First try Supernode

host_vars/vpn02.yml

@@ -0,0 +1,17 @@
+ansible_host: 5.9.220.115
+ansible_port: 22
+ansible_ssh_user: root
+ansible_python_interpreter: /usr/bin/python3
+
+network:
+  ff_v4_address: 10.188.32.5
+  ff_v6_address: 2a03:2260:121:5000::5
+dhcp:
+  ff_subnet: 10.188.32.0
+  ff_netmask: 255.255.224.0
+  range_start: 10.188.40.0
+  range_end: 10.188.47.255
+  mtu: 1312
+tunneldigger:
+  td_port: 53842
+  td_wan_interface: ens18

hosts.yml

@@ -15,6 +15,9 @@ all:
         vpn-offloader-wireguard:
           hosts:
             vpn01:
+        freifunk-supernodes:
+          hosts: 
+            vpn02:
     edge_router:
       hosts:
         edge1:

roles/00-ubuntu-basic/tasks/main.yml

@@ -58,4 +58,11 @@
       - speedtest-cli
       - telnet
     state: latest
-    update_cache: yes
+    update_cache: yes
+
+- name: uninstall unneeded packages
+  apt:
+    name:
+      - rpcbind
+    update_cache: yes
+    state: absent

roles/10-freifunk-supernode/README.md

@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).

roles/10-freifunk-supernode/tasks/main.yml

@@ -0,0 +1,122 @@
+---
+# tasks file for 10-freifunk-supernode
+
+# Install basic packages for Supernode
+- name: Install all Packages
+  ansible.builtin.apt: 
+    name: 
+      - batctl
+      - iptables-persistent
+      - conntrack
+    state: latest
+    update_cache: yes
+
+## IP Forwarding
+- name: IPv4-Paketweiterleitung aktivieren
+  sysctl: 
+    name: "net.ipv4.conf.all.forwarding" 
+    value: 1 
+    sysctl_set: yes 
+    state: present 
+    reload: yes 
+    sysctl_file: /etc/sysctl.d/ff-ip_forwarding.conf
+
+- name: IPv6-Paketweiterleitung aktivieren
+  sysctl: 
+    name: "net.ipv6.conf.all.forwarding" 
+    value: 1 
+    sysctl_set: yes 
+    state: present 
+    reload: yes 
+    sysctl_file: /etc/sysctl.d/ff-ip_forwarding.conf
+
+- name: sysctl Reverse-Path-Filter default deaktivieren - Quellroute nicht prüfen
+  sysctl: 
+    name: "net.ipv4.conf.default.rp_filter" 
+    value: 0 
+    sysctl_set: yes 
+    state: present 
+    reload: yes 
+    sysctl_file: /etc/sysctl.d/ff-ip_forwarding.conf
+
+- name: sysctl Reverse-Path-Filter all deaktivieren - Quellroute nicht prüfen
+  sysctl: 
+    name: "net.ipv4.conf.all.rp_filter" 
+    value: 0 
+    sysctl_set: yes 
+    state: present 
+    reload: yes 
+    sysctl_file: /etc/sysctl.d/ff-ip_forwarding.conf
+
+- name: Create Routing Table 42
+  ansible.builtin.lineinfile:
+    path: /etc/iproute2/rt_tables
+    line: 42 ffrl
+    create: yes
+
+## Contrack
+- name: Enable nf_conntrack_ipv4 module
+  modprobe: 
+    name: nf_conntrack_ipv4 
+    state: present
+  when: ansible_kernel is version_compare('4.19', '<')
+
+- name: Enable nf_conntrack_ipv4 on system startup
+  blockinfile:
+    path: /etc/modules
+    marker: "# {mark} Ansible managed block"
+    block: |
+      nf_conntrack_ipv4
+  when: ansible_kernel is version_compare('4.19', '<')
+
+- name: Enable nf_conntrack module
+  modprobe: 
+   name: nf_conntrack
+   state: present
+  when: ansible_kernel is version_compare('4.19', '>=')
+
+- name: Enable nf_conntrack on system startup
+  blockinfile:
+    path: /etc/modules
+    marker: "# {mark} Ansible managed block"
+    block: |
+      nf_conntrack
+  when: ansible_kernel is version_compare('4.19', '>=')
+
+
+- name: Set nf_conntrack_max to a higher value
+  sysctl: 
+    name: "net.netfilter.nf_conntrack_max" 
+    value: 524288 
+    sysctl_set: yes 
+    state: present 
+    reload: yes 
+    sysctl_file: /etc/sysctl.d/ff-netfilter.conf
+
+- name: Set nf_conntrack_tcp_timeout_established to 86400 (one day)
+  sysctl: 
+    name: "net.netfilter.nf_conntrack_tcp_timeout_established"
+    value: 86400
+    sysctl_set: yes
+    state: present 
+    reload: yes
+    sysctl_file: /etc/sysctl.d/ff-netfilter.conf
+
+- name: Set nf_conntrack_tcp_timeout_time_wait to 60
+  sysctl: 
+    name: "net.netfilter.nf_conntrack_tcp_timeout_time_wait" 
+    value: 60 
+    sysctl_set: yes 
+    state: present 
+    reload: yes 
+    sysctl_file: /etc/sysctl.d/ff-netfilter.conf
+
+- name: Get current nf_conntrack hashsize
+  shell: "cat /sys/module/nf_conntrack/parameters/hashsize"
+  register: nf_conntrack_hashsize
+  changed_when: false
+  check_mode: no
+
+- name: Set nf_conntrack hashsize to a higher value
+  shell: "echo 32768 > /sys/module/nf_conntrack/parameters/hashsize"
+  when: "nf_conntrack_hashsize.stdout != '32768'"

roles/10.1-dhcp/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: restart isc-dhcp-server
+  service: name=isc-dhcp-server state=restarted
+
+- name: restart isc-dhcp6-server
+  service: name=isc-dhcp6-server state=restarted

roles/10.1-dhcp/tasks/main.yml

@@ -0,0 +1,22 @@
+---
+
+- name: Install Packages for DHCP Server
+  ansible.builtin.apt: 
+    name: 
+      - isc-dhcp-server
+    state: latest
+    update_cache: yes
+
+- name: create dhcp defaults 
+  template: 
+    src: isc-dhcp-server.conf.j2
+    dest: /etc/default/isc-dhcp-server
+  notify:
+    - restart isc-dhcp-server
+  
+- name: create dhcp config
+  template: 
+    src: dhcpd.conf.j2
+    dest: /etc/dhcp/dhcpd.conf
+  notify:
+    - restart isc-dhcp-server

roles/10.1-dhcp/templates/dhcpd.conf.j2

@@ -0,0 +1,17 @@
+# {{ ansible_managed }}
+
+default-lease-time 300;
+max-lease-time 1800;
+
+authoritative;
+
+log-facility local7;
+
+subnet {{ dhcp.ff_subnet }} netmask {{ dhcp.ff_netmask }} {
+    range {{dhcp.range_start}} {{dhcp.range_end}};
+
+    option routers {{ network.ff_v4_address }};
+    option domain-name-servers {{ network.ff_v4_address }};
+    option interface-mtu {{ dhcp.mtu }};
+    interface bat0;
+}

roles/10.1-dhcp/templates/isc-dhcp-server.conf.j2

@@ -0,0 +1,3 @@
+# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
+#       Separate multiple interfaces with spaces, e.g. "eth0 eth1".
+INTERFACES="bat0"

roles/10.2-named/handlers/main.yml

@@ -0,0 +1,3 @@
+---
+- name: restart bind9
+  service: name=bind9 state=restarted

roles/10.2-named/tasks/main.yml

@@ -0,0 +1,41 @@
+---
+- name: Install all Packages for Bind9
+  ansible.builtin.apt: 
+    name: 
+      - bind9
+    state: latest
+    update_cache: yes
+
+- name: create named config
+  template: 
+    src: named.conf.j2
+    dest: /etc/bind/named.conf
+  notify:
+    - restart bind9
+
+- name: create named.local config
+  template: 
+    src: named.conf.local.j2
+    dest: /etc/bind/named.conf.local
+  notify:
+    - restart bind9
+
+- name: create named.options config
+  template: 
+    src: named.conf.options.j2
+    dest: /etc/bind/named.conf.options
+  notify:
+    - restart bind9
+
+- name: create named fftdf config
+  template: 
+    src: named.fftdf.conf.j2
+    dest: /etc/bind/named.fftdf.conf
+  notify:
+    - restart bind9
+- name: create named fftdf db
+  template: 
+    src: named.fftdf.db.j2
+    dest: /etc/bind/named.fftdf.db
+  notify:
+    - restart bind9

roles/10.2-named/templates/named.conf.default-zones.j2

@@ -0,0 +1,28 @@
+// prime the server with knowledge of the root servers
+zone "." {
+	type hint;
+	file "/etc/bind/db.root";
+};
+
+// be authoritative for the localhost forward and reverse zones, and for
+// broadcast zones as per RFC 1912
+//
+//zone "localhost" {
+//	type master;
+//	file "/etc/bind/db.local";
+//};
+//
+//zone "127.in-addr.arpa" {
+//	type master;
+//	file "/etc/bind/db.127";
+//};
+//
+//zone "0.in-addr.arpa" {
+//	type master;
+//	file "/etc/bind/db.0";
+//};
+//
+//zone "255.in-addr.arpa" {
+//	type master;
+//	file "/etc/bind/db.255";
+//};

roles/10.2-named/templates/named.conf.j2

@@ -0,0 +1,12 @@
+// This is the primary configuration file for the BIND DNS server named.
+//
+// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
+// structure of BIND configuration files in Debian, *BEFORE* you customize 
+// this configuration file.
+//
+// If you are just adding zones, please do that in /etc/bind/named.conf.local
+
+include "/etc/bind/named.conf.options";
+include "/etc/bind/named.conf.local";
+include "/etc/bind/named.conf.default-zones";
+include "/etc/bind/named.fftdf.conf";

roles/10.2-named/templates/named.conf.local.j2

@@ -0,0 +1,7 @@
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";

roles/10.2-named/templates/named.conf.options.j2

@@ -0,0 +1,26 @@
+options {
+        directory "/var/cache/bind";
+
+        // If there is a firewall between you and nameservers you want
+        // to talk to, you may need to fix the firewall to allow multiple
+        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
+
+        // If your ISP provided one or more IP addresses for stable
+        // nameservers, you probably want to use them as forwarders.
+        // Uncomment the following block, and insert the addresses replacing
+        // the all-0's placeholder.
+
+        // forwarders {
+        //      0.0.0.0;
+        // };
+
+        //========================================================================
+        // If BIND logs error messages about the root key being expired,
+        // you will need to update your keys.  See https://www.isc.org/bind-keys
+        //========================================================================
+        dnssec-validation auto;
+
+        auth-nxdomain no;    # conform to RFC1035
+        listen-on { {{ network.ff_v4_address }}; };
+        listen-on-v6 { {{ network.ff_v6_address }}; };
+};

roles/10.2-named/templates/named.fftdf.conf.j2

@@ -0,0 +1,6 @@
+// Zone declarations for Freifunk Troisdorf
+
+zone "fftdf" {
+  type master;
+  file "/etc/bind/named.fftdf.db";
+};

roles/10.2-named/templates/named.fftdf.db.j2

@@ -0,0 +1,24 @@
+;; db.fftdf
+;; Forwardlookupzone für .fftdf
+;;
+$TTL 600
+@       IN      SOA     fftdf. root.fftdf. (
+                        2016584547      ; Serial
+                                8H      ; Refresh
+                                2H      ; Retry
+                                4W      ; Expire
+                                3H )    ; NX (TTL Negativ Cache)
+
+@                               IN      NS      troisdorf5.infra.fftdf.
+                                IN      A       10.188.32.5
+                                IN      AAAA	2a03:2260:121:2::5
+localhost			IN	A    	127.0.0.1
+				IN  	AAAA    ::1
+nextnode			IN  	A       10.188.0.1
+				IN  	AAAA    2a03:2260:121::1
+;; Update Servers
+update1.infra			IN      AAAA    2a03:2260:121:4000:6038:61ff:fe34:3461
+update2.infra			IN      AAAA    2a01:4f8:11d:600::183
+;;update3.infra			IN      AAAA    2a03:2260:121::24
+;; Unifi
+unifi				IN	A	195.201.216.131

roles/10.3-tunneldigger/files/tunneldigger.conf

@@ -0,0 +1,6 @@
+nf_conntrack_netlink
+nf_conntrack
+nfnetlink
+l2tp_netlink
+l2tp_core
+l2tp_eth

roles/10.3-tunneldigger/files/tunneldigger.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=tunneldigger tunnelling network daemon using l2tpv3 for domain %i
+After=network.target auditd.service
+
+[Service]
+Type=simple
+WorkingDirectory=/srv/tunneldigger
+ExecStart=/srv/tunneldigger/env_tunneldigger/bin/python3 -m tunneldigger_broker.main /srv/tunneldigger/broker/l2tp_broker.cfg
+KillMode=process
+KillSignal=SIGINT
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

roles/10.3-tunneldigger/handlers/main.yml

@@ -0,0 +1,2 @@
+- name: load kernel modules
+  shell: /etc/init.d/kmod start || true

roles/10.3-tunneldigger/tasks/main.yml

@@ -0,0 +1,80 @@
+- name: Install dependencies for this role
+  apt:
+    pkg: "{{ item }}"
+    state: present
+  with_items:
+    - bridge-utils
+    - ebtables
+    - git
+    - iproute2
+    - libnetfilter-conntrack-dev
+    - libnfnetlink-dev
+    - python3-dev
+    - python3-virtualenv
+    - virtualenv
+    - gcc
+    - libnl-3-dev
+    - libevent-dev
+
+- name: Get Tunneldigger
+  git: 
+    repo: https://github.com/wlanslovenija/tunneldigger
+    dest: /srv/tunneldigger
+  register: tunneldigger
+
+- name: generate virtualenv.
+  command:
+    "virtualenv -p /usr/bin/python3 env_tunneldigger"
+  args:
+    chdir: /srv/tunneldigger/
+    creates: "/srv/tunneldigger/env_tunneldigger/bin/python3"
+  when: tunneldigger.changed
+
+- name: Install python dependencies
+  command: "/srv/tunneldigger/env_tunneldigger/bin/python setup.py install"
+  args:
+    chdir: /srv/tunneldigger/broker
+  when: tunneldigger.changed
+
+- name: Copy l2tp broker config template
+  template: 
+    src: l2tp_broker.cfg.j2
+    dest: /srv/tunneldigger/l2tp_broker.cfg
+    owner: root 
+    group: root 
+    mode: 0444
+
+- name: Copy tunneldigger script template
+  template: 
+    src: bataddif.sh.j2 
+    dest: /srv/tunneldigger/bataddif.sh 
+    owner: root 
+    group: root 
+    mode: 0500
+
+- name: Copy tunneldigger scripts
+  template: 
+    src: batdelif.sh.j2
+    dest: /srv/tunneldigger/batdelif.sh
+    owner: root 
+    group: root 
+    mode: 0500
+
+- name: Copy tunneldigger service template
+  copy: 
+    src: tunneldigger.service
+    dest: /etc/systemd/system/tunneldigger.service
+    mode: 0444
+
+- name: Deploy tunneldigger.conf to /etc/modules-load.d/
+  copy: 
+    src: tunneldigger.conf 
+    dest: /etc/modules-load.d/tunneldigger.conf
+  notify: load kernel modules
+  
+- name: Tunneldigger reload
+  command: "{{item}}"
+  with_items:
+  - systemctl daemon-reload
+  - systemctl enable tunneldigger.service
+  when: tunneldigger.changed

roles/10.3-tunneldigger/templates/bataddif.sh.j2

@@ -0,0 +1,17 @@
+#!/bin/bash
+INTERFACE="$3"
+MAC="$8"
+brctl=/sbin/brctl
+BLOCKLISTE=$(/bin/cat /opt/freifunk/tunneldigger-blacklist.txt)
+wget -q -O /opt/freifunk/tunneldigger-blacklist.txt https://raw.githubusercontent.com/Freifunk-Troisdorf/tunneldigger-blockliste/master/macs.txt
+
+/bin/ip link set dev $INTERFACE up mtu 1312
+
+for i in $BLOCKLISTE;
+do
+    if [[ $i == $MAC ]]; then
+      exit 1
+    fi
+done
+
+$brctl addif br-nodes $INTERFACE

roles/10.3-tunneldigger/templates/batdelif.sh.j2

@@ -0,0 +1,4 @@
+#!/bin/bash
+INTERFACE="$3"
+
+/sbin/brctl delif br-nodes $INTERFACE

roles/10.3-tunneldigger/templates/l2tp_broker.cfg.j2

@@ -0,0 +1,63 @@
+[broker]
+; IP address the broker will listen and accept tunnels on
+address={{ ansible_host }}
+; Ports where the broker will listen on
+port={{ tunneldigger.td_port }}
+; Interface with that IP address
+interface={{ tunneldigger.td_wan_interface }}
+; Maximum number of cached cookies, required for establishing a
+; session with the broker
+max_cookies=1024
+; Maximum number of tunnels that will be allowed by the broker
+max_tunnels=150
+; Tunnel port base
+port_base=15000
+; Tunnel id base
+tunnel_id_base=100
+; Tunnel timeout interval in seconds
+tunnel_timeout=60
+; Should PMTU discovery be enabled
+pmtu_discovery=false
+; Namespace (for running multiple brokers); note that you must also
+; configure disjunct ports, and tunnel identifiers in order for
+; namespacing to work
+namespace=troisdorf
+
+; Reject connections if there are less than N seconds since the last connection.
+; Can be less than a second (e.g., 0.1).
+connection_rate_limit=2
+
+; Set PMTU to a fixed value.  Use 0 for automatic PMTU discovery.  A non-0 value also disables
+; PMTU discovery on the client side, by having the server not respond to client-side PMTU
+; discovery probes.
+pmtu=0
+
+; The batman device of this Hood (e.g. bat2)
+batdev=bat0
+
+[log]
+; Log filename
+filename=/var/log/tunneldigger-broker.log
+; Verbosity
+verbosity=DEBUG
+; Should IP addresses be logged or not
+log_ip_addresses=false
+
+[hooks]
+; Arguments to the session.{up,pre-down,down} hooks are as follows:
+;
+;    <tunnel_id> <session_id> <interface> <mtu> <endpoint_ip> <endpoint_port> <local_port>
+;
+; Arguments to the session.mtu-changed hook are as follows:
+;
+;    <tunnel_id> <session_id> <interface> <old_mtu> <new_mtu>
+;
+
+; Called after the tunnel interface goes up
+session.up=/srv/tunneldigger/bataddif.sh
+; Called just before the tunnel interface goes down
+session.pre-down=/srv/tunneldigger/batdelif.sh
+; Called after the tunnel interface goes down
+session.down=
+; Called after the tunnel MTU gets changed because of PMTU discovery
+session.mtu-changed=

system-setup-supernode.yml

@@ -0,0 +1,14 @@
+# ansible-playbook -i hosts.yml system-setup-supernode.yml -e vault.yml --ask-vault-password
+- name: System preperation
+  hosts: freifunk-supernodes
+  roles:
+    - 00-ubuntu-basic
+    - 21-install-oitc
+
+- name: VPN Offloader Setup
+  hosts: freifunk-supernodes
+  roles:
+    - 10-freifunk-supernode
+    - 10.1-dhcp
+    - 10.2-named
+    - 10.3-tunneldigger