Bugfixing and tidying up some things

This commit is contained in:
Stefan Hoffmann 2023-04-16 17:35:22 +02:00
parent 6eaacaf2a8
commit 68d49c65b0
Signed by: stefan
GPG Key ID: 8EFC7042BF8D5CDD
8 changed files with 75 additions and 39 deletions


@ -32,12 +32,12 @@
key: "{{ lookup('file', 'files/'+ item + '.key.pub') }}" key: "{{ lookup('file', 'files/'+ item + '.key.pub') }}"
with_items: "{{ users }}" with_items: "{{ users }}"
- name: Allow 'wheel' group to have passwordless sudo - name: Allow 'sudo' group to have passwordless sudo
lineinfile: lineinfile:
path: /etc/sudoers path: /etc/sudoers
state: present state: present
regexp: '^%wheel' regexp: '^%sudo'
line: '%wheel ALL=(ALL) NOPASSWD: ALL' line: '%sudo ALL=(ALL) NOPASSWD: ALL'
validate: '/usr/sbin/visudo -cf %s' validate: '/usr/sbin/visudo -cf %s'
# Install basic packages for Ubuntu minimal Systems # Install basic packages for Ubuntu minimal Systems
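Review bot: The `regexp: '^%sudo'` on the lineinfile task matches whatever `%sudo` line the host already has, so on Ubuntu-family systems the stock `%sudo ALL=(ALL:ALL) ALL` entry is presumably overwritten by `%sudo ALL=(ALL) NOPASSWD: ALL`, which turns every member of the sudo group into root without a password prompt. If that is intended, say so on the task, e.g. `# Replaces the distro default %sudo entry: every sudo-group member gets passwordless root`; otherwise scope the NOPASSWD grant to a dedicated group or to the accounts in `{{ users }}` rather than the distro admin group. Keeping `validate: '/usr/sbin/visudo -cf %s'` is the right call either way. The task list this hunk belongs to starts before the hunk.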


@ -5,32 +5,24 @@
table: nat table: nat
source: "{{ internal_network }}" source: "{{ internal_network }}"
jump: MASQUERADE jump: MASQUERADE
register: iptables
- ansible.posix.sysctl: - name: Enable kernel panic reboots
ansible.posix.sysctl:
name: kernel.panic name: kernel.panic
value: '1' value: '1'
sysctl_file: /etc/sysctl.conf
- ansible.posix.sysctl: - name: Enable IPv4 forwarding
ansible.posix.sysctl:
name: net.ipv4.ip_forward name: net.ipv4.ip_forward
value: '1' value: '1'
sysctl_set: true sysctl_set: true
state: present
reload: true
- ansible.posix.sysctl: - name: Enable IPv6 forwarding
ansible.posix.sysctl:
name: net.ipv6.conf.all.forwarding name: net.ipv6.conf.all.forwarding
value: '1' value: '1'
sysctl_set: true sysctl_set: true
state: present
reload: true
- ansible.posix.sysctl:
name: net.ipv6.conf.ens19.proxy_ndp
value: '1'
sysctl_set: true
state: present
reload: true
- name: Create Routing Table 42 - name: Create Routing Table 42
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
@ -63,12 +55,22 @@
owner: root owner: root
group: root group: root
mode: 755 mode: 755
register: netplan_config
- name: saveip6tables - name: saveip6tables
ansible.builtin.shell: ip6tables-save > /etc/iptables/rules.v6 ansible.builtin.shell: ip6tables-save > /etc/iptables/rules.v6
when: iptables.changed
- name: saveip4tables - name: saveip4tables
ansible.builtin.shell: iptables-save > /etc/iptables/rules.v4 ansible.builtin.shell: iptables-save > /etc/iptables/rules.v4
when: iptables.changed
- name: Apply Netplan - name: Apply Netplan
ansible.builtin.shell: netplan apply ansible.builtin.shell: netplan apply
when: netplan_config.changed
- name: Enable Proxy_NDP on interface ens19
ansible.posix.sysctl:
name: net.ipv6.conf.ens19.proxy_ndp
value: '1'
sysctl_set: true
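Review bot: `mode: 755` (unquoted) on the task registered as `netplan_config` in the second hunk, and the same `mode: 755` added for the PostUp script copy in the wireguard tasks file later in this commit, are YAML integers that Ansible reads as decimal 755, i.e. octal 1363: sticky bit plus `-wx` for owner, `rw-` for group and `-wx` for others, so both files end up world-writable. For `/etc/wireguard/postup.sh`, which wg-quick runs as root from `PostUp`, that lets any local account change what root executes; for the netplan file it is at least an integrity problem. Write the mode as a quoted octal string, as the openitcockpit task in this commit already does with `mode: '0775'`: `mode: '0755'` on both lines. The sysctl tasks in the first hunk look fine; `state: present` and `reload: true` are the ansible.posix.sysctl defaults.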


@ -0,0 +1,28 @@
---
- name: Install required system packages
apt:
name:
- apt-transport-https
- ca-certificates
- curl
- software-properties-common
state: latest
update_cache: true
- name: Add Docker GPG apt Key
apt_key:
url: https://download.docker.com/linux/ubuntu/gpg
state: present
- name: Add Docker Repository
apt_repository:
repo: deb https://download.docker.com/linux/ubuntu jammy stable
state: present
- name: Update apt and install docker-ce
apt:
name:
- docker-ce
- docker-compose
state: latest
update_cache: true
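Review bot: `apt_key` with `url:` places the Docker signing key in the system-wide trusted keyring, where it can sign any repository, and `apt-key` is deprecated on current Debian/Ubuntu; the `repo:` line also hard-codes `jammy`, so the play installs the jammy build on any other release without complaint. Prefer downloading the key into `/etc/apt/keyrings/` and binding it to this one repository with `signed-by=`, and take the suite from the `ansible_distribution_release` fact. `state: latest` on both apt tasks additionally upgrades the packages on every run, which makes the play non-idempotent; `state: present` is the usual choice unless upgrades are wanted here. On older releases `/etc/apt/keyrings` may need a preceding `file` task with `state: directory`.
```yaml
- name: Add Docker GPG apt key to a dedicated keyring
  ansible.builtin.get_url:
    url: https://download.docker.com/linux/ubuntu/gpg
    dest: /etc/apt/keyrings/docker.asc
    mode: '0644'
- name: Add Docker Repository
  ansible.builtin.apt_repository:
    repo: "deb [signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
    state: present
# … unchanged: package install tasks …
```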


@ -20,8 +20,10 @@
owner: root owner: root
group: root group: root
mode: '0775' mode: '0775'
register: openitcockpit_config
- name: Restart service httpd, in all cases - name: Restart service httpd, in all cases
ansible.builtin.service: ansible.builtin.service:
name: openitcockpit-agent name: openitcockpit-agent
state: restarted state: restarted
when: openitcockpit_config.changed
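Review bot: The task name `Restart service httpd, in all cases` no longer describes the task: the added `when: openitcockpit_config.changed` makes the restart conditional, and the service is `openitcockpit-agent`, not httpd. Rename it, e.g. `- name: Restart openitcockpit-agent when its config changed`. The register/when pair would also read more idiomatically as a handler notified by the preceding file task. That preceding task starts outside the hunk.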


@ -0,0 +1,9 @@
#!/bin/sh
ip rule add fwmark 0x4 table 42
iptables -t mangle -A PREROUTING -s 10.255.0.0/16 ! -d 10.0.0.0/8 -j MARK --set-mark 4
routeExists=$(ip route show table 42 | grep '172.16.7.1')
if [ -z "$routeExists" ]; then
ip route add default via 172.16.7.1 table 42
fi
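Review bot: `ip rule add fwmark 0x4 table 42` and the `iptables -t mangle -A PREROUTING ...` line are not guarded the way the table-42 route is, so each time wg-quick runs `PostUp` (every restart of `wg-quick@vpn01`, which the reconfigure handler in this commit triggers) a duplicate policy rule and a duplicate mangle rule are appended, while the template's `PostDown` removes only the route. Guard both with an existence check so the script is safe to re-run: `iptables -C` tests for a rule, and `ip rule show` lists the policy rules. Leave `set -e` out of this script as written: the `grep` inside the `routeExists` substitution returns non-zero when the route is absent and would abort the script before the route is added.
```sh
#!/bin/sh
ip rule show | grep -q 'fwmark 0x4 lookup 42' \
  || ip rule add fwmark 0x4 table 42
iptables -t mangle -C PREROUTING -s 10.255.0.0/16 ! -d 10.0.0.0/8 -j MARK --set-mark 4 \
  || iptables -t mangle -A PREROUTING -s 10.255.0.0/16 ! -d 10.0.0.0/8 -j MARK --set-mark 4
# … unchanged: default route check for table 42 …
```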


@ -1,20 +1,5 @@
--- ---
- name: restart wireguard - name: reconfigure wireguard
ansible.builtin.service: ansible.builtin.service:
name: "wg-quick@vpn01" name: "wg-quick@vpn01"
state: "{{ item }}" state: restarted
loop:
- stopped
- started
listen: "reconfigure wireguard"
- name: syncconf wireguard
ansible.builtin.shell: |
set -o errexit
set -o pipefail
set -o nounset
systemctl is-active wg-quick@vpn01 || systemctl start wg-quick@vpn01
wg syncconf vpn01 <(wg-quick strip /etc/wireguard/vpn01.conf)
exit 0
args:
executable: "/bin/bash"
listen: "reconfigure wireguard"
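Review bot: The handler named `reconfigure wireguard` now performs a full `state: restarted` of `wg-quick@vpn01`, which tears down the interface and every peer session for a moment, while the name suggests a lighter operation. A comment above the task should make that visible to anyone adding a `notify` for it, e.g. `# Full restart of the tunnel: existing peer sessions drop briefly`.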


@ -84,8 +84,18 @@
notify: notify:
- reconfigure wireguard - reconfigure wireguard
- name: Copy PostUp Script
ansible.builtin.copy:
src: postup.sh
dest: /etc/wireguard/postup.sh
mode: 755
tags:
- wg-config
notify:
- reconfigure wireguard
- name: Start and enable WireGuard service - name: Start and enable WireGuard service
ansible.builtin.service: ansible.builtin.service:
name: "wg-quick@vpn01" name: "wg-quick@vpn01"
state: "started" state: started
enabled: "yes" enabled: yes


@ -9,7 +9,7 @@ PrivateKey = {{ wireguard_private_key }}
ListenPort = {{ wireguard_port }} ListenPort = {{ wireguard_port }}
MTU = 1380 MTU = 1380
PostUp = ip rule add fwmark 0x4 table 42 && iptables -t mangle -A PREROUTING -s 10.255.0.0/16 ! -d 10.0.0.0/8 -j MARK --set-mark 4 && ip route add default via 172.16.7.1 table 42 PostUp = /etc/wireguard/postup.sh
PostDown = ip route del default via 172.16.7.1 table 42 PostDown = ip route del default via 172.16.7.1 table 42
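Review bot: `PostDown = ip route del default via 172.16.7.1 table 42` undoes only one of the three things `/etc/wireguard/postup.sh` now sets up; the `fwmark 0x4` policy rule and the mangle `MARK` rule survive the interface going down and keep marking traffic while the tunnel is absent. Make PostDown the mirror of PostUp, either as a `/etc/wireguard/postdown.sh` copied by the same role or by extending the line: `PostDown = ip route del default via 172.16.7.1 table 42; ip rule del fwmark 0x4 table 42; iptables -t mangle -D PREROUTING -s 10.255.0.0/16 ! -d 10.0.0.0/8 -j MARK --set-mark 4`. The template continues outside the hunk.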