Compare commits


No commits in common. "4fa9ebfb44488296df1ce18fa9899e7c643320f2" and "d983feb72902c0ca6f34b76aedae2e4e246a06ab" have entirely different histories.

6 changed files with 8 additions and 23 deletions

1
.gitignore vendored

@ -1 +0,0 @@
.DS_Store


@ -1,7 +1,7 @@
wireguard_unmanaged_peers: wireguard_unmanaged_peers:
vpn1-testing: vpn1-testing:
public_key: zaxk4sSdmg/NBnjdLaslBA6sljpeW0RPWX00tKq2bnI= public_key: 8BoLoKRwSNRdUe0uygneYFdTIx5iHwoMENbnzpomYCI=
allowed_ips: 10.255.1.2/32, 10.1.0.0/16, fd80:3ea2:e399:203a::2/128, 2a03:2260:121:7001::/64 allowed_ips: 10.255.1.2/32, 10.1.0.0/16
persistent_keepalive: 25 persistent_keepalive: 25
# vpn2-stefan: # vpn2-stefan:
# public_key: NvJKN6xorzvwL7NhMoY2bEwpDVTl9Ob/1gx9g8tHfic= # public_key: NvJKN6xorzvwL7NhMoY2bEwpDVTl9Ob/1gx9g8tHfic=


@ -32,5 +32,5 @@ all:
gre_bb_b_ix_dus_ipv6: 2a03:2260:0:311::2 gre_bb_b_ix_dus_ipv6: 2a03:2260:0:311::2
gre_bb_a_fra3_f_ipv6: 2a03:2260:0:30d::2 gre_bb_a_fra3_f_ipv6: 2a03:2260:0:30d::2
gre_bb_b_fra3_f_ipv6: 2a03:2260:0:310::2 gre_bb_b_fra3_f_ipv6: 2a03:2260:0:310::2
wireguard_address: "10.255.1.1/24, fd80:3ea2:e399:203a::1/64" wireguard_address: 10.255.1.1
wireguard_port: 42001 wireguard_port: 42001
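Review bot: `wireguard_address: 10.255.1.1` on the new side no longer carries a prefix length, while the ER-X instructions in the same compare configure the other end of the tunnel as `10.255.1.2/30`. The template that consumes this variable is not visible here; if the value is written verbatim into the interface address, it would presumably be installed as a /32 host address. Stating the mask explicitly and quoting the value, e.g. `wireguard_address: "10.255.1.1/30"`, keeps both ends in agreement and avoids relying on a default. The enclosing `all:` mapping starts outside the hunk.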


@ -36,14 +36,12 @@ sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb
## Config ER-X ## Config ER-X
configure configure
## Wireguard ## Wireguard
set interfaces wireguard wg0 address 10.255.1.2/24 set interfaces wireguard wg0 address 10.255.1.2/30
set interfaces wireguard wg0 address fd80:3ea2:e399:203a::2/64
set interfaces wireguard wg0 listen-port 51821 set interfaces wireguard wg0 listen-port 51821
set interfaces wireguard wg0 route-allowed-ips false set interfaces wireguard wg0 route-allowed-ips false
set interfaces wireguard wg0 persistent-keepalive 25 set interfaces wireguard wg0 persistent-keepalive 25
set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 7.fftdf.de:42001 set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= endpoint 7.fftdf.de:42001
set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0 set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips 0.0.0.0/0
set interfaces wireguard wg0 peer 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s= allowed-ips ::0/0
set interfaces wireguard wg0 private-key /config/auth/wg.key set interfaces wireguard wg0 private-key /config/auth/wg.key
## Firewall for Wireguard ## Firewall for Wireguard
set firewall name WAN_LOCAL rule 20 action accept set firewall name WAN_LOCAL rule 20 action accept
@ -52,27 +50,22 @@ sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb
set firewall name WAN_LOCAL rule 20 destination port 51821 set firewall name WAN_LOCAL rule 20 destination port 51821
set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default' set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
set firewall group network-group LAN-VPN network 10.1.0.0/16 set firewall group network-group LAN-VPN network 10.1.0.0/16
set firewall group ipv6-network-group IPv6-VPN ipv6-network 2a03:2260:121:7001::/64
set firewall group network-group RFC1918 network 10.0.0.0/8 set firewall group network-group RFC1918 network 10.0.0.0/8
set firewall group network-group RFC1918 network 172.16.0.0/12 set firewall group network-group RFC1918 network 172.16.0.0/12
set firewall group network-group RFC1918 network 192.168.0.0/16 set firewall group network-group RFC1918 network 192.168.0.0/16
set firewall group network-group RFC1918 network 169.254.0.0/16 set firewall group network-group RFC1918 network 169.254.0.0/16
set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1 set protocols static table 2 route 0.0.0.0/0 next-hop 10.255.1.1
set protocols static table 2 route6 ::/0 next-hop fd80:3ea2:e399:203a::1
set firewall modify VPN_TDF7 rule 100 action modify set firewall modify VPN_TDF7 rule 100 action modify
set firewall modify VPN_TDF7 rule 100 description 'Route traffic from group LAN-VPN through VPN-TDF7 table' set firewall modify VPN_TDF7 rule 100 description 'Route traffic from group LAN-VPN through VPN-TDF7 table'
set firewall modify VPN_TDF7 rule 100 modify table 2 set firewall modify VPN_TDF7 rule 100 modify table 2
set firewall modify VPN_TDF7 rule 100 source group network-group LAN-VPN set firewall modify VPN_TDF7 rule 100 source group network-group LAN-VPN
set firewall ipv6-modify IPv6-VPN_TDF7 rule 100 action modify set interfaces ethernet eth2 firewall in modify VPN_TDF7
set firewall ipv6-modify IPv6-VPN_TDF7 rule 100 description 'Route traffic from group IPv6-VPN through IPv6-VPN-TDF7 table' set interfaces swtich switch0 firewall in modify VPN_TDF7
set firewall ipv6-modify IPv6-VPN_TDF7 rule 100 modify table 2
set firewall ipv6-modify IPv6-VPN_TDF7 rule 100 source group ipv6-network-group IPv6-VPN
set interfaces switch switch0 firewall in modify VPN_TDF7
set interfaces switch switch0 firewall in modify IPv6-VPN_TDF7
## NAT einrichten ## NAT einrichten
set service nat rule 5010 description 'masquerade for VPN' set service nat rule 5010 description 'masquerade for VPN'
set service nat rule 5010 outbound-interface wg0 set service nat rule 5010 outbound-interface wg0
set service nat rule 5010 type masquerade set service nat rule 5010 type masquerade
set service nat rule 5010 protocol all set service nat rule 5010 protocol all
## Speichern ## Speichern
commit ; save commit ; save
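Review bot: The new side's `set interfaces swtich switch0 firewall in modify VPN_TDF7` misspells `switch`, so the command would presumably be rejected and the VPN_TDF7 policy-routing rule would end up bound to eth2 only; it should read `set interfaces switch switch0 firewall in modify VPN_TDF7`. Separately, the new side drops the `ipv6-modify IPv6-VPN_TDF7` rules, the table 2 `route6 ::/0` route and the peer's `allowed-ips ::0/0`, so nothing steers IPv6 from the LAN into wg0 any more. If the router has IPv6 connectivity on its WAN side, LAN clients would likely send IPv6 traffic outside the tunnel while IPv4 goes through it. The guide should state that IPv6 is intentionally not tunnelled and tell the reader to disable or filter it on the LAN. Old and new sides are read here from the column order and the hunk line counts (14 to 12, 27 to 22).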


@ -8,7 +8,6 @@ network:
addresses: addresses:
- {{ gre_bb_a_ak_ber_ipv4 }}/31 - {{ gre_bb_a_ak_ber_ipv4 }}/31
- {{ gre_bb_a_ak_ber_ipv6 }}/64 - {{ gre_bb_a_ak_ber_ipv6 }}/64
- fe80::200:5efe:2e04:9c72/64
gre-bb-b.ak.ber: gre-bb-b.ak.ber:
mode: gre mode: gre
local: {{ ansible_host }} local: {{ ansible_host }}
@ -17,7 +16,6 @@ network:
addresses: addresses:
- {{ gre_bb_b_ak_ber_ipv4 }}/31 - {{ gre_bb_b_ak_ber_ipv4 }}/31
- {{ gre_bb_b_ak_ber_ipv6 }}/64 - {{ gre_bb_b_ak_ber_ipv6 }}/64
- fe80::200:5efe:2e04:9c72/64
gre-bb-a.ix.dus: gre-bb-a.ix.dus:
mode: gre mode: gre
local: {{ ansible_host }} local: {{ ansible_host }}
@ -26,7 +24,6 @@ network:
addresses: addresses:
- {{ gre_bb_a_ix_dus_ipv4 }}/31 - {{ gre_bb_a_ix_dus_ipv4 }}/31
- {{ gre_bb_a_ix_dus_ipv6 }}/64 - {{ gre_bb_a_ix_dus_ipv6 }}/64
- fe80::200:5efe:2e04:9c72/64
gre-bb-b.ix.dus: gre-bb-b.ix.dus:
mode: gre mode: gre
local: {{ ansible_host }} local: {{ ansible_host }}
@ -35,7 +32,6 @@ network:
addresses: addresses:
- {{ gre_bb_b_ix_dus_ipv4 }}/31 - {{ gre_bb_b_ix_dus_ipv4 }}/31
- {{ gre_bb_b_ix_dus_ipv6}}/64 - {{ gre_bb_b_ix_dus_ipv6}}/64
- fe80::200:5efe:2e04:9c72/64
gre-bb-a.fra3.f: gre-bb-a.fra3.f:
mode: gre mode: gre
local: {{ ansible_host }} local: {{ ansible_host }}
@ -44,7 +40,6 @@ network:
addresses: addresses:
- {{ gre_bb_a_fra3_f_ipv4 }}/31 - {{ gre_bb_a_fra3_f_ipv4 }}/31
- {{ gre_bb_a_fra3_f_ipv6 }}/64 - {{ gre_bb_a_fra3_f_ipv6 }}/64
- fe80::200:5efe:2e04:9c72/64
gre-bb-b.fra3.f: gre-bb-b.fra3.f:
mode: gre mode: gre
local: {{ ansible_host }} local: {{ ansible_host }}
@ -53,7 +48,6 @@ network:
addresses: addresses:
- {{ gre_bb_b_fra3_f_ipv4 }}/31 - {{ gre_bb_b_fra3_f_ipv4 }}/31
- {{ gre_bb_b_fra3_f_ipv6 }}/64 - {{ gre_bb_b_fra3_f_ipv6 }}/64
- fe80::200:5efe:2e04:9c72/64
ethernets: ethernets:
lo: lo:
addresses: addresses:


@ -13,5 +13,4 @@
- qemu-guest-agent - qemu-guest-agent
- iputils-ping - iputils-ping
- iw - iw
- speedtest-cli - speedtest-cli
- telnet