authorChristian Pointner <equinox@spreadspace.org>2019-04-20 21:14:23 +0200
committerChristian Pointner <equinox@spreadspace.org>2019-04-20 21:22:59 +0200
commit2480ad755f94e0c2b1d3e5f32ac240da3cda6e21 (patch)
tree1613a01ef94a3df684dbd87026f7faa79537467f
parenthetzner smaller root lv (diff)
added mz-router
-rw-r--r--chaos-at-home/mz-router.yml6
-rw-r--r--inventory/host_vars/mz-router.yml201
-rw-r--r--inventory/hosts.ini1
3 files changed, 208 insertions, 0 deletions
diff --git a/chaos-at-home/mz-router.yml b/chaos-at-home/mz-router.yml
new file mode 100644
index 00000000..7adc9b6a
--- /dev/null
+++ b/chaos-at-home/mz-router.yml
@@ -0,0 +1,6 @@
+---
+- hosts: mz-router
+ connection: local
+ roles:
+ - role: openwrt/image
+ delegate_to: localhost
diff --git a/inventory/host_vars/mz-router.yml b/inventory/host_vars/mz-router.yml
new file mode 100644
index 00000000..d32bc9c9
--- /dev/null
+++ b/inventory/host_vars/mz-router.yml
@@ -0,0 +1,201 @@
+---
+openwrt_variant: openwrt
+openwrt_release: 18.06.2
+openwrt_arch: ar71xx
+openwrt_target: generic
+openwrt_profile: tl-wdr4300-v1
+openwrt_output_image_suffixes:
+ - "generic-{{ openwrt_profile }}-squashfs-sysupgrade.bin"
+
+openwrt_packages_remove:
+ - ppp
+ - ppp-mod-pppoe
+ - firewall
+openwrt_packages_add:
+ - haveged
+ - htop
+ - ip
+ - less
+ - nano
+ - tcpdump-mini
+ - iperf
+ - mtr
+ - usbutils
+ - kmod-ipt-nat
+ - kmod-ipt-conntrack
+
+
+openwrt_mixin:
+ /etc/dropbear/authorized_keys:
+ content: "{{ ssh_keys_root | join('\n') }}\n"
+
+ /etc/htoprc:
+ file: "{{ global_files_dir }}/common/htoprc"
+
+ /etc/rc.d/S22network-fw:
+ link: "../init.d/network-fw"
+
+ /etc/rc.d/K91network-fw:
+ link: "../init.d/network-fw"
+
+ /etc/init.d/network-fw:
+ mode: "0755"
+ content: |
+ #!/bin/sh /etc/rc.common
+
+ START=22
+ STOP=91
+
+ start() {
+ LAN_IP=$(uci get network.lan.ipaddr)
+ LAN_MASK=$(uci get network.lan.netmask)
+
+ WAN_IF=$(uci get network.wan.ifname)
+
+ iptables -A INPUT -i lo -j ACCEPT
+ iptables -A INPUT -i br-lan -j ACCEPT
+
+ iptables -A INPUT -i "$WAN_IF" -p icmp -j ACCEPT
+ iptables -A INPUT -i "$WAN_IF" -p tcp --dport 22000 -j ACCEPT
+ iptables -A INPUT -i "$WAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+ iptables -A FORWARD -i br-lan -o "$WAN_IF" -j ACCEPT
+ iptables -A FORWARD -i "$WAN_IF" -o br-lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_IP/$LAN_MASK" -j MASQUERADE
+
+ iptables -P INPUT DROP
+ iptables -P FORWARD DROP
+ }
+
+ stop() {
+ iptables -P INPUT ACCEPT
+ iptables -F INPUT
+ iptables -P FORWARD ACCEPT
+ iptables -F FORWARD
+ iptables -t nat -F POSTROUTING
+ }
+
+openwrt_uci:
+ system:
+ - name: system
+ options:
+ hostname: '{{ host_name }}'
+ timezone: 'CET-1CEST,M3.5.0,M10.5.0/3'
+ ttylogin: '0'
+ log_size: '64'
+ urandom_seed: '0'
+
+ - name: timeserver 'ntp'
+ options:
+ enabled: '1'
+ enable_server: '0'
+ server:
+ - '0.lede.pool.ntp.org'
+ - '1.lede.pool.ntp.org'
+ - '2.lede.pool.ntp.org'
+ - '3.lede.pool.ntp.org'
+
+ dropbear:
+ - name: dropbear
+ options:
+ PasswordAuth: 'off'
+ RootPasswordAuth: 'off'
+ Port: '22000'
+
+ network:
+ - name: globals 'globals'
+ options:
+ ula_prefix: "fc{{ '%02x:%04x:%04x' | format((255 | random(seed=inventory_hostname + '0')), (65535 | random(seed=inventory_hostname + '1')), (65535 | random(seed=inventory_hostname + '2'))) }}::/48"
+
+ - name: interface 'loopback'
+ options:
+ ifname: lo
+ proto: static
+ ipaddr: 127.0.0.1
+ netmask: 255.0.0.0
+
+ - name: switch
+ options:
+ name: switch0
+ reset: 1
+ enable_vlan: 1
+
+ - name: switch_vlan
+ options:
+ device: switch0
+ vlan: 1
+ ports: 2 3 4 5 0t
+
+ - name: switch_vlan
+ options:
+ device: switch0
+ vlan: 2
+ ports: 1 0t
+
+ - name: interface 'lan'
+ options:
+ ifname: eth0.1
+ force_link: 1
+ type: bridge
+ proto: static
+ ipaddr: 192.168.2.254
+ netmask: 255.255.255.0
+
+ - name: interface 'wan'
+ options:
+ ifname: eth0.2
+ proto: dhcp
+
+ wireless:
+ - name: wifi-device 'radio5g'
+ options:
+ type: mac80211
+ path: "pci0000:00/0000:00:00.0"
+ hwmode: 11a
+ htmode: HT20
+ country: AT
+ txpower: 19
+
+ - name: wifi-device 'radio2g4'
+ options:
+ type: mac80211
+ path: "platform/ar934x_wmac"
+ hwmode: 11g
+ htmode: HT20
+ channel: 4
+ country: AT
+ txpower: 20
+
+ - name: wifi-iface wds5g
+ options:
+ device: radio5g
+ network: lan
+ mode: ap
+ wds: 1
+ disassoc_low_ack: 1
+ rsn_preauth: 1
+ ssid: "chaosWDS"
+ encryption: 'psk2+ccmp'
+ key: '{{ vault_wifi_keys.wds_mz }}'
+
+ - name: wifi-iface lan5g
+ options:
+ device: radio5g
+ network: lan
+ mode: ap
+ disassoc_low_ack: 1
+ rsn_preauth: 1
+ ssid: "chaos at home"
+ encryption: 'psk2+ccmp'
+ key: '{{ vault_wifi_keys.lan }}'
+
+ - name: wifi-iface lan2g4
+ options:
+ device: radio2g4
+ network: lan
+ mode: ap
+ disassoc_low_ack: 1
+ rsn_preauth: 1
+ ssid: "chaos at home"
+ encryption: 'psk2+ccmp'
+ key: '{{ vault_wifi_keys.lan }}'
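Review bot: The firewall in the `/etc/init.d/network-fw` content installs IPv4 rules only — every line of `start()` and `stop()` calls `iptables` and there is no `ip6tables` counterpart — while the `firewall` package is dropped in `openwrt_packages_remove` and the `network` section configures an IPv6 `ula_prefix`, so the IPv6 INPUT/FORWARD chains keep their default ACCEPT policy and the dropbear listener on port 22000 (and anything else bound to `::`) is reachable from the WAN side over IPv6, at least link-local, without filtering. Mirroring the policy for IPv6 needs `ip6tables` in the image; it is in the stock 18.06 default package set as far as I can tell, but confirm the built image contains it or add it to `openwrt_packages_add` before relying on it. Since `start()` only appends (`-A`) and never flushes, running it twice also stacks duplicate rules; an `iptables -F INPUT; iptables -F FORWARD; iptables -t nat -F POSTROUTING` at the top of `start()` would make it idempotent. The rewritten `start()`/`stop()` bodies below add the IPv6 half; the IPv4 lines are unchanged.
```yaml
    content: |
      # … unchanged: shebang, START/STOP …
      start() {
        # … unchanged: LAN_IP/LAN_MASK/WAN_IF lookup and IPv4 rules/policies …
        ip6tables -A INPUT -i lo -j ACCEPT
        ip6tables -A INPUT -i br-lan -j ACCEPT
        ip6tables -A INPUT -i "$WAN_IF" -p icmpv6 -j ACCEPT
        ip6tables -A INPUT -i "$WAN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        ip6tables -P INPUT DROP
        ip6tables -P FORWARD DROP
      }

      stop() {
        # … unchanged: IPv4 policy reset and flush …
        ip6tables -P INPUT ACCEPT
        ip6tables -F INPUT
        ip6tables -P FORWARD ACCEPT
        ip6tables -F FORWARD
      }
```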
diff --git a/inventory/hosts.ini b/inventory/hosts.ini
index df885051..8a8a26d9 100644
--- a/inventory/hosts.ini
+++ b/inventory/hosts.ini
@@ -25,6 +25,7 @@ mz-chaos-at-home
[mz-chaos-at-home]
+mz-router ansible_host=chmz-router
mz-ap ansible_host=chmz-ap