From f62ba86aca4047ef690d6d50c18d8905223fd518 Mon Sep 17 00:00:00 2001
From: Paul Maruhn <paul@tapas.lan>
Date: Fri, 3 Apr 2020 19:54:27 +0200
Subject: [PATCH] update debian_base role

---
 debian_setup.yml                              |   5 +
 group_vars/all.yml                            |   1 +
 host_vars/huextertor.yml                      |   9 +-
 host_vars/kaisertor.yml                       |  17 +-
 hosts_new                                     |   3 +-
 revert_and_setup.sh                           |  19 +-
 .../files/etc/bind/named.conf.options         |   6 +
 roles/debian_base/files/etc/bind/named_.conf  |  19 --
 roles/debian_base/files/etc/bird/bird.conf    |  43 ++--
 .../debian_base/files/etc/bird/bird.conf.bk2  | 206 ++++++++++++++++++
 roles/debian_base/files/etc/bird/bird6.conf   | 180 ++++++++-------
 .../fastd/ffhl_mesh_gwvpn/gateways/huextertor |   3 +
 .../fastd/ffhl_mesh_gwvpn/gateways/kaisertor  |   3 +
 .../files/etc/fastd/ffhl_mesh_vpn/fastd.conf  |   2 +-
 .../iptables/{ip6tables.rules => rules.v6}    |   0
 .../systemd/network/10-ffhl-mesh-vpn.network  |  10 +
 .../etc/systemd/network/22-ffhl-bat0.network  |   4 +-
 .../network/22-ffhl-mesh-gwvpn.network        |  10 +
 .../etc/systemd/network/26-ffhl-mesh.network  |   5 -
 .../files/etc/systemd/system/batman.service   |  23 ++
 .../files/etc/systemd/system/batman@.service  |  17 --
 .../override.conf}                            |   0
 .../{override.conf => override.conf_}         |   0
 .../{override.conf => override.conf_}         |   0
 .../system/fastd@.service.d/override.conf     |   5 +-
 .../files/host/muehlentor/etc/.keep           |   0
 .../files/post-merge/ffhl-mesh-vpn            |   3 +-
 roles/debian_base/tasks/bird.yml              |  11 +-
 roles/debian_base/tasks/fastd.yml             |   3 +-
 roles/debian_base/tasks/main.yml              |  24 +-
 roles/debian_base/tasks/software.yml          |  17 +-
 roles/debian_base/tasks/units.yml             |  12 +-
 .../templates/{ => bird}/bird6_host.conf.j2   |   0
 .../templates/bird/bird_host.conf.j2          |   3 +
 roles/debian_base/templates/bird_host.conf.j2 |   3 -
 roles/debian_base/templates/dhcpd.conf.j2     |   2 +-
 .../templates/fastd/ffhl_mesh_gwvpn/fastd-up  |   6 +-
 .../fastd/ffhl_mesh_gwvpn/gateways/holstentor |   3 -
 .../fastd/ffhl_mesh_gwvpn/gateways/muehlentor |   3 -
 .../templates/fastd/ffhl_mesh_vpn/fastd-up    |   2 +-
 .../iptables/rules.v4}                        |   3 +-
 .../templates/network/10-internet.link.j2     |   5 -
 .../templates/network/12-ffhl.network.j2      |   1 +
 .../systemd/system/update-icvpn-meta.service  |   2 +-
 roles/icvpn/files/post-merge/icvpn-meta       |   8 +-
 roles/icvpn/tasks/icvpn-meta.yml              |  11 +-
 roles/icvpn/tasks/main.yml                    |  15 +-
 roles/icvpn/tasks/units.yml                   |   7 +-
 roles/icvpn/templates/40-icvpn.network.j2     |   3 +
 roles/icvpn/templates/tinc.conf.j2            |   1 +
 todo.md                                       |  17 +-
 51 files changed, 525 insertions(+), 230 deletions(-)
 delete mode 100644 roles/debian_base/files/etc/bind/named_.conf
 create mode 100644 roles/debian_base/files/etc/bird/bird.conf.bk2
 create mode 100644 roles/debian_base/files/etc/fastd/ffhl_mesh_gwvpn/gateways/huextertor
 create mode 100644 roles/debian_base/files/etc/fastd/ffhl_mesh_gwvpn/gateways/kaisertor
 rename roles/debian_base/files/etc/iptables/{ip6tables.rules => rules.v6} (100%)
 create mode 100644 roles/debian_base/files/etc/systemd/network/10-ffhl-mesh-vpn.network
 create mode 100644 roles/debian_base/files/etc/systemd/network/22-ffhl-mesh-gwvpn.network
 delete mode 100644 roles/debian_base/files/etc/systemd/network/26-ffhl-mesh.network
 create mode 100644 roles/debian_base/files/etc/systemd/system/batman.service
 delete mode 100644 roles/debian_base/files/etc/systemd/system/batman@.service
 rename roles/debian_base/files/etc/systemd/system/{isc-dhcp-server.service.d/override.service => bind9.service.d/override.conf} (100%)
 rename roles/debian_base/files/etc/systemd/system/bird.service.d/{override.conf => override.conf_} (100%)
 rename roles/debian_base/files/etc/systemd/system/bird6.service.d/{override.conf => override.conf_} (100%)
 delete mode 100644 roles/debian_base/files/host/muehlentor/etc/.keep
 rename roles/debian_base/templates/{ => bird}/bird6_host.conf.j2 (100%)
 create mode 100644 roles/debian_base/templates/bird/bird_host.conf.j2
 delete mode 100644 roles/debian_base/templates/bird_host.conf.j2
 delete mode 100644 roles/debian_base/templates/fastd/ffhl_mesh_gwvpn/gateways/holstentor
 delete mode 100644 roles/debian_base/templates/fastd/ffhl_mesh_gwvpn/gateways/muehlentor
 rename roles/debian_base/{files/host/muehlentor/etc/iptables/iptables.rules => templates/iptables/rules.v4} (73%)
 delete mode 100644 roles/debian_base/templates/network/10-internet.link.j2

diff --git a/debian_setup.yml b/debian_setup.yml
index 9dca13d..be8f49e 100644
--- a/debian_setup.yml
+++ b/debian_setup.yml
@@ -3,3 +3,8 @@
   become: yes
   roles:
     - debian_base
+
+- hosts: kaisertor
+  become: yes
+  roles:
+    - icvpn
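Review bot: The new play `- hosts: kaisertor` writes `become: yes`; yamllint's truthy rule and YAML 1.2 parsers expect the canonical boolean, so `become: true`. The first play in the file uses the same spelling, so a follow-up could normalise both, but the added line is the one to fix here.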
diff --git a/group_vars/all.yml b/group_vars/all.yml
index ffbd175..a86d0f6 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -3,3 +3,4 @@ radvd_prefixes:
   - 2001:67c:2d50::/64
 dhcpd_subnet: 10.130.0.0
 dhcpd_netmask: 255.255.0.0
+ff_subnet: 10.130.0.0/16
diff --git a/host_vars/huextertor.yml b/host_vars/huextertor.yml
index d56342f..3066275 100644
--- a/host_vars/huextertor.yml
+++ b/host_vars/huextertor.yml
@@ -1,9 +1,10 @@
 ip4: 10.130.0.252
-ip6: 2001:67c:2d50::bb
-ip6_ula: fdef:ffc0:3dd7::bb
+ip6: 2001:67c:2d50::bbaa
+ip6_ula: fdef:ffc0:3dd7::bbaa
+freifunk_mac: de:ad:ca:fe:bb:aa
 fastd_mesh_mac: de:ad:ca:fe:bb:bb
 fastd_gw_mac: de:ad:ca:fe:bb:cc
-freifunk_mac: de:ad:ca:fe:bb:aa
 dhcpd_start: 10.130.24.1
 dhcpd_end: 10.130.31.254
-internet_iface_mac: 52:54:00:57:84:a3
+# edit this before deploying on final servers!!!
+exit_iface: enp1s0
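Review bot: `exit_iface: enp1s0` is the lab NIC name guarded only by the `# edit this before deploying on final servers!!!` comment, and host_vars/kaisertor.yml (L143 of this patch) carries the same value under a different, non-warning comment. If this variable feeds the NAT rules (the rules.v4 template in the diffstat — inferred, not visible here), a wrong name on a production gateway means firewall rules referencing an interface that does not exist. A cheap guard is an `assert` task in the role checking `exit_iface in ansible_interfaces` before the iptables template runs; at minimum give both host files the same comment, e.g. `# out-interface for NAT; verify the NIC name on the target host`.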
diff --git a/host_vars/kaisertor.yml b/host_vars/kaisertor.yml
index 0c54b77..a0a3685 100644
--- a/host_vars/kaisertor.yml
+++ b/host_vars/kaisertor.yml
@@ -1,9 +1,18 @@
+# MAC address: de:ad:ca:fe:<gateway>:<iface-type>
+
 ip4: 10.130.0.255
-ip6: 2001:67c:2d50::aa
-ip6_ula: fdef:ffc0:3dd7::aa
+ip6: 2001:67c:2d50::aaaa
+ip6_ula: fdef:ffc0:3dd7::aaaa
+freifunk_mac: de:ad:ca:fe:aa:aa
 fastd_mesh_mac: de:ad:ca:fe:aa:bb
 fastd_gw_mac: de:ad:ca:fe:aa:cc
-freifunk_mac: de:ad:ca:fe:aa:aa
 dhcpd_start: 10.130.16.1
 dhcpd_end: 10.130.23.254
-internet_iface_mac: 52:54:00:57:84:a3
+
+# the out-interface for NAT
+exit_iface: enp1s0
+
+# ICVPN variables
+icvpn_name: luebeck2
+icvpn_ip4: 10.207.0.131
+icvpn_ip6: fec0::a:cf:0:83
diff --git a/hosts_new b/hosts_new
index 03eaa0b..2756689 100644
--- a/hosts_new
+++ b/hosts_new
@@ -1,5 +1,6 @@
 [gateways]
-kaisertor ansible_ssh_host=10.8.1.50 ansible_ssh_user=root
+kaisertor ansible_ssh_host=192.168.100.2 ansible_ssh_user=root
+huextertor ansible_ssh_host=192.168.100.3 ansible_ssh_user=root
 
 [gateways:vars]
 ansible_python_interpreter=/usr/bin/env python2
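Review bot: The new inventory lines use `ansible_ssh_host`/`ansible_ssh_user`, which have been deprecated aliases since Ansible 2.0; the current names are `ansible_host=192.168.100.2 ansible_user=root`. Both hosts also log in directly as root although debian_setup.yml already runs with `become: yes`, so an unprivileged deploy user with sudo would let root SSH login stay disabled on the gateways; that is a hardening choice for the team rather than a blocker for a lab inventory.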
diff --git a/revert_and_setup.sh b/revert_and_setup.sh
index d7a7e2a..17c1e1a 100755
--- a/revert_and_setup.sh
+++ b/revert_and_setup.sh
@@ -2,16 +2,19 @@
 
 set -e
 
-# virsh snapshot-revert --domain ffhl-test-gateway --current
-virsh snapshot-revert --domain ffhl-gw01 --current
-echo "restarting timesyncd and ntp"
-ssh -q root@10.8.1.50 systemctl restart systemd-timesyncd
-# ssh -q root@10.8.1.50 systemctl restart ntp
+for vm in ffhl-gw01 ffhl-gw02; do
+	echo "reverting $vm"
+
+	virsh snapshot-revert --current --domain $vm
+	ssh -q $vm systemctl restart systemd-timesyncd
+done
+
+
 echo "waiting..."
-sleep 7
+sleep 5
 
 echo "removing artifacts"
 rm -rf artifacts
 
-echo "run the playbook"
-ansible-playbook -vvvv -i hosts_new debian_setup.yml
+echo "run the setup"
+ansible-playbook -vvv -i hosts_new debian_setup.yml
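Review bot: `$vm` is expanded unquoted in `virsh snapshot-revert --current --domain $vm` and `ssh -q $vm ...`; the two names in the loop are safe, but `"$vm"` is the idiom and keeps the loop correct when a name with unusual characters is added. The ssh destination is now the libvirt domain name rather than `root@<ip>`, so the script depends on an ssh_config `Host` alias or DNS entry for `ffhl-gw01`/`ffhl-gw02` that the repository does not show; a one-line comment above the loop naming that dependency would save the next person a failed run. With `set -e`, one unreachable VM aborts the whole revert, which is presumably intended.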
diff --git a/roles/debian_base/files/etc/bind/named.conf.options b/roles/debian_base/files/etc/bind/named.conf.options
index 0587a30..ecc2e40 100644
--- a/roles/debian_base/files/etc/bind/named.conf.options
+++ b/roles/debian_base/files/etc/bind/named.conf.options
@@ -19,4 +19,10 @@ options {
 	hostname none;
 	server-id none;
 	empty-zones-enable yes;
+	zone-statistics yes;
+};
+
+
+statistics-channels {
+  inet 127.0.0.1 port 8053 allow { 127.0.0.1; };
 };
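Review bot: The new `statistics-channels` block indents `inet` with two spaces while the rest of the file, including the added `zone-statistics yes;`, uses tabs; match the file with a tab. Binding the channel to `127.0.0.1 port 8053` with `allow { 127.0.0.1; }` is the right scope for an unauthenticated HTTP stats endpoint; a comment naming the local consumer (a metrics exporter, presumably — not visible in the patch) would record why the channel is enabled, e.g. `# local-only stats endpoint, read by <consumer>`. The two blank lines before the block can be one.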
diff --git a/roles/debian_base/files/etc/bind/named_.conf b/roles/debian_base/files/etc/bind/named_.conf
deleted file mode 100644
index 61ccbc2..0000000
--- a/roles/debian_base/files/etc/bind/named_.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-zone "0.0.127.in-addr.arpa" IN {
-	type master;
-	file "127.0.0.zone";
-};
-
-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
-	type master;
-	file "localhost.ip6.zone";
-};
-
-zone "255.in-addr.arpa" IN {
-	type master;
-	file "empty.zone";
-};
-
-zone "0.in-addr.arpa" IN {
-	type master;
-	file "empty.zone";
-};
diff --git a/roles/debian_base/files/etc/bird/bird.conf b/roles/debian_base/files/etc/bird/bird.conf
index 78507ac..9d743fb 100644
--- a/roles/debian_base/files/etc/bird/bird.conf
+++ b/roles/debian_base/files/etc/bird/bird.conf
@@ -21,14 +21,14 @@ define KERNEL_TABLE = ipt_freifunk;
 # filter helpers
 #################
 
-function is_default()        { return net ~ [ 0.0.0.0/0          ]; }
-function is_freifunk()       { return net ~ [ 10.0.0.0/8+        ]; }
-function is_dn42()           { return net ~ [ 172.22.0.0/15+, 172.20.0.0/16+ ]; }
-function is_chaosvpn()       { return net ~ [ 172.31.0.0/16+     ]; }
-function is_self_net()       { return net ~ [ 10.130.0.0/16+     ]; }
-function is_self_mesh()      { return net ~ [ 10.130.0.0/20+     ]; }
-function is_self_private()   { return net ~ [ 10.130.64.0/18+    ]; }
-function is_self_mgmt()      { return net ~ [ 10.130.127.224/27+ ]; }
+function is_default()       { return net ~ [ 0.0.0.0/0          ]; }
+function is_freifunk()      { return net ~ [ 10.0.0.0/8+        ]; }
+function is_dn42()          { return net ~ [ 172.22.0.0/15+, 172.20.0.0/16+ ]; }
+function is_chaosvpn()      { return net ~ [ 172.31.0.0/16+     ]; }
+function is_self()          { return net ~ [ 10.130.0.0/16+     ]; }
+function is_self_mesh()     { return net ~ [ 10.130.0.0/18+     ]; }
+function is_self_private()  { return net ~ [ 10.130.64.0/18+    ]; }
+function is_self_mgmt()     { return net ~ [ 10.130.127.224/27+ ]; }
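Review bot: Besides the `is_self_net`→`is_self` rename, `is_self_mesh()` silently widens from `10.130.0.0/20+` to `10.130.0.0/18+`, which changes what `rip_mesh` excludes via `!is_self_mesh()` and what the mesh pipe exports; the commit message does not mention it. A short comment above the helpers would pin the address plan the filters encode: `# 10.130.0.0/16 self; 10.130.0.0/18 client mesh; 10.130.64.0/18 private (RIP); 10.130.127.224/27 mgmt`. The same widening is repeated in the new bird.conf.bk2 copy.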
 
 # static routes
 ################
@@ -39,7 +39,7 @@ protocol static static_mesh {
 };
 
 protocol static local_mesh {
-	route 10.130.0.0/20 via "freifunk-hl";
+	route 10.130.0.0/16 via "ffhl";
 };
 
 protocol static mesh_dn42 {
@@ -57,8 +57,8 @@ protocol static mesh_freifunk {
 ########################
 
 protocol rip rip_mesh {
-  table mesh;
-	interface "freifunk-hl";
+	table mesh;
+	interface "ffhl";
 	import where is_self_private() && !is_self_mgmt();
 	export where !((OWNMAGIC, 1) ~ bgp_community) && !is_self_mesh();
 };
@@ -71,7 +71,7 @@ protocol ospf ospf_mesh {
 	export where !((OWNMAGIC, 1) ~ bgp_community) && proto != "rip_mesh";
 	import all;
 	area 0 {
-		interface "freifunk-hl" {
+		interface "ffhl" {
 			authentication cryptographic;
 			include "password.conf";
 			type nonbroadcast;
@@ -79,7 +79,7 @@ protocol ospf ospf_mesh {
 				10.130.0.252 eligible; # huextertor
 				10.130.0.253 eligible; # holstentor
 				10.130.0.254 eligible; # muehlentor
-				10.130.0.255 eligible; # burgtor
+				10.130.0.255 eligible; # kaisertor
 			};
 		};
 	};
@@ -131,7 +131,7 @@ protocol pipe {
 protocol pipe {
   peer table mesh;
   import where source != RTS_STATIC;
-  export where is_default() || is_self_net();
+  export where is_default() || is_self();
 }
 
 # static routes
@@ -150,11 +150,12 @@ template bgp bgp_ibgp {
 	local as OWNAS;
 	direct;
 	import all;
-	export filter { bgp_community.add((OWNMAGIC, 1));
-	                if is_default() then reject;
-	                if source = RTS_BGP then accept;
-	                reject;
-	              };
+	export filter {
+		bgp_community.add((OWNMAGIC, 1));
+		if is_default() then reject;
+		if source = RTS_BGP then accept;
+		reject;
+	};
 }
 
 # InterCity VPN peerings
@@ -163,7 +164,7 @@ template bgp bgp_ibgp {
 template bgp bgp_icvpn {
 	table peering;
 	local as OWNAS;
-	import where (is_freifunk() || is_dn42() || is_chaosvpn()) && !is_self_net();
+	import where (is_freifunk() || is_dn42() || is_chaosvpn()) && !is_self();
 	export where (is_freifunk() || is_dn42());
 };
 
@@ -194,6 +195,6 @@ template bgp bgp_dn42 {
 ################################################
 
 include "bird_local.con?";
-include "bird_ibgp.con?";
+include "bird_ibgp.conf";
 include "bird_icvpn.con?";
 include "bird_ffrhein.con?";
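Review bot: Changing `include "bird_ibgp.con?"` to `include "bird_ibgp.conf"` makes the iBGP include mandatory — the comment block above this hunk explains that the `?` exists so a missing file does not fail the config — so bird now refuses to start on a host without bird_ibgp.conf. If fail-fast is the intent, say so next to the line, e.g. `# mandatory: every gateway must carry its iBGP peer list`; if not, keep the glob. bird6.conf still uses `bird6_ibgp.con?`, so the two daemons now behave differently on the same host.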
diff --git a/roles/debian_base/files/etc/bird/bird.conf.bk2 b/roles/debian_base/files/etc/bird/bird.conf.bk2
new file mode 100644
index 0000000..0f19ab0
--- /dev/null
+++ b/roles/debian_base/files/etc/bird/bird.conf.bk2
@@ -0,0 +1,206 @@
+table peering;
+table kernelcopy;
+table mesh;
+
+protocol device {
+	scan time 10;
+}
+
+# host configuration
+#####################
+
+include "bird_host.conf";
+
+# constants
+############
+
+define OWNAS = 201173;
+define OWNMAGIC = 42;
+define KERNEL_TABLE = ipt_freifunk;
+
+# filter helpers
+#################
+
+function is_default()       { return net ~ [ 0.0.0.0/0          ]; }
+function is_freifunk()      { return net ~ [ 10.0.0.0/8+        ]; }
+function is_dn42()          { return net ~ [ 172.22.0.0/15+, 172.20.0.0/16+ ]; }
+function is_chaosvpn()      { return net ~ [ 172.31.0.0/16+     ]; }
+function is_self()          { return net ~ [ 10.130.0.0/16+     ]; }
+function is_self_mesh()     { return net ~ [ 10.130.0.0/18+     ]; }
+function is_self_private()  { return net ~ [ 10.130.64.0/18+    ]; }
+function is_self_mgmt()     { return net ~ [ 10.130.127.224/27+ ]; }
+
+# static routes
+################
+
+protocol static static_mesh {
+	table peering;
+	route 10.130.0.0/16 reject;
+};
+
+protocol static local_mesh {
+	route 10.130.0.0/16 via "ffhl";
+};
+
+protocol static mesh_dn42 {
+	table mesh;
+	route 172.20.0.0/16 reject;
+	route 172.22.0.0/15 reject;
+};
+
+protocol static mesh_freifunk {
+  	table mesh;
+  	route 10.0.0.0/8 reject;
+};
+
+# Mesh-internal routing
+########################
+
+protocol rip rip_mesh {
+	table mesh;
+	interface "ffhl";
+	import where is_self_private() && !is_self_mgmt();
+	export where !((OWNMAGIC, 1) ~ bgp_community) && !is_self_mesh();
+};
+
+# OSPF between gateways
+########################
+
+protocol ospf ospf_mesh {
+	preference 90;
+	# export where !((OWNMAGIC, 1) ~ bgp_community) && proto != "rip_mesh";
+	export all;
+	import all;
+	area 0 {
+		interface "ffhl" {
+			authentication cryptographic;
+			include "password.conf";
+			type nonbroadcast;
+			neighbors {
+				10.130.0.252 eligible; # huextertor
+				10.130.0.253 eligible; # holstentor
+				10.130.0.254 eligible; # muehlentor
+				10.130.0.255 eligible; # kaisertor
+			};
+		};
+	};
+};
+
+# Kernel routing tables
+########################
+
+protocol static test {
+	route 10.80.0.0/16 via "enp1s0";
+};
+
+
+protocol kernel {
+	scan time 20;
+	device routes;
+	import all;
+	export all;
+	# export filter {
+	# 	if is_dn42()     then { krt_prefsrc = OWNIP; accept ; }
+	# 	if is_freifunk() then { krt_prefsrc = OWNIP; accept ; }
+	# 	reject;
+	# };
+};
+
+protocol kernel {
+	table kernelcopy;
+	kernel table KERNEL_TABLE;
+	scan time 20;
+	device routes;
+	import none;
+	export filter {
+		if is_default()  then accept;
+		if is_dn42()     then { krt_prefsrc = OWNIP; accept ; }
+		if is_freifunk() then { krt_prefsrc = OWNIP; accept ; }
+		reject;
+	};
+}
+
+# plumbing
+###########
+
+protocol pipe {
+	peer table kernelcopy;
+	import none;
+	export all;
+}
+
+protocol pipe {
+	peer table peering;
+	import all;
+	export none;
+}
+
+protocol pipe {
+  peer table mesh;
+  import where source != RTS_STATIC;
+  export where is_default() || is_self();
+}
+
+# static routes
+################
+
+protocol static unreachable_default {
+	preference 0;
+	route 0.0.0.0/0 reject;
+}
+
+# Mesh-internal BGP between all gateways
+#########################################
+
+template bgp bgp_ibgp {
+	table peering;
+	local as OWNAS;
+	direct;
+	import all;
+	export filter { bgp_community.add((OWNMAGIC, 1));
+	                if is_default() then reject;
+	                if source = RTS_BGP then accept;
+	                reject;
+	              };
+}
+
+# InterCity VPN peerings
+#########################
+
+template bgp bgp_icvpn {
+	table peering;
+	local as OWNAS;
+	import where (is_freifunk() || is_dn42() || is_chaosvpn()) && !is_self();
+	export where (is_freifunk() || is_dn42());
+};
+
+# ffrheinland ipv4
+###################
+
+template bgp bgp_ffrhein {
+	table peering;
+	local as 201173;
+	import all;
+	export where net ~ [185.66.193.32/29+];
+	next hop self;
+}
+
+# DN42 peerings
+################
+
+template bgp bgp_dn42 {
+	table peering;
+	local as OWNAS;
+	import where is_dn42() || is_chaosvpn();
+	export where !is_default();
+};
+
+# Include local configuration
+# '?' instead of 'f' avoids failures when these
+# files do not exist
+################################################
+
+include "bird_local.con?";
+# include "bird_ibgp.conf";
+include "bird_icvpn.con?";
+include "bird_ffrhein.con?";
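Review bot: `bird.conf.bk2` is a backup copy of the live config committed into the role's `files/etc` tree, and main.yml's `copy: src=etc/ dest=/etc` ships everything under it, so this file lands in /etc/bird on every gateway. bird only reads files named in `include` directives, so it is inert there, but it carries stale experiments (`protocol static test { route 10.80.0.0/16 via "enp1s0"; }`, a kernel protocol with `export all` instead of the filter, the old `export filter` layout) that will mislead whoever debugs routing on the host. Git history already preserves the previous version; drop the file from the role.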
diff --git a/roles/debian_base/files/etc/bird/bird6.conf b/roles/debian_base/files/etc/bird/bird6.conf
index c69b499..7d1b6b1 100644
--- a/roles/debian_base/files/etc/bird/bird6.conf
+++ b/roles/debian_base/files/etc/bird/bird6.conf
@@ -4,7 +4,7 @@ table kernelcopy;
 table mesh;
 
 protocol device {
-  scan time 10;
+	scan time 10;
 }
 
 # host configuration
@@ -21,10 +21,9 @@ define KERNEL_TABLE = ipt_freifunk;
 
 # ROA table
 ############
-
-# roa table roa_icvpn {
-#   include "roa.ip6";
-# }
+roa table roa_icvpn {
+  include "roa6.con?";
+}
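Review bot: The `roa table roa_icvpn { include "roa6.con?"; }` block is now enabled, but its only consumer, `roa_check(roa_icvpn)` in `bgp_import_filter` (hunk at L597–617 of this patch), is still commented out and the filter ends in an unconditional `accept`, so ICVPN/DN42 announcements are still not origin-validated. Either uncomment the check (keeping the `print` for the rejected case so failures are visible in the log) or note above the table why it is loaded without being enforced, e.g. `# loaded for inspection only; enforcement in bgp_import_filter still disabled`. The `.con?` glob means a missing roa6.conf leaves the table empty rather than failing, which is fine for a staged rollout.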
 
 
 # filter helpers
@@ -36,11 +35,11 @@ function is_ula()         { return net ~ [ fc00::/7{48,64}     ]; }
 function is_freifunk()    { return net ~ [ 2001:bf7::/32+      ]; }
 function is_self_public() { return net ~ [ 2001:67c:2d50::/48+ ]; }
 function is_self_net()    { return net ~ [ fdef:ffc0:3dd7::/48+
-                                         , 2001:67c:2d50::/48+
-                                         ]; }
+										 , 2001:67c:2d50::/48+
+										 ]; }
 function is_self_mesh()   { return net ~ [ fdef:ffc0:3dd7::/64+
-                                         , 2001:67c:2d50::/64+
-                                         ]; }
+										 , 2001:67c:2d50::/64+
+										 ]; }
 
 function is_self_mgmt()   { return net ~ [ 2001:67c:2d50:1::a82:7fe0/123+ ]; }
 
@@ -48,14 +47,14 @@ function is_self_mgmt()   { return net ~ [ 2001:67c:2d50:1::a82:7fe0/123+ ]; }
 ##########
 
 filter bgp_import_filter {
-  if is_self_net() then reject;
-  if is_ula() then accept;
-  # if roa_check(roa_icvpn) = ROA_VALID then {
-  #   accept;
-  # } else {
-  #   print "ROA check failed for ", net, " ASN ", bgp_path.last;
-  # }
-  accept;
+	if is_self_net() then reject;
+	if is_ula() then accept;
+	# if roa_check(roa_icvpn) = ROA_VALID then {
+	#   accept;
+	# } else {
+	#   print "ROA check failed for ", net, " ASN ", bgp_path.last;
+	# }
+	accept;
 }
 
 
@@ -63,42 +62,36 @@ filter bgp_import_filter {
 ################
 
 protocol static local_freifunk {
-  table peering;
-  route fdef:ffc0:3dd7::/48 reject;
-  route 2001:67c:2d50::/48 reject;
+	table peering;
+	route fdef:ffc0:3dd7::/48 reject;
+	route 2001:67c:2d50::/48 reject;
 }
 
 protocol static local_freifunk_transit {
-  table transit;
-  route 2001:67c:2d50::/48 reject;
+	table transit;
+	route 2001:67c:2d50::/48 reject;
 }
 
 protocol static local_mesh {
-  route fdef:ffc0:3dd7::/64 via "freifunk-hl";
-  route 2001:67c:2d50::/64 via "freifunk-hl";
+	route fdef:ffc0:3dd7::/64 via "ffhl";
+	route 2001:67c:2d50::/64 via "ffhl";
 }
 
 protocol static mesh_ula {
-  table mesh;
-  route fc00::/7 reject;
+	table mesh;
+	route fc00::/7 reject;
 }
 
-# 464XLAT
-##########
-
-protocol static static_464xlat {
-  route 2001:67c:2d50:1::/96 via "nat64";
-}
 
 # Mesh-internal routing
 ########################
 
 protocol rip rip_mesh {
-  table mesh;
-  interface "freifunk-hl";
-  preference 10;
-  import where is_self_net() && !is_self_mgmt();
-  export where is_self_net() || is_default() || (!((OWNMAGIC, 1) ~ bgp_community) && is_ula()) || source = RTS_STATIC;
+	table mesh;
+	interface "ffhl";
+	preference 10;
+	import where is_self_net() && !is_self_mgmt();
+	export where is_self_net() || is_default() || (!((OWNMAGIC, 1) ~ bgp_community) && is_ula()) || source = RTS_STATIC;
 }
 
 # OSPF between gateways
@@ -109,10 +102,10 @@ protocol ospf ospf_mesh {
 	export where !((OWNMAGIC, 1) ~ bgp_community) && proto != "rip_mesh" && proto != "unreachable_default";
 	import all;
 	area 0 {
-		interface "freifunk-hl" {
-# OSPFv3 authentication not yet supported by bird
-#			authentication cryptographic;
-#			include "password.conf";
+		interface "ffhl" {
+			# OSPFv3 authentication not yet supported by bird
+			# authentication cryptographic;
+			# include "password.conf";
 			type nonbroadcast;
 			neighbors {
 				2001:67c:2d50::801 eligible; # huextertor
@@ -128,111 +121,112 @@ protocol ospf ospf_mesh {
 ########################
 
 protocol kernel {
-  scan time 20;
-  device routes;
-  import none;
-  export filter {
-    if is_ula()      then { krt_prefsrc = ULA_IP;    accept; }
-    if is_self_net() then { krt_prefsrc = PUBLIC_IP; accept; }
-    reject;
-  };
+	scan time 20;
+	device routes;
+	import none;
+	export filter {
+		if is_ula() then { krt_prefsrc = ULA_IP;    accept; }
+		if is_self_net() then { krt_prefsrc = PUBLIC_IP; accept; }
+		reject;
+	};
 }
 
 protocol kernel {
-  table kernelcopy;
-  kernel table KERNEL_TABLE;
-  scan time 20;
-  device routes;
-  import none;
-  export all;
+	table kernelcopy;
+	kernel table KERNEL_TABLE;
+	scan time 20;
+	device routes;
+	import none;
+	export all;
 }
 
 # plumbing
 ###########
 
 protocol pipe {
-  peer table kernelcopy;
-  import none;
-  export all;
+	peer table kernelcopy;
+	import none;
+	export all;
 }
 
 protocol pipe {
-  peer table peering;
-  import all;
-  export none;
+	peer table peering;
+	import all;
+	export none;
 }
 
 protocol pipe {
-  peer table transit;
-  import all;
-  export none;
+	peer table transit;
+	import all;
+	export none;
 }
 
 protocol pipe {
-  peer table mesh;
-  import where source != RTS_STATIC;
-  export where is_default() || is_self_net();
+	peer table mesh;
+	import where source != RTS_STATIC;
+	export where is_default() || is_self_net();
 }
 
 # static routes
 ################
 
 protocol static unreachable_default {
-  preference 0;
-  route ::/0 reject;
+	preference 0;
+	route ::/0 reject;
 }
 
 # Mesh-internal BGP between all gateways
 #########################################
 
 template bgp bgp_ibgp {
-  table peering;
-  local as OWNAS;
-  direct;
-  import all;
-  export filter { bgp_community.add((OWNMAGIC, 1));
-                  if source = RTS_BGP then accept;
-                  reject;
-                };
+	table peering;
+	local as OWNAS;
+	direct;
+	import all;
+	export filter {
+		bgp_community.add((OWNMAGIC, 1));
+		if source = RTS_BGP then accept;
+		reject;
+	};
 }
 
 # InterCity VPN peerings
 #########################
 
 template bgp bgp_icvpn {
-  table peering;
-  local as OWNAS;
-  import keep filtered;
-  import filter bgp_import_filter;
-  export all;
+	table peering;
+	local as OWNAS;
+	import keep filtered;
+	import filter bgp_import_filter;
+	export all;
 }
 
 # public IPv6
 ##############
 
 template bgp bgp_public {
-  table transit;
-  local as OWNAS;
-  import where !is_self_net() && is_global();
-  export where is_self_public();
-  next hop self;
+	table transit;
+	local as OWNAS;
+	import where !is_self_net() && is_global();
+	export where is_self_public();
+	next hop self;
 }
 
 # DN42 peerings
 ################
 
 template bgp bgp_dn42 {
-  table peering;
-  local as OWNAS;
-  import filter bgp_import_filter;
-  export all;
+	table peering;
+	local as OWNAS;
+	import filter bgp_import_filter;
+	export all;
 }
 
 # anycast DNS
 ##############
 
 protocol static anycast_dns {
-  route 2001:67c:2d50:1::10.130.127.224/128 via "anycast-dns";
+	route 2001:67c:2d50:1::10.130.127.224/128 via "anycast-dns";
 }
 
 # Include local configuration
@@ -240,6 +234,8 @@ protocol static anycast_dns {
 # files do not exist
 ################################################
 
+
+
 include "bird6_local.con?";
 include "bird6_ibgp.con?";
 include "bird6_icvpn.con?";
diff --git a/roles/debian_base/files/etc/fastd/ffhl_mesh_gwvpn/gateways/huextertor b/roles/debian_base/files/etc/fastd/ffhl_mesh_gwvpn/gateways/huextertor
new file mode 100644
index 0000000..8f42216
--- /dev/null
+++ b/roles/debian_base/files/etc/fastd/ffhl_mesh_gwvpn/gateways/huextertor
@@ -0,0 +1,3 @@
+key "1bdc74ed0fc67931c7327fc21a3e83793ebce0f62eaf6c71e32f0e9669dd8997";
+remote 192.168.100.3 port 10001;
+float yes;
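Review bot: `remote 192.168.100.3 port 10001;` hard-codes the lab address from hosts_new into a static file under files/, and the kaisertor peer file (L882) does the same with 192.168.100.2; the per-gateway files this replaces lived under templates/ (the deleted holstentor/muehlentor entries in the diffstat), where the address could come from inventory. On the production hosts these remotes will be wrong until both files are edited by hand. A template fed from a per-host variable (the gateway's `ip4` or a dedicated gwvpn address var) keeps the peer list in step with host_vars. The `key` lines are fastd public keys and are fine to commit.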
diff --git a/roles/debian_base/files/etc/fastd/ffhl_mesh_gwvpn/gateways/kaisertor b/roles/debian_base/files/etc/fastd/ffhl_mesh_gwvpn/gateways/kaisertor
new file mode 100644
index 0000000..921f24a
--- /dev/null
+++ b/roles/debian_base/files/etc/fastd/ffhl_mesh_gwvpn/gateways/kaisertor
@@ -0,0 +1,3 @@
+key "17cfa7ece927a3c32ec5f3a8c923cc7cdfeb82d6d1cfc7ef39611d38b8e7cf8c";
+remote 192.168.100.2 port 10001;
+float yes;
diff --git a/roles/debian_base/files/etc/fastd/ffhl_mesh_vpn/fastd.conf b/roles/debian_base/files/etc/fastd/ffhl_mesh_vpn/fastd.conf
index 93b46e4..9bcca4d 100644
--- a/roles/debian_base/files/etc/fastd/ffhl_mesh_vpn/fastd.conf
+++ b/roles/debian_base/files/etc/fastd/ffhl_mesh_vpn/fastd.conf
@@ -8,7 +8,7 @@ include "secret.conf";
 mtu 1280;
 hide ip addresses yes;
 hide mac addresses yes;
-status socket "/run/fastd/fastd-ffhl_mesh_vpn.sock";
+status socket "/run/fastd/ffhl_mesh_vpn.sock";
 include peers from "peers";
 
 on up "./fastd-up";
diff --git a/roles/debian_base/files/etc/iptables/ip6tables.rules b/roles/debian_base/files/etc/iptables/rules.v6
similarity index 100%
rename from roles/debian_base/files/etc/iptables/ip6tables.rules
rename to roles/debian_base/files/etc/iptables/rules.v6
diff --git a/roles/debian_base/files/etc/systemd/network/10-ffhl-mesh-vpn.network b/roles/debian_base/files/etc/systemd/network/10-ffhl-mesh-vpn.network
new file mode 100644
index 0000000..5e37991
--- /dev/null
+++ b/roles/debian_base/files/etc/systemd/network/10-ffhl-mesh-vpn.network
@@ -0,0 +1,10 @@
+[Match]
+Name=ffhl_mesh_vpn
+
+[Network]
+LinkLocalAddressing=no
+IPv6AcceptRA=no
+DHCP=no
+
+[Link]
+ARP=no
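Review bot: This file and 22-ffhl-mesh-gwvpn.network (L934–944) are identical except for the `[Match] Name=` value; systemd-networkd's `Name=` accepts a space-separated list of globs, so one file with `Name=ffhl_mesh_vpn ffhl_mesh_gwvpn` replaces both and keeps the intent of the deleted `Name=ffhl_mesh_*` file. `DHCP=no` is already the default and can go. Disabling link-local addressing and RA on interfaces that only carry batman-adv frames is the right setting.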
diff --git a/roles/debian_base/files/etc/systemd/network/22-ffhl-bat0.network b/roles/debian_base/files/etc/systemd/network/22-ffhl-bat0.network
index 79f1f3e..673ca03 100644
--- a/roles/debian_base/files/etc/systemd/network/22-ffhl-bat0.network
+++ b/roles/debian_base/files/etc/systemd/network/22-ffhl-bat0.network
@@ -1,5 +1,7 @@
 [Match]
-Name=ffhl_bat0
+Name=bat0
 
 [Network]
+LinkLocalAddressing = no
+IPv6AcceptRA=no
 Bridge=ffhl
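Review bot: `LinkLocalAddressing = no` is written with spaces around `=` while the adjacent `IPv6AcceptRA=no` and `Bridge=ffhl` are not; systemd tolerates both, but keep one form: `LinkLocalAddressing=no`. The `Name=ffhl_bat0`→`bat0` rename matches the `-m bat0` used in the new batman.service.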
diff --git a/roles/debian_base/files/etc/systemd/network/22-ffhl-mesh-gwvpn.network b/roles/debian_base/files/etc/systemd/network/22-ffhl-mesh-gwvpn.network
new file mode 100644
index 0000000..51f16b9
--- /dev/null
+++ b/roles/debian_base/files/etc/systemd/network/22-ffhl-mesh-gwvpn.network
@@ -0,0 +1,10 @@
+[Match]
+Name=ffhl_mesh_gwvpn
+
+[Network]
+LinkLocalAddressing=no
+IPv6AcceptRA=no
+DHCP=no
+
+[Link]
+ARP=no
diff --git a/roles/debian_base/files/etc/systemd/network/26-ffhl-mesh.network b/roles/debian_base/files/etc/systemd/network/26-ffhl-mesh.network
deleted file mode 100644
index 1c1e3cb..0000000
--- a/roles/debian_base/files/etc/systemd/network/26-ffhl-mesh.network
+++ /dev/null
@@ -1,5 +0,0 @@
-[Match]
-Name=ffhl_mesh_*
-
-[Network]
-LinkLocalAddressing = no
diff --git a/roles/debian_base/files/etc/systemd/system/batman.service b/roles/debian_base/files/etc/systemd/system/batman.service
new file mode 100644
index 0000000..37e8888
--- /dev/null
+++ b/roles/debian_base/files/etc/systemd/system/batman.service
@@ -0,0 +1,23 @@
+# It looks like this unit is not needed.
+# batctl creates automatically a batman interface when an interface is added.
+# `batctl -m fobar123 if add eth0` would automatically create foobar123
+# Then only a proper .network and .link file for systemd-networkd is needed
+
+[Unit]
+Description=batman setup for freifunk
+Wants=network.target
+BindsTo=sys-subsystem-net-devices-ffhl_mesh_vpn.device sys-subsystem-net-devices-ffhl_mesh_gwvpn.device
+After=sys-subsystem-net-devices-bat0.device
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=batctl -m bat0 if add ffhl_mesh_gwvpn
+ExecStart=batctl -m bat0 if add ffhl_mesh_vpn
+ExecStart=batctl -m bat0 gw server 50000/25000
+ExecStart=batctl -m bat0 nc disable
+
+ExecStop=ip link delete bat0
+
+[Install]
+WantedBy=multi-user.target
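Review bot: The unit opens with `# It looks like this unit is not needed.`, yet the commit adds it to the role's files tree; shipping a unit whose own header says it is probably redundant leaves the next reader unsure whether to enable it. Decide before merging: either drop the file, or replace the header with what the unit does, e.g. `# creates bat0 from the two fastd mesh interfaces and enables batman gateway mode`. Smaller points: `fobar123` in the comment should read `foobar123`, and `After=sys-subsystem-net-devices-bat0.device` orders after a device this unit itself creates via `batctl -m bat0 if add`, so it is presumably a no-op — confirm.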
diff --git a/roles/debian_base/files/etc/systemd/system/batman@.service b/roles/debian_base/files/etc/systemd/system/batman@.service
deleted file mode 100644
index 85ab7f0..0000000
--- a/roles/debian_base/files/etc/systemd/system/batman@.service
+++ /dev/null
@@ -1,17 +0,0 @@
-[Unit]
-Description=batman setup for freifunk
-Wants=network.target
-# BindsTo=sys-subsystem-net-devices-%i_mesh_vpn.device sys-subsystem-net-devices-%i_mesh_gwvpn.device
-# After=sys-subsystem-net-devices-%i_mesh_vpn.device sys-subsystem-net-devices-%i_mesh_gwvpn.device
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=ip link add %i type batadv
-# ExecStart=batctl -m %i_bat0 if add %i_mesh_vpn
-# ExecStart=batctl -m %i_bat0 if add %i_mesh_gwvpn
-# ExecStart=batctl -m %i_bat0 gw server
-# ExecStart=-batctl -m %i_bat0 nc disable
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/debian_base/files/etc/systemd/system/isc-dhcp-server.service.d/override.service b/roles/debian_base/files/etc/systemd/system/bind9.service.d/override.conf
similarity index 100%
rename from roles/debian_base/files/etc/systemd/system/isc-dhcp-server.service.d/override.service
rename to roles/debian_base/files/etc/systemd/system/bind9.service.d/override.conf
diff --git a/roles/debian_base/files/etc/systemd/system/bird.service.d/override.conf b/roles/debian_base/files/etc/systemd/system/bird.service.d/override.conf_
similarity index 100%
rename from roles/debian_base/files/etc/systemd/system/bird.service.d/override.conf
rename to roles/debian_base/files/etc/systemd/system/bird.service.d/override.conf_
diff --git a/roles/debian_base/files/etc/systemd/system/bird6.service.d/override.conf b/roles/debian_base/files/etc/systemd/system/bird6.service.d/override.conf_
similarity index 100%
rename from roles/debian_base/files/etc/systemd/system/bird6.service.d/override.conf
rename to roles/debian_base/files/etc/systemd/system/bird6.service.d/override.conf_
diff --git a/roles/debian_base/files/etc/systemd/system/fastd@.service.d/override.conf b/roles/debian_base/files/etc/systemd/system/fastd@.service.d/override.conf
index 3df0c4f..cd828b9 100644
--- a/roles/debian_base/files/etc/systemd/system/fastd@.service.d/override.conf
+++ b/roles/debian_base/files/etc/systemd/system/fastd@.service.d/override.conf
@@ -1,4 +1,3 @@
 [Service]
-# make sure these dirs exists for fastd dignostics/metrics socket
-ExecStartPre=mkdir -p /run/fastd
-ExecStartPre=chown fastd:fastd /run/fastd
+ExecStartPre=-/usr/bin/mkdir /run/fastd
+ExecStartPre=/usr/bin/chown fastd:fastd /run/fastd
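Review bot: `ExecStartPre=/usr/bin/chown fastd:fastd /run/fastd` has no `-` prefix and uses a /usr/bin path; on a Debian host without merged /usr, coreutils live in /bin and the unit fails before fastd starts (the `-` on the mkdir line only masks that line). The removed comment was the only documentation of why the directory exists; keep it, e.g. `# /run/fastd must exist for the status (diagnostics/metrics) socket`. A tmpfiles.d entry `d /run/fastd 0755 fastd fastd -` shipped by the role does the same job without depending on binary paths or ExecStartPre ordering.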
diff --git a/roles/debian_base/files/host/muehlentor/etc/.keep b/roles/debian_base/files/host/muehlentor/etc/.keep
deleted file mode 100644
index e69de29..0000000
diff --git a/roles/debian_base/files/post-merge/ffhl-mesh-vpn b/roles/debian_base/files/post-merge/ffhl-mesh-vpn
index 1814e2e..93f8c55 100755
--- a/roles/debian_base/files/post-merge/ffhl-mesh-vpn
+++ b/roles/debian_base/files/post-merge/ffhl-mesh-vpn
@@ -1,6 +1,5 @@
 #!/bin/sh
 
-systemctl reload 'fastd@ffhl\x2dmesh\x2dvpn.service'
-systemctl reload 'fastd@ffhl\x2dmesh\x2dvpn\x2d2.service'
+systemctl reload 'fastd@ffhl_mesh_vpn.service'
 
 exit 0
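Review bot: The unconditional `exit 0` after the reload means a failed `systemctl reload` (unit not running, reload not supported) is never reported to git or to the timer that drives the pull, so stale peer lists go unnoticed. The sibling hook for icvpn-meta in this same commit uses `systemctl try-reload-or-restart bind9.service`; use the same here, `systemctl try-reload-or-restart 'fastd@ffhl_mesh_vpn.service'`, and drop the `exit 0` unless swallowing errors is deliberate. The reload of the second instance was removed; if the gwvpn instance no longer takes its peers from this repository that is fine, but a one-line comment saying so would help.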
diff --git a/roles/debian_base/tasks/bird.yml b/roles/debian_base/tasks/bird.yml
index 3862993..1bb2336 100644
--- a/roles/debian_base/tasks/bird.yml
+++ b/roles/debian_base/tasks/bird.yml
@@ -1,3 +1,10 @@
 ---
-- template: src=bird_host.conf.j2 dest=/etc/bird/bird_host.conf
-- template: src=bird6_host.conf.j2 dest=/etc/bird/bird6_host.conf
+- template: src=bird/bird_host.conf.j2 dest=/etc/bird/bird_host.conf
+  tags: ["bird"]
+- template: src=bird/bird6_host.conf.j2 dest=/etc/bird/bird6_host.conf
+  tags: ["bird"]
+# - name: restart bird
+#   tags: ["bird"]
+#   systemd:
+#     state: restarted
+#     name: bird.service
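Review bot: Nothing in this file applies the rendered bird_host.conf/bird6_host.conf: the restart task is commented out, and units.yml in this same commit stops bird.service and comments out its restart, so on hosts that do not also run the icvpn role bird never picks up the change. The idiomatic fix is a handler rather than an unconditional restart: add `notify: restart bird` to each template task and define `restart bird` (and `restart bird6` for the second template) in handlers/main.yml as `systemd: name=bird.service state=restarted`, so bird only bounces when the config actually changed. The `key=value` module-argument strings also predate block-style YAML args; converting them (`template:` with `src:`/`dest:` keys) makes the notify line fit naturally.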
diff --git a/roles/debian_base/tasks/fastd.yml b/roles/debian_base/tasks/fastd.yml
index fa5b21a..5eae033 100644
--- a/roles/debian_base/tasks/fastd.yml
+++ b/roles/debian_base/tasks/fastd.yml
@@ -13,9 +13,10 @@
     cmd: fastd --generate-key | awk '/Secret/ {print "secret \"" $2 "\";" }' > /etc/fastd/{{ item }}/secret.conf
     creates: /etc/fastd/{{ item }}/secret.conf
 
+
 - name: generate peer file
   shell:
-    cmd: fastd --show-key -c /etc/fastd/{{ item }}/fastd.conf | awk '/Public/ {print "key \"" $2 "\";" }' > /etc/fastd/{{ item }}/peer.conf
+    cmd: fastd --show-key -c /etc/fastd/{{ item }}/fastd.conf | awk '/Public/ {print "key \"" $2 "\"; " }' > /etc/fastd/{{ item }}/peer.conf
 
 
 - systemd:
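Review bot: The fastd private key written by the `generate secret` task at the top of the hunk is created through a plain shell redirect, so `/etc/fastd/{{ item }}/secret.conf` gets umask-default permissions (normally 0644) and is readable by every local user; nothing in this role sets a mode on it. Either prefix the command, `cmd: umask 077; fastd --generate-key | awk ... > /etc/fastd/{{ item }}/secret.conf`, or add a follow-up `file: path=/etc/fastd/{{ item }}/secret.conf mode=0600` — if fastd drops to the `fastd` user before reading its config (not visible here), set `owner=fastd` as well. The new `generate peer file` task has no `creates:` guard, so it rewrites peer.conf and reports `changed` on every play; add `creates: /etc/fastd/{{ item }}/peer.conf` or `changed_when: false`.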
diff --git a/roles/debian_base/tasks/main.yml b/roles/debian_base/tasks/main.yml
index 58c8078..ffa22af 100644
--- a/roles/debian_base/tasks/main.yml
+++ b/roles/debian_base/tasks/main.yml
@@ -7,9 +7,11 @@
 
 - name: copy base configs
   copy: src=etc/ dest=/etc
+  tags: [bird, fastd]
 
 - name: copy host specific configs
   copy: src=host/{{ inventory_hostname }}/etc/ dest=/etc
+  tags: [bird, fastd]
 
 - name: copy scripts
   copy: src=scripts/iptables-up dest=/usr/local/bin/iptables-up mode=755
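Review bot: `copy host specific configs` reads `files/host/{{ inventory_hostname }}/etc/`, but this commit deletes `files/host/muehlentor/etc/.keep` and moves `files/host/muehlentor/etc/iptables/iptables.rules` out to templates; if that was the last file under that path the directory no longer exists and the task fails for muehlentor with a missing-src error. Guard it so hosts without a host directory are skipped: `when: (role_path ~ '/files/host/' ~ inventory_hostname ~ '/etc') is directory`. Both copy tasks also place files into /etc without `owner`/`mode`, which is acceptable for the config seen in this diff but worth stating in a comment so nobody later drops a secret into `files/etc/`.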
@@ -33,12 +35,22 @@
   block:
     - template: src=network/10-ffhl.netdev.j2 dest=/etc/systemd/network/10-ffhl.netdev
     - template: src=network/12-ffhl.network.j2 dest=/etc/systemd/network/12-ffhl.network
-    - template: src=network/10-internet.link.j2 dest=/etc/systemd/network/12-internet.link
+
+- name: template iptables
+  block:
+    - template: src=iptables/rules.v4 dest=/etc/iptables/rules.v4
+    # - template: src=iptables/rules.v6 dest=/etc/iptables/rules.v6
+
 
 # sometimes disabled (dunno why)
 - name: enable systemd-networkd
   command: systemctl enable systemd-networkd
 
+- name: restart systemd-networkd
+  systemd:
+    state: restarted
+    name: systemd-networkd
+
 
 - name: create fastd configs
   include_tasks: fastd.yml
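Review bot: `restart systemd-networkd` runs on every play whether or not the rendered .netdev/.network files changed, bouncing the gateway's interfaces each run, and units.yml in this same commit restarts systemd-networkd.service a second time. The iptables template has the opposite problem: rendering `/etc/iptables/rules.v4` is followed by nothing that loads it, so the new MASQUERADE rule only takes effect at the next boot via iptables-persistent (unless `scripts/iptables-up`, which is not visible here, does it). Both fit the handler pattern: `notify: restart systemd-networkd` on the network templates and `notify: reload iptables` on the rules.v4 template, with a handler `command: netfilter-persistent reload`, replacing the unconditional restart task.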
@@ -47,20 +59,20 @@
     - ffhl_mesh_gwvpn
 
 
-- include: radvd.yml
-
-- include: dhcpd.yml
-
-
 - name: reload systemd
   command: systemctl daemon-reload
 
 
+- include: radvd.yml
+- include: dhcpd.yml
+
 - lineinfile: dest=/etc/iproute2/rt_tables line="42\tfreifunk"
 
 - include: bird.yml
   tags:
     - bird
+
+
 - include: ffhl-dns.yml
 - include: ffhl-peers.yml
 - include: units.yml
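Review bot: The `- include:` statements for radvd.yml, dhcpd.yml, bird.yml, ffhl-dns.yml, ffhl-peers.yml and units.yml use the bare `include` action, which is deprecated since Ansible 2.4 and removed in recent ansible-core releases, while the fastd include directly above already uses `include_tasks`; make them consistent, e.g. `- include_tasks: radvd.yml`. `reload systemd` as `command: systemctl daemon-reload` reports `changed` on every run; the module form `systemd: daemon_reload: yes` is equivalent. Note that radvd.yml and dhcpd.yml were moved after the daemon-reload — if either installs unit files or drop-ins (not visible here), the reload no longer covers them.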
diff --git a/roles/debian_base/tasks/software.yml b/roles/debian_base/tasks/software.yml
index 3aef30e..2215330 100644
--- a/roles/debian_base/tasks/software.yml
+++ b/roles/debian_base/tasks/software.yml
@@ -15,30 +15,39 @@
     update_cache: yes
     state: present
     name:
-      - iptables-persistent
       - apt-file
       - batctl
       - bind9
       - bird
       - bridge-utils
       - curl
-      - isc-dhcp-server
+      - dnsutils
       - fastd
       - git
       - haveged
       - htop
       - iftop
+      - iperf3
+      - iptables-persistent
       - iputils-ping
+      - isc-dhcp-server
       - ntp
       - openssh-client
       - openssh-server
+      - prometheus-bind-exporter
+      - prometheus-bird-exporter
+      - prometheus-node-exporter
       - python-apt
+      - python3-yaml
       - radvd
       - tcpdump
       - tinc
       - vim
       - wget
-      - iperf3
+      - socat
+      - jq
 
 - name: load batman-adv
-  command: modprobe batman-adv
+  modprobe:
+    name: batman-adv
+    state: present
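Review bot: The three prometheus exporters added here (node, bird, bind) listen on all addresses with their Debian defaults, and on a gateway that NATs mesh traffic to the internet nothing visible restricts who can scrape them — the filter table of rules.v4 lies outside this diff, so verify it has matching INPUT rules. Otherwise bind them to a management address through their `/etc/default/prometheus-*-exporter` ARGS, e.g. `--web.listen-address=<mgmt-ip>:9100`. Minor: `socat` and `jq` were appended after the alphabetized list ends at `wget`; keep the list sorted, and consider a `/etc/modules-load.d/batman-adv.conf` entry since `modprobe: state: present` only loads the module for the current boot (batctl may autoload it, but that is not shown here).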
diff --git a/roles/debian_base/tasks/units.yml b/roles/debian_base/tasks/units.yml
index 31cd13d..88158d5 100644
--- a/roles/debian_base/tasks/units.yml
+++ b/roles/debian_base/tasks/units.yml
@@ -2,15 +2,21 @@
 - command: systemctl mask display-manager.service
 
 
+- name: stop bird
+  systemd:
+    state: stopped
+    name: bird.service
+
+
 - name: restart services
   systemd:
     state: restarted
     name: "{{ item }}"
   with_items:
-    - batman@ffhl_bat0.service
-    - bird6.service
-    - bird.service
     - systemd-networkd.service
+    - batman.service
+    # - bird6.service
+    # - bird.service
     - isc-dhcp-server.service
     - "fastd@ffhl_mesh_vpn.service"
     - "fastd@ffhl_mesh_gwvpn.service"
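Review bot: `stop bird` unconditionally stops bird.service on every play and, with the bird restarts commented out below, nothing in this role starts it again; within this commit only the icvpn role's units.yml restarts bird/bird6, so a host that does not get that role (group membership is not visible here) is left with BGP down after each run. If the intent is to keep bird from starting before its icvpn config exists, let the bird templates `notify` a restart handler instead of stop-here/restart-elsewhere, or at least change this task to `state: started`. Also `systemd-networkd.service` is restarted a second time here after main.yml already restarted it, and `systemctl mask display-manager.service` via `command` has a module form, `systemd: name=display-manager.service masked=yes`, that is idempotent.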
diff --git a/roles/debian_base/templates/bird6_host.conf.j2 b/roles/debian_base/templates/bird/bird6_host.conf.j2
similarity index 100%
rename from roles/debian_base/templates/bird6_host.conf.j2
rename to roles/debian_base/templates/bird/bird6_host.conf.j2
diff --git a/roles/debian_base/templates/bird/bird_host.conf.j2 b/roles/debian_base/templates/bird/bird_host.conf.j2
new file mode 100644
index 0000000..6302ce1
--- /dev/null
+++ b/roles/debian_base/templates/bird/bird_host.conf.j2
@@ -0,0 +1,3 @@
+router id {{ ip4 }};
+
+define OWNIP = {{ ip4 }};
diff --git a/roles/debian_base/templates/bird_host.conf.j2 b/roles/debian_base/templates/bird_host.conf.j2
deleted file mode 100644
index 41e6eca..0000000
--- a/roles/debian_base/templates/bird_host.conf.j2
+++ /dev/null
@@ -1,3 +0,0 @@
-router id {{ ip4 }};
-
-define OWNIP        = {{ ip4 }};
diff --git a/roles/debian_base/templates/dhcpd.conf.j2 b/roles/debian_base/templates/dhcpd.conf.j2
index e8bb6ed..06c80c6 100644
--- a/roles/debian_base/templates/dhcpd.conf.j2
+++ b/roles/debian_base/templates/dhcpd.conf.j2
@@ -3,7 +3,7 @@ default-lease-time 600;
 max-lease-time 600;
 
 subnet {{ dhcpd_subnet }} netmask {{ dhcpd_netmask }} {
-	range {{ dhcpd_start }} {{ dhcpd_end }};
+    range {{ dhcpd_start }} {{ dhcpd_end }};
 
     option routers {{ ip4 }};
     option domain-name-servers {{ ip4 }};
diff --git a/roles/debian_base/templates/fastd/ffhl_mesh_gwvpn/fastd-up b/roles/debian_base/templates/fastd/ffhl_mesh_gwvpn/fastd-up
index 88480f0..f8c182a 100644
--- a/roles/debian_base/templates/fastd/ffhl_mesh_gwvpn/fastd-up
+++ b/roles/debian_base/templates/fastd/ffhl_mesh_gwvpn/fastd-up
@@ -1,5 +1,5 @@
 #!/bin/bash
 
-ip link set address {{ fastd_gw_mac }} dev $INTERFACE
-ip link set up $INTERFACE
-batctl -m ffhl_bat0 if add $INTERFACE
+ip link set $INTERFACE address {{ fastd_gw_mac }}
+ip link set $INTERFACE up
+batctl if add $INTERFACE
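Review bot: The script has no `set -e` and leaves `$INTERFACE` unquoted, so if `ip link set ... address` fails (e.g. `fastd_gw_mac` unset or malformed) the interface is still brought up and added to the mesh with its random MAC; add `set -eu` after the shebang and quote `"$INTERFACE"` on all three lines. Dropping `-m ffhl_bat0` makes `batctl if add` target batctl's default mesh interface (`bat0`); the new batman.service in this commit is outside this view, so confirm it creates that name rather than `ffhl_bat0`, or pass `-m` explicitly to keep the dependency visible.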
diff --git a/roles/debian_base/templates/fastd/ffhl_mesh_gwvpn/gateways/holstentor b/roles/debian_base/templates/fastd/ffhl_mesh_gwvpn/gateways/holstentor
deleted file mode 100644
index 4ac8d29..0000000
--- a/roles/debian_base/templates/fastd/ffhl_mesh_gwvpn/gateways/holstentor
+++ /dev/null
@@ -1,3 +0,0 @@
-key "07197da0ff4a294f4356b50c567f957334728d8a1a31b2855ddd1f6f4d2fed07";
-remote "holstentor.mesh.ffhl.chaotikum.org" port 10001;
-float yes;
diff --git a/roles/debian_base/templates/fastd/ffhl_mesh_gwvpn/gateways/muehlentor b/roles/debian_base/templates/fastd/ffhl_mesh_gwvpn/gateways/muehlentor
deleted file mode 100644
index d218c3d..0000000
--- a/roles/debian_base/templates/fastd/ffhl_mesh_gwvpn/gateways/muehlentor
+++ /dev/null
@@ -1,3 +0,0 @@
-key "2eba0e70a6b834a8435f7142b06f3ee79849b97f884d961f3dd899861373e54e";
-remote "muehlentor.mesh.ffhl.chaotikum.org" port 10001;
-float yes;
diff --git a/roles/debian_base/templates/fastd/ffhl_mesh_vpn/fastd-up b/roles/debian_base/templates/fastd/ffhl_mesh_vpn/fastd-up
index a105b0a..67d52a0 100644
--- a/roles/debian_base/templates/fastd/ffhl_mesh_vpn/fastd-up
+++ b/roles/debian_base/templates/fastd/ffhl_mesh_vpn/fastd-up
@@ -2,4 +2,4 @@
 
 ip link set address {{ fastd_mesh_mac }} dev $INTERFACE
 ip link set up $INTERFACE
-batctl -m ffhl_bat0 if add $INTERFACE
+batctl if add $INTERFACE
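Review bot: Same concerns as the gwvpn fastd-up script: no `set -eu`, unquoted `$INTERFACE`, and `batctl if add` now relies on the default mesh interface name rather than the explicit `-m ffhl_bat0` — verify against the new batman.service, which is not visible here. The two scripts also now differ in `ip link` argument order (`ip link set address ... dev $INTERFACE` here versus `ip link set $INTERFACE address ...` in gwvpn); pick one form so the scripts stay diffable against each other.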
diff --git a/roles/debian_base/files/host/muehlentor/etc/iptables/iptables.rules b/roles/debian_base/templates/iptables/rules.v4
similarity index 73%
rename from roles/debian_base/files/host/muehlentor/etc/iptables/iptables.rules
rename to roles/debian_base/templates/iptables/rules.v4
index e72c4f0..14fe14f 100644
--- a/roles/debian_base/files/host/muehlentor/etc/iptables/iptables.rules
+++ b/roles/debian_base/templates/iptables/rules.v4
@@ -2,11 +2,10 @@
 -A OUTPUT -o internet -p icmp -m icmp --icmp-type 3/1 -j DROP
 COMMIT
 *nat
--A POSTROUTING -o exit -j SNAT --to-source 193.96.224.42
+-A POSTROUTING -s {{ ff_subnet }} -o {{ exit_iface }} -j MASQUERADE
 COMMIT
 *mangle
 -A FORWARD -o ffrhein-+ -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 -A PREROUTING -i freifunk-+ -j MARK --set-xmark 0x1/0xffffffff
--A PREROUTING -i nat64 -j MARK --set-xmark 0x1/0xffffffff
 -A PREROUTING -i icvpn -j MARK --set-xmark 0x1/0xffffffff
 COMMIT
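Review bot: The OUTPUT rule on the first context line still matches `-o internet`, but this commit deletes `network/10-internet.link.j2`, the only visible thing that renamed the uplink to `internet`; if nothing else names it, the rule silently matches nothing. If the uplink is the same interface as `exit_iface`, template it: `-A OUTPUT -o {{ exit_iface }} -p icmp -m icmp --icmp-type 3/1 -j DROP`. The new MASQUERADE rule is correctly scoped to `-s {{ ff_subnet }}`; the filter table with the FORWARD policy starts before this hunk, so whether forwarding from ff_subnet to exit_iface is restricted there cannot be checked from here.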
diff --git a/roles/debian_base/templates/network/10-internet.link.j2 b/roles/debian_base/templates/network/10-internet.link.j2
deleted file mode 100644
index 1072857..0000000
--- a/roles/debian_base/templates/network/10-internet.link.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-[Match]
-MACAddress={{ internet_iface_mac }}
-
-[Link]
-Name=internet
diff --git a/roles/debian_base/templates/network/12-ffhl.network.j2 b/roles/debian_base/templates/network/12-ffhl.network.j2
index 45d85f4..80d1f13 100644
--- a/roles/debian_base/templates/network/12-ffhl.network.j2
+++ b/roles/debian_base/templates/network/12-ffhl.network.j2
@@ -8,3 +8,4 @@ Address={{ ip6 }}/64
 Address={{ ip6_ula }}/64
 
 LinkLocalAddressing=no
+IPv6AcceptRA=no
diff --git a/roles/icvpn/files/etc/systemd/system/update-icvpn-meta.service b/roles/icvpn/files/etc/systemd/system/update-icvpn-meta.service
index f2be936..eccd9e1 100644
--- a/roles/icvpn/files/etc/systemd/system/update-icvpn-meta.service
+++ b/roles/icvpn/files/etc/systemd/system/update-icvpn-meta.service
@@ -1,4 +1,4 @@
 [Service]
 Type=oneshot
-WorkingDirectory=/var/lib/icvpn-meta
+WorkingDirectory=/var/lib/icvpn/icvpn-meta
 ExecStart=/usr/bin/git pull
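Review bot: `ExecStart=/usr/bin/git pull` runs as root (no `User=`) on a timer, and the merge fires the post-merge hook changed in this commit, which executes `mkdns`/`mkbgp`/`mkroa` from a second unpinned GitHub checkout as root and then reloads bind and bird. Any commit that lands upstream — or a compromised upstream account — is therefore executed as root on every gateway automatically, with nothing pinned or verified. At minimum use `ExecStart=/usr/bin/git pull --ff-only`; better, verify signed commits or tags (`git verify-commit`) before rendering, or run the fetch as an unprivileged user and only the render step as root.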
diff --git a/roles/icvpn/files/post-merge/icvpn-meta b/roles/icvpn/files/post-merge/icvpn-meta
index 6ba450c..52cdacc 100755
--- a/roles/icvpn/files/post-merge/icvpn-meta
+++ b/roles/icvpn/files/post-merge/icvpn-meta
@@ -4,13 +4,13 @@ set -e
 
 DATA=$(git rev-parse --show-toplevel)
 
-../icvpn-scripts/mkdns -s $DATA -x luebeck -f bind > /etc/named_ffdns.conf
+../icvpn-scripts/mkdns -s $DATA -x luebeck -f bind > /etc/bind/icvpn.conf
 ../icvpn-scripts/mkbgp -s $DATA -x luebeck -p icvpn_ -d bgp_icvpn > /etc/bird/bird6_icvpn.conf
 ../icvpn-scripts/mkbgp -s $DATA -x luebeck -p icvpn_ -d bgp_icvpn -4 > /etc/bird/bird_icvpn.conf
-../icvpn-scripts/mkroa -s $DATA -x luebeck -m 64 > /etc/bird/roa.ip6
-../icvpn-scripts/mkroa -s $DATA -x luebeck -m 32 -4 > /etc/bird/roa.ip4
+../icvpn-scripts/mkroa -s $DATA -x luebeck -m 64 > /etc/bird/roa6.conf
+../icvpn-scripts/mkroa -s $DATA -x luebeck -m 32 -4 > /etc/bird/roa4.conf
 
-systemctl try-reload-or-restart named.service
+systemctl try-reload-or-restart bind9.service
 systemctl try-reload-or-restart bird6.service
 systemctl try-reload-or-restart bird.service
 
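Review bot: The rendered files are written straight into `/etc/bind/icvpn.conf` and the bird include files and then reloaded, so a malformed upstream commit reaches a live reload with no validation; with `set -e` the hook simply aborts at the first failing reload. Render to a temporary file, validate (`named-checkconf` for bind, `bird -p -c /etc/bird/bird.conf` and `bird6 -p -c /etc/bird/bird6.conf` for bird), and only then move it into place and reload. The relative `../icvpn-scripts/...` paths rely on git running hooks from the repository top level, which it does; a comment stating that assumption would save the next reader a check.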
diff --git a/roles/icvpn/tasks/icvpn-meta.yml b/roles/icvpn/tasks/icvpn-meta.yml
index b23bdb6..1714ad8 100644
--- a/roles/icvpn/tasks/icvpn-meta.yml
+++ b/roles/icvpn/tasks/icvpn-meta.yml
@@ -1,8 +1,9 @@
 ---
-- git: repo=https://github.com/freifunk/icvpn-scripts.git dest=/var/lib/icvpn-scripts
-- git: repo=https://github.com/freifunk/icvpn-meta.git dest=/var/lib/icvpn-meta
-- copy: src=post-merge/icvpn-meta dest=/var/lib/icvpn-meta/.git/hooks/post-merge mode=a+x
+- file: path=/var/lib/icvpn state=directory
+- git: repo=https://github.com/freifunk/icvpn-scripts.git dest=/var/lib/icvpn/icvpn-scripts
+- git: repo=https://github.com/freifunk/icvpn-meta.git dest=/var/lib/icvpn/icvpn-meta
+
+- copy: src=post-merge/icvpn-meta dest=/var/lib/icvpn/icvpn-meta/.git/hooks/post-merge mode=a+x
 - command: .git/hooks/post-merge
   args:
-    chdir: /var/lib/icvpn-meta
-    creates: /etc/named_ffdns.conf
+    chdir: /var/lib/icvpn/icvpn-meta
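Review bot: Removing the `creates:` guard makes the `.git/hooks/post-merge` command run on every play, which re-renders the bind/bird config and reloads both daemons whether or not anything changed. Tie it to the clone instead: add `register: icvpn_meta` to the icvpn-meta git task and `when: icvpn_meta.changed` on the command. The `git:` tasks pull the default branch head of both repositories unpinned; see the note on update-icvpn-meta.service for why a `version:` pin or commit verification matters here, since this content is executed as root.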
diff --git a/roles/icvpn/tasks/main.yml b/roles/icvpn/tasks/main.yml
index fafd441..e5538c0 100644
--- a/roles/icvpn/tasks/main.yml
+++ b/roles/icvpn/tasks/main.yml
@@ -1,12 +1,23 @@
 ---
 - copy: src=etc/ dest=/etc
 - include: icvpn-meta.yml
+
 - template: src=40-icvpn.network.j2 dest=/etc/systemd/network/40-icvpn.network
+
+# The actual icvpn config
 - file: state=directory dest=/etc/tinc
 - git: repo=https://github.com/freifunk/icvpn.git dest=/etc/tinc/icvpn
 - template: src=tinc.conf.j2 dest=/etc/tinc/icvpn/tinc.conf
-- copy: src=post-merge/icvpn dest=/etc/tinc/icvpn/.git/hooks/post-merge mode=a+x
+- command: cp /etc/tinc/icvpn/scripts/post-merge /etc/tinc/icvpn/.git/hooks/post-merge
+- file: path=/etc/tinc/icvpn/.git/hooks/post-merge mode=a+x
+
 - command: .git/hooks/post-merge
   args:
-    chdir: /etc/tinc/icvpn
+    chdir: /etc/tinc/icvpn/
+
+# - systemd:
+#     daemon_reload: yes # not required. run daemon-reload before doing any other operations, to make sure systemd has read any changes.
+#     state: restarted # not required. choices: reloaded;restarted;started;stopped. C(started)/C(stopped) are idempotent actions that will not run commands unless necessary. C(restarted) will always bounce the service. C(reloaded) will always reload.
+#     name: "{{ item }}" # not required. Name of the service. When using in a chroot environment you always need to specify the full name i.e. (crond.service).
+
 - include: units.yml
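Review bot: The post-merge hook is now copied from the cloned repository itself (`cp /etc/tinc/icvpn/scripts/post-merge ...`) instead of the role-controlled file it replaces, so the code that runs as root after every pull is whatever the upstream repository ships — review it and pin the checkout (`version:` on the git task) if that is acceptable, otherwise keep a vetted copy in the role. The `command: cp` is also not idempotent; `copy: src=/etc/tinc/icvpn/scripts/post-merge dest=/etc/tinc/icvpn/.git/hooks/post-merge remote_src=yes mode=a+x` does both steps and reports changes correctly. The commented-out systemd block with pasted module documentation is noise; drop it.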
diff --git a/roles/icvpn/tasks/units.yml b/roles/icvpn/tasks/units.yml
index b4b46d3..04c0cdc 100644
--- a/roles/icvpn/tasks/units.yml
+++ b/roles/icvpn/tasks/units.yml
@@ -1,7 +1,12 @@
 ---
-- command: systemctl enable {{ item }}
+- systemd:
+    enabled: yes
+    state: restarted
+    name: "{{ item }}"
   with_items:
     - tinc.service
     - tinc@icvpn.service
     - update-icvpn.timer
     - update-icvpn-meta.timer
+    - bird.service
+    - bird6.service
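Review bot: `state: restarted` on every play bounces `tinc@icvpn.service` and both bird daemons each time the playbook runs, dropping ICVPN peering and BGP sessions even when nothing changed; restarting the two timers is pointless as well. Use `state: started` here and have the templates that actually change tinc/bird config `notify` restart handlers. `with_items` is the pre-2.5 form; `loop:` is the current idiom.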
diff --git a/roles/icvpn/templates/40-icvpn.network.j2 b/roles/icvpn/templates/40-icvpn.network.j2
index fd1484b..6dce712 100644
--- a/roles/icvpn/templates/40-icvpn.network.j2
+++ b/roles/icvpn/templates/40-icvpn.network.j2
@@ -5,3 +5,6 @@ Name=icvpn
 IPForward=yes
 Address={{ icvpn_ip4 }}/16
 Address={{ icvpn_ip6 }}/96
+
+LinkLocalAddressing=no
+IPv6AcceptRA=no
diff --git a/roles/icvpn/templates/tinc.conf.j2 b/roles/icvpn/templates/tinc.conf.j2
index 354e431..4e1ab2d 100644
--- a/roles/icvpn/templates/tinc.conf.j2
+++ b/roles/icvpn/templates/tinc.conf.j2
@@ -1,2 +1,3 @@
 Name = {{ icvpn_name }}
 Mode = Switch
+GraphDumpFile = /tmp/icvpn.dot
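Review bot: `GraphDumpFile = /tmp/icvpn.dot` has tincd, which runs as root, write to a fixed, predictable path in a world-writable directory; that is a classic symlink/TOCTOU target (`fs.protected_symlinks` reduces but does not remove the risk) and the dump exposes the peering topology to every local user. Point it at a root-owned directory instead, e.g. `GraphDumpFile = /var/lib/tinc/icvpn.dot`, making sure that directory exists, or omit the option once the debugging it was added for is done.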
diff --git a/todo.md b/todo.md
index 3be118b..31b800d 100644
--- a/todo.md
+++ b/todo.md
@@ -2,7 +2,20 @@ Things for a working Gateway:
 
 - [x] fastd
 - [x] batman
-- [ ] DHCP
-- [x] radvd
+- [x] DHCP
+- [x] radvd (~~brachen wir vllt. gar nicht. Bird kann auch RAdv machen~~)
 - [ ] BGP
 - [x] prometheus
+	- [ ] Bird exporter
+	- [ ] Bind exporter
+	- [x] Node exporter
+- [ ] Rheinland uplink
+- [ ] ICVPN peering
+
+
+# Batman
+Batman interfaces are created on-the-fly by batctl. ~~An additional .service or script is not needed.~~ We want to to be able
+to only only `restart batman` without restarting fastd.
+
+# RAdvd
+~~It looks like BIRD is capable of sending RA's. I would rather pass on RAdvd to minimize the installation and configuration.~~ The debian package is not compiled with RAdv support :(
-- 
GitLab