Freifunk-Troisdorf/ansible.fftdf.supernode
5
0
Fork 0
Code Issues 1 Pull Requests Releases Wiki Activity

Compare commits

base: Freifunk-Troisdorf:tdf7
Branches Tags
Freifunk-Troisdorf:tdf7
Freifunk-Troisdorf:master
Freifunk-Troisdorf:v3.0
..
compare: Freifunk-Troisdorf:v3.0
Branches Tags
Freifunk-Troisdorf:tdf7
Freifunk-Troisdorf:master
Freifunk-Troisdorf:v3.0

No commits in common. "tdf7" and "v3.0" have entirely different histories.
tdf7 ... v3.0

96 changed files with 1489 additions and 2636 deletions
Show Stats Expand all files Collapse all files

BIN
.DS_Store vendored
View File

Binary file not shown.

2
.gitignore vendored
View File

@ -1,2 +0,0 @@
.DS_Store
edgerouter_configs/**

22
README.md Normal file
View File

@ -0,0 +1,22 @@
# ansible.fftdf.supernode
Ansible yml file to manage Freifunk Troisdorf supernodes
At this time you have to start it explicit with the target server
example: ansible-playbook install.sn.yml --extra-vars "target=troisdorf5"
example: ansible-playbook install.sn.yml --extra-vars "target=troisdorf[4,5,6]"
You need this information in your hosts (/etc/ansible/hosts) file:
#example, I hope self explaining
[troisdorf5]
78.46.233.212
[troisdorf5:vars]
sn_hostname=troisdorf5
sn_dhcp_range=10.188.115.1 10.188.115.254
sn_dhcp_dns=10.188.1.100, 10.188.1.23
sn_dhcp_router=10.188.255.5
sn_mesh_IPv6=fda0:747e:ab29:7405:255::5
sn_mesh_IPv4=10.188.255.5
sn_mesh_MAC=a2:8c:ae:6f:f6:05
sn_fqdn=freifunk-troisdorf.de
sn_l2tp_tb_port=53844

474
conf.conf
View File

@ -1,474 +0,0 @@
interfaces {
ethernet eth0 {
address 5.9.220.113/29
description WAN
}
ethernet eth1 {
address 172.16.7.1/24
description "Freifunk WAN"
ipv6 {
address {
autoconf
}
}
}
loopback lo {
address 185.66.193.107/32
address 2a03:2260:121:600::0/128
}
tunnel tun0 {
address 100.64.6.25/31
address 2a03:2260:0:30c::2/64
description gre_bb_a_ak_ber
encapsulation gre
remote 185.66.195.0
source-address 5.9.220.113
}
tunnel tun1 {
address 100.64.6.31/31
address 2a03:2260:0:30f::2/64
description gre_bb_b_ak_ber
encapsulation gre
remote 185.66.195.1
source-address 5.9.220.113
}
tunnel tun2 {
address 100.64.6.29/31
address 2a03:2260:0:30e::2/64
description gre_bb_a_ix_dus
encapsulation gre
remote 185.66.193.0
source-address 5.9.220.113
}
tunnel tun3 {
address 100.64.6.35/31
address 2a03:2260:0:311::2/64
description gre_bb_b_ix_dus
encapsulation gre
remote 185.66.193.1
source-address 5.9.220.113
}
tunnel tun4 {
address 100.64.6.27/31
address 2a03:2260:0:30d::2/64
description gre_bb_a_fra3_f
encapsulation gre
remote 185.66.194.0
source-address 5.9.220.113
}
tunnel tun5 {
address 100.64.6.33/31
address 2a03:2260:0:310::2/64
description gre-bb-b.fra3.f
encapsulation gre
remote 185.66.194.1
source-address 5.9.220.113
}
}
nat {
destination {
rule 1 {
description "Allow SSH to VPN-01 Port 2222"
destination {
address 185.66.193.107/32
port 2222
}
inbound-interface any
protocol tcp
translation {
address 172.16.7.2
port 22
}
}
rule 2 {
description "Wireguard VPN-01 42001"
destination {
address 185.66.193.107
port 42001
}
inbound-interface any
protocol udp
translation {
address 172.16.7.2
}
}
}
source {
rule 1 {
outbound-interface any
source {
address 172.16.7.0/24
}
translation {
address 185.66.193.107
}
}
}
}
policy {
local-route {
rule 10 {
set {
table 42
}
source 5.9.220.113
}
}
prefix-list FFRL-IN {
rule 10 {
action permit
prefix 0.0.0.0/0
}
}
prefix-list FFRL-OUT {
rule 10 {
action permit
prefix 185.66.193.107/32
}
}
prefix-list6 FFRL-IN-6 {
rule 10 {
action permit
prefix ::/0
}
}
prefix-list6 FFRL-OUT-6 {
rule 10 {
action permit
prefix 2a03:2260:121:600::/55
}
}
route-map FFRL-IN {
rule 10 {
action permit
match {
ip {
address {
prefix-list FFRL-IN
}
}
}
}
}
route-map FFRL-OUT {
rule 10 {
action permit
match {
ip {
address {
prefix-list FFRL-OUT
}
}
}
}
}
route-map FFRL-IN-6 {
rule 10 {
action permit
match {
ipv6 {
address {
prefix-list FFRL-IN-6
}
}
}
}
}
route-map FFRL-OUT-6 {
rule 10 {
action permit
match {
ipv6 {
address {
prefix-list FFRL-OUT-6
}
}
}
}
}
}
protocols {
bgp {
address-family {
ipv4-unicast {
network 185.66.193.107/32 {
}
}
ipv6-unicast {
network 2a03:2260:121:600::/55 {
}
}
}
neighbor 100.64.6.24 {
address-family {
ipv4-unicast {
route-map {
export FFRL-OUT
import FFRL-IN
}
}
}
description ffrl_bb_a_ak_ber
remote-as 201701
update-source 100.64.6.25
}
neighbor 100.64.6.26 {
address-family {
ipv4-unicast {
route-map {
export FFRL-OUT
import FFRL-IN
}
}
}
description ffrl_bb_a_fra3_fra
remote-as 201701
update-source 100.64.6.27
}
neighbor 100.64.6.28 {
address-family {
ipv4-unicast {
route-map {
export FFRL-OUT
import FFRL-IN
}
}
}
description ffrl_bb_a_ix_dus
remote-as 201701
update-source 100.64.6.29
}
neighbor 100.64.6.30 {
address-family {
ipv4-unicast {
route-map {
export FFRL-OUT
import FFRL-IN
}
}
}
description ffrl_bb_b_ak_ber
remote-as 201701
update-source 100.64.6.31
}
neighbor 100.64.6.32 {
address-family {
ipv4-unicast {
route-map {
export FFRL-OUT
import FFRL-IN
}
}
}
description ffrl_bb_b_fra3_fra
remote-as 201701
update-source 100.64.6.33
}
neighbor 100.64.6.34 {
address-family {
ipv4-unicast {
route-map {
export FFRL-OUT
import FFRL-IN
}
}
}
description ffrl_bb_b_ix_dus
remote-as 201701
update-source 100.64.6.35
}
neighbor 2a03:2260:0:30c::1 {
address-family {
ipv6-unicast {
route-map {
export FFRL-OUT-6
import FFRL-IN-6
}
}
}
remote-as 201701
update-source 2a03:2260:0:30c::2
}
neighbor 2a03:2260:0:30d::1 {
address-family {
ipv6-unicast {
route-map {
export FFRL-OUT-6
import FFRL-IN-6
}
}
}
remote-as 201701
update-source 2a03:2260:0:30d::2
}
neighbor 2a03:2260:0:30e::1 {
address-family {
ipv6-unicast {
route-map {
export FFRL-OUT-6
import FFRL-IN-6
}
}
}
remote-as 201701
update-source 2a03:2260:0:30e::2
}
neighbor 2a03:2260:0:30f::1 {
address-family {
ipv6-unicast {
route-map {
export FFRL-OUT-6
import FFRL-IN-6
}
}
}
remote-as 201701
update-source 2a03:2260:0:30f::2
}
neighbor 2a03:2260:0:310::1 {
address-family {
ipv6-unicast {
route-map {
export FFRL-OUT-6
import FFRL-IN-6
}
}
}
remote-as 201701
update-source 2a03:2260:0:310::2
}
neighbor 2a03:2260:0:311::1 {
address-family {
ipv6-unicast {
route-map {
export FFRL-OUT-6
import FFRL-IN-6
}
}
}
remote-as 201701
update-source 2a03:2260:0:311::2
}
parameters {
router-id 10.188.255.7
}
system-as 65066
}
static {
route6 2a03:2260:121:e000::/54 {
interface eth1 {
}
}
table 42 {
route 0.0.0.0/0 {
next-hop 5.9.220.112 {
}
}
}
}
}
service {
dhcp-server {
listen-address 172.16.7.1
shared-network-name freifunk {
subnet 172.16.7.0/24 {
default-router 172.16.7.1
name-server 1.1.1.1
name-server 1.0.0.1
range dhcp {
start 172.16.7.10
stop 172.16.7.200
}
static-mapping vpn-01 {
ip-address 172.16.7.2
mac-address 36:f3:82:18:9b:03
}
}
}
}
ntp {
allow-client {
address 0.0.0.0/0
address ::/0
}
server time1.vyos.net {
}
server time2.vyos.net {
}
server time3.vyos.net {
}
}
router-advert {
interface eth1 {
default-lifetime 300
default-preference high
hop-limit 64
interval {
max 30
}
link-mtu 1500
name-server 2001:4860:4860::8888
other-config-flag
prefix 2a03:2260:121:600::/58 {
preferred-lifetime 300
valid-lifetime 900
}
reachable-time 90000
retrans-timer 0
}
}
ssh {
port 22
}
}
system {
config-management {
commit-revisions 100
}
conntrack {
modules {
ftp
h323
nfs
pptp
sip
sqlnet
tftp
}
}
console {
device ttyS0 {
speed 115200
}
}
host-name 7.fftdf.de
login {
banner {
post-login "Welcome to the core Freifunk Router for Troisdorf!\n\nEnjoy it while you are here!\n"
}
user vyos {
authentication {
encrypted-password ****************
plaintext-password ****************
public-keys nils {
key ****************
type ssh-rsa
}
public-keys stefan {
key ****************
type ssh-rsa
}
}
}
}
syslog {
global {
facility all {
level info
}
facility protocols {
level debug
}
}
}
}

57
definition.md
View File

@ -1,57 +0,0 @@
# Network
## IP Spaces
### From FFRL
External IPv4:
- troisdorf4: 185.66.193.104
- troisdorf5: 185.66.193.105
- troisdorf6: 185.66.193.106
- troisdorf7: 185.66.193.107
IPv6 Prefix: 2a03:2260:121::/48
### Internal and Segmentation:
#### IPv4:
Wir unterscheiden zwischen Gluon Netzen und VPN-Offloader Netzen
Die Gluon Netze sind im bereich 10.188.0.0/16
Die VPN Offloader Netze im Bereich 10.0.0.0/8
#### IPv6:
FFRL 2a03:2260:121::/48
Wir nutzen jetzt nur das Netz 2a03:2260:121::/52
GRE-Router: bekommen ein /55
https://www.internex.at/de/toolbox/ipv6/ip6=2a03:2260:121::/prefix=52/subnetNo=8
gre1: 2a03:2260:121::/55 (FFRL Tunnel-Paar 1, momentan TDF4)
gre2: 2a03:2260:121:200::/55 (FFRL Tunnel-Paar 2, momentan TDF5)
gre3: 2a03:2260:121:400::/55 (FFRL Tunnel-Paar 3, momentan TDF6)
gre4: 2a03:2260:121:600::/55 (FFRL Tunnel-Paar 4, momentane Testumgebung)
gre5: 2a03:2260:121:800::/55 (noch keine verwendung)
gre6: 2a03:2260:121:a00::/55 (noch keine verwendung)
gre7: 2a03:2260:121:c00::/55 (noch keine verwendung)
gre8: 2a03:2260:121:e00::/55 (noch keine verwendung)
Supernodes / VPN Server bekommen ein /58 aus dem Netz des GRE Routers (hier am beispiel gre4)
https://www.internex.at/de/toolbox/ipv6/ip6=2a03:2260:121:600::/prefix=55/subnetNo=8
vpn1: 2a03:2260:121:600::/58
vpn2: 2a03:2260:121:640::/58
vpn3: 2a03:2260:121:680::/58
vpn4: 2a03:2260:121:6c0::/58
vpn5: 2a03:2260:121:700::/58
vpn6: 2a03:2260:121:740::/58
vpn7: 2a03:2260:121:780::/58
vpn8: 2a03:2260:121:7c0::/58
Router/Clients bekommen dann jeweils ein /64 aus dem vpn Netz:
https://www.internex.at/de/toolbox/ipv6/ip6=2a03:2260:121:600::/prefix=58/subnetNo=64
client1: 2a03:2260:121:601::/64
usw...

5
er-test.yml
View File

@ -1,5 +0,0 @@
# ansible-playbook -i hosts.yml er-test.yml --ask-vault-password
- name: System preperation
hosts: edge_router
roles:
- 01-vpn-router-config

51
files/alfred.sh.j2 Normal file
View File

@ -0,0 +1,51 @@
#!/bin/sh
release=$(/bin/uname -r)
nodeid=$( /bin/echo {{ sn_mesh_MAC }} | /bin/sed s/://g)
#meshh_if=$(/bin/cat /sys/class/net/troisdorf*/address | /bin/grep -v ^00:00:00)
meshh_if=$(/bin/cat /sys/class/net/l2tp*/address | /bin/grep -v ^00:00:00)
tempfile=/tmp/alfred_info
if [ -f $tempfile ]
then
/bin/rm $tempfile
fi
/bin/cat > $tempfile <<EOF
{
"network": {
"mac": "{{ sn_mesh_MAC }}",
"addresses": [
"{{ sn_mesh_IPv6 }}",
"{{ sn_mesh_IPv4 }}"
],
"mesh_interfaces": [
$(for i in $meshh_if; do /bin/echo '"'$i'",';done)
"{{ ul_mesh_MAC }}",
"{{ sn_mesh_MAC }}"
]
},
"vpn": true,
"node_id": "$nodeid",
"hostname": "Gateway:{{ sn_hostname }}",
"hardware": {
"model": "vServer"
},
"owner": {
"contact": "stefan@freifunk-troisdorf.de"
}
}
EOF
if [ -f $tempfile ]
then
/bin/cat "$tempfile" | /bin/gzip | /usr/local/sbin/alfred -s 158
fi
if [ -f $tempfile ]
then
/bin/rm $tempfile
fi
exit 0

9
files/authorized_keys Normal file
View File

@ -0,0 +1,9 @@
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAos0JvQsyAsP3FcsqDCBTDqzUGBeoxMKDj/SSRoy5MBDPUaWm37b93Lqmg1wMj0qvUURBKpWsRiRUzzRAaQrIdhcZjo0Gkw4vv7tpFQCmvWqxUpzH00GDKjLrMvNfcv+5b0Ctl06Bo+e4nb2SVsFhjaP9MLIjHiKpgivIPx9aKwxKx/VjsW920eWOG+VaDKIJTxPGUYedaUgIktvhutAbOyRR/OJlIZ3Qs0cnyT4KTM4pe4br2p3+mNs6J7G+z8Lw99WiUBfUwsRLVO68nJA2PKlJNEUGJycngqV06iQpcDfei88DFRMetN9bhVYxWFIzCQfjjqs8dkomEhfFQwfOTYiOouhaycZABwU4pPmQwZIkp1q4KduodU/KYsf78WitYgavHVInWBQuAUljafwQpTLHy8AI6M3XmbKi5rvNZiy4hoxfaT7rYJGuBoTwsZEHI7Sf26XsyQKJdu29mmIYPpzPKP7VAyjAVLqruLX1Yy0oZuM22YFFj5MHuoEN3WdXOYymvZyOM05xXeQk6gVh3EE6MpbK8CFz1KPNEjd+vce1zUyACDvqdt6ZIjqmUdivBsvHDTqMgH9mSxjjjwLy+Sd7snXx0bqksTdPChAlXN9vs3ez8FJl0P4inzjza8l8zGqaa2A1CsO8dRcyojohczLYoTHWQTB3tVIdcj55UIE= Roman
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDM0d9uUUdkK80fYEAz+IwxbhQO2qsr87Q4uxxwqQCvjVWryL+IuKMBJJGroWDMz2d9UJcIXEYdMz4436U0DoPJuoXe5iDsVvum3Vz3276My+tqx1bZWCktPa8Isft7mO/wfELNjRNQduUiwh2y712s7/3GQI+5Rs/65HuLHTnpLKrlfptqmsmYw+IUFDzGwBLJ6sqP90ywjKkperPCAH3IWcTsQwnW3EJFPToMg6BrQslZlxx/z+co3e6jCWzUuuIRP9jp4SmNVfYaVGb1cOFdL1p1P0qWHBHdGUnXHZ+c773VKVSj+spUBxKGqNC1EhRCYTsPDLVrYrhKl2BRLcgB stefan@Stefan-Linux
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEA5OYOF+VBtXXxv/wZkT5K3P7QAUJaM88zJqeGh8NJCO7EDg9jLoWLzAP7LnM9XEA4ycWdl8HX1+EUKqVXAbSNItTZZkO9LCbIiIe1w8oJd2j9hY0IpxPqbz9ePPZh0JtxAZMh3NgOoSiND0leAeOt0lTlDPh4g3G4KvR33d9PIj5ZerU47ceLyy4xEwNbZDKD04+frpq1W+lDqglR0jV/h/pcoQTAEBflbmGLeXIXRsR6zq/of4Wx/MlX18VD9SXPLGXvQ5c4lt5PvV/oeHz4gEjPv2hrI3s3fyWakadAuI9ah48CaEgpVReUGjtYDc0PskvjAH/+slqIHW1D5El+R1Z/2wn/aEGokFHUc0SiFb3NAOwxWvMtUHhXi9ZiTHt0p/0FwWZ1pxqRzODvK8uZ7LAJRGe6q9NYQkIax6SLOfWm4MFWDpDLgWz5MSbPqo+Kfo0614z1mxA3vpY53lUqEGRx4I6z/PDaOHMFd3sxhSMPGvmMvAOLTRofFppwUq1YqQkd6embsJjBN0gU9AilpL5Q2il0OoW4g0rUR8HPJczuDzmHZTXpPU2dY6MhAJ0sbNmk0XhmyoEH9/A1zPEHmirTcBMmbFUsYmR6+MnHEhxnRu5PQpXqcu2vN+JAeasgJShRl7g+rHIdutswHUAWWyfgaD0GF3f6zuOLooz1XQU= localadmin@tst-ansible
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDDA2KJvzjFxFrjJvxJj/AZ3rPKGT15JUnV7LhTo0BuXITwx+DpEK6u2m3yjigf2B8ws4VbpL7ceWyP8L3wspozqbqOgyYrQ9TISipkNV9O/DzR+F8R7mhn5mV7+pEOJu1Ba6rtYTfJTcloRKklfO9UjaFLwM69H0GNsomcKMd5Kl4c7DMMwcpXfhb8b7ET5agtfAhXU0CHalnhdAVCwmsC3mj9blOLlX4lxFLonGKVcZB7nWQEmvVAG+9yp6UWZZzeBCPea8Bw4hUVAZcsbK9XLbE4D+gUoxHu2oKGRja4kUnYmlWZOyqlUGbRD6bUxmnW1aBCh8x+b91YLlGv38vT6Y/sy0tPOoVK5kHxJ2yQmnlpgRzgBZf8Kl9ouO/onvExR787C+6TGG834ROW3SaiEeta0RvWwLzugexotT02qqpJmlIXu+gpvN+O9LSfQWzcaCFJTB6MD8mox1ks/W15Uij1pCeleUmiFdVtmt3PCs/ouuG1Uhm9MSWOBNwdFlTpAngopqBHSKYpTY+LhDD9Bv+U4Tno3i4dIGLYqNVmaRij2A0jZeSKOi/OgAaQsD7CzrDhn7C8dlsBFzPjtpFNqgk2Ss5bv3dpfQhBKsaxAe0X5W57vqJD+986039H3fj9/2o2PGuWCNr1LCWSjiy8t/P++cbn0rGdJAIexgTj3Q== supernodeadmin@update1
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUTvOdUbtWOmQ1HHh1rNm9LvGozlVPOu0XVcmZ2/NfSOrDbnN99Y4o2Q2mm/ZITWtEZkijnS+LdqB/SO+I2c8NWQO3+gCd9WzI/pqRso2eDIMtPfidnEGdUi4+hHmT96TGOh6P/SrR71646AJkQr5vxLDs/U/57uyTxNwgHFYb1zfekeK4J8gm9StfiGTdfFDTQsYQljrO0YxGrNG2koRXDwgUca4kGjx/HYwnjtl1nDRSAa8HvgxqAASFFrqSOhCkrlCgxoKZZwGIFccYTcAJFDhqIG32q2tRAQOtqxy5OWbTkJLBTBaR7dG4W9iYHbV6vscfNQD7Ml3aMrS+TA0x stefan@ff-stefan@tst-office

8
files/bataddif.sh.j2 Normal file
View File

@ -0,0 +1,8 @@
#!/bin/bash
INTERFACE="$3"
MAC="$8"
brctl=/sbin/brctl
/bin/ip link set dev $INTERFACE up mtu 1312
#echo "enabled" > /sys/devices/virtual/net/$INTERFACE/batman_adv/no_rebroadcast
$brctl addif br-nodes $INTERFACE

4
files/batdelif.sh Normal file
View File

@ -0,0 +1,4 @@
#!/bin/bash
INTERFACE="$3"
/sbin/brctl delif br-nodes $INTERFACE

84
files/bird-troisdorf5.conf Normal file
View File

@ -0,0 +1,84 @@
/*
* This is an example configuration file.
*/
# Yes, even shell-like comments work...
# Configure logging
#log syslog { debug, trace, info, remote, warning, error, auth, fatal, bug };
#log stderr all;
#log "tmp" all;
#log syslog all;
#debug protocols all;
# Override router ID
router id 10.188.255.5;
protocol direct {
interface "*";
};
protocol kernel {
device routes;
import all;
export all;
kernel table 42;
};
protocol device {
scan time 8;
};
function is_default() {
return (net ~ [0.0.0.0/0]);
};
# own network
function is_self_net() {
return (net ~ [ 10.188.0.0/16+ ]);
}
# freifunk ip ranges in general
function is_freifunk() {
return net ~ [ 10.0.0.0/8+,
104.0.0.0/8+
];
}
filter hostroute {
if net ~ 185.66.193.105/32 then accept;
reject;
};
# Uplink über ff Rheinland
template bgp uplink {
local as 65066;
import where is_default();
export filter hostroute;
next hop self;
multihop 64;
default bgp_local_pref 200;
};
protocol bgp ffrl_bb_a_ak_ber from uplink {
source address 100.64.2.151;
neighbor 100.64.2.150 as 201701;
};
protocol bgp ffrl_bb_b_ak_ber from uplink {
source address 100.64.2.153;
neighbor 100.64.2.152 as 201701;
};
protocol bgp ffrl_bb_a_ix_dus from uplink {
source address 100.64.2.155;
neighbor 100.64.2.154 as 201701;
};
protocol bgp ffrl_bb_b_ix_dus from uplink {
source address 100.64.2.157;
neighbor 100.64.2.156 as 201701;
};

84
files/bird-troisdorf6.conf Normal file
View File

@ -0,0 +1,84 @@
/*
* This is an example configuration file.
*/
# Yes, even shell-like comments work...
# Configure logging
#log syslog { debug, trace, info, remote, warning, error, auth, fatal, bug };
#log stderr all;
#log "tmp" all;
#log syslog all;
#debug protocols all;
# Override router ID
router id 10.188.255.6;
protocol direct {
interface "*";
};
protocol kernel {
device routes;
import all;
export all;
kernel table 42;
};
protocol device {
scan time 8;
};
function is_default() {
return (net ~ [0.0.0.0/0]);
};
# own network
function is_self_net() {
return (net ~ [ 10.188.0.0/16+ ]);
}
# freifunk ip ranges in general
function is_freifunk() {
return net ~ [ 10.0.0.0/8+,
104.0.0.0/8+
];
}
filter hostroute {
if net ~ 185.66.193.106/32 then accept;
reject;
};
# Uplink über ff Rheinland
template bgp uplink {
local as 65066;
import where is_default();
export filter hostroute;
next hop self;
multihop 64;
default bgp_local_pref 200;
};
protocol bgp ffrl_bb_a_ak_ber from uplink {
source address 100.64.2.159;
neighbor 100.64.2.158 as 201701;
};
protocol bgp ffrl_bb_b_ak_ber from uplink {
source address 100.64.2.161;
neighbor 100.64.2.160 as 201701;
};
protocol bgp ffrl_bb_a_ix_dus from uplink {
source address 100.64.2.163;
neighbor 100.64.2.162 as 201701;
};
protocol bgp ffrl_bb_b_ix_dus from uplink {
source address 100.64.2.165;
neighbor 100.64.2.164 as 201701;
};

82
files/bird6-troisdorf5.conf Normal file
View File

@ -0,0 +1,82 @@
# Configure logging
#log syslog { debug, trace, info, remote, warning, error, auth, fatal, bug };
#log stderr all;
#log "tmp" all;
#log syslog all;
#debug protocols all;
# Override router ID
router id 10.188.255.5;
protocol direct {
# interface "*"; # Restrict network interfaces it works with
# interface "bat0", "gre-*", "eth*", "lo"; # Restrict network interfaces it works with
interface "bat0", "gre-*", "lo"; # Restrict network interfaces it works with
}
protocol kernel {
device routes;
import all;
export all; # Default is export none
kernel table 42; # Kernel table to synchronize with (default: main)
}
protocol device {
scan time 10; # Scan interfaces every 10 seconds
}
function is_default() {
return (net ~ [::/0]);
}
# own networks
function is_self_net() {
return net ~ [ fda0:747e:ab29:7405::/64+ ];
}
# freifunk ip ranges in general
function is_freifunk() {
return net ~ [ fc00::/7{48,64},
2001:bf7::/32+];
}
filter hostroute {
if net ~ 2a03:2260:121::/48 then accept;
reject;
}
# Uplink zum FF Rheinland
template bgp uplink {
local as 65066;
import where is_default();
export filter hostroute;
gateway recursive;
}
protocol bgp ffrl_bb_a_ak_ber from uplink {
source address 2a03:2260:0:155::2;
neighbor 2a03:2260:0:155::1 as 201701;
}
protocol bgp ffrl_bb_b_ak_ber from uplink {
source address 2a03:2260:0:156::2;
neighbor 2a03:2260:0:156::1 as 201701;
}
protocol bgp ffrl_bb_a_ix_dus from uplink {
source address 2a03:2260:0:157::2;
neighbor 2a03:2260:0:157::1 as 201701;
}
protocol bgp ffrl_bb_b_ix_dus from uplink {
source address 2a03:2260:0:158::2;
neighbor 2a03:2260:0:158::1 as 201701;
}

82
files/bird6-troisdorf6.conf Normal file
View File

@ -0,0 +1,82 @@
# Configure logging
#log syslog { debug, trace, info, remote, warning, error, auth, fatal, bug };
#log stderr all;
#log "tmp" all;
#log syslog all;
#debug protocols all;
# Override router ID
router id 10.188.255.6;
protocol direct {
# interface "*"; # Restrict network interfaces it works with
# interface "bat0", "gre-*", "eth*", "lo"; # Restrict network interfaces it works with
interface "bat0", "gre-*", "lo"; # Restrict network interfaces it works with
}
protocol kernel {
device routes;
import all;
export all; # Default is export none
kernel table 42; # Kernel table to synchronize with (default: main)
}
protocol device {
scan time 10; # Scan interfaces every 10 seconds
}
function is_default() {
return (net ~ [::/0]);
}
# own networks
function is_self_net() {
return net ~ [ fda0:747e:ab29:7405::/64+ ];
}
# freifunk ip ranges in general
function is_freifunk() {
return net ~ [ fc00::/7{48,64},
2001:bf7::/32+];
}
filter hostroute {
if net ~ 2a03:2260:121::/48 then accept;
reject;
}
# Uplink zum FF Rheinland
template bgp uplink {
local as 65066;
import where is_default();
export filter hostroute;
gateway recursive;
}
protocol bgp ffrl_bb_a_ak_ber from uplink {
source address 2a03:2260:0:159::2;
neighbor 2a03:2260:0:159::1 as 201701;
}
protocol bgp ffrl_bb_b_ak_ber from uplink {
source address 2a03:2260:0:15a::2;
neighbor 2a03:2260:0:15a::1 as 201701;
}
protocol bgp ffrl_bb_a_ix_dus from uplink {
source address a03:2260:0:15b::2;
neighbor 2a03:2260:0:15b::1 as 201701;
}
protocol bgp ffrl_bb_b_ix_dus from uplink {
source address 2a03:2260:0:15c::2;
neighbor 2a03:2260:0:15c::1 as 201701;
}

53
files/collectd.conf.j2 Normal file
View File

@ -0,0 +1,53 @@
# Config file for collectd(1).
#
# Some plugins need additional configuration and are disabled by default.
# Please read collectd.conf(5) for details.
#
# You should also read /usr/share/doc/collectd-core/README.Debian.plugins
# before enabling any more plugins.
## General ##
Hostname "{{ sn_hostname }}"
FQDNLookup true
BaseDir "/var/lib/collectd"
PluginDir "/usr/lib/collectd"
Interval 60
Timeout 2
ReadThreads 5
## Load Plugins ##
LoadPlugin write_graphite
LoadPlugin syslog
LoadPlugin cpu
LoadPlugin load
LoadPlugin memory
LoadPlugin processes
LoadPlugin users
LoadPlugin uptime
LoadPlugin interface
LoadPlugin filecount
<Plugin "filecount">
<Directory "/opt/freifunk/tunneldigger_interfaces">
Instance "tunneldigger-connections"
Name "l2tp*"
</Directory>
</Plugin>
<Plugin write_graphite>
<Carbon>
Host "10.188.1.27"
Port "2003"
Prefix "collectd.gateways."
StoreRates true
AlwaysAppendDS false
EscapeCharacter "_"
</Carbon>
</Plugin>
<Plugin syslog>
LogLevel info
</Plugin>
###########################################################
Include "/etc/collectd/filters.conf"
Include "/etc/collectd/thresholds.conf"

16
files/collectd_td_stat.sh Normal file
View File

@ -0,0 +1,16 @@
#!/bin/bash
#Check if foldes exists
if ! [ -d /opt/freifunk/tunneldigger_interfaces ]; then
mkdir /opt/freifunk/tunneldigger_interfaces
fi
#Remove old Interfaces
rm /opt/freifunk/tunneldigger_interfaces/*
#Create Interace files
for i in `/sbin/brctl show br-nodes | grep l2tp`;
do
touch /opt/freifunk/tunneldigger_interfaces/$i
done
#Remove wrong file
rm /opt/freifunk/tunneldigger_interfaces/no
rm /opt/freifunk/tunneldigger_interfaces/br-*
rm /opt/freifunk/tunneldigger_interfaces/8*

15
files/dhcpd.conf.j2 Normal file
View File

@ -0,0 +1,15 @@
# Version 1.3
ddns-update-style none;
option domain-name "fftdf";
default-lease-time 300;
max-lease-time 3600;
log-facility local7;
subnet 10.188.0.0 netmask 255.255.0.0 {
authoritative;
range {{ sn_dhcp_range }};
option domain-name-servers {{ sn_mesh_IPv4 }}, {{ sn_dhcp_dns_v4 }};
option routers {{ sn_mesh_IPv4 }};
option interface-mtu {{ sn_mtu }};
interface bat0;
}
include "/opt/freifunk/static-dhcp/static.conf";

22
files/dhcpd6.conf.j2 Normal file
View File

@ -0,0 +1,22 @@
# Enable RFC 5007 support (same than for DHCPv4)
allow leasequery;
authoritative;
default-lease-time 300;
max-lease-time 600;
#option dhcp6.name-servers {{ sn_mesh_IPv6 }};
option dhcp6.name-servers {{ sn_mesh_IPv6 }}, {{ sn_dhcp_dns_v6 }};
option dhcp6.domain-search "fftdf";
subnet6 2a03:2260:121::/64 {
#
# # Range for clients
# range6 2a03:2260:121::201 2a03:2260:121::ffff;
#
# # Range for clients requesting a temporary address
# range6 2a03:2260:121::/64 temporary;
}

80
files/interfaces-troisdorf5 Normal file
View File

@ -0,0 +1,80 @@
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
up ip address add 185.66.193.105/32 dev lo
iface lo inet6 loopback
up ip address add 2a03:2260:121::105/48 dev lo
# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp
iface eth0 inet6 static
address 2a01:4f8:c17:173b::2
netmask 64
gateway fe80::1
# GRE Tunnel zum Rheinland Backbone
# - Die Konfigurationsdaten werden vom Rheinland Backbone vergeben und zugewiesen
# Berlin Router A
auto gre-bb-a.ak.ber
iface gre-bb-a.ak.ber inet static
address 100.64.2.151
netmask 255.255.255.254
pre-up ip tunnel add $IFACE mode gre local 172.31.1.100 remote 185.66.195.0 ttl 255
post-up ip link set $IFACE mtu 1400
post-down ip tunnel del $IFACE
iface gre-bb-a.ak.ber inet6 static
address 2a03:2260:0:155::2/64
netmask 64
# Berlin Router B
auto gre-bb-b.ak.ber
iface gre-bb-b.ak.ber inet static
address 100.64.2.153
netmask 255.255.255.254
pre-up ip tunnel add $IFACE mode gre local 172.31.1.100 remote 185.66.195.1 ttl 255
post-up ip link set $IFACE mtu 1400
post-down ip tunnel del $IFACE
iface gre-bb-b.ak.ber inet6 static
address 2a03:2260:0:156::2/64
netmask 64
# Duesseldorf Router A
auto gre-bb-a.ix.dus
iface gre-bb-a.ix.dus inet static
address 100.64.2.155
netmask 255.255.255.254
pre-up ip tunnel add $IFACE mode gre local 172.31.1.100 remote 185.66.193.0 ttl 255
post-up ip link set $IFACE mtu 1400
post-down ip tunnel del $IFACE
iface gre-bb-a.ix.dus inet6 static
address 2a03:2260:0:157::2/64
netmask 64
# Duesseldorf Router B
auto gre-bb-b.ix.dus
iface gre-bb-b.ix.dus inet static
address 100.64.2.157
netmask 255.255.255.254
pre-up ip tunnel add $IFACE mode gre local 172.31.1.100 remote 185.66.193.1 ttl 255
post-up ip link set $IFACE mtu 1400
post-down ip tunnel del $IFACE
iface gre-bb-b.ix.dus inet6 static
address 2a03:2260:0:158::2/64
netmask 64

85
files/interfaces-troisdorf6 Normal file
View File

@ -0,0 +1,85 @@
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
up ip address add 185.66.193.106/32 dev lo
iface lo inet6 loopback
up ip address add 2a03:2260:121::106/48 dev lo
# The primary network interface
allow-hotplug eth0
#iface eth0 inet dhcp
iface eth0 inet static
address 46.4.138.189
netmask 255.255.255.192
gateway 46.4.138.129
dns-nameserver 213.133.100.100 213.133.99.99 213.133.98.98
iface eth0 inet6 static
address 2a01:4f8:11d:600::189
netmask 59
gateway 2a01:4f8:11d:600::1
# GRE Tunnel zum Rheinland Backbone
# - Die Konfigurationsdaten werden vom Rheinland Backbone vergeben und zugewiesen
# Berlin Router A
auto gre-bb-a.ak.ber
iface gre-bb-a.ak.ber inet static
address 100.64.2.159
netmask 255.255.255.254
pre-up ip tunnel add $IFACE mode gre local 46.4.138.189 remote 185.66.195.0 ttl 255
post-up ip link set $IFACE mtu 1400
post-down ip tunnel del $IFACE
iface gre-bb-a.ak.ber inet6 static
address 2a03:2260:0:159::2/64
netmask 64
# Berlin Router B
auto gre-bb-b.ak.ber
iface gre-bb-b.ak.ber inet static
address 100.64.2.161
netmask 255.255.255.254
pre-up ip tunnel add $IFACE mode gre local 46.4.138.189 remote 185.66.195.1 ttl 255
post-up ip link set $IFACE mtu 1400
post-down ip tunnel del $IFACE
iface gre-bb-b.ak.ber inet6 static
address 2a03:2260:0:15a::2/64
netmask 64
# Duesseldorf Router A
auto gre-bb-a.ix.dus
iface gre-bb-a.ix.dus inet static
address 100.64.2.163
netmask 255.255.255.254
pre-up ip tunnel add $IFACE mode gre local 46.4.138.189 remote 185.66.193.0 ttl 255
post-up ip link set $IFACE mtu 1400
post-down ip tunnel del $IFACE
iface gre-bb-a.ix.dus inet6 static
address 2a03:2260:0:15b::2/64
netmask 64
# Duesseldorf Router B
auto gre-bb-b.ix.dus
iface gre-bb-b.ix.dus inet static
address 100.64.2.165
netmask 255.255.255.254
pre-up ip tunnel add $IFACE mode gre local 46.4.138.189 remote 185.66.193.1 ttl 255
post-up ip link set $IFACE mtu 1400
post-down ip tunnel del $IFACE
iface gre-bb-b.ix.dus inet6 static
address 2a03:2260:0:15c::2/64
netmask 64

29
files/keepalive.exit.sh.j2 Normal file
View File

@ -0,0 +1,29 @@
#!/bin/sh
#
# -q quiet
# -c nb of pings
HOST1=8.8.8.8
HOST2=8.8.4.4
BATCTL=/usr/local/sbin/batctl
ping -q -c5 $HOST1 > /dev/null
if [ $? -eq 0 ]
then
echo "ok"
$BATCTL gw server 100Mbit/100Mbit
else
echo "$HOST1 NICHT ok"
ping -q -c5 $HOST2 > /dev/null
if [ $? -eq 0 ]
then
echo "$HOST2 ok"
$BATCTL gw server 100Mbit/100Mbit
else
echo "$HOST2 NICHT ok"
$BATCTL gw off
fi
fi

51
files/keepalive.sh Normal file
View File

@ -0,0 +1,51 @@
#!/bin/bash
# Version 1.6
# Parameter setzen
GATEWAY1ext=185.66.193.105
GATEWAY2ext=185.66.193.106
GATEWAY1=10.188.255.5
GATEWAY2=10.188.255.6
GATEWAY1v6=2a03:2260:121::255:5
GATEWAY2v6=2a03:2260:121::255:6
IP=/sbin/ip
PING=/bin/ping
BATCTL=/usr/local/sbin/batctl
#if [ "hostname = troisdorf1 | troisdorf2" ]
if [ $(hostname) = "troisdorf1" ] || [ $(hostname) = "troisdorf2" ]
then
DEFAULT_GATEWAY=$GATEWAY1
DEFAULT_GATEWAYext=$GATEWAY1ext
FALLBACK_GATEWAY=$GATEWAY2
FALLBACK_GATEWAYext=$GATEWAY2ext
DEFAULT_GATEWAYv6=$GATEWAY1v6
FALLBACK_GATEWAYv6=$GATEWAY2v6
else
DEFAULT_GATEWAY=$GATEWAY2
DEFAULT_GATEWAYext=$GATEWAY2ext
FALLBACK_GATEWAY=$GATEWAY1
FALLBACK_GATEWAYext=$GATEWAY1ext
DEFAULT_GATEWAYv6=$GATEWAY2v6
FALLBACK_GATEWAYv6=$GATEWAY1v6
fi
if $PING -c 1 $DEFAULT_GATEWAYext
then
$IP route replace default via $DEFAULT_GATEWAY table 42
$IP -6 route replace default via $DEFAULT_GATEWAYv6 table 42
$BATCTL gw server 100Mbit/100Mbit
echo "Gateway erreichbar"
else
if $PING -c 1 $FALLBACK_GATEWAYext
then
$IP route replace default via $FALLBACK_GATEWAY table 42
$IP -6 route replace default via $FALLBACK_GATEWAYv6 table 42
$BATCTL gw server 80Mbit/80Mbit
echo "Nun FALLBACK_GATEWAY"
else
$BATCTL gw off
#Kein Gateway erreichbar, batctl gw off
fi
fi

61
files/l2tp_backbone.sh.exit.j2 Normal file
View File

@ -0,0 +1,61 @@
#!/bin/sh
# Version 6
# Der servername muss mit einer einstelligen Zahl aufhoeren!!!!!
communityname="troisdorf"
server="troisdorf1 troisdorf2 troisdorf3 troisdorf4 troisdorf5 troisdorf6 troisdorf7 troisdorf8 troisdorf9"
#server="troisdorf7 {{ sn_hostname }}"
domain="freifunk-troisdorf.de"
mtu={{ sn_mtu }}
# community MAC address, without the last Byte (:)!
communitymacaddress="a2:8c:ae:6f:f6"
tunnelPrefix=10
sessionPrefix=1
# Netzwerkteil des Netzes, ohne abschliessenden Punkt
communitynetwork="10.188"
# IPv6 network
#communitynetworkv6="fda0:747e:ab29:7405:255::"
communitynetworkv6="2a03:2260:121::"
# Drittes Octet des serverbereichs
octet3rd="255"
# CIDR muss /16 sein
localserver=$(/bin/hostname)
batadv=/usr/local/sbin/batadv-vis
alfred=/usr/local/sbin/alfred
batctl=/usr/local/sbin/batctl
ip=/sbin/ip
dig=/usr/bin/dig
for i in $server; do
(
for j in $server; do
if [ $i != $j ]; then
if [ $i = $localserver ]; then
ip l2tp add tunnel remote $($dig +short $j.$domain) local $(/bin/hostname -I | /usr/bin/cut -f1 -d' ') tunnel_id $tunnelPrefix${i#$communityname}${j#$communityname} peer_tunnel_id $tunnelPrefix${j#$communityname}${i#$communityname} encap udp udp_sport 300${i#$communityname}${j#$communityname} udp_dport 300${j#$communityname}${i#$communityname}
ip l2tp add session name l2tp-$j tunnel_id $tunnelPrefix${i#$communityname}${j#$communityname} session_id $sessionPrefix${i#$communityname}${j#$communityname} peer_session_id $sessionPrefix${j#$communityname}${i#$communityname}
#ip link set address $communitymacaddress:${i#$communityname}${j#$communityname} dev l2tp-$j
ip link set dev l2tp-$j mtu $mtu
ip link set up l2tp-$j
$batctl if add l2tp-$j
fi
fi
done
)
done
# Rest starten
$ip link set address $communitymacaddress:0${localserver#$communityname} dev bat0
$ip link set up dev bat0
$ip addr add $communitynetwork.$octet3rd.${localserver#$communityname}/16 broadcast $communitynetwork.255.255 dev bat0
$ip -6 addr add $communitynetworkv6$octet3rd:${localserver#$communityname}/64 dev bat0
/usr/bin/killall alfred
/usr/bin/killall batadv-vis
/bin/sleep 5
$alfred -i bat0 > /dev/null 2>&1 &
/bin/sleep 15
$batadv -i bat0 -s > /dev/null 2>&1 &
/bin/systemctl restart isc-dhcp-server
/bin/systemctl restart bind9
#/usr/local/sbin/batctl gw client 3
/usr/local/sbin/batctl gw server 100Mbit/100Mbit

59
files/l2tp_backbone.sh.j2 Normal file
View File

@ -0,0 +1,59 @@
#!/bin/sh
# Version 6
# Der servername muss mit einer einstelligen Zahl aufhoeren!!!!!
communityname="troisdorf"
server="troisdorf1 troisdorf2 troisdorf3 troisdorf4 troisdorf5 troisdorf6 troisdorf7 troisdorf8 troisdorf9"
#server="troisdorf7 {{ sn_hostname }}"
domain="freifunk-troisdorf.de"
mtu={{ sn_mtu }}
# community MAC address, without the last Byte (:)!
communitymacaddress="a2:8c:ae:6f:f6"
tunnelPrefix=10
sessionPrefix=1
# Netzwerkteil des Netzes, ohne abschliessenden Punkt
communitynetwork="10.188"
# IPv6 network
#communitynetworkv6="fda0:747e:ab29:7405:255::"
communitynetworkv6="2a03:2260:121::"
# Drittes Octet des serverbereichs
octet3rd="255"
# CIDR muss /16 sein
localserver=$(/bin/hostname)
batadv=/usr/local/sbin/batadv-vis
alfred=/usr/local/sbin/alfred
batctl=/usr/local/sbin/batctl
ip=/sbin/ip
dig=/usr/bin/dig
for i in $server; do
(
for j in $server; do
if [ $i != $j ]; then
if [ $i = $localserver ]; then
ip l2tp add tunnel remote $($dig +short $j.$domain) local $(/bin/hostname -I | /usr/bin/cut -f1 -d' ') tunnel_id $tunnelPrefix${i#$communityname}${j#$communityname} peer_tunnel_id $tunnelPrefix${j#$communityname}${i#$communityname} encap udp udp_sport 300${i#$communityname}${j#$communityname} udp_dport 300${j#$communityname}${i#$communityname}
ip l2tp add session name l2tp-$j tunnel_id $tunnelPrefix${i#$communityname}${j#$communityname} session_id $sessionPrefix${i#$communityname}${j#$communityname} peer_session_id $sessionPrefix${j#$communityname}${i#$communityname}
#ip link set address $communitymacaddress:${i#$communityname}${j#$communityname} dev l2tp-$j
ip link set dev l2tp-$j mtu $mtu
ip link set up l2tp-$j
$batctl if add l2tp-$j
fi
fi
done
)
done
# Rest starten
$ip link set address $communitymacaddress:0${localserver#$communityname} dev bat0
#$ip link set address $communitymacaddress:ff dev bat0
$ip link set up dev bat0
$ip addr add $communitynetwork.$octet3rd.${localserver#$communityname}/16 broadcast $communitynetwork.255.255 dev bat0
$ip -6 addr add $communitynetworkv6$octet3rd:${localserver#$communityname}/64 dev bat0
/usr/bin/killall alfred
/usr/bin/killall batadv-vis
/bin/sleep 5
$alfred -i bat0 > /dev/null 2>&1 &
/bin/sleep 15
$batadv -i bat0 -s > /dev/null 2>&1 &
/usr/sbin/service bind9 restart
/usr/local/sbin/batctl gw server 100Mbit/100Mbit

56
files/l2tp_backbone_ffswitch.sh.j2 Normal file
View File

@ -0,0 +1,56 @@
#!/bin/sh
# Version 5
# Der servername muss mit einer einstelligen Zahl aufhoeren!!!!!
communityname="troisdorf"
server="troisdorf0 troisdorf1 troisdorf2 troisdorf3 troisdorf4 troisdorf5 troisdorf6 troisdorf7 troisdorf8 troisdorf9"
#server="troisdorf0 {{ sn_hostname }}"
domain="freifunk-troisdorf.de"
mtu={{ sn_mtu }}
# community MAC address, without the last Byte (:)!
communitymacaddress="a2:8c:ae:6f:f6"
tunnelPrefix=10
sessionPrefix=1
# Netzwerkteil des Netzes, ohne abschliessenden Punkt
communitynetwork="10.188"
# IPv6 network
communitynetworkv6="fda0:747e:ab29:7405:255::"
# Drittes Octet des serverbereichs
octet3rd="255"
# CIDR muss /16 sein
localserver=$(/bin/hostname)
batadv=/usr/local/sbin/batadv-vis
alfred=/usr/local/sbin/alfred
batctl=/usr/local/sbin/batctl
ip=/sbin/ip
dig=/usr/bin/dig
for i in $server; do
(
for j in $server; do
if [ $i != $j ]; then
if [ $i = $localserver ]; then
ip l2tp add tunnel remote $($dig +short $j.$domain) local $(/bin/hostname -I | /usr/bin/cut -f1 -d' ') tunnel_id $tunnelPrefix${i#$communityname}${j#$communityname} peer_tunnel_id $tunnelPrefix${j#$communityname}${i#$communityname} encap udp udp_sport 300${i#$communityname}${j#$communityname} udp_dport 300${j#$communityname}${i#$communityname}
ip l2tp add session name l2tp-$j tunnel_id $tunnelPrefix${i#$communityname}${j#$communityname} session_id $sessionPrefix${i#$communityname}${j#$communityname} peer_session_id $sessionPrefix${j#$communityname}${i#$communityname}
#ip link set address $communitymacaddress:${i#$communityname}${j#$communityname} dev l2tp-$j
ip link set dev l2tp-$j mtu $mtu
ip link set up l2tp-$j
$batctl if add l2tp-$j
fi
fi
done
)
done
# Rest starten
$ip link set address $communitymacaddress:0${localserver#$communityname} dev bat0
#$ip link set address $communitymacaddress:ff dev bat0
$ip link set up dev bat0
$ip addr add $communitynetwork.$octet3rd.${localserver#$communityname}/16 broadcast $communitynetwork.255.255 dev bat0
$ip -6 addr add $communitynetworkv6${localserver#$communityname}/64 dev bat0
/usr/bin/killall alfred
/usr/bin/killall batadv-vis
/bin/sleep 5
$alfred -i bat0 > /dev/null 2>&1 &
/bin/sleep 15
$batadv -i bat0 -s > /dev/null 2>&1 &

18
roles/10.3-tunneldigger/templates/l2tp_broker.cfg.j2 → files/l2tp_broker.cfg.j2
View File

@ -1,10 +1,10 @@
[broker] [broker]
; IP address the broker will listen and accept tunnels on ; IP address the broker will listen and accept tunnels on
address={{ ansible_host }} address={{ ansible_default_ipv4.address }}
; Ports where the broker will listen on ; Ports where the broker will listen on
port={{ tunneldigger.td_port }} port={{ sn_l2tp_tb_port }}
; Interface with that IP address ; Interface with that IP address
interface={{ tunneldigger.td_wan_interface }} interface=eth0
; Maximum number of cached cookies, required for establishing a ; Maximum number of cached cookies, required for establishing a
; session with the broker ; session with the broker
max_cookies=1024 max_cookies=1024
@ -23,18 +23,6 @@ pmtu_discovery=false
; namespacing to work ; namespacing to work
namespace=troisdorf namespace=troisdorf
; Reject connections if there are less than N seconds since the last connection.
; Can be less than a second (e.g., 0.1).
connection_rate_limit=2
; Set PMTU to a fixed value. Use 0 for automatic PMTU discovery. A non-0 value also disables
; PMTU discovery on the client side, by having the server not respond to client-side PMTU
; discovery probes.
pmtu=0
; The batman device of this Hood (e.g. bat2)
batdev=bat0
[log] [log]
; Log filename ; Log filename
filename=/var/log/tunneldigger-broker.log filename=/var/log/tunneldigger-broker.log

34
files/logrotate.conf Normal file
View File

@ -0,0 +1,34 @@
# see "man logrotate" for details
# rotate log files weekly
#weekly
daily
# keep 4 weeks worth of backlogs
#rotate 4
rotate 0
# create new (empty) log files after rotating old ones
create
# uncomment this if you want your log files compressed
#compress
# packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own wtmp, or btmp -- we'll rotate them here
/var/log/wtmp {
missingok
monthly
create 0664 root utmp
rotate 1
}
/var/log/btmp {
missingok
monthly
create 0660 root utmp
rotate 1
}
# system-specific logs may be configured here

6
files/named.conf.fftdf Normal file
View File

@ -0,0 +1,6 @@
zone "fftdf" {
type slave;
masters { 10.188.1.100; };
file "/var/lib/bind/db.fftdf";
};

4
roles/10.2-named/templates/named.conf.options.j2 → files/named.conf.options.j2
View File

@ -21,6 +21,6 @@ options {
dnssec-validation auto; dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035 auth-nxdomain no; # conform to RFC1035
listen-on { {{ network.ff_v4_address }}; }; listen-on { {{ sn_mesh_IPv4 }}; };
listen-on-v6 { {{ network.ff_v6_address }}; }; listen-on-v6 { {{ sn_mesh_IPv6 }}; };
}; };

13
files/radvd.conf.j2 Normal file
View File

@ -0,0 +1,13 @@
interface bat0 {
AdvSendAdvert on;
IgnoreIfMissing on;
MaxRtrAdvInterval 200;
RDNSS {{ sn_mesh_IPv6 }} {};
# prefix fda0:747e:ab29:7405::/64 {
prefix 2a03:2260:121::/64 {
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
};
};

81
files/sn_startup.exit.sh.j2 Normal file
View File

@ -0,0 +1,81 @@
#!/bin/sh
# Version 1.7
curl -X POST --data-urlencode 'payload={"text": "{{ sn_hostname }} is rebooted", "channel": "#technik", "username": "{{ sn_hostname }}", "icon_emoji": ":floppy_disk:"}' https://hooks.slack.com/services/{{ slack_token }}
# Block RFC1918 and APIPA destination via WAN
/sbin/iptables -P OUTPUT ACCEPT
for i in 10.0.0.0/8 172.16.0.0/12 169.254.0.0/16 192.168.0.0/16; do
/sbin/iptables -A OUTPUT -o eth0 -d $i -j DROP
done
# Activate IP forwarding
/sbin/sysctl -w net.ipv6.conf.all.forwarding=1
/sbin/sysctl -w net.ipv4.ip_forward=1
# restart when kernel panic
/sbin/sysctl kernel.panic=1
# Routing table 42
/bin/grep 42 /etc/iproute2/rt_tables || /bin/echo 42 ffrl >> /etc/iproute2/rt_tables
# Set table for traffice with mark 4
/bin/ip rule add fwmark 0x4 table 42
/bin/ip -6 rule add fwmark 0x4 table 42
# Set mark 4 to Freifunk traffic
/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MARK --set-mark 4
#/sbin/ip6tables -t mangle -A PREROUTING -s 2a03:2260:121::/48 ! -d 2a03:2260:121::/48 -j MARK --set-mark 4
/sbin/ip6tables -t mangle -A PREROUTING -s 2a03:2260:121::/64 ! -d 2a03:2260:121::/64 -j MARK --set-mark 4
# NAT on eth0
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# NAT on GRE Freifunk interface
#/sbin/iptables -t nat -A POSTROUTING -o gre-+ -j SNAT --to-source 185.66.193.105
/sbin/iptables -t nat -A POSTROUTING -o gre-+ -j SNAT --to-source {{ sn_ffrl_IPv4 }}
# MTU
/sbin/iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-+ -j TCPMSS --set-mss 1312
/sbin/ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-+ -j TCPMSS --set-mss 1312
# All from FF IPv4 via routing table 42
/bin/ip rule add from {{ sn_ffrl_IPv4 }}/32 lookup 42
/bin/ip -6 rule add from 2a03:2260:121::/64 lookup 42
# Allow MAC address spoofing
/sbin/sysctl net.ipv4.conf.bat0.rp_filter=0
# Create Tunneldigger Bridge
/sbin/brctl addbr br-nodes
/sbin/ip link set dev br-nodes up
/sbin/ebtables -A FORWARD --logical-in br-nodes -j DROP
/usr/local/sbin/batctl if add br-nodes
sleep 5
# Fixing the nf_conntrack … dropping packets error
# hashsize = nf_conntrack_max / 4
sysctl -w net.netfilter.nf_conntrack_max=131072
echo 32768 > /sys/module/nf_conntrack/parameters/hashsize
# Against Denial of Service attacks from internal network
# Check with: sysctl -a | grep conntrack | grep timeout
sysctl -w net.ipv4.netfilter.ip_conntrack_generic_timeout=240
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=54000
# restart bird
/bin/systemctl start bird
/bin/systemctl start bird6
/bin/systemctl enable bird
/bin/systemctl enable bird6
# Start tunneldigger
/bin/systemctl restart tunneldigger
/bin/systemctl enable tunneldigger
# radvd restart
/bin/systemctl restart radvd
/bin/systemctl enable radvd
exit 0

74
files/sn_startup.sh.j2 Normal file
View File

@ -0,0 +1,74 @@
#!/bin/sh
# Version 1.7
curl -X POST --data-urlencode 'payload={"text": "{{ sn_hostname }} is rebooted", "channel": "#technik", "username": "{{ sn_hostname }}", "icon_emoji": ":floppy_disk:"}' https://hooks.slack.com/services/{{ slack_token }}
# Block RFC1918 and APIPA destination via WAN
/sbin/iptables -P OUTPUT ACCEPT
for i in 10.0.0.0/8 172.16.0.0/12 169.254.0.0/16 192.168.0.0/16; do
/sbin/iptables -A OUTPUT -o eth0 -d $i -j DROP
done
# Activate IP forwarding
/sbin/sysctl -w net.ipv6.conf.all.forwarding=1
/sbin/sysctl -w net.ipv4.ip_forward=1
# restart when kernel panic
/sbin/sysctl kernel.panic=1
# Stop tunneldigger until bat0 is up
/usr/sbin/service tunneldigger stop
# Routing table 42
/bin/grep 42 /etc/iproute2/rt_tables || /bin/echo 42 ffrl >> /etc/iproute2/rt_tables
# Set table for traffice with mark 4
/bin/ip rule add fwmark 0x4 table 42
/bin/ip -6 rule add fwmark 0x4 table 42
# Set mark 4 to Freifunk traffic
/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MARK --set-mark 4
/sbin/ip6tables -t mangle -A PREROUTING -s 2a03:2260:121::/48 ! -d 2a03:2260:121::/48 -j MARK --set-mark 4
/sbin/ip6tables -t mangle -A PREROUTING -s 2a03:2260:121::/64 ! -d 2a03:2260:121::/64 -j MARK --set-mark 4
# NAT on eth0
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# All from FF IPv4 via routing table 42
/bin/ip rule add from 185.66.193.104/30 lookup 42
/bin/ip -6 rule add from 2a03:2260:121::/64 lookup 42
# Allow MAC address spoofing
/sbin/sysctl net.ipv4.conf.bat0.rp_filter=0
# Create Tunneldigger Bridge
/sbin/brctl addbr br-nodes
/sbin/ip link set dev br-nodes up
/sbin/ebtables -A FORWARD --logical-in br-nodes -j DROP
/usr/local/sbin/batctl if add br-nodes
sleep 5
# Fixing the nf_conntrack … dropping packets error
# hashsize = nf_conntrack_max / 4
sysctl -w net.netfilter.nf_conntrack_max=131072
echo 32768 > /sys/module/nf_conntrack/parameters/hashsize
# Against Denial of Service attacks from internal network
# Check with: sysctl -a | grep conntrack | grep timeout
sysctl -w net.ipv4.netfilter.ip_conntrack_generic_timeout=240
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=54000
# Start tunneldigger
/bin/systemctl restart tunneldigger
/bin/systemctl enable tunneldigger
# radvd restart
/bin/systemctl restart radvd
/bin/systemctl enable radvd
# restart DHCP
/bin/systemctl restart isc-dhcp-server
/bin/systemctl enable isc-dhcp-server
exit 0

9
files/start-broker.sh Normal file
View File

@ -0,0 +1,9 @@
#!/bin/bash
WDIR=/srv/tunneldigger
VIRTUALENV_DIR=/srv/tunneldigger
cd $WDIR
source $VIRTUALENV_DIR/bin/activate
bin/python broker/l2tp_broker.py l2tp_broker.cfg

9
files/tunneldigger.service Normal file
View File

@ -0,0 +1,9 @@
[Unit]
Description = Start tunneldigger L2TPv3 broker
After = network.target
[Service]
ExecStart = /srv/tunneldigger/start-broker.sh
[Install]
WantedBy = multi-user.target

61
host_vars/core4.yml
View File

@ -1,61 +0,0 @@
ansible_connection: network_cli
ansible_network_os: vyos
ansible_ssh_host: 5.9.220.113
ansible_user: vyos
ansible_python_interpreter: /usr/bin/python3
wan_address: 5.9.220.113
wan_gateway: 5.9.220.112
wan_net: /29
lan_address: 172.16.7.1
lan_network: 172.16.7.0/24
ffrl_address: 185.66.193.107
ffrl_address_v6: 2a03:2260:121:600::0/128
ffrl_net_v6: 2a03:2260:121:600::/55
gre_bb_transfer_net: /31
gre_bb_transfer_net_v6: /64
gre_bb_renote_as: 201701
gre_bb_local_as: 65066
gre_ber_a_address: 100.64.6.25
gre_ber_a_neighbor: 100.64.6.24
gre_ber_a_address_v6: 2a03:2260:0:30c::2
gre_ber_a_neighbor_v6: 2a03:2260:0:30c::1
gre_ber_a_description: gre_ber_a
gre_ber_a_remote: 185.66.195.0
gre_ber_b_address: 100.64.6.31
gre_ber_b_neighbor: 100.64.6.30
gre_ber_b_address_v6: 2a03:2260:0:30f::2
gre_ber_b_neighbor_v6: 2a03:2260:0:30f::1
gre_ber_b_description: gre_b_ber
gre_ber_b_remote: 185.66.195.1
gre_a_dus_address: 100.64.6.29
gre_a_dus_neighbor: 100.64.6.28
gre_a_dus_address_v6: 2a03:2260:0:30e::2
gre_a_dus_neighbor_v6: 2a03:2260:0:30e::1
gre_a_dus_description: gre_a_dus
gre_a_dus_remote: 185.66.193.0
gre_b_dus_address: 100.64.6.35
gre_b_dus_neighbor: 100.64.6.34
gre_b_dus_address_v6: 2a03:2260:0:311::2
gre_b_dus_neighbor_v6: 2a03:2260:0:311::1
gre_b_dus_description: gre_b_dus
gre_b_dus_remote: 185.66.193.1
gre_a_fra_address: 100.64.6.27
gre_a_fra_neighbor: 100.64.6.26
gre_a_fra_address_v6: 2a03:2260:0:30d::2
gre_a_fra_neighbor_v6: 2a03:2260:0:30d::1
gre_a_fra_description: gre_a_fra
gre_a_fra_remote: 185.66.194.0
gre_b_fra_address: 100.64.6.33
gre_b_fra_neighbor: 100.64.6.32
gre_b_fra_address_v6: 2a03:2260:0:310::2
gre_b_fra_neighbor_v6: 2a03:2260:0:310::1
gre_b_fra_description: gre_b_fra
gre_b_fra_remote: 185.66.194.1

14
host_vars/edge1/vars.yml
View File

@ -1,14 +0,0 @@
ansible_host: localhost
ansible_connection: local
ansible_python_interpreter: /usr/bin/python3
ipv4_network: 10.1.0.0/16
ipv4_dhcp_start: 10.1.0.30
ipv4_dhcp_stop: 10.1.0.250
ipv4_address: 10.1.0.1
ipv6_network: 2a03:2260:121:603::/64
ipv6_address: 2a03:2260:121:603::1/64
wireguard_address: 10.255.1.2/24
wireguard_v6_address: fd80:3ea2:e399:203a::3
wireguard_public: 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s=
wiregurad_v4: 10.255.1.1

12
host_vars/edge1/vault.yml
View File

@ -1,12 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
63373161393033633933653763653661626365376332306438326363333263656366623837333061
3665663736393837663634653439356465356234613933320a613530656335326538326262376163
36336139633033326430663362633839653831326362326439303634376666623862663037636533
3031306666356637370a396164386339653630343366393163623136333166643162393663323931
65376261356666313034633237323531363733343061396166343333666538313232616265303933
32303633343666346134666332626635396132313932623535383538326639316465633432343239
32353563643565393034653933356235663434376131366565636634376332353738363730626162
31353236303764663236346437613031623634663762653664383534613738353363346563313063
66363430306533666263356365383365303564303565316462306664356236316430653065613036
30386238616564326132303262623664313935376332373037343664666138303932316330336238
363762633930393837363662343133666363

14
host_vars/edge2/vars.yml
View File

@ -1,14 +0,0 @@
ansible_host: localhost
ansible_connection: local
ansible_python_interpreter: /usr/bin/python3
ipv4_network: 10.7.0.0/16
ipv4_dhcp_start: 10.7.0.30
ipv4_dhcp_stop: 10.7.0.250
ipv4_address: 10.7.0.1
ipv6_network: 2a03:2260:121:607::/64
ipv6_address: 2a03:2260:121:607::1/64
wireguard_address: 10.255.1.7/24
wireguard_v6_address: fd80:3ea2:e399:203a::7
wireguard_public: 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s=
wiregurad_v4: 10.255.1.1

12
host_vars/edge2/vault.yml
View File

@ -1,12 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
63373161393033633933653763653661626365376332306438326363333263656366623837333061
3665663736393837663634653439356465356234613933320a613530656335326538326262376163
36336139633033326430663362633839653831326362326439303634376666623862663037636533
3031306666356637370a396164386339653630343366393163623136333166643162393663323931
65376261356666313034633237323531363733343061396166343333666538313232616265303933
32303633343666346134666332626635396132313932623535383538326639316465633432343239
32353563643565393034653933356235663434376131366565636634376332353738363730626162
31353236303764663236346437613031623634663762653664383534613738353363346563313063
66363430306533666263356365383365303564303565316462306664356236316430653065613036
30386238616564326132303262623664313935376332373037343664666138303932316330336238
363762633930393837363662343133666363

14
host_vars/edge3/vars.yml
View File

@ -1,14 +0,0 @@
ansible_host: localhost
ansible_connection: local
ansible_python_interpreter: /usr/bin/python3
ipv4_network: 10.9.0.0/16
ipv4_dhcp_start: 10.9.0.30
ipv4_dhcp_stop: 10.9.0.250
ipv4_address: 10.9.0.1
ipv6_network: 2a03:2260:121:609::/64
ipv6_address: 2a03:2260:121:609::1/64
wireguard_address: 10.255.1.9/24
wireguard_v6_address: fd80:3ea2:e399:203a::9
wireguard_public: 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s=
wiregurad_v4: 10.255.1.1

12
host_vars/edge3/vault.yml
View File

@ -1,12 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
63373161393033633933653763653661626365376332306438326363333263656366623837333061
3665663736393837663634653439356465356234613933320a613530656335326538326262376163
36336139633033326430663362633839653831326362326439303634376666623862663037636533
3031306666356637370a396164386339653630343366393163623136333166643162393663323931
65376261356666313034633237323531363733343061396166343333666538313232616265303933
32303633343666346134666332626635396132313932623535383538326639316465633432343239
32353563643565393034653933356235663434376131366565636634376332353738363730626162
31353236303764663236346437613031623634663762653664383534613738353363346563313063
66363430306533666263356365383365303564303565316462306664356236316430653065613036
30386238616564326132303262623664313935376332373037343664666138303932316330336238
363762633930393837363662343133666363

14
host_vars/edge4/vars.yml
View File

@ -1,14 +0,0 @@
ansible_host: localhost
ansible_connection: local
ansible_python_interpreter: /usr/bin/python3
ipv4_network: 10.10.0.0/16
ipv4_dhcp_start: 10.10.0.30
ipv4_dhcp_stop: 10.10.0.250
ipv4_address: 10.10.0.1
ipv6_network: 2a03:2260:121:60a::/64
ipv6_address: 2a03:2260:121:60a::1/64
wireguard_address: 10.255.1.10/24
wireguard_v6_address: fd80:3ea2:e399:203a::10
wireguard_public: 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s=
wiregurad_v4: 10.255.1.1

12
host_vars/edge4/vault.yml
View File

@ -1,12 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
63373161393033633933653763653661626365376332306438326363333263656366623837333061
3665663736393837663634653439356465356234613933320a613530656335326538326262376163
36336139633033326430663362633839653831326362326439303634376666623862663037636533
3031306666356637370a396164386339653630343366393163623136333166643162393663323931
65376261356666313034633237323531363733343061396166343333666538313232616265303933
32303633343666346134666332626635396132313932623535383538326639316465633432343239
32353563643565393034653933356235663434376131366565636634376332353738363730626162
31353236303764663236346437613031623634663762653664383534613738353363346563313063
66363430306533666263356365383365303564303565316462306664356236316430653065613036
30386238616564326132303262623664313935376332373037343664666138303932316330336238
363762633930393837363662343133666363

4
host_vars/uisp.yml
View File

@ -1,4 +0,0 @@
ansible_host: 5.9.220.117
ansible_port: 22
ansible_ssh_user: root
ansible_python_interpreter: /usr/bin/python3

4
host_vars/unifi.yml
View File

@ -1,4 +0,0 @@
ansible_host: 5.9.220.118
ansible_port: 22
ansible_ssh_user: root
ansible_python_interpreter: /usr/bin/python3

62
host_vars/vpn01/vars.yml
View File

@ -1,62 +0,0 @@
###
### Ansible
###
ansible_host: 5.9.220.114
ansible_host_net: /29
ansible_host_ipv6: 2a01:4f8:262:5112::101
ansible_host_ipv6_net: /64
ipv4_gateway: 5.9.220.112
ipv6_gateway: 2a01:4f8:262:5112::3
ansible_port: 22
ansible_ssh_user: root
ansible_python_interpreter: /usr/bin/python3
###
### Vars Freifunk
###
internal_network: "10.255.0.0/16"
freifunk_internal_ip: 172.16.7.10/24
core_router: 172.16.7.1
###
### Wireguard
###
ipv6_network: 2a03:2260:121:600::/58
wireguard_address: "10.255.1.1/24, fd80:3ea2:e399:203a::1/64"
wireguard_port: 42001
wireguard_public: 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s=
wiregurad_v4: 10.255.1.1
wireguard_unmanaged_peers:
## Ticket #188933
vpn2-Kabel-Waechter:
public_key: IuU88/zIE5fsSi3gN68vmz/72iJadOgip3I+lCOo5hk=
allowed_ips: 10.255.1.2/32, 10.2.0.0/16, fd80:3ea2:e399:203a::2/128, 2a03:2260:121:602::/64
## Ticket #521263
vpn3-FFRS-VPN:
public_key: 0T+vKvbB94SkUgjw9Y4wiOKp7eJQ6IFNeY7sve/F0Ag=
allowed_ips: 10.255.1.3/32, 10.3.0.0/16, fd80:3ea2:e399:203a::3/128, 2a03:2260:121:603::/64
## Ticket #150439
vpn4-sg:
public_key: IarM0mG08rfZ1k8d557H49nqRK6mKUrVuffhm8QYN1Q=
allowed_ips: 10.255.1.4/32, 10.4.0.0/16, fd80:3ea2:e399:203a::4/128, 2a03:2260:121:604::/64
## ERX-Testing Stefan
vpn6-stefan:
public_key: KxjuZJs7aIPFAUm/J5iw/oWiv4O44hjpnnfN+VN0iQ0=
allowed_ips: 10.255.1.7/32, 10.7.0.0/16, fd80:3ea2:e399:203a::7/128, 2a03:2260:121:607::/64
## Nils
vpn8-nils:
public_key: g+l9gP3SR99Q8TZ3uKs7yu1mANy97EFA21THrC/n1W0=
allowed_ips: 10.255.1.8/32, 10.8.0.0/16, fd80:3ea2:e399:203a::8/128, 2a03:2260:121:608::/64
## edge3
vpn9-edge3:
public_key: pUBPZFl9VGb1zLseKenGS7pvOLWuWQNJdDEpHtOsxlg=
allowed_ips: 10.255.1.9/32, 10.9.0.0/16, fd80:3ea2:e399:203a::9/128, 2a03:2260:121:609::/64
## edge4
vpn10-edge4:
public_key: 2Cq7gW5mSTcOJGzvw4dvdERhAFx3EIga5Ftds9zKlT8=
allowed_ips: 10.255.1.10/32, 10.10.0.0/16, fd80:3ea2:e399:203a::10/128, 2a03:2260:121:60a::/64
## Stefan_Test
vpn10-edge4:
public_key: UHaYitx18sO71Ssk2SVUgdjLaAILbCthCmosU+Fs5Es=
allowed_ips: 10.255.1.11/32, 10.11.0.0/16, fd80:3ea2:e399:203a::11/128, 2a03:2260:121:60b::/64

9
host_vars/vpn01/vault.yml
View File

@ -1,9 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
31653333646534336164323064616261666365636438363761663837663635613333386165313962
3732656532643062333235366564333633623937353335650a343334393265316131313935363337
61323339356237646631303039646132663161623739393130383338383339373063373566666330
3463346562336166340a313562613835386431613636303637626133346433393630623837646236
66633239393134336539346430343965383339653061633463653864653834633862353861663432
39633663663833373264623138376431353437623765643530373266643539616231376162663831
33643334323861653564333739376561306462316561336531656663396134336635666639343433
38613630313731343736

35
host_vars/vpn02/vars.yml
View File

@ -1,35 +0,0 @@
ansible_host: 5.9.220.115
ansible_host_net: /29
ansible_host_ipv6: 2a01:4f8:262:5112::102
ansible_host_ipv6_net: /64
ipv4_gateway: 5.9.220.112
ipv6_gateway: 2a01:4f8:262:5112::3
ansible_port: 22
ansible_ssh_user: root
ansible_python_interpreter: /usr/bin/python3
###
### Vars Freifunk
###
internal_network: "10.255.0.0/16"
freifunk_internal_ip: 172.16.7.11/24
core_router: 172.16.7.1
###
### Wireguard
###
ipv6_network: 2a03:2260:121:640::/58
wireguard_address: "10.255.1.1/24, fd80:3ea2:e399:203a::1/64"
wireguard_port: 42001
wireguard_public: 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s=
wiregurad_v4: 10.255.1.1
wireguard_unmanaged_peers:
## Nils
vpn8-nils:
public_key: g+l9gP3SR99Q8TZ3uKs7yu1mANy97EFA21THrC/n1W0=
allowed_ips: 10.255.1.2/32, 10.2.0.0/16, fd80:3ea2:e399:203a::2/128, 2a03:2260:121:642::/64
## Stefan_Test
vpn10-edge4:
public_key: UHaYitx18sO71Ssk2SVUgdjLaAILbCthCmosU+Fs5Es=
allowed_ips: 10.255.1.11/32, 10.11.0.0/16, fd80:3ea2:e399:203a::11/128, 2a03:2260:121:64b::/64

9
host_vars/vpn02/vault.yml
View File

@ -1,9 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
31653333646534336164323064616261666365636438363761663837663635613333386165313962
3732656532643062333235366564333633623937353335650a343334393265316131313935363337
61323339356237646631303039646132663161623739393130383338383339373063373566666330
3463346562336166340a313562613835386431613636303637626133346433393630623837646236
66633239393134336539346430343965383339653061633463653864653834633862353861663432
39633663663833373264623138376431353437623765643530373266643539616231376162663831
33643334323861653564333739376561306462316561336531656663396134336635666639343433
38613630313731343736

35
hosts.yml
View File

@ -1,35 +0,0 @@
######################
#
# Ansible Hosts for FFTDF Supernodes. atm only the new offloader
#
######################
all:
children:
router:
children:
ffrl_uplink:
hosts:
core4:
supernodes:
children:
vpn_offloader_wireguard:
hosts:
vpn01:
vpn02:
freifunk_supernodes:
hosts:
service_server:
children:
unifi:
hosts:
unifi:
uisp:
hosts:
uisp:
edge_router:
hosts:
edge1:
edge2:
edge3:
edge4:

303
install.sn.yml Normal file
View File

@ -0,0 +1,303 @@
# First install ssh-key at remote computer
# In case of python error start:
# ansible troisdorf4 -u root -m raw -a "apt-get update && apt-get install python -y"
- name: Install Freifunk Troisdorf super node
# hosts: FreifunkSupernodesL2TP
hosts: '{{ target }}'
sudo: False
user: root
gather_facts: False
vars:
snversion: master_v3.0.0
batmanversion: v2015.2
common_required_packages:
- git
- make
- gcc
- build-essential
- pkg-config
- libgps-dev
- libnl-3-dev
- libjansson-dev
- isc-dhcp-server
- collectd
- libcap-dev
- iproute
- libnetfilter-conntrack3
- python-dev
- libevent-dev
- ebtables
- python-virtualenv
- iptables-persistent
- iftop
- screen
- bridge-utils
- tcpdump
- bind9
- radvd
- curl
- htop
- psmisc
- dnsutils
- ntp
modules_required:
- batman-adv
- nf_conntrack_netlink
- nf_conntrack
- nfnetlink
- l2tp_netlink
- l2tp_core
- l2tp_eth
tunneldigger_scripts:
- start-broker.sh
- batdelif.sh
tunneldigger_service:
- tunneldigger.service
bind_zone_fftdf:
- named.conf.fftdf
check_gw_script:
- keepalive.sh
authorized_keys:
- authorized_keys
logrotate_config:
- logrotate.conf
tunneld_stats_file:
- collectd_td_stat.sh
tasks:
- name: Remove cdrom in sources.list
raw: "sed -i '/deb cdrom/c\\#' /etc/apt/sources.list"
- name: Make this server ansible compatible
raw: "apt-get update && apt-get install python -y"
# - name: Add backport repo to source list #target: /etc/apt/sources.list.d
# apt_repository: repo='deb http://http.debian.net/debian jessie-backports main' state=present
- name: Update apt cache
apt: update_cache=yes
- name: Gathering facts
setup:
- name: Set IPv4 in hostfile
lineinfile: dest=/etc/hosts regexp='^{{ ansible_default_ipv4.address }}' line='{{ ansible_default_ipv4.address }} {{ sn_hostname }}.{{ sn_fqdn }} {{ sn_hostname }}' owner=root group=root mode=0644 state=present
- name: Set IPv6 in hostfile
lineinfile: dest=/etc/hosts regexp='^{{ ansible_default_ipv6.address }}' line='{{ ansible_default_ipv6.address }} {{ sn_hostname }}.{{ sn_fqdn }} {{ sn_hostname }}' owner=root group=root mode=0644 state=present
when: ansible_default_ipv6.address is defined
- name: set hostname
hostname: name='{{ sn_hostname }}'
register: sethostname
- name: disable multi CPU Kernel (SMP)
lineinfile: dest=/etc/default/grub regexp='^GRUB_CMDLINE_LINUX_DEFAULT=' line='GRUB_CMDLINE_LINUX_DEFAULT="quiet maxcpus=0 nosmp"' state=present
register: grubnosmp
- name: Update grub
shell: update-grub2
when: grubnosmp.changed
- name: Reboot the server
shell: sleep 2 && shutdown -r now "Ansible updates triggered"
async: 1
poll: 0
ignore_errors: true
when: sethostname.changed
- name: waiting for server to come back (1st)
local_action:
wait_for
host={{ inventory_hostname }}
port=22
delay=20
timeout=300
when: hosts.changed
when: sethostname.changed
- apt: update_cache=yes
- name: Install common required packages
apt: state=installed pkg={{ item }}
with_items: common_required_packages
register: aptupdates
- name: Set clock
shell: /etc/init.d/ntp stop && /usr/sbin/ntpd -q -g && /etc/init.d/ntp start
- name: Add modules
lineinfile: dest=/etc/modules line={{ item }}
with_items: modules_required
register: modules_req
- name: Load modules
modprobe: name={{ item }}
with_items: modules_required
when: modules_req.changed
- name: Install Linux headers
shell: >
apt-get install linux-headers-$(uname -r) -y
when: aptupdates.changed
- name: Get batman-adv
git: repo=https://git.open-mesh.org/batman-adv.git
dest=/tmp/batman-adv
when: aptupdates.changed
register: getbatman
- name: Get batman-adv no rebrotcast patch
get_url: url=http://map.freifunk-moehne.de/stuff/1001-batman-adv-introduce-no_rebroadcast-option.patch dest=/tmp/batman-adv/1001-batman-adv-introduce-no_rebroadcast-option.patch
when: getbatman.changed
- name: Install batman-adv
shell: cd /tmp/batman-adv && git checkout {{ batmanversion }} && make && make install
# shell: cd /tmp/batman-adv && git checkout {{ batmanversion }} && git apply 1001-batman-adv-introduce-no_rebroadcast-option.patch && make && make install
when: getbatman.changed
- name: Get batctl
git: repo=http://git.open-mesh.org/batctl.git
dest=/tmp/batctl
when: aptupdates.changed
register: getbatctl
- name: Install batctl
shell: cd /tmp/batctl && git checkout {{ batmanversion }} && make && make install
when: getbatctl.changed
- name: Get alfred
git: repo=http://git.open-mesh.org/alfred.git
dest=/tmp/alfred
when: aptupdates.changed
register: getalfred
- name: Install alfred
shell: cd /tmp/alfred && git checkout {{ batmanversion }} && make && make install
when: getalfred.changed
- name: Get Tunneldigger
# git: repo=https://github.com/wlanslovenija/tunneldigger.git
git: repo=https://github.com/ffrl/tunneldigger.git
dest=/srv/tunneldigger
register: tunneldigger
when: aptupdates.changed
- name: Configure tunneldigger
command: "{{item}}"
with_items:
- virtualenv /srv/tunneldigger/ -p python2.7
when: tunneldigger.changed
- name: Tunneldigger requirements
pip: requirements=/srv/tunneldigger/broker/requirements.txt virtualenv=/srv/tunneldigger/
when: tunneldigger.changed
- name: Copy l2tp broker config template
template: src=./files/l2tp_broker.cfg.j2 dest=/srv/tunneldigger/l2tp_broker.cfg owner=root group=root mode=0444
when: tunneldigger.changed
- name: Copy tunneldigger script template
template: src=./files/bataddif.sh.j2 dest=/srv/tunneldigger/bataddif.sh owner=root group=root mode=0500
when: tunneldigger.changed
- name: Copy tunneldigger scripts
copy: src=./files/{{ item }} dest=/srv/tunneldigger owner=root group=root mode=0500
with_items: tunneldigger_scripts
when: tunneldigger.changed
- name: Copy tunneldigger service file
copy: src=./files/{{ item }} dest=/etc/systemd/system/tunneldigger.service owner=root group=root mode=0444
with_items: tunneldigger_service
when: tunneldigger.changed
- name: Tunneldigger reload
command: "{{item}}"
with_items:
- systemctl daemon-reload
- systemctl enable tunneldigger.service
when: tunneldigger.changed
- name: Copy logrotate config
copy: src=./files/{{ item }} dest=/etc/ owner=root group=root mode=0500
with_items: logrotate_config
- name: Create freifunk directory
file: path=/opt/freifunk state=directory mode=0755
- name: Check gateway / keepalive script supernode
copy: src=./files/{{ item }} dest=/opt/freifunk owner=root group=root mode=0500
with_items: check_gw_script
register: check_gw
when: sn_exit is undefined
- name: Check gateway / keepalive script super- and exitnode
template: src=./files/keepalive.exit.sh.j2 dest=/opt/freifunk/keepalive.sh owner=root group=root mode=0500
register: check_gw
when: sn_exit is defined
- name: Add cron job with check gateway script
cron: name=check_gw job="/opt/freifunk/keepalive.sh > /dev/null 2>&1" user="root"
when: check_gw.changed
- name: Tunneldigger stats
copy: src=./files/{{ item }} dest=/opt/freifunk owner=root group=root mode=0500
with_items: tunneld_stats_file
register: tunneld_stats
# when: sn_exit is undefined
- name: Add cron job tunneldigger stats
cron: name=tunneld_stats job="/opt/freifunk/collectd_td_stat.sh > /dev/null 2>&1" user="root"
when: tunneld_stats.changed
- name: Copy dhcpd template file
template: src=./files/dhcpd.conf.j2 dest=/etc/dhcp/dhcpd.conf owner=root group=root mode=0444
register: dhcpd
- name: Clone static DHCP config
git: repo=https://github.com/Freifunk-Troisdorf/static-dhcp
dest=/opt/freifunk/static-dhcp
when: dhcpd.changed
- name: Add cron static DHCP
cron: name=StaticDHCP minute="*" job="/opt/freifunk/static-dhcp/dhcp-update.sh"
when: dhcpd.changed
- name: Restart dhcpd
service: name=isc-dhcp-server state=restarted
when: dhcpd.changed
ignore_errors: yes
- name: Add cron backbone script
cron: name=backbone special_time=reboot job="/opt/freifunk/l2tp_backbone.sh"
- name: Add cron startup script
cron: name=startup special_time=reboot job="/opt/freifunk/sn_startup.sh"
- name: Copy backbone script
template: src=./files/l2tp_backbone.sh.j2 dest=/opt/freifunk/l2tp_backbone.sh owner=root group=root mode=0544
when: sn_exit is undefined
- name: Copy backbone script
template: src=./files/l2tp_backbone.sh.exit.j2 dest=/opt/freifunk/l2tp_backbone.sh owner=root group=root mode=0544
when: sn_exit is defined
- name: Collectd template file
template: src=./files/collectd.conf.j2 dest=/etc/collectd/collectd.conf owner=root group=root mode=0444
register: collectd
- name: Restart collectd
service: name=collectd state=restarted
when: collectd.changed
- name: configure startup script supernode
template: src=./files/sn_startup.sh.j2 dest=/opt/freifunk/sn_startup.sh owner=root group=root mode=0500
when: sn_exit is undefined
- name: Exit node startup script super- and exitnode
template: src=./files/sn_startup.exit.sh.j2 dest=/opt/freifunk/sn_startup.sh owner=root group=root mode=0500
when: sn_exit is defined
- name: SSH authorized_keys
copy: src=./files/{{ item }} dest=/root/.ssh owner=root group=root mode=0400
with_items: authorized_keys
- name: Copy secondary zone file
copy: src=./files/{{ item }} dest=/etc/bind owner=root group=bind mode=644
with_items: bind_zone_fftdf
- name: Bind9, activate fftdf zone
lineinfile: dest=/etc/bind/named.conf line='include "/etc/bind/named.conf.fftdf";' state=present
- name: Copy option template
template: src=./files/named.conf.options.j2 dest=/etc/bind/named.conf.options owner=root group=bind mode=644
- name: Copy radvd config template
template: src=./files/radvd.conf.j2 dest=/etc/radvd.conf owner=radvd group=root mode=0444
- name: Alfed message
template: src=./files/alfred.sh.j2 dest=/opt/freifunk/alfred.sh owner=root group=root mode=0544
- name: Add cron job with alfred info script
cron: name=alfred_info job="/opt/freifunk/alfred.sh > /dev/null 2>&1" user="root"
- name: Interface configuration with ffrl gre tunnel
copy: src=./files/interfaces-{{ sn_hostname }} dest=/etc/network/interfaces owner=root group=root mode=0544
when: sn_exit is defined
- apt: update_cache=yes
- name: Install bird
apt: state=installed pkg=bird
when: sn_exit is defined
- name: Bird configuration
copy: src=./files/bird-{{ sn_hostname }}.conf dest=/etc/bird/bird.conf owner=bird group=bird mode=0444
when: sn_exit is defined
- name: Bird configuration
copy: src=./files/bird6-{{ sn_hostname }}.conf dest=/etc/bird/bird6.conf owner=bird group=bird mode=0444
when: sn_exit is defined
- name: Reboot the server finally
shell: sleep 2 && shutdown -r now "Ansible updates triggered"
async: 1
poll: 0
ignore_errors: true
when: tunneldigger.changed
- name: Wirte version information
shell: touch /etc/sn_version && echo {{ snversion }} > /etc/sn_version
- name: waiting for server to come back
local_action:
wait_for
host={{ inventory_hostname }}
port=22
delay=20
timeout=300
when: tunneldigger.changed
- name: Send notification message via Slack
local_action:
module: slack
token: "{{ slack_token }}"
msg: "{{ inventory_hostname }} completed with {{ snversion }}"
channel: "#technik"
username: "Ansible on {{ inventory_hostname }}"
parse: 'none'

18
readme.md
View File

@ -1,18 +0,0 @@
# Supernode mit direkter VPN Ausleitung
Ausleitung über das FFRL Backbone.
Supernode Config:
- GRE-Tunnel zum FFRL Backbone
- VPN per Wireguard
- NAT auf VPN Routern
## Naming:
CORE[1-x]
Core Router auf Vyos mit Verbidung zum FFRL Backbone über GRE Tunnel. Die Core Router stellen das Freifunk Netz über ein LAN auf unseren Proxmox Servern bereit.
VPN[1-x]
VPN Server aka Supernodes. Die VPN Server nehmen VPN Verbindungen von Routern und/oder Clients entgegen und managen diese. Hier sind diekte anbindungen möglich, ebenso aber Supernodes mit dem klassischen Freifunk (Batman) Konzept.
ROUTER[1-x], EDGE[1-x], CLIENT[1-x]
Angebundene Router oder Clients an einen VPN Server, falls dieser aus diesem Ansible eine Config erhält.

1
roles/00-ubuntu-basic/files/nils.key.pub
View File

@ -1 +0,0 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCvwA3/NDj7Oo28Q1XdRIgOp//35gFVvsDa1dnMkgRDqJYvlIDbRiQ+UIcgu5YhstPb8BAxfvqjRP4rnMKc7v69T2Lp+HOMx+1sOYrznEe2hC5lPr4+U1u4Fzqhq/keSoItifmdTgrE+01Zc5jMBosUIm79TDgEMuEGcYVJIyAzDv9ez4u+Bz/HubRO+qT/+UmOICEg9m/C+fiH/ZAJHi90dMsj7RF5YXrRHXTAdiecurwGAZx2Adug1fFTvzB1pqBUHje1PFtEI+LheYklpNtiJo8NQ2KDEiavSxBibJrywzQHaddf0bkeAhmiNY8PRoMpMNeiu94DyNFWgdm7bLzdzrN/o5U7MlnJlcn8D1tLtdp0ngTxaN6VIywI8mQ/Ukxz8p2Ce49vu6osz4CvYhKx4mrvOSmqg9VjKcL6/rIwK7y5CWgIrddktxrSpUHXkzoQSefgZ5Bnu3CNp0GixWV5JTHnFxCulJAGi3TTqx7IvsJ8gpuKkeGnIgnDhFbqVOKeEEnR13tTCJ7MgPQ+VHREQ68u73a5TfDxJd/ggnG4tQ67HOcqxwa74+X1lv7YiJ3AvbrR7FFPNM3o5N8ZmZWhBLDaUHrjElHkZdB/V2l2bCblWhD0INCYoskuK1dFGdf3gQQeKOivGzKtzI0xNKutrxfvarkikxCEV3Exj889rQ== Nils Stinnesbeck

1
roles/00-ubuntu-basic/files/roman.key.pub
View File

@ -1 +0,0 @@
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAos0JvQsyAsP3FcsqDCBTDqzUGBeoxMKDj/SSRoy5MBDPUaWm37b93Lqmg1wMj0qvUURBKpWsRiRUzzRAaQrIdhcZjo0Gkw4vv7tpFQCmvWqxUpzH00GDKjLrMvNfcv+5b0Ctl06Bo+e4nb2SVsFhjaP9MLIjHiKpgivIPx9aKwxKx/VjsW920eWOG+VaDKIJTxPGUYedaUgIktvhutAbOyRR/OJlIZ3Qs0cnyT4KTM4pe4br2p3+mNs6J7G+z8Lw99WiUBfUwsRLVO68nJA2PKlJNEUGJycngqV06iQpcDfei88DFRMetN9bhVYxWFIzCQfjjqs8dkomEhfFQwfOTYiOouhaycZABwU4pPmQwZIkp1q4KduodU/KYsf78WitYgavHVInWBQuAUljafwQpTLHy8AI6M3XmbKi5rvNZiy4hoxfaT7rYJGuBoTwsZEHI7Sf26XsyQKJdu29mmIYPpzPKP7VAyjAVLqruLX1Yy0oZuM22YFFj5MHuoEN3WdXOYymvZyOM05xXeQk6gVh3EE6MpbK8CFz1KPNEjd+vce1zUyACDvqdt6ZIjqmUdivBsvHDTqMgH9mSxjjjwLy+Sd7snXx0bqksTdPChAlXN9vs3ez8FJl0P4inzjza8l8zGqaa2A1CsO8dRcyojohczLYoTHWQTB3tVIdcj55UIE= roman

1
roles/00-ubuntu-basic/files/stefan.key.pub
View File

@ -1 +0,0 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDM0d9uUUdkK80fYEAz+IwxbhQO2qsr87Q4uxxwqQCvjVWryL+IuKMBJJGroWDMz2d9UJcIXEYdMz4436U0DoPJuoXe5iDsVvum3Vz3276My+tqx1bZWCktPa8Isft7mO/wfELNjRNQduUiwh2y712s7/3GQI+5Rs/65HuLHTnpLKrlfptqmsmYw+IUFDzGwBLJ6sqP90ywjKkperPCAH3IWcTsQwnW3EJFPToMg6BrQslZlxx/z+co3e6jCWzUuuIRP9jp4SmNVfYaVGb1cOFdL1p1P0qWHBHdGUnXHZ+c773VKVSj+spUBxKGqNC1EhRCYTsPDLVrYrhKl2BRLcgB stefan@Stefan-Linux

68
roles/00-ubuntu-basic/tasks/main.yml
View File

@ -1,68 +0,0 @@
---
# Set System Hostname
- name: Ensure hostname set
hostname:
name: "{{ inventory_hostname }}"
when: not inventory_hostname|trim is match('(\d{1,3}\.){3}\d{1,3}')
become: yes
register: hostname_set
- name: Reboot host and wait for it to restart
reboot:
msg: "Reboot initiated by Ansible"
connect_timeout: 5
reboot_timeout: 600
pre_reboot_delay: 0
post_reboot_delay: 30
test_command: whoami
when: hostname_set.changed
# Users defined in /vars/main.yml
# pub key files in /files/{USER}.key.pub
- name: "Create user accounts and add users to groups"
user:
name: "{{ item }}"
groups: sudo
with_items: "{{ users }}"
- name: "Add authorized keys"
authorized_key:
user: "{{ item }}"
key: "{{ lookup('file', 'files/'+ item + '.key.pub') }}"
with_items: "{{ users }}"
- name: Allow 'sudo' group to have passwordless sudo
lineinfile:
path: /etc/sudoers
state: present
regexp: '^%sudo'
line: '%sudo ALL=(ALL) NOPASSWD: ALL'
validate: '/usr/sbin/visudo -cf %s'
# Install basic packages for Ubuntu minimal Systems
- name: Install all Packages
ansible.builtin.apt:
name:
- curl
- nano
- vim
- htop
- screen
- iproute2
- iptables
- cron
- qemu-guest-agent
- iputils-ping
- iw
- speedtest-cli
- telnet
state: latest
update_cache: yes
- name: uninstall unneeded packages
apt:
name:
- rpcbind
update_cache: yes
state: absent

4
roles/00-ubuntu-basic/vars/main.yml
View File

@ -1,4 +0,0 @@
users:
- stefan
- nils
- roman

90
roles/01-vpn-offloader-setup/tasks/main.yml
View File

@ -1,90 +0,0 @@
---
- name: Setup NAT
ansible.builtin.iptables:
chain: POSTROUTING
table: nat
source: "{{ internal_network }}"
jump: MASQUERADE
register: iptables
- name: Enable kernel panic reboots
ansible.posix.sysctl:
name: kernel.panic
value: '1'
- name: Enable IPv4 forwarding
ansible.posix.sysctl:
name: net.ipv4.ip_forward
value: '1'
sysctl_set: true
- name: Enable IPv6 forwarding
ansible.posix.sysctl:
name: net.ipv6.conf.all.forwarding
value: '1'
sysctl_set: true
- name: Create Routing Table 42
ansible.builtin.lineinfile:
path: /etc/iproute2/rt_tables
line: 42 ffrl
create: yes
- name: Generate NDPPD Config
ansible.builtin.template:
src: ndppd.conf.j2
dest: /etc/ndppd.conf
owner: root
group: root
mode: 755
- name: Install all Packages for VPN Servers
ansible.builtin.apt:
name:
- libndp0
- libndp-tools
- ndppd
- iptables-persistent
state: latest
update_cache: yes
- name: Find all Netplan Files without of the freifunk file
find:
paths: /etc/netplan/
file_type: file
excludes:
- "01-freifunk.yaml"
register: found_files
- name: Delete files
file:
path: "{{ item.path }}"
state: absent
with_items: "{{ found_files['files'] }}"
- name: Copy Netplan Template for Internal Network
ansible.builtin.template:
src: netplan.j2
dest: /etc/netplan/01-freifunk.yaml
owner: root
group: root
mode: 755
register: netplan_config
- name: saveip6tables
ansible.builtin.shell: ip6tables-save > /etc/iptables/rules.v6
when: iptables.changed
- name: saveip4tables
ansible.builtin.shell: iptables-save > /etc/iptables/rules.v4
when: iptables.changed
- name: Apply Netplan
ansible.builtin.shell: netplan apply
when: netplan_config.changed
- name: Enable Proxy_NDP on interface ens19
ansible.posix.sysctl:
name: net.ipv6.conf.ens19.proxy_ndp
value: '1'
sysctl_set: true

5
roles/01-vpn-offloader-setup/templates/ndppd.conf.j2
View File

@ -1,5 +0,0 @@
proxy ens19 {
rule {{ ipv6_network }} {
static
}
}

32
roles/01-vpn-offloader-setup/templates/netplan.j2
View File

@ -1,32 +0,0 @@
network:
ethernets:
ens18:
addresses:
- {{ ansible_host }}{{ ansible_host_net }}
- {{ ansible_host_ipv6 }}{{ ansible_host_ipv6_net }}
nameservers:
addresses:
- 1.1.1.1
routes:
- to: default
via: {{ ipv4_gateway }}
table: 42
- to: default
via: {{ ipv6_gateway }}
table: 42
routing-policy:
- from: {{ ansible_host }}
table: 42
- from: {{ ansible_host_ipv6 }}
table: 42
ens19:
dhcp4: false
addresses:
- {{ freifunk_internal_ip }}
nameservers:
addresses:
- 1.1.1.1
routes:
- to: default
via: {{ core_router }}
version: 2

11
roles/01-vpn-router-config/tasks/main.yml
View File

@ -1,11 +0,0 @@
- name: create config directory
file:
path: '{{ playbook_dir }}/edgerouter_configs/'
state: directory
- name: Generate EdgeOS Config
ansible.builtin.template:
src: edgerouter.conf.j2
dest: '{{ playbook_dir }}/edgerouter_configs/{{ inventory_hostname }}.md'
mode: 0755

106
roles/01-vpn-router-config/templates/edgerouter.conf.j2
View File

@ -1,106 +0,0 @@
## Webinterface Wizard ausführen
WAN auf eth0
Ein LAN mit Adresse: {{ ipv4_address }}
Dann auf der Konsole weiter
## Install Wireguard
cd /tmp
curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb
sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb
####
cd /config/auth
wg genkey | tee /config/auth/wg.key | wg pubkey > wg.public
cat wg.public
cat wg.key
####
set firewall all-ping enable
set firewall broadcast-ping disable
set firewall group ipv6-network-group LAN-VPN-V6 description 'Networks on LAN destined to go out VPN by default'
set firewall group ipv6-network-group LAN-VPN-V6 ipv6-network '{{ ipv6_network }}'
set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
set firewall group network-group LAN-VPN network {{ ipv4_network }}
set firewall ipv6-modify LAN_to_VPN_V6 rule 1 action modify
set firewall ipv6-modify LAN_to_VPN_V6 rule 1 modify table 2
set firewall ipv6-modify LAN_to_VPN_V6 rule 1 source group ipv6-network-group LAN-VPN-V6
set firewall ipv6-modify LAN_to_VPN_V6 rule 1 description 'Route traffic from group LAN-VPN through LAN_to_VPN_V6 table'
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall modify LAN_to_VPN rule 100 action modify
set firewall modify LAN_to_VPN rule 100 description 'Route traffic from group LAN-VPN through LAN_to_VPN table'
set firewall modify LAN_to_VPN rule 100 modify table 2
set firewall modify LAN_to_VPN rule 100 source group network-group LAN-VPN
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 description WireGuard
set firewall name WAN_LOCAL rule 20 destination port 51821
set firewall name WAN_LOCAL rule 20 protocol udp
set firewall options mss-clamp interface-type all
set firewall options mss-clamp mss 1340
set firewall options mss-clamp6 interface-type all
set firewall options mss-clamp6 mss 1340
set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable
set interfaces switch switch0 address {{ ipv4_address }}/24
set interfaces switch switch0 address '{{ ipv6_address }}'
set interfaces switch switch0 description Local
set interfaces switch switch0 firewall in ipv6-modify LAN_to_VPN_V6
set interfaces switch switch0 firewall in modify LAN_to_VPN
set interfaces switch switch0 ipv6 dup-addr-detect-transmits 1
set interfaces switch switch0 ipv6 router-advert cur-hop-limit 64
set interfaces switch switch0 ipv6 router-advert link-mtu 1328
set interfaces switch switch0 ipv6 router-advert managed-flag true
set interfaces switch switch0 ipv6 router-advert max-interval 600
set interfaces switch switch0 ipv6 router-advert name-server '2606:4700:4700::1111'
set interfaces switch switch0 ipv6 router-advert other-config-flag false
set interfaces switch switch0 ipv6 router-advert prefix '{{ ipv6_network }}' autonomous-flag true
set interfaces switch switch0 ipv6 router-advert prefix '{{ ipv6_network }}' on-link-flag true
set interfaces switch switch0 ipv6 router-advert prefix '{{ ipv6_network }}' valid-lifetime 2592000
set interfaces switch switch0 ipv6 router-advert reachable-time 0
set interfaces switch switch0 ipv6 router-advert retrans-timer 0
set interfaces switch switch0 ipv6 router-advert send-advert true
set interfaces switch switch0 mtu 1500
set interfaces switch switch0 switch-port interface eth1
set interfaces switch switch0 switch-port interface eth2
set interfaces switch switch0 switch-port interface eth3
set interfaces switch switch0 switch-port interface eth4
set interfaces switch switch0 switch-port vlan-aware disable
set interfaces wireguard wg0 address {{ wireguard_address }}
set interfaces wireguard wg0 address {{ wireguard_v6_address }}
set interfaces wireguard wg0 listen-port 51822
set interfaces wireguard wg0 mtu 1380
set interfaces wireguard wg0 peer {{ wireguard_public }} allowed-ips 0.0.0.0/0
set interfaces wireguard wg0 peer {{ wireguard_public }} allowed-ips '::0/0'
set interfaces wireguard wg0 peer {{ wireguard_public }} endpoint 'vpn01.fftdf.de:42001'
set interfaces wireguard wg0 private-key /config/auth/wg.key
set interfaces wireguard wg0 route-allowed-ips false
set protocols static interface-route6 ::/0 next-hop-interface wg0
set protocols static table 2 interface-route 0.0.0.0/0 next-hop-interface wg0
set protocols static table 2 interface-route6 '::/0' next-hop-interface wg0
delete service dhcp-server
set service dhcp-server disabled false
set service dhcp-server hostfile-update disable
set service dhcp-server shared-network-name LAN authoritative enable
set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }}/24 default-router {{ ipv4_address }}
set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }}/24 dns-server {{ ipv4_address }}
set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }}/24 lease 86400
set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }}/24 start {{ ipv4_dhcp_start }} stop {{ ipv4_dhcp_stop }}
set service dhcp-server static-arp disable
set service dhcp-server use-dnsmasq disable
set service dns forwarding cache-size 150
set service dns forwarding listen-on switch0
set service nat rule 5010 description 'masquerade for VPN'
set service nat rule 5010 outbound-interface wg0
set service nat rule 5010 protocol all
set service nat rule 5010 type masquerade
set service unms
set service unms connection '{{ unms_vault_URL }}'
set system host-name {{ inventory_hostname }}
set system time-zone UTC

38
roles/10-freifunk-supernode/README.md
View File

@ -1,38 +0,0 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).

122
roles/10-freifunk-supernode/tasks/main.yml
View File

@ -1,122 +0,0 @@
---
# tasks file for 10-freifunk-supernode
# Install basic packages for Supernode
- name: Install all Packages
ansible.builtin.apt:
name:
- batctl
- iptables-persistent
- conntrack
state: latest
update_cache: yes
## IP Forwarding
- name: IPv4-Paketweiterleitung aktivieren
sysctl:
name: "net.ipv4.conf.all.forwarding"
value: 1
sysctl_set: yes
state: present
reload: yes
sysctl_file: /etc/sysctl.d/ff-ip_forwarding.conf
- name: IPv6-Paketweiterleitung aktivieren
sysctl:
name: "net.ipv6.conf.all.forwarding"
value: 1
sysctl_set: yes
state: present
reload: yes
sysctl_file: /etc/sysctl.d/ff-ip_forwarding.conf
- name: sysctl Reverse-Path-Filter default deaktivieren - Quellroute nicht prüfen
sysctl:
name: "net.ipv4.conf.default.rp_filter"
value: 0
sysctl_set: yes
state: present
reload: yes
sysctl_file: /etc/sysctl.d/ff-ip_forwarding.conf
- name: sysctl Reverse-Path-Filter all deaktivieren - Quellroute nicht prüfen
sysctl:
name: "net.ipv4.conf.all.rp_filter"
value: 0
sysctl_set: yes
state: present
reload: yes
sysctl_file: /etc/sysctl.d/ff-ip_forwarding.conf
- name: Create Routing Table 42
ansible.builtin.lineinfile:
path: /etc/iproute2/rt_tables
line: 42 ffrl
create: yes
## Contrack
- name: Enable nf_conntrack_ipv4 module
modprobe:
name: nf_conntrack_ipv4
state: present
when: ansible_kernel is version_compare('4.19', '<')
- name: Enable nf_conntrack_ipv4 on system startup
blockinfile:
path: /etc/modules
marker: "# {mark} Ansible managed block"
block: |
nf_conntrack_ipv4
when: ansible_kernel is version_compare('4.19', '<')
- name: Enable nf_conntrack module
modprobe:
name: nf_conntrack
state: present
when: ansible_kernel is version_compare('4.19', '>=')
- name: Enable nf_conntrack on system startup
blockinfile:
path: /etc/modules
marker: "# {mark} Ansible managed block"
block: |
nf_conntrack
when: ansible_kernel is version_compare('4.19', '>=')
- name: Set nf_conntrack_max to a higher value
sysctl:
name: "net.netfilter.nf_conntrack_max"
value: 524288
sysctl_set: yes
state: present
reload: yes
sysctl_file: /etc/sysctl.d/ff-netfilter.conf
- name: Set nf_conntrack_tcp_timeout_established to 86400 (one day)
sysctl:
name: "net.netfilter.nf_conntrack_tcp_timeout_established"
value: 86400
sysctl_set: yes
state: present
reload: yes
sysctl_file: /etc/sysctl.d/ff-netfilter.conf
- name: Set nf_conntrack_tcp_timeout_time_wait to 60
sysctl:
name: "net.netfilter.nf_conntrack_tcp_timeout_time_wait"
value: 60
sysctl_set: yes
state: present
reload: yes
sysctl_file: /etc/sysctl.d/ff-netfilter.conf
- name: Get current nf_conntrack hashsize
shell: "cat /sys/module/nf_conntrack/parameters/hashsize"
register: nf_conntrack_hashsize
changed_when: false
check_mode: no
- name: Set nf_conntrack hashsize to a higher value
shell: "echo 32768 > /sys/module/nf_conntrack/parameters/hashsize"
when: "nf_conntrack_hashsize.stdout != '32768'"

6
roles/10.1-dhcp/handlers/main.yml
View File

@ -1,6 +0,0 @@
---
- name: restart isc-dhcp-server
service: name=isc-dhcp-server state=restarted
- name: restart isc-dhcp6-server
service: name=isc-dhcp6-server state=restarted

22
roles/10.1-dhcp/tasks/main.yml
View File

@ -1,22 +0,0 @@
---
- name: Install Packages for DHCP Server
ansible.builtin.apt:
name:
- isc-dhcp-server
state: latest
update_cache: yes
- name: create dhcp defaults
template:
src: isc-dhcp-server.conf.j2
dest: /etc/default/isc-dhcp-server
notify:
- restart isc-dhcp-server
- name: create dhcp config
template:
src: dhcpd.conf.j2
dest: /etc/dhcp/dhcpd.conf
notify:
- restart isc-dhcp-server

17
roles/10.1-dhcp/templates/dhcpd.conf.j2
View File

@ -1,17 +0,0 @@
# {{ ansible_managed }}
default-lease-time 300;
max-lease-time 1800;
authoritative;
log-facility local7;
subnet {{ dhcp.ff_subnet }} netmask {{ dhcp.ff_netmask }} {
range {{dhcp.range_start}} {{dhcp.range_end}};
option routers {{ network.ff_v4_address }};
option domain-name-servers {{ network.ff_v4_address }};
option interface-mtu {{ dhcp.mtu }};
interface bat0;
}

3
roles/10.1-dhcp/templates/isc-dhcp-server.conf.j2
View File

@ -1,3 +0,0 @@
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACES="bat0"

3
roles/10.2-named/handlers/main.yml
View File

@ -1,3 +0,0 @@
---
- name: restart bind9
service: name=bind9 state=restarted

41
roles/10.2-named/tasks/main.yml
View File

@ -1,41 +0,0 @@
---
- name: Install all Packages for Bind9
ansible.builtin.apt:
name:
- bind9
state: latest
update_cache: yes
- name: create named config
template:
src: named.conf.j2
dest: /etc/bind/named.conf
notify:
- restart bind9
- name: create named.local config
template:
src: named.conf.local.j2
dest: /etc/bind/named.conf.local
notify:
- restart bind9
- name: create named.options config
template:
src: named.conf.options.j2
dest: /etc/bind/named.conf.options
notify:
- restart bind9
- name: create named fftdf config
template:
src: named.fftdf.conf.j2
dest: /etc/bind/named.fftdf.conf
notify:
- restart bind9
- name: create named fftdf db
template:
src: named.fftdf.db.j2
dest: /etc/bind/named.fftdf.db
notify:
- restart bind9

28
roles/10.2-named/templates/named.conf.default-zones.j2
View File

@ -1,28 +0,0 @@
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
//
//zone "localhost" {
// type master;
// file "/etc/bind/db.local";
//};
//
//zone "127.in-addr.arpa" {
// type master;
// file "/etc/bind/db.127";
//};
//
//zone "0.in-addr.arpa" {
// type master;
// file "/etc/bind/db.0";
//};
//
//zone "255.in-addr.arpa" {
// type master;
// file "/etc/bind/db.255";
//};

12
roles/10.2-named/templates/named.conf.j2
View File

@ -1,12 +0,0 @@
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.fftdf.conf";

7
roles/10.2-named/templates/named.conf.local.j2
View File

@ -1,7 +0,0 @@
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

6
roles/10.2-named/templates/named.fftdf.conf.j2
View File

@ -1,6 +0,0 @@
// Zone declarations for Freifunk Troisdorf
zone "fftdf" {
type master;
file "/etc/bind/named.fftdf.db";
};

24
roles/10.2-named/templates/named.fftdf.db.j2
View File

@ -1,24 +0,0 @@
;; db.fftdf
;; Forwardlookupzone für .fftdf
;;
$TTL 600
@ IN SOA fftdf. root.fftdf. (
2016584547 ; Serial
8H ; Refresh
2H ; Retry
4W ; Expire
3H ) ; NX (TTL Negativ Cache)
@ IN NS troisdorf5.infra.fftdf.
IN A 10.188.32.5
IN AAAA 2a03:2260:121:2::5
localhost IN A 127.0.0.1
IN AAAA ::1
nextnode IN A 10.188.0.1
IN AAAA 2a03:2260:121::1
;; Update Servers
update1.infra IN AAAA 2a03:2260:121:4000:6038:61ff:fe34:3461
update2.infra IN AAAA 2a01:4f8:11d:600::183
;;update3.infra IN AAAA 2a03:2260:121::24
;; Unifi
unifi IN A 195.201.216.131

6
roles/10.3-tunneldigger/files/tunneldigger.conf
View File

@ -1,6 +0,0 @@
nf_conntrack_netlink
nf_conntrack
nfnetlink
l2tp_netlink
l2tp_core
l2tp_eth

14
roles/10.3-tunneldigger/files/tunneldigger.service
View File

@ -1,14 +0,0 @@
[Unit]
Description=tunneldigger tunnelling network daemon using l2tpv3 for domain %i
After=network.target auditd.service
[Service]
Type=simple
WorkingDirectory=/srv/tunneldigger
ExecStart=/srv/tunneldigger/env_tunneldigger/bin/python3 -m tunneldigger_broker.main /srv/tunneldigger/broker/l2tp_broker.cfg
KillMode=process
KillSignal=SIGINT
Restart=on-failure
[Install]
WantedBy=multi-user.target

2
roles/10.3-tunneldigger/handlers/main.yml
View File

@ -1,2 +0,0 @@
- name: load kernel modules
shell: /etc/init.d/kmod start || true

80
roles/10.3-tunneldigger/tasks/main.yml
View File

@ -1,80 +0,0 @@
- name: Install dependencies for this role
apt:
pkg: "{{ item }}"
state: present
with_items:
- bridge-utils
- ebtables
- git
- iproute2
- libnetfilter-conntrack-dev
- libnfnetlink-dev
- python3-dev
- python3-virtualenv
- virtualenv
- gcc
- libnl-3-dev
- libevent-dev
- name: Get Tunneldigger
git:
repo: https://github.com/wlanslovenija/tunneldigger
dest: /srv/tunneldigger
register: tunneldigger
- name: generate virtualenv.
command:
"virtualenv -p /usr/bin/python3 env_tunneldigger"
args:
chdir: /srv/tunneldigger/
creates: "/srv/tunneldigger/env_tunneldigger/bin/python3"
when: tunneldigger.changed
- name: Install python dependencies
command: "/srv/tunneldigger/env_tunneldigger/bin/python setup.py install"
args:
chdir: /srv/tunneldigger/broker
when: tunneldigger.changed
- name: Copy l2tp broker config template
template:
src: l2tp_broker.cfg.j2
dest: /srv/tunneldigger/l2tp_broker.cfg
owner: root
group: root
mode: 0444
- name: Copy tunneldigger script template
template:
src: bataddif.sh.j2
dest: /srv/tunneldigger/bataddif.sh
owner: root
group: root
mode: 0500
- name: Copy tunneldigger scripts
template:
src: batdelif.sh.j2
dest: /srv/tunneldigger/batdelif.sh
owner: root
group: root
mode: 0500
- name: Copy tunneldigger service template
copy:
src: tunneldigger.service
dest: /etc/systemd/system/tunneldigger.service
mode: 0444
- name: Deploy tunneldigger.conf to /etc/modules-load.d/
copy:
src: tunneldigger.conf
dest: /etc/modules-load.d/tunneldigger.conf
notify: load kernel modules
- name: Tunneldigger reload
command: "{{item}}"
with_items:
- systemctl daemon-reload
- systemctl enable tunneldigger.service
when: tunneldigger.changed

17
roles/10.3-tunneldigger/templates/bataddif.sh.j2
View File

@ -1,17 +0,0 @@
#!/bin/bash
INTERFACE="$3"
MAC="$8"
brctl=/sbin/brctl
BLOCKLISTE=$(/bin/cat /opt/freifunk/tunneldigger-blacklist.txt)
wget -q -O /opt/freifunk/tunneldigger-blacklist.txt https://raw.githubusercontent.com/Freifunk-Troisdorf/tunneldigger-blockliste/master/macs.txt
/bin/ip link set dev $INTERFACE up mtu 1312
for i in $BLOCKLISTE;
do
if [[ $i == $MAC ]]; then
exit 1
fi
done
$brctl addif br-nodes $INTERFACE

4
roles/10.3-tunneldigger/templates/batdelif.sh.j2
View File

@ -1,4 +0,0 @@
#!/bin/bash
INTERFACE="$3"
/sbin/brctl delif br-nodes $INTERFACE

28
roles/21-docker/tasks/main.yml
View File

@ -1,28 +0,0 @@
---
- name: Install required system packages
apt:
name:
- apt-transport-https
- ca-certificates
- curl
- software-properties-common
state: latest
update_cache: true
- name: Add Docker GPG apt Key
apt_key:
url: https://download.docker.com/linux/ubuntu/gpg
state: present
- name: Add Docker Repository
apt_repository:
repo: deb https://download.docker.com/linux/ubuntu jammy stable
state: present
- name: Update apt and install docker-ce
apt:
name:
- docker-ce
- docker-compose
state: latest
update_cache: true

29
roles/21-install-oitc/tasks/main.yml
View File

@ -1,29 +0,0 @@
- name: Add OITC GPG Key
ansible.builtin.get_url:
url: https://packages.openitcockpit.io/repokey.txt
dest: /etc/apt/keyrings/openitcockpit-agent-keyring.asc
- name: Add specified repository into sources list
ansible.builtin.apt_repository:
repo: "deb [signed-by=/etc/apt/keyrings/openitcockpit-agent-keyring.asc] https://packages.openitcockpit.io/openitcockpit-agent/deb/stable deb main"
state: present
- name: Install OITC-Agent
apt: name={{ item }} state=latest update_cache=yes
with_items:
- openitcockpit-agent
- name: Copy Config File
ansible.builtin.template:
src: oitc.ini.j2
dest: /etc/openitcockpit-agent/config.ini
owner: root
group: root
mode: '0775'
register: openitcockpit_config
- name: Restart service httpd, in all cases
ansible.builtin.service:
name: openitcockpit-agent
state: restarted
when: openitcockpit_config.changed

177
roles/21-install-oitc/templates/oitc.ini.j2
View File

@ -1,177 +0,0 @@
[default]
#
# This is the configuration file for the openITCOCKPIT Monitoring Agent 3.x
# Notice: Empty values will not been ignored! If you want to disable an option like proxy comment it out!
#########################
# Web Server #
#########################
# Bind address of the build-in web server
# Use 0.0.0.0 to bind on all interfaces
address = 0.0.0.0
# Port of the Agents build-in web server
# Default port is 3333
port = 3333
#########################
# Security Settings #
#########################
# Try to enable auto ssl mode for webserver
try-autossl = True
# File paths used to store autossl related files (default: /etc/openitcockpit-agent/):
# Leave this blank to use the default values
# Example: /etc/openitcockpit-agent/agent.csr
#autossl-csr-file =
# Example: /etc/openitcockpit-agent/agent.crt
#autossl-crt-file =
# Example: /etc/openitcockpit-agent/agent.key
#autossl-key-file =
# Example: /etc/openitcockpit-agent/server_ca.crt
#autossl-ca-file =
# If a certificate file is given, the agent will only be accessible through HTTPS
# Instead of messing around with self-signed certificates we recommend to use the autossl feature.
# Example: /etc/ssl/certs/ssl-cert-snakeoil.pem
#certfile = /etc/ssl/certs/ssl-cert-snakeoil.pem
# Private key file of the given TLS certificate
# Example: /etc/ssl/private/ssl-cert-snakeoil.key
#keyfile = /etc/ssl/private/ssl-cert-snakeoil.key
# Enable remote read and write access to the current agent configuration (this file) and
# the customchecks config
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# ! WARNING: This could lead to remote code execution !
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
config-update-mode = False
# Enable HTTP Basic Authentication
# Example: auth = user:password
#auth = user:password
#########################
# Checks #
#########################
# Determines in seconds how often the agent will schedule all internal checks
interval = 30
# Remote Plugin Execution
# Path to config will where custom checks can be defined
# Comment to use the default value
#
# Linux: /etc/openitcockpit-agent/customchecks.ini
# Windows: C:\Program Files\it-novum\openitcockpit-agent\customchecks.ini
# macOS: /Applications/openitcockpit-agent/customchecks.ini
#customchecks = /etc/openitcockpit-agent/customchecks.ini
#########################
# Enable/Disable checks #
#########################
# Enable CPU monitoring
cpustats = True
# Enable memory monitoring
memory = True
# Enable Swap monitoring
swap = True
# Enable monitoring of running processes
processstats = True
# Enable monitoring of network interfaces
netstats = True
# Enable monitoring of the traffic (I/O) of network interfaces
netio = True
# Enable disk usage monitoring
diskstats = True
# Enable monitoring of disk I/O
diskio = True
# Enable monitoring of Systemd Services (Linux only)
systemdservices = True
# Enable monitoring of Launchd Services (macOS only)
launchdservices = True
# Enable monitoring of Windows Services (Windows only)
winservices = True
# Enable monitoring of Windows Event Log records (Windows only)
wineventlog = False
# Determines how the openITCOCKPIT Monitoring Agent should query the Windows Event Log.
# Since Version 3.0.9 WMI (Windows Management Instrumentation) will be used by default
# As alternative the Agent could use the PowerShell Get-EventLog cmdlet.
# The WMI method will maybe memory leak on Windows Server 2016. The PowerShell workaround
# on the other hand could lead to blue screens (OA-40).
wineventlog-method = WMI
#wineventlog-method = PowerShell
# Define comma separated windows event log log types
# Event Logs containing spaces DO NOT need to be quoted: Security,Sophos Cloud AD Sync,Application
wineventlog-logtypes = System,Application,Security
# Enable monitoring of temperature and battery sensors
sensorstats = True
# Enable support to monitor Docker containers
# Known issues: Error response from daemon: client version 1.41 is too new. Maximum supported API version is 1.40
# Workaround: export DOCKER_API_VERSION=1.40
dockerstats = False
# Check KVMs through libvirt
# This requires to complie the openITCOCKPIT Monitoring Agent by yourself.
# Please see the Wiki for instructions: https://github.com/it-novum/openitcockpit-agent-go/wiki/Build-binary
libvirt = True
# Enable logged in users check
userstats = True
#########################
# Push mode #
#########################
# By default openITCOCKPIT will pull check results from the openITCOCKPIT Agent.
# In a cloud environments or behind a NAT network it could become handy
# if the openITCOCKPIT Monitoring Agent will push the results to your openITCOCKPIT Server
[oitc]
# Enable Push Mode
enabled = False
# This option disables the webserver of the openITCOCKPIT Monitoring Agent when running in PUSH mode.
# When you also want to enable the Webserver even if the agent is running in PUSH mode we highly recommend
# to enable HTTP Basic Authentication and to use the certfile and keyfile options to enable HTTPS
enable-webserver = False
# Address of your openITCOCKPIT Server where the Agent will push the results to
# Example: https://demo.openitcockpit.io
url =
# Enable this option when your openITCOCKPIT server uses valid TLS certificates
# like from Let's Encrypt
verify-server-certificate = False
# Timeout in seconds for the HTTP push client
timeout = 10
# API-Key of your openITCOCKPIT Server
apikey =
# Address of HTTP/HTTPS Proxy if required.
# Comment to disable
# Example: http://10.10.1.10:3128
#proxy = http://10.10.1.10:3128

5
roles/21-install-wireguard/handlers/main.yml
View File

@ -1,5 +0,0 @@
---
- name: reconfigure wireguard
ansible.builtin.service:
name: "wg-quick@vpn01"
state: restarted

91
roles/21-install-wireguard/tasks/main.yml
View File

@ -1,91 +0,0 @@
- name: Install Wireguard
apt: name={{ item }} state=latest update_cache=yes
with_items:
- wireguard
- name: Register if config/private key already exists on target host
ansible.builtin.stat:
path: /etc/wireguard/vpn01.conf
register: wireguard__register_config_file
tags:
- wg-generate-keys
- wg-config
- name: WireGuard private key handling for new keys
block:
- name: Generate WireGuard private key
ansible.builtin.command: "wg genkey"
register: wireguard__register_private_key
changed_when: false
tags:
- wg-generate-keys
- name: Set private key fact
ansible.builtin.set_fact:
wireguard_private_key: "{{ wireguard__register_private_key.stdout }}"
tags:
- wg-generate-keys
when:
- not wireguard__register_config_file.stat.exists
- wireguard_private_key is not defined
- name: WireGuard private key handling for existing keys
block:
- name: Read WireGuard config file
ansible.builtin.slurp:
src: /etc/wireguard/vpn01.conf
register: wireguard__register_config
tags:
- wg-config
- name: Set private key fact
ansible.builtin.set_fact:
wireguard_private_key: "{{ wireguard__register_config['content'] | b64decode | regex_findall('PrivateKey = (.*)') | first }}"
tags:
- wg-config
when:
- wireguard__register_config_file.stat.exists
- wireguard_private_key is not defined
- name: Derive WireGuard public key
ansible.builtin.command: "wg pubkey"
args:
stdin: "{{ wireguard_private_key }}"
register: wireguard__register_public_key
changed_when: false
check_mode: false
tags:
- wg-config
- name: Set public key fact
ansible.builtin.set_fact:
wireguard__fact_public_key: "{{ wireguard__register_public_key.stdout }}"
tags:
- wg-config
- name: Create WireGuard configuration directory
ansible.builtin.file:
dest: /etc/wireguard/
state: directory
mode: 0700
tags:
- wg-config
- name: Generate WireGuard configuration file
ansible.builtin.template:
src: wg.conf.j2
dest: /etc/wireguard/vpn01.conf
owner: root
group: root
mode: 755
tags:
- wg-config
notify:
- reconfigure wireguard
- name: Start and enable WireGuard service
ansible.builtin.service:
name: "wg-quick@vpn01"
state: started
enabled: yes

32
roles/21-install-wireguard/templates/wg.conf.j2
View File

@ -1,32 +0,0 @@
#jinja2: lstrip_blocks:"True",trim_blocks:"True"
# {{ ansible_managed }}
# PublicKey: {{ wireguard__register_public_key.stdout }}
[Interface]
# {{ inventory_hostname }}
Address = {{ wireguard_address }}
PrivateKey = {{ wireguard_private_key }}
ListenPort = {{ wireguard_port }}
MTU = 1380
{% if wireguard_unmanaged_peers is defined %}
# Peers not managed by Ansible from "wireguard_unmanaged_peers" variable
{% for peer in wireguard_unmanaged_peers.keys() %}
[Peer]
# {{ peer }}
PublicKey = {{ wireguard_unmanaged_peers[peer].public_key }}
{% if wireguard_unmanaged_peers[peer].preshared_key is defined %}
PresharedKey = {{ wireguard_unmanaged_peers[peer].preshared_key }}
{% endif %}
{% if wireguard_unmanaged_peers[peer].allowed_ips is defined %}
AllowedIPs = {{ wireguard_unmanaged_peers[peer].allowed_ips }}
{% endif %}
{% if wireguard_unmanaged_peers[peer].endpoint is defined %}
Endpoint = {{ wireguard_unmanaged_peers[peer].endpoint }}
{% endif %}
{% if wireguard_unmanaged_peers[peer].persistent_keepalive is defined %}
PersistentKeepalive = {{ wireguard_unmanaged_peers[peer].persistent_keepalive }}
{% endif %}
{% endfor %}
{% endif %}

106
roles/21.1-portainer-compose/files/portainer.yml
View File

@ -1,106 +0,0 @@
version: "3"
services:
portainer:
image: portainer/portainer-ce:2.18.1
ports:
- 9443:9443
volumes:
- portainer_data:/data
- /var/run/docker.sock:/var/run/docker.sock
networks:
- traefik-public
labels:
- traefik.enable=true
- traefik.docker.network=traefik-public
- traefik.constraint-label=traefik-public
- traefik.http.routers.portainer-http.rule=Host(`portainer-unifi.freifunk-troisdorf.de`)
- traefik.http.routers.portainer-http.entrypoints=http
- traefik.http.routers.portainer-http.middlewares=https-redirect
- traefik.http.routers.portainer-http.service=portainer
- traefik.http.routers.portainer-https.rule=Host(`portainer-unifi.freifunk-troisdorf.de`)
- traefik.http.routers.portainer-https.entrypoints=https
- traefik.http.routers.portainer-https.tls=true
- traefik.http.routers.portainer-https.tls.certresolver=le
- traefik.http.routers.portainer-https.service=portainer
- traefik.http.services.portainer.loadbalancer.server.port=9000
traefik:
image: traefik:v2.4.8
ports:
# Listen on port 80, default for HTTP, necessary to redirect to HTTPS
- 80:80
# Listen on port 443, default for HTTPS
- 443:443
# Listen on 2222 for SSH Gitea
- 2222:2222
labels:
- traefik.enable=true
- traefik.docker.network=traefik-public
- traefik.constraint-label=traefik-public
- traefik.http.middlewares.admin-auth.basicauth.users=admin:$$2y$$05$$HmqkgwL5AxrYrwBWvvlVIuMVb5UMWrrChmhmRYFFkMXpLCFgi60US
- traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
- traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
- traefik.http.routers.traefik-public-http.rule=Host(`traefik-unifi.freifunk-troisdorf.de`)
- traefik.http.routers.traefik-public-http.entrypoints=http
- traefik.http.routers.traefik-public-http.middlewares=https-redirect
- traefik.http.routers.traefik-public-https.rule=Host(`traefik-unifi.freifunk-troisdorf.de`)
- traefik.http.routers.traefik-public-https.entrypoints=https
- traefik.http.routers.traefik-public-https.tls=true
# Use the special Traefik service api@internal with the web UI/Dashboard
- traefik.http.routers.traefik-public-https.service=api@internal
# Use the "le" (Let's Encrypt) resolver created below
- traefik.http.routers.traefik-public-https.tls.certresolver=le
# Enable HTTP Basic auth, using the middleware created above
- traefik.http.routers.traefik-public-https.middlewares=admin-auth
# Define the port inside of the Docker service to use
- traefik.http.services.traefik-public.loadbalancer.server.port=8080
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- traefik-public-certificates:/certificates
#- /opt/docker/traefik:/etc/traefik
command:
# Enable Docker in Traefik, so that it reads labels from Docker services
- --providers.docker
# Add a constraint to only use services with the label "traefik.constraint-label=traefik-public"
- --providers.docker.constraints=Label(`traefik.constraint-label`, `traefik-public`)
# Do not expose all Docker services, only the ones explicitly exposed
- --providers.docker.exposedbydefault=false
# Enable Docker Swarm mode
#- --providers.docker.swarmmode
# Create an entrypoint "http" listening on port 80
- --entrypoints.http.address=:80
# Create an entrypoint "https" listening on port 443
- --entrypoints.https.address=:443
# Create an entrypoint for SSH
- --entrypoints.ssh.address=:2222/tcp
# Create an entrypoint for DNS
#- --entrypoints.dns-tcp.address=:5353/tcp
# Create an entrypoint for DNS
#- --entrypoints.dns-udp.address=:5353/udp
# Create the certificate resolver "le" for Let's Encrypt, uses the environment variable EMAIL
- --certificatesresolvers.le.acme.email=info@hoffmann-hosting.de
# Store the Let's Encrypt certificates in the mounted volume
- --certificatesresolvers.le.acme.storage=/certificates/acme.json
# Use the TLS Challenge for Let's Encrypt
- --certificatesresolvers.le.acme.tlschallenge=true
# Enable the access log, with HTTP requests
- --accesslog
# Enable the Traefik log, for configurations and errors
- --log
# Enable the Dashboard and API
- --api
- --serverstransport.insecureskipverify=true
networks:
# Use the public network created to be shared between Traefik and
# any other service that needs to be publicly available with HTTPS
- traefik-public
volumes:
traefik-public-certificates:
portainer_data:
networks:
traefik-public:
driver: bridge
attachable: true

11
roles/21.1-portainer-compose/tasks/main.yml
View File

@ -1,11 +0,0 @@
---
- name: Create Docker Folder
ansible.builtin.file:
path: /opt/docker
state: directory
mode: '0755'
- name: Copy Docker-Compose File
copy:
src: portainer.yml
dest: /opt/docker/docker-compose.yml

3
roles/vyos-config/tasks/main.yml
View File

@ -1,3 +0,0 @@
- name: render a Jinja2 template onto the VyOS router
vyos.vyos.vyos_config:
src: config.j2

422
roles/vyos-config/templates/config.j2
View File

@ -1,422 +0,0 @@
interfaces {
ethernet eth0 {
address {{ wan_address }}{{ wan_net }}
description WAN
}
ethernet eth1 {
address {{ lan_address }}/24
description "Freifunk WAN"
ipv6 {
address {
autoconf
}
}
}
loopback lo {
address {{ ffrl_address }}/32
address {{ ffrl_address_v6 }}
}
tunnel tun0 {
address {{ gre_ber_a_address }}{{gre_bb_transfer_net}}
address {{ gre_ber_a_address_v6 }}{{ gre_bb_transfer_net_v6 }}
description {{ gre_ber_a_description }}
encapsulation gre
remote {{ gre_ber_a_remote }}
source-address {{ wan_address }}
}
tunnel tun1 {
address {{ gre_ber_b_address }}{{gre_bb_transfer_net}}
address {{ gre_ber_b_address_v6 }}{{ gre_bb_transfer_net_v6 }}
description {{ gre_ber_b_description }}
encapsulation gre
remote {{ gre_ber_b_remote }}
source-address {{ wan_address }}
}
tunnel tun2 {
address {{ gre_a_dus_address }}{{gre_bb_transfer_net}}
address {{ gre_a_dus_address_v6 }}{{ gre_bb_transfer_net_v6 }}
description {{ gre_a_dus_description }}
encapsulation gre
remote {{ gre_a_dus_remote }}
source-address {{ wan_address }}
}
tunnel tun3 {
address {{ gre_b_dus_address }}{{gre_bb_transfer_net}}
address {{ gre_b_dus_address_v6 }}{{ gre_bb_transfer_net_v6 }}
description {{ gre_b_dus_description }}
encapsulation gre
remote {{ gre_b_dus_remote }}
source-address {{ wan_address }}
}
tunnel tun4 {
address {{ gre_a_fra_address }}{{gre_bb_transfer_net}}
address {{ gre_a_fra_address_v6 }}{{ gre_bb_transfer_net_v6 }}
description {{ gre_a_fra_description }}
encapsulation gre
remote {{ gre_a_fra_remote }}
source-address {{ wan_address }}
}
tunnel tun5 {
address {{ gre_b_fra_address }}{{gre_bb_transfer_net}}
address {{ gre_b_fra_address_v6 }}{{ gre_bb_transfer_net_v6 }}
description {{ gre_b_fra_description }}
encapsulation gre
remote {{ gre_b_fra_remote }}
source-address {{ wan_address }}
}
}
nat {
source {
rule 1 {
outbound-interface any
source {
address {{ lan_network }}
}
translation {
address {{ ffrl_address }}
}
}
}
}
policy {
local-route {
rule 10 {
set {
table 42
}
source {{ wan_address }}
}
}
prefix-list FFRL-IN {
rule 10 {
action permit
prefix 0.0.0.0/0
}
}
prefix-list FFRL-OUT {
rule 10 {
action permit
prefix {{ ffrl_address }}/32
}
}
prefix-list6 FFRL-IN-6 {
rule 10 {
action permit
prefix ::/0
}
}
prefix-list6 FFRL-OUT-6 {
rule 10 {
action permit
prefix {{ ffrl_net_v6 }}
}
}
route-map FFRL-IN {
rule 10 {
action permit
match {
ip {
address {
prefix-list FFRL-IN
}
}
}
}
}
route-map FFRL-OUT {
rule 10 {
action permit
match {
ip {
address {
prefix-list FFRL-OUT
}
}
}
}
}
route-map FFRL-IN-6 {
rule 10 {
action permit
match {
ipv6 {
address {
prefix-list FFRL-IN-6
}
}
}
}
}
route-map FFRL-OUT-6 {
rule 10 {
action permit
match {
ipv6 {
address {
prefix-list FFRL-OUT-6
}
}
}
}
}
}
protocols {
bgp {
address-family {
ipv4-unicast {
network {{ ffrl_address }}/32 {
}
}
ipv6-unicast {
network {{ ffrl_net_v6 }} {
}
}
}
neighbor {{ gre_ber_a_neighbor }} {
address-family {
ipv4-unicast {
route-map {
export FFRL-OUT
import FFRL-IN
}
}
}
description {{ gre_ber_a_description }}
remote-as {{ gre_bb_renote_as }}
update-source {{ gre_ber_a_address }}
}
neighbor {{ gre_ber_b_neighbor }} {
address-family {
ipv4-unicast {
route-map {
export FFRL-OUT
import FFRL-IN
}
}
}
description {{ gre_ber_b_description }}
remote-as {{ gre_bb_renote_as }}
update-source {{ gre_ber_b_address }}
}
neighbor {{ gre_a_dus_neighbor }} {
address-family {
ipv4-unicast {
route-map {
export FFRL-OUT
import FFRL-IN
}
}
}
description {{ gre_a_dus_description }}
remote-as {{ gre_bb_renote_as }}
update-source {{ gre_a_dus_address }}
}
neighbor {{ gre_b_dus_neighbor }} {
address-family {
ipv4-unicast {
route-map {
export FFRL-OUT
import FFRL-IN
}
}
}
description {{ gre_b_dus_description }}
remote-as {{ gre_bb_renote_as }}
update-source {{ gre_b_dus_address }}
}
neighbor {{ gre_a_fra_neighbor }} {
address-family {
ipv4-unicast {
route-map {
export FFRL-OUT
import FFRL-IN
}
}
}
description {{ gre_a_fra_description }}
remote-as {{ gre_bb_renote_as }}
update-source {{ gre_a_fra_address }}
}
neighbor {{ gre_b_fra_neighbor }} {
address-family {
ipv4-unicast {
route-map {
export FFRL-OUT
import FFRL-IN
}
}
}
description {{ gre_b_fra_description }}
remote-as {{ gre_bb_renote_as }}
update-source {{ gre_b_fra_address }}
}
neighbor {{ gre_ber_a_neighbor_v6 }} {
address-family {
ipv6-unicast {
route-map {
export FFRL-OUT-6
import FFRL-IN-6
}
}
}
remote-as {{ gre_bb_renote_as }}
update-source {{ gre_ber_a_address_v6 }}
}
neighbor {{ gre_ber_b_neighbor_v6 }} {
address-family {
ipv6-unicast {
route-map {
export FFRL-OUT-6
import FFRL-IN-6
}
}
}
remote-as {{ gre_bb_renote_as }}
update-source {{ gre_ber_b_address_v6 }}
}
neighbor {{ gre_a_dus_neighbor_v6 }} {
address-family {
ipv6-unicast {
route-map {
export FFRL-OUT-6
import FFRL-IN-6
}
}
}
remote-as {{ gre_bb_renote_as }}
update-source {{ gre_a_dus_address_v6 }}
}
neighbor {{ gre_b_dus_neighbor_v6 }} {
address-family {
ipv6-unicast {
route-map {
export FFRL-OUT-6
import FFRL-IN-6
}
}
}
remote-as {{ gre_bb_renote_as }}
update-source {{ gre_b_dus_address_v6 }}
}
neighbor {{ gre_a_fra_neighbor_v6 }} {
address-family {
ipv6-unicast {
route-map {
export FFRL-OUT-6
import FFRL-IN-6
}
}
}
remote-as {{ gre_bb_renote_as }}
update-source {{ gre_a_fra_address_v6 }}
}
neighbor {{ gre_b_fra_neighbor_v6 }} {
address-family {
ipv6-unicast {
route-map {
export FFRL-OUT-6
import FFRL-IN-6
}
}
}
remote-as {{ gre_bb_renote_as }}
update-source {{ gre_b_fra_address_v6 }}
}
parameters {
router-id {{ wan_address }}
}
system-as {{ gre_bb_local_as }}
}
static {
table 42 {
route 0.0.0.0/0 {
next-hop {{ wan_gateway }} {
}
}
}
}
}
service {
ntp {
allow-client {
address 0.0.0.0/0
address ::/0
}
server time1.vyos.net {
}
server time2.vyos.net {
}
server time3.vyos.net {
}
}
router-advert {
interface eth1 {
default-lifetime 300
default-preference high
hop-limit 64
interval {
max 30
}
link-mtu 1500
name-server 2606:4700:4700::1111
prefix {{ ffrl_net_v6 }} {
preferred-lifetime 300
valid-lifetime 900
}
reachable-time 90000
retrans-timer 0
}
}
ssh {
port 22
}
}
system {
config-management {
commit-revisions 100
}
conntrack {
modules {
ftp
h323
nfs
pptp
sip
sqlnet
tftp
}
}
console {
device ttyS0 {
speed 115200
}
}
host-name {{ inventory_hostname }}
login {
banner {
post-login "Welcome to the core Freifunk Router for Troisdorf!\n\nEnjoy it while you are here!\n"
}
user vyos {
authentication {
public-keys nils {
key AAAAB3NzaC1yc2EAAAADAQABAAACAQCvwA3/NDj7Oo28Q1XdRIgOp//35gFVvsDa1dnMkgRDqJYvlIDbRiQ+UIcgu5YhstPb8BAxfvqjRP4rnMKc7v69T2Lp+HOMx+1sOYrznEe2hC5lPr4+U1u4Fzqhq/keSoItifmdTgrE+01Zc5jMBosUIm79TDgEMuEGcYVJIyAzDv9ez4u+Bz/HubRO+qT/+UmOICEg9m/C+fiH/ZAJHi90dMsj7RF5YXrRHXTAdiecurwGAZx2Adug1fFTvzB1pqBUHje1PFtEI+LheYklpNtiJo8NQ2KDEiavSxBibJrywzQHaddf0bkeAhmiNY8PRoMpMNeiu94DyNFWgdm7bLzdzrN/o5U7MlnJlcn8D1tLtdp0ngTxaN6VIywI8mQ/Ukxz8p2Ce49vu6osz4CvYhKx4mrvOSmqg9VjKcL6/rIwK7y5CWgIrddktxrSpUHXkzoQSefgZ5Bnu3CNp0GixWV5JTHnFxCulJAGi3TTqx7IvsJ8gpuKkeGnIgnDhFbqVOKeEEnR13tTCJ7MgPQ+VHREQ68u73a5TfDxJd/ggnG4tQ67HOcqxwa74+X1lv7YiJ3AvbrR7FFPNM3o5N8ZmZWhBLDaUHrjElHkZdB/V2l2bCblWhD0INCYoskuK1dFGdf3gQQeKOivGzKtzI0xNKutrxfvarkikxCEV3Exj889rQ==
type ssh-rsa
}
public-keys stefan {
key AAAAB3NzaC1yc2EAAAADAQABAAABAQDM0d9uUUdkK80fYEAz+IwxbhQO2qsr87Q4uxxwqQCvjVWryL+IuKMBJJGroWDMz2d9UJcIXEYdMz4436U0DoPJuoXe5iDsVvum3Vz3276My+tqx1bZWCktPa8Isft7mO/wfELNjRNQduUiwh2y712s7/3GQI+5Rs/65HuLHTnpLKrlfptqmsmYw+IUFDzGwBLJ6sqP90ywjKkperPCAH3IWcTsQwnW3EJFPToMg6BrQslZlxx/z+co3e6jCWzUuuIRP9jp4SmNVfYaVGb1cOFdL1p1P0qWHBHdGUnXHZ+c773VKVSj+spUBxKGqNC1EhRCYTsPDLVrYrhKl2BRLcgB
type ssh-rsa
}
}
}
}
syslog {
global {
facility all {
level info
}
facility protocols {
level debug
}
}
}
}

14
system-setup-supernode.yml
View File

@ -1,14 +0,0 @@
# ansible-playbook -i hosts.yml system-setup-supernode.yml -e vault.yml --ask-vault-password
- name: System preperation
hosts: freifunk_supernodes
roles:
- 00-ubuntu-basic
- 21-install-oitc
- name: VPN Offloader Setup
hosts: freifunk_supernodes
roles:
- 10-freifunk-supernode
- 10.1-dhcp
- 10.2-named
- 10.3-tunneldigger

16
system-setup-unifi.yml
View File

@ -1,16 +0,0 @@
# ansible-playbook -i hosts.yml system-setup-unifi.yml
- name: System preperation
hosts: service_server
roles:
- 00-ubuntu-basic
- name: Docker Setup
hosts: unifi
roles:
- 21-docker
- 21.1-portainer-compose
- name: Docker Setup
hosts: uisp
roles:
- 21-docker

17
system-setup.yml
View File

@ -1,17 +0,0 @@
# ansible-playbook -i hosts.yml system-setup.yml -e vault.yml --ask-vault-password
- name: System preperation
hosts: supernodes
roles:
- 00-ubuntu-basic
- 21-install-oitc
- name: VPN Offloader Setup
hosts: vpn_offloader_wireguard
roles:
- 01-vpn-offloader-setup
- 21-install-wireguard
- name: VPN Offloader Setup
hosts: vpn_offloader_openvpn
roles:
- 01-vpn-offloader-setup

10
update_wg.yml
View File

@ -1,10 +0,0 @@
# ansible-playbook -i hosts.yml update_wg.yml -e vault.yml --ask-vault-password
- name: System preperation
hosts: vpn-offloader-wireguard
roles:
- 21-install-wireguard
- name: System preperation
hosts: edge_router
roles:
- 01-vpn-router-config

6
vyos_config.yml
View File

@ -1,6 +0,0 @@
# ansible-playbook -i hosts.yml vyos_config.yml
- name: System preperation
hosts: router
roles:
- vyos-config
gather_facts: no