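---
# Initial provisioning of a Freifunk gateway host: packages, routing table,
# sysctl, kernel modules, bridge/batman interfaces, iptables, dnsmasq, fastd,
# OpenVPN (hideme), mesh-announce/respondd, systemd-resolved, cron checks.
- name: Initial Gateway Setup
  hosts: test
  become: true
  become_method: ansible.builtin.sudo
  tasks:
    # Update packages
    - name: Update all packages to their latest version
      ansible.builtin.apt:
        update_cache: true
        upgrade: "yes"  # apt module choice; quoted so YAML does not read it as a boolean

    - name: Install a list of packages
      ansible.builtin.apt:
        update_cache: true
        pkg:
          - git
          - bridge-utils
          - ntp
          - dnsmasq
          - iptables-persistent
          - openvpn
          - fastd
          - build-essential
          - pkg-config
          - checkinstall
          - libnl-3-dev
          - libnl-genl-3-dev
          - linux-headers-amd64
          - dkms
          - lsb-release
          - ethtool
          - python3
          - wget  # for fastd-blacklist

    - name: Reboot host and wait for it to restart
      ansible.builtin.reboot:
        msg: "Reboot initiated by Ansible"
        connect_timeout: 5
        reboot_timeout: 600
        pre_reboot_delay: 0
        post_reboot_delay: 30
        test_command: whoami

    - name: Add the routing table for freifunk
      ansible.builtin.blockinfile:
        path: /etc/iproute2/rt_tables
        backup: true
        block: |
          # freifunk
          33 lux
          42 icvpn
          100 vpn

    # Sysctl
    - name: Add the freifunk settings to sysctl config
      ansible.builtin.blockinfile:
        path: /etc/sysctl.conf
        backup: true
        block: |
          # Freifunk specific settings
          net.ipv4.ip_forward=1
          net.ipv4.icmp_errors_use_inbound_ifaddr=1
          net.bridge.bridge-nf-call-arptables = 0
          net.bridge.bridge-nf-call-ip6tables = 0
          net.bridge.bridge-nf-call-iptables = 0
          net.ipv6.conf.all.forwarding=1
          net.ipv6.conf.all.autoconf = 1
          net.ipv6.conf.default.autoconf = 0
          net.ipv6.conf.eth0.autoconf = 1
          net.ipv6.conf.all.accept_ra = 1
          net.ipv6.conf.default.accept_ra = 0
          net.ipv6.conf.eth0.accept_ra = 1
          net.ipv4.conf.default.rp_filter = 2

    # Modules
    # NOTE(review): the net.bridge.* keys written above only exist while
    # br_netfilter is loaded, so the module is loaded before `sysctl -p`
    # (previously the reload ran first). With persistent "disabled" the keys
    # will not be settable at boot after the later reboots; confirm intended.
    - name: Load `br_netfilter` kernel module
      community.general.modprobe:
        name: "br_netfilter"
        persistent: "disabled"  # Initially just a modprobe? I don't understand why
        state: "present"

    - name: Reload sysctl config
      # No shell features are used, so `command` is enough here.
      ansible.builtin.command: sysctl -p /etc/sysctl.conf

    - name: Add `nf_conntrack` to modules
      community.general.modprobe:
        name: "nf_conntrack"
        state: "present"
        persistent: "present"

    # Basic networking
    - name: Setup network interfaces (bridge + bat0)
      ansible.builtin.template:
        src: "{{ server_config_dir }}/interface/freifunk.j2"
        dest: /etc/network/interfaces.d/freifunk
        owner: root
        group: root
        mode: "0644"
      register: basic_networking

    - name: Pull up new interfaces
      ansible.builtin.command: /usr/sbin/ifup -a
      # Only needed when the interfaces file actually changed.
      when: basic_networking is changed

    - name: Copy iptables rulesv4
      ansible.builtin.copy:
        src: "{{ server_config_dir }}/iptables/rules.v4"
        dest: /etc/iptables/rules.v4
        owner: root
        group: root
        mode: "0644"

    - name: Restart iptables-persistent
      ansible.builtin.service:
        name: "netfilter-persistent"
        state: "restarted"
        enabled: true

    - name: Setup dnsmasq config w/ IPv4 ranges
      ansible.builtin.template:
        src: "{{ server_config_dir }}/dnsmasq/fflux.j2"
        dest: /etc/dnsmasq.d/fflux
        owner: root
        group: root
        mode: "0644"

    # fastd
    - name: Create the fflux dir inside of fastd
      ansible.builtin.file:
        path: /etc/fastd/fflux
        state: directory
        mode: "0755"

    - name: Setup fastd (fflux) config w/ MAC address
      ansible.builtin.template:
        src: "{{ server_config_dir }}/fastd/fastd.conf.j2"
        dest: /etc/fastd/fflux/fastd.conf
        owner: root
        group: root
        mode: "0644"

    - name: Create peers-gw directory in fastd/fflux
      ansible.builtin.file:
        path: /etc/fastd/fflux/peers-gw
        state: directory
        mode: "0755"

    # TODO: copy peers
    # - name: Copy fastd peers
    #   (left commented out: a task with a name but no module/action aborts the play)

    - name: Copy fastd blacklist script
      ansible.builtin.copy:
        src: "{{ server_scripts_dir }}/fastd-blacklist.sh"
        dest: /etc/fastd/fflux/fastd-blacklist.sh
        owner: root
        group: root
        mode: "0755"

    - name: Set fastd to autostart all
      ansible.builtin.copy:
        src: "{{ server_config_dir }}/fastd/fastd"
        dest: /etc/default/fastd
        owner: root
        group: root
        mode: "0644"

    - name: Start fastd
      ansible.builtin.service:
        name: "fastd"
        state: "started"
        enabled: true

    # OpenVPN
    - name: Remove client directory
      ansible.builtin.file:
        path: /etc/openvpn/client
        state: absent

    - name: Remove server directory
      ansible.builtin.file:
        path: /etc/openvpn/server
        state: absent

    - name: Copy hideme config
      ansible.builtin.copy:
        src: "{{ server_config_dir }}/openvpn/hideme.conf"
        dest: /etc/openvpn/hideme.conf
        owner: root
        group: root
        mode: "0644"

    # NOTE: auth.txt carries the VPN credentials; keep the source file
    # encrypted with ansible-vault rather than in plain text in the repo.
    - name: Copy hideme auth file
      ansible.builtin.copy:
        src: "{{ server_config_dir }}/openvpn/auth.txt"
        dest: /etc/openvpn/auth.txt
        owner: root
        group: root
        mode: "0640"

    - name: Copy hideme-up script
      ansible.builtin.copy:
        src: "{{ server_scripts_dir }}/hideme-up"
        dest: /etc/openvpn/hideme-up
        owner: root
        group: root
        mode: "0755"

    - name: Copy hideme-down script
      ansible.builtin.copy:
        src: "{{ server_scripts_dir }}/hideme-down"
        dest: /etc/openvpn/hideme-down
        owner: root
        group: root
        mode: "0755"

    - name: Copy update-resolv-conf
      ansible.builtin.copy:
        src: "{{ server_config_dir }}/openvpn/update-resolv-conf"
        dest: /etc/openvpn/update-resolv-conf
        owner: root
        group: root
        mode: "0755"

    - name: Ensure OpenVPN sevice is enabled + starts
      ansible.builtin.service:
        name: "openvpn@hideme"
        state: "started"
        enabled: true

    # batman-adv
    - name: Add batman-adv to modules
      community.general.modprobe:
        name: "batman-adv"
        state: "present"
        persistent: "present"

    # (nf_conntrack is already loaded and made persistent in the Modules section above.)

    - name: Add ebtables to modules
      community.general.modprobe:
        name: "ebtables"
        state: "present"
        persistent: "present"

    # Previously attached to the ebtables task without its own name, which gives
    # one task two actions and aborts the play; it is a task of its own now.
    - name: Reboot host after loading kernel modules
      ansible.builtin.reboot:
        msg: "Reboot initiated by Ansible"
        connect_timeout: 5
        reboot_timeout: 600
        pre_reboot_delay: 0
        post_reboot_delay: 30
        test_command: whoami

    # "check" scripts
    - name: Copy check gateway script
      ansible.builtin.copy:
        src: "{{ server_scripts_dir }}/check_gateway.sh"
        dest: /usr/local/bin
        owner: root
        group: root
        mode: "0755"

    - name: Copy check vpn script
      ansible.builtin.copy:
        src: "{{ server_scripts_dir }}/check_vpn.sh"
        dest: /usr/local/bin
        owner: root
        group: root
        mode: "0755"

    # mesh-announce
    - name: Clone mesh-announce git repo
      ansible.builtin.git:
        repo: "https://github.com/ffnord/mesh-announce"
        dest: /opt/mesh-announce
        # TODO: Verify that there has been no update!
        # Pinned to a full commit hash so the checkout is reproducible; quoted
        # so a digit-only prefix can never be read as a number.
        version: "40be9a18ee91fa058478bc04105cbd79fd70279e"

    - name: Configure respondd.service file
      ansible.builtin.lineinfile:
        path: /opt/mesh-announce/respondd.service
        regexp: "^ExecStart="
        line: "ExecStart=/opt/mesh-announce/respondd.py -d /opt/mesh-announce/providers -f /opt/mesh-announce/respondd.conf"
        state: present

    - name: Symbolic link for respondd.service
      ansible.builtin.file:
        src: /opt/mesh-announce/respondd.service
        dest: /etc/systemd/system/respondd.service
        owner: root
        group: root
        state: link
        force: true

    - name: Copy respondd.conf template w/ IP + Hardware
      ansible.builtin.template:
        src: "{{ server_config_dir }}/respondd.conf.j2"
        dest: /opt/mesh-announce/respondd.conf
        owner: root
        mode: "0644"

    - name: Enable + Start respondd.service
      ansible.builtin.service:
        name: "respondd"
        state: "started"
        enabled: true

    # Disables systemd-resolved Stub Listener
    - name: Stop systemd-resolved
      ansible.builtin.service:
        name: "systemd-resolved"
        state: "stopped"

    - name: Copy resolved.conf
      ansible.builtin.copy:
        src: "{{ server_config_dir }}/systemd-resolved/resolved.conf"
        dest: /etc/systemd/resolved.conf
        owner: root
        group: root
        mode: "0644"

    - name: Create a symbolic link for resolv.conf, replacing the initial resolv.conf
      ansible.builtin.file:
        src: /run/systemd/resolve/resolv.conf
        dest: /etc/resolv.conf
        owner: root
        group: root
        state: link
        force: true

    - name: Start systemd-resolved
      ansible.builtin.service:
        name: "systemd-resolved"
        state: "started"
        enabled: true

    - name: Make sure dnsmasq is started
      ansible.builtin.service:
        name: "dnsmasq"
        state: "started"
        enabled: true

    - name: Reload dnsmasq
      ansible.builtin.service:
        name: "dnsmasq"
        state: "reloaded"

    # Crontab
    - name: Add check_gateway to cron
      ansible.builtin.cron:
        name: "check if gateway is online"
        user: root
        job: "/usr/local/bin/check_gateway.sh > /dev/null 2>&1"
        state: "present"
        minute: "*"
        hour: "*"
        day: "*"
        month: "*"
        weekday: "*"

    - name: Add check_vpn to cron
      ansible.builtin.cron:
        name: "check if vpn is online"
        user: root
        job: "/usr/local/bin/check_vpn.sh > /dev/null 2>&1"
        state: "present"
        minute: "*"
        hour: "*"
        day: "*"
        month: "*"
        weekday: "*"

    # NOTE(review): this job previously ran check_vpn.sh again (a copy of the
    # entry above); it now runs the blacklist script installed earlier.
    # Confirm fastd-blacklist.sh needs no arguments.
    - name: Regularly download the peer blacklist
      ansible.builtin.cron:
        name: "download blacklist"
        user: root
        job: "/etc/fastd/fflux/fastd-blacklist.sh > /dev/null 2>&1"
        state: "present"
        minute: "*/5"
        hour: "*"
        day: "*"
        month: "*"
        weekday: "*"

    # Reboot and reconnect
    - name: Reboot host and wait for it to restart
      ansible.builtin.reboot:
        msg: "Reboot initiated by Ansible"
        connect_timeout: 5
        reboot_timeout: 600
        pre_reboot_delay: 0
        post_reboot_delay: 30
        test_command: whoami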