diff --git a/roles/configure_iptables/templates/ip6tables.rules b/roles/configure_iptables/templates/ip6tables.rules
index 5bb058c..5667a83 100644
--- a/roles/configure_iptables/templates/ip6tables.rules
+++ b/roles/configure_iptables/templates/ip6tables.rules
@@ -31,13 +31,15 @@ COMMIT # SSH-Server -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT +# nginx +-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT +# munin +-A INPUT -p tcp -m tcp --dport 4949 -j ACCEPT {% if 'fastd' in group_names %} # dns -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT -A INPUT -p udp -m udp --dport 53 -j ACCEPT -# nginx --A INPUT -p tcp -m tcp --dport 80 -j ACCEPT # ntp -A INPUT -p udp -m udp --dport 123 -j ACCEPT # fastd
@@ -85,8 +87,8 @@ COMMIT
 -A FORWARD -o {{ ansible_default_ipv6.interface }} -j REJECT
 {% if 'ffrl_uplink' in group_names %}
 {% for peer in ffrl_peers %}
-iptables -A FORWARD -i {{ peer.name }} -d 2a03:2260:1016::/48 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-iptables -A FORWARD -o {{ peer.name }} -s 2a03:2260:1016::/48 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+-A FORWARD -i {{ peer.name }} -d 2a03:2260:1016::/48 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+-A FORWARD -o {{ peer.name }} -s 2a03:2260:1016::/48 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 {% endfor %}
 {% endif %}
 COMMIT
diff --git a/roles/configure_iptables/templates/iptables.rules b/roles/configure_iptables/templates/iptables.rules
index 3c750f9..c568e4e 100644
--- a/roles/configure_iptables/templates/iptables.rules
+++ b/roles/configure_iptables/templates/iptables.rules
@@ -31,6 +31,8 @@ COMMIT # SSH-Server -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT +# nginx +-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT {% if 'fastd' in group_names %} # dns
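Review bot: The new `-A INPUT -p tcp -m tcp --dport 4949 -j ACCEPT` in the ip6tables hunk at -31,13 accepts munin-node connections from any IPv6 source on every host, because it is placed above the `{% if 'fastd' in group_names %}` guard and carries no `-s` match; unless the `allow` list in munin-node.conf (copied by install_munin.yml but not shown here) restricts the poller, any client can query the node's plugin output. Consider scoping it to the master, e.g. `-A INPUT -s <munin-master-ipv6>/128 -p tcp -m tcp --dport 4949 -j ACCEPT`, or add a comment above the rule stating that the munin-node `allow` ACL is the intended control. The matching iptables.rules hunk at -31,6 adds only the nginx rule and no 4949 rule, so IPv4 polling would still be dropped — if v6-only polling is intended, a comment saying so would stop the next reader from "fixing" it.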
@@ -40,8 +42,6 @@ COMMIT
 {% for site in sites %}
 -I INPUT -i bat{{ site.name }} -p udp --dport 67:68 --sport 67:68 -j ACCEPT
 {% endfor %}
-# nginx
--A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
 # ntp
 -A INPUT -p udp -m udp --dport 123 -j ACCEPT
 # fastd
@@ -71,8 +71,8 @@ COMMIT -A FORWARD -o {{ ansible_default_ipv4.interface }} -j REJECT {% if 'ffrl_uplink' in group_names %} {% for peer in ffrl_peers %} -iptables -A FORWARD -i {{ peer.name }} -d 10.222.0.0/16 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -iptables -A FORWARD -o {{ peer.name }} -s 10.222.0.0/16 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu +-A FORWARD -i {{ peer.name }} -d 10.222.0.0/16 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu +-A FORWARD -o {{ peer.name }} -s 10.222.0.0/16 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu {% endfor %} {% endif %}
diff --git a/roles/install_monitoring/files/munin/munin_fastd_conf b/roles/install_monitoring/files/munin/munin_fastd_conf
deleted file mode 100644
index 984b05a..0000000
--- a/roles/install_monitoring/files/munin/munin_fastd_conf
+++ /dev/null
@@ -1,5 +0,0 @@
-[fastd_*]
-user root
-group root
-env.socketfile /run/ffmyk.socket
-
diff --git a/roles/install_monitoring/files/munin/munin_fastd_peers b/roles/install_monitoring/files/munin/munin_fastd_peers
new file mode 100644
index 0000000..17a0084
--- /dev/null
+++ b/roles/install_monitoring/files/munin/munin_fastd_peers
@@ -0,0 +1,73 @@
+#!/usr/bin/perl -w
+# -*- perl -*-
+
+=head1 NAME
+
+fastd_peers_ - Plugin to monitor fastd peers
+
+=head1 CONFIGURATION
+
+Set user and group to have access to the socket
+Set path to socketfile if not /tmp/fastd.sock
+
+ [fastd_peers_*]
+ user fastd
+ group fastd
+ env.socketfile /tmp/fastd.sock
+
+=head1 USAGE
+
+Link this plugin to /etc/munin/plugins/
+
+After creating the links, restart munin-node. Don't forget to configure the plugin!
+
+=head1 AUTHORS
+
+Dominique Goersch
+Niklas Yann Wettengel
+
+=head1 LICENSE
+
+GPLv2
+
+=head1 MAGIC MARKERS
+
+ #%# family=manual
+
+=cut
+
+
+use strict;
+use warnings;
+use File::Basename;
+use IO::Socket::UNIX qw( SOCK_STREAM );
+use JSON;
+
+if ($ARGV[0] and $ARGV[0] eq "config") { #config graph
+ print "graph_title fastd peers\n";
+ print "graph_info This graph shows the peers of the fastd on this supernode\n";
+ print "graph_args -l 0\n";
+ print "graph_scale no\n";
+ print "graph_vlabel peers count\n";
+ print "graph_category fastd\n";
+ print "peers.label peers\n";
+ print "peers.draw AREA\n";
+ exit 0;
+}
+
+
+my $statusfile = exists $ENV{'socketfile'} ? $ENV{'socketfile'} : "/tmp/fastd.sock"; #get path to socket from environment or use default
+my $socket = IO::Socket::UNIX->new(Type => SOCK_STREAM,Peer => $statusfile) #open socket
+ or die("Can't connect to server: $!\n");
+
+my $fastdstatus = "";
+foreach my $line (<$socket>) {$fastdstatus .= $line;} #read contents from socket
+my $json = decode_json($fastdstatus); #decode json
+
+#my $fastd_peers = scalar(keys(%{$json->{peers}})); #get number of peers from json
+my $fastd_peers = 0;
+for my $key (keys(%{$json->{peers}})) {
+ $fastd_peers = $fastd_peers + ($json->{peers}{$key}{connection}? 1 : 0);
+}
+
+print "peers.value $fastd_peers\n"; #return number of peers
diff --git a/roles/install_monitoring/files/munin/munin_fastd_traffic b/roles/install_monitoring/files/munin/munin_fastd_traffic
new file mode 100644
index 0000000..6b60a94
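Review bot: `use File::Basename;` is imported but never used — the plugin never derives anything from its `fastd_peers_<suffix>` wildcard name via `$0`, relying solely on `env.socketfile`, so either drop the import or use `basename($0)` to derive a per-instance default socket path; the same unused import appears in munin_fastd_traffic. The POD's `[fastd_peers_*]` example documents `user fastd` / `group fastd`, which does not match the `user root` that munin_fastd_conf.j2 installs, so one of the two should be corrected. If the socket returns nothing, `decode_json('')` dies with a JSON-parser message rather than a plugin-level one; a guard such as `die "empty reply from $statusfile\n" unless length $fastdstatus;` before the decode would make that failure obvious in munin-node's log. `$ENV{'socketfile'}` is only ever passed as a Unix socket path and never reaches a shell, so there is no quoting concern there.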
--- /dev/null
+++ b/roles/install_monitoring/files/munin/munin_fastd_traffic
@@ -0,0 +1,79 @@
+#!/usr/bin/perl -w
+# -*- perl -*-
+
+=head1 NAME
+
+fastd_traffic_ - Plugin to monitor fastd traffic
+
+=head1 CONFIGURATION
+
+Set user and group to have access to the socket
+Set path to socketfile if not /tmp/fastd.sock
+
+ [fastd_traffic_*]
+ user fastd
+ group fastd
+ env.socketfile /tmp/fastd.sock
+
+=head1 USAGE
+
+Link this plugin to /etc/munin/plugins/
+
+After creating the links, restart munin-node. Don't forget to configure the plugin!
+
+=head1 AUTHORS
+
+Dominique Goersch
+Niklas Yann Wettengel
+
+=head1 LICENSE
+
+GPLv2
+
+=head1 MAGIC MARKERS
+
+ #%# family=manual
+
+=cut
+
+
+use strict;
+use warnings;
+use File::Basename;
+use IO::Socket::UNIX qw( SOCK_STREAM );
+use JSON;
+
+if ($ARGV[0] and $ARGV[0] eq "config") { #config graph
+ print "graph_order down up\n";
+ print "graph_title fastd traffic\n";
+ print "graph_args --base 1000\n";
+ print "graph_vlabel bits in (-) / out (+) per second\n";
+ print "graph_category fastd\n";
+ print "graph_info This graph shows the traffic of fast.\n";
+ print "down.label received\n";
+ print "down.type DERIVE\n";
+ print "down.graph no\n";
+ print "down.cdef down,8,*\n";
+ print "down.min 0\n";
+ print "up.label bps\n";
+ print "up.type DERIVE\n";
+ print "up.negative down\n";
+ print "up.cdef up,8,*\n";
+ print "up.min 0\n";
+ exit 0;
+}
+
+
+my $statusfile = exists $ENV{'socketfile'} ? $ENV{'socketfile'} : "/tmp/fastd.sock"; #get path to socket from environment or use default
+my $socket = IO::Socket::UNIX->new(Type => SOCK_STREAM,Peer => $statusfile) #open socket
+ or die("Can't connect to server: $!\n");
+
+my $fastdstatus = "";
+foreach my $line (<$socket>) {$fastdstatus .= $line;} #read contents from socket
+my $json = decode_json($fastdstatus); #decode json
+
+my $fastd_rx_bytes = $json->{statistics}->{rx}->{bytes}; #get recieved bytes from json
+my $fastd_tx_bytes = $json->{statistics}->{tx}->{bytes}; #get transmittetd bytes from json
+
+print "up.value $fastd_tx_bytes\n"; #return transmitted bytes
+print "down.value $fastd_rx_bytes\n"; #and recieved bytes
diff --git a/roles/install_monitoring/files/munin/munin_global_conf b/roles/install_monitoring/files/munin/munin_global_conf
index cf418ec..9780faf 100644
--- a/roles/install_monitoring/files/munin/munin_global_conf
+++ b/roles/install_monitoring/files/munin/munin_global_conf
@@ -1,6 +1,6 @@ [fw_*] user root -[if_ens3] +[if_ens*] env.speed 1000
diff --git a/roles/install_monitoring/tasks/install_munin.yml b/roles/install_monitoring/tasks/install_munin.yml
index bda0e6f..2c8da48 100644
--- a/roles/install_monitoring/tasks/install_munin.yml
+++ b/roles/install_monitoring/tasks/install_munin.yml
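Review bot: The two output lines interpolate `$fastd_tx_bytes` / `$fastd_rx_bytes` straight into the string, so a status reply that lacks `statistics` (or `rx`/`tx`) produces `up.value ` plus an uninitialized-value warning instead of munin's unknown marker; `print "up.value ", $fastd_tx_bytes // 'U', "\n";` and the same for `down.value` keeps the graph gap visible rather than emitting a malformed line. `graph_info` reads `the traffic of fast.` and the trailing comments say `recieved` / `transmittetd` — typos worth fixing in the same file. `up.label bps` next to `down.label received` is inconsistent for a mirrored graph where only the `up` label is rendered; `up.label transmitted` (or `bps` on both) would read consistently.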
@@ -10,23 +10,65 @@ dest: /etc/munin/munin-node.conf notify: restart munin-node -- name: copy fastd plugin +- name: install perl-json + pacman: + name: perl-json + state: present + when: "'fastd' in group_names" + +- name: copy fastd peers plugin + copy: + src: munin/munin_fastd_peers + dest: /usr/lib/munin/plugins/fastd_peers_ + mode: 0755 + when: "'fastd' in group_names" + +- name: copy fastd traffic plugin copy: - src: munin/munin_fastd_plugin - dest: /usr/lib/munin/plugins/fastd_ + src: munin/munin_fastd_traffic + dest: /usr/lib/munin/plugins/fastd_traffic_ mode: 0755 + when: "'fastd' in group_names" + +- name: enable munin plugins for fastd peers + file: + path: /etc/munin/plugins/fastd_peers_ff{{ item.name }} + src: /usr/lib/munin/plugins/fastd_peers_ + state: link + with_items: "{{ sites }}" + notify: restart munin-node + when: "'fastd' in group_names" + +- name: enable munin plugins for fastd traffic + file: + path: /etc/munin/plugins/fastd_traffic_ff{{ item.name }} + src: /usr/lib/munin/plugins/fastd_traffic_ + state: link + with_items: "{{ sites }}" + notify: restart munin-node + when: "'fastd' in group_names" + +- name: copy fastd plugin config + template: + src: munin_fastd_conf.j2 + dest: /etc/munin/plugin-conf.d/fastd + notify: restart munin-node + when: "'fastd' in group_names" - name: copy dhcp-pool plugin copy: src: munin/munin_dhcp_pool_plugin dest: /usr/lib/munin/plugins/dhcp-pool mode: 0755 + when: "'fastd' in group_names" -- name: copy fastd plugin config - copy: - src: munin/munin_fastd_conf - dest: /etc/munin/plugin-conf.d/fastd +- name: enable munin plugins for dhcp + file: + path: /etc/munin/plugins/dhcp-pool + src: /usr/lib/munin/plugins/dhcp-pool + state: link notify: restart munin-node + when: "'fastd' in group_names" - name: copy global config copy: 
@@ -44,17 +86,109 @@ name: perl-lwp-protocol-https state: present -- name: install perl-json - pacman: - name: perl-json - state: present +- name: enable munin plugins for network monitoring (1/8) + file: + path: /etc/munin/plugins/if_{{ ansible_default_ipv4.interface }} + src: /usr/lib/munin/plugins/if_ + state: link + notify: restart munin-node + +- name: enable munin plugins for network monitoring (2/8) + file: + path: /etc/munin/plugins/if_{{ ansible_default_ipv6.interface }} + src: /usr/lib/munin/plugins/if_ + state: link + notify: restart munin-node + +- name: enable munin plugins for network monitoring (3/8) + file: + path: /etc/munin/plugins/if_{{ item[0] }}{{ item[1].name }} + src: /usr/lib/munin/plugins/if_ + state: link + notify: restart munin-node + with_nested: + - [ 'bat', 'vpn', 'wg' ] + - "{{ sites }}" + when: "'fastd' in group_names" + +- name: enable munin plugins for network monitoring (4/8) + file: + path: /etc/munin/plugins/if_bb{{ hostvars[item]['wireguard_bb_name'] }} + src: /usr/lib/munin/plugins/if_ + state: link + notify: restart munin-node + with_items: "{{ groups['uplink'] }}" + when: "'fastd' in group_names" + +- name: enable munin plugins for network monitoring (5/8) + file: + path: /etc/munin/plugins/if_bb{{ hostvars[item]['wireguard_bb_name'] }} + src: /usr/lib/munin/plugins/if_ + state: link + notify: restart munin-node + with_items: "{{ groups['fastd'] }}" + when: "'uplink' in group_names" + +- name: enable munin plugins for network monitoring (6/8) + file: + path: /etc/munin/plugins/if_bb{{ item.name }} + src: /usr/lib/munin/plugins/if_ + state: link + notify: restart munin-node + with_items: "{{ wireguard_bb_peers|default([]) }}" + when: "'uplink' in group_names" + +- name: enable munin plugins for network monitoring (7/8) + file: + path: /etc/munin/plugins/if_bb{{ item.name }} + src: /usr/lib/munin/plugins/if_ + state: link + notify: restart munin-node + with_items: "{{ ffrl_peers }}" + when: "'ffrl_uplink' in group_names" + +- name: enable munin plugins for network monitoring (8/8) + file: + path: /etc/munin/plugins/if_mullvad + src: /usr/lib/munin/plugins/if_ + state: link + notify: restart munin-node + when: "'mullvad_uplink' in group_names" - name: enable munin plugins file: - path: /etc/munin/plugins/{{ item.name }} - src: /usr/lib/munin/plugins/{{ item.plugin | default( item.name ) }} + path: /etc/munin/plugins/{{ item }} + src: /usr/lib/munin/plugins/{{ item }} state: link - with_items: "{{ munin_node_plugins }}" + with_items: + - cpu + - df + - df_inode + - diskstats + - entropy + - forks + - fw_conntrack + - fw_forwarded_local + - fw_packets + - interrupts + - irqstats + - load + - memory + - netstat + - nginx_request + - nginx_status + - ntp_kernel_err + - ntp_kernel_pll_freq + - ntp_kernel_pll_off + - ntp_offset + - open_files + - open_inodes + - proc_pri + - processes + - threads + - uptime + - users + - vmstat notify: restart munin-node - name: start and enable munin-node
diff --git a/roles/install_monitoring/tasks/install_vnstat.yml b/roles/install_monitoring/tasks/install_vnstat.yml
index e737d74..4027aa6 100644
--- a/roles/install_monitoring/tasks/install_vnstat.yml
+++ b/roles/install_monitoring/tasks/install_vnstat.yml
@@ -15,6 +15,7 @@ args: creates: '/var/lib/vnstat/bat{{ item.name }}' with_items: "{{ sites }}" + when: "'fastd' in group_names" - name: add interfaces to vnstat for uplink interfaces command: /usr/bin/vnstat -u -i bb{{ hostvars[item]['wireguard_bb_name'] }}
@@ -22,6 +23,7 @@ creates: "/var/lib/vnstat/bb{{ hostvars[item]['wireguard_bb_name'] }}" with_items: - "{{ groups['uplink'] }}" + when: "'fastd' in group_names" - name: add interfaces to vnstat for outgoing v4 interface command: /usr/bin/vnstat -u -i {{ ansible_default_ipv4.interface }}
diff --git a/roles/install_monitoring/tasks/main.yml b/roles/install_monitoring/tasks/main.yml
index 0b63792..407c261 100644
--- a/roles/install_monitoring/tasks/main.yml
+++ b/roles/install_monitoring/tasks/main.yml
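Review bot: The rewritten `enable munin plugins` task replaces `with_items: "{{ munin_node_plugins }}"` and the `item.plugin | default( item.name )` mapping with a hard-coded list, so any inventory or group_vars that still define `munin_node_plugins` are now silently ignored, and a plugin whose link name differs from its source file can no longer be expressed. If dropping the variable is intended, remove its definition wherever the role declares it (not visible here) and say so in a comment on the task; otherwise keep `with_items: "{{ munin_node_plugins }}"` and move this list into the variable's default. The eight `enable munin plugins for network monitoring (n/8)` tasks differ only in loop source and `when`; a short comment above (1/8) noting that it and (2/8) may create the same `if_<iface>` link when the v4 and v6 default interfaces coincide (harmless, `file` is idempotent) would save the next reader a question.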
@@ -5,5 +5,5 @@ #- name: install ffmyk-influx # include: install_ffmyk-influx.yml -#- name: install munin -# include: install_munin.yml +- name: install munin + import_tasks: install_munin.yml
diff --git a/roles/install_monitoring/templates/munin_fastd_conf.j2 b/roles/install_monitoring/templates/munin_fastd_conf.j2
new file mode 100644
index 0000000..0de38ba
--- /dev/null
+++ b/roles/install_monitoring/templates/munin_fastd_conf.j2
@@ -0,0 +1,12 @@
+{% for site in sites %}
+[fastd_peers_ff{{ site.name }}]
+user root
+group root
+env.socketfile /run/ff{{ site.name }}1.socket
+
+[fastd_traffic_ff{{ site.name }}]
+user root
+group root
+env.socketfile /run/ff{{ site.name }}1.socket
+
+{% endfor %}
diff --git a/setup_fastd.yml b/setup_fastd.yml
index 238400b..a25689b 100644
--- a/setup_fastd.yml
+++ b/setup_fastd.yml
@@ -35,13 +35,13 @@
 - configure_static_routes
 - install_cronie
 #- install_php
- #- install_nginx
+ - install_nginx
 - install_ntp
 - install_haveged
 - install_wireguard
 - install_wireguard_backbone
 - install_babeld
- #- install_monitoring
+ - install_monitoring
 - update_ssh_keys
 - install_admin_packages
 - name: install openvpn uplink
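Review bot: Both sections in munin_fastd_conf.j2 run the plugins as `user root` / `group root` solely to read `/run/ff{{ site.name }}1.socket`, while the plugins' own POD recommends `user fastd` / `group fastd`; the plugins do nothing else privileged (connect to a Unix socket, parse JSON, print two lines), so the lower privilege suffices if the socket's owner or group allows it. Check what ownership and mode the fastd role gives that socket (not visible here) and, if it is group-readable, change the two sections to `user fastd` and `group fastd`; if root really is required, a comment in the template saying why would stop the next reader from reverting it. The `1` in the socket path is hard-coded, presumably matching the fastd instance naming elsewhere in the repo — a one-line comment stating that convention would help.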