diff options
| author | Niklas Yann Wettengel <niyawe@niyawe.de> | 2022-01-22 23:18:36 +0100 |
|---|---|---|
| committer | Niklas Yann Wettengel <niyawe@niyawe.de> | 2022-01-22 23:18:36 +0100 |
| commit | 4d3268b80b55e227a1a89515842cbaaa8a13d788 (patch) | |
| tree | e7b85a5214614c5dcb7c999f56c0b369011b50d3 | |
| parent | fb0dbf28a0e7979050858256d2040d734b282afe (diff) | |
loppermann1
| -rw-r--r-- | host_vars/ff-loppermann1 | 68 | ||||
| -rw-r--r-- | inventory.ini | 1 | ||||
| -rw-r--r-- | roles/configure_iptables/templates/iptables.rules | 2 | ||||
| -rwxr-xr-x | roles/configure_static_routes/files/ffmyk-iproute.sh | 1 | ||||
| -rw-r--r-- | roles/install_babeld/templates/babeld.conf.j2 | 7 | ||||
| -rw-r--r-- | roles/install_bind/templates/named.conf.j2 | 4 | ||||
| -rw-r--r-- | roles/install_mesh-announce/tasks/main.yml | 4 | ||||
| -rw-r--r-- | roles/install_tayga/tasks/main.yml | 5 | ||||
| -rw-r--r-- | roles/install_tayga/templates/systemd_override.conf.j2 | 4 | ||||
| -rw-r--r-- | roles/setup_ffrl_tunnel/templates/bird.conf | 24 | ||||
| -rw-r--r-- | roles/setup_ffrl_tunnel/templates/netctl | 4 |
11 files changed, 120 insertions, 4 deletions
diff --git a/host_vars/ff-loppermann1 b/host_vars/ff-loppermann1 new file mode 100644 index 0000000..4cc245d --- /dev/null +++ b/host_vars/ff-loppermann1 @@ -0,0 +1,68 @@ +--- +ansible_host: 2a01:4f8:140:1242:ff::2 +sites: [] +wireguard_bb_name: 'loppermann1' +wireguard_bb_endpoint: '{{ ansible_host }}' +wireguard_bb_priv_key: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 34643662623262646365326237626237313962663465366263386362353630633765363239333831 + 3632336333633862643737333864623666353935353166620a386462373161383266616633633837 + 33613761303136623264346435376664356235346633656531343564333334303266666462613665 + 3063333638323862360a653738306563393434376532313434633162666133343962313066616432 + 64356233663838353838326230613839663933666663393330303535653638343861656363326632 + 3539623766663136323061633562643365636162633134396361 +wireguard_bb_pub_key: 'im56pv9JwwveDDkk8aA++0bgHjuUvUzaun4qFAZFrVc=' +wireguard_bb_ipv4: '10.222.0.16' +wireguard_bb_ipv6: 'fe80::ffbb:ffbb:16' +wireguard_bb_port: 10116 +wireguard_vpn_port: 10010 +wireguard_vpn_priv_key: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 37333837366636343138326138623361656462653861633566643831306139383964643839393234 + 3535393434653761643831663063386635323038343337340a336637633233623333316231346165 + 64643161663061356466616662336332373738306331386636373761623361343032663832663139 + 6465343666663861630a356231633764363030356230636631663333356665396462623862643863 + 66306461316633393065343063316633373530623163356530353031393132353964326238383137 + 3835373735333537396539353735326539633930393564376464 +wireguard_vpn_address: 'fe80::d3:16ff:fee5:6239' +wireguard_vpn_client_range: '2a03:2260:1016:3000::/52' +tayga_ipv4: 10.3.0.1 +tayga_pool: 10.3.0.0/16 +ffrl_router_id: 10.222.0.16 +ffrl_peers: + - name: 'bbaakber' + remote: '185.66.195.0' + ip4: '100.64.10.232' + peer_ip4: '100.64.10.233' + ip6: '2a03:2260:0:58b::2' + peer_ip6: '2a03:2260:0:58b::1' + - name: 'bbafra2fra' + remote: '185.66.194.0' + ip4: '100.64.10.234' + peer_ip4: '100.64.10.235' + ip6: '2a03:2260:0:58c::2' + peer_ip6: '2a03:2260:0:58c::1' + - name: 'bbaixdus' + remote: '185.66.193.0' + ip4: '100.64.10.236' + peer_ip4: '100.64.10.237' + ip6: '2a03:2260:0:58d::2' + peer_ip6: '2a03:2260:0:58d::1' + - name: 'bbbakber' + remote: '185.66.195.1' + ip4: '100.64.10.238' + peer_ip4: '100.64.10.239' + ip6: '2a03:2260:0:58e::2' + peer_ip6: '2a03:2260:0:58e::1' + - name: 'bbbfra2fra' + remote: '185.66.194.1' + ip4: '100.64.10.240' + peer_ip4: '100.64.10.241' + ip6: '2a03:2260:0:58f::2' + peer_ip6: '2a03:2260:0:58f::1' + - name: 'bbbixdus' + remote: '185.66.193.1' + ip4: '100.64.10.242' + peer_ip4: '100.64.10.243' + ip6: '2a03:2260:0:590::2' + peer_ip6: '2a03:2260:0:590::1' diff --git a/inventory.ini b/inventory.ini index 9938d43..8ed0e39 100644 --- a/inventory.ini +++ b/inventory.ini @@ -1,3 +1,4 @@ [fastd] ff-niyawe1 ff-niyawe2 +ff-loppermann1 diff --git a/roles/configure_iptables/templates/iptables.rules b/roles/configure_iptables/templates/iptables.rules index c3d84dc..0a4bfd0 100644 --- a/roles/configure_iptables/templates/iptables.rules +++ b/roles/configure_iptables/templates/iptables.rules @@ -74,7 +74,9 @@ COMMIT :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] +{% if ffrl_ip4 is defined %} {% for peer in ffrl_peers %} -A POSTROUTING ! -s {{ ffrl_ip4 }} -o {{ peer.name }} -j SNAT --to-source {{ ffrl_ip4 }} {% endfor %} +{% endif %} COMMIT diff --git a/roles/configure_static_routes/files/ffmyk-iproute.sh b/roles/configure_static_routes/files/ffmyk-iproute.sh index 83cb5aa..0e1fe06 100755 --- a/roles/configure_static_routes/files/ffmyk-iproute.sh +++ b/roles/configure_static_routes/files/ffmyk-iproute.sh @@ -7,6 +7,7 @@ ip -6 rule add iif nat64 table ffmyk priority 10 ip -4 rule add to 10.1.0.0/16 table ffmyk priority 10 ip -4 rule add to 10.2.0.0/16 table ffmyk priority 10 +ip -4 rule add to 10.3.0.0/16 table ffmyk priority 10 #Alles mit Freifunk-IP - woher auch immer - gehört zu Tabelle ffmyk ip -4 rule add to 10.222.1.0/24 table ffmyk priority 10 ip -4 rule add to 10.222.2.0/23 table ffmyk priority 10 diff --git a/roles/install_babeld/templates/babeld.conf.j2 b/roles/install_babeld/templates/babeld.conf.j2 index c5cdda0..7da5e12 100644 --- a/roles/install_babeld/templates/babeld.conf.j2 +++ b/roles/install_babeld/templates/babeld.conf.j2 @@ -27,19 +27,22 @@ import-table 42 reflect-kernel-metric true # Filtering rules. -in ip 10.222.0.0/16 allow +in ip 10.0.0.0/8 allow in ip 2a03:2260:1016::/48 allow in ip 2003:46:e028::/48 allow # finzelberg in ip fd62:44e1:da::/48 allow +{% if ffrl_ip4 is defined %} in deny # ignore default routes on uplinks +{% endif %} {% for peer in ffrl_peers %} redistribute if {{ peer.name }} metric 128 {% endfor %} # Only redistribute addresses from a given prefix, to avoid redistributing # all local addresses -redistribute ip 10.222.0.0/16 allow +redistribute ip 10.0.0.0/8 allow redistribute ip 2a03:2260:1016::/48 allow redistribute ip 64:ff9b::/96 allow +redistribute ip 2003:46:e028::/48 allow # finzelberg redistribute ip fd62:44e1:da::/48 allow redistribute local deny diff --git a/roles/install_bind/templates/named.conf.j2 b/roles/install_bind/templates/named.conf.j2 index 352c1fa..056a6ea 100644 --- a/roles/install_bind/templates/named.conf.j2 +++ b/roles/install_bind/templates/named.conf.j2 @@ -29,6 +29,10 @@ options { hostname none; server-id none; + dns64 64:ff9b::/96 { + clients { any; }; + }; + max-cache-size 1024M; }; diff --git a/roles/install_mesh-announce/tasks/main.yml b/roles/install_mesh-announce/tasks/main.yml index 50c5175..d4591cf 100644 --- a/roles/install_mesh-announce/tasks/main.yml +++ b/roles/install_mesh-announce/tasks/main.yml @@ -6,20 +6,24 @@ - lsb-release - ethtool state: present + when: sites | length > 0 - name: clone mesh-announce repo git: repo: https://github.com/FreifunkMYK/mesh-announce.git dest: /opt/mesh-announce + when: sites | length > 0 - name: create respondd service template: src: respondd.service.j2 dest: /etc/systemd/system/respondd.service mode: 0644 + when: sites | length > 0 - name: start and enable respondd service systemd: name: respondd state: started enabled: yes + when: sites | length > 0 diff --git a/roles/install_tayga/tasks/main.yml b/roles/install_tayga/tasks/main.yml index 0f38790..7d4c6a5 100644 --- a/roles/install_tayga/tasks/main.yml +++ b/roles/install_tayga/tasks/main.yml @@ -11,6 +11,11 @@ mode: 0644 notify: restart tayga +- name: create systemd override folder + ansible.builtin.file: + path: /etc/systemd/system/tayga.service.d + state: directory + - name: systemd override.conf template: src: systemd_override.conf.j2 diff --git a/roles/install_tayga/templates/systemd_override.conf.j2 b/roles/install_tayga/templates/systemd_override.conf.j2 index a3e7229..fb6ec48 100644 --- a/roles/install_tayga/templates/systemd_override.conf.j2 +++ b/roles/install_tayga/templates/systemd_override.conf.j2 @@ -4,7 +4,7 @@ ExecStartPre=/usr/bin/tayga --mktun --config /etc/tayga.conf ExecStartPre=/usr/bin/ip link set nat64 up ExecStartPre=/usr/bin/ip addr replace {{ tayga_ipv4 }}/32 dev nat64 ExecStartPre=/usr/bin/ip addr replace 2a03:2260:1016::64/128 dev nat64 -ExecStartPre=/usr/bin/ip route replace {{ tayga_pool }} dev nat64 table ffmyk -ExecStartPre=/usr/bin/ip -6 route replace 64:ff9b::/96 dev nat64 table ffmyk +ExecStartPre=/usr/bin/ip route replace {{ tayga_pool }} dev nat64 proto static table ffmyk +ExecStartPre=/usr/bin/ip -6 route replace 64:ff9b::/96 dev nat64 proto static table ffmyk ExecStart=/usr/bin/tayga --nodetach --config /etc/tayga.conf Restart=always diff --git a/roles/setup_ffrl_tunnel/templates/bird.conf b/roles/setup_ffrl_tunnel/templates/bird.conf index c609a5b..7e3db92 100644 --- a/roles/setup_ffrl_tunnel/templates/bird.conf +++ b/roles/setup_ffrl_tunnel/templates/bird.conf @@ -3,21 +3,31 @@ timeformat protocol iso long; #log "bird.log" all; # debug protocols all; +{% if ffrl_ip4 is defined %} define ffrl_nat_address = {{ ffrl_ip4 }}; +{% endif %} define ffmyk_as = 65032; # private AS of ffmyk define ffrl_as = 201701; # public AS of rheinland +{% if ffrl_ip4 is defined %} router id ffrl_nat_address; +{% else %} +router id {{ ffrl_router_id }}; +{% endif %} +{% if ffrl_ip4 is defined %} ipv4 table ffrl4; +{% endif %} ipv6 table ffrl6; +{% if ffrl_ip4 is defined %} function is_default4() { return net ~ [ 0.0.0.0/0 ]; } +{% endif %} function is_default6() { return net ~ [ @@ -25,11 +35,13 @@ function is_default6() { ]; } +{% if ffrl_ip4 is defined %} function is_ffrl_nat4() { return net ~ [ {{ ffrl_ip4 }}/32 ]; } +{% endif %} function is_ffrl_public_nets6() { return net ~ [ @@ -37,11 +49,13 @@ function is_ffrl_public_nets6() { ]; } +{% if ffrl_ip4 is defined %} function is_ffrl_tunnel_nets4() { return net ~ [ 100.64.0.0/10 ]; } +{% endif %} function is_ffrl_tunnel_nets6() { return net ~ [ @@ -49,6 +63,7 @@ function is_ffrl_tunnel_nets6() { ]; } +{% if ffrl_ip4 is defined %} # BGP Import Filter für Rheinland filter ebgp_ffrl_import_filter4 { if is_default4() then accept; @@ -60,6 +75,7 @@ filter ebgp_ffrl_export_filter4 { if is_ffrl_nat4() then accept; reject; } +{% endif %} filter ebgp_ffrl_import_filter6 { if is_default6() then accept; @@ -75,11 +91,13 @@ protocol device { scan time 10; } +{% if ffrl_ip4 is defined %} # IP-NAT-Adresse legen wir in die interne BIRD Routing Table protocol static ffrl_uplink_hostroute4 { ipv4 { table ffrl4; }; route {{ ffrl_ip4 }}/32 reject; } +{% endif %} protocol static ffrl_public_routes6 { ipv6 { table ffrl6; }; @@ -95,6 +113,7 @@ protocol static ffrl_public_routes6 { # import where is_ffrl_tunnel_nets4(); #} +{% if ffrl_ip4 is defined %} # Wir exportieren über Rheinland gelernte Routen in die Kernel Table 47 (ffrl) protocol kernel kernel_ffrl4 { scan time 30; @@ -108,6 +127,7 @@ protocol kernel kernel_ffrl4 { }; kernel table 42; }; +{% endif %} protocol kernel kernel_ffrl6 { scan time 30; @@ -122,6 +142,7 @@ protocol kernel kernel_ffrl6 { kernel table 42; }; +{% if ffrl_ip4 is defined %} # BGP Template für Rheinland Peerings template bgp ffrl_uplink4 { local as ffmyk_as; @@ -134,6 +155,7 @@ template bgp ffrl_uplink4 { }; direct; }; +{% endif %} template bgp ffrl_uplink6 { local as ffmyk_as; @@ -148,10 +170,12 @@ template bgp ffrl_uplink6 { }; {% for peer in ffrl_peers %} +{% if ffrl_ip4 is defined %} protocol bgp ffrl_{{ peer.name }}4 from ffrl_uplink4 { source address {{ peer.ip4 }}; neighbor {{ peer.peer_ip4 }} as 201701; }; +{% endif %} protocol bgp ffrl_{{ peer.name }}6 from ffrl_uplink6 { source address {{ peer.ip6 }}; diff --git a/roles/setup_ffrl_tunnel/templates/netctl b/roles/setup_ffrl_tunnel/templates/netctl index 98e8af4..65bbd7c 100644 --- a/roles/setup_ffrl_tunnel/templates/netctl +++ b/roles/setup_ffrl_tunnel/templates/netctl @@ -8,7 +8,11 @@ Remote={{ item.remote }} ExecUpPost="/usr/bin/ip link set dev {{ item.name }} mtu 1400; /usr/bin/ip tunnel change {{ item.name }} ttl 64" IP=static +{% if ffrl_ip4 is defined %} Address=('{{ item.ip4 }}/31' '{{ ffrl_ip4 }}/32') +{% else %} +Address=('{{ item.ip4 }}/31') +{% endif %} IP6=static Address6=('{{ item.ip6 }}/64') |