Add fastd role and depoly to test gateway

This commit is contained in:
Markus 2017-03-26 21:33:16 +02:00
parent 07be015aac
commit 16982a5bd0
10 changed files with 131 additions and 1 deletions


@ -2,7 +2,11 @@ Ansible Freifunk Regensburg
=========================== ===========================
## Running Ansible ## Running Ansible
`ansible-playbook --ask-vault-pass -i hosts site.yml` To deploy all defined roles on all servers simple run `ansible-playbook --ask-vault-pass -i hosts site.yml`
TBA TBA
## Notes
Some roles are derived from https://github.com/FreifunkBremen/ansible/


@ -0,0 +1,3 @@
---
site_code: ffrgb_stadt


@ -0,0 +1,3 @@
---
site_code: ffrgb_umland


@ -0,0 +1,3 @@
---
site_code: ffrgb_test

31
library/fastd_key Normal file

@ -0,0 +1,31 @@
#!/usr/bin/env python
EXAMPLES = '''
# Generates a fastd key
- fastd_key: path=/etc/fastd/site/secret.conf
'''
from ansible.module_utils.basic import *
import os
if __name__ == '__main__':
module = AnsibleModule(
argument_spec={
'path': {'required': True, 'type': 'str'},
}
)
path = module.params['path']
changed = False
# file does not exist or is empty?
if not os.path.isfile(path) or os.stat(path).st_size == 0:
# create file with restrictive permissions
with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT, 0600), 'w') as handle:
# generate fastd secret
secret = subprocess.check_output(["fastd", "--machine-readable", "--generate-key"]).strip()
handle.write('secret "%s";\n' % secret)
changed = True
module.exit_json(changed=changed)


@ -0,0 +1,9 @@
batman_interface: bat-{{ site_code }}
fastd_anonymous: true
fastd_bind: any
fastd_instance: "{{ site_code }}"
fastd_interface: vpn-{{ site_code }}
fastd_mtu: 1280
fastd_peers_limit: -1
fastd_port: 50000
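Review bot: `fastd_interface: vpn-{{ site_code }}` and `batman_interface: bat-{{ site_code }}` expand to 16-character names for the `ffrgb_umland` site code added in this commit, which exceeds the 15 usable characters Linux allows for an interface name (IFNAMSIZ is 16 including the terminator), so interface creation and the `ifup` hooks would presumably fail for that site; a shorter prefix, or a separate short site identifier used only here, avoids it. The file also lacks a `---` document start, and the two Jinja-bearing values are unquoted while `fastd_instance` is quoted — `fastd_interface: "vpn-{{ site_code }}"` and `batman_interface: "bat-{{ site_code }}"` keep the style uniform.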


@ -0,0 +1,7 @@
---
- name: Restart fastd
service: name=fastd@{{ site_code }} state=restarted
- name: Reload systemd
command: systemctl daemon-reload
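Review bot: The handler restarts `fastd@{{ site_code }}` while the role's directory and config tasks key on `fastd_instance` (tasks file, lines 110 and 112), and the secret task (line 115) and the template's `on verify` path (line 138) switch back to `site_code`. That only holds together while `fastd_instance` keeps its default of `site_code`; overriding it splits the configuration across two directories and restarts a unit that never reads them. Use one variable throughout, e.g. `service: name=fastd@{{ fastd_instance }} state=restarted` here and `path=/etc/fastd/{{ fastd_instance }}/secret.conf` in the secret task.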


@ -0,0 +1,34 @@
---
- name: Enable backports
apt_repository: repo='deb http://httpredir.debian.org/debian jessie-backports main' state=present
- name: Install fastd
apt: name=fastd default_release=jessie-backports state=latest
- name: Install haveged (to create entropy)
apt: name=haveged
- name: Copy systemd unit file
command: /bin/cp /lib/systemd/system/fastd@.service /etc/systemd/system/fastd@.service creates=/etc/systemd/system/fastd@.service
- name: Fix systemd unit for fastd
lineinfile:
dest: /etc/systemd/system/fastd@.service
line: "ExecStopPost=/bin/rm -f /run/fastd-%I.sock"
regexp: "^ExecStopPost="
insertafter: "^ExecReload="
notify:
- Reload systemd
- Restart fastd
- name: Create directories
file: path=/etc/fastd/{{ fastd_instance }}/peers state=directory
- name: Configure fastd
template: src=fastd.conf.j2 dest=/etc/fastd/{{ fastd_instance }}/fastd.conf
notify: Restart fastd
- name: Generate fastd secret
fastd_key: path=/etc/fastd/{{ site_code }}/secret.conf
notify: Restart fastd
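Review bot: No task enables or starts the `fastd@` instance — the unit is only ever touched by the `Restart fastd` handler, so it comes up on the first run only because the config tasks report a change, and it is never enabled for boot. Add a task after `Generate fastd secret`, such as `- name: Enable fastd` / `service: name=fastd@{{ site_code }} enabled=yes state=started`. Separately, `apt: name=fastd default_release=jessie-backports state=latest` upgrades the package on every run; `state=present` keeps the play idempotent and makes upgrades a deliberate change.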


@ -0,0 +1,31 @@
# {{ ansible_managed }}
log to syslog level warn;
hide ip addresses yes;
status socket "/run/fastd-{{ fastd_instance }}.sock";
interface "{{ fastd_interface }}";
method "salsa2012+umac";
method "xsalsa20-poly1305";
secure handshakes yes;
bind {{ fastd_bind }}:{{ fastd_port }};
include "secret.conf";
mtu {{ fastd_mtu }};
{% if fastd_peers_limit > -1 %}
peer limit {{ fastd_peers_limit }};
{% endif %}
on up "ifup --allow hotplug {{ fastd_interface }}";
on down "ifdown --allow hotplug {{ fastd_interface }}";
{% if fastd_anonymous %}
on verify "/etc/fastd/{{ site_code }}/blacklist.sh /opt/{{ site_code }}/vpn-blacklist/blacklist.json";
{% endif %}
include peers from "peers";
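Review bot: With `fastd_anonymous` defaulting to true, the `on verify` line hands fastd `/etc/fastd/{{ site_code }}/blacklist.sh` and `/opt/{{ site_code }}/vpn-blacklist/blacklist.json`, but nothing in this commit's tasks creates either file, so a verify command that cannot be executed would presumably leave every unknown peer rejected. The `on up`/`on down` hooks likewise appear to expect an `allow-hotplug` stanza for the interface that the role does not write. Either provision those pieces from the role or default `fastd_anonymous` to false until they exist, and document the dependency above the line with `{# blacklist.sh and blacklist.json are provisioned outside this role #}`.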


@ -6,6 +6,11 @@
- common - common
- ntp - ntp
- name: Setup gateway servers
hosts: gw31.regensburg.freifunk.net
roles:
- fastd
- name: Setup confluence server - name: Setup confluence server
hosts: confluence.regensburg.freifunk.net hosts: confluence.regensburg.freifunk.net
roles: roles:
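Review bot: The fastd role depends on `site_code` coming from one of the three new `group_vars` files, but the new play pins `hosts: gw31.regensburg.freifunk.net` and nothing in the hunk shows which group that host belongs to; if it is in none of them, the role fails at `fastd_instance`. A `gateways` group (or `site_code` set in `host_vars` for gw31) would make the dependency visible next to the play. The enclosing play list continues outside the hunk.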