remove nat64

host_vars/ff-nat64

@@ -1,18 +0,0 @@
----
-ansible_host: 2a01:4f8:a0:9395:2::3
-#ansible_host: 10.0.4.67
-wireguard_bb_name: 'nat64'
-wireguard_bb_endpoint: '2a01:4f8:a0:9395:2::3'
-wireguard_bb_priv_key: !vault |
-          $ANSIBLE_VAULT;1.1;AES256
-          39303530363738363764303964346631313532353762343263316166383534373763303538376363
-          3733366465336331353939346464306162353938353666370a613166623931613430613333613139
-          63356231653035663232376330363763393732666135356639663537666534326136356431663264
-          6330643965613562380a623830616437653563613630663332313266623239373634643431313064
-          62306263343934616462356536613235363866303736636537633766616663346363326234323532
-          3862346431613738663665613661623236323139616639613432
-wireguard_bb_pub_key: '4f3BbS38u97CNN3LDUZS//vO3JTzAl6zRWovuIAGcQM='
-wireguard_bb_ipv4: '10.222.0.6'
-wireguard_bb_ipv6: 'fe80::ffbb:ffbb:6'
-wireguard_bb_port: 10106
-preferred_uplink: 'uplink2'

inventory.ini

@@ -28,6 +28,3 @@ ff-uplink2
 [uplink:children]
 mullvad_uplink
 ffrl_uplink
-
-[nat64]
-ff-nat64

roles/configure_iptables/templates/ip6tables.rules

@@ -10,7 +10,7 @@
 {% endfor %}
 {% endif %}
 
-{% if 'fastd' in group_names or 'nat64' in group_names %}
+{% if 'fastd' in group_names %}
 {% for peer in groups['uplink'] %}
 -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
@@ -19,9 +19,6 @@
 {% for peer in groups['fastd'] %}
 -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
-{% for peer in groups['nat64'] %}
--A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
-{% endfor %}
 {% for peer in groups['uplink'] | difference([inventory_hostname]) %}
 -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
@@ -63,7 +60,7 @@ COMMIT
 {% endfor %}
 {% endif %}
 # wireguard_backbone
-{% if 'fastd' in group_names or 'nat64' in group_names %}
+{% if 'fastd' in group_names %}
 {% for peer in groups['uplink'] %}
 -A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
 -A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT
@@ -74,10 +71,6 @@ COMMIT
 -A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
 -A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT
 {% endfor %}
-{% for peer in groups['nat64'] %}
--A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
--A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT
-{% endfor %}
 {% for peer in groups['uplink'] | difference([inventory_hostname]) %}
 -A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
 -A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT

roles/configure_iptables/templates/iptables.rules

@@ -19,9 +19,6 @@
 {% for peer in groups['fastd'] %}
 -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
-{% for peer in groups['nat64'] %}
--A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff
-{% endfor %}
 {% for peer in groups['uplink'] | difference([inventory_hostname]) %}
 -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
@@ -29,11 +26,6 @@
 -A PREROUTING -i bb{{ peer.name }} -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
 {% endif %}
-{% if 'nat64' in group_names %}
-{% for peer in groups['uplink'] %}
--A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff
-{% endfor %}
-{% endif %}
 COMMIT
 *filter
 :INPUT DROP [0:0]

roles/install_babeld/templates/babeld.conf.j2

@@ -5,7 +5,7 @@
 ipv6-subtrees true
 
 # You must provide at least one interface for babeld to operate on.
-{% if ('fastd' in group_names) or ('nat64' in group_names) %}
+{% if ('fastd' in group_names) %}
 {% for peer in groups['uplink'] %}
 interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
 {% endfor %}
@@ -14,9 +14,6 @@ interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
 {% for peer in groups['fastd'] %}
 interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
 {% endfor %}
-{% for peer in groups['nat64'] %}
-interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
-{% endfor %}
 {% for peer in groups['uplink'] | difference([inventory_hostname]) %}
 interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
 {% endfor %}
@@ -45,7 +42,6 @@ in ip 10.30.0.0/18 allow
 in ip 10.222.0.0/16 allow
 in ip 2a03:2260:1016::/48 allow
 in ip 2003:46:e028::/48 allow # finzelberg
-in ip 64:ff9b::/96 allow # nat64
 in ip fd62:44e1:da::/48 allow
 in deny # ignore default routes on uplinks
 {% endif %}
@@ -67,7 +63,7 @@ redistribute ip 64:ff9b::/96 allow
 redistribute ip fd62:44e1:da::/48 allow
 redistribute local deny
 
-{% if ('fastd' in group_names or 'nat64' in group_names) and preferred_uplink is defined %}
+{% if ('fastd' in group_names) and preferred_uplink is defined %}
 {% for peer in groups['uplink'] %}
 {% if not hostvars[peer]['wireguard_bb_name'] == preferred_uplink %}
 in if bb{{ hostvars[peer]['wireguard_bb_name'] }} metric 64

roles/install_bind/templates/named.conf.j2

@@ -21,7 +21,7 @@ options {
 {% endfor %}
     };
 
-    allow-recursion { 127.0.0.1; 10.222.0.0/16; 2001:470:cd45:ff00::/56; 2a03:2260:1016::/48; };
+    allow-recursion { 127.0.0.1; 10.222.0.0/16; 10.30.0.0/18; 2001:470:cd45:ff00::/56; 2a03:2260:1016::/48; };
     allow-transfer { none; };
 
     version none;

roles/install_fastd/files/fastd1

@@ -1,2 +0,0 @@
-key "d78c8c9b2977f732cdd00d2d4b557cfb5de1438897d33b9ec04037512dd11d6a";
-remote "fastd1.services.freifunk-myk.de":10000;

roles/install_fastd/files/fastd10

@@ -1,2 +0,0 @@
-key "03cb2b87af657dfc4a434c5dfe3234e947571ca5a8d114d24e0e9f9861eff558";
-remote "fastd10.services.freifunk-myk.de":10000;

roles/install_fastd/files/fastd11

@@ -1,2 +0,0 @@
-key "c5ddbdc98a9aa8eb4fc684571c23eabaefd6ef63b8cb9d3a31a2cd6e656c47f9";
-remote "fastd11.services.freifunk-myk.de":10000;

roles/install_fastd/files/fastd12

@@ -1,2 +0,0 @@
-key "d47e917875f145a27a3ef10e29bf011c1f89ab4ea313c4bd0d8bac07ffacf557";
-remote "fastd12.services.freifunk-myk.de":10000;

roles/install_fastd/files/fastd13

@@ -1,2 +0,0 @@
-key "2895322d66ba7aaa0daf779d795a2a44255d1d14bea639e1267149f466602fce";
-remote "fastd13.services.freifunk-myk.de":10000;

roles/install_fastd/files/fastd14

@@ -1,2 +0,0 @@
-key "22e08f6e9c72e77041aa635d380e03069cfe193d9f5a0551ff2188677d15d5c0";
-remote "fastd14.services.freifunk-myk.de":10000;

roles/install_fastd/files/fastd15

@@ -1,2 +0,0 @@
-key "78605f4cc687a1a5c2a1cbbacb6310bb4dc2546e605a1f2852aabea5e2dbecbb";
-remote "fastd15.services.freifunk-myk.de":10000;

roles/install_fastd/files/fastd2

@@ -1,2 +0,0 @@
-key "f753af06aff1e765a0601c21343965cd3a9abd91f98a76867589e742c041a550";
-remote "fastd2.services.freifunk-myk.de":10000;

roles/install_fastd/files/fastd3

@@ -1,2 +0,0 @@
-key "70a561adcea747e4758376222cddf7d43db43fac55b43e3840b6e3bc5042b170";
-remote "fastd3.services.freifunk-myk.de":10000;

roles/install_fastd/files/fastd4

@@ -1,2 +0,0 @@
-key "30e707472d8eed4397295554764846f309a4b046ba628d24f2acee79543d671c";
-remote "fastd4.services.freifunk-myk.de":10000;

roles/install_fastd/files/fastd5

@@ -1,2 +0,0 @@
-key "c785f8d8f59b75ffbec7eb417e1971dc5a123ff3507e3121352102fdea646e89";
-remote "fastd5.services.freifunk-myk.de":10000;

roles/install_fastd/files/fastd6

@@ -1,2 +0,0 @@
-key "c40b725a5118b7c37f76b562461db160b1c99495f1df254067de2b5772831d22";
-remote "fastd6.services.freifunk-myk.de":10000;

roles/install_fastd/files/fastd7

@@ -1,2 +0,0 @@
-key "72dbb9f07c272e6cfba07ebc3e318cc66e7d6e7583d6aa27fdd0445cf1bea2d8";
-remote "fastd7.services.freifunk-myk.de":10000;

roles/install_fastd/files/fastd8

@@ -1,2 +0,0 @@
-key "66744cda306b1087753a57a727c79a934c872e7221ec6a28ff41e3a316eff0ab";
-remote "fastd8.services.freifunk-myk.de":10000;

roles/install_fastd/files/fastd9

@@ -1,2 +0,0 @@
-key "a8a79387ffa4370c6ae322d99aeb5b8b82f5580ce8dfe5726e0d161a7894a6ed";
-remote "fastd9.services.freifunk-myk.de":10000;

roles/install_fastd/files/verify.sh

@@ -0,0 +1,2 @@
+#!/bin/sh
+exit 0

roles/install_fastd/tasks/main.yml

@@ -32,25 +32,11 @@
   notify: restart fastd{{ item.name }}
   with_items: "{{ sites }}"
 
-- name: add fastd peers folder
-  file:
-      path: /etc/fastd/ff{{ item.name }}/peers
-      state: directory
-  with_items: "{{ sites }}"
-
-- name: add fastd peer api script
-  template:
-      src: fastd-api.php.j2
-      dest: /etc/fastd/ff{{ item.name }}/bin/fastd-api.php
-  with_items: "{{ sites }}"
-
-- name: setup cronjob for fastd-api
-  cron:
-      name: fastd-api-{{ item.name }}
-      minute: '*/10'
-      user: root
-      cron_file: fastd-api
-      job: '/usr/bin/php /etc/fastd/ff{{ item.name }}/bin/fastd-api.php'
+- name: add fastd verify script
+  copy:
+      src: verify.sh
+      dest: /etc/fastd/ff{{ item.name }}/bin/verify.sh
+      mode: 0744
   with_items: "{{ sites }}"
 
 - name: start and enable fastd service

roles/install_fastd/templates/fastd.conf.j2

@@ -7,10 +7,7 @@ bind any:{{ item.fastd_port1 }};
 hide ip addresses yes;
 hide mac addresses yes;
 mtu 1280;
-peer group "clients" {
-	include peers from "peers";
-}
 secret "{{ item.fastd_secret }}";
 on up "/etc/fastd/ff{{ item.name }}/bin/up.sh $INTERFACE";
 status socket "/run/ff{{ item.name }}1.socket";
-
+on verify "/etc/fastd/ff{{ item.name }}/bin/verify.sh";

roles/install_wireguard_backbone/tasks/main.yml

@@ -5,7 +5,7 @@
       dest: /etc/systemd/system/wgbackbone@.service
 
 - include_tasks: fastd_tasks.yml
-  when: "('fastd' in group_names) or ('nat64' in group_names)"
+  when: "('fastd' in group_names)"
 
 - include_tasks: uplink_tasks.yml
   when: "'uplink' in group_names"

roles/install_wireguard_backbone/tasks/uplink_tasks.yml

@@ -6,13 +6,6 @@
       mode: 0400
   with_items: "{{ groups['fastd'] }}"
 
-- name: create wireguard config for nat64
-  template:
-      src: wg.conf.j2
-      dest: /etc/wireguard/wgbb{{ hostvars[item]['wireguard_bb_name'] }}.conf
-      mode: 0400
-  with_items: "{{ groups['nat64'] }}"
-
 - name: create wireguard config for uplinks
   template:
       src: wg.conf.j2
@@ -34,13 +27,6 @@
       mode: 0744
   with_items: "{{ groups['fastd'] }}"
 
-- name: create wireguard up scripts for nat64
-  template:
-      src: up.sh.j2
-      dest: /etc/wireguard/upbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
-      mode: 0744
-  with_items: "{{ groups['nat64'] }}"
-
 - name: create wireguard up scripts for uplinks
   template:
       src: up.sh.j2
@@ -62,13 +48,6 @@
       mode: 0744
   with_items: "{{ groups['fastd'] }}"
 
-- name: create wireguard down scripts for nat64
-  template:
-      src: down.sh.j2
-      dest: /etc/wireguard/downbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
-      mode: 0744
-  with_items: "{{ groups['nat64'] }}"
-
 - name: create wireguard down scripts for uplinks
   template:
       src: down.sh.j2
@@ -91,14 +70,6 @@
       daemon_reload: yes
   with_items: "{{ groups['fastd'] }}"
 
-- name: start and enable wireguard mesh for nat64
-  systemd:
-      name: wgbackbone@{{ hostvars[item]['wireguard_bb_name'] }}.service
-      enabled: yes
-      state: started
-      daemon_reload: yes
-  with_items: "{{ groups['nat64'] }}"
-
 - name: start and enable wireguard mesh for uplinks
   systemd:
       name: wgbackbone@{{ hostvars[item]['wireguard_bb_name'] }}.service

setup_fastd.yml

@@ -79,26 +79,3 @@
   user: root
   roles:
       - setup_ffrl_tunnel
-- name: setup nat64
-  hosts: nat64
-  user: root
-  roles:
-      - configure_journald
-      - configure_sysctl
-      - configure_iptables
-      - configure_static_routes
-      #- install_ssmtp
-      - install_cronie
-      #- install_php
-      #- install_nginx
-      - install_ntp
-      - install_haveged
-      #- setup_batman
-      #- install_bind
-      - install_wireguard
-      - install_wireguard_backbone
-      - install_babeld
-      - install_monitoring
-      - install_iperf3
-      - update_ssh_keys
-      - install_admin_packages