From af2d7aa5757158d7c4c7a21402bbeaad6abdfdae Mon Sep 17 00:00:00 2001 
From: Paul Maruhn <paulmaruhn@posteo.de> Date: Thu, 27 Feb 2020 18:26:24 +0100 Subject: [PATCH] add setup role for debian based gateways --- .gitignore | 2 + host_vars/burgtor.yml | 16 ----- host_vars/holstentor.yml | 7 +- host_vars/huextertor.yml | 15 ++-- host_vars/kaisertor.yml | 8 +++ host_vars/muehlentor.yml | 3 +- hosts | 5 +- hosts_new | 5 ++ revert_and_setup.sh | 17 +++++ roles/debian_base/files/etc/bird.conf | 1 - .../files/{bird/base => etc/bird}/bird.conf | 7 -- .../files/{bird/base => etc/bird}/bird6.conf | 20 +++--- .../{bird/base => etc/bird}/bird6_ibgp.conf | 0 .../{bird/base => etc/bird}/bird_ibgp.conf | 0 .../debian_base/files/etc/bird/password.conf | 1 + roles/debian_base/files/etc/bird6.conf | 1 - .../files/etc/fastd/ffhl-gw-vpn/fastd.conf | 15 ---- .../etc/fastd/ffhl-gw-vpn/gateways/burgtor | 3 - .../etc/fastd/ffhl-gw-vpn/gateways/huextertor | 3 - .../etc/fastd/ffhl-mesh-vpn-2/fastd.conf | 17 ----- .../files/etc/fastd/ffhl-mesh-vpn/fastd.conf | 19 ----- .../etc/fastd/ffhl_mesh_gwvpn/fastd.conf | 11 +++ .../gateways/holstentor | 0 .../gateways/muehlentor | 0 .../files/etc/fastd/ffhl_mesh_vpn/fastd.conf | 14 ++++ .../files/etc/iptables/ip6tables.rules | 1 - roles/debian_base/files/etc/ntp.conf | 23 ------ .../etc/systemd/network/00-nat64.network | 7 -- .../etc/systemd/network/04-anycast-dns.netdev | 3 - .../systemd/network/04-anycast-dns.network | 5 -- .../etc/systemd/network/22-ffhl-bat0.network | 5 ++ .../etc/systemd/network/22-mesh-hl.network | 5 -- .../network/25-ffhl-mesh-vpn-2.network | 2 - .../systemd/network/25-ffhl-mesh-vpn.network | 2 - .../systemd/network/26-ffhl-gw-vpn.network | 2 - .../etc/systemd/network/26-ffhl-mesh.network | 5 ++ .../files/etc/systemd/system/alfred@.service | 11 --- .../etc/systemd/system/batadv-vis@.service | 10 --- .../systemd/system/batman-freifunk@.service | 17 ----- .../files/etc/systemd/system/batman@.service | 17 +++++ .../files/etc/systemd/system/dhcpd4.service | 13 ---- 
.../system/fastd@.service.d/override.conf | 5 +- .../systemd/system/freifunk-ip-rule.service | 28 ++++---- .../etc/systemd/system/iptables-up.service | 10 +++ .../override.service | 3 + .../system/update-ffhl-mesh-vpn.service | 2 +- roles/debian_base/files/etc/tayga.conf | 3 - .../burgtor/etc/bird}/bird6_local.conf | 0 .../burgtor/etc/bird}/bird_local.conf | 0 .../etc/systemd/network}/30-he-ipv6.netdev | 0 .../etc/systemd/network}/30-he-ipv6.network | 0 .../network}/31-ffrhein-fra3-v4.netdev | 0 .../network}/31-ffrhein-fra3-v4.network | 0 .../network}/32-ffrhein-fra3-v6.netdev | 0 .../network}/32-ffrhein-fra3-v6.network | 0 .../systemd/network}/33-ffrhein-dus-v4.netdev | 0 .../network}/33-ffrhein-dus-v4.network | 0 .../systemd/network}/34-ffrhein-dus-v6.netdev | 0 .../network}/34-ffrhein-dus-v6.network | 0 .../holstentor/etc/bird}/bird6_local.conf | 0 .../holstentor/etc/bird}/bird_local.conf | 0 .../etc/systemd/network}/00-eth1.network | 0 .../etc/systemd/network}/30-he-ipv6.netdev | 0 .../etc/systemd/network}/30-he-ipv6.network | 0 .../systemd/network}/31-ffrhein-ber.netdev | 0 .../systemd/network}/31-ffrhein-ber.network | 0 .../systemd/network}/32-ffrhein-fra3.netdev | 0 .../systemd/network}/32-ffrhein-fra3.network | 0 .../huextertor/etc/bird}/bird6_local.conf | 0 .../huextertor/etc/bird}/bird_local.conf | 0 .../host/kaisertor/etc/bird/bird6_local.conf | 27 +++++++ .../host/kaisertor/etc/bird/bird_local.conf | 0 .../muehlentor/etc/bird}/bird6_local.conf | 0 .../muehlentor/etc/bird}/bird_local.conf | 0 roles/debian_base/files/scripts/iptables-up | 8 +++ roles/debian_base/tasks/bird.yml | 2 - roles/debian_base/tasks/dhcpd.yml | 12 ++++ roles/debian_base/tasks/fastd.yml | 43 +++++++++++ roles/debian_base/tasks/ffhl-peers.yml | 4 +- roles/debian_base/tasks/main.yml | 71 ++++++++++++++----- roles/debian_base/tasks/radvd.yml | 3 + roles/debian_base/tasks/software.yml | 46 ++++++++++-- roles/debian_base/tasks/units.yml | 31 ++++---- 
roles/debian_base/templates/dhcpd.conf.j2 | 4 +- roles/debian_base/templates/fastd-gw-mac.j2 | 1 - roles/debian_base/templates/fastd-mac-2.j2 | 1 - roles/debian_base/templates/fastd-mac.j2 | 1 - .../templates/fastd/ffhl_mesh_gwvpn/fastd-up | 5 ++ .../fastd/ffhl_mesh_gwvpn/gateways/holstentor | 3 + .../fastd/ffhl_mesh_gwvpn/gateways/muehlentor | 3 + .../templates/fastd/ffhl_mesh_vpn/fastd-up | 5 ++ .../10-ffhl.netdev.j2} | 2 +- .../12-ffhl.network.j2} | 4 +- roles/debian_base/templates/radvd.conf.j2 | 16 ----- .../debian_base/templates/radvd/radvd.conf.j2 | 14 ++++ todo.md | 8 +++ 96 files changed, 392 insertions(+), 291 deletions(-) delete mode 100644 host_vars/burgtor.yml create mode 100644 host_vars/kaisertor.yml create mode 100644 hosts_new create mode 100755 revert_and_setup.sh delete mode 100644 roles/debian_base/files/etc/bird.conf rename roles/debian_base/files/{bird/base => etc/bird}/bird.conf (97%) rename roles/debian_base/files/{bird/base => etc/bird}/bird6.conf (95%) rename roles/debian_base/files/{bird/base => etc/bird}/bird6_ibgp.conf (100%) rename roles/debian_base/files/{bird/base => etc/bird}/bird_ibgp.conf (100%) create mode 100644 roles/debian_base/files/etc/bird/password.conf delete mode 100644 roles/debian_base/files/etc/bird6.conf delete mode 100644 roles/debian_base/files/etc/fastd/ffhl-gw-vpn/fastd.conf delete mode 100644 roles/debian_base/files/etc/fastd/ffhl-gw-vpn/gateways/burgtor delete mode 100644 roles/debian_base/files/etc/fastd/ffhl-gw-vpn/gateways/huextertor delete mode 100644 roles/debian_base/files/etc/fastd/ffhl-mesh-vpn-2/fastd.conf delete mode 100644 roles/debian_base/files/etc/fastd/ffhl-mesh-vpn/fastd.conf create mode 100644 roles/debian_base/files/etc/fastd/ffhl_mesh_gwvpn/fastd.conf rename roles/debian_base/files/etc/fastd/{ffhl-gw-vpn => ffhl_mesh_gwvpn}/gateways/holstentor (100%) rename roles/debian_base/files/etc/fastd/{ffhl-gw-vpn => ffhl_mesh_gwvpn}/gateways/muehlentor (100%) create mode 100644 
roles/debian_base/files/etc/fastd/ffhl_mesh_vpn/fastd.conf delete mode 100644 roles/debian_base/files/etc/ntp.conf delete mode 100644 roles/debian_base/files/etc/systemd/network/00-nat64.network delete mode 100644 roles/debian_base/files/etc/systemd/network/04-anycast-dns.netdev delete mode 100644 roles/debian_base/files/etc/systemd/network/04-anycast-dns.network create mode 100644 roles/debian_base/files/etc/systemd/network/22-ffhl-bat0.network delete mode 100644 roles/debian_base/files/etc/systemd/network/22-mesh-hl.network delete mode 100644 roles/debian_base/files/etc/systemd/network/25-ffhl-mesh-vpn-2.network delete mode 100644 roles/debian_base/files/etc/systemd/network/25-ffhl-mesh-vpn.network delete mode 100644 roles/debian_base/files/etc/systemd/network/26-ffhl-gw-vpn.network create mode 100644 roles/debian_base/files/etc/systemd/network/26-ffhl-mesh.network delete mode 100644 roles/debian_base/files/etc/systemd/system/alfred@.service delete mode 100644 roles/debian_base/files/etc/systemd/system/batadv-vis@.service delete mode 100644 roles/debian_base/files/etc/systemd/system/batman-freifunk@.service create mode 100644 roles/debian_base/files/etc/systemd/system/batman@.service delete mode 100644 roles/debian_base/files/etc/systemd/system/dhcpd4.service create mode 100644 roles/debian_base/files/etc/systemd/system/iptables-up.service create mode 100644 roles/debian_base/files/etc/systemd/system/isc-dhcp-server.service.d/override.service delete mode 100644 roles/debian_base/files/etc/tayga.conf rename roles/debian_base/files/{bird/burgtor => host/burgtor/etc/bird}/bird6_local.conf (100%) rename roles/debian_base/files/{bird/burgtor => host/burgtor/etc/bird}/bird_local.conf (100%) rename roles/debian_base/files/{netconfig/burgtor => host/burgtor/etc/systemd/network}/30-he-ipv6.netdev (100%) rename roles/debian_base/files/{netconfig/burgtor => host/burgtor/etc/systemd/network}/30-he-ipv6.network (100%) rename roles/debian_base/files/{netconfig/burgtor => 
host/burgtor/etc/systemd/network}/31-ffrhein-fra3-v4.netdev (100%) rename roles/debian_base/files/{netconfig/burgtor => host/burgtor/etc/systemd/network}/31-ffrhein-fra3-v4.network (100%) rename roles/debian_base/files/{netconfig/burgtor => host/burgtor/etc/systemd/network}/32-ffrhein-fra3-v6.netdev (100%) rename roles/debian_base/files/{netconfig/burgtor => host/burgtor/etc/systemd/network}/32-ffrhein-fra3-v6.network (100%) rename roles/debian_base/files/{netconfig/burgtor => host/burgtor/etc/systemd/network}/33-ffrhein-dus-v4.netdev (100%) rename roles/debian_base/files/{netconfig/burgtor => host/burgtor/etc/systemd/network}/33-ffrhein-dus-v4.network (100%) rename roles/debian_base/files/{netconfig/burgtor => host/burgtor/etc/systemd/network}/34-ffrhein-dus-v6.netdev (100%) rename roles/debian_base/files/{netconfig/burgtor => host/burgtor/etc/systemd/network}/34-ffrhein-dus-v6.network (100%) rename roles/debian_base/files/{bird/holstentor => host/holstentor/etc/bird}/bird6_local.conf (100%) rename roles/debian_base/files/{bird/holstentor => host/holstentor/etc/bird}/bird_local.conf (100%) rename roles/debian_base/files/{netconfig/holstentor => host/holstentor/etc/systemd/network}/00-eth1.network (100%) rename roles/debian_base/files/{netconfig/holstentor => host/holstentor/etc/systemd/network}/30-he-ipv6.netdev (100%) rename roles/debian_base/files/{netconfig/holstentor => host/holstentor/etc/systemd/network}/30-he-ipv6.network (100%) rename roles/debian_base/files/{netconfig/holstentor => host/holstentor/etc/systemd/network}/31-ffrhein-ber.netdev (100%) rename roles/debian_base/files/{netconfig/holstentor => host/holstentor/etc/systemd/network}/31-ffrhein-ber.network (100%) rename roles/debian_base/files/{netconfig/holstentor => host/holstentor/etc/systemd/network}/32-ffrhein-fra3.netdev (100%) rename roles/debian_base/files/{netconfig/holstentor => host/holstentor/etc/systemd/network}/32-ffrhein-fra3.network (100%) rename 
roles/debian_base/files/{bird/huextertor => host/huextertor/etc/bird}/bird6_local.conf (100%) rename roles/debian_base/files/{bird/huextertor => host/huextertor/etc/bird}/bird_local.conf (100%) create mode 100644 roles/debian_base/files/host/kaisertor/etc/bird/bird6_local.conf create mode 100644 roles/debian_base/files/host/kaisertor/etc/bird/bird_local.conf rename roles/debian_base/files/{bird/muehlentor => host/muehlentor/etc/bird}/bird6_local.conf (100%) rename roles/debian_base/files/{bird/muehlentor => host/muehlentor/etc/bird}/bird_local.conf (100%) create mode 100644 roles/debian_base/files/scripts/iptables-up create mode 100644 roles/debian_base/tasks/dhcpd.yml create mode 100644 roles/debian_base/tasks/fastd.yml create mode 100644 roles/debian_base/tasks/radvd.yml delete mode 100644 roles/debian_base/templates/fastd-gw-mac.j2 delete mode 100644 roles/debian_base/templates/fastd-mac-2.j2 delete mode 100644 roles/debian_base/templates/fastd-mac.j2 create mode 100644 roles/debian_base/templates/fastd/ffhl_mesh_gwvpn/fastd-up create mode 100644 roles/debian_base/templates/fastd/ffhl_mesh_gwvpn/gateways/holstentor create mode 100644 roles/debian_base/templates/fastd/ffhl_mesh_gwvpn/gateways/muehlentor create mode 100644 roles/debian_base/templates/fastd/ffhl_mesh_vpn/fastd-up rename roles/debian_base/templates/{10-freifunk-hl.netdev.j2 => network/10-ffhl.netdev.j2} (75%) rename roles/debian_base/templates/{12-freifunk-hl.network.j2 => network/12-ffhl.network.j2} (74%) delete mode 100644 roles/debian_base/templates/radvd.conf.j2 create mode 100644 roles/debian_base/templates/radvd/radvd.conf.j2 create mode 100644 todo.md diff --git a/.gitignore b/.gitignore index 16d183e..a2b61ae 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,4 @@ /.vagrant /playbook.retry +secret* +/artifacts diff --git a/host_vars/burgtor.yml b/host_vars/burgtor.yml deleted file mode 100644 index 949e137..0000000 --- a/host_vars/burgtor.yml +++ /dev/null 
@@ -1,16 +0,0 @@ -ip4: 10.130.0.255 -ip6: 2001:67c:2d50::e01 -ip6_ula: fdef:ffc0:3dd7::e01 -fastd_mac: 52:54:00:f3:62:d9 -fastd_mac_2: ea:af:13:66:6d:71 -fastd_gw_mac: 52:54:00:f3:62:da -freifunk_mac: 52:54:00:ee:5c:d7 -dhcpd_start: 10.130.12.63 -dhcpd_end: 10.130.15.254 -snat_dev: ffrhein-+ -snat_ip4: 185.66.193.32 -icvpn_name: luebeck2 -icvpn_ip4: 10.207.0.131 -icvpn_ip6: fec0::a:cf:0:83 -units_enable: - - "'fastd@dn42\\x2dchaos.service'" diff --git a/host_vars/holstentor.yml b/host_vars/holstentor.yml index 669c093..547d4ea 100644 --- a/host_vars/holstentor.yml +++ b/host_vars/holstentor.yml @@ -1,16 +1,17 @@ ip4: 10.130.0.253 ip6: 2001:67c:2d50::c01 ip6_ula: fdef:ffc0:3dd7::c01 -fastd_mac: d6:89:49:08:f6:9d -fastd_mac_2: ce:69:95:f0:a9:53 +fastd_mesh_mac: d6:89:49:08:f6:9d fastd_gw_mac: d6:89:49:08:f6:9e freifunk_mac: 52:54:00:0c:bb:eb dhcpd_start: 10.130.4.191 dhcpd_end: 10.130.8.126 + +# additional config snat_dev: ffrhein-+ snat_ip4: 185.66.193.33 icvpn_name: luebeck1 icvpn_ip4: 10.207.0.130 icvpn_ip6: fec0::a:cf:0:82 units_enable: - - "'fastd@dn42\\x2dchaos.service'" + - "'fastd@dn42-chaos.service'" diff --git a/host_vars/huextertor.yml b/host_vars/huextertor.yml index 1dedb9f..88e5507 100644 --- a/host_vars/huextertor.yml +++ b/host_vars/huextertor.yml @@ -1,9 +1,8 @@ ip4: 10.130.0.252 -ip6: 2001:67c:2d50::801 -ip6_ula: fdef:ffc0:3dd7::801 -fastd_mac: d2:d0:93:63:f7:da -fastd_mac_2: 66:3a:16:58:af:5c -fastd_gw_mac: d2:d0:93:63:f7:db -freifunk_mac: 6e:e4:d2:8a:3b:63 -dhcpd_start: 10.130.1.0 -dhcpd_end: 10.130.4.190 +ip6: 2001:67c:2d50::d01 +ip6_ula: fdef:ffc0:3dd7::d01 +fastd_mesh_mac: de:ad:ca:fe:aa:bb +fastd_gw_mac: de:ad:ca:fe:bb:dd +freifunk_mac: de:ad:ca:fe:cc:dd +dhcpd_start: 10.130.12.63 +dhcpd_end: 10.130.15.255 diff --git a/host_vars/kaisertor.yml b/host_vars/kaisertor.yml new file mode 100644 index 0000000..98e37c2 --- /dev/null +++ b/host_vars/kaisertor.yml 
@@ -0,0 +1,8 @@ +ip4: 10.130.0.255 +ip6: 2001:67c:2d50::b01 +ip6_ula: fdef:ffc0:3dd7::b01 +fastd_mesh_mac: de:ad:ca:fe:aa:aa +fastd_gw_mac: de:ad:ca:fe:bb:bb +freifunk_mac: de:ad:ca:fe:cc:bb +dhcpd_start: 10.130.1.0 +dhcpd_end: 10.130.4.190 diff --git a/host_vars/muehlentor.yml b/host_vars/muehlentor.yml index a6ae397..b0db1fb 100644 --- a/host_vars/muehlentor.yml +++ b/host_vars/muehlentor.yml @@ -1,8 +1,7 @@ ip4: 10.130.0.254 ip6: 2001:67c:2d50::a01 ip6_ula: fdef:ffc0:3dd7::a01 -fastd_mac: 26:9c:57:9b:5c:b2 -fastd_mac_2: 6a:0a:8d:97:50:69 +fastd_mesh_mac: 26:9c:57:9b:5c:b2 fastd_gw_mac: 26:9c:57:9b:5c:b3 freifunk_mac: de:ad:ca:fe:46:1d dhcpd_start: 10.130.8.127 diff --git a/hosts b/hosts index 491e0d3..b740cba 100644 --- a/hosts +++ b/hosts @@ -1,5 +1,8 @@ [gateways] -ffhl-gateway ansible_ssh_host=10.10.1.100 ansible_ssh_user=root +burgtor ansible_ssh_host=burgtor.luebeck.freifunk.net +holstentor ansible_ssh_host=holstentor.luebeck.freifunk.net +muehlentor ansible_ssh_host=muehlentor.luebeck.freifunk.net +huextertor ansible_ssh_host=huextertor.luebeck.freifunk.net [gateways:vars] ansible_python_interpreter=/usr/bin/env python2 diff --git a/hosts_new b/hosts_new new file mode 100644 index 0000000..03eaa0b --- /dev/null +++ b/hosts_new @@ -0,0 +1,5 @@ +[gateways] +kaisertor ansible_ssh_host=10.8.1.50 ansible_ssh_user=root + +[gateways:vars] +ansible_python_interpreter=/usr/bin/env python2 diff --git a/revert_and_setup.sh b/revert_and_setup.sh new file mode 100755 index 0000000..ac9813c --- /dev/null +++ b/revert_and_setup.sh 
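Review bot: The `hosts` inventory still lists `burgtor` although host_vars/burgtor.yml is deleted in this same patch, so its variables (`ip4`, `dhcpd_start`, …) would be undefined when the role runs unless they are supplied elsewhere. If burgtor is being retired, drop its line; the new `kaisertor` appears only in `hosts_new`. The hunk also removes `ansible_ssh_user=root` for all four gateways, so the login user now depends on each operator's SSH configuration. A one-line comment at the top of each inventory, e.g. `# production gateways` and `# test VM only`, would make it harder to run the role against the wrong set.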
@@ -0,0 +1,17 @@ +#!/bin/sh + +set -e + +# virsh snapshot-revert --domain ffhl-test-gateway --current +virsh snapshot-revert --domain ffhl-test-gateway 1579128050 +echo "restarting timesyncd and ntp" +ssh -q root@10.8.1.50 systemctl restart systemd-timesyncd +ssh -q root@10.8.1.50 systemctl restart ntp +echo "waiting..." +sleep 7 + +echo "removing artifacts" +rm -rf artifacts + +echo "run the playbook" +ansible-playbook -vvvv -i hosts debian_setup.yml diff --git a/roles/debian_base/files/etc/bird.conf b/roles/debian_base/files/etc/bird.conf deleted file mode 100644 index a44d2a5..0000000 --- a/roles/debian_base/files/etc/bird.conf +++ /dev/null @@ -1 +0,0 @@ -include "bird/bird.conf"; diff --git a/roles/debian_base/files/bird/base/bird.conf b/roles/debian_base/files/etc/bird/bird.conf similarity index 97% rename from roles/debian_base/files/bird/base/bird.conf rename to roles/debian_base/files/etc/bird/bird.conf index 610391d..78507ac 100644 --- a/roles/debian_base/files/bird/base/bird.conf +++ b/roles/debian_base/files/etc/bird/bird.conf @@ -53,13 +53,6 @@ protocol static mesh_freifunk { route 10.0.0.0/8 reject; }; -# 464XLAT -########## - -protocol static static_464xlat { - route 10.130.64.0/18 via "nat64"; -} - # Mesh-internal routing ######################## diff --git a/roles/debian_base/files/bird/base/bird6.conf b/roles/debian_base/files/etc/bird/bird6.conf similarity index 95% rename from roles/debian_base/files/bird/base/bird6.conf rename to roles/debian_base/files/etc/bird/bird6.conf index 0f7d3fb..c69b499 100644 --- a/roles/debian_base/files/bird/base/bird6.conf +++ b/roles/debian_base/files/etc/bird/bird6.conf @@ -22,9 +22,10 @@ define KERNEL_TABLE = ipt_freifunk; # ROA table ############ -roa table roa_icvpn { - include "roa.ip6"; -} +# roa table roa_icvpn { +# include "roa.ip6"; +# } + # filter helpers ################# 
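Review bot: The last line of revert_and_setup.sh runs `ansible-playbook -vvvv -i hosts debian_setup.yml`, but the VM the script has just reverted and reached at 10.8.1.50 is listed only in `hosts_new`, while `hosts` names the public gateways. Unless debian_setup.yml (not visible here) restricts its targets, a test run would act on production; use `ansible-playbook -i hosts_new debian_setup.yml` instead. `-vvvv` also prints module arguments and connection details, so keep that output out of shared logs or lower the verbosity once the role is stable. `rm -rf artifacts` is relative to the caller's working directory; a preceding `cd "$(dirname "$0")"` would pin it to the repository.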
@@ -49,14 +50,15 @@ function is_self_mgmt() { return net ~ [ 2001:67c:2d50:1::a82:7fe0/123+ ]; } filter bgp_import_filter { if is_self_net() then reject; if is_ula() then accept; - if roa_check(roa_icvpn) = ROA_VALID then { - accept; - } else { - print "ROA check failed for ", net, " ASN ", bgp_path.last; - } - reject; + # if roa_check(roa_icvpn) = ROA_VALID then { + # accept; + # } else { + # print "ROA check failed for ", net, " ASN ", bgp_path.last; + # } + accept; } + # static routes ################ diff --git a/roles/debian_base/files/bird/base/bird6_ibgp.conf b/roles/debian_base/files/etc/bird/bird6_ibgp.conf similarity index 100% rename from roles/debian_base/files/bird/base/bird6_ibgp.conf rename to roles/debian_base/files/etc/bird/bird6_ibgp.conf diff --git a/roles/debian_base/files/bird/base/bird_ibgp.conf b/roles/debian_base/files/etc/bird/bird_ibgp.conf similarity index 100% rename from roles/debian_base/files/bird/base/bird_ibgp.conf rename to roles/debian_base/files/etc/bird/bird_ibgp.conf diff --git a/roles/debian_base/files/etc/bird/password.conf b/roles/debian_base/files/etc/bird/password.conf new file mode 100644 index 0000000..efc2d5e --- /dev/null +++ b/roles/debian_base/files/etc/bird/password.conf @@ -0,0 +1 @@ +password "dummy"; diff --git a/roles/debian_base/files/etc/bird6.conf b/roles/debian_base/files/etc/bird6.conf deleted file mode 100644 index 2c9b7ed..0000000 --- a/roles/debian_base/files/etc/bird6.conf +++ /dev/null @@ -1 +0,0 @@ -include "bird/bird6.conf"; diff --git a/roles/debian_base/files/etc/fastd/ffhl-gw-vpn/fastd.conf b/roles/debian_base/files/etc/fastd/ffhl-gw-vpn/fastd.conf deleted file mode 100644 index 0b1fdd2..0000000 --- a/roles/debian_base/files/etc/fastd/ffhl-gw-vpn/fastd.conf +++ /dev/null 
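Review bot: In `bgp_import_filter` the `roa_check(roa_icvpn)` block is commented out and the closing `reject;` becomes `accept;`, so every route that is not the site's own net is now imported from BGP peers whatever its origin; the preceding bird6.conf hunk comments out the `roa table roa_icvpn` definition the check relied on. If ROA data is merely not deployed on the new hosts yet, keep the filter fail-closed until it is: leave `reject;` as the last statement so only `is_ula()` routes pass, and mark the gap with `# TODO: restore roa_check(roa_icvpn) once roa.ip6 is deployed`. The filter body is complete within the hunk, but the protocols that use it are not visible here.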
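Review bot: `password "dummy";` is committed as a static file under files/etc/bird, and the `secret*` pattern this patch adds to .gitignore does not match a file named password.conf. Either the placeholder gets deployed as the session password or the real value is later committed in clear text. Render the file from a variable kept in Ansible Vault, e.g. a one-line template `password "{{ bird_password }}";` (variable name illustrative), and install it readable only by the bird user. Where this file is included is not visible in this part of the patch.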
@@ -1,15 +0,0 @@
-log to syslog level debug;
-user "fastd";
-interface "ffhl-gw-vpn";
-method "salsa2012+umac";
-bind any:10001;
-include "secret.conf";
-mtu 1280;
-status socket "/run/fastd/gw-vpn.sock";
-
-include peers from "gateways";
-
-on up "
- ip link set address $(cat mac) dev $INTERFACE
- ip link set up $INTERFACE
-";
diff --git a/roles/debian_base/files/etc/fastd/ffhl-gw-vpn/gateways/burgtor b/roles/debian_base/files/etc/fastd/ffhl-gw-vpn/gateways/burgtor
deleted file mode 100644
index 63f3adb..0000000
--- a/roles/debian_base/files/etc/fastd/ffhl-gw-vpn/gateways/burgtor
+++ /dev/null
@@ -1,3 +0,0 @@
-key "5a15ffbef06ba2f887a17a60bf1feeae56fa6a9a94f3ea7f84390291406b0b4e";
-remote "burgtor.mesh.ffhl.chaotikum.org" port 10001;
-float yes;
diff --git a/roles/debian_base/files/etc/fastd/ffhl-gw-vpn/gateways/huextertor b/roles/debian_base/files/etc/fastd/ffhl-gw-vpn/gateways/huextertor
deleted file mode 100644
index 8d70194..0000000
--- a/roles/debian_base/files/etc/fastd/ffhl-gw-vpn/gateways/huextertor
+++ /dev/null
@@ -1,3 +0,0 @@
-key "eb2ef5487527ec1643448943dd9427d9965870bc1a5db37f8edc8aea84005f9f";
-remote "huextertor.mesh.ffhl.chaotikum.org" port 10001;
-float yes;
diff --git a/roles/debian_base/files/etc/fastd/ffhl-mesh-vpn-2/fastd.conf b/roles/debian_base/files/etc/fastd/ffhl-mesh-vpn-2/fastd.conf
deleted file mode 100644
index e640465..0000000
--- a/roles/debian_base/files/etc/fastd/ffhl-mesh-vpn-2/fastd.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-log to syslog level debug;
-user "fastd";
-interface "ffhl-mesh-vpn-2";
-method "null";
-method "salsa2012+umac";
-bind any:10002;
-include "../ffhl-mesh-vpn/secret.conf";
-mtu 1280;
-hide ip addresses yes;
-status socket "/run/fastd/mesh-vpn-2.sock";
-
-include peers from "../ffhl-mesh-vpn/peers";
-
-on up "
- ip link set address $(cat mac) dev $INTERFACE
- ip link set up $INTERFACE
-";
diff --git a/roles/debian_base/files/etc/fastd/ffhl-mesh-vpn/fastd.conf b/roles/debian_base/files/etc/fastd/ffhl-mesh-vpn/fastd.conf
deleted file mode 100644
index 338dd95..0000000
--- a/roles/debian_base/files/etc/fastd/ffhl-mesh-vpn/fastd.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-log to syslog level debug;
-user "fastd";
-interface "ffhl-mesh-vpn";
-method "salsa2012+umac";
-method "salsa2012+gmac";
-method "xsalsa20-poly1305";
-bind 0.0.0.0:10000;
-include "secret.conf";
-mtu 1426;
-hide ip addresses yes;
-secure handshakes no;
-status socket "/run/fastd/mesh-vpn.sock";
-
-include peers from "peers";
-
-on up "
- ip link set address $(cat mac) dev $INTERFACE
- ip link set up $INTERFACE
-";
diff --git a/roles/debian_base/files/etc/fastd/ffhl_mesh_gwvpn/fastd.conf b/roles/debian_base/files/etc/fastd/ffhl_mesh_gwvpn/fastd.conf
new file mode 100644
index 0000000..27354e0
--- /dev/null
+++ b/roles/debian_base/files/etc/fastd/ffhl_mesh_gwvpn/fastd.conf
@@ -0,0 +1,11 @@
+log to syslog level debug;
+user "fastd";
+interface "ffhl_mesh_gwvpn";
+method "salsa2012+umac";
+bind any:10001;
+include "secret.conf";
+mtu 1280;
+status socket "/run/fastd/ffhl_mesh_gwvpn.sock";
+on up "./fastd-up";
+
+include peers from "gateways";
diff --git a/roles/debian_base/files/etc/fastd/ffhl-gw-vpn/gateways/holstentor b/roles/debian_base/files/etc/fastd/ffhl_mesh_gwvpn/gateways/holstentor
similarity index 100%
rename from roles/debian_base/files/etc/fastd/ffhl-gw-vpn/gateways/holstentor
rename to roles/debian_base/files/etc/fastd/ffhl_mesh_gwvpn/gateways/holstentor
diff --git a/roles/debian_base/files/etc/fastd/ffhl-gw-vpn/gateways/muehlentor b/roles/debian_base/files/etc/fastd/ffhl_mesh_gwvpn/gateways/muehlentor
similarity index 100%
rename from roles/debian_base/files/etc/fastd/ffhl-gw-vpn/gateways/muehlentor
rename to roles/debian_base/files/etc/fastd/ffhl_mesh_gwvpn/gateways/muehlentor
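Review bot: The new ffhl_mesh_gwvpn/fastd.conf sets `log to syslog level debug;` without the `hide ip addresses yes;` that the ffhl_mesh_vpn instance carries, so peer addresses of the gateway links are written to syslog at the most verbose level. For a production gateway, `log to syslog level info;` plus `hide ip addresses yes;` would match the other instance; the same debug level is also set in ffhl_mesh_vpn/fastd.conf. `on up "./fastd-up";` relies on a script installed beside this file, so a comment noting that it must be root-owned and not writable by the `fastd` user would document the assumption; the script itself is a template elsewhere in the patch.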
diff --git a/roles/debian_base/files/etc/fastd/ffhl_mesh_vpn/fastd.conf b/roles/debian_base/files/etc/fastd/ffhl_mesh_vpn/fastd.conf new file mode 100644 index 0000000..93b46e4 --- /dev/null +++ b/roles/debian_base/files/etc/fastd/ffhl_mesh_vpn/fastd.conf @@ -0,0 +1,14 @@ +log to syslog level debug; +user "fastd"; +interface "ffhl_mesh_vpn"; +method "null"; +method "salsa2012+umac"; +bind any:10002; +include "secret.conf"; +mtu 1280; +hide ip addresses yes; +hide mac addresses yes; +status socket "/run/fastd/fastd-ffhl_mesh_vpn.sock"; +include peers from "peers"; + +on up "./fastd-up"; diff --git a/roles/debian_base/files/etc/iptables/ip6tables.rules b/roles/debian_base/files/etc/iptables/ip6tables.rules index 24b8ff1..f9d67a6 100644 --- a/roles/debian_base/files/etc/iptables/ip6tables.rules +++ b/roles/debian_base/files/etc/iptables/ip6tables.rules @@ -4,6 +4,5 @@ COMMIT *mangle -A PREROUTING -i freifunk-+ -j MARK --set-xmark 0x1/0xffffffff --A PREROUTING -i nat64 -j MARK --set-xmark 0x1/0xffffffff -A PREROUTING -i icvpn -j MARK --set-xmark 0x1/0xffffffff COMMIT diff --git a/roles/debian_base/files/etc/ntp.conf b/roles/debian_base/files/etc/ntp.conf deleted file mode 100644 index bbe0281..0000000 --- a/roles/debian_base/files/etc/ntp.conf +++ /dev/null 
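Review bot: `method "null";` is listed before `method "salsa2012+umac";` in ffhl_mesh_vpn/fastd.conf, and fastd gives earlier methods higher preference, so peers that support both will end up on a tunnel with no encryption and no payload authentication. If unencrypted tunnels are an intended trade-off for low-power routers, put the authenticated method first so capable peers use it. Record the reason next to the fallback, e.g. `# null: no encryption/authentication, kept for nodes that cannot afford crypto`. The peers directory and secret.conf this file includes are not visible here.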
@@ -1,23 +0,0 @@
-# With the default settings below, ntpd will only synchronize your clock.
-#
-# For details, see:
-# - the ntp.conf man page
-# - http://support.ntp.org/bin/view/Support/GettingStarted
-# - https://wiki.archlinux.org/index.php/Network_Time_Protocol_daemon
-
-# Associate to public NTP pool servers; see http://www.pool.ntp.org/
-server 0.pool.ntp.org
-server 1.pool.ntp.org
-server 2.pool.ntp.org
-
-# Only allow read-only access from localhost
-restrict default noquery nopeer
-restrict 127.0.0.1
-restrict ::1
-
-# ffhl mesh
-restrict fdef:ffc0:3dd7:: mask ffff:ffff:ffff:ffff:: nomodify notrap nopeer
-restrict 2001:67c:2d50:: mask ffff:ffff:ffff:ffff:: nomodify notrap nopeer
-
-# Location of drift file
-driftfile /var/lib/ntp/ntp.drift
diff --git a/roles/debian_base/files/etc/systemd/network/00-nat64.network b/roles/debian_base/files/etc/systemd/network/00-nat64.network
deleted file mode 100644
index cc0e092..0000000
--- a/roles/debian_base/files/etc/systemd/network/00-nat64.network
+++ /dev/null
@@ -1,7 +0,0 @@
-[Match]
-Name=nat64
-
-[Network]
-IPForward=yes
-Address=fe80::1/64
-Address=127.0.0.2/8
diff --git a/roles/debian_base/files/etc/systemd/network/04-anycast-dns.netdev b/roles/debian_base/files/etc/systemd/network/04-anycast-dns.netdev
deleted file mode 100644
index af7baec..0000000
--- a/roles/debian_base/files/etc/systemd/network/04-anycast-dns.netdev
+++ /dev/null
@@ -1,3 +0,0 @@
-[NetDev]
-Name=anycast-dns
-Kind=dummy
diff --git a/roles/debian_base/files/etc/systemd/network/04-anycast-dns.network b/roles/debian_base/files/etc/systemd/network/04-anycast-dns.network
deleted file mode 100644
index 47153f1..0000000
--- a/roles/debian_base/files/etc/systemd/network/04-anycast-dns.network
+++ /dev/null
@@ -1,5 +0,0 @@
-[Match]
-Name=anycast-dns
-
-[Network]
-Address=2001:67c:2d50:1::10.130.127.224/128
diff --git a/roles/debian_base/files/etc/systemd/network/22-ffhl-bat0.network b/roles/debian_base/files/etc/systemd/network/22-ffhl-bat0.network
new file mode 100644
index 0000000..79f1f3e
--- /dev/null
+++ b/roles/debian_base/files/etc/systemd/network/22-ffhl-bat0.network
@@ -0,0 +1,5 @@
+[Match]
+Name=ffhl_bat0
+
+[Network]
+Bridge=ffhl
diff --git a/roles/debian_base/files/etc/systemd/network/22-mesh-hl.network b/roles/debian_base/files/etc/systemd/network/22-mesh-hl.network
deleted file mode 100644
index ec1f92d..0000000
--- a/roles/debian_base/files/etc/systemd/network/22-mesh-hl.network
+++ /dev/null
@@ -1,5 +0,0 @@
-[Match]
-Name=mesh-hl
-
-[Network]
-Bridge=freifunk-hl
diff --git a/roles/debian_base/files/etc/systemd/network/25-ffhl-mesh-vpn-2.network b/roles/debian_base/files/etc/systemd/network/25-ffhl-mesh-vpn-2.network
deleted file mode 100644
index a72a611..0000000
--- a/roles/debian_base/files/etc/systemd/network/25-ffhl-mesh-vpn-2.network
+++ /dev/null
@@ -1,2 +0,0 @@
-[Match]
-Name=ffhl-mesh-vpn-2
diff --git a/roles/debian_base/files/etc/systemd/network/25-ffhl-mesh-vpn.network b/roles/debian_base/files/etc/systemd/network/25-ffhl-mesh-vpn.network
deleted file mode 100644
index 2902fe3..0000000
--- a/roles/debian_base/files/etc/systemd/network/25-ffhl-mesh-vpn.network
+++ /dev/null
@@ -1,2 +0,0 @@
-[Match]
-Name=ffhl-mesh-vpn
diff --git a/roles/debian_base/files/etc/systemd/network/26-ffhl-gw-vpn.network b/roles/debian_base/files/etc/systemd/network/26-ffhl-gw-vpn.network
deleted file mode 100644
index 846c180..0000000
--- a/roles/debian_base/files/etc/systemd/network/26-ffhl-gw-vpn.network
+++ /dev/null
@@ -1,2 +0,0 @@
-[Match]
-Name=ffhl-gw-vpn
diff --git a/roles/debian_base/files/etc/systemd/network/26-ffhl-mesh.network b/roles/debian_base/files/etc/systemd/network/26-ffhl-mesh.network
new file mode 100644
index 0000000..1c1e3cb
--- /dev/null
+++ b/roles/debian_base/files/etc/systemd/network/26-ffhl-mesh.network
@@ -0,0 +1,5 @@
+[Match]
+Name=ffhl_mesh_*
+
+[Network]
+LinkLocalAddressing = no
diff --git a/roles/debian_base/files/etc/systemd/system/alfred@.service b/roles/debian_base/files/etc/systemd/system/alfred@.service
deleted file mode 100644
index b88012e..0000000
--- a/roles/debian_base/files/etc/systemd/system/alfred@.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=A.L.F.R.E.D.
-Wants=network.target
-BindsTo=sys-subsystem-net-devices-mesh\x2d%i.device
-After=sys-subsystem-net-devices-mesh\x2d%i.device
-
-[Service]
-ExecStart=/usr/bin/alfred -i freifunk-%i -b mesh-%i
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/debian_base/files/etc/systemd/system/batadv-vis@.service b/roles/debian_base/files/etc/systemd/system/batadv-vis@.service
deleted file mode 100644
index 872072b..0000000
--- a/roles/debian_base/files/etc/systemd/system/batadv-vis@.service
+++ /dev/null
@@ -1,10 +0,0 @@
-[Unit]
-Description=A.L.F.R.E.D. batadv-vis
-After=alfred@%i.service
-
-[Service]
-ExecStart=/usr/bin/batadv-vis -s -i mesh-%i
-
-[Install]
-WantedBy=multi-user.target
-
diff --git a/roles/debian_base/files/etc/systemd/system/batman-freifunk@.service b/roles/debian_base/files/etc/systemd/system/batman-freifunk@.service
deleted file mode 100644
index 52c66fc..0000000
--- a/roles/debian_base/files/etc/systemd/system/batman-freifunk@.service
+++ /dev/null
@@ -1,17 +0,0 @@
-[Unit]
-Description=batman setup for freifunk
-Wants=network.target
-BindsTo=sys-subsystem-net-devices-ff%i\x2dmesh\x2dvpn.device sys-subsystem-net-devices-ff%i\x2dmesh\x2dvpn\x2d2.device sys-subsystem-net-devices-ff%i\x2dgw\x2dvpn.device
-After=sys-subsystem-net-devices-ff%i\x2dmesh\x2dvpn.device sys-subsystem-net-devices-ff%i\x2dmesh\x2dvpn\x2d2.device sys-subsystem-net-devices-ff%i\x2dgw\x2dvpn.device
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/usr/bin/batctl -m mesh-%i if add ff%i-mesh-vpn
-ExecStart=/usr/bin/batctl -m mesh-%i if add ff%i-mesh-vpn-2
-ExecStart=/usr/bin/batctl -m mesh-%i if add ff%i-gw-vpn
-ExecStart=/usr/bin/batctl -m mesh-%i gw server
-ExecStart=-/usr/bin/batctl -m mesh-%i nc disable
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/debian_base/files/etc/systemd/system/batman@.service b/roles/debian_base/files/etc/systemd/system/batman@.service
new file mode 100644
index 0000000..85ab7f0
--- /dev/null
+++ b/roles/debian_base/files/etc/systemd/system/batman@.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=batman setup for freifunk
+Wants=network.target
+# BindsTo=sys-subsystem-net-devices-%i_mesh_vpn.device sys-subsystem-net-devices-%i_mesh_gwvpn.device
+# After=sys-subsystem-net-devices-%i_mesh_vpn.device sys-subsystem-net-devices-%i_mesh_gwvpn.device
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=ip link add %i type batadv
+# ExecStart=batctl -m %i_bat0 if add %i_mesh_vpn
+# ExecStart=batctl -m %i_bat0 if add %i_mesh_gwvpn
+# ExecStart=batctl -m %i_bat0 gw server
+# ExecStart=-batctl -m %i_bat0 nc disable
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/debian_base/files/etc/systemd/system/dhcpd4.service b/roles/debian_base/files/etc/systemd/system/dhcpd4.service
deleted file mode 100644
index c1105f2..0000000
--- a/roles/debian_base/files/etc/systemd/system/dhcpd4.service
+++ /dev/null
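Review bot: `ExecStart=ip link add %i type batadv` in batman@.service names the executable without a path, and the same pattern appears in the new `ExecStartPre=mkdir`/`chown` lines of fastd@.service.d/override.conf and in every `ExecStart=ip`/`ExecStop=ip` line of freifunk-ip-rule.service. Older systemd releases require an absolute path there and newer ones resolve the name through a compiled-in search path, so which binary runs as root depends on the host. Keep absolute paths that match the target distribution, e.g. `ExecStart=/sbin/ip link add %i type batadv`. The unit also has no `ExecStop=` to remove the link and its `BindsTo=`/`After=` lines are commented out, so a short comment stating that these are pending would help whoever enables it.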
@@ -1,13 +0,0 @@
-[Unit]
-Description=IPv4 DHCP server
-BindsTo=sys-subsystem-net-devices-freifunk\x2dhl.device
-After=network.target sys-subsystem-net-devices-freifunk\x2dhl.device
-
-[Service]
-Type=forking
-PIDFile=/run/dhcpd4.pid
-ExecStart=/usr/bin/dhcpd -4 -q -pf /run/dhcpd4.pid
-KillSignal=SIGINT
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/debian_base/files/etc/systemd/system/fastd@.service.d/override.conf b/roles/debian_base/files/etc/systemd/system/fastd@.service.d/override.conf
index cd828b9..3df0c4f 100644
--- a/roles/debian_base/files/etc/systemd/system/fastd@.service.d/override.conf
+++ b/roles/debian_base/files/etc/systemd/system/fastd@.service.d/override.conf
@@ -1,3 +1,4 @@
 [Service]
-ExecStartPre=-/usr/bin/mkdir /run/fastd
-ExecStartPre=/usr/bin/chown fastd:fastd /run/fastd
+# make sure these dirs exists for fastd dignostics/metrics socket
+ExecStartPre=mkdir -p /run/fastd
+ExecStartPre=chown fastd:fastd /run/fastd
diff --git a/roles/debian_base/files/etc/systemd/system/freifunk-ip-rule.service b/roles/debian_base/files/etc/systemd/system/freifunk-ip-rule.service
index 30fa746..63c926e 100644
--- a/roles/debian_base/files/etc/systemd/system/freifunk-ip-rule.service
+++ b/roles/debian_base/files/etc/systemd/system/freifunk-ip-rule.service
@@ -4,20 +4,20 @@ Before=network.target [Service] Type=oneshot -ExecStart=/usr/sbin/ip rule add from 10.130.0.0/16 table freifunk -ExecStart=/usr/sbin/ip rule add from 10.207.0.0/16 table freifunk -ExecStart=/usr/sbin/ip rule add from all fwmark 0x1 table freifunk -ExecStart=/usr/sbin/ip rule add from 185.66.193.32/29 table freifunk -ExecStart=/usr/sbin/ip -6 rule add from 2001:67c:2d50::/48 table freifunk -ExecStart=/usr/sbin/ip -6 rule add from all fwmark 0x1 table freifunk -ExecStart=/usr/sbin/ip -6 rule add from all table freifunk priority 32767 -ExecStop=/usr/sbin/ip rule del from 10.130.0.0/16 table freifunk -ExecStop=/usr/sbin/ip rule del from 10.207.0.0/16 table freifunk -ExecStop=/usr/sbin/ip rule del from all fwmark 0x1 table freifunk -ExecStop=/usr/sbin/ip rule del from 185.66.193.32/29 table freifunk -ExecStop=/usr/sbin/ip -6 rule del from 2001:67c:2d50::/48 table freifunk -ExecStop=/usr/sbin/ip -6 rule del from all fwmark 0x1 table freifunk -ExecStop=/usr/sbin/ip -6 rule del from all table freifunk priority 32767 +ExecStart=ip rule add from 10.130.0.0/16 table freifunk +ExecStart=ip rule add from 10.207.0.0/16 table freifunk +ExecStart=ip rule add from all fwmark 0x1 table freifunk +ExecStart=ip rule add from 185.66.193.32/29 table freifunk +ExecStart=ip -6 rule add from 2001:67c:2d50::/48 table freifunk +ExecStart=ip -6 rule add from all fwmark 0x1 table freifunk +ExecStart=ip -6 rule add from all table freifunk priority 32767 +ExecStop=ip rule del from 10.130.0.0/16 table freifunk +ExecStop=ip rule del from 10.207.0.0/16 table freifunk +ExecStop=ip rule del from all fwmark 0x1 table freifunk +ExecStop=ip rule del from 185.66.193.32/29 table freifunk +ExecStop=ip -6 rule del from 2001:67c:2d50::/48 table freifunk +ExecStop=ip -6 rule del from all fwmark 0x1 table freifunk +ExecStop=ip -6 rule del from all table freifunk priority 32767 RemainAfterExit=yes [Install] 
diff --git a/roles/debian_base/files/etc/systemd/system/iptables-up.service b/roles/debian_base/files/etc/systemd/system/iptables-up.service new file mode 100644 index 0000000..26b5708 --- /dev/null +++ b/roles/debian_base/files/etc/systemd/system/iptables-up.service @@ -0,0 +1,10 @@ +[Unit] +Description=Load *.rules from /etc/iptables and apply them +After=systemd-networkd + +[Service] +Type=oneshot +ExecStart=/usr/local/bin/iptables-up + +[Install] +WantedBy=multi-user.target diff --git a/roles/debian_base/files/etc/systemd/system/isc-dhcp-server.service.d/override.service b/roles/debian_base/files/etc/systemd/system/isc-dhcp-server.service.d/override.service new file mode 100644 index 0000000..521366d --- /dev/null +++ b/roles/debian_base/files/etc/systemd/system/isc-dhcp-server.service.d/override.service @@ -0,0 +1,3 @@ +[Unit] +BindsTo=sys-subsystem-net-devices-ffhl.device +After=network.target sys-subsystem-net-devices-ffhl.device diff --git a/roles/debian_base/files/etc/systemd/system/update-ffhl-mesh-vpn.service b/roles/debian_base/files/etc/systemd/system/update-ffhl-mesh-vpn.service index 76ddf53..304b0ae 100644 --- a/roles/debian_base/files/etc/systemd/system/update-ffhl-mesh-vpn.service +++ b/roles/debian_base/files/etc/systemd/system/update-ffhl-mesh-vpn.service @@ -1,4 +1,4 @@ [Service] Type=oneshot -WorkingDirectory=/etc/fastd/ffhl-mesh-vpn/peers +WorkingDirectory=/etc/fastd/ffhl_mesh_vpn/peers ExecStart=/usr/bin/git pull diff --git a/roles/debian_base/files/etc/tayga.conf b/roles/debian_base/files/etc/tayga.conf deleted file mode 100644 index 5b441c1..0000000 --- a/roles/debian_base/files/etc/tayga.conf +++ /dev/null @@ -1,3 +0,0 @@ -tun-device nat64 -ipv4-addr 10.130.127.225 -prefix 2001:67c:2d50:1::/96 
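Review bot: `After=systemd-networkd` in iptables-up.service has no unit-type suffix, and as far as I know systemd does not append `.service` inside unit files, so the ordering is likely ignored with a log warning. For a firewall loader the bigger gap is that the rules are applied after, or unordered against, interface bring-up, which leaves a window with interfaces up and no filter. I would order it ahead of the network with `Wants=network-pre.target` and `Before=network-pre.target`, and add `RemainAfterExit=yes` so the oneshot stays visible as active.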
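Review bot: The isc-dhcp-server drop-in is named `override.service`, but systemd only reads files ending in `.conf` from a `<unit>.d/` directory, so the `BindsTo=`/`After=` on `sys-subsystem-net-devices-ffhl.device` would never take effect. Renaming it to `isc-dhcp-server.service.d/override.conf`, the name the fastd@ drop-in in this commit already uses, fixes that. `systemctl cat isc-dhcp-server` on a deployed host shows whether the drop-in is picked up.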
diff --git a/roles/debian_base/files/bird/burgtor/bird6_local.conf b/roles/debian_base/files/host/burgtor/etc/bird/bird6_local.conf
similarity index 100%
rename from roles/debian_base/files/bird/burgtor/bird6_local.conf
rename to roles/debian_base/files/host/burgtor/etc/bird/bird6_local.conf
diff --git a/roles/debian_base/files/bird/burgtor/bird_local.conf b/roles/debian_base/files/host/burgtor/etc/bird/bird_local.conf
similarity index 100%
rename from roles/debian_base/files/bird/burgtor/bird_local.conf
rename to roles/debian_base/files/host/burgtor/etc/bird/bird_local.conf
diff --git a/roles/debian_base/files/netconfig/burgtor/30-he-ipv6.netdev b/roles/debian_base/files/host/burgtor/etc/systemd/network/30-he-ipv6.netdev
similarity index 100%
rename from roles/debian_base/files/netconfig/burgtor/30-he-ipv6.netdev
rename to roles/debian_base/files/host/burgtor/etc/systemd/network/30-he-ipv6.netdev
diff --git a/roles/debian_base/files/netconfig/burgtor/30-he-ipv6.network b/roles/debian_base/files/host/burgtor/etc/systemd/network/30-he-ipv6.network
similarity index 100%
rename from roles/debian_base/files/netconfig/burgtor/30-he-ipv6.network
rename to roles/debian_base/files/host/burgtor/etc/systemd/network/30-he-ipv6.network
diff --git a/roles/debian_base/files/netconfig/burgtor/31-ffrhein-fra3-v4.netdev b/roles/debian_base/files/host/burgtor/etc/systemd/network/31-ffrhein-fra3-v4.netdev
similarity index 100%
rename from roles/debian_base/files/netconfig/burgtor/31-ffrhein-fra3-v4.netdev
rename to roles/debian_base/files/host/burgtor/etc/systemd/network/31-ffrhein-fra3-v4.netdev
diff --git a/roles/debian_base/files/netconfig/burgtor/31-ffrhein-fra3-v4.network b/roles/debian_base/files/host/burgtor/etc/systemd/network/31-ffrhein-fra3-v4.network
similarity index 100%
rename from roles/debian_base/files/netconfig/burgtor/31-ffrhein-fra3-v4.network
rename to roles/debian_base/files/host/burgtor/etc/systemd/network/31-ffrhein-fra3-v4.network
diff --git a/roles/debian_base/files/netconfig/burgtor/32-ffrhein-fra3-v6.netdev b/roles/debian_base/files/host/burgtor/etc/systemd/network/32-ffrhein-fra3-v6.netdev
similarity index 100%
rename from roles/debian_base/files/netconfig/burgtor/32-ffrhein-fra3-v6.netdev
rename to roles/debian_base/files/host/burgtor/etc/systemd/network/32-ffrhein-fra3-v6.netdev
diff --git a/roles/debian_base/files/netconfig/burgtor/32-ffrhein-fra3-v6.network b/roles/debian_base/files/host/burgtor/etc/systemd/network/32-ffrhein-fra3-v6.network
similarity index 100%
rename from roles/debian_base/files/netconfig/burgtor/32-ffrhein-fra3-v6.network
rename to roles/debian_base/files/host/burgtor/etc/systemd/network/32-ffrhein-fra3-v6.network
diff --git a/roles/debian_base/files/netconfig/burgtor/33-ffrhein-dus-v4.netdev b/roles/debian_base/files/host/burgtor/etc/systemd/network/33-ffrhein-dus-v4.netdev
similarity index 100%
rename from roles/debian_base/files/netconfig/burgtor/33-ffrhein-dus-v4.netdev
rename to roles/debian_base/files/host/burgtor/etc/systemd/network/33-ffrhein-dus-v4.netdev
diff --git a/roles/debian_base/files/netconfig/burgtor/33-ffrhein-dus-v4.network b/roles/debian_base/files/host/burgtor/etc/systemd/network/33-ffrhein-dus-v4.network
similarity index 100%
rename from roles/debian_base/files/netconfig/burgtor/33-ffrhein-dus-v4.network
rename to roles/debian_base/files/host/burgtor/etc/systemd/network/33-ffrhein-dus-v4.network
diff --git a/roles/debian_base/files/netconfig/burgtor/34-ffrhein-dus-v6.netdev b/roles/debian_base/files/host/burgtor/etc/systemd/network/34-ffrhein-dus-v6.netdev
similarity index 100%
rename from roles/debian_base/files/netconfig/burgtor/34-ffrhein-dus-v6.netdev
rename to roles/debian_base/files/host/burgtor/etc/systemd/network/34-ffrhein-dus-v6.netdev
diff --git a/roles/debian_base/files/netconfig/burgtor/34-ffrhein-dus-v6.network b/roles/debian_base/files/host/burgtor/etc/systemd/network/34-ffrhein-dus-v6.network
similarity index 100%
rename from roles/debian_base/files/netconfig/burgtor/34-ffrhein-dus-v6.network
rename to roles/debian_base/files/host/burgtor/etc/systemd/network/34-ffrhein-dus-v6.network
diff --git a/roles/debian_base/files/bird/holstentor/bird6_local.conf b/roles/debian_base/files/host/holstentor/etc/bird/bird6_local.conf
similarity index 100%
rename from roles/debian_base/files/bird/holstentor/bird6_local.conf
rename to roles/debian_base/files/host/holstentor/etc/bird/bird6_local.conf
diff --git a/roles/debian_base/files/bird/holstentor/bird_local.conf b/roles/debian_base/files/host/holstentor/etc/bird/bird_local.conf
similarity index 100%
rename from roles/debian_base/files/bird/holstentor/bird_local.conf
rename to roles/debian_base/files/host/holstentor/etc/bird/bird_local.conf
diff --git a/roles/debian_base/files/netconfig/holstentor/00-eth1.network b/roles/debian_base/files/host/holstentor/etc/systemd/network/00-eth1.network
similarity index 100%
rename from roles/debian_base/files/netconfig/holstentor/00-eth1.network
rename to roles/debian_base/files/host/holstentor/etc/systemd/network/00-eth1.network
diff --git a/roles/debian_base/files/netconfig/holstentor/30-he-ipv6.netdev b/roles/debian_base/files/host/holstentor/etc/systemd/network/30-he-ipv6.netdev
similarity index 100%
rename from roles/debian_base/files/netconfig/holstentor/30-he-ipv6.netdev
rename to roles/debian_base/files/host/holstentor/etc/systemd/network/30-he-ipv6.netdev
diff --git a/roles/debian_base/files/netconfig/holstentor/30-he-ipv6.network b/roles/debian_base/files/host/holstentor/etc/systemd/network/30-he-ipv6.network
similarity index 100%
rename from roles/debian_base/files/netconfig/holstentor/30-he-ipv6.network
rename to roles/debian_base/files/host/holstentor/etc/systemd/network/30-he-ipv6.network
diff --git a/roles/debian_base/files/netconfig/holstentor/31-ffrhein-ber.netdev b/roles/debian_base/files/host/holstentor/etc/systemd/network/31-ffrhein-ber.netdev
similarity index 100%
rename from roles/debian_base/files/netconfig/holstentor/31-ffrhein-ber.netdev
rename to roles/debian_base/files/host/holstentor/etc/systemd/network/31-ffrhein-ber.netdev
diff --git a/roles/debian_base/files/netconfig/holstentor/31-ffrhein-ber.network b/roles/debian_base/files/host/holstentor/etc/systemd/network/31-ffrhein-ber.network
similarity index 100%
rename from roles/debian_base/files/netconfig/holstentor/31-ffrhein-ber.network
rename to roles/debian_base/files/host/holstentor/etc/systemd/network/31-ffrhein-ber.network
diff --git a/roles/debian_base/files/netconfig/holstentor/32-ffrhein-fra3.netdev b/roles/debian_base/files/host/holstentor/etc/systemd/network/32-ffrhein-fra3.netdev
similarity index 100%
rename from roles/debian_base/files/netconfig/holstentor/32-ffrhein-fra3.netdev
rename to roles/debian_base/files/host/holstentor/etc/systemd/network/32-ffrhein-fra3.netdev
diff --git a/roles/debian_base/files/netconfig/holstentor/32-ffrhein-fra3.network b/roles/debian_base/files/host/holstentor/etc/systemd/network/32-ffrhein-fra3.network
similarity index 100%
rename from roles/debian_base/files/netconfig/holstentor/32-ffrhein-fra3.network
rename to roles/debian_base/files/host/holstentor/etc/systemd/network/32-ffrhein-fra3.network
diff --git a/roles/debian_base/files/bird/huextertor/bird6_local.conf b/roles/debian_base/files/host/huextertor/etc/bird/bird6_local.conf
similarity index 100%
rename from roles/debian_base/files/bird/huextertor/bird6_local.conf
rename to roles/debian_base/files/host/huextertor/etc/bird/bird6_local.conf
diff --git a/roles/debian_base/files/bird/huextertor/bird_local.conf b/roles/debian_base/files/host/huextertor/etc/bird/bird_local.conf similarity index 100% rename from roles/debian_base/files/bird/huextertor/bird_local.conf rename to roles/debian_base/files/host/huextertor/etc/bird/bird_local.conf diff --git a/roles/debian_base/files/host/kaisertor/etc/bird/bird6_local.conf b/roles/debian_base/files/host/kaisertor/etc/bird/bird6_local.conf new file mode 100644 index 0000000..6284a73 --- /dev/null +++ b/roles/debian_base/files/host/kaisertor/etc/bird/bird6_local.conf @@ -0,0 +1,27 @@ +# public BGP +############# + +protocol bgp ffrhein_ber from bgp_public { + neighbor 2a03:2260:0:59::1 as 201701; +} + +protocol bgp ffrhein_fra3 from bgp_public { + neighbor 2a03:2260:0:60::1 as 201701; +} + +protocol bgp he from bgp_public { + neighbor 2001:470:12:35::1 as 6939; +} + +# dn42 +####### + +protocol bgp bgp_dn42_chaos from bgp_dn42 { + source address fe80::ac16:fd92; + neighbor fe80::ac16:fd91%dn42_chaos as 64784; +} + +protocol bgp bgp_nbsp_router from bgp_dn42 { + source address 2001:67c:2d50::c01; + neighbor 2001:67c:2d50::2b as 76129; +} diff --git a/roles/debian_base/files/host/kaisertor/etc/bird/bird_local.conf b/roles/debian_base/files/host/kaisertor/etc/bird/bird_local.conf new file mode 100644 index 0000000..e69de29 diff --git a/roles/debian_base/files/bird/muehlentor/bird6_local.conf b/roles/debian_base/files/host/muehlentor/etc/bird/bird6_local.conf similarity index 100% rename from roles/debian_base/files/bird/muehlentor/bird6_local.conf rename to roles/debian_base/files/host/muehlentor/etc/bird/bird6_local.conf diff --git a/roles/debian_base/files/bird/muehlentor/bird_local.conf b/roles/debian_base/files/host/muehlentor/etc/bird/bird_local.conf similarity index 100% rename from roles/debian_base/files/bird/muehlentor/bird_local.conf rename to roles/debian_base/files/host/muehlentor/etc/bird/bird_local.conf 
diff --git a/roles/debian_base/files/scripts/iptables-up b/roles/debian_base/files/scripts/iptables-up new file mode 100644 index 0000000..83d6093 --- /dev/null +++ b/roles/debian_base/files/scripts/iptables-up @@ -0,0 +1,8 @@ +#!/bin/bash + +# this loads all files *.rules in /etc/iptables + + +for i in /etc/iptables/*.rules; do + iptables-restore < "$i" +done diff --git a/roles/debian_base/tasks/bird.yml b/roles/debian_base/tasks/bird.yml index ca6ed3e..3862993 100644 --- a/roles/debian_base/tasks/bird.yml +++ b/roles/debian_base/tasks/bird.yml @@ -1,5 +1,3 @@ --- -- copy: src=bird/base/ dest=/etc/bird -- copy: src=bird/{{ inventory_hostname }}/ dest=/etc/bird - template: src=bird_host.conf.j2 dest=/etc/bird/bird_host.conf - template: src=bird6_host.conf.j2 dest=/etc/bird/bird6_host.conf diff --git a/roles/debian_base/tasks/dhcpd.yml b/roles/debian_base/tasks/dhcpd.yml new file mode 100644 index 0000000..0c75b93 --- /dev/null +++ b/roles/debian_base/tasks/dhcpd.yml @@ -0,0 +1,12 @@ +- name: process dhcpd templates + tags: + - dhcp + template: src=dhcpd.conf.j2 dest=/etc/dhcp/dhcpd.conf + +- name: tell dhcpd what interfaces it should listen + tags: + - dhcp + lineinfile: + path: /etc/default/isc-dhcp-server + regexp: '^INTERFACESv4=' + line: INTERFACESv4="ffhl" diff --git a/roles/debian_base/tasks/fastd.yml b/roles/debian_base/tasks/fastd.yml new file mode 100644 index 0000000..fa5b21a --- /dev/null +++ b/roles/debian_base/tasks/fastd.yml 
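Review bot: The loop in `iptables-up` feeds every `/etc/iptables/*.rules` file to `iptables-restore`, but the commit's file list also carries `etc/iptables/ip6tables.rules` in that directory, so the IPv6 ruleset is handed to the IPv4 loader and `ip6tables-restore` is never called; IPv6 would stay unfiltered, or the v4 tables receive the wrong rules. The script also has no error handling, so a file that fails to parse does not stop the loop and only the last exit status reaches systemd. I would dispatch on the file name and fail fast, as sketched below; the `ip6*` naming convention is an assumption taken from the one file name visible in the diffstat.

```shell
set -euo pipefail
shopt -s nullglob   # no rules files -> the loop body never runs

for rules in /etc/iptables/*.rules; do
    case "${rules##*/}" in
        ip6*) ip6tables-restore < "$rules" ;;
        *)    iptables-restore  < "$rules" ;;
    esac
done
```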
@@ -0,0 +1,43 @@ +--- +- user: name=fastd system=yes home=/etc/fastd + + +- template: + src: fastd/{{ item }}/fastd-up + dest: /etc/fastd/{{ item }}/fastd-up + owner: fastd + mode: 0744 + +- name: generate fastd key + shell: + cmd: fastd --generate-key | awk '/Secret/ {print "secret \"" $2 "\";" }' > /etc/fastd/{{ item }}/secret.conf + creates: /etc/fastd/{{ item }}/secret.conf + +- name: generate peer file + shell: + cmd: fastd --show-key -c /etc/fastd/{{ item }}/fastd.conf | awk '/Public/ {print "key \"" $2 "\";" }' > /etc/fastd/{{ item }}/peer.conf + + +- systemd: + enabled: yes + name: fastd@{{ item }} + + +- fetch: + src: /etc/fastd/{{ item }}/peer.conf + dest: artifacts/ + + + + + # + # - template: + # src: fastd/ffhl_mesh_vpn/fastd-up + # dest: /etc/fastd/ffhl_mesh_vpn/fastd-up + # owner: fastd + # mode: 0744 + # + # - name: generate fastd key + # command: fastd --generate-key | awk -e '/Secret/ {print "secret \"" $2 "\";" }' > /etc/fastd/ffhl_mesh_vpn/secret.conf + # args: + # creates: /etc/fastd/ffhl_mesh_vpn/secret.conf diff --git a/roles/debian_base/tasks/ffhl-peers.yml b/roles/debian_base/tasks/ffhl-peers.yml index e2ab059..12af779 100644 --- a/roles/debian_base/tasks/ffhl-peers.yml +++ b/roles/debian_base/tasks/ffhl-peers.yml @@ -1,3 +1,3 @@ --- -- git: repo=git@srv01.luebeck.freifunk.net:fastd-keys dest=/etc/fastd/ffhl-mesh-vpn/peers accept_hostkey=True -- copy: src=post-merge/ffhl-mesh-vpn dest=/etc/fastd/ffhl-mesh-vpn/peers/.git/hooks/post-merge mode=a+x +- git: repo=git@srv01.luebeck.freifunk.net:fastd-keys dest=/etc/fastd/ffhl_mesh_vpn/peers accept_hostkey=True +- copy: src=post-merge/ffhl-mesh-vpn dest=/etc/fastd/ffhl_mesh_vpn/peers/.git/hooks/post-merge mode=a+x diff --git a/roles/debian_base/tasks/main.yml b/roles/debian_base/tasks/main.yml index f03319f..2513d6e 100644 --- a/roles/debian_base/tasks/main.yml +++ b/roles/debian_base/tasks/main.yml 
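Review bot: The `generate fastd key` task in fastd.yml writes `secret.conf` through a shell redirect, so the private key gets whatever the default umask yields (typically world-readable 0644) and no later task tightens it. I would start the command with `umask 077;` and follow it with a `file:` task setting `mode: "0600"` on `/etc/fastd/{{ item }}/secret.conf`. Without `pipefail`, a failing `fastd --generate-key` still leaves an empty file that `creates:` then treats as done. Also worth checking: `fastd-up` is installed with `owner: fastd`, which lets the unprivileged daemon account rewrite a hook that calls `ip link` and `batctl` and so presumably runs with more privilege; `owner: root` with `mode: "0755"` avoids that.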
@@ -1,25 +1,62 @@ --- -- include: update.yml +- - include: software.yml + - name: Disable root login with password lineinfile: dest=/etc/ssh/sshd_config regexp="^#?PermitRootLogin" line="PermitRootLogin without-password" -- user: name=fastd system=yes home=/etc/fastd -- copy: src=etc/ dest=/etc -- copy: src=netconfig/{{ inventory_hostname }}/ dest=/etc/systemd/network - ignore_errors: True -- copy: src=host/{{ inventory_hostname }}/etc/ dest=/etc - ignore_errors: True -- file: state=link src=/usr/share/zoneinfo/Europe/Berlin dest=/etc/localtime -- template: src=fastd-mac.j2 dest=/etc/fastd/ffhl-mesh-vpn/mac -- template: src=fastd-mac-2.j2 dest=/etc/fastd/ffhl-mesh-vpn-2/mac -- template: src=fastd-gw-mac.j2 dest=/etc/fastd/ffhl-gw-vpn/mac -- template: src=dhcpd.conf.j2 dest=/etc/dhcpd.conf -- template: src=radvd.conf.j2 dest=/etc/radvd.conf -- template: src=10-freifunk-hl.netdev.j2 dest=/etc/systemd/network/10-freifunk-hl.netdev -- template: src=12-freifunk-hl.network.j2 dest=/etc/systemd/network/12-freifunk-hl.network -- command: systemctl daemon-reload -- copy: content="createUser guest SHA guestffhl AES guestffhl" dest=/var/net-snmp/snmpd.conf + +- name: copy base configs + copy: src=etc/ dest=/etc + +- name: copy host specific configs + copy: src=host/{{ inventory_hostname }}/etc/ dest=/etc + +- name: copy scripts + copy: src=scripts/iptables-up dest=/usr/local/bin/iptables-up mode=755 + + + +# configurations and stuff + +- name: set local timezone + file: state=link src=/usr/share/zoneinfo/Europe/Berlin dest=/etc/localtime + +- name: configure ntp + blockinfile: + path: /etc/ntp.conf + block: | + restrict fdef:ffc0:3dd7:: mask ffff:ffff:ffff:ffff:: nomodify notrap nopeer + restrict 2001:67c:2d50:: mask ffff:ffff:ffff:ffff:: nomodify notrap nopeer + + +- name: networkd templates + block: + - template: src=network/10-ffhl.netdev.j2 dest=/etc/systemd/network/10-ffhl.netdev + - template: src=network/12-ffhl.network.j2 dest=/etc/systemd/network/12-ffhl.network + +# 
sometimes disabled (dunno why) +- name: enable systemd-networkd + command: systemctl enable systemd-networkd + + +- name: create fastd configs + include_tasks: fastd.yml + loop: + - ffhl_mesh_vpn + - ffhl_mesh_gwvpn + + +- include: radvd.yml + +- include: dhcpd.yml + + +- name: reload systemd + command: systemctl daemon-reload + + - lineinfile: dest=/etc/iproute2/rt_tables line="42\tfreifunk" + - include: bird.yml tags: - bird diff --git a/roles/debian_base/tasks/radvd.yml b/roles/debian_base/tasks/radvd.yml new file mode 100644 index 0000000..1853b43 --- /dev/null +++ b/roles/debian_base/tasks/radvd.yml @@ -0,0 +1,3 @@ +--- +- name: radvd templates + template: src=radvd/radvd.conf.j2 dest=/etc/radvd.conf diff --git a/roles/debian_base/tasks/software.yml b/roles/debian_base/tasks/software.yml index c0381bb..3aef30e 100644 --- a/roles/debian_base/tasks/software.yml +++ b/roles/debian_base/tasks/software.yml @@ -1,6 +1,44 @@ --- -- apt: update_cache=yes +# - lineinfile: +# path: /etc/apt/sources.list +# regexp: '^deb .* main$' +# line: deb http://deb.debian.org/debian stable main + +- name: apt python update + command: apt-get update + +- name: install python-apt + command: apt-get install -y python-apt + - name: install tools - apt: state=present name=openssh-server,openssh-client,git,wget,curl,zsh,tcpdump,iftop,iputils-ping,htop,bridge-utils,batctl -- name: install networking stuff - apt: state=present name=bird,tinc,bind9,fastd,radvd,dhcpd,ntp,haveged + apt: + update_cache: yes + state: present + name: + - iptables-persistent + - apt-file + - batctl + - bind9 + - bird + - bridge-utils + - curl + - isc-dhcp-server + - fastd + - git + - haveged + - htop + - iftop + - iputils-ping + - ntp + - openssh-client + - openssh-server + - python-apt + - radvd + - tcpdump + - tinc + - vim + - wget + - iperf3 + +- name: load batman-adv + command: modprobe batman-adv diff --git a/roles/debian_base/tasks/units.yml b/roles/debian_base/tasks/units.yml index d3e92ce..31cd13d 100644 
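Review bot: The two `restrict` lines added to `/etc/ntp.conf` in main.yml give the mesh prefixes `nomodify notrap nopeer` but not `noquery`, and since ntpd applies the most specific matching restrict entry, any stricter flags on the default entry (such as `noquery` or `limited`) no longer apply to those sources. On an open mesh that leaves ntpq-style control queries answerable for every client in those prefixes. Unless monitoring depends on them, I would write `restrict fdef:ffc0:3dd7:: mask ffff:ffff:ffff:ffff:: nomodify notrap nopeer noquery` and the same for the `2001:67c:2d50::` line.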
--- a/roles/debian_base/tasks/units.yml +++ b/roles/debian_base/tasks/units.yml @@ -1,30 +1,27 @@ --- - command: systemctl mask display-manager.service -- command: systemctl enable {{ item }} + + +- name: restart services + systemd: + state: restarted + name: "{{ item }}" with_items: - # - alfred@hl.service - # - batadv-vis@hl.service - - batman-freifunk@hl.service + - batman@ffhl_bat0.service - bird6.service - bird.service - - dhcpd4.service - - "'fastd@ffhl\\x2dmesh\\x2dvpn.service'" - - "'fastd@ffhl\\x2dmesh\\x2dvpn\\x2d2.service'" - - "'fastd@ffhl\\x2dgw\\x2dvpn.service'" + - systemd-networkd.service + - isc-dhcp-server.service + - "fastd@ffhl_mesh_vpn.service" + - "fastd@ffhl_mesh_gwvpn.service" - freifunk-ip-rule.service - haveged.service - - ip6tables.service - - iptables.service - - named.service - - ntpd.service + - bind9.service + - ntp.service - radvd.service - - snmpd.service - sshd.service - - systemd-networkd.service - - tayga.service - update-ffhl-dns.timer - update-ffhl-mesh-vpn.timer - - vnstat.service + - command: systemctl enable {{ item }} with_items: "{{ units_enable|default([]) }}" - diff --git a/roles/debian_base/templates/dhcpd.conf.j2 b/roles/debian_base/templates/dhcpd.conf.j2 index 22af242..e8bb6ed 100644 --- a/roles/debian_base/templates/dhcpd.conf.j2 +++ b/roles/debian_base/templates/dhcpd.conf.j2 @@ -5,6 +5,6 @@ max-lease-time 600; subnet {{ dhcpd_subnet }} netmask {{ dhcpd_netmask }} { range {{ dhcpd_start }} {{ dhcpd_end }}; - option routers {{ ip4 }}; - option domain-name-servers {{ ip4 }}; + option routers {{ ip4 }}; + option domain-name-servers {{ ip4 }}; } diff --git a/roles/debian_base/templates/fastd-gw-mac.j2 b/roles/debian_base/templates/fastd-gw-mac.j2 deleted file mode 100644 index e15d4e1..0000000 --- a/roles/debian_base/templates/fastd-gw-mac.j2 +++ /dev/null @@ -1 +0,0 @@ -{{ fastd_gw_mac }} 
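Review bot: The units.yml task that used to `systemctl enable` these units now only sets `state: restarted`, so nothing in the list is enabled for boot any more, and `iptables.service`/`ip6tables.service` are dropped without the `iptables-up.service` added in this commit taking their place. As written the firewall loader appears never to be started or enabled by the role, so a rebooted gateway may come up unfiltered unless something outside this diff handles it. I would add `enabled: yes` next to `state: restarted` and a `- iptables-up.service` entry to the list. Restarting `sshd`, `bird` and `systemd-networkd` unconditionally on every run also resets BGP sessions each time; handlers would limit that to real changes.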
diff --git a/roles/debian_base/templates/fastd-mac-2.j2 b/roles/debian_base/templates/fastd-mac-2.j2 deleted file mode 100644 index 1a27d4c..0000000 --- a/roles/debian_base/templates/fastd-mac-2.j2 +++ /dev/null @@ -1 +0,0 @@ -{{ fastd_mac_2 }} diff --git a/roles/debian_base/templates/fastd-mac.j2 b/roles/debian_base/templates/fastd-mac.j2 deleted file mode 100644 index 6ee50b1..0000000 --- a/roles/debian_base/templates/fastd-mac.j2 +++ /dev/null @@ -1 +0,0 @@ -{{ fastd_mac }} diff --git a/roles/debian_base/templates/fastd/ffhl_mesh_gwvpn/fastd-up b/roles/debian_base/templates/fastd/ffhl_mesh_gwvpn/fastd-up new file mode 100644 index 0000000..88480f0 --- /dev/null +++ b/roles/debian_base/templates/fastd/ffhl_mesh_gwvpn/fastd-up @@ -0,0 +1,5 @@ +#!/bin/bash + +ip link set address {{ fastd_gw_mac }} dev $INTERFACE +ip link set up $INTERFACE +batctl -m ffhl_bat0 if add $INTERFACE diff --git a/roles/debian_base/templates/fastd/ffhl_mesh_gwvpn/gateways/holstentor b/roles/debian_base/templates/fastd/ffhl_mesh_gwvpn/gateways/holstentor new file mode 100644 index 0000000..4ac8d29 --- /dev/null +++ b/roles/debian_base/templates/fastd/ffhl_mesh_gwvpn/gateways/holstentor @@ -0,0 +1,3 @@ +key "07197da0ff4a294f4356b50c567f957334728d8a1a31b2855ddd1f6f4d2fed07"; +remote "holstentor.mesh.ffhl.chaotikum.org" port 10001; +float yes; diff --git a/roles/debian_base/templates/fastd/ffhl_mesh_gwvpn/gateways/muehlentor b/roles/debian_base/templates/fastd/ffhl_mesh_gwvpn/gateways/muehlentor new file mode 100644 index 0000000..d218c3d --- /dev/null +++ b/roles/debian_base/templates/fastd/ffhl_mesh_gwvpn/gateways/muehlentor @@ -0,0 +1,3 @@ +key "2eba0e70a6b834a8435f7142b06f3ee79849b97f884d961f3dd899861373e54e"; +remote "muehlentor.mesh.ffhl.chaotikum.org" port 10001; +float yes; diff --git a/roles/debian_base/templates/fastd/ffhl_mesh_vpn/fastd-up b/roles/debian_base/templates/fastd/ffhl_mesh_vpn/fastd-up new file mode 100644 index 0000000..a105b0a --- /dev/null 
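Review bot: The `ffhl_mesh_gwvpn/fastd-up` hook has no `set -e` and expands `$INTERFACE` unquoted, so if `ip link set address` fails the script still brings the link up and adds it to `ffhl_bat0` with whatever MAC it had. A `set -eu` line after the shebang and `"$INTERFACE"` in the three commands would make a failed step abort the hook. The `ffhl_mesh_vpn/fastd-up` template added right after it has the same shape.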
+++ b/roles/debian_base/templates/fastd/ffhl_mesh_vpn/fastd-up @@ -0,0 +1,5 @@ +#!/bin/bash + +ip link set address {{ fastd_mesh_mac }} dev $INTERFACE +ip link set up $INTERFACE +batctl -m ffhl_bat0 if add $INTERFACE diff --git a/roles/debian_base/templates/10-freifunk-hl.netdev.j2 b/roles/debian_base/templates/network/10-ffhl.netdev.j2 similarity index 75% rename from roles/debian_base/templates/10-freifunk-hl.netdev.j2 rename to roles/debian_base/templates/network/10-ffhl.netdev.j2 index c3bee1a..943e09d 100644 --- a/roles/debian_base/templates/10-freifunk-hl.netdev.j2 +++ b/roles/debian_base/templates/network/10-ffhl.netdev.j2 @@ -1,4 +1,4 @@ [NetDev] -Name=freifunk-hl +Name=ffhl Kind=bridge MACAddress={{ freifunk_mac }} diff --git a/roles/debian_base/templates/12-freifunk-hl.network.j2 b/roles/debian_base/templates/network/12-ffhl.network.j2 similarity index 74% rename from roles/debian_base/templates/12-freifunk-hl.network.j2 rename to roles/debian_base/templates/network/12-ffhl.network.j2 index 3f83eaa..e82136f 100644 --- a/roles/debian_base/templates/12-freifunk-hl.network.j2 +++ b/roles/debian_base/templates/network/12-ffhl.network.j2 @@ -1,8 +1,10 @@ [Match] -Name=freifunk-hl +Name=ffhl [Network] IPForward=yes Address={{ ip4 }}/20 Address={{ ip6 }}/64 Address={{ ip6_ula }}/64 + +LinkLocalAddressing=no diff --git a/roles/debian_base/templates/radvd.conf.j2 b/roles/debian_base/templates/radvd.conf.j2 deleted file mode 100644 index b38646f..0000000 --- a/roles/debian_base/templates/radvd.conf.j2 +++ /dev/null @@ -1,16 +0,0 @@ -interface freifunk-hl -{ - AdvSendAdvert on; - IgnoreIfMissing on; - MaxRtrAdvInterval 200; - -{% for prefix in radvd_prefixes %} - prefix {{ prefix }} - { - }; - -{% endfor %} - RDNSS 2001:67c:2d50:1::a82:7fe0 - { - }; -}; diff --git a/roles/debian_base/templates/radvd/radvd.conf.j2 b/roles/debian_base/templates/radvd/radvd.conf.j2 new file mode 100644 index 0000000..f7ab354 --- /dev/null 
+++ b/roles/debian_base/templates/radvd/radvd.conf.j2 @@ -0,0 +1,14 @@ +interface freifunk-hl +{ + AdvSendAdvert on; + IgnoreIfMissing on; + MaxRtrAdvInterval 200; + +{% for prefix in radvd_prefixes %} + prefix {{ prefix }} { + }; +{% endfor %} + + RDNSS 2001:67c:2d50:1::a82:7fe0 { + }; +}; diff --git a/todo.md b/todo.md new file mode 100644 index 0000000..bbb07f0 --- /dev/null +++ b/todo.md @@ -0,0 +1,8 @@ +Things for a working Gateway: + +[x] fastd +[x] batman +[ ] DHCP +[ ] radvd +[ ] BGP +[x] prometheus -- GitLab
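Review bot: The new radvd template still advertises on `interface freifunk-hl`, while this commit renames the bridge to `ffhl` in `10-ffhl.netdev.j2` and points dhcpd at `ffhl`; with `IgnoreIfMissing on` radvd would start without error and simply send no router advertisements. The first line should read `interface ffhl`. Note also that `12-ffhl.network.j2` now sets `LinkLocalAddressing=no`, and radvd needs a link-local address on the interface it advertises from, so that setting is worth re-checking for this bridge.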