Merge branch 'master' into gwgroup

.gitignore

@@ -114,5 +114,7 @@ dist
 
 *.retry
 wgfrp-setconf.conf.j2
+certs
+babeld-reload.conf.j2
 
 __pycache__

ansible/ansible.cfg

@@ -3,3 +3,4 @@ host_key_checking = False
 strategy_plugins = mitogen-0.2.9/ansible_mitogen/plugins/strategy
 strategy = mitogen_free
 inventory = ../result/inventory.yaml
+forks = 12

ansible/babeld.conf.j2

+# MyCard babeld
+
+# debug 1
+# router-id 00:00:00:00:00:00:00:03
+redistribute local ip 10.198.0.0/24
+{% for subnet in localSubnets %}
+redistribute ip {{subnet}}
+{% endfor %}
+redistribute local deny
+reflect-kernel-metric true
+local-port-readwrite 33123
+
+{% for connection in connections %}
+{% if connection.protocol != "null" and not (connection.protocol == "oc" and connection.ocType == "server") and connection.remoteLocalAddress != address %}
+{% if connection.inbound %}
+interface {{connection.name}} type tunnel rxcost {{connection.metric}} faraway true link-quality true
+{% else %}
+interface {{connection.name}} type tunnel rxcost 50000 faraway true link-quality true
+{% endif %}
+{% endif %}
+{% endfor %}
+
+{% for interface in lanInterfaces %}
+interface {{interface}}
+{% endfor %}

ansible/bird.conf.j2

 # MyCard bird
-# Force change in 12.12
+# Force change in 12.14
 
 log stderr all;
 router id {{address}};
 
-protocol device {
-}
-#protocol direct {
-#  disabled;
-#  ipv4;
-#  ipv6;
-#}
-
-{% for interface in lanInterfaces %}
-protocol direct {
-  ipv4;
-  ipv6;
-  interface "{{interface}}";
-}
-{% endfor %}
+protocol device {}
 
 protocol kernel {
   learn;
   ipv4 {
+<<<<<<< HEAD
     import where net = 0.0.0.0/0;
     export where net != 0.0.0.0/0;
   };
   #ipv6 { export all; };
+=======
+    import all;
+  };
+>>>>>>> master
 }
 
 
@@ -44,54 +35,7 @@ protocol kernel {
     table {{plan.name}};
     export all;
   };
+  persist;
   kernel table {{plan.destMark}};
 }
 {% endfor %}
-
-protocol ospf v2 {
-  ipv4 {
-    import all;
-    export all; # where source ~ [ RTS_DEVICE, RTS_STATIC ];
-  };
-  area 0 {
-    networks {
-{% for subnet in routeLists.mycard %}
-      {{subnet}};
-{% endfor %}
-    };
-#    interface "eth*" {
-#      type broadcast;    # Detected by default
-#      cost 10;    # Interface metric
-#      hello 5;    # Default hello perid 10 is too long
-#    };
-{% for connection in connections %}
-{% if connection.protocol != "null" and connection.remoteLocalAddress != address %}
-    interface "{{connection.name}}" {
-      type ptmp;
-{% if connection.outbound %}
-      cost {{connection.metric}};
-{% else %}
-      cost 50000;
-{% endif %}
-      hello 5;
-      authentication cryptographic;
-      password "{{ospfToken}}";
-    };
-{% endif %}
-{% endfor %}
-
-{% for interface in lanInterfaces %}
-    interface "{{interface}}" {
-      type broadcast;
-      cost 1;
-      hello 5;
-      authentication cryptographic;
-      password "{{ospfToken}}";
-    };
-{% endfor %}
-
-    interface "dummy0" {
-      stub;      # Stub interface, just propagate it
-    };
-  };
-}

ansible/configure.yaml

 ---
 - hosts: wg
-  vars:
-    services: []
   tasks:
+    - name: load vars
+      include_vars:
+        file: '../result/{{item}}.yaml'
+      with_items:
+        - global-vars
+        - vars-{{inventory_hostname_short}}
     - name: directory
       file:
         path: '{{ansible_user_dir}}/nextgen-network/{{item}}'
@@ -24,17 +28,43 @@
         - utility
         - switch-rules-up
         - switch-rules-down
+        - ocserv-postup
+        - ocserv-predown
       notify: reload_switch_rules
     - name: ipset files
       template:
         src: scripts/ipset.j2
         dest: '{{ansible_user_dir}}/nextgen-network/ipsets/{{item}}.ipset'
       with_items: '{{routeListNames}}'
+      notify: reload_chnroute
     - name: global-postup
       become: true
       shell: '{{ansible_user_dir}}/nextgen-network/scripts/global-postup.sh'
       args:
         creates: /tmp/mycard_global_postup_done
+    - name: global-postup systemd
+      become: true
+      copy:
+        content: |
+          [Unit]
+          Description=MyCard Network Global Setup
+          Before=network-online.target
+          After=network-pre.target
+
+          [Service]
+          Type=oneshot
+          ExecStart={{ansible_user_dir}}/nextgen-network/scripts/global-postup.sh
+
+          [Install]
+          WantedBy=multi-user.target
+        dest: /etc/systemd/system/railgun-global-setup.service
+      register: global_systemd_result
+    - name: global-postup systemd enable
+      become: true
+      systemd:
+        name: railgun-global-setup
+        enabled: true
+        daemon_reload: '{{global_systemd_result.changed}}'
     - name: mycard ipset create
       become: true
       shell: 'ipset create mycard hash:net maxelem 1000000 || true'
@@ -50,54 +80,125 @@
       become: true
       shell: 'ip -4 rule add pref 81 to {{item}} lookup main || true'
       with_items: '{{routeLists.mycard}}'
+    - name: ocserv pre-configure
+      include_tasks: 'protocols/oc/ocserv-pre.yaml'
+      when: ocservNeeded and not noBird
+    - name: disable bug self-link
+      become: true
+      ignore_errors: true
+      systemd:
+        name: 'wg-quick@{{item}}'
+        state: stopped
+        enabled: false
+        masked: true
+      with_items:
+        - mc-{{inventory_hostname_short}}
+        - mci{{inventory_hostname_short}}
 # 为了提高测试时候的性能，不改动wg的时候注释掉这段
     - name: 'clean up null connections first'
       include_tasks: 'protocols/{{item.protocol}}/configure.yaml'
       vars:
         conn: '{{item}}'
       with_items: '{{ connections }}'
-      when: "not noUpdateLinks and item.protocol == 'null'"
+      when: "not noUpdateLinks and item.protocol == 'null' and not item.noUpdate"
     - name: 'loop through list from a variable'
       include_tasks: 'protocols/{{item.protocol}}/configure.yaml'
       vars:
         conn: '{{item}}'
       with_items: '{{ connections }}'
-      when: "not noUpdateLinks and item.protocol != 'null'"
+      when: "not noUpdateLinks and item.protocol != 'null' and not item.noUpdate"
 # end
     - name: services conf
       copy:
         content: '{{dockerServices | to_yaml}}'
         dest: '{{ansible_user_dir}}/nextgen-network/services/docker-compose.yml'
+      when: not noBird
     - name: bird conf
       template:
         src: bird.conf.j2
         dest: '{{ansible_user_dir}}/nextgen-network/services/bird.conf'
       notify: restart_bird
+      when: not noBird
+    - name: babeld conf
+      template:
+        src: babeld.conf.j2
+        dest: '{{ansible_user_dir}}/nextgen-network/services/babeld.conf'
+      #notify: restart_babeld
+      when: not noBird
+    - name: babeld reload conf
+      template:
+        src: babeld-reload.conf.j2
+        dest: /tmp/babeld-reload.conf
+      notify: reload_babeld
     - name: frps conf
       template:
         src: protocols/wgfrp/frps.ini.j2
         dest: '{{ansible_user_dir}}/nextgen-network/services/frps.ini'
-      when: frpsNeeded
+      when: frpsNeeded and not noBird
       notify: restart_frps
     - name: start services
       docker_compose:
         project_src: '{{ansible_user_dir}}/nextgen-network/services'
         remove_orphans: true
         # pull: true
+      when: not noBird
+    - name: systemd bird
+      become: true
+      template:
+        src: bird.conf.j2
+        dest: '/etc/bird/bird.conf'
+      notify: restart_bird_systemd
+      when: systemBird
+    - name: enable systemd bird
+      become: true
+      systemd:
+        name: bird
+        state: started
+        enabled: true
+        masked: false
+      when: systemBird
+    - name: systemd babeld conf
+      become: true
+      template:
+        src: babeld.conf.j2
+        dest: '/etc/babeld.conf'
+      #notify: restart_babeld_systemd
+      when: systemBird
+    - name: enable systemd babeld
+      become: true
+      systemd:
+        name: babeld
+        state: started
+        enabled: true
+        masked: false
+      when: systemBird
   handlers:
     - name: reload_switch_rules
       become: true
       shell: '{{ansible_user_dir}}/nextgen-network/scripts/switch-rules-down.sh ; {{ansible_user_dir}}/nextgen-network/scripts/switch-rules-up.sh'
     - name: restart_bird
-      shell: 'docker-compose exec bird birdc configure'
-      args:
-        chdir: '{{ansible_user_dir}}/nextgen-network/services'
+      docker_compose:
+        project_src: '{{ansible_user_dir}}/nextgen-network/services'
+        restarted: true
+        services:
+          - bird
+      when: not noBird
+    - name: restart_babeld # ocserv would be always restarted whenever key changes..
+      docker_compose:
+        project_src: '{{ansible_user_dir}}/nextgen-network/services'
+        restarted: true
+        services:
+          - babeld
+      when: not noBird
+    - name: reload_babeld
+      shell: cat /tmp/babeld-reload.conf | timeout 1 nc ::1 33123 || true
     - name: restart_frps
       docker_compose:
         project_src: '{{ansible_user_dir}}/nextgen-network/services'
         restarted: true
         services:
           - frps
+      when: not noBird
     - name: restart_frpc
       docker_compose:
         project_src: '{{ansible_user_dir}}/nextgen-network/services'
@@ -105,4 +206,35 @@
         services:
           - frpc-{{item.name}}
       with_items: '{{connections}}'
-      when: 'item.protocol == "wgfrp" and item.frpType == "frpc"'
+      when: 'item.protocol == "wgfrp" and item.frpType == "frpc" and not noBird and not item.noUpdate'
+    - name: restart_ocserv
+      docker_compose:
+        project_src: '{{ansible_user_dir}}/nextgen-network/services'
+        restarted: true
+        services:
+          - ocserv
+      when: not noBird
+    - name: restart_openconnect
+      docker_compose:
+        project_src: '{{ansible_user_dir}}/nextgen-network/services'
+        restarted: true
+        services:
+          - openconnect-{{item.name}}
+      with_items: '{{connections}}'
+      when: 'item.protocol == "oc" and item.ocType == "client" and not noBird and not item.noUpdate'
+    - name: restart_bird_systemd
+      become: true
+      systemd:
+        name: bird
+        state: restarted
+    - name: restart_babeld_systemd
+      become: true
+      systemd:
+        name: babeld
+        state: restarted
+      when: systemBird
+    - name: reload_chnroute
+      become: true
+      shell: |
+        ipset flush chnrouter
+        sed '/^create chnrouter hash:net family inet$/d' {{ansible_user_dir}}/nextgen-network/ipsets/chnrouter.ipset | ipset restore

ansible/install.yaml

@@ -11,3 +11,33 @@
         - fatedier/frps:v0.34.2
         - fatedier/frpc:v0.34.2
         - git-registry.mycard.moe/nanahira/docker-bird
+        - git-registry.mycard.moe/railgun/babeld
+        - git-registry.mycard.moe/nanahira/docker-ocserv
+        - git-registry.mycard.moe/railgun/openconnect
+      when: not noBird
+    - name: unstable source
+      become: true
+      copy:
+        content: | 
+          deb http://mirrors.tuna.tsinghua.edu.cn/debian unstable main contrib non-free
+        dest: /etc/apt/sources.list.d/unstable.list
+      when: systemBird and ansible_distribution == 'Debian' and ansible_distribution_release != 'sid'
+    - name: unstable pref 90
+      become: true
+      copy:
+        content: | 
+          Package: *
+          Pin: release a=unstable
+          Pin-Priority: 90
+        dest: /etc/apt/preferences.d/limit-unstable
+      when: systemBird and ansible_distribution == 'Debian' and ansible_distribution_release != 'sid'
+    - name: netcat-openbsd
+      become: true
+      apt:
+        update_cache: true
+        name: netcat-openbsd
+    - name: install packages for systemd things
+      become: true
+      apt:
+        name: babeld,bird2
+      when: systemBird

ansible/migrate-chnroute.yaml

+- hosts: wg
+  remote_user: root
+  tasks:
+    - name: load vars
+      include_vars:
+        file: '../result/{{item}}.yaml'
+      with_items:
+        - global-vars
+        - vars-{{inventory_hostname_short}}
+    - name: post scripts
+      template:
+        src: scripts/{{item}}.sh.j2
+        dest: '{{ansible_user_dir}}/nextgen-network/scripts/{{item}}.sh'
+        mode: a+x
+      with_items:
+        - postup
+        - predown
+        - global-postup
+        - utility
+        - switch-rules-up
+        - switch-rules-down
+        - ocserv-postup
+        - ocserv-predown
+    - name: chnroute
+      become: true
+      shell: |
+        ipset restore -f {{ansible_user_dir}}/nextgen-network/ipsets/chnrouter.ipset || true
+    - name: reload_switch_rules
+      become: true
+      shell: '{{ansible_user_dir}}/nextgen-network/scripts/switch-rules-down.sh ; {{ansible_user_dir}}/nextgen-network/scripts/switch-rules-up.sh'

ansible/migrate-ocserv-predown.yaml

+---
+- hosts: wg
+  tasks:
+    - name: ocserv predown
+      template:
+        src: scripts/ocserv-predown-old.sh.j2
+        dest: '{{ansible_user_dir}}/nextgen-network/scripts/ocserv-predown.sh'
+        mode: a+x

ansible/migrate-systemd.yaml

+---
+- hosts: wg
+  vars:
+    services: []
+  tasks:
+    - name: global-postup systemd
+      become: true
+      copy:
+        content: |
+          [Unit]
+          Description=MyCard Network Global Setup
+          Before=network-online.target
+          After=network-pre.target
+
+          [Service]
+          Type=oneshot
+          ExecStart={{ansible_user_dir}}/nextgen-network/scripts/global-postup.sh
+
+          [Install]
+          WantedBy=multi-user.target
+        dest: /etc/systemd/system/railgun-global-setup.service
+      register: global_systemd_result
+    - name: global-postup systemd disable
+      become: true
+      systemd:
+        name: railgun-global-setup
+        enabled: false
+        daemon_reload: true
+    - name: global-postup systemd enable
+      become: true
+      systemd:
+        name: railgun-global-setup
+        enabled: true
+        daemon_reload: true
+    - name: remove a rubbish
+      file:
+        path: /etc/systemd/system/mutli-user.target.wants
+        state: absent

ansible/protocols/oc/configure-client.yaml

+- name: up script directory
+  file:
+    path: '{{ansible_user_dir}}/nextgen-network/services/client-scripts/{{conn.name}}/post-connect.d'
+    state: directory
+    recurse: true
+- name: down script directory
+  file:
+    path: '{{ansible_user_dir}}/nextgen-network/services/client-scripts/{{conn.name}}/disconnect.d'
+    state: directory
+    recurse: true
+- name: up script
+  template:
+    src: ./openconnect-post-scripts/post-connect.sh.j2
+    dest: '{{ansible_user_dir}}/nextgen-network/services/client-scripts/{{conn.name}}/post-connect.d/mycard-network-nextgen.sh'
+    mode: 0755
+  notify: restart_openconnect
+- name: down script
+  template:
+    src: ./openconnect-post-scripts/disconnect.sh.j2
+    dest: '{{ansible_user_dir}}/nextgen-network/services/client-scripts/{{conn.name}}/disconnect.d/mycard-network-nextgen.sh'
+    mode: 0755
+  notify: restart_openconnect

ansible/protocols/oc/configure-server.yaml

+- name: per-user config
+  template:
+    src: ./ocserv-per-user.conf.j2
+    dest: '{{ansible_user_dir}}/nextgen-network/services/ocserv/config-per-user/{{conn.name}}'
+  notify: restart_ocserv
+- name: per-user env
+  template:
+    src: ./ocserv-user-env.j2
+    dest: '{{ansible_user_dir}}/nextgen-network/services/ocserv/env-per-user/{{conn.name}}'
+  notify: restart_ocserv

ansible/protocols/oc/configure.yaml

+- name: '{{conn.name}}: stop wireguard'
+  become: true
+  ignore_errors: true
+  systemd:
+    name: 'wg-quick@{{conn.name}}'
+    state: stopped
+    enabled: no
+- name: '{{conn.name}}: tasks for {{conn.ocType}}'
+  include_tasks: './configure-{{conn.ocType}}.yaml'

ansible/protocols/oc/ocserv-per-user.conf.j2

+explicit-ipv4 = {{conn.remoteLocalAddress}}
+route = {{conn.localPeerAddress}}/32
+mtu = {{conn.mtu}}

ansible/protocols/oc/ocserv-pre.yaml

+- name: directories
+  file:
+    name: '{{ansible_user_dir}}/nextgen-network/services/ocserv/{{item}}'
+    recurse: true
+    state: directory
+  with_items:
+    - config-per-user
+    - env-per-user
+    - certs
+- name: ocserv.conf
+  template:
+    src: ./ocserv.conf.j2
+    dest: '{{ansible_user_dir}}/nextgen-network/services/ocserv/ocserv.conf'
+  notify: restart_ocserv
+- name: ocpasswd
+  copy:
+    content: |
+      {% for line in ocpasswdLines %}
+      {{line}}
+      {% endfor %}
+    dest: '{{ansible_user_dir}}/nextgen-network/services/ocserv/ocpasswd'
+  notify: restart_ocserv
+- name: ocserv certs
+  synchronize:
+    src: ../certs/{{ocservCert}}/
+    dest: '{{ansible_user_dir}}/nextgen-network/services/ocserv/certs/{{ocservCert}}'
+    delete: yes
+    copy_links: yes
+    verify_host: no
+    recursive: yes
+    checksum: yes
+    archive: no
+  notify: restart_ocserv

ansible/protocols/oc/ocserv-user-env.j2

+# export dev=
+export localAddress={{address}}
+export remoteLocalAddress={{conn.remoteLocalAddress}}
+export localPeerAddress={{conn.localPeerAddress}}
+export remotePeerAddress={{conn.remotePeerAddress}}
+export localPeerAddress6={{conn.localPeerAddress6}}
+export remotePeerAddress6={{conn.remotePeerAddress6}}
+export localRubbishAddress=10.199.{{id}}.1
+export remoteNextMark={{conn.remoteNextMark}}
+export inbound={{conn.inbound}}
+export outbound={{conn.outbound}}
+export mtu={{conn.mtu|int - 58}}
+{% if conn.inbound %}
+export metric={{conn.metric}}
+{% else %}
+export metric=50000
+{% endif %}

ansible/protocols/oc/ocserv.conf.j2

+auth = "plain[passwd=/etc/ocserv/ocpasswd]"
+listen-host-is-dyndns = true
+tcp-port = {{ocservPort}}
+udp-port = {{ocservPort}}
+run-as-user = nobody
+run-as-group = daemon
+socket-file = /run/ocserv.socket
+server-cert = /etc/ssl/certs/{{ocservCert}}/fullchain.pem
+server-key = /etc/ssl/certs/{{ocservCert}}/privkey.pem
+dh-params = /etc/ssl/certs/{{ocservCert}}/dhparam.pem
+isolate-workers = true
+server-stats-reset-time = 604800
+keepalive = 300
+dpd = 60
+mobile-dpd = 300
+switch-to-tcp-timeout = 25
+try-mtu-discovery = false
+cert-user-oid = 0.9.2342.19200300.100.1.1
+compression = true
+no-compress-limit = 256
+tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE"
+match-tls-dtls-ciphers = false
+auth-timeout = 240
+idle-timeout = 1200
+mobile-idle-timeout = 1800
+max-ban-score = 80
+ban-reset-time = 300
+cookie-timeout = 604800
+deny-roaming = false
+rekey-time = 172800
+rekey-method = ssl
+connect-script = {{ansible_user_dir}}/nextgen-network/scripts/ocserv-postup.sh
+disconnect-script = {{ansible_user_dir}}/nextgen-network/scripts/ocserv-predown.sh
+use-occtl = true
+pid-file = /run/ocserv.pid
+predictable-ips = true
+ipv4-network = 10.199.{{id}}.1/24
+ping-leases = false
+device = mcoc
+config-per-user = /etc/ocserv/config-per-user/
+cisco-client-compat = false
+dtls-legacy = true

ansible/protocols/oc/openconnect-post-scripts/disconnect.sh.j2

+#!/bin/bash
+dev="$TUNDEV" localPeerAddress={{conn.localPeerAddress}} remotePeerAddress={{conn.remotePeerAddress}} localPeerAddress6={{conn.localPeerAddress6}} remotePeerAddress6={{conn.remotePeerAddress6}} remoteNextMark={{conn.remoteNextMark}} inbound={{conn.inbound}} outbound={{conn.outbound}} mtu={{conn.mtu|int - 58}} {{ansible_user_dir}}/nextgen-network/scripts/predown.sh
+
+true

ansible/protocols/oc/openconnect-post-scripts/post-connect.sh.j2

+#!/bin/bash
+# Force reload at 12.23
+
+dev="$TUNDEV" localPeerAddress={{conn.localPeerAddress}} remotePeerAddress={{conn.remotePeerAddress}} localPeerAddress6={{conn.localPeerAddress6}} remotePeerAddress6={{conn.remotePeerAddress6}} remoteNextMark={{conn.remoteNextMark}} inbound={{conn.inbound}} outbound={{conn.outbound}} mtu={{conn.mtu|int - 58}} {{ansible_user_dir}}/nextgen-network/scripts/predown.sh
+dev="$TUNDEV" localPeerAddress={{conn.localPeerAddress}} remotePeerAddress={{conn.remotePeerAddress}} localPeerAddress6={{conn.localPeerAddress6}} remotePeerAddress6={{conn.remotePeerAddress6}} remoteNextMark={{conn.remoteNextMark}} inbound={{conn.inbound}} outbound={{conn.outbound}} mtu={{conn.mtu|int - 58}} {{ansible_user_dir}}/nextgen-network/scripts/postup.sh
+
+true

ansible/protocols/wg/wg.conf.j2

@@ -8,8 +8,8 @@ FwMark = {{conn.localGatewayMark}}
 
 MTU = {{conn.mtu|int - 80}}
 Table = off
-PostUp = dev=%i localPeerAddress={{conn.localPeerAddress}} remotePeerAddress={{conn.remotePeerAddress}} link6Address={{conn.link6Address}} remoteNextMark={{conn.remoteNextMark}} inbound={{conn.inbound}} outbound={{conn.outbound}} mtu={{conn.mtu|int - 80}} {{ansible_user_dir}}/nextgen-network/scripts/postup.sh
-PreDown = dev=%i localPeerAddress={{conn.localPeerAddress}} remotePeerAddress={{conn.remotePeerAddress}} link6Address={{conn.link6Address}} remoteNextMark={{conn.remoteNextMark}} inbound={{conn.inbound}} outbound={{conn.outbound}} mtu={{conn.mtu|int - 80}} {{ansible_user_dir}}/nextgen-network/scripts/predown.sh
+PostUp = dev=%i localPeerAddress={{conn.localPeerAddress}} remotePeerAddress={{conn.remotePeerAddress}} localPeerAddress6={{conn.localPeerAddress6}} remotePeerAddress6={{conn.remotePeerAddress6}} remoteNextMark={{conn.remoteNextMark}} inbound={{conn.inbound}} outbound={{conn.outbound}} mtu={{conn.mtu|int - 80}} {{ansible_user_dir}}/nextgen-network/scripts/postup.sh
+PreDown = dev=%i localPeerAddress={{conn.localPeerAddress}} remotePeerAddress={{conn.remotePeerAddress}} localPeerAddress6={{conn.localPeerAddress6}} remotePeerAddress6={{conn.remotePeerAddress6}} remoteNextMark={{conn.remoteNextMark}} inbound={{conn.inbound}} outbound={{conn.outbound}} mtu={{conn.mtu|int - 80}} {{ansible_user_dir}}/nextgen-network/scripts/predown.sh
 
 [Peer]
 PublicKey = {{conn.wgPublicKey}}
@@ -19,4 +19,4 @@ Endpoint = {{conn.remoteAddress}}:{{conn.remotePort}}
 PersistentKeepalive = 1
 {% endif %}
 
-# forced change 12.12
+# forced change 12.23

ansible/protocols/wgfrp/wgfrp.conf.j2

@@ -6,8 +6,8 @@ ListenPort = {{conn.localPort}}
 {% endif %}
 MTU = {{conn.mtu|int - 80}}
 Table = off
-PostUp = dev=%i localPeerAddress={{conn.localPeerAddress}} remotePeerAddress={{conn.remotePeerAddress}} link6Address={{conn.link6Address}} remoteNextMark={{conn.remoteNextMark}} inbound={{conn.inbound}} outbound={{conn.outbound}} mtu={{conn.mtu|int - 80}} {{ansible_user_dir}}/nextgen-network/scripts/postup.sh
-PreDown = dev=%i localPeerAddress={{conn.localPeerAddress}} remotePeerAddress={{conn.remotePeerAddress}} link6Address={{conn.link6Address}} remoteNextMark={{conn.remoteNextMark}} inbound={{conn.inbound}} outbound={{conn.outbound}} mtu={{conn.mtu|int - 80}} {{ansible_user_dir}}/nextgen-network/scripts/predown.sh
+PostUp = dev=%i localPeerAddress={{conn.localPeerAddress}} localPeerAddress6={{conn.localPeerAddress6}} remotePeerAddress6={{conn.remotePeerAddress6}} remoteNextMark={{conn.remoteNextMark}} inbound={{conn.inbound}} outbound={{conn.outbound}} mtu={{conn.mtu|int - 80}} {{ansible_user_dir}}/nextgen-network/scripts/postup.sh
+PreDown = dev=%i localPeerAddress={{conn.localPeerAddress}} localPeerAddress6={{conn.localPeerAddress6}} remotePeerAddress6={{conn.remotePeerAddress6}} remoteNextMark={{conn.remoteNextMark}} inbound={{conn.inbound}} outbound={{conn.outbound}} mtu={{conn.mtu|int - 80}} {{ansible_user_dir}}/nextgen-network/scripts/predown.sh
 [Peer]
 PublicKey = {{conn.wgPublicKey}}
 AllowedIPs = 0.0.0.0/0, ::/0

ansible/restart-babeld.yaml

+---
+- hosts: wg
+  tasks:
+    - name: load vars
+      include_vars:
+        file: '../result/{{item}}.yaml'
+      with_items:
+        # - global-vars
+        - vars-{{inventory_hostname_short}}
+    - name: restart_babeld_systemd
+      become: true
+      systemd:
+        name: babeld
+        state: restarted
+      when: systemBird
+    - name: restart_babeld # ocserv would be always restarted whenever key changes..
+      docker_compose:
+        project_src: '{{ansible_user_dir}}/nextgen-network/services'
+        restarted: true
+        services:
+          - babeld
+      when: not noBird
+    - name: restart ocserv
+      docker_compose:
+        project_src: '{{ansible_user_dir}}/nextgen-network/services'
+        restarted: true
+        services:
+          - ocserv
+      when: ocservNeeded and not noBird

ansible/scripts/global-postup.sh.j2

 #!/usr/bin/env bash
+# Forced update 12.24
 source {{ansible_user_dir}}/nextgen-network/scripts/utility.sh
 
 echo "running" > /tmp/mycard_global_postup_done
@@ -14,6 +15,11 @@ ipset add localnet {{subnet}} || true
 ip rule add pref 81 to {{subnet}} lookup main || true
 {% endfor %}
 
+# MASQ interfaces
+{% for interface in masqInterfaces %}
+iptables -t nat -A POSTROUTING -o {{interface}} -j MASQUERADE
+{% endfor %}
+
 # chain for wg origin
 iptables -t mangle -N NEXTGEN_ORIGIN
 iptables -t mangle -I PREROUTING -m mark --mark 0x0 ! -p ospf -j NEXTGEN_ORIGIN

ansible/scripts/ocserv-postup.sh.j2

+#!/bin/bash
+
+export dev="$DEVICE"
+source /etc/ocserv/env-per-user/$USERNAME
+
+NEW_DEVICE="$USERNAME"
+#ip link set $DEVICE down
+#ip link set $DEVICE name $NEW_DEVICE
+#ip link set $NEW_DEVICE up
+#ip link property add altname $DEVICE dev $NEW_DEVICE
+#ip link set $NEW_DEVICE alias $DEVICE
+ip link property add altname $NEW_DEVICE dev $DEVICE
+ip link set $DEVICE alias $NEW_DEVICE
+
+ip addr add "$localAddress/32" dev "$dev"
+ip route del "$remoteLocalAddress" dev "$dev" proto kernel scope link src "$localRubbishAddress"
+ip addr del "$localRubbishAddress" dev "$dev"
+
+{{ansible_user_dir}}/nextgen-network/scripts/predown.sh
+{{ansible_user_dir}}/nextgen-network/scripts/postup.sh
+
+echo -e "interface $dev type tunnel rxcost $metric faraway true rtt-max 500 \nquit" | nc ::1 33123
+
+true

ansible/scripts/ocserv-predown-old.sh.j2

+#!/bin/bash
+# This script is for old thing only. Will not be used in MyCard Network Gen 2.5
+
+export dev="$DEVICE"
+source /etc/ocserv/env-per-user/$USERNAME
+
+{{ansible_user_dir}}/nextgen-network/scripts/predown.sh
+
+true

ansible/scripts/ocserv-predown.sh.j2

+#!/bin/bash
+
+export dev="$DEVICE"
+source /etc/ocserv/env-per-user/$USERNAME
+
+{{ansible_user_dir}}/nextgen-network/scripts/predown.sh
+
+true

ansible/scripts/postup.sh.j2

 #!/usr/bin/env bash
 source {{ansible_user_dir}}/nextgen-network/scripts/utility.sh
-wait_lock
+
 #set -e
 
 ip addr add "$localPeerAddress" peer "$remotePeerAddress" dev "$dev" scope link
-ip -6 addr add "$link6Address" dev "$dev" scope link
+ip addr add "$localPeerAddress6" peer "$remotePeerAddress6" dev "$dev" scope link
 
 if [ "$outbound" == True ] ; then
   ip route add default dev "$dev" table "$remoteNextMark"

ansible/scripts/switch-rules-up.sh.j2

 #!/bin/bash
 source {{ansible_user_dir}}/nextgen-network/scripts/utility.sh
 
-## chnroute
+## route plans
 {% for plan in routePlans %}
+ip rule add pref 400 fwmark {{plan.destMark}} lookup {{plan.destMark}}
 interface_switch_chnroute -A u_{{plan.name}}_chnroute {{plan.destMark}}
-{% endfor %}
-{% for gw in gateways %}
-{% if gw.selectionMark > 0 %}
-interface_switch_chnroute -A u_{{gw.isp}}_chnroute {{gw.selectionMark}}
-{% endif %}
-{% endfor %}
-
-## all
-{% for plan in routePlans %}
 interface_switch -A u_{{plan.name}}_all {{plan.destMark}}
-{% endfor %}
-{% for gw in gateways %}
-{% if gw.selectionMark > 0 %}
-interface_switch -A u_{{gw.isp}}_all {{gw.selectionMark}}
-{% endif %}
-{% endfor %}
-
-## restore mark
-{% for plan in routePlans %}
-ip rule add pref 400 fwmark {{plan.destMark}} lookup {{plan.destMark}}
 restore_mark_switch -A {{plan.destMark}}
 {% endfor %}
+
+## local gateways
 {% for gw in gateways %}
 {% if gw.selectionMark > 0 %}
+interface_switch_chnroute -A u_{{gw.isp}}_chnroute {{gw.selectionMark}}
+interface_switch -A u_{{gw.isp}}_all {{gw.selectionMark}}
 restore_mark_switch -A {{gw.selectionMark}}
 {% endif %}
 {% endfor %}

lists/route_helper.py

@@ -18,10 +18,10 @@ def write_yaml_file(name, data):
 universe = IPSet(['0.0.0.0/0'])
 special = IPSet([line.strip() for line in open('special.txt')])
 chnroutes = IPSet([line.strip() for line in open('chnroutes.txt') if not line.startswith('#')])
-result = { 'chnroute_reverse': [] }
+result = { 'chnrouter': [] }
 
-chnroute_reverse = universe - special - chnroutes
-for route in chnroute_reverse.iter_cidrs():
-    result['chnroute_reverse'].append(str(route))
+chnrouter = universe - special - chnroutes
+for route in chnrouter.iter_cidrs():
+    result['chnrouter'].append(str(route))
 
 write_yaml_file("result.yaml", result)

package.json

@@ -4,7 +4,8 @@
   "description": "",
   "scripts": {
     "build": "tsc",
-    "start": "node build/inventory.js"
+    "start": "node build/inventory.js",
+    "all": "npm run build && npm start"
   },
   "dependencies": {
     "@types/ip": "^1.1.0",

update-all.sh

+#!/bin/bash
+
+./update.sh "$@"
+
+cd ansible
+ansible-playbook -i ../result/inventory.yaml "$@" restart-babeld.yaml
+cd ..

update.sh

@@ -28,4 +28,11 @@ _strip_wg_conf() {
 # _strip_wg_conf ./protocols/wg/wg.conf.j2 ./protocols/wg/wg-setconf.conf.j2
 _strip_wg_conf ./protocols/wgfrp/wgfrp.conf.j2 ./protocols/wgfrp/wgfrp-setconf.conf.j2
 
+sed -r '/^(#.*)?$/d;/^reflect-kernel-metric/d;/^local-port-readwrite/d;/^redistribute/d' babeld.conf.j2 > babeld-reload.conf.j2
+echo 'quit' >> babeld-reload.conf.j2
+
 ansible-playbook -i ../result/inventory.yaml "$@" configure.yaml
+cd ..
+
+rsync -4cavzP ./data/ nanahira@koishi.yuzurisa.com:~/nginx/railgun-data
+ssh -T nanahira@koishi.yuzurisa.com 'cd ~/nginx ; docker-compose restart railgun-enterprise'

upload.sh

+#!/bin/bash
+rsync -4cavzP ./data/ root@10.198.1.57:~/wg/data
+rsync -4cavzP ./data/ nanahira@koishi.yuzurisa.com:~/nginx/railgun-data
+ssh -T nanahira@koishi.yuzurisa.com 'cd ~/nginx ; docker-compose restart railgun-enterprise'