service-fastd-mesh: use fastd-limiter and "on verify" to limit peers
parent
ecdcb4c294
commit
b2373c17ac
6 changed files with 5 additions and 135 deletions
|
@ -6,59 +6,15 @@
|
|||
mode: 0755
|
||||
loop: "{{ meshes | subelements('fastd.nodes.instances') }}"
|
||||
|
||||
- name: create fastd peer mesh directories
|
||||
file:
|
||||
path: "/etc/fastd/{{ item.0.id }}vpn-{{ item.1.mtu }}/peers"
|
||||
state: directory
|
||||
mode: 0755
|
||||
owner: admin
|
||||
group: admin
|
||||
loop: "{{ meshes | subelements('fastd.nodes.instances') }}"
|
||||
|
||||
- name: clone fastd peer mesh repos
|
||||
git:
|
||||
repo: "{{ item.1.peers.repo }}"
|
||||
dest: "/etc/fastd/{{ item.0.id }}vpn-{{ item.1.mtu }}/peers"
|
||||
version: "{{ item.1.peers.version }}"
|
||||
update: no
|
||||
loop: "{{ meshes | subelements('fastd.nodes.instances') }}"
|
||||
become: false
|
||||
|
||||
- name: template fastd mesh config
|
||||
template:
|
||||
src: fastd-mesh.conf.j2
|
||||
dest: "/etc/fastd/{{ item.0.id }}vpn-{{ item.1.mtu }}/fastd.conf"
|
||||
mode: 0640
|
||||
notify: restart fastd mesh instances
|
||||
loop: "{{ meshes | subelements('fastd.nodes.instances') }}"
|
||||
tags: debug
|
||||
|
||||
- name: write fastd mesh secret
|
||||
template:
|
||||
src: fastd-secret.conf.j2
|
||||
dest: "/etc/fastd/{{ item.0.id }}vpn-{{ item.1.mtu }}/secret.conf"
|
||||
notify: restart fastd mesh instances
|
||||
loop: "{{ meshes | subelements('fastd.nodes.instances') }}"
|
||||
|
||||
- name: copy peer_limit.conf if not exist
|
||||
copy:
|
||||
src: peer_limit.conf
|
||||
dest: "/etc/fastd/{{ item.0.id }}vpn-{{ item.1.mtu }}/peer_limit.conf"
|
||||
owner: admin
|
||||
group: admin
|
||||
mode: 0640
|
||||
force: no
|
||||
notify: restart fastd mesh instances
|
||||
loop: "{{ meshes | subelements('fastd.nodes.instances') }}"
|
||||
|
||||
- name: set file attributes for peer_limit.conf
|
||||
file:
|
||||
path: "/etc/fastd/{{ item.0.id }}vpn-{{ item.1.mtu }}/peer_limit.conf"
|
||||
mode: 0640
|
||||
owner: admin
|
||||
group: admin
|
||||
notify: restart fastd mesh instances
|
||||
loop: "{{ meshes | subelements('fastd.nodes.instances') }}"
|
||||
|
||||
- name: install redis-server
|
||||
apt:
|
||||
name: redis-server
|
||||
|
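Review bot: Hosts provisioned before this change keep `/etc/fastd/…/peer_limit.conf`, `/var/www/html/fastd_status.json`, `/home/admin/.ffmwu-config/fastd_peer_limit_config.yaml` and the `fastd-peer-limit-update.service`/`.timer` units, because the tasks that wrote them are only deleted here and in the second hunk of this file, not replaced by removal tasks. The timer in particular stays enabled on such hosts and keeps running `limit_fastd_peers_gw.py` every five minutes against a `peer_limit.conf` that fastd no longer includes, and the status JSON stays published from the webroot. Adding `state: absent` tasks for those paths, with the timer stopped and disabled before its unit files are removed, lets the role converge on already-deployed gateways. Separately, the private key is now rendered straight into fastd.conf (see the template hunk), so if the `template fastd mesh config` task with `mode: 0640` survives on the new side it should also set `owner: root` and `group: root` explicitly, so the key's readability does not depend on the become user.
```yaml
# … unchanged: remaining fastd mesh tasks …

- name: check for legacy fastd-peer-limit-update timer
  stat:
    path: /etc/systemd/system/fastd-peer-limit-update.timer
  register: legacy_peer_limit_timer

- name: stop and disable legacy fastd-peer-limit-update timer
  systemd:
    name: fastd-peer-limit-update.timer
    state: stopped
    enabled: false
  when: legacy_peer_limit_timer.stat.exists

- name: remove legacy peer-limit artefacts
  file:
    path: "{{ item }}"
    state: absent
  loop:
    - /etc/systemd/system/fastd-peer-limit-update.service
    - /etc/systemd/system/fastd-peer-limit-update.timer
    - /home/admin/.ffmwu-config/fastd_peer_limit_config.yaml
    - /var/www/html/fastd_status.json
  notify: reload systemd

- name: remove legacy peer_limit.conf per fastd instance
  file:
    path: "/etc/fastd/{{ item.0.id }}vpn-{{ item.1.mtu }}/peer_limit.conf"
    state: absent
  loop: "{{ meshes | subelements('fastd.nodes.instances') }}"
  notify: restart fastd mesh instances
```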
@ -125,40 +81,6 @@
|
|||
mode: 0644
|
||||
notify: reload systemd
|
||||
|
||||
- name: create fastd_status.json file
|
||||
file:
|
||||
path: /var/www/html/fastd_status.json
|
||||
state: touch
|
||||
owner: admin
|
||||
group: admin
|
||||
mode: 0644
|
||||
|
||||
- name: write configuration for fastd-peer-limit-update script
|
||||
template:
|
||||
src: fastd_peer_limit_config.yaml.j2
|
||||
dest: /home/admin/.ffmwu-config/fastd_peer_limit_config.yaml
|
||||
owner: admin
|
||||
group: admin
|
||||
mode: 0644
|
||||
|
||||
- name: write systemd unit fastd-peer-limit-update.service
|
||||
template:
|
||||
src: fastd-peer-limit-update.service.j2
|
||||
dest: /etc/systemd/system/fastd-peer-limit-update.service
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
notify: reload systemd
|
||||
|
||||
- name: write systemd timer fastd-peer-limit-update.timer
|
||||
template:
|
||||
src: fastd-peer-limit-update.timer.j2
|
||||
dest: /etc/systemd/system/fastd-peer-limit-update.timer
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
notify: reload systemd
|
||||
|
||||
- name: configure systemd timers for fastd-mesh instance
|
||||
systemd:
|
||||
name: "{{ item }}.timer"
|
||||
|
|
|
@ -16,14 +16,12 @@ interface "{{ item.0.id }}vpn-{{ item.1.mtu }}";
|
|||
bind {{ ansible_default_ipv4.address | ipaddr('public') }}:10{{ item.1.id }}{{ '%02d' % item.0.domain_number }};
|
||||
bind {{ ansible_default_ipv6.address | ipaddr('public') | ipwrap }}:10{{ item.1.id }}{{ '%02d' % item.0.domain_number }};
|
||||
|
||||
include "secret.conf";
|
||||
mtu {{ item.1.mtu }};
|
||||
secret "{{ lookup('passwordstore', item.1.pass + '/' + inventory_hostname_short + ' subkey=secret') }}";
|
||||
|
||||
peer group "vpn_nodes" {
|
||||
include "peer_limit.conf";
|
||||
include peers from "peers";
|
||||
}
|
||||
mtu {{ item.1.mtu }};
|
||||
|
||||
on up "/bin/systemctl reload networking";
|
||||
|
||||
on verify "{{ gopath }}/bin/fastd-limiter verify $PEER_KEY";
|
||||
|
||||
status socket "/var/run/fastd-{{ item.0.id }}vpn-{{ item.1.mtu }}.status";
|
||||
|
|
|
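Review bot: The `on verify` line makes acceptance of every peer not present under `peers` depend on the exit status of `{{ gopath }}/bin/fastd-limiter`, but nothing in this commit's visible hunks installs that binary or defines `gopath`; an undefined `gopath` fails the template render, while a missing or non-executable binary makes fastd reject all unlisted peers (non-zero exit status), which fails safe but presents as a silent outage with nothing in the Ansible run to point at it. Confirm the role provides both, and consider `on verify async "{{ gopath }}/bin/fastd-limiter verify $PEER_KEY";` if the deployed fastd supports the async variant, since a synchronous hook holds up fastd while the limiter consults its backend. Because the secret is now inlined into fastd.conf instead of the separate `secret.conf`, the file's mode and ownership set by the `template fastd mesh config` task (first hunk of the tasks file) are the only protection for the private key; `mode: 0640` alone leaves owner and group to the become user.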
@ -1,10 +0,0 @@
|
|||
#
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
[Unit]
|
||||
Description=Update fastd peer limits
|
||||
|
||||
[Service]
|
||||
ExecStart=/home/admin/clones/backend-scripts/limit_fastd_peers_gw.py
|
||||
User=admin
|
||||
Group=admin
|
|
@ -1,12 +0,0 @@
|
|||
#
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
[Unit]
|
||||
Description=Timer which schedules fastd-peer-limit-update.service
|
||||
|
||||
[Timer]
|
||||
OnBootSec=5min
|
||||
OnUnitActiveSec=5min
|
||||
|
||||
[Install]
|
||||
WantedBy=timers.target
|
|
@ -1,4 +0,0 @@
|
|||
#
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
secret "{{ lookup('passwordstore', item.1.pass + '/' + inventory_hostname_short + ' subkey=secret') }}";
|
|
@ -1,24 +0,0 @@
|
|||
#
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
ansible_gate: True
|
||||
additional: 8
|
||||
fastd_instances:
|
||||
{% for mesh in meshes %}
|
||||
{% for instance in mesh.fastd.nodes.instances %}
|
||||
- {{ mesh.id }}vpn-{{ instance.mtu }}
|
||||
{% endfor %}
|
||||
{% endfor %}
|
||||
cronlog: '/home/admin/.cronlog/limit.%s.log'
|
||||
fastd_config: '/etc/fastd/%s/peer_limit.conf'
|
||||
fastd_status: '/usr/local/bin/fastd-status'
|
||||
gateways:
|
||||
{% for gateway in groups['ffmwu-gateways'] %}
|
||||
- {{ gateway.rsplit('.freifunk-mwu.de')[0] }}
|
||||
{% endfor %}
|
||||
restart_max: 43200
|
||||
stat: 'fastd_status.json'
|
||||
stat_ext: 'http://%s.freifunk-mwu.de/%s'
|
||||
stat_local: '/var/www/html/%s'
|
||||
remote_fetch_timeout: 10
|
||||
remote_data_timeout: 900
|