diff --git a/inventory/group_vars/all b/inventory/group_vars/all index 458e648e..97bd1423 100644 --- a/inventory/group_vars/all +++ b/inventory/group_vars/all @@ -470,8 +470,10 @@ meshes: ipv6_public: - 2a03:2260:11a:ff::/64 batman: - it: 10000 - gw: server 96mbit/96mbit + it: 10s + gw: server + up: 96M + down: 96M mm: 0 dat: 1 hop_penalty: 60 @@ -507,8 +509,10 @@ meshes: ipv6_public: - 2a03:2260:11a:1::/64 batman: - it: 10000 - gw: server 96mbit/96mbit + it: 10s + gw: server + up: 96M + down: 96M mm: 0 dat: 1 hop_penalty: 60 @@ -544,8 +548,10 @@ meshes: ipv6_public: - 2a03:2260:11a:2::/64 batman: - it: 10000 - gw: server 96mbit/96mbit + it: 10s + gw: server + up: 96M + down: 96M mm: 0 dat: 1 hop_penalty: 60 @@ -581,8 +587,10 @@ meshes: ipv6_public: - 2a03:2260:11a:3::/64 batman: - it: 10000 - gw: server 96mbit/96mbit + it: 10s + gw: server + up: 96M + down: 96M mm: 0 dat: 1 hop_penalty: 60 @@ -618,8 +626,10 @@ meshes: ipv6_public: - 2a03:2260:11a:4::/64 batman: - it: 10000 - gw: server 96mbit/96mbit + it: 10s + gw: server + up: 96M + down: 96M mm: 0 dat: 1 hop_penalty: 60 @@ -655,8 +665,10 @@ meshes: ipv6_public: - 2a03:2260:11a:5::/64 batman: - it: 10000 - gw: server 96mbit/96mbit + it: 10s + gw: server + up: 96M + down: 96M mm: 0 dat: 1 hop_penalty: 60 @@ -692,8 +704,10 @@ meshes: ipv6_public: - 2a03:2260:11a:6::/64 batman: - it: 10000 - gw: server 96mbit/96mbit + it: 10s + gw: server + up: 96M + down: 96M mm: 0 dat: 1 hop_penalty: 60 @@ -729,8 +743,10 @@ meshes: ipv6_public: - 2a03:2260:11a:7::/64 batman: - it: 10000 - gw: server 96mbit/96mbit + it: 10s + gw: server + up: 96M + down: 96M mm: 0 dat: 1 hop_penalty: 60 @@ -771,8 +787,10 @@ meshes: - ffmz.org - user.ffmz.org batman: - it: 10000 - gw: server 96mbit/96mbit + it: 10s + gw: server + up: 96M + down: 96M mm: 0 dat: 1 hop_penalty: 60 
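Review bot: The same `batman:` block (`it: 10s`, `gw: server`, `up: 96M`, `down: 96M`, plus the unchanged keys) is now repeated verbatim in all ten mesh entries of this file (nine hunks here, the tenth in the next hunk), so a future change to the gateway bandwidth or originator interval has to be made ten times. If the values are meant to stay identical across meshes, a YAML anchor — `batman: &batman_defaults` on the first entry and `batman: *batman_defaults` on the others — keeps them in sync; Ansible's YAML loader honours anchors in group_vars. Where a mesh genuinely needs different values, the per-mesh block stays as it is, which makes the exception visible.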
@@ -817,8 +835,10 @@ meshes: - ffwi.org - user.ffwi.org batman: - it: 10000 - gw: server 96mbit/96mbit + it: 10s + gw: server + up: 96M + down: 96M mm: 0 dat: 1 hop_penalty: 60 diff --git a/inventory/group_vars/gateways b/inventory/group_vars/gateways index 6dd95952..9f54d533 100644 --- a/inventory/group_vars/gateways +++ b/inventory/group_vars/gateways @@ -2,6 +2,7 @@ routing_tables: icvpn: 23 mwu: 41 + unreachable: 51 internet: 61 common_repos: diff --git a/playbooks/gateways.yml b/playbooks/gateways.yml index 3786680c..b8b9640f 100755 --- a/playbooks/gateways.yml +++ b/playbooks/gateways.yml @@ -16,13 +16,10 @@ - service-ntpd - kmod-batman - wireguard - - network-routetables - - network-batman - - network-meshbridge - - network-fastd + - network-routing + - network-mesh - network-ffrl - network-iptables-gateway - - network-routing - service-nginx - service-nginx-firmware - service-prometheus diff --git a/playbooks/monitoring.yml b/playbooks/monitoring.yml index ece97586..9ca3b5c4 100755 --- a/playbooks/monitoring.yml +++ b/playbooks/monitoring.yml @@ -15,11 +15,8 @@ - service-ntpd - kmod-batman - wireguard - - network-routetables - - network-batman - - network-meshbridge - - network-fastd - network-routing + - network-mesh - service-nginx - service-nginx-openlayers - service-cpthook diff --git a/playbooks/services.yml b/playbooks/services.yml index d4179e7a..d0cd77e3 100755 --- a/playbooks/services.yml +++ b/playbooks/services.yml @@ -14,7 +14,6 @@ - service-haveged - service-ntpd - wireguard - - network-routetables - network-routing - service-bird - service-nginx diff --git a/roles/network-anycast/handlers/main.yml b/roles/network-anycast/handlers/main.yml index 191d07d1..ba4c4dbb 100644 --- a/roles/network-anycast/handlers/main.yml +++ b/roles/network-anycast/handlers/main.yml @@ -1,5 +1,5 @@ --- -- name: reload network interfaces +- name: restart networkd systemd: - name: networking - state: reloaded + name: systemd-networkd + state: restarted 
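Review bot: The new `restart networkd` handler (`name: systemd-networkd`, `state: restarted`) reconfigures every managed link on a live gateway, and networkd does not apply changed `.netdev` parameters to a device that already exists, so this handler will not pick up later edits to the batman or GRE netdev settings either; the identically named handler is introduced below in the network-ffrl, network-loopback, network-mesh and network-routing roles and the same applies there. For `.network`/drop-in changes, `networkctl reload` (where the installed systemd provides it) is the less disruptive trigger. Either way the handler deserves a comment stating that `.netdev` changes still require the device to be deleted (`networkctl delete <iface>`) or the host rebooted before they take effect.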
diff --git a/roles/network-anycast/tasks/main.yml b/roles/network-anycast/tasks/main.yml index a0ca1233..bf44fc59 100644 --- a/roles/network-anycast/tasks/main.yml +++ b/roles/network-anycast/tasks/main.yml @@ -1,6 +1,12 @@ --- -- name: create anycast interface +- name: create anycast.netdev template: - src: anycast.j2 - dest: "/etc/network/interfaces.d/anycast" - notify: reload network interfaces + src: anycast.netdev.j2 + dest: "/etc/systemd/network/anycast.netdev" + notify: restart networkd + +- name: create anycast.network + template: + src: anycast.network.j2 + dest: "/etc/systemd/network/anycast.netdev" + notify: restart networkd diff --git a/roles/network-anycast/templates/anycast.j2 b/roles/network-anycast/templates/anycast.j2 deleted file mode 100644 index 84d796e9..00000000 --- a/roles/network-anycast/templates/anycast.j2 +++ /dev/null @@ -1,8 +0,0 @@ -# -# {{ ansible_managed }} -# -auto anycast -iface anycast - link-type dummy - address {{ anycast_ipv4 | ipaddr('network/prefix') }} - address {{ anycast_ipv6 | ipaddr('network/prefix') }} diff --git a/roles/network-anycast/templates/anycast.netdev.j2 b/roles/network-anycast/templates/anycast.netdev.j2 new file mode 100644 index 00000000..530ff80d --- /dev/null +++ b/roles/network-anycast/templates/anycast.netdev.j2 @@ -0,0 +1,6 @@ +# +# {{ ansible_managed }} +# +[NetDev] +Name=anycast +Kind=dummy diff --git a/roles/network-anycast/templates/anycast.network.j2 b/roles/network-anycast/templates/anycast.network.j2 new file mode 100644 index 00000000..e8eea56c --- /dev/null +++ b/roles/network-anycast/templates/anycast.network.j2 @@ -0,0 +1,9 @@ +# +# {{ ansible_managed }} +# +[Match] +Name=anycast + +[Network] +Address={{ anycast_ipv4 | ipaddr('network/prefix') }} +Address={{ anycast_ipv6 | ipaddr('network/prefix') }} diff --git a/roles/network-batman/handlers/main.yml b/roles/network-batman/handlers/main.yml deleted file mode 100644 index 191d07d1..00000000 
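Review bot: The new `create anycast.network` task renders its template to `dest: "/etc/systemd/network/anycast.netdev"`, the same path the task above writes, so the rendered `.network` content clobbers the `.netdev` and networkd is left with neither a dummy-device definition nor an address configuration for `anycast`. The destination should be `dest: "/etc/systemd/network/anycast.network"`. Because both tasks notify the same handler, the mistake does not surface as a playbook error, only as a missing interface after the restart.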
--- a/roles/network-batman/handlers/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: reload network interfaces - systemd: - name: networking - state: reloaded diff --git a/roles/network-batman/tasks/main.yml b/roles/network-batman/tasks/main.yml deleted file mode 100644 index 08d72d62..00000000 --- a/roles/network-batman/tasks/main.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- -- name: create dummy interfaces - template: - src: dummy.j2 - dest: "/etc/network/interfaces.d/{{ item.id }}" - notify: reload network interfaces - loop: "{{ meshes }}" - -- name: create batman interfaces - template: - src: batman.j2 - dest: "/etc/network/interfaces.d/{{ item.id }}bat" - notify: reload network interfaces - loop: "{{ meshes }}" - -- name: flush handlers - meta: flush_handlers diff --git a/roles/network-batman/templates/batman.j2 b/roles/network-batman/templates/batman.j2 deleted file mode 100644 index bf44ea64..00000000 --- a/roles/network-batman/templates/batman.j2 +++ /dev/null @@ -1,15 +0,0 @@ -#jinja2: trim_blocks:False -{% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} -{% set mac = '0201' + ip4hex -%} -# -# {{ ansible_managed }} -# -auto {{ item.id }}bat -iface {{ item.id }}bat - hwaddress {{ mac | hwaddr('linux') }} - batman-ifaces {{ item.id }} {% if server_type == 'gateway' %}{% for instance in item.fastd.nodes.instances %}{{ item.id }}vpn-{{ instance.mtu }}{% if not loop.last %} {% endif %}{% endfor %} {% endif %}{% for instance in item.fastd.backbone.instances %}{{ item.id }}igvpn-{{ instance.mtu }}{% if not loop.last %} {% endif %}{% endfor %} - batman-hop-penalty {{ item.batman.hop_penalty }} - post-up /usr/sbin/batctl -m $IFACE it {{ item.batman.it }} - post-up /usr/sbin/batctl -m $IFACE mm {{ item.batman.mm }} - post-up /usr/sbin/batctl -m $IFACE dat {{ item.batman.dat }} - post-up /usr/sbin/batctl -m $IFACE gw {% if server_type == 'gateway' %}{{ item.batman.gw }}{% else %}off{% endif %} 
diff --git a/roles/network-fastd/README.md b/roles/network-fastd/README.md deleted file mode 100644 index e163825a..00000000 --- a/roles/network-fastd/README.md +++ /dev/null @@ -1,44 +0,0 @@ -# Ansible role network-fastd - -Diese Ansible role konfiguriert Netzwerk Interfaces für die definierten fastd Instanzen. - -Es wird zwischen node- und backbone-Instanzen unterschieden. - -## Interface-Benamung -- Node-Interfaces: _$mesh.id_ + vpn + '-' + _$mesh.fastd.nodes.instances.xx.mtu_, z.B. "mzvpn-1312" -- Backbone-Interfaces: _$mesh.id_ + 'ig' + vpn + '-' + _$mesh.fastd.backbone.instances.xx.mtu_, z.B. "mzigvpn-1312" - -## Benötigte Variablen - -- Dictionary `meshes` - -``` -meshes: - - id: xx -... - ipv4_network: -... - fastd: - nodes: - instances: - - id: 0 # integer - mtu: # integer - ... - backbone: - instances: - - id: 0 # integer - mtu: # integer - ... - -``` - -- Host Variable `magic` - -- Host Variable `server_type` - -## MAC-Adressen - -Die MAC-Adressen der Interfaces werden aus dem IPv4-Subnetz sowie der `magic`-Nummer des Hosts berechnet. x = ID der fastd-Instanz. - -- xxvpn-$mtu prefix: `02:2x` -- xxigvpn-$mtu prefix: `02:3x` diff --git a/roles/network-fastd/handlers/main.yml b/roles/network-fastd/handlers/main.yml deleted file mode 100644 index 191d07d1..00000000 --- a/roles/network-fastd/handlers/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: reload network interfaces - systemd: - name: networking - state: reloaded diff --git a/roles/network-fastd/tasks/main.yml b/roles/network-fastd/tasks/main.yml deleted file mode 100644 index f6d34b12..00000000 --- a/roles/network-fastd/tasks/main.yml +++ /dev/null 
@@ -1,18 +0,0 @@ ---- -- name: create fastd mesh interfaces - when: server_type == "gateway" - template: - src: fastd-mesh.j2 - dest: "/etc/network/interfaces.d/{{ item.0.id }}vpn-{{ item.1.mtu }}" - notify: reload network interfaces - loop: "{{ meshes | subelements('fastd.nodes.instances') }}" - -- name: create fastd backbone interfaces - template: - src: fastd-backbone.j2 - dest: "/etc/network/interfaces.d/{{ item.0.id }}igvpn-{{ item.1.mtu }}" - notify: reload network interfaces - loop: "{{ meshes | subelements('fastd.backbone.instances') }}" - -- name: flush handlers - meta: flush_handlers diff --git a/roles/network-ffrl/handlers/main.yml b/roles/network-ffrl/handlers/main.yml index 191d07d1..ba4c4dbb 100644 --- a/roles/network-ffrl/handlers/main.yml +++ b/roles/network-ffrl/handlers/main.yml @@ -1,5 +1,5 @@ --- -- name: reload network interfaces +- name: restart networkd systemd: - name: networking - state: reloaded + name: systemd-networkd + state: restarted diff --git a/roles/network-ffrl/tasks/main.yml b/roles/network-ffrl/tasks/main.yml index 96b72883..3c36a877 100644 --- a/roles/network-ffrl/tasks/main.yml +++ b/roles/network-ffrl/tasks/main.yml 
@@ -1,16 +1,35 @@ --- -- name: create ffrl interfaces +- name: create ffrl-nat.netdev template: - src: ffrl.j2 - dest: "/etc/network/interfaces.d/{{ item.key }}" - notify: reload network interfaces + src: ffrl-gre.netdev.j2 + dest: "/etc/systemd/network/{{ item.key }}.netdev" + notify: restart networkd loop: "{{ ffrl_exit_server | dict2items }}" -- name: create ffrl-nat dummy interface +- name: create ffrl-nat.network template: - src: ffrl_nat.j2 - dest: "/etc/network/interfaces.d/ffrl-nat" - notify: reload network interfaces + src: ffrl-gre.network.j2 + dest: "/etc/systemd/network/{{ item.key }}.network" + notify: restart networkd + loop: "{{ ffrl_exit_server | dict2items }}" + +- name: create ffrl-nat.netdev + template: + src: ffrl-nat.netdev.j2 + dest: "/etc/systemd/network/ffrl-nat.netdev" + notify: restart networkd + +- name: create ffrl-nat.network + template: + src: ffrl-nat.network.j2 + dest: "/etc/systemd/network/ffrl-nat.network" + notify: restart networkd + +- name: create ffrl-tunnel.conf + template: + src: ffrl-tunnel.conf.j2 + dest: "/etc/systemd/network/{{ ansible_default_ipv4.interface }}.network.d/ffrl-tunnel.conf" + notify: restart networkd - name: flush handlers meta: flush_handlers diff --git a/roles/network-ffrl/templates/ffrl-gre.netdev.j2 b/roles/network-ffrl/templates/ffrl-gre.netdev.j2 new file mode 100644 index 00000000..66ce430b --- /dev/null +++ b/roles/network-ffrl/templates/ffrl-gre.netdev.j2 @@ -0,0 +1,12 @@ +# +# {{ ansible_managed }} +# +[NetDev] +Name={{ item.key }} +Kind=gre +MTUBytes=1400 + +[Tunnel] +Local={{ ansible_default_ipv4.address | ipaddr('public') | ipaddr('address') }} +Remote={{ item.value.public_ipv4_address | ipaddr('public') | ipaddr('address') }} +TTL=64 diff --git a/roles/network-ffrl/templates/ffrl-gre.network.j2 b/roles/network-ffrl/templates/ffrl-gre.network.j2 new file mode 100644 index 00000000..ab7899d1 --- /dev/null +++ b/roles/network-ffrl/templates/ffrl-gre.network.j2 
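Review bot: The first two tasks are named `create ffrl-nat.netdev` and `create ffrl-nat.network` but loop over `ffrl_exit_server` and render the GRE templates, so the play output shows four tasks under two names and the real `ffrl-nat` tasks later in the file read as duplicates; rename them `- name: create ffrl-gre.netdev` and `- name: create ffrl-gre.network`. The `create ffrl-tunnel.conf` task — like `blackhole.conf` in network-mesh and `policy-routing.conf` in network-routing further down — writes a drop-in into `{{ ansible_default_ipv4.interface }}.network.d/`; nothing in this diff creates that directory or the `<iface>.network` file the drop-in attaches to, and `template` does not create parent directories, so unless an earlier role provides both, the task fails or the drop-in is silently ignored. A `file: state: directory` task in front of it, or a comment naming the role that owns `<iface>.network`, would make the dependency explicit.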
@@ -0,0 +1,9 @@ +# +# {{ ansible_managed }} +# +[Match] +Name={{ item.key }} + +[Network] +Address={{ item.value.tunnel_ipv4_network | ipaddr('net') | ipaddr('1') | ipaddr('ip/prefix') }} +Address={{ item.value.tunnel_ipv6_network | ipaddr('net') | ipaddr('2') | ipaddr('ip/prefix') }} diff --git a/roles/network-ffrl/templates/ffrl-nat.netdev.j2 b/roles/network-ffrl/templates/ffrl-nat.netdev.j2 new file mode 100644 index 00000000..f1b3a939 --- /dev/null +++ b/roles/network-ffrl/templates/ffrl-nat.netdev.j2 @@ -0,0 +1,6 @@ +# +# {{ ansible_managed }} +# +[NetDev] +Name=ffrl-nat +Kind=dummy diff --git a/roles/network-ffrl/templates/ffrl-nat.network.j2 b/roles/network-ffrl/templates/ffrl-nat.network.j2 new file mode 100644 index 00000000..6bf428a8 --- /dev/null +++ b/roles/network-ffrl/templates/ffrl-nat.network.j2 @@ -0,0 +1,8 @@ +# +# {{ ansible_managed }} +# +[Match] +Name=ffrl-nat + +[Network] +Address={{ ffrl_public_ipv4_nat | ipaddr('host') }} diff --git a/roles/network-ffrl/templates/ffrl-tunnel.conf.j2 b/roles/network-ffrl/templates/ffrl-tunnel.conf.j2 new file mode 100644 index 00000000..402c7826 --- /dev/null +++ b/roles/network-ffrl/templates/ffrl-tunnel.conf.j2 @@ -0,0 +1,7 @@ +# +# {{ ansible_managed }} +# +[Network] +{% for peer_id,_ in ffrl_exit_server.items() %} +Tunnel={{ peer_id }} +{% endfor%} diff --git a/roles/network-ffrl/templates/ffrl.j2 b/roles/network-ffrl/templates/ffrl.j2 deleted file mode 100644 index ba8d4e7c..00000000 --- a/roles/network-ffrl/templates/ffrl.j2 +++ /dev/null 
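Review bot: The replaced `ffrl.j2` (see the deleted file in the next hunk) set `ip-forward on` and `ip6-forward on` on each GRE interface, and nothing in this `.network` re-enables forwarding, so it now depends entirely on the `set sysctl settings for ip forwarding` task in network-routing, which is guarded by `server_type`. If that is intended, a comment under `[Network]` such as `# forwarding is enabled host-wide by network-routing's sysctl task` records the dependency; otherwise add `IPForward=yes` there. The old `tunnel-physdev` binding is presumably replaced by the `Tunnel=` lines in `ffrl-tunnel.conf.j2`, which is also worth a one-line comment since the two files are related only by convention.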
@@ -1,17 +0,0 @@ -# -# {{ ansible_managed }} -# -auto {{ item.key }} -iface {{ item.key }} inet tunnel - mode gre - local {{ ansible_default_ipv4.address | ipaddr('public') | ipaddr('address') }} - endpoint {{ item.value.public_ipv4_address | ipaddr('public') | ipaddr('address') }} - - ttl 64 - mtu 1400 - tunnel-physdev {{ ansible_default_ipv4.interface }} - ip-forward on - ip6-forward on - - address {{ item.value.tunnel_ipv4_network | ipaddr('net') | ipaddr('1') | ipaddr('ip/prefix') }} - address {{ item.value.tunnel_ipv6_network | ipaddr('net') | ipaddr('2') | ipaddr('ip/prefix') }} diff --git a/roles/network-ffrl/templates/ffrl_nat.j2 b/roles/network-ffrl/templates/ffrl_nat.j2 deleted file mode 100644 index 39523e98..00000000 --- a/roles/network-ffrl/templates/ffrl_nat.j2 +++ /dev/null @@ -1,7 +0,0 @@ -# -# {{ ansible_managed }} -# -auto ffrl-nat -iface ffrl-nat - link-type dummy - address {{ ffrl_public_ipv4_nat | ipaddr('host') }} diff --git a/roles/network-loopback/handlers/main.yml b/roles/network-loopback/handlers/main.yml index 191d07d1..ba4c4dbb 100644 --- a/roles/network-loopback/handlers/main.yml +++ b/roles/network-loopback/handlers/main.yml @@ -1,5 +1,5 @@ --- -- name: reload network interfaces +- name: restart networkd systemd: - name: networking - state: reloaded + name: systemd-networkd + state: restarted diff --git a/roles/network-loopback/tasks/main.yml b/roles/network-loopback/tasks/main.yml index d4494af6..315b45e5 100644 --- a/roles/network-loopback/tasks/main.yml +++ b/roles/network-loopback/tasks/main.yml 
@@ -1,9 +1,15 @@ --- -- name: create loopback interface +- name: create loopback.netdev template: - src: loopback.j2 - dest: "/etc/network/interfaces.d/loopback" - notify: reload network interfaces + src: loopback.netdev.j2 + dest: "/etc/systemd/network/loopback.netdev" + notify: restart networkd + +- name: create loopback.network + template: + src: loopback.network.j2 + dest: "/etc/systemd/network/loopback.network" + notify: restart networkd - name: create check-anycast.sh template: diff --git a/roles/network-loopback/templates/loopback.j2 b/roles/network-loopback/templates/loopback.j2 deleted file mode 100644 index aca7802c..00000000 --- a/roles/network-loopback/templates/loopback.j2 +++ /dev/null @@ -1,8 +0,0 @@ -# -# {{ ansible_managed }} -# -auto loopback -iface loopback - link-type dummy - address {{ loopback_net_ipv4 | ipsubnet(32, magic) | ipaddr('network/prefix') }} - address {{ loopback_net_ipv6 | ipaddr(magic) | ipaddr('address') }}/128 diff --git a/roles/network-loopback/templates/loopback.netdev.j2 b/roles/network-loopback/templates/loopback.netdev.j2 new file mode 100644 index 00000000..822ea63d --- /dev/null +++ b/roles/network-loopback/templates/loopback.netdev.j2 @@ -0,0 +1,6 @@ +# +# {{ ansible_managed }} +# +[NetDev] +Name=loopback +Kind=dummy diff --git a/roles/network-loopback/templates/loopback.network.j2 b/roles/network-loopback/templates/loopback.network.j2 new file mode 100644 index 00000000..cde808f0 --- /dev/null +++ b/roles/network-loopback/templates/loopback.network.j2 @@ -0,0 +1,9 @@ +# +# {{ ansible_managed }} +# +[Match] +Name=loopback + +[Network] +Address={{ loopback_net_ipv4 | ipsubnet(32, magic) | ipaddr('network/prefix') }} +Address={{ loopback_net_ipv6 | ipaddr(magic) | ipaddr('address') }}/128 diff --git a/roles/network-batman/README.md b/roles/network-mesh/README.md similarity index 100% rename from roles/network-batman/README.md rename to roles/network-mesh/README.md 
diff --git a/roles/network-meshbridge/handlers/main.yml b/roles/network-mesh/handlers/main.yml similarity index 57% rename from roles/network-meshbridge/handlers/main.yml rename to roles/network-mesh/handlers/main.yml index 78481e41..7cda3f94 100644 --- a/roles/network-meshbridge/handlers/main.yml +++ b/roles/network-mesh/handlers/main.yml @@ -1,8 +1,8 @@ --- -- name: reload network interfaces +- name: restart networkd systemd: - name: networking - state: reloaded + name: systemd-networkd + state: restarted - name: activate sysfs variables systemd: diff --git a/roles/network-mesh/tasks/main.yml b/roles/network-mesh/tasks/main.yml new file mode 100644 index 00000000..66b19338 --- /dev/null +++ b/roles/network-mesh/tasks/main.yml 
@@ -0,0 +1,89 @@ +--- +- name: create blackhole.conf + when: server_type == 'gateway' + template: + src: blackhole.conf.j2 + dest: "/etc/systemd/network/{{ ansible_default_ipv4.interface }}.network.d/blackhole.conf" + notify: restart networkd + +- name: create dummy.netdev + template: + src: dummy.netdev.j2 + dest: "/etc/systemd/network/{{ item.id }}.netdev" + notify: restart networkd + loop: "{{ meshes }}" + +- name: create dummy.network + template: + src: dummy.network.j2 + dest: "/etc/systemd/network/{{ item.id }}.network" + notify: restart networkd + loop: "{{ meshes }}" + +- name: create batman.netdev + template: + src: batman.netdev.j2 + dest: "/etc/systemd/network/{{ item.id }}bat.netdev" + notify: restart networkd + loop: "{{ meshes }}" + +- name: create batman.network + template: + src: batman.network.j2 + dest: "/etc/systemd/network/{{ item.id }}bat.network" + notify: restart networkd + loop: "{{ meshes }}" + +- name: create bridge.netdev + template: + src: bridge.netdev.j2 + dest: "/etc/systemd/network/{{ item.id }}br.netdev" + notify: restart networkd + loop: "{{ meshes }}" + +- name: create bridge.network + template: + src: bridge.network.j2 + dest: "/etc/systemd/network/{{ item.id }}br.network" + notify: restart networkd + loop: "{{ meshes }}" + +- name: create fastd-backbone.link + template: + src: fastd-backbone.link.j2 + dest: "/etc/systemd/network/{{ item.0.id }}igvpn-{{ item.1.mtu }}.link" + notify: restart networkd + loop: "{{ meshes | subelements('fastd.backbone.instances') }}" + +- name: create fastd-backbone.network + template: + src: fastd-backbone.network.j2 + dest: "/etc/systemd/network/{{ item.0.id }}igvpn-{{ item.1.mtu }}.network" + notify: restart networkd + loop: "{{ meshes | subelements('fastd.backbone.instances') }}" + +- name: create fastd-mesh.link + when: server_type == "gateway" + template: + src: fastd-mesh.link.j2 + dest: "/etc/systemd/network/{{ item.0.id }}igvpn-{{ item.1.mtu }}.link" + notify: restart networkd + loop: "{{ 
meshes | subelements('fastd.nodes.instances') }}" + +- name: create fastd-mesh.network + when: server_type == "gateway" + template: + src: fastd-mesh.network.j2 + dest: "/etc/systemd/network/{{ item.0.id }}igvpn-{{ item.1.mtu }}.network" + notify: restart networkd + loop: "{{ meshes | subelements('fastd.nodes.instances') }}" + +- name: set sysfs variables + template: + src: sysfs.j2 + dest: "/etc/sysfs.d/99-{{ item.id }}br.conf" + loop: "{{ meshes }}" + notify: activate sysfs variables + +- name: flush handlers + meta: flush_handlers diff --git a/roles/network-mesh/templates/batman.netdev.j2 b/roles/network-mesh/templates/batman.netdev.j2 new file mode 100644 index 00000000..0e871aa3 --- /dev/null +++ b/roles/network-mesh/templates/batman.netdev.j2 @@ -0,0 +1,18 @@ +{% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} +{% set mac = '0201' + ip4hex -%} +# +# {{ ansible_managed }} +# +[NetDev] +Name={{ item.id }}bat +Kind=batadv +MACAddress={{ mac | hwaddr('linux') }} + +[BatmanAdvanced] +GatewayMode={% if 'gateways' in group_names %}{{ item.batman.gw }}{% else %}off{% endif %} +RoutingAlgorithm={{ item.batman.algo | default('BATMAN_IV') }} +DistributedArpTable={{ item.batman.dat }} +HopPenalty={{ item.batman.hop_penalty }} +OriginatorIntervalSec={{ item.batman.it }} +GatewayBandwithDown={{ item.batman.down }} +GatewayBandwithUp={{ item.batman.up }} diff --git a/roles/network-mesh/templates/batman.network.j2 b/roles/network-mesh/templates/batman.network.j2 new file mode 100644 index 00000000..6cb61450 --- /dev/null +++ b/roles/network-mesh/templates/batman.network.j2 @@ -0,0 +1,8 @@ +# +# {{ ansible_managed }} +# +[Match] +Name={{ item.id }}bat + +[Network] +Bridge={{ item.id }}br diff --git a/roles/network-mesh/templates/blackhole.conf.j2 b/roles/network-mesh/templates/blackhole.conf.j2 new file mode 100644 index 00000000..89d3e24b --- /dev/null +++ b/roles/network-mesh/templates/blackhole.conf.j2 
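Review bot: The `create fastd-mesh.link` and `create fastd-mesh.network` tasks render to `{{ item.0.id }}igvpn-{{ item.1.mtu }}.link` / `.network`, the filenames the backbone tasks above already use, while the templates match `Name={{ item.0.id }}vpn-{{ item.1.mtu }}`; whenever a node instance and a backbone instance share an MTU the mesh files overwrite the backbone ones, and the mesh interfaces never receive their MAC, MTU or batman attachment. The destinations should be `dest: "/etc/systemd/network/{{ item.0.id }}vpn-{{ item.1.mtu }}.link"` and `dest: "/etc/systemd/network/{{ item.0.id }}vpn-{{ item.1.mtu }}.network"`. Separately, `.link` files are applied by udev when the device appears, not by networkd, so `notify: restart networkd` will not re-apply a changed MAC or MTU to an existing fastd interface; a comment on the two `.link` tasks saying that fastd must re-create the device (or `udevadm trigger` be run) would save the next maintainer a debugging session.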
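Review bot: `GatewayBandwithDown=` and `GatewayBandwithUp=` are misspelled; systemd.netdev(5) names the keys `GatewayBandwidthDown=` and `GatewayBandwidthUp=`, and networkd logs an unknown-key warning and ignores the value, so the `up`/`down` values just added to group_vars never reach the interface and the gateway announces default bandwidth. The lines should read `GatewayBandwidthDown={{ item.batman.down }}` and `GatewayBandwidthUp={{ item.batman.up }}`. As far as I recall `RoutingAlgorithm=` expects `batman-iv` or `batman-v`, so `default('BATMAN_IV')` would likewise be rejected — confirm against the installed systemd's manual. Also note that networkd applies `[NetDev]`/`[BatmanAdvanced]` settings only when it creates the device, so a later change to this template will not reach an existing `{{ item.id }}bat` via the `restart networkd` handler until the device is removed; that deserves a comment at the top of the template.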
@@ -0,0 +1,214 @@
+[Route]
+Type=blackhole
+Table={{ routing_tables.mwu.internet }}
+Destination=0.0.0.0/8
+
+[Route]
+Type=blackhole
+Table={{ routing_tables.mwu.internet }}
+Destination=10.0.0.0/8
+
+[Route]
+Type=blackhole
+Table={{ routing_tables.mwu.internet }}
+Destination=100.64.0.0/10
+
+[Route]
+Type=blackhole
+Table={{ routing_tables.mwu.internet }}
+Destination=127.0.0.0/8
+
+[Route]
+Type=blackhole
+Table={{ routing_tables.mwu.internet }}
+Destination=169.254.0.0/16
+
+[Route]
+Type=blackhole
+Table={{ routing_tables.mwu.internet }}
+Destination=172.16.0.0/12
+
+[Route]
+Type=blackhole
+Table={{ routing_tables.mwu.internet }}
+Destination=192.0.0.0/24
+
+[Route]
+Type=blackhole
+Table={{ routing_tables.mwu.internet }}
+Destination=192.0.2.0/24
+
+[Route]
+Type=blackhole
+Table={{ routing_tables.mwu.internet }}
+Destination=192.88.99.0/24
+
+[Route]
+Type=blackhole
+Table={{ routing_tables.mwu.internet }}
+Destination=192.168.0.0/16
+
+[Route]
+Type=blackhole
+Table={{ routing_tables.mwu.internet }}
+Destination=198.18.0.0/15
+
+[Route]
+Type=blackhole
+Table={{ routing_tables.mwu.internet }}
+Destination=198.51.100.0/24
+
+[Route]
+Type=blackhole
+Table={{ routing_tables.mwu.internet }}
+Destination=203.0.113.0/24
+
+[Route]
+Type=blackhole
+Table={{ routing_tables.mwu.internet }}
+Destination=224.0.0.0/4
+
+[Route]
+Type=blackhole
+Table={{ routing_tables.mwu.internet }}
+Destination=240.0.0.0/4
+
+[Route]
+Type=blackhole
+Table={{ routing_tables.mwu.internet }}
+Destination=255.255.255.255/32
+
+[Route]
+Type=blackhole
+Table={{ routing_tables.mwu.internet }}
+Destination=fec0::/10
+
+[Route]
+Type=blackhole
+Table={{ routing_tables.mwu.internet }}
+Destination=fc00::/7
+
+[Route]
+Type=blackhole
+Table={{ routing_tables.mwu.internet }}
+Destination=ff00::/8
+
+[Route]
+Type=blackhole
+Table={{ routing_tables.mwu.internet }}
+Destination=::/96
+
+[Route]
+Type=blackhole
+Table={{ routing_tables.mwu.internet }}
+Destination=0:0:0:0:0:ffff::/96
+
+[Route]
+Type=blackhole
+Table=main
+Destination=0.0.0.0/8
+
+[Route]
+Type=blackhole
+Table=main
+Destination=10.0.0.0/8
+
+[Route]
+Type=blackhole
+Table=main
+Destination=100.64.0.0/10
+
+[Route]
+Type=blackhole
+Table=main
+Destination=127.0.0.0/8
+
+[Route]
+Type=blackhole
+Table=main
+Destination=169.254.0.0/16
+
+[Route]
+Type=blackhole
+Table=main
+Destination=172.16.0.0/12
+
+[Route]
+Type=blackhole
+Table=main
+Destination=192.0.0.0/24
+
+[Route]
+Type=blackhole
+Table=main
+Destination=192.0.2.0/24
+
+[Route]
+Type=blackhole
+Table=main
+Destination=192.88.99.0/24
+
+[Route]
+Type=blackhole
+Table=main
+Destination=192.168.0.0/16
+
+[Route]
+Type=blackhole
+Table=main
+Destination=198.18.0.0/15
+
+[Route]
+Type=blackhole
+Table=main
+Destination=198.51.100.0/24
+
+[Route]
+Type=blackhole
+Table=main
+Destination=203.0.113.0/24
+
+[Route]
+Type=blackhole
+Table=main
+Destination=224.0.0.0/4
+
+[Route]
+Type=blackhole
+Table=main
+Destination=240.0.0.0/4
+
+[Route]
+Type=blackhole
+Table=main
+Destination=255.255.255.255/32
+
+[Route]
+Type=blackhole
+Table=main
+Destination=fec0::/10
+
+[Route]
+Type=blackhole
+Table=main
+Destination=fc00::/7
+
+[Route]
+Type=blackhole
+Table=main
+Destination=ff00::/8
+
+[Route]
+Type=blackhole
+Table=main
+Destination=::/96
+
+[Route]
+Type=blackhole
+Table=main
+Destination=0:0:0:0:0:ffff::/96
+
+[Route]
+Type=blackhole
+Table=main
+Destination=::/0
diff --git a/roles/network-mesh/templates/bridge.netdev.j2 b/roles/network-mesh/templates/bridge.netdev.j2
new file mode 100644
index 00000000..73afb9a4
--- /dev/null
+++ b/roles/network-mesh/templates/bridge.netdev.j2
@@ -0,0 +1,6 @@
+#
+# {{ ansible_managed }}
+#
+[NetDev]
+Name={{ item.id }}br
+Kind=bridge
diff --git a/roles/network-mesh/templates/bridge.network.j2 b/roles/network-mesh/templates/bridge.network.j2
new file mode 100644
index 00000000..9bc758b9
--- /dev/null
+++ b/roles/network-mesh/templates/bridge.network.j2
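Review bot: `Table={{ routing_tables.mwu.internet }}` in the first half of this template (which begins on the previous line) dereferences `.internet` on `routing_tables.mwu`, and the gateways group_vars hunk defines `mwu` as the integer `41`; the template task will fail on the undefined attribute, and the sibling `bridge.network.j2` uses `routing_tables.mwu` directly as a table number. The key that matches the `internet: 61` entry is `Table={{ routing_tables.internet }}`. This is also the only new template without the `# {{ ansible_managed }}` header, and the `::/0` blackhole exists only in the `main` section, not in the internet-table section — if that asymmetry is deliberate, a `#` comment above the last block saying why would keep someone from "fixing" it.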
@@ -0,0 +1,48 @@
+#
+# {{ ansible_managed }}
+#
+[Match]
+Name={{ item.id }}br
+
+[Network]
+Address={{ item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('ip/prefix') }}
+{% for prefix in item.ipv6_ula %}
+Address={{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('ip/prefix') }}
+{% endfor %}
+{% for prefix in item.ipv6_public %}
+Address={{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('ip/prefix') }}
+{% endfor %}
+{% if mesh_gw_prefixes is defined %}
+{% for prefix in mesh_gw_prefixes[item.id].ipv6_public %}
+Address={{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(1) | ipaddr('ip/prefix') }}
+{% endfor %}
+{% endif %}
+{% if 'gateways' in group_names %}
+IPForward=yes
+{% endif %}
+IPv6AcceptRA=no
+
+[Route]
+Destination={{ item.ipv4_network }}
+Table={{ routing_tables.mwu }}
+
+{% for ula in item.ipv6_ula %}
+[Route]
+Destination={{ ula | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }}
+Table={{ routing_tables.mwu }}
+
+{% endfor %}
+{% for public in item.ipv6_public %}
+[Route]
+Destination={{ public | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }}
+Table={{ routing_tables.mwu }}
+
+{% endfor %}
+{% if mesh_gw_prefixes is defined %}
+{% for public in mesh_gw_prefixes[item.id].ipv6_public %}
+[Route]
+Destination={{ public | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }}
+Table={{ routing_tables.mwu }}
+
+{% endfor %}
+{% endif %}
diff --git a/roles/network-batman/templates/dummy.j2 b/roles/network-mesh/templates/dummy.netdev.j2
similarity index 61%
rename from roles/network-batman/templates/dummy.j2
rename to roles/network-mesh/templates/dummy.netdev.j2
index cf781bec..6ad3870b 100644
--- a/roles/network-batman/templates/dummy.j2
+++ b/roles/network-mesh/templates/dummy.netdev.j2
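Review bot: `IPForward=yes` is gated on `'gateways' in group_names` here (and `GatewayMode=` in `batman.netdev.j2` uses the same test), while the tasks in `roles/network-mesh/tasks/main.yml` gate the blackhole routes and the fastd mesh interfaces on `server_type == 'gateway'`; a host that satisfies one predicate but not the other would forward mesh traffic without the bogon blackholes, or get gateway-mode batman devices without the matching routes. Using one predicate throughout the role avoids the split — the replaced `bridge.j2` used `server_type`, so `{% if server_type == 'gateway' %}` preserves prior behaviour. If inventory convention guarantees the two always agree, a comment in the template stating that is the minimum.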
@@ -3,7 +3,7 @@ # # {{ ansible_managed }} # -auto {{ item.id }} -iface {{ item.id }} - link-type dummy - hwaddress {{ mac | hwaddr('linux') }} +[NetDev] +Name={{ item.id }} +Kind=dummy +MACAddress={{ mac | hwaddr('linux') }} diff --git a/roles/network-mesh/templates/dummy.network.j2 b/roles/network-mesh/templates/dummy.network.j2 new file mode 100644 index 00000000..fcf2d58c --- /dev/null +++ b/roles/network-mesh/templates/dummy.network.j2 @@ -0,0 +1,8 @@ +# +# {{ ansible_managed }} +# +[Match] +Name={{ item.id }} + +[Network] +BatmanAdvanced={{ item.id }}bat diff --git a/roles/network-fastd/templates/fastd-backbone.j2 b/roles/network-mesh/templates/fastd-backbone.link.j2 similarity index 54% rename from roles/network-fastd/templates/fastd-backbone.j2 rename to roles/network-mesh/templates/fastd-backbone.link.j2 index e3961503..0f1e7dce 100644 --- a/roles/network-fastd/templates/fastd-backbone.j2 +++ b/roles/network-mesh/templates/fastd-backbone.link.j2 @@ -3,7 +3,9 @@ # # {{ ansible_managed }} # -auto {{ item.0.id }}igvpn-{{ item.1.mtu }} -iface {{ item.0.id }}igvpn-{{ item.1.mtu }} - mtu {{ item.1.mtu }} - hwaddress {{ mac | hwaddr('linux') }} +[Match] +Name={{ item.0.id }}igvpn-{{ item.1.mtu }} + +[Link] +MACAddress={{ mac | hwaddr('linux') }} +MTUBytes={{ item.1.mtu }} diff --git a/roles/network-mesh/templates/fastd-backbone.network.j2 b/roles/network-mesh/templates/fastd-backbone.network.j2 new file mode 100644 index 00000000..58576807 --- /dev/null +++ b/roles/network-mesh/templates/fastd-backbone.network.j2 @@ -0,0 +1,8 @@ +# +# {{ ansible_managed }} +# +[Match] +Name={{ item.0.id }}igvpn-{{ item.1.mtu }} + +[Network] +BatmanAdvanced={{ item.0.id }}bat diff --git a/roles/network-fastd/templates/fastd-mesh.j2 b/roles/network-mesh/templates/fastd-mesh.link.j2 similarity index 54% rename from roles/network-fastd/templates/fastd-mesh.j2 rename to roles/network-mesh/templates/fastd-mesh.link.j2 index e0e7fdcb..621265f3 100644 
--- a/roles/network-fastd/templates/fastd-mesh.j2 +++ b/roles/network-mesh/templates/fastd-mesh.link.j2 @@ -3,7 +3,9 @@ # # {{ ansible_managed }} # -auto {{ item.0.id }}vpn-{{ item.1.mtu }} -iface {{ item.0.id }}vpn-{{ item.1.mtu }} - mtu {{ item.1.mtu }} - hwaddress {{ mac | hwaddr('linux') }} +[Match] +Name={{ item.0.id }}vpn-{{ item.1.mtu }} + +[Link] +MACAddress={{ mac | hwaddr('linux') }} +MTUBytes={{ item.1.mtu }} diff --git a/roles/network-mesh/templates/fastd-mesh.network.j2 b/roles/network-mesh/templates/fastd-mesh.network.j2 new file mode 100644 index 00000000..e409e91b --- /dev/null +++ b/roles/network-mesh/templates/fastd-mesh.network.j2 @@ -0,0 +1,8 @@ +# +# {{ ansible_managed }} +# +[Match] +Name={{ item.0.id }}vpn-{{ item.1.mtu }} + +[Network] +BatmanAdvanced={{ item.0.id }}bat diff --git a/roles/network-meshbridge/templates/sysfs.j2 b/roles/network-mesh/templates/sysfs.j2 similarity index 100% rename from roles/network-meshbridge/templates/sysfs.j2 rename to roles/network-mesh/templates/sysfs.j2 diff --git a/roles/network-meshbridge/README.md b/roles/network-meshbridge/README.md deleted file mode 100644 index 9afcb6fa..00000000 --- a/roles/network-meshbridge/README.md +++ /dev/null @@ -1,32 +0,0 @@ -# Ansible role network-meshbridge - -Diese Ansible role konfiguriert die Linux Bridges für die Freifunk Meshes. - -- linux bridge pro mesh inklusive IP-Konfiguration -- konfiguriert sysfs variablen: - - hash_max - -## Benötigte Variablen - -- Dictionary `meshes` - -``` -meshes: - -id: xx -... - ipv4_network: -... - ipv6_ula: - - fdxx.../48 # ipv6 ula prefix - ipv6_public: - - 2xxx.../48 # ipv6 public prefix - -``` - -- Host Variable `magic` - -## MAC-Adressen - -Die MAC-Adressen der Interfaces werden aus dem IPv4-Subnetz sowie der `magic`-Nummer des Hosts berechnet. - -xxbr-prefix: `02:10` diff --git a/roles/network-meshbridge/tasks/main.yml b/roles/network-meshbridge/tasks/main.yml deleted file mode 100644 index 248fe434..00000000 
--- a/roles/network-meshbridge/tasks/main.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- -- name: create mesh bridges - template: - src: bridge.j2 - dest: "/etc/network/interfaces.d/{{ item.id }}br" - notify: reload network interfaces - loop: "{{ meshes }}" - -- name: set sysfs variables - template: - src: sysfs.j2 - dest: "/etc/sysfs.d/99-{{ item.id }}br.conf" - loop: "{{ meshes }}" - notify: activate sysfs variables - -- name: flush handlers - meta: flush_handlers diff --git a/roles/network-meshbridge/templates/bridge.j2 b/roles/network-meshbridge/templates/bridge.j2 deleted file mode 100644 index 3ac23eb2..00000000 --- a/roles/network-meshbridge/templates/bridge.j2 +++ /dev/null @@ -1,23 +0,0 @@ -# -# {{ ansible_managed }} -# - -auto {{ item.id }}br -iface {{ item.id }}br - address {{ item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('ip/prefix') }} -{% for prefix in item.ipv6_ula %} - address {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('ip/prefix') }} -{% endfor %} -{% for prefix in item.ipv6_public %} - address {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('ip/prefix') }} -{% endfor %} -{% if mesh_gw_prefixes is defined %} -{% for prefix in mesh_gw_prefixes[item.id].ipv6_public %} - address {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(1) | ipaddr('ip/prefix') }} -{% endfor %} -{% endif %} - bridge-ports {{ item.id }}bat -{% if server_type == 'gateway' %} - ip-forward on - ip6-forward on -{% endif %} diff --git a/roles/network-routetables/README.md b/roles/network-routetables/README.md deleted file mode 100644 index 6629687a..00000000 --- a/roles/network-routetables/README.md +++ /dev/null @@ -1,12 +0,0 @@ -# Ansible role network-routetables - -Diese Ansible role legt die erforderlichen routing tables an. - -## Benötigte Variablen - -- `routing_tables` - -``` -routing_tables: - $name: # integer -``` 
diff --git a/roles/network-routetables/tasks/main.yml b/roles/network-routetables/tasks/main.yml deleted file mode 100644 index bb517ed0..00000000 --- a/roles/network-routetables/tasks/main.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: create routing tables - lineinfile: - path: /etc/iproute2/rt_tables - regexp: '^{{ item.value }}' - line: "{{ item.value }}{{ '\t' }}{{ item.key }}" - state: present - loop: "{{ routing_tables | dict2items }}" diff --git a/roles/network-routing/handlers/main.yml b/roles/network-routing/handlers/main.yml index 42897d42..ba4c4dbb 100644 --- a/roles/network-routing/handlers/main.yml +++ b/roles/network-routing/handlers/main.yml @@ -1,14 +1,5 @@ --- -- name: reload systemd +- name: restart networkd systemd: - daemon_reload: yes - -- name: restart systemd unit ffmwu-static-routes - systemd: - name: ffmwu-static-routes - state: restarted - -- name: restart systemd unit ffmwu-ip-rules - systemd: - name: ffmwu-ip-rules + name: systemd-networkd state: restarted diff --git a/roles/network-routing/tasks/main.yml b/roles/network-routing/tasks/main.yml index 95e0b8b0..327f0e04 100644 --- a/roles/network-routing/tasks/main.yml +++ b/roles/network-routing/tasks/main.yml 
@@ -1,64 +1,11 @@ --- -- name: write systemd unit ffmwu-static-routes.service - template: - src: ffmwu-static-routes.service.j2 - dest: /etc/systemd/system/ffmwu-static-routes.service - owner: root - group: root - mode: 0644 - notify: reload systemd - -- name: write static route scripts - template: - src: "{{ item }}.j2" - dest: "/usr/local/bin/{{ item }}" - owner: root - group: root - mode: 0750 - loop: - - ffmwu-add-static-routes.sh - - ffmwu-del-static-routes.sh - notify: restart systemd unit ffmwu-static-routes - -- name: enable systemd unit ffmwu-static-routes.service - systemd: - name: ffmwu-static-routes - enabled: yes - state: started - -- name: write systemd unit ffmwu-ip-rules.service - template: - src: ffmwu-ip-rules.service.j2 - dest: /etc/systemd/system/ffmwu-ip-rules.service - owner: root - group: root - mode: 0644 - notify: reload systemd - -- name: write ip rule scripts - template: - src: "{{ item }}.j2" - dest: "/usr/local/bin/{{ item }}" - owner: root - group: root - mode: 0750 - loop: - - ffmwu-add-ip-rules.sh - - ffmwu-del-ip-rules.sh - notify: restart systemd unit ffmwu-ip-rules - -- name: enable systemd unit ffmwu-ip-rules.service - systemd: - name: ffmwu-ip-rules - enabled: yes - state: started - -- name: set basic sysctl settings for routing - sysctl: - name: "{{ item.name }}" - value: "{{ item.value }}" +- name: create routing tables + lineinfile: + path: /etc/iproute2/rt_tables + regexp: '^{{ item.value }}' + line: "{{ item.value }}{{ '\t' }}{{ item.key }}" state: present - loop: "{{ sysctl_settings_routing_basic }}" + loop: "{{ routing_tables | dict2items }}" - name: set sysctl settings for ip forwarding when: server_type == "gateway" or server_type == "service" or server_type == "monitoring" 
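Review bot: The `set basic sysctl settings for routing` task looping over `sysctl_settings_routing_basic` is removed from this hunk with no replacement visible anywhere in the diff, and the bogon blackhole routes for tables `internet` and `main` that lived in the deleted `ffmwu-add-static-routes.sh.j2` are not re-created by the new `policy-routing.conf.j2` either; unless the new `network-mesh` role carries them, gateways lose those leak guards silently. The new `create routing tables` task uses `regexp: '^{{ item.value }}'`, which is a prefix match on `rt_tables` — `regexp: '^{{ item.value }}\s'` keeps a short id such as 5 from matching an existing `51` line. The forwarding-sysctl task that starts at the bottom of this hunk continues outside it.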
@@ -67,3 +14,9 @@ value: "{{ item.value }}" state: present loop: "{{ sysctl_settings_routing_forwarding }}" + +- name: create policy-routing.conf + template: + src: policy-routing.conf.j2 + dest: "/etc/systemd/network/{{ ansible_default_ipv4.interface }}.network.d/policy-routing.conf" + notify: restart networkd diff --git a/roles/network-routing/templates/ffmwu-add-ip-rules.sh.j2 b/roles/network-routing/templates/ffmwu-add-ip-rules.sh.j2 deleted file mode 100644 index 65efcd93..00000000 --- a/roles/network-routing/templates/ffmwu-add-ip-rules.sh.j2 +++ /dev/null 
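Review bot: The new `create policy-routing.conf` template task sets no `owner`/`group`/`mode`, unlike the unit and script tasks it replaces; adding `owner: root`, `group: root`, `mode: 0644` keeps the role consistent and the permissions umask-independent. The destination directory `/etc/systemd/network/{{ ansible_default_ipv4.interface }}.network.d` is only created in `server-basic`, so this task fails on any host that applies `network-routing` without it, and on a multi-homed host `ansible_default_ipv4.interface` may not be the interface the rules are meant for — presumably acceptable for this inventory, but worth a comment. A `.network.d` drop-in also only takes effect if a `.network` unit for that interface exists; nothing in this diff creates one, so confirm it is provided elsewhere.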
@@ -1,90 +0,0 @@ -#!/bin/sh -# -# {{ ansible_managed }} -# - -# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces -{% if server_type == 'gateway' or server_type == 'monitoring' %} -{% for mesh in meshes %} -ip -4 rule add from all oif {{ mesh.id }}br lookup mwu priority 7 -ip -6 rule add from all oif {{ mesh.id }}br lookup mwu priority 7 -{% endfor %} -{% endif %} -{% for network in my_wireguard_networks %} -ip -4 rule add from all iif wg-{{ network.remote[:11] }} lookup mwu priority 7 -ip -6 rule add from all iif wg-{{ network.remote[:11] }} lookup mwu priority 7 -ip -4 rule add from all oif wg-{{ network.remote[:11] }} lookup mwu priority 7 -ip -6 rule add from all oif wg-{{ network.remote[:11] }} lookup mwu priority 7 -{% endfor %} -{% for prefix in internal_prefixes %} -ip -4 rule add from {{ prefix.ipv4 }} lookup mwu priority 7 -ip -4 rule add to {{ prefix.ipv4 }} lookup mwu priority 7 -ip -6 rule add from {{ prefix.ipv6 }} lookup mwu priority 7 -ip -6 rule add to {{ prefix.ipv6 }} lookup mwu priority 7 -{% endfor %} -{% for prefix in public_prefixes %} -ip -6 rule add from {{ prefix.ipv6 }} lookup mwu priority 7 -ip -6 rule add to {{ prefix.ipv6 }} lookup mwu priority 7 -{% endfor %} - -{% if server_type == 'gateway' %} -# Priority 23 - lookup rt_table icvpn for all incoming traffic of freifunk bridges -{% for mesh in meshes %} -ip -4 rule add from all oif {{ mesh.id }}br lookup icvpn priority 23 -ip -6 rule add from all oif {{ mesh.id }}br lookup icvpn priority 23 -{% endfor %} -{% for prefix in internal_prefixes %} -ip -4 rule add from {{ prefix.ipv4 }} lookup icvpn priority 23 -ip -4 rule add to {{ prefix.ipv4 }} lookup icvpn priority 23 -ip -6 rule add from {{ prefix.ipv6 }} lookup icvpn priority 23 -ip -6 rule add to {{ prefix.ipv6 }} lookup icvpn priority 23 -{% endfor %} -{% for prefix in public_prefixes %} -ip -6 rule add from {{ prefix.ipv6 }} lookup icvpn priority 23 -ip -6 rule add to {{ prefix.ipv6 }} lookup 
icvpn priority 23 -{% endfor %} -ip -4 rule add from all oif icvpn lookup icvpn priority 23 -ip -6 rule add from all oif icvpn lookup icvpn priority 23 - -# Priority 41 - lookup rt_table internet for all incoming traffic of freifunk bridges -{% for mesh in meshes %} -ip -6 rule add from all oif {{ mesh.id }}br lookup internet priority 41 -{% endfor %} -{% for prefix in internal_prefixes %} -ip -4 rule add from {{ prefix.ipv4 }} lookup internet priority 41 -ip -6 rule add from {{ prefix.ipv6 }} lookup internet priority 41 -ip -6 rule add to {{ prefix.ipv6 }} lookup internet priority 41 -{% endfor %} -{% for prefix in public_prefixes %} -ip -6 rule add from {{ prefix.ipv6 }} lookup internet priority 41 -ip -6 rule add to {{ prefix.ipv6 }} lookup internet priority 41 -{% endfor %} -ip -4 rule add from {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41 -ip -4 rule add to {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41 - -# Priority 61 - at this point this is the end of policy routing for freifunk related routes -{% for mesh in meshes %} -ip -4 rule add from all iif {{ mesh.id }}br type unreachable priority 61 -ip -6 rule add from all iif {{ mesh.id }}br type unreachable priority 61 -{% endfor %} -ip -4 rule add from all iif icvpn type unreachable priority 61 -ip -4 rule add from all iif {{ ansible_default_ipv4.interface }} type unreachable priority 61 -{% for server_id, server_value in ffrl_exit_server.items() %} -ip -4 rule add from all iif {{ server_id }} type unreachable priority 61 -ip -6 rule add from all iif {{ server_id }} type unreachable priority 61 -{% endfor %} -ip -6 rule add from all iif icvpn type unreachable priority 61 -ip -6 rule add from all iif {{ ansible_default_ipv6.interface }} type unreachable priority 61 -{% for prefix in public_prefixes %} -ip -6 rule add from {{ prefix.ipv6 }} type unreachable priority 61 -ip -6 rule add to {{ prefix.ipv6 }} type unreachable priority 61 -{% endfor %} - -# Priority 
107 - lookup policies for the gateway host self originating traffic -ip -4 rule add from all lookup mwu priority 107 -ip -4 rule add from all lookup icvpn priority 107 -ip -6 rule add from all lookup mwu priority 107 -ip -6 rule add from all lookup icvpn priority 107 -{% endif %} - -exit 0 diff --git a/roles/network-routing/templates/ffmwu-add-static-routes.sh.j2 b/roles/network-routing/templates/ffmwu-add-static-routes.sh.j2 deleted file mode 100644 index d2264904..00000000 --- a/roles/network-routing/templates/ffmwu-add-static-routes.sh.j2 +++ /dev/null 
@@ -1,81 +0,0 @@ -#!/bin/sh -# -# {{ ansible_managed }} -# - -{% for network in my_wireguard_networks %} -{% if magic < network.remote_magic %} -/sbin/ip -4 route add {{ network.ipv4 | ipaddr('network/prefix') }} dev wg-{{ network.remote[:11] }} scope link src {{ network.ipv4 | ipaddr('address') }} table mwu -{% else %} -/sbin/ip -4 route add {{ network.ipv4 | ipaddr('network/prefix') }} dev wg-{{ network.remote[:11] }} scope link src {{ network.ipv4 | ipaddr('1') | ipaddr('address') }} table mwu -{% endif %} -{% endfor %} -{% if server_type == 'gateway' or server_type == 'monitoring' %} -{% for mesh in meshes %} -# static {{ mesh.domain_name }} routes for rt_table mwu -/sbin/ip -4 route add {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}br table mwu -{% for ula in mesh.ipv6_ula %} -/sbin/ip -6 route add {{ ula | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}br table mwu -{% endfor %} -{% for public in mesh.ipv6_public %} -/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}br table mwu -{% endfor %} -{% if mesh_gw_prefixes is defined %} -{% for public in mesh_gw_prefixes[mesh.id].ipv6_public %} -/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}br table mwu -{% endfor %} -{% endif %} -{% if not loop.last %} - -{% endif %} -{% endfor %} -{% endif %} - -{% if server_type == 'gateway' %} -# static blackhole routes for rt_table internet -/sbin/ip -4 route add blackhole 0.0.0.0/8 table internet -/sbin/ip -4 route add blackhole 10.0.0.0/8 table internet -/sbin/ip -4 route add blackhole 100.64.0.0/10 table internet -/sbin/ip -4 route add blackhole 127.0.0.0/8 table internet -/sbin/ip -4 route add blackhole 169.254.0.0/16 table internet -/sbin/ip -4 route add blackhole 172.16.0.0/12 table internet -/sbin/ip -4 route add blackhole 192.0.0.0/24 table internet -/sbin/ip -4 route add blackhole 
192.0.2.0/24 table internet -/sbin/ip -4 route add blackhole 192.88.99.0/24 table internet -/sbin/ip -4 route add blackhole 192.168.0.0/16 table internet -/sbin/ip -4 route add blackhole 198.18.0.0/15 table internet -/sbin/ip -4 route add blackhole 198.51.100.0/24 table internet -/sbin/ip -4 route add blackhole 203.0.113.0/24 table internet -/sbin/ip -4 route add blackhole 224.0.0.0/4 table internet -/sbin/ip -4 route add blackhole 240.0.0.0/4 table internet -/sbin/ip -4 route add blackhole 255.255.255.255/32 table internet -/sbin/ip -6 route add blackhole fec0::/10 table internet -/sbin/ip -6 route add blackhole fc00::/7 table internet -/sbin/ip -6 route add blackhole ff00::/8 table internet -/sbin/ip -6 route add blackhole ::/96 table internet -/sbin/ip -6 route add blackhole 0:0:0:0:0:ffff::/96 table internet - -# static blackhole routes for rt_table main -/sbin/ip -4 route add blackhole 0.0.0.0/8 table main -/sbin/ip -4 route add blackhole 10.0.0.0/8 table main -/sbin/ip -4 route add blackhole 100.64.0.0/10 table main -/sbin/ip -4 route add blackhole 127.0.0.0/8 table main -/sbin/ip -4 route add blackhole 169.254.0.0/16 table main -/sbin/ip -4 route add blackhole 172.16.0.0/12 table main -/sbin/ip -4 route add blackhole 192.0.0.0/24 table main -/sbin/ip -4 route add blackhole 192.0.2.0/24 table main -/sbin/ip -4 route add blackhole 192.88.99.0/24 table main -/sbin/ip -4 route add blackhole 192.168.0.0/16 table main -/sbin/ip -4 route add blackhole 198.18.0.0/15 table main -/sbin/ip -4 route add blackhole 198.51.100.0/24 table main -/sbin/ip -4 route add blackhole 203.0.113.0/24 table main -/sbin/ip -4 route add blackhole 224.0.0.0/4 table main -/sbin/ip -4 route add blackhole 240.0.0.0/4 table main -/sbin/ip -4 route add blackhole 255.255.255.255/32 table main -/sbin/ip -6 route add blackhole fec0::/10 table main -/sbin/ip -6 route add blackhole fc00::/7 table main -/sbin/ip -6 route add blackhole ff00::/8 table main -/sbin/ip -6 route add blackhole ::/96 table 
main -/sbin/ip -6 route add blackhole 0:0:0:0:0:ffff::/96 table main -/sbin/ip -6 route add blackhole ::/0 table main -{% endif %} diff --git a/roles/network-routing/templates/ffmwu-del-ip-rules.sh.j2 b/roles/network-routing/templates/ffmwu-del-ip-rules.sh.j2 deleted file mode 100644 index cf4f95f5..00000000 --- a/roles/network-routing/templates/ffmwu-del-ip-rules.sh.j2 +++ /dev/null 
@@ -1,90 +0,0 @@ -#!/bin/sh -# -# {{ ansible_managed }} -# - -# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces -{% if server_type == 'gateway' or server_type == 'monitoring' %} -{% for mesh in meshes %} -ip -4 rule del from all oif {{ mesh.id }}br lookup mwu priority 7 -ip -6 rule del from all oif {{ mesh.id }}br lookup mwu priority 7 -{% endfor %} -{% endif %} -{% for network in my_wireguard_networks %} -ip -4 rule del from all iif wg-{{ network.remote[:11] }} lookup mwu priority 7 -ip -6 rule del from all iif wg-{{ network.remote[:11] }} lookup mwu priority 7 -ip -4 rule del from all oif wg-{{ network.remote[:11] }} lookup mwu priority 7 -ip -6 rule del from all oif wg-{{ network.remote[:11] }} lookup mwu priority 7 -{% endfor %} -{% for prefix in internal_prefixes %} -ip -4 rule del from {{ prefix.ipv4 }} lookup mwu priority 7 -ip -4 rule del to {{ prefix.ipv4 }} lookup mwu priority 7 -ip -6 rule del from {{ prefix.ipv6 }} lookup mwu priority 7 -ip -6 rule del to {{ prefix.ipv6 }} lookup mwu priority 7 -{% endfor %} -{% for prefix in public_prefixes %} -ip -6 rule del from {{ prefix.ipv6 }} lookup mwu priority 7 -ip -6 rule del to {{ prefix.ipv6 }} lookup mwu priority 7 -{% endfor %} - -{% if server_type == 'gateway' %} -# Priority 23 - lookup rt_table icvpn for all incoming traffic of freifunk bridges -{% for mesh in meshes %} -ip -4 rule del from all oif {{ mesh.id }}br lookup icvpn priority 23 -ip -6 rule del from all oif {{ mesh.id }}br lookup icvpn priority 23 -{% endfor %} -{% for prefix in internal_prefixes %} -ip -4 rule del from {{ prefix.ipv4 }} lookup icvpn priority 23 -ip -4 rule del to {{ prefix.ipv4 }} lookup icvpn priority 23 -ip -6 rule del from {{ prefix.ipv6 }} lookup icvpn priority 23 -ip -6 rule del to {{ prefix.ipv6 }} lookup icvpn priority 23 -{% endfor %} -{% for prefix in public_prefixes %} -ip -6 rule del from {{ prefix.ipv6 }} lookup icvpn priority 23 -ip -6 rule del to {{ prefix.ipv6 }} lookup 
icvpn priority 23 -{% endfor %} -ip -4 rule del from all oif icvpn lookup icvpn priority 23 -ip -6 rule del from all oif icvpn lookup icvpn priority 23 - -# Priority 41 - lookup rt_table internet for all incoming traffic of freifunk bridges -{% for mesh in meshes %} -ip -6 rule del from all oif {{ mesh.id }}br lookup internet priority 41 -{% endfor %} -{% for prefix in internal_prefixes %} -ip -4 rule del from {{ prefix.ipv4 }} lookup internet priority 41 -ip -6 rule del from {{ prefix.ipv6 }} lookup internet priority 41 -ip -6 rule del to {{ prefix.ipv6 }} lookup internet priority 41 -{% endfor %} -{% for prefix in public_prefixes %} -ip -6 rule del from {{ prefix.ipv6 }} lookup internet priority 41 -ip -6 rule del to {{ prefix.ipv6 }} lookup internet priority 41 -{% endfor %} -ip -4 rule del from {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41 -ip -4 rule del to {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41 - -# Priority 61 - at this point this is the end of policy routing for freifunk related routes -{% for mesh in meshes %} -ip -4 rule del from all iif {{ mesh.id }}br type unreachable priority 61 -ip -6 rule del from all iif {{ mesh.id }}br type unreachable priority 61 -{% endfor %} -ip -4 rule del from all iif icvpn type unreachable priority 61 -ip -4 rule del from all iif {{ ansible_default_ipv4.interface }} type unreachable priority 61 -{% for server_id, server_value in ffrl_exit_server.items() %} -ip -4 rule del from all iif {{ server_id }} type unreachable priority 61 -ip -6 rule del from all iif {{ server_id }} type unreachable priority 61 -{% endfor %} -ip -6 rule del from all iif icvpn type unreachable priority 61 -ip -6 rule del from all iif {{ ansible_default_ipv6.interface }} type unreachable priority 61 -{% for prefix in public_prefixes %} -ip -6 rule del from {{ prefix.ipv6 }} type unreachable priority 61 -ip -6 rule del to {{ prefix.ipv6 }} type unreachable priority 61 -{% endfor %} - -# Priority 
107 - lookup policies for the gateway host self originating traffic -ip -4 rule del from all lookup mwu priority 107 -ip -4 rule del from all lookup icvpn priority 107 -ip -6 rule del from all lookup mwu priority 107 -ip -6 rule del from all lookup icvpn priority 107 -{% endif %} - -exit 0 diff --git a/roles/network-routing/templates/ffmwu-del-static-routes.sh.j2 b/roles/network-routing/templates/ffmwu-del-static-routes.sh.j2 deleted file mode 100644 index b22c5add..00000000 --- a/roles/network-routing/templates/ffmwu-del-static-routes.sh.j2 +++ /dev/null 
@@ -1,81 +0,0 @@ -#!/bin/sh -# -# {{ ansible_managed }} -# - -{% for network in my_wireguard_networks %} -{% if magic < network.remote_magic %} -/sbin/ip -4 route del {{ network.ipv4 | ipaddr('network/prefix') }} dev wg-{{ network.remote[:11] }} scope link src {{ network.ipv4 | ipaddr('address') }} table mwu -{% else %} -/sbin/ip -4 route del {{ network.ipv4 | ipaddr('network/prefix') }} dev wg-{{ network.remote[:11] }} scope link src {{ network.ipv4 | ipaddr('1') | ipaddr('address') }} table mwu -{% endif %} -{% endfor %} -{% if server_type == 'gateway' or server_type == 'monitoring' %} -{% for mesh in meshes %} -# static {{ mesh.domain_name }} routes for rt_table mwu -/sbin/ip -4 route del {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}br table mwu -{% for ula in mesh.ipv6_ula %} -/sbin/ip -6 route del {{ ula | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}br table mwu -{% endfor %} -{% for public in mesh.ipv6_public %} -/sbin/ip -6 route del {{ public | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}br table mwu -{% endfor %} -{% if mesh_gw_prefixes is defined %} -{% for public in mesh_gw_prefixes[mesh.id].ipv6_public %} -/sbin/ip -6 route del {{ public | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}br table mwu -{% endfor %} -{% endif%} -{% if not loop.last %} - -{% endif %} -{% endfor %} -{% endif %} - -{% if server_type == 'gateway' %} -# static blackhole routes for rt_table internet -/sbin/ip -4 route del blackhole 0.0.0.0/8 table internet -/sbin/ip -4 route del blackhole 10.0.0.0/8 table internet -/sbin/ip -4 route del blackhole 100.64.0.0/10 table internet -/sbin/ip -4 route del blackhole 127.0.0.0/8 table internet -/sbin/ip -4 route del blackhole 169.254.0.0/16 table internet -/sbin/ip -4 route del blackhole 172.16.0.0/12 table internet -/sbin/ip -4 route del blackhole 192.0.0.0/24 table internet -/sbin/ip -4 route del blackhole 
192.0.2.0/24 table internet -/sbin/ip -4 route del blackhole 192.88.99.0/24 table internet -/sbin/ip -4 route del blackhole 192.168.0.0/16 table internet -/sbin/ip -4 route del blackhole 198.18.0.0/15 table internet -/sbin/ip -4 route del blackhole 198.51.100.0/24 table internet -/sbin/ip -4 route del blackhole 203.0.113.0/24 table internet -/sbin/ip -4 route del blackhole 224.0.0.0/4 table internet -/sbin/ip -4 route del blackhole 240.0.0.0/4 table internet -/sbin/ip -4 route del blackhole 255.255.255.255/32 table internet -/sbin/ip -6 route del blackhole fec0::/10 table internet -/sbin/ip -6 route del blackhole fc00::/7 table internet -/sbin/ip -6 route del blackhole ff00::/8 table internet -/sbin/ip -6 route del blackhole ::/96 table internet -/sbin/ip -6 route del blackhole 0:0:0:0:0:ffff::/96 table internet - -# static blackhole routes for rt_table main -/sbin/ip -4 route del blackhole 0.0.0.0/8 table main -/sbin/ip -4 route del blackhole 10.0.0.0/8 table main -/sbin/ip -4 route del blackhole 100.64.0.0/10 table main -/sbin/ip -4 route del blackhole 127.0.0.0/8 table main -/sbin/ip -4 route del blackhole 169.254.0.0/16 table main -/sbin/ip -4 route del blackhole 172.16.0.0/12 table main -/sbin/ip -4 route del blackhole 192.0.0.0/24 table main -/sbin/ip -4 route del blackhole 192.0.2.0/24 table main -/sbin/ip -4 route del blackhole 192.88.99.0/24 table main -/sbin/ip -4 route del blackhole 192.168.0.0/16 table main -/sbin/ip -4 route del blackhole 198.18.0.0/15 table main -/sbin/ip -4 route del blackhole 198.51.100.0/24 table main -/sbin/ip -4 route del blackhole 203.0.113.0/24 table main -/sbin/ip -4 route del blackhole 224.0.0.0/4 table main -/sbin/ip -4 route del blackhole 240.0.0.0/4 table main -/sbin/ip -4 route del blackhole 255.255.255.255/32 table main -/sbin/ip -6 route del blackhole fec0::/10 table main -/sbin/ip -6 route del blackhole fc00::/7 table main -/sbin/ip -6 route del blackhole ff00::/8 table main -/sbin/ip -6 route del blackhole ::/96 table 
main -/sbin/ip -6 route del blackhole 0:0:0:0:0:ffff::/96 table main -/sbin/ip -6 route del blackhole ::/0 table main -{% endif %} diff --git a/roles/network-routing/templates/ffmwu-ip-rules.service.j2 b/roles/network-routing/templates/ffmwu-ip-rules.service.j2 deleted file mode 100644 index 0ef051ae..00000000 --- a/roles/network-routing/templates/ffmwu-ip-rules.service.j2 +++ /dev/null @@ -1,12 +0,0 @@ -[Unit] -Description=Manage Freifunk MWU IP rules -After=network-online.target - -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=/usr/local/bin/ffmwu-add-ip-rules.sh -ExecStop=/usr/local/bin/ffmwu-del-ip-rules.sh - -[Install] -WantedBy=multi-user.target diff --git a/roles/network-routing/templates/ffmwu-static-routes.service.j2 b/roles/network-routing/templates/ffmwu-static-routes.service.j2 deleted file mode 100644 index e793f812..00000000 --- a/roles/network-routing/templates/ffmwu-static-routes.service.j2 +++ /dev/null @@ -1,12 +0,0 @@ -[Unit] -Description=Manage Freifunk MWU static routes -After=network-online.target networking.service - -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=/usr/local/bin/ffmwu-add-static-routes.sh -ExecStop=/usr/local/bin/ffmwu-del-static-routes.sh - -[Install] -WantedBy=multi-user.target diff --git a/roles/network-routing/templates/policy-routing.conf.j2 b/roles/network-routing/templates/policy-routing.conf.j2 new file mode 100644 index 00000000..e69a09a2 --- /dev/null +++ b/roles/network-routing/templates/policy-routing.conf.j2 
@@ -0,0 +1,239 @@ +# +# {{ ansible_managed }} +# + +# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces + +{% if server_type == 'gateway' or server_type == 'monitoring' %} +{% for mesh in meshes %} +[RoutingPolicyRule] +Table={{ routing_tables.mwu }} +Priority=7 +OutgoingInterface={{ mesh.id }}br +Family=both + +{% endfor %} +{% endif %} +{% for network in my_wireguard_networks %} +[RoutingPolicyRule] +Table={{ routing_tables.mwu }} +Priority=7 +IncomingInterface=wg-{{ network.remote[:11] }} +Family=both + +[RoutingPolicyRule] +Table={{ routing_tables.mwu }} +Priority=7 +OutgoingInterface=wg-{{ network.remote[:11] }} +Family=both + +{% endfor %} +{% for prefix in internal_prefixes %} +[RoutingPolicyRule] +Table={{ routing_tables.mwu }} +Priority=7 +From={{ prefix.ipv4 }} + +[RoutingPolicyRule] +Table={{ routing_tables.mwu }} +Priority=7 +To={{ prefix.ipv4 }} + +[RoutingPolicyRule] +Table={{ routing_tables.mwu }} +Priority=7 +From={{ prefix.ipv6 }} + +[RoutingPolicyRule] +Table={{ routing_tables.mwu }} +Priority=7 +To={{ prefix.ipv6 }} + +{% endfor %} +{% for prefix in public_prefixes %} +[RoutingPolicyRule] +Table={{ routing_tables.mwu }} +Priority=7 +From={{ prefix.ipv6 }} + +[RoutingPolicyRule] +Table={{ routing_tables.mwu }} +Priority=7 +To={{ prefix.ipv6 }} + +{% endfor %} + +{% if server_type == 'gateway' %} +# Priority 23 - lookup rt_table icvpn for all incoming traffic of freifunk bridges + +{% for mesh in meshes %} +[RoutingPolicyRule] +Table={{ routing_tables.icvpn }} +Priority=23 +OutgoingInterface={{ mesh.id }}br +Family=both + +{% endfor %} +{% for prefix in internal_prefixes %} +[RoutingPolicyRule] +Table={{ routing_tables.icvpn }} +Priority=23 +From={{ prefix.ipv4 }} + +[RoutingPolicyRule] +Table={{ routing_tables.icvpn }} +Priority=23 +To={{ prefix.ipv4 }} + +[RoutingPolicyRule] +Table={{ routing_tables.icvpn }} +Priority=23 +From={{ prefix.ipv6 }} + +[RoutingPolicyRule] +Table={{ routing_tables.icvpn }} 
+Priority=23 +To={{ prefix.ipv6 }} + +{% endfor %} +{% for prefix in public_prefixes %} +[RoutingPolicyRule] +Table={{ routing_tables.icvpn }} +Priority=23 +From={{ prefix.ipv6 }} + +[RoutingPolicyRule] +Table={{ routing_tables.icvpn }} +Priority=23 +To={{ prefix.ipv6 }} + +{% endfor %} +[RoutingPolicyRule] +Table={{ routing_tables.icvpn }} +Priority=23 +IncomingInterface=icvpn +Family=both + +[RoutingPolicyRule] +Table={{ routing_tables.icvpn }} +Priority=23 +OutgoingInterface=icvpn +Family=both + +# Priority 41 - lookup rt_table internet for all incoming traffic of freifunk bridges + +{% for mesh in meshes %} +[RoutingPolicyRule] +Table={{ routing_tables.internet }} +Priority=41 +OutgoingInterface={{ mesh.id }}br +Family=both + +{% endfor %} +{% for prefix in internal_prefixes %} +[RoutingPolicyRule] +Table={{ routing_tables.internet }} +Priority=41 +From={{ prefix.ipv4 }} + +[RoutingPolicyRule] +Table={{ routing_tables.internet }} +Priority=41 +From={{ prefix.ipv6 }} + +[RoutingPolicyRule] +Table={{ routing_tables.internet }} +Priority=41 +To={{ prefix.ipv6 }} + +{% endfor %} +{% for prefix in public_prefixes %} +[RoutingPolicyRule] +Table={{ routing_tables.internet }} +Priority=41 +From={{ prefix.ipv6 }} + +[RoutingPolicyRule] +Table={{ routing_tables.internet }} +Priority=41 +To={{ prefix.ipv6 }} + +{% endfor %} +[RoutingPolicyRule] +Table={{ routing_tables.internet }} +Priority=41 +From={{ ffrl_public_ipv4_nat | ipaddr('host') }} + +[RoutingPolicyRule] +Table={{ routing_tables.internet }} +Priority=41 +To={{ ffrl_public_ipv4_nat | ipaddr('host') }} + +# Priority 61 - at this point this is the end of policy routing for freifunk related routes + +{% for mesh in meshes %} +[RoutingPolicyRule] +Table={{ routing_tables.unreachable }} +Priority=61 +IncomingInterface={{ mesh.id }}br +Family=both + +{% endfor %} +[RoutingPolicyRule] +Table={{ routing_tables.unreachable }} +Priority=61 +IncomingInterface=icvpn +Family=both + +[RoutingPolicyRule] +Table={{ 
routing_tables.unreachable }} +Priority=61 +IncomingInterface={{ ansible_default_ipv4.interface }} +Family=both + +{% for server_id, server_value in ffrl_exit_server.items() %} +[RoutingPolicyRule] +Table={{ routing_tables.unreachable }} +Priority=61 +IncomingInterface={{ server_id }} +Family=both + +{% endfor %} + +{% for prefix in public_prefixes %} +[RoutingPolicyRule] +Table={{ routing_tables.unreachable }} +Priority=61 +From={{ prefix.ipv6 }} + +[RoutingPolicyRule] +Table={{ routing_tables.unreachable }} +Priority=61 +To={{ prefix.ipv6 }} + +{% endfor %} +# Priority 107 - lookup policies for the gateway host self originating traffic + +[RoutingPolicyRule] +Table={{ routing_tables.mwu }} +Priority=107 +Family=both + +[RoutingPolicyRule] +Table={{ routing_tables.icvpn }} +Priority=107 +Family=both + +# workaround until networkd supports the unreachable type for policy routing rules + +[Route] +Destination=0.0.0.0/0 +Type=unreachable +Table=51 + +[Route] +Destination=::/0 +Type=unreachable +Table=51 + +{% endif %} diff --git a/roles/server-apt-repos/vars/main.yml b/roles/server-apt-repos/vars/main.yml index a68eaa16..25b6a396 100644 --- a/roles/server-apt-repos/vars/main.yml +++ b/roles/server-apt-repos/vars/main.yml @@ -1,8 +1,8 @@ --- repos: - name: freifunk - repo: 'deb [arch=amd64] http://repo.freifunk-mwu.de/debian {{ ansible_distribution_release }} main' + repo: 'deb [arch=amd64] http://repo.freifunk-mwu.de/debian ffmwu-systemd main' update_cache: yes - name: freifunk - repo: 'deb-src http://repo.freifunk-mwu.de/debian {{ ansible_distribution_release }} main' + repo: 'deb-src http://repo.freifunk-mwu.de/debian ffmwu-systemd main' update_cache: yes diff --git a/roles/server-basic/tasks/main.yml b/roles/server-basic/tasks/main.yml index 8c90a7bb..e97b15e7 100644 --- a/roles/server-basic/tasks/main.yml +++ b/roles/server-basic/tasks/main.yml 
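Review bot: The two `[Route]` entries at the end of the template hard-code `Table=51` while every `[RoutingPolicyRule]` above them uses `{{ routing_tables.unreachable }}`; if the inventory value ever diverges from 51, the priority-61 rules point at an empty table, the lookup fails, and traffic entering from the mesh bridges, icvpn and the exit-server interfaces falls through to the priority-107 rules and the main table instead of being rejected. Use `Table={{ routing_tables.unreachable }}` in both entries so the end-stop and the rules cannot drift apart. Separately, the priority-41 mesh-bridge rule is now `Family=both`, whereas the deleted script only installed `ip -6 rule add from all oif ...br lookup internet priority 41`; if IPv4 from the bridges is now meant to consult the internet table, a comment on that rule stating so would help, since the "which traffic may reach main" semantics are the whole point of this file.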
@@ -27,6 +27,18 @@ name: "{{ additional_packages }}" state: present +- name: install libzstd1 from backports + apt: + name: libzstd1 + state: latest + default_release: "{{ ansible_distribution_release + '-backports' }}" + +- name: install systemd from ffmwu repo + apt: + name: systemd + state: latest + default_release: "ffmwu-systemd" + - name: ensure vim is default editor alternatives: name: editor @@ -138,6 +150,19 @@ notify: - reload systemd +- name: create overlay folder for primary interface + file: + path: "/etc/systemd/network/{{ ansible_default_ipv4.interface }}.network.d" + state: directory + owner: root + group: root + +- name: start and enable systemd unit systemd-networkd + systemd: + name: systemd-networkd + enabled: yes + state: started + - name: configure local nameserver check when: "'mail' in group_names or 'gateways' in group_names" block: diff --git a/roles/server-basic/vars/main.yml b/roles/server-basic/vars/main.yml index b58480fc..5ae170fa 100644 --- a/roles/server-basic/vars/main.yml +++ b/roles/server-basic/vars/main.yml @@ -5,7 +5,6 @@ packages: - debian-goodies - dnsutils - ethtool - - ifupdown2 - man-db - mlocate - moreutils diff --git a/roles/service-fastd-backbone/meta/main.yml b/roles/service-fastd-backbone/meta/main.yml index 2f66f754..994445a6 100644 --- a/roles/service-fastd-backbone/meta/main.yml +++ b/roles/service-fastd-backbone/meta/main.yml @@ -1,5 +1,5 @@ --- dependencies: - { role: git-repos } - - { role: network-fastd } + - { role: network-mesh } - { role: service-fastd } diff --git a/roles/service-fastd-backbone/templates/fastd-backbone.conf.j2 b/roles/service-fastd-backbone/templates/fastd-backbone.conf.j2 index c2388e56..96bba4c6 100644 --- a/roles/service-fastd-backbone/templates/fastd-backbone.conf.j2 +++ b/roles/service-fastd-backbone/templates/fastd-backbone.conf.j2 
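Review bot: Both new apt tasks in the first hunk use `state: latest` — `libzstd1` from backports and `systemd` from the `ffmwu-systemd` suite — so every playbook run silently upgrades a core package to whatever that repository currently publishes; pinning the version (or `state: present` plus a deliberate upgrade task) keeps systemd under change control, and since the suite name in server-apt-repos is now fixed rather than tied to `ansible_distribution_release`, a future distribution upgrade would not be noticed by the repo line either. In the second hunk, `create overlay folder for primary interface` sets `owner`/`group` but no `mode`; add `mode: 0755` so the directory permissions do not depend on the umask of the Ansible run.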
@@ -38,6 +38,6 @@ peer group "servers" { {% endif %} } -on up "/bin/systemctl reload networking"; +on up "/usr/bin/networkctl reconfigure {{ item.0.id }}bat"; status socket "/var/run/fastd-{{ item.0.id }}igvpn-{{ item.1.mtu }}.status"; diff --git a/roles/service-fastd-mesh/meta/main.yml b/roles/service-fastd-mesh/meta/main.yml index 924e8d34..efb60edb 100644 --- a/roles/service-fastd-mesh/meta/main.yml +++ b/roles/service-fastd-mesh/meta/main.yml @@ -2,6 +2,6 @@ dependencies: - { role: golang } - { role: git-repos } - - { role: network-fastd } + - { role: network-mesh } - { role: service-fastd } - { role: service-nginx } diff --git a/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 b/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 index df3e79bb..3dda257c 100644 --- a/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 +++ b/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2 @@ -20,7 +20,7 @@ secret "{{ lookup('passwordstore', item.1.pass + '/' + inventory_hostname_short mtu {{ item.1.mtu }}; -on up "/bin/systemctl reload networking"; +on up "/usr/bin/networkctl reconfigure {{ item.0.id }}bat"; on verify "{{ gopath }}/bin/fastd-limiter verify $PEER_KEY"; diff --git a/roles/wireguard/handlers/main.yml b/roles/wireguard/handlers/main.yml index 191d07d1..ba4c4dbb 100644 --- a/roles/wireguard/handlers/main.yml +++ b/roles/wireguard/handlers/main.yml @@ -1,5 +1,5 @@ --- -- name: reload network interfaces +- name: restart networkd systemd: - name: networking - state: reloaded + name: systemd-networkd + state: restarted diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml index 8e432650..cfe15a35 100644 --- a/roles/wireguard/tasks/main.yml +++ b/roles/wireguard/tasks/main.yml 
@@ -69,45 +69,35 @@ name: "{{ wireguard_packages }}" state: "present" -- name: Ensure WireGuard directory exists. - file: - path: "/etc/wireguard" - state: "directory" - owner: "root" - group: "root" - mode: "0640" - - name: Register the WireGuard public + private key. set_fact: wireguard_public_key: "{{ lookup('passwordstore', 'wireguard/' + inventory_hostname_short + ' subkey=public') }}" wireguard_private_key: "{{ lookup('passwordstore', 'wireguard/' + inventory_hostname_short + ' subkey=private') }}" no_log: True -- name: Write the WireGuard private key. - copy: - content: "{{ wireguard_private_key }}" - dest: "/etc/wireguard/wg.priv" - owner: "root" - group: "root" - mode: "0600" - -- name: Write the WireGuard config. +- name: Write the wireguard.netdev template: - src: "wg.conf.j2" - dest: "/etc/wireguard/wg-{{ item.remote[:11] }}.conf" + src: "wireguard.netdev.j2" + dest: "/etc/systemd/network/wg-{{ item.remote[:11] }}.netdev" owner: root - group: root + group: systemd-network mode: 0640 loop: "{{ my_wireguard_networks }}" + loop_control: + label: "{{ item.remote }}" + notify: restart networkd -- name: Configure the WireGuard interface config. +- name: Write the wireguard.network template: - src: "wireguard.j2" - dest: "/etc/network/interfaces.d/wireguard" + src: "wireguard.network.j2" + dest: "/etc/systemd/network/wg-{{ item.remote[:11] }}.network" owner: "root" group: "root" mode: "0644" - notify: reload network interfaces + loop: "{{ my_wireguard_networks }}" + loop_control: + label: "{{ item.remote }}" + notify: restart networkd - name: flush handlers meta: flush_handlers diff --git a/roles/wireguard/templates/wg.conf.j2 b/roles/wireguard/templates/wg.conf.j2 deleted file mode 100644 index 732680cf..00000000 --- a/roles/wireguard/templates/wg.conf.j2 +++ /dev/null 
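Review bot: The `Write the wireguard.netdev` task renders `wireguard_private_key` into the unit file but carries no `no_log`, so a run with `--diff`, `-v` or a template failure prints the private key into the Ansible output and any log collecting it — the `set_fact` task directly above has `no_log: True` for exactly this reason. Add `no_log: True` (or at minimum `diff: false`) to that task. The 0640 root:systemd-network permission on the .netdev is right since networkd has to read the key, and the `.network` file correctly stays 0644 as it holds nothing sensitive.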
@@ -1,12 +0,0 @@ -# {{ ansible_managed }} -# -# {{ inventory_hostname }} wg_{{ item.remote[:13] }} configuration -# -[Interface] -PrivateKey = {{ wireguard_private_key }} -ListenPort = {{ item.port }} - -[Peer] -Endpoint = {{ lookup('dig', item.remote_hostname, 'qtype=AAAA') | ipwrap }}:{{ item.port }} -PublicKey = {{ lookup('passwordstore', 'wireguard/' + item.remote + ' subkey=public') }} -AllowedIPs = 0.0.0.0/0,::/0 diff --git a/roles/wireguard/templates/wireguard.j2 b/roles/wireguard/templates/wireguard.j2 deleted file mode 100644 index 28ac5973..00000000 --- a/roles/wireguard/templates/wireguard.j2 +++ /dev/null @@ -1,24 +0,0 @@ -# -# {{ ansible_managed }} -# -{% for network in my_wireguard_networks %} -auto wg-{{ network.remote[:11] }} -iface wg-{{ network.remote[:11] }} - mtu 1420 -{% if server_type == 'gateway' %} - ip-forward on - ip6-forward on -{% endif %} - ipv6-addrgen off -{% if magic < network.remote_magic %} - address {{ network.ipv4 | ipaddr('ip/prefix') }} -{% else %} - address {{ network.ipv4 | ipaddr('1') | ipaddr('ip/prefix') }} -{% endif %} - address {{ 'fe80::/64' | ipaddr(magic) | ipaddr('ip/prefix') }} - pre-up ip link add dev $IFACE type wireguard - pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf - post-up ip link set up dev $IFACE - post-down ip link del $IFACE - -{% endfor %} diff --git a/roles/wireguard/templates/wireguard.netdev.j2 b/roles/wireguard/templates/wireguard.netdev.j2 new file mode 100644 index 00000000..e2846252 --- /dev/null +++ b/roles/wireguard/templates/wireguard.netdev.j2 @@ -0,0 +1,17 @@ +# +# {{ ansible_managed }} +# +[NetDev] +Name=wg-{{ item.remote[:11] }} +Kind=wireguard +MTUBytes=1420 + +[WireGuard] +ListenPort={{ item.port }} +PrivateKey={{ wireguard_private_key }} + +[WireGuardPeer] +Endpoint={{ lookup('dig', item.remote_hostname, 'qtype=AAAA') | ipwrap }}:{{ item.port }} +PublicKey={{ lookup('passwordstore', 'wireguard/' + item.remote + ' subkey=public') }} +AllowedIPs=0.0.0.0/0 +AllowedIPs=::/0 
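Review bot: `PrivateKey={{ wireguard_private_key }}` embeds the secret inline, which makes the whole `.netdev` a secret-bearing file (Ansible diffs, backups, journal output on a parse error). systemd-networkd accepts `PrivateKeyFile=`; writing the key to `/etc/systemd/network/wg-{{ item.remote[:11] }}.key` (root:systemd-network, 0640) and referencing it with `PrivateKeyFile=/etc/systemd/network/wg-{{ item.remote[:11] }}.key` keeps the unit itself non-secret. Separately, `lookup('dig', item.remote_hostname, 'qtype=AAAA')` appears to return the literal string `NXDOMAIN` when no AAAA record exists, so the template would render `Endpoint=NXDOMAIN:{{ item.port }}` and networkd would reject the peer at runtime; asserting the lookup result is an IPv6 address before templating fails the play early instead.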
diff --git a/roles/wireguard/templates/wireguard.network.j2 b/roles/wireguard/templates/wireguard.network.j2 new file mode 100644 index 00000000..26fa6878 --- /dev/null +++ b/roles/wireguard/templates/wireguard.network.j2 @@ -0,0 +1,24 @@ +# +# {{ ansible_managed }} +# +[Match] +Name=wg-{{ item.remote[:11] }} + +[Network] +{% if magic < item.remote_magic %} +Address={{ item.ipv4 | ipaddr('ip/prefix') }} +{% else %} +Address={{ item.ipv4 | ipaddr('1') | ipaddr('ip/prefix') }} +{% endif %} +Address={{ 'fe80::/64' | ipaddr(magic) | ipaddr('ip/prefix') }} +IPForward=yes + +[Route] +Destination={{ item.ipv4 | ipaddr('network/prefix') }} +{% if magic < item.remote_magic %} +PreferredSource={{ item.ipv4 | ipaddr('address') }} +{% else %} +PreferredSource={{ item.ipv4 | ipaddr('1') | ipaddr('address') }} +{% endif %} +Scope=link +Table={{ routing_tables.mwu }}
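Review bot: `IPForward=yes` is unconditional here, whereas the ifupdown template this file replaces only enabled `ip-forward`/`ip6-forward` under `{% if server_type == 'gateway' %}`, so any non-gateway host that gets the wireguard role now has forwarding enabled. Per the systemd.network manual, `IPForward=` on a `.network` flips the kernel-global `net.ipv4.ip_forward` / `net.ipv6.conf.all.forwarding` sysctls, not a per-interface setting, so such a host becomes a router for anything reaching it unless its FORWARD chain defaults to DROP. Restore the guard: `{% if server_type == 'gateway' %}`, `IPForward=yes`, `{% endif %}`.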
