Freifunk-Troisdorf/ansible.fftdf.supernode
5
0
Fork 0
Code Issues 1 Pull Requests Releases Wiki Activity

+ bird BGP config

Browse Source 
+ new FFRL exit super nodes
+ new keepalive for ffrl exit
This commit is contained in:
Ansible Admin 2016-01-09 19:50:44 +01:00
parent 699116600e
commit fce5d81274
17 changed files with 760 additions and 139 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

84
files/bird-troisdorf5.conf Normal file
View File

@ -0,0 +1,84 @@
/*
* This is an example configuration file.
*/
# Yes, even shell-like comments work...
# Configure logging
#log syslog { debug, trace, info, remote, warning, error, auth, fatal, bug };
#log stderr all;
#log "tmp" all;
#log syslog all;
#debug protocols all;
# Override router ID
router id 10.188.255.5;
protocol direct {
interface "*";
};
protocol kernel {
device routes;
import all;
export all;
kernel table 42;
};
protocol device {
scan time 8;
};
function is_default() {
return (net ~ [0.0.0.0/0]);
};
# own network
function is_self_net() {
return (net ~ [ 10.188.0.0/16+ ]);
}
# freifunk ip ranges in general
function is_freifunk() {
return net ~ [ 10.0.0.0/8+,
104.0.0.0/8+
];
}
filter hostroute {
if net ~ 185.66.193.105/32 then accept;
reject;
};
# Uplink über ff Rheinland
template bgp uplink {
local as 65066;
import where is_default();
export filter hostroute;
next hop self;
multihop 64;
default bgp_local_pref 200;
};
protocol bgp ffrl_bb_a_ak_ber from uplink {
source address 100.64.2.151;
neighbor 100.64.2.150 as 201701;
};
protocol bgp ffrl_bb_b_ak_ber from uplink {
source address 100.64.2.153;
neighbor 100.64.2.152 as 201701;
};
protocol bgp ffrl_bb_a_ix_dus from uplink {
source address 100.64.2.155;
neighbor 100.64.2.154 as 201701;
};
protocol bgp ffrl_bb_b_ix_dus from uplink {
source address 100.64.2.157;
neighbor 100.64.2.156 as 201701;
};

84
files/bird-troisdorf6.conf Normal file
View File

@ -0,0 +1,84 @@
/*
* This is an example configuration file.
*/
# Yes, even shell-like comments work...
# Configure logging
#log syslog { debug, trace, info, remote, warning, error, auth, fatal, bug };
#log stderr all;
#log "tmp" all;
#log syslog all;
#debug protocols all;
# Override router ID
router id 10.188.255.6;
protocol direct {
interface "*";
};
protocol kernel {
device routes;
import all;
export all;
kernel table 42;
};
protocol device {
scan time 8;
};
function is_default() {
return (net ~ [0.0.0.0/0]);
};
# own network
function is_self_net() {
return (net ~ [ 10.188.0.0/16+ ]);
}
# freifunk ip ranges in general
function is_freifunk() {
return net ~ [ 10.0.0.0/8+,
104.0.0.0/8+
];
}
filter hostroute {
if net ~ 185.66.193.106/32 then accept;
reject;
};
# Uplink über ff Rheinland
template bgp uplink {
local as 65066;
import where is_default();
export filter hostroute;
next hop self;
multihop 64;
default bgp_local_pref 200;
};
protocol bgp ffrl_bb_a_ak_ber from uplink {
source address 100.64.2.159;
neighbor 100.64.2.158 as 201701;
};
protocol bgp ffrl_bb_b_ak_ber from uplink {
source address 100.64.2.161;
neighbor 100.64.2.160 as 201701;
};
protocol bgp ffrl_bb_a_ix_dus from uplink {
source address 100.64.2.163;
neighbor 100.64.2.162 as 201701;
};
protocol bgp ffrl_bb_b_ix_dus from uplink {
source address 100.64.2.165;
neighbor 100.64.2.164 as 201701;
};

82
files/bird6-troisdorf5.conf Normal file
View File

@ -0,0 +1,82 @@
# Configure logging
#log syslog { debug, trace, info, remote, warning, error, auth, fatal, bug };
#log stderr all;
#log "tmp" all;
#log syslog all;
#debug protocols all;
# Override router ID
router id 10.188.255.5;
protocol direct {
# interface "*"; # Restrict network interfaces it works with
# interface "bat0", "gre-*", "eth*", "lo"; # Restrict network interfaces it works with
interface "bat0", "gre-*", "lo"; # Restrict network interfaces it works with
}
protocol kernel {
device routes;
import all;
export all; # Default is export none
kernel table 42; # Kernel table to synchronize with (default: main)
}
protocol device {
scan time 10; # Scan interfaces every 10 seconds
}
function is_default() {
return (net ~ [::/0]);
}
# own networks
function is_self_net() {
return net ~ [ fda0:747e:ab29:7405::/64+ ];
}
# freifunk ip ranges in general
function is_freifunk() {
return net ~ [ fc00::/7{48,64},
2001:bf7::/32+];
}
filter hostroute {
if net ~ 2a03:2260:121::/48 then accept;
reject;
}
# Uplink zum FF Rheinland
template bgp uplink {
local as 65066;
import where is_default();
export filter hostroute;
gateway recursive;
}
protocol bgp ffrl_bb_a_ak_ber from uplink {
source address 2a03:2260:0:155::2;
neighbor 2a03:2260:0:155::1 as 201701;
}
protocol bgp ffrl_bb_b_ak_ber from uplink {
source address 2a03:2260:0:156::2;
neighbor 2a03:2260:0:156::1 as 201701;
}
protocol bgp ffrl_bb_a_ix_dus from uplink {
source address 2a03:2260:0:157::2;
neighbor 2a03:2260:0:157::1 as 201701;
}
protocol bgp ffrl_bb_b_ix_dus from uplink {
source address 2a03:2260:0:158::2;
neighbor 2a03:2260:0:158::1 as 201701;
}

82
files/bird6-troisdorf6.conf Normal file
View File

@ -0,0 +1,82 @@
# Configure logging
#log syslog { debug, trace, info, remote, warning, error, auth, fatal, bug };
#log stderr all;
#log "tmp" all;
#log syslog all;
#debug protocols all;
# Override router ID
router id 10.188.255.6;
protocol direct {
# interface "*"; # Restrict network interfaces it works with
# interface "bat0", "gre-*", "eth*", "lo"; # Restrict network interfaces it works with
interface "bat0", "gre-*", "lo"; # Restrict network interfaces it works with
}
protocol kernel {
device routes;
import all;
export all; # Default is export none
kernel table 42; # Kernel table to synchronize with (default: main)
}
protocol device {
scan time 10; # Scan interfaces every 10 seconds
}
function is_default() {
return (net ~ [::/0]);
}
# own networks
function is_self_net() {
return net ~ [ fda0:747e:ab29:7405::/64+ ];
}
# freifunk ip ranges in general
function is_freifunk() {
return net ~ [ fc00::/7{48,64},
2001:bf7::/32+];
}
filter hostroute {
if net ~ 2a03:2260:121::/48 then accept;
reject;
}
# Uplink zum FF Rheinland
template bgp uplink {
local as 65066;
import where is_default();
export filter hostroute;
gateway recursive;
}
protocol bgp ffrl_bb_a_ak_ber from uplink {
source address 2a03:2260:0:159::2;
neighbor 2a03:2260:0:159::1 as 201701;
}
protocol bgp ffrl_bb_b_ak_ber from uplink {
source address 2a03:2260:0:15a::2;
neighbor 2a03:2260:0:15a::1 as 201701;
}
protocol bgp ffrl_bb_a_ix_dus from uplink {
source address a03:2260:0:15b::2;
neighbor 2a03:2260:0:15b::1 as 201701;
}
protocol bgp ffrl_bb_b_ix_dus from uplink {
source address 2a03:2260:0:15c::2;
neighbor 2a03:2260:0:15c::1 as 201701;
}

2
files/collectd.conf.j2
View File

@ -26,7 +26,7 @@ LoadPlugin processes
LoadPlugin users
LoadPlugin uptime
LoadPlugin interface
LoadPugin filecount
LoadPlugin filecount
<Plugin "filecount">
<Directory "/opt/freifunk/tunneldigger_interfaces">
Instance "tunneldigger-connections"

7
files/dhcpd.conf.j2
View File

@ -1,4 +1,4 @@
# Version 1.2
# Version 1.3
ddns-update-style none;
option domain-name "fftdf";
default-lease-time 300;
@ -7,8 +7,9 @@ log-facility local7;
subnet 10.188.0.0 netmask 255.255.0.0 {
authoritative;
range {{ sn_dhcp_range }};
option domain-name-servers {{ sn_mesh_IPv4 }}, {{ sn_dhcp_dns }};
option routers {{ sn_dhcp_router }};
option domain-name-servers {{ sn_mesh_IPv4 }}, {{ sn_dhcp_dns_v4 }};
option routers {{ sn_mesh_IPv4 }};
option interface-mtu {{ sn_mtu }};
interface bat0;
}
include "/opt/freifunk/static-dhcp/static.conf";

22
files/dhcpd6.conf.j2 Normal file
View File

@ -0,0 +1,22 @@
# Enable RFC 5007 support (same than for DHCPv4)
allow leasequery;
authoritative;
default-lease-time 300;
max-lease-time 600;
#option dhcp6.name-servers {{ sn_mesh_IPv6 }};
option dhcp6.name-servers {{ sn_mesh_IPv6 }}, {{ sn_dhcp_dns_v6 }};
option dhcp6.domain-search "fftdf";
subnet6 2a03:2260:121::/64 {
#
# # Range for clients
# range6 2a03:2260:121::201 2a03:2260:121::ffff;
#
# # Range for clients requesting a temporary address
# range6 2a03:2260:121::/64 temporary;
}

57
files/gre_backbone.sh.j2
View File

@ -1,57 +0,0 @@
#!/bin/sh
# Server name ending must be a single digit number
communityname="troisdorf"
server="troisdorf0 {{ sn_hostname }}"
domain="freifunk-troisdorf.de"
mtu={{ sn_mtu }}
# community MAC address, without the last Byte (:)!
communitymacaddress="a2:8c:ae:6f:f6"
# Network part of the network, without the trailing dot
communitynetwork="10.188"
# IPv6 network
communitynetworkv6="fda0:747e:ab29:7405:255::"
# Third octet from the server range
octet3rd="255"
# CIDR muss /16 sein
localserver=$(/bin/hostname)
# files
batadv=/usr/local/sbin/batadv-vis
alfred=/usr/local/sbin/alfred
batctl=/usr/local/sbin/batctl
for i in $server; do
(
for j in $server; do
if [ $i != $j ]; then
if [ $i = $(/bin/hostname) ]; then
/sbin/ip link add $j type gretap local $(/bin/hostname -I | /usr/bin/cut -f1 -d' ') remote $(/usr/bin/dig +short $j.$domain) dev eth0 nopmtudisc
# /sbin/ip link add $j type gretap local $(/bin/hostname -I | /usr/bin/cut -f1 -d' ') remote $(/usr/bin/dig +short $j.$domain) dev eth0
/sbin/ip link set dev $j mtu $mtu
# /sbin/ip link set address $communitymacaddress:${i#$communityname}${j#$communityname} dev $j
# /sbin/ip link set address $communitymacaddress$:0${localserver#$communityname} dev $j
/sbin/ip link set address $communitymacaddress$:${localserver#$communityname}0 dev $j
/sbin/ip link set $j up
$batctl if add $j
fi
fi
done
)
done
# configure bat0
/sbin/ip link set address $communitymacaddress$:0${localserver#$communityname} dev bat0
/sbin/ip link set up dev bat0
/sbin/ip addr add $communitynetwork.$octet3rd.${localserver#$communityname}/16 broadcast $communitynetwork.255.255 dev bat0
/sbin/ip -6 addr add fda0:747e:ab29:7405:255::${localserver#$communityname}/64 dev bat0
/usr/bin/killall alfred
/usr/bin/killall batadv-vis
/bin/sleep 5
$alfred -i bat0 > /dev/null 2>&1 &
/bin/sleep 15
$batadv -i bat0 -s > /dev/null 2>&1 &
/usr/sbin/service bind9 restart

80
files/interfaces-troisdorf5 Normal file
View File

@ -0,0 +1,80 @@
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
up ip address add 185.66.193.105/32 dev lo
iface lo inet6 loopback
up ip address add 2a03:2260:121::105/48 dev lo
# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp
iface eth0 inet6 static
address 2a01:4f8:c17:173b::2
netmask 64
gateway fe80::1
# GRE Tunnel zum Rheinland Backbone
# - Die Konfigurationsdaten werden vom Rheinland Backbone vergeben und zugewiesen
# Berlin Router A
auto gre-bb-a.ak.ber
iface gre-bb-a.ak.ber inet static
address 100.64.2.151
netmask 255.255.255.254
pre-up ip tunnel add $IFACE mode gre local 172.31.1.100 remote 185.66.195.0 ttl 255
post-up ip link set $IFACE mtu 1400
post-down ip tunnel del $IFACE
iface gre-bb-a.ak.ber inet6 static
address 2a03:2260:0:155::2/64
netmask 64
# Berlin Router B
auto gre-bb-b.ak.ber
iface gre-bb-b.ak.ber inet static
address 100.64.2.153
netmask 255.255.255.254
pre-up ip tunnel add $IFACE mode gre local 172.31.1.100 remote 185.66.195.1 ttl 255
post-up ip link set $IFACE mtu 1400
post-down ip tunnel del $IFACE
iface gre-bb-b.ak.ber inet6 static
address 2a03:2260:0:156::2/64
netmask 64
# Duesseldorf Router A
auto gre-bb-a.ix.dus
iface gre-bb-a.ix.dus inet static
address 100.64.2.155
netmask 255.255.255.254
pre-up ip tunnel add $IFACE mode gre local 172.31.1.100 remote 185.66.193.0 ttl 255
post-up ip link set $IFACE mtu 1400
post-down ip tunnel del $IFACE
iface gre-bb-a.ix.dus inet6 static
address 2a03:2260:0:157::2/64
netmask 64
# Duesseldorf Router B
auto gre-bb-b.ix.dus
iface gre-bb-b.ix.dus inet static
address 100.64.2.157
netmask 255.255.255.254
pre-up ip tunnel add $IFACE mode gre local 172.31.1.100 remote 185.66.193.1 ttl 255
post-up ip link set $IFACE mtu 1400
post-down ip tunnel del $IFACE
iface gre-bb-b.ix.dus inet6 static
address 2a03:2260:0:158::2/64
netmask 64

85
files/interfaces-troisdorf6 Normal file
View File

@ -0,0 +1,85 @@
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
up ip address add 185.66.193.106/32 dev lo
iface lo inet6 loopback
up ip address add 2a03:2260:121::106/48 dev lo
# The primary network interface
allow-hotplug eth0
#iface eth0 inet dhcp
iface eth0 inet static
address 46.4.138.189
netmask 255.255.255.192
gateway 46.4.138.129
dns-nameserver 213.133.100.100 213.133.99.99 213.133.98.98
iface eth0 inet6 static
address 2a01:4f8:11d:600::189
netmask 59
gateway 2a01:4f8:11d:600::1
# GRE Tunnel zum Rheinland Backbone
# - Die Konfigurationsdaten werden vom Rheinland Backbone vergeben und zugewiesen
# Berlin Router A
auto gre-bb-a.ak.ber
iface gre-bb-a.ak.ber inet static
address 100.64.2.159
netmask 255.255.255.254
pre-up ip tunnel add $IFACE mode gre local 46.4.138.189 remote 185.66.195.0 ttl 255
post-up ip link set $IFACE mtu 1400
post-down ip tunnel del $IFACE
iface gre-bb-a.ak.ber inet6 static
address 2a03:2260:0:159::2/64
netmask 64
# Berlin Router B
auto gre-bb-b.ak.ber
iface gre-bb-b.ak.ber inet static
address 100.64.2.161
netmask 255.255.255.254
pre-up ip tunnel add $IFACE mode gre local 46.4.138.189 remote 185.66.195.1 ttl 255
post-up ip link set $IFACE mtu 1400
post-down ip tunnel del $IFACE
iface gre-bb-b.ak.ber inet6 static
address 2a03:2260:0:15a::2/64
netmask 64
# Duesseldorf Router A
auto gre-bb-a.ix.dus
iface gre-bb-a.ix.dus inet static
address 100.64.2.163
netmask 255.255.255.254
pre-up ip tunnel add $IFACE mode gre local 46.4.138.189 remote 185.66.193.0 ttl 255
post-up ip link set $IFACE mtu 1400
post-down ip tunnel del $IFACE
iface gre-bb-a.ix.dus inet6 static
address 2a03:2260:0:15b::2/64
netmask 64
# Duesseldorf Router B
auto gre-bb-b.ix.dus
iface gre-bb-b.ix.dus inet static
address 100.64.2.165
netmask 255.255.255.254
pre-up ip tunnel add $IFACE mode gre local 46.4.138.189 remote 185.66.193.1 ttl 255
post-up ip link set $IFACE mtu 1400
post-down ip tunnel del $IFACE
iface gre-bb-b.ix.dus inet6 static
address 2a03:2260:0:15c::2/64
netmask 64

80
files/keepalive.sh
View File

@ -1,50 +1,44 @@
#!/bin/bash
INTERFACE=eth0 # Set to name of VPN interface
shopt -s nullglob
# Version 1.4
# Parameter setzen
GATEWAY1=185.66.193.105
GATEWAY2=185.66.193.106
GATEWAY1v6=2a03:2260:121::255:5
GATEWAY2v6=2a03:2260:121::255:6
IP=/sbin/ip
PING=/bin/ping
BATCTL=/usr/local/sbin/batctl
# Test whether gateway is connected to the outer world via VPN
ping -q -I $INTERFACE 8.8.8.8 -c 4 -i 1 -W 5 >/dev/null 2>&1
if test $? -eq 0; then
NEW_STATE=server
else
NEW_STATE=off
fi
# Iterate through network interfaces in sys file system
for MESH in /sys/class/net/*/mesh; do
# Check whether gateway modus needs to be changed
OLD_STATE="$(cat $MESH/gw_mode)"
[ "$OLD_STATE" == "$NEW_STATE" ] && continue
echo $NEW_STATE > $MESH/gw_mode
echo 92MBit/92MBit > $MESH/gw_bandwidth
logger "batman gateway mode changed to $NEW_STATE"
# Check whether gateway modus has been deactivated
if [ "$NEW_STATE" == "off" ]; then
# Shutdown DHCP server to prevent renewal of leases
/usr/sbin/service isc-dhcp-server stop
fi
# Check whether gateway modus has been activated
if [ "$NEW_STATE" == "server" ]; then
# Restart DHCP server
/usr/sbin/service isc-dhcp-server start
fi
exit 0
done
if [ "$NEW_STATE" == "server" ]; then
/usr/sbin/service isc-dhcp-server status 2>&1> /dev/null
if $? -ne 0
if [ "hostname = troisdorf1 | troisdorf2" ]
then
/usr/sbin/service isc-dhcp-server restart
fi
DEFAULT_GATEWAY=$GATEWAY1
FALLBACK_GATEWAY=$GATEWAY2
DEFAULT_GATEWAYv6=$GATEWAY1v6
FALLBACK_GATEWAYv6=$GATEWAY2v6
else
DEFAULT_GATEWAY=$GATEWAY2
FALLBACK_GATEWAY=$GATEWAY1
DEFAULT_GATEWAYv6=$GATEWAY2v6
FALLBACK_GATEWAYv6=$GATEWAY1v6
fi
if [ "$NEW_STATE" == "off" ]; then
/usr/sbin/service isc-dhcp-server status 2>&1> /dev/null
if $? -eq 0
if $PING -c 1 $DEFAULT_GATEWAY
then
/usr/sbin/service isc-dhcp-server stop
$IP route replace default via $DEFAULT_GATEWAY table 42
$IP -6 route replace default via $DEFAULT_GATEWAYv6 table 42
$BATCTL gw server 100Mbit/100Mbit
echo "Gateway erreichbar"
else
if $PING -c 1 $FALLBACK_GATEWAY
then
$IP route replace default via $FALLBACK_GATEWAY table 42
$IP -6 route replace default via $FALLBACK_GATEWAYv6 table 42
$BATCTL gw server 80Mbit/80Mbit
echo "Nun FALLBACK_GATEWAY"
else
$BATCTL gw off
#Kein Gateway erreichbar, batctl gw off
fi
fi

58
files/l2tp_backbone.sh.exit.j2 Normal file
View File

@ -0,0 +1,58 @@
#!/bin/sh
# Version 6
# Der servername muss mit einer einstelligen Zahl aufhoeren!!!!!
communityname="troisdorf"
#server="troisdorf1 troisdorf2 troisdorf3 troisdorf4 troisdorf5 troisdorf6 troisdorf7 troisdorf8 troisdorf9"
server="troisdorf7 {{ sn_hostname }}"
domain="freifunk-troisdorf.de"
mtu={{ sn_mtu }}
# community MAC address, without the last Byte (:)!
communitymacaddress="a2:8c:ae:6f:f6"
tunnelPrefix=10
sessionPrefix=1
# Netzwerkteil des Netzes, ohne abschliessenden Punkt
communitynetwork="10.188"
# IPv6 network
#communitynetworkv6="fda0:747e:ab29:7405:255::"
communitynetworkv6="2a03:2260:121::"
# Drittes Octet des serverbereichs
octet3rd="255"
# CIDR muss /16 sein
localserver=$(/bin/hostname)
batadv=/usr/local/sbin/batadv-vis
alfred=/usr/local/sbin/alfred
batctl=/usr/local/sbin/batctl
ip=/sbin/ip
dig=/usr/bin/dig
for i in $server; do
(
for j in $server; do
if [ $i != $j ]; then
if [ $i = $localserver ]; then
ip l2tp add tunnel remote $($dig +short $j.$domain) local $(/bin/hostname -I | /usr/bin/cut -f1 -d' ') tunnel_id $tunnelPrefix${i#$communityname}${j#$communityname} peer_tunnel_id $tunnelPrefix${j#$communityname}${i#$communityname} encap udp udp_sport 300${i#$communityname}${j#$communityname} udp_dport 300${j#$communityname}${i#$communityname}
ip l2tp add session name l2tp-$j tunnel_id $tunnelPrefix${i#$communityname}${j#$communityname} session_id $sessionPrefix${i#$communityname}${j#$communityname} peer_session_id $sessionPrefix${j#$communityname}${i#$communityname}
#ip link set address $communitymacaddress:${i#$communityname}${j#$communityname} dev l2tp-$j
ip link set dev l2tp-$j mtu $mtu
ip link set up l2tp-$j
$batctl if add l2tp-$j
fi
fi
done
)
done
# Rest starten
$ip link set address $communitymacaddress:0${localserver#$communityname} dev bat0
$ip link set up dev bat0
$ip addr add $communitynetwork.$octet3rd.${localserver#$communityname}/16 broadcast $communitynetwork.255.255 dev bat0
$ip -6 addr add $communitynetworkv6$octet3rd:${localserver#$communityname}/64 dev bat0
/usr/bin/killall alfred
/usr/bin/killall batadv-vis
/bin/sleep 5
$alfred -i bat0 > /dev/null 2>&1 &
/bin/sleep 15
$batadv -i bat0 -s > /dev/null 2>&1 &
/usr/sbin/service bind9 restart
/usr/local/sbin/batctl gw client 3

10
files/l2tp_backbone.sh.j2
View File

@ -1,9 +1,9 @@
#!/bin/sh
# Version 5
# Version 6
# Der servername muss mit einer einstelligen Zahl aufhoeren!!!!!
communityname="troisdorf"
server="troisdorf1 troisdorf2 troisdorf3 troisdorf4 troisdorf5 troisdorf6 troisdorf7 troisdorf8 troisdorf9"
#server="troisdorf0 {{ sn_hostname }}"
#server="troisdorf7 {{ sn_hostname }}"
domain="freifunk-troisdorf.de"
mtu={{ sn_mtu }}
# community MAC address, without the last Byte (:)!
@ -13,7 +13,8 @@ sessionPrefix=1
# Netzwerkteil des Netzes, ohne abschliessenden Punkt
communitynetwork="10.188"
# IPv6 network
communitynetworkv6="fda0:747e:ab29:7405:255::"
#communitynetworkv6="fda0:747e:ab29:7405:255::"
communitynetworkv6="2a03:2260:121::"
# Drittes Octet des serverbereichs
octet3rd="255"
# CIDR muss /16 sein
@ -46,7 +47,7 @@ $ip link set address $communitymacaddress:0${localserver#$communityname} dev bat
#$ip link set address $communitymacaddress:ff dev bat0
$ip link set up dev bat0
$ip addr add $communitynetwork.$octet3rd.${localserver#$communityname}/16 broadcast $communitynetwork.255.255 dev bat0
$ip -6 addr add $communitynetworkv6${localserver#$communityname}/64 dev bat0
$ip -6 addr add $communitynetworkv6$octet3rd:${localserver#$communityname}/64 dev bat0
/usr/bin/killall alfred
/usr/bin/killall batadv-vis
@ -55,3 +56,4 @@ $alfred -i bat0 > /dev/null 2>&1 &
/bin/sleep 15
$batadv -i bat0 -s > /dev/null 2>&1 &
/usr/sbin/service bind9 restart
/usr/local/sbin/batctl gw server 100Mbit/100Mbit

3
files/radvd.conf.j2
View File

@ -3,7 +3,8 @@ interface bat0 {
IgnoreIfMissing on;
MaxRtrAdvInterval 200;
RDNSS {{ sn_mesh_IPv6 }} {};
prefix fda0:747e:ab29:7405::/64 {
# prefix fda0:747e:ab29:7405::/64 {
prefix 2a03:2260:121::/64 {
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;

68
files/sn_startup.exit.sh.j2 Normal file
View File

@ -0,0 +1,68 @@
#!/bin/sh
curl -X POST --data-urlencode 'payload={"text": "{{ sn_hostname }} is rebooted", "channel": "#technik", "username": "{{ sn_hostname }}", "icon_emoji": ":floppy_disk:"}' https://hooks.slack.com/services/{{ slack_token }}
# Block RFC1918 and APIPA destination via WAN
/sbin/iptables -P OUTPUT ACCEPT
for i in 10.0.0.0/8 172.16.0.0/12 169.254.0.0/16 192.168.0.0/16; do
/sbin/iptables -A OUTPUT -o eth0 -d $i -j DROP
done
# Activate IP forwarding
/sbin/sysctl -w net.ipv6.conf.all.forwarding=1
/sbin/sysctl -w net.ipv4.ip_forward=1
# restart when kernel panic
/sbin/sysctl kernel.panic=1
# Routing table 42
/bin/grep 42 /etc/iproute2/rt_tables || /bin/echo 42 ffrl >> /etc/iproute2/rt_tables
# Set table for traffice with mark 4
/bin/ip rule add fwmark 0x4 table 42
/bin/ip -6 rule add fwmark 0x4 table 42
# Set mark 4 to Freifunk traffic
/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MARK --set-mark 4
#/sbin/ip6tables -t mangle -A PREROUTING -s 2a03:2260:121::/48 ! -d 2a03:2260:121::/48 -j MARK --set-mark 4
/sbin/ip6tables -t mangle -A PREROUTING -s 2a03:2260:121::/64 ! -d 2a03:2260:121::/64 -j MARK --set-mark 4
# NAT on eth0
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# NAT on GRE Freifunk interface
#/sbin/iptables -t nat -A POSTROUTING -o gre-+ -j SNAT --to-source 185.66.193.105
/sbin/iptables -t nat -A POSTROUTING -o gre-+ -j SNAT --to-source {{ sn_ffrl_IPv4 }}
# MTU
/sbin/iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-+ -j TCPMSS --set-mss 1312
/sbin/ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-+ -j TCPMSS --set-mss 1312
# All from FF IPv4 via routing table 42
/bin/ip rule add from {{ sn_ffrl_IPv4 }}/32 lookup 42
/bin/ip -6 rule add from 2a03:2260:121::/64 lookup 42
# Allow MAC address spoofing
/sbin/sysctl net.ipv4.conf.bat0.rp_filter=0
sleep 5
# stop tunneldigger
/bin/systemctl disable tunneldigger
/bin/systemctl stop tunneldigger
# restart bird
/bin/systemctl start bird
/bin/systemctl start bird6
/bin/systemctl enable bird
/bin/systemctl enable bird6
# stop radvd
/bin/systemctl disable radvd
/bin/systemctl stop radvd
# restart DHCP
/bin/systemctl disable isc-dhcp-server
/bin/systemctl stop isc-dhcp-server
exit 0

46
files/sn_startup.sh.j2
View File

@ -2,17 +2,6 @@
curl -X POST --data-urlencode 'payload={"text": "{{ sn_hostname }} is rebooted", "channel": "#technik", "username": "{{ sn_hostname }}", "icon_emoji": ":floppy_disk:"}' https://hooks.slack.com/services/{{ slack_token }}
# Stop tunneldigger until bat0 is up
/usr/sbin/service tunneldigger stop
# Set unreachable for table 200
#/bin/ip route add unreachable 0.0.0.0/0 table iffy
#while ! ping -c 1 -W 1 {{ sn_iffy_traffic }}; do
# echo "Waiting for {{ sn_iffy_traffic }} - network interface might be down..."
# sleep 5
#done
# Block RFC1918 and APIPA destination via WAN
/sbin/iptables -P OUTPUT ACCEPT
for i in 10.0.0.0/8 172.16.0.0/12 169.254.0.0/16 192.168.0.0/16; do
@ -22,36 +11,47 @@ done
# Activate IP forwarding
/sbin/sysctl -w net.ipv6.conf.all.forwarding=1
/sbin/sysctl -w net.ipv4.ip_forward=1
# restart when kernel panic
/sbin/sysctl kernel.panic=1
# Routing table 200 for traffic above port 1023
#/bin/grep 200 /etc/iproute2/rt_tables || /bin/echo 200 iffy >> /etc/iproute2/rt_tables
# Stop tunneldigger until bat0 is up
/usr/sbin/service tunneldigger stop
# Routing table 42
/bin/grep 42 /etc/iproute2/rt_tables || /bin/echo 42 ffrl >> /etc/iproute2/rt_tables
# Set table for traffice with mark 4
#/bin/ip rule add fwmark 0x4 table iffy
/bin/ip rule add fwmark 0x4 table 42
/bin/ip -6 rule add fwmark 0x4 table 42
# Set mark 4 to traffic above port 1023
#/sbin/iptables -t mangle -A PREROUTING -p tcp --dport 1024:65535 -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MARK --set-mark 4
#/sbin/iptables -t mangle -A PREROUTING -p udp --dport 1024:65535 -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MARK --set-mark 4
# Set mark 4 to Freifunk traffic
/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MARK --set-mark 4
/sbin/ip6tables -t mangle -A PREROUTING -s 2a03:2260:121::/48 ! -d 2a03:2260:121::/48 -j MARK --set-mark 4
/sbin/ip6tables -t mangle -A PREROUTING -s 2a03:2260:121::/64 ! -d 2a03:2260:121::/64 -j MARK --set-mark 4
# NAT on eth0
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# All from FF IPv4 via routing table 42
/bin/ip rule add from 185.66.193.104/30 lookup 42
/bin/ip -6 rule add from 2a03:2260:121::/64 lookup 42
# Allow MAC address spoofing
/sbin/sysctl net.ipv4.conf.bat0.rp_filter=0
# Set gateway for table 200
#/bin/ip route replace default via {{ sn_iffy_traffic }} table iffy
sleep 5
# Start tunneldigger
/usr/sbin/service tunneldigger restart
/bin/systemctl restart tunneldigger
/bin/systemctl enable tunneldigger
# radvd restart
/usr/sbin/service radvd restart
/bin/systemctl restart radvd
/bin/systemctl enable radvd
# restart DHCP
/usr/sbin/service isc-dhcp-server restart
/bin/systemctl restart isc-dhcp-server
/bin/systemctl enable isc-dhcp-server
exit 0

47
install.sn.yml
View File

@ -9,7 +9,7 @@
user: root
gather_facts: False
vars:
snversion: master_v1.9.3
snversion: master_v2.0
batmanversion: v2015.2
common_required_packages:
- git
@ -62,6 +62,8 @@
- authorized_keys
logrotate_config:
- logrotate.conf
tunneld_stats_file:
- collectd_td_stat.sh
tasks:
@ -95,12 +97,12 @@
poll: 0
ignore_errors: true
when: sethostname.changed
- name: waiting for server to come back
- name: waiting for server to come back (1st)
local_action:
wait_for
host={{ inventory_hostname }}
port=22
delay=15
delay=20
timeout=300
when: hosts.changed
when: sethostname.changed
@ -194,13 +196,24 @@
copy: src=./files/{{ item }} dest=/opt/freifunk owner=root group=root mode=0500
with_items: check_gw_script
register: check_gw
when: sn_exit is undefined
- name: Add cron job with check gateway script
cron: name=check_gw job="/opt/freifunk/keepalive.sh > /dev/null 2>&1" user="root"
when: check_gw.changed
- name: Tunneldigger stats
copy: src=./files/{{ item }} dest=/opt/freifunk owner=root group=root mode=0500
with_items: tunneld_stats_file
register: tunneld_stats
when: sn_exit is undefined
- name: Add cron job tunneldigger stats
cron: name=tunneld_stats job="/opt/freifunk/collectd_td_stat.sh > /dev/null 2>&1" user="root"
when: tunneld_stats.changed
- name: Copy dhcpd template file
template: src=./files/dhcpd.conf.j2 dest=/etc/dhcp/dhcpd.conf owner=root group=root mode=0444
register: dhcpd
- name: Clone static DHCP config
git: repo=https://github.com/Freifunk-Troisdorf/static-dhcp
dest=/opt/freifunk/static-dhcp
@ -208,7 +221,6 @@
- name: Add cron static DHCP
cron: name=StaticDHCP minute="*" job="/opt/freifunk/static-dhcp/dhcp-update.sh"
when: dhcpd.changed
- name: Restart dhcpd
service: name=isc-dhcp-server state=restarted
when: dhcpd.changed
@ -217,8 +229,14 @@
cron: name=backbone special_time=reboot job="/opt/freifunk/l2tp_backbone.sh"
- name: Add cron startup script
cron: name=startup special_time=reboot job="/opt/freifunk/sn_startup.sh"
- name: Copy backbone script
template: src=./files/l2tp_backbone.sh.j2 dest=/opt/freifunk/l2tp_backbone.sh owner=root group=root mode=0544
when: sn_exit is undefined
- name: Copy backbone script
template: src=./files/l2tp_backbone.sh.exit.j2 dest=/opt/freifunk/l2tp_backbone.sh owner=root group=root mode=0544
when: sn_exit is defined
- name: Collectd template file
template: src=./files/collectd.conf.j2 dest=/etc/collectd/collectd.conf owner=root group=root mode=0444
register: collectd
@ -227,6 +245,7 @@
when: collectd.changed
- name: configure startup script
template: src=./files/sn_startup.sh.j2 dest=/opt/freifunk/sn_startup.sh owner=root group=root mode=0500
when: sn_exit is undefined
- name: SSH authorized_keys
copy: src=./files/{{ item }} dest=/root/.ssh owner=root group=root mode=0400
with_items: authorized_keys
@ -243,6 +262,22 @@
template: src=./files/alfred.sh.j2 dest=/opt/freifunk/alfred.sh owner=root group=root mode=0544
- name: Add cron job with alfred info script
cron: name=alfred_info job="/opt/freifunk/alfred.sh > /dev/null 2>&1" user="root"
- name: Interface configuration with ffrl gre tunnel
copy: src=./files/interfaces-{{ sn_hostname }} dest=/etc/network/interfaces owner=root group=root mode=0544
when: sn_exit is defined
- name: Exit node startup script
template: src=./files/sn_startup.exit.sh.j2 dest=/opt/freifunk/sn_startup.sh owner=root group=root mode=0500
when: sn_exit is defined
- apt: update_cache=yes
- name: Install bird
apt: state=installed pkg=bird
when: sn_exit is defined
- name: Bird configuration
copy: src=./files/bird-{{ sn_hostname }}.conf dest=/etc/bird/bird.conf owner=bird group=bird mode=0444
when: sn_exit is defined
- name: Bird configuration
copy: src=./files/bird6-{{ sn_hostname }}.conf dest=/etc/bird/bird6.conf owner=bird group=bird mode=0444
when: sn_exit is defined
- name: Reboot the server finally
shell: sleep 2 && shutdown -r now "Ansible updates triggered"
async: 1
@ -256,7 +291,7 @@
wait_for
host={{ inventory_hostname }}
port=22
delay=15
delay=20
timeout=300
when: tunneldigger.changed
- name: Send notification message via Slack