123 lines
3.1 KiB
YAML
123 lines
3.1 KiB
YAML
---
|
|
# tasks file for 10-freifunk-supernode
|
|
|
|
# Install basic packages for Supernode
|
|
- name: Install all Packages
|
|
ansible.builtin.apt:
|
|
name:
|
|
- batctl
|
|
- iptables-persistent
|
|
- conntrack
|
|
state: latest
|
|
update_cache: yes
|
|
|
|
## IP Forwarding
|
|
- name: IPv4-Paketweiterleitung aktivieren
|
|
sysctl:
|
|
name: "net.ipv4.conf.all.forwarding"
|
|
value: 1
|
|
sysctl_set: yes
|
|
state: present
|
|
reload: yes
|
|
sysctl_file: /etc/sysctl.d/ff-ip_forwarding.conf
|
|
|
|
- name: IPv6-Paketweiterleitung aktivieren
|
|
sysctl:
|
|
name: "net.ipv6.conf.all.forwarding"
|
|
value: 1
|
|
sysctl_set: yes
|
|
state: present
|
|
reload: yes
|
|
sysctl_file: /etc/sysctl.d/ff-ip_forwarding.conf
|
|
|
|
- name: sysctl Reverse-Path-Filter default deaktivieren - Quellroute nicht prüfen
|
|
sysctl:
|
|
name: "net.ipv4.conf.default.rp_filter"
|
|
value: 0
|
|
sysctl_set: yes
|
|
state: present
|
|
reload: yes
|
|
sysctl_file: /etc/sysctl.d/ff-ip_forwarding.conf
|
|
|
|
- name: sysctl Reverse-Path-Filter all deaktivieren - Quellroute nicht prüfen
|
|
sysctl:
|
|
name: "net.ipv4.conf.all.rp_filter"
|
|
value: 0
|
|
sysctl_set: yes
|
|
state: present
|
|
reload: yes
|
|
sysctl_file: /etc/sysctl.d/ff-ip_forwarding.conf
|
|
|
|
- name: Create Routing Table 42
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/iproute2/rt_tables
|
|
line: 42 ffrl
|
|
create: yes
|
|
|
|
## Contrack
|
|
- name: Enable nf_conntrack_ipv4 module
|
|
modprobe:
|
|
name: nf_conntrack_ipv4
|
|
state: present
|
|
when: ansible_kernel is version_compare('4.19', '<')
|
|
|
|
- name: Enable nf_conntrack_ipv4 on system startup
|
|
blockinfile:
|
|
path: /etc/modules
|
|
marker: "# {mark} Ansible managed block"
|
|
block: |
|
|
nf_conntrack_ipv4
|
|
when: ansible_kernel is version_compare('4.19', '<')
|
|
|
|
- name: Enable nf_conntrack module
|
|
modprobe:
|
|
name: nf_conntrack
|
|
state: present
|
|
when: ansible_kernel is version_compare('4.19', '>=')
|
|
|
|
- name: Enable nf_conntrack on system startup
|
|
blockinfile:
|
|
path: /etc/modules
|
|
marker: "# {mark} Ansible managed block"
|
|
block: |
|
|
nf_conntrack
|
|
when: ansible_kernel is version_compare('4.19', '>=')
|
|
|
|
|
|
- name: Set nf_conntrack_max to a higher value
|
|
sysctl:
|
|
name: "net.netfilter.nf_conntrack_max"
|
|
value: 524288
|
|
sysctl_set: yes
|
|
state: present
|
|
reload: yes
|
|
sysctl_file: /etc/sysctl.d/ff-netfilter.conf
|
|
|
|
- name: Set nf_conntrack_tcp_timeout_established to 86400 (one day)
|
|
sysctl:
|
|
name: "net.netfilter.nf_conntrack_tcp_timeout_established"
|
|
value: 86400
|
|
sysctl_set: yes
|
|
state: present
|
|
reload: yes
|
|
sysctl_file: /etc/sysctl.d/ff-netfilter.conf
|
|
|
|
- name: Set nf_conntrack_tcp_timeout_time_wait to 60
|
|
sysctl:
|
|
name: "net.netfilter.nf_conntrack_tcp_timeout_time_wait"
|
|
value: 60
|
|
sysctl_set: yes
|
|
state: present
|
|
reload: yes
|
|
sysctl_file: /etc/sysctl.d/ff-netfilter.conf
|
|
|
|
- name: Get current nf_conntrack hashsize
|
|
shell: "cat /sys/module/nf_conntrack/parameters/hashsize"
|
|
register: nf_conntrack_hashsize
|
|
changed_when: false
|
|
check_mode: no
|
|
|
|
- name: Set nf_conntrack hashsize to a higher value
|
|
shell: "echo 32768 > /sys/module/nf_conntrack/parameters/hashsize"
|
|
when: "nf_conntrack_hashsize.stdout != '32768'"
|