icvpn: init

icvpn/files/config

+# Local Community Name (as seen in icvpn-meta)
+export LOCAL_COMMUNITY=frankfurt
+
+# Repositories
+export LIB_DIR=/var/lib/icvpn
+export ICVPN_META=$LIB_DIR/meta
+export ICVPN_META_REMOTE=https://github.com/freifunk/icvpn-meta.git
+
+export ICVPN_SCRIPTS=$LIB_DIR/scripts
+export ICVPN_SCRIPTS_REMOTE=https://github.com/freifunk/icvpn-scripts.git
+
+# Tinc
+export TINC_NETWORK=icvpn
+
+# Bird
+export BIRD_ROOT=/etc/bird
+export BIRD4_ROA=$BIRD_ROOT/bird.d/15-roa-icvpn.conf
+export BIRD4_PEERS=$BIRD_ROOT/bird.d/50-peers-icvpn.conf
+export BIRD6_ROA=$BIRD_ROOT/bird6.d/15-roa-icvpn.conf
+export BIRD6_PEERS=$BIRD_ROOT/bird6.d/50-peers-icvpn.conf
+export BIRD_BGP_TEMPLATE=tpl_bgp_icvpn
+export BIRD_PASSIVE_TIMEOUT=2
+export BIRD_ROA_TABLE_NAME=roa_icvpn
+
+# Unbound
+export UNBOUND_ROOT=/etc/unbound
+export UNBOUND_CONFIG=$UNBOUND_ROOT/unbound.conf.d/icvpn.conf
+

icvpn/files/ferm.conf.j2

+domain (ip ip6) {
+        table filter {
+                chain FORWARD {
+                        outerface icvpn ACCEPT;
+                        interface icvpn ACCEPT;
+                }
+        }
+}

icvpn/files/icvpn-bgp.cron

+*/15 * * * * root /usr/local/sbin/icvpn-mkbgp

icvpn/files/icvpn-dns.cron

+5-55/10 * * * * root /usr/sbin/icvpn-mkdns

icvpn/files/icvpn-mkbgp

+#!/bin/bash
+
+[ "$(whoami)" != 'root' ] && (
+	echo "can only be executed as root user"
+	exit 1
+)
+
+PATH=/usr/sbin:$PATH
+
+# source configuration
+. /var/lib/icvpn/config
+
+
+update_roa() (
+	$ICVPN_SCRIPTS/mkroa -4 -m 24 -f bird -x frankfurt -s $ICVPN_META --bird-table-name $BIRD_ROA_TABLE_NAME > $BIRD4_ROA
+	$ICVPN_SCRIPTS/mkroa -6 -m 64 -f bird -x frankfurt -s $ICVPN_META --bird-table-name $BIRD_ROA_TABLE_NAME > $BIRD6_ROA
+)
+
+update_bgp_peers() (
+	if [ -e $BIRD4_PEERS ]; then
+		CHECKSUM=$(sha1sum $BIRD4_PEERS)
+	else
+		CHECKSUM=0
+	fi
+	$ICVPN_SCRIPTS/mkbgp -4 -f bird -p icvpn_ -s $ICVPN_META -x $LOCAL_COMMUNITY -d $BIRD_BGP_TEMPLATE -P $BIRD_PASSIVE_TIMEOUT > $BIRD4_PEERS
+	if [ "$(sha1sum $BIRD4_PEERS)" != "$CHECKSUM" ]; then
+		birdc configure check
+		birdc configure
+	fi
+)
+
+update_bgp6_peers() (
+	if [ -e $BIRD6_PEERS ]; then
+		CHECKSUM=$(sha1sum $BIRD6_PEERS)
+	else
+		CHECKSUM=0
+	fi
+	$ICVPN_SCRIPTS/mkbgp -6 -f bird -p icvpn_ -s $ICVPN_META -x $LOCAL_COMMUNITY -d $BIRD_BGP_TEMPLATE -P $BIRD_PASSIVE_TIMEOUT > $BIRD6_PEERS
+	if [ "$(sha1sum $BIRD6_PEERS)" != "$CHECKSUM" ]; then
+		birdc6 configure check
+		birdc6 configure
+	fi
+)
+
+
+set -ex
+
+# tinc vpn
+cd /etc/tinc/$TINC_NETWORK/
+git remote update >/dev/null
+
+if [ $FORCE_VPN ] || [ $(git rev-parse HEAD) != $(git rev-parse @{u}) ]; then
+	echo "icvpn: update available"
+	git pull origin master
+	# post-merge hook handles configuration update
+fi
+
+# icvpn-meta
+cd $ICVPN_META
+git fetch > /dev/null
+
+if [ $FORCE_META ] || [ $(git rev-parse HEAD) != $(git rev-parse @{u}) ]; then
+	echo "icvpn-meta: regenerating bgp peers"
+	git pull origin master
+	update_roa
+fi
+
+# update peers on every run to check whether we need to set/unset passive on peers
+update_bgp_peers
+update_bgp6_peers
+

icvpn/files/icvpn-mkdns

+#!/bin/bash
+
+[ "$(whoami)" != 'root' ] && (
+	echo "can only be executed as root user"
+	exit 1
+)
+
+PATH=/usr/sbin:$PATH
+
+# source configuration
+. /var/lib/icvpn/config
+
+
+update_unbound() (
+	$ICVPN_SCRIPTS/mkdns -f unbound -s $ICVPN_META -x chaosvpn > $UNBOUND_CONFIG
+	unbound-checkconf
+	unbound-control reload
+)
+
+
+set -ex
+
+# tinc vpn
+
+# icvpn-meta
+cd $ICVPN_META
+git remote update >/dev/null
+
+if [ $FORCE_META ] || [ $(git rev-parse HEAD) != $(git rev-parse @{u}) ]; then
+	echo "icvpn-meta: update available"
+	git pull origin master
+	update_unbound
+fi
+
+

icvpn/init.sls

+icvpn-dependencies:
+  pkg.installed:
+    - pkgs:
+      - python3-yaml
+      - python3-requests
+      - python3-prettytable
+      - python3-jinja2
+
+/var/lib/icvpn:
+  file.directory
+
+icvpn-meta:
+  git.latest:
+    - name: https://github.com/freifunk/icvpn-meta.git
+    - target: /var/lib/icvpn/meta
+
+icvpn-scripts:
+  git.latest:
+    - name: https://github.com/freifunk/icvpn-scripts.git
+    - target: /var/lib/icvpn/scripts
+
+/var/lib/icvpn/config:
+  file.managed:
+    - source: salt://icvpn/files/config
+    - user: root
+    - group: root
+    - mode: 644
+    - require:
+      - file: /var/lib/icvpn
+
+{% if grains['id'].startswith('icvpn') %}
+/usr/local/sbin/icvpn-mkbgp:
+  file.managed:
+    - source: salt://icvpn/files/icvpn-mkbgp
+    - user: root
+    - group: root
+    - mode: 700
+    - require:
+      - file: /var/lib/icvpn/config
+
+/etc/cron.d/icvpn-bgp:
+  file.managed:
+    - source: salt://icvpn/files/icvpn-bgp.cron
+    - user: root
+    - group: root
+    - mode: 644
+    - require:
+      - file: /usr/local/sbin/icvpn-mkbgp
+
+/etc/ferm/conf.d/40-icvpn.conf:
+  file.managed:
+    - source: salt://icvpn/files/ferm.conf.j2
+    - user: root
+    - group: root
+    - mode: 644
+    - require:
+       - pkg: ferm
+
+include:
+  - tinc
+  - tinc.icvpn
+  - bird
+  - bird.icvpn
+{% elif grains['id'].startswith('ns') %}
+/usr/local/sbin/icvpn-mkdns:
+  file.managed:
+    - source: salt://icvpn/files/icvpn-mkdns
+    - user: root
+    - group: root
+    - mode: 700
+    - require:
+      - file: /var/lib/icvpn/config
+
+/etc/cron.d/icvpn-dns:
+  file.managed:
+    - source: salt://icvpn/files/icvpn-dns.cron
+    - user: root
+    - group: root
+    - mode: 644
+    - require:
+      - file: /usr/local/sbin/icvpn-mkdns
+
+icvpn-mkdns:
+  cmd.run:
+    - name: /usr/local/sbin/icvpn-mkdns
+    - require:
+      - file: /usr/local/sbin/icvpn-mkdns
+      - git: icvpn-meta
+      - git: icvpn-scripts
+      - pkg: icvpn-dependencies
+    - onchanges:
+      - git: icvpn-meta
+      - git: icvpn-scripts
+{% endif %}

top.sls

@@ -51,6 +51,7 @@ base:
     - bird
     - tinc
     - tinc.icvpn
+    - icvpn
     - kernel.sysctl
     - network
   'roles:dn42':