Add ffbs-mesh-vpn-parker #142
Conversation
|
Well, some of the |
| site_config_server = site.parker.config_server() | ||
| uci:section('parker', 'nodeconfig', 'nodeconfig', | ||
| { config_server = site_config_server } | ||
| ) | ||
| uci:save('parker') | ||
|
|
||
| site_config_pubkey = site.parker.config_pubkey() |
There was a problem hiding this comment.
it would be nice, if we can also add the pubkey to uci so that it's easier to override it on-demand.
| site_config_server = site.parker.config_server() | |
| uci:section('parker', 'nodeconfig', 'nodeconfig', | |
| { config_server = site_config_server } | |
| ) | |
| uci:save('parker') | |
| site_config_pubkey = site.parker.config_pubkey() | |
| local site_config_server = site.parker.config_server() | |
| local site_config_pubkey = site.parker.config_pubkey() | |
| uci:section('parker', 'nodeconfig', 'nodeconfig', | |
| { | |
| config_server = site_config_server, | |
| config_pubkey = site_config_pubkey | |
| } | |
| ) | |
| uci:save('parker') |
and you can delete the lines that write the file to disk afterwards.
There was a problem hiding this comment.
@grische can you verify that this has been resolved by SmithChart#5 ?
| config nodeconfig 'example' | ||
| option config_server 'config.community.example' |
There was a problem hiding this comment.
I think this should be
| config nodeconfig 'example' | |
| option config_server 'config.community.example' | |
| config nodeconfig 'nodeconfig' | |
| option config_server 'config.community.example' |
There was a problem hiding this comment.
@grische can you verify that this has been resolved by SmithChart#6 ?
| fi | ||
|
|
||
| pubkey=$(sed 's/+/%2B/g' /etc/parker/wg-pubkey) | ||
|
|
There was a problem hiding this comment.
follow-up of the above suggested change to move the pubkey to uci
| if ! { echo "untrusted comment: signify public key" && uci -q get parker.nodeconfig.config_pubkey; } > "${SIGN_PUB_KEY}"; then | |
| $LOGGER unable to read or write pubkey from uci | |
| fi |
Or maybe something more elegant 😉
I would probably also move the file from flash /etc to ram /tmp instead if it's being written on every service start.
There was a problem hiding this comment.
@grische can you verify that this has been resolved by SmithChart#5 ?
| continue; | ||
| fi | ||
|
|
||
| config_server=$(uci get parker.nodeconfig.config_server) |
There was a problem hiding this comment.
It would be nice if we can add a check here if this config exists, to transparently send a log message in case someone broke their UCI config.
Something like
| config_server=$(uci get parker.nodeconfig.config_server) | |
| if ! config_server=$(uci get parker.nodeconfig.config_server); then | |
| $LOGGER unable to get config_server from uci | |
| continue | |
| fi |
There was a problem hiding this comment.
@grische can you verify that this has been resolved by SmithChart#7 ?
|
|
||
| check_batman() { | ||
| # check if we have a functional batman-setup | ||
| if ip l | grep -q "bat0:"; then |
There was a problem hiding this comment.
For style, I would prefer having an early exit here instead of nesting the if's.
| if ip l | grep -q "bat0:"; then | |
| if ! ip l | grep -q "bat0:"; then | |
| $LOGGER ERROR: No BATMAN-interface found | |
| return 1 | |
| fi |
remove the neting and remove lines 23-26 (they have been moved up).
There was a problem hiding this comment.
@grische can you verify that this has been resolved by SmithChart#8 ?
|
Please see #139 (comment) |
This adds ffbs-parker-nodeconfig - a package of the *parker*-flavor of Gluon. Previously this package has been managed in https://gitli.stratum0.org/ffbs/ffbs-packages under the name `gluon-ffbsnext-nodeconfig`. Last commit-id: 4f83ee2f2571a2baa5493038da7c6fb3cc0b8016
This removes a hard-coded value. Previously, this scripts have only been used by Freifunk Braunschweig. There hard-coding was no issue. Now, with more communities wanting to try parker out, we have to fix those. The `ntp_servers` list has already been introduced by Gluon upstream. With this change we re-use this value here. This also means that the NTP-server for the nodes should be accessible for the clients as well.
This firewall rules make sure, that respondd is only accessible from inside the Freifunk network (client network or VPN) - but not from other interfaces (e.g. `br-wan`). While we were only using it for Freifunk Braunschweig the `src_ip` limitation did not really matter: Per definition these are the only IPv6 addresses on these interfaces anyway. But while preparing this tooling for a wider use we should rethink this decision. There is no need to limit access to a specific IPv6 range, as long as the requests are still coming from the inside.
This check was intended to check if the IPv6 address/routing configuration is sane. But it currently relies on a hard-coded value for ffbs, so it does not make sense to have it for all communities. Lately we did not see this diagnosis trigger, so it's probably safe to remove anyway. If we encounter problems later on we can still add a generic check.
SmithChart
force-pushed
the
ffbs-parker-nodeconfig
branch
from
db1097b to
35b7dc7
Compare
|
FTR: Appended commits from SmithChart#1 . Thx @maurerle Also added one change from me while I was on it. |
|
Wouldn't it be useful to also add the additional uci settings required for parker to one of the packages? Specifically: and adding instead of having this here: This would further reduce the required delta of gluon. |
Co-Authored-By: Jan Luebbe <[email protected]>
Co-Authored-By: Jan Luebbe <[email protected]>
ffbs-mesh-vpn-parker: reduce nesting in noderoute
ffbs-mesh-vpn-parker: check uci for config_server
ffbs-mesh-vpn-parker: fix default parker config
ffbs-mesh-vpn-parker: make sure wg-pubkey exists
ffbs-mesh-vpn-parker: move parker network rules into package
The mesh_respondd_siteprefix and mesh_respondd_extraprefix[0-9]+ rules do not make sense in the context of parker as there are no prefix4 and prefix6 attributes anymore. Based on ffbs/gluon-parker@2e53380#diff-70c0178fef0afe6aa581fdd24bcd19c5ad4f04874648698469f5f5896dc1b500L36-L43
Also moving the pubkey file to /tmp/ as it will be written every time that nodeconfig is run.
ffbs-mesh-vpn-parker: move parker pubkey to uci
ffbs-mesh-vpn-parker: delete firewall rules for the prefix6 site config
Do not get me wrong: This suggestion is totally right, but I would like to get forward to get this PR ready to merge at the moment. I would suggest to open an issue against https://github.com/ffbs/gluon-parker/issues and track this suggestion there. After we have got this merged once we can continue to work on reducing the delta of |
|
@SmithChart the suggestions should have been implemented already with the two PRs you merged today |
The name of the dependency has been changed during cleanup. So let's change the dependency here, too.
|
I think if we test the current packages with the latest https://github.com/ffbs/gluon-parker |
|
@maurerle For now it does not work on our side. It is building - but the firmware on the nodes does not work. On the bright side: The problem seems trivial: (On the other hand my automated tests are broken due to the changes in handling of the wg-key. So more error reports are to expect.) |
This is the core package of gluon-parker,
a Gluon fork that uses routing between the nodes
(aka. Router devices) and the infrastructure.
It is currently in use at Freifunk Braunschweig.
Other communities are interested in adopting it as well.
This package installs the
nodeconfigandnoderouteservices togetherwith a set of new firewall-rules.