# First install ssh-key at remote computer # In case of python error start: # ansible troisdorf4 -u root -m raw -a "apt-get update && apt-get install python -y" - name: Install Freifunk Troisdorf super node # hosts: FreifunkSupernodesL2TP hosts: '{{ target }}' sudo: False user: root gather_facts: False vars: snversion: master_v3.1.4 batmanversion: v2017.4 common_required_packages: - git - make - gcc - build-essential - pkg-config - libgps-dev - libnl-3-dev - libjansson-dev - isc-dhcp-server - libcap-dev - iproute - libnetfilter-conntrack3 - python-dev - libevent-dev - ebtables - python-virtualenv - iptables-persistent - iftop - screen - bridge-utils - tcpdump - bind9 - radvd - curl - htop - psmisc - dnsutils - ntp - libnl-genl-3-dev - virtualenv - batman-adv - batctl - libffi-dev - libnetfilter-conntrack-dev - libnfnetlink-dev modules_required: - batman-adv - nf_conntrack_netlink - nf_conntrack - nfnetlink - l2tp_netlink - l2tp_core - l2tp_eth tunneldigger_scripts: - start-broker.sh # - start-broker-backup.sh - batdelif.sh tunneldigger_service: - tunneldigger.service # - tunneldigger-backup.service broker_cfg: # - l2tp_broker-backup.cfg - l2tp_broker.cfg # bind_zone_fftdf: # - named.conf.fftdf # check_gw_script: # - keepalive.sh authorized_keys: - authorized_keys logrotate_config: - logrotate.conf # supernode_config: # - supernode.mode # - loadbalancing.mode tasks: - name: Remove cdrom in sources.list raw: "sed -i '/deb cdrom/c\\#' /etc/apt/sources.list" - name: Make this server ansible compatible raw: "apt-get update && apt-get install python apt-transport-https dirmngr -y" - name: Adding Freifuck GPG Key raw: "apt-key adv --keyserver keyserver.ubuntu.com --recv-keys B2522557E6AB9BF5" # apt_key: # id: B2522557E6AB9BF5 # url: https://keyserver.ubuntu.com # url: https://pool.sks-keyservers.net # url: https://sks.pod01.fleetstreetops.com # state: present - name: Add Freifuck repo to source list apt_repository: repo='deb https://freifuck.de/debian stretch main' state=present - name: Add backport repo to source list apt_repository: repo='deb http://http.debian.net/debian stretch-backports main' state=present - name: Update apt cache apt: update_cache=yes - name: Gathering facts setup: - name: Set IPv4 in hostfile lineinfile: dest=/etc/hosts regexp='^{{ ansible_default_ipv4.address }}' line='{{ ansible_default_ipv4.address }} {{ sn_hostname }}.{{ sn_fqdn }} {{ sn_hostname }}' owner=root group=root mode=0644 state=present - name: Set IPv6 in hostfile lineinfile: dest=/etc/hosts regexp='^{{ ansible_default_ipv6.address }}' line='{{ ansible_default_ipv6.address }} {{ sn_hostname }}.{{ sn_fqdn }} {{ sn_hostname }}' owner=root group=root mode=0644 state=present when: ansible_default_ipv6.address is defined - name: set hostname hostname: name='{{ sn_hostname }}' register: sethostname - name: disable multi CPU Kernel (SMP) lineinfile: dest=/etc/default/grub regexp='^GRUB_CMDLINE_LINUX_DEFAULT=' line='GRUB_CMDLINE_LINUX_DEFAULT="quiet maxcpus=0 nosmp"' state=present register: grubnosmp - name: Update grub shell: update-grub2 when: grubnosmp.changed - name: Reboot the server shell: sleep 2 && shutdown -r now "Ansible updates triggered, no SMP" async: 1 poll: 0 ignore_errors: true when: sethostname.changed - name: waiting for server to come back (1st) local_action: wait_for host={{ inventory_hostname }} port=22 delay=20 timeout=300 when: hosts.changed when: sethostname.changed # - apt: update_cache=yes - name: Install common required packages apt: name: "{{ item }}" state: present update_cache: yes with_items: "{{ common_required_packages }}" register: aptupdates - name: Set clock shell: /etc/init.d/ntp stop && /usr/sbin/ntpd -q -g && /etc/init.d/ntp start # - name: Add modules # lineinfile: dest=/etc/modules line={{ item }} # with_items: modules_required # register: modules_req # - name: Load modules # modprobe: name={{ item }} # with_items: modules_required # when: modules_req.changed # - name: Install Linux headers # shell: > # apt-get install linux-headers-$(uname -r) -y # when: aptupdates.changed # - name: Get batman-adv # git: repo=https://git.open-mesh.org/batman-adv.git # dest=/tmp/batman-adv # when: aptupdates.changed # register: getbatman # - name: Get batman-adv no rebrotcast patch # get_url: url=http://map.freifunk-moehne.de/stuff/1001-batman-adv-introduce-no_rebroadcast-option.patch dest=/tmp/batman-adv/1001-batman-adv-introduce-no_rebroadcast-option.patch # when: getbatman.changed # - name: Install batman-adv # shell: cd /tmp/batman-adv && git checkout {{ batmanversion }} && make && make install # shell: cd /tmp/batman-adv && git checkout {{ batmanversion }} && git apply 1001-batman-adv-introduce-no_rebroadcast-option.patch && make && make install # when: getbatman.changed # - name: Get batctl # git: repo=http://git.open-mesh.org/batctl.git # dest=/tmp/batctl # when: aptupdates.changed # register: getbatctl # - name: Install batctl # shell: cd /tmp/batctl && git checkout {{ batmanversion }} && make && make install # when: getbatctl.changed - name: Get Tunneldigger # git: repo=https://github.com/Freifunk-Troisdorf/tunneldigger.git dest=/srv/tunneldigger # git: repo=https://github.com/wlanslovenija/tunneldigger.git dest=/srv/tunneldigger version=v0.1.0 # git: repo=https://github.com/wlanslovenija/tunneldigger.git dest=/srv/tunneldigger # git: repo=https://github.com/ffrl/tunneldigger.git dest=/srv/tunneldigger git: repo=https://github.com/Freifunk-Troisdorf/tunneldigger.git dest=/srv/tunneldigger # version: release-0.22 register: tunneldigger when: aptupdates.changed - name: Configure tunneldigger raw: "cd /srv/tunneldigger && virtualenv env_tunneldigger && source env_tunneldigger/bin/activate && cd broker && python setup.py install" # command: "{{item}}" # with_items: # - virtualenv /srv/tunneldigger/ -p python2.7 # - virtualenv /srv/tunneldigger/ when: tunneldigger.changed # - name: Tunneldigger requirements # pip: requirements=/srv/tunneldigger/broker/requirements.txt virtualenv=/srv/tunneldigger/ # when: tunneldigger.changed - name: Copy l2tp broker config template template: src=./files/{{ item }} dest=/srv/tunneldigger owner=root group=root mode=0444 with_items: "{{ broker_cfg }}" when: tunneldigger.changed - name: Copy tunneldigger script template template: src=./files/bataddif.sh.j2 dest=/srv/tunneldigger/bataddif.sh owner=root group=root mode=0500 when: tunneldigger.changed - name: Copy tunneldigger scripts copy: src=./files/{{ item }} dest=/srv/tunneldigger owner=root group=root mode=0500 with_items: "{{ tunneldigger_scripts }}" when: tunneldigger.changed - name: Copy tunneldigger service template copy: src=./files/{{ item }} dest=/etc/systemd/system owner=root group=root mode=0444 with_items: "{{ tunneldigger_service }}" when: tunneldigger.changed ########## - name: Add modules lineinfile: dest=/etc/modules line={{ item }} with_items: "{{ modules_required }}" register: modules_req # - name: Load modules # modprobe: name= "{{ item }}" # with_items: "{{ modules_required }}" # when: modules_req.changed ######### - name: Tunneldigger reload command: "{{item}}" with_items: - systemctl daemon-reload - systemctl enable tunneldigger.service # - systemctl enable tunneldigger-backup.service when: tunneldigger.changed - name: Copy logrotate config copy: src=./files/{{ item }} dest=/etc/ owner=root group=root mode=0500 with_items: "{{logrotate_config}}" - name: Create freifunk directory file: path=/opt/freifunk state=directory mode=0755 # - name: Create keepalive directory # file: path=/etc/supernode-status state=directory mode=0755 # - name: Create supernode config files # file: path=/etc/supernode-status/{{ item }} state=touch owner=root group=root mode=0644 # with_items: supernode_config # - name: Supernode set default mode # lineinfile: dest=/etc/supernode-status/{{ item }} regexp=^0 line=0 # with_items: supernode_config # - name: Check gateway / keepalive script supernode # copy: src=./files/{{ item }} dest=/opt/freifunk owner=root group=root mode=0500 # with_items: check_gw_script # register: check_gw # when: sn_exit is undefined # - name: Check gateway / keepalive script super- and exitnode # template: src=./files/keepalive.exit.sh.j2 dest=/opt/freifunk/keepalive.sh owner=root group=root mode=0500 # register: check_gw # when: sn_exit is defined # - name: Add cron job with check gateway script # cron: name=check_gw special_time=reboot job="/opt/freifunk/keepalive.sh > /dev/null 2>&1 &" user="root" # when: check_gw.changed # - name: Supernode Config script super- and exitnode # copy: src=./files/supernode dest=/usr/bin/supernode owner=root group=root mode=0500 # when: sn_exit is defined - name: Copy dhcpd template file template: src=./files/dhcpd.conf.j2 dest=/etc/dhcp/dhcpd.conf owner=root group=root mode=0444 register: dhcpd - name: Clone static DHCP config git: repo=https://github.com/Freifunk-Troisdorf/static-dhcp dest=/opt/freifunk/static-dhcp when: dhcpd.changed - name: Add cron static DHCP cron: name=StaticDHCP minute="*" job="/opt/freifunk/static-dhcp/dhcp-update.sh" when: dhcpd.changed - name: Restart dhcpd service: name=isc-dhcp-server state=restarted when: dhcpd.changed ignore_errors: yes - name: Add cron backbone script cron: name=backbone special_time=reboot job="/opt/freifunk/l2tp_backbone.sh" - name: Add cron startup script cron: name=startup special_time=reboot job="/opt/freifunk/sn_startup.sh" - name: Copy backbone script template: src=./files/l2tp_backbone.sh.j2 dest=/opt/freifunk/l2tp_backbone.sh owner=root group=root mode=0544 when: sn_exit is undefined - name: Copy backbone script template: src=./files/l2tp_backbone.sh.exit.j2 dest=/opt/freifunk/l2tp_backbone.sh owner=root group=root mode=0544 when: sn_exit is defined # - name: Collectd template file # template: src=./files/collectd.conf.j2 dest=/etc/collectd/collectd.conf owner=root group=root mode=0444 # register: collectd # - name: Restart collectd # service: name=collectd state=restarted # when: collectd.changed - name: configure startup script supernode template: src=./files/sn_startup.sh.j2 dest=/opt/freifunk/sn_startup.sh owner=root group=root mode=0500 when: sn_exit is undefined - name: Exit node startup script super- and exitnode template: src=./files/sn_startup.exit.sh.j2 dest=/opt/freifunk/sn_startup.sh owner=root group=root mode=0500 when: sn_exit is defined - name: SSH authorized_keys copy: src=./files/{{ item }} dest=/root/.ssh owner=root group=root mode=0400 with_items: "{{ authorized_keys }}" - name: Bind9, activate fftdf zone lineinfile: dest=/etc/bind/named.conf line='include "/etc/bind/fftdf/fftdf.conf";' state=present - name: Copy option template template: src=./files/named.conf.options.j2 dest=/etc/bind/named.conf.options owner=root group=bind mode=644 - name: Create fftdf directory file: path=/etc/bind/fftdf state=directory - name: Copy FFTDF Zones copy: src=./files/fftdf/{{ item }} dest=/etc/bind/fftdf/{{ item }} owner=root group=bind mode=644 with_items: - fftdf.conf - name: Copy fftdf Zone config template template: src=./files/fftdf/db.fftdf.j2 dest=/etc/bind/fftdf/db.fftdf owner=radvd group=root mode=0444 - name: Copy radvd config template template: src=./files/radvd.conf.j2 dest=/etc/radvd.conf owner=radvd group=root mode=0444 - name: Interface configuration with ffrl gre tunnel copy: src=./files/interfaces-{{ sn_hostname }} dest=/etc/network/interfaces owner=root group=root mode=0544 when: sn_exit is defined - apt: update_cache=yes - name: Install bird apt: state=present pkg=bird when: sn_exit is defined - name: Bird configuration copy: src=./files/bird-{{ sn_hostname }}.conf dest=/etc/bird/bird.conf owner=bird group=bird mode=0444 when: sn_exit is defined - name: Bird configuration copy: src=./files/bird6-{{ sn_hostname }}.conf dest=/etc/bird/bird6.conf owner=bird group=bird mode=0444 when: sn_exit is defined # - name: Get speedtest-cli # get_url: url=https://raw.githubusercontent.com/MightySCollins/speedtest-cli/master/speedtest_cli.py dest=/usr/bin/speedtest-cli # - name: Change rights speedtest-cli # file: path=/usr/bin/speedtest-cli owner=root group=root mode=0755 - name: Copy Slacktee Config template: src=./files/slacktee.conf.j2 dest=/etc/slacktee.conf owner=root group=root mode=0544 - name: Copy Slacktee copy: src=./files/slacktee.sh dest=/usr/local/bin/slacktee.sh owner=root group=root mode=0744 - name: set netfilter rules lineinfile: dest: /etc/sysctl.conf line: "{{ item }}" with_items: - net.ipv4.netfilter.ip_conntrack_generic_timeout = 240 - net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 54000 - net.netfilter.nf_conntrack_max = 65536 - name: check modprobe.conf stat: path=/etc/modprobe.conf register: modprobe1 - name: create /etc/modprobe.conf when not present file: path=/etc/modprobe.conf state=touch owner=root group=root mode=0544 when: modprobe1.stat.exists == False - name: check /etc/modprobe.conf lineinfile: dest=/etc/modprobe.conf line="options ip_conntrack hashsize=65536" - name: Change root password user: name: root password: "{{ sn_rootpasswd }}" - name: Logrotate rights file: path=/etc/logrotate.conf mode=0644 owner=root group=root - name: Wirte version information shell: touch /etc/sn_version && echo {{ snversion }} > /etc/sn_version - name: Reboot the server finally shell: sleep 2 && shutdown -r now "Ansible updates triggered" async: 1 poll: 0 ignore_errors: true when: tunneldigger.changed - name: waiting for server to come back local_action: wait_for host={{ inventory_hostname }} port=22 delay=20 timeout=300 when: tunneldigger.changed - name: Send notification message via Slack local_action: module: slack token: "{{ slack_token }}" msg: "{{ inventory_hostname }} completed with {{ snversion }}" channel: "#technik" username: "Ansible on {{ inventory_hostname }}" parse: 'none'