Support debian-10 gateways, Add new gw01

README.md

@@ -0,0 +1,6 @@
+# Pjodd Ansible repo
+Tested with ansible version 2.10.5.
+
+## How to setup new gateway
+Setup a Debian 10 machine. Then run: `ansible-playbook -i hosts --limit gw00 ./setup-gateway.yml`
+

group_vars/dc-hel.yml

@@ -0,0 +1,17 @@
+---
+# file: group_vars/dc-hel.yml
+# VM on private server provided by friend of Robert
+
+outernet:
+  inet:
+    gw: 95.216.239.97
+    netmask: 255.255.255.224
+    subnet: 95.216.239
+    cidr: 27
+    dns: 46.246.46.246 194.132.32.32
+
+  inet6:
+    gw: "fe80::1"
+    subnet: "fe80::"
+    cidr: 64
+    dns: "2001:67C:1350:DEAD:BEEF::246 2C0F:F930:DEAD:BEEF::32"

group_vars/gateways.yml

@@ -11,6 +11,8 @@ pjoddnet:
   gw:
     1:
       range: "10.46.64.1 - 10.46.95.254"
+      dns: 46.246.46.246 194.132.32.32
+      bw: "128Mbit/128Mbit"
     2:
       range: "10.46.96.1 - 10.46.127.254"
     3:
@@ -38,15 +40,16 @@ gateway_packages:
   - iptables-persistent
   - net-tools
   - iftop
-  - tcpdump
-  - ifupdown2
-  - kea-dhcp4-server
-  - kea-dhcp6-server
   - radvd
   - unbound
   - ldnsutils
   - nsd
 
+# This is a hack. kea-dhcp-server is not available in debian 10, only debian 9.
+gateway_packages_kea:
+  - kea-dhcp4-server
+  - kea-dhcp6-server
+
 gateway_users:
   - omni
   - quite

hosts

@@ -1,18 +1,22 @@
 # Define hosts
-gw05=198.167.222.5
-gw06=198.167.222.6
-fwalpine=198.167.222.7
-builder=198.167.222.9
-simsek=simsek.pjodd.se
+
+gw01 gateway_number=1 ssh_port=7722 ansible_host=95.216.239.120
+gw05 gateway_number=5 ssh_port=5522 ansible_host=198.167.222.5
+gw06 gateway_number=6 ssh_port=6622 ansible_host=198.167.222.6
+fwalpine ansible_host=198.167.222.7
+builder ssh_port=9922 ansible_host=198.167.222.9
+simsek ansible_host=simsek.pjodd.se
 
 [gateways]
-gw05 gateway_number=5 ssh_port=5522
-gw06 gateway_number=6 ssh_port=6622
+gw01
+gw05
+gw06
 
 [builders]
-builder ssh_port=9922
+builder 
 
 [debians]
+gw01
 gw05
 gw06
 builder
@@ -27,5 +31,8 @@ gw05
 gw06
 builder
 
+[dc-hel]
+gw01
+
 [web]
 simsek ansible_user=root ansible_python_interpreter=/usr/bin/python3

roles/gateway/files/install_kea_dhcp_server.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# Instructions from https://kb.isc.org/docs/kea-build-on-debian
+
+# install the build environment
+sudo apt -y install automake libtool pkg-config build-essential ccache
+# install the dependancies
+sudo apt -y install libboost-dev libboost-system-dev liblog4cplus-dev libssl-dev
+
+wget https://ftp.isc.org/isc/kea/1.5.0/kea-1.5.0.tar.gz
+tar xvfz kea-1.5.0.tar.gz
+cd kea-1.5.0
+
+export PKG_CONFIG_PATH=/usr/local/lib64/pkgconfig
+# export CC="ccache gcc" CXX="ccache g++"
+declare -x PATH="/usr/lib64/ccache:$PATH"
+autoreconf --install
+./configure [your additional options here]
+make -j4
+sudo make install
+echo "/usr/local/lib/hooks" > /etc/ld.so.conf.d/kea.conf
+ldconfig
+

roles/gateway/files/kea_dhcp_server_pinned.pref

@@ -0,0 +1,3 @@
+Package: *
+Pin: release o=Debian,a=oldstable,n=stretch
+Pin-Priority: 50

roles/gateway/handlers/main.yml

@@ -13,9 +13,10 @@
   shell: ip6tables-save > /etc/iptables/rules.v6
   listen: "save iptables"
 
-- name: run ifreload
-  command: ifreload -a
-  listen: "ifreload"
+- name: reload networking
+  service:
+    name: network
+    state: reloaded
 
 - name: restart fastd
   service:

roles/gateway/tasks/batman.yml

@@ -21,4 +21,4 @@
     owner: root
     group: root
     mode: 0644
-  notify: ifreload
+  notify: reload networking

roles/gateway/tasks/dns.yml

@@ -1,6 +1,7 @@
 ---
 # file: roles/gateway/tasks/dns.yml
 
+
 - name: unbound.conf
   template:
     src: 'unbound.conf.j2'
@@ -18,6 +19,13 @@
     group: root
     mode: 0644
 
+- name: Disable nsd on Hetzner hosts
+  ansible.builtin.service:
+    name: nsd
+    enabled: no 
+    state: stopped
+  when: provider is defined and provider == "hetzner"
+
 - name: unbound enabled & started
   service:
     name: unbound

roles/gateway/tasks/interfaces.yml

@@ -1,11 +1,24 @@
 ---
 # file: roles/gateway/tasks/interfaces.yml
 
+- name: Disable Hetzner cloud config
+  copy:
+    content: "network: {config: disabled}"
+    dest: /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg
+    force: yes
+  when: provider is defined and provider == "hetzner"
+
+- name: Delete Hetzner cloud config as well
+  file:
+    name: /etc/network/interfaces.d/50-cloud-init
+    state: absent
+  when: provider is defined and provider == "hetzner"
+
 - name: Template /etc/network/interfaces
   template:
     src: 'interfaces.j2'
     dest: '/etc/network/interfaces'
     owner: root
     group: root
     mode: 0644
-  notify: ifreload
+  notify: reload networking

roles/gateway/tasks/main.yml

@@ -4,6 +4,11 @@
 - import_tasks: packages.yml
 - import_tasks: interfaces.yml
 - import_tasks: firewall.yml
+
+- name: Reboot machine to enable network changes
+  reboot:
+  when: provider == "hetzner"
+
 - import_tasks: fastd.yml
 - import_tasks: batman.yml
 - import_tasks: dns.yml

roles/gateway/tasks/packages.yml

@@ -1,18 +1,40 @@
 ---
 # file: roles/gateway/tasks/packages.yml
 
-- name: Setup Debian Backports repo
-  apt_repository:
-    repo: deb http://ftp.se.debian.org/debian/ stretch-backports main
+# Not required for debian 10
+#- name: Setup Debian Backports repo
+#  apt_repository:
+#    repo: deb http://ftp.se.debian.org/debian/ stretch-backports main
+#    state: present
+
+#- name: Setup Debian Backports repo
+#  apt_repository:
+#    repo: deb http://ftp.se.debian.org/debian/ stretch-backports main
+#    state: present
+
+# TODO: switch to another dhcp server
+- name: Setup debian 9 repo (for kea-dhcp-server)
+  ansible.builtin.apt_repository:
+    repo: deb http://deb.debian.org/debian stretch main contrib non-free
     state: present
 
+- name: Set debian 9 repo to lower prio
+  copy:
+    src: files/kea_dhcp_server_pinned.pref
+    dest: /etc/apt/preferences.d/
+
 - name: Update installed packages
   apt:
     upgrade: dist
     update-cache: yes
 
 - name: Install packages
   apt:
-    pkg: "{{ item }}"
+    pkg: "{{ gateway_packages }}"
     state: latest
-  with_items: "{{ gateway_packages }}"
+
+# kea-dhcp-server is not available in debian 10
+- name: Install kea-dhcp-server
+  apt:
+    pkg: "{{ gateway_packages_kea }}"
+    state: latest

roles/gateway/templates/interfaces.j2

@@ -12,8 +12,15 @@ iface lo inet loopback
 # The primary network interface
 auto eth0
 iface eth0 inet static
+{% if outernet.inet.address is defined %}
+  address {{ outernet.inet.address }}/{{ outernet.inet.cidr }}
+{% else %}
   address {{ outernet.inet.subnet }}.{{ gateway_number }}/{{ outernet.inet.cidr }}
+{% endif %}
   gateway {{ outernet.inet.gw }}
+{% if outernet.inet.pointtopoint is defined %}
+  pointtopoint {{ outernet.inet.pointtopoint }}
+{% endif %}
   # dns-* options are implemented by the resolvconf package, if installed
   dns-nameservers {{ outernet.inet.dns }}
   dns-search pjodd.se