kreativmonkey
/
ffmyk-ansible
mirror of https://git.niyawe.de/ffmyk-ansible.git
1
1
Fork 0
Code Issues Releases Wiki Activity

fastd working

Browse Source
netsplit
Niklas Yann Wettengel 8 years ago
parent 90a8a597ea
commit d82f852497
25 changed files with 357 additions and 250 deletions
Show Stats Download Patch File Download Diff File

127
host_vars/fastd
Unescape Escape View File

@ -1,12 +1,19 @@
--- ---
ansible_host: 123.123.123.123 ansible_host: 123.123.123.123
fastd_peer_limit: 200 sites:
fastd_secret: <fastd secret key> - name: '<site kürzel>'
fastd_mesh_mac: '<mesh mac> net4: '<ipv4 netz>'
bat0_ipv6: '<ipv6>' net6: '<ipv6 netz>'
bat0_ipv4: <ipv4> fastd_secret: <fastd secret key>
dhcp_start: <ipv4> fastd_mesh_mac: '<mesh mac>
dhcp_end: <ipv4> fastd_port1: <erster port>
fastd_port2: <zweiter port>
bat_ipv6: '<ipv6>'
bat_ipv4: <ipv4>
dhcp_subnet: '<ipv4 netz ohne netzmaske>'
dhcp_netmask: '<netzmaske>'
dhcp_start: <ipv4>
dhcp_end: <ipv4>
mullvad_country: nl mullvad_country: nl
mullvad_crt: | mullvad_crt: |
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
@ -16,56 +23,56 @@ mullvad_key: |
-----BEGIN PRIVATE KEY----- -----BEGIN PRIVATE KEY-----
... ...
-----END PRIVATE KEY----- -----END PRIVATE KEY-----
influx_user: <user> #influx_user: <user>
influx_password: <password> #influx_password: <password>
munin_node_plugins: #munin_node_plugins:
- name: cpu # - name: cpu
- name: df # - name: df
- name: df_inode # - name: df_inode
- name: dhcp-pool # - name: dhcp-pool
- name: diskstats # - name: diskstats
- name: entropy # - name: entropy
- name: fastd_peers # - name: fastd_peers
plugin: fastd_ # plugin: fastd_
- name: fastd_traffic # - name: fastd_traffic
plugin: fastd_ # plugin: fastd_
- name: forks # - name: forks
- name: fw_conntrack # - name: fw_conntrack
- name: fw_forwarded_local # - name: fw_forwarded_local
- name: fw_packets # - name: fw_packets
- name: if_bat0 # - name: if_bat0
plugin: if_ # plugin: if_
- name: if_err_bat0 # - name: if_err_bat0
plugin: if_err_ # plugin: if_err_
- name: if_ens3 # - name: if_ens3
plugin: if_ # plugin: if_
- name: if_err_ens3 # - name: if_err_ens3
plugin: if_err_ # plugin: if_err_
- name: if_ffmyk-mesh-vpn # - name: if_ffmyk-mesh-vpn
plugin: if_ # plugin: if_
- name: if_err_ffmyk-mesh-vpn # - name: if_err_ffmyk-mesh-vpn
plugin: if_err_ # plugin: if_err_
- name: if_mullvad # - name: if_mullvad
plugin: if_ # plugin: if_
- name: if_err_mullvad # - name: if_err_mullvad
plugin: if_err_ # plugin: if_err_
- name: interrupts # - name: interrupts
- name: irqstats # - name: irqstats
- name: load # - name: load
- name: memory # - name: memory
- name: netstat # - name: netstat
- name: nginx_request # - name: nginx_request
- name: nginx_status # - name: nginx_status
- name: ntp_kernel_err # - name: ntp_kernel_err
- name: ntp_kernel_pll_freq # - name: ntp_kernel_pll_freq
- name: ntp_kernel_pll_off # - name: ntp_kernel_pll_off
- name: ntp_offset # - name: ntp_offset
- name: open_files # - name: open_files
- name: open_inodes # - name: open_inodes
- name: proc_pri # - name: proc_pri
- name: processes # - name: processes
- name: swap # - name: swap
- name: threads # - name: threads
- name: uptime # - name: uptime
- name: users # - name: users
- name: vmstat # - name: vmstat

24
roles/configure_iptables/files/ip6tables.rules
Unescape Escape View File

@ -1,9 +1,7 @@
# Generated by ip6tables-save v1.4.21 on Mon Feb 22 00:25:52 2016
*filter *filter
:INPUT DROP [0:0] :INPUT DROP [0:0]
:FORWARD ACCEPT [0:0] :FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
:LOGGING - [0:0]
-A INPUT -i lo -j ACCEPT -A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT -A INPUT -p icmpv6 -j ACCEPT
@ -13,20 +11,20 @@
# dns # dns
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT -A INPUT -p udp -m udp --dport 53 -j ACCEPT
# http
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# ntp # ntp
-A INPUT -p udp -m udp --dport 123 -j ACCEPT -A INPUT -p udp -m udp --dport 123 -j ACCEPT
# munin
-A INPUT -p tcp -m tcp --dport 4949 -j ACCEPT
# fastd # fastd
-A INPUT -p udp -m udp --dport 10000 -j ACCEPT -A INPUT -p udp -m udp --dport 10010:10021 -j ACCEPT
# MOSH # MOSH
-A INPUT -p udp -m udp --dport 60000:61000 -j ACCEPT -A INPUT -p udp -m udp --dport 60000:61000 -j ACCEPT
# LOG # LOG
-A INPUT -j LOGGING -A INPUT -m limit --limit 2/min -j LOG --log-prefix "IP6Tables-Dropped input: " --log-level 4
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IP6Tables-Dropped: " --log-level 4
-A LOGGING -j DROP -A FORWARD -i bataw -p udp --dport 10010:10021 -j REJECT
-A FORWARD -i bat0 -p udp --dport 10000 -j REJECT -A FORWARD -i batcoc -p udp --dport 10010:10021 -j REJECT
-A FORWARD -i batems -p udp --dport 10010:10021 -j REJECT
-A FORWARD -i batko -p udp --dport 10010:10021 -j REJECT
-A FORWARD -i batmy -p udp --dport 10010:10021 -j REJECT
-A FORWARD -i batsim -p udp --dport 10010:10021 -j REJECT
-A FORWARD -m limit --limit 2/min -j LOG --log-prefix "IP6Tables-Dropped forward: " --log-level 4
COMMIT COMMIT
# Completed on Mon Feb 22 00:25:52 2016

42
roles/configure_iptables/files/iptables.rules
Unescape Escape View File

@ -1,22 +1,24 @@
# Generated by iptables-save v1.4.21 on Tue Sep 8 21:44:08 2015
*mangle *mangle
:PREROUTING ACCEPT [0:0] :PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0] :INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0] :FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0]
-A PREROUTING -i bat0 -j MARK --set-xmark 0x1/0xffffffff -A PREROUTING -i bataw -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -i batcoc -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -i batems -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -i batko -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -i batmy -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -i batsim -j MARK --set-xmark 0x1/0xffffffff
COMMIT COMMIT
# Completed on Tue Sep 8 21:44:08 2015
# Generated by iptables-save v1.4.21 on Tue Sep 8 21:44:08 2015
*filter *filter
:INPUT DROP [0:0] :INPUT DROP [0:0]
:FORWARD ACCEPT [0:0] :FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
:LOGGING - [0:0]
-A INPUT -s 127.0.0.1/32 -j ACCEPT -A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT -A INPUT -p icmp -j ACCEPT
# SSH-Server # SSH-Server
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# dns # dns
@ -24,33 +26,25 @@ COMMIT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT -A INPUT -p udp -m udp --dport 53 -j ACCEPT
#dhcp #dhcp
-I INPUT -i bat0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT -I INPUT -i bat0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
# http
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# ntp # ntp
-A INPUT -p udp -m udp --dport 123 -j ACCEPT -A INPUT -p udp -m udp --dport 123 -j ACCEPT
# munin
-A INPUT -p tcp -m tcp --dport 4949 -j ACCEPT
# iperf
-A INPUT -i bat0 -p tcp -m tcp --dport 5001 -j ACCEPT
# fastd # fastd
-A INPUT -p udp -m udp --dport 10000 -j ACCEPT -A INPUT -p udp -m udp --dport 10010:10021 -j ACCEPT
# MOSH # MOSH
-A INPUT -p udp -m udp --dport 60000:61000 -j ACCEPT -A INPUT -p udp -m udp --dport 60000:61000 -j ACCEPT
# LOG -A INPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped input: " --log-level 4
-A INPUT -j LOGGING
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4 -A FORWARD -i bataw -p udp --dport 10010:10021 -j REJECT
-A LOGGING -j DROP -A FORWARD -i batcoc -p udp --dport 10010:10021 -j REJECT
-A FORWARD -i bat0 -p udp --dport 10000 -j REJECT -A FORWARD -i batems -p udp --dport 10010:10021 -j REJECT
-A FORWARD -i batko -p udp --dport 10010:10021 -j REJECT
-A FORWARD -i batmy -p udp --dport 10010:10021 -j REJECT
-A FORWARD -i batsim -p udp --dport 10010:10021 -j REJECT
-A FORWARD -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped forward: " --log-level 4
COMMIT COMMIT
# Completed on Tue Sep 8 21:44:08 2015
# Generated by iptables-save v1.4.21 on Tue Sep 8 21:44:08 2015
*nat *nat
:PREROUTING ACCEPT [0:0] :PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0] :INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o mullvad -j MASQUERADE
COMMIT COMMIT
# Completed on Tue Sep 8 21:44:08 2015

14
roles/configure_static_routes/files/ffmyk-iproute.service
Unescape Escape View File

@ -0,0 +1,14 @@
[Unit]
Description=sets up ip rules and static routes
ConditionPathExists=/usr/local/bin/ffmyk-iproute.sh
[Service]
Type=forking
ExecStart=/usr/local/bin/ffmyk-iproute.sh
TimeoutSec=0
StandardOutput=tty
RemainAfterExit=yes
SysVStartPriority=99
[Install]
WantedBy=multi-user.target

12
roles/configure_static_routes/files/ffmyk-iproute.sh
Unescape Escape View File

@ -0,0 +1,12 @@
#!/bin/bash
#Routingtabelle ffmyk ist per default nicht erreichbar
ip -4 route add unreachable default table ffmyk
ip -6 route add unreachable default table ffmyk
#Alles, was mit 0x1 markiert wird gehört zu Tabelle ffmyk
ip -4 rule add from all fwmark 0x1 table ffmyk
ip -6 rule add from all fwmark 0x1 table ffmyk
#Alles mit Freifunk-IP - woher auch immer - gehlrt zu Tabelle ffmyk
ip -4 rule add from 10.222.0.0/16 table ffmyk
ip -6 rule add from 2001:470:cd45:FF00::/56 table ffmyk

38
roles/configure_static_routes/tasks/main.yml
Unescape Escape View File

@ -0,0 +1,38 @@
---
- name: name ffmyk routing table
lineinfile:
path: /etc/iproute2/rt_tables
line: 42 ffmyk
- name: copy ffmyk iproute config script
copy:
src: ffmyk-iproute.sh
dest: /usr/local/bin/ffmyk-iproute.sh
mode: 0744
- name: copy site specific iproute up config script
template:
src: ffmyk-iproute-up.j2
dest: /usr/local/bin/ffmyk-iproute{{ item.name }}-up.sh
mode: 0744
with_items: "{{ sites }}"
- name: copy site specific iproute down config script
template:
src: ffmyk-iproute-down.j2
dest: /usr/local/bin/ffmyk-iproute{{ item.name }}-down.sh
mode: 0744
with_items: "{{ sites }}"
- name: copy ffmyk iproute systemd service
copy:
src: ffmyk-iproute.service
dest: /etc/systemd/system/ffmyk-iproute.service
mode: 0444
- name: start and enable ffmyk iproute service
systemd:
name: ffmyk-iproute.service
daemon_reload: yes
enabled: yes
state: started

11
roles/configure_static_routes/templates/ffmyk-iproute-down.j2
Unescape Escape View File

@ -0,0 +1,11 @@
#!/bin/bash
ip -4 route del {{item.net4 }} dev bat{{ item.name }} proto static table ffmyk
ip -6 route del {{item.net6 }} dev bat{{ item.name }} proto static table ffmyk
ip -4 rule del iif bat{{ item.name }} table ffmyk
ip -6 rule del iif bat{{ item.name }} table ffmyk
ip -4 rule del from {{ item.net4 }} table ffmyk
ip -6 rule del from {{ item.net6 }} table ffmyk
ip -4 rule del to {{ item.net4 }} table ffmyk
ip -6 rule del to {{ item.net6 }} table ffmyk

11
roles/configure_static_routes/templates/ffmyk-iproute-up.j2
Unescape Escape View File

@ -0,0 +1,11 @@
#!/bin/bash
ip -4 rule add iif bat{{ item.name }} table ffmyk
ip -6 rule add iif bat{{ item.name }} table ffmyk
ip -4 rule add from {{ item.net4 }} table ffmyk
ip -6 rule add from {{ item.net6 }} table ffmyk
ip -4 rule add to {{ item.net4 }} table ffmyk
ip -6 rule add to {{ item.net6 }} table ffmyk
ip -4 route replace {{item.net4 }} dev bat{{ item.name }} proto static table ffmyk
ip -6 route replace {{item.net6 }} dev bat{{ item.name }} proto static table ffmyk

3
roles/configure_sysctl/files/ff.conf
Unescape Escape View File

@ -1,4 +1,7 @@
net.ipv4.ip_forward=1 net.ipv4.ip_forward=1
# Sonst landen ICMP-Fehlerpakete auf eth0 - mit source-IP 10.222.x.y...
# https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
net.ipv4.icmp_errors_use_inbound_ifaddr = 1
net.ipv6.conf.all.forwarding=1 net.ipv6.conf.all.forwarding=1

45
roles/install_bind/templates/named.conf.j2
Unescape Escape View File

@ -10,18 +10,22 @@ options {
auth-nxdomain no; # conform to RFC1035 auth-nxdomain no; # conform to RFC1035
listen-on-v6 { {{ bat0_ipv6 }}; }; listen-on-v6 {
listen-on port 53 { 127.0.0.1; {{ bat0_ipv4 }}; }; {% for site in sites %}
{{ site.bat_ipv6 }};
allow-recursion { 127.0.0.1; 10.222.0.0/16; 2a01:198:70a:ff::/64; }; {% endfor %}
};
listen-on port 53 {
127.0.0.1;
{% for site in sites %}
{{ site.bat_ipv4 }};
{% endfor %}
};
allow-recursion { 127.0.0.1; 10.222.0.0/16; 2001:470:cd45:ff00::/56; };
allow-transfer { none; }; allow-transfer { none; };
allow-update { none; }; allow-update { none; };
//forwarders {
// 85.214.20.141;
// 213.73.91.35;
//};
version none; version none;
hostname none; hostname none;
server-id none; server-id none;
@ -57,22 +61,9 @@ zone "." IN {
file "root.hint"; file "root.hint";
}; };
zone "ffmyk" IN { //zone "ffmyk" IN {
type slave; // type slave;
file "bak/ffmyk.zone"; // file "bak/ffmyk.zone";
allow-query { any; }; // allow-query { any; };
masters { 10.222.100.1; }; // masters { 10.222.100.1; };
};
//logging {
// channel xfer-log {
// file "/var/log/named.log";
// print-category yes;
// print-severity yes;
// severity info;
// };
// category xfer-in { xfer-log; };
// category xfer-out { xfer-log; };
// category notify { xfer-log; };
//}; //};

37
roles/install_dhcp/tasks/main.yml
Unescape Escape View File

@ -4,24 +4,25 @@
name: dhcp name: dhcp
state: present state: present
- name: create dhcp file for static ips #- name: create dhcp file for static ips
copy: # copy:
content: '' # content: ''
dest: /etc/dhcpd.hosts.conf # dest: /etc/dhcpd.hosts{{ item.name }}.conf
force: no # force: no
# with_items: "{{ sites }}"
- name: copy fastd-services-api.php #
copy: #- name: copy fastd-services-api.php
src: fastd-services-api.php # copy:
dest: /etc/fastd-services-api.php # src: fastd-services-api.php
# dest: /etc/fastd-services-api.php
- name: setup cronjob for fastd-services-api #
cron: #- name: setup cronjob for fastd-services-api
name: fastd-services-api # cron:
minute: '*/10' # name: fastd-services-api
user: root # minute: '*/10'
cron_file: fastd-api # user: root
job: '/usr/bin/php /etc/fastd-services-api.php' # cron_file: fastd-api
# job: '/usr/bin/php /etc/fastd-services-api.php'
- name: dhcpd.conf - name: dhcpd.conf
template: template:

12
roles/install_dhcp/templates/dhcpd.conf.j2
Unescape Escape View File

@ -5,14 +5,16 @@ authoritative;
log-facility local7; log-facility local7;
subnet 10.222.0.0 netmask 255.255.0.0 { {% for site in sites %}
range {{ dhcp_start }} {{ dhcp_end }}; subnet {{ site.dhcp_subnet }} netmask {{ site.dhcp_netmask }} {
range {{ site.dhcp_start }} {{ site.dhcp_end }};
option routers {{ bat0_ipv4 }}; option routers {{ site.bat_ipv4 }};
option domain-name-servers {{ bat0_ipv4 }}; option domain-name-servers {{ site.bat_ipv4 }};
} }
{% endfor %}
subnet {{ ansible_default_ipv4['address'] }} netmask 255.255.255.255 { subnet {{ ansible_default_ipv4['address'] }} netmask 255.255.255.255 {
} }
include "/etc/dhcpd.hosts.conf"; #include "/etc/dhcpd.hosts.conf";

29
roles/install_fastd/handlers/main.yml
Unescape Escape View File

@ -4,7 +4,32 @@
name: fastd@ffmyk.service name: fastd@ffmyk.service
state: reloaded state: reloaded
- name: restart fastd - name: restart fastdaw
systemd: systemd:
name: fastd@ffmyk.service name: fastd@ffaw.service
state: restarted
- name: restart fastdcoc
systemd:
name: fastd@ffcoc.service
state: restarted
- name: restart fastdems
systemd:
name: fastd@ffems.service
state: restarted
- name: restart fastdko
systemd:
name: fastd@ffko.service
state: restarted
- name: restart fastdmy
systemd:
name: fastd@ffmy.service
state: restarted
- name: restart fastdsim
systemd:
name: fastd@ffsim.service
state: restarted state: restarted

63
roles/install_fastd/tasks/main.yml
Unescape Escape View File

@ -6,77 +6,58 @@
name: fastd name: fastd
tool: yaourt tool: yaourt
- name: create ffmyk folder - name: create site folder
file: file:
path: /etc/fastd/ffmyk path: /etc/fastd/ff{{ item.name }}
state: directory state: directory
with_items: "{{ sites }}"
- name: fastd.conf - name: fastd.conf
template: template:
src: fastd.conf.j2 src: fastd.conf.j2
dest: /etc/fastd/ffmyk/fastd.conf dest: /etc/fastd/ff{{ item.name }}/fastd.conf
mode: 0640 mode: 0640
notify: restart fastd notify: restart fastd{{ item.name }}
with_items: "{{ sites }}"
- name: create backbone folder
file:
path: /etc/fastd/ffmyk/backbone
state: directory
- name: add backbone peers
copy:
src: '{{ item }}'
dest: /etc/fastd/ffmyk/backbone/{{ item }}
with_items:
- fastd1
- fastd2
- fastd3
- fastd4
- fastd5
- fastd6
- fastd7
- fastd8
- fastd9
- fastd10
- fastd11
- fastd12
- fastd13
- fastd14
- fastd15
notify: reload fastd
- name: add fastd bin folder - name: add fastd bin folder
file: file:
path: /etc/fastd/ffmyk/bin path: /etc/fastd/ff{{ item.name }}/bin
state: directory state: directory
with_items: "{{ sites }}"
- name: add fastd up script - name: add fastd up script
template: template:
src: fastd_up.sh.j2 src: fastd_up.sh.j2
dest: /etc/fastd/ffmyk/bin/up.sh dest: /etc/fastd/ff{{ item.name }}/bin/up.sh
mode: 0744 mode: 0744
notify: restart fastd notify: restart fastd{{ item.name }}
with_items: "{{ sites }}"
- name: add fastd peers folder - name: add fastd peers folder
file: file:
path: /etc/fastd/ffmyk/peers path: /etc/fastd/ff{{ item.name }}/peers
state: directory state: directory
with_items: "{{ sites }}"
- name: add fastd peer api script - name: add fastd peer api script
copy: template:
src: fastd-api.php src: fastd-api.php.j2
dest: /etc/fastd/ffmyk/bin/fastd-api.php dest: /etc/fastd/ff{{ item.name }}/bin/fastd-api.php
with_items: "{{ sites }}"
- name: setup cronjob for fastd-api - name: setup cronjob for fastd-api
cron: cron:
name: fastd-api name: fastd-api-{{ item.name }}
minute: '*/10' minute: '*/10'
user: root user: root
cron_file: fastd-api cron_file: fastd-api
job: '/usr/bin/php /etc/fastd/ffmyk/bin/fastd-api.php' job: '/usr/bin/php /etc/fastd/ff{{ item.name }}/bin/fastd-api.php'
with_items: "{{ sites }}"
- name: start and enable fastd service - name: start and enable fastd service
systemd: systemd:
name: fastd@ffmyk.service name: fastd@ff{{ item.name }}.service
enabled: yes enabled: yes
state: started state: started
with_items: "{{ sites }}"

2
roles/install_fastd/files/fastd-api.php → roles/install_fastd/templates/fastd-api.php.j2
Unescape Escape View File

@ -2,7 +2,7 @@
<?php <?php
//$url = 'http://register.freifunk-myk.de/srvapi.php'; //$url = 'http://register.freifunk-myk.de/srvapi.php';
$url = 'https://www.freifunk-myk.de/node/keys'; $url = 'https://www.freifunk-myk.de/node/keys';
$out = '/etc/fastd/ffmyk/peers/'; $out = '/etc/fastd/ff{{ item.name }}/peers/';
if(!is_dir($out)) die('Output Dir missing'); if(!is_dir($out)) die('Output Dir missing');
if(!is_writable($out)) die('Output Dir perms'); if(!is_writable($out)) die('Output Dir perms');

12
roles/install_fastd/templates/fastd.conf.j2
Unescape Escape View File

@ -1,18 +1,16 @@
log to syslog level info; log to syslog level info;
interface "ffmyk-mesh-vpn"; interface "vpn{{ item.name }}";
method "salsa2012+gmac"; method "salsa2012+gmac";
method "salsa2012+umac"; method "salsa2012+umac";
secure handshakes yes; secure handshakes yes;
bind any:10000; bind any:{{ item.fastd_port1 }};
hide ip addresses yes; hide ip addresses yes;
hide mac addresses yes; hide mac addresses yes;
mtu 1280; mtu 1280;
peer group "clients" { peer group "clients" {
include peers from "peers"; include peers from "peers";
peer limit {{ fastd_peer_limit }};
} }
include peers from "backbone"; secret "{{ item.fastd_secret }}";
secret "{{ fastd_secret }}"; on up "/etc/fastd/ff{{ item.name }}/bin/up.sh $INTERFACE";
on up "/etc/fastd/ffmyk/bin/up.sh $INTERFACE"; status socket "/run/ff{{ item.name }}1.socket";
status socket "/run/ffmyk.socket";

14
roles/install_fastd/templates/fastd_up.sh.j2
Unescape Escape View File

@ -1,11 +1,11 @@
#!/bin/bash #!/bin/bash
ip link set address {{ fastd_mesh_mac }} dev $1 ip link set address {{ item.fastd_mesh_mac }} dev $1
ip link set up dev $1 ip link set up dev $1
batctl -m bat0 if add $1 batctl -m bat{{ item.name }} if add $1
batctl -m bat0 gw server 1000000/1000000 batctl -m bat{{ item.name }} gw server 1000000/1000000
batctl -m bat0 it 10000 batctl -m bat{{ item.name }} it 10000
batctl -m bat0 mm 1 batctl -m bat{{ item.name }} mm 1
echo 128 > /sys/class/net/bat0/mesh/hop_penalty echo 64 > /sys/class/net/bat0/mesh/hop_penalty
netctl start bat0 netctl start bat{{ item.name }}
systemctl restart dhcpd4.service systemctl restart dhcpd4.service
systemctl restart named.service systemctl restart named.service

5
roles/install_radvd/handlers/main.yml
Unescape Escape View File

@ -0,0 +1,5 @@
---
- name: restart radvd
systemd:
name: radvd.service
state: restarted

17
roles/install_radvd/tasks/main.yml
Unescape Escape View File

@ -0,0 +1,17 @@
---
- name: install radvd
pacman:
name: radvd
state: present
- name: radvd config
template:
src: radvd.conf.j2
dest: /etc/radvd.conf
notify: restart radvd
- name: start and enable radvd
systemd:
name: radvd.service
enabled: yes
state: started

26
roles/install_radvd/templates/radvd.conf.j2
Unescape Escape View File

@ -0,0 +1,26 @@
{% for site in sites %}
interface bat{{ site.name }}
{
AdvSendAdvert on;
IgnoreIfMissing on;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 900;
AdvDefaultPreference low;
AdvHomeAgentFlag off;
prefix {{ site.net6 }}
{
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
};
RDNSS {{ site.bat_ipv6 }}
{
AdvRDNSSLifetime 30;
};
};
{% endfor %}

20
roles/setup_batman/files/ffmyk-iproute.sh
Unescape Escape View File

@ -1,20 +0,0 @@
#!/bin/bash
#Routingtabelle ffmyk ist per default nicht erreichbar
ip route add unreachable default table ffmyk
#Alles, was mit 0x1 markiert wird gehört zu Tabelle ffmyk
ip rule add from all fwmark 0x1 table ffmyk
#Alles mit Freifunk-IP - woher auch immer - gehlrt zu Tabelle ffmyk
ip rule add from 10.222.0.0/16 table ffmyk
#Tabelle ffmyk routet das Ziel mit Freifunk-IPs über das Device bat0
ip route replace 10.222.0.0/16 dev bat0 table ffmyk
ip route replace 0.0.0.0/1 via 10.222.100.1 dev bat0 metric 666 table ffmyk # fastd1
ip route replace 128.0.0.0/1 via 10.222.100.1 dev bat0 metric 666 table ffmyk # fastd1
ip route replace 0.0.0.0/1 via 10.222.112.1 dev bat0 metric 667 table ffmyk # fastd2
ip route replace 128.0.0.0/1 via 10.222.112.1 dev bat0 metric 667 table ffmyk # fastd2
ip route replace 0.0.0.0/1 via 10.222.120.1 dev bat0 metric 668 table ffmyk # fastd3
ip route replace 128.0.0.0/1 via 10.222.120.1 dev bat0 metric 668 table ffmyk # fastd3

18
roles/setup_batman/tasks/main.yml
Unescape Escape View File

@ -14,18 +14,8 @@
name: batctl name: batctl
state: present state: present
- name: name ffmyk routing table - name: add batman netctl config for sites
lineinfile:
path: /etc/iproute2/rt_tables
line: 42 ffmyk
- name: copy ffmyk iproute config script
copy:
src: ffmyk-iproute.sh
dest: /usr/local/bin/ffmyk-iproute.sh
mode: 0744
- name: add netctl config
template: template:
src: netctl_bat0.j2 src: netctl_bat.j2
dest: /etc/netctl/bat0 dest: "/etc/netctl/bat{{ item.name }}"
with_items: "{{ sites }}"

8
roles/setup_batman/templates/netctl_bat.j2
Unescape Escape View File

@ -0,0 +1,8 @@
Connection=ethernet
Interface=bat{{ item.name }}
IP=static
IP6=static
Address6=({{ item.bat_ipv6 }}/64)
Address=({{ item.bat_ipv4 }}/20)
ExecUpPost=/usr/local/bin/ffmyk-iproute{{ item.name }}-up.sh
ExecDownPre=/usr/local/bin/ffmyk-iproute{{ item.name }}-down.sh

7
roles/setup_batman/templates/netctl_bat0.j2
Unescape Escape View File

@ -1,7 +0,0 @@
Connection=ethernet
Interface=bat0
IP=static
IP6=static
Address6=({{ bat0_ipv6 }}/64)
Address=({{ bat0_ipv4 }}/16)
ExecUpPost=/usr/local/bin/ffmyk-iproute.sh

10
setup_fastd.yml
Unescape Escape View File

@ -7,16 +7,18 @@
- configure_journald - configure_journald
- configure_sysctl - configure_sysctl
- configure_iptables - configure_iptables
- install_ssmtp - configure_static_routes
#- install_ssmtp
- install_cronie - install_cronie
- install_php - install_php
- install_nginx #- install_nginx
- install_ntp - install_ntp
- install_haveged - install_haveged
- setup_batman - setup_batman
- install_dhcp - install_dhcp
- install_radvd
- install_bind - install_bind
- install_fastd - install_fastd
- install_openvpn #- install_openvpn
- install_monitoring #- install_monitoring
- install_admin_packages - install_admin_packages

Write Preview
Loading…
Cancel
Save