel_ipv4_netmask: 255.255.255.254 tunnel_ipv6_network: # IPv6 Transfernetz - tunnel_ipv6_netmask: 64 ffrl-b-ak-ber: public_ipv4_address: 185.66.195.1 tunnel_ipv4_network: - tunnel_ipv4_address: - tunnel_ipv4_netmask: 255.255.255.254 tunnel_ipv6_network: - tunnel_ipv6_netmask: 64 ffrl-a-ix-dus: public_ipv4_address: 185.66.193.0 tunnel_ipv4_network: - tunnel_ipv4_address: - tunnel_ipv4_netmask: 255.255.255.254 tunnel_ipv6_network: - tunnel_ipv6_netmask: 64 ffrl-b-ix-dus: public_ipv4_address: 185.66.193.1 tunnel_ipv4_network: - tunnel_ipv4_address: - tunnel_ipv4_netmask: 255.255.255.254 tunnel_ipv6_network: - tunnel_ipv6_netmask: 64 ffrl-a-fra2-fra: public_ipv4_address: 185.66.194.0 tunnel_ipv4_network: - tunnel_ipv4_address: - tunnel_ipv4_netmask: 255.255.255.254 tunnel_ipv6_network: - tunnel_ipv6_netmask: 64 ffrl-b-fra2-fra: public_ipv4_address: 185.66.194.1 tunnel_ipv4_network: - tunnel_ipv4_address: - tunnel_ipv4_netmask: 255.255.255.254 tunnel_ipv6_network: - tunnel_ipv6_netmask: 64 ´´´ -- Host Variable `ffrl_public_ipv4_nat` # IPv4 NAT Adresse für das Gateway +- Host Variable `ffrl_public_ipv4_nat` # Format ip-adresse/prefix - Host Variable `magic` ## Benötigte roles diff --git a/roles/service-bird-ffrl/templates/ffrl_ipv4.conf.j2 b/roles/service-bird-ffrl/templates/ffrl_ipv4.conf.j2 index ba7c5b3..66d8fd8 100644 --- a/roles/service-bird-ffrl/templates/ffrl_ipv4.conf.j2 +++ b/roles/service-bird-ffrl/templates/ffrl_ipv4.conf.j2 @@ -4,7 +4,7 @@ # Variables define ffrl_as = {{ as_public_ffrl }}; -define ffrl_nat_address = {{ ffrl_public_ipv4_nat }}; +define ffrl_nat_address = {{ ffrl_public_ipv4_nat | ipaddr('address') }}; # Routing Table table ffrl; 
@@ -12,7 +12,7 @@ table ffrl; # Functions function is_ffrl_nat() { return net ~ [ - {{ ffrl_public_ipv4_nat }} + {{ ffrl_public_ipv4_nat | ipaddr('address') }}/{{ ffrl_public_ipv4_nat | ipaddr('prefix') }} ]; } @@ -38,7 +38,7 @@ filter ebgp_ffrl_export_filter { # Protocols protocol static ffrl_uplink_hostroute { table ffrl; - route {{ ffrl_public_ipv4_nat }}/32 reject; + route {{ ffrl_public_ipv4_nat | ipaddr('address') }}/{{ ffrl_public_ipv4_nat | ipaddr('prefix') }} reject; } protocol direct ffrl_tunnels { diff --git a/roles/service-bird-ffrl/templates/ffrl_ipv4_peers.conf.j2 b/roles/service-bird-ffrl/templates/ffrl_ipv4_peers.conf.j2 index d646e33..5f6f1fb 100644 --- a/roles/service-bird-ffrl/templates/ffrl_ipv4_peers.conf.j2 +++ b/roles/service-bird-ffrl/templates/ffrl_ipv4_peers.conf.j2 @@ -4,8 +4,8 @@ {% for peer_id, peer_value in ffrl_exit_server.iteritems() %} protocol bgp '{{ peer_id }}' from ffrl_uplink { - source address {{ peer_value.tunnel_ipv4_address | ipaddr('address') }}; - neighbor {{ peer_value.tunnel_ipv4_network | ipaddr('address') }} as ffrl_as; + source address {{ peer_value.tunnel_ipv4_network | ipaddr('net') | ipaddr('1') | ipaddr('address') }}; + neighbor {{ peer_value.tunnel_ipv4_network | ipaddr('net') | ipaddr('address') }} as ffrl_as; }; {% if not loop.last %} diff --git a/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 b/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 index 7f84c1c..d9e435d 100644 --- a/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 +++ b/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 @@ -1,3 +1,5 @@ +{% set ip4hex = item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} +{% set mac = '0212' + ip4hex -%} # # {{ ansible_managed }} # 
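Review bot: `{% set mac = '0212' + ip4hex -%}` at the top of fastd-intragate.conf.j2 shadows the host variable `mac` that the interface templates in this commit pass through `hwaddr('linux')`, so a reader cannot tell which address is meant; the same pattern appears in fastd-mesh.conf.j2 on the next line with `'0211'`. Renaming the template-local value, e.g. `{% set fastd_mac = '0212' + ip4hex -%}` and `ip link set address {{ fastd_mac }} dev $INTERFACE`, removes the ambiguity. A short comment explaining what the `0212`/`0211` prefix distinguishes and what `ip4_hex` yields would also help the next maintainer.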
@@ -20,4 +22,16 @@ peer group "servers" { include peers from "peers/services"; } +on up " + ip link set $INTERFACE down + ip link set address {{ mac }} dev $INTERFACE + ip link set $INTERFACE up + + batctl -m {{ item.key }}BAT if add $INTERFACE +"; + +on down " + batctl -m {{ item.key }}BAT if del $INTERFACE +"; + status socket "/var/run/fastd-{{ item.key }}ig.status"; diff --git a/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 b/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 index eb81c7b..33d919c 100644 --- a/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 +++ b/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 @@ -1,3 +1,5 @@ +{% set ip4hex = item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} +{% set mac = '0211' + ip4hex -%} # # {{ ansible_managed }} # @@ -27,4 +29,16 @@ peer group "servers" { include peers from "peers/servers"; } +on up " + ip link set $INTERFACE down + ip link set address {{ mac }} dev $INTERFACE + ip link set $INTERFACE up + + batctl -m {{ item.key }}BAT if add $INTERFACE +"; + +on down " + batctl -m {{ item.key }}BAT if del $INTERFACE +"; + status socket "/var/run/fastd-{{ item.key }}.status"; diff --git a/roles/service-rclocal/README.md b/roles/service-rclocal/README.md index bc3d228..5725ae6 100644 --- a/roles/service-rclocal/README.md +++ b/roles/service-rclocal/README.md @@ -22,5 +22,5 @@ meshes: iface_mtu: # integer ´´´ - Host Variable `magic` -- Host Variable `ffrl_public_ipv4_nat` +- Host Variable `ffrl_public_ipv4_nat` # Format ip-adresse/prefix - Host Dictionary `ffrl_exit_server` diff --git a/roles/service-rclocal/templates/rc.local.j2 b/roles/service-rclocal/templates/rc.local.j2 index 797a2fa..144e106 100644 --- a/roles/service-rclocal/templates/rc.local.j2 +++ b/roles/service-rclocal/templates/rc.local.j2 
@@ -64,8 +64,8 @@ ip -6 rule add to {{ public }} lookup internet priority 41 {% endfor %} ip -6 rule add from all oif {{ key }}BR lookup internet priority 41 {% endfor %} -ip -4 rule add from {{ ffrl_public_ipv4_nat }}/32 lookup internet priority 41 -ip -4 rule add to {{ ffrl_public_ipv4_nat }}/32 lookup internet priority 41 +ip -4 rule add from {{ ffrl_public_ipv4_nat | ipaddr('address') }}/{{ ffrl_public_ipv4_nat | ipaddr('prefix') }} lookup internet priority 41 +ip -4 rule add to {{ ffrl_public_ipv4_nat | ipaddr('address') }}/{{ ffrl_public_ipv4_nat | ipaddr('prefix') }} lookup internet priority 41 # Priority 61 - at this point this is the end of policy routing for freifunk related routes {% for key, value in meshes.iteritems() %} From a112f6305e7d7e7fe0dc25666982dc6dd4e1c0e1 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Tue, 3 Oct 2017 14:44:38 +0200 Subject: [PATCH 031/106] Role service-dhcpd: fix disabled notify --- roles/service-dhcpd/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/service-dhcpd/tasks/main.yml b/roles/service-dhcpd/tasks/main.yml index 9430dd6..0104156 100644 --- a/roles/service-dhcpd/tasks/main.yml +++ b/roles/service-dhcpd/tasks/main.yml @@ -31,4 +31,4 @@ template: src: dhcpd.conf.j2 dest: /etc/dhcp/dhcpd.conf -# notify: restart isc dhcp server + notify: restart isc dhcp server From 01af6903e6d11372ef5d53c0bb1b8923feca976e Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Tue, 3 Oct 2017 15:13:00 +0200 Subject: [PATCH 032/106] Role service-fastd-mesh + service-fastd-intragate: fix mac address format --- roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 | 2 +- roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 b/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 index d9e435d..fb46a4c 100644 
--- a/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 +++ b/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 @@ -24,7 +24,7 @@ peer group "servers" { on up " ip link set $INTERFACE down - ip link set address {{ mac }} dev $INTERFACE + ip link set address {{ mac | hwaddr('linux') }} dev $INTERFACE ip link set $INTERFACE up batctl -m {{ item.key }}BAT if add $INTERFACE diff --git a/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 b/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 index 33d919c..9345fad 100644 --- a/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 +++ b/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 @@ -31,7 +31,7 @@ peer group "servers" { on up " ip link set $INTERFACE down - ip link set address {{ mac }} dev $INTERFACE + ip link set address {{ mac | hwaddr('linux') }} dev $INTERFACE ip link set $INTERFACE up batctl -m {{ item.key }}BAT if add $INTERFACE From 3ee405bdf2fe4cb2d28ffc2ee38830d44394ecc0 Mon Sep 17 00:00:00 2001 
From: Tobias Hachmer Date: Tue, 3 Oct 2017 20:25:17 +0200 Subject: [PATCH 033/106] Restructure service-fastd roles - migrate role git-fastd-peers - add role service-fastd - add repo clone for ffbin peers (currently hardcoded) - add role dependency to role service-fastd-mesh + service-fastd-intragate - add systemd handlers --- playbooks/gateways.yml | 4 +- roles/git-fastd-peers/README.md | 21 --------- roles/git-fastd-peers/tasks/main.yml | 43 ------------------ roles/service-fastd-intragate/README.md | 11 ++++- .../service-fastd-intragate/handlers/main.yml | 6 +++ roles/service-fastd-intragate/meta/main.yml | 3 ++ roles/service-fastd-intragate/tasks/main.yml | 29 ++++++++++-- roles/service-fastd-mesh/README.md | 12 ++++- roles/service-fastd-mesh/handlers/main.yml | 6 +++ roles/service-fastd-mesh/meta/main.yml | 3 ++ roles/service-fastd-mesh/tasks/main.yml | 45 +++++++++++++++++-- roles/service-fastd/README.md | 5 +++ roles/service-fastd/handlers/main.yml | 4 ++ roles/service-fastd/tasks/main.yml | 9 ++++ 14 files changed, 123 insertions(+), 78 deletions(-) delete mode 100644 roles/git-fastd-peers/README.md delete mode 100644 roles/git-fastd-peers/tasks/main.yml create mode 100644 roles/service-fastd-intragate/handlers/main.yml create mode 100644 roles/service-fastd-intragate/meta/main.yml create mode 100644 roles/service-fastd-mesh/handlers/main.yml create mode 100644 roles/service-fastd-mesh/meta/main.yml create mode 100644 roles/service-fastd/README.md create mode 100644 roles/service-fastd/handlers/main.yml create mode 100644 roles/service-fastd/tasks/main.yml diff --git a/playbooks/gateways.yml b/playbooks/gateways.yml index d60c0c1..7f9a8f9 100755 --- a/playbooks/gateways.yml +++ b/playbooks/gateways.yml @@ -15,10 +15,10 @@ - network-meshbridge - service-dhcpd - service-radvd + - network-fastd + - service-fastd - service-fastd-mesh - service-fastd-intragate - - git-fastd-peers - - network-fastd - network-iptables-gateway - network-ffrl - service-tinc 
diff --git a/roles/git-fastd-peers/README.md b/roles/git-fastd-peers/README.md deleted file mode 100644 index 0f1ed05..0000000 --- a/roles/git-fastd-peers/README.md +++ /dev/null @@ -1,21 +0,0 @@ -# Ansible role git-fastd-peers -Diese Ansible role hängt von der role service-fastd-mesh bzw. service-fastd-intragate ab und sollte danach ausgeführt werden. - -- installiert die erforderlichen git Pakete -- erstellt die erforderlichen peers Ordner -- klont die fastd peer repos - -## Abhängigkeiten: -- service-fastd-* - -## Benötigte Variablen -- Dictionary `meshes` -``` -meshes: - xx: -... - peers_mesh_repo: # String - https Link zum Github Repository - peers_intragate_repo: # String - https Link zum Github Repository - -´´´ - diff --git a/roles/git-fastd-peers/tasks/main.yml b/roles/git-fastd-peers/tasks/main.yml deleted file mode 100644 index 98eff5d..0000000 --- a/roles/git-fastd-peers/tasks/main.yml +++ /dev/null @@ -1,43 +0,0 @@ ---- -- name: install git packages - apt: - name: "{{ item }}" - state: present - with_items: - - git - -- name: create fastd peer mesh directories - file: - path: "/etc/fastd/{{ item.key }}VPN/peers" - state: directory - mode: 0755 - owner: admin - group: admin - with_dict: "{{ meshes }}" - -- name: create fastd peer intragate directories - file: - path: "/etc/fastd/{{ item.key }}igVPN/peers" - state: directory - mode: 0755 - owner: admin - group: admin - with_dict: "{{ meshes }}" - -- name: clone fastd peer mesh repos - git: - repo: "{{ item.value.peers_mesh_repo }}" - dest: "/etc/fastd/{{ item.key }}VPN/peers" - version: master - update: no - with_dict: "{{ meshes }}" - become: false - -- name: clone fastd peer intragate repos - git: - repo: "{{ item.value.peers_intragate_repo }}" - dest: "/etc/fastd/{{ item.key }}igVPN/peers" - version: master - update: no - with_dict: "{{ meshes }}" - become: false diff --git a/roles/service-fastd-intragate/README.md b/roles/service-fastd-intragate/README.md index 0e10d0e..640e05f 100644 
--- a/roles/service-fastd-intragate/README.md +++ b/roles/service-fastd-intragate/README.md @@ -1,13 +1,14 @@ # Ansible role service-fastd-intragate -Diese Ansible role installiert und konfiguriert die fastd-Instanz für die Intra-Server Kommunikation. +Diese Ansible role konfiguriert die fastd-Instanz für die Intra-Server Kommunikation. -- installiert fastd - konfiguriert xxigVPN-Instanzen - stellt sicher, dass die Instanz-Verzeichnisse existieren - schreibt fastd.conf - schreibt secret.conf - der private fastd Schlüssel wird aus dem Admin passwordstore gelesen (YAML key secret) +- erstellt die erforderlichen peers Ordner +- klont die fastd peer repos ## Benötigte Variablen @@ -17,6 +18,8 @@ meshes: xx: ... site_number: # integer + peers_mesh_repo: # String - https Link zum Github Repository + peers_intragate_repo: # String - https Link zum Github Repository ´´´ - Dictionary `fastd_secrets` (Host-Variable) ´´´ @@ -36,3 +39,7 @@ Das Dictionary `fastd_secrets` folgt dem Aufbau: fastd_secrets: $Instanz-Name: "{{ lookup('passwordstore', '$Pfad-im-passwordstore subkey=secret') }}" ``` + +## Abhängigkeiten + +- role `service-fastd` diff --git a/roles/service-fastd-intragate/handlers/main.yml b/roles/service-fastd-intragate/handlers/main.yml new file mode 100644 index 0000000..4f95a98 --- /dev/null +++ b/roles/service-fastd-intragate/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: restart fastd intragate instances + systemd: + name: "fastd@{{ item.key }}igVPN" + state: restarted + with_dict: "{{ meshes }}" diff --git a/roles/service-fastd-intragate/meta/main.yml b/roles/service-fastd-intragate/meta/main.yml new file mode 100644 index 0000000..d0f177f --- /dev/null +++ b/roles/service-fastd-intragate/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - { role: service-fastd } diff --git a/roles/service-fastd-intragate/tasks/main.yml b/roles/service-fastd-intragate/tasks/main.yml index 4228108..b311fa3 100644 --- a/roles/service-fastd-intragate/tasks/main.yml 
+++ b/roles/service-fastd-intragate/tasks/main.yml @@ -1,8 +1,9 @@ --- -- name: install fastd packages - apt: - name: fastd - state: present +- name: configure systemd unit fastd@ + systemd: + name: "fastd@{{ item.key }}igVPN" + enabled: yes + with_dict: "{{ meshes }}" - name: create fastd intragate directories file: @@ -11,14 +12,34 @@ mode: 0755 with_dict: "{{ meshes }}" +- name: create fastd peer intragate directories + file: + path: "/etc/fastd/{{ item.key }}igVPN/peers" + state: directory + mode: 0755 + owner: admin + group: admin + with_dict: "{{ meshes }}" + +- name: clone fastd peer intragate repos + git: + repo: "{{ item.value.peers_intragate_repo }}" + dest: "/etc/fastd/{{ item.key }}igVPN/peers" + version: master + update: no + with_dict: "{{ meshes }}" + become: false + - name: template fastd mesh config template: src: fastd-intragate.conf.j2 dest: "/etc/fastd/{{ item.key }}igVPN/fastd.conf" + notify: restart fastd intragate instances with_dict: "{{ meshes }}" - name: write fastd intragate secret template: src: fastd-secret.conf.j2 dest: "/etc/fastd/{{ item.key }}igVPN/secret.conf" + notify: restart fastd intragate instances with_dict: "{{ meshes }}" diff --git a/roles/service-fastd-mesh/README.md b/roles/service-fastd-mesh/README.md index a3e414a..5a116cc 100644 --- a/roles/service-fastd-mesh/README.md +++ b/roles/service-fastd-mesh/README.md 
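Review bot: The `write fastd intragate secret` task (context lines at the end of the second hunk) writes the private key to secret.conf without a `mode`, so the file gets whatever the remote umask or an existing file gives it, typically world-readable; adding `mode: "0600"` (with an owner matching the user fastd runs as) closes that, and the same applies to the mesh role's tasks in this commit. The new clone task makes the peers repository the trust anchor for who may join the VPN: anyone who can push to `peers_intragate_repo` adds a peer, and `update: no` means no task here ever refreshes or re-verifies it; if the repositories carry signed commits, `verify_commit: yes` on the git task would enforce that, otherwise a comment stating the trust assumption is the minimum. The `become: false` on the clone presumes the connecting user is `admin`, which matches the `owner: admin` above but is not stated anywhere.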
@@ -1,13 +1,15 @@ # Ansible role service-fastd-mesh -Diese Ansible role installiert und konfiguriert die fastd-Instanz für die Knoten Kommunikation. +Diese Ansible role konfiguriert die fastd-Instanz für die Knoten Kommunikation. -- installiert fastd - konfiguriert xxVPN-Instanzen - stellt sicher, dass die Instanz-Verzeichnisse existieren - schreibt fastd.conf - schreibt secret.conf - der private fastd Schlüssel wird aus dem Admin passwordstore gelesen (YAML key secret) +- erstellt die erforderlichen peers Ordner +- klont die fastd peer repos +- klont bingener fastd peer repo (im Moment hardcoded) ## Benötigte Variablen @@ -17,6 +19,8 @@ meshes: xx: ... site_number: # integer + peers_mesh_repo: # String - https Link zum Github Repository + peers_intragate_repo: # String - https Link zum Github Repository ´´´ - Dictionary `fastd_secrets` (Host-Variable) ´´´ @@ -36,3 +40,7 @@ Das Dictionary `fastd_secrets` folgt dem Aufbau: fastd_secrets: $Instanz-Name: "{{ lookup('passwordstore', '$Pfad-im-passwordstore subkey=secret') }}" ``` + +## Abhängigkeiten + +- role `service-fastd` diff --git a/roles/service-fastd-mesh/handlers/main.yml b/roles/service-fastd-mesh/handlers/main.yml new file mode 100644 index 0000000..567648e --- /dev/null +++ b/roles/service-fastd-mesh/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: restart fastd mesh instances + systemd: + name: "fastd@{{ item.key }}VPN" + state: restarted + with_dict: "{{ meshes }}" diff --git a/roles/service-fastd-mesh/meta/main.yml b/roles/service-fastd-mesh/meta/main.yml new file mode 100644 index 0000000..d0f177f --- /dev/null +++ b/roles/service-fastd-mesh/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - { role: service-fastd } diff --git a/roles/service-fastd-mesh/tasks/main.yml b/roles/service-fastd-mesh/tasks/main.yml index cf0036a..0e2c3c9 100644 --- a/roles/service-fastd-mesh/tasks/main.yml +++ b/roles/service-fastd-mesh/tasks/main.yml 
@@ -1,8 +1,9 @@ --- -- name: install fastd packages - apt: - name: fastd - state: present +- name: configure systemd unit fastd@ + systemd: + name: "fastd@{{ item.key }}VPN" + enabled: yes + with_dict: "{{ meshes }}" - name: create fastd directories file: @@ -11,14 +12,50 @@ mode: 0755 with_dict: "{{ meshes }}" +- name: create fastd peer mesh directories + file: + path: "/etc/fastd/{{ item.key }}VPN/peers" + state: directory + mode: 0755 + owner: admin + group: admin + with_dict: "{{ meshes }}" + +- name: create fastd peer mesh directories for ffbin + file: + path: "/etc/fastd/mzVPN/peers_bingen" + state: directory + mode: 0755 + owner: admin + group: admin + +- name: clone fastd peer mesh repos + git: + repo: "{{ item.value.peers_mesh_repo }}" + dest: "/etc/fastd/{{ item.key }}VPN/peers" + version: master + update: no + with_dict: "{{ meshes }}" + become: false + +- name: clone fastd peer mesh repo for ffbin + git: + repo: https://github.com/freifunk-bingen/peers-ffbin.git + dest: /etc/fastd/mzVPN/peers_bingen + version: master + update: no + become: false + - name: template fastd mesh config template: src: fastd-mesh.conf.j2 dest: "/etc/fastd/{{ item.key }}VPN/fastd.conf" + notify: restart fastd mesh instances with_dict: "{{ meshes }}" - name: write fastd mesh secret template: src: fastd-secret.conf.j2 dest: "/etc/fastd/{{ item.key }}VPN/secret.conf" + notify: restart fastd mesh instances with_dict: "{{ meshes }}" diff --git a/roles/service-fastd/README.md b/roles/service-fastd/README.md new file mode 100644 index 0000000..345c9be --- /dev/null +++ b/roles/service-fastd/README.md @@ -0,0 +1,5 @@ +# Ansible role service-fastd + +Diese Ansible role installiert die erforderlichen Pakete für die fastd Rollen. + +- installiert fastd + git diff --git a/roles/service-fastd/handlers/main.yml b/roles/service-fastd/handlers/main.yml new file mode 100644 index 0000000..bb7fde2 --- /dev/null +++ b/roles/service-fastd/handlers/main.yml 
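Review bot: The `clone fastd peer mesh repo for ffbin` task and its directory task run unconditionally with a hard-coded `dest: /etc/fastd/mzVPN/peers_bingen`, so on any gateway whose `meshes` dict has no `mz` key they create a directory for an instance that does not exist; a guard like `when: "'mz' in meshes"` keeps them from doing that until the repository becomes a variable, as the README hunk acknowledges. Nothing visible in this hunk makes fastd read `peers_bingen`, so presumably the mesh fastd.conf includes that directory — a comment on the task pointing to that include would help.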
@@ -0,0 +1,4 @@ +--- +- name: reload systemd + systemd: + daemon_reload: yes diff --git a/roles/service-fastd/tasks/main.yml b/roles/service-fastd/tasks/main.yml new file mode 100644 index 0000000..3d71fab --- /dev/null +++ b/roles/service-fastd/tasks/main.yml @@ -0,0 +1,9 @@ +--- +- name: install fastd packages + apt: + name: "{{ item }}" + state: present + notify: reload systemd + with_items: + - fastd + - git From 7506fae8a52c8c374ebff82f3457ecc070c14696 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Tue, 3 Oct 2017 20:33:08 +0200 Subject: [PATCH 034/106] Role service-tinc: use a task instead of a handler for systemd stuff --- roles/service-tinc/handlers/main.yml | 6 ++---- roles/service-tinc/tasks/main.yml | 7 ++++++- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/roles/service-tinc/handlers/main.yml b/roles/service-tinc/handlers/main.yml index b88ce92..c829add 100644 --- a/roles/service-tinc/handlers/main.yml +++ b/roles/service-tinc/handlers/main.yml @@ -1,9 +1,7 @@ --- -- name: configure systemd unit tinc +- name: reload systemd systemd: - name: tinc - enabled: yes - daemon_reload: yes + daemon_reload: yes - name: restart systemd unit tinc systemd: diff --git a/roles/service-tinc/tasks/main.yml b/roles/service-tinc/tasks/main.yml index c1ff01f..01adf45 100644 --- a/roles/service-tinc/tasks/main.yml +++ b/roles/service-tinc/tasks/main.yml @@ -3,9 +3,14 @@ apt: name: "{{ item }}" state: present + notify: reload systemd with_items: - tinc - notify: configure systemd unit tinc + +- name: configure systemd unit tinc + systemd: + name: tinc + enabled: yes - name: clone icvpn repo git: From 937238d26e3e1ec33a2786bfc9376f9f05e623f2 Mon Sep 17 00:00:00 2001 
From: Tobias Hachmer Date: Tue, 3 Oct 2017 20:43:23 +0200 Subject: [PATCH 035/106] Role service-radvd: update handlers --- roles/service-radvd/handlers/main.yml | 9 +++++++++ roles/service-radvd/tasks/main.yml | 4 ++-- 2 files changed, 11 insertions(+), 2 deletions(-) create mode 100644 roles/service-radvd/handlers/main.yml diff --git a/roles/service-radvd/handlers/main.yml b/roles/service-radvd/handlers/main.yml new file mode 100644 index 0000000..6bc9334 --- /dev/null +++ b/roles/service-radvd/handlers/main.yml @@ -0,0 +1,9 @@ +--- +- name: reload systemd + systemd: + daemon_reload: yes + +- name: restart systemd unit radvd + systemd: + name: radvd + state: restarted diff --git a/roles/service-radvd/tasks/main.yml b/roles/service-radvd/tasks/main.yml index 42c4ba7..2197bec 100644 --- a/roles/service-radvd/tasks/main.yml +++ b/roles/service-radvd/tasks/main.yml @@ -3,15 +3,15 @@ apt: name: radvd state: present + notify: reload systemd - name: enable systemd unit radvd systemd: name: radvd enabled: yes - daemon_reload: yes - name: configure radvd template: src: radvd.conf.j2 dest: /etc/radvd.conf - #notify: restart radvd + notify: restart systemd unit radvd From ef6bedfee5e83f9ae0bdfd8a926f3eca31377945 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Tue, 3 Oct 2017 20:52:02 +0200 Subject: [PATCH 036/106] Update loop keys --- roles/service-dhcpd/tasks/main.yml | 2 +- roles/service-radvd/templates/radvd.conf.j2 | 10 +-- roles/service-rclocal/templates/rc.local.j2 | 70 ++++++++++----------- 3 files changed, 41 insertions(+), 41 deletions(-) diff --git a/roles/service-dhcpd/tasks/main.yml b/roles/service-dhcpd/tasks/main.yml index 0104156..35a4d07 100644 --- a/roles/service-dhcpd/tasks/main.yml +++ b/roles/service-dhcpd/tasks/main.yml 
@@ -12,7 +12,7 @@ - name: concatenate meshbridge interfaces set_fact: - dhcp_interfaces: "{% for key, value in meshes.iteritems() %}{{ key }}BR{% if not loop.last %} {% endif %}{% endfor %}" + dhcp_interfaces: "{% for mesh_id, mesh_value in meshes.iteritems() %}{{ mesh_id }}BR{% if not loop.last %} {% endif %}{% endfor %}" - name: set ipv4 interfaces isc dhcp should listen on lineinfile: diff --git a/roles/service-radvd/templates/radvd.conf.j2 b/roles/service-radvd/templates/radvd.conf.j2 index 4e6bd86..d1b8385 100644 --- a/roles/service-radvd/templates/radvd.conf.j2 +++ b/roles/service-radvd/templates/radvd.conf.j2 @@ -1,15 +1,15 @@ # # {{ ansible_managed }} # -{% for key, value in meshes.iteritems() %} -interface {{ key }}BR +{% for mesh_id, mesh_value in meshes.iteritems() %} +interface {{ mesh_id }}BR { AdvSendAdvert on; IgnoreIfMissing on; MaxRtrAdvInterval 900; - AdvLinkMTU {{ value.iface_mtu }}; + AdvLinkMTU {{ mesh_value.iface_mtu }}; -{% for ip_type, ip_list in value.ipv6.iteritems() %} +{% for ip_type, ip_list in mesh_value.ipv6.iteritems() %} {% for prefix in ip_list %} {% if ip_type == "ula" %} RDNSS {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) }} @@ -20,7 +20,7 @@ interface {{ key }}BR {% endfor %} {% endfor %} -{% for ip_type, ip_list in value.ipv6.iteritems() %} +{% for ip_type, ip_list in mesh_value.ipv6.iteritems() %} {% for prefix in ip_list %} {% if ip_type == "public" %} prefix {{ prefix | ipaddr('net') | ipsubnet(64, magic) }} diff --git a/roles/service-rclocal/templates/rc.local.j2 b/roles/service-rclocal/templates/rc.local.j2 index 144e106..611cf22 100644 --- a/roles/service-rclocal/templates/rc.local.j2 +++ b/roles/service-rclocal/templates/rc.local.j2 
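Review bot: `meshes.iteritems()` in the renamed `dhcp_interfaces` expression is a Python 2 dict method, so the rename keeps an expression that fails with an undefined-attribute error as soon as the controller runs Ansible under Python 3; `{% for mesh_id, mesh_value in meshes | dictsort %}` works on both and also yields a stable interface order, which matters because the result feeds a `lineinfile` and an unstable order would make that task non-idempotent on older interpreters. The same `iteritems()` calls are in the two `radvd.conf.j2` hunks on this line and in the `rc.local.j2` hunks that follow.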
@@ -18,70 +18,70 @@ # # Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces -{% for key, value in meshes.iteritems() %} -ip -4 rule add from {{ value.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7 -ip -4 rule add to {{ value.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7 -ip -4 rule add from all oif {{ key }}BR lookup mwu priority 7 -{% for ula in value.ipv6.ula %} +{% for mesh_id, mesh_value in meshes.iteritems() %} +ip -4 rule add from {{ mesh_value.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7 +ip -4 rule add to {{ mesh_value.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7 +ip -4 rule add from all oif {{ mesh_id }}BR lookup mwu priority 7 +{% for ula in mesh_value.ipv6.ula %} ip -6 rule add from {{ ula }} lookup mwu priority 7 ip -6 rule add to {{ ula }} lookup mwu priority 7 {% endfor %} -{% for public in value.ipv6.public %} +{% for public in mesh_value.ipv6.public %} ip -6 rule add from {{ public }} lookup mwu priority 7 ip -6 rule add to {{ public }} lookup mwu priority 7 {% endfor %} -ip -6 rule add from all oif {{ key }}BR lookup mwu priority 7 +ip -6 rule add from all oif {{ mesh_id }}BR lookup mwu priority 7 {% endfor %} # Priority 23 - lookup rt_table icvpn for all incoming traffic of freifunk bridges -{% for key, value in meshes.iteritems() %} -ip -4 rule add from {{ value.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23 -ip -4 rule add to {{ value.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23 -ip -4 rule add from all oif {{ key }}BR lookup icvpn priority 23 -{% for ula in value.ipv6.ula %} +{% for mesh_id, mesh_value in meshes.iteritems() %} +ip -4 rule add from {{ mesh_value.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23 +ip -4 rule add to {{ mesh_value.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23 +ip -4 rule add from all oif {{ mesh_id }}BR lookup icvpn priority 23 +{% for ula in 
mesh_value.ipv6.ula %} ip -6 rule add from {{ ula }} lookup icvpn priority 23 ip -6 rule add to {{ ula }} lookup icvpn priority 23 {% endfor %} -{% for public in value.ipv6.public %} +{% for public in mesh_value.ipv6.public %} ip -6 rule add from {{ public }} lookup icvpn priority 23 ip -6 rule add to {{ public }} lookup icvpn priority 23 {% endfor %} -ip -6 rule add from all oif {{ key }}BR lookup icvpn priority 23 +ip -6 rule add from all oif {{ mesh_id }}BR lookup icvpn priority 23 {% endfor %} ip -4 rule add from all oif icVPN lookup icvpn priority 23 ip -6 rule add from all oif icVPN lookup icvpn priority 23 # Priority 41 - lookup rt_table internet for all incoming traffic of freifunk bridges -{% for key, value in meshes.iteritems() %} -ip -4 rule add from {{ value.ipv4_network | ipaddr('network') }}/16 lookup internet priority 41 -{% for ula in value.ipv6.ula %} +{% for mesh_id, mesh_value in meshes.iteritems() %} +ip -4 rule add from {{ mesh_value.ipv4_network | ipaddr('network') }}/16 lookup internet priority 41 +{% for ula in mesh_value.ipv6.ula %} ip -6 rule add from {{ ula }} lookup internet priority 41 ip -6 rule add to {{ ula }} lookup internet priority 41 {% endfor %} -{% for public in value.ipv6.public %} +{% for public in mesh_value.ipv6.public %} ip -6 rule add from {{ public }} lookup internet priority 41 ip -6 rule add to {{ public }} lookup internet priority 41 {% endfor %} -ip -6 rule add from all oif {{ key }}BR lookup internet priority 41 +ip -6 rule add from all oif {{ mesh_id }}BR lookup internet priority 41 {% endfor %} ip -4 rule add from {{ ffrl_public_ipv4_nat | ipaddr('address') }}/{{ ffrl_public_ipv4_nat | ipaddr('prefix') }} lookup internet priority 41 ip -4 rule add to {{ ffrl_public_ipv4_nat | ipaddr('address') }}/{{ ffrl_public_ipv4_nat | ipaddr('prefix') }} lookup internet priority 41 # Priority 61 - at this point this is the end of policy routing for freifunk related routes -{% for key, value in meshes.iteritems() %} -ip -4 rule 
add from all iif {{ key }}BR type unreachable priority 61 -ip -6 rule add from all iif {{ key }}BR type unreachable priority 61 +{% for mesh_id, mesh_value in meshes.iteritems() %} +ip -4 rule add from all iif {{ mesh_id }}BR type unreachable priority 61 +ip -6 rule add from all iif {{ mesh_id }}BR type unreachable priority 61 {% endfor %} ip -4 rule add from all iif icVPN type unreachable priority 61 ip -4 rule add from all iif eth0 type unreachable priority 61 -{% for key, value in ffrl_exit_server.iteritems() %} -ip -4 rule add from all iif {{ key }} type unreachable priority 61 -ip -6 rule add from all iif {{ key }} type unreachable priority 61 +{% for server_id, server_value in ffrl_exit_server.iteritems() %} +ip -4 rule add from all iif {{ server_id }} type unreachable priority 61 +ip -6 rule add from all iif {{ server_id }} type unreachable priority 61 {% endfor %} ip -6 rule add from all iif icVPN type unreachable priority 61 ip -6 rule add from all iif eth0 type unreachable priority 61 -{% for key, value in meshes.iteritems() %} -{% for public in value.ipv6.public %} +{% for mesh_id, mesh_value in meshes.iteritems() %} +{% for public in mesh_value.ipv6.public %} ip -6 rule add from {{ public }} type unreachable priority 61 ip -6 rule add to {{ public }} type unreachable priority 61 {% endfor %} 
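Review bot: The IPv4 rules in this hunk still append a hard-coded `/16` to `mesh_value.ipv4_network | ipaddr('network')`, which throws away whatever prefix length `ipv4_network` carries; the route in the next hunk passes `{{ mesh_value.ipv4_network }}` through unchanged, which suggests the variable already includes its mask. `{{ mesh_value.ipv4_network | ipaddr('net') }}` would keep the two consistent; with a too-narrow selector, traffic from a mesh that is not a /16 misses the `mwu`/`icvpn`/`internet` lookups and ends at the priority 61 `type unreachable` rules, i.e. it fails closed but silently. The `iif eth0` rules at priority 61 also hard-code the uplink interface name, presumably intentionally for these hosts; a variable would survive a NIC rename.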
@@ -98,15 +98,15 @@ ip -6 rule add from all lookup icvpn priority 107 # IP routes # -{% for key, value in meshes.iteritems() %} -# static {{ value.site_name }} routes for rt_table mwu -/sbin/ip -4 route add {{ value.ipv4_network }} proto static dev {{ key }}BR table mwu -{% for ula in value.ipv6.ula %} -/sbin/ip -6 route add {{ ula | ipaddr('net') | ipsubnet(64, 0) }} proto static dev {{ key }}BR table mwu +{% for mesh_id, mesh_value in meshes.iteritems() %} +# static {{ mesh_value.site_name }} routes for rt_table mwu +/sbin/ip -4 route add {{ mesh_value.ipv4_network }} proto static dev {{ mesh_id }}BR table mwu +{% for ula in mesh_value.ipv6.ula %} +/sbin/ip -6 route add {{ ula | ipaddr('net') | ipsubnet(64, 0) }} proto static dev {{ mesh_id }}BR table mwu {% endfor %} -{% for public in value.ipv6.public %} -/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(64, 0) }} proto static dev {{ key }}BR table mwu -/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(64, magic) }} proto static dev {{ key }}BR table mwu +{% for public in mesh_value.ipv6.public %} +/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(64, 0) }} proto static dev {{ mesh_id }}BR table mwu +/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(64, magic) }} proto static dev {{ mesh_id }}BR table mwu {% endfor %} {% if not loop.last %} From a1705da9a0adc18d78900f96acdbac8603e7ec6d Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Tue, 3 Oct 2017 21:18:39 +0200 Subject: [PATCH 037/106] Role service-radvd: optimize ipaddr filters --- roles/service-radvd/templates/radvd.conf.j2 | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/roles/service-radvd/templates/radvd.conf.j2 b/roles/service-radvd/templates/radvd.conf.j2 index d1b8385..9fe390a 100644 --- a/roles/service-radvd/templates/radvd.conf.j2 +++ b/roles/service-radvd/templates/radvd.conf.j2 @@ -1,3 +1,4 @@ + # # {{ ansible_managed }} # 
@@ -12,7 +13,7 @@ interface {{ mesh_id }}BR {% for ip_type, ip_list in mesh_value.ipv6.iteritems() %} {% for prefix in ip_list %} {% if ip_type == "ula" %} - RDNSS {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) }} + RDNSS {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('address') }} { FlushRDNSS off; }; @@ -23,9 +24,9 @@ interface {{ mesh_id }}BR {% for ip_type, ip_list in mesh_value.ipv6.iteritems() %} {% for prefix in ip_list %} {% if ip_type == "public" %} - prefix {{ prefix | ipaddr('net') | ipsubnet(64, magic) }} + prefix {{ prefix | ipaddr('net') | ipsubnet(64, magic) | ipaddr('subnet') }} {% else %} - prefix {{ prefix | ipaddr('net') | ipsubnet(64, 0) }} + prefix {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} {% endif %} { AdvValidLifetime 864000; From 07a0b25a0908f4d2cfa42ffe817e020a5b608b01 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Tue, 3 Oct 2017 21:24:36 +0200 Subject: [PATCH 038/106] Role service-radvd: make more parameters configurable --- inventory/group_vars/all | 8 ++++++++ roles/service-radvd/templates/radvd.conf.j2 | 6 +++--- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/inventory/group_vars/all b/inventory/group_vars/all index d6edaf7..a577ed9 100644 --- a/inventory/group_vars/all +++ b/inventory/group_vars/all @@ -36,6 +36,10 @@ meshes: mm: 0 dat: 0 hop_penalty: 60 + radvd: + maxrtradvinterval: 900 + advvalidlifetime: 864000 + advpreferredlifetime: 172800 iface_mtu: 1350 peers_mesh_repo: https://github.com/freifunk-mwu/peers-ffmz.git peers_intragate_repo: https://github.com/freifunk-mwu/ffmz-infrastructure-peers.git @@ -68,6 +72,10 @@ meshes: mm: 0 dat: 0 hop_penalty: 60 + radvd: + maxrtradvinterval: 900 + advvalidlifetime: 864000 + advpreferredlifetime: 172800 iface_mtu: 1350 peers_mesh_repo: https://github.com/freifunk-mwu/peers-ffwi.git peers_intragate_repo: https://github.com/freifunk-mwu/ffwi-infrastructure-peers.git 
diff --git a/roles/service-radvd/templates/radvd.conf.j2 b/roles/service-radvd/templates/radvd.conf.j2 index 9fe390a..c8ee2d7 100644 --- a/roles/service-radvd/templates/radvd.conf.j2 +++ b/roles/service-radvd/templates/radvd.conf.j2 @@ -7,7 +7,7 @@ interface {{ mesh_id }}BR { AdvSendAdvert on; IgnoreIfMissing on; - MaxRtrAdvInterval 900; + MaxRtrAdvInterval {{ mesh_value.radvd.maxrtradvinterval }}; AdvLinkMTU {{ mesh_value.iface_mtu }}; {% for ip_type, ip_list in mesh_value.ipv6.iteritems() %} @@ -29,8 +29,8 @@ interface {{ mesh_id }}BR prefix {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} {% endif %} { - AdvValidLifetime 864000; - AdvPreferredLifetime 172800; + AdvValidLifetime {{ mesh_value.radvd.advvalidlifetime }}; + AdvPreferredLifetime {{ mesh_value.radvd.advpreferredlifetime }}; }; {% endfor %} {% if not loop.last %} From 04d12c1fb5250e4659a53c8e043432b526122d40 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Tue, 3 Oct 2017 21:36:14 +0200 Subject: [PATCH 039/106] Update Readme.md --- Readme.md | 112 ++++++++++++++++++++++++++++++------------------------ 1 file changed, 62 insertions(+), 50 deletions(-) diff --git a/Readme.md b/Readme.md index fe88ff7..cf7fc04 100644 --- a/Readme.md +++ b/Readme.md @@ -42,9 +42,23 @@ meshes: gw: server 96mbit/96mbit mm: 0 dat: 0 + hop_penalty: 60 + radvd: + maxrtradvinterval: 900 + advvalidlifetime: 864000 + advpreferredlifetime: 172800 iface_mtu: 1350 peers_mesh_repo: https://github.com/freifunk-mwu/peers-ffmz.git peers_intragate_repo: https://github.com/freifunk-mwu/ffmz-infrastructure-peers.git + dns: + master: fd37:b4dc:4b1e::a25:103 + forward_zones: + ffmz.org: + user.ffmz.org: + bb.ffmz.org: + nodes.ffmz.org: + ffbin: + master: fd37:b4dc:4b1e::a25:10c wi: site_number: 56 
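Review bot: The three `mesh_value.radvd.*` lookups added in this file have no `default`, so any mesh entry without a complete `radvd` block aborts the template — and the `Readme.md` hunk that follows in this same series documents the `wi` mesh with `maxrtradvinterval` and `advvalidlifetime` but no `advpreferredlifetime`, so a host built from that example fails here. Either complete the README example or write `{{ mesh_value.radvd.advpreferredlifetime | default(172800) }}` (and likewise for the other two) so the group_vars values stay the single required input. radvd also refuses a configuration where the preferred lifetime exceeds the valid lifetime, so a comment in group_vars such as `# advpreferredlifetime must not exceed advvalidlifetime` would save a failed restart.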
@@ -64,9 +78,20 @@ meshes: gw: server 96mbit/96mbit mm: 0 dat: 0 + hop_penalty: 60 + radvd: + maxrtradvinterval: 900 + advvalidlifetime: 864000 iface_mtu: 1350 peers_mesh_repo: https://github.com/freifunk-mwu/peers-ffwi.git peers_intragate_repo: https://github.com/freifunk-mwu/ffwi-infrastructure-peers.git + dns: + master: fd56:b4dc:4b1e::a38:103 + forward_zones: + ffwi.org: + user.ffwi.org: + bb.ffwi.org: + nodes.ffwi.org: ``` ## Sensible Informationen @@ -74,7 +99,7 @@ meshes: Sensible Daten, z.B. private keys für Dienste wie fastd und tinc verwalten wir in einem [Password Store](https://www.passwordstore.org/). Falls ihr mehrere Password Stores verwaltet, denkt vor Benutzung von Ansible daran, die Umgebungsvariable auf den richtigen Store zu verweisen: ``` -export PASSWORD_STORE_DIR=... +export PASSWORD_STORE_DIR=... ``` ## Aufsetzen eines neuen Gateways 
@@ -86,7 +111,40 @@ export PASSWORD_STORE_DIR=... ``` --- # Gateway-Nummer, von der vieles abgeleitet wird. Integer zwischen 1-254. Muss eindeutig unter allen FFMWU Servern sein. -magic: +magic: + +# Die Nummer des /22er IPv4-Subnetzes, das per DHCP verteilt werden soll. +ipv4_dhcp_range: + +# FFRL (muss vorher bereits zugewiesen worden sein) +# Öffentliche IPv4 NAT Adresse, Format: IP/Prefix +ffrl_public_ipv4_nat: + +ffrl_exit_server: + ffrl-a-ak-ber: + public_ipv4_address: 185.66.195.0 + tunnel_ipv4_network: # Format: IP/Maske + tunnel_ipv6_network: + ffrl-b-ak-ber: + public_ipv4_address: 185.66.195.1 + tunnel_ipv4_network: # Format: IP/Maske + tunnel_ipv6_network: + ffrl-a-ix-dus: + public_ipv4_address: 185.66.193.0 + tunnel_ipv4_network: # Format: IP/Maske + tunnel_ipv6_network: + ffrl-b-ix-dus: + public_ipv4_address: 185.66.193.1 + tunnel_ipv4_network: # Format: IP/Maske + tunnel_ipv6_network: + ffrl-a-fra2-fra: + public_ipv4_address: 185.66.194.0 + tunnel_ipv4_network: # Format: IP/Maske + tunnel_ipv6_network: + ffrl-b-fra2-fra: + public_ipv4_address: 185.66.194.1 + tunnel_ipv4_network: # Format: IP/Maske + tunnel_ipv6_network: # Pfade zu den fastd secrets im passwordstore fastd_secrets: 
@@ -95,54 +153,8 @@ fastd_secrets: mzigVPN: "{{ lookup('passwordstore', 'fastd/mzVPN/$Hostname subkey=secret') }}" wiigVPN: "{{ lookup('passwordstore', 'fastd/wiVPN/$Hostname subkey=secret') }}" -# FFRL (muss vorher bereits zugewiesen worden sein) -# Öffentliche IPv4 NAT Adresse -ffrl_public_ipv4_nat: - -ffrl_exit_server: - ffrl-a-ak-ber: - public_ipv4_address: - tunnel_ipv4_network: # Format: IP/Maske - tunnel_ipv4_address: - tunnel_ipv4_netmask: - tunnel_ipv6_address: - tunnel_ipv6_netmask: - ffrl-b-ak-ber: - public_ipv4_address: - tunnel_ipv4_network: # Format: IP/Maske - tunnel_ipv4_address: - tunnel_ipv4_netmask: - tunnel_ipv6_address: - tunnel_ipv6_netmask: - ffrl-a-ix-dus: - public_ipv4_address: - tunnel_ipv4_network: # Format: IP/Maske - tunnel_ipv4_address: - tunnel_ipv4_netmask: - tunnel_ipv6_address: - tunnel_ipv6_netmask: - ffrl-b-ix-dus: - public_ipv4_address: - tunnel_ipv4_network: # Format: IP/Maske - tunnel_ipv4_address: - tunnel_ipv4_netmask: - tunnel_ipv6_address: - tunnel_ipv6_netmask: - ffrl-a-fra2-fra: - public_ipv4_address: - tunnel_ipv4_network: # Format: IP/Maske - tunnel_ipv4_address: - tunnel_ipv4_netmask: - tunnel_ipv6_address: - tunnel_ipv6_netmask: - ffrl-b-fra2-fra: - public_ipv4_address: - tunnel_ipv4_network: # Format: IP/Maske - tunnel_ipv4_address: - tunnel_ipv4_netmask: - tunnel_ipv6_address: - tunnel_ipv6_netmask: - +# Pfade zum tinc secret im passwordstore +tinc_private_key: "{{ lookup('passwordstore', 'tinc/icVPN/$hostname_private returnall=true') }}" ``` - Neues Gateway aufsetzen per `ansible-playbook playbooks/gateways.yml` - Hierbei werden die definierten Rollen auch auf schon aufgesetzte Gateways angewandt, was unkritisch ist, weil wir unsere Rollen idempotent schreiben. From 0fa92eef1cd210b0abdc6d40ea7e9f7e8a65f462 Mon Sep 17 00:00:00 2001 
From: Tobias Hachmer Date: Tue, 3 Oct 2017 23:30:02 +0200 Subject: [PATCH 040/106] Role service-fastd-mesh: add systemd unit + timer to update mesh peers --- roles/service-fastd-mesh/meta/main.yml | 1 + roles/service-fastd-mesh/tasks/main.yml | 24 +++++++++++++++++++ .../templates/fastd-sync-meshkeys.service.j2 | 10 ++++++++ .../templates/fastd-sync-meshkeys.timer.j2 | 12 ++++++++++ 4 files changed, 47 insertions(+) create mode 100644 roles/service-fastd-mesh/templates/fastd-sync-meshkeys.service.j2 create mode 100644 roles/service-fastd-mesh/templates/fastd-sync-meshkeys.timer.j2 diff --git a/roles/service-fastd-mesh/meta/main.yml b/roles/service-fastd-mesh/meta/main.yml index d0f177f..a5b2bf1 100644 --- a/roles/service-fastd-mesh/meta/main.yml +++ b/roles/service-fastd-mesh/meta/main.yml @@ -1,3 +1,4 @@ --- dependencies: + - { role: git-repos } - { role: service-fastd } diff --git a/roles/service-fastd-mesh/tasks/main.yml b/roles/service-fastd-mesh/tasks/main.yml index 0e2c3c9..41a4f18 100644 --- a/roles/service-fastd-mesh/tasks/main.yml +++ b/roles/service-fastd-mesh/tasks/main.yml @@ -59,3 +59,27 @@ dest: "/etc/fastd/{{ item.key }}VPN/secret.conf" notify: restart fastd mesh instances with_dict: "{{ meshes }}" + +- name: write systemd unit fastd-sync-meshkeys.service + template: + src: fastd-sync-meshkeys.service.j2 + dest: /etc/systemd/system/fastd-sync-meshkeys.service + owner: root + group: root + mode: 0644 + notify: reload systemd + +- name: write systemd timer fastd-sync-meshkeys.timer + template: + src: fastd-sync-meshkeys.timer.j2 + dest: /etc/systemd/system/fastd-sync-meshkeys.timer + owner: root + group: root + mode: 0644 + notify: reload systemd + +- name: configure systemd unit/timer fastd-sync-meshkeys + systemd: + name: fastd-sync-meshkeys.timer + enabled: yes + state: started 
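Review bot: The `configure systemd unit/timer fastd-sync-meshkeys` task enables and starts the timer in the same play in which the unit files are written, but the `reload systemd` handler those template tasks notify only runs at the end of the play, so on a later run that changes `OnBootSec`/`OnUnitActiveSec` the already-running timer presumably keeps its old definition until something restarts it. Adding `daemon_reload: yes` to that `systemd:` task (or a `meta: flush_handlers` before it) and notifying a restart of the timer from the two template tasks would make the schedule follow the template. The `icvpn-update` and `icvpn-dns-update` task hunks later in this series have the same ordering.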
diff --git a/roles/service-fastd-mesh/templates/fastd-sync-meshkeys.service.j2 b/roles/service-fastd-mesh/templates/fastd-sync-meshkeys.service.j2 new file mode 100644 index 0000000..70a181b --- /dev/null +++ b/roles/service-fastd-mesh/templates/fastd-sync-meshkeys.service.j2 @@ -0,0 +1,10 @@ +# +# {{ ansible_managed }} +# +[Unit] +Description=Update fastd mesh peers repos + +[Service] +ExecStart=/home/admin/clones/backend-scripts/sync_meshkeys_gw.sh +User=admin +Group=admin diff --git a/roles/service-fastd-mesh/templates/fastd-sync-meshkeys.timer.j2 b/roles/service-fastd-mesh/templates/fastd-sync-meshkeys.timer.j2 new file mode 100644 index 0000000..cea04f0 --- /dev/null +++ b/roles/service-fastd-mesh/templates/fastd-sync-meshkeys.timer.j2 @@ -0,0 +1,12 @@ +# +# {{ ansible_managed }} +# +[Unit] +Description=Update fastd mesh peers repos timer + +[Timer] +OnBootSec=5m +OnUnitActiveSec=15m + +[Install] +WantedBy=timers.target From 224a61a48115267e074ae6c4f563070e26937c20 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Tue, 3 Oct 2017 23:31:15 +0200 Subject: [PATCH 041/106] Role service-bird + service-bird-icvpn: add systemd unit + timer to update roa+peers+tinc hosts --- roles/service-bird-icvpn/tasks/main.yml | 28 +++++++++++++++++-- .../templates/icvpn-update.service.j2 | 10 +++++++ .../templates/icvpn-update.timer.j2 | 12 ++++++++ roles/service-bird/tasks/main.yml | 6 ++++ 4 files changed, 54 insertions(+), 2 deletions(-) create mode 100644 roles/service-bird-icvpn/templates/icvpn-update.service.j2 create mode 100644 roles/service-bird-icvpn/templates/icvpn-update.timer.j2 diff --git a/roles/service-bird-icvpn/tasks/main.yml b/roles/service-bird-icvpn/tasks/main.yml index 4d99db1..adbf20b 100644 --- a/roles/service-bird-icvpn/tasks/main.yml +++ b/roles/service-bird-icvpn/tasks/main.yml @@ -39,7 +39,7 @@ file: path: "{{ item }}" mode: 0640 - owner: bird + owner: admin group: bird notify: - reload bird4 
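Review bot: `fastd-sync-meshkeys.service` runs `/home/admin/clones/backend-scripts/sync_meshkeys_gw.sh` as `admin` every 15 minutes, and that script is a checkout of the `backend-scripts` repository whose branch is selected in `roles/git-repos/vars/main.yml` (switched to `drop-photon` later in this series) rather than a pinned commit; together with the admin-owned peer directories from the earlier task hunk, the head of that branch and the peer repositories the unit's Description says it updates are what decide which keys fastd accepts, with no commit pin or signature check in between. That can be an acceptable operational choice for a community network, but the role README should state it, e.g. `peer keys and the sync script are pulled unverified from GitHub; push access to those repositories equals mesh admission`. The `[Service]` section has no `Type=`, so it defaults to `simple`; `Type=oneshot` is the conventional form for a timer-driven script and is worth adding so systemd waits for the run to finish before treating the unit as started. The `icvpn-update.service` and `icvpn-dns-update.service` templates on the following lines share this structure, as does the `owner: admin` change for `/etc/bird/icvpn_*` in the adjoining hunk.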
@@ -51,10 +51,34 @@ file: path: "{{ item }}" mode: 0640 - owner: bird + owner: admin group: bird notify: - reload bird6 with_items: - /etc/bird/icvpn_ipv6_peers.conf - /etc/bird/icvpn_ipv6_roa.conf + +- name: write systemd unit icvpn-update.service + template: + src: icvpn-update.service.j2 + dest: /etc/systemd/system/icvpn-update.service + owner: root + group: root + mode: 0644 + notify: reload systemd + +- name: write systemd timer icvpn-update.timer + template: + src: icvpn-update.timer.j2 + dest: /etc/systemd/system/icvpn-update.timer + owner: root + group: root + mode: 0644 + notify: reload systemd + +- name: configure systemd unit/timer icvpn-update + systemd: + name: icvpn-update.timer + enabled: yes + state: started diff --git a/roles/service-bird-icvpn/templates/icvpn-update.service.j2 b/roles/service-bird-icvpn/templates/icvpn-update.service.j2 new file mode 100644 index 0000000..d4c964d --- /dev/null +++ b/roles/service-bird-icvpn/templates/icvpn-update.service.j2 @@ -0,0 +1,10 @@ +# +# {{ ansible_managed }} +# +[Unit] +Description=Update tinc hosts and bgp peers for icvpn + +[Service] +ExecStart=/home/admin/clones/backend-scripts/gen_icvpn_bgp_gw.sh +User=admin +Group=admin diff --git a/roles/service-bird-icvpn/templates/icvpn-update.timer.j2 b/roles/service-bird-icvpn/templates/icvpn-update.timer.j2 new file mode 100644 index 0000000..55c464a --- /dev/null +++ b/roles/service-bird-icvpn/templates/icvpn-update.timer.j2 @@ -0,0 +1,12 @@ +# +# {{ ansible_managed }} +# +[Unit] +Description=Timer which schedules icvpn-update.service + +[Timer] +OnBootSec=1h +OnUnitActiveSec=2d + +[Install] +WantedBy=timers.target diff --git a/roles/service-bird/tasks/main.yml b/roles/service-bird/tasks/main.yml index 822b130..4cd2845 100644 --- a/roles/service-bird/tasks/main.yml +++ b/roles/service-bird/tasks/main.yml 
@@ -8,6 +8,12 @@ - bird-bgp - bird-doc +- name: set directory permissions for /etc/bird + file: + path: /etc/bird + state: directory + mode: 0755 + - name: write bird configuration template: src: bird{{ item }}.conf.j2 From 1f7ab3c620df7aac9179ac269cc2c49956cc8c6a Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Tue, 3 Oct 2017 23:32:00 +0200 Subject: [PATCH 042/106] Role git-repos: change branch of backend-scripts repo to drop-photon --- roles/git-repos/vars/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/git-repos/vars/main.yml b/roles/git-repos/vars/main.yml index b5bbb31..432e906 100644 --- a/roles/git-repos/vars/main.yml +++ b/roles/git-repos/vars/main.yml @@ -2,7 +2,7 @@ common_repos: backend-scripts: repo_url: https://github.com/freifunk-mwu/backend-scripts.git - version: master + version: drop-photon icvpn-meta: repo_url: https://github.com/freifunk/icvpn-meta.git version: master From 31e0b6da6799b8fe202d6ee02152874702727a79 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Wed, 4 Oct 2017 00:05:53 +0200 Subject: [PATCH 043/106] Role service-bind-slave: fix file permissions --- roles/service-bind-slave/tasks/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/service-bind-slave/tasks/main.yml b/roles/service-bind-slave/tasks/main.yml index 5327055..15dd816 100644 --- a/roles/service-bind-slave/tasks/main.yml +++ b/roles/service-bind-slave/tasks/main.yml @@ -60,8 +60,8 @@ - name: set file attributes for icvpn config file: - path: /etc/bind/ + path: /etc/bind/named.conf.icvpn mode: 0644 - owner: root - group: bird + owner: admin + group: bind notify: restart bind9 From b0f0d633837c7e1392f11371a4a28c6c142af01e Mon Sep 17 00:00:00 2001 
From: Tobias Hachmer Date: Wed, 4 Oct 2017 00:20:50 +0200 Subject: [PATCH 044/106] Role service-bind-slave: add systemd unit + timer to update icvpn bind config --- roles/service-bind-slave/tasks/main.yml | 24 +++++++++++++++++++ .../templates/icvpn-dns-update.service.j2 | 10 ++++++++ .../templates/icvpn-dns-update.timer.j2 | 12 ++++++++++ 3 files changed, 46 insertions(+) create mode 100644 roles/service-bind-slave/templates/icvpn-dns-update.service.j2 create mode 100644 roles/service-bind-slave/templates/icvpn-dns-update.timer.j2 diff --git a/roles/service-bind-slave/tasks/main.yml b/roles/service-bind-slave/tasks/main.yml index 15dd816..c7578ac 100644 --- a/roles/service-bind-slave/tasks/main.yml +++ b/roles/service-bind-slave/tasks/main.yml @@ -65,3 +65,27 @@ owner: admin group: bind notify: restart bind9 + +- name: write systemd unit icvpn-dns-update.service + template: + src: icvpn-dns-update.service.j2 + dest: /etc/systemd/system/icvpn-dns-update.service + owner: root + group: root + mode: 0644 + notify: reload systemd + +- name: write systemd timer icvpn-dns-update.timer + template: + src: icvpn-dns-update.timer.j2 + dest: /etc/systemd/system/icvpn-dns-update.timer + owner: root + group: root + mode: 0644 + notify: reload systemd + +- name: configure systemd unit/timer icvpn-dns-update + systemd: + name: icvpn-dns-update.timer + enabled: yes + state: started diff --git a/roles/service-bind-slave/templates/icvpn-dns-update.service.j2 b/roles/service-bind-slave/templates/icvpn-dns-update.service.j2 new file mode 100644 index 0000000..3a21e89 --- /dev/null +++ b/roles/service-bind-slave/templates/icvpn-dns-update.service.j2 @@ -0,0 +1,10 @@ +# +# {{ ansible_managed }} +# +[Unit] +Description=Update icvpn bind configuration + +[Service] +ExecStart=/home/admin/clones/backend-scripts/gen_icvpn_dns_gw.sh +User=admin +Group=admin 
diff --git a/roles/service-bind-slave/templates/icvpn-dns-update.timer.j2 b/roles/service-bind-slave/templates/icvpn-dns-update.timer.j2 new file mode 100644 index 0000000..261691c --- /dev/null +++ b/roles/service-bind-slave/templates/icvpn-dns-update.timer.j2 @@ -0,0 +1,12 @@ +# +# {{ ansible_managed }} +# +[Unit] +Description=Timer which schedules icvpn-bind-update.service + +[Timer] +OnBootSec=2h +OnUnitActiveSec=2d + +[Install] +WantedBy=timers.target From 817f86abb7000da2d25fc74850947780e5223b70 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Wed, 4 Oct 2017 00:25:29 +0200 Subject: [PATCH 045/106] Role service-bird-icvpn: rename systemd unit+timer icvpn-update to icvpn-tinc-bgp-update --- roles/service-bird-icvpn/tasks/main.yml | 16 ++++++++-------- ...rvice.j2 => icvpn-tinc-bgp-update.service.j2} | 0 ...e.timer.j2 => icvpn-tinc-bgp-update.timer.j2} | 2 +- 3 files changed, 9 insertions(+), 9 deletions(-) rename roles/service-bird-icvpn/templates/{icvpn-update.service.j2 => icvpn-tinc-bgp-update.service.j2} (100%) rename roles/service-bird-icvpn/templates/{icvpn-update.timer.j2 => icvpn-tinc-bgp-update.timer.j2} (63%) diff --git a/roles/service-bird-icvpn/tasks/main.yml b/roles/service-bird-icvpn/tasks/main.yml index adbf20b..a06a25e 100644 --- a/roles/service-bird-icvpn/tasks/main.yml +++ b/roles/service-bird-icvpn/tasks/main.yml 
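Review bot: The timer's `Description` names `icvpn-bind-update.service`, a unit that does not exist; the service written in the previous hunk is `icvpn-dns-update.service`, so `Description=Timer which schedules icvpn-dns-update.service` is the intended text. This is cosmetic as far as scheduling goes, because without an explicit `Unit=` a timer activates the service of the same name, but the wrong name is what `systemctl list-timers` and the journal will show to whoever debugs it.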
@@ -59,26 +59,26 @@ - /etc/bird/icvpn_ipv6_peers.conf - /etc/bird/icvpn_ipv6_roa.conf -- name: write systemd unit icvpn-update.service +- name: write systemd unit icvpn-tinc-bgp-update.service template: - src: icvpn-update.service.j2 - dest: /etc/systemd/system/icvpn-update.service + src: icvpn-tinc-bgp-update.service.j2 + dest: /etc/systemd/system/icvpn-tinc-bgp-update.service owner: root group: root mode: 0644 notify: reload systemd -- name: write systemd timer icvpn-update.timer +- name: write systemd timer icvpn-tinc-bgp-update.timer template: - src: icvpn-update.timer.j2 - dest: /etc/systemd/system/icvpn-update.timer + src: icvpn-tinc-bgp-update.timer.j2 + dest: /etc/systemd/system/icvpn-tinc-bgp-update.timer owner: root group: root mode: 0644 notify: reload systemd -- name: configure systemd unit/timer icvpn-update +- name: configure systemd unit/timer icvpn-tinc-bgp-update systemd: - name: icvpn-update.timer + name: icvpn-tinc-bgp-update.timer enabled: yes state: started diff --git a/roles/service-bird-icvpn/templates/icvpn-update.service.j2 b/roles/service-bird-icvpn/templates/icvpn-tinc-bgp-update.service.j2 similarity index 100% rename from roles/service-bird-icvpn/templates/icvpn-update.service.j2 rename to roles/service-bird-icvpn/templates/icvpn-tinc-bgp-update.service.j2 diff --git a/roles/service-bird-icvpn/templates/icvpn-update.timer.j2 b/roles/service-bird-icvpn/templates/icvpn-tinc-bgp-update.timer.j2 similarity index 63% rename from roles/service-bird-icvpn/templates/icvpn-update.timer.j2 rename to roles/service-bird-icvpn/templates/icvpn-tinc-bgp-update.timer.j2 index 55c464a..b2c612e 100644 --- a/roles/service-bird-icvpn/templates/icvpn-update.timer.j2 +++ b/roles/service-bird-icvpn/templates/icvpn-tinc-bgp-update.timer.j2 @@ -2,7 +2,7 @@ # {{ ansible_managed }} # [Unit] -Description=Timer which schedules icvpn-update.service +Description=Timer which schedules icvpn-tinc-bgp-update.service [Timer] OnBootSec=1h 
From 98e1b60e004297ce2e1fc7a7b01e73482de3fed8 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Wed, 4 Oct 2017 00:51:18 +0200 Subject: [PATCH 046/106] Roles service-fastd-mesh + service-fastd-intragate: rename fastd socket --- roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 | 2 +- roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 b/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 index fb46a4c..db1c807 100644 --- a/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 +++ b/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 @@ -34,4 +34,4 @@ on down " batctl -m {{ item.key }}BAT if del $INTERFACE "; -status socket "/var/run/fastd-{{ item.key }}ig.status"; +status socket "/var/run/fastd-{{ item.key }}igVPN.status"; diff --git a/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 b/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 index 9345fad..8c7b2ec 100644 --- a/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 +++ b/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 @@ -41,4 +41,4 @@ on down " batctl -m {{ item.key }}BAT if del $INTERFACE "; -status socket "/var/run/fastd-{{ item.key }}.status"; +status socket "/var/run/fastd-{{ item.key }}VPN.status"; From b46be69a26f37cc170e90ad4094abeffe569aa8a Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Wed, 4 Oct 2017 01:02:15 +0200 Subject: [PATCH 047/106] Role service-rclocal: fix wrong interface --- roles/service-rclocal/templates/rc.local.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/service-rclocal/templates/rc.local.j2 b/roles/service-rclocal/templates/rc.local.j2 index 611cf22..25772e9 100644 --- a/roles/service-rclocal/templates/rc.local.j2 +++ b/roles/service-rclocal/templates/rc.local.j2 
@@ -73,13 +73,13 @@ ip -4 rule add from all iif {{ mesh_id }}BR type unreachable priority 61 ip -6 rule add from all iif {{ mesh_id }}BR type unreachable priority 61 {% endfor %} ip -4 rule add from all iif icVPN type unreachable priority 61 -ip -4 rule add from all iif eth0 type unreachable priority 61 +ip -4 rule add from all iif {{ ansible_default_ipv4.interface }} type unreachable priority 61 {% for server_id, server_value in ffrl_exit_server.iteritems() %} ip -4 rule add from all iif {{ server_id }} type unreachable priority 61 ip -6 rule add from all iif {{ server_id }} type unreachable priority 61 {% endfor %} ip -6 rule add from all iif icVPN type unreachable priority 61 -ip -6 rule add from all iif eth0 type unreachable priority 61 +ip -6 rule add from all iif {{ ansible_default_ipv6.interface }} type unreachable priority 61 {% for mesh_id, mesh_value in meshes.iteritems() %} {% for public in mesh_value.ipv6.public %} ip -6 rule add from {{ public }} type unreachable priority 61 From cc43741a91bde81617ffe6f89f5668cc99497a5d Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Wed, 4 Oct 2017 12:55:29 +0200 Subject: [PATCH 048/106] Role network-iptables-gateway: rename var internet_exit_mtu_ipv[4|6] to internet_exit_tcp_mss_ipv[4|6] --- inventory/group_vars/all | 4 ++-- roles/network-iptables-gateway/README.md | 4 ++-- roles/network-iptables-gateway/templates/rules.v4.j2 | 2 +- roles/network-iptables-gateway/templates/rules.v6.j2 | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/inventory/group_vars/all b/inventory/group_vars/all index a577ed9..b6be8e2 100644 --- a/inventory/group_vars/all +++ b/inventory/group_vars/all @@ -2,8 +2,8 @@ as_private_mwu: 65037 as_public_ffrl: 201701 -internet_exit_mtu_ipv4: 1240 -internet_exit_mtu_ipv6: 1220 +internet_exit_tcp_mss_ipv4: 1240 +internet_exit_tcp_mss_ipv6: 1220 routing_tables: icvpn: 23 
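Review bot: The new `{{ ansible_default_ipv6.interface }}` in the IPv6 rule is only available when the managed host has an IPv6 default route; on a host without one `ansible_default_ipv6` is an empty dict, so the render either fails or, with lenient undefined handling, emits `iif  type unreachable` and rc.local aborts at that line. Since both rules target the uplink interface, fall back to the IPv4 fact: `ip -6 rule add from all iif {{ ansible_default_ipv6.interface | default(ansible_default_ipv4.interface) }} type unreachable priority 61`. The rc.local body continues outside the hunk on both sides.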
diff --git a/roles/network-iptables-gateway/README.md b/roles/network-iptables-gateway/README.md index 3809044..c337694 100644 --- a/roles/network-iptables-gateway/README.md +++ b/roles/network-iptables-gateway/README.md @@ -24,6 +24,6 @@ meshes: ... ´´´ -- Variable `internet_exit_mtu_ipv4` -- Variable `internet_exit_mtu_ipv6` +- Variable `internet_exit_tcp_mss_ipv4` +- Variable `internet_exit_tcp_mss_ipv6` - Host Variable `ffrl_public_ipv4_nat` # Format ip-adresse/prefix diff --git a/roles/network-iptables-gateway/templates/rules.v4.j2 b/roles/network-iptables-gateway/templates/rules.v4.j2 index f348113..2fe7db6 100644 --- a/roles/network-iptables-gateway/templates/rules.v4.j2 +++ b/roles/network-iptables-gateway/templates/rules.v4.j2 @@ -23,7 +23,7 @@ COMMIT :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] --A POSTROUTING -o ffrl+ -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss ! --mss 0:{{ internet_exit_mtu_ipv4 }} -j TCPMSS --set-mss {{ internet_exit_mtu_ipv4 }} +-A POSTROUTING -o ffrl+ -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss ! --mss 0:{{ internet_exit_tcp_mss_ipv4 }} -j TCPMSS --set-mss {{ internet_exit_tcp_mss_ipv4 }} COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/roles/network-iptables-gateway/templates/rules.v6.j2 b/roles/network-iptables-gateway/templates/rules.v6.j2 index fbc36ab..b559d33 100644 --- a/roles/network-iptables-gateway/templates/rules.v6.j2 +++ b/roles/network-iptables-gateway/templates/rules.v6.j2 @@ -21,7 +21,7 @@ COMMIT :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] --A POSTROUTING -o ffrl+ -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss ! --mss 0:{{ internet_exit_mtu_ipv6 }} -j TCPMSS --set-mss {{ internet_exit_mtu_ipv6 }} +-A POSTROUTING -o ffrl+ -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss ! --mss 0:{{ internet_exit_tcp_mss_ipv6 }} -j TCPMSS --set-mss {{ internet_exit_tcp_mss_ipv6 }} COMMIT *nat :PREROUTING ACCEPT [0:0] 
From 94da0613a444232ee36e3572775e18862d94e9aa Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Wed, 4 Oct 2017 13:38:00 +0200 Subject: [PATCH 049/106] FFRL Internet Exit: move IPv4 NAT address to a single dummy interface --- roles/network-ffrl/tasks/main.yml | 6 ++++++ roles/network-ffrl/templates/ffrl.j2 | 1 - roles/network-ffrl/templates/ffrl_nat.j2 | 7 +++++++ roles/service-bird-ffrl/templates/ffrl_ipv4.conf.j2 | 5 +++-- 4 files changed, 16 insertions(+), 3 deletions(-) create mode 100644 roles/network-ffrl/templates/ffrl_nat.j2 diff --git a/roles/network-ffrl/tasks/main.yml b/roles/network-ffrl/tasks/main.yml index 6a0050b..ae0870d 100644 --- a/roles/network-ffrl/tasks/main.yml +++ b/roles/network-ffrl/tasks/main.yml @@ -5,3 +5,9 @@ dest: "/etc/network/interfaces.d/{{ item.key }}" notify: reload network interfaces with_dict: "{{ ffrl_exit_server }}" + +- name: create ffrl-nat dummy interface + template: + src: ffrl_nat.j2 + dest: "/etc/network/interfaces.d/ffrl-nat" + notify: reload network interfaces diff --git a/roles/network-ffrl/templates/ffrl.j2 b/roles/network-ffrl/templates/ffrl.j2 index 4dbc6f1..bf107db 100644 --- a/roles/network-ffrl/templates/ffrl.j2 +++ b/roles/network-ffrl/templates/ffrl.j2 @@ -13,4 +13,3 @@ iface {{ item.key }} inet tunnel address {{ item.value.tunnel_ipv4_network | ipaddr('net') | ipaddr('1') | ipaddr('address') }}/{{ item.value.tunnel_ipv4_network | ipaddr('net') | ipaddr('prefix') }} address {{ item.value.tunnel_ipv6_network | ipaddr('net') | ipaddr('2') | ipaddr('address') }}/{{ item.value.tunnel_ipv6_network | ipaddr('net') | ipaddr('prefix') }} - address {{ ffrl_public_ipv4_nat | ipaddr('address') }}/{{ ffrl_public_ipv4_nat | ipaddr('prefix') }} diff --git a/roles/network-ffrl/templates/ffrl_nat.j2 b/roles/network-ffrl/templates/ffrl_nat.j2 new file mode 100644 index 0000000..8e0ff23 --- /dev/null +++ b/roles/network-ffrl/templates/ffrl_nat.j2 
@@ -0,0 +1,7 @@ +# +# {{ ansible_managed }} +# +auto ffrl-nat +iface ffrl-nat + link-type dummy + address {{ ffrl_public_ipv4_nat | ipaddr('address') }}/{{ ffrl_public_ipv4_nat | ipaddr('prefix') }} diff --git a/roles/service-bird-ffrl/templates/ffrl_ipv4.conf.j2 b/roles/service-bird-ffrl/templates/ffrl_ipv4.conf.j2 index 66d8fd8..4a16d6f 100644 --- a/roles/service-bird-ffrl/templates/ffrl_ipv4.conf.j2 +++ b/roles/service-bird-ffrl/templates/ffrl_ipv4.conf.j2 @@ -36,9 +36,10 @@ filter ebgp_ffrl_export_filter { } # Protocols -protocol static ffrl_uplink_hostroute { +protocol direct ffrl_nat { table ffrl; - route {{ ffrl_public_ipv4_nat | ipaddr('address') }}/{{ ffrl_public_ipv4_nat | ipaddr('prefix') }} reject; + interface "ffrl-nat"; + import where is_ffrl_nat(); } protocol direct ffrl_tunnels { From c4ed75ed3690c32c58601e913f9678083969170f Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Wed, 4 Oct 2017 19:46:16 +0200 Subject: [PATCH 050/106] Roles service-bird[|-ffrl|-icvpn]: rework handlers --- roles/service-bird-ffrl/handlers/main.yml | 4 +- roles/service-bird-ffrl/tasks/main.yml | 40 ++++++++----- roles/service-bird-icvpn/handlers/main.yml | 4 +- roles/service-bird-icvpn/tasks/main.yml | 66 ++++++++++++---------- roles/service-bird/handlers/main.yml | 4 +- roles/service-bird/tasks/main.yml | 40 ++++++++----- 6 files changed, 95 insertions(+), 63 deletions(-) diff --git a/roles/service-bird-ffrl/handlers/main.yml b/roles/service-bird-ffrl/handlers/main.yml index 7dd9273..a9d5fb3 100644 --- a/roles/service-bird-ffrl/handlers/main.yml +++ b/roles/service-bird-ffrl/handlers/main.yml @@ -1,10 +1,10 @@ --- -- name: reload bird4 +- name: reload systemd unit bird systemd: name: bird state: reloaded -- name: reload bird6 +- name: reload systemd unit bird6 systemd: name: bird6 state: reloaded diff --git a/roles/service-bird-ffrl/tasks/main.yml b/roles/service-bird-ffrl/tasks/main.yml index 3b4b03f..400e414 100644 --- a/roles/service-bird-ffrl/tasks/main.yml 
+++ b/roles/service-bird-ffrl/tasks/main.yml @@ -1,24 +1,36 @@ --- -- name: write ffrl bird configuration +- name: write ffrl_ipv4.conf.j2 template: - src: ffrl_ipv{{ item }}.conf.j2 - dest: /etc/bird/ffrl_ipv{{ item }}.conf + src: ffrl_ipv4.conf.j2 + dest: /etc/bird/ffrl_ipv4.conf mode: 0640 owner: bird group: bird - notify: reload bird{{ item }} - with_items: - - 4 - - 6 + notify: reload systemd unit bird -- name: write ffrl peer configuration +- name: write ffrl_ipv6.conf.j2 template: - src: ffrl_ipv{{ item }}_peers.conf.j2 - dest: /etc/bird/ffrl_ipv{{ item }}_peers.conf + src: ffrl_ipv6.conf.j2 + dest: /etc/bird/ffrl_ipv6.conf mode: 0640 owner: bird group: bird - notify: reload bird{{ item }} - with_items: - - 4 - - 6 + notify: reload systemd unit bird6 + +- name: write ffrl_ipv4_peers.conf + template: + src: ffrl_ipv4_peers.conf.j2 + dest: /etc/bird/ffrl_ipv4_peers.conf + mode: 0640 + owner: bird + group: bird + notify: reload systemd unit bird + +- name: write ffrl_ipv6_peers.conf + template: + src: ffrl_ipv6_peers.conf.j2 + dest: /etc/bird/ffrl_ipv6_peers.conf + mode: 0640 + owner: bird + group: bird + notify: reload systemd unit bird6 diff --git a/roles/service-bird-icvpn/handlers/main.yml b/roles/service-bird-icvpn/handlers/main.yml index 7dd9273..a9d5fb3 100644 --- a/roles/service-bird-icvpn/handlers/main.yml +++ b/roles/service-bird-icvpn/handlers/main.yml @@ -1,10 +1,10 @@ --- -- name: reload bird4 +- name: reload systemd unit bird systemd: name: bird state: reloaded -- name: reload bird6 +- name: reload systemd unit bird6 systemd: name: bird6 state: reloaded diff --git a/roles/service-bird-icvpn/tasks/main.yml b/roles/service-bird-icvpn/tasks/main.yml index a06a25e..6d50e99 100644 --- a/roles/service-bird-icvpn/tasks/main.yml +++ b/roles/service-bird-icvpn/tasks/main.yml 
@@ -1,39 +1,49 @@ --- -- name: write initial icvpn peers - shell: /usr/bin/python3 /home/admin/clones/icvpn-scripts/mkbgp -{{ item }} -f bird -x mwu -d ebgp_icvpn -s /home/admin/clones/icvpn-meta > /etc/bird/icvpn_ipv{{ item }}_peers.conf +- name: generate initial icvpn_ipv4_peers.conf + shell: /usr/bin/python3 /home/admin/clones/icvpn-scripts/mkbgp -4 -f bird -x mwu -d ebgp_icvpn -s /home/admin/clones/icvpn-meta > /etc/bird/icvpn_ipv4_peers.conf args: chdir: /home/admin/clones/icvpn-scripts - creates: /etc/bird/icvpn_ipv{{ item }}_peers.conf - notify: - - reload bird{{ item }} - with_items: - - 4 - - 6 + creates: /etc/bird/icvpn_ipv4_peers.conf + notify: reload systemd unit bird -- name: write initial icvpn roa config - shell: /usr/bin/python3 /home/admin/clones/icvpn-scripts/mkroa -{{ item.key }} -f bird -x mwu -m {{ item.value.max_prefix }} -s /home/admin/clones/icvpn-meta > /etc/bird/icvpn_ipv{{ item.key }}_roa.conf +- name: generate initial icvpn_ipv6_peers.conf + shell: /usr/bin/python3 /home/admin/clones/icvpn-scripts/mkbgp -6 -f bird -x mwu -d ebgp_icvpn -s /home/admin/clones/icvpn-meta > /etc/bird/icvpn_ipv6_peers.conf args: chdir: /home/admin/clones/icvpn-scripts - creates: /etc/bird/icvpn_ipv{{ item.key }}_roa.conf - notify: - - reload bird{{ item.key }} - with_dict: - 4: - max_prefix: 20 - 6: - max_prefix: 64 + creates: /etc/bird/icvpn_ipv6_peers.conf + notify: reload systemd unit bird6 -- name: write icvpn bird configuration +- name: generate initial icvpn_ipv4_roa.conf + shell: /usr/bin/python3 /home/admin/clones/icvpn-scripts/mkroa -4 -f bird -x mwu -m 20 -s /home/admin/clones/icvpn-meta > /etc/bird/icvpn_ipv4_roa.conf + args: + chdir: /home/admin/clones/icvpn-scripts + creates: /etc/bird/icvpn_ipv4_roa.conf + notify: reload systemd unit bird + +- name: generate initial icvpn_ipv6_roa.conf + shell: /usr/bin/python3 /home/admin/clones/icvpn-scripts/mkroa -6 -f bird -x mwu -m 64 -s /home/admin/clones/icvpn-meta > /etc/bird/icvpn_ipv6_roa.conf + args: + 
chdir: /home/admin/clones/icvpn-scripts + creates: /etc/bird/icvpn_ipv6_roa.conf + notify: reload systemd unit bird6 + +- name: write icvpn_ipv4.conf template: - src: icvpn_ipv{{ item }}.conf.j2 - dest: /etc/bird/icvpn_ipv{{ item }}.conf + src: icvpn_ipv4.conf.j2 + dest: /etc/bird/icvpn_ipv4.conf mode: 0640 owner: bird group: bird - notify: reload bird{{ item }} - with_items: - - 4 - - 6 + notify: reload systemd unit bird + +- name: write icvpn_ipv6.conf + template: + src: icvpn_ipv6.conf.j2 + dest: /etc/bird/icvpn_ipv6.conf + mode: 0640 + owner: bird + group: bird + notify: reload systemd unit bird6 - name: set file attributes for ipv4 roa and peer config file: @@ -41,8 +51,7 @@ mode: 0640 owner: admin group: bird - notify: - - reload bird4 + notify: reload systemd unit bird with_items: - /etc/bird/icvpn_ipv4_peers.conf - /etc/bird/icvpn_ipv4_roa.conf @@ -53,8 +62,7 @@ mode: 0640 owner: admin group: bird - notify: - - reload bird6 + notify: reload systemd unit bird6 with_items: - /etc/bird/icvpn_ipv6_peers.conf - /etc/bird/icvpn_ipv6_roa.conf diff --git a/roles/service-bird/handlers/main.yml b/roles/service-bird/handlers/main.yml index 12fe53a..3d840fc 100644 --- a/roles/service-bird/handlers/main.yml +++ b/roles/service-bird/handlers/main.yml @@ -3,12 +3,12 @@ systemd: daemon_reload: yes -- name: reload bird +- name: reload systemd unit bird systemd: name: bird state: reloaded -- name: reload bird6 +- name: reload systemd unit bird6 systemd: name: bird6 state: reloaded diff --git a/roles/service-bird/tasks/main.yml b/roles/service-bird/tasks/main.yml index 4cd2845..3269d22 100644 --- a/roles/service-bird/tasks/main.yml +++ b/roles/service-bird/tasks/main.yml 
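Review bot: Each `generate initial …` task redirects the generator's stdout straight into the final file under /etc/bird and guards re-runs with `creates:`, so if mkbgp or mkroa exits non-zero (missing clone, Python error) the shell has already created an empty or truncated peers/roa file, the task fails, and every later run skips it because the file now exists — bird then loads an empty peer or ROA set with nothing in the play to flag the failed generation. Write to a temporary path and move it into place only on success, for all four tasks, e.g. `shell: /usr/bin/python3 … -s /home/admin/clones/icvpn-meta > /etc/bird/icvpn_ipv4_peers.conf.tmp && mv /etc/bird/icvpn_ipv4_peers.conf.tmp /etc/bird/icvpn_ipv4_peers.conf`. Note also that these tasks run code from `/home/admin/clones` with the play's privileges, so that clone is part of the trusted base for the router configuration; a one-line comment above the first task stating that would help the next maintainer. The hunk begins at line 1 of the file; the two hunks that follow only rename handlers.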
@@ -14,29 +14,41 @@ state: directory mode: 0755 -- name: write bird configuration +- name: write bird.conf template: - src: bird{{ item }}.conf.j2 - dest: /etc/bird/bird{{ item }}.conf + src: bird.conf.j2 + dest: /etc/bird/bird.conf mode: 0640 owner: bird group: bird - notify: reload bird{{ item }} - with_items: - - "" - - 6 + notify: reload systemd unit bird -- name: configure mwu peers +- name: write bird6.conf template: - src: mwu_ipv{{ item }}_peers.conf.j2 - dest: /etc/bird/mwu_ipv{{ item }}_peers.conf + src: bird6.conf.j2 + dest: /etc/bird/bird6.conf mode: 0640 owner: bird group: bird - notify: reload bird{{ item }} - with_items: - - 4 - - 6 + notify: reload systemd unit bird6 + +- name: write mwu_ipv4_peers.conf + template: + src: mwu_ipv4_peers.conf.j2 + dest: /etc/bird/mwu_ipv4_peers.conf + mode: 0640 + owner: bird + group: bird + notify: reload systemd unit bird + +- name: write mwu_ipv6_peers.conf + template: + src: mwu_ipv6_peers.conf.j2 + dest: /etc/bird/mwu_ipv6_peers.conf + mode: 0640 + owner: bird + group: bird + notify: reload systemd unit bird6 - name: enable + start systemd units bird + bird6 systemd: From ea08c856ac013c0c28ab024f6c00e5aa56991b66 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Fri, 6 Oct 2017 00:15:31 +0200 Subject: [PATCH 051/106] Update some ipaddr filters --- roles/network-ffrl/templates/ffrl.j2 | 4 ++-- roles/network-ffrl/templates/ffrl_nat.j2 | 2 +- roles/network-meshbridge/templates/bridge.j2 | 4 ++-- roles/service-bird-ffrl/templates/ffrl_ipv4.conf.j2 | 2 +- roles/service-rclocal/templates/rc.local.j2 | 4 ++-- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/roles/network-ffrl/templates/ffrl.j2 b/roles/network-ffrl/templates/ffrl.j2 index bf107db..f8323c3 100644 --- a/roles/network-ffrl/templates/ffrl.j2 +++ b/roles/network-ffrl/templates/ffrl.j2 
@@ -11,5 +11,5 @@ iface {{ item.key }} inet tunnel mtu 1400 tunnel-physdev {{ ansible_default_ipv4.interface }} - address {{ item.value.tunnel_ipv4_network | ipaddr('net') | ipaddr('1') | ipaddr('address') }}/{{ item.value.tunnel_ipv4_network | ipaddr('net') | ipaddr('prefix') }} - address {{ item.value.tunnel_ipv6_network | ipaddr('net') | ipaddr('2') | ipaddr('address') }}/{{ item.value.tunnel_ipv6_network | ipaddr('net') | ipaddr('prefix') }} + address {{ item.value.tunnel_ipv4_network | ipaddr('net') | ipaddr('1') | ipaddr('ip/prefix') }} + address {{ item.value.tunnel_ipv6_network | ipaddr('net') | ipaddr('2') | ipaddr('ip/prefix') }} diff --git a/roles/network-ffrl/templates/ffrl_nat.j2 b/roles/network-ffrl/templates/ffrl_nat.j2 index 8e0ff23..39523e9 100644 --- a/roles/network-ffrl/templates/ffrl_nat.j2 +++ b/roles/network-ffrl/templates/ffrl_nat.j2 @@ -4,4 +4,4 @@ auto ffrl-nat iface ffrl-nat link-type dummy - address {{ ffrl_public_ipv4_nat | ipaddr('address') }}/{{ ffrl_public_ipv4_nat | ipaddr('prefix') }} + address {{ ffrl_public_ipv4_nat | ipaddr('host') }} diff --git a/roles/network-meshbridge/templates/bridge.j2 b/roles/network-meshbridge/templates/bridge.j2 index b3f47ec..c13057b 100644 --- a/roles/network-meshbridge/templates/bridge.j2 +++ b/roles/network-meshbridge/templates/bridge.j2 
@@ -6,10 +6,10 @@ auto {{ item.key }}BR iface {{ item.key }}BR hwaddress {{ mac | hwaddr('linux') }} - address {{ item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') }}/{{ item.value.ipv4_network | ipaddr('net') | ipaddr('prefix') }} + address {{ item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('ip/prefix') }} {% for ip_type, ip_list in item.value.ipv6.iteritems() %} {% for ip in ip_list %} - address {{ ip | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('address') }}/{{ ip | ipaddr('net') | ipsubnet(64, 0) | ipaddr('prefix') }} + address {{ ip | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('ip/prefix') }} {% endfor %} {% endfor %} bridge-ports {{ item.key }}BAT diff --git a/roles/service-bird-ffrl/templates/ffrl_ipv4.conf.j2 b/roles/service-bird-ffrl/templates/ffrl_ipv4.conf.j2 index 4a16d6f..c20abc7 100644 --- a/roles/service-bird-ffrl/templates/ffrl_ipv4.conf.j2 +++ b/roles/service-bird-ffrl/templates/ffrl_ipv4.conf.j2 @@ -12,7 +12,7 @@ table ffrl; # Functions function is_ffrl_nat() { return net ~ [ - {{ ffrl_public_ipv4_nat | ipaddr('address') }}/{{ ffrl_public_ipv4_nat | ipaddr('prefix') }} + {{ ffrl_public_ipv4_nat | ipaddr('host') }} ]; } diff --git a/roles/service-rclocal/templates/rc.local.j2 b/roles/service-rclocal/templates/rc.local.j2 index 25772e9..beeae5e 100644 --- a/roles/service-rclocal/templates/rc.local.j2 +++ b/roles/service-rclocal/templates/rc.local.j2 
@@ -64,8 +64,8 @@ ip -6 rule add to {{ public }} lookup internet priority 41 {% endfor %} ip -6 rule add from all oif {{ mesh_id }}BR lookup internet priority 41 {% endfor %} -ip -4 rule add from {{ ffrl_public_ipv4_nat | ipaddr('address') }}/{{ ffrl_public_ipv4_nat | ipaddr('prefix') }} lookup internet priority 41 -ip -4 rule add to {{ ffrl_public_ipv4_nat | ipaddr('address') }}/{{ ffrl_public_ipv4_nat | ipaddr('prefix') }} lookup internet priority 41 +ip -4 rule add from {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41 +ip -4 rule add to {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41 # Priority 61 - at this point this is the end of policy routing for freifunk related routes {% for mesh_id, mesh_value in meshes.iteritems() %} From 900eacafb231acd4165bfd2243b0f28b37d4b558 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Fri, 6 Oct 2017 09:56:14 +0200 Subject: [PATCH 052/106] Fix wrong IP subnet calculation in roles service-radvd + service-rclocal --- roles/service-radvd/templates/radvd.conf.j2 | 2 +- roles/service-rclocal/templates/rc.local.j2 | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/service-radvd/templates/radvd.conf.j2 b/roles/service-radvd/templates/radvd.conf.j2 index c8ee2d7..c63e016 100644 --- a/roles/service-radvd/templates/radvd.conf.j2 +++ b/roles/service-radvd/templates/radvd.conf.j2 @@ -24,7 +24,7 @@ interface {{ mesh_id }}BR {% for ip_type, ip_list in mesh_value.ipv6.iteritems() %} {% for prefix in ip_list %} {% if ip_type == "public" %} - prefix {{ prefix | ipaddr('net') | ipsubnet(64, magic) | ipaddr('subnet') }} + prefix {{ prefix | ipaddr('net') | ipsubnet(56, magic) | ipsubnet(64, 0) | ipaddr('subnet') }} {% else %} prefix {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} {% endif %} diff --git a/roles/service-rclocal/templates/rc.local.j2 b/roles/service-rclocal/templates/rc.local.j2 index beeae5e..5bd9448 100644 
--- a/roles/service-rclocal/templates/rc.local.j2 +++ b/roles/service-rclocal/templates/rc.local.j2 @@ -102,11 +102,11 @@ ip -6 rule add from all lookup icvpn priority 107 # static {{ mesh_value.site_name }} routes for rt_table mwu /sbin/ip -4 route add {{ mesh_value.ipv4_network }} proto static dev {{ mesh_id }}BR table mwu {% for ula in mesh_value.ipv6.ula %} -/sbin/ip -6 route add {{ ula | ipaddr('net') | ipsubnet(64, 0) }} proto static dev {{ mesh_id }}BR table mwu +/sbin/ip -6 route add {{ ula | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh_id }}BR table mwu {% endfor %} {% for public in mesh_value.ipv6.public %} -/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(64, 0) }} proto static dev {{ mesh_id }}BR table mwu -/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(64, magic) }} proto static dev {{ mesh_id }}BR table mwu +/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh_id }}BR table mwu +/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(56, magic) | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh_id }}BR table mwu {% endfor %} {% if not loop.last %} From a2fa5ff22321a5e0eb0e4c14aba6aca15056f030 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Fri, 6 Oct 2017 10:33:38 +0200 Subject: [PATCH 053/106] Role service-fastd-mesh: move peer limit to a separate file which isn't managed by ansible --- .../service-fastd-mesh/files/peer_limit.conf | 1 + roles/service-fastd-mesh/tasks/main.yml | 20 +++++++++++++++++++ .../templates/fastd-mesh.conf.j2 | 2 +- 3 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 roles/service-fastd-mesh/files/peer_limit.conf diff --git a/roles/service-fastd-mesh/files/peer_limit.conf b/roles/service-fastd-mesh/files/peer_limit.conf new file mode 100644 index 0000000..f294c83 --- /dev/null +++ b/roles/service-fastd-mesh/files/peer_limit.conf @@ -0,0 +1 @@ +peer limit 200; 
diff --git a/roles/service-fastd-mesh/tasks/main.yml b/roles/service-fastd-mesh/tasks/main.yml index 41a4f18..c45e907 100644 --- a/roles/service-fastd-mesh/tasks/main.yml +++ b/roles/service-fastd-mesh/tasks/main.yml @@ -60,6 +60,26 @@ notify: restart fastd mesh instances with_dict: "{{ meshes }}" +- name: copy peer_limit.conf if not exist + copy: + src: peer_limit.conf + dest: "/etc/fastd/{{ item.key }}VPN/peer_limit.conf" + owner: admin + group: admin + mode: 0640 + force: no + notify: restart fastd mesh instances + with_dict: "{{ meshes }}" + +- name: set file attributes for peer_limit.conf + file: + path: "/etc/fastd/{{ item.key }}VPN/peer_limit.conf" + mode: 0640 + owner: admin + group: admin + notify: restart fastd mesh instances + with_dict: "{{ meshes }}" + - name: write systemd unit fastd-sync-meshkeys.service template: src: fastd-sync-meshkeys.service.j2 diff --git a/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 b/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 index 8c7b2ec..f63b0a6 100644 --- a/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 +++ b/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 @@ -18,7 +18,7 @@ include "secret.conf"; mtu 1406; peer group "vpn_nodes" { - peer limit 150; + include "peer_limit.conf"; include peers from "peers"; {% if item.key == "mz" %} include peers from "peers_bingen"; From 7e181923b3cc4b61ed936cbfae4b23f8d1535e9b Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Fri, 6 Oct 2017 10:49:41 +0200 Subject: [PATCH 054/106] Role service-fastd: ensure fastd service is masked --- roles/service-fastd/tasks/main.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/service-fastd/tasks/main.yml b/roles/service-fastd/tasks/main.yml index 3d71fab..4b59534 100644 --- a/roles/service-fastd/tasks/main.yml +++ b/roles/service-fastd/tasks/main.yml @@ -7,3 +7,8 @@ with_items: - fastd - git + +- name: mask legacy service fastd + systemd: + name: fastd + masked: yes 
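Review bot: In the `mask legacy service fastd` task, `masked: yes` on its own does not stop a `fastd.service` instance that is already running — masking only links the unit to /dev/null and blocks future starts — so on a host where the legacy service is active the task reports success while the old daemon keeps its sockets and peers. Add `state: stopped` to the same `systemd:` call so the legacy instance is stopped and masked in one step.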
From 829d931ff982ac9929cbbd6e2476a455895a01eb Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Fri, 6 Oct 2017 11:47:09 +0200 Subject: [PATCH 055/106] Role service-fastd-mesh: add systemd timer for fastd peer limit update script --- roles/service-fastd-mesh/tasks/main.yml | 25 +++++++++++++++++-- .../fastd-peer-limit-update.service.j2 | 10 ++++++++ .../fastd-peer-limit-update.timer.j2 | 12 +++++++++ 3 files changed, 45 insertions(+), 2 deletions(-) create mode 100644 roles/service-fastd-mesh/templates/fastd-peer-limit-update.service.j2 create mode 100644 roles/service-fastd-mesh/templates/fastd-peer-limit-update.timer.j2 diff --git a/roles/service-fastd-mesh/tasks/main.yml b/roles/service-fastd-mesh/tasks/main.yml index c45e907..a7d376d 100644 --- a/roles/service-fastd-mesh/tasks/main.yml +++ b/roles/service-fastd-mesh/tasks/main.yml @@ -98,8 +98,29 @@ mode: 0644 notify: reload systemd -- name: configure systemd unit/timer fastd-sync-meshkeys +- name: write systemd unit fastd-peer-limit-update.service + template: + src: fastd-peer-limit-update.service.j2 + dest: /etc/systemd/system/fastd-peer-limit-update.service + owner: root + group: root + mode: 0644 + notify: reload systemd + +- name: write systemd timer fastd-peer-limit-update.timer + template: + src: fastd-peer-limit-update.timer.j2 + dest: /etc/systemd/system/fastd-peer-limit-update.timer + owner: root + group: root + mode: 0644 + notify: reload systemd + +- name: configure systemd timers for fastd-mesh instance systemd: - name: fastd-sync-meshkeys.timer + name: "{{ item }}.timer" enabled: yes state: started + with_items: + - fastd-sync-meshkeys + - fastd-peer-limit-update diff --git a/roles/service-fastd-mesh/templates/fastd-peer-limit-update.service.j2 b/roles/service-fastd-mesh/templates/fastd-peer-limit-update.service.j2 new file mode 100644 index 0000000..963809e --- /dev/null +++ b/roles/service-fastd-mesh/templates/fastd-peer-limit-update.service.j2 
@@ -0,0 +1,10 @@
+#
+# {{ ansible_managed }}
+#
+[Unit]
+Description=Update fastd peer limits
+
+[Service]
+ExecStart=/home/admin/clones/backend-scripts/limit_fastd_peers_gw.py
+User=admin
+Group=admin
diff --git a/roles/service-fastd-mesh/templates/fastd-peer-limit-update.timer.j2 b/roles/service-fastd-mesh/templates/fastd-peer-limit-update.timer.j2
new file mode 100644
index 0000000..880c912
--- /dev/null
+++ b/roles/service-fastd-mesh/templates/fastd-peer-limit-update.timer.j2
@@ -0,0 +1,12 @@
+#
+# {{ ansible_managed }}
+#
+[Unit]
+Description=Timer which schedules fastd-peer-limit-update.service
+
+[Timer]
+OnBootSec=5min
+OnUnitActiveSec=5min
+
+[Install]
+WantedBy=timers.target
From 2bbd39009cd8a82dfb5ce6ba1ff4881e8f88b607 Mon Sep 17 00:00:00 2001
From: Julian Labus
Date: Fri, 6 Oct 2017 14:04:29 +0200
Subject: [PATCH 056/106] Update Readme.md
---
 Readme.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Readme.md b/Readme.md
index cf7fc04..e856fc6 100644
--- a/Readme.md
+++ b/Readme.md
@@ -114,6 +114,7 @@ export PASSWORD_STORE_DIR=...
 magic:
 # Die Nummer des /22er IPv4-Subnetzes, das per DHCP verteilt werden soll.
+# z.B. 5 für 10.X.16.0/22 (fünftes /22 Subnetz aus 10.X.0.0/18)
 ipv4_dhcp_range:
 # FFRL (muss vorher bereits zugewiesen worden sein)
From 63ca114c95399e5da8c4cc63cc413bc3c5785bea Mon Sep 17 00:00:00 2001
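Review bot: `fastd-peer-limit-update.service` runs a script out of a git working tree under the `admin` home directory (`/home/admin/clones/backend-scripts/limit_fastd_peers_gw.py`) every five minutes, with the default `Type=` and no sandboxing, so anyone who can write that checkout — or its upstream — controls a recurring job that, going by the unit description and the admin-owned `peer_limit.conf` files set up in the previous commit, feeds fastd's configuration. `Type=oneshot` is the conventional service type for a timer-driven script, and the unit should only be allowed to write where the script needs to; the script is not in this repository, so confirm its write paths (and whether it escalates to reload fastd) before adding the restrictions below. A comment in the unit naming the script's origin and what it is expected to modify would also help the next maintainer.
```ini
[Service]
Type=oneshot
ExecStart=/home/admin/clones/backend-scripts/limit_fastd_peers_gw.py
User=admin
Group=admin
PrivateTmp=true
ProtectSystem=strict
# TODO(review): confirm against the script; it presumably rewrites /etc/fastd/<mesh>VPN/peer_limit.conf
ReadWritePaths=/etc/fastd
```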
From: Tobias Hachmer Date: Fri, 6 Oct 2017 22:58:00 +0200 Subject: [PATCH 057/106] Migrate nested dictionary `meshes` into a list of dictionaries - migrate dictionary `ipv6` into two simple lists - migrate dictionary `forward_zones` into a list --- Readme.md | 42 ++++++------ inventory/group_vars/all | 40 ++++++------ roles/network-batman/README.md | 2 +- roles/network-batman/tasks/main.yml | 8 +-- roles/network-batman/templates/batman.j2 | 18 +++--- roles/network-batman/templates/dummy.j2 | 6 +- roles/network-fastd/README.md | 2 +- roles/network-fastd/tasks/main.yml | 8 +-- .../templates/fastd-intragate.j2 | 6 +- roles/network-fastd/templates/fastd-mesh.j2 | 6 +- roles/network-iptables-gateway/README.md | 2 +- .../templates/rules.v4.j2 | 8 +-- .../templates/rules.v6.j2 | 4 +- roles/network-meshbridge/README.md | 11 ++-- roles/network-meshbridge/tasks/main.yml | 8 +-- roles/network-meshbridge/templates/bridge.j2 | 17 ++--- roles/network-meshbridge/templates/sysfs.j2 | 2 +- roles/service-bind-slave/README.md | 11 ++-- roles/service-bind-slave/tasks/main.yml | 4 +- .../templates/named.conf.j2 | 4 +- .../templates/named.conf.mesh.j2 | 44 ++++++------- .../templates/named.conf.options.j2 | 14 ++-- roles/service-bird-ffrl/README.md | 7 +- .../templates/ffrl_ipv6.conf.j2 | 8 +-- roles/service-bird/README.md | 7 +- roles/service-bird/templates/bird.conf.j2 | 8 +-- roles/service-bird/templates/bird6.conf.j2 | 8 +-- roles/service-dhcpd/README.md | 2 +- roles/service-dhcpd/tasks/main.yml | 2 +- roles/service-dhcpd/templates/dhcpd.conf.j2 | 2 +- roles/service-fastd-intragate/README.md | 2 +- .../service-fastd-intragate/handlers/main.yml | 2 +- roles/service-fastd-intragate/tasks/main.yml | 26 ++++---- .../templates/fastd-intragate.conf.j2 | 14 ++-- .../templates/fastd-secret.conf.j2 | 2 +- roles/service-fastd-mesh/README.md | 2 +- roles/service-fastd-mesh/handlers/main.yml | 2 +- roles/service-fastd-mesh/tasks/main.yml | 34 +++++----- .../templates/fastd-mesh.conf.j2 | 16 
++--- .../templates/fastd-secret.conf.j2 | 2 +- roles/service-radvd/README.md | 11 ++-- roles/service-radvd/templates/radvd.conf.j2 | 36 +++++------ roles/service-rclocal/README.md | 11 ++-- roles/service-rclocal/templates/rc.local.j2 | 64 +++++++++---------- 44 files changed, 263 insertions(+), 272 deletions(-) diff --git a/Readme.md b/Readme.md index e856fc6..6d8973b 100644 --- a/Readme.md +++ b/Readme.md @@ -20,20 +20,19 @@ Die Server werden mit ihren FQDNs im Ansible Inventory hinterlegt, bedenkt das f ## Variablen für jedes Mesh Viele Rollen brauchen spezifische Informationen, wie IP-Adresse, Masken, Interface-Namen, etc. -Wir verwalten diese Mesh-Informationen in einem Dictionary unter `inventory/group_vars/all`: +Wir verwalten diese Mesh-Informationen in einer Liste von Dictionaries unter `inventory/group_vars/all`: ``` meshes: - mz: + - id: mz site_number: 37 site_code: ffmz site_name: Mainz ipv4_network: 10.37.0.0/18 - ipv6: - ula: - - fd37:b4dc:4b1e::/48 - public: - - 2a03:2260:11a::/48 + ipv6_ula: + - fd37:b4dc:4b1e::/48 + ipv6_public: + - 2a03:2260:11a::/48 dnssl: - ffmz.org - user.ffmz.org @@ -53,23 +52,22 @@ meshes: dns: master: fd37:b4dc:4b1e::a25:103 forward_zones: - ffmz.org: - user.ffmz.org: - bb.ffmz.org: - nodes.ffmz.org: - ffbin: + - name: ffmz.org + - name: user.ffmz.org + - name: bb.ffmz.org + - name: nodes.ffmz.org + - name: ffbin master: fd37:b4dc:4b1e::a25:10c - wi: + - id: wi site_number: 56 site_code: ffwi site_name: Wiesbaden ipv4_network: 10.56.0.0/18 - ipv6: - ula: - - fd56:b4dc:4b1e::/48 - public: - - 2a03:2260:11b::/48 + ipv6_ula: + - fd56:b4dc:4b1e::/48 + ipv6_public: + - 2a03:2260:11b::/48 dnssl: - ffwi.org - user.ffwi.org @@ -88,10 +86,10 @@ meshes: dns: master: fd56:b4dc:4b1e::a38:103 forward_zones: - ffwi.org: - user.ffwi.org: - bb.ffwi.org: - nodes.ffwi.org: + - name: ffwi.org + - name: user.ffwi.org + - name: bb.ffwi.org + - name: nodes.ffwi.org ``` ## Sensible Informationen 
diff --git a/inventory/group_vars/all b/inventory/group_vars/all index b6be8e2..3b2d411 100644 --- a/inventory/group_vars/all +++ b/inventory/group_vars/all @@ -17,16 +17,15 @@ bgp_ipv4_transfer_net: 10.37.0.0/18 bgp_ipv6_transfer_net: fd37:b4dc:4b1e::/64 meshes: - mz: + - id: mz site_number: 37 site_code: ffmz site_name: Mainz ipv4_network: 10.37.0.0/18 - ipv6: - ula: - - fd37:b4dc:4b1e::/48 - public: - - 2a03:2260:11a::/48 + ipv6_ula: + - fd37:b4dc:4b1e::/48 + ipv6_public: + - 2a03:2260:11a::/48 dnssl: - ffmz.org - user.ffmz.org @@ -46,23 +45,22 @@ meshes: dns: master: fd37:b4dc:4b1e::a25:103 forward_zones: - ffmz.org: - user.ffmz.org: - bb.ffmz.org: - nodes.ffmz.org: - ffbin: + - name: ffmz.org + - name: user.ffmz.org + - name: bb.ffmz.org + - name: nodes.ffmz.org + - name: ffbin master: fd37:b4dc:4b1e::a25:10c - wi: + - id: wi site_number: 56 site_code: ffwi site_name: Wiesbaden ipv4_network: 10.56.0.0/18 - ipv6: - ula: - - fd56:b4dc:4b1e::/48 - public: - - 2a03:2260:11b::/48 + ipv6_ula: + - fd56:b4dc:4b1e::/48 + ipv6_public: + - 2a03:2260:11b::/48 dnssl: - ffwi.org - user.ffwi.org @@ -82,10 +80,10 @@ meshes: dns: master: fd56:b4dc:4b1e::a38:103 forward_zones: - ffwi.org: - user.ffwi.org: - bb.ffwi.org: - nodes.ffwi.org: + - name: ffwi.org + - name: user.ffwi.org + - name: bb.ffwi.org + - name: nodes.ffwi.org icvpn: prefix: mwu diff --git a/roles/network-batman/README.md b/roles/network-batman/README.md index a47e4e8..c90a6f1 100644 --- a/roles/network-batman/README.md +++ b/roles/network-batman/README.md @@ -12,7 +12,7 @@ Diese Ansible role konfiguriert batman-adv Netzwerk Interfaces. - Dictionary `meshes` ´´´ meshes: - xx: + - id: xx ... ipv4_network: ... diff --git a/roles/network-batman/tasks/main.yml b/roles/network-batman/tasks/main.yml index d4e065e..3a1f901 100644 --- a/roles/network-batman/tasks/main.yml +++ b/roles/network-batman/tasks/main.yml 
@@ -2,13 +2,13 @@ - name: create dummy interfaces template: src: dummy.j2 - dest: "/etc/network/interfaces.d/{{ item.key }}0" + dest: "/etc/network/interfaces.d/{{ item.id }}0" notify: reload network interfaces - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" - name: create batman interfaces template: src: batman.j2 - dest: "/etc/network/interfaces.d/{{ item.key }}BAT" + dest: "/etc/network/interfaces.d/{{ item.id }}BAT" notify: reload network interfaces - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" diff --git a/roles/network-batman/templates/batman.j2 b/roles/network-batman/templates/batman.j2 index b907e87..7639794 100644 --- a/roles/network-batman/templates/batman.j2 +++ b/roles/network-batman/templates/batman.j2 @@ -1,14 +1,14 @@ -{% set ip4hex = item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} +{% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} {% set mac = '0201' + ip4hex -%} # # {{ ansible_managed }} # -auto {{ item.key }}BAT -iface {{ item.key }}BAT +auto {{ item.id }}BAT +iface {{ item.id }}BAT hwaddress {{ mac | hwaddr('linux') }} - batman-ifaces {{ item.key }}0 {{ item.key }}VPN {{ item.key }}igVPN - batman-hop-penalty {{ item.value.batman.hop_penalty }} - post-up /usr/sbin/batctl -m $IFACE it {{ item.value.batman.it }} - post-up /usr/sbin/batctl -m $IFACE gw {{ item.value.batman.gw }} - post-up /usr/sbin/batctl -m $IFACE mm {{ item.value.batman.mm }} - post-up /usr/sbin/batctl -m $IFACE dat {{ item.value.batman.dat }} + batman-ifaces {{ item.id }}0 {{ item.id }}VPN {{ item.id }}igVPN + batman-hop-penalty {{ item.batman.hop_penalty }} + post-up /usr/sbin/batctl -m $IFACE it {{ item.batman.it }} + post-up /usr/sbin/batctl -m $IFACE gw {{ item.batman.gw }} + post-up /usr/sbin/batctl -m $IFACE mm {{ item.batman.mm }} + post-up /usr/sbin/batctl -m $IFACE dat {{ item.batman.dat }} 
diff --git a/roles/network-batman/templates/dummy.j2 b/roles/network-batman/templates/dummy.j2 index 6c6af99..a18a325 100644 --- a/roles/network-batman/templates/dummy.j2 +++ b/roles/network-batman/templates/dummy.j2 @@ -1,9 +1,9 @@ -{% set ip4hex = item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} +{% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} {% set mac = '0200' + ip4hex -%} # # {{ ansible_managed }} # -auto {{ item.key }}0 -iface {{ item.key }}0 +auto {{ item.id }}0 +iface {{ item.id }}0 link-type dummy hwaddress {{ mac | hwaddr('linux') }} diff --git a/roles/network-fastd/README.md b/roles/network-fastd/README.md index 5eac5c6..535178e 100644 --- a/roles/network-fastd/README.md +++ b/roles/network-fastd/README.md @@ -10,7 +10,7 @@ Diese Ansible role konfiguriert Netzwerk Interfaces für fastd. - Dictionary `meshes` ´´´ meshes: - xx: + - id: xx ... ipv4_network: ... diff --git a/roles/network-fastd/tasks/main.yml b/roles/network-fastd/tasks/main.yml index d1b2ab5..2b53d6b 100644 --- a/roles/network-fastd/tasks/main.yml +++ b/roles/network-fastd/tasks/main.yml @@ -2,13 +2,13 @@ - name: create fastd mesh interfaces template: src: fastd-mesh.j2 - dest: "/etc/network/interfaces.d/{{ item.key }}VPN" + dest: "/etc/network/interfaces.d/{{ item.id }}VPN" notify: reload network interfaces - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" - name: create fastd intragate interfaces template: src: fastd-intragate.j2 - dest: "/etc/network/interfaces.d/{{ item.key }}igVPN" + dest: "/etc/network/interfaces.d/{{ item.id }}igVPN" notify: reload network interfaces - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" diff --git a/roles/network-fastd/templates/fastd-intragate.j2 b/roles/network-fastd/templates/fastd-intragate.j2 index 838ddc5..ffb1d63 100644 --- a/roles/network-fastd/templates/fastd-intragate.j2 +++ b/roles/network-fastd/templates/fastd-intragate.j2 
@@ -1,8 +1,8 @@ -{% set ip4hex = item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} +{% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} {% set mac = '0212' + ip4hex -%} # # {{ ansible_managed }} # -auto {{ item.key }}igVPN -iface {{ item.key }}igVPN +auto {{ item.id }}igVPN +iface {{ item.id }}igVPN hwaddress {{ mac | hwaddr('linux') }} diff --git a/roles/network-fastd/templates/fastd-mesh.j2 b/roles/network-fastd/templates/fastd-mesh.j2 index 1a41329..879ceea 100644 --- a/roles/network-fastd/templates/fastd-mesh.j2 +++ b/roles/network-fastd/templates/fastd-mesh.j2 @@ -1,8 +1,8 @@ -{% set ip4hex = item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} +{% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} {% set mac = '0211' + ip4hex -%} # # {{ ansible_managed }} # -auto {{ item.key }}VPN -iface {{ item.key }}VPN +auto {{ item.id }}VPN +iface {{ item.id }}VPN hwaddress {{ mac | hwaddr('linux') }} diff --git a/roles/network-iptables-gateway/README.md b/roles/network-iptables-gateway/README.md index c337694..bd8c854 100644 --- a/roles/network-iptables-gateway/README.md +++ b/roles/network-iptables-gateway/README.md @@ -18,7 +18,7 @@ sysctl_settings_netfilter: - Dictionary `meshes` ´´´ meshes: - xx: + - id: xx ... ipv4_network: ... diff --git a/roles/network-iptables-gateway/templates/rules.v4.j2 b/roles/network-iptables-gateway/templates/rules.v4.j2 index 2fe7db6..6687696 100644 --- a/roles/network-iptables-gateway/templates/rules.v4.j2 +++ b/roles/network-iptables-gateway/templates/rules.v4.j2 
@@ -8,8 +8,8 @@ -A INPUT -d {{ ansible_default_ipv4.address | ipaddr('public') }}/32 -p gre -j ACCEPT -A INPUT -m conntrack --ctstate INVALID -j DROP -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -{% for mesh_id, mesh_value in meshes.iteritems() %} --A FORWARD -i {{ mesh_id }}BR -o {{ mesh_id }}BR -j ACCEPT +{% for mesh in meshes %} +-A FORWARD -i {{ mesh.id }}BR -o {{ mesh.id }}BR -j ACCEPT {% endfor %} -A FORWARD -m conntrack --ctstate INVALID -j DROP -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT @@ -31,8 +31,8 @@ COMMIT :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :ffrl-nat - [0:0] -{% for mesh_id, mesh_value in meshes.iteritems() %} --A POSTROUTING -s {{ mesh_value.ipv4_network | ipaddr('private') | ipaddr('net') }} -o ffrl+ -j ffrl-nat +{% for mesh in meshes %} +-A POSTROUTING -s {{ mesh.ipv4_network | ipaddr('private') | ipaddr('net') }} -o ffrl+ -j ffrl-nat {% endfor %} -A ffrl-nat -o ffrl+ -j SNAT --to-source {{ ffrl_public_ipv4_nat | ipaddr('address') }} COMMIT diff --git a/roles/network-iptables-gateway/templates/rules.v6.j2 b/roles/network-iptables-gateway/templates/rules.v6.j2 index b559d33..fba66f1 100644 --- a/roles/network-iptables-gateway/templates/rules.v6.j2 +++ b/roles/network-iptables-gateway/templates/rules.v6.j2 @@ -7,8 +7,8 @@ :OUTPUT ACCEPT [0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -{% for mesh_id, mesh_value in meshes.iteritems() %} --A FORWARD -i {{ mesh_id }}BR -o {{ mesh_id }}BR -j ACCEPT +{% for mesh in meshes %} +-A FORWARD -i {{ mesh.id }}BR -o {{ mesh.id }}BR -j ACCEPT {% endfor %} -A FORWARD -m conntrack --ctstate INVALID -j DROP -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT diff --git a/roles/network-meshbridge/README.md b/roles/network-meshbridge/README.md index 8b9b4e7..deb0f30 100644 --- a/roles/network-meshbridge/README.md +++ b/roles/network-meshbridge/README.md 
@@ -11,15 +11,14 @@ Diese Ansible role konfiguriert die Linux Bridges für die Freifunk Meshes. - Dictionary `meshes` ´´´ meshes: - xx: + -id: xx ... ipv4_network: ... - ipv6: - ula: - - fdxx.../48 # ipv6 ula prefix - public: - - 2xxx.../48 # ipv6 public prefix + ipv6_ula: + - fdxx.../48 # ipv6 ula prefix + ipv6_public: + - 2xxx.../48 # ipv6 public prefix ´´´ - Host Variable `magic` diff --git a/roles/network-meshbridge/tasks/main.yml b/roles/network-meshbridge/tasks/main.yml index a8717c5..ef4e9e9 100644 --- a/roles/network-meshbridge/tasks/main.yml +++ b/roles/network-meshbridge/tasks/main.yml @@ -2,13 +2,13 @@ - name: create mesh bridges template: src: bridge.j2 - dest: "/etc/network/interfaces.d/{{ item.key }}BR" + dest: "/etc/network/interfaces.d/{{ item.id }}BR" notify: reload network interfaces - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" - name: set sysfs variables template: src: sysfs.j2 - dest: "/etc/sysfs.d/99-{{ item.key }}BR.conf" - with_dict: "{{ meshes }}" + dest: "/etc/sysfs.d/99-{{ item.id }}BR.conf" + with_items: "{{ meshes }}" notify: activate sysfs variables diff --git a/roles/network-meshbridge/templates/bridge.j2 b/roles/network-meshbridge/templates/bridge.j2 index c13057b..dd6efae 100644 --- a/roles/network-meshbridge/templates/bridge.j2 +++ b/roles/network-meshbridge/templates/bridge.j2 
@@ -1,15 +1,16 @@ -{% set ip4hex = item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} +{% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} {% set mac = '0210' + ip4hex -%} # # {{ ansible_managed }} # -auto {{ item.key }}BR -iface {{ item.key }}BR +auto {{ item.id }}BR +iface {{ item.id }}BR hwaddress {{ mac | hwaddr('linux') }} - address {{ item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('ip/prefix') }} -{% for ip_type, ip_list in item.value.ipv6.iteritems() %} -{% for ip in ip_list %} - address {{ ip | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('ip/prefix') }} + address {{ item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('ip/prefix') }} +{% for prefix in item.ipv6_ula %} + address {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('ip/prefix') }} {% endfor %} +{% for prefix in item.ipv6_public %} + address {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('ip/prefix') }} {% endfor %} - bridge-ports {{ item.key }}BAT + bridge-ports {{ item.id }}BAT diff --git a/roles/network-meshbridge/templates/sysfs.j2 b/roles/network-meshbridge/templates/sysfs.j2 index 04bed17..b092e3b 100644 --- a/roles/network-meshbridge/templates/sysfs.j2 +++ b/roles/network-meshbridge/templates/sysfs.j2 @@ -1,4 +1,4 @@ # # {{ ansible_managed }} # -class/net/{{ item.key }}BR/bridge/hash_max = 16384 +class/net/{{ item.id }}BR/bridge/hash_max = 16384 diff --git a/roles/service-bind-slave/README.md b/roles/service-bind-slave/README.md index 5062605..42d4f12 100644 --- a/roles/service-bind-slave/README.md +++ b/roles/service-bind-slave/README.md 
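Review bot: The two new loops in bridge.j2 over `item.ipv6_ula` and `item.ipv6_public` have the same body, so the second copy of the `address` line is pure duplication; `{% for prefix in item.ipv6_ula + item.ipv6_public %}` with a single `address {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('ip/prefix') }}` line renders the same stanza, ULA addresses first, and keeps the two lists in one place should a further kind ever be added. A one-line comment above it, `# address number "magic" inside the first /64 of each configured prefix`, would spare the reader the ipaddr/ipsubnet chain.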
@@ -15,18 +15,17 @@ Die Gateways agieren lediglich als Slave-DNS Server. - Dictionary `meshes` ´´´ meshes: - xx: + - id: xx ... site_code: # string ipv4_network: - ipv6: - ula: - - # ULA-Prefix - - ... + ipv6_ula: + - # ULA-Prefix + - ... dns: master: # IP-Adresse des DNS Masters forward_zones: - $zone: # DNS-Domain + - name: $zone # DNS-Domain master: # optional: IP-Adresse des DNS Masters, wenn die vom übergeordneten abweicht. ´´´ diff --git a/roles/service-bind-slave/tasks/main.yml b/roles/service-bind-slave/tasks/main.yml index c7578ac..c11409b 100644 --- a/roles/service-bind-slave/tasks/main.yml +++ b/roles/service-bind-slave/tasks/main.yml @@ -44,12 +44,12 @@ - name: write named.conf for meshes template: src: named.conf.mesh.j2 - dest: /etc/bind/named.conf.{{ item.value.site_code }} + dest: /etc/bind/named.conf.{{ item.site_code }} owner: root group: bind mode: 0644 notify: restart bind9 - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" - name: write initial icvpn bind config shell: /usr/bin/python3 /home/admin/clones/icvpn-scripts/mkdns -f bind -x mwu -x bingen -s /home/admin/clones/icvpn-meta > /etc/bind/named.conf.icvpn diff --git a/roles/service-bind-slave/templates/named.conf.j2 b/roles/service-bind-slave/templates/named.conf.j2 index 04a4465..e7d3814 100644 --- a/roles/service-bind-slave/templates/named.conf.j2 +++ b/roles/service-bind-slave/templates/named.conf.j2 @@ -5,7 +5,7 @@ include "/etc/bind/named.conf.options"; include "/etc/bind/named.conf.default-zones"; include "/etc/bind/named.conf.logging"; -{% for mesh_id, mesh_value in meshes.iteritems() %} -include "/etc/bind/named.conf.{{ mesh_value.site_code }}"; +{% for mesh in meshes %} +include "/etc/bind/named.conf.{{ mesh.site_code }}"; {% endfor %} include "/etc/bind/named.conf.icvpn"; diff --git a/roles/service-bind-slave/templates/named.conf.mesh.j2 b/roles/service-bind-slave/templates/named.conf.mesh.j2 index 2daf882..3a9a77a 100644 
--- a/roles/service-bind-slave/templates/named.conf.mesh.j2 +++ b/roles/service-bind-slave/templates/named.conf.mesh.j2 @@ -3,35 +3,35 @@ // // ACLs -masters "ns-master-{{ item.value.site_code }}" { - {{ item.value.dns.master }}; +masters "ns-master-{{ item.site_code }}" { + {{ item.dns.master }}; }; -{% for zone_id, zone_value in item.value.dns.forward_zones.iteritems() %} -{% if zone_value.master is defined %} -masters "ns-master-{{ zone_id }}" { - {{ zone_value.master }}; +{% for zone in item.dns.forward_zones %} +{% if zone.master is defined %} +masters "ns-master-{{ zone.name }}" { + {{ zone.master }}; }; {% endif %} {% endfor %} -acl "intern-{{ item.value.site_code }}" { - {{ item.value.ipv4_network | ipaddr('net') | ipaddr('network/prefix') }}; -{% for prefix in item.value.ipv6.ula %} +acl "intern-{{ item.site_code }}" { + {{ item.ipv4_network | ipaddr('net') | ipaddr('network/prefix') }}; +{% for prefix in item.ipv6_ula %} {{ prefix | ipaddr('net') | ipaddr('network/prefix') }}; {% endfor %} }; -// DNS forward zones for {{ item.value.site_code }} -{% for zone_id, zone_value in item.value.dns.forward_zones.iteritems() %} -zone "{{ zone_id }}." { +// DNS forward zones for {{ item.site_code }} +{% for zone in item.dns.forward_zones %} +zone "{{ zone.name }}." { type slave; - file "{{ zone_id }}.db"; -{% if zone_value.master is defined %} - masters { ns-master-{{ zone_id }}; }; + file "{{ zone.name }}.db"; +{% if zone.master is defined %} + masters { ns-master-{{ zone.name }}; }; {% else %} - masters { ns-master-{{ item.value.site_code }}; }; + masters { ns-master-{{ item.site_code }}; }; {% endif %} }; {% if not loop.last %} 
@@ -39,18 +39,18 @@ zone "{{ zone_id }}." { {% endif %} {% endfor %} -// DNS reverse zones for {{ item.value.site_code }} -zone "{{ item.value.ipv4_network | ipaddr('net') | ipaddr('revdns') }}" { +// DNS reverse zones for {{ item.site_code }} +zone "{{ item.ipv4_network | ipaddr('net') | ipaddr('revdns') }}" { type slave; - file "{{ item.value.ipv4_network | ipaddr('net') | ipaddr('revdns') }}"; - masters { ns-master-{{ item.value.site_code }}; }; + file "{{ item.ipv4_network | ipaddr('net') | ipaddr('revdns') }}"; + masters { ns-master-{{ item.site_code }}; }; }; -{% for prefix in item.value.ipv6.ula %} +{% for prefix in item.ipv6_ula %} zone "{{ prefix | ipaddr('net') | ipaddr('revdns') }}" { type slave; file "{{ prefix | ipaddr('net') | ipaddr('revdns') }}"; - masters { ns-master-{{ item.value.site_code }}; }; + masters { ns-master-{{ item.site_code }}; }; }; {% if not loop.last %} diff --git a/roles/service-bind-slave/templates/named.conf.options.j2 b/roles/service-bind-slave/templates/named.conf.options.j2 index 1fec575..38edce5 100644 --- a/roles/service-bind-slave/templates/named.conf.options.j2 +++ b/roles/service-bind-slave/templates/named.conf.options.j2 
@@ -11,25 +11,25 @@ options { allow-recursion { 127.0.0.1; ::1; -{% for mesh_id, mesh_value in meshes.iteritems() %} - intern-{{ mesh_value.site_code }}; +{% for mesh in meshes %} + intern-{{ mesh.site_code }}; {% endfor %} }; allow-transfer { any; }; listen-on { 127.0.0.1; -{% for mesh_id, mesh_value in meshes.iteritems() %} - {{ mesh_value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') }}; +{% for mesh in meshes %} + {{ mesh.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') }}; {% endfor %} {{ icvpn_ipv4_transfer_net | ipaddr('net') | ipsubnet(24, 37) | ipaddr(magic) | ipaddr('address') }}; }; listen-on-v6 { ::1; -{% for mesh_id, mesh_value in meshes.iteritems() %} -{% for ip in mesh_value.ipv6.ula %} - {{ ip | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) }}; +{% for mesh in meshes %} +{% for ip in mesh.ipv6_ula %} + {{ ip | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('address') }}; {% endfor %} {% endfor %} {{ icvpn_ipv6_transfer_net | ipaddr('net') | ipsubnet(112, 37) | ipaddr(magic) | ipaddr('address') }}; diff --git a/roles/service-bird-ffrl/README.md b/roles/service-bird-ffrl/README.md index 63cd910..78f98b3 100644 --- a/roles/service-bird-ffrl/README.md +++ b/roles/service-bird-ffrl/README.md @@ -11,11 +11,10 @@ Diese Ansible role ergänzt die benötigte bird + bird6 Konfiguration für den I - Dictionary `meshes` ``` meshes: - xx: + - id: xx ... - ipv6: - public: - - # Public IPv6-Netzwerk + ipv6_public: + - # Public IPv6-Netzwerk ``` - Host Dictionary `ffrl_exit_server` ´´´ diff --git a/roles/service-bird-ffrl/templates/ffrl_ipv6.conf.j2 b/roles/service-bird-ffrl/templates/ffrl_ipv6.conf.j2 index 42feffc..57ed1d4 100644 --- a/roles/service-bird-ffrl/templates/ffrl_ipv6.conf.j2 +++ b/roles/service-bird-ffrl/templates/ffrl_ipv6.conf.j2 
@@ -11,8 +11,8 @@ table ffrl; # Functions function is_ffrl_public_nets() { return net ~ [ -{% for mesh_id, mesh_value in meshes.iteritems() %} -{% for prefix in mesh_value.ipv6.public %} +{% for mesh in meshes %} +{% for prefix in mesh.ipv6_public %} {{ prefix }}{48,56}{{ "," if not loop.last else "" }}{% endfor %}{{ "," if not loop.last else "" }} {% endfor %} ]; @@ -40,8 +40,8 @@ filter ebgp_ffrl_export_filter { # Protocols protocol static ffrl_public_routes { table ffrl; -{% for mesh_id, mesh_value in meshes.iteritems() %} -{% for prefix in mesh_value.ipv6.public %} +{% for mesh in meshes %} +{% for prefix in mesh.ipv6_public %} route {{ prefix }} reject; route {{ prefix | ipaddr('net') | ipsubnet(56, magic) | ipaddr('network/prefix') }} reject; {% endfor %} diff --git a/roles/service-bird/README.md b/roles/service-bird/README.md index 249e4c2..22995c5 100644 --- a/roles/service-bird/README.md +++ b/roles/service-bird/README.md @@ -26,11 +26,10 @@ Im iBGP peeren wir mangels separatem Transfernetz (im Moment) im Mainzer Mesh Ne - Dictionary `meshes` ´´´ meshes: - xx: + - id: xx ... ipv4_network: - ipv6: - ula: - - # IPv6-ULA Network + ipv6_ula: + - # IPv6-ULA Network ´´´ - Host Variable `magic` diff --git a/roles/service-bird/templates/bird.conf.j2 b/roles/service-bird/templates/bird.conf.j2 index 304080a..9f1faf6 100644 --- a/roles/service-bird/templates/bird.conf.j2 +++ b/roles/service-bird/templates/bird.conf.j2 @@ -38,8 +38,8 @@ function is_chaosvpn() { function is_mwu_self_nets() { return net ~ [ -{% for item, value in meshes.iteritems() %} - {{ value.ipv4_network | ipaddr('net') }}+{{ "," if not loop.last else "" }} +{% for mesh in meshes %} + {{ mesh.ipv4_network | ipaddr('net') }}+{{ "," if not loop.last else "" }} {% endfor %} ]; } 
@@ -50,8 +50,8 @@ protocol device { }; protocol direct mwu_subnets { -{% for item, value in meshes.iteritems() %} - interface "{{ item }}BR"; +{% for mesh in meshes %} + interface "{{ mesh.id }}BR"; {% endfor %} import where is_mwu_self_nets(); }; diff --git a/roles/service-bird/templates/bird6.conf.j2 b/roles/service-bird/templates/bird6.conf.j2 index baebabb..d5988eb 100644 --- a/roles/service-bird/templates/bird6.conf.j2 +++ b/roles/service-bird/templates/bird6.conf.j2 @@ -26,8 +26,8 @@ function is_ula() { function is_mwu_self_nets() { return net ~ [ -{% for item, value in meshes.iteritems() %} -{% for ula in value.ipv6.ula %} +{% for mesh in meshes %} +{% for ula in mesh.ipv6_ula %} {{ ula | ipaddr('net') }}+{{ "," if not loop.last else "" }}{% endfor %}{{ "," if not loop.last else "" }} {% endfor %} ]; @@ -39,8 +39,8 @@ protocol device { }; protocol direct mwu_subnets { -{% for item, value in meshes.iteritems() %} - interface "{{ item }}BR"; +{% for mesh in meshes %} + interface "{{ mesh.id }}BR"; {% endfor %} import where is_mwu_self_nets(); }; diff --git a/roles/service-dhcpd/README.md b/roles/service-dhcpd/README.md index d6e4cf9..45d5742 100644 --- a/roles/service-dhcpd/README.md +++ b/roles/service-dhcpd/README.md @@ -12,7 +12,7 @@ Wir nutzen diesen nur zur Verteilung von IPv4-Adressen. - Dictionary `meshes` ´´´ meshes: - xx: + - id: xx ... site_name: # string site_code: # string diff --git a/roles/service-dhcpd/tasks/main.yml b/roles/service-dhcpd/tasks/main.yml index 35a4d07..9c463da 100644 --- a/roles/service-dhcpd/tasks/main.yml +++ b/roles/service-dhcpd/tasks/main.yml @@ -12,7 +12,7 @@ - name: concatenate meshbridge interfaces set_fact: - dhcp_interfaces: "{% for mesh_id, mesh_value in meshes.iteritems() %}{{ mesh_id }}BR{% if not loop.last %} {% endif %}{% endfor %}" + dhcp_interfaces: "{% for mesh in meshes %}{{ mesh.id }}BR{% if not loop.last %} {% endif %}{% endfor %}" - name: set ipv4 interfaces isc dhcp should listen on lineinfile: 
diff --git a/roles/service-dhcpd/templates/dhcpd.conf.j2 b/roles/service-dhcpd/templates/dhcpd.conf.j2 index 7b21f82..80a7c76 100644 --- a/roles/service-dhcpd/templates/dhcpd.conf.j2 +++ b/roles/service-dhcpd/templates/dhcpd.conf.j2 @@ -12,7 +12,7 @@ default-lease-time 300; min-lease-time 300; max-lease-time 300; -{% for mesh in meshes.values() %} +{% for mesh in meshes %} # DHCP subnet for site {{ mesh.site_name }} ({{ mesh.site_code }}) subnet {{ mesh.ipv4_network | ipaddr('network') }} netmask {{ mesh.ipv4_network | ipaddr('netmask') }} { range {{ mesh.ipv4_network | ipsubnet(22, ipv4_dhcp_range) | ipaddr('net') | ipaddr('network') }} {{ mesh.ipv4_network | ipsubnet(22, ipv4_dhcp_range) | ipaddr('net') | ipaddr('broadcast') }}; diff --git a/roles/service-fastd-intragate/README.md b/roles/service-fastd-intragate/README.md index 640e05f..186f744 100644 --- a/roles/service-fastd-intragate/README.md +++ b/roles/service-fastd-intragate/README.md @@ -15,7 +15,7 @@ Diese Ansible role konfiguriert die fastd-Instanz für die Intra-Server Kommunik - Dictionary `meshes` ´´´ meshes: - xx: + - id: xx ... site_number: # integer peers_mesh_repo: # String - https Link zum Github Repository diff --git a/roles/service-fastd-intragate/handlers/main.yml b/roles/service-fastd-intragate/handlers/main.yml index 4f95a98..f8e9ab6 100644 --- a/roles/service-fastd-intragate/handlers/main.yml +++ b/roles/service-fastd-intragate/handlers/main.yml @@ -1,6 +1,6 @@ --- - name: restart fastd intragate instances systemd: - name: "fastd@{{ item.key }}igVPN" + name: "fastd@{{ item.id }}igVPN" state: restarted with_dict: "{{ meshes }}" diff --git a/roles/service-fastd-intragate/tasks/main.yml b/roles/service-fastd-intragate/tasks/main.yml index b311fa3..0d69173 100644 --- a/roles/service-fastd-intragate/tasks/main.yml +++ b/roles/service-fastd-intragate/tasks/main.yml 
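Review bot: `roles/service-fastd-intragate/handlers/main.yml` switches the unit name to `fastd@{{ item.id }}igVPN` but still iterates with `with_dict: "{{ meshes }}"`, and this commit turns `meshes` into a list (see the inventory/group_vars/all hunk), so the handler fails at run time: `with_dict` refuses a non-mapping, and a mapping item would have no `id` anyway. The line should become `with_items: "{{ meshes }}"` as in the tasks files of this commit. `roles/service-fastd-mesh/handlers/main.yml` further down has the identical problem.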
@@ -1,45 +1,45 @@ --- - name: configure systemd unit fastd@ systemd: - name: "fastd@{{ item.key }}igVPN" + name: "fastd@{{ item.id }}igVPN" enabled: yes - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" - name: create fastd intragate directories file: - path: "/etc/fastd/{{ item.key }}igVPN" + path: "/etc/fastd/{{ item.id }}igVPN" state: directory mode: 0755 - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" - name: create fastd peer intragate directories file: - path: "/etc/fastd/{{ item.key }}igVPN/peers" + path: "/etc/fastd/{{ item.id }}igVPN/peers" state: directory mode: 0755 owner: admin group: admin - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" - name: clone fastd peer intragate repos git: - repo: "{{ item.value.peers_intragate_repo }}" - dest: "/etc/fastd/{{ item.key }}igVPN/peers" + repo: "{{ item.peers_intragate_repo }}" + dest: "/etc/fastd/{{ item.id }}igVPN/peers" version: master update: no - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" become: false - name: template fastd mesh config template: src: fastd-intragate.conf.j2 - dest: "/etc/fastd/{{ item.key }}igVPN/fastd.conf" + dest: "/etc/fastd/{{ item.id }}igVPN/fastd.conf" notify: restart fastd intragate instances - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" - name: write fastd intragate secret template: src: fastd-secret.conf.j2 - dest: "/etc/fastd/{{ item.key }}igVPN/secret.conf" + dest: "/etc/fastd/{{ item.id }}igVPN/secret.conf" notify: restart fastd intragate instances - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" diff --git a/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 b/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 index db1c807..628d5f9 100644 --- a/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 +++ b/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 
@@ -1,4 +1,4 @@ -{% set ip4hex = item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} +{% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} {% set mac = '0212' + ip4hex -%} # # {{ ansible_managed }} @@ -9,10 +9,10 @@ hide mac addresses yes; method "aes128-ctr+umac"; -interface "{{ item.key }}igVPN"; +interface "{{ item.id }}igVPN"; -bind {{ ansible_default_ipv4.address | ipaddr('public') }}:101{{ item.value.site_number }}; -bind {{ ansible_default_ipv6.address | ipaddr('public') | ipwrap }}:101{{ item.value.site_number }}; +bind {{ ansible_default_ipv4.address | ipaddr('public') }}:101{{ item.site_number }}; +bind {{ ansible_default_ipv6.address | ipaddr('public') | ipwrap }}:101{{ item.site_number }}; include "secret.conf"; mtu 1406; @@ -27,11 +27,11 @@ on up " ip link set address {{ mac | hwaddr('linux') }} dev $INTERFACE ip link set $INTERFACE up - batctl -m {{ item.key }}BAT if add $INTERFACE + batctl -m {{ item.id }}BAT if add $INTERFACE "; on down " - batctl -m {{ item.key }}BAT if del $INTERFACE + batctl -m {{ item.id }}BAT if del $INTERFACE "; -status socket "/var/run/fastd-{{ item.key }}igVPN.status"; +status socket "/var/run/fastd-{{ item.id }}igVPN.status"; diff --git a/roles/service-fastd-intragate/templates/fastd-secret.conf.j2 b/roles/service-fastd-intragate/templates/fastd-secret.conf.j2 index a55490b..e6a1a48 100644 --- a/roles/service-fastd-intragate/templates/fastd-secret.conf.j2 +++ b/roles/service-fastd-intragate/templates/fastd-secret.conf.j2 @@ -1,4 +1,4 @@ -{% set local_interface = item.key + 'igVPN' -%} +{% set local_interface = item.id + 'igVPN' -%} # # {{ ansible_managed }} # diff --git a/roles/service-fastd-mesh/README.md b/roles/service-fastd-mesh/README.md index 5a116cc..c091d51 100644 --- a/roles/service-fastd-mesh/README.md +++ b/roles/service-fastd-mesh/README.md 
@@ -16,7 +16,7 @@ Diese Ansible role konfiguriert die fastd-Instanz für die Knoten Kommunikation. - Dictionary `meshes` ´´´ meshes: - xx: + - id: xx ... site_number: # integer peers_mesh_repo: # String - https Link zum Github Repository diff --git a/roles/service-fastd-mesh/handlers/main.yml b/roles/service-fastd-mesh/handlers/main.yml index 567648e..05e2a52 100644 --- a/roles/service-fastd-mesh/handlers/main.yml +++ b/roles/service-fastd-mesh/handlers/main.yml @@ -1,6 +1,6 @@ --- - name: restart fastd mesh instances systemd: - name: "fastd@{{ item.key }}VPN" + name: "fastd@{{ item.id }}VPN" state: restarted with_dict: "{{ meshes }}" diff --git a/roles/service-fastd-mesh/tasks/main.yml b/roles/service-fastd-mesh/tasks/main.yml index a7d376d..688a7bc 100644 --- a/roles/service-fastd-mesh/tasks/main.yml +++ b/roles/service-fastd-mesh/tasks/main.yml @@ -1,25 +1,25 @@ --- - name: configure systemd unit fastd@ systemd: - name: "fastd@{{ item.key }}VPN" + name: "fastd@{{ item.id }}VPN" enabled: yes - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" - name: create fastd directories file: - path: "/etc/fastd/{{ item.key }}VPN" + path: "/etc/fastd/{{ item.id }}VPN" state: directory mode: 0755 - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" - name: create fastd peer mesh directories file: - path: "/etc/fastd/{{ item.key }}VPN/peers" + path: "/etc/fastd/{{ item.id }}VPN/peers" state: directory mode: 0755 owner: admin group: admin - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" - name: create fastd peer mesh directories for ffbin file: @@ -31,11 +31,11 @@ - name: clone fastd peer mesh repos git: - repo: "{{ item.value.peers_mesh_repo }}" - dest: "/etc/fastd/{{ item.key }}VPN/peers" + repo: "{{ item.peers_mesh_repo }}" + dest: "/etc/fastd/{{ item.id }}VPN/peers" version: master update: no - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" become: false - name: clone fastd peer mesh repo for ffbin 
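Review bot: The handler `restart fastd mesh instances` in roles/service-fastd-mesh/handlers/main.yml now reads `item.id` but still iterates `with_dict: "{{ meshes }}"`, whereas the task files in this same patch switch to `with_items` because `meshes` became a list; a list fed to with_dict does not yield entries with an `id`, so a notify from the template tasks cannot restart the instances. The loop line should become `with_items: "{{ meshes }}"` to match roles/service-fastd-mesh/tasks/main.yml. The intragate handler of this series is not visible here, so I cannot tell whether it has the same mismatch.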
@@ -49,36 +49,36 @@ - name: template fastd mesh config template: src: fastd-mesh.conf.j2 - dest: "/etc/fastd/{{ item.key }}VPN/fastd.conf" + dest: "/etc/fastd/{{ item.id }}VPN/fastd.conf" notify: restart fastd mesh instances - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" - name: write fastd mesh secret template: src: fastd-secret.conf.j2 - dest: "/etc/fastd/{{ item.key }}VPN/secret.conf" + dest: "/etc/fastd/{{ item.id }}VPN/secret.conf" notify: restart fastd mesh instances - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" - name: copy peer_limit.conf if not exist copy: src: peer_limit.conf - dest: "/etc/fastd/{{ item.key }}VPN/peer_limit.conf" + dest: "/etc/fastd/{{ item.id }}VPN/peer_limit.conf" owner: admin group: admin mode: 0640 force: no notify: restart fastd mesh instances - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" - name: set file attributes for peer_limit.conf file: - path: "/etc/fastd/{{ item.key }}VPN/peer_limit.conf" + path: "/etc/fastd/{{ item.id }}VPN/peer_limit.conf" mode: 0640 owner: admin group: admin notify: restart fastd mesh instances - with_dict: "{{ meshes }}" + with_items: "{{ meshes }}" - name: write systemd unit fastd-sync-meshkeys.service template: diff --git a/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 b/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 index f63b0a6..c800e47 100644 --- a/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 +++ b/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 @@ -1,4 +1,4 @@ -{% set ip4hex = item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} +{% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} {% set mac = '0211' + ip4hex -%} # # {{ ansible_managed }} 
@@ -9,10 +9,10 @@ hide mac addresses yes; method "salsa2012+umac"; -interface "{{ item.key }}VPN"; +interface "{{ item.id }}VPN"; -bind {{ ansible_default_ipv4.address | ipaddr('public') }}:100{{ item.value.site_number }}; -bind {{ ansible_default_ipv6.address | ipaddr('public') | ipwrap }}:100{{ item.value.site_number }}; +bind {{ ansible_default_ipv4.address | ipaddr('public') }}:100{{ item.site_number }}; +bind {{ ansible_default_ipv6.address | ipaddr('public') | ipwrap }}:100{{ item.site_number }}; include "secret.conf"; mtu 1406; @@ -20,7 +20,7 @@ mtu 1406; peer group "vpn_nodes" { include "peer_limit.conf"; include peers from "peers"; -{% if item.key == "mz" %} +{% if item.id == "mz" %} include peers from "peers_bingen"; {% endif %} } @@ -34,11 +34,11 @@ on up " ip link set address {{ mac | hwaddr('linux') }} dev $INTERFACE ip link set $INTERFACE up - batctl -m {{ item.key }}BAT if add $INTERFACE + batctl -m {{ item.id }}BAT if add $INTERFACE "; on down " - batctl -m {{ item.key }}BAT if del $INTERFACE + batctl -m {{ item.id }}BAT if del $INTERFACE "; -status socket "/var/run/fastd-{{ item.key }}VPN.status"; +status socket "/var/run/fastd-{{ item.id }}VPN.status"; diff --git a/roles/service-fastd-mesh/templates/fastd-secret.conf.j2 b/roles/service-fastd-mesh/templates/fastd-secret.conf.j2 index 87a4945..958df93 100644 --- a/roles/service-fastd-mesh/templates/fastd-secret.conf.j2 +++ b/roles/service-fastd-mesh/templates/fastd-secret.conf.j2 @@ -1,4 +1,4 @@ -{% set local_interface = item.key + 'VPN' -%} +{% set local_interface = item.id + 'VPN' -%} # # {{ ansible_managed }} # diff --git a/roles/service-radvd/README.md b/roles/service-radvd/README.md index 408d83f..be02ed7 100644 --- a/roles/service-radvd/README.md +++ b/roles/service-radvd/README.md 
@@ -11,13 +11,12 @@ Diese Ansible role installiert und konfiguriert den radvd daemon. - Dictionary `meshes` ´´´ meshes: - xx: + - id: xx ... - ipv6: - ula: - - # ULA-Prefix - String - public: - - # Public-Prefix - String + ipv6_ula: + - # ULA-Prefix - String + ipv6_public: + - # Public-Prefix - String iface_mtu: # Integer ´´´ - Host Variable `magic` diff --git a/roles/service-radvd/templates/radvd.conf.j2 b/roles/service-radvd/templates/radvd.conf.j2 index c63e016..afd13cf 100644 --- a/roles/service-radvd/templates/radvd.conf.j2 +++ b/roles/service-radvd/templates/radvd.conf.j2 
@@ -2,37 +2,37 @@ # # {{ ansible_managed }} # -{% for mesh_id, mesh_value in meshes.iteritems() %} -interface {{ mesh_id }}BR +{% for mesh in meshes %} +interface {{ mesh.id }}BR { AdvSendAdvert on; IgnoreIfMissing on; - MaxRtrAdvInterval {{ mesh_value.radvd.maxrtradvinterval }}; - AdvLinkMTU {{ mesh_value.iface_mtu }}; + MaxRtrAdvInterval {{ mesh.radvd.maxrtradvinterval }}; + AdvLinkMTU {{ mesh.iface_mtu }}; -{% for ip_type, ip_list in mesh_value.ipv6.iteritems() %} -{% for prefix in ip_list %} -{% if ip_type == "ula" %} - RDNSS {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('address') }} + RDNSS {% for prefix in mesh.ipv6_ula %}{{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('address') }} +{% endfor %} { FlushRDNSS off; }; + +{% for prefix in mesh.ipv6_ula %} + prefix {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} + { + AdvValidLifetime {{ mesh.radvd.advvalidlifetime }}; + AdvPreferredLifetime {{ mesh.radvd.advpreferredlifetime }}; + }; +{% if not loop.last %} + {% endif %} {% endfor %} -{% endfor %} -{% for ip_type, ip_list in mesh_value.ipv6.iteritems() %} -{% for prefix in ip_list %} -{% if ip_type == "public" %} +{% for prefix in mesh.ipv6_public %} prefix {{ prefix | ipaddr('net') | ipsubnet(56, magic) | ipsubnet(64, 0) | ipaddr('subnet') }} -{% else %} - prefix {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} -{% endif %} { - AdvValidLifetime {{ mesh_value.radvd.advvalidlifetime }}; - AdvPreferredLifetime {{ mesh_value.radvd.advpreferredlifetime }}; + AdvValidLifetime {{ mesh.radvd.advvalidlifetime }}; + AdvPreferredLifetime {{ mesh.radvd.advpreferredlifetime }}; }; -{% endfor %} {% if not loop.last %} {% endif %} diff --git a/roles/service-rclocal/README.md b/roles/service-rclocal/README.md index 5725ae6..74a820a 100644 --- a/roles/service-rclocal/README.md +++ b/roles/service-rclocal/README.md 
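Review bot: The rewritten RDNSS stanza in radvd.conf.j2 is now emitted unconditionally, while the old template only produced it inside the loop over ULA prefixes; a mesh whose `ipv6_ula` list is empty would now render `RDNSS { FlushRDNSS off; };` with no address, which I would expect radvd to reject when parsing the config. Wrapping the stanza in `{% if mesh.ipv6_ula %} … {% endif %}` keeps the previous behaviour. Whether any inventory defines a mesh without ULA prefixes is not visible here, so at minimum a template comment stating that `ipv6_ula` must be non-empty would document the new assumption.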
@@ -10,15 +10,14 @@ All dieses sollte in Zukunft durch systemd units abgelöst werden. - Dictionary `meshes` ´´´ meshes: - xx: + - id: xx ... site_name: # string ipv4_network: - ipv6: - ula: - - # string - public: - - # string + ipv6_ula: + - # string + ipv6_public: + - # string iface_mtu: # integer ´´´ - Host Variable `magic` diff --git a/roles/service-rclocal/templates/rc.local.j2 b/roles/service-rclocal/templates/rc.local.j2 index 5bd9448..9acc716 100644 --- a/roles/service-rclocal/templates/rc.local.j2 +++ b/roles/service-rclocal/templates/rc.local.j2 
@@ -18,59 +18,59 @@ # # Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces -{% for mesh_id, mesh_value in meshes.iteritems() %} -ip -4 rule add from {{ mesh_value.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7 -ip -4 rule add to {{ mesh_value.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7 -ip -4 rule add from all oif {{ mesh_id }}BR lookup mwu priority 7 -{% for ula in mesh_value.ipv6.ula %} +{% for mesh in meshes %} +ip -4 rule add from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7 +ip -4 rule add to {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7 +ip -4 rule add from all oif {{ mesh.id }}BR lookup mwu priority 7 +{% for ula in mesh.ipv6_ula %} ip -6 rule add from {{ ula }} lookup mwu priority 7 ip -6 rule add to {{ ula }} lookup mwu priority 7 {% endfor %} -{% for public in mesh_value.ipv6.public %} +{% for public in mesh.ipv6_public %} ip -6 rule add from {{ public }} lookup mwu priority 7 ip -6 rule add to {{ public }} lookup mwu priority 7 {% endfor %} -ip -6 rule add from all oif {{ mesh_id }}BR lookup mwu priority 7 +ip -6 rule add from all oif {{ mesh.id }}BR lookup mwu priority 7 {% endfor %} # Priority 23 - lookup rt_table icvpn for all incoming traffic of freifunk bridges -{% for mesh_id, mesh_value in meshes.iteritems() %} -ip -4 rule add from {{ mesh_value.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23 -ip -4 rule add to {{ mesh_value.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23 -ip -4 rule add from all oif {{ mesh_id }}BR lookup icvpn priority 23 -{% for ula in mesh_value.ipv6.ula %} +{% for mesh in meshes %} +ip -4 rule add from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23 +ip -4 rule add to {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23 +ip -4 rule add from all oif {{ mesh.id }}BR lookup icvpn priority 23 +{% for ula in mesh.ipv6_ula %} ip -6 rule add 
from {{ ula }} lookup icvpn priority 23 ip -6 rule add to {{ ula }} lookup icvpn priority 23 {% endfor %} -{% for public in mesh_value.ipv6.public %} +{% for public in mesh.ipv6_public %} ip -6 rule add from {{ public }} lookup icvpn priority 23 ip -6 rule add to {{ public }} lookup icvpn priority 23 {% endfor %} -ip -6 rule add from all oif {{ mesh_id }}BR lookup icvpn priority 23 +ip -6 rule add from all oif {{ mesh.id }}BR lookup icvpn priority 23 {% endfor %} ip -4 rule add from all oif icVPN lookup icvpn priority 23 ip -6 rule add from all oif icVPN lookup icvpn priority 23 # Priority 41 - lookup rt_table internet for all incoming traffic of freifunk bridges -{% for mesh_id, mesh_value in meshes.iteritems() %} -ip -4 rule add from {{ mesh_value.ipv4_network | ipaddr('network') }}/16 lookup internet priority 41 -{% for ula in mesh_value.ipv6.ula %} +{% for mesh in meshes %} +ip -4 rule add from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup internet priority 41 +{% for ula in mesh.ipv6_ula %} ip -6 rule add from {{ ula }} lookup internet priority 41 ip -6 rule add to {{ ula }} lookup internet priority 41 {% endfor %} -{% for public in mesh_value.ipv6.public %} +{% for public in mesh.ipv6_public %} ip -6 rule add from {{ public }} lookup internet priority 41 ip -6 rule add to {{ public }} lookup internet priority 41 {% endfor %} -ip -6 rule add from all oif {{ mesh_id }}BR lookup internet priority 41 +ip -6 rule add from all oif {{ mesh.id }}BR lookup internet priority 41 {% endfor %} ip -4 rule add from {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41 ip -4 rule add to {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41 # Priority 61 - at this point this is the end of policy routing for freifunk related routes -{% for mesh_id, mesh_value in meshes.iteritems() %} -ip -4 rule add from all iif {{ mesh_id }}BR type unreachable priority 61 -ip -6 rule add from all iif {{ mesh_id }}BR type unreachable priority 61 +{% 
for mesh in meshes %} +ip -4 rule add from all iif {{ mesh.id }}BR type unreachable priority 61 +ip -6 rule add from all iif {{ mesh.id }}BR type unreachable priority 61 {% endfor %} ip -4 rule add from all iif icVPN type unreachable priority 61 ip -4 rule add from all iif {{ ansible_default_ipv4.interface }} type unreachable priority 61 @@ -80,8 +80,8 @@ ip -6 rule add from all iif {{ server_id }} type unreachable priority 61 {% endfor %} ip -6 rule add from all iif icVPN type unreachable priority 61 ip -6 rule add from all iif {{ ansible_default_ipv6.interface }} type unreachable priority 61 -{% for mesh_id, mesh_value in meshes.iteritems() %} -{% for public in mesh_value.ipv6.public %} +{% for mesh in meshes %} +{% for public in mesh.ipv6_public %} ip -6 rule add from {{ public }} type unreachable priority 61 ip -6 rule add to {{ public }} type unreachable priority 61 {% endfor %} 
@@ -98,15 +98,15 @@ ip -6 rule add from all lookup icvpn priority 107 # IP routes # -{% for mesh_id, mesh_value in meshes.iteritems() %} -# static {{ mesh_value.site_name }} routes for rt_table mwu -/sbin/ip -4 route add {{ mesh_value.ipv4_network }} proto static dev {{ mesh_id }}BR table mwu -{% for ula in mesh_value.ipv6.ula %} -/sbin/ip -6 route add {{ ula | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh_id }}BR table mwu +{% for mesh in meshes %} +# static {{ mesh.site_name }} routes for rt_table mwu +/sbin/ip -4 route add {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}BR table mwu +{% for ula in mesh.ipv6_ula %} +/sbin/ip -6 route add {{ ula | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}BR table mwu {% endfor %} -{% for public in mesh_value.ipv6.public %} -/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh_id }}BR table mwu -/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(56, magic) | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh_id }}BR table mwu +{% for public in mesh.ipv6_public %} +/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}BR table mwu +/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(56, magic) | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}BR table mwu {% endfor %} {% if not loop.last %} From 53d30c8dedbea7ac19a5bb5deba9419b96070827 Mon Sep 17 00:00:00 2001 
From: Tobias Hachmer Date: Sat, 7 Oct 2017 00:57:35 +0200 Subject: [PATCH 058/106] Restructure fastd configuration to define multiple instances easily - introduce mesh subdictionary `fastd` - change fastd instance naming - change fastd network interface naming (identical with fastd instance names) - change mac address prefixes --- Readme.md | 44 +++++++++++-- inventory/group_vars/all | 44 +++++++++++-- roles/network-fastd/README.md | 15 +++-- roles/network-fastd/tasks/main.yml | 12 ++-- .../templates/fastd-intragate.j2 | 8 +-- roles/network-fastd/templates/fastd-mesh.j2 | 8 +-- roles/service-fastd-intragate/README.md | 11 +++- .../service-fastd-intragate/handlers/main.yml | 6 +- roles/service-fastd-intragate/tasks/main.yml | 40 +++++++----- .../templates/fastd-intragate.conf.j2 | 16 ++--- .../templates/fastd-secret.conf.j2 | 2 +- roles/service-fastd-mesh/README.md | 16 ++++- roles/service-fastd-mesh/handlers/main.yml | 6 +- roles/service-fastd-mesh/tasks/main.yml | 62 +++++++++++++------ .../templates/fastd-mesh.conf.j2 | 18 +++--- .../templates/fastd-secret.conf.j2 | 2 +- roles/service-tinc/templates/tinc-up.j2 | 2 +- 17 files changed, 223 insertions(+), 89 deletions(-) diff --git a/Readme.md b/Readme.md index 6d8973b..f754ebc 100644 --- a/Readme.md +++ b/Readme.md @@ -47,8 +47,26 @@ meshes: advvalidlifetime: 864000 advpreferredlifetime: 172800 iface_mtu: 1350 - peers_mesh_repo: https://github.com/freifunk-mwu/peers-ffmz.git - peers_intragate_repo: https://github.com/freifunk-mwu/ffmz-infrastructure-peers.git + fastd: + nodes: + instances: + - id: 0 + mtu: 1406 + peers: + repo: https://github.com/freifunk-mwu/peers-ffmz.git + version: master + - id: 1 + mtu: 1312 + peers: + repo: https://github.com/freifunk-mwu/peers-ffmz.git + version: master + intragate: + instances: + - id: 0 + mtu: 1406 + peers: + repo: https://github.com/freifunk-mwu/ffmz-infrastructure-peers.git + version: master dns: master: fd37:b4dc:4b1e::a25:103 forward_zones: 
@@ -81,8 +99,26 @@ meshes: maxrtradvinterval: 900 advvalidlifetime: 864000 iface_mtu: 1350 - peers_mesh_repo: https://github.com/freifunk-mwu/peers-ffwi.git - peers_intragate_repo: https://github.com/freifunk-mwu/ffwi-infrastructure-peers.git + fastd: + nodes: + instances: + - id: 0 + mtu: 1406 + peers: + repo: https://github.com/freifunk-mwu/peers-ffwi.git + version: master + - id: 1 + mtu: 1312 + peers: + repo: https://github.com/freifunk-mwu/peers-ffwi.git + version: master + intragate: + instances: + - id: 0 + mtu: 1406 + peers: + repo: https://github.com/freifunk-mwu/ffwi-infrastructure-peers.git + version: master dns: master: fd56:b4dc:4b1e::a38:103 forward_zones: diff --git a/inventory/group_vars/all b/inventory/group_vars/all index 3b2d411..6955e93 100644 --- a/inventory/group_vars/all +++ b/inventory/group_vars/all @@ -40,8 +40,26 @@ meshes: advvalidlifetime: 864000 advpreferredlifetime: 172800 iface_mtu: 1350 - peers_mesh_repo: https://github.com/freifunk-mwu/peers-ffmz.git - peers_intragate_repo: https://github.com/freifunk-mwu/ffmz-infrastructure-peers.git + fastd: + nodes: + instances: + - id: 0 + mtu: 1406 + peers: + repo: https://github.com/freifunk-mwu/peers-ffmz.git + version: master + - id: 1 + mtu: 1312 + peers: + repo: https://github.com/freifunk-mwu/peers-ffmz.git + version: master + intragate: + instances: + - id: 0 + mtu: 1406 + peers: + repo: https://github.com/freifunk-mwu/ffmz-infrastructure-peers.git + version: master dns: master: fd37:b4dc:4b1e::a25:103 forward_zones: 
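Review bot: Every new `peers.repo` entry in inventory/group_vars/all pins `version: master`, a moving target for the repository whose contents are included as the accepted peer keys (`include peers from "peers"` in the fastd templates), and the role README in this series describes `version` as branch or commit id; recording a commit id would make the accepted peer set reproducible and reviewable. The same applies to the second mesh in the hunk `@@ -75,8 +93,26 @@` on the next line. Since the consuming clone tasks keep `update: no`, the value as far as I can see only matters at first clone, which is worth a comment next to the key either way.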
@@ -75,8 +93,26 @@ meshes: advvalidlifetime: 864000 advpreferredlifetime: 172800 iface_mtu: 1350 - peers_mesh_repo: https://github.com/freifunk-mwu/peers-ffwi.git - peers_intragate_repo: https://github.com/freifunk-mwu/ffwi-infrastructure-peers.git + fastd: + nodes: + instances: + - id: 0 + mtu: 1406 + peers: + repo: https://github.com/freifunk-mwu/peers-ffwi.git + version: master + - id: 1 + mtu: 1312 + peers: + repo: https://github.com/freifunk-mwu/peers-ffwi.git + version: master + intragate: + instances: + - id: 0 + mtu: 1406 + peers: + repo: https://github.com/freifunk-mwu/ffwi-infrastructure-peers.git + version: master dns: master: fd56:b4dc:4b1e::a38:103 forward_zones: diff --git a/roles/network-fastd/README.md b/roles/network-fastd/README.md index 535178e..e54f946 100644 --- a/roles/network-fastd/README.md +++ b/roles/network-fastd/README.md @@ -1,9 +1,12 @@ # Ansible role network-fastd -Diese Ansible role konfiguriert Netzwerk Interfaces für fastd. +Diese Ansible role konfiguriert Netzwerk Interfaces für die definierten fastd Instanzen. -- xxVPN pro Mesh -- xxigVPN pro Mesh +Es wird zwischen node- und intragate-Instanzen unterschieden. + +## Interface-Benamung +Node-Interfaces: $mesh.id + VPN + '-' + $mesh.fastd.nodes.instances.xx.mtu, z.B. "mzVPN-1312" +Intragate-Interfaces: $mesh.id + 'ig' + VPN + '-' + $mesh.fastd.intragate.instances.xx.mtu, z.B. "mzigVPN-1312" ## Benötigte Variablen @@ -20,7 +23,7 @@ meshes: ## MAC-Adressen -Die MAC-Adressen der Interfaces werden aus dem IPv4-Subnetz sowie der `magic`-Nummerdes Hosts berechnet. +Die MAC-Adressen der Interfaces werden aus dem IPv4-Subnetz sowie der `magic`-Nummer des Hosts berechnet. -xxVPN-prefix: `02:11` -xxigVPN-prefix: `02:12` +xxVPN-$mtu prefix: `02:2x` # x = ID der fastd-Instanz +xxigVPN-$mtu prefix: `02:3x` # x = ID der fastd-Instanz diff --git a/roles/network-fastd/tasks/main.yml b/roles/network-fastd/tasks/main.yml index 2b53d6b..2cf7998 100644 --- a/roles/network-fastd/tasks/main.yml 
+++ b/roles/network-fastd/tasks/main.yml
@@ -2,13 +2,17 @@
 - name: create fastd mesh interfaces
   template:
     src: fastd-mesh.j2
-    dest: "/etc/network/interfaces.d/{{ item.id }}VPN"
+    dest: "/etc/network/interfaces.d/{{ item.0.id }}VPN-{{ item.1.mtu }}"
   notify: reload network interfaces
-  with_items: "{{ meshes }}"
+  with_subelements:
+    - "{{ meshes }}"
+    - fastd.nodes.instances
 
 - name: create fastd intragate interfaces
   template:
     src: fastd-intragate.j2
-    dest: "/etc/network/interfaces.d/{{ item.id }}igVPN"
+    dest: "/etc/network/interfaces.d/{{ item.0.id }}igVPN-{{ item.1.mtu }}"
   notify: reload network interfaces
-  with_items: "{{ meshes }}"
+  with_subelements:
+    - "{{ meshes }}"
+    - fastd.intragate.instances
diff --git a/roles/network-fastd/templates/fastd-intragate.j2 b/roles/network-fastd/templates/fastd-intragate.j2
index ffb1d63..9d049a2 100644
--- a/roles/network-fastd/templates/fastd-intragate.j2
+++ b/roles/network-fastd/templates/fastd-intragate.j2
@@ -1,8 +1,8 @@
-{% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
-{% set mac = '0212' + ip4hex -%}
+{% set ip4hex = item.0.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
+{% set mac = '023' + item.1.id|string + ip4hex -%}
 #
 # {{ ansible_managed }}
 #
-auto {{ item.id }}igVPN
-iface {{ item.id }}igVPN
+auto {{ item.0.id }}igVPN-{{ item.1.mtu }}
+iface {{ item.0.id }}igVPN-{{ item.1.mtu }}
     hwaddress {{ mac | hwaddr('linux') }}
diff --git a/roles/network-fastd/templates/fastd-mesh.j2 b/roles/network-fastd/templates/fastd-mesh.j2
index 879ceea..207cd79 100644
--- a/roles/network-fastd/templates/fastd-mesh.j2
+++ b/roles/network-fastd/templates/fastd-mesh.j2
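Review bot: `{% set mac = '023' + item.1.id|string + ip4hex -%}` in fastd-intragate.j2 only yields a 12-hex-digit MAC when the instance id is a single digit; an id of 10 or more produces a string that is too long for `hwaddr('linux')`, and the README hunk on the previous line documents the prefix as `02:3x` with exactly one digit. The same construction appears in fastd-mesh.j2 (`'022' + item.1.id|string`) on the next line. I would add `{# instance id must be a single digit: it becomes one nibble of the MAC prefix #}` above the set line, or check the range with an assert task in the role. Separately, the interface names `{{ item.0.id }}igVPN-{{ item.1.mtu }}` sit close to the kernel's 15-character interface-name limit for longer mesh ids, which is worth a comment next to the `dest` in tasks/main.yml.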
@@ -1,8 +1,8 @@
-{% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
-{% set mac = '0211' + ip4hex -%}
+{% set ip4hex = item.0.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
+{% set mac = '022' + item.1.id|string + ip4hex -%}
 #
 # {{ ansible_managed }}
 #
-auto {{ item.id }}VPN
-iface {{ item.id }}VPN
+auto {{ item.0.id }}VPN-{{ item.1.mtu }}
+iface {{ item.0.id }}VPN-{{ item.1.mtu }}
     hwaddress {{ mac | hwaddr('linux') }}
diff --git a/roles/service-fastd-intragate/README.md b/roles/service-fastd-intragate/README.md
index 186f744..399b8b1 100644
--- a/roles/service-fastd-intragate/README.md
+++ b/roles/service-fastd-intragate/README.md
@@ -18,8 +18,15 @@ meshes:
   - id: xx
     ...
     site_number: # integer
-    peers_mesh_repo: # String - https Link zum Github Repository
-    peers_intragate_repo: # String - https Link zum Github Repository
+    fastd:
+      nodes:
+        instances:
+          - id: 0 # integer
+            mtu: # integer
+            peers:
+              repo: # String - https Link zum Github Repository
+              version: # String - Branch oder Commit ID
+    ...
 ´´´
 - Dictionary `fastd_secrets` (Host-Variable)
 ´´´
diff --git a/roles/service-fastd-intragate/handlers/main.yml b/roles/service-fastd-intragate/handlers/main.yml
index f8e9ab6..f61c999 100644
--- a/roles/service-fastd-intragate/handlers/main.yml
+++ b/roles/service-fastd-intragate/handlers/main.yml
@@ -1,6 +1,8 @@
 ---
 - name: restart fastd intragate instances
   systemd:
-    name: "fastd@{{ item.id }}igVPN"
+    name: "fastd@{{ item.0.id }}igVPN-{{ item.1.mtu }}"
     state: restarted
-  with_dict: "{{ meshes }}"
+  with_subelements:
+    - "{{ meshes }}"
+    - fastd.intragate.instances
diff --git a/roles/service-fastd-intragate/tasks/main.yml b/roles/service-fastd-intragate/tasks/main.yml
index 0d69173..1800909 100644
--- a/roles/service-fastd-intragate/tasks/main.yml
+++ b/roles/service-fastd-intragate/tasks/main.yml
@@ -1,45 +1,57 @@
 ---
 - name: configure systemd unit fastd@
   systemd:
-    name: "fastd@{{ item.id }}igVPN"
+    name: "fastd@{{ item.0.id }}igVPN-{{ item.1.mtu }}"
     enabled: yes
-  with_items: "{{ meshes }}"
+  with_subelements:
+    - "{{ meshes }}"
+    - fastd.intragate.instances
 
 - name: create fastd intragate directories
   file:
-    path: "/etc/fastd/{{ item.id }}igVPN"
+    path: "/etc/fastd/{{ item.0.id }}igVPN-{{ item.1.mtu }}"
     state: directory
     mode: 0755
-  with_items: "{{ meshes }}"
+  with_subelements:
+    - "{{ meshes }}"
+    - fastd.intragate.instances
 
 - name: create fastd peer intragate directories
   file:
-    path: "/etc/fastd/{{ item.id }}igVPN/peers"
+    path: "/etc/fastd/{{ item.0.id }}igVPN-{{ item.1.mtu }}/peers"
     state: directory
     mode: 0755
     owner: admin
     group: admin
-  with_items: "{{ meshes }}"
+  with_subelements:
+    - "{{ meshes }}"
+    - fastd.intragate.instances
 
 - name: clone fastd peer intragate repos
   git:
-    repo: "{{ item.peers_intragate_repo }}"
-    dest: "/etc/fastd/{{ item.id }}igVPN/peers"
-    version: master
+    repo: "{{ item.1.peers.repo }}"
+    dest: "/etc/fastd/{{ item.0.id }}igVPN-{{ item.1.mtu }}/peers"
+    version: "{{ item.1.peers.version }}"
     update: no
-  with_items: "{{ meshes }}"
+  with_subelements:
+    - "{{ meshes }}"
+    - fastd.intragate.instances
   become: false
 
 - name: template fastd mesh config
   template:
     src: fastd-intragate.conf.j2
-    dest: "/etc/fastd/{{ item.id }}igVPN/fastd.conf"
+    dest: "/etc/fastd/{{ item.0.id }}igVPN-{{ item.1.mtu }}/fastd.conf"
   notify: restart fastd intragate instances
-  with_items: "{{ meshes }}"
+  with_subelements:
+    - "{{ meshes }}"
+    - fastd.intragate.instances
 
 - name: write fastd intragate secret
   template:
     src: fastd-secret.conf.j2
-    dest: "/etc/fastd/{{ item.id }}igVPN/secret.conf"
+    dest: "/etc/fastd/{{ item.0.id }}igVPN-{{ item.1.mtu }}/secret.conf"
   notify: restart fastd intragate instances
-  with_items: "{{ meshes }}"
+  with_subelements:
+    - "{{ meshes }}"
+    - fastd.intragate.instances
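Review bot: `version: "{{ item.1.peers.version }}"` in the clone task of roles/service-fastd-intragate/tasks/main.yml is now inventory-driven, but the task keeps `update: no`, and as far as I recall the git module then leaves an existing clone untouched, so changing `peers.version` later has no effect on hosts that already have the peers directory. If that is deliberate, a comment such as `# update: no — an existing clone is never moved to a new version; change requires manual intervention` documents it; otherwise `update: yes` with a pinned commit in `peers.version` is the more predictable combination. While here, the unchanged `mode: 0755` and `enabled: yes` would be safer as `mode: "0755"` and `enabled: true` to avoid YAML 1.1 octal and truthy surprises.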
diff --git a/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 b/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 index 628d5f9..817ffa5 100644 --- a/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 +++ b/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 @@ -1,4 +1,4 @@ -{% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} +{% set ip4hex = item.0.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} {% set mac = '0212' + ip4hex -%} # # {{ ansible_managed }} @@ -9,13 +9,13 @@ hide mac addresses yes; method "aes128-ctr+umac"; -interface "{{ item.id }}igVPN"; +interface "{{ item.0.id }}igVPN-{{ item.1.mtu }}"; -bind {{ ansible_default_ipv4.address | ipaddr('public') }}:101{{ item.site_number }}; -bind {{ ansible_default_ipv6.address | ipaddr('public') | ipwrap }}:101{{ item.site_number }}; +bind {{ ansible_default_ipv4.address | ipaddr('public') }}:11{{ item.1.id }}{{ item.0.site_number }}; +bind {{ ansible_default_ipv6.address | ipaddr('public') | ipwrap }}:11{{ item.1.id }}{{ item.0.site_number }}; include "secret.conf"; -mtu 1406; +mtu {{ item.1.mtu }}; peer group "servers" { include peers from "peers/gates"; @@ -27,11 +27,11 @@ on up " ip link set address {{ mac | hwaddr('linux') }} dev $INTERFACE ip link set $INTERFACE up - batctl -m {{ item.id }}BAT if add $INTERFACE + batctl -m {{ item.0.id }}BAT if add $INTERFACE "; on down " - batctl -m {{ item.id }}BAT if del $INTERFACE + batctl -m {{ item.0.id }}BAT if del $INTERFACE "; -status socket "/var/run/fastd-{{ item.id }}igVPN.status"; +status socket "/var/run/fastd-{{ item.0.id }}igVPN-{{ item.1.mtu }}.status"; diff --git a/roles/service-fastd-intragate/templates/fastd-secret.conf.j2 b/roles/service-fastd-intragate/templates/fastd-secret.conf.j2 index e6a1a48..b4a8077 100644 --- a/roles/service-fastd-intragate/templates/fastd-secret.conf.j2 
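Review bot: fastd-intragate.conf.j2 still computes `{% set mac = '0212' + ip4hex -%}` (unchanged context in the first hunk) and applies it in the `on up` block with `ip link set address {{ mac | hwaddr('linux') }} dev $INTERFACE`, while the interfaces.d file written by network-fastd in this same patch assigns `'023' + instance id + ip4hex` as `hwaddress`; the two assign different addresses to the same interface, and the commit message says the MAC prefixes were changed. The set line should become `{% set mac = '023' + item.1.id|string + ip4hex -%}` so both templates agree. Separately, the bind port moved from `101<site_number>` to `11<instance id><site_number>`; any firewall rules or peer-side configs referencing the old port are outside this diff and would need the same change.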
+++ b/roles/service-fastd-intragate/templates/fastd-secret.conf.j2 @@ -1,4 +1,4 @@ -{% set local_interface = item.id + 'igVPN' -%} +{% set local_interface = item.0.id + 'igVPN' -%} # # {{ ansible_managed }} # diff --git a/roles/service-fastd-mesh/README.md b/roles/service-fastd-mesh/README.md index c091d51..84f93e1 100644 --- a/roles/service-fastd-mesh/README.md +++ b/roles/service-fastd-mesh/README.md @@ -2,7 +2,6 @@ Diese Ansible role konfiguriert die fastd-Instanz für die Knoten Kommunikation. -- konfiguriert xxVPN-Instanzen - stellt sicher, dass die Instanz-Verzeichnisse existieren - schreibt fastd.conf - schreibt secret.conf @@ -11,6 +10,10 @@ Diese Ansible role konfiguriert die fastd-Instanz für die Knoten Kommunikation. - klont die fastd peer repos - klont bingener fastd peer repo (im Moment hardcoded) +## Instanz-Benamung +Node-Instanzen: $mesh.id + VPN + '-' + $mesh.fastd.nodes.instances.xx.mtu, z.B. "mzVPN-1312" +Intragate-Instanzen: $mesh.id + 'ig' + VPN + '-' + $mesh.fastd.intragate.instances.xx.mtu, z.B. "mzigVPN-1312" + ## Benötigte Variablen - Dictionary `meshes` @@ -19,8 +22,15 @@ meshes: - id: xx ... site_number: # integer - peers_mesh_repo: # String - https Link zum Github Repository - peers_intragate_repo: # String - https Link zum Github Repository + fastd: + nodes: + instances: + - id: 0 # integer + mtu: # integer + peers: + repo: # String - https Link zum Github Repository + version: # String - Branch oder Commit ID + ... ´´´ - Dictionary `fastd_secrets` (Host-Variable) ´´´ diff --git a/roles/service-fastd-mesh/handlers/main.yml b/roles/service-fastd-mesh/handlers/main.yml index 05e2a52..542401e 100644 --- a/roles/service-fastd-mesh/handlers/main.yml +++ b/roles/service-fastd-mesh/handlers/main.yml 
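Review bot: `local_interface` in fastd-secret.conf.j2 is still `item.0.id + 'igVPN'` although every other instance name in this patch gained the `-{{ item.1.mtu }}` suffix; if `fastd_secrets` (listed as a host variable in the README hunk on this line) is keyed by instance name the lookup misses, and if it is keyed per mesh all instances of one mesh share a single secret key. Either way the intent deserves an explicit statement, e.g. `{# secrets are keyed per mesh, shared by all of its instances #}`, or the suffix should be added to match the instance naming. The lines where `local_interface` is consumed are outside the hunk.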
@@ -1,6 +1,8 @@
 ---
 - name: restart fastd mesh instances
   systemd:
-    name: "fastd@{{ item.id }}VPN"
+    name: "fastd@{{ item.0.id }}VPN{{ item.1.mtu }}"
     state: restarted
-  with_dict: "{{ meshes }}"
+  with_subelements:
+    - "{{ meshes }}"
+    - fastd.nodes.instances
diff --git a/roles/service-fastd-mesh/tasks/main.yml b/roles/service-fastd-mesh/tasks/main.yml
index 688a7bc..9d0ba57 100644
--- a/roles/service-fastd-mesh/tasks/main.yml
+++ b/roles/service-fastd-mesh/tasks/main.yml
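Review bot: The handler's unit name `fastd@{{ item.0.id }}VPN{{ item.1.mtu }}` in roles/service-fastd-mesh/handlers/main.yml lacks the `-` between `VPN` and the MTU that the tasks in roles/service-fastd-mesh/tasks/main.yml use (`fastd@{{ item.0.id }}VPN-{{ item.1.mtu }}`), so a notify would try to restart e.g. `fastd@mzVPN1406`, a unit that is never created, and the play fails when handlers run. Change it to `name: "fastd@{{ item.0.id }}VPN-{{ item.1.mtu }}"`. The intragate handler on an earlier line of this patch already has the hyphen, so only this file is affected as far as visible.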
@@ -1,84 +1,106 @@ --- - name: configure systemd unit fastd@ systemd: - name: "fastd@{{ item.id }}VPN" + name: "fastd@{{ item.0.id }}VPN-{{ item.1.mtu }}" enabled: yes - with_items: "{{ meshes }}" + with_subelements: + - "{{ meshes }}" + - fastd.nodes.instances - name: create fastd directories file: - path: "/etc/fastd/{{ item.id }}VPN" + path: "/etc/fastd/{{ item.0.id }}VPN-{{ item.1.mtu }}" state: directory mode: 0755 - with_items: "{{ meshes }}" + with_subelements: + - "{{ meshes }}" + - fastd.nodes.instances - name: create fastd peer mesh directories file: - path: "/etc/fastd/{{ item.id }}VPN/peers" + path: "/etc/fastd/{{ item.0.id }}VPN-{{ item.1.mtu }}/peers" state: directory mode: 0755 owner: admin group: admin - with_items: "{{ meshes }}" + with_subelements: + - "{{ meshes }}" + - fastd.nodes.instances - name: create fastd peer mesh directories for ffbin file: - path: "/etc/fastd/mzVPN/peers_bingen" + path: "/etc/fastd/mzVPN-{{ item }}/peers_bingen" state: directory mode: 0755 owner: admin group: admin + with_items: + - 1406 + - 1312 - name: clone fastd peer mesh repos git: - repo: "{{ item.peers_mesh_repo }}" - dest: "/etc/fastd/{{ item.id }}VPN/peers" - version: master + repo: "{{ item.1.peers.repo }}" + dest: "/etc/fastd/{{ item.0.id }}VPN-{{ item.1.mtu }}/peers" + version: "{{ item.1.peers.version }}" update: no - with_items: "{{ meshes }}" + with_subelements: + - "{{ meshes }}" + - fastd.nodes.instances become: false - name: clone fastd peer mesh repo for ffbin git: repo: https://github.com/freifunk-bingen/peers-ffbin.git - dest: /etc/fastd/mzVPN/peers_bingen + dest: "/etc/fastd/mzVPN-{{ item }}/peers_bingen" version: master update: no + with_items: + - 1406 + - 1312 become: false - name: template fastd mesh config template: src: fastd-mesh.conf.j2 - dest: "/etc/fastd/{{ item.id }}VPN/fastd.conf" + dest: "/etc/fastd/{{ item.0.id }}VPN-{{ item.1.mtu }}/fastd.conf" notify: restart fastd mesh instances - with_items: "{{ meshes }}" + with_subelements: + - 
"{{ meshes }}" + - fastd.nodes.instances - name: write fastd mesh secret template: src: fastd-secret.conf.j2 - dest: "/etc/fastd/{{ item.id }}VPN/secret.conf" + dest: "/etc/fastd/{{ item.0.id }}VPN-{{ item.1.mtu }}/secret.conf" notify: restart fastd mesh instances - with_items: "{{ meshes }}" + with_subelements: + - "{{ meshes }}" + - fastd.nodes.instances - name: copy peer_limit.conf if not exist copy: src: peer_limit.conf - dest: "/etc/fastd/{{ item.id }}VPN/peer_limit.conf" + dest: "/etc/fastd/{{ item.0.id }}VPN-{{ item.1.mtu }}/peer_limit.conf" owner: admin group: admin mode: 0640 force: no notify: restart fastd mesh instances - with_items: "{{ meshes }}" + with_subelements: + - "{{ meshes }}" + - fastd.nodes.instances - name: set file attributes for peer_limit.conf file: - path: "/etc/fastd/{{ item.id }}VPN/peer_limit.conf" + path: "/etc/fastd/{{ item.0.id }}VPN-{{ item.1.mtu }}/peer_limit.conf" mode: 0640 owner: admin group: admin notify: restart fastd mesh instances - with_items: "{{ meshes }}" + with_subelements: + - "{{ meshes }}" + - fastd.nodes.instances - name: write systemd unit fastd-sync-meshkeys.service template: diff --git a/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 b/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 index c800e47..038ac4d 100644 --- a/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 +++ b/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 @@ -1,4 +1,4 @@ -{% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} +{% set ip4hex = item.0.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} {% set mac = '0211' + ip4hex -%} # # {{ ansible_managed }} 
@@ -9,18 +9,18 @@ hide mac addresses yes; method "salsa2012+umac"; -interface "{{ item.id }}VPN"; +interface "{{ item.0.id }}VPN-{{ item.1.mtu }}"; -bind {{ ansible_default_ipv4.address | ipaddr('public') }}:100{{ item.site_number }}; -bind {{ ansible_default_ipv6.address | ipaddr('public') | ipwrap }}:100{{ item.site_number }}; +bind {{ ansible_default_ipv4.address | ipaddr('public') }}:10{{ item.1.id }}{{ item.0.site_number }}; +bind {{ ansible_default_ipv6.address | ipaddr('public') | ipwrap }}:10{{ item.1.id }}{{ item.0.site_number }}; include "secret.conf"; -mtu 1406; +mtu {{ item.1.mtu }}; peer group "vpn_nodes" { include "peer_limit.conf"; include peers from "peers"; -{% if item.id == "mz" %} +{% if item.0.id == "mz" %} include peers from "peers_bingen"; {% endif %} } @@ -34,11 +34,11 @@ on up " ip link set address {{ mac | hwaddr('linux') }} dev $INTERFACE ip link set $INTERFACE up - batctl -m {{ item.id }}BAT if add $INTERFACE + batctl -m {{ item.0.id }}BAT if add $INTERFACE "; on down " - batctl -m {{ item.id }}BAT if del $INTERFACE + batctl -m {{ item.0.id }}BAT if del $INTERFACE "; -status socket "/var/run/fastd-{{ item.id }}VPN.status"; +status socket "/var/run/fastd-{{ item.0.id }}VPN-{{ item.1.mtu }}.status"; diff --git a/roles/service-fastd-mesh/templates/fastd-secret.conf.j2 b/roles/service-fastd-mesh/templates/fastd-secret.conf.j2 index 958df93..a30308c 100644 --- a/roles/service-fastd-mesh/templates/fastd-secret.conf.j2 +++ b/roles/service-fastd-mesh/templates/fastd-secret.conf.j2 @@ -1,4 +1,4 @@ -{% set local_interface = item.id + 'VPN' -%} +{% set local_interface = item.0.id + 'VPN' -%} # # {{ ansible_managed }} # diff --git a/roles/service-tinc/templates/tinc-up.j2 b/roles/service-tinc/templates/tinc-up.j2 index 5fb6692..57f0131 100644 --- a/roles/service-tinc/templates/tinc-up.j2 +++ b/roles/service-tinc/templates/tinc-up.j2 
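Review bot: The port on the two new `bind` lines is built by string concatenation, `10{{ item.1.id }}{{ item.0.site_number }}`, so uniqueness and the 65535 ceiling depend on `id` staying a single digit and `site_number` keeping a fixed width, neither of which the README states beyond `# integer`. Computing it, `{{ 10000 + item.1.id * 100 + item.0.site_number }}` (equivalent for two-digit site numbers), fails loudly on a non-numeric value at template time; failing that, a comment above the bind lines, `{# listen port = 10 + instance id + site_number; instance ids must stay 0-9 #}`, documents the scheme. The new `interface "{{ item.0.id }}VPN-{{ item.1.mtu }}"` also has to stay within the kernel's 15-character interface name limit, which holds for two-letter mesh ids but not for much longer ones.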
@@ -1,5 +1,5 @@ {% set ip4hex = icvpn_ipv4_transfer_net | ipaddr('net') | ipsubnet(24, 37) | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} -{% set mac = '0220' + ip4hex -%} +{% set mac = '02f0' + ip4hex -%} #!/bin/sh # # {{ ansible_managed }} From 4732338cee2b26f6e5f6e668fa4ba8d082413a4b Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Sat, 7 Oct 2017 01:08:48 +0200 Subject: [PATCH 059/106] Roles service-fastd-[mesh|intragate]: update role dependencies --- roles/service-fastd-intragate/meta/main.yml | 2 ++ roles/service-fastd-mesh/meta/main.yml | 1 + 2 files changed, 3 insertions(+) diff --git a/roles/service-fastd-intragate/meta/main.yml b/roles/service-fastd-intragate/meta/main.yml index d0f177f..2f66f75 100644 --- a/roles/service-fastd-intragate/meta/main.yml +++ b/roles/service-fastd-intragate/meta/main.yml @@ -1,3 +1,5 @@ --- dependencies: + - { role: git-repos } + - { role: network-fastd } - { role: service-fastd } diff --git a/roles/service-fastd-mesh/meta/main.yml b/roles/service-fastd-mesh/meta/main.yml index a5b2bf1..2f66f75 100644 --- a/roles/service-fastd-mesh/meta/main.yml +++ b/roles/service-fastd-mesh/meta/main.yml @@ -1,4 +1,5 @@ --- dependencies: - { role: git-repos } + - { role: network-fastd } - { role: service-fastd } From e1e723809fe15a5bdf6484a17b3979942ffcd840 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Sun, 8 Oct 2017 09:29:55 +0200 Subject: [PATCH 060/106] Role network-batman: update batman-ifaces due to fastd instance change - update README.md --- roles/network-batman/README.md | 13 +++++++++++++ roles/network-batman/templates/batman.j2 | 3 ++- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/roles/network-batman/README.md b/roles/network-batman/README.md index c90a6f1..5b93e05 100644 --- a/roles/network-batman/README.md +++ b/roles/network-batman/README.md 
@@ -21,6 +21,19 @@ meshes: gw: # string: gateway mode mm: # boolean: multicast mode dat: # boolean: distributed arp table + hop_penalty: # integer: hop penalty +... + fastd: + nodes: + instances: + - id: 0 # integer + mtu: # integer + ... + intragate: + instances: + - id: 0 # integer + mtu: # integer + ... ´´´ - Host Variable `magic` diff --git a/roles/network-batman/templates/batman.j2 b/roles/network-batman/templates/batman.j2 index 7639794..9c655cb 100644 --- a/roles/network-batman/templates/batman.j2 +++ b/roles/network-batman/templates/batman.j2 @@ -1,3 +1,4 @@ +#jinja2: trim_blocks:False {% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} {% set mac = '0201' + ip4hex -%} # @@ -6,7 +7,7 @@ auto {{ item.id }}BAT iface {{ item.id }}BAT hwaddress {{ mac | hwaddr('linux') }} - batman-ifaces {{ item.id }}0 {{ item.id }}VPN {{ item.id }}igVPN + batman-ifaces {{ item.id }}0 {% for instance in item.fastd.nodes.instances %}{{ item.id }}VPN-{{ instance.mtu }}{% if not loop.last %} {% endif %}{% endfor %} {% for instance in item.fastd.intragate.instances %}{{ item.id }}igVPN-{{ instance.mtu }}{% if not loop.last %} {% endif %}{% endfor %} batman-hop-penalty {{ item.batman.hop_penalty }} post-up /usr/sbin/batctl -m $IFACE it {{ item.batman.it }} post-up /usr/sbin/batctl -m $IFACE gw {{ item.batman.gw }} From 534b0d045cbc2f5a13f3c00cb14fc9bb6f5e175f Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Sun, 8 Oct 2017 09:44:42 +0200 Subject: [PATCH 061/106] Role network-fastd: update README.md --- roles/network-fastd/README.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/roles/network-fastd/README.md b/roles/network-fastd/README.md index e54f946..c18c1cd 100644 --- a/roles/network-fastd/README.md +++ b/roles/network-fastd/README.md 
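Review bot: The rewritten `batman-ifaces` line packs two inline `for` loops with `loop.last` spacing into one very long line, and the `#jinja2: trim_blocks:False` header added at the top exists only to stop the trailing `{% endfor %}` from swallowing the newline before `batman-hop-penalty`. A filter chain expresses the same list without block tags, e.g. `batman-ifaces {{ item.id }}0 {{ item.fastd.nodes.instances | map(attribute='mtu') | map('string') | map('regex_replace', '^', item.id ~ 'VPN-') | join(' ') }} {{ item.fastd.intragate.instances | map(attribute='mtu') | map('string') | map('regex_replace', '^', item.id ~ 'igVPN-') | join(' ') }}`, after which the `trim_blocks` override can go again. If the loop form is kept, a comment above the header, `{# trim_blocks off: the inline for-loops below must not eat the line break #}`, explains why this template differs from the others.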
@@ -17,6 +17,17 @@ meshes: ... ipv4_network: ... + fastd: + nodes: + instances: + - id: 0 # integer + mtu: # integer + ... + intragate: + instances: + - id: 0 # integer + mtu: # integer + ... ´´´ - Host Variable `magic` From 37ef87bea961b30cbab409a1f36341e0ea5f3067 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Sun, 8 Oct 2017 09:55:30 +0200 Subject: [PATCH 062/106] Readme.md: add control machine requirements --- Readme.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Readme.md b/Readme.md index f754ebc..369aabb 100644 --- a/Readme.md +++ b/Readme.md @@ -17,6 +17,11 @@ Playbook eingebunden sein. Die Server werden mit ihren FQDNs im Ansible Inventory hinterlegt, bedenkt das für eure ssh-config. +Voraussetzungen für die Control Machine: + +- Python 2 (Versionen 2.6 oder 2.7) oder 3 (Versionen 3.5 oder höher) +- Ansible Version >= 2.4.0.0 + ## Variablen für jedes Mesh Viele Rollen brauchen spezifische Informationen, wie IP-Adresse, Masken, Interface-Namen, etc. From c56dc3504c59bb372709d26bdb8f666ef547df53 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Sun, 8 Oct 2017 10:51:04 +0200 Subject: [PATCH 063/106] Role service-fastd-mesh: fix typo in handler --- roles/service-fastd-mesh/handlers/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/service-fastd-mesh/handlers/main.yml b/roles/service-fastd-mesh/handlers/main.yml index 542401e..c7357c1 100644 --- a/roles/service-fastd-mesh/handlers/main.yml +++ b/roles/service-fastd-mesh/handlers/main.yml @@ -1,7 +1,7 @@ --- - name: restart fastd mesh instances systemd: - name: "fastd@{{ item.0.id }}VPN{{ item.1.mtu }}" + name: "fastd@{{ item.0.id }}VPN-{{ item.1.mtu }}" state: restarted with_subelements: - "{{ meshes }}" From f18e53e4e70e5642b9dcd0a1ad79ba64ed2bcd5c Mon Sep 17 00:00:00 2001 
From: Tobias Hachmer Date: Sun, 8 Oct 2017 11:35:22 +0200 Subject: [PATCH 064/106] Role service-fastd: use own systemd unit fastd@.service - original uses %I which does not escaping, so dashes will be replaced by slashes - use %i instead of %I --- roles/service-fastd/tasks/main.yml | 9 +++++++++ roles/service-fastd/templates/fastd@.service.j2 | 11 +++++++++++ 2 files changed, 20 insertions(+) create mode 100644 roles/service-fastd/templates/fastd@.service.j2 diff --git a/roles/service-fastd/tasks/main.yml b/roles/service-fastd/tasks/main.yml index 4b59534..161b954 100644 --- a/roles/service-fastd/tasks/main.yml +++ b/roles/service-fastd/tasks/main.yml @@ -12,3 +12,12 @@ systemd: name: fastd masked: yes + +- name: write systemd unit fastd@.service + template: + src: fastd@.service.j2 + dest: /etc/systemd/system/fastd@.service + owner: root + group: root + mode: 0644 + notify: reload systemd diff --git a/roles/service-fastd/templates/fastd@.service.j2 b/roles/service-fastd/templates/fastd@.service.j2 new file mode 100644 index 0000000..47c30c1 --- /dev/null +++ b/roles/service-fastd/templates/fastd@.service.j2 @@ -0,0 +1,11 @@ +[Unit] +Description=Fast and Secure Tunnelling Daemon (connection %i) +After=network.target + +[Service] +Type=notify +ExecStart=/usr/bin/fastd --syslog-level info --syslog-ident fastd@%i -c /etc/fastd/%i/fastd.conf +ExecReload=/bin/kill -HUP $MAINPID + +[Install] +WantedBy=multi-user.target From 4ce00a6ac373fe454b59e329e81ad90a8bf58a5e Mon Sep 17 00:00:00 2001 
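Review bot: The override written to `/etc/systemd/system/fastd@.service` only takes effect after a daemon-reload, and `notify: reload systemd` defers that to the end of the play (assuming the role's handlers define it; they are not visible here), so the dependent roles' `configure systemd unit fastd@` and restart tasks in the same play still operate on the packaged unit with its `%I` unescaping. A `- meta: flush_handlers` directly after this task makes the new unit definition visible before any instance is enabled or restarted. `mode: 0644` would be safer quoted as `"0644"`.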
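Review bot: The new unit has no `Restart=` directive and no privilege reduction, so an instance that exits stays down until the next Ansible run and fastd keeps full root for its whole lifetime; `Restart=on-failure` plus `RestartSec=5` in `[Service]` covers the first, and fastd's own `user`/`group` with `drop capabilities yes` in the generated fastd.conf covers the second without changing the unit. `After=network.target` does not wait for the public addresses that fastd-mesh.conf.j2 binds to; `After=network-online.target` with a matching `Wants=network-online.target` is the documented way to order against configured addresses. A one-line comment in the template, `# copied from the distro unit, %i instead of %I so "-" in the instance name is not unescaped to "/"`, would preserve the reason given in the commit message where the next maintainer reads it.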
From: Tobias Hachmer Date: Wed, 11 Oct 2017 06:52:24 +0200 Subject: [PATCH 065/106] Add role network-routing - move static routes from role service-rclocal to scripts run by systemd unit - mv routing specific sysctl settings --- playbooks/gateways.yml | 1 + roles/network-routing/README.md | 30 +++++++++ roles/network-routing/handlers/main.yml | 9 +++ roles/network-routing/tasks/main.yml | 34 ++++++++++ .../templates/ffmwu-add-static-routes.sh.j2 | 62 +++++++++++++++++ .../templates/ffmwu-del-static-routes.sh.j2 | 62 +++++++++++++++++ .../templates/ffmwu-static-routes.service.j2 | 12 ++++ roles/network-routing/vars/main.yml | 14 ++++ roles/service-rclocal/templates/rc.local.j2 | 67 ------------------- roles/system-sysctl-gateway/vars/main.yml | 12 ---- 10 files changed, 224 insertions(+), 79 deletions(-) create mode 100644 roles/network-routing/README.md create mode 100644 roles/network-routing/handlers/main.yml create mode 100644 roles/network-routing/tasks/main.yml create mode 100644 roles/network-routing/templates/ffmwu-add-static-routes.sh.j2 create mode 100644 roles/network-routing/templates/ffmwu-del-static-routes.sh.j2 create mode 100644 roles/network-routing/templates/ffmwu-static-routes.service.j2 create mode 100644 roles/network-routing/vars/main.yml diff --git a/playbooks/gateways.yml b/playbooks/gateways.yml index 7f9a8f9..b2303d5 100755 --- a/playbooks/gateways.yml +++ b/playbooks/gateways.yml @@ -26,5 +26,6 @@ - service-bird-icvpn - service-bird-ffrl - service-bind-slave + - network-routing - service-rclocal - system-sysctl-gateway diff --git a/roles/network-routing/README.md b/roles/network-routing/README.md new file mode 100644 index 0000000..7bb45f6 --- /dev/null +++ b/roles/network-routing/README.md 
@@ -0,0 +1,30 @@
+# Ansible role network-routing
+
+Diese Ansible role konfiguriert System Einstellung bzgl. IP Routing.
+
+- konfiguriert statische Routen (systemd Unit)
+ - Mesh Routen für die Routing Tabelle `mwu`
+ - Blackhole Routes für die Routing Tabellen `internet` + `main`
+- konfiguriert sysctl Parameter
+
+## Benötigte Variablen
+
+- Dictionary `meshes`
+´´´
+meshes:
+ - id: xx
+...
+ site_name:
+ ipv4_network:
+ ipv6_ula
+ ipv6_public:
+´´´
+- List `sysctl_settings_gateway` (Rollen-Variable)
+```
+sysctl_settings_routing:
+ - name: # sysctl-Parameter
+ value: # zu setzender Wert
+...
+
+´´´
+- Host Variable `magic`
diff --git a/roles/network-routing/handlers/main.yml b/roles/network-routing/handlers/main.yml
new file mode 100644
index 0000000..c18c7a6
--- /dev/null
+++ b/roles/network-routing/handlers/main.yml
@@ -0,0 +1,9 @@
+---
+- name: reload systemd
+ systemd:
+ daemon_reload: yes
+
+- name: restart systemd unit ffmwu-static-routes
+ systemd:
+ name: ffmwu-static-routes
+ state: restarted
diff --git a/roles/network-routing/tasks/main.yml b/roles/network-routing/tasks/main.yml
new file mode 100644
index 0000000..923d366
--- /dev/null
+++ b/roles/network-routing/tasks/main.yml
@@ -0,0 +1,34 @@
+---
+- name: write systemd unit ffmwu-static-routes.service
+ template:
+ src: ffmwu-static-routes.service.j2
+ dest: /etc/systemd/system/ffmwu-static-routes.service
+ owner: root
+ group: root
+ mode: 0644
+ notify: reload systemd
+
+- name: write static route scripts
+ template:
+ src: "{{ item }}.j2"
+ dest: "/usr/local/bin/{{ item }}"
+ owner: root
+ group: root
+ mode: 0750
+ with_items:
+ - ffmwu-add-static-routes.sh
+ - ffmwu-del-static-routes.sh
+ notify: restart systemd unit ffmwu-static-routes
+
+- name: enable systemd unit ffmwu-static-routes.service
+ systemd:
+ name: ffmwu-static-routes
+ enabled: yes
+ state: started
+
+- name: set freifunk gateway sysctl settings
+ sysctl:
+ name: "{{ item.name }}"
+ value: "{{ item.value }}"
+ state: present
+ with_items: "{{ sysctl_settings_routing }}"
diff --git a/roles/network-routing/templates/ffmwu-add-static-routes.sh.j2 b/roles/network-routing/templates/ffmwu-add-static-routes.sh.j2
new file mode 100644
index 0000000..3f2cc03
--- /dev/null
+++ b/roles/network-routing/templates/ffmwu-add-static-routes.sh.j2
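Review bot: The `enable systemd unit ffmwu-static-routes.service` task starts the unit before the `reload systemd` handler has run, because handlers fire at the end of the play; on a host where the unit file was just changed, the old definition is what gets started. Setting `daemon_reload: yes` on that `systemd:` task removes the dependency on handler timing (the handler can stay for the change-detection case). Note also that a changed unit file only notifies the reload, not the restart, so a new `ExecStart`/`ExecStop` path is not exercised until something else restarts the unit. `mode: 0644` and `mode: 0750` should be quoted octal strings.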
@@ -0,0 +1,62 @@
+#!/bin/sh
+{% for mesh in meshes %}
+# static {{ mesh.site_name }} routes for rt_table mwu
+/sbin/ip -4 route add {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}BR table mwu
+{% for ula in mesh.ipv6_ula %}
+/sbin/ip -6 route add {{ ula | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}BR table mwu
+{% endfor %}
+{% for public in mesh.ipv6_public %}
+/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}BR table mwu
+/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(56, magic) | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}BR table mwu
+{% endfor %}
+{% if not loop.last %}
+
+{% endif %}
+{% endfor %}
+
+# static blackhole routes for rt_table internet
+/sbin/ip -4 route add blackhole 0.0.0.0/8 table internet
+/sbin/ip -4 route add blackhole 10.0.0.0/8 table internet
+/sbin/ip -4 route add blackhole 100.64.0.0/10 table internet
+/sbin/ip -4 route add blackhole 127.0.0.0/8 table internet
+/sbin/ip -4 route add blackhole 169.254.0.0/16 table internet
+/sbin/ip -4 route add blackhole 172.16.0.0/12 table internet
+/sbin/ip -4 route add blackhole 192.0.0.0/24 table internet
+/sbin/ip -4 route add blackhole 192.0.2.0/24 table internet
+/sbin/ip -4 route add blackhole 192.88.99.0/24 table internet
+/sbin/ip -4 route add blackhole 192.168.0.0/16 table internet
+/sbin/ip -4 route add blackhole 198.18.0.0/15 table internet
+/sbin/ip -4 route add blackhole 198.51.100.0/24 table internet
+/sbin/ip -4 route add blackhole 203.0.113.0/24 table internet
+/sbin/ip -4 route add blackhole 224.0.0.0/4 table internet
+/sbin/ip -4 route add blackhole 240.0.0.0/4 table internet
+/sbin/ip -4 route add blackhole 255.255.255.255/32 table internet
+/sbin/ip -6 route add blackhole fec0::/10 table internet
+/sbin/ip -6 route add blackhole fc00::/7 table internet
+/sbin/ip -6 route add blackhole ff00::/8 table internet
+/sbin/ip -6 route add blackhole ::/96 table internet
+/sbin/ip -6 route add blackhole 0:0:0:0:0:ffff::/96 table internet
+
+# static blackhole routes for rt_table main
+/sbin/ip -4 route add blackhole 0.0.0.0/8 table main
+/sbin/ip -4 route add blackhole 10.0.0.0/8 table main
+/sbin/ip -4 route add blackhole 100.64.0.0/10 table main
+/sbin/ip -4 route add blackhole 127.0.0.0/8 table main
+/sbin/ip -4 route add blackhole 169.254.0.0/16 table main
+/sbin/ip -4 route add blackhole 172.16.0.0/12 table main
+/sbin/ip -4 route add blackhole 192.0.0.0/24 table main
+/sbin/ip -4 route add blackhole 192.0.2.0/24 table main
+/sbin/ip -4 route add blackhole 192.88.99.0/24 table main
+/sbin/ip -4 route add blackhole 192.168.0.0/16 table main
+/sbin/ip -4 route add blackhole 198.18.0.0/15 table main
+/sbin/ip -4 route add blackhole 198.51.100.0/24 table main
+/sbin/ip -4 route add blackhole 203.0.113.0/24 table main
+/sbin/ip -4 route add blackhole 224.0.0.0/4 table main
+/sbin/ip -4 route add blackhole 240.0.0.0/4 table main
+/sbin/ip -4 route add blackhole 255.255.255.255/32 table main
+/sbin/ip -6 route add blackhole fec0::/10 table main
+/sbin/ip -6 route add blackhole fc00::/7 table main
+/sbin/ip -6 route add blackhole ff00::/8 table main
+/sbin/ip -6 route add blackhole ::/96 table main
+/sbin/ip -6 route add blackhole 0:0:0:0:0:ffff::/96 table main
+/sbin/ip -6 route add blackhole ::/0 table main
diff --git a/roles/network-routing/templates/ffmwu-del-static-routes.sh.j2 b/roles/network-routing/templates/ffmwu-del-static-routes.sh.j2
new file mode 100644
index 0000000..ac57aa0
--- /dev/null
+++ b/roles/network-routing/templates/ffmwu-del-static-routes.sh.j2
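Review bot: The generated script has no `set -e`, and since it is the unit's `ExecStart` its exit status is that of the final `ip -6 route add blackhole ::/0 table main`; any earlier failure (for example a `{{ mesh.id }}BR` device that does not exist yet) leaves the `internet` table without part of its blackhole set while the service still reports active, which defeats the anti-leak purpose of those routes. `set -e` right after the shebang, combined with `ip route replace` in place of `route add` so a re-run over already-present routes does not abort, makes the script both fail-fast and idempotent. The same applies to the del script in the next hunk, where a missing route on `del` would otherwise stop the teardown early.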
@@ -0,0 +1,62 @@
+#!/bin/sh
+{% for mesh in meshes %}
+# static {{ mesh.site_name }} routes for rt_table mwu
+/sbin/ip -4 route del {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}BR table mwu
+{% for ula in mesh.ipv6_ula %}
+/sbin/ip -6 route del {{ ula | ipaddr('net') | ipsubnet(64, 0) }} proto static dev {{ mesh.id }}BR table mwu
+{% endfor %}
+{% for public in mesh.ipv6_public %}
+/sbin/ip -6 route del {{ public | ipaddr('net') | ipsubnet(64, 0) }} proto static dev {{ mesh.id }}BR table mwu
+/sbin/ip -6 route del {{ public | ipaddr('net') | ipsubnet(64, magic) }} proto static dev {{ mesh.id }}BR table mwu
+{% endfor %}
+{% if not loop.last %}
+
+{% endif %}
+{% endfor %}
+
+# static blackhole routes for rt_table internet
+/sbin/ip -4 route del blackhole 0.0.0.0/8 table internet
+/sbin/ip -4 route del blackhole 10.0.0.0/8 table internet
+/sbin/ip -4 route del blackhole 100.64.0.0/10 table internet
+/sbin/ip -4 route del blackhole 127.0.0.0/8 table internet
+/sbin/ip -4 route del blackhole 169.254.0.0/16 table internet
+/sbin/ip -4 route del blackhole 172.16.0.0/12 table internet
+/sbin/ip -4 route del blackhole 192.0.0.0/24 table internet
+/sbin/ip -4 route del blackhole 192.0.2.0/24 table internet
+/sbin/ip -4 route del blackhole 192.88.99.0/24 table internet
+/sbin/ip -4 route del blackhole 192.168.0.0/16 table internet
+/sbin/ip -4 route del blackhole 198.18.0.0/15 table internet
+/sbin/ip -4 route del blackhole 198.51.100.0/24 table internet
+/sbin/ip -4 route del blackhole 203.0.113.0/24 table internet
+/sbin/ip -4 route del blackhole 224.0.0.0/4 table internet
+/sbin/ip -4 route del blackhole 240.0.0.0/4 table internet
+/sbin/ip -4 route del blackhole 255.255.255.255/32 table internet
+/sbin/ip -6 route del blackhole fec0::/10 table internet
+/sbin/ip -6 route del blackhole fc00::/7 table internet
+/sbin/ip -6 route del blackhole ff00::/8 table internet
+/sbin/ip -6 route del blackhole ::/96 table internet
+/sbin/ip -6 route del blackhole 0:0:0:0:0:ffff::/96 table internet
+
+# static blackhole routes for rt_table main
+/sbin/ip -4 route del blackhole 0.0.0.0/8 table main
+/sbin/ip -4 route del blackhole 10.0.0.0/8 table main
+/sbin/ip -4 route del blackhole 100.64.0.0/10 table main
+/sbin/ip -4 route del blackhole 127.0.0.0/8 table main
+/sbin/ip -4 route del blackhole 169.254.0.0/16 table main
+/sbin/ip -4 route del blackhole 172.16.0.0/12 table main
+/sbin/ip -4 route del blackhole 192.0.0.0/24 table main
+/sbin/ip -4 route del blackhole 192.0.2.0/24 table main
+/sbin/ip -4 route del blackhole 192.88.99.0/24 table main
+/sbin/ip -4 route del blackhole 192.168.0.0/16 table main
+/sbin/ip -4 route del blackhole 198.18.0.0/15 table main
+/sbin/ip -4 route del blackhole 198.51.100.0/24 table main
+/sbin/ip -4 route del blackhole 203.0.113.0/24 table main
+/sbin/ip -4 route del blackhole 224.0.0.0/4 table main
+/sbin/ip -4 route del blackhole 240.0.0.0/4 table main
+/sbin/ip -4 route del blackhole 255.255.255.255/32 table main
+/sbin/ip -6 route del blackhole fec0::/10 table main
+/sbin/ip -6 route del blackhole fc00::/7 table main
+/sbin/ip -6 route del blackhole ff00::/8 table main
+/sbin/ip -6 route del blackhole ::/96 table main
+/sbin/ip -6 route del blackhole 0:0:0:0:0:ffff::/96 table main
+/sbin/ip -6 route del blackhole ::/0 table main
diff --git a/roles/network-routing/templates/ffmwu-static-routes.service.j2 b/roles/network-routing/templates/ffmwu-static-routes.service.j2
new file mode 100644
index 0000000..ad342f0
--- /dev/null
+++ b/roles/network-routing/templates/ffmwu-static-routes.service.j2
@@ -0,0 +1,12 @@
+[Unit]
+Description=Manage Freifunk MWU static routes
+After=network-online.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/bin/ffmwu-add-static-routes.sh
+ExecStop=/usr/local/bin/ffmwu-del-static-routes.sh
+
+[Install]
+WantedBy=multi-user.target
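Review bot: The IPv6 mesh routes this script deletes are not the ones the add script installs: the add side computes the second public route as `public | ipaddr('net') | ipsubnet(56, magic) | ipsubnet(64, 0) | ipaddr('subnet')` (first /64 of the magic-th /56), while the `route del` line here uses `public | ipaddr('net') | ipsubnet(64, magic)` (the magic-th /64 of the whole network), which as far as I can tell coincides only for `magic` 0. On `ExecStop` the added route therefore stays in table `mwu` with an error on the non-existent one. Copying the three add-side filter chains verbatim into the three `route del` lines (the trailing `ipaddr('subnet')` is harmless on del) keeps the two templates symmetric; a shared Jinja macro or variable for the prefixes would prevent them drifting apart again.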
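Review bot: `After=network-online.target` on its own does not activate that target; without a matching `Wants=network-online.target` in `[Unit]` the ordering is a no-op on hosts where nothing else pulls it in, and the add script may run before the `{{ mesh.id }}BR` devices it references exist. Add `Wants=network-online.target` next to the `After=` line. Because the unit is `Type=oneshot` with `RemainAfterExit=yes`, the `restart systemd unit ffmwu-static-routes` handler runs `ExecStop` (delete all blackholes) and then `ExecStart` again, so every script change briefly removes the RFC1918/bogon blackholes from the `internet` and `main` tables; a comment such as `# restart = full teardown and re-add of all static routes, including the blackholes` above `ExecStop=` makes that window visible to whoever next touches the handler.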
diff --git a/roles/network-routing/vars/main.yml b/roles/network-routing/vars/main.yml
new file mode 100644
index 0000000..97dd4ea
--- /dev/null
+++ b/roles/network-routing/vars/main.yml
@@ -0,0 +1,14 @@
+---
+sysctl_settings_routing:
+ - name: net.ipv4.ip_forward
+ value: 1
+ - name: net.ipv4.conf.default.rp_filter
+ value: 0
+ - name: net.ipv4.conf.all.rp_filter
+ value: 0
+ - name: net.ipv6.conf.all.forwarding
+ value: 1
+ - name: net.ipv6.conf.all.accept_ra
+ value: 0
+ - name: net.ipv6.conf.default.accept_ra
+ value: 0
diff --git a/roles/service-rclocal/templates/rc.local.j2 b/roles/service-rclocal/templates/rc.local.j2
index 9acc716..53ec415 100644
--- a/roles/service-rclocal/templates/rc.local.j2
+++ b/roles/service-rclocal/templates/rc.local.j2
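Review bot: `net.ipv4.conf.all.rp_filter` and `net.ipv4.conf.default.rp_filter` are set to `0`, which switches reverse-path filtering off entirely; on a policy-routed gateway strict mode (`1`) does break asymmetric paths, but loose mode (`value: 2`) keeps the basic check that a source address is reachable through some interface and is the usual compromise. The values are moved from system-sysctl-gateway rather than changed, so if `0` is deliberate a comment on the two entries, `# 0 (not 2): <reason> — see roles/network-routing/README.md`, stops the next reader from "fixing" it. Separately, the new README documents this list as `sysctl_settings_gateway` while the variable and the task use `sysctl_settings_routing`.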
@@ -93,71 +93,4 @@ ip -4 rule add from all lookup icvpn priority 107 ip -6 rule add from all lookup mwu priority 107 ip -6 rule add from all lookup icvpn priority 107 - -# -# IP routes -# - -{% for mesh in meshes %} -# static {{ mesh.site_name }} routes for rt_table mwu -/sbin/ip -4 route add {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}BR table mwu -{% for ula in mesh.ipv6_ula %} -/sbin/ip -6 route add {{ ula | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}BR table mwu -{% endfor %} -{% for public in mesh.ipv6_public %} -/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}BR table mwu -/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(56, magic) | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}BR table mwu -{% endfor %} -{% if not loop.last %} - -{% endif %} -{% endfor %} - -# static blackhole routes for rt_table internet -/sbin/ip -4 route add blackhole 0.0.0.0/8 table internet -/sbin/ip -4 route add blackhole 10.0.0.0/8 table internet -/sbin/ip -4 route add blackhole 100.64.0.0/10 table internet -/sbin/ip -4 route add blackhole 127.0.0.0/8 table internet -/sbin/ip -4 route add blackhole 169.254.0.0/16 table internet -/sbin/ip -4 route add blackhole 172.16.0.0/12 table internet -/sbin/ip -4 route add blackhole 192.0.0.0/24 table internet -/sbin/ip -4 route add blackhole 192.0.2.0/24 table internet -/sbin/ip -4 route add blackhole 192.88.99.0/24 table internet -/sbin/ip -4 route add blackhole 192.168.0.0/16 table internet -/sbin/ip -4 route add blackhole 198.18.0.0/15 table internet -/sbin/ip -4 route add blackhole 198.51.100.0/24 table internet -/sbin/ip -4 route add blackhole 203.0.113.0/24 table internet -/sbin/ip -4 route add blackhole 224.0.0.0/4 table internet -/sbin/ip -4 route add blackhole 240.0.0.0/4 table internet -/sbin/ip -4 route add blackhole 255.255.255.255/32 table internet -/sbin/ip -6 route add blackhole 
fec0::/10 table internet -/sbin/ip -6 route add blackhole fc00::/7 table internet -/sbin/ip -6 route add blackhole ff00::/8 table internet -/sbin/ip -6 route add blackhole ::/96 table internet -/sbin/ip -6 route add blackhole 0:0:0:0:0:ffff::/96 table internet - -# static blackhole routes for rt_table main -/sbin/ip -4 route add blackhole 0.0.0.0/8 table main -/sbin/ip -4 route add blackhole 10.0.0.0/8 table main -/sbin/ip -4 route add blackhole 100.64.0.0/10 table main -/sbin/ip -4 route add blackhole 127.0.0.0/8 table main -/sbin/ip -4 route add blackhole 169.254.0.0/16 table main -/sbin/ip -4 route add blackhole 172.16.0.0/12 table main -/sbin/ip -4 route add blackhole 192.0.0.0/24 table main -/sbin/ip -4 route add blackhole 192.0.2.0/24 table main -/sbin/ip -4 route add blackhole 192.88.99.0/24 table main -/sbin/ip -4 route add blackhole 192.168.0.0/16 table main -/sbin/ip -4 route add blackhole 198.18.0.0/15 table main -/sbin/ip -4 route add blackhole 198.51.100.0/24 table main -/sbin/ip -4 route add blackhole 203.0.113.0/24 table main -/sbin/ip -4 route add blackhole 224.0.0.0/4 table main -/sbin/ip -4 route add blackhole 240.0.0.0/4 table main -/sbin/ip -4 route add blackhole 255.255.255.255/32 table main -/sbin/ip -6 route add blackhole fec0::/10 table main -/sbin/ip -6 route add blackhole fc00::/7 table main -/sbin/ip -6 route add blackhole ff00::/8 table main -/sbin/ip -6 route add blackhole ::/96 table main -/sbin/ip -6 route add blackhole 0:0:0:0:0:ffff::/96 table main -/sbin/ip -6 route add blackhole ::/0 table main - exit 0 diff --git a/roles/system-sysctl-gateway/vars/main.yml b/roles/system-sysctl-gateway/vars/main.yml index 648b476..77211d4 100644 --- a/roles/system-sysctl-gateway/vars/main.yml +++ b/roles/system-sysctl-gateway/vars/main.yml 
@@ -1,27 +1,15 @@ --- sysctl_settings_gateway: - - name: net.ipv4.ip_forward - value: 1 - - name: net.ipv4.conf.default.rp_filter - value: 0 - - name: net.ipv4.conf.all.rp_filter - value: 0 - name: net.ipv4.neigh.default.gc_thresh1 value: 1024 - name: net.ipv4.neigh.default.gc_thresh2 value: 2048 - name: net.ipv4.neigh.default.gc_thresh3 value: 4096 - - name: net.ipv6.conf.all.forwarding - value: 1 - name: net.ipv6.conf.all.autoconf value: 0 - name: net.ipv6.conf.default.autoconf value: 0 - - name: net.ipv6.conf.all.accept_ra - value: 0 - - name: net.ipv6.conf.default.accept_ra - value: 0 - name: net.ipv6.neigh.default.gc_thresh1 value: 1024 - name: net.ipv6.neigh.default.gc_thresh2 From 79017f02d6e46027ecbe2c07194ca3f3c6f25837 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Wed, 11 Oct 2017 17:53:20 +0200 Subject: [PATCH 066/106] Use package module where possible instead of apt --- roles/git-repos/tasks/main.yml | 2 +- roles/kmod-batman/tasks/main.yml | 6 ++---- roles/network-iptables-gateway/tasks/main.yml | 2 +- roles/server-basic/tasks/main.yml | 6 ++---- roles/server-repos/tasks/main.yml | 6 ++---- roles/service-bind-slave/tasks/main.yml | 2 +- roles/service-bird/tasks/main.yml | 2 +- roles/service-dhcpd/tasks/main.yml | 2 +- roles/service-fastd/tasks/main.yml | 2 +- roles/service-haveged/tasks/main.yml | 2 +- roles/service-ntpd/tasks/main.yml | 6 ++---- roles/service-radvd/tasks/main.yml | 2 +- roles/service-tinc/tasks/main.yml | 2 +- 13 files changed, 17 insertions(+), 25 deletions(-) diff --git a/roles/git-repos/tasks/main.yml b/roles/git-repos/tasks/main.yml index 56eaa62..05ce77d 100644 --- a/roles/git-repos/tasks/main.yml +++ b/roles/git-repos/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: install git packages - apt: + package: name: "{{ item }}" state: present with_items: diff --git a/roles/kmod-batman/tasks/main.yml b/roles/kmod-batman/tasks/main.yml index 14b3b62..0991b4e 100644 --- a/roles/kmod-batman/tasks/main.yml 
+++ b/roles/kmod-batman/tasks/main.yml @@ -1,10 +1,8 @@ --- - name: install batman-module and linux headers - apt: - state: present + package: name: "{{ item }}" - update_cache: yes - cache_valid_time: 21600 + state: present with_items: - linux-headers-amd64 - batman-adv-dkms diff --git a/roles/network-iptables-gateway/tasks/main.yml b/roles/network-iptables-gateway/tasks/main.yml index 93eed04..a8a2e84 100644 --- a/roles/network-iptables-gateway/tasks/main.yml +++ b/roles/network-iptables-gateway/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: install iptables packages - apt: + package: name: "{{ item }}" state: present with_items: diff --git a/roles/server-basic/tasks/main.yml b/roles/server-basic/tasks/main.yml index a33f925..3c186b9 100644 --- a/roles/server-basic/tasks/main.yml +++ b/roles/server-basic/tasks/main.yml @@ -1,10 +1,8 @@ --- - name: ensure common packages are installed - apt: - state: present + package: name: "{{ item }}" - update_cache: yes - cache_valid_time: 21600 + state: present with_items: "{{ packages }}" - name: ensure vim is default editor diff --git a/roles/server-repos/tasks/main.yml b/roles/server-repos/tasks/main.yml index 016900d..14db38b 100644 --- a/roles/server-repos/tasks/main.yml +++ b/roles/server-repos/tasks/main.yml @@ -1,10 +1,8 @@ --- - name: ensure dirmngr and apt-transport-https are installed - apt: - state: present + package: name: "{{ item }}" - update_cache: yes - cache_valid_time: 21600 + state: present with_items: - dirmngr - apt-transport-https diff --git a/roles/service-bind-slave/tasks/main.yml b/roles/service-bind-slave/tasks/main.yml index c11409b..e85c1de 100644 --- a/roles/service-bind-slave/tasks/main.yml +++ b/roles/service-bind-slave/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: install dns server packages - apt: + package: name: "{{ item }}" state: present notify: reload systemd diff --git a/roles/service-bird/tasks/main.yml b/roles/service-bird/tasks/main.yml index 3269d22..fa5909e 100644 
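Review bot: Switching the kmod-batman task to `package:` also drops `update_cache: yes` and `cache_valid_time: 21600`, and the server-basic, server-repos and service-ntpd hunks do the same, so after this change nothing in these roles refreshes the apt index before installing; on a host whose index is stale or empty the install fails on a missing candidate instead of succeeding after a refresh. The `package` module has no cache option, so if no other role runs an index update (none is visible in this chunk) keep one explicit cache-refresh task ahead of the first install, e.g. an `apt:` task with `update_cache: yes` and `cache_valid_time: 21600` — server-repos is the natural home since it is the role that manages the apt sources. A one-line comment on that task saying it exists because `package:` cannot refresh the cache would stop the next cleanup from removing it again.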
--- a/roles/service-bird/tasks/main.yml +++ b/roles/service-bird/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: install bird packages - apt: + package: name: "{{ item }}" state: present notify: reload systemd diff --git a/roles/service-dhcpd/tasks/main.yml b/roles/service-dhcpd/tasks/main.yml index 9c463da..28265e7 100644 --- a/roles/service-dhcpd/tasks/main.yml +++ b/roles/service-dhcpd/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: install dhcp packages - apt: + package: name: isc-dhcp-server state: present diff --git a/roles/service-fastd/tasks/main.yml b/roles/service-fastd/tasks/main.yml index 161b954..8b6d7f8 100644 --- a/roles/service-fastd/tasks/main.yml +++ b/roles/service-fastd/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: install fastd packages - apt: + package: name: "{{ item }}" state: present notify: reload systemd diff --git a/roles/service-haveged/tasks/main.yml b/roles/service-haveged/tasks/main.yml index d57f916..a798baa 100644 --- a/roles/service-haveged/tasks/main.yml +++ b/roles/service-haveged/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: install haveged - apt: + package: name: haveged state: present notify: reload systemd diff --git a/roles/service-ntpd/tasks/main.yml b/roles/service-ntpd/tasks/main.yml index 50cabca..28db3f4 100644 --- a/roles/service-ntpd/tasks/main.yml +++ b/roles/service-ntpd/tasks/main.yml @@ -6,11 +6,9 @@ state: stopped - name: install ntp packages - apt: - state: present + package: name: "{{ item }}" - update_cache: yes - cache_valid_time: 21600 + state: present with_items: - ntp - ntp-doc diff --git a/roles/service-radvd/tasks/main.yml b/roles/service-radvd/tasks/main.yml index 2197bec..168d7a8 100644 --- a/roles/service-radvd/tasks/main.yml +++ b/roles/service-radvd/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: install radvd packages - apt: + package: name: radvd state: present notify: reload systemd diff --git a/roles/service-tinc/tasks/main.yml b/roles/service-tinc/tasks/main.yml index 01adf45..c1cee21 100644 
--- a/roles/service-tinc/tasks/main.yml +++ b/roles/service-tinc/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: install tinc packages - apt: + package: name: "{{ item }}" state: present notify: reload systemd From f56215f03c5933a59b4acc30644aaeeb740cf97a Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Wed, 11 Oct 2017 22:04:36 +0200 Subject: [PATCH 067/106] Remove unnecessary handlers --- roles/service-bind-slave/tasks/main.yml | 1 - roles/service-bird/tasks/main.yml | 1 - roles/service-fastd/tasks/main.yml | 1 - roles/service-haveged/handlers/main.yml | 4 ---- roles/service-haveged/tasks/main.yml | 1 - roles/service-radvd/handlers/main.yml | 4 ---- roles/service-radvd/tasks/main.yml | 1 - roles/service-tinc/handlers/main.yml | 4 ---- roles/service-tinc/tasks/main.yml | 1 - 9 files changed, 18 deletions(-) delete mode 100644 roles/service-haveged/handlers/main.yml diff --git a/roles/service-bind-slave/tasks/main.yml b/roles/service-bind-slave/tasks/main.yml index e85c1de..8b025fe 100644 --- a/roles/service-bind-slave/tasks/main.yml +++ b/roles/service-bind-slave/tasks/main.yml @@ -3,7 +3,6 @@ package: name: "{{ item }}" state: present - notify: reload systemd with_items: - bind9 - bind9-doc diff --git a/roles/service-bird/tasks/main.yml b/roles/service-bird/tasks/main.yml index fa5909e..5239d3a 100644 --- a/roles/service-bird/tasks/main.yml +++ b/roles/service-bird/tasks/main.yml @@ -3,7 +3,6 @@ package: name: "{{ item }}" state: present - notify: reload systemd with_items: - bird-bgp - bird-doc diff --git a/roles/service-fastd/tasks/main.yml b/roles/service-fastd/tasks/main.yml index 8b6d7f8..7d731fb 100644 --- a/roles/service-fastd/tasks/main.yml +++ b/roles/service-fastd/tasks/main.yml @@ -3,7 +3,6 @@ package: name: "{{ item }}" state: present - notify: reload systemd with_items: - fastd - git diff --git a/roles/service-haveged/handlers/main.yml b/roles/service-haveged/handlers/main.yml deleted file mode 100644 index bb7fde2..0000000 
--- a/roles/service-haveged/handlers/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- name: reload systemd - systemd: - daemon_reload: yes diff --git a/roles/service-haveged/tasks/main.yml b/roles/service-haveged/tasks/main.yml index a798baa..e7fac1b 100644 --- a/roles/service-haveged/tasks/main.yml +++ b/roles/service-haveged/tasks/main.yml @@ -3,7 +3,6 @@ package: name: haveged state: present - notify: reload systemd - name: start and enable systemd unit haveged systemd: diff --git a/roles/service-radvd/handlers/main.yml b/roles/service-radvd/handlers/main.yml index 6bc9334..a534dd6 100644 --- a/roles/service-radvd/handlers/main.yml +++ b/roles/service-radvd/handlers/main.yml @@ -1,8 +1,4 @@ --- -- name: reload systemd - systemd: - daemon_reload: yes - - name: restart systemd unit radvd systemd: name: radvd diff --git a/roles/service-radvd/tasks/main.yml b/roles/service-radvd/tasks/main.yml index 168d7a8..6311819 100644 --- a/roles/service-radvd/tasks/main.yml +++ b/roles/service-radvd/tasks/main.yml @@ -3,7 +3,6 @@ package: name: radvd state: present - notify: reload systemd - name: enable systemd unit radvd systemd: diff --git a/roles/service-tinc/handlers/main.yml b/roles/service-tinc/handlers/main.yml index c829add..9293bc9 100644 --- a/roles/service-tinc/handlers/main.yml +++ b/roles/service-tinc/handlers/main.yml @@ -1,8 +1,4 @@ --- -- name: reload systemd - systemd: - daemon_reload: yes - - name: restart systemd unit tinc systemd: name: tinc diff --git a/roles/service-tinc/tasks/main.yml b/roles/service-tinc/tasks/main.yml index c1cee21..ad57773 100644 --- a/roles/service-tinc/tasks/main.yml +++ b/roles/service-tinc/tasks/main.yml @@ -3,7 +3,6 @@ package: name: "{{ item }}" state: present - notify: reload systemd with_items: - tinc From f934a8866158bf82d685051d770c48c6fc2e1db4 Mon Sep 17 00:00:00 2001 
From: Tobias Hachmer Date: Fri, 13 Oct 2017 07:28:41 +0200 Subject: [PATCH 068/106] Move all handlers to one single role --- playbooks/gateways.yml | 1 + roles/handlers/handlers/main.yml | 79 +++++++++++++++++++ roles/network-batman/handlers/main.yml | 5 -- roles/network-fastd/handlers/main.yml | 5 -- roles/network-ffrl/handlers/main.yml | 5 -- .../handlers/main.yml | 6 -- roles/network-meshbridge/handlers/main.yml | 10 --- roles/network-routing/handlers/main.yml | 9 --- roles/service-bind-slave/handlers/main.yml | 9 --- roles/service-bird-ffrl/handlers/main.yml | 10 --- roles/service-bird-icvpn/handlers/main.yml | 10 --- roles/service-bird/handlers/main.yml | 14 ---- roles/service-dhcpd/handlers/main.yml | 6 -- .../service-fastd-intragate/handlers/main.yml | 8 -- roles/service-fastd-mesh/handlers/main.yml | 8 -- roles/service-fastd/handlers/main.yml | 4 - roles/service-radvd/handlers/main.yml | 5 -- roles/service-tinc/handlers/main.yml | 6 -- 18 files changed, 80 insertions(+), 120 deletions(-) create mode 100644 roles/handlers/handlers/main.yml delete mode 100644 roles/network-batman/handlers/main.yml delete mode 100644 roles/network-fastd/handlers/main.yml delete mode 100644 roles/network-ffrl/handlers/main.yml delete mode 100644 roles/network-iptables-gateway/handlers/main.yml delete mode 100644 roles/network-meshbridge/handlers/main.yml delete mode 100644 roles/network-routing/handlers/main.yml delete mode 100644 roles/service-bind-slave/handlers/main.yml delete mode 100644 roles/service-bird-ffrl/handlers/main.yml delete mode 100644 roles/service-bird-icvpn/handlers/main.yml delete mode 100644 roles/service-bird/handlers/main.yml delete mode 100644 roles/service-dhcpd/handlers/main.yml delete mode 100644 roles/service-fastd-intragate/handlers/main.yml delete mode 100644 roles/service-fastd-mesh/handlers/main.yml delete mode 100644 roles/service-fastd/handlers/main.yml delete mode 100644 roles/service-radvd/handlers/main.yml delete mode 100644 
roles/service-tinc/handlers/main.yml diff --git a/playbooks/gateways.yml b/playbooks/gateways.yml index b2303d5..84de721 100755 --- a/playbooks/gateways.yml +++ b/playbooks/gateways.yml @@ -3,6 +3,7 @@ - hosts: ffmwu-gateways remote_user: admin roles: + - handlers - prerequisites - server-repos - server-basic diff --git a/roles/handlers/handlers/main.yml b/roles/handlers/handlers/main.yml new file mode 100644 index 0000000..e666ba5 --- /dev/null +++ b/roles/handlers/handlers/main.yml 
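Review bot: Listing `- handlers` in playbooks/gateways.yml is the only thing that keeps the `notify:` names in the other roles resolvable once their own handlers/main.yml files are deleted, and that dependency is left implicit. Role handlers are visible only inside the play that includes the role, so any other play or playbook that uses e.g. network-routing or service-bird without `- handlers` will now fail at notify time with an unknown-handler error; other playbooks are not visible in this chunk, so treat that as something to check. A comment on the new entry would make the contract explicit: `- handlers  # must stay first: every role handler lives here, roles only notify`.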
@@ -0,0 +1,79 @@
+---
+- name: reload systemd
+ systemd:
+ daemon_reload: yes
+
+- name: reload network interfaces
+ systemd:
+ name: networking
+ state: reloaded
+
+- name: activate sysfs variables
+ systemd:
+ name: sysfsutils
+ state: restarted
+
+- name: restart bind9
+ systemd:
+ name: bind9
+ state: restarted
+
+- name: reload systemd unit bird
+ systemd:
+ name: bird
+ state: reloaded
+
+- name: reload systemd unit bird6
+ systemd:
+ name: bird6
+ state: reloaded
+
+- name: restart isc dhcp server
+ systemd:
+ name: isc-dhcp-server
+ enabled: yes
+ state: restarted
+
+- name: restart fastd intragate instances
+ systemd:
+ name: "fastd@{{ item.0.id }}igVPN-{{ item.1.mtu }}"
+ state: restarted
+ with_subelements:
+ - "{{ meshes }}"
+ - fastd.intragate.instances
+
+- name: restart fastd mesh instances
+ systemd:
+ name: "fastd@{{ item.0.id }}VPN-{{ item.1.mtu }}"
+ state: restarted
+ with_subelements:
+ - "{{ meshes }}"
+ - fastd.nodes.instances
+
+- name: restart systemd unit radvd
+ systemd:
+ name: radvd
+ state: restarted
+
+- name: restart respondd
+ systemd:
+ name: "respondd-{{ item.id }}"
+ state: restarted
+ with_items: "{{ meshes }}"
+
+- name: restart systemd unit tinc
+ systemd:
+ name: tinc
+ enabled: yes
+ state: restarted
+
+- name: restart systemd unit ffmwu-static-routes
+ systemd:
+ name: ffmwu-static-routes
+ state: restarted
+
+- name: iptables-restore
+ shell: iptables-restore < /etc/iptables/rules.v4
+
+- name: ip6tables-restore
+ shell: ip6tables-restore < /etc/iptables/rules.v6
diff --git a/roles/network-batman/handlers/main.yml b/roles/network-batman/handlers/main.yml
deleted file mode 100644
index 191d07d..0000000
--- a/roles/network-batman/handlers/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- name: reload network interfaces
- systemd:
- name: networking
- state: reloaded
diff --git a/roles/network-fastd/handlers/main.yml b/roles/network-fastd/handlers/main.yml
deleted file mode 100644
index 191d07d..0000000
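Review bot: The `restart isc dhcp server` and `restart systemd unit tinc` handlers in the new roles/handlers/handlers/main.yml carry `enabled: yes` next to `state: restarted`, so enabling those units only happens as a side effect of some config change being notified; on a host where nothing changes the unit can stay disabled until the next edit. Enablement belongs in the roles' tasks (service-radvd already has its own `enable systemd unit radvd` task in this series) and the handlers should only restart. While touching these lines, write the booleans as `true` rather than `yes` (`daemon_reload: true`, `enabled: true`) so the file does not depend on YAML 1.1 truthy parsing.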
--- a/roles/network-fastd/handlers/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: reload network interfaces - systemd: - name: networking - state: reloaded diff --git a/roles/network-ffrl/handlers/main.yml b/roles/network-ffrl/handlers/main.yml deleted file mode 100644 index 191d07d..0000000 --- a/roles/network-ffrl/handlers/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: reload network interfaces - systemd: - name: networking - state: reloaded diff --git a/roles/network-iptables-gateway/handlers/main.yml b/roles/network-iptables-gateway/handlers/main.yml deleted file mode 100644 index 5dfa033..0000000 --- a/roles/network-iptables-gateway/handlers/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: iptables-restore - shell: iptables-restore < /etc/iptables/rules.v4 - -- name: ip6tables-restore - shell: ip6tables-restore < /etc/iptables/rules.v6 diff --git a/roles/network-meshbridge/handlers/main.yml b/roles/network-meshbridge/handlers/main.yml deleted file mode 100644 index a07c6fa..0000000 --- a/roles/network-meshbridge/handlers/main.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -- name: activate sysfs variables - systemd: - name: sysfsutils - state: restarted - -- name: reload network interfaces - systemd: - name: networking - state: reloaded diff --git a/roles/network-routing/handlers/main.yml b/roles/network-routing/handlers/main.yml deleted file mode 100644 index c18c7a6..0000000 --- a/roles/network-routing/handlers/main.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- name: reload systemd - systemd: - daemon_reload: yes - -- name: restart systemd unit ffmwu-static-routes - systemd: - name: ffmwu-static-routes - state: restarted diff --git a/roles/service-bind-slave/handlers/main.yml b/roles/service-bind-slave/handlers/main.yml deleted file mode 100644 index e1b2000..0000000 --- a/roles/service-bind-slave/handlers/main.yml +++ /dev/null 
@@ -1,9 +0,0 @@ ---- -- name: reload systemd - systemd: - daemon_reload: yes - -- name: restart bind9 - systemd: - name: bind9 - state: restarted diff --git a/roles/service-bird-ffrl/handlers/main.yml b/roles/service-bird-ffrl/handlers/main.yml deleted file mode 100644 index a9d5fb3..0000000 --- a/roles/service-bird-ffrl/handlers/main.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -- name: reload systemd unit bird - systemd: - name: bird - state: reloaded - -- name: reload systemd unit bird6 - systemd: - name: bird6 - state: reloaded diff --git a/roles/service-bird-icvpn/handlers/main.yml b/roles/service-bird-icvpn/handlers/main.yml deleted file mode 100644 index a9d5fb3..0000000 --- a/roles/service-bird-icvpn/handlers/main.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -- name: reload systemd unit bird - systemd: - name: bird - state: reloaded - -- name: reload systemd unit bird6 - systemd: - name: bird6 - state: reloaded diff --git a/roles/service-bird/handlers/main.yml b/roles/service-bird/handlers/main.yml deleted file mode 100644 index 3d840fc..0000000 --- a/roles/service-bird/handlers/main.yml +++ /dev/null @@ -1,14 +0,0 @@ ---- -- name: reload systemd - systemd: - daemon_reload: yes - -- name: reload systemd unit bird - systemd: - name: bird - state: reloaded - -- name: reload systemd unit bird6 - systemd: - name: bird6 - state: reloaded diff --git a/roles/service-dhcpd/handlers/main.yml b/roles/service-dhcpd/handlers/main.yml deleted file mode 100644 index f7d522c..0000000 --- a/roles/service-dhcpd/handlers/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: restart isc dhcp server - systemd: - name: isc-dhcp-server - enabled: yes - state: restarted diff --git a/roles/service-fastd-intragate/handlers/main.yml b/roles/service-fastd-intragate/handlers/main.yml deleted file mode 100644 index f61c999..0000000 --- a/roles/service-fastd-intragate/handlers/main.yml +++ /dev/null 
@@ -1,8 +0,0 @@ ---- -- name: restart fastd intragate instances - systemd: - name: "fastd@{{ item.0.id }}igVPN-{{ item.1.mtu }}" - state: restarted - with_subelements: - - "{{ meshes }}" - - fastd.intragate.instances diff --git a/roles/service-fastd-mesh/handlers/main.yml b/roles/service-fastd-mesh/handlers/main.yml deleted file mode 100644 index c7357c1..0000000 --- a/roles/service-fastd-mesh/handlers/main.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: restart fastd mesh instances - systemd: - name: "fastd@{{ item.0.id }}VPN-{{ item.1.mtu }}" - state: restarted - with_subelements: - - "{{ meshes }}" - - fastd.nodes.instances diff --git a/roles/service-fastd/handlers/main.yml b/roles/service-fastd/handlers/main.yml deleted file mode 100644 index bb7fde2..0000000 --- a/roles/service-fastd/handlers/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- name: reload systemd - systemd: - daemon_reload: yes diff --git a/roles/service-radvd/handlers/main.yml b/roles/service-radvd/handlers/main.yml deleted file mode 100644 index a534dd6..0000000 --- a/roles/service-radvd/handlers/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: restart systemd unit radvd - systemd: - name: radvd - state: restarted diff --git a/roles/service-tinc/handlers/main.yml b/roles/service-tinc/handlers/main.yml deleted file mode 100644 index 9293bc9..0000000 --- a/roles/service-tinc/handlers/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: restart systemd unit tinc - systemd: - name: tinc - enabled: yes - state: restarted From dd03118c992e929c0ca428a1d5a948841bc46a73 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Fri, 13 Oct 2017 07:42:08 +0200 Subject: [PATCH 069/106] Update Readme.md --- Readme.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/Readme.md b/Readme.md index 369aabb..41a06c6 100644 --- a/Readme.md +++ b/Readme.md 
@@ -8,19 +8,21 @@ kann. Die folgenden Voraussetzungen müssen erfüllt sein: - Ein dedizierter (v)server muss existieren und unter einer IPv4- und einer IPv6-Adresse öffentlich erreichbar sein. - Die Adressen müssen im MWU-DNS eingetragen sein. -- Als Betriebssystem muss Debian stretch installiert sein. -- Für ansible muss Python 2.5 oder Python 2.4 + python-simplejson installiert sein. +- Als Betriebssystem muss Debian Stretch installiert sein. +- Für Ansible muss Python 2.6 oder höher installiert sein. - Es muss einen User admin geben, auf den die Admins Zugriff haben; dieser muss Root-Zugang über sudo haben. -Die Voraussetzungen werden von der Rolle `prerequisites` geprüft, die Rolle sollte als erste Rolle in jedem +Diese Voraussetzungen werden von der Rolle `prerequisites` geprüft, die Rolle sollte als erste Rolle in jedem Playbook eingebunden sein. -Die Server werden mit ihren FQDNs im Ansible Inventory hinterlegt, bedenkt das für eure ssh-config. - Voraussetzungen für die Control Machine: - Python 2 (Versionen 2.6 oder 2.7) oder 3 (Versionen 3.5 oder höher) - Ansible Version >= 2.4.0.0 +- Python Modul `netaddr` +- Python Modul `dnspython` + +Die Server werden mit ihren FQDNs im Ansible Inventory hinterlegt, bedenkt das für eure ssh-config. ## Variablen für jedes Mesh From 00307bc9be3d810ba8bb9353e755ebd99dd78052 Mon Sep 17 00:00:00 2001 
From: Tobias Hachmer Date: Fri, 13 Oct 2017 07:59:43 +0200 Subject: [PATCH 070/106] Move IP rules from role `service-rclocal` to role `network-routing` - add scripts to configure and delete IP rules via a systemd unit - delete role `service-rclocal` - update README.md - add new handler --- playbooks/gateways.yml | 1 - roles/handlers/handlers/main.yml | 5 ++ roles/network-routing/README.md | 5 +- roles/network-routing/tasks/main.yml | 27 ++++++ .../templates/ffmwu-add-ip-rules.sh.j2} | 16 +--- .../templates/ffmwu-add-static-routes.sh.j2 | 4 + .../templates/ffmwu-del-ip-rules.sh.j2 | 82 +++++++++++++++++++ .../templates/ffmwu-del-static-routes.sh.j2 | 4 + .../templates/ffmwu-ip-rules.service.j2 | 12 +++ roles/service-rclocal/README.md | 25 ------ roles/service-rclocal/tasks/main.yml | 11 --- 11 files changed, 139 insertions(+), 53 deletions(-) rename roles/{service-rclocal/templates/rc.local.j2 => network-routing/templates/ffmwu-add-ip-rules.sh.j2} (92%) create mode 100644 roles/network-routing/templates/ffmwu-del-ip-rules.sh.j2 create mode 100644 roles/network-routing/templates/ffmwu-ip-rules.service.j2 delete mode 100644 roles/service-rclocal/README.md delete mode 100644 roles/service-rclocal/tasks/main.yml diff --git a/playbooks/gateways.yml b/playbooks/gateways.yml index 84de721..015f1e8 100755 --- a/playbooks/gateways.yml +++ b/playbooks/gateways.yml @@ -28,5 +28,4 @@ - service-bird-ffrl - service-bind-slave - network-routing - - service-rclocal - system-sysctl-gateway diff --git a/roles/handlers/handlers/main.yml b/roles/handlers/handlers/main.yml index e666ba5..d91953f 100644 --- a/roles/handlers/handlers/main.yml +++ b/roles/handlers/handlers/main.yml @@ -71,6 +71,11 @@ systemd: name: ffmwu-static-routes state: restarted + +- name: restart systemd unit ffmwu-ip-rules + systemd: + name: ffmwu-ip-rules + state: restarted - name: iptables-restore shell: iptables-restore < /etc/iptables/rules.v4 
diff --git a/roles/network-routing/README.md b/roles/network-routing/README.md index 7bb45f6..db00a5b 100644 --- a/roles/network-routing/README.md +++ b/roles/network-routing/README.md @@ -5,6 +5,7 @@ Diese Ansible role konfiguriert System Einstellung bzgl. IP Routing. - konfiguriert statische Routen (systemd Unit) - Mesh Routen für die Routing Tabelle `mwu` - Blackhole Routes für die Routing Tabellen `internet` + `main` +- konfiguriert IP rules (systemd Unit) - konfiguriert sysctl Parameter ## Benötigte Variablen @@ -16,7 +17,7 @@ meshes: ... site_name: ipv4_network: - ipv6_ula + ipv6_ula: ipv6_public: ´´´ - List `sysctl_settings_gateway` (Rollen-Variable) @@ -25,6 +26,8 @@ sysctl_settings_routing: - name: # sysctl-Parameter value: # zu setzender Wert ... +- Host Variable `ffrl_public_ipv4_nat` # Format ip-adresse/prefix +- Host Dictionary `ffrl_exit_server ´´´ - Host Variable `magic` diff --git a/roles/network-routing/tasks/main.yml b/roles/network-routing/tasks/main.yml index 923d366..8091636 100644 --- a/roles/network-routing/tasks/main.yml +++ b/roles/network-routing/tasks/main.yml @@ -26,6 +26,33 @@ enabled: yes state: started +- name: write systemd unit ffmwu-ip-rules.service + template: + src: ffmwu-ip-rules.service.j2 + dest: /etc/systemd/system/ffmwu-ip-rules.service + owner: root + group: root + mode: 0644 + notify: reload systemd + +- name: write ip rule scripts + template: + src: "{{ item }}.j2" + dest: "/usr/local/bin/{{ item }}" + owner: root + group: root + mode: 0750 + with_items: + - ffmwu-add-ip-rules.sh + - ffmwu-del-ip-rules.sh + notify: restart systemd unit ffmwu-ip-rules + +- name: enable systemd unit ffmwu-ip-rules.service + systemd: + name: ffmwu-ip-rules + enabled: yes + state: started + - name: set freifunk gateway sysctl settings sysctl: name: "{{ item.name }}" 
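Review bot: `mode: 0644` and `mode: 0750` in the two new template tasks of roles/network-routing/tasks/main.yml are unquoted octal literals; a YAML 1.1 parser reads them as the integers 420 and 488 and Ansible only recovers the intended mode because of the leading zero, which is fragile and what yamllint's octal-values check exists for — write `mode: "0644"` and `mode: "0750"`. Separately, the task that writes ffmwu-ip-rules.service only notifies `reload systemd`, so a change to the unit definition alone (for example a new ExecStart path) is reloaded but the running unit is not restarted; if that is intentional a short comment on the task would say so, otherwise add `restart systemd unit ffmwu-ip-rules` to its notify list as the script task does.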
diff --git a/roles/service-rclocal/templates/rc.local.j2 b/roles/network-routing/templates/ffmwu-add-ip-rules.sh.j2 similarity index 92% rename from roles/service-rclocal/templates/rc.local.j2 rename to roles/network-routing/templates/ffmwu-add-ip-rules.sh.j2 index 53ec415..cd8e6a4 100644 --- a/roles/service-rclocal/templates/rc.local.j2 +++ b/roles/network-routing/templates/ffmwu-add-ip-rules.sh.j2 @@ -1,21 +1,7 @@ -#!/bin/sh -e +#!/bin/sh # # {{ ansible_managed }} # -# rc.local -# -# This script is executed at the end of each multiuser runlevel. -# Make sure that the script will "exit 0" on success or any other -# value on error. -# -# In order to enable or disable this script just change the execution -# bits. -# -# By default this script does nothing. - -# -# IP rules -# # Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces {% for mesh in meshes %} diff --git a/roles/network-routing/templates/ffmwu-add-static-routes.sh.j2 b/roles/network-routing/templates/ffmwu-add-static-routes.sh.j2 index 3f2cc03..b5bc7d8 100644 --- a/roles/network-routing/templates/ffmwu-add-static-routes.sh.j2 +++ b/roles/network-routing/templates/ffmwu-add-static-routes.sh.j2 @@ -1,4 +1,8 @@ #!/bin/sh +# +# {{ ansible_managed }} +# + {% for mesh in meshes %} # static {{ mesh.site_name }} routes for rt_table mwu /sbin/ip -4 route add {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}BR table mwu diff --git a/roles/network-routing/templates/ffmwu-del-ip-rules.sh.j2 b/roles/network-routing/templates/ffmwu-del-ip-rules.sh.j2 new file mode 100644 index 0000000..d6bee9f --- /dev/null +++ b/roles/network-routing/templates/ffmwu-del-ip-rules.sh.j2 
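Review bot: The renamed ffmwu-add-ip-rules.sh.j2 changes the shebang from `#!/bin/sh -e` to `#!/bin/sh`, so a failing `ip rule add` no longer aborts the script; combined with `Type=oneshot` in the new unit the service then reports success with only part of the policy rules installed, and because these rules decide which table (mwu, icvpn, internet, main) a flow is looked up in, a partial ruleset silently changes how mesh traffic is forwarded. If `-e` was dropped because re-adding rules that already exist fails, that case is presumably handled by ExecStop running the del script before a restart, so keep `set -e` (or test each add and exit non-zero on failure) rather than ignoring errors. The script body continues past this hunk.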
@@ -0,0 +1,82 @@ +#!/bin/sh +# +# {{ ansible_managed }} +# + +# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces +{% for mesh in meshes %} +ip -4 rule del from {{ mesh.ipv4_network | ipdelr('network') }}/16 lookup mwu priority 7 +ip -4 rule del to {{ mesh.ipv4_network | ipdelr('network') }}/16 lookup mwu priority 7 +ip -4 rule del from all oif {{ mesh.id }}BR lookup mwu priority 7 +{% for ula in mesh.ipv6_ula %} +ip -6 rule del from {{ ula }} lookup mwu priority 7 +ip -6 rule del to {{ ula }} lookup mwu priority 7 +{% endfor %} +{% for public in mesh.ipv6_public %} +ip -6 rule del from {{ public }} lookup mwu priority 7 +ip -6 rule del to {{ public }} lookup mwu priority 7 +{% endfor %} +ip -6 rule del from all oif {{ mesh.id }}BR lookup mwu priority 7 +{% endfor %} + +# Priority 23 - lookup rt_table icvpn for all incoming traffic of freifunk bridges +{% for mesh in meshes %} +ip -4 rule del from {{ mesh.ipv4_network | ipdelr('network') }}/16 lookup icvpn priority 23 +ip -4 rule del to {{ mesh.ipv4_network | ipdelr('network') }}/16 lookup icvpn priority 23 +ip -4 rule del from all oif {{ mesh.id }}BR lookup icvpn priority 23 +{% for ula in mesh.ipv6_ula %} +ip -6 rule del from {{ ula }} lookup icvpn priority 23 +ip -6 rule del to {{ ula }} lookup icvpn priority 23 +{% endfor %} +{% for public in mesh.ipv6_public %} +ip -6 rule del from {{ public }} lookup icvpn priority 23 +ip -6 rule del to {{ public }} lookup icvpn priority 23 +{% endfor %} +ip -6 rule del from all oif {{ mesh.id }}BR lookup icvpn priority 23 +{% endfor %} +ip -4 rule del from all oif icVPN lookup icvpn priority 23 +ip -6 rule del from all oif icVPN lookup icvpn priority 23 + +# Priority 41 - lookup rt_table internet for all incoming traffic of freifunk bridges +{% for mesh in meshes %} +ip -4 rule del from {{ mesh.ipv4_network | ipdelr('network') }}/16 lookup internet priority 41 +{% for ula in mesh.ipv6_ula %} +ip -6 rule del from {{ ula }} lookup 
internet priority 41 +ip -6 rule del to {{ ula }} lookup internet priority 41 +{% endfor %} +{% for public in mesh.ipv6_public %} +ip -6 rule del from {{ public }} lookup internet priority 41 +ip -6 rule del to {{ public }} lookup internet priority 41 +{% endfor %} +ip -6 rule del from all oif {{ mesh.id }}BR lookup internet priority 41 +{% endfor %} +ip -4 rule del from {{ ffrl_public_ipv4_nat | ipdelr('host') }} lookup internet priority 41 +ip -4 rule del to {{ ffrl_public_ipv4_nat | ipdelr('host') }} lookup internet priority 41 + +# Priority 61 - at this point this is the end of policy routing for freifunk related routes +{% for mesh in meshes %} +ip -4 rule del from all iif {{ mesh.id }}BR type unreachable priority 61 +ip -6 rule del from all iif {{ mesh.id }}BR type unreachable priority 61 +{% endfor %} +ip -4 rule del from all iif icVPN type unreachable priority 61 +ip -4 rule del from all iif {{ ansible_default_ipv4.interface }} type unreachable priority 61 +{% for server_id, server_value in ffrl_exit_server.iteritems() %} +ip -4 rule del from all iif {{ server_id }} type unreachable priority 61 +ip -6 rule del from all iif {{ server_id }} type unreachable priority 61 +{% endfor %} +ip -6 rule del from all iif icVPN type unreachable priority 61 +ip -6 rule del from all iif {{ ansible_default_ipv6.interface }} type unreachable priority 61 +{% for mesh in meshes %} +{% for public in mesh.ipv6_public %} +ip -6 rule del from {{ public }} type unreachable priority 61 +ip -6 rule del to {{ public }} type unreachable priority 61 +{% endfor %} +{% endfor %} + +# Priority 107 - lookup policies for the gateway host self originating traffic +ip -4 rule del from all lookup mwu priority 107 +ip -4 rule del from all lookup icvpn priority 107 +ip -6 rule del from all lookup mwu priority 107 +ip -6 rule del from all lookup icvpn priority 107 + +exit 0 
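Review bot: `{% for server_id, server_value in ffrl_exit_server.iteritems() %}` in the priority-61 block of the new ffmwu-del-ip-rules.sh.j2 uses the Python 2-only `dict.iteritems()`; the Readme changed earlier in this series says Python 3 (3.5 or newer) is supported on the control machine, and there the template fails to render with an attribute error. `server_value` is also never used, so `{% for server_id in ffrl_exit_server %}` is equivalent on both Python versions. The add script presumably carries the same loop (not visible here) and would need the same fix.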
diff --git a/roles/network-routing/templates/ffmwu-del-static-routes.sh.j2 b/roles/network-routing/templates/ffmwu-del-static-routes.sh.j2
index ac57aa0..b09e9cc 100644
--- a/roles/network-routing/templates/ffmwu-del-static-routes.sh.j2
+++ b/roles/network-routing/templates/ffmwu-del-static-routes.sh.j2
@@ -1,4 +1,8 @@
 #!/bin/sh
+#
+# {{ ansible_managed }}
+#
+
 {% for mesh in meshes %}
 # static {{ mesh.site_name }} routes for rt_table mwu
 /sbin/ip -4 route del {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}BR table mwu
diff --git a/roles/network-routing/templates/ffmwu-ip-rules.service.j2 b/roles/network-routing/templates/ffmwu-ip-rules.service.j2
new file mode 100644
index 0000000..0ef051a
--- /dev/null
+++ b/roles/network-routing/templates/ffmwu-ip-rules.service.j2
@@ -0,0 +1,12 @@
+[Unit]
+Description=Manage Freifunk MWU IP rules
+After=network-online.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/bin/ffmwu-add-ip-rules.sh
+ExecStop=/usr/local/bin/ffmwu-del-ip-rules.sh
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/service-rclocal/README.md b/roles/service-rclocal/README.md
deleted file mode 100644
index 74a820a..0000000
--- a/roles/service-rclocal/README.md
+++ /dev/null
@@ -1,25 +0,0 @@
-# Ansible role service-rclocal
-
-Diese Ansible role schreibt die rc.local.
-Über die rc.local werden im Moment noch sämtliche IP rules sowie statischen IP-Routen konfiguriert.
-
-All dieses sollte in Zukunft durch systemd units abgelöst werden.
-
-## Benötigte Variablen
-
-- Dictionary `meshes`
-´´´
-meshes:
- - id: xx
-...
- site_name: # string
- ipv4_network:
- ipv6_ula:
- - # string
- ipv6_public:
- - # string
- iface_mtu: # integer
-´´´
-- Host Variable `magic`
-- Host Variable `ffrl_public_ipv4_nat` # Format ip-adresse/prefix
-- Host Dictionary `ffrl_exit_server`
diff --git a/roles/service-rclocal/tasks/main.yml b/roles/service-rclocal/tasks/main.yml
deleted file mode 100644
index 1400aa1..0000000
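Review bot: The new ffmwu-ip-rules.service orders itself with `After=network-online.target` but never pulls that target in; systemd only activates network-online.target when some unit wants or requires it, so on a host where nothing else does the ordering is a no-op and the add script may run before the network is up. Add `Wants=network-online.target` directly above the `After=` line. Also worth a comment in the `[Service]` section: with `Type=oneshot` plus `RemainAfterExit=yes`, `systemctl restart` runs ExecStop (all rules deleted) and then ExecStart, so there is a short window with no policy rules; something like `# restart = del script then add script; rules are briefly absent` tells operators not to restart it casually.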
--- a/roles/service-rclocal/tasks/main.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -- name: write rc.local - template: - src: rc.local.j2 - dest: /etc/rc.local - mode: 0755 - -- name: enable systemd unit rc.local - systemd: - name: rc.local - enabled: yes From 130980d8637e413ddfbc9026f6ad9f6f4dac07b5 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Sat, 14 Oct 2017 22:07:01 +0200 Subject: [PATCH 071/106] Role network-routing: fix typos in ffmwu-del-ip-rules.sh template --- .../templates/ffmwu-del-ip-rules.sh.j2 | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/roles/network-routing/templates/ffmwu-del-ip-rules.sh.j2 b/roles/network-routing/templates/ffmwu-del-ip-rules.sh.j2 index d6bee9f..24a77f3 100644 --- a/roles/network-routing/templates/ffmwu-del-ip-rules.sh.j2 +++ b/roles/network-routing/templates/ffmwu-del-ip-rules.sh.j2 @@ -5,8 +5,8 @@ # Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces {% for mesh in meshes %} -ip -4 rule del from {{ mesh.ipv4_network | ipdelr('network') }}/16 lookup mwu priority 7 -ip -4 rule del to {{ mesh.ipv4_network | ipdelr('network') }}/16 lookup mwu priority 7 +ip -4 rule del from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7 +ip -4 rule del to {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7 ip -4 rule del from all oif {{ mesh.id }}BR lookup mwu priority 7 {% for ula in mesh.ipv6_ula %} ip -6 rule del from {{ ula }} lookup mwu priority 7 
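Review bot: The corrected lines still hard-code the prefix length: `{{ mesh.ipv4_network | ipaddr('network') }}/16` takes the network address of whatever prefix `ipv4_network` carries and then labels it a /16, here and again in the -21 and -39 hunks for the icvpn and internet tables. For a mesh whose prefix is not /16 the rule covers a different range than the mesh actually uses — wider pulls foreign traffic into the `mwu`/`icvpn` lookups, narrower leaves mesh traffic out — and the del rule must mirror whatever the add script installs. `{{ mesh.ipv4_network | ipaddr('network') }}/{{ mesh.ipv4_network | ipaddr('prefix') }}` derives the length from the variable; if the /16 aggregation is intentional, a comment stating why would spare the next reader the same question. The add script is presumably built the same way (not visible here).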
@@ -21,8 +21,8 @@ ip -6 rule del from all oif {{ mesh.id }}BR lookup mwu priority 7 # Priority 23 - lookup rt_table icvpn for all incoming traffic of freifunk bridges {% for mesh in meshes %} -ip -4 rule del from {{ mesh.ipv4_network | ipdelr('network') }}/16 lookup icvpn priority 23 -ip -4 rule del to {{ mesh.ipv4_network | ipdelr('network') }}/16 lookup icvpn priority 23 +ip -4 rule del from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23 +ip -4 rule del to {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23 ip -4 rule del from all oif {{ mesh.id }}BR lookup icvpn priority 23 {% for ula in mesh.ipv6_ula %} ip -6 rule del from {{ ula }} lookup icvpn priority 23 @@ -39,7 +39,7 @@ ip -6 rule del from all oif icVPN lookup icvpn priority 23 # Priority 41 - lookup rt_table internet for all incoming traffic of freifunk bridges {% for mesh in meshes %} -ip -4 rule del from {{ mesh.ipv4_network | ipdelr('network') }}/16 lookup internet priority 41 +ip -4 rule del from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup internet priority 41 {% for ula in mesh.ipv6_ula %} ip -6 rule del from {{ ula }} lookup internet priority 41 ip -6 rule del to {{ ula }} lookup internet priority 41 @@ -50,8 +50,8 @@ ip -6 rule del to {{ public }} lookup internet priority 41 {% endfor %} ip -6 rule del from all oif {{ mesh.id }}BR lookup internet priority 41 {% endfor %} -ip -4 rule del from {{ ffrl_public_ipv4_nat | ipdelr('host') }} lookup internet priority 41 -ip -4 rule del to {{ ffrl_public_ipv4_nat | ipdelr('host') }} lookup internet priority 41 +ip -4 rule del from {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41 +ip -4 rule del to {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41 # Priority 61 - at this point this is the end of policy routing for freifunk related routes {% for mesh in meshes %} From 57fff0410eb8ff22fb36134257a01c57a8888c65 Mon Sep 17 00:00:00 2001 
From: Tobias Hachmer Date: Sun, 15 Oct 2017 10:18:26 +0200 Subject: [PATCH 072/106] Add role service-respondd --- playbooks/gateways.yml | 1 + roles/handlers/handlers/main.yml | 6 +++++ roles/service-respondd/README.md | 16 ++++++++++++ roles/service-respondd/tasks/main.yml | 26 +++++++++++++++++++ .../templates/respondd.service.j2 | 10 +++++++ 5 files changed, 59 insertions(+) create mode 100644 roles/service-respondd/README.md create mode 100644 roles/service-respondd/tasks/main.yml create mode 100644 roles/service-respondd/templates/respondd.service.j2 diff --git a/playbooks/gateways.yml b/playbooks/gateways.yml index 015f1e8..f595b30 100755 --- a/playbooks/gateways.yml +++ b/playbooks/gateways.yml @@ -29,3 +29,4 @@ - service-bind-slave - network-routing - system-sysctl-gateway + - service-respondd diff --git a/roles/handlers/handlers/main.yml b/roles/handlers/handlers/main.yml index d91953f..c88c76d 100644 --- a/roles/handlers/handlers/main.yml +++ b/roles/handlers/handlers/main.yml @@ -76,6 +76,12 @@ systemd: name: ffmwu-ip-rules state: restarted + +- name: restart respondd + systemd: + name: "respondd-{{ item.id }}" + state: restarted + with_items: "{{ meshes }}" - name: iptables-restore shell: iptables-restore < /etc/iptables/rules.v4 diff --git a/roles/service-respondd/README.md b/roles/service-respondd/README.md new file mode 100644 index 0000000..e8a5579 --- /dev/null +++ b/roles/service-respondd/README.md @@ -0,0 +1,16 @@ +# Ansible role service-respondd + +Diese Ansible role installiert und konfiguriert die respondd Implementierung `mesh-announce`. +Pro Mesh Netzwerk muss eine `mesh-announce`-Instanz laufen. + +- installiert `mesh-announce` (Github Clone) +- installiert pro Mesh Netzwerk eine systemd unit + +## Benötigte Variablen + +- Dictionary `meshes` +´´´ +meshes: + - id: xx + site_code: # string +´´´ diff --git a/roles/service-respondd/tasks/main.yml b/roles/service-respondd/tasks/main.yml new file mode 100644 index 0000000..3e49feb --- /dev/null 
+++ b/roles/service-respondd/tasks/main.yml @@ -0,0 +1,26 @@ +--- +- name: clone respondd repo + git: + repo: https://github.com/freifunk-mwu/mesh-announce.git + dest: /home/admin/clones/mesh-announce + version: mwu-respondd + become: false + +- name: write systemd unit files + template: + src: respondd.service.j2 + dest: "/etc/systemd/system/respondd-{{ item.id }}.service" + owner: root + group: root + mode: 0644 + notify: + - reload systemd + - restart respondd + with_items: "{{ meshes }}" + +- name: configure systemd unit files + systemd: + name: "respondd-{{ item.id }}" + enabled: yes + state: started + with_items: "{{ meshes }}" diff --git a/roles/service-respondd/templates/respondd.service.j2 b/roles/service-respondd/templates/respondd.service.j2 new file mode 100644 index 0000000..56789d1 --- /dev/null +++ b/roles/service-respondd/templates/respondd.service.j2 @@ -0,0 +1,10 @@ +[Unit] +Description=respondd instance {{ item.id }} + +[Service] +ExecStart=/home/admin/clones/mesh-announce/respondd.py -i {{ item.id }}BR -b {{ item.id }}BAT -s {{ item.site_code }} -d /home/admin/clones/mesh-announce/ +Restart=always +Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + +[Install] +WantedBy=multi-user.target From ac48746a11d3810fb1e1c7499bc3e273bb42cb04 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Wed, 25 Oct 2017 19:50:06 +0200 Subject: [PATCH 073/106] Roles service-fastd-[intragate|mesh]: update mac prefixes due to fastd instances change --- roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 | 2 +- roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 b/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 index 817ffa5..e1019c6 100644 --- a/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 +++ b/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 
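Review bot: The `clone respondd repo` task checks out the mutable branch `mwu-respondd` into `/home/admin/clones` with `become: false`, while the respondd.service.j2 hunk below runs `respondd.py` from that checkout as root (the unit sets no `User=`). Code owned and writable by the unprivileged admin account — and updated to whatever the branch points at on each playbook run — therefore executes with root privileges on every gateway. Pin `version:` to a specific commit (`version: "<commit-sha placeholder>"`) and either deploy the checkout to a root-owned path or add `User=`/`Group=` for a dedicated account in the unit; `enabled: yes` in the last task also reads better as `enabled: true`.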
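Review bot: respondd.service.j2 has no ordering or dependency on the interfaces it binds (`{{ item.id }}BR`, `{{ item.id }}BAT`), and `Restart=always` without `RestartSec=` means an instance that fails because an interface is not up yet is respawned at systemd's default rate until the start-rate limit trips. Adding `After=network-online.target` and `Wants=network-online.target` to `[Unit]` plus `RestartSec=5` to `[Service]` keeps the respawn loop bounded. Whether a stricter dependency on the bridge device unit is wanted depends on how the interfaces are brought up, which is outside this hunk.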
@@ -1,5 +1,5 @@ {% set ip4hex = item.0.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} -{% set mac = '0212' + ip4hex -%} +{% set mac = '023' + item.1.id|string + ip4hex -%} # # {{ ansible_managed }} # diff --git a/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 b/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 index 038ac4d..99fc1f6 100644 --- a/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 +++ b/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 @@ -1,5 +1,5 @@ {% set ip4hex = item.0.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} -{% set mac = '0211' + ip4hex -%} +{% set mac = '022' + item.1.id|string + ip4hex -%} # # {{ ansible_managed }} # From a2110b33eeb345fa347cbdddc241759fb44b160f Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Thu, 26 Oct 2017 22:29:15 +0200 Subject: [PATCH 074/106] Fix some whitespaces --- roles/handlers/handlers/main.yml | 2 +- roles/service-fastd-intragate/tasks/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/handlers/handlers/main.yml b/roles/handlers/handlers/main.yml index c88c76d..3e86213 100644 --- a/roles/handlers/handlers/main.yml +++ b/roles/handlers/handlers/main.yml @@ -82,7 +82,7 @@ name: "respondd-{{ item.id }}" state: restarted with_items: "{{ meshes }}" - + - name: iptables-restore shell: iptables-restore < /etc/iptables/rules.v4 diff --git a/roles/service-fastd-intragate/tasks/main.yml b/roles/service-fastd-intragate/tasks/main.yml index 1800909..7c9495f 100644 --- a/roles/service-fastd-intragate/tasks/main.yml +++ b/roles/service-fastd-intragate/tasks/main.yml @@ -44,7 +44,7 @@ dest: "/etc/fastd/{{ item.0.id }}igVPN-{{ item.1.mtu }}/fastd.conf" notify: restart fastd intragate instances with_subelements: - - "{{ meshes }}" + - "{{ meshes }}" - fastd.intragate.instances - name: write fastd intragate secret From 8212e17d6ac0724d5c9c34a0d320fde882e214c6 Mon Sep 17 00:00:00 2001 
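Review bot: The new `mac` is built as `'023' + item.1.id|string + ip4hex`, so the result is only a 12-hex-digit MAC when `item.1.id` renders as a single digit; an instance id of 10 or more, or a non-numeric id, would silently produce an over-long or invalid address for fastd. If ids are guaranteed to stay in 0–9, a comment above the `set` stating that is enough; otherwise format the id explicitly, e.g. `{% set mac = '023' + '%x' | format(item.1.id) + ip4hex -%}`, which keeps one hex digit for ids up to 15. The same construction appears in the fastd-mesh.conf.j2 hunk with the `'022'` prefix.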
From: Tobias Hachmer Date: Thu, 26 Oct 2017 22:35:55 +0200 Subject: [PATCH 075/106] Ensure systemd units are started --- roles/service-bind-slave/tasks/main.yml | 11 ++++++----- roles/service-dhcpd/tasks/main.yml | 12 ++++++------ roles/service-fastd-intragate/tasks/main.yml | 17 +++++++++-------- roles/service-fastd-mesh/tasks/main.yml | 17 +++++++++-------- roles/service-ntpd/tasks/main.yml | 1 - roles/service-radvd/tasks/main.yml | 11 ++++++----- roles/service-tinc/tasks/main.yml | 11 ++++++----- 7 files changed, 42 insertions(+), 38 deletions(-) diff --git a/roles/service-bind-slave/tasks/main.yml b/roles/service-bind-slave/tasks/main.yml index 8b025fe..d985682 100644 --- a/roles/service-bind-slave/tasks/main.yml +++ b/roles/service-bind-slave/tasks/main.yml @@ -8,11 +8,6 @@ - bind9-doc - bind9utils -- name: enable systemd unit bind9 - systemd: - name: bind9 - enabled: yes - - name: write named.conf template: src: named.conf.j2 @@ -88,3 +83,9 @@ name: icvpn-dns-update.timer enabled: yes state: started + +- name: enable systemd unit bind9 + systemd: + name: bind9 + enabled: yes + state: started diff --git a/roles/service-dhcpd/tasks/main.yml b/roles/service-dhcpd/tasks/main.yml index 28265e7..42c5194 100644 --- a/roles/service-dhcpd/tasks/main.yml +++ b/roles/service-dhcpd/tasks/main.yml @@ -4,12 +4,6 @@ name: isc-dhcp-server state: present -- name: enable systemd unit isc-dhcp-server - systemd: - name: isc-dhcp-server - enabled: yes - daemon_reload: yes - - name: concatenate meshbridge interfaces set_fact: dhcp_interfaces: "{% for mesh in meshes %}{{ mesh.id }}BR{% if not loop.last %} {% endif %}{% endfor %}" @@ -32,3 +26,9 @@ src: dhcpd.conf.j2 dest: /etc/dhcp/dhcpd.conf notify: restart isc dhcp server + +- name: enable systemd unit isc-dhcp-server + systemd: + name: isc-dhcp-server + enabled: yes + state: started diff --git a/roles/service-fastd-intragate/tasks/main.yml b/roles/service-fastd-intragate/tasks/main.yml index 7c9495f..d36a93e 100644 
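Review bot: The re-added `enable systemd unit bind9` task writes `enabled: yes`; `yes` is a YAML 1.1 boolean that 1.2 parsers and yamllint's `truthy` rule reject, so `enabled: true` is the portable spelling. The same `enabled: yes` appears in every other hunk of this commit (isc-dhcp-server, both fastd@ units, radvd, tinc) and in the service-nginx and service-nginx-firmware tasks added later in the series. It matches the rest of the repository, so this is a file-wide style choice rather than a bug, but new tasks are the cheapest place to start converging.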
--- a/roles/service-fastd-intragate/tasks/main.yml +++ b/roles/service-fastd-intragate/tasks/main.yml @@ -1,12 +1,4 @@ --- -- name: configure systemd unit fastd@ - systemd: - name: "fastd@{{ item.0.id }}igVPN-{{ item.1.mtu }}" - enabled: yes - with_subelements: - - "{{ meshes }}" - - fastd.intragate.instances - - name: create fastd intragate directories file: path: "/etc/fastd/{{ item.0.id }}igVPN-{{ item.1.mtu }}" @@ -55,3 +47,12 @@ with_subelements: - "{{ meshes }}" - fastd.intragate.instances + +- name: configure systemd unit fastd@ + systemd: + name: "fastd@{{ item.0.id }}igVPN-{{ item.1.mtu }}" + enabled: yes + state: started + with_subelements: + - "{{ meshes }}" + - fastd.intragate.instances diff --git a/roles/service-fastd-mesh/tasks/main.yml b/roles/service-fastd-mesh/tasks/main.yml index 9d0ba57..237652c 100644 --- a/roles/service-fastd-mesh/tasks/main.yml +++ b/roles/service-fastd-mesh/tasks/main.yml @@ -1,12 +1,4 @@ --- -- name: configure systemd unit fastd@ - systemd: - name: "fastd@{{ item.0.id }}VPN-{{ item.1.mtu }}" - enabled: yes - with_subelements: - - "{{ meshes }}" - - fastd.nodes.instances - - name: create fastd directories file: path: "/etc/fastd/{{ item.0.id }}VPN-{{ item.1.mtu }}" @@ -146,3 +138,12 @@ with_items: - fastd-sync-meshkeys - fastd-peer-limit-update + +- name: configure systemd unit fastd@ + systemd: + name: "fastd@{{ item.0.id }}VPN-{{ item.1.mtu }}" + enabled: yes + state: started + with_subelements: + - "{{ meshes }}" + - fastd.nodes.instances diff --git a/roles/service-ntpd/tasks/main.yml b/roles/service-ntpd/tasks/main.yml index 28db3f4..e2e6cde 100644 --- a/roles/service-ntpd/tasks/main.yml +++ b/roles/service-ntpd/tasks/main.yml @@ -20,4 +20,3 @@ name: ntp enabled: yes state: started - daemon_reload: yes diff --git a/roles/service-radvd/tasks/main.yml b/roles/service-radvd/tasks/main.yml index 6311819..feeb46d 100644 --- a/roles/service-radvd/tasks/main.yml +++ b/roles/service-radvd/tasks/main.yml 
@@ -4,13 +4,14 @@ name: radvd state: present -- name: enable systemd unit radvd - systemd: - name: radvd - enabled: yes - - name: configure radvd template: src: radvd.conf.j2 dest: /etc/radvd.conf notify: restart systemd unit radvd + +- name: enable systemd unit radvd + systemd: + name: radvd + enabled: yes + state: started diff --git a/roles/service-tinc/tasks/main.yml b/roles/service-tinc/tasks/main.yml index ad57773..034350f 100644 --- a/roles/service-tinc/tasks/main.yml +++ b/roles/service-tinc/tasks/main.yml @@ -6,11 +6,6 @@ with_items: - tinc -- name: configure systemd unit tinc - systemd: - name: tinc - enabled: yes - - name: clone icvpn repo git: repo: "{{ icvpn.icvpn_repo }}" @@ -75,3 +70,9 @@ owner: root group: root notify: restart systemd unit tinc + +- name: configure systemd unit tinc + systemd: + name: tinc + enabled: yes + state: started From 545162a46fe94797fb092325f4666950d8ef767e Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Fri, 27 Oct 2017 11:38:02 +0200 Subject: [PATCH 076/106] Add role service-nginx --- roles/handlers/handlers/main.yml | 5 ++ roles/service-nginx/README.md | 12 +++++ roles/service-nginx/files/style.css | 53 +++++++++++++++++++ roles/service-nginx/tasks/main.yml | 52 ++++++++++++++++++ roles/service-nginx/templates/default.conf.j2 | 12 +++++ roles/service-nginx/templates/index.html.j2 | 25 +++++++++ 6 files changed, 159 insertions(+) create mode 100644 roles/service-nginx/README.md create mode 100644 roles/service-nginx/files/style.css create mode 100644 roles/service-nginx/tasks/main.yml create mode 100644 roles/service-nginx/templates/default.conf.j2 create mode 100644 roles/service-nginx/templates/index.html.j2 diff --git a/roles/handlers/handlers/main.yml b/roles/handlers/handlers/main.yml index 3e86213..5ca2b47 100644 --- a/roles/handlers/handlers/main.yml +++ b/roles/handlers/handlers/main.yml 
@@ -88,3 +88,8 @@ - name: ip6tables-restore shell: ip6tables-restore < /etc/iptables/rules.v6 + +- name: reload nginx + systemd: + name: nginx + state: reloaded diff --git a/roles/service-nginx/README.md b/roles/service-nginx/README.md new file mode 100644 index 0000000..b45bba2 --- /dev/null +++ b/roles/service-nginx/README.md @@ -0,0 +1,12 @@ +# Ansible role service-nginx + +Diese Ansible role installiert und konfiguriert den Web Server nginx. + +- installiert das offizielle Debian Repository von nginx.org +- installiert nginx +- schreibt default.conf +- installiert die Standard MWU Gateway Webseite + +## Benötigte Variablen + +- Variable `inventory_hostname_short` diff --git a/roles/service-nginx/files/style.css b/roles/service-nginx/files/style.css new file mode 100644 index 0000000..1dea88f --- /dev/null +++ b/roles/service-nginx/files/style.css @@ -0,0 +1,53 @@ +body +{ + background: #ffffff; + color: #000000; + font-family: "Source Code Pro", "Consolas", "Courier New", "Monaco", monospace; + font-size: 12px; + white-space: nowrap; +} + +footer +{ + margin: 2em 0; +} + +a +{ + color: #ff4b57; +} + +.block +{ + margin: 1em; + padding: .5em; + border-radius: .5em; + border: #f9f9f9 1px solid; +} + +.cblock +{ + background: #000000; + color: #ffffff; + margin: 1em; + padding: .5em; + border-radius: .5em; + display: block; +} + +.ifblock +{ + display: inline-block; + vertical-align: top; + text-align: center; + margin: .1em; + padding: .5em; + min-width: 10em; + border: #f9f9f9 1px solid; + border-radius: .5em; +} + +.ifimg +{ + display: block; +} diff --git a/roles/service-nginx/tasks/main.yml b/roles/service-nginx/tasks/main.yml new file mode 100644 index 0000000..912e588 --- /dev/null +++ b/roles/service-nginx/tasks/main.yml 
@@ -0,0 +1,52 @@ +--- +- name: add official nginx apt key + apt_key: + state: present + id: 7BD9BF62 + url: "https://nginx.org/keys/nginx_signing.key" + +- name: add official nginx apt repository + apt_repository: + state: present + repo: "{{ item }}" + update_cache: yes + filename: nginx + with_items: + - deb http://nginx.org/packages/debian/ stretch nginx + - deb-src http://nginx.org/packages/debian/ stretch nginx + +- name: install nginx packages + package: + name: nginx + state: present + +- name: write nginx configuration default.conf + template: + src: default.conf.j2 + dest: /etc/nginx/conf.d/default.conf + mode: 0644 + notify: reload nginx + +- name: manage html directory for static files + file: + path: /var/www/html/static + state: directory + mode: 0755 + +- name: copy css stylesheet + copy: + src: style.css + dest: /var/www/html/static/style.css + mode: 0644 + +- name: write index.html + template: + src: index.html.j2 + dest: /var/www/html/index.html + mode: 0644 + +- name: configure systemd unit nginx + systemd: + name: nginx + state: started + enabled: yes diff --git a/roles/service-nginx/templates/default.conf.j2 b/roles/service-nginx/templates/default.conf.j2 new file mode 100644 index 0000000..15892b6 --- /dev/null +++ b/roles/service-nginx/templates/default.conf.j2 @@ -0,0 +1,12 @@ +server { + listen 80 default_server; + server_name _; + + charset utf-8; + server_tokens off; + + root /var/www/html; + location / { + index index.html; + } +} diff --git a/roles/service-nginx/templates/index.html.j2 b/roles/service-nginx/templates/index.html.j2 new file mode 100644 index 0000000..eb8c0fd --- /dev/null +++ b/roles/service-nginx/templates/index.html.j2 @@ -0,0 +1,25 @@ + + + + + Freifunk MWU Gateway "{{ inventory_hostname_short }}" + + + + + +
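Review bot: `add official nginx apt key` pins the key with the 8-hex-digit short id `7BD9BF62`; short ids are not collision-resistant, and `apt_key` accepts the full 40-hex-digit fingerprint in `id`, which is what should be recorded here (`id: <full-fingerprint placeholder>`). The repository lines also hard-code `stretch`; `deb http://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx` follows the host release, and the `deb-src` entry is unnecessary unless packages are rebuilt on the gateways. `update_cache: yes` and `enabled: yes` would be `true` under yamllint's truthy rule.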
+

Freifunk MWU Gateway {{ inventory_hostname_short }}

+
+ + + + From dc146df5f7e863065708b8e49e07e4007216626b Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Fri, 27 Oct 2017 11:41:00 +0200 Subject: [PATCH 077/106] Add role service-nginx-firmware --- roles/service-nginx-firmware/README.md | 22 ++++++++++ roles/service-nginx-firmware/meta/main.yml | 3 ++ roles/service-nginx-firmware/tasks/main.yml | 41 +++++++++++++++++++ .../templates/firmware-sync.service.j2 | 11 +++++ .../templates/firmware-sync.timer.j2 | 12 ++++++ .../templates/firmware_vhost.conf.j2 | 32 +++++++++++++++ 6 files changed, 121 insertions(+) create mode 100644 roles/service-nginx-firmware/README.md create mode 100644 roles/service-nginx-firmware/meta/main.yml create mode 100644 roles/service-nginx-firmware/tasks/main.yml create mode 100644 roles/service-nginx-firmware/templates/firmware-sync.service.j2 create mode 100644 roles/service-nginx-firmware/templates/firmware-sync.timer.j2 create mode 100644 roles/service-nginx-firmware/templates/firmware_vhost.conf.j2 diff --git a/roles/service-nginx-firmware/README.md b/roles/service-nginx-firmware/README.md new file mode 100644 index 0000000..77e5c75 --- /dev/null +++ b/roles/service-nginx-firmware/README.md @@ -0,0 +1,22 @@ +# Ansible role service-nginx-firmware + +Diese Ansible role konfiguriert die Firmware Synchronisation und die erforderlichen nginx vHosts. + +- verwaltet `/var/www/html/firmware` +- installiert und konfiguriert den systemd timer firmware-sync +- schreibt firmware.conf + +## Benötigte Variablen + +- Variable `http_domain_external` # string: Externe Freifunk MWU Domain +- Variable `http_domain_internal` # string: Interne Freifunk MWU Domain +- Dictionary `meshes` +´´´ +meshes: + - id: xx +... + site_name: # string +... + http_domain_external: # string: Externe Mesh Domain + http_domain_internal: # string: Interne Mesh Domain +´´´ diff --git a/roles/service-nginx-firmware/meta/main.yml b/roles/service-nginx-firmware/meta/main.yml new file mode 100644 index 0000000..814b458 
--- /dev/null +++ b/roles/service-nginx-firmware/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - { role: service-nginx } diff --git a/roles/service-nginx-firmware/tasks/main.yml b/roles/service-nginx-firmware/tasks/main.yml new file mode 100644 index 0000000..ffde07a --- /dev/null +++ b/roles/service-nginx-firmware/tasks/main.yml @@ -0,0 +1,41 @@ +--- +- name: manage firmware directory + file: + path: /var/www/html/firmware + state: directory + mode: 0755 + owner: www-data + group: www-data + +- name: write systemd unit firmware-sync.service + template: + src: firmware-sync.service.j2 + dest: /etc/systemd/system/firmware-sync.service + owner: root + group: root + mode: 0644 + notify: reload systemd + +- name: write systemd timer firmware-sync.timer + template: + src: firmware-sync.timer.j2 + dest: /etc/systemd/system/firmware-sync.timer + owner: root + group: root + mode: 0644 + notify: reload systemd + +- name: configure systemd unit/timer firmware-sync + systemd: + name: firmware-sync.timer + enabled: yes + state: started + +- name: write firmware.conf + template: + src: firmware_vhost.conf.j2 + dest: /etc/nginx/conf.d/firmware.conf + owner: root + group: root + mode: 0644 + notify: reload nginx diff --git a/roles/service-nginx-firmware/templates/firmware-sync.service.j2 b/roles/service-nginx-firmware/templates/firmware-sync.service.j2 new file mode 100644 index 0000000..cc79408 --- /dev/null +++ b/roles/service-nginx-firmware/templates/firmware-sync.service.j2 @@ -0,0 +1,11 @@ +# +# {{ ansible_managed }} +# +[Unit] +Description=Synchronize Freifunk MWU Firmware directory + +[Service] +Type=oneshot +ExecStart=/usr/bin/rsync -avh4 --delete rsync://milchreis.freifunk-mwu.de:873/firmware /var/www/html/firmware +User=www-data +Group=www-data diff --git a/roles/service-nginx-firmware/templates/firmware-sync.timer.j2 b/roles/service-nginx-firmware/templates/firmware-sync.timer.j2 new file mode 100644 index 0000000..1d995c3 --- /dev/null 
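Review bot: `manage firmware directory` makes `/var/www/html/firmware` owned by `www-data`, the same account nginx serves it as, and the firmware-sync.service hunk below writes into it as that user, so the web server process has write access to the images it serves. A dedicated sync user owning the tree, with nginx granted read access only (group or other bits), separates the writer from the server. `enabled: yes` on the timer task reads better as `enabled: true`.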
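Review bot: `ExecStart` pulls the firmware tree from `rsync://milchreis.freifunk-mwu.de:873/firmware` with `--delete`; the rsync daemon protocol has no transport authentication or encryption, so both the content and the deletion set are trusted exactly as they arrive from the network path. If the nodes verify a signed manifest the exposure is limited to availability; if they do not, an rsync-over-ssh transport (`-e ssh <sync-user>@<host>:<path>`, all placeholders) or a post-sync signature check on the manifest closes the gap. `[Unit]` also lacks `After=network-online.target`, although the timer's 30 min `OnBootSec` mostly masks that in practice.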
+++ b/roles/service-nginx-firmware/templates/firmware-sync.timer.j2 @@ -0,0 +1,12 @@ +# +# {{ ansible_managed }} +# +[Unit] +Description=Timer which schedules firmware-sync.service + +[Timer] +OnBootSec=30min +OnUnitActiveSec=10min + +[Install] +WantedBy=timers.target diff --git a/roles/service-nginx-firmware/templates/firmware_vhost.conf.j2 b/roles/service-nginx-firmware/templates/firmware_vhost.conf.j2 new file mode 100644 index 0000000..e966631 --- /dev/null +++ b/roles/service-nginx-firmware/templates/firmware_vhost.conf.j2 @@ -0,0 +1,32 @@ +server { + listen 80; + server_name firmware.{{ http_domain_internal }} firmware.{{ http_domain_external }}; + + charset utf-8; + server_tokens off; + + root /var/www/html/firmware; + location / { + autoindex on; + autoindex_exact_size off; + } +} + +{% for mesh in meshes %} +server { + listen 80; + server_name firmware.{{ mesh.http_domain_internal }} firmware.{{ mesh.http_domain_external }}; + + charset utf-8; + server_tokens off; + + root /var/www/html/firmware/{{ mesh.site_name.lower() }}; + location / { + autoindex on; + autoindex_exact_size off; + } +} +{% if not loop.last %} + +{% endif %} +{% endfor %} From a19510fad3b3590f05d404e960347d36f68c29b4 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Sun, 29 Oct 2017 21:23:04 +0100 Subject: [PATCH 078/106] Add missing variables for role service-nginx-firmware --- inventory/group_vars/all | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/inventory/group_vars/all b/inventory/group_vars/all index 6955e93..14e0724 100644 --- a/inventory/group_vars/all +++ b/inventory/group_vars/all @@ -16,6 +16,9 @@ bgp_loopback_net: 10.37.0.0/18 bgp_ipv4_transfer_net: 10.37.0.0/18 bgp_ipv6_transfer_net: fd37:b4dc:4b1e::/64 +http_domain_internal: ffmwu.org +http_domain_external: freifunk-mwu.de + meshes: - id: mz site_number: 37 
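Review bot: `root /var/www/html/firmware/{{ mesh.site_name.lower() }}` calls a Python method from inside Jinja; the filter form `{{ mesh.site_name | lower }}` is the idiomatic spelling and does not depend on the variable being a Python `str`. Both server blocks listen on port 80 only, so firmware images are delivered in plaintext; that is acceptable only if the consuming nodes verify image signatures, which this hunk cannot show. A one-line comment above the `{% for mesh in meshes %}` loop stating that each mesh gets its own vhost rooted at its lower-cased site name would make the directory layout expectation explicit.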
@@ -69,6 +72,8 @@ meshes: - name: nodes.ffmz.org - name: ffbin master: fd37:b4dc:4b1e::a25:10c + http_domain_internal: ffmz.org + http_domain_external: freifunk-mainz.de - id: wi site_number: 56 @@ -120,6 +125,8 @@ meshes: - name: user.ffwi.org - name: bb.ffwi.org - name: nodes.ffwi.org + http_domain_internal: ffwi.org + http_domain_external: wiesbaden.freifunk.net icvpn: prefix: mwu From 4876f88bc59eda797f776d3b6c4f48992439ef05 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Sun, 29 Oct 2017 21:23:47 +0100 Subject: [PATCH 079/106] Add roles service-nginx(-firmware) to playbook gateways --- playbooks/gateways.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/playbooks/gateways.yml b/playbooks/gateways.yml index f595b30..176daf3 100755 --- a/playbooks/gateways.yml +++ b/playbooks/gateways.yml @@ -30,3 +30,5 @@ - network-routing - system-sysctl-gateway - service-respondd + - service-nginx + - service-nginx-firmware From f00a216fefaaaf6830cf42af78842ae6bb58779a Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Sun, 29 Oct 2017 21:24:48 +0100 Subject: [PATCH 080/106] Role service-nginx: add autoindex options to default vhost --- roles/service-nginx/templates/default.conf.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/service-nginx/templates/default.conf.j2 b/roles/service-nginx/templates/default.conf.j2 index 15892b6..f09ede1 100644 --- a/roles/service-nginx/templates/default.conf.j2 +++ b/roles/service-nginx/templates/default.conf.j2 @@ -8,5 +8,7 @@ server { root /var/www/html; location / { index index.html; + autoindex on; + autoindex_exact_size off; } } From d6eea602b72afdf2794d7e4d43708ee4048c6f40 Mon Sep 17 00:00:00 2001 
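Review bot: Turning on `autoindex` in the catch-all `location /` of the default vhost publishes a directory listing for every subdirectory of `/var/www/html` that lacks an index file, including `static/` from service-nginx and presumably any status files that scripts later write under that root. If a listing is only needed for one tree, scope it instead: `location /<listing-dir>/ { autoindex on; autoindex_exact_size off; }` (path as a placeholder) and leave `location /` at `index index.html;`. If the listing really is wanted site-wide, a comment saying so would prevent it being removed as an oversight.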
From: Tobias Hachmer Date: Sun, 29 Oct 2017 21:26:10 +0100 Subject: [PATCH 081/106] Flush handlers after configuring network interfaces --- roles/network-batman/tasks/main.yml | 3 +++ roles/network-fastd/tasks/main.yml | 3 +++ roles/network-ffrl/tasks/main.yml | 3 +++ roles/network-meshbridge/tasks/main.yml | 3 +++ 4 files changed, 12 insertions(+) diff --git a/roles/network-batman/tasks/main.yml b/roles/network-batman/tasks/main.yml index 3a1f901..de4e7e4 100644 --- a/roles/network-batman/tasks/main.yml +++ b/roles/network-batman/tasks/main.yml @@ -12,3 +12,6 @@ dest: "/etc/network/interfaces.d/{{ item.id }}BAT" notify: reload network interfaces with_items: "{{ meshes }}" + +- name: flush handlers + meta: flush_handlers diff --git a/roles/network-fastd/tasks/main.yml b/roles/network-fastd/tasks/main.yml index 2cf7998..320a6c9 100644 --- a/roles/network-fastd/tasks/main.yml +++ b/roles/network-fastd/tasks/main.yml @@ -16,3 +16,6 @@ with_subelements: - "{{ meshes }}" - fastd.intragate.instances + +- name: flush handlers + meta: flush_handlers diff --git a/roles/network-ffrl/tasks/main.yml b/roles/network-ffrl/tasks/main.yml index ae0870d..8ef075a 100644 --- a/roles/network-ffrl/tasks/main.yml +++ b/roles/network-ffrl/tasks/main.yml @@ -11,3 +11,6 @@ src: ffrl_nat.j2 dest: "/etc/network/interfaces.d/ffrl-nat" notify: reload network interfaces + +- name: flush handlers + meta: flush_handlers diff --git a/roles/network-meshbridge/tasks/main.yml b/roles/network-meshbridge/tasks/main.yml index ef4e9e9..0ed113a 100644 --- a/roles/network-meshbridge/tasks/main.yml +++ b/roles/network-meshbridge/tasks/main.yml @@ -12,3 +12,6 @@ dest: "/etc/sysfs.d/99-{{ item.id }}BR.conf" with_items: "{{ meshes }}" notify: activate sysfs variables + +- name: flush handlers + meta: flush_handlers From 67c915e8772e74c2045bd59984ee8619edcbc46e Mon Sep 17 00:00:00 2001 
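Review bot: `meta: flush_handlers` runs every handler notified so far in the play, not only `reload network interfaces` or `activate sysfs variables`, so handlers queued by roles that ran before network-batman (a service restart, for instance) now fire in the middle of the network roles rather than at the end of the play. That is probably what is wanted for the interface reload, but a comment above each task would record the intent, e.g. `# run pending handlers now so later roles see the new interfaces`. The same task is added in the network-fastd, network-ffrl and network-meshbridge hunks.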
From: Tobias Hachmer Date: Tue, 31 Oct 2017 22:54:58 +0100 Subject: [PATCH 082/106] Role service-respondd: also listen on fastd-interfaces --- roles/service-respondd/templates/respondd.service.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/service-respondd/templates/respondd.service.j2 b/roles/service-respondd/templates/respondd.service.j2 index 56789d1..9a9a433 100644 --- a/roles/service-respondd/templates/respondd.service.j2 +++ b/roles/service-respondd/templates/respondd.service.j2 @@ -2,7 +2,7 @@ Description=respondd instance {{ item.id }} [Service] -ExecStart=/home/admin/clones/mesh-announce/respondd.py -i {{ item.id }}BR -b {{ item.id }}BAT -s {{ item.site_code }} -d /home/admin/clones/mesh-announce/ +ExecStart=/home/admin/clones/mesh-announce/respondd.py -i {{ item.id }}BR {% for interface in item.fastd.nodes.instances %}-i {{ item.id }}VPN-{{ interface.mtu }}{% if not loop.last %} {% endif %}{% endfor %} -b {{ item.id }}BAT -s {{ item.site_code }} -d /home/admin/clones/mesh-announce/ Restart=always Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin From 387f3bbf6b88d3d93b77cfdb28e973b2b0daac50 Mon Sep 17 00:00:00 2001 
From: Tobias Hachmer Date: Mon, 6 Nov 2017 17:41:17 +0100 Subject: [PATCH 083/106] Update fastd peer limit configuration * add list of legacy gateways (temporarily) * change backend-scripts branch to ansible * Role server-basic: ensure ffmwu config directory is present * Role service-fastd: add fastd-status script * role service-fastd-mesh: add templating for fastd peer limit configuration --- inventory/group_vars/all | 5 ++++ roles/git-repos/vars/main.yml | 2 +- roles/server-basic/tasks/main.yml | 8 ++++++ roles/service-fastd-mesh/tasks/main.yml | 8 ++++++ .../templates/fastd_peer_limit_config.yaml.j2 | 26 +++++++++++++++++++ roles/service-fastd/files/fastd-status | 17 ++++++++++++ roles/service-fastd/tasks/main.yml | 8 ++++++ 7 files changed, 73 insertions(+), 1 deletion(-) create mode 100644 roles/service-fastd-mesh/templates/fastd_peer_limit_config.yaml.j2 create mode 100644 roles/service-fastd/files/fastd-status diff --git a/inventory/group_vars/all b/inventory/group_vars/all index 14e0724..a1ccb15 100644 --- a/inventory/group_vars/all +++ b/inventory/group_vars/all @@ -161,3 +161,8 @@ bgp_mwu_servers: suesskartoffel: ipv4: 10.37.1.4 ipv6: fd37:b4dc:4b1e::a25:104 + +legacy_gateways: + - ingwer + - lotuswurzel + - spinat diff --git a/roles/git-repos/vars/main.yml b/roles/git-repos/vars/main.yml index 432e906..57b5cad 100644 --- a/roles/git-repos/vars/main.yml +++ b/roles/git-repos/vars/main.yml @@ -2,7 +2,7 @@ common_repos: backend-scripts: repo_url: https://github.com/freifunk-mwu/backend-scripts.git - version: drop-photon + version: ansible icvpn-meta: repo_url: https://github.com/freifunk/icvpn-meta.git version: master diff --git a/roles/server-basic/tasks/main.yml b/roles/server-basic/tasks/main.yml index 3c186b9..1de5f78 100644 --- a/roles/server-basic/tasks/main.yml +++ b/roles/server-basic/tasks/main.yml 
@@ -13,3 +13,11 @@ - name: set timezone to Europe/Berlin timezone: name: Europe/Berlin + +- name: create ffmwu custom config dir + file: + path: /home/admin/.config + state: directory + owner: admin + group: admin + mode: 0750 diff --git a/roles/service-fastd-mesh/tasks/main.yml b/roles/service-fastd-mesh/tasks/main.yml index 237652c..2c2376d 100644 --- a/roles/service-fastd-mesh/tasks/main.yml +++ b/roles/service-fastd-mesh/tasks/main.yml @@ -112,6 +112,14 @@ mode: 0644 notify: reload systemd +- name: write configuration for fastd-peer-limit-update script + template: + src: fastd_peer_limit_config.yaml.j2 + dest: /home/admin/.config/fastd_peer_limit_config.yaml + owner: admin + group: admin + mode: 0644 + - name: write systemd unit fastd-peer-limit-update.service template: src: fastd-peer-limit-update.service.j2 diff --git a/roles/service-fastd-mesh/templates/fastd_peer_limit_config.yaml.j2 b/roles/service-fastd-mesh/templates/fastd_peer_limit_config.yaml.j2 new file mode 100644 index 0000000..c5a5c17 --- /dev/null +++ b/roles/service-fastd-mesh/templates/fastd_peer_limit_config.yaml.j2 @@ -0,0 +1,26 @@ +# +# {{ ansible_managed }} +# +ansible_gate: True +additional: 8 +fastd_instances: +{% for mesh in meshes %} +{% for instance in mesh.fastd.nodes.instances %} + - {{ mesh.id }}VPN-{{ instance.mtu }} +{% endfor %} +{% endfor %} +cronlog: '/home/admin/.cronlog/limit.%s.log' +fastd_config: '/etc/fastd/%s/peer_limit.conf' +fastd_status: '/usr/local/bin/fastd-status' +gateways: +{% for gateway in groups['ffmwu-gateways'] %} + - {{ gateway.rstrip('.freifunk-mwu.de') }} +{% endfor %} +{% for gateway in legacy_gateways %} + - {{ gateway }} +{% endfor %} +restart_max: 43200 +stat: 'fastd_status.json' +stat_ext: 'http://%s.freifunk-mwu.de/%s' +stat_local: '/var/www/html/%s' +timeout: 900 diff --git a/roles/service-fastd/files/fastd-status b/roles/service-fastd/files/fastd-status new file mode 100644 index 0000000..286b026 --- /dev/null 
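Review bot: `gateway.rstrip('.freifunk-mwu.de')` in the `gateways:` loop does not strip a suffix — Python's `str.rstrip` removes any trailing characters drawn from the given set, so a hostname whose short name ends in one of the letters of `.freifunk-mwud` loses those too (e.g. `ingwer.freifunk-mwu.de` would render as `ing`). Use a suffix-aware expression: `- {{ gateway | regex_replace('\\.freifunk-mwu\\.de$', '') }}`, or `{{ gateway.split('.')[0] }}` if the short hostname is always the first label. `ansible_gate: True` would be `true` in canonical YAML, and `stat_ext` fetches peer status over plain `http://`, which is worth a comment if the consumer treats that data as trusted.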
+++ b/roles/service-fastd/files/fastd-status @@ -0,0 +1,17 @@ +#!/usr/bin/perl -w + +use strict; + +use IO::Socket::UNIX qw( SOCK_STREAM ); + +$ARGV[0] or die("Usage: fastd-status \n"); + +my $socket = IO::Socket::UNIX->new( + Type => SOCK_STREAM, + Peer => $ARGV[0], +) + or die("Can't connect to server: $!\n"); + +foreach my $line (<$socket>) { + print $line; +} diff --git a/roles/service-fastd/tasks/main.yml b/roles/service-fastd/tasks/main.yml index 7d731fb..dcd65ad 100644 --- a/roles/service-fastd/tasks/main.yml +++ b/roles/service-fastd/tasks/main.yml @@ -20,3 +20,11 @@ group: root mode: 0644 notify: reload systemd + +- name: copy fastd status script + copy: + src: fastd-status + dest: /usr/local/bin/fastd-status + owner: root + group: root + mode: 0755 From c6a15b38c244fc9e40e13336bd1698fe43130a1d Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Mon, 6 Nov 2017 20:49:58 +0100 Subject: [PATCH 084/106] Update Readme.md --- Readme.md | 220 ++++++++++++++++++++++++++++-------------------------- 1 file changed, 113 insertions(+), 107 deletions(-) diff --git a/Readme.md b/Readme.md index 41a06c6..e53c30e 100644 --- a/Readme.md +++ b/Readme.md 
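Review bot: `foreach my $line (<$socket>)` evaluates the readline in list context, so the whole status response is buffered before the first byte is printed; `while (my $line = <$socket>) { print $line; }` streams it and uses less memory for a large peer list. The usage string on the `die` line appears to have lost its argument placeholder (`Usage: fastd-status <socket-path>`), though that may be an artefact of how this patch was rendered. `-w` on the shebang works, but `use warnings;` next to `use strict;` is the lexical form preferred in modern Perl.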
@@ -24,116 +24,122 @@ Voraussetzungen für die Control Machine: Die Server werden mit ihren FQDNs im Ansible Inventory hinterlegt, bedenkt das für eure ssh-config. -## Variablen für jedes Mesh +## Gruppen-Variablen +Viele Variablen sind Mesh-spezifisch und werden auf allen Gateways benötigt. Deshalb verwalten wir die Liste `meshes`. Jeder Listeneintrag ist ein Dictionary. Diese Liste befindet sich in der Sondergruppe `all` (inventory/group_vars/all) und steht damit allen Hosts im Inventory zur Verfügung. +Diese Liste ist quasi das Herzstück zur Konfiguration der Mesh-spezifischen Parameter auf den Freifunk-Gateways. Jedes Dictionary repräsentiert eine Mesh-Wolke/Domain/Layer2-Netzwerk und ist wie folgt aufgebaut (Beispiel Mainz): -Viele Rollen brauchen spezifische Informationen, wie IP-Adresse, Masken, Interface-Namen, etc. -Wir verwalten diese Mesh-Informationen in einer Liste von Dictionaries unter `inventory/group_vars/all`: +|Name|Type|Value|Format|Comment| +|----|----|-----|------|-------| +|id |Variable|mz|string|Zum Teil werden Interface-Namen davon abgeleitet, z.B. 
`mzBR` oder `mzBAT`| +|site_number|Variable|37|integer|Fließt in IP-Adress-Berechnung ein| +|site_code|Variable|ffmz|string|| +|site_name|Variable|Mainz|string|| +|ipv4_network|Variable|10.37.0.0/18|string; Network/Prefix|| +|ipv6_ula|List|- fd37:b4dc:4b1e::/48|string; Network/Prefix|| +|ipv6_public|List|- 2a03:2260:11a::/48|string; Network/Prefix|| +|dnssl|List|- ffmz.org|string|DNS Search List (dhcp/radvd)| +|batman|Dictionary|||| +|batman.it|Key|10000|integer|| +|batman.gw|Key|server 96mbit/96mbit|string|| +|batman.mm|Key|0|boolean|| +|batman.dat|Key|0|boolean|| +|batman.hop_penalty|Key|60|integer|| +|radvd|Dictionary|||| +|radvd.maxrtradvinterval|Key|900|integer|| +|radvd.advvalidlifetime|Key|864000|integer|| +|radvd.advpreferredlifetime|Key|172800|integer|| +|iface_mtu|Variable|1350|integer|Client MTU| +|fastd|Dictionary|||| +|fastd.nodes|Dictionary|||| +|fastd.nodes.instances|List|||Jeder Listeneintrag ist ein Dictionary; Instanzen für Node-Kommunikation| +|fastd.nodes.instances[x].id|Key|0|integer|| +|fastd.nodes.instances[x].mtu|Key|1406|integer|| +|fastd.nodes.instances[x].peers|Dictionary|||| +|fastd.nodes.instances[x].peers.repo|Key|https://github.com/freifunk-mwu/peers-ffmz.git|URL|| +|fastd.nodes.instances[x].peers.version|Key|master|string|| +|fastd.intragate|Dictionary|||| +|fastd.intragate.instances|List|||Jeder Listeneintrag ist ein Dictionary; Instanzen für Intragate-Kommunikation| +|fastd.intragate.instances[x].id|Key|0|integer|| +|fastd.intragate.instances[x].mtu|Key|1406|integer|| +|fastd.intragate.instances[x].peers|Dictionary|||| +|fastd.intragate.instances[x].peers.repo|Key|https://github.com/freifunk-mwu/peers-ffmz.git|URL|| +|fastd.intragate.instances[x].peers.version|Key|master|string|| +|dns|Dictionary|||| +|dns.master|Key|fd37:b4dc:4b1e::a25:103|string; IP-Adresse|DNS-Master IP| +|dns.forward_zones|List|||| +|dns.forward_zones[x].name|Key|ffmz.org|string|| +|dns.forward_zones[x].master|Key|fd37:b4dc:4b1e::a25:10c|string; 
IP-Adresse|Optional - überschreibt dns.master| +|http_domain_internal|Variable|ffmz.org|string|Haupt-Domain für HTTP-Server(intern)| +|http_domain_external|Variable|freifunk-mainz.de|string|Haupt-Domain für HTTP-Server(extern)|| -``` -meshes: - - id: mz - site_number: 37 - site_code: ffmz - site_name: Mainz - ipv4_network: 10.37.0.0/18 - ipv6_ula: - - fd37:b4dc:4b1e::/48 - ipv6_public: - - 2a03:2260:11a::/48 - dnssl: - - ffmz.org - - user.ffmz.org - batman: - it: 10000 - gw: server 96mbit/96mbit - mm: 0 - dat: 0 - hop_penalty: 60 - radvd: - maxrtradvinterval: 900 - advvalidlifetime: 864000 - advpreferredlifetime: 172800 - iface_mtu: 1350 - fastd: - nodes: - instances: - - id: 0 - mtu: 1406 - peers: - repo: https://github.com/freifunk-mwu/peers-ffmz.git - version: master - - id: 1 - mtu: 1312 - peers: - repo: https://github.com/freifunk-mwu/peers-ffmz.git - version: master - intragate: - instances: - - id: 0 - mtu: 1406 - peers: - repo: https://github.com/freifunk-mwu/ffmz-infrastructure-peers.git - version: master - dns: - master: fd37:b4dc:4b1e::a25:103 - forward_zones: - - name: ffmz.org - - name: user.ffmz.org - - name: bb.ffmz.org - - name: nodes.ffmz.org - - name: ffbin - master: fd37:b4dc:4b1e::a25:10c +Weitere Gruppen-Variablen: - - id: wi - site_number: 56 - site_code: ffwi - site_name: Wiesbaden - ipv4_network: 10.56.0.0/18 - ipv6_ula: - - fd56:b4dc:4b1e::/48 - ipv6_public: - - 2a03:2260:11b::/48 - dnssl: - - ffwi.org - - user.ffwi.org - batman: - it: 10000 - gw: server 96mbit/96mbit - mm: 0 - dat: 0 - hop_penalty: 60 - radvd: - maxrtradvinterval: 900 - advvalidlifetime: 864000 - iface_mtu: 1350 - fastd: - nodes: - instances: - - id: 0 - mtu: 1406 - peers: - repo: https://github.com/freifunk-mwu/peers-ffwi.git - version: master - - id: 1 - mtu: 1312 - peers: - repo: https://github.com/freifunk-mwu/peers-ffwi.git - version: master - intragate: - instances: - - id: 0 - mtu: 1406 - peers: - repo: https://github.com/freifunk-mwu/ffwi-infrastructure-peers.git - 
version: master - dns: - master: fd56:b4dc:4b1e::a38:103 - forward_zones: - - name: ffwi.org - - name: user.ffwi.org - - name: bb.ffwi.org - - name: nodes.ffwi.org -``` +|Name|Type|Value|Format|Comment| +|----|----|-----|------|-------| +|as_private_mwu|Variable|65037|integer|Privates AS von Freifunk MWU| +|as_public_ffrl|Variable|201701|integer|Public AS von Freifunk Rheinland| +|internet_exit_tcp_mss_ipv4|Variable|1240|integer|IPv4 TCP MSS| +|internet_exit_tcp_mss_ipv6|Variable|1220|integer|IPv6 TCP MSS| +|routing_tables|Dictionary|||| +|routing_tables.icvpn|Key|23|integer|| +|routing_tables.mwu|Key|41|integer|| +|routing_tables.internet|Key|61|integer|| +|icvpn_ipv4_transfer_net|Variable|10.207.0.0/16|string; Network/Prefix|ICVPN IPv4 Transfernetz| +|icvpn_ipv6_transfer_net|Variable|fec0::a:cf:0:0/96|string; Network/Prefix|ICVPN IPv6 Transfernetz| +|bgp_loopback_net|Variable|10.37.0.0/18|string; Network/Prefix|MWU Loopback Netz für dynamisches Routing| +|bgp_ipv4_transfer_net|Variable|10.37.0.0/18|string; Network/Prefix|MWU IPv4 Transfernetz für dynamisches Routing| +|bgp_ipv6_transfer_net|Variable|fd37:b4dc:4b1e::/64|string; Network/Prefix|MWU IPv6 Transfernetz für dynamisches Routing| +|http_domain_internal|Variable|ffmwu.org|string|Haupt-Domain für HTTP-Server(intern)| +|http_domain_external|Variable|freifunk-mwu.de|string|Haupt-Domain für HTTP-Server(extern)| +|icvpn|Dictionary|||ICVPN Informationen| +|icvpn.prefix|Key|mwu|string|Prefix für MWU Gateways, z.B. 
`mwu7` für Spinat| +|icvpn.interface|Key|icVPN|string|Name für ICVPN Interface + tinc Instanz| +|icvpn.icvpn_repo|Key|https://github.com/freifunk/icvpn|string|URL zum freifunk/icvpn Repository| +|bgp_mwu_servers|Dictionary|||Enthält pro BGP MWU peer ein Dictionary - IP-Adressen aus bgp_ipvX_transfer_net| +|bgp_mwu_servers.spinat|Dictionary|||| +|bgp_mwu_servers.spinat.ipv4|Variable|10.37.0.7|string - IPv4-Adresse|| +|bgp_mwu_server.spinat.ipv6|Variable|fd37:b4dc:4b1e::a25:7|string - IPv6-Adresse|| + + +## Host-Variablen +Alle Server- bzw. Gateway-spezifischen Parameter werden als Host-Variablen abgebildet: + +|Name|Type|Value|Format|Comment| +|----|----|-----|------|-------| +|magic|Variable|7|integer|Muss eindeutig unter allen Servern sein| +|ipv4_dhcp_range|Variable|6|integer|Wenn man das Mesh-Netz (/18) in /22er-Subnetze unterteilt und durchnummeriert, ist der Wert hier die Nummer des zu verwendenden /22er Subnetzes zwecks DHCP-Adress-Vergabe| +|ffrl_public_ipv4_nat|Variable|185.66.195.32/32|IP/Prefix|Öffentliche IPv4-NAT-Adresse| +|ffrl_exit_server|Dictionary|||Enthält pro FFRL Tunnel ein Dictionary| +|ffrl_exit_server.ffrl-a-ak-ber|Dictionary|||Name = Interface| +|ffrl_exit_server.ffrl-a-ak-ber.public_ipv4_address|Key|185.66.195.0|IP-Adresse|IP-Adresse der Tunnel-Gegenstelle| +|ffrl_exit_server.ffrl-a-ak-ber.tunnel_ipv4_network|Key|100.64.2.226/31|Network/Prefix|Internes IPv4-Tunnel-Subnetz| +|ffrl_exit_server.ffrl-a-ak-ber.tunnel_ipv6_network|Key|2a03:2260:0:17b::/64|Network/Prefix|Internes IPv6-Tunnel-Subnetz| +|ffrl_exit_server.ffrl-b-ak-ber|Dictionary|||Name = Interface| +|ffrl_exit_server.ffrl-b-ak-ber.public_ipv4_address|Key|185.66.195.1|IP-Adresse|IP-Adresse der Tunnel-Gegenstelle| +|ffrl_exit_server.ffrl-b-ak-ber.tunnel_ipv4_network|Key|100.64.2.228/31|Network/Prefix|Internes IPv4-Tunnel-Subnetz| +|ffrl_exit_server.ffrl-b-ak-ber.tunnel_ipv6_network|Key|2a03:2260:0:17c::/64|Network/Prefix|Internes IPv6-Tunnel-Subnetz| 
+|ffrl_exit_server.ffrl-a-ix-dus|Dictionary|||Name = Interface| +|ffrl_exit_server.ffrl-a-ix-dus.public_ipv4_address|Key|185.66.193.0|IP-Adresse|IP-Adresse der Tunnel-Gegenstelle| +|ffrl_exit_server.ffrl-a-ix-dus.tunnel_ipv4_network|Key|100.64.2.230/31|Network/Prefix|Internes IPv4-Tunnel-Subnetz| +|ffrl_exit_server.ffrl-a-ix-dus.tunnel_ipv6_network|Key|2a03:2260:0:17d::/64|Network/Prefix|Internes IPv6-Tunnel-Subnetz| +|ffrl_exit_server.ffrl-b-ix-dus|Dictionary|||Name = Interface| +|ffrl_exit_server.ffrl-b-ix-dus.public_ipv4_address|Key|185.66.193.1|IP-Adresse|IP-Adresse der Tunnel-Gegenstelle| +|ffrl_exit_server.ffrl-b-ix-dus.tunnel_ipv4_network|Key|100.64.2.232/31|Network/Prefix|Internes IPv4-Tunnel-Subnetz| +|ffrl_exit_server.ffrl-b-ix-dus.tunnel_ipv6_network|Key|2a03:2260:0:17e::/64|Network/Prefix|Internes IPv6-Tunnel-Subnetz| +|ffrl_exit_server.ffrl-a-fra2-fra|Dictionary|||Name = Interface| +|ffrl_exit_server.ffrl-a-fra2-fra.public_ipv4_address|Key|185.66.194.0|IP-Adresse|IP-Adresse der Tunnel-Gegenstelle| +|ffrl_exit_server.ffrl-a-fra2-fra.tunnel_ipv4_network|Key|100.64.0.186/31|Network/Prefix|Internes IPv4-Tunnel-Subnetz| +|ffrl_exit_server.ffrl-a-fra2-fra.tunnel_ipv6_network|Key|2a03:2260:0:63::/64|Network/Prefix|Internes IPv6-Tunnel-Subnetz| +|ffrl_exit_server.ffrl-b-fra2-fra|Dictionary|||Name = Interface| +|ffrl_exit_server.ffrl-b-fra2-fra.public_ipv4_address|Key|185.66.194.1|IP-Adresse|IP-Adresse der Tunnel-Gegenstelle| +|ffrl_exit_server.ffrl-b-fra2-fra.tunnel_ipv4_network|Key|100.64.0.188/31|Network/Prefix|Internes IPv4-Tunnel-Subnetz| +|ffrl_exit_server.ffrl-b-fra2-fra.tunnel_ipv6_network|Key|2a03:2260:0:64::/64|Network/Prefix|Internes IPv6-Tunnel-Subnetz| +|fastd_secrets|Dictionary|||Ein Eintrag pro fastd-Interface mit passwordstore lookup zum pass-Pfad| +|fastd_secrets.mzVPN|Key|"{{ lookup('passwordstore', 'fastd/mzVPN/spinat subkey=secret') }}"||| +|fastd_secrets.wiVPN|Key|"{{ lookup('passwordstore', 'fastd/wiVPN/spinat subkey=secret') }}"||| 
+|fastd_secrets.mzigVPN|Key|"{{ lookup('passwordstore', 'fastd/mzVPN/spinat subkey=secret') }}"||| +|fastd_secrets.wiigVPN|Key|"{{ lookup('passwordstore', 'fastd/wiVPN/spinat subkey=secret') }}"||| +|tinc_private_key|Variable|"{{ lookup('passwordstore', 'tinc/icVPN/spinat_private returnall=true') }}"||Passwordstore lookup zum pass-Pfad| ## Sensible Informationen From fc04651e8b07eeca3df63ad4d116284f276b5e31 Mon Sep 17 00:00:00 2001 
From: Tobias Hachmer Date: Mon, 6 Nov 2017 21:24:56 +0100 Subject: [PATCH 085/106] Lowercase all network interface names --- Readme.md | 24 +++++++++---------- inventory/group_vars/all | 2 +- roles/handlers/handlers/main.yml | 4 ++-- roles/network-batman/README.md | 2 +- roles/network-batman/tasks/main.yml | 2 +- roles/network-batman/templates/batman.j2 | 6 ++--- roles/network-fastd/README.md | 8 +++---- roles/network-fastd/tasks/main.yml | 4 ++-- .../templates/fastd-intragate.j2 | 4 ++-- roles/network-fastd/templates/fastd-mesh.j2 | 4 ++-- .../templates/rules.v4.j2 | 2 +- .../templates/rules.v6.j2 | 2 +- roles/network-meshbridge/README.md | 2 +- roles/network-meshbridge/tasks/main.yml | 4 ++-- roles/network-meshbridge/templates/bridge.j2 | 6 ++--- roles/network-meshbridge/templates/sysfs.j2 | 2 +- .../templates/ffmwu-add-ip-rules.sh.j2 | 22 ++++++++--------- .../templates/ffmwu-add-static-routes.sh.j2 | 8 +++---- .../templates/ffmwu-del-ip-rules.sh.j2 | 22 ++++++++--------- .../templates/ffmwu-del-static-routes.sh.j2 | 8 +++---- roles/service-bird/templates/bird.conf.j2 | 2 +- roles/service-bird/templates/bird6.conf.j2 | 2 +- roles/service-dhcpd/tasks/main.yml | 2 +- roles/service-fastd-intragate/README.md | 6 ++--- roles/service-fastd-intragate/tasks/main.yml | 12 +++++----- .../templates/fastd-intragate.conf.j2 | 8 +++---- .../templates/fastd-secret.conf.j2 | 2 +- roles/service-fastd-mesh/README.md | 8 +++---- roles/service-fastd-mesh/tasks/main.yml | 20 ++++++++-------- .../templates/fastd-mesh.conf.j2 | 8 +++---- .../templates/fastd-secret.conf.j2 | 2 +- .../templates/fastd_peer_limit_config.yaml.j2 | 2 +- roles/service-radvd/templates/radvd.conf.j2 | 2 +- .../templates/respondd.service.j2 | 2 +- roles/service-tinc/README.md | 8 +++---- 35 files changed, 112 insertions(+), 112 deletions(-) diff --git a/Readme.md b/Readme.md index e53c30e..a23e4f9 100644 --- a/Readme.md +++ b/Readme.md 
@@ -30,7 +30,7 @@ Diese Liste ist quasi das Herzstück zur Konfiguration der Mesh-spezifischen Par |Name|Type|Value|Format|Comment| |----|----|-----|------|-------| -|id |Variable|mz|string|Zum Teil werden Interface-Namen davon abgeleitet, z.B. `mzBR` oder `mzBAT`| +|id |Variable|mz|string|Zum Teil werden Interface-Namen davon abgeleitet, z.B. `mzbr` oder `mzbat`| |site_number|Variable|37|integer|Fließt in IP-Adress-Berechnung ein| |site_code|Variable|ffmz|string|| |site_name|Variable|Mainz|string|| @@ -93,7 +93,7 @@ Weitere Gruppen-Variablen: |http_domain_external|Variable|freifunk-mwu.de|string|Haupt-Domain für HTTP-Server(extern)| |icvpn|Dictionary|||ICVPN Informationen| |icvpn.prefix|Key|mwu|string|Prefix für MWU Gateways, z.B. `mwu7` für Spinat| -|icvpn.interface|Key|icVPN|string|Name für ICVPN Interface + tinc Instanz| +|icvpn.interface|Key|icvpn|string|Name für ICVPN Interface + tinc Instanz| |icvpn.icvpn_repo|Key|https://github.com/freifunk/icvpn|string|URL zum freifunk/icvpn Repository| |bgp_mwu_servers|Dictionary|||Enthält pro BGP MWU peer ein Dictionary - IP-Adressen aus bgp_ipvX_transfer_net| |bgp_mwu_servers.spinat|Dictionary|||| 
@@ -135,11 +135,11 @@ Alle Server- bzw. Gateway-spezifischen Parameter werden als Host-Variablen abgeb |ffrl_exit_server.ffrl-b-fra2-fra.tunnel_ipv4_network|Key|100.64.0.188/31|Network/Prefix|Internes IPv4-Tunnel-Subnetz| |ffrl_exit_server.ffrl-b-fra2-fra.tunnel_ipv6_network|Key|2a03:2260:0:64::/64|Network/Prefix|Internes IPv6-Tunnel-Subnetz| |fastd_secrets|Dictionary|||Ein Eintrag pro fastd-Interface mit passwordstore lookup zum pass-Pfad| -|fastd_secrets.mzVPN|Key|"{{ lookup('passwordstore', 'fastd/mzVPN/spinat subkey=secret') }}"||| -|fastd_secrets.wiVPN|Key|"{{ lookup('passwordstore', 'fastd/wiVPN/spinat subkey=secret') }}"||| -|fastd_secrets.mzigVPN|Key|"{{ lookup('passwordstore', 'fastd/mzVPN/spinat subkey=secret') }}"||| -|fastd_secrets.wiigVPN|Key|"{{ lookup('passwordstore', 'fastd/wiVPN/spinat subkey=secret') }}"||| -|tinc_private_key|Variable|"{{ lookup('passwordstore', 'tinc/icVPN/spinat_private returnall=true') }}"||Passwordstore lookup zum pass-Pfad| +|fastd_secrets.mzvpn|Key|"{{ lookup('passwordstore', 'fastd/mzvpn/spinat subkey=secret') }}"||| +|fastd_secrets.wivpn|Key|"{{ lookup('passwordstore', 'fastd/wivpn/spinat subkey=secret') }}"||| +|fastd_secrets.mzigvpn|Key|"{{ lookup('passwordstore', 'fastd/mzvpn/spinat subkey=secret') }}"||| +|fastd_secrets.wiigvpn|Key|"{{ lookup('passwordstore', 'fastd/wivpn/spinat subkey=secret') }}"||| +|tinc_private_key|Variable|"{{ lookup('passwordstore', 'tinc/icvpn/spinat_private returnall=true') }}"||Passwordstore lookup zum pass-Pfad| ## Sensible Informationen 
@@ -196,13 +196,13 @@ ffrl_exit_server: # Pfade zu den fastd secrets im passwordstore fastd_secrets: - mzVPN: "{{ lookup('passwordstore', 'fastd/mzVPN/$Hostname subkey=secret') }}" - wiVPN: "{{ lookup('passwordstore', 'fastd/wiVPN/$Hostname subkey=secret') }}" - mzigVPN: "{{ lookup('passwordstore', 'fastd/mzVPN/$Hostname subkey=secret') }}" - wiigVPN: "{{ lookup('passwordstore', 'fastd/wiVPN/$Hostname subkey=secret') }}" + mzvpn: "{{ lookup('passwordstore', 'fastd/mzvpn/$Hostname subkey=secret') }}" + wivpn: "{{ lookup('passwordstore', 'fastd/wivpn/$Hostname subkey=secret') }}" + mzigvpn: "{{ lookup('passwordstore', 'fastd/mzvpn/$Hostname subkey=secret') }}" + wiigvpn: "{{ lookup('passwordstore', 'fastd/wivpn/$Hostname subkey=secret') }}" # Pfade zum tinc secret im passwordstore -tinc_private_key: "{{ lookup('passwordstore', 'tinc/icVPN/$hostname_private returnall=true') }}" +tinc_private_key: "{{ lookup('passwordstore', 'tinc/icvpn/$hostname_private returnall=true') }}" ``` - Neues Gateway aufsetzen per `ansible-playbook playbooks/gateways.yml` - Hierbei werden die definierten Rollen auch auf schon aufgesetzte Gateways angewandt, was unkritisch ist, weil wir unsere Rollen idempotent schreiben. diff --git a/inventory/group_vars/all b/inventory/group_vars/all index a1ccb15..a9fd666 100644 --- a/inventory/group_vars/all +++ b/inventory/group_vars/all @@ -130,7 +130,7 @@ meshes: icvpn: prefix: mwu - interface: icVPN + interface: icvpn icvpn_repo: https://github.com/freifunk/icvpn bgp_mwu_servers: diff --git a/roles/handlers/handlers/main.yml b/roles/handlers/handlers/main.yml index 5ca2b47..b0dd612 100644 --- a/roles/handlers/handlers/main.yml +++ b/roles/handlers/handlers/main.yml @@ -36,7 +36,7 @@ - name: restart fastd intragate instances systemd: - name: "fastd@{{ item.0.id }}igVPN-{{ item.1.mtu }}" + name: "fastd@{{ item.0.id }}igvpn-{{ item.1.mtu }}" state: restarted with_subelements: - "{{ meshes }}" 
@@ -44,7 +44,7 @@ - name: restart fastd mesh instances systemd: - name: "fastd@{{ item.0.id }}VPN-{{ item.1.mtu }}" + name: "fastd@{{ item.0.id }}vpn-{{ item.1.mtu }}" state: restarted with_subelements: - "{{ meshes }}" diff --git a/roles/network-batman/README.md b/roles/network-batman/README.md index 5b93e05..0e11f2d 100644 --- a/roles/network-batman/README.md +++ b/roles/network-batman/README.md @@ -43,4 +43,4 @@ meshes: Die MAC-Adressen der Interfaces werden aus dem IPv4-Subnetz sowie der `magic`-Nummer des Hosts berechnet. xx0-prefix: `02:00` -xxBAT-prefix: `02:01` +xxbat-prefix: `02:01` diff --git a/roles/network-batman/tasks/main.yml b/roles/network-batman/tasks/main.yml index de4e7e4..99f7477 100644 --- a/roles/network-batman/tasks/main.yml +++ b/roles/network-batman/tasks/main.yml @@ -9,7 +9,7 @@ - name: create batman interfaces template: src: batman.j2 - dest: "/etc/network/interfaces.d/{{ item.id }}BAT" + dest: "/etc/network/interfaces.d/{{ item.id }}bat" notify: reload network interfaces with_items: "{{ meshes }}" diff --git a/roles/network-batman/templates/batman.j2 b/roles/network-batman/templates/batman.j2 index 9c655cb..557af93 100644 --- a/roles/network-batman/templates/batman.j2 +++ b/roles/network-batman/templates/batman.j2 
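Review bot: Changing `dest` to `/etc/network/interfaces.d/{{ item.id }}bat` leaves the old `{{ item.id }}BAT` file untouched on gateways provisioned before this commit, so on those hosts ifupdown will presumably find two stanzas with the same hwaddress and batman-ifaces and try to bring both up; a `file` task with `state: absent` on the old `{{ item.id }}BAT` path (or a documented one-off cleanup) is needed before the rename is safe on existing hosts. The same gap applies to the renamed interface files in the roles/network-fastd and roles/network-meshbridge task hunks, to the `99-{{ item.id }}br.conf` sysfs file, and to the `fastd@…igvpn`/`fastd@…vpn` units the handlers in roles/handlers now address — the old unit instances keep running unless something stops and disables them. The enclosing task list continues outside the hunk.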
@@ -4,10 +4,10 @@ # # {{ ansible_managed }} # -auto {{ item.id }}BAT -iface {{ item.id }}BAT +auto {{ item.id }}bat +iface {{ item.id }}bat hwaddress {{ mac | hwaddr('linux') }} - batman-ifaces {{ item.id }}0 {% for instance in item.fastd.nodes.instances %}{{ item.id }}VPN-{{ instance.mtu }}{% if not loop.last %} {% endif %}{% endfor %} {% for instance in item.fastd.intragate.instances %}{{ item.id }}igVPN-{{ instance.mtu }}{% if not loop.last %} {% endif %}{% endfor %} + batman-ifaces {{ item.id }}0 {% for instance in item.fastd.nodes.instances %}{{ item.id }}vpn-{{ instance.mtu }}{% if not loop.last %} {% endif %}{% endfor %} {% for instance in item.fastd.intragate.instances %}{{ item.id }}igvpn-{{ instance.mtu }}{% if not loop.last %} {% endif %}{% endfor %} batman-hop-penalty {{ item.batman.hop_penalty }} post-up /usr/sbin/batctl -m $IFACE it {{ item.batman.it }} post-up /usr/sbin/batctl -m $IFACE gw {{ item.batman.gw }} diff --git a/roles/network-fastd/README.md b/roles/network-fastd/README.md index c18c1cd..10202a8 100644 --- a/roles/network-fastd/README.md +++ b/roles/network-fastd/README.md @@ -5,8 +5,8 @@ Diese Ansible role konfiguriert Netzwerk Interfaces für die definierten fastd I Es wird zwischen node- und intragate-Instanzen unterschieden. ## Interface-Benamung -Node-Interfaces: $mesh.id + VPN + '-' + $mesh.fastd.nodes.instances.xx.mtu, z.B. "mzVPN-1312" -Intragate-Interfaces: $mesh.id + 'ig' + VPN + '-' + $mesh.fastd.intragate.instances.xx.mtu, z.B. "mzigVPN-1312" +Node-Interfaces: $mesh.id + vpn + '-' + $mesh.fastd.nodes.instances.xx.mtu, z.B. "mzvpn-1312" +Intragate-Interfaces: $mesh.id + 'ig' + vpn + '-' + $mesh.fastd.intragate.instances.xx.mtu, z.B. "mzigvpn-1312" ## Benötigte Variablen 
@@ -36,5 +36,5 @@ meshes: Die MAC-Adressen der Interfaces werden aus dem IPv4-Subnetz sowie der `magic`-Nummer des Hosts berechnet. -xxVPN-$mtu prefix: `02:2x` # x = ID der fastd-Instanz -xxigVPN-$mtu prefix: `02:3x` # x = ID der fastd-Instanz +xxvpn-$mtu prefix: `02:2x` # x = ID der fastd-Instanz +xxigvpn-$mtu prefix: `02:3x` # x = ID der fastd-Instanz diff --git a/roles/network-fastd/tasks/main.yml b/roles/network-fastd/tasks/main.yml index 320a6c9..d82aede 100644 --- a/roles/network-fastd/tasks/main.yml +++ b/roles/network-fastd/tasks/main.yml @@ -2,7 +2,7 @@ - name: create fastd mesh interfaces template: src: fastd-mesh.j2 - dest: "/etc/network/interfaces.d/{{ item.0.id }}VPN-{{ item.1.mtu }}" + dest: "/etc/network/interfaces.d/{{ item.0.id }}vpn-{{ item.1.mtu }}" notify: reload network interfaces with_subelements: - "{{ meshes }}" @@ -11,7 +11,7 @@ - name: create fastd intragate interfaces template: src: fastd-intragate.j2 - dest: "/etc/network/interfaces.d/{{ item.0.id }}igVPN-{{ item.1.mtu }}" + dest: "/etc/network/interfaces.d/{{ item.0.id }}igvpn-{{ item.1.mtu }}" notify: reload network interfaces with_subelements: - "{{ meshes }}" diff --git a/roles/network-fastd/templates/fastd-intragate.j2 b/roles/network-fastd/templates/fastd-intragate.j2 index 9d049a2..aa5b4c1 100644 --- a/roles/network-fastd/templates/fastd-intragate.j2 +++ b/roles/network-fastd/templates/fastd-intragate.j2 @@ -3,6 +3,6 @@ # # {{ ansible_managed }} # -auto {{ item.0.id }}igVPN-{{ item.1.mtu }} -iface {{ item.0.id }}igVPN-{{ item.1.mtu }} +auto {{ item.0.id }}igvpn-{{ item.1.mtu }} +iface {{ item.0.id }}igvpn-{{ item.1.mtu }} hwaddress {{ mac | hwaddr('linux') }} diff --git a/roles/network-fastd/templates/fastd-mesh.j2 b/roles/network-fastd/templates/fastd-mesh.j2 index 207cd79..0e484fc 100644 --- a/roles/network-fastd/templates/fastd-mesh.j2 +++ b/roles/network-fastd/templates/fastd-mesh.j2 
@@ -3,6 +3,6 @@ # # {{ ansible_managed }} # -auto {{ item.0.id }}VPN-{{ item.1.mtu }} -iface {{ item.0.id }}VPN-{{ item.1.mtu }} +auto {{ item.0.id }}vpn-{{ item.1.mtu }} +iface {{ item.0.id }}vpn-{{ item.1.mtu }} hwaddress {{ mac | hwaddr('linux') }} diff --git a/roles/network-iptables-gateway/templates/rules.v4.j2 b/roles/network-iptables-gateway/templates/rules.v4.j2 index 6687696..4359b2b 100644 --- a/roles/network-iptables-gateway/templates/rules.v4.j2 +++ b/roles/network-iptables-gateway/templates/rules.v4.j2 @@ -9,7 +9,7 @@ -A INPUT -m conntrack --ctstate INVALID -j DROP -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT {% for mesh in meshes %} --A FORWARD -i {{ mesh.id }}BR -o {{ mesh.id }}BR -j ACCEPT +-A FORWARD -i {{ mesh.id }}br -o {{ mesh.id }}br -j ACCEPT {% endfor %} -A FORWARD -m conntrack --ctstate INVALID -j DROP -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT diff --git a/roles/network-iptables-gateway/templates/rules.v6.j2 b/roles/network-iptables-gateway/templates/rules.v6.j2 index fba66f1..f1644f9 100644 --- a/roles/network-iptables-gateway/templates/rules.v6.j2 +++ b/roles/network-iptables-gateway/templates/rules.v6.j2 @@ -8,7 +8,7 @@ -A INPUT -m conntrack --ctstate INVALID -j DROP -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT {% for mesh in meshes %} --A FORWARD -i {{ mesh.id }}BR -o {{ mesh.id }}BR -j ACCEPT +-A FORWARD -i {{ mesh.id }}br -o {{ mesh.id }}br -j ACCEPT {% endfor %} -A FORWARD -m conntrack --ctstate INVALID -j DROP -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT diff --git a/roles/network-meshbridge/README.md b/roles/network-meshbridge/README.md index deb0f30..ada7e95 100644 --- a/roles/network-meshbridge/README.md +++ b/roles/network-meshbridge/README.md @@ -27,4 +27,4 @@ meshes: Die MAC-Adressen der Interfaces werden aus dem IPv4-Subnetz sowie der `magic`-Nummer des Hosts berechnet. -xxBR-prefix: `02:10` +xxbr-prefix: `02:10` 
diff --git a/roles/network-meshbridge/tasks/main.yml b/roles/network-meshbridge/tasks/main.yml index 0ed113a..c1796d1 100644 --- a/roles/network-meshbridge/tasks/main.yml +++ b/roles/network-meshbridge/tasks/main.yml @@ -2,14 +2,14 @@ - name: create mesh bridges template: src: bridge.j2 - dest: "/etc/network/interfaces.d/{{ item.id }}BR" + dest: "/etc/network/interfaces.d/{{ item.id }}br" notify: reload network interfaces with_items: "{{ meshes }}" - name: set sysfs variables template: src: sysfs.j2 - dest: "/etc/sysfs.d/99-{{ item.id }}BR.conf" + dest: "/etc/sysfs.d/99-{{ item.id }}br.conf" with_items: "{{ meshes }}" notify: activate sysfs variables diff --git a/roles/network-meshbridge/templates/bridge.j2 b/roles/network-meshbridge/templates/bridge.j2 index dd6efae..984d3ac 100644 --- a/roles/network-meshbridge/templates/bridge.j2 +++ b/roles/network-meshbridge/templates/bridge.j2 @@ -3,8 +3,8 @@ # # {{ ansible_managed }} # -auto {{ item.id }}BR -iface {{ item.id }}BR +auto {{ item.id }}br +iface {{ item.id }}br hwaddress {{ mac | hwaddr('linux') }} address {{ item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('ip/prefix') }} {% for prefix in item.ipv6_ula %} @@ -13,4 +13,4 @@ iface {{ item.id }}BR {% for prefix in item.ipv6_public %} address {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('ip/prefix') }} {% endfor %} - bridge-ports {{ item.id }}BAT + bridge-ports {{ item.id }}bat diff --git a/roles/network-meshbridge/templates/sysfs.j2 b/roles/network-meshbridge/templates/sysfs.j2 index b092e3b..45f71ad 100644 --- a/roles/network-meshbridge/templates/sysfs.j2 +++ b/roles/network-meshbridge/templates/sysfs.j2 @@ -1,4 +1,4 @@ # # {{ ansible_managed }} # -class/net/{{ item.id }}BR/bridge/hash_max = 16384 +class/net/{{ item.id }}br/bridge/hash_max = 16384 diff --git a/roles/network-routing/templates/ffmwu-add-ip-rules.sh.j2 b/roles/network-routing/templates/ffmwu-add-ip-rules.sh.j2 index cd8e6a4..7dcee4f 100644 
--- a/roles/network-routing/templates/ffmwu-add-ip-rules.sh.j2 +++ b/roles/network-routing/templates/ffmwu-add-ip-rules.sh.j2 @@ -7,7 +7,7 @@ {% for mesh in meshes %} ip -4 rule add from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7 ip -4 rule add to {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7 -ip -4 rule add from all oif {{ mesh.id }}BR lookup mwu priority 7 +ip -4 rule add from all oif {{ mesh.id }}br lookup mwu priority 7 {% for ula in mesh.ipv6_ula %} ip -6 rule add from {{ ula }} lookup mwu priority 7 ip -6 rule add to {{ ula }} lookup mwu priority 7 @@ -16,14 +16,14 @@ ip -6 rule add to {{ ula }} lookup mwu priority 7 ip -6 rule add from {{ public }} lookup mwu priority 7 ip -6 rule add to {{ public }} lookup mwu priority 7 {% endfor %} -ip -6 rule add from all oif {{ mesh.id }}BR lookup mwu priority 7 +ip -6 rule add from all oif {{ mesh.id }}br lookup mwu priority 7 {% endfor %} # Priority 23 - lookup rt_table icvpn for all incoming traffic of freifunk bridges {% for mesh in meshes %} ip -4 rule add from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23 ip -4 rule add to {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23 -ip -4 rule add from all oif {{ mesh.id }}BR lookup icvpn priority 23 +ip -4 rule add from all oif {{ mesh.id }}br lookup icvpn priority 23 {% for ula in mesh.ipv6_ula %} ip -6 rule add from {{ ula }} lookup icvpn priority 23 ip -6 rule add to {{ ula }} lookup icvpn priority 23 
@@ -32,10 +32,10 @@ ip -6 rule add to {{ ula }} lookup icvpn priority 23 ip -6 rule add from {{ public }} lookup icvpn priority 23 ip -6 rule add to {{ public }} lookup icvpn priority 23 {% endfor %} -ip -6 rule add from all oif {{ mesh.id }}BR lookup icvpn priority 23 +ip -6 rule add from all oif {{ mesh.id }}br lookup icvpn priority 23 {% endfor %} -ip -4 rule add from all oif icVPN lookup icvpn priority 23 -ip -6 rule add from all oif icVPN lookup icvpn priority 23 +ip -4 rule add from all oif icvpn lookup icvpn priority 23 +ip -6 rule add from all oif icvpn lookup icvpn priority 23 # Priority 41 - lookup rt_table internet for all incoming traffic of freifunk bridges {% for mesh in meshes %} 
@@ -48,23 +48,23 @@ ip -6 rule add to {{ ula }} lookup internet priority 41 ip -6 rule add from {{ public }} lookup internet priority 41 ip -6 rule add to {{ public }} lookup internet priority 41 {% endfor %} -ip -6 rule add from all oif {{ mesh.id }}BR lookup internet priority 41 +ip -6 rule add from all oif {{ mesh.id }}br lookup internet priority 41 {% endfor %} ip -4 rule add from {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41 ip -4 rule add to {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41 # Priority 61 - at this point this is the end of policy routing for freifunk related routes {% for mesh in meshes %} -ip -4 rule add from all iif {{ mesh.id }}BR type unreachable priority 61 -ip -6 rule add from all iif {{ mesh.id }}BR type unreachable priority 61 +ip -4 rule add from all iif {{ mesh.id }}br type unreachable priority 61 +ip -6 rule add from all iif {{ mesh.id }}br type unreachable priority 61 {% endfor %} -ip -4 rule add from all iif icVPN type unreachable priority 61 +ip -4 rule add from all iif icvpn type unreachable priority 61 ip -4 rule add from all iif {{ ansible_default_ipv4.interface }} type unreachable priority 61 {% for server_id, server_value in ffrl_exit_server.iteritems() %} ip -4 rule add from all iif {{ server_id }} type unreachable priority 61 ip -6 rule add from all iif {{ server_id }} type unreachable priority 61 {% endfor %} -ip -6 rule add from all iif icVPN type unreachable priority 61 +ip -6 rule add from all iif icvpn type unreachable priority 61 ip -6 rule add from all iif {{ ansible_default_ipv6.interface }} type unreachable priority 61 {% for mesh in meshes %} {% for public in mesh.ipv6_public %} diff --git a/roles/network-routing/templates/ffmwu-add-static-routes.sh.j2 b/roles/network-routing/templates/ffmwu-add-static-routes.sh.j2 index b5bc7d8..07834e8 100644 --- a/roles/network-routing/templates/ffmwu-add-static-routes.sh.j2 
+++ b/roles/network-routing/templates/ffmwu-add-static-routes.sh.j2 @@ -5,13 +5,13 @@ {% for mesh in meshes %} # static {{ mesh.site_name }} routes for rt_table mwu -/sbin/ip -4 route add {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}BR table mwu +/sbin/ip -4 route add {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}br table mwu {% for ula in mesh.ipv6_ula %} -/sbin/ip -6 route add {{ ula | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}BR table mwu +/sbin/ip -6 route add {{ ula | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}br table mwu {% endfor %} {% for public in mesh.ipv6_public %} -/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}BR table mwu -/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(56, magic) | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}BR table mwu +/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}br table mwu +/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(56, magic) | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}br table mwu {% endfor %} {% if not loop.last %} diff --git a/roles/network-routing/templates/ffmwu-del-ip-rules.sh.j2 b/roles/network-routing/templates/ffmwu-del-ip-rules.sh.j2 index 24a77f3..8fcfd36 100644 --- a/roles/network-routing/templates/ffmwu-del-ip-rules.sh.j2 +++ b/roles/network-routing/templates/ffmwu-del-ip-rules.sh.j2 
@@ -7,7 +7,7 @@
 {% for mesh in meshes %}
 ip -4 rule del from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
 ip -4 rule del to {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
-ip -4 rule del from all oif {{ mesh.id }}BR lookup mwu priority 7
+ip -4 rule del from all oif {{ mesh.id }}br lookup mwu priority 7
 {% for ula in mesh.ipv6_ula %}
 ip -6 rule del from {{ ula }} lookup mwu priority 7
 ip -6 rule del to {{ ula }} lookup mwu priority 7
@@ -16,14 +16,14 @@ ip -6 rule del to {{ ula }} lookup mwu priority 7
 ip -6 rule del from {{ public }} lookup mwu priority 7
 ip -6 rule del to {{ public }} lookup mwu priority 7
 {% endfor %}
-ip -6 rule del from all oif {{ mesh.id }}BR lookup mwu priority 7
+ip -6 rule del from all oif {{ mesh.id }}br lookup mwu priority 7
 {% endfor %}
 # Priority 23 - lookup rt_table icvpn for all incoming traffic of freifunk bridges
 {% for mesh in meshes %}
 ip -4 rule del from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23
 ip -4 rule del to {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23
-ip -4 rule del from all oif {{ mesh.id }}BR lookup icvpn priority 23
+ip -4 rule del from all oif {{ mesh.id }}br lookup icvpn priority 23
 {% for ula in mesh.ipv6_ula %}
 ip -6 rule del from {{ ula }} lookup icvpn priority 23
 ip -6 rule del to {{ ula }} lookup icvpn priority 23
@@ -32,10 +32,10 @@ ip -6 rule del to {{ ula }} lookup icvpn priority 23
 ip -6 rule del from {{ public }} lookup icvpn priority 23
 ip -6 rule del to {{ public }} lookup icvpn priority 23
 {% endfor %}
-ip -6 rule del from all oif {{ mesh.id }}BR lookup icvpn priority 23
+ip -6 rule del from all oif {{ mesh.id }}br lookup icvpn priority 23
 {% endfor %}
-ip -4 rule del from all oif icVPN lookup icvpn priority 23
-ip -6 rule del from all oif icVPN lookup icvpn priority 23
+ip -4 rule del from all oif icvpn lookup icvpn priority 23
+ip -6 rule del from all oif icvpn lookup icvpn priority 23
 # Priority 41 - lookup rt_table internet for all incoming traffic of freifunk bridges
 {% for mesh in meshes %}
@@ -48,23 +48,23 @@ ip -6 rule del to {{ ula }} lookup internet priority 41
 ip -6 rule del from {{ public }} lookup internet priority 41
 ip -6 rule del to {{ public }} lookup internet priority 41
 {% endfor %}
-ip -6 rule del from all oif {{ mesh.id }}BR lookup internet priority 41
+ip -6 rule del from all oif {{ mesh.id }}br lookup internet priority 41
 {% endfor %}
 ip -4 rule del from {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41
 ip -4 rule del to {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41
 # Priority 61 - at this point this is the end of policy routing for freifunk related routes
 {% for mesh in meshes %}
-ip -4 rule del from all iif {{ mesh.id }}BR type unreachable priority 61
-ip -6 rule del from all iif {{ mesh.id }}BR type unreachable priority 61
+ip -4 rule del from all iif {{ mesh.id }}br type unreachable priority 61
+ip -6 rule del from all iif {{ mesh.id }}br type unreachable priority 61
 {% endfor %}
-ip -4 rule del from all iif icVPN type unreachable priority 61
+ip -4 rule del from all iif icvpn type unreachable priority 61
 ip -4 rule del from all iif {{ ansible_default_ipv4.interface }} type unreachable priority 61
 {% for server_id, server_value in ffrl_exit_server.iteritems() %}
 ip -4 rule del from all iif {{ server_id }} type unreachable priority 61
 ip -6 rule del from all iif {{ server_id }} type unreachable priority 61
 {% endfor %}
-ip -6 rule del from all iif icVPN type unreachable priority 61
+ip -6 rule del from all iif icvpn type unreachable priority 61
 ip -6 rule del from all iif {{ ansible_default_ipv6.interface }} type unreachable priority 61
 {% for mesh in meshes %}
 {% for public in mesh.ipv6_public %}
diff --git a/roles/network-routing/templates/ffmwu-del-static-routes.sh.j2 b/roles/network-routing/templates/ffmwu-del-static-routes.sh.j2
index b09e9cc..1a71a32 100644
--- a/roles/network-routing/templates/ffmwu-del-static-routes.sh.j2
+++ b/roles/network-routing/templates/ffmwu-del-static-routes.sh.j2
@@ -5,13 +5,13 @@
 {% for mesh in meshes %}
 # static {{ mesh.site_name }} routes for rt_table mwu
-/sbin/ip -4 route del {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}BR table mwu
+/sbin/ip -4 route del {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}br table mwu
 {% for ula in mesh.ipv6_ula %}
-/sbin/ip -6 route del {{ ula | ipaddr('net') | ipsubnet(64, 0) }} proto static dev {{ mesh.id }}BR table mwu
+/sbin/ip -6 route del {{ ula | ipaddr('net') | ipsubnet(64, 0) }} proto static dev {{ mesh.id }}br table mwu
 {% endfor %}
 {% for public in mesh.ipv6_public %}
-/sbin/ip -6 route del {{ public | ipaddr('net') | ipsubnet(64, 0) }} proto static dev {{ mesh.id }}BR table mwu
-/sbin/ip -6 route del {{ public | ipaddr('net') | ipsubnet(64, magic) }} proto static dev {{ mesh.id }}BR table mwu
+/sbin/ip -6 route del {{ public | ipaddr('net') | ipsubnet(64, 0) }} proto static dev {{ mesh.id }}br table mwu
+/sbin/ip -6 route del {{ public | ipaddr('net') | ipsubnet(64, magic) }} proto static dev {{ mesh.id }}br table mwu
 {% endfor %}
 {% if not loop.last %}
diff --git a/roles/service-bird/templates/bird.conf.j2 b/roles/service-bird/templates/bird.conf.j2
index 9f1faf6..ee231a1 100644
--- a/roles/service-bird/templates/bird.conf.j2
+++ b/roles/service-bird/templates/bird.conf.j2
@@ -51,7 +51,7 @@ protocol device {
 protocol direct mwu_subnets {
 {% for mesh in meshes %}
-  interface "{{ mesh.id }}BR";
+  interface "{{ mesh.id }}br";
 {% endfor %}
   import where is_mwu_self_nets();
 };
diff --git a/roles/service-bird/templates/bird6.conf.j2 b/roles/service-bird/templates/bird6.conf.j2
index d5988eb..650c0ce 100644
--- a/roles/service-bird/templates/bird6.conf.j2
+++ b/roles/service-bird/templates/bird6.conf.j2
@@ -40,7 +40,7 @@ protocol device {
 protocol direct mwu_subnets {
 {% for mesh in meshes %}
-  interface "{{ mesh.id }}BR";
+  interface "{{ mesh.id }}br";
 {% endfor %}
   import where is_mwu_self_nets();
 };
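Review bot: In the ffmwu-del-static-routes.sh.j2 hunk the rewritten second public-prefix line still removes a different route than its counterpart in ffmwu-add-static-routes.sh.j2 installs: the add template uses `public | ipaddr('net') | ipsubnet(56, magic) | ipsubnet(64, 0) | ipaddr('subnet')`, the del template uses `public | ipaddr('net') | ipsubnet(64, magic)`, which for any `magic` other than 0 is a different /64. Both lines were touched for the interface rename but the mismatch was left in place, so unless the two are meant to differ the del script leaves the added route in table mwu behind and its own `ip route del` fails on a route that was never added. The del line should presumably read `/sbin/ip -6 route del {{ public | ipaddr('net') | ipsubnet(56, magic) | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}br table mwu`. The enclosing `{% for mesh in meshes %}` loop opens before this hunk and closes after it.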
diff --git a/roles/service-dhcpd/tasks/main.yml b/roles/service-dhcpd/tasks/main.yml
index 42c5194..f4a82a1 100644
--- a/roles/service-dhcpd/tasks/main.yml
+++ b/roles/service-dhcpd/tasks/main.yml
@@ -6,7 +6,7 @@
 - name: concatenate meshbridge interfaces
   set_fact:
-    dhcp_interfaces: "{% for mesh in meshes %}{{ mesh.id }}BR{% if not loop.last %} {% endif %}{% endfor %}"
+    dhcp_interfaces: "{% for mesh in meshes %}{{ mesh.id }}br{% if not loop.last %} {% endif %}{% endfor %}"
 - name: set ipv4 interfaces isc dhcp should listen on
   lineinfile:
diff --git a/roles/service-fastd-intragate/README.md b/roles/service-fastd-intragate/README.md
index 399b8b1..016bbdb 100644
--- a/roles/service-fastd-intragate/README.md
+++ b/roles/service-fastd-intragate/README.md
@@ -2,7 +2,7 @@
 Diese Ansible role konfiguriert die fastd-Instanz für die Intra-Server Kommunikation.
-- konfiguriert xxigVPN-Instanzen
+- konfiguriert xxigvpn-Instanzen
 - stellt sicher, dass die Instanz-Verzeichnisse existieren
 - schreibt fastd.conf
 - schreibt secret.conf
@@ -31,8 +31,8 @@ meshes:
 - Dictionary `fastd_secrets` (Host-Variable)
 ´´´
 fastd_secrets:
-  mzigVPN: "{{ lookup('passwordstore', 'fastd/mzigVPN/sparegate4 subkey=secret') }}"
-  wiigVPN: "{{ lookup('passwordstore', 'fastd/wiigVPN/sparegate4 subkey=secret') }}"
+  mzigvpn: "{{ lookup('passwordstore', 'fastd/mzigvpn/sparegate4 subkey=secret') }}"
+  wiigvpn: "{{ lookup('passwordstore', 'fastd/wiigvpn/sparegate4 subkey=secret') }}"
 ...
 ´´´
diff --git a/roles/service-fastd-intragate/tasks/main.yml b/roles/service-fastd-intragate/tasks/main.yml
index d36a93e..d7bb227 100644
--- a/roles/service-fastd-intragate/tasks/main.yml
+++ b/roles/service-fastd-intragate/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
 - name: create fastd intragate directories
   file:
-    path: "/etc/fastd/{{ item.0.id }}igVPN-{{ item.1.mtu }}"
+    path: "/etc/fastd/{{ item.0.id }}igvpn-{{ item.1.mtu }}"
     state: directory
     mode: 0755
   with_subelements:
@@ -10,7 +10,7 @@
 - name: create fastd peer intragate directories
   file:
-    path: "/etc/fastd/{{ item.0.id }}igVPN-{{ item.1.mtu }}/peers"
+    path: "/etc/fastd/{{ item.0.id }}igvpn-{{ item.1.mtu }}/peers"
     state: directory
     mode: 0755
     owner: admin
@@ -22,7 +22,7 @@
 - name: clone fastd peer intragate repos
   git:
     repo: "{{ item.1.peers.repo }}"
-    dest: "/etc/fastd/{{ item.0.id }}igVPN-{{ item.1.mtu }}/peers"
+    dest: "/etc/fastd/{{ item.0.id }}igvpn-{{ item.1.mtu }}/peers"
     version: "{{ item.1.peers.version }}"
     update: no
   with_subelements:
@@ -33,7 +33,7 @@
 - name: template fastd mesh config
   template:
     src: fastd-intragate.conf.j2
-    dest: "/etc/fastd/{{ item.0.id }}igVPN-{{ item.1.mtu }}/fastd.conf"
+    dest: "/etc/fastd/{{ item.0.id }}igvpn-{{ item.1.mtu }}/fastd.conf"
   notify: restart fastd intragate instances
   with_subelements:
     - "{{ meshes }}"
@@ -42,7 +42,7 @@
 - name: write fastd intragate secret
   template:
     src: fastd-secret.conf.j2
-    dest: "/etc/fastd/{{ item.0.id }}igVPN-{{ item.1.mtu }}/secret.conf"
+    dest: "/etc/fastd/{{ item.0.id }}igvpn-{{ item.1.mtu }}/secret.conf"
   notify: restart fastd intragate instances
   with_subelements:
     - "{{ meshes }}"
@@ -50,7 +50,7 @@
 - name: configure systemd unit fastd@
   systemd:
-    name: "fastd@{{ item.0.id }}igVPN-{{ item.1.mtu }}"
+    name: "fastd@{{ item.0.id }}igvpn-{{ item.1.mtu }}"
     enabled: yes
     state: started
   with_subelements:
diff --git a/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 b/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2
index e1019c6..fa068ac 100644
--- a/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2
+++ b/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2
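Review bot: The `configure systemd unit fastd@` hunk only enables and starts the renamed `fastd@{{ item.0.id }}igvpn-{{ item.1.mtu }}` instance; nothing stops or disables the previously enabled `fastd@{{ item.0.id }}igVPN-{{ item.1.mtu }}` unit, and the old `/etc/fastd/{{ item.0.id }}igVPN-{{ item.1.mtu }}` tree created by the earlier tasks in this file (its `secret.conf` holding the instance key, plus the cloned peer repository) stays on disk on hosts provisioned before this change. Because the bind ports in fastd-intragate.conf.j2 are derived from `item.1.id` and `item.0.site_number`, which this series does not change, the old and new instances presumably contend for the same ports after the next reboot. Consider a migration task ahead of this one that stops and disables the old unit name and removes the old directory over the same subelements loop, or at least a task comment recording the manual cleanup; the same applies to the `configure systemd unit fastd@` hunk in roles/service-fastd-mesh/tasks/main.yml further down. The `with_subelements` list of this task continues past the hunk.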
@@ -9,7 +9,7 @@
 hide mac addresses yes;
 method "aes128-ctr+umac";
-interface "{{ item.0.id }}igVPN-{{ item.1.mtu }}";
+interface "{{ item.0.id }}igvpn-{{ item.1.mtu }}";
 bind {{ ansible_default_ipv4.address | ipaddr('public') }}:11{{ item.1.id }}{{ item.0.site_number }};
 bind {{ ansible_default_ipv6.address | ipaddr('public') | ipwrap }}:11{{ item.1.id }}{{ item.0.site_number }};
@@ -27,11 +27,11 @@ on up "
   ip link set address {{ mac | hwaddr('linux') }} dev $INTERFACE
   ip link set $INTERFACE up
-  batctl -m {{ item.0.id }}BAT if add $INTERFACE
+  batctl -m {{ item.0.id }}bat if add $INTERFACE
 ";
 on down "
-  batctl -m {{ item.0.id }}BAT if del $INTERFACE
+  batctl -m {{ item.0.id }}bat if del $INTERFACE
 ";
-status socket "/var/run/fastd-{{ item.0.id }}igVPN-{{ item.1.mtu }}.status";
+status socket "/var/run/fastd-{{ item.0.id }}igvpn-{{ item.1.mtu }}.status";
diff --git a/roles/service-fastd-intragate/templates/fastd-secret.conf.j2 b/roles/service-fastd-intragate/templates/fastd-secret.conf.j2
index b4a8077..a61bca7 100644
--- a/roles/service-fastd-intragate/templates/fastd-secret.conf.j2
+++ b/roles/service-fastd-intragate/templates/fastd-secret.conf.j2
@@ -1,4 +1,4 @@
-{% set local_interface = item.0.id + 'igVPN' -%}
+{% set local_interface = item.0.id + 'igvpn' -%}
 #
 # {{ ansible_managed }}
 #
diff --git a/roles/service-fastd-mesh/README.md b/roles/service-fastd-mesh/README.md
index 84f93e1..78b4ad4 100644
--- a/roles/service-fastd-mesh/README.md
+++ b/roles/service-fastd-mesh/README.md
@@ -11,8 +11,8 @@ Diese Ansible role konfiguriert die fastd-Instanz für die Knoten Kommunikation.
 - klont bingener fastd peer repo (im Moment hardcoded)
 ## Instanz-Benamung
-Node-Instanzen: $mesh.id + VPN + '-' + $mesh.fastd.nodes.instances.xx.mtu, z.B. "mzVPN-1312"
-Intragate-Instanzen: $mesh.id + 'ig' + VPN + '-' + $mesh.fastd.intragate.instances.xx.mtu, z.B. "mzigVPN-1312"
+Node-Instanzen: $mesh.id + vpn + '-' + $mesh.fastd.nodes.instances.xx.mtu, z.B. "mzvpn-1312"
+Intragate-Instanzen: $mesh.id + 'ig' + vpn + '-' + $mesh.fastd.intragate.instances.xx.mtu, z.B. "mzigvpn-1312"
 ## Benötigte Variablen
@@ -35,8 +35,8 @@ meshes:
 - Dictionary `fastd_secrets` (Host-Variable)
 ´´´
 fastd_secrets:
-  mzVPN: "{{ lookup('passwordstore', 'fastd/mzVPN/sparegate4 subkey=secret') }}"
-  wiVPN: "{{ lookup('passwordstore', 'fastd/wiVPN/sparegate4 subkey=secret') }}"
+  mzvpn: "{{ lookup('passwordstore', 'fastd/mzvpn/sparegate4 subkey=secret') }}"
+  wivpn: "{{ lookup('passwordstore', 'fastd/wivpn/sparegate4 subkey=secret') }}"
 ...
 ´´´
diff --git a/roles/service-fastd-mesh/tasks/main.yml b/roles/service-fastd-mesh/tasks/main.yml
index 2c2376d..c8b9f8e 100644
--- a/roles/service-fastd-mesh/tasks/main.yml
+++ b/roles/service-fastd-mesh/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
 - name: create fastd directories
   file:
-    path: "/etc/fastd/{{ item.0.id }}VPN-{{ item.1.mtu }}"
+    path: "/etc/fastd/{{ item.0.id }}vpn-{{ item.1.mtu }}"
     state: directory
     mode: 0755
   with_subelements:
@@ -10,7 +10,7 @@
 - name: create fastd peer mesh directories
   file:
-    path: "/etc/fastd/{{ item.0.id }}VPN-{{ item.1.mtu }}/peers"
+    path: "/etc/fastd/{{ item.0.id }}vpn-{{ item.1.mtu }}/peers"
     state: directory
     mode: 0755
     owner: admin
@@ -21,7 +21,7 @@
 - name: create fastd peer mesh directories for ffbin
   file:
-    path: "/etc/fastd/mzVPN-{{ item }}/peers_bingen"
+    path: "/etc/fastd/mzvpn-{{ item }}/peers_bingen"
     state: directory
     mode: 0755
     owner: admin
@@ -33,7 +33,7 @@
 - name: clone fastd peer mesh repos
   git:
     repo: "{{ item.1.peers.repo }}"
-    dest: "/etc/fastd/{{ item.0.id }}VPN-{{ item.1.mtu }}/peers"
+    dest: "/etc/fastd/{{ item.0.id }}vpn-{{ item.1.mtu }}/peers"
     version: "{{ item.1.peers.version }}"
     update: no
   with_subelements:
@@ -44,7 +44,7 @@
 - name: clone fastd peer mesh repo for ffbin
   git:
     repo: https://github.com/freifunk-bingen/peers-ffbin.git
-    dest: "/etc/fastd/mzVPN-{{ item }}/peers_bingen"
+    dest: "/etc/fastd/mzvpn-{{ item }}/peers_bingen"
     version: master
     update: no
   with_items:
@@ -55,7 +55,7 @@
 - name: template fastd mesh config
   template:
     src: fastd-mesh.conf.j2
-    dest: "/etc/fastd/{{ item.0.id }}VPN-{{ item.1.mtu }}/fastd.conf"
+    dest: "/etc/fastd/{{ item.0.id }}vpn-{{ item.1.mtu }}/fastd.conf"
   notify: restart fastd mesh instances
   with_subelements:
     - "{{ meshes }}"
@@ -64,7 +64,7 @@
 - name: write fastd mesh secret
   template:
     src: fastd-secret.conf.j2
-    dest: "/etc/fastd/{{ item.0.id }}VPN-{{ item.1.mtu }}/secret.conf"
+    dest: "/etc/fastd/{{ item.0.id }}vpn-{{ item.1.mtu }}/secret.conf"
   notify: restart fastd mesh instances
   with_subelements:
     - "{{ meshes }}"
@@ -73,7 +73,7 @@
 - name: copy peer_limit.conf if not exist
   copy:
     src: peer_limit.conf
-    dest: "/etc/fastd/{{ item.0.id }}VPN-{{ item.1.mtu }}/peer_limit.conf"
+    dest: "/etc/fastd/{{ item.0.id }}vpn-{{ item.1.mtu }}/peer_limit.conf"
     owner: admin
     group: admin
     mode: 0640
@@ -85,7 +85,7 @@
 - name: set file attributes for peer_limit.conf
   file:
-    path: "/etc/fastd/{{ item.0.id }}VPN-{{ item.1.mtu }}/peer_limit.conf"
+    path: "/etc/fastd/{{ item.0.id }}vpn-{{ item.1.mtu }}/peer_limit.conf"
     mode: 0640
     owner: admin
     group: admin
@@ -149,7 +149,7 @@
 - name: configure systemd unit fastd@
   systemd:
-    name: "fastd@{{ item.0.id }}VPN-{{ item.1.mtu }}"
+    name: "fastd@{{ item.0.id }}vpn-{{ item.1.mtu }}"
     enabled: yes
     state: started
   with_subelements:
diff --git a/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 b/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2
index 99fc1f6..a9954bc 100644
--- a/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2
+++ b/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2
@@ -9,7 +9,7 @@
 hide mac addresses yes;
 method "salsa2012+umac";
-interface "{{ item.0.id }}VPN-{{ item.1.mtu }}";
+interface "{{ item.0.id }}vpn-{{ item.1.mtu }}";
 bind {{ ansible_default_ipv4.address | ipaddr('public') }}:10{{ item.1.id }}{{ item.0.site_number }};
 bind {{ ansible_default_ipv6.address | ipaddr('public') | ipwrap }}:10{{ item.1.id }}{{ item.0.site_number }};
@@ -34,11 +34,11 @@ on up "
   ip link set address {{ mac | hwaddr('linux') }} dev $INTERFACE
   ip link set $INTERFACE up
-  batctl -m {{ item.0.id }}BAT if add $INTERFACE
+  batctl -m {{ item.0.id }}bat if add $INTERFACE
 ";
 on down "
-  batctl -m {{ item.0.id }}BAT if del $INTERFACE
+  batctl -m {{ item.0.id }}bat if del $INTERFACE
 ";
-status socket "/var/run/fastd-{{ item.0.id }}VPN-{{ item.1.mtu }}.status";
+status socket "/var/run/fastd-{{ item.0.id }}vpn-{{ item.1.mtu }}.status";
diff --git a/roles/service-fastd-mesh/templates/fastd-secret.conf.j2 b/roles/service-fastd-mesh/templates/fastd-secret.conf.j2
index a30308c..8b85738 100644
--- a/roles/service-fastd-mesh/templates/fastd-secret.conf.j2
+++ b/roles/service-fastd-mesh/templates/fastd-secret.conf.j2
@@ -1,4 +1,4 @@
-{% set local_interface = item.0.id + 'VPN' -%}
+{% set local_interface = item.0.id + 'vpn' -%}
 #
 # {{ ansible_managed }}
 #
diff --git a/roles/service-fastd-mesh/templates/fastd_peer_limit_config.yaml.j2 b/roles/service-fastd-mesh/templates/fastd_peer_limit_config.yaml.j2
index c5a5c17..1139226 100644
--- a/roles/service-fastd-mesh/templates/fastd_peer_limit_config.yaml.j2
+++ b/roles/service-fastd-mesh/templates/fastd_peer_limit_config.yaml.j2
@@ -6,7 +6,7 @@ additional: 8
 fastd_instances:
 {% for mesh in meshes %}
 {% for instance in mesh.fastd.nodes.instances %}
-  - {{ mesh.id }}VPN-{{ instance.mtu }}
+  - {{ mesh.id }}vpn-{{ instance.mtu }}
 {% endfor %}
 {% endfor %}
 cronlog: '/home/admin/.cronlog/limit.%s.log'
diff --git a/roles/service-radvd/templates/radvd.conf.j2 b/roles/service-radvd/templates/radvd.conf.j2
index afd13cf..e38b42a 100644
--- a/roles/service-radvd/templates/radvd.conf.j2
+++ b/roles/service-radvd/templates/radvd.conf.j2
@@ -3,7 +3,7 @@
 # {{ ansible_managed }}
 #
 {% for mesh in meshes %}
-interface {{ mesh.id }}BR
+interface {{ mesh.id }}br
 {
   AdvSendAdvert on;
   IgnoreIfMissing on;
diff --git a/roles/service-respondd/templates/respondd.service.j2 b/roles/service-respondd/templates/respondd.service.j2
index 9a9a433..201a1f6 100644
--- a/roles/service-respondd/templates/respondd.service.j2
+++ b/roles/service-respondd/templates/respondd.service.j2
@@ -2,7 +2,7 @@
 Description=respondd instance {{ item.id }}
 [Service]
-ExecStart=/home/admin/clones/mesh-announce/respondd.py -i {{ item.id }}BR {% for interface in item.fastd.nodes.instances %}-i {{ item.id }}VPN-{{ interface.mtu }}{% if not loop.last %} {% endif %}{% endfor %} -b {{ item.id }}BAT -s {{ item.site_code }} -d /home/admin/clones/mesh-announce/
+ExecStart=/home/admin/clones/mesh-announce/respondd.py -i {{ item.id }}br {% for interface in item.fastd.nodes.instances %}-i {{ item.id }}vpn-{{ interface.mtu }}{% if not loop.last %} {% endif %}{% endfor %} -b {{ item.id }}bat -s {{ item.site_code }} -d /home/admin/clones/mesh-announce/
 Restart=always
 Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
diff --git a/roles/service-tinc/README.md b/roles/service-tinc/README.md
index f2ad562..e4829e6 100644
--- a/roles/service-tinc/README.md
+++ b/roles/service-tinc/README.md
@@ -3,7 +3,7 @@
 Diese Ansible role installiert und konfiguriert den tinc daemon, der für die Verbindung in das InterCity-VPN benötigt wird.
 - installiert tinc
-- erzeugt icVPN tinc Instanz
+- erzeugt icvpn tinc Instanz
 - klont freifunk/icvpn repo
 - schreibt tinc.conf
 - schreibt tinc-up hook script
@@ -16,7 +16,7 @@ Diese Ansible role installiert und konfiguriert den tinc daemon, der für die Ve
 ```
 icvpn:
   prefix: mwu
-  interface: icVPN
+  interface: icvpn
   icvpn_repo: https://github.com/freifunk/icvpn
 ```
 - Variable `icvpn_ipv4_transfer_net`
@@ -30,12 +30,12 @@ routing_tables:
 - Host Variable `magic`
 - Host Variable `tinc_private_key`
 ```
-tinc_private_key: "{{ lookup('passwordstore', 'tinc/icVPN/$Hostname_private returnall=true') }}"
+tinc_private_key: "{{ lookup('passwordstore', 'tinc/icvpn/$Hostname_private returnall=true') }}"
 ```
 ## tinc private key
-Der private Schlüssel der icVPN tinc-Instanz liegt im passwordstore.
+Der private Schlüssel der icvpn tinc-Instanz liegt im passwordstore.
 Bevor man ein Gateway aufsetzt, muss der private Schlüssel generiert und im passwordstore hinterlegt werden. Die Variable `tinc_private_key` folgt dem Aufbau:
 ```
From 9e3a9562cb0ba13e825f6695f655e6ebb8f13fa8 Mon Sep 17 00:00:00 2001
From: Tobias Hachmer
Date: Tue, 7 Nov 2017 06:22:09 +0100
Subject: [PATCH 086/106] Inventory: add new gateway uffschnitt.freifunk-mwu.de
---
 inventory/ffmwu-gateways | 1 +
 .../uffschnitt.freifunk-mwu.de/vars.yml | 39 +++++++++++++++++++
 2 files changed, 40 insertions(+)
 create mode 100644 inventory/host_vars/uffschnitt.freifunk-mwu.de/vars.yml
diff --git a/inventory/ffmwu-gateways b/inventory/ffmwu-gateways
index 2978865..9d785b2 100644
--- a/inventory/ffmwu-gateways
+++ b/inventory/ffmwu-gateways
@@ -1 +1,2 @@
 [ffmwu-gateways]
+uffschnitt.freifunk-mwu.de
diff --git a/inventory/host_vars/uffschnitt.freifunk-mwu.de/vars.yml b/inventory/host_vars/uffschnitt.freifunk-mwu.de/vars.yml
new file mode 100644
index 0000000..2185fc2
--- /dev/null
+++ b/inventory/host_vars/uffschnitt.freifunk-mwu.de/vars.yml
@@ -0,0 +1,39 @@
+---
+magic: 101
+ipv4_dhcp_range: 8
+
+ffrl_public_ipv4_nat: 185.66.195.37/32
+
+ffrl_exit_server:
+  ffrl-a-ak-ber:
+    public_ipv4_address: 185.66.195.0
+    tunnel_ipv4_network: 100.64.9.42/31
+    tunnel_ipv6_network: 2a03:2260:0:3bd::/64
+  ffrl-b-ak-ber:
+    public_ipv4_address: 185.66.195.1
+    tunnel_ipv4_network: 100.64.9.48/31
+    tunnel_ipv6_network: 2a03:2260:0:3c0::/64
+  ffrl-a-ix-dus:
+    public_ipv4_address: 185.66.193.0
+    tunnel_ipv4_network: 100.64.9.46/31
+    tunnel_ipv6_network: 2a03:2260:0:3bf::/64
+  ffrl-b-ix-dus:
+    public_ipv4_address: 185.66.193.1
+    tunnel_ipv4_network: 100.64.9.52/31
+    tunnel_ipv6_network: 2a03:2260:0:3c2::/64
+  ffrl-a-fra2-fra:
+    public_ipv4_address: 185.66.194.0
+    tunnel_ipv4_network: 100.64.9.44/31
+    tunnel_ipv6_network: 2a03:2260:0:3be::/64
+  ffrl-b-fra2-fra:
+    public_ipv4_address: 185.66.194.1
+    tunnel_ipv4_network: 100.64.9.50/31
+    tunnel_ipv6_network: 2a03:2260:0:3c1::/64
+
+fastd_secrets:
+  mzvpn: "{{ lookup('passwordstore', 'fastd/mzvpn/uffschnitt subkey=secret') }}"
+  wivpn: "{{ lookup('passwordstore', 'fastd/wivpn/uffschnitt subkey=secret') }}"
+  mzigvpn: "{{ lookup('passwordstore', 'fastd/mzvpn/uffschnitt subkey=secret') }}"
+  wiigvpn: "{{ lookup('passwordstore', 'fastd/wivpn/uffschnitt subkey=secret') }}"
+
+tinc_private_key: "{{ lookup('passwordstore', 'tinc/icvpn/uffschnitt_private returnall=true') }}"
From b1480594faf0853a9c26d2239102b7a7b35ab6ae Mon Sep 17 00:00:00 2001
From: Tobias Hachmer
Date: Tue, 7 Nov 2017 20:23:23 +0100
Subject: [PATCH 087/106] Role server-repos: change ffmwu repo to stretch
---
 roles/server-repos/vars/main.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/server-repos/vars/main.yml b/roles/server-repos/vars/main.yml
index 5690253..1db4d20 100644
--- a/roles/server-repos/vars/main.yml
+++ b/roles/server-repos/vars/main.yml
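Review bot: In the new host's `fastd_secrets` map the intragate entries point at the node-facing passwordstore paths: `mzigvpn` reads `fastd/mzvpn/uffschnitt` and `wiigvpn` reads `fastd/wivpn/uffschnitt`, whereas the service-fastd-intragate README hunk earlier in this series documents `fastd/mzigvpn/<host>` and `fastd/wiigvpn/<host>`. If this is a copy-paste slip, the mesh and intragate instances of each site end up sharing one fastd private key, so the node-facing key and the server-to-server peering key can no longer be rotated or revoked independently; if it is intentional, a comment should say so. The two lines should presumably read `mzigvpn: "{{ lookup('passwordstore', 'fastd/mzigvpn/uffschnitt subkey=secret') }}"` and `wiigvpn: "{{ lookup('passwordstore', 'fastd/wiigvpn/uffschnitt subkey=secret') }}"`.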
@@ -4,8 +4,8 @@ repos:
     repo: 'deb https://repo.universe-factory.net/debian/ sid main'
     update_cache: yes
   - name: freifunk
-    repo: 'deb http://repo.freifunk-mwu.de/debian jessie main'
+    repo: 'deb http://repo.freifunk-mwu.de/debian stretch main'
     update_cache: yes
   - name: freifunk
-    repo: 'deb-src http://repo.freifunk-mwu.de/debian jessie main'
+    repo: 'deb-src http://repo.freifunk-mwu.de/debian stretch main'
     update_cache: yes
From f0564b5ad24bdf934f3428929aed0d3619c6ebf5 Mon Sep 17 00:00:00 2001
From: Tobias Hachmer
Date: Tue, 7 Nov 2017 20:25:39 +0100
Subject: [PATCH 088/106] Role service-respondd: install python3 module dependency
---
 roles/service-respondd/tasks/main.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/roles/service-respondd/tasks/main.yml b/roles/service-respondd/tasks/main.yml
index 3e49feb..4ae43cc 100644
--- a/roles/service-respondd/tasks/main.yml
+++ b/roles/service-respondd/tasks/main.yml
@@ -1,4 +1,9 @@
 ---
+- name: install packages
+  package:
+    name: python3-netifaces
+    state: present
+
 - name: clone respondd repo
   git:
     repo: https://github.com/freifunk-mwu/mesh-announce.git
From 99a77aa0b7a993197905228ccbee2741c61588a0 Mon Sep 17 00:00:00 2001
From: Tobias Hachmer
Date: Thu, 9 Nov 2017 06:20:23 +0100
Subject: [PATCH 089/106] Role server-repos: remove universe-factory repo since fastd package is available in debian upstream
---
 roles/server-repos/tasks/main.yml | 6 ------
 roles/server-repos/vars/main.yml | 3 ---
 2 files changed, 9 deletions(-)
diff --git a/roles/server-repos/tasks/main.yml b/roles/server-repos/tasks/main.yml
index 14db38b..f6f0e26 100644
--- a/roles/server-repos/tasks/main.yml
+++ b/roles/server-repos/tasks/main.yml
@@ -7,12 +7,6 @@
     - dirmngr
     - apt-transport-https
-- name: ensure apt key for universe-factory is present
-  apt_key:
-    state: present
-    id: 16ef3f64cb201d9c
-    keyserver: pgp.mit.edu
-
 - name: ensure apt key for freifunk-mwu is present
   apt_key:
     state: present
diff --git a/roles/server-repos/vars/main.yml b/roles/server-repos/vars/main.yml
index 1db4d20..1c355b4 100644
--- a/roles/server-repos/vars/main.yml
+++ b/roles/server-repos/vars/main.yml
@@ -1,8 +1,5 @@
 ---
 repos:
-  - name: fastd
-    repo: 'deb https://repo.universe-factory.net/debian/ sid main'
-    update_cache: yes
   - name: freifunk
     repo: 'deb http://repo.freifunk-mwu.de/debian stretch main'
     update_cache: yes
From cb834d6ee3df3e75a6c4620e1d19993fc289c5da Mon Sep 17 00:00:00 2001
From: Tobias Hachmer
Date: Sat, 11 Nov 2017 21:16:10 +0100
Subject: [PATCH 090/106] Pretty format ansible.cfg
---
 ansible.cfg | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/ansible.cfg b/ansible.cfg
index ea9a9df..8fdbb75 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,14 +1,13 @@
 [defaults]
-inventory = ./inventory
-retry_files_enabled = False
-#vault_password_file = ~/.ansible/vault-password-file
-remote_tmp = $HOME/ansible_tmp
-remote_user = admin
-ansible_managed = Ansible managed - don't edit this file!
-roles_path = ./roles
+inventory = ./inventory
+retry_files_enabled = False
+remote_tmp = $HOME/ansible_tmp
+remote_user = admin
+ansible_managed = Ansible managed - don't edit this file!
+roles_path = ./roles
 [privilege_escalation]
-become=True
+become = True
 #[ssh_connection]
 #pipelining = True
From e020ea085463f2a4283e59cc14b7910c33e005c5 Mon Sep 17 00:00:00 2001
From: Tobias Hachmer
Date: Sat, 11 Nov 2017 21:19:15 +0100
Subject: [PATCH 091/106] Inventory host_vars: use single file instead of subfolder
---
 .../vars.yml => uffschnitt.freifunk-mwu.de} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename inventory/host_vars/{uffschnitt.freifunk-mwu.de/vars.yml => uffschnitt.freifunk-mwu.de} (100%)
diff --git a/inventory/host_vars/uffschnitt.freifunk-mwu.de/vars.yml b/inventory/host_vars/uffschnitt.freifunk-mwu.de
similarity index 100%
rename from inventory/host_vars/uffschnitt.freifunk-mwu.de/vars.yml
rename to inventory/host_vars/uffschnitt.freifunk-mwu.de
From 623faaa40fd8536d83b29eedc418dfd61749a3fc Mon Sep 17 00:00:00 2001
From: Tobias Hachmer
Date: Sat, 11 Nov 2017 23:24:49 +0100
Subject: [PATCH 092/106] Role prerequisites: add cname asserts
---
 roles/prerequisites/README.md | 15 +++++++--------
 roles/prerequisites/tasks/main.yml | 2 ++
 roles/prerequisites/vars/main.yml | 4 ++++
 3 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/roles/prerequisites/README.md b/roles/prerequisites/README.md
index f1120c9..5cd087a 100644
--- a/roles/prerequisites/README.md
+++ b/roles/prerequisites/README.md
@@ -2,18 +2,17 @@
 Diese Ansible role prüft ob die Voraussetzungen für ein Freifunk Gateway erfüllt sind.
-- Forward-DNS Eintrag == ausgelesener IPv4-Adresse
-- Forward-DNS Eintrag == ausgelesener IPv6-Adresse
+- Forward-DNS Eintrag $FQDN == ausgelesener IPv4-Adresse
+- Forward-DNS Eintrag $FQDN == ausgelesener IPv6-Adresse
+- CNAME Eintrag gate$magic.freifunk-mwu.de == $FQDN
+- CNAME Eintrag icvpn$magic.freifunk-mwu.de == $FQDN
 - Linux Distribution == Debian
 - Debian Version == 9
 ## Benötigte Variablen
+Die folgenden Variablen werden über einen DNS Lookup gesetzt:
 - Variable `dns_host_ipv4_address` (Rollen-Variable)
-```
-dns_host_ipv4_address: "{{ lookup('dig', inventory_hostname, 'qtype=A') }}"
-```
 - Variable `dns_host_ipv6_address` (Rollen-Variable)
-```
-dns_host_ipv6_address: "{{ lookup('dig', inventory_hostname, 'qtype=AAAA') }}"
-```
+- Variable `dns_gate_num_cname` (Rollen-Variable)
+- Variable `dns_gate_icvpn_cname` (Rollen-Variable)
diff --git a/roles/prerequisites/tasks/main.yml b/roles/prerequisites/tasks/main.yml
index b5f19bc..43f2cb9 100755
--- a/roles/prerequisites/tasks/main.yml
+++ b/roles/prerequisites/tasks/main.yml
@@ -5,6 +5,8 @@
     that:
       - "dns_host_ipv4_address in ansible_all_ipv4_addresses"
       - "dns_host_ipv6_address in ansible_all_ipv6_addresses"
+      - "dns_gate_num_cname == inventory_hostname"
+      - "dns_gate_icvpn_cname == inventory_hostname"
       - "ansible_distribution == 'Debian'"
       - "ansible_distribution_major_version == '9'"
diff --git a/roles/prerequisites/vars/main.yml b/roles/prerequisites/vars/main.yml
index f0e8dca..6cb0cdd 100644
--- a/roles/prerequisites/vars/main.yml
+++ b/roles/prerequisites/vars/main.yml
@@ -1,4 +1,8 @@
 ---
+dns_gate_num: "gate{{ magic }}.{{ http_domain_external }}"
+dns_gate_icvpn: "icvpn{{ magic }}.{{ http_domain_external }}"
 dns_host_ipv4_address: "{{ lookup('dig', inventory_hostname, 'qtype=A') }}"
 dns_host_ipv6_address: "{{ lookup('dig', inventory_hostname, 'qtype=AAAA') }}"
+dns_gate_num_cname: "{{ lookup('dig', dns_gate_num, 'qtype=CNAME') | regex_replace('\\.$') }}"
+dns_gate_icvpn_cname: "{{ lookup('dig', dns_gate_icvpn, 'qtype=CNAME') | regex_replace('\\.$') }}"
From 42d407340aaa8d40fec64e28494110ed9189d3ae Mon Sep 17 00:00:00 2001
From: Tobias Hachmer
Date: Sun, 12 Nov 2017 00:31:14 +0100
Subject: [PATCH 093/106] Role network-meshbridge: workaround to set mac address on boot and get ipv6 address configured correctly
---
 roles/network-meshbridge/templates/bridge.j2 | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/roles/network-meshbridge/templates/bridge.j2 b/roles/network-meshbridge/templates/bridge.j2
index 984d3ac..626f08d 100644
--- a/roles/network-meshbridge/templates/bridge.j2
+++ b/roles/network-meshbridge/templates/bridge.j2
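Review bot: The two new conditions in roles/prerequisites/tasks/main.yml compare `dns_gate_num_cname` and `dns_gate_icvpn_cname` with `inventory_hostname` but the `assert` task carries no `msg`, so when a CNAME is absent or points at another gateway the operator only sees the raw failed expression and has to open vars/main.yml to learn which name was queried; the `dig` lookup reports a missing record as a sentinel string such as `NXDOMAIN` rather than failing, so that case reaches the comparison silently too. Adding `msg: "DNS prerequisites not met for {{ inventory_hostname }}: {{ dns_gate_num }} -> {{ dns_gate_num_cname }}, {{ dns_gate_icvpn }} -> {{ dns_gate_icvpn_cname }}"` to the assert would make the check self-explanatory, using the `dns_gate_num` and `dns_gate_icvpn` variables defined in the vars/main.yml hunk of this same commit. The enclosing `assert` task starts before this hunk.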
@@ -5,7 +5,8 @@ # auto {{ item.id }}br iface {{ item.id }}br - hwaddress {{ mac | hwaddr('linux') }} +# hwaddress {{ mac | hwaddr('linux') }} <-- preferred way, not working - ipv6 addresses not set on boot + pre-up /sbin/ip link set address {{ mac | hwaddr('linux') }} dev $IFACE # ^^^ dirty workaround to get rid of address {{ item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('ip/prefix') }} {% for prefix in item.ipv6_ula %} address {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('ip/prefix') }} From ff5f9d8b6d204681cdcc3f2199361e19be34c061 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Sun, 12 Nov 2017 00:34:38 +0100 Subject: [PATCH 094/106] Playbook gateways: reorder roles --- playbooks/gateways.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/playbooks/gateways.yml b/playbooks/gateways.yml index 176daf3..5152b5d 100755 --- a/playbooks/gateways.yml +++ b/playbooks/gateways.yml @@ -7,6 +7,7 @@ - prerequisites - server-repos - server-basic + - system-sysctl-gateway - git-repos - service-haveged - service-ntpd @@ -14,21 +15,20 @@ - network-routetables - network-batman - network-meshbridge + - network-fastd + - network-ffrl + - network-iptables-gateway + - network-routing - service-dhcpd - service-radvd - - network-fastd - service-fastd - service-fastd-mesh - service-fastd-intragate - - network-iptables-gateway - - network-ffrl - service-tinc - service-bird - service-bird-icvpn - service-bird-ffrl - service-bind-slave - - network-routing - - system-sysctl-gateway - service-respondd - service-nginx - service-nginx-firmware From 9d08803a9e3bbd767abb3c3a87275ff79d3d7e31 Mon Sep 17 00:00:00 2001 
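Review bot: The trailing comment `# ^^^ dirty workaround to get rid of` is left unfinished and does not say what fails or when the line can be removed, which is what the next maintainer of a boot-time hack needs most; I would write `# workaround: hwaddress alone leaves the IPv6 addresses unconfigured at boot; revert to hwaddress once that is fixed`, taking the symptom from the commit message. Keeping the commented-out `hwaddress` line as documentation of the intended form is fine. The `iface` stanza continues outside the hunk.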
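Review bot: `system-sysctl-gateway` now runs right after `server-basic`, well ahead of `network-iptables-gateway`; if that role enables IP forwarding (its name suggests so, but its tasks are not in this diff) a first provisioning run turns the host into a router before the FORWARD rules exist. Either keep the sysctl role directly after `network-iptables-gateway`, or move the iptables role to the front of the network roles, and record the ordering rule in the play, e.g. `# firewall rules must be installed before forwarding is enabled and tunnels come up`.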
From: Tobias Hachmer Date: Sun, 12 Nov 2017 11:30:44 +0100 Subject: [PATCH 095/106] Rename role server-repos to server-apt-repos - Role server-apt-repos: add readme --- playbooks/gateways.yml | 2 +- roles/server-apt-repos/README.md | 13 +++++++++++++ .../tasks/main.yml | 0 .../vars/main.yml | 0 4 files changed, 14 insertions(+), 1 deletion(-) create mode 100644 roles/server-apt-repos/README.md rename roles/{server-repos => server-apt-repos}/tasks/main.yml (100%) rename roles/{server-repos => server-apt-repos}/vars/main.yml (100%) diff --git a/playbooks/gateways.yml b/playbooks/gateways.yml index 5152b5d..9e2e2da 100755 --- a/playbooks/gateways.yml +++ b/playbooks/gateways.yml @@ -5,7 +5,7 @@ roles: - handlers - prerequisites - - server-repos + - server-apt-repos - server-basic - system-sysctl-gateway - git-repos diff --git a/roles/server-apt-repos/README.md b/roles/server-apt-repos/README.md new file mode 100644 index 0000000..2a1e2f9 --- /dev/null +++ b/roles/server-apt-repos/README.md @@ -0,0 +1,13 @@ +# Ansible role server-apt-repos + +Diese Ansible role konfiguriert zusätzliche APT Repositories. + +- installiert Freifunk MWU Debian APT PGP Key +- konfiguriert APT Repositories aus der Liste `repos` + +## Benötigte Variablen + +- Liste `repos` (Rollen Variable) + - `name`: String == Name der Konfigurationsdatei unter /etc/apt/sources.list.d + - `repo`: String + - `update_cache`: yes|no diff --git a/roles/server-repos/tasks/main.yml b/roles/server-apt-repos/tasks/main.yml similarity index 100% rename from roles/server-repos/tasks/main.yml rename to roles/server-apt-repos/tasks/main.yml diff --git a/roles/server-repos/vars/main.yml b/roles/server-apt-repos/vars/main.yml similarity index 100% rename from roles/server-repos/vars/main.yml rename to roles/server-apt-repos/vars/main.yml From 7a482e195fb35a615dfdf6e7efc810451ea56aa0 Mon Sep 17 00:00:00 2001 
From: Tobias Hachmer Date: Sun, 12 Nov 2017 12:44:20 +0100 Subject: [PATCH 096/106] Role server-basic: add locale setting --- roles/server-basic/README.md | 4 +++- roles/server-basic/tasks/main.yml | 9 +++++++++ roles/server-basic/vars/main.yml | 2 ++ 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/roles/server-basic/README.md b/roles/server-basic/README.md index ebb8121..d454a25 100644 --- a/roles/server-basic/README.md +++ b/roles/server-basic/README.md @@ -3,9 +3,11 @@ Diese Ansible role installiert Pakete, die auf allen MWU-Server benötigt werden. - installiert Pakete, die auf allen Servern benötigt werden -- setzt als default Editor +- setzt vim als default Editor - setzt die Zeitzone auf Europe/Berlin +- generiert und setzt default locale ## Benötigte Variablen - Liste `packages` (Rollen Variable) +- Variable `default_locale` (Rollen-Variable) diff --git a/roles/server-basic/tasks/main.yml b/roles/server-basic/tasks/main.yml index 1de5f78..e14a925 100644 --- a/roles/server-basic/tasks/main.yml +++ b/roles/server-basic/tasks/main.yml @@ -10,6 +10,15 @@ name: editor path: /usr/bin/vim.basic +- name: ensure default locale is installed + locale_gen: + name: "{{ default_locale }}" + state: present + +- name: ensure default locale is set + command: "/usr/bin/localectl set-locale LANG={{ default_locale }}" + changed_when: false + - name: set timezone to Europe/Berlin timezone: name: Europe/Berlin diff --git a/roles/server-basic/vars/main.yml b/roles/server-basic/vars/main.yml index 68bc696..722d395 100644 --- a/roles/server-basic/vars/main.yml +++ b/roles/server-basic/vars/main.yml @@ -11,3 +11,5 @@ packages: - sudo - sysfsutils - vim + +default_locale: "en_US.UTF-8" From 07eda681ca48afb3c9dda6cbf4008b25fae46db5 Mon Sep 17 00:00:00 2001 
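Review bot: The `ensure default locale is set` task runs `localectl set-locale` on every play with `changed_when: false`, so it rewrites the locale unconditionally and can never report drift, which undercuts the idempotency the project Readme promises for the gateway roles. Managing the file declaratively is both idempotent and reports changes: `lineinfile: path: /etc/default/locale regexp: '^LANG=' line: 'LANG={{ default_locale }}'`. If `localectl` must stay, register `localectl status` first and guard the set with a `when:` on its output. Using `command:` rather than `shell:` here is correct and should be kept.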
From: Tobias Hachmer Date: Sun, 12 Nov 2017 14:12:07 +0100 Subject: [PATCH 097/106] Roles service-fastd-mesh + service-fastd-intragate - remove on-up|on-down stanzas from fastd.conf - update readme --- .../templates/fastd-intragate.conf.j2 | 14 -------------- roles/service-fastd-mesh/README.md | 1 + .../templates/fastd-mesh.conf.j2 | 14 -------------- 3 files changed, 1 insertion(+), 28 deletions(-) diff --git a/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 b/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 index fa068ac..a97bd4d 100644 --- a/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 +++ b/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 @@ -1,5 +1,3 @@ -{% set ip4hex = item.0.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} -{% set mac = '023' + item.1.id|string + ip4hex -%} # # {{ ansible_managed }} # @@ -22,16 +20,4 @@ peer group "servers" { include peers from "peers/services"; } -on up " - ip link set $INTERFACE down - ip link set address {{ mac | hwaddr('linux') }} dev $INTERFACE - ip link set $INTERFACE up - - batctl -m {{ item.0.id }}bat if add $INTERFACE -"; - -on down " - batctl -m {{ item.0.id }}bat if del $INTERFACE -"; - status socket "/var/run/fastd-{{ item.0.id }}igvpn-{{ item.1.mtu }}.status"; diff --git a/roles/service-fastd-mesh/README.md b/roles/service-fastd-mesh/README.md index 78b4ad4..1f33875 100644 --- a/roles/service-fastd-mesh/README.md +++ b/roles/service-fastd-mesh/README.md @@ -40,6 +40,7 @@ fastd_secrets: ... ´´´ +- Liste `legacy_gateways` ## fastd Secrets diff --git a/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 b/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 index a9954bc..aa8a640 100644 --- a/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 +++ b/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 
@@ -1,5 +1,3 @@ -{% set ip4hex = item.0.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} -{% set mac = '022' + item.1.id|string + ip4hex -%} # # {{ ansible_managed }} # @@ -29,16 +27,4 @@ peer group "servers" { include peers from "peers/servers"; } -on up " - ip link set $INTERFACE down - ip link set address {{ mac | hwaddr('linux') }} dev $INTERFACE - ip link set $INTERFACE up - - batctl -m {{ item.0.id }}bat if add $INTERFACE -"; - -on down " - batctl -m {{ item.0.id }}bat if del $INTERFACE -"; - status socket "/var/run/fastd-{{ item.0.id }}vpn-{{ item.1.mtu }}.status"; From 10d25ee03171da57901dc7843c747d8476a9202b Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Sun, 12 Nov 2017 14:35:11 +0100 Subject: [PATCH 098/106] Move dummy module from role kmod-batman to server-basic --- roles/kmod-batman/tasks/main.yml | 7 ++----- roles/kmod-batman/templates/batman-adv.module.conf.j2 | 1 - roles/server-basic/README.md | 1 + roles/server-basic/tasks/main.yml | 11 +++++++++++ roles/server-basic/templates/dummy.module.conf.j2 | 5 +++++ 5 files changed, 19 insertions(+), 6 deletions(-) create mode 100644 roles/server-basic/templates/dummy.module.conf.j2 diff --git a/roles/kmod-batman/tasks/main.yml b/roles/kmod-batman/tasks/main.yml index 0991b4e..8cc799e 100644 --- a/roles/kmod-batman/tasks/main.yml +++ b/roles/kmod-batman/tasks/main.yml @@ -13,10 +13,7 @@ src: batman-adv.module.conf.j2 dest: /etc/modules-load.d/batman-adv.conf -- name: load batman + dummy module +- name: load batman module modprobe: - name: "{{ item }}" + name: "batman-adv" state: present - with_items: - - batman-adv - - dummy diff --git a/roles/kmod-batman/templates/batman-adv.module.conf.j2 b/roles/kmod-batman/templates/batman-adv.module.conf.j2 index 35d76b4..b0b819f 100644 --- a/roles/kmod-batman/templates/batman-adv.module.conf.j2 +++ b/roles/kmod-batman/templates/batman-adv.module.conf.j2 @@ -3,4 +3,3 @@ # {{ ansible_managed }} # batman-adv -dummy 
diff --git a/roles/server-basic/README.md b/roles/server-basic/README.md index d454a25..2761041 100644 --- a/roles/server-basic/README.md +++ b/roles/server-basic/README.md @@ -6,6 +6,7 @@ Diese Ansible role installiert Pakete, die auf allen MWU-Server benötigt werden - setzt vim als default Editor - setzt die Zeitzone auf Europe/Berlin - generiert und setzt default locale +- konfiguriert das dummy Kernel Modul ## Benötigte Variablen diff --git a/roles/server-basic/tasks/main.yml b/roles/server-basic/tasks/main.yml index e14a925..f3fcd68 100644 --- a/roles/server-basic/tasks/main.yml +++ b/roles/server-basic/tasks/main.yml @@ -30,3 +30,14 @@ owner: admin group: admin mode: 0750 + +- name: configure dummy module to load on system boot + template: + src: dummy.module.conf.j2 + dest: /etc/modules-load.d/dummy.conf + +- name: load dummy module + modprobe: + name: "dummy" + state: present + params: "numdummies=0" diff --git a/roles/server-basic/templates/dummy.module.conf.j2 b/roles/server-basic/templates/dummy.module.conf.j2 new file mode 100644 index 0000000..4beefe7 --- /dev/null +++ b/roles/server-basic/templates/dummy.module.conf.j2 @@ -0,0 +1,5 @@ +# +# Load dummy module on system boot +# {{ ansible_managed }} +# +dummy From 7437095761b76d6e9cb241c61538ef46b405e4c2 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Sun, 12 Nov 2017 15:08:41 +0100 Subject: [PATCH 099/106] Roles service-fastd-[mesh|intragate]: reload networking on fastd instance start --- roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 | 2 ++ roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 | 2 ++ 2 files changed, 4 insertions(+) diff --git a/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 b/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 index a97bd4d..b7945eb 100644 --- a/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 +++ b/roles/service-fastd-intragate/templates/fastd-intragate.conf.j2 
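Review bot: The boot-time path and the Ansible path load the dummy module with different parameters: `dummy.module.conf.j2` only lists `dummy`, so after a reboot the module comes up with its default `numdummies` (which on most kernels creates a `dummy0` device), while the `modprobe` task passes `numdummies=0`. Add a modprobe.d options file next to the modules-load entry, e.g. a template that renders `options dummy numdummies=0` into `/etc/modprobe.d/dummy.conf`, so both load paths agree and no stray `dummy0` reappears after a reboot. A short comment in the modules-load template pointing at that options file would make the dependency visible.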
@@ -20,4 +20,6 @@ peer group "servers" { include peers from "peers/services"; } +on up "/bin/systemctl reload networking"; + status socket "/var/run/fastd-{{ item.0.id }}igvpn-{{ item.1.mtu }}.status"; diff --git a/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 b/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 index aa8a640..bcee23f 100644 --- a/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 +++ b/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 @@ -27,4 +27,6 @@ peer group "servers" { include peers from "peers/servers"; } +on up "/bin/systemctl reload networking"; + status socket "/var/run/fastd-{{ item.0.id }}vpn-{{ item.1.mtu }}.status"; From 78a141305d59de104df385ea1b469563440fd624 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Sun, 12 Nov 2017 20:27:12 +0100 Subject: [PATCH 100/106] Rework passwordstore lookup handling in roles service-fastd-mesh und service-fastd-intragate --- Readme.md | 14 ++------------ inventory/group_vars/all | 6 ++++++ inventory/host_vars/uffschnitt.freifunk-mwu.de | 6 ------ roles/service-fastd-intragate/README.md | 18 +++--------------- .../templates/fastd-secret.conf.j2 | 7 +------ roles/service-fastd-mesh/README.md | 18 +++--------------- .../templates/fastd-secret.conf.j2 | 7 +------ 7 files changed, 16 insertions(+), 60 deletions(-) diff --git a/Readme.md b/Readme.md index a23e4f9..ace2105 100644 --- a/Readme.md +++ b/Readme.md @@ -57,6 +57,7 @@ Diese Liste ist quasi das Herzstück zur Konfiguration der Mesh-spezifischen Par |fastd.nodes.instances[x].peers|Dictionary|||| |fastd.nodes.instances[x].peers.repo|Key|https://github.com/freifunk-mwu/peers-ffmz.git|URL|| |fastd.nodes.instances[x].peers.version|Key|master|string|| +|fastd.nodes.instances[x].pass|Key|fastd/mzvpn|string|| |fastd.intragate|Dictionary|||| |fastd.intragate.instances|List|||Jeder Listeneintrag ist ein Dictionary; Instanzen für Intragate-Kommunikation| |fastd.intragate.instances[x].id|Key|0|integer|| 
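Review bot: `on up "/bin/systemctl reload networking"` reloads every interface ifupdown manages whenever any fastd instance comes up, and the same line is added to fastd-mesh.conf.j2, so with several instances per gateway the entire network configuration — bridges, routes and unrelated tunnels — is reloaded repeatedly during boot. A command scoped to the instance's own interface (an `ifup` of the matching stanza, or the `batctl if add` that the previous commit removed) keeps the blast radius to the tunnel that actually changed. fastd hands `on up` to a shell, so whatever command is chosen should stay a fixed string without templated data.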
@@ -64,6 +65,7 @@ Diese Liste ist quasi das Herzstück zur Konfiguration der Mesh-spezifischen Par |fastd.intragate.instances[x].peers|Dictionary|||| |fastd.intragate.instances[x].peers.repo|Key|https://github.com/freifunk-mwu/peers-ffmz.git|URL|| |fastd.intragate.instances[x].peers.version|Key|master|string|| +|fastd.intragate.instances[x].pass|Key|fastd/mzigvpn|string|| |dns|Dictionary|||| |dns.master|Key|fd37:b4dc:4b1e::a25:103|string; IP-Adresse|DNS-Master IP| |dns.forward_zones|List|||| @@ -134,11 +136,6 @@ Alle Server- bzw. Gateway-spezifischen Parameter werden als Host-Variablen abgeb |ffrl_exit_server.ffrl-b-fra2-fra.public_ipv4_address|Key|185.66.194.1|IP-Adresse|IP-Adresse der Tunnel-Gegenstelle| |ffrl_exit_server.ffrl-b-fra2-fra.tunnel_ipv4_network|Key|100.64.0.188/31|Network/Prefix|Internes IPv4-Tunnel-Subnetz| |ffrl_exit_server.ffrl-b-fra2-fra.tunnel_ipv6_network|Key|2a03:2260:0:64::/64|Network/Prefix|Internes IPv6-Tunnel-Subnetz| -|fastd_secrets|Dictionary|||Ein Eintrag pro fastd-Interface mit passwordstore lookup zum pass-Pfad| -|fastd_secrets.mzvpn|Key|"{{ lookup('passwordstore', 'fastd/mzvpn/spinat subkey=secret') }}"||| -|fastd_secrets.wivpn|Key|"{{ lookup('passwordstore', 'fastd/wivpn/spinat subkey=secret') }}"||| -|fastd_secrets.mzigvpn|Key|"{{ lookup('passwordstore', 'fastd/mzvpn/spinat subkey=secret') }}"||| -|fastd_secrets.wiigvpn|Key|"{{ lookup('passwordstore', 'fastd/wivpn/spinat subkey=secret') }}"||| |tinc_private_key|Variable|"{{ lookup('passwordstore', 'tinc/icvpn/spinat_private returnall=true') }}"||Passwordstore lookup zum pass-Pfad| ## Sensible Informationen 
@@ -194,13 +191,6 @@ ffrl_exit_server: tunnel_ipv4_network: # Format: IP/Maske tunnel_ipv6_network: -# Pfade zu den fastd secrets im passwordstore -fastd_secrets: - mzvpn: "{{ lookup('passwordstore', 'fastd/mzvpn/$Hostname subkey=secret') }}" - wivpn: "{{ lookup('passwordstore', 'fastd/wivpn/$Hostname subkey=secret') }}" - mzigvpn: "{{ lookup('passwordstore', 'fastd/mzvpn/$Hostname subkey=secret') }}" - wiigvpn: "{{ lookup('passwordstore', 'fastd/wivpn/$Hostname subkey=secret') }}" - # Pfade zum tinc secret im passwordstore tinc_private_key: "{{ lookup('passwordstore', 'tinc/icvpn/$hostname_private returnall=true') }}" ``` diff --git a/inventory/group_vars/all b/inventory/group_vars/all index a9fd666..458482e 100644 --- a/inventory/group_vars/all +++ b/inventory/group_vars/all @@ -51,11 +51,13 @@ meshes: peers: repo: https://github.com/freifunk-mwu/peers-ffmz.git version: master + pass: fastd/mzvpn - id: 1 mtu: 1312 peers: repo: https://github.com/freifunk-mwu/peers-ffmz.git version: master + pass: fastd/mzvpn intragate: instances: - id: 0 @@ -63,6 +65,7 @@ meshes: peers: repo: https://github.com/freifunk-mwu/ffmz-infrastructure-peers.git version: master + pass: fastd/mzigvpn dns: master: fd37:b4dc:4b1e::a25:103 forward_zones: @@ -106,11 +109,13 @@ meshes: peers: repo: https://github.com/freifunk-mwu/peers-ffwi.git version: master + pass: fastd/wivpn - id: 1 mtu: 1312 peers: repo: https://github.com/freifunk-mwu/peers-ffwi.git version: master + pass: fastd/wivpn intragate: instances: - id: 0 @@ -118,6 +123,7 @@ meshes: peers: repo: https://github.com/freifunk-mwu/ffwi-infrastructure-peers.git version: master + pass: fastd/wiigvpn dns: master: fd56:b4dc:4b1e::a38:103 forward_zones: diff --git a/inventory/host_vars/uffschnitt.freifunk-mwu.de b/inventory/host_vars/uffschnitt.freifunk-mwu.de index 2185fc2..55d2495 100644 --- a/inventory/host_vars/uffschnitt.freifunk-mwu.de +++ b/inventory/host_vars/uffschnitt.freifunk-mwu.de 
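Review bot: The new `pass` keys send the intragate instances to `fastd/mzigvpn` and `fastd/wiigvpn`, whereas the `fastd_secrets` entries removed from the host_vars and the Readme resolved `mzigvpn`/`wiigvpn` to `fastd/mzvpn/<host>` and `fastd/wivpn/<host>`; unless the passwordstore already holds entries at the new paths the secret template lookup fails on the next run, and if an operator creates fresh entries the intragate instance silently gets a key its peers do not know. The commit message does not mention this, so either keep `pass: fastd/mzvpn` / `pass: fastd/wivpn` for the intragate instances or state in the Readme that the keys must be moved to `fastd/<mesh>igvpn/<host>`. Both MTU instances of a mesh sharing one path looks intentional but deserves a comment, e.g. `# both MTU instances use the gateway's single fastd key`.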
@@ -30,10 +30,4 @@ ffrl_exit_server: tunnel_ipv4_network: 100.64.9.50/31 tunnel_ipv6_network: 2a03:2260:0:3c1::/64 -fastd_secrets: - mzvpn: "{{ lookup('passwordstore', 'fastd/mzvpn/uffschnitt subkey=secret') }}" - wivpn: "{{ lookup('passwordstore', 'fastd/wivpn/uffschnitt subkey=secret') }}" - mzigvpn: "{{ lookup('passwordstore', 'fastd/mzvpn/uffschnitt subkey=secret') }}" - wiigvpn: "{{ lookup('passwordstore', 'fastd/wivpn/uffschnitt subkey=secret') }}" - tinc_private_key: "{{ lookup('passwordstore', 'tinc/icvpn/uffschnitt_private returnall=true') }}" diff --git a/roles/service-fastd-intragate/README.md b/roles/service-fastd-intragate/README.md index 016bbdb..2127c19 100644 --- a/roles/service-fastd-intragate/README.md +++ b/roles/service-fastd-intragate/README.md @@ -13,7 +13,7 @@ Diese Ansible role konfiguriert die fastd-Instanz für die Intra-Server Kommunik ## Benötigte Variablen - Dictionary `meshes` -´´´ +``` meshes: - id: xx ... @@ -26,26 +26,14 @@ meshes: peers: repo: # String - https Link zum Github Repository version: # String - Branch oder Commit ID + pass: # String - Pfad des fastd secrets im Admin Pass ... -´´´ -- Dictionary `fastd_secrets` (Host-Variable) -´´´ -fastd_secrets: - mzigvpn: "{{ lookup('passwordstore', 'fastd/mzigvpn/sparegate4 subkey=secret') }}" - wiigvpn: "{{ lookup('passwordstore', 'fastd/wiigvpn/sparegate4 subkey=secret') }}" - ... - -´´´ +``` ## fastd Secrets Die privaten Schlüssel der fastd Instanzen sind sehr sensible Informationen, weshalb wir diese in ein nicht öffentliches passwordstore ausgelagert haben. Bevor man ein Gateway aufsetzt, müssen die privaten Schlüssel für alle benötigten fastd Instanzen generiert und im passwordstore hinterlegt werden. -Das Dictionary `fastd_secrets` folgt dem Aufbau: -``` -fastd_secrets: - $Instanz-Name: "{{ lookup('passwordstore', '$Pfad-im-passwordstore subkey=secret') }}" -``` ## Abhängigkeiten 
diff --git a/roles/service-fastd-intragate/templates/fastd-secret.conf.j2 b/roles/service-fastd-intragate/templates/fastd-secret.conf.j2 index a61bca7..c8d0e15 100644 --- a/roles/service-fastd-intragate/templates/fastd-secret.conf.j2 +++ b/roles/service-fastd-intragate/templates/fastd-secret.conf.j2 @@ -1,9 +1,4 @@ -{% set local_interface = item.0.id + 'igvpn' -%} # # {{ ansible_managed }} # -{% for interface in fastd_secrets %} -{% if local_interface == interface %} -secret "{{ fastd_secrets[interface] }}"; -{% endif %} -{% endfor %} +secret "{{ lookup('passwordstore', item.1.pass + '/' + inventory_hostname_short + ' subkey=secret') }}"; diff --git a/roles/service-fastd-mesh/README.md b/roles/service-fastd-mesh/README.md index 1f33875..f7fad8e 100644 --- a/roles/service-fastd-mesh/README.md +++ b/roles/service-fastd-mesh/README.md @@ -17,7 +17,7 @@ Intragate-Instanzen: $mesh.id + 'ig' + vpn + '-' + $mesh.fastd.intragate.instanc ## Benötigte Variablen - Dictionary `meshes` -´´´ +``` meshes: - id: xx ... @@ -30,27 +30,15 @@ meshes: peers: repo: # String - https Link zum Github Repository version: # String - Branch oder Commit ID + pass: # String - Pfad des fastd secrets im Admin Pass ... -´´´ -- Dictionary `fastd_secrets` (Host-Variable) -´´´ -fastd_secrets: - mzvpn: "{{ lookup('passwordstore', 'fastd/mzvpn/sparegate4 subkey=secret') }}" - wivpn: "{{ lookup('passwordstore', 'fastd/wivpn/sparegate4 subkey=secret') }}" - ... - -´´´ +``` - Liste `legacy_gateways` ## fastd Secrets Die privaten Schlüssel der fastd Instanzen sind sehr sensible Informationen, weshalb wir diese in ein nicht öffentliches passwordstore ausgelagert haben. Bevor man ein Gateway aufsetzt, müssen die privaten Schlüssel für alle benötigten fastd Instanzen generiert und im passwordstore hinterlegt werden. -Das Dictionary `fastd_secrets` folgt dem Aufbau: -``` -fastd_secrets: - $Instanz-Name: "{{ lookup('passwordstore', '$Pfad-im-passwordstore subkey=secret') }}" -``` ## Abhängigkeiten 
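Review bot: With the secret fetched inside the template, the rendered content — the fastd private key — shows up in `ansible-playbook --diff` and verbose output unless the template task that writes this file sets `no_log: true`; that task is outside the hunk, as is the file mode, which should be `0600` now that the key no longer lives in a host variable. The lookup string is assembled from `item.1.pass` and `inventory_hostname_short` and is space-separated, so whitespace in either would be parsed as extra lookup parameters; a template comment documents the contract: `{# pass path and short hostname must be single path components without whitespace #}`.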
diff --git a/roles/service-fastd-mesh/templates/fastd-secret.conf.j2 b/roles/service-fastd-mesh/templates/fastd-secret.conf.j2 index 8b85738..c8d0e15 100644 --- a/roles/service-fastd-mesh/templates/fastd-secret.conf.j2 +++ b/roles/service-fastd-mesh/templates/fastd-secret.conf.j2 @@ -1,9 +1,4 @@ -{% set local_interface = item.0.id + 'vpn' -%} # # {{ ansible_managed }} # -{% for interface in fastd_secrets %} -{% if local_interface == interface %} -secret "{{ fastd_secrets[interface] }}"; -{% endif %} -{% endfor %} +secret "{{ lookup('passwordstore', item.1.pass + '/' + inventory_hostname_short + ' subkey=secret') }}"; From 071bdb40d4c54a1ca2e89b1baeb6c22dbc9b4592 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Sun, 12 Nov 2017 20:39:33 +0100 Subject: [PATCH 101/106] Role service-tinc: rework passwordstore lookup --- Readme.md | 4 ---- inventory/host_vars/uffschnitt.freifunk-mwu.de | 2 -- roles/service-tinc/README.md | 10 ---------- roles/service-tinc/templates/rsa_key.priv.j2 | 2 +- 4 files changed, 1 insertion(+), 17 deletions(-) diff --git a/Readme.md b/Readme.md index ace2105..f3d38e5 100644 --- a/Readme.md +++ b/Readme.md @@ -136,7 +136,6 @@ Alle Server- bzw. Gateway-spezifischen Parameter werden als Host-Variablen abgeb |ffrl_exit_server.ffrl-b-fra2-fra.public_ipv4_address|Key|185.66.194.1|IP-Adresse|IP-Adresse der Tunnel-Gegenstelle| |ffrl_exit_server.ffrl-b-fra2-fra.tunnel_ipv4_network|Key|100.64.0.188/31|Network/Prefix|Internes IPv4-Tunnel-Subnetz| |ffrl_exit_server.ffrl-b-fra2-fra.tunnel_ipv6_network|Key|2a03:2260:0:64::/64|Network/Prefix|Internes IPv6-Tunnel-Subnetz| -|tinc_private_key|Variable|"{{ lookup('passwordstore', 'tinc/icvpn/spinat_private returnall=true') }}"||Passwordstore lookup zum pass-Pfad| ## Sensible Informationen 
@@ -190,9 +189,6 @@ ffrl_exit_server: public_ipv4_address: 185.66.194.1 tunnel_ipv4_network: # Format: IP/Maske tunnel_ipv6_network: - -# Pfade zum tinc secret im passwordstore -tinc_private_key: "{{ lookup('passwordstore', 'tinc/icvpn/$hostname_private returnall=true') }}" ``` - Neues Gateway aufsetzen per `ansible-playbook playbooks/gateways.yml` - Hierbei werden die definierten Rollen auch auf schon aufgesetzte Gateways angewandt, was unkritisch ist, weil wir unsere Rollen idempotent schreiben. diff --git a/inventory/host_vars/uffschnitt.freifunk-mwu.de b/inventory/host_vars/uffschnitt.freifunk-mwu.de index 55d2495..51aaa82 100644 --- a/inventory/host_vars/uffschnitt.freifunk-mwu.de +++ b/inventory/host_vars/uffschnitt.freifunk-mwu.de @@ -29,5 +29,3 @@ ffrl_exit_server: public_ipv4_address: 185.66.194.1 tunnel_ipv4_network: 100.64.9.50/31 tunnel_ipv6_network: 2a03:2260:0:3c1::/64 - -tinc_private_key: "{{ lookup('passwordstore', 'tinc/icvpn/uffschnitt_private returnall=true') }}" diff --git a/roles/service-tinc/README.md b/roles/service-tinc/README.md index e4829e6..855df5c 100644 --- a/roles/service-tinc/README.md +++ b/roles/service-tinc/README.md @@ -28,18 +28,8 @@ routing_tables: ... ``` - Host Variable `magic` -- Host Variable `tinc_private_key` -``` -tinc_private_key: "{{ lookup('passwordstore', 'tinc/icvpn/$Hostname_private returnall=true') }}" -``` ## tinc private key Der private Schlüssel der icvpn tinc-Instanz liegt im passwordstore. Bevor man ein Gateway aufsetzt, muss der private Schlüssel generiert und im passwordstore hinterlegt werden. -Die Variable `tinc_private_key` folgt dem Aufbau: -``` -tinc_private_key: - $Instanz-Name: "{{ lookup('passwordstore', '$Pfad-im-passwordstore returnall=true') }}" -``` - diff --git a/roles/service-tinc/templates/rsa_key.priv.j2 b/roles/service-tinc/templates/rsa_key.priv.j2 index 7c952bc..1a7a690 100644 --- a/roles/service-tinc/templates/rsa_key.priv.j2 +++ b/roles/service-tinc/templates/rsa_key.priv.j2 
@@ -1 +1 @@ -{{ tinc_private_key }} +{{ lookup('passwordstore', 'tinc/icvpn/' + inventory_hostname_short + '_private returnall=true') }} From 80bd91a46944d8ff52fb110c5bacf36eb937c0ae Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Tue, 14 Nov 2017 23:09:55 +0100 Subject: [PATCH 102/106] Role network-iptables-gateway: fix freifunk bridge rules --- roles/network-iptables-gateway/templates/rules.v4.j2 | 8 ++++++-- roles/network-iptables-gateway/templates/rules.v6.j2 | 8 ++++++-- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/roles/network-iptables-gateway/templates/rules.v4.j2 b/roles/network-iptables-gateway/templates/rules.v4.j2 index 4359b2b..94cdc07 100644 --- a/roles/network-iptables-gateway/templates/rules.v4.j2 +++ b/roles/network-iptables-gateway/templates/rules.v4.j2 @@ -8,8 +8,12 @@ -A INPUT -d {{ ansible_default_ipv4.address | ipaddr('public') }}/32 -p gre -j ACCEPT -A INPUT -m conntrack --ctstate INVALID -j DROP -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -{% for mesh in meshes %} --A FORWARD -i {{ mesh.id }}br -o {{ mesh.id }}br -j ACCEPT +{% for mesh_forward in meshes %} +{% for mesh_recursive in meshes recursive %} +{% if not mesh_forward.id == mesh_recursive.id %} +-A FORWARD -i {{ mesh_forward.id }}br -o {{ mesh_recursive.id }}br -j ACCEPT +{% endif %} +{% endfor %} {% endfor %} -A FORWARD -m conntrack --ctstate INVALID -j DROP -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT diff --git a/roles/network-iptables-gateway/templates/rules.v6.j2 b/roles/network-iptables-gateway/templates/rules.v6.j2 index f1644f9..7c97f3f 100644 --- a/roles/network-iptables-gateway/templates/rules.v6.j2 +++ b/roles/network-iptables-gateway/templates/rules.v6.j2 
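Review bot: `returnall=true` writes the whole pass entry into `rsa_key.priv`, so any additional line in that entry (a leading password line or metadata) ends up inside the key file; the entry must contain exactly the PEM block, and that contract belongs in the template, e.g. `{# the pass entry tinc/icvpn/<host>_private must contain only the PEM private key #}`. As with the fastd secrets, the key is now rendered from a lookup and appears in `--diff`/verbose output unless the template task sets `no_log: true`; that task is not in this hunk.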
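Review bot: The new loop replaces the single same-bridge rule with an ACCEPT for every ordered pair of different mesh bridges (`-i {{ mesh_forward.id }}br -o {{ mesh_recursive.id }}br`), which opens unrestricted IPv4 forwarding between separate meshes; if inter-mesh routing is intended it should be stated in the role README, and if only same-mesh traffic was meant the condition is inverted. Dropping the same-bridge rule is presumably fine because bridged traffic only reaches FORWARD when br_netfilter is active — hedged, since the sysctl settings are not visible here. The `recursive` modifier on the inner loop enables Jinja's `loop()` re-entry and is unused; write `{% for mesh_out in meshes %}` and `{% if mesh_forward.id != mesh_out.id %}`, and the same applies to rules.v6.j2.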
@@ -7,8 +7,12 @@ :OUTPUT ACCEPT [0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -{% for mesh in meshes %} --A FORWARD -i {{ mesh.id }}br -o {{ mesh.id }}br -j ACCEPT +{% for mesh_forward in meshes %} +{% for mesh_recursive in meshes recursive %} +{% if not mesh_forward.id == mesh_recursive.id %} +-A FORWARD -i {{ mesh_forward.id }}br -o {{ mesh_recursive.id }}br -j ACCEPT +{% endif %} +{% endfor %} {% endfor %} -A FORWARD -m conntrack --ctstate INVALID -j DROP -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT From 466a08a0b38c03e262d38b06ecb1391638248744 Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Thu, 30 Nov 2017 23:12:15 +0100 Subject: [PATCH 103/106] Role service-fastd-mesh: ensure fastd_status.json file is present; reorder nginx roles --- playbooks/gateways.yml | 4 ++-- roles/service-fastd-mesh/tasks/main.yml | 8 ++++++++ 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/playbooks/gateways.yml b/playbooks/gateways.yml index 9e2e2da..8adeeb0 100755 --- a/playbooks/gateways.yml +++ b/playbooks/gateways.yml @@ -20,6 +20,8 @@ - network-iptables-gateway - network-routing - service-dhcpd + - service-nginx + - service-nginx-firmware - service-radvd - service-fastd - service-fastd-mesh @@ -30,5 +32,3 @@ - service-bird-ffrl - service-bind-slave - service-respondd - - service-nginx - - service-nginx-firmware diff --git a/roles/service-fastd-mesh/tasks/main.yml b/roles/service-fastd-mesh/tasks/main.yml index c8b9f8e..879fe80 100644 --- a/roles/service-fastd-mesh/tasks/main.yml +++ b/roles/service-fastd-mesh/tasks/main.yml @@ -112,6 +112,14 @@ mode: 0644 notify: reload systemd +- name: create fastd_status.json file + file: + path: /var/www/html/fastd_status.json + state: touch + owner: admin + group: admin + mode: 0644 + - name: write configuration for fastd-peer-limit-update script template: src: fastd_peer_limit_config.yaml.j2 
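Review bot: `state: touch` on `/var/www/html/fastd_status.json` is not idempotent — the file module updates the timestamps and reports `changed` on every run, which contradicts the idempotency the project Readme promises for gateway roles. Since the intent is only that the file exists with the given ownership, create it once without rewriting it, e.g. `copy: content: "" dest: /var/www/html/fastd_status.json force: no owner: admin group: admin mode: "0644"`. Quoting the mode as `"0644"` also follows Ansible's advice against unquoted octal literals in YAML.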
From 89c187a9754be19880c4eab0db2fc3422d86a74c Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Mon, 4 Dec 2017 06:21:25 +0100 Subject: [PATCH 104/106] Role network-routing: add missing service dependency for ffmwu-static-routes service unit --- roles/network-routing/templates/ffmwu-static-routes.service.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/network-routing/templates/ffmwu-static-routes.service.j2 b/roles/network-routing/templates/ffmwu-static-routes.service.j2 index ad342f0..e793f81 100644 --- a/roles/network-routing/templates/ffmwu-static-routes.service.j2 +++ b/roles/network-routing/templates/ffmwu-static-routes.service.j2 @@ -1,6 +1,6 @@ [Unit] Description=Manage Freifunk MWU static routes -After=network-online.target +After=network-online.target networking.service [Service] Type=oneshot From 0f9cee0e7da9ac35a478690320e4e5657e8dd11a Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Mon, 4 Dec 2017 16:32:38 +0100 Subject: [PATCH 105/106] Role service-tinc: add task to enable post-merge script --- roles/service-tinc/tasks/main.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/roles/service-tinc/tasks/main.yml b/roles/service-tinc/tasks/main.yml index 034350f..5ee461d 100644 --- a/roles/service-tinc/tasks/main.yml +++ b/roles/service-tinc/tasks/main.yml @@ -26,6 +26,15 @@ register: metanodes changed_when: false +- name: enable freifunk/icvpn post-merge script + copy: + remote_src: yes + src: /etc/tinc/{{ icvpn.interface }}/scripts/post-merge + dest: /etc/tinc/{{ icvpn.interface }}/.git/hooks/ + owner: admin + group: admin + mode: 0755 + - name: write tinc.conf template: src: tinc.conf.j2 From ad5b658467604b73c2a5630283244d89a7296798 Mon Sep 17 00:00:00 2001 
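Review bot: `After=network-online.target networking.service` only orders the unit; nothing here pulls `network-online.target` in, so on a host where no other unit wants that target the routes may be installed as soon as `networking.service` returns, before the ifupdown interfaces are actually up. Add `Wants=network-online.target` to the `[Unit]` section next to the `After=` line. The unit continues outside the hunk.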
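Review bot: Copying `scripts/post-merge` out of the icvpn checkout into `.git/hooks/` turns repository content into code git executes on every merge, so whoever controls the upstream icvpn repository (or the transport, if it is fetched over plain http) gets code execution on the gateway with the privileges of the user running `git pull`; and because the task re-copies from the checkout, a changed hook is adopted on the next Ansible run without anyone reviewing it. Prefer shipping a vetted copy of the hook from the role itself (`copy: src: post-merge` without `remote_src`), or pin the checkout to a reviewed commit, and document the trust decision in the role README either way. The clone task for `icvpn.interface` is outside this hunk, so the transport and pinning are assumptions to confirm.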
From: n0trax Date: Tue, 5 Dec 2017 05:58:34 +0100 Subject: [PATCH 106/106] Add prometheus role (#9) --- roles/service-prometheus/LICENSE | 22 ++ roles/service-prometheus/README.md | 239 ++++++++++++++++++ roles/service-prometheus/defaults/main.yml | 32 +++ .../service-prometheus/files/alertmanager.yml | 13 + roles/service-prometheus/handlers/main.yml | 9 + .../service-prometheus/tasks/alertmanager.yml | 61 +++++ .../service-prometheus/tasks/install-gosu.yml | 19 ++ roles/service-prometheus/tasks/main.yml | 51 ++++ .../tasks/node-exporter.yml | 40 +++ roles/service-prometheus/tasks/prometheus.yml | 79 ++++++ .../templates/alertmanager.service.j2 | 18 ++ .../templates/node_exporter.service.j2 | 18 ++ .../templates/prometheus.service.j2 | 18 ++ .../templates/prometheus.yml.j2 | 36 +++ 14 files changed, 655 insertions(+) create mode 100644 roles/service-prometheus/LICENSE create mode 100644 roles/service-prometheus/README.md create mode 100644 roles/service-prometheus/defaults/main.yml create mode 100644 roles/service-prometheus/files/alertmanager.yml create mode 100644 roles/service-prometheus/handlers/main.yml create mode 100644 roles/service-prometheus/tasks/alertmanager.yml create mode 100644 roles/service-prometheus/tasks/install-gosu.yml create mode 100644 roles/service-prometheus/tasks/main.yml create mode 100644 roles/service-prometheus/tasks/node-exporter.yml create mode 100644 roles/service-prometheus/tasks/prometheus.yml create mode 100644 roles/service-prometheus/templates/alertmanager.service.j2 create mode 100644 roles/service-prometheus/templates/node_exporter.service.j2 create mode 100644 roles/service-prometheus/templates/prometheus.service.j2 create mode 100644 roles/service-prometheus/templates/prometheus.yml.j2 diff --git a/roles/service-prometheus/LICENSE b/roles/service-prometheus/LICENSE new file mode 100644 index 0000000..9aba21a --- /dev/null +++ b/roles/service-prometheus/LICENSE 
@@ -0,0 +1,22 @@ +The MIT License (MIT) + +Copyright (c) 2015 William Yeh + + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/roles/service-prometheus/README.md b/roles/service-prometheus/README.md new file mode 100644 index 0000000..2b7d0b2 --- /dev/null +++ b/roles/service-prometheus/README.md 
@@ -0,0 +1,239 @@ + +FFMWU prometheus +============ + + +## Summary + +Prometheus ansible role based on **[williamyeh.prometheus](https://galaxy.ansible.com/williamyeh/prometheus/)** + +This Ansible role has the following features for [Prometheus](http://prometheus.io/): + + - Install specific versions of [Prometheus server](https://github.com/prometheus/prometheus), [Node exporter](https://github.com/prometheus/node_exporter), [Alertmanager](https://github.com/prometheus/alertmanager). + - Handlers for restart/reload/stop events; + - Bare bone configuration (*real* configuration should be left to user's template files; see **Usage** section below). + +## Role Variables + + +### Mandatory variables + +The components to be installed: + +```yaml +# Supported components: +# +# [Server components] +# - "prometheus" +# - "alertmanager" +# +# [Exporter components] +# - "node_exporter" +# +prometheus_components +``` + + + +### Optional variables: general settings + + +User-configurable defaults: + +```yaml +# user and group +prometheus_user: prometheus +prometheus_group: prometheus + + +# directory for executable files +prometheus_install_path: /opt/prometheus + +# directory for configuration files +prometheus_config_path: /etc/prometheus + +# directory for PID files +prometheus_pid_path: /var/run/prometheus + +# directory for temporary files +prometheus_download_path: /tmp + +# version of helper utility "gosu" +gosu_version: "1.10" +``` + +### Optional variables: Prometheus server + +User-configurable defaults: + +```yaml +# which version? 
+prometheus_version: 2.0.0 + +# directory for rule files +prometheus_rule_path: {{ prometheus_config_path }}/rules + +# directory for file_sd files +prometheus_file_sd_config_path: {{ prometheus_config_path }}/tgroups + +# directory for runtime database +prometheus_db_path: /var/lib/prometheus +``` + + + + + + +User-installable configuration file (see [doc](http://prometheus.io/docs/operating/configuration/) for details): + + +```yaml +# main conf template relative to `playbook_dir`; +# to be installed to "{{ prometheus_config_path }}/prometheus.yml" +prometheus_conf_main +``` + + +User-installable rule files (see [doc](http://prometheus.io/docs/alerting/rules/) for details): + + +```yaml +# rule files to be installed to "{{ prometheus_rule_path }}" directory; +# dict fields: +# - key: memo for this rule +# - value: +# - src: file relative to `playbook_dir` +# - dest: target file relative to `{{ prometheus_rule_path }}` +prometheus_rule_files +``` + + +Additional command-line arguments, if any (use `prometheus --help` to see the full list of arguments): + +```yaml +prometheus_opts +``` + + +### Optional variables: Node exporter + + +User-configurable defaults: + +```yaml +# which version? +node_exporter_version: 0.15.1 +``` + +Additional command-line arguments, if any (use `node_exporter --help` to see the full list of arguments): + +```yaml +node_exporter_opts +``` + + +### Optional variables: Alertmanager + + +User-configurable defaults: + +```yaml +# which version? 
+alertmanager_version: 0.10.0 + +# directory for runtime database (currently for `silences.json`) +alertmanager_db_path: /var/lib/alertmanager +``` + +User-installable alertmanager conf file (see [doc](http://prometheus.io/docs/alerting/alertmanager/) for details): +See files directory alertmanager.yml + + +Additional command-line arguments, if any (use `alertmanager --help` to see the full list of arguments): + +```yaml +prometheus_alertmanager_opts +``` + + + + +## Handlers + +Prometheus server: + +- `reload prometheus` + +Alertmanager: + +- `reload alertmanager` + + +## Usage + + +### Step 1: add role + +Add role name `service-prometheus` to your playbook file. + + +### Step 2: add variables + +Set vars in your playbook file, if necessary. + +Simple example: + +```yaml +--- +# file: simple-playbook.yml + +- hosts: all + become: True + roles: + - service-prometheus + + vars: + prometheus_components: [ "prometheus", "alertmanager" ] +``` + + +### Step 3: copy user's config files, if necessary + + +More practical example: + +```yaml +--- +# file: complex-playbook.yml + +- hosts: all + become: True + roles: + - service-prometheus + + vars: + prometheus_components: + - prometheus + - node_exporter + - alertmanager + + prometheus_rule_files: + this_is_rule_1_InstanceDown: + src: some/path/basic.rules + dest: basic.rules +``` + + +### Step 4: browse the default Prometheus pages + +Open the page in your browser: + +- Prometheus - `http://HOST:9090` or `http://HOST:9090/consoles/node.html` + +- Alertmanager - `http://HOST:9093` + + +## License + +MIT License. See the [LICENSE file](LICENSE) for details. diff --git a/roles/service-prometheus/defaults/main.yml b/roles/service-prometheus/defaults/main.yml new file mode 100644 index 0000000..c639e3e --- /dev/null +++ b/roles/service-prometheus/defaults/main.yml 
@@ -0,0 +1,32 @@ +--- +# +# user-configurable defaults +# + +prometheus_components: + - "node_exporter" + +prometheus_user: prometheus +prometheus_group: prometheus + +prometheus_version: 2.0.0 +node_exporter_version: 0.15.1 +alertmanager_version: 0.10.0 + +gosu_version: "1.10" + +prometheus_install_path: /opt/prometheus +prometheus_config_path: /etc/prometheus +prometheus_rule_path: "{{ prometheus_config_path }}/rules" +prometheus_file_sd_config_path: "{{ prometheus_config_path }}/tgroups" +prometheus_db_path: /var/lib/prometheus +alertmanager_db_path: /var/lib/alertmanager +prometheus_pid_path: /var/run/prometheus + +prometheus_download_path: /tmp +prometheus_workdir: "{{ prometheus_download_path }}/prometheus_workdir" +prometheus_goroot: "{{ prometheus_workdir }}/go" +prometheus_gopath: "{{ prometheus_workdir }}/gopath" + +prometheus_default_opts: "--config.file={{ prometheus_config_path }}/prometheus.yml --storage.tsdb.path={{ prometheus_db_path }}" +alertmanager_default_opts: "-config.file={{ prometheus_config_path }}/alertmanager.yml -storage.path={{ alertmanager_db_path }}" diff --git a/roles/service-prometheus/files/alertmanager.yml b/roles/service-prometheus/files/alertmanager.yml new file mode 100644 index 0000000..abab519 --- /dev/null +++ b/roles/service-prometheus/files/alertmanager.yml @@ -0,0 +1,13 @@ +global: + +route: + group_by: ['alertname', 'cluster'] + group_wait: 30s + group_interval: 5m + repeat_interval: 3h + receiver: 'default-pager' + +receivers: + - name: 'default-pager' + pagerduty_configs: + - service_key: diff --git a/roles/service-prometheus/handlers/main.yml b/roles/service-prometheus/handlers/main.yml new file mode 100644 index 0000000..a293535 --- /dev/null +++ b/roles/service-prometheus/handlers/main.yml @@ -0,0 +1,9 @@ +- name: reload prometheus + service: + name: prometheus + state: reloaded + +- name: reload alertmanager + service: + name: alertmanager + state: reloaded 
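Review bot: `prometheus_workdir`, `prometheus_goroot` and `prometheus_gopath` are defined but no task added in this commit references them — they look like leftovers from the upstream role's build-from-source path — and unused defaults invite users to set them expecting an effect; drop them or mark them `# unused`. `alertmanager_default_opts` uses single-dash flags (`-config.file`, `-storage.path`) while `prometheus_default_opts` uses the double-dash form; that difference is tied to the pinned `alertmanager_version: 0.10.0`, since later Alertmanager releases moved to `--config.file`/`--storage.path`, so a comment such as `# single-dash flags are what alertmanager 0.10.x expects; a version bump likely needs --config.file/--storage.path` would save the next upgrade a broken unit. The version pins also carry no accompanying checksum values, which the download tasks would need in order to verify what they fetch.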
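Review bot: `service_key:` is shipped empty (YAML reads it as null), and because tasks/alertmanager.yml installs this file verbatim with `copy:`, the only way to make the `default-pager` receiver work is to write the PagerDuty integration key into the role's `files/alertmanager.yml` — i.e. commit a secret to the repository. Render it from a template instead, e.g. `service_key: "{{ alertmanager_pagerduty_service_key }}"` with the value held in a vault-encrypted variable (name constructed here), and give the installing task `mode: "0640"`. `global:` is likewise a bare key that parses as null; `global: {}` states the intent explicitly. Alertmanager will probably reject an empty service key at config load, so as committed the alertmanager component is unlikely to start with the role's own defaults.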
diff --git a/roles/service-prometheus/tasks/alertmanager.yml b/roles/service-prometheus/tasks/alertmanager.yml new file mode 100644 index 0000000..3436a94 --- /dev/null +++ b/roles/service-prometheus/tasks/alertmanager.yml @@ -0,0 +1,61 @@ +--- +# Install Prometheus alertmanager. + +- name: set internal variables, part 1 + set_fact: + alertmanager_signature: "alertmanager-{{ alertmanager_version }}.linux-amd64" + +- name: set internal variables, part 2 + set_fact: + alertmanager_daemon_dir: "{{ prometheus_install_path }}/{{ alertmanager_signature }}" + +- name: set download url + set_fact: + alertmanager_tarball_url: "https://github.com/prometheus/alertmanager/releases/download/v{{ alertmanager_version }}/{{ alertmanager_signature }}.tar.gz" + +- name: download and uncompress alertmanager tarball + unarchive: + src: "{{ alertmanager_tarball_url }}" + dest: "{{ prometheus_install_path }}" + copy: no + owner: "{{ prometheus_user }}" + group: "{{ prometheus_group }}" + mode: "go-w" + creates: "{{ alertmanager_daemon_dir }}" + +- name: create alertmanager /usr/local/bin links + file: + src: "{{ alertmanager_daemon_dir }}/{{ item }}" + dest: "/usr/local/bin/{{ item }}" + state: link + with_items: + - "alertmanager" + - "amtool" + +- name: mkdir for alertmanager data (silences.json for now) + file: + path: "{{ item }}" + state: directory + owner: "{{ prometheus_user }}" + group: "{{ prometheus_group }}" + mode: "u=rwx,g=rx,o=" + with_items: + - "{{ alertmanager_db_path }}" + +- name: copy alertmanager systemd config + template: + src: "alertmanager.service.j2" + dest: "/lib/systemd/system/alertmanager.service" + +- name: install alertmanager config file + copy: + src: "alertmanager.yml" + dest: "{{ prometheus_config_path }}/alertmanager.yml" + notify: + - reload alertmanager + +- name: enable alertmanager service + service: + name: alertmanager + enabled: yes + state: started 
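Review bot: The `download and uncompress alertmanager tarball` task fetches the release archive straight from GitHub with `unarchive` and no integrity check, so a tampered or substituted tarball is extracted and symlinked into `/usr/local/bin` unnoticed; the same pattern recurs in install-gosu.yml, node-exporter.yml and prometheus.yml. `unarchive` has no checksum option, so download with `get_url` and a pinned `checksum:` (the Prometheus project publishes a `sha256sums.txt` per release) and then extract the verified local file with `remote_src`, as sketched below. The `install alertmanager config file` task also sets no `owner`/`group`/`mode`; that file is where the PagerDuty key ends up, so it should be `mode: "0640"` owned by `{{ prometheus_user }}`:`{{ prometheus_group }}` rather than left to the default umask.
```yaml
- name: download alertmanager tarball
  get_url:
    url: "{{ alertmanager_tarball_url }}"
    dest: "{{ prometheus_download_path }}/{{ alertmanager_signature }}.tar.gz"
    # alertmanager_tarball_sha256: new variable (name constructed here), pinned
    # in defaults next to alertmanager_version from the release's sha256sums.txt
    checksum: "sha256:{{ alertmanager_tarball_sha256 }}"

- name: uncompress alertmanager tarball
  unarchive:
    src: "{{ prometheus_download_path }}/{{ alertmanager_signature }}.tar.gz"
    dest: "{{ prometheus_install_path }}"
    remote_src: true
    owner: "{{ prometheus_user }}"
    group: "{{ prometheus_group }}"
    mode: "go-w"
    creates: "{{ alertmanager_daemon_dir }}"

# … unchanged: /usr/local/bin links, data dir, systemd unit, config copy, service …
```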
diff --git a/roles/service-prometheus/tasks/install-gosu.yml b/roles/service-prometheus/tasks/install-gosu.yml new file mode 100644 index 0000000..78c686a --- /dev/null +++ b/roles/service-prometheus/tasks/install-gosu.yml @@ -0,0 +1,19 @@ +# Install "gosu" utility. +# +# @see https://github.com/tianon/gosu +# + +- name: set internal variables for convenience + set_fact: + gosu_bin_url: "https://github.com/tianon/gosu/releases/download/{{ gosu_version }}/gosu-amd64" + +- name: download gosu executable + get_url: + url: "{{ gosu_bin_url }}" + dest: "/usr/local/bin/gosu" + +- name: add executable permission + file: + path: "/usr/local/bin/gosu" + state: file + mode: "a+x" diff --git a/roles/service-prometheus/tasks/main.yml b/roles/service-prometheus/tasks/main.yml new file mode 100644 index 0000000..4ed1092 --- /dev/null +++ b/roles/service-prometheus/tasks/main.yml 
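Review bot: `download gosu executable` drops a binary from GitHub directly into `/usr/local/bin` and `add executable permission` makes it executable, with no integrity check in between; `get_url` supports `checksum: "sha256:<digest from the gosu release>"`, and `mode: "0755"` on the same task replaces the separate `file` step. Nothing visible in this commit invokes gosu — all three unit templates switch user via `User=`/`Group=` — so if no other role depends on it, dropping the `install helper utility "gosu"` include from tasks/main.yml removes an unverified root-installed binary altogether. If it is kept, a comment naming who consumes it would stop the next reader from asking the same question.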
@@ -0,0 +1,51 @@ +# Top-level installer for Prometheus. + +- name: create Prometheus group + group: + name: "{{ prometheus_group }}" + state: present + +- name: create Prometheus user + user: + name: "{{ prometheus_user }}" + group: "{{ prometheus_group }}" + createhome: no + shell: /sbin/nologin + comment: "Prometheus User" + state: present + +- name: create base directories + file: + path: "{{ item }}" + state: directory + owner: "{{ prometheus_user }}" + group: "{{ prometheus_group }}" + mode: "u=rwx,g=rx,o=" + with_items: + - "{{ prometheus_install_path }}" + - "{{ prometheus_config_path }}" + - "{{ prometheus_pid_path }}" + +- name: install helper utility "gosu" + include_tasks: install-gosu.yml + +- name: install and configure prometheus service + include_tasks: prometheus.yml + when: '"prometheus" in prometheus_components' + +- name: install and configure node-exporter service + include_tasks: node-exporter.yml + when: '"node_exporter" in prometheus_components' + +- name: install and configure alertmanager service + include_tasks: alertmanager.yml + when: '"alertmanager" in prometheus_components' + +- name: set {{ prometheus_install_path }} permissions, owner and group + file: + path: "{{ prometheus_install_path }}" + state: directory + owner: "{{ prometheus_user }}" + group: "{{ prometheus_group }}" + mode: "go-w" + recurse: yes diff --git a/roles/service-prometheus/tasks/node-exporter.yml b/roles/service-prometheus/tasks/node-exporter.yml new file mode 100644 index 0000000..cb55d53 --- /dev/null +++ b/roles/service-prometheus/tasks/node-exporter.yml 
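Review bot: The closing `set {{ prometheus_install_path }} permissions, owner and group` task recursively hands ownership of every installed binary to the service account, so a compromised prometheus/node_exporter/alertmanager process could rewrite its own executables — exactly the separation that running under `User=` is meant to provide. Keep the install tree root-owned (`owner: root`, `group: root`, `mode: "go-w"`) and reserve `{{ prometheus_user }}` ownership for the data and config directories; the `unarchive` task in alertmanager.yml sets the same service-account owner and needs the same change. `create Prometheus group` and `create Prometheus user` should also carry `system: yes` so the account lands in the system UID/GID range and outside ordinary-user password policies, and `shell: /sbin/nologin` is worth checking against the target distribution, since Debian-family hosts ship it as `/usr/sbin/nologin` unless `/sbin` is merged into `/usr`.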
@@ -0,0 +1,40 @@ +# Install Prometheus node-exporter. +# +# @see http://prometheus.io/docs/introduction/getting_started/ + +- name: set internal variables for convenience + set_fact: + node_exporter_daemon_dir: "{{ prometheus_install_path }}/node_exporter-{{ node_exporter_version }}.linux-amd64" + node_exporter_tarball_url: "https://github.com/prometheus/node_exporter/releases/download/v{{ node_exporter_version }}/node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz" + +- name: download and untar node_exporter tarball + unarchive: + src: "{{ node_exporter_tarball_url }}" + dest: "{{ prometheus_install_path }}" + copy: no + creates: "{{ node_exporter_daemon_dir }}" + +- name: create node_exporter /usr/local/bin link + file: + src: "{{ node_exporter_daemon_dir }}/node_exporter" + dest: "/usr/local/bin/node_exporter" + state: link + +- name: mkdir for data + file: + path: "{{ prometheus_db_path }}" + state: directory + owner: "{{ prometheus_user }}" + group: "{{ prometheus_group }}" + mode: "u=rwx,g=rx,o=" + +- name: copy systemd config to server + template: + src: "../templates/node_exporter.service.j2" + dest: "/lib/systemd/system/node_exporter.service" + +- name: enable node_exporter service + service: + name: node_exporter + enabled: yes + state: started diff --git a/roles/service-prometheus/tasks/prometheus.yml b/roles/service-prometheus/tasks/prometheus.yml new file mode 100644 index 0000000..53fae23 --- /dev/null +++ b/roles/service-prometheus/tasks/prometheus.yml 
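Review bot: `mkdir for data` creates `{{ prometheus_db_path }}` — the Prometheus server's TSDB directory — even though node_exporter writes no data, so on a node_exporter-only host (the role's default `prometheus_components`) an empty, service-account-owned `/var/lib/prometheus` is left behind; the task looks like a copy-paste leftover and can be dropped. The template `src: "../templates/node_exporter.service.j2"` is inconsistent with the bare `src:` names used in prometheus.yml and alertmanager.yml; Ansible already resolves role templates relative to `templates/`, so `src: "node_exporter.service.j2"` suffices. With `node_exporter_opts` undefined the exporter also listens on all interfaces, exposing host metrics to anything that can reach port 9100; documenting a `--web.listen-address` bound to the monitoring interface (or a firewall rule) in defaults would make that exposure a deliberate choice rather than an accident.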
@@ -0,0 +1,79 @@ +# Install Prometheus server. +# +# @see http://prometheus.io/docs/introduction/getting_started/ +# + +- name: set internal variables for convenience + set_fact: + prometheus_daemon_dir: "{{ prometheus_install_path }}/prometheus-{{ prometheus_version }}.linux-amd64" + prometheus_tarball_url: "https://github.com/prometheus/prometheus/releases/download/v{{ prometheus_version }}/prometheus-{{ prometheus_version }}.linux-amd64.tar.gz" + +- name: set prometheus default options + set_fact: + prometheus_default_opts: "{{ prometheus_default_opts }} --web.console.templates={{ prometheus_daemon_dir }}/consoles --web.console.libraries={{ prometheus_daemon_dir }}/console_libraries" + +- name: download and untar prometheus tarball + unarchive: + src: "{{ prometheus_tarball_url }}" + dest: "{{ prometheus_install_path }}" + copy: no + creates: "{{ prometheus_daemon_dir }}" + +- name: create prometheus /usr/local/bin links + file: + src: "{{ prometheus_daemon_dir }}/{{ item }}" + dest: "/usr/local/bin/{{ item }}" + state: link + with_items: + - "prometheus" + - "promtool" + +- name: mkdir for config and data + file: + path: "{{ item }}" + state: directory + owner: "{{ prometheus_user }}" + group: "{{ prometheus_group }}" + mode: "u=rwx,g=rx,o=" + with_items: + - "{{ prometheus_rule_path }}" + - "{{ prometheus_file_sd_config_path }}" + - "{{ prometheus_db_path }}" + +- name: copy prometheus systemd config + template: + src: "prometheus.service.j2" + dest: "/lib/systemd/system/prometheus.service" + +- name: copy rule files from playbook's, if any + copy: + src: "{{ playbook_dir }}/{{ item.value.src }}" + dest: "{{ prometheus_rule_path }}/{{ item.value.dest }}" + validate: "{{ prometheus_daemon_dir }}/promtool check rules %s" + with_dict: '{{ prometheus_rule_files | default({}) }}' + notify: + - reload prometheus + +- name: copy prometheus main config file from role's default, if necessary + template: + src: "prometheus.yml.j2" + dest: "{{ prometheus_config_path 
}}/prometheus.yml" + validate: "{{ prometheus_daemon_dir }}/promtool check config %s" + when: prometheus_conf_main is not defined + notify: + - reload prometheus + +- name: copy prometheus main config file from playbook's, if any + template: + src: "{{ playbook_dir }}/{{ prometheus_conf_main }}" + dest: "{{ prometheus_config_path }}/prometheus.yml" + validate: "{{ prometheus_daemon_dir }}/promtool check config %s" + when: prometheus_conf_main is defined + notify: + - reload prometheus + +- name: enable prometheus service + service: + name: prometheus + enabled: yes + state: started diff --git a/roles/service-prometheus/templates/alertmanager.service.j2 b/roles/service-prometheus/templates/alertmanager.service.j2 new file mode 100644 index 0000000..891e35f --- /dev/null +++ b/roles/service-prometheus/templates/alertmanager.service.j2 @@ -0,0 +1,18 @@ +[Unit] +Description=Prometheus alertmanager. +After=network.target + +[Service] +Type=simple + +PIDFile={{ prometheus_pid_path }}/alertmanager.pid + +User={{ prometheus_user }} +Group={{ prometheus_group }} + +{% if prometheus_opts is defined %} +ExecStart={{ alertmanager_daemon_dir }}/alertmanager {{ alertmanager_default_opts }} {{ alertmanager_opts }} +{% else %} +ExecStart={{ alertmanager_daemon_dir }}/alertmanager {{ alertmanager_default_opts }} +{% endif %} +ExecReload=/bin/kill -HUP $MAINPID diff --git a/roles/service-prometheus/templates/node_exporter.service.j2 b/roles/service-prometheus/templates/node_exporter.service.j2 new file mode 100644 index 0000000..abb2007 --- /dev/null +++ b/roles/service-prometheus/templates/node_exporter.service.j2 
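Review bot: The three config-installing tasks (`copy rule files from playbook's` and both `copy prometheus main config file …` templates) set no `owner`/`group`/`mode`, so `prometheus.yml` — which commonly carries `basic_auth`, `bearer_token` or `remote_write` credentials — is written root-owned and world-readable under the default umask. Add `owner: "{{ prometheus_user }}"`, `group: "{{ prometheus_group }}"`, `mode: "0640"` to each; the promtool `validate:` step runs on the temporary file and is unaffected. The `set prometheus default options` task also overwrites `prometheus_default_opts` with `set_fact`, which outranks the role default and would append the console flags again if the role were applied twice in one run; writing them to a separate fact (e.g. `prometheus_console_opts`) consumed by the unit template avoids that.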
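Review bot: The `{% if prometheus_opts is defined %}` guard tests the wrong variable: a playbook that sets `prometheus_opts` but not `alertmanager_opts` makes this template fail on the undefined `{{ alertmanager_opts }}`, while setting only `alertmanager_opts` silently ignores it; the condition should read `{% if alertmanager_opts is defined %}` (the README calls the same knob `prometheus_alertmanager_opts`, so one name needs to win). `PIDFile=` is intended for `Type=forking` units and nothing here writes a pid file, so it can go, and `After=network.target` does not wait for addresses to be configured where `network-online.target` does. None of the three unit templates (this one, node_exporter.service.j2, prometheus.service.j2) sets `Restart=on-failure` or basic sandboxing such as `NoNewPrivileges=true`, `PrivateTmp=true`, `ProtectSystem=full` and `ProtectHome=true`; as far as the daemons' visible file needs go (their config, data and install directories) that hardening is cheap.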
@@ -0,0 +1,18 @@ +[Unit] +Description=node_exporter - Prometheus exporter for machine metrics. +After=network.target + +[Service] +Type=simple + +PIDFile={{ prometheus_pid_path }}/node_exporter.pid + +User={{ prometheus_user }} +Group={{ prometheus_group }} + +{% if node_exporter_opts is defined %} +ExecStart={{ node_exporter_daemon_dir }}/node_exporter {{ node_exporter_opts }} +{% else %} +ExecStart={{ node_exporter_daemon_dir }}/node_exporter +{% endif %} +ExecReload=/bin/kill -HUP $MAINPID diff --git a/roles/service-prometheus/templates/prometheus.service.j2 b/roles/service-prometheus/templates/prometheus.service.j2 new file mode 100644 index 0000000..f6773cb --- /dev/null +++ b/roles/service-prometheus/templates/prometheus.service.j2 @@ -0,0 +1,18 @@ +[Unit] +Description=Prometheus server daemon. +After=network.target + +[Service] +Type=simple + +PIDFile={{ prometheus_pid_path }}/prometheus.pid + +User={{ prometheus_user }} +Group={{ prometheus_group }} + +{% if prometheus_opts is defined %} +ExecStart={{ prometheus_daemon_dir }}/prometheus {{ prometheus_default_opts }} {{ prometheus_node_exporter_opts }} +{% else %} +ExecStart={{ prometheus_daemon_dir }}/prometheus {{ prometheus_default_opts }} +{% endif %} +ExecReload=/bin/kill -HUP $MAINPID diff --git a/roles/service-prometheus/templates/prometheus.yml.j2 b/roles/service-prometheus/templates/prometheus.yml.j2 new file mode 100644 index 0000000..93a3eb0 --- /dev/null +++ b/roles/service-prometheus/templates/prometheus.yml.j2 
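Review bot: The `ExecStart` in the `{% if prometheus_opts is defined %}` branch appends `{{ prometheus_node_exporter_opts }}` instead of `{{ prometheus_opts }}`, so the one case the guard exists for — a user supplying extra server flags — fails to render on an undefined variable rather than applying them; change it to `ExecStart={{ prometheus_daemon_dir }}/prometheus {{ prometheus_default_opts }} {{ prometheus_opts }}`. Since the README documents `prometheus_opts` as the extension point, this is a functional bug rather than a cosmetic one. The Prometheus UI and HTTP API also listen on all interfaces without authentication by default; a comment next to `prometheus_default_opts` in defaults, or an explicit `--web.listen-address`, would make that exposure a documented decision.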
@@ -0,0 +1,36 @@ +global: + scrape_interval: 15s # By default, scrape targets every 15 seconds. + evaluation_interval: 15s # By default, scrape targets every 15 seconds. + # scrape_timeout is set to the global default (10s). + + # The labels to add to any time series or alerts when communicating with + # external systems (federation, remote storage, Alertmanager). + external_labels: + monitor: 'master' + +{% if prometheus_rule_files is defined %} +# Rule files specifies a list of files from which rules are read. +rule_files: + {% for (key, value) in prometheus_rule_files.iteritems() %} + - {{ prometheus_rule_path }}/{{ value.dest }} + {% endfor %} +{% endif %} + +# A list of scrape configurations. +scrape_configs: + + - job_name: 'prometheus' + scrape_interval: 10s + scrape_timeout: 10s + static_configs: + - targets: ['localhost:9090'] + + - job_name: "node" + file_sd_configs: + - files: + - '{{ prometheus_file_sd_config_path }}/*.json' + - '{{ prometheus_file_sd_config_path }}/*.yml' + - '{{ prometheus_file_sd_config_path }}/*.yaml' + #static_configs: + #- targets: + # - "localhost:9100"
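Review bot: `prometheus_rule_files.iteritems()` is Python 2-only; on a Python 3 controller the `for` loop raises an attribute error and the whole `prometheus.yml` render fails before promtool validation ever runs. `items()` works on both: `{% for (key, value) in prometheus_rule_files.items() %}`. The guard `{% if prometheus_rule_files is defined %}` is also looser than the task side, which treats the variable as `default({})`; `{% if prometheus_rule_files | default({}) %}` keeps an empty dict from emitting a bare `rule_files:` key.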