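---
# tasks file for 10-freifunk-supernode
#
# Prepares a Freifunk supernode: installs the base packages, turns the host
# into an IPv4/IPv6 router, adds the "ffrl" policy-routing table and tunes
# netfilter connection tracking. Every sysctl is persisted under
# /etc/sysctl.d/ so it survives a reboot.

# Install basic packages for Supernode
- name: Install all Packages
  ansible.builtin.apt:
    name:
      - batctl
      - iptables-persistent
      - conntrack
    # `latest` upgrades these packages on every run (not just installs them);
    # `update_cache` refreshes the apt index first.
    state: latest
    update_cache: true

## IP Forwarding
# Forwarding is switched on for all interfaces. The netfilter rules that
# restrict what may be forwarded are expected to come from iptables-persistent
# (installed above), not from this tasks file.
- name: IPv4-Paketweiterleitung aktivieren
  ansible.posix.sysctl:
    name: net.ipv4.conf.all.forwarding
    value: "1"
    sysctl_set: true
    state: present
    reload: true
    sysctl_file: /etc/sysctl.d/ff-ip_forwarding.conf

- name: IPv6-Paketweiterleitung aktivieren
  ansible.posix.sysctl:
    name: net.ipv6.conf.all.forwarding
    value: "1"
    sysctl_set: true
    state: present
    reload: true
    sysctl_file: /etc/sysctl.d/ff-ip_forwarding.conf

# rp_filter=0 disables the kernel's reverse-path (source address) check on
# every interface, presumably because supernode traffic is routed
# asymmetrically over the tunnels -- confirm. With it off, anti-spoofing
# filtering has to be done by the firewall rules instead.
- name: sysctl Reverse-Path-Filter default deaktivieren - Quellroute nicht prüfen
  ansible.posix.sysctl:
    name: net.ipv4.conf.default.rp_filter
    value: "0"
    sysctl_set: true
    state: present
    reload: true
    sysctl_file: /etc/sysctl.d/ff-ip_forwarding.conf

- name: sysctl Reverse-Path-Filter all deaktivieren - Quellroute nicht prüfen
  ansible.posix.sysctl:
    name: net.ipv4.conf.all.rp_filter
    value: "0"
    sysctl_set: true
    state: present
    reload: true
    sysctl_file: /etc/sysctl.d/ff-ip_forwarding.conf

# Policy-routing table 42 named "ffrl". lineinfile matches the exact line, so
# re-running does not append a duplicate; `create` handles a missing file.
- name: Create Routing Table 42
  ansible.builtin.lineinfile:
    path: /etc/iproute2/rt_tables
    line: "42 ffrl"
    create: true

## Contrack
# Kernels before 4.19 ship IPv4 conntrack as its own module (nf_conntrack_ipv4);
# from 4.19 on it is folded into nf_conntrack. Exactly one of the two pairs
# below runs, and both write to /etc/modules under the same marker, so a kernel
# upgrade across 4.19 replaces the managed block instead of adding a second one.
- name: Enable nf_conntrack_ipv4 module
  community.general.modprobe:
    name: nf_conntrack_ipv4
    state: present
  when: ansible_kernel is version('4.19', '<')

- name: Enable nf_conntrack_ipv4 on system startup
  ansible.builtin.blockinfile:
    path: /etc/modules
    marker: "# {mark} Ansible managed block"
    block: |
      nf_conntrack_ipv4
  when: ansible_kernel is version('4.19', '<')

- name: Enable nf_conntrack module
  community.general.modprobe:
    name: nf_conntrack
    state: present
  when: ansible_kernel is version('4.19', '>=')

- name: Enable nf_conntrack on system startup
  ansible.builtin.blockinfile:
    path: /etc/modules
    marker: "# {mark} Ansible managed block"
    block: |
      nf_conntrack
  when: ansible_kernel is version('4.19', '>=')

# Conntrack sizing: a supernode tracks many concurrent flows, so the table
# is enlarged and established TCP entries are kept for a day while TIME_WAIT
# entries are expired quickly.
- name: Set nf_conntrack_max to a higher value
  ansible.posix.sysctl:
    name: net.netfilter.nf_conntrack_max
    value: "524288"
    sysctl_set: true
    state: present
    reload: true
    sysctl_file: /etc/sysctl.d/ff-netfilter.conf

- name: Set nf_conntrack_tcp_timeout_established to 86400 (one day)
  ansible.posix.sysctl:
    name: net.netfilter.nf_conntrack_tcp_timeout_established
    value: "86400"
    sysctl_set: true
    state: present
    reload: true
    sysctl_file: /etc/sysctl.d/ff-netfilter.conf

- name: Set nf_conntrack_tcp_timeout_time_wait to 60
  ansible.posix.sysctl:
    name: net.netfilter.nf_conntrack_tcp_timeout_time_wait
    value: "60"
    sysctl_set: true
    state: present
    reload: true
    sysctl_file: /etc/sysctl.d/ff-netfilter.conf

# The hash table size is a module parameter, not a sysctl, so it is read and
# written through sysfs. Reading needs no shell features (plain `command`);
# `check_mode: false` lets the read run in --check so the comparison below
# still works. The value is registered as `nf_conntrack_hashsize.stdout`.
- name: Get current nf_conntrack hashsize
  ansible.builtin.command: cat /sys/module/nf_conntrack/parameters/hashsize
  register: nf_conntrack_hashsize
  changed_when: false
  check_mode: false

# The redirection requires a real shell. This writes the live value only; it
# does not survive a reboot unless the size is also set elsewhere (e.g. as a
# module option) -- confirm that the role covers that.
- name: Set nf_conntrack hashsize to a higher value
  ansible.builtin.shell: echo 32768 > /sys/module/nf_conntrack/parameters/hashsize
  when: nf_conntrack_hashsize.stdout != '32768'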