---
# Play: one-shot bootstrap of a fresh gateway (inventory group `initial`).
# Every task runs as root via sudo; the play finishes with a reboot.
- name: Initial Gateway Setup
  hosts: "initial"
  become_method: ansible.builtin.sudo
  become: true

  tasks:
    # Packages: full upgrade first, then everything the gateway role needs.
    - name: Update all packages to their latest version
      tags: update
      ansible.builtin.apt:
        upgrade: 'yes'
        update_cache: true
    - name: Install a list of packages
      tags: update
      ansible.builtin.apt:
        update_cache: true
        # `name` is the canonical argument (`pkg` is its alias)
        name:
          - git
          - bridge-utils
          - ntp
          - dnsmasq
          - iptables-persistent
          - openvpn
          - fastd
          - build-essential
          - pkg-config
          - checkinstall
          - libnl-3-dev
          - libnl-genl-3-dev
          - linux-headers-amd64
          - dkms
          - lsb-release
          - ethtool
          - python3
          - wget  # for fastd-blacklist

    # Extra policy-routing tables; a backup of rt_tables is kept on change.
    - name: Add the routing table for freifunk
      tags: config
      ansible.builtin.blockinfile:
        backup: true
        path: /etc/iproute2/rt_tables
        block: |
          # freifunk
          33      lux
          42      icvpn
          100     vpn

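    # Modules: loaded now and made persistent so they survive the reboot at the
    # end of the play. br_netfilter must be loaded before the sysctl task below,
    # otherwise the net.bridge.* keys written there do not exist yet.
    - name: Load `br_netfilter` kernel module
      community.general.modprobe:
        name: br_netfilter
        state: present
        persistent: present
      # was untagged: a `--tags config` run skipped this task while running
      # every other configuration task
      tags: config
    - name: Add `nf_conntrack` to modules
      community.general.modprobe:
        name: nf_conntrack
        state: present
        persistent: present
      tags: config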

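    # Sysctl
    - name: Add the freifunk settings to sysctl config
      ansible.builtin.blockinfile:
        path: /etc/sysctl.conf
        # Gateway forwarding settings. Note for anyone auditing the firewall:
        # bridge-nf-call-* = 0 means frames forwarded by the bridge are NOT
        # passed through iptables/ip6tables/arptables, so rules.v4 only sees
        # routed traffic. rp_filter = 2 is loose reverse-path filtering.
        # NOTE(review): the uplink name eth0 is hard-coded here; confirm it
        # matches the interfaces template (not visible in this file).
        block: |
          # Freifunk specific settings
          net.ipv4.ip_forward=1
          net.ipv4.icmp_errors_use_inbound_ifaddr=1

          net.bridge.bridge-nf-call-arptables = 0
          net.bridge.bridge-nf-call-ip6tables = 0
          net.bridge.bridge-nf-call-iptables = 0

          net.ipv6.conf.all.forwarding=1

          net.ipv6.conf.all.autoconf = 1
          net.ipv6.conf.default.autoconf = 0
          net.ipv6.conf.eth0.autoconf = 1

          net.ipv6.conf.all.accept_ra = 1
          net.ipv6.conf.default.accept_ra = 0
          net.ipv6.conf.eth0.accept_ra = 1
          net.ipv4.conf.default.rp_filter = 2
      tags: config
    - name: Reload sysctl config
      # `command` rather than `shell`: no pipes or redirects are used, so no
      # shell is needed (ansible-lint command-instead-of-shell)
      ansible.builtin.command: sysctl -p /etc/sysctl.conf
      tags: config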

    # Basic networking: interface definitions, bring-up, IPv4 firewall, DHCP.
    - name: Setup network interfaces (bridge + bat0)
      tags: config
      ansible.builtin.template:
        dest: /etc/network/interfaces.d/freifunk
        src: "{{ server_config_dir }}/interface/freifunk.j2"
        mode: "0644"
        owner: root
        group: root
    - name: Pull up new interfaces
      tags: config
      ansible.builtin.command: /usr/sbin/ifup -a
    # rules.v4 is loaded by netfilter-persistent on boot and on restart below
    - name: Copy iptables rulesv4
      tags: config
      ansible.builtin.copy:
        dest: /etc/iptables/rules.v4
        src: "{{ server_config_dir }}/iptables/rules.v4"
        mode: "0644"
        owner: root
        group: root
    - name: Restart iptables-persistent
      tags: config
      ansible.builtin.service:
        name: netfilter-persistent
        enabled: true
        state: restarted
    - name: Setup dnsmasq config w/ IPv4 ranges
      tags: config
      ansible.builtin.template:
        dest: /etc/dnsmasq.d/fflux
        src: "{{ server_config_dir }}/dnsmasq/fflux.j2"
        mode: "0644"
        owner: root
        group: root

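    # fastd
    - name: Create the fflux dir inside of fastd
      ansible.builtin.file:
        path: /etc/fastd/fflux
        state: directory
        mode: "0755"
      tags: config
    - name: Setup fastd (fflux) config w/ MAC address
      ansible.builtin.template:
        src: "{{ server_config_dir }}/fastd/fastd.conf.j2"
        dest: /etc/fastd/fflux/fastd.conf
        owner: root
        group: root
        mode: "0644"
      tags: config
    - name: Create peers-gw directory in fastd/fflux
      ansible.builtin.file:
        path: /etc/fastd/fflux/peers-gw
        state: directory
        mode: "0755"
      tags: config
    # Peer files come from the config repo on the controller; this gateway's own
    # entry is skipped. Assumes peer files are named after the inventory
    # hostname — confirm against the peers-gw directory.
    # NOTE(review): play-level `become: true` also applies to this delegated
    # task, i.e. sudo on the controller — confirm that is intended.
    - name: List all peers but ourselves
      ansible.builtin.find:
        paths: "{{ server_config_dir }}/fastd/peers-gw/"
        excludes: "{{ inventory_hostname }}"
      delegate_to: localhost
      register: peers_to_copy
      tags: config
    - name: Copy fastd peers
      ansible.builtin.copy:
        src: "{{ item.path }}"
        dest: /etc/fastd/fflux/peers-gw/
        owner: root
        group: root  # was missing; every other copy task pins the group
        mode: "0644"
      loop: "{{ peers_to_copy.files }}"
      loop_control:
        label: "{{ item.path | basename }}"  # keep the full file dict out of the log
      tags: config
    - name: Copy fastd blacklist script
      ansible.builtin.copy:
        src: "{{ server_scripts_dir }}/fastd-blacklist.sh"
        dest: /etc/fastd/fflux/fastd-blacklist.sh
        owner: root
        group: root
        mode: "0755"
      tags: config
    - name: Start + Enable fastd
      ansible.builtin.service:
        name: fastd@fflux
        state: started
        enabled: true
      tags: config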

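    # OpenVPN
    # Any pre-existing client/ and server/ configuration is removed so only the
    # hideme instance configured below exists on the host.
    - name: Remove client directory
      ansible.builtin.file:
        path: /etc/openvpn/client
        state: absent
      tags: config
    - name: Remove server directory
      ansible.builtin.file:
        path: /etc/openvpn/server
        state: absent
      tags: config
    - name: Copy hideme config
      ansible.builtin.copy:
        src: "{{ server_config_dir }}/openvpn/hideme.conf"
        dest: /etc/openvpn/hideme.conf
        owner: root
        group: root
        mode: "0644"
      tags: config
    # auth.txt presumably holds the tunnel credentials, hence 0640 rather than
    # the 0644 used for the other files; keep it out of world-readable modes.
    - name: Copy hideme auth file
      ansible.builtin.copy:
        src: "{{ server_config_dir }}/openvpn/auth.txt"
        dest: /etc/openvpn/auth.txt
        owner: root
        group: root
        mode: "0640"
      tags: config
    - name: Copy hideme-up script
      ansible.builtin.copy:
        src: "{{ server_scripts_dir }}/hideme-up"
        dest: /etc/openvpn/hideme-up
        owner: root
        group: root
        mode: "0755"
      tags: config
    - name: Copy hideme-down script
      ansible.builtin.copy:
        src: "{{ server_scripts_dir }}/hideme-down"
        dest: /etc/openvpn/hideme-down
        owner: root
        group: root
        mode: "0755"
      tags: config
    - name: Copy update-resolv-conf
      ansible.builtin.copy:
        src: "{{ server_config_dir }}/openvpn/update-resolv-conf"
        dest: /etc/openvpn/update-resolv-conf
        owner: root
        group: root
        mode: "0755"
      tags: config
    - name: Ensure OpenVPN service is enabled + starts  # fixed typo "sevice"
      ansible.builtin.service:
        name: openvpn@hideme
        state: started
        enabled: true
      tags: config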

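    # batman-adv
    # NOTE(review): this runs after `ifup -a` in the networking section; if the
    # interfaces template defines bat0, that interface only comes up once the
    # persistent module is loaded, i.e. after the final reboot — confirm.
    - name: Add batman-adv to modules
      community.general.modprobe:
        name: batman-adv
        state: present
        persistent: present
      tags: config
    # nf_conntrack is already loaded and made persistent in the Modules section
    # above; the duplicate task that was here has been dropped.
    - name: Add ebtables to modules
      community.general.modprobe:
        name: ebtables
        state: present
        persistent: present
      tags: config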

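    # "check" scripts — invoked every minute by the cron entries further down
    - name: Copy check gateway script
      ansible.builtin.copy:
        src: "{{ server_scripts_dir }}/check_gateway.sh"
        # explicit file name: with a bare directory dest, a missing
        # /usr/local/bin would silently be created as a file of that name
        dest: /usr/local/bin/check_gateway.sh
        owner: root
        group: root
        mode: "0755"
      tags: config
    - name: Copy check vpn script
      ansible.builtin.copy:
        src: "{{ server_scripts_dir }}/check_vpn.sh"
        dest: /usr/local/bin/check_vpn.sh
        owner: root
        group: root
        mode: "0755"
      tags: config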

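    # mesh-announce
    - name: Clone mesh-announce git repo
      ansible.builtin.git:
        repo: "https://github.com/ffnord/mesh-announce"
        dest: /opt/mesh-announce
        # Pinned to a fixed commit so an upstream change cannot alter what runs
        # on the gateway without a deliberate bump here.
        # TODO: Verify that there has been no update!
        version: 40be9a18ee91fa058478bc04105cbd79fd70279e
      tags: config
    # ExecStart is overridden through a systemd drop-in instead of editing the
    # tracked unit file inside the checkout: a modified tracked file makes the
    # git task above fail on every later run ("Local modifications exist ...
    # (force=no)"). Untracked files such as respondd.conf do not trigger that
    # check — confirm respondd.conf is not tracked upstream.
    - name: Create drop-in directory for respondd.service
      ansible.builtin.file:
        path: /etc/systemd/system/respondd.service.d
        state: directory
        owner: root
        group: root
        mode: "0755"
      tags: config
    - name: Configure respondd.service ExecStart via drop-in
      ansible.builtin.copy:
        dest: /etc/systemd/system/respondd.service.d/override.conf
        # the empty ExecStart= clears the unit's own command before setting ours
        content: |
          [Service]
          ExecStart=
          ExecStart=/opt/mesh-announce/respondd.py -d /opt/mesh-announce/providers -f /opt/mesh-announce/respondd.conf
        owner: root
        group: root
        mode: "0644"
      tags: config
    - name: Symbolic link for respondd.service
      ansible.builtin.file:
        src: /opt/mesh-announce/respondd.service
        dest: /etc/systemd/system/respondd.service
        owner: root
        group: root
        state: link
        force: true
      tags: config
    - name: Copy respondd.conf template w/ IP + Hardware
      ansible.builtin.template:
        src: "{{ server_config_dir }}/respondd.conf.j2"
        dest: /opt/mesh-announce/respondd.conf
        owner: root
        group: root  # was missing; every other file task pins the group
        mode: "0644"
      tags: config
    - name: Enable + Start respondd.service
      ansible.builtin.systemd:
        name: respondd
        state: started
        enabled: true  # boolean, consistent with the other service tasks
        daemon_reload: true  # pick up the new link and drop-in
      tags: config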

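    # Disables systemd-resolved Stub Listener
    # resolved is stopped while resolved.conf and /etc/resolv.conf are swapped,
    # so host name resolution is briefly unavailable during these tasks.
    - name: Stop systemd-resolved
      ansible.builtin.service:
        name: systemd-resolved
        state: stopped
      tags: config
    - name: Copy resolved.conf
      ansible.builtin.copy:
        src: "{{ server_config_dir }}/systemd-resolved/resolved.conf"
        dest: /etc/systemd/resolved.conf
        owner: root
        group: root
        mode: "0644"
      tags: config
    - name: Create a symbolic link for resolv.conf, replacing the initial resolv.conf
      ansible.builtin.file:
        src: /run/systemd/resolve/resolv.conf
        dest: /etc/resolv.conf
        owner: root
        group: root
        state: link
        force: true
      tags: config
    - name: Start systemd-resolved
      ansible.builtin.service:
        name: systemd-resolved
        state: started
        enabled: true  # boolean, not the string "true", like the other service tasks
      tags: config
    - name: Make sure dnsmasq is started
      ansible.builtin.service:
        name: dnsmasq
        state: started
        enabled: true
      tags: config
    - name: Reload dnsmasq
      ansible.builtin.service:
        name: dnsmasq
        state: reloaded
      tags: config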

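    # Crontab
    - name: Add check_gateway to cron
      ansible.builtin.cron:
        name: "check if gateway is online"
        user: root
        job: "/usr/local/bin/check_gateway.sh > /dev/null 2>&1"
        state: present
        minute: "*"
        hour: "*"
        day: "*"
        month: "*"
        weekday: "*"
      tags: config
    - name: Add check_vpn to cron
      ansible.builtin.cron:
        name: "check if vpn is online"
        user: root
        job: "/usr/local/bin/check_vpn.sh > /dev/null 2>&1"
        state: present
        minute: "*"
        hour: "*"
        day: "*"
        month: "*"
        weekday: "*"
      tags: config
    - name: Regularly download the peer blacklist
      ansible.builtin.cron:
        name: "download blacklist"
        user: root
        # was a copy of the check_vpn entry, so the blacklist was never
        # refreshed; the script is installed by the fastd section at this path
        job: "/etc/fastd/fflux/fastd-blacklist.sh > /dev/null 2>&1"
        state: present
        minute: "*/5"
        hour: "*"
        day: "*"
        month: "*"
        weekday: "*"
      tags: config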

    # Reboot and reconnect: applies the persistent modules and interface config,
    # then waits (up to 10 minutes) until `whoami` succeeds over SSH again.
    - name: Reboot host and wait for it to restart
      ansible.builtin.reboot:
        msg: 'Reboot initiated by Ansible'
        test_command: whoami
        pre_reboot_delay: 0
        post_reboot_delay: 30
        connect_timeout: 5
        reboot_timeout: 600