
fastd: Allow null cipher for node connections

  FFHO firmware 1.4.1 will add support for an opt-in setting to activate the
  null cipher for nodes connecting to our fastd VPN services.

Signed-off-by: Maximilian Wilhelm <max@sdn.clinic>
Maximilian Wilhelm 3 years ago
parent
commit
31f99cbb38
1 changed files with 7 additions and 3 deletions
  1. 7 3
      fastd/fastd.conf

+ 7 - 3
fastd/fastd.conf

@@ -1,6 +1,7 @@
 #
 # {{ site }} / {{ network }} FASTd configuration (Salt managed)
 #
+{%- set node_config = salt['pillar.get']('nodes:' ~ grains['id']) %}
 {%- set meshif = "meshif" %}
 {%- if grains.oscodename != "buster" %}
   {%- set meshif = "-m" %}
@@ -14,10 +15,13 @@ interface "{{ site }}_{{ network }}";
 method "aes128-gcm";
 method "aes128-ctr+umac";
 {%- else %}
-#method "aes128-gcm";		# - Not supported by CPU on this machine
-#method "aes128-ctr+umac";	# - Not supported by CPU on this machine
+#method "aes128-gcm";		# Not supported by CPU on this machine
+#method "aes128-ctr+umac";	# Not supported by CPU on this machine
 {%- endif %}
 method "salsa2012+umac";
+{%- if network_type == 'nodes' and 'batman_gw' in node_config.get ('roles') %}
+method "null";			# Null-cipher for node VPNs
+{% endif %}
 
 {#- Calculating FASTd port depending on network_type #}
 {%- set port = -1 %}
@@ -49,7 +53,7 @@ on up "
 	ip link set $INTERFACE up
 
 	batctl {{ meshif }} {{ bat_iface }} if add $INTERFACE
-{%- if grains.oscodename == "buster" or 'batman-iface-penalty' in salt['pillar.get']('nodes:' ~ grains['id'] ~ ':tags', []) %}
+{%- if grains.oscodename == "buster" or 'batman-iface-penalty' in node_config.get ('tags', []) %}
 	# Make VPN more expensive than intra DC/DCI/WBBL links
 	batctl hardif $INTERFACE hop_penalty 50
 {%- endif %}
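Review bot: The new `node_config` lookup and the `roles` check in the second hunk have no fallback, so a minion whose `nodes:<id>` pillar entry is missing, or whose entry has no `roles` key, now fails the template render (`None.get` / `'batman_gw' in None`), whereas the replaced `salt['pillar.get'](... ~ ':tags', [])` on the old line of the last hunk tolerated an absent entry. Give both lookups a default, `{%- set node_config = salt['pillar.get']('nodes:' ~ grains['id'], {}) %}` in the first hunk and `'batman_gw' in node_config.get('roles', [])` in the second, matching the `.get('tags', [])` already used in the third hunk. Since `method "null"` provides no confidentiality and, as fastd documents it, no authentication, the inline comment should say that the role gate is what limits exposure, e.g. `# Null-cipher for node VPNs: no encryption/authentication, only offered on batman_gw nodes; peers opt in per firmware setting`. If fastd's method negotiation takes the other peer's list order into account, listing `null` last on this side may not by itself stop an opted-in peer from selecting it; worth confirming that is the intended behaviour.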