Restructure ansible (#8)

* Add filename prefix to playbooks

* Inventory: clean up & rename role ffmwu-prereq to test-prerequisites

Remove all hosts which aren't set up by ansible yet. Prepare to start
from scratch. Only add hosts to the inventory which will be set up
completely by ansible.

* Role test-prerequisites: improve tasks; update OS to current debian
stable

* Add a bunch of new roles

- Update Readme
- Update ansible.cfg
- Add playbook to set up gateways
- Add group variables

* Roles: add role documentation

* Some restructuring (#3)

* Modify prerequisites role and integrate prerequisites role into all playbooks (#4)

* Add relaxed yamllint config and fix errors

* Add role service-rclocal

* Add role service-bird

* Move localtestvm to separate role (untested) (#6)

* Add role git-repos

* Add role service-bird-icvpn; add python3-yaml package to server-basic
role

* Add role service-bird-ffrl

* Set 'become' default to True (#7)

* Retouch tasks due to 'become' defaulting to True

* Add role service-bird-ffrl to playbook gateways

* Role service-bird-ffrl: correct ipaddr filters

* Update readme of roles service-fastd-mesh + service-fastd-intragate

* Update Readme.md

- update passwordstore lookup for fastd secrets
- add explanation about sensitive information

* Role server-basic: add package bridge-utils

* Add role service-tinc

* Add role system-sysctl-gateway

* Add version to git modules in roles:

- git-fastd-peers
- git-repos
- service-tinc

* Add readme for role prerequisites

* Add role network-iptables-gateway

- move netfilter-specific sysctl settings

* Role kmod-batman: load kernel modules

* Role service-bird-icvpn: use a task and not a handler to set file attrs

* Add role service-bind-slave

* Restructure network interfaces in order to use ifupdown2

- rewrite interface templates for batman, fastd, ffrl and meshbridge
- add package ethtool to role server-basic
- use more ipaddr filters and get rid of unneeded variables in dict
ffrl_exit_server
- change ffrl_public_ipv4_nat variable to ip/prefix format
- update readme files

* Role service-dhcpd: fix disabled notify

* Role service-fastd-mesh + service-fastd-intragate: fix mac address format

* Restructure service-fastd roles

- migrate role git-fastd-peers
- add role service-fastd
- add repo clone for ffbin peers (currently hardcoded)
- add role dependency to role service-fastd-mesh +
service-fastd-intragate
- add systemd handlers

* Role service-tinc: use a task instead of a handler for systemd stuff

* Role service-radvd: update handlers

* Update loop keys

* Role service-radvd: optimize ipaddr filters

* Role service-radvd: make more parameters configurable

* Update Readme.md

* Role service-fastd-mesh: add systemd unit + timer to update mesh peers

* Role service-bird + service-bird-icvpn: add systemd unit + timer to update roa+peers+tinc hosts

* Role git-repos: change branch of backend-scripts repo to drop-photon

* Role service-bind-slave: fix file permissions

* Role service-bind-slave: add systemd unit + timer to update icvpn bind config

* Role service-bird-icvpn: rename systemd unit+timer icvpn-update to icvpn-tinc-bgp-update

* Roles service-fastd-mesh + service-fastd-intragate: rename fastd socket

* Role service-rclocal: fix wrong interface

* Role network-iptables-gateway: rename var internet_exit_mtu_ipv[4|6] to internet_exit_tcp_mss_ipv[4|6]

* FFRL Internet Exit: move IPv4 NAT address to a single dummy interface

* Roles service-bird[|-ffrl|-icvpn]: rework handlers

* Update some ipaddr filters

* Fix wrong IP subnet calculation in roles service-radvd + service-rclocal

* Role service-fastd-mesh: move peer limit to a separate file which isn't managed by ansible

* Role service-fastd: ensure fastd service is masked

* Role service-fastd-mesh: add systemd timer for fastd peer limit update script

* Update Readme.md

* Migrate nested dictionary `meshes` into a list of dictionaries

- migrate dictionary `ipv6` into two simple lists
- migrate dictionary `forward_zones` into a list

* Restructure fastd configuration to define multiple instances easily

- introduce mesh subdictionary `fastd`
- change fastd instance naming
- change fastd network interface naming (identical with fastd instance
names)
- change mac address prefixes

* Roles service-fastd-[mesh|intragate]: update role dependencies

* Role network-batman: update batman-ifaces due to fastd instance change

- update README.md

* Role network-fastd: update README.md

* Readme.md: add control machine requirements

* Role service-fastd-mesh: fix typo in handler

* Role service-fastd: use own systemd unit fastd@.service

- original uses %I, which does no escaping, so dashes will be replaced
by slashes
- use %i instead of %I

* Add role network-routing

- move static routes from role service-rclocal to scripts run by systemd
unit
- move routing-specific sysctl settings

* Use package module where possible instead of apt

* Remove unnecessary handlers

* Move all handlers to one single role

* Update Readme.md

* Move IP rules from role `service-rclocal` to role `network-routing`

- add scripts to configure and delete IP rules via a systemd unit
- delete role `service-rclocal`
- update README.md
- add new handler

* Role network-routing: fix typos in ffmwu-del-ip-rules.sh template

* Add role service-respondd

* Roles service-fastd-[intragate|mesh]: update mac prefixes due to fastd instances change

* Fix some whitespace

* Ensure systemd units are started

* Add role service-nginx

* Add role service-nginx-firmware

* Add missing variables for role service-nginx-firmware

* Add roles service-nginx(-firmware) to playbook gateways

* Role service-nginx: add autoindex options to default vhost

* Flush handlers after configuring network interfaces

* Role service-respondd: also listen on fastd-interfaces

* Update fastd peer limit configuration

- add list of legacy gateways (temporarily)
- change backend-scripts branch to ansible
- Role server-basic: ensure ffmwu config directory is present
- Role service-fastd: add fastd-status script
- Role service-fastd-mesh: add templating for fastd peer limit
configuration

* Update Readme.md

* Lowercase all network interface names

* Inventory: add new gateway uffschnitt.freifunk-mwu.de

* Role server-repos: change ffmwu repo to stretch

* Role service-respondd: install python3 module dependency

* Role server-repos: remove universe-factory repo since fastd package is available in debian upstream

* Pretty format ansible.cfg

* Inventory host_vars: use single file instead of subfolder

* Role prerequisites: add cname asserts

* Role network-meshbridge: workaround to set mac address on boot and get ipv6 address configured correctly

* Playbook gateways: reorder roles

* Rename role server-repos to server-apt-repos

- Role server-apt-repos: add readme

* Role server-basic: add locale setting

* Roles service-fastd-mesh + service-fastd-intragate

- remove on-up|on-down stanzas from fastd.conf
- update readme

* Move dummy module from role kmod-batman to server-basic

* Roles service-fastd-[mesh|intragate]: reload networking on fastd instance start

* Rework passwordstore lookup handling in roles service-fastd-mesh and service-fastd-intragate

* Role service-tinc: rework passwordstore lookup

* Role network-iptables-gateway: fix freifunk bridge rules

* Role service-fastd-mesh: ensure fastd_status.json file is present; reorder nginx roles

* Role network-routing: add missing service dependency for ffmwu-static-routes service unit

* Role service-tinc: add task to enable post-merge script

* Add prometheus role (#9)
kokel 2017-12-05 05:59:06 +01:00 committed by GitHub
parent ab2efe5df3
commit ff1dac07ba
GPG key ID: 4AEE18F83AFDEB23
200 changed files with 4715 additions and 269 deletions

.yamllint Normal file

@ -0,0 +1,19 @@
extends: default
rules:
braces: {max-spaces-inside: 1, level: error}
brackets: {max-spaces-inside: 1, level: error}
colons: {max-spaces-after: -1, level: error}
commas: {max-spaces-after: -1, level: error}
comments: disable
comments-indentation: disable
document-start: disable
empty-lines: {max: 3, level: error}
hyphens: {level: error}
indentation: disable
key-duplicates: enable
line-length: disable
new-line-at-end-of-file: disable
new-lines: {type: unix}
trailing-spaces: enable
truthy: disable
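Review bot: `document-start: disable` lets two conventions coexist in this same commit: `inventory/group_vars/all` and the new host_vars file begin with `---`, while `playbooks/build-server.yml` and `playbooks/gateways.yml` go straight from the shebang into the play list. Pick one and re-enable the rule so the linter enforces it. `key-duplicates: enable` is the most valuable check kept here, since a duplicated key in `group_vars/all` would silently override the earlier value.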

Readme.md

@ -1,40 +1,195 @@
# ansible-ffmwu.git # Ansible Freifunk MWU
An dieser Stelle soll der ganze ansible-script-junk entstehen, um ein FFMWU-Gateway automagisiert aufzusetzen. Das Geraffel kann später auch auf andere server-Typen erweitert werden, wenn sinnvoll. Wir, die Freifunk MWU Community, nutzen Ansible um unsere Freifunk Server aufzusetzen und zu konfigurieren. In
Ein server muss minimal vorbereitet sein, bevor er mit den hiesigen Skripten zum Gate (oder zu Sonstigem) gemacht werden kann. Insbesondere müssen die folgenden Voraussetzungen erfüllt sein (diese werden vom playbook `test-prerequisites.yml` getestet): diesem Repository verwalten wir unsere Ansible Roles und Playbooks.
Ein Server muss minimal vorbereitet sein, bevor dieser per Ansible z.B. zu einem Freifunk-Gateway gemacht werden
kann. Die folgenden Voraussetzungen müssen erfüllt sein:
- Ein dedizierter (v)server muss existieren und unter einer IPv4- und einer IPv6-Adresse öffentlich erreichbar sein. - Ein dedizierter (v)server muss existieren und unter einer IPv4- und einer IPv6-Adresse öffentlich erreichbar sein.
- Die Adressen sollen im MWU-DNS eingetragen sein. - Die Adressen müssen im MWU-DNS eingetragen sein.
- Es muss eine nakte unterstützte linux-Version aufgesetzt sein (aktuell Ubuntu 14.04, bald Debian). - Als Betriebssystem muss Debian Stretch installiert sein.
- Es muss einen user admin geben, auf den die Admins Zugriff haben; dieser muss root-Zugang über sudo haben. - Für Ansible muss Python 2.6 oder höher installiert sein.
- Es muss einen User admin geben, auf den die Admins Zugriff haben; dieser muss Root-Zugang über sudo haben.
Zusätzlich ist sehr empfehlenswert, dass die Admins die Maschinen mit ihren fqdns in ihrer ssh-config definiert haben. Diese Voraussetzungen werden von der Rolle `prerequisites` geprüft, die Rolle sollte als erste Rolle in jedem
Playbook eingebunden sein.
Bisher gibt es hier zwei Sammlungen von files: zum Einen der Beginn des eigentlichen Zwecks: bisher kann eine Rolle (auf Basis der obigen Voraussetzungen) alle FFMWU-Server in dem ihnen allen identischen Aspekt vorbereiten, der Pflege der ssh keys der admins. Zum Anderen gibt es ein playbook, das eine lokale Test-VM aufsetzt, auf der man alle eigentlichen playbooks und Rollen testen kann, ohne ernsthaften Schaden anzurichten. Voraussetzungen für die Control Machine:
## Aufsetzen und Pflegen von Gateways - Python 2 (Versionen 2.6 oder 2.7) oder 3 (Versionen 3.5 oder höher)
- Ansible Version >= 2.4.0.0
- Python Modul `netaddr`
- Python Modul `dnspython`
Alle FFMWU-Gatways sind auch FFMWU-Server, alle anderen server bei uns überraschenderweise auch; so sind auch Alle im inventory in der Gruppe 'ff-servers' zusammengefasst. Der Aspekt, der allen FFMWU-Servern gemein ist, sind die ssh-keys der admins. Auf einigen servern gibt es allerdings weitere Zugriffsberechtigte (spezialisierte admins). Die Server werden mit ihren FQDNs im Ansible Inventory hinterlegt, bedenkt das für eure ssh-config.
So gibt es eine Rolle ('ffmwu-server'), die allen hosts dieser Gruppe zugewiesen ist (über das playbook 'ffmwu-servers.yml', später auch über Abhängigkeiten der speziellern playbooks). Dieses playbook (einfach starten) weist die Rolle zu, welche ihrerseits die shh keys auf den hosts pflegt. ## Gruppen-Variablen
Viele Variablen sind Mesh-spezifisch und werden auf allen Gateways benötigt. Deshalb verwalten wir die Liste `meshes`. Jeder Listeneintrag ist ein Dictionary. Diese Liste befindet sich in der Sondergruppe `all` (inventory/group_vars/all) und steht damit allen Hosts im Inventory zur Verfügung.
Diese Liste ist quasi das Herzstück zur Konfiguration der Mesh-spezifischen Parameter auf den Freifunk-Gateways. Jedes Dictionary repräsentiert eine Mesh-Wolke/Domain/Layer2-Netzwerk und ist wie folgt aufgebaut (Beispiel Mainz):
Die Rolle besteht aus nur einem task und einer definierten Variable, die die keys der admins enthält. Sind auf einem host weitere ssh keys von Nöten, so werden disse als hostvar definiert. |Name|Type|Value|Format|Comment|
|----|----|-----|------|-------|
|id |Variable|mz|string|Zum Teil werden Interface-Namen davon abgeleitet, z.B. `mzbr` oder `mzbat`|
|site_number|Variable|37|integer|Fließt in IP-Adress-Berechnung ein|
|site_code|Variable|ffmz|string||
|site_name|Variable|Mainz|string||
|ipv4_network|Variable|10.37.0.0/18|string; Network/Prefix||
|ipv6_ula|List|- fd37:b4dc:4b1e::/48|string; Network/Prefix||
|ipv6_public|List|- 2a03:2260:11a::/48|string; Network/Prefix||
|dnssl|List|- ffmz.org|string|DNS Search List (dhcp/radvd)|
|batman|Dictionary||||
|batman.it|Key|10000|integer||
|batman.gw|Key|server 96mbit/96mbit|string||
|batman.mm|Key|0|boolean||
|batman.dat|Key|0|boolean||
|batman.hop_penalty|Key|60|integer||
|radvd|Dictionary||||
|radvd.maxrtradvinterval|Key|900|integer||
|radvd.advvalidlifetime|Key|864000|integer||
|radvd.advpreferredlifetime|Key|172800|integer||
|iface_mtu|Variable|1350|integer|Client MTU|
|fastd|Dictionary||||
|fastd.nodes|Dictionary||||
|fastd.nodes.instances|List|||Jeder Listeneintrag ist ein Dictionary; Instanzen für Node-Kommunikation|
|fastd.nodes.instances[x].id|Key|0|integer||
|fastd.nodes.instances[x].mtu|Key|1406|integer||
|fastd.nodes.instances[x].peers|Dictionary||||
|fastd.nodes.instances[x].peers.repo|Key|https://github.com/freifunk-mwu/peers-ffmz.git|URL||
|fastd.nodes.instances[x].peers.version|Key|master|string||
|fastd.nodes.instances[x].pass|Key|fastd/mzvpn|string||
|fastd.intragate|Dictionary||||
|fastd.intragate.instances|List|||Jeder Listeneintrag ist ein Dictionary; Instanzen für Intragate-Kommunikation|
|fastd.intragate.instances[x].id|Key|0|integer||
|fastd.intragate.instances[x].mtu|Key|1406|integer||
|fastd.intragate.instances[x].peers|Dictionary||||
|fastd.intragate.instances[x].peers.repo|Key|https://github.com/freifunk-mwu/peers-ffmz.git|URL||
|fastd.intragate.instances[x].peers.version|Key|master|string||
|fastd.intragate.instances[x].pass|Key|fastd/mzigvpn|string||
|dns|Dictionary||||
|dns.master|Key|fd37:b4dc:4b1e::a25:103|string; IP-Adresse|DNS-Master IP|
|dns.forward_zones|List||||
|dns.forward_zones[x].name|Key|ffmz.org|string||
|dns.forward_zones[x].master|Key|fd37:b4dc:4b1e::a25:10c|string; IP-Adresse|Optional - überschreibt dns.master|
|http_domain_internal|Variable|ffmz.org|string|Haupt-Domain für HTTP-Server(intern)|
|http_domain_external|Variable|freifunk-mainz.de|string|Haupt-Domain für HTTP-Server(extern)||
## Erzeugen einer test-VM Weitere Gruppen-Variablen:
Um die playbooks und Rollen gefahrlos testen zu können, bietet sich ein test host an. Hierfür kann eine lokale VM zu Einsatz kommen, wenn die Voraussetzungen stimmen. |Name|Type|Value|Format|Comment|
|----|----|-----|------|-------|
|as_private_mwu|Variable|65037|integer|Privates AS von Freifunk MWU|
|as_public_ffrl|Variable|201701|integer|Public AS von Freifunk Rheinland|
|internet_exit_tcp_mss_ipv4|Variable|1240|integer|IPv4 TCP MSS|
|internet_exit_tcp_mss_ipv6|Variable|1220|integer|IPv6 TCP MSS|
|routing_tables|Dictionary||||
|routing_tables.icvpn|Key|23|integer||
|routing_tables.mwu|Key|41|integer||
|routing_tables.internet|Key|61|integer||
|icvpn_ipv4_transfer_net|Variable|10.207.0.0/16|string; Network/Prefix|ICVPN IPv4 Transfernetz|
|icvpn_ipv6_transfer_net|Variable|fec0::a:cf:0:0/96|string; Network/Prefix|ICVPN IPv6 Transfernetz|
|bgp_loopback_net|Variable|10.37.0.0/18|string; Network/Prefix|MWU Loopback Netz für dynamisches Routing|
|bgp_ipv4_transfer_net|Variable|10.37.0.0/18|string; Network/Prefix|MWU IPv4 Transfernetz für dynamisches Routing|
|bgp_ipv6_transfer_net|Variable|fd37:b4dc:4b1e::/64|string; Network/Prefix|MWU IPv6 Transfernetz für dynamisches Routing|
|http_domain_internal|Variable|ffmwu.org|string|Haupt-Domain für HTTP-Server(intern)|
|http_domain_external|Variable|freifunk-mwu.de|string|Haupt-Domain für HTTP-Server(extern)|
|icvpn|Dictionary|||ICVPN Informationen|
|icvpn.prefix|Key|mwu|string|Prefix für MWU Gateways, z.B. `mwu7` für Spinat|
|icvpn.interface|Key|icvpn|string|Name für ICVPN Interface + tinc Instanz|
|icvpn.icvpn_repo|Key|https://github.com/freifunk/icvpn|string|URL zum freifunk/icvpn Repository|
|bgp_mwu_servers|Dictionary|||Enthält pro BGP MWU peer ein Dictionary - IP-Adressen aus bgp_ipvX_transfer_net|
|bgp_mwu_servers.spinat|Dictionary||||
|bgp_mwu_servers.spinat.ipv4|Variable|10.37.0.7|string - IPv4-Adresse||
|bgp_mwu_server.spinat.ipv6|Variable|fd37:b4dc:4b1e::a25:7|string - IPv6-Adresse||
Damit auf der lokalen Maschine (der ansible controle machine) VMs ablaufen (und mit dem playbook angelegt werden) können, müssen verschiedene Voraussetzungen erfüllt sein. U. a.:
- installierte Pakete zu libvirt, kvm und qemu und Pakete virt-manager, isomaster ## Host-Variablen
- >15G freier Plattenplatz Alle Server- bzw. Gateway-spezifischen Parameter werden als Host-Variablen abgebildet:
- ansible >= 2.1
Leider sind die letzten 2 Meter der Aufgabe offenbar in dieser Art nicht automatisierbar. Deshalb muss der user an einer Stelle mit 'isomaster' kurz etwas manuell durchführen |Name|Type|Value|Format|Comment|
Das playbook 'loctevm-reset.yml' einfach ausführen. |----|----|-----|------|-------|
|magic|Variable|7|integer|Muss eindeutig unter allen Servern sein|
|ipv4_dhcp_range|Variable|6|integer|Wenn man das Mesh-Netz (/18) in /22er-Subnetze unterteilt und durchnummeriert, ist der Wert hier die Nummer des zu verwendenden /22er Subnetzes zwecks DHCP-Adress-Vergabe|
|ffrl_public_ipv4_nat|Variable|185.66.195.32/32|IP/Prefix|Öffentliche IPv4-NAT-Adresse|
|ffrl_exit_server|Dictionary|||Enthält pro FFRL Tunnel ein Dictionary|
|ffrl_exit_server.ffrl-a-ak-ber|Dictionary|||Name = Interface|
|ffrl_exit_server.ffrl-a-ak-ber.public_ipv4_address|Key|185.66.195.0|IP-Adresse|IP-Adresse der Tunnel-Gegenstelle|
|ffrl_exit_server.ffrl-a-ak-ber.tunnel_ipv4_network|Key|100.64.2.226/31|Network/Prefix|Internes IPv4-Tunnel-Subnetz|
|ffrl_exit_server.ffrl-a-ak-ber.tunnel_ipv6_network|Key|2a03:2260:0:17b::/64|Network/Prefix|Internes IPv6-Tunnel-Subnetz|
|ffrl_exit_server.ffrl-b-ak-ber|Dictionary|||Name = Interface|
|ffrl_exit_server.ffrl-b-ak-ber.public_ipv4_address|Key|185.66.195.1|IP-Adresse|IP-Adresse der Tunnel-Gegenstelle|
|ffrl_exit_server.ffrl-b-ak-ber.tunnel_ipv4_network|Key|100.64.2.228/31|Network/Prefix|Internes IPv4-Tunnel-Subnetz|
|ffrl_exit_server.ffrl-b-ak-ber.tunnel_ipv6_network|Key|2a03:2260:0:17c::/64|Network/Prefix|Internes IPv6-Tunnel-Subnetz|
|ffrl_exit_server.ffrl-a-ix-dus|Dictionary|||Name = Interface|
|ffrl_exit_server.ffrl-a-ix-dus.public_ipv4_address|Key|185.66.193.0|IP-Adresse|IP-Adresse der Tunnel-Gegenstelle|
|ffrl_exit_server.ffrl-a-ix-dus.tunnel_ipv4_network|Key|100.64.2.230/31|Network/Prefix|Internes IPv4-Tunnel-Subnetz|
|ffrl_exit_server.ffrl-a-ix-dus.tunnel_ipv6_network|Key|2a03:2260:0:17d::/64|Network/Prefix|Internes IPv6-Tunnel-Subnetz|
|ffrl_exit_server.ffrl-b-ix-dus|Dictionary|||Name = Interface|
|ffrl_exit_server.ffrl-b-ix-dus.public_ipv4_address|Key|185.66.193.1|IP-Adresse|IP-Adresse der Tunnel-Gegenstelle|
|ffrl_exit_server.ffrl-b-ix-dus.tunnel_ipv4_network|Key|100.64.2.232/31|Network/Prefix|Internes IPv4-Tunnel-Subnetz|
|ffrl_exit_server.ffrl-b-ix-dus.tunnel_ipv6_network|Key|2a03:2260:0:17e::/64|Network/Prefix|Internes IPv6-Tunnel-Subnetz|
|ffrl_exit_server.ffrl-a-fra2-fra|Dictionary|||Name = Interface|
|ffrl_exit_server.ffrl-a-fra2-fra.public_ipv4_address|Key|185.66.194.0|IP-Adresse|IP-Adresse der Tunnel-Gegenstelle|
|ffrl_exit_server.ffrl-a-fra2-fra.tunnel_ipv4_network|Key|100.64.0.186/31|Network/Prefix|Internes IPv4-Tunnel-Subnetz|
|ffrl_exit_server.ffrl-a-fra2-fra.tunnel_ipv6_network|Key|2a03:2260:0:63::/64|Network/Prefix|Internes IPv6-Tunnel-Subnetz|
|ffrl_exit_server.ffrl-b-fra2-fra|Dictionary|||Name = Interface|
|ffrl_exit_server.ffrl-b-fra2-fra.public_ipv4_address|Key|185.66.194.1|IP-Adresse|IP-Adresse der Tunnel-Gegenstelle|
|ffrl_exit_server.ffrl-b-fra2-fra.tunnel_ipv4_network|Key|100.64.0.188/31|Network/Prefix|Internes IPv4-Tunnel-Subnetz|
|ffrl_exit_server.ffrl-b-fra2-fra.tunnel_ipv6_network|Key|2a03:2260:0:64::/64|Network/Prefix|Internes IPv6-Tunnel-Subnetz|
### bekannte Probleme ## Sensible Informationen
- Wenn die VM wegen Zugriffsfehler auf die virtuellen volumes nicht startet, können die Berechtigungen der übergeordneten Verzeichnisse Schuld sein -> hier mal schauen. Sensible Daten, z.B. private keys für Dienste wie fastd und tinc verwalten wir in einem [Password Store](https://www.passwordstore.org/).
- Ein Schritt scheint nicht automagisierbar, hier werden isomaster & der user benötigt. Falls ihr mehrere Password Stores verwaltet, denkt vor Benutzung von Ansible daran, die Umgebungsvariable auf den richtigen Store zu verweisen:
- Bisher wird direkt die 64bit-Version ausgewählt. ```
export PASSWORD_STORE_DIR=...
```
## Aufsetzen eines neuen Gateways
- FQDN im Inventory zur Gruppe ffmwu-gateways hinzufügen
- Host-Variablen setzen
- inventory/host_vars/$FQDN
```
---
# Gateway-Nummer, von der vieles abgeleitet wird. Integer zwischen 1-254. Muss eindeutig unter allen FFMWU Servern sein.
magic:
# Die Nummer des /22er IPv4-Subnetzes, das per DHCP verteilt werden soll.
# z.B. 5 für 10.X.16.0/22 (fünftes /22 Subnetz aus 10.X.0.0/18)
ipv4_dhcp_range:
# FFRL (muss vorher bereits zugewiesen worden sein)
# Öffentliche IPv4 NAT Adresse, Format: IP/Prefix
ffrl_public_ipv4_nat:
ffrl_exit_server:
ffrl-a-ak-ber:
public_ipv4_address: 185.66.195.0
tunnel_ipv4_network: # Format: IP/Maske
tunnel_ipv6_network:
ffrl-b-ak-ber:
public_ipv4_address: 185.66.195.1
tunnel_ipv4_network: # Format: IP/Maske
tunnel_ipv6_network:
ffrl-a-ix-dus:
public_ipv4_address: 185.66.193.0
tunnel_ipv4_network: # Format: IP/Maske
tunnel_ipv6_network:
ffrl-b-ix-dus:
public_ipv4_address: 185.66.193.1
tunnel_ipv4_network: # Format: IP/Maske
tunnel_ipv6_network:
ffrl-a-fra2-fra:
public_ipv4_address: 185.66.194.0
tunnel_ipv4_network: # Format: IP/Maske
tunnel_ipv6_network:
ffrl-b-fra2-fra:
public_ipv4_address: 185.66.194.1
tunnel_ipv4_network: # Format: IP/Maske
tunnel_ipv6_network:
```
- Neues Gateway aufsetzen per `ansible-playbook playbooks/gateways.yml`
- Hierbei werden die definierten Rollen auch auf schon aufgesetzte Gateways angewandt, was unkritisch ist, weil wir unsere Rollen idempotent schreiben.
- Um die Rollen nur auf das neu aufzusetzende Gateway anzuwenden: `ansible-playbook playbooks/gateways.yml --limit=$FQDN`
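Review bot: the last row of the further group variables table, `bgp_mwu_server.spinat.ipv6`, drops the trailing `s` and does not match `bgp_mwu_servers` as defined in `inventory/group_vars/all` (and in the row directly above it); the `http_domain_external` row of the `meshes` table also ends in an extra `||`, which renders as a stray empty cell. The `fastd.*.pass` entries such as `fastd/mzvpn` are only typed as `string`; stating in the Comment column that they are password store paths, as the `Sensible Informationen` section explains, rather than the secret itself, would save readers a wrong assumption.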


@ -1,10 +1,13 @@
[defaults] [defaults]
# local inventory = ./inventory
inventory = ./inventory/hosts retry_files_enabled = False
retry_files_save_path = ~/.ansible/retry-files remote_tmp = $HOME/ansible_tmp
#vault_password_file = ~/.ansible/vault-password-file remote_user = admin
# remote ansible_managed = Ansible managed - don't edit this file!
remote_tmp = $HOME/ansible_tmp roles_path = ./roles
[privilege_escalation]
become = True
#[ssh_connection] #[ssh_connection]
#pipelining = True #pipelining = True
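Review bot: `become = True` under `[privilege_escalation]` makes every task in every play escalate to root unless the task sets `become: false`, so role tasks that only need the `admin` user (git clones into its home, for instance) now run as root too; the commit message says tasks were retouched for this, but an explicit `become: false` where root is not needed and a sentence in the README would make the intent visible. Switching `inventory` from `./inventory/hosts` to the `./inventory` directory is what makes the new per-group files (`ffmwu-gateways`, `ffmwu-servers`, `ffmwu-build-servers`, `test-vms`) work, but it also means any other file dropped into that directory, apart from `group_vars`/`host_vars` and the default ignored extensions, is parsed as an inventory source. The commented `#vault_password_file` line is gone, which is consistent with the README moving secrets to the password store.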


@ -1,8 +0,0 @@
#!/usr/bin/ansible-playbook
---
- hosts: build-servers
remote_user: admin
strategy: linear
roles:
- ffmwu-build


@ -1,9 +0,0 @@
#!/usr/bin/ansible-playbook
---
- hosts: ff-servers
remote_user: admin
strategy: linear
roles:
- ffmwu-server


@ -0,0 +1,2 @@
[ffmwu-build-servers]
milchreis.freifunk-mwu.de

inventory/ffmwu-gateways Normal file

@ -0,0 +1,2 @@
[ffmwu-gateways]
uffschnitt.freifunk-mwu.de

inventory/ffmwu-servers Normal file

@ -0,0 +1,2 @@
[ffmwu-servers]
milchreis.freifunk-mwu.de

inventory/group_vars/all Normal file

@ -0,0 +1,174 @@
---
as_private_mwu: 65037
as_public_ffrl: 201701
internet_exit_tcp_mss_ipv4: 1240
internet_exit_tcp_mss_ipv6: 1220
routing_tables:
icvpn: 23
mwu: 41
internet: 61
icvpn_ipv4_transfer_net: 10.207.0.0/16
icvpn_ipv6_transfer_net: fec0::a:cf:0:0/96
bgp_loopback_net: 10.37.0.0/18
bgp_ipv4_transfer_net: 10.37.0.0/18
bgp_ipv6_transfer_net: fd37:b4dc:4b1e::/64
http_domain_internal: ffmwu.org
http_domain_external: freifunk-mwu.de
meshes:
- id: mz
site_number: 37
site_code: ffmz
site_name: Mainz
ipv4_network: 10.37.0.0/18
ipv6_ula:
- fd37:b4dc:4b1e::/48
ipv6_public:
- 2a03:2260:11a::/48
dnssl:
- ffmz.org
- user.ffmz.org
batman:
it: 10000
gw: server 96mbit/96mbit
mm: 0
dat: 0
hop_penalty: 60
radvd:
maxrtradvinterval: 900
advvalidlifetime: 864000
advpreferredlifetime: 172800
iface_mtu: 1350
fastd:
nodes:
instances:
- id: 0
mtu: 1406
peers:
repo: https://github.com/freifunk-mwu/peers-ffmz.git
version: master
pass: fastd/mzvpn
- id: 1
mtu: 1312
peers:
repo: https://github.com/freifunk-mwu/peers-ffmz.git
version: master
pass: fastd/mzvpn
intragate:
instances:
- id: 0
mtu: 1406
peers:
repo: https://github.com/freifunk-mwu/ffmz-infrastructure-peers.git
version: master
pass: fastd/mzigvpn
dns:
master: fd37:b4dc:4b1e::a25:103
forward_zones:
- name: ffmz.org
- name: user.ffmz.org
- name: bb.ffmz.org
- name: nodes.ffmz.org
- name: ffbin
master: fd37:b4dc:4b1e::a25:10c
http_domain_internal: ffmz.org
http_domain_external: freifunk-mainz.de
- id: wi
site_number: 56
site_code: ffwi
site_name: Wiesbaden
ipv4_network: 10.56.0.0/18
ipv6_ula:
- fd56:b4dc:4b1e::/48
ipv6_public:
- 2a03:2260:11b::/48
dnssl:
- ffwi.org
- user.ffwi.org
batman:
it: 10000
gw: server 96mbit/96mbit
mm: 0
dat: 0
hop_penalty: 60
radvd:
maxrtradvinterval: 900
advvalidlifetime: 864000
advpreferredlifetime: 172800
iface_mtu: 1350
fastd:
nodes:
instances:
- id: 0
mtu: 1406
peers:
repo: https://github.com/freifunk-mwu/peers-ffwi.git
version: master
pass: fastd/wivpn
- id: 1
mtu: 1312
peers:
repo: https://github.com/freifunk-mwu/peers-ffwi.git
version: master
pass: fastd/wivpn
intragate:
instances:
- id: 0
mtu: 1406
peers:
repo: https://github.com/freifunk-mwu/ffwi-infrastructure-peers.git
version: master
pass: fastd/wiigvpn
dns:
master: fd56:b4dc:4b1e::a38:103
forward_zones:
- name: ffwi.org
- name: user.ffwi.org
- name: bb.ffwi.org
- name: nodes.ffwi.org
http_domain_internal: ffwi.org
http_domain_external: wiesbaden.freifunk.net
icvpn:
prefix: mwu
interface: icvpn
icvpn_repo: https://github.com/freifunk/icvpn
bgp_mwu_servers:
spinat:
ipv4: 10.37.0.7
ipv6: fd37:b4dc:4b1e::a25:7
lotuswurzel:
ipv4: 10.37.0.23
ipv6: fd37:b4dc:4b1e::a25:17
ingwer:
ipv4: 10.37.0.161
ipv6: fd37:b4dc:4b1e::a25:a1
wasserfloh:
ipv4: 10.37.0.231
ipv6: fd37:b4dc:4b1e::a25:e7
zuckerwatte:
ipv4: 10.37.1.2
ipv6: fd37:b4dc:4b1e::a25:102
aubergine:
ipv4: 10.37.1.3
ipv6: fd37:b4dc:4b1e::a25:103
zwiebel:
ipv4: 10.37.1.0
ipv6: fd37:b4dc:4b1e::a25:100
glueckskeks:
ipv4: 10.37.1.1
ipv6: fd37:b4dc:4b1e::a25:101
suesskartoffel:
ipv4: 10.37.1.4
ipv6: fd37:b4dc:4b1e::a25:104
legacy_gateways:
- ingwer
- lotuswurzel
- spinat
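Review bot: `bgp_loopback_net`, `bgp_ipv4_transfer_net` and the Mainz mesh `ipv4_network` are all `10.37.0.0/18`, so one prefix serves three documented purposes, and the `bgp_mwu_servers` addresses (`10.37.0.7` … `10.37.1.4`) as well as the `/22` DHCP slices described by `ipv4_dhcp_range` in the README are carved out of the same block; a comment in this file stating how the /18 is split would prevent a later overlapping assignment. `legacy_gateways` and `bgp_mwu_servers` name hosts (`spinat`, `lotuswurzel`, `ingwer`, …) that this commit removes from the inventory, so these peers are now known to Ansible only through this file; the commit message already calls `legacy_gateways` temporary, so a `# TODO` with the removal condition next to it would help.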


@ -1,3 +0,0 @@
---
fastd_config: 'gate'


@ -1,3 +0,0 @@
---
fastd_config: 'meshing-only'


@ -1,19 +0,0 @@
---
communities:
- mz
- wi
community_params:
mz:
fastd_port: 10037
abbreviation: mz
name: mainz
repo: freifunk-mwu/peers-ffmz
xtra_peers:
- peers_bingen
wi:
fastd_port: 10056
abbreviation: wi
name: wiesbaden
repo: freifunk-mwu/peers-ffwi


@ -1,4 +0,0 @@
---
ansible_managed_server: True
# not yet: ansible_managed_meshing


@ -1,4 +0,0 @@
---
ansible_managed_server: True
# not yet: ansible_managed_meshing


@ -1,6 +0,0 @@
---
ansible_managed_server: True
ansible_managed_meshing: True
fastd_alias: gw_extrasahne


@ -1,4 +0,0 @@
---
ansible_managed_server: True
# not yet: ansible_managed_meshing


@ -1,4 +0,0 @@
---
ansible_managed_server: True
# not yet: ansible_managed_meshing


@ -1,3 +0,0 @@
---
ansible_managed_server: True


@ -1,4 +0,0 @@
---
ansible_managed_server: True
# not yet: ansible_managed_meshing


@ -1,7 +0,0 @@
---
ansible_managed_server: True
ansible_managed_build: True
h_v_add_auth_keys: |
ssh-rsa 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 maesto@GLaDOS


@ -1,4 +0,0 @@
---
ansible_managed_server: True
# not yet: ansible_managed_meshing


@ -1,7 +0,0 @@
---
ansible_managed_server: True
# not yet: ansible_managed_meshing
h_v_add_auth_keys: |
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAt00Ozv50kIis7YKBaey5alVps98ZzW4CVO9tA8AHvsGXn8cleROjcGdbz/YwPm2RH+A+GQrRqCuEf3SPVxvthlVUuHQPKzDdX3PpcakN05CoEwR3zVwjwdzXaO3fKbN5ZCEUKTpaJU6Lngi6vO6HLzsuYloSJs3t7PGpV1xp3YESyXX7D78w9YRJSe2n3WMrA40lQ91u79V0efoX1mKQYzPH86uwhWsOqi08DvE6gxsqKMY6P06nljmsQOFsdX8S/HVrWtIcnne50b63vPMMLRkOLa5FP6qMIjU3LiirrpL80r1gmVZGVRHO6uJr+mrOb6A76cZ7LT8jaKFgnVhOyw== msslovi0@wyoming.local


@ -0,0 +1,31 @@
---
magic: 101
ipv4_dhcp_range: 8
ffrl_public_ipv4_nat: 185.66.195.37/32
ffrl_exit_server:
ffrl-a-ak-ber:
public_ipv4_address: 185.66.195.0
tunnel_ipv4_network: 100.64.9.42/31
tunnel_ipv6_network: 2a03:2260:0:3bd::/64
ffrl-b-ak-ber:
public_ipv4_address: 185.66.195.1
tunnel_ipv4_network: 100.64.9.48/31
tunnel_ipv6_network: 2a03:2260:0:3c0::/64
ffrl-a-ix-dus:
public_ipv4_address: 185.66.193.0
tunnel_ipv4_network: 100.64.9.46/31
tunnel_ipv6_network: 2a03:2260:0:3bf::/64
ffrl-b-ix-dus:
public_ipv4_address: 185.66.193.1
tunnel_ipv4_network: 100.64.9.52/31
tunnel_ipv6_network: 2a03:2260:0:3c2::/64
ffrl-a-fra2-fra:
public_ipv4_address: 185.66.194.0
tunnel_ipv4_network: 100.64.9.44/31
tunnel_ipv6_network: 2a03:2260:0:3be::/64
ffrl-b-fra2-fra:
public_ipv4_address: 185.66.194.1
tunnel_ipv4_network: 100.64.9.50/31
tunnel_ipv6_network: 2a03:2260:0:3c1::/64


@ -1,4 +0,0 @@
---
ansible_managed_server: True
# not yet: ansible_managed_meshing


@ -1,12 +0,0 @@
---
ansible_managed_server: True
# not yet: ansible_managed_meshing
h_v_add_auth_keys: |
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHs63QNerevCI6wt2Gpq/IpHTPVeHIP8aKIOrRCUlKWR ccgx@small-x
ssh-rsa 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 magic
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAhrDPtvVZb9I7Z2dXl3IXa34sT41/7YCl0kBJ2pgOzrTqXn6HjM8iY7duMxr1ScWlsaIoJAJmpML1LM7hkRJiray5YgjXjcNaz8HxDkV/JLLUMqzQSeDuVTFZzrQBQknzEehuA6XPTLRcgPMnpKhyt3TU4E3rHTDEFLHGEn2I9IZeImGdrehgWoJQz0gGyXI5h49bj6AXHz4etgH349ZCvQWY2e/127owcoPK5EyFBsDMKgnfdxCpAHa3vWFdUnbwqHiVu445qr2U4PiG2AK6PZKRsMauR9jBG1EfeRrc7STcx3OYRbBaQoHJkvw8dD0bH5tI1VVnXfZ2CYOyIGWHJw== mitch
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDUI92QCs7D8mpCoqUug1fOcKf7V5nyKZJiyFfsz0T/ ccgx@mobile-x
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDFx5FdrQYkd11mEBxEZLUjdI1gOlee8kP+imUTInsYGK9r3wuoiVoWX4ZdemhB6ezmJwY7mmqjHpFixct3FDdZDvoQjbbS0jM9zQtLp3quHlgpbhCSCG0NOzsjRMJhV1rQguVXDBcDxXZf1YDr9S4YJWPJ1USPPE9IILdbDl6lgaTxsEpeL6unQ3SHUkwLnQVnof1DAsS9yyyDouKMAnoiLIqOi2firerm+2KjtWXpQGF8d58eXg8FSy6iWHmy+mEOBo5W2vy8CT80hR72Ynyy4JjijvSjUzqHs9bJjxCVWOV1/4sZ5GUgNzNknIduny4tR744JRmWDfeCjCS9T3TdpKbL7Xd6pjPW4/q5Z3u0DZFutR3tBp0Xm69ic4QQZVMa14FZcipKNdE+uTpIzfpClz2e4RBR8DlJn2DexvEGSGJu3t8uOFqVnJrkmJL/eIWkRpYe+JvpaF7M7K+dM/aQWOtoTWQrmujGUqXLvSyFnuUk4PhPc3an+HaxYFCBcVGQHypc7VyAg/Bm14ZBYbj93c0UTUV01VKu5/tCjq42+hDvMsn1ZyuZ66hnnZizLzIZGH3ciGdZwPp+32nC0sT09Y8pbAZFhN6sfQHDvVrHpOjJXmbBKZ2xjYoUKoi4rdds7sLhvuJV0a3i56WR8CCIx94UGjxkfJ0A9RR24AlAuQ== mattsches@gmail.com
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAt00Ozv50kIis7YKBaey5alVps98ZzW4CVO9tA8AHvsGXn8cleROjcGdbz/YwPm2RH+A+GQrRqCuEf3SPVxvthlVUuHQPKzDdX3PpcakN05CoEwR3zVwjwdzXaO3fKbN5ZCEUKTpaJU6Lngi6vO6HLzsuYloSJs3t7PGpV1xp3YESyXX7D78w9YRJSe2n3WMrA40lQ91u79V0efoX1mKQYzPH86uwhWsOqi08DvE6gxsqKMY6P06nljmsQOFsdX8S/HVrWtIcnne50b63vPMMLRkOLa5FP6qMIjU3LiirrpL80r1gmVZGVRHO6uJr+mrOb6A76cZ7LT8jaKFgnVhOyw== msslovi0@wyoming.local
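Review bot: the removed `h_v_add_auth_keys` blocks (this one and the two smaller ones in the other deleted host_vars files) held per-host extra SSH public keys for the `admin` user, and nothing in the part of this diff shown here re-adds them; removing a key from Ansible does not remove it from a server's `authorized_keys`, so these hosts keep the old keys with no record left in the repository. Either re-create the list for the hosts that stay managed, or state in the commit message that these hosts are no longer managed by Ansible and their keys are tracked elsewhere.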


@ -1,4 +0,0 @@
---
ansible_managed_server: True
# not yet: ansible_managed_meshing


@ -1,38 +0,0 @@
[gates]
spinat.freifunk-mwu.de
lotuswurzel.freifunk-mwu.de
wasserfloh.freifunk-mwu.de
# kaschu.freifunk-mwu.de # außer Dienst
ingwer.freifunk-mwu.de # (Debian)
#mettigel.freifunk-mwu.de
#parmesan.freifunk-mwu.de
extrasahne.freifunk-mwu.de require_dns=False # (Debian 8) FIXME: set IPv6
[meshing-srv:children]
gates
meshing-only-srv
test-vms
[meshing-only-srv]
aubergine.freifunk-mwu.de # int. DNS-master
zuckerwatte.freifunk-mwu.de # web, blogs, wiki
churro.freifunk-mwu.de # Abloesung: web, blogs, wiki (Debian)
glueckskeks.freifunk-mwu.de #
zwiebel.freifunk-mwu.de #
suesskartoffel.freifunk-mwu.de #
[ff-servers:children]
gates
meshing-only-srv
simple-ff-servers
build-servers
test-vms
[simple-ff-servers] # not meshing
linse.freifunk-mwu.de # ext. DNS-master
[build-servers]
milchreis.freifunk-mwu.de
[test-vms]
local-test-vm.ffmwu.local ansible_host=192.168.137.7 require_dns=False
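Review bot: with this file gone, the only inventory left in the change is `inventory/test-vms`, which defines a single `[test-vms]` group, while playbooks/gateways.yml and playbooks/build-server.yml target `ffmwu-gateways` and `ffmwu-build-servers`; until the production hosts are re-added those plays match no host, which Ansible reports only as a warning, so a run can look successful while configuring nothing. Two things from this file are worth carrying into the new inventory: the per-host role annotations (`int. DNS-master`, `ext. DNS-master`, `web, blogs, wiki`) and the `require_dns=False` convention, which otherwise only survives for the test VM.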

inventory/test-vms Normal file

@ -0,0 +1,2 @@
[test-vms]
local-test-vm.ffmwu.local ansible_host=192.168.137.7 require_dns=False
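Review bot: `require_dns=False` is consumed only by the `assert IPv4/IPv6 DNS entry` tasks of roles/ffmwu-prereqs, which this change deletes; unless the new `prerequisites` role reads the same variable it is dead configuration and the DNS assertion is gone for every host. If the check survives, document the variable next to the group; if it does not, drop it so nobody assumes DNS is still being verified before a host is provisioned.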


@ -1,9 +0,0 @@
#!/usr/bin/ansible-playbook
---
- hosts: test-vms
remote_user: admin
strategy: free
roles:
- ffmwu-prereqs

playbooks/build-server.yml Executable file

@ -0,0 +1,7 @@
#!/usr/bin/ansible-playbook
- hosts: ffmwu-build-servers
remote_user: admin
roles:
- prerequisites
- ffmwu-build

playbooks/gateways.yml Executable file

@ -0,0 +1,34 @@
#!/usr/bin/ansible-playbook
- hosts: ffmwu-gateways
remote_user: admin
roles:
- handlers
- prerequisites
- server-apt-repos
- server-basic
- system-sysctl-gateway
- git-repos
- service-haveged
- service-ntpd
- kmod-batman
- network-routetables
- network-batman
- network-meshbridge
- network-fastd
- network-ffrl
- network-iptables-gateway
- network-routing
- service-dhcpd
- service-nginx
- service-nginx-firmware
- service-radvd
- service-fastd
- service-fastd-mesh
- service-fastd-intragate
- service-tinc
- service-bird
- service-bird-icvpn
- service-bird-ffrl
- service-bind-slave
- service-respondd
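Review bot: `network-iptables-gateway` is listed after `network-fastd` and `network-ffrl`, and those two roles end with `meta: flush_handlers`, so on first provisioning the GRE tunnels to the FFRL exits and the fastd interfaces come up before any rules are in place; worse, the iptables role itself does not flush its handlers, so `iptables-restore` only runs at the end of the play, after every service role has started. Move `network-iptables-gateway` ahead of the interface roles (it only needs `meshes`, `ffrl_exit_server` and the MSS variables to render) and flush its handlers, so filtering is active before tunnels and daemons are up. Separately, every role here that notifies `reload network interfaces` or `reload systemd` silently depends on `handlers` being in the same play; declaring that in each role's meta `dependencies` would make the coupling explicit instead of relying on playbook order.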


@ -1,11 +1,9 @@
#!/usr/bin/ansible-playbook #!/usr/bin/ansible-playbook
---
- include: loctevm-provide.yml - include: loctevm-provide.yml
- hosts: test-vms - hosts: test-vms
remote_user: admin remote_user: admin
strategy: linear roles:
- prerequisites
roles: - ffmwu-meshing
- ffmwu-meshing


@ -1,5 +1,4 @@
#!/usr/bin/ansible-playbook #!/usr/bin/ansible-playbook
---
# localhost (aka 127.0.0.1) is the hypervisor (hard-coded) # localhost (aka 127.0.0.1) is the hypervisor (hard-coded)
- hosts: test-vms - hosts: test-vms


@ -1,9 +1,7 @@
#!/usr/bin/ansible-playbook #!/usr/bin/ansible-playbook
---
- hosts: meshing-srv - hosts: meshing-srv
remote_user: admin remote_user: admin
strategy: linear roles:
- prerequisites
roles: - ffmwu-meshing
- ffmwu-meshing


@ -1,9 +1,7 @@
#!/usr/bin/ansible-playbook #!/usr/bin/ansible-playbook
---
- hosts: ff-servers - hosts: ff-servers
remote_user: admin remote_user: admin
strategy: free
roles: roles:
- ffmwu-prereqs - prerequisites
- ffmwu-server


@ -7,7 +7,6 @@
owner: admin owner: admin
group: bird group: bird
mode: 0750 mode: 0750
become: yes
- name: standardise file ownerships - name: standardise file ownerships
file: file:
@ -16,7 +15,6 @@
owner: admin owner: admin
group: bird group: bird
mode: 0750 mode: 0750
become: yes
with_items: with_items:
- /etc/bird/bird.conf - /etc/bird/bird.conf
- /etc/bird/mwu_peers_v4.inc - /etc/bird/mwu_peers_v4.inc


@ -1,15 +1,12 @@
--- ---
- name: check apache syntax - name: check apache syntax
command: /usr/sbin/apachectl -t command: /usr/sbin/apachectl -t
become: true
- name: restart systemd unit apache2 - name: restart systemd unit apache2
systemd: systemd:
name: apache2 name: apache2
state: restarted state: restarted
become: true
- name: update apt cache - name: update apt cache
apt: apt:
update_cache: yes update_cache: yes
become: true


@ -4,3 +4,4 @@
repo: https://github.com/freifunk-mwu/sites-ffmwu.git repo: https://github.com/freifunk-mwu/sites-ffmwu.git
dest: /home/admin/clones/sites-ffmwu dest: /home/admin/clones/sites-ffmwu
version: stable version: stable
become: false
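Review bot: `become: false` is required now that the play-wide default is True, and it correctly keeps the clone owned by `admin`; the remaining concern is `version: stable`, which is a moving branch rather than a pin. If this clone is what feeds the fastd peer directories (the role name suggests so), then the set of nodes allowed into the VPN changes whenever that branch moves, with no commit pin and no signature check on the way. Pinning to a commit or a signed tag and bumping it deliberately, or at least `update: no` with an explicit pull step, would stop a routine run from silently changing who is authorised.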


@ -4,7 +4,6 @@
repo: 'deb https://repo.universe-factory.net/debian/ sid main' repo: 'deb https://repo.universe-factory.net/debian/ sid main'
state: present state: present
filename: 'neoraider' filename: 'neoraider'
become: true
notify: update apt cache notify: update apt cache
- name: add apt repository of freifunk-mwu - name: add apt repository of freifunk-mwu
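Review bot: adding `deb https://repo.universe-factory.net/debian/ sid main` to a jessie host without an apt pin means any package that exists in both will be upgraded from sid as soon as it is newer there, which is how build boxes drift off stable. Add an `/etc/apt/preferences.d` entry that pins `origin repo.universe-factory.net` to a low priority and raises it only for the packages you actually want from it, and manage that file in this role next to the source list.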
@ -12,7 +11,6 @@
repo: 'deb http://repo.freifunk-mwu.de/debian/ jessie main' repo: 'deb http://repo.freifunk-mwu.de/debian/ jessie main'
state: present state: present
filename: 'ffmwu' filename: 'ffmwu'
become: true
notify: update apt cache notify: update apt cache
- name: add apt-key of neoraider - name: add apt-key of neoraider
@ -20,14 +18,12 @@
keyserver: keyserver.ubuntu.com keyserver: keyserver.ubuntu.com
id: 16EF3F64CB201D9C id: 16EF3F64CB201D9C
state: present state: present
become: true
notify: update apt cache notify: update apt cache
- name: add apt-key of freifunk-mwu package sigs - name: add apt-key of freifunk-mwu package sigs
apt_key: apt_key:
url: http://repo.freifunk-mwu.de/83A70084.gpg.key url: http://repo.freifunk-mwu.de/83A70084.gpg.key
state: present state: present
become: true
notify: update apt cache notify: update apt cache
- name: install needed packages for build-server - name: install needed packages for build-server
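Review bot: the freifunk-mwu signing key is fetched over plain HTTP (`url: http://repo.freifunk-mwu.de/83A70084.gpg.key`) and the repository it authenticates is `http://` as well, so anyone on the path can substitute both the trust anchor and the packages, and apt will report everything as properly signed. Serve the key over HTTPS or, better, vendor the key file into the role and feed it to `apt_key` via `data:`/`file:` after checking its fingerprint out of band. The keyserver fetch above has the same shape of problem: `id: 16EF3F64CB201D9C` is a 64-bit key ID; use the full 40-hex fingerprint there so a colliding or substituted key is rejected.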
@ -50,4 +46,3 @@
- subversion - subversion
- unzip - unzip
- zlib1g-dev - zlib1g-dev
become: true


@ -4,18 +4,15 @@
src: rsyncd.conf src: rsyncd.conf
dest: /etc/rsyncd.conf dest: /etc/rsyncd.conf
mode: 0640 mode: 0640
become: true
- name: install rsnyc systemd unit - name: install rsnyc systemd unit
copy: copy:
src: rsync.service src: rsync.service
dest: /etc/systemd/system/ dest: /etc/systemd/system/
mode: 0644 mode: 0644
become: true
- name: ensure rsync is started on boot as a daemon - name: ensure rsync is started on boot as a daemon
systemd: systemd:
name: rsync name: rsync
state: started state: started
enabled: True enabled: True
become: true
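Review bot: the unit file is copied into `/etc/systemd/system/` but the task does not `notify: reload systemd` (the handler exists in the new handlers role), so an edited `rsync.service` is not re-read until someone runs a daemon-reload by hand, and `systemd: state: started` below will happily keep the stale definition running. Add the notify on the copy task and flush before the start task. Since this exposes an rsync daemon, it is also worth a second look at the `rsyncd.conf` it ships (not visible in this hunk) for `hosts allow` and `read only` on every module.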


@ -5,13 +5,11 @@
owner: admin owner: admin
group: admin group: admin
recurse: yes recurse: yes
become: true
- name: enable apache module ssl - name: enable apache module ssl
apache2_module: apache2_module:
state: present state: present
name: ssl name: ssl
become: true
notify: notify:
- check apache syntax - check apache syntax
- restart systemd unit apache2 - restart systemd unit apache2
@ -20,7 +18,6 @@
command: /usr/sbin/a2dissite 000-default command: /usr/sbin/a2dissite 000-default
args: args:
removes: /etc/apache2/sites-enabled/000-default.conf removes: /etc/apache2/sites-enabled/000-default.conf
become: true
notify: notify:
- check apache syntax - check apache syntax
- restart systemd unit apache2 - restart systemd unit apache2
@ -29,7 +26,6 @@
command: /usr/sbin/a2dissite default-ssl command: /usr/sbin/a2dissite default-ssl
args: args:
removes: /etc/apache2/sites-enabled/default-ssl.conf removes: /etc/apache2/sites-enabled/default-ssl.conf
become: true
notify: notify:
- check apache syntax - check apache syntax
- restart systemd unit apache2 - restart systemd unit apache2
@ -38,7 +34,6 @@
command: /usr/sbin/a2disconf other-vhosts-access-log command: /usr/sbin/a2disconf other-vhosts-access-log
args: args:
removes: /etc/apache2/conf-enabled/other-vhosts-access-log.conf removes: /etc/apache2/conf-enabled/other-vhosts-access-log.conf
become: true
notify: notify:
- check apache syntax - check apache syntax
- restart systemd unit apache2 - restart systemd unit apache2
@ -49,7 +44,6 @@
regexp: '^([\s\t]+)?SSLCipherSuite' regexp: '^([\s\t]+)?SSLCipherSuite'
line: "SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" line: "SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
state: present state: present
become: true
notify: notify:
- check apache syntax - check apache syntax
- restart systemd unit apache2 - restart systemd unit apache2
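Review bot: the cipher string still enables 3DES: `DES-CBC3-SHA` is listed explicitly and `!DES` only excludes single DES, so SWEET32-class suites stay negotiable, and the bare `AES` and `CAMELLIA` aliases pull in every non-AEAD CBC suite regardless of the ordering in front of them. Drop `DES-CBC3-SHA`, `!EDH-DSS-DES-CBC3-SHA`, `!EDH-RSA-DES-CBC3-SHA` and `!KRB5-DES-CBC3-SHA` in favour of a single `!3DES`, and remove the `AES`/`CAMELLIA` catch-alls so the list is exactly the explicit ECDHE/DHE suites named at the front.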
@ -60,7 +54,6 @@
regexp: '^([\s\t]+)?SSLProtocol' regexp: '^([\s\t]+)?SSLProtocol'
line: "SSLProtocol all -SSLv2 -SSLv3" line: "SSLProtocol all -SSLv2 -SSLv3"
state: present state: present
become: true
notify: notify:
- check apache syntax - check apache syntax
- restart systemd unit apache2 - restart systemd unit apache2
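Review bot: `SSLProtocol all -SSLv2 -SSLv3` leaves TLS 1.0 and 1.1 enabled; if the client base allows it, extend this to `-TLSv1 -TLSv1.1`. Nothing in this change sets `SSLHonorCipherOrder on`, and without it the carefully ordered `SSLCipherSuite` above is only advisory: the client's preference wins, so a client that prefers a CBC suite gets one. Add a third `lineinfile` for it with the same notify chain.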
@ -71,7 +64,6 @@
regexp: "^ServerTokens" regexp: "^ServerTokens"
line: "ServerTokens Prod" line: "ServerTokens Prod"
state: present state: present
become: true
notify: notify:
- check apache syntax - check apache syntax
- restart systemd unit apache2 - restart systemd unit apache2
@ -82,7 +74,6 @@
regexp: "^ServerSignature" regexp: "^ServerSignature"
line: "ServerSignature EMail" line: "ServerSignature EMail"
state: present state: present
become: true
notify: notify:
- check apache syntax - check apache syntax
- restart systemd unit apache2 - restart systemd unit apache2
@ -91,7 +82,6 @@
template: template:
src: ffmwu-default-http.conf.j2 src: ffmwu-default-http.conf.j2
dest: /etc/apache2/sites-available/ffmwu-default-http.conf dest: /etc/apache2/sites-available/ffmwu-default-http.conf
become: true
notify: notify:
- check apache syntax - check apache syntax
- restart systemd unit apache2 - restart systemd unit apache2
@ -100,7 +90,6 @@
template: template:
src: ffmwu-default-https.conf.j2 src: ffmwu-default-https.conf.j2
dest: /etc/apache2/sites-available/ffmwu-default-https.conf dest: /etc/apache2/sites-available/ffmwu-default-https.conf
become: true
notify: notify:
- check apache syntax - check apache syntax
- restart systemd unit apache2 - restart systemd unit apache2
@ -109,7 +98,6 @@
command: /usr/sbin/a2ensite ffmwu-default-http command: /usr/sbin/a2ensite ffmwu-default-http
args: args:
creates: /etc/apache2/sites-enabled/ffmwu-default-http.conf creates: /etc/apache2/sites-enabled/ffmwu-default-http.conf
become: true
notify: notify:
- check apache syntax - check apache syntax
- restart systemd unit apache2 - restart systemd unit apache2
@ -118,7 +106,6 @@
command: /usr/sbin/a2ensite ffmwu-default-https command: /usr/sbin/a2ensite ffmwu-default-https
args: args:
creates: /etc/apache2/sites-enabled/ffmwu-default-https.conf creates: /etc/apache2/sites-enabled/ffmwu-default-https.conf
become: true
notify: notify:
- check apache syntax - check apache syntax
- restart systemd unit apache2 - restart systemd unit apache2


@ -40,7 +40,7 @@
line: secret "{{f_key_pair.stdout_lines[0] |regex_replace('^Secret. ','')}}"; line: secret "{{f_key_pair.stdout_lines[0] |regex_replace('^Secret. ','')}}";
mode: 0400 mode: 0400
regexp: '^secret ".*";' regexp: '^secret ".*";'
state : present state: present
- name: write out fastd public key - {{mf_com.abbreviation}} - name: write out fastd public key - {{mf_com.abbreviation}}
lineinfile: lineinfile:
@ -50,7 +50,7 @@
line: key "{{f_key_pair.stdout_lines[1] |regex_replace('^Public. ','')}}"; line: key "{{f_key_pair.stdout_lines[1] |regex_replace('^Public. ','')}}";
mode: 0440 mode: 0440
regexp: '^key ".*";' regexp: '^key ".*";'
state : present state: present
register: f_pub_key register: f_pub_key
ignore_errors: True ignore_errors: True
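Review bot: `line: secret "{{f_key_pair.stdout_lines[0] ...}}"` writes the fastd private key from a registered command result; unless both the task that registered `f_key_pair` and this `lineinfile` task set `no_log: True`, the secret is printed in `-v` output and lands in any configured log or callback plugin. Add `no_log: True` to both. The `ignore_errors: True` on the public-key task also deserves a reason in a comment or a narrower `failed_when`; as written, a failure to write the public key is swallowed and the mesh instance silently ends up with a secret but no matching key line.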


@ -2,7 +2,6 @@
- name: ensure correct ownership of /etc/fastd - name: ensure correct ownership of /etc/fastd
file: path=/etc/fastd state=directory mode=0750 owner=admin group=admin file: path=/etc/fastd state=directory mode=0750 owner=admin group=admin
become: True
- name: find ssh keyfile name for use with git - name: find ssh keyfile name for use with git
shell: grep IdentityFile ~/.ssh/config | awk '{print $2}' shell: grep IdentityFile ~/.ssh/config | awk '{print $2}'
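Review bot: now that `become` defaults to True, `shell: grep IdentityFile ~/.ssh/config` runs as root and `~` resolves to `/root`, not `/home/admin`, so this lookup will find nothing (or the wrong key) on a freshly provisioned host. The task needs `become: false` (as the git clone tasks in this change got), or an explicit path such as `/home/admin/.ssh/config`. The same check applies to every other task in this role that touches `~` or `$HOME` and did not previously set `become`.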


@ -1,25 +0,0 @@
---
- name: assert IPv4 DNS entry
local_action: shell dig A {{ inventory_hostname }} | egrep '^{{ inventory_hostname }}'
changed_when: False
when: "{{ require_dns | default('True') }}"
- name: assert IPv6 DNS entry
local_action: shell dig AAAA {{ inventory_hostname }} | egrep '^{{ inventory_hostname }}'
changed_when: False
when: "{{ require_dns | default('True') }}"
- name: test access to admin account (ssh key neccessary!)
command: "true"
changed_when: False
- name: test access to root account
command: "true"
changed_when: False
become: True
become_user: root
- name: fail on wrong OS type and version # TODO: include debian
fail: msg="unsupported OS type or version - {{ ansible_distribution }} {{ ansible_distribution_major_version }}"
when: not ( ( ansible_distribution=="Ubuntu" and ansible_distribution_major_version|int==14 ) or ( ansible_distribution=="Debian" and ansible_distribution_major_version|int==8 ) )
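Review bot: this file held the only guards that stopped a play from running against the wrong box: the DNS A/AAAA assertions, the admin and root access tests, and the OS gate (`Ubuntu 14` / `Debian 8`). The replacement `prerequisites` role is referenced by every playbook in this change but its tasks are not part of the diff, so please confirm it keeps at least the OS gate and the access tests. When it is rewritten, note two defects of this version that should not be copied: `when: "{{ require_dns | default('True') }}"` templates the condition (Ansible warns and the string `'True'` is compared rather than the boolean; use `when: require_dns | default(true) | bool`), and the `egrep '^{{ inventory_hostname }}'` check matches any name that merely starts with the hostname.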


@ -10,7 +10,6 @@
- block: - block:
- name: ensure needed system users are present - name: ensure needed system users are present
user: name=admin comment="Freifunk MWU Admin" shell=/bin/bash state=present user: name=admin comment="Freifunk MWU Admin" shell=/bin/bash state=present
become: True
- name: ensure all wanted ssh keys exclusively - name: ensure all wanted ssh keys exclusively
authorized_key: exclusive=True state=present user=admin authorized_key: exclusive=True state=present user=admin
@ -18,11 +17,9 @@
- name: ensure vim is default editor - name: ensure vim is default editor
alternatives: name=editor path=/usr/bin/vim.basic alternatives: name=editor path=/usr/bin/vim.basic
become: True
- name: set timezone to Europe/Berlin - name: set timezone to Europe/Berlin
timezone: name=Europe/Berlin timezone: name=Europe/Berlin
become: True
when: (ansible_managed_server is defined) and (ansible_managed_server) when: (ansible_managed_server is defined) and (ansible_managed_server)
# end block # end block
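Review bot: the block is still gated on `when: (ansible_managed_server is defined) and (ansible_managed_server)`, but the group_vars file that set `ansible_managed_server: True` is deleted in this same change, so unless another vars file defines it the whole block (admin user, exclusive key enforcement, editor, timezone) is skipped with no error on every host. Either define the variable in the new group vars or drop the gate now that the inventory only contains hosts that are meant to be fully managed.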

roles/git-repos/README.md Normal file

@ -0,0 +1,18 @@
# Ansible role git-repos
Diese Ansible role klont wichtige git Repositories.
- installiert git
- legt /home/admin/clones an
- klont alle git Repositories aus dem Dictionary `common_repos`
## Benötigte Variablen
- Dictionary `common_repos` # role variable
```
common_repos:
name: # name des Repositories == Ordner Name
repo_url: # HTTP-URL zum Repository
...
```
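Review bot: the documented `common_repos` structure omits `version`, but the role's clone task reads `item.value.version` unconditionally, so a dictionary written from this README fails with an undefined attribute. Add `version:` (branch, tag or commit) to the example and state that it is required; the key under `common_repos` is the directory name, which the README calls `name` but which is really the dictionary key, so `name:` as a nested field is misleading too.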


@ -0,0 +1,23 @@
---
- name: install git packages
package:
name: "{{ item }}"
state: present
with_items:
- git
- name: ensure git directory is present
file:
path: /home/admin/clones
state: directory
mode: 0755
owner: admin
group: admin
- name: clone git repositories
git:
repo: "{{ item.value.repo_url }}"
dest: "/home/admin/clones/{{ item.key }}"
version: "{{ item.value.version }}"
with_dict: "{{ common_repos }}"
become: false


@ -0,0 +1,11 @@
---
common_repos:
backend-scripts:
repo_url: https://github.com/freifunk-mwu/backend-scripts.git
version: ansible
icvpn-meta:
repo_url: https://github.com/freifunk/icvpn-meta.git
version: master
icvpn-scripts:
repo_url: https://github.com/freifunk/icvpn-scripts.git
version: master
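Review bot: all three clones track a branch (`ansible`, `master`, `master`), and two of them are third-party repositories (`freifunk/icvpn-meta`, `freifunk/icvpn-scripts`) whose content the gateways turn into BIRD peering configuration. With the `git` module's default `update: yes`, every run fast-forwards the working tree to whatever is on `master` at that moment, so a compromised or simply broken upstream commit reaches the routing daemons on the next play. Pin `version` to a commit (or a signed tag) and bump it on purpose, and if you must track a branch, at least keep the gateways on `update: no` with a separate, reviewed pull step.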


@ -0,0 +1,95 @@
---
- name: reload systemd
systemd:
daemon_reload: yes
- name: reload network interfaces
systemd:
name: networking
state: reloaded
- name: activate sysfs variables
systemd:
name: sysfsutils
state: restarted
- name: restart bind9
systemd:
name: bind9
state: restarted
- name: reload systemd unit bird
systemd:
name: bird
state: reloaded
- name: reload systemd unit bird6
systemd:
name: bird6
state: reloaded
- name: restart isc dhcp server
systemd:
name: isc-dhcp-server
enabled: yes
state: restarted
- name: restart fastd intragate instances
systemd:
name: "fastd@{{ item.0.id }}igvpn-{{ item.1.mtu }}"
state: restarted
with_subelements:
- "{{ meshes }}"
- fastd.intragate.instances
- name: restart fastd mesh instances
systemd:
name: "fastd@{{ item.0.id }}vpn-{{ item.1.mtu }}"
state: restarted
with_subelements:
- "{{ meshes }}"
- fastd.nodes.instances
- name: restart systemd unit radvd
systemd:
name: radvd
state: restarted
- name: restart respondd
systemd:
name: "respondd-{{ item.id }}"
state: restarted
with_items: "{{ meshes }}"
- name: restart systemd unit tinc
systemd:
name: tinc
enabled: yes
state: restarted
- name: restart systemd unit ffmwu-static-routes
systemd:
name: ffmwu-static-routes
state: restarted
- name: restart systemd unit ffmwu-ip-rules
systemd:
name: ffmwu-ip-rules
state: restarted
- name: restart respondd
systemd:
name: "respondd-{{ item.id }}"
state: restarted
with_items: "{{ meshes }}"
- name: iptables-restore
shell: iptables-restore < /etc/iptables/rules.v4
- name: ip6tables-restore
shell: ip6tables-restore < /etc/iptables/rules.v6
- name: reload nginx
systemd:
name: nginx
state: reloaded
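Review bot: `restart respondd` is defined twice with identical bodies; Ansible keeps the last definition, so it is harmless today but will bite when someone edits the first copy. Remove one. Also, `enabled: yes` inside the `restart isc dhcp server` and `restart systemd unit tinc` handlers means the unit is only enabled when something happened to notify the handler; a host whose config was already correct on first run never gets the service enabled at boot. Move `enabled: yes` into the tasks of the respective service roles and leave handlers to restart/reload only.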


@ -0,0 +1,6 @@
# Ansible role kmod-batman
Diese Ansible role installiert das Kernel Modul batman-adv:
- Linux Kernel Headers
- Kernel Modul batman-adv
- Userspace Tool batctl


@ -0,0 +1,19 @@
---
- name: install batman-module and linux headers
package:
name: "{{ item }}"
state: present
with_items:
- linux-headers-amd64
- batman-adv-dkms
- batctl
- name: configure batman module to load on system boot
template:
src: batman-adv.module.conf.j2
dest: /etc/modules-load.d/batman-adv.conf
- name: load batman module
modprobe:
name: "batman-adv"
state: present
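Review bot: `linux-headers-amd64` is a meta package that always pulls the headers for the newest kernel in the repo, which is only the running kernel after a reboot; when apt installs a newer kernel together with these headers, DKMS builds `batman-adv` for the new kernel and `modprobe batman-adv` in the last task can still fail on the old one. Installing `linux-headers-{{ ansible_kernel }}` alongside the meta package covers the running kernel, and the architecture is hard-coded, which the `ansible_architecture` fact could replace if non-amd64 hosts are ever added.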


@ -0,0 +1,5 @@
#
# Load batman-adv module on system boot
# {{ ansible_managed }}
#
batman-adv


@ -1,7 +1,7 @@
--- ---
- name: retrieve install iso - name: retrieve install iso
get_url: get_url:
checksum: "sha1:23dde0f195170d9fbe99547f9df75838acc95b5e" checksum: "sha1:23dde0f195170d9fbe99547f9df75838acc95b5e"
dest: "{{ vm_path }}/debian-8.6.0-amd64-i386-netinst.iso" dest: "{{ vm_path }}/debian-8.6.0-amd64-i386-netinst.iso"
force: no force: no
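Review bot: the installer image is verified with `sha1:`; Debian publishes `SHA256SUMS` (and `SHA512SUMS`) for its images and signs them, so switch `checksum:` to `sha256:` and take the value from the signed sums file rather than from a download. The checksum only proves integrity against the value written here, so note in a comment where it came from and that it was checked against the signed file.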
@ -24,7 +24,7 @@
loop_control: loop_control:
loop_var: lri_item loop_var: lri_item
delegate_to: 127.0.0.1 # local action delegate_to: 127.0.0.1 # local action
- name: manual intervention 1 - extract configs - name: manual intervention 1 - extract configs
debug: debug:
msg: | msg: |
@ -125,4 +125,3 @@
# remote_src: True # though remote equals local ... # remote_src: True # though remote equals local ...
# delegate_to: 127.0.0.1 # local action # delegate_to: 127.0.0.1 # local action
# register: primcopy # register: primcopy


@ -18,15 +18,14 @@
- name: ensure admin user - name: ensure admin user
user: comment="FFMWU Administrator" name=admin shell=/bin/bash state=present user: comment="FFMWU Administrator" name=admin shell=/bin/bash state=present
become: True
- name: ensure users ssh key to admin user - name: ensure users ssh key to admin user
authorized_key: user=admin key="{{ lookup('file', '~/.ssh/id_rsa.pub') }}" authorized_key: user=admin key="{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
exclusive=no exclusive=no
become: True
- name: ensure users ssh key to bootstrap user - name: ensure users ssh key to bootstrap user
authorized_key: user=hein key="{{ lookup('file', '~/.ssh/id_rsa.pub') }}" authorized_key: user=hein key="{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
become: false
- name: ensure no-pw sudo capability for admin and bootstrap user - name: ensure no-pw sudo capability for admin and bootstrap user
lineinfile: lineinfile:
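Review bot: both `authorized_key` tasks read `~/.ssh/id_rsa.pub` from the controller, so the bootstrap only works for an operator with exactly that file (ed25519 users and anyone with a non-default key name get a lookup error). Take the key from a variable (`bootstrap_pubkey`, say) or from `lookup('env','HOME')` plus a configurable file name, and document it in the role README.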
@ -35,8 +34,6 @@
line: "admin,hein ALL = (root) NOPASSWD: ALL" line: "admin,hein ALL = (root) NOPASSWD: ALL"
mode: 0440 mode: 0440
validate: visudo -c -f %s validate: visudo -c -f %s
become: True
- name: from this point on prevent pw for bootstrap user - name: from this point on prevent pw for bootstrap user
user: user=hein password=X user: user=hein password=X
become: True
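Review bot: after bootstrap the `hein` account keeps `NOPASSWD: ALL` sudo and the operator's SSH key permanently; the only thing removed is its password. Since `admin` is the account every role uses from here on, either remove `hein` (or at least its sudoers entry and authorized key) in a final task, or document why a second unattended root-equivalent account must stay. `password=X` does disable password login because `X` is not a valid hash, but `password='*'` or `'!'` is the conventional spelling and is what `passwd -l` would produce, so use one of those to make the intent obvious.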


@ -0,0 +1,46 @@
# Ansible role network-batman
Diese Ansible role konfiguriert batman-adv Netzwerk Interfaces.
- dummy interface pro mesh
- batman-adv interface pro mesh
- konfiguriert sysfs variablen:
- Hop Penalty pro batman-adv interface
## Benötigte Variablen
- Dictionary `meshes`
´´´
meshes:
- id: xx
...
ipv4_network:
...
batman:
it: # integer: originator interval
gw: # string: gateway mode
mm: # boolean: multicast mode
dat: # boolean: distributed arp table
hop_penalty: # integer: hop penalty
...
fastd:
nodes:
instances:
- id: 0 # integer
mtu: # integer
...
intragate:
instances:
- id: 0 # integer
mtu: # integer
...
´´´
- Host Variable `magic`
## MAC-Adressen
Die MAC-Adressen der Interfaces werden aus dem IPv4-Subnetz sowie der `magic`-Nummer des Hosts berechnet.
xx0-prefix: `02:00`
xxbat-prefix: `02:01`
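Review bot: the code fences are written with acute accents (`´´´`) instead of backticks, so the `meshes` example renders as a run-on paragraph rather than a code block. The same typo is in the READMEs of network-fastd, network-ffrl, network-iptables-gateway, network-meshbridge and network-routetables in this change; git-repos/README.md uses real backticks and is the one to copy.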


@ -0,0 +1,17 @@
---
- name: create dummy interfaces
template:
src: dummy.j2
dest: "/etc/network/interfaces.d/{{ item.id }}0"
notify: reload network interfaces
with_items: "{{ meshes }}"
- name: create batman interfaces
template:
src: batman.j2
dest: "/etc/network/interfaces.d/{{ item.id }}bat"
notify: reload network interfaces
with_items: "{{ meshes }}"
- name: flush handlers
meta: flush_handlers


@ -0,0 +1,15 @@
#jinja2: trim_blocks:False
{% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
{% set mac = '0201' + ip4hex -%}
#
# {{ ansible_managed }}
#
auto {{ item.id }}bat
iface {{ item.id }}bat
hwaddress {{ mac | hwaddr('linux') }}
batman-ifaces {{ item.id }}0 {% for instance in item.fastd.nodes.instances %}{{ item.id }}vpn-{{ instance.mtu }}{% if not loop.last %} {% endif %}{% endfor %} {% for instance in item.fastd.intragate.instances %}{{ item.id }}igvpn-{{ instance.mtu }}{% if not loop.last %} {% endif %}{% endfor %}
batman-hop-penalty {{ item.batman.hop_penalty }}
post-up /usr/sbin/batctl -m $IFACE it {{ item.batman.it }}
post-up /usr/sbin/batctl -m $IFACE gw {{ item.batman.gw }}
post-up /usr/sbin/batctl -m $IFACE mm {{ item.batman.mm }}
post-up /usr/sbin/batctl -m $IFACE dat {{ item.batman.dat }}


@ -0,0 +1,9 @@
{% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
{% set mac = '0200' + ip4hex -%}
#
# {{ ansible_managed }}
#
auto {{ item.id }}0
iface {{ item.id }}0
link-type dummy
hwaddress {{ mac | hwaddr('linux') }}


@ -0,0 +1,40 @@
# Ansible role network-fastd
Diese Ansible role konfiguriert Netzwerk Interfaces für die definierten fastd Instanzen.
Es wird zwischen node- und intragate-Instanzen unterschieden.
## Interface-Benamung
Node-Interfaces: $mesh.id + vpn + '-' + $mesh.fastd.nodes.instances.xx.mtu, z.B. "mzvpn-1312"
Intragate-Interfaces: $mesh.id + 'ig' + vpn + '-' + $mesh.fastd.intragate.instances.xx.mtu, z.B. "mzigvpn-1312"
## Benötigte Variablen
- Dictionary `meshes`
´´´
meshes:
- id: xx
...
ipv4_network:
...
fastd:
nodes:
instances:
- id: 0 # integer
mtu: # integer
...
intragate:
instances:
- id: 0 # integer
mtu: # integer
...
´´´
- Host Variable `magic`
## MAC-Adressen
Die MAC-Adressen der Interfaces werden aus dem IPv4-Subnetz sowie der `magic`-Nummer des Hosts berechnet.
xxvpn-$mtu prefix: `02:2x` # x = ID der fastd-Instanz
xxigvpn-$mtu prefix: `02:3x` # x = ID der fastd-Instanz


@ -0,0 +1,21 @@
---
- name: create fastd mesh interfaces
template:
src: fastd-mesh.j2
dest: "/etc/network/interfaces.d/{{ item.0.id }}vpn-{{ item.1.mtu }}"
notify: reload network interfaces
with_subelements:
- "{{ meshes }}"
- fastd.nodes.instances
- name: create fastd intragate interfaces
template:
src: fastd-intragate.j2
dest: "/etc/network/interfaces.d/{{ item.0.id }}igvpn-{{ item.1.mtu }}"
notify: reload network interfaces
with_subelements:
- "{{ meshes }}"
- fastd.intragate.instances
- name: flush handlers
meta: flush_handlers


@ -0,0 +1,8 @@
{% set ip4hex = item.0.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
{% set mac = '023' + item.1.id|string + ip4hex -%}
#
# {{ ansible_managed }}
#
auto {{ item.0.id }}igvpn-{{ item.1.mtu }}
iface {{ item.0.id }}igvpn-{{ item.1.mtu }}
hwaddress {{ mac | hwaddr('linux') }}


@ -0,0 +1,8 @@
{% set ip4hex = item.0.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
{% set mac = '022' + item.1.id|string + ip4hex -%}
#
# {{ ansible_managed }}
#
auto {{ item.0.id }}vpn-{{ item.1.mtu }}
iface {{ item.0.id }}vpn-{{ item.1.mtu }}
hwaddress {{ mac | hwaddr('linux') }}
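Review bot: `'022' + item.1.id|string + ip4hex` only yields a 12-digit MAC while `item.1.id` is a single digit; an instance id of 10 produces 13 hex digits, `hwaddr('linux')` then returns `False`, and the stanza is written as `hwaddress False`, which ifupdown2 rejects. Format the id as one hex digit (`'%x' % item.1.id`) and fail the template for ids outside 0..15, and apply the same fix to fastd-intragate.j2, which builds `'023' + item.1.id|string` the same way. The README's `02:2x` / `02:3x` notation already implies a hex nibble, so the template should match it.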


@ -0,0 +1,33 @@
# Ansible role network-ffrl
Diese Ansible role konfiguriert die GRE-Tunnel Interfaces, die für den Internet-Exit über Freifunk Rheinland benötigt werden.
## Benötigte Variablen
- Dictionary `ffrl_exit_server` (Host Variable)
´´´
ffrl_exit_server:
ffrl-a-ak-ber:
public_ipv4_address: 185.66.195.0
tunnel_ipv4_network: # IPv4 Tunnel Transfernetz
tunnel_ipv6_network: # IPv6 Tunnel Transfernetz
ffrl-b-ak-ber:
public_ipv4_address: 185.66.195.1
tunnel_ipv4_network:
tunnel_ipv6_network:
ffrl-a-ix-dus:
public_ipv4_address: 185.66.193.0
tunnel_ipv4_network:
tunnel_ipv6_network:
ffrl-b-ix-dus:
public_ipv4_address: 185.66.193.1
tunnel_ipv4_network:
tunnel_ipv6_network:
ffrl-a-fra2-fra:
public_ipv4_address: 185.66.194.0
tunnel_ipv4_network:
tunnel_ipv6_network:
ffrl-b-fra2-fra:
public_ipv4_address: 185.66.194.1
tunnel_ipv4_network:
tunnel_ipv6_network:
´´´


@ -0,0 +1,16 @@
---
- name: create ffrl interfaces
template:
src: ffrl.j2
dest: "/etc/network/interfaces.d/{{ item.key }}"
notify: reload network interfaces
with_dict: "{{ ffrl_exit_server }}"
- name: create ffrl-nat dummy interface
template:
src: ffrl_nat.j2
dest: "/etc/network/interfaces.d/ffrl-nat"
notify: reload network interfaces
- name: flush handlers
meta: flush_handlers


@ -0,0 +1,15 @@
#
# {{ ansible_managed }}
#
auto {{ item.key }}
iface {{ item.key }} inet tunnel
mode gre
local {{ ansible_default_ipv4.address | ipaddr('public') | ipaddr('address') }}
endpoint {{ item.value.public_ipv4_address | ipaddr('public') | ipaddr('address') }}
ttl 64
mtu 1400
tunnel-physdev {{ ansible_default_ipv4.interface }}
address {{ item.value.tunnel_ipv4_network | ipaddr('net') | ipaddr('1') | ipaddr('ip/prefix') }}
address {{ item.value.tunnel_ipv6_network | ipaddr('net') | ipaddr('2') | ipaddr('ip/prefix') }}
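Review bot: `ansible_default_ipv4.address | ipaddr('public')` returns an empty value when the default address is RFC1918 (a gateway behind NAT, or the local test VM on 192.168.137.0/24), so the template silently renders `local ` with no address and every GRE tunnel fails to come up with an unhelpful ifup error. Guard it with an `assert` task in the role (or a `{% if %}` that fails the template) and let the public address be overridden by a host variable. Also worth a comment in the template: these GRE tunnels carry no authentication or confidentiality, so the only thing tying traffic to the FFRL endpoint is the source address, which the firewall must actually check.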


@ -0,0 +1,7 @@
#
# {{ ansible_managed }}
#
auto ffrl-nat
iface ffrl-nat
link-type dummy
address {{ ffrl_public_ipv4_nat | ipaddr('host') }}


@ -0,0 +1,29 @@
# Ansible role network-iptables-gateway
Diese Ansible role konfiguriert iptables Regeln für IPv4+IPv6 eines Freifunk Gateways.
- installiert iptables+iptables-persistent
- schreibt rules.v4 + rules.v6
- setzt netfilter sysctl parameter
## Benötigte Variablen
- List `sysctl_settings_netfilter` (Rollen Variable)
´´´
sysctl_settings_netfilter:
- name: # sysctl-Parameter
value: # zu setzender Wert
´´´
- Dictionary `meshes`
´´´
meshes:
- id: xx
...
ipv4_network:
...
´´´
- Variable `internet_exit_tcp_mss_ipv4`
- Variable `internet_exit_tcp_mss_ipv6`
- Host Variable `ffrl_public_ipv4_nat` # Format ip-adresse/prefix


@ -0,0 +1,35 @@
---
- name: install iptables packages
package:
name: "{{ item }}"
state: present
with_items:
- iptables
- iptables-persistent
- name: load netfilter modules
modprobe:
name: "{{ item }}"
state: present
with_items:
- nf_conntrack
- nf_conntrack_ipv4
- name: set netfilter sysctl settings
sysctl:
name: "{{ item.name }}"
value: "{{ item.value }}"
state: present
with_items: "{{ sysctl_settings_netfilter }}"
- name: write iptables configuration
template:
src: rules.v4.j2
dest: /etc/iptables/rules.v4
notify: iptables-restore
- name: write ip6tables configuration
template:
src: rules.v6.j2
dest: /etc/iptables/rules.v6
notify: ip6tables-restore
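Review bot: `nf_conntrack` and `nf_conntrack_ipv4` are loaded with `modprobe` for the current boot only; nothing persists them (kmod-batman does it via `/etc/modules-load.d`, which is the pattern to copy). The `net.netfilter.*` sysctl keys only exist while the module is loaded, so whether the values written to `/etc/sysctl.conf` apply at boot depends on netfilter-persistent having loaded the module before procps runs `sysctl --system`; adding a modules-load.d file removes the race. Also consider flushing handlers at the end of this role so the rules are active before the service roles start, rather than at the end of the play.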


@ -0,0 +1,42 @@
#
# {{ ansible_managed }}
#
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -d {{ ansible_default_ipv4.address | ipaddr('public') }}/32 -p gre -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
{% for mesh_forward in meshes %}
{% for mesh_recursive in meshes recursive %}
{% if not mesh_forward.id == mesh_recursive.id %}
-A FORWARD -i {{ mesh_forward.id }}br -o {{ mesh_recursive.id }}br -j ACCEPT
{% endif %}
{% endfor %}
{% endfor %}
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s {{ ansible_default_ipv4.address | ipaddr('public') }}/32 -p gre -j ACCEPT
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ffrl+ -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss ! --mss 0:{{ internet_exit_tcp_mss_ipv4 }} -j TCPMSS --set-mss {{ internet_exit_tcp_mss_ipv4 }}
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:ffrl-nat - [0:0]
{% for mesh in meshes %}
-A POSTROUTING -s {{ mesh.ipv4_network | ipaddr('private') | ipaddr('net') }} -o ffrl+ -j ffrl-nat
{% endfor %}
-A ffrl-nat -o ffrl+ -j SNAT --to-source {{ ffrl_public_ipv4_nat | ipaddr('address') }}
COMMIT
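Review bot: `-A INPUT -d ... -p gre -j ACCEPT` accepts GRE from any source, and because the INPUT policy is `ACCEPT` the rule is redundant today and becomes the hole the day the policy is tightened. Loop over `ffrl_exit_server` and accept GRE only with `-s {{ item.value.public_ipv4_address }}`, then decide whether INPUT should default to DROP with explicit allows (ssh, fastd, bird, bind, dhcp, respondd); as written the filter table protects nothing but conntrack-INVALID traffic. Two smaller points: `{% for mesh_recursive in meshes recursive %}` uses Jinja's `recursive` loop modifier, which is meant for `loop()` calls and is pointless here, so drop it; and `mesh.ipv4_network | ipaddr('private')` renders empty for a non-RFC1918 mesh prefix, producing `-s  -o ffrl+` and a failed `iptables-restore`.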


@ -0,0 +1,35 @@
#
# {{ ansible_managed }}
#
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
{% for mesh_forward in meshes %}
{% for mesh_recursive in meshes recursive %}
{% if not mesh_forward.id == mesh_recursive.id %}
-A FORWARD -i {{ mesh_forward.id }}br -o {{ mesh_recursive.id }}br -j ACCEPT
{% endif %}
{% endfor %}
{% endfor %}
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ffrl+ -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss ! --mss 0:{{ internet_exit_tcp_mss_ipv6 }} -j TCPMSS --set-mss {{ internet_exit_tcp_mss_ipv6 }}
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
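Review bot: the IPv6 ruleset has the same `ACCEPT` INPUT policy as the IPv4 one, but here it matters more: the mesh bridges carry global and ULA addresses (network-meshbridge), so every daemon listening on `::` is reachable from every mesh client and, via the public prefix, from the internet. Decide on an explicit INPUT policy for v6 together with v4, and drop the stray `recursive` modifier from the FORWARD loop as in rules.v4.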


@ -0,0 +1,6 @@
---
sysctl_settings_netfilter:
- name: net.netfilter.nf_conntrack_tcp_timeout_established
value: 86400
- name: net.netfilter.nf_conntrack_max
value: 262140
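Review bot: raising `nf_conntrack_max` to 262140 without raising the hash table size just makes each bucket chain longer; the bucket count is a module parameter, not a sysctl, on older kernels such as jessie's (`net.netfilter.nf_conntrack_buckets` became writable only in newer kernels). Set `/sys/module/nf_conntrack/parameters/hashsize` to roughly a quarter of the maximum through the sysfsutils config this change already uses for the bridges, and document both values in the role README, which currently lists the variable but not why the numbers were chosen.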


@ -0,0 +1,30 @@
# Ansible role network-meshbridge
Diese Ansible role konfiguriert die Linux Bridges für die Freifunk Meshes.
- linux bridge pro mesh inklusive IP-Konfiguration
- konfiguriert sysfs variablen:
- hash_max
## Benötigte Variablen
- Dictionary `meshes`
´´´
meshes:
-id: xx
...
ipv4_network:
...
ipv6_ula:
- fdxx.../48 # ipv6 ula prefix
ipv6_public:
- 2xxx.../48 # ipv6 public prefix
´´´
- Host Variable `magic`
## MAC-Adressen
Die MAC-Adressen der Interfaces werden aus dem IPv4-Subnetz sowie der `magic`-Nummer des Hosts berechnet.
xxbr-prefix: `02:10`
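Review bot: the `meshes` example has `-id: xx` without a space after the dash, so as YAML it is a mapping with the key `-id` rather than a list item; anyone copying it gets a structure the templates cannot iterate. Fix to `- id: xx` (the other READMEs have it right), and replace the `´´´` fences with backticks so the block renders.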


@ -0,0 +1,17 @@
---
- name: create mesh bridges
template:
src: bridge.j2
dest: "/etc/network/interfaces.d/{{ item.id }}br"
notify: reload network interfaces
with_items: "{{ meshes }}"
- name: set sysfs variables
template:
src: sysfs.j2
dest: "/etc/sysfs.d/99-{{ item.id }}br.conf"
with_items: "{{ meshes }}"
notify: activate sysfs variables
- name: flush handlers
meta: flush_handlers
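Review bot: the `set sysfs variables` task writes `/etc/sysfs.d/99-{{ item.id }}br.conf`, which is only applied by the `sysfsutils` service; nothing in this role installs that package or declares a dependency on a role that does, so on a minimal host the file is written and the `activate sysfs variables` handler has nothing to run. Either add the package (or a role dependency) here or document the requirement. Both template tasks also omit `owner`, `group` and `mode`, unlike the network-routing tasks in this commit; set them for consistency.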

View file

@ -0,0 +1,17 @@
{% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
{% set mac = '0210' + ip4hex -%}
#
# {{ ansible_managed }}
#
auto {{ item.id }}br
iface {{ item.id }}br
# hwaddress {{ mac | hwaddr('linux') }} <-- preferred way, not working - ipv6 addresses not set on boot
pre-up /sbin/ip link set address {{ mac | hwaddr('linux') }} dev $IFACE # ^^^ dirty workaround to get rid of
address {{ item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('ip/prefix') }}
{% for prefix in item.ipv6_ula %}
address {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('ip/prefix') }}
{% endfor %}
{% for prefix in item.ipv6_public %}
address {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('ip/prefix') }}
{% endfor %}
bridge-ports {{ item.id }}bat
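Review bot: the `pre-up` line ends in a comment that is cut off mid-sentence (`# ^^^ dirty workaround to get rid of`); finish it or move the explanation onto its own `#` line next to the commented `hwaddress` line, since that trailing text is the only documentation of why `hwaddress` is not used. The MAC derivation (`0210` followed by the hex form of the host's IPv4 address) keeps the locally administered bit set, which is correct, but deserves a comment so the prefix is not changed later. Also check whether the workaround is still needed with ifupdown2, which this commit switches to; if `hwaddress` works there, the `pre-up` hack can go.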

View file

@ -0,0 +1,4 @@
#
# {{ ansible_managed }}
#
class/net/{{ item.id }}br/bridge/hash_max = 16384

View file

@ -0,0 +1,12 @@
# Ansible role network-routetables
Diese Ansible role legt die erforderlichen routing tables an.
## Benötigte Variablen
- `routing_tables`
´´´
routing_tables:
$name: # integer
´´´
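Review bot: the example uses `´´´` as fence delimiters, so it does not render as a code block, and `$name: # integer` would be clearer as `<table name>: <table id>` with one concrete pair, since the task in this role uses the key as the table name and the value as the numeric id.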

View file

@ -0,0 +1,8 @@
---
- name: create routing tables
lineinfile:
path: /etc/iproute2/rt_tables
regexp: '^{{ item.value }}'
line: "{{ item.value }}{{ '\t' }}{{ item.key }}"
state: present
with_dict: "{{ routing_tables }}"
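Review bot: `regexp: '^{{ item.value }}'` only anchors the start of the line, so a table id of `2` also matches the stock entries `253 default`, `254 main` and `255 local`, and `lineinfile` then replaces the last matching line, i.e. it can overwrite a built-in table. Anchor the id as a whole field, e.g. `regexp: '^{{ item.value }}\s'`, and consider `'^{{ item.value }}\s+{{ item.key }}$'` if the role should also notice a renamed id. Without this the task is not idempotent either: a second run with a different `routing_tables` value can remove the entry written by the first.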

View file

@ -0,0 +1,33 @@
# Ansible role network-routing
Diese Ansible role konfiguriert System Einstellung bzgl. IP Routing.
- konfiguriert statische Routen (systemd Unit)
- Mesh Routen für die Routing Tabelle `mwu`
- Blackhole Routes für die Routing Tabellen `internet` + `main`
- konfiguriert IP rules (systemd Unit)
- konfiguriert sysctl Parameter
## Benötigte Variablen
- Dictionary `meshes`
´´´
meshes:
- id: xx
...
site_name:
ipv4_network:
ipv6_ula:
ipv6_public:
´´´
- List `sysctl_settings_gateway` (Rollen-Variable)
```
sysctl_settings_routing:
- name: # sysctl-Parameter
value: # zu setzender Wert
...
- Host Variable `ffrl_public_ipv4_nat` # Format ip-adresse/prefix
- Host Dictionary `ffrl_exit_server
´´´
- Host Variable `magic`
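Review bot: the fences in this README are inconsistent: the `meshes` block uses `´´´`, the sysctl block opens with three backticks and is closed with `´´´` several lines later, so the `ffrl_public_ipv4_nat` and `ffrl_exit_server` bullets end up inside the code block when rendered, and the backtick after `ffrl_exit_server` is never closed. The bullet names the list `sysctl_settings_gateway` while the example and the role defaults call it `sysctl_settings_routing`; align the name. Since the role sets `rp_filter = 0`, the README should say so and why (policy routing), as that is a security-relevant change.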

View file

@ -0,0 +1,61 @@
---
- name: write systemd unit ffmwu-static-routes.service
template:
src: ffmwu-static-routes.service.j2
dest: /etc/systemd/system/ffmwu-static-routes.service
owner: root
group: root
mode: 0644
notify: reload systemd
- name: write static route scripts
template:
src: "{{ item }}.j2"
dest: "/usr/local/bin/{{ item }}"
owner: root
group: root
mode: 0750
with_items:
- ffmwu-add-static-routes.sh
- ffmwu-del-static-routes.sh
notify: restart systemd unit ffmwu-static-routes
- name: enable systemd unit ffmwu-static-routes.service
systemd:
name: ffmwu-static-routes
enabled: yes
state: started
- name: write systemd unit ffmwu-ip-rules.service
template:
src: ffmwu-ip-rules.service.j2
dest: /etc/systemd/system/ffmwu-ip-rules.service
owner: root
group: root
mode: 0644
notify: reload systemd
- name: write ip rule scripts
template:
src: "{{ item }}.j2"
dest: "/usr/local/bin/{{ item }}"
owner: root
group: root
mode: 0750
with_items:
- ffmwu-add-ip-rules.sh
- ffmwu-del-ip-rules.sh
notify: restart systemd unit ffmwu-ip-rules
- name: enable systemd unit ffmwu-ip-rules.service
systemd:
name: ffmwu-ip-rules
enabled: yes
state: started
- name: set freifunk gateway sysctl settings
sysctl:
name: "{{ item.name }}"
value: "{{ item.value }}"
state: present
with_items: "{{ sysctl_settings_routing }}"
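Review bot: the two `enable systemd unit` tasks start the units immediately, while the `restart systemd unit ...` handlers only run at the end of the play. When the add/del scripts change on an already configured host, the restart runs the freshly written del script against rules and routes that the previous version of the add script installed, so anything the old version added and the new one no longer knows about stays behind. Consider stopping the unit before the templates are overwritten (run the template task once with `check_mode: yes`, `register` the result, and stop the unit when it reports `changed`), and move the `sysctl` task ahead of the unit starts, since `ip_forward` and `rp_filter` change what the installed rules do.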

View file

@ -0,0 +1,82 @@
#!/bin/sh
#
# {{ ansible_managed }}
#
# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
{% for mesh in meshes %}
ip -4 rule add from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
ip -4 rule add to {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
ip -4 rule add from all oif {{ mesh.id }}br lookup mwu priority 7
{% for ula in mesh.ipv6_ula %}
ip -6 rule add from {{ ula }} lookup mwu priority 7
ip -6 rule add to {{ ula }} lookup mwu priority 7
{% endfor %}
{% for public in mesh.ipv6_public %}
ip -6 rule add from {{ public }} lookup mwu priority 7
ip -6 rule add to {{ public }} lookup mwu priority 7
{% endfor %}
ip -6 rule add from all oif {{ mesh.id }}br lookup mwu priority 7
{% endfor %}
# Priority 23 - lookup rt_table icvpn for all incoming traffic of freifunk bridges
{% for mesh in meshes %}
ip -4 rule add from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23
ip -4 rule add to {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23
ip -4 rule add from all oif {{ mesh.id }}br lookup icvpn priority 23
{% for ula in mesh.ipv6_ula %}
ip -6 rule add from {{ ula }} lookup icvpn priority 23
ip -6 rule add to {{ ula }} lookup icvpn priority 23
{% endfor %}
{% for public in mesh.ipv6_public %}
ip -6 rule add from {{ public }} lookup icvpn priority 23
ip -6 rule add to {{ public }} lookup icvpn priority 23
{% endfor %}
ip -6 rule add from all oif {{ mesh.id }}br lookup icvpn priority 23
{% endfor %}
ip -4 rule add from all oif icvpn lookup icvpn priority 23
ip -6 rule add from all oif icvpn lookup icvpn priority 23
# Priority 41 - lookup rt_table internet for all incoming traffic of freifunk bridges
{% for mesh in meshes %}
ip -4 rule add from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup internet priority 41
{% for ula in mesh.ipv6_ula %}
ip -6 rule add from {{ ula }} lookup internet priority 41
ip -6 rule add to {{ ula }} lookup internet priority 41
{% endfor %}
{% for public in mesh.ipv6_public %}
ip -6 rule add from {{ public }} lookup internet priority 41
ip -6 rule add to {{ public }} lookup internet priority 41
{% endfor %}
ip -6 rule add from all oif {{ mesh.id }}br lookup internet priority 41
{% endfor %}
ip -4 rule add from {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41
ip -4 rule add to {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41
# Priority 61 - at this point this is the end of policy routing for freifunk related routes
{% for mesh in meshes %}
ip -4 rule add from all iif {{ mesh.id }}br type unreachable priority 61
ip -6 rule add from all iif {{ mesh.id }}br type unreachable priority 61
{% endfor %}
ip -4 rule add from all iif icvpn type unreachable priority 61
ip -4 rule add from all iif {{ ansible_default_ipv4.interface }} type unreachable priority 61
{% for server_id, server_value in ffrl_exit_server.iteritems() %}
ip -4 rule add from all iif {{ server_id }} type unreachable priority 61
ip -6 rule add from all iif {{ server_id }} type unreachable priority 61
{% endfor %}
ip -6 rule add from all iif icvpn type unreachable priority 61
ip -6 rule add from all iif {{ ansible_default_ipv6.interface }} type unreachable priority 61
{% for mesh in meshes %}
{% for public in mesh.ipv6_public %}
ip -6 rule add from {{ public }} type unreachable priority 61
ip -6 rule add to {{ public }} type unreachable priority 61
{% endfor %}
{% endfor %}
# Priority 107 - lookup policies for the gateway host self originating traffic
ip -4 rule add from all lookup mwu priority 107
ip -4 rule add from all lookup icvpn priority 107
ip -6 rule add from all lookup mwu priority 107
ip -6 rule add from all lookup icvpn priority 107
exit 0
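Review bot: `ffrl_exit_server.iteritems()` only exists on Python 2 dicts; when the controller runs Ansible under Python 3 the template fails to render, so use `.items()`, which works on both. The script also ends in an unconditional `exit 0` and has no `set -e`, so a failed `ip rule add` leaves the unit `active` with a partial rule set; the priority 61 `type unreachable` rules are what keeps mesh-originated traffic from falling through to the main table, so a silent failure there is a real security regression. Drop the `exit 0` and add `set -e` so the unit shows as failed. Two smaller points: the IPv4 rules hard-code `/16` after `ipaddr('network')` while the static-routes script uses `mesh.ipv4_network` as given, so use `ipaddr('subnet')` in both to avoid a mismatch if a mesh is not a /16; and the priority 41 block has `from all oif {{ mesh.id }}br` for IPv6 but not for IPv4, which looks unintentional.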

View file

@ -0,0 +1,66 @@
#!/bin/sh
#
# {{ ansible_managed }}
#
{% for mesh in meshes %}
# static {{ mesh.site_name }} routes for rt_table mwu
/sbin/ip -4 route add {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}br table mwu
{% for ula in mesh.ipv6_ula %}
/sbin/ip -6 route add {{ ula | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}br table mwu
{% endfor %}
{% for public in mesh.ipv6_public %}
/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}br table mwu
/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(56, magic) | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}br table mwu
{% endfor %}
{% if not loop.last %}
{% endif %}
{% endfor %}
# static blackhole routes for rt_table internet
/sbin/ip -4 route add blackhole 0.0.0.0/8 table internet
/sbin/ip -4 route add blackhole 10.0.0.0/8 table internet
/sbin/ip -4 route add blackhole 100.64.0.0/10 table internet
/sbin/ip -4 route add blackhole 127.0.0.0/8 table internet
/sbin/ip -4 route add blackhole 169.254.0.0/16 table internet
/sbin/ip -4 route add blackhole 172.16.0.0/12 table internet
/sbin/ip -4 route add blackhole 192.0.0.0/24 table internet
/sbin/ip -4 route add blackhole 192.0.2.0/24 table internet
/sbin/ip -4 route add blackhole 192.88.99.0/24 table internet
/sbin/ip -4 route add blackhole 192.168.0.0/16 table internet
/sbin/ip -4 route add blackhole 198.18.0.0/15 table internet
/sbin/ip -4 route add blackhole 198.51.100.0/24 table internet
/sbin/ip -4 route add blackhole 203.0.113.0/24 table internet
/sbin/ip -4 route add blackhole 224.0.0.0/4 table internet
/sbin/ip -4 route add blackhole 240.0.0.0/4 table internet
/sbin/ip -4 route add blackhole 255.255.255.255/32 table internet
/sbin/ip -6 route add blackhole fec0::/10 table internet
/sbin/ip -6 route add blackhole fc00::/7 table internet
/sbin/ip -6 route add blackhole ff00::/8 table internet
/sbin/ip -6 route add blackhole ::/96 table internet
/sbin/ip -6 route add blackhole 0:0:0:0:0:ffff::/96 table internet
# static blackhole routes for rt_table main
/sbin/ip -4 route add blackhole 0.0.0.0/8 table main
/sbin/ip -4 route add blackhole 10.0.0.0/8 table main
/sbin/ip -4 route add blackhole 100.64.0.0/10 table main
/sbin/ip -4 route add blackhole 127.0.0.0/8 table main
/sbin/ip -4 route add blackhole 169.254.0.0/16 table main
/sbin/ip -4 route add blackhole 172.16.0.0/12 table main
/sbin/ip -4 route add blackhole 192.0.0.0/24 table main
/sbin/ip -4 route add blackhole 192.0.2.0/24 table main
/sbin/ip -4 route add blackhole 192.88.99.0/24 table main
/sbin/ip -4 route add blackhole 192.168.0.0/16 table main
/sbin/ip -4 route add blackhole 198.18.0.0/15 table main
/sbin/ip -4 route add blackhole 198.51.100.0/24 table main
/sbin/ip -4 route add blackhole 203.0.113.0/24 table main
/sbin/ip -4 route add blackhole 224.0.0.0/4 table main
/sbin/ip -4 route add blackhole 240.0.0.0/4 table main
/sbin/ip -4 route add blackhole 255.255.255.255/32 table main
/sbin/ip -6 route add blackhole fec0::/10 table main
/sbin/ip -6 route add blackhole fc00::/7 table main
/sbin/ip -6 route add blackhole ff00::/8 table main
/sbin/ip -6 route add blackhole ::/96 table main
/sbin/ip -6 route add blackhole 0:0:0:0:0:ffff::/96 table main
/sbin/ip -6 route add blackhole ::/0 table main
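Review bot: the second public-prefix route (`ipsubnet(56, magic) | ipsubnet(64, 0)`) is not what the matching del script removes; that file uses `ipsubnet(64, magic)`, which is a different /64, so on stop the route stays in table `mwu`. Render both scripts from one template with an action variable (`ip -6 route {{ action }} ...`) so add and del cannot diverge. The `{% if not loop.last %}{% endif %}` block is empty and can go. Unlike the ip-rules script this one has neither `set -e` nor `exit 0`, so the unit result is just the exit code of the final `::/0` blackhole route; add `set -e` so a failed mesh route (for example because `{{ mesh.id }}br` is not up yet when the unit runs) is reported instead of lost.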

View file

@ -0,0 +1,82 @@
#!/bin/sh
#
# {{ ansible_managed }}
#
# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
{% for mesh in meshes %}
ip -4 rule del from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
ip -4 rule del to {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
ip -4 rule del from all oif {{ mesh.id }}br lookup mwu priority 7
{% for ula in mesh.ipv6_ula %}
ip -6 rule del from {{ ula }} lookup mwu priority 7
ip -6 rule del to {{ ula }} lookup mwu priority 7
{% endfor %}
{% for public in mesh.ipv6_public %}
ip -6 rule del from {{ public }} lookup mwu priority 7
ip -6 rule del to {{ public }} lookup mwu priority 7
{% endfor %}
ip -6 rule del from all oif {{ mesh.id }}br lookup mwu priority 7
{% endfor %}
# Priority 23 - lookup rt_table icvpn for all incoming traffic of freifunk bridges
{% for mesh in meshes %}
ip -4 rule del from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23
ip -4 rule del to {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23
ip -4 rule del from all oif {{ mesh.id }}br lookup icvpn priority 23
{% for ula in mesh.ipv6_ula %}
ip -6 rule del from {{ ula }} lookup icvpn priority 23
ip -6 rule del to {{ ula }} lookup icvpn priority 23
{% endfor %}
{% for public in mesh.ipv6_public %}
ip -6 rule del from {{ public }} lookup icvpn priority 23
ip -6 rule del to {{ public }} lookup icvpn priority 23
{% endfor %}
ip -6 rule del from all oif {{ mesh.id }}br lookup icvpn priority 23
{% endfor %}
ip -4 rule del from all oif icvpn lookup icvpn priority 23
ip -6 rule del from all oif icvpn lookup icvpn priority 23
# Priority 41 - lookup rt_table internet for all incoming traffic of freifunk bridges
{% for mesh in meshes %}
ip -4 rule del from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup internet priority 41
{% for ula in mesh.ipv6_ula %}
ip -6 rule del from {{ ula }} lookup internet priority 41
ip -6 rule del to {{ ula }} lookup internet priority 41
{% endfor %}
{% for public in mesh.ipv6_public %}
ip -6 rule del from {{ public }} lookup internet priority 41
ip -6 rule del to {{ public }} lookup internet priority 41
{% endfor %}
ip -6 rule del from all oif {{ mesh.id }}br lookup internet priority 41
{% endfor %}
ip -4 rule del from {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41
ip -4 rule del to {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41
# Priority 61 - at this point this is the end of policy routing for freifunk related routes
{% for mesh in meshes %}
ip -4 rule del from all iif {{ mesh.id }}br type unreachable priority 61
ip -6 rule del from all iif {{ mesh.id }}br type unreachable priority 61
{% endfor %}
ip -4 rule del from all iif icvpn type unreachable priority 61
ip -4 rule del from all iif {{ ansible_default_ipv4.interface }} type unreachable priority 61
{% for server_id, server_value in ffrl_exit_server.iteritems() %}
ip -4 rule del from all iif {{ server_id }} type unreachable priority 61
ip -6 rule del from all iif {{ server_id }} type unreachable priority 61
{% endfor %}
ip -6 rule del from all iif icvpn type unreachable priority 61
ip -6 rule del from all iif {{ ansible_default_ipv6.interface }} type unreachable priority 61
{% for mesh in meshes %}
{% for public in mesh.ipv6_public %}
ip -6 rule del from {{ public }} type unreachable priority 61
ip -6 rule del to {{ public }} type unreachable priority 61
{% endfor %}
{% endfor %}
# Priority 107 - lookup policies for the gateway host self originating traffic
ip -4 rule del from all lookup mwu priority 107
ip -4 rule del from all lookup icvpn priority 107
ip -6 rule del from all lookup mwu priority 107
ip -6 rule del from all lookup icvpn priority 107
exit 0
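Review bot: this file is a line-for-line copy of the add script with `add` replaced by `del`, including the Python-2-only `ffrl_exit_server.iteritems()` (use `.items()`). Keeping two mirrored scripts of this size in sync by hand is how the static-routes pair in this commit already diverged; render both from a single template with a variable, e.g. `ip -4 rule {{ rule_action }} ...` and `vars: rule_action: del` on the template task, so a rule installed by the unit is guaranteed to be the rule removed on stop.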

View file

@ -0,0 +1,66 @@
#!/bin/sh
#
# {{ ansible_managed }}
#
{% for mesh in meshes %}
# static {{ mesh.site_name }} routes for rt_table mwu
/sbin/ip -4 route del {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}br table mwu
{% for ula in mesh.ipv6_ula %}
/sbin/ip -6 route del {{ ula | ipaddr('net') | ipsubnet(64, 0) }} proto static dev {{ mesh.id }}br table mwu
{% endfor %}
{% for public in mesh.ipv6_public %}
/sbin/ip -6 route del {{ public | ipaddr('net') | ipsubnet(64, 0) }} proto static dev {{ mesh.id }}br table mwu
/sbin/ip -6 route del {{ public | ipaddr('net') | ipsubnet(64, magic) }} proto static dev {{ mesh.id }}br table mwu
{% endfor %}
{% if not loop.last %}
{% endif %}
{% endfor %}
# static blackhole routes for rt_table internet
/sbin/ip -4 route del blackhole 0.0.0.0/8 table internet
/sbin/ip -4 route del blackhole 10.0.0.0/8 table internet
/sbin/ip -4 route del blackhole 100.64.0.0/10 table internet
/sbin/ip -4 route del blackhole 127.0.0.0/8 table internet
/sbin/ip -4 route del blackhole 169.254.0.0/16 table internet
/sbin/ip -4 route del blackhole 172.16.0.0/12 table internet
/sbin/ip -4 route del blackhole 192.0.0.0/24 table internet
/sbin/ip -4 route del blackhole 192.0.2.0/24 table internet
/sbin/ip -4 route del blackhole 192.88.99.0/24 table internet
/sbin/ip -4 route del blackhole 192.168.0.0/16 table internet
/sbin/ip -4 route del blackhole 198.18.0.0/15 table internet
/sbin/ip -4 route del blackhole 198.51.100.0/24 table internet
/sbin/ip -4 route del blackhole 203.0.113.0/24 table internet
/sbin/ip -4 route del blackhole 224.0.0.0/4 table internet
/sbin/ip -4 route del blackhole 240.0.0.0/4 table internet
/sbin/ip -4 route del blackhole 255.255.255.255/32 table internet
/sbin/ip -6 route del blackhole fec0::/10 table internet
/sbin/ip -6 route del blackhole fc00::/7 table internet
/sbin/ip -6 route del blackhole ff00::/8 table internet
/sbin/ip -6 route del blackhole ::/96 table internet
/sbin/ip -6 route del blackhole 0:0:0:0:0:ffff::/96 table internet
# static blackhole routes for rt_table main
/sbin/ip -4 route del blackhole 0.0.0.0/8 table main
/sbin/ip -4 route del blackhole 10.0.0.0/8 table main
/sbin/ip -4 route del blackhole 100.64.0.0/10 table main
/sbin/ip -4 route del blackhole 127.0.0.0/8 table main
/sbin/ip -4 route del blackhole 169.254.0.0/16 table main
/sbin/ip -4 route del blackhole 172.16.0.0/12 table main
/sbin/ip -4 route del blackhole 192.0.0.0/24 table main
/sbin/ip -4 route del blackhole 192.0.2.0/24 table main
/sbin/ip -4 route del blackhole 192.88.99.0/24 table main
/sbin/ip -4 route del blackhole 192.168.0.0/16 table main
/sbin/ip -4 route del blackhole 198.18.0.0/15 table main
/sbin/ip -4 route del blackhole 198.51.100.0/24 table main
/sbin/ip -4 route del blackhole 203.0.113.0/24 table main
/sbin/ip -4 route del blackhole 224.0.0.0/4 table main
/sbin/ip -4 route del blackhole 240.0.0.0/4 table main
/sbin/ip -4 route del blackhole 255.255.255.255/32 table main
/sbin/ip -6 route del blackhole fec0::/10 table main
/sbin/ip -6 route del blackhole fc00::/7 table main
/sbin/ip -6 route del blackhole ff00::/8 table main
/sbin/ip -6 route del blackhole ::/96 table main
/sbin/ip -6 route del blackhole 0:0:0:0:0:ffff::/96 table main
/sbin/ip -6 route del blackhole ::/0 table main
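Review bot: the public-prefix line with `ipsubnet(64, magic)` does not match the add script, which installs `ipsubnet(56, magic) | ipsubnet(64, 0)`; the del therefore targets a different /64 and the route installed on start survives a stop. The `ula` and `public` lines also drop the trailing `ipaddr('subnet')` the add script uses (harmless, since `ipsubnet` already returns a prefix, but another sign the two files were edited separately). Same recommendation as for the ip-rules scripts: one template, one action variable.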

View file

@ -0,0 +1,12 @@
[Unit]
Description=Manage Freifunk MWU IP rules
After=network-online.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/bin/ffmwu-add-ip-rules.sh
ExecStop=/usr/local/bin/ffmwu-del-ip-rules.sh
[Install]
WantedBy=multi-user.target
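Review bot: `After=network-online.target` orders the unit but does not pull the target in; add `Wants=network-online.target` (and the same in the static-routes unit), otherwise on a host where nothing else wants that target the rules can be installed before the network is up. `Type=oneshot` with `RemainAfterExit=yes` is the right shape for add/del scripts, but with the add script ending in `exit 0` a failure during `ExecStart` is never reflected in the unit state; that has to be fixed in the script rather than here.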

View file

@ -0,0 +1,12 @@
[Unit]
Description=Manage Freifunk MWU static routes
After=network-online.target networking.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/bin/ffmwu-add-static-routes.sh
ExecStop=/usr/local/bin/ffmwu-del-static-routes.sh
[Install]
WantedBy=multi-user.target
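Review bot: as for the ip-rules unit, `After=` alone does not activate `network-online.target`; add `Wants=network-online.target`. The routes in `ffmwu-add-static-routes.sh` are bound to `dev {{ mesh.id }}br`, so this unit really depends on the bridges being up: ordering after `networking.service` covers the boot case, but a later `ifdown`/`ifup` of a bridge removes its device routes and nothing re-runs this unit. Either trigger it from the interface configuration (a `post-up` hook, or `BindsTo=` on the bridge's `.device` unit) or document that the unit has to be restarted after interface changes.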

View file

@ -0,0 +1,14 @@
---
sysctl_settings_routing:
- name: net.ipv4.ip_forward
value: 1
- name: net.ipv4.conf.default.rp_filter
value: 0
- name: net.ipv4.conf.all.rp_filter
value: 0
- name: net.ipv6.conf.all.forwarding
value: 1
- name: net.ipv6.conf.all.accept_ra
value: 0
- name: net.ipv6.conf.default.accept_ra
value: 0
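Review bot: `net.ipv4.conf.all.rp_filter = 0` together with `default.rp_filter = 0` turns reverse-path filtering off on every interface, so the only anti-spoofing left for mesh-originated traffic is the set of `type unreachable` rules at priority 61 in the ip-rules script. If strict mode breaks the policy routing, loose mode (`rp_filter = 2`, which accepts a packet as long as its source is reachable via any interface) usually still works with multiple tables and keeps a baseline check; at minimum add a comment here explaining the choice. For a router, `net.ipv4.conf.all.send_redirects = 0` and `accept_redirects = 0` (v4 and v6) are also worth setting alongside `accept_ra = 0`.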

View file

@ -21,7 +21,6 @@
with_items: "{{ (pkg_repo_list|default({})).repo_keys | default([]) }}" with_items: "{{ (pkg_repo_list|default({})).repo_keys | default([]) }}"
loop_control: loop_control:
loop_var: pkg_item loop_var: pkg_item
become: True
# see defaults in with - when: (pkg_repo_list is defined) and (pkg_repo_list.repo_keys is defined) # see defaults in with - when: (pkg_repo_list is defined) and (pkg_repo_list.repo_keys is defined)
- name: ensure defined apt repos - name: ensure defined apt repos
@ -33,7 +32,6 @@
with_items: "{{ (pkg_repo_list|default({})).repos | default([]) }}" with_items: "{{ (pkg_repo_list|default({})).repos | default([]) }}"
loop_control: loop_control:
loop_var: pkg_item loop_var: pkg_item
become: True
# see defaults in with - when: (pkg_repo_list is defined) and (pkg_repo_list.repos is defined) # see defaults in with - when: (pkg_repo_list is defined) and (pkg_repo_list.repos is defined)
# see defaults in with - when: pkg_repo_list is defined # see defaults in with - when: pkg_repo_list is defined
@ -48,7 +46,6 @@
with_items: "{{meshing_pkg_pkg_list | default([])}}" with_items: "{{meshing_pkg_pkg_list | default([])}}"
loop_control: loop_control:
loop_var: mwu_m_item loop_var: mwu_m_item
become: True
# see default in with - when: meshing_pkg_pkg_list is defined # see default in with - when: meshing_pkg_pkg_list is defined
- name: ensure defined python libs - name: ensure defined python libs
@ -56,7 +53,6 @@
with_items: "{{meshing_pkg_pip_list | default([])}}" with_items: "{{meshing_pkg_pip_list | default([])}}"
loop_control: loop_control:
loop_var: mwu_m_item loop_var: mwu_m_item
become: True
# see default in with - when: meshing_pkg_pip_list is defined # see default in with - when: meshing_pkg_pip_list is defined
when: (really_do is defined) and (really_do) when: (really_do is defined) and (really_do)
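Review bot: dropping `become: True` from these tasks is consistent with the new `become` default in `ansible.cfg`, but the role now silently depends on that setting; a role reused elsewhere should either keep `become: True` on the tasks that need it or state the requirement in its README. The commented-out `when:` lines (`# see defaults in with - when: ...`) are dead code left behind when the `default([])` filters were introduced and can be removed, and the trailing `when: (really_do is defined) and (really_do)` can be simplified to `when: really_do | default(false)`.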

View file

@ -0,0 +1,18 @@
# Ansible role prerequisites
Diese Ansible role prüft ob die Voraussetzungen für ein Freifunk Gateway erfüllt sind.
- Forward-DNS Eintrag $FQDN == ausgelesener IPv4-Adresse
- Forward-DNS Eintrag $FQDN == ausgelesener IPv6-Adresse
- CNAME Eintrag gate$magic.freifunk-mwu.de == $FQDN
- CNAME Eintrag icvpn$magic.freifunk-mwu.de == $FQDN
- Linux Distribution == Debian
- Debian Version == 9
## Benötigte Variablen
Die folgenden Variablen werden über einen DNS Lookup gesetzt:
- Variable `dns_host_ipv4_address` (Rollen-Variable)
- Variable `dns_host_ipv6_address` (Rollen-Variable)
- Variable `dns_gate_num_cname` (Rollen-Variable)
- Variable `dns_gate_icvpn_cname` (Rollen-Variable)
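Review bot: the README states the CNAMEs as `gate$magic.freifunk-mwu.de` and `icvpn$magic.freifunk-mwu.de`, but the role defaults build them from `http_domain_external`; and it lists only the four lookup results under required variables, while `magic`, `http_domain_external` and an `inventory_hostname` equal to the host's FQDN are the inputs a user actually has to provide. List those, and mention the root-access test the task file performs.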

View file

@ -0,0 +1,15 @@
---
- name: Check DNS entries and target distribution
assert:
that:
- "dns_host_ipv4_address in ansible_all_ipv4_addresses"
- "dns_host_ipv6_address in ansible_all_ipv6_addresses"
- "dns_gate_num_cname == inventory_hostname"
- "dns_gate_icvpn_cname == inventory_hostname"
- "ansible_distribution == 'Debian'"
- "ansible_distribution_major_version == '9'"
- name: Test root access for admin account
command: "true"
changed_when: False
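Review bot: the `assert` has no `msg`, so a failing check only reports the raw expression; add a `msg` naming the lookup result and the facts it was compared with, since a DNS mismatch is exactly the case an operator will have to debug. `dns_host_ipv4_address in ansible_all_ipv4_addresses` also assumes the A lookup returns a single address: the `dig` lookup joins multiple records into one comma-separated string, which then never matches, so use `wantlist=True` on the lookup and check for a non-empty intersection. `Test root access for admin account` relies on the play-level `become` default to actually exercise privilege escalation; set `become: yes` on that task explicitly so the check keeps meaning something if the default changes.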

View file

@ -0,0 +1,8 @@
---
dns_gate_num: "gate{{ magic }}.{{ http_domain_external }}"
dns_gate_icvpn: "icvpn{{ magic }}.{{ http_domain_external }}"
dns_host_ipv4_address: "{{ lookup('dig', inventory_hostname, 'qtype=A') }}"
dns_host_ipv6_address: "{{ lookup('dig', inventory_hostname, 'qtype=AAAA') }}"
dns_gate_num_cname: "{{ lookup('dig', dns_gate_num, 'qtype=CNAME') | regex_replace('\\.$') }}"
dns_gate_icvpn_cname: "{{ lookup('dig', dns_gate_icvpn, 'qtype=CNAME') | regex_replace('\\.$') }}"
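Review bot: the `dig` lookup needs the `dnspython` library on the controller; document that in the README or add a check, because without it every play that includes this role fails with a lookup error rather than a clear message. These six values are computed on the controller and are not defaults a user should override, so they belong in `vars/main.yml` rather than `defaults/`. The `regex_replace('\\.$')` trailing-dot strip is correct for CNAME answers; for a name without a CNAME the lookup returns `NXDOMAIN`, which the assertion then reports only as a failed equality, another reason to give the `assert` a `msg`.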

View file

@ -0,0 +1,13 @@
# Ansible role server-apt-repos
Diese Ansible role konfiguriert zusätzliche APT Repositories.
- installiert Freifunk MWU Debian APT PGP Key
- konfiguriert APT Repositories aus der Liste `repos`
## Benötigte Variablen
- Liste `repos` (Rollen Variable)
- `name`: String == Name der Konfigurationsdatei unter /etc/apt/sources.list.d
- `repo`: String
- `update_cache`: yes|no

View file

@ -0,0 +1,22 @@
---
- name: ensure dirmngr and apt-transport-https are installed
package:
name: "{{ item }}"
state: present
with_items:
- dirmngr
- apt-transport-https
- name: ensure apt key for freifunk-mwu is present
apt_key:
state: present
id: 83A70084
url: "http://repo.freifunk-mwu.de/83A70084.gpg.key"
- name: ensure needed apt repos are present
apt_repository:
state: present
repo: "{{ item.repo }}"
update_cache: "{{ item.update_cache }}"
filename: "{{ item.name }}"
with_items: "{{ repos }}"
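Review bot: `apt_key` is given only the short key id `83A70084` and fetches the key over plain `http://`. A 32-bit short id is trivially collidable, so the id check adds no integrity to an unauthenticated download: an on-path party who can alter that HTTP response can supply a different key with the same short id, after which packages from the `freifunk` repository configured below are trusted. Pin the full 40-character fingerprint in `id:` and fetch over `https://`, or ship the key file with the role and use `file:`/`data:` instead of `url:`. The `package` task can also take the two names as a list in `name:` instead of `with_items`.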

View file

@ -0,0 +1,8 @@
---
repos:
- name: freifunk
repo: 'deb http://repo.freifunk-mwu.de/debian stretch main'
update_cache: yes
- name: freifunk
repo: 'deb-src http://repo.freifunk-mwu.de/debian stretch main'
update_cache: yes
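Review bot: both entries use `name: freifunk`, so both end up in `/etc/apt/sources.list.d/freifunk.list`; that works with `apt_repository`, but `update_cache: yes` on both runs `apt-get update` twice per play. Set it on the last entry only, or name the files `freifunk` and `freifunk-src`. The README should also say that the `deb-src` line is optional, since gateways will not normally build from source.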

View file

@ -0,0 +1,14 @@
# Ansible role server-basic
Diese Ansible role installiert Pakete, die auf allen MWU-Server benötigt werden.
- installiert Pakete, die auf allen Servern benötigt werden
- setzt vim als default Editor
- setzt die Zeitzone auf Europe/Berlin
- generiert und setzt default locale
- konfiguriert das dummy Kernel Modul
## Benötigte Variablen
- Liste `packages` (Rollen Variable)
- Variable `default_locale` (Rollen-Variable)

Some files were not shown because too many files have changed in this diff.