Minor fixes

Split traffic ICMP & TCP/UDP <1024 with local exit
TCP/UDP >= 1024 exit @ Freifunk backbone
Start script now in cron @reboot
This commit is contained in:
Roman Katrincak 2015-12-03 22:01:23 +01:00
parent f01abf0271
commit 6e9eea7f62
6 changed files with 75 additions and 46 deletions


@ -23,5 +23,6 @@ INTERFACE="$3"
#ip link set address {{ sn_mesh_MAC }} dev $INTERFACE #ip link set address {{ sn_mesh_MAC }} dev $INTERFACE
ifconfig $INTERFACE hw ether {{ sn_mesh_MAC }} ifconfig $INTERFACE hw ether {{ sn_mesh_MAC }}
ip link set dev $INTERFACE up mtu 1312 ip link set dev $INTERFACE up mtu 1312
/sbin/sysctl net.ipv4.conf.$INTERFACE.rp_filter=0
/usr/sbin/batctl if add $INTERFACE /usr/sbin/batctl if add $INTERFACE
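Review bot: The added `rp_filter=0` for the mesh interface is only effective if `net.ipv4.conf.all.rp_filter` is not 1, because the kernel applies the stricter of the `all` and per-interface values; Debian's stock sysctl configuration sets `all` to 1 as far as I recall, in which case this line changes nothing and the mesh interface keeps dropping packets whose source does not route back through it. If the intent is to switch it off for the mesh only, set `/sbin/sysctl net.ipv4.conf.all.rp_filter=0` and explicitly keep `/sbin/sysctl net.ipv4.conf.eth0.rp_filter=1` so the uplink still validates sources. A one-line comment stating why validation is disabled here would help, e.g. `# batman-adv paths are asymmetric: disable reverse-path source validation on this interface`. The enclosing script starts and ends outside the hunk, so whether a later line re-enables it is not visible here.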


@ -35,7 +35,7 @@ LoadPlugin entropy
LoadPlugin irq LoadPlugin irq
LoadPlugin load LoadPlugin load
LoadPlugin memory LoadPlugin memory
LoadPlugin openvpn #LoadPlugin openvpn
LoadPlugin processes LoadPlugin processes
LoadPlugin swap LoadPlugin swap
LoadPlugin rrdtool LoadPlugin rrdtool


@ -13,7 +13,7 @@ communitynetworkv6="fda0:747e:ab29:7405:255::"
# Third octet from the server range # Third octet from the server range
octet3rd="255" octet3rd="255"
# CIDR muss /16 sein # CIDR muss /16 sein
localserver=$(hostname) localserver=$(/bin/hostname)
for i in $server; do for i in $server; do
@ -21,12 +21,12 @@ for i in $server; do
for j in $server; do for j in $server; do
if [ $i != $j ]; then if [ $i != $j ]; then
if [ $i = $(hostname) ]; then if [ $i = $(/bin/hostname) ]; then
ip link add $j type gretap local $(hostname -I | cut -f1 -d' ') remote $(dig +short $j.$domain) dev eth0 nopmtudisc /sbin/ip link add $j type gretap local $(/bin/hostname -I | /usr/bin/cut -f1 -d' ') remote $(/usr/bin/dig +short $j.$domain) dev eth0 nopmtudisc
ip link set dev $j mtu $mtu /sbin/ip link set dev $j mtu $mtu
ip link set address $communitymacaddress:${i#$communityname}${j#$communityname} dev $j /sbin/ip link set address $communitymacaddress:${i#$communityname}${j#$communityname} dev $j
ip link set $j up /sbin/ip link set $j up
batctl if add $j /usr/sbin/batctl if add $j
fi fi
fi fi
@ -36,10 +36,10 @@ for i in $server; do
done done
# configure bat0 # configure bat0
ip link set address $communitymacaddress$:0${localserver#$communityname} dev bat0 /sbin/ip link set address $communitymacaddress$:0${localserver#$communityname} dev bat0
ip link set up dev bat0 /sbin/ip link set up dev bat0
ip addr add $communitynetwork.$octet3rd.${localserver#$communityname}/16 broadcast $communitynetwork.255.255 dev bat0 /sbin/ip addr add $communitynetwork.$octet3rd.${localserver#$communityname}/16 broadcast $communitynetwork.255.255 dev bat0
ip -6 addr add fda0:747e:ab29:7405:255::${localserver#$communityname}/64 dev bat0 /sbin/ip -6 addr add fda0:747e:ab29:7405:255::${localserver#$communityname}/64 dev bat0
alfred -i bat0 > /dev/null 2>&1 & /usr/sbin/alfred -i bat0 > /dev/null 2>&1 &
batadv-vis -i bat0 -s > /dev/null 2>&1 & /usr/sbin/batadv-vis -i bat0 -s > /dev/null 2>&1 &
service bind9 restart /usr/sbin/service bind9 restart
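Review bot: The `remote $(/usr/bin/dig +short $j.$domain)` on the `ip link add` line is still unquoted and unchecked in the new version: if the lookup fails the command runs with an empty `remote`, and since the script has no `set -e` it then goes on to set the MTU, address and batman membership of a tunnel that was never created; if `dig +short` returns more than one line (a CNAME chain or several A records) the extra tokens become stray arguments. Capture and validate the result before use, e.g. `remote=$(/usr/bin/dig +short "$j.$domain" A | /bin/grep -m1 -E '^[0-9.]+$')` followed by `[ -n "$remote" ] || { echo "no A record for $j.$domain" >&2; continue; }`, and pass `remote "$remote"`. Separately, `$communitymacaddress$:0${localserver#$communityname}` on the bat0 address line appears to contain a stray `$` before `:0`, which a POSIX shell keeps literally and would make the MAC invalid unless `communitymacaddress` was deliberately chosen to absorb it — worth confirming on a host. The loop this hunk belongs to starts before the first hunk shown.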


@ -9,7 +9,7 @@ interface=eth0
; session with the broker ; session with the broker
max_cookies=1024 max_cookies=1024
; Maximum number of tunnels that will be allowed by the broker ; Maximum number of tunnels that will be allowed by the broker
max_tunnels=100 max_tunnels=50
; Tunnel port base ; Tunnel port base
port_base=15000 port_base=15000
; Tunnel id base ; Tunnel id base

files/sn_startup.sh.j2 Normal file

@ -0,0 +1,41 @@
#!/bin/sh
# Stop tunneldigger until bat0 is up
/usr/sbin/service tunneldigger stop
# Set unreachable for table 200
/bin/ip route add unreachable 0.0.0.0/0 table iffy
while ! ping -c 1 -W 1 {{ sn_iffy_traffic }}; do
echo "Waiting for {{ sn_iffy_traffic }} - network interface might be down..."
sleep 5
done
# Activate IP forwarding
/sbin/sysctl -w net.ipv6.conf.all.forwarding=1
/sbin/sysctl -w net.ipv4.ip_forward=1
# Routing table 200 for traffic above port 1023
/bin/grep 200 /etc/iproute2/rt_tables || /bin/echo 200 iffy >> /etc/iproute2/rt_tables
# Set table for traffice with mark 4
/bin/ip rule add fwmark 0x4 table iffy
# Set mark 4 to traffic above port 1023
/sbin/iptables -t mangle -A PREROUTING -p tcp --dport 1024:65535 -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MARK --set-mark 4
/sbin/iptables -t mangle -A PREROUTING -p udp --dport 1024:65535 -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MARK --set-mark 4
# NAT on eth0
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Allow MAC address spoofing
/sbin/sysctl net.ipv4.conf.bat0.rp_filter=0
# Set gateway for table 200
/bin/ip route replace default via {{ sn_iffy_traffic }} table iffy
# Start tunneldigger
/usr/sbin/service tunneldigger start
exit 0
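Review bot: `/bin/ip route add unreachable 0.0.0.0/0 table iffy` runs before the `iffy` name is written to `/etc/iproute2/rt_tables` further down, so on the first boot after this playbook is applied `ip` rejects `table iffy` as an invalid table id and the safety-net unreachable route is never installed; with no `set -e` the script carries on, and traffic marked 0x4 falls through to the main table and leaves via eth0 until the `ip route replace default` line runs (later reboots work only because rt_tables persists). Move the registration ahead of the route, and make it exact so `200` does not match an unrelated entry such as `1200`: `/bin/grep -qE '^200[[:space:]]+iffy' /etc/iproute2/rt_tables || /bin/echo "200 iffy" >> /etc/iproute2/rt_tables` placed before the `ip route add unreachable` line. The comment `# Allow MAC address spoofing` above the bat0 sysctl is misleading — `rp_filter` validates IP source addresses, not MACs — so I would write `# Disable reverse-path (source IP) validation on bat0; mesh paths are asymmetric`, noting that this also stops the host from rejecting spoofed 10/8 sources from the mesh. Also worth a comment that the `ip rule add` and `iptables -A` lines are not idempotent: running the script by hand after boot duplicates the rule and mangle/NAT entries.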


@ -63,22 +63,6 @@
- keepalive.sh - keepalive.sh
backbone_script: backbone_script:
- gre_backbone.sh - gre_backbone.sh
system_startup:
- "# Routing einschalten"
- /sbin/sysctl -w net.ipv6.conf.all.forwarding=1
- /sbin/sysctl -w net.ipv4.ip_forward=1
# - "# Routing Tabelle 42 fuer Freifunk anlegen, wenn noch nicht vorhanden"
# - #/bin/grep 42 /etc/iproute2/rt_tables || echo '42 42' >> /etc/iproute2/rt_tables"
# - "# Freifunk Daten sollen mit 0x1 markiert werden"
# - /sbin/iptables -t mangle -A PREROUTING -i bat0 -j MARK --set-xmark 0x1
# - "# Erstmal unreachable melden, ausser OpenVPN ist aufgebaut"
# - "#/sbin/ip route add unreachable default table 42"
# - "# Alles was mit 0x1 markiert ist soll nach Routing Tabelle 42 behandelt werden"
# - "/sbin/ip rule add from all fwmark 0x1 table 42 priority 4"
- "#NAT auf eth0 aktivieren"
- /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
- "#GRE Backbone aufbauen"
- /opt/freifunk/gre_backbone.sh
authorized_keys: authorized_keys:
- authorized_keys - authorized_keys
@ -103,14 +87,13 @@
when: ansible_default_ipv6.address is defined when: ansible_default_ipv6.address is defined
- name: set hostname - name: set hostname
hostname: name='{{ sn_hostname }}' hostname: name='{{ sn_hostname }}'
register: hostname register: sethostname
- name: Reboot the server - name: Reboot the server
shell: sleep 2 && shutdown -r now "Ansible updates triggered" shell: sleep 2 && shutdown -r now "Ansible updates triggered"
async: 1 async: 1
poll: 0 poll: 0
ignore_errors: true ignore_errors: true
when: hosts.changed when: sethostname.changed
when: hostname.changed
- name: disable multi CPU Kernel (SMP) - name: disable multi CPU Kernel (SMP)
lineinfile: dest=/etc/default/grub regexp='^GRUB_CMDLINE_LINUX_DEFAULT=' line='GRUB_CMDLINE_LINUX_DEFAULT="quiet maxcpus=0 nosmp"' state=present lineinfile: dest=/etc/default/grub regexp='^GRUB_CMDLINE_LINUX_DEFAULT=' line='GRUB_CMDLINE_LINUX_DEFAULT="quiet maxcpus=0 nosmp"' state=present
register: grubnosmp register: grubnosmp
@ -125,7 +108,7 @@
delay=15 delay=15
timeout=300 timeout=300
when: hosts.changed when: hosts.changed
when: hostname.changed when: sethostname.changed
- name: Install common required packages - name: Install common required packages
apt: state=installed pkg={{ item }} apt: state=installed pkg={{ item }}
with_items: common_required_packages with_items: common_required_packages
@ -205,6 +188,10 @@
when: check_gw.changed when: check_gw.changed
- name: Copy dhcpd template file - name: Copy dhcpd template file
template: src=./files/dhcpd.conf.j2 dest=/etc/dhcp/dhcpd.conf owner=root group=root mode=0444 template: src=./files/dhcpd.conf.j2 dest=/etc/dhcp/dhcpd.conf owner=root group=root mode=0444
- name: Add cron backbone script
cron: name=backbone special_time=reboot job="/opt/freifunk/gre_backbone.sh"
- name: Add cron startup script
cron: name=startup special_time=reboot job="/opt/freifunk/sn_startup.sh"
- name: Copy backbone script - name: Copy backbone script
copy: src=./files/{{ item }} dest=/opt/freifunk owner=root group=root mode=0500 copy: src=./files/{{ item }} dest=/opt/freifunk owner=root group=root mode=0500
with_items: backbone_script with_items: backbone_script
@ -214,16 +201,8 @@
- name: Restart collectd - name: Restart collectd
service: name=collectd state=restarted service: name=collectd state=restarted
when: collectd.changed when: collectd.changed
- name: configure rc.local 1st - name: configure startup script
lineinfile: dest=/etc/rc.local line="{{ item }}" state=present template: src=./files/sn_startup.sh.j2 dest=/opt/freifunk/sn_startup.sh owner=root group=root mode=0500
with_items: system_startup
register: rc
- name: configure rc.local 2nd
lineinfile: dest=/etc/rc.local line="exit 0" state=absent
when: rc.changed
- name: configure rc.local 3rd
lineinfile: dest=/etc/rc.local line="exit 0" state=present
when: rc.changed
- name: SSH authorized_keys - name: SSH authorized_keys
copy: src=./files/{{ item }} dest=/root/.ssh owner=root group=root mode=0400 copy: src=./files/{{ item }} dest=/root/.ssh owner=root group=root mode=0400
with_items: authorized_keys with_items: authorized_keys
@ -252,3 +231,11 @@
template: src=./files/alfred.sh.j2 dest=/opt/freifunk/alfred.sh owner=root group=root mode=0544 template: src=./files/alfred.sh.j2 dest=/opt/freifunk/alfred.sh owner=root group=root mode=0544
- name: Add cron job with alfred info script - name: Add cron job with alfred info script
cron: name=alfred_info job="/opt/freifunk/alfred.sh > /dev/null 2>&1" user="root" cron: name=alfred_info job="/opt/freifunk/alfred.sh > /dev/null 2>&1" user="root"
- name: Send notification message via Slack
local_action:
module: slack
token:
msg: "{{ inventory_hostname }} completed"
channel: "#technik"
username: "Ansible on {{ inventory_hostname }}"
parse: 'none'
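Review bot: In the hunk around the `delay=15` / `timeout=300` task, the new side still carries two `when:` keys on the same task, `when: hosts.changed` and `when: sethostname.changed`; YAML parsers used by Ansible keep the last mapping value, so the `hosts.changed` condition is silently dropped, and newer Ansible/yamllint reject duplicate keys outright. If the post-reboot wait is meant to run whenever the reboot task fires, collapse them into one line, `when: sethostname.changed`, matching the reboot task above; if both triggers are intended, use `when: hosts.changed or sethostname.changed` on both tasks so the reboot and the wait stay consistent. I cannot see where `hosts` is registered in this chunk, so confirm that variable still exists after the `register: sethostname` rename.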