New Ansible for VPN Offloader

hosts.yml

@@ -0,0 +1,33 @@
+######################
+#
+# Ansible Hosts for FFTDF Supernodes. atm only the new offloader
+#
+######################
+all:
+  children:
+    supernodes:
+      children:
+        vpn-offloader:
+          hosts:
+            # tdf7
+            troisdorf7:
+              #TDF (alt)
+              #ansible_host: 93.241.53.100
+              ansible_host: 5.9.220.113
+              ansible_user: root
+              ansible_python_interpreter: /usr/bin/python3
+              ffrl_ipv4: 185.66.193.107
+              ffrl_ipv6: 2a03:2260:121:7000::107
+              ffrl_ipv6_net: "2a03:2260:121:7000::"
+              gre_bb_a_ak_ber_ipv4: 100.64.6.25
+              gre_bb_b_ak_ber_ipv4: 100.64.6.31
+              gre_bb_a_ix_dus_ipv4: 100.64.6.29
+              gre_bb_b_ix_dus_ipv4: 100.64.6.35
+              gre_bb_a_fra3_f_ipv4: 100.64.6.27
+              gre_bb_b_fra3_f_ipv4: 100.64.6.33
+              gre_bb_a_ak_ber_ipv6: 2a03:2260:0:30c::2
+              gre_bb_b_ak_ber_ipv6: 2a03:2260:0:30f::2
+              gre_bb_a_ix_dus_ipv6: 2a03:2260:0:30e::2
+              gre_bb_b_ix_dus_ipv6: 2a03:2260:0:311::2
+              gre_bb_a_fra3_f_ipv6: 2a03:2260:0:30d::2
+              gre_bb_b_fra3_f_ipv6: 2a03:2260:0:310::2

roles/00-create-sudo-user/tasks/main.yml

@@ -0,0 +1,33 @@
+- name: Make sure we have a 'wheel' group
+  group:
+    name: wheel
+    state: present
+
+- name: Allow 'wheel' group to have passwordless sudo
+  lineinfile:
+    path: /etc/sudoers
+    state: present
+    regexp: '^%wheel'
+    line: '%wheel ALL=(ALL) NOPASSWD: ALL'
+    validate: '/usr/sbin/visudo -cf %s'
+
+- name: Create a new regular user with sudo privileges
+  user:
+    name: freifunk
+    state: present
+    groups: wheel
+    append: true
+    create_home: true
+    shell: /bin/bash
+
+- name: Set authorized key for Stefan
+  authorized_key:
+    user: freifunk
+    state: present
+    key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDM0d9uUUdkK80fYEAz+IwxbhQO2qsr87Q4uxxwqQCvjVWryL+IuKMBJJGroWDMz2d9UJcIXEYdMz4436U0DoPJuoXe5iDsVvum3Vz3276My+tqx1bZWCktPa8Isft7mO/wfELNjRNQduUiwh2y712s7/3GQI+5Rs/65HuLHTnpLKrlfptqmsmYw+IUFDzGwBLJ6sqP90ywjKkperPCAH3IWcTsQwnW3EJFPToMg6BrQslZlxx/z+co3e6jCWzUuuIRP9jp4SmNVfYaVGb1cOFdL1p1P0qWHBHdGUnXHZ+c773VKVSj+spUBxKGqNC1EhRCYTsPDLVrYrhKl2BRLcgB stefan@Stefan-Linux"
+
+- name: Set authorized key for Roman
+  authorized_key:
+    user: freifunk
+    state: present
+    key: "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAos0JvQsyAsP3FcsqDCBTDqzUGBeoxMKDj/SSRoy5MBDPUaWm37b93Lqmg1wMj0qvUURBKpWsRiRUzzRAaQrIdhcZjo0Gkw4vv7tpFQCmvWqxUpzH00GDKjLrMvNfcv+5b0Ctl06Bo+e4nb2SVsFhjaP9MLIjHiKpgivIPx9aKwxKx/VjsW920eWOG+VaDKIJTxPGUYedaUgIktvhutAbOyRR/OJlIZ3Qs0cnyT4KTM4pe4br2p3+mNs6J7G+z8Lw99WiUBfUwsRLVO68nJA2PKlJNEUGJycngqV06iQpcDfei88DFRMetN9bhVYxWFIzCQfjjqs8dkomEhfFQwfOTYiOouhaycZABwU4pPmQwZIkp1q4KduodU/KYsf78WitYgavHVInWBQuAUljafwQpTLHy8AI6M3XmbKi5rvNZiy4hoxfaT7rYJGuBoTwsZEHI7Sf26XsyQKJdu29mmIYPpzPKP7VAyjAVLqruLX1Yy0oZuM22YFFj5MHuoEN3WdXOYymvZyOM05xXeQk6gVh3EE6MpbK8CFz1KPNEjd+vce1zUyACDvqdt6ZIjqmUdivBsvHDTqMgH9mSxjjjwLy+Sd7snXx0bqksTdPChAlXN9vs3ez8FJl0P4inzjza8l8zGqaa2A1CsO8dRcyojohczLYoTHWQTB3tVIdcj55UIE= roman"

roles/00-system-set-hostname/tasks/main.yml

@@ -0,0 +1,17 @@
+---
+- name: Ensure hostname set
+  hostname:
+    name: "{{ inventory_hostname }}"
+  when: not inventory_hostname|trim is match('(\d{1,3}\.){3}\d{1,3}')
+  become: yes
+  register: hostname_set
+
+- name: Reboot host and wait for it to restart
+  reboot:
+    msg: "Reboot initiated by Ansible"
+    connect_timeout: 5
+    reboot_timeout: 600
+    pre_reboot_delay: 0
+    post_reboot_delay: 30
+    test_command: whoami
+  when: hostname_set.changed

roles/00-system-set-network/tasks/main.yml

@@ -0,0 +1,26 @@
+- name: Cop Network Config
+  ansible.builtin.template:
+    src: 01-ffrl-gre.yaml.j2
+    dest: /etc/netplan/01-ffrl-gre.yaml
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Netplan Apply
+  ansible.builtin.shell: netplan apply
+
+- name: Add ifDown Scripts via networkd-dispatcher
+  ansible.builtin.template:
+    src: 50-ifdown-hooks.sh.j2
+    dest: /etc/networkd-dispatcher/off.d/50-ifdown-hooks.sh
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Add ifUP Scripts via networkd-dispatcher
+  ansible.builtin.template:
+    src: 50-ifup-hooks.sh.j2
+    dest: /etc/networkd-dispatcher/routable.d/50-ifup-hooks.sh
+    owner: root
+    group: root
+    mode: '0644'

roles/00-system-set-network/tasks/templates/01-ffrl-gre.yaml.j2

@@ -0,0 +1,55 @@
+network:
+ tunnels:
+  gre-bb-a.ak.ber:
+    mode: gre
+    local: {{ ansible_host }}
+    remote: 185.66.195.0
+    mtu: 1400
+    addresses:
+     - {{ gre_bb_a_ak_ber_ipv4 }}/31
+     - {{ gre_bb_a_ak_ber_ipv6 }}/64
+  gre-bb-b.ak.ber:
+    mode: gre
+    local: {{ ansible_host }}
+    remote: 185.66.195.1
+    mtu: 1400
+    addresses:
+     - {{ gre_bb_b_ak_ber_ipv4 }}/31
+     - {{ gre_bb_b_ak_ber_ipv6 }}/64
+  gre-bb-a.ix.dus:
+    mode: gre
+    local: {{ ansible_host }}
+    remote: 185.66.193.0
+    mtu: 1400
+    addresses:
+     - {{ gre_bb_a_ix_dus_ipv4 }}/31
+     - {{ gre_bb_a_ix_dus_ipv6 }}/64
+  gre-bb-b.ix.dus:
+    mode: gre
+    local: {{ ansible_host }}
+    remote: 185.66.193.1
+    mtu: 1400
+    addresses:
+     - {{ gre_bb_b_ix_dus_ipv4 }}/31
+     - {{ gre_bb_b_ix_dus_ipv6}}/64
+  gre-bb-a.fra3.f:
+    mode: gre
+    local: {{ ansible_host }}
+    remote: 185.66.194.0
+    mtu: 1400
+    addresses:
+     - {{ gre_bb_a_fra3_f_ipv4 }}/31
+     - {{ gre_bb_a_fra3_f_ipv6 }}/64
+  gre-bb-b.fra3.f:
+    mode: gre
+    local: {{ ansible_host }}
+    remote: 185.66.194.1
+    mtu: 1400
+    addresses:
+     - {{ gre_bb_b_fra3_f_ipv4 }}/31
+     - {{ gre_bb_b_fra3_f_ipv6 }}/64
+ ethernets:
+   lo:
+     addresses:
+     - {{ ffrl_ipv4 }}/32
+     - {{ ffrl_ipv6 }}/52

roles/00-system-set-network/tasks/templates/50-ifdown-hooks.sh.j2

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+if [ "$IFACE" == "gre*" ];
+then
+        iptables -t nat -D POSTROUTING -o $IFACE -j SNAT --to-source {{ ffrl_ipv4 }}
+fi

roles/00-system-set-network/tasks/templates/50-ifup-hooks.sh.j2

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+if [ "$IFACE" == "gre*" ];
+then
+    iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source {{ ffrl_ipv4 }}
+    iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
+    ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
+fi

roles/01-system-install-packages/tasks/main.yml

@@ -0,0 +1,15 @@
+- name: Install all Packages
+  apt: name={{ item }} state=latest update_cache=yes
+  with_items:
+    - curl
+    - nano
+    - vim
+    - htop
+    - bird
+    - screen
+    - iproute2
+    - iptables
+    - cron
+    - qemu-guest-agent
+    - iputils-ping
+    - iw

roles/11-create-cronjob/tasks/main.yml

@@ -0,0 +1,16 @@
+- name: Ensures Freifunk Folder exists
+  file: path=/opt/freifunk state=directory
+
+- name: Copy Reboot Script
+  ansible.builtin.template:
+    src: sn_startup.sh.j2
+    dest: /opt/freifunk/sn_startup.sh
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Cron Job to run after boot
+  ansible.builtin.cron:
+    name: "Set Freifunk Routes"
+    special_time: reboot
+    job: /opt/freifunk/sn_startup.sh

roles/11-create-cronjob/templates/sn_startup.sh.j2

@@ -0,0 +1,26 @@
+#!/bin/sh
+# Version 1.91
+
+sleep 5
+
+# Activate IP forwarding
+/sbin/sysctl -w net.ipv6.conf.all.forwarding=1
+/sbin/sysctl -w net.ipv4.ip_forward=1
+
+# restart when kernel panic
+/sbin/sysctl kernel.panic=1
+
+# Routing table 42
+/bin/grep 42 /etc/iproute2/rt_tables || /bin/echo 42 ffrl >> /etc/iproute2/rt_tables
+
+# Set table for traffice with mark 4
+/bin/ip rule add fwmark 0x4 table 42
+/bin/ip -6 rule add fwmark 0x4 table 42
+
+# Set mark 4 to Freifunk traffic
+/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MARK --set-mark 4
+/sbin/ip6tables -t mangle -A PREROUTING -s 2a03:2260:121::/48 ! -d 2a03:2260:121::/48 -j MARK --set-mark 4
+
+# All from FF IPv4 via routing table 42
+/bin/ip rule add from {{ ffrl_ipv4 }}/32 lookup 42
+/bin/ip -6 rule add from {{ ffrl_ipv6_net }}/52 lookup 42

roles/20-install-openvpn/tasks/main.yml

@@ -0,0 +1,4 @@
+- name: Install OpenVPN
+  apt: name={{ item }} state=latest update_cache=yes
+  with_items:
+    - openvpn

system-setup.yml

@@ -0,0 +1,14 @@
+# ansible-playbook -i hosts.yml -u root system-setup.yml   
+- name: System preperation
+  hosts: supernodes
+  roles:
+    - 00-system-set-hostname
+    - 00-create-sudo-user
+    - 00-system-set-network
+    - 01-system-install-packages
+    - 11-create-cronjob
+
+- name: System preperation
+  hosts: vpn-offloader
+  roles:
+    - 20-install-openvpn