Restructure ansible (#8)

* Add filename prefix to playbooks
* Inventory: clean up & rename role ffmwu-prereq to test-prerequisites
  Remove all hosts which aren't set up by ansible, yet. Prepare to start from scratch. Only add hosts to the inventory which will be set up completely by ansible.
* Role test-prerequisites: improve tasks; update OS to current debian stable
* Add a bunch of new roles
  - Update Readme
  - Update ansible.cfg
  - Add playbook to set up gateways
  - Add group variables
* Roles: add role documentation
* Some restructuring (#3)
* Modify prerequisites role and integrate prerequisites role into all playbooks (#4)
* Add relaxed yamllint config and fix errors
* Add role service-rclocal
* Add role service-bird
* Move localtestvm to separate role (untested) (#6)
* Add role git-repos
* Add role service-bird-icvpn; add python3-yaml package to server-basic role
* Add role service-bird-ffrl
* Set 'become' default to True (#7)
* Retouch tasks due to 'become' defaults to True
* Add role service-bird-ffrl to playbook gateways
* Role service-bird-ffrl: correct ipaddr filters
* Update readme of roles service-fastd-mesh + service-fastd-intragate
* Update Readme.md
  - update passwordstore lookup for fastd secrets
  - add explanation about sensible informations
* Role server-basic: add package bridge-utils
* Add role service-tinc
* Add role system-sysctl-gateway
* Add version to git modules in roles:
  - git-fastd-peers
  - git-repos
  - service-tinc
* Add readme for role prerequisites
* Add role network-iptables-gateway
  - move netfilter specific sysctl settings
* Role kmod-batman: load kernel modules
* Role service-bird-icvpn: use a task and not a handler to set file attrs
* Add role service-bind-slave
* Restructure network interfaces in order to use ifupdown2
  - rewrite interface templates for batman, fastd, ffrl and meshbridge
  - add package ethtool to role server-basic
  - use more ipaddr filters and get rid of unneeded variables in dict ffrl_exit_server
  - change ffrl_public_ipv4_nat variable to ip/prefix format
  - update readme files
* Role service-dhcpd: fix disabled notify
* Role service-fastd-mesh + service-fastd-intragate: fix mac address format
* Restructure service-fastd roles
  - migrate role git-fastd-peers
  - add role service-fastd
  - add repo clone for ffbin peers (currently hardcoded)
  - add role dependency to role service-fastd-mesh + service-fastd-intragate
  - add systemd handlers
* Role service-tinc: use a task instead of a handler for systemd stuff
* Role service-radvd: update handlers
* Update loop keys
* Role service-radvd: optimize ipaddr filters
* Role service-radvd: make more parameters configurable
* Update Readme.md
* Role service-fastd-mesh: add systemd unit + timer to update mesh peers
* Role service-bird + service-bird-icvpn: add systemd unit + timer to update roa+peers+tinc hosts
* Role git-repos: change branch of backend-scripts repo to drop-photon
* Role service-bind-slave: fix file permissions
* Role service-bind-slave: add systemd unit + timer to update icvpn bind config
* Role service-bird-icvpn: rename systemd unit+timer icvpn-update to icvpn-tinc-bgp-update
* Roles service-fastd-mesh + service-fastd-intragate: rename fastd socket
* Role service-rclocal: fix wrong interface
* Role network-iptables-gateway: rename var internet_exit_mtu_ipv[4|6] to internet_exit_tcp_mss_ipv[4|6]
* FFRL Internet Exit: move IPv4 NAT address to a single dummy interface
* Roles service-bird[|-ffrl|-icvpn]: rework handlers
* Update some ipaddr filters
* Fix wrong IP subnet calculation in roles service-radvd + service-rclocal
* Role service-fastd-mesh: move peer limit to a separate file which isn't managed by ansible
* Role service-fastd: ensure fastd service is masked
* Role service-fastd-mesh: add systemd timer for fastd peer limit update script
* Update Readme.md
* Migrate nested dictionary `meshes` into a list of dictionaries
  - migrate dictionary `ipv6` into two simple lists
  - migrate dictionary `forward_zones` into a list
* Restructure fastd configuration to define multiple instances easily
  - introduce mesh subdictionary `fastd`
  - change fastd instance naming
  - change fastd network interface naming (identical with fastd instance names)
  - change mac address prefixes
* Roles service-fastd-[mesh|intragate]: update role dependencies
* Role network-batman: update batman-ifaces due to fastd instance change
  - update README.md
* Role network-fastd: update README.md
* Readme.md: add control machine requirements
* Role service-fastd-mesh: fix typo in handler
* Role service-fastd: use own systemd unit fastd@.service
  - original uses %I which does no escaping, so dashes will be replaced by slashes
  - use %i instead of %I
* Add role network-routing
  - move static routes from role service-rclocal to scripts run by systemd unit
  - mv routing specific sysctl settings
* Use package module where possible instead of apt
* Remove unnecessary handlers
* Move all handlers to one single role
* Update Readme.md
* Move IP rules from role `service-rclocal` to role `network-routing`
  - add scripts to configure and delete IP rules via a systemd unit
  - delete role `service-rclocal`
  - update README.md
  - add new handler
* Role network-routing: fix typos in ffmwu-del-ip-rules.sh template
* Add role service-respondd
* Roles service-fastd-[intragate|mesh]: update mac prefixes due to fastd instances change
* Fix some whitespaces
* Ensure systemd units are started
* Add role service-nginx
* Add role service-nginx-firmware
* Add missing variables for role service-nginx-firmware
* Add roles service-nginx(-firmware) to playbook gateways
* Role service-nginx: add autoindex options to default vhost
* Flush handlers after configuring network interfaces
* Role service-respondd: also listen on fastd-interfaces
* Update fastd peer limit configuration
* add list of legacy gateways (temporarily)
* change backend-scripts branch to ansible
* Role server-basic: ensure ffmwu config directory is present
* Role service-fastd: add fastd-status script
* role service-fastd-mesh: add templating for fastd peer limit configuration
* Update Readme.md
* Lowercase all network interface names
* Inventory: add new gateway uffschnitt.freifunk-mwu.de
* Role server-repos: change ffmwu repo to stretch
* Role service-respondd: install python3 module dependency
* Role server-repos: remove universe-factory repo since fastd package is available in debian upstream
* Pretty format ansible.cfg
* Inventory host_vars: use single file instead of subfolder
* Role prerequisites: add cname asserts
* Role network-meshbridge: workaround to set mac address on boot and get ipv6 address configured correctly
* Playbook gateways: reorder roles
* Rename role server-repos to server-apt-repos
  - Role server-apt-repos: add readme
* Role server-basic: add locale setting
* Roles service-fastd-mesh + service-fastd-intragate
  - remove on-up|on-down stanzas from fastd.conf
  - update readme
* Move dummy module from role kmod-batman to server-basic
* Roles service-fastd-[mesh|intragate]: reload networking on fastd instance start
* Rework passwordstore lookup handling in roles service-fastd-mesh and service-fastd-intragate
* Role service-tinc: rework passwordstore lookup
* Role network-iptables-gateway: fix freifunk bridge rules
* Role service-fastd-mesh: ensure fastd_status.json file is present; reorder nginx roles
* Role network-routing: add missing service dependency for ffmwu-static-routes service unit
* Role service-tinc: add task to enable post-merge script
* Add prometheus role (#9)
parent ab2efe5df3
commit ff1dac07ba
200 changed files with 4715 additions and 269 deletions
19
.yamllint
Normal file
@ -0,0 +1,19 @@
extends: default

rules:
braces: {max-spaces-inside: 1, level: error}
brackets: {max-spaces-inside: 1, level: error}
colons: {max-spaces-after: -1, level: error}
commas: {max-spaces-after: -1, level: error}
comments: disable
comments-indentation: disable
document-start: disable
empty-lines: {max: 3, level: error}
hyphens: {level: error}
indentation: disable
key-duplicates: enable
line-length: disable
new-line-at-end-of-file: disable
new-lines: {type: unix}
trailing-spaces: enable
truthy: disable
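Review bot: `indentation: disable` and `truthy: disable` switch off the two checks that most often catch silent behaviour changes in Ansible YAML, a key mis-indented onto the wrong task and bare `yes`/`no`/`on` values that YAML 1.1 turns into booleans; `key-duplicates: enable` is the right call, but consider keeping `truthy` at `level: warning` with an `allowed-values` list and `indentation` with `indent-sequences: whatever` instead of disabling both outright.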
203
Readme.md
@ -1,40 +1,195 @@
# ansible-ffmwu.git
# Ansible Freifunk MWU

An dieser Stelle soll der ganze ansible-script-junk entstehen, um ein FFMWU-Gateway automagisiert aufzusetzen. Das Geraffel kann später auch auf andere server-Typen erweitert werden, wenn sinnvoll.
Ein server muss minimal vorbereitet sein, bevor er mit den hiesigen Skripten zum Gate (oder zu Sonstigem) gemacht werden kann. Insbesondere müssen die folgenden Voraussetzungen erfüllt sein (diese werden vom playbook `test-prerequisites.yml` getestet):
Wir, die Freifunk MWU Community, nutzen Ansible um unsere Freifunk Server aufzusetzen und zu konfigurieren. In
diesem Repository verwalten wir unsere Ansible Roles und Playbooks.

Ein Server muss minimal vorbereitet sein, bevor dieser per Ansible z.B. zu einem Freifunk-Gateway gemacht werden
kann. Die folgenden Voraussetzungen müssen erfüllt sein:

- Ein dedizierter (v)server muss existieren und unter einer IPv4- und einer IPv6-Adresse öffentlich erreichbar sein.
- Die Adressen sollen im MWU-DNS eingetragen sein.
- Es muss eine nakte unterstützte linux-Version aufgesetzt sein (aktuell Ubuntu 14.04, bald Debian).
- Es muss einen user admin geben, auf den die Admins Zugriff haben; dieser muss root-Zugang über sudo haben.
- Die Adressen müssen im MWU-DNS eingetragen sein.
- Als Betriebssystem muss Debian Stretch installiert sein.
- Für Ansible muss Python 2.6 oder höher installiert sein.
- Es muss einen User admin geben, auf den die Admins Zugriff haben; dieser muss Root-Zugang über sudo haben.

Zusätzlich ist sehr empfehlenswert, dass die Admins die Maschinen mit ihren fqdns in ihrer ssh-config definiert haben.
Diese Voraussetzungen werden von der Rolle `prerequisites` geprüft, die Rolle sollte als erste Rolle in jedem
Playbook eingebunden sein.

Bisher gibt es hier zwei Sammlungen von files: zum Einen der Beginn des eigentlichen Zwecks: bisher kann eine Rolle (auf Basis der obigen Voraussetzungen) alle FFMWU-Server in dem ihnen allen identischen Aspekt vorbereiten, der Pflege der ssh keys der admins. Zum Anderen gibt es ein playbook, das eine lokale Test-VM aufsetzt, auf der man alle eigentlichen playbooks und Rollen testen kann, ohne ernsthaften Schaden anzurichten.
Voraussetzungen für die Control Machine:

## Aufsetzen und Pflegen von Gateways
- Python 2 (Versionen 2.6 oder 2.7) oder 3 (Versionen 3.5 oder höher)
- Ansible Version >= 2.4.0.0
- Python Modul `netaddr`
- Python Modul `dnspython`

Alle FFMWU-Gatways sind auch FFMWU-Server, alle anderen server bei uns überraschenderweise auch; so sind auch Alle im inventory in der Gruppe 'ff-servers' zusammengefasst. Der Aspekt, der allen FFMWU-Servern gemein ist, sind die ssh-keys der admins. Auf einigen servern gibt es allerdings weitere Zugriffsberechtigte (spezialisierte admins).
Die Server werden mit ihren FQDNs im Ansible Inventory hinterlegt, bedenkt das für eure ssh-config.

So gibt es eine Rolle ('ffmwu-server'), die allen hosts dieser Gruppe zugewiesen ist (über das playbook 'ffmwu-servers.yml', später auch über Abhängigkeiten der speziellern playbooks). Dieses playbook (einfach starten) weist die Rolle zu, welche ihrerseits die shh keys auf den hosts pflegt.
## Gruppen-Variablen
Viele Variablen sind Mesh-spezifisch und werden auf allen Gateways benötigt. Deshalb verwalten wir die Liste `meshes`. Jeder Listeneintrag ist ein Dictionary. Diese Liste befindet sich in der Sondergruppe `all` (inventory/group_vars/all) und steht damit allen Hosts im Inventory zur Verfügung.
Diese Liste ist quasi das Herzstück zur Konfiguration der Mesh-spezifischen Parameter auf den Freifunk-Gateways. Jedes Dictionary repräsentiert eine Mesh-Wolke/Domain/Layer2-Netzwerk und ist wie folgt aufgebaut (Beispiel Mainz):

Die Rolle besteht aus nur einem task und einer definierten Variable, die die keys der admins enthält. Sind auf einem host weitere ssh keys von Nöten, so werden disse als hostvar definiert.
|Name|Type|Value|Format|Comment|
|----|----|-----|------|-------|
|id |Variable|mz|string|Zum Teil werden Interface-Namen davon abgeleitet, z.B. `mzbr` oder `mzbat`|
|site_number|Variable|37|integer|Fließt in IP-Adress-Berechnung ein|
|site_code|Variable|ffmz|string||
|site_name|Variable|Mainz|string||
|ipv4_network|Variable|10.37.0.0/18|string; Network/Prefix||
|ipv6_ula|List|- fd37:b4dc:4b1e::/48|string; Network/Prefix||
|ipv6_public|List|- 2a03:2260:11a::/48|string; Network/Prefix||
|dnssl|List|- ffmz.org|string|DNS Search List (dhcp/radvd)|
|batman|Dictionary||||
|batman.it|Key|10000|integer||
|batman.gw|Key|server 96mbit/96mbit|string||
|batman.mm|Key|0|boolean||
|batman.dat|Key|0|boolean||
|batman.hop_penalty|Key|60|integer||
|radvd|Dictionary||||
|radvd.maxrtradvinterval|Key|900|integer||
|radvd.advvalidlifetime|Key|864000|integer||
|radvd.advpreferredlifetime|Key|172800|integer||
|iface_mtu|Variable|1350|integer|Client MTU|
|fastd|Dictionary||||
|fastd.nodes|Dictionary||||
|fastd.nodes.instances|List|||Jeder Listeneintrag ist ein Dictionary; Instanzen für Node-Kommunikation|
|fastd.nodes.instances[x].id|Key|0|integer||
|fastd.nodes.instances[x].mtu|Key|1406|integer||
|fastd.nodes.instances[x].peers|Dictionary||||
|fastd.nodes.instances[x].peers.repo|Key|https://github.com/freifunk-mwu/peers-ffmz.git|URL||
|fastd.nodes.instances[x].peers.version|Key|master|string||
|fastd.nodes.instances[x].pass|Key|fastd/mzvpn|string||
|fastd.intragate|Dictionary||||
|fastd.intragate.instances|List|||Jeder Listeneintrag ist ein Dictionary; Instanzen für Intragate-Kommunikation|
|fastd.intragate.instances[x].id|Key|0|integer||
|fastd.intragate.instances[x].mtu|Key|1406|integer||
|fastd.intragate.instances[x].peers|Dictionary||||
|fastd.intragate.instances[x].peers.repo|Key|https://github.com/freifunk-mwu/peers-ffmz.git|URL||
|fastd.intragate.instances[x].peers.version|Key|master|string||
|fastd.intragate.instances[x].pass|Key|fastd/mzigvpn|string||
|dns|Dictionary||||
|dns.master|Key|fd37:b4dc:4b1e::a25:103|string; IP-Adresse|DNS-Master IP|
|dns.forward_zones|List||||
|dns.forward_zones[x].name|Key|ffmz.org|string||
|dns.forward_zones[x].master|Key|fd37:b4dc:4b1e::a25:10c|string; IP-Adresse|Optional - überschreibt dns.master|
|http_domain_internal|Variable|ffmz.org|string|Haupt-Domain für HTTP-Server(intern)|
|http_domain_external|Variable|freifunk-mainz.de|string|Haupt-Domain für HTTP-Server(extern)||

## Erzeugen einer test-VM
Weitere Gruppen-Variablen:

Um die playbooks und Rollen gefahrlos testen zu können, bietet sich ein test host an. Hierfür kann eine lokale VM zu Einsatz kommen, wenn die Voraussetzungen stimmen.
|Name|Type|Value|Format|Comment|
|----|----|-----|------|-------|
|as_private_mwu|Variable|65037|integer|Privates AS von Freifunk MWU|
|as_public_ffrl|Variable|201701|integer|Public AS von Freifunk Rheinland|
|internet_exit_tcp_mss_ipv4|Variable|1240|integer|IPv4 TCP MSS|
|internet_exit_tcp_mss_ipv6|Variable|1220|integer|IPv6 TCP MSS|
|routing_tables|Dictionary||||
|routing_tables.icvpn|Key|23|integer||
|routing_tables.mwu|Key|41|integer||
|routing_tables.internet|Key|61|integer||
|icvpn_ipv4_transfer_net|Variable|10.207.0.0/16|string; Network/Prefix|ICVPN IPv4 Transfernetz|
|icvpn_ipv6_transfer_net|Variable|fec0::a:cf:0:0/96|string; Network/Prefix|ICVPN IPv6 Transfernetz|
|bgp_loopback_net|Variable|10.37.0.0/18|string; Network/Prefix|MWU Loopback Netz für dynamisches Routing|
|bgp_ipv4_transfer_net|Variable|10.37.0.0/18|string; Network/Prefix|MWU IPv4 Transfernetz für dynamisches Routing|
|bgp_ipv6_transfer_net|Variable|fd37:b4dc:4b1e::/64|string; Network/Prefix|MWU IPv6 Transfernetz für dynamisches Routing|
|http_domain_internal|Variable|ffmwu.org|string|Haupt-Domain für HTTP-Server(intern)|
|http_domain_external|Variable|freifunk-mwu.de|string|Haupt-Domain für HTTP-Server(extern)|
|icvpn|Dictionary|||ICVPN Informationen|
|icvpn.prefix|Key|mwu|string|Prefix für MWU Gateways, z.B. `mwu7` für Spinat|
|icvpn.interface|Key|icvpn|string|Name für ICVPN Interface + tinc Instanz|
|icvpn.icvpn_repo|Key|https://github.com/freifunk/icvpn|string|URL zum freifunk/icvpn Repository|
|bgp_mwu_servers|Dictionary|||Enthält pro BGP MWU peer ein Dictionary - IP-Adressen aus bgp_ipvX_transfer_net|
|bgp_mwu_servers.spinat|Dictionary||||
|bgp_mwu_servers.spinat.ipv4|Variable|10.37.0.7|string - IPv4-Adresse||
|bgp_mwu_server.spinat.ipv6|Variable|fd37:b4dc:4b1e::a25:7|string - IPv6-Adresse||

Damit auf der lokalen Maschine (der ansible controle machine) VMs ablaufen (und mit dem playbook angelegt werden) können, müssen verschiedene Voraussetzungen erfüllt sein. U. a.:

- installierte Pakete zu libvirt, kvm und qemu und Pakete virt-manager, isomaster
- >15G freier Plattenplatz
- ansible >= 2.1
## Host-Variablen
Alle Server- bzw. Gateway-spezifischen Parameter werden als Host-Variablen abgebildet:

Leider sind die letzten 2 Meter der Aufgabe offenbar in dieser Art nicht automatisierbar. Deshalb muss der user an einer Stelle mit 'isomaster' kurz etwas manuell durchführen
Das playbook 'loctevm-reset.yml' einfach ausführen.
|Name|Type|Value|Format|Comment|
|----|----|-----|------|-------|
|magic|Variable|7|integer|Muss eindeutig unter allen Servern sein|
|ipv4_dhcp_range|Variable|6|integer|Wenn man das Mesh-Netz (/18) in /22er-Subnetze unterteilt und durchnummeriert, ist der Wert hier die Nummer des zu verwendenden /22er Subnetzes zwecks DHCP-Adress-Vergabe|
|ffrl_public_ipv4_nat|Variable|185.66.195.32/32|IP/Prefix|Öffentliche IPv4-NAT-Adresse|
|ffrl_exit_server|Dictionary|||Enthält pro FFRL Tunnel ein Dictionary|
|ffrl_exit_server.ffrl-a-ak-ber|Dictionary|||Name = Interface|
|ffrl_exit_server.ffrl-a-ak-ber.public_ipv4_address|Key|185.66.195.0|IP-Adresse|IP-Adresse der Tunnel-Gegenstelle|
|ffrl_exit_server.ffrl-a-ak-ber.tunnel_ipv4_network|Key|100.64.2.226/31|Network/Prefix|Internes IPv4-Tunnel-Subnetz|
|ffrl_exit_server.ffrl-a-ak-ber.tunnel_ipv6_network|Key|2a03:2260:0:17b::/64|Network/Prefix|Internes IPv6-Tunnel-Subnetz|
|ffrl_exit_server.ffrl-b-ak-ber|Dictionary|||Name = Interface|
|ffrl_exit_server.ffrl-b-ak-ber.public_ipv4_address|Key|185.66.195.1|IP-Adresse|IP-Adresse der Tunnel-Gegenstelle|
|ffrl_exit_server.ffrl-b-ak-ber.tunnel_ipv4_network|Key|100.64.2.228/31|Network/Prefix|Internes IPv4-Tunnel-Subnetz|
|ffrl_exit_server.ffrl-b-ak-ber.tunnel_ipv6_network|Key|2a03:2260:0:17c::/64|Network/Prefix|Internes IPv6-Tunnel-Subnetz|
|ffrl_exit_server.ffrl-a-ix-dus|Dictionary|||Name = Interface|
|ffrl_exit_server.ffrl-a-ix-dus.public_ipv4_address|Key|185.66.193.0|IP-Adresse|IP-Adresse der Tunnel-Gegenstelle|
|ffrl_exit_server.ffrl-a-ix-dus.tunnel_ipv4_network|Key|100.64.2.230/31|Network/Prefix|Internes IPv4-Tunnel-Subnetz|
|ffrl_exit_server.ffrl-a-ix-dus.tunnel_ipv6_network|Key|2a03:2260:0:17d::/64|Network/Prefix|Internes IPv6-Tunnel-Subnetz|
|ffrl_exit_server.ffrl-b-ix-dus|Dictionary|||Name = Interface|
|ffrl_exit_server.ffrl-b-ix-dus.public_ipv4_address|Key|185.66.193.1|IP-Adresse|IP-Adresse der Tunnel-Gegenstelle|
|ffrl_exit_server.ffrl-b-ix-dus.tunnel_ipv4_network|Key|100.64.2.232/31|Network/Prefix|Internes IPv4-Tunnel-Subnetz|
|ffrl_exit_server.ffrl-b-ix-dus.tunnel_ipv6_network|Key|2a03:2260:0:17e::/64|Network/Prefix|Internes IPv6-Tunnel-Subnetz|
|ffrl_exit_server.ffrl-a-fra2-fra|Dictionary|||Name = Interface|
|ffrl_exit_server.ffrl-a-fra2-fra.public_ipv4_address|Key|185.66.194.0|IP-Adresse|IP-Adresse der Tunnel-Gegenstelle|
|ffrl_exit_server.ffrl-a-fra2-fra.tunnel_ipv4_network|Key|100.64.0.186/31|Network/Prefix|Internes IPv4-Tunnel-Subnetz|
|ffrl_exit_server.ffrl-a-fra2-fra.tunnel_ipv6_network|Key|2a03:2260:0:63::/64|Network/Prefix|Internes IPv6-Tunnel-Subnetz|
|ffrl_exit_server.ffrl-b-fra2-fra|Dictionary|||Name = Interface|
|ffrl_exit_server.ffrl-b-fra2-fra.public_ipv4_address|Key|185.66.194.1|IP-Adresse|IP-Adresse der Tunnel-Gegenstelle|
|ffrl_exit_server.ffrl-b-fra2-fra.tunnel_ipv4_network|Key|100.64.0.188/31|Network/Prefix|Internes IPv4-Tunnel-Subnetz|
|ffrl_exit_server.ffrl-b-fra2-fra.tunnel_ipv6_network|Key|2a03:2260:0:64::/64|Network/Prefix|Internes IPv6-Tunnel-Subnetz|

### bekannte Probleme
## Sensible Informationen

- Wenn die VM wegen Zugriffsfehler auf die virtuellen volumes nicht startet, können die Berechtigungen der übergeordneten Verzeichnisse Schuld sein -> hier mal schauen.
- Ein Schritt scheint nicht automagisierbar, hier werden isomaster & der user benötigt.
- Bisher wird direkt die 64bit-Version ausgewählt.
Sensible Daten, z.B. private keys für Dienste wie fastd und tinc verwalten wir in einem [Password Store](https://www.passwordstore.org/).
Falls ihr mehrere Password Stores verwaltet, denkt vor Benutzung von Ansible daran, die Umgebungsvariable auf den richtigen Store zu verweisen:
```
export PASSWORD_STORE_DIR=...
```

## Aufsetzen eines neuen Gateways

- FQDN im Inventory zur Gruppe ffmwu-gateways hinzufügen
- Host-Variablen setzen
- inventory/host_vars/$FQDN

```
---
# Gateway-Nummer, von der vieles abgeleitet wird. Integer zwischen 1-254. Muss eindeutig unter allen FFMWU Servern sein.
magic:

# Die Nummer des /22er IPv4-Subnetzes, das per DHCP verteilt werden soll.
# z.B. 5 für 10.X.16.0/22 (fünftes /22 Subnetz aus 10.X.0.0/18)
ipv4_dhcp_range:

# FFRL (muss vorher bereits zugewiesen worden sein)
# Öffentliche IPv4 NAT Adresse, Format: IP/Prefix
ffrl_public_ipv4_nat:

ffrl_exit_server:
ffrl-a-ak-ber:
public_ipv4_address: 185.66.195.0
tunnel_ipv4_network: # Format: IP/Maske
tunnel_ipv6_network:
ffrl-b-ak-ber:
public_ipv4_address: 185.66.195.1
tunnel_ipv4_network: # Format: IP/Maske
tunnel_ipv6_network:
ffrl-a-ix-dus:
public_ipv4_address: 185.66.193.0
tunnel_ipv4_network: # Format: IP/Maske
tunnel_ipv6_network:
ffrl-b-ix-dus:
public_ipv4_address: 185.66.193.1
tunnel_ipv4_network: # Format: IP/Maske
tunnel_ipv6_network:
ffrl-a-fra2-fra:
public_ipv4_address: 185.66.194.0
tunnel_ipv4_network: # Format: IP/Maske
tunnel_ipv6_network:
ffrl-b-fra2-fra:
public_ipv4_address: 185.66.194.1
tunnel_ipv4_network: # Format: IP/Maske
tunnel_ipv6_network:
```
- Neues Gateway aufsetzen per `ansible-playbook playbooks/gateways.yml`
- Hierbei werden die definierten Rollen auch auf schon aufgesetzte Gateways angewandt, was unkritisch ist, weil wir unsere Rollen idempotent schreiben.
- Um die Rollen nur auf das neu aufzusetzende Gateway anzuwenden: `ansible-playbook playbooks/gateways.yml --limit=$FQDN`
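Review bot: two table rows in the new README need fixing: `bgp_mwu_server.spinat.ipv6` drops the trailing `s` of the dictionary name used by the rows right above it (`bgp_mwu_servers.spinat.ipv4`), and the `http_domain_external` row of the mesh table ends in `||`, which renders as an extra empty column. The host_vars template under "Aufsetzen eines neuen Gateways" also states that `magic` must be unique across all FFMWU servers, while the only asserts this commit mentions for the prerequisites role are the cname asserts; a one-line pointer to where uniqueness is (or is not) enforced would stop operators from assuming the play will catch a duplicate.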
13
ansible.cfg
@ -1,10 +1,13 @@
[defaults]
# local
inventory = ./inventory/hosts
retry_files_save_path = ~/.ansible/retry-files
#vault_password_file = ~/.ansible/vault-password-file
# remote
inventory = ./inventory
retry_files_enabled = False
remote_tmp = $HOME/ansible_tmp
remote_user = admin
ansible_managed = Ansible managed - don't edit this file!
roles_path = ./roles

[privilege_escalation]
become = True

#[ssh_connection]
#pipelining = True
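Review bot: `become = True` under `[privilege_escalation]` makes every task of every play run as root unless it explicitly sets `become: false`, so roles that only clone a repo or read a status file (git-repos, the fastd-status script) now escalate without needing to; that is a least-privilege regression compared to per-play `become`, and at minimum deserves a comment here plus `become: false` in the roles that do not need root. Unrelated to privilege: if both `retry_files_save_path` and `retry_files_enabled = False` end up in the new file, the first one is dead configuration and can go.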
@ -1,8 +0,0 @@
#!/usr/bin/ansible-playbook
---
- hosts: build-servers
remote_user: admin
strategy: linear

roles:
- ffmwu-build
@ -1,9 +0,0 @@
#!/usr/bin/ansible-playbook
---

- hosts: ff-servers
remote_user: admin
strategy: linear

roles:
- ffmwu-server
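Review bot: with this play gone, the `ff-servers` group that carried the admin ssh-key maintenance (role `ffmwu-server`) has no visible successor in this diff; `remote_user: admin` now comes only from `remote_user = admin` in ansible.cfg, which is fine, but make sure a play in the new `playbooks/` directory still applies the key-management role to every host, otherwise servers that were only members of `ff-servers` silently stop receiving key updates and revocations.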
2
inventory/ffmwu-build-servers
Normal file
@ -0,0 +1,2 @@
[ffmwu-build-servers]
milchreis.freifunk-mwu.de
2
inventory/ffmwu-gateways
Normal file
@ -0,0 +1,2 @@
[ffmwu-gateways]
uffschnitt.freifunk-mwu.de
2
inventory/ffmwu-servers
Normal file
@ -0,0 +1,2 @@
[ffmwu-servers]
milchreis.freifunk-mwu.de
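Review bot: `uffschnitt.freifunk-mwu.de` is only in `[ffmwu-gateways]` and `milchreis.freifunk-mwu.de` only in `[ffmwu-servers]` and `[ffmwu-build-servers]`; if every gateway is also meant to get the server baseline (admin keys, apt repos, locale), express that once with an `[ffmwu-servers:children]` section listing `ffmwu-gateways` instead of relying on each playbook to repeat the baseline roles, so a host cannot end up as a gateway without the baseline.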
174
inventory/group_vars/all
Normal file
@ -0,0 +1,174 @@
---
as_private_mwu: 65037
as_public_ffrl: 201701

internet_exit_tcp_mss_ipv4: 1240
internet_exit_tcp_mss_ipv6: 1220

routing_tables:
icvpn: 23
mwu: 41
internet: 61

icvpn_ipv4_transfer_net: 10.207.0.0/16
icvpn_ipv6_transfer_net: fec0::a:cf:0:0/96
bgp_loopback_net: 10.37.0.0/18
bgp_ipv4_transfer_net: 10.37.0.0/18
bgp_ipv6_transfer_net: fd37:b4dc:4b1e::/64

http_domain_internal: ffmwu.org
http_domain_external: freifunk-mwu.de

meshes:
- id: mz
site_number: 37
site_code: ffmz
site_name: Mainz
ipv4_network: 10.37.0.0/18
ipv6_ula:
- fd37:b4dc:4b1e::/48
ipv6_public:
- 2a03:2260:11a::/48
dnssl:
- ffmz.org
- user.ffmz.org
batman:
it: 10000
gw: server 96mbit/96mbit
mm: 0
dat: 0
hop_penalty: 60
radvd:
maxrtradvinterval: 900
advvalidlifetime: 864000
advpreferredlifetime: 172800
iface_mtu: 1350
fastd:
nodes:
instances:
- id: 0
mtu: 1406
peers:
repo: https://github.com/freifunk-mwu/peers-ffmz.git
version: master
pass: fastd/mzvpn
- id: 1
mtu: 1312
peers:
repo: https://github.com/freifunk-mwu/peers-ffmz.git
version: master
pass: fastd/mzvpn
intragate:
instances:
- id: 0
mtu: 1406
peers:
repo: https://github.com/freifunk-mwu/ffmz-infrastructure-peers.git
version: master
pass: fastd/mzigvpn
dns:
master: fd37:b4dc:4b1e::a25:103
forward_zones:
- name: ffmz.org
- name: user.ffmz.org
- name: bb.ffmz.org
- name: nodes.ffmz.org
- name: ffbin
master: fd37:b4dc:4b1e::a25:10c
http_domain_internal: ffmz.org
http_domain_external: freifunk-mainz.de

- id: wi
site_number: 56
site_code: ffwi
site_name: Wiesbaden
ipv4_network: 10.56.0.0/18
ipv6_ula:
- fd56:b4dc:4b1e::/48
ipv6_public:
- 2a03:2260:11b::/48
dnssl:
- ffwi.org
- user.ffwi.org
batman:
it: 10000
gw: server 96mbit/96mbit
mm: 0
dat: 0
hop_penalty: 60
radvd:
maxrtradvinterval: 900
advvalidlifetime: 864000
advpreferredlifetime: 172800
iface_mtu: 1350
fastd:
nodes:
instances:
- id: 0
mtu: 1406
peers:
repo: https://github.com/freifunk-mwu/peers-ffwi.git
version: master
pass: fastd/wivpn
- id: 1
mtu: 1312
peers:
repo: https://github.com/freifunk-mwu/peers-ffwi.git
version: master
pass: fastd/wivpn
intragate:
instances:
- id: 0
mtu: 1406
peers:
repo: https://github.com/freifunk-mwu/ffwi-infrastructure-peers.git
version: master
pass: fastd/wiigvpn
dns:
master: fd56:b4dc:4b1e::a38:103
forward_zones:
- name: ffwi.org
- name: user.ffwi.org
- name: bb.ffwi.org
- name: nodes.ffwi.org
http_domain_internal: ffwi.org
http_domain_external: wiesbaden.freifunk.net

icvpn:
prefix: mwu
interface: icvpn
icvpn_repo: https://github.com/freifunk/icvpn

bgp_mwu_servers:
spinat:
ipv4: 10.37.0.7
ipv6: fd37:b4dc:4b1e::a25:7
lotuswurzel:
ipv4: 10.37.0.23
ipv6: fd37:b4dc:4b1e::a25:17
ingwer:
ipv4: 10.37.0.161
ipv6: fd37:b4dc:4b1e::a25:a1
wasserfloh:
ipv4: 10.37.0.231
ipv6: fd37:b4dc:4b1e::a25:e7
zuckerwatte:
ipv4: 10.37.1.2
ipv6: fd37:b4dc:4b1e::a25:102
aubergine:
ipv4: 10.37.1.3
ipv6: fd37:b4dc:4b1e::a25:103
zwiebel:
ipv4: 10.37.1.0
ipv6: fd37:b4dc:4b1e::a25:100
glueckskeks:
ipv4: 10.37.1.1
ipv6: fd37:b4dc:4b1e::a25:101
suesskartoffel:
ipv4: 10.37.1.4
ipv6: fd37:b4dc:4b1e::a25:104

legacy_gateways:
- ingwer
- lotuswurzel
- spinat
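Review bot: every fastd `peers.repo` is pinned to a branch (`version: master`) and the commit message adds systemd timers that pull these repositories unattended; since they hold the node public keys fastd will accept, anyone who can push to `freifunk-mwu/peers-ffmz`, `peers-ffwi` or the `*-infrastructure-peers` repos can admit a node to the mesh or the intragate VPN without any change reviewed here. Pin `version` to a tag or commit, or have the update unit verify signed tags/commits before it reloads fastd. Separately, `bgp_loopback_net` and `bgp_ipv4_transfer_net` are both `10.37.0.0/18`, the same prefix as the Mainz `ipv4_network`; if that overlap is intentional, a comment naming the reserved sub-range would save the next reader a trip through the bird templates.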
@ -1,3 +0,0 @@
---

fastd_config: 'gate'
@ -1,3 +0,0 @@
---

fastd_config: 'meshing-only'
@ -1,19 +0,0 @@
---

communities:
- mz
- wi

community_params:
mz:
fastd_port: 10037
abbreviation: mz
name: mainz
repo: freifunk-mwu/peers-ffmz
xtra_peers:
- peers_bingen
wi:
fastd_port: 10056
abbreviation: wi
name: wiesbaden
repo: freifunk-mwu/peers-ffwi
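Review bot: deleting `xtra_peers: - peers_bingen` for `mz` removes the only place the Bingen peers were declared as data, and the commit message says the ffbin peer repo clone is now hardcoded in the service-fastd role; leave a TODO in the new `group_vars/all` so that it is moved back into data (the new `meshes[].fastd.nodes.instances[x].peers` list is the natural home) rather than living as an exception nobody can see from the inventory.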
@ -1,4 +0,0 @@
---

ansible_managed_server: True
# not yet: ansible_managed_meshing
@ -1,4 +0,0 @@
---

ansible_managed_server: True
# not yet: ansible_managed_meshing
@ -1,6 +0,0 @@
---

ansible_managed_server: True
ansible_managed_meshing: True

fastd_alias: gw_extrasahne
@ -1,4 +0,0 @@
|
|||
---
|
||||
|
||||
ansible_managed_server: True
|
||||
# not yet: ansible_managed_meshing
|
|
@ -1,4 +0,0 @@
|
|||
---
|
||||
|
||||
ansible_managed_server: True
|
||||
# not yet: ansible_managed_meshing
|
|
@ -1,3 +0,0 @@
|
|||
---
|
||||
|
||||
ansible_managed_server: True
|
|
@ -1,4 +0,0 @@
|
|||
---
|
||||
|
||||
ansible_managed_server: True
|
||||
# not yet: ansible_managed_meshing
|
|
@ -1,7 +0,0 @@
|
|||
---
|
||||
|
||||
ansible_managed_server: True
|
||||
ansible_managed_build: True
|
||||
|
||||
h_v_add_auth_keys: |
|
||||
ssh-rsa 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 maesto@GLaDOS
|
|
@ -1,4 +0,0 @@
|
|||
---
|
||||
|
||||
ansible_managed_server: True
|
||||
# not yet: ansible_managed_meshing
|
|
@ -1,7 +0,0 @@
|
|||
---
|
||||
|
||||
ansible_managed_server: True
|
||||
# not yet: ansible_managed_meshing
|
||||
|
||||
h_v_add_auth_keys: |
|
||||
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAt00Ozv50kIis7YKBaey5alVps98ZzW4CVO9tA8AHvsGXn8cleROjcGdbz/YwPm2RH+A+GQrRqCuEf3SPVxvthlVUuHQPKzDdX3PpcakN05CoEwR3zVwjwdzXaO3fKbN5ZCEUKTpaJU6Lngi6vO6HLzsuYloSJs3t7PGpV1xp3YESyXX7D78w9YRJSe2n3WMrA40lQ91u79V0efoX1mKQYzPH86uwhWsOqi08DvE6gxsqKMY6P06nljmsQOFsdX8S/HVrWtIcnne50b63vPMMLRkOLa5FP6qMIjU3LiirrpL80r1gmVZGVRHO6uJr+mrOb6A76cZ7LT8jaKFgnVhOyw== msslovi0@wyoming.local
|
31
inventory/host_vars/uffschnitt.freifunk-mwu.de
Normal file
|
@ -0,0 +1,31 @@
|
|||
---
|
||||
magic: 101
|
||||
ipv4_dhcp_range: 8
|
||||
|
||||
ffrl_public_ipv4_nat: 185.66.195.37/32
|
||||
|
||||
ffrl_exit_server:
|
||||
ffrl-a-ak-ber:
|
||||
public_ipv4_address: 185.66.195.0
|
||||
tunnel_ipv4_network: 100.64.9.42/31
|
||||
tunnel_ipv6_network: 2a03:2260:0:3bd::/64
|
||||
ffrl-b-ak-ber:
|
||||
public_ipv4_address: 185.66.195.1
|
||||
tunnel_ipv4_network: 100.64.9.48/31
|
||||
tunnel_ipv6_network: 2a03:2260:0:3c0::/64
|
||||
ffrl-a-ix-dus:
|
||||
public_ipv4_address: 185.66.193.0
|
||||
tunnel_ipv4_network: 100.64.9.46/31
|
||||
tunnel_ipv6_network: 2a03:2260:0:3bf::/64
|
||||
ffrl-b-ix-dus:
|
||||
public_ipv4_address: 185.66.193.1
|
||||
tunnel_ipv4_network: 100.64.9.52/31
|
||||
tunnel_ipv6_network: 2a03:2260:0:3c2::/64
|
||||
ffrl-a-fra2-fra:
|
||||
public_ipv4_address: 185.66.194.0
|
||||
tunnel_ipv4_network: 100.64.9.44/31
|
||||
tunnel_ipv6_network: 2a03:2260:0:3be::/64
|
||||
ffrl-b-fra2-fra:
|
||||
public_ipv4_address: 185.66.194.1
|
||||
tunnel_ipv4_network: 100.64.9.50/31
|
||||
tunnel_ipv6_network: 2a03:2260:0:3c1::/64
|
|
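Review bot: `magic: 101` serves as the host offset for both the IPv4 address and the MAC address (`ipaddr('net') | ipaddr(magic)` in the network-batman and network-fastd templates), so it must be unique per host within a mesh, and nothing in this change checks that. An `assert` in the prerequisites role, or at least a comment here pointing at the allocation list, would stop two gateways from being given the same magic and ending up with duplicate MACs and IPs. One more thing to confirm: the /31 transfer networks are rendered with `ipaddr('net') | ipaddr('1')`, which selects the upper address (100.64.9.43 for 100.64.9.42/31); check that this is the side FFRL assigned to this gateway.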
@ -1,4 +0,0 @@
|
|||
---
|
||||
|
||||
ansible_managed_server: True
|
||||
# not yet: ansible_managed_meshing
|
|
@ -1,12 +0,0 @@
|
|||
---
|
||||
|
||||
ansible_managed_server: True
|
||||
# not yet: ansible_managed_meshing
|
||||
|
||||
h_v_add_auth_keys: |
|
||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHs63QNerevCI6wt2Gpq/IpHTPVeHIP8aKIOrRCUlKWR ccgx@small-x
|
||||
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAwbfFERETgOAF7iOJFTfJAXQwOWykceRXa151PWG+hiln8X2729tdFyEhztL0tJ0ln+VCj29KLc4mG23qCBW48d35btZTkdVUhFSY/PY/bMQEBiWG2MCAWxJ329i/Blw92xvlFARJNhyPzKSxgYYGRhkncbcKXoX9QWhCBY8KfH+08X9tFOxj4osYn/+dXm7Sg5mqJG4ETmdAAy5afNGE+K+NyBafcg35Y+gBfxNzilGc2/2I0lSsiEcUr+StNxhMMZ/NtQ1N2G9iPziqpu/LYlPl/2mtya+6MPtfSfoYpggIyMqcT+KSPsmxyJod0SrI1vgrX7qa0aJV08dN+gThDb8pOBEb6NG2iQEIbmTKy7XoSpF13lnAVDtPv20PjLpUR6IKZtWNnlN2hVtZLhgyeEIDMnVjmNwloItkqsKP1H96eLSoj1g9B9IOYPPxq5pf6VJKizFAI0jsxGZk0gX/QX4DoVxrD57KXrHKEuFAM4eIjHKMXeRq3Ewbn3bHT1QXevjwBtoW2hxY8Pligc0W0sHt2jW0MxaSiE0LM+hGk0Jy9rquC3+gGU7fD2kLM6nff3wzQJXCORkfdyqvMFUqwpkZmjL4qCypt04peTwkWzs/W4LlHWyc4CJGp0jKIAOA8JRxs/FJf9CyN8N+0AY6xXAZ1UPqs+wPkZ9j5hYcaHs= magic
|
||||
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAhrDPtvVZb9I7Z2dXl3IXa34sT41/7YCl0kBJ2pgOzrTqXn6HjM8iY7duMxr1ScWlsaIoJAJmpML1LM7hkRJiray5YgjXjcNaz8HxDkV/JLLUMqzQSeDuVTFZzrQBQknzEehuA6XPTLRcgPMnpKhyt3TU4E3rHTDEFLHGEn2I9IZeImGdrehgWoJQz0gGyXI5h49bj6AXHz4etgH349ZCvQWY2e/127owcoPK5EyFBsDMKgnfdxCpAHa3vWFdUnbwqHiVu445qr2U4PiG2AK6PZKRsMauR9jBG1EfeRrc7STcx3OYRbBaQoHJkvw8dD0bH5tI1VVnXfZ2CYOyIGWHJw== mitch
|
||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDUI92QCs7D8mpCoqUug1fOcKf7V5nyKZJiyFfsz0T/ ccgx@mobile-x
|
||||
ssh-rsa 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 mattsches@gmail.com
|
||||
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAt00Ozv50kIis7YKBaey5alVps98ZzW4CVO9tA8AHvsGXn8cleROjcGdbz/YwPm2RH+A+GQrRqCuEf3SPVxvthlVUuHQPKzDdX3PpcakN05CoEwR3zVwjwdzXaO3fKbN5ZCEUKTpaJU6Lngi6vO6HLzsuYloSJs3t7PGpV1xp3YESyXX7D78w9YRJSe2n3WMrA40lQ91u79V0efoX1mKQYzPH86uwhWsOqi08DvE6gxsqKMY6P06nljmsQOFsdX8S/HVrWtIcnne50b63vPMMLRkOLa5FP6qMIjU3LiirrpL80r1gmVZGVRHO6uJr+mrOb6A76cZ7LT8jaKFgnVhOyw== msslovi0@wyoming.local
|
|
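Review bot: this deletes the per-host `h_v_add_auth_keys` list (six operator keys on this host) with no replacement visible in the diff, while roles/server-basic applies `authorized_key: exclusive=True state=present user=admin`. Before merging, name the variable that now feeds that task; if it resolves to an empty or undefined value on a host, the exclusive run removes every admin key, including those of the operators whose keys are being dropped here.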
@ -1,4 +0,0 @@
|
|||
---
|
||||
|
||||
ansible_managed_server: True
|
||||
# not yet: ansible_managed_meshing
|
|
@ -1,38 +0,0 @@
|
|||
[gates]
|
||||
spinat.freifunk-mwu.de
|
||||
lotuswurzel.freifunk-mwu.de
|
||||
wasserfloh.freifunk-mwu.de
|
||||
# kaschu.freifunk-mwu.de # außer Dienst
|
||||
ingwer.freifunk-mwu.de # (Debian)
|
||||
#mettigel.freifunk-mwu.de
|
||||
#parmesan.freifunk-mwu.de
|
||||
extrasahne.freifunk-mwu.de require_dns=False # (Debian 8) FIXME: set IPv6
|
||||
|
||||
[meshing-srv:children]
|
||||
gates
|
||||
meshing-only-srv
|
||||
test-vms
|
||||
|
||||
[meshing-only-srv]
|
||||
aubergine.freifunk-mwu.de # int. DNS-master
|
||||
zuckerwatte.freifunk-mwu.de # web, blogs, wiki
|
||||
churro.freifunk-mwu.de # Abloesung: web, blogs, wiki (Debian)
|
||||
glueckskeks.freifunk-mwu.de #
|
||||
zwiebel.freifunk-mwu.de #
|
||||
suesskartoffel.freifunk-mwu.de #
|
||||
|
||||
[ff-servers:children]
|
||||
gates
|
||||
meshing-only-srv
|
||||
simple-ff-servers
|
||||
build-servers
|
||||
test-vms
|
||||
|
||||
[simple-ff-servers] # not meshing
|
||||
linse.freifunk-mwu.de # ext. DNS-master
|
||||
|
||||
[build-servers]
|
||||
milchreis.freifunk-mwu.de
|
||||
|
||||
[test-vms]
|
||||
local-test-vm.ffmwu.local ansible_host=192.168.137.7 require_dns=False
|
2
inventory/test-vms
Normal file
|
@ -0,0 +1,2 @@
|
|||
[test-vms]
|
||||
local-test-vm.ffmwu.local ansible_host=192.168.137.7 require_dns=False
|
|
@ -1,9 +0,0 @@
|
|||
#!/usr/bin/ansible-playbook
|
||||
---
|
||||
|
||||
- hosts: test-vms
|
||||
remote_user: admin
|
||||
strategy: free
|
||||
|
||||
roles:
|
||||
- ffmwu-prereqs
|
7
playbooks/build-server.yml
Executable file
|
@ -0,0 +1,7 @@
|
|||
#!/usr/bin/ansible-playbook
|
||||
|
||||
- hosts: ffmwu-build-servers
|
||||
remote_user: admin
|
||||
roles:
|
||||
- prerequisites
|
||||
- ffmwu-build
|
34
playbooks/gateways.yml
Executable file
|
@ -0,0 +1,34 @@
|
|||
#!/usr/bin/ansible-playbook
|
||||
|
||||
- hosts: ffmwu-gateways
|
||||
remote_user: admin
|
||||
roles:
|
||||
- handlers
|
||||
- prerequisites
|
||||
- server-apt-repos
|
||||
- server-basic
|
||||
- system-sysctl-gateway
|
||||
- git-repos
|
||||
- service-haveged
|
||||
- service-ntpd
|
||||
- kmod-batman
|
||||
- network-routetables
|
||||
- network-batman
|
||||
- network-meshbridge
|
||||
- network-fastd
|
||||
- network-ffrl
|
||||
- network-iptables-gateway
|
||||
- network-routing
|
||||
- service-dhcpd
|
||||
- service-nginx
|
||||
- service-nginx-firmware
|
||||
- service-radvd
|
||||
- service-fastd
|
||||
- service-fastd-mesh
|
||||
- service-fastd-intragate
|
||||
- service-tinc
|
||||
- service-bird
|
||||
- service-bird-icvpn
|
||||
- service-bird-ffrl
|
||||
- service-bind-slave
|
||||
- service-respondd
|
|
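Review bot: the role order runs network-ffrl (which templates the GRE tunnel interfaces and then `meta: flush_handlers`, reloading networking) before network-iptables-gateway, so on a freshly provisioned gateway the tunnels carrying the public exit addresses are up before rules.v4/rules.v6 exist. Either move network-iptables-gateway ahead of network-batman and network-ffrl, or have the netfilter role establish a default-deny baseline first and let the later roles only add rules. Minor: unlike the other playbooks touched here, this file and playbooks/build-server.yml omit the leading `---` document marker.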
@ -1,11 +1,9 @@
|
|||
#!/usr/bin/ansible-playbook
|
||||
---
|
||||
|
||||
- include: loctevm-provide.yml
|
||||
|
||||
- hosts: test-vms
|
||||
remote_user: admin
|
||||
strategy: linear
|
||||
|
||||
roles:
|
||||
- prerequisites
|
||||
- ffmwu-meshing
|
|
@ -1,5 +1,4 @@
|
|||
#!/usr/bin/ansible-playbook
|
||||
---
|
||||
# localhost (aka 127.0.0.1) is the hypervisor (hard-coded)
|
||||
|
||||
- hosts: test-vms
|
|
@ -1,9 +1,7 @@
|
|||
#!/usr/bin/ansible-playbook
|
||||
---
|
||||
|
||||
- hosts: meshing-srv
|
||||
remote_user: admin
|
||||
strategy: linear
|
||||
|
||||
roles:
|
||||
- prerequisites
|
||||
- ffmwu-meshing
|
|
@ -1,9 +1,7 @@
|
|||
#!/usr/bin/ansible-playbook
|
||||
---
|
||||
|
||||
- hosts: ff-servers
|
||||
remote_user: admin
|
||||
strategy: free
|
||||
|
||||
roles:
|
||||
- ffmwu-prereqs
|
||||
- prerequisites
|
||||
- ffmwu-server
|
|
@ -7,7 +7,6 @@
|
|||
owner: admin
|
||||
group: bird
|
||||
mode: 0750
|
||||
become: yes
|
||||
|
||||
- name: standardise file ownerships
|
||||
file:
|
||||
|
@ -16,7 +15,6 @@
|
|||
owner: admin
|
||||
group: bird
|
||||
mode: 0750
|
||||
become: yes
|
||||
with_items:
|
||||
- /etc/bird/bird.conf
|
||||
- /etc/bird/mwu_peers_v4.inc
|
||||
|
|
|
@ -1,15 +1,12 @@
|
|||
---
|
||||
- name: check apache syntax
|
||||
command: /usr/sbin/apachectl -t
|
||||
become: true
|
||||
|
||||
- name: restart systemd unit apache2
|
||||
systemd:
|
||||
name: apache2
|
||||
state: restarted
|
||||
become: true
|
||||
|
||||
- name: update apt cache
|
||||
apt:
|
||||
update_cache: yes
|
||||
become: true
|
||||
|
|
|
@ -4,3 +4,4 @@
|
|||
repo: https://github.com/freifunk-mwu/sites-ffmwu.git
|
||||
dest: /home/admin/clones/sites-ffmwu
|
||||
version: stable
|
||||
become: false
|
||||
|
|
|
@ -4,7 +4,6 @@
|
|||
repo: 'deb https://repo.universe-factory.net/debian/ sid main'
|
||||
state: present
|
||||
filename: 'neoraider'
|
||||
become: true
|
||||
notify: update apt cache
|
||||
|
||||
- name: add apt repository of freifunk-mwu
|
||||
|
@ -12,7 +11,6 @@
|
|||
repo: 'deb http://repo.freifunk-mwu.de/debian/ jessie main'
|
||||
state: present
|
||||
filename: 'ffmwu'
|
||||
become: true
|
||||
notify: update apt cache
|
||||
|
||||
- name: add apt-key of neoraider
|
||||
|
@ -20,14 +18,12 @@
|
|||
keyserver: keyserver.ubuntu.com
|
||||
id: 16EF3F64CB201D9C
|
||||
state: present
|
||||
become: true
|
||||
notify: update apt cache
|
||||
|
||||
- name: add apt-key of freifunk-mwu package sigs
|
||||
apt_key:
|
||||
url: http://repo.freifunk-mwu.de/83A70084.gpg.key
|
||||
state: present
|
||||
become: true
|
||||
notify: update apt cache
|
||||
|
||||
- name: install needed packages for build-server
|
||||
|
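Review bot: the freifunk-mwu signing key is fetched from `http://repo.freifunk-mwu.de/83A70084.gpg.key` and the repository itself from `http://repo.freifunk-mwu.de/debian/` (previous hunk), both over plain HTTP. The key download is what gives the later package signature checks their meaning, so anyone able to alter that one fetch can substitute their own key and have their packages accepted. Ship the key as a file inside the role (`apt_key: data=...` or a `copy` into /etc/apt/trusted.gpg.d) or at least fetch it over HTTPS, and for the neoraider key obtained from keyserver.ubuntu.com pass the full fingerprint rather than the 16-hex-digit id so a keyserver cannot hand back a different key under the same id.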
@ -50,4 +46,3 @@
|
|||
- subversion
|
||||
- unzip
|
||||
- zlib1g-dev
|
||||
become: true
|
||||
|
|
|
@ -4,18 +4,15 @@
|
|||
src: rsyncd.conf
|
||||
dest: /etc/rsyncd.conf
|
||||
mode: 0640
|
||||
become: true
|
||||
|
||||
- name: install rsnyc systemd unit
|
||||
copy:
|
||||
src: rsync.service
|
||||
dest: /etc/systemd/system/
|
||||
mode: 0644
|
||||
become: true
|
||||
|
||||
- name: ensure rsync is started on boot as a daemon
|
||||
systemd:
|
||||
name: rsync
|
||||
state: started
|
||||
enabled: True
|
||||
become: true
|
||||
|
|
|
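Review bot: the task name `install rsnyc systemd unit` has a typo (rsync). More relevant for a network-listening daemon: the unit is enabled and started, but nothing here shows what rsyncd.conf exposes, and build servers do not get the network-iptables-gateway role (playbooks/build-server.yml runs only prerequisites and ffmwu-build). Confirm rsyncd.conf binds to the intended address and restricts `hosts allow`, or add a firewall rule for the build server.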
@ -5,13 +5,11 @@
|
|||
owner: admin
|
||||
group: admin
|
||||
recurse: yes
|
||||
become: true
|
||||
|
||||
- name: enable apache module ssl
|
||||
apache2_module:
|
||||
state: present
|
||||
name: ssl
|
||||
become: true
|
||||
notify:
|
||||
- check apache syntax
|
||||
- restart systemd unit apache2
|
||||
|
@ -20,7 +18,6 @@
|
|||
command: /usr/sbin/a2dissite 000-default
|
||||
args:
|
||||
removes: /etc/apache2/sites-enabled/000-default.conf
|
||||
become: true
|
||||
notify:
|
||||
- check apache syntax
|
||||
- restart systemd unit apache2
|
||||
|
@ -29,7 +26,6 @@
|
|||
command: /usr/sbin/a2dissite default-ssl
|
||||
args:
|
||||
removes: /etc/apache2/sites-enabled/default-ssl.conf
|
||||
become: true
|
||||
notify:
|
||||
- check apache syntax
|
||||
- restart systemd unit apache2
|
||||
|
@ -38,7 +34,6 @@
|
|||
command: /usr/sbin/a2disconf other-vhosts-access-log
|
||||
args:
|
||||
removes: /etc/apache2/conf-enabled/other-vhosts-access-log.conf
|
||||
become: true
|
||||
notify:
|
||||
- check apache syntax
|
||||
- restart systemd unit apache2
|
||||
|
@ -49,7 +44,6 @@
|
|||
regexp: '^([\s\t]+)?SSLCipherSuite'
|
||||
line: "SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
|
||||
state: present
|
||||
become: true
|
||||
notify:
|
||||
- check apache syntax
|
||||
- restart systemd unit apache2
|
||||
|
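Review bot: the cipher string keeps `DES-CBC3-SHA` and the bare `AES:CAMELLIA` groups in the allowed set while excluding only the EDH/KRB5 3DES variants; static 3DES and non-(EC)DHE AES give up forward secrecy, and 3DES is the 64-bit-block cipher targeted by SWEET32. Unless a known legacy client needs it, drop `DES-CBC3-SHA` and add `!3DES`, and consider removing the non-PFS `AES128-*`/`AES256-*`/`AES:CAMELLIA` entries so only ECDHE/DHE suites remain. Also note that `lineinfile` with this regexp rewrites only the last matching line, so the result assumes ssl.conf contains exactly one `SSLCipherSuite` directive.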
@ -60,7 +54,6 @@
|
|||
regexp: '^([\s\t]+)?SSLProtocol'
|
||||
line: "SSLProtocol all -SSLv2 -SSLv3"
|
||||
state: present
|
||||
become: true
|
||||
notify:
|
||||
- check apache syntax
|
||||
- restart systemd unit apache2
|
||||
|
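Review bot: `SSLProtocol all -SSLv2 -SSLv3` still admits TLS 1.0 and TLS 1.1. If the clients of these vhosts are current browsers, `all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1` is the usual setting; if older clients must be served, record the reason in the task name or a comment so the exception is visibly deliberate.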
@ -71,7 +64,6 @@
|
|||
regexp: "^ServerTokens"
|
||||
line: "ServerTokens Prod"
|
||||
state: present
|
||||
become: true
|
||||
notify:
|
||||
- check apache syntax
|
||||
- restart systemd unit apache2
|
||||
|
@ -82,7 +74,6 @@
|
|||
regexp: "^ServerSignature"
|
||||
line: "ServerSignature EMail"
|
||||
state: present
|
||||
become: true
|
||||
notify:
|
||||
- check apache syntax
|
||||
- restart systemd unit apache2
|
||||
|
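Review bot: `ServerSignature EMail` places the ServerAdmin address and server name into Apache's generated error pages; given that the previous task sets `ServerTokens Prod` to minimise disclosure, `ServerSignature Off` is the consistent choice. If a contact address is wanted, publish it on a static page instead of every error response.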
@ -91,7 +82,6 @@
|
|||
template:
|
||||
src: ffmwu-default-http.conf.j2
|
||||
dest: /etc/apache2/sites-available/ffmwu-default-http.conf
|
||||
become: true
|
||||
notify:
|
||||
- check apache syntax
|
||||
- restart systemd unit apache2
|
||||
|
@ -100,7 +90,6 @@
|
|||
template:
|
||||
src: ffmwu-default-https.conf.j2
|
||||
dest: /etc/apache2/sites-available/ffmwu-default-https.conf
|
||||
become: true
|
||||
notify:
|
||||
- check apache syntax
|
||||
- restart systemd unit apache2
|
||||
|
@ -109,7 +98,6 @@
|
|||
command: /usr/sbin/a2ensite ffmwu-default-http
|
||||
args:
|
||||
creates: /etc/apache2/sites-enabled/ffmwu-default-http.conf
|
||||
become: true
|
||||
notify:
|
||||
- check apache syntax
|
||||
- restart systemd unit apache2
|
||||
|
@ -118,7 +106,6 @@
|
|||
command: /usr/sbin/a2ensite ffmwu-default-https
|
||||
args:
|
||||
creates: /etc/apache2/sites-enabled/ffmwu-default-https.conf
|
||||
become: true
|
||||
notify:
|
||||
- check apache syntax
|
||||
- restart systemd unit apache2
|
||||
|
|
|
@ -40,7 +40,7 @@
|
|||
line: secret "{{f_key_pair.stdout_lines[0] |regex_replace('^Secret. ','')}}";
|
||||
mode: 0400
|
||||
regexp: '^secret ".*";'
|
||||
state : present
|
||||
state: present
|
||||
|
||||
- name: write out fastd public key - {{mf_com.abbreviation}}
|
||||
lineinfile:
|
||||
|
@ -50,7 +50,7 @@
|
|||
line: key "{{f_key_pair.stdout_lines[1] |regex_replace('^Public. ','')}}";
|
||||
mode: 0440
|
||||
regexp: '^key ".*";'
|
||||
state : present
|
||||
state: present
|
||||
register: f_pub_key
|
||||
ignore_errors: True
|
||||
|
||||
|
|
|
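Review bot: `ignore_errors: True` on the public-key write hides a failed write (for example an empty key after `regex_replace('^Public. ','')` if the key-generation output format changes), and `f_pub_key` is then registered as if it succeeded; the secret-key task above carries no such guard, so the two behave differently for no visible reason. Prefer a `failed_when` on an empty `f_key_pair.stdout_lines[1]`, or drop the ignore and let the play stop. The `state : present` to `state: present` correction itself is right.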
@ -2,7 +2,6 @@
|
|||
|
||||
- name: ensure correct ownership of /etc/fastd
|
||||
file: path=/etc/fastd state=directory mode=0750 owner=admin group=admin
|
||||
become: True
|
||||
|
||||
- name: find ssh keyfile name for use with git
|
||||
shell: grep IdentityFile ~/.ssh/config | awk '{print $2}'
|
||||
|
|
|
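Review bot: with `become` now defaulting to True (the explicit `become: True` is removed here), the following task `shell: grep IdentityFile ~/.ssh/config | awk '{print $2}'` runs as root unless it sets `become: false`, and `~` then expands to /root rather than the admin user's home, so the grep finds nothing. The git clone tasks in this change set `become: false` explicitly for that reason; this task needs the same unless it is set in lines below the hunk. Separately, /etc/fastd as admin:admin 0750 makes the directory holding the fastd secrets writable by the unprivileged admin account; that is acceptable only if admin is treated as root-equivalent (it receives NOPASSWD sudo in the localtestvm role), which the role README should state.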
@ -1,25 +0,0 @@
|
|||
---
|
||||
|
||||
- name: assert IPv4 DNS entry
|
||||
local_action: shell dig A {{ inventory_hostname }} | egrep '^{{ inventory_hostname }}'
|
||||
changed_when: False
|
||||
when: "{{ require_dns | default('True') }}"
|
||||
|
||||
- name: assert IPv6 DNS entry
|
||||
local_action: shell dig AAAA {{ inventory_hostname }} | egrep '^{{ inventory_hostname }}'
|
||||
changed_when: False
|
||||
when: "{{ require_dns | default('True') }}"
|
||||
|
||||
- name: test access to admin account (ssh key neccessary!)
|
||||
command: "true"
|
||||
changed_when: False
|
||||
|
||||
- name: test access to root account
|
||||
command: "true"
|
||||
changed_when: False
|
||||
become: True
|
||||
become_user: root
|
||||
|
||||
- name: fail on wrong OS type and version # TODO: include debian
|
||||
fail: msg="unsupported OS type or version - {{ ansible_distribution }} {{ ansible_distribution_major_version }}"
|
||||
when: not ( ( ansible_distribution=="Ubuntu" and ansible_distribution_major_version|int==14 ) or ( ansible_distribution=="Debian" and ansible_distribution_major_version|int==8 ) )
|
|
@ -10,7 +10,6 @@
|
|||
- block:
|
||||
- name: ensure needed system users are present
|
||||
user: name=admin comment="Freifunk MWU Admin" shell=/bin/bash state=present
|
||||
become: True
|
||||
|
||||
- name: ensure all wanted ssh keys exclusively
|
||||
authorized_key: exclusive=True state=present user=admin
|
||||
|
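Review bot: `authorized_key: exclusive=True state=present user=admin` removes every key not in the supplied list, so an undefined or empty key variable on a host strips all admin access in a single run. Add an `assert` directly before it that the key list is defined, non-empty and still contains the key of the operator running the play, especially since the per-host `h_v_add_auth_keys` files are deleted in this same change. The block condition `when: (ansible_managed_server is defined) and (ansible_managed_server)` also means hosts lacking the variable silently skip user and key management; `ansible_managed_server | default(false)` expresses the same thing more readably.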
@ -18,11 +17,9 @@
|
|||
|
||||
- name: ensure vim is default editor
|
||||
alternatives: name=editor path=/usr/bin/vim.basic
|
||||
become: True
|
||||
|
||||
- name: set timezone to Europe/Berlin
|
||||
timezone: name=Europe/Berlin
|
||||
become: True
|
||||
|
||||
when: (ansible_managed_server is defined) and (ansible_managed_server)
|
||||
# end block
|
||||
|
|
18
roles/git-repos/README.md
Normal file
|
@ -0,0 +1,18 @@
|
|||
# Ansible role git-repos
|
||||
|
||||
Diese Ansible role klont wichtige git Repositories.
|
||||
|
||||
- installiert git
|
||||
- legt /home/admin/clones an
|
||||
- klont alle git Repositories aus dem Dictionary `common_repos`
|
||||
|
||||
## Benötigte Variablen
|
||||
|
||||
- Dictionary `common_repos` # role variable
|
||||
```
|
||||
common_repos:
|
||||
name: # name des Repositories == Ordner Name
|
||||
repo_url: # HTTP-URL zum Repository
|
||||
...
|
||||
|
||||
```
|
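Review bot: the documented `common_repos` schema (`name:`, `repo_url:`) does not match what roles/git-repos/tasks/main.yml consumes: the task iterates with `with_dict`, takes the directory name from the dictionary key (`item.key`) and requires `item.value.version` as well as `repo_url`. Document it as `<name>: { repo_url: ..., version: ... }` and drop the separate `name` field, otherwise a repository added per this README fails on the missing `version`.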
23
roles/git-repos/tasks/main.yml
Normal file
|
@ -0,0 +1,23 @@
|
|||
---
|
||||
- name: install git packages
|
||||
package:
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
with_items:
|
||||
- git
|
||||
|
||||
- name: ensure git directory is present
|
||||
file:
|
||||
path: /home/admin/clones
|
||||
state: directory
|
||||
mode: 0755
|
||||
owner: admin
|
||||
group: admin
|
||||
|
||||
- name: clone git repositories
|
||||
git:
|
||||
repo: "{{ item.value.repo_url }}"
|
||||
dest: "/home/admin/clones/{{ item.key }}"
|
||||
version: "{{ item.value.version }}"
|
||||
with_dict: "{{ common_repos }}"
|
||||
become: false
|
11
roles/git-repos/vars/main.yml
Normal file
|
@ -0,0 +1,11 @@
|
|||
---
|
||||
common_repos:
|
||||
backend-scripts:
|
||||
repo_url: https://github.com/freifunk-mwu/backend-scripts.git
|
||||
version: ansible
|
||||
icvpn-meta:
|
||||
repo_url: https://github.com/freifunk/icvpn-meta.git
|
||||
version: master
|
||||
icvpn-scripts:
|
||||
repo_url: https://github.com/freifunk/icvpn-scripts.git
|
||||
version: master
|
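Review bot: all three repositories are pinned to branch names (`ansible`, `master`) rather than tags or commit ids. Since backend-scripts and icvpn-scripts are cloned onto the gateways and, going by their names, run there, a moving branch means any push to those upstream repositories changes what executes on the infrastructure at the next playbook run. Pin to a tag or commit hash and bump it deliberately; the task already makes `version` mandatory, which is the right foundation for that.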
95
roles/handlers/handlers/main.yml
Normal file
|
@ -0,0 +1,95 @@
|
|||
---
|
||||
- name: reload systemd
|
||||
systemd:
|
||||
daemon_reload: yes
|
||||
|
||||
- name: reload network interfaces
|
||||
systemd:
|
||||
name: networking
|
||||
state: reloaded
|
||||
|
||||
- name: activate sysfs variables
|
||||
systemd:
|
||||
name: sysfsutils
|
||||
state: restarted
|
||||
|
||||
- name: restart bind9
|
||||
systemd:
|
||||
name: bind9
|
||||
state: restarted
|
||||
|
||||
- name: reload systemd unit bird
|
||||
systemd:
|
||||
name: bird
|
||||
state: reloaded
|
||||
|
||||
- name: reload systemd unit bird6
|
||||
systemd:
|
||||
name: bird6
|
||||
state: reloaded
|
||||
|
||||
- name: restart isc dhcp server
|
||||
systemd:
|
||||
name: isc-dhcp-server
|
||||
enabled: yes
|
||||
state: restarted
|
||||
|
||||
- name: restart fastd intragate instances
|
||||
systemd:
|
||||
name: "fastd@{{ item.0.id }}igvpn-{{ item.1.mtu }}"
|
||||
state: restarted
|
||||
with_subelements:
|
||||
- "{{ meshes }}"
|
||||
- fastd.intragate.instances
|
||||
|
||||
- name: restart fastd mesh instances
|
||||
systemd:
|
||||
name: "fastd@{{ item.0.id }}vpn-{{ item.1.mtu }}"
|
||||
state: restarted
|
||||
with_subelements:
|
||||
- "{{ meshes }}"
|
||||
- fastd.nodes.instances
|
||||
|
||||
- name: restart systemd unit radvd
|
||||
systemd:
|
||||
name: radvd
|
||||
state: restarted
|
||||
|
||||
- name: restart respondd
|
||||
systemd:
|
||||
name: "respondd-{{ item.id }}"
|
||||
state: restarted
|
||||
with_items: "{{ meshes }}"
|
||||
|
||||
- name: restart systemd unit tinc
|
||||
systemd:
|
||||
name: tinc
|
||||
enabled: yes
|
||||
state: restarted
|
||||
|
||||
- name: restart systemd unit ffmwu-static-routes
|
||||
systemd:
|
||||
name: ffmwu-static-routes
|
||||
state: restarted
|
||||
|
||||
- name: restart systemd unit ffmwu-ip-rules
|
||||
systemd:
|
||||
name: ffmwu-ip-rules
|
||||
state: restarted
|
||||
|
||||
- name: restart respondd
|
||||
systemd:
|
||||
name: "respondd-{{ item.id }}"
|
||||
state: restarted
|
||||
with_items: "{{ meshes }}"
|
||||
|
||||
- name: iptables-restore
|
||||
shell: iptables-restore < /etc/iptables/rules.v4
|
||||
|
||||
- name: ip6tables-restore
|
||||
shell: ip6tables-restore < /etc/iptables/rules.v6
|
||||
|
||||
- name: reload nginx
|
||||
systemd:
|
||||
name: nginx
|
||||
state: reloaded
|
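Review bot: `restart respondd` is defined twice with identical bodies; Ansible runs only one handler per name, so delete the second copy to avoid confusion. The `iptables-restore < /etc/iptables/rules.v4` and `ip6tables-restore` handlers load a freshly templated ruleset with no validation step, so a template error leaves the host with whatever partial or previous rules the restore managed to apply; run `iptables-restore --test` (and the ip6tables equivalent) on the file before notifying, or attach a `validate:` to the task that writes rules.v4/rules.v6, so a broken file never reaches the live tables.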
6
roles/kmod-batman/README.md
Normal file
|
@ -0,0 +1,6 @@
|
|||
# Ansible role kmod-batman
|
||||
Diese Ansible role installiert das Kernel Modul batman-adv:
|
||||
|
||||
- Linux Kernel Headers
|
||||
- Kernel Modul batman-adv
|
||||
- Userspace Tool batctl
|
19
roles/kmod-batman/tasks/main.yml
Normal file
|
@ -0,0 +1,19 @@
|
|||
---
|
||||
- name: install batman-module and linux headers
|
||||
package:
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
with_items:
|
||||
- linux-headers-amd64
|
||||
- batman-adv-dkms
|
||||
- batctl
|
||||
|
||||
- name: configure batman module to load on system boot
|
||||
template:
|
||||
src: batman-adv.module.conf.j2
|
||||
dest: /etc/modules-load.d/batman-adv.conf
|
||||
|
||||
- name: load batman module
|
||||
modprobe:
|
||||
name: "batman-adv"
|
||||
state: present
|
5
roles/kmod-batman/templates/batman-adv.module.conf.j2
Normal file
|
@ -0,0 +1,5 @@
|
|||
#
|
||||
# Load batman-adv module on system boot
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
batman-adv
|
|
@ -125,4 +125,3 @@
|
|||
# remote_src: True # though remote equals local ...
|
||||
# delegate_to: 127.0.0.1 # local action
|
||||
# register: primcopy
|
||||
|
|
@ -18,15 +18,14 @@
|
|||
|
||||
- name: ensure admin user
|
||||
user: comment="FFMWU Administrator" name=admin shell=/bin/bash state=present
|
||||
become: True
|
||||
|
||||
- name: ensure users ssh key to admin user
|
||||
authorized_key: user=admin key="{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
|
||||
exclusive=no
|
||||
become: True
|
||||
|
||||
- name: ensure users ssh key to bootstrap user
|
||||
authorized_key: user=hein key="{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
|
||||
become: false
|
||||
|
||||
- name: ensure no-pw sudo capability for admin and bootstrap user
|
||||
lineinfile:
|
||||
|
@ -35,8 +34,6 @@
|
|||
line: "admin,hein ALL = (root) NOPASSWD: ALL"
|
||||
mode: 0440
|
||||
validate: visudo -c -f %s
|
||||
become: True
|
||||
|
||||
- name: from this point on prevent pw for bootstrap user
|
||||
user: user=hein password=X
|
||||
become: True
|
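Review bot: `user: user=hein password=X` disables password login for the bootstrap user by storing a string that can never match a crypt hash; it works, but it reads like a placeholder. The user module's `password_lock: yes` (Ansible 2.6 and later) states the intent directly; on older versions at least comment that `X` is deliberate. Validating the sudoers line with `visudo -c -f %s` is the right way to write that file.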
46
roles/network-batman/README.md
Normal file
|
@ -0,0 +1,46 @@
|
|||
# Ansible role network-batman
|
||||
|
||||
Diese Ansible role konfiguriert batman-adv Netzwerk Interfaces.
|
||||
|
||||
- dummy interface pro mesh
|
||||
- batman-adv interface pro mesh
|
||||
- konfiguriert sysfs variablen:
|
||||
- Hop Penalty pro batman-adv interface
|
||||
|
||||
## Benötigte Variablen
|
||||
|
||||
- Dictionary `meshes`
|
||||
´´´
|
||||
meshes:
|
||||
- id: xx
|
||||
...
|
||||
ipv4_network:
|
||||
...
|
||||
batman:
|
||||
it: # integer: originator interval
|
||||
gw: # string: gateway mode
|
||||
mm: # boolean: multicast mode
|
||||
dat: # boolean: distributed arp table
|
||||
hop_penalty: # integer: hop penalty
|
||||
...
|
||||
fastd:
|
||||
nodes:
|
||||
instances:
|
||||
- id: 0 # integer
|
||||
mtu: # integer
|
||||
...
|
||||
intragate:
|
||||
instances:
|
||||
- id: 0 # integer
|
||||
mtu: # integer
|
||||
...
|
||||
|
||||
´´´
|
||||
- Host Variable `magic`
|
||||
|
||||
## MAC-Adressen
|
||||
|
||||
Die MAC-Adressen der Interfaces werden aus dem IPv4-Subnetz sowie der `magic`-Nummer des Hosts berechnet.
|
||||
|
||||
xx0-prefix: `02:00`
|
||||
xxbat-prefix: `02:01`
|
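Review bot: the code fences in this README use acute accents (´´´) instead of backticks (```), so the `meshes` example will not render as a code block; the same appears in the network-fastd, network-ffrl and network-iptables-gateway READMEs added in this change, while roles/git-repos/README.md uses the correct fence. Worth adding to the MAC section, since it documents the `02:00`/`02:01` prefixes: the remaining four octets are the host's IPv4 address in that mesh, so `magic` has to be unique per mesh or two hosts receive the same MAC.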
17
roles/network-batman/tasks/main.yml
Normal file
|
@ -0,0 +1,17 @@
|
|||
---
|
||||
- name: create dummy interfaces
|
||||
template:
|
||||
src: dummy.j2
|
||||
dest: "/etc/network/interfaces.d/{{ item.id }}0"
|
||||
notify: reload network interfaces
|
||||
with_items: "{{ meshes }}"
|
||||
|
||||
- name: create batman interfaces
|
||||
template:
|
||||
src: batman.j2
|
||||
dest: "/etc/network/interfaces.d/{{ item.id }}bat"
|
||||
notify: reload network interfaces
|
||||
with_items: "{{ meshes }}"
|
||||
|
||||
- name: flush handlers
|
||||
meta: flush_handlers
|
15
roles/network-batman/templates/batman.j2
Normal file
|
@ -0,0 +1,15 @@
|
|||
#jinja2: trim_blocks:False
|
||||
{% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
|
||||
{% set mac = '0201' + ip4hex -%}
|
||||
#
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
auto {{ item.id }}bat
|
||||
iface {{ item.id }}bat
|
||||
hwaddress {{ mac | hwaddr('linux') }}
|
||||
batman-ifaces {{ item.id }}0 {% for instance in item.fastd.nodes.instances %}{{ item.id }}vpn-{{ instance.mtu }}{% if not loop.last %} {% endif %}{% endfor %} {% for instance in item.fastd.intragate.instances %}{{ item.id }}igvpn-{{ instance.mtu }}{% if not loop.last %} {% endif %}{% endfor %}
|
||||
batman-hop-penalty {{ item.batman.hop_penalty }}
|
||||
post-up /usr/sbin/batctl -m $IFACE it {{ item.batman.it }}
|
||||
post-up /usr/sbin/batctl -m $IFACE gw {{ item.batman.gw }}
|
||||
post-up /usr/sbin/batctl -m $IFACE mm {{ item.batman.mm }}
|
||||
post-up /usr/sbin/batctl -m $IFACE dat {{ item.batman.dat }}
|
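Review bot: `mm` and `dat` are documented as booleans in the role README, but a YAML `true` renders here as `True` in `post-up /usr/sbin/batctl -m $IFACE mm True`; batctl expects 0/1 (or on/off, enable/disable), so either check that the batctl shipped with Debian stable accepts `True`, or render `{{ 'enable' if item.batman.mm else 'disable' }}` so the documented type actually works. The hwaddress built from `0201` plus the hex IPv4 address sets the locally-administered bit and clears the multicast bit, so the generated MACs are well-formed.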
9
roles/network-batman/templates/dummy.j2
Normal file
|
@ -0,0 +1,9 @@
|
|||
{% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
|
||||
{% set mac = '0200' + ip4hex -%}
|
||||
#
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
auto {{ item.id }}0
|
||||
iface {{ item.id }}0
|
||||
link-type dummy
|
||||
hwaddress {{ mac | hwaddr('linux') }}
|
40
roles/network-fastd/README.md
Normal file
|
@ -0,0 +1,40 @@
|
|||
# Ansible role network-fastd
|
||||
|
||||
Diese Ansible role konfiguriert Netzwerk Interfaces für die definierten fastd Instanzen.
|
||||
|
||||
Es wird zwischen node- und intragate-Instanzen unterschieden.
|
||||
|
||||
## Interface-Benamung
|
||||
Node-Interfaces: $mesh.id + vpn + '-' + $mesh.fastd.nodes.instances.xx.mtu, z.B. "mzvpn-1312"
|
||||
Intragate-Interfaces: $mesh.id + 'ig' + vpn + '-' + $mesh.fastd.intragate.instances.xx.mtu, z.B. "mzigvpn-1312"
|
||||
|
||||
## Benötigte Variablen
|
||||
|
||||
- Dictionary `meshes`
|
||||
´´´
|
||||
meshes:
|
||||
- id: xx
|
||||
...
|
||||
ipv4_network:
|
||||
...
|
||||
fastd:
|
||||
nodes:
|
||||
instances:
|
||||
- id: 0 # integer
|
||||
mtu: # integer
|
||||
...
|
||||
intragate:
|
||||
instances:
|
||||
- id: 0 # integer
|
||||
mtu: # integer
|
||||
...
|
||||
|
||||
´´´
|
||||
- Host Variable `magic`
|
||||
|
||||
## MAC-Adressen
|
||||
|
||||
Die MAC-Adressen der Interfaces werden aus dem IPv4-Subnetz sowie der `magic`-Nummer des Hosts berechnet.
|
||||
|
||||
xxvpn-$mtu prefix: `02:2x` # x = ID der fastd-Instanz
|
||||
xxigvpn-$mtu prefix: `02:3x` # x = ID der fastd-Instanz
|
21
roles/network-fastd/tasks/main.yml
Normal file
|
@ -0,0 +1,21 @@
|
|||
---
|
||||
- name: create fastd mesh interfaces
|
||||
template:
|
||||
src: fastd-mesh.j2
|
||||
dest: "/etc/network/interfaces.d/{{ item.0.id }}vpn-{{ item.1.mtu }}"
|
||||
notify: reload network interfaces
|
||||
with_subelements:
|
||||
- "{{ meshes }}"
|
||||
- fastd.nodes.instances
|
||||
|
||||
- name: create fastd intragate interfaces
|
||||
template:
|
||||
src: fastd-intragate.j2
|
||||
dest: "/etc/network/interfaces.d/{{ item.0.id }}igvpn-{{ item.1.mtu }}"
|
||||
notify: reload network interfaces
|
||||
with_subelements:
|
||||
- "{{ meshes }}"
|
||||
- fastd.intragate.instances
|
||||
|
||||
- name: flush handlers
|
||||
meta: flush_handlers
|
8
roles/network-fastd/templates/fastd-intragate.j2
Normal file
|
@ -0,0 +1,8 @@
|
|||
{% set ip4hex = item.0.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
|
||||
{% set mac = '023' + item.1.id|string + ip4hex -%}
|
||||
#
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
auto {{ item.0.id }}igvpn-{{ item.1.mtu }}
|
||||
iface {{ item.0.id }}igvpn-{{ item.1.mtu }}
|
||||
hwaddress {{ mac | hwaddr('linux') }}
|
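Review bot: the MAC is assembled as `'023' + item.1.id|string + ip4hex` (and `'022' + ...` in fastd-mesh.j2), which only yields 12 hex digits when `id` is a single digit; an instance id of 10 or more produces a 13-plus character string and `hwaddr('linux')` fails or returns garbage. Either document `id` as 0..9 in the README (it currently says only `integer`) and assert it in the role, or format it as one hex digit with `'%x' % item.1.id` and restrict it to 0..15.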
8
roles/network-fastd/templates/fastd-mesh.j2
Normal file
|
@ -0,0 +1,8 @@
|
|||
{% set ip4hex = item.0.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
|
||||
{% set mac = '022' + item.1.id|string + ip4hex -%}
|
||||
#
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
auto {{ item.0.id }}vpn-{{ item.1.mtu }}
|
||||
iface {{ item.0.id }}vpn-{{ item.1.mtu }}
|
||||
hwaddress {{ mac | hwaddr('linux') }}
|
33
roles/network-ffrl/README.md
Normal file
|
@ -0,0 +1,33 @@
|
|||
# Ansible role network-ffrl
|
||||
|
||||
Diese Ansible role konfiguriert die GRE-Tunnel Interfaces, die für den Internet-Exit über Freifunk Rheinland benötigt werden.
|
||||
|
||||
## Benötigte Variablen
|
||||
- Dictionary `ffrl_exit_server` (Host Variable)
|
||||
´´´
|
||||
ffrl_exit_server:
|
||||
ffrl-a-ak-ber:
|
||||
public_ipv4_address: 185.66.195.0
|
||||
tunnel_ipv4_network: # IPv4 Tunnel Transfernetz
|
||||
tunnel_ipv6_network: # IPv6 Tunnel Transfernetz
|
||||
ffrl-b-ak-ber:
|
||||
public_ipv4_address: 185.66.195.1
|
||||
tunnel_ipv4_network:
|
||||
tunnel_ipv6_network:
|
||||
ffrl-a-ix-dus:
|
||||
public_ipv4_address: 185.66.193.0
|
||||
tunnel_ipv4_network:
|
||||
tunnel_ipv6_network:
|
||||
ffrl-b-ix-dus:
|
||||
public_ipv4_address: 185.66.193.1
|
||||
tunnel_ipv4_network:
|
||||
tunnel_ipv6_network:
|
||||
ffrl-a-fra2-fra:
|
||||
public_ipv4_address: 185.66.194.0
|
||||
tunnel_ipv4_network:
|
||||
tunnel_ipv6_network:
|
||||
ffrl-b-fra2-fra:
|
||||
public_ipv4_address: 185.66.194.1
|
||||
tunnel_ipv4_network:
|
||||
tunnel_ipv6_network:
|
||||
´´´
|
16
roles/network-ffrl/tasks/main.yml
Normal file
|
@ -0,0 +1,16 @@
|
|||
---
|
||||
- name: create ffrl interfaces
|
||||
template:
|
||||
src: ffrl.j2
|
||||
dest: "/etc/network/interfaces.d/{{ item.key }}"
|
||||
notify: reload network interfaces
|
||||
with_dict: "{{ ffrl_exit_server }}"
|
||||
|
||||
- name: create ffrl-nat dummy interface
|
||||
template:
|
||||
src: ffrl_nat.j2
|
||||
dest: "/etc/network/interfaces.d/ffrl-nat"
|
||||
notify: reload network interfaces
|
||||
|
||||
- name: flush handlers
|
||||
meta: flush_handlers
|
15
roles/network-ffrl/templates/ffrl.j2
Normal file
|
@ -0,0 +1,15 @@
|
|||
#
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
auto {{ item.key }}
|
||||
iface {{ item.key }} inet tunnel
|
||||
mode gre
|
||||
local {{ ansible_default_ipv4.address | ipaddr('public') | ipaddr('address') }}
|
||||
endpoint {{ item.value.public_ipv4_address | ipaddr('public') | ipaddr('address') }}
|
||||
|
||||
ttl 64
|
||||
mtu 1400
|
||||
tunnel-physdev {{ ansible_default_ipv4.interface }}
|
||||
|
||||
address {{ item.value.tunnel_ipv4_network | ipaddr('net') | ipaddr('1') | ipaddr('ip/prefix') }}
|
||||
address {{ item.value.tunnel_ipv6_network | ipaddr('net') | ipaddr('2') | ipaddr('ip/prefix') }}
|
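Review bot: `local {{ ansible_default_ipv4.address | ipaddr('public') | ipaddr('address') }}` renders `False` rather than raising when the default address is private or CGNAT, which yields an unusable stanza that only shows up at `ifreload` time; add an `assert` that `ansible_default_ipv4.address | ipaddr('public')` is truthy before templating. Plain GRE has no authentication, so nothing in the tunnel itself stops a spoofed packet with the exit server's source address from being decapsulated; the protection has to come from the firewall, which should accept GRE only from the `ffrl_exit_server` public addresses (see the INPUT rule in rules.v4.j2).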
7
roles/network-ffrl/templates/ffrl_nat.j2
Normal file
@ -0,0 +1,7 @@
#
# {{ ansible_managed }}
#
auto ffrl-nat
iface ffrl-nat
link-type dummy
address {{ ffrl_public_ipv4_nat | ipaddr('host') }}
29
roles/network-iptables-gateway/README.md
Normal file
@ -0,0 +1,29 @@
# Ansible role network-iptables-gateway

Diese Ansible role konfiguriert iptables Regeln für IPv4+IPv6 eines Freifunk Gateways.

- installiert iptables+iptables-persistent
- schreibt rules.v4 + rules.v6
- setzt netfilter sysctl parameter

## Benötigte Variablen

- List `sysctl_settings_netfilter` (Rollen Variable)
´´´
sysctl_settings_netfilter:
- name: # sysctl-Parameter
value: # zu setzender Wert

´´´
- Dictionary `meshes`
´´´
meshes:
- id: xx
...
ipv4_network:
...

´´´
- Variable `internet_exit_tcp_mss_ipv4`
- Variable `internet_exit_tcp_mss_ipv6`
- Host Variable `ffrl_public_ipv4_nat` # Format ip-adresse/prefix
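Review bot: `meshes` is documented as a Dictionary, but the example and every template loop in this change (`{% for mesh in meshes %}`) treat it as a list of dicts; the same mismatch is repeated in the other READMEs. `sysctl_settings_netfilter` is listed under required variables although it is the role's own default from vars/main.yml, so describe it as an overridable role variable rather than something the caller must supply.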
35
roles/network-iptables-gateway/tasks/main.yml
Normal file
@ -0,0 +1,35 @@
---
- name: install iptables packages
package:
name: "{{ item }}"
state: present
with_items:
- iptables
- iptables-persistent

- name: load netfilter modules
modprobe:
name: "{{ item }}"
state: present
with_items:
- nf_conntrack
- nf_conntrack_ipv4

- name: set netfilter sysctl settings
sysctl:
name: "{{ item.name }}"
value: "{{ item.value }}"
state: present
with_items: "{{ sysctl_settings_netfilter }}"

- name: write iptables configuration
template:
src: rules.v4.j2
dest: /etc/iptables/rules.v4
notify: iptables-restore

- name: write ip6tables configuration
template:
src: rules.v6.j2
dest: /etc/iptables/rules.v6
notify: ip6tables-restore
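Review bot: `modprobe: nf_conntrack_ipv4` fails on kernels 4.19 and later, where the IPv4 parts were folded into `nf_conntrack`; it works on the Debian 9 kernel the prerequisites role pins, but guard it with a kernel-version condition (or drop it, since loading `nf_conntrack` is enough for the sysctls that follow) before the next Debian upgrade turns this into a play failure. The two `template` tasks for /etc/iptables/rules.v4 and rules.v6 set no `owner`/`group`/`mode`; set `mode: 0640`, the rendered rules embed the NAT address and interface layout and need not be world-readable.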
42
roles/network-iptables-gateway/templates/rules.v4.j2
Normal file
@ -0,0 +1,42 @@
#
# {{ ansible_managed }}
#
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -d {{ ansible_default_ipv4.address | ipaddr('public') }}/32 -p gre -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
{% for mesh_forward in meshes %}
{% for mesh_recursive in meshes recursive %}
{% if not mesh_forward.id == mesh_recursive.id %}
-A FORWARD -i {{ mesh_forward.id }}br -o {{ mesh_recursive.id }}br -j ACCEPT
{% endif %}
{% endfor %}
{% endfor %}
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s {{ ansible_default_ipv4.address | ipaddr('public') }}/32 -p gre -j ACCEPT
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ffrl+ -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss ! --mss 0:{{ internet_exit_tcp_mss_ipv4 }} -j TCPMSS --set-mss {{ internet_exit_tcp_mss_ipv4 }}
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:ffrl-nat - [0:0]
{% for mesh in meshes %}
-A POSTROUTING -s {{ mesh.ipv4_network | ipaddr('private') | ipaddr('net') }} -o ffrl+ -j ffrl-nat
{% endfor %}
-A ffrl-nat -o ffrl+ -j SNAT --to-source {{ ffrl_public_ipv4_nat | ipaddr('address') }}
COMMIT
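Review bot: all three filter chains keep policy ACCEPT, so the explicit ACCEPT rules (GRE, RELATED/ESTABLISHED, the mesh-to-mesh FORWARD pairs) change nothing and the only effect of the ruleset is dropping INVALID; a client on a mesh bridge can still reach every service on the gateway and be forwarded straight to the uplink interface. If this is meant to be a firewall, set `:INPUT DROP` and `:FORWARD DROP` and allow what is needed explicitly; at minimum restrict `-A INPUT -d ... -p gre -j ACCEPT` with `-s` to the `ffrl_exit_server` public addresses instead of accepting GRE from any source. Two smaller points: the `recursive` modifier on `{% for mesh_recursive in meshes recursive %}` has no effect because `loop()` is never called, and `ipaddr('private')` on `mesh.ipv4_network` renders `False` (not an error) for a non-RFC1918 mesh network, producing a broken `-s False` rule.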
35
roles/network-iptables-gateway/templates/rules.v6.j2
Normal file
@ -0,0 +1,35 @@
#
# {{ ansible_managed }}
#
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
{% for mesh_forward in meshes %}
{% for mesh_recursive in meshes recursive %}
{% if not mesh_forward.id == mesh_recursive.id %}
-A FORWARD -i {{ mesh_forward.id }}br -o {{ mesh_recursive.id }}br -j ACCEPT
{% endif %}
{% endfor %}
{% endfor %}
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ffrl+ -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss ! --mss 0:{{ internet_exit_tcp_mss_ipv6 }} -j TCPMSS --set-mss {{ internet_exit_tcp_mss_ipv6 }}
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
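Review bot: same default-ACCEPT observation as for rules.v4.j2: with policy ACCEPT on INPUT/FORWARD/OUTPUT the v6 ruleset only drops INVALID, so mesh clients can reach the gateway's own IPv6 services unfiltered. Not having an IPv6 NAT section is correct (the public prefix is routed), but when the policies are tightened, add an explicit ICMPv6 accept (neighbour discovery, PMTU) ahead of the DROP or the bridges and the GRE-carried IPv6 stop working.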
6
roles/network-iptables-gateway/vars/main.yml
Normal file
@ -0,0 +1,6 @@
---
sysctl_settings_netfilter:
- name: net.netfilter.nf_conntrack_tcp_timeout_established
value: 86400
- name: net.netfilter.nf_conntrack_max
value: 262140
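Review bot: `nf_conntrack_max` is raised to 262140 without a matching hash table size; the bucket count is derived from RAM when `nf_conntrack` loads, so the table grows while lookups degrade into long chains. Set the hashsize to roughly max/4 alongside it, via `/sys/module/nf_conntrack/parameters/hashsize` or a modprobe option, since `net.netfilter.nf_conntrack_buckets` is not writable through `sysctl` on older kernels.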
30
roles/network-meshbridge/README.md
Normal file
@ -0,0 +1,30 @@
# Ansible role network-meshbridge

Diese Ansible role konfiguriert die Linux Bridges für die Freifunk Meshes.

- linux bridge pro mesh inklusive IP-Konfiguration
- konfiguriert sysfs variablen:
- hash_max

## Benötigte Variablen

- Dictionary `meshes`
´´´
meshes:
-id: xx
...
ipv4_network:
...
ipv6_ula:
- fdxx.../48 # ipv6 ula prefix
ipv6_public:
- 2xxx.../48 # ipv6 public prefix

´´´
- Host Variable `magic`

## MAC-Adressen

Die MAC-Adressen der Interfaces werden aus dem IPv4-Subnetz sowie der `magic`-Nummer des Hosts berechnet.

xxbr-prefix: `02:10`
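Review bot: `-id: xx` in the `meshes` example is missing the space after the dash, so it is not the YAML the templates expect (`- id: xx`), and `meshes` is a list rather than a Dictionary. The MAC section would be clearer stating what bridge.j2 actually does: `02:10` sets the locally-administered bit, and the remaining four octets are the gateway's IPv4 address on that mesh in hex, which is why the address is unique per gateway and mesh.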
17
roles/network-meshbridge/tasks/main.yml
Normal file
@ -0,0 +1,17 @@
---
- name: create mesh bridges
template:
src: bridge.j2
dest: "/etc/network/interfaces.d/{{ item.id }}br"
notify: reload network interfaces
with_items: "{{ meshes }}"

- name: set sysfs variables
template:
src: sysfs.j2
dest: "/etc/sysfs.d/99-{{ item.id }}br.conf"
with_items: "{{ meshes }}"
notify: activate sysfs variables

- name: flush handlers
meta: flush_handlers
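Review bot: `/etc/sysfs.d/99-{{ item.id }}br.conf` and the `activate sysfs variables` handler only work with the `sysfsutils` package installed, and this role does not ensure it; install it here (or assert its presence) rather than relying on another role's package list. As with the ffrl role, bridge files for meshes removed from `meshes` are never deleted.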
17
roles/network-meshbridge/templates/bridge.j2
Normal file
@ -0,0 +1,17 @@
{% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
{% set mac = '0210' + ip4hex -%}
#
# {{ ansible_managed }}
#
auto {{ item.id }}br
iface {{ item.id }}br
# hwaddress {{ mac | hwaddr('linux') }} <-- preferred way, not working - ipv6 addresses not set on boot
pre-up /sbin/ip link set address {{ mac | hwaddr('linux') }} dev $IFACE # ^^^ dirty workaround to get rid of
address {{ item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('ip/prefix') }}
{% for prefix in item.ipv6_ula %}
address {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('ip/prefix') }}
{% endfor %}
{% for prefix in item.ipv6_public %}
address {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('ip/prefix') }}
{% endfor %}
bridge-ports {{ item.id }}bat
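Review bot: the comment after the `pre-up` line is cut off ("dirty workaround to get rid of"); finish it or drop it, and record in the same comment why `pre-up /sbin/ip link set address` works where `hwaddress` did not (the address is forced before the interface is brought up, so the IPv6 addresses are added on the final link-layer address), otherwise the next cleanup will revert to `hwaddress` and reintroduce the boot problem. The `{% set %}` lines at the top end up before the `ansible_managed` header; move the header first so the file starts with the managed-by marker like the other templates.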
4
roles/network-meshbridge/templates/sysfs.j2
Normal file
@ -0,0 +1,4 @@
#
# {{ ansible_managed }}
#
class/net/{{ item.id }}br/bridge/hash_max = 16384
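Review bot: `class/net/{{ item.id }}br/bridge/hash_max` only exists once the bridge has been created, and sysfsutils applies /etc/sysfs.d early in boot, before networking; the handler covers the Ansible run, but after a reboot the value may silently not apply. Either order the sysfsutils unit after networking or set `hash_max` from a `post-up` hook in bridge.j2. (16384 is a valid value, hash_max has to be a power of two.)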
12
roles/network-routetables/README.md
Normal file
@ -0,0 +1,12 @@
# Ansible role network-routetables

Diese Ansible role legt die erforderlichen routing tables an.

## Benötigte Variablen

- `routing_tables`
´´´
routing_tables:
$name: # integer

´´´
8
roles/network-routetables/tasks/main.yml
Normal file
@ -0,0 +1,8 @@
---
- name: create routing tables
lineinfile:
path: /etc/iproute2/rt_tables
regexp: '^{{ item.value }}'
line: "{{ item.value }}{{ '\t' }}{{ item.key }}"
state: present
with_dict: "{{ routing_tables }}"
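Review bot: `regexp: '^{{ item.value }}'` is anchored only at the start, so a table id of `25` matches the stock `255 local` line (and `1` matches `10`, `100`, ...), and `lineinfile` would then overwrite the wrong entry; anchor the number with a following whitespace (`'^{{ item.value }}\s'`) or match on the table name (`'^\d+\s+{{ item.key }}$'`) so renumbering a table updates its own line.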
33
roles/network-routing/README.md
Normal file
@ -0,0 +1,33 @@
# Ansible role network-routing

Diese Ansible role konfiguriert System Einstellung bzgl. IP Routing.

- konfiguriert statische Routen (systemd Unit)
- Mesh Routen für die Routing Tabelle `mwu`
- Blackhole Routes für die Routing Tabellen `internet` + `main`
- konfiguriert IP rules (systemd Unit)
- konfiguriert sysctl Parameter

## Benötigte Variablen

- Dictionary `meshes`
´´´
meshes:
- id: xx
...
site_name:
ipv4_network:
ipv6_ula:
ipv6_public:
´´´
- List `sysctl_settings_gateway` (Rollen-Variable)
```
sysctl_settings_routing:
- name: # sysctl-Parameter
value: # zu setzender Wert
...
- Host Variable `ffrl_public_ipv4_nat` # Format ip-adresse/prefix
- Host Dictionary `ffrl_exit_server

´´´
- Host Variable `magic`
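Review bot: the variable list names `sysctl_settings_gateway`, but the example block and tasks/main.yml use `sysctl_settings_routing`; pick one. The block opened with ``` is closed with ´´´, so the two `ffrl_public_ipv4_nat`/`ffrl_exit_server` bullets end up inside the code block, and `ffrl_exit_server` is missing its closing backtick. `meshes` is a list here as well, not a Dictionary.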
61
roles/network-routing/tasks/main.yml
Normal file
@ -0,0 +1,61 @@
---
- name: write systemd unit ffmwu-static-routes.service
template:
src: ffmwu-static-routes.service.j2
dest: /etc/systemd/system/ffmwu-static-routes.service
owner: root
group: root
mode: 0644
notify: reload systemd

- name: write static route scripts
template:
src: "{{ item }}.j2"
dest: "/usr/local/bin/{{ item }}"
owner: root
group: root
mode: 0750
with_items:
- ffmwu-add-static-routes.sh
- ffmwu-del-static-routes.sh
notify: restart systemd unit ffmwu-static-routes

- name: enable systemd unit ffmwu-static-routes.service
systemd:
name: ffmwu-static-routes
enabled: yes
state: started

- name: write systemd unit ffmwu-ip-rules.service
template:
src: ffmwu-ip-rules.service.j2
dest: /etc/systemd/system/ffmwu-ip-rules.service
owner: root
group: root
mode: 0644
notify: reload systemd

- name: write ip rule scripts
template:
src: "{{ item }}.j2"
dest: "/usr/local/bin/{{ item }}"
owner: root
group: root
mode: 0750
with_items:
- ffmwu-add-ip-rules.sh
- ffmwu-del-ip-rules.sh
notify: restart systemd unit ffmwu-ip-rules

- name: enable systemd unit ffmwu-ip-rules.service
systemd:
name: ffmwu-ip-rules
enabled: yes
state: started

- name: set freifunk gateway sysctl settings
sysctl:
name: "{{ item.name }}"
value: "{{ item.value }}"
state: present
with_items: "{{ sysctl_settings_routing }}"
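Review bot: the two `systemd:` enable/start tasks run before the `reload systemd` handler fires, so when an already-loaded unit file changes it is started with the old definition; add `daemon_reload: yes` to those tasks or put `meta: flush_handlers` before them. Also note that the `restart systemd unit ...` handlers run `ExecStop` then `ExecStart`, i.e. every rule and route is removed and re-added and mesh traffic is blackholed for that window; fine for a maintenance run, but worth a comment next to the handler so nobody runs the role against a live gateway expecting a no-op.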
82
roles/network-routing/templates/ffmwu-add-ip-rules.sh.j2
Normal file
@ -0,0 +1,82 @@
#!/bin/sh
#
# {{ ansible_managed }}
#

# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
{% for mesh in meshes %}
ip -4 rule add from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
ip -4 rule add to {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
ip -4 rule add from all oif {{ mesh.id }}br lookup mwu priority 7
{% for ula in mesh.ipv6_ula %}
ip -6 rule add from {{ ula }} lookup mwu priority 7
ip -6 rule add to {{ ula }} lookup mwu priority 7
{% endfor %}
{% for public in mesh.ipv6_public %}
ip -6 rule add from {{ public }} lookup mwu priority 7
ip -6 rule add to {{ public }} lookup mwu priority 7
{% endfor %}
ip -6 rule add from all oif {{ mesh.id }}br lookup mwu priority 7
{% endfor %}

# Priority 23 - lookup rt_table icvpn for all incoming traffic of freifunk bridges
{% for mesh in meshes %}
ip -4 rule add from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23
ip -4 rule add to {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23
ip -4 rule add from all oif {{ mesh.id }}br lookup icvpn priority 23
{% for ula in mesh.ipv6_ula %}
ip -6 rule add from {{ ula }} lookup icvpn priority 23
ip -6 rule add to {{ ula }} lookup icvpn priority 23
{% endfor %}
{% for public in mesh.ipv6_public %}
ip -6 rule add from {{ public }} lookup icvpn priority 23
ip -6 rule add to {{ public }} lookup icvpn priority 23
{% endfor %}
ip -6 rule add from all oif {{ mesh.id }}br lookup icvpn priority 23
{% endfor %}
ip -4 rule add from all oif icvpn lookup icvpn priority 23
ip -6 rule add from all oif icvpn lookup icvpn priority 23

# Priority 41 - lookup rt_table internet for all incoming traffic of freifunk bridges
{% for mesh in meshes %}
ip -4 rule add from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup internet priority 41
{% for ula in mesh.ipv6_ula %}
ip -6 rule add from {{ ula }} lookup internet priority 41
ip -6 rule add to {{ ula }} lookup internet priority 41
{% endfor %}
{% for public in mesh.ipv6_public %}
ip -6 rule add from {{ public }} lookup internet priority 41
ip -6 rule add to {{ public }} lookup internet priority 41
{% endfor %}
ip -6 rule add from all oif {{ mesh.id }}br lookup internet priority 41
{% endfor %}
ip -4 rule add from {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41
ip -4 rule add to {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41

# Priority 61 - at this point this is the end of policy routing for freifunk related routes
{% for mesh in meshes %}
ip -4 rule add from all iif {{ mesh.id }}br type unreachable priority 61
ip -6 rule add from all iif {{ mesh.id }}br type unreachable priority 61
{% endfor %}
ip -4 rule add from all iif icvpn type unreachable priority 61
ip -4 rule add from all iif {{ ansible_default_ipv4.interface }} type unreachable priority 61
{% for server_id, server_value in ffrl_exit_server.iteritems() %}
ip -4 rule add from all iif {{ server_id }} type unreachable priority 61
ip -6 rule add from all iif {{ server_id }} type unreachable priority 61
{% endfor %}
ip -6 rule add from all iif icvpn type unreachable priority 61
ip -6 rule add from all iif {{ ansible_default_ipv6.interface }} type unreachable priority 61
{% for mesh in meshes %}
{% for public in mesh.ipv6_public %}
ip -6 rule add from {{ public }} type unreachable priority 61
ip -6 rule add to {{ public }} type unreachable priority 61
{% endfor %}
{% endfor %}

# Priority 107 - lookup policies for the gateway host self originating traffic
ip -4 rule add from all lookup mwu priority 107
ip -4 rule add from all lookup icvpn priority 107
ip -6 rule add from all lookup mwu priority 107
ip -6 rule add from all lookup icvpn priority 107

exit 0
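Review bot: `{{ mesh.ipv4_network | ipaddr('network') }}/16` hardcodes a /16 regardless of the prefix length configured in `ipv4_network`, so a mesh of any other size gets rules for the wrong range; use `ipaddr('net')` (network/prefix), as the static-routes script does with the raw value. `ffrl_exit_server.iteritems()` is Python 2 only and raises under a Python 3 Ansible; use `.items()` or `dictsort`. The script has no `set -e`, and with `Type=oneshot` plus `RemainAfterExit=yes` a failed `ip rule add` still leaves the unit `active`, so a half-installed policy (mesh traffic falling through to `main`) goes unnoticed; add `set -e` at the top and let the unit fail.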
@ -0,0 +1,66 @@
#!/bin/sh
#
# {{ ansible_managed }}
#

{% for mesh in meshes %}
# static {{ mesh.site_name }} routes for rt_table mwu
/sbin/ip -4 route add {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}br table mwu
{% for ula in mesh.ipv6_ula %}
/sbin/ip -6 route add {{ ula | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}br table mwu
{% endfor %}
{% for public in mesh.ipv6_public %}
/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}br table mwu
/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(56, magic) | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}br table mwu
{% endfor %}
{% if not loop.last %}

{% endif %}
{% endfor %}

# static blackhole routes for rt_table internet
/sbin/ip -4 route add blackhole 0.0.0.0/8 table internet
/sbin/ip -4 route add blackhole 10.0.0.0/8 table internet
/sbin/ip -4 route add blackhole 100.64.0.0/10 table internet
/sbin/ip -4 route add blackhole 127.0.0.0/8 table internet
/sbin/ip -4 route add blackhole 169.254.0.0/16 table internet
/sbin/ip -4 route add blackhole 172.16.0.0/12 table internet
/sbin/ip -4 route add blackhole 192.0.0.0/24 table internet
/sbin/ip -4 route add blackhole 192.0.2.0/24 table internet
/sbin/ip -4 route add blackhole 192.88.99.0/24 table internet
/sbin/ip -4 route add blackhole 192.168.0.0/16 table internet
/sbin/ip -4 route add blackhole 198.18.0.0/15 table internet
/sbin/ip -4 route add blackhole 198.51.100.0/24 table internet
/sbin/ip -4 route add blackhole 203.0.113.0/24 table internet
/sbin/ip -4 route add blackhole 224.0.0.0/4 table internet
/sbin/ip -4 route add blackhole 240.0.0.0/4 table internet
/sbin/ip -4 route add blackhole 255.255.255.255/32 table internet
/sbin/ip -6 route add blackhole fec0::/10 table internet
/sbin/ip -6 route add blackhole fc00::/7 table internet
/sbin/ip -6 route add blackhole ff00::/8 table internet
/sbin/ip -6 route add blackhole ::/96 table internet
/sbin/ip -6 route add blackhole 0:0:0:0:0:ffff::/96 table internet

# static blackhole routes for rt_table main
/sbin/ip -4 route add blackhole 0.0.0.0/8 table main
/sbin/ip -4 route add blackhole 10.0.0.0/8 table main
/sbin/ip -4 route add blackhole 100.64.0.0/10 table main
/sbin/ip -4 route add blackhole 127.0.0.0/8 table main
/sbin/ip -4 route add blackhole 169.254.0.0/16 table main
/sbin/ip -4 route add blackhole 172.16.0.0/12 table main
/sbin/ip -4 route add blackhole 192.0.0.0/24 table main
/sbin/ip -4 route add blackhole 192.0.2.0/24 table main
/sbin/ip -4 route add blackhole 192.88.99.0/24 table main
/sbin/ip -4 route add blackhole 192.168.0.0/16 table main
/sbin/ip -4 route add blackhole 198.18.0.0/15 table main
/sbin/ip -4 route add blackhole 198.51.100.0/24 table main
/sbin/ip -4 route add blackhole 203.0.113.0/24 table main
/sbin/ip -4 route add blackhole 224.0.0.0/4 table main
/sbin/ip -4 route add blackhole 240.0.0.0/4 table main
/sbin/ip -4 route add blackhole 255.255.255.255/32 table main
/sbin/ip -6 route add blackhole fec0::/10 table main
/sbin/ip -6 route add blackhole fc00::/7 table main
/sbin/ip -6 route add blackhole ff00::/8 table main
/sbin/ip -6 route add blackhole ::/96 table main
/sbin/ip -6 route add blackhole 0:0:0:0:0:ffff::/96 table main
/sbin/ip -6 route add blackhole ::/0 table main
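Review bot: `/sbin/ip -6 route add blackhole ::/0 table main` has no IPv4 counterpart and, depending on metric, either fails with `File exists` against the uplink's own IPv6 default route in `main` or shadows it; state the intent (forcing the host's own IPv6 traffic through the priority-107 policy lookups) in the comment and make sure the uplink default route carries a metric that wins. The blackhole lists for `internet` and `main` are duplicated verbatim; loop over one list with `{% for table in ['internet', 'main'] %}` so the two cannot diverge. Like the ip-rules script, this one needs `set -e`, otherwise a failed `route add` is invisible behind `RemainAfterExit=yes`.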
82
roles/network-routing/templates/ffmwu-del-ip-rules.sh.j2
Normal file
@ -0,0 +1,82 @@
#!/bin/sh
#
# {{ ansible_managed }}
#

# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
{% for mesh in meshes %}
ip -4 rule del from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
ip -4 rule del to {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
ip -4 rule del from all oif {{ mesh.id }}br lookup mwu priority 7
{% for ula in mesh.ipv6_ula %}
ip -6 rule del from {{ ula }} lookup mwu priority 7
ip -6 rule del to {{ ula }} lookup mwu priority 7
{% endfor %}
{% for public in mesh.ipv6_public %}
ip -6 rule del from {{ public }} lookup mwu priority 7
ip -6 rule del to {{ public }} lookup mwu priority 7
{% endfor %}
ip -6 rule del from all oif {{ mesh.id }}br lookup mwu priority 7
{% endfor %}

# Priority 23 - lookup rt_table icvpn for all incoming traffic of freifunk bridges
{% for mesh in meshes %}
ip -4 rule del from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23
ip -4 rule del to {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23
ip -4 rule del from all oif {{ mesh.id }}br lookup icvpn priority 23
{% for ula in mesh.ipv6_ula %}
ip -6 rule del from {{ ula }} lookup icvpn priority 23
ip -6 rule del to {{ ula }} lookup icvpn priority 23
{% endfor %}
{% for public in mesh.ipv6_public %}
ip -6 rule del from {{ public }} lookup icvpn priority 23
ip -6 rule del to {{ public }} lookup icvpn priority 23
{% endfor %}
ip -6 rule del from all oif {{ mesh.id }}br lookup icvpn priority 23
{% endfor %}
ip -4 rule del from all oif icvpn lookup icvpn priority 23
ip -6 rule del from all oif icvpn lookup icvpn priority 23

# Priority 41 - lookup rt_table internet for all incoming traffic of freifunk bridges
{% for mesh in meshes %}
ip -4 rule del from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup internet priority 41
{% for ula in mesh.ipv6_ula %}
ip -6 rule del from {{ ula }} lookup internet priority 41
ip -6 rule del to {{ ula }} lookup internet priority 41
{% endfor %}
{% for public in mesh.ipv6_public %}
ip -6 rule del from {{ public }} lookup internet priority 41
ip -6 rule del to {{ public }} lookup internet priority 41
{% endfor %}
ip -6 rule del from all oif {{ mesh.id }}br lookup internet priority 41
{% endfor %}
ip -4 rule del from {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41
ip -4 rule del to {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41

# Priority 61 - at this point this is the end of policy routing for freifunk related routes
{% for mesh in meshes %}
ip -4 rule del from all iif {{ mesh.id }}br type unreachable priority 61
ip -6 rule del from all iif {{ mesh.id }}br type unreachable priority 61
{% endfor %}
ip -4 rule del from all iif icvpn type unreachable priority 61
ip -4 rule del from all iif {{ ansible_default_ipv4.interface }} type unreachable priority 61
{% for server_id, server_value in ffrl_exit_server.iteritems() %}
ip -4 rule del from all iif {{ server_id }} type unreachable priority 61
ip -6 rule del from all iif {{ server_id }} type unreachable priority 61
{% endfor %}
ip -6 rule del from all iif icvpn type unreachable priority 61
ip -6 rule del from all iif {{ ansible_default_ipv6.interface }} type unreachable priority 61
{% for mesh in meshes %}
{% for public in mesh.ipv6_public %}
ip -6 rule del from {{ public }} type unreachable priority 61
ip -6 rule del to {{ public }} type unreachable priority 61
{% endfor %}
{% endfor %}

# Priority 107 - lookup policies for the gateway host self originating traffic
ip -4 rule del from all lookup mwu priority 107
ip -4 rule del from all lookup icvpn priority 107
ip -6 rule del from all lookup mwu priority 107
ip -6 rule del from all lookup icvpn priority 107

exit 0
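Review bot: this is the add script copied line for line with `add` replaced by `del`, including the hardcoded `/16` and the Python-2-only `iteritems()`; render both scripts from one template parameterised on the verb (or loop over a single list of rule selectors) so the stop path cannot drift from the start path. Keep in mind that `ip rule del` with a selector and priority removes one matching rule, so if the add script is ever run twice (for example by hand after a partial failure) the duplicates survive `ExecStop`.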
@ -0,0 +1,66 @@
#!/bin/sh
#
# {{ ansible_managed }}
#

{% for mesh in meshes %}
# static {{ mesh.site_name }} routes for rt_table mwu
/sbin/ip -4 route del {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}br table mwu
{% for ula in mesh.ipv6_ula %}
/sbin/ip -6 route del {{ ula | ipaddr('net') | ipsubnet(64, 0) }} proto static dev {{ mesh.id }}br table mwu
{% endfor %}
{% for public in mesh.ipv6_public %}
/sbin/ip -6 route del {{ public | ipaddr('net') | ipsubnet(64, 0) }} proto static dev {{ mesh.id }}br table mwu
/sbin/ip -6 route del {{ public | ipaddr('net') | ipsubnet(64, magic) }} proto static dev {{ mesh.id }}br table mwu
{% endfor %}
{% if not loop.last %}

{% endif %}
{% endfor %}

# static blackhole routes for rt_table internet
/sbin/ip -4 route del blackhole 0.0.0.0/8 table internet
/sbin/ip -4 route del blackhole 10.0.0.0/8 table internet
/sbin/ip -4 route del blackhole 100.64.0.0/10 table internet
/sbin/ip -4 route del blackhole 127.0.0.0/8 table internet
/sbin/ip -4 route del blackhole 169.254.0.0/16 table internet
/sbin/ip -4 route del blackhole 172.16.0.0/12 table internet
/sbin/ip -4 route del blackhole 192.0.0.0/24 table internet
/sbin/ip -4 route del blackhole 192.0.2.0/24 table internet
/sbin/ip -4 route del blackhole 192.88.99.0/24 table internet
/sbin/ip -4 route del blackhole 192.168.0.0/16 table internet
/sbin/ip -4 route del blackhole 198.18.0.0/15 table internet
/sbin/ip -4 route del blackhole 198.51.100.0/24 table internet
/sbin/ip -4 route del blackhole 203.0.113.0/24 table internet
/sbin/ip -4 route del blackhole 224.0.0.0/4 table internet
/sbin/ip -4 route del blackhole 240.0.0.0/4 table internet
/sbin/ip -4 route del blackhole 255.255.255.255/32 table internet
/sbin/ip -6 route del blackhole fec0::/10 table internet
/sbin/ip -6 route del blackhole fc00::/7 table internet
/sbin/ip -6 route del blackhole ff00::/8 table internet
/sbin/ip -6 route del blackhole ::/96 table internet
/sbin/ip -6 route del blackhole 0:0:0:0:0:ffff::/96 table internet

# static blackhole routes for rt_table main
/sbin/ip -4 route del blackhole 0.0.0.0/8 table main
/sbin/ip -4 route del blackhole 10.0.0.0/8 table main
/sbin/ip -4 route del blackhole 100.64.0.0/10 table main
/sbin/ip -4 route del blackhole 127.0.0.0/8 table main
/sbin/ip -4 route del blackhole 169.254.0.0/16 table main
/sbin/ip -4 route del blackhole 172.16.0.0/12 table main
/sbin/ip -4 route del blackhole 192.0.0.0/24 table main
/sbin/ip -4 route del blackhole 192.0.2.0/24 table main
/sbin/ip -4 route del blackhole 192.88.99.0/24 table main
/sbin/ip -4 route del blackhole 192.168.0.0/16 table main
/sbin/ip -4 route del blackhole 198.18.0.0/15 table main
/sbin/ip -4 route del blackhole 198.51.100.0/24 table main
/sbin/ip -4 route del blackhole 203.0.113.0/24 table main
/sbin/ip -4 route del blackhole 224.0.0.0/4 table main
/sbin/ip -4 route del blackhole 240.0.0.0/4 table main
/sbin/ip -4 route del blackhole 255.255.255.255/32 table main
/sbin/ip -6 route del blackhole fec0::/10 table main
/sbin/ip -6 route del blackhole fc00::/7 table main
/sbin/ip -6 route del blackhole ff00::/8 table main
/sbin/ip -6 route del blackhole ::/96 table main
/sbin/ip -6 route del blackhole 0:0:0:0:0:ffff::/96 table main
/sbin/ip -6 route del blackhole ::/0 table main
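Review bot: the per-gateway public route is deleted here as `public | ipaddr('net') | ipsubnet(64, magic)` (the magic-th /64 of the /48), but the add script installs `ipsubnet(56, magic) | ipsubnet(64, 0)` (first /64 of the magic-th /56); for any `magic` other than 0 these are different prefixes, so `ExecStop` tries to delete a route that does not exist and leaves the installed one behind. Generate add and del from the same expression list so they cannot disagree, which also fixes the cosmetic difference of `ipaddr('subnet')` being applied in one script and not the other.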
12
roles/network-routing/templates/ffmwu-ip-rules.service.j2
Normal file
@ -0,0 +1,12 @@
[Unit]
Description=Manage Freifunk MWU IP rules
After=network-online.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/bin/ffmwu-add-ip-rules.sh
ExecStop=/usr/local/bin/ffmwu-del-ip-rules.sh

[Install]
WantedBy=multi-user.target
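Review bot: `After=network-online.target` on its own does not pull the target into the transaction, so on a host where nothing else wants it the ordering is meaningless; add `Wants=network-online.target`. The rules reference `xxbr`, `icvpn` and the ffrl tunnel interfaces via `oif`/`iif`, and `ip rule add` fails for a device that does not exist yet, so this unit also needs `After=networking.service` like the static-routes unit has.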
@ -0,0 +1,12 @@
[Unit]
Description=Manage Freifunk MWU static routes
After=network-online.target networking.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/bin/ffmwu-add-static-routes.sh
ExecStop=/usr/local/bin/ffmwu-del-static-routes.sh

[Install]
WantedBy=multi-user.target
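Review bot: same missing `Wants=network-online.target` as in the ip-rules unit. The two units have no ordering relative to each other, so at boot the `mwu` routes may be installed before the rules that select that table or vice versa; add `After=ffmwu-ip-rules.service` here (or `Before=` on the rules unit) so the sequence is deterministic and the priority-61 unreachable rules never sit in front of an empty table longer than necessary.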
14
roles/network-routing/vars/main.yml
Normal file
@ -0,0 +1,14 @@
---
sysctl_settings_routing:
- name: net.ipv4.ip_forward
value: 1
- name: net.ipv4.conf.default.rp_filter
value: 0
- name: net.ipv4.conf.all.rp_filter
value: 0
- name: net.ipv6.conf.all.forwarding
value: 1
- name: net.ipv6.conf.all.accept_ra
value: 0
- name: net.ipv6.conf.default.accept_ra
value: 0
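Review bot: `rp_filter = 0` on both `all` and `default` disables reverse-path filtering on every interface. Policy routing with per-table defaults often breaks strict mode, but this removes the kernel's only source-spoofing check, and the iptables rules in this change run with policy ACCEPT, so nothing else catches a mesh client sending with a forged source. Try `rp_filter = 2` (loose mode) first; if the `mwu`/`icvpn`/`internet` lookups still fail it, compensate with `-m rpfilter --invert -j DROP` or explicit `-s <mesh net>` checks on the bridge interfaces in rules.v4/rules.v6.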
@ -21,7 +21,6 @@
with_items: "{{ (pkg_repo_list|default({})).repo_keys | default([]) }}"
loop_control:
loop_var: pkg_item
become: True
# see defaults in with - when: (pkg_repo_list is defined) and (pkg_repo_list.repo_keys is defined)

- name: ensure defined apt repos
@ -33,7 +32,6 @@
with_items: "{{ (pkg_repo_list|default({})).repos | default([]) }}"
loop_control:
loop_var: pkg_item
become: True
# see defaults in with - when: (pkg_repo_list is defined) and (pkg_repo_list.repos is defined)

# see defaults in with - when: pkg_repo_list is defined
@ -48,7 +46,6 @@
with_items: "{{meshing_pkg_pkg_list | default([])}}"
loop_control:
loop_var: mwu_m_item
become: True
# see default in with - when: meshing_pkg_pkg_list is defined

- name: ensure defined python libs
@ -56,7 +53,6 @@
with_items: "{{meshing_pkg_pip_list | default([])}}"
loop_control:
loop_var: mwu_m_item
become: True
# see default in with - when: meshing_pkg_pip_list is defined

when: (really_do is defined) and (really_do)
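Review bot: `when: (really_do is defined) and (really_do)` treats any non-empty string as true, so a value like `really_do=false` passed via `-e` or an inventory string "no" still enables the tasks. `when: really_do | default(false) | bool` covers the undefined case and converts string values the way an operator expects.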
18
roles/prerequisites/README.md
Normal file
@ -0,0 +1,18 @@
# Ansible role prerequisites

Diese Ansible role prüft ob die Voraussetzungen für ein Freifunk Gateway erfüllt sind.

- Forward-DNS Eintrag $FQDN == ausgelesener IPv4-Adresse
- Forward-DNS Eintrag $FQDN == ausgelesener IPv6-Adresse
- CNAME Eintrag gate$magic.freifunk-mwu.de == $FQDN
- CNAME Eintrag icvpn$magic.freifunk-mwu.de == $FQDN
- Linux Distribution == Debian
- Debian Version == 9

## Benötigte Variablen

Die folgenden Variablen werden über einen DNS Lookup gesetzt:
- Variable `dns_host_ipv4_address` (Rollen-Variable)
- Variable `dns_host_ipv6_address` (Rollen-Variable)
- Variable `dns_gate_num_cname` (Rollen-Variable)
- Variable `dns_gate_icvpn_cname` (Rollen-Variable)
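Review bot: the "Benötigte Variablen" (required variables) section lists only the four `dns_*` values that the role computes itself from DNS lookups; the inputs an operator actually has to provide, `magic` and `http_domain_external` (used in roles/prerequisites/vars/main.yml to build the gate and icvpn names), are not mentioned. Document those two as the required inputs and mark the `dns_*` variables as derived. The README is also German while the task names in the same role are English; one language across the role docs would be easier to maintain.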
15
roles/prerequisites/tasks/main.yml
Executable file
@ -0,0 +1,15 @@
---

- name: Check DNS entries and target distribution
assert:
that:
- "dns_host_ipv4_address in ansible_all_ipv4_addresses"
- "dns_host_ipv6_address in ansible_all_ipv6_addresses"
- "dns_gate_num_cname == inventory_hostname"
- "dns_gate_icvpn_cname == inventory_hostname"
- "ansible_distribution == 'Debian'"
- "ansible_distribution_major_version == '9'"

- name: Test root access for admin account
command: "true"
changed_when: False
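Review bot: "Test root access for admin account" runs `command: "true"` without `become:` on the task, so it only proves root access when privilege escalation happens to be on at play level; under a play without become it passes trivially. Set `become: True` on this task explicitly so the check means the same thing in every playbook (`changed_when: False` is right). In the assert, `dns_host_ipv4_address in ansible_all_ipv4_addresses` only works when the name has a single A (or AAAA) record: with several records the lookup returns them joined by commas, which is never an element of the facts list. A `fail_msg` that prints the looked-up value would make that failure readable.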
8
roles/prerequisites/vars/main.yml
Normal file
@ -0,0 +1,8 @@
---
dns_gate_num: "gate{{ magic }}.{{ http_domain_external }}"
dns_gate_icvpn: "icvpn{{ magic }}.{{ http_domain_external }}"

dns_host_ipv4_address: "{{ lookup('dig', inventory_hostname, 'qtype=A') }}"
dns_host_ipv6_address: "{{ lookup('dig', inventory_hostname, 'qtype=AAAA') }}"
dns_gate_num_cname: "{{ lookup('dig', dns_gate_num, 'qtype=CNAME') | regex_replace('\\.$') }}"
dns_gate_icvpn_cname: "{{ lookup('dig', dns_gate_icvpn, 'qtype=CNAME') | regex_replace('\\.$') }}"
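Review bot: these `dig` lookups run on the control node, so the role verifies what the controller's resolver sees, not what the gateway itself resolves; acceptable for a prerequisite check, but worth a comment in the file. When the name does not exist the lookup returns the string `NXDOMAIN` instead of failing, and a name that exists but has no CNAME yields an empty string, so the assert in tasks/main.yml then compares that with `inventory_hostname` and fails without saying why. A guard such as `- "dns_gate_num_cname != 'NXDOMAIN'"` in the assert, or a `fail_msg` that prints the looked-up values, makes the failure self-explaining.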
13
roles/server-apt-repos/README.md
Normal file
@ -0,0 +1,13 @@
# Ansible role server-apt-repos

Diese Ansible role konfiguriert zusätzliche APT Repositories.

- installiert Freifunk MWU Debian APT PGP Key
- konfiguriert APT Repositories aus der Liste `repos`

## Benötigte Variablen

- Liste `repos` (Rollen Variable)
- `name`: String == Name der Konfigurationsdatei unter /etc/apt/sources.list.d
- `repo`: String
- `update_cache`: yes|no
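Review bot: "installiert Freifunk MWU Debian APT PGP Key" does not say which key or where it comes from; the README should name the key's full fingerprint and its source so an operator can verify what the role trusts for package installation, which is the one detail of this role that matters for security. The variable list also presents `repos` as something the caller provides, while the role defines it in vars/main.yml where inventory values cannot override it; say that it is fixed, or move it to defaults/.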
22
roles/server-apt-repos/tasks/main.yml
Normal file
@ -0,0 +1,22 @@
---
- name: ensure dirmngr and apt-transport-https are installed
package:
name: "{{ item }}"
state: present
with_items:
- dirmngr
- apt-transport-https

- name: ensure apt key for freifunk-mwu is present
apt_key:
state: present
id: 83A70084
url: "http://repo.freifunk-mwu.de/83A70084.gpg.key"

- name: ensure needed apt repos are present
apt_repository:
state: present
repo: "{{ item.repo }}"
update_cache: "{{ item.update_cache }}"
filename: "{{ item.name }}"
with_items: "{{ repos }}"
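Review bot: the apt key is fetched over plain `http://repo.freifunk-mwu.de/83A70084.gpg.key` and checked only against the 32-bit short ID `83A70084`; anyone on the path can serve a different key, and short key IDs are cheap to collide, so the `id:` check pins nothing. Ship the key in the role's files/ directory and pass it with `apt_key`'s `file` (or `data`) parameter, or at least fetch it over https and put the full 40-character fingerprint in `id:`. The same hunk installs apt-transport-https, but the repository lines in vars/main.yml still use http, so the package currently buys nothing. Minor: `package` (and `apt`) accept a list in `name`, so the `with_items` loop over two packages can be a single call.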
8
roles/server-apt-repos/vars/main.yml
Normal file
@ -0,0 +1,8 @@
---
repos:
- name: freifunk
repo: 'deb http://repo.freifunk-mwu.de/debian stretch main'
update_cache: yes
- name: freifunk
repo: 'deb-src http://repo.freifunk-mwu.de/debian stretch main'
update_cache: yes
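Review bot: `repos` is defined in vars/main.yml, which takes precedence over inventory, group and host variables, so no host can point at a different mirror or drop the deb-src line; defaults/main.yml is the place for a list the README presents as configurable. Both entries have `update_cache: yes`, which runs the cache update twice in a row; set it on the last entry only. Both entries share `name: freifunk`, which is fine (apt_repository appends to the same sources file) but worth a comment so nobody "fixes" it. The URLs are plain http even though tasks/main.yml installs apt-transport-https.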
14
roles/server-basic/README.md
Normal file
@ -0,0 +1,14 @@
# Ansible role server-basic

Diese Ansible role installiert Pakete, die auf allen MWU-Server benötigt werden.

- installiert Pakete, die auf allen Servern benötigt werden
- setzt vim als default Editor
- setzt die Zeitzone auf Europe/Berlin
- generiert und setzt default locale
- konfiguriert das dummy Kernel Modul

## Benötigte Variablen

- Liste `packages` (Rollen Variable)
- Variable `default_locale` (Rollen-Variable)
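Review bot: the first bullet repeats the sentence above it word for word; either drop the bullet or make it say which packages (or where the `packages` list lives). "konfiguriert das dummy Kernel Modul" should say what is configured (a module option, a module-load entry) since that is the only item that touches the kernel.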