accesspoint role config almost done now
authorChristian Pointner <equinox@realraum.at>
Sat, 24 Nov 2018 22:56:33 +0000 (23:56 +0100)
committernicoo <nicoo@realraum.at>
Mon, 26 Nov 2018 21:23:59 +0000 (22:23 +0100)
ansible/group_vars/accesspoints/main.yml
ansible/group_vars/openwrt/main.yml
ansible/hosts.ini
ansible/roles/openwrt-image/README.md
ansible/roles/openwrt-image/openwrt-keyring.gpg

index 7992383..480ccaa 100644 (file)
@@ -1,4 +1,139 @@
 ---
+accesspoint_wifi_channels:
+  2.4g:
+    ap0: 3
+    ap1: 8
+    ap2: 13
+  5g:
+    ap0: 36
+    ap1: 48
+    ap2: 40
+
+accesspoint_zones:
+  iot:
+    ssid: "realstuff"
+    encryption: "psk2"
+    key: "this-should-come-from-vault"
+  guests:
+    ssid: "realraum"
+    encryption: "psk2"
+    key: "same-here"
+  members:
+    ssid: "r3members"
+    encryption: "psk2"
+    key: "this-will-probably-use-radius-and-not-even-have-a-key"
+
+
+
+accesspoint_wired_interface: eth0
+accesspoint_wireless_device_paths:
+  2.4g: "platform/qca956x_wmac"
+  5g: "pci0000:00/0000:00:00.0"
+
+accesspoint_network_base:
+  - name: globals 'globals'
+    options:
+      ula_prefix: "fc{{ '%02x:%04x:%04x' | format((255 | random(seed=inventory_hostname + '0')), (65535 | random(seed=inventory_hostname + '1')), (65535 | random(seed=inventory_hostname + '2'))) }}::/48"
+
+  - name: interface 'loopback'
+    options:
+      ifname: lo
+      proto: static
+      ipaddr: 127.0.0.1
+      netmask: 255.0.0.0
+
+  - name: interface 'raw'
+    options:
+      ifname: "{{ accesspoint_wired_interface }}"
+      proto: none
+      accept_ra: 0
+
+  - name: interface 'mgmt'
+    options:
+      type: bridge
+      ifname: "{{ accesspoint_wired_interface }}.{{ net.mgmt.vlan }}"
+      accept_ra: 0
+      proto: static
+      ipaddr: "{{ net.mgmt.prefix | ipaddr(net.mgmt.offsets.accesspoints + groups.accesspoints.index(inventory_hostname)) | ipaddr('address') }}"
+      netmask: "{{ net.mgmt.prefix | ipaddr('netmask') }}"
+      gateway: "{{ net.mgmt.gw }}"
+      dns: "{{ net.mgmt.dns | join(' ') }}"
+      dns_search: realraum.at
+
+accesspoint_network_zones: []
+# accesspoint_network_zone_template:
+#   - name: interface '{{ item }}'
+#     options:
+#       type: bridge
+#       ifname: "{{ accesspoint_wired_interface }}.{{ net[item].vlan }}"
+#       accept_ra: 0
+#       proto: none
+
+
+
+accesspoint_wireless_devices:
+  - name: wifi-device 'radio5'
+    options:
+      type: 'mac80211'
+      channel: "{{ accesspoint_wifi_channels['5g'][inventory_hostname] }}"
+      hwmode: '11a'
+      country: AT
+      path: "{{ accesspoint_wireless_device_paths['5g'] }}"
+      htmode: 'VHT80'
+
+  - name: wifi-device 'radio24'
+    options:
+      type: 'mac80211'
+      channel: "{{ accesspoint_wifi_channels['2.4g'][inventory_hostname] }}"
+      hwmode: '11g'
+      country: AT
+      path: "{{ accesspoint_wireless_device_paths['2.4g'] }}"
+      htmode: 'HT20'
+
+accesspoint_wireless_ifaces: []
+# accesspoint_wireless_iface_template:
+#   - name: wifi-iface '{{ item }}24s'
+#     options:
+#       device: 'radio24'
+#       network: '{{ item }}'
+#       mode: 'ap'
+#       ssid: '{{ accesspoint_zones[item].ssid }}24'
+#       encryption: '{{ accesspoint_zones[item].encryption }}'
+#       key: '{{ accesspoint_zones[item].key }}'
+
+#   - name: wifi-iface '{{ item }}5s'
+#     options:
+#       device: 'radio5'
+#       network: '{{ item }}'
+#       mode: 'ap'
+#       ssid: '{{ accesspoint_zones[item].ssid }}5'
+#       encryption: '{{ accesspoint_zones[item].encryption }}'
+#       key: '{{ accesspoint_zones[item].key }}'
+
+#   - name: wifi-iface '{{ item }}24'
+#     options:
+#       device: 'radio24'
+#       network: '{{ item }}'
+#       mode: 'ap'
+#       ssid: '{{ accesspoint_zones[item].ssid }}'
+#       encryption: '{{ accesspoint_zones[item].encryption }}'
+#       key: '{{ accesspoint_zones[item].key }}'
+
+#   - name: wifi-iface '{{ item }}5'
+#     options:
+#       device: 'radio5'
+#       network: '{{ item }}'
+#       mode: 'ap'
+#       ssid: '{{ accesspoint_zones[item].ssid }}'
+#       encryption: '{{ accesspoint_zones[item].encryption }}'
+#       key: '{{ accesspoint_zones[item].key }}'
+
+
+
+
+
+openwrt_variant: openwrt
+openwrt_release: 18.06.1
 openwrt_arch: ar71xx
 openwrt_target: generic
 openwrt_profile: ubnt-unifiac-lite
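Review bot: The per-zone pre-shared keys under `accesspoint_zones` (the `key:` lines for iot, guests and members) are plain strings in a committed group_vars file; the placeholder text says they should come from vault, but the commit does not wire that up, so a real key pasted in later would land in git history. Keep the zone structure reviewable but point each key at a vault-only variable, e.g. `key: "{{ vault_accesspoint_zone_key_iot }}"` (placeholder name, to be defined in an encrypted vars file). Separately, `ula_prefix` is built as `fc{{ ... }}::/48`; RFC 4193 reserves fc00::/8 and locally assigned ULAs live in fd00::/8, so the generated prefix should start with `fd` (the replaced hard-coded fdc9:e01f:83db::/48 was in the right range). Less certain: with `htmode: 'VHT80'` on radio5, channels 36, 40 and 48 all fall in the same 80 MHz block, so the three 5g entries in accesspoint_wifi_channels do not separate the APs the way the 2.4g entries do — likely deliberate if DFS channels are to be avoided, but a comment saying so would help.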
@@ -6,12 +141,54 @@ openwrt_output_image_suffixes:
   - "generic-{{ openwrt_profile }}-squashfs-sysupgrade.bin"
 
 openwrt_mixin:
+  /etc/sysctl.conf:
+    content: |
+      # Defaults are configured in /etc/sysctl.d/* and can be customized in this file
+      #
+      # disable IP forwarding, we don't need it since we are
+      # only an AP that bridges VLANs to Wifi SSIDs
+      net.ipv4.conf.default.forwarding=0
+      net.ipv4.conf.all.forwarding=0
+      net.ipv4.ip_forward=0
+      net.ipv6.conf.default.forwarding=0
+      net.ipv6.conf.all.forwarding=0
+
   /etc/dropbear/authorized_keys:
     content: |-
       {% for key in noc_ssh_keys %}
       {{ key }}
       {% endfor %}
 
+  /root/.config/htop/htoprc:
+    content: |
+      # Beware! This file is rewritten by htop when settings are changed in the interface.
+      # The parser is also very primitive, and not human-friendly.
+      fields=0 48 17 18 38 39 40 2 46 47 49 1
+      sort_key=46
+      sort_direction=1
+      hide_threads=0
+      hide_kernel_threads=1
+      hide_userland_threads=0
+      shadow_other_users=0
+      show_thread_names=0
+      show_program_path=1
+      highlight_base_name=1
+      highlight_megabytes=1
+      highlight_threads=1
+      tree_view=1
+      header_margin=1
+      detailed_cpu_time=0
+      cpu_count_from_zero=0
+      update_process_names=0
+      account_guest_in_cpu_meter=0
+      color_scheme=0
+      delay=15
+      left_meters=AllCPUs Memory Swap
+      left_meter_modes=1 1 1
+      right_meters=Tasks LoadAverage Uptime
+      right_meter_modes=2 2 2
+
+
 openwrt_uci:
   system:
     - name: system
@@ -32,40 +209,12 @@ openwrt_uci:
           - '2.lede.pool.ntp.org'
           - '3.lede.pool.ntp.org'
 
-  network:
-    - name: globals 'globals'
-      options:
-        ula_prefix: fdc9:e01f:83db::/48
-
-    - name: interface 'loopback'
+  dropbear:
+    - name: dropbear
       options:
-        ifname: lo
-        proto: static
-        ipaddr: 127.0.0.1
-        netmask: 255.0.0.0
+        PasswordAuth: 'off'
+        RootPasswordAuth: 'off'
+        Port: '22000'
 
-    - name: interface 'mgmt'
-      options:
-        type: bridge
-        ifname: "eth0.{{ net.mgmt.vlan }}"
-        accept_ra: 0
-        proto: static
-        ipaddr: "{{ net.mgmt.prefix | ipaddr(net.mgmt.offsets.accesspoints + groups.accesspoints.index(inventory_hostname)) | ipaddr('address') }}"
-        netmask: "{{ net.mgmt.prefix | ipaddr('netmask') }}"
-        gateway: "{{ net.mgmt.gw }}"
-        dns: "{{ net.mgmt.dns | join(' ') }}"
-        dns_search: realraum.at
-
-    - name: interface 'iot'
-      options:
-        type: bridge
-        ifname: "eth0.{{ net.iot.vlan }}"
-        accept_ra: 0
-        proto: none
-
-    - name: interface 'lan'
-      options:
-        type: bridge
-        ifname: "eth0.{{ net.lan.vlan }}"
-        accept_ra: 0
-        proto: none
+  network: "{{ accesspoint_network_base + accesspoint_network_zones }}"
+  wireless: "{{ accesspoint_wireless_devices + accesspoint_wireless_ifaces }}"
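Review bot: The new dropbear section disables password logins and moves SSH to port 22000, but it does not bind the listener to the management network, and with the `firewall` package in openwrt_packages_remove there is no packet filter limiting where sshd answers. Adding `Interface: 'mgmt'` to the dropbear options restricts it to the mgmt bridge, which is the only interface given an address in accesspoint_network_base; the zone bridges are proto none today, so this costs nothing now and stays correct if one of them ever gets an address. Also worth a comment: the removed 'iot' and 'lan' bridges are not re-created anywhere in this commit, since accesspoint_network_zones is `[]` and its template is commented out, so the rendered network config now contains only loopback, raw and mgmt — presumably intentional for "almost done", but it should be stated.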
index 2337b9f..2c29b78 100644 (file)
@@ -5,6 +5,7 @@ openwrt_packages_remove:
   - dnsmasq
   - firewall
   - odhcpd
+  - odhcpd-ipv6only
 openwrt_packages_add:
   - haveged
   - htop
index 874f87e..26bb727 100644 (file)
@@ -66,7 +66,7 @@ virtualservers
 wuerfel
 
 [accesspoints]
-ap[0:1]
+ap[0:2]
 
 [openwrt]
 torwaechter
index d56affe..95d9d10 100644 (file)
@@ -1,3 +1,8 @@
 # Build OpenWRT images with Ansible
 
+TODO: add possibility to disable root logins using /etc/shadow
+      this will also take care of the annoying
+         "There is no root password defined ..."
+      message when you log in.
+
 ## Configuration
index f4cab00..e8a3e8b 100644 (file)
Binary files a/ansible/roles/openwrt-image/openwrt-keyring.gpg and b/ansible/roles/openwrt-image/openwrt-keyring.gpg differ
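Review bot: The openwrt-keyring.gpg change is a trust-root change that cannot be reviewed from the diff, and neither the commit message nor the README hunk says which signing key was added, removed or rotated. Record the affected key fingerprint(s) and where they were verified against in the commit message, or keep a fingerprint listing next to the keyring in the role README (e.g. output of `gpg --no-default-keyring --keyring <path-to-keyring> --list-keys --with-fingerprint`), so that image signature verification stays auditable and a reviewer can confirm the binary matches.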