
make mesh_ipv6 optional, refactor sysctl

Markus Lindenberg 9 years ago
parent
commit
53347579ac

+ 2 - 1
playbooks/common.yml

@@ -4,4 +4,5 @@
   roles:
   - ffdo.hostname
   - ffdo.resolvconf
-  - ffdo.authentication
+  - ffdo.authentication
+  - ffdo.sysctl
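Review bot: Adding `ffdo.sysctl` to the role list in common.yml applies it to every host in the play, while the template this commit adds under roles/internal/ffdo.sysctl/templates sets `net.ipv4.ip_forward = 1`, `net.ipv6.conf.all.forwarding = 1` and `accept_redirects = 1` on all interfaces. If any host in this inventory is not a router, those settings should not reach it; either keep the role in the router-specific playbook or guard it with a host variable. I cannot tell from this commit whether such hosts exist, so at minimum a comment on the role entry stating that every host in this play is a mesh router would record the assumption.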

+ 0 - 4
playbooks/host_vars/mapserver/host.yml

@@ -1,4 +0,0 @@
-mesh_mac: 96:48:76:b5:a3:65
-bat_mac: f2:43:13:c0:d7:03
-mesh_ipv4: 10.42.0.32/16
-mesh_ipv6: fdec:16a3:681b:865c::32/64

+ 0 - 6
playbooks/host_vars/node01/supernode.yml

@@ -1,6 +0,0 @@
-mesh_mac: 96:48:76:b5:a3:61
-bat_mac: f2:43:13:c0:d7:06
-mesh_ipv4: 10.42.0.8/16
-mesh_ipv6: fdec:16a3:681b:865c::8/64
-dhcp_range_start: 10.42.0.32
-dhcp_range_end: 10.42.5.254

+ 0 - 6
playbooks/host_vars/node02/supernode.yml

@@ -1,6 +0,0 @@
-mesh_mac: 96:48:76:b5:a3:62
-bat_mac: f2:43:13:c0:d7:07
-mesh_ipv4: 10.42.0.16/16
-mesh_ipv6: fdec:16a3:681b:865c::16/64
-dhcp_range_start: 10.42.6.32
-dhcp_range_end: 10.42.10.254

+ 2 - 4
roles/internal/ffdo.bird/templates/bird.conf.j2

@@ -5,12 +5,10 @@
 log syslog all;
 router id {{routerid}};
 
-protocol direct {
-        interface "*";
-};
-
 protocol kernel {
+        persist;
         device routes;
+        scan time 20;
         import all;
         export all;
         kernel table 42;
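Review bot: `persist;` is added to the kernel protocol without a comment explaining that BIRD will then leave its routes in kernel table 42 when it exits instead of withdrawing them, so a stopped or crashed bird keeps the last-known routes active. If that is the intended failure mode, say so next to the keyword, e.g. `# persist: keep table 42 routes when bird stops so forwarding survives a restart`; if not, drop it. The `protocol kernel` block continues past the end of this hunk, and bird6.conf.j2 already carries the same keyword.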

+ 1 - 10
roles/internal/ffdo.bird/templates/bird6.conf.j2

@@ -5,15 +5,6 @@
 log syslog all;
 router id {{routerid}};
 
-protocol static uplink_hostroute {
-   import all;
-   export all;
-}
-
-protocol direct {
-        interface "*";
-}
-
 protocol kernel {
         persist;
         device routes;
@@ -24,7 +15,7 @@ protocol kernel {
 }
 
 protocol device {
-        scan time 10;
+        scan time 8;
 }
 
 include "{{bird_config_dir}}/conf6.d/*.conf";
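Review bot: `scan time 8;` replaces 10 without a comment, and the kernel protocol in bird.conf.j2 gets `scan time 20;` in the same commit, so a reader has no way to tell whether the two intervals are meant to differ. A one-line comment above each stating why that interval was chosen would settle it. Note also that the `protocol direct` removed in the first hunk now exists only in the mesh-interfaces role's bird6.conf.j2, so a host that runs ffdo.bird without ffdo.mesh-interfaces ends up with no direct protocol; I cannot tell from this commit whether such hosts exist.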

+ 0 - 9
roles/internal/ffdo.mesh-interfaces/tasks/main.yml

@@ -1,10 +1,6 @@
 ---
 # tasks file for mesh-interfaces
 
-- template: 
-    src: test.j2
-    dest: /etc/test-hosts.info
-
 - name: Install bird.conf
   template: src=bird.conf.j2 dest=/etc/bird/conf.d/mesh.conf
   notify: Reload bird daemons
@@ -13,11 +9,6 @@
   template: src=bird6.conf.j2 dest=/etc/bird/conf6.d/mesh.conf
   notify: Reload bird daemons
 
-- name: Ensure interface definitions from other files are included
-  lineinfile:
-    dest: /etc/network/interfaces
-    line: "source /etc/network/interfaces.d/*.cfg"
-
 - name: Install mesh interface definitions
   template:
     dest: "/etc/network/interfaces.d/mesh.cfg"
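Review bot: The `lineinfile` task that added `source /etc/network/interfaces.d/*.cfg` to /etc/network/interfaces is removed here, and the same task is removed from roles/internal/ffdo.peering/tasks/main.yml in this commit, yet the task right below still writes `/etc/network/interfaces.d/mesh.cfg`. Unless another role now adds that source line (not visible in this commit), freshly provisioned hosts will never load mesh.cfg or peering.cfg on ifup. If the line was moved to a common role, a comment on the `Install mesh interface definitions` task naming that role would save the next reader the search. Separately, the two bird template tasks use `src=... dest=...` key=value form while the interface task uses block form; the block form is the one to keep.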

+ 6 - 0
roles/internal/ffdo.mesh-interfaces/templates/bird.conf.j2

@@ -2,6 +2,12 @@
 # This file is managed by ansible. Do not edit by hand!
 #
 
+protocol direct {
+        interface "bat*";
+        interface "peer-*";
+        interface "lo";
+};
+
 template bgp ibgp {
         local as {{as}};
         import all;
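Review bot: The new `protocol direct` block ends with `};` while the matching block added to bird6.conf.j2 in this commit ends with `}`; the old ffdo.bird/bird.conf.j2 used `};` too, so it evidently parses, but the two sibling templates should agree. A comment on why `"lo"` is included would also help, since injecting loopback addresses into iBGP is not obvious from the interface list alone — e.g. `# lo: announce this router's own service addresses to the mesh`, if that is the intent.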

+ 9 - 1
roles/internal/ffdo.mesh-interfaces/templates/bird6.conf.j2

@@ -2,6 +2,13 @@
 # This file is managed by ansible. Do not edit by hand!
 #
 
+protocol direct {
+        interface "bat*";
+        interface "peer-*";
+        interface "lo";
+}
+
+{% if mesh_ipv6 is defined %}
 template bgp ibgp {
         local as {{as}};
         source address {{mesh_ipv6|ipaddr('address')}};
@@ -19,4 +26,5 @@ protocol bgp {{hostvars[host]['inventory_hostname_short']}} from ibgp {
         default bgp_med 4;
 }
 {% endif %}
-{% endfor %}
+{% endfor %}
+{% endif %}
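Review bot: `{% if mesh_ipv6 is defined %}` only tests that the variable exists, so a host that sets `mesh_ipv6:` to an empty or null value passes the guard and `mesh_ipv6|ipaddr('address')` then renders an empty or `False` source address, which is not a valid bird statement. The same guard is used in mesh_interfaces.j2, radvd.conf.j2, ntp.conf.j2 and unbound-supernode.conf.j2 in this commit. `{% if mesh_ipv6 is defined and mesh_ipv6 %}` (or `{% if mesh_ipv6 | default('') %}`) covers both cases. The per-host loop body between the two hunks is outside this view, so I cannot tell whether neighbours without an IPv6 mesh address are skipped there as well.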

+ 2 - 0
roles/internal/ffdo.mesh-interfaces/templates/mesh_interfaces.j2

@@ -31,6 +31,7 @@ iface bat0 inet static
     down ip link set down dev alfred0
     down ip link del dev alfred0
 
+{% if mesh_ipv6 is defined %}
 iface bat0 inet6 static
     address {{mesh_ipv6}}
     pre-up ip -6 rule add from {{mesh_ipv6|ipaddr('cidr')}} table 42
@@ -38,3 +39,4 @@ iface bat0 inet6 static
     post-down ip -6 rule del from {{mesh_ipv6|ipaddr('cidr')}} table 42
     post-down ip -6 rule del to {{mesh_ipv6|ipaddr('cidr')}} table 42
     #pre-up ebtables -A FORWARD -p IPv6 -i $IFACE --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP
+{% endif %}

+ 7 - 20
roles/internal/ffdo.peering/tasks/main.yml

@@ -1,18 +1,5 @@
 ---
-# tasks file for supernode-interfaces
-
-- name: Install supernode specific sysctl config
-  template: src=supernode.sysctl.j2 dest=/etc/sysctl.d/supernode.conf
-  register: supernode_sysctl_installed
-
-- name: Load sysctl variables
-  when: supernode_sysctl_installed|changed
-  shell: sysctl -p /etc/sysctl.d/supernode.conf || true
-
-- name: Ensure interface definitions from other files are included
-  lineinfile:
-    dest: /etc/network/interfaces
-    line: "source /etc/network/interfaces.d/*.cfg"
+# tasks file for peering
 
 - name: Install interface definitions
   template:
@@ -22,10 +9,10 @@
   - file: peering.cfg
     template: peering_interfaces.j2
 
-- name: Install bird.conf
-  template: src=bird.conf.j2 dest=/etc/bird/conf.d/peering.conf
-  notify: Reload bird daemons
+# - name: Install bird.conf
+#   template: src=bird.conf.j2 dest=/etc/bird/conf.d/peering.conf
+#   notify: Reload bird daemons
 
-- name: Install bird6.conf
-  template: src=bird6.conf.j2 dest=/etc/bird/conf6.d/peering.conf
-  notify: Reload bird daemons
+# - name: Install bird6.conf
+#   template: src=bird6.conf.j2 dest=/etc/bird/conf6.d/peering.conf
+#   notify: Reload bird daemons
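Review bot: Commenting out the two bird template tasks stops installing `/etc/bird/conf.d/peering.conf` and `/etc/bird/conf6.d/peering.conf`, but hosts provisioned before this commit presumably still have the old files, and the `include "{{bird_config_dir}}/conf6.d/*.conf"` seen in ffdo.bird/bird6.conf.j2 will keep loading them alongside the new mesh.conf, which now carries its own `protocol direct` for `peer-*`. If the peering config is really retired, replace the commented block with a task that removes the stale files and reloads bird; if it is only paused, a comment giving the reason and the condition for re-enabling it belongs above the block. The `file` module with `state: absent` and the existing `Reload bird daemons` handler are enough for the removal.
```yaml
- name: Remove obsolete peering bird configs
  file:
    path: "{{ item }}"
    state: absent
  with_items:
    - /etc/bird/conf.d/peering.conf
    - /etc/bird/conf6.d/peering.conf
  notify: Reload bird daemons
```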

+ 5 - 6
roles/internal/ffdo.peering/templates/peering_interfaces.j2

@@ -1,20 +1,19 @@
 {% if peers is defined %}
 {% for peer in peers %}
-{% if peer.gre is defined %}
+{% if peer.gre_endpoint is defined %}
 auto peer-{{peer.name}}
 iface peer-{{peer.name}} inet tunnel
     mode gre
-    address {{peer.gre.ip|ipaddr('address')}}
+    address {{peer.source_ip4}}
     dstaddr {{peer.peer_ip4}}
-    netmask {{peer.gre.ip|ipaddr('netmask')}}
     local {{ansible_default_ipv4.address}}
-    endpoint {{peer.gre.endpoint}}
-    mtu 1400
+    endpoint {{peer.gre_endpoint}}
     ttl 64
+    mtu 1400
 
 iface peer-{{peer.name}} inet6 static
     address {{peer.gre.ip6}}
 
 {% endif %}
 {% endfor %}
-{% endif %}
+{% endif %}
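Review bot: The guard now keys on `peer.gre_endpoint` and the IPv4 stanza reads `peer.source_ip4`/`peer.peer_ip4`, but the inet6 stanza still reads `{{peer.gre.ip6}}`; if the `gre` sub-mapping has been dropped from the peer definitions as the other changes suggest, Ansible's strict undefined handling makes the whole template fail for every GRE peer. Either rename it to the key that now carries the IPv6 tunnel address or guard that stanza with `{% if peer.gre is defined and peer.gre.ip6 is defined %}` (testing `peer.gre.ip6 is defined` alone still raises when `gre` is missing). With the `netmask` line removed, `address {{peer.source_ip4}}` presumably has to carry its prefix length in CIDR form now that `ipaddr('address')` no longer strips it; a comment stating the expected inventory format would prevent a bare address slipping in.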

+ 4 - 2
roles/internal/ffdo.radvd/templates/radvd.conf.j2

@@ -1,3 +1,4 @@
+{% if mesh_ipv6 is defined %}
 interface bat0
 {
     AdvSendAdvert on;
@@ -10,6 +11,7 @@ interface bat0
     };
 
     RDNSS {{mesh_ipv6|ipaddr('address')}}
-{
+    {
     };
-};
+};
+{% endif %}
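Review bot: Wrapping the whole file in `{% if mesh_ipv6 is defined %}` renders an empty radvd.conf on hosts without an IPv6 mesh address, and radvd may refuse to start with no interface definition rather than idle. The role's tasks are outside this commit; they should probably skip installing and enabling radvd when `mesh_ipv6` is undefined (`when: mesh_ipv6 is defined` on those tasks) instead of relying on an empty config. A one-line comment at the top of the template stating that it is intentionally empty without `mesh_ipv6` would also help whoever next inspects the file on a host.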

+ 2 - 0
roles/internal/ffdo.supernode/templates/ntp.conf.j2

@@ -54,7 +54,9 @@ restrict ::1
 
 # allow from ff-do-subnets
 restrict {{mesh_ipv4|ipaddr('network')}} mask {{mesh_ipv4|ipaddr('netmask')}} kod notrap nomodify nopeer noquery
+{% if mesh_ipv6 is defined %}
 restrict {{mesh_ipv6|ipaddr('network')}} mask {{mesh_ipv6|ipaddr('netmask')}} kod notrap nomodify nopeer noquery
+{% endif %}
 
 # Clients from this (example!) subnet have unlimited access, but only if
 # cryptographically authenticated.
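Review bot: Only the IPv6 `restrict` line gets a guard, while `restrict {{mesh_ipv4|ipaddr('network')}} ...` directly above it stays unconditional; the unbound template changed in this commit treats `mesh_ipv4` as optional too, so a host without it would fail to render ntp.conf on an undefined variable. Either guard both lines the same way or add a comment on the `mesh_ipv4` line stating that every NTP host must define it.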

roles/internal/ffdo.peering/templates/supernode.sysctl.j2 → roles/internal/ffdo.sysctl/sysctl.conf.j2


+ 10 - 0
roles/internal/ffdo.sysctl/tasks/main.yml

@@ -0,0 +1,10 @@
+---
+# tasks file for sysctl
+
+- name: Install router specific sysctl config
+  template: src=sysctl.conf.j2 dest=/etc/sysctl.d/supernode.conf
+  register: supernode_sysctl_installed
+
+- name: Load sysctl variables
+  when: supernode_sysctl_installed|changed
+  shell: sysctl -p /etc/sysctl.d/supernode.conf || true
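Review bot: The new role still writes `/etc/sysctl.d/supernode.conf` and registers `supernode_sysctl_installed` although common.yml now applies it to every host and the task is named "router specific"; a neutral name such as `/etc/sysctl.d/ffdo-router.conf` (constructed example) would avoid a second, conflicting supernode file later. `template: src=sysctl.conf.j2` resolves against the role's templates/ directory, which this commit creates, but the rename header above shows the old template landing at `roles/internal/ffdo.sysctl/sysctl.conf.j2` — that copy at the role root looks stray and should go. `|| true` on the reload hides every error, including a misspelled key; `ignore_errors: true` (or `failed_when: false`) keeps the output visible in the play log, and a `notify` handler would be the usual shape instead of register + when.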

+ 66 - 0
roles/internal/ffdo.sysctl/templates/sysctl.conf.j2

@@ -0,0 +1,66 @@
+#
+# This file is managed by ansible. Do not edit by hand!
+#
+
+# Reboot 1 second after kernel panic, oops or BUG (usually in batman-adv.ko)
+kernel.panic = 1
+kernel.panic_on_oops = 1
+
+# throw kernel panic on softlockup
+kernel.softlockup_panic=1
+
+
+## Networking
+# See https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
+
+# Don't pass bridged traffic to iptables/arptables
+net.bridge.bridge-nf-call-arptables = 0
+net.bridge.bridge-nf-call-iptables = 0
+net.bridge.bridge-nf-call-ip6tables = 0
+
+
+## IPv4 tuning
+
+# Reset all configuration parameters to RFC1812
+net.ipv4.ip_forward = 1
+
+# Disable routing to eth0
+net.ipv4.conf.eth0.forwarding = 0
+
+# Accept ICMP redirect messages; default = 0
+net.ipv4.conf.default.accept_redirects = 1
+net.ipv4.conf.all.accept_redirects = 1
+
+# Use larger ARP cache
+net.ipv4.neigh.default.gc_thresh1 = 2048
+net.ipv4.neigh.default.gc_thresh2 = 4096
+net.ipv4.neigh.default.gc_thresh3 = 8192
+
+# Maximum number of routes allowed in the kernel
+net.ipv4.route.max_size = 8388608
+
+
+## IPv6 tuning
+
+# Configure router behaviour
+net.ipv6.conf.all.forwarding = 1
+
+# Disable routing to eth0
+net.ipv6.conf.eth0.forwarding = 0
+net.ipv6.conf.eth0.accept_ra = 0
+
+# Accept Redirects; default = 0
+net.ipv6.conf.default.accept_redirects = 1
+net.ipv6.conf.all.accept_redirects = 1
+
+# Accept Duplicate Address Detection; default = 1
+net.ipv6.conf.default.accept_dad = 0
+net.ipv6.conf.all.accept_dad = 0
+
+# Use larger neighbor table
+net.ipv6.neigh.default.gc_thresh1 = 2048
+net.ipv6.neigh.default.gc_thresh2 = 4096
+net.ipv6.neigh.default.gc_thresh3 = 8192
+
+# Maximum number of routes allowed in the kernel
+net.ipv6.route.max_size = 8388608
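Review bot: `net.ipv4.conf.all.accept_redirects = 1` and `net.ipv6.conf.all.accept_redirects = 1` apply to the uplink as well as the mesh, so on-link hosts on eth0 can steer this router's traffic via ICMP redirects (unconditionally for IPv6; subject to `secure_redirects` for IPv4), which is why the kernel's functional default on a forwarding host is 0, as the `default = 0` comments record. If redirects are only needed on bat0, set them per interface and leave `all`/`default` at 0, and add a comment saying why they are needed at all. `eth0` is hard-coded in four keys while peering_interfaces.j2 already uses `ansible_default_ipv4`, so `{{ ansible_default_ipv4.interface }}` would keep the template correct on a host whose uplink is named differently. The comment `# Reset all configuration parameters to RFC1812` sits above `net.ipv4.ip_forward = 1`, which is not a reset; it should read `# Enable IPv4 forwarding (router mode)`.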

+ 8 - 0
roles/internal/ffdo.unbound/templates/unbound-supernode.conf.j2

@@ -3,14 +3,22 @@ server:
   module-config: "iterator"
   interface: 0.0.0.0
   interface: ::0
+{% if mesh_ipv4 is defined %}
   access-control: {{mesh_ipv4|ipaddr('network')}} allow
+{% endif %}
+{% if mesh_ipv6 is defined %}
   access-control: {{mesh_ipv6|ipaddr('network')}} allow
+{% endif %}
   access-control: fe80::/10 allow
 
 local-zone: "services.ffdo.de." static
 {% for host in groups['supernodes'] %}
+{% if hostvars[host].mesh_ipv4 is defined %}
 local-data: "{{loop.index}}.ntp.services.ffdo.de. A {{hostvars[host].mesh_ipv4|ipaddr('address')}}"
+{% endif %}
+{% if hostvars[host].mesh_ipv6 is defined %}
 local-data: "{{loop.index}}.ntp.services.ffdo.de. AAAA {{hostvars[host].mesh_ipv6|ipaddr('address')}}"
+{% endif %}
 {% endfor %}
 local-data: "update.services.ffdo.de. AAAA {{ffruhr_update_server}}"