From c2cd654035e93e3f01d773858ebe5204bcd73ede 2023-08-22 01:51:43 From: x Date: 2023-08-22 01:51:43 Subject: [PATCH] feat: initial_gw_setup, rewritten --- diff --git a/gateway/initial_gw_setup.yml b/gateway/initial_gw_setup.yml index a0470501b399d0cdd2b4f779d09ad90b5b4e523b..1a7fffef646d81b4af29fe0b3e2f08d0e513aa2e 100644 --- a/gateway/initial_gw_setup.yml +++ b/gateway/initial_gw_setup.yml @@ -1,14 +1,15 @@ --- - name: Initial Gateway Setup hosts: test - remote_user: root become: true become_method: ansible.builtin.sudo - vars: - batman: 2022.2 - tasks: + # Update packages + - name: Update all packages to their latest version + ansible.builtin.apt: + update_cache: true + upgrade: "yes" - name: Install a list of packages ansible.builtin.apt: update_cache: true @@ -30,14 +31,7 @@ - lsb-release - ethtool - python3 - -# Updating all packages to their latest version - - name: Update all packages to their latest version - ansible.builtin.apt: - update_cache: true - upgrade: "yes" - -# Reboot and reconnect + - wget # for fastd-blacklist - name: Reboot host and wait for it to restart ansible.builtin.reboot: msg: "Reboot initiated by Ansible" @@ -47,8 +41,7 @@ post_reboot_delay: 30 test_command: whoami -# edit routing tables - - name: Add the routing table ports for freifunk + - name: Add the routing table for freifunk ansible.builtin.blockinfile: path: /etc/iproute2/rt_tables backup: true @@ -58,7 +51,7 @@ 42 icvpn 100 vpn -# edit rsysctl config + # Sysctl - name: Add the freifunk settings to sysctl config ansible.builtin.blockinfile: path: /etc/sysctl.conf 
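Review bot: The new `Update all packages to their latest version` task at the top of the play uses `upgrade: "yes"`, which is apt's `safe` upgrade and will not pull in new dependencies or a newer kernel; since the play reboots the host right after the package install, `upgrade: dist` is probably what is wanted if this run is meant to apply pending kernel/security updates — worth confirming the intent and documenting it on the task. The install task that follows repeats `update_cache: true`, so `apt-get update` runs twice in the same play; `cache_valid_time: 3600` on the second task avoids the extra network round trip. Dropping `remote_user: root` in favour of `become` is the right direction; a short comment on the play header naming the expected unprivileged login user would keep the inventory and this play in agreement.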
@@ -82,230 +75,159 @@ net.ipv6.conf.default.accept_ra = 0 net.ipv6.conf.eth0.accept_ra = 1 net.ipv4.conf.default.rp_filter = 2 - -# load kernel module - - name: Load kernel module - become: true - become_user: root - ansible.builtin.shell: modprobe br_netfilter - -# edit the module list - - name: Add nf conntrack to modules - ansible.builtin.blockinfile: - path: /etc/modules - backup: true - block: | - nf_conntrack - -# reload sysctl config - name: Reload sysctl config - become: true - become_user: root ansible.builtin.shell: sysctl -p /etc/sysctl.conf -# Reboot and reconnect - - name: Reboot host and wait for it to restart - ansible.builtin.reboot: - msg: "Reboot initiated by Ansible" - connect_timeout: 5 - reboot_timeout: 600 - pre_reboot_delay: 0 - post_reboot_delay: 30 - test_command: whoami - -# create the Freifunk bridge interface file -# copy default interface file to remote host - - name: Copy interface file with owner and permissions - ansible.builtin.copy: - src: /home/fflux/Infrastructure-Intern/server_config/interface/freifunk + # Modules + - name: Load `br_netfilter` kernel module + community.general.modprobe: + name: "br_netfilter" + persistent: "disabled" # Initially just a modprobe? 
I don't understand why + state: "present" + - name: Add `nf_conntrack` to modules + community.general.modprobe: + name: "nf_conntrack" + state: "present" + persistent: "present" + + # Basic networking + - name: Setup network interfaces (bridge + bat0) + ansible.builtin.template: + src: "{{ server_config_dir }}/interface/freifunk.j2" dest: /etc/network/interfaces.d/freifunk owner: root group: root - mode: '0644' - -# create IPV4 Iptables rules -# copy default IPV4 iptables rules file to remote host - - name: Copy rulesv4 file with owner and permissions + mode: "0644" + register: basic_networking + - name: Pull up new interfaces + ansible.builtin.command: /usr/sbin/ifup -a + - name: Copy iptables rulesv4 ansible.builtin.copy: - src: /home/fflux/Infrastructure-Intern/server_config/iptables/rules.v4 + src: "{{ server_config_dir }}/iptables/rules.v4" dest: /etc/iptables/rules.v4 owner: root group: root - mode: '0644' - -# create dnsmasq file -# copy default dnsmasq file to remote host - - name: Copy dnsmasq file with owner and permissions - ansible.builtin.copy: - src: /home/fflux/Infrastructure-Intern/server_config/dnsmasq/fflux + mode: "0644" + - name: Restart iptables-persistent + ansible.builtin.service: + name: "netfilter-persistent" + state: "restarted" + enabled: true + - name: Setup dnsmasq config w/ IPv4 ranges + ansible.builtin.template: + src: "{{ server_config_dir }}/dnsmasq/fflux.j2" dest: /etc/dnsmasq.d/fflux owner: root group: root - mode: '0644' + mode: "0644" -# Create directory fflux in fatsd - - name: Create the directory fflux in fastd if it does not exist + # fastd + - name: Create the fflux dir inside of fastd ansible.builtin.file: path: /etc/fastd/fflux state: directory - mode: '0755' - -# create fastd config file -# copy default dnsmasq file to remote host - - name: Copy fastd config file with owner and permissions - ansible.builtin.copy: - src: /home/fflux/Infrastructure-Intern/server_config/fastd/fastd.conf + mode: "0755" + - name: Setup fastd 
(fflux) config w/ MAC address + ansible.builtin.template: + src: "{{ server_config_dir }}/fastd/fastd.conf.j2" dest: /etc/fastd/fflux/fastd.conf owner: root group: root - mode: '0644' - -# Create directory peers-gw in fatsd - - name: Create the directory peers-gw in fastd/fflux if it does not exist + mode: "0644" + - name: Create peers-gw directory in fastd/fflux ansible.builtin.file: path: /etc/fastd/fflux/peers-gw state: directory - mode: '0755' - -# create fastd blacklist script -# copy fastd blacklist script to remote host - - name: Copy fastd blacklist script with owner and permissions + mode: "0755" + # TODO: copy peers + - name: Copy fastd peers + - name: Copy fastd blacklist script ansible.builtin.copy: - src: /home/fflux/Infrastructure-Intern/scripts/fastd-blacklist.sh + src: "{{ server_scripts_dir }}/fastd-blacklist.sh" dest: /etc/fastd/fflux/fastd-blacklist.sh owner: root group: root - mode: '0755' - -# change fasts autostart to all -# copy default fastd default file to remote host - - name: Copy fastd config file with owner and permissions + mode: "0755" + - name: Set fastd to autostart all ansible.builtin.copy: - src: /home/fflux/Infrastructure-Intern/server_config/fastd/fastd + src: "{{ server_config_dir }}/fastd/fastd" dest: /etc/default/fastd owner: root group: root - mode: '0644' + mode: "0644" + - name: Start fastd + ansible.builtin.service: + name: "fastd" + state: "started" + enabled: "true" + -# Remove client directory from openvpn + # OpenVPN - name: Remove client directory ansible.builtin.file: path: /etc/openvpn/client state: absent - -# Remove server from openvpn - name: Remove server directory ansible.builtin.file: path: /etc/openvpn/server state: absent - -# create hideme config -# copy the default hidme config to remote host - - name: Copy hideme config with owner and permissions + - name: Copy hideme config ansible.builtin.copy: - src: /home/fflux/Infrastructure-Intern/server_config/openvpn/hideme.conf + src: "{{ server_config_dir 
}}/openvpn/hideme.conf" dest: /etc/openvpn/hideme.conf owner: root group: root - mode: '0644' - -# create hideme-up script -# copy hideme-up script to remote host - - name: Copy hideme-up script with owner and permissions - ansible.builtin.copy: - src: /home/fflux/Infrastructure-Intern/scripts/hideme-up - dest: /etc/openvpn/hideme-up - owner: root - group: root - mode: '0755' - - - name: Copy hideme-down script with owner and permissions + mode: "0644" + - name: Copy hideme auth file ansible.builtin.copy: - src: /home/fflux/Infrastructure-Intern/scripts/hideme-down - dest: /etc/openvpn/hideme-down + src: "{{ server_config_dir }}/openvpn/auth.txt" + dest: /etc/openvpn/auth.txt owner: root group: root - mode: '0755' - -# create update resolv conf -# copy update-resolv.conf script to remote host - - name: Copy update-resolv.conf with owner and permissions + mode: "0640" + - name: Copy hideme-up script ansible.builtin.copy: - src: /home/fflux/Infrastructure-Intern/server_config/openvpn/update-resolv-conf - dest: /etc/openvpn/update-resolv-conf - owner: root - group: root - mode: '0755' - -# Create for batman installation - - name: Create directory for batman installation - ansible.builtin.file: - path: /usr/src/batman-adv-{{ batman }} - state: directory - mode: '0755' - -# Clone and check out batman repo - - name: Clone and check out batman git repo - ansible.builtin.git: - repo: 'https://git.open-mesh.org/batman-adv.git' - dest: /usr/src/batman-adv-{{ batman }} - version: v{{ batman }} - -# create dkms conf -# copy dkms conf to remote host - - name: Copy dkms.conf with owner and permissions - ansible.builtin.copy: - src: /home/fflux/Infrastructure-Intern/server_config/dkms/dkms.conf - dest: /usr/src/batman-adv-{{ batman }} + src: "{{ server_scripts_dir }}/hideme-up" + dest: /etc/openvpn/hideme-up owner: root group: root - mode: '0644' - -# create dkms install script -# copy dkms install script to remote host - - name: Copy dkms install script with owner and 
permissions + mode: "0755" + - name: Copy hideme-down script ansible.builtin.copy: - src: /home/fflux/Infrastructure-Intern/scripts/install_dkms.sh - dest: /usr/local/bin + src: "{{ server_scripts_dir }}/hideme-down" + dest: /etc/openvpn/hideme-down owner: root group: root - mode: '0744' - -# create build batclt script -# copy build batctl script to remote host - - name: Copy build batctl script with owner and permissions + mode: "0755" + - name: Copy update-resolv-conf ansible.builtin.copy: - src: /home/fflux/Infrastructure-Intern/scripts/build_batctl.sh - dest: /usr/local/bin + src: "{{ server_config_dir }}/openvpn/update-resolv-conf" + dest: /etc/openvpn/update-resolv-conf owner: root group: root - mode: '0744' - -# Run batman scripts - - name: Run install_dkms.sh - ansible.builtin.command: bash /usr/local/bin/install_dkms.sh - - - name: Run build_batctl.sh - ansible.builtin.command: /usr/local/bin/build_batctl.sh + mode: "0755" + - name: Ensure OpenVPN sevice is enabled + starts + ansible.builtin.service: + name: "openvpn@hideme" + state: "started" + enabled: true -# edit the module list + # batman-adv - name: Add batman-adv to modules - ansible.builtin.blockinfile: - path: /etc/modules - backup: true - block: | - nf_conntrack - batman-adv - - - name: Creating a file with content - ansible.builtin.copy: - dest: "/etc/modules-load.d/freifunk.conf" - content: | - ebtables - batman_adv - -# Reboot and reconnect - - name: Reboot host and wait for it to restart + community.general.modprobe: + name: "batman-adv" + state: "present" + persistent: "present" + - name: Add nf_conntrack to modules + community.general.modprobe: + name: "nf_conntrack" + state: "present" + persistent: "present" + - name: Add ebtables to modules + community.general.modprobe: + name: "ebtables" + state: "present" + persistent: "present" ansible.builtin.reboot: msg: "Reboot initiated by Ansible" connect_timeout: 5 
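Review bot: The new `Add ebtables to modules` task at the end of this hunk is directly followed by the context lines `ansible.builtin.reboot:` / `msg:` / `connect_timeout:`, because the `- name: Reboot host and wait for it to restart` line was removed without a replacement; the result is a single task carrying two action modules, which Ansible rejects at parse time (conflicting action statements), so a `- name: Reboot host and wait for it to restart` line needs to go back in before `ansible.builtin.reboot:` (the reboot arguments continue past the end of this hunk). The `- name: Copy fastd peers` task under `# TODO: copy peers` has no action at all, which is also a parse error; give it a module or turn it into a comment until peer copying exists. `nf_conntrack` is made persistent twice (once under `# Modules`, again under `# batman-adv`); one of the two tasks can go. `Copy hideme auth file` ships `{{ server_config_dir }}/openvpn/auth.txt` as-is, so the VPN credentials live in cleartext alongside the rest of the config tree; keep that file ansible-vault encrypted (`ansible.builtin.copy` decrypts a vaulted `src` transparently) and add `no_log: true` and `diff: false` to the task so a `--diff` run does not print the secret. The `persistent: "disabled"` on `br_netfilter` together with the `I don't understand why` comment should be resolved rather than shipped: after the reboot below, `br_netfilter` will not be loaded, so any `net.bridge.*` keys in the sysctl block above (not visible in this hunk) would fail at boot — if such keys exist, `persistent: "present"` is the safer choice.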
@@ -314,46 +236,36 @@ post_reboot_delay: 30 test_command: whoami -# create check gateway script -# copy check gateway script to remote host - - name: Copy check gateway script with owner and permissions + # "check" scripts + - name: Copy check gateway script ansible.builtin.copy: - src: /home/fflux/Infrastructure-Intern/scripts/check_gateway.sh + src: "{{ server_scripts_dir }}/check_gateway.sh" dest: /usr/local/bin owner: root group: root - mode: '0755' - -# create check vpn script -# copy check vpn script to remote host - - name: Copy check vpn script with owner and permissions + mode: "0755" + - name: Copy check vpn script ansible.builtin.copy: - src: /home/fflux/Infrastructure-Intern/scripts/check_vpn.sh + src: "{{ server_scripts_dir }}/check_vpn.sh" dest: /usr/local/bin owner: root group: root - mode: '0755' + mode: "0755" -# Clone mesh-announce repo + # mesh-announce - name: Clone mesh-announce git repo ansible.builtin.git: - repo: 'https://github.com/ffnord/mesh-announce' + repo: "https://github.com/ffnord/mesh-announce" dest: /opt/mesh-announce # TODO: Verify that there has been no update! version: 40be9a18ee91fa058478bc04105cbd79fd70279e - -# create respondd service -# copy respondd service script to remote host - - name: Copy respondd service script with owner and permissions - ansible.builtin.copy: - src: /home/fflux/Infrastructure-Intern/scripts/respondd.service - dest: /opt/mesh-announce/respondd.service - owner: root - group: root - mode: '0755' - -# Create symlink for respondd service - - name: Create a symbolic link + - name: Configure respondd.service file + ansible.builtin.lineinfile: + path: /opt/mesh-announce/respondd.service + regexp: "^ExecStart=" + line: "ExecStart=/opt/mesh-announce/respondd.py -d /opt/mesh-announce/providers -f /opt/mesh-announce/respondd.conf" + state: present + - name: Symbolic link for respondd.service ansible.builtin.file: src: /opt/mesh-announce/respondd.service dest: /etc/systemd/system/respondd.service 
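Review bot: `Configure respondd.service file` edits `/opt/mesh-announce/respondd.service` inside the checkout created by the `ansible.builtin.git` task directly above it, so after the first run the working tree carries local modifications; with the default `force: false` the git module, in my experience, refuses to proceed on the next run (local modifications exist in repository), which makes the play non-rerunnable. Rendering the unit with `ansible.builtin.template` straight to `/etc/systemd/system/respondd.service` instead of patching and symlinking the repo copy avoids that, and also means a later bump of the pinned commit cannot silently change the unit that systemd runs as root. Pinning `version` to a full, quoted commit hash is the right supply-chain control; the `# TODO: Verify that there has been no update!` comment would be more useful as `# pinned on purpose: review upstream diff before bumping` so nobody "fixes" it back to a branch. If the upstream unit ever lacks an `ExecStart=` line, `lineinfile` appends one at end of file, outside `[Service]`; `insertafter: "^\\[Service\\]"` guards against that.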
@@ -361,25 +273,31 @@ group: root state: link force: true + - name: Copy respondd.conf template w/ IP + Hardware + ansible.builtin.template: + src: "{{ server_config_dir }}/respondd.conf.j2" + dest: /opt/mesh-announce/respondd.conf + owner: root + mode: "0644" + - name: Enable + Start respondd.service + ansible.builtin.service: + name: "respondd" + state: "started" + enabled: "true" -# Stop respondd + # Disables systemd-resolved Stub Listener - name: Stop systemd-resolved ansible.builtin.service: name: "systemd-resolved" state: "stopped" - -# create resolved conf -# copy resolved conf to remote host - - name: Copy resolved.conf with owner and permissions + - name: Copy resolved.conf ansible.builtin.copy: - src: /home/fflux/Infrastructure-Intern/server_config/systemd-resolved/resolved.conf + src: "{{ server_config_dir }}/systemd-resolved/resolved.conf" dest: /etc/systemd/resolved.conf owner: root group: root - mode: '0644' - -# Create symlink for resolved.con - - name: Create a symbolic link + mode: "0644" + - name: Create a symbolic link for resolv.conf, replacing the initial resolv.conf ansible.builtin.file: src: /run/systemd/resolve/resolv.conf dest: /etc/resolv.conf 
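Review bot: `Enable + Start respondd.service` starts a unit whose file was just symlinked and edited by the preceding tasks, but passes no `daemon_reload: true`; `systemctl enable` reloads on first creation, yet an `ExecStart` changed on a later run will not be picked up until a reload, so add `daemon_reload: true` to that service task. `enabled: "true"` is a quoted string here and on the dnsmasq tasks, while the OpenVPN task earlier in the play uses a plain `enabled: true`; Ansible coerces both, but the boolean form should be used consistently. The stop → copy → start sequence for `systemd-resolved` leaves the host without a resolver between the two service tasks; copying `resolved.conf` first and then a single task with `state: restarted` (plus `enabled: true`) is the usual idempotent shape and removes the window. `Copy respondd.conf template w/ IP + Hardware` sets `owner: root` but no `group:`, unlike every other file task in the play; harmless for a root-run service, but worth aligning. The `resolv.conf` symlink task at the end of this hunk continues past its last line.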
@@ -387,24 +305,57 @@ group: root state: link force: true - -# Start respondd - name: Start systemd-resolved ansible.builtin.service: name: "systemd-resolved" state: "started" - -# create default crontab -# copy default crontab to remote host - - name: Copy crontab with owner and permissions - ansible.builtin.copy: - src: /home/fflux/Infrastructure-Intern/server_config/crontab/crontab - dest: /etc/crontab - owner: root - group: root - mode: '0644' - -# Reboot and reconnect + enabled: "true" + - name: Make sure dnsmasq is started + ansible.builtin.service: + name: "dnsmasq" + state: "started" + enabled: "true" + - name: Reload dnsmasq + ansible.builtin.service: + name: "dnsmasq" + state: "reloaded" + + # Crontab + - name: Add check_gateway to cron + ansible.builtin.cron: + name: "check if gateway is online" + user: root + job: "/usr/local/bin/check_gateway.sh > /dev/null 2>&1" + state: "present" + minute: "*" + hour: "*" + day: "*" + month: "*" + weekday: "*" + - name: Add check_vpn to cron + ansible.builtin.cron: + name: "check if vpn is online" + user: root + job: "/usr/local/bin/check_vpn.sh > /dev/null 2>&1" + state: "present" + minute: "*" + hour: "*" + day: "*" + month: "*" + weekday: "*" + - name: Regularly download the peer blacklist + ansible.builtin.cron: + name: "download blacklist" + user: root + job: "/usr/local/bin/check_vpn.sh > /dev/null 2>&1" + state: "present" + minute: "*/5" + hour: "*" + day: "*" + month: "*" + weekday: "*" + + # Reboot and reconnect - name: Reboot host and wait for it to restart ansible.builtin.reboot: msg: "Reboot initiated by Ansible"