Unverified Commit 53136f85 authored by Paul's avatar Paul :turtle:

refactor mesh-vpn setup with ansible-vault

parent c76fca3c
Showing with 184 additions and 72 deletions
[defaults] [defaults]
inventory=hosts.yml inventory=hosts.yml
vault_password_file=vault-password.txt
[ssh_connection] [ssh_connection]
pipelining = True pipelining = True
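Review bot: The new `vault_password_file=vault-password.txt` line points at a plaintext file that sits next to the playbook, so the encrypted `!vault` blocks added elsewhere in this commit are only as safe as that file staying out of the repository; I cannot see a `.gitignore` here, so please confirm it lists `vault-password.txt`. A one-line comment above the setting would make the expectation explicit: `# plaintext vault password — keep out of VCS (see .gitignore)`. Consider also that the relative path is resolved from the directory ansible is run in, not from this file, so running from elsewhere silently fails to find it.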
...@@ -12,5 +12,63 @@ dhcpd_end: 10.130.31.254 ...@@ -12,5 +12,63 @@ dhcpd_end: 10.130.31.254
# edit this before deploying on final servers!!! # edit this before deploying on final servers!!!
exit_iface: eth0 exit_iface: eth0
mesh_vpn_instances:
- name: ffhl_mesh_vpn0
secret: !vault |
$ANSIBLE_VAULT;1.1;AES256
31313634356537373335386363383332333638306231363038613335373662333862663865666166
3236353235366531363539633839633264323664346265610a663663616532663036643632306466
37323463303436353962636363306638613766643035363536343533343663323539346462333364
3538383862613831390a633335636437653637323166643466623232383139396365373931613537
30386463336264333839666338313564363537313530343032393837306166666533383939383432
63333938633032656163303530386162633437363836656432343733393938613166663263366462
65376431653666623637663661663232306531363563376162366466613438323937346265333334
63633632346535636235
mac: de:ad:ca:fe:bb:00
mtu: 1280
port: 10010
- name: ffhl_mesh_vpn1
secret: !vault |
$ANSIBLE_VAULT;1.1;AES256
32323937323466333837383661666237353461303333373238356466353164383661663535323966
3532383666333062643062613738366538323166326131310a623334383733363361303636656364
38336531333063333264663066346135396362343861613431653136323064653064363064663833
3561313737663638620a646333363935326231633366393666653939303635666561653034363662
30653834333933343435656231376165366361386333643439383263323065626131633638396138
65306531666137623361313466616637386339643462303638386264356461656135363561373830
39326436623931626566616337343635356236383234643764313635316230623230396634363535
62316430346462303631
mac: de:ad:ca:fe:bb:01
mtu: 1280
port: 10011
- name: ffhl_mesh_vpn2
secret: !vault |
$ANSIBLE_VAULT;1.1;AES256
33333830353630346430313339666130663030376234653563623734383234316664633930346363
3639616661633366633564663738396239323539333732330a633832373232356632306438346131
35323264303030306266393833306464653462643733356439353734333137343131363366616135
3461326537333635640a393037643032323635326639326138346661656365386233363231663139
63346638393738323661353237393939646465363465643637666634383132613138643732386366
31353366303738613538353132633865333561396530313762376363356236323864303764363337
64393734633332633065393765393738353931616436323230356564306339626563396239323334
61346632643334663430
mac: de:ad:ca:fe:bb:02
mtu: 1280
port: 10012
- name: ffhl_mesh_vpn3
secret: !vault |
$ANSIBLE_VAULT;1.1;AES256
31373436343739313432366464343066633331383930323136376362373562343939653630656232
3937386265393437313266306533613731386532313438660a316564336432623532316134613966
65343737363336366362663162653364333464666333656233316439633763653564333434353862
3736376461383137610a646464316563306138616337623036653331396362653064323664656337
32313038316133656664363330643934333935313961383038343333386165383634613565316662
39313233373164386565643762643639643838373432633164663339616636346539353936323434
34343563373738656565383431313230616433393637656666633266376266333162323536323033
63333438613766313465
mtu: 1312
port: 10013
mac: de:ad:ca:fe:bb:03
units_enable: units_enable:
- batman.service - batman.service
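Review bot: The `ffhl_mesh_vpn3` entry orders its keys `mtu, port, mac` while the other three use `mac, mtu, port`, and it alone carries `mtu: 1312` where the others have `1280`; the order difference is a style nit, but the MTU difference reads like either a deliberate exception or a typo and nothing on the page says which. If it is intentional, a comment such as `# vpn3 runs a larger MTU on purpose` next to the value would stop the next reader from "fixing" it. Reordering the keys of that entry to match its siblings also keeps the list diff-friendly.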
#!/bin/sh
systemctl reload bind9.service
exit 0
#!/bin/sh
systemctl reload 'fastd@ffhl_mesh_vpn0.service'
systemctl reload 'fastd@ffhl_mesh_vpn1.service'
systemctl reload 'fastd@ffhl_mesh_vpn2.service'
systemctl reload 'fastd@ffhl_mesh_vpn3.service'
exit 0
---
- user: name=fastd system=yes home=/etc/fastd
- template:
src: fastd/{{ item }}/fastd-up
dest: /etc/fastd/{{ item }}/fastd-up
owner: fastd
mode: '0744'
- name: generate fastd key
shell:
cmd: fastd --generate-key | awk '/Secret/ {print "secret \"" $2 "\";" }' > /etc/fastd/{{ item }}/secret.conf
creates: /etc/fastd/{{ item }}/secret.conf
- name: generate peer file
shell:
cmd: fastd --show-key -c /etc/fastd/{{ item }}/fastd.conf | awk '/Public/ {print "key \"" $2 "\"; " }' > /etc/fastd/{{ item }}/peer.conf
- systemd:
enabled: yes
name: fastd@{{ item }}
- fetch:
src: /etc/fastd/{{ item }}/peer.conf
dest: artifacts/
#
# - template:
# src: fastd/ffhl_mesh_vpn/fastd-up
# dest: /etc/fastd/ffhl_mesh_vpn/fastd-up
# owner: fastd
# mode: 0744
#
# - name: generate fastd key
# command: fastd --generate-key | awk -e '/Secret/ {print "secret \"" $2 "\";" }' > /etc/fastd/ffhl_mesh_vpn/secret.conf
# args:
# creates: /etc/fastd/ffhl_mesh_vpn/secret.conf
---
- git: repo=git@git.luebeck.freifunk.net:FreifunkLuebeck/fastd-keys.git dest=/var/local/ffhl-mesh-vpn-peers accept_hostkey=True
- copy: src=post-merge/ffhl-mesh-vpn dest=/etc/fastd/ffhl_mesh_vpn/peers/.git/hooks/post-merge mode=a+x
...@@ -39,7 +39,7 @@ ...@@ -39,7 +39,7 @@
- name: template iptables - name: template iptables
tags: [iptables] tags: [iptables, networking]
block: block:
- template: src=iptables/rules.v4 dest=/etc/iptables/rules.v4 - template: src=iptables/rules.v4 dest=/etc/iptables/rules.v4
- template: src=iptables/rules.v6 dest=/etc/iptables/rules.v6 - template: src=iptables/rules.v6 dest=/etc/iptables/rules.v6
...@@ -51,29 +51,39 @@ ...@@ -51,29 +51,39 @@
# sometimes disabled (dunno why) # sometimes disabled (dunno why)
- name: enable systemd-networkd - name: enable systemd-networkd
command: systemctl enable systemd-networkd tags: [networking]
systemd:
enabled: yes
name: systemd-networkd
- name: create fastd configs - name: mesh-vpn
include_tasks: fastd.yml tags: [debug, fastd, mesh-vpn]
loop: include: mesh-vpn.yml
- ffhl_mesh_vpn0
- ffhl_mesh_vpn1 # - name: create fastd configs
- ffhl_mesh_gwvpn # tags: ['debug', 'fastd']
# include: fastd.yml
# loop: "{{ fastd_instances }}"
- name: reload systemd - name: reload systemd
command: systemctl daemon-reload systemd:
daemon_reload: yes
- include: radvd.yml - include: radvd.yml
- include: dhcpd.yml - include: dhcpd.yml
- include: powerdns.yml - include: powerdns.yml
tags: [powerdns] tags: [powerdns]
- lineinfile: dest=/etc/iproute2/rt_tables line="42\tfreifunk" - name: add freifunk routing table
tags: [networking]
lineinfile:
dest: /etc/iproute2/rt_tables
line: "42\tfreifunk"
- include: bird.yml - include: bird.yml
tags: tags:
- bird - bird
- include: ffhl-peers.yml
- include: units.yml - include: units.yml
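Review bot: The new `- name: mesh-vpn` task uses `include: mesh-vpn.yml`, which is the deprecated form; the line it replaces used `include_tasks: fastd.yml`, so this is a step backwards in the same hunk, and the file's other `include:` lines (radvd, dhcpd, powerdns, bird, units) share the issue but predate the commit. Since the task carries `tags:`, `import_tasks: mesh-vpn.yml` is the closer match (tags on a static import apply to the imported tasks; with `include_tasks` they do not propagate). The new `systemd:` tasks use `enabled: yes` and `daemon_reload: yes`; `true` avoids the YAML 1.1/1.2 truthy ambiguity and matches yamllint's default.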
---
- name: create fastd user
user:
name: fastd
system: yes
home: /etc/fastd
- name: create fastd config dirs
tags: ['debug', 'fastd', 'mesh-vpn']
loop: "{{ mesh_vpn_instances }}"
file:
path: /etc/fastd/{{ item.name }}
state: directory
- name: copy fastd config templates
tags: ['debug', 'fastd', 'mesh-vpn']
loop: "{{ mesh_vpn_instances }}"
template:
src: mesh-vpn/fastd.conf
dest: /etc/fastd/{{ item.name }}/fastd.conf
mode: '0644'
- name: create fastd-up script
tags: ['debug']
loop: "{{ mesh_vpn_instances }}"
template:
src: mesh-vpn/fastd-up
dest: /etc/fastd/{{ item.name }}/fastd-up
mode: '0744'
# configure peers git
- name: clone fastd-keys repo
tags: [fastd, mesh-vpn]
git:
repo: git@git.luebeck.freifunk.net:FreifunkLuebeck/fastd-keys.git
dest: /var/local/ffhl-mesh-vpn-peers
accept_hostkey: yes
- name: add post-merge hook
template:
src: mesh-vpn/peers-post-merge.sh
dest: /var/local/ffhl-mesh-vpn-peers/.git/hooks/post-merge
mode: a+x
- name: install mesh-vpn peer update service
copy:
src: mesh-vpn/
dest: /etc/systemd/system/
owner: root
# enable services
- name: enable fastd instances
loop: "{{ mesh_vpn_instances }}"
systemd:
enabled: yes
state: restarted
name: fastd@{{ item.name }}
- name: enable mesh-vpn peer update job
systemd:
name: update-ffhl-mesh-vpn.timer
enabled: yes
state: started
# download public keys to our local machine
- name: create public key files
loop: "{{ mesh_vpn_instances }}"
shell:
cmd: fastd --show-key -c /etc/fastd/{{ item.name }}/fastd.conf > /etc/fastd/{{ item.name }}/pubkey.key
- name: fetch public keys
loop: "{{ mesh_vpn_instances }}"
tags: [debug, fastd, mesh-vpn]
fetch:
src: /etc/fastd/{{ item.name }}/pubkey.key
dest: artifacts/
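Review bot: The "copy fastd config templates" task renders `mesh-vpn/fastd.conf` with `mode: '0644'`, and that template (in the fastd.conf section of this commit) writes the decrypted vault secret into the file via `secret "{{ item.secret }}"`, so the key that ansible-vault protects in the repo ends up world-readable on the host; the pre-commit layout kept it in a separate `secret.conf`. Tighten it with `owner: fastd`, `group: fastd`, `mode: '0600'` (fastd is started by the unit and drops to `user "fastd"` per the config, so a fastd-owned file is readable either way; if the unit starts it as root, root-owned 0600 also works). Separately, "enable fastd instances" uses `state: restarted`, which bounces every VPN instance on each playbook run rather than only when its config changed; `state: started` plus a restart handler notified by the template tasks keeps the run idempotent. "create public key files" reruns its `shell` every time with no `creates:`/`changed_when:`, so it always reports changed.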
#!/bin/bash #!/bin/bash
ip link set address {{ fastd_mesh_mac }} dev $INTERFACE ip link set address {{ item.mac }} dev $INTERFACE
ip link set up $INTERFACE ip link set up $INTERFACE
batctl if add $INTERFACE batctl if add $INTERFACE
log to syslog level debug;
bind any:{{ item.port }};
mtu {{ item.mtu | default('1280')}};
interface "{{ item.name }}";
secret "{{ item.secret }}";
user "fastd";
method "null";
method "salsa2012+umac";
hide ip addresses yes;
hide mac addresses yes;
status socket "/run/fastd/{{ item.name }}.sock";
on up "./fastd-up";
include peers from "/var/local/ffhl-mesh-vpn-peers";
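Review bot: The template offers `method "null";` ahead of `method "salsa2012+umac";`, and fastd's null method carries payload with neither encryption nor authentication, so a peer that negotiates it gets a cleartext, unauthenticated data channel; if that is the intended trade-off for this mesh, say so in the file, e.g. `# null: no payload encryption/authentication — intentional for mesh traffic`, otherwise drop the line. `log to syslog level debug;` is also verbose for a permanent config and will fill syslog with per-peer detail; `level info` or `level warn` is the usual steady-state choice. Minor: `{{ item.mtu | default('1280')}}` is missing the space before `}}`, and the `1280` default duplicates the value every entry in the vars already sets.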
#!/bin/sh
{% for instance in mesh_vpn_instances %}
systemctl reload 'fastd@{{ instance.name }}.service'
{% endfor %}
exit 0