Custom peervpn role

roles/peervpn/templates/etc/peervpn/peervpn.conf.j2

@@ -0,0 +1,259 @@
+## ******************************
+## * PeerVPN configuration file *
+## ******************************
+
+
+
+## Option:       networkname <name>
+## Description:  Specifies the virtual network name. PeerVPN will
+##               only accept peers that use the same network name.
+##               The default name is "PEERVPN".
+## Example:      networkname PEERVPN
+
+{% if peervpn_conf_networkname is defined %}
+networkname {{peervpn_conf_networkname}}
+{% endif %}
+
+
+## Option:       psk <password>
+## Description:  Specifies the PSK for the network. It can be a
+##               password that is up to 512 characters long.
+##               It is recommended to use a minimum of 8 characters.
+##               If unspecified, the PSK will be set to "default".
+## Example:      psk mytopsecretpassword
+
+{% if peervpn_conf_psk is defined %}
+psk {{peervpn_conf_psk}}
+{% endif %}
+
+
+## Option:       initpeers <hostname> <port> [<hostname> <port>]*
+## Description:  Specifies a list of peers that PeerVPN should
+##               connect to initially. When the connection to the
+##               network is lost, PeerVPN will try to reconnect to
+##               these peers.
+## Example:      initpeers 10.8.6.4 1234
+##               initpeers 2001:DB8:1337::1 5678
+##               initpeers 10.8.6.4 1234 10.12.10.8 6420
+##               initpeers example.com 7000
+##               initpeers example.com 7000 example.net 7000 example.org 7000
+
+{% if peervpn_conf_initpeers is defined %}
+initpeers {{peervpn_conf_initpeers}}
+{% endif %}
+
+
+## Option:       enabletunneling <yes|no>
+## Description:  Enables ethernet tunneling using a TAP device. This
+##               should be disabled if this node is intended solely
+##               for assisting peer discovery and/or relaying.
+##               Defaults to "yes".
+## Example:      enabletunneling yes
+
+{% if peervpn_conf_enabletunneling is defined %}
+enabletunneling {{peervpn_conf_enabletunneling}}
+{% endif %}
+
+
+## Option:       interface <name>
+## Description:  Specifies the name of the TAP device that should be
+##               used for ethernet tunneling.
+##               Note: On some operating systems (e.g. FreeBSD), TAP
+##               device names must start with the string "tap".              
+## Example:      interface tap0
+##               interface peervpn0
+
+{% if peervpn_conf_interface is defined %}
+interface {{peervpn_conf_interface}}
+{% endif %}
+
+
+## Option:       ifconfig4 <address>/<prefixlen>
+## Description:  Defines the IPv4 address and the prefix length that
+##               should be assigned to the TAP device.
+## Example:      ifconfig4 10.1.2.3/24
+##               ifconfig4 172.16.17.18/24
+
+{% if peervpn_conf_ifconfig4 is defined %}
+ifconfig4 {{peervpn_conf_ifconfig4}}
+{% endif %}
+
+
+## Option:       ifconfig6 <address>/<prefixlen>
+## Description:  Defines the IPv6 address and the prefix length that
+##               should be assigned to the TAP device.
+## Example:      ifconfig6 2001:db8:1:2::3/64
+##               ifconfig6 fc00:db8:1:2::3/64
+
+{% if peervpn_conf_ifconfig6 is defined %}
+ifconfig6 {{peervpn_conf_ifconfig6}}
+{% endif %}
+
+
+## Option:       upcmd <command>
+## Description:  Defines a shell command that will be executed after
+##               the TAP device has been opened.
+## Example:      upcmd echo virtual interface is up
+
+{% if peervpn_conf_upcmd is defined %}
+upcmd {{peervpn_conf_upcmd}}
+{% endif %}
+
+
+## Option:       local <address>
+## Description:  Specifies which local address PeerVPN should use.
+##               If unspecified, PeerVPN will listen on all available
+##               addresses.
+## Example:      local 0.0.0.0
+##               local 192.168.12.34
+##               local ::
+
+{% if peervpn_conf_local is defined %}
+local {{peervpn_conf_local}}
+{% endif %}
+
+
+## Option:       port <portnumber>
+## Description:  Specifies which UDP port PeerVPN should use.
+##               If unspecified, the port number will be selected
+##               automatically.
+## Example:      port 7000
+
+{% if peervpn_conf_port is defined %}
+port {{peervpn_conf_port}}
+{% endif %}
+
+
+## Option:       sockmark <0|1..N>
+## Description:  If set to a value that is greater than zero, packets
+##               generated by the PeerVPN process will be marked
+##               internally with the specified value. This feature is
+##               currently only available in Linux, and can be used
+##               in combination with iproute2 for policy routing
+##               setups (e.g. "ip rule add fwmark <1..N> [...]").
+##               Defaults to "0" (disabled).
+## Example:      sockmark 42
+
+{% if peervpn_conf_sockmark is defined %}
+sockmark {{peervpn_conf_sockmark}}
+{% endif %}
+
+
+## Option:       enableipv4 <yes|no>
+## Description:  Enables IPv4 sockets.
+##               Defaults to "yes".
+## Example:      enableipv4 yes
+
+{% if peervpn_conf_enableipv4 is defined %}
+enableipv4 {{peervpn_conf_enableipv4}}
+{% endif %}
+
+
+## Option:       enableipv6 <yes|no>
+## Description:  Enables IPv6 sockets.
+##               Defaults to "yes".
+## Example:      enableipv6 yes
+
+{% if peervpn_conf_enableipv6 is defined %}
+enableipv6 {{peervpn_conf_enableipv6}}
+{% endif %}
+
+## Option:       enablenat64clat <yes|no>
+## Description:  Enables NAT64 CLAT support.
+##               If this is enabled and there is no native IPv4
+##               connectivity, PeerVPN will attempt to contact IPv4
+##               peers using NAT64 packets via a IPv6 socket instead.
+##               This requires a NAT64 gateway which will translate
+##               packets going to the 64:ff9b::/96 prefix.
+##               Defaults to "no".
+## Example:      enablenat64clat yes
+
+{% if peervpn_conf_enablenat64clat is defined %}
+enablenat64clat {{peervpn_conf_enablenat64clat}} 
+{% endif %}
+
+
+## Option:       enablendpcache <yes|no>
+## Description:  Enables caching of tunneled IPv6 NDP messages. This
+##               can improve performance by reducing the amount of
+##               NDP multicast messages that need to be sent.
+##               Defaults to "no".
+## Example:      enablendpcache yes
+
+{% if peervpn_conf_enablendpcache is defined %}
+enablendpcache {{peervpn_conf_enablendpcache}}
+{% endif %}
+
+
+## Option:       enablerelay <yes|no>
+## Description:  Allows other nodes in the network to relay their
+##               traffic through this node if they cannot establish a
+##               direct connection to each other.
+##               Defaults to "no".
+## Example:      enablerelay yes
+
+{% if peervpn_conf_enablerelay is defined %}
+enablerelay {{peervpn_conf_enablerelay}}
+{% endif %}
+
+
+## Option:       engine <name> [<name>]*
+## Description:  Specifies one or more OpenSSL engines that should be
+##               loaded to provide hardware crypto acceleration.
+## Example:      engine padlock
+
+{% if peervpn_conf_engine is defined %}
+engine {{peervpn_conf_engine}}
+{% endif %}
+
+
+## Option:       enableprivdrop <yes|no>
+## Description:  If enabled, the PeerVPN process will automatically
+##               try to drop its privileges after finishing its
+##               initialization. If a certain configuration is
+##               desired, the options "user", "group" and "chroot"
+##               should be set too.
+## Example:      enableprivdrop yes
+
+{% if peervpn_conf_enableprivdrop is defined %}
+enableprivdrop {{peervpn_conf_enableprivdrop}}
+{% endif %}
+
+
+## Option:       user <username>
+## Description:  Specifies the UNIX username that the PeerVPN process
+##               will switch to after initialization. This is useful
+##               if PeerVPN is started with root privileges (which is
+##               necessary for TAP device initialization). An
+##               username with minimal rights should be selected.
+## Example:      user nobody
+
+{% if peervpn_conf_user is defined %}
+user {{peervpn_conf_user}}
+{% endif %}
+
+
+## Option:       group <groupname>
+## Description:  Specifies the UNIX group that the PeerVPN process
+##               will switch to after initialization.
+## Example:      group nogroup
+
+{% if peervpn_conf_group is defined %}
+group {{peervpn_conf_group}}
+{% endif %}
+
+
+## Option:       chroot <directory>
+## Description:  Specifies the directory that the PeerVPN process
+##               will chroot to after initialization.
+##               Note: Currently, DNS queries will not work anymore
+##               if this option is enabled. The "initpeers" option
+##               should only contain IP addresses in this case, not
+##               domain names.
+##               If unspecified, no chroot will be done.
+## Example:      chroot /var/empty
+
+{% if peervpn_conf_chroot is defined %}
+chroot {{peervpn_conf_chroot}}
+{% endif %}
+

roles/peervpn/templates/etc/systemd/system/peervpn.service.j2

@@ -0,0 +1,13 @@
+[Unit]
+Description=PeerVPN network service
+Wants=network-online.target
+After=network-online.target
+ConditionPathExists=/etc/peervpn/peervpn.conf
+
+[Service]
+Type=simple
+ExecStart={{peervpn_dest}}/peervpn /etc/peervpn/peervpn.conf
+Restart=always
+
+[Install]
+WantedBy=multi-user.target