Add fastd role and depoly to test gateway

README.md

@@ -2,7 +2,11 @@ Ansible Freifunk Regensburg
 ===========================
 
 ## Running Ansible
-`ansible-playbook --ask-vault-pass -i hosts site.yml`
+To deploy all defined roles on all servers simple run `ansible-playbook --ask-vault-pass -i hosts site.yml`
 
 
 TBA
+
+## Notes
+
+Some roles are derived from https://github.com/FreifunkBremen/ansible/

host_vars/gw11.regensburg.freifunk.net

@@ -0,0 +1,3 @@
+---
+
+site_code: ffrgb_stadt

host_vars/gw21.regensburg.freifunk.net

@@ -0,0 +1,3 @@
+---
+
+site_code: ffrgb_umland

host_vars/gw31.regensburg.freifunk.net

@@ -0,0 +1,3 @@
+---
+
+site_code: ffrgb_test

library/fastd_key

@@ -0,0 +1,31 @@
+#!/usr/bin/env python
+
+EXAMPLES = '''
+# Generates a fastd key
+- fastd_key: path=/etc/fastd/site/secret.conf
+'''
+
+from ansible.module_utils.basic import *
+import os
+
+if __name__ == '__main__':
+  module = AnsibleModule(
+    argument_spec={
+      'path': {'required': True, 'type': 'str'},
+    }
+  )
+
+  path = module.params['path']
+  changed = False
+
+  # file does not exist or is empty?
+  if not os.path.isfile(path) or os.stat(path).st_size == 0:
+    # create file with restrictive permissions
+    with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT, 0600), 'w') as handle:
+      # generate fastd secret
+      secret = subprocess.check_output(["fastd", "--machine-readable", "--generate-key"]).strip()
+      handle.write('secret "%s";\n' % secret)
+
+    changed = True
+
+  module.exit_json(changed=changed)

roles/fastd/defaults/main.yml

@@ -0,0 +1,9 @@
+batman_interface: bat-{{ site_code }}
+
+fastd_anonymous: true
+fastd_bind: any
+fastd_instance: "{{ site_code }}"
+fastd_interface: vpn-{{ site_code }}
+fastd_mtu: 1280
+fastd_peers_limit: -1
+fastd_port: 50000

roles/fastd/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Restart fastd
+  service: name=fastd@{{ site_code }} state=restarted
+
+- name: Reload systemd
+  command: systemctl daemon-reload

roles/fastd/tasks/main.yml

@@ -0,0 +1,34 @@
+---
+
+- name: Enable backports
+  apt_repository: repo='deb http://httpredir.debian.org/debian jessie-backports main' state=present
+
+- name: Install fastd
+  apt: name=fastd default_release=jessie-backports state=latest
+
+- name: Install haveged (to create entropy)
+  apt: name=haveged
+
+- name: Copy systemd unit file
+  command: /bin/cp /lib/systemd/system/fastd@.service /etc/systemd/system/fastd@.service creates=/etc/systemd/system/fastd@.service
+
+- name: Fix systemd unit for fastd
+  lineinfile:
+    dest: /etc/systemd/system/fastd@.service
+    line: "ExecStopPost=/bin/rm -f /run/fastd-%I.sock"
+    regexp: "^ExecStopPost="
+    insertafter: "^ExecReload="
+  notify:
+  - Reload systemd
+  - Restart fastd
+
+- name: Create directories
+  file: path=/etc/fastd/{{ fastd_instance }}/peers state=directory
+
+- name: Configure fastd
+  template: src=fastd.conf.j2 dest=/etc/fastd/{{ fastd_instance }}/fastd.conf
+  notify: Restart fastd
+
+- name: Generate fastd secret
+  fastd_key: path=/etc/fastd/{{ site_code }}/secret.conf
+  notify: Restart fastd

roles/fastd/templates/fastd.conf.j2

@@ -0,0 +1,31 @@
+# {{ ansible_managed }}
+
+log to syslog level warn;
+hide ip addresses yes;
+status socket "/run/fastd-{{ fastd_instance }}.sock";
+
+interface "{{ fastd_interface }}";
+
+method "salsa2012+umac";
+method "xsalsa20-poly1305";
+
+secure handshakes yes;
+
+bind {{ fastd_bind }}:{{ fastd_port }};
+
+include "secret.conf";
+
+mtu {{ fastd_mtu }};
+
+{% if fastd_peers_limit > -1 %}
+peer limit {{ fastd_peers_limit }};
+{% endif %}
+
+on up "ifup --allow hotplug {{ fastd_interface }}";
+on down "ifdown --allow hotplug {{ fastd_interface }}";
+
+{% if fastd_anonymous %}
+on verify "/etc/fastd/{{ site_code }}/blacklist.sh /opt/{{ site_code }}/vpn-blacklist/blacklist.json";
+{% endif %}
+
+include peers from "peers";

site.yml

@@ -6,6 +6,11 @@
   - common
   - ntp
 
+- name: Setup gateway servers
+  hosts: gw31.regensburg.freifunk.net
+  roles:
+  - fastd
+
 - name: Setup confluence server
   hosts: confluence.regensburg.freifunk.net
   roles: