......@@ -18,11 +18,11 @@ grp = inv.group("vpnservers",
batman_gateway=True,
firewall_enabled=True,
)
grp.host(1, "vpn01.bremen.freifunk.net", exit_ipv4="default", exit_ipv4_interface="eth0", exit_ipv6_remote=False, exit_ipv6_interface="eth0")
grp.host(2, "vpn02.bremen.freifunk.net", exit_ipv4="gre")
grp.host(3, "vpn03.bremen.freifunk.net", exit_ipv4="default", exit_ipv4_interface="eth1", exit_ipv6_remote=False, exit_ipv6_interface="eth1")
grp.host(5, "vpn05.bremen.freifunk.net", exit_ipv4="gre")
grp.host(6, "vpn06.bremen.freifunk.net", exit_ipv4="default", exit_ipv4_interface="eth0")
grp.host(1, "vpn01.bremen.freifunk.net", exit_ipv4="default", exit_ipv4_interface="eth0", exit_ipv6_remote=False, exit_ipv6_interface="eth0", max_mtu=1462)
grp.host(2, "vpn02.bremen.freifunk.net", exit_ipv4="default", exit_ipv4_interface="eth0", exit_ipv6_remote=False, exit_ipv6_interface="eth0", max_mtu=1438)
grp.host(3, "vpn03.bremen.freifunk.net", exit_ipv4="default", exit_ipv4_interface="eth0", exit_ipv6_remote=False, exit_ipv6_interface="eth0", max_mtu=1462)
grp.host(5, "vpn05.bremen.freifunk.net", exit_ipv4="default", exit_ipv4_interface="ens3", exit_ipv6_remote=False, exit_ipv6_interface="ens3", max_mtu=1438)
grp.host(6, "vpn06.bremen.freifunk.net", exit_ipv4="default", exit_ipv4_interface="eth0", max_mtu=1462)
grp = inv.group("eventsserver")
grp.host(0, "mgmt.bremen.freifunk.net")
......@@ -31,7 +31,7 @@ grp = inv.group("webserver")
grp.host(0, "webserver.bremen.freifunk.net")
grp = inv.group("downlinks", batman_gateway=True, firewall_enabled=True)
grp.host(12, "ipv6-downlink.bremen.freifunk.net")
grp.host(12, "ipv6-downlink.bremen.freifunk.net", max_mtu=1462)
grp = inv.group("dnsserver");
grp.host(0, "dns.bremen.freifunk.net");
......@@ -40,12 +40,6 @@ grp = inv.group("vmhosts")
grp.host(0, "bre-1.bremen.freifunk.net")
grp.host(0, "bre-2.bremen.freifunk.net")
grp = inv.group("standardserver")
grp.host(0, "mail.bremen.freifunk.net")
grp.host(0, "syslog.bremen.freifunk.net")
grp.host(0, "jenkins.bremen.freifunk.net")
grp.child("vmhosts")
grp = inv.group("ffmapserver")
grp.host(0, "ffmap.bremen.freifunk.net")
......@@ -60,4 +54,19 @@ grp = inv.group("backbone")
grp.child("vpnservers")
grp.child("downlinks")
# alle Root-Server mit Standard-Config
grp = inv.group("standardserver")
grp.host(0, "bgp-plutex01.bremen.freifunk.net")
grp.host(0, "mail.bremen.freifunk.net")
grp.host(0, "syslog.bremen.freifunk.net")
grp.host(0, "jenkins.bremen.freifunk.net")
grp.host(0, "code.bremen.freifunk.net")
grp.host(0, "vpn04.bremen.freifunk.net")
grp.host(0, "babel-gw-lwlcom.bremen.freifunk.net")
grp.child("vmhosts")
grp.child("backbone")
grp.child("webserver")
grp.child("dnsserver")
grp.child("ffmapserver")
print inv.json_dump(indent=4)
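Review bot: `vpn04.bremen.freifunk.net` is placed in the `standardserver` group at L47 while every other vpnNN host is declared in `vpnservers` (L13–L17), so it does not get `batman_gateway`/`firewall_enabled` from that group; if that is deliberate (a host being retired or managed by hand) a comment above L47 such as `# vpn04: intentionally not in vpnservers, managed separately` would keep the next reader from "fixing" it. The same hunk makes backbone, webserver, dnsserver and ffmapserver children of `standardserver` (L49–L53), which appears to be what allows the playbooks later in this commit to drop their apt/openssh/system roles; a one-line comment above L41 stating that `standardserver` now carries the base roles for every host would document that dependency where it is created. The script is still Python 2 syntax (`print` statement at L54), outside this change.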
......@@ -135,7 +135,11 @@ class Group:
decrypted = gpg.decrypt_file(f)
if decrypted.ok:
import yaml
vars.update(yaml.load(str(decrypted)))
try:
from yaml import CLoader as Loader, CDumper as Dumper
except ImportError:
from yaml import Loader, Dumper
vars.update(yaml.load(str(decrypted), Loader=Loader))
else:
print("There are secret variables for the host {}, but you don't have access to them.".format(hostname), file=sys.stderr)
except IOError:
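Review bot: The new loader selection at L61/L63 picks the full `Loader`, which lets the YAML stream construct arbitrary Python objects; for a vars file a safe loader is sufficient and removes that capability, e.g. `from yaml import CSafeLoader as Loader` with the fallback `from yaml import SafeLoader as Loader`, and `yaml.load(str(decrypted), Loader=Loader)` stays as written. The file is GPG-decrypted, so it is trusted in the normal case, but the safe loader costs nothing here and limits what a tampered secrets file can do. `CDumper as Dumper` / `Dumper` are imported but never used in the hunk. The enclosing method of `Group` starts and ends outside the hunk.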
......@@ -2,12 +2,5 @@
- hosts: dnsserver
roles:
- { role: etckeeper-pre, tags: [etckeeper-pre] }
- { role: apt, tags: [apt] }
- { role: openssh, tags: [openssh] }
- { role: system, tags: [system] }
- { role: tmpfs, tags: [tmpfs] }
- { role: tools, tags: [tools] }
- { role: motd, tags: [motd] }
- { role: nsd, tags: [nsd] }
- { role: monitoring-client, tags: [monitoring-client] }
- { role: etckeeper-post, tags: [etckeeper-post] }
......@@ -3,15 +3,9 @@
vars:
batman_gateway: false
roles:
- { role: etckeeper-pre, tags: [etckeeper-pre] }
- { role: apt, tags: [apt] }
- { role: openssh, tags: [openssh] }
- { role: etckeeper-pre, tags: [etckeeper-pre, always] }
- { role: batman-adv-14, tags: [batman-adv-14] }
- { role: main-bridge, tags: [main-bridge] }
- { role: backbone-gre, tags: [backbone-gre] }
- { role: chrony, tags: [chrony] }
- { role: system, tags: [system] }
- { role: tmpfs, tags: [tmpfs] }
- { role: tools, tags: [tools] }
- { role: motd, tags: [motd] }
- { role: etckeeper-post, tags: [etckeeper-post] }
- { role: etckeeper-post, tags: [etckeeper-post, always] }
......@@ -16,11 +16,5 @@
password: ""
roles:
- { role: etckeeper-pre, tags: [etckeeper-pre] }
- { role: apt, tags: [apt] }
- { role: openssh, tags: [openssh] }
- { role: system, tags: [system] }
- { role: tmpfs, tags: [tmpfs] }
- { role: tools, tags: [tools] }
- { role: motd, tags: [motd] }
- { role: yanic, tags: [yanic] }
- { role: etckeeper-post, tags: [etckeeper-post] }
---
- hosts: standardserver
roles:
- { role: etckeeper-pre, tags: [etckeeper-pre] }
- { role: etckeeper-pre, tags: [etckeeper-pre, always] }
- { role: apt, tags: [apt] }
- { role: openssh, tags: [openssh] }
- { role: system, tags: [system] }
......@@ -11,4 +11,4 @@
- { role: rkhunter, tags: [rkhunter] }
- { role: etckeeper, tags: [etckeeper] }
- { role: monitoring-client, tags: [monitoring-client] }
- { role: etckeeper-post, tags: [etckeeper-post] }
- { role: etckeeper-post, tags: [etckeeper-post, always] }
......@@ -3,12 +3,7 @@
vars:
batman_gateway: true
roles:
- { role: etckeeper-pre, tags: [etckeeper-pre] }
- { role: apt, tags: [apt] }
- { role: openssh, tags: [openssh] }
- { role: rkhunter, tags: [rkhunter] }
- { role: etckeeper, tags: [etckeeper] }
- { role: monitoring-client, tags: [monitoring-client] }
- { role: etckeeper-pre, tags: [etckeeper-pre, always] }
- { role: batman-adv-14, tags: [batman-adv-14] }
- { role: main-bridge, tags: [main-bridge] }
- { role: fastd, tags: [fastd] }
......@@ -20,10 +15,6 @@
- { role: chrony, tags: [chrony] }
- { role: unbound, tags: [unbound] }
- { role: dnsmasq, tags: [dnsmasq] }
- { role: system, tags: [system] }
- { role: tmpfs, tags: [tmpfs] }
- { role: tools, tags: [tools] }
- { role: motd, tags: [motd] }
- { role: nginx, tags: [nginx] }
- { role: speedtest, tags: [speedtest] }
- { role: etckeeper-post, tags: [etckeeper-post] }
- { role: etckeeper-post, tags: [etckeeper-post, always] }
......@@ -5,14 +5,6 @@
alt_domain: ffhb.de
roles:
- { role: etckeeper-pre, tags: [etckeeper-pre] }
- { role: apt, tags: [apt] }
- { role: openssh, tags: [openssh] }
- { role: system, tags: [system] }
- { role: sudo, tags: [sudo] }
- { role: etckeeper, tags: [etckeeper] }
- { role: tmpfs, tags: [tmpfs] }
- { role: tools, tags: [tools] }
- { role: motd, tags: [motd] }
- { role: chrony, tags: [chrony] }
- { role: letsencrypt, tags: [letsencrypt] }
- { role: apache, tags: [apache] }
......@@ -24,7 +16,6 @@
- { role: influxdb, tags: [influxdb] }
- { role: grafana, tags: [grafana] }
- { role: meshviewer, tags: [meshviewer] }
- { role: monitoring-client, tags: [monitoring-client] }
- { role: restic, tags: [restic] }
- { role: tasksite, tags: [tasksite] }
- { role: etckeeper-post, tags: [etckeeper-post] }
......@@ -121,12 +121,6 @@
- unique_id
notify: restart apache
- name: Create directory for log files
file:
path: /readonly
state: directory
mode: 0755
- name: Copy logrotate job
copy:
src: logrotate-apache2-user
DPkg::Post-Invoke { "if [ -x /usr/sbin/checkrestart ]; then checkrestart; fi"; };
// Unattended-Upgrade::Origins-Pattern controls which packages are
// upgraded.
//
// Lines below have the format format is "keyword=value,...". A
// package will be upgraded only if the values in its metadata match
// all the supplied keywords in a line. (In other words, omitted
// keywords are wild cards.) The keywords originate from the Release
// file, but several aliases are accepted. The accepted keywords are:
// a,archive,suite (eg, "stable")
// c,component (eg, "main", "contrib", "non-free")
// l,label (eg, "Debian", "Debian-Security")
// o,origin (eg, "Debian", "Unofficial Multimedia Packages")
// n,codename (eg, "jessie", "jessie-updates")
// site (eg, "http.debian.net")
// The available values on the system are printed by the command
// "apt-cache policy", and can be debugged by running
// "unattended-upgrades -d" and looking at the log file.
//
// Within lines unattended-upgrades allows 2 macros whose values are
// derived from /etc/debian_version:
// ${distro_id} Installed origin.
// ${distro_codename} Installed codename (eg, "jessie")
Unattended-Upgrade::Origins-Pattern {
// Codename based matching:
// This will follow the migration of a release through different
// archives (e.g. from testing to stable and later oldstable).
// "o=Debian,n=jessie";
// "o=Debian,n=jessie-updates";
// "o=Debian,n=jessie-proposed-updates";
// "o=Debian,n=jessie,l=Debian-Security";
// Archive or Suite based matching:
// Note that this will silently match a different release after
// migration to the specified archive (e.g. testing becomes the
// new stable).
// "o=Debian,a=stable";
// "o=Debian,a=stable-updates";
// "o=Debian,a=proposed-updates";
"origin=Debian,codename=${distro_codename}";
"origin=Debian,codename=${distro_codename}-updates";
"origin=Debian,codename=${distro_codename}-proposed-updates";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
};
// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
// "vim";
// "libc6";
// "libc6-dev";
// "libc6-i686";
};
// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
// dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "false";
// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGUSR1. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
Unattended-Upgrade::MinimalSteps "true";
// Install all unattended-upgrades when the machine is shuting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
//Unattended-Upgrade::InstallOnShutdown "true";
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
Unattended-Upgrade::Mail "root";
// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
Unattended-Upgrade::MailOnlyOnError "true";
// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";
// Automatically reboot *WITHOUT CONFIRMATION* if
// the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "false";
// Automatically reboot even if there are users currently logged in.
//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
// Default: "now"
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";
// Enable logging to syslog. Default is False
// Unattended-Upgrade::SyslogEnable "false";
// Specify syslog facility. Default is daemon
// Unattended-Upgrade::SyslogFacility "daemon";
......@@ -7,12 +7,11 @@
- name: Install APT https transport plugin
apt:
name: apt-transport-https
when: ansible_distribution == 'Debian' and ansible_distribution_version is version_compare("10", "<")
- name: Install debian-goodies for checkrestart
- name: Install needrestart
apt:
name:
- debian-goodies
- lsof
name: needrestart
- name: Configure periodic APT updates
copy:
......@@ -24,16 +23,31 @@
name: unattended-upgrades
- name: Configure unattended-upgrades
copy:
src: unattended-upgrades.conf
dest: /etc/apt/apt.conf.d/50unattended-upgrades
lineinfile:
path: '/etc/apt/apt.conf.d/50unattended-upgrades'
line: '{{ item.key }} "{{ item.value }}";'
regexp: '^\s*(//\s*)?{{ item.key | regex_escape() }}\b'
loop:
- key: 'Unattended-Upgrade::MinimalSteps'
value: 'true'
- key: 'Unattended-Upgrade::Mail'
value: 'root'
- key: 'Unattended-Upgrade::MailOnlyOnError'
value: 'true'
- name: Configure unattended-upgrades origins
lineinfile:
path: '/etc/apt/apt.conf.d/50unattended-upgrades'
line: ' "{{ item }}";'
insertafter: 'Unattended-Upgrade::Origins-Pattern\s*{'
regexp: '^\s*(//\s*)?"{{ item | regex_escape() }}";$'
loop:
- 'origin=Debian,codename=${distro_codename}-updates'
- 'origin=Debian,codename=${distro_codename}-proposed-updates'
- 'origin=Debian,codename=${distro_codename},label=Debian'
- 'origin=Debian,codename=${distro_codename},label=Debian-Security'
- name: Configure dpkg run with unattended-upgrades
copy:
src: unattended-upgrades-dpkg.conf
dest: /etc/apt/apt.conf.d/51unattended-upgrades
- name: Configure APT to run checkrestart after updates
copy:
src: apt-checkrestart.conf
dest: /etc/apt/apt.conf.d/99checkrestart
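Review bot: The two `lineinfile` tasks at L298–L319 edit `/etc/apt/apt.conf.d/50unattended-upgrades` without a `validate:`, so a malformed line would break every subsequent apt run on the host, including unattended-upgrades itself; `validate: 'apt-config --config-file=%s dump'` (assuming apt-config rejects a file with syntax errors, which I believe it does) would catch that before the file is written. The origins task at L310–L319 also relies on the stock file layout: when neither `regexp` nor `insertafter` matches, lineinfile appends the `"…";` entry at end of file, outside the `Origins-Pattern { }` block, so a comment noting that the task assumes the Debian-shipped file (and will not work on an empty or rewritten one) is worth adding. The `\b` in the key regexp at L301 correctly keeps `Unattended-Upgrade::Mail` from clobbering `MailOnlyOnError`.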
......@@ -9,6 +9,7 @@ iface {{ ifname }} inet manual
post-down ip link del $IFACE
up ip link set up $IFACE
down ip link set down $IFACE
up ip link set $IFACE mtu {{ [ hostvars[host].max_mtu, max_mtu ] | min }}
up batctl -m {{ batman_interface }} if add $IFACE
down batctl -m {{ batman_interface }} if del $IFACE
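Review bot: `hostvars[host].max_mtu` at L332 raises an undefined-variable error at template time for any peer host that does not define `max_mtu`, and the inventory change in this commit sets it only for the vpnservers and downlinks hosts; `up ip link set $IFACE mtu {{ [ hostvars[host].max_mtu | default(max_mtu), max_mtu ] | min }}` keeps the local cap when the peer has none. The enclosing `iface {{ ifname }}` stanza starts outside the hunk.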
---
batman_adv_14_repository: 'https://repo.universe-factory.net/debian/ sid main'
batman_adv_14_repository_key: '6664E7BDA6B669881EC52E7516EF3F64CB201D9C'
batman_adv_14_apt_repository: 'https://repo.universe-factory.net/debian/ sid main'
batman_adv_14_repository: 'https://github.com/freifunk-gluon/batman-adv-legacy'
batman_adv_14_git_commit: '90b4d1511cd7bd3e0802412ca6d1b90e964d8691'
......@@ -2,7 +2,7 @@
# We're passed the version of the kernel being installed
inst_kern=$1
pkg_name=batman-adv
pkg_name=batman-adv-legacy
pkg_ver=2013.4.0
module_name=$pkg_name
......@@ -38,11 +38,12 @@ case "${uname_s}" in
;;
esac
if dkms status $pkg_name/$pkg_ver -k $inst_kern | grep -q ' installed$'; then
if dkms status -m $pkg_name -v $pkg_ver -k $inst_kern | grep -q ' installed$'; then
echo "$pkg_name in version $pkg_ver already installed." >&2
else
dkms uninstall $pkg_name/$pkg_ver -k $inst_kern || true
dkms install --force $pkg_name/$pkg_ver -k $inst_kern
dkms remove -m $pkg_name -v $pkg_ver -k $inst_kern || true
dkms build -m $pkg_name -v $pkg_ver -k $inst_kern
dkms install -m $pkg_name -v $pkg_ver --force -k $inst_kern
fi
if ! _check_kernel_dir $inst_kern ; then
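Review bot: The new `dkms build` at L359 is not linked to the `dkms install` at L360, so unless the script runs under `set -e` (not visible in the hunk) a failed build is followed by an install attempt of a module that does not exist; `dkms build -m "$pkg_name" -v "$pkg_ver" -k "$inst_kern" && dkms install -m "$pkg_name" -v "$pkg_ver" --force -k "$inst_kern"` ties them together and also quotes the expansions, which L353 and L358 should do as well. `|| true` on the `dkms remove` at L358 is fine for the not-installed case but also hides other failures; redirecting its stderr is not a substitute, so consider at least logging it. The script continues outside the hunk.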
---
# tasks file for batman-adv-14
- name: Add repository key for batman-adv compat 14
apt_key:
keyserver: "{{ pgp_keyserver }}"
id: "{{ batman_adv_14_repository_key }}"
- name: Add repository for batman-adv compat 14
- name: Remove old repository
apt_repository:
repo: "deb {{ batman_adv_14_repository }}"
repo: "deb {{ batman_adv_14_apt_repository }}"
state: absent
- name: Remove old dkms package
apt:
name: batman-adv-dkms
state: absent
purge: yes
- name: Install batman-adv dependencies
apt:
name:
- dkms
- lsof
- linux-headers-amd64
- batman-adv-dkms
- name: Clone batman-adv repo
git:
repo: "{{ batman_adv_14_repository }}"
dest: "/usr/src/batman-adv-legacy-2013.4.0"
version: "{{ batman_adv_14_git_commit }}"
- name: Add repo to dkms
shell: dkms add -m batman-adv-legacy -v 2013.4.0
args:
creates: /var/lib/dkms/batman-adv-legacy/2013.4.0/source/Makefile
- name: Copy kernel postinst downgrade hook
copy:
src: dkms-batman-adv-downgrade
dest: /etc/kernel/postinst.d/dkms-batman-adv-downgrade
dest: /etc/kernel/postinst.d/00dkms-batman-adv-downgrade
mode: 0755
- name: Ensure correct version was installed
shell: /etc/kernel/postinst.d/dkms-batman-adv-downgrade $(uname -r)
shell: /etc/kernel/postinst.d/00dkms-batman-adv-downgrade $(uname -r)
register: batman_adv_version_result
changed_when: '"already installed" not in batman_adv_version_result.stderr'
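Review bot: `Remove old repository` at L371–L375 drops the universe-factory apt source, but the signing key imported by the `Add repository key` task at L366–L369 stays in apt's trusted keyring if that task is kept (the section does not show its side), and apt trusts any repository signed with it; a matching `apt_key: id: "{{ batman_adv_14_repository_key }}", state: absent` would drop that trust once no role needs the key. The fastd role tasks (L590–L600) appear to drop the same apt source and should get the same treatment, since both roles import the same key id. `shell: dkms add -m batman-adv-legacy -v 2013.4.0` at L394 uses no shell features, so `command:` is the idiomatic module, and the `batman-adv-legacy`/`2013.4.0` pair hard-coded at L391, L394 and L396 duplicates `pkg_name`/`pkg_ver` in the postinst hook and could come from one variable.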
ipt -A INPUT -i {{ main_bridge }} -p udp --dport 123 -j ACCEPT
ipt6 -A INPUT -i {{ main_bridge }} -p udp --dport 123 -j ACCEPT
ipt -A INPUT -i '{{ main_bridge }}' -p udp --dport 123 -j ACCEPT
ipt6 -A INPUT -i '{{ main_bridge }}' -p udp --dport 123 -j ACCEPT
ipt4 -A INPUT -i {{ main_bridge }} -p udp --dport 67:68 -j ACCEPT
ipt4 -A INPUT -i '{{ main_bridge }}' -p udp --dport 67:68 -j ACCEPT
......@@ -8,4 +8,5 @@ AddDescription "Knotendaten für <a href=\"http://bremen.freifunk.net/map/list.h
AddDescription "Aktuelle Firmware, s.a. <a href=\"http://wiki.bremen.freifunk.net/Firmware-flashen\">Anleitung zum Flashen</a>" firmware
AddDescription "\"Freifunk verbindet!\"-Video" video
AddOutputFilter DEFLATE json
AddType text/plain manifest
Header set Access-Control-Allow-Origin "*"
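Review bot: `Header set Access-Control-Allow-Origin "*"` at L420 applies to the whole vhost, which (per the downloads vhost elsewhere in this commit) also proxies `/opkg/openwrt/`, not only the static firmware and node data; if the wildcard is meant for the public files only, scoping it in a `<Directory>` or `<LocationMatch>` block keeps the proxied paths out. A wildcard without credentials is the safe form of CORS, so this is about scope rather than a hole. The grafana vhost in the same commit (L658–L660) takes the opposite, origin-reflecting approach; a short comment here saying why the downloads site is intentionally world-readable cross-origin would make the two consistent by intent.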
[Unit]
Description=fast remote file copy program daemon
[Service]
ExecStart=/usr/bin/rsync --no-detach --daemon --config .config/rsyncd.conf
[Install]
WantedBy=default.target
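Review bot: `--config .config/rsyncd.conf` at L424 is a relative path, so the unit only works if the user manager's working directory happens to be the home directory; `ExecStart=/usr/bin/rsync --no-detach --daemon --config %h/.config/rsyncd.conf` makes it explicit. The unit has no `Restart=` directive, so a crashed daemon stays down until the next deploy; `Restart=on-failure` under `[Service]` is the usual choice for a long-running daemon like this.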
#! /usr/bin/env bash
exec multilog t ./main
......@@ -3,7 +3,6 @@ dependencies:
- tools
- apache
- letsencrypt
- daemontools
galaxy_info:
platforms:
- name: Debian
......@@ -12,7 +12,7 @@
- name: Create directory for Apache log files
file:
path: "/readonly/{{ downloads_user }}/log"
path: "/var/log/apache2/{{ downloads_user }}"
state: directory
owner: root
group: "{{ downloads_group }}"
......@@ -30,7 +30,6 @@
- /home/{{ downloads_user }}/.ssh
- /home/{{ downloads_user }}/.var/run
- /var/www/{{ downloads_user }}/domains/{{ downloads_domain }}
- /var/www/{{ downloads_user }}/domains/{{ downloads_domain }}/data/nodes
- /var/www/{{ downloads_user }}/domains/{{ downloads_domain }}/firmware/all
- /var/www/{{ downloads_user }}/domains/{{ downloads_domain }}/opkg/modules
- /var/www/{{ downloads_user }}/domains/{{ downloads_domain }}/video
......@@ -90,48 +89,29 @@
- name: Copy rsync daemon config
template:
src: rsyncd.conf
dest: "/home/{{ downloads_user }}/.config/etc/rsyncd.conf"
dest: "/home/{{ downloads_user }}/.config/rsyncd.conf"
owner: "{{ downloads_user }}"
group: "{{ downloads_group }}"
mode: 0644
- name: Create daemontools folder
shell: /usr/local/bin/ffhb-setup-svscan creates=/home/{{ downloads_user }}/.config/service
become: yes
become_user: "{{ downloads_user }}"
- name: Create rsync daemontools folders
file:
path: "/home/{{ downloads_user }}/.config/etc/{{ item }}"
state: directory
recurse: yes
owner: "{{ downloads_user }}"
group: "{{ downloads_group }}"
mode: 0755
with_items:
- run-rsync
- run-rsync/log
- name: Copy start script of rsync
template:
src: run
dest: "/home/{{ downloads_user }}/.config/etc/run-rsync/run"
owner: "{{ downloads_user }}"
group: "{{ downloads_group }}"
mode: 0755
- name: Copy log script of rsync
- name: Copy rsync.service unit
copy:
src: run-log
dest: "/home/{{ downloads_user }}/.config/etc/run-rsync/log/run"
src: rsync.service
dest: "/home/{{ downloads_user }}/.config/systemd/user/"
owner: "{{ downloads_user }}"
group: "{{ downloads_group }}"
mode: 0755
mode: 0644
- name: Create symlink to start rsync
file:
src: "/home/{{ downloads_user }}/.config/etc/run-rsync"
dest: "/home/{{ downloads_user }}/.config/service/rsync"
state: link
owner: "{{ downloads_user }}"
group: "{{ downloads_group }}"
- name: Enable and start rsync.service
systemd:
name: rsync.service
scope: user
state: started
enabled: yes
become: yes
become_user: "{{ downloads_user }}"
- name: Enable linger for user systemd instance
command: loginctl enable-linger {{ downloads_user|quote }}
args:
creates: /var/lib/systemd/linger/{{ downloads_user|quote }}
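Review bot: `Enable and start rsync.service` at L503–L510 runs with `scope: user` before `loginctl enable-linger` at L511–L514, but a user manager instance is only guaranteed to exist for a lingering user (or an active login session, which `become_user` via sudo typically does not create), so on a fresh host the systemd module is likely to fail to reach the user bus; moving the linger task ahead of it fixes the order. The unit file is copied at L486–L495 without `daemon_reload: yes` on the systemd task, so a changed unit is not picked up by an already-running user manager. `{{ downloads_user|quote }}` in `creates:` at L514 is a filesystem path rather than a shell argument, so `quote` is unnecessary there (harmless for a plain user name).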
......@@ -16,8 +16,7 @@
ProxyPass /opkg/openwrt/ https://downloads.openwrt.org/
ProxyPreserveHost Off
CustomLog /readonly/{{ downloads_user }}/log/default-access.log combined env=!dontlog
ErrorLog /readonly/{{ downloads_user }}/log/default-error.log
ErrorLog /var/log/apache2/{{ downloads_user }}/default-error.log
ErrorLogFormat "[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ ANONYMIZED] %M% ,\ referer\ %{Referer}i"
SSLEngine on
......@@ -39,7 +38,6 @@
ProxyPass /opkg/openwrt/ http://downloads.openwrt.org/
ProxyPreserveHost Off
CustomLog /readonly/{{ downloads_user }}/log/default-access.log combined env=!dontlog
ErrorLog /readonly/{{ downloads_user }}/log/default-error.log
ErrorLog /var/log/apache2/{{ downloads_user }}/default-error.log
ErrorLogFormat "[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ ANONYMIZED] %M% ,\ referer\ %{Referer}i"
</VirtualHost>
#! /usr/bin/env bash
set -eu
# These environment variables are sometimes needed by the running daemons
export USER={{ downloads_user }}
export HOME=/home/{{ downloads_user }}
# Include the user-specific profile, it's actually called .profile on debian.
. $HOME/.profile
# Now let's go!
exec /usr/bin/rsync --no-detach --daemon --config $HOME/.config/etc/rsyncd.conf 2>&1
......@@ -2,7 +2,7 @@
# Copy default route
if [ "$IFACE" = "{{ ansible_default_ipv4.interface }}" ]; then
if [ -z "$(ip -4 route list 0/0 table {{ ffhb_routing_table }} | grep '^default')" ]; then
ip -4 route list 0/0 | xargs ip route add table {{ ffhb_routing_table }}
if ! ip -4 route list 0/0 table '{{ ffhb_routing_table }}' | grep -q '^default'; then
ip -4 route list 0/0 | xargs ip route add table '{{ ffhb_routing_table }}'
fi
fi
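Review bot: `ip -4 route list 0/0 | xargs ip route add table '…'` at L546 hands every default route to a single `ip route add` invocation, so with more than one default route (e.g. several metrics) the command gets an invalid argument list, and with none it runs `ip route add table …` with no destination; `ip -4 route list 0/0 | xargs -r -L1 ip route add table '{{ ffhb_routing_table }}'` copies each route on its own and does nothing when the list is empty. The `grep -q` rewrite at L545 is a clear improvement over the `-z "$(…)"` test.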
#! /usr/bin/env sh
# {{ ansible_managed }}
exec /sbin/ip route add default dev "$1" table {{ ffhb_routing_table }}
exec /sbin/ip route add default dev "$1" table '{{ ffhb_routing_table }}'
#! /usr/bin/env bash
# {{ ansible_managed }}
/sbin/ip route add "$trusted_ip" via "$route_net_gateway"
/sbin/ip route add default via "$route_vpn_gateway" dev "$1" table {{ ffhb_routing_table }}
# shellcheck disable=SC2154
{
/sbin/ip route add "$trusted_ip" via "$route_net_gateway"
/sbin/ip route add default via "$route_vpn_gateway" dev "$1" table '{{ ffhb_routing_table }}'
}
ipt6 -A FORWARD -i {{ main_bridge }} -o {{ exit_ipv6_interface }} -j ACCEPT
ipt6 -A FORWARD -o {{ main_bridge }} -i {{ exit_ipv6_interface }} -j ACCEPT
ipt6 -A FORWARD -i {{ main_bridge }} -o {{ main_bridge }} -j ACCEPT
ipt6 -A FORWARD -i '{{ main_bridge }}' -o '{{ exit_ipv6_interface }}' -j ACCEPT
ipt6 -A FORWARD -o '{{ main_bridge }}' -i '{{ exit_ipv6_interface }}' -j ACCEPT
ipt6 -A FORWARD -i '{{ main_bridge }}' -o '{{ main_bridge }}' -j ACCEPT
ipt -A INPUT -p ipv6 -j ACCEPT
......@@ -4,7 +4,7 @@ iface vpn-uplink6 inet6 static
netmask 64
# create tunnel device
pre-up ip tunnel add $IFACE mode sit remote {{ exit_ipv6_remote }} local {{ ansible_default_ipv4.address }} ttl 255
post-down ip tunnel del $IFACE mode sit remote {{ exit_ipv6_remote }} local {{ ansible_default_ipv4.address }} ttl 255
post-down ip tunnel del $IFACE
# add default route
post-up ip -6 route add default via {{ ipv6_uplink_own_gateway.address }} dev $IFACE table default-freifunk
pre-down ip -6 route del default via {{ ipv6_uplink_own_gateway.address }} dev $IFACE table default-freifunk
......@@ -4,8 +4,6 @@
batman_interface: bat-{{ site_code }}
fastd_repository_key: '6664E7BDA6B669881EC52E7516EF3F64CB201D9C'
fastd_repository_url: 'https://repo.universe-factory.net/debian/ sid main'
fastd_peers_limit: -1
fastd_anonymous: true
......@@ -17,4 +15,4 @@ fastd_legacy_interface: vpn-{{ site_code }}-legacy
fastd_legacy_port: 10000
fastd_legacy_mtu: 1426
fastd_blacklist_git_commit: '57322c05c7f1535869b4acfd5ef4f588dfb74451'
fastd_blacklist_git_commit: 'bd01a3fc0252ed8d42d36e2b4ad8ddbee57a5577'
---
- name: Add repository-gpg-key for fastd
apt_key:
keyserver: "{{ pgp_keyserver }}"
id: "{{ fastd_repository_key }}"
- name: Add apt repository
apt_repository:
repo: 'deb {{ fastd_repository_url }}'
- name: Install fastd
apt:
name: fastd
ipt6 -A INPUT -p udp --dport {{ fastd_port }} -s 2002::/16 -j REJECT --reject-with icmp6-adm-prohibited
ipt -A INPUT -p udp --dport {{ fastd_port }} -j ACCEPT
ipt6 -A INPUT -p udp --dport '{{ fastd_port }}' -s 2002::/16 -j REJECT --reject-with icmp6-adm-prohibited
ipt -A INPUT -p udp --dport '{{ fastd_port }}' -j ACCEPT
# clear all tables, not only filter
for table in $(grep -oP '(?<=^iptable_)\S*' /proc/modules); do
for table in $(iptables-save | grep '^*' | cut -d'*' -f2); do
ipt -t $table -F
ipt -t $table -X
done
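Review bot: `grep '^*'` at L608 works only because POSIX basic regex treats `*` directly after `^` as a literal, which is the kind of detail the next reader will not remember; `grep '^\*'` says what is meant. `iptables-save` lists only tables that are currently loaded, so the rewrite clears the same set the old `/proc/modules` scan did but also works when the nft backend is in use; a short comment, e.g. `# iptables-save lists every loaded table, regardless of backend`, would record why the scan changed. Only the `ipt` loop is in the hunk; if the `ipt6` counterpart elsewhere in the script still reads `/proc/modules`, it needs the same change.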
......@@ -34,11 +34,11 @@
name: firewall
enabled: yes
- name: Add nf_conntrack_ipv4 to /etc/modules
- name: Add nf_conntrack to /etc/modules
lineinfile:
dest: /etc/modules
regexp: "nf_conntrack_ipv4"
line: nf_conntrack_ipv4
line: nf_conntrack
regexp: '^nf_conntrack'
- name: Copy sysctl file for conntrack
copy:
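Review bot: `regexp: '^nf_conntrack'` at L623 also matches a leftover `nf_conntrack_ipv6` (or any other `nf_conntrack_*`) entry, and `lineinfile` only replaces the last matching line, so a host that had two such entries keeps one stale module name; `regexp: '^nf_conntrack(_ipv[46])?$'` plus a second pass, or a `state: absent` task for the old names, makes the result independent of what was there before. Whether any host has both entries cannot be told from the hunk.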
......@@ -47,6 +47,7 @@ ipt6() {
case "$1" in
start|restart)
for rule in "$RULEPATH"/*; do
# shellcheck disable=SC1090
. "$rule"
done
;;
......@@ -7,7 +7,7 @@
- name: Create directory for Apache log files
file:
path: "/readonly/{{ gatemon_user }}/log"
path: "/var/log/apache2/{{ gatemon_user }}"
state: directory
owner: root
group: "{{ gatemon_group }}"
......@@ -26,8 +26,7 @@
ScriptAlias /fcgi-bin /var/www/{{ gatemon_user }}/fcgi-bin
Include /etc/apache2/user-php-exec.conf
CustomLog /readonly/{{ gatemon_user }}/log/{{ gatemon_domain }}-access.log combined env=!dontlog
ErrorLog /readonly/{{ gatemon_user }}/log/{{ gatemon_domain }}-error.log
ErrorLog /var/log/apache2/{{ gatemon_user }}/{{ gatemon_domain }}-error.log
ErrorLogFormat "[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ ANONYMIZED] %M% ,\ referer\ %{Referer}i"
SSLEngine on
......@@ -9,6 +9,14 @@
ProxyPass / http://{{ grafana_addr }}:{{ grafana_port }}/
# Sets CORS headers for request from example1.com and example2.com pages
# for both SSL and non-SSL
SetEnvIf Origin "^https?://[^/]*(ffhb\.de|bremen\.freifunk\.net)$" ORIGIN=$0
Header set Access-Control-Allow-Origin %{ORIGIN}e env=ORIGIN
Header set Access-Control-Allow-Credentials "true" env=ORIGIN
# Always set Vary: Origin when it's possible you may send CORS headers
Header merge Vary Origin
# Don't add header to proxy
ProxyAddHeaders Off
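Review bot: The origin pattern at L658, `^https?://[^/]*(ffhb\.de|bremen\.freifunk\.net)$`, is not anchored to a label boundary, so `[^/]*` also accepts hosts whose name merely ends in those strings (anything-`ffhb.de`), and since L660 sets `Access-Control-Allow-Credentials "true"` the reflected origin grants credentialed cross-origin access to Grafana; `SetEnvIf Origin "^https://([^/]*\.)?(ffhb\.de|bremen\.freifunk\.net)$" ORIGIN=$0` restricts it to the two domains and their subdomains and drops plain-http origins, which should not be paired with credentials. The comment at L656 still talks about `example1.com and example2.com` from the snippet it was copied from and should name the real domains.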
......@@ -30,7 +30,6 @@
mode: 0755
with_items:
- tinc-down
- tinc-up
- name: Add network configuration
template:
ipt -A FORWARD -i {{ icvpn_interface }} -o {{ main_bridge }} -j ACCEPT
ipt -A FORWARD -o {{ icvpn_interface }} -i {{ main_bridge }} -j ACCEPT
ipt -A FORWARD -i '{{ icvpn_interface }}' -o '{{ main_bridge }}' -j ACCEPT
ipt -A FORWARD -o '{{ icvpn_interface }}' -i '{{ main_bridge }}' -j ACCEPT
ipt -A INPUT -p tcp --dport {{ icvpn_port }} -j ACCEPT
ipt -A INPUT -p udp --dport {{ icvpn_port }} -j ACCEPT
ipt -A INPUT -p tcp --dport '{{ icvpn_port }}' -j ACCEPT
ipt -A INPUT -p udp --dport '{{ icvpn_port }}' -j ACCEPT
......@@ -15,4 +15,6 @@ birdc6 configure > /dev/null
# TODO: This doesn't belong here but in the unbound role
sudo -u nobody /opt/{{ site_code }}/icvpn-scripts/mkdns -s "$DATADIR" -x bremen -f unbound > /etc/unbound/unbound.conf.d/icvpn.conf
unbound-control reload > /dev/null
if unbound-checkconf /etc/unbound/unbound.conf.d/icvpn.conf >/dev/null 2>&1; then
unbound-control reload > /dev/null
fi
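Review bot: The check at L686 only decides whether to reload; the broken file generated at L684 is already in place under `/etc/unbound/unbound.conf.d/`, so the next unbound restart fails on it, and the skipped reload is silent. Generating into a temporary file, validating that, and only then moving it over the live config keeps the last good config and reports the failure; the temporary name must not end in `.conf` so the include glob does not pick it up, and it needs world-readable permissions because `mktemp` creates it mode 0600. Whether `unbound-checkconf` accepts this fragment as a standalone file is assumed from the existing call at L686.
```shell
# … unchanged: birdc6 configure …
tmpconf="$(mktemp /etc/unbound/unbound.conf.d/icvpn.conf.tmp.XXXXXX)"
sudo -u nobody /opt/{{ site_code }}/icvpn-scripts/mkdns -s "$DATADIR" -x bremen -f unbound > "$tmpconf"
if unbound-checkconf "$tmpconf" >/dev/null 2>&1; then
    chmod 0644 "$tmpconf"
    mv "$tmpconf" /etc/unbound/unbound.conf.d/icvpn.conf
    unbound-control reload > /dev/null
else
    echo "icvpn: generated unbound config failed unbound-checkconf, keeping previous one" >&2
    rm -f "$tmpconf"
fi
```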
......@@ -16,8 +16,8 @@ iface {{ icvpn_interface }} inet6 static
address {{ icvpn_ipv6.address }}
netmask {{ icvpn_ipv6.size }}
# network route in {{ ffhb_routing_table }}
post-up ip -4 route add {{ icvpn_ipv6_prefix }} dev $IFACE table {{ ffhb_routing_table }}
pre-down ip -4 route del {{ icvpn_ipv6_prefix }} dev $IFACE table {{ ffhb_routing_table }}
post-up ip -6 route add {{ icvpn_ipv6_prefix }} dev $IFACE table {{ ffhb_routing_table }}
pre-down ip -6 route del {{ icvpn_ipv6_prefix }} dev $IFACE table {{ ffhb_routing_table }}
# prevent leak of data
post-up ip -6 rule add from {{ icvpn_ipv6.address }} table {{ ffhb_routing_table }} priority 16389
pre-down ip -6 rule del from {{ icvpn_ipv6.address }} table {{ ffhb_routing_table }} priority 16389
......@@ -56,7 +56,7 @@ bind-address = ":8088"
https-certificate = "/etc/ssl/influxdb.pem"
[monitor]
store-enabled = true
store-enabled = false
store-database = "_internal"
store-interval = "10s"
---
letsencrypt_git_root: 'https://github.com/lukas2511/dehydrated.git'
letsencrypt_git_commit: 'ce3d6583779d9fad597012dd116ab2a8c000e9cb'
letsencrypt_git_commit: '05eda91a2fbaed1e13c733230238fc68475c535e'
......@@ -24,6 +24,8 @@ iface br-{{ site_code }} inet static
pre-down ip -4 rule del from {{ batman_ipv4.address }} table {{ ffhb_routing_table }} priority 16387
# tune ARP and IPv6 neighbor soolicitation
post-up sysctl -p /etc/sysctl.d/main-bridge-ip-neigh-tuning.conf
# increase multicast table
post-up bash -c 'echo 2048 > /sys/class/net/br-ffhb/bridge/hash_max'
iface br-{{ site_code }} inet6 static
address {{ batman_ipv6_local.address }}
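Review bot: The new `post-up` at L717 hard-codes `br-ffhb` inside a stanza that is declared as `iface br-{{ site_code }}` (L712), so for any other `site_code` the sysfs path does not exist and the bridge is left with the default hash table; `post-up bash -c 'echo 2048 > /sys/class/net/$IFACE/bridge/hash_max'` uses the interface name ifupdown exports for the stanza (the single quotes are fine because `$IFACE` is expanded by the inner bash from its environment). The comment at L716 could also say what the larger table is for, e.g. `# increase multicast table so many mesh clients do not overflow it`, if that is the reason.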
ipt6 -A INPUT -i {{ main_bridge }} -p udp --dport 1001 -j ACCEPT
ipt6 -A INPUT -i vpn-{{ site_code }}-legacy -p udp --dport 1001 -j ACCEPT
ipt6 -A INPUT -i vpn-{{ site_code }} -p udp --dport 1001 -j ACCEPT
ipt6 -A INPUT -i '{{ main_bridge }}' -p udp --dport 1001 -j ACCEPT
ipt6 -A INPUT -i 'vpn-{{ site_code }}-legacy' -p udp --dport 1001 -j ACCEPT
ipt6 -A INPUT -i 'vpn-{{ site_code }}' -p udp --dport 1001 -j ACCEPT
/\[aio\]
/usr/sbin/xnbd-client
/dev/console
/initrd.log
#! /usr/bin/env bash
#
# ============================== SUMMARY =====================================
#
# Program : check_checkrestart.sh
# Version : 0.1
# Date : April 15 2014
# Author : Dirk Doerflinger - dirk(at)doerflinger(dot)org
# Summary : This is a Nagios plugin to check if any processes are still using
# old versions of updated libraries. I needs check_restart from
# debian-goodies. Debian only!
#
# Licence : MIT
#
# =========================== PROGRAM LICENSE =================================
#
# Copyright (C) 2014 Dirk Doerflinger
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# ===================== INFORMATION ABOUT THIS PLUGIN =========================
#
# This nagios plugin uses the checkrestart script from the debian-goodies to
# check if any processes are still using old version of updated libs.
#
# This program is written and maintained by:
# Dirk Doerflinger - dirk(at)doerflinger(dot)org
#
# ============================= SETUP NOTES ====================================
#
# Copy this file to your Nagios plugin folder, e.g. /usr/lib64/nagios/plugins/.
# Make sure it is executable for the nagios user
#
# You need to have debian-goodies installed, which provides
# /usr/sbin/checkrestart
#
# ./check_checkrestart.sh -w <warning> -c <critical>
#
# Where <warning> and <critical> is the number of processes found triggering
#
# ========================= SETUP EXAMPLES ==================================
#
# define command{
# command_name check_checkrestart
# command_line $USER1$/check_checkrestart.sh -w $ARG1$ -c $ARG2$
# }
#
# define service{
# use generic-service
# host_name debian-server
# service_description Debian obsolete libraries used
# check_command check_checkrestart!3!1
# normal_check_interval 3
# retry_check_interval 1
# }
#
# ================================ REVISION ==================================
#
# 0.1 Initial release
#
# ============================================================================
PACKAGE="check_checkrestart"
# Path to racadm binary
CHECK_RESTART_BIN="/usr/sbin/checkrestart"
# default values for warnings and critical
declare -i STATE_OK=0
declare -i STATE_WARNING=1
declare -i STATE_CRITICAL=2
declare -i STATE_UNKNOWN=3
# initialize an exit code
declare -i ERR_CODE=$STATE_OK
if [ "$(id -nu)" != "root" ]; then
echo "Check has to be run as root!"
exit $STATE_UNKNOWN
fi
# parse parameters
while test $# -gt 0; do
case "$1" in
-h|--help)
echo "$PACKAGE - Check obsolete libraries still in use"
echo
echo "Needs debian-goodies!"
echo
echo "$PACKAGE [options]"
echo
echo "options:"
echo "-h, --help show brief help"
echo "-w, --warning Warning number of processes using old libraries. Default: ${STATE_WARNING}"
echo "-c, --critical Crtitical number of processes using old libraries. Default: ${STATE_CRITICAL}"
exit $STATE_UNKNOWN
;;
-w|--warning)
shift
if test $# -gt 0; then
export STATE_WARNING=$1
else
echo "no warning level specified, defaulting to ${STATE_WARNING}"
fi
shift
;;
-c|--critical)
shift
if test $# -gt 0; then
export STATE_CRITICAL=$1
else
echo "no critical level specified, defaulting to ${STATE_CRITICAL}"
fi
shift
;;
esac
done
if [ -f /etc/nagios/checkrestart.cfg ]; then
RESULT=$(${CHECK_RESTART_BIN} -b /etc/nagios/checkrestart.cfg | grep Found | awk '{ print $2 }')
RESULT_PROGS="$(${CHECK_RESTART_BIN} -b /etc/nagios/checkrestart.cfg | grep '/' | grep -v '/etc/init.d' | awk '{ print $2 }' | while read line; do [ -z "$line" ] && continue; basename $line; done | sort | sort -u | xargs)"
else
RESULT=$(${CHECK_RESTART_BIN} | grep Found | awk '{ print $2 }')
RESULT_PROGS="$(${CHECK_RESTART_BIN} | grep '/' | grep -v '/etc/init.d' | awk '{ print $2 }' | while read line; do [ -z "$line" ] && continue; basename $line; done | sort | sort -u | xargs)"
fi
# Make sure we have a result. If we don't that usually means that the connection failed, e.g. wrom hostname or credentials
if [ -z $RESULT ]; then
echo "No data, maybe ${CHECK_RESTART_BIN} missing?"
exit 3
fi
if [ $RESULT -ge $STATE_CRITICAL ]; then
ERR_CODE=2
elif [ $RESULT -ge $STATE_WARNING ]; then
ERR_CODE=1
else
ERR_CODE=0
fi
if [ -n "$RESULT_PROGS" ]; then
RESULT_PROGS=" - ${RESULT_PROGS}"
fi
case $ERR_CODE in
0)
echo "OK${RESULT_PROGS}| $RESULT"
exit $STATE_OK
;;
1)
echo "WARNING${RESULT_PROGS}| $RESULT"
exit $STATE_WARNING
;;
2)
echo "CRITICAL${RESULT_PROGS}| $RESULT"
exit $STATE_CRITICAL
;;
*)
echo "UNKNOWN - Weird data"
exit $STATE_UNKOWN
;;
esac
#EOF
......@@ -85,9 +85,15 @@ else
EXPIRE_DATE=20180531
;;
jessie)
EXPIRE_DATE=20200430
EXPIRE_DATE=20200630
;;
stretch)
EXPIRE_DATE=20220630
;;
buster)
EXPIRE_DATE=20240630
;;
sid)
ERR_CODE=$STATE_OK
;;
*)
......
check_kernel = sudo /usr/lib/nagios/plugins/check_running_kernel
check_swap = /usr/lib/nagios/plugins/check_swap -w 20 -c 10
rnagios ALL=(root) NOPASSWD: \
/usr/local/lib/nagios/plugins/check_checkrestart "", \
/usr/local/lib/nagios/plugins/check_git_status /etc, \
/usr/lib/nagios/plugins/check_running_kernel ""
/usr/sbin/needrestart -p, \
/usr/local/lib/nagios/plugins/check_git_status /etc
......@@ -2,7 +2,6 @@
- name: Add user for nagios
user:
name: rnagios
uid: 996
home: /var/lib/rnagios
shell: /bin/bash
system: yes
......@@ -30,21 +29,23 @@
- libyaml-syck-perl
- lsb-release
- nagios-plugins-contrib
- needrestart
- name: Install Nagios checks
apt:
name:
- nagios-plugins-basic
- nagios-plugins-standard
when: (ansible_distribution == 'Debian' and ansible_distribution_major_version != '8') or
(ansible_distribution == 'Ubuntu')
when: (ansible_distribution == 'Debian' and ansible_distribution_major_version is version_compare("8", "<")) or
(ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version_compare("16", "<"))
- name: Install Nagios checks for debian jessie
apt:
name:
- monitoring-plugins-basic
- monitoring-plugins-standard
when: ansible_distribution == 'Debian' and ansible_distribution_major_version == '8'
when: (ansible_distribution == 'Debian' and ansible_distribution_major_version is version_compare("8", ">=")) or
(ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version_compare("16", ">="))
- name: Create directory for additional checks
file:
......@@ -70,51 +71,10 @@
path: /etc/nagios
state: directory
- name: Copy checkrestart configuration file
copy:
src: checkrestart.cfg
dest: /etc/nagios/checkrestart.cfg
- name: Copy default nagios configuration file
copy:
src: ssh-forcecommand.default.cfg
dest: /etc/nagios/ssh-forcecommand.default.cfg
- name: Copy contact nagios file
copy:
src: ssh-forcecommand.contact.cfg
dest: /etc/nagios/ssh-forcecommand.contact.cfg
force: no
- name: Copy kernel nagios configuration file
copy:
src: ssh-forcecommand.kernel.cfg
dest: /etc/nagios/ssh-forcecommand.kernel.cfg
when: ansible_virtualization_type is not defined or not (ansible_virtualization_role == 'guest' and (ansible_virtualization_type == 'openvz' or ansible_virtualization_type == 'lxc'))
- name: Remove kernel nagios configuration file
file:
dest: /etc/nagios/ssh-forcecommand.kernel.cfg
state: absent
when: ansible_virtualization_type is defined and (ansible_virtualization_role == 'guest' and (ansible_virtualization_type == 'openvz' or ansible_virtualization_type == 'lxc'))
- name: Copy swap nagios configuration file
copy:
src: ssh-forcecommand.swap.cfg
dest: /etc/nagios/ssh-forcecommand.swap.cfg
when: ansible_swaptotal_mb != 0
- name: Remove swap nagios configuration file
file:
dest: /etc/nagios/ssh-forcecommand.swap.cfg
state: absent
when: ansible_swaptotal_mb == 0
- name: Concat forcecommand files
assemble:
src: /etc/nagios
template:
src: ssh-forcecommand.cfg
dest: /etc/nagios/ssh-forcecommand.cfg
regexp: '^ssh-forcecommand\..*\.cfg$'
- name: Create sudo config
copy:
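Review bot: Dropping the copy tasks for /etc/nagios/checkrestart.cfg and the ssh-forcecommand.*.cfg fragments leaves those files in place on hosts provisioned by earlier revisions, and the new template task never removes them; a `file:` task with `state: absent` for checkrestart.cfg and a `find`/`file` loop over the old `ssh-forcecommand.*.cfg` fragments would make the transition clean. The stale `ssh-forcecommand.contact.cfg` is the one that matters, because it was copied with `force: no` and may hold a locally edited contact group that the templated `monitoring_client_contact_group` now silently replaces on the next run. The `Create sudo config` task at the end of this hunk continues outside it.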
......
discover-cmds = /usr/bin/awk -F= '{ print $1 }' < /etc/nagios/ssh-forcecommand.cfg
discover-distro = /usr/bin/lsb_release -i -s
fetch-config = /bin/echo '{ "contact_groups": "{{ monitoring_client_contact_group }}" }'
check_load = /usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
check_disks = /usr/lib/nagios/plugins/check_disk -W 10% -K 5% -w 15% -c 10% -p / -p /var/tmp
check_zombies = /usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z
check_updates = /usr/lib/nagios/plugins/check_apt -d -t 30
check_checkrestart = sudo /usr/local/lib/nagios/plugins/check_checkrestart
check_needrestart = sudo /usr/sbin/needrestart -p
check_etckeeper = sudo /usr/local/lib/nagios/plugins/check_git_status /etc
check_lts_release = /usr/local/lib/nagios/plugins/check_lts_release
check_rkhunter = /usr/local/lib/nagios/plugins/check_rkhunter
check_mailq = /usr/lib/nagios/plugins/check_mailq -w 3 -c 5
{% if ansible_swaptotal_mb > 0 %}
check_swap = /usr/lib/nagios/plugins/check_swap -w 20 -c 10
{% endif %}
{% if 'vpnservers' in group_names %}
check_conntrack = /usr/local/lib/nagios/plugins/check_conntrack.sh 80 90
check_dhcp = sudo /usr/lib/nagios/plugins/check_dhcp -i br-ffhb -u -s 10.196.0.2 -t 5
check_tinc_running = /usr/lib/nagios/plugins/check_procs -C tincd -c 1:
{% endif %}
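Review bot: The `fetch-config` line builds JSON by interpolating `monitoring_client_contact_group` directly between quote characters, so a value containing `"` produces invalid JSON and a `'` breaks the shell quoting of the echo command; rendering the object with a filter keeps the JSON well-formed, e.g. `fetch-config = /bin/echo '{{ {"contact_groups": monitoring_client_contact_group} | to_json }}'`. The `check_dhcp` entry for vpnservers runs under sudo, but the sudoers change in this commit grants rnagios only `needrestart -p` and `check_git_status /etc`, so unless another rule covers `/usr/lib/nagios/plugins/check_dhcp` that check will fail on those hosts; if such a rule exists elsewhere, a one-line comment above the vpnservers block naming it would save the next reader the cross-check.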
......@@ -4,7 +4,7 @@ monitoring_user: 'ffhb-monitoring'
monitoring_group: 'ffhb-monitoring'
monitoring_subdomain: 'monitoring'
monitoring_domain: '{{ monitoring_subdomain }}.{{ main_domain }}'
monitoring_icinga_version: 1.14.2
monitoring_nagios_plugins_version: 2.2.1
monitoring_nagios_version: 4.4.6
monitoring_nagios_plugins_version: 2.3.3
monitoring_global_access_contact: 'nagiosadmin'
monitoring_check_multi_version: 0.26
monitoring_global_access_contactgroup: 'icingaadmin'
define hostgroup {
hostgroup_name gluon-nodes
}
define service {
use generic-service
hostgroup_name gluon-nodes
service_description Gluon version up-to-date
check_command check_gluon_version
check_interval 720
}