new net with nat64

3 years ago · fb0dbf28a0
parent b53a8cf228
commit fb0dbf28a0
33 changed files with 463 additions and 314 deletions
--- a/group_vars/fastd
+++ b/group_vars/fastd
@ -7,3 +7,4 @@ wireguard_bb_peers:
    pub_key: 'LobyJ67+/rGkTcFSchnJMz76MGVBAz5FrFypYq9GnzQ='
    ipv4: '10.222.0.212'
    port: 10151
 dns_ip: '2a03:2260:1016::53'
--- a/host_vars/ff-niyawe1
+++ b/host_vars/ff-niyawe1
@ -244,6 +244,19 @@ wireguard_bb_pub_key: 'zGubrJd9Wfa1Yo9I5xyJArdvX1bj7OS2VFth289PdlU='
 wireguard_bb_ipv4: '10.222.0.11'
 wireguard_bb_ipv6: 'fe80::ffbb:ffbb:11'
 wireguard_bb_port: 10111
 wireguard_vpn_port: 10010
 wireguard_vpn_priv_key: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          34313130643739316461343031626565323930303465623238356636636531656630396433383036
          6337386336633165636633353139323366323563333464380a393438343365363661633331356438
          62326531336666326662323535366463333265313130343430653162646461383230363064366264
          6431663833633537660a343830623735633330643935363232366532346664353834623636326462
          33393133363464313665623963393534306235653239636438343537366533306166623535663336
          3864646261313135386563613637613330343935333636633434
 wireguard_vpn_address: 'fe80::7e:adff:fefc:0b8c'
 wireguard_vpn_client_range: '2a03:2260:1016:1000::/52'
 tayga_ipv4: 10.1.0.1
 tayga_pool: 10.1.0.0/16
 ffrl_ip4: '185.66.194.56'
 ffrl_peers:
  - name: 'bbaakber'
--- a/host_vars/ff-niyawe2
+++ b/host_vars/ff-niyawe2
@ -244,6 +244,19 @@ wireguard_bb_pub_key: 'ctSz9JjaPWM4Se39rSsbr39wXWfA1LJDF1OwwBui0VY='
 wireguard_bb_ipv4: '10.222.0.12'
 wireguard_bb_ipv6: 'fe80::ffbb:ffbb:12'
 wireguard_bb_port: 10112
 wireguard_vpn_port: 10010
 wireguard_vpn_priv_key: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          36623962663931636165643834636338373230623438306431316338633765333434626462626636
          6330346538316361376531353932666363303431313737640a333931366638326164333937656566
          32393639376561396161313365343563383132663338363437376563653930643835303230613336
          6232616639643564360a613333666165623036613866383236323335383233376439386463333535
          32616431393965313839613264326137633063366530336461643534623833306466653330373666
          6364666534323361663937613837313031356262363338386563
 wireguard_vpn_address: 'fe80::ce:30ff:fe37:94da'
 wireguard_vpn_client_range: '2a03:2260:1016:2000::/52'
 tayga_ipv4: 10.2.0.1
 tayga_pool: 10.2.0.0/16
 ffrl_ip4: '185.66.194.57'
 ffrl_peers:
  - name: 'bbafra2fra'
--- a/roles/configure_aurto_repo/tasks/main.yml
+++ b/roles/configure_aurto_repo/tasks/main.yml
@ -0,0 +1,19 @@
 ---
 - name: add aurto repo (1/3)
  ansible.builtin.lineinfile:
      path: /etc/pacman.conf
      line: "[aurto]"
 - name: add aurto repo (2/3)
  ansible.builtin.lineinfile:
      path: /etc/pacman.conf
      line: "SigLevel = Optional TrustAll"
 - name: add aurto repo (3/3)
  ansible.builtin.lineinfile:
      path: /etc/pacman.conf
      line: "Server = https://aur.niyawe.de/"
 - name: update pacman cache
  pacman:
      update_cache: yes
--- a/roles/configure_iptables/templates/ip6tables.rules
+++ b/roles/configure_iptables/templates/ip6tables.rules
@ -52,6 +52,8 @@ COMMIT
 -A INPUT -p udp -m udp --dport 10010:10023 -j ACCEPT
 # respondd
 -A INPUT -i bat+ -p udp -m udp --dport 1001 -j ACCEPT
 # wg_prefix_provider
 -A INPUT -i wgmyk -s fe80::/64 -p tcp -m tcp --dport 9999 -j ACCEPT
 # wireguard_mesh
 {% for site in sites %}
 -A INPUT -s 2a03:2260:1016::/48 -p udp -m udp --dport {{ site.wireguard_mesh_port }} -j DROP
--- a/roles/configure_static_routes/files/ffmyk-iproute.sh
+++ b/roles/configure_static_routes/files/ffmyk-iproute.sh
@ -2,7 +2,11 @@
 #Alles, was mit 0x1 markiert wird gehört zu Tabelle ffmyk
 ip -4 rule add from all fwmark 0x1 table ffmyk priority 10
 ip -6 rule add from all fwmark 0x1 table ffmyk priority 10
 ip -4 rule add iif nat64 table ffmyk priority 10
 ip -6 rule add iif nat64 table ffmyk priority 10
 ip -4 rule add to 10.1.0.0/16 table ffmyk priority 10
 ip -4 rule add to 10.2.0.0/16 table ffmyk priority 10
 #Alles mit Freifunk-IP - woher auch immer - gehört zu Tabelle ffmyk
 ip -4 rule add to 10.222.1.0/24 table ffmyk priority 10
 ip -4 rule add to 10.222.2.0/23 table ffmyk priority 10
@ -16,3 +20,6 @@ ip -6 rule add to 2001:470:cd45:ff00::/56 table ffmyk priority 10
 ip -6 rule add to 2a03:2260:1016::/48 table ffmyk priority 10
 ip -6 rule add to 64:ff9b::/96 table ffmyk priority 10
 ip -6 rule add to fd62:44e1:da::/48 table ffmyk priority 10
 ip -4 rule add from all iif nat64 type unreachable priority 200
 ip -6 rule add from all iif nat64 type unreachable priority 200
--- a/roles/install_babeld/tasks/main.yml
+++ b/roles/install_babeld/tasks/main.yml
@ -1,5 +1,5 @@
 ---
- name: install fastd
+- name: install babeld
  pacman:
      name: babeld
      state: present
--- a/roles/install_bind/tasks/main.yml
+++ b/roles/install_bind/tasks/main.yml
@ -11,6 +11,16 @@
      owner: named
      group: named
 - name: create systemd-folder
  file:
    path: /etc/systemd/system/named.service.d
    state: directory
 - name: bind ip override
  template:
      src: ipv6.conf.j2
      dest: /etc/systemd/system/named.service.d/ipv6.conf
 - name: bind config
  template:
      src: named.conf.j2
--- a/roles/install_bind/templates/ipv6.conf.j2
+++ b/roles/install_bind/templates/ipv6.conf.j2
@ -0,0 +1,2 @@
 [Service]
 ExecStartPre=/usr/bin/ip addr replace {{ dns_ip }}/128 dev lo
--- a/roles/install_bind/templates/named.conf.j2
+++ b/roles/install_bind/templates/named.conf.j2
@ -10,6 +10,7 @@ options {
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 {
        2a03:2260:1016::53;
 {% for site in sites %}
        {{ site.bat_ipv6 }};
 {% endfor %}
--- a/roles/install_monitoring/files/munin/munin_fastd_peers
+++ b/roles/install_monitoring/files/munin/munin_fastd_peers
@ -1,73 +0,0 @@
 #!/usr/bin/perl -w
 # -*- perl -*-
 =head1 NAME
 fastd_peers_ - Plugin to monitor fastd peers
 =head1 CONFIGURATION
 Set user and group to have access to the socket
 Set path to socketfile if not /tmp/fastd.sock
    [fastd_peers_*]
    user fastd
    group fastd
    env.socketfile /tmp/fastd.sock
 =head1 USAGE
 Link this plugin to /etc/munin/plugins/
 After creating the links, restart munin-node. Don't forget to configure the plugin!
 =head1 AUTHORS
 Dominique Goersch <mail@dgoersch.info>
 Niklas Yann Wettengel <niyawe@niyawe.de>
 =head1 LICENSE
 GPLv2
 =head1 MAGIC MARKERS
 #%# family=manual
 =cut
 use strict;
 use warnings;
 use File::Basename;
 use IO::Socket::UNIX qw( SOCK_STREAM );
 use JSON;
 if ($ARGV[0] and $ARGV[0] eq "config") {                                                #config graph
 	print "graph_title fastd peers\n";
 	print "graph_info This graph shows the peers of the fastd on this supernode\n";
 	print "graph_args -l 0\n";
 	print "graph_scale no\n";
 	print "graph_vlabel peers count\n";
 	print "graph_category fastd\n";
 	print "peers.label peers\n";
 	print "peers.draw AREA\n";
    exit 0;
 }
 my $statusfile = exists $ENV{'socketfile'} ? $ENV{'socketfile'} : "/tmp/fastd.sock";    #get path to socket from environment or use default
 my $socket = IO::Socket::UNIX->new(Type => SOCK_STREAM,Peer => $statusfile)             #open socket
   or die("Can't connect to server: $!\n");
 my $fastdstatus = "";
 foreach my $line (<$socket>) {$fastdstatus .= $line;}                                   #read contents from socket
 my $json = decode_json($fastdstatus);                                                   #decode json
 #my $fastd_peers      = scalar(keys(%{$json->{peers}}));                                 #get number of peers from json
 my $fastd_peers = 0;
 for my $key (keys(%{$json->{peers}})) {
 	$fastd_peers = $fastd_peers + ($json->{peers}{$key}{connection}? 1 : 0);
 }
 print "peers.value $fastd_peers\n";                                                 #return number of peers
--- a/roles/install_monitoring/files/munin/munin_fastd_plugin
+++ b/roles/install_monitoring/files/munin/munin_fastd_plugin
@ -1,124 +0,0 @@
 #!/usr/bin/perl -w
 # -*- perl -*-
 =head1 NAME
 fastd_ - Plugin to monitor fastd uptime, peers and traffic
 =head1 CONFIGURATION
 Set user and group to have access to the socket
 Set path to socketfile if not /tmp/fastd.sock
    [fastd_*]
    user fastd
    group fastd
    env.socketfile /tmp/fastd.sock
 =head1 USAGE
 Link this plugin to /etc/munin/plugins/ with the type of graph (uptime, peers, traffic)
 append to the linkname, ie: /etc/munin/plugins/fastd_peers
 After creating the links, restart munin-node. Don't forget to configure the plugin!
 =head1 AUTHORS
 Dominique Goersch <mail@dgoersch.info>
 =head1 LICENSE
 GPLv2
 =head1 MAGIC MARKERS
 #%# family=manual
 #%# capabilities=suggest
 =cut
 use strict;
 use warnings;
 use File::Basename;
 use IO::Socket::UNIX qw( SOCK_STREAM );
 use JSON;
 my $mode = basename($0);                                                                #get basename
 $mode =~ s/fastd_//;                                                                    #and strip 'fastd_' to get the mode
 if ($ARGV[0] and $ARGV[0] eq "config") {                                                #config graph
    if ($mode eq 'uptime') {                                                            #for uptime
        print "graph_title fastd Uptime\n";
        print "graph_info This graph shows the uptime of the fastd on this supernode\n";
        print "graph_args -l 0\n";
        print "graph_scale no\n";
        print "graph_vlabel uptime in days\n";
        print "graph_category fastd\n";
        print "uptime.label uptime\n";
        print "uptime.draw AREA\n";
    }
    elsif ($mode eq 'peers') {                                                          #for peers
        print "graph_title fastd peers\n";
        print "graph_info This graph shows the peers of the fastd on this supernode\n";
        print "graph_args -l 0\n";
        print "graph_scale no\n";
        print "graph_vlabel peers count\n";
        print "graph_category fastd\n";
        print "peers.label peers\n";
        print "peers.draw AREA\n";
    }
    elsif ($mode eq 'traffic') {                                                        #for traffic
        print "graph_order down up\n";
        print "graph_title fastd traffic\n";
        print "graph_args --base 1000\n";
        print "graph_vlabel bits in (-) / out (+) per second\n";
        print "graph_category fastd\n";
        print "graph_info This graph shows the traffic of fast.\n";
        print "down.label received\n";
        print "down.type DERIVE\n";
        print "down.graph no\n";
        print "down.cdef down,8,*\n";
        print "down.min 0\n";
        print "up.label bps\n";
        print "up.type DERIVE\n";
        print "up.negative down\n";
        print "up.cdef up,8,*\n";
        print "up.min 0\n";
    }
    exit 0;
 }
 if ($ARGV[0] and $ARGV[0] eq "suggest") {                                               #tell munin about our graphs
    print "uptime\n";
    print "peers\n";
    print "traffic\n";
 }
 my $statusfile = exists $ENV{'socketfile'} ? $ENV{'socketfile'} : "/tmp/fastd.sock";    #get path to socket from environment or use default
 my $socket = IO::Socket::UNIX->new(Type => SOCK_STREAM,Peer => $statusfile)             #open socket
   or die("Can't connect to server: $!\n");
 my $fastdstatus = "";
 foreach my $line (<$socket>) {$fastdstatus .= $line;}                                   #read contents from socket
 my $json = decode_json($fastdstatus);                                                   #decode json
 my $fastd_uptime     = $json->{uptime};                                                 #get the uptime from json
 #my $fastd_peers      = scalar(keys(%{$json->{peers}}));                                 #get number of peers from json
 my $fastd_peers = 0;
 for my $key (keys(%{$json->{peers}})) {
 	$fastd_peers = $fastd_peers + ($json->{peers}{$key}{connection}? 1 : 0);
 }
 my $fastd_rx_bytes   = $json->{statistics}->{rx}->{bytes};                              #get recieved bytes from json
 my $fastd_tx_bytes   = $json->{statistics}->{tx}->{bytes};                              #get transmittetd bytes from json
 if ( $mode eq 'uptime' ) {
    printf "uptime.value %.0f\n",$fastd_uptime/86400000;                                #return uptime in seconds
 } elsif ($mode eq 'peers') {
    print "peers.value $fastd_peers\n";                                                 #return number of peers
 } elsif ($mode eq 'traffic') {
    print "up.value $fastd_tx_bytes\n";                                                 #return transmitted bytes
    print "down.value $fastd_rx_bytes\n";                                               #and recieved bytes
 }
--- a/roles/install_monitoring/files/munin/munin_fastd_traffic
+++ b/roles/install_monitoring/files/munin/munin_fastd_traffic
@ -1,79 +0,0 @@
 #!/usr/bin/perl -w
 # -*- perl -*-
 =head1 NAME
 fastd_traffic_ - Plugin to monitor fastd traffic
 =head1 CONFIGURATION
 Set user and group to have access to the socket
 Set path to socketfile if not /tmp/fastd.sock
    [fastd_traffic_*]
    user fastd
    group fastd
    env.socketfile /tmp/fastd.sock
 =head1 USAGE
 Link this plugin to /etc/munin/plugins/ 
 After creating the links, restart munin-node. Don't forget to configure the plugin!
 =head1 AUTHORS
 Dominique Goersch <mail@dgoersch.info>
 Niklas Yann Wettengel <niyawe@niyawe.de>
 =head1 LICENSE
 GPLv2
 =head1 MAGIC MARKERS
 #%# family=manual
 =cut
 use strict;
 use warnings;
 use File::Basename;
 use IO::Socket::UNIX qw( SOCK_STREAM );
 use JSON;
 if ($ARGV[0] and $ARGV[0] eq "config") {                                                #config graph
 	print "graph_order down up\n";
 	print "graph_title fastd traffic\n";
 	print "graph_args --base 1000\n";
 	print "graph_vlabel bits in (-) / out (+) per second\n";
 	print "graph_category fastd\n";
 	print "graph_info This graph shows the traffic of fast.\n";
 	print "down.label received\n";
 	print "down.type DERIVE\n";
 	print "down.graph no\n";
 	print "down.cdef down,8,*\n";
 	print "down.min 0\n";
 	print "up.label bps\n";
 	print "up.type DERIVE\n";
 	print "up.negative down\n";
 	print "up.cdef up,8,*\n";
 	print "up.min 0\n";
    exit 0;
 }
 my $statusfile = exists $ENV{'socketfile'} ? $ENV{'socketfile'} : "/tmp/fastd.sock";    #get path to socket from environment or use default
 my $socket = IO::Socket::UNIX->new(Type => SOCK_STREAM,Peer => $statusfile)             #open socket
   or die("Can't connect to server: $!\n");
 my $fastdstatus = "";
 foreach my $line (<$socket>) {$fastdstatus .= $line;}                                   #read contents from socket
 my $json = decode_json($fastdstatus);                                                   #decode json
 my $fastd_rx_bytes   = $json->{statistics}->{rx}->{bytes};                              #get recieved bytes from json
 my $fastd_tx_bytes   = $json->{statistics}->{tx}->{bytes};                              #get transmittetd bytes from json
 print "up.value $fastd_tx_bytes\n";                                                 #return transmitted bytes
 print "down.value $fastd_rx_bytes\n";                                               #and recieved bytes
--- a/roles/install_monitoring/tasks/install_munin.yml
+++ b/roles/install_monitoring/tasks/install_munin.yml
@ -15,42 +15,6 @@
      name: perl-json
      state: present
 - name: copy fastd peers plugin
  copy:
      src: munin/munin_fastd_peers
      dest: /usr/lib/munin/plugins/fastd_peers_
      mode: 0755
  notify: restart munin-node
 - name: copy fastd traffic plugin
  copy:
      src: munin/munin_fastd_traffic
      dest: /usr/lib/munin/plugins/fastd_traffic_
      mode: 0755
  notify: restart munin-node
 - name: enable munin plugins for fastd peers
  file:
      path: /etc/munin/plugins/fastd_peers_ff{{ item.name }}
      src: /usr/lib/munin/plugins/fastd_peers_
      state: link
  with_items: "{{ sites }}"
  notify: restart munin-node
 - name: enable munin plugins for fastd traffic
  file:
      path: /etc/munin/plugins/fastd_traffic_ff{{ item.name }}
      src: /usr/lib/munin/plugins/fastd_traffic_
      state: link
  with_items: "{{ sites }}"
  notify: restart munin-node
 - name: copy fastd plugin config
  template:
      src: munin_fastd_conf.j2
      dest: /etc/munin/plugin-conf.d/fastd
  notify: restart munin-node
 - name: copy wg peers plugin
  copy:
      src: munin/munin_wg_peers
--- a/roles/install_respondd_poller/files/requirements.txt
+++ b/roles/install_respondd_poller/files/requirements.txt
@ -0,0 +1,2 @@
 wgnlpy
 requests
--- a/roles/install_respondd_poller/files/respondd_poller.py
+++ b/roles/install_respondd_poller/files/respondd_poller.py
@ -0,0 +1,147 @@
 #!/usr/bin/env python
 import socket
 import ipaddress
 import threading
 import time
 import zlib
 import json
 import os.path
 import sys
 from wgnlpy import WireGuard
 import requests
 from xml.etree import ElementTree
 if not os.path.exists("/etc/respondd_poller.json"):
    print("/etc/respondd_poller.json missing")
    sys.exit(1)
 interface = None
 prefix = None
 yanic_addr = None
 request = None
 with open("/etc/respondd_poller.json", "r") as f:
    config = json.load(f)
    if "interface" in config:
        interface = config["interface"]
    if "prefix" in config:
        prefix = ipaddress.IPv6Network(config["prefix"])
    if "yanic_addr" in config and "yanic_port" in config:
        yanic_addr = (config["yanic_addr"], int(config["yanic_port"]))
    if "request" in config:
        request = config["request"].encode("ascii")
 wg = WireGuard()
 sock = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
 last_request = dict()
 last_response = dict()
 def get_wg_peers():
    wgpeers = wg.get_interface(interface).peers
    for peer in wgpeers:
        for ip in wgpeers[peer].allowedips:
            if ip.subnet_of(prefix):
                yield ip
 def inflate(data):
    decompress = zlib.decompressobj(-zlib.MAX_WBITS)
    inflated = decompress.decompress(data)
    inflated += decompress.flush()
    return inflated.decode()
 def cleanup():
    while True:
        time.sleep(60)
        old = time.monotonic() - 360
        ips = []
        macs = []
        for ip in last_request:
            if last_response[ip] < old:
                ips.append(ip)
        for ip in ips:
            del last_response[ip]
            del last_request[ip]
 def recv():
    global sock
    while True:
        data, addr = sock.recvfrom(1500)
        sock.sendto(data, yanic_addr)
        j = json.loads(inflate(data))
        last_response[ipaddress.IPv6Address(addr[0])] = time.monotonic()
 def send(ip):
    global request
    try:
        sock.sendto(request, (bytearray(str(ip).encode('ascii')), 1001))
    except:
        print("failed to send packet to", ip)
        return
 def get_http_nodeinfo(ip):
    global last_request
    now = time.monotonic()
    try:
        status = requests.get('http://[' + str(ip) + ']/cgi-bin/status')
    except:
        return
    status_tree = ElementTree.fromstring(status.content)
    mesh_ifs = []
    interface_list = status_tree.findall(".//*[@data-interface]")
    for interface in interface_list:
        mesh_ifs.append(interface.attrib["data-interface"])
    for mesh_if in mesh_ifs:
        try:
            nodeinfo = requests.get('http://[' + str(ip) + ']/cgi-bin/dyn/neighbours-nodeinfo?' + mesh_if)
        except:
            return
        for line in nodeinfo.content.split(b'\n'):
            if line.startswith(b'data: {'):
                data = line.split(b': ', maxsplit=1)[1]
                data = json.loads(data)
                if "network" in data and "addresses" in data["network"]:
                    for address in data["network"]["addresses"]:
                        if ipaddress.IPv6Network(address).subnet_of(prefix):
                            node_ip = ipaddress.IPv6Address(address)
                            if node_ip not in last_request:
                                last_request[node_ip] = now
                                last_response[node_ip] = now
 def scan_wg_peers():
    global last_request
    while True:
        print("scanning wg peers")
        request_threads = []
        now = time.monotonic()
        for net in get_wg_peers():
            ip = ipaddress.IPv6Address(str(net.network_address) + "1")
            if ip not in last_request:
                last_request[ip] = now
                last_response[ip] = now
            request_thread = threading.Thread(target=get_http_nodeinfo, args=(ip,))
            request_thread.start()
            request_threads.append(request_thread)
            if len(request_threads) > 10:
                for thread in request_threads:
                    thread.join()
                request_threads = []
        time.sleep(60)
 listen_thread = threading.Thread(target=recv)
 listen_thread.start()
 cleanup_thread = threading.Thread(target=cleanup)
 cleanup_thread.start()
 scan_thread = threading.Thread(target=scan_wg_peers)
 scan_thread.start()
 last_wg_time = 0
 while True:
    now = time.monotonic()
    for ip in last_request:
        if now - last_request[ip] > 15:
            last_request[ip] = now
            send(ip)
    time.sleep(1)
--- a/roles/install_respondd_poller/files/respondd_poller.service
+++ b/roles/install_respondd_poller/files/respondd_poller.service
@ -0,0 +1,12 @@
 [Unit]
 Description=respondd_poller
 After=network.target
 [Service]
 ExecStart=/opt/respondd_poller/venv/bin/python -u /opt/respondd_poller/respondd_poller.py
 Restart=always
 WorkingDirectory=/opt/respondd_poller
 Environment=PYTHONPATH=/opt/respondd_poller
 [Install]
 WantedBy=multi-user.target
--- a/roles/install_respondd_poller/tasks/main.yml
+++ b/roles/install_respondd_poller/tasks/main.yml
@ -0,0 +1,48 @@
 ---
 - name: install respondd_poller dependencies
  pacman:
      name:
          - git
          - python-virtualenv
          - python-setuptools
      state: present
 - name: create venv
  command:
    cmd: "python -m venv /opt/respondd_poller/venv"
    creates: /opt/respondd_poller/venv
 - name: install respondd_poller requirements
  copy:
      src: requirements.txt
      dest: /opt/respondd_poller/requirements.txt
      mode: 0644
 - name: install respondd_poller script
  copy:
      src: respondd_poller.py
      dest: /opt/respondd_poller/respondd_poller.py
      mode: 0644
 - name: install requirements
  pip:
    requirements: /opt/respondd_poller/requirements.txt
    virtualenv: /opt/respondd_poller/venv
 - name: install respondd_poller config
  template:
      src: respondd_poller.json.j2
      dest: /etc/respondd_poller.json
      mode: 0644
 - name: create respondd_poller service
  copy:
      src: respondd_poller.service
      dest: /etc/systemd/system/respondd_poller.service
      mode: 0644
 - name: start and enable respondd_poller service
  systemd:
      name: respondd_poller
      state: started
      enabled: yes
--- a/roles/install_respondd_poller/templates/respondd_poller.json.j2
+++ b/roles/install_respondd_poller/templates/respondd_poller.json.j2
@ -0,0 +1,7 @@
 {
    "interface":"wgmyk",
    "prefix":"2a03:2260:1016::/48",
    "yanic_addr": "fe80::41:18ff:fec5:5041%wgmyk",
    "yanic_port": 10001,
    "request":"GET nodeinfo statistics neighbours"
 }
--- a/roles/install_tayga/handlers/main.yml
+++ b/roles/install_tayga/handlers/main.yml
@ -0,0 +1,5 @@
 ---
 - name: restart tayga
  systemd:
      name: tayga.service
      state: restarted
--- a/roles/install_tayga/tasks/main.yml
+++ b/roles/install_tayga/tasks/main.yml
@ -0,0 +1,25 @@
 ---
 - name: install tayga
  pacman:
      name: tayga
      state: present
 - name: tayga.conf
  template:
      src: tayga.conf.j2
      dest: /etc/tayga.conf
      mode: 0644
  notify: restart tayga
 - name: systemd override.conf
  template:
      src: systemd_override.conf.j2
      dest: /etc/systemd/system/tayga.service.d/override.conf
      mode: 0644
  notify: restart tayga
 - name: start and enable tayga service
  systemd:
      name: tayga.service
      enabled: yes
      state: started
--- a/roles/install_tayga/templates/systemd_override.conf.j2
+++ b/roles/install_tayga/templates/systemd_override.conf.j2
@ -0,0 +1,10 @@
 [Service]
 ExecStart=
 ExecStartPre=/usr/bin/tayga --mktun --config /etc/tayga.conf
 ExecStartPre=/usr/bin/ip link set nat64 up
 ExecStartPre=/usr/bin/ip addr replace {{ tayga_ipv4 }}/32 dev nat64
 ExecStartPre=/usr/bin/ip addr replace 2a03:2260:1016::64/128 dev nat64
 ExecStartPre=/usr/bin/ip route replace {{ tayga_pool }} dev nat64 table ffmyk
 ExecStartPre=/usr/bin/ip -6 route replace 64:ff9b::/96 dev nat64 table ffmyk
 ExecStart=/usr/bin/tayga --nodetach --config /etc/tayga.conf
 Restart=always
--- a/roles/install_tayga/templates/tayga.conf.j2
+++ b/roles/install_tayga/templates/tayga.conf.j2
@ -0,0 +1,6 @@
 tun-device nat64
 ipv4-addr {{ tayga_ipv4 }}
 ipv6-addr 2a03:2260:1016::64
 prefix 64:ff9b::/96
 dynamic-pool {{ tayga_pool }}
 data-dir /var/db/tayga
--- a/roles/install_wg_add_vpn/tasks/main.yml
+++ b/roles/install_wg_add_vpn/tasks/main.yml
@ -0,0 +1,30 @@
 ---
 - name: install wg_add dependencies
  pacman:
      name:
          - git
          - make
          - gcc
      state: present
 - name: clone wg_add repo
  git:
      repo: https://github.com/FreifunkMYK/wg_add.git
      dest: /opt/wg_add_vpn
      version: vpn
 - name: build wg_add
  make:
    chdir: /opt/wg_add_vpn
 - name: install wg_add service
  template:
      src: wg_add_vpn.service.j2
      dest: /etc/systemd/system/wg_add_vpn.service
      mode: 0644
 - name: start and enable wgkex service
  systemd:
      name: wg_add_vpn
      state: started
      enabled: yes
--- a/roles/install_wg_add_vpn/templates/wg_add_vpn.service.j2
+++ b/roles/install_wg_add_vpn/templates/wg_add_vpn.service.j2
@ -0,0 +1,10 @@
 [Unit]
 Description=wg_add
 After=network.target
 [Service]
 ExecStart=/opt/wg_add_vpn/wg_add {{ ansible_default_ipv4.interface }} wgmyk
 Restart=always
 [Install]
 WantedBy=multi-user.target
--- a/roles/install_wg_prefix_provider/tasks/main.yml
+++ b/roles/install_wg_prefix_provider/tasks/main.yml
@ -0,0 +1,29 @@
 ---
 - name: install wg_prefix_provider dependencies
  pacman:
      name:
          - git
          - make
          - gcc
      state: present
 - name: clone wg_prefix_provider repo
  git:
      repo: https://github.com/FreifunkMYK/wg_prefix_provider.git
      dest: /opt/wg_prefix_provider
 - name: build wg_prefix_provider
  make:
    chdir: /opt/wg_prefix_provider
 - name: install wg_prefix_provider service
  template:
      src: wg_prefix_provider.service.j2
      dest: /etc/systemd/system/wg_prefix_provider.service
      mode: 0644
 - name: start and enable wg_prefix_provider service
  systemd:
      name: wg_prefix_provider
      state: started
      enabled: yes
--- a/roles/install_wg_prefix_provider/templates/wg_prefix_provider.service.j2
+++ b/roles/install_wg_prefix_provider/templates/wg_prefix_provider.service.j2
@ -0,0 +1,10 @@
 [Unit]
 Description=wg_prefix_provider
 After=network.target
 [Service]
 ExecStart=/opt/wg_prefix_provider/wg_prefix_provider wgmyk 9999 {{ wireguard_vpn_client_range }}
 Restart=always
 [Install]
 WantedBy=multi-user.target
--- a/roles/install_wireguard_vpn/tasks/main.yml
+++ b/roles/install_wireguard_vpn/tasks/main.yml
@ -0,0 +1,24 @@
 ---
 - name: create wireguard config for wgmyk
  template:
      src: wg.conf.j2
      dest: /etc/wireguard/wgmyk.conf
      mode: 0400
 - name: create wireguard up scripts for wgmyk
  template:
      src: up.sh.j2
      dest: /etc/wireguard/upmyk.sh
      mode: 0744
 - name: create wireguard down scripts for wgmyk
  template:
      src: down.sh.j2
      dest: /etc/wireguard/downmyk.sh
      mode: 0744
 - name: start and enable wireguard mesh
  systemd:
      name: wg-quick@wgmyk.service
      enabled: yes
      state: started
--- a/roles/install_wireguard_vpn/templates/down.sh.j2
+++ b/roles/install_wireguard_vpn/templates/down.sh.j2
@ -0,0 +1,6 @@
 #!/bin/bash
 ip -6 route del {{ wireguard_vpn_client_range }} table ffmyk dev wgmyk
 ip -6 rule del iif wgmyk
 ip -6 rule del from {{ wireguard_vpn_client_range }}
--- a/roles/install_wireguard_vpn/templates/up.sh.j2
+++ b/roles/install_wireguard_vpn/templates/up.sh.j2
@ -0,0 +1,9 @@
 #!/bin/bash
 ip -6 rule add iif wgmyk table ffmyk priority 10
 ip -6 rule add from {{ wireguard_vpn_client_range }} table ffmyk priority 10
 ip -6 rule add from all iif wgmyk type unreachable priority 200
 ip -6 route add {{ wireguard_vpn_client_range }} table ffmyk dev wgmyk
 systemctl restart named.service
--- a/roles/install_wireguard_vpn/templates/wg.conf.j2
+++ b/roles/install_wireguard_vpn/templates/wg.conf.j2
@ -0,0 +1,7 @@
 [Interface]
 ListenPort = {{ wireguard_vpn_port }}
 PrivateKey = {{ wireguard_vpn_priv_key }}
 Address = {{ wireguard_vpn_address }}/128
 MTU = 1400
 PostUp = /etc/wireguard/upmyk.sh
 PreDown = /etc/wireguard/downmyk.sh
--- a/roles/setup_ffrl_tunnel/templates/bird.conf
+++ b/roles/setup_ffrl_tunnel/templates/bird.conf
@ -84,6 +84,7 @@ protocol static ffrl_uplink_hostroute4 {
 protocol static ffrl_public_routes6 {
    ipv6 { table ffrl6; };
    route 2a03:2260:1016::/48 reject;
    route {{ wireguard_vpn_client_range }} reject;
 }
 # Wir legen die Transfernetze in die interne BIRD Routing Table
--- a/setup_fastd.yml
+++ b/setup_fastd.yml
@ -3,6 +3,7 @@
  hosts: fastd
  user: root
  roles:
      - configure_aurto_repo
      - configure_journald
      - configure_sysctl
      - configure_iptables
@ -18,10 +19,14 @@
      - install_bind
      - install_wireguard
      - install_wireguard_mesh
      - install_wireguard_vpn
      - install_wireguard_backbone
      - install_babeld
      - install_tayga
      - install_wg_add
-      - install_fastd
+      - install_wg_add_vpn
      - install_wg_prefix_provider
      - install_respondd_poller
      - install_mesh-announce
      - install_monitoring
      - install_iperf3
		`@ -0,0 +1,2 @@`
							`[Service]`
							`ExecStartPre=/usr/bin/ip addr replace {{ dns_ip }}/128 dev lo`