Diffstat (limited to 'inventory/host_vars/ch-mz-router.yml')
-rw-r--r--inventory/host_vars/ch-mz-router.yml276
1 files changed, 276 insertions, 0 deletions
diff --git a/inventory/host_vars/ch-mz-router.yml b/inventory/host_vars/ch-mz-router.yml
new file mode 100644
index 00000000..c798623b
--- /dev/null
+++ b/inventory/host_vars/ch-mz-router.yml
@@ -0,0 +1,276 @@
+---
+openwrt_arch: ath79
+openwrt_target: generic
+openwrt_profile: tplink_tl-wdr4300-v1
+openwrt_output_image_suffixes:
+ - "{{ openwrt_target }}-{{ openwrt_profile }}-squashfs-sysupgrade.bin"
+
+openwrt_packages_remove:
+ - ppp
+ - ppp-mod-pppoe
+ - firewall
+ - firewall4
+ - wpad-basic-mbedtls
+openwrt_packages_add:
+ - hostapd-mbedtls
+ - haveged
+ - htop
+ - ip
+ - less
+ - nano
+ - tcpdump-mini
+ - iperf
+ - mtr
+ - usbutils
+ - nftables
+ - kmod-nft-nat
+
+
+openwrt_mixin:
+ /etc/dropbear/authorized_keys:
+ content: "{{ ssh_keys_root | join('\n') }}\n"
+
+ /etc/htoprc:
+ file: "{{ global_files_dir }}/common/htoprc"
+
+ /usr/bin/list-stations:
+ mode: "0755"
+ file: "{{ global_files_dir }}/common/openwrt/list-stations"
+
+ /etc/rc.d/S21nftables:
+ link: "../init.d/nftables"
+
+ /etc/rc.d/K89nftables:
+ link: "../init.d/nftables"
+
+ /etc/init.d/nftables:
+ mode: "0755"
+ content: |
+ #!/bin/sh /etc/rc.common
+
+ START=21
+ STOP=89
+
+ start() {
+ nft -f /etc/nftables.conf
+ }
+
+ stop() {
+ nft flush ruleset
+ }
+
+ /etc/nftables.conf:
+ content: |
+ flush ruleset
+
+ define nic_wan = eth0.2
+ define nic_lan = br-lan
+ define prefix_lan = 192.168.2.0/24
+
+ table inet global {
+ ## INPUT
+ chain input_wan {
+ ip protocol icmp accept
+ ip6 nexthdr ipv6-icmp accept
+ tcp dport { {{ ansible_port }} } accept
+ }
+
+ chain input {
+ type filter hook input priority filter; policy drop;
+ ct state vmap { established: accept, related: accept, invalid: drop }
+ iifname vmap { lo: accept, $nic_lan: accept, $nic_wan: jump input_wan }
+ }
+
+
+ ## FORWARD
+ chain forward {
+ type filter hook forward priority filter; policy drop;
+ ct state vmap { established: accept, related: accept, invalid: drop }
+ iifname $nic_lan ip saddr $prefix_lan oifname $nic_wan accept
+ }
+
+ chain postrouting {
+ type nat hook postrouting priority srcnat; policy accept;
+ ip saddr $prefix_lan oifname $nic_wan masquerade
+ }
+ }
+
+ /etc/dyndns/update.sh:
+ mode: "0755"
+ content: |
+ #!/bin/sh
+ /usr/bin/ssh -i /etc/dyndns/id_ed25519 -p 222 dyndns@dyn.schaaas.at mzl | logger -t dyndns
+
+ /etc/crontabs/root:
+ mode: "0755"
+ content: |
+ # run dyndns update script every 10 minutes
+ */10 * * * * /etc/dyndns/update.sh > /dev/null
+
+
+openwrt_uci:
+ system:
+ - name: system
+ options:
+ hostname: '{{ host_name }}'
+ timezone: 'CET-1CEST,M3.5.0,M10.5.0/3'
+ ttylogin: '0'
+ log_size: '64'
+ urandom_seed: '0'
+
+ - name: timeserver 'ntp'
+ options:
+ enabled: '1'
+ enable_server: '1'
+ server:
+ - '0.at.pool.ntp.org'
+ - '1.at.pool.ntp.org'
+ - '2.at.pool.ntp.org'
+ - '3.at.pool.ntp.org'
+
+ dropbear:
+ - name: dropbear
+ options:
+ PasswordAuth: 'off'
+ RootPasswordAuth: 'off'
+ Port: '{{ ansible_port }}'
+
+ network:
+ - name: globals 'globals'
+ options:
+ ula_prefix: "fc{{ '%02x:%04x:%04x' | format((255 | random(seed=inventory_hostname + '0')), (65535 | random(seed=inventory_hostname + '1')), (65535 | random(seed=inventory_hostname + '2'))) }}::/48"
+
+ - name: interface 'loopback'
+ options:
+ device: lo
+ proto: static
+ ipaddr: 127.0.0.1
+ netmask: 255.0.0.0
+
+ - name: switch
+ options:
+ name: switch0
+ reset: 1
+ enable_vlan: 1
+
+ - name: switch_vlan
+ options:
+ device: switch0
+ vlan: 1
+ ports: 2 3 4 5 0t
+
+ - name: switch_vlan
+ options:
+ device: switch0
+ vlan: 2
+ ports: 1 0t
+
+ - name: device
+ options:
+ name: br-lan
+ type: bridge
+ ports:
+ - eth0.1
+
+ - name: interface 'lan'
+ options:
+ device: br-lan
+ proto: static
+ ipaddr: 192.168.2.254
+ netmask: 255.255.255.0
+
+ - name: interface 'wan'
+ options:
+ ifname: eth0.2
+ proto: dhcp
+
+ wireless:
+ - name: wifi-device 'radio5g'
+ options:
+ type: mac80211
+ channel: 40
+ band: 5g
+ country: AT
+ path: "pci0000:00/0000:00:00.0"
+ htmode: HT20
+ cell_density: 0
+ txpower: 19
+
+ - name: wifi-device 'radio2g'
+ options:
+ type: mac80211
+ channel: 11
+ band: 2g
+ country: AT
+ path: "platform/ahb/18100000.wmac"
+ htmode: HT20
+ cell_density: 0
+ txpower: 20
+
+ - name: wifi-iface wds5g
+ options:
+ device: radio5g
+ network: lan
+ mode: ap
+ wds: 1
+ disassoc_low_ack: 1
+ rsn_preauth: 1
+ ssid: "chaosWDS"
+ encryption: 'sae-mixed'
+ key: '{{ vault_wifi_keys.wds_mz }}'
+
+ - name: wifi-iface lan5g
+ options:
+ device: radio5g
+ network: lan
+ mode: ap
+ disassoc_low_ack: 1
+ rsn_preauth: 1
+ ssid: "chaos at home"
+ encryption: 'sae-mixed'
+ key: '{{ vault_wifi_keys.lan }}'
+ ieee80211r: '1'
+ mobility_domain: 'ca00'
+ ft_over_ds: '1'
+
+ - name: wifi-iface lan5gl
+ options:
+ device: radio5g
+ network: lan
+ mode: ap
+ disassoc_low_ack: 1
+ rsn_preauth: 1
+ ssid: "chaos at home"
+ encryption: 'psk2'
+ key: '{{ vault_wifi_keys.lan }}'
+ ieee80211r: '1'
+ mobility_domain: 'ca01'
+ ft_over_ds: '1'
+
+ - name: wifi-iface lan2g
+ options:
+ device: radio2g
+ network: lan
+ mode: ap
+ disassoc_low_ack: 1
+ rsn_preauth: 1
+ ssid: "chaos at home"
+ encryption: 'sae-mixed'
+ key: '{{ vault_wifi_keys.lan }}'
+ ieee80211r: '1'
+ mobility_domain: 'ca00'
+ ft_over_ds: '1'
+
+ - name: wifi-iface lan2gl
+ options:
+ device: radio2g
+ network: lan
+ mode: ap
+ disassoc_low_ack: 1
+ rsn_preauth: 1
+ ssid: "chaos at home (legacy)"
+ encryption: 'psk2'
+ key: '{{ vault_wifi_keys.lan }}'
+ ieee80211r: '1'
+ mobility_domain: 'ca01'
+ ft_over_ds: '1'
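Review bot: The `/etc/init.d/nftables` script in this file fails open: `stop()` runs `nft flush ruleset`, so the K89 shutdown link (or a manual `stop`) leaves the router with no input or forward policy, and because `nft -f` applies the whole file, including the leading `flush ruleset`, as one transaction, a parse error in the templated `/etc/nftables.conf` at boot leaves no ruleset at all, which nftables treats as accept-everything on a host whose `firewall`/`firewall4` packages are removed. At minimum `start()` should surface that condition, e.g. `nft -f /etc/nftables.conf || logger -t nftables "ruleset load failed: device is unfiltered"`, and `stop()` is better replaced by a minimal drop-policy ruleset than by a bare flush. A smaller consistency point: the `wan` interface uses `ifname: eth0.2` while `lan` uses `device: br-lan`; on OpenWrt releases that ship `firewall4`/`nftables` the `ifname` option is presumably the deprecated form, so `device: eth0.2` would match the rest of the network stanza. The dyndns cron job relies on the host key of `dyn.schaaas.at` being already known to the non-interactive ssh client; if that is not provisioned by another mixin, a pinned known_hosts entry is needed for the update to run unattended and to resist key substitution.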