authorNiklas Yann Wettengel <niyawe@niyawe.de>2022-01-22 23:18:36 +0100
committerNiklas Yann Wettengel <niyawe@niyawe.de>2022-01-22 23:18:36 +0100
commit4d3268b80b55e227a1a89515842cbaaa8a13d788 (patch)
treee7b85a5214614c5dcb7c999f56c0b369011b50d3
parentfb0dbf28a0e7979050858256d2040d734b282afe (diff)
loppermann1
-rw-r--r--host_vars/ff-loppermann168
-rw-r--r--inventory.ini1
-rw-r--r--roles/configure_iptables/templates/iptables.rules2
-rwxr-xr-xroles/configure_static_routes/files/ffmyk-iproute.sh1
-rw-r--r--roles/install_babeld/templates/babeld.conf.j27
-rw-r--r--roles/install_bind/templates/named.conf.j24
-rw-r--r--roles/install_mesh-announce/tasks/main.yml4
-rw-r--r--roles/install_tayga/tasks/main.yml5
-rw-r--r--roles/install_tayga/templates/systemd_override.conf.j24
-rw-r--r--roles/setup_ffrl_tunnel/templates/bird.conf24
-rw-r--r--roles/setup_ffrl_tunnel/templates/netctl4
11 files changed, 120 insertions, 4 deletions
diff --git a/host_vars/ff-loppermann1 b/host_vars/ff-loppermann1
new file mode 100644
index 0000000..4cc245d
--- /dev/null
+++ b/host_vars/ff-loppermann1
@@ -0,0 +1,68 @@
+---
+ansible_host: 2a01:4f8:140:1242:ff::2
+sites: []
+wireguard_bb_name: 'loppermann1'
+wireguard_bb_endpoint: '{{ ansible_host }}'
+wireguard_bb_priv_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 34643662623262646365326237626237313962663465366263386362353630633765363239333831
+ 3632336333633862643737333864623666353935353166620a386462373161383266616633633837
+ 33613761303136623264346435376664356235346633656531343564333334303266666462613665
+ 3063333638323862360a653738306563393434376532313434633162666133343962313066616432
+ 64356233663838353838326230613839663933666663393330303535653638343861656363326632
+ 3539623766663136323061633562643365636162633134396361
+wireguard_bb_pub_key: 'im56pv9JwwveDDkk8aA++0bgHjuUvUzaun4qFAZFrVc='
+wireguard_bb_ipv4: '10.222.0.16'
+wireguard_bb_ipv6: 'fe80::ffbb:ffbb:16'
+wireguard_bb_port: 10116
+wireguard_vpn_port: 10010
+wireguard_vpn_priv_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 37333837366636343138326138623361656462653861633566643831306139383964643839393234
+ 3535393434653761643831663063386635323038343337340a336637633233623333316231346165
+ 64643161663061356466616662336332373738306331386636373761623361343032663832663139
+ 6465343666663861630a356231633764363030356230636631663333356665396462623862643863
+ 66306461316633393065343063316633373530623163356530353031393132353964326238383137
+ 3835373735333537396539353735326539633930393564376464
+wireguard_vpn_address: 'fe80::d3:16ff:fee5:6239'
+wireguard_vpn_client_range: '2a03:2260:1016:3000::/52'
+tayga_ipv4: 10.3.0.1
+tayga_pool: 10.3.0.0/16
+ffrl_router_id: 10.222.0.16
+ffrl_peers:
+ - name: 'bbaakber'
+ remote: '185.66.195.0'
+ ip4: '100.64.10.232'
+ peer_ip4: '100.64.10.233'
+ ip6: '2a03:2260:0:58b::2'
+ peer_ip6: '2a03:2260:0:58b::1'
+ - name: 'bbafra2fra'
+ remote: '185.66.194.0'
+ ip4: '100.64.10.234'
+ peer_ip4: '100.64.10.235'
+ ip6: '2a03:2260:0:58c::2'
+ peer_ip6: '2a03:2260:0:58c::1'
+ - name: 'bbaixdus'
+ remote: '185.66.193.0'
+ ip4: '100.64.10.236'
+ peer_ip4: '100.64.10.237'
+ ip6: '2a03:2260:0:58d::2'
+ peer_ip6: '2a03:2260:0:58d::1'
+ - name: 'bbbakber'
+ remote: '185.66.195.1'
+ ip4: '100.64.10.238'
+ peer_ip4: '100.64.10.239'
+ ip6: '2a03:2260:0:58e::2'
+ peer_ip6: '2a03:2260:0:58e::1'
+ - name: 'bbbfra2fra'
+ remote: '185.66.194.1'
+ ip4: '100.64.10.240'
+ peer_ip4: '100.64.10.241'
+ ip6: '2a03:2260:0:58f::2'
+ peer_ip6: '2a03:2260:0:58f::1'
+ - name: 'bbbixdus'
+ remote: '185.66.193.1'
+ ip4: '100.64.10.242'
+ peer_ip4: '100.64.10.243'
+ ip6: '2a03:2260:0:590::2'
+ peer_ip6: '2a03:2260:0:590::1'
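Review bot: `ffrl_router_id: 10.222.0.16` repeats the value already given as `wireguard_bb_ipv4` in the same file, so the two can silently drift apart on the next copy of this host file; if they are meant to stay equal, `ffrl_router_id: '{{ wireguard_bb_ipv4 }}'` states that once. `tayga_pool: 10.3.0.0/16` is likewise mirrored by a hand-added rule in the static `ffmyk-iproute.sh` touched by this commit, so a future pool change has to be made in two places; a comment next to it such as `# keep in sync with roles/configure_static_routes/files/ffmyk-iproute.sh` at least makes the coupling visible. The split of vaulted private keys versus clear-text public keys and endpoints looks right.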
diff --git a/inventory.ini b/inventory.ini
index 9938d43..8ed0e39 100644
--- a/inventory.ini
+++ b/inventory.ini
@@ -1,3 +1,4 @@
[fastd]
ff-niyawe1
ff-niyawe2
+ff-loppermann1
diff --git a/roles/configure_iptables/templates/iptables.rules b/roles/configure_iptables/templates/iptables.rules
index c3d84dc..0a4bfd0 100644
--- a/roles/configure_iptables/templates/iptables.rules
+++ b/roles/configure_iptables/templates/iptables.rules
@@ -74,7 +74,9 @@ COMMIT
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
+{% if ffrl_ip4 is defined %}
{% for peer in ffrl_peers %}
-A POSTROUTING ! -s {{ ffrl_ip4 }} -o {{ peer.name }} -j SNAT --to-source {{ ffrl_ip4 }}
{% endfor %}
+{% endif %}
COMMIT
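Review bot: With the SNAT rule now guarded by `{% if ffrl_ip4 is defined %}`, a host that has `ffrl_peers` but no `ffrl_ip4` (the new loppermann1 host is exactly that) forwards IPv4 toward the tunnel interfaces with its private 10/8 source unchanged; that is only safe as long as no IPv4 route other than the /31 link nets points out of those interfaces, which the bird change in this commit presumably guarantees but nothing here enforces. If that leak matters, a matching `-A FORWARD -s 10.0.0.0/8 -o {{ peer.name }} -j DROP` under the same condition belongs in the filter section, which is outside this hunk. The inner `{% for peer in ffrl_peers %}` still assumes `ffrl_peers` is defined on every host, as it did before the change.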
diff --git a/roles/configure_static_routes/files/ffmyk-iproute.sh b/roles/configure_static_routes/files/ffmyk-iproute.sh
index 83cb5aa..0e1fe06 100755
--- a/roles/configure_static_routes/files/ffmyk-iproute.sh
+++ b/roles/configure_static_routes/files/ffmyk-iproute.sh
@@ -7,6 +7,7 @@ ip -6 rule add iif nat64 table ffmyk priority 10
ip -4 rule add to 10.1.0.0/16 table ffmyk priority 10
ip -4 rule add to 10.2.0.0/16 table ffmyk priority 10
+ip -4 rule add to 10.3.0.0/16 table ffmyk priority 10
#Alles mit Freifunk-IP - woher auch immer - gehört zu Tabelle ffmyk
ip -4 rule add to 10.222.1.0/24 table ffmyk priority 10
ip -4 rule add to 10.222.2.0/23 table ffmyk priority 10
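Review bot: The new `ip -4 rule add to 10.3.0.0/16 table ffmyk priority 10` hard-codes a per-host value (`tayga_pool` from host_vars) into a file that is shipped unchanged to every host, next to the existing 10.1 and 10.2 rules, so each additional NAT64 host needs a manual edit here that nothing checks. Rendering this script from a template that loops over a group-level list of tayga pools (or over `hostvars`) would keep the policy-routing rules in step with the host variables. Collapsing the three rules into one `to 10.0.0.0/8` rule would also match the babeld widening in this commit, but that extends the policy routing to the whole 10/8 and should be a deliberate choice rather than a by-product.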
diff --git a/roles/install_babeld/templates/babeld.conf.j2 b/roles/install_babeld/templates/babeld.conf.j2
index c5cdda0..7da5e12 100644
--- a/roles/install_babeld/templates/babeld.conf.j2
+++ b/roles/install_babeld/templates/babeld.conf.j2
@@ -27,19 +27,22 @@ import-table 42
reflect-kernel-metric true
# Filtering rules.
-in ip 10.222.0.0/16 allow
+in ip 10.0.0.0/8 allow
in ip 2a03:2260:1016::/48 allow
in ip 2003:46:e028::/48 allow # finzelberg
in ip fd62:44e1:da::/48 allow
+{% if ffrl_ip4 is defined %}
in deny # ignore default routes on uplinks
+{% endif %}
{% for peer in ffrl_peers %}
redistribute if {{ peer.name }} metric 128
{% endfor %}
# Only redistribute addresses from a given prefix, to avoid redistributing
# all local addresses
-redistribute ip 10.222.0.0/16 allow
+redistribute ip 10.0.0.0/8 allow
redistribute ip 2a03:2260:1016::/48 allow
redistribute ip 64:ff9b::/96 allow
+redistribute ip 2003:46:e028::/48 allow # finzelberg
redistribute ip fd62:44e1:da::/48 allow
redistribute local deny
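Review bot: Wrapping `in deny` in `{% if ffrl_ip4 is defined %}` removes the closing deny entirely on hosts without an FFRL NAT address, and since babeld's implicit `in` policy is allow (as far as I recall from babeld.conf(5)), such hosts then accept every prefix a neighbour announces, not just the default routes the comment talks about. Keeping `in deny` unconditional and adding explicit allows for the defaults only in the non-uplink case, e.g. `in ip 0.0.0.0/0 eq 0 allow` and `in ip ::/0 eq 0 allow` inside `{% if ffrl_ip4 is not defined %}`, keeps the filter closed by default. Widening both `in` and `redistribute` from `10.222.0.0/16` to `10.0.0.0/8` also sits uneasily with the comment "Only redistribute addresses from a given prefix, to avoid redistributing all local addresses"; if the goal is just to carry the 10.1/10.2/10.3 NAT64 pools, listing those prefixes (or `10.0.0.0/8 le 16`) is tighter than the whole 10/8 on both the accept and the redistribute side.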
diff --git a/roles/install_bind/templates/named.conf.j2 b/roles/install_bind/templates/named.conf.j2
index 352c1fa..056a6ea 100644
--- a/roles/install_bind/templates/named.conf.j2
+++ b/roles/install_bind/templates/named.conf.j2
@@ -29,6 +29,10 @@ options {
hostname none;
server-id none;
+ dns64 64:ff9b::/96 {
+ clients { any; };
+ };
+
max-cache-size 1024M;
};
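Review bot: `clients { any; };` turns DNS64 synthesis on for every source the resolver answers at all, so its effective scope is whatever `allow-query`/`allow-recursion` in the surrounding `options {}` block permit, and those lines are outside this hunk. If the resolver is reachable beyond the mesh, scoping the ACL to the prefixes that are actually routed through the NAT64 (for example the `2a03:2260:1016::/48` range this repo uses elsewhere) avoids handing synthesized `64:ff9b::` answers to clients that cannot reach the translator. A comment such as `// 64:ff9b::/96 must match the nat64 route in roles/install_tayga/templates/systemd_override.conf.j2` would also help keep the two in sync.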
diff --git a/roles/install_mesh-announce/tasks/main.yml b/roles/install_mesh-announce/tasks/main.yml
index 50c5175..d4591cf 100644
--- a/roles/install_mesh-announce/tasks/main.yml
+++ b/roles/install_mesh-announce/tasks/main.yml
@@ -6,20 +6,24 @@
- lsb-release
- ethtool
state: present
+ when: sites | length > 0
- name: clone mesh-announce repo
git:
repo: https://github.com/FreifunkMYK/mesh-announce.git
dest: /opt/mesh-announce
+ when: sites | length > 0
- name: create respondd service
template:
src: respondd.service.j2
dest: /etc/systemd/system/respondd.service
mode: 0644
+ when: sites | length > 0
- name: start and enable respondd service
systemd:
name: respondd
state: started
enabled: yes
+ when: sites | length > 0
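Review bot: The same `when: sites | length > 0` is pasted onto four tasks, and it raises an undefined-variable error on any host that does not declare `sites` at all; a `block:` with a single `when: sites | default([]) | length > 0` makes the condition appear once and tolerates hosts that omit the variable. The package-install task at the top of the hunk starts outside it, so the wrapper below only sketches where the existing tasks move to. Since the clone task is being touched anyway, pinning `version:` to a tag or commit of the mesh-announce repo (value to be chosen by the maintainers) would make deployments reproducible instead of tracking the default branch head.
```yaml
- name: install and enable mesh-announce (only on hosts that serve sites)
  when: sites | default([]) | length > 0
  block:
    # … unchanged: package install task (its start lies outside this hunk) …
    - name: clone mesh-announce repo
      git:
        repo: https://github.com/FreifunkMYK/mesh-announce.git
        dest: /opt/mesh-announce
    # … unchanged: respondd service template task and systemd start/enable task …
```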
diff --git a/roles/install_tayga/tasks/main.yml b/roles/install_tayga/tasks/main.yml
index 0f38790..7d4c6a5 100644
--- a/roles/install_tayga/tasks/main.yml
+++ b/roles/install_tayga/tasks/main.yml
@@ -11,6 +11,11 @@
mode: 0644
notify: restart tayga
+- name: create systemd override folder
+ ansible.builtin.file:
+ path: /etc/systemd/system/tayga.service.d
+ state: directory
+
- name: systemd override.conf
template:
src: systemd_override.conf.j2
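Review bot: The new directory task for `/etc/systemd/system/tayga.service.d` sets no `mode:`, while the neighbouring `template` tasks in this role set `mode: 0644` explicitly, so the directory's permissions depend on the controller's umask; `mode: 0755` makes them explicit and consistent with the rest of the role. It also uses the FQCN `ansible.builtin.file` where the surrounding tasks use short names (`template:`); either form works, but the role should pick one. The `systemd override.conf` task at the bottom of the hunk continues outside it.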
diff --git a/roles/install_tayga/templates/systemd_override.conf.j2 b/roles/install_tayga/templates/systemd_override.conf.j2
index a3e7229..fb6ec48 100644
--- a/roles/install_tayga/templates/systemd_override.conf.j2
+++ b/roles/install_tayga/templates/systemd_override.conf.j2
@@ -4,7 +4,7 @@ ExecStartPre=/usr/bin/tayga --mktun --config /etc/tayga.conf
ExecStartPre=/usr/bin/ip link set nat64 up
ExecStartPre=/usr/bin/ip addr replace {{ tayga_ipv4 }}/32 dev nat64
ExecStartPre=/usr/bin/ip addr replace 2a03:2260:1016::64/128 dev nat64
-ExecStartPre=/usr/bin/ip route replace {{ tayga_pool }} dev nat64 table ffmyk
-ExecStartPre=/usr/bin/ip -6 route replace 64:ff9b::/96 dev nat64 table ffmyk
+ExecStartPre=/usr/bin/ip route replace {{ tayga_pool }} dev nat64 proto static table ffmyk
+ExecStartPre=/usr/bin/ip -6 route replace 64:ff9b::/96 dev nat64 proto static table ffmyk
ExecStart=/usr/bin/tayga --nodetach --config /etc/tayga.conf
Restart=always
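Review bot: `proto static` is added to both `ip route replace` lines without recording which consumer keys on the route protocol; given that this commit also has bird (`kernel table 42`) and babeld (`import-table 42`) reading kernel tables, presumably one of them filters on `proto`, but that is not visible here. A comment above the two lines, e.g. `# proto static: <CONSUMER-PLACEHOLDER> selects kernel routes by protocol; keep in sync with <ITS-CONFIG-PLACEHOLDER>` with the placeholders filled in, would stop the flag from being dropped as noise in a later edit. Unit files accept `#` comment lines, so this needs no template change.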
diff --git a/roles/setup_ffrl_tunnel/templates/bird.conf b/roles/setup_ffrl_tunnel/templates/bird.conf
index c609a5b..7e3db92 100644
--- a/roles/setup_ffrl_tunnel/templates/bird.conf
+++ b/roles/setup_ffrl_tunnel/templates/bird.conf
@@ -3,21 +3,31 @@ timeformat protocol iso long;
#log "bird.log" all;
# debug protocols all;
+{% if ffrl_ip4 is defined %}
define ffrl_nat_address = {{ ffrl_ip4 }};
+{% endif %}
define ffmyk_as = 65032; # private AS of ffmyk
define ffrl_as = 201701; # public AS of rheinland
+{% if ffrl_ip4 is defined %}
router id ffrl_nat_address;
+{% else %}
+router id {{ ffrl_router_id }};
+{% endif %}
+{% if ffrl_ip4 is defined %}
ipv4 table ffrl4;
+{% endif %}
ipv6 table ffrl6;
+{% if ffrl_ip4 is defined %}
function is_default4() {
return net ~ [
0.0.0.0/0
];
}
+{% endif %}
function is_default6() {
return net ~ [
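Review bot: The same `{% if ffrl_ip4 is defined %}` guard is inserted thirteen times across this file (this hunk and every later hunk of bird.conf), and in this hunk three guarded blocks (`ffrl_nat_address`, `ipv4 table ffrl4`, `is_default4`) are separated only by single unguarded lines, so moving the IPv4-only definitions next to each other under one guard would cut the repetition and make the "no IPv4 uplink" variant readable as a unit. The `router id` if/else can become one line, `router id {{ ffrl_ip4 | default(ffrl_router_id) }};`, which keeps the fail-fast on hosts that define neither variable. In the last hunk of this file the guard sits inside the `{% for peer in ffrl_peers %}` loop and is re-evaluated per peer; hoisting it out of the loop, or generating the v4 and v6 peer blocks in two loops, is the same simplification. `is_default6()` starts inside this hunk and continues outside it.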
@@ -25,11 +35,13 @@ function is_default6() {
];
}
+{% if ffrl_ip4 is defined %}
function is_ffrl_nat4() {
return net ~ [
{{ ffrl_ip4 }}/32
];
}
+{% endif %}
function is_ffrl_public_nets6() {
return net ~ [
@@ -37,11 +49,13 @@ function is_ffrl_public_nets6() {
];
}
+{% if ffrl_ip4 is defined %}
function is_ffrl_tunnel_nets4() {
return net ~ [
100.64.0.0/10
];
}
+{% endif %}
function is_ffrl_tunnel_nets6() {
return net ~ [
@@ -49,6 +63,7 @@ function is_ffrl_tunnel_nets6() {
];
}
+{% if ffrl_ip4 is defined %}
# BGP Import Filter für Rheinland
filter ebgp_ffrl_import_filter4 {
if is_default4() then accept;
@@ -60,6 +75,7 @@ filter ebgp_ffrl_export_filter4 {
if is_ffrl_nat4() then accept;
reject;
}
+{% endif %}
filter ebgp_ffrl_import_filter6 {
if is_default6() then accept;
@@ -75,11 +91,13 @@ protocol device {
scan time 10;
}
+{% if ffrl_ip4 is defined %}
# IP-NAT-Adresse legen wir in die interne BIRD Routing Table
protocol static ffrl_uplink_hostroute4 {
ipv4 { table ffrl4; };
route {{ ffrl_ip4 }}/32 reject;
}
+{% endif %}
protocol static ffrl_public_routes6 {
ipv6 { table ffrl6; };
@@ -95,6 +113,7 @@ protocol static ffrl_public_routes6 {
# import where is_ffrl_tunnel_nets4();
#}
+{% if ffrl_ip4 is defined %}
# Wir exportieren über Rheinland gelernte Routen in die Kernel Table 47 (ffrl)
protocol kernel kernel_ffrl4 {
scan time 30;
@@ -108,6 +127,7 @@ protocol kernel kernel_ffrl4 {
};
kernel table 42;
};
+{% endif %}
protocol kernel kernel_ffrl6 {
scan time 30;
@@ -122,6 +142,7 @@ protocol kernel kernel_ffrl6 {
kernel table 42;
};
+{% if ffrl_ip4 is defined %}
# BGP Template für Rheinland Peerings
template bgp ffrl_uplink4 {
local as ffmyk_as;
@@ -134,6 +155,7 @@ template bgp ffrl_uplink4 {
};
direct;
};
+{% endif %}
template bgp ffrl_uplink6 {
local as ffmyk_as;
@@ -148,10 +170,12 @@ template bgp ffrl_uplink6 {
};
{% for peer in ffrl_peers %}
+{% if ffrl_ip4 is defined %}
protocol bgp ffrl_{{ peer.name }}4 from ffrl_uplink4 {
source address {{ peer.ip4 }};
neighbor {{ peer.peer_ip4 }} as 201701;
};
+{% endif %}
protocol bgp ffrl_{{ peer.name }}6 from ffrl_uplink6 {
source address {{ peer.ip6 }};
diff --git a/roles/setup_ffrl_tunnel/templates/netctl b/roles/setup_ffrl_tunnel/templates/netctl
index 98e8af4..65bbd7c 100644
--- a/roles/setup_ffrl_tunnel/templates/netctl
+++ b/roles/setup_ffrl_tunnel/templates/netctl
@@ -8,7 +8,11 @@ Remote={{ item.remote }}
ExecUpPost="/usr/bin/ip link set dev {{ item.name }} mtu 1400; /usr/bin/ip tunnel change {{ item.name }} ttl 64"
IP=static
+{% if ffrl_ip4 is defined %}
Address=('{{ item.ip4 }}/31' '{{ ffrl_ip4 }}/32')
+{% else %}
+Address=('{{ item.ip4 }}/31')
+{% endif %}
IP6=static
Address6=('{{ item.ip6 }}/64')