From 53136f85f3fc6659b1483a7752150cb5f9c04309 Mon Sep 17 00:00:00 2001
From: Paul Maruhn <paulmaruhn@posteo.de>
Date: Sun, 22 Nov 2020 03:52:04 +0100
Subject: [PATCH] refactor mesh-vpn setup with ansible-vault

---
 ansible.cfg                                   |  1 +
 host_vars/huextertor.yml                      | 58 +++++++++++++
 .../update-ffhl-mesh-vpn.service              |  0
 .../update-ffhl-mesh-vpn.timer                |  0
 roles/base/files/post-merge/ffhl-dns          |  5 --
 roles/base/files/post-merge/ffhl-mesh-vpn     |  8 --
 roles/base/tasks/fastd.yml                    | 44 ----------
 roles/base/tasks/ffhl-peers.yml               |  3 -
 roles/base/tasks/main.yml                     | 32 +++++---
 roles/base/tasks/mesh-vpn.yml                 | 81 +++++++++++++++++++
 .../{fastd/ffhl_mesh_gwvpn => gwvpn}/fastd-up |  0
 .../ffhl_mesh_vpn => mesh-vpn}/fastd-up       |  2 +-
 roles/base/templates/mesh-vpn/fastd.conf      | 15 ++++
 .../templates/mesh-vpn/peers-post-merge.sh    |  7 ++
 14 files changed, 184 insertions(+), 72 deletions(-)
 rename roles/base/files/{etc/systemd/system => mesh-vpn}/update-ffhl-mesh-vpn.service (100%)
 rename roles/base/files/{etc/systemd/system => mesh-vpn}/update-ffhl-mesh-vpn.timer (100%)
 delete mode 100755 roles/base/files/post-merge/ffhl-dns
 delete mode 100755 roles/base/files/post-merge/ffhl-mesh-vpn
 delete mode 100644 roles/base/tasks/fastd.yml
 delete mode 100644 roles/base/tasks/ffhl-peers.yml
 create mode 100644 roles/base/tasks/mesh-vpn.yml
 rename roles/base/templates/{fastd/ffhl_mesh_gwvpn => gwvpn}/fastd-up (100%)
 rename roles/base/templates/{fastd/ffhl_mesh_vpn => mesh-vpn}/fastd-up (53%)
 create mode 100644 roles/base/templates/mesh-vpn/fastd.conf
 create mode 100755 roles/base/templates/mesh-vpn/peers-post-merge.sh

diff --git a/ansible.cfg b/ansible.cfg
index 2bda97c..16189f8 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,5 +1,6 @@
 [defaults]
 inventory=hosts.yml
+vault_password_file=vault-password.txt
 
 [ssh_connection]
 pipelining = True
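Review bot: `vault_password_file=vault-password.txt` makes a plaintext vault password file in the repository root a permanent part of the shared config, and nothing in this patch adds that file to `.gitignore`, so confirm it is excluded from version control and kept at mode 0600 (it may already be ignored by a rule outside this diff). A per-user `ANSIBLE_VAULT_PASSWORD_FILE` environment variable, or an executable password script, keeps the path out of the committed config and avoids one shared plaintext file per checkout.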
diff --git a/host_vars/huextertor.yml b/host_vars/huextertor.yml
index 489d4ed..674fdd9 100644
--- a/host_vars/huextertor.yml
+++ b/host_vars/huextertor.yml
@@ -12,5 +12,63 @@ dhcpd_end: 10.130.31.254
 # edit this before deploying on final servers!!!
 exit_iface: eth0
 
+mesh_vpn_instances:
+  - name: ffhl_mesh_vpn0
+    secret: !vault |
+      $ANSIBLE_VAULT;1.1;AES256
+      31313634356537373335386363383332333638306231363038613335373662333862663865666166
+      3236353235366531363539633839633264323664346265610a663663616532663036643632306466
+      37323463303436353962636363306638613766643035363536343533343663323539346462333364
+      3538383862613831390a633335636437653637323166643466623232383139396365373931613537
+      30386463336264333839666338313564363537313530343032393837306166666533383939383432
+      63333938633032656163303530386162633437363836656432343733393938613166663263366462
+      65376431653666623637663661663232306531363563376162366466613438323937346265333334
+      63633632346535636235
+    mac: de:ad:ca:fe:bb:00
+    mtu: 1280
+    port: 10010
+  - name: ffhl_mesh_vpn1
+    secret: !vault |
+      $ANSIBLE_VAULT;1.1;AES256
+      32323937323466333837383661666237353461303333373238356466353164383661663535323966
+      3532383666333062643062613738366538323166326131310a623334383733363361303636656364
+      38336531333063333264663066346135396362343861613431653136323064653064363064663833
+      3561313737663638620a646333363935326231633366393666653939303635666561653034363662
+      30653834333933343435656231376165366361386333643439383263323065626131633638396138
+      65306531666137623361313466616637386339643462303638386264356461656135363561373830
+      39326436623931626566616337343635356236383234643764313635316230623230396634363535
+      62316430346462303631
+    mac: de:ad:ca:fe:bb:01
+    mtu: 1280
+    port: 10011
+  - name: ffhl_mesh_vpn2
+    secret: !vault |
+      $ANSIBLE_VAULT;1.1;AES256
+      33333830353630346430313339666130663030376234653563623734383234316664633930346363
+      3639616661633366633564663738396239323539333732330a633832373232356632306438346131
+      35323264303030306266393833306464653462643733356439353734333137343131363366616135
+      3461326537333635640a393037643032323635326639326138346661656365386233363231663139
+      63346638393738323661353237393939646465363465643637666634383132613138643732386366
+      31353366303738613538353132633865333561396530313762376363356236323864303764363337
+      64393734633332633065393765393738353931616436323230356564306339626563396239323334
+      61346632643334663430
+    mac: de:ad:ca:fe:bb:02
+    mtu: 1280
+    port: 10012
+  - name: ffhl_mesh_vpn3
+    secret: !vault |
+      $ANSIBLE_VAULT;1.1;AES256
+      31373436343739313432366464343066633331383930323136376362373562343939653630656232
+      3937386265393437313266306533613731386532313438660a316564336432623532316134613966
+      65343737363336366362663162653364333464666333656233316439633763653564333434353862
+      3736376461383137610a646464316563306138616337623036653331396362653064323664656337
+      32313038316133656664363330643934333935313961383038343333386165383634613565316662
+      39313233373164386565643762643639643838373432633164663339616636346539353936323434
+      34343563373738656565383431313230616433393637656666633266376266333162323536323033
+      63333438613766313465
+    mtu: 1312
+    port: 10013
+    mac: de:ad:ca:fe:bb:03
+
 units_enable:
   - batman.service
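Review bot: The `ffhl_mesh_vpn3` entry orders its keys `mtu, port, mac` while the three instances above use `mac, mtu, port`; reorder it to match so the list diffs cleanly. Its `mtu: 1312` also differs from the `1280` of the other instances, which may be deliberate but deserves a comment on that line, e.g. `mtu: 1312  # TODO: document why this instance differs`. The per-instance vault blocks keep the private keys out of plaintext, which is the right shape for this data.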
diff --git a/roles/base/files/etc/systemd/system/update-ffhl-mesh-vpn.service b/roles/base/files/mesh-vpn/update-ffhl-mesh-vpn.service
similarity index 100%
rename from roles/base/files/etc/systemd/system/update-ffhl-mesh-vpn.service
rename to roles/base/files/mesh-vpn/update-ffhl-mesh-vpn.service
diff --git a/roles/base/files/etc/systemd/system/update-ffhl-mesh-vpn.timer b/roles/base/files/mesh-vpn/update-ffhl-mesh-vpn.timer
similarity index 100%
rename from roles/base/files/etc/systemd/system/update-ffhl-mesh-vpn.timer
rename to roles/base/files/mesh-vpn/update-ffhl-mesh-vpn.timer
diff --git a/roles/base/files/post-merge/ffhl-dns b/roles/base/files/post-merge/ffhl-dns
deleted file mode 100755
index e5419ba..0000000
--- a/roles/base/files/post-merge/ffhl-dns
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/sh
-
-systemctl reload bind9.service
-
-exit 0
diff --git a/roles/base/files/post-merge/ffhl-mesh-vpn b/roles/base/files/post-merge/ffhl-mesh-vpn
deleted file mode 100755
index a33c05c..0000000
--- a/roles/base/files/post-merge/ffhl-mesh-vpn
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/sh
-
-systemctl reload 'fastd@ffhl_mesh_vpn0.service'
-systemctl reload 'fastd@ffhl_mesh_vpn1.service'
-systemctl reload 'fastd@ffhl_mesh_vpn2.service'
-systemctl reload 'fastd@ffhl_mesh_vpn3.service'
-
-exit 0
diff --git a/roles/base/tasks/fastd.yml b/roles/base/tasks/fastd.yml
deleted file mode 100644
index 0edcf99..0000000
--- a/roles/base/tasks/fastd.yml
+++ /dev/null
@@ -1,44 +0,0 @@
----
-- user: name=fastd system=yes home=/etc/fastd
-
-
-- template:
-    src: fastd/{{ item }}/fastd-up
-    dest: /etc/fastd/{{ item }}/fastd-up
-    owner: fastd
-    mode: '0744'
-
-- name: generate fastd key
-  shell:
-    cmd: fastd --generate-key | awk '/Secret/ {print "secret \"" $2 "\";" }' > /etc/fastd/{{ item }}/secret.conf
-    creates: /etc/fastd/{{ item }}/secret.conf
-
-
-- name: generate peer file
-  shell:
-    cmd: fastd --show-key -c /etc/fastd/{{ item }}/fastd.conf | awk '/Public/ {print "key \"" $2 "\"; " }' > /etc/fastd/{{ item }}/peer.conf
-
-
-- systemd:
-    enabled: yes
-    name: fastd@{{ item }}
-
-
-- fetch:
-    src: /etc/fastd/{{ item }}/peer.conf
-    dest: artifacts/
-
-
-
-
-        #
-        # - template:
-        #     src: fastd/ffhl_mesh_vpn/fastd-up
-        #     dest: /etc/fastd/ffhl_mesh_vpn/fastd-up
-        #     owner: fastd
-        #     mode: 0744
-        #
-        #     - name: generate fastd key
-        #     command: fastd --generate-key | awk  -e '/Secret/ {print "secret \"" $2 "\";" }' > /etc/fastd/ffhl_mesh_vpn/secret.conf
-        #     args:
-        #         creates: /etc/fastd/ffhl_mesh_vpn/secret.conf
diff --git a/roles/base/tasks/ffhl-peers.yml b/roles/base/tasks/ffhl-peers.yml
deleted file mode 100644
index dc14849..0000000
--- a/roles/base/tasks/ffhl-peers.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-- git: repo=git@git.luebeck.freifunk.net:FreifunkLuebeck/fastd-keys.git dest=/var/local/ffhl-mesh-vpn-peers accept_hostkey=True
-- copy: src=post-merge/ffhl-mesh-vpn dest=/etc/fastd/ffhl_mesh_vpn/peers/.git/hooks/post-merge mode=a+x
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index 9ee6533..a216c50 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -39,7 +39,7 @@
 
 
 - name: template iptables
-  tags: [iptables]
+  tags: [iptables, networking]
   block:
     - template: src=iptables/rules.v4 dest=/etc/iptables/rules.v4
     - template: src=iptables/rules.v6 dest=/etc/iptables/rules.v6
@@ -51,29 +51,39 @@
 
 # sometimes disabled (dunno why)
 - name: enable systemd-networkd
-  command: systemctl enable systemd-networkd
+  tags: [networking]
+  systemd:
+    enabled: yes
+    name: systemd-networkd
 
 
-- name: create fastd configs
-  include_tasks: fastd.yml
-  loop:
-    - ffhl_mesh_vpn0
-    - ffhl_mesh_vpn1
-    - ffhl_mesh_gwvpn
+- name: mesh-vpn
+  tags: [debug, fastd, mesh-vpn]
+  include: mesh-vpn.yml
+
+# - name: create fastd configs
+#   tags: ['debug', 'fastd']
+#   include: fastd.yml
+#   loop: "{{ fastd_instances }}"
+
 
 - name: reload systemd
-  command: systemctl daemon-reload
+  systemd:
+    daemon_reload: yes
 
 - include: radvd.yml
 - include: dhcpd.yml
 - include: powerdns.yml
   tags: [powerdns]
 
-- lineinfile: dest=/etc/iproute2/rt_tables line="42\tfreifunk"
+- name: add freifunk routing table
+  tags: [networking]
+  lineinfile:
+    dest: /etc/iproute2/rt_tables
+    line: "42\tfreifunk"
 
 - include: bird.yml
   tags:
     - bird
 
-- include: ffhl-peers.yml
 - include: units.yml
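Review bot: `include: mesh-vpn.yml` uses the deprecated bare `include` where the removed code used `include_tasks`, and if the include is dynamic (the default for bare `include` in current Ansible) the `tags: [debug, fastd, mesh-vpn]` on it are not inherited by the included tasks — several tasks in the new mesh-vpn.yml (`create fastd user`, `add post-merge hook`, `enable fastd instances`) carry no tags and would be skipped under `--tags mesh-vpn`; `import_tasks: mesh-vpn.yml` propagates the tags to every imported task. The removed loop also configured `ffhl_mesh_gwvpn`, which is absent from `mesh_vpn_instances` in host_vars and not referenced by any task in this patch even though its `gwvpn/fastd-up` template is kept, so the gateway VPN instance appears to go unmanaged unless it is handled outside this diff. The commented-out `create fastd configs` block is dead and can be dropped, and `enabled: yes` / `daemon_reload: yes` should be `true` per yamllint's truthy rule.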
diff --git a/roles/base/tasks/mesh-vpn.yml b/roles/base/tasks/mesh-vpn.yml
new file mode 100644
index 0000000..d310bce
--- /dev/null
+++ b/roles/base/tasks/mesh-vpn.yml
@@ -0,0 +1,81 @@
+---
+- name: create fastd user
+  user:
+    name: fastd
+    system: yes
+    home: /etc/fastd
+
+- name: create fastd config dirs
+  tags: ['debug', 'fastd', 'mesh-vpn']
+  loop: "{{ mesh_vpn_instances }}"
+  file:
+    path: /etc/fastd/{{ item.name }}
+    state: directory
+
+- name: copy fastd config templates
+  tags: ['debug', 'fastd', 'mesh-vpn']
+  loop: "{{ mesh_vpn_instances }}"
+  template:
+    src: mesh-vpn/fastd.conf
+    dest: /etc/fastd/{{ item.name }}/fastd.conf
+    mode: '0644'
+
+- name: create fastd-up script
+  tags: ['debug']
+  loop: "{{ mesh_vpn_instances }}"
+  template:
+    src: mesh-vpn/fastd-up
+    dest: /etc/fastd/{{ item.name }}/fastd-up
+    mode: '0744'
+
+
+# configure peers git
+- name: clone fastd-keys repo
+  tags: [fastd, mesh-vpn]
+  git:
+    repo: git@git.luebeck.freifunk.net:FreifunkLuebeck/fastd-keys.git
+    dest: /var/local/ffhl-mesh-vpn-peers
+    accept_hostkey: yes
+
+- name: add post-merge hook
+  template:
+    src: mesh-vpn/peers-post-merge.sh
+    dest: /var/local/ffhl-mesh-vpn-peers/.git/hooks/post-merge
+    mode: a+x
+
+- name: install mesh-vpn peer update service
+  copy:
+    src: mesh-vpn/
+    dest: /etc/systemd/system/
+    owner: root
+
+
+
+# enable services
+
+- name: enable fastd instances
+  loop: "{{ mesh_vpn_instances }}"
+  systemd:
+    enabled: yes
+    state: restarted
+    name: fastd@{{ item.name }}
+
+- name: enable mesh-vpn peer update job
+  systemd:
+    name: update-ffhl-mesh-vpn.timer
+    enabled: yes
+    state: started
+
+
+# download public keys to our local machine
+- name: create public key files
+  loop: "{{ mesh_vpn_instances }}"
+  shell:
+    cmd: fastd --show-key -c /etc/fastd/{{ item.name }}/fastd.conf > /etc/fastd/{{ item.name }}/pubkey.key
+
+- name: fetch public keys
+  loop: "{{ mesh_vpn_instances }}"
+  tags: [debug, fastd, mesh-vpn]
+  fetch:
+    src: /etc/fastd/{{ item.name }}/pubkey.key
+    dest: artifacts/
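Review bot: `copy fastd config templates` writes fastd.conf with `mode: '0644'` and no owner, and the new fastd.conf template in this patch embeds the decrypted private key (`secret "{{ item.secret }}";`), so the key becomes world-readable on the gateway whereas the deleted fastd.yml kept it in a separate secret.conf; use `mode: '0600'` (with `owner: root`, which is sufficient if fastd reads its config before dropping to `user "fastd"`, otherwise `owner: fastd`). `enable fastd instances` uses `state: restarted`, which bounces every instance on each run; a handler notified by the two template tasks would restart only on change. `install mesh-vpn peer update service` copies new unit files into /etc/systemd/system but the timer is started by the next task without a daemon-reload (the `reload systemd` task in main.yml runs after this include), so add `daemon_reload: yes` to `enable mesh-vpn peer update job`. `create public key files` has no `creates:` or `changed_when`, so it reports changed on every run, and `clone fastd-keys repo` keeps `accept_hostkey: yes`, a trust-on-first-use that is worth replacing with a pinned known_hosts entry since every file in that repository becomes a trusted peer key.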
diff --git a/roles/base/templates/fastd/ffhl_mesh_gwvpn/fastd-up b/roles/base/templates/gwvpn/fastd-up
similarity index 100%
rename from roles/base/templates/fastd/ffhl_mesh_gwvpn/fastd-up
rename to roles/base/templates/gwvpn/fastd-up
diff --git a/roles/base/templates/fastd/ffhl_mesh_vpn/fastd-up b/roles/base/templates/mesh-vpn/fastd-up
similarity index 53%
rename from roles/base/templates/fastd/ffhl_mesh_vpn/fastd-up
rename to roles/base/templates/mesh-vpn/fastd-up
index 67d52a0..7d99b57 100644
--- a/roles/base/templates/fastd/ffhl_mesh_vpn/fastd-up
+++ b/roles/base/templates/mesh-vpn/fastd-up
@@ -1,5 +1,5 @@
 #!/bin/bash
 
-ip link set address {{ fastd_mesh_mac }} dev $INTERFACE
+ip link set address {{ item.mac }} dev $INTERFACE
 ip link set up $INTERFACE
 batctl if add $INTERFACE
diff --git a/roles/base/templates/mesh-vpn/fastd.conf b/roles/base/templates/mesh-vpn/fastd.conf
new file mode 100644
index 0000000..23704c4
--- /dev/null
+++ b/roles/base/templates/mesh-vpn/fastd.conf
@@ -0,0 +1,15 @@
+log to syslog level debug;
+bind any:{{ item.port }};
+mtu {{ item.mtu | default('1280')}};
+interface "{{ item.name }}";
+secret "{{ item.secret }}";
+
+user "fastd";
+method "null";
+method "salsa2012+umac";
+hide ip addresses yes;
+hide mac addresses yes;
+status socket "/run/fastd/{{ item.name }}.sock";
+on up "./fastd-up";
+
+include peers from "/var/local/ffhl-mesh-vpn-peers";
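Review bot: `method "null";` is listed ahead of `salsa2012+umac`, so data packets from peers that negotiate it carry no encryption or authentication (the handshake still uses the peer keys); if that is the intended throughput trade-off for the mesh, say so in the template, e.g. `# "null" = no payload crypto; kept deliberately for mesh throughput`, so it is not removed or reordered by accident. `log to syslog level debug;` is very verbose for a production gateway; `level info` (or `verbose`) is usually enough outside troubleshooting. Minor: `{{ item.mtu | default('1280')}}` is missing the space before `}}`, and every instance in host_vars sets `mtu` anyway.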
diff --git a/roles/base/templates/mesh-vpn/peers-post-merge.sh b/roles/base/templates/mesh-vpn/peers-post-merge.sh
new file mode 100755
index 0000000..f7b0465
--- /dev/null
+++ b/roles/base/templates/mesh-vpn/peers-post-merge.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+{% for instance in mesh_vpn_instances %}
+systemctl reload 'fastd@{{ instance.name }}.service'
+{% endfor %}
+
+exit 0
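Review bot: The unconditional `exit 0` hides any failed `systemctl reload`, so a peer file that breaks an instance's config only shows up in the journal, not in the hook output; since git ignores a post-merge hook's exit status anyway, the useful change is to log the failure per instance, e.g. `systemctl reload 'fastd@{{ instance.name }}.service' || logger -t fastd-peers "reload of fastd@{{ instance.name }} failed"`. Generating the list from `mesh_vpn_instances` is an improvement over the hard-coded vpn0–vpn3 of the deleted hook.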
-- 
GitLab