This repository holds the Ansible playbook to deploy a ffsh gateway in the standard configuration. It is based on https://docs.freifunk-suedholstein.de/de/1.5/gateway.html but changes were made where it was plausible.
- Clone the repository.
- Install Ansible.

As the login is done via SSH, make sure that your SSH key is registered with your identity manager (`ssh-add $keyfile`).
That way Ansible will be able to automatically detect the right SSH key and connect to the server.

If you want to deploy to a new gateway, you need to add it to the `hosts.yml` file in the repo; just compare it to `brunsbach` and add your own details.
If you set `enable_wireguard_exit` to true, Ansible will deploy WireGuard and attempt to generate a Mullvad config.
This Ansible script uses `wg-conf-gen` to generate a Mullvad WireGuard configuration.
The Python script will call the Mullvad API with the details you provide in `host_vars` (see below).
It will select a random gateway based on country and city.

You also need to supply your fastd secret as an encrypted secret; you get the password from the NOC team.
To create a new fastd secret, execute the following. This will ask you for a password and open an editor.

```
ansible-vault create --vault-id fastd_key@prompt host_vars/$gatewayname.yml
```
The config has the following options.
option | comment |
---|---|
fastd_secret | fastd secret key |
wg_device | Optional, but you can put the name here that was generated by Mullvad |
wg_pk | WireGuard private key provided by Mullvad |
wg_address | IPv4 and IPv6 address provided by Mullvad |
wg_country | Country supported by Mullvad |
wg_city | A city that Mullvad has in your selected country |
ffshmon_mail | The email that should be used to send alerts if the WireGuard tunnel is down |
ffshmon_pw | The password for the email |
For available countries and cities, check here: https://mullvad.net/de/servers

Example config:

```yaml
fastd_secret: 1234df132fssd...
wg_device: Mellow Pony
wg_pk: aDfkfdsgnn1232345...
wg_address: 1.2.3.4/32,fxx...../128
wg_country: Netherlands
wg_city: Amsterdam
ffshmon_mail: wg-mon@freifunk-suedholstein.de
ffshmon_pw: secretpassword
```

Save and close the editor. Done, you added your secret :)
You can change the content at any time with:

```
ansible-vault edit --vault-id fastd_key@prompt host_vars/$gatewayname.yml
```
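
Because `host_vars/$gatewayname.yml` holds the fastd and WireGuard keys, it is worth checking before each commit that the file is still vault-encrypted. The following shell check is an added example, not part of this repository; the function names are hypothetical, and it relies on the header that `ansible-vault` writes as the first line of an encrypted file (`$ANSIBLE_VAULT;1.2;AES256;<vault-id>`).

```shell
# Added example (not part of this repository): flag host_vars files that
# are not encrypted with the expected vault id before they get committed.

# Print the vault id label of an ansible-vault file; fail if it is not one.
vault_label() {
    local header=""
    # Accept a header line even if the file lacks a trailing newline.
    IFS= read -r header < "$1" || [ -n "$header" ] || return 1
    case "$header" in
        '$ANSIBLE_VAULT;1.2;AES256;'*) printf '%s\n' "${header##*;}" ;;
        '$ANSIBLE_VAULT;1.1;AES256')   printf 'default\n' ;;  # no label set
        *) return 1 ;;
    esac
}

# Report every *.yml in a directory that is plaintext or uses another
# vault id. Returns non-zero if at least one such file was found.
# $1: directory (default host_vars), $2: expected vault id (default fastd_key)
check_host_vars() {
    local dir="${1:-host_vars}" expected="${2:-fastd_key}" f label bad=0
    for f in "$dir"/*.yml; do
        [ -e "$f" ] || continue
        if ! label=$(vault_label "$f"); then
            echo "PLAINTEXT: $f"
            # Name the secret options from the table above that are exposed.
            grep -oE '^(fastd_secret|wg_pk|ffshmon_pw):' "$f" \
                | sed -e 's/:$//' -e 's/^/  exposed key: /' || true
            bad=1
        elif [ "$label" != "$expected" ]; then
            echo "WRONG VAULT ID ($label): $f"
            bad=1
        fi
    done
    return "$bad"
}

# Usage, e.g. from a pre-commit hook: check_host_vars host_vars fastd_key
```

A plaintext file reported here can be encrypted in place with `ansible-vault encrypt --vault-id fastd_key@prompt <file>`.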
Run the playbook on all gateways listed in `hosts`:

```
ansible-playbook --vault-id=fastd_key@prompt setup.yml
```
Run the playbook on one host:

```
ansible-playbook --vault-id=fastd_key@prompt setup.yml --limit $hostname
```
Run only the roles with a specific tag. To see which role is attached to which tag, open `setup.yml`:

```
ansible-playbook --vault-id=fastd_key@prompt setup.yml --tags "ssh keys"
```
These can also be combined:

```
ansible-playbook --vault-id=fastd_key@prompt setup.yml --limit $hostname --tags "oh-my-zsh"
```