service-fastd-mesh: use fastd-limiter and "on verify" to limit peers

2019-04-09 12:50:32 +02:00 · 2019-04-09 12:50:32 +02:00 · b2373c17ac
commit b2373c17ac
parent ecdcb4c294
6 changed files with 5 additions and 135 deletions
--- a/roles/service-fastd-mesh/tasks/main.yml
+++ b/roles/service-fastd-mesh/tasks/main.yml
@ -6,59 +6,15 @@
    mode: 0755
  loop: "{{ meshes | subelements('fastd.nodes.instances') }}"

- name: create fastd peer mesh directories
-  file:
-    path: "/etc/fastd/{{ item.0.id }}vpn-{{ item.1.mtu }}/peers"
-    state: directory
-    mode: 0755
-    owner: admin
-    group: admin
-  loop: "{{ meshes | subelements('fastd.nodes.instances') }}"
-
- name: clone fastd peer mesh repos
-  git:
-    repo: "{{ item.1.peers.repo }}"
-    dest: "/etc/fastd/{{ item.0.id }}vpn-{{ item.1.mtu }}/peers"
-    version: "{{ item.1.peers.version }}"
-    update: no
-  loop: "{{ meshes | subelements('fastd.nodes.instances') }}"
-  become: false
-
 - name: template fastd mesh config
  template:
    src: fastd-mesh.conf.j2
    dest: "/etc/fastd/{{ item.0.id }}vpn-{{ item.1.mtu }}/fastd.conf"
+    mode: 0640
  notify: restart fastd mesh instances
  loop: "{{ meshes | subelements('fastd.nodes.instances') }}"
  tags: debug

- name: write fastd mesh secret
-  template:
-    src: fastd-secret.conf.j2
-    dest: "/etc/fastd/{{ item.0.id }}vpn-{{ item.1.mtu }}/secret.conf"
-  notify: restart fastd mesh instances
-  loop: "{{ meshes | subelements('fastd.nodes.instances') }}"
-
- name: copy peer_limit.conf if not exist
-  copy:
-    src: peer_limit.conf
-    dest: "/etc/fastd/{{ item.0.id }}vpn-{{ item.1.mtu }}/peer_limit.conf"
-    owner: admin
-    group: admin
-    mode: 0640
-    force: no
-  notify: restart fastd mesh instances
-  loop: "{{ meshes | subelements('fastd.nodes.instances') }}"
-
- name: set file attributes for peer_limit.conf
-  file:
-    path: "/etc/fastd/{{ item.0.id }}vpn-{{ item.1.mtu }}/peer_limit.conf"
-    mode: 0640
-    owner: admin
-    group: admin
-  notify: restart fastd mesh instances
-  loop: "{{ meshes | subelements('fastd.nodes.instances') }}"
-
 - name: install redis-server
  apt:
    name: redis-server
@ -125,40 +81,6 @@
    mode: 0644
  notify: reload systemd

- name: create fastd_status.json file
-  file:
-    path: /var/www/html/fastd_status.json
-    state: touch
-    owner: admin
-    group: admin
-    mode: 0644
-
- name: write configuration for fastd-peer-limit-update script
-  template:
-    src: fastd_peer_limit_config.yaml.j2
-    dest: /home/admin/.ffmwu-config/fastd_peer_limit_config.yaml
-    owner: admin
-    group: admin
-    mode: 0644
-
- name: write systemd unit fastd-peer-limit-update.service
-  template:
-    src: fastd-peer-limit-update.service.j2
-    dest: /etc/systemd/system/fastd-peer-limit-update.service
-    owner: root
-    group: root
-    mode: 0644
-  notify: reload systemd
-
- name: write systemd timer fastd-peer-limit-update.timer
-  template:
-    src: fastd-peer-limit-update.timer.j2
-    dest: /etc/systemd/system/fastd-peer-limit-update.timer
-    owner: root
-    group: root
-    mode: 0644
-  notify: reload systemd
-
 - name: configure systemd timers for fastd-mesh instance
  systemd:
    name: "{{ item }}.timer"
--- a/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2
+++ b/roles/service-fastd-mesh/templates/fastd-mesh.conf.j2
@ -16,14 +16,12 @@ interface "{{ item.0.id }}vpn-{{ item.1.mtu }}";
 bind {{ ansible_default_ipv4.address | ipaddr('public') }}:10{{ item.1.id }}{{ '%02d' % item.0.domain_number }};
 bind {{ ansible_default_ipv6.address | ipaddr('public') | ipwrap }}:10{{ item.1.id }}{{ '%02d' % item.0.domain_number }};

-include "secret.conf";
-mtu {{ item.1.mtu }};
+secret "{{ lookup('passwordstore', item.1.pass + '/' + inventory_hostname_short + ' subkey=secret') }}";

-peer group "vpn_nodes" {
-    include "peer_limit.conf";
-    include peers from "peers";
-}
+mtu {{ item.1.mtu }};

 on up "/bin/systemctl reload networking";

+on verify "{{ gopath }}/bin/fastd-limiter verify $PEER_KEY";
+
 status socket "/var/run/fastd-{{ item.0.id }}vpn-{{ item.1.mtu }}.status";
--- a/roles/service-fastd-mesh/templates/fastd-peer-limit-update.service.j2
+++ b/roles/service-fastd-mesh/templates/fastd-peer-limit-update.service.j2
@ -1,10 +0,0 @@
-#
-# {{ ansible_managed }}
-#
-[Unit]
-Description=Update fastd peer limits
-
-[Service]
-ExecStart=/home/admin/clones/backend-scripts/limit_fastd_peers_gw.py
-User=admin
-Group=admin
--- a/roles/service-fastd-mesh/templates/fastd-peer-limit-update.timer.j2
+++ b/roles/service-fastd-mesh/templates/fastd-peer-limit-update.timer.j2
@ -1,12 +0,0 @@
-#
-# {{ ansible_managed }}
-#
-[Unit]
-Description=Timer which schedules fastd-peer-limit-update.service
-
-[Timer]
-OnBootSec=5min
-OnUnitActiveSec=5min
-
-[Install]
-WantedBy=timers.target
--- a/roles/service-fastd-mesh/templates/fastd-secret.conf.j2
+++ b/roles/service-fastd-mesh/templates/fastd-secret.conf.j2
@ -1,4 +0,0 @@
-#
-# {{ ansible_managed }}
-#
-secret "{{ lookup('passwordstore', item.1.pass + '/' + inventory_hostname_short + ' subkey=secret') }}";
--- a/roles/service-fastd-mesh/templates/fastd_peer_limit_config.yaml.j2
+++ b/roles/service-fastd-mesh/templates/fastd_peer_limit_config.yaml.j2
@ -1,24 +0,0 @@
-#
-# {{ ansible_managed }}
-#
-ansible_gate: True
-additional: 8
-fastd_instances:
-{% for mesh in meshes %}
-{% for instance in mesh.fastd.nodes.instances %}
-  - {{ mesh.id }}vpn-{{ instance.mtu }}
-{% endfor %}
-{% endfor %}
-cronlog: '/home/admin/.cronlog/limit.%s.log'
-fastd_config: '/etc/fastd/%s/peer_limit.conf'
-fastd_status: '/usr/local/bin/fastd-status'
-gateways:
-{% for gateway in groups['ffmwu-gateways'] %}
-  - {{ gateway.rsplit('.freifunk-mwu.de')[0] }}
-{% endfor %}
-restart_max: 43200
-stat: 'fastd_status.json'
-stat_ext: 'http://%s.freifunk-mwu.de/%s'
-stat_local: '/var/www/html/%s'
-remote_fetch_timeout: 10
-remote_data_timeout: 900