add apt tasks

debian_setup.yml

+---
+- hosts: gateways
+  become: yes
+  roles:
+    - debian_base

hosts

 [gateways]
-burgtor ansible_ssh_host=burgtor.luebeck.freifunk.net
-holstentor ansible_ssh_host=holstentor.luebeck.freifunk.net
-muehlentor ansible_ssh_host=muehlentor.luebeck.freifunk.net
-huextertor ansible_ssh_host=huextertor.luebeck.freifunk.net
+ffhl-gateway ansible_ssh_host=10.10.1.100 ansible_ssh_user=root
 
 [gateways:vars]
 ansible_python_interpreter=/usr/bin/env python2

roles/debian_base/files/bird/base/bird.conf

+table peering;
+table kernelcopy;
+table mesh;
+
+protocol device {
+	scan time 10;
+}
+
+# host configuration
+#####################
+
+include "bird_host.conf";
+
+# constants
+############
+
+define OWNAS = 201173;
+define OWNMAGIC = 42;
+define KERNEL_TABLE = ipt_freifunk;
+
+# filter helpers
+#################
+
+function is_default()        { return net ~ [ 0.0.0.0/0          ]; }
+function is_freifunk()       { return net ~ [ 10.0.0.0/8+        ]; }
+function is_dn42()           { return net ~ [ 172.22.0.0/15+, 172.20.0.0/16+ ]; }
+function is_chaosvpn()       { return net ~ [ 172.31.0.0/16+     ]; }
+function is_self_net()       { return net ~ [ 10.130.0.0/16+     ]; }
+function is_self_mesh()      { return net ~ [ 10.130.0.0/20+     ]; }
+function is_self_private()   { return net ~ [ 10.130.64.0/18+    ]; }
+function is_self_mgmt()      { return net ~ [ 10.130.127.224/27+ ]; }
+
+# static routes
+################
+
+protocol static static_mesh {
+	table peering;
+	route 10.130.0.0/16 reject;
+};
+
+protocol static local_mesh {
+	route 10.130.0.0/20 via "freifunk-hl";
+};
+
+protocol static mesh_dn42 {
+  table mesh;
+  route 172.20.0.0/16 reject;
+  route 172.22.0.0/15 reject;
+};
+
+protocol static mesh_freifunk {
+  table mesh;
+  route 10.0.0.0/8 reject;
+};
+
+# 464XLAT
+##########
+
+protocol static static_464xlat {
+  route 10.130.64.0/18 via "nat64";
+}
+
+# Mesh-internal routing
+########################
+
+protocol rip rip_mesh {
+  table mesh;
+	interface "freifunk-hl";
+	import where is_self_private() && !is_self_mgmt();
+	export where !((OWNMAGIC, 1) ~ bgp_community) && !is_self_mesh();
+};
+
+# OSPF between gateways
+########################
+
+protocol ospf ospf_mesh {
+	preference 90;
+	export where !((OWNMAGIC, 1) ~ bgp_community) && proto != "rip_mesh";
+	import all;
+	area 0 {
+		interface "freifunk-hl" {
+			authentication cryptographic;
+			include "password.conf";
+			type nonbroadcast;
+			neighbors {
+				10.130.0.252 eligible; # huextertor
+				10.130.0.253 eligible; # holstentor
+				10.130.0.254 eligible; # muehlentor
+				10.130.0.255 eligible; # burgtor
+			};
+		};
+	};
+};
+
+# Kernel routing tables
+########################
+
+protocol kernel {
+	scan time 20;
+	device routes;
+	import none;
+	export filter {
+		if is_dn42()     then { krt_prefsrc = OWNIP; accept ; }
+		if is_freifunk() then { krt_prefsrc = OWNIP; accept ; }
+		reject;
+	};
+};
+
+protocol kernel {
+	table kernelcopy;
+	kernel table KERNEL_TABLE;
+	scan time 20;
+	device routes;
+	import none;
+	export filter {
+		if is_default()  then accept;
+		if is_dn42()     then { krt_prefsrc = OWNIP; accept ; }
+		if is_freifunk() then { krt_prefsrc = OWNIP; accept ; }
+		reject;
+	};
+}
+
+# plumbing
+###########
+
+protocol pipe {
+	peer table kernelcopy;
+	import none;
+	export all;
+}
+
+protocol pipe {
+	peer table peering;
+	import all;
+	export none;
+}
+
+protocol pipe {
+  peer table mesh;
+  import where source != RTS_STATIC;
+  export where is_default() || is_self_net();
+}
+
+# static routes
+################
+
+protocol static unreachable_default {
+	preference 0;
+	route 0.0.0.0/0 reject;
+}
+
+# Mesh-internal BGP between all gateways
+#########################################
+
+template bgp bgp_ibgp {
+	table peering;
+	local as OWNAS;
+	direct;
+	import all;
+	export filter { bgp_community.add((OWNMAGIC, 1));
+	                if is_default() then reject;
+	                if source = RTS_BGP then accept;
+	                reject;
+	              };
+}
+
+# InterCity VPN peerings
+#########################
+
+template bgp bgp_icvpn {
+	table peering;
+	local as OWNAS;
+	import where (is_freifunk() || is_dn42() || is_chaosvpn()) && !is_self_net();
+	export where (is_freifunk() || is_dn42());
+};
+
+# ffrheinland ipv4
+###################
+
+template bgp bgp_ffrhein {
+	table peering;
+	local as 201173;
+	import all;
+	export where net ~ [185.66.193.32/29+];
+	next hop self;
+}
+
+# DN42 peerings
+################
+
+template bgp bgp_dn42 {
+	table peering;
+	local as OWNAS;
+	import where is_dn42() || is_chaosvpn();
+	export where !is_default();
+};
+
+# Include local configuration
+# '?' instead of 'f' avoids failures when these
+# files do not exist
+################################################
+
+include "bird_local.con?";
+include "bird_ibgp.con?";
+include "bird_icvpn.con?";
+include "bird_ffrhein.con?";

roles/debian_base/files/bird/base/bird6.conf

+table peering;
+table transit;
+table kernelcopy;
+table mesh;
+
+protocol device {
+  scan time 10;
+}
+
+# host configuration
+#####################
+
+include "bird6_host.conf";
+
+# constants
+############
+
+define OWNAS        = 201173;
+define OWNMAGIC     = 42;
+define KERNEL_TABLE = ipt_freifunk;
+
+# ROA table
+############
+
+roa table roa_icvpn {
+  include "roa.ip6";
+}
+
+# filter helpers
+#################
+
+function is_default()     { return net ~ [ ::/0                ]; }
+function is_global()      { return net ~ [ 2000::/3+           ]; }
+function is_ula()         { return net ~ [ fc00::/7{48,64}     ]; }
+function is_freifunk()    { return net ~ [ 2001:bf7::/32+      ]; }
+function is_self_public() { return net ~ [ 2001:67c:2d50::/48+ ]; }
+function is_self_net()    { return net ~ [ fdef:ffc0:3dd7::/48+
+                                         , 2001:67c:2d50::/48+
+                                         ]; }
+function is_self_mesh()   { return net ~ [ fdef:ffc0:3dd7::/64+
+                                         , 2001:67c:2d50::/64+
+                                         ]; }
+
+function is_self_mgmt()   { return net ~ [ 2001:67c:2d50:1::a82:7fe0/123+ ]; }
+
+# filters
+##########
+
+filter bgp_import_filter {
+  if is_self_net() then reject;
+  if is_ula() then accept;
+  if roa_check(roa_icvpn) = ROA_VALID then {
+    accept;
+  } else {
+    print "ROA check failed for ", net, " ASN ", bgp_path.last;
+  }
+  reject;
+}
+
+# static routes
+################
+
+protocol static local_freifunk {
+  table peering;
+  route fdef:ffc0:3dd7::/48 reject;
+  route 2001:67c:2d50::/48 reject;
+}
+
+protocol static local_freifunk_transit {
+  table transit;
+  route 2001:67c:2d50::/48 reject;
+}
+
+protocol static local_mesh {
+  route fdef:ffc0:3dd7::/64 via "freifunk-hl";
+  route 2001:67c:2d50::/64 via "freifunk-hl";
+}
+
+protocol static mesh_ula {
+  table mesh;
+  route fc00::/7 reject;
+}
+
+# 464XLAT
+##########
+
+protocol static static_464xlat {
+  route 2001:67c:2d50:1::/96 via "nat64";
+}
+
+# Mesh-internal routing
+########################
+
+protocol rip rip_mesh {
+  table mesh;
+  interface "freifunk-hl";
+  preference 10;
+  import where is_self_net() && !is_self_mgmt();
+  export where is_self_net() || is_default() || (!((OWNMAGIC, 1) ~ bgp_community) && is_ula()) || source = RTS_STATIC;
+}
+
+# OSPF between gateways
+########################
+
+protocol ospf ospf_mesh {
+	preference 90;
+	export where !((OWNMAGIC, 1) ~ bgp_community) && proto != "rip_mesh" && proto != "unreachable_default";
+	import all;
+	area 0 {
+		interface "freifunk-hl" {
+# OSPFv3 authentication not yet supported by bird
+#			authentication cryptographic;
+#			include "password.conf";
+			type nonbroadcast;
+			neighbors {
+				2001:67c:2d50::801 eligible; # huextertor
+				2001:67c:2d50::a01 eligible; # muehlentor
+				2001:67c:2d50::c01 eligible; # holstentor
+				2001:67c:2d50::e01 eligible; # burgtor
+			};
+		};
+	};
+};
+
+# Kernel routing tables
+########################
+
+protocol kernel {
+  scan time 20;
+  device routes;
+  import none;
+  export filter {
+    if is_ula()      then { krt_prefsrc = ULA_IP;    accept; }
+    if is_self_net() then { krt_prefsrc = PUBLIC_IP; accept; }
+    reject;
+  };
+}
+
+protocol kernel {
+  table kernelcopy;
+  kernel table KERNEL_TABLE;
+  scan time 20;
+  device routes;
+  import none;
+  export all;
+}
+
+# plumbing
+###########
+
+protocol pipe {
+  peer table kernelcopy;
+  import none;
+  export all;
+}
+
+protocol pipe {
+  peer table peering;
+  import all;
+  export none;
+}
+
+protocol pipe {
+  peer table transit;
+  import all;
+  export none;
+}
+
+protocol pipe {
+  peer table mesh;
+  import where source != RTS_STATIC;
+  export where is_default() || is_self_net();
+}
+
+# static routes
+################
+
+protocol static unreachable_default {
+  preference 0;
+  route ::/0 reject;
+}
+
+# Mesh-internal BGP between all gateways
+#########################################
+
+template bgp bgp_ibgp {
+  table peering;
+  local as OWNAS;
+  direct;
+  import all;
+  export filter { bgp_community.add((OWNMAGIC, 1));
+                  if source = RTS_BGP then accept;
+                  reject;
+                };
+}
+
+# InterCity VPN peerings
+#########################
+
+template bgp bgp_icvpn {
+  table peering;
+  local as OWNAS;
+  import keep filtered;
+  import filter bgp_import_filter;
+  export all;
+}
+
+# public IPv6
+##############
+
+template bgp bgp_public {
+  table transit;
+  local as OWNAS;
+  import where !is_self_net() && is_global();
+  export where is_self_public();
+  next hop self;
+}
+
+# DN42 peerings
+################
+
+template bgp bgp_dn42 {
+  table peering;
+  local as OWNAS;
+  import filter bgp_import_filter;
+  export all;
+}
+
+# anycast DNS
+##############
+
+protocol static anycast_dns {
+  route 2001:67c:2d50:1::10.130.127.224/128 via "anycast-dns";
+}
+
+# Include local configuration
+# '?' instead of 'f' avoids failures when these
+# files do not exist
+################################################
+
+include "bird6_local.con?";
+include "bird6_ibgp.con?";
+include "bird6_icvpn.con?";

roles/debian_base/files/bird/base/bird6_ibgp.conf

+protocol bgp bgp_ibgp_huextertor from bgp_ibgp {
+  neighbor 2001:67c:2d50::801 as OWNAS;
+}
+
+protocol bgp bgp_ibgp_muehlentor from bgp_ibgp {
+  neighbor 2001:67c:2d50::a01 as OWNAS;
+}
+
+protocol bgp bgp_ibgp_holstentor from bgp_ibgp {
+  neighbor 2001:67c:2d50::c01 as OWNAS;
+}
+
+protocol bgp bgp_ibgp_burgtor from bgp_ibgp {
+  neighbor 2001:67c:2d50::e01 as OWNAS;
+}

roles/debian_base/files/bird/base/bird_ibgp.conf

+protocol bgp bgp_ibgp_huextertor from bgp_ibgp {
+	neighbor 10.130.0.252 as OWNAS;
+}
+
+protocol bgp bgp_ibgp_holstentor from bgp_ibgp {
+	neighbor 10.130.0.253 as OWNAS;
+}
+
+protocol bgp bgp_ibgp_muehlentor from bgp_ibgp {
+	neighbor 10.130.0.254 as OWNAS;
+}
+
+protocol bgp bgp_ibgp_burgtor from bgp_ibgp {
+	neighbor 10.130.0.255 as OWNAS;
+}

roles/debian_base/files/bird/burgtor/bird6_local.conf

+# public BGP
+#############
+
+protocol bgp ffrhein_fra3 from bgp_public {
+	neighbor 2a03:2260:0:36::1 as 201701;
+}
+
+protocol bgp ffrhein_dus from bgp_public {
+	neighbor 2a03:2260:0:37::1 as 201701;
+}
+
+protocol bgp he from bgp_public {
+	neighbor 2001:470:12:8::1 as 6939;
+}
+
+# dn42
+#######
+
+protocol bgp bgp_dn42_chaos from bgp_dn42 {
+	source address fe80::ac16:fd8c;
+	neighbor fe80::ac16:fd8b%dn42_chaos as 64784;
+}
+
+protocol bgp bgp_dn42_mneme from bgp_dn42 {
+	neighbor 2a01:4f8:200:71e3:5054:ff:feff:cbce as 76112;
+}
+
+protocol bgp bgp_dn42_nbsp_router from bgp_dn42 {
+	source address 2001:67c:2d50::e01;
+	neighbor 2001:67c:2d50::2b as 76129;
+}

roles/debian_base/files/bird/burgtor/bird_local.conf

+# public BGP
+#############
+
+protocol bgp ffrhein_fra3 from bgp_ffrhein {
+	source address 100.64.0.95;
+	neighbor 100.64.0.94 as 201701;
+}
+
+protocol bgp ffrhein_dus from bgp_ffrhein {
+	source address 100.64.0.93;
+	neighbor 100.64.0.92 as 201701;
+}
+
+# dn42
+#######
+
+protocol bgp bgp_dn42_chaos from bgp_dn42 {
+	neighbor 172.22.253.139 as 64784;
+};
+
+protocol bgp bgp_dn42_mneme from bgp_dn42 {
+	neighbor 172.23.190.65 as 76112;
+};
+
+protocol bgp bgp_nbsp_router from bgp_dn42 {
+	neighbor 10.130.0.43 as 76129;
+};

roles/debian_base/files/bird/holstentor/bird6_local.conf

+# public BGP
+#############
+
+protocol bgp ffrhein_ber from bgp_public {
+        neighbor 2a03:2260:0:59::1 as 201701;
+}
+
+protocol bgp ffrhein_fra3 from bgp_public {
+        neighbor 2a03:2260:0:60::1 as 201701;
+}
+
+protocol bgp he from bgp_public {
+        neighbor 2001:470:12:35::1 as 6939;
+}
+
+# dn42
+#######
+
+protocol bgp bgp_dn42_chaos from bgp_dn42 {
+	source address fe80::ac16:fd92;
+	neighbor fe80::ac16:fd91%dn42_chaos as 64784;
+}
+
+protocol bgp bgp_nbsp_router from bgp_dn42 {
+  source address 2001:67c:2d50::c01;
+  neighbor 2001:67c:2d50::2b as 76129;
+}

roles/debian_base/files/bird/holstentor/bird_local.conf

+# public BGP
+#############
+
+protocol bgp ffrhein_ber from bgp_ffrhein {
+        source address 100.64.0.165;
+        neighbor 100.64.0.164 as 201701;
+}
+
+protocol bgp ffrhein_fra3 from bgp_ffrhein {
+        source address 100.64.0.167;
+        neighbor 100.64.0.166 as 201701;
+}
+
+# dn42
+#######
+
+protocol bgp bgp_dn42_chaos from bgp_dn42 {
+        neighbor 172.22.253.145 as 64784;
+}
+
+protocol bgp bgp_dn42_nbsp_router from bgp_dn42 {
+        neighbor 10.130.0.43 as 76129;
+}

roles/debian_base/files/bird/huextertor/bird6_local.conf

+# public BGP
+#############
+
+protocol bgp ffhh_wende0 from bgp_public {
+        neighbor 2a03:2267:ffff:b01::1 as 49009;
+}

roles/debian_base/files/bird/huextertor/bird_local.conf

+# default routes
+#################

roles/debian_base/files/bird/muehlentor/bird6_local.conf

+# public BGP
+#############
+
+#protocol bgp he from bgp_public {
+#	neighbor 2001:470:12:11e::1 as 6939;
+#}

roles/debian_base/files/bird/muehlentor/bird_local.conf

+# default routes
+#################
+
+protocol static default_route {
+	route 0.0.0.0/0 via 100.64.112.126;
+}

roles/debian_base/files/etc/bird.conf

+include "bird/bird.conf";

roles/debian_base/files/etc/bird6.conf

+include "bird/bird6.conf";

roles/debian_base/files/etc/fastd/ffhl-gw-vpn/fastd.conf

+log to syslog level debug;
+user "fastd";
+interface "ffhl-gw-vpn";
+method "salsa2012+umac";
+bind any:10001;
+include "secret.conf";
+mtu 1280;
+status socket "/run/fastd/gw-vpn.sock";
+
+include peers from "gateways";
+
+on up "
+        ip link set address $(cat mac) dev $INTERFACE
+        ip link set up $INTERFACE
+";

roles/debian_base/files/etc/fastd/ffhl-gw-vpn/gateways/burgtor

+key "5a15ffbef06ba2f887a17a60bf1feeae56fa6a9a94f3ea7f84390291406b0b4e";
+remote "burgtor.mesh.ffhl.chaotikum.org" port 10001;
+float yes;

roles/debian_base/files/etc/fastd/ffhl-gw-vpn/gateways/holstentor

+key "07197da0ff4a294f4356b50c567f957334728d8a1a31b2855ddd1f6f4d2fed07";
+remote "holstentor.mesh.ffhl.chaotikum.org" port 10001;
+float yes;

roles/debian_base/files/etc/fastd/ffhl-gw-vpn/gateways/huextertor

+key "eb2ef5487527ec1643448943dd9427d9965870bc1a5db37f8edc8aea84005f9f";
+remote "huextertor.mesh.ffhl.chaotikum.org" port 10001;
+float yes;