From 629fa3398d7d4344204ce0cab79a35e05773e726 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Sun, 1 Sep 2024 14:50:55 +0200 Subject: rename mz-* to ch-mz-* and streamline installation --- chaos-at-home/ch-mz-ap.yml | 7 + chaos-at-home/ch-mz-router.yml | 15 ++ chaos-at-home/host_vars/mz-router.yml | 61 -------- chaos-at-home/mz-ap.yml | 7 - chaos-at-home/mz-router.yml | 14 -- inventory/host_vars/ch-mz-ap.yml | 191 +++++++++++++++++++++++ inventory/host_vars/ch-mz-router.yml | 276 +++++++++++++++++++++++++++++++++ inventory/host_vars/ch-pan.yml | 2 +- inventory/host_vars/mz-ap.yml | 191 ----------------------- inventory/host_vars/mz-router.yml | 282 ---------------------------------- inventory/hosts.ini | 8 +- 11 files changed, 494 insertions(+), 560 deletions(-) create mode 100644 chaos-at-home/ch-mz-ap.yml create mode 100644 chaos-at-home/ch-mz-router.yml delete mode 100644 chaos-at-home/host_vars/mz-router.yml delete mode 100644 chaos-at-home/mz-ap.yml delete mode 100644 chaos-at-home/mz-router.yml create mode 100644 inventory/host_vars/ch-mz-ap.yml create mode 100644 inventory/host_vars/ch-mz-router.yml delete mode 100644 inventory/host_vars/mz-ap.yml delete mode 100644 inventory/host_vars/mz-router.yml diff --git a/chaos-at-home/ch-mz-ap.yml b/chaos-at-home/ch-mz-ap.yml new file mode 100644 index 00000000..545d8c4a --- /dev/null +++ b/chaos-at-home/ch-mz-ap.yml @@ -0,0 +1,7 @@ +--- +- name: Basic Setup + hosts: ch-mz-ap + connection: local + gather_facts: no + roles: + - role: installer/openwrt/image diff --git a/chaos-at-home/ch-mz-router.yml b/chaos-at-home/ch-mz-router.yml new file mode 100644 index 00000000..65c0c2b0 --- /dev/null +++ b/chaos-at-home/ch-mz-router.yml 
@@ -0,0 +1,15 @@ +--- +- name: Basic Setup + hosts: ch-mz-router + connection: local + gather_facts: no + roles: + - role: installer/openwrt/image + post_tasks: + - pause: + prompt: | + * scp -O {{ output_images[0] }} ch-mz-router:/tmp/openwrt.bin + * ssh ch-mz-router sysupgrade -n /tmp/openwrt.bin + * ssh ch-mz-router dropbearkey -t ed25519 -f /etc/dyndns/id_ed25519 + replace the key at the dyndns server (ch-pan: /var/lib/dyndns/.ssh/authorized_keys) + after that run the dyndns update script manually to accept the ssh host-key diff --git a/chaos-at-home/host_vars/mz-router.yml b/chaos-at-home/host_vars/mz-router.yml deleted file mode 100644 index 9d5b814b..00000000 --- a/chaos-at-home/host_vars/mz-router.yml +++ /dev/null 
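Review bot: The last two bullets of the `pause` prompt make the router's dyndns SSH client trust the server's host key by a manual, interactive first run, and the cron-driven `/etc/dyndns/update.sh` (in the host_vars hunk below) cannot perform that acceptance on its own, so a skipped or mistaken acceptance only shows up as a silently failing 10-minute cron job. Shipping the expected host key for `dyn.schaaas.at` in the image through `openwrt_mixin` instead (dropbear's client reads `/root/.ssh/known_hosts`, as far as I recall) would drop the last bullet entirely and make the pinned key reviewable in this repository. The prompt additionally depends on `output_images[0]` being set by `installer/openwrt/image` and on `ch-mz-router` resolving for the operator's `scp`/`ssh`, neither of which is visible in this patch; a one-line comment above `post_tasks:` naming where `output_images` comes from would help the next reader.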
@@ -1,61 +0,0 @@
-$ANSIBLE_VAULT;1.2;AES256;chaos-at-home
-65643339366566643435323363386430633134636135383962623132373433393832663837376539
-3235323334643539356336333737646438393664336265660a393134323731336665386165613435
-33393233666434643462323235656163373365333565373566616666666339616632663464326436
-3061343337356139330a653463376366343835616237646239643338333866653530613364323638
-35336561633037366437333866306231613738336339646538373261656365386231393265363130
-37303830386562646335353462353662383636393233623962376565363435643366633733626334
-35643363306163666662353962393231643939313230343961666661333334313438653234373733
-37376530633163323462366434623532626536323830333562316239306634303731643965386233
-32383466356366613262653731663665343036373136343731393332616435636165393639643165
-30363663376236613533393333663163376332326536396465656162653961316563373861323662
-64393265636566306631323937333164613165616232393633386438316362656635383062303337
-39333932616535613230346666373635653363333761373765346237313731343166666136323734
-31383930646434306137333262376264323539383365303931353666333738666639386537353831
-63616366346336326331663938383161373837356331633265303266353738633233303039383066
-62633738376139626662366632373435373337323737336639306339653231336433333863303130
-64663964393562616635633738333139646334636433316638393835306366363238623562626134
-39643465303936633564373933343163643637616239663534666631633536613165326663663431
-37623931303461376336653562646366383836343534386366306334666330306635396561303661
-62353830666234616438383565636638663436303830356535323935653034646366396530313336
-61646137336435313138326535376339333735393931373333323561373936396664333537336361
-61646332623639663264646362393133356562616338303835336330393265663432323139356233
-66356161366564316339623835613266343233373434666462326531303361313230633638353963
-34303262653534326562623138313566646631343136393766316434663735326661623930626539
-66363066363236363965613765666362616137333035383331666163623266316434353731306366
-32623733613165653265386430663361373466396430306262353631326238396130613165656332
-34373139313063336636626461646563373531383935376436653933306333346431393833656366
-61356437333031346634616539326438613931346666346234333365303463626465353039616437
-37613433396138636534326638393966356661386662396330623234616638633333333161653735
-38386261306561383632613065653538376136306239336663356662386638623338613462353663
-62373666633333333461333963386632613137326165396433633439363938623838656665326339
-30323765613437373539333339646136633263323061653764306264316437353832313263323139
-32323633323562626661313534616263326561613030656363616461393334363833396133323266
-66386139383163386537383433396261373766653164373736323235643631656161393262383738
-61316533336662646232303936356236366436663265646131363237366463363732343964363366
-37653037303630613330333663623535663739643430333263636539613632303738653031663936
-38623665643939353733386335356161336531663333623538343332336264376663623261656633
-30333638646363356236303532363532353039323862366135653166316336623062333537366335
-31633839396461336361643465636664646164663762346236363763396263383163326465653964
-34663134623430353432646130633661636237613435323836386262333363373139376462363765
-63623638366136646265396432333339653234643532336233383461386361616630313936303162
-35626366366262623934333961653363616135313836643365613836343438353365383264623037
-31663231316462616137373435663039633434623466356266633235313865323362393636393862
-64343062336433343137316565373535666337653833353136376635666539656662373763623238
-30666532633965386264323565353431306633666364656662333631646139386138393066356238
-62653837656664333462363334373664373937333932313465353237636134626466343735633466
-31643039333866303233613762323866333264313135373130623166393339613131323537373537
-35626633373838363766623233626130646332336435316333323439613636373536343233633137
-30363863656465636635633936356165386633653637333932396164653835313163376363616133 -35376637376630636336386538353235353364313464313231633663616536323532336432376232 -64396234303332313134366133643664643165393932323361616666383162303337626663396131 -35613865373635303834373062666539386462663238383332616565303866316239613361373661 -37346162623764336332663431303664343430366562633361623566356266616534656562363833 -63366238656261646564306133623433306663376531373563363032303938303538356630636466 -30616630306334616237346661346235376133303538306638663631376163383138636365326230 -32376139373030303239376631316166393363613465323436633932376463303531386161313264 -65323261326232366332396335386639313735353135356139343937386232653737393565376639 -31363530313038306131383236396364666165393837343538316539336263333663643031623136 -30316436633662353162363836633238613833613530613762383662653435393263626161373938 -61613133643937346433643862326165326233363335656431663064336165383462623636383334 -63313438346136633461 diff --git a/chaos-at-home/mz-ap.yml b/chaos-at-home/mz-ap.yml deleted file mode 100644 index 46b0aa88..00000000 --- a/chaos-at-home/mz-ap.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: Basic Setup - hosts: mz-ap - connection: local - gather_facts: no - roles: - - role: installer/openwrt/image diff --git a/chaos-at-home/mz-router.yml b/chaos-at-home/mz-router.yml deleted file mode 100644 index 8f4f056f..00000000 --- a/chaos-at-home/mz-router.yml +++ /dev/null @@ -1,14 +0,0 @@ ---- -- name: Basic Setup - hosts: mz-router - connection: local - gather_facts: no - roles: - - role: installer/openwrt/image - post_tasks: - - pause: - prompt: "\n****** copy and install image onto router and wait for it to come back ******\n" - - - shell: "base64 -d | ssh chmz-router \"/bin/sh -c 'umask 077; cat > /etc/dyndns/id_rsa'\"" - args: - stdin: "{{ vault_dyndns_ssh_key_b64 }}" 
diff --git a/inventory/host_vars/ch-mz-ap.yml b/inventory/host_vars/ch-mz-ap.yml new file mode 100644 index 00000000..044f41f9 --- /dev/null +++ b/inventory/host_vars/ch-mz-ap.yml 
@@ -0,0 +1,191 @@ +--- +openwrt_arch: ath79 +openwrt_target: generic +openwrt_profile: tplink_tl-wdr3500-v1 +openwrt_output_image_suffixes: + - "{{ openwrt_target }}-{{ openwrt_profile }}-squashfs-sysupgrade.bin" + +openwrt_packages_remove: + - ppp + - ppp-mod-pppoe + - dnsmasq + - firewall + - firewall4 + - odhcpd + - odhcpd-ipv6only + - wpad-basic-mbedtls +openwrt_packages_add: + - wpad-mbedtls + - haveged + - htop + - ip + - less + - nano + - tcpdump-mini + - iperf + - mtr + - usbutils + - kmod-usb-printer + - p910nd + + +openwrt_mixin: + /etc/sysctl.conf: + content: | + # Defaults are configured in /etc/sysctl.d/* and can be customized in this file + # + # disable IP forwarding, we don't need it since we are + # only an AP that bridges VLANs to Wifi SSIDs + net.ipv4.conf.default.forwarding=0 + net.ipv4.conf.all.forwarding=0 + net.ipv4.ip_forward=0 + net.ipv6.conf.default.forwarding=0 + net.ipv6.conf.all.forwarding=0 + + /etc/dropbear/authorized_keys: + content: "{{ ssh_keys_root | join('\n') }}\n" + + /etc/htoprc: + file: "{{ global_files_dir }}/common/htoprc" + + /usr/bin/list-stations: + mode: "0755" + file: "{{ global_files_dir }}/common/openwrt/list-stations" + + +openwrt_uci: + system: + - name: system + options: + hostname: '{{ host_name }}' + timezone: 'CET-1CEST,M3.5.0,M10.5.0/3' + ttylogin: '0' + log_size: '64' + urandom_seed: '0' + + - name: timeserver 'ntp' + options: + enabled: '1' + enable_server: '0' + server: + - '192.168.2.254' + + dropbear: + - name: dropbear + options: + PasswordAuth: 'off' + RootPasswordAuth: 'off' + Port: '{{ ansible_port }}' + + p910nd: + - name: p910nd + options: + device: /dev/usb/lp0 + port: 0 + bidirectional: 1 + enabled: 1 + + network: + - name: globals 'globals' + options: + ula_prefix: "fc{{ '%02x:%04x:%04x' | format((255 | random(seed=inventory_hostname + '0')), (65535 | random(seed=inventory_hostname + '1')), (65535 | random(seed=inventory_hostname + '2'))) }}::/48" + + - name: interface 'loopback' + options: + 
device: lo + proto: static + ipaddr: 127.0.0.1 + netmask: 255.0.0.0 + + - name: switch + options: + name: switch0 + reset: 1 + enable_vlan: 1 + + - name: switch_vlan + options: + device: switch0 + vlan: 1 + ports: 1 2 3 4 0t + + - name: device + options: + name: br-lan + type: bridge + ports: + - eth0.1 + + - name: interface 'lan' + options: + device: br-lan + proto: static + ipaddr: 192.168.2.201 + netmask: 255.255.255.0 + gateway: 192.168.2.254 + dns: + - 192.168.2.254 + + - name: interface 'wan' + options: + ifname: eth1 + proto: none + + wireless: + - name: wifi-device 'radio5g' + options: + type: mac80211 + band: 5g + country: AT + path: "pci0000:00/0000:00:00.0" + htmode: HT20 + txpower: 19 + + - name: wifi-device 'radio2g' + options: + type: mac80211 + channel: 5 + band: 2g + country: AT + path: "platform/ahb/18100000.wmac" + htmode: HT20 + cell_density: 0 + txpower: 20 + + - name: wifi-iface wds5g + options: + device: radio5g + network: lan + mode: sta + wds: 1 + ssid: "chaosWDS" + encryption: 'sae-mixed' + key: '{{ vault_wifi_keys.wds_mz }}' + + - name: wifi-iface lan2g + options: + device: radio2g + network: lan + mode: ap + disassoc_low_ack: 1 + rsn_preauth: 1 + ssid: "chaos at home" + encryption: 'sae-mixed' + key: '{{ vault_wifi_keys.lan }}' + ieee80211r: '1' + mobility_domain: 'ca00' + ft_over_ds: '1' + + - name: wifi-iface lan2gl + options: + device: radio2g + network: lan + mode: ap + disassoc_low_ack: 1 + rsn_preauth: 1 + ssid: "chaos at home (legacy)" + encryption: 'psk2' + key: '{{ vault_wifi_keys.lan }}' + ieee80211r: '1' + mobility_domain: 'ca01' + ft_over_ds: '1' diff --git a/inventory/host_vars/ch-mz-router.yml b/inventory/host_vars/ch-mz-router.yml new file mode 100644 index 00000000..c798623b --- /dev/null +++ b/inventory/host_vars/ch-mz-router.yml 
@@ -0,0 +1,276 @@ +--- +openwrt_arch: ath79 +openwrt_target: generic +openwrt_profile: tplink_tl-wdr4300-v1 +openwrt_output_image_suffixes: + - "{{ openwrt_target }}-{{ openwrt_profile }}-squashfs-sysupgrade.bin" + +openwrt_packages_remove: + - ppp + - ppp-mod-pppoe + - firewall + - firewall4 + - wpad-basic-mbedtls +openwrt_packages_add: + - hostapd-mbedtls + - haveged + - htop + - ip + - less + - nano + - tcpdump-mini + - iperf + - mtr + - usbutils + - nftables + - kmod-nft-nat + + +openwrt_mixin: + /etc/dropbear/authorized_keys: + content: "{{ ssh_keys_root | join('\n') }}\n" + + /etc/htoprc: + file: "{{ global_files_dir }}/common/htoprc" + + /usr/bin/list-stations: + mode: "0755" + file: "{{ global_files_dir }}/common/openwrt/list-stations" + + /etc/rc.d/S21nftables: + link: "../init.d/nftables" + + /etc/rc.d/K89nftables: + link: "../init.d/nftables" + + /etc/init.d/nftables: + mode: "0755" + content: | + #!/bin/sh /etc/rc.common + + START=21 + STOP=89 + + start() { + nft -f /etc/nftables.conf + } + + stop() { + nft flush ruleset + } + + /etc/nftables.conf: + content: | + flush ruleset + + define nic_wan = eth0.2 + define nic_lan = br-lan + define prefix_lan = 192.168.2.0/24 + + table inet global { + ## INPUT + chain input_wan { + ip protocol icmp accept + ip6 nexthdr ipv6-icmp accept + tcp dport { {{ ansible_port }} } accept + } + + chain input { + type filter hook input priority filter; policy drop; + ct state vmap { established: accept, related: accept, invalid: drop } + iifname vmap { lo: accept, $nic_lan: accept, $nic_wan: jump input_wan } + } + + + ## FORWARD + chain forward { + type filter hook forward priority filter; policy drop; + ct state vmap { established: accept, related: accept, invalid: drop } + iifname $nic_lan ip saddr $prefix_lan oifname $nic_wan accept + } + + chain postrouting { + type nat hook postrouting priority srcnat; policy accept; + ip saddr $prefix_lan oifname $nic_wan masquerade + } + } + + /etc/dyndns/update.sh: + mode: "0755" + 
content: | + #!/bin/sh + /usr/bin/ssh -i /etc/dyndns/id_ed25519 -p 222 dyndns@dyn.schaaas.at mzl | logger -t dyndns + + /etc/crontabs/root: + mode: "0755" + content: | + # run dyndns update script every 10 minutes + */10 * * * * /etc/dyndns/update.sh > /dev/null + + +openwrt_uci: + system: + - name: system + options: + hostname: '{{ host_name }}' + timezone: 'CET-1CEST,M3.5.0,M10.5.0/3' + ttylogin: '0' + log_size: '64' + urandom_seed: '0' + + - name: timeserver 'ntp' + options: + enabled: '1' + enable_server: '1' + server: + - '0.at.pool.ntp.org' + - '1.at.pool.ntp.org' + - '2.at.pool.ntp.org' + - '3.at.pool.ntp.org' + + dropbear: + - name: dropbear + options: + PasswordAuth: 'off' + RootPasswordAuth: 'off' + Port: '{{ ansible_port }}' + + network: + - name: globals 'globals' + options: + ula_prefix: "fc{{ '%02x:%04x:%04x' | format((255 | random(seed=inventory_hostname + '0')), (65535 | random(seed=inventory_hostname + '1')), (65535 | random(seed=inventory_hostname + '2'))) }}::/48" + + - name: interface 'loopback' + options: + device: lo + proto: static + ipaddr: 127.0.0.1 + netmask: 255.0.0.0 + + - name: switch + options: + name: switch0 + reset: 1 + enable_vlan: 1 + + - name: switch_vlan + options: + device: switch0 + vlan: 1 + ports: 2 3 4 5 0t + + - name: switch_vlan + options: + device: switch0 + vlan: 2 + ports: 1 0t + + - name: device + options: + name: br-lan + type: bridge + ports: + - eth0.1 + + - name: interface 'lan' + options: + device: br-lan + proto: static + ipaddr: 192.168.2.254 + netmask: 255.255.255.0 + + - name: interface 'wan' + options: + ifname: eth0.2 + proto: dhcp + + wireless: + - name: wifi-device 'radio5g' + options: + type: mac80211 + channel: 40 + band: 5g + country: AT + path: "pci0000:00/0000:00:00.0" + htmode: HT20 + cell_density: 0 + txpower: 19 + + - name: wifi-device 'radio2g' + options: + type: mac80211 + channel: 11 + band: 2g + country: AT + path: "platform/ahb/18100000.wmac" + htmode: HT20 + cell_density: 0 + txpower: 20 + + 
- name: wifi-iface wds5g + options: + device: radio5g + network: lan + mode: ap + wds: 1 + disassoc_low_ack: 1 + rsn_preauth: 1 + ssid: "chaosWDS" + encryption: 'sae-mixed' + key: '{{ vault_wifi_keys.wds_mz }}' + + - name: wifi-iface lan5g + options: + device: radio5g + network: lan + mode: ap + disassoc_low_ack: 1 + rsn_preauth: 1 + ssid: "chaos at home" + encryption: 'sae-mixed' + key: '{{ vault_wifi_keys.lan }}' + ieee80211r: '1' + mobility_domain: 'ca00' + ft_over_ds: '1' + + - name: wifi-iface lan5gl + options: + device: radio5g + network: lan + mode: ap + disassoc_low_ack: 1 + rsn_preauth: 1 + ssid: "chaos at home" + encryption: 'psk2' + key: '{{ vault_wifi_keys.lan }}' + ieee80211r: '1' + mobility_domain: 'ca01' + ft_over_ds: '1' + + - name: wifi-iface lan2g + options: + device: radio2g + network: lan + mode: ap + disassoc_low_ack: 1 + rsn_preauth: 1 + ssid: "chaos at home" + encryption: 'sae-mixed' + key: '{{ vault_wifi_keys.lan }}' + ieee80211r: '1' + mobility_domain: 'ca00' + ft_over_ds: '1' + + - name: wifi-iface lan2gl + options: + device: radio2g + network: lan + mode: ap + disassoc_low_ack: 1 + rsn_preauth: 1 + ssid: "chaos at home (legacy)" + encryption: 'psk2' + key: '{{ vault_wifi_keys.lan }}' + ieee80211r: '1' + mobility_domain: 'ca01' + ft_over_ds: '1' diff --git a/inventory/host_vars/ch-pan.yml b/inventory/host_vars/ch-pan.yml index 29ec85ae..74e630a7 100644 --- a/inventory/host_vars/ch-pan.yml +++ b/inventory/host_vars/ch-pan.yml @@ -88,7 +88,7 @@ dyndns: - "dyn.schaaas.at. 7200 IN AAAA 2a02:3e0:407::19" - "captive.schaaas.at. 7200 IN CNAME dyn.schaaas.at." clients: - mz-router: mzl + ch-mz-router: mzl ch-equinox-t450s: equinox ele-media: elemedia diff --git a/inventory/host_vars/mz-ap.yml b/inventory/host_vars/mz-ap.yml deleted file mode 100644 index 044f41f9..00000000 --- a/inventory/host_vars/mz-ap.yml +++ /dev/null 
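Review bot: The `ula_prefix` option under `network: globals 'globals'` seeds every `random()` call with `inventory_hostname`, and this commit changes that name from `mz-router` to `ch-mz-router` (see the hosts.ini hunk), so the next image build produces a different ULA /48 than the deleted `mz-router.yml` did; the same applies to `inventory/host_vars/ch-mz-ap.yml`. If the previous prefix is meant to survive the rename, seeding with `host_name` (which hosts.ini now sets to the old name `mz-router`) reproduces it: replace the three `seed=inventory_hostname + '...'` arguments with `seed=host_name + '...'`, or otherwise note in a comment above the option that the prefix is expected to change. Unrelated to the rename, `/etc/crontabs/root` is installed with `mode: "0755"`, but a crontab is read rather than executed, so `mode: "0644"` is sufficient and avoids an unneeded executable bit on a root-owned file.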
@@ -1,191 +0,0 @@ ---- -openwrt_arch: ath79 -openwrt_target: generic -openwrt_profile: tplink_tl-wdr3500-v1 -openwrt_output_image_suffixes: - - "{{ openwrt_target }}-{{ openwrt_profile }}-squashfs-sysupgrade.bin" - -openwrt_packages_remove: - - ppp - - ppp-mod-pppoe - - dnsmasq - - firewall - - firewall4 - - odhcpd - - odhcpd-ipv6only - - wpad-basic-mbedtls -openwrt_packages_add: - - wpad-mbedtls - - haveged - - htop - - ip - - less - - nano - - tcpdump-mini - - iperf - - mtr - - usbutils - - kmod-usb-printer - - p910nd - - -openwrt_mixin: - /etc/sysctl.conf: - content: | - # Defaults are configured in /etc/sysctl.d/* and can be customized in this file - # - # disable IP forwarding, we don't need it since we are - # only an AP that bridges VLANs to Wifi SSIDs - net.ipv4.conf.default.forwarding=0 - net.ipv4.conf.all.forwarding=0 - net.ipv4.ip_forward=0 - net.ipv6.conf.default.forwarding=0 - net.ipv6.conf.all.forwarding=0 - - /etc/dropbear/authorized_keys: - content: "{{ ssh_keys_root | join('\n') }}\n" - - /etc/htoprc: - file: "{{ global_files_dir }}/common/htoprc" - - /usr/bin/list-stations: - mode: "0755" - file: "{{ global_files_dir }}/common/openwrt/list-stations" - - -openwrt_uci: - system: - - name: system - options: - hostname: '{{ host_name }}' - timezone: 'CET-1CEST,M3.5.0,M10.5.0/3' - ttylogin: '0' - log_size: '64' - urandom_seed: '0' - - - name: timeserver 'ntp' - options: - enabled: '1' - enable_server: '0' - server: - - '192.168.2.254' - - dropbear: - - name: dropbear - options: - PasswordAuth: 'off' - RootPasswordAuth: 'off' - Port: '{{ ansible_port }}' - - p910nd: - - name: p910nd - options: - device: /dev/usb/lp0 - port: 0 - bidirectional: 1 - enabled: 1 - - network: - - name: globals 'globals' - options: - ula_prefix: "fc{{ '%02x:%04x:%04x' | format((255 | random(seed=inventory_hostname + '0')), (65535 | random(seed=inventory_hostname + '1')), (65535 | random(seed=inventory_hostname + '2'))) }}::/48" - - - name: interface 'loopback' - options: - 
device: lo - proto: static - ipaddr: 127.0.0.1 - netmask: 255.0.0.0 - - - name: switch - options: - name: switch0 - reset: 1 - enable_vlan: 1 - - - name: switch_vlan - options: - device: switch0 - vlan: 1 - ports: 1 2 3 4 0t - - - name: device - options: - name: br-lan - type: bridge - ports: - - eth0.1 - - - name: interface 'lan' - options: - device: br-lan - proto: static - ipaddr: 192.168.2.201 - netmask: 255.255.255.0 - gateway: 192.168.2.254 - dns: - - 192.168.2.254 - - - name: interface 'wan' - options: - ifname: eth1 - proto: none - - wireless: - - name: wifi-device 'radio5g' - options: - type: mac80211 - band: 5g - country: AT - path: "pci0000:00/0000:00:00.0" - htmode: HT20 - txpower: 19 - - - name: wifi-device 'radio2g' - options: - type: mac80211 - channel: 5 - band: 2g - country: AT - path: "platform/ahb/18100000.wmac" - htmode: HT20 - cell_density: 0 - txpower: 20 - - - name: wifi-iface wds5g - options: - device: radio5g - network: lan - mode: sta - wds: 1 - ssid: "chaosWDS" - encryption: 'sae-mixed' - key: '{{ vault_wifi_keys.wds_mz }}' - - - name: wifi-iface lan2g - options: - device: radio2g - network: lan - mode: ap - disassoc_low_ack: 1 - rsn_preauth: 1 - ssid: "chaos at home" - encryption: 'sae-mixed' - key: '{{ vault_wifi_keys.lan }}' - ieee80211r: '1' - mobility_domain: 'ca00' - ft_over_ds: '1' - - - name: wifi-iface lan2gl - options: - device: radio2g - network: lan - mode: ap - disassoc_low_ack: 1 - rsn_preauth: 1 - ssid: "chaos at home (legacy)" - encryption: 'psk2' - key: '{{ vault_wifi_keys.lan }}' - ieee80211r: '1' - mobility_domain: 'ca01' - ft_over_ds: '1' diff --git a/inventory/host_vars/mz-router.yml b/inventory/host_vars/mz-router.yml deleted file mode 100644 index 254aaf02..00000000 --- a/inventory/host_vars/mz-router.yml +++ /dev/null 
@@ -1,282 +0,0 @@ ---- -## TOOD: -# After router upgrades run this command to generate a new dyndns ssh key -# $ dropbearkey -t ed25519 -f /etc/dyndns/id_ed25519 -# Then replace the key at the dyndns server (/var/lib/dyndns/.ssh/authorized_keys) -# after that run the dyndns update script manually to accept the ssh host-key - -openwrt_arch: ath79 -openwrt_target: generic -openwrt_profile: tplink_tl-wdr4300-v1 -openwrt_output_image_suffixes: - - "{{ openwrt_target }}-{{ openwrt_profile }}-squashfs-sysupgrade.bin" - -openwrt_packages_remove: - - ppp - - ppp-mod-pppoe - - firewall - - firewall4 - - wpad-basic-mbedtls -openwrt_packages_add: - - hostapd-mbedtls - - haveged - - htop - - ip - - less - - nano - - tcpdump-mini - - iperf - - mtr - - usbutils - - nftables - - kmod-nft-nat - - -openwrt_mixin: - /etc/dropbear/authorized_keys: - content: "{{ ssh_keys_root | join('\n') }}\n" - - /etc/htoprc: - file: "{{ global_files_dir }}/common/htoprc" - - /usr/bin/list-stations: - mode: "0755" - file: "{{ global_files_dir }}/common/openwrt/list-stations" - - /etc/rc.d/S21nftables: - link: "../init.d/nftables" - - /etc/rc.d/K89nftables: - link: "../init.d/nftables" - - /etc/init.d/nftables: - mode: "0755" - content: | - #!/bin/sh /etc/rc.common - - START=21 - STOP=89 - - start() { - nft -f /etc/nftables.conf - } - - stop() { - nft flush ruleset - } - - /etc/nftables.conf: - content: | - flush ruleset - - define nic_wan = eth0.2 - define nic_lan = br-lan - define prefix_lan = 192.168.2.0/24 - - table inet global { - ## INPUT - chain input_wan { - ip protocol icmp accept - ip6 nexthdr ipv6-icmp accept - tcp dport { {{ ansible_port }} } accept - } - - chain input { - type filter hook input priority filter; policy drop; - ct state vmap { established: accept, related: accept, invalid: drop } - iifname vmap { lo: accept, $nic_lan: accept, $nic_wan: jump input_wan } - } - - - ## FORWARD - chain forward { - type filter hook forward priority filter; policy drop; - ct state vmap { 
established: accept, related: accept, invalid: drop } - iifname $nic_lan ip saddr $prefix_lan oifname $nic_wan accept - } - - chain postrouting { - type nat hook postrouting priority srcnat; policy accept; - ip saddr $prefix_lan oifname $nic_wan masquerade - } - } - - /etc/dyndns/update.sh: - mode: "0755" - content: | - #!/bin/sh - /usr/bin/ssh -i /etc/dyndns/id_ed25519 -p 222 dyndns@dyn.schaaas.at mzl | logger -t dyndns - - /etc/crontabs/root: - mode: "0755" - content: | - # run dyndns update script every 10 minutes - */10 * * * * /etc/dyndns/update.sh > /dev/null - - -openwrt_uci: - system: - - name: system - options: - hostname: '{{ host_name }}' - timezone: 'CET-1CEST,M3.5.0,M10.5.0/3' - ttylogin: '0' - log_size: '64' - urandom_seed: '0' - - - name: timeserver 'ntp' - options: - enabled: '1' - enable_server: '1' - server: - - '0.at.pool.ntp.org' - - '1.at.pool.ntp.org' - - '2.at.pool.ntp.org' - - '3.at.pool.ntp.org' - - dropbear: - - name: dropbear - options: - PasswordAuth: 'off' - RootPasswordAuth: 'off' - Port: '{{ ansible_port }}' - - network: - - name: globals 'globals' - options: - ula_prefix: "fc{{ '%02x:%04x:%04x' | format((255 | random(seed=inventory_hostname + '0')), (65535 | random(seed=inventory_hostname + '1')), (65535 | random(seed=inventory_hostname + '2'))) }}::/48" - - - name: interface 'loopback' - options: - device: lo - proto: static - ipaddr: 127.0.0.1 - netmask: 255.0.0.0 - - - name: switch - options: - name: switch0 - reset: 1 - enable_vlan: 1 - - - name: switch_vlan - options: - device: switch0 - vlan: 1 - ports: 2 3 4 5 0t - - - name: switch_vlan - options: - device: switch0 - vlan: 2 - ports: 1 0t - - - name: device - options: - name: br-lan - type: bridge - ports: - - eth0.1 - - - name: interface 'lan' - options: - device: br-lan - proto: static - ipaddr: 192.168.2.254 - netmask: 255.255.255.0 - - - name: interface 'wan' - options: - ifname: eth0.2 - proto: dhcp - - wireless: - - name: wifi-device 'radio5g' - options: - type: mac80211 
- channel: 40 - band: 5g - country: AT - path: "pci0000:00/0000:00:00.0" - htmode: HT20 - cell_density: 0 - txpower: 19 - - - name: wifi-device 'radio2g' - options: - type: mac80211 - channel: 11 - band: 2g - country: AT - path: "platform/ahb/18100000.wmac" - htmode: HT20 - cell_density: 0 - txpower: 20 - - - name: wifi-iface wds5g - options: - device: radio5g - network: lan - mode: ap - wds: 1 - disassoc_low_ack: 1 - rsn_preauth: 1 - ssid: "chaosWDS" - encryption: 'sae-mixed' - key: '{{ vault_wifi_keys.wds_mz }}' - - - name: wifi-iface lan5g - options: - device: radio5g - network: lan - mode: ap - disassoc_low_ack: 1 - rsn_preauth: 1 - ssid: "chaos at home" - encryption: 'sae-mixed' - key: '{{ vault_wifi_keys.lan }}' - ieee80211r: '1' - mobility_domain: 'ca00' - ft_over_ds: '1' - - - name: wifi-iface lan5gl - options: - device: radio5g - network: lan - mode: ap - disassoc_low_ack: 1 - rsn_preauth: 1 - ssid: "chaos at home" - encryption: 'psk2' - key: '{{ vault_wifi_keys.lan }}' - ieee80211r: '1' - mobility_domain: 'ca01' - ft_over_ds: '1' - - - name: wifi-iface lan2g - options: - device: radio2g - network: lan - mode: ap - disassoc_low_ack: 1 - rsn_preauth: 1 - ssid: "chaos at home" - encryption: 'sae-mixed' - key: '{{ vault_wifi_keys.lan }}' - ieee80211r: '1' - mobility_domain: 'ca00' - ft_over_ds: '1' - - - name: wifi-iface lan2gl - options: - device: radio2g - network: lan - mode: ap - disassoc_low_ack: 1 - rsn_preauth: 1 - ssid: "chaos at home (legacy)" - encryption: 'psk2' - key: '{{ vault_wifi_keys.lan }}' - ieee80211r: '1' - mobility_domain: 'ca01' - ft_over_ds: '1' diff --git a/inventory/hosts.ini b/inventory/hosts.ini index 60f41c10..f4c61e2a 100644 --- a/inventory/hosts.ini +++ b/inventory/hosts.ini @@ -71,8 +71,8 @@ chaos-at-home-sensors chaos-at-home-ups [chaos-at-home_mz] -mz-router ansible_host=chmz-router -mz-ap ansible_host=chmz-ap +ch-mz-router host_name=mz-router +ch-mz-ap host_name=mz-ap [chaos-at-home_mur-at] ch-atlas host_name=atlas 
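Review bot: The two `[chaos-at-home_mz]` entries drop `ansible_host=chmz-router` / `ansible_host=chmz-ap` and gain `host_name=...` instead, so `ch-mz-router` and `ch-mz-ap` now double as the connection names; with `connection: local` in both playbooks Ansible itself never dials them, but the new `pause` prompt in `chaos-at-home/ch-mz-router.yml` tells the operator to `ssh ch-mz-router` and `scp ... ch-mz-router:`, which only works if that name resolves through DNS or the operator's ssh config, and nothing in this patch shows that it does. If `chmz-router` is still the reachable name, keeping `ansible_host=chmz-router` on the line next to `host_name=mz-router` and referring to `{{ ansible_host }}` in the prompt would keep inventory and instructions in step.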
@@ -328,8 +328,8 @@ ch-testvm-openwrt ch-installsmb ch-gw-c3voc ch-raspi-openwrt -mz-ap -mz-router +ch-mz-ap +ch-mz-router ele-router-hmtsaal ele-router-orpheum ele-router-emc -- cgit v1.2.3