

No commits in common. "8f7518a55beab220f99bc566a3023bcf13d63687" and "d16d30e9aab81338ce3f3580ed8c761c27dbcfb3" have entirely different histories.

88 changed files with 826 additions and 384 deletions


@ -34,15 +34,5 @@ setup dei belvederi
ansible-playbook -i hosts -i inventory.yml infra.yml
## build
In roles/stable/build un ruolo per buildare opernwrt e libremesh.
Permette di aggiungere pacchetti e configurazioni attraverso i profili
i devices si possono aggiungere nel file di hosts mesh_devices.yml
lime-<macaddress>:
hostname:
nel ruolo è presente una fase iniziale, di preflight che genera un file di variabili per ciascun dispositivo, in host_vars
che vengono poi usate per la generazione dei file di configurazione lime-<macaddress>
#
https://openwrt.org/docs/guide-developer/toolchain/use-buildsystem


@ -1,5 +1,5 @@
esempio di test per buiildare per tutti i targets
esempio di test per buildare per tutti i targets
ansible-playbook \
-i hosts \
@ -22,7 +22,7 @@ ansible-playbook \
--skip-tags openwrt_install \
--skip-tags libremesh_install \
--skip-tags webserver \
playbooks/generate-new-test-device_dev.yml
playbooks/build_single_target_dev_test.yml
# nuovo target
@ -30,8 +30,7 @@ ansible-playbook \
-i hosts \
-i mesh_devices.yml \
-i inventory.yml \
--skip-tags preflight \
playbooks/generate-new-test-device_dev.yml
playbooks/build_single_target_dev_test.yml
ansible-playbook \


@ -19,3 +19,5 @@ config device
option type 'bridge'
list ports 'eth0'
list ports 'bat0'
[ ] try to add support for lbe-m5 on openwrt 21.02.3


@ -1,4 +1,8 @@
[passwordstore_lookup]
lock=readwrite
locktimeout=45000s
[defaults]
inventory = ./inventory.yml
interpreter_python = /usr/bin/python3


@ -1,16 +0,0 @@
---
## Monitoring
- name: Monitoring
hosts: belvedere
roles:
- 'stable/monitoring/prometheus'
# - 'stable/monitoring/blackbox_exporter'
# - 'stable/monitoring/alertmanager'
# - 'stable/dnsmasq'
vars_files:
- monitoring.yml
- smtp.yml
- telegram.yml
tags: monitoring
# with_vars:
# prometheus_skip_install: true


@ -1,6 +0,0 @@
vpn_wg1_endpoint_host: <redacted>
vpn_wg1_endpoint_port: 51800
vpn_wg1_publickey: <redacted>
vpn_wg1_allowed_ips: 192.168.0.0/16
vpn_wg1_persistent_keepalive: 25


@ -8,7 +8,7 @@ main_ipv4_address: 10.170.0.0/16
# END ANSIBLE MANAGED BLOCK lime-000000000000 common
# BEGIN ANSIBLE MANAGED BLOCK lime-000000000000 config
config_lime_system: option hostname 'ninux-000000'
config_lime_network: option channel_5ghz '48'
config_lime_wifi: option channel_5ghz '48'
# END ANSIBLE MANAGED BLOCK lime-000000000000 config
# BEGIN ANSIBLE MANAGED BLOCK lime-000000000000 vpn wireguard wg0
vpn_wg0_privatekey: UIHZ9uTOxW07jHTQHAzUvmWAS6tkPtQWqZU9Gp6LcHY=
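Review bot: `vpn_wg0_privatekey` sits in clear text in a host_vars file that is committed to the repository, so the key is part of git history even though this hunk leaves the line untouched. The all-zero MAC and `ninux-000000` hostname suggest this entry may be a placeholder, but the preflight generator presumably writes real devices' host_vars the same way. Keep private keys out of host_vars: fetch them with the `passwordstore` lookup the inventory already uses, e.g. `vpn_wg0_privatekey: "{{ lookup('passwordstore', 'chiavi_antennine/' ~ inventory_hostname ~ '/wg0_privatekey', errors='strict') }}"`, or vault-encrypt the file, and rotate any key that has already been pushed.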

hosts

@ -29,8 +29,8 @@ valsamoggia:
vps:
hosts:
jitsi:
ansible_host: 135.181.109.184
ansible_user: antennine
ansible_host: 10.0.0.1
ansible_user: <redacted>
ansible_become_user: root
ansible_become_pass: "{{ lookup('passwordstore', 'chiavi_antennine/jitsi/user_root', errors='strict') | default(omit) }}"
ansible_become_method: su
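Review bot: `ansible_become_pass` combines `errors='strict'` with `| default(omit)`, but with `errors='strict'` a missing pass entry raises and aborts the play, so the `default(omit)` branch is dead code. Failing closed is the right behaviour for a root password, so drop the filter: `ansible_become_pass: "{{ lookup('passwordstore', 'chiavi_antennine/jitsi/user_root', errors='strict') }}"`. If the intent really was to let the play continue without a root password, use `errors='ignore'` and keep the `default(omit)`; either way note that `become_method: su` hands the full root password to every task, where a scoped sudo rule for the login user would expose less.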


@ -1,20 +0,0 @@
---
## Monitoring
- name: Monitoring
gather_facts: false
hosts: belvedere-test
roles:
# - 'stable/monitoring/prometheus'
# - 'stable/monitoring/blackbox_exporter'
# - 'stable/monitoring/alertmanager'
# - 'stable/dnsmasq'
# - 'wireguard'
- 'stable/nginx'
vars_files:
# - monitoring.yml
# - smtp.yml
# - telegram.yml
# - test.yml
# - wireguard.yml
- belvederi.yml
tags: monitoring


@ -1,14 +0,0 @@
---
## Monitoring
- name: Monitoring
hosts: belvederi
roles:
- 'stable/monitoring/prometheus'
- 'stable/monitoring/blackbox_exporter'
- 'stable/monitoring/alertmanager'
- 'stable/dnsmasq'
vars_files:
- monitoring.yml
- smtp.yml
- telegram.yml
tags: monitoring

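--- a/playbooks/ada.yml
+++ b/playbooks/ada.yml
@@ -0,0 +1,8 @@
+---
+## Ada
+- name: Ada
+  hosts: ada
+  become: yes
+  roles:
+    - '../roles/stable/openssl_certificates'
+  tags: certificates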

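--- a/playbooks/belvedere.yml
+++ b/playbooks/belvedere.yml
@@ -0,0 +1,14 @@
+---
+## Monitoring
+- name: Monitoring
+  hosts: belvedere
+  roles:
+    - '../roles/stable/monitoring/prometheus'
+    - '../roles/stable/monitoring/blackbox_exporter'
+    - '../roles/stable/monitoring/alertmanager'
+    - '../roles/stable/dnsmasq'
+  vars_files:
+    - ../vars/monitoring.yml
+    - ../vars/smtp.yml
+    - ../vars/telegram.yml
+  tags: monitoring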


@ -1,15 +1,15 @@
---
# Build all targets
# - name: Build {{ openwrt_version }} ath79_generic
# gather_facts: false
# hosts: builder
# roles:
# - ../roles/stable/build
# vars_files:
# - ../vars/build/dev_test.yml
# - ../vars/build/targets/ath79_generic.yml
# tags: generate device
- name: Build {{ openwrt_version }} ath79_generic
gather_facts: false
hosts: builder
roles:
- ../roles/stable/build
vars_files:
- ../vars/build/dev_test.yml
- ../vars/build/targets/ath79_generic.yml
tags: generate device
- name: Build {{ openwrt_version }} ar71xx_generic
gather_facts: false


@ -0,0 +1,30 @@
---
# Build single target dev_test.
#
- name: Build single target dev_test.
gather_facts: false
hosts: builder
roles:
- ../roles/stable/build
vars_files:
- ../vars/build/openwrt.yml
- ../vars/build/dev_test.yml
- ../vars/build/_h5ai.yml
- ../vars/build/targets/test_stable_ramips_mt7620.yml
# - ../vars/build/targets/test_stable_ath79_generic.yml
# - ../vars/build/targets/22.03.1_ath79_generic.yml
tags: generate_device
- name: Build single target dev_test.
gather_facts: false
hosts: builder
roles:
- ../roles/stable/build
vars_files:
- ../vars/build/openwrt.yml
- ../vars/build/dev_test.yml
- ../vars/build/_h5ai.yml
# - ../vars/build/targets/test_stable_ramips_mt7620.yml
- ../vars/build/targets/test_stable_ath79_generic.yml
# - ../vars/build/targets/22.03.1_ath79_generic.yml
tags: generate_device
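Review bot: Both plays in this file are named `Build single target dev_test.` and share the tag `generate_device`, so `--list-tasks` output and logs cannot tell the mt7620 run from the ath79 run, and the two plays differ only in which `targets/*.yml` line is commented out. Name them after the target, e.g. `- name: Build single target dev_test (ramips/mt7620)` and `- name: Build single target dev_test (ath79/generic)`. Better still, keep one play and select the target vars file with `-e` so switching targets does not mean editing comments in a committed playbook.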


@ -1,14 +0,0 @@
---
# Generate a new device.
#
- name: Generate a new device.
gather_facts: false
hosts: builder
roles:
- ../roles/stable/build
vars_files:
- ../vars/build/dev_test.yml
- ../vars/build/_h5ai.yml
# - ../vars/build/targets/ath79_generic.yml
- ../vars/build/targets/21.02.3_ramips_mt76x8.yml
tags: generate device

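--- a/playbooks/infra.test.yml
+++ b/playbooks/infra.test.yml
@@ -0,0 +1,20 @@
+---
+## Monitoring
+- name: Monitoring
+  gather_facts: false
+  hosts: belvedere-test
+  roles:
+    - '../roles/stable/monitoring/prometheus'
+    - '../roles/stable/monitoring/blackbox_exporter'
+    - '../roles/stable/monitoring/alertmanager'
+    - '../roles/stable/dnsmasq'
+    - '../roles/wireguard'
+    - '../roles/stable/nginx'
+  vars_files:
+    - ../vars/monitoring.yml
+    - ../vars/smtp.yml
+    - ../vars/telegram.yml
+    - ../vars/test.yml
+    - ../vars/wireguard.yml
+    - ../vars/belvederi.yml
+  tags: monitoring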

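--- a/playbooks/infra.yml
+++ b/playbooks/infra.yml
@@ -0,0 +1,14 @@
+---
+## Monitoring
+- name: Monitoring
+  hosts: belvederi
+  roles:
+    - '../roles/stable/monitoring/prometheus'
+    - '../roles/stable/monitoring/blackbox_exporter'
+    - '../roles/stable/monitoring/alertmanager'
+    - '../roles/stable/dnsmasq'
+  vars_files:
+    - ../vars/monitoring.yml
+    - ../vars/smtp.yml
+    - ../vars/telegram.yml
+  tags: monitoring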


@ -4,6 +4,7 @@ skip_openwrt_install: false
skip_libremesh_install: false
skip_configure_profiles: false
skip_configure_clean: false
skip_configure_custom: false
skip_configure_init: false
skip_webserver_update: false


@ -0,0 +1,8 @@
include $(TOPDIR)/rules.mk
PROFILE_DESCRIPTION:=fix openwrt21 add bat0 to brlan
PROFILE_DEPENDS:= +lime-system
include ../../profile.mk
# call BuildPackage - OpenWrt buildroot signature


@ -0,0 +1,4 @@
#!/bin/sh
uci add_list "network.@device[0].ports=bat0"
exit 0
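Review bot: `uci add_list "network.@device[0].ports=bat0"` appends a new `bat0` entry every time the script runs, so a second execution leaves duplicate `list ports 'bat0'` lines, and the unconditional `exit 0` hides any uci error. Guard it, e.g. `uci -q get network.@device[0].ports | grep -qw bat0 || uci add_list "network.@device[0].ports=bat0"`, and consider selecting the bridge by its `name` rather than assuming index 0 is br-lan. Whether a `uci commit network` is also needed depends on how the profile executes this asset (uci-defaults commits for you, a run_asset hook may not) — the file path is not visible here, so please confirm.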


@ -0,0 +1,8 @@
include $(TOPDIR)/rules.mk
PROFILE_DESCRIPTION:=fix openwrt21 add bat0 to brlan
PROFILE_DEPENDS:= +lime-system
include ../../profile.mk
# call BuildPackage - OpenWrt buildroot signature


@ -0,0 +1,4 @@
#!/bin/sh
uci set "uci set dhcp.@dnsmasq[0].confdir=/etc/dnsmasq.d/"
exit 0
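Review bot: The quoted argument on the line above is `"uci set dhcp.@dnsmasq[0].confdir=/etc/dnsmasq.d/"`, i.e. the literal words `uci set ` are part of the value handed to uci, so uci is asked to set an option in a config named `uci set dhcp...`, rejects it, and the trailing `exit 0` reports success anyway. It should read `uci set "dhcp.@dnsmasq[0].confdir=/etc/dnsmasq.d/"`. The Makefile that precedes this script still carries `PROFILE_DESCRIPTION:=fix openwrt21 add bat0 to brlan`, which looks copy-pasted from the bat0 profile rather than describing the dnsmasq change (file names are not shown on this page, so please check).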


@ -1,12 +0,0 @@
#!/bin/sh
export ip=$(uci get network.lan.ipaddr)
export ip=${ip#*.*}
export ip34=${ip#*.*}
sed -ie "s/$PLACEHOLDER_ADDRESS/192.168."${ip34}"\/16/" /etc/fastd/fastd0/fastd.conf
fastd -d -c /etc/fastd/fastd0/fastd.conf
/etc/init.d/network reload
ifdown fastd0
ifup fastd0


@ -1,27 +0,0 @@
include $(TOPDIR)/rules.mk
PROFILE_DESCRIPTION:=Generic valsamoggia configuration
PROFILE_DEPENDS:= +prometheus-node-exporter-lua \
+prometheus-node-exporter-lua-wifi \
+prometheus-node-exporter-lua-wifi_stations \
+prometheus-node-exporter-lua-openwrt \
+lime-proto-babeld \
+lime-proto-batadv \
+lime-proto-anygw \
+lime-proto-wan \
+lime-hwd-openwrt-wan \
+shared-state \
+hotplug-initd-services \
+shared-state-babeld_hosts \
+shared-state-bat_hosts \
+shared-state-dnsmasq_hosts \
+shared-state-dnsmasq_leases \
+shared-state-nodes_and_links \
+check-date-http \
+lime-app \
+lime-hwd-ground-routing \
+lime-debug
include ../../profile.mk
# call BuildPackage - OpenWrt buildroot signature


@ -1,68 +0,0 @@
config lime system
option hostname 'ninux-%M4%M5%M6'
option domain 'valsamoggia.ninux.org'
option keep_on_upgrade 'libremesh base-files-essential /etc/sysupgrade.conf'
option root_password_policy 'SET_SECRET'
option root_password_secret '$1$5OlrdoPc$q0p0th7CmSUuCBqsS2.6W.'
config lime network
option primary_interface 'eth0'
option main_ipv4_address '10.170.128.0/16/17'
option anygw_dhcp_start '5120'
option anygw_dhcp_limit '27648'
option main_ipv6_address 'fd%N1:%N2%N3:%N4%N5::/64'
list protocols ieee80211s
list protocols lan
list protocols anygw
list protocols batadv:%N1
list protocols babeld:17
list resolvers 4.2.2.2 # b.resolvers.Level3.net
list resolvers 141.1.1.1 # cns1.cw.net
list resolvers 2001:470:20::2 # ordns.he.net
option anygw_mac "aa:aa:aa:%N1:%N2:aa"
option use_odhcpd false
config lime 'wifi'
option ap_ssid 'ninux'
option apname_ssid 'ninux/%H'
option ieee80211s_mesh_fwding '0'
option ieee80211s_mesh_id 'LiMe'
config lime-wifi-band '2ghz'
list modes 'ap'
list modes 'apname'
list modes 'ieee80211s'
option channel '11'
option distance '1000'
config lime-wifi-band '5ghz'
list modes 'ap'
list modes 'apname'
list modes 'ieee80211s'
option distance '10000'
option htmode 'HT40'
option channel '48'
config generic_uci_config prometheus
list uci_set "prometheus-node-exporter-lua.main.listen_interface=*"
list uci_set "prometheus-node-exporter-lua.main.listen_ipv6=0"
list uci_set "prometheus-node-exporter-lua.main.listen_port=9090"
config run_asset prometheus_enable
option asset 'community/prometheus_enable'
option when 'ATFIRSTBOOT'
config run_asset cron_reboot
option asset 'community/cron_reboot'
option when 'ATFIRSTBOOT'
config generic_uci_config dropbear
list uci_set "dropbear.@dropbear[0].RootPasswordAuth=off"
config generic_uci_config wireguard_server
list uci_set "wireguard.peer_1=wg0"
list uci_set "wireguard.peer_1.public_key=l2aW0F6yXppR4g/+yh6C4bhiq4mdo7+qZPB74l3XfT4="
list uci_set "wireguard.peer_1.endpoint_host=135.181.109.184"
list uci_set "wireguard.peer_1.endpoint_port=51800"
list uci_set "wireguard.peer_1.allowed_ips=192.168.0.0/16"
list uci_set "wireguard.peer_1.persistent_keepalive=25"


@ -1,9 +0,0 @@
config lime 'system'
# option hostname 'ninux-%M4%M5%M6'
config lime 'network'
config lime 'wifi'
# option channel_5ghz '48'
# option distance_5ghz '8000'


@ -1,3 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQKltRbIX4D1akDOIQM+BrFQmWtRDQyojM9ZAwH87ju kiki@digitigrafo.it
ssh-rsa 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 agave@dracaena.it
ssh-rsa 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 cricco@debian


@ -1,3 +0,0 @@
!#/bin/sh
echo "30 3 * * * reboot" >> /etc/crontabs/root


@ -1,5 +0,0 @@
!#/bin/sh
[ -x /etc/init.d/prometheus-node-exporter-lua ] &&
/etc/init.d/prometheus-node-exporter-lua enable
exit 0


@ -20,8 +20,7 @@ PROFILE_DEPENDS:= +prometheus-node-exporter-lua \
+check-date-http \
+lime-app \
+lime-hwd-ground-routing \
+lime-debug \
+luci
+lime-debug
include ../../profile.mk


@ -58,3 +58,7 @@ config run_asset cron_reboot
config generic_uci_config dropbear
list uci_set "dropbear.@dropbear[0].RootPasswordAuth=off"
config run_asset wireguard_server
option asset 'community/wireguard_server'
option when 'ATFIRSTBOOT'


@ -1,4 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQKltRbIX4D1akDOIQM+BrFQmWtRDQyojM9ZAwH87ju kiki@digitigrafo.it
ssh-rsa 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 agave@dracaena.it
ssh-rsa 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 cricco@debian


@ -1,9 +1,10 @@
#!/bin/sh
[ -f /etc/config/wireguard ] &&
touch /etc/config/wireguard
uci set "wireguard.peer_1=wg0"
uci set "wireguard.peer_1.public_key=HgdBD20UBNzWkDJfP4H20Nr+IyzOyWBdqXCV69XktQA="
uci set "wireguard.peer_1.endpoint_host=13.13.13.13"
uci set "wireguard.peer_1.public_key=<redacted>"
uci set "wireguard.peer_1.endpoint_host=<redacted>"
uci set "wireguard.peer_1.endpoint_port=51800"
uci set "wireguard.peer_1.allowed_ips=192.168.0.0/16"
uci set "wireguard.peer_1.persistent_keepalive=25"


@ -0,0 +1,8 @@
include $(TOPDIR)/rules.mk
PROFILE_DESCRIPTION:=vs-test
PROFILE_DEPENDS:= +lime-system
include ../../profile.mk
# call BuildPackage - OpenWrt buildroot signature


@ -0,0 +1,7 @@
#!/bin/sh
uci set "lime-node.system.domain=test"
uci set "lime-node.network.main_ipv4_address=10.%N1.128.1/16/17"
uci set "lime-node.wifi.ieee80211s_mesh_id=Test"
uci set "lime-node.wifi.ap_ssid=aa_test"
exit 0


@ -0,0 +1,5 @@
---
- name: update and install feeds
shell: ./scripts/feeds update -a; ./scripts/feeds install -a
args:
chdir: "{{ openwrt_build_dir }}"


@ -1,43 +1,18 @@
---
- name: configure - profiles
include_tasks: configure_profiles.yml
when: not skip_configure_profiles
tags:
- configure_profiles
- name: configure - clean
include_tasks: configure_clean.yml
when: not skip_configure_clean
tags:
- configure_clean
- name: configure - Check if .config is present
stat:
path: "{{ openwrt_build_dir }}/.config"
register: openwrt_config_initialized
- name: configure - init
include_tasks: configure_init.yml
when: not openwrt_config_initialized.stat.exists and not skip_configure_init
when: not skip_configure_init
tags:
- configure_init
- name: configure - Copy default_config to .config
shell: "cp configs/default_config .config"
args:
chdir: "{{ openwrt_build_dir }}"
- name: configure - Apply custom configs
blockinfile:
path: "{{ openwrt_build_dir }}/.config"
block: "{{ lookup('ansible.builtin.template', 'default_config.j2') }}"
- name: configure - Expand to full config via make defconfig
shell: "make defconfig"
args:
chdir: "{{ openwrt_build_dir }}"
- name: configure - Diffconfig to configs/default_config_{{openwrt_target}}_{{ openwrt_subtarget}}
shell: ./scripts/diffconfig.sh > configs/default_config_{{openwrt_target}}_{{ openwrt_subtarget}}
args:
chdir: "{{ openwrt_build_dir }}"
- name: configure - custom
include_tasks: configure_custom.yml
when: not skip_configure_custom
tags:
- configure_custom


@ -1,10 +1,10 @@
---
- name: configure - clean - Make targetclean
- name: configure - clean - stagin_dir/toolchain*
shell:
cmd:
make clean ;
# rm -rf build_dir/toolchain*;
# rm -rf staging_dir/toolchain*;
# make config-clean;
rm -rf build_dir/toolchain*;
rm -rf staging_dir/toolchain*;
args:
chdir: "{{ openwrt_build_dir }}"


@ -0,0 +1,11 @@
---
- name: configure - Apply custom configs
blockinfile:
path: "{{ openwrt_build_dir }}/.config"
block: "{{ lookup('ansible.builtin.template', 'default_config.j2') }}"
- name: configure - Expand to full config via make defconfig
shell: "cd {{ openwrt_build_dir }}; make defconfig"
- name: configure - Diffconfig to configs/custom_config_{{openwrt_target}}_{{ openwrt_subtarget}}
shell: "cd {{ openwrt_build_dir }}; ./scripts/diffconfig.sh > configs/custom_config_{{openwrt_target}}_{{ openwrt_subtarget}}"


@ -1,12 +1,16 @@
---
- name: configure - Initialize .config
shell: "make defconfig"
args:
chdir: "{{ openwrt_build_dir }}"
when: not skip_configure_clean or not openwrt_config_initialized.stat.exists
shell: "cd {{ openwrt_build_dir }}; rm .config; make defconfig"
- name: configure - Copy .config to configs/default_config
shell: "mkdir configs; cp .config configs/default_config"
args:
chdir: "{{ openwrt_build_dir }}"
when: not skip_configure_clean or not openwrt_config_initialized.stat.exists
- name: configure - Append target .config
blockinfile:
path: "{{ openwrt_build_dir }}/.config"
block: "{{ lookup('ansible.builtin.template', 'default_target_config.j2') }}"
- name: configure - Expand to full config
shell: "cd {{ openwrt_build_dir }}; make defconfig"
- name: configure - Copy .config to configs/default_config_{{openwrt_target}}_{{ openwrt_subtarget}}
shell: "cd {{ openwrt_build_dir }}; \
mkdir configs; \
cp .config configs/default_config_{{openwrt_target}}_{{ openwrt_subtarget}}"
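Review bot: `mkdir configs` fails on every run after the first, and because the commands are joined by `;` that failure is swallowed along with a failing `cd`, so a missing build directory would make `rm .config` and the copies act on the caller's working directory instead of aborting. Use `mkdir -p configs`, `rm -f .config`, and move the directory change into `args: chdir: "{{ openwrt_build_dir }}"` with `&&` between the remaining commands so the task fails at the first error. The double-quoted scalar with trailing `\` continuations works but is hard to read; `shell: |` avoids it.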


@ -29,7 +29,7 @@
path: ../host_vars/{{ item }}.yml
block: |
config_lime_system: option hostname '{{ hostvars[item].hostname }}'
config_lime_network: option channel_5ghz '{% if hostvars[item].channel_5ghz is defined %}{{ hostvars[item].channel_5ghz }}{% else %}{{ default_channel_5ghz }}{% endif %}'
config_lime_wifi: option channel_5ghz '{% if hostvars[item].channel_5ghz is defined %}{{ hostvars[item].channel_5ghz }}{% else %}{{ default_channel_5ghz }}{% endif %}'
marker: "# {mark} ANSIBLE MANAGED BLOCK {{ item }} config"
create: yes
delegate_to: localhost


@ -0,0 +1,7 @@
---
- name: install feeds - libremesh - Add Libremesh feeds
blockinfile:
path: "{{ openwrt_build_dir }}/feeds.conf"
block: "{{ libremesh_feeds }}"
register: feeds
notify: "update and install feeds"


@ -1,6 +1,7 @@
---
- name: packages - Add local packages
- name: install feeds - packages - Add local packages
ansible.posix.synchronize:
src: packages/
dest: "{{ libremesh_profile_directory }}/"
delete: yes
notify: "update and install feeds"


@ -1,6 +1,6 @@
---
- name: install - openwrt - Requirements
include_tasks: openwrt_requirements.yml
include_tasks: install_openwrt_requirements.yml
- name: install - openwrt - Check if openwrt_build_dir is present
stat:
@ -20,8 +20,4 @@
cmd: cp feeds.conf.default feeds.conf
args:
chdir: "{{ openwrt_build_dir }}"
- name: install - openwrt - Update and install all feeds
shell: ./scripts/feeds update -a; ./scripts/feeds install -a
args:
chdir: "{{ openwrt_build_dir }}"
notify: "update and install feeds"


@ -1,11 +0,0 @@
---
- name: install - libremesh - Add Libremesh feeds
blockinfile:
path: "{{ openwrt_build_dir }}/feeds.conf"
block: "{{ libremesh_feeds }}"
register: feeds
- name: install - libremesh - Update and install Libremesh feeds
shell: ./scripts/feeds update libremesh; ./scripts/feeds install -p libremesh
args:
chdir: "{{ openwrt_build_dir }}"


@ -6,27 +6,37 @@
- preflight
- name: install - openwrt
include_tasks: openwrt_install.yml
include_tasks: install_openwrt.yml
when: not skip_openwrt_install
tags:
- openwrt_install
- name: install - libremesh
include_tasks: libremesh_install.yml
include_tasks: install_feeds_libremesh.yml
when: not skip_libremesh_install
tags:
- libremesh_install
- name: packages
include_tasks: packages.yml
- name: install - packages
include_tasks: install_feeds_packages.yml
tags:
- libremesh_packages
- feeds_packages
- name: Flush handlers
meta: flush_handlers
- name: conf-files - lime mac
include_tasks: conf_files_lime_mac.yml
tags:
- conf_files_lime_mac
- name: configure
include_tasks: configure.yml
tags:
- configure
- name: build - Build
shell: make -j $(nproc) EXTRA_IMAGE_NAME="{{openwrt_extra_image_name}}"
shell: make -j $(nproc) download world EXTRA_IMAGE_NAME="{{openwrt_extra_image_name}}"
args:
chdir: "{{ openwrt_build_dir }}"
tags:
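Review bot: `openwrt_extra_image_name` is interpolated into a `shell` command inside double quotes, so a value containing `$(...)`, backticks or `"` rewrites the command rather than naming the image; it is an operator-supplied variable, so the exposure is small, but the same pattern appears in every templated shell argument in this role. Use `EXTRA_IMAGE_NAME={{ openwrt_extra_image_name | quote }}` so Ansible shell-escapes it. The build task continues past the end of the hunk.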


@ -2,20 +2,10 @@
# CONFIG_PACKAGE_ppp is not set
# CONFIG_PACKAGE_odhcpd-ipv6only is not set
CONFIG_USES_SQUASHFS=y
CONFIG_TARGET_ROOTFS_SQUASHFS=y
# CONFIG_TARGET_ROOTFS_EXT4FS is not set
# CONFIG_TARGET_IMAGES_GZIP is not set
CONFIG_TARGET_{{ openwrt_target }}=y
CONFIG_TARGET_{{ openwrt_target }}_{{ openwrt_subtarget }}=y
CONFIG_TARGET_MULTI_PROFILE=y
{% for device in openwrt_devices %}
CONFIG_TARGET_DEVICE_{{ openwrt_target }}_{{ openwrt_subtarget }}_DEVICE_{{ device }}=y
{% endfor %}
{{ target_configs }}
{{ unstable_defaults }}
{% if with_wireguard %}
CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-ninux-wg=y
{% else %}


@ -0,0 +1,12 @@
CONFIG_USES_SQUASHFS=y
CONFIG_TARGET_ROOTFS_SQUASHFS=y
# CONFIG_TARGET_ROOTFS_EXT4FS is not set
# CONFIG_TARGET_IMAGES_GZIP is not set
CONFIG_TARGET_{{ openwrt_target }}=y
CONFIG_TARGET_MULTI_PROFILE=y
CONFIG_TARGET_{{ openwrt_target }}_{{ openwrt_subtarget }}=y
{% for device in openwrt_devices %}
CONFIG_TARGET_DEVICE_{{ openwrt_target }}_{{ openwrt_subtarget }}_DEVICE_{{ device }}=y
{% endfor %}


@ -9,6 +9,9 @@ config lime network
{% endif %}
config lime wifi
{% if hostvars[item].config_lime_wifi is defined %}
{{ hostvars[item].config_lime_wifi }}
{% endif %}
{% if with_wireguard %}
config generic_uci_config wireguard


@ -2,8 +2,8 @@
[Peer]
# {{ hostvars[device].hostname }}
PublicKey = {{ hostvars[device].vpn_wg0_publickey | trim }}
PublicKey = {{ hostvars[device].vpn_wg0_publickey }}
Endpoint = 0.0.0.0:51800
AllowedIPs = {{ vpn_wg0_network }}.{{ hostvars[device].ip_host | trim }}/32
AllowedIPs = {{ vpn_wg0_network }}.{{ hostvars[device].ip_host }}/32
{% endfor %}
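Review bot: Dropping `| trim` from `vpn_wg0_publickey` and `ip_host` means a trailing newline or space in either host var — typical when the value comes from `lookup('file')` or `pass` — now lands inside the `PublicKey =` and `AllowedIPs =` lines and wg-quick rejects the whole config. The filter was harmless on clean values, so unless it was removed because the generator now guarantees clean values (not visible here), keep `{{ hostvars[device].vpn_wg0_publickey | trim }}` and `{{ hostvars[device].ip_host | trim }}`. `Endpoint = 0.0.0.0:51800` on a `[Peer]` predates this change, but an all-zeros endpoint is unusual enough to deserve a comment explaining why it is set.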


@ -2,4 +2,5 @@
reverse_services: []
fpm_services: []
with_certbot: false
with_ssl: false
with_distributed_certificates: false


@ -47,6 +47,21 @@
state: link
loop: "{{ fpm_services }}"
- name: Configure Static Services
become: yes
template:
src: static_service.conf.j2
dest: /etc/nginx/sites-available/{{item.server_name}}.conf
loop: "{{ static_services }}"
- name: Link NGINX Static Services
become: yes
file:
src: "/etc/nginx/sites-available/{{item.server_name}}.conf"
dest: "/etc/nginx/sites-enabled/{{item.server_name}}.conf"
state: link
loop: "{{ static_services }}"
- name: Make sure NGINX Service is running
become: yes
service:
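Review bot: The new `Configure Static Services` task renders a vhost for every entry in `static_services`, but nothing reloads nginx when the rendered file changes, so the old configuration stays active until something else restarts the service (the task that follows continues outside the hunk). `item.server_name` is also used raw as a path component in `/etc/nginx/sites-available/{{item.server_name}}.conf`, so a value containing `/` or `..` writes outside sites-available. Add `notify: reload nginx` to both template/link tasks (with a handler that runs `nginx -t` before reloading) and validate the name, e.g. `when: item.server_name is match('^[A-Za-z0-9.-]+$')`; `become: yes` should be `become: true`.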


@ -8,7 +8,7 @@ server {
keepalive_timeout 200;
{{item.custom_config | default('') | indent(2)}}
{% if with_distributed_certificates %}
{% if with_ssl %}
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;


@ -0,0 +1,33 @@
server {
listen 80;
listen [::]:80;
listen 443 ssl http2;
server_name {{item.server_name}};
keepalive_timeout 200;
{{item.custom_config | default('') | indent(2)}}
{% if with_ssl %}
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/ada/ada.crt;
ssl_certificate_key /etc/nginx/certs/ada/ada.key;
{% endif %}
root {{ item.server_root }};
location / {
# compression
gzip on;
gzip_types text/plain application/xml application/json;
gzip_proxied no-cache no-store private expired auth;
gzip_min_length 1000;
# cache
proxy_cache STATIC;
}
}
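Review bot: `listen 443 ssl http2;` is emitted unconditionally while `ssl_certificate`/`ssl_certificate_key` are inside `{% if with_ssl %}`, so with `with_ssl: false` (the role default) nginx refuses the config with "no ssl_certificate is defined" and the static site never comes up. Move the listen line inside the conditional: `{% if with_ssl %}` / `listen 443 ssl http2;` / existing ssl directives. The certificate path is hard-coded to `/etc/nginx/certs/ada/ada.crt` although the server_webserver tasks install to `/etc/nginx/certs/{{ server_cert_name }}/`, and `proxy_cache STATIC;` does nothing in a `root` location without `proxy_pass` while failing config validation if no `STATIC` zone is declared elsewhere — presumably copied from the reverse-proxy template.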


@ -0,0 +1,4 @@
skip_certification_authority: false
skip_certification_authority_webserver: true
skip_server_certificate: false
skip_server_certificate_webserver: true



@ -0,0 +1,41 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:cc="http://creativecommons.org/ns#"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
version="1.1"
id="svg2"
viewBox="0 0 973.70528 248.96588"
height="25.5px"
width="100px">
<defs
id="defs4" />
<g
transform="translate(60.758696,-843.33549)"
id="layer1">
<text
id="text3336"
y="1012.3623"
x="3.8487569e-06"
style="font-style:normal;font-weight:normal;line-height:0%;font-family:sans-serif;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
xml:space="preserve"><tspan
style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:180px;line-height:1.25;font-family:sans-serif;-inkscape-font-specification:'sans-serif Bold'"
y="1012.3623"
x="3.8487569e-06"
id="tspan3338"><tspan
id="tspan3340"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:180px;font-family:sans-serif;-inkscape-font-specification:sans-serif;fill:#480e0c;fill-opacity:1">Open</tspan>SSL</tspan></text>
<text
id="text817"
y="1049.0681"
x="176.75166"
style="font-style:normal;font-weight:normal;font-size:17.49999619px;line-height:1.25;font-family:sans-serif;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.93749976"
xml:space="preserve"><tspan
style="font-size:37.49998856px;stroke-width:0.93749976"
y="1049.0681"
x="176.75166"
id="tspan815">Cryptography and SSL/TLS Toolkit</tspan></text>
</g>
</svg>




@ -0,0 +1,44 @@
---
- name: Install openssl
apt:
update_cache: yes
state: present
pkg:
- openssl
- name: Make certificates directory
file:
path: "{{ ca_cert_dir }}"
state: directory
- name: Certification Authority - Check if the private key is already present
stat:
path: "{{ ca_cert_dir }}/{{ ca_cert_name }}.key"
register: ca_cert_key
- name: Certification Authority - Generate the CA private key
shell: openssl genrsa -des3 -passout pass:"{{ ca_cert_key_pass }}" -out {{ ca_cert_name }}.key 4096
args:
chdir: "{{ ca_cert_dir }}"
when: not ca_cert_key.stat.exists
- name: Certification Authority - Check if the CA root certificate is already presentt
stat:
path: "{{ ca_cert_dir }}/{{ ca_cert_name }}.pem"
register: ca_cert_pem
- name: Certification Authority - Generate the CA root configuration file
template:
src: authority.conf.j2
dest: "{{ ca_cert_dir }}/{{ ca_cert_name }}.conf"
when: not ca_cert_pem.stat.exists
- name: Certification Authority - Generate the CA root certificate
shell: openssl req -x509 -new -nodes \
-key {{ ca_cert_name }}.key \
-passin pass:"{{ ca_cert_key_pass }}" \
-sha256 -days {{ ca_cert_days }} -out {{ ca_cert_name }}.pem \
-config {{ ca_cert_name }}.conf
args:
chdir: "{{ ca_cert_dir }}"
when: not ca_cert_pem.stat.exists
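Review bot: The CA passphrase is passed as `pass:"{{ ca_cert_key_pass }}"` on the openssl command line, so it is visible in `ps` on the host while the command runs and is printed in Ansible's task output and logs because neither task sets `no_log: true`. Pass it through the environment instead — `environment: { CA_PASS: "{{ ca_cert_key_pass }}" }` on the task with `-passout env:CA_PASS` / `-passin env:CA_PASS` — and add `no_log: true` to both openssl tasks. The key directory and key file are created with the default umask; add `mode: "0700"` to the `file` task, follow `genrsa` with a `file` task setting `mode: "0600"` on the `.key`, and prefer `-aes256` over the legacy `-des3` wrapping.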


@ -0,0 +1,42 @@
---
- name: Certification Authority - Webserver - Create static_service root
file:
path: /home/antennine/ca/certs
state: directory
- name: Certification Authority - Webserver - Copy certificates to webserver dir
copy:
src: /etc/certs/{{ ca_cert_name }}.pem
dest: /home/antennine/ca/certs/
remote_src: true
- name: Certification Authority - Webserver - Create sha1 fingerprint
shell: openssl x509 -sha1 -in {{ ca_cert_dir }}/{{ ca_cert_name }}.pem -noout -fingerprint
register: ca_cert_sha1
# - name: Certification Authority - Webserver - Convert certificate in format DER
# shell: openssl x509 -in {{ ca_cert_name }}.pem -inform pem -out {{ ca_cert_name }}.der -outform der
# register: ca_cert_der
# - name: Certification Authority - Webserver - Convert certificate in format TXT
# shell:
# register: ca_cert_txt
# - name: Certification Authority - Webserver - Create certificate revocation list CRL
# shell:
# register: ca_cert_crl
- name: Certification Authority - Webserver - Generate index.html
template:
src: authority.html.j2
dest: "/home/antennine/ca/index.html"
- name: Certification Authority - Webserver - Copy files
copy:
src: ./ca/
dest: /home/antennine/ca/
- name: Certification Authority - Webserver - Webserver
include_role:
name: ../roles/stable/nginx
tasks_from: main
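Review bot: The fingerprint published on the CA page is computed with `-sha1`; SHA-1 is no longer collision resistant and browsers and openssl show SHA-256 by default, so users verifying a downloaded root against it get a weak check and have to convert what their tools display. Use `openssl x509 -sha256 -in {{ ca_cert_dir }}/{{ ca_cert_name }}.pem -noout -fingerprint` and update the `ca_cert_sha1` reference in authority.html.j2 accordingly. The copy task also reads the certificate from the hard-coded `/etc/certs/{{ ca_cert_name }}.pem` while the fingerprint task two lines later uses `{{ ca_cert_dir }}`; use `{{ ca_cert_dir }}` in both so a changed default cannot publish a stale certificate with a fresh fingerprint.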


@ -0,0 +1,16 @@
---
- name: Certification Authority
include_tasks: authority.yml
when: not skip_certification_authority
- name: Server Certificate
include_tasks: server.yml
when: not skip_server_certificate
- name: Certification Authority - Webserver
include_tasks: authority_webserver.yml
when: not skip_certification_authority_webserver
- name: Server Certificate - Webserver
include_tasks: server_webserver.yml
when: not skip_server_certificate_webserver


@ -0,0 +1,42 @@
---
- name: Server Certificate - Make certificates directory
file:
path: "{{ server_cert_dir }}"
state: directory
- name: Server Certificate - Check if private key is already present
stat:
path: "{{ server_cert_dir }}/{{ server_cert_name }}.key"
register: server_cert_key
- name: Server Certificate - Generate the private key
shell: openssl genrsa -out {{ server_cert_name }}.key 4096
args:
chdir: "{{ server_cert_dir }}"
when: not server_cert_key.stat.exists
- name: Server Certificate - Generate the server configuration file
template:
src: server.conf.j2
dest: "{{ server_cert_dir }}/{{ server_cert_name }}.conf"
- name: Server Certificate - Create the certificate signin request
shell: openssl req -new -key {{ server_cert_name }}.key -days {{ server_cert_days }} -out {{ server_cert_name }}.csr -config {{ server_cert_name }}.conf
args:
chdir: "{{ server_cert_dir }}"
- name: Server Certificate - Create the X509 V3 extension config file to define SAN
template:
src: server.ext.j2
dest: "{{ server_cert_dir }}/{{ server_cert_name }}.ext"
- name: Server Certificate - Sign the certificate with x509 V3 extensions
shell: openssl x509 -req \
-in {{ server_cert_name }}.csr \
-CA {{ ca_cert_dir }}/{{ ca_cert_name }}.pem -CAkey {{ ca_cert_dir }}/{{ ca_cert_name }}.key -CAcreateserial \
-passin pass:"{{ ca_cert_key_pass }}" \
-out {{ server_cert_name }}.crt \
-days {{ server_cert_days }} -sha256 \
-extfile {{ server_cert_name }}.ext
args:
chdir: "{{ server_cert_dir }}"


@ -0,0 +1,20 @@
---
- name: Server Certificate - Webserver - Ensure webserver certs dir exists
file:
path: /etc/nginx/certs/{{ server_cert_name }}/
state: directory
- name: Server Certificate - Webserver - Copy server key
copy:
src: /etc/certs/{{ server_cert_name }}/{{ server_cert_name }}.key
dest: /etc/nginx/certs/{{ server_cert_name }}/
remote_src: true
- name: Server Certificate - Webserver - Copy server certificate
copy:
src: /etc/certs/{{ server_cert_name }}/{{ server_cert_name }}.crt
dest: /etc/nginx/certs/{{ server_cert_name }}/
remote_src: true
- name: Server Certificate - Webserver - Restart Nginx
shell: systemctl restart nginx
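Review bot: The server private key is copied into `/etc/nginx/certs/...` with no `mode:` or `owner:`, so `copy` with `remote_src: true` creates it under the default umask (typically 0644) and any local user on the host can read the TLS key. Set `mode: "0600"` and an explicit `owner:`/`group:` matching the nginx master process on the key copy (the `.crt` can stay world-readable). Replace `shell: systemctl restart nginx` with the `ansible.builtin.systemd` module (`name: nginx`, `state: reloaded`) triggered as a handler from the two copy tasks, so nginx only bounces when a certificate file actually changed.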


@ -0,0 +1,14 @@
[req]
default_bits = 4096
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C = {{ ca_distinguished_name['C'] }}
ST = {{ ca_distinguished_name['ST'] }}
L = {{ ca_distinguished_name['L'] }}
O = {{ ca_distinguished_name['O'] }}
OU = {{ ca_distinguished_name['OU'] }}
emailAddress = {{ ca_distinguished_name['emailAddress'] }}
CN = {{ ca_distinguished_name['CN'] }}
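Review bot: The `[req]` section declares no `x509_extensions`, so the root produced by `openssl req -x509 -config` carries no `basicConstraints`, `keyUsage` or `subjectKeyIdentifier` on OpenSSL 1.1.x (3.x adds some defaults, as far as I know); a root without `basicConstraints = critical, CA:TRUE` is rejected as a trust anchor by several clients, so the Firefox/Chromium import the HTML page describes may not work everywhere. Add `x509_extensions = v3_ca` under `[req]` and a `[v3_ca]` section that pins the CA role and limits the key to signing certificates and CRLs.
```ini
[req]
default_bits = 4096
prompt = no
default_md = sha256
distinguished_name = dn
x509_extensions = v3_ca
; … unchanged: [dn] section …
[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
```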


@ -0,0 +1,140 @@
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Certificati di Antennine</title>
<link rel="shortcut icon" href="images/green_lock.png" type="image/png" />
<link rel="stylesheet" href="vendor/imagebox.min.css" />
<script src="vendor/imagebox.min.js"></script>
</head>
<style>
:root{font-size:14px;font-family:sans-serif}
body{padding-top:3rem;background:#efefef}
body > a {position:fixed;max-width:10rem;top:1rem;right:1rem}
h2{margin:4rem 0 1rem}
h3{margin:0 0 1rem}
img{max-width:90vw}
figure{margin:1rem}
figure img{padding:1rem 0}
.site-name{flex-wrap:nowrap}
.site-logo{width:2rem;height:2rem;padding:1rem 1rem 1rem 0}
code {background:#333;color:#fff;padding:0.6rem;border-radius:3px;display:block;overflow-x:scroll}
article,figure div{display:flex;flex-wrap:wrap}
article:first-of-type{align-items:center}
@media screen and (min-width:640px)
{
body{padding:1rem}
figure,figure img{max-width: 400px}
figure div img{max-width: calc(200px - 1rem);margin: 0 0.5rem}
}
</style>
<body>
<a href="https://openssl.org">
<img alt="Openssl logo" src="/images/openssl_logo.svg">
</a>
<main>
<article class="site-name">
<img class="site-logo" alt="Openssl logo" src="/images/green_lock.png">
<h1>Certificati di {{ ca_distinguished_name['O'] }}</h1>
</article>
<div>
<p>In questa pagina si trovano i certificati e le informazioni riguardanti la
Certification Authority di {{ ca_distinguished_name['O'] }}.</p>
<p>Il certificato è disponibile:
<ul>
<!-- <li>in formato <a href="certs/{{ ca_cert_name }}.der">DER</a></li> -->
<li>in formato <a href="certs/{{ ca_cert_name }}.pem">PEM</a></li>
<!-- <li>in formato <a href="certs/{{ ca_cert_name }}.txt">testo</a></li> -->
</ul>
<!-- <p>La Certification Revocation List è reperibile all'indirizzo
<a href="https://{{ static_services[0]['server_name'] }}/crl.pem">https://{{ static_services[0]['server_name'] }}/crl.pem</a>.</p> -->
</div>
<h2>Verifica</h2>
<div>
<p>Dopo aver scaricato il certificato, verificare la fingerprint tramite il comando di openssl:</p>
<code>$ openssl x509 -sha1 -in {{ ca_cert_name }}.pem -noout -fingerprint</code>
<p>Che deve resitituire questo risultato:</p>
<code>{{ ca_cert_sha1.stdout }}</code>
</div>
<h2>Installazione su sistema Linux</h2>
<article>
<figure>
<figcaption>
<h3>Firefox</h3>
<p>Andare in <a href="about:preferences#privacy">about:preferences#privacy</a></p>
<p>Ed importare il certificato nella sezione <b>Authorities</b></p>
</figcaption>
<img data-imagebox alt="Screenshot installazione su Firefox" src="./images/linux_firefox.jpg">
</figure>
<figure>
<figcaption>
<h3>Chromium</h3>
<p>Andare in <a href="chrome://settings/certificates">chrome://settings/certificates</a></p>
<p>Ed importare il certificato nella sezione <b>Authorities</b></p>
</figcaption>
<img data-imagebox alt="Screenshot installazione su Chromium" src="./images/linux_chromium.jpg">
</figure>
<figure>
<h3>Linux system-wide (Debian, Ubuntu)</h3>
<p>Per installare la CA system-wide su Linux usare i seguenti passi:</p>
<p>Mettere una copia del certificato in formato PEM in <b>/usr/share/ca-certificates/</b></p>
<code># cp ~/Downloads/antennineCA.pem /usr/share/ca-certificates/</code>
<p>Aggiungere il nome del file del certificato (senza directory) alla fine di <b>/etc/ca-certificates.conf</b></p>
<code># echo {{ ca_cert_name }}.pem >> /etc/ca-certificates.conf</code>
<p>Installare il certificato</p>
<code># update-ca-certificates --verbose</code>
</figure>
</article>
<h2>Installazione su sistema Android</h2>
<p>Nota: su Android è necessario installare la CA su tutto il sistema (system-wide).</p>
<p>Firefox inoltre richiede di abilitare l'utilizzo dei certificati installati dall'utente.</p>
<article>
<figure>
<figcaption>
<h3>Android system-wide</h3>
<p>Andare in <b>Settings</b> e ricercare la sezione dei certificati</p>
<p>Installare il certificato che verrà inserito nella sezione <b>User</b> e non <b>System</b></p>
<p>Ora sui browsers Chrome, Brave, ecc. sarà possibile navigare col protocollo sicuro <b>https://</b></p>
</figcaption>
<div>
<img data-imagebox alt="Screenshot installazione su Android" src="./images/android-12_settings_ca-install.jpg">
<img data-imagebox alt="Screenshot installazione su Android" src="./images/android-12_settings_ca-installed.jpg">
</div>
</figure>
<figure>
<figcaption>
<h3>Firefox</h3>
<p>Andare in <b>Settings</b> e poi in <b>About Firefox</b></p>
<p>Toccare 7 volte il logo di Firefox per abilitare i <b>Secret Settings</b></p>
<p>Andare in <b>Settings</b> e poi in <b>Secret Settings</b>, e abilitare <b>Use third party CA certificates</b></p>
</figcaption>
<div>
<img data-imagebox alt="Screenshot installazione su Firefox Android" src="./images/android-12_firefox_ca-enable.jpg">
<img data-imagebox alt="Screenshot installazione su Firefox Android" src="./images/android-12_firefox_ca-enabled.jpg">
</div>
</figure>
<figure>
<h3>Firefox Beta, Firefox Nightly, IceCatMobile</h3>
<p>In altre versioni derivate da Firefox ricercare about:config</p>
<p>Andare in <a href="about:config">about:config</a> e impostare:</p>
<p><b>security.enterprise_roots.enabled = true</b></p>
</figure>
</article>
</main>
</body>
</html>
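Review bot: The verification step asks users to compare a SHA-1 fingerprint (`openssl x509 -sha1 …` and `{{ ca_cert_sha1.stdout }}`); SHA-1 is deprecated for this purpose, and a SHA-256 fingerprint is what current tooling prints and what users should pin before trusting a root system-wide. Changing the shown command to `openssl x509 -sha256 -in {{ ca_cert_name }}.pem -noout -fingerprint` means the registered fact that feeds the displayed value must be computed with the same digest in the task that sets it (not visible here). Separately, the Linux instructions hard-code `cp ~/Downloads/antennineCA.pem /usr/share/ca-certificates/` while the next command uses `{{ ca_cert_name }}.pem`; the `cp` line should use the variable too so the two cannot diverge. The CRL paragraph is commented out, so the page offers no revocation path; if no CRL is published, stating that explicitly is better than a silent omission.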


@ -0,0 +1,14 @@
[req]
default_bits = 4096
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C = {{ server_distinguished_name['C'] }}
ST = {{ server_distinguished_name['ST'] }}
L = {{ server_distinguished_name['L'] }}
O = {{ server_distinguished_name['O'] }}
OU = {{ server_distinguished_name['OU'] }}
emailAddress = {{ server_distinguished_name['emailAddress'] }}
CN = {{ server_distinguished_name['CN'] }}


@ -0,0 +1,26 @@
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = ada
# wildcard
DNS.2 = test.ada
DNS.3 = *.test.ada
DNS.4 = infra.ada
DNS.5 = *.infra.ada
# common
DNS.6 = info.ada
DNS.7 = doc.ada
DNS.8 = ca.ada
# network
DNS.9 = panorama.ada
DNS.10 = mappe.ada
DNS.11 = librespeed.ada
DNS.12 = nodi.ada
DNS.13 = torrent.ada
DNS.14 = firmware.ada
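Review bot: The server extension file sets `keyUsage` to `digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment` but declares no `extendedKeyUsage`, and `nonRepudiation`/`dataEncipherment` are not exercised by TLS. Adding `extendedKeyUsage = serverAuth` and `subjectKeyIdentifier = hash` states the intended purpose and gives the leaf its own key identifier for chain building; `keyUsage = digitalSignature, keyEncipherment` is enough for a TLS server certificate. The SAN list also hard-codes the `.ada` names while `server_name` in the defaults file is a variable; keeping a single source would avoid a certificate that silently stops matching a renamed service.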


@ -0,0 +1,36 @@
skip_certification_authority: false
skip_certification_authority_webserver: false
skip_server_certificate: false
skip_server_certificate_webserver: false
ca_cert_dir: /etc/certs/
ca_cert_name: antennineCA
ca_cert_days: 3650 # ten years
ca_cert_key_pass: "{{ lookup('passwordstore', 'chiavi_antennine/openssl/antennineCA.key', errors='strict') | default(omit) }}"
ca_distinguished_name:
C: IT
ST: Emilia-Romagna
L: Prunarolo
O: Antennine
OU: antennine.noblogs.org
emailAddress: eno@burdig.one
CN: Antennine CA
with_ssl: true
static_services:
- ca:
server_name: ca.ada
server_root: /home/antennine/ca/
server_cert_dir: /etc/certs/ada
server_cert_name: ada
server_cert_days: 1095 # 3 years
server_cert_key_pass: "{{ lookup('passwordstore', 'chiavi_antennine/openssl/ada.key', errors='strict') | default(omit) }}"
server_distinguished_name:
C: IT
ST: Emilia-Romagna
L: Prunarolo
O: Antennine
OU: antennine.noblogs.org
emailAddress: eno@burdig.one
CN: Ada
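Review bot: In `ca_cert_key_pass` and `server_cert_key_pass` the trailing `| default(omit)` never takes effect, because `errors='strict'` makes the passwordstore lookup fail the task when the entry is missing instead of returning an undefined value. If the intent is "omit the passphrase when no entry exists", the lookup needs `errors='ignore'` together with `default(omit, true)` so an empty result is also omitted; if the passphrase is mandatory, drop the filter so the requirement is explicit. Since these values are rendered wherever the variables are interpolated, the tasks that consume them should run with `no_log: true` to keep the passphrase out of playbook output. The `static_services` item is rendered here with `ca:` and `server_name:` at the same level, which would make `ca` a null key rather than the parent of the service fields; the rendered diff may have flattened the indentation, so this is worth checking in the source file.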


@ -1,8 +1,8 @@
---
openwrt_version: "21.02.3"
openwrt_version: "{{openwrt_release['old_stable']}}"
libremesh_version: "librerouteros"
libremesh_profile: valsamoggia.ninux.org
libremesh_profile_device: vs-ninux-generic-no-luci
libremesh_profile_device: vs-ninux-generic
skip_preflight: false
skip_openwrt_install: false
@ -12,7 +12,6 @@ skip_configure_clean: true
skip_webserver_update: false
with_wireguard: true
with_luci: false
# webserver index
webui_path: /opt/openwrt-lime-firmware_test
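Review bot: `openwrt_version: "{{openwrt_release['old_stable']}}"` only resolves if the new `vars/build/openwrt.yml` is loaded before this file is used; nothing in this hunk shows that, so the `vars_files` or `include_vars` that brings `openwrt_release` into scope should be verified. The same expression with the same spacing appears in the ath79 and mt7620 target files further down; Ansible's conventional form is `"{{ openwrt_release['old_stable'] }}"` (spaces inside the delimiters), which ansible-lint's jinja spacing rule flags. Dropping `with_luci: false` in the second hunk while `# CONFIG_PACKAGE_luci is not set` stays in some target configs is presumably intentional, but a one-line comment here saying where LuCI is now decided would help the next reader.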


@ -2,7 +2,7 @@
openwrt_version: "21.02.3"
libremesh_version: "librerouteros"
libremesh_profile: valsamoggia.ninux.org
libremesh_profile_device: vs-ninux-generic-no-luci
libremesh_profile_device: vs-ninux-generic
skip_preflight: false
skip_openwrt_install: false
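Review bot: This file keeps `openwrt_version: "21.02.3"` while the variant in the previous hunk now derives it from `openwrt_release['old_stable']`, which the new `vars/build/openwrt.yml` sets to 21.02.5; the same hard-coded pin remains in the last `libremesh_profile_device` hunk further down. If the freeze is deliberate, a comment such as `# pinned on purpose: stays on 21.02.3 until the 21.02.5 build is validated` would make that clear; otherwise both files should use the release map so point-release fixes reach every build at once.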

7
vars/build/openwrt.yml Normal file

@ -0,0 +1,7 @@
openwrt_release:
stable: 22.03.2 # 17. October 2022
old_stable: 21.02.5 # 17. October 2022
openwrt_release_archive:
19: 19.07.10 #
18: 18.06 #
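Review bot: The release numbers are unquoted, so `18.06` is parsed as a float and `19`/`18` become integer keys, whereas every other version in this change is a quoted string (`"21.02.3"`); `22.03.2` and `21.02.5` survive only because they contain two dots. Quoting keeps the map consistent and lookup-safe, e.g. `old_stable: "21.02.5"  # 17. October 2022` and `"18": "18.06"`. The two trailing `#` on the archive lines carry no text and can go, and a leading `---` would match the other vars files.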


@ -6,14 +6,13 @@ openwrt_devices:
# override
openwrt_version: 21.02.3
libremesh_profile_device: vs-ninux-generic-no-luci
libremesh_profile_device: vs-ninux-generic
# configs
skip_configure_clean: true
target_configs: |
CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-ninux-generic-no-luci=y
CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-ninux-generic=y
# CONFIG_PACKAGE_kmod-ppp is not set
# CONFIG_PACKAGE_luci-proto-ppp is not set
# CONFIG_PACKAGE_luci is not set
@ -25,14 +24,3 @@ target_configs: |
# CONFIG_PACKAGE_ATH_DFS is not set
# CONFIG_ATH_USER_REGD is not set
CONFIG_PACKAGE_kmod-mt7603=y
# CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-ninux-generic-no-luci=y
# CONFIG_PACKAGE_kmod-ppp is not set
# CONFIG_PACKAGE_luci-proto-ppp is not set
# CONFIG_PACKAGE_luci is not set
# CONFIG_PACKAGE_wpad-basic=y
# CONFIG_PACKAGE_wpad-basic-wolfssl is not set
# CONFIG_PACKAGE_wpad-mesh-wolfssl=y
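Review bot: The override `openwrt_version: 21.02.3` in the first hunk is unquoted and still hard-coded, while the sibling target file further down now uses `"{{openwrt_release['old_stable']}}"`; `21.02.3` parses as a string only because of its two dots, and diverging pins between targets mean point-release fixes land unevenly. The profile moves from `vs-ninux-generic-no-luci` to `vs-ninux-generic` but `# CONFIG_PACKAGE_luci is not set` stays, which presumably is the per-target way of keeping LuCI out — a comment on that line such as `# LuCI intentionally off on this target` would stop the next reader from "fixing" it.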


@ -1,34 +0,0 @@
# ath79_generic
openwrt_target: ath79
openwrt_subtarget: generic
openwrt_devices:
- tplink_cpe510-v3
# override
openwrt_version: 22.03.1
libremesh_profile_device: vs-ninux-generic-no-luci
# configs
skip_configure_clean: true
target_configs: |
CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-ninux-generic-no-luci=y
# CONFIG_PACKAGE_kmod-ppp is not set
# CONFIG_PACKAGE_luci-proto-ppp is not set
# CONFIG_PACKAGE_luci is not set
CONFIG_PACKAGE_babeld-auto-gw-mode=y
CONFIG_PACKAGE_ubus-lime-batman-adv=y
CONFIG_PACKAGE_wpad-basic=y
# CONFIG_PACKAGE_wpad-basic-wolfssl is not set
# CONFIG_PACKAGE_wpad-mesh-wolfssl=y
# CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-ninux-generic-no-luci=y
# CONFIG_PACKAGE_kmod-ppp is not set
# CONFIG_PACKAGE_luci-proto-ppp is not set
# CONFIG_PACKAGE_luci is not set
# CONFIG_PACKAGE_wpad-basic=y
# CONFIG_PACKAGE_wpad-basic-wolfssl is not set
# CONFIG_PACKAGE_wpad-mesh-wolfssl=y


@ -14,7 +14,6 @@ libremesh_profile_device: vs-ninux-generic
# configs
skip_configure_clean: true
target_configs: |
CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-ninux-generic=y
# CONFIG_PACKAGE_kmod-ppp is not set
@ -24,6 +23,7 @@ target_configs: |
CONFIG_PACKAGE_ATH_DEBUG=y
CONFIG_PACKAGE_ATH_DYNACK=y
CONFIG_PACKAGE_ATH_SPECTRAL=y
CONFIG_PACKAGE_luci=y
CONFIG_PACKAGE_prometheus-node-exporter-lua-location-latlon=y
CONFIG_PACKAGE_prometheus-node-exporter-lua-wifi-params=y
CONFIG_PACKAGE_prometheus-node-exporter-lua-wifi-stations-extra=y
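Review bot: `CONFIG_PACKAGE_luci=y` puts the LuCI web UI and its HTTP server into this image, which adds a listening service on every node built from it; the profile should ensure that server only listens where management is expected and that the root password is set at first boot, neither of which this file can show. The first hunk removes a line the rendered page does not print (7 lines become 6), so it is worth confirming it was the `# CONFIG_PACKAGE_luci is not set` entry, since keeping both would presumably let the later line win silently when the config is applied. A comment next to the new line, e.g. `# web UI enabled for this target; uhttpd exposure is handled by the profile`, would record the decision.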


@ -5,15 +5,15 @@ openwrt_devices:
- tplink_cpe510-v3
# override
openwrt_version: 21.02.3
libremesh_profile_device: vs-ninux-generic-no-luci
openwrt_version: "{{openwrt_release['old_stable']}}"
libremesh_profile_device: vs-ninux-generic
# configs
skip_configure_clean: true
target_configs: |
CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-ninux-generic-no-luci=y
CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-fix-openwrt=y
CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-ninux-generic=y
# CONFIG_PACKAGE_kmod-ppp is not set
# CONFIG_PACKAGE_luci-proto-ppp is not set
# CONFIG_PACKAGE_luci is not set


@ -0,0 +1,28 @@
# ath79_generic
openwrt_target: ath79
openwrt_subtarget: generic
openwrt_devices:
- tplink_cpe510-v3
# override
openwrt_version: "{{openwrt_release['stable']}}"
libremesh_profile_device: vs-ninux-generic
# configs
skip_configure_clean: false
# test commenting
target_configs: |
CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-fix-openwrt22=y
CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-fix-openwrt21=y
CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-ninux-generic=y
CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-test=y
CONFIG_PACKAGE_luci=y
CONFIG_PACKAGE_babeld-auto-gw-mode=y
CONFIG_PACKAGE_ubus-lime-batman-adv=y
CONFIG_PACKAGE_wpad-basic=y
# CONFIG_PACKAGE_wpad-basic-wolfssl is not set
# CONFIG_PACKAGE_wpad-mesh-wolfssl=y
unstable_defaults: |
CONFIG_PACKAGE_rssileds=y
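Review bot: Both `vs-fix-openwrt22` and `vs-fix-openwrt21` profiles are enabled in a build whose `openwrt_version` is `openwrt_release['stable']` (22.03.2 in the new release map), and the mt7620 target file below does the same; if those profiles carry version-specific fixes, enabling the 21 one on a 22 build is either a mistake or needs a comment saying why both apply. The stray `# test commenting` line above `target_configs` reads as a leftover and should be removed or replaced by a comment that explains why `skip_configure_clean` is `false` here while the other targets set it to `true`.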


@ -0,0 +1,27 @@
# mt7620 _generic
openwrt_target: ramips
openwrt_subtarget: mt7620
openwrt_devices:
- asus_rt-ac51u
# override
openwrt_version: "{{openwrt_release['stable']}}"
libremesh_profile_device: vs-ninux-generic
# configs
skip_configure_clean: false
target_configs: |
CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-fix-openwrt22=y
CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-fix-openwrt21=y
CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-ninux-generic=y
CONFIG_PACKAGE_profile-valsamoggia.ninux.org-vs-test=y
CONFIG_PACKAGE_luci=y
CONFIG_PACKAGE_babeld-auto-gw-mode=y
CONFIG_PACKAGE_ubus-lime-batman-adv=y
CONFIG_PACKAGE_wpad-basic=y
# CONFIG_PACKAGE_wpad-basic-wolfssl is not set
# CONFIG_PACKAGE_wpad-mesh-wolfssl=y
unstable_defaults: |
CONFIG_DRIVER_11AC_SUPPORT=y


@ -2,7 +2,7 @@
openwrt_version: "21.02.3"
libremesh_version: "librerouteros"
libremesh_profile: valsamoggia.ninux.org
libremesh_profile_device: vs-ninux-generic-no-luci
libremesh_profile_device: vs-ninux-generic
skip_preflight: false
skip_openwrt_install: false


@ -1,5 +1,5 @@
wireguard_server_public_ip: 13.13.13.13
wireguard_server_public_ip: <redacted>
wireguard_server_PublicKey: '<redacted>'
wireguard_server_wg0_port: 51820