diff --git a/files/alfred.sh.j2 b/files/alfred.sh.j2 index 7da0925..bc03367 100644 --- a/files/alfred.sh.j2 +++ b/files/alfred.sh.j2 @@ -2,7 +2,8 @@ release=$(/bin/uname -r) nodeid=$( /bin/echo {{ sn_mesh_MAC }} | /bin/sed s/://g) -meshh_if=$(/bin/cat /sys/class/net/*/address | /bin/grep -v ^00:00:00) +#meshh_if=$(/bin/cat /sys/class/net/troisdorf*/address | /bin/grep -v ^00:00:00) +meshh_if=$(/bin/cat /sys/class/net/l2tp*/address | /bin/grep -v ^00:00:00) tempfile=/tmp/alfred_info if [ -f $tempfile ] @@ -20,6 +21,7 @@ fi ], "mesh_interfaces": [ $(for i in $meshh_if; do /bin/echo '"'$i'",';done) +"{{ ul_mesh_MAC }}", "{{ sn_mesh_MAC }}" ] }, @@ -37,7 +39,7 @@ EOF if [ -f $tempfile ] then - /bin/cat "$tempfile" | /bin/gzip | /usr/sbin/alfred -s 158 + /bin/cat "$tempfile" | /bin/gzip | /usr/local/sbin/alfred -s 158 fi if [ -f $tempfile ] @@ -46,3 +48,4 @@ if [ -f $tempfile ] fi exit 0 + diff --git a/files/authorized_keys b/files/authorized_keys index 7cc6678..90c7b09 100644 --- a/files/authorized_keys +++ b/files/authorized_keys 
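Review bot: `tempfile=/tmp/alfred_info` in the first hunk is a fixed, predictable name in a world-writable directory, and the playbook in this commit runs alfred.sh from root's crontab every minute; if the later write to `$tempfile` (outside this hunk) is a plain redirect, a pre-placed symlink at that path is followed as root. Keeping the file under a root-owned directory, e.g. `tempfile=/opt/freifunk/alfred_info`, or switching to `mktemp` and dropping the existence check, removes that. The new `meshh_if=$(/bin/cat /sys/class/net/l2tp*/address ...)` line is otherwise fine: with no l2tp interface the variable is empty and the loop in the next hunk emits nothing, so the JSON stays valid.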
@@ -2,12 +2,8 @@ ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAos0JvQsyAsP3FcsqDCBTDqzUGBeoxMKDj/SSRoy5MBDP ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDM0d9uUUdkK80fYEAz+IwxbhQO2qsr87Q4uxxwqQCvjVWryL+IuKMBJJGroWDMz2d9UJcIXEYdMz4436U0DoPJuoXe5iDsVvum3Vz3276My+tqx1bZWCktPa8Isft7mO/wfELNjRNQduUiwh2y712s7/3GQI+5Rs/65HuLHTnpLKrlfptqmsmYw+IUFDzGwBLJ6sqP90ywjKkperPCAH3IWcTsQwnW3EJFPToMg6BrQslZlxx/z+co3e6jCWzUuuIRP9jp4SmNVfYaVGb1cOFdL1p1P0qWHBHdGUnXHZ+c773VKVSj+spUBxKGqNC1EhRCYTsPDLVrYrhKl2BRLcgB stefan@Stefan-Linux -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUlPYUqsisJoBT5iDOc7OQXadZyFgI2Z+n+ARPg7OLgkw4SCORAOd53x6KYQZFhq9LP6Dv+kNkk3Qvd/uIr8avG3nxRcHWSIU9ICUmGzEp+W7dT1ExzhVkFxQG7f219ifjRO95xeQNI45MdVKBytQoQGNMoNLXTOZfW5mYr5yQWePa2OmdJLPWrAoHpS2PgrcqWzqdSBuKLdPQgr8KKHGvn9Wf/t9/6/foYfBlzf+emfxZY0M7vJUcCkpK+m66ECE2/eu9aE3m4oBOImivy9/yCta2BASJKCycYoTijRlihcllT3zSt2AGlK7OKpZRDlvFOPuL4yw1LsreBRkkdcAZ reka - -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDb1l5B82IeYYmapacMPR1KQV7r24Qc7K9v33Wtfyi3GuF6sz/Z014ZvtI6TwodvjWH5yx0yh+zY8BQzgb29zQm6vCjnAzDX2QdJJtAruNcl3Ib8rnp4dIRtSRwxwTP/QSltuSokMMoCoKI3Zl0i4MvlCCezjSVWzmfeTr8OA9pDz1eJ9hZn87IaBghVIOIpZYvoxhE7GAbctqA+Jx3XUoWyY4LJpgMA4Y2q9YjQ9bWNyQb5FuwCp4akapwDFEvbTDY0DyAHKmm7txv+5q5RkxfFq3K/DtcILbm0wtAsqM7VZu2TYOj+KiEHJmJMAq+yYNEWzMTsnr7mjqz8I5uOA0V jan@gefion - -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNx2LqPdxwg26i4PytNUIbabqf7eb9gIp6dgwwIqFUnqbnTcilzxlm1FZoH+yMKvYY0G+ZNPG9Zs59QWE/m+mPBOjmrf5N4EH3BW3L/VRLesFMokXHtxkXZzX8CD7c+C0DGmcWfQNMD9tOYsKVm3No3Yr1Hy/WmVQbdEjpkowGpl/y1GFjZqa0dGBhVwAzdHjxsKkpbbVJDDzBwY6WReV+b6Ychgk4S58caJWXAZhkv/2bnaGW1SloHST+GBZrFa+JYbS0D1eortfpPsSR0AMqReJ+NSBKopOYC+WbqEFk9V5VJgbIsT27hRLk3Ctn8MuBUCP1vzn6gyPK91o/ZZqH jan@odin - -ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQCVxoI2GdqqnK0eKsx5xXiYca19toxB+s9lHb9u9gdmJ52tsl75XZVT2R44o5Yu8KciSPx+khzj7vL3RWieVTrPGhlbYQnOuK73x420rGejjAyDFPQWQxw98Bx0a7VHBsSUpndcnlLBMPe6bIOLI8j7c/sV26rEOAF7LshuONq4E5SMUTL4bp2dhfBgC8SjGdevBpwR1rCBIt51jhvS/asBIUZNrabG3NPwNoaRLELUbFZm7vLF777GWuBzM0G41iImb8nuC1q9WSt66ShhSxLthvl1wdyvixgCgY5yM3eOVJHheMWR6mwE2ZdAeLAFjfXKBqoH5My7a4K96wyUMptD nodeadmin@update1 - ssh-rsa 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 localadmin@tst-ansible + +ssh-rsa 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 supernodeadmin@update1 + +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUTvOdUbtWOmQ1HHh1rNm9LvGozlVPOu0XVcmZ2/NfSOrDbnN99Y4o2Q2mm/ZITWtEZkijnS+LdqB/SO+I2c8NWQO3+gCd9WzI/pqRso2eDIMtPfidnEGdUi4+hHmT96TGOh6P/SrR71646AJkQr5vxLDs/U/57uyTxNwgHFYb1zfekeK4J8gm9StfiGTdfFDTQsYQljrO0YxGrNG2koRXDwgUca4kGjx/HYwnjtl1nDRSAa8HvgxqAASFFrqSOhCkrlCgxoKZZwGIFccYTcAJFDhqIG32q2tRAQOtqxy5OWbTkJLBTBaR7dG4W9iYHbV6vscfNQD7Ml3aMrS+TA0x stefan@ff-stefan@tst-office diff --git a/files/bataddif.sh.j2 b/files/bataddif.sh.j2 index c88786e..e0fc221 100644 --- a/files/bataddif.sh.j2 +++ b/files/bataddif.sh.j2 @@ -2,7 +2,7 @@ INTERFACE="$3" #MAC="$8" #BLACKLISTFILE=/opt/freifunk/blockliste.txt - +batctl=/usr/local/sbin/batctl #if [ -f /opt/freifunk/blockliste.txt ] @@ -21,7 +21,10 @@ INTERFACE="$3" #done #ip link set address {{ sn_mesh_MAC }} dev $INTERFACE -ifconfig $INTERFACE hw ether {{ sn_mesh_MAC }} -ip link set dev $INTERFACE up mtu 1312 -/usr/sbin/batctl if add $INTERFACE +#ifconfig $INTERFACE hw ether {{ sn_mesh_MAC }} +/bin/ip link set dev $INTERFACE up mtu 1312 +#/sbin/sysctl net.ipv4.conf.$INTERFACE.rp_filter=0 +$batctl if add $INTERFACE + +echo "enabled" > /sys/devices/virtual/net/$INTERFACE/batman_adv/no_rebroadcast diff --git a/files/batdelif.sh b/files/batdelif.sh index dbe3614..65fc46d 100644 --- a/files/batdelif.sh +++ b/files/batdelif.sh @@ -1,4 +1,4 @@ #!/bin/bash INTERFACE="$3" -/usr/sbin/batctl if del $INTERFACE +/usr/local/sbin/batctl if del $INTERFACE 
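Review bot: The keys added in this file carry no options, so each one is an unrestricted root login on every supernode (the playbook copies this file to /root/.ssh), and `stefan@ff-stefan@tst-office` reads like a personal workstation key rather than an automation key. The two entries rendered with the same placeholder appear to hold identical key material, which would mean the `localadmin@tst-ansible` key was relabelled `supernodeadmin@update1` rather than rotated — worth confirming, since a rename revokes nothing. For the automation key, pin it to the management host, e.g. prefix the line with `from="<update1 address>",no-port-forwarding,no-agent-forwarding,no-X11-forwarding `, and treat the removal of the `jan@…` and `reka` keys as effective only once every host has been re-run.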
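Review bot: The new `echo "enabled" > /sys/devices/virtual/net/$INTERFACE/batman_adv/no_rebroadcast` depends on the no_rebroadcast patch, but in this same commit the playbook's `git apply` of that patch is commented out, so on the stock v2015.2 module the sysfs attribute does not exist and the redirect fails on every tunnel that comes up. Guarding it keeps the hook clean on both builds: `f=/sys/devices/virtual/net/$INTERFACE/batman_adv/no_rebroadcast; [ -w "$f" ] && echo enabled > "$f"`. `$INTERFACE` is a tunneldigger hook argument and is unquoted here and on the `/bin/ip link set dev $INTERFACE up mtu 1312` line; quoting it costs nothing.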
diff --git a/files/collectd.conf.j2 b/files/collectd.conf.j2 index e0334b8..c27fb62 100644 --- a/files/collectd.conf.j2 +++ b/files/collectd.conf.j2 @@ -35,7 +35,7 @@ LoadPlugin entropy LoadPlugin irq LoadPlugin load LoadPlugin memory -LoadPlugin openvpn +#LoadPlugin openvpn LoadPlugin processes LoadPlugin swap LoadPlugin rrdtool @@ -159,7 +159,7 @@ LoadPlugin users #LoadPlugin thermal #LoadPlugin tokyotyrant #LoadPlugin unixsock -#LoadPlugin uptime +LoadPlugin uptime #LoadPlugin uuid #LoadPlugin varnish diff --git a/files/dhcpd.conf.j2 b/files/dhcpd.conf.j2 index 95998d0..d23aa06 100644 --- a/files/dhcpd.conf.j2 +++ b/files/dhcpd.conf.j2 @@ -1,3 +1,4 @@ +# Version 1.2 ddns-update-style none; option domain-name "fftdf"; default-lease-time 300; @@ -9,6 +10,5 @@ range {{ sn_dhcp_range }}; option domain-name-servers {{ sn_mesh_IPv4 }}, {{ sn_dhcp_dns }}; option routers {{ sn_dhcp_router }}; interface bat0; - } - +include "/opt/freifunk/static-dhcp/static.conf"; diff --git a/files/gre_backbone.sh b/files/gre_backbone.sh deleted file mode 100644 index 9a5683d..0000000 --- a/files/gre_backbone.sh +++ /dev/null 
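Review bot: The added `include "/opt/freifunk/static-dhcp/static.conf";` makes dhcpd refuse to start whenever that file is absent or malformed, and the playbook fills it from a git checkout that a cron job refreshes every minute, so one bad push to that repository takes DHCP down on every supernode at once. The `ignore_errors: yes` on the dhcpd restart task in the playbook then hides the failure from the play. The update job should validate with `dhcpd -t -cf /etc/dhcp/dhcpd.conf` before reloading and keep the previous `static.conf` on failure; that script lives in the other repository, so I can only flag the dependency here.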
@@ -1,45 +0,0 @@ -#!/bin/sh -# Server name ending must be a single digit number -communityname="troisdorf" -server="troisdorf1 troisdorf2 troisdorf3 troisdorf4 troisdorf5 troisdorf6" -domain="freifunk-troisdorf.de" -mtu=1500 -# community MAC address, without the last Byte (:)! -communitymacaddress="a2:8c:ae:6f:f6" -# Network part of the network, without the trailing dot -communitynetwork="10.188" -# IPv6 network -communitynetworkv6="fda0:747e:ab29:7405:255::" -# Third octet from the server range -octet3rd="255" -# CIDR muss /16 sein -localserver=$(hostname) - -for i in $server; do - -( - for j in $server; do - - if [ $i != $j ]; then - if [ $i = $(hostname) ]; then - ip link add $j type gretap local $(hostname -I | cut -f1 -d' ') remote $(dig +short $j.$domain) dev eth0 nopmtudisc - ip link set dev $j mtu $mtu - ip link set address $communitymacaddress:${i#$communityname}${j#$communityname} dev $j - ip link set $j up - batctl if add $j - fi - fi - - done -) - -done - -# configure bat0 -ip link set address $communitymacaddress$:0${localserver#$communityname} dev bat0 -ip link set up dev bat0 -ip addr add $communitynetwork.$octet3rd.${localserver#$communityname}/16 broadcast $communitynetwork.255.255 dev bat0 -ip -6 addr add fda0:747e:ab29:7405:255::${localserver#$communityname}/64 dev bat0 -alfred -i bat0 > /dev/null 2>&1 & -batadv-vis -i bat0 -s > /dev/null 2>&1 & -service bind9 restart diff --git a/files/gre_backbone.sh.j2 b/files/gre_backbone.sh.j2 new file mode 100644 index 0000000..b4af165 --- /dev/null +++ b/files/gre_backbone.sh.j2 
@@ -0,0 +1,57 @@ +#!/bin/sh +# Server name ending must be a single digit number +communityname="troisdorf" +server="troisdorf0 {{ sn_hostname }}" +domain="freifunk-troisdorf.de" +mtu={{ sn_mtu }} +# community MAC address, without the last Byte (:)! +communitymacaddress="a2:8c:ae:6f:f6" +# Network part of the network, without the trailing dot +communitynetwork="10.188" +# IPv6 network +communitynetworkv6="fda0:747e:ab29:7405:255::" +# Third octet from the server range +octet3rd="255" +# CIDR muss /16 sein +localserver=$(/bin/hostname) +# files +batadv=/usr/local/sbin/batadv-vis +alfred=/usr/local/sbin/alfred +batctl=/usr/local/sbin/batctl + +for i in $server; do + +( + for j in $server; do + + if [ $i != $j ]; then + if [ $i = $(/bin/hostname) ]; then + /sbin/ip link add $j type gretap local $(/bin/hostname -I | /usr/bin/cut -f1 -d' ') remote $(/usr/bin/dig +short $j.$domain) dev eth0 nopmtudisc +# /sbin/ip link add $j type gretap local $(/bin/hostname -I | /usr/bin/cut -f1 -d' ') remote $(/usr/bin/dig +short $j.$domain) dev eth0 + /sbin/ip link set dev $j mtu $mtu +# /sbin/ip link set address $communitymacaddress:${i#$communityname}${j#$communityname} dev $j +# /sbin/ip link set address $communitymacaddress$:0${localserver#$communityname} dev $j + /sbin/ip link set address $communitymacaddress$:${localserver#$communityname}0 dev $j + /sbin/ip link set $j up + $batctl if add $j + fi + fi + + done +) + +done + +# configure bat0 +/sbin/ip link set address $communitymacaddress$:0${localserver#$communityname} dev bat0 +/sbin/ip link set up dev bat0 +/sbin/ip addr add $communitynetwork.$octet3rd.${localserver#$communityname}/16 broadcast $communitynetwork.255.255 dev bat0 +/sbin/ip -6 addr add fda0:747e:ab29:7405:255::${localserver#$communityname}/64 dev bat0 + +/usr/bin/killall alfred +/usr/bin/killall batadv-vis +/bin/sleep 5 +$alfred -i bat0 > /dev/null 2>&1 & +/bin/sleep 15 +$batadv -i bat0 -s > /dev/null 2>&1 & +/usr/sbin/service bind9 restart 
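Review bot: `/sbin/ip link set address $communitymacaddress$:${localserver#$communityname}0 dev $j` has a stray `$` before the colon: `$:` is not a parameter expansion in sh, so the literal `$` survives and the address becomes `a2:8c:ae:6f:f6$:10`, which `ip` rejects; the bat0 line `$communitymacaddress$:0${localserver#$communityname}` carries the same defect over from the deleted file. The l2tp scripts in this commit use the correct form, `$communitymacaddress:0${localserver#$communityname}`, and this file should match. `$(/usr/bin/dig +short $j.$domain)` is also used unchecked: an empty or multi-line answer produces a malformed `ip link add`, the tunnel silently never comes up, and nothing retries at @reboot.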
diff --git a/files/l2tp_backbone.sh.j2 b/files/l2tp_backbone.sh.j2 new file mode 100644 index 0000000..d5ec362 --- /dev/null +++ b/files/l2tp_backbone.sh.j2 
@@ -0,0 +1,57 @@ +#!/bin/sh +# Version 5 +# Der servername muss mit einer einstelligen Zahl aufhoeren!!!!! +communityname="troisdorf" +server="troisdorf1 troisdorf2 troisdorf3 troisdorf4 troisdorf5 troisdorf6 troisdorf7 troisdorf8 troisdorf9" +#server="troisdorf0 {{ sn_hostname }}" +domain="freifunk-troisdorf.de" +mtu={{ sn_mtu }} +# community MAC address, without the last Byte (:)! +communitymacaddress="a2:8c:ae:6f:f6" +tunnelPrefix=10 +sessionPrefix=1 +# Netzwerkteil des Netzes, ohne abschliessenden Punkt +communitynetwork="10.188" +# IPv6 network +communitynetworkv6="fda0:747e:ab29:7405:255::" +# Drittes Octet des serverbereichs +octet3rd="255" +# CIDR muss /16 sein +localserver=$(/bin/hostname) +batadv=/usr/local/sbin/batadv-vis +alfred=/usr/local/sbin/alfred +batctl=/usr/local/sbin/batctl +ip=/sbin/ip +dig=/usr/bin/dig + +for i in $server; do +( + for j in $server; do + if [ $i != $j ]; then + if [ $i = $localserver ]; then + ip l2tp add tunnel remote $($dig +short $j.$domain) local $(/bin/hostname -I | /usr/bin/cut -f1 -d' ') tunnel_id $tunnelPrefix${i#$communityname}${j#$communityname} peer_tunnel_id $tunnelPrefix${j#$communityname}${i#$communityname} encap udp udp_sport 300${i#$communityname}${j#$communityname} udp_dport 300${j#$communityname}${i#$communityname} + ip l2tp add session name l2tp-$j tunnel_id $tunnelPrefix${i#$communityname}${j#$communityname} session_id $sessionPrefix${i#$communityname}${j#$communityname} peer_session_id $sessionPrefix${j#$communityname}${i#$communityname} + #ip link set address $communitymacaddress:${i#$communityname}${j#$communityname} dev l2tp-$j + ip link set dev l2tp-$j mtu $mtu + ip link set up l2tp-$j + $batctl if add l2tp-$j + fi + fi + done +) +done + +# Rest starten +$ip link set address $communitymacaddress:0${localserver#$communityname} dev bat0 +#$ip link set address $communitymacaddress:ff dev bat0 +$ip link set up dev bat0 +$ip addr add $communitynetwork.$octet3rd.${localserver#$communityname}/16 broadcast 
$communitynetwork.255.255 dev bat0 +$ip -6 addr add $communitynetworkv6${localserver#$communityname}/64 dev bat0 + +/usr/bin/killall alfred +/usr/bin/killall batadv-vis +/bin/sleep 5 +$alfred -i bat0 > /dev/null 2>&1 & +/bin/sleep 15 +$batadv -i bat0 -s > /dev/null 2>&1 & +/usr/sbin/service bind9 restart diff --git a/files/l2tp_backbone_ffswitch.sh.j2 b/files/l2tp_backbone_ffswitch.sh.j2 new file mode 100644 index 0000000..abb5702 --- /dev/null +++ b/files/l2tp_backbone_ffswitch.sh.j2 
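Review bot: The static L2TPv3 sessions created by `ip l2tp add tunnel ... encap udp` have no authentication, so the backbone's integrity rests entirely on the source address of UDP datagrams reaching ports 300XY; nothing in this commit filters those ports to the peer addresses (sn_startup.sh touches only OUTPUT and the nat table). Accepting the port range from each resolved peer and dropping it otherwise, built in the same loop, would close that gap. The peer address itself comes from `$($dig +short $j.$domain)` with no check for an empty or multi-line answer, which leaves a malformed `ip l2tp add tunnel` and no session. The two `ip l2tp add` lines and the `ip link set` lines also use bare `ip` although the script defines `$ip` for exactly this; under cron's minimal PATH that may not resolve the same way.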
@@ -0,0 +1,56 @@ +#!/bin/sh +# Version 5 +# Der servername muss mit einer einstelligen Zahl aufhoeren!!!!! +communityname="troisdorf" +server="troisdorf0 troisdorf1 troisdorf2 troisdorf3 troisdorf4 troisdorf5 troisdorf6 troisdorf7 troisdorf8 troisdorf9" +#server="troisdorf0 {{ sn_hostname }}" +domain="freifunk-troisdorf.de" +mtu={{ sn_mtu }} +# community MAC address, without the last Byte (:)! +communitymacaddress="a2:8c:ae:6f:f6" +tunnelPrefix=10 +sessionPrefix=1 +# Netzwerkteil des Netzes, ohne abschliessenden Punkt +communitynetwork="10.188" +# IPv6 network +communitynetworkv6="fda0:747e:ab29:7405:255::" +# Drittes Octet des serverbereichs +octet3rd="255" +# CIDR muss /16 sein +localserver=$(/bin/hostname) +batadv=/usr/local/sbin/batadv-vis +alfred=/usr/local/sbin/alfred +batctl=/usr/local/sbin/batctl +ip=/sbin/ip +dig=/usr/bin/dig + +for i in $server; do +( + for j in $server; do + if [ $i != $j ]; then + if [ $i = $localserver ]; then + ip l2tp add tunnel remote $($dig +short $j.$domain) local $(/bin/hostname -I | /usr/bin/cut -f1 -d' ') tunnel_id $tunnelPrefix${i#$communityname}${j#$communityname} peer_tunnel_id $tunnelPrefix${j#$communityname}${i#$communityname} encap udp udp_sport 300${i#$communityname}${j#$communityname} udp_dport 300${j#$communityname}${i#$communityname} + ip l2tp add session name l2tp-$j tunnel_id $tunnelPrefix${i#$communityname}${j#$communityname} session_id $sessionPrefix${i#$communityname}${j#$communityname} peer_session_id $sessionPrefix${j#$communityname}${i#$communityname} + #ip link set address $communitymacaddress:${i#$communityname}${j#$communityname} dev l2tp-$j + ip link set dev l2tp-$j mtu $mtu + ip link set up l2tp-$j + $batctl if add l2tp-$j + fi + fi + done +) +done + +# Rest starten +$ip link set address $communitymacaddress:0${localserver#$communityname} dev bat0 +#$ip link set address $communitymacaddress:ff dev bat0 +$ip link set up dev bat0 +$ip addr add $communitynetwork.$octet3rd.${localserver#$communityname}/16 
broadcast $communitynetwork.255.255 dev bat0 +$ip -6 addr add $communitynetworkv6${localserver#$communityname}/64 dev bat0 + +/usr/bin/killall alfred +/usr/bin/killall batadv-vis +/bin/sleep 5 +$alfred -i bat0 > /dev/null 2>&1 & +/bin/sleep 15 +$batadv -i bat0 -s > /dev/null 2>&1 & diff --git a/files/l2tp_broker.cfg.j2 b/files/l2tp_broker.cfg.j2 index c9a0cf8..8060e21 100644 --- a/files/l2tp_broker.cfg.j2 +++ b/files/l2tp_broker.cfg.j2 @@ -9,7 +9,7 @@ interface=eth0 ; session with the broker max_cookies=1024 ; Maximum number of tunnels that will be allowed by the broker -max_tunnels=100 +max_tunnels=150 ; Tunnel port base port_base=15000 ; Tunnel id base diff --git a/files/logrotate.conf b/files/logrotate.conf new file mode 100644 index 0000000..b31a038 --- /dev/null +++ b/files/logrotate.conf @@ -0,0 +1,34 @@ +# see "man logrotate" for details +# rotate log files weekly +#weekly +daily + +# keep 4 weeks worth of backlogs +#rotate 4 +rotate 0 + +# create new (empty) log files after rotating old ones +create + +# uncomment this if you want your log files compressed +#compress + +# packages drop log rotation information into this directory +include /etc/logrotate.d + +# no packages own wtmp, or btmp -- we'll rotate them here +/var/log/wtmp { + missingok + monthly + create 0664 root utmp + rotate 1 +} + +/var/log/btmp { + missingok + monthly + create 0660 root utmp + rotate 1 +} + +# system-specific logs may be configured here diff --git a/files/radvd.conf.j2 b/files/radvd.conf.j2 new file mode 100644 index 0000000..b4c45bd --- /dev/null +++ b/files/radvd.conf.j2 @@ -0,0 +1,12 @@ +interface bat0 { + AdvSendAdvert on; + IgnoreIfMissing on; + MaxRtrAdvInterval 200; + RDNSS {{ sn_mesh_IPv6 }} {}; + prefix fda0:747e:ab29:7405::/64 { + AdvOnLink on; + AdvAutonomous on; + AdvRouterAddr on; + }; +}; + diff --git a/files/sn_startup.sh.j2 b/files/sn_startup.sh.j2 new file mode 100644 index 0000000..8fbf7e7 --- /dev/null +++ b/files/sn_startup.sh.j2 
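Review bot: l2tp_backbone_ffswitch.sh.j2 is a line-for-line copy of l2tp_backbone.sh.j2 differing only in the `server=` list (troisdorf0 added) and the dropped `service bind9 restart` at the end; two copies of the tunnel loop will drift the next time the id/port scheme or the dig handling is fixed. Driving the server list and the bind9 step from template variables would let one file serve both roles. The points raised on the first copy (unauthenticated UDP with no ingress filter, unchecked `dig` output, bare `ip` instead of `$ip`) apply here verbatim.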
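Review bot: `rotate 0` combined with `daily` means every log governed by the global defaults is deleted the day after it is written, with no compressed copy kept; for an internet-facing gateway that NATs anonymous client traffic, that leaves nothing to consult after an abuse report or an intrusion. If disk space is the concern, `rotate 7` plus `compress` is cheap, or forward syslog to a collector before discarding locally. The wtmp/btmp stanzas keep one month, which is inconsistent with the zero-retention default and suggests the `0` was meant differently.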
@@ -0,0 +1,57 @@ +#!/bin/sh + +curl -X POST --data-urlencode 'payload={"text": "{{ sn_hostname }} is rebooted", "channel": "#technik", "username": "{{ sn_hostname }}", "icon_emoji": ":floppy_disk:"}' https://hooks.slack.com/services/{{ slack_token }} + +# Stop tunneldigger until bat0 is up +/usr/sbin/service tunneldigger stop + +# Set unreachable for table 200 +#/bin/ip route add unreachable 0.0.0.0/0 table iffy + +#while ! ping -c 1 -W 1 {{ sn_iffy_traffic }}; do +# echo "Waiting for {{ sn_iffy_traffic }} - network interface might be down..." +# sleep 5 +#done + +# Block RFC1918 and APIPA destination via WAN +/sbin/iptables -P OUTPUT ACCEPT +for i in 10.0.0.0/8 172.16.0.0/12 169.254.0.0/16 192.168.0.0/16; do +/sbin/iptables -A OUTPUT -o eth0 -d $i -j DROP +done + +# Activate IP forwarding +/sbin/sysctl -w net.ipv6.conf.all.forwarding=1 +/sbin/sysctl -w net.ipv4.ip_forward=1 +/sbin/sysctl kernel.panic=1 + +# Routing table 200 for traffic above port 1023 +#/bin/grep 200 /etc/iproute2/rt_tables || /bin/echo 200 iffy >> /etc/iproute2/rt_tables + +# Set table for traffice with mark 4 +#/bin/ip rule add fwmark 0x4 table iffy + +# Set mark 4 to traffic above port 1023 +#/sbin/iptables -t mangle -A PREROUTING -p tcp --dport 1024:65535 -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MARK --set-mark 4 +#/sbin/iptables -t mangle -A PREROUTING -p udp --dport 1024:65535 -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MARK --set-mark 4 + +# NAT on eth0 +/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE + +# Allow MAC address spoofing +/sbin/sysctl net.ipv4.conf.bat0.rp_filter=0 + +# Set gateway for table 200 +#/bin/ip route replace default via {{ sn_iffy_traffic }} table iffy + +sleep 5 + +# Start tunneldigger +/usr/sbin/service tunneldigger restart + +# radvd restart +/usr/sbin/service radvd restart + +# restart DHCP +/usr/sbin/service isc-dhcp-server restart + +exit 0 diff --git a/install.sn.yml b/install.sn.yml index b826742..77c0d15 100644 --- a/install.sn.yml +++ b/install.sn.yml 
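Review bot: The RFC1918/APIPA block is written to the OUTPUT chain, which only sees packets the supernode itself generates; client traffic arriving on bat0 and leaving via eth0 through the `MASQUERADE` rule goes through FORWARD, so — if the uplink routes them — mesh clients can still reach 10/8, 172.16/12 and 192.168/16 behind the WAN despite the comment. Add the same drop to the forward path inside the loop: `/sbin/iptables -A FORWARD -o eth0 -d $i -j DROP`. Both `-A` calls append duplicates every time the script runs, so an `iptables -C ... || iptables -A ...` guard keeps the rule set readable. The Slack `curl` at the top has no timeout, so an unreachable hooks.slack.com at boot stalls the forwarding and NAT setup behind it; `-sS --max-time 10` bounds that.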
@@ -1,7 +1,6 @@ # First install ssh-key at remote computer # In case of python error start: # ansible troisdorf4 -u root -m raw -a "apt-get update && apt-get install python -y" -# Version 3.2, gre-backbone - name: Install Freifunk Troisdorf super node # hosts: FreifunkSupernodesL2TP @@ -10,6 +9,8 @@ user: root gather_facts: False vars: + snversion: master_v1.9.3 + batmanversion: v2015.2 common_required_packages: - git - make @@ -20,7 +21,6 @@ - libnl-3-dev - libjansson-dev - isc-dhcp-server -# - openvpn - collectd - libcap-dev - iproute @@ -30,12 +30,17 @@ - ebtables - python-virtualenv - iptables-persistent - - batctl - iftop - screen - bridge-utils - tcpdump - bind9 + - radvd + - curl + - htop + - psmisc + - dnsutils + - ntp modules_required: - batman-adv - nf_conntrack_netlink 
@@ -51,37 +56,13 @@ - tunneldigger.service bind_zone_fftdf: - named.conf.fftdf -# openvpn_files: -# - mullvad_linux.conf -# - mullvad.key -# - mullvad.crt -# - ca.crt -# - crl.pem -# openvpn_scripts: -# - up.sh -# - down.sh check_gw_script: - keepalive.sh - backbone_script: - - gre_backbone.sh - system_startup: - - "# Routing einschalten" - - /sbin/sysctl -w net.ipv6.conf.all.forwarding=1 - - /sbin/sysctl -w net.ipv4.ip_forward=1 -# - "# Routing Tabelle 42 fuer Freifunk anlegen, wenn noch nicht vorhanden" -# - #/bin/grep 42 /etc/iproute2/rt_tables || echo '42 42' >> /etc/iproute2/rt_tables" -# - "# Freifunk Daten sollen mit 0x1 markiert werden" -# - /sbin/iptables -t mangle -A PREROUTING -i bat0 -j MARK --set-xmark 0x1 -# - "# Erstmal unreachable melden, ausser OpenVPN ist aufgebaut" -# - "#/sbin/ip route add unreachable default table 42" -# - "# Alles was mit 0x1 markiert ist soll nach Routing Tabelle 42 behandelt werden" -# - "/sbin/ip rule add from all fwmark 0x1 table 42 priority 4" - - "#NAT auf eth0 aktivieren" - - /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE - - "#GRE Backbone aufbauen" - - /opt/freifunk/gre_backbone.sh authorized_keys: - authorized_keys + logrotate_config: + - logrotate.conf + tasks: - name: Remove cdrom in sources.list @@ -92,9 +73,6 @@ apt_repository: repo='deb http://http.debian.net/debian jessie-backports main' state=present - name: Update apt cache apt: update_cache=yes - - name: Install new kernel - apt: name=linux-image-4.2.0-0.bpo.1-amd64 state=present - register: kernel4 - name: Gathering facts setup: - name: Set IPv4 in hostfile 
@@ -104,20 +82,19 @@ when: ansible_default_ipv6.address is defined - name: set hostname hostname: name='{{ sn_hostname }}' - register: hostname - - name: Reboot the server - shell: sleep 2 && shutdown -r now "Ansible updates triggered" - async: 1 - poll: 0 - ignore_errors: true - when: hosts.changed - when: hostname.changed + register: sethostname - name: disable multi CPU Kernel (SMP) lineinfile: dest=/etc/default/grub regexp='^GRUB_CMDLINE_LINUX_DEFAULT=' line='GRUB_CMDLINE_LINUX_DEFAULT="quiet maxcpus=0 nosmp"' state=present register: grubnosmp - name: Update grub shell: update-grub2 when: grubnosmp.changed + - name: Reboot the server + shell: sleep 2 && shutdown -r now "Ansible updates triggered" + async: 1 + poll: 0 + ignore_errors: true + when: sethostname.changed - name: waiting for server to come back local_action: wait_for @@ -126,14 +103,14 @@ delay=15 timeout=300 when: hosts.changed - when: hostname.changed + when: sethostname.changed + - apt: update_cache=yes - name: Install common required packages apt: state=installed pkg={{ item }} with_items: common_required_packages - register: apt_updates - - name: Install Linux headers - shell: "apt-get install linux-headers-$(uname -r) -y" - when: apt_updates.changed + register: aptupdates + - name: Set clock + shell: /etc/init.d/ntp stop && /usr/sbin/ntpd -q -g && /etc/init.d/ntp start - name: Add modules lineinfile: dest=/etc/modules line={{ item }} with_items: modules_required 
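Review bot: The reboot task was moved after `update-grub2` but is still gated on `sethostname.changed`, so a host that picks up the new `maxcpus=0 nosmp` command line without a hostname change keeps running on the old kernel parameters until some unrelated reboot; the `waiting for server to come back` task has the same condition. `when: sethostname.changed or grubnosmp.changed` on both tasks matches the intent. The new `Set clock` shell task runs and reports changed on every play; `changed_when: false` keeps the run idempotent.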
@@ -142,10 +119,44 @@ modprobe: name={{ item }} with_items: modules_required when: modules_req.changed + - name: Install Linux headers + shell: > + apt-get install linux-headers-$(uname -r) -y + when: aptupdates.changed + - name: Get batman-adv + git: repo=https://git.open-mesh.org/batman-adv.git + dest=/tmp/batman-adv + when: aptupdates.changed + register: getbatman + - name: Get batman-adv no rebrotcast patch + get_url: url=http://map.freifunk-moehne.de/stuff/1001-batman-adv-introduce-no_rebroadcast-option.patch dest=/tmp/batman-adv/1001-batman-adv-introduce-no_rebroadcast-option.patch + when: getbatman.changed + - name: Install batman-adv + shell: cd /tmp/batman-adv && git checkout {{ batmanversion }} && make && make install +# shell: cd /tmp/batman-adv && git checkout {{ batmanversion }} && git apply 1001-batman-adv-introduce-no_rebroadcast-option.patch && make && make install + when: getbatman.changed + - name: Get batctl + git: repo=http://git.open-mesh.org/batctl.git + dest=/tmp/batctl + when: aptupdates.changed + register: getbatctl + - name: Install batctl + shell: cd /tmp/batctl && git checkout {{ batmanversion }} && make && make install + when: getbatctl.changed + - name: Get alfred + git: repo=http://git.open-mesh.org/alfred.git + dest=/tmp/alfred + when: aptupdates.changed + register: getalfred + - name: Install alfred + shell: cd /tmp/alfred && git checkout {{ batmanversion }} && make && make install + when: getalfred.changed - name: Get Tunneldigger - git: repo=https://github.com/wlanslovenija/tunneldigger.git +# git: repo=https://github.com/wlanslovenija/tunneldigger.git + git: repo=https://github.com/ffrl/tunneldigger.git dest=/srv/tunneldigger register: tunneldigger + when: aptupdates.changed - name: Configure tunneldigger command: "{{item}}" with_items: 
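Review bot: The kernel module, batctl and alfred are now built from source on every host, and two of the three sources are fetched over plain HTTP (`http://git.open-mesh.org/batctl.git`, `http://git.open-mesh.org/alfred.git`, while batman-adv uses https), as is the no_rebroadcast patch from `http://map.freifunk-moehne.de/...`; the checkout is by tag name only. A network-path attacker or a moved tag therefore yields arbitrary code running as root and, for batman-adv, inside the kernel. Use `https://` for all three URLs and pin to the tag's commit hash (the `git` module takes a hash in `version=`), or verify the upstream tag signature before `make install`. The patch is downloaded but its `git apply` line is commented out, so it is dead weight here; either apply it or drop the download, noting that bataddif.sh.j2 in this commit writes a sysfs attribute that only the patched module provides.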
@@ -174,26 +185,9 @@ - systemctl daemon-reload - systemctl enable tunneldigger.service when: tunneldigger.changed - - name: Check if alfred is installed - command: dpkg-query -W alfred - register: alfred_check_deb - failed_when: alfred_check_deb.rc > 1 - changed_when: alfred_check_deb.rc == 1 - - name: Download alfred - get_url: - url="https://firmware.freifunk-wuppertal.net/deb/alfred_2015.0_amd64.deb" - dest="/tmp/alfred_2015.0_amd64.deb" - when: alfred_check_deb.rc == 1 - - name: Install alfred - apt: deb="/tmp/alfred_2015.0_amd64.deb" - sudo: False - when: alfred_check_deb.rc == 1 -# - name: copy openvpn files -# copy: src=./files/{{ item }} dest=/etc/openvpn owner=root group=root mode=0400 -# with_items: openvpn_files -# - name: copy openvpn scripts -# copy: src=./files/{{ item }} dest=/etc/openvpn owner=root group=root mode=0500 -# with_items: openvpn_scripts + - name: Copy logrotate config + copy: src=./files/{{ item }} dest=/etc/ owner=root group=root mode=0500 + with_items: logrotate_config - name: Create freifunk directory file: path=/opt/freifunk state=directory mode=0755 - name: Check gateway / keepalive script 
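Review bot: `logrotate.conf` is installed with `mode=0500`, i.e. root-only read plus an execute bit on a plain configuration file; logrotate runs as root so it still works, but the mode protects nothing and the executable bit is misleading. Debian ships /etc/logrotate.conf as 0644, and `mode=0644` here matches that. The `with_items` over a one-element list could also simply name the file directly.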
@@ -205,21 +199,34 @@ when: check_gw.changed - name: Copy dhcpd template file template: src=./files/dhcpd.conf.j2 dest=/etc/dhcp/dhcpd.conf owner=root group=root mode=0444 + register: dhcpd + + - name: Clone static DHCP config + git: repo=https://github.com/Freifunk-Troisdorf/static-dhcp + dest=/opt/freifunk/static-dhcp + when: dhcpd.changed + - name: Add cron static DHCP + cron: name=StaticDHCP minute="*" job="/opt/freifunk/static-dhcp/dhcp-update.sh" + when: dhcpd.changed + + - name: Restart dhcpd + service: name=isc-dhcp-server state=restarted + when: dhcpd.changed + ignore_errors: yes + - name: Add cron backbone script + cron: name=backbone special_time=reboot job="/opt/freifunk/l2tp_backbone.sh" + - name: Add cron startup script + cron: name=startup special_time=reboot job="/opt/freifunk/sn_startup.sh" - name: Copy backbone script - copy: src=./files/{{ item }} dest=/opt/freifunk owner=root group=root mode=0500 - with_items: backbone_script + template: src=./files/l2tp_backbone.sh.j2 dest=/opt/freifunk/l2tp_backbone.sh owner=root group=root mode=0544 - name: Collectd template file template: src=./files/collectd.conf.j2 dest=/etc/collectd/collectd.conf owner=root group=root mode=0444 - - name: configure rc.local 1st - lineinfile: dest=/etc/rc.local line="{{ item }}" state=present - with_items: system_startup - register: rc - - name: configure rc.local 2nd - lineinfile: dest=/etc/rc.local line="exit 0" state=absent - when: rc.changed - - name: configure rc.local 3rd - lineinfile: dest=/etc/rc.local line="exit 0" state=present - when: rc.changed + register: collectd + - name: Restart collectd + service: name=collectd state=restarted + when: collectd.changed + - name: configure startup script + template: src=./files/sn_startup.sh.j2 dest=/opt/freifunk/sn_startup.sh owner=root group=root mode=0500 - name: SSH authorized_keys copy: src=./files/{{ item }} dest=/root/.ssh owner=root group=root mode=0400 with_items: authorized_keys 
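Review bot: The `StaticDHCP` cron entry runs `/opt/freifunk/static-dhcp/dhcp-update.sh` as root every minute, and that script comes straight from a freshly cloned public GitHub repository; anyone who can push to that repository gets root on every supernode within a minute, and the clone itself is unpinned. Pin the checkout to a reviewed commit (`version=` on the `git` task) and let the cron job update only that ref, or vendor the script into this role and fetch just the data file. Both the clone and the cron task are also gated on `dhcpd.changed`, so a host whose dhcpd.conf did not change on this run never gets either — drop the `when:` on those two tasks. `mode=0544` on the backbone script is fine; it is root-run and contains no secret.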
@@ -230,12 +237,20 @@ lineinfile: dest=/etc/bind/named.conf line='include "/etc/bind/named.conf.fftdf";' state=present - name: Copy option template template: src=./files/named.conf.options.j2 dest=/etc/bind/named.conf.options owner=root group=bind mode=644 + - name: Copy radvd config template + template: src=./files/radvd.conf.j2 dest=/etc/radvd.conf owner=radvd group=root mode=0444 + - name: Alfed message + template: src=./files/alfred.sh.j2 dest=/opt/freifunk/alfred.sh owner=root group=root mode=0544 + - name: Add cron job with alfred info script + cron: name=alfred_info job="/opt/freifunk/alfred.sh > /dev/null 2>&1" user="root" - name: Reboot the server finally shell: sleep 2 && shutdown -r now "Ansible updates triggered" async: 1 poll: 0 ignore_errors: true when: tunneldigger.changed + - name: Wirte version information + shell: touch /etc/sn_version && echo {{ snversion }} > /etc/sn_version - name: waiting for server to come back local_action: wait_for @@ -244,7 +259,11 @@ delay=15 timeout=300 when: tunneldigger.changed - - name: Alfed message - template: src=./files/alfred.sh.j2 dest=/opt/freifunk/alfred.sh owner=root group=root mode=0544 - - name: Add cron job with alfred info script - cron: name=alfred_info job="/opt/freifunk/alfred.sh > /dev/null 2>&1" user="root" + - name: Send notification message via Slack + local_action: + module: slack + token: "{{ slack_token }}" + msg: "{{ inventory_hostname }} completed with {{ snversion }}" + channel: "#technik" + username: "Ansible on {{ inventory_hostname }}" + parse: 'none'
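Review bot: `/etc/radvd.conf` is installed with `owner=radvd`; radvd drops privileges to that user, so a compromised daemon could rewrite its own configuration, including the RDNSS and prefix it advertises to every client. Keep the file root-owned and world-readable, `owner=root group=root mode=0444`, as the other templates in this play do. The `alfred_info` cron entry has no schedule fields and therefore runs every minute; if that is intended, say so in a comment. The task name `Wirte version information` is misspelled, and `touch` followed by `echo >` is redundant — the `copy` module with `content=` is idempotent and reports changes correctly.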