Changeset - bbab498c1c5a
[Not reviewed]
0 1 0
x - 21 months ago 2023-08-22 14:28:13
xbr@c3l.lu
feat: initial_gw_setup, add config tag to tasks
1 file changed with 48 insertions and 9 deletions:
0 comments (0 inline, 0 general)
gateway/initial_gw_setup.yml
 
@@ -10,6 +10,7 @@
 
      ansible.builtin.apt:
 
        update_cache: true
 
        upgrade: "yes"
 
      tags: update
 
    - name: Install a list of packages
 
      ansible.builtin.apt:
 
        update_cache: true
 
@@ -32,6 +33,7 @@
 
          - ethtool
 
          - python3
 
          - wget # for fastd-blacklist
 
      tags: update
 
    - name: Reboot host and wait for it to restart
 
      ansible.builtin.reboot:
 
        msg: "Reboot initiated by Ansible"
 
@@ -50,6 +52,7 @@
 
          33      lux
 
          42      icvpn
 
          100     vpn
 
      tags: config
 

	
 
    # Sysctl
 
    - name: Add the freifunk settings to sysctl config
 
@@ -75,8 +78,10 @@
 
          net.ipv6.conf.default.accept_ra = 0
 
          net.ipv6.conf.eth0.accept_ra = 1
 
          net.ipv4.conf.default.rp_filter = 2
 
      tags: config
 
    - name: Reload sysctl config
 
      ansible.builtin.shell: sysctl -p /etc/sysctl.conf
 
      tags: config
 

	
 
    # Modules
 
    - name: Load `br_netfilter` kernel module
 
@@ -89,6 +94,7 @@
 
        name: "nf_conntrack"
 
        state: "present"
 
        persistent: "present"
 
      tags: config
 

	
 
    # Basic networking
 
    - name: Setup network interfaces (bridge + bat0)
 
@@ -98,9 +104,10 @@
 
        owner: root
 
        group: root
 
        mode: "0644"
 
      register: basic_networking
 
      tags: config
 
    - name: Pull up new interfaces
 
      ansible.builtin.command: /usr/sbin/ifup -a
 
      tags: config
 
    - name: Copy iptables rulesv4
 
      ansible.builtin.copy:
 
        src: "{{ server_config_dir }}/iptables/rules.v4"
 
@@ -108,11 +115,13 @@
 
        owner: root
 
        group: root
 
        mode: "0644"
 
      tags: config
 
    - name: Restart iptables-persistent
 
      ansible.builtin.service:
 
        name: "netfilter-persistent"
 
        state: "restarted"
 
        enabled: true
 
      tags: config
 
    - name: Setup dnsmasq config w/ IPv4 ranges
 
      ansible.builtin.template:
 
        src: "{{ server_config_dir }}/dnsmasq/fflux.j2"
 
@@ -120,6 +129,7 @@
 
        owner: root
 
        group: root
 
        mode: "0644"
 
      tags: config
 

	
 
    # fastd
 
    - name: Create the fflux dir inside of fastd
 
@@ -127,6 +137,7 @@
 
        path: /etc/fastd/fflux
 
        state: directory
 
        mode: "0755"
 
      tags: config
 
    - name: Setup fastd (fflux) config w/ MAC address
 
      ansible.builtin.template:
 
        src: "{{ server_config_dir }}/fastd/fastd.conf.j2"
 
@@ -134,22 +145,28 @@
 
        owner: root
 
        group: root
 
        mode: "0644"
 
      tags: config
 
    - name: Create peers-gw directory in fastd/fflux
 
      ansible.builtin.file:
 
        path: /etc/fastd/fflux/peers-gw
 
        state: directory
 
        mode: "0755"
 
      tags: config
 
    - name: List all peers but ourselves
 
      ansible.builtin.find:
 
        path: "{{ server_config_dir }}/fastd/peers-gw/"
 
        excludes: "{{ inventory_hostname }}"
 
      delegate_to: localhost
 
      register: peers_to_copy
 
      tags: config
 
    - name: Copy fastd peers
 
      ansible.builtin.copy:
 
        src: "{{ item.path }}"
 
        dest: /etc/fastd/fflux/peers-gw/
 
        owner: root
 
        mode: "0644"
 
      with_items: "{{ peers_to_copy.files }}"
 
      tags: config
 
    - name: Copy fastd blacklist script
 
      ansible.builtin.copy:
 
        src: "{{ server_scripts_dir }}/fastd-blacklist.sh"
 
@@ -157,6 +174,7 @@
 
        owner: root
 
        group: root
 
        mode: "0755"
 
      tags: config
 
    - name: Set fastd to autostart all
 
      ansible.builtin.copy:
 
        src: "{{ server_config_dir }}/fastd/fastd"
 
@@ -164,22 +182,25 @@
 
        owner: root
 
        group: root
 
        mode: "0644"
 
      tags: config
 
    - name: Start fastd
 
      ansible.builtin.service:
 
        name: "fastd"
 
        state: "started"
 
        enabled: "true"
 

	
 
      tags: config
 

	
 
    # OpenVPN
 
    - name: Remove client directory
 
      ansible.builtin.file:
 
        path: /etc/openvpn/client
 
        state: absent
 
      tags: config
 
    - name: Remove server directory
 
      ansible.builtin.file:
 
        path: /etc/openvpn/server
 
        state: absent
 
      tags: config
 
    - name: Copy hideme config
 
      ansible.builtin.copy:
 
        src: "{{ server_config_dir }}/openvpn/hideme.conf"
 
@@ -187,6 +208,7 @@
 
        owner: root
 
        group: root
 
        mode: "0644"
 
      tags: config
 
    - name: Copy hideme auth file
 
      ansible.builtin.copy:
 
        src: "{{ server_config_dir }}/openvpn/auth.txt"
 
@@ -194,6 +216,7 @@
 
        owner: root
 
        group: root
 
        mode: "0640"
 
      tags: config
 
    - name: Copy hideme-up script
 
      ansible.builtin.copy:
 
        src: "{{ server_scripts_dir }}/hideme-up"
 
@@ -201,6 +224,7 @@
 
        owner: root
 
        group: root
 
        mode: "0755"
 
      tags: config
 
    - name: Copy hideme-down script
 
      ansible.builtin.copy:
 
        src: "{{ server_scripts_dir }}/hideme-down"
 
@@ -208,6 +232,7 @@
 
        owner: root
 
        group: root
 
        mode: "0755"
 
      tags: config
 
    - name: Copy update-resolv-conf
 
      ansible.builtin.copy:
 
        src: "{{ server_config_dir }}/openvpn/update-resolv-conf"
 
@@ -215,11 +240,13 @@
 
        owner: root
 
        group: root
 
        mode: "0755"
 
      tags: config
 
    - name: Ensure OpenVPN sevice is enabled + starts
 
      ansible.builtin.service:
 
        name: "openvpn@hideme"
 
        state: "started"
 
        enabled: true
 
      tags: config
 

	
 
    # batman-adv
 
    - name: Add batman-adv to modules
 
@@ -227,23 +254,19 @@
 
        name: "batman-adv"
 
        state: "present"
 
        persistent: "present"
 
      tags: config
 
    - name: Add nf_conntrack to modules
 
      community.general.modprobe:
 
        name: "nf_conntrack"
 
        state: "present"
 
        persistent: "present"
 
      tags: config
 
    - name: Add ebtables to modules
 
      community.general.modprobe:
 
        name: "ebtables"
 
        state: "present"
 
        persistent: "present"
 
      ansible.builtin.reboot:
 
        msg: "Reboot initiated by Ansible"
 
        connect_timeout: 5
 
        reboot_timeout: 600
 
        pre_reboot_delay: 0
 
        post_reboot_delay: 30
 
        test_command: whoami
 
      tags: config
 

	
 
    # "check" scripts
 
    - name: Copy check gateway script
 
@@ -253,6 +276,7 @@
 
        owner: root
 
        group: root
 
        mode: "0755"
 
      tags: config
 
    - name: Copy check vpn script
 
      ansible.builtin.copy:
 
        src: "{{ server_scripts_dir }}/check_vpn.sh"
 
@@ -260,6 +284,7 @@
 
        owner: root
 
        group: root
 
        mode: "0755"
 
      tags: config
 

	
 
    # mesh-announce
 
    - name: Clone mesh-announce git repo
 
@@ -268,12 +293,14 @@
 
        dest: /opt/mesh-announce
 
        # TODO: Verify that there has been no update!
 
        version: 40be9a18ee91fa058478bc04105cbd79fd70279e
 
      tags: config
 
    - name: Configure respondd.service file
 
      ansible.builtin.lineinfile:
 
        path: /opt/mesh-announce/respondd.service
 
        regexp: "^ExecStart="
 
        line: "ExecStart=/opt/mesh-announce/respondd.py -d /opt/mesh-announce/providers -f /opt/mesh-announce/respondd.conf"
 
        state: present
 
      tags: config
 
    - name: Symbolic link for respondd.service
 
      ansible.builtin.file:
 
        src: /opt/mesh-announce/respondd.service
 
@@ -282,23 +309,27 @@
 
        group: root
 
        state: link
 
        force: true
 
      tags: config
 
    - name: Copy respondd.conf template w/ IP + Hardware
 
      ansible.builtin.template:
 
        src: "{{ server_config_dir }}/respondd.conf.j2"
 
        dest: /opt/mesh-announce/respondd.conf
 
        owner: root
 
        mode: "0644"
 
      tags: config
 
    - name: Enable + Start respondd.service
 
      ansible.builtin.service:
 
        name: "respondd"
 
        state: "started"
 
        enabled: "true"
 
      tags: config
 

	
 
    # Disables systemd-resolved Stub Listener
 
    - name: Stop systemd-resolved
 
      ansible.builtin.service:
 
        name: "systemd-resolved"
 
        state: "stopped"
 
      tags: config
 
    - name: Copy resolved.conf
 
      ansible.builtin.copy:
 
        src: "{{ server_config_dir }}/systemd-resolved/resolved.conf"
 
@@ -306,6 +337,7 @@
 
        owner: root
 
        group: root
 
        mode: "0644"
 
      tags: config
 
    - name: Create a symbolic link for resolv.conf, replacing the initial resolv.conf
 
      ansible.builtin.file:
 
        src: /run/systemd/resolve/resolv.conf
 
@@ -314,20 +346,24 @@
 
        group: root
 
        state: link
 
        force: true
 
      tags: config
 
    - name: Start systemd-resolved
 
      ansible.builtin.service:
 
        name: "systemd-resolved"
 
        state: "started"
 
        enabled: "true"
 
      tags: config
 
    - name: Make sure dnsmasq is started
 
      ansible.builtin.service:
 
        name: "dnsmasq"
 
        state: "started"
 
        enabled: "true"
 
      tags: config
 
    - name: Reload dnsmasq
 
      ansible.builtin.service:
 
        name: "dnsmasq"
 
        state: "reloaded"
 
      tags: config
 

	
 
    # Crontab
 
    - name: Add check_gateway to cron
 
@@ -341,6 +377,7 @@
 
        day: "*"
 
        month: "*"
 
        weekday: "*"
 
      tags: config
 
    - name: Add check_vpn to cron
 
      ansible.builtin.cron:
 
        name: "check if vpn is online"
 
@@ -352,6 +389,7 @@
 
        day: "*"
 
        month: "*"
 
        weekday: "*"
 
      tags: config
 
    - name: Regularly download the peer blacklist
 
      ansible.builtin.cron:
 
        name: "download blacklist"
 
@@ -363,6 +401,7 @@
 
        day: "*"
 
        month: "*"
 
        weekday: "*"
 
      tags: config
 

	
 
    # Reboot and reconnect
 
    - name: Reboot host and wait for it to restart
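Review bot: The `Pull up new interfaces` task in hunk `@@ -98,9 +104,10 @@` runs `/usr/sbin/ifup -a` on every play, although the task before it registers its result as `basic_networking`; that variable is never consulted, so the command is not idempotent and re-applies the interface configuration unconditionally. Gating it with `when: basic_networking is changed` (or turning it into a handler notified by the interfaces task) lets the play converge. In the same spirit, `Reload sysctl config` uses `ansible.builtin.shell` for a plain binary invocation; `ansible.builtin.command: sysctl -p /etc/sysctl.conf` together with `changed_when: false` avoids an unnecessary shell and a permanent `changed` report. A consistency point: `enabled` is written both as the boolean `true` (Restart iptables-persistent, the OpenVPN service) and as the string `"true"` (Start fastd, respondd, systemd-resolved, dnsmasq) — Ansible coerces both, but the file should settle on the unquoted boolean. The modprobe hunk `@@ -227,23 +254,19 @@` also appears to load `nf_conntrack` a second time after the earlier `# Modules` section already does, so presumably one of the two tasks can be dropped.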