Merge branch 'split-meshvpn' into 'master'

split meshvpn role

See merge request !37

.ansible-lint

@@ -2,3 +2,4 @@ skip_list:
   - 208
   - 301
   - 305
+  - 701

group_vars/all.yml

@@ -3,6 +3,7 @@ radvd_prefixes:
   - 2001:67c:2d50::/64
 dhcpd_subnet: 10.130.0.0
 dhcpd_netmask: 255.255.0.0
+dhcpd_domain: ffhl.de
 ipv4_subnet: 10.130.0.0/16
 ipv6_subnet: 2001:67c:2d50::/48
 

playbook.yml

@@ -3,6 +3,8 @@
   become: yes
   roles:
     - base
+    - role: meshvpn
+      tags: [meshvpn]
     - ffhl_nameserver
 
 - hosts: kaisertor

roles/meshvpn/files/network/10-ffhl-mesh.network

+[Match]
+Name=ffhl_mesh_*
+
+[Network]
+LinkLocalAddressing=no
+IPv6AcceptRA=no
+DHCP=no
+
+[Link]
+ARP=no

roles/meshvpn/files/systemd/update-ffhl-mesh-vpn.service

+[Service]
+Type=oneshot
+#WorkingDirectory=/var/local/ffhl-mesh-vpn-peers
+ExecStart=/usr/local/lib/ffhl/update-meshvpn-keys.sh

roles/meshvpn/files/systemd/update-ffhl-mesh-vpn.timer

+[Timer]
+OnCalendar=*:00/15
+
+[Install]
+WantedBy=multi-user.target

roles/meshvpn/meta/main.yml

+---
+
+dependencies:
+  - role: base

roles/meshvpn/tasks/base.yml

+---
+
+- name: copy base configs
+  tags: [base, etc, apt]
+  copy:
+    src: etc/
+    dest: /etc
+
+
+- name: install packages
+  apt:
+    autoremove: yes
+    update_cache: yes
+    state: present
+    name:
+      # necessary packets
+      - batctl
+      - fastd
+      - iproute2
+      - isc-dhcp-server
+      - radvd
+
+- name: load batman-adv
+  modprobe:
+    name: batman-adv
+    state: present
+
+
+# install prometheus-fastd-exporter
+- name: install prometheus-fastd-exporter
+  tags: [prometheus-fastd-exporter, fastd]
+  block:
+  - name: download prometheus-fastd-exporter
+    get_url:
+      url: https://freifunk-luebeck.pages.chaotikum.org/prometheus-fastd-exporter/prometheus-fastd-exporter.deb
+      dest: /tmp/prometheus-fastd-exporter.deb
+  - name: install prometheus-fastd-exporter
+    command: dpkg -i --force-confold /tmp/prometheus-fastd-exporter.deb
+  - name: reload systemd
+    systemd:
+      daemon_reload: yes
+  - name: enable prometheus-fastd-exporter
+    systemd:
+      state: restarted
+      enabled: yes
+      name: prometheus-fastd-exporter

roles/meshvpn/tasks/dhcpd.yml

+---
+
+- name: process dhcpd templates
+  template:
+    src: dhcpd/dhcpd.conf.j2
+    dest: /etc/dhcp/dhcpd.conf
+
+- name: tell dhcpd what interfaces it should listen
+  lineinfile:
+    path: /etc/default/isc-dhcp-server
+    regexp: '^INTERFACESv4='
+    line: INTERFACESv4="ffhl"
+
+- name: restart dhcpd
+  systemd:
+    state: restarted
+    name: isc-dhcp-server.service

roles/meshvpn/tasks/main.yml

+---
+
+- name: preapare base
+  import_tasks: base.yml
+  tags: [software, base, apt]
+
+- name: copy network configs
+  tags: [networl]
+  import_tasks: network.yml
+
+- name: mesh-vpn
+  tags: [fastd]
+  import_tasks: meshvpn.yml
+
+- import_tasks: radvd.yml
+  tags: [radvd]
+
+- import_tasks: dhcpd.yml
+  tags: [dhcp]

roles/meshvpn/tasks/meshvpn.yml

+---
+- name: create fastd user
+  user:
+    name: fastd
+    system: yes
+    home: /etc/fastd
+
+- name: create fastd config dirs
+  loop: "{{ mesh_vpn_instances }}"
+  file:
+    path: /etc/fastd/{{ item.name }}
+    state: directory
+
+- name: copy fastd config templates
+  loop: "{{ mesh_vpn_instances }}"
+  template:
+    src: mesh-vpn/fastd.conf
+    dest: /etc/fastd/{{ item.name }}/fastd.conf
+    mode: '0640'
+
+
+- name: create fastd-up script
+  loop: "{{ mesh_vpn_instances }}"
+  template:
+    src: mesh-vpn/fastd-up
+    dest: /etc/fastd/{{ item.name }}/fastd-up
+    mode: 0755
+
+
+# configure peers git
+# add update script
+- name: copy update script
+  template:
+    src: mesh-vpn/update-meshvpn-keys.sh
+    dest: /usr/local/lib/ffhl/
+    mode: 0775
+
+- name: install mesh-vpn peer update service
+  copy:
+    src: systemd/
+    dest: /etc/systemd/system/
+    owner: root
+
+
+- name: run meshvpn-keys update script
+  command: /usr/local/lib/ffhl/update-meshvpn-keys.sh
+
+
+- name: enable meshvpn peer update job
+  systemd:
+    daemon_reload: yes
+    enabled: yes
+    state: started
+    name: update-ffhl-mesh-vpn.timer
+
+
+# enable fastd instances
+- name: enable fastd instances
+  loop: "{{ mesh_vpn_instances }}"
+  systemd:
+    enabled: yes
+    daemon-reload: yes
+    state: restarted
+    name: fastd@{{ item.name }}
+
+
+# download public keys to our local machine
+- name: create public key files
+  loop: "{{ mesh_vpn_instances }}"
+  shell:
+    cmd: fastd --show-key -c /etc/fastd/{{ item.name }}/fastd.conf > /etc/fastd/{{ item.name }}/pubkey.key
+
+- name: fetch public keys
+  loop: "{{ mesh_vpn_instances }}"
+  fetch:
+    src: /etc/fastd/{{ item.name }}/pubkey.key
+    dest: artifacts/

roles/meshvpn/tasks/network.yml

+---
+
+- name: copy static network configs
+  copy:
+    src: network/
+    dest: /etc/systemd/network/

roles/meshvpn/tasks/radvd.yml

+---
+- name: radvd templates
+  template:
+    src: radvd/radvd.conf.j2
+    dest: /etc/radvd.conf
+
+- name: restart radvd
+  systemd:
+    state: restarted
+    enabled: yes
+    name: radvd

roles/meshvpn/templates/dhcpd/dhcpd.conf.j2

+authoritative;
+default-lease-time 600;
+max-lease-time 600;
+
+subnet {{ dhcpd_subnet }} netmask {{ dhcpd_netmask }} {
+    range {{ dhcpd_start }} {{ dhcpd_end }};
+
+    option subnet-mask 255.255.0.0;
+    option domain-name "{{ dhcpd_domain }}";
+    option routers {{ ip4 }};
+    option domain-name-servers {{ ip4 }};
+}

roles/meshvpn/templates/mesh-vpn/fastd-up

+#!/bin/bash
+set -e
+
+ip link set address {{ item.mac }} dev $INTERFACE
+ip link set up $INTERFACE
+# for some reason it seems that adding the interface too fast
+# to bat0 will cause batman_adv to remove them because they are 'deactivated'
+sleep 5
+echo "Adding interface $INTERFACE to bat0"
+ip link add bat0 type batadv || true
+batctl if add $INTERFACE
+batctl gw_mode server 50000/25000
+batctl network_coding disable

roles/meshvpn/templates/mesh-vpn/fastd.conf

+log to syslog level debug;
+bind any:{{ item.port }};
+mtu {{ item.mtu | default('1280')}};
+interface "{{ item.name }}";
+secret "{{ item.secret }}";
+
+user "fastd";
+method "null";
+method "salsa2012+umac";
+hide ip addresses yes;
+hide mac addresses yes;
+status socket "/run/fastd/{{ item.name }}.sock";
+on up "./fastd-up";
+
+peer limit 100;
+include peers from "/var/local/ffhl-meshvpn-peers";

roles/meshvpn/templates/mesh-vpn/update-meshvpn-keys.sh

+#!/bin/bash
+set -e
+
+DIR=$(mktemp -d)
+DEST="/var/local/ffhl-meshvpn-peers"
+REPO="{{ fastd_keys_repo }}"
+
+mkdir -p "$DEST"
+git clone "$REPO" "$DIR"
+git --git-dir="$DIR/.git" --work-tree="$DEST" reset --hard
+
+rm -rf "$DIR"
+
+{% for instance in mesh_vpn_instances %}
+if [ systemctl is-active fastd@{{ instance.name }} ]; then
+	systemctl reload 'fastd@{{ instance.name }}.service'
+fi
+{% endfor %}

roles/meshvpn/templates/radvd/radvd.conf.j2

+interface ffhl
+{
+	AdvSendAdvert on;
+	IgnoreIfMissing on;
+	MaxRtrAdvInterval 200;
+	AdvDefaultLifetime 900;
+
+{% for prefix in radvd_prefixes %}
+	prefix {{ prefix }} {
+	};
+{% endfor %}
+
+	RDNSS {{ ip6 }} {
+	};
+};