diff --git a/host_vars/ff-nat64 b/host_vars/ff-nat64 new file mode 100644 index 0000000..2209208 --- /dev/null +++ b/host_vars/ff-nat64 @@ -0,0 +1,18 @@ +--- +ansible_host: 2a01:4f8:a0:9395:2::3 +#ansible_host: 10.0.4.67 +wireguard_bb_name: 'nat64' +wireguard_bb_endpoint: '2a01:4f8:a0:9395:2::3' +wireguard_bb_priv_key: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 39303530363738363764303964346631313532353762343263316166383534373763303538376363 + 3733366465336331353939346464306162353938353666370a613166623931613430613333613139 + 63356231653035663232376330363763393732666135356639663537666534326136356431663264 + 6330643965613562380a623830616437653563613630663332313266623239373634643431313064 + 62306263343934616462356536613235363866303736636537633766616663346363326234323532 + 3862346431613738663665613661623236323139616639613432 +wireguard_bb_pub_key: '4f3BbS38u97CNN3LDUZS//vO3JTzAl6zRWovuIAGcQM=' +wireguard_bb_ipv4: '10.222.0.6' +wireguard_bb_ipv6: 'fe80::ffbb:ffbb:6' +wireguard_bb_port: 10106 +preferred_uplink: 'uplink2' diff --git a/inventory.ini b/inventory.ini index 9d82673..5cb4f69 100644 --- a/inventory.ini +++ b/inventory.ini @@ -27,3 +27,6 @@ ff-uplink2 [uplink:children] mullvad_uplink ffrl_uplink + +[nat64] +ff-nat64 diff --git a/roles/configure_iptables/templates/ip6tables.rules b/roles/configure_iptables/templates/ip6tables.rules index 8ee9f91..48ede0f 100644 --- a/roles/configure_iptables/templates/ip6tables.rules +++ b/roles/configure_iptables/templates/ip6tables.rules @@ -10,7 +10,7 @@ {% endfor %} {% endif %} -{% if 'fastd' in group_names %} +{% if 'fastd' in group_names or 'nat64' in group_names %} {% for peer in groups['uplink'] %} -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff {% endfor %} 
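Review bot: `wireguard_bb_endpoint` repeats the `ansible_host` literal `2a01:4f8:a0:9395:2::3`, and the stale `#ansible_host: 10.0.4.67` line suggests `ansible_host` gets toggled between addresses, so the two will drift apart on the next move. Either derive it, `wireguard_bb_endpoint: "{{ ansible_host }}"`, or keep them separate on purpose and say so, `# endpoint stays the public v6 address even when ansible_host is switched to the v4 management address`. The private key is vault-encrypted, which is right; the public key and port are the only values peers need.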
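Review bot: The predicate `'fastd' in group_names or 'nat64' in group_names` is now spelled out in this hunk and at line 63 of ip6tables.rules, twice in babeld.conf.j2 (there with extra parentheses), and in install_wireguard_backbone/tasks/main.yml, while iptables.rules gets a separate `{% if 'nat64' in group_names %}` copy of the same block instead; each new leaf type means touching all of them again. inventory.ini already uses the children mechanism (`[uplink:children]`), so a group such as `[backbone_leaf:children]` containing `fastd` and `nat64` would let every template and task test `'backbone_leaf' in group_names` once. I would apply it in all the places named here, not just this hunk.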
@@ -19,6 +19,9 @@ {% for peer in groups['fastd'] %} -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff {% endfor %} +{% for peer in groups['nat64'] %} +-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff +{% endfor %} {% for peer in groups['uplink'] | difference([inventory_hostname]) %} -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff {% endfor %} @@ -57,7 +60,7 @@ COMMIT {% endfor %} {% endif %} # wireguard_backbone -{% if 'fastd' in group_names %} +{% if 'fastd' in group_names or 'nat64' in group_names %} {% for peer in groups['uplink'] %} -A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT -A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT @@ -68,6 +71,10 @@ COMMIT -A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT -A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT {% endfor %} +{% for peer in groups['nat64'] %} +-A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT +-A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT +{% endfor %} {% for peer in groups['uplink'] | difference([inventory_hostname]) %} -A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT -A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT diff --git a/roles/configure_iptables/templates/iptables.rules b/roles/configure_iptables/templates/iptables.rules index f76fa56..3f0c6a1 100644 --- a/roles/configure_iptables/templates/iptables.rules +++ b/roles/configure_iptables/templates/iptables.rules 
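Review bot: `{% for peer in groups['nat64'] %}` raises an undefined-key error when the inventory being rendered has no `[nat64]` group, whereas the previous fastd-only template rendered fine; the same applies to the INPUT hunk at line 71 of this file, the interface loop in babeld.conf.j2 at line 14, and all four `with_items: "{{ groups['nat64'] }}"` tasks in uplink_tasks.yml. The added loops are also byte-for-byte copies of the fastd loop right above them. Both are fixed by extending the existing loop instead of duplicating it, `{% for peer in groups['fastd'] + groups['nat64'] | default([]) %}` (and `with_items: "{{ groups['fastd'] + (groups['nat64'] | default([])) }}"` in the task files).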
@@ -23,6 +23,11 @@ -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff {% endfor %} {% endif %} +{% if 'nat64' in group_names %} +{% for peer in groups['uplink'] %} +-A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff +{% endfor %} +{% endif %} COMMIT *filter :INPUT DROP [0:0] @@ -34,8 +39,6 @@ COMMIT # SSH-Server -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -# nginx --A INPUT -p tcp -m tcp --dport 80 -j ACCEPT # iperf3 -A INPUT -p tcp -m tcp -s 10.222.0.0/16 --dport 5201 -j ACCEPT diff --git a/roles/configure_static_routes/files/ffmyk-iproute.sh b/roles/configure_static_routes/files/ffmyk-iproute.sh index b0ce1a0..831d30d 100755 --- a/roles/configure_static_routes/files/ffmyk-iproute.sh +++ b/roles/configure_static_routes/files/ffmyk-iproute.sh @@ -14,4 +14,5 @@ ip -4 rule add to 10.222.64.0/18 table ffmyk priority 10 ip -4 rule add to 10.222.128.0/17 table ffmyk priority 10 ip -6 rule add to 2001:470:cd45:ff00::/56 table ffmyk priority 10 ip -6 rule add to 2a03:2260:1016::/48 table ffmyk priority 10 +ip -6 rule add to 64:ff9b::/96 table ffmyk priority 10 ip -6 rule add to fd62:44e1:da::/48 table ffmyk priority 10 diff --git a/roles/install_babeld/templates/babeld.conf.j2 b/roles/install_babeld/templates/babeld.conf.j2 index 98b3acd..3ef7e53 100644 --- a/roles/install_babeld/templates/babeld.conf.j2 +++ b/roles/install_babeld/templates/babeld.conf.j2 @@ -5,7 +5,7 @@ ipv6-subtrees true # You must provide at least one interface for babeld to operate on. -{% if 'fastd' in group_names %} +{% if ('fastd' in group_names) or ('nat64' in group_names) %} {% for peer in groups['uplink'] %} interface bb{{ hostvars[peer]['wireguard_bb_name'] }} {% endfor %} 
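Review bot: The new `{% if 'nat64' in group_names %}` block re-emits the same three lines as the fastd block that ends just above it (`-A PREROUTING -i bb{{ ... }} -j MARK` / `{% endfor %}` / `{% endif %}` are visible as context), whereas ip6tables.rules handles the same case by widening the existing condition to `'fastd' in group_names or 'nat64' in group_names`; the two templates should use the same form. Dropping the port-80 ACCEPT in the second hunk matches the nginx removal elsewhere in the commit; if ip6tables.rules still carries an equivalent `--dport 80` rule it is not shown here and should go too, since :80 is otherwise closed on v4 only.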
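Review bot: The new `64:ff9b::/96` rule is the only line in this script whose prefix is not one of the site's own ranges, and nothing says why it is steered into table `ffmyk`; a comment would save the next reader a lookup, `# 64:ff9b::/96 is the well-known NAT64 prefix (RFC 6052); route it via the nat64 host like site prefixes`. The script's `ip -6 rule add` lines are not idempotent (a second run fails on an existing rule), but that is pre-existing and not changed by this hunk.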
@@ -14,6 +14,9 @@ interface bb{{ hostvars[peer]['wireguard_bb_name'] }} {% for peer in groups['fastd'] %} interface bb{{ hostvars[peer]['wireguard_bb_name'] }} {% endfor %} +{% for peer in groups['nat64'] %} +interface bb{{ hostvars[peer]['wireguard_bb_name'] }} +{% endfor %} {% for peer in groups['uplink'] | difference([inventory_hostname]) %} interface bb{{ hostvars[peer]['wireguard_bb_name'] }} {% endfor %} @@ -62,7 +65,7 @@ redistribute ip 64:ff9b::/96 allow redistribute ip fd62:44e1:da::/48 allow redistribute local deny -{% if 'fastd' in group_names and preferred_uplink is defined %} +{% if ('fastd' in group_names or 'nat64' in group_names) and preferred_uplink is defined %} {% for peer in groups['uplink'] %} {% if not hostvars[peer]['wireguard_bb_name'] == preferred_uplink %} in if bb{{ hostvars[peer]['wireguard_bb_name'] }} metric 64 diff --git a/roles/install_monitoring/files/vnstat b/roles/install_monitoring/files/vnstat deleted file mode 100644 index cbd2f7c..0000000 --- a/roles/install_monitoring/files/vnstat +++ /dev/null @@ -1,37 +0,0 @@ -server { - listen 80 default_server; - listen [::]:80 default_server ipv6only=on; - server_name localhost; - - charset UTF-8; - - index index.html index.htm; - root /srv/http/vnstat; - - location / { - try_files $uri $uri/ =404; - autoindex on; - } - - # redirect server error pages to the static page /50x.html - # - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root /usr/share/nginx/html; - } - - location /nginx_status { - stub_status on; - access_log off; - allow 127.0.0.1; - allow ::1; - deny all; - } - - - location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|css|js|swf|svg)$ { - expires 30d; - # Optional: Don't log access to assets - access_log off; - } -} diff --git a/roles/install_monitoring/files/vnstat.sh b/roles/install_monitoring/files/vnstat.sh deleted file mode 100755 index 7ff875c..0000000 --- a/roles/install_monitoring/files/vnstat.sh +++ /dev/null 
@@ -1,45 +0,0 @@ -#!/bin/sh -set -e - -IFACES=$(ls /var/lib/vnstat/) - -TARGET=/srv/http/vnstat/ - -for iface in $IFACES; do - /usr/bin/vnstati -i ${iface} -h -o ${TARGET}${iface}_hourly.png - /usr/bin/vnstati -i ${iface} -d -o ${TARGET}${iface}_daily.png - /usr/bin/vnstati -i ${iface} -m -o ${TARGET}${iface}_monthly.png - /usr/bin/vnstati -i ${iface} -t -o ${TARGET}${iface}_top10.png - /usr/bin/vnstati -i ${iface} -s -o ${TARGET}${iface}_summary.png -done - -cat > ${TARGET}index.html < - - - - - - - - - -EOT - - -for iface in $IFACES; do - sed s/IFACE/${iface}/g >> ${TARGET}index.html < - traffic summary
- traffic per month
- traffic per hour
- traffic top10
- traffic per day - -EOT - -done - -echo "" >> ${TARGET}index.html - diff --git a/roles/install_monitoring/tasks/install_vnstat.yml b/roles/install_monitoring/tasks/install_vnstat.yml deleted file mode 100644 index 4027aa6..0000000 --- a/roles/install_monitoring/tasks/install_vnstat.yml +++ /dev/null 
@@ -1,73 +0,0 @@ ---- -- name: install vnstat - pacman: - name: vnstat - state: present - -- name: start and enable vnstat service - systemd: - name: vnstat.service - enabled: yes - state: started - -- name: add interfaces to vnstat for batman interfaces - command: /usr/bin/vnstat -u -i bat{{ item.name }} - args: - creates: '/var/lib/vnstat/bat{{ item.name }}' - with_items: "{{ sites }}" - when: "'fastd' in group_names" - -- name: add interfaces to vnstat for uplink interfaces - command: /usr/bin/vnstat -u -i bb{{ hostvars[item]['wireguard_bb_name'] }} - args: - creates: "/var/lib/vnstat/bb{{ hostvars[item]['wireguard_bb_name'] }}" - with_items: - - "{{ groups['uplink'] }}" - when: "'fastd' in group_names" - -- name: add interfaces to vnstat for outgoing v4 interface - command: /usr/bin/vnstat -u -i {{ ansible_default_ipv4.interface }} - args: - creates: '/var/lib/vnstat/{{ ansible_default_ipv4.interface }}' - -- name: add interfaces to vnstat for outgoing v6 interface - command: /usr/bin/vnstat -u -i {{ ansible_default_ipv6.interface }} - args: - creates: '/var/lib/vnstat/{{ ansible_default_ipv6.interface }}' - -- name: add output folder for vnstat graphs - file: - path: /srv/http/vnstat - state: directory - -- name: install gd which is needed for graph generation - pacman: - name: gd - state: present - -- name: add bash script to generate vnstat graphs - copy: - src: vnstat.sh - dest: /usr/local/bin/vnstat.sh - mode: 0744 - -- name: add cronjob to generate vnstat graphs - cron: - name: vnstat - minute: '*/5' - user: root - cron_file: vnstat - job: '/usr/local/bin/vnstat.sh' - -- name: add vnstat nginx config - copy: - src: vnstat - dest: /etc/nginx/sites-available/vnstat - notify: reload nginx - -- name: enable vnstat nginx config - file: - src: /etc/nginx/sites-available/vnstat - dest: /etc/nginx/sites-enabled/vnstat - state: link - notify: reload nginx 
diff --git a/roles/install_monitoring/tasks/main.yml b/roles/install_monitoring/tasks/main.yml index afb4db9..6600e0c 100644 --- a/roles/install_monitoring/tasks/main.yml +++ b/roles/install_monitoring/tasks/main.yml @@ -1,7 +1,4 @@ --- -- name: install vnstat - import_tasks: install_vnstat.yml - - name: install ffmyk-influx include: install_ffmyk-influx.yml when: "'fastd' in group_names" diff --git a/roles/install_radvd/templates/radvd.conf.j2 b/roles/install_radvd/templates/radvd.conf.j2 index a27a24e..81e4379 100644 --- a/roles/install_radvd/templates/radvd.conf.j2 +++ b/roles/install_radvd/templates/radvd.conf.j2 @@ -3,8 +3,8 @@ interface bat{{ site.name }} { AdvSendAdvert on; IgnoreIfMissing on; - MinRtrAdvInterval 60; - MaxRtrAdvInterval 600; + MinRtrAdvInterval 10; + MaxRtrAdvInterval 300; AdvDefaultPreference low; AdvHomeAgentFlag off; diff --git a/roles/install_wireguard_backbone/tasks/main.yml b/roles/install_wireguard_backbone/tasks/main.yml index 9ccfe05..24facda 100644 --- a/roles/install_wireguard_backbone/tasks/main.yml +++ b/roles/install_wireguard_backbone/tasks/main.yml @@ -5,7 +5,7 @@ dest: /etc/systemd/system/wgbackbone@.service - include_tasks: fastd_tasks.yml - when: "'fastd' in group_names" + when: "('fastd' in group_names) or ('nat64' in group_names)" - include_tasks: uplink_tasks.yml when: "'uplink' in group_names" diff --git a/roles/install_wireguard_backbone/tasks/uplink_tasks.yml b/roles/install_wireguard_backbone/tasks/uplink_tasks.yml index ea906e5..357fa0b 100644 --- a/roles/install_wireguard_backbone/tasks/uplink_tasks.yml +++ b/roles/install_wireguard_backbone/tasks/uplink_tasks.yml @@ -6,6 +6,13 @@ mode: 0400 with_items: "{{ groups['fastd'] }}" +- name: create wireguard config for nat64 + template: + src: wg.conf.j2 + dest: /etc/wireguard/wgbb{{ hostvars[item]['wireguard_bb_name'] }}.conf + mode: 0400 + with_items: "{{ groups['nat64'] }}" + - name: create wireguard config for uplinks template: src: wg.conf.j2 
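Review bot: Lowering `MinRtrAdvInterval`/`MaxRtrAdvInterval` from 60/600 to 10/300 is unrelated to the NAT64 work in the rest of the commit and the template gives no reason for it, so a reader later cannot tell whether 10/300 was tuned or copied. The values are valid (radvd requires Min ≤ 0.75 × Max and Min ≥ 3, per RFC 4861), but a one-line comment above them should state the motivation; presumably faster router (re)discovery for clients, `# 10/300 s (was 60/600): clients learn of router changes faster; keep Min <= 0.75*Max (RFC 4861)`. Note that on a mesh interface this multiplies unsolicited RA multicast by roughly two on average.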
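Review bot: `fastd_tasks.yml` is now included for nat64 hosts as well, so its name no longer describes when it runs and will mislead the next person adding a leaf type. Either rename it (e.g. `leaf_tasks.yml`) or add a comment on the include, `# leaf-side backbone setup: runs on fastd and nat64 hosts`. The `when:` also uses the parenthesized form `('fastd' in group_names) or ('nat64' in group_names)` while ip6tables.rules uses the bare form; pick one.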
@@ -27,6 +34,13 @@ mode: 0744 with_items: "{{ groups['fastd'] }}" +- name: create wireguard up scripts for nat64 + template: + src: up.sh.j2 + dest: /etc/wireguard/upbb{{ hostvars[item]['wireguard_bb_name'] }}.sh + mode: 0744 + with_items: "{{ groups['nat64'] }}" + - name: create wireguard up scripts for uplinks template: src: up.sh.j2 @@ -48,6 +62,13 @@ mode: 0744 with_items: "{{ groups['fastd'] }}" +- name: create wireguard down scripts for nat64 + template: + src: down.sh.j2 + dest: /etc/wireguard/downbb{{ hostvars[item]['wireguard_bb_name'] }}.sh + mode: 0744 + with_items: "{{ groups['nat64'] }}" + - name: create wireguard down scripts for uplinks template: src: down.sh.j2 @@ -70,6 +91,14 @@ daemon_reload: yes with_items: "{{ groups['fastd'] }}" +- name: start and enable wireguard mesh for nat64 + systemd: + name: wgbackbone@{{ hostvars[item]['wireguard_bb_name'] }}.service + enabled: yes + state: started + daemon_reload: yes + with_items: "{{ groups['nat64'] }}" + - name: start and enable wireguard mesh for uplinks systemd: name: wgbackbone@{{ hostvars[item]['wireguard_bb_name'] }}.service diff --git a/setup_fastd.yml b/setup_fastd.yml index 6ba05ce..9bdd93d 100644 --- a/setup_fastd.yml +++ b/setup_fastd.yml @@ -10,7 +10,7 @@ #- install_ssmtp - install_cronie - install_php - - install_nginx + #- install_nginx - install_ntp - install_haveged - setup_batman @@ -58,7 +58,7 @@ - configure_iptables - configure_static_routes - install_cronie - - install_nginx + #- install_nginx - install_ntp - install_haveged - install_wireguard 
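Review bot: Commenting out `install_nginx` (both hunks in setup_fastd.yml) and deleting the vnstat tasks only stops provisioning them; on hosts that were already set up, nginx keeps running with `/etc/nginx/sites-enabled/vnstat` linked, `vnstat.service` stays enabled, and `/etc/cron.d/vnstat` keeps invoking `/usr/local/bin/vnstat.sh` every five minutes (all created by the removed install_vnstat.yml). The iptables hunk closes :80 on v4, but nothing on the page removes the listener or the cron job, so the drift is silent. Add explicit cleanup tasks where the removed `import_tasks: install_vnstat.yml` was, along the lines below; `install_php` is left enabled without a web server, which is presumably intended but worth confirming.
```yaml
- name: remove vnstat cronjob
  cron:
    name: vnstat
    cron_file: vnstat
    user: root
    state: absent

- name: stop and disable vnstat service
  systemd:
    name: vnstat.service
    enabled: no
    state: stopped

- name: remove vnstat nginx site and generator script
  file:
    path: "{{ item }}"
    state: absent
  with_items:
    - /etc/nginx/sites-enabled/vnstat
    - /etc/nginx/sites-available/vnstat
    - /usr/local/bin/vnstat.sh
  notify: reload nginx
```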
@@ -78,3 +78,26 @@ user: root roles: - setup_ffrl_tunnel +- name: setup nat64 + hosts: nat64 + user: root + roles: + - configure_journald + - configure_sysctl + - configure_iptables + - configure_static_routes + #- install_ssmtp + - install_cronie + #- install_php + #- install_nginx + - install_ntp + - install_haveged + #- setup_batman + #- install_bind + - install_wireguard + - install_wireguard_backbone + - install_babeld + - install_monitoring + - install_iperf3 + - update_ssh_keys + - install_admin_packages
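Review bot: The new `setup nat64` play wires the host into the WireGuard backbone, babeld and the firewall, but no role in the list installs or configures a NAT64 translator or announces `64:ff9b::/96` from this host; if that is done by hand or by a role outside this commit, a comment at the top of the play should say so, `# NAT64 translator itself is configured out of band (TODO: role)`. `install_monitoring` is included, yet the remaining task in its main.yml is conditioned on `'fastd' in group_names`, so it is presumably a no-op on this host. The seven commented-out roles are clutter copied from the fastd play; listing only the active roles reads cleaner.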