Changeset - c2cd654035e9
x - 21 months ago 2023-08-22 01:51:43
xbr@c3l.lu
feat: initial_gw_setup, rewritten
1 file changed with 182 insertions and 231 deletions:
gateway/initial_gw_setup.yml
 
---
 
- name: Initial Gateway Setup
 
  hosts: test
 
  remote_user: root
 
  become: true
 
  become_method: ansible.builtin.sudo
 

	
 
  vars:
 
    batman: 2022.2
 

	
 
  tasks:
 
    # Update packages
 
    - name: Update all packages to their latest version
 
      ansible.builtin.apt:
 
        update_cache: true
 
        upgrade: "yes"
 
    - name: Install a list of packages
 
      ansible.builtin.apt:
 
        update_cache: true
 
@@ -30,14 +31,7 @@
 
          - lsb-release
 
          - ethtool
 
          - python3
 

	
 
# Updating all packages to their latest version
 
    - name: Update all packages to their latest version
 
      ansible.builtin.apt:
 
        update_cache: true
 
        upgrade: "yes"
 

	
 
# Reboot and reconnect
 
          - wget # for fastd-blacklist
 
    - name: Reboot host and wait for it to restart
 
      ansible.builtin.reboot:
 
        msg: "Reboot initiated by Ansible"
 
@@ -47,8 +41,7 @@
 
        post_reboot_delay: 30
 
        test_command: whoami
 

	
 
# edit routing tables
 
    - name: Add the routing table ports for freifunk
 
    - name: Add the routing table for freifunk
 
      ansible.builtin.blockinfile:
 
        path: /etc/iproute2/rt_tables
 
        backup: true
 
@@ -58,7 +51,7 @@
 
          42      icvpn
 
          100     vpn
 

	
 
# edit rsysctl config
 
    # Sysctl
 
    - name: Add the freifunk settings to sysctl config
 
      ansible.builtin.blockinfile:
 
        path: /etc/sysctl.conf
 
@@ -82,230 +75,159 @@
 
          net.ipv6.conf.default.accept_ra = 0
 
          net.ipv6.conf.eth0.accept_ra = 1
 
          net.ipv4.conf.default.rp_filter = 2
 

	
 
# load kernel module
 
    - name: Load kernel module
 
      become: true
 
      become_user: root
 
      ansible.builtin.shell: modprobe br_netfilter
 

	
 
# edit the module list
 
    - name: Add nf conntrack to modules
 
      ansible.builtin.blockinfile:
 
        path: /etc/modules
 
        backup: true
 
        block: |
 
          nf_conntrack
 

	
 
# reload sysctl config
 
    - name: Reload sysctl config
 
      become: true
 
      become_user: root
 
      ansible.builtin.shell: sysctl -p /etc/sysctl.conf
 

	
 
# Reboot and reconnect
 
    - name: Reboot host and wait for it to restart
 
      ansible.builtin.reboot:
 
        msg: "Reboot initiated by Ansible"
 
        connect_timeout: 5
 
        reboot_timeout: 600
 
        pre_reboot_delay: 0
 
        post_reboot_delay: 30
 
        test_command: whoami
 

	
 
# create the Freifunk bridge interface file
 
# copy default interface file to remote host
 
    - name: Copy interface file with owner and permissions
 
      ansible.builtin.copy:
 
        src: /home/fflux/Infrastructure-Intern/server_config/interface/freifunk
 
    # Modules
 
    - name: Load `br_netfilter` kernel module
 
      community.general.modprobe:
 
        name: "br_netfilter"
 
        persistent: "disabled" # Initially just a modprobe? I don't understand why
 
        state: "present"
 
    - name: Add `nf_conntrack` to modules
 
      community.general.modprobe:
 
        name: "nf_conntrack"
 
        state: "present"
 
        persistent: "present"
 

	
 
    # Basic networking
 
    - name: Setup network interfaces (bridge + bat0)
 
      ansible.builtin.template:
 
        src: "{{ server_config_dir }}/interface/freifunk.j2"
 
        dest: /etc/network/interfaces.d/freifunk
 
        owner: root
 
        group: root
 
        mode: '0644'
 

	
 
# create IPV4 Iptables rules
 
# copy default IPV4 iptables rules file to remote host
 
    - name: Copy rulesv4 file with owner and permissions
 
        mode: "0644"
 
      register: basic_networking
 
    - name: Pull up new interfaces
 
      ansible.builtin.command: /usr/sbin/ifup -a
 
    - name: Copy iptables rulesv4
 
      ansible.builtin.copy:
 
        src: /home/fflux/Infrastructure-Intern/server_config/iptables/rules.v4
 
        src: "{{ server_config_dir }}/iptables/rules.v4"
 
        dest: /etc/iptables/rules.v4
 
        owner: root
 
        group: root
 
        mode: '0644'
 

	
 
# create dnsmasq file
 
# copy default dnsmasq file to remote host
 
    - name: Copy dnsmasq file with owner and permissions
 
      ansible.builtin.copy:
 
        src: /home/fflux/Infrastructure-Intern/server_config/dnsmasq/fflux
 
        mode: "0644"
 
    - name: Restart iptables-persistent
 
      ansible.builtin.service:
 
        name: "netfilter-persistent"
 
        state: "restarted"
 
        enabled: true
 
    - name: Setup dnsmasq config w/ IPv4 ranges
 
      ansible.builtin.template:
 
        src: "{{ server_config_dir }}/dnsmasq/fflux.j2"
 
        dest: /etc/dnsmasq.d/fflux
 
        owner: root
 
        group: root
 
        mode: '0644'
 
        mode: "0644"
 

	
 
# Create directory fflux in fatsd
 
    - name: Create the directory fflux in fastd if it does not exist
 
    # fastd
 
    - name: Create the fflux dir inside of fastd
 
      ansible.builtin.file:
 
        path: /etc/fastd/fflux
 
        state: directory
 
        mode: '0755'
 

	
 
# create fastd config file
 
# copy default dnsmasq file to remote host
 
    - name: Copy fastd config file with owner and permissions
 
      ansible.builtin.copy:
 
        src: /home/fflux/Infrastructure-Intern/server_config/fastd/fastd.conf
 
        mode: "0755"
 
    - name: Setup fastd (fflux) config w/ MAC address
 
      ansible.builtin.template:
 
        src: "{{ server_config_dir }}/fastd/fastd.conf.j2"
 
        dest: /etc/fastd/fflux/fastd.conf
 
        owner: root
 
        group: root
 
        mode: '0644'
 

	
 
# Create directory  peers-gw in fatsd
 
    - name: Create the directory peers-gw in fastd/fflux if it does not exist
 
        mode: "0644"
 
    - name: Create peers-gw directory in fastd/fflux
 
      ansible.builtin.file:
 
        path: /etc/fastd/fflux/peers-gw
 
        state: directory
 
        mode: '0755'
 

	
 
# create fastd blacklist script
 
# copy fastd blacklist script to remote host
 
    - name: Copy fastd blacklist script with owner and permissions
 
        mode: "0755"
 
    # TODO: copy peers
 
    - name: Copy fastd peers
 
    - name: Copy fastd blacklist script
 
      ansible.builtin.copy:
 
        src: /home/fflux/Infrastructure-Intern/scripts/fastd-blacklist.sh
 
        src: "{{ server_scripts_dir }}/fastd-blacklist.sh"
 
        dest: /etc/fastd/fflux/fastd-blacklist.sh
 
        owner: root
 
        group: root
 
        mode: '0755'
 

	
 
# change fasts autostart to all
 
# copy default fastd default file to remote host
 
    - name: Copy fastd config file with owner and permissions
 
        mode: "0755"
 
    - name: Set fastd to autostart all
 
      ansible.builtin.copy:
 
        src: /home/fflux/Infrastructure-Intern/server_config/fastd/fastd
 
        src: "{{ server_config_dir }}/fastd/fastd"
 
        dest: /etc/default/fastd
 
        owner: root
 
        group: root
 
        mode: '0644'
 
        mode: "0644"
 
    - name: Start fastd
 
      ansible.builtin.service:
 
        name: "fastd"
 
        state: "started"
 
        enabled: "true"
 

	
 

	
 
# Remove client directory from openvpn
 
    # OpenVPN
 
    - name: Remove client directory
 
      ansible.builtin.file:
 
        path: /etc/openvpn/client
 
        state: absent
 

	
 
# Remove server from openvpn
 
    - name: Remove server directory
 
      ansible.builtin.file:
 
        path: /etc/openvpn/server
 
        state: absent
 

	
 
# create hideme config
 
# copy the default hidme config to remote host
 
    - name: Copy hideme config with owner and permissions
 
    - name: Copy hideme config
 
      ansible.builtin.copy:
 
        src: /home/fflux/Infrastructure-Intern/server_config/openvpn/hideme.conf
 
        src: "{{ server_config_dir }}/openvpn/hideme.conf"
 
        dest: /etc/openvpn/hideme.conf
 
        owner: root
 
        group: root
 
        mode: '0644'
 

	
 
# create hideme-up script
 
# copy hideme-up script to remote host
 
    - name: Copy hideme-up script with owner and permissions
 
      ansible.builtin.copy:
 
        src: /home/fflux/Infrastructure-Intern/scripts/hideme-up
 
        dest: /etc/openvpn/hideme-up
 
        owner: root
 
        group: root
 
        mode: '0755'
 

	
 
    - name: Copy hideme-down script with owner and permissions
 
        mode: "0644"
 
    - name: Copy hideme auth file
 
      ansible.builtin.copy:
 
        src: /home/fflux/Infrastructure-Intern/scripts/hideme-down
 
        dest: /etc/openvpn/hideme-down
 
        src: "{{ server_config_dir }}/openvpn/auth.txt"
 
        dest: /etc/openvpn/auth.txt
 
        owner: root
 
        group: root
 
        mode: '0755'
 

	
 
# create update resolv conf
 
# copy update-resolv.conf script to remote host
 
    - name: Copy update-resolv.conf with owner and permissions
 
        mode: "0640"
 
    - name: Copy hideme-up script
 
      ansible.builtin.copy:
 
        src: /home/fflux/Infrastructure-Intern/server_config/openvpn/update-resolv-conf
 
        dest: /etc/openvpn/update-resolv-conf
 
        owner: root
 
        group: root
 
        mode: '0755'
 

	
 
# Create for batman installation
 
    - name: Create directory for batman installation
 
      ansible.builtin.file:
 
        path: /usr/src/batman-adv-{{ batman }}
 
        state: directory
 
        mode: '0755'
 

	
 
# Clone and check out batman repo
 
    - name: Clone and check out batman git repo
 
      ansible.builtin.git:
 
        repo: 'https://git.open-mesh.org/batman-adv.git'
 
        dest: /usr/src/batman-adv-{{ batman }}
 
        version: v{{ batman }}
 

	
 
# create dkms conf
 
# copy dkms conf to remote host
 
    - name: Copy dkms.conf with owner and permissions
 
      ansible.builtin.copy:
 
        src: /home/fflux/Infrastructure-Intern/server_config/dkms/dkms.conf
 
        dest: /usr/src/batman-adv-{{ batman }}
 
        src: "{{ server_scripts_dir }}/hideme-up"
 
        dest: /etc/openvpn/hideme-up
 
        owner: root
 
        group: root
 
        mode: '0644'
 

	
 
# create dkms install script
 
# copy dkms install script to remote host
 
    - name: Copy dkms install script with owner and permissions
 
        mode: "0755"
 
    - name: Copy hideme-down script
 
      ansible.builtin.copy:
 
        src: /home/fflux/Infrastructure-Intern/scripts/install_dkms.sh
 
        dest: /usr/local/bin
 
        src: "{{ server_scripts_dir }}/hideme-down"
 
        dest: /etc/openvpn/hideme-down
 
        owner: root
 
        group: root
 
        mode: '0744'
 

	
 
# create build batclt script
 
# copy build batctl script to remote host
 
    - name: Copy build batctl script with owner and permissions
 
        mode: "0755"
 
    - name: Copy update-resolv-conf
 
      ansible.builtin.copy:
 
        src: /home/fflux/Infrastructure-Intern/scripts/build_batctl.sh
 
        dest: /usr/local/bin
 
        src: "{{ server_config_dir }}/openvpn/update-resolv-conf"
 
        dest: /etc/openvpn/update-resolv-conf
 
        owner: root
 
        group: root
 
        mode: '0744'
 

	
 
# Run batman scripts
 
    - name: Run install_dkms.sh
 
      ansible.builtin.command: bash /usr/local/bin/install_dkms.sh
 

	
 
    - name: Run build_batctl.sh
 
      ansible.builtin.command: /usr/local/bin/build_batctl.sh
 
        mode: "0755"
 
    - name: Ensure OpenVPN sevice is enabled + starts
 
      ansible.builtin.service:
 
        name: "openvpn@hideme"
 
        state: "started"
 
        enabled: true
 

	
 
# edit the module list
 
    # batman-adv
 
    - name: Add batman-adv to modules
 
      ansible.builtin.blockinfile:
 
        path: /etc/modules
 
        backup: true
 
        block: |
 
          nf_conntrack
 
          batman-adv
 

	
 
    - name: Creating a file with content
 
      ansible.builtin.copy:
 
        dest: "/etc/modules-load.d/freifunk.conf"
 
        content: |
 
          ebtables
 
          batman_adv
 

	
 
# Reboot and reconnect
 
    - name: Reboot host and wait for it to restart
 
      community.general.modprobe:
 
        name: "batman-adv"
 
        state: "present"
 
        persistent: "present"
 
    - name: Add nf_conntrack to modules
 
      community.general.modprobe:
 
        name: "nf_conntrack"
 
        state: "present"
 
        persistent: "present"
 
    - name: Add ebtables to modules
 
      community.general.modprobe:
 
        name: "ebtables"
 
        state: "present"
 
        persistent: "present"
 
      ansible.builtin.reboot:
 
        msg: "Reboot initiated by Ansible"
 
        connect_timeout: 5
 
@@ -314,46 +236,36 @@
 
        post_reboot_delay: 30
 
        test_command: whoami
 

	
 
# create check gateway script
 
# copy check gateway script to remote host
 
    - name: Copy check gateway script with owner and permissions
 
    # "check" scripts
 
    - name: Copy check gateway script
 
      ansible.builtin.copy:
 
        src: /home/fflux/Infrastructure-Intern/scripts/check_gateway.sh
 
        src: "{{ server_scripts_dir }}/check_gateway.sh"
 
        dest: /usr/local/bin
 
        owner: root
 
        group: root
 
        mode: '0755'
 

	
 
# create check vpn script
 
# copy check vpn script to remote host
 
    - name: Copy check vpn script with owner and permissions
 
        mode: "0755"
 
    - name: Copy check vpn script
 
      ansible.builtin.copy:
 
        src: /home/fflux/Infrastructure-Intern/scripts/check_vpn.sh
 
        src: "{{ server_scripts_dir }}/check_vpn.sh"
 
        dest: /usr/local/bin
 
        owner: root
 
        group: root
 
        mode: '0755'
 
        mode: "0755"
 

	
 
# Clone mesh-announce repo
 
    # mesh-announce
 
    - name: Clone mesh-announce git repo
 
      ansible.builtin.git:
 
        repo: 'https://github.com/ffnord/mesh-announce'
 
        repo: "https://github.com/ffnord/mesh-announce"
 
        dest: /opt/mesh-announce
 
        # TODO: Verify that there has been no update!
 
        version: 40be9a18ee91fa058478bc04105cbd79fd70279e
 

	
 
# create respondd service
 
# copy respondd service script to remote host
 
    - name: Copy respondd service script with owner and permissions
 
      ansible.builtin.copy:
 
        src: /home/fflux/Infrastructure-Intern/scripts/respondd.service
 
        dest: /opt/mesh-announce/respondd.service
 
        owner: root
 
        group: root
 
        mode: '0755'
 

	
 
# Create symlink for respondd service
 
    - name: Create a symbolic link
 
    - name: Configure respondd.service file
 
      ansible.builtin.lineinfile:
 
        path: /opt/mesh-announce/respondd.service
 
        regexp: "^ExecStart="
 
        line: "ExecStart=/opt/mesh-announce/respondd.py -d /opt/mesh-announce/providers -f /opt/mesh-announce/respondd.conf"
 
        state: present
 
    - name: Symbolic link for respondd.service
 
      ansible.builtin.file:
 
        src: /opt/mesh-announce/respondd.service
 
        dest: /etc/systemd/system/respondd.service
 
@@ -361,25 +273,31 @@
 
        group: root
 
        state: link
 
        force: true
 
    - name: Copy respondd.conf template w/ IP + Hardware
 
      ansible.builtin.template:
 
        src: "{{ server_config_dir }}/respondd.conf.j2"
 
        dest: /opt/mesh-announce/respondd.conf
 
        owner: root
 
        mode: "0644"
 
    - name: Enable + Start respondd.service
 
      ansible.builtin.service:
 
        name: "respondd"
 
        state: "started"
 
        enabled: "true"
 

	
 
# Stop respondd
 
    # Disables systemd-resolved Stub Listener
 
    - name: Stop systemd-resolved
 
      ansible.builtin.service:
 
        name: "systemd-resolved"
 
        state: "stopped"
 

	
 
# create resolved conf
 
# copy resolved conf to remote host
 
    - name: Copy resolved.conf with owner and permissions
 
    - name: Copy resolved.conf
 
      ansible.builtin.copy:
 
        src: /home/fflux/Infrastructure-Intern/server_config/systemd-resolved/resolved.conf
 
        src: "{{ server_config_dir }}/systemd-resolved/resolved.conf"
 
        dest: /etc/systemd/resolved.conf
 
        owner: root
 
        group: root
 
        mode: '0644'
 

	
 
# Create symlink for resolved.con
 
    - name: Create a symbolic link
 
        mode: "0644"
 
    - name: Create a symbolic link for resolv.conf, replacing the initial resolv.conf
 
      ansible.builtin.file:
 
        src: /run/systemd/resolve/resolv.conf
 
        dest: /etc/resolv.conf
 
@@ -387,24 +305,57 @@
 
        group: root
 
        state: link
 
        force: true
 

	
 
# Start respondd
 
    - name: Start systemd-resolved
 
      ansible.builtin.service:
 
        name: "systemd-resolved"
 
        state: "started"
 

	
 
# create default crontab
 
# copy default crontab to remote host
 
    - name: Copy crontab with owner and permissions
 
      ansible.builtin.copy:
 
        src: /home/fflux/Infrastructure-Intern/server_config/crontab/crontab
 
        dest: /etc/crontab
 
        owner: root
 
        group: root
 
        mode: '0644'
 

	
 
# Reboot and reconnect
 
        enabled: "true"
 
    - name: Make sure dnsmasq is started
 
      ansible.builtin.service:
 
        name: "dnsmasq"
 
        state: "started"
 
        enabled: "true"
 
    - name: Reload dnsmasq
 
      ansible.builtin.service:
 
        name: "dnsmasq"
 
        state: "reloaded"
 

	
 
    # Crontab
 
    - name: Add check_gateway to cron
 
      ansible.builtin.cron:
 
        name: "check if gateway is online"
 
        user: root
 
        job: "/usr/local/bin/check_gateway.sh > /dev/null 2>&1"
 
        state: "present"
 
        minute: "*"
 
        hour: "*"
 
        day: "*"
 
        month: "*"
 
        weekday: "*"
 
    - name: Add check_vpn to cron
 
      ansible.builtin.cron:
 
        name: "check if vpn is online"
 
        user: root
 
        job: "/usr/local/bin/check_vpn.sh > /dev/null 2>&1"
 
        state: "present"
 
        minute: "*"
 
        hour: "*"
 
        day: "*"
 
        month: "*"
 
        weekday: "*"
 
    - name: Regularly download the peer blacklist
 
      ansible.builtin.cron:
 
        name: "download blacklist"
 
        user: root
 
        job: "/usr/local/bin/check_vpn.sh > /dev/null 2>&1"
 
        state: "present"
 
        minute: "*/5"
 
        hour: "*"
 
        day: "*"
 
        month: "*"
 
        weekday: "*"
 

	
 
    # Reboot and reconnect
 
    - name: Reboot host and wait for it to restart
 
      ansible.builtin.reboot:
 
        msg: "Reboot initiated by Ansible"
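Review bot: The cron entry `Regularly download the peer blacklist` carries `job: "/usr/local/bin/check_vpn.sh > /dev/null 2>&1"`, the same command as the check_vpn task directly above it, so the peer blacklist is never actually refreshed and revoked peers keep their access; the script this file installs for that purpose is `/etc/fastd/fflux/fastd-blacklist.sh`, so presumably `job: "/etc/fastd/fflux/fastd-blacklist.sh > /dev/null 2>&1"` was intended. The `Copy hideme auth file` task takes `{{ server_config_dir }}/openvpn/auth.txt` from the config tree; if that file holds the VPN credentials as its name suggests, it should be stored vault-encrypted (`ansible-vault`) rather than as plaintext in the repository, while the target `mode: "0640"` is appropriate. If both `community.general.modprobe` tasks for `nf_conntrack` (the one after br_netfilter and the one next to batman-adv) are on the new side, they are redundant and one can be dropped. `enabled: "true"` on the fastd, respondd and dnsmasq service tasks is a quoted string where the netfilter-persistent and openvpn tasks use the bare boolean `enabled: true`; use the boolean form throughout.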