Changeset - 794272b6e82a
x - 21 months ago 2023-08-24 01:11:47
xbr@c3l.lu
feat: use groups for the playbooks
4 files changed with 7 insertions and 4 deletions:
gateway/all_gw_config.yml
 
---
 
# Defining the remote server where the package will be deployed
 
- name: "Deploy new gateway config"
 
  hosts: test
 
  hosts: gateway
 
  remote_user: root
 
  become: true
 
  become_method: ansible.builtin.sudo
 
  tasks:
 

	
 
    # Network interfaces
 
    - name: Setup network interfaces (bridge + bat0)
 
      ansible.builtin.copy:
 
        src: "{{ server_config_dir }}/interface/freifunk.j2"
 
        dest: /etc/network/interfaces.d/freifunk
 
        owner: root
 
        group: root
 
        mode: '0644'
 
      tags: networking
 
    - name: Pull up new interfaces
 
      ansible.builtin.command: /usr/sbin/ifup -a
 
      tags: networking
 

	
 
    # iptables
 
    - name: Copy iptables rulesv4
 
      ansible.builtin.copy:
 
        src: "{{ server_config_dir }}/iptables/rules.v4"
 
        dest: /etc/iptables/rules.v4
 
        owner: root
 
        group: root
 
        mode: "0644"
 
      tags: iptables
 
    - name: Restart iptables-persistent
 
      ansible.builtin.service:
 
        name: "netfilter-persistent"
 
        state: "restarted"
 
        enabled: true
 
      tags: iptables
 

	
 
    # dnsmasq
 
    - name: Setup dnsmasq config w/ IPv4 ranges
 
      ansible.builtin.template:
 
        src: "{{ server_config_dir }}/dnsmasq/fflux.j2"
 
        dest: /etc/dnsmasq.d/fflux
 
        owner: root
 
        group: root
 
        mode: "0644"
 
      tags: dns
 
    - name: Make sure dnsmasq is started
 
      ansible.builtin.service:
 
        name: "dnsmasq"
 
        state: "started"
 
        enabled: "true"
 
      tags: dns
 
    - name: Reload dnsmasq
 
      ansible.builtin.service:
 
        name: "dnsmasq"
 
        state: "reloaded"
 
      tags: dns
 

	
 
    # fastd
 
    - name: Setup fastd (fflux) config w/ MAC address
 
      ansible.builtin.template:
 
        src: "{{ server_config_dir }}/fastd/fastd.conf.j2"
 
        dest: /etc/fastd/fflux/fastd.conf
 
        owner: root
 
        group: root
 
        mode: "0644"
 
      tags: fastd
 
    - name: Copy fastd private key
 
      ansible.builtin.copy:
 
        src: "~/keys/{{ inventory_hostname }}.conf"
 
        dest: /etc/fastd/fflux/secret.conf
 
        owner: root
 
        group: root
 
        mode: "0640"
 
    - name: List all peers but ourselves
 
      ansible.builtin.find:
 
        path: "{{ server_config_dir }}/fastd/peers-gw/"
 
        excludes: "{{ inventory_hostname }}"
 
      delegate_to: localhost
 
      register: peers_to_copy
 
      tags: fastd
 
    - name: Copy fastd peers
 
      ansible.builtin.copy:
 
        src: "{{ item.path }}"
 
        dest: /etc/fastd/fflux/peers-gw/
 
        owner: root
 
        mode: "0644"
 
      with_items: "{{ peers_to_copy.files }}"
 
      tags: fastd
 
    - name: Make sure global fastd is stopped
 
      ansible.builtin.service:
 
        name: "fastd"
 
        state: "stopped"
 
        enabled: false
 
    - name: Start fastd@fflux
 
      ansible.builtin.service:
 
        name: "fastd@fflux"
 
        state: "restarted"
 
        enabled: true
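Review bot: `Setup network interfaces (bridge + bat0)` pushes `freifunk.j2` with `ansible.builtin.copy`, which does not render Jinja, so the gateway receives the template with its placeholders untouched while the dnsmasq and fastd tasks in the same play use `ansible.builtin.template`; the task should read `ansible.builtin.template:` with the same `src`/`dest`. The play also keeps `remote_user: root`, which will stop working once `initial_setup.yml` on this page has written `PermitRootLogin no` to the same host (now listed in both `[initial]` and `[gateway]`); since `become: true` is already set, the unprivileged deploy user from `user_vars.yml` is presumably the intended login — worth confirming. `Copy fastd private key` carries no `tags: fastd`, so a `--tags fastd` run installs fastd.conf and the peers but skips the secret; `Make sure global fastd is stopped` and `Start fastd@fflux` have the same gap.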
gateway/initial_gw_setup.yml
 
---
 
- name: Initial Gateway Setup
 
  hosts: test
 
  hosts: initial
 
  become: true
 
  become_method: ansible.builtin.sudo
 

	
 
  tasks:
 
    # Update packages
 
    - name: Update all packages to their latest version
 
      ansible.builtin.apt:
 
        update_cache: true
 
        upgrade: "yes"
 
      tags: update
 
    - name: Install a list of packages
 
      ansible.builtin.apt:
 
        update_cache: true
 
        pkg:
 
          - git
 
          - bridge-utils
 
          - ntp
 
          - dnsmasq
 
          - iptables-persistent
 
          - openvpn
 
          - fastd
 
          - build-essential
 
          - pkg-config
 
          - checkinstall
 
          - libnl-3-dev
 
          - libnl-genl-3-dev
 
          - linux-headers-amd64
 
          - dkms
 
          - lsb-release
 
          - ethtool
 
          - python3
 
          - wget # for fastd-blacklist
 
      tags: update
 
    - name: Reboot host and wait for it to restart
 
      ansible.builtin.reboot:
 
        msg: "Reboot initiated by Ansible"
 
        connect_timeout: 5
 
        reboot_timeout: 600
 
        pre_reboot_delay: 0
 
        post_reboot_delay: 30
 
        test_command: whoami
 

	
 
    - name: Add the routing table for freifunk
 
      ansible.builtin.blockinfile:
 
        path: /etc/iproute2/rt_tables
 
        backup: true
 
        block: |
 
          # freifunk
 
          33      lux
 
          42      icvpn
 
          100     vpn
 
      tags: config
 

	
 
    # Sysctl
 
    - name: Add the freifunk settings to sysctl config
 
      ansible.builtin.blockinfile:
 
        path: /etc/sysctl.conf
 
        block: |
 
          # Freifunk specific settings
 
          net.ipv4.ip_forward=1
 
          net.ipv4.icmp_errors_use_inbound_ifaddr=1
 

	
 
          net.bridge.bridge-nf-call-arptables = 0
 
          net.bridge.bridge-nf-call-ip6tables = 0
 
          net.bridge.bridge-nf-call-iptables = 0
 

	
 
          net.ipv6.conf.all.forwarding=1
 

	
 
          net.ipv6.conf.all.autoconf = 1
 
          net.ipv6.conf.default.autoconf = 0
 
          net.ipv6.conf.eth0.autoconf = 1
 

	
 
          net.ipv6.conf.all.accept_ra = 1
 
          net.ipv6.conf.default.accept_ra = 0
 
          net.ipv6.conf.eth0.accept_ra = 1
 
          net.ipv4.conf.default.rp_filter = 2
 
      tags: config
 
    - name: Reload sysctl config
 
      ansible.builtin.shell: sysctl -p /etc/sysctl.conf
 
      tags: config
 

	
 
    # Modules
 
    - name: Load `br_netfilter` kernel module
 
      community.general.modprobe:
 
        name: "br_netfilter"
 
        persistent: "disabled" # Initially just a modprobe? I don't understand why
 
        state: "present"
 
    - name: Add `nf_conntrack` to modules
 
      community.general.modprobe:
 
        name: "nf_conntrack"
 
        state: "present"
 
        persistent: "present"
 
      tags: config
 

	
 
    # Basic networking
 
    - name: Setup network interfaces (bridge + bat0)
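Review bot: `Reload sysctl config` runs `sysctl -p /etc/sysctl.conf` through `ansible.builtin.shell` although the command needs no shell features, and it is reported as changed on every run; `ansible.builtin.command: sysctl -p /etc/sysctl.conf` (or applying the settings through `ansible.posix.sysctl` with `reload: true`) avoids shell parsing and keeps the play idempotent. The same block sets `net.bridge.bridge-nf-call-iptables = 0`, so the `rules.v4` installed by `all_gw_config.yml` will not see traffic bridged between the batman and fastd interfaces — presumably intended for a Freifunk gateway, but a one-line comment such as `# bridged traffic bypasses iptables on purpose; filter on the L3 side` would record that decision. The play's task list continues past the last line shown here.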
hosts
 
# server list is here
 
# ansible_host = IP address of remote machine
 
# network_index = last number of MAC address (10-19)
 
# dhcp range = 10.24.XXX.1 - 10.24.YYY.1 // X = start_range, Y = end_ranges
 
fflux-test ansible_host=89.58.3.252 network_index=19 dhcp_start_range=188 dhcp_end_range=191 gateway_status="True" hardware_model="VPS 200 G8"
 

	
 
# machines which are used for tests
 
[test]
 
fflux-test
 

	
 
# variable for the test group come here
 
[test:vars]
 
#mac1=ca:fe:ca:fe:00:19
 
#ipv4=10.24.128.19
 
#ipv6=fd4e:f2d7:88d2:fffe::19
 
#vars_files: /etc/ansible/host_vars/firmware.freifunk.lu
 

	
 
# all machine variables come here
 
[all:vars]
 
ansible_python_interpreter=/usr/bin/python3
 
ansible_ssh_private_key_file=/home/fflux/.ssh/fflux_fflux
 
server_config_dir=~/repos/Infrastructure-Intern/server_config
 
server_scripts_dir=~/repos/Infrastructure-Intern/scripts
 

	
 
# new machine come here
 
[initial]
 
#fflux-test
 
fflux-test
 

	
 
# machines which run api.freifunk.lu
 
[API]
 

	
 
# machines which run map.freifunk.lu
 
[MAP]
 

	
 
# machines which run stats.freifunk.lu
 
[STATS]
 

	
 
# machines which run firmware.freifunk.lu
 
[FIRMWARE]
 

	
 
# machines which run freifunk.lu
 
[WORDPRESS]
 

	
 
# machine which are gateways for freifunk.lu
 
[fflux]
 

	
 
[gateway]
 
fflux-test
 

	
 
[gw1]
 

	
 
[gw2]
 

	
 
[gw3]
 

	
initial_server_setup/initial_setup.yml
 
---
 
- name: Initial Server Setup
 
  hosts: test
 
  hosts: initial
 
  become: true
 

	
 
  vars_files:
 
    - ../user_vars.yml
 
  vars:
 
    password: Welcome1234
 

	
 
  tasks:
 
    - name: Update + Upgrade packages
 
      ansible.builtin.apt:
 
        upgrade: true
 
        update_cache: true
 
      tags: basic
 

	
 
    - name: Install some basic packages
 
      ansible.builtin.apt:
 
        pkg:
 
          - sudo
 
          - git
 
          - vim
 
          - python3
 
          - python3-pip
 
      tags: basic
 

	
 
    # Change Hostname
 
    - name: "Update Hostnames"
 
      ansible.builtin.hostname:
 
        name: "{{ inventory_hostname }}"
 
      tags: hostname
 

	
 
    # Update /etc/hosts
 
    - name: Make sure an IPV4 entry in /etc/hosts exists
 
      ansible.builtin.lineinfile:
 
        path: /etc/hosts
 
        regexp: "^{{ ansible_default_ipv4.address }}"
 
        line: "{{ ansible_default_ipv4.address }} {{ inventory_hostname }} {{ inventory_hostname }}.freifunk.lu"
 
        state: present
 
      tags: network,hostname,dns
 
    - name: Make sure an IPV6 entry in /etc/hosts exists
 
      ansible.builtin.lineinfile:
 
        path: /etc/hosts
 
        regexp: "^{{ ansible_default_ipv6.address }}"
 
        line: "{{ ansible_default_ipv6.address }} {{ inventory_hostname }} {{ inventory_hostname }}.freifunk.lu"
 
        state: present
 
      tags: network,hostname,dns
 

	
 
    # SSH security improvements (EmptyPass, PassAuth, RootLogin)
 
    - name: Disable SSH Password Auth
 
      ansible.builtin.copy:
 
        dest: /etc/ssh/sshd_config.d/disable_password_auth.conf
 
        owner: root
 
        mode: u=rw, g=r, o=r
 
        content: |
 
          '# {{ ansible_managed }}'
 
          'PasswordAuthentication no'
 
      tags: network,ssh
 
    - name: Disable SSH Empty Password
 
      ansible.builtin.copy:
 
        dest: /etc/ssh/sshd_config.d/disable_empty_password.conf
 
        owner: root
 
        mode: u=rw, g=r, o=r
 
        content: |
 
          '# {{ ansible_managed }}'
 
          'PermitEmptyPasswords no'
 
      tags: network,ssh
 
    - name: Disable SSH Root Login
 
      ansible.builtin.copy:
 
        dest: /etc/ssh/sshd_config.d/disable_root_login.conf
 
        owner: root
 
        mode: u=rw, g=r, o=r
 
        content: |
 
          '# {{ ansible_managed }}'
 
          'PermitRootLogin no'
 
      tags: network,ssh
 
    - name: Reload SSHD
 
      ansible.builtin.service:
 
        name: "sshd"
 
        state: "reloaded"
 
      tags: network,ssh
 

	
 
    # Create Freifunk Users
 
    - name: Create member users
 
      ansible.builtin.user:
 
        name: "{{ item.username }}"
 
        password: "{{ password | password_hash('sha512') }}"
 
        update_password: "on_create"
 
        groups:
 
          - sudo
 
        append: true
 
        state: present
 
      loop: "{{ users_member }}"
 
      tags: users
 
    - name: Create system users (no password)
 
      ansible.builtin.user:
 
        name: "{{ item.username }}"
 
        groups:
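Review bot: `password: Welcome1234` is a plaintext shared initial password for every account in `users_member`, each of which is added to `sudo`, and it is committed to the repository in `vars:`; move it into a vaulted variable or a `vars_prompt`, and add `no_log: true` to `Create member users` so the hash and the loop items do not land in the log. The three sshd drop-ins keep the single quotes inside the `|` block scalar, so the files on disk literally read `'PasswordAuthentication no'` etc.; sshd should reject `'PasswordAuthentication` as an unknown keyword, meaning the hardening never takes effect — the lines should be `# {{ ansible_managed }}` and `PasswordAuthentication no` without quotes. `mode: u=rw, g=r, o=r` with spaces after the commas may also be rejected by the module's symbolic-mode parser; `mode: '0644'` as in the other plays is the safer spelling. The task list of this play continues beyond the last line shown.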