authorPatrick Spek <p.spek@tyil.nl>2022-04-20 12:01:13 +0200
committerPatrick Spek <p.spek@tyil.nl>2022-04-20 12:01:13 +0200
commitdf3cdceee25027c82449779caa0805aa1d6318f0 (patch)
tree80c5026feef0025528ff8d461b83cceee315b4cd
parent7d6424dfbd09b21f8835739ffb08957ba1a2a5cf (diff)
Add vpn playbook
-rw-r--r--playbooks.d/vpn/description.txt1
-rw-r--r--playbooks.d/vpn/etc/defaults6
-rw-r--r--playbooks.d/vpn/playbook.bash117
-rw-r--r--playbooks.d/vpn/share/host2
-rw-r--r--playbooks.d/vpn/share/hosts/anoia_tyil_net16
-rw-r--r--playbooks.d/vpn/share/tinc-down-ifconfig3
-rw-r--r--playbooks.d/vpn/share/tinc-down-ip3
-rw-r--r--playbooks.d/vpn/share/tinc-up-ifconfig4
-rw-r--r--playbooks.d/vpn/share/tinc-up-ip6
-rw-r--r--playbooks.d/vpn/share/tinc.conf7
10 files changed, 165 insertions, 0 deletions
diff --git a/playbooks.d/vpn/description.txt b/playbooks.d/vpn/description.txt
new file mode 100644
index 0000000..0bad766
--- /dev/null
+++ b/playbooks.d/vpn/description.txt
@@ -0,0 +1 @@
+VPN through tinc
diff --git a/playbooks.d/vpn/etc/defaults b/playbooks.d/vpn/etc/defaults
new file mode 100644
index 0000000..3186527
--- /dev/null
+++ b/playbooks.d/vpn/etc/defaults
@@ -0,0 +1,6 @@
+app.tinc=tinc
+app.tincd=tincd
+
+pkg.tinc=tinc
+
+svc.tinc=tincd
diff --git a/playbooks.d/vpn/playbook.bash b/playbooks.d/vpn/playbook.bash
new file mode 100644
index 0000000..ad85772
--- /dev/null
+++ b/playbooks.d/vpn/playbook.bash
@@ -0,0 +1,117 @@
+#!/usr/bin/env bash
+
+playbook_add()
+{
+ local tinc="$(config "app.tinc")"
+ local tincd="$(config "app.tincd")"
+ local dir="$(config "fs.etcdir")/tinc/tyilnet"
+ local name="$(tr "." "_" <<< "${BASHTARD_PLATFORM[fqdn]}")"
+ local ipv4="$(config "vpn.ipv4")"
+
+ if [[ -z "$ipv4" ]]
+ then
+ emerg "$BASHTARD_PLAYBOOK" "No IPv4 address set for ${BASHTARD_PLATFORM[fqdn]}"
+ return 2
+ fi
+
+ case "${BASHTARD_PLATFORM[key]}" in
+ freebsd) iptool=ifconfig ;;
+ *) iptool=ip
+ esac
+
+ info "$BASHTARD_PLAYBOOK" "Installing tinc"
+ pkg install "tinc"
+
+ info "$BASHTARD_PLAYBOOK" "Creating tinc configuration at $dir"
+ mkdir -pv -- \
+ "$dir" \
+ "$dir/hosts"
+
+ file_template tinc.conf \
+ "name=$name" \
+ > "$dir/tinc.conf"
+
+ file_template "tinc-up-$iptool" \
+ "ip=$(config "vpn.ipv4")" \
+ > "$dir/tinc-up"
+
+ file_template "tinc-down-$iptool" \
+ "ip=$(config "vpn.ipv4")" \
+ > "$dir/tinc-down"
+
+ file_template "host" \
+ "ip4=$(config "vpn.ipv4")" \
+ > "$dir/hosts/$name"
+
+ chmod +x \
+ "$dir/tinc-up" \
+ "$dir/tinc-down"
+
+ info "$BASHTARD_PLAYBOOK" "Generating private keys"
+
+ case "$($tincd --version | awk '{ print $3 }' | head -n1)" in
+ 1.0*)
+ $tincd -n tyilnet -K4096
+ ;;
+ 1.1*|*)
+ $tinc -n tyilnet generate-rsa-keys 4096
+ $tinc -n tyilnet generate-ed25519-keys
+ ;;
+ esac
+
+ info "$BASHTARD_PLAYBOOK" "Adding new host to Bashtard configs"
+
+ cp -v -- \
+ "$dir/hosts/$name" \
+ "$BASHTARD_ETCDIR/playbooks.d/$BASHTARD_PLAYBOOK/share/hosts/$name"
+
+ playbook_sync
+
+ info "$BASHTARD_PLAYBOOK" "Enabling VPN service"
+
+ case "${BASHTARD_PLATFORM[key]}" in
+ linux-gentoo)
+ if ! grep -Fq "NETWORK: tyilnet" /etc/conf.d/tinc.networks
+ then
+ printf "NETWORK: %s\n" "tyilnet" >> /etc/conf.d/tinc.networks
+ fi
+ ;;
+ esac
+
+ svc enable "tinc"
+ svc start "tinc"
+}
+
+playbook_sync()
+{
+ local dir="$(config "fs.etcdir")/tinc/tyilnet"
+ local name="$(tr "." "_" <<< "${BASHTARD_PLATFORM[fqdn]}")"
+ local host
+
+ info "$BASHTARD_PLAYBOOK" "Regenerating tinc hosts"
+ rm -fr -- "$dir/hosts"
+ mkdir -p -- "$dir/hosts"
+
+ for path in "$BASHTARD_ETCDIR/playbooks.d/$BASHTARD_PLAYBOOK/share/hosts"/*
+ do
+ host="$(basename "$path")"
+
+ notice "$BASHTARD_PLAYBOOK" "Updating host $host"
+ file_template "hosts/$host" \
+ > "$dir/hosts/$host"
+ done
+
+ [[ "$BASHTARD_COMMAND" == "add" ]] && return
+
+ svc reload "tinc"
+}
+
+playbook_del()
+{
+ svc stop "tinc"
+ svc disable "tinc"
+
+ pkg uninstall "tinc"
+
+ rm -frv -- "$(config "fs.etcdir")/tinc/tyilnet"
+}
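Review bot: The variable handed to the tinc-up/tinc-down templates, `"ip=$(config "vpn.ipv4")"` (both calls), does not match what those templates read: tinc-up-ip and tinc-up-ifconfig expand `${ip4}` and `${ip6}`, whereas the host template is correctly fed `ip4=`, so depending on how file_template substitutes, the up scripts will likely come up with an empty address. Nothing in this commit ever supplies `ip6`, so `ip -6 addr add "${ip6}/48"` in tinc-up-ip and the `inet ${ip6}` line in tinc-up-ifconfig will fail every time the interface is brought up. I would change both calls to `"ip4=$ipv4"` (the value already sits in the local `ipv4`, saving two more `config` calls) and either add a configured IPv6 value or guard the v6 lines in the up scripts with `[ -n "${ip6}" ] &&`. Separately, `iptool` in the first case statement is assigned without `local`, so it leaks into the caller's scope; a `local iptool` before the case fixes that.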
diff --git a/playbooks.d/vpn/share/host b/playbooks.d/vpn/share/host
new file mode 100644
index 0000000..c24d4ad
--- /dev/null
+++ b/playbooks.d/vpn/share/host
@@ -0,0 +1,2 @@
+Subnet = ${ip4}/32
+
diff --git a/playbooks.d/vpn/share/hosts/anoia_tyil_net b/playbooks.d/vpn/share/hosts/anoia_tyil_net
new file mode 100644
index 0000000..cf926de
--- /dev/null
+++ b/playbooks.d/vpn/share/hosts/anoia_tyil_net
@@ -0,0 +1,16 @@
+Subnet = 10.57.100.3/32
+
+-----BEGIN RSA PUBLIC KEY-----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==
+-----END RSA PUBLIC KEY-----
+Ed25519PublicKey = 29UZF4lSjPDGdOJa4ZNwHKDev9ylBIGqynL0RpgqZDJ
diff --git a/playbooks.d/vpn/share/tinc-down-ifconfig b/playbooks.d/vpn/share/tinc-down-ifconfig
new file mode 100644
index 0000000..6563f07
--- /dev/null
+++ b/playbooks.d/vpn/share/tinc-down-ifconfig
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+ifconfig "$INTERFACE" down
diff --git a/playbooks.d/vpn/share/tinc-down-ip b/playbooks.d/vpn/share/tinc-down-ip
new file mode 100644
index 0000000..800ebb3
--- /dev/null
+++ b/playbooks.d/vpn/share/tinc-down-ip
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+ip link set "$INTERFACE" down
diff --git a/playbooks.d/vpn/share/tinc-up-ifconfig b/playbooks.d/vpn/share/tinc-up-ifconfig
new file mode 100644
index 0000000..1aeeb6d
--- /dev/null
+++ b/playbooks.d/vpn/share/tinc-up-ifconfig
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+ifconfig "$INTERFACE" inet ${ip4} netmask 255.255.0.0
+ifconfig "$INTERFACE" inet ${ip6} netmask ffff:ffff:ffff::
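Review bot: The second line configures an IPv6 address with the IPv4 family and a dotted-style `netmask` keyword: `ifconfig "$INTERFACE" inet ${ip6} netmask ffff:ffff:ffff::`. On FreeBSD, the only platform this template is selected for (the `freebsd)` arm in playbook.bash), IPv6 addresses are set with the `inet6` family and `prefixlen`, i.e. `ifconfig "$INTERFACE" inet6 "${ip6}" prefixlen 48`, which also matches the /48 used by tinc-up-ip. Both expansions are unquoted; quoting them (`"${ip4}"`, `"${ip6}"`) keeps an empty or malformed value from being word-split into a different ifconfig invocation than intended.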
diff --git a/playbooks.d/vpn/share/tinc-up-ip b/playbooks.d/vpn/share/tinc-up-ip
new file mode 100644
index 0000000..34ac3b4
--- /dev/null
+++ b/playbooks.d/vpn/share/tinc-up-ip
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+ip -4 addr add "${ip4}/16" dev "$INTERFACE"
+ip -6 addr add "${ip6}/48" dev "$INTERFACE"
+
+ip link set "$INTERFACE" up
diff --git a/playbooks.d/vpn/share/tinc.conf b/playbooks.d/vpn/share/tinc.conf
new file mode 100644
index 0000000..c0c0ecd
--- /dev/null
+++ b/playbooks.d/vpn/share/tinc.conf
@@ -0,0 +1,7 @@
+Name = ${name}
+
+ConnectTo = caeghi_tyil_net
+ConnectTo = faiwoo_tyil_net
+ConnectTo = gaeru_tyil_net
+ConnectTo = hurzak_tyil_net
+ConnectTo = tyil_email
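Review bot: Five `ConnectTo` targets are listed (`caeghi_tyil_net` through `tyil_email`), but the only host file shipped under share/hosts in this commit is `anoia_tyil_net`, and playbook_sync regenerates `$dir/hosts` solely from that directory. tinc requires a host file containing an `Address` line for every ConnectTo name, so unless those files arrive in another commit the daemon will log an error for each missing peer and never establish an outbound connection; the `host` template also emits only `Subnet`, so hosts rendered from it cannot serve as ConnectTo targets themselves. A comment at the top of the template would make the dependency explicit, e.g. `# Every ConnectTo name below needs a matching share/hosts/<name> file with an Address line`.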