diff --git a/group_vars/fastd b/group_vars/fastd index 21708ae..518834d 100644 --- a/group_vars/fastd +++ b/group_vars/fastd @@ -7,3 +7,4 @@ wireguard_bb_peers: pub_key: 'LobyJ67+/rGkTcFSchnJMz76MGVBAz5FrFypYq9GnzQ=' ipv4: '10.222.0.212' port: 10151 +dns_ip: '2a03:2260:1016::53' diff --git a/host_vars/ff-niyawe1 b/host_vars/ff-niyawe1 index c3d4942..df9ad3f 100644 --- a/host_vars/ff-niyawe1 +++ b/host_vars/ff-niyawe1 @@ -244,6 +244,19 @@ wireguard_bb_pub_key: 'zGubrJd9Wfa1Yo9I5xyJArdvX1bj7OS2VFth289PdlU=' wireguard_bb_ipv4: '10.222.0.11' wireguard_bb_ipv6: 'fe80::ffbb:ffbb:11' wireguard_bb_port: 10111 +wireguard_vpn_port: 10010 +wireguard_vpn_priv_key: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 34313130643739316461343031626565323930303465623238356636636531656630396433383036 + 6337386336633165636633353139323366323563333464380a393438343365363661633331356438 + 62326531336666326662323535366463333265313130343430653162646461383230363064366264 + 6431663833633537660a343830623735633330643935363232366532346664353834623636326462 + 33393133363464313665623963393534306235653239636438343537366533306166623535663336 + 3864646261313135386563613637613330343935333636633434 +wireguard_vpn_address: 'fe80::7e:adff:fefc:0b8c' +wireguard_vpn_client_range: '2a03:2260:1016:1000::/52' +tayga_ipv4: 10.1.0.1 +tayga_pool: 10.1.0.0/16 ffrl_ip4: '185.66.194.56' ffrl_peers: - name: 'bbaakber' diff --git a/host_vars/ff-niyawe2 b/host_vars/ff-niyawe2 index 99f2c8f..2c639dc 100644 --- a/host_vars/ff-niyawe2 +++ b/host_vars/ff-niyawe2 @@ -244,6 +244,19 @@ wireguard_bb_pub_key: 'ctSz9JjaPWM4Se39rSsbr39wXWfA1LJDF1OwwBui0VY=' wireguard_bb_ipv4: '10.222.0.12' wireguard_bb_ipv6: 'fe80::ffbb:ffbb:12' wireguard_bb_port: 10112 +wireguard_vpn_port: 10010 +wireguard_vpn_priv_key: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 36623962663931636165643834636338373230623438306431316338633765333434626462626636 + 6330346538316361376531353932666363303431313737640a333931366638326164333937656566 + 32393639376561396161313365343563383132663338363437376563653930643835303230613336 + 6232616639643564360a613333666165623036613866383236323335383233376439386463333535 + 32616431393965313839613264326137633063366530336461643534623833306466653330373666 + 6364666534323361663937613837313031356262363338386563 +wireguard_vpn_address: 'fe80::ce:30ff:fe37:94da' +wireguard_vpn_client_range: '2a03:2260:1016:2000::/52' +tayga_ipv4: 10.2.0.1 +tayga_pool: 10.2.0.0/16 ffrl_ip4: '185.66.194.57' ffrl_peers: - name: 'bbafra2fra' diff --git a/roles/configure_aurto_repo/tasks/main.yml b/roles/configure_aurto_repo/tasks/main.yml new file mode 100644 index 0000000..e8ab37e --- /dev/null +++ b/roles/configure_aurto_repo/tasks/main.yml @@ -0,0 +1,19 @@ +--- +- name: add aurto repo (1/3) + ansible.builtin.lineinfile: + path: /etc/pacman.conf + line: "[aurto]" + +- name: add aurto repo (2/3) + ansible.builtin.lineinfile: + path: /etc/pacman.conf + line: "SigLevel = Optional TrustAll" + +- name: add aurto repo (3/3) + ansible.builtin.lineinfile: + path: /etc/pacman.conf + line: "Server = https://aur.niyawe.de/" + +- name: update pacman cache + pacman: + update_cache: yes diff --git a/roles/configure_iptables/templates/ip6tables.rules b/roles/configure_iptables/templates/ip6tables.rules index 80e8b30..51287c0 100644 --- a/roles/configure_iptables/templates/ip6tables.rules +++ b/roles/configure_iptables/templates/ip6tables.rules @@ -52,6 +52,8 @@ COMMIT -A INPUT -p udp -m udp --dport 10010:10023 -j ACCEPT # respondd -A INPUT -i bat+ -p udp -m udp --dport 1001 -j ACCEPT +# wg_prefix_provider +-A INPUT -i wgmyk -s fe80::/64 -p tcp -m tcp --dport 9999 -j ACCEPT # wireguard_mesh {% for site in sites %} -A INPUT -s 2a03:2260:1016::/48 -p udp -m udp --dport {{ site.wireguard_mesh_port }} -j DROP diff --git a/roles/configure_static_routes/files/ffmyk-iproute.sh b/roles/configure_static_routes/files/ffmyk-iproute.sh index 831d30d..83cb5aa 100755 --- a/roles/configure_static_routes/files/ffmyk-iproute.sh +++ b/roles/configure_static_routes/files/ffmyk-iproute.sh @@ -2,7 +2,11 @@ #Alles, was mit 0x1 markiert wird gehört zu Tabelle ffmyk ip -4 rule add from all fwmark 0x1 table ffmyk priority 10 ip -6 rule add from all fwmark 0x1 table ffmyk priority 10 +ip -4 rule add iif nat64 table ffmyk priority 10 +ip -6 rule add iif nat64 table ffmyk priority 10 +ip -4 rule add to 10.1.0.0/16 table ffmyk priority 10 +ip -4 rule add to 10.2.0.0/16 table ffmyk priority 10 #Alles mit Freifunk-IP - woher auch immer - gehört zu Tabelle ffmyk ip -4 rule add to 10.222.1.0/24 table ffmyk priority 10 ip -4 rule add to 10.222.2.0/23 table ffmyk priority 10 @@ -16,3 +20,6 @@ ip -6 rule add to 2001:470:cd45:ff00::/56 table ffmyk priority 10 ip -6 rule add to 2a03:2260:1016::/48 table ffmyk priority 10 ip -6 rule add to 64:ff9b::/96 table ffmyk priority 10 ip -6 rule add to fd62:44e1:da::/48 table ffmyk priority 10 + +ip -4 rule add from all iif nat64 type unreachable priority 200 +ip -6 rule add from all iif nat64 type unreachable priority 200 diff --git a/roles/install_babeld/tasks/main.yml b/roles/install_babeld/tasks/main.yml index a8299da..94b3ce5 100644 --- a/roles/install_babeld/tasks/main.yml +++ b/roles/install_babeld/tasks/main.yml @@ -1,5 +1,5 @@ --- -- name: install fastd +- name: install babeld pacman: name: babeld state: present diff --git a/roles/install_bind/tasks/main.yml b/roles/install_bind/tasks/main.yml index a7391e5..a11d247 100644 --- a/roles/install_bind/tasks/main.yml +++ b/roles/install_bind/tasks/main.yml @@ -11,6 +11,16 @@ owner: named group: named +- name: create systemd-folder + file: + path: /etc/systemd/system/named.service.d + state: directory + +- name: bind ip override + template: + src: ipv6.conf.j2 + dest: /etc/systemd/system/named.service.d/ipv6.conf + - name: bind config template: src: named.conf.j2 diff --git a/roles/install_bind/templates/ipv6.conf.j2 b/roles/install_bind/templates/ipv6.conf.j2 new file mode 100644 index 0000000..0bc8416 --- /dev/null +++ b/roles/install_bind/templates/ipv6.conf.j2 @@ -0,0 +1,2 @@ +[Service] +ExecStartPre=/usr/bin/ip addr replace {{ dns_ip }}/128 dev lo diff --git a/roles/install_bind/templates/named.conf.j2 b/roles/install_bind/templates/named.conf.j2 index 25d3470..352c1fa 100644 --- a/roles/install_bind/templates/named.conf.j2 +++ b/roles/install_bind/templates/named.conf.j2 @@ -10,6 +10,7 @@ options { auth-nxdomain no; # conform to RFC1035 listen-on-v6 { + 2a03:2260:1016::53; {% for site in sites %} {{ site.bat_ipv6 }}; {% endfor %} diff --git a/roles/install_monitoring/files/munin/munin_fastd_peers b/roles/install_monitoring/files/munin/munin_fastd_peers deleted file mode 100644 index 17a0084..0000000 --- a/roles/install_monitoring/files/munin/munin_fastd_peers +++ /dev/null @@ -1,73 +0,0 @@ -#!/usr/bin/perl -w -# -*- perl -*- - -=head1 NAME - -fastd_peers_ - Plugin to monitor fastd peers - -=head1 CONFIGURATION - -Set user and group to have access to the socket -Set path to socketfile if not /tmp/fastd.sock - - [fastd_peers_*] - user fastd - group fastd - env.socketfile /tmp/fastd.sock - -=head1 USAGE - -Link this plugin to /etc/munin/plugins/ - -After creating the links, restart munin-node. Don't forget to configure the plugin! - -=head1 AUTHORS - -Dominique Goersch -Niklas Yann Wettengel - -=head1 LICENSE - -GPLv2 - -=head1 MAGIC MARKERS - - #%# family=manual - -=cut - - -use strict; -use warnings; -use File::Basename; -use IO::Socket::UNIX qw( SOCK_STREAM ); -use JSON; - -if ($ARGV[0] and $ARGV[0] eq "config") { #config graph - print "graph_title fastd peers\n"; - print "graph_info This graph shows the peers of the fastd on this supernode\n"; - print "graph_args -l 0\n"; - print "graph_scale no\n"; - print "graph_vlabel peers count\n"; - print "graph_category fastd\n"; - print "peers.label peers\n"; - print "peers.draw AREA\n"; - exit 0; -} - - -my $statusfile = exists $ENV{'socketfile'} ? $ENV{'socketfile'} : "/tmp/fastd.sock"; #get path to socket from environment or use default -my $socket = IO::Socket::UNIX->new(Type => SOCK_STREAM,Peer => $statusfile) #open socket - or die("Can't connect to server: $!\n"); - -my $fastdstatus = ""; -foreach my $line (<$socket>) {$fastdstatus .= $line;} #read contents from socket -my $json = decode_json($fastdstatus); #decode json - -#my $fastd_peers = scalar(keys(%{$json->{peers}})); #get number of peers from json -my $fastd_peers = 0; -for my $key (keys(%{$json->{peers}})) { - $fastd_peers = $fastd_peers + ($json->{peers}{$key}{connection}? 1 : 0); -} - -print "peers.value $fastd_peers\n"; #return number of peers diff --git a/roles/install_monitoring/files/munin/munin_fastd_plugin b/roles/install_monitoring/files/munin/munin_fastd_plugin deleted file mode 100755 index 35ad65d..0000000 --- a/roles/install_monitoring/files/munin/munin_fastd_plugin +++ /dev/null @@ -1,124 +0,0 @@ -#!/usr/bin/perl -w -# -*- perl -*- - -=head1 NAME - -fastd_ - Plugin to monitor fastd uptime, peers and traffic - -=head1 CONFIGURATION - -Set user and group to have access to the socket -Set path to socketfile if not /tmp/fastd.sock - - [fastd_*] - user fastd - group fastd - env.socketfile /tmp/fastd.sock - -=head1 USAGE - -Link this plugin to /etc/munin/plugins/ with the type of graph (uptime, peers, traffic) -append to the linkname, ie: /etc/munin/plugins/fastd_peers - -After creating the links, restart munin-node. Don't forget to configure the plugin! - -=head1 AUTHORS - -Dominique Goersch - -=head1 LICENSE - -GPLv2 - -=head1 MAGIC MARKERS - - #%# family=manual - #%# capabilities=suggest - -=cut - - -use strict; -use warnings; -use File::Basename; -use IO::Socket::UNIX qw( SOCK_STREAM ); -use JSON; - -my $mode = basename($0); #get basename -$mode =~ s/fastd_//; #and strip 'fastd_' to get the mode - -if ($ARGV[0] and $ARGV[0] eq "config") { #config graph - if ($mode eq 'uptime') { #for uptime - print "graph_title fastd Uptime\n"; - print "graph_info This graph shows the uptime of the fastd on this supernode\n"; - print "graph_args -l 0\n"; - print "graph_scale no\n"; - print "graph_vlabel uptime in days\n"; - print "graph_category fastd\n"; - print "uptime.label uptime\n"; - print "uptime.draw AREA\n"; - } - elsif ($mode eq 'peers') { #for peers - print "graph_title fastd peers\n"; - print "graph_info This graph shows the peers of the fastd on this supernode\n"; - print "graph_args -l 0\n"; - print "graph_scale no\n"; - print "graph_vlabel peers count\n"; - print "graph_category fastd\n"; - print "peers.label peers\n"; - print "peers.draw AREA\n"; - } - elsif ($mode eq 'traffic') { #for traffic - print "graph_order down up\n"; - print "graph_title fastd traffic\n"; - print "graph_args --base 1000\n"; - print "graph_vlabel bits in (-) / out (+) per second\n"; - print "graph_category fastd\n"; - print "graph_info This graph shows the traffic of fast.\n"; - print "down.label received\n"; - print "down.type DERIVE\n"; - print "down.graph no\n"; - print "down.cdef down,8,*\n"; - print "down.min 0\n"; - print "up.label bps\n"; - print "up.type DERIVE\n"; - print "up.negative down\n"; - print "up.cdef up,8,*\n"; - print "up.min 0\n"; - } - exit 0; -} - -if ($ARGV[0] and $ARGV[0] eq "suggest") { #tell munin about our graphs - print "uptime\n"; - print "peers\n"; - print "traffic\n"; -} - - - -my $statusfile = exists $ENV{'socketfile'} ? $ENV{'socketfile'} : "/tmp/fastd.sock"; #get path to socket from environment or use default -my $socket = IO::Socket::UNIX->new(Type => SOCK_STREAM,Peer => $statusfile) #open socket - or die("Can't connect to server: $!\n"); - -my $fastdstatus = ""; -foreach my $line (<$socket>) {$fastdstatus .= $line;} #read contents from socket -my $json = decode_json($fastdstatus); #decode json - -my $fastd_uptime = $json->{uptime}; #get the uptime from json -#my $fastd_peers = scalar(keys(%{$json->{peers}})); #get number of peers from json -my $fastd_peers = 0; -for my $key (keys(%{$json->{peers}})) { - $fastd_peers = $fastd_peers + ($json->{peers}{$key}{connection}? 1 : 0); -} -my $fastd_rx_bytes = $json->{statistics}->{rx}->{bytes}; #get recieved bytes from json -my $fastd_tx_bytes = $json->{statistics}->{tx}->{bytes}; #get transmittetd bytes from json - -if ( $mode eq 'uptime' ) { - printf "uptime.value %.0f\n",$fastd_uptime/86400000; #return uptime in seconds -} elsif ($mode eq 'peers') { - print "peers.value $fastd_peers\n"; #return number of peers -} elsif ($mode eq 'traffic') { - print "up.value $fastd_tx_bytes\n"; #return transmitted bytes - print "down.value $fastd_rx_bytes\n"; #and recieved bytes -} diff --git a/roles/install_monitoring/files/munin/munin_fastd_traffic b/roles/install_monitoring/files/munin/munin_fastd_traffic deleted file mode 100644 index 6b60a94..0000000 --- a/roles/install_monitoring/files/munin/munin_fastd_traffic +++ /dev/null @@ -1,79 +0,0 @@ -#!/usr/bin/perl -w -# -*- perl -*- - -=head1 NAME - -fastd_traffic_ - Plugin to monitor fastd traffic - -=head1 CONFIGURATION - -Set user and group to have access to the socket -Set path to socketfile if not /tmp/fastd.sock - - [fastd_traffic_*] - user fastd - group fastd - env.socketfile /tmp/fastd.sock - -=head1 USAGE - -Link this plugin to /etc/munin/plugins/ - -After creating the links, restart munin-node. Don't forget to configure the plugin! - -=head1 AUTHORS - -Dominique Goersch -Niklas Yann Wettengel - -=head1 LICENSE - -GPLv2 - -=head1 MAGIC MARKERS - - #%# family=manual - -=cut - - -use strict; -use warnings; -use File::Basename; -use IO::Socket::UNIX qw( SOCK_STREAM ); -use JSON; - -if ($ARGV[0] and $ARGV[0] eq "config") { #config graph - print "graph_order down up\n"; - print "graph_title fastd traffic\n"; - print "graph_args --base 1000\n"; - print "graph_vlabel bits in (-) / out (+) per second\n"; - print "graph_category fastd\n"; - print "graph_info This graph shows the traffic of fast.\n"; - print "down.label received\n"; - print "down.type DERIVE\n"; - print "down.graph no\n"; - print "down.cdef down,8,*\n"; - print "down.min 0\n"; - print "up.label bps\n"; - print "up.type DERIVE\n"; - print "up.negative down\n"; - print "up.cdef up,8,*\n"; - print "up.min 0\n"; - exit 0; -} - - -my $statusfile = exists $ENV{'socketfile'} ? $ENV{'socketfile'} : "/tmp/fastd.sock"; #get path to socket from environment or use default -my $socket = IO::Socket::UNIX->new(Type => SOCK_STREAM,Peer => $statusfile) #open socket - or die("Can't connect to server: $!\n"); - -my $fastdstatus = ""; -foreach my $line (<$socket>) {$fastdstatus .= $line;} #read contents from socket -my $json = decode_json($fastdstatus); #decode json - -my $fastd_rx_bytes = $json->{statistics}->{rx}->{bytes}; #get recieved bytes from json -my $fastd_tx_bytes = $json->{statistics}->{tx}->{bytes}; #get transmittetd bytes from json - -print "up.value $fastd_tx_bytes\n"; #return transmitted bytes -print "down.value $fastd_rx_bytes\n"; #and recieved bytes diff --git a/roles/install_monitoring/tasks/install_munin.yml b/roles/install_monitoring/tasks/install_munin.yml index c843bfe..b17b0f9 100644 --- a/roles/install_monitoring/tasks/install_munin.yml +++ b/roles/install_monitoring/tasks/install_munin.yml @@ -15,42 +15,6 @@ name: perl-json state: present -- name: copy fastd peers plugin - copy: - src: munin/munin_fastd_peers - dest: /usr/lib/munin/plugins/fastd_peers_ - mode: 0755 - notify: restart munin-node - -- name: copy fastd traffic plugin - copy: - src: munin/munin_fastd_traffic - dest: /usr/lib/munin/plugins/fastd_traffic_ - mode: 0755 - notify: restart munin-node - -- name: enable munin plugins for fastd peers - file: - path: /etc/munin/plugins/fastd_peers_ff{{ item.name }} - src: /usr/lib/munin/plugins/fastd_peers_ - state: link - with_items: "{{ sites }}" - notify: restart munin-node - -- name: enable munin plugins for fastd traffic - file: - path: /etc/munin/plugins/fastd_traffic_ff{{ item.name }} - src: /usr/lib/munin/plugins/fastd_traffic_ - state: link - with_items: "{{ sites }}" - notify: restart munin-node - -- name: copy fastd plugin config - template: - src: munin_fastd_conf.j2 - dest: /etc/munin/plugin-conf.d/fastd - notify: restart munin-node - - name: copy wg peers plugin copy: src: munin/munin_wg_peers diff --git a/roles/install_respondd_poller/files/requirements.txt b/roles/install_respondd_poller/files/requirements.txt new file mode 100644 index 0000000..83bb832 --- /dev/null +++ b/roles/install_respondd_poller/files/requirements.txt @@ -0,0 +1,2 @@ +wgnlpy +requests diff --git a/roles/install_respondd_poller/files/respondd_poller.py b/roles/install_respondd_poller/files/respondd_poller.py new file mode 100644 index 0000000..1eb98a1 --- /dev/null +++ b/roles/install_respondd_poller/files/respondd_poller.py @@ -0,0 +1,147 @@ +#!/usr/bin/env python + +import socket +import ipaddress +import threading +import time +import zlib +import json +import os.path +import sys +from wgnlpy import WireGuard +import requests +from xml.etree import ElementTree + +if not os.path.exists("/etc/respondd_poller.json"): + print("/etc/respondd_poller.json missing") + sys.exit(1) + +interface = None +prefix = None +yanic_addr = None +request = None + +with open("/etc/respondd_poller.json", "r") as f: + config = json.load(f) + if "interface" in config: + interface = config["interface"] + if "prefix" in config: + prefix = ipaddress.IPv6Network(config["prefix"]) + if "yanic_addr" in config and "yanic_port" in config: + yanic_addr = (config["yanic_addr"], int(config["yanic_port"])) + if "request" in config: + request = config["request"].encode("ascii") + +wg = WireGuard() +sock = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) +last_request = dict() +last_response = dict() + +def get_wg_peers(): + wgpeers = wg.get_interface(interface).peers + for peer in wgpeers: + for ip in wgpeers[peer].allowedips: + if ip.subnet_of(prefix): + yield ip + +def inflate(data): + decompress = zlib.decompressobj(-zlib.MAX_WBITS) + inflated = decompress.decompress(data) + inflated += decompress.flush() + return inflated.decode() + +def cleanup(): + while True: + time.sleep(60) + old = time.monotonic() - 360 + ips = [] + macs = [] + for ip in last_request: + if last_response[ip] < old: + ips.append(ip) + for ip in ips: + del last_response[ip] + del last_request[ip] + +def recv(): + global sock + while True: + data, addr = sock.recvfrom(1500) + sock.sendto(data, yanic_addr) + j = json.loads(inflate(data)) + last_response[ipaddress.IPv6Address(addr[0])] = time.monotonic() + +def send(ip): + global request + try: + sock.sendto(request, (bytearray(str(ip).encode('ascii')), 1001)) + except: + print("failed to send packet to", ip) + return + +def get_http_nodeinfo(ip): + global last_request + now = time.monotonic() + try: + status = requests.get('http://[' + str(ip) + ']/cgi-bin/status') + except: + return + status_tree = ElementTree.fromstring(status.content) + mesh_ifs = [] + interface_list = status_tree.findall(".//*[@data-interface]") + for interface in interface_list: + mesh_ifs.append(interface.attrib["data-interface"]) + for mesh_if in mesh_ifs: + try: + nodeinfo = requests.get('http://[' + str(ip) + ']/cgi-bin/dyn/neighbours-nodeinfo?' + mesh_if) + except: + return + for line in nodeinfo.content.split(b'\n'): + if line.startswith(b'data: {'): + data = line.split(b': ', maxsplit=1)[1] + data = json.loads(data) + if "network" in data and "addresses" in data["network"]: + for address in data["network"]["addresses"]: + if ipaddress.IPv6Network(address).subnet_of(prefix): + node_ip = ipaddress.IPv6Address(address) + if node_ip not in last_request: + last_request[node_ip] = now + last_response[node_ip] = now + +def scan_wg_peers(): + global last_request + while True: + print("scanning wg peers") + request_threads = [] + now = time.monotonic() + for net in get_wg_peers(): + ip = ipaddress.IPv6Address(str(net.network_address) + "1") + if ip not in last_request: + last_request[ip] = now + last_response[ip] = now + request_thread = threading.Thread(target=get_http_nodeinfo, args=(ip,)) + request_thread.start() + request_threads.append(request_thread) + if len(request_threads) > 10: + for thread in request_threads: + thread.join() + request_threads = [] + time.sleep(60) + + +listen_thread = threading.Thread(target=recv) +listen_thread.start() +cleanup_thread = threading.Thread(target=cleanup) +cleanup_thread.start() +scan_thread = threading.Thread(target=scan_wg_peers) +scan_thread.start() + +last_wg_time = 0 + +while True: + now = time.monotonic() + for ip in last_request: + if now - last_request[ip] > 15: + last_request[ip] = now + send(ip) + time.sleep(1) diff --git a/roles/install_respondd_poller/files/respondd_poller.service b/roles/install_respondd_poller/files/respondd_poller.service new file mode 100644 index 0000000..96e309c --- /dev/null +++ b/roles/install_respondd_poller/files/respondd_poller.service @@ -0,0 +1,12 @@ +[Unit] +Description=respondd_poller +After=network.target + +[Service] +ExecStart=/opt/respondd_poller/venv/bin/python -u /opt/respondd_poller/respondd_poller.py +Restart=always +WorkingDirectory=/opt/respondd_poller +Environment=PYTHONPATH=/opt/respondd_poller + +[Install] +WantedBy=multi-user.target diff --git a/roles/install_respondd_poller/tasks/main.yml b/roles/install_respondd_poller/tasks/main.yml new file mode 100644 index 0000000..aa03558 --- /dev/null +++ b/roles/install_respondd_poller/tasks/main.yml @@ -0,0 +1,48 @@ +--- +- name: install respondd_poller dependencies + pacman: + name: + - git + - python-virtualenv + - python-setuptools + state: present + +- name: create venv + command: + cmd: "python -m venv /opt/respondd_poller/venv" + creates: /opt/respondd_poller/venv + +- name: install respondd_poller requirements + copy: + src: requirements.txt + dest: /opt/respondd_poller/requirements.txt + mode: 0644 + +- name: install respondd_poller script + copy: + src: respondd_poller.py + dest: /opt/respondd_poller/respondd_poller.py + mode: 0644 + +- name: install requirements + pip: + requirements: /opt/respondd_poller/requirements.txt + virtualenv: /opt/respondd_poller/venv + +- name: install respondd_poller config + template: + src: respondd_poller.json.j2 + dest: /etc/respondd_poller.json + mode: 0644 + +- name: create respondd_poller service + copy: + src: respondd_poller.service + dest: /etc/systemd/system/respondd_poller.service + mode: 0644 + +- name: start and enable respondd_poller service + systemd: + name: respondd_poller + state: started + enabled: yes diff --git a/roles/install_respondd_poller/templates/respondd_poller.json.j2 b/roles/install_respondd_poller/templates/respondd_poller.json.j2 new file mode 100644 index 0000000..c3f6574 --- /dev/null +++ b/roles/install_respondd_poller/templates/respondd_poller.json.j2 @@ -0,0 +1,7 @@ +{ + "interface":"wgmyk", + "prefix":"2a03:2260:1016::/48", + "yanic_addr": "fe80::41:18ff:fec5:5041%wgmyk", + "yanic_port": 10001, + "request":"GET nodeinfo statistics neighbours" +} diff --git a/roles/install_tayga/handlers/main.yml b/roles/install_tayga/handlers/main.yml new file mode 100644 index 0000000..38fc10b --- /dev/null +++ b/roles/install_tayga/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: restart tayga + systemd: + name: tayga.service + state: restarted diff --git a/roles/install_tayga/tasks/main.yml b/roles/install_tayga/tasks/main.yml new file mode 100644 index 0000000..0f38790 --- /dev/null +++ b/roles/install_tayga/tasks/main.yml @@ -0,0 +1,25 @@ +--- +- name: install tayga + pacman: + name: tayga + state: present + +- name: tayga.conf + template: + src: tayga.conf.j2 + dest: /etc/tayga.conf + mode: 0644 + notify: restart tayga + +- name: systemd override.conf + template: + src: systemd_override.conf.j2 + dest: /etc/systemd/system/tayga.service.d/override.conf + mode: 0644 + notify: restart tayga + +- name: start and enable tayga service + systemd: + name: tayga.service + enabled: yes + state: started diff --git a/roles/install_tayga/templates/systemd_override.conf.j2 b/roles/install_tayga/templates/systemd_override.conf.j2 new file mode 100644 index 0000000..a3e7229 --- /dev/null +++ b/roles/install_tayga/templates/systemd_override.conf.j2 @@ -0,0 +1,10 @@ +[Service] +ExecStart= +ExecStartPre=/usr/bin/tayga --mktun --config /etc/tayga.conf +ExecStartPre=/usr/bin/ip link set nat64 up +ExecStartPre=/usr/bin/ip addr replace {{ tayga_ipv4 }}/32 dev nat64 +ExecStartPre=/usr/bin/ip addr replace 2a03:2260:1016::64/128 dev nat64 +ExecStartPre=/usr/bin/ip route replace {{ tayga_pool }} dev nat64 table ffmyk +ExecStartPre=/usr/bin/ip -6 route replace 64:ff9b::/96 dev nat64 table ffmyk +ExecStart=/usr/bin/tayga --nodetach --config /etc/tayga.conf +Restart=always diff --git a/roles/install_tayga/templates/tayga.conf.j2 b/roles/install_tayga/templates/tayga.conf.j2 new file mode 100644 index 0000000..8606dcb --- /dev/null +++ b/roles/install_tayga/templates/tayga.conf.j2 @@ -0,0 +1,6 @@ +tun-device nat64 +ipv4-addr {{ tayga_ipv4 }} +ipv6-addr 2a03:2260:1016::64 +prefix 64:ff9b::/96 +dynamic-pool {{ tayga_pool }} +data-dir /var/db/tayga diff --git a/roles/install_wg_add_vpn/tasks/main.yml b/roles/install_wg_add_vpn/tasks/main.yml new file mode 100644 index 0000000..40ed07c --- /dev/null +++ b/roles/install_wg_add_vpn/tasks/main.yml @@ -0,0 +1,30 @@ +--- +- name: install wg_add dependencies + pacman: + name: + - git + - make + - gcc + state: present + +- name: clone wg_add repo + git: + repo: https://github.com/FreifunkMYK/wg_add.git + dest: /opt/wg_add_vpn + version: vpn + +- name: build wg_add + make: + chdir: /opt/wg_add_vpn + +- name: install wg_add service + template: + src: wg_add_vpn.service.j2 + dest: /etc/systemd/system/wg_add_vpn.service + mode: 0644 + +- name: start and enable wgkex service + systemd: + name: wg_add_vpn + state: started + enabled: yes diff --git a/roles/install_wg_add_vpn/templates/wg_add_vpn.service.j2 b/roles/install_wg_add_vpn/templates/wg_add_vpn.service.j2 new file mode 100644 index 0000000..da1470d --- /dev/null +++ b/roles/install_wg_add_vpn/templates/wg_add_vpn.service.j2 @@ -0,0 +1,10 @@ +[Unit] +Description=wg_add +After=network.target + +[Service] +ExecStart=/opt/wg_add_vpn/wg_add {{ ansible_default_ipv4.interface }} wgmyk +Restart=always + +[Install] +WantedBy=multi-user.target diff --git a/roles/install_wg_prefix_provider/tasks/main.yml b/roles/install_wg_prefix_provider/tasks/main.yml new file mode 100644 index 0000000..a155300 --- /dev/null +++ b/roles/install_wg_prefix_provider/tasks/main.yml @@ -0,0 +1,29 @@ +--- +- name: install wg_prefix_provider dependencies + pacman: + name: + - git + - make + - gcc + state: present + +- name: clone wg_prefix_provider repo + git: + repo: https://github.com/FreifunkMYK/wg_prefix_provider.git + dest: /opt/wg_prefix_provider + +- name: build wg_prefix_provider + make: + chdir: /opt/wg_prefix_provider + +- name: install wg_prefix_provider service + template: + src: wg_prefix_provider.service.j2 + dest: /etc/systemd/system/wg_prefix_provider.service + mode: 0644 + +- name: start and enable wg_prefix_provider service + systemd: + name: wg_prefix_provider + state: started + enabled: yes diff --git a/roles/install_wg_prefix_provider/templates/wg_prefix_provider.service.j2 b/roles/install_wg_prefix_provider/templates/wg_prefix_provider.service.j2 new file mode 100644 index 0000000..485517a --- /dev/null +++ b/roles/install_wg_prefix_provider/templates/wg_prefix_provider.service.j2 @@ -0,0 +1,10 @@ +[Unit] +Description=wg_prefix_provider +After=network.target + +[Service] +ExecStart=/opt/wg_prefix_provider/wg_prefix_provider wgmyk 9999 {{ wireguard_vpn_client_range }} +Restart=always + +[Install] +WantedBy=multi-user.target diff --git a/roles/install_wireguard_vpn/tasks/main.yml b/roles/install_wireguard_vpn/tasks/main.yml new file mode 100644 index 0000000..3ca9dcc --- /dev/null +++ b/roles/install_wireguard_vpn/tasks/main.yml @@ -0,0 +1,24 @@ +--- +- name: create wireguard config for wgmyk + template: + src: wg.conf.j2 + dest: /etc/wireguard/wgmyk.conf + mode: 0400 + +- name: create wireguard up scripts for wgmyk + template: + src: up.sh.j2 + dest: /etc/wireguard/upmyk.sh + mode: 0744 + +- name: create wireguard down scripts for wgmyk + template: + src: down.sh.j2 + dest: /etc/wireguard/downmyk.sh + mode: 0744 + +- name: start and enable wireguard mesh + systemd: + name: wg-quick@wgmyk.service + enabled: yes + state: started diff --git a/roles/install_wireguard_vpn/templates/down.sh.j2 b/roles/install_wireguard_vpn/templates/down.sh.j2 new file mode 100644 index 0000000..d33011f --- /dev/null +++ b/roles/install_wireguard_vpn/templates/down.sh.j2 @@ -0,0 +1,6 @@ +#!/bin/bash + +ip -6 route del {{ wireguard_vpn_client_range }} table ffmyk dev wgmyk + +ip -6 rule del iif wgmyk +ip -6 rule del from {{ wireguard_vpn_client_range }} diff --git a/roles/install_wireguard_vpn/templates/up.sh.j2 b/roles/install_wireguard_vpn/templates/up.sh.j2 new file mode 100644 index 0000000..c57d16f --- /dev/null +++ b/roles/install_wireguard_vpn/templates/up.sh.j2 @@ -0,0 +1,9 @@ +#!/bin/bash + +ip -6 rule add iif wgmyk table ffmyk priority 10 +ip -6 rule add from {{ wireguard_vpn_client_range }} table ffmyk priority 10 + +ip -6 rule add from all iif wgmyk type unreachable priority 200 + +ip -6 route add {{ wireguard_vpn_client_range }} table ffmyk dev wgmyk +systemctl restart named.service diff --git a/roles/install_wireguard_vpn/templates/wg.conf.j2 b/roles/install_wireguard_vpn/templates/wg.conf.j2 new file mode 100644 index 0000000..3e25549 --- /dev/null +++ b/roles/install_wireguard_vpn/templates/wg.conf.j2 @@ -0,0 +1,7 @@ +[Interface] +ListenPort = {{ wireguard_vpn_port }} +PrivateKey = {{ wireguard_vpn_priv_key }} +Address = {{ wireguard_vpn_address }}/128 +MTU = 1400 +PostUp = /etc/wireguard/upmyk.sh +PreDown = /etc/wireguard/downmyk.sh diff --git a/roles/setup_ffrl_tunnel/templates/bird.conf b/roles/setup_ffrl_tunnel/templates/bird.conf index 2ba27c7..c609a5b 100644 --- a/roles/setup_ffrl_tunnel/templates/bird.conf +++ b/roles/setup_ffrl_tunnel/templates/bird.conf @@ -84,6 +84,7 @@ protocol static ffrl_uplink_hostroute4 { protocol static ffrl_public_routes6 { ipv6 { table ffrl6; }; route 2a03:2260:1016::/48 reject; + route {{ wireguard_vpn_client_range }} reject; } # Wir legen die Transfernetze in die interne BIRD Routing Table diff --git a/setup_fastd.yml b/setup_fastd.yml index e55f267..3bcb077 100644 --- a/setup_fastd.yml +++ b/setup_fastd.yml @@ -3,6 +3,7 @@ hosts: fastd user: root roles: + - configure_aurto_repo - configure_journald - configure_sysctl - configure_iptables @@ -18,10 +19,14 @@ - install_bind - install_wireguard - install_wireguard_mesh + - install_wireguard_vpn - install_wireguard_backbone - install_babeld + - install_tayga - install_wg_add - - install_fastd + - install_wg_add_vpn + - install_wg_prefix_provider + - install_respondd_poller - install_mesh-announce - install_monitoring - install_iperf3