No commits in common. "8f7518a55beab220f99bc566a3023bcf13d63687" and "d16d30e9aab81338ce3f3580ed8c761c27dbcfb3" have entirely different histories.
14
README.md
|
@ -34,15 +34,5 @@ setup dei belvederi
|
||||||
ansible-playbook -i hosts -i inventory.yml infra.yml
|
ansible-playbook -i hosts -i inventory.yml infra.yml
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
## build
|
https://openwrt.org/docs/guide-developer/toolchain/use-buildsystem
|
||||||
In roles/stable/build un ruolo per buildare opernwrt e libremesh.
|
|
||||||
Permette di aggiungere pacchetti e configurazioni attraverso i profili
|
|
||||||
|
|
||||||
|
|
||||||
i devices si possono aggiungere nel file di hosts mesh_devices.yml
|
|
||||||
lime-<macaddress>:
|
|
||||||
hostname:
|
|
||||||
|
|
||||||
nel ruolo è presente una fase iniziale, di preflight che genera un file di variabili per ciascun dispositivo, in host_vars
|
|
||||||
che vengono poi usate per la generazione dei file di configurazione lime-<macaddress>
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
esempio di test per buiildare per tutti i targets
|
esempio di test per buildare per tutti i targets
|
||||||
|
|
||||||
ansible-playbook \
|
ansible-playbook \
|
||||||
-i hosts \
|
-i hosts \
|
||||||
|
@ -14,15 +14,15 @@ ansible-playbook \
|
||||||
playbooks/build_all_targets.yml
|
playbooks/build_all_targets.yml
|
||||||
|
|
||||||
#### configura e builda
|
#### configura e builda
|
||||||
ansible-playbook \
|
ansible-playbook \
|
||||||
-i hosts \
|
-i hosts \
|
||||||
-i mesh_devices.yml \
|
-i mesh_devices.yml \
|
||||||
-i inventory.yml \
|
-i inventory.yml \
|
||||||
--skip-tags preflight \
|
--skip-tags preflight \
|
||||||
--skip-tags openwrt_install \
|
--skip-tags openwrt_install \
|
||||||
--skip-tags libremesh_install \
|
--skip-tags libremesh_install \
|
||||||
--skip-tags webserver \
|
--skip-tags webserver \
|
||||||
playbooks/generate-new-test-device_dev.yml
|
playbooks/build_single_target_dev_test.yml
|
||||||
|
|
||||||
|
|
||||||
# nuovo target
|
# nuovo target
|
||||||
|
@ -30,8 +30,7 @@ ansible-playbook \
|
||||||
-i hosts \
|
-i hosts \
|
||||||
-i mesh_devices.yml \
|
-i mesh_devices.yml \
|
||||||
-i inventory.yml \
|
-i inventory.yml \
|
||||||
--skip-tags preflight \
|
playbooks/build_single_target_dev_test.yml
|
||||||
playbooks/generate-new-test-device_dev.yml
|
|
||||||
|
|
||||||
|
|
||||||
ansible-playbook \
|
ansible-playbook \
|
||||||
|
|
2
TODO.md
|
@ -19,3 +19,5 @@ config device
|
||||||
option type 'bridge'
|
option type 'bridge'
|
||||||
list ports 'eth0'
|
list ports 'eth0'
|
||||||
list ports 'bat0'
|
list ports 'bat0'
|
||||||
|
|
||||||
|
[ ] try to add support for lbe-m5 on openwrt 21.02.3
|
||||||
|
|
|
@ -1,4 +1,8 @@
|
||||||
|
|
||||||
|
[passwordstore_lookup]
|
||||||
|
lock=readwrite
|
||||||
|
locktimeout=45000s
|
||||||
|
|
||||||
[defaults]
|
[defaults]
|
||||||
inventory = ./inventory.yml
|
inventory = ./inventory.yml
|
||||||
interpreter_python = /usr/bin/python3
|
interpreter_python = /usr/bin/python3
|
||||||
|
|
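Review bot: `locktimeout=45000s` is 12.5 hours, which reads like a typo for `45s`; with `lock=readwrite` a passwordstore lookup that cannot take the lock (for example while a gpg pinentry prompt is open in another run) will hang for that long instead of failing fast. I would set `locktimeout=45s` unless a multi-hour wait is really intended. As far as I can tell the lookup accepts s/m/h suffixes, so the value is legal, just surprising, and a one-line comment above it stating the intended wait would stop the next reader from "fixing" it either way.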
|
@ -1,16 +0,0 @@
|
||||||
---
|
|
||||||
## Monitoring
|
|
||||||
- name: Monitoring
|
|
||||||
hosts: belvedere
|
|
||||||
roles:
|
|
||||||
- 'stable/monitoring/prometheus'
|
|
||||||
# - 'stable/monitoring/blackbox_exporter'
|
|
||||||
# - 'stable/monitoring/alertmanager'
|
|
||||||
# - 'stable/dnsmasq'
|
|
||||||
vars_files:
|
|
||||||
- monitoring.yml
|
|
||||||
- smtp.yml
|
|
||||||
- telegram.yml
|
|
||||||
tags: monitoring
|
|
||||||
# with_vars:
|
|
||||||
# prometheus_skip_install: true
|
|
|
@ -1,6 +0,0 @@
|
||||||
|
|
||||||
vpn_wg1_endpoint_host: <redacted>
|
|
||||||
vpn_wg1_endpoint_port: 51800
|
|
||||||
vpn_wg1_publickey: <redacted>
|
|
||||||
vpn_wg1_allowed_ips: 192.168.0.0/16
|
|
||||||
vpn_wg1_persistent_keepalive: 25
|
|
|
@ -8,7 +8,7 @@ main_ipv4_address: 10.170.0.0/16
|
||||||
# END ANSIBLE MANAGED BLOCK lime-000000000000 common
|
# END ANSIBLE MANAGED BLOCK lime-000000000000 common
|
||||||
# BEGIN ANSIBLE MANAGED BLOCK lime-000000000000 config
|
# BEGIN ANSIBLE MANAGED BLOCK lime-000000000000 config
|
||||||
config_lime_system: option hostname 'ninux-000000'
|
config_lime_system: option hostname 'ninux-000000'
|
||||||
config_lime_network: option channel_5ghz '48'
|
config_lime_wifi: option channel_5ghz '48'
|
||||||
# END ANSIBLE MANAGED BLOCK lime-000000000000 config
|
# END ANSIBLE MANAGED BLOCK lime-000000000000 config
|
||||||
# BEGIN ANSIBLE MANAGED BLOCK lime-000000000000 vpn wireguard wg0
|
# BEGIN ANSIBLE MANAGED BLOCK lime-000000000000 vpn wireguard wg0
|
||||||
vpn_wg0_privatekey: UIHZ9uTOxW07jHTQHAzUvmWAS6tkPtQWqZU9Gp6LcHY=
|
vpn_wg0_privatekey: UIHZ9uTOxW07jHTQHAzUvmWAS6tkPtQWqZU9Gp6LcHY=
|
||||||
|
|
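Review bot: The hunk leaves a WireGuard private key in cleartext on the `vpn_wg0_privatekey:` context line of this host_vars file, while the rest of the commit redacts endpoints and public keys; a private key in git history is the one value a later redaction cannot undo. `lime-000000000000` / `ninux-000000` looks like a placeholder device, but the value is a valid-looking 32-byte base64 key and should be treated as compromised: regenerate it with `wg genkey` and replace the line with a lookup like the inventory already uses for the become password, e.g. `vpn_wg0_privatekey: "{{ lookup('passwordstore', 'chiavi_antennine/lime-000000000000/wg0_privatekey') }}"`, or keep it in a vaulted host_vars file. This managed block is presumably written by a preflight task like the `config` block generator in this commit, so the generator needs the same change or every run will write the key back.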
4
hosts
|
@ -29,8 +29,8 @@ valsamoggia:
|
||||||
vps:
|
vps:
|
||||||
hosts:
|
hosts:
|
||||||
jitsi:
|
jitsi:
|
||||||
ansible_host: 135.181.109.184
|
ansible_host: 10.0.0.1
|
||||||
ansible_user: antennine
|
ansible_user: <redacted>
|
||||||
ansible_become_user: root
|
ansible_become_user: root
|
||||||
ansible_become_pass: "{{ lookup('passwordstore', 'chiavi_antennine/jitsi/user_root', errors='strict') | default(omit) }}"
|
ansible_become_pass: "{{ lookup('passwordstore', 'chiavi_antennine/jitsi/user_root', errors='strict') | default(omit) }}"
|
||||||
ansible_become_method: su
|
ansible_become_method: su
|
||||||
|
|
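Review bot: The new side replaces live values with placeholders (`ansible_host: 10.0.0.1`, `ansible_user: <redacted>`) in an inventory that playbooks actually run against, so the `jitsi` host becomes unreachable, while the original public address and user name stay in git history on the old side of this compare. If the goal is to keep those values out of the repo, put them in an out-of-tree host_vars file or reuse the passwordstore lookup this entry already has for the become password, e.g. `ansible_host: "{{ lookup('passwordstore', 'chiavi_antennine/jitsi/host') }}"`. In the same hunk, `errors='strict'` combined with `| default(omit)` is contradictory: with strict errors a missing entry raises before `default(omit)` can apply, so either drop the filter or use `errors='ignore'` if a missing password is meant to fall back to no become password.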
|
@ -1,20 +0,0 @@
|
||||||
---
|
|
||||||
## Monitoring
|
|
||||||
- name: Monitoring
|
|
||||||
gather_facts: false
|
|
||||||
hosts: belvedere-test
|
|
||||||
roles:
|
|
||||||
# - 'stable/monitoring/prometheus'
|
|
||||||
# - 'stable/monitoring/blackbox_exporter'
|
|
||||||
# - 'stable/monitoring/alertmanager'
|
|
||||||
# - 'stable/dnsmasq'
|
|
||||||
# - 'wireguard'
|
|
||||||
- 'stable/nginx'
|
|
||||||
vars_files:
|
|
||||||
# - monitoring.yml
|
|
||||||
# - smtp.yml
|
|
||||||
# - telegram.yml
|
|
||||||
# - test.yml
|
|
||||||
# - wireguard.yml
|
|
||||||
- belvederi.yml
|
|
||||||
tags: monitoring
|
|
14
infra.yml
|
@ -1,14 +0,0 @@
|
||||||
---
|
|
||||||
## Monitoring
|
|
||||||
- name: Monitoring
|
|
||||||
hosts: belvederi
|
|
||||||
roles:
|
|
||||||
- 'stable/monitoring/prometheus'
|
|
||||||
- 'stable/monitoring/blackbox_exporter'
|
|
||||||
- 'stable/monitoring/alertmanager'
|
|
||||||
- 'stable/dnsmasq'
|
|
||||||
vars_files:
|
|
||||||
- monitoring.yml
|
|
||||||
- smtp.yml
|
|
||||||
- telegram.yml
|
|
||||||
tags: monitoring
|
|
8
playbooks/ada.yml
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
---
|
||||||
|
## Ada
|
||||||
|
- name: Ada
|
||||||
|
hosts: ada
|
||||||
|
become: yes
|
||||||
|
roles:
|
||||||
|
- '../roles/stable/openssl_certificates'
|
||||||
|
tags: certificates
|
14
playbooks/belvedere.yml
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
---
|
||||||
|
## Monitoring
|
||||||
|
- name: Monitoring
|
||||||
|
hosts: belvedere
|
||||||
|
roles:
|
||||||
|
- '../roles/stable/monitoring/prometheus'
|
||||||
|
- '../roles/stable/monitoring/blackbox_exporter'
|
||||||
|
- '../roles/stable/monitoring/alertmanager'
|
||||||
|
- '../roles/stable/dnsmasq'
|
||||||
|
vars_files:
|
||||||
|
- ../vars/monitoring.yml
|
||||||
|
- ../vars/smtp.yml
|
||||||
|
- ../vars/telegram.yml
|
||||||
|
tags: monitoring
|
|
@ -1,15 +1,15 @@
|
||||||
---
|
---
|
||||||
# Build all targets
|
# Build all targets
|
||||||
|
|
||||||
# - name: Build {{ openwrt_version }} ath79_generic
|
- name: Build {{ openwrt_version }} ath79_generic
|
||||||
# gather_facts: false
|
gather_facts: false
|
||||||
# hosts: builder
|
hosts: builder
|
||||||
# roles:
|
roles:
|
||||||
# - ../roles/stable/build
|
- ../roles/stable/build
|
||||||
# vars_files:
|
vars_files:
|
||||||
# - ../vars/build/dev_test.yml
|
- ../vars/build/dev_test.yml
|
||||||
# - ../vars/build/targets/ath79_generic.yml
|
- ../vars/build/targets/ath79_generic.yml
|
||||||
# tags: generate device
|
tags: generate device
|
||||||
|
|
||||||
- name: Build {{ openwrt_version }} ar71xx_generic
|
- name: Build {{ openwrt_version }} ar71xx_generic
|
||||||
gather_facts: false
|
gather_facts: false
|
||||||
|
|
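Review bot: `tags: generate device` on the re-enabled ath79 play is one tag containing a space (Ansible splits a tags string on commas, not whitespace, as far as I can tell), so `--tags generate_device` will never select it. The new playbooks/build_single_target_dev_test.yml in this commit uses `tags: generate_device`; change this line to `tags: generate_device` so both playbooks can be driven with the same tag. The ar71xx play that starts at the bottom of the hunk presumably has the same tag and continues outside it.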
30
playbooks/build_single_target_dev_test.yml
Normal file
|
@ -0,0 +1,30 @@
|
||||||
|
---
|
||||||
|
# Build single target dev_test.
|
||||||
|
#
|
||||||
|
- name: Build single target dev_test.
|
||||||
|
gather_facts: false
|
||||||
|
hosts: builder
|
||||||
|
roles:
|
||||||
|
- ../roles/stable/build
|
||||||
|
vars_files:
|
||||||
|
- ../vars/build/openwrt.yml
|
||||||
|
- ../vars/build/dev_test.yml
|
||||||
|
- ../vars/build/_h5ai.yml
|
||||||
|
- ../vars/build/targets/test_stable_ramips_mt7620.yml
|
||||||
|
# - ../vars/build/targets/test_stable_ath79_generic.yml
|
||||||
|
# - ../vars/build/targets/22.03.1_ath79_generic.yml
|
||||||
|
tags: generate_device
|
||||||
|
|
||||||
|
- name: Build single target dev_test.
|
||||||
|
gather_facts: false
|
||||||
|
hosts: builder
|
||||||
|
roles:
|
||||||
|
- ../roles/stable/build
|
||||||
|
vars_files:
|
||||||
|
- ../vars/build/openwrt.yml
|
||||||
|
- ../vars/build/dev_test.yml
|
||||||
|
- ../vars/build/_h5ai.yml
|
||||||
|
# - ../vars/build/targets/test_stable_ramips_mt7620.yml
|
||||||
|
- ../vars/build/targets/test_stable_ath79_generic.yml
|
||||||
|
# - ../vars/build/targets/22.03.1_ath79_generic.yml
|
||||||
|
tags: generate_device
|
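Review bot: Both plays carry the identical name `Build single target dev_test.` and differ only in which target vars file is uncommented, so `--list-tasks` output and run logs cannot tell them apart and it is easy to edit the wrong one. Name them by target, e.g. `- name: Build dev_test ramips/mt7620` and `- name: Build dev_test ath79/generic`, or fold them into one play that loops over a list of target vars files. Both plays also run on the same `builder` host in sequence, and with the configure_init.yml in this commit doing `rm .config` unconditionally, the second play resets the first play's configuration before building, which is fine only if that is the intent.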
|
@ -1,14 +0,0 @@
|
||||||
---
|
|
||||||
# Generate a new device.
|
|
||||||
#
|
|
||||||
- name: Generate a new device.
|
|
||||||
gather_facts: false
|
|
||||||
hosts: builder
|
|
||||||
roles:
|
|
||||||
- ../roles/stable/build
|
|
||||||
vars_files:
|
|
||||||
- ../vars/build/dev_test.yml
|
|
||||||
- ../vars/build/_h5ai.yml
|
|
||||||
# - ../vars/build/targets/ath79_generic.yml
|
|
||||||
- ../vars/build/targets/21.02.3_ramips_mt76x8.yml
|
|
||||||
tags: generate device
|
|
20
playbooks/infra.test.yml
Normal file
|
@ -0,0 +1,20 @@
|
||||||
|
---
|
||||||
|
## Monitoring
|
||||||
|
- name: Monitoring
|
||||||
|
gather_facts: false
|
||||||
|
hosts: belvedere-test
|
||||||
|
roles:
|
||||||
|
- '../roles/stable/monitoring/prometheus'
|
||||||
|
- '../roles/stable/monitoring/blackbox_exporter'
|
||||||
|
- '../roles/stable/monitoring/alertmanager'
|
||||||
|
- '../roles/stable/dnsmasq'
|
||||||
|
- '../roles/wireguard'
|
||||||
|
- '../roles/stable/nginx'
|
||||||
|
vars_files:
|
||||||
|
- ../vars/monitoring.yml
|
||||||
|
- ../vars/smtp.yml
|
||||||
|
- ../vars/telegram.yml
|
||||||
|
- ../vars/test.yml
|
||||||
|
- ../vars/wireguard.yml
|
||||||
|
- ../vars/belvederi.yml
|
||||||
|
tags: monitoring
|
14
playbooks/infra.yml
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
---
|
||||||
|
## Monitoring
|
||||||
|
- name: Monitoring
|
||||||
|
hosts: belvederi
|
||||||
|
roles:
|
||||||
|
- '../roles/stable/monitoring/prometheus'
|
||||||
|
- '../roles/stable/monitoring/blackbox_exporter'
|
||||||
|
- '../roles/stable/monitoring/alertmanager'
|
||||||
|
- '../roles/stable/dnsmasq'
|
||||||
|
vars_files:
|
||||||
|
- ../vars/monitoring.yml
|
||||||
|
- ../vars/smtp.yml
|
||||||
|
- ../vars/telegram.yml
|
||||||
|
tags: monitoring
|
|
@ -4,6 +4,7 @@ skip_openwrt_install: false
|
||||||
skip_libremesh_install: false
|
skip_libremesh_install: false
|
||||||
skip_configure_profiles: false
|
skip_configure_profiles: false
|
||||||
skip_configure_clean: false
|
skip_configure_clean: false
|
||||||
|
skip_configure_custom: false
|
||||||
skip_configure_init: false
|
skip_configure_init: false
|
||||||
skip_webserver_update: false
|
skip_webserver_update: false
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,8 @@
|
||||||
|
include $(TOPDIR)/rules.mk
|
||||||
|
|
||||||
|
PROFILE_DESCRIPTION:=fix openwrt21 add bat0 to brlan
|
||||||
|
PROFILE_DEPENDS:= +lime-system
|
||||||
|
|
||||||
|
include ../../profile.mk
|
||||||
|
|
||||||
|
# call BuildPackage - OpenWrt buildroot signature
|
|
@ -0,0 +1,4 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
uci add_list "network.@device[0].ports=bat0"
|
||||||
|
exit 0
|
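Review bot: `uci add_list "network.@device[0].ports=bat0"` is never committed and the script always exits 0, so if the asset runner does not commit on the script's behalf the change is lost at the next uci operation, and any failure (for instance `@device[0]` not being br-lan on a given target) is silent. Suggest making it idempotent and explicit: `uci -q get network.@device[0].ports | grep -qw bat0 || uci add_list "network.@device[0].ports=bat0"` followed by `uci commit network`, and drop the `exit 0` so uci's own exit status is returned. Whether the LibreMesh asset runner commits for run_asset scripts is not visible on this page, so confirm before adding the commit.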
|
@ -0,0 +1,8 @@
|
||||||
|
include $(TOPDIR)/rules.mk
|
||||||
|
|
||||||
|
PROFILE_DESCRIPTION:=fix openwrt21 add bat0 to brlan
|
||||||
|
PROFILE_DEPENDS:= +lime-system
|
||||||
|
|
||||||
|
include ../../profile.mk
|
||||||
|
|
||||||
|
# call BuildPackage - OpenWrt buildroot signature
|
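Review bot: `PROFILE_DESCRIPTION:=fix openwrt21 add bat0 to brlan` is copied from the bat0 profile Makefile above and does not describe this profile; the uci script that follows it on this page sets the dnsmasq confdir, so presumably this one is the dnsmasq fix. Suggest `PROFILE_DESCRIPTION:=fix openwrt21 set dnsmasq confdir to /etc/dnsmasq.d/`. Since the two Makefiles are otherwise byte-identical, a one-line comment naming the asset each profile runs would also help tell them apart.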
|
@ -0,0 +1,4 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
uci set "uci set dhcp.@dnsmasq[0].confdir=/etc/dnsmasq.d/"
|
||||||
|
exit 0
|
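Review bot: The argument of `uci set` on the third line is itself `uci set dhcp...`, so uci receives `uci set dhcp.@dnsmasq[0].confdir=/etc/dnsmasq.d/` as the key path and fails with an invalid-argument error, and the unconditional `exit 0` hides that failure from whatever runs the asset. The line should read `uci set "dhcp.@dnsmasq[0].confdir=/etc/dnsmasq.d/"`, followed by `uci commit dhcp` unless the asset runner commits for the script, and the script should return uci's exit status rather than 0 so a broken first-boot configuration is visible.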
|
@ -1,12 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
|
|
||||||
export ip=$(uci get network.lan.ipaddr)
|
|
||||||
export ip=${ip#*.*}
|
|
||||||
export ip34=${ip#*.*}
|
|
||||||
|
|
||||||
sed -ie "s/$PLACEHOLDER_ADDRESS/192.168."${ip34}"\/16/" /etc/fastd/fastd0/fastd.conf
|
|
||||||
fastd -d -c /etc/fastd/fastd0/fastd.conf
|
|
||||||
|
|
||||||
/etc/init.d/network reload
|
|
||||||
ifdown fastd0
|
|
||||||
ifup fastd0
|
|
|
@ -1,27 +0,0 @@
|
||||||
include $(TOPDIR)/rules.mk
|
|
||||||
|
|
||||||
PROFILE_DESCRIPTION:=Generic valsamoggia configuration
|
|
||||||
PROFILE_DEPENDS:= +prometheus-node-exporter-lua \
|
|
||||||
+prometheus-node-exporter-lua-wifi \
|
|
||||||
+prometheus-node-exporter-lua-wifi_stations \
|
|
||||||
+prometheus-node-exporter-lua-openwrt \
|
|
||||||
+lime-proto-babeld \
|
|
||||||
+lime-proto-batadv \
|
|
||||||
+lime-proto-anygw \
|
|
||||||
+lime-proto-wan \
|
|
||||||
+lime-hwd-openwrt-wan \
|
|
||||||
+shared-state \
|
|
||||||
+hotplug-initd-services \
|
|
||||||
+shared-state-babeld_hosts \
|
|
||||||
+shared-state-bat_hosts \
|
|
||||||
+shared-state-dnsmasq_hosts \
|
|
||||||
+shared-state-dnsmasq_leases \
|
|
||||||
+shared-state-nodes_and_links \
|
|
||||||
+check-date-http \
|
|
||||||
+lime-app \
|
|
||||||
+lime-hwd-ground-routing \
|
|
||||||
+lime-debug
|
|
||||||
|
|
||||||
include ../../profile.mk
|
|
||||||
|
|
||||||
# call BuildPackage - OpenWrt buildroot signature
|
|
|
@ -1,68 +0,0 @@
|
||||||
config lime system
|
|
||||||
option hostname 'ninux-%M4%M5%M6'
|
|
||||||
option domain 'valsamoggia.ninux.org'
|
|
||||||
option keep_on_upgrade 'libremesh base-files-essential /etc/sysupgrade.conf'
|
|
||||||
option root_password_policy 'SET_SECRET'
|
|
||||||
option root_password_secret '$1$5OlrdoPc$q0p0th7CmSUuCBqsS2.6W.'
|
|
||||||
|
|
||||||
config lime network
|
|
||||||
option primary_interface 'eth0'
|
|
||||||
option main_ipv4_address '10.170.128.0/16/17'
|
|
||||||
option anygw_dhcp_start '5120'
|
|
||||||
option anygw_dhcp_limit '27648'
|
|
||||||
option main_ipv6_address 'fd%N1:%N2%N3:%N4%N5::/64'
|
|
||||||
list protocols ieee80211s
|
|
||||||
list protocols lan
|
|
||||||
list protocols anygw
|
|
||||||
list protocols batadv:%N1
|
|
||||||
list protocols babeld:17
|
|
||||||
list resolvers 4.2.2.2 # b.resolvers.Level3.net
|
|
||||||
list resolvers 141.1.1.1 # cns1.cw.net
|
|
||||||
list resolvers 2001:470:20::2 # ordns.he.net
|
|
||||||
option anygw_mac "aa:aa:aa:%N1:%N2:aa"
|
|
||||||
option use_odhcpd false
|
|
||||||
|
|
||||||
config lime 'wifi'
|
|
||||||
option ap_ssid 'ninux'
|
|
||||||
option apname_ssid 'ninux/%H'
|
|
||||||
option ieee80211s_mesh_fwding '0'
|
|
||||||
option ieee80211s_mesh_id 'LiMe'
|
|
||||||
|
|
||||||
config lime-wifi-band '2ghz'
|
|
||||||
list modes 'ap'
|
|
||||||
list modes 'apname'
|
|
||||||
list modes 'ieee80211s'
|
|
||||||
option channel '11'
|
|
||||||
option distance '1000'
|
|
||||||
|
|
||||||
config lime-wifi-band '5ghz'
|
|
||||||
list modes 'ap'
|
|
||||||
list modes 'apname'
|
|
||||||
list modes 'ieee80211s'
|
|
||||||
option distance '10000'
|
|
||||||
option htmode 'HT40'
|
|
||||||
option channel '48'
|
|
||||||
|
|
||||||
config generic_uci_config prometheus
|
|
||||||
list uci_set "prometheus-node-exporter-lua.main.listen_interface=*"
|
|
||||||
list uci_set "prometheus-node-exporter-lua.main.listen_ipv6=0"
|
|
||||||
list uci_set "prometheus-node-exporter-lua.main.listen_port=9090"
|
|
||||||
|
|
||||||
config run_asset prometheus_enable
|
|
||||||
option asset 'community/prometheus_enable'
|
|
||||||
option when 'ATFIRSTBOOT'
|
|
||||||
|
|
||||||
config run_asset cron_reboot
|
|
||||||
option asset 'community/cron_reboot'
|
|
||||||
option when 'ATFIRSTBOOT'
|
|
||||||
|
|
||||||
config generic_uci_config dropbear
|
|
||||||
list uci_set "dropbear.@dropbear[0].RootPasswordAuth=off"
|
|
||||||
|
|
||||||
config generic_uci_config wireguard_server
|
|
||||||
list uci_set "wireguard.peer_1=wg0"
|
|
||||||
list uci_set "wireguard.peer_1.public_key=l2aW0F6yXppR4g/+yh6C4bhiq4mdo7+qZPB74l3XfT4="
|
|
||||||
list uci_set "wireguard.peer_1.endpoint_host=135.181.109.184"
|
|
||||||
list uci_set "wireguard.peer_1.endpoint_port=51800"
|
|
||||||
list uci_set "wireguard.peer_1.allowed_ips=192.168.0.0/16"
|
|
||||||
list uci_set "wireguard.peer_1.persistent_keepalive=25"
|
|
|
@ -1,9 +0,0 @@
|
||||||
|
|
||||||
config lime 'system'
|
|
||||||
# option hostname 'ninux-%M4%M5%M6'
|
|
||||||
|
|
||||||
config lime 'network'
|
|
||||||
|
|
||||||
config lime 'wifi'
|
|
||||||
# option channel_5ghz '48'
|
|
||||||
# option distance_5ghz '8000'
|
|
|
@ -1,3 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQKltRbIX4D1akDOIQM+BrFQmWtRDQyojM9ZAwH87ju kiki@digitigrafo.it
|
|
||||||
ssh-rsa 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 agave@dracaena.it
|
|
||||||
ssh-rsa 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 cricco@debian
|
|
|
@ -1,3 +0,0 @@
|
||||||
!#/bin/sh
|
|
||||||
echo "30 3 * * * reboot" >> /etc/crontabs/root
|
|
||||||
|
|
|
@ -1,5 +0,0 @@
|
||||||
!#/bin/sh
|
|
||||||
|
|
||||||
[ -x /etc/init.d/prometheus-node-exporter-lua ] &&
|
|
||||||
/etc/init.d/prometheus-node-exporter-lua enable
|
|
||||||
exit 0
|
|
|
@ -20,8 +20,7 @@ PROFILE_DEPENDS:= +prometheus-node-exporter-lua \
|
||||||
+check-date-http \
|
+check-date-http \
|
||||||
+lime-app \
|
+lime-app \
|
||||||
+lime-hwd-ground-routing \
|
+lime-hwd-ground-routing \
|
||||||
+lime-debug \
|
+lime-debug
|
||||||
+luci
|
|
||||||
|
|
||||||
include ../../profile.mk
|
include ../../profile.mk
|
||||||
|
|
||||||
|
|
|
@ -58,3 +58,7 @@ config run_asset cron_reboot
|
||||||
|
|
||||||
config generic_uci_config dropbear
|
config generic_uci_config dropbear
|
||||||
list uci_set "dropbear.@dropbear[0].RootPasswordAuth=off"
|
list uci_set "dropbear.@dropbear[0].RootPasswordAuth=off"
|
||||||
|
|
||||||
|
config run_asset wireguard_server
|
||||||
|
option asset 'community/wireguard_server'
|
||||||
|
option when 'ATFIRSTBOOT'
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQKltRbIX4D1akDOIQM+BrFQmWtRDQyojM9ZAwH87ju kiki@digitigrafo.it
|
|
||||||
ssh-rsa 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 agave@dracaena.it
|
|
||||||
ssh-rsa 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 cricco@debian
|
|
||||||
|
|
|
@ -1,9 +1,10 @@
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
|
||||||
[ -f /etc/config/wireguard ] &&
|
[ -f /etc/config/wireguard ] &&
|
||||||
|
touch /etc/config/wireguard
|
||||||
uci set "wireguard.peer_1=wg0"
|
uci set "wireguard.peer_1=wg0"
|
||||||
uci set "wireguard.peer_1.public_key=HgdBD20UBNzWkDJfP4H20Nr+IyzOyWBdqXCV69XktQA="
|
uci set "wireguard.peer_1.public_key=<redacted>"
|
||||||
uci set "wireguard.peer_1.endpoint_host=13.13.13.13"
|
uci set "wireguard.peer_1.endpoint_host=<redacted>"
|
||||||
uci set "wireguard.peer_1.endpoint_port=51800"
|
uci set "wireguard.peer_1.endpoint_port=51800"
|
||||||
uci set "wireguard.peer_1.allowed_ips=192.168.0.0/16"
|
uci set "wireguard.peer_1.allowed_ips=192.168.0.0/16"
|
||||||
uci set "wireguard.peer_1.persistent_keepalive=25"
|
uci set "wireguard.peer_1.persistent_keepalive=25"
|
8
roles/stable/build/files/packages/vs-test/Makefile
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
include $(TOPDIR)/rules.mk
|
||||||
|
|
||||||
|
PROFILE_DESCRIPTION:=vs-test
|
||||||
|
PROFILE_DEPENDS:= +lime-system
|
||||||
|
|
||||||
|
include ../../profile.mk
|
||||||
|
|
||||||
|
# call BuildPackage - OpenWrt buildroot signature
|
|
@ -0,0 +1,7 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
uci set "lime-node.system.domain=test"
|
||||||
|
uci set "lime-node.network.main_ipv4_address=10.%N1.128.1/16/17"
|
||||||
|
uci set "lime-node.wifi.ieee80211s_mesh_id=Test"
|
||||||
|
uci set "lime-node.wifi.ap_ssid=aa_test"
|
||||||
|
exit 0
|
5
roles/stable/build/handlers/main.yml
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
- name: update and install feeds
|
||||||
|
shell: ./scripts/feeds update -a; ./scripts/feeds install -a
|
||||||
|
args:
|
||||||
|
chdir: "{{ openwrt_build_dir }}"
|
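Review bot: `./scripts/feeds update -a; ./scripts/feeds install -a` joins the two steps with `;`, so a failed or partial feeds update still proceeds to `install -a` and the handler reports success. Use `shell: ./scripts/feeds update -a && ./scripts/feeds install -a`. Because `feeds update -a` fetches every feed at whatever revision feeds.conf names, and the feeds.conf lines visible in this commit carry no pinned revision, each time the handler fires the build may pick up different upstream package sources; pinning feed revisions in feeds.conf would make builds reproducible and auditable.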
|
@ -1,43 +1,18 @@
|
||||||
---
|
---
|
||||||
- name: configure - profiles
|
|
||||||
include_tasks: configure_profiles.yml
|
|
||||||
when: not skip_configure_profiles
|
|
||||||
tags:
|
|
||||||
- configure_profiles
|
|
||||||
|
|
||||||
- name: configure - clean
|
- name: configure - clean
|
||||||
include_tasks: configure_clean.yml
|
include_tasks: configure_clean.yml
|
||||||
when: not skip_configure_clean
|
when: not skip_configure_clean
|
||||||
tags:
|
tags:
|
||||||
- configure_clean
|
- configure_clean
|
||||||
|
|
||||||
- name: configure - Check if .config is present
|
|
||||||
stat:
|
|
||||||
path: "{{ openwrt_build_dir }}/.config"
|
|
||||||
register: openwrt_config_initialized
|
|
||||||
|
|
||||||
- name: configure - init
|
- name: configure - init
|
||||||
include_tasks: configure_init.yml
|
include_tasks: configure_init.yml
|
||||||
when: not openwrt_config_initialized.stat.exists and not skip_configure_init
|
when: not skip_configure_init
|
||||||
tags:
|
tags:
|
||||||
- configure_init
|
- configure_init
|
||||||
|
|
||||||
- name: configure - Copy default_config to .config
|
- name: configure - custom
|
||||||
shell: "cp configs/default_config .config"
|
include_tasks: configure_custom.yml
|
||||||
args:
|
when: not skip_configure_custom
|
||||||
chdir: "{{ openwrt_build_dir }}"
|
tags:
|
||||||
|
- configure_custom
|
||||||
- name: configure - Apply custom configs
|
|
||||||
blockinfile:
|
|
||||||
path: "{{ openwrt_build_dir }}/.config"
|
|
||||||
block: "{{ lookup('ansible.builtin.template', 'default_config.j2') }}"
|
|
||||||
|
|
||||||
- name: configure - Expand to full config via make defconfig
|
|
||||||
shell: "make defconfig"
|
|
||||||
args:
|
|
||||||
chdir: "{{ openwrt_build_dir }}"
|
|
||||||
|
|
||||||
- name: configure - Diffconfig to configs/default_config_{{openwrt_target}}_{{ openwrt_subtarget}}
|
|
||||||
shell: ./scripts/diffconfig.sh > configs/default_config_{{openwrt_target}}_{{ openwrt_subtarget}}
|
|
||||||
args:
|
|
||||||
chdir: "{{ openwrt_build_dir }}"
|
|
||||||
|
|
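Review bot: With the `.config` stat check removed, `configure - init` now runs whenever `skip_configure_init` is false, and the new configure_init.yml in this commit starts with `rm .config`, so a default run discards any existing or hand-tuned `.config` on the builder instead of initialising only a missing one. If that is intended, document it in defaults/main.yml (`skip_configure_init` now means "do not reset .config", not "init if absent"); otherwise keep the `stat` task and the `when: not openwrt_config_initialized.stat.exists` guard on the init step. The `configure - profiles` step is gone from this file but `skip_configure_profiles: false` still ships in defaults/main.yml and nothing on this page reads it any more.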
|
@ -1,10 +1,10 @@
|
||||||
---
|
---
|
||||||
- name: configure - clean - Make targetclean
|
- name: configure - clean - stagin_dir/toolchain*
|
||||||
shell:
|
shell:
|
||||||
cmd:
|
cmd:
|
||||||
make clean ;
|
# make config-clean;
|
||||||
# rm -rf build_dir/toolchain*;
|
rm -rf build_dir/toolchain*;
|
||||||
# rm -rf staging_dir/toolchain*;
|
rm -rf staging_dir/toolchain*;
|
||||||
args:
|
args:
|
||||||
chdir: "{{ openwrt_build_dir }}"
|
chdir: "{{ openwrt_build_dir }}"
|
||||||
|
|
||||||
|
|
11
roles/stable/build/tasks/configure_custom.yml
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
---
|
||||||
|
- name: configure - Apply custom configs
|
||||||
|
blockinfile:
|
||||||
|
path: "{{ openwrt_build_dir }}/.config"
|
||||||
|
block: "{{ lookup('ansible.builtin.template', 'default_config.j2') }}"
|
||||||
|
|
||||||
|
- name: configure - Expand to full config via make defconfig
|
||||||
|
shell: "cd {{ openwrt_build_dir }}; make defconfig"
|
||||||
|
|
||||||
|
- name: configure - Diffconfig to configs/custom_config_{{openwrt_target}}_{{ openwrt_subtarget}}
|
||||||
|
shell: "cd {{ openwrt_build_dir }}; ./scripts/diffconfig.sh > configs/custom_config_{{openwrt_target}}_{{ openwrt_subtarget}}"
|
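Review bot: `shell: "cd {{ openwrt_build_dir }}; make defconfig"` and the diffconfig line chain `cd` with `;`, so if the directory is missing or the variable is empty the `cd` error is ignored and `make defconfig` / `./scripts/diffconfig.sh > configs/...` run in the task's default working directory. The sibling tasks in this role use `args: chdir: "{{ openwrt_build_dir }}"`, which fails the task when the directory does not exist; use the same here, e.g. `shell: make defconfig` with `args: {chdir: "{{ openwrt_build_dir }}"}`, or at minimum `cd ... && make defconfig`. The `blockinfile` on `.config` also has no `marker`, so it shares the default marker with the one configure_init.yml writes into the same file; unless `make defconfig` strips those comment lines in between (it may), the second block replaces the first rather than being appended, so giving each a distinct `marker:` is safer.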
|
@ -1,12 +1,16 @@
|
||||||
---
|
---
|
||||||
- name: configure - Initialize .config
|
- name: configure - Initialize .config
|
||||||
shell: "make defconfig"
|
shell: "cd {{ openwrt_build_dir }}; rm .config; make defconfig"
|
||||||
args:
|
|
||||||
chdir: "{{ openwrt_build_dir }}"
|
|
||||||
when: not skip_configure_clean or not openwrt_config_initialized.stat.exists
|
|
||||||
|
|
||||||
- name: configure - Copy .config to configs/default_config
|
- name: configure - Append target .config
|
||||||
shell: "mkdir configs; cp .config configs/default_config"
|
blockinfile:
|
||||||
args:
|
path: "{{ openwrt_build_dir }}/.config"
|
||||||
chdir: "{{ openwrt_build_dir }}"
|
block: "{{ lookup('ansible.builtin.template', 'default_target_config.j2') }}"
|
||||||
when: not skip_configure_clean or not openwrt_config_initialized.stat.exists
|
|
||||||
|
- name: configure - Expand to full config
|
||||||
|
shell: "cd {{ openwrt_build_dir }}; make defconfig"
|
||||||
|
|
||||||
|
- name: configure - Copy .config to configs/default_config_{{openwrt_target}}_{{ openwrt_subtarget}}
|
||||||
|
shell: "cd {{ openwrt_build_dir }}; \
|
||||||
|
mkdir configs; \
|
||||||
|
cp .config configs/default_config_{{openwrt_target}}_{{ openwrt_subtarget}}"
|
||||||
|
|
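Review bot: `cd {{ openwrt_build_dir }}; rm .config; make defconfig` and the later `cd ...; mkdir configs; cp .config ...` ignore the result of every step, so a failed `cd` leads to `rm .config` in the wrong directory, and a pre-existing `configs/` makes `mkdir` fail silently only because the error is swallowed. Use the role's `args: chdir:` form and make the steps tolerant where they should be: `shell: rm -f .config && make defconfig` and `shell: mkdir -p configs && cp .config configs/default_config_{{ openwrt_target }}_{{ openwrt_subtarget }}`, each with `args: chdir: "{{ openwrt_build_dir }}"`. The old `when: not skip_configure_clean or not openwrt_config_initialized.stat.exists` guards were dropped together with the stat task, so `skip_configure_init` is now the only thing between a routine run and the loss of an existing `.config`; that deserves a comment on the first task.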
|
@ -29,7 +29,7 @@
|
||||||
path: ../host_vars/{{ item }}.yml
|
path: ../host_vars/{{ item }}.yml
|
||||||
block: |
|
block: |
|
||||||
config_lime_system: option hostname '{{ hostvars[item].hostname }}'
|
config_lime_system: option hostname '{{ hostvars[item].hostname }}'
|
||||||
config_lime_network: option channel_5ghz '{% if hostvars[item].channel_5ghz is defined %}{{ hostvars[item].channel_5ghz }}{% else %}{{ default_channel_5ghz }}{% endif %}'
|
config_lime_wifi: option channel_5ghz '{% if hostvars[item].channel_5ghz is defined %}{{ hostvars[item].channel_5ghz }}{% else %}{{ default_channel_5ghz }}{% endif %}'
|
||||||
marker: "# {mark} ANSIBLE MANAGED BLOCK {{ item }} config"
|
marker: "# {mark} ANSIBLE MANAGED BLOCK {{ item }} config"
|
||||||
create: yes
|
create: yes
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
|
|
7
roles/stable/build/tasks/install_feeds_libremesh.yml
Normal file
|
@ -0,0 +1,7 @@
|
||||||
|
---
|
||||||
|
- name: install feeds - libremesh - Add Libremesh feeds
|
||||||
|
blockinfile:
|
||||||
|
path: "{{ openwrt_build_dir }}/feeds.conf"
|
||||||
|
block: "{{ libremesh_feeds }}"
|
||||||
|
register: feeds
|
||||||
|
notify: "update and install feeds"
|
|
@ -1,6 +1,7 @@
|
||||||
---
|
---
|
||||||
- name: packages - Add local packages
|
- name: install feeds - packages - Add local packages
|
||||||
ansible.posix.synchronize:
|
ansible.posix.synchronize:
|
||||||
src: packages/
|
src: packages/
|
||||||
dest: "{{ libremesh_profile_directory }}/"
|
dest: "{{ libremesh_profile_directory }}/"
|
||||||
delete: yes
|
delete: yes
|
||||||
|
notify: "update and install feeds"
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
- name: install - openwrt - Requirements
|
- name: install - openwrt - Requirements
|
||||||
include_tasks: openwrt_requirements.yml
|
include_tasks: install_openwrt_requirements.yml
|
||||||
|
|
||||||
- name: install - openwrt - Check if openwrt_build_dir is present
|
- name: install - openwrt - Check if openwrt_build_dir is present
|
||||||
stat:
|
stat:
|
||||||
|
@ -20,8 +20,4 @@
|
||||||
cmd: cp feeds.conf.default feeds.conf
|
cmd: cp feeds.conf.default feeds.conf
|
||||||
args:
|
args:
|
||||||
chdir: "{{ openwrt_build_dir }}"
|
chdir: "{{ openwrt_build_dir }}"
|
||||||
|
notify: "update and install feeds"
|
||||||
- name: install - openwrt - Update and install all feeds
|
|
||||||
shell: ./scripts/feeds update -a; ./scripts/feeds install -a
|
|
||||||
args:
|
|
||||||
chdir: "{{ openwrt_build_dir }}"
|
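Review bot: `cp feeds.conf.default feeds.conf` runs on every play and, as a `shell` task, is always reported changed, so the new `notify` fires the feeds update/install handler on every run even when nothing changed; the copy also overwrites the LibreMesh feeds block that install_feeds_libremesh.yml appends, which is then re-added, so that task's notify fires every run too. Adding `creates: "{{ openwrt_build_dir }}/feeds.conf"` under `args:` makes the copy idempotent and the notify meaningful; if a reset of feeds.conf is wanted, make it explicit with a variable and `changed_when`. The task's `name:` and `shell:` lines are above the hunk.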
|
|
@ -1,11 +0,0 @@
|
||||||
---
|
|
||||||
- name: install - libremesh - Add Libremesh feeds
|
|
||||||
blockinfile:
|
|
||||||
path: "{{ openwrt_build_dir }}/feeds.conf"
|
|
||||||
block: "{{ libremesh_feeds }}"
|
|
||||||
register: feeds
|
|
||||||
|
|
||||||
- name: install - libremesh - Update and install Libremesh feeds
|
|
||||||
shell: ./scripts/feeds update libremesh; ./scripts/feeds install -p libremesh
|
|
||||||
args:
|
|
||||||
chdir: "{{ openwrt_build_dir }}"
|
|
|
@ -6,27 +6,37 @@
|
||||||
- preflight
|
- preflight
|
||||||
|
|
||||||
- name: install - openwrt
|
- name: install - openwrt
|
||||||
include_tasks: openwrt_install.yml
|
include_tasks: install_openwrt.yml
|
||||||
when: not skip_openwrt_install
|
when: not skip_openwrt_install
|
||||||
tags:
|
tags:
|
||||||
- openwrt_install
|
- openwrt_install
|
||||||
|
|
||||||
- name: install - libremesh
|
- name: install - libremesh
|
||||||
include_tasks: libremesh_install.yml
|
include_tasks: install_feeds_libremesh.yml
|
||||||
when: not skip_libremesh_install
|
when: not skip_libremesh_install
|
||||||
tags:
|
tags:
|
||||||
- libremesh_install
|
- libremesh_install
|
||||||
|
|
||||||
- name: packages
|
- name: install - packages
|
||||||
include_tasks: packages.yml
|
include_tasks: install_feeds_packages.yml
|
||||||
tags:
|
tags:
|
||||||
- libremesh_packages
|
- feeds_packages
|
||||||
|
|
||||||
|
- name: Flush handlers
|
||||||
|
meta: flush_handlers
|
||||||
|
|
||||||
|
- name: conf-files - lime mac
|
||||||
|
include_tasks: conf_files_lime_mac.yml
|
||||||
|
tags:
|
||||||
|
- conf_files_lime_mac
|
||||||
|
|
||||||
- name: configure
|
- name: configure
|
||||||
include_tasks: configure.yml
|
include_tasks: configure.yml
|
||||||
|
tags:
|
||||||
|
- configure
|
||||||
|
|
||||||
- name: build - Build
|
- name: build - Build
|
||||||
shell: make -j $(nproc) EXTRA_IMAGE_NAME="{{openwrt_extra_image_name}}"
|
shell: make -j $(nproc) download world EXTRA_IMAGE_NAME="{{openwrt_extra_image_name}}"
|
||||||
args:
|
args:
|
||||||
chdir: "{{ openwrt_build_dir }}"
|
chdir: "{{ openwrt_build_dir }}"
|
||||||
tags:
|
tags:
|
||||||
|
|
|
@ -2,19 +2,9 @@
|
||||||
# CONFIG_PACKAGE_ppp is not set
|
# CONFIG_PACKAGE_ppp is not set
|
||||||
# CONFIG_PACKAGE_odhcpd-ipv6only is not set
|
# CONFIG_PACKAGE_odhcpd-ipv6only is not set
|
||||||
|
|
||||||
CONFIG_USES_SQUASHFS=y
|
{{ target_configs }}
|
||||||
CONFIG_TARGET_ROOTFS_SQUASHFS=y
|
|
||||||
# CONFIG_TARGET_ROOTFS_EXT4FS is not set
|
|
||||||
# CONFIG_TARGET_IMAGES_GZIP is not set
|
|
||||||
|
|
||||||
CONFIG_TARGET_{{ openwrt_target }}=y
|
{{ unstable_defaults }}
|
||||||
CONFIG_TARGET_{{ openwrt_target }}_{{ openwrt_subtarget }}=y
|
|
||||||
CONFIG_TARGET_MULTI_PROFILE=y
|
|
||||||
{% for device in openwrt_devices %}
|
|
||||||
CONFIG_TARGET_DEVICE_{{ openwrt_target }}_{{ openwrt_subtarget }}_DEVICE_{{ device }}=y
|
|
||||||
{% endfor %}
|
|
||||||
|
|
||||||
{{ target_configs}}
|
|
||||||
|
|
||||||
{% if with_wireguard %}
|
{% if with_wireguard %}
|
||||||
CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-ninux-wg=y
|
CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-ninux-wg=y
|
||||||
|
|
12
roles/stable/build/templates/default_target_config.j2
Normal file
|
@ -0,0 +1,12 @@
|
||||||
|
CONFIG_USES_SQUASHFS=y
|
||||||
|
CONFIG_TARGET_ROOTFS_SQUASHFS=y
|
||||||
|
# CONFIG_TARGET_ROOTFS_EXT4FS is not set
|
||||||
|
# CONFIG_TARGET_IMAGES_GZIP is not set
|
||||||
|
|
||||||
|
CONFIG_TARGET_{{ openwrt_target }}=y
|
||||||
|
CONFIG_TARGET_MULTI_PROFILE=y
|
||||||
|
CONFIG_TARGET_{{ openwrt_target }}_{{ openwrt_subtarget }}=y
|
||||||
|
|
||||||
|
{% for device in openwrt_devices %}
|
||||||
|
CONFIG_TARGET_DEVICE_{{ openwrt_target }}_{{ openwrt_subtarget }}_DEVICE_{{ device }}=y
|
||||||
|
{% endfor %}
|
|
@ -9,6 +9,9 @@ config lime network
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
config lime wifi
|
config lime wifi
|
||||||
|
{% if hostvars[item].config_lime_wifi is defined %}
|
||||||
|
{{ hostvars[item].config_lime_wifi }}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
{% if with_wireguard %}
|
{% if with_wireguard %}
|
||||||
config generic_uci_config wireguard
|
config generic_uci_config wireguard
|
||||||
|
|
|
@ -2,8 +2,8 @@
|
||||||
|
|
||||||
[Peer]
|
[Peer]
|
||||||
# {{ hostvars[device].hostname }}
|
# {{ hostvars[device].hostname }}
|
||||||
PublicKey = {{ hostvars[device].vpn_wg0_publickey | trim }}
|
PublicKey = {{ hostvars[device].vpn_wg0_publickey }}
|
||||||
Endpoint = 0.0.0.0:51800
|
Endpoint = 0.0.0.0:51800
|
||||||
AllowedIPs = {{ vpn_wg0_network }}.{{ hostvars[device].ip_host | trim }}/32
|
AllowedIPs = {{ vpn_wg0_network }}.{{ hostvars[device].ip_host }}/32
|
||||||
|
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
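Review bot: Dropping `| trim` from `PublicKey = {{ hostvars[device].vpn_wg0_publickey }}` and `AllowedIPs = ...{{ hostvars[device].ip_host }}/32` means any trailing newline in those values (typical when a key comes from `wg genkey | wg pubkey` output or a `file` lookup) splits the `[Peer]` entry, so wg-quick rejects the file or attaches the following lines to the wrong peer. Unless the preflight generator now guarantees clean values, keep `| trim` on both lines. Separately, `Endpoint = 0.0.0.0:51800` in a server-side peer block is not a usable endpoint; for peers that connect inbound the line can be omitted and WireGuard learns the endpoint from the first handshake. The enclosing `{% for device ... %}` opens before the hunk.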
|
|
@ -2,4 +2,5 @@
|
||||||
reverse_services: []
|
reverse_services: []
|
||||||
fpm_services: []
|
fpm_services: []
|
||||||
with_certbot: false
|
with_certbot: false
|
||||||
|
with_ssl: false
|
||||||
with_distributed_certificates: false
|
with_distributed_certificates: false
|
||||||
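Review bot: The tasks added to roles/stable/nginx loop over `static_services`, but this defaults hunk only adds `with_ssl: false`; unless `static_services: []` is declared on line 1 or further down (neither is visible here), applying the nginx role without the openssl_certificates vars fails with an undefined variable at the `Configure Static Services` task. Add `static_services: []` next to `reverse_services: []` and `fpm_services: []` so all three service kinds share the same empty-list default. `with_distributed_certificates` is still defaulted although service.conf.j2 now switches on `with_ssl`; if nothing else reads it, it can go.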
|
|
|
@ -47,6 +47,21 @@
|
||||||
state: link
|
state: link
|
||||||
loop: "{{ fpm_services }}"
|
loop: "{{ fpm_services }}"
|
||||||
|
|
||||||
|
- name: Configure Static Services
|
||||||
|
become: yes
|
||||||
|
template:
|
||||||
|
src: static_service.conf.j2
|
||||||
|
dest: /etc/nginx/sites-available/{{item.server_name}}.conf
|
||||||
|
loop: "{{ static_services }}"
|
||||||
|
|
||||||
|
- name: Link NGINX Static Services
|
||||||
|
become: yes
|
||||||
|
file:
|
||||||
|
src: "/etc/nginx/sites-available/{{item.server_name}}.conf"
|
||||||
|
dest: "/etc/nginx/sites-enabled/{{item.server_name}}.conf"
|
||||||
|
state: link
|
||||||
|
loop: "{{ static_services }}"
|
||||||
|
|
||||||
- name: Make sure NGINX Service is running
|
- name: Make sure NGINX Service is running
|
||||||
become: yes
|
become: yes
|
||||||
service:
|
service:
|
||||||
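Review bot: Neither of the new static-service tasks notifies nginx, and the `Make sure NGINX Service is running` task that follows only ensures the service is started, so a new or changed `sites-available/{{item.server_name}}.conf` is not picked up until something else restarts nginx (server_webserver.yml does it with a bare `systemctl restart`). Add `notify: reload nginx` to the template and link tasks with a handler running `service: name=nginx state=reloaded`, preceded by `command: nginx -t` with `changed_when: false` so a broken template does not take the server down. `dest: /etc/nginx/sites-available/{{item.server_name}}.conf` is unquoted while the `file` task quotes the same expression; quote both for consistency. The enclosing task list continues outside the hunk.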
|
|
|
@ -8,7 +8,7 @@ server {
|
||||||
keepalive_timeout 200;
|
keepalive_timeout 200;
|
||||||
{{item.custom_config | default('') | indent(2)}}
|
{{item.custom_config | default('') | indent(2)}}
|
||||||
|
|
||||||
{% if with_distributed_certificates %}
|
{% if with_ssl %}
|
||||||
|
|
||||||
ssl_session_timeout 5m;
|
ssl_session_timeout 5m;
|
||||||
ssl_session_cache shared:SSL:50m;
|
ssl_session_cache shared:SSL:50m;
|
||||||
|
|
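--- /dev/null
+++ b/roles/stable/nginx/templates/static_service.conf.j2
@@ -0,0 +1,33 @@
+
+server {
+listen 80;
+listen [::]:80;
+listen 443 ssl http2;
+server_name {{item.server_name}};
+
+keepalive_timeout 200;
+{{item.custom_config | default('') | indent(2)}}
+
+{% if with_ssl %}
+
+ssl_session_timeout 5m;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+ssl_certificate /etc/nginx/certs/ada/ada.crt;
+ssl_certificate_key /etc/nginx/certs/ada/ada.key;
+{% endif %}
+
+root {{ item.server_root }};
+
+location / {
+
+# compression
+gzip on;
+gzip_types text/plain application/xml application/json;
+gzip_proxied no-cache no-store private expired auth;
+gzip_min_length 1000;
+
+# cache
+proxy_cache STATIC;
+}
+}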
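Review bot: `listen 443 ssl http2;` is emitted unconditionally while `ssl_certificate`/`ssl_certificate_key` are only emitted inside `{% if with_ssl %}`, so with the nginx role default `with_ssl: false` the vhost has an ssl listener and no certificate and `nginx -t` rejects the whole configuration; move that `listen` line inside the block. The certificate paths are hard-coded to `/etc/nginx/certs/ada/ada.crt` whereas server_webserver.yml copies them to `/etc/nginx/certs/{{ server_cert_name }}/`; templating the same variable, `ssl_certificate /etc/nginx/certs/{{ server_cert_name }}/{{ server_cert_name }}.crt;`, keeps the two in step. No `ssl_protocols` directive is set, so the accepted versions are whatever this nginx build defaults to; `ssl_protocols TLSv1.2 TLSv1.3;` makes that explicit. `proxy_cache STATIC;` refers to a zone that must be declared with `proxy_cache_path` in the http context, which is not visible here, and in a `root`-served location without `proxy_pass` it has no effect anyway.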
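--- /dev/null
+++ b/roles/stable/openssl_certificates/defaults/main.yml
@@ -0,0 +1,4 @@
+skip_certification_authority: false
+skip_certification_authority_webserver: true
+skip_server_certificate: false
+skip_server_certificate_webserver: true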
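Review bot: The four `skip_*` flags here are also set in roles/stable/openssl_certificates/vars/main.yml, and role `vars/` take precedence over both `defaults/` and inventory, so these defaults (and any per-host override) are dead: `skip_certification_authority_webserver: true` is always overridden to `false`. Keep the tunables — the skip flags, `with_ssl`, `static_services`, the certificate names, directories and validity — in defaults/ and reserve vars/ for values the role must not let callers change. The same applies to `with_ssl: true` in vars/, which silently flips the nginx role's `with_ssl: false` default whenever this role is included.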
BIN
roles/stable/openssl_certificates/files/ca/images/green_lock.png
Normal file
|
@ -0,0 +1,41 @@
|
||||||
|
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
|
||||||
|
<svg
|
||||||
|
xmlns:dc="http://purl.org/dc/elements/1.1/"
|
||||||
|
xmlns:cc="http://creativecommons.org/ns#"
|
||||||
|
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
|
||||||
|
xmlns:svg="http://www.w3.org/2000/svg"
|
||||||
|
xmlns="http://www.w3.org/2000/svg"
|
||||||
|
version="1.1"
|
||||||
|
id="svg2"
|
||||||
|
viewBox="0 0 973.70528 248.96588"
|
||||||
|
height="25.5px"
|
||||||
|
width="100px">
|
||||||
|
<defs
|
||||||
|
id="defs4" />
|
||||||
|
<g
|
||||||
|
transform="translate(60.758696,-843.33549)"
|
||||||
|
id="layer1">
|
||||||
|
<text
|
||||||
|
id="text3336"
|
||||||
|
y="1012.3623"
|
||||||
|
x="3.8487569e-06"
|
||||||
|
style="font-style:normal;font-weight:normal;line-height:0%;font-family:sans-serif;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
|
||||||
|
xml:space="preserve"><tspan
|
||||||
|
style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:180px;line-height:1.25;font-family:sans-serif;-inkscape-font-specification:'sans-serif Bold'"
|
||||||
|
y="1012.3623"
|
||||||
|
x="3.8487569e-06"
|
||||||
|
id="tspan3338"><tspan
|
||||||
|
id="tspan3340"
|
||||||
|
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:180px;font-family:sans-serif;-inkscape-font-specification:sans-serif;fill:#480e0c;fill-opacity:1">Open</tspan>SSL</tspan></text>
|
||||||
|
<text
|
||||||
|
id="text817"
|
||||||
|
y="1049.0681"
|
||||||
|
x="176.75166"
|
||||||
|
style="font-style:normal;font-weight:normal;font-size:17.49999619px;line-height:1.25;font-family:sans-serif;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.93749976"
|
||||||
|
xml:space="preserve"><tspan
|
||||||
|
style="font-size:37.49998856px;stroke-width:0.93749976"
|
||||||
|
y="1049.0681"
|
||||||
|
x="176.75166"
|
||||||
|
id="tspan815">Cryptography and SSL/TLS Toolkit</tspan></text>
|
||||||
|
</g>
|
||||||
|
</svg>
|
6
roles/stable/openssl_certificates/files/ca/vendor/imagebox.min.css
vendored
Normal file
6
roles/stable/openssl_certificates/files/ca/vendor/imagebox.min.js
vendored
Normal file
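--- /dev/null
+++ b/roles/stable/openssl_certificates/tasks/authority.yml
@@ -0,0 +1,44 @@
+---
+- name: Install openssl
+apt:
+update_cache: yes
+state: present
+pkg:
+- openssl
+
+- name: Make certificates directory
+file:
+path: "{{ ca_cert_dir }}"
+state: directory
+
+- name: Certification Authority - Check if the private key is already present
+stat:
+path: "{{ ca_cert_dir }}/{{ ca_cert_name }}.key"
+register: ca_cert_key
+
+- name: Certification Authority - Generate the CA private key
+shell: openssl genrsa -des3 -passout pass:"{{ ca_cert_key_pass }}" -out {{ ca_cert_name }}.key 4096
+args:
+chdir: "{{ ca_cert_dir }}"
+when: not ca_cert_key.stat.exists
+
+- name: Certification Authority - Check if the CA root certificate is already presentt
+stat:
+path: "{{ ca_cert_dir }}/{{ ca_cert_name }}.pem"
+register: ca_cert_pem
+
+- name: Certification Authority - Generate the CA root configuration file
+template:
+src: authority.conf.j2
+dest: "{{ ca_cert_dir }}/{{ ca_cert_name }}.conf"
+when: not ca_cert_pem.stat.exists
+
+- name: Certification Authority - Generate the CA root certificate
+shell: openssl req -x509 -new -nodes \
+-key {{ ca_cert_name }}.key \
+-passin pass:"{{ ca_cert_key_pass }}" \
+-sha256 -days {{ ca_cert_days }} -out {{ ca_cert_name }}.pem \
+-config {{ ca_cert_name }}.conf
+args:
+chdir: "{{ ca_cert_dir }}"
+when: not ca_cert_pem.stat.exists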
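Review bot: The CA passphrase is interpolated into the command line in the `Generate the CA private key` and `Generate the CA root certificate` tasks (and again in the signing task of server.yml), so it ends up in the Ansible output and log and is visible to any local user in the process list while openssl runs. Pass it through the environment instead, `-passout env:CA_KEY_PASS` (`-passin env:CA_KEY_PASS` for the req call) with `environment: {CA_KEY_PASS: "{{ ca_cert_key_pass }}"}` on the task, and mark those tasks `no_log: true`. `-nodes` on the `openssl req -x509` call has no effect here, since the key is read with `-passin` rather than written. Neither `Make certificates directory` nor the key generation sets permissions; `mode: "0700"` on the directory and `0600` on the key keep the CA key readable only by its owner.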
|
@ -0,0 +1,42 @@
|
||||||
|
---
|
||||||
|
- name: Certification Authority - Webserver - Create static_service root
|
||||||
|
file:
|
||||||
|
path: /home/antennine/ca/certs
|
||||||
|
state: directory
|
||||||
|
|
||||||
|
- name: Certification Authority - Webserver - Copy certificates to webserver dir
|
||||||
|
copy:
|
||||||
|
src: /etc/certs/{{ ca_cert_name }}.pem
|
||||||
|
dest: /home/antennine/ca/certs/
|
||||||
|
remote_src: true
|
||||||
|
|
||||||
|
- name: Certification Authority - Webserver - Create sha1 fingerprint
|
||||||
|
shell: openssl x509 -sha1 -in {{ ca_cert_dir }}/{{ ca_cert_name }}.pem -noout -fingerprint
|
||||||
|
register: ca_cert_sha1
|
||||||
|
|
||||||
|
# - name: Certification Authority - Webserver - Convert certificate in format DER
|
||||||
|
# shell: openssl x509 -in {{ ca_cert_name }}.pem -inform pem -out {{ ca_cert_name }}.der -outform der
|
||||||
|
# register: ca_cert_der
|
||||||
|
|
||||||
|
# - name: Certification Authority - Webserver - Convert certificate in format TXT
|
||||||
|
# shell:
|
||||||
|
# register: ca_cert_txt
|
||||||
|
|
||||||
|
# - name: Certification Authority - Webserver - Create certificate revocation list CRL
|
||||||
|
# shell:
|
||||||
|
# register: ca_cert_crl
|
||||||
|
|
||||||
|
- name: Certification Authority - Webserver - Generate index.html
|
||||||
|
template:
|
||||||
|
src: authority.html.j2
|
||||||
|
dest: "/home/antennine/ca/index.html"
|
||||||
|
|
||||||
|
- name: Certification Authority - Webserver - Copy files
|
||||||
|
copy:
|
||||||
|
src: ./ca/
|
||||||
|
dest: /home/antennine/ca/
|
||||||
|
|
||||||
|
- name: Certification Authority - Webserver - Webserver
|
||||||
|
include_role:
|
||||||
|
name: ../roles/stable/nginx
|
||||||
|
tasks_from: main
|
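Review bot: `src: /etc/certs/{{ ca_cert_name }}.pem` hard-codes the directory that authority.yml derives from `ca_cert_dir`; use `src: "{{ ca_cert_dir }}/{{ ca_cert_name }}.pem"` so the copy follows the variable. The published fingerprint is SHA-1; the value users are asked to compare should be the SHA-256 fingerprint (`openssl x509 -sha256 ... -fingerprint`), which is what browsers' certificate viewers show, so compute and show both or switch outright. That task only reads, so `command:` with `changed_when: false` stops it from reporting a change on every run, and `/home/antennine/ca` is repeated in four places although vars/main.yml already carries it as `server_root`. `include_role: name: ../roles/stable/nginx` depends on the playbook's working directory; a plain role name resolved through `roles_path` is more robust.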
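--- /dev/null
+++ b/roles/stable/openssl_certificates/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+- name: Certification Authority
+include_tasks: authority.yml
+when: not skip_certification_authority
+
+- name: Server Certificate
+include_tasks: server.yml
+when: not skip_server_certificate
+
+- name: Certification Authority - Webserver
+include_tasks: authority_webserver.yml
+when: not skip_certification_authority_webserver
+
+- name: Server Certificate - Webserver
+include_tasks: server_webserver.yml
+when: not skip_server_certificate_webserver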
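--- /dev/null
+++ b/roles/stable/openssl_certificates/tasks/server.yml
@@ -0,0 +1,42 @@
+---
+- name: Server Certificate - Make certificates directory
+file:
+path: "{{ server_cert_dir }}"
+state: directory
+
+- name: Server Certificate - Check if private key is already present
+stat:
+path: "{{ server_cert_dir }}/{{ server_cert_name }}.key"
+register: server_cert_key
+
+- name: Server Certificate - Generate the private key
+shell: openssl genrsa -out {{ server_cert_name }}.key 4096
+args:
+chdir: "{{ server_cert_dir }}"
+when: not server_cert_key.stat.exists
+
+- name: Server Certificate - Generate the server configuration file
+template:
+src: server.conf.j2
+dest: "{{ server_cert_dir }}/{{ server_cert_name }}.conf"
+
+- name: Server Certificate - Create the certificate signin request
+shell: openssl req -new -key {{ server_cert_name }}.key -days {{ server_cert_days }} -out {{ server_cert_name }}.csr -config {{ server_cert_name }}.conf
+args:
+chdir: "{{ server_cert_dir }}"
+
+- name: Server Certificate - Create the X509 V3 extension config file to define SAN
+template:
+src: server.ext.j2
+dest: "{{ server_cert_dir }}/{{ server_cert_name }}.ext"
+
+- name: Server Certificate - Sign the certificate with x509 V3 extensions
+shell: openssl x509 -req \
+-in {{ server_cert_name }}.csr \
+-CA {{ ca_cert_dir }}/{{ ca_cert_name }}.pem -CAkey {{ ca_cert_dir }}/{{ ca_cert_name }}.key -CAcreateserial \
+-passin pass:"{{ ca_cert_key_pass }}" \
+-out {{ server_cert_name }}.crt \
+-days {{ server_cert_days }} -sha256 \
+-extfile {{ server_cert_name }}.ext
+args:
+chdir: "{{ server_cert_dir }}"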
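Review bot: The `Create the certificate signin request` and `Sign the certificate` tasks have no `when`/`creates` guard, so every run re-issues the server certificate with a new serial even when nothing changed, and the webserver tasks then copy and restart nginx each time; guard them on the `.crt` not existing, or on the key/config/ext tasks reporting `changed`, as the key task already does. `-days {{ server_cert_days }}` on `openssl req -new` has no effect on a CSR; validity is fixed only by the `x509 -req -days` call below. `-passin pass:"{{ ca_cert_key_pass }}"` puts the CA passphrase on the command line and in the log, the same issue as in authority.yml. The private key is written with no explicit mode; follow it with `file: path="{{ server_cert_dir }}/{{ server_cert_name }}.key" mode="0600"`.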
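--- /dev/null
+++ b/roles/stable/openssl_certificates/tasks/server_webserver.yml
@@ -0,0 +1,20 @@
+---
+- name: Server Certificate - Webserver - Ensure webserver certs dir exists
+file:
+path: /etc/nginx/certs/{{ server_cert_name }}/
+state: directory
+
+- name: Server Certificate - Webserver - Copy server key
+copy:
+src: /etc/certs/{{ server_cert_name }}/{{ server_cert_name }}.key
+dest: /etc/nginx/certs/{{ server_cert_name }}/
+remote_src: true
+
+- name: Server Certificate - Webserver - Copy server certificate
+copy:
+src: /etc/certs/{{ server_cert_name }}/{{ server_cert_name }}.crt
+dest: /etc/nginx/certs/{{ server_cert_name }}/
+remote_src: true
+
+- name: Server Certificate - Webserver - Restart Nginx
+shell: systemctl restart nginx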
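Review bot: The `Copy server key` task copies the private key into the nginx certs directory without `owner`/`mode`, so the key's permissions are whatever the copy module picks; set `mode: "0600"` and `owner: root` explicitly, and give the `Ensure webserver certs dir exists` task `mode: "0700"`. `shell: systemctl restart nginx` bypasses Ansible's change tracking and restarts even when key and certificate were unchanged; `service: name=nginx state=reloaded` as a handler notified by the two copy tasks is enough for a certificate swap and matches the `service:` module the nginx role already uses. Both `src:` values hard-code `/etc/certs/…` where `server_cert_dir` already exists.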
|
@ -0,0 +1,14 @@
|
||||||
|
[req]
|
||||||
|
default_bits = 4096
|
||||||
|
prompt = no
|
||||||
|
default_md = sha256
|
||||||
|
distinguished_name = dn
|
||||||
|
|
||||||
|
[dn]
|
||||||
|
C = {{ ca_distinguished_name['C'] }}
|
||||||
|
ST = {{ ca_distinguished_name['ST'] }}
|
||||||
|
L = {{ ca_distinguished_name['L'] }}
|
||||||
|
O = {{ ca_distinguished_name['O'] }}
|
||||||
|
OU = {{ ca_distinguished_name['OU'] }}
|
||||||
|
emailAddress = {{ ca_distinguished_name['emailAddress'] }}
|
||||||
|
CN = {{ ca_distinguished_name['CN'] }}
|
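Review bot: `[req]` has no `x509_extensions` entry, so the root produced by `openssl req -x509` with this config carries only whatever extensions the installed OpenSSL adds on its own — on older releases none — and a root without `basicConstraints = CA:TRUE` and `keyUsage = keyCertSign` is rejected as an anchor by current browsers and by `update-ca-certificates` consumers. Add a `[v3_ca]` section and reference it from `[req]` as below; `subjectKeyIdentifier = hash` also lets the `authorityKeyIdentifier=keyid,issuer` line in server.ext.j2 resolve. Which extensions the installed version adds by default is not visible here, so verify the issued root with `openssl x509 -text` after the change.
```ini
[req]
# … unchanged: default_bits, prompt, default_md, distinguished_name …
x509_extensions = v3_ca

# … unchanged: [dn] section …

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
```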
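--- /dev/null
+++ b/roles/stable/openssl_certificates/templates/authority.html.j2
@@ -0,0 +1,140 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="content-type" content="text/html;charset=utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<title>Certificati di Antennine</title>
+<link rel="shortcut icon" href="images/green_lock.png" type="image/png" />
+<link rel="stylesheet" href="vendor/imagebox.min.css" />
+<script src="vendor/imagebox.min.js"></script>
+</head>
+<style>
+:root{font-size:14px;font-family:sans-serif}
+body{padding-top:3rem;background:#efefef}
+body > a {position:fixed;max-width:10rem;top:1rem;right:1rem}
+h2{margin:4rem 0 1rem}
+h3{margin:0 0 1rem}
+img{max-width:90vw}
+figure{margin:1rem}
+figure img{padding:1rem 0}
+.site-name{flex-wrap:nowrap}
+.site-logo{width:2rem;height:2rem;padding:1rem 1rem 1rem 0}
+code {background:#333;color:#fff;padding:0.6rem;border-radius:3px;display:block;overflow-x:scroll}
+article,figure div{display:flex;flex-wrap:wrap}
+article:first-of-type{align-items:center}
+@media screen and (min-width:640px)
+{
+body{padding:1rem}
+figure,figure img{max-width: 400px}
+figure div img{max-width: calc(200px - 1rem);margin: 0 0.5rem}
+}
+</style>
+
+<body>
+<a href="https://openssl.org">
+<img alt="Openssl logo" src="/images/openssl_logo.svg">
+</a>
+<main>
+<article class="site-name">
+<img class="site-logo" alt="Openssl logo" src="/images/green_lock.png">
+<h1>Certificati di {{ ca_distinguished_name['O'] }}</h1>
+</article>
+
+<div>
+<p>In questa pagina si trovano i certificati e le informazioni riguardanti la
+Certification Authority di {{ ca_distinguished_name['O'] }}.</p>
+
+<p>Il certificato è disponibile:
+<ul>
+<!-- <li>in formato <a href="certs/{{ ca_cert_name }}.der">DER</a></li> -->
+<li>in formato <a href="certs/{{ ca_cert_name }}.pem">PEM</a></li>
+<!-- <li>in formato <a href="certs/{{ ca_cert_name }}.txt">testo</a></li> -->
+</ul>
+
+<!-- <p>La Certification Revocation List è reperibile all'indirizzo
+<a href="https://{{ static_services[0]['server_name'] }}/crl.pem">https://{{ static_services[0]['server_name'] }}/crl.pem</a>.</p> -->
+</div>
+
+<h2>Verifica</h2>
+<div>
+<p>Dopo aver scaricato il certificato, verificare la fingerprint tramite il comando di openssl:</p>
+<code>$ openssl x509 -sha1 -in {{ ca_cert_name }}.pem -noout -fingerprint</code>
+<p>Che deve resitituire questo risultato:</p>
+<code>{{ ca_cert_sha1.stdout }}</code>
+</div>
+
+<h2>Installazione su sistema Linux</h2>
+<article>
+<figure>
+<figcaption>
+<h3>Firefox</h3>
+<p>Andare in <a href="about:preferences#privacy">about:preferences#privacy</a></p>
+<p>Ed importare il certificato nella sezione <b>Authorities</b></p>
+</figcaption>
+<img data-imagebox alt="Screenshot installazione su Firefox" src="./images/linux_firefox.jpg">
+
+</figure>
+
+<figure>
+<figcaption>
+<h3>Chromium</h3>
+<p>Andare in <a href="chrome://settings/certificates">chrome://settings/certificates</a></p>
+<p>Ed importare il certificato nella sezione <b>Authorities</b></p>
+</figcaption>
+<img data-imagebox alt="Screenshot installazione su Chromium" src="./images/linux_chromium.jpg">
+</figure>
+
+<figure>
+<h3>Linux system-wide (Debian, Ubuntu)</h3>
+<p>Per installare la CA system-wide su Linux usare i seguenti passi:</p>
+
+<p>Mettere una copia del certificato in formato PEM in <b>/usr/share/ca-certificates/</b></p>
+<code># cp ~/Downloads/antennineCA.pem /usr/share/ca-certificates/</code>
+<p>Aggiungere il nome del file del certificato (senza directory) alla fine di <b>/etc/ca-certificates.conf</b></p>
+<code># echo {{ ca_cert_name }}.pem >> /etc/ca-certificates.conf</code>
+<p>Installare il certificato</p>
+<code># update-ca-certificates --verbose</code>
+</figure>
+</article>
+
+<h2>Installazione su sistema Android</h2>
+<p>Nota: su Android è necessario installare la CA su tutto il sistema (system-wide).</p>
+<p>Firefox inoltre richiede di abilitare l'utilizzo dei certificati installati dall'utente.</p>
+
+<article>
+<figure>
+<figcaption>
+<h3>Android system-wide</h3>
+<p>Andare in <b>Settings</b> e ricercare la sezione dei certificati</p>
+<p>Installare il certificato che verrà inserito nella sezione <b>User</b> e non <b>System</b></p>
+<p>Ora sui browsers Chrome, Brave, ecc. sarà possibile navigare col protocollo sicuro <b>https://</b></p>
+</figcaption>
+<div>
+<img data-imagebox alt="Screenshot installazione su Android" src="./images/android-12_settings_ca-install.jpg">
+<img data-imagebox alt="Screenshot installazione su Android" src="./images/android-12_settings_ca-installed.jpg">
+</div>
+</figure>
+
+<figure>
+<figcaption>
+<h3>Firefox</h3>
+<p>Andare in <b>Settings</b> e poi in <b>About Firefox</b></p>
+<p>Toccare 7 volte il logo di Firefox per abilitare i <b>Secret Settings</b></p>
+<p>Andare in <b>Settings</b> e poi in <b>Secret Settings</b>, e abilitare <b>Use third party CA certificates</b></p>
+</figcaption>
+<div>
+<img data-imagebox alt="Screenshot installazione su Firefox Android" src="./images/android-12_firefox_ca-enable.jpg">
+<img data-imagebox alt="Screenshot installazione su Firefox Android" src="./images/android-12_firefox_ca-enabled.jpg">
+</div>
+</figure>
+
+<figure>
+<h3>Firefox Beta, Firefox Nightly, IceCatMobile</h3>
+<p>In altre versioni derivate da Firefox ricercare about:config</p>
+<p>Andare in <a href="about:config">about:config</a> e impostare:</p>
+<p><b>security.enterprise_roots.enabled = true</b></p>
+</figure>
+</article>
+</main>
+</body>
+</html>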
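Review bot: The `<style>` block sits after `</head>` and before `<body>`, which is invalid HTML (browsers recover, validators and some sanitizers do not); move it inside `<head>`. The verification step tells users to compare a SHA-1 fingerprint; together with the `ca_cert_sha1` task, switch to `openssl x509 -sha256 -in {{ ca_cert_name }}.pem -noout -fingerprint` so the value shown matches what browsers display in their certificate viewer. The Debian instructions hard-code `antennineCA.pem` in the `cp` line while the `echo` line two steps later uses `{{ ca_cert_name }}`; use the variable in both. `resitituire` should read `restituire`, and the two logo `src` attributes use an absolute `/images/…` path while the favicon uses the relative `images/…`, which diverge as soon as the page is served from a sub-path.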
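--- /dev/null
+++ b/roles/stable/openssl_certificates/templates/server.conf.j2
@@ -0,0 +1,14 @@
+[req]
+default_bits = 4096
+prompt = no
+default_md = sha256
+distinguished_name = dn
+
+[dn]
+C = {{ server_distinguished_name['C'] }}
+ST = {{ server_distinguished_name['ST'] }}
+L = {{ server_distinguished_name['L'] }}
+O = {{ server_distinguished_name['O'] }}
+OU = {{ server_distinguished_name['OU'] }}
+emailAddress = {{ server_distinguished_name['emailAddress'] }}
+CN = {{ server_distinguished_name['CN'] }}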
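--- /dev/null
+++ b/roles/stable/openssl_certificates/templates/server.ext.j2
@@ -0,0 +1,26 @@
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = ada
+
+# wildcard
+DNS.2 = test.ada
+DNS.3 = *.test.ada
+DNS.4 = infra.ada
+DNS.5 = *.infra.ada
+
+# common
+DNS.6 = info.ada
+DNS.7 = doc.ada
+DNS.8 = ca.ada
+
+# network
+DNS.9 = panorama.ada
+DNS.10 = mappe.ada
+DNS.11 = librespeed.ada
+DNS.12 = nodi.ada
+DNS.13 = torrent.ada
+DNS.14 = firmware.ada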
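Review bot: The template contains no Jinja at all — the fourteen `DNS.n` names are hard-coded — so adding a service means editing the role rather than inventory, and the list can drift from the `server_name` values in `static_services`; render it from a variable, e.g. `{% for name in server_alt_names %}` / `DNS.{{ loop.index }} = {{ name }}` / `{% endfor %}`. There is no `extendedKeyUsage = serverAuth`; some client platforms refuse to trust a TLS server certificate that lacks it even when the chain is otherwise valid, and adding that one line avoids the surprise. `keyUsage` lists `nonRepudiation` and `dataEncipherment`, which a TLS server key never exercises; `digitalSignature, keyEncipherment` is the conventional set.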
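--- /dev/null
+++ b/roles/stable/openssl_certificates/vars/main.yml
@@ -0,0 +1,36 @@
+skip_certification_authority: false
+skip_certification_authority_webserver: false
+skip_server_certificate: false
+skip_server_certificate_webserver: false
+
+ca_cert_dir: /etc/certs/
+ca_cert_name: antennineCA
+ca_cert_days: 3650 # ten years
+ca_cert_key_pass: "{{ lookup('passwordstore', 'chiavi_antennine/openssl/antennineCA.key', errors='strict') | default(omit) }}"
+ca_distinguished_name:
+C: IT
+ST: Emilia-Romagna
+L: Prunarolo
+O: Antennine
+OU: antennine.noblogs.org
+emailAddress: eno@burdig.one
+CN: Antennine CA
+
+with_ssl: true
+static_services:
+- ca:
+server_name: ca.ada
+server_root: /home/antennine/ca/
+
+server_cert_dir: /etc/certs/ada
+server_cert_name: ada
+server_cert_days: 1095 # 3 years
+server_cert_key_pass: "{{ lookup('passwordstore', 'chiavi_antennine/openssl/ada.key', errors='strict') | default(omit) }}"
+server_distinguished_name:
+C: IT
+ST: Emilia-Romagna
+L: Prunarolo
+O: Antennine
+OU: antennine.noblogs.org
+emailAddress: eno@burdig.one
+CN: Ada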
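Review bot: In `ca_cert_key_pass` and `server_cert_key_pass`, `errors='strict'` makes a missing password-store entry raise before the `| default(omit)` filter runs, so the default is unreachable — and had it applied, `omit` is only meaningful as a module argument; interpolated into the `shell:` strings it would render as the omit placeholder token. Drop `default(omit)` and let the lookup fail loudly, or use `errors='ignore'` with an explicit `assert`. `server_cert_key_pass` is fetched but never used: server.yml generates the server key without `-passout`, so either remove the lookup or encrypt that key. `with_ssl: true` and `static_services` are role vars and therefore override per-host and play-level values whenever this role is included, which is surprising for settings the nginx role treats as tunables.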
|
@ -1,8 +1,8 @@
|
||||||
---
|
---
|
||||||
openwrt_version: "21.02.3"
|
openwrt_version: "{{openwrt_release['old_stable']}}"
|
||||||
libremesh_version: "librerouteros"
|
libremesh_version: "librerouteros"
|
||||||
libremesh_profile: valsamoggia.ninux.org
|
libremesh_profile: valsamoggia.ninux.org
|
||||||
libremesh_profile_device: vs-ninux-generic-no-luci
|
libremesh_profile_device: vs-ninux-generic
|
||||||
|
|
||||||
skip_preflight: false
|
skip_preflight: false
|
||||||
skip_openwrt_install: false
|
skip_openwrt_install: false
|
||||||
|
@ -12,7 +12,6 @@ skip_configure_clean: true
|
||||||
skip_webserver_update: false
|
skip_webserver_update: false
|
||||||
|
|
||||||
with_wireguard: true
|
with_wireguard: true
|
||||||
with_luci: false
|
|
||||||
|
|
||||||
# webserver index
|
# webserver index
|
||||||
webui_path: /opt/openwrt-lime-firmware_test
|
webui_path: /opt/openwrt-lime-firmware_test
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
openwrt_version: "21.02.3"
|
openwrt_version: "21.02.3"
|
||||||
libremesh_version: "librerouteros"
|
libremesh_version: "librerouteros"
|
||||||
libremesh_profile: valsamoggia.ninux.org
|
libremesh_profile: valsamoggia.ninux.org
|
||||||
libremesh_profile_device: vs-ninux-generic-no-luci
|
libremesh_profile_device: vs-ninux-generic
|
||||||
|
|
||||||
skip_preflight: false
|
skip_preflight: false
|
||||||
skip_openwrt_install: false
|
skip_openwrt_install: false
|
||||||
|
|
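--- /dev/null
+++ b/vars/build/openwrt.yml
@@ -0,0 +1,7 @@
+openwrt_release:
+stable: 22.03.2 # 17. October 2022
+old_stable: 21.02.5 # 17. October 2022
+
+openwrt_release_archive:
+19: 19.07.10 #
+18: 18.06 #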
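Review bot: The unquoted values in `openwrt_release_archive` are typed inconsistently by YAML: `19.07.10` (two dots) is a string but `18.06` parses as the float 18.06, and the keys `19` and `18` are integers; a future `18.10` would come back as `18.1`. Quote versions and keys, `"18": "18.06"`, to match the quoted `openwrt_version` values in the target files. The trailing `#` comments on those two lines carry no text.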
|
@ -6,14 +6,13 @@ openwrt_devices:
|
||||||
|
|
||||||
# override
|
# override
|
||||||
openwrt_version: 21.02.3
|
openwrt_version: 21.02.3
|
||||||
|
libremesh_profile_device: vs-ninux-generic
|
||||||
libremesh_profile_device: vs-ninux-generic-no-luci
|
|
||||||
|
|
||||||
# configs
|
# configs
|
||||||
skip_configure_clean: true
|
skip_configure_clean: true
|
||||||
|
|
||||||
target_configs: |
|
target_configs: |
|
||||||
CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-ninux-generic-no-luci=y
|
CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-ninux-generic=y
|
||||||
# CONFIG_PACKAGE_kmod-ppp is not set
|
# CONFIG_PACKAGE_kmod-ppp is not set
|
||||||
# CONFIG_PACKAGE_luci-proto-ppp is not set
|
# CONFIG_PACKAGE_luci-proto-ppp is not set
|
||||||
# CONFIG_PACKAGE_luci is not set
|
# CONFIG_PACKAGE_luci is not set
|
||||||
|
@ -25,14 +24,3 @@ target_configs: |
|
||||||
# CONFIG_PACKAGE_ATH_DFS is not set
|
# CONFIG_PACKAGE_ATH_DFS is not set
|
||||||
# CONFIG_ATH_USER_REGD is not set
|
# CONFIG_ATH_USER_REGD is not set
|
||||||
CONFIG_PACKAGE_kmod-mt7603=y
|
CONFIG_PACKAGE_kmod-mt7603=y
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-ninux-generic-no-luci=y
|
|
||||||
# CONFIG_PACKAGE_kmod-ppp is not set
|
|
||||||
# CONFIG_PACKAGE_luci-proto-ppp is not set
|
|
||||||
# CONFIG_PACKAGE_luci is not set
|
|
||||||
# CONFIG_PACKAGE_wpad-basic=y
|
|
||||||
# CONFIG_PACKAGE_wpad-basic-wolfssl is not set
|
|
||||||
# CONFIG_PACKAGE_wpad-mesh-wolfssl=y
|
|
||||||
|
|
|
@ -1,34 +0,0 @@
|
||||||
# ath79_generic
|
|
||||||
openwrt_target: ath79
|
|
||||||
openwrt_subtarget: generic
|
|
||||||
openwrt_devices:
|
|
||||||
- tplink_cpe510-v3
|
|
||||||
|
|
||||||
# override
|
|
||||||
openwrt_version: 22.03.1
|
|
||||||
libremesh_profile_device: vs-ninux-generic-no-luci
|
|
||||||
|
|
||||||
# configs
|
|
||||||
skip_configure_clean: true
|
|
||||||
|
|
||||||
target_configs: |
|
|
||||||
CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-ninux-generic-no-luci=y
|
|
||||||
# CONFIG_PACKAGE_kmod-ppp is not set
|
|
||||||
# CONFIG_PACKAGE_luci-proto-ppp is not set
|
|
||||||
# CONFIG_PACKAGE_luci is not set
|
|
||||||
CONFIG_PACKAGE_babeld-auto-gw-mode=y
|
|
||||||
CONFIG_PACKAGE_ubus-lime-batman-adv=y
|
|
||||||
CONFIG_PACKAGE_wpad-basic=y
|
|
||||||
# CONFIG_PACKAGE_wpad-basic-wolfssl is not set
|
|
||||||
# CONFIG_PACKAGE_wpad-mesh-wolfssl=y
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-ninux-generic-no-luci=y
|
|
||||||
# CONFIG_PACKAGE_kmod-ppp is not set
|
|
||||||
# CONFIG_PACKAGE_luci-proto-ppp is not set
|
|
||||||
# CONFIG_PACKAGE_luci is not set
|
|
||||||
# CONFIG_PACKAGE_wpad-basic=y
|
|
||||||
# CONFIG_PACKAGE_wpad-basic-wolfssl is not set
|
|
||||||
# CONFIG_PACKAGE_wpad-mesh-wolfssl=y
|
|
|
@ -14,7 +14,6 @@ libremesh_profile_device: vs-ninux-generic
|
||||||
# configs
|
# configs
|
||||||
skip_configure_clean: true
|
skip_configure_clean: true
|
||||||
|
|
||||||
|
|
||||||
target_configs: |
|
target_configs: |
|
||||||
CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-ninux-generic=y
|
CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-ninux-generic=y
|
||||||
# CONFIG_PACKAGE_kmod-ppp is not set
|
# CONFIG_PACKAGE_kmod-ppp is not set
|
||||||
|
@ -24,6 +23,7 @@ target_configs: |
|
||||||
CONFIG_PACKAGE_ATH_DEBUG=y
|
CONFIG_PACKAGE_ATH_DEBUG=y
|
||||||
CONFIG_PACKAGE_ATH_DYNACK=y
|
CONFIG_PACKAGE_ATH_DYNACK=y
|
||||||
CONFIG_PACKAGE_ATH_SPECTRAL=y
|
CONFIG_PACKAGE_ATH_SPECTRAL=y
|
||||||
|
CONFIG_PACKAGE_luci=y
|
||||||
CONFIG_PACKAGE_prometheus-node-exporter-lua-location-latlon=y
|
CONFIG_PACKAGE_prometheus-node-exporter-lua-location-latlon=y
|
||||||
CONFIG_PACKAGE_prometheus-node-exporter-lua-wifi-params=y
|
CONFIG_PACKAGE_prometheus-node-exporter-lua-wifi-params=y
|
||||||
CONFIG_PACKAGE_prometheus-node-exporter-lua-wifi-stations-extra=y
|
CONFIG_PACKAGE_prometheus-node-exporter-lua-wifi-stations-extra=y
|
||||||
|
|
|
@ -5,15 +5,15 @@ openwrt_devices:
|
||||||
- tplink_cpe510-v3
|
- tplink_cpe510-v3
|
||||||
|
|
||||||
# override
|
# override
|
||||||
openwrt_version: 21.02.3
|
openwrt_version: "{{openwrt_release['old_stable']}}"
|
||||||
|
libremesh_profile_device: vs-ninux-generic
|
||||||
libremesh_profile_device: vs-ninux-generic-no-luci
|
|
||||||
|
|
||||||
# configs
|
# configs
|
||||||
skip_configure_clean: true
|
skip_configure_clean: true
|
||||||
|
|
||||||
target_configs: |
|
target_configs: |
|
||||||
CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-ninux-generic-no-luci=y
|
CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-fix-openwrt=y
|
||||||
|
CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-ninux-generic=y
|
||||||
# CONFIG_PACKAGE_kmod-ppp is not set
|
# CONFIG_PACKAGE_kmod-ppp is not set
|
||||||
# CONFIG_PACKAGE_luci-proto-ppp is not set
|
# CONFIG_PACKAGE_luci-proto-ppp is not set
|
||||||
# CONFIG_PACKAGE_luci is not set
|
# CONFIG_PACKAGE_luci is not set
|
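--- /dev/null
+++ b/vars/build/targets/test_stable_ath79_generic.yml
@@ -0,0 +1,28 @@
+# ath79_generic
+openwrt_target: ath79
+openwrt_subtarget: generic
+openwrt_devices:
+- tplink_cpe510-v3
+
+# override
+openwrt_version: "{{openwrt_release['stable']}}"
+libremesh_profile_device: vs-ninux-generic
+
+# configs
+skip_configure_clean: false
+
+# test commenting
+target_configs: |
+CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-fix-openwrt22=y
+CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-fix-openwrt21=y
+CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-ninux-generic=y
+CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-test=y
+CONFIG_PACKAGE_luci=y
+CONFIG_PACKAGE_babeld-auto-gw-mode=y
+CONFIG_PACKAGE_ubus-lime-batman-adv=y
+CONFIG_PACKAGE_wpad-basic=y
+# CONFIG_PACKAGE_wpad-basic-wolfssl is not set
+# CONFIG_PACKAGE_wpad-mesh-wolfssl=y
+
+unstable_defaults: |
+CONFIG_PACKAGE_rssileds=y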
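Review bot: `# CONFIG_PACKAGE_wpad-mesh-wolfssl=y` is an ordinary comment in kconfig syntax, not a disable — only the `# CONFIG_… is not set` form is parsed — so whether that package ends up in the image is decided by the profile's dependencies, not by this line. If the mesh variant is meant to be excluded, write `# CONFIG_PACKAGE_wpad-mesh-wolfssl is not set`; the same line appears in test_stable_ramips_mt7620.yml. `# test commenting` above `target_configs` reads like a leftover, and `unstable_defaults` is a new key with no comment saying which task consumes it.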
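--- /dev/null
+++ b/vars/build/targets/test_stable_ramips_mt7620.yml
@@ -0,0 +1,27 @@
+# mt7620 _generic
+openwrt_target: ramips
+openwrt_subtarget: mt7620
+openwrt_devices:
+- asus_rt-ac51u
+
+# override
+openwrt_version: "{{openwrt_release['stable']}}"
+libremesh_profile_device: vs-ninux-generic
+
+# configs
+skip_configure_clean: false
+
+target_configs: |
+CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-fix-openwrt22=y
+CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-fix-openwrt21=y
+CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-ninux-generic=y
+CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-test=y
+CONFIG_PACKAGE_luci=y
+CONFIG_PACKAGE_babeld-auto-gw-mode=y
+CONFIG_PACKAGE_ubus-lime-batman-adv=y
+CONFIG_PACKAGE_wpad-basic=y
+# CONFIG_PACKAGE_wpad-basic-wolfssl is not set
+# CONFIG_PACKAGE_wpad-mesh-wolfssl=y
+
+unstable_defaults: |
+CONFIG_DRIVER_11AC_SUPPORT=y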
|
@ -2,7 +2,7 @@
|
||||||
openwrt_version: "21.02.3"
|
openwrt_version: "21.02.3"
|
||||||
libremesh_version: "librerouteros"
|
libremesh_version: "librerouteros"
|
||||||
libremesh_profile: valsamoggia.ninux.org
|
libremesh_profile: valsamoggia.ninux.org
|
||||||
libremesh_profile_device: vs-ninux-generic-no-luci
|
libremesh_profile_device: vs-ninux-generic
|
||||||
|
|
||||||
skip_preflight: false
|
skip_preflight: false
|
||||||
skip_openwrt_install: false
|
skip_openwrt_install: false
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
wireguard_server_public_ip: 13.13.13.13
|
wireguard_server_public_ip: <redacted>
|
||||||
wireguard_server_PublicKey: '<redacted>'
|
wireguard_server_PublicKey: '<redacted>'
|
||||||
wireguard_server_wg0_port: 51820
|
wireguard_server_wg0_port: 51820
|
||||||
|
|
||||||
|
|