From 4d3268b80b55e227a1a89515842cbaaa8a13d788 Mon Sep 17 00:00:00 2001
From: Niklas Yann Wettengel
Date: Sat, 22 Jan 2022 23:18:36 +0100
Subject: [PATCH] loppermann1

---
 host_vars/ff-loppermann1 | 68 +++++++++++++++++++
 inventory.ini | 1 +
 .../templates/iptables.rules | 2 +
 .../files/ffmyk-iproute.sh | 1 +
 roles/install_babeld/templates/babeld.conf.j2 | 7 +-
 roles/install_bind/templates/named.conf.j2 | 4 ++
 roles/install_mesh-announce/tasks/main.yml | 4 ++
 roles/install_tayga/tasks/main.yml | 5 ++
 .../templates/systemd_override.conf.j2 | 4 +-
 roles/setup_ffrl_tunnel/templates/bird.conf | 24 +++++++
 roles/setup_ffrl_tunnel/templates/netctl | 4 ++
 11 files changed, 120 insertions(+), 4 deletions(-)
 create mode 100644 host_vars/ff-loppermann1

diff --git a/host_vars/ff-loppermann1 b/host_vars/ff-loppermann1
new file mode 100644
index 0000000..4cc245d
--- /dev/null
+++ b/host_vars/ff-loppermann1
@@ -0,0 +1,68 @@
+---
+ansible_host: 2a01:4f8:140:1242:ff::2
+sites: []
+wireguard_bb_name: 'loppermann1'
+wireguard_bb_endpoint: '{{ ansible_host }}'
+wireguard_bb_priv_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 34643662623262646365326237626237313962663465366263386362353630633765363239333831
+ 3632336333633862643737333864623666353935353166620a386462373161383266616633633837
+ 33613761303136623264346435376664356235346633656531343564333334303266666462613665
+ 3063333638323862360a653738306563393434376532313434633162666133343962313066616432
+ 64356233663838353838326230613839663933666663393330303535653638343861656363326632
+ 3539623766663136323061633562643365636162633134396361
+wireguard_bb_pub_key: 'im56pv9JwwveDDkk8aA++0bgHjuUvUzaun4qFAZFrVc='
+wireguard_bb_ipv4: '10.222.0.16'
+wireguard_bb_ipv6: 'fe80::ffbb:ffbb:16'
+wireguard_bb_port: 10116
+wireguard_vpn_port: 10010
+wireguard_vpn_priv_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 37333837366636343138326138623361656462653861633566643831306139383964643839393234
+ 3535393434653761643831663063386635323038343337340a336637633233623333316231346165
+ 64643161663061356466616662336332373738306331386636373761623361343032663832663139
+ 6465343666663861630a356231633764363030356230636631663333356665396462623862643863
+ 66306461316633393065343063316633373530623163356530353031393132353964326238383137
+ 3835373735333537396539353735326539633930393564376464
+wireguard_vpn_address: 'fe80::d3:16ff:fee5:6239'
+wireguard_vpn_client_range: '2a03:2260:1016:3000::/52'
+tayga_ipv4: 10.3.0.1
+tayga_pool: 10.3.0.0/16
+ffrl_router_id: 10.222.0.16
+ffrl_peers:
+ - name: 'bbaakber'
+ remote: '185.66.195.0'
+ ip4: '100.64.10.232'
+ peer_ip4: '100.64.10.233'
+ ip6: '2a03:2260:0:58b::2'
+ peer_ip6: '2a03:2260:0:58b::1'
+ - name: 'bbafra2fra'
+ remote: '185.66.194.0'
+ ip4: '100.64.10.234'
+ peer_ip4: '100.64.10.235'
+ ip6: '2a03:2260:0:58c::2'
+ peer_ip6: '2a03:2260:0:58c::1'
+ - name: 'bbaixdus'
+ remote: '185.66.193.0'
+ ip4: '100.64.10.236'
+ peer_ip4: '100.64.10.237'
+ ip6: '2a03:2260:0:58d::2'
+ peer_ip6: '2a03:2260:0:58d::1'
+ - name: 'bbbakber'
+ remote: '185.66.195.1'
+ ip4: '100.64.10.238'
+ peer_ip4: '100.64.10.239'
+ ip6: '2a03:2260:0:58e::2'
+ peer_ip6: '2a03:2260:0:58e::1'
+ - name: 'bbbfra2fra'
+ remote: '185.66.194.1'
+ ip4: '100.64.10.240'
+ peer_ip4: '100.64.10.241'
+ ip6: '2a03:2260:0:58f::2'
+ peer_ip6: '2a03:2260:0:58f::1'
+ - name: 'bbbixdus'
+ remote: '185.66.193.1'
+ ip4: '100.64.10.242'
+ peer_ip4: '100.64.10.243'
+ ip6: '2a03:2260:0:590::2'
+ peer_ip6: '2a03:2260:0:590::1'
diff --git a/inventory.ini b/inventory.ini
index 9938d43..8ed0e39 100644
--- a/inventory.ini
+++ b/inventory.ini
@@ -1,3 +1,4 @@
 [fastd]
 ff-niyawe1
 ff-niyawe2
+ff-loppermann1
diff --git a/roles/configure_iptables/templates/iptables.rules b/roles/configure_iptables/templates/iptables.rules
index c3d84dc..0a4bfd0 100644
--- a/roles/configure_iptables/templates/iptables.rules
+++ b/roles/configure_iptables/templates/iptables.rules
@@ -74,7 +74,9 @@ COMMIT
 :INPUT ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
+{% if ffrl_ip4 is defined %}
 {% for peer in ffrl_peers %}
 -A POSTROUTING ! -s {{ ffrl_ip4 }} -o {{ peer.name }} -j SNAT --to-source {{ ffrl_ip4 }}
 {% endfor %}
+{% endif %}
 COMMIT
diff --git a/roles/configure_static_routes/files/ffmyk-iproute.sh b/roles/configure_static_routes/files/ffmyk-iproute.sh
index 83cb5aa..0e1fe06 100755
--- a/roles/configure_static_routes/files/ffmyk-iproute.sh
+++ b/roles/configure_static_routes/files/ffmyk-iproute.sh
@@ -7,6 +7,7 @@ ip -6 rule add iif nat64 table ffmyk priority 10
 ip -4 rule add to 10.1.0.0/16 table ffmyk priority 10
 ip -4 rule add to 10.2.0.0/16 table ffmyk priority 10
+ip -4 rule add to 10.3.0.0/16 table ffmyk priority 10
 #Alles mit Freifunk-IP - woher auch immer - gehört zu Tabelle ffmyk
 ip -4 rule add to 10.222.1.0/24 table ffmyk priority 10
 ip -4 rule add to 10.222.2.0/23 table ffmyk priority 10
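Review bot: `ffrl_router_id: 10.222.0.16` repeats the value of `wireguard_bb_ipv4` by hand, so the two can drift the next time this host is renumbered; if the router id is meant to mirror that address (the file gives no reason for the choice), `ffrl_router_id: '{{ wireguard_bb_ipv4 }}'` keeps them tied together. The two private keys are vault-encrypted and only the public key is in the clear, which is the right split. `ansible_host`, the two tayga values and `ffrl_router_id` are the only unquoted scalars in an otherwise consistently quoted file; quoting them would keep the style uniform.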
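Review bot: With `ffrl_ip4` undefined the new guard leaves the nat table without any POSTROUTING rule for the peer tunnels, so any IPv4 packet that is still forwarded out of a `{{ peer.name }}` interface on such a host leaves with its private source address unchanged; whether anything is routed that way on an IPv6-only uplink host is decided by routing that is not in this hunk, so this is something to confirm rather than a certain defect. The same `{% if ffrl_ip4 is defined %}` test is repeated in the babeld.conf.j2, bird.conf and netctl hunks of this commit; setting one boolean per host (for example `ffrl_has_ipv4`, a constructed name) and testing that instead would make the intent readable and give a single place to change it.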
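Review bot: The added rule hard-codes `10.3.0.0/16`, the same prefix host_vars/ff-loppermann1 declares as `tayga_pool`, in a static file that is copied to every host; the next NAT64 pool will need another hand-written line here while the per-host variable already holds the value. Generating these `ip -4 rule add to … table ffmyk priority 10` lines from a template that loops over the known pool prefixes would keep the policy-routing rule and `tayga_pool` from diverging.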
diff --git a/roles/install_babeld/templates/babeld.conf.j2 b/roles/install_babeld/templates/babeld.conf.j2
index c5cdda0..7da5e12 100644
--- a/roles/install_babeld/templates/babeld.conf.j2
+++ b/roles/install_babeld/templates/babeld.conf.j2
@@ -27,19 +27,22 @@ import-table 42
 reflect-kernel-metric true
 # Filtering rules.
-in ip 10.222.0.0/16 allow
+in ip 10.0.0.0/8 allow
 in ip 2a03:2260:1016::/48 allow
 in ip 2003:46:e028::/48 allow # finzelberg
 in ip fd62:44e1:da::/48 allow
+{% if ffrl_ip4 is defined %}
 in deny # ignore default routes on uplinks
+{% endif %}
 {% for peer in ffrl_peers %}
 redistribute if {{ peer.name }} metric 128
 {% endfor %}
 # Only redistribute addresses from a given prefix, to avoid redistributing
 # all local addresses
-redistribute ip 10.222.0.0/16 allow
+redistribute ip 10.0.0.0/8 allow
 redistribute ip 2a03:2260:1016::/48 allow
 redistribute ip 64:ff9b::/96 allow
+redistribute ip 2003:46:e028::/48 allow # finzelberg
 redistribute ip fd62:44e1:da::/48 allow
 redistribute local deny
diff --git a/roles/install_bind/templates/named.conf.j2 b/roles/install_bind/templates/named.conf.j2
index 352c1fa..056a6ea 100644
--- a/roles/install_bind/templates/named.conf.j2
+++ b/roles/install_bind/templates/named.conf.j2
@@ -29,6 +29,10 @@ options {
 hostname none;
 server-id none;
+ dns64 64:ff9b::/96 {
+ clients { any; };
+ };
+
 max-cache-size 1024M;
 };
diff --git a/roles/install_mesh-announce/tasks/main.yml b/roles/install_mesh-announce/tasks/main.yml
index 50c5175..d4591cf 100644
--- a/roles/install_mesh-announce/tasks/main.yml
+++ b/roles/install_mesh-announce/tasks/main.yml
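Review bot: On a host without `ffrl_ip4` the guard around `in deny # ignore default routes on uplinks` removes the only catch-all rule, so babeld now imports every prefix a neighbour announces that is not matched by the allow lines above, not just a default route, and the comment no longer describes what happens. If the intent is to let such a host learn the default route from the other gateways, keeping `in deny` unconditional and adding explicit allows in front of it inside an `{% else %}` branch, `in ip 0.0.0.0/0 le 0 allow` and `in ip ::/0 le 0 allow`, keeps the import filter closed by default. Widening `in ip 10.0.0.0/8 allow` and `redistribute ip 10.0.0.0/8 allow` from the former /16 also makes the whole private range eligible on every host, not only on the new one; a comment naming the pools this is meant to cover (10.1, 10.2 and 10.3 appear in ffmyk-iproute.sh) would help the next reader.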
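Review bot: The DNS64 prefix `64:ff9b::/96` is now written here and again as the tayga route in systemd_override.conf.j2 and in babeld.conf.j2, while the translator's IPv4 side is the per-host `tayga_pool`; one variable for the NAT64 prefix would keep the synthesis prefix and the routes that carry it in step. `clients { any; };` is also BIND's default, so the line documents rather than restricts; which clients can actually obtain synthesized answers is governed by the `allow-query`/`allow-recursion` settings of this options block, which are outside the hunk and worth checking together with this change. If synthesis is only wanted for recursive answers, `recursive-only yes;` inside the dns64 block is the option for that.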
@@ -6,20 +6,24 @@
 - lsb-release
 - ethtool
 state: present
+ when: sites | length > 0
 - name: clone mesh-announce repo
 git:
 repo: https://github.com/FreifunkMYK/mesh-announce.git
 dest: /opt/mesh-announce
+ when: sites | length > 0
 - name: create respondd service
 template:
 src: respondd.service.j2
 dest: /etc/systemd/system/respondd.service
 mode: 0644
+ when: sites | length > 0
 - name: start and enable respondd service
 systemd:
 name: respondd
 state: started
 enabled: yes
+ when: sites | length > 0
diff --git a/roles/install_tayga/tasks/main.yml b/roles/install_tayga/tasks/main.yml
index 0f38790..7d4c6a5 100644
--- a/roles/install_tayga/tasks/main.yml
+++ b/roles/install_tayga/tasks/main.yml
@@ -11,6 +11,11 @@
 mode: 0644
 notify: restart tayga
+- name: create systemd override folder
+ ansible.builtin.file:
+ path: /etc/systemd/system/tayga.service.d
+ state: directory
+
 - name: systemd override.conf
 template:
 src: systemd_override.conf.j2
diff --git a/roles/install_tayga/templates/systemd_override.conf.j2 b/roles/install_tayga/templates/systemd_override.conf.j2
index a3e7229..fb6ec48 100644
--- a/roles/install_tayga/templates/systemd_override.conf.j2
+++ b/roles/install_tayga/templates/systemd_override.conf.j2
@@ -4,7 +4,7 @@ ExecStartPre=/usr/bin/tayga --mktun --config /etc/tayga.conf
 ExecStartPre=/usr/bin/ip link set nat64 up
 ExecStartPre=/usr/bin/ip addr replace {{ tayga_ipv4 }}/32 dev nat64
 ExecStartPre=/usr/bin/ip addr replace 2a03:2260:1016::64/128 dev nat64
-ExecStartPre=/usr/bin/ip route replace {{ tayga_pool }} dev nat64 table ffmyk
-ExecStartPre=/usr/bin/ip -6 route replace 64:ff9b::/96 dev nat64 table ffmyk
+ExecStartPre=/usr/bin/ip route replace {{ tayga_pool }} dev nat64 proto static table ffmyk
+ExecStartPre=/usr/bin/ip -6 route replace 64:ff9b::/96 dev nat64 proto static table ffmyk
 ExecStart=/usr/bin/tayga --nodetach --config /etc/tayga.conf
 Restart=always
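Review bot: The same `when: sites | length > 0` is pasted onto four consecutive tasks, and the first of them (the package task whose header is above the hunk) is only partly visible; a fifth task added later will run unguarded unless someone remembers the pattern. Wrapping the tasks in a `block:` with a single `when:`, or applying the condition where the role is included in the playbook, states the rule once. Not introduced here but visible in the hunk: the `git:` task has no `version:`, so each run deploys whatever the remote default branch currently holds; pinning a tag or commit would make the deployed code reproducible.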
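Review bot: The new `ansible.builtin.file` task creates `/etc/systemd/system/tayga.service.d` without `mode:`, `owner:` or `group:`, so the directory's permissions follow the remote umask, while the template task right below it sets `mode: 0644` explicitly; adding `mode: 0755` (with `owner: root` and `group: root`) makes the drop-in directory deterministic. The task also uses the fully qualified `ansible.builtin.file` where its neighbours use the short `template:` form; either works, but the file should pick one style.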
diff --git a/roles/setup_ffrl_tunnel/templates/bird.conf b/roles/setup_ffrl_tunnel/templates/bird.conf
index c609a5b..7e3db92 100644
--- a/roles/setup_ffrl_tunnel/templates/bird.conf
+++ b/roles/setup_ffrl_tunnel/templates/bird.conf
@@ -3,21 +3,31 @@ timeformat protocol iso long;
 #log "bird.log" all;
 # debug protocols all;
+{% if ffrl_ip4 is defined %}
 define ffrl_nat_address = {{ ffrl_ip4 }};
+{% endif %}
 define ffmyk_as = 65032; # private AS of ffmyk
 define ffrl_as = 201701; # public AS of rheinland
+{% if ffrl_ip4 is defined %}
 router id ffrl_nat_address;
+{% else %}
+router id {{ ffrl_router_id }};
+{% endif %}
+{% if ffrl_ip4 is defined %}
 ipv4 table ffrl4;
+{% endif %}
 ipv6 table ffrl6;
+{% if ffrl_ip4 is defined %}
 function is_default4() {
 return net ~ [
 0.0.0.0/0
 ];
 }
+{% endif %}
 function is_default6() {
 return net ~ [
@@ -25,11 +35,13 @@ function is_default6() {
 ];
 }
+{% if ffrl_ip4 is defined %}
 function is_ffrl_nat4() {
 return net ~ [
 {{ ffrl_ip4 }}/32
 ];
 }
+{% endif %}
 function is_ffrl_public_nets6() {
 return net ~ [
@@ -37,11 +49,13 @@ function is_ffrl_public_nets6() {
 ];
 }
+{% if ffrl_ip4 is defined %}
 function is_ffrl_tunnel_nets4() {
 return net ~ [
 100.64.0.0/10
 ];
 }
+{% endif %}
 function is_ffrl_tunnel_nets6() {
 return net ~ [
@@ -49,6 +63,7 @@ function is_ffrl_tunnel_nets6() {
 ];
 }
+{% if ffrl_ip4 is defined %}
 # BGP Import Filter für Rheinland
 filter ebgp_ffrl_import_filter4 {
 if is_default4() then accept;
@@ -60,6 +75,7 @@ filter ebgp_ffrl_export_filter4 {
 if is_ffrl_nat4() then accept;
 reject;
 }
+{% endif %}
 filter ebgp_ffrl_import_filter6 {
 if is_default6() then accept;
@@ -75,11 +91,13 @@ protocol device {
 scan time 10;
 }
+{% if ffrl_ip4 is defined %}
 # IP-NAT-Adresse legen wir in die interne BIRD Routing Table
 protocol static ffrl_uplink_hostroute4 {
 ipv4 { table ffrl4; };
 route {{ ffrl_ip4 }}/32 reject;
 }
+{% endif %}
 protocol static ffrl_public_routes6 {
 ipv6 { table ffrl6; };
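Review bot: The `{% else %}` branch renders `router id {{ ffrl_router_id }};`, a variable this commit defines only in host_vars/ff-loppermann1, so any other host that lacks `ffrl_ip4` fails templating with a generic undefined-variable error; `router id {{ ffrl_router_id | mandatory('ffrl_router_id is required when ffrl_ip4 is unset') }};` would name the requirement at the point it applies. The eleven `{% if ffrl_ip4 is defined %}` guards across this file's hunks (this one, the nat4, tunnel_nets4, filter and hostroute hunks below it, and the kernel, template and peer-protocol hunks on the next line) each wrap a single IPv4-only definition; gathering the IPv4 definitions into one guarded section, or a separately included file, would leave one condition to maintain. The `kernel_ffrl4` guard opens in one hunk and closes in the next, which is valid Jinja but easy to miss in review.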
@@ -95,6 +113,7 @@ protocol static ffrl_public_routes6 {
 # import where is_ffrl_tunnel_nets4();
 #}
+{% if ffrl_ip4 is defined %}
 # Wir exportieren über Rheinland gelernte Routen in die Kernel Table 47 (ffrl)
 protocol kernel kernel_ffrl4 {
 scan time 30;
@@ -108,6 +127,7 @@ protocol kernel kernel_ffrl4 {
 };
 kernel table 42;
 };
+{% endif %}
 protocol kernel kernel_ffrl6 {
 scan time 30;
@@ -122,6 +142,7 @@ protocol kernel kernel_ffrl6 {
 kernel table 42;
 };
+{% if ffrl_ip4 is defined %}
 # BGP Template für Rheinland Peerings
 template bgp ffrl_uplink4 {
 local as ffmyk_as;
@@ -134,6 +155,7 @@ template bgp ffrl_uplink4 {
 };
 direct;
 };
+{% endif %}
 template bgp ffrl_uplink6 {
 local as ffmyk_as;
@@ -148,10 +170,12 @@ template bgp ffrl_uplink6 {
 };
 {% for peer in ffrl_peers %}
+{% if ffrl_ip4 is defined %}
 protocol bgp ffrl_{{ peer.name }}4 from ffrl_uplink4 {
 source address {{ peer.ip4 }};
 neighbor {{ peer.peer_ip4 }} as 201701;
 };
+{% endif %}
 protocol bgp ffrl_{{ peer.name }}6 from ffrl_uplink6 {
 source address {{ peer.ip6 }};
diff --git a/roles/setup_ffrl_tunnel/templates/netctl b/roles/setup_ffrl_tunnel/templates/netctl
index 98e8af4..65bbd7c 100644
--- a/roles/setup_ffrl_tunnel/templates/netctl
+++ b/roles/setup_ffrl_tunnel/templates/netctl
@@ -8,7 +8,11 @@ Remote={{ item.remote }}
 ExecUpPost="/usr/bin/ip link set dev {{ item.name }} mtu 1400; /usr/bin/ip tunnel change {{ item.name }} ttl 64"
 IP=static
+{% if ffrl_ip4 is defined %}
 Address=('{{ item.ip4 }}/31' '{{ ffrl_ip4 }}/32')
+{% else %}
+Address=('{{ item.ip4 }}/31')
+{% endif %}
 IP6=static
 Address6=('{{ item.ip6 }}/64')
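Review bot: The two `Address=` branches differ only in whether `'{{ ffrl_ip4 }}/32'` is appended, so the condition can sit inside the array instead of duplicating the line: `Address=('{{ item.ip4 }}/31'{% if ffrl_ip4 is defined %} '{{ ffrl_ip4 }}/32'{% endif %})`. The transfer address `item.ip4` is still configured on hosts without `ffrl_ip4`, so the tunnel keeps an IPv4 leg although the bird.conf hunks set up no IPv4 BGP session over it; if that leg is not used on such hosts, leaving it out (or a comment saying why it stays) would avoid carrying an address that nothing in this configuration routes.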