author | Niklas Yann Wettengel <niyawe@niyawe.de> | 2021-12-12 15:15:03 +0100 |
committer | Niklas Yann Wettengel <niyawe@niyawe.de> | 2021-12-12 15:15:03 +0100 |
commit | b53a8cf2283b2d6debb94cd399a72d25da0d7c82 (patch) | |
tree | e91b4b549150219b82e5a3995f0f3515154e2a7e /roles | |
parent | e75acd9a72df39269496abb7207decfc210efaa6 (diff) |
merge fastd and uplink nodes
Diffstat (limited to 'roles')
-rw-r--r-- | roles/configure_iptables/templates/ip6tables.rules | 45 | ||||
-rw-r--r-- | roles/configure_iptables/templates/iptables.rules | 26 | ||||
-rw-r--r-- | roles/configure_static_routes/tasks/fastd_tasks.yml | 14 | ||||
-rw-r--r-- | roles/configure_static_routes/tasks/main.yml | 15 | ||||
-rw-r--r-- | roles/configure_sysctl/files/ff.conf | 12 | ||||
-rw-r--r-- | roles/install_babeld/templates/babeld.conf.j2 | 27 | ||||
-rw-r--r-- | roles/install_bind/templates/named.conf.j2 | 2 | ||||
-rw-r--r-- | roles/install_monitoring/tasks/install_munin.yml | 55 | ||||
-rw-r--r-- | roles/install_monitoring/tasks/main.yml | 1 | ||||
-rw-r--r-- | roles/install_monitoring/templates/ffmyk-influx/traffic.php.j2 | 3 | ||||
-rw-r--r-- | roles/install_monitoring/templates/munin-node.conf.j2 | 2 | ||||
-rw-r--r-- | roles/install_wg_add/tasks/main.yml | 30 | ||||
-rw-r--r-- | roles/install_wg_add/templates/wg_add.service.j2 | 10 | ||||
-rw-r--r-- | roles/install_wireguard_backbone/tasks/fastd_tasks.yml | 33 | ||||
-rw-r--r-- | roles/install_wireguard_backbone/tasks/main.yml | 60 | ||||
-rw-r--r-- | roles/install_wireguard_backbone/tasks/uplink_tasks.yml | 87 |
16 files changed, 144 insertions, 278 deletions
diff --git a/roles/configure_iptables/templates/ip6tables.rules b/roles/configure_iptables/templates/ip6tables.rules
index 636541d..80e8b30 100644
--- a/roles/configure_iptables/templates/ip6tables.rules
+++ b/roles/configure_iptables/templates/ip6tables.rules
@@ -1,31 +1,29 @@
+*raw
+:PREROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+{% for site in sites %}
+-A PREROUTING -i wg{{ site.name }} -p udp -m udp --dport 8472 -j NOTRACK
+{% endfor %}
+{% for site in sites %}
+-A OUTPUT -o wg{{ site.name }} -p udp -m udp --dport 8472 -j NOTRACK
+{% endfor %}
+COMMIT
 *mangle
 :PREROUTING ACCEPT [0:0]
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
-{% if 'fastd' in group_names %}
 {% for site in sites %}
 -A PREROUTING -i bat{{ site.name }} -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
-{% endif %}
-{% if 'fastd' in group_names %}
-{% for peer in groups['uplink'] %}
--A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
-{% endfor %}
-{% endif %}
-{% if 'uplink' in group_names %}
-{% for peer in groups['fastd'] %}
--A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
-{% endfor %}
-{% for peer in groups['uplink'] | difference([inventory_hostname]) %}
+{% for peer in groups['fastd'] | difference([inventory_hostname]) %}
 -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
 {% for peer in wireguard_bb_peers %}
 -A PREROUTING -i bb{{ peer.name }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
-{% endif %}
 COMMIT
 *filter
 :INPUT DROP [0:0]
@@ -42,7 +40,6 @@ COMMIT
 # iperf3
 -A INPUT -p tcp -m tcp -s 2a03:2260:1016::/48 --dport 5201 -j ACCEPT
-{% if 'fastd' in group_names %}
 # dns
 -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
 -A INPUT -p udp -m udp --dport 53 -j ACCEPT
@@ -57,23 +54,12 @@ COMMIT
 -A INPUT -i bat+ -p udp -m udp --dport 1001 -j ACCEPT
 # wireguard_mesh
 {% for site in sites %}
+-A INPUT -s 2a03:2260:1016::/48 -p udp -m udp --dport {{ site.wireguard_mesh_port }} -j DROP
 -A INPUT -p udp -m udp --dport {{ site.wireguard_mesh_port }} -j ACCEPT
 -A INPUT -i wg{{ site.name }} -p udp --dport 8472 -j ACCEPT
 {% endfor %}
-{% endif %}
 # wireguard_backbone
-{% if 'fastd' in group_names %}
-{% for peer in groups['uplink'] %}
--A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
--A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT
-{% endfor %}
-{% endif %}
-{% if 'uplink' in group_names %}
-{% for peer in groups['fastd'] %}
--A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
--A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT
-{% endfor %}
-{% for peer in groups['uplink'] | difference([inventory_hostname]) %}
+{% for peer in groups['fastd'] | difference([inventory_hostname]) %}
 -A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
 -A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT
 {% endfor %}
@@ -81,24 +67,19 @@ COMMIT
 -A INPUT -i bb{{ peer.name }} -p udp --dport 6696 -j ACCEPT
 -A INPUT -p udp --dport {{ peer.port }} -j ACCEPT
 {% endfor %}
-{% endif %}
 # MOSH
 -A INPUT -p udp -m udp --dport 60000:61000 -j ACCEPT
 # ffrl bgp
-{% if 'ffrl_uplink' in group_names %}
 {% for peer in ffrl_peers %}
 -A INPUT -i {{ peer.name }} -p tcp -m tcp --dport 179 -j ACCEPT
 {% endfor %}
-{% endif %}
 # LOG
 -A INPUT -m limit --limit 2/min -j LOG --log-prefix "IP6Tables-Dropped input: " --log-level 4
-{% if 'fastd' in group_names %}
 {% for site in sites %}
 -A FORWARD -i bat{{ site.name }} -p udp --dport 10010:10021 -j REJECT
 {% endfor %}
-{% endif %}
 -A FORWARD -o {{ ansible_default_ipv6.interface }} -j REJECT
 -A FORWARD -d 2a03:2260:1016::/48 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 -A FORWARD -s 2a03:2260:1016::/48 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
diff --git a/roles/configure_iptables/templates/iptables.rules b/roles/configure_iptables/templates/iptables.rules
index 924320d..c3d84dc 100644
--- a/roles/configure_iptables/templates/iptables.rules
+++ b/roles/configure_iptables/templates/iptables.rules
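Review bot: The new `-A INPUT -s 2a03:2260:1016::/48 -p udp -m udp --dport {{ site.wireguard_mesh_port }} -j DROP` in the wireguard_mesh block only covers the global prefix; if the intent is to keep mesh-internal sources away from the mesh port, the ULA prefix `fd62:44e1:da::/48`, which babeld.conf.j2 in this same commit still accepts and redistributes, and the `2003:46:e028::/48` prefix it allows, still reach the unconditional `-j ACCEPT` on the next line. A second rule `-A INPUT -s fd62:44e1:da::/48 -p udp -m udp --dport {{ site.wireguard_mesh_port }} -j DROP` (and one per further routed prefix) would close that gap. The DROP-before-ACCEPT ordering itself is correct, and the IPv4 counterpart in iptables.rules covers `10.222.0.0/16`, the only IPv4 mesh prefix visible in this diff.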
@@ -4,28 +4,16 @@
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
-{% if 'fastd' in group_names %}
 {% for site in sites %}
 -A PREROUTING -i bat{{ site.name }} -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
-{% endif %}
-{% if 'fastd' in group_names %}
-{% for peer in groups['uplink'] %}
--A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff
-{% endfor %}
-{% endif %}
-{% if 'uplink' in group_names %}
-{% for peer in groups['fastd'] %}
--A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff
-{% endfor %}
-{% for peer in groups['uplink'] | difference([inventory_hostname]) %}
+{% for peer in groups['fastd'] | difference([inventory_hostname]) %}
 -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
 {% for peer in wireguard_bb_peers %}
 -A PREROUTING -i bb{{ peer.name }} -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
-{% endif %}
 COMMIT
 *filter
 :INPUT DROP [0:0]
@@ -40,7 +28,6 @@ COMMIT
 # iperf3
 -A INPUT -p tcp -m tcp -s 10.222.0.0/16 --dport 5201 -j ACCEPT
-{% if 'fastd' in group_names %}
 # dns
 -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
 -A INPUT -p udp -m udp --dport 53 -j ACCEPT
@@ -57,13 +44,12 @@ COMMIT
 -A INPUT -p udp -m udp --dport 10010:10023 -j ACCEPT
 # wireguard_mesh
 {% for site in sites %}
+-A INPUT -s 10.222.0.0/16 -p udp -m udp --dport {{ site.wireguard_mesh_port }} -j DROP
 -A INPUT -p udp -m udp --dport {{ site.wireguard_mesh_port }} -j ACCEPT
 {% endfor %}
-{% endif %}
 # MOSH
 -A INPUT -p udp -m udp --dport 60000:61000 -j ACCEPT
-{% if 'ffrl_uplink' in group_names %}
 # ffrl-gre
 {% for peer in ffrl_peers %}
 -A INPUT -p gre -s {{ peer.remote }} -j ACCEPT
@@ -72,15 +58,12 @@ COMMIT
 {% for peer in ffrl_peers %}
 -A INPUT -i {{ peer.name }} -p tcp -m tcp --dport 179 -j ACCEPT
 {% endfor %}
-{% endif %}
 -A INPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped input: " --log-level 4
-{% if 'fastd' in group_names %}
 {% for site in sites %}
 -A FORWARD -i bat{{ site.name }} -p udp --dport 10010:10023 -j REJECT
 {% endfor %}
-{% endif %}
 -A FORWARD -o {{ ansible_default_ipv4.interface }} -j REJECT
 -A FORWARD -d 10.222.0.0/16 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 -A FORWARD -s 10.222.0.0/16 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
@@ -91,12 +74,7 @@ COMMIT
 :INPUT ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
-{% if 'ffrl_uplink' in group_names %}
 {% for peer in ffrl_peers %}
 -A POSTROUTING ! -s {{ ffrl_ip4 }} -o {{ peer.name }} -j SNAT --to-source {{ ffrl_ip4 }}
 {% endfor %}
-{% endif %}
-{% if 'mullvad_uplink' in group_names %}
--A POSTROUTING -o mullvad -j MASQUERADE
-{% endif %}
 COMMIT
diff --git a/roles/configure_static_routes/tasks/fastd_tasks.yml b/roles/configure_static_routes/tasks/fastd_tasks.yml
deleted file mode 100644
index 4cd1583..0000000
--- a/roles/configure_static_routes/tasks/fastd_tasks.yml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-- name: copy site specific iproute up config script
- template:
- src: ffmyk-iproute-up.j2
- dest: /usr/local/bin/ffmyk-iproute{{ item.name }}-up.sh
- mode: 0744
- with_items: "{{ sites }}"
-
-- name: copy site specific iproute down config script
- template:
- src: ffmyk-iproute-down.j2
- dest: /usr/local/bin/ffmyk-iproute{{ item.name }}-down.sh
- mode: 0744
- with_items: "{{ sites }}"
diff --git a/roles/configure_static_routes/tasks/main.yml b/roles/configure_static_routes/tasks/main.yml
index c98825f..e89d845 100644
--- a/roles/configure_static_routes/tasks/main.yml
+++ b/roles/configure_static_routes/tasks/main.yml
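Review bot: With the `{% if 'ffrl_uplink' in group_names %}` guards removed, `{% for peer in ffrl_peers %}` in both the filter and the nat hunk now renders on every host, and a host that does not define `ffrl_peers` fails the whole template with an undefined-variable error under Ansible's default strict templating. Unless every host now carries `ffrl_peers` in its vars, write `{% for peer in ffrl_peers|default([]) %}`, the pattern babeld.conf.j2 and install_munin.yml already use for `wireguard_bb_peers|default([])`; `{% for peer in wireguard_bb_peers %}` in the mangle hunk above has the same exposure now that its `'uplink'` guard is gone. The same applies to the two `ffrl_peers` loops in ip6tables.rules, the `redistribute if` loop in babeld.conf.j2, and task (6/6) in install_munin.yml, whose `with_items: "{{ ffrl_peers }}"` lost its `when`.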
@@ -10,8 +10,19 @@
 dest: /usr/local/bin/ffmyk-iproute.sh
 mode: 0744
-- include_tasks: fastd_tasks.yml
- when: "'fastd' in group_names"
+- name: copy site specific iproute up config script
+ template:
+ src: ffmyk-iproute-up.j2
+ dest: /usr/local/bin/ffmyk-iproute{{ item.name }}-up.sh
+ mode: 0744
+ with_items: "{{ sites }}"
+
+- name: copy site specific iproute down config script
+ template:
+ src: ffmyk-iproute-down.j2
+ dest: /usr/local/bin/ffmyk-iproute{{ item.name }}-down.sh
+ mode: 0744
+ with_items: "{{ sites }}"
 - name: copy ffmyk iproute systemd service
 copy:
diff --git a/roles/configure_sysctl/files/ff.conf b/roles/configure_sysctl/files/ff.conf
index d07763d..85a9b3a 100644
--- a/roles/configure_sysctl/files/ff.conf
+++ b/roles/configure_sysctl/files/ff.conf
@@ -11,9 +11,15 @@ net.ipv6.conf.default.autoconf = 0
 net.ipv6.conf.all.accept_ra = 0
 net.ipv6.conf.default.accept_ra = 0
-net.ipv6.neigh.default.gc_thresh3=4096
-net.ipv6.neigh.default.gc_thresh2=2048
-net.ipv6.neigh.default.gc_thresh1=1024
+net.ipv4.neigh.default.gc_thresh3=8192
+net.ipv4.neigh.default.gc_thresh2=4096
+net.ipv4.neigh.default.gc_thresh1=2048
+net.ipv4.neigh.default.gc_interval=3600
+net.ipv4.neigh.default.gc_stale_time=3600
+
+net.ipv6.neigh.default.gc_thresh3=8192
+net.ipv6.neigh.default.gc_thresh2=4096
+net.ipv6.neigh.default.gc_thresh1=2048
 net.ipv6.neigh.default.gc_interval=3600
 net.ipv6.neigh.default.gc_stale_time=3600
diff --git a/roles/install_babeld/templates/babeld.conf.j2 b/roles/install_babeld/templates/babeld.conf.j2
index 1fac52e..c5cdda0 100644
--- a/roles/install_babeld/templates/babeld.conf.j2
+++ b/roles/install_babeld/templates/babeld.conf.j2
@@ -5,22 +5,12 @@ ipv6-subtrees true
 # You must provide at least one interface for babeld to operate on.
-{% if ('fastd' in group_names) %}
-{% for peer in groups['uplink'] %}
-interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
-{% endfor %}
-{% endif %}
-{% if 'uplink' in group_names %}
-{% for peer in groups['fastd'] %}
-interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
-{% endfor %}
-{% for peer in groups['uplink'] | difference([inventory_hostname]) %}
+{% for peer in groups['fastd'] | difference([inventory_hostname]) %}
 interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
 {% endfor %}
 {% for peer in wireguard_bb_peers|default([]) %}
 interface bb{{ peer.name }}
 {% endfor %}
-{% endif %}
 # Global options you might want to set. There are many more, see the man page.
 #debug 1
@@ -37,22 +27,15 @@ import-table 42
 reflect-kernel-metric true
 # Filtering rules.
-{% if 'uplink' in group_names %}
 in ip 10.222.0.0/16 allow
 in ip 2a03:2260:1016::/48 allow
 in ip 2003:46:e028::/48 allow # finzelberg
 in ip fd62:44e1:da::/48 allow
 in deny # ignore default routes on uplinks
-{% endif %}
-{% if 'mullvad_uplink' in group_names %}
-redistribute if mullvad metric 256
-{% endif %}
-{% if 'ffrl_uplink' in group_names %}
 {% for peer in ffrl_peers %}
 redistribute if {{ peer.name }} metric 128
 {% endfor %}
-{% endif %}
 # Only redistribute addresses from a given prefix, to avoid redistributing
 # all local addresses
 redistribute ip 10.222.0.0/16 allow
@@ -60,11 +43,3 @@ redistribute ip 2a03:2260:1016::/48 allow
 redistribute ip 64:ff9b::/96 allow
 redistribute ip fd62:44e1:da::/48 allow
 redistribute local deny
-
-{% if ('fastd' in group_names) and preferred_uplink is defined %}
-{% for peer in groups['uplink'] %}
-{% if not hostvars[peer]['wireguard_bb_name'] == preferred_uplink %}
-in if bb{{ hostvars[peer]['wireguard_bb_name'] }} metric 64
-{% endif %}
-{% endfor %}
-{% endif %}
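Review bot: `in deny # ignore default routes on uplinks` in the filtering-rules hunk now applies to every node, not only to members of the former `uplink` group, so the comment no longer describes the rule's scope; `in deny # accept only the mesh prefixes listed above; default routes from any peer are ignored` would match the merged role. The removed `preferred_uplink` block at the end of the file means an inventory that still sets `preferred_uplink` silently loses its effect; a line in the role's defaults or README saying the variable is no longer read would save the next person a search.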
diff --git a/roles/install_bind/templates/named.conf.j2 b/roles/install_bind/templates/named.conf.j2
index da7043e..25d3470 100644
--- a/roles/install_bind/templates/named.conf.j2
+++ b/roles/install_bind/templates/named.conf.j2
@@ -27,6 +27,8 @@ options {
 version none;
 hostname none;
 server-id none;
+
+ max-cache-size 1024M;
 };
 statistics-channels {
diff --git a/roles/install_monitoring/tasks/install_munin.yml b/roles/install_monitoring/tasks/install_munin.yml
index ee81639..c843bfe 100644
--- a/roles/install_monitoring/tasks/install_munin.yml
+++ b/roles/install_monitoring/tasks/install_munin.yml
@@ -14,7 +14,6 @@
 pacman:
 name: perl-json
 state: present
- when: "'fastd' in group_names"
 - name: copy fastd peers plugin
 copy:
@@ -22,7 +21,6 @@
 dest: /usr/lib/munin/plugins/fastd_peers_
 mode: 0755
 notify: restart munin-node
- when: "'fastd' in group_names"
 - name: copy fastd traffic plugin
 copy:
@@ -30,7 +28,6 @@
 dest: /usr/lib/munin/plugins/fastd_traffic_
 mode: 0755
 notify: restart munin-node
- when: "'fastd' in group_names"
 - name: enable munin plugins for fastd peers
 file:
@@ -39,7 +36,6 @@
 state: link
 with_items: "{{ sites }}"
 notify: restart munin-node
- when: "'fastd' in group_names"
 - name: enable munin plugins for fastd traffic
 file:
@@ -48,14 +44,12 @@
 state: link
 with_items: "{{ sites }}"
 notify: restart munin-node
- when: "'fastd' in group_names"
 - name: copy fastd plugin config
 template:
 src: munin_fastd_conf.j2
 dest: /etc/munin/plugin-conf.d/fastd
 notify: restart munin-node
- when: "'fastd' in group_names"
 - name: copy wg peers plugin
 copy:
@@ -63,7 +57,6 @@
 dest: /usr/lib/munin/plugins/wg_peers_
 mode: 0755
 notify: restart munin-node
- when: "'fastd' in group_names"
 - name: copy wg peers plugin config
 copy:
@@ -71,7 +64,6 @@
 dest: /etc/munin/plugin-conf.d/wg
 mode: 0644
 notify: restart munin-node
- when: "'fastd' in group_names"
 - name: enable munin plugins for wg peers
 file:
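Review bot: `max-cache-size 1024M;` in the `options` block of named.conf.j2 is a fixed value regardless of the host's memory, so on a small node named is allowed to grow past what the box can spare. `max-cache-size {{ bind_max_cache_size | default('1024M') }};` keeps the new default while letting an inventory override it per host. The `options` block starts outside the hunk.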
@@ -80,7 +72,6 @@
 state: link
 with_items: "{{ sites }}"
 notify: restart munin-node
- when: "'fastd' in group_names"
 - name: copy dhcp-pool plugin
 copy:
@@ -88,7 +79,6 @@
 dest: /usr/lib/munin/plugins/dhcp-pool
 mode: 0755
 notify: restart munin-node
- when: "'fastd' in group_names"
 - name: enable munin plugins for dhcp
 file:
@@ -96,7 +86,6 @@
 src: /usr/lib/munin/plugins/dhcp-pool
 state: link
 notify: restart munin-node
- when: "'fastd' in group_names"
 - name: copy fw_conntrack plugin
 copy:
@@ -128,21 +117,21 @@
 name: perl-lwp-protocol-https
 state: present
-- name: enable munin plugins for network monitoring (1/9)
+- name: enable munin plugins for network monitoring (1/6)
 file:
 path: /etc/munin/plugins/if_{{ ansible_default_ipv4.interface }}
 src: /usr/lib/munin/plugins/if_
 state: link
 notify: restart munin-node
-- name: enable munin plugins for network monitoring (2/9)
+- name: enable munin plugins for network monitoring (2/6)
 file:
 path: /etc/munin/plugins/if_{{ ansible_default_ipv6.interface }}
 src: /usr/lib/munin/plugins/if_
 state: link
 notify: restart munin-node
-- name: enable munin plugins for network monitoring (3/9)
+- name: enable munin plugins for network monitoring (3/6)
 file:
 path: /etc/munin/plugins/if_{{ item[0] }}{{ item[1].name }}
 src: /usr/lib/munin/plugins/if_
@@ -151,60 +140,30 @@
 with_nested:
 - [ 'bat', 'vpn', 'wg', 'vx' ]
 - "{{ sites }}"
- when: "'fastd' in group_names"
-- name: enable munin plugins for network monitoring (4/9)
- file:
- path: /etc/munin/plugins/if_bb{{ hostvars[item]['wireguard_bb_name'] }}
- src: /usr/lib/munin/plugins/if_
- state: link
- notify: restart munin-node
- with_items: "{{ groups['uplink'] }}"
- when: "'fastd' in group_names"
-
-- name: enable munin plugins for network monitoring (5/9)
- file:
- path: /etc/munin/plugins/if_bb{{ hostvars[item]['wireguard_bb_name'] }}
- src: /usr/lib/munin/plugins/if_
- state: link
- notify: restart munin-node
- with_items: "{{ groups['fastd'] }}"
- when: "'uplink' in group_names"
-
-- name: enable munin plugins for network monitoring (6/9)
+- name: enable munin plugins for network monitoring (4/6)
 file:
 path: /etc/munin/plugins/if_bb{{ item.name }}
 src: /usr/lib/munin/plugins/if_
 state: link
 notify: restart munin-node
 with_items: "{{ wireguard_bb_peers|default([]) }}"
- when: "'uplink' in group_names"
-- name: enable munin plugins for network monitoring (7/9)
+- name: enable munin plugins for network monitoring (5/6)
 file:
 path: /etc/munin/plugins/if_bb{{ hostvars[item]['wireguard_bb_name'] }}
 src: /usr/lib/munin/plugins/if_
 state: link
 notify: restart munin-node
- with_items: "{{ groups['uplink'] | difference([inventory_hostname]) }}"
- when: "'uplink' in group_names"
+ with_items: "{{ groups['fastd'] | difference([inventory_hostname]) }}"
-- name: enable munin plugins for network monitoring (8/9)
+- name: enable munin plugins for network monitoring (6/6)
 file:
 path: /etc/munin/plugins/if_{{ item.name }}
 src: /usr/lib/munin/plugins/if_
 state: link
 notify: restart munin-node
 with_items: "{{ ffrl_peers }}"
- when: "'ffrl_uplink' in group_names"
-
-- name: enable munin plugins for network monitoring (9/9)
- file:
- path: /etc/munin/plugins/if_mullvad
- src: /usr/lib/munin/plugins/if_
- state: link
- notify: restart munin-node
- when: "'mullvad_uplink' in group_names"
 - name: enable munin plugins
 file:
diff --git a/roles/install_monitoring/tasks/main.yml b/roles/install_monitoring/tasks/main.yml
index 6600e0c..dc3c445 100644
--- a/roles/install_monitoring/tasks/main.yml
+++ b/roles/install_monitoring/tasks/main.yml
@@ -1,7 +1,6 @@
 ---
 - name: install ffmyk-influx
 include: install_ffmyk-influx.yml
- when: "'fastd' in group_names"
 - name: install munin
 import_tasks: install_munin.yml
diff --git a/roles/install_monitoring/templates/ffmyk-influx/traffic.php.j2 b/roles/install_monitoring/templates/ffmyk-influx/traffic.php.j2
index dde5dba..9a848da 100644
--- a/roles/install_monitoring/templates/ffmyk-influx/traffic.php.j2
+++ b/roles/install_monitoring/templates/ffmyk-influx/traffic.php.j2
@@ -24,8 +24,5 @@ function traffic($iface, $alias=false) {
 (traffic('vpn{{ site.name }}'));
 (traffic('wg{{ site.name }}'));
 {% endfor %}
-{% for uplink in groups['uplink'] %}
-(traffic('bb{{ hostvars[uplink]['wireguard_bb_name'] }}'));
-{% endfor %}
 ?>
diff --git a/roles/install_monitoring/templates/munin-node.conf.j2 b/roles/install_monitoring/templates/munin-node.conf.j2
index 6dda88c..e7a1610 100644
--- a/roles/install_monitoring/templates/munin-node.conf.j2
+++ b/roles/install_monitoring/templates/munin-node.conf.j2
@@ -38,7 +38,7 @@ host_name {{ ansible_fqdn }}
 # may repeat the allow line as many times as you'd like
 allow ^127\.0\.0\.1$
-allow ^2a01:4f8:151:13cd:1::35$
+allow ^2a01:4f8:272:3d5f:1::35$
 allow ^::1$
 # Which address to bind to;
diff --git a/roles/install_wg_add/tasks/main.yml b/roles/install_wg_add/tasks/main.yml
new file mode 100644
index 0000000..da7f0b4
--- /dev/null
+++ b/roles/install_wg_add/tasks/main.yml
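Review bot: The removed loop in traffic.php.j2 drops the `bb*` backbone interfaces from the influx traffic export, yet those interfaces still exist after this commit: install_wireguard_backbone/tasks/main.yml now renders `wgbb{{ hostvars[item]['wireguard_bb_name'] }}.conf` for every other member of `groups['fastd']`, the iptables templates keep matching `-i bb{{ hostvars[peer]['wireguard_bb_name'] }}`, and munin task (5/6) still graphs them. If losing them from influx is not intended, keep the calls with the merged iterator: `{% for peer in groups['fastd'] | difference([inventory_hostname]) %}`, `(traffic('bb{{ hostvars[peer]['wireguard_bb_name'] }}'));`, `{% endfor %}`; interfaces from `wireguard_bb_peers` were not exported before either. The enclosing PHP scope begins outside the hunk.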
@@ -0,0 +1,30 @@
+---
+- name: install wg_add dependencies
+ pacman:
+ name:
+ - git
+ - make
+ - gcc
+ state: present
+
+- name: clone wg_add repo
+ git:
+ repo: https://github.com/FreifunkMYK/wg_add.git
+ dest: /opt/wg_add
+
+- name: build wg_add
+ make:
+ chdir: /opt/wg_add
+
+- name: install wg_add service
+ template:
+ src: wg_add.service.j2
+ dest: /etc/systemd/system/wg_add@.service
+ mode: 0644
+
+- name: start and enable wgkex service
+ systemd:
+ name: wg_add@{{ item.name }}
+ state: started
+ enabled: yes
+ with_items: "{{ sites }}"
diff --git a/roles/install_wg_add/templates/wg_add.service.j2 b/roles/install_wg_add/templates/wg_add.service.j2
new file mode 100644
index 0000000..b348e98
--- /dev/null
+++ b/roles/install_wg_add/templates/wg_add.service.j2
@@ -0,0 +1,10 @@
+[Unit]
+Description=wg_add
+After=network.target
+
+[Service]
+ExecStart=/opt/wg_add/wg_add {{ ansible_default_ipv4.interface }} wg%i vx%i
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/install_wireguard_backbone/tasks/fastd_tasks.yml b/roles/install_wireguard_backbone/tasks/fastd_tasks.yml
deleted file mode 100644
index d1d9974..0000000
--- a/roles/install_wireguard_backbone/tasks/fastd_tasks.yml
+++ /dev/null
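Review bot: The `git:` task in the new install_wg_add/tasks/main.yml clones `https://github.com/FreifunkMYK/wg_add.git` with no `version:`, so every run checks out whatever the default branch points to at that moment and the following `make` builds it into `/opt/wg_add/wg_add`, which the new unit then runs as root; the deployed binary is neither reproducible nor reviewable this way. Pin it with `version: "<PINNED_TAG_OR_COMMIT>"` (placeholder) and bump on purpose. Nothing restarts the `wg_add@` units after a rebuild either — the `make:` task has no `notify`, so a new binary only takes effect on the next reboot or a manual restart; register the build result and restart the units when it changed. The last task is named `start and enable wgkex service` but manages `wg_add@{{ item.name }}`.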
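Review bot: `Restart=always` in wg_add.service.j2 comes with no `RestartSec`, so if `wg_add` exits immediately — for example because `wg%i` or `vx%i` is not up yet, which `After=network.target` does not guarantee — systemd restarts it at its default 100 ms interval, the unit trips the start-rate limit and stays failed until someone resets it. Add `RestartSec=5` under `[Service]`. Whether wg_add needs those interfaces to exist at start is not visible from this diff.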
@@ -1,33 +0,0 @@
----
-- name: create wireguard config for peers
- template:
- src: wg.conf.j2
- dest: /etc/wireguard/wgbb{{ hostvars[item]['wireguard_bb_name'] }}.conf
- mode: 0400
- with_items:
- - "{{ groups['uplink'] }}"
-
-- name: create wireguard up scripts for peers
- template:
- src: up.sh.j2
- dest: /etc/wireguard/upbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
- mode: 0744
- with_items:
- - "{{ groups['uplink'] }}"
-
-- name: create wireguard down scripts for peers
- template:
- src: down.sh.j2
- dest: /etc/wireguard/downbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
- mode: 0744
- with_items:
- - "{{ groups['uplink'] }}"
-
-- name: start and enable wireguard mesh
- systemd:
- name: wgbackbone@{{ hostvars[item]['wireguard_bb_name'] }}.service
- enabled: yes
- state: started
- daemon_reload: yes
- with_items:
- - "{{ groups['uplink'] }}"
diff --git a/roles/install_wireguard_backbone/tasks/main.yml b/roles/install_wireguard_backbone/tasks/main.yml
index 9ccfe05..b185173 100644
--- a/roles/install_wireguard_backbone/tasks/main.yml
+++ b/roles/install_wireguard_backbone/tasks/main.yml
@@ -4,8 +4,60 @@
 src: wgbackbone@.service
 dest: /etc/systemd/system/wgbackbone@.service
-- include_tasks: fastd_tasks.yml
- when: "'fastd' in group_names"
+- name: create wireguard config for uplinks
+ template:
+ src: wg.conf.j2
+ dest: /etc/wireguard/wgbb{{ hostvars[item]['wireguard_bb_name'] }}.conf
+ mode: 0400
+ with_items: "{{ groups['fastd'] | difference([inventory_hostname]) }}"
-- include_tasks: uplink_tasks.yml
- when: "'uplink' in group_names"
+- name: create wireguard config for additional peers
+ template:
+ src: wg2.conf.j2
+ dest: /etc/wireguard/wgbb{{ item.name }}.conf
+ mode: 0400
+ with_items: "{{ wireguard_bb_peers|default([]) }}"
+
+- name: create wireguard up scripts for uplinks
+ template:
+ src: up.sh.j2
+ dest: /etc/wireguard/upbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
+ mode: 0744
+ with_items: "{{ groups['fastd'] | difference([inventory_hostname]) }}"
+
+- name: create wireguard up scripts for additional peers
+ template:
+ src: up2.sh.j2
+ dest: /etc/wireguard/upbb{{ item.name }}.sh
+ mode: 0744
+ with_items: "{{ wireguard_bb_peers|default([]) }}"
+
+- name: create wireguard down scripts for uplinks
+ template:
+ src: down.sh.j2
+ dest: /etc/wireguard/downbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
+ mode: 0744
+ with_items: "{{ groups['fastd'] | difference([inventory_hostname]) }}"
+
+- name: create wireguard down scripts for additional peers
+ template:
+ src: down2.sh.j2
+ dest: /etc/wireguard/downbb{{ item.name }}.sh
+ mode: 0744
+ with_items: "{{ wireguard_bb_peers|default([]) }}"
+
+- name: start and enable wireguard mesh for uplinks
+ systemd:
+ name: wgbackbone@{{ hostvars[item]['wireguard_bb_name'] }}.service
+ enabled: yes
+ state: started
+ daemon_reload: yes
+ with_items: "{{ groups['fastd'] | difference([inventory_hostname]) }}"
+
+- name: start and enable wireguard mesh for additional peers
+ systemd:
+ name: wgbackbone@{{ item.name }}.service
+ enabled: yes
+ state: started
+ daemon_reload: yes
+ with_items: "{{ wireguard_bb_peers|default([]) }}"
diff --git a/roles/install_wireguard_backbone/tasks/uplink_tasks.yml b/roles/install_wireguard_backbone/tasks/uplink_tasks.yml
deleted file mode 100644
index ea906e5..0000000
--- a/roles/install_wireguard_backbone/tasks/uplink_tasks.yml
+++ /dev/null
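Review bot: The task names in the inlined block still say `for uplinks` (`create wireguard config for uplinks`, `create wireguard up scripts for uplinks`, `create wireguard down scripts for uplinks`, `start and enable wireguard mesh for uplinks`) although the loop is now `groups['fastd'] | difference([inventory_hostname])`, i.e. the other nodes of the merged group; renaming them to e.g. `create wireguard config for other fastd nodes` keeps play output honest. `daemon_reload: yes` inside the two looped `systemd:` tasks reloads the manager once per peer; a single `systemd: daemon_reload: yes` task right after the `wgbackbone@.service` template copy at the top of the hunk would do that work once.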
@@ -1,87 +0,0 @@
----
-- name: create wireguard config for fastds
- template:
- src: wg.conf.j2
- dest: /etc/wireguard/wgbb{{ hostvars[item]['wireguard_bb_name'] }}.conf
- mode: 0400
- with_items: "{{ groups['fastd'] }}"
-
-- name: create wireguard config for uplinks
- template:
- src: wg.conf.j2
- dest: /etc/wireguard/wgbb{{ hostvars[item]['wireguard_bb_name'] }}.conf
- mode: 0400
- with_items: "{{ groups['uplink'] | difference([inventory_hostname]) }}"
-
-- name: create wireguard config for additional peers
- template:
- src: wg2.conf.j2
- dest: /etc/wireguard/wgbb{{ item.name }}.conf
- mode: 0400
- with_items: "{{ wireguard_bb_peers|default([]) }}"
-
-- name: create wireguard up scripts for fastds
- template:
- src: up.sh.j2
- dest: /etc/wireguard/upbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
- mode: 0744
- with_items: "{{ groups['fastd'] }}"
-
-- name: create wireguard up scripts for uplinks
- template:
- src: up.sh.j2
- dest: /etc/wireguard/upbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
- mode: 0744
- with_items: "{{ groups['uplink'] | difference([inventory_hostname]) }}"
-
-- name: create wireguard up scripts for additional peers
- template:
- src: up2.sh.j2
- dest: /etc/wireguard/upbb{{ item.name }}.sh
- mode: 0744
- with_items: "{{ wireguard_bb_peers|default([]) }}"
-
-- name: create wireguard down scripts for fastds
- template:
- src: down.sh.j2
- dest: /etc/wireguard/downbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
- mode: 0744
- with_items: "{{ groups['fastd'] }}"
-
-- name: create wireguard down scripts for uplinks
- template:
- src: down.sh.j2
- dest: /etc/wireguard/downbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
- mode: 0744
- with_items: "{{ groups['uplink'] | difference([inventory_hostname]) }}"
-
-- name: create wireguard down scripts for additional peers
- template:
- src: down2.sh.j2
- dest: /etc/wireguard/downbb{{ item.name }}.sh
- mode: 0744
- with_items: "{{ wireguard_bb_peers|default([]) }}"
-
-- name: start and enable wireguard mesh for fastds
- systemd:
- name: wgbackbone@{{ hostvars[item]['wireguard_bb_name'] }}.service
- enabled: yes
- state: started
- daemon_reload: yes
- with_items: "{{ groups['fastd'] }}"
-
-- name: start and enable wireguard mesh for uplinks
- systemd:
- name: wgbackbone@{{ hostvars[item]['wireguard_bb_name'] }}.service
- enabled: yes
- state: started
- daemon_reload: yes
- with_items: "{{ groups['uplink'] | difference([inventory_hostname]) }}"
-
-- name: start and enable wireguard mesh for additional peers
- systemd:
- name: wgbackbone@{{ item.name }}.service
- enabled: yes
- state: started
- daemon_reload: yes
- with_items: "{{ wireguard_bb_peers|default([]) }}" |