diff --git a/files/dhcpd.conf.j2 b/files/dhcpd.conf.j2 index 8cd5205..d381959 100644 --- a/files/dhcpd.conf.j2 +++ b/files/dhcpd.conf.j2 @@ -1,6 +1,6 @@ # Version 1.3 ddns-update-style none; -option domain-name "fftdf"; +option domain-name "ff"; default-lease-time 300; max-lease-time 3600; log-facility local7; diff --git a/files/dhcpd6.conf.j2 b/files/dhcpd6.conf.j2 index 2a79b20..670a0d8 100644 --- a/files/dhcpd6.conf.j2 +++ b/files/dhcpd6.conf.j2 @@ -8,7 +8,7 @@ max-lease-time 600; option dhcp6.name-servers {{ sn_mesh_IPv6 }}; -option dhcp6.domain-search "fftdf"; +option dhcp6.domain-search "ff"; subnet6 {{ sn_mesh_IPv6_net }} { } diff --git a/files/fftdf/db.fftdf.j2 b/files/ff/db.ff.j2 similarity index 89% rename from files/fftdf/db.fftdf.j2 rename to files/ff/db.ff.j2 index 0216c3a..a46175e 100644 --- a/files/fftdf/db.fftdf.j2 +++ b/files/ff/db.ff.j2 @@ -1,15 +1,15 @@ -;; db.fftdf -;; Forwardlookupzone für .fftdf +;; db.ff +;; Forwardlookupzone für .ff ;; $TTL 600 -@ IN SOA fftdf. root.fftdf. ( +@ IN SOA ff. root.ff. ( 2015584544 ; Serial 8H ; Refresh 2H ; Retry 4W ; Expire 3H ) ; NX (TTL Negativ Cache) -@ IN NS {{ sn_hostname }}.infra.fftdf. +@ IN NS {{ sn_hostname }}.infra.ff. IN A {{ sn_mesh_IPv4 }} IN AAAA {{ sn_mesh_IPv6 }} localhost IN A 127.0.0.1 diff --git a/files/ff/ff.conf b/files/ff/ff.conf new file mode 100644 index 0000000..c720df4 --- /dev/null +++ b/files/ff/ff.conf @@ -0,0 +1,6 @@ +// Zone declarations for Freifunk + +zone "ff" { + type master; + file "/etc/bind/ff/db.ff"; +}; diff --git a/files/fftdf/fftdf.conf b/files/fftdf/fftdf.conf deleted file mode 100644 index e94dfa6..0000000 --- a/files/fftdf/fftdf.conf +++ /dev/null @@ -1,6 +0,0 @@ -// Zone declarations for Freifunk Troisdorf - -zone "fftdf" { - type master; - file "/etc/bind/fftdf/db.fftdf"; -}; \ No newline at end of file 
diff --git a/files/interfaces-troisdorf4 b/files/interfaces-troisdorf4.j2 similarity index 93% rename from files/interfaces-troisdorf4 rename to files/interfaces-troisdorf4.j2 index 3784e32..1ab9164 100644 --- a/files/interfaces-troisdorf4 +++ b/files/interfaces-troisdorf4.j2 @@ -13,18 +13,18 @@ iface lo inet6 loopback # The primary network interface -allow-hotplug eth0 -iface eth0 inet static +allow-hotplug {{ sn_interface_name }} +iface {{ sn_interface_name }} inet static address 212.129.50.141 netmask 255.255.255.255 gateway 163.172.210.1 pointopoint 163.172.210.1 post-up iptables -P OUTPUT ACCEPT - post-up iptables -A OUTPUT -o eth0 -d 10.0.0.0/8 -j DROP - post-up iptables -A OUTPUT -o eth0 -d 172.16.0.0/12 -j DROP - post-up iptables -A OUTPUT -o eth0 -d 169.254.0.0/16 -j DROP - post-up iptables -A OUTPUT -o eth0 -d 192.168.0.0/16 -j DROP - post-up iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE + post-up iptables -A OUTPUT -o $IFACE -d 10.0.0.0/8 -j DROP + post-up iptables -A OUTPUT -o $IFACE -d 172.16.0.0/12 -j DROP + post-up iptables -A OUTPUT -o $IFACE -d 169.254.0.0/16 -j DROP + post-up iptables -A OUTPUT -o $IFACE -d 192.168.0.0/16 -j DROP + post-up iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE auto 6to4 iface 6to4 inet6 6to4 local 212.129.50.141 diff --git a/files/interfaces-troisdorf5 b/files/interfaces-troisdorf5.j2 similarity index 90% rename from files/interfaces-troisdorf5 rename to files/interfaces-troisdorf5.j2 index fea611f..68d1394 100644 --- a/files/interfaces-troisdorf5 +++ b/files/interfaces-troisdorf5.j2 
@@ -13,18 +13,18 @@ iface lo inet6 loopback # The primary network interface -allow-hotplug eth0 -iface eth0 inet static +allow-hotplug {{ sn_interface_name }} +iface {{ sn_interface_name }} inet static address 62.210.5.90 netmask 255.255.255.255 gateway 163.172.210.1 pointopoint 163.172.210.1 post-up iptables -P OUTPUT ACCEPT - post-up iptables -A OUTPUT -o eth0 -d 10.0.0.0/8 -j DROP - post-up iptables -A OUTPUT -o eth0 -d 172.16.0.0/12 -j DROP - post-up iptables -A OUTPUT -o eth0 -d 169.254.0.0/16 -j DROP - post-up iptables -A OUTPUT -o eth0 -d 192.168.0.0/16 -j DROP - post-up iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE + post-up iptables -A OUTPUT -o $IFACE -d 10.0.0.0/8 -j DROP + post-up iptables -A OUTPUT -o $IFACE -d 172.16.0.0/12 -j DROP + post-up iptables -A OUTPUT -o $IFACE -d 169.254.0.0/16 -j DROP + post-up iptables -A OUTPUT -o $IFACE -d 192.168.0.0/16 -j DROP + post-up iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE auto 6to4 iface 6to4 inet6 6to4 local 62.210.5.90 diff --git a/files/interfaces-troisdorf6 b/files/interfaces-troisdorf6.j2 similarity index 89% rename from files/interfaces-troisdorf6 rename to files/interfaces-troisdorf6.j2 index ceb6352..1877aa5 100644 --- a/files/interfaces-troisdorf6 +++ b/files/interfaces-troisdorf6.j2 
@@ -13,25 +13,24 @@ iface lo inet6 loopback # The primary network interface -allow-hotplug eth0 -#iface eth0 inet dhcp -iface eth0 inet static +allow-hotplug {{ sn_interface_name }} +iface {{ sn_interface_name }} inet static address 62.210.12.122 netmask 255.255.255.255 gateway 163.172.210.1 pointopoint 163.172.210.1 post-up iptables -P OUTPUT ACCEPT - post-up iptables -A OUTPUT -o eth0 -d 10.0.0.0/8 -j DROP - post-up iptables -A OUTPUT -o eth0 -d 172.16.0.0/12 -j DROP - post-up iptables -A OUTPUT -o eth0 -d 169.254.0.0/16 -j DROP - post-up iptables -A OUTPUT -o eth0 -d 192.168.0.0/16 -j DROP - post-up iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE + post-up iptables -A OUTPUT -o $IFACE -d 10.0.0.0/8 -j DROP + post-up iptables -A OUTPUT -o $IFACE -d 172.16.0.0/12 -j DROP + post-up iptables -A OUTPUT -o $IFACE -d 169.254.0.0/16 -j DROP + post-up iptables -A OUTPUT -o $IFACE -d 192.168.0.0/16 -j DROP + post-up iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE auto 6to4 iface 6to4 inet6 6to4 local 62.210.12.122 post-up ip6tables -P OUTPUT ACCEPT - post-up ip6tables -A OUTPUT -o eth0 -d fc00::/7 -j DROP + post-up ip6tables -A OUTPUT -o $IFACE -d fc00::/7 -j DROP # GRE Tunnel zum Rheinland Backbone # - Die Konfigurationsdaten werden vom Rheinland Backbone vergeben und zugewiesen diff --git a/files/interfaces-troisdorf7 b/files/interfaces-troisdorf7.j2 similarity index 98% rename from files/interfaces-troisdorf7 rename to files/interfaces-troisdorf7.j2 index cd6ca9b..214e566 100644 --- a/files/interfaces-troisdorf7 +++ b/files/interfaces-troisdorf7.j2 @@ -13,8 +13,8 @@ iface lo inet6 loopback # The primary network interface -allow-hotplug ens18 -iface ens18 inet static +allow-hotplug {{ sn_interface_name }} +iface {{ sn_interface_name }} inet static address 93.241.53.100 netmask 255.255.255.0 gateway 93.241.53.1 diff --git a/files/named.conf.local b/files/named.conf.local index db75b20..09a1335 100644 --- a/files/named.conf.local +++ b/files/named.conf.local 
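Review bot: In the `iface 6to4 inet6 6to4` stanza of interfaces-troisdorf6.j2, `post-up ip6tables -A OUTPUT -o $IFACE -d fc00::/7 -j DROP` no longer filters the uplink: ifupdown sets `$IFACE` to the interface being brought up, which in that stanza is `6to4`, whereas the removed rule matched `eth0`. The mechanical eth0→`$IFACE` replacement is correct for the post-up lines under the primary interface, but this line should read `post-up ip6tables -A OUTPUT -o {{ sn_interface_name }} -d fc00::/7 -j DROP`. The troisdorf4 and troisdorf5 hunks only rewrite rules under the primary stanza, and their 6to4 stanzas are cut off by the hunk, so I cannot tell whether they carry the same rule.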
@@ -6,5 +6,5 @@ // organization //include "/etc/bind/zones.rfc1918"; -// Include Freifunk Troisdorf (fftdf) zones -include "/etc/bind/fftdf/fftdf.conf"; \ No newline at end of file +// Include Freifunk (ff) zones +include "/etc/bind/ff/ff.conf"; diff --git a/files/sn_startup.local.exit.sh.j2 b/files/sn_startup.local.exit.sh.j2 new file mode 100644 index 0000000..bd648ae --- /dev/null +++ b/files/sn_startup.local.exit.sh.j2 @@ -0,0 +1,43 @@ +#!/bin/sh +# Version 1.91 + +curl -X POST --data-urlencode 'payload={"text": "{{ sn_hostname }} is rebooted", "channel": "#technik", "username": "{{ sn_hostname }}", "icon_emoji": ":floppy_disk:"}' https://hooks.slack.com/services/{{ slack_token }} + +# Activate IP forwarding +/sbin/sysctl -w net.ipv6.conf.all.forwarding=1 +/sbin/sysctl -w net.ipv4.ip_forward=1 + +# restart when kernel panic +/sbin/sysctl kernel.panic=1 + +# Routing table 42 +/bin/grep 42 /etc/iproute2/rt_tables || /bin/echo 42 ffrl >> /etc/iproute2/rt_tables + +# Set table for traffice with mark 4 +/bin/ip rule add fwmark 0x4 table 42 +/bin/ip -6 rule add fwmark 0x4 table 42 + +# Set mark 4 to Freifunk traffic +#/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MARK --set-mark 4 +#/sbin/ip6tables -t mangle -A PREROUTING -s 2a03:2260:121::/48 ! -d 2a03:2260:121::/48 -j MARK --set-mark 4 + +# All from FF IPv4 via routing table 42 +#/bin/ip rule add from {{ sn_ffrl_IPv4 }}/32 lookup 42 +#/bin/ip -6 rule add from {{ sn_mesh_IPv6_net }} lookup 42 + +# Allow MAC address spoofing +/sbin/sysctl net.ipv4.conf.bat0.rp_filter=0 + +# Create Tunneldigger Bridge +/sbin/brctl addbr br-nodes +/sbin/ip link set dev br-nodes up address 2E:9D:FA:A1:6B:0{{ sn_number }} +/sbin/ebtables -A FORWARD --logical-in br-nodes -j DROP +/usr/local/sbin/batctl if add br-nodes + +sleep 5 +/bin/systemctl restart radvd +/bin/systemctl retsrat tunneldigger +/bin/systemctl restart bird +/bin/systemctl restart bird6 +/bin/systemctl restart isc-dhcp-server +exit 0 
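Review bot: `/bin/systemctl retsrat tunneldigger` near the end of sn_startup.local.exit.sh.j2 is a typo for `restart`, so tunneldigger is never restarted at boot and, because the script runs under `#!/bin/sh` with no error checking, the failure is silent; change it to `/bin/systemctl restart tunneldigger`. The Slack webhook URL embeds `{{ slack_token }}` as a curl argument, which is visible in the process list while the call runs, and the call has no timeout, so an unreachable Slack delays the forwarding/routing setup that follows; add `--max-time 10` and keep the deployed file at the `mode=0500` the template task uses. The comment `# Allow MAC address spoofing` above `net.ipv4.conf.bat0.rp_filter=0` is misleading: rp_filter is IPv4 source-address validation, and disabling it lets mesh clients emit spoofed IPv4 source addresses through bat0, which the comment should state explicitly. The `grep 42 /etc/iproute2/rt_tables` guard matches any line containing "42" (e.g. a table 142); `grep -q '^42[[:space:]]'` is the intended test.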
diff --git a/install.sn.yml b/install.sn.yml index 7a6531f..1a494c2 100644 --- a/install.sn.yml +++ b/install.sn.yml @@ -9,7 +9,7 @@ user: root gather_facts: False vars: - snversion: master_v3.1.4 + snversion: master_v3.1.5 batmanversion: v2017.4 common_required_packages: - git @@ -47,6 +47,7 @@ - libffi-dev - libnetfilter-conntrack-dev - libnfnetlink-dev + - speedtest-cli modules_required: - batman-adv - nf_conntrack_netlink @@ -57,25 +58,15 @@ - l2tp_eth tunneldigger_scripts: - start-broker.sh -# - start-broker-backup.sh - batdelif.sh tunneldigger_service: - tunneldigger.service -# - tunneldigger-backup.service broker_cfg: -# - l2tp_broker-backup.cfg - l2tp_broker.cfg -# bind_zone_fftdf: -# - named.conf.fftdf -# check_gw_script: -# - keepalive.sh authorized_keys: - authorized_keys logrotate_config: - logrotate.conf -# supernode_config: -# - supernode.mode -# - loadbalancing.mode tasks: - name: Remove cdrom in sources.list @@ -91,6 +82,10 @@ # url: https://sks.pod01.fleetstreetops.com # state: present + - name: Import Slack token + include_vars: "{{ slack_token_file }}" + - name: Import root password + include_vars: "{{ root_password_file }}" - name: Add Freifuck repo to source list apt_repository: repo='deb https://freifuck.de/debian stretch main' state=present - name: Add backport repo to source list @@ -128,7 +123,6 @@ timeout=300 when: hosts.changed when: sethostname.changed -# - apt: update_cache=yes - name: Install common required packages apt: name: "{{ item }}" 
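Review bot: The two new `include_vars` tasks load the Slack token and the root password into play variables without `no_log: true`; include_vars reports the loaded variables in its task result, so they are printed at `-v` and end up in any callback or log output. Add `no_log: true` to both tasks. The hunk does not show where `slack_token_file` and `root_password_file` point, so whether the files are vault-encrypted cannot be told from here; if they are plaintext they should be. Note also that the same token is templated into `/etc/slacktee.conf` with `mode=0544` elsewhere in this playbook, so if slacktee.conf.j2 embeds it, that file is world-readable on the node.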
@@ -138,57 +132,13 @@ register: aptupdates - name: Set clock shell: /etc/init.d/ntp stop && /usr/sbin/ntpd -q -g && /etc/init.d/ntp start -# - name: Add modules -# lineinfile: dest=/etc/modules line={{ item }} -# with_items: modules_required -# register: modules_req -# - name: Load modules -# modprobe: name={{ item }} -# with_items: modules_required -# when: modules_req.changed -# - name: Install Linux headers -# shell: > -# apt-get install linux-headers-$(uname -r) -y -# when: aptupdates.changed -# - name: Get batman-adv -# git: repo=https://git.open-mesh.org/batman-adv.git -# dest=/tmp/batman-adv -# when: aptupdates.changed -# register: getbatman -# - name: Get batman-adv no rebrotcast patch -# get_url: url=http://map.freifunk-moehne.de/stuff/1001-batman-adv-introduce-no_rebroadcast-option.patch dest=/tmp/batman-adv/1001-batman-adv-introduce-no_rebroadcast-option.patch -# when: getbatman.changed -# - name: Install batman-adv -# shell: cd /tmp/batman-adv && git checkout {{ batmanversion }} && make && make install -# shell: cd /tmp/batman-adv && git checkout {{ batmanversion }} && git apply 1001-batman-adv-introduce-no_rebroadcast-option.patch && make && make install -# when: getbatman.changed -# - name: Get batctl -# git: repo=http://git.open-mesh.org/batctl.git -# dest=/tmp/batctl -# when: aptupdates.changed -# register: getbatctl -# - name: Install batctl -# shell: cd /tmp/batctl && git checkout {{ batmanversion }} && make && make install -# when: getbatctl.changed - name: Get Tunneldigger -# git: repo=https://github.com/Freifunk-Troisdorf/tunneldigger.git dest=/srv/tunneldigger -# git: repo=https://github.com/wlanslovenija/tunneldigger.git dest=/srv/tunneldigger version=v0.1.0 -# git: repo=https://github.com/wlanslovenija/tunneldigger.git dest=/srv/tunneldigger -# git: repo=https://github.com/ffrl/tunneldigger.git dest=/srv/tunneldigger git: repo=https://github.com/Freifunk-Troisdorf/tunneldigger.git dest=/srv/tunneldigger -# version: release-0.22 register: 
tunneldigger when: aptupdates.changed - name: Configure tunneldigger raw: "cd /srv/tunneldigger && virtualenv env_tunneldigger && source env_tunneldigger/bin/activate && cd broker && python setup.py install" -# command: "{{item}}" -# with_items: -# - virtualenv /srv/tunneldigger/ -p python2.7 -# - virtualenv /srv/tunneldigger/ when: tunneldigger.changed -# - name: Tunneldigger requirements -# pip: requirements=/srv/tunneldigger/broker/requirements.txt virtualenv=/srv/tunneldigger/ -# when: tunneldigger.changed - name: Copy l2tp broker config template template: src=./files/{{ item }} dest=/srv/tunneldigger owner=root group=root mode=0444 with_items: "{{ broker_cfg }}" 
@@ -204,57 +154,26 @@ copy: src=./files/{{ item }} dest=/etc/systemd/system owner=root group=root mode=0444 with_items: "{{ tunneldigger_service }}" when: tunneldigger.changed -########## - name: Add modules lineinfile: dest=/etc/modules line={{ item }} with_items: "{{ modules_required }}" register: modules_req -# - name: Load modules -# modprobe: name= "{{ item }}" -# with_items: "{{ modules_required }}" -# when: modules_req.changed -######### - name: Tunneldigger reload command: "{{item}}" with_items: - systemctl daemon-reload - systemctl enable tunneldigger.service -# - systemctl enable tunneldigger-backup.service when: tunneldigger.changed - name: Copy logrotate config copy: src=./files/{{ item }} dest=/etc/ owner=root group=root mode=0500 with_items: "{{logrotate_config}}" - name: Create freifunk directory file: path=/opt/freifunk state=directory mode=0755 -# - name: Create keepalive directory -# file: path=/etc/supernode-status state=directory mode=0755 -# - name: Create supernode config files -# file: path=/etc/supernode-status/{{ item }} state=touch owner=root group=root mode=0644 -# with_items: supernode_config -# - name: Supernode set default mode -# lineinfile: dest=/etc/supernode-status/{{ item }} regexp=^0 line=0 -# with_items: supernode_config -# - name: Check gateway / keepalive script supernode -# copy: src=./files/{{ item }} dest=/opt/freifunk owner=root group=root mode=0500 -# with_items: check_gw_script -# register: check_gw -# when: sn_exit is undefined -# - name: Check gateway / keepalive script super- and exitnode -# template: src=./files/keepalive.exit.sh.j2 dest=/opt/freifunk/keepalive.sh owner=root group=root mode=0500 -# register: check_gw -# when: sn_exit is defined -# - name: Add cron job with check gateway script -# cron: name=check_gw special_time=reboot job="/opt/freifunk/keepalive.sh > /dev/null 2>&1 &" user="root" -# when: check_gw.changed -# - name: Supernode Config script super- and exitnode -# copy: src=./files/supernode 
dest=/usr/bin/supernode owner=root group=root mode=0500 -# when: sn_exit is defined - name: Copy dhcpd template file template: src=./files/dhcpd.conf.j2 dest=/etc/dhcp/dhcpd.conf owner=root group=root mode=0444 register: dhcpd - name: Clone static DHCP config - git: repo=https://github.com/Freifunk-Troisdorf/static-dhcp - dest=/opt/freifunk/static-dhcp + git: repo="{{ static_dhcp_repo }}" dest=/opt/freifunk/static-dhcp when: dhcpd.changed - name: Add cron static DHCP cron: name=StaticDHCP minute="*" job="/opt/freifunk/static-dhcp/dhcp-update.sh" 
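Review bot: The `git:` task for the static DHCP checkout now takes its source from `static_dhcp_repo` but still has no `version:`, so every run checks out whatever the remote's default branch currently points at, and the `StaticDHCP` cron entry on the following lines runs `dhcp-update.sh` from that checkout as root every minute. Anyone who can push to the configured repository therefore gets root on every supernode; pin the checkout with `version: "<tag or commit sha>"` and, if dhcp-update.sh itself pulls (not visible here), pin there too. The hunk's enclosing tasks list continues beyond the lines shown.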
@@ -267,58 +186,40 @@ cron: name=backbone special_time=reboot job="/opt/freifunk/l2tp_backbone.sh" - name: Add cron startup script cron: name=startup special_time=reboot job="/opt/freifunk/sn_startup.sh" - - name: Copy backbone script - template: src=./files/l2tp_backbone.sh.j2 dest=/opt/freifunk/l2tp_backbone.sh owner=root group=root mode=0544 - when: sn_exit is undefined - name: Copy backbone script template: src=./files/l2tp_backbone.sh.exit.j2 dest=/opt/freifunk/l2tp_backbone.sh owner=root group=root mode=0544 - when: sn_exit is defined -# - name: Collectd template file -# template: src=./files/collectd.conf.j2 dest=/etc/collectd/collectd.conf owner=root group=root mode=0444 -# register: collectd -# - name: Restart collectd -# service: name=collectd state=restarted -# when: collectd.changed - - name: configure startup script supernode - template: src=./files/sn_startup.sh.j2 dest=/opt/freifunk/sn_startup.sh owner=root group=root mode=0500 - when: sn_exit is undefined - name: Exit node startup script super- and exitnode template: src=./files/sn_startup.exit.sh.j2 dest=/opt/freifunk/sn_startup.sh owner=root group=root mode=0500 when: sn_exit is defined + - name: Exit node startup script super- and exitnode + template: src=./files/sn_startup.local.exit.sh.j2 dest=/opt/freifunk/sn_startup.sh owner=root group=root mode=0500 + when: sn_local_exit is defined - name: SSH authorized_keys copy: src=./files/{{ item }} dest=/root/.ssh owner=root group=root mode=0400 with_items: "{{ authorized_keys }}" - - name: Bind9, activate fftdf zone - lineinfile: dest=/etc/bind/named.conf line='include "/etc/bind/fftdf/fftdf.conf";' state=present + - name: Bind9, activate ff zone + lineinfile: dest=/etc/bind/named.conf line='include "/etc/bind/ff/ff.conf";' state=present - name: Copy option template template: src=./files/named.conf.options.j2 dest=/etc/bind/named.conf.options owner=root group=bind mode=644 - - name: Create fftdf directory - file: path=/etc/bind/fftdf state=directory - 
- name: Copy FFTDF Zones - copy: src=./files/fftdf/{{ item }} dest=/etc/bind/fftdf/{{ item }} owner=root group=bind mode=644 + - name: Create ff directory + file: path=/etc/bind/ff state=directory + - name: Copy FF Zones + copy: src=./files/ff/{{ item }} dest=/etc/bind/ff/{{ item }} owner=root group=bind mode=644 with_items: - - fftdf.conf - - name: Copy fftdf Zone config template - template: src=./files/fftdf/db.fftdf.j2 dest=/etc/bind/fftdf/db.fftdf owner=radvd group=root mode=0444 + - ff.conf + - name: Copy ff Zone config template + template: src=./files/ff/db.ff.j2 dest=/etc/bind/ff/db.ff owner=bind group=root mode=0444 - name: Copy radvd config template template: src=./files/radvd.conf.j2 dest=/etc/radvd.conf owner=radvd group=root mode=0444 - name: Interface configuration with ffrl gre tunnel - copy: src=./files/interfaces-{{ sn_hostname }} dest=/etc/network/interfaces owner=root group=root mode=0544 - when: sn_exit is defined + template: src=./files/interfaces-{{ sn_hostname }}.j2 dest=/etc/network/interfaces owner=root group=root mode=0544 - apt: update_cache=yes - name: Install bird apt: state=present pkg=bird - when: sn_exit is defined - name: Bird configuration copy: src=./files/bird-{{ sn_hostname }}.conf dest=/etc/bird/bird.conf owner=bird group=bird mode=0444 - when: sn_exit is defined - name: Bird configuration copy: src=./files/bird6-{{ sn_hostname }}.conf dest=/etc/bird/bird6.conf owner=bird group=bird mode=0444 - when: sn_exit is defined -# - name: Get speedtest-cli -# get_url: url=https://raw.githubusercontent.com/MightySCollins/speedtest-cli/master/speedtest_cli.py dest=/usr/bin/speedtest-cli -# - name: Change rights speedtest-cli -# file: path=/usr/bin/speedtest-cli owner=root group=root mode=0755 - name: Copy Slacktee Config template: src=./files/slacktee.conf.j2 dest=/etc/slacktee.conf owner=root group=root mode=0544 - name: Copy Slacktee @@ -369,4 +270,3 @@ channel: "#technik" username: "Ansible on {{ inventory_hostname }}" parse: 'none' -
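Review bot: The two `template:` tasks both titled "Exit node startup script super- and exitnode" write the same destination `/opt/freifunk/sn_startup.sh` under non-exclusive conditions (`when: sn_exit is defined` and `when: sn_local_exit is defined`): a host with both variables gets the local-exit variant silently overriding the other, and a host with neither gets no script although the `startup` cron job still runs `/opt/freifunk/sn_startup.sh` at reboot. Make the conditions exclusive, e.g. `when: sn_local_exit is defined and sn_exit is undefined`, and give the tasks distinct names. The `Bind9, activate ff zone` task adds the new include with `state=present` but nothing removes the old `include "/etc/bind/fftdf/fftdf.conf";` line from `/etc/bind/named.conf`, so already-deployed hosts keep both includes and named will refuse to start once the fftdf files are cleaned up; add a matching `lineinfile ... state=absent` for the old line.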