tinc: init

57a4d1e7 · skorpy · c30f886a · 57a4d1e7 · 57a4d1e7 · 57a4d1e7
Commit 57a4d1e7 authored 7 years ago by skorpy
--- a/tinc/files/ferm.conf.j2
+++ b/tinc/files/ferm.conf.j2
+domain (ip ip6) {
+  table filter {
+    chain INPUT {
+      interface ens5 proto (udp tcp) dport {{ port }} ACCEPT;
+    }
+  }
+}
--- a/tinc/files/icvpn-up.j2
+++ b/tinc/files/icvpn-up.j2
+{%- set icvpn = pillar['icvpn'] -%}
+
+#!/bin/sh
+
+ip link set up dev $INTERFACE
+ip -4 addr add {{ icvpn['ip4'] }} dev $INTERFACE
+ip -6 addr add {{ icvpn['ip6'] }} dev $INTERFACE
--- a/tinc/files/tinc-icvpn.conf.j2
+++ b/tinc/files/tinc-icvpn.conf.j2
+{%- set icvpn = pillar['icvpn'] -%}
+
+Name = {{ icvpn['name'] }}
+Mode = Switch
+
+PingTimeout = 30
+
+Forwarding = off
+
+{% for host in grains['ip_interfaces']['ens5'] %}
+{% if not host.startswith('fe80') %}BindToAddress = {{ host }}{% endif %}
+{% endfor %}
+
--- a/tinc/icvpn.sls
+++ b/tinc/icvpn.sls
+icvpn:
+  git.latest:
+    - name: https://github.com/freifunk/icvpn.git
+    - target: /etc/tinc/icvpn
+
+/etc/tinc/icvpn/rsa_key.priv:
+  file.managed:
+    - user: root
+    - group: root
+    - mode: 0600
+    - contents: |
+        {{ pillar['icvpn']['rsa_key'] | indent(8) }}
+
+/etc/tinc/icvpn/ed25519_key.priv:
+  file.managed:
+    - user: root
+    - group: root
+    - mode: 0600
+    - contents: |
+        {{ pillar['icvpn']['ed25519_key'] | indent(8) }}
+
+/etc/tinc/icvpn/tinc.conf:
+  file.managed:
+    - source: salt://tinc/files/tinc-icvpn.conf.j2
+    - user: root
+    - group: root
+    - mode: 644
+    - template: jinja
+
+/etc/tinc/icvpn/tinc-up:
+  file.managed:
+    - source: salt://tinc/files/icvpn-up.j2
+    - user: root
+    - group: root
+    - mode: 755
+    - template: jinja
+
+/etc/tinc/icvpn/.git/hooks/post-merge:
+  file.symlink:
+    - target: /etc/tinc/icvpn/scripts/post-merge
+  cmd.script:
+    - shell: /bin/bash
+    - cwd: /etc/tinc/icvpn
+    - require:
+      - file: /etc/tinc/icvpn/tinc.conf
+    - onchanges:
+      - git: icvpn
+
+/etc/ferm/conf.d/40-tinc-icvpn.conf:
+  file.managed:
+    - source: salt://tinc/files/ferm.conf.j2
+    - user: root
+    - group: root
+    - mode: 644
+    - template: jinja
+    - context:
+      port: {{ pillar['icvpn']['port'] }}
+
+tinc.service:
+  service.running:
+    - enable: True
+
+tinc@icvpn:
+  service.running:
+    - enable: True
+    - require:
+      - pkg: tinc
+    - watch:
+      - file: /etc/tinc/icvpn/tinc.conf
--- a/tinc/init.sls
+++ b/tinc/init.sls
+{% if grains['oscodename'] == 'stretch' %}
+debian-experimental:
+  pkgrepo.managed:
+    - name: deb http://deb.debian.org/debian experimental main
+    - file: /etc/apt/sources.list.d/experimental.list
+    - clean_file: True
+    - require:
+      - file: /etc/apt/preferences.d/tinc
+
+/etc/apt/preferences.d/tinc:
+  file.managed:
+    - user: root
+    - group: root
+    - mode: 0644
+    - contents: |
+        Package: tinc
+        Pin: release a=experimental
+        Pin-Priority: 800
+
+tinc:
+  pkg.installed:
+    - fromrepo: experimental
+
+{% else %}
+tinc:
+  pkg.installed
+
+{% endif %}