Added UISP

Reviewed-on: #1

.gitignore

@@ -0,0 +1,2 @@
+.DS_Store
+edgerouter_configs/**

README.md

@@ -1,22 +0,0 @@
-# ansible.fftdf.supernode
-Ansible yml file to manage Freifunk Troisdorf supernodes
-
-At this time you have to start it explicit with the target server
-example: ansible-playbook install.sn.yml --extra-vars "target=troisdorf5"
-example: ansible-playbook install.sn.yml --extra-vars "target=troisdorf[4,5,6]"
-
-You need this information in your hosts (/etc/ansible/hosts) file:
-#example, I hope self explaining
-[troisdorf5]
-78.46.233.212
-
-[troisdorf5:vars]
-sn_hostname=troisdorf5
-sn_dhcp_range=10.188.115.1 10.188.115.254
-sn_dhcp_dns=10.188.1.100, 10.188.1.23
-sn_dhcp_router=10.188.255.5
-sn_mesh_IPv6=fda0:747e:ab29:7405:255::5
-sn_mesh_IPv4=10.188.255.5
-sn_mesh_MAC=a2:8c:ae:6f:f6:05
-sn_fqdn=freifunk-troisdorf.de
-sn_l2tp_tb_port=53844

conf.conf

@@ -0,0 +1,474 @@
+interfaces {
+    ethernet eth0 {
+        address 5.9.220.113/29
+        description WAN
+    }
+    ethernet eth1 {
+        address 172.16.7.1/24
+        description "Freifunk WAN"
+        ipv6 {
+            address {
+                autoconf
+            }
+        }
+    }
+    loopback lo {
+        address 185.66.193.107/32
+        address 2a03:2260:121:600::0/128
+    }
+    tunnel tun0 {
+        address 100.64.6.25/31
+        address 2a03:2260:0:30c::2/64
+        description gre_bb_a_ak_ber
+        encapsulation gre
+        remote 185.66.195.0
+        source-address 5.9.220.113
+    }
+    tunnel tun1 {
+        address 100.64.6.31/31
+        address 2a03:2260:0:30f::2/64
+        description gre_bb_b_ak_ber
+        encapsulation gre
+        remote 185.66.195.1
+        source-address 5.9.220.113
+    }
+    tunnel tun2 {
+        address 100.64.6.29/31
+        address 2a03:2260:0:30e::2/64
+        description gre_bb_a_ix_dus
+        encapsulation gre
+        remote 185.66.193.0
+        source-address 5.9.220.113
+    }
+    tunnel tun3 {
+        address 100.64.6.35/31
+        address 2a03:2260:0:311::2/64
+        description gre_bb_b_ix_dus
+        encapsulation gre
+        remote 185.66.193.1
+        source-address 5.9.220.113
+    }
+    tunnel tun4 {
+        address 100.64.6.27/31
+        address 2a03:2260:0:30d::2/64
+        description gre_bb_a_fra3_f
+        encapsulation gre
+        remote 185.66.194.0
+        source-address 5.9.220.113
+    }
+    tunnel tun5 {
+        address 100.64.6.33/31
+        address 2a03:2260:0:310::2/64
+        description gre-bb-b.fra3.f
+        encapsulation gre
+        remote 185.66.194.1
+        source-address 5.9.220.113
+    }
+}
+nat {
+    destination {
+        rule 1 {
+            description "Allow SSH to VPN-01 Port 2222"
+            destination {
+                address 185.66.193.107/32
+                port 2222
+            }
+            inbound-interface any
+            protocol tcp
+            translation {
+                address 172.16.7.2
+                port 22
+            }
+        }
+        rule 2 {
+            description "Wireguard VPN-01 42001"
+            destination {
+                address 185.66.193.107
+                port 42001
+            }
+            inbound-interface any
+            protocol udp
+            translation {
+                address 172.16.7.2
+            }
+        }
+    }
+    source {
+        rule 1 {
+            outbound-interface any
+            source {
+                address 172.16.7.0/24
+            }
+            translation {
+                address 185.66.193.107
+            }
+        }
+    }
+}
+policy {
+    local-route {
+        rule 10 {
+            set {
+                table 42
+            }
+            source 5.9.220.113
+        }
+    }
+    prefix-list FFRL-IN {
+        rule 10 {
+            action permit
+            prefix 0.0.0.0/0
+        }
+    }
+    prefix-list FFRL-OUT {
+        rule 10 {
+            action permit
+            prefix 185.66.193.107/32
+        }
+    }
+    prefix-list6 FFRL-IN-6 {
+        rule 10 {
+            action permit
+            prefix ::/0
+        }
+    }
+    prefix-list6 FFRL-OUT-6 {
+        rule 10 {
+            action permit
+            prefix 2a03:2260:121:600::/55
+        }
+    }
+    route-map FFRL-IN {
+        rule 10 {
+            action permit
+            match {
+                ip {
+                    address {
+                        prefix-list FFRL-IN
+                    }
+                }
+            }
+        }
+    }
+    route-map FFRL-OUT {
+        rule 10 {
+            action permit
+            match {
+                ip {
+                    address {
+                        prefix-list FFRL-OUT
+                    }
+                }
+            }
+        }
+    }
+    route-map FFRL-IN-6 {
+        rule 10 {
+            action permit
+            match {
+                ipv6 {
+                    address {
+                        prefix-list FFRL-IN-6
+                    }
+                }
+            }
+        }
+    }
+    route-map FFRL-OUT-6 {
+        rule 10 {
+            action permit
+            match {
+                ipv6 {
+                    address {
+                        prefix-list FFRL-OUT-6
+                    }
+                }
+            }
+        }
+    }
+}
+protocols {
+    bgp {
+        address-family {
+            ipv4-unicast {
+                network 185.66.193.107/32 {
+                }
+            }
+            ipv6-unicast {
+                network 2a03:2260:121:600::/55 {
+                }
+            }
+        }
+        neighbor 100.64.6.24 {
+            address-family {
+                ipv4-unicast {
+                    route-map {
+                        export FFRL-OUT
+                        import FFRL-IN
+                    }
+                }
+            }
+            description ffrl_bb_a_ak_ber
+            remote-as 201701
+            update-source 100.64.6.25
+        }
+        neighbor 100.64.6.26 {
+            address-family {
+                ipv4-unicast {
+                    route-map {
+                        export FFRL-OUT
+                        import FFRL-IN
+                    }
+                }
+            }
+            description ffrl_bb_a_fra3_fra
+            remote-as 201701
+            update-source 100.64.6.27
+        }
+        neighbor 100.64.6.28 {
+            address-family {
+                ipv4-unicast {
+                    route-map {
+                        export FFRL-OUT
+                        import FFRL-IN
+                    }
+                }
+            }
+            description ffrl_bb_a_ix_dus
+            remote-as 201701
+            update-source 100.64.6.29
+        }
+        neighbor 100.64.6.30 {
+            address-family {
+                ipv4-unicast {
+                    route-map {
+                        export FFRL-OUT
+                        import FFRL-IN
+                    }
+                }
+            }
+            description ffrl_bb_b_ak_ber
+            remote-as 201701
+            update-source 100.64.6.31
+        }
+        neighbor 100.64.6.32 {
+            address-family {
+                ipv4-unicast {
+                    route-map {
+                        export FFRL-OUT
+                        import FFRL-IN
+                    }
+                }
+            }
+            description ffrl_bb_b_fra3_fra
+            remote-as 201701
+            update-source 100.64.6.33
+        }
+        neighbor 100.64.6.34 {
+            address-family {
+                ipv4-unicast {
+                    route-map {
+                        export FFRL-OUT
+                        import FFRL-IN
+                    }
+                }
+            }
+            description ffrl_bb_b_ix_dus
+            remote-as 201701
+            update-source 100.64.6.35
+        }
+        neighbor 2a03:2260:0:30c::1 {
+            address-family {
+                ipv6-unicast {
+                    route-map {
+                        export FFRL-OUT-6
+                        import FFRL-IN-6
+                    }
+                }
+            }
+            remote-as 201701
+            update-source 2a03:2260:0:30c::2
+        }
+        neighbor 2a03:2260:0:30d::1 {
+            address-family {
+                ipv6-unicast {
+                    route-map {
+                        export FFRL-OUT-6
+                        import FFRL-IN-6
+                    }
+                }
+            }
+            remote-as 201701
+            update-source 2a03:2260:0:30d::2
+        }
+        neighbor 2a03:2260:0:30e::1 {
+            address-family {
+                ipv6-unicast {
+                    route-map {
+                        export FFRL-OUT-6
+                        import FFRL-IN-6
+                    }
+                }
+            }
+            remote-as 201701
+            update-source 2a03:2260:0:30e::2
+        }
+        neighbor 2a03:2260:0:30f::1 {
+            address-family {
+                ipv6-unicast {
+                    route-map {
+                        export FFRL-OUT-6
+                        import FFRL-IN-6
+                    }
+                }
+            }
+            remote-as 201701
+            update-source 2a03:2260:0:30f::2
+        }
+        neighbor 2a03:2260:0:310::1 {
+            address-family {
+                ipv6-unicast {
+                    route-map {
+                        export FFRL-OUT-6
+                        import FFRL-IN-6
+                    }
+                }
+            }
+            remote-as 201701
+            update-source 2a03:2260:0:310::2
+        }
+        neighbor 2a03:2260:0:311::1 {
+            address-family {
+                ipv6-unicast {
+                    route-map {
+                        export FFRL-OUT-6
+                        import FFRL-IN-6
+                    }
+                }
+            }
+            remote-as 201701
+            update-source 2a03:2260:0:311::2
+        }
+        parameters {
+            router-id 10.188.255.7
+        }
+        system-as 65066
+    }
+    static {
+        route6 2a03:2260:121:e000::/54 {
+            interface eth1 {
+            }
+        }
+        table 42 {
+            route 0.0.0.0/0 {
+                next-hop 5.9.220.112 {
+                }
+            }
+        }
+    }
+}
+service {
+    dhcp-server {
+        listen-address 172.16.7.1
+        shared-network-name freifunk {
+            subnet 172.16.7.0/24 {
+                default-router 172.16.7.1
+                name-server 1.1.1.1
+                name-server 1.0.0.1
+                range dhcp {
+                    start 172.16.7.10
+                    stop 172.16.7.200
+                }
+                static-mapping vpn-01 {
+                    ip-address 172.16.7.2
+                    mac-address 36:f3:82:18:9b:03
+                }
+            }
+        }
+    }
+    ntp {
+        allow-client {
+            address 0.0.0.0/0
+            address ::/0
+        }
+        server time1.vyos.net {
+        }
+        server time2.vyos.net {
+        }
+        server time3.vyos.net {
+        }
+    }
+    router-advert {
+        interface eth1 {
+            default-lifetime 300
+            default-preference high
+            hop-limit 64
+            interval {
+                max 30
+            }
+            link-mtu 1500
+            name-server 2001:4860:4860::8888
+            other-config-flag
+            prefix 2a03:2260:121:600::/58 {
+                preferred-lifetime 300
+                valid-lifetime 900
+            }
+            reachable-time 90000
+            retrans-timer 0
+        }
+    }
+    ssh {
+        port 22
+    }
+}
+system {
+    config-management {
+        commit-revisions 100
+    }
+    conntrack {
+        modules {
+            ftp
+            h323
+            nfs
+            pptp
+            sip
+            sqlnet
+            tftp
+        }
+    }
+    console {
+        device ttyS0 {
+            speed 115200
+        }
+    }
+    host-name 7.fftdf.de
+    login {
+        banner {
+            post-login "Welcome to the core Freifunk Router for Troisdorf!\n\nEnjoy it while you are here!\n"
+        }
+        user vyos {
+            authentication {
+                encrypted-password ****************
+                plaintext-password ****************
+                public-keys nils {
+                    key ****************
+                    type ssh-rsa
+                }
+                public-keys stefan {
+                    key ****************
+                    type ssh-rsa
+                }
+            }
+        }
+    }
+    syslog {
+        global {
+            facility all {
+                level info
+            }
+            facility protocols {
+                level debug
+            }
+        }
+    }
+}

definition.md

@@ -0,0 +1,57 @@
+# Network
+## IP Spaces
+
+### From FFRL
+
+External IPv4:
+- troisdorf4: 185.66.193.104
+- troisdorf5: 185.66.193.105
+- troisdorf6: 185.66.193.106
+- troisdorf7: 185.66.193.107
+
+IPv6 Prefix: 2a03:2260:121::/48
+
+### Internal and Segmentation:
+
+#### IPv4:
+Wir unterscheiden zwischen Gluon Netzen und VPN-Offloader Netzen
+
+Die Gluon Netze sind im bereich 10.188.0.0/16
+
+Die VPN Offloader Netze im Bereich 10.0.0.0/8
+
+#### IPv6:
+
+FFRL    2a03:2260:121::/48
+Wir nutzen jetzt nur das Netz 2a03:2260:121::/52
+
+GRE-Router: bekommen ein /55
+https://www.internex.at/de/toolbox/ipv6/ip6=2a03:2260:121::/prefix=52/subnetNo=8
+
+gre1: 2a03:2260:121::/55        (FFRL Tunnel-Paar 1, momentan TDF4)
+gre2: 2a03:2260:121:200::/55    (FFRL Tunnel-Paar 2, momentan TDF5)
+gre3: 2a03:2260:121:400::/55    (FFRL Tunnel-Paar 3, momentan TDF6)
+gre4: 2a03:2260:121:600::/55    (FFRL Tunnel-Paar 4, momentane Testumgebung)
+gre5: 2a03:2260:121:800::/55    (noch keine verwendung)
+gre6: 2a03:2260:121:a00::/55    (noch keine verwendung)
+gre7: 2a03:2260:121:c00::/55    (noch keine verwendung)
+gre8: 2a03:2260:121:e00::/55    (noch keine verwendung)
+
+
+Supernodes / VPN Server bekommen ein /58 aus dem Netz des GRE Routers (hier am beispiel gre4)
+https://www.internex.at/de/toolbox/ipv6/ip6=2a03:2260:121:600::/prefix=55/subnetNo=8
+
+vpn1:   2a03:2260:121:600::/58
+vpn2:   2a03:2260:121:640::/58
+vpn3:   2a03:2260:121:680::/58
+vpn4:   2a03:2260:121:6c0::/58
+vpn5:   2a03:2260:121:700::/58
+vpn6:   2a03:2260:121:740::/58
+vpn7:   2a03:2260:121:780::/58
+vpn8:   2a03:2260:121:7c0::/58
+
+Router/Clients bekommen dann jeweils ein /64 aus dem vpn Netz:
+https://www.internex.at/de/toolbox/ipv6/ip6=2a03:2260:121:600::/prefix=58/subnetNo=64
+
+client1:    2a03:2260:121:601::/64
+usw...

er-test.yml

@@ -0,0 +1,5 @@
+# ansible-playbook -i hosts.yml er-test.yml --ask-vault-password
+- name: System preperation
+  hosts: edge_router
+  roles:
+     - 01-vpn-router-config

files/alfred.sh.j2

@@ -1,51 +0,0 @@
-#!/bin/sh
-
-release=$(/bin/uname -r)
-nodeid=$( /bin/echo {{ sn_mesh_MAC }} | /bin/sed s/://g)
-#meshh_if=$(/bin/cat /sys/class/net/troisdorf*/address | /bin/grep -v ^00:00:00)
-meshh_if=$(/bin/cat /sys/class/net/l2tp*/address | /bin/grep -v ^00:00:00)
-tempfile=/tmp/alfred_info
-
-if [ -f $tempfile ]
- then
-  /bin/rm $tempfile
-fi
-
-/bin/cat > $tempfile <<EOF
-{
-"network": {
-"mac": "{{ sn_mesh_MAC }}",
-"addresses": [
-"{{ sn_mesh_IPv6 }}",
-"{{ sn_mesh_IPv4 }}"
-],
-"mesh_interfaces": [
-$(for i in $meshh_if; do /bin/echo '"'$i'",';done)
-"{{ ul_mesh_MAC }}",
-"{{ sn_mesh_MAC }}"
-]
-},
-"vpn": true,
-"node_id": "$nodeid",
-"hostname": "Gateway:{{ sn_hostname }}",
-"hardware": {
-"model": "vServer"
-},
-"owner": {
-"contact": "stefan@freifunk-troisdorf.de"
-}
-}
-EOF
-
-if [ -f $tempfile ]
- then
-  /bin/cat "$tempfile" | /bin/gzip | /usr/local/sbin/alfred -s 158
-fi
-
-if [ -f $tempfile ]
- then
-  /bin/rm $tempfile
-fi
-
-exit 0
-

files/authorized_keys

@@ -1,9 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAos0JvQsyAsP3FcsqDCBTDqzUGBeoxMKDj/SSRoy5MBDPUaWm37b93Lqmg1wMj0qvUURBKpWsRiRUzzRAaQrIdhcZjo0Gkw4vv7tpFQCmvWqxUpzH00GDKjLrMvNfcv+5b0Ctl06Bo+e4nb2SVsFhjaP9MLIjHiKpgivIPx9aKwxKx/VjsW920eWOG+VaDKIJTxPGUYedaUgIktvhutAbOyRR/OJlIZ3Qs0cnyT4KTM4pe4br2p3+mNs6J7G+z8Lw99WiUBfUwsRLVO68nJA2PKlJNEUGJycngqV06iQpcDfei88DFRMetN9bhVYxWFIzCQfjjqs8dkomEhfFQwfOTYiOouhaycZABwU4pPmQwZIkp1q4KduodU/KYsf78WitYgavHVInWBQuAUljafwQpTLHy8AI6M3XmbKi5rvNZiy4hoxfaT7rYJGuBoTwsZEHI7Sf26XsyQKJdu29mmIYPpzPKP7VAyjAVLqruLX1Yy0oZuM22YFFj5MHuoEN3WdXOYymvZyOM05xXeQk6gVh3EE6MpbK8CFz1KPNEjd+vce1zUyACDvqdt6ZIjqmUdivBsvHDTqMgH9mSxjjjwLy+Sd7snXx0bqksTdPChAlXN9vs3ez8FJl0P4inzjza8l8zGqaa2A1CsO8dRcyojohczLYoTHWQTB3tVIdcj55UIE= Roman
-
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDM0d9uUUdkK80fYEAz+IwxbhQO2qsr87Q4uxxwqQCvjVWryL+IuKMBJJGroWDMz2d9UJcIXEYdMz4436U0DoPJuoXe5iDsVvum3Vz3276My+tqx1bZWCktPa8Isft7mO/wfELNjRNQduUiwh2y712s7/3GQI+5Rs/65HuLHTnpLKrlfptqmsmYw+IUFDzGwBLJ6sqP90ywjKkperPCAH3IWcTsQwnW3EJFPToMg6BrQslZlxx/z+co3e6jCWzUuuIRP9jp4SmNVfYaVGb1cOFdL1p1P0qWHBHdGUnXHZ+c773VKVSj+spUBxKGqNC1EhRCYTsPDLVrYrhKl2BRLcgB stefan@Stefan-Linux
-
-ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEA5OYOF+VBtXXxv/wZkT5K3P7QAUJaM88zJqeGh8NJCO7EDg9jLoWLzAP7LnM9XEA4ycWdl8HX1+EUKqVXAbSNItTZZkO9LCbIiIe1w8oJd2j9hY0IpxPqbz9ePPZh0JtxAZMh3NgOoSiND0leAeOt0lTlDPh4g3G4KvR33d9PIj5ZerU47ceLyy4xEwNbZDKD04+frpq1W+lDqglR0jV/h/pcoQTAEBflbmGLeXIXRsR6zq/of4Wx/MlX18VD9SXPLGXvQ5c4lt5PvV/oeHz4gEjPv2hrI3s3fyWakadAuI9ah48CaEgpVReUGjtYDc0PskvjAH/+slqIHW1D5El+R1Z/2wn/aEGokFHUc0SiFb3NAOwxWvMtUHhXi9ZiTHt0p/0FwWZ1pxqRzODvK8uZ7LAJRGe6q9NYQkIax6SLOfWm4MFWDpDLgWz5MSbPqo+Kfo0614z1mxA3vpY53lUqEGRx4I6z/PDaOHMFd3sxhSMPGvmMvAOLTRofFppwUq1YqQkd6embsJjBN0gU9AilpL5Q2il0OoW4g0rUR8HPJczuDzmHZTXpPU2dY6MhAJ0sbNmk0XhmyoEH9/A1zPEHmirTcBMmbFUsYmR6+MnHEhxnRu5PQpXqcu2vN+JAeasgJShRl7g+rHIdutswHUAWWyfgaD0GF3f6zuOLooz1XQU= localadmin@tst-ansible
-
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDDA2KJvzjFxFrjJvxJj/AZ3rPKGT15JUnV7LhTo0BuXITwx+DpEK6u2m3yjigf2B8ws4VbpL7ceWyP8L3wspozqbqOgyYrQ9TISipkNV9O/DzR+F8R7mhn5mV7+pEOJu1Ba6rtYTfJTcloRKklfO9UjaFLwM69H0GNsomcKMd5Kl4c7DMMwcpXfhb8b7ET5agtfAhXU0CHalnhdAVCwmsC3mj9blOLlX4lxFLonGKVcZB7nWQEmvVAG+9yp6UWZZzeBCPea8Bw4hUVAZcsbK9XLbE4D+gUoxHu2oKGRja4kUnYmlWZOyqlUGbRD6bUxmnW1aBCh8x+b91YLlGv38vT6Y/sy0tPOoVK5kHxJ2yQmnlpgRzgBZf8Kl9ouO/onvExR787C+6TGG834ROW3SaiEeta0RvWwLzugexotT02qqpJmlIXu+gpvN+O9LSfQWzcaCFJTB6MD8mox1ks/W15Uij1pCeleUmiFdVtmt3PCs/ouuG1Uhm9MSWOBNwdFlTpAngopqBHSKYpTY+LhDD9Bv+U4Tno3i4dIGLYqNVmaRij2A0jZeSKOi/OgAaQsD7CzrDhn7C8dlsBFzPjtpFNqgk2Ss5bv3dpfQhBKsaxAe0X5W57vqJD+986039H3fj9/2o2PGuWCNr1LCWSjiy8t/P++cbn0rGdJAIexgTj3Q== supernodeadmin@update1
-
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUTvOdUbtWOmQ1HHh1rNm9LvGozlVPOu0XVcmZ2/NfSOrDbnN99Y4o2Q2mm/ZITWtEZkijnS+LdqB/SO+I2c8NWQO3+gCd9WzI/pqRso2eDIMtPfidnEGdUi4+hHmT96TGOh6P/SrR71646AJkQr5vxLDs/U/57uyTxNwgHFYb1zfekeK4J8gm9StfiGTdfFDTQsYQljrO0YxGrNG2koRXDwgUca4kGjx/HYwnjtl1nDRSAa8HvgxqAASFFrqSOhCkrlCgxoKZZwGIFccYTcAJFDhqIG32q2tRAQOtqxy5OWbTkJLBTBaR7dG4W9iYHbV6vscfNQD7Ml3aMrS+TA0x stefan@ff-stefan@tst-office

files/bataddif.sh.j2

@@ -1,8 +0,0 @@
-#!/bin/bash
-INTERFACE="$3"
-MAC="$8"
-brctl=/sbin/brctl
-
-/bin/ip link set dev $INTERFACE up mtu 1312
-#echo "enabled" > /sys/devices/virtual/net/$INTERFACE/batman_adv/no_rebroadcast
-$brctl addif br-nodes $INTERFACE

files/batdelif.sh

@@ -1,4 +0,0 @@
-#!/bin/bash
-INTERFACE="$3"
-
-/sbin/brctl delif br-nodes $INTERFACE

files/bird-troisdorf5.conf

@@ -1,84 +0,0 @@
-/*
- *      This is an example configuration file.
- */
-
-# Yes, even shell-like comments work...
-
-# Configure logging
-#log syslog { debug, trace, info, remote, warning, error, auth, fatal, bug };
-#log stderr all;
-#log "tmp" all;
-#log syslog all;
-
-#debug protocols all;
-
-# Override router ID
-router id 10.188.255.5;
-
-
-protocol direct {
-        interface "*";
-};
-
-protocol kernel {
-        device routes;
-        import all;
-        export all;
-        kernel table 42;
-};
-
-protocol device {
-        scan time 8;
-};
-
-function is_default() {
-        return (net ~ [0.0.0.0/0]);
-};
-
-# own network
-function is_self_net() {
-    return (net ~ [ 10.188.0.0/16+ ]);
-}
-
-# freifunk ip ranges in general
-function is_freifunk() {
-  return net ~ [ 10.0.0.0/8+,
-    104.0.0.0/8+
-  ];
-}
-
-filter hostroute {
-        if net ~ 185.66.193.105/32 then accept;
-        reject;
-};
-
-# Uplink über ff Rheinland
-template bgp uplink {
-        local as 65066;
-        import where is_default();
-        export filter hostroute;
-        next hop self;
-        multihop 64;
-        default bgp_local_pref 200;
-};
-
-protocol bgp ffrl_bb_a_ak_ber from uplink {
-        source address 100.64.2.151;
-        neighbor 100.64.2.150 as 201701;
-};
-
-protocol bgp ffrl_bb_b_ak_ber from uplink {
-        source address 100.64.2.153;
-        neighbor 100.64.2.152 as 201701;
-};
-
-protocol bgp ffrl_bb_a_ix_dus from uplink {
-        source address 100.64.2.155;
-        neighbor 100.64.2.154 as 201701;
-};
-
-protocol bgp ffrl_bb_b_ix_dus from uplink {
-        source address 100.64.2.157;
-        neighbor 100.64.2.156 as 201701;
-};
-

files/bird-troisdorf6.conf

@@ -1,84 +0,0 @@
-/*
- *      This is an example configuration file.
- */
-
-# Yes, even shell-like comments work...
-
-# Configure logging
-#log syslog { debug, trace, info, remote, warning, error, auth, fatal, bug };
-#log stderr all;
-#log "tmp" all;
-#log syslog all;
-
-#debug protocols all;
-
-# Override router ID
-router id 10.188.255.6;
-
-
-protocol direct {
-        interface "*";
-};
-
-protocol kernel {
-        device routes;
-        import all;
-        export all;
-        kernel table 42;
-};
-
-protocol device {
-        scan time 8;
-};
-
-function is_default() {
-        return (net ~ [0.0.0.0/0]);
-};
-
-# own network
-function is_self_net() {
-    return (net ~ [ 10.188.0.0/16+ ]);
-}
-
-# freifunk ip ranges in general
-function is_freifunk() {
-  return net ~ [ 10.0.0.0/8+,
-    104.0.0.0/8+
-  ];
-}
-
-filter hostroute {
-        if net ~ 185.66.193.106/32 then accept;
-        reject;
-};
-
-# Uplink über ff Rheinland
-template bgp uplink {
-        local as 65066;
-        import where is_default();
-        export filter hostroute;
-        next hop self;
-        multihop 64;
-        default bgp_local_pref 200;
-};
-
-protocol bgp ffrl_bb_a_ak_ber from uplink {
-        source address 100.64.2.159;
-        neighbor 100.64.2.158 as 201701;
-};
-
-protocol bgp ffrl_bb_b_ak_ber from uplink {
-        source address 100.64.2.161;
-        neighbor 100.64.2.160 as 201701;
-};
-
-protocol bgp ffrl_bb_a_ix_dus from uplink {
-        source address 100.64.2.163;
-        neighbor 100.64.2.162 as 201701;
-};
-
-protocol bgp ffrl_bb_b_ix_dus from uplink {
-        source address 100.64.2.165;
-        neighbor 100.64.2.164 as 201701;
-};
-

files/bird6-troisdorf5.conf

@@ -1,82 +0,0 @@
-# Configure logging
-#log syslog { debug, trace, info, remote, warning, error, auth, fatal, bug };
-#log stderr all;
-#log "tmp" all;
-#log syslog all;
-
-#debug protocols all;
-
-# Override router ID
-router id 10.188.255.5;
-
-protocol direct {
-#        interface "*";  # Restrict network interfaces it works with
-#        interface "bat0", "gre-*", "eth*", "lo";  # Restrict network interfaces it works with
-        interface "bat0", "gre-*", "lo";  # Restrict network interfaces it works with
-
-}
-
-
-protocol kernel {
-        device routes;
-        import all;
-        export all;             # Default is export none
-        kernel table 42;                # Kernel table to synchronize with (default: main)
-}
-
-protocol device {
-        scan time 10;           # Scan interfaces every 10 seconds
-}
-
-function is_default() {
-        return (net ~ [::/0]);
-}
-
-# own networks
-function is_self_net() {
-return net ~ [ fda0:747e:ab29:7405::/64+ ];
-}
-
-# freifunk ip ranges in general
-function is_freifunk() {
-return net ~ [ fc00::/7{48,64},
-2001:bf7::/32+];
-}
-
-filter hostroute {
-        if net ~ 2a03:2260:121::/48 then accept;
-        reject;
-}
-
-
-
-# Uplink zum FF Rheinland
-template bgp uplink {
-        local as 65066;
-        import where is_default();
-        export filter hostroute;
-        gateway recursive;
-}
-
-
-protocol bgp ffrl_bb_a_ak_ber from uplink {
-        source address 2a03:2260:0:155::2;
-        neighbor 2a03:2260:0:155::1 as 201701;
-}
-
-protocol bgp ffrl_bb_b_ak_ber from uplink {
-        source address 2a03:2260:0:156::2;
-        neighbor 2a03:2260:0:156::1 as 201701;
-}
-
-
-protocol bgp ffrl_bb_a_ix_dus from uplink {
-        source address 2a03:2260:0:157::2;
-        neighbor 2a03:2260:0:157::1 as 201701;
-}
-
-protocol bgp ffrl_bb_b_ix_dus from uplink {
-        source address 2a03:2260:0:158::2;
-        neighbor 2a03:2260:0:158::1 as 201701;
-}
-

files/bird6-troisdorf6.conf

@@ -1,82 +0,0 @@
-# Configure logging
-#log syslog { debug, trace, info, remote, warning, error, auth, fatal, bug };
-#log stderr all;
-#log "tmp" all;
-#log syslog all;
-
-#debug protocols all;
-
-# Override router ID
-router id 10.188.255.6;
-
-protocol direct {
-#        interface "*";  # Restrict network interfaces it works with
-#        interface "bat0", "gre-*", "eth*", "lo";  # Restrict network interfaces it works with
-        interface "bat0", "gre-*", "lo";  # Restrict network interfaces it works with
-
-}
-
-
-protocol kernel {
-        device routes;
-        import all;
-        export all;             # Default is export none
-        kernel table 42;                # Kernel table to synchronize with (default: main)
-}
-
-protocol device {
-        scan time 10;           # Scan interfaces every 10 seconds
-}
-
-function is_default() {
-        return (net ~ [::/0]);
-}
-
-# own networks
-function is_self_net() {
-return net ~ [ fda0:747e:ab29:7405::/64+ ];
-}
-
-# freifunk ip ranges in general
-function is_freifunk() {
-return net ~ [ fc00::/7{48,64},
-2001:bf7::/32+];
-}
-
-filter hostroute {
-        if net ~ 2a03:2260:121::/48 then accept;
-        reject;
-}
-
-
-
-# Uplink zum FF Rheinland
-template bgp uplink {
-        local as 65066;
-        import where is_default();
-        export filter hostroute;
-        gateway recursive;
-}
-
-
-protocol bgp ffrl_bb_a_ak_ber from uplink {
-        source address 2a03:2260:0:159::2;
-        neighbor 2a03:2260:0:159::1 as 201701;
-}
-
-protocol bgp ffrl_bb_b_ak_ber from uplink {
-        source address 2a03:2260:0:15a::2;
-        neighbor 2a03:2260:0:15a::1 as 201701;
-}
-
-
-protocol bgp ffrl_bb_a_ix_dus from uplink {
-        source address a03:2260:0:15b::2;
-        neighbor 2a03:2260:0:15b::1 as 201701;
-}
-
-protocol bgp ffrl_bb_b_ix_dus from uplink {
-        source address 2a03:2260:0:15c::2;
-        neighbor 2a03:2260:0:15c::1 as 201701;
-}
-

files/collectd.conf.j2

@@ -1,53 +0,0 @@
-# Config file for collectd(1).
-#
-# Some plugins need additional configuration and are disabled by default.
-# Please read collectd.conf(5) for details.
-#
-# You should also read /usr/share/doc/collectd-core/README.Debian.plugins
-# before enabling any more plugins.
-
-## General ##
-
-Hostname "{{ sn_hostname }}"
-FQDNLookup true
-BaseDir "/var/lib/collectd"
-PluginDir "/usr/lib/collectd"
-Interval 60
-Timeout 2
-ReadThreads 5
-
-## Load Plugins ##
-LoadPlugin write_graphite
-LoadPlugin syslog
-LoadPlugin cpu
-LoadPlugin load
-LoadPlugin memory
-LoadPlugin processes
-LoadPlugin users
-LoadPlugin uptime
-LoadPlugin interface
-LoadPlugin filecount
-<Plugin "filecount">
-  <Directory "/opt/freifunk/tunneldigger_interfaces">
-    Instance "tunneldigger-connections"
-    Name "l2tp*"
-  </Directory>
-</Plugin>
-<Plugin write_graphite>
-        <Carbon>
-		Host "10.188.1.27"
-                Port "2003"
-                Prefix "collectd.gateways."
-                StoreRates true
-                AlwaysAppendDS false
-                EscapeCharacter "_"
-        </Carbon>
-</Plugin>
-
-<Plugin syslog>
-        LogLevel info
-</Plugin>
-
-###########################################################
-Include "/etc/collectd/filters.conf"
-Include "/etc/collectd/thresholds.conf"

files/collectd_td_stat.sh

@@ -1,16 +0,0 @@
-#!/bin/bash
-#Check if foldes exists
-if ! [ -d /opt/freifunk/tunneldigger_interfaces ]; then
-mkdir /opt/freifunk/tunneldigger_interfaces
-fi
-#Remove old Interfaces
-rm /opt/freifunk/tunneldigger_interfaces/*
-#Create Interace files
-for i in `/sbin/brctl show br-nodes | grep l2tp`;
-do
-        touch /opt/freifunk/tunneldigger_interfaces/$i
-done
-#Remove wrong file
-rm /opt/freifunk/tunneldigger_interfaces/no
-rm /opt/freifunk/tunneldigger_interfaces/br-*
-rm /opt/freifunk/tunneldigger_interfaces/8*

files/dhcpd.conf.j2

@@ -1,15 +0,0 @@
-# Version 1.3
-ddns-update-style none;
-option domain-name "fftdf";
-default-lease-time 300;
-max-lease-time 3600;
-log-facility local7;
-subnet 10.188.0.0 netmask 255.255.0.0 {
-authoritative;
-range {{ sn_dhcp_range }};
-option domain-name-servers {{ sn_mesh_IPv4 }}, {{ sn_dhcp_dns_v4 }};
-option routers {{ sn_mesh_IPv4 }};
-option interface-mtu {{ sn_mtu }};
-interface bat0;
-}
-include "/opt/freifunk/static-dhcp/static.conf";

files/dhcpd6.conf.j2

@@ -1,22 +0,0 @@
-# Enable RFC 5007 support (same than for DHCPv4)
-allow leasequery;
-
-authoritative;
-
-default-lease-time 300;
-max-lease-time 600;
-
-#option dhcp6.name-servers {{ sn_mesh_IPv6 }};
-option dhcp6.name-servers {{ sn_mesh_IPv6 }}, {{ sn_dhcp_dns_v6 }};
-
-option dhcp6.domain-search "fftdf";
-
-subnet6 2a03:2260:121::/64 {
-#
-#       # Range for clients
-#       range6 2a03:2260:121::201 2a03:2260:121::ffff;
-#
-#       # Range for clients requesting a temporary address
-#       range6 2a03:2260:121::/64 temporary;
-}
-

files/interfaces-troisdorf5

@@ -1,80 +0,0 @@
-# This file describes the network interfaces available on your system
-# and how to activate them. For more information, see interfaces(5).
-
-source /etc/network/interfaces.d/*
-
-# The loopback network interface
-auto lo
-iface lo inet loopback
-        up ip address add 185.66.193.105/32 dev lo
-
-iface lo inet6 loopback
-        up ip address add 2a03:2260:121::105/48 dev lo
-
-
-# The primary network interface
-allow-hotplug eth0
-iface eth0 inet dhcp
-
-iface eth0 inet6 static
-        address 2a01:4f8:c17:173b::2
-        netmask 64
-        gateway fe80::1
-
-# GRE Tunnel zum Rheinland Backbone
-# - Die Konfigurationsdaten werden vom Rheinland Backbone vergeben und zugewiesen
-
-# Berlin Router A
-auto gre-bb-a.ak.ber
-iface gre-bb-a.ak.ber inet static
-        address 100.64.2.151
-        netmask 255.255.255.254
-        pre-up ip tunnel add $IFACE mode gre local 172.31.1.100 remote 185.66.195.0 ttl 255
-        post-up ip link set $IFACE mtu 1400
-        post-down ip tunnel del $IFACE
-
-iface gre-bb-a.ak.ber inet6 static
-        address 2a03:2260:0:155::2/64
-        netmask 64
-
-# Berlin Router B
-auto gre-bb-b.ak.ber
-iface gre-bb-b.ak.ber inet static
-        address 100.64.2.153
-        netmask 255.255.255.254
-        pre-up ip tunnel add $IFACE mode gre local 172.31.1.100 remote 185.66.195.1 ttl 255
-        post-up ip link set $IFACE mtu 1400
-        post-down ip tunnel del $IFACE
-
-iface gre-bb-b.ak.ber inet6 static
-        address 2a03:2260:0:156::2/64
-        netmask 64
-
-
-# Duesseldorf Router A
-auto gre-bb-a.ix.dus
-iface gre-bb-a.ix.dus inet static
-        address 100.64.2.155
-        netmask 255.255.255.254
-        pre-up ip tunnel add $IFACE mode gre local 172.31.1.100 remote 185.66.193.0 ttl 255
-        post-up ip link set $IFACE mtu 1400
-        post-down ip tunnel del $IFACE
-
-iface gre-bb-a.ix.dus inet6 static
-        address 2a03:2260:0:157::2/64
-        netmask 64
-
-
-# Duesseldorf Router B
-auto gre-bb-b.ix.dus
-iface gre-bb-b.ix.dus inet static
-        address 100.64.2.157
-        netmask 255.255.255.254
-        pre-up ip tunnel add $IFACE mode gre local 172.31.1.100 remote 185.66.193.1 ttl 255
-        post-up ip link set $IFACE mtu 1400
-        post-down ip tunnel del $IFACE
-
-iface gre-bb-b.ix.dus inet6 static
-        address 2a03:2260:0:158::2/64
-        netmask 64
-

files/interfaces-troisdorf6

@@ -1,85 +0,0 @@
-# This file describes the network interfaces available on your system
-# and how to activate them. For more information, see interfaces(5).
-
-source /etc/network/interfaces.d/*
-
-# The loopback network interface
-auto lo
-iface lo inet loopback
-        up ip address add 185.66.193.106/32 dev lo
-
-iface lo inet6 loopback
-        up ip address add 2a03:2260:121::106/48 dev lo
-
-
-# The primary network interface
-allow-hotplug eth0
-#iface eth0 inet dhcp
-iface eth0 inet static
-        address 46.4.138.189
-        netmask 255.255.255.192
-        gateway 46.4.138.129
-        dns-nameserver 213.133.100.100 213.133.99.99 213.133.98.98
-
-iface eth0 inet6 static
-        address 2a01:4f8:11d:600::189
-        netmask 59
-        gateway 2a01:4f8:11d:600::1
-
-# GRE Tunnel zum Rheinland Backbone
-# - Die Konfigurationsdaten werden vom Rheinland Backbone vergeben und zugewiesen
-
-# Berlin Router A
-auto gre-bb-a.ak.ber
-iface gre-bb-a.ak.ber inet static
-        address 100.64.2.159
-        netmask 255.255.255.254
-        pre-up ip tunnel add $IFACE mode gre local 46.4.138.189 remote 185.66.195.0 ttl 255
-        post-up ip link set $IFACE mtu 1400
-        post-down ip tunnel del $IFACE
-
-iface gre-bb-a.ak.ber inet6 static
-        address 2a03:2260:0:159::2/64
-        netmask 64
-
-# Berlin Router B
-auto gre-bb-b.ak.ber
-iface gre-bb-b.ak.ber inet static
-        address 100.64.2.161
-        netmask 255.255.255.254
-        pre-up ip tunnel add $IFACE mode gre local 46.4.138.189 remote 185.66.195.1 ttl 255
-        post-up ip link set $IFACE mtu 1400
-        post-down ip tunnel del $IFACE
-
-iface gre-bb-b.ak.ber inet6 static
-        address 2a03:2260:0:15a::2/64
-        netmask 64
-
-
-# Duesseldorf Router A
-auto gre-bb-a.ix.dus
-iface gre-bb-a.ix.dus inet static
-        address 100.64.2.163
-        netmask 255.255.255.254
-        pre-up ip tunnel add $IFACE mode gre local 46.4.138.189 remote 185.66.193.0 ttl 255
-        post-up ip link set $IFACE mtu 1400
-        post-down ip tunnel del $IFACE
-
-iface gre-bb-a.ix.dus inet6 static
-        address 2a03:2260:0:15b::2/64
-        netmask 64
-
-
-# Duesseldorf Router B
-auto gre-bb-b.ix.dus
-iface gre-bb-b.ix.dus inet static
-        address 100.64.2.165
-        netmask 255.255.255.254
-        pre-up ip tunnel add $IFACE mode gre local 46.4.138.189 remote 185.66.193.1 ttl 255
-        post-up ip link set $IFACE mtu 1400
-        post-down ip tunnel del $IFACE
-
-iface gre-bb-b.ix.dus inet6 static
-        address 2a03:2260:0:15c::2/64
-        netmask 64
-

files/keepalive.exit.sh.j2

@@ -1,29 +0,0 @@
-#!/bin/sh
-#
-# -q quiet
-# -c nb of pings
-
-HOST1=8.8.8.8
-HOST2=8.8.4.4
-BATCTL=/usr/local/sbin/batctl
-
-ping -q -c5 $HOST1 > /dev/null
-if [ $? -eq 0 ]
-then
-        echo "ok"
-        $BATCTL gw server 100Mbit/100Mbit
-else
-
-        echo "$HOST1 NICHT ok"
-        ping -q -c5 $HOST2 > /dev/null
-        if [ $? -eq 0 ]
-                then
-                        echo "$HOST2 ok"
-                        $BATCTL gw server 100Mbit/100Mbit
-                else
-                        echo "$HOST2 NICHT ok"
-                        $BATCTL gw off
-        fi
-
-fi
-

files/keepalive.sh

@@ -1,51 +0,0 @@
-#!/bin/bash
-# Version 1.6
-# Parameter setzen
-GATEWAY1ext=185.66.193.105
-GATEWAY2ext=185.66.193.106
-GATEWAY1=10.188.255.5
-GATEWAY2=10.188.255.6
-GATEWAY1v6=2a03:2260:121::255:5
-GATEWAY2v6=2a03:2260:121::255:6
-IP=/sbin/ip
-PING=/bin/ping
-BATCTL=/usr/local/sbin/batctl
-
-#if [ "hostname = troisdorf1 | troisdorf2" ]
-if [ $(hostname) = "troisdorf1" ] || [ $(hostname) = "troisdorf2" ]
-    then
-        DEFAULT_GATEWAY=$GATEWAY1
-	DEFAULT_GATEWAYext=$GATEWAY1ext
-        FALLBACK_GATEWAY=$GATEWAY2
-	FALLBACK_GATEWAYext=$GATEWAY2ext
-	DEFAULT_GATEWAYv6=$GATEWAY1v6
-	FALLBACK_GATEWAYv6=$GATEWAY2v6
-    else
-        DEFAULT_GATEWAY=$GATEWAY2
-	DEFAULT_GATEWAYext=$GATEWAY2ext
-        FALLBACK_GATEWAY=$GATEWAY1
-        FALLBACK_GATEWAYext=$GATEWAY1ext
-	DEFAULT_GATEWAYv6=$GATEWAY2v6
-	FALLBACK_GATEWAYv6=$GATEWAY1v6
-
-fi
-
-if $PING -c 1 $DEFAULT_GATEWAYext
-        then
-                $IP route replace default via $DEFAULT_GATEWAY table 42
-                $IP -6 route replace default via $DEFAULT_GATEWAYv6 table 42
-                $BATCTL gw server 100Mbit/100Mbit
-                echo "Gateway erreichbar"
-        else
-        if $PING -c 1 $FALLBACK_GATEWAYext
-            then
-                $IP route replace default via $FALLBACK_GATEWAY table 42
-                $IP -6 route replace default via $FALLBACK_GATEWAYv6 table 42
-                $BATCTL gw server 80Mbit/80Mbit
-                echo "Nun FALLBACK_GATEWAY"
-            else
-                $BATCTL gw off
-                #Kein Gateway erreichbar, batctl gw off
-        fi
-fi
-

files/l2tp_backbone.sh.exit.j2

@@ -1,61 +0,0 @@
-#!/bin/sh
-# Version 6
-# Der servername muss mit einer einstelligen Zahl aufhoeren!!!!!
-communityname="troisdorf"
-server="troisdorf1 troisdorf2 troisdorf3 troisdorf4 troisdorf5 troisdorf6 troisdorf7 troisdorf8 troisdorf9"
-#server="troisdorf7 {{ sn_hostname }}"
-domain="freifunk-troisdorf.de"
-mtu={{ sn_mtu }}
-# community MAC address, without the last Byte (:)!
-communitymacaddress="a2:8c:ae:6f:f6"
-tunnelPrefix=10
-sessionPrefix=1
-# Netzwerkteil des Netzes, ohne abschliessenden Punkt
-communitynetwork="10.188"
-# IPv6 network
-#communitynetworkv6="fda0:747e:ab29:7405:255::"
-communitynetworkv6="2a03:2260:121::"
-# Drittes Octet des serverbereichs
-octet3rd="255"
-# CIDR muss /16 sein
-localserver=$(/bin/hostname)
-batadv=/usr/local/sbin/batadv-vis
-alfred=/usr/local/sbin/alfred
-batctl=/usr/local/sbin/batctl
-ip=/sbin/ip
-dig=/usr/bin/dig
-
-for i in $server; do
-(
-        for j in $server; do
-                if [ $i  != $j ]; then
-                        if [ $i = $localserver ]; then
-                                 ip l2tp add tunnel remote $($dig +short $j.$domain) local $(/bin/hostname  -I | /usr/bin/cut -f1 -d' ') tunnel_id $tunnelPrefix${i#$communityname}${j#$communityname} peer_tunnel_id $tunnelPrefix${j#$communityname}${i#$communityname} encap udp udp_sport 300${i#$communityname}${j#$communityname} udp_dport 300${j#$communityname}${i#$communityname}
-                                 ip l2tp add session name l2tp-$j tunnel_id $tunnelPrefix${i#$communityname}${j#$communityname} session_id $sessionPrefix${i#$communityname}${j#$communityname} peer_session_id $sessionPrefix${j#$communityname}${i#$communityname}
-                                 #ip link set address $communitymacaddress:${i#$communityname}${j#$communityname} dev l2tp-$j
-                                 ip link set dev l2tp-$j mtu $mtu
-                                 ip link set up l2tp-$j
-                                 $batctl if add l2tp-$j
-                        fi
-                fi
-        done
-)
-done
-
-# Rest starten
-$ip link set address $communitymacaddress:0${localserver#$communityname} dev bat0
-$ip link set up dev bat0
-$ip addr add $communitynetwork.$octet3rd.${localserver#$communityname}/16 broadcast $communitynetwork.255.255 dev bat0
-$ip -6 addr add $communitynetworkv6$octet3rd:${localserver#$communityname}/64 dev bat0
-
-/usr/bin/killall alfred
-/usr/bin/killall batadv-vis
-/bin/sleep 5
-$alfred -i bat0 > /dev/null 2>&1 &
-/bin/sleep 15
-$batadv -i bat0 -s > /dev/null 2>&1 &
-/bin/systemctl restart isc-dhcp-server
-/bin/systemctl restart bind9
-#/usr/local/sbin/batctl gw client 3
-/usr/local/sbin/batctl gw server 100Mbit/100Mbit
-

files/l2tp_backbone.sh.j2

@@ -1,59 +0,0 @@
-#!/bin/sh
-# Version 6
-# Der servername muss mit einer einstelligen Zahl aufhoeren!!!!!
-communityname="troisdorf"
-server="troisdorf1 troisdorf2 troisdorf3 troisdorf4 troisdorf5 troisdorf6 troisdorf7 troisdorf8 troisdorf9"
-#server="troisdorf7 {{ sn_hostname }}"
-domain="freifunk-troisdorf.de"
-mtu={{ sn_mtu }}
-# community MAC address, without the last Byte (:)!
-communitymacaddress="a2:8c:ae:6f:f6"
-tunnelPrefix=10
-sessionPrefix=1
-# Netzwerkteil des Netzes, ohne abschliessenden Punkt
-communitynetwork="10.188"
-# IPv6 network
-#communitynetworkv6="fda0:747e:ab29:7405:255::"
-communitynetworkv6="2a03:2260:121::"
-# Drittes Octet des serverbereichs
-octet3rd="255"
-# CIDR muss /16 sein
-localserver=$(/bin/hostname)
-batadv=/usr/local/sbin/batadv-vis
-alfred=/usr/local/sbin/alfred
-batctl=/usr/local/sbin/batctl
-ip=/sbin/ip
-dig=/usr/bin/dig
-
-for i in $server; do
-(
-        for j in $server; do
-                if [ $i  != $j ]; then
-                        if [ $i = $localserver ]; then
-                                 ip l2tp add tunnel remote $($dig +short $j.$domain) local $(/bin/hostname  -I | /usr/bin/cut -f1 -d' ') tunnel_id $tunnelPrefix${i#$communityname}${j#$communityname} peer_tunnel_id $tunnelPrefix${j#$communityname}${i#$communityname} encap udp udp_sport 300${i#$communityname}${j#$communityname} udp_dport 300${j#$communityname}${i#$communityname}
-                                 ip l2tp add session name l2tp-$j tunnel_id $tunnelPrefix${i#$communityname}${j#$communityname} session_id $sessionPrefix${i#$communityname}${j#$communityname} peer_session_id $sessionPrefix${j#$communityname}${i#$communityname}
-                                 #ip link set address $communitymacaddress:${i#$communityname}${j#$communityname} dev l2tp-$j
-                                 ip link set dev l2tp-$j mtu $mtu
-                                 ip link set up l2tp-$j
-                                 $batctl if add l2tp-$j
-                        fi
-                fi
-        done
-)
-done
-
-# Rest starten
-$ip link set address $communitymacaddress:0${localserver#$communityname} dev bat0
-#$ip link set address $communitymacaddress:ff dev bat0
-$ip link set up dev bat0
-$ip addr add $communitynetwork.$octet3rd.${localserver#$communityname}/16 broadcast $communitynetwork.255.255 dev bat0
-$ip -6 addr add $communitynetworkv6$octet3rd:${localserver#$communityname}/64 dev bat0
-
-/usr/bin/killall alfred
-/usr/bin/killall batadv-vis
-/bin/sleep 5
-$alfred -i bat0 > /dev/null 2>&1 &
-/bin/sleep 15
-$batadv -i bat0 -s > /dev/null 2>&1 &
-/usr/sbin/service bind9 restart
-/usr/local/sbin/batctl gw server 100Mbit/100Mbit

files/l2tp_backbone_ffswitch.sh.j2

@@ -1,56 +0,0 @@
-#!/bin/sh
-# Version 5
-# Der servername muss mit einer einstelligen Zahl aufhoeren!!!!!
-communityname="troisdorf"
-server="troisdorf0 troisdorf1 troisdorf2 troisdorf3 troisdorf4 troisdorf5 troisdorf6 troisdorf7 troisdorf8 troisdorf9"
-#server="troisdorf0 {{ sn_hostname }}"
-domain="freifunk-troisdorf.de"
-mtu={{ sn_mtu }}
-# community MAC address, without the last Byte (:)!
-communitymacaddress="a2:8c:ae:6f:f6"
-tunnelPrefix=10
-sessionPrefix=1
-# Netzwerkteil des Netzes, ohne abschliessenden Punkt
-communitynetwork="10.188"
-# IPv6 network
-communitynetworkv6="fda0:747e:ab29:7405:255::"
-# Drittes Octet des serverbereichs
-octet3rd="255"
-# CIDR muss /16 sein
-localserver=$(/bin/hostname)
-batadv=/usr/local/sbin/batadv-vis
-alfred=/usr/local/sbin/alfred
-batctl=/usr/local/sbin/batctl
-ip=/sbin/ip
-dig=/usr/bin/dig
-
-for i in $server; do
-(
-        for j in $server; do
-                if [ $i  != $j ]; then
-                        if [ $i = $localserver ]; then
-                                 ip l2tp add tunnel remote $($dig +short $j.$domain) local $(/bin/hostname  -I | /usr/bin/cut -f1 -d' ') tunnel_id $tunnelPrefix${i#$communityname}${j#$communityname} peer_tunnel_id $tunnelPrefix${j#$communityname}${i#$communityname} encap udp udp_sport 300${i#$communityname}${j#$communityname} udp_dport 300${j#$communityname}${i#$communityname}
-                                 ip l2tp add session name l2tp-$j tunnel_id $tunnelPrefix${i#$communityname}${j#$communityname} session_id $sessionPrefix${i#$communityname}${j#$communityname} peer_session_id $sessionPrefix${j#$communityname}${i#$communityname}
-                                 #ip link set address $communitymacaddress:${i#$communityname}${j#$communityname} dev l2tp-$j
-                                 ip link set dev l2tp-$j mtu $mtu
-                                 ip link set up l2tp-$j
-                                 $batctl if add l2tp-$j
-                        fi
-                fi
-        done
-)
-done
-
-# Rest starten
-$ip link set address $communitymacaddress:0${localserver#$communityname} dev bat0
-#$ip link set address $communitymacaddress:ff dev bat0
-$ip link set up dev bat0
-$ip addr add $communitynetwork.$octet3rd.${localserver#$communityname}/16 broadcast $communitynetwork.255.255 dev bat0
-$ip -6 addr add $communitynetworkv6${localserver#$communityname}/64 dev bat0
-
-/usr/bin/killall alfred
-/usr/bin/killall batadv-vis
-/bin/sleep 5
-$alfred -i bat0 > /dev/null 2>&1 &
-/bin/sleep 15
-$batadv -i bat0 -s > /dev/null 2>&1 &

files/logrotate.conf

@@ -1,34 +0,0 @@
-# see "man logrotate" for details
-# rotate log files weekly
-#weekly
-daily
-
-# keep 4 weeks worth of backlogs
-#rotate 4
-rotate 0
-
-# create new (empty) log files after rotating old ones
-create
-
-# uncomment this if you want your log files compressed
-#compress
-
-# packages drop log rotation information into this directory
-include /etc/logrotate.d
-
-# no packages own wtmp, or btmp -- we'll rotate them here
-/var/log/wtmp {
-    missingok
-    monthly
-    create 0664 root utmp
-    rotate 1
-}
-
-/var/log/btmp {
-    missingok
-    monthly
-    create 0660 root utmp
-    rotate 1
-}
-
-# system-specific logs may be configured here

files/named.conf.fftdf

@@ -1,6 +0,0 @@
-zone "fftdf" {
-  type slave;
-  masters { 10.188.1.100; };
-  file "/var/lib/bind/db.fftdf";
-};
-

files/radvd.conf.j2

@@ -1,13 +0,0 @@
-interface bat0 {
-        AdvSendAdvert on;
-        IgnoreIfMissing on;
-        MaxRtrAdvInterval 200;
-        RDNSS {{ sn_mesh_IPv6 }} {};
-#        prefix fda0:747e:ab29:7405::/64 {
-        prefix 2a03:2260:121::/64 {
-                AdvOnLink on;
-                AdvAutonomous on;
-                AdvRouterAddr on;
-        };
-};
-

files/sn_startup.exit.sh.j2

@@ -1,81 +0,0 @@
-#!/bin/sh
-# Version 1.7
-
-curl -X POST --data-urlencode 'payload={"text": "{{ sn_hostname }} is rebooted", "channel": "#technik", "username": "{{ sn_hostname }}", "icon_emoji": ":floppy_disk:"}' https://hooks.slack.com/services/{{ slack_token }}
-
-# Block RFC1918 and APIPA destination via WAN
-/sbin/iptables -P OUTPUT ACCEPT
-for i in 10.0.0.0/8 172.16.0.0/12 169.254.0.0/16 192.168.0.0/16; do
-/sbin/iptables -A OUTPUT -o eth0 -d $i -j DROP
-done
-
-# Activate IP forwarding
-/sbin/sysctl -w net.ipv6.conf.all.forwarding=1
-/sbin/sysctl -w net.ipv4.ip_forward=1
-
-# restart when kernel panic
-/sbin/sysctl kernel.panic=1
-
-# Routing table 42
-/bin/grep 42 /etc/iproute2/rt_tables || /bin/echo 42 ffrl >> /etc/iproute2/rt_tables
-
-# Set table for traffice with mark 4
-/bin/ip rule add fwmark 0x4 table 42
-/bin/ip -6 rule add fwmark 0x4 table 42
-
-# Set mark 4 to Freifunk traffic
-/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MARK --set-mark 4
-#/sbin/ip6tables -t mangle -A PREROUTING -s 2a03:2260:121::/48 ! -d 2a03:2260:121::/48 -j MARK --set-mark 4
-/sbin/ip6tables -t mangle -A PREROUTING -s 2a03:2260:121::/64 ! -d 2a03:2260:121::/64 -j MARK --set-mark 4
-
-# NAT on eth0
-/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-
-# NAT on GRE Freifunk interface
-#/sbin/iptables -t nat -A POSTROUTING -o gre-+ -j SNAT --to-source 185.66.193.105
-/sbin/iptables -t nat -A POSTROUTING -o gre-+ -j SNAT --to-source {{ sn_ffrl_IPv4 }}
-
-# MTU
-/sbin/iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-+ -j TCPMSS --set-mss 1312
-/sbin/ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o gre-+ -j TCPMSS --set-mss 1312
-
-# All from FF IPv4 via routing table 42
-/bin/ip rule add from {{ sn_ffrl_IPv4 }}/32 lookup 42
-/bin/ip -6 rule add from  2a03:2260:121::/64 lookup 42
-
-# Allow MAC address spoofing
-/sbin/sysctl net.ipv4.conf.bat0.rp_filter=0
-
-# Create Tunneldigger Bridge
-/sbin/brctl addbr br-nodes
-/sbin/ip link set dev br-nodes up
-/sbin/ebtables -A FORWARD --logical-in br-nodes -j DROP
-/usr/local/sbin/batctl if add br-nodes
-
-sleep 5
-
-# Fixing the nf_conntrack … dropping packets error
-# hashsize = nf_conntrack_max / 4
-sysctl -w net.netfilter.nf_conntrack_max=131072
-echo 32768 > /sys/module/nf_conntrack/parameters/hashsize
-
-# Against Denial of Service attacks from internal network
-# Check with: sysctl -a | grep conntrack | grep timeout
-sysctl -w net.ipv4.netfilter.ip_conntrack_generic_timeout=240
-sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=54000
-
-# restart bird
-/bin/systemctl start bird
-/bin/systemctl start bird6
-/bin/systemctl enable bird
-/bin/systemctl enable bird6
-
-# Start tunneldigger
-/bin/systemctl restart tunneldigger
-/bin/systemctl enable tunneldigger
-
-# radvd restart
-/bin/systemctl restart radvd
-/bin/systemctl enable radvd
-
-exit 0

files/sn_startup.sh.j2

@@ -1,74 +0,0 @@
-#!/bin/sh
-# Version 1.7
-
-curl -X POST --data-urlencode 'payload={"text": "{{ sn_hostname }} is rebooted", "channel": "#technik", "username": "{{ sn_hostname }}", "icon_emoji": ":floppy_disk:"}' https://hooks.slack.com/services/{{ slack_token }}
-
-# Block RFC1918 and APIPA destination via WAN
-/sbin/iptables -P OUTPUT ACCEPT
-for i in 10.0.0.0/8 172.16.0.0/12 169.254.0.0/16 192.168.0.0/16; do
-/sbin/iptables -A OUTPUT -o eth0 -d $i -j DROP
-done
-
-# Activate IP forwarding
-/sbin/sysctl -w net.ipv6.conf.all.forwarding=1
-/sbin/sysctl -w net.ipv4.ip_forward=1
-
-# restart when kernel panic
-/sbin/sysctl kernel.panic=1
-
-# Stop tunneldigger until bat0 is up
-/usr/sbin/service tunneldigger stop
-
-# Routing table 42
-/bin/grep 42 /etc/iproute2/rt_tables || /bin/echo 42 ffrl >> /etc/iproute2/rt_tables
-
-# Set table for traffice with mark 4
-/bin/ip rule add fwmark 0x4 table 42
-/bin/ip -6 rule add fwmark 0x4 table 42
-
-# Set mark 4 to Freifunk traffic
-/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MARK --set-mark 4
-/sbin/ip6tables -t mangle -A PREROUTING -s 2a03:2260:121::/48 ! -d 2a03:2260:121::/48 -j MARK --set-mark 4
-/sbin/ip6tables -t mangle -A PREROUTING -s 2a03:2260:121::/64 ! -d 2a03:2260:121::/64 -j MARK --set-mark 4
-
-# NAT on eth0
-/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-
-# All from FF IPv4 via routing table 42
-/bin/ip rule add from 185.66.193.104/30 lookup 42
-/bin/ip -6 rule add from  2a03:2260:121::/64 lookup 42
-
-# Allow MAC address spoofing
-/sbin/sysctl net.ipv4.conf.bat0.rp_filter=0
-
-# Create Tunneldigger Bridge
-/sbin/brctl addbr br-nodes
-/sbin/ip link set dev br-nodes up
-/sbin/ebtables -A FORWARD --logical-in br-nodes -j DROP
-/usr/local/sbin/batctl if add br-nodes
-
-sleep 5
-
-# Fixing the nf_conntrack … dropping packets error
-# hashsize = nf_conntrack_max / 4
-sysctl -w net.netfilter.nf_conntrack_max=131072
-echo 32768 > /sys/module/nf_conntrack/parameters/hashsize
-
-# Against Denial of Service attacks from internal network
-# Check with: sysctl -a | grep conntrack | grep timeout
-sysctl -w net.ipv4.netfilter.ip_conntrack_generic_timeout=240
-sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=54000
-
-# Start tunneldigger
-/bin/systemctl restart tunneldigger
-/bin/systemctl enable tunneldigger
-
-# radvd restart
-/bin/systemctl restart radvd
-/bin/systemctl enable radvd
-
-# restart DHCP
-/bin/systemctl restart isc-dhcp-server
-/bin/systemctl enable isc-dhcp-server
-
-exit 0

files/start-broker.sh

@@ -1,9 +0,0 @@
-#!/bin/bash
-
-WDIR=/srv/tunneldigger
-VIRTUALENV_DIR=/srv/tunneldigger
-
-cd $WDIR
-source $VIRTUALENV_DIR/bin/activate
-
-bin/python broker/l2tp_broker.py l2tp_broker.cfg

files/tunneldigger.service

@@ -1,9 +0,0 @@
-[Unit]
-Description = Start tunneldigger L2TPv3 broker
-After = network.target
-
-[Service]
-ExecStart = /srv/tunneldigger/start-broker.sh
-
-[Install]
-WantedBy = multi-user.target

host_vars/core4.yml

@@ -0,0 +1,61 @@
+ansible_connection: network_cli
+ansible_network_os: vyos
+ansible_ssh_host: 5.9.220.113
+ansible_user: vyos
+ansible_python_interpreter: /usr/bin/python3
+
+wan_address: 5.9.220.113
+wan_gateway: 5.9.220.112
+wan_net: /29
+lan_address: 172.16.7.1
+lan_network: 172.16.7.0/24
+ffrl_address: 185.66.193.107
+ffrl_address_v6: 2a03:2260:121:600::0/128
+ffrl_net_v6: 2a03:2260:121:600::/55
+
+gre_bb_transfer_net: /31
+gre_bb_transfer_net_v6: /64
+gre_bb_renote_as: 201701
+gre_bb_local_as: 65066
+
+gre_ber_a_address: 100.64.6.25
+gre_ber_a_neighbor: 100.64.6.24
+gre_ber_a_address_v6: 2a03:2260:0:30c::2
+gre_ber_a_neighbor_v6: 2a03:2260:0:30c::1
+gre_ber_a_description: gre_ber_a
+gre_ber_a_remote: 185.66.195.0
+
+gre_ber_b_address: 100.64.6.31
+gre_ber_b_neighbor: 100.64.6.30
+gre_ber_b_address_v6: 2a03:2260:0:30f::2
+gre_ber_b_neighbor_v6: 2a03:2260:0:30f::1
+gre_ber_b_description: gre_b_ber
+gre_ber_b_remote: 185.66.195.1
+
+gre_a_dus_address: 100.64.6.29
+gre_a_dus_neighbor: 100.64.6.28
+gre_a_dus_address_v6: 2a03:2260:0:30e::2
+gre_a_dus_neighbor_v6: 2a03:2260:0:30e::1
+gre_a_dus_description: gre_a_dus
+gre_a_dus_remote: 185.66.193.0
+
+gre_b_dus_address: 100.64.6.35
+gre_b_dus_neighbor: 100.64.6.34
+gre_b_dus_address_v6: 2a03:2260:0:311::2
+gre_b_dus_neighbor_v6: 2a03:2260:0:311::1
+gre_b_dus_description: gre_b_dus
+gre_b_dus_remote: 185.66.193.1
+
+gre_a_fra_address: 100.64.6.27
+gre_a_fra_neighbor: 100.64.6.26
+gre_a_fra_address_v6: 2a03:2260:0:30d::2
+gre_a_fra_neighbor_v6: 2a03:2260:0:30d::1
+gre_a_fra_description: gre_a_fra
+gre_a_fra_remote: 185.66.194.0
+
+gre_b_fra_address: 100.64.6.33
+gre_b_fra_neighbor: 100.64.6.32
+gre_b_fra_address_v6: 2a03:2260:0:310::2
+gre_b_fra_neighbor_v6: 2a03:2260:0:310::1
+gre_b_fra_description: gre_b_fra
+gre_b_fra_remote: 185.66.194.1

host_vars/edge1/vars.yml

@@ -0,0 +1,14 @@
+ansible_host: localhost
+ansible_connection: local
+ansible_python_interpreter: /usr/bin/python3
+
+ipv4_network: 10.1.0.0/16
+ipv4_dhcp_start: 10.1.0.30
+ipv4_dhcp_stop: 10.1.0.250
+ipv4_address: 10.1.0.1
+ipv6_network: 2a03:2260:121:603::/64
+ipv6_address: 2a03:2260:121:603::1/64
+wireguard_address: 10.255.1.2/24
+wireguard_v6_address: fd80:3ea2:e399:203a::3
+wireguard_public: 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s=
+wiregurad_v4: 10.255.1.1

host_vars/edge1/vault.yml

@@ -0,0 +1,12 @@
+$ANSIBLE_VAULT;1.1;AES256
+63373161393033633933653763653661626365376332306438326363333263656366623837333061
+3665663736393837663634653439356465356234613933320a613530656335326538326262376163
+36336139633033326430663362633839653831326362326439303634376666623862663037636533
+3031306666356637370a396164386339653630343366393163623136333166643162393663323931
+65376261356666313034633237323531363733343061396166343333666538313232616265303933
+32303633343666346134666332626635396132313932623535383538326639316465633432343239
+32353563643565393034653933356235663434376131366565636634376332353738363730626162
+31353236303764663236346437613031623634663762653664383534613738353363346563313063
+66363430306533666263356365383365303564303565316462306664356236316430653065613036
+30386238616564326132303262623664313935376332373037343664666138303932316330336238
+363762633930393837363662343133666363

host_vars/edge2/vars.yml

@@ -0,0 +1,14 @@
+ansible_host: localhost
+ansible_connection: local
+ansible_python_interpreter: /usr/bin/python3
+
+ipv4_network: 10.7.0.0/16
+ipv4_dhcp_start: 10.7.0.30
+ipv4_dhcp_stop: 10.7.0.250
+ipv4_address: 10.7.0.1
+ipv6_network: 2a03:2260:121:607::/64
+ipv6_address: 2a03:2260:121:607::1/64
+wireguard_address: 10.255.1.7/24
+wireguard_v6_address: fd80:3ea2:e399:203a::7
+wireguard_public: 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s=
+wiregurad_v4: 10.255.1.1

host_vars/edge2/vault.yml

@@ -0,0 +1,12 @@
+$ANSIBLE_VAULT;1.1;AES256
+63373161393033633933653763653661626365376332306438326363333263656366623837333061
+3665663736393837663634653439356465356234613933320a613530656335326538326262376163
+36336139633033326430663362633839653831326362326439303634376666623862663037636533
+3031306666356637370a396164386339653630343366393163623136333166643162393663323931
+65376261356666313034633237323531363733343061396166343333666538313232616265303933
+32303633343666346134666332626635396132313932623535383538326639316465633432343239
+32353563643565393034653933356235663434376131366565636634376332353738363730626162
+31353236303764663236346437613031623634663762653664383534613738353363346563313063
+66363430306533666263356365383365303564303565316462306664356236316430653065613036
+30386238616564326132303262623664313935376332373037343664666138303932316330336238
+363762633930393837363662343133666363

host_vars/edge3/vars.yml

@@ -0,0 +1,14 @@
+ansible_host: localhost
+ansible_connection: local
+ansible_python_interpreter: /usr/bin/python3
+
+ipv4_network: 10.9.0.0/16
+ipv4_dhcp_start: 10.9.0.30
+ipv4_dhcp_stop: 10.9.0.250
+ipv4_address: 10.9.0.1
+ipv6_network: 2a03:2260:121:609::/64
+ipv6_address: 2a03:2260:121:609::1/64
+wireguard_address: 10.255.1.9/24
+wireguard_v6_address: fd80:3ea2:e399:203a::9
+wireguard_public: 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s=
+wiregurad_v4: 10.255.1.1

host_vars/edge3/vault.yml

@@ -0,0 +1,12 @@
+$ANSIBLE_VAULT;1.1;AES256
+63373161393033633933653763653661626365376332306438326363333263656366623837333061
+3665663736393837663634653439356465356234613933320a613530656335326538326262376163
+36336139633033326430663362633839653831326362326439303634376666623862663037636533
+3031306666356637370a396164386339653630343366393163623136333166643162393663323931
+65376261356666313034633237323531363733343061396166343333666538313232616265303933
+32303633343666346134666332626635396132313932623535383538326639316465633432343239
+32353563643565393034653933356235663434376131366565636634376332353738363730626162
+31353236303764663236346437613031623634663762653664383534613738353363346563313063
+66363430306533666263356365383365303564303565316462306664356236316430653065613036
+30386238616564326132303262623664313935376332373037343664666138303932316330336238
+363762633930393837363662343133666363

host_vars/edge4/vars.yml

@@ -0,0 +1,14 @@
+ansible_host: localhost
+ansible_connection: local
+ansible_python_interpreter: /usr/bin/python3
+
+ipv4_network: 10.10.0.0/16
+ipv4_dhcp_start: 10.10.0.30
+ipv4_dhcp_stop: 10.10.0.250
+ipv4_address: 10.10.0.1
+ipv6_network: 2a03:2260:121:60a::/64
+ipv6_address: 2a03:2260:121:60a::1/64
+wireguard_address: 10.255.1.10/24
+wireguard_v6_address: fd80:3ea2:e399:203a::10
+wireguard_public: 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s=
+wiregurad_v4: 10.255.1.1

host_vars/edge4/vault.yml

@@ -0,0 +1,12 @@
+$ANSIBLE_VAULT;1.1;AES256
+63373161393033633933653763653661626365376332306438326363333263656366623837333061
+3665663736393837663634653439356465356234613933320a613530656335326538326262376163
+36336139633033326430663362633839653831326362326439303634376666623862663037636533
+3031306666356637370a396164386339653630343366393163623136333166643162393663323931
+65376261356666313034633237323531363733343061396166343333666538313232616265303933
+32303633343666346134666332626635396132313932623535383538326639316465633432343239
+32353563643565393034653933356235663434376131366565636634376332353738363730626162
+31353236303764663236346437613031623634663762653664383534613738353363346563313063
+66363430306533666263356365383365303564303565316462306664356236316430653065613036
+30386238616564326132303262623664313935376332373037343664666138303932316330336238
+363762633930393837363662343133666363

host_vars/uisp.yml

@@ -0,0 +1,4 @@
+ansible_host: 5.9.220.117
+ansible_port: 22
+ansible_ssh_user: root
+ansible_python_interpreter: /usr/bin/python3

host_vars/unifi.yml

@@ -0,0 +1,4 @@
+ansible_host: 5.9.220.118
+ansible_port: 22
+ansible_ssh_user: root
+ansible_python_interpreter: /usr/bin/python3

host_vars/vpn01/vars.yml

@@ -0,0 +1,62 @@
+###
+### Ansible
+###
+ansible_host: 5.9.220.114
+ansible_host_net: /29
+ansible_host_ipv6: 2a01:4f8:262:5112::101
+ansible_host_ipv6_net: /64
+ipv4_gateway: 5.9.220.112
+ipv6_gateway: 2a01:4f8:262:5112::3
+ansible_port: 22
+ansible_ssh_user: root
+ansible_python_interpreter: /usr/bin/python3
+
+###
+### Vars Freifunk
+###
+internal_network: "10.255.0.0/16"
+freifunk_internal_ip: 172.16.7.10/24
+core_router: 172.16.7.1
+
+###
+### Wireguard
+###
+ipv6_network: 2a03:2260:121:600::/58
+wireguard_address: "10.255.1.1/24, fd80:3ea2:e399:203a::1/64"
+wireguard_port: 42001
+wireguard_public: 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s=
+wiregurad_v4: 10.255.1.1
+
+wireguard_unmanaged_peers:
+  ## Ticket #188933
+  vpn2-Kabel-Waechter:
+    public_key: IuU88/zIE5fsSi3gN68vmz/72iJadOgip3I+lCOo5hk=
+    allowed_ips: 10.255.1.2/32, 10.2.0.0/16, fd80:3ea2:e399:203a::2/128, 2a03:2260:121:602::/64
+  ## Ticket #521263
+  vpn3-FFRS-VPN:
+    public_key: 0T+vKvbB94SkUgjw9Y4wiOKp7eJQ6IFNeY7sve/F0Ag=
+    allowed_ips: 10.255.1.3/32, 10.3.0.0/16, fd80:3ea2:e399:203a::3/128, 2a03:2260:121:603::/64
+  ## Ticket #150439
+  vpn4-sg:
+    public_key: IarM0mG08rfZ1k8d557H49nqRK6mKUrVuffhm8QYN1Q=
+    allowed_ips: 10.255.1.4/32, 10.4.0.0/16, fd80:3ea2:e399:203a::4/128, 2a03:2260:121:604::/64
+  ## ERX-Testing Stefan
+  vpn6-stefan:
+    public_key: KxjuZJs7aIPFAUm/J5iw/oWiv4O44hjpnnfN+VN0iQ0=
+    allowed_ips: 10.255.1.7/32, 10.7.0.0/16, fd80:3ea2:e399:203a::7/128, 2a03:2260:121:607::/64
+  ## Nils
+  vpn8-nils:
+    public_key: g+l9gP3SR99Q8TZ3uKs7yu1mANy97EFA21THrC/n1W0=
+    allowed_ips: 10.255.1.8/32, 10.8.0.0/16, fd80:3ea2:e399:203a::8/128, 2a03:2260:121:608::/64
+  ## edge3
+  vpn9-edge3:
+    public_key: pUBPZFl9VGb1zLseKenGS7pvOLWuWQNJdDEpHtOsxlg=
+    allowed_ips: 10.255.1.9/32, 10.9.0.0/16, fd80:3ea2:e399:203a::9/128, 2a03:2260:121:609::/64
+  ## edge4
+  vpn10-edge4:
+    public_key: 2Cq7gW5mSTcOJGzvw4dvdERhAFx3EIga5Ftds9zKlT8=
+    allowed_ips: 10.255.1.10/32, 10.10.0.0/16, fd80:3ea2:e399:203a::10/128, 2a03:2260:121:60a::/64
+  ## Stefan_Test
+  vpn10-edge4:
+    public_key: UHaYitx18sO71Ssk2SVUgdjLaAILbCthCmosU+Fs5Es=
+    allowed_ips: 10.255.1.11/32, 10.11.0.0/16, fd80:3ea2:e399:203a::11/128, 2a03:2260:121:60b::/64

host_vars/vpn01/vault.yml

@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+31653333646534336164323064616261666365636438363761663837663635613333386165313962
+3732656532643062333235366564333633623937353335650a343334393265316131313935363337
+61323339356237646631303039646132663161623739393130383338383339373063373566666330
+3463346562336166340a313562613835386431613636303637626133346433393630623837646236
+66633239393134336539346430343965383339653061633463653864653834633862353861663432
+39633663663833373264623138376431353437623765643530373266643539616231376162663831
+33643334323861653564333739376561306462316561336531656663396134336635666639343433
+38613630313731343736

host_vars/vpn02/vars.yml

@@ -0,0 +1,35 @@
+ansible_host: 5.9.220.115
+ansible_host_net: /29
+ansible_host_ipv6: 2a01:4f8:262:5112::102
+ansible_host_ipv6_net: /64
+ipv4_gateway: 5.9.220.112
+ipv6_gateway: 2a01:4f8:262:5112::3
+ansible_port: 22
+ansible_ssh_user: root
+ansible_python_interpreter: /usr/bin/python3
+
+###
+### Vars Freifunk
+###
+internal_network: "10.255.0.0/16"
+freifunk_internal_ip: 172.16.7.11/24
+core_router: 172.16.7.1
+
+###
+### Wireguard
+###
+ipv6_network: 2a03:2260:121:640::/58
+wireguard_address: "10.255.1.1/24, fd80:3ea2:e399:203a::1/64"
+wireguard_port: 42001
+wireguard_public: 5B/YTaDPVWVApUyHshJp899iXXlBy8rBqJUpYvKo+1s=
+wiregurad_v4: 10.255.1.1
+
+wireguard_unmanaged_peers:
+  ## Nils
+  vpn8-nils:
+    public_key: g+l9gP3SR99Q8TZ3uKs7yu1mANy97EFA21THrC/n1W0=
+    allowed_ips: 10.255.1.2/32, 10.2.0.0/16, fd80:3ea2:e399:203a::2/128, 2a03:2260:121:642::/64
+  ## Stefan_Test
+  vpn10-edge4:
+    public_key: UHaYitx18sO71Ssk2SVUgdjLaAILbCthCmosU+Fs5Es=
+    allowed_ips: 10.255.1.11/32, 10.11.0.0/16, fd80:3ea2:e399:203a::11/128, 2a03:2260:121:64b::/64

host_vars/vpn02/vault.yml

@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+31653333646534336164323064616261666365636438363761663837663635613333386165313962
+3732656532643062333235366564333633623937353335650a343334393265316131313935363337
+61323339356237646631303039646132663161623739393130383338383339373063373566666330
+3463346562336166340a313562613835386431613636303637626133346433393630623837646236
+66633239393134336539346430343965383339653061633463653864653834633862353861663432
+39633663663833373264623138376431353437623765643530373266643539616231376162663831
+33643334323861653564333739376561306462316561336531656663396134336635666639343433
+38613630313731343736

hosts.yml

@@ -0,0 +1,35 @@
+######################
+#
+# Ansible Hosts for FFTDF Supernodes. atm only the new offloader
+#
+######################
+all:
+  children:
+    router:
+      children:
+        ffrl_uplink:
+          hosts:
+            core4:
+    supernodes:
+      children:
+        vpn_offloader_wireguard:
+          hosts:
+            vpn01:
+            vpn02:
+        freifunk_supernodes:
+          hosts: 
+    service_server:
+      children:
+        unifi:
+          hosts:
+            unifi:
+        uisp:
+          hosts:
+            uisp:
+    edge_router:
+      hosts:
+        edge1:
+        edge2:
+        edge3:
+        edge4:
+            

install.sn.yml

@@ -1,303 +0,0 @@
-# First install ssh-key at remote computer
-# In case of python error start:
-# ansible troisdorf4 -u root -m raw -a "apt-get update && apt-get install python -y"
-
-- name: Install Freifunk Troisdorf super node
-#  hosts: FreifunkSupernodesL2TP
-  hosts: '{{ target }}'
-  sudo: False
-  user: root
-  gather_facts: False
-  vars:
-    snversion: master_v3.0.0
-    batmanversion: v2015.2
-    common_required_packages:
-      - git
-      - make
-      - gcc
-      - build-essential
-      - pkg-config
-      - libgps-dev
-      - libnl-3-dev
-      - libjansson-dev
-      - isc-dhcp-server
-      - collectd
-      - libcap-dev
-      - iproute
-      - libnetfilter-conntrack3
-      - python-dev
-      - libevent-dev
-      - ebtables
-      - python-virtualenv
-      - iptables-persistent
-      - iftop
-      - screen
-      - bridge-utils
-      - tcpdump
-      - bind9
-      - radvd
-      - curl
-      - htop
-      - psmisc
-      - dnsutils
-      - ntp
-    modules_required:
-      - batman-adv
-      - nf_conntrack_netlink
-      - nf_conntrack
-      - nfnetlink
-      - l2tp_netlink
-      - l2tp_core
-      - l2tp_eth
-    tunneldigger_scripts:
-      - start-broker.sh
-      - batdelif.sh
-    tunneldigger_service:
-      - tunneldigger.service
-    bind_zone_fftdf:
-      - named.conf.fftdf
-    check_gw_script:
-      - keepalive.sh
-    authorized_keys:
-      - authorized_keys
-    logrotate_config:
-      - logrotate.conf
-    tunneld_stats_file:
-      - collectd_td_stat.sh
-
-
-  tasks:
-    - name: Remove cdrom in sources.list
-      raw: "sed -i '/deb cdrom/c\\#' /etc/apt/sources.list"
-    - name: Make this server ansible compatible
-      raw: "apt-get update && apt-get install python -y"
-#    - name: Add backport repo to source list #target: /etc/apt/sources.list.d
-#      apt_repository: repo='deb http://http.debian.net/debian jessie-backports main' state=present 
-    - name: Update apt cache
-      apt: update_cache=yes
-    - name: Gathering facts
-      setup:
-    - name: Set IPv4 in hostfile
-      lineinfile: dest=/etc/hosts regexp='^{{ ansible_default_ipv4.address }}' line='{{ ansible_default_ipv4.address }} {{ sn_hostname }}.{{ sn_fqdn }} {{ sn_hostname }}' owner=root group=root mode=0644 state=present
-    - name: Set IPv6 in hostfile
-      lineinfile: dest=/etc/hosts regexp='^{{ ansible_default_ipv6.address }}' line='{{ ansible_default_ipv6.address }} {{ sn_hostname }}.{{ sn_fqdn }} {{ sn_hostname }}' owner=root group=root mode=0644 state=present
-      when: ansible_default_ipv6.address is defined
-    - name: set hostname
-      hostname: name='{{ sn_hostname }}'
-      register: sethostname
-    - name: disable multi CPU Kernel (SMP)
-      lineinfile: dest=/etc/default/grub regexp='^GRUB_CMDLINE_LINUX_DEFAULT=' line='GRUB_CMDLINE_LINUX_DEFAULT="quiet maxcpus=0 nosmp"' state=present
-      register: grubnosmp
-    - name: Update grub
-      shell: update-grub2
-      when: grubnosmp.changed
-    - name: Reboot the server
-      shell: sleep 2 && shutdown -r now "Ansible updates triggered"
-      async: 1
-      poll: 0
-      ignore_errors: true
-      when: sethostname.changed
-    - name: waiting for server to come back (1st)
-      local_action:
-                   wait_for
-                   host={{ inventory_hostname }}
-                   port=22
-                   delay=20
-                   timeout=300
-      when: hosts.changed
-      when: sethostname.changed
-    - apt: update_cache=yes
-    - name: Install common required packages
-      apt: state=installed pkg={{ item }}
-      with_items: common_required_packages
-      register: aptupdates
-    - name: Set clock
-      shell: /etc/init.d/ntp stop && /usr/sbin/ntpd -q -g && /etc/init.d/ntp start
-    - name: Add modules
-      lineinfile: dest=/etc/modules line={{ item }}
-      with_items: modules_required
-      register: modules_req
-    - name: Load modules
-      modprobe: name={{ item }}
-      with_items: modules_required
-      when: modules_req.changed
-    - name: Install Linux headers
-      shell: >
-        apt-get install linux-headers-$(uname -r) -y
-      when: aptupdates.changed
-    - name: Get batman-adv
-      git: repo=https://git.open-mesh.org/batman-adv.git
-           dest=/tmp/batman-adv
-      when: aptupdates.changed
-      register: getbatman
-    - name: Get batman-adv no rebrotcast patch
-      get_url: url=http://map.freifunk-moehne.de/stuff/1001-batman-adv-introduce-no_rebroadcast-option.patch dest=/tmp/batman-adv/1001-batman-adv-introduce-no_rebroadcast-option.patch
-      when: getbatman.changed
-    - name: Install batman-adv
-      shell: cd /tmp/batman-adv && git checkout {{ batmanversion }} && make && make install
-#      shell: cd /tmp/batman-adv && git checkout {{ batmanversion }} && git apply 1001-batman-adv-introduce-no_rebroadcast-option.patch && make && make install
-      when: getbatman.changed
-    - name: Get batctl
-      git: repo=http://git.open-mesh.org/batctl.git
-           dest=/tmp/batctl
-      when: aptupdates.changed
-      register: getbatctl
-    - name: Install batctl
-      shell: cd /tmp/batctl && git checkout {{ batmanversion }} && make && make install
-      when: getbatctl.changed
-    - name: Get alfred
-      git: repo=http://git.open-mesh.org/alfred.git
-           dest=/tmp/alfred
-      when: aptupdates.changed
-      register: getalfred
-    - name: Install alfred
-      shell: cd /tmp/alfred && git checkout {{ batmanversion }} && make && make install
-      when: getalfred.changed
-    - name: Get Tunneldigger
-#      git: repo=https://github.com/wlanslovenija/tunneldigger.git
-      git: repo=https://github.com/ffrl/tunneldigger.git
-           dest=/srv/tunneldigger
-      register: tunneldigger
-      when: aptupdates.changed
-    - name: Configure tunneldigger
-      command: "{{item}}"
-      with_items:
-       - virtualenv /srv/tunneldigger/ -p python2.7
-      when: tunneldigger.changed
-    - name: Tunneldigger requirements
-      pip: requirements=/srv/tunneldigger/broker/requirements.txt virtualenv=/srv/tunneldigger/
-      when: tunneldigger.changed
-    - name: Copy l2tp broker config template
-      template: src=./files/l2tp_broker.cfg.j2 dest=/srv/tunneldigger/l2tp_broker.cfg owner=root group=root mode=0444
-      when: tunneldigger.changed
-    - name: Copy tunneldigger script template
-      template: src=./files/bataddif.sh.j2 dest=/srv/tunneldigger/bataddif.sh owner=root group=root mode=0500
-      when: tunneldigger.changed
-    - name: Copy tunneldigger scripts
-      copy: src=./files/{{ item }} dest=/srv/tunneldigger owner=root group=root mode=0500
-      with_items: tunneldigger_scripts
-      when: tunneldigger.changed
-    - name: Copy tunneldigger service file
-      copy: src=./files/{{ item }} dest=/etc/systemd/system/tunneldigger.service owner=root group=root mode=0444
-      with_items: tunneldigger_service
-      when: tunneldigger.changed
-    - name: Tunneldigger reload
-      command: "{{item}}"
-      with_items:
-      - systemctl daemon-reload
-      - systemctl enable tunneldigger.service
-      when: tunneldigger.changed
-    - name: Copy logrotate config
-      copy: src=./files/{{ item }} dest=/etc/ owner=root group=root mode=0500
-      with_items: logrotate_config
-    - name: Create freifunk directory
-      file: path=/opt/freifunk state=directory mode=0755
-    - name: Check gateway / keepalive script supernode
-      copy: src=./files/{{ item }} dest=/opt/freifunk owner=root group=root mode=0500
-      with_items: check_gw_script
-      register: check_gw
-      when: sn_exit is undefined
-    - name: Check gateway / keepalive script super- and exitnode
-      template: src=./files/keepalive.exit.sh.j2 dest=/opt/freifunk/keepalive.sh owner=root group=root mode=0500
-      register: check_gw
-      when: sn_exit is defined
-    - name: Add cron job with check gateway script
-      cron: name=check_gw job="/opt/freifunk/keepalive.sh > /dev/null 2>&1" user="root" 
-      when: check_gw.changed
-    - name: Tunneldigger stats
-      copy: src=./files/{{ item }} dest=/opt/freifunk owner=root group=root mode=0500
-      with_items: tunneld_stats_file
-      register: tunneld_stats
-#      when: sn_exit is undefined
-    - name: Add cron job tunneldigger stats
-      cron: name=tunneld_stats job="/opt/freifunk/collectd_td_stat.sh > /dev/null 2>&1" user="root"
-      when: tunneld_stats.changed
-    - name: Copy dhcpd template file
-      template: src=./files/dhcpd.conf.j2 dest=/etc/dhcp/dhcpd.conf owner=root group=root mode=0444
-      register: dhcpd
-    - name: Clone static DHCP config
-      git: repo=https://github.com/Freifunk-Troisdorf/static-dhcp
-           dest=/opt/freifunk/static-dhcp
-      when: dhcpd.changed 
-    - name: Add cron static DHCP
-      cron: name=StaticDHCP minute="*" job="/opt/freifunk/static-dhcp/dhcp-update.sh"
-      when: dhcpd.changed
-    - name: Restart dhcpd
-      service: name=isc-dhcp-server state=restarted
-      when: dhcpd.changed
-      ignore_errors: yes
-    - name: Add cron backbone script
-      cron: name=backbone special_time=reboot job="/opt/freifunk/l2tp_backbone.sh"
-    - name: Add cron startup script
-      cron: name=startup special_time=reboot job="/opt/freifunk/sn_startup.sh"
-    - name: Copy backbone script
-      template: src=./files/l2tp_backbone.sh.j2 dest=/opt/freifunk/l2tp_backbone.sh owner=root group=root mode=0544
-      when: sn_exit is undefined 
-    - name: Copy backbone script
-      template: src=./files/l2tp_backbone.sh.exit.j2 dest=/opt/freifunk/l2tp_backbone.sh owner=root group=root mode=0544
-      when: sn_exit is defined
-    - name: Collectd template file
-      template: src=./files/collectd.conf.j2 dest=/etc/collectd/collectd.conf owner=root group=root mode=0444
-      register: collectd
-    - name: Restart collectd
-      service: name=collectd state=restarted
-      when: collectd.changed
-    - name: configure startup script supernode
-      template: src=./files/sn_startup.sh.j2 dest=/opt/freifunk/sn_startup.sh owner=root group=root mode=0500
-      when: sn_exit is undefined
-    - name: Exit node startup script super- and exitnode
-      template: src=./files/sn_startup.exit.sh.j2 dest=/opt/freifunk/sn_startup.sh owner=root group=root mode=0500
-      when: sn_exit is defined
-    - name: SSH authorized_keys
-      copy: src=./files/{{ item }} dest=/root/.ssh owner=root group=root mode=0400
-      with_items: authorized_keys
-    - name: Copy secondary zone file
-      copy: src=./files/{{ item }} dest=/etc/bind owner=root group=bind mode=644
-      with_items: bind_zone_fftdf
-    - name: Bind9, activate fftdf zone
-      lineinfile: dest=/etc/bind/named.conf line='include "/etc/bind/named.conf.fftdf";' state=present
-    - name: Copy option template
-      template: src=./files/named.conf.options.j2 dest=/etc/bind/named.conf.options owner=root group=bind mode=644
-    - name: Copy radvd config template
-      template: src=./files/radvd.conf.j2 dest=/etc/radvd.conf owner=radvd group=root mode=0444
-    - name: Alfed message
-      template: src=./files/alfred.sh.j2 dest=/opt/freifunk/alfred.sh owner=root group=root mode=0544
-    - name: Add cron job with alfred info script
-      cron: name=alfred_info job="/opt/freifunk/alfred.sh > /dev/null 2>&1" user="root"
-    - name: Interface configuration with ffrl gre tunnel
-      copy: src=./files/interfaces-{{ sn_hostname }} dest=/etc/network/interfaces owner=root group=root mode=0544
-      when: sn_exit is defined
-    - apt: update_cache=yes
-    - name: Install bird
-      apt: state=installed pkg=bird
-      when: sn_exit is defined
-    - name: Bird configuration
-      copy: src=./files/bird-{{ sn_hostname }}.conf dest=/etc/bird/bird.conf owner=bird group=bird mode=0444
-      when: sn_exit is defined
-    - name: Bird configuration
-      copy: src=./files/bird6-{{ sn_hostname }}.conf dest=/etc/bird/bird6.conf owner=bird group=bird mode=0444
-      when: sn_exit is defined
-    - name: Reboot the server finally
-      shell: sleep 2 && shutdown -r now "Ansible updates triggered"
-      async: 1
-      poll: 0
-      ignore_errors: true
-      when: tunneldigger.changed
-    - name: Wirte version information
-      shell: touch /etc/sn_version && echo {{ snversion }} > /etc/sn_version
-    - name: waiting for server to come back
-      local_action:
-                   wait_for
-                   host={{ inventory_hostname }}
-                   port=22
-                   delay=20
-                   timeout=300
-      when: tunneldigger.changed
-    - name: Send notification message via Slack
-      local_action:
-        module: slack
-        token: "{{ slack_token }}"
-        msg: "{{ inventory_hostname }} completed with {{ snversion }}"
-        channel: "#technik"
-        username: "Ansible on {{ inventory_hostname }}"
-        parse: 'none'

readme.md

@@ -0,0 +1,18 @@
+# Supernode mit direkter VPN Ausleitung
+
+Ausleitung über das FFRL Backbone.
+Supernode Config:
+- GRE-Tunnel zum FFRL Backbone
+- VPN per Wireguard
+- NAT auf VPN Routern
+
+## Naming:
+
+CORE[1-x]
+Core Router auf Vyos mit Verbidung zum FFRL Backbone über GRE Tunnel. Die Core Router stellen das Freifunk Netz über ein LAN auf unseren Proxmox Servern bereit.
+
+VPN[1-x]
+VPN Server aka Supernodes. Die VPN Server nehmen VPN Verbindungen von Routern und/oder Clients entgegen und managen diese. Hier sind diekte anbindungen möglich, ebenso aber Supernodes mit dem klassischen Freifunk (Batman) Konzept.
+
+ROUTER[1-x], EDGE[1-x], CLIENT[1-x]
+Angebundene Router oder Clients an einen VPN Server, falls dieser aus diesem Ansible eine Config erhält.

roles/00-ubuntu-basic/files/nils.key.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCvwA3/NDj7Oo28Q1XdRIgOp//35gFVvsDa1dnMkgRDqJYvlIDbRiQ+UIcgu5YhstPb8BAxfvqjRP4rnMKc7v69T2Lp+HOMx+1sOYrznEe2hC5lPr4+U1u4Fzqhq/keSoItifmdTgrE+01Zc5jMBosUIm79TDgEMuEGcYVJIyAzDv9ez4u+Bz/HubRO+qT/+UmOICEg9m/C+fiH/ZAJHi90dMsj7RF5YXrRHXTAdiecurwGAZx2Adug1fFTvzB1pqBUHje1PFtEI+LheYklpNtiJo8NQ2KDEiavSxBibJrywzQHaddf0bkeAhmiNY8PRoMpMNeiu94DyNFWgdm7bLzdzrN/o5U7MlnJlcn8D1tLtdp0ngTxaN6VIywI8mQ/Ukxz8p2Ce49vu6osz4CvYhKx4mrvOSmqg9VjKcL6/rIwK7y5CWgIrddktxrSpUHXkzoQSefgZ5Bnu3CNp0GixWV5JTHnFxCulJAGi3TTqx7IvsJ8gpuKkeGnIgnDhFbqVOKeEEnR13tTCJ7MgPQ+VHREQ68u73a5TfDxJd/ggnG4tQ67HOcqxwa74+X1lv7YiJ3AvbrR7FFPNM3o5N8ZmZWhBLDaUHrjElHkZdB/V2l2bCblWhD0INCYoskuK1dFGdf3gQQeKOivGzKtzI0xNKutrxfvarkikxCEV3Exj889rQ== Nils Stinnesbeck

roles/00-ubuntu-basic/files/roman.key.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAos0JvQsyAsP3FcsqDCBTDqzUGBeoxMKDj/SSRoy5MBDPUaWm37b93Lqmg1wMj0qvUURBKpWsRiRUzzRAaQrIdhcZjo0Gkw4vv7tpFQCmvWqxUpzH00GDKjLrMvNfcv+5b0Ctl06Bo+e4nb2SVsFhjaP9MLIjHiKpgivIPx9aKwxKx/VjsW920eWOG+VaDKIJTxPGUYedaUgIktvhutAbOyRR/OJlIZ3Qs0cnyT4KTM4pe4br2p3+mNs6J7G+z8Lw99WiUBfUwsRLVO68nJA2PKlJNEUGJycngqV06iQpcDfei88DFRMetN9bhVYxWFIzCQfjjqs8dkomEhfFQwfOTYiOouhaycZABwU4pPmQwZIkp1q4KduodU/KYsf78WitYgavHVInWBQuAUljafwQpTLHy8AI6M3XmbKi5rvNZiy4hoxfaT7rYJGuBoTwsZEHI7Sf26XsyQKJdu29mmIYPpzPKP7VAyjAVLqruLX1Yy0oZuM22YFFj5MHuoEN3WdXOYymvZyOM05xXeQk6gVh3EE6MpbK8CFz1KPNEjd+vce1zUyACDvqdt6ZIjqmUdivBsvHDTqMgH9mSxjjjwLy+Sd7snXx0bqksTdPChAlXN9vs3ez8FJl0P4inzjza8l8zGqaa2A1CsO8dRcyojohczLYoTHWQTB3tVIdcj55UIE= roman

roles/00-ubuntu-basic/files/stefan.key.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDM0d9uUUdkK80fYEAz+IwxbhQO2qsr87Q4uxxwqQCvjVWryL+IuKMBJJGroWDMz2d9UJcIXEYdMz4436U0DoPJuoXe5iDsVvum3Vz3276My+tqx1bZWCktPa8Isft7mO/wfELNjRNQduUiwh2y712s7/3GQI+5Rs/65HuLHTnpLKrlfptqmsmYw+IUFDzGwBLJ6sqP90ywjKkperPCAH3IWcTsQwnW3EJFPToMg6BrQslZlxx/z+co3e6jCWzUuuIRP9jp4SmNVfYaVGb1cOFdL1p1P0qWHBHdGUnXHZ+c773VKVSj+spUBxKGqNC1EhRCYTsPDLVrYrhKl2BRLcgB stefan@Stefan-Linux

roles/00-ubuntu-basic/tasks/main.yml

@@ -0,0 +1,68 @@
+---
+# Set System Hostname
+- name: Ensure hostname set
+  hostname:
+    name: "{{ inventory_hostname }}"
+  when: not inventory_hostname|trim is match('(\d{1,3}\.){3}\d{1,3}')
+  become: yes
+  register: hostname_set
+
+- name: Reboot host and wait for it to restart
+  reboot:
+    msg: "Reboot initiated by Ansible"
+    connect_timeout: 5
+    reboot_timeout: 600
+    pre_reboot_delay: 0
+    post_reboot_delay: 30
+    test_command: whoami
+  when: hostname_set.changed
+
+# Users defined in /vars/main.yml
+# pub key files in /files/{USER}.key.pub
+
+- name: "Create user accounts and add users to groups"
+  user:
+    name: "{{ item }}"
+    groups: sudo
+  with_items: "{{ users }}"
+
+- name: "Add authorized keys"
+  authorized_key:
+    user: "{{ item }}"
+    key: "{{ lookup('file', 'files/'+ item + '.key.pub') }}"
+  with_items: "{{ users }}"
+
+- name: Allow 'sudo' group to have passwordless sudo
+  lineinfile:
+    path: /etc/sudoers
+    state: present
+    regexp: '^%sudo'
+    line: '%sudo ALL=(ALL) NOPASSWD: ALL'
+    validate: '/usr/sbin/visudo -cf %s'
+
+# Install basic packages for Ubuntu minimal Systems
+- name: Install all Packages
+  ansible.builtin.apt: 
+    name: 
+      - curl
+      - nano
+      - vim
+      - htop
+      - screen
+      - iproute2
+      - iptables
+      - cron
+      - qemu-guest-agent
+      - iputils-ping
+      - iw
+      - speedtest-cli
+      - telnet
+    state: latest
+    update_cache: yes
+
+- name: uninstall unneeded packages
+  apt:
+    name:
+      - rpcbind
+    update_cache: yes
+    state: absent

roles/00-ubuntu-basic/vars/main.yml

@@ -0,0 +1,4 @@
+users:
+  - stefan
+  - nils
+  - roman

roles/01-vpn-offloader-setup/tasks/main.yml

@@ -0,0 +1,90 @@
+---
+- name: Setup NAT
+  ansible.builtin.iptables:
+    chain: POSTROUTING
+    table: nat
+    source: "{{ internal_network }}"
+    jump: MASQUERADE
+  register: iptables
+
+- name: Enable kernel panic reboots
+  ansible.posix.sysctl:
+    name: kernel.panic
+    value: '1'
+
+- name: Enable IPv4 forwarding
+  ansible.posix.sysctl:
+    name: net.ipv4.ip_forward
+    value: '1'
+    sysctl_set: true
+
+- name: Enable IPv6 forwarding
+  ansible.posix.sysctl:
+    name: net.ipv6.conf.all.forwarding
+    value: '1'
+    sysctl_set: true
+
+- name: Create Routing Table 42
+  ansible.builtin.lineinfile:
+    path: /etc/iproute2/rt_tables
+    line: 42 ffrl
+    create: yes
+
+- name: Generate NDPPD Config
+  ansible.builtin.template:
+    src: ndppd.conf.j2
+    dest: /etc/ndppd.conf
+    owner: root
+    group: root
+    mode: 755
+
+- name: Install all Packages for VPN Servers
+  ansible.builtin.apt: 
+    name: 
+      - libndp0
+      - libndp-tools
+      - ndppd
+      - iptables-persistent
+    state: latest
+    update_cache: yes
+
+- name: Find all Netplan Files without of the freifunk file 
+  find:
+    paths: /etc/netplan/
+    file_type: file
+    excludes: 
+      - "01-freifunk.yaml"
+  register: found_files
+
+- name: Delete files
+  file:
+    path: "{{ item.path }}"
+    state: absent
+  with_items: "{{ found_files['files'] }}"
+
+- name: Copy Netplan Template for Internal Network
+  ansible.builtin.template:
+    src: netplan.j2
+    dest: /etc/netplan/01-freifunk.yaml
+    owner: root
+    group: root
+    mode: 755
+  register: netplan_config
+
+- name: saveip6tables
+  ansible.builtin.shell: ip6tables-save > /etc/iptables/rules.v6
+  when: iptables.changed
+
+- name: saveip4tables
+  ansible.builtin.shell: iptables-save > /etc/iptables/rules.v4
+  when: iptables.changed
+  
+- name: Apply Netplan
+  ansible.builtin.shell: netplan apply
+  when: netplan_config.changed
+
+- name: Enable Proxy_NDP on interface ens19
+  ansible.posix.sysctl:
+    name: net.ipv6.conf.ens19.proxy_ndp
+    value: '1'
+    sysctl_set: true

roles/01-vpn-offloader-setup/templates/ndppd.conf.j2

@@ -0,0 +1,5 @@
+proxy ens19 {
+   rule {{ ipv6_network }} {
+      static
+   }
+}

roles/01-vpn-offloader-setup/templates/netplan.j2

@@ -0,0 +1,32 @@
+network:
+  ethernets:
+    ens18:
+      addresses:
+      - {{ ansible_host }}{{ ansible_host_net }}
+      - {{ ansible_host_ipv6 }}{{ ansible_host_ipv6_net }}
+      nameservers:
+        addresses:
+        - 1.1.1.1
+      routes:
+      - to: default
+        via: {{ ipv4_gateway }}
+        table: 42
+      - to: default
+        via: {{ ipv6_gateway }}
+        table: 42
+      routing-policy:
+      - from: {{ ansible_host }}
+        table: 42
+      - from: {{ ansible_host_ipv6 }}
+        table: 42
+    ens19:
+      dhcp4: false
+      addresses:
+      - {{ freifunk_internal_ip }}
+      nameservers:
+        addresses:
+        - 1.1.1.1
+      routes:
+      - to: default
+        via: {{ core_router }}
+  version: 2

roles/01-vpn-router-config/tasks/main.yml

@@ -0,0 +1,11 @@
+- name: create config directory
+  file:
+    path: '{{ playbook_dir }}/edgerouter_configs/'
+    state: directory
+
+- name: Generate EdgeOS Config
+  ansible.builtin.template:
+    src: edgerouter.conf.j2
+    dest: '{{ playbook_dir }}/edgerouter_configs/{{ inventory_hostname }}.md'
+    mode: 0755
+  

roles/01-vpn-router-config/templates/edgerouter.conf.j2

@@ -0,0 +1,106 @@
+## Webinterface Wizard ausführen
+WAN auf eth0
+Ein LAN mit Adresse: {{ ipv4_address }}
+
+Dann auf der Konsole weiter
+
+## Install Wireguard
+cd /tmp
+curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb
+sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb
+
+####
+cd /config/auth
+wg genkey | tee /config/auth/wg.key | wg pubkey >  wg.public
+cat wg.public
+cat wg.key
+####
+
+set firewall all-ping enable
+set firewall broadcast-ping disable
+set firewall group ipv6-network-group LAN-VPN-V6 description 'Networks on LAN destined to go out VPN by default'
+set firewall group ipv6-network-group LAN-VPN-V6 ipv6-network '{{ ipv6_network }}'
+set firewall group network-group LAN-VPN description 'Networks on LAN destined to go out VPN by default'
+set firewall group network-group LAN-VPN network {{ ipv4_network }}
+
+set firewall ipv6-modify LAN_to_VPN_V6 rule 1 action modify
+set firewall ipv6-modify LAN_to_VPN_V6 rule 1 modify table 2
+set firewall ipv6-modify LAN_to_VPN_V6 rule 1 source group ipv6-network-group LAN-VPN-V6
+set firewall ipv6-modify LAN_to_VPN_V6 rule 1 description 'Route traffic from group LAN-VPN through LAN_to_VPN_V6 table'
+set firewall ipv6-receive-redirects disable
+set firewall ipv6-src-route disable
+set firewall ip-src-route disable
+set firewall log-martians enable
+set firewall modify LAN_to_VPN rule 100 action modify
+set firewall modify LAN_to_VPN rule 100 description 'Route traffic from group LAN-VPN through LAN_to_VPN table'
+set firewall modify LAN_to_VPN rule 100 modify table 2
+set firewall modify LAN_to_VPN rule 100 source group network-group LAN-VPN
+set firewall name WAN_LOCAL default-action drop
+set firewall name WAN_LOCAL rule 20 action accept
+set firewall name WAN_LOCAL rule 20 description WireGuard
+set firewall name WAN_LOCAL rule 20 destination port 51821
+set firewall name WAN_LOCAL rule 20 protocol udp
+set firewall options mss-clamp interface-type all
+set firewall options mss-clamp mss 1340
+set firewall options mss-clamp6 interface-type all
+set firewall options mss-clamp6 mss 1340
+set firewall receive-redirects disable
+set firewall send-redirects enable
+set firewall source-validation disable
+set firewall syn-cookies enable
+set interfaces switch switch0 address {{ ipv4_address }}/24
+set interfaces switch switch0 address '{{ ipv6_address }}'
+set interfaces switch switch0 description Local
+set interfaces switch switch0 firewall in ipv6-modify LAN_to_VPN_V6
+set interfaces switch switch0 firewall in modify LAN_to_VPN
+set interfaces switch switch0 ipv6 dup-addr-detect-transmits 1
+set interfaces switch switch0 ipv6 router-advert cur-hop-limit 64
+set interfaces switch switch0 ipv6 router-advert link-mtu 1328
+set interfaces switch switch0 ipv6 router-advert managed-flag true
+set interfaces switch switch0 ipv6 router-advert max-interval 600
+set interfaces switch switch0 ipv6 router-advert name-server '2606:4700:4700::1111'
+set interfaces switch switch0 ipv6 router-advert other-config-flag false
+set interfaces switch switch0 ipv6 router-advert prefix '{{ ipv6_network }}' autonomous-flag true
+set interfaces switch switch0 ipv6 router-advert prefix '{{ ipv6_network }}' on-link-flag true
+set interfaces switch switch0 ipv6 router-advert prefix '{{ ipv6_network }}' valid-lifetime 2592000
+set interfaces switch switch0 ipv6 router-advert reachable-time 0
+set interfaces switch switch0 ipv6 router-advert retrans-timer 0
+set interfaces switch switch0 ipv6 router-advert send-advert true
+set interfaces switch switch0 mtu 1500
+set interfaces switch switch0 switch-port interface eth1
+set interfaces switch switch0 switch-port interface eth2
+set interfaces switch switch0 switch-port interface eth3
+set interfaces switch switch0 switch-port interface eth4
+set interfaces switch switch0 switch-port vlan-aware disable
+set interfaces wireguard wg0 address {{ wireguard_address }}
+set interfaces wireguard wg0 address {{ wireguard_v6_address }}
+set interfaces wireguard wg0 listen-port 51822
+set interfaces wireguard wg0 mtu 1380
+set interfaces wireguard wg0 peer {{ wireguard_public }} allowed-ips 0.0.0.0/0
+set interfaces wireguard wg0 peer {{ wireguard_public }} allowed-ips '::0/0'
+set interfaces wireguard wg0 peer {{ wireguard_public }} endpoint 'vpn01.fftdf.de:42001'
+set interfaces wireguard wg0 private-key /config/auth/wg.key
+set interfaces wireguard wg0 route-allowed-ips false
+set protocols static interface-route6 ::/0 next-hop-interface wg0
+set protocols static table 2 interface-route 0.0.0.0/0 next-hop-interface wg0
+set protocols static table 2 interface-route6 '::/0' next-hop-interface wg0
+delete service dhcp-server
+set service dhcp-server disabled false
+set service dhcp-server hostfile-update disable
+set service dhcp-server shared-network-name LAN authoritative enable
+set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }}/24 default-router {{ ipv4_address }}
+set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }}/24 dns-server {{ ipv4_address }}
+set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }}/24 lease 86400
+set service dhcp-server shared-network-name LAN subnet {{ ipv4_address }}/24 start {{ ipv4_dhcp_start }} stop {{ ipv4_dhcp_stop }}
+set service dhcp-server static-arp disable
+set service dhcp-server use-dnsmasq disable
+set service dns forwarding cache-size 150
+set service dns forwarding listen-on switch0
+set service nat rule 5010 description 'masquerade for VPN'
+set service nat rule 5010 outbound-interface wg0
+set service nat rule 5010 protocol all
+set service nat rule 5010 type masquerade
+set service unms
+set service unms connection '{{ unms_vault_URL }}'
+set system host-name {{ inventory_hostname }}
+set system time-zone UTC

roles/10-freifunk-supernode/README.md

@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).

roles/10-freifunk-supernode/tasks/main.yml

@@ -0,0 +1,122 @@
+---
+# tasks file for 10-freifunk-supernode
+
+# Install basic packages for Supernode
+- name: Install all Packages
+  ansible.builtin.apt: 
+    name: 
+      - batctl
+      - iptables-persistent
+      - conntrack
+    state: latest
+    update_cache: yes
+
+## IP Forwarding
+- name: IPv4-Paketweiterleitung aktivieren
+  sysctl: 
+    name: "net.ipv4.conf.all.forwarding" 
+    value: 1 
+    sysctl_set: yes 
+    state: present 
+    reload: yes 
+    sysctl_file: /etc/sysctl.d/ff-ip_forwarding.conf
+
+- name: IPv6-Paketweiterleitung aktivieren
+  sysctl: 
+    name: "net.ipv6.conf.all.forwarding" 
+    value: 1 
+    sysctl_set: yes 
+    state: present 
+    reload: yes 
+    sysctl_file: /etc/sysctl.d/ff-ip_forwarding.conf
+
+- name: sysctl Reverse-Path-Filter default deaktivieren - Quellroute nicht prüfen
+  sysctl: 
+    name: "net.ipv4.conf.default.rp_filter" 
+    value: 0 
+    sysctl_set: yes 
+    state: present 
+    reload: yes 
+    sysctl_file: /etc/sysctl.d/ff-ip_forwarding.conf
+
+- name: sysctl Reverse-Path-Filter all deaktivieren - Quellroute nicht prüfen
+  sysctl: 
+    name: "net.ipv4.conf.all.rp_filter" 
+    value: 0 
+    sysctl_set: yes 
+    state: present 
+    reload: yes 
+    sysctl_file: /etc/sysctl.d/ff-ip_forwarding.conf
+
+- name: Create Routing Table 42
+  ansible.builtin.lineinfile:
+    path: /etc/iproute2/rt_tables
+    line: 42 ffrl
+    create: yes
+
+## Contrack
+- name: Enable nf_conntrack_ipv4 module
+  modprobe: 
+    name: nf_conntrack_ipv4 
+    state: present
+  when: ansible_kernel is version_compare('4.19', '<')
+
+- name: Enable nf_conntrack_ipv4 on system startup
+  blockinfile:
+    path: /etc/modules
+    marker: "# {mark} Ansible managed block"
+    block: |
+      nf_conntrack_ipv4
+  when: ansible_kernel is version_compare('4.19', '<')
+
+- name: Enable nf_conntrack module
+  modprobe: 
+   name: nf_conntrack
+   state: present
+  when: ansible_kernel is version_compare('4.19', '>=')
+
+- name: Enable nf_conntrack on system startup
+  blockinfile:
+    path: /etc/modules
+    marker: "# {mark} Ansible managed block"
+    block: |
+      nf_conntrack
+  when: ansible_kernel is version_compare('4.19', '>=')
+
+
+- name: Set nf_conntrack_max to a higher value
+  sysctl: 
+    name: "net.netfilter.nf_conntrack_max" 
+    value: 524288 
+    sysctl_set: yes 
+    state: present 
+    reload: yes 
+    sysctl_file: /etc/sysctl.d/ff-netfilter.conf
+
+- name: Set nf_conntrack_tcp_timeout_established to 86400 (one day)
+  sysctl: 
+    name: "net.netfilter.nf_conntrack_tcp_timeout_established"
+    value: 86400
+    sysctl_set: yes
+    state: present 
+    reload: yes
+    sysctl_file: /etc/sysctl.d/ff-netfilter.conf
+
+- name: Set nf_conntrack_tcp_timeout_time_wait to 60
+  sysctl: 
+    name: "net.netfilter.nf_conntrack_tcp_timeout_time_wait" 
+    value: 60 
+    sysctl_set: yes 
+    state: present 
+    reload: yes 
+    sysctl_file: /etc/sysctl.d/ff-netfilter.conf
+
+- name: Get current nf_conntrack hashsize
+  shell: "cat /sys/module/nf_conntrack/parameters/hashsize"
+  register: nf_conntrack_hashsize
+  changed_when: false
+  check_mode: no
+
+- name: Set nf_conntrack hashsize to a higher value
+  shell: "echo 32768 > /sys/module/nf_conntrack/parameters/hashsize"
+  when: "nf_conntrack_hashsize.stdout != '32768'"

roles/10.1-dhcp/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: restart isc-dhcp-server
+  service: name=isc-dhcp-server state=restarted
+
+- name: restart isc-dhcp6-server
+  service: name=isc-dhcp6-server state=restarted

roles/10.1-dhcp/tasks/main.yml

@@ -0,0 +1,22 @@
+---
+
+- name: Install Packages for DHCP Server
+  ansible.builtin.apt: 
+    name: 
+      - isc-dhcp-server
+    state: latest
+    update_cache: yes
+
+- name: create dhcp defaults 
+  template: 
+    src: isc-dhcp-server.conf.j2
+    dest: /etc/default/isc-dhcp-server
+  notify:
+    - restart isc-dhcp-server
+  
+- name: create dhcp config
+  template: 
+    src: dhcpd.conf.j2
+    dest: /etc/dhcp/dhcpd.conf
+  notify:
+    - restart isc-dhcp-server

roles/10.1-dhcp/templates/dhcpd.conf.j2

@@ -0,0 +1,17 @@
+# {{ ansible_managed }}
+
+default-lease-time 300;
+max-lease-time 1800;
+
+authoritative;
+
+log-facility local7;
+
+subnet {{ dhcp.ff_subnet }} netmask {{ dhcp.ff_netmask }} {
+    range {{dhcp.range_start}} {{dhcp.range_end}};
+
+    option routers {{ network.ff_v4_address }};
+    option domain-name-servers {{ network.ff_v4_address }};
+    option interface-mtu {{ dhcp.mtu }};
+    interface bat0;
+}

roles/10.1-dhcp/templates/isc-dhcp-server.conf.j2

@@ -0,0 +1,3 @@
+# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
+#       Separate multiple interfaces with spaces, e.g. "eth0 eth1".
+INTERFACES="bat0"

roles/10.2-named/handlers/main.yml

@@ -0,0 +1,3 @@
+---
+- name: restart bind9
+  service: name=bind9 state=restarted

roles/10.2-named/tasks/main.yml

@@ -0,0 +1,41 @@
+---
+- name: Install all Packages for Bind9
+  ansible.builtin.apt: 
+    name: 
+      - bind9
+    state: latest
+    update_cache: yes
+
+- name: create named config
+  template: 
+    src: named.conf.j2
+    dest: /etc/bind/named.conf
+  notify:
+    - restart bind9
+
+- name: create named.local config
+  template: 
+    src: named.conf.local.j2
+    dest: /etc/bind/named.conf.local
+  notify:
+    - restart bind9
+
+- name: create named.options config
+  template: 
+    src: named.conf.options.j2
+    dest: /etc/bind/named.conf.options
+  notify:
+    - restart bind9
+
+- name: create named fftdf config
+  template: 
+    src: named.fftdf.conf.j2
+    dest: /etc/bind/named.fftdf.conf
+  notify:
+    - restart bind9
+- name: create named fftdf db
+  template: 
+    src: named.fftdf.db.j2
+    dest: /etc/bind/named.fftdf.db
+  notify:
+    - restart bind9

roles/10.2-named/templates/named.conf.default-zones.j2

@@ -0,0 +1,28 @@
+// prime the server with knowledge of the root servers
+zone "." {
+	type hint;
+	file "/etc/bind/db.root";
+};
+
+// be authoritative for the localhost forward and reverse zones, and for
+// broadcast zones as per RFC 1912
+//
+//zone "localhost" {
+//	type master;
+//	file "/etc/bind/db.local";
+//};
+//
+//zone "127.in-addr.arpa" {
+//	type master;
+//	file "/etc/bind/db.127";
+//};
+//
+//zone "0.in-addr.arpa" {
+//	type master;
+//	file "/etc/bind/db.0";
+//};
+//
+//zone "255.in-addr.arpa" {
+//	type master;
+//	file "/etc/bind/db.255";
+//};

roles/10.2-named/templates/named.conf.j2

@@ -0,0 +1,12 @@
+// This is the primary configuration file for the BIND DNS server named.
+//
+// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
+// structure of BIND configuration files in Debian, *BEFORE* you customize 
+// this configuration file.
+//
+// If you are just adding zones, please do that in /etc/bind/named.conf.local
+
+include "/etc/bind/named.conf.options";
+include "/etc/bind/named.conf.local";
+include "/etc/bind/named.conf.default-zones";
+include "/etc/bind/named.fftdf.conf";

roles/10.2-named/templates/named.conf.local.j2

@@ -0,0 +1,7 @@
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";

roles/10.2-named/templates/named.conf.options.j2

@@ -21,6 +21,6 @@ options {
         dnssec-validation auto;
 
         auth-nxdomain no;    # conform to RFC1035
-        listen-on { {{ sn_mesh_IPv4 }}; };
-        listen-on-v6 { {{ sn_mesh_IPv6 }}; };
-};
+        listen-on { {{ network.ff_v4_address }}; };
+        listen-on-v6 { {{ network.ff_v6_address }}; };
+};

roles/10.2-named/templates/named.fftdf.conf.j2

@@ -0,0 +1,6 @@
+// Zone declarations for Freifunk Troisdorf
+
+zone "fftdf" {
+  type master;
+  file "/etc/bind/named.fftdf.db";
+};

roles/10.2-named/templates/named.fftdf.db.j2

@@ -0,0 +1,24 @@
+;; db.fftdf
+;; Forwardlookupzone für .fftdf
+;;
+$TTL 600
+@       IN      SOA     fftdf. root.fftdf. (
+                        2016584547      ; Serial
+                                8H      ; Refresh
+                                2H      ; Retry
+                                4W      ; Expire
+                                3H )    ; NX (TTL Negativ Cache)
+
+@                               IN      NS      troisdorf5.infra.fftdf.
+                                IN      A       10.188.32.5
+                                IN      AAAA	2a03:2260:121:2::5
+localhost			IN	A    	127.0.0.1
+				IN  	AAAA    ::1
+nextnode			IN  	A       10.188.0.1
+				IN  	AAAA    2a03:2260:121::1
+;; Update Servers
+update1.infra			IN      AAAA    2a03:2260:121:4000:6038:61ff:fe34:3461
+update2.infra			IN      AAAA    2a01:4f8:11d:600::183
+;;update3.infra			IN      AAAA    2a03:2260:121::24
+;; Unifi
+unifi				IN	A	195.201.216.131

roles/10.3-tunneldigger/files/tunneldigger.conf

@@ -0,0 +1,6 @@
+nf_conntrack_netlink
+nf_conntrack
+nfnetlink
+l2tp_netlink
+l2tp_core
+l2tp_eth

roles/10.3-tunneldigger/files/tunneldigger.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=tunneldigger tunnelling network daemon using l2tpv3 for domain %i
+After=network.target auditd.service
+
+[Service]
+Type=simple
+WorkingDirectory=/srv/tunneldigger
+ExecStart=/srv/tunneldigger/env_tunneldigger/bin/python3 -m tunneldigger_broker.main /srv/tunneldigger/broker/l2tp_broker.cfg
+KillMode=process
+KillSignal=SIGINT
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

roles/10.3-tunneldigger/handlers/main.yml

@@ -0,0 +1,2 @@
+- name: load kernel modules
+  shell: /etc/init.d/kmod start || true

roles/10.3-tunneldigger/tasks/main.yml

@@ -0,0 +1,80 @@
+- name: Install dependencies for this role
+  apt:
+    pkg: "{{ item }}"
+    state: present
+  with_items:
+    - bridge-utils
+    - ebtables
+    - git
+    - iproute2
+    - libnetfilter-conntrack-dev
+    - libnfnetlink-dev
+    - python3-dev
+    - python3-virtualenv
+    - virtualenv
+    - gcc
+    - libnl-3-dev
+    - libevent-dev
+
+- name: Get Tunneldigger
+  git: 
+    repo: https://github.com/wlanslovenija/tunneldigger
+    dest: /srv/tunneldigger
+  register: tunneldigger
+
+- name: generate virtualenv.
+  command:
+    "virtualenv -p /usr/bin/python3 env_tunneldigger"
+  args:
+    chdir: /srv/tunneldigger/
+    creates: "/srv/tunneldigger/env_tunneldigger/bin/python3"
+  when: tunneldigger.changed
+
+- name: Install python dependencies
+  command: "/srv/tunneldigger/env_tunneldigger/bin/python setup.py install"
+  args:
+    chdir: /srv/tunneldigger/broker
+  when: tunneldigger.changed
+
+- name: Copy l2tp broker config template
+  template: 
+    src: l2tp_broker.cfg.j2
+    dest: /srv/tunneldigger/l2tp_broker.cfg
+    owner: root 
+    group: root 
+    mode: 0444
+
+- name: Copy tunneldigger script template
+  template: 
+    src: bataddif.sh.j2 
+    dest: /srv/tunneldigger/bataddif.sh 
+    owner: root 
+    group: root 
+    mode: 0500
+
+- name: Copy tunneldigger scripts
+  template: 
+    src: batdelif.sh.j2
+    dest: /srv/tunneldigger/batdelif.sh
+    owner: root 
+    group: root 
+    mode: 0500
+
+- name: Copy tunneldigger service template
+  copy: 
+    src: tunneldigger.service
+    dest: /etc/systemd/system/tunneldigger.service
+    mode: 0444
+
+- name: Deploy tunneldigger.conf to /etc/modules-load.d/
+  copy: 
+    src: tunneldigger.conf 
+    dest: /etc/modules-load.d/tunneldigger.conf
+  notify: load kernel modules
+  
+- name: Tunneldigger reload
+  command: "{{item}}"
+  with_items:
+  - systemctl daemon-reload
+  - systemctl enable tunneldigger.service
+  when: tunneldigger.changed

roles/10.3-tunneldigger/templates/bataddif.sh.j2

@@ -0,0 +1,17 @@
+#!/bin/bash
+INTERFACE="$3"
+MAC="$8"
+brctl=/sbin/brctl
+BLOCKLISTE=$(/bin/cat /opt/freifunk/tunneldigger-blacklist.txt)
+wget -q -O /opt/freifunk/tunneldigger-blacklist.txt https://raw.githubusercontent.com/Freifunk-Troisdorf/tunneldigger-blockliste/master/macs.txt
+
+/bin/ip link set dev $INTERFACE up mtu 1312
+
+for i in $BLOCKLISTE;
+do
+    if [[ $i == $MAC ]]; then
+      exit 1
+    fi
+done
+
+$brctl addif br-nodes $INTERFACE

roles/10.3-tunneldigger/templates/batdelif.sh.j2

@@ -0,0 +1,4 @@
+#!/bin/bash
+INTERFACE="$3"
+
+/sbin/brctl delif br-nodes $INTERFACE

roles/10.3-tunneldigger/templates/l2tp_broker.cfg.j2

@@ -1,10 +1,10 @@
 [broker]
 ; IP address the broker will listen and accept tunnels on
-address={{ ansible_default_ipv4.address }}
+address={{ ansible_host }}
 ; Ports where the broker will listen on
-port={{ sn_l2tp_tb_port }}
+port={{ tunneldigger.td_port }}
 ; Interface with that IP address
-interface=eth0
+interface={{ tunneldigger.td_wan_interface }}
 ; Maximum number of cached cookies, required for establishing a
 ; session with the broker
 max_cookies=1024
@@ -23,6 +23,18 @@ pmtu_discovery=false
 ; namespacing to work
 namespace=troisdorf
 
+; Reject connections if there are less than N seconds since the last connection.
+; Can be less than a second (e.g., 0.1).
+connection_rate_limit=2
+
+; Set PMTU to a fixed value.  Use 0 for automatic PMTU discovery.  A non-0 value also disables
+; PMTU discovery on the client side, by having the server not respond to client-side PMTU
+; discovery probes.
+pmtu=0
+
+; The batman device of this Hood (e.g. bat2)
+batdev=bat0
+
 [log]
 ; Log filename
 filename=/var/log/tunneldigger-broker.log
@@ -48,4 +60,4 @@ session.pre-down=/srv/tunneldigger/batdelif.sh
 ; Called after the tunnel interface goes down
 session.down=
 ; Called after the tunnel MTU gets changed because of PMTU discovery
-session.mtu-changed=
+session.mtu-changed=

roles/21-docker/tasks/main.yml

@@ -0,0 +1,28 @@
+---
+- name: Install required system packages
+  apt:
+    name:
+      - apt-transport-https
+      - ca-certificates
+      - curl
+      - software-properties-common
+    state: latest
+    update_cache: true
+
+- name: Add Docker GPG apt Key
+  apt_key:
+    url: https://download.docker.com/linux/ubuntu/gpg
+    state: present
+
+- name: Add Docker Repository
+  apt_repository:
+    repo: deb https://download.docker.com/linux/ubuntu jammy stable
+    state: present
+
+- name: Update apt and install docker-ce
+  apt:
+    name: 
+      - docker-ce
+      - docker-compose
+    state: latest
+    update_cache: true

roles/21-install-oitc/tasks/main.yml

@@ -0,0 +1,29 @@
+- name: Add OITC  GPG Key
+  ansible.builtin.get_url:
+    url: https://packages.openitcockpit.io/repokey.txt
+    dest: /etc/apt/keyrings/openitcockpit-agent-keyring.asc
+
+- name: Add specified repository into sources list
+  ansible.builtin.apt_repository:
+    repo: "deb [signed-by=/etc/apt/keyrings/openitcockpit-agent-keyring.asc] https://packages.openitcockpit.io/openitcockpit-agent/deb/stable deb main"
+    state: present
+
+- name: Install OITC-Agent
+  apt: name={{ item }} state=latest update_cache=yes
+  with_items:
+    - openitcockpit-agent
+
+- name: Copy Config File
+  ansible.builtin.template:
+    src: oitc.ini.j2
+    dest: /etc/openitcockpit-agent/config.ini
+    owner: root
+    group: root
+    mode: '0775'
+  register: openitcockpit_config
+
+- name: Restart service httpd, in all cases
+  ansible.builtin.service:
+    name: openitcockpit-agent
+    state: restarted
+  when: openitcockpit_config.changed

roles/21-install-oitc/templates/oitc.ini.j2

@@ -0,0 +1,177 @@
+[default]
+#
+# This is the configuration file for the openITCOCKPIT Monitoring Agent 3.x
+# Notice: Empty values will not been ignored! If you want to disable an option like proxy comment it out!
+
+#########################
+#       Web Server      #
+#########################
+
+# Bind address of the build-in web server
+# Use 0.0.0.0 to bind on all interfaces
+address = 0.0.0.0
+
+# Port of the Agents build-in web server
+# Default port is 3333
+port = 3333
+
+#########################
+#   Security Settings   #
+#########################
+
+# Try to enable auto ssl mode for webserver
+try-autossl = True
+
+# File paths used to store autossl related files (default: /etc/openitcockpit-agent/):
+# Leave this blank to use the default values
+# Example: /etc/openitcockpit-agent/agent.csr
+#autossl-csr-file =
+
+# Example: /etc/openitcockpit-agent/agent.crt
+#autossl-crt-file =
+
+# Example: /etc/openitcockpit-agent/agent.key
+#autossl-key-file =
+
+# Example: /etc/openitcockpit-agent/server_ca.crt
+#autossl-ca-file =
+
+# If a certificate file is given, the agent will only be accessible through HTTPS
+# Instead of messing around with self-signed certificates we recommend to use the autossl feature.
+# Example: /etc/ssl/certs/ssl-cert-snakeoil.pem
+#certfile = /etc/ssl/certs/ssl-cert-snakeoil.pem
+
+# Private key file of the given TLS certificate
+# Example: /etc/ssl/private/ssl-cert-snakeoil.key
+#keyfile = /etc/ssl/private/ssl-cert-snakeoil.key
+
+# Enable remote read and write access to the current agent configuration (this file) and
+# the customchecks config
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+# ! WARNING: This could lead to remote code execution    !
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+config-update-mode = False
+
+# Enable HTTP Basic Authentication
+# Example: auth = user:password
+#auth = user:password
+
+#########################
+#        Checks         #
+#########################
+
+# Determines in seconds how often the agent will schedule all internal checks
+interval = 30
+
+# Remote Plugin Execution
+# Path to config will where custom checks can be defined
+# Comment to use the default value
+#
+# Linux: /etc/openitcockpit-agent/customchecks.ini
+# Windows: C:\Program Files\it-novum\openitcockpit-agent\customchecks.ini
+# macOS: /Applications/openitcockpit-agent/customchecks.ini
+#customchecks = /etc/openitcockpit-agent/customchecks.ini
+
+#########################
+# Enable/Disable checks #
+#########################
+
+# Enable CPU monitoring
+cpustats = True
+
+# Enable memory monitoring
+memory = True
+
+# Enable Swap monitoring
+swap = True
+
+# Enable monitoring of running processes
+processstats = True
+
+# Enable monitoring of network interfaces
+netstats = True
+
+# Enable monitoring of the traffic (I/O) of network interfaces
+netio = True
+
+# Enable disk usage monitoring
+diskstats = True
+
+# Enable monitoring of disk I/O
+diskio = True
+
+# Enable monitoring of Systemd Services (Linux only)
+systemdservices = True
+
+# Enable monitoring of Launchd Services (macOS only)
+launchdservices = True
+
+# Enable monitoring of Windows Services (Windows only)
+winservices = True
+
+# Enable monitoring of Windows Event Log records (Windows only)
+wineventlog = False
+
+# Determines how the openITCOCKPIT Monitoring Agent should query the Windows Event Log.
+# Since Version 3.0.9 WMI (Windows Management Instrumentation) will be used by default
+# As alternative the Agent could use the PowerShell Get-EventLog cmdlet.
+# The WMI method will maybe memory leak on Windows Server 2016. The PowerShell workaround
+# on the other hand could lead to blue screens (OA-40).
+wineventlog-method = WMI
+#wineventlog-method = PowerShell
+
+# Define comma separated windows event log log types
+# Event Logs containing spaces DO NOT need to be quoted: Security,Sophos Cloud AD Sync,Application
+wineventlog-logtypes = System,Application,Security
+
+# Enable monitoring of temperature and battery sensors
+sensorstats = True
+
+# Enable support to monitor Docker containers
+# Known issues: Error response from daemon: client version 1.41 is too new. Maximum supported API version is 1.40
+# Workaround: export DOCKER_API_VERSION=1.40
+dockerstats = False
+
+# Check KVMs through libvirt
+# This requires to complie the openITCOCKPIT Monitoring Agent by yourself.
+# Please see the Wiki for instructions: https://github.com/it-novum/openitcockpit-agent-go/wiki/Build-binary
+libvirt = True
+
+# Enable logged in users check
+userstats = True
+
+#########################
+#       Push mode       #
+#########################
+
+# By default openITCOCKPIT will pull check results from the openITCOCKPIT Agent.
+# In a cloud environments or behind a NAT network it could become handy
+# if the openITCOCKPIT Monitoring Agent will push the results to your openITCOCKPIT Server
+[oitc]
+
+# Enable Push Mode
+enabled = False
+
+# This option disables the webserver of the openITCOCKPIT Monitoring Agent when running in PUSH mode.
+# When you also want to enable the Webserver even if the agent is running in PUSH mode we highly recommend
+# to enable HTTP Basic Authentication and to use the certfile and keyfile options to enable HTTPS
+enable-webserver = False
+
+# Address of your openITCOCKPIT Server where the Agent will push the results to
+# Example: https://demo.openitcockpit.io
+url = 
+
+# Enable this option when your openITCOCKPIT server uses valid TLS certificates
+# like from Let's Encrypt
+verify-server-certificate = False
+
+# Timeout in seconds for the HTTP push client
+timeout = 10
+
+# API-Key of your openITCOCKPIT Server
+apikey = 
+
+# Address of HTTP/HTTPS Proxy if required.
+# Comment to disable
+# Example: http://10.10.1.10:3128
+#proxy = http://10.10.1.10:3128

roles/21-install-wireguard/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: reconfigure wireguard
+  ansible.builtin.service:
+    name: "wg-quick@vpn01"
+    state: restarted

roles/21-install-wireguard/tasks/main.yml

@@ -0,0 +1,91 @@
+- name: Install Wireguard
+  apt: name={{ item }} state=latest update_cache=yes
+  with_items:
+    - wireguard
+
+
+- name: Register if config/private key already exists on target host
+  ansible.builtin.stat:
+    path: /etc/wireguard/vpn01.conf
+  register: wireguard__register_config_file
+  tags:
+    - wg-generate-keys
+    - wg-config
+
+- name: WireGuard private key handling for new keys
+  block:
+    - name: Generate WireGuard private key
+      ansible.builtin.command: "wg genkey"
+      register: wireguard__register_private_key
+      changed_when: false
+      tags:
+        - wg-generate-keys
+
+    - name: Set private key fact
+      ansible.builtin.set_fact:
+        wireguard_private_key: "{{ wireguard__register_private_key.stdout }}"
+      tags:
+        - wg-generate-keys
+  when:
+    - not wireguard__register_config_file.stat.exists
+    - wireguard_private_key is not defined
+
+- name: WireGuard private key handling for existing keys
+  block:
+    - name: Read WireGuard config file
+      ansible.builtin.slurp:
+        src: /etc/wireguard/vpn01.conf
+      register: wireguard__register_config
+      tags:
+        - wg-config
+
+    - name: Set private key fact
+      ansible.builtin.set_fact:
+        wireguard_private_key: "{{ wireguard__register_config['content'] | b64decode | regex_findall('PrivateKey = (.*)') | first }}"
+      tags:
+        - wg-config
+  when:
+    - wireguard__register_config_file.stat.exists
+    - wireguard_private_key is not defined
+
+- name: Derive WireGuard public key
+  ansible.builtin.command: "wg pubkey"
+  args:
+    stdin: "{{ wireguard_private_key }}"
+  register: wireguard__register_public_key
+  changed_when: false
+  check_mode: false
+  tags:
+    - wg-config
+
+- name: Set public key fact
+  ansible.builtin.set_fact:
+    wireguard__fact_public_key: "{{ wireguard__register_public_key.stdout }}"
+  tags:
+    - wg-config
+
+- name: Create WireGuard configuration directory
+  ansible.builtin.file:
+    dest: /etc/wireguard/
+    state: directory
+    mode: 0700
+  tags:
+    - wg-config
+
+- name: Generate WireGuard configuration file
+  ansible.builtin.template:
+    src: wg.conf.j2
+    dest: /etc/wireguard/vpn01.conf
+    owner: root
+    group: root
+    mode: 755
+  tags:
+    - wg-config
+  notify:
+    - reconfigure wireguard
+
+- name: Start and enable WireGuard service
+  ansible.builtin.service:
+    name: "wg-quick@vpn01"
+    state: started
+    enabled: yes

roles/21-install-wireguard/templates/wg.conf.j2

@@ -0,0 +1,32 @@
+#jinja2: lstrip_blocks:"True",trim_blocks:"True"
+# {{ ansible_managed }}
+# PublicKey: {{ wireguard__register_public_key.stdout }}
+
+[Interface]
+# {{ inventory_hostname }}
+Address = {{ wireguard_address }}
+PrivateKey = {{ wireguard_private_key }}
+ListenPort = {{ wireguard_port }}
+MTU = 1380
+
+
+{% if wireguard_unmanaged_peers is defined %}
+# Peers not managed by Ansible from "wireguard_unmanaged_peers" variable
+{% for peer in wireguard_unmanaged_peers.keys() %}
+[Peer]
+# {{ peer }}
+PublicKey = {{ wireguard_unmanaged_peers[peer].public_key }}
+{%     if wireguard_unmanaged_peers[peer].preshared_key is defined %}
+PresharedKey = {{ wireguard_unmanaged_peers[peer].preshared_key }}
+{%     endif %}
+{%     if wireguard_unmanaged_peers[peer].allowed_ips is defined %}
+AllowedIPs = {{ wireguard_unmanaged_peers[peer].allowed_ips }}
+{%     endif %}
+{%     if wireguard_unmanaged_peers[peer].endpoint is defined %}
+Endpoint = {{ wireguard_unmanaged_peers[peer].endpoint }}
+{%     endif %}
+{%     if wireguard_unmanaged_peers[peer].persistent_keepalive is defined %}
+PersistentKeepalive = {{ wireguard_unmanaged_peers[peer].persistent_keepalive }}
+{%     endif %}
+{%   endfor %}
+{% endif %}

roles/21.1-portainer-compose/files/portainer.yml

@@ -0,0 +1,106 @@
+version: "3"
+services:
+  portainer:
+    image: portainer/portainer-ce:2.18.1
+    ports:
+      - 9443:9443
+    volumes:
+      - portainer_data:/data
+      - /var/run/docker.sock:/var/run/docker.sock
+    networks:
+      - traefik-public
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-public
+      - traefik.constraint-label=traefik-public
+      - traefik.http.routers.portainer-http.rule=Host(`portainer-unifi.freifunk-troisdorf.de`)
+      - traefik.http.routers.portainer-http.entrypoints=http
+      - traefik.http.routers.portainer-http.middlewares=https-redirect
+      - traefik.http.routers.portainer-http.service=portainer
+      - traefik.http.routers.portainer-https.rule=Host(`portainer-unifi.freifunk-troisdorf.de`)
+      - traefik.http.routers.portainer-https.entrypoints=https
+      - traefik.http.routers.portainer-https.tls=true
+      - traefik.http.routers.portainer-https.tls.certresolver=le
+      - traefik.http.routers.portainer-https.service=portainer
+      - traefik.http.services.portainer.loadbalancer.server.port=9000
+
+
+  traefik:
+    image: traefik:v2.4.8
+    ports:
+      # Listen on port 80, default for HTTP, necessary to redirect to HTTPS
+      - 80:80
+      # Listen on port 443, default for HTTPS
+      - 443:443
+      # Listen on 2222 for SSH Gitea
+      - 2222:2222
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network=traefik-public
+      - traefik.constraint-label=traefik-public
+      - traefik.http.middlewares.admin-auth.basicauth.users=admin:$$2y$$05$$HmqkgwL5AxrYrwBWvvlVIuMVb5UMWrrChmhmRYFFkMXpLCFgi60US
+      - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
+      - traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
+      - traefik.http.routers.traefik-public-http.rule=Host(`traefik-unifi.freifunk-troisdorf.de`)
+      - traefik.http.routers.traefik-public-http.entrypoints=http
+      - traefik.http.routers.traefik-public-http.middlewares=https-redirect
+      - traefik.http.routers.traefik-public-https.rule=Host(`traefik-unifi.freifunk-troisdorf.de`)
+      - traefik.http.routers.traefik-public-https.entrypoints=https
+      - traefik.http.routers.traefik-public-https.tls=true
+      # Use the special Traefik service api@internal with the web UI/Dashboard
+      - traefik.http.routers.traefik-public-https.service=api@internal
+      # Use the "le" (Let's Encrypt) resolver created below
+      - traefik.http.routers.traefik-public-https.tls.certresolver=le
+      # Enable HTTP Basic auth, using the middleware created above
+      - traefik.http.routers.traefik-public-https.middlewares=admin-auth
+      # Define the port inside of the Docker service to use
+      - traefik.http.services.traefik-public.loadbalancer.server.port=8080
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - traefik-public-certificates:/certificates
+      #- /opt/docker/traefik:/etc/traefik
+    command:
+      # Enable Docker in Traefik, so that it reads labels from Docker services
+      - --providers.docker
+      # Add a constraint to only use services with the label "traefik.constraint-label=traefik-public"
+      - --providers.docker.constraints=Label(`traefik.constraint-label`, `traefik-public`)
+      # Do not expose all Docker services, only the ones explicitly exposed
+      - --providers.docker.exposedbydefault=false
+      # Enable Docker Swarm mode
+      #- --providers.docker.swarmmode
+      # Create an entrypoint "http" listening on port 80
+      - --entrypoints.http.address=:80
+      # Create an entrypoint "https" listening on port 443
+      - --entrypoints.https.address=:443
+      # Create an entrypoint for SSH
+      - --entrypoints.ssh.address=:2222/tcp
+      # Create an entrypoint for DNS
+      #- --entrypoints.dns-tcp.address=:5353/tcp
+      # Create an entrypoint for DNS
+      #- --entrypoints.dns-udp.address=:5353/udp
+      # Create the certificate resolver "le" for Let's Encrypt, uses the environment variable EMAIL
+      - --certificatesresolvers.le.acme.email=info@hoffmann-hosting.de
+      # Store the Let's Encrypt certificates in the mounted volume
+      - --certificatesresolvers.le.acme.storage=/certificates/acme.json
+      # Use the TLS Challenge for Let's Encrypt
+      - --certificatesresolvers.le.acme.tlschallenge=true
+      # Enable the access log, with HTTP requests
+      - --accesslog
+      # Enable the Traefik log, for configurations and errors
+      - --log
+      # Enable the Dashboard and API
+      - --api
+      - --serverstransport.insecureskipverify=true
+    networks:
+      # Use the public network created to be shared between Traefik and
+      # any other service that needs to be publicly available with HTTPS
+      - traefik-public
+
+volumes:
+  traefik-public-certificates:
+  portainer_data:
+
+networks:
+  traefik-public:
+    driver: bridge
+    attachable: true

roles/21.1-portainer-compose/tasks/main.yml

@@ -0,0 +1,11 @@
+---
+- name: Create Docker Folder
+  ansible.builtin.file:
+    path: /opt/docker
+    state: directory
+    mode: '0755'
+
+- name: Copy Docker-Compose File
+  copy: 
+    src: portainer.yml
+    dest: /opt/docker/docker-compose.yml

roles/vyos-config/tasks/main.yml

@@ -0,0 +1,3 @@
+- name: render a Jinja2 template onto the VyOS router
+  vyos.vyos.vyos_config:
+    src: config.j2

roles/vyos-config/templates/config.j2

@@ -0,0 +1,422 @@
+interfaces {
+    ethernet eth0 {
+        address {{ wan_address }}{{ wan_net }}
+        description WAN
+    }
+    ethernet eth1 {
+        address {{ lan_address }}/24
+        description "Freifunk WAN"
+        ipv6 {
+            address {
+                autoconf
+            }
+        }
+    }
+    loopback lo {
+        address {{ ffrl_address }}/32
+        address {{ ffrl_address_v6 }}
+    }
+    tunnel tun0 {
+        address {{ gre_ber_a_address }}{{gre_bb_transfer_net}}
+        address {{ gre_ber_a_address_v6 }}{{ gre_bb_transfer_net_v6 }}
+        description {{ gre_ber_a_description }}
+        encapsulation gre
+        remote {{ gre_ber_a_remote }}
+        source-address {{ wan_address }}
+    }
+    tunnel tun1 {
+        address {{ gre_ber_b_address }}{{gre_bb_transfer_net}}
+        address {{ gre_ber_b_address_v6 }}{{ gre_bb_transfer_net_v6 }}
+        description {{ gre_ber_b_description }}
+        encapsulation gre
+        remote {{ gre_ber_b_remote }}
+        source-address {{ wan_address }}
+    }
+    tunnel tun2 {
+        address {{ gre_a_dus_address }}{{gre_bb_transfer_net}}
+        address {{ gre_a_dus_address_v6 }}{{ gre_bb_transfer_net_v6 }}
+        description {{ gre_a_dus_description }}
+        encapsulation gre
+        remote {{ gre_a_dus_remote }}
+        source-address {{ wan_address }}
+    }
+    tunnel tun3 {
+        address {{ gre_b_dus_address }}{{gre_bb_transfer_net}}
+        address {{ gre_b_dus_address_v6 }}{{ gre_bb_transfer_net_v6 }}
+        description {{ gre_b_dus_description }}
+        encapsulation gre
+        remote {{ gre_b_dus_remote }}
+        source-address {{ wan_address }}
+    }
+    tunnel tun4 {
+        address {{ gre_a_fra_address }}{{gre_bb_transfer_net}}
+        address {{ gre_a_fra_address_v6 }}{{ gre_bb_transfer_net_v6 }}
+        description {{ gre_a_fra_description }}
+        encapsulation gre
+        remote {{ gre_a_fra_remote }}
+        source-address {{ wan_address }}
+    }
+    tunnel tun5 {
+        address {{ gre_b_fra_address }}{{gre_bb_transfer_net}}
+        address {{ gre_b_fra_address_v6 }}{{ gre_bb_transfer_net_v6 }}
+        description {{ gre_b_fra_description }}
+        encapsulation gre
+        remote {{ gre_b_fra_remote }}
+        source-address {{ wan_address }}
+    }
+}
+nat {
+    source {
+        rule 1 {
+            outbound-interface any
+            source {
+                address {{ lan_network }}
+            }
+            translation {
+                address {{ ffrl_address }}
+            }
+        }
+    }
+}
+policy {
+    local-route {
+        rule 10 {
+            set {
+                table 42
+            }
+            source {{ wan_address }}
+        }
+    }
+    prefix-list FFRL-IN {
+        rule 10 {
+            action permit
+            prefix 0.0.0.0/0
+        }
+    }
+    prefix-list FFRL-OUT {
+        rule 10 {
+            action permit
+            prefix {{ ffrl_address }}/32
+        }
+    }
+    prefix-list6 FFRL-IN-6 {
+        rule 10 {
+            action permit
+            prefix ::/0
+        }
+    }
+    prefix-list6 FFRL-OUT-6 {
+        rule 10 {
+            action permit
+            prefix {{ ffrl_net_v6 }}
+        }
+    }
+    route-map FFRL-IN {
+        rule 10 {
+            action permit
+            match {
+                ip {
+                    address {
+                        prefix-list FFRL-IN
+                    }
+                }
+            }
+        }
+    }
+    route-map FFRL-OUT {
+        rule 10 {
+            action permit
+            match {
+                ip {
+                    address {
+                        prefix-list FFRL-OUT
+                    }
+                }
+            }
+        }
+    }
+    route-map FFRL-IN-6 {
+        rule 10 {
+            action permit
+            match {
+                ipv6 {
+                    address {
+                        prefix-list FFRL-IN-6
+                    }
+                }
+            }
+        }
+    }
+    route-map FFRL-OUT-6 {
+        rule 10 {
+            action permit
+            match {
+                ipv6 {
+                    address {
+                        prefix-list FFRL-OUT-6
+                    }
+                }
+            }
+        }
+    }
+}
+protocols {
+    bgp {
+        address-family {
+            ipv4-unicast {
+                network {{ ffrl_address }}/32 {
+                }
+            }
+            ipv6-unicast {
+                network {{ ffrl_net_v6 }} {
+                }
+            }
+        }
+        neighbor {{ gre_ber_a_neighbor }} {
+            address-family {
+                ipv4-unicast {
+                    route-map {
+                        export FFRL-OUT
+                        import FFRL-IN
+                    }
+                }
+            }
+            description {{ gre_ber_a_description }}
+            remote-as {{ gre_bb_renote_as }}
+            update-source {{ gre_ber_a_address }}
+        }
+        neighbor {{ gre_ber_b_neighbor }} {
+            address-family {
+                ipv4-unicast {
+                    route-map {
+                        export FFRL-OUT
+                        import FFRL-IN
+                    }
+                }
+            }
+            description {{ gre_ber_b_description }}
+            remote-as {{ gre_bb_renote_as }}
+            update-source {{ gre_ber_b_address }}
+        }
+        neighbor {{ gre_a_dus_neighbor }} {
+            address-family {
+                ipv4-unicast {
+                    route-map {
+                        export FFRL-OUT
+                        import FFRL-IN
+                    }
+                }
+            }
+            description {{ gre_a_dus_description }}
+            remote-as {{ gre_bb_renote_as }}
+            update-source {{ gre_a_dus_address }}
+        }
+        neighbor {{ gre_b_dus_neighbor }} {
+            address-family {
+                ipv4-unicast {
+                    route-map {
+                        export FFRL-OUT
+                        import FFRL-IN
+                    }
+                }
+            }
+            description {{ gre_b_dus_description }}
+            remote-as {{ gre_bb_renote_as }}
+            update-source {{ gre_b_dus_address }}
+        }
+        neighbor {{ gre_a_fra_neighbor }} {
+            address-family {
+                ipv4-unicast {
+                    route-map {
+                        export FFRL-OUT
+                        import FFRL-IN
+                    }
+                }
+            }
+            description {{ gre_a_fra_description }}
+            remote-as {{ gre_bb_renote_as }}
+            update-source {{ gre_a_fra_address }}
+        }
+        neighbor {{ gre_b_fra_neighbor }} {
+            address-family {
+                ipv4-unicast {
+                    route-map {
+                        export FFRL-OUT
+                        import FFRL-IN
+                    }
+                }
+            }
+            description {{ gre_b_fra_description }}
+            remote-as {{ gre_bb_renote_as }}
+            update-source {{ gre_b_fra_address }}
+        }
+        neighbor {{ gre_ber_a_neighbor_v6 }} {
+            address-family {
+                ipv6-unicast {
+                    route-map {
+                        export FFRL-OUT-6
+                        import FFRL-IN-6
+                    }
+                }
+            }
+            remote-as {{ gre_bb_renote_as }}
+            update-source {{ gre_ber_a_address_v6 }}
+        }
+        neighbor {{ gre_ber_b_neighbor_v6 }} {
+            address-family {
+                ipv6-unicast {
+                    route-map {
+                        export FFRL-OUT-6
+                        import FFRL-IN-6
+                    }
+                }
+            }
+            remote-as {{ gre_bb_renote_as }}
+            update-source {{ gre_ber_b_address_v6 }}
+        }
+        neighbor {{ gre_a_dus_neighbor_v6 }} {
+            address-family {
+                ipv6-unicast {
+                    route-map {
+                        export FFRL-OUT-6
+                        import FFRL-IN-6
+                    }
+                }
+            }
+            remote-as {{ gre_bb_renote_as }}
+            update-source {{ gre_a_dus_address_v6 }}
+        }
+        neighbor {{ gre_b_dus_neighbor_v6 }} {
+            address-family {
+                ipv6-unicast {
+                    route-map {
+                        export FFRL-OUT-6
+                        import FFRL-IN-6
+                    }
+                }
+            }
+            remote-as {{ gre_bb_renote_as }}
+            update-source {{ gre_b_dus_address_v6 }}
+        }
+        neighbor {{ gre_a_fra_neighbor_v6 }} {
+            address-family {
+                ipv6-unicast {
+                    route-map {
+                        export FFRL-OUT-6
+                        import FFRL-IN-6
+                    }
+                }
+            }
+            remote-as {{ gre_bb_renote_as }}
+            update-source {{ gre_a_fra_address_v6 }}
+        }
+        neighbor {{ gre_b_fra_neighbor_v6 }} {
+            address-family {
+                ipv6-unicast {
+                    route-map {
+                        export FFRL-OUT-6
+                        import FFRL-IN-6
+                    }
+                }
+            }
+            remote-as {{ gre_bb_renote_as }}
+            update-source {{ gre_b_fra_address_v6 }}
+        }
+        parameters {
+            router-id {{ wan_address }}
+        }
+        system-as {{ gre_bb_local_as }}
+    }
+    static {
+        table 42 {
+            route 0.0.0.0/0 {
+                next-hop {{ wan_gateway }} {
+                }
+            }
+        }
+    }
+}
+service {
+    ntp {
+        allow-client {
+            address 0.0.0.0/0
+            address ::/0
+        }
+        server time1.vyos.net {
+        }
+        server time2.vyos.net {
+        }
+        server time3.vyos.net {
+        }
+    }
+    router-advert {
+        interface eth1 {
+            default-lifetime 300
+            default-preference high
+            hop-limit 64
+            interval {
+                max 30
+            }
+            link-mtu 1500
+            name-server 2606:4700:4700::1111
+            prefix {{ ffrl_net_v6 }} {
+                preferred-lifetime 300
+                valid-lifetime 900
+            }
+            reachable-time 90000
+            retrans-timer 0
+        }
+    }
+    ssh {
+        port 22
+    }
+}
+system {
+    config-management {
+        commit-revisions 100
+    }
+    conntrack {
+        modules {
+            ftp
+            h323
+            nfs
+            pptp
+            sip
+            sqlnet
+            tftp
+        }
+    }
+    console {
+        device ttyS0 {
+            speed 115200
+        }
+    }
+    host-name {{ inventory_hostname }}
+    login {
+        banner {
+            post-login "Welcome to the core Freifunk Router for Troisdorf!\n\nEnjoy it while you are here!\n"
+        }
+        user vyos {
+            authentication {
+                public-keys nils {
+                    key AAAAB3NzaC1yc2EAAAADAQABAAACAQCvwA3/NDj7Oo28Q1XdRIgOp//35gFVvsDa1dnMkgRDqJYvlIDbRiQ+UIcgu5YhstPb8BAxfvqjRP4rnMKc7v69T2Lp+HOMx+1sOYrznEe2hC5lPr4+U1u4Fzqhq/keSoItifmdTgrE+01Zc5jMBosUIm79TDgEMuEGcYVJIyAzDv9ez4u+Bz/HubRO+qT/+UmOICEg9m/C+fiH/ZAJHi90dMsj7RF5YXrRHXTAdiecurwGAZx2Adug1fFTvzB1pqBUHje1PFtEI+LheYklpNtiJo8NQ2KDEiavSxBibJrywzQHaddf0bkeAhmiNY8PRoMpMNeiu94DyNFWgdm7bLzdzrN/o5U7MlnJlcn8D1tLtdp0ngTxaN6VIywI8mQ/Ukxz8p2Ce49vu6osz4CvYhKx4mrvOSmqg9VjKcL6/rIwK7y5CWgIrddktxrSpUHXkzoQSefgZ5Bnu3CNp0GixWV5JTHnFxCulJAGi3TTqx7IvsJ8gpuKkeGnIgnDhFbqVOKeEEnR13tTCJ7MgPQ+VHREQ68u73a5TfDxJd/ggnG4tQ67HOcqxwa74+X1lv7YiJ3AvbrR7FFPNM3o5N8ZmZWhBLDaUHrjElHkZdB/V2l2bCblWhD0INCYoskuK1dFGdf3gQQeKOivGzKtzI0xNKutrxfvarkikxCEV3Exj889rQ==
+                    type ssh-rsa
+                }
+                public-keys stefan {
+                    key AAAAB3NzaC1yc2EAAAADAQABAAABAQDM0d9uUUdkK80fYEAz+IwxbhQO2qsr87Q4uxxwqQCvjVWryL+IuKMBJJGroWDMz2d9UJcIXEYdMz4436U0DoPJuoXe5iDsVvum3Vz3276My+tqx1bZWCktPa8Isft7mO/wfELNjRNQduUiwh2y712s7/3GQI+5Rs/65HuLHTnpLKrlfptqmsmYw+IUFDzGwBLJ6sqP90ywjKkperPCAH3IWcTsQwnW3EJFPToMg6BrQslZlxx/z+co3e6jCWzUuuIRP9jp4SmNVfYaVGb1cOFdL1p1P0qWHBHdGUnXHZ+c773VKVSj+spUBxKGqNC1EhRCYTsPDLVrYrhKl2BRLcgB
+                    type ssh-rsa
+                }
+            }
+        }
+    }
+    syslog {
+        global {
+            facility all {
+                level info
+            }
+            facility protocols {
+                level debug
+            }
+        }
+    }
+}

system-setup-supernode.yml

@@ -0,0 +1,14 @@
+# ansible-playbook -i hosts.yml system-setup-supernode.yml -e vault.yml --ask-vault-password
+- name: System preperation
+  hosts: freifunk_supernodes
+  roles:
+    - 00-ubuntu-basic
+    - 21-install-oitc
+
+- name: VPN Offloader Setup
+  hosts: freifunk_supernodes
+  roles:
+    - 10-freifunk-supernode
+    - 10.1-dhcp
+    - 10.2-named
+    - 10.3-tunneldigger

system-setup-unifi.yml

@@ -0,0 +1,16 @@
+# ansible-playbook -i hosts.yml system-setup-unifi.yml
+- name: System preperation
+  hosts: service_server
+  roles:
+    - 00-ubuntu-basic
+
+- name: Docker Setup
+  hosts: unifi
+  roles:
+    - 21-docker
+    - 21.1-portainer-compose
+
+- name: Docker Setup
+  hosts: uisp
+  roles:
+    - 21-docker

system-setup.yml

@@ -0,0 +1,17 @@
+# ansible-playbook -i hosts.yml system-setup.yml -e vault.yml --ask-vault-password
+- name: System preperation
+  hosts: supernodes
+  roles:
+    - 00-ubuntu-basic
+    - 21-install-oitc
+
+- name: VPN Offloader Setup
+  hosts: vpn_offloader_wireguard
+  roles:
+    - 01-vpn-offloader-setup
+    - 21-install-wireguard
+
+- name: VPN Offloader Setup
+  hosts: vpn_offloader_openvpn
+  roles:
+    - 01-vpn-offloader-setup

update_wg.yml

@@ -0,0 +1,10 @@
+# ansible-playbook -i hosts.yml update_wg.yml -e vault.yml --ask-vault-password
+- name: System preperation
+  hosts: vpn-offloader-wireguard
+  roles:
+     - 21-install-wireguard
+
+- name: System preperation
+  hosts: edge_router
+  roles:
+     - 01-vpn-router-config

vyos_config.yml

@@ -0,0 +1,6 @@
+# ansible-playbook -i hosts.yml vyos_config.yml
+- name: System preperation
+  hosts: router
+  roles:
+    - vyos-config
+  gather_facts: no