authorChristian Pointner <equinox@spreadspace.org>2021-03-28 04:43:59 +0200
committerChristian Pointner <equinox@spreadspace.org>2021-03-28 04:43:59 +0200
commit16ebb1d6cacbe1c0de76dc2a688382daaf96f7d9 (patch)
tree68715b499f2a1c275192184f75a1106223c576b7
parentupgrade standalone kubelets (diff)
add network zone settings for GLT and playbooks for gateways
-rw-r--r--inventory/group_vars/glt-live/network.yml76
-rw-r--r--inventory/host_vars/ele-orpheum.yml1
-rw-r--r--inventory/host_vars/ele-router.yml2
-rw-r--r--inventory/host_vars/ele-tub.yml1
-rw-r--r--inventory/host_vars/glt-gw-r3.yml147
-rw-r--r--inventory/host_vars/glt-gw-tug.yml177
-rw-r--r--inventory/hosts.ini10
-rw-r--r--roles/openwrt/image/defaults/main.yml2
-rw-r--r--roles/openwrt/image/tasks/main.yml6
-rw-r--r--spreadspace/glt-gw-r3.yml8
-rw-r--r--spreadspace/glt-gw-tug.yml8
11 files changed, 438 insertions, 0 deletions
diff --git a/inventory/group_vars/glt-live/network.yml b/inventory/group_vars/glt-live/network.yml
new file mode 100644
index 00000000..c528dd20
--- /dev/null
+++ b/inventory/group_vars/glt-live/network.yml
@@ -0,0 +1,76 @@
+---
+network_zones:
+ r3_lan:
+ description: "realraum LAN, Internetuplink via Magenta"
+ vlan: 127
+ prefix: 192.168.127.0/24
+ gateway: 192.168.127.254
+ dns:
+ - 192.168.127.254
+ dhcp:
+ start: 1
+ limit: 149
+ offsets:
+ # Saal 1
+ glt-s1mod: 150
+ glt-s1slide: 151
+ glt-s1speak1: 152
+ glt-s1speak2: 153
+ glt-s1info: 154
+ glt-dione: 155
+ glt-calypso: 156
+ glt-s1atemctl: 157
+ glt-s1atem: 158
+ glt-s1switch: 159
+ # Saal 2
+ glt-s2mod: 160
+ glt-s2slide: 161
+ glt-s2speak: 162
+ glt-s2info: 163
+ glt-helene: 165
+ glt-telesto: 166
+ glt-s2atemctl: 167
+ glt-s2atem: 168
+ glt-s2switch: 169
+ # Saal 3
+ glt-s3mod: 170
+ glt-s3slide: 171
+ glt-s3speak: 172
+ glt-s3info: 173
+ glt-datacop: 175
+ glt-thetys: 176
+ glt-s3atemctl: 177
+ glt-s3atem: 178
+ glt-s3switch: 179
+ # misc
+ equinox-t450s: 190
+ spel: 191
+ glt-gw-r3: 199
+
+ r3_pub:
+ description: "realraum LAN, Internetuplink via Funkfeuer and mur.at"
+ vlan: 127
+ # prefix: 89.106.211.32/27
+ # gateway: 89.106.211.33
+ # dns:
+ # - 89.106.211.33
+ # offsets:
+ # glt-gw-r3: 29
+ prefix: 192.168.28.0/24
+ gateway: 192.168.28.254
+ dns:
+ - 9.9.9.9
+ offsets:
+ glt-gw-r3: 61
+
+ tug_lan:
+ description: "glt@tug LAN, Internetuplink via TUG and ACOnet"
+ prefix: 192.168.27.0/24
+ gateway: 192.168.27.254
+ dns:
+ - 192.168.27.254
+ dhcp:
+ start: 1
+ limit: 199
+ offsets:
+ glt-gw-tug: 254
diff --git a/inventory/host_vars/ele-orpheum.yml b/inventory/host_vars/ele-orpheum.yml
index d181a0d6..6c50e21b 100644
--- a/inventory/host_vars/ele-orpheum.yml
+++ b/inventory/host_vars/ele-orpheum.yml
@@ -29,6 +29,7 @@ openwrt_packages_add:
- nano
- tcpdump-mini
- iperf
+ - iperf3
- mtr
- wireguard
diff --git a/inventory/host_vars/ele-router.yml b/inventory/host_vars/ele-router.yml
index fdcb66ca..520bd751 100644
--- a/inventory/host_vars/ele-router.yml
+++ b/inventory/host_vars/ele-router.yml
@@ -285,6 +285,7 @@ openwrt_packages_remove:
- odhcpd-ipv6only
openwrt_packages_add:
- kmod-ipt-nat
+ - kmod-ipt-conntrack
- haveged
- htop
- ip
@@ -292,6 +293,7 @@ openwrt_packages_add:
- nano
- tcpdump-mini
- iperf
+ - iperf3
- mtr
- iptraf-ng
- qos-scripts
diff --git a/inventory/host_vars/ele-tub.yml b/inventory/host_vars/ele-tub.yml
index 2f843d29..77a95e68 100644
--- a/inventory/host_vars/ele-tub.yml
+++ b/inventory/host_vars/ele-tub.yml
@@ -35,6 +35,7 @@ openwrt_packages_add:
- olsrd-mod-txtinfo
- tcpdump-mini
- iperf
+ - iperf3
- mtr
diff --git a/inventory/host_vars/glt-gw-r3.yml b/inventory/host_vars/glt-gw-r3.yml
new file mode 100644
index 00000000..ae12896f
--- /dev/null
+++ b/inventory/host_vars/glt-gw-r3.yml
@@ -0,0 +1,147 @@
+---
+openwrt_variant: openwrt
+openwrt_release: 19.07.7
+openwrt_arch: x86
+openwrt_target: geode
+openwrt_profile: Generic
+openwrt_output_image_suffixes:
+ - "combined-ext4.img.gz"
+
+openwrt_packages_remove:
+ - ppp
+ - ppp-mod-pppoe
+ - firewall
+ - dnsmasq
+ - odhcpd-ipv6only
+openwrt_packages_add:
+ - kmod-ipt-nat
+ - kmod-ipt-conntrack
+ - haveged
+ - htop
+ - ip
+ - less
+ - nano
+ - tcpdump-mini
+ - iperf
+ - iperf3
+ - mtr
+
+
+openwrt_mixin:
+ /etc/dropbear/authorized_keys:
+ content: "{{ ssh_keys_root | join('\n') }}\n"
+
+ /etc/htoprc:
+ file: "{{ global_files_dir }}/common/htoprc"
+
+ /etc/rc.d/S22network-fw:
+ link: "../init.d/network-fw"
+
+ /etc/rc.d/K92network-fw:
+ link: "../init.d/network-fw"
+
+ /etc/init.d/network-fw:
+ mode: "0755"
+ content: |
+ #!/bin/sh /etc/rc.common
+
+ START=22
+ STOP=91
+
+ start() {
+ WAN_IF=$(uci get network.wan.ifname)
+ LAN_IF=$(uci get network.lan.ifname)
+ LAN_IP=$(uci get network.lan.ipaddr)
+ LAN_MASK=$(uci get network.lan.netmask)
+
+ iptables -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT
+
+ ### external incoming
+ iptables -A INPUT -i "$WAN_IF" -p icmp -j ACCEPT
+ iptables -A INPUT -i "$WAN_IF" -p tcp --dport {{ ansible_port }} -j ACCEPT
+ iptables -A INPUT -i "$WAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+ ### internal
+ iptables -A INPUT -i "$LAN_IF" -p udp --dport 67 --sport 68 -j ACCEPT
+ iptables -A INPUT -i "$LAN_IF" -p udp --dport 53 -d "$LAN_IP" -s "$LAN_IP/$LAN_MASK" -j ACCEPT
+ iptables -A INPUT -i "$LAN_IF" -p tcp --dport 53 -d "$LAN_IP" -s "$LAN_IP/$LAN_MASK" -j ACCEPT
+
+ iptables -A INPUT -i "$LAN_IF" -p icmp -d "$LAN_IP" -s "$LAN_IP/$LAN_MASK" -j ACCEPT
+ iptables -A INPUT -i "$LAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+ iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_IP/$LAN_MASK" -j ACCEPT
+ iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_IP/$LAN_MASK" -j MASQUERADE
+
+ ### default policies
+ iptables -P INPUT DROP
+ iptables -P FORWARD DROP
+ }
+
+ stop() {
+ iptables -P INPUT ACCEPT
+ iptables -F INPUT
+ iptables -P FORWARD ACCEPT
+ iptables -F FORWARD
+ iptables -t nat -F POSTROUTING
+ }
+
+openwrt_uci:
+ system:
+ - name: system
+ options:
+ hostname: '{{ host_name }}'
+ timezone: 'CET-1CEST,M3.5.0,M10.5.0/3'
+ ttylogin: '0'
+ log_size: '64'
+ urandom_seed: '0'
+
+ - name: timeserver 'ntp'
+ options:
+ enabled: '1'
+ enable_server: '0'
+ server:
+ - '0.lede.pool.ntp.org'
+ - '1.lede.pool.ntp.org'
+ - '2.lede.pool.ntp.org'
+ - '3.lede.pool.ntp.org'
+
+ dropbear:
+ - name: dropbear
+ options:
+ PasswordAuth: 'off'
+ RootPasswordAuth: 'off'
+ Port: '{{ ansible_port }}'
+
+ network:
+ - name: globals 'globals'
+ options:
+ ula_prefix: "fc{{ '%02x:%04x:%04x' | format((255 | random(seed=inventory_hostname + '0')), (65535 | random(seed=inventory_hostname + '1')), (65535 | random(seed=inventory_hostname + '2'))) }}::/48"
+
+ - name: interface 'loopback'
+ options:
+ ifname: lo
+ proto: static
+ ipaddr: 127.0.0.1
+ netmask: 255.0.0.0
+
+ - name: interface 'wan'
+ options:
+ ifname: eth0
+ proto: static
+ ipaddr: "{{ network_zones.r3_pub.prefix | ipaddr(network_zones.r3_pub.offsets[inventory_hostname]) | ipaddr('address') }}"
+ netmask: "{{ network_zones.r3_pub.prefix | ipaddr('netmask') }}"
+ gateway: "{{ network_zones.r3_pub.gateway }}"
+ dns: "{{ network_zones.r3_pub.dns }}"
+
+ - name: interface 'lan'
+ options:
+ ifname: eth1
+ proto: static
+ ipaddr: "{{ network_zones.r3_lan.prefix | ipaddr(network_zones.r3_lan.offsets[inventory_hostname]) | ipaddr('address') }}"
+ netmask: "{{ network_zones.r3_lan.prefix | ipaddr('netmask') }}"
+
+ - name: interface 'unused'
+ options:
+ ifname: eth2
+ proto: none
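Review bot: The network-fw script in the `/etc/init.d/network-fw` mixin only ever touches `iptables`, so with the `firewall` package removed nothing sets an IPv6 policy and the ip6 INPUT/FORWARD chains keep the kernel default ACCEPT; the dropbear listener on `{{ ansible_port }}` is then reachable at least via link-local IPv6 from whatever shares the WAN segment, and any forwarded v6 traffic is unfiltered (whether `ip6tables` is on this image cannot be seen here — if not, it needs to be added to `openwrt_packages_add`). A second, smaller point: `start()` appends without flushing, so a bare re-run of `start` duplicates every rule; an initial `iptables -F INPUT; iptables -F FORWARD; iptables -t nat -F POSTROUTING` would make it idempotent. Finally, dnsmasq and odhcpd-ipv6only are removed on this host (lines 166–167), so the LAN accept rules for udp/67 and tcp/udp 53 are dead on glt-gw-r3 — harmless, but a comment such as `# no DHCP/DNS server on gw-r3; kept for parity with gw-tug` would stop the next reader from looking for the listener.
```yaml
  /etc/init.d/network-fw:
    mode: "0755"
    content: |
      #!/bin/sh /etc/rc.common
      # … unchanged: START/STOP, IPv4 start() rules …

          ### IPv6: mirror the IPv4 policy so the chains do not stay at ACCEPT
          ip6tables -A INPUT -i lo -j ACCEPT
          ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
          ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
          ip6tables -P INPUT DROP
          ip6tables -P FORWARD DROP
      }

      stop() {
          # … unchanged: IPv4 reset …
          ip6tables -P INPUT ACCEPT
          ip6tables -F INPUT
          ip6tables -P FORWARD ACCEPT
          ip6tables -F FORWARD
      }
```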
diff --git a/inventory/host_vars/glt-gw-tug.yml b/inventory/host_vars/glt-gw-tug.yml
new file mode 100644
index 00000000..33ebb757
--- /dev/null
+++ b/inventory/host_vars/glt-gw-tug.yml
@@ -0,0 +1,177 @@
+---
+openwrt_variant: openwrt
+openwrt_release: 19.07.7
+openwrt_arch: x86
+openwrt_target: 64
+openwrt_profile: Generic
+openwrt_output_image_suffixes:
+ - "combined-ext4.img.gz"
+
+openwrt_packages_remove:
+ - ppp
+ - ppp-mod-pppoe
+ - firewall
+openwrt_packages_add:
+ - kmod-ipt-nat
+ - kmod-ipt-conntrack
+ - haveged
+ - htop
+ - ip
+ - less
+ - nano
+ - tcpdump-mini
+ - iperf
+ - iperf3
+ - mtr
+
+
+openwrt_mixin:
+ /etc/dropbear/authorized_keys:
+ content: "{{ ssh_keys_root | join('\n') }}\n"
+
+ /etc/htoprc:
+ file: "{{ global_files_dir }}/common/htoprc"
+
+ /etc/rc.d/S22network-fw:
+ link: "../init.d/network-fw"
+
+ /etc/rc.d/K92network-fw:
+ link: "../init.d/network-fw"
+
+ /etc/init.d/network-fw:
+ mode: "0755"
+ content: |
+ #!/bin/sh /etc/rc.common
+
+ START=22
+ STOP=91
+
+ start() {
+ WAN_IF=$(uci get network.wan.ifname)
+ LAN_IF="br-lan"
+ LAN_IP=$(uci get network.lan.ipaddr)
+ LAN_MASK=$(uci get network.lan.netmask)
+
+ iptables -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT
+
+ ### external incoming
+ iptables -A INPUT -i "$WAN_IF" -p icmp -j ACCEPT
+ iptables -A INPUT -i "$WAN_IF" -p tcp --dport {{ ansible_port }} -j ACCEPT
+ iptables -A INPUT -i "$WAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+ ### internal
+ iptables -A INPUT -i "$LAN_IF" -p udp --dport 67 --sport 68 -j ACCEPT
+ iptables -A INPUT -i "$LAN_IF" -p udp --dport 53 -d "$LAN_IP" -s "$LAN_IP/$LAN_MASK" -j ACCEPT
+ iptables -A INPUT -i "$LAN_IF" -p tcp --dport 53 -d "$LAN_IP" -s "$LAN_IP/$LAN_MASK" -j ACCEPT
+
+ iptables -A INPUT -i "$LAN_IF" -p icmp -d "$LAN_IP" -s "$LAN_IP/$LAN_MASK" -j ACCEPT
+ iptables -A INPUT -i "$LAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+ iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_IP/$LAN_MASK" -j ACCEPT
+ iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_IP/$LAN_MASK" -j MASQUERADE
+
+ ### default policies
+ iptables -P INPUT DROP
+ iptables -P FORWARD DROP
+ }
+
+ stop() {
+ iptables -P INPUT ACCEPT
+ iptables -F INPUT
+ iptables -P FORWARD ACCEPT
+ iptables -F FORWARD
+ iptables -t nat -F POSTROUTING
+ }
+
+openwrt_uci:
+ system:
+ - name: system
+ options:
+ hostname: '{{ host_name }}'
+ timezone: 'CET-1CEST,M3.5.0,M10.5.0/3'
+ ttylogin: '0'
+ log_size: '64'
+ urandom_seed: '0'
+
+ - name: timeserver 'ntp'
+ options:
+ enabled: '1'
+ enable_server: '0'
+ server:
+ - '0.lede.pool.ntp.org'
+ - '1.lede.pool.ntp.org'
+ - '2.lede.pool.ntp.org'
+ - '3.lede.pool.ntp.org'
+
+ dropbear:
+ - name: dropbear
+ options:
+ PasswordAuth: 'off'
+ RootPasswordAuth: 'off'
+ Port: '{{ ansible_port }}'
+
+ dhcp:
+ - name: dnsmasq
+ options:
+ domainneeded: '1'
+ boguspriv: '0'
+ filterwin2k: '0'
+ localise_queries: '1'
+ rebind_protection: '0'
+ rebind_localhost: '1'
+ local: '/lan/'
+ domain: 'lan'
+ expandhosts: '1'
+ nonegcache: '0'
+ authoritative: '1'
+ readethers: '1'
+ leasefile: '/tmp/dhcp.leases'
+ resolvfile: '/tmp/resolv.conf.auto'
+ localservice: '1'
+
+ - name: odhcpd 'odhcpd'
+ options:
+ maindhcp: '0'
+ leasefile: '/tmp/hosts/odhcpd'
+ leasetrigger: '/usr/sbin/odhcpd-update'
+
+ - name: dhcp 'wan'
+ options:
+ interface: 'wan'
+ ignore: '1'
+
+ - name: dhcp 'lan'
+ options:
+ interface: 'lan'
+ start: "{{ network_zones.tug_lan.dhcp.start }}"
+ limit: "{{ network_zones.tug_lan.dhcp.limit }}"
+ leasetime: "{{ network_zones.tug_lan.dhcp.leasetime | default('12h') }}"
+ dhcpv6: 'disabled'
+ ra: 'disabled'
+
+ network:
+ - name: globals 'globals'
+ options:
+ ula_prefix: "fc{{ '%02x:%04x:%04x' | format((255 | random(seed=inventory_hostname + '0')), (65535 | random(seed=inventory_hostname + '1')), (65535 | random(seed=inventory_hostname + '2'))) }}::/48"
+
+ - name: interface 'loopback'
+ options:
+ ifname: lo
+ proto: static
+ ipaddr: 127.0.0.1
+ netmask: 255.0.0.0
+
+ - name: interface 'lan'
+ options:
+ type: bridge
+ ifname: "eth0 eth1 eth2 eth3 eth4"
+ proto: static
+ ipaddr: "{{ network_zones.tug_lan.prefix | ipaddr(network_zones.tug_lan.offsets[inventory_hostname]) | ipaddr('address') }}"
+ netmask: "{{ network_zones.tug_lan.prefix | ipaddr('netmask') }}"
+
+ - name: interface 'wan'
+ options:
+ ifname: eth5
+ proto: dhcp
+ macaddr: 00:11:22:33:44:55
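Review bot: `rebind_protection: '0'` in the dnsmasq section switches off the DNS-rebinding filter for every client on tug_lan, and since this host keeps dnsmasq and answers for the LAN (`localservice: '1'`, lan DNS is the gateway itself per network.yml), upstream answers pointing at RFC1918 space are handed straight to browsers on the event network; if some zone legitimately needs private answers, keep `rebind_protection: '1'` and allowlist it with `rebind_domain: ['that.zone']` instead. The WAN `macaddr: 00:11:22:33:44:55` reads like a placeholder rather than a registered address — it is baked into the flashed image, so it should be confirmed (and ideally carry a comment naming where the real value comes from) before the first build. The network-fw script here is the same IPv4-only script as on glt-gw-r3, so the missing ip6tables policy applies to this host too; the uplink is DHCP on eth5, so what IPv6 it receives cannot be judged from the inventory alone.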
diff --git a/inventory/hosts.ini b/inventory/hosts.ini
index 06c4fc47..919a687e 100644
--- a/inventory/hosts.ini
+++ b/inventory/hosts.ini
@@ -139,6 +139,16 @@ env_group=spreadspace
[glt-live]
glt-coturn host_name=cdn13
+[glt-live:children]
+glt-live-r3
+glt-live-tug
+
+[glt-live-r3]
+glt-gw-r3 host_name=gw-r3
+
+[glt-live-tug]
+glt-gw-tug host_name=gw-tug
+
###############################
# environment: dan
diff --git a/roles/openwrt/image/defaults/main.yml b/roles/openwrt/image/defaults/main.yml
index e32d817f..a0d888ec 100644
--- a/roles/openwrt/image/defaults/main.yml
+++ b/roles/openwrt/image/defaults/main.yml
@@ -15,3 +15,5 @@ openwrt_output_image_suffixes:
openwrt_packages_remove: []
openwrt_packages_add: []
openwrt_packages_extra: []
+
+openwrt_keep_temporary_build_dir: false
diff --git a/roles/openwrt/image/tasks/main.yml b/roles/openwrt/image/tasks/main.yml
index 82a1c50d..c029f4c7 100644
--- a/roles/openwrt/image/tasks/main.yml
+++ b/roles/openwrt/image/tasks/main.yml
@@ -53,6 +53,12 @@
dest: "{{ openwrt_output_dir }}/build-stderr.log"
- name: Delete the temporary build directory
+ when: not openwrt_keep_temporary_build_dir
file:
path: "{{ openwrt_imgbuilder_dir }}"
state: absent
+
+ - name: print temporary build directory information
+ when: openwrt_keep_temporary_build_dir
+ debug:
+ msg: "The temporary build directory has not been deleted, the path to the directory is: {{ openwrt_imgbuilder_dir }}"
diff --git a/spreadspace/glt-gw-r3.yml b/spreadspace/glt-gw-r3.yml
new file mode 100644
index 00000000..c3123092
--- /dev/null
+++ b/spreadspace/glt-gw-r3.yml
@@ -0,0 +1,8 @@
+---
+- name: Basic Setup
+ hosts: glt-gw-r3
+ connection: local
+ gather_facts: no
+
+ roles:
+ - role: openwrt/image
diff --git a/spreadspace/glt-gw-tug.yml b/spreadspace/glt-gw-tug.yml
new file mode 100644
index 00000000..f9e40e2e
--- /dev/null
+++ b/spreadspace/glt-gw-tug.yml
@@ -0,0 +1,8 @@
+---
+- name: Basic Setup
+ hosts: glt-gw-tug
+ connection: local
+ gather_facts: no
+
+ roles:
+ - role: openwrt/image