FreifunkHochstift
/
ffho-salt-public


			
				
					
						
						
							1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495
							#
# {{ site }} / {{ network }} FASTd configuration (Salt managed)
#

log to syslog level info;

interface "{{ site }}_{{ network }}";

{%- if 'aes' in grains.cpu_flags and grains.oscodename not in [ "stretch" ] %}
method "aes128-gcm";
{%- else %}
#method "aes128-gcm";	# - Not supported by CPU on this machine 
{%- endif %}
method "salsa2012+umac";

{#- Calculating FASTd port depending on network_type #}
{%- set port = -1 %}
{%- if network_type == 'nodes' %}
  {%- set port = 10000 + site_no|int %}
{%- elif network_type == 'intergw' %}
  {%- set port = 11000 + site_no|int %}
{%- endif %}

{%- if network in ['nodes4', 'intergw'] %}
bind 0.0.0.0:{{ port }} interface "vrf_external";
{%- endif %}
{%- if network in ['nodes6', 'intergw'] %}
bind [::]:{{ port }} interface "vrf_external";
{%- endif %}

# Mark packets to make sure they are associated to VRF vrf_external.
# Specifying the interface and setsockopt() isn't enough for fastd.
packet mark 0x1023;

secret "{{ secret }}";
mtu 1406;

status socket "/var/run/fastd.{{ site }}_{{ network }}.sock";

on up "
	ip link set $INTERFACE down
	ip link set address {{ mac_address }} dev $INTERFACE
	ip link set $INTERFACE up

	batctl -m {{ bat_iface }} if add $INTERFACE
";

on down "
	batctl -m {{ bat_iface }} if del $INTERFACE
";

{%- if network_type == 'nodes' %}
#on establish    async "/usr/local/bin/ff_log_vpnpeer establish";
#on disestablish async "/usr/local/bin/ff_log_vpnpeer disestablish";

# Nur registrierte Peers -- ALT --
#include peers from "/etc/freifunk/peers";

on verify "/etc/fastd/verify-peer.sh $PEER_KEY $PEER_ADDRESS";

  {%- if peer_limit %}
peer limit {{ peer_limit }};
  {%- endif %}
{%- elif network_type == 'intergw' %}

#
# Set up Inter-Gw-VPN link to all nodes of this site
  {%- set node_is_gw = True if grains.id.startswith('gw') else False %}
  {%- for peer, peer_config in salt['pillar.get']('nodes').items ()|sort if peer != grains.id %}
    {%- if site not in peer_config.get ('sites', {}) %}{% continue %}{% endif %}
    {%- if 'fastd' not in peer_config %}{% continue %}{% endif %}

    {#- non gw nodes are only allowed to connect to gw peers #}
    {%- set peer_is_gw = True if peer.startswith('gw') else False %}
    {%- if not node_is_gw and not peer_is_gw %}{% continue %}{% endif %}

# Peer config for {{ peer }}
peer "{{ peer }}" {
	key "{{ peer_config.get('fastd', {}).get('intergw_pubkey') }}";
    {%- if peer_is_gw %}
      {%- set ips = salt['ffho_net.get_node_iface_ips'](peer_config, 'vrf_external') %}

      {#- set peer IPv4 address #}
      {%- for ipv4 in ips['v4'] %}
	remote {{ ipv4 }}:{{ port }};
      {%- endfor %}

      {#- set peer IPv6 address #}
      {%- for ipv6 in ips['v6'] %}
	remote [{{ ipv6 }}]:{{ port }};
      {%- endfor %}
    {%- endif %}
}
  {%- endfor %}
{%- endif %}