From d82f8524972086862f64750f325ba067ea993d86 Mon Sep 17 00:00:00 2001 
From: Niklas Yann Wettengel
Date: Mon, 3 Jul 2017 09:46:42 +0200
Subject: fastd working
---
 host_vars/fastd | 127 +++++++++++----------
 roles/configure_iptables/files/ip6tables.rules | 24 ++--
 roles/configure_iptables/files/iptables.rules | 42 +++---
 .../files/ffmyk-iproute.service | 14 +++
 .../configure_static_routes/files/ffmyk-iproute.sh | 12 ++
 roles/configure_static_routes/tasks/main.yml | 38 ++++++
 .../templates/ffmyk-iproute-down.j2 | 11 ++
 .../templates/ffmyk-iproute-up.j2 | 11 ++
 roles/configure_sysctl/files/ff.conf | 3 +
 roles/install_bind/templates/named.conf.j2 | 45 +++-----
 roles/install_dhcp/tasks/main.yml | 37 +++---
 roles/install_dhcp/templates/dhcpd.conf.j2 | 12 +-
 roles/install_fastd/files/fastd-api.php | 45 --------
 roles/install_fastd/handlers/main.yml | 29 ++++-
 roles/install_fastd/tasks/main.yml | 63 ++++------
 roles/install_fastd/templates/fastd-api.php.j2 | 45 ++++++++
 roles/install_fastd/templates/fastd.conf.j2 | 12 +-
 roles/install_fastd/templates/fastd_up.sh.j2 | 14 +--
 roles/install_radvd/handlers/main.yml | 5 +
 roles/install_radvd/tasks/main.yml | 17 +++
 roles/install_radvd/templates/radvd.conf.j2 | 26 +++++
 roles/setup_batman/files/ffmyk-iproute.sh | 20 ----
 roles/setup_batman/tasks/main.yml | 18 +--
 roles/setup_batman/templates/netctl_bat.j2 | 8 ++
 roles/setup_batman/templates/netctl_bat0.j2 | 7 --
 setup_fastd.yml | 10 +-
 26 files changed, 401 insertions(+), 294 deletions(-)
 create mode 100644 roles/configure_static_routes/files/ffmyk-iproute.service
 create mode 100755 roles/configure_static_routes/files/ffmyk-iproute.sh
 create mode 100644 roles/configure_static_routes/tasks/main.yml
 create mode 100644 roles/configure_static_routes/templates/ffmyk-iproute-down.j2
 create mode 100644 roles/configure_static_routes/templates/ffmyk-iproute-up.j2
 delete mode 100644 roles/install_fastd/files/fastd-api.php
 create mode 100644 roles/install_fastd/templates/fastd-api.php.j2
 create mode 100644 roles/install_radvd/handlers/main.yml
 create mode 100644 roles/install_radvd/tasks/main.yml
 create mode 100644 roles/install_radvd/templates/radvd.conf.j2
 delete mode 100755 roles/setup_batman/files/ffmyk-iproute.sh
 create mode 100644 roles/setup_batman/templates/netctl_bat.j2
 delete mode 100644 roles/setup_batman/templates/netctl_bat0.j2
diff --git a/host_vars/fastd b/host_vars/fastd
index 532d309..d1ace4a 100644
--- a/host_vars/fastd
+++ b/host_vars/fastd
@@ -1,12 +1,19 @@
 ---
 ansible_host: 123.123.123.123
-fastd_peer_limit: 200
-fastd_secret:
-fastd_mesh_mac: '
-bat0_ipv6: ''
-bat0_ipv4:
-dhcp_start:
-dhcp_end:
+sites:
+ - name: ''
+ net4: ''
+ net6: ''
+ fastd_secret:
+ fastd_mesh_mac: '
+ fastd_port1:
+ fastd_port2:
+ bat_ipv6: ''
+ bat_ipv4:
+ dhcp_subnet: ''
+ dhcp_netmask: ''
+ dhcp_start:
+ dhcp_end:
 mullvad_country: nl
 mullvad_crt: |
 -----BEGIN CERTIFICATE-----
@@ -16,56 +23,56 @@ mullvad_key: |
 -----BEGIN PRIVATE KEY-----
 ...
 -----END PRIVATE KEY-----
-influx_user:
-influx_password:
-munin_node_plugins:
- - name: cpu
- - name: df
- - name: df_inode
- - name: dhcp-pool
- - name: diskstats
- - name: entropy
- - name: fastd_peers
- plugin: fastd_
- - name: fastd_traffic
- plugin: fastd_
- - name: forks
- - name: fw_conntrack
- - name: fw_forwarded_local
- - name: fw_packets
- - name: if_bat0
- plugin: if_
- - name: if_err_bat0
- plugin: if_err_
- - name: if_ens3
- plugin: if_
- - name: if_err_ens3
- plugin: if_err_
- - name: if_ffmyk-mesh-vpn
- plugin: if_
- - name: if_err_ffmyk-mesh-vpn
- plugin: if_err_
- - name: if_mullvad
- plugin: if_
- - name: if_err_mullvad
- plugin: if_err_
- - name: interrupts
- - name: irqstats
- - name: load
- - name: memory
- - name: netstat
- - name: nginx_request
- - name: nginx_status
- - name: ntp_kernel_err
- - name: ntp_kernel_pll_freq
- - name: ntp_kernel_pll_off
- - name: ntp_offset
- - name: open_files
- - name: open_inodes
- - name: proc_pri
- - name: processes
- - name: swap
- - name: threads
- - name: uptime
- - name: users
- - name: vmstat
+#influx_user:
+#influx_password:
+#munin_node_plugins:
+# - name: cpu
+# - name: df
+# - name: df_inode
+# - name: dhcp-pool
+# - name: diskstats
+# - name: entropy
+# - name: fastd_peers
+# plugin: fastd_
+# - name: fastd_traffic
+# plugin: fastd_
+# - name: forks
+# - name: fw_conntrack
+# - name: fw_forwarded_local
+# - name: fw_packets
+# - name: if_bat0
+# plugin: if_
+# - name: if_err_bat0
+# plugin: if_err_
+# - name: if_ens3
+# plugin: if_
+# - name: if_err_ens3
+# plugin: if_err_
+# - name: if_ffmyk-mesh-vpn
+# plugin: if_
+# - name: if_err_ffmyk-mesh-vpn
+# plugin: if_err_
+# - name: if_mullvad
+# plugin: if_
+# - name: if_err_mullvad
+# plugin: if_err_
+# - name: interrupts
+# - name: irqstats
+# - name: load
+# - name: memory
+# - name: netstat
+# - name: nginx_request
+# - name: nginx_status
+# - name: ntp_kernel_err
+# - name: ntp_kernel_pll_freq
+# - name: ntp_kernel_pll_off
+# - name: ntp_offset
+# - name: open_files
+# - name: open_inodes
+# - name: proc_pri
+# - name: processes
+# - name: swap
+# - name: threads
+# - name: uptime
+# - name: users
+# - name: vmstat
diff --git a/roles/configure_iptables/files/ip6tables.rules b/roles/configure_iptables/files/ip6tables.rules
index f7b5ec2..7a1ea51 100644
--- a/roles/configure_iptables/files/ip6tables.rules
+++ b/roles/configure_iptables/files/ip6tables.rules
@@ -1,9 +1,7 @@
-# Generated by ip6tables-save v1.4.21 on Mon Feb 22 00:25:52 2016
 *filter
 :INPUT DROP [0:0]
-:FORWARD ACCEPT [0:0]
+:FORWARD DROP [0:0]
 :OUTPUT ACCEPT [0:0]
-:LOGGING - [0:0]
 -A INPUT -i lo -j ACCEPT
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -p icmpv6 -j ACCEPT
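Review bot: `fastd_port2` is added to the per-site dict but nothing else in this commit reads it — fastd.conf.j2 binds only `item.fastd_port1`, and the firewall rules open the fixed range 10010:10021 instead of deriving it from these values. If a second fastd instance per site is planned, either wire `fastd_port2` into a template now or leave it out until it is used, so host_vars does not advertise a port nothing listens on. A one-line note such as `# fastd_port2: reserved for a second fastd instance, not yet used` would make the intent explicit.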
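Review bot: The munin plugin list and influx variables are kept as 53 commented-out lines rather than removed, and the same pattern recurs in install_dhcp/tasks/main.yml, named.conf.j2, dhcpd.conf.j2 and setup_fastd.yml; the history is already in git, so the commented copies only drift from the live configuration. If these are meant to return once monitoring is re-enabled, a single `# TODO: re-enable munin/influx together with install_monitoring` line carries that intent better than the full dead block.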
@@ -13,20 +11,20 @@
 # dns
 -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
 -A INPUT -p udp -m udp --dport 53 -j ACCEPT
-# http
--A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
 # ntp
 -A INPUT -p udp -m udp --dport 123 -j ACCEPT
-# munin
--A INPUT -p tcp -m tcp --dport 4949 -j ACCEPT
 # fastd
--A INPUT -p udp -m udp --dport 10000 -j ACCEPT
+-A INPUT -p udp -m udp --dport 10010:10021 -j ACCEPT
 # MOSH
 -A INPUT -p udp -m udp --dport 60000:61000 -j ACCEPT
 # LOG
--A INPUT -j LOGGING
--A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IP6Tables-Dropped: " --log-level 4
--A LOGGING -j DROP
--A FORWARD -i bat0 -p udp --dport 10000 -j REJECT
+-A INPUT -m limit --limit 2/min -j LOG --log-prefix "IP6Tables-Dropped input: " --log-level 4
+
+-A FORWARD -i bataw -p udp --dport 10010:10021 -j REJECT
+-A FORWARD -i batcoc -p udp --dport 10010:10021 -j REJECT
+-A FORWARD -i batems -p udp --dport 10010:10021 -j REJECT
+-A FORWARD -i batko -p udp --dport 10010:10021 -j REJECT
+-A FORWARD -i batmy -p udp --dport 10010:10021 -j REJECT
+-A FORWARD -i batsim -p udp --dport 10010:10021 -j REJECT
+-A FORWARD -m limit --limit 2/min -j LOG --log-prefix "IP6Tables-Dropped forward: " --log-level 4
 COMMIT
-# Completed on Mon Feb 22 00:25:52 2016
diff --git a/roles/configure_iptables/files/iptables.rules b/roles/configure_iptables/files/iptables.rules
index 49bc7d2..24b82e3 100644
--- a/roles/configure_iptables/files/iptables.rules
+++ b/roles/configure_iptables/files/iptables.rules
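Review bot: With `:FORWARD DROP` from the first hunk and no ACCEPT rule anywhere in FORWARD, every forwarded packet is now dropped, so the six per-interface `REJECT` rules only change the response for the fastd ports and the trailing LOG rule fires (rate-limited) for all other forwarded traffic. If the gateway is expected to forward mesh traffic, an explicit `-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT` plus per-site accepts is missing; if forwarding is intentionally off until the exit VPN is back, a comment above the FORWARD rules saying so would stop the next reader from treating this as a regression. The interface list (bataw … batsim) and the port range are also hard-coded here although the rest of the commit derives them from `sites`; turning the rules file into a template over `sites` would keep them from drifting. The same applies to the iptables.rules hunks below.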
@@ -1,22 +1,24 @@
-# Generated by iptables-save v1.4.21 on Tue Sep 8 21:44:08 2015
 *mangle
 :PREROUTING ACCEPT [0:0]
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
--A PREROUTING -i bat0 -j MARK --set-xmark 0x1/0xffffffff
+-A PREROUTING -i bataw -j MARK --set-xmark 0x1/0xffffffff
+-A PREROUTING -i batcoc -j MARK --set-xmark 0x1/0xffffffff
+-A PREROUTING -i batems -j MARK --set-xmark 0x1/0xffffffff
+-A PREROUTING -i batko -j MARK --set-xmark 0x1/0xffffffff
+-A PREROUTING -i batmy -j MARK --set-xmark 0x1/0xffffffff
+-A PREROUTING -i batsim -j MARK --set-xmark 0x1/0xffffffff
 COMMIT
-# Completed on Tue Sep 8 21:44:08 2015
-# Generated by iptables-save v1.4.21 on Tue Sep 8 21:44:08 2015
 *filter
 :INPUT DROP [0:0]
-:FORWARD ACCEPT [0:0]
+:FORWARD DROP [0:0]
 :OUTPUT ACCEPT [0:0]
-:LOGGING - [0:0]
 -A INPUT -s 127.0.0.1/32 -j ACCEPT
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -p icmp -j ACCEPT
+
 # SSH-Server
 -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
 # dns
@@ -24,33 +26,25 @@ COMMIT
 -A INPUT -p udp -m udp --dport 53 -j ACCEPT
 #dhcp
 -I INPUT -i bat0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
-# http
--A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
 # ntp
 -A INPUT -p udp -m udp --dport 123 -j ACCEPT
-# munin
--A INPUT -p tcp -m tcp --dport 4949 -j ACCEPT
-# iperf
--A INPUT -i bat0 -p tcp -m tcp --dport 5001 -j ACCEPT
 # fastd
--A INPUT -p udp -m udp --dport 10000 -j ACCEPT
+-A INPUT -p udp -m udp --dport 10010:10021 -j ACCEPT
 # MOSH
 -A INPUT -p udp -m udp --dport 60000:61000 -j ACCEPT
-# LOG
--A INPUT -j LOGGING
--A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
--A LOGGING -j DROP
--A FORWARD -i bat0 -p udp --dport 10000 -j REJECT
+-A INPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped input: " --log-level 4
+
+-A FORWARD -i bataw -p udp --dport 10010:10021 -j REJECT
+-A FORWARD -i batcoc -p udp --dport 10010:10021 -j REJECT
+-A FORWARD -i batems -p udp --dport 10010:10021 -j REJECT
+-A FORWARD -i batko -p udp --dport 10010:10021 -j REJECT
+-A FORWARD -i batmy -p udp --dport 10010:10021 -j REJECT
+-A FORWARD -i batsim -p udp --dport 10010:10021 -j REJECT
+-A FORWARD -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped forward: " --log-level 4
 COMMIT
-# Completed on Tue Sep 8 21:44:08 2015
-# Generated by iptables-save v1.4.21 on Tue Sep 8 21:44:08 2015
 *nat
 :PREROUTING ACCEPT [0:0]
 :INPUT ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
--A POSTROUTING -o mullvad -j MASQUERADE
 COMMIT
-# Completed on Tue Sep 8 21:44:08 2015
-
diff --git a/roles/configure_static_routes/files/ffmyk-iproute.service b/roles/configure_static_routes/files/ffmyk-iproute.service
new file mode 100644
index 0000000..95bfe42
--- /dev/null
+++ b/roles/configure_static_routes/files/ffmyk-iproute.service
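Review bot: The context line `-I INPUT -i bat0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT` still names `bat0`, but this commit replaces bat0 with per-site `bat{{ item.name }}` interfaces (netctl_bat.j2 and the deleted netctl_bat0.j2), so DHCP requests arriving on the new interfaces fall through to the INPUT DROP policy and dhcpd4 is unreachable for clients. It needs one rule per site interface, as was done for the MARK and REJECT rules, or the file has to become a template that loops over `sites`. The removed `-A POSTROUTING -o mullvad -j MASQUERADE` also leaves the nat table with no NAT for client traffic, which is consistent with install_openvpn being disabled but deserves a comment so it is not mistaken for an oversight.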
@@ -0,0 +1,14 @@
+[Unit]
+Description=sets up ip rules and static routes
+ConditionPathExists=/usr/local/bin/ffmyk-iproute.sh
+
+[Service]
+Type=forking
+ExecStart=/usr/local/bin/ffmyk-iproute.sh
+TimeoutSec=0
+StandardOutput=tty
+RemainAfterExit=yes
+SysVStartPriority=99
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/configure_static_routes/files/ffmyk-iproute.sh b/roles/configure_static_routes/files/ffmyk-iproute.sh
new file mode 100755
index 0000000..ee7f6a0
--- /dev/null
+++ b/roles/configure_static_routes/files/ffmyk-iproute.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+#Routingtabelle ffmyk ist per default nicht erreichbar
+ip -4 route add unreachable default table ffmyk
+ip -6 route add unreachable default table ffmyk
+
+#Alles, was mit 0x1 markiert wird gehört zu Tabelle ffmyk
+ip -4 rule add from all fwmark 0x1 table ffmyk
+ip -6 rule add from all fwmark 0x1 table ffmyk
+
+#Alles mit Freifunk-IP - woher auch immer - gehlrt zu Tabelle ffmyk
+ip -4 rule add from 10.222.0.0/16 table ffmyk
+ip -6 rule add from 2001:470:cd45:FF00::/56 table ffmyk
diff --git a/roles/configure_static_routes/tasks/main.yml b/roles/configure_static_routes/tasks/main.yml
new file mode 100644
index 0000000..e89d845
--- /dev/null
+++ b/roles/configure_static_routes/tasks/main.yml
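Review bot: `Type=forking` does not match the script it starts, which runs a fixed list of `ip` commands and exits without forking, so systemd waits for a main process that never appears (`TimeoutSec=0` only hides this). `Type=oneshot` together with the existing `RemainAfterExit=yes` is the unit type for a one-off setup script; `SysVStartPriority=99` and `StandardOutput=tty` are legacy settings that can go at the same time. If the per-site netctl hooks are expected to run after this unit has populated the `ffmyk` table, that ordering should be stated with `Before=`/`After=` directives, since nothing orders them today.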
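Review bot: The script is not idempotent: each `ip rule add` and `ip route add` runs unconditionally, so a `systemctl restart ffmyk-iproute` either appends duplicate rules or fails with `RTNETLINK answers: File exists`, depending on kernel and iproute2 version. A guard such as `ip -4 rule show | grep -q 'fwmark 0x1' || ip -4 rule add from all fwmark 0x1 table ffmyk` (or an `ExecStop` that removes what `ExecStart` added) makes the unit safe to restart, and `set -e` at the top would at least make a partial failure visible instead of leaving a half-configured table. The comment word `gehlrt` is a typo for `gehört`, carried over from the deleted roles/setup_batman copy of this script.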
@@ -0,0 +1,38 @@
+---
+- name: name ffmyk routing table
+ lineinfile:
+ path: /etc/iproute2/rt_tables
+ line: 42 ffmyk
+
+- name: copy ffmyk ipro
ute config script
+ copy:
+ src: ffmyk-iproute.sh
+ dest: /usr/local/bin/ffmyk-iproute.sh
+ mode: 0744
+
+- name: copy site specific iproute up config script
+ template:
+ src: ffmyk-iproute-up.j2
+ dest: /usr/local/bin/ffmyk-iproute{{ item.name }}-up.sh
+ mode: 0744
+ with_items: "{{ sites }}"
+
+- name: copy site specific iproute down config script
+ template:
+ src: ffmyk-iproute-down.j2
+ dest: /usr/local/bin/ffmyk-iproute{{ item.name }}-down.sh
+ mode: 0744
+ with_items: "{{ sites }}"
+
+- name: copy ffmyk iproute systemd service
+ copy:
+ src: ffmyk-iproute.service
+ dest: /etc/systemd/system/ffmyk-iproute.service
+ mode: 0444
+
+- name: start and enable ffmyk iproute service
+ systemd:
+ name: ffmyk-iproute.service
+ daemon_reload: yes
+ enabled: yes
+ state: started
diff --git a/roles/configure_static_routes/templates/ffmyk-iproute-down.j2 b/roles/configure_static_routes/templates/ffmyk-iproute-down.j2
new file mode 100644
index 0000000..51a0a17
--- /dev/null
+++ b/roles/configure_static_routes/templates/ffmyk-iproute-down.j2
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+ip -4 route del {{item.net4 }} dev bat{{ item.name }} proto static table ffmyk
+ip -6 route del {{item.net6 }} dev bat{{ item.name }} proto static table ffmyk
+
+ip -4 rule del iif bat{{ item.name }} table ffmyk
+ip -6 rule del iif bat{{ item.name }} table ffmyk
+ip -4 rule del from {{ item.net4 }} table ffmyk
+ip -6 rule del from {{ item.net6 }} table ffmyk
+ip -4 rule del to {{ item.net4 }} table ffmyk
+ip -6 rule del to {{ item.net6 }} table ffmyk
diff --git a/roles/configure_static_routes/templates/ffmyk-iproute-up.j2 b/roles/configure_static_routes/templates/ffmyk-iproute-up.j2
new file mode 100644
index 0000000..a8275da
--- /dev/null
+++ b/roles/configure_static_routes/templates/ffmyk-iproute-up.j2
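Review bot: The two `ip route del` lines write the expressions as `{{item.net4 }}` and `{{item.net6 }}` while every other expression in this template is `{{ item.net4 }}`; Jinja renders both, but the uneven form reads like a typo and the same two spellings appear in the `route replace` lines of ffmyk-iproute-up.j2. Normalising all four to `{{ item.net4 }}` / `{{ item.net6 }}` keeps the pair of templates uniform.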
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+ip -4 rule add iif bat{{ item.name }} table ffmyk
+ip -6 rule add iif bat{{ item.name }} table ffmyk
+ip -4 rule add from {{ item.net4 }} table ffmyk
+ip -6 rule add from {{ item.net6 }} table ffmyk
+ip -4 rule add to {{ item.net4 }} table ffmyk
+ip -6 rule add to {{ item.net6 }} table ffmyk
+
+ip -4 route replace {{item.net4 }} dev bat{{ item.name }} proto static table ffmyk
+ip -6 route replace {{item.net6 }} dev bat{{ item.name }} proto static table ffmyk
diff --git a/roles/configure_sysctl/files/ff.conf b/roles/configure_sysctl/files/ff.conf
index a80a925..584bd67 100644
--- a/roles/configure_sysctl/files/ff.conf
+++ b/roles/configure_sysctl/files/ff.conf
@@ -1,4 +1,7 @@
 net.ipv4.ip_forward=1
+# Sonst landen ICMP-Fehlerpakete auf eth0 - mit source-IP 10.222.x.y...
+# https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
+net.ipv4.icmp_errors_use_inbound_ifaddr = 1
 net.ipv6.conf.all.forwarding=1
diff --git a/roles/install_bind/templates/named.conf.j2 b/roles/install_bind/templates/named.conf.j2
index ac2f9bd..9966332 100644
--- a/roles/install_bind/templates/named.conf.j2
+++ b/roles/install_bind/templates/named.conf.j2
@@ -10,18 +10,22 @@ options { auth-nxdomain no; # conform to RFC1035
- listen-on-v6 { {{ bat0_ipv6 }}; };
- listen-on port 53 { 127.0.0.1; {{ bat0_ipv4 }}; };
-
- allow-recursion { 127.0.0.1; 10.222.0.0/16; 2a01:198:70a:ff::/64; };
+ listen-on-v6 {
+{% for site in sites %}
+ {{ site.bat_ipv6 }};
+{% endfor %}
+ };
+ listen-on port 53 {
+ 127.0.0.1;
+{% for site in sites %}
+ {{ site.bat_ipv4 }};
+{% endfor %}
+ };
+
+ allow-recursion { 127.0.0.1; 10.222.0.0/16; 2001:470:cd45:ff00::/56; };
 allow-transfer { none; };
 allow-update { none; };
- //forwarders {
- // 85.214.20.141;
- // 213.73.91.35;
- //};
-
 version none;
 hostname none;
 server-id none;
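Review bot: `allow-recursion { 127.0.0.1; 10.222.0.0/16; 2001:470:cd45:ff00::/56; }` stays a fixed ACL while the `listen-on` blocks directly above now loop over `sites`; a site whose `net4`/`net6` lies outside those two prefixes would get a listener but be refused recursion, and nothing ties the ACL to the per-site networks. Building the ACL in the same loop, e.g. `allow-recursion { 127.0.0.1; {% for site in sites %}{{ site.net4 }}; {{ site.net6 }}; {% endfor %} };`, keeps the resolver closed to outside clients while following the site list. The enclosing `options {` block starts above this hunk.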
@@ -57,22 +61,9 @@ zone "." IN {
 file "root.hint";
 };
-zone "ffmyk" IN {
- type slave;
- file "bak/ffmyk.zone";
- allow-query { any; };
- masters { 10.222.100.1; };
-};
-
-//logging {
-// channel xfer-log {
-// file "/var/log/named.log";
-// print-category yes;
-// print-severity yes;
-// severity info;
-// };
-// category xfer-in { xfer-log; };
-// category xfer-out { xfer-log; };
-// category notify { xfer-log; };
+//zone "ffmyk" IN {
+// type slave;
+// file "bak/ffmyk.zone";
+// allow-query { any; };
+// masters { 10.222.100.1; };
 //};
-
diff --git a/roles/install_dhcp/tasks/main.yml b/roles/install_dhcp/tasks/main.yml
index 2e85106..4bcf845 100644
--- a/roles/install_dhcp/tasks/main.yml
+++ b/roles/install_dhcp/tasks/main.yml
@@ -4,24 +4,25 @@
 name: dhcp
 state: present
-- name: create dhcp file for static ips
- copy:
- content: ''
- dest: /etc/dhcpd.hosts.conf
- force: no
-
-- name: copy fastd-services-api.php
- copy:
- src: fastd-services-api.php
- dest: /etc/fastd-services-api.php
-
-- name: setup cronjob for fastd-services-api
- cron:
- name: fastd-services-api
- minute: '*/10'
- user: root
- cron_file: fastd-api
- job: '/usr/bin/php /etc/fastd-services-api.php'
+#- name: create dhcp file for static ips
+# copy:
+# content: ''
+# dest: /etc/dhcpd.hosts{{ item.name }}.conf
+# force: no
+# with_items: "{{ sites }}"
+#
+#- name: copy fastd-services-api.php
+# copy:
+# src: fastd-services-api.php
+# dest: /etc/fastd-services-api.php
+#
+#- name: setup cronjob for fastd-services-api
+# cron:
+# name: fastd-services-api
+# minute: '*/10'
+# user: root
+# cron_file: fastd-api
+# job: '/usr/bin/php /etc/fastd-services-api.php'
 - name: dhcpd.conf
 template:
diff --git a/roles/install_dhcp/templates/dhcpd.conf.j2 b/roles/install_dhcp/templates/dhcpd.conf.j2
index e985d1a..42496d6 100644
--- a/roles/install_dhcp/templates/dhcpd.conf.j2
+++ b/roles/install_dhcp/templates/dhcpd.conf.j2
@@ -5,14 +5,16 @@ authoritative; log-facility local7;
-subnet 10.222.0.0 netmask 255.255.0.0 {
- range {{ dhcp_start }} {{ dhcp_end }};
+{% for site in sites %}
+subnet {{ site.dhcp_subnet }} netmask {{ site.dhcp_netmask }} {
+ range {{ site.dhcp_start }} {{ site.dhcp_end }};
- option routers {{ bat0_ipv4 }};
- option domain-name-servers {{ bat0_ipv4 }};
+ option routers {{ site.bat_ipv4 }};
+ option domain-name-servers {{ site.bat_ipv4 }};
 }
+{% endfor %}
 subnet {{ ansible_default_ipv4['address'] }} netmask 255.255.255.255 {
 }
-include "/etc/dhcpd.hosts.conf";
+#include "/etc/dhcpd.hosts.conf";
diff --git a/roles/install_fastd/files/fastd-api.php b/roles/install_fastd/files/fastd-api.php
deleted file mode 100644
index 98da7a7..0000000
--- a/roles/install_fastd/files/fastd-api.php
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/usr/bin/php -f
-
diff --git a/roles/install_fastd/handlers/main.yml b/roles/install_fastd/handlers/main.yml
index e8051bc..01cff4d 100644
--- a/roles/install_fastd/handlers/main.yml
+++ b/roles/install_fastd/handlers/main.yml
@@ -4,7 +4,32 @@
 name: fastd@ffmyk.service
 state: reloaded
-- name: restart fastd
+- name: restart fastdaw
 systemd:
- name: fastd@ffmyk.service
+ name: fastd@ffaw.service
+ state: restarted
+
+- name: restart fastdcoc
+ systemd:
+ name: fastd@ffcoc.service
+ state: restarted
+
+- name: restart fastdems
+ systemd:
+ name: fastd@ffems.service
+ state: restarted
+
+- name: restart fastdko
+ systemd:
+ name: fastd@ffko.service
+ state: restarted
+
+- name: restart fastdmy
+ systemd:
+ name: fastd@ffmy.service
+ state: restarted
+
+- name: restart fastdsim
+ systemd:
+ name: fastd@ffsim.service
 state: restarted
diff --git a/roles/install_fastd/tasks/main.yml b/roles/install_fastd/tasks/main.yml
index 4a0a131..8f01e47 100644
--- a/roles/install_fastd/tasks/main.yml
+++ b/roles/install_fastd/tasks/main.yml
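Review bot: `site.dhcp_subnet` and `site.dhcp_netmask` describe the same network that `site.net4` already holds in CIDR form for the routing and named templates, so each site now carries its network twice and the two copies can silently diverge. If the netaddr-backed `ipaddr` filter is acceptable in this repository, `{{ site.net4 | ipaddr('network') }}` and `{{ site.net4 | ipaddr('netmask') }}` derive both values from `net4`; otherwise a comment on the `sites` entries stating that `dhcp_subnet`/`dhcp_netmask` must match `net4` is the minimum. Commenting out the `include "/etc/dhcpd.hosts.conf"` line also removes all static leases without a per-site replacement, which is worth a note if that is intended.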
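Review bot: The `reload fastd` handler in the context lines at the top of this hunk still targets `fastd@ffmyk.service`, which this commit no longer creates (instances are now `fastd@ff{{ item.name }}.service`), so it is both stale and, after the backbone-peers task was removed, unreferenced. The six new `restart fastd<site>` handlers also hard-code the site list that everywhere else comes from `sites`; adding a site to host_vars then makes `notify: restart fastd{{ item.name }}` in install_fastd/tasks/main.yml fail with a handler-not-found error until a handler is added here as well. One looping handler avoids both problems; the tasks would then use `notify: restart fastd`, and the stale reload handler can be dropped or pointed at the same loop with `state: reloaded`.
```yaml
- name: restart fastd
  systemd:
    name: fastd@ff{{ item.name }}.service
    state: restarted
  with_items: "{{ sites }}"
```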
@@ -6,77 +6,58 @@
 name: fastd
 tool: yaourt
-- name: create ffmyk folder
+- name: create site folder
 file:
- path: /etc/fastd/ffmyk
+ path: /etc/fastd/ff{{ item.name }}
 state: directory
+ with_items: "{{ sites }}"
 - name: fastd.conf
 template:
 src: fastd.conf.j2
- dest: /etc/fastd/ffmyk/fastd.conf
+ dest: /etc/fastd/ff{{ item.name }}/fastd.conf
 mode: 0640
- notify: restart fastd
-
-- name: create backbone folder
- file:
- path: /etc/fastd/ffmyk/backbone
- state: directory
-
-- name: add backbone peers
- copy:
- src: '{{ item }}'
- dest: /etc/fastd/ffmyk/backbone/{{ item }}
- with_items:
- - fastd1
- - fastd2
- - fastd3
- - fastd4
- - fastd5
- - fastd6
- - fastd7
- - fastd8
- - fastd9
- - fastd10
- - fastd11
- - fastd12
- - fastd13
- - fastd14
- - fastd15
- notify: reload fastd
+ notify: restart fastd{{ item.name }}
+ with_items: "{{ sites }}"
 - name: add fastd bin folder
 file:
- path: /etc/fastd/ffmyk/bin
+ path: /etc/fastd/ff{{ item.name }}/bin
 state: directory
+ with_items: "{{ sites }}"
 - name: add fastd up script
 template:
 src: fastd_up.sh.j2
- dest: /etc/fastd/ffmyk/bin/up.sh
+ dest: /etc/fastd/ff{{ item.name }}/bin/up.sh
 mode: 0744
- notify: restart fastd
+ notify: restart fastd{{ item.name }}
+ with_items: "{{ sites }}"
 - name: add fastd peers folder
 file:
- path: /etc/fastd/ffmyk/peers
+ path: /etc/fastd/ff{{ item.name }}/peers
 state: directory
+ with_items: "{{ sites }}"
 - name: add fastd peer api script
- copy:
- src: fastd-api.php
- dest: /etc/fastd/ffmyk/bin/fastd-api.php
+ template:
+ src: fastd-api.php.j2
+ dest: /etc/fastd/ff{{ item.name }}/bin/fastd-api.php
+ with_items: "{{ sites }}"
 - name: setup cronjob for fastd-api
 cron:
- name: fastd-api
+ name: fastd-api-{{ item.name }}
 minute: '*/10'
 user: root
 cron_file: fastd-api
- job: '/usr/bin/php /etc/fastd/ffmyk/bin/fastd-api.php'
+ job: '/usr/bin/php /etc/fastd/ff{{ item.name }}/bin/fastd-api.php'
+ with_items: "{{ sites }}"
 - name: start and enable fastd service
 systemd:
- name: fastd@ffmyk.service
+ name: fastd@ff{{ item.name }}.service
 enabled: yes
 state: started
+ with_items: "{{ sites }}"
diff --git a/roles/install_fastd/templates/fastd-api.php.j2 b/roles/install_fastd/templates/fastd-api.php.j2
new file mode 100644
index 0000000..7b1fc17
--- /dev/null
+++ b/roles/install_fastd/templates/fastd-api.php.j2
@@ -0,0 +1,45 @@
+#!/usr/bin/php -f
+
diff --git a/roles/install_fastd/templates/fastd.conf.j2 b/roles/install_fastd/templates/fastd.conf.j2
index 9d8a42b..1ec818d 100644
--- a/roles/install_fastd/templates/fastd.conf.j2
+++ b/roles/install_fastd/templates/fastd.conf.j2
@@ -1,18 +1,16 @@
 log to syslog level info;
-interface "ffmyk-mesh-vpn";
+interface "vpn{{ item.name }}";
 method "salsa2012+gmac";
 method "salsa2012+umac";
 secure handshakes yes;
-bind any:10000;
+bind any:{{ item.fastd_port1 }};
 hide ip addresses yes;
 hide mac addresses yes;
 mtu 1280;
 peer group "clients" {
 include peers from "peers";
- peer limit {{ fastd_peer_limit }};
 }
-include peers from "backbone";
-secret "{{ fastd_secret }}";
-on up "/etc/fastd/ffmyk/bin/up.sh $INTERFACE";
-status socket "/run/ffmyk.socket";
+secret "{{ item.fastd_secret }}";
+on up "/etc/fastd/ff{{ item.name }}/bin/up.sh $INTERFACE";
+status socket "/run/ff{{ item.name }}1.socket";
diff --git a/roles/install_fastd/templates/fastd_up.sh.j2 b/roles/install_fastd/templates/fastd_up.sh.j2
index 87b71ce..6ab39b0 100644
--- a/roles/install_fastd/templates/fastd_up.sh.j2
+++ b/roles/install_fastd/templates/fastd_up.sh.j2
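Review bot: Dropping `peer limit {{ fastd_peer_limit }}` from the `clients` peer group leaves each site's fastd instance with no cap on concurrent peers, which was the one resource-exhaustion control in this file; if the limit is still wanted it belongs in the per-site dict, `peer limit {{ item.fastd_peer_limit }};`, rather than disappearing along with the old global variable. `status socket "/run/ff{{ item.name }}1.socket"` hard-codes a `1` suffix while the port comes from `item.fastd_port1`, which suggests a second instance is planned; a short comment on that line would make the naming less surprising.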
@@ -1,11 +1,11 @@
 #!/bin/bash
-ip link set address {{ fastd_mesh_mac }} dev $1
+ip link set address {{ item.fastd_mesh_mac }} dev $1
 ip link set up dev $1
-batctl -m bat0 if add $1
-batctl -m bat0 gw server 1000000/1000000
-batctl -m bat0 it 10000
-batctl -m bat0 mm 1
-echo 128 > /sys/class/net/bat0/mesh/hop_penalty
-netctl start bat0
+batctl -m bat{{ item.name }} if add $1
+batctl -m bat{{ item.name }} gw server 1000000/1000000
+batctl -m bat{{ item.name }} it 10000
+batctl -m bat{{ item.name }} mm 1
+echo 64 > /sys/class/net/bat0/mesh/hop_penalty
+netctl start bat{{ item.name }}
 systemctl restart dhcpd4.service
 systemctl restart named.service
diff --git a/roles/install_radvd/handlers/main.yml b/roles/install_radvd/handlers/main.yml
new file mode 100644
index 0000000..37634dd
--- /dev/null
+++ b/roles/install_radvd/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart radvd
+ systemd:
+ name: radvd.service
+ state: restarted
diff --git a/roles/install_radvd/tasks/main.yml b/roles/install_radvd/tasks/main.yml
new file mode 100644
index 0000000..161e7a1
--- /dev/null
+++ b/roles/install_radvd/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+- name: install radvd
+ pacman:
+ name: radvd
+ state: present
+
+- name: radvd config
+ template:
+ src: radvd.conf.j2
+ dest: /etc/radvd.conf
+ notify: restart radvd
+
+- name: start and enable radvd
+ systemd:
+ name: radvd.service
+ enabled: yes
+ state: started
diff --git a/roles/install_radvd/templates/radvd.conf.j2 b/roles/install_radvd/templates/radvd.conf.j2
new file mode 100644
index 0000000..0774189
--- /dev/null
+++ b/roles/install_radvd/templates/radvd.conf.j2
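Review bot: `echo 64 > /sys/class/net/bat0/mesh/hop_penalty` still writes to `bat0` while every other line of the script was changed to `bat{{ item.name }}`, so the hop penalty is written to an interface that no longer exists (the write fails) instead of to the site's mesh interface; it should read `echo 64 > /sys/class/net/bat{{ item.name }}/mesh/hop_penalty`. `$1` is also used unquoted throughout; `"$1"` is the safe form for the interface name fastd passes in. Restarting dhcpd4 and named on every interface up is unchanged, but with several sites it now happens once per site coming up, which may be worth a comment.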
@@ -0,0 +1,26 @@
+{% for site in sites %}
+interface bat{{ site.name }}
+{
+ AdvSendAdvert on;
+ IgnoreIfMissing on;
+ MinRtrAdvInterval 3;
+ MaxRtrAdvInterval 900;
+
+ AdvDefaultPreference low;
+ AdvHomeAgentFlag off;
+
+ prefix {{ site.net6 }}
+ {
+ AdvOnLink on;
+ AdvAutonomous on;
+ AdvRouterAddr off;
+ };
+
+ RDNSS {{ site.bat_ipv6 }}
+ {
+ AdvRDNSSLifetime 30;
+ };
+
+};
+
+{% endfor %}
diff --git a/roles/setup_batman/files/ffmyk-iproute.sh b/roles/setup_batman/files/ffmyk-iproute.sh
deleted file mode 100755
index 49fbb16..0000000
--- a/roles/setup_batman/files/ffmyk-iproute.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/bash
-#Routingtabelle ffmyk ist per default nicht erreichbar
-ip route add unreachable default table ffmyk
-
-#Alles, was mit 0x1 markiert wird gehört zu Tabelle ffmyk
-ip rule add from all fwmark 0x1 table ffmyk
-
-#Alles mit Freifunk-IP - woher auch immer - gehlrt zu Tabelle ffmyk
-ip rule add from 10.222.0.0/16 table ffmyk
-
-#Tabelle ffmyk routet das Ziel mit Freifunk-IPs über das Device bat0
-ip route replace 10.222.0.0/16 dev bat0 table ffmyk
-
-ip route replace 0.0.0.0/1 via 10.222.100.1 dev bat0 metric 666 table ffmyk # fastd1
-ip route replace 128.0.0.0/1 via 10.222.100.1 dev bat0 metric 666 table ffmyk # fastd1
-ip route replace 0.0.0.0/1 via 10.222.112.1 dev bat0 metric 667 table ffmyk # fastd2
-ip route replace 128.0.0.0/1 via 10.222.112.1 dev bat0 metric 667 table ffmyk # fastd2
-ip route replace 0.0.0.0/1 via 10.222.120.1 dev bat0 metric 668 table ffmyk # fastd3
-ip route replace 128.0.0.0/1 via 10.222.120.1 dev bat0 metric 668 table ffmyk # fastd3
-
diff --git a/roles/setup_batman/tasks/main.yml b/roles/setup_batman/tasks/main.yml
index b8f49da..dd03ed1 100644
--- a/roles/setup_batman/tasks/main.yml
+++ b/roles/setup_batman/tasks/main.yml
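Review bot: `AdvRDNSSLifetime 30;` is far below `MaxRtrAdvInterval 900;`, so clients expire the RDNSS entry long before the next unsolicited advertisement refreshes it and are left without a resolver for most of each interval; I believe radvd also logs a warning for a lifetime shorter than MaxRtrAdvInterval. Either raise it to at least the maximum interval (`AdvRDNSSLifetime 900;`, or omit the option to take radvd's default) or lower `MaxRtrAdvInterval` to match. `AdvDefaultPreference low` and `AdvRouterAddr off` look deliberate for a multi-gateway mesh, but a one-line comment would spare the next reader the guess.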
@@ -14,18 +14,8 @@
 name: batctl
 state: present
-- name: name ffmyk routing table
- lineinfile:
- path: /etc/iproute2/rt_tables
- line: 42 ffmyk
-
-- name: copy ffmyk iproute config script
- copy:
- src: ffmyk-iproute.sh
- dest: /usr/local/bin/ffmyk-iproute.sh
- mode: 0744
-
-- name: add netctl config
+- name: add batman netctl config for sites
 template:
- src: netctl_bat0.j2
- dest: /etc/netctl/bat0
+ src: netctl_bat.j2
+ dest: "/etc/netctl/bat{{ item.name }}"
+ with_items: "{{ sites }}"
diff --git a/roles/setup_batman/templates/netctl_bat.j2 b/roles/setup_batman/templates/netctl_bat.j2
new file mode 100644
index 0000000..01ebb6d
--- /dev/null
+++ b/roles/setup_batman/templates/netctl_bat.j2
@@ -0,0 +1,8 @@
+Connection=ethernet
+Interface=bat{{ item.name }}
+IP=static
+IP6=static
+Address6=({{ item.bat_ipv6 }}/64)
+Address=({{ item.bat_ipv4 }}/20)
+ExecUpPost=/usr/local/bin/ffmyk-iproute{{ item.name }}-up.sh
+ExecDownPre=/usr/local/bin/ffmyk-iproute{{ item.name }}-down.sh
diff --git a/roles/setup_batman/templates/netctl_bat0.j2 b/roles/setup_batman/templates/netctl_bat0.j2
deleted file mode 100644
index e48c5b8..0000000
--- a/roles/setup_batman/templates/netctl_bat0.j2
+++ /dev/null
@@ -1,7 +0,0 @@
-Connection=ethernet
-Interface=bat0
-IP=static
-IP6=static
-Address6=({{ bat0_ipv6 }}/64)
-Address=({{ bat0_ipv4 }}/16)
-ExecUpPost=/usr/local/bin/ffmyk-iproute.sh
diff --git a/setup_fastd.yml b/setup_fastd.yml
index 2ddf41a..d34cd02 100644
--- a/setup_fastd.yml
+++ b/setup_fastd.yml
@@ -7,16 +7,18 @@
 - configure_journald
 - configure_sysctl
 - configure_iptables
- - install_ssmtp
+ - configure_static_routes
+ #- install_ssmtp
 - install_cronie
 - install_php
- - install_nginx
+ #- install_nginx
 - install_ntp
 - install_haveged
 - setup_batman
 - install_dhcp
+ - install_radvd
 - install_bind
 - install_fastd
- - install_openvpn
- - install_monitoring
+ #- install_openvpn
+ #- install_monitoring
 - install_admin_packages
-- 
cgit v1.2.3-54-g00ecf
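Review bot: `Address=({{ item.bat_ipv4 }}/20)` and `Address6=({{ item.bat_ipv6 }}/64)` hard-code the prefix lengths while each site already declares its networks in `item.net4`/`item.net6`, so a site with a different prefix size gets a wrong on-link mask here; the old bat0 template used /16 and the move to /20 is not explained anywhere in the commit. Deriving the length from the CIDR, e.g. `Address=({{ item.bat_ipv4 }}/{{ item.net4 | ipaddr('prefix') }})` with the netaddr-backed `ipaddr` filter, or adding explicit `bat_prefix4`/`bat_prefix6` fields to the site dict, keeps netctl, dhcpd and the routing templates in agreement; failing that, a comment stating that all sites are assumed to be /20 and /64 should sit on these two lines.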