add setup role for debian based gateways

.gitignore

 /.vagrant
 /playbook.retry
+secret*
+/artifacts

host_vars/burgtor.yml

-ip4: 10.130.0.255
-ip6: 2001:67c:2d50::e01
-ip6_ula: fdef:ffc0:3dd7::e01
-fastd_mac: 52:54:00:f3:62:d9
-fastd_mac_2: ea:af:13:66:6d:71
-fastd_gw_mac: 52:54:00:f3:62:da
-freifunk_mac: 52:54:00:ee:5c:d7
-dhcpd_start: 10.130.12.63
-dhcpd_end: 10.130.15.254
-snat_dev: ffrhein-+
-snat_ip4: 185.66.193.32
-icvpn_name: luebeck2
-icvpn_ip4: 10.207.0.131
-icvpn_ip6: fec0::a:cf:0:83
-units_enable:
-  - "'fastd@dn42\\x2dchaos.service'"

host_vars/holstentor.yml

 ip4: 10.130.0.253
 ip6: 2001:67c:2d50::c01
 ip6_ula: fdef:ffc0:3dd7::c01
-fastd_mac: d6:89:49:08:f6:9d
-fastd_mac_2: ce:69:95:f0:a9:53
+fastd_mesh_mac: d6:89:49:08:f6:9d
 fastd_gw_mac: d6:89:49:08:f6:9e
 freifunk_mac: 52:54:00:0c:bb:eb
 dhcpd_start: 10.130.4.191
 dhcpd_end: 10.130.8.126
+
+# additional config
 snat_dev: ffrhein-+
 snat_ip4: 185.66.193.33
 icvpn_name: luebeck1
 icvpn_ip4: 10.207.0.130
 icvpn_ip6: fec0::a:cf:0:82
 units_enable:
-  - "'fastd@dn42\\x2dchaos.service'"
+  - "'fastd@dn42-chaos.service'"

host_vars/huextertor.yml

 ip4: 10.130.0.252
-ip6: 2001:67c:2d50::801
-ip6_ula: fdef:ffc0:3dd7::801
-fastd_mac: d2:d0:93:63:f7:da
-fastd_mac_2: 66:3a:16:58:af:5c
-fastd_gw_mac: d2:d0:93:63:f7:db
-freifunk_mac: 6e:e4:d2:8a:3b:63
-dhcpd_start: 10.130.1.0
-dhcpd_end: 10.130.4.190
+ip6: 2001:67c:2d50::d01
+ip6_ula: fdef:ffc0:3dd7::d01
+fastd_mesh_mac: de:ad:ca:fe:aa:bb
+fastd_gw_mac: de:ad:ca:fe:bb:dd
+freifunk_mac: de:ad:ca:fe:cc:dd
+dhcpd_start: 10.130.12.63
+dhcpd_end: 10.130.15.255

host_vars/kaisertor.yml

+ip4: 10.130.0.255
+ip6: 2001:67c:2d50::b01
+ip6_ula: fdef:ffc0:3dd7::b01
+fastd_mesh_mac: de:ad:ca:fe:aa:aa
+fastd_gw_mac: de:ad:ca:fe:bb:bb
+freifunk_mac: de:ad:ca:fe:cc:bb
+dhcpd_start: 10.130.1.0
+dhcpd_end: 10.130.4.190

host_vars/muehlentor.yml

 ip4: 10.130.0.254
 ip6: 2001:67c:2d50::a01
 ip6_ula: fdef:ffc0:3dd7::a01
-fastd_mac: 26:9c:57:9b:5c:b2
-fastd_mac_2: 6a:0a:8d:97:50:69
+fastd_mesh_mac: 26:9c:57:9b:5c:b2
 fastd_gw_mac: 26:9c:57:9b:5c:b3
 freifunk_mac: de:ad:ca:fe:46:1d
 dhcpd_start: 10.130.8.127

hosts

 [gateways]
-ffhl-gateway ansible_ssh_host=10.10.1.100 ansible_ssh_user=root
+burgtor ansible_ssh_host=burgtor.luebeck.freifunk.net
+holstentor ansible_ssh_host=holstentor.luebeck.freifunk.net
+muehlentor ansible_ssh_host=muehlentor.luebeck.freifunk.net
+huextertor ansible_ssh_host=huextertor.luebeck.freifunk.net
 
 [gateways:vars]
 ansible_python_interpreter=/usr/bin/env python2

hosts_new

+[gateways]
+kaisertor ansible_ssh_host=10.8.1.50 ansible_ssh_user=root
+
+[gateways:vars]
+ansible_python_interpreter=/usr/bin/env python2

revert_and_setup.sh

+#!/bin/sh
+
+set -e
+
+# virsh snapshot-revert --domain ffhl-test-gateway --current
+virsh snapshot-revert --domain ffhl-test-gateway 1579128050
+echo "restarting timesyncd and ntp"
+ssh -q root@10.8.1.50 systemctl restart systemd-timesyncd
+ssh -q root@10.8.1.50 systemctl restart ntp
+echo "waiting..."
+sleep 7
+
+echo "removing artifacts"
+rm -rf artifacts
+
+echo "run the playbook"
+ansible-playbook -vvvv -i hosts debian_setup.yml

roles/debian_base/files/etc/bird.conf

-include "bird/bird.conf";

roles/debian_base/files/bird/base/bird.conf → roles/debian_base/files/etc/bird/bird.conf

@@ -53,13 +53,6 @@ protocol static mesh_freifunk {
   route 10.0.0.0/8 reject;
 };
 
-# 464XLAT
-##########
-
-protocol static static_464xlat {
-  route 10.130.64.0/18 via "nat64";
-}
-
 # Mesh-internal routing
 ########################
 

roles/debian_base/files/bird/base/bird6.conf → roles/debian_base/files/etc/bird/bird6.conf

@@ -22,9 +22,10 @@ define KERNEL_TABLE = ipt_freifunk;
 # ROA table
 ############
 
-roa table roa_icvpn {
-  include "roa.ip6";
-}
+# roa table roa_icvpn {
+#   include "roa.ip6";
+# }
+
 
 # filter helpers
 #################
@@ -49,14 +50,15 @@ function is_self_mgmt()   { return net ~ [ 2001:67c:2d50:1::a82:7fe0/123+ ]; }
 filter bgp_import_filter {
   if is_self_net() then reject;
   if is_ula() then accept;
-  if roa_check(roa_icvpn) = ROA_VALID then {
-    accept;
-  } else {
-    print "ROA check failed for ", net, " ASN ", bgp_path.last;
-  }
-  reject;
+  # if roa_check(roa_icvpn) = ROA_VALID then {
+  #   accept;
+  # } else {
+  #   print "ROA check failed for ", net, " ASN ", bgp_path.last;
+  # }
+  accept;
 }
 
+
 # static routes
 ################
 

roles/debian_base/files/etc/bird/password.conf

+password "dummy";

roles/debian_base/files/etc/bird6.conf

-include "bird/bird6.conf";

roles/debian_base/files/etc/fastd/ffhl-gw-vpn/gateways/burgtor

-key "5a15ffbef06ba2f887a17a60bf1feeae56fa6a9a94f3ea7f84390291406b0b4e";
-remote "burgtor.mesh.ffhl.chaotikum.org" port 10001;
-float yes;

roles/debian_base/files/etc/fastd/ffhl-gw-vpn/gateways/huextertor

-key "eb2ef5487527ec1643448943dd9427d9965870bc1a5db37f8edc8aea84005f9f";
-remote "huextertor.mesh.ffhl.chaotikum.org" port 10001;
-float yes;

roles/debian_base/files/etc/fastd/ffhl-mesh-vpn-2/fastd.conf

-log to syslog level debug;
-user "fastd";
-interface "ffhl-mesh-vpn-2";
-method "null";
-method "salsa2012+umac";
-bind any:10002;
-include "../ffhl-mesh-vpn/secret.conf";
-mtu 1280;
-hide ip addresses yes;
-status socket "/run/fastd/mesh-vpn-2.sock";
-
-include peers from "../ffhl-mesh-vpn/peers";
-
-on up "
-        ip link set address $(cat mac) dev $INTERFACE
-        ip link set up $INTERFACE
-";

roles/debian_base/files/etc/fastd/ffhl-gw-vpn/fastd.conf → roles/debian_base/files/etc/fastd/ffhl_mesh_gwvpn/fastd.conf

 log to syslog level debug;
 user "fastd";
-interface "ffhl-gw-vpn";
+interface "ffhl_mesh_gwvpn";
 method "salsa2012+umac";
 bind any:10001;
 include "secret.conf";
 mtu 1280;
-status socket "/run/fastd/gw-vpn.sock";
+status socket "/run/fastd/ffhl_mesh_gwvpn.sock";
+on up "./fastd-up";
 
 include peers from "gateways";
-
-on up "
-        ip link set address $(cat mac) dev $INTERFACE
-        ip link set up $INTERFACE
-";