# This file is managed by ansible, don't make changes here - they will be overwritten.
# Bind to a fixed address and port, IPv4 and IPv6
bind {{ansible_eth0.ipv4.address}}:{{fastd.port}} interface "eth0";

{% for v6 in ansible_eth0.ipv6 %}
{% if v6.scope == 'global' %}
bind [{{v6.address}}]:{{fastd.port}} interface "eth0";
{% endif %}
{% endfor %}

# Set the user, fastd will work as
user "nobody";

# Set the interface name
interface "mesh-vpn";

# Set the mode, the interface will work as
mode tap;

# Set the mtu of the interface (salsa2012 with ipv6 will need 1406)
mtu 1406;

# Set the methods (aes128-gcm preferred, salsa2012+umac preferred for nodes)
method "aes128-gcm";
method "salsa2012+umac";
method "salsa2012+gmac";

# Secret key generated by `fastd --generate-key`
include "secret.key";

# Log everything to syslog
log to syslog level debug;

# Include peers from our git-repos
include peers from "/etc/fastd/vpn/peers/";

# Status Socket
status socket "/tmp/fastd-status";

# Configure a shell command that is run on connection attempts by unknown peers (true means, all attempts are accepted)
# on verify "true";
on verify "
  /bin/bash /var/gateway-ffms/fastd/verify.sh $PEER_KEY
";

# Configure a shell command that is run when fastd comes up
on up "
  chmod ugo+rw /tmp/fastd-status
  ip link set dev $INTERFACE address de:ad:be:ef:43:{{server_id}}
  ip link set dev $INTERFACE up
  batctl if add $INTERFACE
{% if fastd.ip_rule_42 %}
  ip rule add from {{ffrl_nat_ip}} lookup 42
  ip -6 rule add from {{ff_network.v6_network}} lookup 42
{% endif %}
";