From b8eb3d349c06a34ed3cec36dd4bb113d8c68463d Mon Sep 17 00:00:00 2001
From: Stefan
Date: Thu, 5 May 2022 20:03:54 +0200
Subject: [PATCH] New Ansible for VPN Offloader
---
hosts.yml | 33 +++++++++++
roles/00-create-sudo-user/tasks/main.yml | 33 +++++++++++
roles/00-system-set-hostname/tasks/main.yml | 17 ++++++
roles/00-system-set-network/tasks/main.yml | 26 +++++++++
.../tasks/templates/01-ffrl-gre.yaml.j2 | 55 +++++++++++++++++++
.../tasks/templates/50-ifdown-hooks.sh.j2 | 6 ++
.../tasks/templates/50-ifup-hooks.sh.j2 | 8 +++
.../01-system-install-packages/tasks/main.yml | 15 +++++
roles/11-create-cronjob/tasks/main.yml | 16 ++++++
.../templates/sn_startup.sh.j2 | 26 +++++++++
roles/20-install-openvpn/tasks/main.yml | 4 ++
system-setup.yml | 14 +++++
12 files changed, 253 insertions(+)
create mode 100644 hosts.yml
create mode 100644 roles/00-create-sudo-user/tasks/main.yml
create mode 100644 roles/00-system-set-hostname/tasks/main.yml
create mode 100644 roles/00-system-set-network/tasks/main.yml
create mode 100644 roles/00-system-set-network/tasks/templates/01-ffrl-gre.yaml.j2
create mode 100644 roles/00-system-set-network/tasks/templates/50-ifdown-hooks.sh.j2
create mode 100644 roles/00-system-set-network/tasks/templates/50-ifup-hooks.sh.j2
create mode 100644 roles/01-system-install-packages/tasks/main.yml
create mode 100644 roles/11-create-cronjob/tasks/main.yml
create mode 100644 roles/11-create-cronjob/templates/sn_startup.sh.j2
create mode 100644 roles/20-install-openvpn/tasks/main.yml
create mode 100644 system-setup.yml
diff --git a/hosts.yml b/hosts.yml
new file mode 100644
index 0000000..a4d21ba
--- /dev/null
+++ b/hosts.yml
@@ -0,0 +1,33 @@
+######################
+#
+# Ansible Hosts for FFTDF Supernodes. atm only the new offloader
+#
+######################
+all:
+ children:
+ supernodes:
+ children:
+ vpn-offloader:
+ hosts:
+ # tdf7
+ troisdorf7:
+ #TDF (alt)
+ #ansible_host: 93.241.53.100
+ ansible_host: 5.9.220.113
+ ansible_user: root
+ ansible_python_interpreter: /usr/bin/python3
+ ffrl_ipv4: 185.66.193.107
+ ffrl_ipv6: 2a03:2260:121:7000::107
+ ffrl_ipv6_net: "2a03:2260:121:7000::"
+ gre_bb_a_ak_ber_ipv4: 100.64.6.25
+ gre_bb_b_ak_ber_ipv4: 100.64.6.31
+ gre_bb_a_ix_dus_ipv4: 100.64.6.29
+ gre_bb_b_ix_dus_ipv4: 100.64.6.35
+ gre_bb_a_fra3_f_ipv4: 100.64.6.27
+ gre_bb_b_fra3_f_ipv4: 100.64.6.33
+ gre_bb_a_ak_ber_ipv6: 2a03:2260:0:30c::2
+ gre_bb_b_ak_ber_ipv6: 2a03:2260:0:30f::2
+ gre_bb_a_ix_dus_ipv6: 2a03:2260:0:30e::2
+ gre_bb_b_ix_dus_ipv6: 2a03:2260:0:311::2
+ gre_bb_a_fra3_f_ipv6: 2a03:2260:0:30d::2
+ gre_bb_b_fra3_f_ipv6: 2a03:2260:0:310::2
diff --git a/roles/00-create-sudo-user/tasks/main.yml b/roles/00-create-sudo-user/tasks/main.yml
new file mode 100644
index 0000000..558cb1e
--- /dev/null
+++ b/roles/00-create-sudo-user/tasks/main.yml
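Review bot: `ansible_user: root` keeps every play running over root SSH, while the 00-create-sudo-user role in this same commit provisions `freifunk` with passwordless sudo precisely so that a root login is not needed; after the first run the inventory should switch to `ansible_user: freifunk` with `become: true` at play level, and root SSH login can then be disabled on the host. The group name `vpn-offloader` contains a hyphen, which Ansible flags as an invalid group-name character (it warns, and depending on `TRANSFORM_INVALID_GROUP_CHARS` may rewrite it), so `vpn_offloader` is the safer spelling — the `hosts:` line in system-setup.yml would need the same change. The commented-out `#ansible_host: 93.241.53.100` is history the git log already keeps; drop it or explain why it is retained.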
@@ -0,0 +1,33 @@
+- name: Make sure we have a 'wheel' group
+ group:
+ name: wheel
+ state: present
+
+- name: Allow 'wheel' group to have passwordless sudo
+ lineinfile:
+ path: /etc/sudoers
+ state: present
+ regexp: '^%wheel'
+ line: '%wheel ALL=(ALL) NOPASSWD: ALL'
+ validate: '/usr/sbin/visudo -cf %s'
+
+- name: Create a new regular user with sudo privileges
+ user:
+ name: freifunk
+ state: present
+ groups: wheel
+ append: true
+ create_home: true
+ shell: /bin/bash
+
+- name: Set authorized key for Stefan
+ authorized_key:
+ user: freifunk
+ state: present
+ key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDM0d9uUUdkK80fYEAz+IwxbhQO2qsr87Q4uxxwqQCvjVWryL+IuKMBJJGroWDMz2d9UJcIXEYdMz4436U0DoPJuoXe5iDsVvum3Vz3276My+tqx1bZWCktPa8Isft7mO/wfELNjRNQduUiwh2y712s7/3GQI+5Rs/65HuLHTnpLKrlfptqmsmYw+IUFDzGwBLJ6sqP90ywjKkperPCAH3IWcTsQwnW3EJFPToMg6BrQslZlxx/z+co3e6jCWzUuuIRP9jp4SmNVfYaVGb1cOFdL1p1P0qWHBHdGUnXHZ+c773VKVSj+spUBxKGqNC1EhRCYTsPDLVrYrhKl2BRLcgB stefan@Stefan-Linux"
+
+- name: Set authorized key for Roman
+ authorized_key:
+ user: freifunk
+ state: present
+ key: "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAos0JvQsyAsP3FcsqDCBTDqzUGBeoxMKDj/SSRoy5MBDPUaWm37b93Lqmg1wMj0qvUURBKpWsRiRUzzRAaQrIdhcZjo0Gkw4vv7tpFQCmvWqxUpzH00GDKjLrMvNfcv+5b0Ctl06Bo+e4nb2SVsFhjaP9MLIjHiKpgivIPx9aKwxKx/VjsW920eWOG+VaDKIJTxPGUYedaUgIktvhutAbOyRR/OJlIZ3Qs0cnyT4KTM4pe4br2p3+mNs6J7G+z8Lw99WiUBfUwsRLVO68nJA2PKlJNEUGJycngqV06iQpcDfei88DFRMetN9bhVYxWFIzCQfjjqs8dkomEhfFQwfOTYiOouhaycZABwU4pPmQwZIkp1q4KduodU/KYsf78WitYgavHVInWBQuAUljafwQpTLHy8AI6M3XmbKi5rvNZiy4hoxfaT7rYJGuBoTwsZEHI7Sf26XsyQKJdu29mmIYPpzPKP7VAyjAVLqruLX1Yy0oZuM22YFFj5MHuoEN3WdXOYymvZyOM05xXeQk6gVh3EE6MpbK8CFz1KPNEjd+vce1zUyACDvqdt6ZIjqmUdivBsvHDTqMgH9mSxjjjwLy+Sd7snXx0bqksTdPChAlXN9vs3ez8FJl0P4inzjza8l8zGqaa2A1CsO8dRcyojohczLYoTHWQTB3tVIdcj55UIE= roman"
\ No newline at end of file
diff --git a/roles/00-system-set-hostname/tasks/main.yml b/roles/00-system-set-hostname/tasks/main.yml
new file mode 100644
index 0000000..52e0af2
--- /dev/null
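Review bot: `%wheel ALL=(ALL) NOPASSWD: ALL` grants password-less root to every member of wheel, and the new `freifunk` account is reachable with two authorized keys, so each of those keys is effectively a root key for the router; if wheel is only meant for automation, say so in a comment, otherwise consider keeping a password prompt for interactive use. Editing /etc/sudoers in place with `lineinfile` is safe here because `validate` runs visudo, but a drop-in under `/etc/sudoers.d/` written by `copy` with `mode: '0440'` and the same `validate` is easier to audit and survives upgrades of the packaged sudoers file. The file also lacks the leading `---` and uses short module names (`group:`, `lineinfile:`, `user:`) while the network role in this commit uses FQCNs — pick one style.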
+++ b/roles/00-system-set-hostname/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+- name: Ensure hostname set
+ hostname:
+ name: "{{ inventory_hostname }}"
+ when: not inventory_hostname|trim is match('(\d{1,3}\.){3}\d{1,3}')
+ become: yes
+ register: hostname_set
+
+- name: Reboot host and wait for it to restart
+ reboot:
+ msg: "Reboot initiated by Ansible"
+ connect_timeout: 5
+ reboot_timeout: 600
+ pre_reboot_delay: 0
+ post_reboot_delay: 30
+ test_command: whoami
+ when: hostname_set.changed
\ No newline at end of file
diff --git a/roles/00-system-set-network/tasks/main.yml b/roles/00-system-set-network/tasks/main.yml
new file mode 100644
index 0000000..648997a
--- /dev/null
+++ b/roles/00-system-set-network/tasks/main.yml
@@ -0,0 +1,26 @@
+- name: Cop Network Config
+ ansible.builtin.template:
+ src: 01-ffrl-gre.yaml.j2
+ dest: /etc/netplan/01-ffrl-gre.yaml
+ owner: root
+ group: root
+ mode: '0644'
+
+- name: Netplan Apply
+ ansible.builtin.shell: netplan apply
+
+- name: Add ifDown Scripts via networkd-dispatcher
+ ansible.builtin.template:
+ src: 50-ifdown-hooks.sh.j2
+ dest: /etc/networkd-dispatcher/off.d/50-ifdown-hooks.sh
+ owner: root
+ group: root
+ mode: '0644'
+
+- name: Add ifUP Scripts via networkd-dispatcher
+ ansible.builtin.template:
+ src: 50-ifup-hooks.sh.j2
+ dest: /etc/networkd-dispatcher/routable.d/50-ifup-hooks.sh
+ owner: root
+ group: root
+ mode: '0644'
\ No newline at end of file
diff --git a/roles/00-system-set-network/tasks/templates/01-ffrl-gre.yaml.j2 b/roles/00-system-set-network/tasks/templates/01-ffrl-gre.yaml.j2
new file mode 100644
index 0000000..caf5cb3
--- /dev/null
+++ b/roles/00-system-set-network/tasks/templates/01-ffrl-gre.yaml.j2
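Review bot: `become: yes` on the hostname task is a YAML 1.1 truthy spelling; write `become: true` (yamllint `truthy`). The `reboot` task below it carries no `become` at all, which only works because the inventory connects as root — once the play moves to the `freifunk` user created by this commit, that reboot fails with a permission error, so add `become: true` there as well (or once at play level). It is also not obvious that changing the hostname needs a reboot: the `hostname` module applies the name immediately, so the reboot could be dropped or confined to the first provisioning run.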
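Review bot: both networkd-dispatcher hook scripts are installed with `mode: '0644'`, but networkd-dispatcher only executes hook files that carry the execute bit (and are root-owned and not group/world-writable), so as installed neither the SNAT rule nor the MSS clamp is ever applied; use `mode: '0755'` on the two hook template tasks. `ansible.builtin.shell: netplan apply` runs on every play and always reports changed; make it a handler and `notify` it from the netplan template task so it fires only when /etc/netplan/01-ffrl-gre.yaml actually changed. The task name `Cop Network Config` reads like a typo for "Copy Network Config".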
@@ -0,0 +1,55 @@
+network:
+ tunnels:
+ gre-bb-a.ak.ber:
+ mode: gre
+ local: {{ ansible_host }}
+ remote: 185.66.195.0
+ mtu: 1400
+ addresses:
+ - {{ gre_bb_a_ak_ber_ipv4 }}/31
+ - {{ gre_bb_a_ak_ber_ipv6 }}/64
+ gre-bb-b.ak.ber:
+ mode: gre
+ local: {{ ansible_host }}
+ remote: 185.66.195.1
+ mtu: 1400
+ addresses:
+ - {{ gre_bb_b_ak_ber_ipv4 }}/31
+ - {{ gre_bb_b_ak_ber_ipv6 }}/64
+ gre-bb-a.ix.dus:
+ mode: gre
+ local: {{ ansible_host }}
+ remote: 185.66.193.0
+ mtu: 1400
+ addresses:
+ - {{ gre_bb_a_ix_dus_ipv4 }}/31
+ - {{ gre_bb_a_ix_dus_ipv6 }}/64
+ gre-bb-b.ix.dus:
+ mode: gre
+ local: {{ ansible_host }}
+ remote: 185.66.193.1
+ mtu: 1400
+ addresses:
+ - {{ gre_bb_b_ix_dus_ipv4 }}/31
+ - {{ gre_bb_b_ix_dus_ipv6}}/64
+ gre-bb-a.fra3.f:
+ mode: gre
+ local: {{ ansible_host }}
+ remote: 185.66.194.0
+ mtu: 1400
+ addresses:
+ - {{ gre_bb_a_fra3_f_ipv4 }}/31
+ - {{ gre_bb_a_fra3_f_ipv6 }}/64
+ gre-bb-b.fra3.f:
+ mode: gre
+ local: {{ ansible_host }}
+ remote: 185.66.194.1
+ mtu: 1400
+ addresses:
+ - {{ gre_bb_b_fra3_f_ipv4 }}/31
+ - {{ gre_bb_b_fra3_f_ipv6 }}/64
+ ethernets:
+ lo:
+ addresses:
+ - {{ ffrl_ipv4 }}/32
+ - {{ ffrl_ipv6 }}/52
\ No newline at end of file
diff --git a/roles/00-system-set-network/tasks/templates/50-ifdown-hooks.sh.j2 b/roles/00-system-set-network/tasks/templates/50-ifdown-hooks.sh.j2
new file mode 100644
index 0000000..fd98692
--- /dev/null
+++ b/roles/00-system-set-network/tasks/templates/50-ifdown-hooks.sh.j2
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+if [ "$IFACE" == "gre*" ];
+then
+ iptables -t nat -D POSTROUTING -o $IFACE -j SNAT --to-source {{ ffrl_ipv4 }}
+fi
\ No newline at end of file
diff --git a/roles/00-system-set-network/tasks/templates/50-ifup-hooks.sh.j2 b/roles/00-system-set-network/tasks/templates/50-ifup-hooks.sh.j2
new file mode 100644
index 0000000..35aed30
--- /dev/null
+++ b/roles/00-system-set-network/tasks/templates/50-ifup-hooks.sh.j2
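Review bot: the `network:` mapping has no `version: 2` (nor a `renderer:`), and as far as I can tell netplan's YAML reference lists the version key as mandatory; add `version: 2` and `renderer: networkd` directly under `network:`, the latter because the hook scripts in this commit depend on systemd-networkd's dispatcher. Every tunnel uses `local: {{ ansible_host }}`, which ties the GRE endpoint to the SSH connection address in the inventory — switching `ansible_host` to a DNS name or to the commented-out alternate address silently rewrites all six tunnels, so a dedicated variable such as `gre_local_ipv4` would decouple the two. Minor: `{{ gre_bb_b_ix_dus_ipv6}}` lacks the space before `}}` that every other expression has, and `ffrl_ipv6 }}/52` on `lo` differs from the /64 used on the tunnels — worth a comment if it is intentional.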
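Review bot: `[ "$IFACE" == "gre*" ]` is a literal string comparison — inside double quotes `*` does not glob, and POSIX `[` never pattern-matches — so the body only runs when the interface is named exactly `gre*`, i.e. never; 50-ifup-hooks.sh.j2 has the same test. Since the shebang is bash, write `if [[ "$IFACE" == gre* ]]; then` (or `case "$IFACE" in gre*) … ;; esac`) and quote the variable as `-o "$IFACE"`. Please also confirm that the interface names netplan creates from this commit's template (`gre-bb-a.ak.ber` and so on) are what networkd-dispatcher reports in `IFACE`, otherwise the prefix test still misses.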
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+if [ "$IFACE" == "gre*" ];
+then
+ iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source {{ ffrl_ipv4 }}
+ iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
+ ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
+fi
diff --git a/roles/01-system-install-packages/tasks/main.yml b/roles/01-system-install-packages/tasks/main.yml
new file mode 100644
index 0000000..9a6ff62
--- /dev/null
+++ b/roles/01-system-install-packages/tasks/main.yml
@@ -0,0 +1,15 @@
+- name: Install all Packages
+ apt: name={{ item }} state=latest update_cache=yes
+ with_items:
+ - curl
+ - nano
+ - vim
+ - htop
+ - bird
+ - screen
+ - iproute2
+ - iptables
+ - cron
+ - qemu-guest-agent
+ - iputils-ping
+ - iw
\ No newline at end of file
diff --git a/roles/11-create-cronjob/tasks/main.yml b/roles/11-create-cronjob/tasks/main.yml
new file mode 100644
index 0000000..4a4ff1c
--- /dev/null
+++ b/roles/11-create-cronjob/tasks/main.yml
@@ -0,0 +1,16 @@
+- name: Ensures Freifunk Folder exists
+ file: path=/opt/freifunk state=directory
+
+- name: Copy Reboot Script
+ ansible.builtin.template:
+ src: sn_startup.sh.j2
+ dest: /opt/freifunk/sn_startup.sh
+ owner: root
+ group: root
+ mode: '0644'
+
+- name: Cron Job to run after boot
+ ansible.builtin.cron:
+ name: "Set Freifunk Routes"
+ special_time: reboot
+ job: /opt/freifunk/sn_startup.sh
\ No newline at end of file
diff --git a/roles/11-create-cronjob/templates/sn_startup.sh.j2 b/roles/11-create-cronjob/templates/sn_startup.sh.j2
new file mode 100644
index 0000000..05e0056
--- /dev/null
+++ b/roles/11-create-cronjob/templates/sn_startup.sh.j2
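Review bot: all three rules are appended with `-A` on every routable event, and the companion off.d hook only deletes the SNAT rule, never the two TCPMSS rules, so each down/up cycle of a tunnel leaves one more duplicate clamp in mangle POSTROUTING (and a routable event without a preceding off leaves a duplicate SNAT rule too). Guard each append with a check, e.g. `iptables -t nat -C POSTROUTING -o "$IFACE" -j SNAT --to-source {{ ffrl_ipv4 }} 2>/dev/null || iptables -t nat -A POSTROUTING -o "$IFACE" -j SNAT --to-source {{ ffrl_ipv4 }}`, and add matching `-D` lines for the two TCPMSS rules to 50-ifdown-hooks.sh.j2. A one-line comment explaining the 1312 value (MSS that fits the 1400-byte tunnel MTU with headers) would help the next maintainer.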
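Review bot: `apt: name={{ item }} state=latest update_cache=yes` with `with_items` runs one apt transaction per package and, because of `state=latest`, upgrades every listed package on every play — an unrelated run can pull a new bird or iptables onto a production router unannounced. Pass the list to `name:` directly with `state: present` (do upgrades deliberately in a separate task) and write the arguments as block YAML, e.g. `apt:` / `name: [curl, nano, …]` / `state: present` / `update_cache: true`; the same key=value pattern is in roles/20-install-openvpn/tasks/main.yml. `iw` is a wireless tool and presumably a leftover from another supernode role — confirm it is needed on a hosted VM.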
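Review bot: sn_startup.sh is installed with `mode: '0644'` but the cron entry invokes it directly as `job: /opt/freifunk/sn_startup.sh`; cron hands that to `sh -c`, which needs the execute bit, so the @reboot job fails with a permission error and the ffrl policy routing is never set up. Use `mode: '0755'` on the template task (or `job: /bin/sh /opt/freifunk/sn_startup.sh`). `file: path=/opt/freifunk state=directory` should be block YAML like the other tasks, and since the directory's mode otherwise depends on root's umask, state `mode: '0755'` explicitly; the task name `Ensures Freifunk Folder exists` should read `Ensure`.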
@@ -0,0 +1,26 @@
+#!/bin/sh
+# Version 1.91
+
+sleep 5
+
+# Activate IP forwarding
+/sbin/sysctl -w net.ipv6.conf.all.forwarding=1
+/sbin/sysctl -w net.ipv4.ip_forward=1
+
+# restart when kernel panic
+/sbin/sysctl kernel.panic=1
+
+# Routing table 42
+/bin/grep 42 /etc/iproute2/rt_tables || /bin/echo 42 ffrl >> /etc/iproute2/rt_tables
+
+# Set table for traffice with mark 4
+/bin/ip rule add fwmark 0x4 table 42
+/bin/ip -6 rule add fwmark 0x4 table 42
+
+# Set mark 4 to Freifunk traffic
+/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MARK --set-mark 4
+/sbin/ip6tables -t mangle -A PREROUTING -s 2a03:2260:121::/48 ! -d 2a03:2260:121::/48 -j MARK --set-mark 4
+
+# All from FF IPv4 via routing table 42
+/bin/ip rule add from {{ ffrl_ipv4 }}/32 lookup 42
+/bin/ip -6 rule add from {{ ffrl_ipv6_net }}/52 lookup 42
\ No newline at end of file
diff --git a/roles/20-install-openvpn/tasks/main.yml b/roles/20-install-openvpn/tasks/main.yml
new file mode 100644
index 0000000..d009472
--- /dev/null
+++ b/roles/20-install-openvpn/tasks/main.yml
@@ -0,0 +1,4 @@
+- name: Install OpenVPN
+ apt: name={{ item }} state=latest update_cache=yes
+ with_items:
+ - openvpn
\ No newline at end of file
diff --git a/system-setup.yml b/system-setup.yml
new file mode 100644
index 0000000..f02986b
--- /dev/null
+++ b/system-setup.yml
@@ -0,0 +1,14 @@
+# ansible-playbook -i hosts.yml -u root system-setup.yml
+- name: System preperation
+ hosts: supernodes
+ roles:
+ - 00-system-set-hostname
+ - 00-create-sudo-user
+ - 00-system-set-network
+ - 01-system-install-packages
+ - 11-create-cronjob
+
+- name: System preperation
+ hosts: vpn-offloader
+ roles:
+ - 20-install-openvpn
\ No newline at end of file
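Review bot: `/bin/grep 42 /etc/iproute2/rt_tables` matches any line containing the digits 42 (a comment, or a table numbered 142 or 420), so the name entry can be skipped or, conversely, appended again if the file already has `42 ffrl` with different spacing; use `/bin/grep -q '^42[[:space:]]' /etc/iproute2/rt_tables || …`. The script has no `set -e`, so a failed sysctl or iptables call is silently ignored and the router comes up with half of the policy routing in place; at minimum log failures, or turn this into a systemd unit with `After=network-online.target` instead of `sleep 5` under cron @reboot, which is a race against the tunnels coming up. The `ip rule add` and `iptables -A` lines are not idempotent, so running the script by hand after boot duplicates rules — a `# run once at boot only` comment, or `-C`/`ip rule show` guards, would make that explicit. Typo in the comment: `traffice`.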
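Review bot: both plays are named `System preperation` (a typo for "preparation", and a duplicate play name makes log output and `--start-at-task` ambiguous); name the second one for what it does, e.g. `- name: Install OpenVPN on VPN offloaders`. Neither play sets `become`, which relies on the inventory's `ansible_user: root` — once that is switched to the `freifunk` user this commit creates, add `become: true` at play level rather than per task. The `-u root` in the usage comment is redundant with `ansible_user: root` in hosts.yml and will go stale first; drop it from the comment.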