Merge branch 'wireguard' into 'newinfra'

[wireguard] Also NAT IPv6

See merge request !78

roles/wireguard/templates/nftables.conf

@@ -2,17 +2,31 @@
 
 flush ruleset
 
-{% set sputnik_ip = query('ldap', 'ip', 'sputnik', 'adm') %}
+{% set sputnik_ip = (query('ldap', 'ip', 'sputnik', 'adm') | ipv4)[0] %}
 table ip nat {
 	chain prerouting {
 		type nat hook prerouting priority 0; policy accept;
-		ip daddr {{ sputnik_ip }} dnat 172.31.0.2
+		ip daddr {{ sputnik_ip }} dnat to 172.31.0.2
 	}
 	chain postrouting {
 		type nat hook postrouting priority 100; policy accept;
-		ip saddr 172.31.0.2 ip protocol icmp snat {{ sputnik_ip }}
-		ip saddr 172.31.0.2 ip protocol tcp snat {{ sputnik_ip }}
-		ip saddr 172.31.0.2 ip protocol udp snat {{ sputnik_ip }}
+		ip saddr 172.31.0.2 ip protocol icmp snat to {{ sputnik_ip }}
+		ip saddr 172.31.0.2 ip protocol tcp snat to {{ sputnik_ip }}
+		ip saddr 172.31.0.2 ip protocol udp snat to {{ sputnik_ip }}
+	}
+}
+
+{% set sputnik_ip6 = (query('ldap', 'ip', 'sputnik', 'adm') | ipv6)[0] %}
+table ip6 nat {
+	chain prerouting {
+		type nat hook prerouting priority 0; policy accept;
+		ip6 daddr {{ sputnik_ip6 }} dnat to fd0c:700:0:8::2
+	}
+	chain postrouting {
+		type nat hook postrouting priority 100; policy accept;
+		ip6 saddr fd0c:700:0:8::2 ip6 nexthdr icmpv6 snat to {{ sputnik_ip6 }}
+		ip6 saddr fd0c:700:0:8::2 ip6 nexthdr tcp snat to {{ sputnik_ip6 }}
+		ip6 saddr fd0c:700:0:8::2 ip6 nexthdr udp snat to {{ sputnik_ip6 }}
 	}
 }