diff --git a/README.md b/README.md index 2237f24..d5b0ede 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,11 @@ Ansible Freifunk Regensburg =========================== ## Running Ansible -`ansible-playbook --ask-vault-pass -i hosts site.yml` +To deploy all defined roles on all servers simple run `ansible-playbook --ask-vault-pass -i hosts site.yml` TBA + +## Notes + +Some roles are derived from https://github.com/FreifunkBremen/ansible/ diff --git a/host_vars/gw11.regensburg.freifunk.net b/host_vars/gw11.regensburg.freifunk.net new file mode 100644 index 0000000..502df82 --- /dev/null +++ b/host_vars/gw11.regensburg.freifunk.net @@ -0,0 +1,3 @@ +--- + +site_code: ffrgb_stadt diff --git a/host_vars/gw21.regensburg.freifunk.net b/host_vars/gw21.regensburg.freifunk.net new file mode 100644 index 0000000..eb29900 --- /dev/null +++ b/host_vars/gw21.regensburg.freifunk.net @@ -0,0 +1,3 @@ +--- + +site_code: ffrgb_umland diff --git a/host_vars/gw31.regensburg.freifunk.net b/host_vars/gw31.regensburg.freifunk.net new file mode 100644 index 0000000..ec6b34a --- /dev/null +++ b/host_vars/gw31.regensburg.freifunk.net @@ -0,0 +1,3 @@ +--- + +site_code: ffrgb_test diff --git a/library/fastd_key b/library/fastd_key new file mode 100644 index 0000000..6113d8b --- /dev/null +++ b/library/fastd_key 
@@ -0,0 +1,31 @@
+#!/usr/bin/env python
+
+EXAMPLES = '''
+# Generates a fastd key
+- fastd_key: path=/etc/fastd/site/secret.conf
+'''
+
+from ansible.module_utils.basic import *
+import os
+
+if __name__ == '__main__':
+ module = AnsibleModule(
+ argument_spec={
+ 'path': {'required': True, 'type': 'str'},
+ }
+ )
+
+ path = module.params['path']
+ changed = False
+
+ # file does not exist or is empty?
+ if not os.path.isfile(path) or os.stat(path).st_size == 0:
+ # create file with restrictive permissions
+ with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT, 0600), 'w') as handle:
+ # generate fastd secret
+ secret = subprocess.check_output(["fastd", "--machine-readable", "--generate-key"]).strip()
+ handle.write('secret "%s";\n' % secret)
+
+ changed = True
+
+ module.exit_json(changed=changed)
diff --git a/roles/fastd/defaults/main.yml b/roles/fastd/defaults/main.yml
new file mode 100644
index 0000000..9179c53
--- /dev/null
+++ b/roles/fastd/defaults/main.yml
@@ -0,0 +1,9 @@
+batman_interface: bat-{{ site_code }}
+
+fastd_anonymous: true
+fastd_bind: any
+fastd_instance: "{{ site_code }}"
+fastd_interface: vpn-{{ site_code }}
+fastd_mtu: 1280
+fastd_peers_limit: -1
+fastd_port: 50000
diff --git a/roles/fastd/handlers/main.yml b/roles/fastd/handlers/main.yml
new file mode 100644
index 0000000..0e447ca
--- /dev/null
+++ b/roles/fastd/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+
+- name: Restart fastd
+ service: name=fastd@{{ site_code }} state=restarted
+
+- name: Reload systemd
+ command: systemctl daemon-reload
diff --git a/roles/fastd/tasks/main.yml b/roles/fastd/tasks/main.yml
new file mode 100644
index 0000000..fb1e676
--- /dev/null
+++ b/roles/fastd/tasks/main.yml
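Review bot: `subprocess` is used at the `check_output` call but never imported; the module only works because `from ansible.module_utils.basic import *` happens to export that name, which is not a documented part of that interface, so add an explicit `import subprocess` next to `import os`. The `0600` mode passed to `os.open` applies only when the file is created, so in the "exists but is empty" branch of the `if` a pre-existing file keeps whatever mode it already has and the secret may be written into a world-readable file; an `os.fchmod` on the descriptor covers both cases (and `0o600` is the spelling accepted by both Python 2.6+ and 3). A failing `fastd` invocation (binary missing, non-zero exit) raises `OSError`/`CalledProcessError` out of the module as a traceback instead of going through `module.fail_json`, and because the file is opened before the key is generated the failure also leaves an empty `secret.conf` behind. Generating the key first and reporting failures through `fail_json` addresses both, as sketched below.
```python
    # … unchanged: argument_spec, path and changed setup …
    if not os.path.isfile(path) or os.stat(path).st_size == 0:
        # generate the key first so a failure leaves no empty secret.conf behind
        try:
            secret = subprocess.check_output(
                ["fastd", "--machine-readable", "--generate-key"]).strip()
        except (OSError, subprocess.CalledProcessError) as err:
            module.fail_json(msg="fastd key generation failed: %s" % err)
        # the mode argument of os.open applies only on creation; fchmod also
        # tightens a pre-existing (empty) file before the secret is written
        fd = os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)
        os.fchmod(fd, 0o600)
        with os.fdopen(fd, 'w') as handle:
            handle.write('secret "%s";\n' % secret)
        changed = True
```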
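Review bot: Handlers run in the order they are defined in this file, not the order in which they are notified, so `Restart fastd` (defined first) fires before `Reload systemd`, and the unit edited by `Fix systemd unit for fastd` in roles/fastd/tasks/main.yml is restarted from the stale definition on the first run. Define `Reload systemd` above `Restart fastd`. The handler also restarts `fastd@{{ site_code }}` while the directories and config in the tasks file are keyed on `fastd_instance`; `service: name=fastd@{{ fastd_instance }} state=restarted` keeps them aligned when that variable is overridden.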
@@ -0,0 +1,34 @@
+---
+
+- name: Enable backports
+ apt_repository: repo='deb http://httpredir.debian.org/debian jessie-backports main' state=present
+
+- name: Install fastd
+ apt: name=fastd default_release=jessie-backports state=latest
+
+- name: Install haveged (to create entropy)
+ apt: name=haveged
+
+- name: Copy systemd unit file
+ command: /bin/cp /lib/systemd/system/fastd@.service /etc/systemd/system/fastd@.service creates=/etc/systemd/system/fastd@.service
+
+- name: Fix systemd unit for fastd
+ lineinfile:
+ dest: /etc/systemd/system/fastd@.service
+ line: "ExecStopPost=/bin/rm -f /run/fastd-%I.sock"
+ regexp: "^ExecStopPost="
+ insertafter: "^ExecReload="
+ notify:
+ - Reload systemd
+ - Restart fastd
+
+- name: Create directories
+ file: path=/etc/fastd/{{ fastd_instance }}/peers state=directory
+
+- name: Configure fastd
+ template: src=fastd.conf.j2 dest=/etc/fastd/{{ fastd_instance }}/fastd.conf
+ notify: Restart fastd
+
+- name: Generate fastd secret
+ fastd_key: path=/etc/fastd/{{ site_code }}/secret.conf
+ notify: Restart fastd
diff --git a/roles/fastd/templates/fastd.conf.j2 b/roles/fastd/templates/fastd.conf.j2
new file mode 100644
index 0000000..a341482
--- /dev/null
+++ b/roles/fastd/templates/fastd.conf.j2
@@ -0,0 +1,31 @@
+# {{ ansible_managed }}
+
+log to syslog level warn;
+hide ip addresses yes;
+status socket "/run/fastd-{{ fastd_instance }}.sock";
+
+interface "{{ fastd_interface }}";
+
+method "salsa2012+umac";
+method "xsalsa20-poly1305";
+
+secure handshakes yes;
+
+bind {{ fastd_bind }}:{{ fastd_port }};
+
+include "secret.conf";
+
+mtu {{ fastd_mtu }};
+
+{% if fastd_peers_limit > -1 %}
+peer limit {{ fastd_peers_limit }};
+{% endif %}
+
+on up "ifup --allow hotplug {{ fastd_interface }}";
+on down "ifdown --allow hotplug {{ fastd_interface }}";
+
+{% if fastd_anonymous %}
+on verify "/etc/fastd/{{ site_code }}/blacklist.sh /opt/{{ site_code }}/vpn-blacklist/blacklist.json";
+{% endif %}
+
+include peers from "peers";
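Review bot: `Generate fastd secret` writes to `/etc/fastd/{{ site_code }}/secret.conf` while `Create directories` and `Configure fastd` use `/etc/fastd/{{ fastd_instance }}/…`; with the default `fastd_instance: "{{ site_code }}"` the paths coincide, but any override leaves the config's `include "secret.conf"` pointing at a file written into a different directory, so use `fastd_key: path=/etc/fastd/{{ fastd_instance }}/secret.conf`. Nothing in this task list enables or starts `fastd@{{ fastd_instance }}`: the only start path is the `Restart fastd` handler, which runs only when a notifying task reports a change, so nothing is enabled at boot and a run whose handlers are skipped ends without a running instance — add `service: name=fastd@{{ fastd_instance }} enabled=yes state=started` after `Generate fastd secret`. `apt: name=fastd default_release=jessie-backports state=latest` also upgrades the package on every run; `state=present` keeps the role idempotent unless tracking backports continuously is the intent.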
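Review bot: The `on verify` line references `/etc/fastd/{{ site_code }}/blacklist.sh` and `/opt/{{ site_code }}/vpn-blacklist/blacklist.json`, and nothing in this role (tasks or templates) deploys either file, while `fastd_anonymous: true` is the default that enables the line; presumably an absent verify command means fastd can never get an accept verdict for unknown peers, so the anonymous mode this is meant to provide would silently not work — confirm against fastd's handling of a failed verify command. Either ship the script with this role or document the external dependency in the template, e.g. `{# blacklist.sh and blacklist.json are provided by a separate role — TODO name it #}`. The path also uses `site_code` where the rest of the template (status socket, config directory in the tasks file) is keyed on `fastd_instance`.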
diff --git a/site.yml b/site.yml index 1a3fd81..8953774 100644 --- a/site.yml +++ b/site.yml @@ -6,6 +6,11 @@ - common - ntp +- name: Setup gateway servers + hosts: gw31.regensburg.freifunk.net + roles: + - fastd + - name: Setup confluence server hosts: confluence.regensburg.freifunk.net roles:
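Review bot: The new play targets the single host `gw31.regensburg.freifunk.net` while host_vars for gw11 and gw21 are added in the same commit; if limiting the fastd role to the test gateway is deliberate, a one-line comment above the play such as `# fastd is rolled out to the test gateway first; gw11/gw21 follow` saves the next reader from treating it as an omission. Using an inventory group in `hosts` (for example a `gateways` group holding the three hosts) would let the remaining gateways be added without editing site.yml.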