Initial commit
This commit is contained in:
commit
a363bde348
10
Modulefile
Normal file
10
Modulefile
Normal file
|
@ -0,0 +1,10 @@
|
|||
name 'puppet-ff_gw'
|
||||
version '0.1.0'
|
||||
license 'BSD 2-clause license'
|
||||
author 'Martin Schuette <info@mschuette.name>'
|
||||
dependency 'puppetlabs/apt', '>= 1.4.0'
|
||||
dependency 'puppetlabs/vcsrepo', '>= 0.2.0'
|
||||
dependency 'saz/sudo', '>= 3.0.1'
|
||||
dependency 'torrancew/account', '>= 0.0.5'
|
||||
summary "Freifunk Hamburg Gateway"
|
||||
description "A module to setup and configure a Freifunk (Hamburg) Gateway"
|
6
README.md
Normal file
6
README.md
Normal file
|
@ -0,0 +1,6 @@
|
|||
# Freifunk Gateway Module
|
||||
|
||||
Martin Schütte <info@mschuette.name>
|
||||
|
||||
This module tries to automate the configuration of a Freifunk (Hamburg) Gateway.
|
||||
|
26
files/etc/iptables/rules.v4
Normal file
26
files/etc/iptables/rules.v4
Normal file
|
@ -0,0 +1,26 @@
|
|||
# Generated by iptables-save v1.4.14 on Sun Mar 24 14:14:50 2013
|
||||
*filter
|
||||
:INPUT ACCEPT [273:40363]
|
||||
:FORWARD ACCEPT [0:0]
|
||||
:OUTPUT ACCEPT [194:28568]
|
||||
COMMIT
|
||||
# Completed on Mon Mar 25 19:41:40 2013
|
||||
# Generated by iptables-save v1.4.14 on Mon Mar 25 19:41:40 2013
|
||||
*mangle
|
||||
:PREROUTING ACCEPT [286:41734]
|
||||
:INPUT ACCEPT [273:40363]
|
||||
:FORWARD ACCEPT [0:0]
|
||||
:OUTPUT ACCEPT [194:28568]
|
||||
:POSTROUTING ACCEPT [194:28568]
|
||||
-A PREROUTING -i br-ffhh -j MARK --set-xmark 0x1/0xffffffff
|
||||
COMMIT
|
||||
# Completed on Mon Mar 25 19:41:40 2013
|
||||
# Generated by iptables-save v1.4.14 on Mon Mar 25 19:41:40 2013
|
||||
*nat
|
||||
:PREROUTING ACCEPT [15:1459]
|
||||
:INPUT ACCEPT [2:88]
|
||||
:OUTPUT ACCEPT [1:74]
|
||||
:POSTROUTING ACCEPT [1:74]
|
||||
-A POSTROUTING -o mullvad -j MASQUERADE
|
||||
COMMIT
|
||||
# Completed on Mon Mar 25 19:41:40 2013
|
45
files/etc/openvpn/mullvad.conf
Normal file
45
files/etc/openvpn/mullvad.conf
Normal file
|
@ -0,0 +1,45 @@
|
|||
client
|
||||
|
||||
dev mullvad
|
||||
dev-type tun
|
||||
|
||||
proto udp
|
||||
|
||||
remote nl.mullvad.net # Servers in the Netherlands
|
||||
|
||||
# Keep trying indefinitely to resolve the
|
||||
# host name of the OpenVPN server. Very useful
|
||||
# on machines which are not permanently connected
|
||||
# to the internet such as laptops.
|
||||
resolv-retry infinite
|
||||
|
||||
# Most clients don't need to bind to
|
||||
# a specific local port number.
|
||||
nobind
|
||||
|
||||
# Try to preserve some state across restarts.
|
||||
persist-key
|
||||
persist-tun
|
||||
|
||||
# Enable compression on the VPN link.
|
||||
comp-lzo
|
||||
|
||||
# Set log file verbosity.
|
||||
verb 3
|
||||
|
||||
remote-cert-tls server
|
||||
|
||||
ping-restart 60
|
||||
|
||||
# Allow calling of built-in executables and user-defined scripts.
|
||||
script-security 2
|
||||
|
||||
# Parses DHCP options from openvpn to update resolv.conf
|
||||
route-noexec
|
||||
up /etc/openvpn/mullvad/mullvad-up
|
||||
|
||||
ping 10
|
||||
|
||||
ca /etc/openvpn/mullvad/ca.crt
|
||||
cert /etc/openvpn/mullvad/client.crt
|
||||
key /etc/openvpn/mullvad/client.key
|
35
files/root/bin/autoupdate_fastd_keys.sh
Normal file
35
files/root/bin/autoupdate_fastd_keys.sh
Normal file
|
@ -0,0 +1,35 @@
|
|||
#!/bin/bash
|
||||
# Simple script to update fastd peers from git upstream
|
||||
# and only send HUP to fastd when changes happend.
|
||||
|
||||
# CONFIGURE THIS TO YOUR PEER DIRECTORY
|
||||
FASTD_PEERS=/etc/fastd/ffhh-mesh-vpn/peers
|
||||
|
||||
function getCurrentVersion() {
|
||||
# Get hash from latest revision
|
||||
git log --format=format:%H -1
|
||||
}
|
||||
|
||||
cd $FASTD_PEERS
|
||||
|
||||
# Get current version hash
|
||||
GIT_REVISION=$(getCurrentVersion)
|
||||
|
||||
# Automagically commit local changes
|
||||
# This preserves local changes
|
||||
git commit -m "CRON: auto commit"
|
||||
|
||||
# Pull latest changes from upstream
|
||||
git fetch
|
||||
git merge origin/master -m "Auto Merge"
|
||||
|
||||
# Get new version hash
|
||||
GIT_NEW_REVISION=$(getCurrentVersion)
|
||||
|
||||
if [ $GIT_REVISION != $GIT_NEW_REVISION ]
|
||||
then
|
||||
# Version has changed we need to update
|
||||
echo "Reload fastd peers"
|
||||
kill -HUP $(pidof fastd)
|
||||
fi
|
||||
|
22
files/usr/local/bin/check_gateway
Normal file
22
files/usr/local/bin/check_gateway
Normal file
|
@ -0,0 +1,22 @@
|
|||
#!/bin/bash
|
||||
INTERFACE=mullvad
|
||||
shopt -s nullglob
|
||||
|
||||
ping -q -I $INTERFACE 8.8.8.8 -c 4 -i 1 -W 5 >/dev/null 2>&1
|
||||
|
||||
if test $? -eq 0; then
|
||||
NEW_STATE=server
|
||||
else
|
||||
NEW_STATE=off
|
||||
fi
|
||||
|
||||
for MESH in /sys/class/net/*/mesh; do
|
||||
OLD_STATE="$(cat $MESH/gw_mode)"
|
||||
[ "$OLD_STATE" == "$NEW_STATE" ] && continue
|
||||
echo $NEW_STATE > $MESH/gw_mode
|
||||
echo 54MBit/54MBit > $MESH/gw_bandwidth
|
||||
logger "batman gateway mode changed to $NEW_STATE"
|
||||
done
|
||||
|
||||
# vim: noai:ts=4:sw=4:ff=unix:ft=text:fdm=marker
|
||||
|
40
files/usr/share/munin/plugins/udp-statistics
Normal file
40
files/usr/share/munin/plugins/udp-statistics
Normal file
|
@ -0,0 +1,40 @@
|
|||
#!/usr/bin/perl -w
|
||||
|
||||
if ( $ARGV[0] ) {
|
||||
|
||||
if ( $ARGV[0] eq 'autoconf' ) {
|
||||
if ( -r '/bin/netstat') {
|
||||
print "yes\n";
|
||||
exit 0;
|
||||
}
|
||||
print "no\n";
|
||||
exit 0;
|
||||
|
||||
} elsif ( $ARGV[0] eq 'config' ) {
|
||||
print <<EOM;
|
||||
graph_title UDP Statistics
|
||||
graph_args --base 1000 -l 0
|
||||
graph_vlabel Packets/\${graph_period}
|
||||
graph_category network
|
||||
received.label Received
|
||||
received.draw AREA
|
||||
received.type DERIVE
|
||||
received.min 0
|
||||
errors.label Errors
|
||||
errors.draw LINE1
|
||||
errors.type DERIVE
|
||||
errors.min 0
|
||||
sent.label Sent
|
||||
sent.draw LINE1
|
||||
sent.type DERIVE
|
||||
sent.min 0
|
||||
EOM
|
||||
exit 0;
|
||||
}
|
||||
}
|
||||
|
||||
@netstat = qx{/bin/netstat -us | awk '/packets sent/ \{ print "sent.value " \$1 \}
|
||||
/packets received/ \{ print "received.value " \$1 \}
|
||||
/packet receive errors/ \{ print "errors.value " \$1 \}'};
|
||||
|
||||
print @netstat;
|
132
files/usr/share/munin/plugins/vnstat_
Normal file
132
files/usr/share/munin/plugins/vnstat_
Normal file
|
@ -0,0 +1,132 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Munin plugin which reads the hourly, daily and monthly bandwidth usage.
|
||||
#
|
||||
# (c) 2011 Bram Schoenmakers <me@bramschoenmakers.nl>
|
||||
|
||||
#%# family=contrib
|
||||
#%# capabilities=autoconf
|
||||
|
||||
# par1 message
|
||||
error() {
|
||||
[ $# = 1 ] && echo "$1" >&2
|
||||
exit 1
|
||||
}
|
||||
|
||||
# par1: "hourly", "daily" or "monthly"
|
||||
# par2: "tx" or "rx"
|
||||
getBandwidth() {
|
||||
[ $# != 2 ] && exit 1
|
||||
|
||||
local FIELD=-1
|
||||
[ $2 = "rx" ] && FIELD=4
|
||||
[ $2 = "tx" ] && FIELD=5
|
||||
|
||||
[ "$FIELD" -eq -1 ] && exit 1
|
||||
|
||||
local DATA=$(echo "$VNSTAT" | grep "^${1:0:1};0")
|
||||
local MIB=$(echo "$DATA" | cut -d ';' -f $FIELD)
|
||||
local KIB=$(echo "$DATA" | cut -d ';' -f $(( $FIELD + 2 )) )
|
||||
|
||||
echo "scale=3; $MIB + ( $KIB / 1024 )" | bc
|
||||
}
|
||||
|
||||
# par1: "hourly", "daily" or "monthly"
|
||||
# par2: value so far
|
||||
getEstimate() {
|
||||
[ $# != 2 ] && exit 1
|
||||
|
||||
case "$1" in
|
||||
"hourly")
|
||||
local MINUTESPASSED=$(( $( date +%M ) ))
|
||||
local MINUTESTOTAL=60
|
||||
;;
|
||||
"daily")
|
||||
local MINUTESPASSED=$( echo "$( date +%H ) * 60 + $( date +%M )" | bc )
|
||||
local MINUTESTOTAL=1440
|
||||
;;
|
||||
"monthly")
|
||||
local MINUTESPASSED=$( echo "( $( date +%d ) - 1 ) * 1440 + $( date +%H ) * 60 + $( date +%M )" | bc )
|
||||
local DAYSINMONTH=$(date -d "$(date +%Y)-$(($(date +%-m)+1))-01 -1 day" +%d)
|
||||
local MINUTESTOTAL=$(( $DAYSINMONTH * 1440 ))
|
||||
;;
|
||||
esac
|
||||
|
||||
echo "scale=1; $MINUTESTOTAL * $2 / $MINUTESPASSED" | bc
|
||||
}
|
||||
|
||||
PARAMS=${0#*vnstat_}
|
||||
INTERFACE=$(echo "$PARAMS" | cut -d _ -f 1) # eth0
|
||||
PERIOD=$(echo "$PARAMS" | cut -d _ -f 2) # hourly, daily, monthly
|
||||
DIRECTION=$(echo "$PARAMS" | cut -d _ -f 3) # rx or tx
|
||||
|
||||
# determine whether estimates should be shown
|
||||
[ \( "${estimate:-0}" = 1 \) -o \( "${estimate:-0}" = "yes" \) -o \( "${estimate:-0}" = "true" \) ] && ESTIMATE=1 || ESTIMATE=0
|
||||
|
||||
# sanity checks
|
||||
[ "$PERIOD" = "hourly" ] || [ "$PERIOD" = "daily" ] || [ "$PERIOD" = "monthly" ] || error "Invalid period."
|
||||
[ "$DIRECTION" = "rx" ] || [ "$DIRECTION" = "tx" ] || [ "$DIRECTION" = "total" ] || [ "$DIRECTION" = "rxtx" ] || error "Invalid direction."
|
||||
|
||||
case "$1" in
|
||||
config)
|
||||
echo graph_category network
|
||||
echo graph_vlabel MiB
|
||||
|
||||
PERIODSTRING=${PERIOD%ly}
|
||||
PERIODSTRING=${PERIODSTRING/dai/day}
|
||||
if [ "$DIRECTION" = "rxtx" ]; then
|
||||
echo "graph_title Network bandwidth for $INTERFACE ($PERIOD, rx and tx)"
|
||||
echo value.label rx
|
||||
echo value2.label tx
|
||||
|
||||
# show estimates
|
||||
if [ $ESTIMATE -eq 1 ]; then
|
||||
echo "estimate.label rx estimate for this $PERIODSTRING"
|
||||
echo "estimate2.label tx estimate for this $PERIODSTRING"
|
||||
fi
|
||||
else
|
||||
echo "graph_title Network bandwidth for $INTERFACE ($PERIOD, $DIRECTION)"
|
||||
echo value.label $DIRECTION
|
||||
[ $ESTIMATE -eq 1 ] && echo "estimate.label estimate for this ${PERIODSTRING}"
|
||||
fi
|
||||
|
||||
exit 0;;
|
||||
autoconf)
|
||||
if ! which vnstat > /dev/null; then
|
||||
echo "no (vnstat unavailable)"
|
||||
elif ! which bc > /dev/null; then
|
||||
echo "no (bc unavailable)"
|
||||
else
|
||||
echo yes
|
||||
fi
|
||||
|
||||
exit 0
|
||||
;;
|
||||
esac
|
||||
|
||||
VNSTAT=$(vnstat -i $INTERFACE --dumpdb)
|
||||
|
||||
if [ "$DIRECTION" = "total" ] || [ "$DIRECTION" = "rxtx" ]; then
|
||||
VALUE1=$(getBandwidth $PERIOD rx)
|
||||
[ $? = 1 ] && error "Could not obtain data."
|
||||
VALUE2=$(getBandwidth $PERIOD tx)
|
||||
[ $? = 1 ] && error "Could not obtain data."
|
||||
|
||||
[ "$DIRECTION" = "total" ] && VALUE1=$( echo "scale=3; $VALUE1 + $VALUE2" | bc )
|
||||
else
|
||||
VALUE1=$(getBandwidth $PERIOD $DIRECTION)
|
||||
[ $? = 1 ] && error "Could not obtain data."
|
||||
fi
|
||||
|
||||
if [ "$DIRECTION" = "rxtx" ]; then
|
||||
echo value.value $VALUE1
|
||||
echo value2.value $VALUE2
|
||||
|
||||
if [ "$ESTIMATE" -eq 1 ]; then
|
||||
echo estimate.value $(getEstimate $PERIOD $VALUE1)
|
||||
echo estimate2.value $(getEstimate $PERIOD $VALUE2)
|
||||
fi
|
||||
else
|
||||
echo value.value $VALUE1
|
||||
[ "$ESTIMATE" -eq 1 ] && echo estimate.value $(getEstimate $PERIOD $VALUE1)
|
||||
fi
|
459
manifests/init.pp
Normal file
459
manifests/init.pp
Normal file
|
@ -0,0 +1,459 @@
|
|||
class ff_gw($mesh_mac, $gw_ipv4, $gw_ipv6, $secret_key, $dhcprange_start, $dhcprange_end) {
|
||||
class { 'ff_gw::apt': }
|
||||
->
|
||||
class { 'ff_gw::software': }
|
||||
->
|
||||
class { 'ff_gw::fastd':
|
||||
mesh_mac => $mesh_mac,
|
||||
gw_ipv4 => $gw_ipv4,
|
||||
gw_ipv6 => $gw_ipv6,
|
||||
secret_key => $secret_key,
|
||||
}
|
||||
->
|
||||
class { 'ff_gw::dhcpd':
|
||||
gw_ipv4 => $gw_ipv4,
|
||||
dhcprange_start => $dhcprange_start,
|
||||
dhcprange_end => $dhcprange_end,
|
||||
}
|
||||
->
|
||||
class { 'ff_gw::radvd':
|
||||
own_ipv6 => $gw_ipv6,
|
||||
}
|
||||
->
|
||||
class { 'ff_gw::vpn': }
|
||||
->
|
||||
class { 'ff_gw::iptables': }
|
||||
->
|
||||
class { 'ff_gw::dnsmasq': }
|
||||
->
|
||||
class { 'ff_gw::bird':
|
||||
own_ipv4 => $gw_ipv4,
|
||||
own_ipv6 => $gw_ipv6,
|
||||
}
|
||||
}
|
||||
|
||||
class ff_gw::apt() {
|
||||
class { '::apt':
|
||||
always_apt_update => true
|
||||
}
|
||||
# batman repo
|
||||
apt::source { 'universe-factory':
|
||||
location => 'http://repo.universe-factory.net/debian/',
|
||||
release => 'sid',
|
||||
repos => 'main',
|
||||
key => 'AB7A88C5B89033D8',
|
||||
key_server => 'pgpkeys.mit.edu',
|
||||
}
|
||||
}
|
||||
|
||||
class ff_gw::software {
|
||||
package {
|
||||
'batctl':
|
||||
ensure => installed;
|
||||
'batman-adv-dkms':
|
||||
ensure => installed;
|
||||
'fastd':
|
||||
ensure => installed;
|
||||
'bridge-utils':
|
||||
ensure => installed;
|
||||
}
|
||||
exec {
|
||||
'enable_batman_mod':
|
||||
command => 'echo batman-adv >> /etc/modules',
|
||||
unless => 'grep -q ^batman-adv /etc/modules',
|
||||
path => ['/bin', '/usr/sbin'],
|
||||
}
|
||||
}
|
||||
|
||||
class ff_gw::fastd($mesh_mac, $gw_ipv4, $gw_ipv6, $secret_key) {
|
||||
validate_re($mesh_mac, '^de:ad:be:[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}$')
|
||||
|
||||
file {
|
||||
'/etc/fastd/ffhh-mesh-vpn':
|
||||
ensure => directory;
|
||||
'/etc/fastd/ffhh-mesh-vpn/fastd.conf':
|
||||
ensure => file,
|
||||
notify => Service['fastd'],
|
||||
content => template('ff_gw/etc/fastd/ffhh-mesh-vpn/fastd.conf.erb');
|
||||
'/etc/fastd/ffhh-mesh-vpn/secret.conf':
|
||||
ensure => file,
|
||||
content => inline_template('secret "<%= @secret_key %>";');
|
||||
'/root/bin':
|
||||
ensure => directory;
|
||||
'/root/bin/autoupdate_fastd_keys.sh':
|
||||
ensure => file,
|
||||
mode => '0755',
|
||||
source => 'puppet:///modules/ff_gw/root/bin/autoupdate_fastd_keys.sh';
|
||||
'/usr/local/bin/check_gateway':
|
||||
ensure => file,
|
||||
mode => '0755',
|
||||
source => 'puppet:///modules/ff_gw/usr/local/bin/check_gateway';
|
||||
'/etc/network/interfaces':
|
||||
ensure => file,
|
||||
#
|
||||
content => inline_template('# managed by puppet
|
||||
|
||||
# The loopback network interface
|
||||
auto lo
|
||||
iface lo inet loopback
|
||||
|
||||
# The primary network interface
|
||||
allow-hotplug eth0
|
||||
iface eth0 inet dhcp
|
||||
|
||||
auto br-ffhh
|
||||
iface br-ffhh inet6 static
|
||||
bridge-ports none
|
||||
address <%= @gw_ipv6 %>
|
||||
netmask 64
|
||||
iface br-ffhh inet static
|
||||
address <%= @gw_ipv4 %>
|
||||
netmask 255.255.192.0
|
||||
|
||||
allow-hotplug bat0
|
||||
iface bat0 inet6 manual
|
||||
pre-up modprobe batman-adv
|
||||
pre-up batctl if add ffhh-mesh-vpn
|
||||
up ip link set $IFACE up
|
||||
post-up brctl addif br-ffhh $IFACE
|
||||
post-up batctl it 10000
|
||||
post-up /sbin/ip rule add from all fwmark 0x1 table 42
|
||||
pre-down brctl delif br-ffhh $IFACE || true
|
||||
down ip link set $IFACE down
|
||||
');
|
||||
}
|
||||
->
|
||||
vcsrepo { '/etc/fastd/ffhh-mesh-vpn/peers':
|
||||
ensure => present,
|
||||
provider => git,
|
||||
source => 'git@freifunk-gw01.hamburg.ccc.de:fastdkeys',
|
||||
}
|
||||
|
||||
cron {
|
||||
'autoupdate_fastd':
|
||||
command => '/root/bin/autoupdate_fastd_keys.sh',
|
||||
user => root,
|
||||
minute => '*/5';
|
||||
'check_gateway':
|
||||
command => '/usr/local/bin/check_gateway',
|
||||
user => root,
|
||||
minute => '*';
|
||||
}
|
||||
exec {
|
||||
'start_bridge_if':
|
||||
command => '/sbin/brctl addbr br-ffhh && /sbin/ifup br-ffhh',
|
||||
unless => '/sbin/ifconfig br-ffhh';
|
||||
'batman_mod':
|
||||
command => '/sbin/modprobe batman-adv',
|
||||
unless => '/sbin/lsmod | /bin/grep -q "^batman_adv"';
|
||||
}
|
||||
->
|
||||
service {
|
||||
'fastd':
|
||||
ensure => running,
|
||||
enable => true,
|
||||
}
|
||||
}
|
||||
|
||||
class ff_gw::dhcpd($gw_ipv4, $dhcprange_start, $dhcprange_end) {
|
||||
if ! is_ip_address($dhcprange_start)
|
||||
or ! is_ip_address($dhcprange_end)
|
||||
or ! is_ip_address($gw_ipv4) {
|
||||
fail('require gateway IP and DHCP range start/end')
|
||||
}
|
||||
|
||||
# this class uses way too much dependencies
|
||||
# -- but with all those exec resources we really want
|
||||
# to stop processing if anything goes wrong
|
||||
|
||||
package {
|
||||
'isc-dhcp-server':
|
||||
ensure => installed;
|
||||
}
|
||||
->
|
||||
file {
|
||||
'/etc/dhcp/dhcpd.conf':
|
||||
ensure => file,
|
||||
notify => Service['isc-dhcp-server'],
|
||||
content => template('ff_gw/etc/dhcp/dhcpd.conf.erb');
|
||||
}
|
||||
->
|
||||
user {
|
||||
'dhcpstatic':
|
||||
ensure => present,
|
||||
home => '/home/dhcpstatic';
|
||||
}
|
||||
->
|
||||
file {
|
||||
'/home/dhcpstatic':
|
||||
ensure => directory,
|
||||
owner => dhcpstatic;
|
||||
}
|
||||
->
|
||||
vcsrepo { '/home/dhcpstatic/dhcp-static':
|
||||
ensure => present,
|
||||
provider => git,
|
||||
user => 'dhcpstatic',
|
||||
source => 'https://github.com/freifunkhamburg/dhcp-static',
|
||||
}
|
||||
->
|
||||
exec {
|
||||
'updateStatics':
|
||||
command => '/home/dhcpstatic/dhcp-static/updateStatics.sh',
|
||||
creates => '/etc/dhcp/static.conf';
|
||||
}
|
||||
->
|
||||
cron {
|
||||
'update_statics':
|
||||
command => '/home/dhcpstatic/dhcp-static/updateStatics.sh',
|
||||
user => root,
|
||||
minute => '*/5';
|
||||
}
|
||||
->
|
||||
file {
|
||||
'/var/log/dhcpd.log':
|
||||
ensure => file,
|
||||
owner => 'root',
|
||||
group => 'adm',
|
||||
mode => '0600';
|
||||
'/etc/rsyslog.d/dhcpd.conf':
|
||||
ensure => file,
|
||||
notify => Service['rsyslog'],
|
||||
content => 'local7.warn /var/log/dhcpd.log';
|
||||
'/etc/default/isc-dhcpd':
|
||||
ensure => file,
|
||||
content => '# managed by puppet
|
||||
|
||||
#DHCPD_CONF=/etc/dhcp/dhcpd.conf
|
||||
#DHCPD_PID=/var/run/dhcpd.pid
|
||||
#OPTIONS=""
|
||||
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
|
||||
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
|
||||
INTERFACES="br-ffhh"
|
||||
';
|
||||
}
|
||||
->
|
||||
exec {
|
||||
'syslog_filter_l7':
|
||||
command => 'sed -i \'s:\*\.\*;auth,authpriv\.none:*.*;auth,authpriv.none;local7.none:\' /etc/rsyslog.conf',
|
||||
unless => 'grep -q \'authpriv.none;local7.none\' /etc/rsyslog.conf',
|
||||
path => ['/bin', '/usr/sbin'],
|
||||
notify => Service['rsyslog'];
|
||||
}
|
||||
->
|
||||
service {
|
||||
'rsyslog':
|
||||
ensure => running,
|
||||
enable => true,
|
||||
}
|
||||
->
|
||||
service {
|
||||
'isc-dhcp-server':
|
||||
ensure => running,
|
||||
enable => true,
|
||||
}
|
||||
}
|
||||
|
||||
class ff_gw::dnsmasq() {
|
||||
package {
|
||||
'dnsmasq':
|
||||
ensure => installed;
|
||||
}
|
||||
->
|
||||
user {
|
||||
'ffdnsmasq':
|
||||
ensure => present,
|
||||
home => '/home/ffdnsmasq',
|
||||
}
|
||||
->
|
||||
file {
|
||||
'/home/ffdnsmasq':
|
||||
ensure => directory,
|
||||
owner => 'ffdnsmasq',
|
||||
}
|
||||
->
|
||||
vcsrepo { '/home/ffdnsmasq/dnsmasq':
|
||||
ensure => present,
|
||||
provider => git,
|
||||
user => 'ffdnsmasq',
|
||||
source => 'https://github.com/freifunkhamburg/dnsmasq',
|
||||
}
|
||||
->
|
||||
exec {
|
||||
'updateDnsmasq':
|
||||
command => '/home/ffdnsmasq/dnsmasq/updateDnsmasq.sh',
|
||||
creates => '/etc/dnsmasq.d/rules';
|
||||
'fix_dnsmasq_init.d':
|
||||
command => 'sed -i -e \'s/^# Required-Start: \$network \$remote_fs \$syslog/# Required-Start: $network $remote_fs $syslog openvpn/\' /etc/init.d/dnsmasq',
|
||||
unless => 'grep \'^# Required-Start: $network $remote_fs $syslog openvpn$\' /etc/init.d/dnsmasq',
|
||||
path => ['/bin'],
|
||||
}
|
||||
->
|
||||
cron {
|
||||
'update_Dnsmasq':
|
||||
command => '/home/ffdnsmasq/dnsmasq/updateDnsmasq.sh',
|
||||
user => root,
|
||||
minute => '*/5';
|
||||
}
|
||||
->
|
||||
service {
|
||||
'dnsmasq':
|
||||
ensure => running,
|
||||
enable => true,
|
||||
require => Service['openvpn'],
|
||||
}
|
||||
}
|
||||
|
||||
class ff_gw::radvd($own_ipv6) {
|
||||
package {
|
||||
'radvd':
|
||||
ensure => installed;
|
||||
}
|
||||
->
|
||||
file {
|
||||
'/etc/radvd.conf':
|
||||
ensure => file,
|
||||
content => template('ff_gw/etc/radvd.conf.erb');
|
||||
}
|
||||
->
|
||||
service {
|
||||
'radvd':
|
||||
ensure => running,
|
||||
enable => true,
|
||||
}
|
||||
|
||||
augeas { 'enable_ip_forwarding':
|
||||
context => '/files/etc/sysctl.conf',
|
||||
changes => [
|
||||
'set net.ipv4.ip_forward 1',
|
||||
'set net.ipv6.conf.all.forwarding 1'
|
||||
],
|
||||
}
|
||||
~>
|
||||
exec {
|
||||
'sysctl':
|
||||
command => '/sbin/sysctl -p',
|
||||
# this gets notified to run only if /etc/sysctl.conf is changed:
|
||||
refreshonly => true;
|
||||
}
|
||||
}
|
||||
|
||||
class ff_gw::vpn($openvpn_version, $vpnname, $ca_crt, $usr_crt, $usr_key, $ensure = 'running') {
|
||||
package {
|
||||
'openvpn':
|
||||
ensure => $openvpn_version;
|
||||
}
|
||||
->
|
||||
file {
|
||||
"/etc/openvpn/${vpnname}":
|
||||
ensure => directory;
|
||||
"/etc/openvpn/${vpnname}/ca.crt":
|
||||
ensure => file,
|
||||
content => $ca_crt;
|
||||
"/etc/openvpn/${vpnname}/client.crt":
|
||||
ensure => file,
|
||||
content => $usr_crt;
|
||||
"/etc/openvpn/${vpnname}/client.key":
|
||||
ensure => file,
|
||||
mode => '0600',
|
||||
content => $usr_key;
|
||||
"/etc/openvpn/${vpnname}/mullvad-up":
|
||||
ensure => file,
|
||||
mode => '0755',
|
||||
content => '#!/bin/sh
|
||||
ip route replace 0.0.0.0/1 via $5 table 42
|
||||
ip route replace 128.0.0.0/1 via $5 table 42
|
||||
exit 0';
|
||||
"/etc/openvpn/${vpnname}.conf":
|
||||
ensure => file,
|
||||
source => "puppet:///modules/ff_gw/etc/openvpn/${vpnname}.conf";
|
||||
}
|
||||
~>
|
||||
service { 'openvpn':
|
||||
ensure => $ensure,
|
||||
enable => true,
|
||||
}
|
||||
~>
|
||||
exec { 'openvpn_sleep':
|
||||
# OpenVPN takes some time to set up the interface
|
||||
command => '/bin/sleep 5',
|
||||
refreshonly => true,
|
||||
}
|
||||
}
|
||||
|
||||
class ff_gw::iptables {
|
||||
package {
|
||||
'iptables-persistent':
|
||||
ensure => installed;
|
||||
}
|
||||
->
|
||||
file {
|
||||
'/etc/iptables/rules.v4':
|
||||
ensure => file,
|
||||
source => 'puppet:///modules/ff_gw/etc/iptables/rules.v4';
|
||||
'/etc/rc.local':
|
||||
ensure => file,
|
||||
content => '#!/bin/sh -e
|
||||
# managed by puppet
|
||||
#
|
||||
# rc.local
|
||||
#
|
||||
# This script is executed at the end of each multiuser runlevel.
|
||||
# Make sure that the script will "exit 0" on success or any other
|
||||
# value on error.
|
||||
#
|
||||
# In order to enable or disable this script just change the execution
|
||||
# bits.
|
||||
#
|
||||
# By default this script does nothing.
|
||||
|
||||
/sbin/ip route add unreachable default table 42
|
||||
/sbin/ip rule add from all fwmark 0x1 table 42
|
||||
exit 0';
|
||||
}
|
||||
~>
|
||||
service {
|
||||
'iptables-persistent':
|
||||
ensure => running,
|
||||
enable => true,
|
||||
}
|
||||
}
|
||||
|
||||
class ff_gw::bird($own_ipv4, $own_ipv6, $peerings_v4, $peerings_v6, $version = 'present') {
|
||||
package {
|
||||
'bird6':
|
||||
ensure => $version,
|
||||
}
|
||||
->
|
||||
file {
|
||||
'/etc/bird6.conf':
|
||||
ensure => file,
|
||||
content => template('ff_gw/etc/bird6.conf.erb');
|
||||
}
|
||||
~>
|
||||
service {
|
||||
'bird6':
|
||||
ensure => running,
|
||||
enable => true,
|
||||
require => Service['openvpn'],
|
||||
}
|
||||
|
||||
|
||||
package {
|
||||
'bird':
|
||||
ensure => $version,
|
||||
}
|
||||
->
|
||||
file {
|
||||
'/etc/bird.conf':
|
||||
ensure => file,
|
||||
content => template('ff_gw/etc/bird.conf.erb');
|
||||
}
|
||||
~>
|
||||
service {
|
||||
'bird':
|
||||
ensure => running,
|
||||
enable => true,
|
||||
require => Service['openvpn'],
|
||||
}
|
||||
}
|
136
manifests/sysadmin.pp
Normal file
136
manifests/sysadmin.pp
Normal file
|
@ -0,0 +1,136 @@
|
|||
# kitchen sink class for various small settings
|
||||
class ff_gw::sysadmin {
|
||||
|
||||
# use Hiera as a Puppet data source
|
||||
file {
|
||||
'/etc/puppet/hiera.yaml':
|
||||
# content from git repo, not from puppet
|
||||
ensure => file;
|
||||
'/etc/hiera.yaml':
|
||||
ensure => link,
|
||||
target => '/etc/puppet/hiera.yaml';
|
||||
}
|
||||
|
||||
# use backports repo
|
||||
apt::source { 'wheezy-backports':
|
||||
location => 'http://ftp.de.debian.org/debian/',
|
||||
release => 'wheezy-backports',
|
||||
repos => 'main',
|
||||
}
|
||||
# some more packages
|
||||
package {
|
||||
['vim-nox', 'git', 'etckeeper', 'pv', 'curl', 'atop',
|
||||
'screen', 'tcpdump', 'rsync', 'file']:
|
||||
ensure => installed,
|
||||
}
|
||||
|
||||
# Sudo
|
||||
include sudo
|
||||
sudo::conf { 'admins':
|
||||
priority => 10,
|
||||
content => '%sudo ALL=(ALL) NOPASSWD: ALL',
|
||||
}
|
||||
|
||||
# sshd
|
||||
augeas { 'harden_sshd':
|
||||
context => '/files/etc/ssh/sshd_config',
|
||||
changes => [
|
||||
'set PermitRootLogin no',
|
||||
'set PasswordAuthentication no',
|
||||
'set PubkeyAuthentication yes'
|
||||
],
|
||||
}
|
||||
~>
|
||||
service { 'ssh':
|
||||
ensure => running,
|
||||
enable => true,
|
||||
}
|
||||
|
||||
# zabbix
|
||||
apt::source { 'zabbix':
|
||||
location => 'http://repo.zabbix.com/zabbix/2.2/debian',
|
||||
release => 'wheezy',
|
||||
repos => 'main',
|
||||
key => '79EA5ED4',
|
||||
key_server => 'pgpkeys.mit.edu',
|
||||
}
|
||||
->
|
||||
package { 'zabbix-agent':
|
||||
ensure => latest;
|
||||
}
|
||||
->
|
||||
file { '/etc/zabbix/zabbix_agentd.d/argos_monitoring.conf':
|
||||
ensure => file,
|
||||
content => "# managed by puppet
|
||||
Server=argos.mschuette.name
|
||||
HostnameItem=${::hostname}
|
||||
";
|
||||
}
|
||||
~>
|
||||
service { 'zabbix-agent':
|
||||
ensure => running,
|
||||
enable => true,
|
||||
}
|
||||
|
||||
# munin
|
||||
package {
|
||||
[ 'munin-node', 'vnstat' ]:
|
||||
ensure => installed,
|
||||
}
|
||||
->
|
||||
file {
|
||||
'/etc/munin/munin-node.conf':
|
||||
ensure => file,
|
||||
# mostly Debin pkg default
|
||||
content => inline_template('# managed by puppet
|
||||
log_level 4
|
||||
log_file /var/log/munin/munin-node.log
|
||||
pid_file /var/run/munin/munin-node.pid
|
||||
|
||||
background 1
|
||||
setsid 1
|
||||
|
||||
user root
|
||||
group root
|
||||
|
||||
# Regexps for files to ignore
|
||||
ignore_file [\#~]$
|
||||
ignore_file DEADJOE$
|
||||
ignore_file \.bak$
|
||||
ignore_file %$
|
||||
ignore_file \.dpkg-(tmp|new|old|dist)$
|
||||
ignore_file \.rpm(save|new)$
|
||||
ignore_file \.pod$
|
||||
|
||||
port 4949
|
||||
|
||||
host_name <%= @fqdn %>
|
||||
cidr_allow 78.47.49.236/32
|
||||
host <%= @ipaddress_eth0 %>
|
||||
');
|
||||
'/usr/share/munin/plugins/vnstat_':
|
||||
ensure => file,
|
||||
mode => '0755',
|
||||
source => 'puppet:///modules/ff_gw/usr/share/munin/plugins/vnstat_';
|
||||
'/etc/munin/plugins/vnstat_eth0_monthly_rxtx':
|
||||
ensure => link,
|
||||
target => '/usr/share/munin/plugins/vnstat_';
|
||||
'/usr/share/munin/plugins/udp-statistics':
|
||||
ensure => file,
|
||||
mode => '0755',
|
||||
source => 'puppet:///modules/ff_gw/usr/share/munin/plugins/udp-statistics';
|
||||
'/etc/munin/plugins/udp-statistics':
|
||||
ensure => link,
|
||||
target => '/usr/share/munin/plugins/udp-statistics';
|
||||
# TODO: delete not needed plugins
|
||||
'/etc/munin/plugin-conf.d/vnstat':
|
||||
ensure => file,
|
||||
content => '[vnstat_eth0_monthly_rxtx]
|
||||
env.estimate 1';
|
||||
}
|
||||
~>
|
||||
service { 'munin-node':
|
||||
ensure => running,
|
||||
enable => true;
|
||||
}
|
||||
}
|
143
templates/etc/bird.conf.erb
Normal file
143
templates/etc/bird.conf.erb
Normal file
|
@ -0,0 +1,143 @@
|
|||
router id <%= @own_ipv4 %>;
|
||||
|
||||
table ffhh; # BGP Peerings
|
||||
table ibgp;
|
||||
table icvpn; # BGP Peerings (ICVPN)
|
||||
table freifunk; # Kernel table 42 (Routing from Freifunk networks)
|
||||
|
||||
function is_freifunk_dn42() {
|
||||
return (net ~ [
|
||||
10.0.0.0/8{12,32},
|
||||
10.100.0.0/14,
|
||||
172.22.0.0/15+,
|
||||
172.31.0.0/16
|
||||
]);
|
||||
}
|
||||
|
||||
function is_freifunk() {
|
||||
return (net ~ [10.0.0.0/8+]);
|
||||
}
|
||||
|
||||
function is_chaosvpn() {
|
||||
return (net ~ [172.31.0.0/16+]);
|
||||
}
|
||||
|
||||
function is_self_net() {
|
||||
return (net ~ [10.112.0.0/16+]);
|
||||
}
|
||||
|
||||
function is_self() {
|
||||
return (proto = "static_ffhh");
|
||||
}
|
||||
|
||||
function is_dn42_aggregate() {
|
||||
return (net ~ [172.22.0.0/15{16,32}]);
|
||||
}
|
||||
|
||||
filter ffhh_internal_export {
|
||||
if (proto = "dn42_aggregate_ffhh" || proto = "local_ffhh") then accept;
|
||||
if (source != RTS_BGP && proto != "pipe_icvpn") then reject;
|
||||
if (proto ~ "bgp_ibgp_*") then reject;
|
||||
if (is_dn42_aggregate()) then reject;
|
||||
accept;
|
||||
}
|
||||
|
||||
|
||||
protocol pipe pipe_ffhh {
|
||||
peer table ffhh;
|
||||
import all;
|
||||
export none;
|
||||
};
|
||||
|
||||
protocol pipe pipe_icvpn {
|
||||
table ffhh;
|
||||
peer table icvpn;
|
||||
export where is_self();
|
||||
import all;
|
||||
mode opaque;
|
||||
};
|
||||
|
||||
protocol pipe pipe_freifunk {
|
||||
peer table freifunk;
|
||||
import none;
|
||||
export all;
|
||||
};
|
||||
|
||||
protocol pipe pipe_ibgp {
|
||||
peer table ibgp;
|
||||
import all;
|
||||
export where !is_self_net();
|
||||
mode opaque;
|
||||
};
|
||||
|
||||
protocol kernel kernel_master {
|
||||
scan time 20;
|
||||
import none;
|
||||
export filter {
|
||||
krt_prefsrc = <%= @own_ipv4 %>;
|
||||
accept;
|
||||
};
|
||||
};
|
||||
|
||||
protocol kernel kernel_freifunk {
|
||||
scan time 20;
|
||||
import none;
|
||||
export filter {
|
||||
krt_prefsrc = <%= @own_ipv4 %>;
|
||||
accept;
|
||||
};
|
||||
table freifunk;
|
||||
device routes;
|
||||
kernel table 42;
|
||||
};
|
||||
|
||||
# This pseudo-protocol watches all interface up/down events.
|
||||
protocol device {
|
||||
scan time 10; # Scan interfaces every 10 seconds
|
||||
};
|
||||
|
||||
protocol static unreachable_default {
|
||||
table freifunk;
|
||||
route 0.0.0.0/0 reject;
|
||||
};
|
||||
|
||||
protocol static static_ffhh {
|
||||
table ffhh;
|
||||
route 10.112.0.0/16 reject;
|
||||
};
|
||||
|
||||
protocol static local_ffhh {
|
||||
table ffhh;
|
||||
route 10.112.0.0/18 via "freifunk";
|
||||
};
|
||||
|
||||
protocol static dn42_aggregate_ffhh {
|
||||
table ffhh;
|
||||
route 172.22.0.0/15 reject;
|
||||
};
|
||||
|
||||
|
||||
template bgp bgp_ibgp {
|
||||
local as 65112;
|
||||
table ibgp;
|
||||
import filter {
|
||||
preference = 99;
|
||||
accept;
|
||||
};
|
||||
export all;
|
||||
gateway direct;
|
||||
next hop self;
|
||||
};
|
||||
|
||||
template bgp bgp_icvpn {
|
||||
local as 65112;
|
||||
table icvpn;
|
||||
import where (is_freifunk_dn42() && !is_self_net());
|
||||
export all;
|
||||
};
|
||||
|
||||
<% @peerings_v4.each_pair do |key, hash| -%><% if hash["ip"] != @own_ipv4 -%>
|
||||
protocol bgp <%= key %> from <%= hash["template"] %> {
|
||||
neighbor <%= hash["ip"] %> as <%= hash["as"] %>;
|
||||
};
|
||||
<% end -%><% end -%>
|
79
templates/etc/bird6.conf.erb
Normal file
79
templates/etc/bird6.conf.erb
Normal file
|
@ -0,0 +1,79 @@
|
|||
# managed by puppet
|
||||
#
|
||||
# the ff ip of the gateway
|
||||
router id <%= @own_ipv4 %>;
|
||||
|
||||
# routing tables
|
||||
table ffhh;
|
||||
|
||||
# filter to check ulas
|
||||
function is_ula() {
|
||||
return (net ~ [ fc00::/7{48,64} ]);
|
||||
}
|
||||
|
||||
function is_self() {
|
||||
return (proto = "static_ffhh");
|
||||
}
|
||||
|
||||
filter ffhh_internal_export {
|
||||
if (proto = "local_ffhh") then accept;
|
||||
if (source != RTS_BGP) then reject;
|
||||
if (is_ula() && proto != "static_ffhh") then accept;
|
||||
else reject;
|
||||
}
|
||||
|
||||
# don't use kernel's routes for bird, but export bird's routes to kernel
|
||||
protocol kernel {
|
||||
scan time 20; # Scan kernel routing table every 20 seconds
|
||||
import none; # Default is import all
|
||||
export all;
|
||||
}
|
||||
|
||||
# This pseudo-protocol watches all interface up/down events.
|
||||
protocol device {
|
||||
scan time 10; # Scan interfaces every 10 seconds
|
||||
}
|
||||
|
||||
# define our routes
|
||||
protocol static static_ffhh {
|
||||
table ffhh;
|
||||
# reject route if announced from external
|
||||
route fd51:2bb2:fd0d::/48 reject;
|
||||
};
|
||||
|
||||
protocol static local_ffhh {
|
||||
table ffhh;
|
||||
route fd51:2bb2:fd0d::/64 via "br-ffhh";
|
||||
};
|
||||
|
||||
protocol pipe pipe_ffhh {
|
||||
peer table ffhh;
|
||||
import all;
|
||||
export none;
|
||||
};
|
||||
|
||||
# template for internal routing
|
||||
template bgp bgp_ibgp {
|
||||
table ffhh;
|
||||
local as 65112;
|
||||
source address <%= @own_ipv6 %>;
|
||||
import all;
|
||||
export where source = RTS_BGP;
|
||||
gateway direct;
|
||||
next hop self;
|
||||
};
|
||||
|
||||
# icvpn template for hamburg03
|
||||
template bgp bgp_icvpn {
|
||||
local as 65112;
|
||||
source address <%= @own_ipv6 %>;
|
||||
table ffhh;
|
||||
import where is_ula();
|
||||
export where is_self() || (source = RTS_BGP);
|
||||
};
|
||||
|
||||
<% @peerings_v6.each_pair do |key, hash| -%><% if hash["ip"] != @own_ipv6 -%>
|
||||
protocol bgp <%= key %> from <%= hash["template"] %> {
|
||||
neighbor <%= hash["ip"] %> as <%= hash["as"] %>;
|
||||
};
|
||||
<% end -%><% end -%>
|
25
templates/etc/dhcp/dhcpd.conf.erb
Normal file
25
templates/etc/dhcp/dhcpd.conf.erb
Normal file
|
@ -0,0 +1,25 @@
|
|||
# The ddns-updates-style parameter controls whether or not the server will
|
||||
# attempt to do a DNS update when a lease is confirmed. We default to the
|
||||
# behavior of the version 2 packages ('none', since DHCP v2 didn't
|
||||
# have support for DDNS.)
|
||||
ddns-update-style none;
|
||||
|
||||
# option definitions common to all supported networks...
|
||||
option domain-name ".ffhh";
|
||||
|
||||
default-lease-time 600;
|
||||
max-lease-time 3600;
|
||||
|
||||
log-facility local7;
|
||||
|
||||
subnet 10.112.0.0 netmask 255.255.192.0 {
|
||||
authoritative;
|
||||
range <%= @dhcprange_start %> <%= @dhcprange_end %>;
|
||||
|
||||
# DNS: srv01 (10.112.1.1) & gw01 (10.112.14.1)
|
||||
option domain-name-servers 10.112.1.1, 10.112.14.1;
|
||||
option routers <%= @gw_ipv4 %>;
|
||||
}
|
||||
|
||||
include "/etc/dhcp/static.conf";
|
||||
|
16
templates/etc/fastd/ffhh-mesh-vpn/fastd.conf.erb
Normal file
16
templates/etc/fastd/ffhh-mesh-vpn/fastd.conf.erb
Normal file
|
@ -0,0 +1,16 @@
|
|||
# managed by puppet -- editing is futile
|
||||
|
||||
log to syslog level info;
|
||||
interface "ffhh-mesh-vpn";
|
||||
method "salsa2012+gmac"; # new method, between gateways for the moment (faster)
|
||||
method "xsalsa20-poly1305"; # old method
|
||||
bind 0.0.0.0:10000;
|
||||
hide ip addresses yes;
|
||||
hide mac addresses yes;
|
||||
include "secret.conf";
|
||||
mtu 1426; # 1492 - IPv4 Header - fastd Header...
|
||||
include peers from "peers";
|
||||
on up "
|
||||
ifup bat0
|
||||
ip link set address <%= @mesh_mac %> up dev $INTERFACE
|
||||
";
|
15
templates/etc/radvd.conf.erb
Normal file
15
templates/etc/radvd.conf.erb
Normal file
|
@ -0,0 +1,15 @@
|
|||
# managed by puppet
|
||||
interface br-ffhh
|
||||
{
|
||||
AdvSendAdvert on;
|
||||
|
||||
MaxRtrAdvInterval 200;
|
||||
|
||||
prefix fd51:2bb2:fd0d::/64 {
|
||||
};
|
||||
|
||||
RDNSS <%= @own_ipv6 %> {
|
||||
};
|
||||
};
|
||||
|
||||
# vim: noai:ts=4:sw=4:ff=unix:ft=text:fdm=marker
|
Loading…
Reference in a new issue