add tinc config for IC vpn

Martin Schütte 2014-05-19 21:36:20 +02:00
parent 2f716a1d6e
commit ed0e497765
3 changed files with 110 additions and 3 deletions


@ -95,6 +95,13 @@ class { 'ff_gw':
dhcprange_start => '10.112.30.2', dhcprange_start => '10.112.30.2',
dhcprange_end => '10.112.31.254', dhcprange_end => '10.112.31.254',
# only for inter-city VPN hosts
gw_do_ic_peering => true,
tinc_name => 'hamburg01',
tinc_keyfile => '/etc/tinc/rsa_key.priv',
ic_vpn_ip4 => '10.207.X.Y',
ic_vpn_ip6 => 'fec0::a:cf:X:Y',
# secret credentials for fastd and vpn # secret credentials for fastd and vpn
secret_key => '...', secret_key => '...',
vpn_ca_crt => '-----BEGIN CERTIFICATE----- vpn_ca_crt => '-----BEGIN CERTIFICATE-----
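Review bot: The example values `ic_vpn_ip4 => '10.207.X.Y'` and `ic_vpn_ip6 => 'fec0::a:cf:X:Y'` are placeholders, but the only comment on the block (`# only for inter-city VPN hosts`) does not say so, and they are interpolated verbatim into the generated `tinc-up` script's `ip addr add` lines, so a copied-but-unedited config would fail at interface bring-up. A comment such as `# X.Y: replace with this community's ICVPN allocation; tinc_name must match its hosts/ entry` would make the contract explicit (the hosts/ coupling is inferred from the tinc.conf template, so confirm). It is also worth stating why `tinc_keyfile` points outside `/etc/tinc/icvpn`: that directory is a git checkout managed by Puppet, and keeping the private key out of it avoids it being tracked or clobbered.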


@ -1,4 +1,4 @@
class ff_gw($ff_net, $ff_mesh_net, $ff_as, $mesh_mac, $gw_ipv4, $gw_ipv6, $secret_key, $vpn_ca_crt, $vpn_usr_crt, $vpn_usr_key, $dhcprange_start, $dhcprange_end, $gw_do_ic_peering = false) { class ff_gw($ff_net, $ff_mesh_net, $ff_as, $mesh_mac, $gw_ipv4, $gw_ipv6, $secret_key, $vpn_ca_crt, $vpn_usr_crt, $vpn_usr_key, $dhcprange_start, $dhcprange_end, $gw_do_ic_peering = false, $tinc_name, $tinc_keyfile, $ic_vpn_ip4, $ic_vpn_ip6) {
class { 'ff_gw::software': } class { 'ff_gw::software': }
-> ->
class { 'ff_gw::fastd': class { 'ff_gw::fastd':
@ -19,8 +19,8 @@ class ff_gw($ff_net, $ff_mesh_net, $ff_as, $mesh_mac, $gw_ipv4, $gw_ipv6, $secre
} }
-> ->
class { 'ff_gw::vpn': class { 'ff_gw::vpn':
usr_crt => $vpn_usr_crt, usr_crt => $vpn_usr_crt,
usr_key => $vpn_usr_key, usr_key => $vpn_usr_key,
ca_crt => $vpn_ca_crt, ca_crt => $vpn_ca_crt,
} }
-> ->
@ -36,6 +36,15 @@ class ff_gw($ff_net, $ff_mesh_net, $ff_as, $mesh_mac, $gw_ipv4, $gw_ipv6, $secre
own_ipv6 => $gw_ipv6, own_ipv6 => $gw_ipv6,
gw_do_ic_peering => $gw_do_ic_peering, gw_do_ic_peering => $gw_do_ic_peering,
} }
if $gw_do_ic_peering {
class { 'ff_gw::tinc':
tinc_name => $tinc_name,
tinc_keyfile => $tinc_keyfile,
ic_vpn_ip4 => $ic_vpn_ip4,
ic_vpn_ip4 => $ic_vpn_ip6
}
}
} }
class ff_gw::software { class ff_gw::software {
@ -69,6 +78,7 @@ class ff_gw::fastd($mesh_mac, $gw_ipv4, $gw_ipv6, $secret_key) {
content => template('ff_gw/etc/fastd/ffhh-mesh-vpn/fastd.conf.erb'); content => template('ff_gw/etc/fastd/ffhh-mesh-vpn/fastd.conf.erb');
'/etc/fastd/ffhh-mesh-vpn/secret.conf': '/etc/fastd/ffhh-mesh-vpn/secret.conf':
ensure => file, ensure => file,
mode => '0600',
content => inline_template('secret "<%= @secret_key %>";'); content => inline_template('secret "<%= @secret_key %>";');
'/root/bin': '/root/bin':
ensure => directory; ensure => directory;
@ -462,3 +472,45 @@ class ff_gw::bird($ff_net, $ff_mesh_net, $ff_as, $own_ipv4, $own_ipv6, $gw_do_ic
require => Service['openvpn'], require => Service['openvpn'],
} }
} }
class ff_gw::tinc($tinc_name, $tinc_keyfile = '/etc/tinc/rsa_key.priv', $ic_vpn_ip4, $ic_vpn_ip6, $version = 'present') {
package {
'tinc':
ensure => $version,
}
->
vcsrepo { '/etc/tinc/icvpn':
ensure => present,
provider => git,
source => 'https://github.com/freifunk/icvpn',
}
->
file {
'/etc/tinc/icvpn/tinc.conf':
ensure => file,
content => template('ff_gw/etc/tinc/icvpn/tinc.conf.erb');
'/etc/tinc/icvpn/tinc-up':
ensure => file,
mode => '0755';
content => inline_template('#!/bin/sh
/sbin/ip link set dev $INTERFACE up
/sbin/ip addr add dev $INTERFACE <%= @ic_vpn_ip4 %>/16 broadcast 10.207.255.255
/sbin/ip -6 addr add dev $INTERFACE <%= @ic_vpn_ip6 %>/96 preferred_lft 0
');
'/etc/tinc/icvpn/tinc-down':
ensure => file,
mode => '0755';
content => inline_template('#!/bin/sh
/sbin/ip addr del dev $INTERFACE <%= @ic_vpn_ip4 %>/16 broadcast 10.207.255.255
/sbin/ip -6 addr del dev $INTERFACE <%= @ic_vpn_ip6 %>/96
/sbin/ip link set dev $INTERFACE down
');
}
~>
service {
'tinc':
ensure => running,
enable => true,
require => Service['openvpn'],
}
}
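Review bot: The two `mode => '0755';` lines in the `/etc/tinc/icvpn/tinc-up` and `tinc-down` file resources close the attribute list with a semicolon, so the `content =>` that follows has no resource title and the manifest will not parse; both should read `mode => '0755',`. In the same class the private key at `$tinc_keyfile` is referenced by the tinc.conf template but never managed, so unlike `secret.conf` (which this commit correctly locks down to 0600) nothing enforces that `/etc/tinc/rsa_key.priv` is present and root-only before tinc starts; a `file { $tinc_keyfile: owner => 'root', group => 'root', mode => '0600', }` ordered before `Service['tinc']` would close that gap without creating the file when it is absent. The `vcsrepo` clone of `https://github.com/freifunk/icvpn` uses `ensure => present` and no `revision`, so the peer host files and their public keys are fetched once and neither refreshed nor pinned — pick `ensure => latest` or an explicit revision depending on whether key rotations in that repository should be picked up automatically. Separately, the `ff_gw::tinc` declaration in the `-36,6 +36,15` hunk passes `ic_vpn_ip4` twice (`ic_vpn_ip4 => $ic_vpn_ip6` on the second line), which Puppet rejects as a duplicate parameter; it should be `ic_vpn_ip6 => $ic_vpn_ip6`. The four new `ff_gw` parameters in the class signature also have no defaults, so every gateway with `gw_do_ic_peering => false` must now supply them; defaulting them to `undef` would keep those hosts compiling.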


@ -0,0 +1,48 @@
Name = <%= @tinc_name %>
PrivateKeyFile = <%= @tinc_keyfile %>
Mode = Switch
PingTimeout = 30
Port = 656
Hostnames = yes
ConnectTo = augsburg1
ConnectTo = augsburg2
ConnectTo = bayreuth1
ConnectTo = berlin1
ConnectTo = bielefeld1
ConnectTo = bielefeld2
ConnectTo = bremen2
ConnectTo = chemnitz1
ConnectTo = diac24_sbc
ConnectTo = diac24_sbz
ConnectTo = dresden1
ConnectTo = ffhallevpn1
ConnectTo = franken1
ConnectTo = franken2
ConnectTo = franken3
ConnectTo = franken_ro1
ConnectTo = Frankfurt1
ConnectTo = freiburg1
ConnectTo = gronau1
ConnectTo = gronau2
ConnectTo = halle1
ConnectTo = halle2
ConnectTo = jena1
ConnectTo = jena2
ConnectTo = kiel1
ConnectTo = kiel13
ConnectTo = kiel3
ConnectTo = kiel4
ConnectTo = koeln1
ConnectTo = leipzig1
ConnectTo = leipzig2
ConnectTo = ljubljana1
ConnectTo = luebeck1
ConnectTo = luebeck2
ConnectTo = mainz1
ConnectTo = nrw2
ConnectTo = oldenburg1
ConnectTo = weimar1
ConnectTo = weimar2
ConnectTo = wermelskirchen1
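Review bot: The `ConnectTo` list is hard-coded into the template while the peer definitions themselves come from the `icvpn` git checkout that `ff_gw::tinc` clones onto the agent, so the two will drift as peers are added or removed upstream; since the checkout lives on the agent rather than the Puppet master, the template cannot read `hosts/` directly, and a `$ic_vpn_peers` array parameter on `ff_gw::tinc` rendered with `<% @ic_vpn_peers.each do |p| -%>ConnectTo = <%= p %>` would at least move the list to a single editable place. The file sets no `Cipher`, `Digest` or `MACLength`, so tinc's compile-time defaults apply (on tinc 1.0 these are presumably blowfish/sha1 with a 4-byte MAC — verify against the installed version and the ICVPN peering conventions before changing them). The generated file carries no marker that it is managed; a first line `# Managed by Puppet (ff_gw::tinc) - edit the template, not this file` would save the next operator from hand-editing it.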