
Refactor common roles

Markus Lindenberg 9 yıl önce
ebeveyn
işleme
6d766c2f33
32 değiştirilmiş dosya ile 228 ekleme ve 199 silme
  1. 1 1
      roles/common-net/tasks/resolvconf.yml
  2. 4 0
      roles/common-system/tasks/kernel.yml
  3. 1 0
      roles/common-system/tasks/main.yml
  4. 2 2
      roles/common-system/tasks/sysctl.yml
  5. 0 0
      roles/gateway-peering/tasks/main.yml
  6. 0 0
      roles/gateway-peering/templates/bird.conf.j2
  7. 0 0
      roles/gateway-peering/templates/bird6.conf.j2
  8. 0 0
      roles/gateway-peering/templates/peering_interfaces.j2
  9. 6 9
      roles/mesh-interfaces/tasks/batman.yml
  10. 2 18
      roles/mesh-interfaces/tasks/main.yml
  11. 6 0
      roles/mesh-interfaces/tasks/tunnel.yml
  12. 1 1
      roles/mesh-interfaces/templates/mesh_interfaces.j2
  13. 0 27
      roles/mesh-interfaces/templates/bird.conf.j2
  14. 0 30
      roles/mesh-interfaces/templates/bird6.conf.j2
  15. 0 0
      roles/mesh-interfaces/templates/mesh-tunnel.cfg.j2
  16. 0 3
      roles/mesh-interfaces/templates/test.j2
  17. 52 0
      roles/mesh-routing/files/bird.gpg
  18. 1 27
      roles/common-net/templates/sysctl.conf.j2
  19. 7 0
      roles/mesh-routing/handlers/bird.yml
  20. 2 6
      roles/mesh-routing/handlers/main.yml
  21. 4 0
      roles/mesh-routing/handlers/sysctl.yml
  22. 32 0
      roles/mesh-routing/tasks/bird.yml
  23. 9 0
      roles/mesh-routing/tasks/igp.yml
  24. 3 26
      roles/mesh-routing/tasks/main.yml
  25. 3 8
      roles/mesh-routing/tasks/sysctl.yml
  26. 14 9
      roles/mesh-routing/templates/bird.conf.j2
  27. 27 13
      roles/mesh-routing/templates/bird6.conf.j2
  28. 17 0
      roles/mesh-routing/templates/igp.conf.j2
  29. 17 0
      roles/mesh-routing/templates/igp6.conf.j2
  30. 0 4
      roles/mesh-routing/vars/main.yml
  31. 0 0
      roles/service-ra/handlers/main.yml
  32. 17 15
      site.yml

+ 1 - 1
roles/common-net/tasks/resolvconf.yml

@@ -6,4 +6,4 @@
 - name: Ensure nameservers are set in resolv.conf
   copy:
     dest: /etc/resolv.conf
-    content: "{% for ip in network.nameservers %}nameserver {{ ip }}\n{% endfor %}"
+    content: "{% for ip in nameservers %}nameserver {{ ip }}\n{% endfor %}"

+ 4 - 0
roles/common-system/tasks/kernel.yml

@@ -0,0 +1,4 @@
+---
+
+- name: Ensure latest backports kernel is installed
+  apt: name=linux-image-amd64 default_release={{ ansible_lsb.codename|lower }}-backports install_recommends=no
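Review bot: The task name promises the latest backports kernel, but the `apt` call sets no `state`, so the module default (`present`) leaves an already-installed `linux-image-amd64` untouched and later kernel security updates from backports are not pulled in. Adding `state=latest` makes the task match its name, and `update_cache=yes cache_valid_time=3600` (as the removed batctl task used) refreshes the package index first. `ansible_lsb.codename` is only populated when lsb-release is present on the target, so `ansible_distribution_release` may be the more dependable fact. Nothing visible in this commit reboots into a newly installed kernel; presumably that is handled elsewhere.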

+ 1 - 0
roles/common-system/tasks/main.yml

@@ -4,4 +4,5 @@
 - include: crypto.yml
 - include: time.yml
 - include: journald.yml
+- include: kernel.yml
 - include: tools.yml

+ 2 - 2
roles/common-system/tasks/sysctl.yml

@@ -1,5 +1,5 @@
 ---
 
-- name: Install router specific sysctl config
-  template: src=sysctl.conf.j2 dest=/etc/sysctl.d/system.conf
+- name: Install custom sysctl variables
+  copy: src=sysctl.conf dest=/etc/sysctl.d/system.conf
   notify: Load sysctl variables

roles/peering/tasks/main.yml → roles/gateway-peering/tasks/main.yml


roles/peering/templates/bird.conf.j2 → roles/gateway-peering/templates/bird.conf.j2


roles/peering/templates/bird6.conf.j2 → roles/gateway-peering/templates/bird6.conf.j2


roles/peering/templates/peering_interfaces.j2 → roles/gateway-peering/templates/peering_interfaces.j2


+ 6 - 9
roles/mesh-interfaces/tasks/batman.yml

@@ -1,13 +1,7 @@
 ---
-# tasks file for batman
 
-- name: Install B.A.T.M.A.N. ctl via APT
-  apt: name={{item}} state=present update_cache=yes cache_valid_time=3600
-  with_items:
-  - batctl
-
-- include: ubuntu.yml
-  when: ansible_distribution == 'Ubuntu'
+- name: Ensure batctl is installed
+  apt: name=batctl
 
 - name: Enable batman module on boot
   lineinfile: dest=/etc/modules line=batman_adv
@@ -15,4 +9,7 @@
 - name: Load batman-adv kernel module
   modprobe: name=batman_adv state=present
 
-# TODO make sure bat14 mode is used
+- name: Install batman-adv mesh interface definition
+  template:
+    dest: "/etc/network/interfaces.d/10_batman.cfg"
+    src: "batman.cfg.j2"
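Review bot: The new template task reads `src: "batman.cfg.j2"`, but no file of that name appears in this commit's file list; the template that receives the `# batman-adv mesh interface` header is still `roles/mesh-interfaces/templates/mesh_interfaces.j2`. Unless batman.cfg.j2 already exists in the role, this task fails at run time, so either rename the template or point `src` at `mesh_interfaces.j2`. The task also has no `notify`, so a changed interface definition is written but not applied until the next ifup or reboot; a short comment would help if that is intended.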

+ 2 - 18
roles/mesh-interfaces/tasks/main.yml

@@ -1,20 +1,4 @@
 ---
-# tasks file for mesh-interfaces
 
-- name: Install bird.conf
-  template: src=bird.conf.j2 dest=/etc/bird/conf.d/mesh.conf
-  notify: Reload bird daemons
-
-- name: Install bird6.conf
-  template: src=bird6.conf.j2 dest=/etc/bird/conf6.d/mesh.conf
-  notify: Reload bird daemons
-
-- name: Install mesh interface definitions
-  template:
-    dest: "/etc/network/interfaces.d/mesh.cfg"
-    src: "mesh_interfaces.j2"
-
-- name: Install gre tunnel definitions
-  template:
-    dest: "/etc/network/interfaces.d/backbone.cfg"
-    src: "gre-tunnel.j2"
+- include: batman.yml
+- include: tunnel.yml

+ 6 - 0
roles/mesh-interfaces/tasks/tunnel.yml

@@ -0,0 +1,6 @@
+---
+
+- name: Install gretap tunnel definitions
+  template:
+    dest: "/etc/network/interfaces.d/20_mesh-tunnel.cfg"
+    src: "mesh-tunnel.cfg.j2"
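Review bot: Hosts provisioned by the previous revision keep `/etc/network/interfaces.d/backbone.cfg` and `/etc/network/interfaces.d/mesh.cfg`, because the definitions are now written under new names (`20_mesh-tunnel.cfg` here, `10_batman.cfg` in batman.yml) and nothing removes the old files. The same interfaces would then presumably be defined twice on those hosts. A cleanup task such as `file: path=/etc/network/interfaces.d/backbone.cfg state=absent` (and the same for `mesh.cfg`) ahead of the template tasks avoids that.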

+ 1 - 1
roles/mesh-interfaces/templates/mesh_interfaces.j2

@@ -1,4 +1,4 @@
-# Mesh interfaces
+# batman-adv mesh interface
 
 # Dummy-Interface als MainIF mit manueller MAC fuer batman-adv
 auto meshdummy0

+ 0 - 27
roles/mesh-interfaces/templates/bird.conf.j2

@@ -1,27 +0,0 @@
-#
-# This file is managed by ansible. Do not edit by hand!
-#
-
-protocol direct {
-        interface "bat*";
-        interface "peer-*";
-        interface "lo";
-};
-
-template bgp ibgp {
-        local as {{as}};
-        import all;
-        export all;
-        next hop self;
-        multihop 64;
-};
-
-{% for host in groups['all'] %}
-{% if hostvars[host]["inventory_hostname"] != inventory_hostname %}
-protocol bgp {{hostvars[host]['inventory_hostname_short']}} from ibgp {
-        source address {{mesh_ipv4|ipaddr('address')}};
-        neighbor {{hostvars[host]['mesh_ipv4']|ipaddr('address')}} as {{as}};
-        default bgp_med 4;
-};
-{% endif %}
-{% endfor %}

+ 0 - 30
roles/mesh-interfaces/templates/bird6.conf.j2

@@ -1,30 +0,0 @@
-#
-# This file is managed by ansible. Do not edit by hand!
-#
-
-protocol direct {
-        interface "bat*";
-        interface "peer-*";
-        interface "lo";
-}
-
-{% if mesh_ipv6 is defined %}
-template bgp ibgp {
-        local as {{as}};
-        source address {{mesh_ipv6|ipaddr('address')}};
-        import all;
-        export all;
-        next hop self;
-        direct;
-        gateway direct;
-}
-
-{% for host in groups['all'] %}
-{% if hostvars[host]['inventory_hostname'] != inventory_hostname %}
-protocol bgp {{hostvars[host]['inventory_hostname_short']}} from ibgp {
-        neighbor {{hostvars[host].mesh_ipv6|ipaddr('address')}} as {{as}};
-        default bgp_med 4;
-}
-{% endif %}
-{% endfor %}
-{% endif %}

roles/mesh-interfaces/templates/gre-tunnel.j2 → roles/mesh-interfaces/templates/mesh-tunnel.cfg.j2


+ 0 - 3
roles/mesh-interfaces/templates/test.j2

@@ -1,3 +0,0 @@
-{% for host in groups['all'] %}
-Host: {{host}}
-{% endfor %}

+ 52 - 0
roles/mesh-routing/files/bird.gpg

@@ -0,0 +1,52 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.12 (GNU/Linux)
+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+=0VaR
+-----END PGP PUBLIC KEY BLOCK-----

+ 1 - 27
roles/common-net/templates/sysctl.conf.j2

@@ -1,24 +1,6 @@
-#
-# This file is managed by ansible. Do not edit by hand!
-#
-
-# Reboot 1 second after kernel panic, oops or BUG (usually in batman-adv.ko)
-kernel.panic = 1
-kernel.panic_on_oops = 1
-
-# throw kernel panic on softlockup
-kernel.softlockup_panic=1
-
-
 ## Networking
 # See https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
 
-# Don't pass bridged traffic to iptables/arptables
-net.bridge.bridge-nf-call-arptables = 0
-net.bridge.bridge-nf-call-iptables = 0
-net.bridge.bridge-nf-call-ip6tables = 0
-
-
 ## IPv4 tuning
 
 # Reset all configuration parameters to RFC1812
@@ -27,10 +9,6 @@ net.ipv4.ip_forward = 1
 # Disable routing to eth0
 net.ipv4.conf.eth0.forwarding = 0
 
-# Accept ICMP redirect messages; default = 0
-net.ipv4.conf.default.accept_redirects = 1
-net.ipv4.conf.all.accept_redirects = 1
-
 # Use larger ARP cache
 net.ipv4.neigh.default.gc_thresh1 = 2048
 net.ipv4.neigh.default.gc_thresh2 = 4096
@@ -49,10 +27,6 @@ net.ipv6.conf.all.forwarding = 1
 net.ipv6.conf.eth0.forwarding = 0
 net.ipv6.conf.eth0.accept_ra = 0
 
-# Accept Redirects; default = 0
-net.ipv6.conf.default.accept_redirects = 1
-net.ipv6.conf.all.accept_redirects = 1
-
 # Accept Duplicate Address Detection; default = 1
 net.ipv6.conf.default.accept_dad = 0
 net.ipv6.conf.all.accept_dad = 0
@@ -63,4 +37,4 @@ net.ipv6.neigh.default.gc_thresh2 = 4096
 net.ipv6.neigh.default.gc_thresh3 = 8192
 
 # Maximum number of routes allowed in the kernel
-net.ipv6.route.max_size = 8388608
+net.ipv6.route.max_size = 8388608

+ 7 - 0
roles/mesh-routing/handlers/bird.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Reload bird daemons
+  service: name={{item}} state=reloaded
+  with_items:
+  - bird
+  - bird6

+ 2 - 6
roles/mesh-routing/handlers/main.yml

@@ -1,8 +1,4 @@
 ---
-# handlers file for ffdo.bird
 
-- name: Reload bird daemons
-  service: name={{item}} state=reloaded
-  with_items:
-  - bird
-  - bird6
+- include: sysctl.yml
+- include: bird.yml

+ 4 - 0
roles/mesh-routing/handlers/sysctl.yml

@@ -0,0 +1,4 @@
+---
+
+- name: Load sysctl variables
+  shell: sysctl -p /etc/sysctl.d/routing.conf || true
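Review bot: `|| true` makes this handler report success even when `sysctl -p` rejects a key, so a setting in routing.conf that fails to apply (the `eth0` forwarding restriction, for example) goes unnoticed. Consider `command: sysctl -p /etc/sysctl.d/routing.conf` without the `|| true`, or keep it best-effort but `register` the result and use `failed_when` to tolerate only the errors known to be harmless. The handler name `Load sysctl variables` is also what roles/common-system/tasks/sysctl.yml notifies for `/etc/sysctl.d/system.conf`; handler names share one namespace per play, so if common-system defines a handler with the same name only one of the two will run. A role-specific name such as `Load routing sysctl variables` avoids the clash.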

+ 32 - 0
roles/mesh-routing/tasks/bird.yml

@@ -0,0 +1,32 @@
+---
+
+- name: Ensure bird repository key is installed
+  apt_key:
+    id: 4A7A714D
+    data: "{{ lookup('file', 'bird.gpg') }}"
+
+- name: Ensure bird Debian repository is installed
+  apt_repository: repo='deb http://bird.network.cz/debian {{ ansible_lsb.codename|lower }} main'
+
+- name: Ensure bird routing daemon is installed
+  apt: name=bird install_recommends=no
+
+- name: Ensure bird include dirs exists
+  file: name={{bird_config_dir}}/{{item}} state=directory
+  with_items:
+    - conf.d
+    - conf6.d
+
+- name: Install bird.conf
+  template: src=bird.conf.j2 dest={{bird_config_dir}}/bird.conf
+  notify: Reload bird daemons
+
+- name: Install bird6.conf
+  template: src=bird6.conf.j2 dest={{bird_config_dir}}/bird6.conf
+  notify: Reload bird daemons
+
+- name: Enable and start bird and bird6
+  service: name={{item}} state=started enabled=yes
+  with_items:
+    - bird
+    - bird6
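Review bot: `{{bird_config_dir}}` is still used in three tasks here, while this commit deletes roles/mesh-routing/vars/main.yml, the only visible definition of `bird_config_dir`; unless it is set in inventory or group_vars, these tasks fail on an undefined variable. The templates and igp.yml now hard-code `/etc/bird`, so either do the same here or keep the variable as a role default. Separately, `id: 4A7A714D` is a 32-bit short key ID, which a colliding key can match; pin the full fingerprint instead, quoted so YAML keeps it a string, e.g. `id: "FULL-40-HEX-FINGERPRINT-PLACEHOLDER"`. The repository line uses plain `http://`, so that signature check is the only integrity control on the installed packages.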

+ 9 - 0
roles/mesh-routing/tasks/igp.yml

@@ -0,0 +1,9 @@
+---
+
+- name: Install OSPF IGP configuration for bird
+  template: src=igp.conf.j2 dest=/etc/bird/conf.d/igp.conf
+  notify: Reload bird daemons
+
+- name: Install OSPF IGP configuration for bird6
+  template: src=igp6.conf.j2 dest=/etc/bird/conf6.d/igp6.conf
+  notify: Reload bird daemons

+ 3 - 26
roles/mesh-routing/tasks/main.yml

@@ -1,28 +1,5 @@
 ---
-# tasks file for ffdo.bird
 
-- name: Ensure bird routing daemon is installed
-  apt: name=bird state=present update_cache=yes cache_valid_time=3600
-
-- name: Ensure bird config dir exists
-  file: name={{bird_config_dir}} state=directory
-
-- name: Ensure bird include dirs exists
-  file: name={{bird_config_dir}}/{{item}} state=directory
-  with_items:
-    - conf.d
-    - conf6.d
-
-- name: Install bird.conf
-  template: src=bird.conf.j2 dest={{bird_config_dir}}/bird.conf
-  notify: Reload bird daemons
-
-- name: Install bird6.conf
-  template: src=bird6.conf.j2 dest={{bird_config_dir}}/bird6.conf
-  notify: Reload bird daemons
-
-- name: Enable and start bird and bird6
-  service: name={{item}} state=started enabled=yes
-  with_items:
-    - bird
-    - bird6
+- include: sysctl.yml
+- include: bird.yml
+- include: igp.yml

+ 3 - 8
roles/mesh-routing/tasks/sysctl.yml

@@ -1,10 +1,5 @@
 ---
-# tasks file for sysctl
 
-- name: Install router specific sysctl config
-  template: src=sysctl.conf.j2 dest=/etc/sysctl.d/supernode.conf
-  register: supernode_sysctl_installed
-
-- name: Load sysctl variables
-  when: supernode_sysctl_installed|changed
-  shell: sysctl -p /etc/sysctl.d/supernode.conf || true
+- name: Install routing specific sysctl variables
+  copy: src=sysctl.conf dest=/etc/sysctl.d/routing.conf
+  notify: Load sysctl variables
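Review bot: Changing the destination to `/etc/sysctl.d/routing.conf` leaves `/etc/sysctl.d/supernode.conf` in place on hosts configured by the previous revision, and it is still loaded at boot. If that file carries the values this commit drops from the sysctl template (`accept_redirects = 1` for IPv4 and IPv6, the `kernel.panic` settings), they stay in effect on those hosts. Add a task like `file: path=/etc/sysctl.d/supernode.conf state=absent` with `notify: Load sysctl variables`. Removing the file does not reset a running kernel, so the old values persist until a reboot or an explicit `sysctl -w`.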

+ 14 - 9
roles/mesh-routing/templates/bird.conf.j2

@@ -1,21 +1,26 @@
-#
-# This file is managed by ansible. Do not edit by hand!
-#
-
 log syslog all;
+
 router id {{routerid}};
 
+# table ffrl; # BGP Peerings
+# table ibgp;
+# table freifunk; # Kernel table 42 (Routing from Freifunk networks)
+
 protocol kernel {
-        persist;
-        device routes;
         scan time 20;
+        device routes;
         import all;
         export all;
         kernel table 42;
-};
+}
 
 protocol device {
-        scan time 8;
+        scan time 10;
+}
+
+protocol static unreachable_default {
+    preference 1;
+    route 0.0.0.0/0 reject;
 };
 
-include "{{bird_config_dir}}/conf.d/*.conf";
+include "/etc/bird/conf.d/*.conf";
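Review bot: The IPv4 `protocol kernel` block loses `persist` while bird6.conf.j2 in the same commit keeps it, so when bird stops or crashes the IPv4 routes in kernel table 42 are withdrawn but the IPv6 ones remain. If the asymmetry is deliberate it deserves a comment; otherwise keep `persist;` in both files. The "managed by ansible" header is also removed, which drops the only hint on the host that manual edits will be overwritten; `# {{ ansible_managed }}` restores it. Block terminators now mix `}` and `};` within the file.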

+ 27 - 13
roles/mesh-routing/templates/bird6.conf.j2

@@ -1,21 +1,35 @@
-#
-# This file is managed by ansible. Do not edit by hand!
-#
-
 log syslog all;
 router id {{routerid}};
 
+protocol static uplink_hostroute {
+    import all;
+    export all;
+};
+
+protocol direct {
+    interface "*";
+};
+
 protocol kernel {
-        persist;
-        device routes;
-        scan time 20;
-        import all;
-        export all;
-        kernel table 42;
-}
+    persist;
+    device routes;
+    scan time 20;
+    import all;
+    export all;
+    kernel table 42;
+};
 
 protocol device {
-        scan time 8;
+        scan time 10;
 }
 
-include "{{bird_config_dir}}/conf6.d/*.conf";
+protocol static {
+    preference 1;
+    route ::/0 unreachable;
+};
+
+protocol static {
+    route {{ ipv6_network }} via "lo";
+};
+
+include "/etc/bird/conf6.d/*.conf";
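Review bot: `protocol direct { interface "*"; }` imports connected prefixes from every interface, including the uplink (`eth0` in this repo's sysctl file), whereas the removed mesh-interfaces config limited it to `bat*`, `peer-*` and `lo`. igp6.conf.j2, included from conf6.d, declares a second `protocol direct` with the narrow list, but that cannot restrict what the wildcard block has already imported. With `export all` on the kernel protocol, and on any BGP session added later, uplink prefixes could end up in table 42 or be announced to peers; consider dropping the wildcard block or giving it the same interface list. `uplink_hostroute` is a static protocol with no `route` lines, so as written it contributes nothing. `{{ ipv6_network }}` is not defined anywhere in this commit and presumably comes from inventory.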

+ 17 - 0
roles/mesh-routing/templates/igp.conf.j2

@@ -0,0 +1,17 @@
+protocol direct {
+        interface "bat*";
+        interface "mesh-*";
+        interface "lo";
+};
+
+protocol ospf IGP {
+        area 0.0.0.0 {
+                interface "mesh-*";
+                interface "lo" {
+                        stub;
+                };
+        };
+
+        import all;
+        export none;
+}
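Review bot: The OSPF area runs on `mesh-*` with no `authentication` configured and with `import all`, so any host able to send OSPF packets on a mesh tunnel can form an adjacency and have its routes accepted. Unless the tunnels are already authenticated at a lower layer, turn the interface line into a block, `interface "mesh-*" { authentication cryptographic; password "{{ ospf_password }}"; };` (the variable name is a placeholder, to be supplied from a vault), and replace `import all` with a filter that accepts only the expected mesh prefixes. igp6.conf.j2 has the same `import all`; whether OSPFv3 authentication is available there depends on the BIRD version in use.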

+ 17 - 0
roles/mesh-routing/templates/igp6.conf.j2

@@ -0,0 +1,17 @@
+protocol direct {
+        interface "bat*";
+        interface "mesh-*";
+        interface "lo";
+}
+
+protocol ospf IGP {
+        area 0.0.0.0 {
+                interface "mesh-*";
+                interface "lo" {
+                        stub;
+                };
+        };
+
+        import all;
+        export none;
+}

+ 0 - 4
roles/mesh-routing/vars/main.yml

@@ -1,4 +0,0 @@
----
-# vars file for ffdo.bird
-
-bird_config_dir: /etc/bird

roles/mesh-routing/handlers/radvd.yml → roles/service-ra/handlers/main.yml


+ 17 - 15
site.yml

@@ -1,4 +1,5 @@
 ---
+
 - hosts: all
   roles:
     - common-net
@@ -8,19 +9,20 @@
     - mesh-interfaces
     - mesh-routing
 
-- hosts: supernodes
-  roles:
-    - mesh-vpn-fastd
-    - peering
-    - service-ra
-    - service-dhcp
-    - service-dns
-    - service-ntp
+# - hosts: supernodes
+#   roles:
+#     - mesh-vpn-fastd
+#     - gateway-peering
+#     - gateway-nat
+#     - service-dns
+#     - service-ntp
+#     - service-ra
+#     - service-dhcp
 
-- hosts: mapservers
-  roles:
-    - service-nginx
-    - service-map
-    - service-wiki
-    - service-gitolite
-    - service-images
+# - hosts: mapservers
+#   roles:
+#     - service-nginx
+#     - service-map
+#     - service-wiki
+#     - service-gitolite
+#     - service-images
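Review bot: Commenting out the `supernodes` and `mapservers` plays means a full `site.yml` run no longer converges those hosts, so their peering, DNS, NTP, RA and DHCP configuration stops being managed and can drift without notice. If the roles are only temporarily broken by the refactor, say so in a comment that states what has to happen before they are re-enabled, or keep the plays and gate them with tags. The commented list also references `gateway-nat`, a role that does not appear in this commit.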