New Ansible for VPN Offloader
parent
b59eea9f8a
commit
b8eb3d349c
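--- a/hosts.yml
+++ b/hosts.yml
@@ -0,0 +1,33 @@
+######################
+#
+# Ansible Hosts for FFTDF Supernodes. atm only the new offloader
+#
+######################
+all:
+  children:
+    supernodes:
+      children:
+        vpn-offloader:
+          hosts:
+            # tdf7
+            troisdorf7:
+              #TDF (alt)
+              #ansible_host: 93.241.53.100
+              ansible_host: 5.9.220.113
+              ansible_user: root
+              ansible_python_interpreter: /usr/bin/python3
+              ffrl_ipv4: 185.66.193.107
+              ffrl_ipv6: 2a03:2260:121:7000::107
+              ffrl_ipv6_net: "2a03:2260:121:7000::"
+              gre_bb_a_ak_ber_ipv4: 100.64.6.25
+              gre_bb_b_ak_ber_ipv4: 100.64.6.31
+              gre_bb_a_ix_dus_ipv4: 100.64.6.29
+              gre_bb_b_ix_dus_ipv4: 100.64.6.35
+              gre_bb_a_fra3_f_ipv4: 100.64.6.27
+              gre_bb_b_fra3_f_ipv4: 100.64.6.33
+              gre_bb_a_ak_ber_ipv6: 2a03:2260:0:30c::2
+              gre_bb_b_ak_ber_ipv6: 2a03:2260:0:30f::2
+              gre_bb_a_ix_dus_ipv6: 2a03:2260:0:30e::2
+              gre_bb_b_ix_dus_ipv6: 2a03:2260:0:311::2
+              gre_bb_a_fra3_f_ipv6: 2a03:2260:0:30d::2
+              gre_bb_b_fra3_f_ipv6: 2a03:2260:0:310::2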
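Review bot: `ansible_user: root` pins every run to the root account, and nothing else in this commit switches to the `freifunk` sudo user that 00-create-sudo-user creates or restricts root logins, so the dedicated user is never actually exercised. A comment next to that line would make the intent explicit, e.g. `# bootstrap only: switch to ansible_user: freifunk plus become once 00-create-sudo-user has run`. As a style point, `ffrl_ipv6_net` is quoted while the other IPv6 values are plain scalars; quoting all of them the same way keeps the inventory consistent and rules out implicit typing of future values.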
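--- a/roles/00-create-sudo-user/tasks/main.yml
+++ b/roles/00-create-sudo-user/tasks/main.yml
@@ -0,0 +1,33 @@
+- name: Make sure we have a 'wheel' group
+  group:
+    name: wheel
+    state: present
+
+- name: Allow 'wheel' group to have passwordless sudo
+  lineinfile:
+    path: /etc/sudoers
+    state: present
+    regexp: '^%wheel'
+    line: '%wheel ALL=(ALL) NOPASSWD: ALL'
+    validate: '/usr/sbin/visudo -cf %s'
+
+- name: Create a new regular user with sudo privileges
+  user:
+    name: freifunk
+    state: present
+    groups: wheel
+    append: true
+    create_home: true
+    shell: /bin/bash
+
+- name: Set authorized key for Stefan
+  authorized_key:
+    user: freifunk
+    state: present
+    key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDM0d9uUUdkK80fYEAz+IwxbhQO2qsr87Q4uxxwqQCvjVWryL+IuKMBJJGroWDMz2d9UJcIXEYdMz4436U0DoPJuoXe5iDsVvum3Vz3276My+tqx1bZWCktPa8Isft7mO/wfELNjRNQduUiwh2y712s7/3GQI+5Rs/65HuLHTnpLKrlfptqmsmYw+IUFDzGwBLJ6sqP90ywjKkperPCAH3IWcTsQwnW3EJFPToMg6BrQslZlxx/z+co3e6jCWzUuuIRP9jp4SmNVfYaVGb1cOFdL1p1P0qWHBHdGUnXHZ+c773VKVSj+spUBxKGqNC1EhRCYTsPDLVrYrhKl2BRLcgB stefan@Stefan-Linux"
+
+- name: Set authorized key for Roman
+  authorized_key:
+    user: freifunk
+    state: present
+    key: "ssh-rsa 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 roman"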
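Review bot: `line: '%wheel ALL=(ALL) NOPASSWD: ALL'` grants every wheel member unrestricted passwordless root, and the task writes it into /etc/sudoers itself; a drop-in via `path: /etc/sudoers.d/wheel` with `create: true` and `mode: '0440'` keeps the validated rule apart from the distro file and is easier to revert. Both authorized_key tasks keep the defaults, so any key already present in the freifunk user's authorized_keys stays; if only these two keys should be valid, one task with `exclusive: true` and both keys enforces that. The role also never disables password or root SSH login, so creating the sudo user does not by itself change what is reachable remotely; that is presumably a follow-up worth noting in the task name or a comment.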
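--- a/roles/00-system-set-hostname/tasks/main.yml
+++ b/roles/00-system-set-hostname/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+- name: Ensure hostname set
+  hostname:
+    name: "{{ inventory_hostname }}"
+  when: not inventory_hostname|trim is match('(\d{1,3}\.){3}\d{1,3}')
+  become: yes
+  register: hostname_set
+
+- name: Reboot host and wait for it to restart
+  reboot:
+    msg: "Reboot initiated by Ansible"
+    connect_timeout: 5
+    reboot_timeout: 600
+    pre_reboot_delay: 0
+    post_reboot_delay: 30
+    test_command: whoami
+  when: hostname_set.changed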
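Review bot: `become: yes` and `when: hostname_set.changed` use the older spellings while the rest of the commit writes booleans as `true` (e.g. `append: true`); `become: true` and `when: hostname_set is changed` keep the style consistent and satisfy yamllint's truthy rule. With `ansible_user: root` in hosts.yml the `become` is currently a no-op, which deserves a one-line comment so nobody removes it when the connecting user changes. The `hostname_set` variable is registered even when the first task is skipped, so the reboot task's condition is safe as written.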
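--- a/roles/00-system-set-network/tasks/main.yml
+++ b/roles/00-system-set-network/tasks/main.yml
@@ -0,0 +1,26 @@
+- name: Cop Network Config
+  ansible.builtin.template:
+    src: 01-ffrl-gre.yaml.j2
+    dest: /etc/netplan/01-ffrl-gre.yaml
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Netplan Apply
+  ansible.builtin.shell: netplan apply
+
+- name: Add ifDown Scripts via networkd-dispatcher
+  ansible.builtin.template:
+    src: 50-ifdown-hooks.sh.j2
+    dest: /etc/networkd-dispatcher/off.d/50-ifdown-hooks.sh
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Add ifUP Scripts via networkd-dispatcher
+  ansible.builtin.template:
+    src: 50-ifup-hooks.sh.j2
+    dest: /etc/networkd-dispatcher/routable.d/50-ifup-hooks.sh
+    owner: root
+    group: root
+    mode: '0644'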
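Review bot: The two hook scripts are installed with `mode: '0644'`, but networkd-dispatcher only runs hook files in off.d/ and routable.d/ that are executable (and root-owned, not writable by others), so as far as I can tell the SNAT and MSS rules in them would never be applied; both templates need `mode: '0755'`. Separately, `ansible.builtin.shell: netplan apply` runs on every play, reports changed each time, and fires before the hook scripts are in place; making it a handler notified by the template tasks (`notify: Netplan apply`, with `ansible.builtin.command: netplan apply` in handlers/main.yml) keeps the role idempotent and applies the config once everything is written. `Cop Network Config` looks like a typo for "Copy".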
@ -0,0 +1,55 @@
network:
tunnels:
gre-bb-a.ak.ber:
mode: gre
local: {{ ansible_host }}
remote: 185.66.195.0
mtu: 1400
addresses:
- {{ gre_bb_a_ak_ber_ipv4 }}/31
- {{ gre_bb_a_ak_ber_ipv6 }}/64
gre-bb-b.ak.ber:
mode: gre
local: {{ ansible_host }}
remote: 185.66.195.1
mtu: 1400
addresses:
- {{ gre_bb_b_ak_ber_ipv4 }}/31
- {{ gre_bb_b_ak_ber_ipv6 }}/64
gre-bb-a.ix.dus:
mode: gre
local: {{ ansible_host }}
remote: 185.66.193.0
mtu: 1400
addresses:
- {{ gre_bb_a_ix_dus_ipv4 }}/31
- {{ gre_bb_a_ix_dus_ipv6 }}/64
gre-bb-b.ix.dus:
mode: gre
local: {{ ansible_host }}
remote: 185.66.193.1
mtu: 1400
addresses:
- {{ gre_bb_b_ix_dus_ipv4 }}/31
- {{ gre_bb_b_ix_dus_ipv6}}/64
gre-bb-a.fra3.f:
mode: gre
local: {{ ansible_host }}
remote: 185.66.194.0
mtu: 1400
addresses:
- {{ gre_bb_a_fra3_f_ipv4 }}/31
- {{ gre_bb_a_fra3_f_ipv6 }}/64
gre-bb-b.fra3.f:
mode: gre
local: {{ ansible_host }}
remote: 185.66.194.1
mtu: 1400
addresses:
- {{ gre_bb_b_fra3_f_ipv4 }}/31
- {{ gre_bb_b_fra3_f_ipv6 }}/64
ethernets:
lo:
addresses:
- {{ ffrl_ipv4 }}/32
- {{ ffrl_ipv6 }}/52
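Review bot: `- {{ ffrl_ipv6 }}/52` on `lo` attaches the whole /52 prefix to the loopback interface while the IPv4 line above it is a /32 host address; hosts.yml keeps the prefix separately in `ffrl_ipv6_net`, so if ffrl_ipv6 is meant as the host's own address this is presumably `/128`, with any covering route for the /52 added on purpose rather than as a connected route on lo. `{{ gre_bb_b_ix_dus_ipv6}}` lacks the space before `}}` that every other expression has; Jinja accepts it but it breaks the pattern. The templated values are plain scalars that render to IP addresses, which parses fine, though `local: "{{ ansible_host }}"` is the usual defensive habit for templated YAML. The file header for this hunk is not shown on the page; from the tasks file it is presumably the 01-ffrl-gre.yaml.j2 template.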
@ -0,0 +1,6 @@
#!/bin/bash
if [ "$IFACE" == "gre*" ];
then
iptables -t nat -D POSTROUTING -o $IFACE -j SNAT --to-source {{ ffrl_ipv4 }}
fi
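Review bot: `if [ "$IFACE" == "gre*" ];` compares $IFACE with the literal five-character string `gre*`, because `[` does no glob matching, so this hook never removes the SNAT rule for the gre-bb-* tunnels; the ifup hook in the next hunk has the same test, where it means the SNAT and MSS rules are never installed either. Use `case "$IFACE" in gre*) … ;; esac`, or since the shebang is bash, `if [[ "$IFACE" == gre* ]]; then`. `$IFACE` is also unquoted in the iptables invocation; `"$IFACE"` matches the test and is the safer habit for a script run by a dispatcher. The file headers naming these two hook templates are not shown on the page.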
@ -0,0 +1,8 @@
#!/bin/bash
if [ "$IFACE" == "gre*" ];
then
iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source {{ ffrl_ipv4 }}
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
fi
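Review bot: The three `-A` rules are appended every time a gre interface becomes routable, but the off.d hook only deletes the SNAT rule, so the two TCPMSS rules accumulate across tunnel flaps. Either delete them in the ifdown hook with matching `-D` lines, or guard each insert with `iptables -C … || iptables -A …` so repeated events are idempotent. A short header comment naming the event this runs on (`# networkd-dispatcher routable.d hook: per-tunnel SNAT and MSS clamp`) would also help the next reader, since the directory name is the only hint.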
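--- a/roles/01-system-install-packages/tasks/main.yml
+++ b/roles/01-system-install-packages/tasks/main.yml
@@ -0,0 +1,15 @@
+- name: Install all Packages
+  apt: name={{ item }} state=latest update_cache=yes
+  with_items:
+    - curl
+    - nano
+    - vim
+    - htop
+    - bird
+    - screen
+    - iproute2
+    - iptables
+    - cron
+    - qemu-guest-agent
+    - iputils-ping
+    - iw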
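--- a/roles/11-create-cronjob/tasks/main.yml
+++ b/roles/11-create-cronjob/tasks/main.yml
@@ -0,0 +1,16 @@
+- name: Ensures Freifunk Folder exists
+  file: path=/opt/freifunk state=directory
+
+- name: Copy Reboot Script
+  ansible.builtin.template:
+    src: sn_startup.sh.j2
+    dest: /opt/freifunk/sn_startup.sh
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Cron Job to run after boot
+  ansible.builtin.cron:
+    name: "Set Freifunk Routes"
+    special_time: reboot
+    job: /opt/freifunk/sn_startup.sh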
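--- a/roles/11-create-cronjob/templates/sn_startup.sh.j2
+++ b/roles/11-create-cronjob/templates/sn_startup.sh.j2
@@ -0,0 +1,26 @@
+#!/bin/sh
+# Version 1.91
+
+sleep 5
+
+# Activate IP forwarding
+/sbin/sysctl -w net.ipv6.conf.all.forwarding=1
+/sbin/sysctl -w net.ipv4.ip_forward=1
+
+# restart when kernel panic
+/sbin/sysctl kernel.panic=1
+
+# Routing table 42
+/bin/grep 42 /etc/iproute2/rt_tables || /bin/echo 42 ffrl >> /etc/iproute2/rt_tables
+
+# Set table for traffice with mark 4
+/bin/ip rule add fwmark 0x4 table 42
+/bin/ip -6 rule add fwmark 0x4 table 42
+
+# Set mark 4 to Freifunk traffic
+/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MARK --set-mark 4
+/sbin/ip6tables -t mangle -A PREROUTING -s 2a03:2260:121::/48 ! -d 2a03:2260:121::/48 -j MARK --set-mark 4
+
+# All from FF IPv4 via routing table 42
+/bin/ip rule add from {{ ffrl_ipv4 }}/32 lookup 42
+/bin/ip -6 rule add from {{ ffrl_ipv6_net }}/52 lookup 42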
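--- a/roles/20-install-openvpn/tasks/main.yml
+++ b/roles/20-install-openvpn/tasks/main.yml
@@ -0,0 +1,4 @@
+- name: Install OpenVPN
+  apt: name={{ item }} state=latest update_cache=yes
+  with_items:
+    - openvpn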
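--- a/system-setup.yml
+++ b/system-setup.yml
@@ -0,0 +1,14 @@
+# ansible-playbook -i hosts.yml -u root system-setup.yml
+- name: System preperation
+  hosts: supernodes
+  roles:
+    - 00-system-set-hostname
+    - 00-create-sudo-user
+    - 00-system-set-network
+    - 01-system-install-packages
+    - 11-create-cronjob
+
+- name: System preperation
+  hosts: vpn-offloader
+  roles:
+    - 20-install-openvpn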
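Review bot: Both plays are named `System preperation` (also a typo for "preparation"), so the second play, which only installs OpenVPN on vpn-offloader, cannot be told apart in run output; `- name: Install OpenVPN on VPN offloaders` would do. In hosts.yml `supernodes` is the parent group of `vpn-offloader`, so both plays currently target the same single host; if the split is meant for future supernode types, a one-line comment on the second play saying so would save the next reader the lookup. The invocation comment on the first line is useful and matches `ansible_user: root` in the inventory.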