authorNiklas Yann Wettengel <niyawe@niyawe.de>2019-04-13 01:29:23 +0200
committerNiklas Yann Wettengel <niyawe@niyawe.de>2019-04-13 01:29:23 +0200
commit43ed9c0c883f2532c30b309dd9a6a8316199909b (patch)
tree4bff6aedaa8b72ab9a270ca7960ad1f247c4d526 /roles
parent2befca5ea47dd361d0db44efb0a6d8ce3b011fd7 (diff)
nat64
Diffstat (limited to 'roles')
-rw-r--r--roles/configure_iptables/templates/ip6tables.rules11
-rw-r--r--roles/configure_iptables/templates/iptables.rules7
-rwxr-xr-xroles/configure_static_routes/files/ffmyk-iproute.sh1
-rw-r--r--roles/install_babeld/templates/babeld.conf.j27
-rw-r--r--roles/install_monitoring/files/vnstat37
-rwxr-xr-xroles/install_monitoring/files/vnstat.sh45
-rw-r--r--roles/install_monitoring/tasks/install_vnstat.yml73
-rw-r--r--roles/install_monitoring/tasks/main.yml3
-rw-r--r--roles/install_radvd/templates/radvd.conf.j24
-rw-r--r--roles/install_wireguard_backbone/tasks/main.yml2
-rw-r--r--roles/install_wireguard_backbone/tasks/uplink_tasks.yml29
11 files changed, 52 insertions, 167 deletions
diff --git a/roles/configure_iptables/templates/ip6tables.rules b/roles/configure_iptables/templates/ip6tables.rules
index 8ee9f91..48ede0f 100644
--- a/roles/configure_iptables/templates/ip6tables.rules
+++ b/roles/configure_iptables/templates/ip6tables.rules
@@ -10,7 +10,7 @@
{% endfor %}
{% endif %}
-{% if 'fastd' in group_names %}
+{% if 'fastd' in group_names or 'nat64' in group_names %}
{% for peer in groups['uplink'] %}
-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
{% endfor %}
@@ -19,6 +19,9 @@
{% for peer in groups['fastd'] %}
-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
{% endfor %}
+{% for peer in groups['nat64'] %}
+-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
+{% endfor %}
{% for peer in groups['uplink'] | difference([inventory_hostname]) %}
-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
{% endfor %}
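Review bot: The added loop `{% for peer in groups['nat64'] %}` indexes the inventory group directly, so the template fails to render with an undefined-variable error on any inventory that has no `nat64` group, rather than simply emitting no rules; `{% for peer in groups['nat64'] | default([]) %}` keeps the template usable for partial or staging inventories. The same unguarded access recurs in the next hunk of this file (the INPUT accepts), in the interface loop added to babeld.conf.j2, and in the four `with_items: "{{ groups['nat64'] }}"` tasks added to uplink_tasks.yml, which would each want `groups['nat64'] | default([])`. If every inventory this role runs against is guaranteed to define the group, this is only a robustness nicety, but the existing `groups['fastd']` loops carry the same fragility and it is worth deciding once. The surrounding `{% if %}` block that encloses these loops begins outside the hunk.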
@@ -57,7 +60,7 @@ COMMIT
{% endfor %}
{% endif %}
# wireguard_backbone
-{% if 'fastd' in group_names %}
+{% if 'fastd' in group_names or 'nat64' in group_names %}
{% for peer in groups['uplink'] %}
-A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
-A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT
@@ -68,6 +71,10 @@ COMMIT
-A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
-A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT
{% endfor %}
+{% for peer in groups['nat64'] %}
+-A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
+-A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT
+{% endfor %}
{% for peer in groups['uplink'] | difference([inventory_hostname]) %}
-A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
-A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT
diff --git a/roles/configure_iptables/templates/iptables.rules b/roles/configure_iptables/templates/iptables.rules
index f76fa56..3f0c6a1 100644
--- a/roles/configure_iptables/templates/iptables.rules
+++ b/roles/configure_iptables/templates/iptables.rules
@@ -23,6 +23,11 @@
-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff
{% endfor %}
{% endif %}
+{% if 'nat64' in group_names %}
+{% for peer in groups['uplink'] %}
+-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff
+{% endfor %}
+{% endif %}
COMMIT
*filter
:INPUT DROP [0:0]
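Review bot: The new `{% if 'nat64' in group_names %}` block repeats the body of the block that ends just above it (the `groups['uplink']` MARK loop), whereas ip6tables.rules and babeld.conf.j2 in this same commit handle nat64 by widening the existing condition to `{% if 'fastd' in group_names or 'nat64' in group_names %}`. If the preceding block's condition (outside the hunk) is the plain `'fastd' in group_names` test, folding nat64 into it the same way keeps the two rule files consistent and avoids emitting the PREROUTING mark rules twice for a host that is in both groups. A one-line comment above the block stating what the 0x1 mark is consumed by, e.g. `# mark uplink-peer traffic for the ffmyk policy-routing table`, would also help, since the meaning of the mark is not visible in either rules file.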
@@ -34,8 +39,6 @@ COMMIT
# SSH-Server
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-# nginx
--A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# iperf3
-A INPUT -p tcp -m tcp -s 10.222.0.0/16 --dport 5201 -j ACCEPT
diff --git a/roles/configure_static_routes/files/ffmyk-iproute.sh b/roles/configure_static_routes/files/ffmyk-iproute.sh
index b0ce1a0..831d30d 100755
--- a/roles/configure_static_routes/files/ffmyk-iproute.sh
+++ b/roles/configure_static_routes/files/ffmyk-iproute.sh
@@ -14,4 +14,5 @@ ip -4 rule add to 10.222.64.0/18 table ffmyk priority 10
ip -4 rule add to 10.222.128.0/17 table ffmyk priority 10
ip -6 rule add to 2001:470:cd45:ff00::/56 table ffmyk priority 10
ip -6 rule add to 2a03:2260:1016::/48 table ffmyk priority 10
+ip -6 rule add to 64:ff9b::/96 table ffmyk priority 10
ip -6 rule add to fd62:44e1:da::/48 table ffmyk priority 10
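Review bot: The added rule routes `64:ff9b::/96` via the ffmyk table with no indication of why, while the neighbouring prefixes are at least recognisable as the mesh's own allocations; a comment such as `# 64:ff9b::/96: well-known NAT64 prefix (RFC 6052), reached via the nat64 hosts in the mesh` above the line would let the next reader see that this is translated-IPv4 traffic rather than a mesh prefix. The same prefix already appears in babeld.conf.j2 (`redistribute ip 64:ff9b::/96 allow`), so the two places should probably reference each other in comments. The script's head, including any `set -e`, is outside the hunk.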
diff --git a/roles/install_babeld/templates/babeld.conf.j2 b/roles/install_babeld/templates/babeld.conf.j2
index 98b3acd..3ef7e53 100644
--- a/roles/install_babeld/templates/babeld.conf.j2
+++ b/roles/install_babeld/templates/babeld.conf.j2
@@ -5,7 +5,7 @@
ipv6-subtrees true
# You must provide at least one interface for babeld to operate on.
-{% if 'fastd' in group_names %}
+{% if ('fastd' in group_names) or ('nat64' in group_names) %}
{% for peer in groups['uplink'] %}
interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
{% endfor %}
@@ -14,6 +14,9 @@ interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
{% for peer in groups['fastd'] %}
interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
{% endfor %}
+{% for peer in groups['nat64'] %}
+interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
+{% endfor %}
{% for peer in groups['uplink'] | difference([inventory_hostname]) %}
interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
{% endfor %}
@@ -62,7 +65,7 @@ redistribute ip 64:ff9b::/96 allow
redistribute ip fd62:44e1:da::/48 allow
redistribute local deny
-{% if 'fastd' in group_names and preferred_uplink is defined %}
+{% if ('fastd' in group_names or 'nat64' in group_names) and preferred_uplink is defined %}
{% for peer in groups['uplink'] %}
{% if not hostvars[peer]['wireguard_bb_name'] == preferred_uplink %}
in if bb{{ hostvars[peer]['wireguard_bb_name'] }} metric 64
diff --git a/roles/install_monitoring/files/vnstat b/roles/install_monitoring/files/vnstat
deleted file mode 100644
index cbd2f7c..0000000
--- a/roles/install_monitoring/files/vnstat
+++ /dev/null
@@ -1,37 +0,0 @@
-server {
- listen 80 default_server;
- listen [::]:80 default_server ipv6only=on;
- server_name localhost;
-
- charset UTF-8;
-
- index index.html index.htm;
- root /srv/http/vnstat;
-
- location / {
- try_files $uri $uri/ =404;
- autoindex on;
- }
-
- # redirect server error pages to the static page /50x.html
- #
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root /usr/share/nginx/html;
- }
-
- location /nginx_status {
- stub_status on;
- access_log off;
- allow 127.0.0.1;
- allow ::1;
- deny all;
- }
-
-
- location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|css|js|swf|svg)$ {
- expires 30d;
- # Optional: Don't log access to assets
- access_log off;
- }
-}
diff --git a/roles/install_monitoring/files/vnstat.sh b/roles/install_monitoring/files/vnstat.sh
deleted file mode 100755
index 7ff875c..0000000
--- a/roles/install_monitoring/files/vnstat.sh
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/bin/sh
-set -e
-
-IFACES=$(ls /var/lib/vnstat/)
-
-TARGET=/srv/http/vnstat/
-
-for iface in $IFACES; do
- /usr/bin/vnstati -i ${iface} -h -o ${TARGET}${iface}_hourly.png
- /usr/bin/vnstati -i ${iface} -d -o ${TARGET}${iface}_daily.png
- /usr/bin/vnstati -i ${iface} -m -o ${TARGET}${iface}_monthly.png
- /usr/bin/vnstati -i ${iface} -t -o ${TARGET}${iface}_top10.png
- /usr/bin/vnstati -i ${iface} -s -o ${TARGET}${iface}_summary.png
-done
-
-cat > ${TARGET}index.html <<EOT
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
- "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-
-<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
-<head>
- <titleu1 - Network Traffic</title>
- <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
- <meta http-equiv="Content-Language" content="en" />
-</head>
-
-<body style="white-space: nowrap">
-EOT
-
-
-for iface in $IFACES; do
- sed s/IFACE/${iface}/g >> ${TARGET}index.html <<EOT
- <div style="display:inline-block;vertical-align: top">
- <img src="IFACE_summary.png" alt="traffic summary" /><br>
- <img src="IFACE_monthly.png" alt="traffic per month" /><br>
- <img src="IFACE_hourly.png" alt="traffic per hour" /><br>
- <img src="IFACE_top10.png" alt="traffic top10" /><br>
- <img src="IFACE_daily.png" alt="traffic per day" />
- </div>
-EOT
-
-done
-
-echo "</body></html>" >> ${TARGET}index.html
-
diff --git a/roles/install_monitoring/tasks/install_vnstat.yml b/roles/install_monitoring/tasks/install_vnstat.yml
deleted file mode 100644
index 4027aa6..0000000
--- a/roles/install_monitoring/tasks/install_vnstat.yml
+++ /dev/null
@@ -1,73 +0,0 @@
----
-- name: install vnstat
- pacman:
- name: vnstat
- state: present
-
-- name: start and enable vnstat service
- systemd:
- name: vnstat.service
- enabled: yes
- state: started
-
-- name: add interfaces to vnstat for batman interfaces
- command: /usr/bin/vnstat -u -i bat{{ item.name }}
- args:
- creates: '/var/lib/vnstat/bat{{ item.name }}'
- with_items: "{{ sites }}"
- when: "'fastd' in group_names"
-
-- name: add interfaces to vnstat for uplink interfaces
- command: /usr/bin/vnstat -u -i bb{{ hostvars[item]['wireguard_bb_name'] }}
- args:
- creates: "/var/lib/vnstat/bb{{ hostvars[item]['wireguard_bb_name'] }}"
- with_items:
- - "{{ groups['uplink'] }}"
- when: "'fastd' in group_names"
-
-- name: add interfaces to vnstat for outgoing v4 interface
- command: /usr/bin/vnstat -u -i {{ ansible_default_ipv4.interface }}
- args:
- creates: '/var/lib/vnstat/{{ ansible_default_ipv4.interface }}'
-
-- name: add interfaces to vnstat for outgoing v6 interface
- command: /usr/bin/vnstat -u -i {{ ansible_default_ipv6.interface }}
- args:
- creates: '/var/lib/vnstat/{{ ansible_default_ipv6.interface }}'
-
-- name: add output folder for vnstat graphs
- file:
- path: /srv/http/vnstat
- state: directory
-
-- name: install gd which is needed for graph generation
- pacman:
- name: gd
- state: present
-
-- name: add bash script to generate vnstat graphs
- copy:
- src: vnstat.sh
- dest: /usr/local/bin/vnstat.sh
- mode: 0744
-
-- name: add cronjob to generate vnstat graphs
- cron:
- name: vnstat
- minute: '*/5'
- user: root
- cron_file: vnstat
- job: '/usr/local/bin/vnstat.sh'
-
-- name: add vnstat nginx config
- copy:
- src: vnstat
- dest: /etc/nginx/sites-available/vnstat
- notify: reload nginx
-
-- name: enable vnstat nginx config
- file:
- src: /etc/nginx/sites-available/vnstat
- dest: /etc/nginx/sites-enabled/vnstat
- state: link
- notify: reload nginx
diff --git a/roles/install_monitoring/tasks/main.yml b/roles/install_monitoring/tasks/main.yml
index afb4db9..6600e0c 100644
--- a/roles/install_monitoring/tasks/main.yml
+++ b/roles/install_monitoring/tasks/main.yml
@@ -1,7 +1,4 @@
---
-- name: install vnstat
- import_tasks: install_vnstat.yml
-
- name: install ffmyk-influx
include: install_ffmyk-influx.yml
when: "'fastd' in group_names"
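Review bot: Dropping the `import_tasks: install_vnstat.yml` line stops new hosts from getting vnstat, but Ansible never removes what earlier runs created, so hosts provisioned before this commit keep the `/etc/cron.d/vnstat` job running `/usr/local/bin/vnstat.sh` every five minutes, the nginx site linked at `/etc/nginx/sites-enabled/vnstat` with `autoindex on`, and the vnstat package and service. The port-80 accept does disappear once the iptables template is re-applied, so the listener becomes unreachable from outside, but the generator and the vhost keep running locally. A short cleanup stanza here (or a one-off task that can be deleted later) would retire that state explicitly; the paths below are the ones the removed task file installed.
```yaml
- name: remove vnstat cron job installed by earlier runs
  cron:
    name: vnstat
    cron_file: vnstat
    user: root
    state: absent

- name: remove vnstat nginx site and graph generator
  file:
    path: "{{ item }}"
    state: absent
  with_items:
    - /etc/nginx/sites-enabled/vnstat
    - /etc/nginx/sites-available/vnstat
    - /usr/local/bin/vnstat.sh
  notify: reload nginx
```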
diff --git a/roles/install_radvd/templates/radvd.conf.j2 b/roles/install_radvd/templates/radvd.conf.j2
index a27a24e..81e4379 100644
--- a/roles/install_radvd/templates/radvd.conf.j2
+++ b/roles/install_radvd/templates/radvd.conf.j2
@@ -3,8 +3,8 @@ interface bat{{ site.name }}
{
AdvSendAdvert on;
IgnoreIfMissing on;
- MinRtrAdvInterval 60;
- MaxRtrAdvInterval 600;
+ MinRtrAdvInterval 10;
+ MaxRtrAdvInterval 300;
AdvDefaultPreference low;
AdvHomeAgentFlag off;
diff --git a/roles/install_wireguard_backbone/tasks/main.yml b/roles/install_wireguard_backbone/tasks/main.yml
index 9ccfe05..24facda 100644
--- a/roles/install_wireguard_backbone/tasks/main.yml
+++ b/roles/install_wireguard_backbone/tasks/main.yml
@@ -5,7 +5,7 @@
dest: /etc/systemd/system/wgbackbone@.service
- include_tasks: fastd_tasks.yml
- when: "'fastd' in group_names"
+ when: "('fastd' in group_names) or ('nat64' in group_names)"
- include_tasks: uplink_tasks.yml
when: "'uplink' in group_names"
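Review bot: With the new condition, `fastd_tasks.yml` now runs for nat64 hosts as well, so its file name no longer describes when it applies and a reader of this task list will assume nat64 hosts are skipped. Either rename the file to something like `peer_tasks.yml` or add a comment above the include, e.g. `# fastd_tasks.yml sets up the backbone peer side; nat64 hosts need the same setup`, so the widened scope is visible without opening the file. The surrounding task list continues outside the hunk.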
diff --git a/roles/install_wireguard_backbone/tasks/uplink_tasks.yml b/roles/install_wireguard_backbone/tasks/uplink_tasks.yml
index ea906e5..357fa0b 100644
--- a/roles/install_wireguard_backbone/tasks/uplink_tasks.yml
+++ b/roles/install_wireguard_backbone/tasks/uplink_tasks.yml
@@ -6,6 +6,13 @@
mode: 0400
with_items: "{{ groups['fastd'] }}"
+- name: create wireguard config for nat64
+ template:
+ src: wg.conf.j2
+ dest: /etc/wireguard/wgbb{{ hostvars[item]['wireguard_bb_name'] }}.conf
+ mode: 0400
+ with_items: "{{ groups['nat64'] }}"
+
- name: create wireguard config for uplinks
template:
src: wg.conf.j2
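Review bot: The new `create wireguard config for nat64` task appears to be a verbatim copy of the fastd task whose tail is visible above it (only `with_items` differs), and hunks 2 through 4 of this file repeat the same copy for the up script, the down script and the systemd unit. If the preceding task uses the same `src` and `dest` (its head is outside the hunk), all four copies collapse into the existing tasks with `with_items: "{{ groups['fastd'] + groups['nat64'] | default([]) }}"`, which also keeps the play working on an inventory that defines no `nat64` group. Separately, `mode: 0400` is a bare octal literal; Ansible accepts it, but the documented form is the quoted string `mode: "0400"`, which avoids the leading-zero retyping trap in YAML 1.1 parsers.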
@@ -27,6 +34,13 @@
mode: 0744
with_items: "{{ groups['fastd'] }}"
+- name: create wireguard up scripts for nat64
+ template:
+ src: up.sh.j2
+ dest: /etc/wireguard/upbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
+ mode: 0744
+ with_items: "{{ groups['nat64'] }}"
+
- name: create wireguard up scripts for uplinks
template:
src: up.sh.j2
@@ -48,6 +62,13 @@
mode: 0744
with_items: "{{ groups['fastd'] }}"
+- name: create wireguard down scripts for nat64
+ template:
+ src: down.sh.j2
+ dest: /etc/wireguard/downbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
+ mode: 0744
+ with_items: "{{ groups['nat64'] }}"
+
- name: create wireguard down scripts for uplinks
template:
src: down.sh.j2
@@ -70,6 +91,14 @@
daemon_reload: yes
with_items: "{{ groups['fastd'] }}"
+- name: start and enable wireguard mesh for nat64
+ systemd:
+ name: wgbackbone@{{ hostvars[item]['wireguard_bb_name'] }}.service
+ enabled: yes
+ state: started
+ daemon_reload: yes
+ with_items: "{{ groups['nat64'] }}"
+
- name: start and enable wireguard mesh for uplinks
systemd:
name: wgbackbone@{{ hostvars[item]['wireguard_bb_name'] }}.service