From f7ce46247407338d089ab037cecd2d8fc1b5a86c Mon Sep 17 00:00:00 2001
From: Olaf Klischat
Date: Sun, 19 Dec 2021 00:34:54 +0100
Subject: [PATCH 01/10] clearfog pro: remove config that does not correspond to anything that comes with the board
---
 config/board/clearfogpro.yml | 17 -----------------
 1 file changed, 17 deletions(-)
diff --git a/config/board/clearfogpro.yml b/config/board/clearfogpro.yml
index 1cba82358..aa3436d43 100644
--- a/config/board/clearfogpro.yml
+++ b/config/board/clearfogpro.yml
@@ -26,22 +26,5 @@ bridges: - "eth2" ip: "{{management_ip}}" -vlan_links: - # the WAN interface - - name: "vlan_wan" - device: eth0 - vlan_id: 7 - -# USB WiFi dongle firmwares -additional_packages: - - firmware-atheros - - firmware-ralink - -# WAN interface. The ADSL setup will configure this to be the PPPoE outgoing interface -wan_interface: vlan_wan - -# WLAN interface. Will be added to the {{lanif_name}} bridge interface -wlan_interface: wlan0 - other_interfaces: - eth1
From 9aac614fbf32eceb6e53331208e63dc0fd0921eb Mon Sep 17 00:00:00 2001
From: Olaf Klischat
Date: Wed, 28 Dec 2022 06:34:24 +0000
Subject: [PATCH 02/10] hostapd.conf updated to recent version
---
 roles/accesspoint/templates/hostapd.conf.j2 | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/roles/accesspoint/templates/hostapd.conf.j2 b/roles/accesspoint/templates/hostapd.conf.j2
index 868119a85..c808688da 100644
--- a/roles/accesspoint/templates/hostapd.conf.j2
+++ b/roles/accesspoint/templates/hostapd.conf.j2
@@ -192,16 +192,16 @@ dtim_period=2 # (default: 2007) max_num_sta=255 -# RTS/CTS threshold; 2347 = disabled (default); range 0..2347 -# If this field is not included in hostapd.conf, hostapd will not control -# RTS threshold and 'iwconfig wlan# rts ' can be used to set it. -rts_threshold=2347 +# RTS/CTS threshold; -1 = disabled (default); range -1..65535 +# # If this field is not included in hostapd.conf, hostapd will not control +# # RTS threshold and 'iwconfig wlan# rts ' can be used to set it. +rts_threshold=-1 -# Fragmentation threshold; 2346 = disabled (default); range 256..2346 -# If this field is not included in hostapd.conf, hostapd will not control -# fragmentation threshold and 'iwconfig wlan# frag ' can be used to set -# it. -fragm_threshold=2346 +# Fragmentation threshold; -1 = disabled (default); range -1, 256..2346 +# # If this field is not included in hostapd.conf, hostapd will not control +# # fragmentation threshold and 'iwconfig wlan# frag ' can be used to set +# # it. +fragm_threshold=-1 # Rate configuration # Default is to enable all rates supported by the hardware. This configuration
@@ -1071,7 +1071,7 @@ own_ip_addr=127.0.0.1 # and/or WPA2 (full IEEE 802.11i/RSN): # bit0 = WPA # bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled) -wpa=1 +wpa=2 # WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit # secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase
From 574cc4ee2794aee1d35a72e88dd479c51aca8607 Mon Sep 17 00:00:00 2001
From: Olaf Klischat
Date: Fri, 30 Dec 2022 22:11:23 +0100
Subject: [PATCH 03/10] detect_early_failure not needed for forking and notify services
---
 roles/dns/tasks/main.yml | 1 -
 roles/sshd-config/handlers/main.yml | 1 -
 2 files changed, 2 deletions(-)
diff --git a/roles/dns/tasks/main.yml b/roles/dns/tasks/main.yml
index f8c690895..032afe21d 100644
--- a/roles/dns/tasks/main.yml
+++ b/roles/dns/tasks/main.yml
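Review bot: The replacement comment lines above `rts_threshold=-1` and `fragm_threshold=-1` carry a doubled `# #` prefix that the removed lines did not have, which looks like an artifact of merging two copies of hostapd.conf rather than intent. Dropping the extra `# ` keeps the template's comment style consistent with the rest of the file, e.g. `# If this field is not included in hostapd.conf, hostapd will not control`. The new `-1` values themselves are what the accompanying comments document as the defaults, so there is no functional concern in this hunk.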
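Review bot: `wpa=2` at the end of the second hunk is a security-relevant behaviour change (WPA2/RSN only; WPA1-only clients are no longer accepted), but the commit message only says the file was updated to a recent version, so this deserves its own line there and a comment in the template such as `# WPA2 (RSN) only; WPA1 is deprecated and not offered`. Whether the result is actually CCMP-only depends on the cipher lines, which are outside this hunk: confirm the pairwise cipher resolves to CCMP (`rsn_pairwise=CCMP`, or `wpa_pairwise=CCMP`, which hostapd falls back to for RSN when `rsn_pairwise` is unset). The `wpa_key_mgmt` value is likewise not visible here and should be checked alongside.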
@@ -38,4 +38,3 @@ enabled: True state: started daemon_reload: True - detect_early_failure: yes
diff --git a/roles/sshd-config/handlers/main.yml b/roles/sshd-config/handlers/main.yml
index f35663b64..491a6c983 100644
--- a/roles/sshd-config/handlers/main.yml
+++ b/roles/sshd-config/handlers/main.yml
@@ -2,4 +2,3 @@ systemd: name: ssh.service state: restarted - detect_early_failure: yes
From 77ee47cdb15a4adaa152bf628ebc5d1c63571082 Mon Sep 17 00:00:00 2001
From: Olaf Klischat
Date: Sat, 31 Dec 2022 00:21:50 +0100
Subject: [PATCH 04/10] remove detect_early_failure flags completely for now Will port this to latest Ansible versions and try to get it merged upstream
---
 roles/accesspoint/handlers/main.yml | 1 -
 roles/accesspoint/tasks/main.yml | 1 -
 roles/dns/handlers/main.yml | 1 -
 roles/monitoring/handlers/main.yml | 1 -
 roles/monitoring/tasks/main.yml | 1 -
 5 files changed, 5 deletions(-)
diff --git a/roles/accesspoint/handlers/main.yml b/roles/accesspoint/handlers/main.yml
index c3baef5c7..d0dbf7259 100644
--- a/roles/accesspoint/handlers/main.yml
+++ b/roles/accesspoint/handlers/main.yml
@@ -2,4 +2,3 @@ systemd: name: hostapd.service state: restarted - detect_early_failure: yes
diff --git a/roles/accesspoint/tasks/main.yml b/roles/accesspoint/tasks/main.yml
index 83cf8a3ab..1bf8e04b7 100644
--- a/roles/accesspoint/tasks/main.yml
+++ b/roles/accesspoint/tasks/main.yml
@@ -34,4 +34,3 @@ enabled: True state: started daemon_reload: True - detect_early_failure: yes
diff --git a/roles/dns/handlers/main.yml b/roles/dns/handlers/main.yml
index 135d844ee..2ab136517 100644
--- a/roles/dns/handlers/main.yml
+++ b/roles/dns/handlers/main.yml
@@ -2,4 +2,3 @@ systemd: name: dnsmasq.service state: restarted - detect_early_failure: yes
diff --git a/roles/monitoring/handlers/main.yml b/roles/monitoring/handlers/main.yml
index 2381b9ca2..546d89f69 100644
--- a/roles/monitoring/handlers/main.yml
+++ b/roles/monitoring/handlers/main.yml
@@ -2,4 +2,3 @@ systemd: name: prometheus-node-exporter.service state: restarted - detect_early_failure: yes
diff --git a/roles/monitoring/tasks/main.yml b/roles/monitoring/tasks/main.yml
index ae5454c0b..50e6c80b2 100644
--- a/roles/monitoring/tasks/main.yml
+++ b/roles/monitoring/tasks/main.yml
@@ -18,4 +18,3 @@ enabled: True state: started daemon_reload: True - detect_early_failure: yes
\ No newline at end of file
From 7bf794200b016c524511d64c299e78ea8bd27a4e Mon Sep 17 00:00:00 2001
From: Olaf Klischat
Date: Wed, 4 Jan 2023 01:16:16 +0100
Subject: [PATCH 05/10] routerbox: disable systemd-resolved (conflicts with dnsmasq)
---
 roles/dns/tasks/main.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/roles/dns/tasks/main.yml b/roles/dns/tasks/main.yml
index 032afe21d..f307d9e4f 100644
--- a/roles/dns/tasks/main.yml
+++ b/roles/dns/tasks/main.yml
@@ -1,3 +1,11 @@ +- name: disable systemd-resolved + systemd: + name: "{{item}}" + enabled: False + state: stopped + with_items: + - systemd-resolved + - name: install dnsmasq package package: name: "{{item}}"
From 35c5731a0ff7737352d4109e53a5f4ed2f8a60b4 Mon Sep 17 00:00:00 2001
From: Olaf Klischat
Date: Wed, 4 Jan 2023 01:16:53 +0100
Subject: [PATCH 06/10] routerbox: node-exporter config adapted to latest version
---
 .../templates/prometheus-node-exporter.j2 | 60 +------------------
 1 file changed, 1 insertion(+), 59 deletions(-)
diff --git a/roles/monitoring/templates/prometheus-node-exporter.j2 b/roles/monitoring/templates/prometheus-node-exporter.j2
index 41a0dd00f..27d4c067b 100644
--- a/roles/monitoring/templates/prometheus-node-exporter.j2
+++ b/roles/monitoring/templates/prometheus-node-exporter.j2
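Review bot: The new `disable systemd-resolved` task in roles/dns/tasks/main.yml stops the stub resolver but nothing in the hunk replaces `/etc/resolv.conf`; on hosts where that file is the usual symlink to systemd-resolved's stub file, name resolution keeps pointing at a now-dead 127.0.0.53 until dnsmasq is configured and resolv.conf is rewritten, and the later tasks of this file are outside the hunk so I cannot tell whether one does that. Consider adding `masked: true` to the task so a dependency or package upgrade cannot restart the unit underneath dnsmasq, and write a plain `/etc/resolv.conf` in the same role. Style: `enabled: False` should be the canonical `enabled: false`, and the single-item `with_items` loop can simply be `name: systemd-resolved`.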
@@ -1,60 +1,2 @@ # Set the command-line arguments to pass to the server. -ARGS="-collector.diskstats.ignored-devices=^(ram|loop|fd)\d+$ \ - -collector.filesystem.ignored-mount-points=^/(sys|proc|dev|run)($|/) \ - -collector.textfile.directory=/var/lib/prometheus/node-exporter \ - -web.listen-address {{lan_prefix}}.1:9100" - -# Prometheus-node-exporter supports the following options: -# -# -collector.diskstats.ignored-devices string -# Regexp of devices to ignore for diskstats. -# (default "^(ram|loop|fd|(h|s|v|xv)d[a-z]|nvme\\d+n\\d+p)\\d+$") -# -collector.filesystem.ignored-fs-types string -# Regexp of filesystem types to ignore for filesystem collector. -# (default "^(sys|proc)fs$") -# -collector.filesystem.ignored-mount-points string -# Regexp of mount points to ignore for filesystem collector. -# (default "^/(sys|proc|dev)($|/)") -# -collector.megacli.command string -# Command to run megacli. (default "megacli") -# -collector.netdev.ignored-devices string -# Regexp of net devices to ignore for netdev collector. (default "^$") -# -collector.ntp.protocol-version int -# NTP protocol version (default 4) -# -collector.ntp.server string -# NTP server to use for ntp collector. -# -collector.procfs string -# procfs mountpoint. (default "/proc") -# -collector.supervisord.url string -# XML RPC endpoint (default "http://localhost:9001/RPC2") -# -collector.sysfs string -# sysfs mountpoint. (default "/sys") -# -collector.systemd.private -# Establish a private, direct connection to systemd without dbus. -# -collector.systemd.unit-blacklist string -# Regexp of systemd units to blacklist. Units must both match whitelist -# and not match blacklist to be included. -# -collector.systemd.unit-whitelist string -# Regexp of systemd units to whitelist. Units must both match whitelist -# and not match blacklist to be included. (default ".+") -# -collector.textfile.directory string -# Directory to read text files with metrics from. 
-# -collectors.enabled string -# Comma-separated list of collectors to use. -# (default "conntrack,diskstats,entropy,filefd,filesystem,hwmon,\ -# loadavg,mdadm,meminfo,netdev,netstat,sockstat,stat,textfile,time,\ -# uname,vmstat") -# -collectors.print -# If true, print available collectors and exit. -# -log.format value -# Set the log target and format. -# Example: "logger:syslog?appname=bob&local=7" or -# "logger:stdout?json=true" (default "logger:stderr") -# -log.level value -# Only log messages with the given severity or above. -# Valid levels: [debug, info, warn, error, fatal] (default "info") -# -web.listen-address string -# Address on which to expose metrics and web interface. -# (default ":9100") -# -web.telemetry-path string -# Path under which to expose metrics. (default "/metrics") +ARGS="--web.listen-address {{lan_prefix}}.1:9100"
From 10bc1875d20b8a0178dc320ed13085acaec51a3f Mon Sep 17 00:00:00 2001
From: Olaf Klischat
Date: Sun, 8 Jan 2023 05:47:15 +0100
Subject: [PATCH 07/10] routerbox sshd-config write fixed
---
 roles/sshd-config/defaults/main.yml | 3 +--
 roles/sshd-config/tasks/main.yml | 10 ++++------
 roles/sshd-config/templates/routerbox.conf.j2 | 3 +++
 3 files changed, 8 insertions(+), 8 deletions(-)
 create mode 100644 roles/sshd-config/templates/routerbox.conf.j2
diff --git a/roles/sshd-config/defaults/main.yml b/roles/sshd-config/defaults/main.yml
index 9c28a58a0..7bc036118 100644
--- a/roles/sshd-config/defaults/main.yml
+++ b/roles/sshd-config/defaults/main.yml
@@ -1,3 +1,2 @@ sshd_options: - - ['PermitRootLogin', 'no'] - - ['PasswordAuthentication', 'no']
\ No newline at end of file
+ - ['PasswordAuthentication', 'no']
diff --git a/roles/sshd-config/tasks/main.yml b/roles/sshd-config/tasks/main.yml
index e16efd3d7..24a7311c0 100644
--- a/roles/sshd-config/tasks/main.yml
+++ b/roles/sshd-config/tasks/main.yml
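Review bot: The roles/sshd-config/defaults/main.yml hunk silently drops `['PermitRootLogin', 'no']` from `sshd_options` while the commit message only talks about fixing the write path; after this change the root-login policy falls back to sshd's default, which for upstream OpenSSH is `prohibit-password` (root may log in with a key) and may differ per distribution. If root key login is the intended access model for the router, state it explicitly rather than relying on the default, e.g. `- ['PermitRootLogin', 'prohibit-password']` with a comment above it; if the line went missing by accident, keep the `no`. Either way the change in effective policy should be mentioned in the commit message.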
@@ -1,9 +1,7 @@ - name: set sshd options - lineinfile: - dest: /etc/ssh/sshd_config - regexp: "^{{item[0]}}" - line: "{{item[0]}} {{item[1]}}" - with_items: - - "{{sshd_options}}" + template: + src: templates/routerbox.conf.j2 + dest: /etc/ssh/sshd_config.d/routerbox.conf + mode: 0644 notify: - restart sshd service
diff --git a/roles/sshd-config/templates/routerbox.conf.j2 b/roles/sshd-config/templates/routerbox.conf.j2
new file mode 100644
index 000000000..1feb1c835
--- /dev/null
+++ b/roles/sshd-config/templates/routerbox.conf.j2
@@ -0,0 +1,3 @@
+{% for item in sshd_options -%}
+{{item[0]}} {{item[1]}}
+{% endfor %}
From c19acd29590e6de4441e12ccc5d7b5bc1a9e4615 Mon Sep 17 00:00:00 2001
From: Olaf Klischat
Date: Sun, 8 Jan 2023 06:44:22 +0100
Subject: [PATCH 08/10] routerbox: configure ssh host keys
---
 config/postproc/99-mine.yml.sample | 26 +++++++++++++++++++++++
 roles/sshd-config/defaults/main.yml | 2 ++
 roles/sshd-config/tasks/main.yml | 5 +++++
 roles/sshd-config/tasks/write_hostkey.yml | 16 ++++++++++++++
 4 files changed, 49 insertions(+)
 create mode 100644 roles/sshd-config/tasks/write_hostkey.yml
diff --git a/config/postproc/99-mine.yml.sample b/config/postproc/99-mine.yml.sample
index 59cb4dc77..04f4460a1 100644
--- a/config/postproc/99-mine.yml.sample
+++ b/config/postproc/99-mine.yml.sample
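Review bot: The new `template` task writes `/etc/ssh/sshd_config.d/routerbox.conf` but does not check that the main sshd_config actually includes that directory (`Include /etc/ssh/sshd_config.d/*.conf`, OpenSSH 8.2 and later); on a host without the directive the task reports success while `PasswordAuthentication no` is never applied. A preceding `lineinfile` that asserts the `Include` line is present, plus a `file` task that creates the directory, would turn that silent no-op into an explicit failure or fix. Write the mode as a quoted string, `mode: "0644"`, since an unquoted `0644` only works because YAML 1.1 parsers read it as octal and `644` would not, and consider `validate: "/usr/sbin/sshd -t -f %s"` on the task so a malformed `sshd_options` entry is rejected before the restart handler fires.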
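Review bot: The new routerbox.conf.j2 template produces the drop-in with no header, so an administrator reading `/etc/ssh/sshd_config.d/routerbox.conf` on the box cannot tell it is generated and will be overwritten on the next run. Add `# {{ ansible_managed }}` as the first line of the template. The `-%}` whitespace control on the `for` tag together with the template module's default `trim_blocks` yields one `Key value` line per entry, which is the form sshd expects, so the loop body itself is fine.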
@@ -6,6 +6,32 @@ authorized_keys: - 'ssh-rsa xxxxxxxxx olaf@tackd' - 'ssh-rsa yyyyyyyyy oklischat@Olafs-MacBook-Air.local' +# SSH host keys +sshd_host_private_keys: + ecdsa: | + -----BEGIN OPENSSH PRIVATE KEY----- + b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS + 1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQRjnuPST5KRDN0XT7AwHiR0eyE0N6Gi + ..... + ..... + -----END OPENSSH PRIVATE KEY----- + ed25519: | + -----BEGIN OPENSSH PRIVATE KEY----- + b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW + QyNTUxOQAAACAP/2bLdjMWzy1xZ2BzJ4S59FvT1xjLwvFH88LH7p3LdgAAAJhRFFllURRZ + ..... + ..... + -----END OPENSSH PRIVATE KEY----- + rsa: | + -----BEGIN OPENSSH PRIVATE KEY----- + b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn + NhAAAAAwEAAQAAAYEAvBfiiBNc8WkYk7RtH0m83CvFLZ+9Mfe1bnJLqH1NBgyzvDIYMeAi + fl/RCUi2UlWNZeenqzxnkWUsxPP+32UqgpnFd1PmbqjANTvgxFrqDeSUPDQxDzyzoWsYKR + jnflxN7mmBYqfdO1i+iOUMjZv6BVjYWIuDYEJ4/a9BNrJOlExsiDnKTs8+eBN+zmGHVec2 + ..... + ..... + -----END OPENSSH PRIVATE KEY----- + # /24 network in which to assign the LAN IPs. # must be a /24 lan_prefix: 192.168.143
diff --git a/roles/sshd-config/defaults/main.yml b/roles/sshd-config/defaults/main.yml
index 7bc036118..6913b2375 100644
--- a/roles/sshd-config/defaults/main.yml
+++ b/roles/sshd-config/defaults/main.yml
@@ -1,2 +1,4 @@ sshd_options: - ['PasswordAuthentication', 'no'] + +sshd_host_private_keys: {}
diff --git a/roles/sshd-config/tasks/main.yml b/roles/sshd-config/tasks/main.yml
index 24a7311c0..c6ff587c0 100644
--- a/roles/sshd-config/tasks/main.yml
+++ b/roles/sshd-config/tasks/main.yml
@@ -5,3 +5,8 @@ mode: 0644 notify: - restart sshd service + +- name: configure ssh host keys + include_tasks: write_hostkey.yml + with_dict: "{{sshd_host_private_keys}}" + no_log: True
diff --git a/roles/sshd-config/tasks/write_hostkey.yml b/roles/sshd-config/tasks/write_hostkey.yml
new file mode 100644
index 000000000..e274d9d22
--- /dev/null
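Review bot: The `sshd_host_private_keys` block in 99-mine.yml.sample inlines private key material as plain block scalars with nothing telling the reader how the real values are meant to be stored; since this file is what people copy to create their own config, the comment above it should say the keys must be vault-encrypted, e.g. `# SSH host keys (private). Store each value as an ansible-vault encrypted string (ansible-vault encrypt_string); never commit plaintext keys.` The `.....` lines should also be called out as truncated placeholders so nobody pastes the block as-is and ends up with an unparsable key. The mapping keys (`ecdsa`, `ed25519`, `rsa`) become part of the `/etc/ssh/ssh_host_<name>_key` file name in write_hostkey.yml, so the comment should list which names are valid.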
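Review bot: `no_log: True` is set on the `include_tasks` line in roles/sshd-config/tasks/main.yml, but for a dynamic include that keyword applies to the include task itself and, in the Ansible versions I know, is not inherited by the tasks inside write_hostkey.yml (that is what the include's `apply:` argument exists for); the `copy` task there renders `content: "{{item.value}}"` and would print the private key in `-v` or `--diff` output. Either set `no_log: true` on the tasks in write_hostkey.yml themselves or use `include_tasks` with `file: write_hostkey.yml` and `apply: {no_log: true}`, and write the canonical lowercase `true` here. Keyword inheritance for includes has changed across releases, so verify against the Ansible version actually used.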
+++ b/roles/sshd-config/tasks/write_hostkey.yml
@@ -0,0 +1,16 @@
+- name: upload host private key
+ copy:
+ dest: "/etc/ssh/ssh_host_{{item.key}}_key"
+ content: "{{item.value}}"
+ mode: 0600
+ notify:
+ - restart sshd service
+
+- name: generate host public key
+ shell:
+ cmd: "ssh-keygen -f /etc/ssh/ssh_host_{{item.key}}_key -y >/etc/ssh/ssh_host_{{item.key}}_key.pub && touch {{ created_file }}"
+ creates: "{{ created_file }}"
+ vars:
+ created_file: "/etc/ssh/.routerbox-created-pubkey-{{item.value | hash('sha1')}}"
+ notify:
+ - restart sshd service
From 2dd38919c48ce516c5ae73497423fab82a8285b8 Mon Sep 17 00:00:00 2001
From: Olaf Klischat
Date: Sat, 13 May 2023 11:44:38 +0200
Subject: [PATCH 09/10] accesspoint: more configurability
---
 roles/accesspoint/defaults/main.yml | 9 ++++++---
 roles/accesspoint/templates/hostapd.conf.j2 | 12 +++++++-----
 2 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/roles/accesspoint/defaults/main.yml b/roles/accesspoint/defaults/main.yml
index eeda4dbb4..fffa62243 100644
--- a/roles/accesspoint/defaults/main.yml
+++ b/roles/accesspoint/defaults/main.yml
@@ -7,7 +7,10 @@ wlan_hw_mode: g wlan_channel: 2 # todo automatic channel selection (see conf) wlan_ieee80211n: 1 -wlan_wpa_passphrase: "supersecret" - +wlan_ieee80211ac: 0 +wlan_require_ht: 0 +wlan_require_vht: 0 +wlan_vht_oper_chwidth: 1 +wlan_vht_oper_centr_freq_seg0_idx: 42 -# TODO ieee80211n +wlan_wpa_passphrase: "supersecret"
diff --git a/roles/accesspoint/templates/hostapd.conf.j2 b/roles/accesspoint/templates/hostapd.conf.j2
index c808688da..e2b1264e1 100644
--- a/roles/accesspoint/templates/hostapd.conf.j2
+++ b/roles/accesspoint/templates/hostapd.conf.j2
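Review bot: Both tasks in the new write_hostkey.yml handle the private key without `no_log`, so with `-v` or `--diff` the `copy` task prints the full key from `content`, and `no_log` on the including task in main.yml does not cover included tasks. The second task also derives its `creates` marker from `{{item.value | hash('sha1')}}`, which puts a digest of the private key into a file name under `/etc/ssh` — not exploitable, but unnecessary — and the marker stays behind on rotation, so rolling back to a previously used key leaves the other key's `.pub` in place. Registering the `copy` result and regenerating the public key only `when: hostkey_private.changed` removes the marker file, lets `command` with `argv` replace the `shell` string, gives the `.pub` an explicit mode, and quoting `mode: "0600"` avoids the YAML octal trap.
```yaml
- name: upload host private key
  copy:
    dest: "/etc/ssh/ssh_host_{{item.key}}_key"
    content: "{{item.value}}"
    mode: "0600"
  no_log: true
  register: hostkey_private
  notify:
    - restart sshd service

- name: derive host public key from the private key
  command:
    argv:
      - ssh-keygen
      - -y
      - -f
      - "/etc/ssh/ssh_host_{{item.key}}_key"
  register: hostkey_public
  changed_when: false
  when: hostkey_private.changed

- name: write host public key
  copy:
    dest: "/etc/ssh/ssh_host_{{item.key}}_key.pub"
    content: "{{ hostkey_public.stdout }}\n"
    mode: "0644"
  when: hostkey_private.changed
  notify:
    - restart sshd service
```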
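Review bot: `wlan_wpa_passphrase: "supersecret"` is re-added at the end of the roles/accesspoint/defaults/main.yml hunk as a role default, so a host whose config forgets to override it silently comes up with a passphrase that is published in this repository. A safer pattern is to leave the variable undefined in defaults and make rendering fail loudly, e.g. `wpa_passphrase={{ wlan_wpa_passphrase | mandatory }}` wherever hostapd.conf.j2 renders the passphrase (that line is outside this diff), or to `assert` in the role's tasks that the value was changed. The new VHT defaults also deserve a comment: `wlan_vht_oper_centr_freq_seg0_idx: 42` is a 5 GHz index while `wlan_hw_mode: g` / `wlan_channel: 2` above remain 2.4 GHz, which should be harmless only as long as `wlan_ieee80211ac: 0` keeps VHT off, so a note that these values apply to AC/5 GHz setups would stop someone enabling AC against a 2.4 GHz channel.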
@@ -508,7 +508,7 @@ ieee80211n={{wlan_ieee80211n}} #ht_capab=[HT40-][SHORT-GI-20][SHORT-GI-40] # Require stations to support HT PHY (reject association if they do not) -#require_ht=1 +require_ht={{wlan_require_ht}} # If set non-zero, require stations to perform scans of overlapping # channels to test for stations which would be affected by 40 MHz traffic.
@@ -523,7 +523,7 @@ ieee80211n={{wlan_ieee80211n}} # 0 = disabled (default) # 1 = enabled # Note: You will also need to enable WMM for full VHT functionality. -#ieee80211ac=1 +ieee80211ac={{wlan_ieee80211ac}} # vht_capab: VHT capabilities (list of flags) #
@@ -645,19 +645,21 @@ ieee80211n={{wlan_ieee80211n}} #vht_capab=[SHORT-GI-80][HTC-VHT] # # Require stations to support VHT PHY (reject association if they do not) -#require_vht=1 +require_vht={{wlan_require_vht}} # 0 = 20 or 40 MHz operating Channel width # 1 = 80 MHz channel width # 2 = 160 MHz channel width # 3 = 80+80 MHz channel width -#vht_oper_chwidth=1 +#vht_oper_chwidth={{wlan_vht_oper_chwidth}} + # # center freq = 5 GHz + (5 * index) # So index 42 gives center freq 5.210 GHz # which is channel 42 in 5G band # -#vht_oper_centr_freq_seg0_idx=42 +vht_oper_centr_freq_seg0_idx={{wlan_vht_oper_centr_freq_seg0_idx}} + # # center freq = 5 GHz + (5 * index) # So index 159 gives center freq 5.795 GHz
From 917e66f2667a1c8da20b77839fbc511e0043967f Mon Sep 17 00:00:00 2001
From: Olaf Klischat
Date: Sun, 23 Jun 2024 16:13:40 +0200
Subject: [PATCH 10/10] accesspoint: ability to set ht_capab/vht_capab
---
 roles/accesspoint/templates/hostapd.conf.j2 | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/roles/accesspoint/templates/hostapd.conf.j2 b/roles/accesspoint/templates/hostapd.conf.j2
index e2b1264e1..e20e51446 100644
--- a/roles/accesspoint/templates/hostapd.conf.j2
+++ b/roles/accesspoint/templates/hostapd.conf.j2
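Review bot: In the third hunk (`@@ -645`) `vht_oper_chwidth` stays commented out — `#vht_oper_chwidth={{wlan_vht_oper_chwidth}}` — while `require_vht` and `vht_oper_centr_freq_seg0_idx` on either side of it are rendered live, so the `wlan_vht_oper_chwidth` default added by this same commit is never used and hostapd keeps its built-in width. Either render it, `vht_oper_chwidth={{wlan_vht_oper_chwidth}}`, or drop the default; as it stands the variable looks configurable but has no effect. A short comment on the newly rendered VHT lines saying they only matter when `ieee80211ac=1` would also help, since the role ships with AC off.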
@@ -507,6 +507,8 @@ ieee80211n={{wlan_ieee80211n}} # L-SIG TXOP protection support: [LSIG-TXOP-PROT] (disabled if not set) #ht_capab=[HT40-][SHORT-GI-20][SHORT-GI-40] +ht_capab={{wlan_ht_capab}} + # Require stations to support HT PHY (reject association if they do not) require_ht={{wlan_require_ht}}
@@ -643,6 +645,8 @@ ieee80211ac={{wlan_ieee80211ac}} # 0 = Tx antenna pattern might change during the lifetime of an association # 1 = Tx antenna pattern does not change during the lifetime of an association #vht_capab=[SHORT-GI-80][HTC-VHT] +vht_capab={{wlan_vht_capab}} + # # Require stations to support VHT PHY (reject association if they do not) require_vht={{wlan_require_vht}}
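Review bot: `ht_capab={{wlan_ht_capab}}` is rendered unconditionally, but the commit adds no `wlan_ht_capab` default (the diffstat lists only the template), so any host that does not define the variable in its own config now fails to render hostapd.conf with an undefined-variable error under Ansible's default strict handling; the second hunk's `vht_capab={{wlan_vht_capab}}` has the same problem. Either add both keys to roles/accesspoint/defaults/main.yml or guard the lines, e.g. `{% if wlan_ht_capab is defined %}` / `ht_capab={{wlan_ht_capab}}` / `{% endif %}`, and likewise for `vht_capab`. A comment naming the expected format (the `[HT40-][SHORT-GI-20]` flag syntax shown on the commented example line just above) would help the next person setting these values.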