fastd config differ for gates and for other meshing servers

2016-10-12 20:24:56 +02:00 · 2016-10-12 20:24:56 +02:00 · 40fe1d7fb5
commit 40fe1d7fb5
parent 1a96ad9ef7
9 changed files with 179 additions and 56 deletions
--- a/inventory/group_vars/gates
+++ b/inventory/group_vars/gates
@ -0,0 +1,3 @@
 ---
 fastd_config: 'gate'
--- a/inventory/group_vars/meshing-only-srv
+++ b/inventory/group_vars/meshing-only-srv
@ -0,0 +1,3 @@
 ---
 fastd_config: 'meshing-only'
--- a/inventory/host_vars/local-test-vm.ffmwu.local
+++ b/inventory/host_vars/local-test-vm.ffmwu.local
@ -2,4 +2,5 @@
 # communities inherited as mz, wi
 fastd_config: 'meshing-only'
 fastd_alias: TST_local-vm
--- a/roles/ffmwu-meshing/tasks/mwu-m-fastd-com-g.yml
+++ b/roles/ffmwu-meshing/tasks/mwu-m-fastd-com-g.yml
@ -0,0 +1,15 @@
 ---
 # this file included by mwu-m-fastd-com.yml, which is included in a loop,
 # called seperately for each community
 # => configure fastd for one community here
 # hash describing community expected as "mf_com"; also expected: "f_ssh_keyfile"
 #- debug: var=mf_com
 #- debug: var=f_ssh_keyfile
 - set_fact:
    mf_com_repo: "/etc/fastd/{{mf_com.abbreviation}}VPN/peers"
    mf_com_templ: "fastd.conf-gate"
 - include: mwu-m-fastd-com-r.yml
--- a/roles/ffmwu-meshing/tasks/mwu-m-fastd-com-o.yml
+++ b/roles/ffmwu-meshing/tasks/mwu-m-fastd-com-o.yml
@ -0,0 +1,34 @@
 ---
 # this file included by mwu-m-fastd-com.yml, which is included in a loop,
 # called seperately for each community
 # => configure fastd for one community here
 # hash describing community expected as "mf_com"; also expected: "f_ssh_keyfile"
 #- debug: var=mf_com
 #- debug: var=f_ssh_keyfile
 - name: prepare secure temp dir
  command: mktemp -d --tmpdir ansible-tmp-mf{{mf_com.abbreviation}}.XXXXXXXXXX
  register: tmpdir
 - set_fact:
    mf_com_repo: "{{tmpdir.stdout}}"
    mf_com_templ: "fastd.conf-meshing"
 - include: mwu-m-fastd-com-r.yml
 - name: git add new public key
  command: git add servers
           chdir="{{mf_com_repo}}"
 - name: git commit new public key
  command: git commit -m "add {{ansible_hostname}}"
           chdir="{{mf_com_repo}}"
 - name: git push new public key
  command: git push
           chdir="{{mf_com_repo}}"
 - name: clean up
  file: path="{{mf_com_repo}}" state=absent
--- a/roles/ffmwu-meshing/tasks/mwu-m-fastd-com-r.yml
+++ b/roles/ffmwu-meshing/tasks/mwu-m-fastd-com-r.yml
@ -0,0 +1,73 @@
 ---
 # hash describing community expected as "mf_com";
 # also expected: "f_ssh_keyfile" and "mf_com_repo"
 - name: clone key repo - {{mf_com.abbreviation}}
  git:
    dest: "{{mf_com_repo}}"
    key_file: "{{f_ssh_keyfile.stdout}}"
    repo: "ssh://git@github.com/{{mf_com.repo}}"
    update: no
    accept_hostkey: yes
  # the following is a crude but functional work-around the problem that
  # the git module wouldn't clone the repo with the ssh-config-entry
  # in the url, but git wouldn't push without it (due to missing
  # connection to the ssh key)
 - name: change git url to pushable
  git_config:
    repo: "{{mf_com_repo}}"
    scope: local
    name: "remote.origin.url"
    value: "ssh://github_mwu/{{mf_com.repo}}"
 - name: generate fastd key pair - {{mf_com.abbreviation}}
  command: fastd --generate-key
           creates="/etc/fastd/{{mf_com.abbreviation}}VPN/secret.conf"
  register: f_key_pair
 - block:
 #  - debug: var=f_key_pair
  - name: write out fastd secret key - {{mf_com.abbreviation}}
    lineinfile:
      backup: yes
      create: yes
      dest: "/etc/fastd/{{mf_com.abbreviation}}VPN/secret.conf"
      insertbefore: BOF
      line: secret "{{f_key_pair.stdout_lines[0] |regex_replace('^Secret. ','')}}";
      mode: 0400
      regexp: '^secret ".*";'
      state : present
  - name: write out fastd public key - {{mf_com.abbreviation}}
    lineinfile:
      create: yes
      dest: "{{mf_com_repo}}/servers/{{fastd_alias}}"
      insertbefore: BOF
      line: key "{{f_key_pair.stdout_lines[1] |regex_replace('^Public. ','')}}";
      mode: 0440
      regexp: '^key ".*";'
      state : present
    register: f_pub_key
    ignore_errors: True
  - name: delete secret in case of public failure - {{mf_com.abbreviation}}
    file: path="/etc/fastd/{{mf_com.abbreviation}}VPN/secret.conf" state=absent
    when: f_pub_key.failed is defined
  - fail: msg="FAILED writing fastd key pair"
    when: f_pub_key.failed is defined
  when: f_key_pair.changed
  # end of block
 - name: template out fastd.conf - {{mf_com.abbreviation}}
  template:
    backup: yes
    dest: "/etc/fastd/{{mf_com.abbreviation}}VPN/fastd.conf"
    mode: 0640
    src: "{{mf_com_templ}}"
    validate: 'fastd --verify-config -c %s'
--- a/roles/ffmwu-meshing/tasks/mwu-m-fastd-com.yml
+++ b/roles/ffmwu-meshing/tasks/mwu-m-fastd-com.yml
@ -1,6 +1,7 @@
 ---
 # this file included in a loop, called seperately for each community
 # => configure fastd for one community here
 #    make a difference between gates an meshing-only servers
 # hash describing community expected as "mf_com"; also expected: "f_ssh_keyfile"
 - name: ensure fastd config dir - {{mf_com.abbreviation}}
@ -11,60 +12,10 @@
 #- debug: var=f_ssh_keyfile
- name: clone key repo - {{mf_com.abbreviation}}
+- name: include either gate ...
-  git:
+  include: mwu-m-fastd-com-g.yml
-    dest: "/etc/fastd/{{mf_com.abbreviation}}VPN/peers"
+  when: fastd_config == 'gate'
    key_file: "{{f_ssh_keyfile.stdout}}"
    repo: "ssh://git@github.com/{{mf_com.repo}}"
    update: no
    accept_hostkey: yes
- name: generate fastd key pair - {{mf_com.abbreviation}}
+- name: ... or meshing-only style
-  command: fastd --generate-key
+  include: mwu-m-fastd-com-o.yml
-           creates="/etc/fastd/{{mf_com.abbreviation}}VPN/secret.conf"
+  when: fastd_config == 'meshing-only'
  register: f_key_pair
 - block:
 #  - debug: var=f_key_pair
  - name: write out fastd secret key - {{mf_com.abbreviation}}
    lineinfile:
      backup: yes
      create: yes
      dest: "/etc/fastd/{{mf_com.abbreviation}}VPN/secret.conf"
      insertbefore: BOF
      line: secret "{{f_key_pair.stdout_lines[0] |regex_replace('^Secret. ','')}}";
      mode: 0400
      regexp: '^secret ".*";'
      state : present
  - name: write out fastd public key - {{mf_com.abbreviation}}
    lineinfile:
      create: yes
      dest: "/etc/fastd/{{mf_com.abbreviation}}VPN/peers/servers/{{fastd_alias}}"
      insertbefore: BOF
      line: key "{{f_key_pair.stdout_lines[1] |regex_replace('^Public. ','')}}";
      mode: 0440
      regexp: '^key ".*";'
      state : present
    register: f_pub_key
    ignore_errors: True
  - name: delete secret in case of public failure - {{mf_com.abbreviation}}
    file: path="/etc/fastd/{{mf_com.abbreviation}}VPN/secret.conf" state=absent
    when: f_pub_key.failed is defined
  - fail: msg="FAILED writing fastd key pair"
    when: f_pub_key.failed is defined
  when: f_key_pair.changed
  # end of block
 - name: template out fastd.conf - {{mf_com.abbreviation}}
  template:
    backup: yes
    dest: "/etc/fastd/{{mf_com.abbreviation}}VPN/fastd.conf"
    mode: 0640
    src: fastd.conf
    validate: 'fastd --verify-config -c %s'
--- a/roles/ffmwu-meshing/templates/fastd.conf-gate
+++ b/roles/ffmwu-meshing/templates/fastd.conf-gate
--- a/roles/ffmwu-meshing/templates/fastd.conf-meshing
+++ b/roles/ffmwu-meshing/templates/fastd.conf-meshing
@ -0,0 +1,43 @@
 # fastd.conf
 # from https://github.com/freifunk-mwu/ansible-ffmwu.git
 log level warn;
 hide ip addresses yes;
 hide mac addresses yes;
 interface "{{mf_com.abbreviation}}VPN";
 method "salsa2012+umac";	# new method (faster)
 # Bind to v4 and v6 interfaces
 bind {{ansible_default_ipv4.address}}:{{mf_com.fastd_port}};
 {% if ansible_default_ipv6.address is defined %}
 bind [{{ansible_default_ipv6.address}}]:{{mf_com.fastd_port}};
 {% endif %}
 include "/etc/fastd/{{mf_com.abbreviation}}VPN/secret.conf";
 mtu 1406; # 1492 - IPv4/IPv6 Header - fastd Header...
 secure handshakes yes;
 mode tap;
 peer group "mesh_vpn_backbone" {
    peer limit 4;
    peer "gw_ingwer" {
        key "9b74e90fd68df749e45718eced65268260872e4cf74369b9bf9e9fb42411efe9";
        remote ipv6 "ingwer.freifunk-mwu.de" port {{mf_com.fastd_port}};
    }
    peer "gw_lotuswurzel" {
        key "d73479cc97a87ffd4b256a873e505f3264408ed077b248358c52e8dc82bbfc07";
        remote ipv6 "lotuswurzel.freifunk-mwu.de" port {{mf_com.fastd_port}};
    }
    peer "gw_spinat" {
        key "9e59a202eccabe1aac37d8000e762ecb05e17b3e521f7a54ab693af66e4adfb7";
        remote ipv6 "spinat.freifunk-mwu.de" port {{mf_com.fastd_port}};
    }
    peer "gw_wasserfloh" {
        key "9c00e0534a9dc5232e9bfacb304261f21f24604ad233b648bf52d6b40ca60884";
        remote ipv6 "wasserfloh.freifunk-mwu.de" port {{mf_com.fastd_port}};
    }
 }
 status socket "/var/run/fastd-{{mf_com.abbreviation}}.status";