

63 Commits
master ... tdf7

bc3bc799ad
Added UISP 2023-04-29 11:52:19 +02:00
e754a94809 Merge pull request 'Enable IPv6 on Host' (#1) from ipv6_on_host into tdf7
Reviewed-on: #1
2023-04-17 19:17:21 +00:00
1361b9320c
Add new host_vars for vpn01 2023-04-17 21:15:40 +02:00
b2d61acaf7
enable vpn01 2023-04-17 21:14:21 +02:00
460c5978ac
routing table 88 zu 42 2023-04-17 18:26:33 +02:00
534525e4cb
Changed Wireguard Routing setup; Default= Freifunk 2023-04-17 18:21:37 +02:00
68d49c65b0
Bugfixing and tidying up some things 2023-04-16 17:35:22 +02:00
6eaacaf2a8
Changed host_group naming 2023-04-16 17:34:53 +02:00
3d33073711
Delete unused files 2023-04-16 17:34:26 +02:00
e67c7e7613
Add VPN Peers 2023-04-16 17:33:39 +02:00
3277c76d6c
Changed vpn02 to vpn_offloader 2023-04-16 17:32:44 +02:00
c301de90a5
Add ERX Routers 2023-04-13 17:07:18 +02:00
b743a01bf0
Add edge3 and edge4 2023-04-13 15:41:07 +02:00
92b386f75b
Add Unifi Rollout 2023-04-13 15:30:53 +02:00
c4ec42f668
Add Nils VPN 2023-04-11 19:43:58 +02:00
0c604561b6
First try Supernode 2023-04-08 14:49:34 +02:00
b866a518be
Changed Tunnel 2023-04-03 16:12:36 +02:00
4d446e4123
Install OITC on VPN Hosts 2023-04-02 21:05:33 +02:00
38aa546aaf
Add Wiregurard Tunnel for A.G. 2023-04-02 20:31:29 +02:00
7b44faa21c
Add Comment 2023-03-30 20:44:16 +02:00
1329b65ca5 Add WG Peer 2023-03-30 20:31:09 +02:00
4b37d4abc9 Changed role name for wireguard-vpn-server 2023-03-30 20:30:51 +02:00
85cecdb635 remove old wg tunnels 2023-03-26 18:24:31 +02:00
4cf43a47c9 Tidy up 2023-03-26 18:23:11 +02:00
fe33d9d879 Bugfixes and edge2 2023-03-26 17:53:00 +02:00
91416228da gitignore 2023-03-24 19:37:16 +01:00
1dcf2152ef „edgerouter_configs/edge1.md“ löschen 2023-03-24 18:36:05 +00:00
e3164e5665 Running Config with MTU Setup 2023-03-24 19:34:41 +01:00
8fa6933c15 Changed gitignore to config files 2023-03-24 19:31:28 +01:00
22956ee6b8 Changed MTU 2023-03-12 21:58:53 +01:00
14c7dbf743 Added config for Edge Router 2023-03-12 21:40:59 +01:00
c01a906cbc Remove DHCP Server from Vyos 2023-03-06 18:26:36 +01:00
bc5a0ada52 Add Netplan for Servers 2023-03-06 18:25:27 +01:00
042d63f30a Add Netplan for Servers 2023-03-06 18:25:23 +01:00
cab184b5cf vyos config 2023-03-05 22:15:59 +01:00
beeb08eb01 changed role for ndppd.conf 2023-03-05 20:24:39 +01:00
eba39322ee Added config for vyos routers 2023-03-05 17:38:26 +01:00
1198f1ee3d changed naming of tdf7 2023-03-04 15:00:35 +01:00
3b1953e318 Changed naming of tdf7 2023-03-04 15:00:12 +01:00
74fa1908be Keine ahnung 2023-03-04 14:56:15 +01:00
199b22a3c5 NEtwork definition 2023-03-04 11:52:46 +01:00
0bcc2be4af add route in table 42 2023-03-02 21:45:46 +01:00
b818b32d66 IPv6 config 2023-03-02 20:25:22 +01:00
7fb1fe969f bugfixing indent 2023-02-26 10:52:43 +01:00
79416ace67 changed role based setup 2023-02-26 10:35:39 +01:00
8861b3c696
added user nils 2023-02-06 23:20:52 +01:00
ed3a9f9702 „roles/.DS_Store“ löschen 2023-02-06 22:17:26 +00:00
5864ead4b8 Toller Commit 2023-02-06 23:13:32 +01:00
48c5bf9a79 Added second VPN 2022-07-13 21:35:14 +02:00
4fa9ebfb44 Add IPv6 to Wireguard 2022-05-20 19:26:31 +02:00
2c561b7709 Add Link-Local Adresses to GRE 2022-05-20 19:23:03 +02:00
d47407ab7b Changed wireguard key 2022-05-20 19:17:43 +02:00
2263590eff Changed Router Config 2022-05-20 19:14:30 +02:00
66df20ddc7 Add Gitignore 2022-05-20 19:14:22 +02:00
d983feb729 Changed Readme 2022-05-09 12:27:42 +02:00
150be2ac7c Running config v1 2022-05-09 12:16:09 +02:00
f7674cd5bb Remove ifup/ifdown scripts 2022-05-09 11:40:31 +02:00
9a8ee7942c Bugfixing 2022-05-09 10:18:05 +02:00
aa3bf94140 Changed to Wireguard VPN 2022-05-08 21:32:16 +02:00
bf10300e30 Added speedtest-cli package 2022-05-07 11:26:24 +02:00
17a52ee57e Fixes for first running config 2022-05-07 11:24:28 +02:00
b8eb3d349c New Ansible for VPN Offloader 2022-05-05 20:03:54 +02:00
b59eea9f8a removed old ansible 2022-05-05 20:02:22 +02:00
103 changed files with 2602 additions and 3004 deletions

.DS_Store vendored Normal file


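--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,2 @@
+.DS_Store
+edgerouter_configs/**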
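Review bot: Adding `edgerouter_configs/**` to .gitignore stops future commits of the router exports, but it does not remove what is already in history; the commit list on this page shows `edgerouter_configs/edge1.md` being committed and later deleted, so its contents remain retrievable from earlier revisions. If that export contained credentials or key material, treat them as exposed and rotate them, and consider a history rewrite before the repository is shared more widely. A one-line comment above the pattern, `# router exports may contain secrets; never commit`, would record the intent for the next contributor.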


@ -1,12 +0,0 @@
Ansible file to manage Freifunk Troisdorf supernodes
example: ansible-playbook install.sn.yml -l hosts
To install a individual host you have to start it explicit with the target server
example: ansible-playbook install.sn.yml -l hosts -l troisdorf7 -v
The hosts file is the most important file.
You will find some example files:
files/hosts.example
files/root_pwd.yml.example
files/slack_token.yml.example

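--- a/Todo
+++ b/Todo
@@ -1,40 +0,0 @@
-TODO
-1. Statisches Routing über Interconnect Router
-==================================================================
-# SN 4
-# FFTDF Interconnect Routen
-ip route add 10.188.32.0/19 via 10.188.0.2 table 42
-ip route add 10.188.64.0/19 via 10.188.0.2 table 42
-ip route add 10.188.96.0/19 via 10.188.0.2 table 42
-ip -6 route add 2a03:2260:121:5000::/64 via 2a03:2260:121:4000::2 table 42
-ip -6 route add 2a03:2260:121:6000::/64 via 2a03:2260:121:4000::2 table 42
-ip -6 route add 2a03:2260:121:7000::/64 via 2a03:2260:121:4000::2 table 42
-# SN 5
-# FFTDF Interconnect Routen
-ip route add 10.188.0.0/19 via 10.188.32.2 table 42
-ip route add 10.188.64.0/19 via 10.188.32.2 table 42
-ip route add 10.188.96.0/19 via 10.188.32.2 table 42
-ip -6 route add 2a03:2260:121:4000::/64 via 2a03:2260:121:5000::2 table 42
-ip -6 route add 2a03:2260:121:6000::/64 via 2a03:2260:121:5000::2 table 42
-ip -6 route add 2a03:2260:121:7000::/64 via 2a03:2260:121:5000::2 table 42
-# SN 6
-# FFTDF Interconnect Routen
-ip route add 10.188.0.0/19 via 10.188.64.2 table 42
-ip route add 10.188.32.0/19 via 10.188.64.2 table 42
-ip route add 10.188.96.0/19 via 10.188.64.2 table 42
-ip -6 route add 2a03:2260:121:4000::/64 via 2a03:2260:121:6000::2 table 42
-ip -6 route add 2a03:2260:121:5000::/64 via 2a03:2260:121:6000::2 table 42
-ip -6 route add 2a03:2260:121:7000::/64 via 2a03:2260:121:6000::2 table 42
-# SN 7
-# FFTDF Interconnect Routen
-ip route add 10.188.0.0/19 via 10.188.96.2 table 42
-ip route add 10.188.32.0/19 via 10.188.96.2 table 42
-ip route add 10.188.64.0/19 via 10.188.96.2 table 42
-ip -6 route add 2a03:2260:121:4000::/64 via 2a03:2260:121:7000::2 table 42
-ip -6 route add 2a03:2260:121:5000::/64 via 2a03:2260:121:7000::2 table 42
-ip -6 route add 2a03:2260:121:6000::/64 via 2a03:2260:121:7000::2 table 42
-==================================================================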

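--- a/conf.conf
+++ b/conf.conf
@@ -0,0 +1,474 @@
+interfaces {
+ethernet eth0 {
+address 5.9.220.113/29
+description WAN
+}
+ethernet eth1 {
+address 172.16.7.1/24
+description "Freifunk WAN"
+ipv6 {
+address {
+autoconf
+}
+}
+}
+loopback lo {
+address 185.66.193.107/32
+address 2a03:2260:121:600::0/128
+}
+tunnel tun0 {
+address 100.64.6.25/31
+address 2a03:2260:0:30c::2/64
+description gre_bb_a_ak_ber
+encapsulation gre
+remote 185.66.195.0
+source-address 5.9.220.113
+}
+tunnel tun1 {
+address 100.64.6.31/31
+address 2a03:2260:0:30f::2/64
+description gre_bb_b_ak_ber
+encapsulation gre
+remote 185.66.195.1
+source-address 5.9.220.113
+}
+tunnel tun2 {
+address 100.64.6.29/31
+address 2a03:2260:0:30e::2/64
+description gre_bb_a_ix_dus
+encapsulation gre
+remote 185.66.193.0
+source-address 5.9.220.113
+}
+tunnel tun3 {
+address 100.64.6.35/31
+address 2a03:2260:0:311::2/64
+description gre_bb_b_ix_dus
+encapsulation gre
+remote 185.66.193.1
+source-address 5.9.220.113
+}
+tunnel tun4 {
+address 100.64.6.27/31
+address 2a03:2260:0:30d::2/64
+description gre_bb_a_fra3_f
+encapsulation gre
+remote 185.66.194.0
+source-address 5.9.220.113
+}
+tunnel tun5 {
+address 100.64.6.33/31
+address 2a03:2260:0:310::2/64
+description gre-bb-b.fra3.f
+encapsulation gre
+remote 185.66.194.1
+source-address 5.9.220.113
+}
+}
+nat {
+destination {
+rule 1 {
+description "Allow SSH to VPN-01 Port 2222"
+destination {
+address 185.66.193.107/32
+port 2222
+}
+inbound-interface any
+protocol tcp
+translation {
+address 172.16.7.2
+port 22
+}
+}
+rule 2 {
+description "Wireguard VPN-01 42001"
+destination {
+address 185.66.193.107
+port 42001
+}
+inbound-interface any
+protocol udp
+translation {
+address 172.16.7.2
+}
+}
+}
+source {
+rule 1 {
+outbound-interface any
+source {
+address 172.16.7.0/24
+}
+translation {
+address 185.66.193.107
+}
+}
+}
+}
+policy {
+local-route {
+rule 10 {
+set {
+table 42
+}
+source 5.9.220.113
+}
+}
+prefix-list FFRL-IN {
+rule 10 {
+action permit
+prefix 0.0.0.0/0
+}
+}
+prefix-list FFRL-OUT {
+rule 10 {
+action permit
+prefix 185.66.193.107/32
+}
+}
+prefix-list6 FFRL-IN-6 {
+rule 10 {
+action permit
+prefix ::/0
+}
+}
+prefix-list6 FFRL-OUT-6 {
+rule 10 {
+action permit
+prefix 2a03:2260:121:600::/55
+}
+}
+route-map FFRL-IN {
+rule 10 {
+action permit
+match {
+ip {
+address {
+prefix-list FFRL-IN
+}
+}
+}
+}
+}
+route-map FFRL-OUT {
+rule 10 {
+action permit
+match {
+ip {
+address {
+prefix-list FFRL-OUT
+}
+}
+}
+}
+}
+route-map FFRL-IN-6 {
+rule 10 {
+action permit
+match {
+ipv6 {
+address {
+prefix-list FFRL-IN-6
+}
+}
+}
+}
+}
+route-map FFRL-OUT-6 {
+rule 10 {
+action permit
+match {
+ipv6 {
+address {
+prefix-list FFRL-OUT-6
+}
+}
+}
+}
+}
+}
+protocols {
+bgp {
+address-family {
+ipv4-unicast {
+network 185.66.193.107/32 {
+}
+}
+ipv6-unicast {
+network 2a03:2260:121:600::/55 {
+}
+}
+}
+neighbor 100.64.6.24 {
+address-family {
+ipv4-unicast {
+route-map {
+export FFRL-OUT
+import FFRL-IN
+}
+}
+}
+description ffrl_bb_a_ak_ber
+remote-as 201701
+update-source 100.64.6.25
+}
+neighbor 100.64.6.26 {
+address-family {
+ipv4-unicast {
+route-map {
+export FFRL-OUT
+import FFRL-IN
+}
+}
+}
+description ffrl_bb_a_fra3_fra
+remote-as 201701
+update-source 100.64.6.27
+}
+neighbor 100.64.6.28 {
+address-family {
+ipv4-unicast {
+route-map {
+export FFRL-OUT
+import FFRL-IN
+}
+}
+}
+description ffrl_bb_a_ix_dus
+remote-as 201701
+update-source 100.64.6.29
+}
+neighbor 100.64.6.30 {
+address-family {
+ipv4-unicast {
+route-map {
+export FFRL-OUT
+import FFRL-IN
+}
+}
+}
+description ffrl_bb_b_ak_ber
+remote-as 201701
+update-source 100.64.6.31
+}
+neighbor 100.64.6.32 {
+address-family {
+ipv4-unicast {
+route-map {
+export FFRL-OUT
+import FFRL-IN
+}
+}
+}
+description ffrl_bb_b_fra3_fra
+remote-as 201701
+update-source 100.64.6.33
+}
+neighbor 100.64.6.34 {
+address-family {
+ipv4-unicast {
+route-map {
+export FFRL-OUT
+import FFRL-IN
+}
+}
+}
+description ffrl_bb_b_ix_dus
+remote-as 201701
+update-source 100.64.6.35
+}
+neighbor 2a03:2260:0:30c::1 {
+address-family {
+ipv6-unicast {
+route-map {
+export FFRL-OUT-6
+import FFRL-IN-6
+}
+}
+}
+remote-as 201701
+update-source 2a03:2260:0:30c::2
+}
+neighbor 2a03:2260:0:30d::1 {
+address-family {
+ipv6-unicast {
+route-map {
+export FFRL-OUT-6
+import FFRL-IN-6
+}
+}
+}
+remote-as 201701
+update-source 2a03:2260:0:30d::2
+}
+neighbor 2a03:2260:0:30e::1 {
+address-family {
+ipv6-unicast {
+route-map {
+export FFRL-OUT-6
+import FFRL-IN-6
+}
+}
+}
+remote-as 201701
+update-source 2a03:2260:0:30e::2
+}
+neighbor 2a03:2260:0:30f::1 {
+address-family {
+ipv6-unicast {
+route-map {
+export FFRL-OUT-6
+import FFRL-IN-6
+}
+}
+}
+remote-as 201701
+update-source 2a03:2260:0:30f::2
+}
+neighbor 2a03:2260:0:310::1 {
+address-family {
+ipv6-unicast {
+route-map {
+export FFRL-OUT-6
+import FFRL-IN-6
+}
+}
+}
+remote-as 201701
+update-source 2a03:2260:0:310::2
+}
+neighbor 2a03:2260:0:311::1 {
+address-family {
+ipv6-unicast {
+route-map {
+export FFRL-OUT-6
+import FFRL-IN-6
+}
+}
+}
+remote-as 201701
+update-source 2a03:2260:0:311::2
+}
+parameters {
+router-id 10.188.255.7
+}
+system-as 65066
+}
+static {
+route6 2a03:2260:121:e000::/54 {
+interface eth1 {
+}
+}
+table 42 {
+route 0.0.0.0/0 {
+next-hop 5.9.220.112 {
+}
+}
+}
+}
+}
+service {
+dhcp-server {
+listen-address 172.16.7.1
+shared-network-name freifunk {
+subnet 172.16.7.0/24 {
+default-router 172.16.7.1
+name-server 1.1.1.1
+name-server 1.0.0.1
+range dhcp {
+start 172.16.7.10
+stop 172.16.7.200
+}
+static-mapping vpn-01 {
+ip-address 172.16.7.2
+mac-address 36:f3:82:18:9b:03
+}
+}
+}
+}
+ntp {
+allow-client {
+address 0.0.0.0/0
+address ::/0
+}
+server time1.vyos.net {
+}
+server time2.vyos.net {
+}
+server time3.vyos.net {
+}
+}
+router-advert {
+interface eth1 {
+default-lifetime 300
+default-preference high
+hop-limit 64
+interval {
+max 30
+}
+link-mtu 1500
+name-server 2001:4860:4860::8888
+other-config-flag
+prefix 2a03:2260:121:600::/58 {
+preferred-lifetime 300
+valid-lifetime 900
+}
+reachable-time 90000
+retrans-timer 0
+}
+}
+ssh {
+port 22
+}
+}
+system {
+config-management {
+commit-revisions 100
+}
+conntrack {
+modules {
+ftp
+h323
+nfs
+pptp
+sip
+sqlnet
+tftp
+}
+}
+console {
+device ttyS0 {
+speed 115200
+}
+}
+host-name 7.fftdf.de
+login {
+banner {
+post-login "Welcome to the core Freifunk Router for Troisdorf!\n\nEnjoy it while you are here!\n"
+}
+user vyos {
+authentication {
+encrypted-password ****************
+plaintext-password ****************
+public-keys nils {
+key ****************
+type ssh-rsa
+}
+public-keys stefan {
+key ****************
+type ssh-rsa
+}
+}
+}
+}
+syslog {
+global {
+facility all {
+level info
+}
+facility protocols {
+level debug
+}
+}
+}
+}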
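Review bot: The `service ssh` stanza sets only `port 22`, and the configuration contains neither a `firewall` block nor a `listen-address`, so management SSH is reachable on every address the router holds, including the WAN address `5.9.220.113` on eth0 and the BGP-announced loopback `185.66.193.107`; the `ntp allow-client` list likewise admits `0.0.0.0/0` and `::/0`, which makes the router an NTP responder for any source. Adding `listen-address 172.16.7.1` under `service ssh` and narrowing `allow-client` to `172.16.7.0/24` plus the router's own IPv6 prefix would confine both to the Freifunk-side network; a firewall ruleset bound to eth0 and the tunnels would be the more complete fix. The `static route6 2a03:2260:121:e000::/54` pointing at eth1 looks inconsistent with the `2a03:2260:121:600::/55` prefix used in the BGP, prefix-list and router-advert stanzas (and with the /52 allocation described in definition.md in this same commit range), so it is worth confirming it is not a typo. The `plaintext-password` node under `user vyos` is masked here and may just be the empty node VyOS keeps after commit, but if this export came from the file system rather than `show configuration`, confirm that nothing unmasked reaches the repository.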

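--- a/definition.md
+++ b/definition.md
@@ -0,0 +1,57 @@
+# Network
+## IP Spaces
+### From FFRL
+External IPv4:
+- troisdorf4: 185.66.193.104
+- troisdorf5: 185.66.193.105
+- troisdorf6: 185.66.193.106
+- troisdorf7: 185.66.193.107
+IPv6 Prefix: 2a03:2260:121::/48
+### Internal and Segmentation:
+#### IPv4:
+Wir unterscheiden zwischen Gluon Netzen und VPN-Offloader Netzen
+Die Gluon Netze sind im bereich 10.188.0.0/16
+Die VPN Offloader Netze im Bereich 10.0.0.0/8
+#### IPv6:
+FFRL 2a03:2260:121::/48
+Wir nutzen jetzt nur das Netz 2a03:2260:121::/52
+GRE-Router: bekommen ein /55
+https://www.internex.at/de/toolbox/ipv6/ip6=2a03:2260:121::/prefix=52/subnetNo=8
+gre1: 2a03:2260:121::/55 (FFRL Tunnel-Paar 1, momentan TDF4)
+gre2: 2a03:2260:121:200::/55 (FFRL Tunnel-Paar 2, momentan TDF5)
+gre3: 2a03:2260:121:400::/55 (FFRL Tunnel-Paar 3, momentan TDF6)
+gre4: 2a03:2260:121:600::/55 (FFRL Tunnel-Paar 4, momentane Testumgebung)
+gre5: 2a03:2260:121:800::/55 (noch keine verwendung)
+gre6: 2a03:2260:121:a00::/55 (noch keine verwendung)
+gre7: 2a03:2260:121:c00::/55 (noch keine verwendung)
+gre8: 2a03:2260:121:e00::/55 (noch keine verwendung)
+Supernodes / VPN Server bekommen ein /58 aus dem Netz des GRE Routers (hier am beispiel gre4)
+https://www.internex.at/de/toolbox/ipv6/ip6=2a03:2260:121:600::/prefix=55/subnetNo=8
+vpn1: 2a03:2260:121:600::/58
+vpn2: 2a03:2260:121:640::/58
+vpn3: 2a03:2260:121:680::/58
+vpn4: 2a03:2260:121:6c0::/58
+vpn5: 2a03:2260:121:700::/58
+vpn6: 2a03:2260:121:740::/58
+vpn7: 2a03:2260:121:780::/58
+vpn8: 2a03:2260:121:7c0::/58
+Router/Clients bekommen dann jeweils ein /64 aus dem vpn Netz:
+https://www.internex.at/de/toolbox/ipv6/ip6=2a03:2260:121:600::/prefix=58/subnetNo=64
+client1: 2a03:2260:121:601::/64
+usw...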

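--- a/er-test.yml
+++ b/er-test.yml
@@ -0,0 +1,5 @@
+# ansible-playbook -i hosts.yml er-test.yml --ask-vault-password
+- name: System preperation
+hosts: edge_router
+roles:
+- 01-vpn-router-config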
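Review bot: `name: System preperation` is misspelled and shows up in every run log; it should read `name: System preparation`. The leading comment records how to invoke the playbook but not what the play is for, so a second comment such as `# test play: applies role 01-vpn-router-config to the edge_router group` would make the file self-describing; what that role actually configures is not visible in this hunk, so the comment should stay that generic.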


@ -1,7 +0,0 @@
ssh-rsa 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 Roman
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDM0d9uUUdkK80fYEAz+IwxbhQO2qsr87Q4uxxwqQCvjVWryL+IuKMBJJGroWDMz2d9UJcIXEYdMz4436U0DoPJuoXe5iDsVvum3Vz3276My+tqx1bZWCktPa8Isft7mO/wfELNjRNQduUiwh2y712s7/3GQI+5Rs/65HuLHTnpLKrlfptqmsmYw+IUFDzGwBLJ6sqP90ywjKkperPCAH3IWcTsQwnW3EJFPToMg6BrQslZlxx/z+co3e6jCWzUuuIRP9jp4SmNVfYaVGb1cOFdL1p1P0qWHBHdGUnXHZ+c773VKVSj+spUBxKGqNC1EhRCYTsPDLVrYrhKl2BRLcgB stefan@Stefan-Linux
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCsaIe542Vk0/sH0GEEMPhjDHBip0PI6OX/teuTLu/osvdb9Hj7432HUlEsiw8cfkCZBXtkQGlYXRVjiZkRxc8CzDpOkq75ZcqTfhmf/tCejBbgSFfdruViU11cFHIdznOqe3PeFM+8BJzHf2Gwnb5P/Q0RDYQ05Hfr9LhQVw3IXM2VInE+xR0sMj2rNr8g8lYa9X/+boElwqFiJqaRyb61XI0DYIXuxFQkg/E2bxvrtbrYJt9Pv5Mu0HYY2Q+xGqOGwPjxtqIixG9ne4EkiQkshFhfnTegfRMmhuSa0G6+Qqh5e4RPbtCGOW27tqXNUo0zDtcNaoWqUCIDkplTlUsimXT8PO+qiwMpXuVBYiwLat3N97kin8GAXoxYdrYdALopLbbkWx/7e06vqwBmF4tsPMcTRKOEIJgWIAVyxxr999Q5GNWA52m7iTNIWH1ExeTm/FQrbU4QCY6YThqhC3AVTYcUINNVZuFp19tNkNydUDOqPtwG0c+Bi8y15RBPUzQDbTgTR3zayuiOc26MYH4SGoSGNKeQjbJWr8MDsGi+NGMs2crYXirYVziPPXdY+im3fBH3UuRDkfbfvl4gXpDYxEUh/8GYdMLnttk2ifoBtlynEhxyunoKm7Z3V8mTikON70/ko6QkOmei/r/F+V9Se6FFsOTUIufwu6BC9+hBkw== localadmin@ansible
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCvwA3/NDj7Oo28Q1XdRIgOp//35gFVvsDa1dnMkgRDqJYvlIDbRiQ+UIcgu5YhstPb8BAxfvqjRP4rnMKc7v69T2Lp+HOMx+1sOYrznEe2hC5lPr4+U1u4Fzqhq/keSoItifmdTgrE+01Zc5jMBosUIm79TDgEMuEGcYVJIyAzDv9ez4u+Bz/HubRO+qT/+UmOICEg9m/C+fiH/ZAJHi90dMsj7RF5YXrRHXTAdiecurwGAZx2Adug1fFTvzB1pqBUHje1PFtEI+LheYklpNtiJo8NQ2KDEiavSxBibJrywzQHaddf0bkeAhmiNY8PRoMpMNeiu94DyNFWgdm7bLzdzrN/o5U7MlnJlcn8D1tLtdp0ngTxaN6VIywI8mQ/Ukxz8p2Ce49vu6osz4CvYhKx4mrvOSmqg9VjKcL6/rIwK7y5CWgIrddktxrSpUHXkzoQSefgZ5Bnu3CNp0GixWV5JTHnFxCulJAGi3TTqx7IvsJ8gpuKkeGnIgnDhFbqVOKeEEnR13tTCJ7MgPQ+VHREQ68u73a5TfDxJd/ggnG4tQ67HOcqxwa74+X1lv7YiJ3AvbrR7FFPNM3o5N8ZmZWhBLDaUHrjElHkZdB/V2l2bCblWhD0INCYoskuK1dFGdf3gQQeKOivGzKtzI0xNKutrxfvarkikxCEV3Exj889rQ== Nils Jakobi


@ -1,4 +0,0 @@
#!/bin/bash
INTERFACE="$3"
/sbin/brctl delif br-nodes $INTERFACE


@ -1,94 +0,0 @@
/*
* This is an example configuration file.
*/
# Yes, even shell-like comments work...
# Configure logging
#log syslog { debug, trace, info, remote, warning, error, auth, fatal, bug };
#log stderr all;
#log "tmp" all;
#log syslog all;
#debug protocols all;
# Override router ID
router id 10.188.255.1;
protocol direct {
interface "*";
};
protocol kernel {
device routes;
import all;
export all;
kernel table 42;
};
protocol device {
scan time 8;
};
function is_default() {
return (net ~ [0.0.0.0/0]);
};
# own network
function is_self_net() {
return (net ~ [ 10.188.0.0/16+ ]);
}
# freifunk ip ranges in general
function is_freifunk() {
return net ~ [ 10.0.0.0/8+,
104.0.0.0/8+
];
}
filter hostroute {
if net ~ 185.66.193.104/32 then accept;
reject;
};
# Uplink über ff Rheinland
template bgp uplink {
local as 65066;
import where is_default();
export filter hostroute;
next hop self;
multihop 64;
default bgp_local_pref 200;
};
protocol bgp ffrl_bb_a_ak_ber from uplink {
source address 100.64.6.13;
neighbor 100.64.6.12 as 201701;
};
protocol bgp ffrl_bb_b_ak_ber from uplink {
source address 100.64.6.19;
neighbor 100.64.6.18 as 201701;
};
protocol bgp ffrl_bb_a_ix_dus from uplink {
source address 100.64.6.17;
neighbor 100.64.6.16 as 201701;
};
protocol bgp ffrl_bb_b_ix_dus from uplink {
source address 100.64.6.23;
neighbor 100.64.6.22 as 201701;
};
protocol bgp ffrl_bb_a_fra3_fra from uplink {
source address 100.64.6.15;
neighbor 100.64.6.14 as 201701;
};
protocol bgp ffrl_bb_b_fra3_fra from uplink {
source address 100.64.6.21;
neighbor 100.64.6.20 as 201701;
};


@ -1,84 +0,0 @@
/*
* This is an example configuration file.
*/
# Yes, even shell-like comments work...
# Configure logging
#log syslog { debug, trace, info, remote, warning, error, auth, fatal, bug };
#log stderr all;
#log "tmp" all;
#log syslog all;
#debug protocols all;
# Override router ID
router id 10.188.255.5;
protocol direct {
interface "*";
};
protocol kernel {
device routes;
import all;
export all;
kernel table 42;
};
protocol device {
scan time 8;
};
function is_default() {
return (net ~ [0.0.0.0/0]);
};
# own network
function is_self_net() {
return (net ~ [ 10.188.0.0/16+ ]);
}
# freifunk ip ranges in general
function is_freifunk() {
return net ~ [ 10.0.0.0/8+,
104.0.0.0/8+
];
}
filter hostroute {
if net ~ 185.66.193.105/32 then accept;
reject;
};
# Uplink über ff Rheinland
template bgp uplink {
local as 65066;
import where is_default();
export filter hostroute;
next hop self;
multihop 64;
default bgp_local_pref 200;
};
protocol bgp ffrl_bb_a_ak_ber from uplink {
source address 100.64.2.151;
neighbor 100.64.2.150 as 201701;
};
protocol bgp ffrl_bb_b_ak_ber from uplink {
source address 100.64.2.153;
neighbor 100.64.2.152 as 201701;
};
protocol bgp ffrl_bb_a_ix_dus from uplink {
source address 100.64.2.155;
neighbor 100.64.2.154 as 201701;
};
protocol bgp ffrl_bb_b_ix_dus from uplink {
source address 100.64.2.157;
neighbor 100.64.2.156 as 201701;
};


@ -1,84 +0,0 @@
/*
* This is an example configuration file.
*/
# Yes, even shell-like comments work...
# Configure logging
#log syslog { debug, trace, info, remote, warning, error, auth, fatal, bug };
#log stderr all;
#log "tmp" all;
#log syslog all;
#debug protocols all;
# Override router ID
router id 10.188.255.6;
protocol direct {
interface "*";
};
protocol kernel {
device routes;
import all;
export all;
kernel table 42;
};
protocol device {
scan time 8;
};
function is_default() {
return (net ~ [0.0.0.0/0]);
};
# own network
function is_self_net() {
return (net ~ [ 10.188.0.0/16+ ]);
}
# freifunk ip ranges in general
function is_freifunk() {
return net ~ [ 10.0.0.0/8+,
104.0.0.0/8+
];
}
filter hostroute {
if net ~ 185.66.193.106/32 then accept;
reject;
};
# Uplink über ff Rheinland
template bgp uplink {
local as 65066;
import where is_default();
export filter hostroute;
next hop self;
multihop 64;
default bgp_local_pref 200;
};
protocol bgp ffrl_bb_a_ak_ber from uplink {
source address 100.64.2.159;
neighbor 100.64.2.158 as 201701;
};
protocol bgp ffrl_bb_b_ak_ber from uplink {
source address 100.64.2.161;
neighbor 100.64.2.160 as 201701;
};
protocol bgp ffrl_bb_a_ix_dus from uplink {
source address 100.64.2.163;
neighbor 100.64.2.162 as 201701;
};
protocol bgp ffrl_bb_b_ix_dus from uplink {
source address 100.64.2.165;
neighbor 100.64.2.164 as 201701;
};


@ -1,94 +0,0 @@
/*
* This is an example configuration file.
*/
# Yes, even shell-like comments work...
# Configure logging
#log syslog { debug, trace, info, remote, warning, error, auth, fatal, bug };
#log stderr all;
#log "tmp" all;
#log syslog all;
#debug protocols all;
# Override router ID
router id 10.188.255.7;
protocol direct {
interface "*";
};
protocol kernel {
device routes;
import all;
export all;
kernel table 42;
};
protocol device {
scan time 8;
};
function is_default() {
return (net ~ [0.0.0.0/0]);
};
# own network
function is_self_net() {
return (net ~ [ 10.188.0.0/16+ ]);
}
# freifunk ip ranges in general
function is_freifunk() {
return net ~ [ 10.0.0.0/8+,
104.0.0.0/8+
];
}
filter hostroute {
if net ~ 185.66.193.107/32 then accept;
reject;
};
# Uplink über ff Rheinland
template bgp uplink {
local as 65066;
import where is_default();
export filter hostroute;
next hop self;
multihop 64;
default bgp_local_pref 200;
};
protocol bgp ffrl_bb_a_ak_ber from uplink {
source address 100.64.6.25;
neighbor 100.64.6.24 as 201701;
};
protocol bgp ffrl_bb_b_ak_ber from uplink {
source address 100.64.6.31;
neighbor 100.64.6.30 as 201701;
};
protocol bgp ffrl_bb_a_ix_dus from uplink {
source address 100.64.6.29;
neighbor 100.64.6.28 as 201701;
};
protocol bgp ffrl_bb_b_ix_dus from uplink {
source address 100.64.6.35;
neighbor 100.64.6.34 as 201701;
};
protocol bgp ffrl_bb_a_fra3_fra from uplink {
source address 100.64.6.27;
neighbor 100.64.6.26 as 201701;
};
protocol bgp ffrl_bb_b_fra3_fra from uplink {
source address 100.64.6.33;
neighbor 100.64.6.32 as 201701;
};


@ -1,90 +0,0 @@
# Configure logging
#log syslog { debug, trace, info, remote, warning, error, auth, fatal, bug };
#log stderr all;
#log "tmp" all;
#log syslog all;
#debug protocols all;
# Override router ID
router id 10.188.255.1;
protocol direct {
interface "bat0", "gre-*", "lo"; # Restrict network interfaces it works with
}
protocol kernel {
device routes;
import all;
export all; # Default is export none
kernel table 42; # Kernel table to synchronize with (default: main)
}
protocol device {
scan time 10; # Scan interfaces every 10 seconds
}
function is_default() {
return (net ~ [::/0]);
}
# own networks
function is_self_net() {
return net ~ [ fda0:747e:ab29:7405::/64+ ];
}
# freifunk ip ranges in general
function is_freifunk() {
return net ~ [ fc00::/7{48,64},
2001:bf7::/32+];
}
filter hostroute {
if net ~ 2a03:2260:121:4000::/52 then accept;
reject;
}
# Uplink zum FF Rheinland
template bgp uplink {
local as 65066;
import where is_default();
export filter hostroute;
gateway recursive;
}
protocol bgp ffrl_bb_a_ak_ber from uplink {
source address 2a03:2260:0:306::2;
neighbor 2a03:2260:0:306::1 as 201701;
}
protocol bgp ffrl_bb_b_ak_ber from uplink {
source address 2a03:2260:0:309::2;
neighbor 2a03:2260:0:309::1 as 201701;
}
protocol bgp ffrl_bb_a_ix_dus from uplink {
source address 2a03:2260:0:308::2;
neighbor 2a03:2260:0:308::1 as 201701;
}
protocol bgp ffrl_bb_b_ix_dus from uplink {
source address 2a03:2260:0:30b::2;
neighbor 2a03:2260:0:30b::1 as 201701;
}
protocol bgp ffrl_bb_a_fra3_fra from uplink {
source address 2a03:2260:0:307::2;
neighbor 2a03:2260:0:307::1 as 201701;
}
protocol bgp ffrl_bb_b_fra3_fra from uplink {
source address 2a03:2260:0:30a::2;
neighbor 2a03:2260:0:30a::1 as 201701;
}


@ -1,82 +0,0 @@
# Configure logging
#log syslog { debug, trace, info, remote, warning, error, auth, fatal, bug };
#log stderr all;
#log "tmp" all;
#log syslog all;
#debug protocols all;
# Override router ID
router id 10.188.255.5;
protocol direct {
# interface "*"; # Restrict network interfaces it works with
# interface "bat0", "gre-*", "eth*", "lo"; # Restrict network interfaces it works with
interface "bat0", "gre-*", "lo"; # Restrict network interfaces it works with
}
protocol kernel {
device routes;
import all;
export all; # Default is export none
kernel table 42; # Kernel table to synchronize with (default: main)
}
protocol device {
scan time 10; # Scan interfaces every 10 seconds
}
function is_default() {
return (net ~ [::/0]);
}
# own networks
function is_self_net() {
return net ~ [ fda0:747e:ab29:7405::/64+ ];
}
# freifunk ip ranges in general
function is_freifunk() {
return net ~ [ fc00::/7{48,64},
2001:bf7::/32+];
}
filter hostroute {
if net ~ 2a03:2260:121:5000::/52 then accept;
reject;
}
# Uplink zum FF Rheinland
template bgp uplink {
local as 65066;
import where is_default();
export filter hostroute;
gateway recursive;
}
protocol bgp ffrl_bb_a_ak_ber from uplink {
source address 2a03:2260:0:155::2;
neighbor 2a03:2260:0:155::1 as 201701;
}
protocol bgp ffrl_bb_b_ak_ber from uplink {
source address 2a03:2260:0:156::2;
neighbor 2a03:2260:0:156::1 as 201701;
}
protocol bgp ffrl_bb_a_ix_dus from uplink {
source address 2a03:2260:0:157::2;
neighbor 2a03:2260:0:157::1 as 201701;
}
protocol bgp ffrl_bb_b_ix_dus from uplink {
source address 2a03:2260:0:158::2;
neighbor 2a03:2260:0:158::1 as 201701;
}


@ -1,82 +0,0 @@
# Configure logging
#log syslog { debug, trace, info, remote, warning, error, auth, fatal, bug };
#log stderr all;
#log "tmp" all;
#log syslog all;
#debug protocols all;
# Override router ID
router id 10.188.255.6;
protocol direct {
# interface "*"; # Restrict network interfaces it works with
# interface "bat0", "gre-*", "eth*", "lo"; # Restrict network interfaces it works with
interface "bat0", "gre-*", "lo"; # Restrict network interfaces it works with
}
protocol kernel {
device routes;
import all;
export all; # Default is export none
kernel table 42; # Kernel table to synchronize with (default: main)
}
protocol device {
scan time 10; # Scan interfaces every 10 seconds
}
function is_default() {
return (net ~ [::/0]);
}
# own networks
function is_self_net() {
return net ~ [ fda0:747e:ab29:7405::/64+ ];
}
# freifunk ip ranges in general
function is_freifunk() {
return net ~ [ fc00::/7{48,64},
2001:bf7::/32+];
}
filter hostroute {
if net ~ 2a03:2260:121:6000::/52 then accept;
reject;
}
# Uplink zum FF Rheinland
template bgp uplink {
local as 65066;
import where is_default();
export filter hostroute;
gateway recursive;
}
protocol bgp ffrl_bb_a_ak_ber from uplink {
source address 2a03:2260:0:159::2;
neighbor 2a03:2260:0:159::1 as 201701;
}
protocol bgp ffrl_bb_b_ak_ber from uplink {
source address 2a03:2260:0:15a::2;
neighbor 2a03:2260:0:15a::1 as 201701;
}
protocol bgp ffrl_bb_a_ix_dus from uplink {
source address a03:2260:0:15b::2;
neighbor 2a03:2260:0:15b::1 as 201701;
}
protocol bgp ffrl_bb_b_ix_dus from uplink {
source address 2a03:2260:0:15c::2;
neighbor 2a03:2260:0:15c::1 as 201701;
}


@ -1,90 +0,0 @@
# Configure logging
#log syslog { debug, trace, info, remote, warning, error, auth, fatal, bug };
#log stderr all;
#log "tmp" all;
#log syslog all;
#debug protocols all;
# Override router ID
router id 10.188.255.7;
protocol direct {
interface "bat0", "gre-*", "lo"; # Restrict network interfaces it works with
}
protocol kernel {
device routes;
import all;
export all; # Default is export none
kernel table 42; # Kernel table to synchronize with (default: main)
}
protocol device {
scan time 10; # Scan interfaces every 10 seconds
}
function is_default() {
return (net ~ [::/0]);
}
# own networks
function is_self_net() {
return net ~ [ fda0:747e:ab29:7405::/64+ ];
}
# freifunk ip ranges in general
function is_freifunk() {
return net ~ [ fc00::/7{48,64},
2001:bf7::/32+];
}
filter hostroute {
if net ~ 2a03:2260:121:7000::/52 then accept;
reject;
}
# Uplink zum FF Rheinland
template bgp uplink {
local as 65066;
import where is_default();
export filter hostroute;
gateway recursive;
}
protocol bgp ffrl_bb_a_ak_ber from uplink {
source address 2a03:2260:0:30c::2;
neighbor 2a03:2260:0:30c::1 as 201701;
}
protocol bgp ffrl_bb_b_ak_ber from uplink {
source address 2a03:2260:0:30f::2;
neighbor 2a03:2260:0:30f::1 as 201701;
}
protocol bgp ffrl_bb_a_ix_dus from uplink {
source address 2a03:2260:0:30e::2;
neighbor 2a03:2260:0:30e::1 as 201701;
}
protocol bgp ffrl_bb_b_ix_dus from uplink {
source address 2a03:2260:0:311::2;
neighbor 2a03:2260:0:311::1 as 201701;
}
protocol bgp ffrl_bb_a_fra3_fra from uplink {
source address 2a03:2260:0:30d::2;
neighbor 2a03:2260:0:30d::1 as 201701;
}
protocol bgp ffrl_bb_b_fra3_fra from uplink {
source address 2a03:2260:0:310::2;
neighbor 2a03:2260:0:310::1 as 201701;
}


@ -1,15 +0,0 @@
# Version 1.3
ddns-update-style none;
option domain-name "ff";
default-lease-time 300;
max-lease-time 3600;
log-facility local7;
subnet {{ sn_mesh_IPv4_net }} netmask 255.255.224.0 {
authoritative;
range {{ sn_dhcp_range }};
option domain-name-servers {{ sn_mesh_IPv4 }};
option routers {{ sn_mesh_IPv4 }};
option interface-mtu {{ sn_mtu }};
interface bat0;
}
include "/opt/freifunk/static-dhcp/static.conf";


@ -1,15 +0,0 @@
# Enable RFC 5007 support (same than for DHCPv4)
allow leasequery;
authoritative;
default-lease-time 300;
max-lease-time 600;
option dhcp6.name-servers {{ sn_mesh_IPv6 }};
option dhcp6.domain-search "ff";
subnet6 {{ sn_mesh_IPv6_net }} {
}


@ -1,25 +0,0 @@
;; db.ff
;; Forwardlookupzone für .ff
;;
$TTL 600
@ IN SOA ff. root.ff. (
2015584544 ; Serial
8H ; Refresh
2H ; Retry
4W ; Expire
3H ) ; NX (TTL Negativ Cache)
@ IN NS {{ sn_hostname }}.infra.ff.
IN A {{ sn_mesh_IPv4 }}
IN AAAA {{ sn_mesh_IPv6 }}
localhost IN A 127.0.0.1
IN AAAA ::1
nextnode IN A 10.188.0.1
IN AAAA 2a03:2260:121::1
;;This Supernode
{{ sn_hostname }}.infra IN A {{ sn_mesh_IPv4 }}
IN AAAA {{ sn_mesh_IPv6 }}
;; Update Servers
update1.infra IN AAAA 2a03:2260:121:4000:6038:61ff:fe34:3461
update2.infra IN AAAA 2a03:2260:121:4000:6038:61ff:fe34:3461
update3.infra IN AAAA 2a03:2260:121:4000:6038:61ff:fe34:3461


@ -1,6 +0,0 @@
// Zone declarations for Freifunk
zone "ff" {
type master;
file "/etc/bind/ff/db.ff";
};


@ -1,164 +0,0 @@
# This is the default ansible 'hosts' file.
#
# It should live in /etc/ansible/hosts
#
# - Comments begin with the '#' character
# - Blank lines are ignored
# - Groups of hosts are delimited by [header] elements
# - You can enter hostnames or ip addresses
# - A hostname/ip can be a member of multiple groups
# Ex 1: Ungrouped hosts, specify before any group headers.
#green.example.com
#blue.example.com
#192.168.100.1
#192.168.100.10
# Ex 2: A collection of hosts belonging to the 'webservers' group
#[webservers]
#alpha.example.org
#beta.example.org
#192.168.1.100
#192.168.1.110
# If you have multiple hosts following a pattern you can specify
# them like this:
#www[001:006].example.com
# Ex 3: A collection of database servers in the 'dbservers' group
#[dbservers]
#
#db01.intranet.mydomain.net
#db02.intranet.mydomain.net
#10.25.1.56
#10.25.1.57
# Here's another example of host ranges, this time there are no
# leading 0s:
#db-[99:101]-node.example.com
[freifunk_Lohmar]
82.165.139.113 ansible_ssh_port=2222
[freifunk]
46.4.138.180 ansible_ssh_port=2222
46.4.138.181 ansible_ssh_port=2222
46.4.138.182 ansible_ssh_port=2222
46.4.138.183 ansible_ssh_port=2222
46.4.138.188 ansible_ssh_port=22
46.4.138.189 ansible_ssh_port=22
[freifunk_sn:children]
troisdorf4
troisdorf5
troisdorf6
troisdorf7
[freifunk_sn_l2tp:children]
troisdorf4
troisdorf5
troisdorf6
troisdorf7
[freifunk_sn:vars]
ansible_ssh_port=22
ansible_ssh_user=root
sn_mtu=1312
sn_l2tp_tb_port=53842
sn_l2tp_tb_backup_port=53840
sn_fqdn=freifunk-troisdorf.de
static_dhcp_repo=https://github.com/Freifunk-Troisdorf/static-dhcp.git
root_password_file=/home/localadmin/root_pwd.yml
slack_token_file=/home/localadmin/slack_token.yml
[troisdorf4]
4.freifunk-troisdorf.de
[troisdorf4:vars]
sn_number=4
sn_hostname=troisdorf4
sn_dhcp_range=10.188.8.0 10.188.15.254
sn_mesh_IPv6=2a03:2260:121:4000::4
sn_mesh_IPv6_net=2a03:2260:121:4000::/64
sn_mesh_IPv6_xfer=2a03:2260:121:4000::2
sn_mesh_IPv4=10.188.0.4
sn_mesh_IPv4_brcast=10.188.31.255
sn_mesh_IPv4_net=10.188.0.0
sn_mesh_IPv4_xfer=10.188.0.2
sn_mesh_MAC=a2:8c:ae:6f:f6:04
ul_mesh_MAC=a2:8c:ae:6f:f6:40
sn_ffrl_IPv4=185.66.193.104
sn_exit=1
sn_interface_name=eth0
yanic_domain=tdf
[troisdorf5]
5.fftdf.de
[troisdorf5:vars]
sn_number=5
sn_hostname=troisdorf5
sn_dhcp_range=10.188.40.0 10.188.47.255
sn_mesh_IPv6=2a03:2260:121:5000::5
sn_mesh_IPv6_net=2a03:2260:121:5000::/64
sn_mesh_IPv6_xfer=2a03:2260:121:5000::2
sn_mesh_IPv4=10.188.32.5
sn_mesh_IPv4_brcast=10.188.63.255
sn_mesh_IPv4_net=10.188.32.0
sn_mesh_IPv4_xfer=10.188.32.2
sn_mesh_MAC=a2:8c:ae:6f:f6:05
ul_mesh_MAC=a2:8c:ae:6f:f6:50
sn_ffrl_IPv4=185.66.193.105
sn_exit=1
sn_interface_name=eth0
yanic_domain=inn
[troisdorf6]
6.fftdf.de
[troisdorf6:vars]
sn_number=6
sn_hostname=troisdorf6
sn_dhcp_range=10.188.72.0 10.188.79.255
sn_mesh_IPv6=2a03:2260:121:6000::6
sn_mesh_IPv6_net=2a03:2260:121:6000::/64
sn_mesh_IPv6_xfer=2a03:2260:121:6000::2
sn_mesh_IPv4=10.188.64.6
sn_mesh_IPv4_brcast=10.188.95.255
sn_mesh_IPv4_net=10.188.64.0
sn_mesh_IPv4_xfer=10.188.64.2
sn_mesh_MAC=a2:8c:ae:6f:f6:06
ul_mesh_MAC=a2:8c:ae:6f:f6:60
sn_ffrl_IPv4=185.66.193.106
sn_exit=1
sn_interface_name=eth0
yanic_domain=flu
[troisdorf7]
7.fftdf.de
[troisdorf7:vars]
sn_number=7
sn_hostname=troisdorf7
sn_dhcp_range=10.188.104.0 10.188.111.255
sn_mesh_IPv6=2a03:2260:121:7000::7
sn_mesh_IPv6_net=2a03:2260:121:7000::/64
sn_mesh_IPv6_xfer=2a03:2260:121:7000::2
sn_mesh_IPv4=10.188.96.7
sn_mesh_IPv4_brcast=10.188.127.255
sn_mesh_IPv4_net=10.188.96.0
sn_mesh_IPv4_xfer=10.188.96.2
sn_mesh_MAC=a2:8c:ae:6f:f6:07
ul_mesh_MAC=a2:8c:ae:6f:f6:70
sn_ffrl_IPv4=185.66.193.107
sn_local_exit=1
sn_interface_name=ens18
yanic_domain=evt


@ -1,142 +0,0 @@
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
up ip address add 185.66.193.104/32 dev lo
iface lo inet6 loopback
up ip address add 2a03:2260:121:4000::105/52 dev lo
# The primary network interface
allow-hotplug {{ sn_interface_name }}
iface {{ sn_interface_name }} inet static
address 46.4.156.114
netmask 255.255.255.255
gateway 163.172.210.1
pointopoint 163.172.210.1
post-up iptables -P OUTPUT ACCEPT
post-up iptables -A OUTPUT -o $IFACE -d 10.0.0.0/8 -j DROP
post-up iptables -A OUTPUT -o $IFACE -d 172.16.0.0/12 -j DROP
post-up iptables -A OUTPUT -o $IFACE -d 169.254.0.0/16 -j DROP
post-up iptables -A OUTPUT -o $IFACE -d 192.168.0.0/16 -j DROP
post-up iptables -A FORWARD -o $IFACE -d 10.0.0.0/8 -j DROP
post-up iptables -A FORWARD -o $IFACE -d 172.16.0.0/12 -j DROP
post-up iptables -A FORWARD -o $IFACE -d 169.254.0.0/16 -j DROP
post-up iptables -A FORWARD -o $IFACE -d 192.168.0.0/16 -j DROP
post-up iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE
auto 6to4
iface 6to4 inet6 6to4
local 46.4.156.114
# GRE Tunnel zum Rheinland Backbone
# - Die Konfigurationsdaten werden vom Rheinland Backbone vergeben und zugewiesen
# Berlin Router A
auto gre-bb-a.ak.ber
iface gre-bb-a.ak.ber inet static
address 100.64.6.13
netmask 255.255.255.254
pre-up ip tunnel add $IFACE mode gre local 46.4.156.114 remote 185.66.195.0 ttl 255
post-up iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.104
post-up iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
post-up ip link set $IFACE mtu 1400
post-down iptables -t nat -D POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.104
post-down ip tunnel del $IFACE
iface gre-bb-a.ak.ber inet6 static
address 2a03:2260:0:306::2/64
netmask 64
post-up ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
# Berlin Router B
auto gre-bb-b.ak.ber
iface gre-bb-b.ak.ber inet static
address 100.64.6.19
netmask 255.255.255.254
pre-up ip tunnel add $IFACE mode gre local 46.4.156.114 remote 185.66.195.1 ttl 255
post-up iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.104
post-up iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
post-up ip link set $IFACE mtu 1400
post-down iptables -t nat -D POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.104
post-down ip tunnel del $IFACE
iface gre-bb-b.ak.ber inet6 static
address 2a03:2260:0:309::2/64
netmask 64
post-up ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
# Duesseldorf Router A
auto gre-bb-a.ix.dus
iface gre-bb-a.ix.dus inet static
address 100.64.6.17
netmask 255.255.255.254
pre-up ip tunnel add $IFACE mode gre local 46.4.156.114 remote 185.66.193.0 ttl 255
post-up iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.104
post-up iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
post-up ip link set $IFACE mtu 1400
post-down iptables -t nat -D POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.104
post-down ip tunnel del $IFACE
iface gre-bb-a.ix.dus inet6 static
address 2a03:2260:0:308::2/64
netmask 64
post-up ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
# Duesseldorf Router B
auto gre-bb-b.ix.dus
iface gre-bb-b.ix.dus inet static
address 100.64.6.23
netmask 255.255.255.254
pre-up ip tunnel add $IFACE mode gre local 46.4.156.114 remote 185.66.193.1 ttl 255
post-up iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.104
post-up iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
post-up ip link set $IFACE mtu 1400
post-down iptables -t nat -D POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.104
post-down ip tunnel del $IFACE
iface gre-bb-b.ix.dus inet6 static
address 2a03:2260:0:30b::2/64
netmask 64
post-up ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
# Frankfurt Router A
auto gre-bb-a.fra3.f
iface gre-bb-a.fra3.f inet static
address 100.64.6.15
netmask 255.255.255.254
pre-up ip tunnel add $IFACE mode gre local 46.4.156.114 remote 185.66.194.0 ttl 255
post-up iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.104
post-up iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
post-up ip link set $IFACE mtu 1400
post-down iptables -t nat -D POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.104
post-down ip tunnel del $IFACE
iface gre-bb-a.fra3.f inet6 static
address 2a03:2260:0:307::2/64
netmask 64
post-up ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
# Frankfurt Router B
auto gre-bb-b.fra3.f
iface gre-bb-b.fra3.f inet static
address 100.64.6.21
netmask 255.255.255.254
pre-up ip tunnel add $IFACE mode gre local 46.4.156.114 remote 185.66.194.1 ttl 255
post-up iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.104
post-up iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
post-up ip link set $IFACE mtu 1400
post-down iptables -t nat -D POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.104
post-down ip tunnel del $IFACE
iface gre-bb-b.fra3.f inet6 static
address 2a03:2260:0:30a::2/64
netmask 64
post-up ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312


@ -1,106 +0,0 @@
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
up ip address add 185.66.193.105/32 dev lo
iface lo inet6 loopback
up ip address add 2a03:2260:121:5000::105/52 dev lo
# The primary network interface
allow-hotplug {{ sn_interface_name }}
iface {{ sn_interface_name }} inet static
address 46.4.156.115
netmask 255.255.255.240
gateway 46.4.156.113
post-up iptables -P OUTPUT ACCEPT
post-up iptables -A OUTPUT -o $IFACE -d 10.0.0.0/8 -j DROP
post-up iptables -A OUTPUT -o $IFACE -d 172.16.0.0/12 -j DROP
post-up iptables -A OUTPUT -o $IFACE -d 169.254.0.0/16 -j DROP
post-up iptables -A OUTPUT -o $IFACE -d 192.168.0.0/16 -j DROP
post-up iptables -A FORWARD -o $IFACE -d 10.0.0.0/8 -j DROP
post-up iptables -A FORWARD -o $IFACE -d 172.16.0.0/12 -j DROP
post-up iptables -A FORWARD -o $IFACE -d 169.254.0.0/16 -j DROP
post-up iptables -A FORWARD -o $IFACE -d 192.168.0.0/16 -j DROP
post-up iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE
auto 6to4
iface 6to4 inet6 6to4
local 46.4.156.115
# GRE Tunnel zum Rheinland Backbone
# - Die Konfigurationsdaten werden vom Rheinland Backbone vergeben und zugewiesen
# Berlin Router A
auto gre-bb-a.ak.ber
iface gre-bb-a.ak.ber inet static
address 100.64.2.151
netmask 255.255.255.254
pre-up ip tunnel add $IFACE mode gre local 46.4.156.115 remote 185.66.195.0 ttl 255
post-up iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.105
post-up iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
post-up ip link set $IFACE mtu 1400
post-down iptables -t nat -D POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.105
post-down ip tunnel del $IFACE
iface gre-bb-a.ak.ber inet6 static
address 2a03:2260:0:155::2/64
netmask 64
post-up ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
# Berlin Router B
auto gre-bb-b.ak.ber
iface gre-bb-b.ak.ber inet static
address 100.64.2.153
netmask 255.255.255.254
pre-up ip tunnel add $IFACE mode gre local 46.4.156.115 remote 185.66.195.1 ttl 255
post-up iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.105
post-up iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
post-up ip link set $IFACE mtu 1400
post-down iptables -t nat -D POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.105
post-down ip tunnel del $IFACE
iface gre-bb-b.ak.ber inet6 static
address 2a03:2260:0:156::2/64
netmask 64
post-up ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
# Duesseldorf Router A
auto gre-bb-a.ix.dus
iface gre-bb-a.ix.dus inet static
address 100.64.2.155
netmask 255.255.255.254
pre-up ip tunnel add $IFACE mode gre local 46.4.156.115 remote 185.66.193.0 ttl 255
post-up iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.105
post-up iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
post-up ip link set $IFACE mtu 1400
post-down iptables -t nat -D POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.105
post-down ip tunnel del $IFACE
iface gre-bb-a.ix.dus inet6 static
address 2a03:2260:0:157::2/64
netmask 64
post-up ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
# Duesseldorf Router B
auto gre-bb-b.ix.dus
iface gre-bb-b.ix.dus inet static
address 100.64.2.157
netmask 255.255.255.254
pre-up ip tunnel add $IFACE mode gre local 46.4.156.115 remote 185.66.193.1 ttl 255
post-up iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.105
post-up iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
post-up ip link set $IFACE mtu 1400
post-down iptables -t nat -D POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.105
post-down ip tunnel del $IFACE
iface gre-bb-b.ix.dus inet6 static
address 2a03:2260:0:158::2/64
netmask 64
post-up ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312


@ -1,110 +0,0 @@
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
up ip address add 185.66.193.106/32 dev lo
iface lo inet6 loopback
up ip address add 2a03:2260:121:6000::105/52 dev lo
# The primary network interface
allow-hotplug {{ sn_interface_name }}
iface {{ sn_interface_name }} inet static
address 46.4.156.116
netmask 255.255.255.255
gateway 163.172.210.1
pointopoint 163.172.210.1
post-up iptables -P OUTPUT ACCEPT
post-up iptables -A OUTPUT -o $IFACE -d 10.0.0.0/8 -j DROP
post-up iptables -A OUTPUT -o $IFACE -d 172.16.0.0/12 -j DROP
post-up iptables -A OUTPUT -o $IFACE -d 169.254.0.0/16 -j DROP
post-up iptables -A OUTPUT -o $IFACE -d 192.168.0.0/16 -j DROP
post-up iptables -A FORWARD -o $IFACE -d 10.0.0.0/8 -j DROP
post-up iptables -A FORWARD -o $IFACE -d 172.16.0.0/12 -j DROP
post-up iptables -A FORWARD -o $IFACE -d 169.254.0.0/16 -j DROP
post-up iptables -A FORWARD -o $IFACE -d 192.168.0.0/16 -j DROP
post-up iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE
auto 6to4
iface 6to4 inet6 6to4
local 46.4.156.116
post-up ip6tables -P OUTPUT ACCEPT
post-up ip6tables -A OUTPUT -o $IFACE -d fc00::/7 -j DROP
# GRE Tunnel zum Rheinland Backbone
# - Die Konfigurationsdaten werden vom Rheinland Backbone vergeben und zugewiesen
# Berlin Router A
auto gre-bb-a.ak.ber
iface gre-bb-a.ak.ber inet static
address 100.64.2.159
netmask 255.255.255.254
pre-up ip tunnel add $IFACE mode gre local 46.4.156.116 remote 185.66.195.0 ttl 255
post-up iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.106
post-up iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
post-up ip link set $IFACE mtu 1400
post-down iptables -t nat -D POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.106
post-down ip tunnel del $IFACE
iface gre-bb-a.ak.ber inet6 static
address 2a03:2260:0:159::2/64
post-up ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
netmask 64
# Berlin Router B
auto gre-bb-b.ak.ber
iface gre-bb-b.ak.ber inet static
address 100.64.2.161
netmask 255.255.255.254
pre-up ip tunnel add $IFACE mode gre local 46.4.156.116 remote 185.66.195.1 ttl 255
post-up iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.106
post-up iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
post-up ip link set $IFACE mtu 1400
post-down iptables -t nat -D POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.106
post-down ip tunnel del $IFACE
iface gre-bb-b.ak.ber inet6 static
address 2a03:2260:0:15a::2/64
post-up ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
netmask 64
# Duesseldorf Router A
auto gre-bb-a.ix.dus
iface gre-bb-a.ix.dus inet static
address 100.64.2.163
netmask 255.255.255.254
pre-up ip tunnel add $IFACE mode gre local 46.4.156.116 remote 185.66.193.0 ttl 255
post-up iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.106
post-up iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
post-up ip link set $IFACE mtu 1400
post-down iptables -t nat -D POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.106
post-down ip tunnel del $IFACE
iface gre-bb-a.ix.dus inet6 static
address 2a03:2260:0:15b::2/64
netmask 64
post-up ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
# Duesseldorf Router B
auto gre-bb-b.ix.dus
iface gre-bb-b.ix.dus inet static
address 100.64.2.165
netmask 255.255.255.254
pre-up ip tunnel add $IFACE mode gre local 46.4.156.116 remote 185.66.193.1 ttl 255
post-up iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.106
post-up iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
post-up ip link set $IFACE mtu 1400
post-down iptables -t nat -D POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.106
post-down ip tunnel del $IFACE
iface gre-bb-b.ix.dus inet6 static
address 2a03:2260:0:15c::2/64
netmask 64
post-up ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312


@ -1,141 +0,0 @@
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
up ip address add 185.66.193.107/32 dev lo
iface lo inet6 loopback
up ip address add 2a03:2260:121:7000::107/52 dev lo
# The primary network interface
allow-hotplug {{ sn_interface_name }}
iface {{ sn_interface_name }} inet static
address 93.241.53.100
netmask 255.255.255.0
gateway 93.241.53.1
post-up iptables -P OUTPUT ACCEPT
post-up iptables -A OUTPUT -o $IFACE -d 10.0.0.0/8 -j DROP
post-up iptables -A OUTPUT -o $IFACE -d 172.16.0.0/12 -j DROP
post-up iptables -A OUTPUT -o $IFACE -d 169.254.0.0/16 -j DROP
post-up iptables -A OUTPUT -o $IFACE -d 192.168.0.0/16 -j DROP
post-up iptables -A FORWARD -o $IFACE -d 10.0.0.0/8 -j DROP
post-up iptables -A FORWARD -o $IFACE -d 172.16.0.0/12 -j DROP
post-up iptables -A FORWARD -o $IFACE -d 169.254.0.0/16 -j DROP
post-up iptables -A FORWARD -o $IFACE -d 192.168.0.0/16 -j DROP
post-up iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE
#auto 6to4
# iface 6to4 inet6 6to4
# local 93.241.53.100
# GRE Tunnel zum Rheinland Backbone
# - Die Konfigurationsdaten werden vom Rheinland Backbone vergeben und zugewiesen
# Berlin Router A
auto gre-bb-a.ak.ber
iface gre-bb-a.ak.ber inet static
address 100.64.6.25
netmask 255.255.255.254
pre-up ip tunnel add $IFACE mode gre local 93.241.53.100 remote 185.66.195.0 ttl 255
post-up iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.107
post-up iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
post-up ip link set $IFACE mtu 1400
post-down iptables -t nat -D POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.107
post-down ip tunnel del $IFACE
iface gre-bb-a.ak.ber inet6 static
address 2a03:2260:0:30c::2/64
netmask 64
post-up ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
# Berlin Router B
auto gre-bb-b.ak.ber
iface gre-bb-b.ak.ber inet static
address 100.64.6.31
netmask 255.255.255.254
pre-up ip tunnel add $IFACE mode gre local 93.241.53.100 remote 185.66.195.1 ttl 255
post-up iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.107
post-up iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
post-up ip link set $IFACE mtu 1400
post-down iptables -t nat -D POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.107
post-down ip tunnel del $IFACE
iface gre-bb-b.ak.ber inet6 static
address 2a03:2260:0:30f::2/64
netmask 64
post-up ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
# Duesseldorf Router A
auto gre-bb-a.ix.dus
iface gre-bb-a.ix.dus inet static
address 100.64.6.29
netmask 255.255.255.254
pre-up ip tunnel add $IFACE mode gre local 93.241.53.100 remote 185.66.193.0 ttl 255
post-up iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.107
post-up iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
post-up ip link set $IFACE mtu 1400
post-down iptables -t nat -D POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.107
post-down ip tunnel del $IFACE
iface gre-bb-a.ix.dus inet6 static
address 2a03:2260:0:30e::2/64
netmask 64
post-up ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
# Duesseldorf Router B
auto gre-bb-b.ix.dus
iface gre-bb-b.ix.dus inet static
address 100.64.6.35
netmask 255.255.255.254
pre-up ip tunnel add $IFACE mode gre local 93.241.53.100 remote 185.66.193.1 ttl 255
post-up iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.107
post-up iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
post-up ip link set $IFACE mtu 1400
post-down iptables -t nat -D POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.107
post-down ip tunnel del $IFACE
iface gre-bb-b.ix.dus inet6 static
address 2a03:2260:0:311::2/64
netmask 64
post-up ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
# Frankfurt Router A
auto gre-bb-a.fra3.f
iface gre-bb-a.fra3.f inet static
address 100.64.6.27
netmask 255.255.255.254
pre-up ip tunnel add $IFACE mode gre local 93.241.53.100 remote 185.66.194.0 ttl 255
post-up iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.107
post-up iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
post-up ip link set $IFACE mtu 1400
post-down iptables -t nat -D POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.107
post-down ip tunnel del $IFACE
iface gre-bb-a.fra3.f inet6 static
address 2a03:2260:0:30d::2/64
netmask 64
post-up ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
# Frankfurt Router B
auto gre-bb-b.fra3.f
iface gre-bb-b.fra3.f inet static
address 100.64.6.33
netmask 255.255.255.254
pre-up ip tunnel add $IFACE mode gre local 93.241.53.100 remote 185.66.194.1 ttl 255
post-up iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.107
post-up iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312
post-up ip link set $IFACE mtu 1400
post-down iptables -t nat -D POSTROUTING -o $IFACE -j SNAT --to-source 185.66.193.107
post-down ip tunnel del $IFACE
iface gre-bb-b.fra3.f inet6 static
address 2a03:2260:0:310::2/64
netmask 64
post-up ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $IFACE -j TCPMSS --set-mss 1312


@ -1,34 +0,0 @@
#!/bin/sh
# Version 9
sleep 60
batctl=/usr/local/sbin/batctl
ip=/sbin/ip
communitymacaddress="{{ communitymac }}"
localserver=$(/bin/hostname)
communityname={{ communityname }}
# Rest Starten
$ip link set address $communitymacaddress:0${localserver#$communityname} dev bat0
$ip link set up dev bat0
$ip addr add {{ sn_mesh_IPv4 }}/19 broadcast {{ sn_mesh_IPv4_brcast }} dev bat0
$ip -6 addr add {{ sn_mesh_IPv6 }}/64 dev bat0
$ip route add 10.188.0.0/16 via {{ sn_mesh_IPv4_xfer }} table 42
$ip route add 10.188.0.0/16 via {{ sn_mesh_IPv4_xfer }}
$ip -6 route add 2a03:2260:121:4000::/52 via {{ sn_mesh_IPv6_xfer }} table 42
$ip -6 route add 2a03:2260:121:5000::/52 via {{ sn_mesh_IPv6_xfer }} table 42
$ip -6 route add 2a03:2260:121:6000::/52 via {{ sn_mesh_IPv6_xfer }} table 42
$ip -6 route add 2a03:2260:121:7000::/52 via {{ sn_mesh_IPv6_xfer }} table 42
/usr/bin/killall batadv-vis
/bin/sleep 15
$batadv -i bat0 -s > /dev/null 2>&1 &
/bin/sleep 15
/usr/sbin/service tunneldigger restart
/usr/sbin/service bind9 restart
/usr/sbin/service bird restart
/usr/sbin/service bird6 restart
/usr/sbin/service isc-dhcp-server restart
/usr/sbin/service radvd restart
$batctl gw server 100Mbit/100Mbit


@ -1,34 +0,0 @@
# see "man logrotate" for details
# rotate log files weekly
#weekly
daily
# keep 4 weeks worth of backlogs
#rotate 4
rotate 1
# create new (empty) log files after rotating old ones
create
# uncomment this if you want your log files compressed
#compress
# packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own wtmp, or btmp -- we'll rotate them here
/var/log/wtmp {
missingok
monthly
create 0664 root utmp
rotate 1
}
/var/log/btmp {
missingok
monthly
create 0660 root utmp
rotate 1
}
# system-specific logs may be configured here


@ -1,12 +0,0 @@
interface bat0 {
AdvSendAdvert on;
IgnoreIfMissing on;
MaxRtrAdvInterval 200;
RDNSS {{ sn_mesh_IPv6 }} {};
prefix {{ sn_mesh_IPv6_net }} {
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
};
};


@ -1 +0,0 @@
sn_rootpasswd: xyz


@ -1 +0,0 @@
slack_token: "XYZ"


@ -1,13 +0,0 @@
# ----------
# Configuration
# Describes the Incoming Webhook allowing you to post messages into Slack.
# After the configuration, copy this file to /etc or your home directory.
# NOTE : Please rename this file to '.slacktee', if you'd like to place this in your home directory.
# ----------
webhook_url="https://hooks.slack.com/services/{{ slack_token }}" # Incoming Webhooks integration URL. See https://my.slack.com/services/new/incoming-webhook
upload_token="" # The user's API authentication token, only used for file uploads. See https://api.slack.com/#auth
channel="technik" # Default channel to post messages. '#' is prepended, if it doesn't start with '#' or '@'.
tmp_dir="/tmp" # Temporary file is created in this directory.
username="slacktee" # Default username to post messages.
icon="ghost" # Default emoji or a direct url to an image to post messages. You don't have to wrap emoji with ':'. See http://www.emoji-cheat-sheet.com.
attachment="" # Default color of the attachments. If an empty string is specified, the attachments are not used.


@ -1,605 +0,0 @@
#!/usr/bin/env bash
# ----------
# Default Configuration
# ----------
webhook_url="" # Incoming Webhooks integration URL
upload_token="" # The user's API authentication token, only used for file uploads
channel="general" # Default channel to post messages. '#' is prepended, if it doesn't start with '#' or '@'.
tmp_dir="/tmp" # Temporary file is created in this directory.
username="slacktee" # Default username to post messages.
icon="ghost" # Default emoji to post messages. Don't wrap it with ':'. See http://www.emoji-cheat-sheet.com; can be a url too.
attachment="" # Default color of the attachments. If an empty string is specified, the attachments are not used.
# ----------
# Initialization
# ----------
me=$(basename "$0")
title=""
mode="buffering"
link=""
textWrapper="\`\`\`"
parseMode=""
fields=()
# Since bash 3 doesn't support the associative array, we store colors and patterns separately
cond_color_colors=()
cond_color_patterns=()
found_pattern_color=""
# This color is used when 'attachment' is used without color specification
internal_default_color="#C0C0C0"
# Since bash 3 doesn't support the associative array, we store prefixes and patterns separately
cond_prefix_prefixes=()
cond_prefix_patterns=()
found_title_prefix=""
function show_help()
{
echo "usage: $me [options]"
echo " options:"
echo " -h, --help Show this help."
echo " -n, --no-buffering Post input values without buffering."
echo " -f, --file Post input values as a file."
echo " -l, --link Add a URL link to the message."
echo " -c, --channel channel_name Post input values to specified channel or user."
echo " -u, --username user_name This username is used for posting."
echo " -i, --icon emoji_name|url This icon is used for posting. You can use a word"
echo " from http://www.emoji-cheat-sheet.com or a direct url to an image."
echo " -t, --title title_string This title is added to posts."
echo " -m, --message-formatting format Switch message formatting (none|link_names|full)."
echo " See https://api.slack.com/docs/formatting for more details."
echo " -p, --plain-text Don't surround the post with triple backticks."
echo " -a, --attachment [color] Use attachment (richly-formatted message)"
echo " Color can be 'good','warning','danger' or any hex color code (eg. #439FE0)"
echo " See https://api.slack.com/docs/attachments for more details."
echo " -e, --field title value Add a field to the attachment. You can specify this multiple times."
echo " -s, --short-field title value Add a short field to the attachment. You can specify this multiple times."
echo " -o, --cond-color color pattern Change the attachment color if the specified Regex pattern matches the input."
echo " You can specify this multile times."
echo " If more than one pattern matches, the latest matched pattern is used."
echo " -d, --cond-prefix prefix pattern This prefix is added to the message, if the specified Regex pattern matches the input."
echo " You can specify this multile times."
echo " If more than one pattern matches, the latest matched pattern is used."
echo " --config config_file Specify the location of the config file."
echo " --setup Setup slacktee interactively."
}
function send_message()
{
message="$1"
# Prepend the prefix to the message, if it's set
if [[ -z $attachment && -n $found_pattern_prefix ]]; then
message="$found_pattern_prefix$message"
# Clear conditional prefix for the nest send
found_pattern_prefix=""
fi
escaped_message=$(echo "$textWrapper\n$message\n$textWrapper" | sed 's/"/\\"/g' | sed "s/'/\\'/g" )
message_attr=""
if [[ $message != "" ]]; then
if [[ -n $attachment ]]; then
# Set message color
message_color="$attachment"
if [[ -n $found_pattern_color ]]; then
message_color="$found_pattern_color"
# Reset with the default color for the next send
found_pattern_color="$attachment"
fi
message_attr="\"attachments\": [{ \"color\": \"$message_color\", \"mrkdwn_in\": [\"text\", \"fields\"], \"text\": \"$escaped_message\" "
if [[ -n $found_pattern_prefix ]]; then
title="$found_pattern_prefix $title"
# Clear conditional prefix for the nest send
found_pattern_prefix=""
fi
if [[ -n $title ]]; then
message_attr="$message_attr, \"title\": \"$title\" "
fi
if [[ -n $link ]]; then
message_attr="$message_attr, \"title_link\": \"$link\" "
fi
if [[ $mode == "file" ]]; then
fields+=("{\"title\": \"Access URL\", \"value\": \"$access_url\" }")
fields+=("{\"title\": \"Download URL\", \"value\": \"$download_url\"}")
fi
if [[ ${#fields[@]} != 0 ]]; then
message_attr="$message_attr, \"fields\": ["
for field in "${fields[@]}"; do
message_attr="$message_attr $field,"
done
message_attr=${message_attr%?} # Remove last comma
message_attr="$message_attr ]"
fi
# Close attachment
message_attr="$message_attr }], "
else
message_attr="\"text\": \"$escaped_message\","
fi
icon_url=""
icon_emoji=""
if echo "$icon" | grep -q "^https\?://.*"; then
icon_url="$icon"
else
icon_emoji=":$icon:"
fi
json="{\"channel\": \"$channel\", \"username\": \"$username\", $message_attr \"icon_emoji\": \"$icon_emoji\", \"icon_url\": \"$icon_url\" $parseMode}"
post_result=$(curl -X POST --data-urlencode "payload=$json" "$webhook_url" 2> /dev/null)
exit_code=1
if [[ $post_result == "ok" ]]; then
exit_code=0
fi
fi
}
function process_line()
{
echo "$1"
line="$(echo "$1" | sed $'s/\t/ /g')"
# Check the patterns of the conditional colors
# If more than one pattern matches, the latest pattern is used
if [[ ${#cond_color_patterns[@]} != 0 ]]; then
for i in "${!cond_color_patterns[@]}"; do
if [[ $line =~ ${cond_color_patterns[$i]} ]]; then
found_pattern_color=${cond_color_colors[$i]}
fi
done
fi
# Check the patterns of the conditional titles
# If more than one pattern matches, the latest pattern is used
if [[ ${#cond_prefix_patterns[@]} != 0 ]]; then
for i in "${!cond_prefix_patterns[@]}"; do
if [[ $line =~ ${cond_prefix_patterns[$i]} ]]; then
found_pattern_prefix=${cond_prefix_prefixes[$i]}
if [[ -n $attachment || $mode != "no-buffering" ]]; then
# Append a line break to the prefix for better formatting
found_pattern_prefix="$found_pattern_prefix\n"
else
# Append a space to the prefix for better formatting
found_pattern_prefix="$found_pattern_prefix "
fi
fi
done
fi
if [[ $mode == "no-buffering" ]]; then
prefix=''
if [[ -z $attachment ]]; then
prefix=$title
fi
send_message "$prefix$line"
elif [[ $mode == "file" ]]; then
echo "$line" >> "$filename"
else
if [[ -z "$text" ]]; then
text="$line"
else
text="$text\n$line"
fi
fi
}
function setup()
{
if [[ -z "$HOME" ]]; then
echo "\$HOME is not defined. Please set it first."
exit 1
fi
local_conf="$HOME/.slacktee"
if [[ -e "$local_conf" ]]; then
echo ".slacktee is found in your home directory."
read -p "Are you sure to overwrite it? [y/n] :" choice
case "$choice" in
y|Y )
# Continue
;;
* )
exit 0 # Abort
;;
esac
fi
# Load current local config
. $local_conf
# Start setup
read -p "Incoming Webhook URL [$webhook_url]: " input_webhook_url
if [[ -z "$input_webhook_url" ]]; then
input_webhook_url=$webhook_url
fi
read -p "Upload Token [$upload_token]: " input_upload_token
if [[ -z "$input_upload_token" ]]; then
input_upload_token=$upload_token
fi
read -p "Temporary Directory [$tmp_dir]: " input_tmp_dir
if [[ -z "$input_tmp_dir" ]]; then
input_tmp_dir=$tmp_dir
fi
read -p "Default Channel [$channel]: " input_channel
if [[ -z "$input_channel" ]]; then
input_channel=$channel
fi
read -p "Default Username [$username]: " input_username
if [[ -z "$input_username" ]]; then
input_username=$username
fi
read -p "Default Icon: [$icon]: " input_icon
if [[ -z "$input_icon" ]]; then
input_icon=$icon
fi
read -p "Default color of the attachment. (empty string disables attachment) [$attachment]: " input_attachment
if [[ -z "$input_attachment" ]]; then
input_attachment=$attachment
elif [[ $input_attachment == '""' || $input_attachment == "''" ]]; then
input_attachment=""
fi
cat <<- EOF | sed 's/^[[:space:]]*//' > "$local_conf"
webhook_url="$input_webhook_url"
upload_token="$input_upload_token"
tmp_dir="$input_tmp_dir"
channel="$input_channel"
username="$input_username"
icon="$input_icon"
attachment="$input_attachment"
EOF
}
# ----------
# Parse command line options
# ----------
OPTIND=1
while [[ $# -gt 0 ]]; do
opt="$1"
shift
case "$opt" in
-h|\?|--help)
show_help
exit 0
;;
-n|--no-buffering)
mode="no-buffering"
;;
-f|--file)
mode="file"
;;
-l|--link)
link="$1"
shift
;;
-c|--channel)
opt_channel="$1"
shift
;;
-u|--username)
opt_username="$1"
shift
;;
-i|--icon)
opt_icon="$1"
shift
;;
-t|--title)
title="$1"
shift
;;
-d|--cond-prefix)
case "$1" in
-*|'')
# Found next command line option or empty. Error.
echo "a prefix of the conditional title was not specified"
show_help
exit 1
;;
*)
# Prefix should be found
case "$2" in
-*|'')
# Found next command line option or empty. Error.
echo "a pattern of the conditional title was not specified"
show_help
exit 1
;;
*)
# Set the prefix and the pattern to arrays
cond_prefix_prefixes+=("$1")
cond_prefix_patterns+=("$2")
shift
shift
;;
esac
;;
esac
;;
-m|--message-formatting)
case "$1" in
none)
parseMode=', "parse": "none"'
;;
link_names)
parseMode=', "link_names": "1"'
;;
full)
parseMode=', "parse": "full"'
;;
*)
echo "unknown message formatting option"
show_help
exit 1
;;
esac
shift
;;
-p|--plain-text)
textWrapper=""
;;
-a|--attachment)
case "$1" in
-*|'')
# Found next command line option
opt_attachment="$internal_default_color" # Use default color
;;
\#*|good|warning|danger)
# Found hex color code or predefined colors
opt_attachment="$1"
shift
;;
*)
echo "unknown attachment color"
show_help
exit 1
;;
esac
;;
-o|--cond-color)
case "$1" in
-*|'')
# Found next command line option or empty. Error.
echo "a color of the conditional color was not specified"
show_help
exit 1
;;
\#*|good|warning|danger)
# Found hex color code or predefined colors
case "$2" in
-*|'')
# Found next command line option or empty. Error.
echo "a pattern of the conditional color was not specified"
show_help
exit 1
;;
*)
# Set the color and the pattern to arrays
cond_color_colors+=("$1")
cond_color_patterns+=("$2")
shift
shift
;;
esac
;;
*)
echo "unknown attachment color $1"
show_help
exit 1
;;
esac
;;
-e|-s|--field|--short-field)
case "$1" in
-*|'')
# Found next command line option or empty. Error.
echo "field title was not specified"
show_help
exit 1
;;
*)
case "$2" in
-*|'')
# Found next command line option or empty. Error.
echo "field value was not specified"
show_help
exit 1
;;
*)
if [[ $opt == "-s" || $opt == "--short-field" ]]; then
fields+=("{\"title\": \"$1\", \"value\": \"$2\", \"short\": true}")
else
fields+=("{\"title\": \"$1\", \"value\": \"$2\"}")
fi
shift
shift
;;
esac
esac
;;
--config)
CUSTOM_CONFIG=$1
shift
;;
--setup)
setup
exit 1
;;
*)
echo "illegal option $opt"
show_help
exit 1
;;
esac
done
# ---------
# Read in our configurations
# ---------
if [[ -e "/etc/slacktee.conf" ]]; then
. /etc/slacktee.conf
fi
if [[ -n "$HOME" && -e "$HOME/.slacktee" ]]; then
. "$HOME/.slacktee"
fi
if [[ -e "$CUSTOM_CONFIG" ]]; then
. $CUSTOM_CONFIG
fi
# Overwrite webhook_url if the environment variable SLACKTEE_WEBHOOK is set
if [[ "$SLACKTEE_WEBHOOK" != "" ]]; then
webhook_url="$SLACKTEE_WEBHOOK"
fi
# Overwrite upload_token if the environment variable SLACKTEE_TOKEN is set
if [[ "$SLACKTEE_TOKEN" != "" ]]; then
upload_token="$SLACKTEE_TOKEN"
fi
# Overwrite channel if it's specified in the command line option
if [[ "$opt_channel" != "" ]]; then
channel="$opt_channel"
fi
# Overwrite username if it's specified in the command line option
if [[ "$opt_username" != "" ]]; then
username="$opt_username"
fi
# Overwrite icon if it's specified in the command line option
if [[ "$opt_icon" != "" ]]; then
icon="$opt_icon"
fi
# Overwrite attachment if it's specified in the command line option
if [[ "$opt_attachment" != "" ]]; then
attachment="$opt_attachment"
fi
# Set the default color to attachment if it's still empty and the length of the cond_color_patterns is not 0
if [[ -z $attachment ]] && [[ ${#cond_color_patterns[@]} != 0 ]]; then
attachment="$internal_default_color"
fi
# ----------
# Validate configurations
# ----------
if [[ $webhook_url == "" ]]; then
echo "Please setup the webhook url of this incoming webhook integration."
exit 1
fi
if [[ $upload_token == "" && $mode == "file" ]]; then
echo "Please provide the authentication token for file uploads."
exit 1
fi
if [[ $channel == "" ]]; then
echo "Please specify a channel."
exit 1
elif [[ ( "$channel" != "#"* ) && ( "$channel" != "@"* ) ]]; then
channel="#$channel"
fi
if [[ -n "$icon" ]]; then
icon=${icon#:} # remove leading ':'
icon=${icon%:} # remove trailing ':'
fi
# ----------
# Start script
# ----------
text=""
if [[ -n "$title" || -n "$link" ]]; then
# Use link as title, if title is not specified
if [[ -z "$title" ]]; then
title="$link"
fi
# Add title to filename in the file mode
if [[ "$mode" == "file" ]]; then
filetitle=$(echo "$title"|sed 's/[ /:.]//g')
filetitle="$filetitle-"
fi
if [[ -z "$attachment" ]]; then
if [[ "$mode" == "no-buffering" ]]; then
if [[ -n "$link" ]]; then
title="<$link|$title>: "
else
title="$title: "
fi
elif [[ "$mode" == "file" ]]; then
if [[ -n "$link" ]]; then
title="<$link|$title>"
fi
else
if [[ -n "$link" ]]; then
text="-- <$link|$title> --\n"
else
text="-- $title --\n"
fi
fi
fi
fi
timestamp="$(date +'%m%d%Y-%H%M%S')"
filename="$tmp_dir/$filetitle$$-$timestamp.log"
if [[ "$mode" == "file" ]]; then
touch $filename
fi
exit_code=0
while IFS='' read line; do
process_line "$line"
done
if [[ -n $line ]]; then
process_line "$line"
fi
if [[ "$mode" == "buffering" ]]; then
send_message "$text"
elif [[ "$mode" == "file" ]]; then
if [[ -s "$filename" ]]; then
channels_param=""
if [[ ( "$channel" == "#"* ) ]]; then
# Set channels for making the file public
channels_param="-F channels=$channel"
fi
result="$(curl -F file=@"$filename" -F token="$upload_token" $channels_param https://slack.com/api/files.upload 2> /dev/null)"
access_url="$(echo "$result" | awk 'match($0, /url_private":"([^"]*)"/) {print substr($0, RSTART+14, RLENGTH-15)}'|sed 's/\\//g')"
download_url="$(echo "$result" | awk 'match($0, /url_private_download":"([^"]*)"/) {print substr($0, RSTART+23, RLENGTH-24)}'|sed 's/\\//g')"
if [[ -n "$attachment" ]]; then
text="Input file has been uploaded"
else
if [[ "$title" != "" ]]; then
title=" of $title"
fi
text="Input file$title has been uploaded.\n$access_url\n\nYou can download it from the link below.\n$download_url"
fi
send_message "$text"
fi
# Clean up the temp file
rm "$filename"
fi
exit $exit_code


@ -1,58 +0,0 @@
#!/bin/sh
# Version 1.91
sleep 5
curl -X POST --data-urlencode 'payload={"text": "{{ sn_hostname }} is rebooted", "channel": "#technik", "username": "{{ sn_hostname }}", "icon_emoji": ":floppy_disk:"}' https://hooks.slack.com/services/{{ slack_token }}
# Activate IP forwarding
/sbin/sysctl -w net.ipv6.conf.all.forwarding=1
/sbin/sysctl -w net.ipv4.ip_forward=1
# restart when kernel panic
/sbin/sysctl kernel.panic=1
# Routing table 42
/bin/grep 42 /etc/iproute2/rt_tables || /bin/echo 42 ffrl >> /etc/iproute2/rt_tables
# Set table for traffice with mark 4
/bin/ip rule add fwmark 0x4 table 42
/bin/ip -6 rule add fwmark 0x4 table 42
# Set mark 4 to Freifunk traffic
/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MARK --set-mark 4
/sbin/ip6tables -t mangle -A PREROUTING -s 2a03:2260:121::/48 ! -d 2a03:2260:121::/48 -j MARK --set-mark 4
# All from FF IPv4 via routing table 42
/bin/ip rule add from {{ sn_ffrl_IPv4 }}/32 lookup 42
/bin/ip -6 rule add from {{ sn_mesh_IPv6_net }} lookup 42
# Allow MAC address spoofing
/sbin/sysctl net.ipv4.conf.bat0.rp_filter=0
# Create Tunneldigger Bridge
/sbin/brctl addbr br-nodes
/sbin/ip link set dev br-nodes up address 2E:9D:FA:A1:6B:0{{ sn_number }}
/sbin/ebtables -A FORWARD --logical-in br-nodes -j DROP
/usr/local/sbin/batctl if add br-nodes
/bin/sleep 90
/bin/systemctl restart radvd
/bin/sleep 2
/bin/systemctl retsrat tunneldigger
/bin/sleep 2
/bin/systemctl restart bird
/bin/sleep 2
/bin/systemctl restart bird6
/bin/sleep 2
/bin/systemctl restart respondd
/bin/sleep 2
/bin/systemctl stop isc-dhcp-server
/bin/sleep 2
/usr/bin/killall dhcpd
/bin/sleep 2
/bin/rm /var/run/dhcpd.pid
/bin/sleep 2
/bin/systemctl start isc-dhcp-server
exit 0


@ -1,57 +0,0 @@
#!/bin/sh
# Version 1.91
sleep 5
curl -X POST --data-urlencode 'payload={"text": "{{ sn_hostname }} is rebooted", "channel": "#technik", "username": "{{ sn_hostname }}", "icon_emoji": ":floppy_disk:"}' https://hooks.slack.com/services/{{ slack_token }}
# Activate IP forwarding
/sbin/sysctl -w net.ipv6.conf.all.forwarding=1
/sbin/sysctl -w net.ipv4.ip_forward=1
# restart when kernel panic
/sbin/sysctl kernel.panic=1
# Routing table 42
/bin/grep 42 /etc/iproute2/rt_tables || /bin/echo 42 ffrl >> /etc/iproute2/rt_tables
# Set table for traffice with mark 4
/bin/ip rule add fwmark 0x4 table 42
/bin/ip -6 rule add fwmark 0x4 table 42
# Set mark 4 to Freifunk traffic
#/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MARK --set-mark 4
#/sbin/ip6tables -t mangle -A PREROUTING -s 2a03:2260:121::/48 ! -d 2a03:2260:121::/48 -j MARK --set-mark 4
# All from FF IPv4 via routing table 42
#/bin/ip rule add from {{ sn_ffrl_IPv4 }}/32 lookup 42
#/bin/ip -6 rule add from {{ sn_mesh_IPv6_net }} lookup 42
# Allow MAC address spoofing
/sbin/sysctl net.ipv4.conf.bat0.rp_filter=0
# Create Tunneldigger Bridge
/sbin/brctl addbr br-nodes
/sbin/ip link set dev br-nodes up address 2E:9D:FA:A1:6B:0{{ sn_number }}
/sbin/ebtables -A FORWARD --logical-in br-nodes -j DROP
/usr/local/sbin/batctl if add br-nodes
/bin/sleep 90
/bin/systemctl restart radvd
/bin/sleep 2
/bin/systemctl retsrat tunneldigger
/bin/sleep 2
/bin/systemctl restart bird
/bin/sleep 2
/bin/systemctl restart bird6
/bin/sleep 2
/bin/systemctl restart respondd
/bin/sleep 2
/bin/systemctl stop isc-dhcp-server
/bin/sleep 2
/usr/bin/killall dhcpd
/bin/sleep 2
/bin/rm /var/run/dhcpd.pid
/bin/sleep 2
/bin/systemctl start isc-dhcp-server
exit 0


@ -1,11 +0,0 @@
#!/bin/bash
WDIR=/srv/tunneldigger/env_tunneldigger
VIRTUALENV_DIR=/srv/tunneldigger/env_tunneldigger
cd $WDIR
source $VIRTUALENV_DIR/bin/activate
$VIRTUALENV_DIR/bin/python -m tunneldigger_broker.main ../l2tp_broker.cfg
#bin/python broker/l2tp_broker.py ../l2tp_broker.cfg


@ -1,9 +0,0 @@
[Unit]
Description = Start tunneldigger L2TPv3 broker
After = network.target
[Service]
ExecStart = /srv/tunneldigger/start-broker.sh
[Install]
WantedBy = multi-user.target


@ -1,199 +0,0 @@
# This is the config file for Yanic written in "Tom's Obvious, Minimal Language."
# syntax: https://github.com/toml-lang/toml
# (if you need somethink multiple times, checkout out the [[array of table]] section)
# Send respondd request to update information
[respondd]
enable = true
# Delay startup until a multiple of the period since zero time
synchronize = "1m"
# how often request per multicast
collect_interval = "1m"
[[respondd.interfaces]]
# name of interface on which this collector is running
ifname = "bat0"
# ip address which is used for sending
# (optional - without definition used a address of ifname - prefered link local)
#ip_address = "fd2f:5119:f2d::5"
# disable sending multicast respondd request
# (for receiving only respondd packages e.g. database respondd)
#send_no_request = false
# multicast address to destination of respondd
# (optional - without definition used default ff05::2:1001)
#multicast_address = "ff02::2:1001"
# define a port to listen
# if not set or set to 0 the kernel will use a random free port at its own
#port = 10001
# A little build-in webserver, which statically serves a directory.
# This is useful for testing purposes or for a little standalone installation.
[webserver]
enable = true
bind = "0.0.0.0:80"
webroot = "/opt/freifunk/yanic/"
[nodes]
# Cache file
# a json file to cache all data collected directly from respondd
state_path = "/var/lib/yanic/state.json"
# prune data in RAM, cache-file and output json files (i.e. nodes.json)
# that were inactive for longer than
prune_after = "7d"
# Export nodes and graph periodically
save_interval = "5s"
# Set node to offline if not seen within this period
offline_after = "10m"
## [[nodes.output.example]]
# Each output format has its own config block and needs to be enabled by adding:
#enable = true
#
# For each output format there can be set different filters
#[nodes.output.example.filter]
#
# WARNING: if it is not set, it will publish contact information of other persons
# Set to true, if you did not want the json files to contain the owner information
#no_owner = true
#
# List of nodeids of nodes that should be filtered out, so they won't appear in output
#blacklist = ["00112233445566", "1337f0badead"]
#
# List of site_codes of nodes that should be included in the output
#sites = ["ffhb"]
#
# set has_location to true if you want to include only nodes that have geo-coordinates set
# (setting this to false has no sensible effect, unless you'd want to hide nodes that have coordinates)
#has_location = true
#[respondd.sites.fftdf]
#domains = ["tdf-tdf"]
#[nodes.output.meshviewer-ffrgb.filter]
#no_owner = true
#blacklist = []
#sites = ["flu","tdf","inn"]
#[nodes.output.example.filter.in_area]
# nodes outside this area are not shown on the map but are still listed as a node without coordinates
#latitude_min = 34.30
#latitude_max = 71.85
#longitude_min = -24.96
#longitude_max = 39.72
# definition for the new more compressed meshviewer.json
[[nodes.output.meshviewer-ffrgb]]
enable = true
path = "/opt/freifunk/yanic/meshviewer.json"
[nodes.output.meshviewer-ffrgb.filter]
# WARNING: if it is not set, it will publish contact information of other persons
no_owner = false
#blacklist = ["00112233445566", "1337f0badead"]
#sites = ["ffhb"]
#has_location = true
#[nodes.output.meshviewer-ffrgb.filter.in_area]
#latitude_min = 34.30
#latitude_max = 71.85
#longitude_min = -24.96
#longitude_max = 39.72
# definition for nodes.json
[[nodes.output.meshviewer]]
enable = true
# The structure version of the output which should be generated (i.e. nodes.json)
# version 1 is accepted by the legacy meshviewer (which is the master branch)
# i.e. https://github.com/ffnord/meshviewer/tree/master
# version 2 is accepted by the new versions of meshviewer (which are in the legacy develop branch or newer)
# i.e. https://github.com/ffnord/meshviewer/tree/dev
# https://github.com/ffrgb/meshviewer/tree/develop
version = 2
# path where to store nodes.json
nodes_path = "/opt/freifunk/yanic/nodes.json"
# path where to store graph.json
graph_path = "/opt/freifunk/yanic/graph.json"
[nodes.output.meshviewer.filter]
# WARNING: if it is not set, it will publish contact information of other persons
no_owner = false
# definition for nodelist.json
[[nodes.output.nodelist]]
enable = true
path = "/opt/freifunk/yanic/nodelist.json"
[nodes.output.nodelist.filter]
# WARNING: if it is not set, it will publish contact information of other persons
no_owner = false
[database]
# this will send delete commands to the database to prune data
# which is older than:
delete_after = "7d"
# how often run the cleaning
delete_interval = "1h"
## [[database.connection.example]]
# Each database-connection has its own config block and needs to be enabled by adding:
#enable = true
# Save collected data to InfluxDB.
# There are the following measurments:
# node: store node specific data i.e. clients memory, airtime
# global: store global data, i.e. count of clients and nodes
# firmware: store the count of nodes tagged with firmware
# model: store the count of nodes tagged with hardware model
[[database.connection.influxdb]]
enable = true
address = "http://195.201.17.16:8886"
database = "freifunk"
username = "freifunk"
password = "dude1990"
# Tagging of the data (optional)
[database.connection.influxdb.tags]
# Tags used by Yanic would override the tags from this config
# nodeid, hostname, owner, model, firmware_base, firmware_release,frequency11g and frequency11a are tags which are already used
#tagname1 = "tagvalue 1"
# some useful e.g.:
#system = "productive"
#site = "ffhb"
# Graphite settings
[[database.connection.graphite]]
enable = false
address = "localhost:2003"
# Graphite is replacing every "." in the metric name with a slash "/" and uses
# that for the file system hierarchy it generates. it is recommended to at least
# move the metrics out of the root namespace (that would be the empty prefix).
# If you only intend to run one community and only freifunk on your graphite node
# then the prefix can be set to anything (including the empty string) since you
# probably wont care much about "polluting" the namespace.
prefix = "freifunk"
# respondd (yanic)
# forward collected respondd package to a address
# (e.g. to another respondd collector like a central yanic instance or hopglass)
[[database.connection.respondd]]
enable = false
# type of network to create a connection
type = "udp6"
# destination address to connect/send respondd package
address = "stats.bremen.freifunk.net:11001"
# Logging
[[database.connection.logging]]
enable = false
path = "/var/log/yanic.log"

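--- a/host_vars/core4.yml
+++ b/host_vars/core4.yml
@@ -0,0 +1,61 @@
+ansible_connection: network_cli
+ansible_network_os: vyos
+ansible_ssh_host: 5.9.220.113
+ansible_user: vyos
+ansible_python_interpreter: /usr/bin/python3
+wan_address: 5.9.220.113
+wan_gateway: 5.9.220.112
+wan_net: /29
+lan_address: 172.16.7.1
+lan_network: 172.16.7.0/24
+ffrl_address: 185.66.193.107
+ffrl_address_v6: 2a03:2260:121:600::0/128
+ffrl_net_v6: 2a03:2260:121:600::/55
+gre_bb_transfer_net: /31
+gre_bb_transfer_net_v6: /64
+gre_bb_renote_as: 201701
+gre_bb_local_as: 65066
+gre_ber_a_address: 100.64.6.25
+gre_ber_a_neighbor: 100.64.6.24
+gre_ber_a_address_v6: 2a03:2260:0:30c::2
+gre_ber_a_neighbor_v6: 2a03:2260:0:30c::1
+gre_ber_a_description: gre_ber_a
+gre_ber_a_remote: 185.66.195.0
+gre_ber_b_address: 100.64.6.31
+gre_ber_b_neighbor: 100.64.6.30
+gre_ber_b_address_v6: 2a03:2260:0:30f::2
+gre_ber_b_neighbor_v6: 2a03:2260:0:30f::1
+gre_ber_b_description: gre_b_ber
+gre_ber_b_remote: 185.66.195.1
+gre_a_dus_address: 100.64.6.29
+gre_a_dus_neighbor: 100.64.6.28
+gre_a_dus_address_v6: 2a03:2260:0:30e::2
+gre_a_dus_neighbor_v6: 2a03:2260:0:30e::1
+gre_a_dus_description: gre_a_dus
+gre_a_dus_remote: 185.66.193.0
+gre_b_dus_address: 100.64.6.35
+gre_b_dus_neighbor: 100.64.6.34
+gre_b_dus_address_v6: 2a03:2260:0:311::2
+gre_b_dus_neighbor_v6: 2a03:2260:0:311::1
+gre_b_dus_description: gre_b_dus
+gre_b_dus_remote: 185.66.193.1
+gre_a_fra_address: 100.64.6.27
+gre_a_fra_neighbor: 100.64.6.26
+gre_a_fra_address_v6: 2a03:2260:0:30d::2
+gre_a_fra_neighbor_v6: 2a03:2260:0:30d::1
+gre_a_fra_description: gre_a_fra
+gre_a_fra_remote: 185.66.194.0
+gre_b_fra_address: 100.64.6.33
+gre_b_fra_neighbor: 100.64.6.32
+gre_b_fra_address_v6: 2a03:2260:0:310::2
+gre_b_fra_neighbor_v6: 2a03:2260:0:310::1
+gre_b_fra_description: gre_b_fra
+gre_b_fra_remote: 185.66.194.1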
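Review bot: `gre_bb_renote_as: 201701` reads like a misspelling of `gre_bb_remote_as`, the natural counterpart of `gre_bb_local_as` on the next line; whichever template consumes it has to use the same spelling, so either keep the name deliberately or rename it in this file and in the template in one commit. A short comment above the two AS lines, such as `# BGP session to the FFRL backbone: remote AS / our AS`, would also make the pair self-explaining. The remaining keys are addressing data and raise nothing on their own.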

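--- a/host_vars/edge1/vars.yml
+++ b/host_vars/edge1/vars.yml
@@ -0,0 +1,14 @@
+ansible_host: localhost
+ansible_connection: local
+ansible_python_interpreter: /usr/bin/python3
+ipv4_network: 10.1.0.0/16
+ipv4_dhcp_start: 10.1.0.30
+ipv4_dhcp_stop: 10.1.0.250
+ipv4_address: 10.1.0.1
+ipv6_network: 2a03:2260:121:603::/64
+ipv6_address: 2a03:2260:121:603::1/64
+wireguard_address: 10.255.1.2/24
+wireguard_v6_address: fd80:3ea2:e399:203a::3
+wireguard_public: 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s=
+wiregurad_v4: 10.255.1.1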
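Review bot: The key `wiregurad_v4` is misspelled, and the same misspelling is repeated in the edge2, edge3, edge4, vpn01 and vpn02 host_vars, so any template reading it must use the misspelled name too; renaming it to `wireguard_v4` is only safe if all six files and the consuming template change together. `wireguard_public` here carries the same value as vpn01's `wireguard_public`, which suggests it is the key of the endpoint this edge peers with rather than the edge's own key; a comment such as `# public key of the VPN endpoint this host peers with` would make that explicit. Note also that `wireguard_address` ends in .2 while `wireguard_v6_address` ends in ::3, unlike edge2–edge4 where the two suffixes match; whether that is intentional cannot be told from this file.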

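--- a/host_vars/edge1/vault.yml
+++ b/host_vars/edge1/vault.yml
@@ -0,0 +1,12 @@
+$ANSIBLE_VAULT;1.1;AES256
+63373161393033633933653763653661626365376332306438326363333263656366623837333061
+3665663736393837663634653439356465356234613933320a613530656335326538326262376163
+36336139633033326430663362633839653831326362326439303634376666623862663037636533
+3031306666356637370a396164386339653630343366393163623136333166643162393663323931
+65376261356666313034633237323531363733343061396166343333666538313232616265303933
+32303633343666346134666332626635396132313932623535383538326639316465633432343239
+32353563643565393034653933356235663434376131366565636634376332353738363730626162
+31353236303764663236346437613031623634663762653664383534613738353363346563313063
+66363430306533666263356365383365303564303565316462306664356236316430653065613036
+30386238616564326132303262623664313935376332373037343664666138303932316330336238
+363762633930393837363662343133666363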
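Review bot: The ciphertext in this vault file is byte-identical to the edge2, edge3 and edge4 `vault.yml` added in the same change; Ansible Vault draws a fresh random salt for every encryption, so identical ciphertext means one encrypted file was copied rather than each host's secret being encrypted separately, and all four edges therefore hold the same plaintext. If that plaintext is the per-host WireGuard private key, it cannot correspond to the distinct public keys vpn01 lists for edge3 and edge4, so at most one of the edges could complete a handshake. Either generate and vault a separate secret per host, or add a comment in the vars file stating what the shared vault content is if sharing is intended. This is inferred from the ciphertext alone; the plaintext is not visible here.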

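--- a/host_vars/edge2/vars.yml
+++ b/host_vars/edge2/vars.yml
@@ -0,0 +1,14 @@
+ansible_host: localhost
+ansible_connection: local
+ansible_python_interpreter: /usr/bin/python3
+ipv4_network: 10.7.0.0/16
+ipv4_dhcp_start: 10.7.0.30
+ipv4_dhcp_stop: 10.7.0.250
+ipv4_address: 10.7.0.1
+ipv6_network: 2a03:2260:121:607::/64
+ipv6_address: 2a03:2260:121:607::1/64
+wireguard_address: 10.255.1.7/24
+wireguard_v6_address: fd80:3ea2:e399:203a::7
+wireguard_public: 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s=
+wiregurad_v4: 10.255.1.1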

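--- a/host_vars/edge2/vault.yml
+++ b/host_vars/edge2/vault.yml
@@ -0,0 +1,12 @@
+$ANSIBLE_VAULT;1.1;AES256
+63373161393033633933653763653661626365376332306438326363333263656366623837333061
+3665663736393837663634653439356465356234613933320a613530656335326538326262376163
+36336139633033326430663362633839653831326362326439303634376666623862663037636533
+3031306666356637370a396164386339653630343366393163623136333166643162393663323931
+65376261356666313034633237323531363733343061396166343333666538313232616265303933
+32303633343666346134666332626635396132313932623535383538326639316465633432343239
+32353563643565393034653933356235663434376131366565636634376332353738363730626162
+31353236303764663236346437613031623634663762653664383534613738353363346563313063
+66363430306533666263356365383365303564303565316462306664356236316430653065613036
+30386238616564326132303262623664313935376332373037343664666138303932316330336238
+363762633930393837363662343133666363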

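--- a/host_vars/edge3/vars.yml
+++ b/host_vars/edge3/vars.yml
@@ -0,0 +1,14 @@
+ansible_host: localhost
+ansible_connection: local
+ansible_python_interpreter: /usr/bin/python3
+ipv4_network: 10.9.0.0/16
+ipv4_dhcp_start: 10.9.0.30
+ipv4_dhcp_stop: 10.9.0.250
+ipv4_address: 10.9.0.1
+ipv6_network: 2a03:2260:121:609::/64
+ipv6_address: 2a03:2260:121:609::1/64
+wireguard_address: 10.255.1.9/24
+wireguard_v6_address: fd80:3ea2:e399:203a::9
+wireguard_public: 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s=
+wiregurad_v4: 10.255.1.1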

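--- a/host_vars/edge3/vault.yml
+++ b/host_vars/edge3/vault.yml
@@ -0,0 +1,12 @@
+$ANSIBLE_VAULT;1.1;AES256
+63373161393033633933653763653661626365376332306438326363333263656366623837333061
+3665663736393837663634653439356465356234613933320a613530656335326538326262376163
+36336139633033326430663362633839653831326362326439303634376666623862663037636533
+3031306666356637370a396164386339653630343366393163623136333166643162393663323931
+65376261356666313034633237323531363733343061396166343333666538313232616265303933
+32303633343666346134666332626635396132313932623535383538326639316465633432343239
+32353563643565393034653933356235663434376131366565636634376332353738363730626162
+31353236303764663236346437613031623634663762653664383534613738353363346563313063
+66363430306533666263356365383365303564303565316462306664356236316430653065613036
+30386238616564326132303262623664313935376332373037343664666138303932316330336238
+363762633930393837363662343133666363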

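--- a/host_vars/edge4/vars.yml
+++ b/host_vars/edge4/vars.yml
@@ -0,0 +1,14 @@
+ansible_host: localhost
+ansible_connection: local
+ansible_python_interpreter: /usr/bin/python3
+ipv4_network: 10.10.0.0/16
+ipv4_dhcp_start: 10.10.0.30
+ipv4_dhcp_stop: 10.10.0.250
+ipv4_address: 10.10.0.1
+ipv6_network: 2a03:2260:121:60a::/64
+ipv6_address: 2a03:2260:121:60a::1/64
+wireguard_address: 10.255.1.10/24
+wireguard_v6_address: fd80:3ea2:e399:203a::10
+wireguard_public: 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s=
+wiregurad_v4: 10.255.1.1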

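--- a/host_vars/edge4/vault.yml
+++ b/host_vars/edge4/vault.yml
@@ -0,0 +1,12 @@
+$ANSIBLE_VAULT;1.1;AES256
+63373161393033633933653763653661626365376332306438326363333263656366623837333061
+3665663736393837663634653439356465356234613933320a613530656335326538326262376163
+36336139633033326430663362633839653831326362326439303634376666623862663037636533
+3031306666356637370a396164386339653630343366393163623136333166643162393663323931
+65376261356666313034633237323531363733343061396166343333666538313232616265303933
+32303633343666346134666332626635396132313932623535383538326639316465633432343239
+32353563643565393034653933356235663434376131366565636634376332353738363730626162
+31353236303764663236346437613031623634663762653664383534613738353363346563313063
+66363430306533666263356365383365303564303565316462306664356236316430653065613036
+30386238616564326132303262623664313935376332373037343664666138303932316330336238
+363762633930393837363662343133666363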

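--- a/host_vars/uisp.yml
+++ b/host_vars/uisp.yml
@@ -0,0 +1,4 @@
+ansible_host: 5.9.220.117
+ansible_port: 22
+ansible_ssh_user: root
+ansible_python_interpreter: /usr/bin/python3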
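Review bot: `ansible_ssh_user: root` uses the legacy `ansible_ssh_user` spelling while core4.yml in the same change uses `ansible_user`; unifi.yml, vpn01/vars.yml and vpn02/vars.yml carry the same legacy key, so one spelling should be chosen across the inventory. Managing the host as root also means every playbook run and every SSH key held on the controller carries full root rights on it; an unprivileged `ansible_user` with `become: true` on the tasks that need it keeps the SSH surface narrower and gives a per-user audit trail. Whether the hosts already restrict root logins is not visible here.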

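--- a/host_vars/unifi.yml
+++ b/host_vars/unifi.yml
@@ -0,0 +1,4 @@
+ansible_host: 5.9.220.118
+ansible_port: 22
+ansible_ssh_user: root
+ansible_python_interpreter: /usr/bin/python3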

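--- a/host_vars/vpn01/vars.yml
+++ b/host_vars/vpn01/vars.yml
@@ -0,0 +1,62 @@
+###
+### Ansible
+###
+ansible_host: 5.9.220.114
+ansible_host_net: /29
+ansible_host_ipv6: 2a01:4f8:262:5112::101
+ansible_host_ipv6_net: /64
+ipv4_gateway: 5.9.220.112
+ipv6_gateway: 2a01:4f8:262:5112::3
+ansible_port: 22
+ansible_ssh_user: root
+ansible_python_interpreter: /usr/bin/python3
+###
+### Vars Freifunk
+###
+internal_network: "10.255.0.0/16"
+freifunk_internal_ip: 172.16.7.10/24
+core_router: 172.16.7.1
+###
+### Wireguard
+###
+ipv6_network: 2a03:2260:121:600::/58
+wireguard_address: "10.255.1.1/24, fd80:3ea2:e399:203a::1/64"
+wireguard_port: 42001
+wireguard_public: 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s=
+wiregurad_v4: 10.255.1.1
+wireguard_unmanaged_peers:
+## Ticket #188933
+vpn2-Kabel-Waechter:
+public_key: IuU88/zIE5fsSi3gN68vmz/72iJadOgip3I+lCOo5hk=
+allowed_ips: 10.255.1.2/32, 10.2.0.0/16, fd80:3ea2:e399:203a::2/128, 2a03:2260:121:602::/64
+## Ticket #521263
+vpn3-FFRS-VPN:
+public_key: 0T+vKvbB94SkUgjw9Y4wiOKp7eJQ6IFNeY7sve/F0Ag=
+allowed_ips: 10.255.1.3/32, 10.3.0.0/16, fd80:3ea2:e399:203a::3/128, 2a03:2260:121:603::/64
+## Ticket #150439
+vpn4-sg:
+public_key: IarM0mG08rfZ1k8d557H49nqRK6mKUrVuffhm8QYN1Q=
+allowed_ips: 10.255.1.4/32, 10.4.0.0/16, fd80:3ea2:e399:203a::4/128, 2a03:2260:121:604::/64
+## ERX-Testing Stefan
+vpn6-stefan:
+public_key: KxjuZJs7aIPFAUm/J5iw/oWiv4O44hjpnnfN+VN0iQ0=
+allowed_ips: 10.255.1.7/32, 10.7.0.0/16, fd80:3ea2:e399:203a::7/128, 2a03:2260:121:607::/64
+## Nils
+vpn8-nils:
+public_key: g+l9gP3SR99Q8TZ3uKs7yu1mANy97EFA21THrC/n1W0=
+allowed_ips: 10.255.1.8/32, 10.8.0.0/16, fd80:3ea2:e399:203a::8/128, 2a03:2260:121:608::/64
+## edge3
+vpn9-edge3:
+public_key: pUBPZFl9VGb1zLseKenGS7pvOLWuWQNJdDEpHtOsxlg=
+allowed_ips: 10.255.1.9/32, 10.9.0.0/16, fd80:3ea2:e399:203a::9/128, 2a03:2260:121:609::/64
+## edge4
+vpn10-edge4:
+public_key: 2Cq7gW5mSTcOJGzvw4dvdERhAFx3EIga5Ftds9zKlT8=
+allowed_ips: 10.255.1.10/32, 10.10.0.0/16, fd80:3ea2:e399:203a::10/128, 2a03:2260:121:60a::/64
+## Stefan_Test
+vpn10-edge4:
+public_key: UHaYitx18sO71Ssk2SVUgdjLaAILbCthCmosU+Fs5Es=
+allowed_ips: 10.255.1.11/32, 10.11.0.0/16, fd80:3ea2:e399:203a::11/128, 2a03:2260:121:60b::/64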
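Review bot: `wireguard_unmanaged_peers` defines the mapping key `vpn10-edge4` twice, once under `## edge4` and again under `## Stefan_Test`; a YAML mapping cannot hold duplicate keys and the loader Ansible uses keeps the last one, so the edge4 peer with public key `2Cq7gW5mSTcOJGzvw4dvdERhAFx3EIga5Ftds9zKlT8=` and its 10.10.0.0/16 / 2a03:2260:121:60a::/64 allowed_ips are silently dropped, and only the Stefan_Test entry is configured. Giving the second entry its own key, e.g. `vpn11-stefan-test:` to match the 10.255.1.11 it uses, fixes this. Separately, the peer named `vpn6-stefan` is assigned 10.255.1.7, so the number in that key no longer tracks the address as it does for every other peer, which is worth either renaming or a comment explaining the gap.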


@ -0,0 +1,9 @@
$ANSIBLE_VAULT;1.1;AES256
31653333646534336164323064616261666365636438363761663837663635613333386165313962
3732656532643062333235366564333633623937353335650a343334393265316131313935363337
61323339356237646631303039646132663161623739393130383338383339373063373566666330
3463346562336166340a313562613835386431613636303637626133346433393630623837646236
66633239393134336539346430343965383339653061633463653864653834633862353861663432
39633663663833373264623138376431353437623765643530373266643539616231376162663831
33643334323861653564333739376561306462316561336531656663396134336635666639343433
38613630313731343736

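--- a/host_vars/vpn02/vars.yml
+++ b/host_vars/vpn02/vars.yml
@@ -0,0 +1,35 @@
+ansible_host: 5.9.220.115
+ansible_host_net: /29
+ansible_host_ipv6: 2a01:4f8:262:5112::102
+ansible_host_ipv6_net: /64
+ipv4_gateway: 5.9.220.112
+ipv6_gateway: 2a01:4f8:262:5112::3
+ansible_port: 22
+ansible_ssh_user: root
+ansible_python_interpreter: /usr/bin/python3
+###
+### Vars Freifunk
+###
+internal_network: "10.255.0.0/16"
+freifunk_internal_ip: 172.16.7.11/24
+core_router: 172.16.7.1
+###
+### Wireguard
+###
+ipv6_network: 2a03:2260:121:640::/58
+wireguard_address: "10.255.1.1/24, fd80:3ea2:e399:203a::1/64"
+wireguard_port: 42001
+wireguard_public: 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s=
+wiregurad_v4: 10.255.1.1
+wireguard_unmanaged_peers:
+## Nils
+vpn8-nils:
+public_key: g+l9gP3SR99Q8TZ3uKs7yu1mANy97EFA21THrC/n1W0=
+allowed_ips: 10.255.1.2/32, 10.2.0.0/16, fd80:3ea2:e399:203a::2/128, 2a03:2260:121:642::/64
+## Stefan_Test
+vpn10-edge4:
+public_key: UHaYitx18sO71Ssk2SVUgdjLaAILbCthCmosU+Fs5Es=
+allowed_ips: 10.255.1.11/32, 10.11.0.0/16, fd80:3ea2:e399:203a::11/128, 2a03:2260:121:64b::/64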
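Review bot: `wireguard_address`, `wireguard_public` and `wiregurad_v4` are identical to vpn01's, and the vault ciphertext that follows this file matches vpn01's vault byte for byte, so if that vault holds the WireGuard private key both hosts present one and the same identity on the same tunnel address; peers cannot tell them apart, and rotating or revoking the key on one host silently affects the other. If this is a deliberate hot-spare arrangement a comment such as `# shares vpn01's WireGuard identity on purpose (offloader)` would record it; otherwise vpn02 should get its own key pair and address. The `vpn8-nils` peer is listed here with 10.255.1.2/32, 10.2.0.0/16 and `::2`, whereas vpn01 lists the same public key with 10.255.1.8/32, 10.8.0.0/16 and `::8`, so one of the two address sets is presumably wrong. This file also lacks the `### Ansible` header block that opens vpn01/vars.yml.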


@ -0,0 +1,9 @@
$ANSIBLE_VAULT;1.1;AES256
31653333646534336164323064616261666365636438363761663837663635613333386165313962
3732656532643062333235366564333633623937353335650a343334393265316131313935363337
61323339356237646631303039646132663161623739393130383338383339373063373566666330
3463346562336166340a313562613835386431613636303637626133346433393630623837646236
66633239393134336539346430343965383339653061633463653864653834633862353861663432
39633663663833373264623138376431353437623765643530373266643539616231376162663831
33643334323861653564333739376561306462316561336531656663396134336635666639343433
38613630313731343736
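Review bot: The vault blob in this section is byte-for-byte identical to the one in the vault section above (`$ANSIBLE_VAULT;1.1;AES256` followed by the same eight hex lines), although the two sections appear to belong to different hosts (this one follows host_vars/vpn02/vars.yml). ansible-vault salts every encryption, so identical ciphertext can only come from copying the file, not from encrypting the same values twice — whatever per-host secret it holds (a WireGuard private key would be the obvious candidate, but the plaintext is not visible here) is therefore shared by both hosts. If the file is meant to be host-specific, re-create it for the second host with `ansible-vault create` so it gets its own material; if sharing is intended, the file belongs in group_vars with a comment saying so. Either way a one-line comment in the corresponding vars.yml naming which keys come from the vault would make the dependency visible.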

161
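--- a/hosts
+++ b/hosts
@@ -1,161 +0,0 @@
-# This is the default ansible 'hosts' file.
-#
-# It should live in /etc/ansible/hosts
-#
-# - Comments begin with the '#' character
-# - Blank lines are ignored
-# - Groups of hosts are delimited by [header] elements
-# - You can enter hostnames or ip addresses
-# - A hostname/ip can be a member of multiple groups
-# Ex 1: Ungrouped hosts, specify before any group headers.
-#green.example.com
-#blue.example.com
-#192.168.100.1
-#192.168.100.10
-# Ex 2: A collection of hosts belonging to the 'webservers' group
-#[webservers]
-#alpha.example.org
-#beta.example.org
-#192.168.1.100
-#192.168.1.110
-# If you have multiple hosts following a pattern you can specify
-# them like this:
-#www[001:006].example.com
-# Ex 3: A collection of database servers in the 'dbservers' group
-#[dbservers]
-#
-#db01.intranet.mydomain.net
-#db02.intranet.mydomain.net
-#10.25.1.56
-#10.25.1.57
-# Here's another example of host ranges, this time there are no
-# leading 0s:
-#db-[99:101]-node.example.com
-[freifunk]
-#46.4.138.180 ansible_ssh_port=2222
-#46.4.138.181 ansible_ssh_port=2222
-#46.4.138.182 ansible_ssh_port=2222
-#46.4.138.183 ansible_ssh_port=2222
-#46.4.138.188 ansible_ssh_port=22
-#46.4.138.189 ansible_ssh_port=22
-[freifunk_sn:children]
-troisdorf4
-troisdorf5
-troisdorf6
-troisdorf7
-#[freifunk_sn_l2tp:children]
-#troisdorf4
-#troisdorf5
-#troisdorf6
-#troisdorf7
-[freifunk_sn:vars]
-ansible_ssh_port=22
-ansible_ssh_user=root
-sn_mtu=1312
-sn_l2tp_tb_port=53842
-sn_fqdn=freifunk-troisdorf.de
-static_dhcp_repo=https://github.com/Freifunk-Troisdorf/static-dhcp.git
-root_password_file=/home/localadmin/root_pwd.yml
-slack_token_file=/home/localadmin/slack_token.yml
-communitymac=a2:8c:ae:6f:f6
-communityname=troisdorf
-[troisdorf4]
-4.freifunk-troisdorf.de
-[troisdorf4:vars]
-sn_number=4
-sn_hostname=troisdorf4
-sn_dhcp_range=10.188.8.0 10.188.15.254
-sn_mesh_IPv6=2a03:2260:121:4000::4
-sn_mesh_IPv6_net=2a03:2260:121:4000::/64
-sn_mesh_IPv6_xfer=2a03:2260:121:4000::2
-sn_mesh_IPv4=10.188.0.4
-sn_mesh_IPv4_brcast=10.188.31.255
-sn_mesh_IPv4_net=10.188.0.0
-sn_mesh_IPv4_xfer=10.188.0.2
-sn_mesh_MAC=a2:8c:ae:6f:f6:04
-ul_mesh_MAC=a2:8c:ae:6f:f6:40
-sn_ffrl_IPv4=185.66.193.104
-sn_exit=1
-sn_interface_name=eth0
-yanic_domain=tdf
-[troisdorf5]
-5.fftdf.de
-[troisdorf5:vars]
-sn_number=5
-sn_hostname=troisdorf5
-sn_dhcp_range=10.188.40.0 10.188.47.255
-sn_mesh_IPv6=2a03:2260:121:5000::5
-sn_mesh_IPv6_net=2a03:2260:121:5000::/64
-sn_mesh_IPv6_xfer=2a03:2260:121:5000::2
-sn_mesh_IPv4=10.188.32.5
-sn_mesh_IPv4_brcast=10.188.63.255
-sn_mesh_IPv4_net=10.188.32.0
-sn_mesh_IPv4_xfer=10.188.32.2
-sn_mesh_MAC=a2:8c:ae:6f:f6:05
-ul_mesh_MAC=a2:8c:ae:6f:f6:50
-sn_ffrl_IPv4=185.66.193.105
-sn_exit=1
-sn_interface_name=eth0
-yanic_domain=inn
-[troisdorf6]
-6.fftdf.de
-[troisdorf6:vars]
-sn_number=6
-sn_hostname=troisdorf6
-sn_dhcp_range=10.188.72.0 10.188.79.255
-sn_mesh_IPv6=2a03:2260:121:6000::6
-sn_mesh_IPv6_net=2a03:2260:121:6000::/64
-sn_mesh_IPv6_xfer=2a03:2260:121:6000::2
-sn_mesh_IPv4=10.188.64.6
-sn_mesh_IPv4_brcast=10.188.95.255
-sn_mesh_IPv4_net=10.188.64.0
-sn_mesh_IPv4_xfer=10.188.64.2
-sn_mesh_MAC=a2:8c:ae:6f:f6:06
-ul_mesh_MAC=a2:8c:ae:6f:f6:60
-sn_ffrl_IPv4=185.66.193.106
-sn_exit=1
-sn_interface_name=eth0
-yanic_domain=flu
-[troisdorf7]
-7.fftdf.de
-[troisdorf7:vars]
-sn_number=7
-sn_hostname=troisdorf7
-sn_dhcp_range=10.188.104.0 10.188.111.255
-sn_mesh_IPv6=2a03:2260:121:7000::7
-sn_mesh_IPv6_net=2a03:2260:121:7000::/64
-sn_mesh_IPv6_xfer=2a03:2260:121:7000::2
-sn_mesh_IPv4=10.188.96.7
-sn_mesh_IPv4_brcast=10.188.127.255
-sn_mesh_IPv4_net=10.188.96.0
-sn_mesh_IPv4_xfer=10.188.96.2
-sn_mesh_MAC=a2:8c:ae:6f:f6:07
-ul_mesh_MAC=a2:8c:ae:6f:f6:70
-sn_ffrl_IPv4=185.66.193.107
-sn_local_exit=1
-sn_interface_name=ens18
-yanic_domain=evt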

35
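--- a/hosts.yml
+++ b/hosts.yml
@@ -0,0 +1,35 @@
+######################
+#
+# Ansible Hosts for FFTDF Supernodes. atm only the new offloader
+#
+######################
+all:
+children:
+router:
+children:
+ffrl_uplink:
+hosts:
+core4:
+supernodes:
+children:
+vpn_offloader_wireguard:
+hosts:
+vpn01:
+vpn02:
+freifunk_supernodes:
+hosts:
+service_server:
+children:
+unifi:
+hosts:
+unifi:
+uisp:
+hosts:
+uisp:
+edge_router:
+hosts:
+edge1:
+edge2:
+edge3:
+edge4: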
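Review bot: The groups `unifi` and `uisp` each contain a single host of the same name (`unifi: hosts: unifi:` and `uisp: hosts: uisp:`); Ansible warns when a group and a host share a name, and patterns like `-l unifi` or `hosts: unifi` become ambiguous to read, so rename the groups, e.g. `unifi_controller:` and `uisp_server:`. The header comment "atm only the new offloader" is stale now that router, service_server and edge_router groups are defined and should be updated with the actual scope. `freifunk_supernodes:` has an empty `hosts:` key, which is fine as a placeholder but deserves a `# no hosts yet` comment so it is not mistaken for lost content.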


@ -1,310 +0,0 @@
# First install ssh-key at remote computer
# In case of python error start:
# ansible troisdorf4 -u root -m raw -a "apt-get update && apt-get install python -y"
- name: Install Freifunk Troisdorf super node
hosts: all
sudo: False
user: root
gather_facts: False
vars:
# Internal verion number
snversion: 2019_v3.1.7
common_required_packages:
- git
- make
- gcc
- build-essential
- pkg-config
- libgps-dev
- libnl-3-dev
- libjansson-dev
- isc-dhcp-server
- libcap-dev
- iproute
- libnetfilter-conntrack3
- python-dev
- libevent-dev
- ebtables
- python-virtualenv
- iptables-persistent
- iftop
- screen
- bridge-utils
- tcpdump
- bind9
- radvd
- curl
- htop
- psmisc
- dnsutils
- ntp
- libnl-genl-3-dev
- virtualenv
- batman-adv
- batctl
- libffi-dev
- libnetfilter-conntrack-dev
- libnfnetlink-dev
- speedtest-cli
- ethtool
- prometheus-node-exporter
modules_required:
- batman-adv
- nf_conntrack_netlink
- nf_conntrack
- nfnetlink
- l2tp_netlink
- l2tp_core
- l2tp_eth
tunneldigger_scripts:
- start-broker.sh
- batdelif.sh
tunneldigger_service:
- tunneldigger.service
respondd_service:
- respondd_service
broker_cfg:
- l2tp_broker.cfg
authorized_keys:
- authorized_keys
logrotate_config:
- logrotate.conf
tasks:
- name: Remove cdrom in sources.list
raw: "sed -i '/deb cdrom/c\\#' /etc/apt/sources.list"
- name: Make this server ansible compatible
raw: "apt-get update && apt-get install python apt-transport-https dirmngr -y"
- name: Adding Freifuck GPG Key
raw: "apt-key adv --keyserver keyserver.ubuntu.com --recv-keys B2522557E6AB9BF5"
# apt_key:
# id: B2522557E6AB9BF5
# url: https://keyserver.ubuntu.com
# url: https://pool.sks-keyservers.net
# url: https://sks.pod01.fleetstreetops.com
# state: present
- name: Import Slack token
include_vars: "{{ slack_token_file }}"
- name: Import root password
include_vars: "{{ root_password_file }}"
- name: Add Freifuck repo to source list
apt_repository: repo='deb https://freifuck.de/debian stretch main' state=present
- name: Add backport repo to source list
apt_repository: repo='deb http://http.debian.net/debian stretch-backports main' state=present
- name: Update apt cache
apt: update_cache=yes
- name: Gathering facts
setup:
- name: Set IPv4 in hostfile
lineinfile: dest=/etc/hosts regexp='^{{ ansible_default_ipv4.address }}' line='{{ ansible_default_ipv4.address }} {{ sn_hostname }}.{{ sn_fqdn }} {{ sn_hostname }}' owner=root group=root mode=0644 state=present
- name: Set IPv6 in hostfile
lineinfile: dest=/etc/hosts regexp='^{{ ansible_default_ipv6.address }}' line='{{ ansible_default_ipv6.address }} {{ sn_hostname }}.{{ sn_fqdn }} {{ sn_hostname }}' owner=root group=root mode=0644 state=present
when: ansible_default_ipv6.address is defined
- name: set hostname
hostname: name='{{ sn_hostname }}'
register: sethostname
- name: disable multi CPU Kernel (SMP) # Batman don not like SMP
lineinfile: dest=/etc/default/grub regexp='^GRUB_CMDLINE_LINUX_DEFAULT=' line='GRUB_CMDLINE_LINUX_DEFAULT="quiet maxcpus=0 nosmp"' state=present
register: grubnosmp
- name: Update grub
shell: update-grub2
when: grubnosmp.changed
- name: Reboot the server
shell: sleep 2 && shutdown -r now "Ansible updates triggered, no SMP"
async: 1
poll: 0
ignore_errors: true
when: sethostname.changed
- name: waiting for server to come back (1st)
local_action:
wait_for
host={{ inventory_hostname }}
port=22
delay=20
timeout=300
when: hosts.changed
when: sethostname.changed
- name: Install common required packages
apt:
name: "{{ item }}"
state: present
update_cache: yes
with_items: "{{ common_required_packages }}"
register: aptupdates
- name: Set clock
shell: /etc/init.d/ntp stop && /usr/sbin/ntpd -q -g && /etc/init.d/ntp start
- name: Get Tunneldigger
git: repo=https://github.com/Freifunk-Troisdorf/tunneldigger.git dest=/srv/tunneldigger
register: tunneldigger
when: aptupdates.changed
- name: Configure tunneldigger
raw: "cd /srv/tunneldigger && virtualenv env_tunneldigger && source env_tunneldigger/bin/activate && cd broker && python setup.py install"
when: tunneldigger.changed
- name: Copy l2tp broker config template
template: src=./files/{{ item }} dest=/srv/tunneldigger owner=root group=root mode=0444
with_items: "{{ broker_cfg }}"
when: tunneldigger.changed
- name: Copy tunneldigger script template
template: src=./files/bataddif.sh.j2 dest=/srv/tunneldigger/bataddif.sh owner=root group=root mode=0500
when: tunneldigger.changed
- name: Copy tunneldigger scripts
copy: src=./files/{{ item }} dest=/srv/tunneldigger owner=root group=root mode=0500
with_items: "{{ tunneldigger_scripts }}"
when: tunneldigger.changed
- name: Copy tunneldigger service template
copy: src=./files/{{ item }} dest=/etc/systemd/system owner=root group=root mode=0444
with_items: "{{ tunneldigger_service }}"
when: tunneldigger.changed
- name: Add modules
lineinfile: dest=/etc/modules line={{ item }}
with_items: "{{ modules_required }}"
register: modules_req
- name: Tunneldigger reload
command: "{{item}}"
with_items:
- systemctl daemon-reload
- systemctl enable tunneldigger.service
when: tunneldigger.changed
- name: Copy logrotate config
copy: src=./files/{{ item }} dest=/etc/ owner=root group=root mode=0500
with_items: "{{logrotate_config}}"
- name: Create freifunk directory
file: path=/opt/freifunk state=directory mode=0755
- name: Copy dhcpd template file
template: src=./files/dhcpd.conf.j2 dest=/etc/dhcp/dhcpd.conf owner=root group=root mode=0444
register: dhcpd
- name: Copy dhcpd6 template file
template: src=./files/dhcpd6.conf.j2 dest=/etc/dhcp/dhcpd6.conf owner=root group=root mode=0444
- name: Clone static DHCP config
git: repo="{{ static_dhcp_repo }}" dest=/opt/freifunk/static-dhcp
when: dhcpd.changed
- name: Add cron static DHCP
cron: name=StaticDHCP minute="*" job="/opt/freifunk/static-dhcp/dhcp-update.sh"
when: dhcpd.changed
- name: Replace interface line ISC-DHCP-server
lineinfile:
dest: /etc/default/isc-dhcp-server
regexp: 'INTERFACESv4='
line: 'INTERFACESv4="br-nodes"'
when: dhcpd.changed
- name: Restart dhcpd
service: name=isc-dhcp-server state=restarted
when: dhcpd.changed
ignore_errors: yes
- name: Add cron backbone script
cron: name=backbone special_time=reboot job="/opt/freifunk/l2tp_backbone.sh"
- name: Add cron startup script
cron: name=startup special_time=reboot job="/opt/freifunk/sn_startup.sh"
- name: Copy backbone script
template: src=./files/l2tp_backbone.sh.exit.j2 dest=/opt/freifunk/l2tp_backbone.sh owner=root group=root mode=0544
- name: Exit node startup script super- and exitnode
template: src=./files/sn_startup.exit.sh.j2 dest=/opt/freifunk/sn_startup.sh owner=root group=root mode=0500
when: sn_exit is defined
- name: Exit node startup script super- and exitnode
template: src=./files/sn_startup.local.exit.sh.j2 dest=/opt/freifunk/sn_startup.sh owner=root group=root mode=0500
when: sn_local_exit is defined
- name: SSH authorized_keys
copy: src=./files/{{ item }} dest=/root/.ssh owner=root group=root mode=0400
with_items: "{{ authorized_keys }}"
- name: Bind9, activate ff zone
lineinfile: dest=/etc/bind/named.conf line='include "/etc/bind/ff/ff.conf";' state=present
- name: Copy option template
template: src=./files/named.conf.options.j2 dest=/etc/bind/named.conf.options owner=root group=bind mode=644
- name: Create ff directory
file: path=/etc/bind/ff state=directory
- name: Copy FF Zones
copy: src=./files/ff/{{ item }} dest=/etc/bind/ff/{{ item }} owner=root group=bind mode=644
with_items:
- ff.conf
- name: Copy ff Zone config template
template: src=./files/ff/db.ff.j2 dest=/etc/bind/ff/db.ff owner=bind group=root mode=0444
- name: Copy radvd config template
template: src=./files/radvd.conf.j2 dest=/etc/radvd.conf owner=radvd group=root mode=0444
- name: Interface configuration with ffrl gre tunnel
template: src=./files/interfaces-{{ sn_hostname }}.j2 dest=/etc/network/interfaces owner=root group=root mode=0544
- apt: update_cache=yes
- name: Install bird
apt: state=present pkg=bird
- name: Bird configuration
copy: src=./files/bird-{{ sn_hostname }}.conf dest=/etc/bird/bird.conf owner=bird group=bird mode=0444
- name: Bird configuration
copy: src=./files/bird6-{{ sn_hostname }}.conf dest=/etc/bird/bird6.conf owner=bird group=bird mode=0444
- name: Create Yanic user
user:
name: yanic
comment: "Yanic service user"
- name: Create Yanic folder
file: path=/opt/freifunk/yanic state=directory mode=0755 owner=yanic group=yanic
- name: Copy Yanic config template
template: src=./files/yanic.conf.j2 dest=/etc/yanic.conf owner=yanic group=yanic mode=0444
- name: Shit go stuff
shell: cd /usr/local && wget https://dl.google.com/go/go1.13.1.linux-amd64.tar.gz -O go-release-linux-amd64.tar.gz -O go-release-linux-amd64.tar.gz && tar xvf go-release-linux-amd64.tar.gz && rm go-release-linux-amd64.tar.gz
- name: Adjust path for go
lineinfile:
dest: /root/.bashrc
line: "{{ item }}"
with_items:
- export GOPATH=/opt/go
- export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
- name: Compile go
shell: go get -v -u github.com/Freifunk-Troisdorf/yanic
- name: Copy and enable yanic service
shell: cp /opt/go/src/github.com/Freifunk-Troisdorf/yanic/contrib/init/linux-systemd/yanic.service /lib/systemd/system/yanic.service && systemctl daemon-reload && systemctl enable yanic
- name: Get respondd
git: repo=https://github.com/Freifunk-Troisdorf/mesh-announce.git dest=/opt/mesh-announce
- name: Copy respondd service template
shell: cp /opt/mesh-announce/respondd.service /etc/systemd/system
- name: Enable respondd service
shell: systemctl daemon-reload && systemctl enable respondd
- name: Copy Slacktee Config
template: src=./files/slacktee.conf.j2 dest=/etc/slacktee.conf owner=root group=root mode=0544
- name: Copy Slacktee
copy: src=./files/slacktee.sh dest=/usr/local/bin/slacktee.sh owner=root group=root mode=0744
- name: set netfilter rules
lineinfile:
dest: /etc/sysctl.conf
line: "{{ item }}"
with_items:
- net.ipv4.netfilter.ip_conntrack_generic_timeout = 240
- net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 54000
- net.netfilter.nf_conntrack_max = 65536
- name: check modprobe.conf
stat: path=/etc/modprobe.conf
register: modprobe1
- name: create /etc/modprobe.conf when not present
file: path=/etc/modprobe.conf state=touch owner=root group=root mode=0544
when: modprobe1.stat.exists == False
- name: check /etc/modprobe.conf
lineinfile: dest=/etc/modprobe.conf line="options ip_conntrack hashsize=65536"
- name: Change root password
user:
name: root
password: "{{ sn_rootpasswd }}"
- name: Logrotate rights
file: path=/etc/logrotate.conf mode=0644 owner=root group=root
- name: Wirte version information
shell: touch /etc/sn_version && echo {{ snversion }} > /etc/sn_version
- name: Reboot the server finally
shell: sleep 2 && shutdown -r now "Ansible updates triggered"
async: 1
poll: 0
ignore_errors: true
when: tunneldigger.changed
- name: waiting for server to come back
local_action:
wait_for
host={{ inventory_hostname }}
port=22
delay=20
timeout=300
when: tunneldigger.changed
- name: Send notification message via Slack
local_action:
module: slack
token: "{{ slack_token }}"
msg: "{{ inventory_hostname }} completed with {{ snversion }}"
channel: "#technik"
username: "Ansible on {{ inventory_hostname }}"
parse: 'none'

18
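--- a/readme.md
+++ b/readme.md
@@ -0,0 +1,18 @@
+# Supernode mit direkter VPN Ausleitung
+Ausleitung über das FFRL Backbone.
+Supernode Config:
+- GRE-Tunnel zum FFRL Backbone
+- VPN per Wireguard
+- NAT auf VPN Routern
+## Naming:
+CORE[1-x]
+Core Router auf Vyos mit Verbidung zum FFRL Backbone über GRE Tunnel. Die Core Router stellen das Freifunk Netz über ein LAN auf unseren Proxmox Servern bereit.
+VPN[1-x]
+VPN Server aka Supernodes. Die VPN Server nehmen VPN Verbindungen von Routern und/oder Clients entgegen und managen diese. Hier sind diekte anbindungen möglich, ebenso aber Supernodes mit dem klassischen Freifunk (Batman) Konzept.
+ROUTER[1-x], EDGE[1-x], CLIENT[1-x]
+Angebundene Router oder Clients an einen VPN Server, falls dieser aus diesem Ansible eine Config erhält.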


@ -0,0 +1 @@
ssh-rsa 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 Nils Stinnesbeck


@ -0,0 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAos0JvQsyAsP3FcsqDCBTDqzUGBeoxMKDj/SSRoy5MBDPUaWm37b93Lqmg1wMj0qvUURBKpWsRiRUzzRAaQrIdhcZjo0Gkw4vv7tpFQCmvWqxUpzH00GDKjLrMvNfcv+5b0Ctl06Bo+e4nb2SVsFhjaP9MLIjHiKpgivIPx9aKwxKx/VjsW920eWOG+VaDKIJTxPGUYedaUgIktvhutAbOyRR/OJlIZ3Qs0cnyT4KTM4pe4br2p3+mNs6J7G+z8Lw99WiUBfUwsRLVO68nJA2PKlJNEUGJycngqV06iQpcDfei88DFRMetN9bhVYxWFIzCQfjjqs8dkomEhfFQwfOTYiOouhaycZABwU4pPmQwZIkp1q4KduodU/KYsf78WitYgavHVInWBQuAUljafwQpTLHy8AI6M3XmbKi5rvNZiy4hoxfaT7rYJGuBoTwsZEHI7Sf26XsyQKJdu29mmIYPpzPKP7VAyjAVLqruLX1Yy0oZuM22YFFj5MHuoEN3WdXOYymvZyOM05xXeQk6gVh3EE6MpbK8CFz1KPNEjd+vce1zUyACDvqdt6ZIjqmUdivBsvHDTqMgH9mSxjjjwLy+Sd7snXx0bqksTdPChAlXN9vs3ez8FJl0P4inzjza8l8zGqaa2A1CsO8dRcyojohczLYoTHWQTB3tVIdcj55UIE= roman


@ -0,0 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDM0d9uUUdkK80fYEAz+IwxbhQO2qsr87Q4uxxwqQCvjVWryL+IuKMBJJGroWDMz2d9UJcIXEYdMz4436U0DoPJuoXe5iDsVvum3Vz3276My+tqx1bZWCktPa8Isft7mO/wfELNjRNQduUiwh2y712s7/3GQI+5Rs/65HuLHTnpLKrlfptqmsmYw+IUFDzGwBLJ6sqP90ywjKkperPCAH3IWcTsQwnW3EJFPToMg6BrQslZlxx/z+co3e6jCWzUuuIRP9jp4SmNVfYaVGb1cOFdL1p1P0qWHBHdGUnXHZ+c773VKVSj+spUBxKGqNC1EhRCYTsPDLVrYrhKl2BRLcgB stefan@Stefan-Linux


@ -0,0 +1,68 @@
---
# Set System Hostname
- name: Ensure hostname set
hostname:
name: "{{ inventory_hostname }}"
when: not inventory_hostname|trim is match('(\d{1,3}\.){3}\d{1,3}')
become: yes
register: hostname_set
- name: Reboot host and wait for it to restart
reboot:
msg: "Reboot initiated by Ansible"
connect_timeout: 5
reboot_timeout: 600
pre_reboot_delay: 0
post_reboot_delay: 30
test_command: whoami
when: hostname_set.changed
# Users defined in /vars/main.yml
# pub key files in /files/{USER}.key.pub
- name: "Create user accounts and add users to groups"
user:
name: "{{ item }}"
groups: sudo
with_items: "{{ users }}"
- name: "Add authorized keys"
authorized_key:
user: "{{ item }}"
key: "{{ lookup('file', 'files/'+ item + '.key.pub') }}"
with_items: "{{ users }}"
- name: Allow 'sudo' group to have passwordless sudo
lineinfile:
path: /etc/sudoers
state: present
regexp: '^%sudo'
line: '%sudo ALL=(ALL) NOPASSWD: ALL'
validate: '/usr/sbin/visudo -cf %s'
# Install basic packages for Ubuntu minimal Systems
- name: Install all Packages
ansible.builtin.apt:
name:
- curl
- nano
- vim
- htop
- screen
- iproute2
- iptables
- cron
- qemu-guest-agent
- iputils-ping
- iw
- speedtest-cli
- telnet
state: latest
update_cache: yes
- name: uninstall unneeded packages
apt:
name:
- rpcbind
update_cache: yes
state: absent
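Review bot: `line: '%sudo ALL=(ALL) NOPASSWD: ALL'` combined with `groups: sudo` for every entry in `users` makes each key in `files/<user>.key.pub` an unrestricted root credential; the `validate: '/usr/sbin/visudo -cf %s'` guard is good, but the intent should be stated on the task, e.g. `# Members of sudo are trusted root operators; access is governed solely by the key files in files/`. `state: latest` on the package task upgrades every listed package on each run, which makes plays non-reproducible and can restart services at unexpected times; `state: present` plus a separate, explicit upgrade play is the usual split. The last task uses bare `apt` while the one above uses `ansible.builtin.apt`; pick one form for the file.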


@ -0,0 +1,4 @@
users:
- stefan
- nils
- roman


@ -0,0 +1,90 @@
---
- name: Setup NAT
ansible.builtin.iptables:
chain: POSTROUTING
table: nat
source: "{{ internal_network }}"
jump: MASQUERADE
register: iptables
- name: Enable kernel panic reboots
ansible.posix.sysctl:
name: kernel.panic
value: '1'
- name: Enable IPv4 forwarding
ansible.posix.sysctl:
name: net.ipv4.ip_forward
value: '1'
sysctl_set: true
- name: Enable IPv6 forwarding
ansible.posix.sysctl:
name: net.ipv6.conf.all.forwarding
value: '1'
sysctl_set: true
- name: Create Routing Table 42
ansible.builtin.lineinfile:
path: /etc/iproute2/rt_tables
line: 42 ffrl
create: yes
- name: Generate NDPPD Config
ansible.builtin.template:
src: ndppd.conf.j2
dest: /etc/ndppd.conf
owner: root
group: root
mode: 755
- name: Install all Packages for VPN Servers
ansible.builtin.apt:
name:
- libndp0
- libndp-tools
- ndppd
- iptables-persistent
state: latest
update_cache: yes
- name: Find all Netplan Files without of the freifunk file
find:
paths: /etc/netplan/
file_type: file
excludes:
- "01-freifunk.yaml"
register: found_files
- name: Delete files
file:
path: "{{ item.path }}"
state: absent
with_items: "{{ found_files['files'] }}"
- name: Copy Netplan Template for Internal Network
ansible.builtin.template:
src: netplan.j2
dest: /etc/netplan/01-freifunk.yaml
owner: root
group: root
mode: 755
register: netplan_config
- name: saveip6tables
ansible.builtin.shell: ip6tables-save > /etc/iptables/rules.v6
when: iptables.changed
- name: saveip4tables
ansible.builtin.shell: iptables-save > /etc/iptables/rules.v4
when: iptables.changed
- name: Apply Netplan
ansible.builtin.shell: netplan apply
when: netplan_config.changed
- name: Enable Proxy_NDP on interface ens19
ansible.posix.sysctl:
name: net.ipv6.conf.ens19.proxy_ndp
value: '1'
sysctl_set: true
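Review bot: `mode: 755` in the ndppd template task and again in the netplan template task is an unquoted YAML integer, and Ansible applies an integer mode as-is — decimal 755 is octal 01363, which sets the sticky bit, removes the owner's read bit and makes /etc/ndppd.conf and /etc/netplan/01-freifunk.yaml writable by group and others. Use a quoted octal string in both tasks, `mode: '0644'` for ndppd.conf and `mode: '0600'` for the netplan file (recent netplan releases warn about network config readable by others). The interface names are hard-coded (`ens19` in the proxy_ndp sysctl and in ndppd.conf.j2, `ens18`/`ens19` in netplan.j2) while every address comes from host_vars; an `uplink_interface` / `freifunk_interface` variable would keep the role usable on a host with different NIC names.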


@ -0,0 +1,5 @@
proxy ens19 {
rule {{ ipv6_network }} {
static
}
}


@ -0,0 +1,32 @@
network:
ethernets:
ens18:
addresses:
- {{ ansible_host }}{{ ansible_host_net }}
- {{ ansible_host_ipv6 }}{{ ansible_host_ipv6_net }}
nameservers:
addresses:
- 1.1.1.1
routes:
- to: default
via: {{ ipv4_gateway }}
table: 42
- to: default
via: {{ ipv6_gateway }}
table: 42
routing-policy:
- from: {{ ansible_host }}
table: 42
- from: {{ ansible_host_ipv6 }}
table: 42
ens19:
dhcp4: false
addresses:
- {{ freifunk_internal_ip }}
nameservers:
addresses:
- 1.1.1.1
routes:
- to: default
via: {{ core_router }}
version: 2
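Review bot: The only IPv6 default route is the `table: 42` entry on ens18, which is reachable solely through the `routing-policy` rule for `{{ ansible_host_ipv6 }}`, while the main table gets just the IPv4 default via `{{ core_router }}` on ens19 — there is no IPv6 default in the main table at all. Forwarded IPv6 from the WireGuard peers (their `allowed_ips` cover prefixes inside `{{ ipv6_network }}`) would therefore have no route unless one is learned on ens19 or added elsewhere; if ens19 is meant to carry v6 as well, add `- to: "::/0"` with the core router's v6 address next to the v4 default, and otherwise leave a comment explaining where v6 egress comes from. A header comment stating the design (host traffic → table 42 → uplink, everything else → Freifunk core) would make the asymmetric table layout much easier to maintain.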


@ -0,0 +1,11 @@
- name: create config directory
file:
path: '{{ playbook_dir }}/edgerouter_configs/'
state: directory
- name: Generate EdgeOS Config
ansible.builtin.template:
src: edgerouter.conf.j2
dest: '{{ playbook_dir }}/edgerouter_configs/{{ inventory_hostname }}.md'
mode: 0755
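Review bot: The rendered `{{ inventory_hostname }}.md` is written with `mode: 0755` although it is a text file nobody executes; `mode: '0600'` is the right permission because the template it renders (edgerouter.conf.j2, later on this page) embeds `{{ unms_vault_URL }}`, so a vault secret lands in plaintext under `{{ playbook_dir }}/edgerouter_configs/`. A `# contains vault-derived values – keep this directory out of version control` comment on the task would make that dependency explicit. `playbook_dir` is a controller path, so these tasks need `delegate_to: localhost` (or a play with `connection: local`) to land where intended — the play header is outside this section, so this may already be the case.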


@ -0,0 +1,106 @@
## Webinterface Wizard ausführen
WAN auf eth0
Ein LAN mit Adresse: {{ ipv4_address }}
Dann auf der Konsole weiter
## Install Wireguard
cd /tmp
curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb
sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb
####
cd /config/auth
wg genkey | tee /config/auth/wg.key | wg pubkey > wg.public
cat wg.public
cat wg.key
####
set firewall all-ping enable
set firewall broadcast-ping disable
set firewall group ipv6-network-group LAN-VPN-V6 description 'Networks on LAN destined to go out VPN by default'
set firewall group ipv6-network-group LAN-VPN-V6 ipv6-network '{{ ipv6_network }}'
set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
set firewall group network-group LAN-VPN network {{ ipv4_network }}
set firewall ipv6-modify LAN_to_VPN_V6 rule 1 action modify
set firewall ipv6-modify LAN_to_VPN_V6 rule 1 modify table 2
set firewall ipv6-modify LAN_to_VPN_V6 rule 1 source group ipv6-network-group LAN-VPN-V6
set firewall ipv6-modify LAN_to_VPN_V6 rule 1 description 'Route traffic from group LAN-VPN through LAN_to_VPN_V6 table'
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall modify LAN_to_VPN rule 100 action modify
set firewall modify LAN_to_VPN rule 100 description 'Route traffic from group LAN-VPN through LAN_to_VPN table'
set firewall modify LAN_to_VPN rule 100 modify table 2
set firewall modify LAN_to_VPN rule 100 source group network-group LAN-VPN
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 description WireGuard
set firewall name WAN_LOCAL rule 20 destination port 51821
set firewall name WAN_LOCAL rule 20 protocol udp
set firewall options mss-clamp interface-type all
set firewall options mss-clamp mss 1340
set firewall options mss-clamp6 interface-type all
set firewall options mss-clamp6 mss 1340
set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable
set interfaces switch switch0 address {{ ipv4_address }}/24
set interfaces switch switch0 address '{{ ipv6_address }}'
set interfaces switch switch0 description Local
set interfaces switch switch0 firewall in ipv6-modify LAN_to_VPN_V6
set interfaces switch switch0 firewall in modify LAN_to_VPN
set interfaces switch switch0 ipv6 dup-addr-detect-transmits 1
set interfaces switch switch0 ipv6 router-advert cur-hop-limit 64
set interfaces switch switch0 ipv6 router-advert link-mtu 1328
set interfaces switch switch0 ipv6 router-advert managed-flag true
set interfaces switch switch0 ipv6 router-advert max-interval 600
set interfaces switch switch0 ipv6 router-advert name-server '2606:4700:4700::1111'
set interfaces switch switch0 ipv6 router-advert other-config-flag false
set interfaces switch switch0 ipv6 router-advert prefix '{{ ipv6_network }}' autonomous-flag true
set interfaces switch switch0 ipv6 router-advert prefix '{{ ipv6_network }}' on-link-flag true
set interfaces switch switch0 ipv6 router-advert prefix '{{ ipv6_network }}' valid-lifetime 2592000
set interfaces switch switch0 ipv6 router-advert reachable-time 0
set interfaces switch switch0 ipv6 router-advert retrans-timer 0
set interfaces switch switch0 ipv6 router-advert send-advert true
set interfaces switch switch0 mtu 1500
set interfaces switch switch0 switch-port interface eth1
set interfaces switch switch0 switch-port interface eth2
set interfaces switch switch0 switch-port interface eth3
set interfaces switch switch0 switch-port interface eth4
set interfaces switch switch0 switch-port vlan-aware disable
set interfaces wireguard wg0 address {{ wireguard_address }}
set interfaces wireguard wg0 address {{ wireguard_v6_address }}
set interfaces wireguard wg0 listen-port 51822
set interfaces wireguard wg0 mtu 1380
set interfaces wireguard wg0 peer {{ wireguard_public }} allowed-ips 0.0.0.0/0
set interfaces wireguard wg0 peer {{ wireguard_public }} allowed-ips '::0/0'
set interfaces wireguard wg0 peer {{ wireguard_public }} endpoint 'vpn01.fftdf.de:42001'
set interfaces wireguard wg0 private-key /config/auth/wg.key
set interfaces wireguard wg0 route-allowed-ips false
set protocols static interface-route6 ::/0 next-hop-interface wg0
set protocols static table 2 interface-route 0.0.0.0/0 next-hop-interface wg0
set protocols static table 2 interface-route6 '::/0' next-hop-interface wg0
delete service dhcp-server
set service dhcp-server disabled false
set service dhcp-server hostfile-update disable
set service dhcp-server shared-network-name LAN authoritative enable
set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }}/24 default-router {{ ipv4_address }}
set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }}/24 dns-server {{ ipv4_address }}
set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }}/24 lease 86400
set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }}/24 start {{ ipv4_dhcp_start }} stop {{ ipv4_dhcp_stop }}
set service dhcp-server static-arp disable
set service dhcp-server use-dnsmasq disable
set service dns forwarding cache-size 150
set service dns forwarding listen-on switch0
set service nat rule 5010 description 'masquerade for VPN'
set service nat rule 5010 outbound-interface wg0
set service nat rule 5010 protocol all
set service nat rule 5010 type masquerade
set service unms
set service unms connection '{{ unms_vault_URL }}'
set system host-name {{ inventory_hostname }}
set system time-zone UTC
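Review bot: `WAN_LOCAL` rule 20 opens `destination port 51821` for WireGuard, but `wg0` is configured with `listen-port 51822`, so the rule does not match the interface it is meant to admit; align them, e.g. `set firewall name WAN_LOCAL rule 20 destination port 51822`. Because the router dials out to `vpn01.fftdf.de:42001` the tunnel comes up regardless, which is why this has gone unnoticed — a comment stating whether inbound handshakes are expected at all would let the rule be dropped or fixed deliberately. In the key-generation steps, `cat wg.key` prints the private key to the terminal; only `wg.public` needs to leave the device for the server's peer entry, so drop that line. The `.deb` is fetched by release tag over HTTPS but never checked against a digest; recording the expected SHA-256 next to the `curl` line (`<sha256 from the release page>` as a placeholder) and verifying it with `sha256sum -c` before `dpkg -i` gives a repeatable check.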


@ -0,0 +1,38 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).


@ -0,0 +1,122 @@
---
# tasks file for 10-freifunk-supernode
# Install basic packages for Supernode
- name: Install all Packages
ansible.builtin.apt:
name:
- batctl
- iptables-persistent
- conntrack
state: latest
update_cache: yes
## IP Forwarding
- name: IPv4-Paketweiterleitung aktivieren
sysctl:
name: "net.ipv4.conf.all.forwarding"
value: 1
sysctl_set: yes
state: present
reload: yes
sysctl_file: /etc/sysctl.d/ff-ip_forwarding.conf
- name: IPv6-Paketweiterleitung aktivieren
sysctl:
name: "net.ipv6.conf.all.forwarding"
value: 1
sysctl_set: yes
state: present
reload: yes
sysctl_file: /etc/sysctl.d/ff-ip_forwarding.conf
- name: sysctl Reverse-Path-Filter default deaktivieren - Quellroute nicht prüfen
sysctl:
name: "net.ipv4.conf.default.rp_filter"
value: 0
sysctl_set: yes
state: present
reload: yes
sysctl_file: /etc/sysctl.d/ff-ip_forwarding.conf
- name: sysctl Reverse-Path-Filter all deaktivieren - Quellroute nicht prüfen
sysctl:
name: "net.ipv4.conf.all.rp_filter"
value: 0
sysctl_set: yes
state: present
reload: yes
sysctl_file: /etc/sysctl.d/ff-ip_forwarding.conf
- name: Create Routing Table 42
ansible.builtin.lineinfile:
path: /etc/iproute2/rt_tables
line: 42 ffrl
create: yes
## Contrack
- name: Enable nf_conntrack_ipv4 module
modprobe:
name: nf_conntrack_ipv4
state: present
when: ansible_kernel is version_compare('4.19', '<')
- name: Enable nf_conntrack_ipv4 on system startup
blockinfile:
path: /etc/modules
marker: "# {mark} Ansible managed block"
block: |
nf_conntrack_ipv4
when: ansible_kernel is version_compare('4.19', '<')
- name: Enable nf_conntrack module
modprobe:
name: nf_conntrack
state: present
when: ansible_kernel is version_compare('4.19', '>=')
- name: Enable nf_conntrack on system startup
blockinfile:
path: /etc/modules
marker: "# {mark} Ansible managed block"
block: |
nf_conntrack
when: ansible_kernel is version_compare('4.19', '>=')
- name: Set nf_conntrack_max to a higher value
sysctl:
name: "net.netfilter.nf_conntrack_max"
value: 524288
sysctl_set: yes
state: present
reload: yes
sysctl_file: /etc/sysctl.d/ff-netfilter.conf
- name: Set nf_conntrack_tcp_timeout_established to 86400 (one day)
sysctl:
name: "net.netfilter.nf_conntrack_tcp_timeout_established"
value: 86400
sysctl_set: yes
state: present
reload: yes
sysctl_file: /etc/sysctl.d/ff-netfilter.conf
- name: Set nf_conntrack_tcp_timeout_time_wait to 60
sysctl:
name: "net.netfilter.nf_conntrack_tcp_timeout_time_wait"
value: 60
sysctl_set: yes
state: present
reload: yes
sysctl_file: /etc/sysctl.d/ff-netfilter.conf
- name: Get current nf_conntrack hashsize
shell: "cat /sys/module/nf_conntrack/parameters/hashsize"
register: nf_conntrack_hashsize
changed_when: false
check_mode: no
- name: Set nf_conntrack hashsize to a higher value
shell: "echo 32768 > /sys/module/nf_conntrack/parameters/hashsize"
when: "nf_conntrack_hashsize.stdout != '32768'"


@ -0,0 +1,6 @@
---
- name: restart isc-dhcp-server
service: name=isc-dhcp-server state=restarted
- name: restart isc-dhcp6-server
service: name=isc-dhcp6-server state=restarted


@ -0,0 +1,22 @@
---
- name: Install Packages for DHCP Server
ansible.builtin.apt:
name:
- isc-dhcp-server
state: latest
update_cache: yes
- name: create dhcp defaults
template:
src: isc-dhcp-server.conf.j2
dest: /etc/default/isc-dhcp-server
notify:
- restart isc-dhcp-server
- name: create dhcp config
template:
src: dhcpd.conf.j2
dest: /etc/dhcp/dhcpd.conf
notify:
- restart isc-dhcp-server
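Review bot: The `create dhcp config` task writes /etc/dhcp/dhcpd.conf straight from the template and then restarts isc-dhcp-server, so a template error takes DHCP down for every client on bat0 with nothing to catch it first. Add `validate: dhcpd -t -cf %s` to that template task so Ansible rejects a syntactically broken rendering before it replaces the live file. The install task's `state: latest` with `update_cache: yes` also upgrades the package on every run, which is a surprise-change path on a production gateway; `state: present` is the usual choice once the package is installed.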


@ -0,0 +1,17 @@
# {{ ansible_managed }}
default-lease-time 300;
max-lease-time 1800;
authoritative;
log-facility local7;
subnet {{ dhcp.ff_subnet }} netmask {{ dhcp.ff_netmask }} {
range {{dhcp.range_start}} {{dhcp.range_end}};
option routers {{ network.ff_v4_address }};
option domain-name-servers {{ network.ff_v4_address }};
option interface-mtu {{ dhcp.mtu }};
interface bat0;
}
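Review bot: The `range` line writes `{{dhcp.range_start}} {{dhcp.range_end}}` without the padding used on every other line of the template (`{{ dhcp.ff_subnet }}`); reformat it to `range {{ dhcp.range_start }} {{ dhcp.range_end }};` for consistency. The `interface bat0;` statement inside the subnet block is unusual; the defaults file in this same change already sets `INTERFACES="bat0"`, so confirm dhcpd accepts the statement in that position, or drop it and rely on the defaults file alone.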


@ -0,0 +1,3 @@
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACES="bat0"


@ -0,0 +1,3 @@
---
- name: restart bind9
service: name=bind9 state=restarted


@ -0,0 +1,41 @@
---
- name: Install all Packages for Bind9
ansible.builtin.apt:
name:
- bind9
state: latest
update_cache: yes
- name: create named config
template:
src: named.conf.j2
dest: /etc/bind/named.conf
notify:
- restart bind9
- name: create named.local config
template:
src: named.conf.local.j2
dest: /etc/bind/named.conf.local
notify:
- restart bind9
- name: create named.options config
template:
src: named.conf.options.j2
dest: /etc/bind/named.conf.options
notify:
- restart bind9
- name: create named fftdf config
template:
src: named.fftdf.conf.j2
dest: /etc/bind/named.fftdf.conf
notify:
- restart bind9
- name: create named fftdf db
template:
src: named.fftdf.db.j2
dest: /etc/bind/named.fftdf.db
notify:
- restart bind9
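Review bot: The five template tasks deploy BIND configuration and the fftdf zone with no `validate`, so a bad rendering is written to /etc/bind and only discovered when the `restart bind9` handler fails, leaving the mesh without a resolver. Add `validate: named-checkzone fftdf %s` to the `create named fftdf db` task and `validate: named-checkconf %s` to the `create named config` task; the partial files (named.conf.local, named.conf.options) cannot be checked in isolation, and named-checkconf on the top-level file will read whatever includes are on disk at that moment, so ordering the named.conf task last gives the most useful check. Consider also letting the handler do `state: reloaded` rather than `restarted`, which keeps the cache warm across config changes.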


@ -0,0 +1,28 @@
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
//
//zone "localhost" {
// type master;
// file "/etc/bind/db.local";
//};
//
//zone "127.in-addr.arpa" {
// type master;
// file "/etc/bind/db.127";
//};
//
//zone "0.in-addr.arpa" {
// type master;
// file "/etc/bind/db.0";
//};
//
//zone "255.in-addr.arpa" {
// type master;
// file "/etc/bind/db.255";
//};
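Review bot: This file declares only the root hint zone and comments out the localhost and loopback reverse zones, but none of the bind9 role's template tasks (named.conf, named.conf.local, named.conf.options, named.fftdf.conf, named.fftdf.db) deploys it, so as far as this page shows it is either unused or expected to stand in for the package's named.conf.default-zones. If it is meant to replace that file, add a template task for it; if not, remove it so a stale copy does not diverge from what actually runs. The `file "/etc/bind/db.root";` path should also be confirmed against the installed bind9 package, since newer Debian-family packages ship the hints as /usr/share/dns/root.hints.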


@ -0,0 +1,12 @@
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.fftdf.conf";


@ -5,6 +5,3 @@
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
// Include Freifunk (ff) zones
include "/etc/bind/ff/ff.conf";


@ -21,6 +21,6 @@ options {
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on { {{ sn_mesh_IPv4 }}; };
listen-on-v6 { {{ sn_mesh_IPv6 }}; };
};
listen-on { {{ network.ff_v4_address }}; };
listen-on-v6 { {{ network.ff_v6_address }}; };
};
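Review bot: The new `listen-on`/`listen-on-v6` lines bind the resolver to the Freifunk client addresses, but whether recursion is limited to mesh prefixes is decided by `allow-recursion`/`allow-query` outside this hunk, and with `dnssec-validation auto` this is otherwise a full recursive resolver for whichever networks can route to those addresses. Confirm the rest of the options block (or the host firewall) restricts recursion to the ff subnets, since the supernode also carries a public uplink. The `};` line appears twice in the hunk, which suggests a whitespace-only change to it; trailing whitespace in the template is worth cleaning so later diffs stay readable.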


@ -0,0 +1,6 @@
// Zone declarations for Freifunk Troisdorf
zone "fftdf" {
type master;
file "/etc/bind/named.fftdf.db";
};


@ -0,0 +1,24 @@
;; db.fftdf
;; Forwardlookupzone für .fftdf
;;
$TTL 600
@ IN SOA fftdf. root.fftdf. (
2016584547 ; Serial
8H ; Refresh
2H ; Retry
4W ; Expire
3H ) ; NX (TTL Negativ Cache)
@ IN NS troisdorf5.infra.fftdf.
IN A 10.188.32.5
IN AAAA 2a03:2260:121:2::5
localhost IN A 127.0.0.1
IN AAAA ::1
nextnode IN A 10.188.0.1
IN AAAA 2a03:2260:121::1
;; Update Servers
update1.infra IN AAAA 2a03:2260:121:4000:6038:61ff:fe34:3461
update2.infra IN AAAA 2a01:4f8:11d:600::183
;;update3.infra IN AAAA 2a03:2260:121::24
;; Unifi
unifi IN A 195.201.216.131
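Review bot: The NS record names `troisdorf5.infra.fftdf.` as the zone's name server, but the zone carries no A/AAAA record for that name (the address records on the following two lines belong to the apex `@`), so named-checkzone will warn that the NS has no address records and a resolver following the delegation cannot reach the server. Add an address record for it — the apex's `10.188.32.5` / `2a03:2260:121:2::5` look like the intended values, but confirm — e.g. `troisdorf5.infra IN A 10.188.32.5` followed by `IN AAAA 2a03:2260:121:2::5`, or point the NS at a name that is defined. The serial `2016584547` is a fixed literal in a template, so every later edit to this file must remember to bump it; a one-line comment above the SOA saying so would help.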


@ -0,0 +1,6 @@
nf_conntrack_netlink
nf_conntrack
nfnetlink
l2tp_netlink
l2tp_core
l2tp_eth


@ -0,0 +1,14 @@
[Unit]
Description=tunneldigger tunnelling network daemon using l2tpv3 for domain %i
After=network.target auditd.service
[Service]
Type=simple
WorkingDirectory=/srv/tunneldigger
ExecStart=/srv/tunneldigger/env_tunneldigger/bin/python3 -m tunneldigger_broker.main /srv/tunneldigger/broker/l2tp_broker.cfg
KillMode=process
KillSignal=SIGINT
Restart=on-failure
[Install]
WantedBy=multi-user.target
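Review bot: `ExecStart` points the broker at `/srv/tunneldigger/broker/l2tp_broker.cfg`, while the `Copy l2tp broker config template` task in the tunneldigger role writes the rendered config to `/srv/tunneldigger/l2tp_broker.cfg`, so the service starts with whatever file the upstream checkout carries at the first path (or fails if there is none) rather than the Ansible-managed one. Either change the unit to `ExecStart=/srv/tunneldigger/env_tunneldigger/bin/python3 -m tunneldigger_broker.main /srv/tunneldigger/l2tp_broker.cfg` or change the template task's `dest` to match. `Description` uses `%i`, which only expands in an instantiated `name@.service` unit; this file is installed as plain `tunneldigger.service` by the copy task, so the specifier renders empty and `for domain %i` should be dropped. The service runs as root with no sandboxing; it needs netlink for L2TP, but `ProtectSystem=strict` plus `ProtectHome=true` would narrow what a broker fault can touch.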


@ -0,0 +1,2 @@
- name: load kernel modules
shell: /etc/init.d/kmod start || true
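Review bot: The handler runs `/etc/init.d/kmod start || true`, so a module that fails to load is silently ignored and the play reports success while tunneldigger later cannot create L2TP interfaces. On a systemd host the modules-load.d file this role deploys is consumed by systemd-modules-load, so `ansible.builtin.service: name=systemd-modules-load state=restarted` (or `community.general.modprobe` per module) loads them and surfaces failures. If the sysvinit path is still needed somewhere, at least drop the `|| true` so the failure is visible.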


@ -0,0 +1,80 @@
- name: Install dependencies for this role
apt:
pkg: "{{ item }}"
state: present
with_items:
- bridge-utils
- ebtables
- git
- iproute2
- libnetfilter-conntrack-dev
- libnfnetlink-dev
- python3-dev
- python3-virtualenv
- virtualenv
- gcc
- libnl-3-dev
- libevent-dev
- name: Get Tunneldigger
git:
repo: https://github.com/wlanslovenija/tunneldigger
dest: /srv/tunneldigger
register: tunneldigger
- name: generate virtualenv.
command:
"virtualenv -p /usr/bin/python3 env_tunneldigger"
args:
chdir: /srv/tunneldigger/
creates: "/srv/tunneldigger/env_tunneldigger/bin/python3"
when: tunneldigger.changed
- name: Install python dependencies
command: "/srv/tunneldigger/env_tunneldigger/bin/python setup.py install"
args:
chdir: /srv/tunneldigger/broker
when: tunneldigger.changed
- name: Copy l2tp broker config template
template:
src: l2tp_broker.cfg.j2
dest: /srv/tunneldigger/l2tp_broker.cfg
owner: root
group: root
mode: 0444
- name: Copy tunneldigger script template
template:
src: bataddif.sh.j2
dest: /srv/tunneldigger/bataddif.sh
owner: root
group: root
mode: 0500
- name: Copy tunneldigger scripts
template:
src: batdelif.sh.j2
dest: /srv/tunneldigger/batdelif.sh
owner: root
group: root
mode: 0500
- name: Copy tunneldigger service template
copy:
src: tunneldigger.service
dest: /etc/systemd/system/tunneldigger.service
mode: 0444
- name: Deploy tunneldigger.conf to /etc/modules-load.d/
copy:
src: tunneldigger.conf
dest: /etc/modules-load.d/tunneldigger.conf
notify: load kernel modules
- name: Tunneldigger reload
command: "{{item}}"
with_items:
- systemctl daemon-reload
- systemctl enable tunneldigger.service
when: tunneldigger.changed
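Review bot: The `Get Tunneldigger` task clones `https://github.com/wlanslovenija/tunneldigger` without a `version`, so every run fetches the default branch head and `setup.py install` then executes whatever arrived, as root, on the supernodes; a broken or compromised upstream commit lands directly in production. Pin it with `version: <known-good-commit-or-tag>` (placeholder; use the revision actually tested) and bump it deliberately. The `Tunneldigger reload` task only runs when the checkout changed, so a modified unit file installed by `Copy tunneldigger service template` never triggers `daemon-reload`; a `notify` on that copy task with a handler would cover it. The apt task still loops `with_items` over `pkg: "{{ item }}"`, whereas the other roles in this change pass the list to `name:` in a single call.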


@ -14,4 +14,4 @@ do
fi
done
$brctl addif br-nodes $INTERFACE
$brctl addif br-nodes $INTERFACE


@ -0,0 +1,4 @@
#!/bin/bash
INTERFACE="$3"
/sbin/brctl delif br-nodes $INTERFACE
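Review bot: `$INTERFACE` is passed to brctl unquoted and the script has no `set -eu`, so an empty or unexpected third argument runs `brctl delif br-nodes` with a missing operand instead of failing clearly. Use `/sbin/brctl delif br-nodes "$INTERFACE"` and add `set -eu` after the shebang; the companion bataddif.sh, only partly visible in this diff, has the same unquoted `$INTERFACE` on its `addif` line.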


@ -1,10 +1,10 @@
[broker]
; IP address the broker will listen and accept tunnels on
address={{ ansible_default_ipv4.address }}
address={{ ansible_host }}
; Ports where the broker will listen on
port={{ sn_l2tp_tb_port }}
port={{ tunneldigger.td_port }}
; Interface with that IP address
interface={{ sn_interface_name }}
interface={{ tunneldigger.td_wan_interface }}
; Maximum number of cached cookies, required for establishing a
; session with the broker
max_cookies=1024
@ -21,7 +21,7 @@ pmtu_discovery=false
; Namespace (for running multiple brokers); note that you must also
; configure disjunct ports, and tunnel identifiers in order for
; namespacing to work
namespace={{ communityname }}
namespace=troisdorf
; Reject connections if there are less than N seconds since the last connection.
; Can be less than a second (e.g., 0.1).
@ -60,4 +60,4 @@ session.pre-down=/srv/tunneldigger/batdelif.sh
; Called after the tunnel interface goes down
session.down=
; Called after the tunnel MTU gets changed because of PMTU discovery
session.mtu-changed=
session.mtu-changed=
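Review bot: `address={{ ansible_host }}` in the first hunk assumes the inventory sets `ansible_host` to the literal IP the broker should bind, whereas the replaced `ansible_default_ipv4.address` was always an address; if `ansible_host` is a DNS name, or is unset for a host reached by its inventory name, the broker gets a value it cannot bind or the template fails to render. Since `tunneldigger.td_port` and `tunneldigger.td_wan_interface` already live in a per-host dict, a dedicated key (a constructed name such as `tunneldigger.td_address`) with a fallback, `address={{ tunneldigger.td_address | default(ansible_default_ipv4.address) }}`, keeps the bind address explicit. `namespace=troisdorf` hard-codes what was the `communityname` variable; acceptable for a single-community repo, but a comment saying so avoids someone reintroducing the variable later.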


@ -0,0 +1,28 @@
---
- name: Install required system packages
apt:
name:
- apt-transport-https
- ca-certificates
- curl
- software-properties-common
state: latest
update_cache: true
- name: Add Docker GPG apt Key
apt_key:
url: https://download.docker.com/linux/ubuntu/gpg
state: present
- name: Add Docker Repository
apt_repository:
repo: deb https://download.docker.com/linux/ubuntu jammy stable
state: present
- name: Update apt and install docker-ce
apt:
name:
- docker-ce
- docker-compose
state: latest
update_cache: true
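Review bot: `Add Docker GPG apt Key` uses `apt_key`, which puts the Docker key in the global trusted keyring where it can sign any configured repository, and `Add Docker Repository` hard-codes `jammy`, so the play silently installs the wrong suite on any other Ubuntu release. The OITC role in this same change already uses the narrower pattern — `get_url` into `/etc/apt/keyrings/` plus `[signed-by=...]` in the `apt_repository` line — so mirror it here with `repo: "deb [signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"`. `state: latest` on docker-ce means every playbook run may upgrade the daemon and restart all containers; `present` is safer once it is installed.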


@ -0,0 +1,29 @@
- name: Add OITC GPG Key
ansible.builtin.get_url:
url: https://packages.openitcockpit.io/repokey.txt
dest: /etc/apt/keyrings/openitcockpit-agent-keyring.asc
- name: Add specified repository into sources list
ansible.builtin.apt_repository:
repo: "deb [signed-by=/etc/apt/keyrings/openitcockpit-agent-keyring.asc] https://packages.openitcockpit.io/openitcockpit-agent/deb/stable deb main"
state: present
- name: Install OITC-Agent
apt: name={{ item }} state=latest update_cache=yes
with_items:
- openitcockpit-agent
- name: Copy Config File
ansible.builtin.template:
src: oitc.ini.j2
dest: /etc/openitcockpit-agent/config.ini
owner: root
group: root
mode: '0775'
register: openitcockpit_config
- name: Restart service httpd, in all cases
ansible.builtin.service:
name: openitcockpit-agent
state: restarted
when: openitcockpit_config.changed
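Review bot: `Copy Config File` installs /etc/openitcockpit-agent/config.ini with `mode: '0775'`, making a file that can hold the agent's `auth` credentials and `apikey` world-readable and group-writable; `mode: '0600'` with the existing root owner is what it needs. The `Add OITC GPG Key` `get_url` task has no `checksum`, so the repository trust anchor is whatever the download returns on that run; pinning `checksum: sha256:<expected-digest>` (placeholder) turns a key rotation into an explicit reviewed change. The last task is named `Restart service httpd, in all cases` but restarts `openitcockpit-agent` and only when the config changed; rename it, and consider a handler instead of `register`/`when` so it matches the other roles.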


@ -0,0 +1,177 @@
[default]
#
# This is the configuration file for the openITCOCKPIT Monitoring Agent 3.x
# Notice: Empty values will not been ignored! If you want to disable an option like proxy comment it out!
#########################
# Web Server #
#########################
# Bind address of the build-in web server
# Use 0.0.0.0 to bind on all interfaces
address = 0.0.0.0
# Port of the Agents build-in web server
# Default port is 3333
port = 3333
#########################
# Security Settings #
#########################
# Try to enable auto ssl mode for webserver
try-autossl = True
# File paths used to store autossl related files (default: /etc/openitcockpit-agent/):
# Leave this blank to use the default values
# Example: /etc/openitcockpit-agent/agent.csr
#autossl-csr-file =
# Example: /etc/openitcockpit-agent/agent.crt
#autossl-crt-file =
# Example: /etc/openitcockpit-agent/agent.key
#autossl-key-file =
# Example: /etc/openitcockpit-agent/server_ca.crt
#autossl-ca-file =
# If a certificate file is given, the agent will only be accessible through HTTPS
# Instead of messing around with self-signed certificates we recommend to use the autossl feature.
# Example: /etc/ssl/certs/ssl-cert-snakeoil.pem
#certfile = /etc/ssl/certs/ssl-cert-snakeoil.pem
# Private key file of the given TLS certificate
# Example: /etc/ssl/private/ssl-cert-snakeoil.key
#keyfile = /etc/ssl/private/ssl-cert-snakeoil.key
# Enable remote read and write access to the current agent configuration (this file) and
# the customchecks config
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# ! WARNING: This could lead to remote code execution !
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
config-update-mode = False
# Enable HTTP Basic Authentication
# Example: auth = user:password
#auth = user:password
#########################
# Checks #
#########################
# Determines in seconds how often the agent will schedule all internal checks
interval = 30
# Remote Plugin Execution
# Path to config will where custom checks can be defined
# Comment to use the default value
#
# Linux: /etc/openitcockpit-agent/customchecks.ini
# Windows: C:\Program Files\it-novum\openitcockpit-agent\customchecks.ini
# macOS: /Applications/openitcockpit-agent/customchecks.ini
#customchecks = /etc/openitcockpit-agent/customchecks.ini
#########################
# Enable/Disable checks #
#########################
# Enable CPU monitoring
cpustats = True
# Enable memory monitoring
memory = True
# Enable Swap monitoring
swap = True
# Enable monitoring of running processes
processstats = True
# Enable monitoring of network interfaces
netstats = True
# Enable monitoring of the traffic (I/O) of network interfaces
netio = True
# Enable disk usage monitoring
diskstats = True
# Enable monitoring of disk I/O
diskio = True
# Enable monitoring of Systemd Services (Linux only)
systemdservices = True
# Enable monitoring of Launchd Services (macOS only)
launchdservices = True
# Enable monitoring of Windows Services (Windows only)
winservices = True
# Enable monitoring of Windows Event Log records (Windows only)
wineventlog = False
# Determines how the openITCOCKPIT Monitoring Agent should query the Windows Event Log.
# Since Version 3.0.9 WMI (Windows Management Instrumentation) will be used by default
# As alternative the Agent could use the PowerShell Get-EventLog cmdlet.
# The WMI method will maybe memory leak on Windows Server 2016. The PowerShell workaround
# on the other hand could lead to blue screens (OA-40).
wineventlog-method = WMI
#wineventlog-method = PowerShell
# Define comma separated windows event log log types
# Event Logs containing spaces DO NOT need to be quoted: Security,Sophos Cloud AD Sync,Application
wineventlog-logtypes = System,Application,Security
# Enable monitoring of temperature and battery sensors
sensorstats = True
# Enable support to monitor Docker containers
# Known issues: Error response from daemon: client version 1.41 is too new. Maximum supported API version is 1.40
# Workaround: export DOCKER_API_VERSION=1.40
dockerstats = False
# Check KVMs through libvirt
# This requires to complie the openITCOCKPIT Monitoring Agent by yourself.
# Please see the Wiki for instructions: https://github.com/it-novum/openitcockpit-agent-go/wiki/Build-binary
libvirt = True
# Enable logged in users check
userstats = True
#########################
# Push mode #
#########################
# By default openITCOCKPIT will pull check results from the openITCOCKPIT Agent.
# In a cloud environments or behind a NAT network it could become handy
# if the openITCOCKPIT Monitoring Agent will push the results to your openITCOCKPIT Server
[oitc]
# Enable Push Mode
enabled = False
# This option disables the webserver of the openITCOCKPIT Monitoring Agent when running in PUSH mode.
# When you also want to enable the Webserver even if the agent is running in PUSH mode we highly recommend
# to enable HTTP Basic Authentication and to use the certfile and keyfile options to enable HTTPS
enable-webserver = False
# Address of your openITCOCKPIT Server where the Agent will push the results to
# Example: https://demo.openitcockpit.io
url =
# Enable this option when your openITCOCKPIT server uses valid TLS certificates
# like from Let's Encrypt
verify-server-certificate = False
# Timeout in seconds for the HTTP push client
timeout = 10
# API-Key of your openITCOCKPIT Server
apikey =
# Address of HTTP/HTTPS Proxy if required.
# Comment to disable
# Example: http://10.10.1.10:3128
#proxy = http://10.10.1.10:3128
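Review bot: With `address = 0.0.0.0`, `port = 3333` and `#auth` left commented out, the agent's HTTP API is reachable unauthenticated on every interface of the host, including the Freifunk mesh side and the public uplink, and the enabled checks (`processstats`, `userstats`, `diskstats`, `systemdservices`) hand that inventory to any client; `try-autossl = True` only protects traffic once the openITCOCKPIT server has completed its autossl exchange, it does not gate access. Either set `auth = <user>:<password>` with the value rendered from the vault by oitc.ini.j2 rather than committed here, bind `address` to the management address the monitoring server reaches, or restrict 3333 with the host firewall to that server. `libvirt = True` requires a self-compiled agent per the comment above it; what the packaged agent does with it is not visible here, so set it to `False` unless that build is in use.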


@ -0,0 +1,5 @@
---
- name: reconfigure wireguard
ansible.builtin.service:
name: "wg-quick@vpn01"
state: restarted


@ -0,0 +1,91 @@
- name: Install Wireguard
apt: name={{ item }} state=latest update_cache=yes
with_items:
- wireguard
- name: Register if config/private key already exists on target host
ansible.builtin.stat:
path: /etc/wireguard/vpn01.conf
register: wireguard__register_config_file
tags:
- wg-generate-keys
- wg-config
- name: WireGuard private key handling for new keys
block:
- name: Generate WireGuard private key
ansible.builtin.command: "wg genkey"
register: wireguard__register_private_key
changed_when: false
tags:
- wg-generate-keys
- name: Set private key fact
ansible.builtin.set_fact:
wireguard_private_key: "{{ wireguard__register_private_key.stdout }}"
tags:
- wg-generate-keys
when:
- not wireguard__register_config_file.stat.exists
- wireguard_private_key is not defined
- name: WireGuard private key handling for existing keys
block:
- name: Read WireGuard config file
ansible.builtin.slurp:
src: /etc/wireguard/vpn01.conf
register: wireguard__register_config
tags:
- wg-config
- name: Set private key fact
ansible.builtin.set_fact:
wireguard_private_key: "{{ wireguard__register_config['content'] | b64decode | regex_findall('PrivateKey = (.*)') | first }}"
tags:
- wg-config
when:
- wireguard__register_config_file.stat.exists
- wireguard_private_key is not defined
- name: Derive WireGuard public key
ansible.builtin.command: "wg pubkey"
args:
stdin: "{{ wireguard_private_key }}"
register: wireguard__register_public_key
changed_when: false
check_mode: false
tags:
- wg-config
- name: Set public key fact
ansible.builtin.set_fact:
wireguard__fact_public_key: "{{ wireguard__register_public_key.stdout }}"
tags:
- wg-config
- name: Create WireGuard configuration directory
ansible.builtin.file:
dest: /etc/wireguard/
state: directory
mode: 0700
tags:
- wg-config
- name: Generate WireGuard configuration file
ansible.builtin.template:
src: wg.conf.j2
dest: /etc/wireguard/vpn01.conf
owner: root
group: root
mode: 755
tags:
- wg-config
notify:
- reconfigure wireguard
- name: Start and enable WireGuard service
ansible.builtin.service:
name: "wg-quick@vpn01"
state: started
enabled: yes
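Review bot: `Generate WireGuard configuration file` writes /etc/wireguard/vpn01.conf, which contains the `PrivateKey`, with `mode: 755` — an unquoted YAML integer that Ansible does not read as octal 0755, and in any case a world-readable mode for a private key. Use `mode: '0600'` (quoted, leading zero), matching the `0700` already set on the directory task. The `Generate WireGuard private key` task and both `Set private key fact` tasks place the key in `wireguard_private_key` without `no_log: true`, so it is echoed in verbose runs and task results; add `no_log: true` to those tasks and to the template task that renders it.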


@ -0,0 +1,32 @@
#jinja2: lstrip_blocks:"True",trim_blocks:"True"
# {{ ansible_managed }}
# PublicKey: {{ wireguard__register_public_key.stdout }}
[Interface]
# {{ inventory_hostname }}
Address = {{ wireguard_address }}
PrivateKey = {{ wireguard_private_key }}
ListenPort = {{ wireguard_port }}
MTU = 1380
{% if wireguard_unmanaged_peers is defined %}
# Peers not managed by Ansible from "wireguard_unmanaged_peers" variable
{% for peer in wireguard_unmanaged_peers.keys() %}
[Peer]
# {{ peer }}
PublicKey = {{ wireguard_unmanaged_peers[peer].public_key }}
{% if wireguard_unmanaged_peers[peer].preshared_key is defined %}
PresharedKey = {{ wireguard_unmanaged_peers[peer].preshared_key }}
{% endif %}
{% if wireguard_unmanaged_peers[peer].allowed_ips is defined %}
AllowedIPs = {{ wireguard_unmanaged_peers[peer].allowed_ips }}
{% endif %}
{% if wireguard_unmanaged_peers[peer].endpoint is defined %}
Endpoint = {{ wireguard_unmanaged_peers[peer].endpoint }}
{% endif %}
{% if wireguard_unmanaged_peers[peer].persistent_keepalive is defined %}
PersistentKeepalive = {{ wireguard_unmanaged_peers[peer].persistent_keepalive }}
{% endif %}
{% endfor %}
{% endif %}
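Review bot: The header comment uses `{{ wireguard__register_public_key.stdout }}` although the tasks already store that value in `wireguard__fact_public_key`; referencing the raw register couples the template to a task name, so `# PublicKey: {{ wireguard__fact_public_key }}` is the cleaner form. `MTU = 1380` is the only hard-coded interface setting while address and port are variables; `MTU = {{ wireguard_mtu | default(1380) }}` (constructed variable name) keeps today's value and allows per-host override. The peer loop emits no `AllowedIPs` when `allowed_ips` is absent, which leaves that peer unable to exchange any traffic; a comment noting that the key is effectively required would save a debugging round.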


@ -0,0 +1,106 @@
version: "3"
services:
portainer:
image: portainer/portainer-ce:2.18.1
ports:
- 9443:9443
volumes:
- portainer_data:/data
- /var/run/docker.sock:/var/run/docker.sock
networks:
- traefik-public
labels:
- traefik.enable=true
- traefik.docker.network=traefik-public
- traefik.constraint-label=traefik-public
- traefik.http.routers.portainer-http.rule=Host(`portainer-unifi.freifunk-troisdorf.de`)
- traefik.http.routers.portainer-http.entrypoints=http
- traefik.http.routers.portainer-http.middlewares=https-redirect
- traefik.http.routers.portainer-http.service=portainer
- traefik.http.routers.portainer-https.rule=Host(`portainer-unifi.freifunk-troisdorf.de`)
- traefik.http.routers.portainer-https.entrypoints=https
- traefik.http.routers.portainer-https.tls=true
- traefik.http.routers.portainer-https.tls.certresolver=le
- traefik.http.routers.portainer-https.service=portainer
- traefik.http.services.portainer.loadbalancer.server.port=9000
traefik:
image: traefik:v2.4.8
ports:
# Listen on port 80, default for HTTP, necessary to redirect to HTTPS
- 80:80
# Listen on port 443, default for HTTPS
- 443:443
# Listen on 2222 for SSH Gitea
- 2222:2222
labels:
- traefik.enable=true
- traefik.docker.network=traefik-public
- traefik.constraint-label=traefik-public
- traefik.http.middlewares.admin-auth.basicauth.users=admin:$$2y$$05$$HmqkgwL5AxrYrwBWvvlVIuMVb5UMWrrChmhmRYFFkMXpLCFgi60US
- traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
- traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
- traefik.http.routers.traefik-public-http.rule=Host(`traefik-unifi.freifunk-troisdorf.de`)
- traefik.http.routers.traefik-public-http.entrypoints=http
- traefik.http.routers.traefik-public-http.middlewares=https-redirect
- traefik.http.routers.traefik-public-https.rule=Host(`traefik-unifi.freifunk-troisdorf.de`)
- traefik.http.routers.traefik-public-https.entrypoints=https
- traefik.http.routers.traefik-public-https.tls=true
# Use the special Traefik service api@internal with the web UI/Dashboard
- traefik.http.routers.traefik-public-https.service=api@internal
# Use the "le" (Let's Encrypt) resolver created below
- traefik.http.routers.traefik-public-https.tls.certresolver=le
# Enable HTTP Basic auth, using the middleware created above
- traefik.http.routers.traefik-public-https.middlewares=admin-auth
# Define the port inside of the Docker service to use
- traefik.http.services.traefik-public.loadbalancer.server.port=8080
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- traefik-public-certificates:/certificates
#- /opt/docker/traefik:/etc/traefik
command:
# Enable Docker in Traefik, so that it reads labels from Docker services
- --providers.docker
# Add a constraint to only use services with the label "traefik.constraint-label=traefik-public"
- --providers.docker.constraints=Label(`traefik.constraint-label`, `traefik-public`)
# Do not expose all Docker services, only the ones explicitly exposed
- --providers.docker.exposedbydefault=false
# Enable Docker Swarm mode
#- --providers.docker.swarmmode
# Create an entrypoint "http" listening on port 80
- --entrypoints.http.address=:80
# Create an entrypoint "https" listening on port 443
- --entrypoints.https.address=:443
# Create an entrypoint for SSH
- --entrypoints.ssh.address=:2222/tcp
# Create an entrypoint for DNS
#- --entrypoints.dns-tcp.address=:5353/tcp
# Create an entrypoint for DNS
#- --entrypoints.dns-udp.address=:5353/udp
# Create the certificate resolver "le" for Let's Encrypt, uses the environment variable EMAIL
- --certificatesresolvers.le.acme.email=info@hoffmann-hosting.de
# Store the Let's Encrypt certificates in the mounted volume
- --certificatesresolvers.le.acme.storage=/certificates/acme.json
# Use the TLS Challenge for Let's Encrypt
- --certificatesresolvers.le.acme.tlschallenge=true
# Enable the access log, with HTTP requests
- --accesslog
# Enable the Traefik log, for configurations and errors
- --log
# Enable the Dashboard and API
- --api
- --serverstransport.insecureskipverify=true
networks:
# Use the public network created to be shared between Traefik and
# any other service that needs to be publicly available with HTTPS
- traefik-public
volumes:
traefik-public-certificates:
portainer_data:
networks:
traefik-public:
driver: bridge
attachable: true
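Review bot: The traefik `command` block sets `--serverstransport.insecureskipverify=true`, which disables TLS verification for every backend Traefik proxies to, yet the only backend here is Portainer on plain port 9000, so the flag buys nothing now and silently weakens any HTTPS backend added later; drop it. The bcrypt hash for `admin-auth` is committed in this file with cost `05`, low enough that offline guessing is cheap if the repository leaks; move it to a vaulted variable rendered by a template and regenerate it at a higher cost. `traefik:v2.4.8` is pinned, which is good, but it appears to be a 2021 release and should be checked against the project's advisories before this goes live. Port `9443:9443` publishes Portainer directly on the host in addition to the Traefik route, and `2222:2222` plus the `ssh` entrypoint serve a Gitea that is not in this compose file; remove what is not used.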


@ -0,0 +1,11 @@
---
- name: Create Docker Folder
ansible.builtin.file:
path: /opt/docker
state: directory
mode: '0755'
- name: Copy Docker-Compose File
copy:
src: portainer.yml
dest: /opt/docker/docker-compose.yml
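Review bot: `Copy Docker-Compose File` places /opt/docker/docker-compose.yml but nothing in this role brings the stack up or re-applies it when the file changes, so an edited compose file has no effect until someone runs compose by hand; if that is intended a comment saying so would help, otherwise a `community.docker.docker_compose` task (or a `command` running compose) triggered by the copy would close the loop. The copy also sets no `mode`; since the compose file carries the admin basic-auth hash, `mode: '0600'` is appropriate.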


@ -0,0 +1,3 @@
- name: render a Jinja2 template onto the VyOS router
vyos.vyos.vyos_config:
src: config.j2
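Review bot: The `vyos_config` task loads the template into the running configuration but does not set `save: true`, so the change is lost at the router's next reboot; add `save: true`, and `backup: true` to keep a copy of the previous config on the controller. Since config.j2 is a complete device configuration, a comment on the task should also record that, as far as I recall, `vyos_config` merges rather than replaces, so stanzas removed from the template stay on the device until deleted explicitly.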


@ -0,0 +1,422 @@
interfaces {
ethernet eth0 {
address {{ wan_address }}{{ wan_net }}
description WAN
}
ethernet eth1 {
address {{ lan_address }}/24
description "Freifunk WAN"
ipv6 {
address {
autoconf
}
}
}
loopback lo {
address {{ ffrl_address }}/32
address {{ ffrl_address_v6 }}
}
tunnel tun0 {
address {{ gre_ber_a_address }}{{gre_bb_transfer_net}}
address {{ gre_ber_a_address_v6 }}{{ gre_bb_transfer_net_v6 }}
description {{ gre_ber_a_description }}
encapsulation gre
remote {{ gre_ber_a_remote }}
source-address {{ wan_address }}
}
tunnel tun1 {
address {{ gre_ber_b_address }}{{gre_bb_transfer_net}}
address {{ gre_ber_b_address_v6 }}{{ gre_bb_transfer_net_v6 }}
description {{ gre_ber_b_description }}
encapsulation gre
remote {{ gre_ber_b_remote }}
source-address {{ wan_address }}
}
tunnel tun2 {
address {{ gre_a_dus_address }}{{gre_bb_transfer_net}}
address {{ gre_a_dus_address_v6 }}{{ gre_bb_transfer_net_v6 }}
description {{ gre_a_dus_description }}
encapsulation gre
remote {{ gre_a_dus_remote }}
source-address {{ wan_address }}
}
tunnel tun3 {
address {{ gre_b_dus_address }}{{gre_bb_transfer_net}}
address {{ gre_b_dus_address_v6 }}{{ gre_bb_transfer_net_v6 }}
description {{ gre_b_dus_description }}
encapsulation gre
remote {{ gre_b_dus_remote }}
source-address {{ wan_address }}
}
tunnel tun4 {
address {{ gre_a_fra_address }}{{gre_bb_transfer_net}}
address {{ gre_a_fra_address_v6 }}{{ gre_bb_transfer_net_v6 }}
description {{ gre_a_fra_description }}
encapsulation gre
remote {{ gre_a_fra_remote }}
source-address {{ wan_address }}
}
tunnel tun5 {
address {{ gre_b_fra_address }}{{gre_bb_transfer_net}}
address {{ gre_b_fra_address_v6 }}{{ gre_bb_transfer_net_v6 }}
description {{ gre_b_fra_description }}
encapsulation gre
remote {{ gre_b_fra_remote }}
source-address {{ wan_address }}
}
}
nat {
source {
rule 1 {
outbound-interface any
source {
address {{ lan_network }}
}
translation {
address {{ ffrl_address }}
}
}
}
}
policy {
local-route {
rule 10 {
set {
table 42
}
source {{ wan_address }}
}
}
prefix-list FFRL-IN {
rule 10 {
action permit
prefix 0.0.0.0/0
}
}
prefix-list FFRL-OUT {
rule 10 {
action permit
prefix {{ ffrl_address }}/32
}
}
prefix-list6 FFRL-IN-6 {
rule 10 {
action permit
prefix ::/0
}
}
prefix-list6 FFRL-OUT-6 {
rule 10 {
action permit
prefix {{ ffrl_net_v6 }}
}
}
route-map FFRL-IN {
rule 10 {
action permit
match {
ip {
address {
prefix-list FFRL-IN
}
}
}
}
}
route-map FFRL-OUT {
rule 10 {
action permit
match {
ip {
address {
prefix-list FFRL-OUT
}
}
}
}
}
route-map FFRL-IN-6 {
rule 10 {
action permit
match {
ipv6 {
address {
prefix-list FFRL-IN-6
}
}
}
}
}
route-map FFRL-OUT-6 {
rule 10 {
action permit
match {
ipv6 {
address {
prefix-list FFRL-OUT-6
}
}
}
}
}
}
protocols {
bgp {
address-family {
ipv4-unicast {
network {{ ffrl_address }}/32 {
}
}
ipv6-unicast {
network {{ ffrl_net_v6 }} {
}
}
}
neighbor {{ gre_ber_a_neighbor }} {
address-family {
ipv4-unicast {
route-map {
export FFRL-OUT
import FFRL-IN
}
}
}
description {{ gre_ber_a_description }}
remote-as {{ gre_bb_renote_as }}
update-source {{ gre_ber_a_address }}
}
neighbor {{ gre_ber_b_neighbor }} {
address-family {
ipv4-unicast {
route-map {
export FFRL-OUT
import FFRL-IN
}
}
}
description {{ gre_ber_b_description }}
remote-as {{ gre_bb_renote_as }}
update-source {{ gre_ber_b_address }}
}
neighbor {{ gre_a_dus_neighbor }} {
address-family {
ipv4-unicast {
route-map {
export FFRL-OUT
import FFRL-IN
}
}
}
description {{ gre_a_dus_description }}
remote-as {{ gre_bb_renote_as }}
update-source {{ gre_a_dus_address }}
}
neighbor {{ gre_b_dus_neighbor }} {
address-family {
ipv4-unicast {
route-map {
export FFRL-OUT
import FFRL-IN
}
}
}
description {{ gre_b_dus_description }}
remote-as {{ gre_bb_renote_as }}
update-source {{ gre_b_dus_address }}
}
neighbor {{ gre_a_fra_neighbor }} {
address-family {
ipv4-unicast {
route-map {
export FFRL-OUT
import FFRL-IN
}
}
}
description {{ gre_a_fra_description }}
remote-as {{ gre_bb_renote_as }}
update-source {{ gre_a_fra_address }}
}
neighbor {{ gre_b_fra_neighbor }} {
address-family {
ipv4-unicast {
route-map {
export FFRL-OUT
import FFRL-IN
}
}
}
description {{ gre_b_fra_description }}
remote-as {{ gre_bb_renote_as }}
update-source {{ gre_b_fra_address }}
}
neighbor {{ gre_ber_a_neighbor_v6 }} {
address-family {
ipv6-unicast {
route-map {
export FFRL-OUT-6
import FFRL-IN-6
}
}
}
remote-as {{ gre_bb_renote_as }}
update-source {{ gre_ber_a_address_v6 }}
}
neighbor {{ gre_ber_b_neighbor_v6 }} {
address-family {
ipv6-unicast {
route-map {
export FFRL-OUT-6
import FFRL-IN-6
}
}
}
remote-as {{ gre_bb_renote_as }}
update-source {{ gre_ber_b_address_v6 }}
}
neighbor {{ gre_a_dus_neighbor_v6 }} {
address-family {
ipv6-unicast {
route-map {
export FFRL-OUT-6
import FFRL-IN-6
}
}
}
remote-as {{ gre_bb_renote_as }}
update-source {{ gre_a_dus_address_v6 }}
}
neighbor {{ gre_b_dus_neighbor_v6 }} {
address-family {
ipv6-unicast {
route-map {
export FFRL-OUT-6
import FFRL-IN-6
}
}
}
remote-as {{ gre_bb_renote_as }}
update-source {{ gre_b_dus_address_v6 }}
}
neighbor {{ gre_a_fra_neighbor_v6 }} {
address-family {
ipv6-unicast {
route-map {
export FFRL-OUT-6
import FFRL-IN-6
}
}
}
remote-as {{ gre_bb_renote_as }}
update-source {{ gre_a_fra_address_v6 }}
}
neighbor {{ gre_b_fra_neighbor_v6 }} {
address-family {
ipv6-unicast {
route-map {
export FFRL-OUT-6
import FFRL-IN-6
}
}
}
remote-as {{ gre_bb_renote_as }}
update-source {{ gre_b_fra_address_v6 }}
}
parameters {
router-id {{ wan_address }}
}
system-as {{ gre_bb_local_as }}
}
static {
table 42 {
route 0.0.0.0/0 {
next-hop {{ wan_gateway }} {
}
}
}
}
}
service {
ntp {
allow-client {
address 0.0.0.0/0
address ::/0
}
server time1.vyos.net {
}
server time2.vyos.net {
}
server time3.vyos.net {
}
}
router-advert {
interface eth1 {
default-lifetime 300
default-preference high
hop-limit 64
interval {
max 30
}
link-mtu 1500
name-server 2606:4700:4700::1111
prefix {{ ffrl_net_v6 }} {
preferred-lifetime 300
valid-lifetime 900
}
reachable-time 90000
retrans-timer 0
}
}
ssh {
port 22
}
}
system {
config-management {
commit-revisions 100
}
conntrack {
modules {
ftp
h323
nfs
pptp
sip
sqlnet
tftp
}
}
console {
device ttyS0 {
speed 115200
}
}
host-name {{ inventory_hostname }}
login {
banner {
post-login "Welcome to the core Freifunk Router for Troisdorf!\n\nEnjoy it while you are here!\n"
}
user vyos {
authentication {
public-keys nils {
key AAAAB3NzaC1yc2EAAAADAQABAAACAQCvwA3/NDj7Oo28Q1XdRIgOp//35gFVvsDa1dnMkgRDqJYvlIDbRiQ+UIcgu5YhstPb8BAxfvqjRP4rnMKc7v69T2Lp+HOMx+1sOYrznEe2hC5lPr4+U1u4Fzqhq/keSoItifmdTgrE+01Zc5jMBosUIm79TDgEMuEGcYVJIyAzDv9ez4u+Bz/HubRO+qT/+UmOICEg9m/C+fiH/ZAJHi90dMsj7RF5YXrRHXTAdiecurwGAZx2Adug1fFTvzB1pqBUHje1PFtEI+LheYklpNtiJo8NQ2KDEiavSxBibJrywzQHaddf0bkeAhmiNY8PRoMpMNeiu94DyNFWgdm7bLzdzrN/o5U7MlnJlcn8D1tLtdp0ngTxaN6VIywI8mQ/Ukxz8p2Ce49vu6osz4CvYhKx4mrvOSmqg9VjKcL6/rIwK7y5CWgIrddktxrSpUHXkzoQSefgZ5Bnu3CNp0GixWV5JTHnFxCulJAGi3TTqx7IvsJ8gpuKkeGnIgnDhFbqVOKeEEnR13tTCJ7MgPQ+VHREQ68u73a5TfDxJd/ggnG4tQ67HOcqxwa74+X1lv7YiJ3AvbrR7FFPNM3o5N8ZmZWhBLDaUHrjElHkZdB/V2l2bCblWhD0INCYoskuK1dFGdf3gQQeKOivGzKtzI0xNKutrxfvarkikxCEV3Exj889rQ==
type ssh-rsa
}
public-keys stefan {
key AAAAB3NzaC1yc2EAAAADAQABAAABAQDM0d9uUUdkK80fYEAz+IwxbhQO2qsr87Q4uxxwqQCvjVWryL+IuKMBJJGroWDMz2d9UJcIXEYdMz4436U0DoPJuoXe5iDsVvum3Vz3276My+tqx1bZWCktPa8Isft7mO/wfELNjRNQduUiwh2y712s7/3GQI+5Rs/65HuLHTnpLKrlfptqmsmYw+IUFDzGwBLJ6sqP90ywjKkperPCAH3IWcTsQwnW3EJFPToMg6BrQslZlxx/z+co3e6jCWzUuuIRP9jp4SmNVfYaVGb1cOFdL1p1P0qWHBHdGUnXHZ+c773VKVSj+spUBxKGqNC1EhRCYTsPDLVrYrhKl2BRLcgB
type ssh-rsa
}
}
}
}
syslog {
global {
facility all {
level info
}
facility protocols {
level debug
}
}
}
}
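Review bot: `service ntp allow-client` permits `address 0.0.0.0/0` and `address ::/0`, so the router answers NTP for the whole Internet on its WAN address; unless it is meant to be a public time server, limit it to the local prefixes, e.g. `address {{ lan_network }}` and `address {{ ffrl_net_v6 }}`. The file contains no `firewall` stanza at all, so SSH on port 22, the BGP sessions and the six GRE tunnels on eth0 accept traffic from any source; SSH is key-only here, but an input rule on eth0 admitting the configured GRE remotes and neighbours and dropping the rest would match what the rest of this setup expects. `remote-as {{ gre_bb_renote_as }}` is spelled with "renote" in all twelve neighbours; it works as long as the host_vars use the same name, but renaming it to `gre_bb_remote_as` together with the vars would read better. `syslog facility protocols level debug` is also very noisy for a production BGP box.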


@ -0,0 +1,14 @@
# ansible-playbook -i hosts.yml system-setup-supernode.yml -e vault.yml --ask-vault-password
- name: System preperation
hosts: freifunk_supernodes
roles:
- 00-ubuntu-basic
- 21-install-oitc
- name: VPN Offloader Setup
hosts: freifunk_supernodes
roles:
- 10-freifunk-supernode
- 10.1-dhcp
- 10.2-named
- 10.3-tunneldigger
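Review bot: The usage comment on the first line passes the vault file as `-e vault.yml`, but `ansible-playbook` only loads a file through `-e` when the argument starts with `@`; as written it is parsed as a key=value string and does not load the vault, so it should read `# ansible-playbook -i hosts.yml system-setup-supernode.yml -e @vault.yml --ask-vault-password`. Both plays are named `System preperation`; the same typo is in system-setup-unifi.yml, and both should read `System preparation`. Both plays here target `freifunk_supernodes`, so they could be one play with a single roles list unless the split is deliberate for `--tags` or `--start-at-task` use.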

16
system-setup-unifi.yml Normal file

@ -0,0 +1,16 @@
# ansible-playbook -i hosts.yml system-setup-unifi.yml
- name: System preperation
hosts: service_server
roles:
- 00-ubuntu-basic
- name: Docker Setup
hosts: unifi
roles:
- 21-docker
- 21.1-portainer-compose
- name: Docker Setup
hosts: uisp
roles:
- 21-docker
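Review bot: Two plays are both named `Docker Setup` (one for `hosts: unifi`, one for `hosts: uisp`), so log output and `--start-at-task` cannot tell them apart; name them `Docker Setup (unifi)` and `Docker Setup (uisp)` or similar. The `uisp` play installs Docker but deploys no compose stack, and the first play targets `service_server` while the docker plays target `unifi` and `uisp`, so confirm those hosts are members of `service_server` or `00-ubuntu-basic` will not run on them.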
