diff --git a/group_vars/wireguard.yml b/group_vars/wireguard.yml
new file mode 100644
index 0000000000000000000000000000000000000000..de1acd8d8f7ca682d4dc40e088884f02f3e4d471
--- /dev/null
+++ b/group_vars/wireguard.yml
@@ -0,0 +1,3 @@
+---
+glob_wireguard:
+  tunnels: {}
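Review bot: `tunnels: {}` declares the group default as a mapping, while every `loc_wireguard.tunnels` in this commit is a list and the role iterates it with `loop: "{{ wireguard.tunnels }}"`. `loop` requires a list, so a host in the `wireguard` group without its own `loc_wireguard` would fail at the template task instead of doing nothing; `tunnels: []` is the matching empty default. Note also that `combine()` in plays/wireguard.yml is shallow by default, so a host's `tunnels` replaces the group value rather than extending it, which is worth a comment here if group-wide tunnels are ever added.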
diff --git a/host_vars/boeing.adm.crans.org.yml b/host_vars/boeing.adm.crans.org.yml
index dc2ef382536ce2912c33dbdad1d09963f3874234..243827a29990d25df4a07c918bc39a49e8fe67ba 100644
--- a/host_vars/boeing.adm.crans.org.yml
+++ b/host_vars/boeing.adm.crans.org.yml
@@ -1,3 +1,17 @@
 ---
 interfaces:
   adm: ens18
+
+loc_wireguard:
+  tunnels:
+    - name: "sputnik"
+      listen_port: 51820
+      private_key: "{{ vault.wireguard_boeing_private_key }}"
+      peers:
+        - public_key: "{{ vault.wireguard_sputnik_public_key }}"
+          allowed_ips:
+            - "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv4 | first }}/32"
+            - "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv6 | first }}/128"
+          endpoint: "{{ query('ldap', 'ip', 'sputnik', 'srv') | ipv4 | first }}:51820"
+      post_up: "sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.sputnik.proxy_arp=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=1; ip neigh add proxy {{ query('ldap', 'ip', 'sputnik', 'adm') | ipv6 | first }} dev ens18"
+      post_down: "sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.sputnik.proxy_arp=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=0; ip neigh delete proxy {{ query('ldap', 'ip', 'sputnik', 'adm') | ipv6 | first }} dev ens18"
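Review bot: `post_up` and `post_down` hard-code `ens18` although `interfaces.adm: ens18` is defined at the top of this same file, and the template this commit deletes took the interface from a variable; use `{{ interfaces.adm }}` so the hooks follow an interface rename. `post_down` also forces `proxy_arp` and `proxy_ndp` back to 0 on the adm interface whatever their previous value, which would switch proxying off for anything else relying on it there; a comment stating that this tunnel owns those sysctls would make the assumption explicit. Each value is one long `;`-separated line, and a folded scalar (`post_up: >-`) with one command per line would be easier to review. The same applies to the `gulp` tunnel in host_vars/vol447.adm.crans.org.yml.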
diff --git a/host_vars/sputnik.adm.crans.org.yml b/host_vars/sputnik.adm.crans.org.yml
index 53e020ec0ced04b91174af9f29d66d3f4ff95e28..87e91cc5cff2e8a6a17acb279bb3f3efb54d18dc 100644
--- a/host_vars/sputnik.adm.crans.org.yml
+++ b/host_vars/sputnik.adm.crans.org.yml
@@ -8,6 +8,22 @@ postfix:
   dkim: true
   titanic: false
 
+loc_wireguard:
+  tunnels:
+    - name: "sputnik"
+      addresses:
+        - "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv4 | first }}/24"
+        - "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv6 | first }}/64"
+      listen_port: 51820
+      private_key: "{{ vault.wireguard_sputnik_private_key }}"
+      peers:
+        - public_key: "{{ vault.wireguard_boeing_public_key }}"
+          allowed_ips:
+            - "{{ query('ldap', 'network', 'adm') }}"
+            - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
+          endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ipv4 | first }}:51820"
+      post_up: "/sbin/ip link set sputnik alias adm"
+
 to_backup:
   - {
   name: "var",
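Review bot: The asymmetric `allowed_ips` has no comment explaining it: this side accepts the whole adm network and `fd00:0:0:<vlanid>::/64` from the peer, while the boeing side of the same tunnel admits only sputnik's /32 and /128. WireGuard uses AllowedIPs both as the route and as the source filter for decrypted packets, so a short comment above `allowed_ips`, such as `# whole adm VLAN is reached through boeing, which proxies ARP/NDP for this host`, would tell the next reader the width is intentional. The `fd00:0:0:` prefix is also repeated as a literal here and in the terenez hunk; a shared variable would keep the two in step. The same comment applies to the `gulp` tunnel in host_vars/terenez.cachan-adm.crans.org.yml.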
diff --git a/host_vars/terenez.cachan-adm.crans.org.yml b/host_vars/terenez.cachan-adm.crans.org.yml
index e95fa59b444487bac1b485b31235d0ca6a6b2139..ec52e13dc79ef96baa59792fdf8c120694f112a3 100644
--- a/host_vars/terenez.cachan-adm.crans.org.yml
+++ b/host_vars/terenez.cachan-adm.crans.org.yml
@@ -17,3 +17,19 @@ loc_network_interfaces:
     - name: infra
       id: 11
       dns: "{{ query('ldap', 'ip', 'routeur-gulp', 'infra') | ipv4 | first }}"
+
+loc_wireguard:
+  tunnels:
+    - name: "gulp"
+      addresses:
+        - "{{ query('ldap', 'ip', 'terenez', 'adm') | ipv4 | first }}/24"
+        - "{{ query('ldap', 'ip', 'terenez', 'adm') | ipv6 | first }}/64"
+      listen_port: 51820
+      private_key: "{{ vault.wireguard_terenez_private_key }}"
+      peers:
+        - public_key: "{{ vault.wireguard_vol447_public_key }}"
+          allowed_ips:
+            - "{{ query('ldap', 'network', 'adm') }}"
+            - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
+          endpoint: "{{ query('ldap', 'ip', 'vol447', 'srv') | ipv4 | first }}:51820"
+      post_up: "/sbin/ip link set gulp alias adm"
diff --git a/host_vars/vol447.adm.crans.org b/host_vars/vol447.adm.crans.org
deleted file mode 100644
index 7c2ddb6cba503b602ef0426fa00b7b614be32089..0000000000000000000000000000000000000000
--- a/host_vars/vol447.adm.crans.org
+++ /dev/null
@@ -1,3 +0,0 @@
-interfaces:
-  adm: ens18
-  srv: ens19
diff --git a/host_vars/vol447.adm.crans.org.yml b/host_vars/vol447.adm.crans.org.yml
new file mode 100644
index 0000000000000000000000000000000000000000..2aac889006e8124addb1ba4f1bfc18aaa81adde9
--- /dev/null
+++ b/host_vars/vol447.adm.crans.org.yml
@@ -0,0 +1,18 @@
+---
+interfaces:
+  adm: ens18
+  srv: ens19
+
+loc_wireguard:
+  tunnels:
+    - name: "gulp"
+      listen_port: 51820
+      private_key: "{{ vault.wireguard_vol447_private_key }}"
+      peers:
+        - public_key: "{{ vault.wireguard_terenez_public_key }}"
+          allowed_ips:
+            - "{{ query('ldap', 'ip', 'terenez', 'adm') | ipv4 | first }}/32"
+            - "{{ query('ldap', 'ip', 'terenez', 'adm') | ipv6 | first }}/128"
+          endpoint: "{{ query('ldap', 'ip', 'terenez', 'cachan-srv') | ipv4 | first }}:51820"
+      post_up: "sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.gulp.proxy_arp=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.gulp.proxy_ndp=1; ip neigh add proxy {{ query('ldap', 'ip', 'terenez', 'adm') | ipv6 | first }} dev ens18"
+      post_down: "sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.gulp.proxy_arp=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.gulp.proxy_ndp=0; ip neigh delete proxy {{ query('ldap', 'ip', 'terenez', 'adm') | ipv6 | first }} dev ens18"
diff --git a/hosts b/hosts
index 8e124fc6042306f7ac6a5b7adf499ef73ad87fb9..ee5d8159bbe0b96a96552ea73bddbd7ae68eeac1 100644
--- a/hosts
+++ b/hosts
@@ -253,6 +253,12 @@ ptf.adm.crans.org
 kiwi.adm.crans.org
 sputnik.adm.crans.org
 
+[wireguard]
+boeing.adm.crans.org
+sputnik.adm.crans.org
+terenez.cachan-adm.crans.org
+vol447.adm.crans.org
+
 [cachan:children]
 cachan_physical
 cachan_vm
diff --git a/plays/wireguard.yml b/plays/wireguard.yml
index 8d530d6c278b60a858d8e6b92e7cb7768eadd509..7a21afc65ed03cb72d91a5d54e287837ae82eb5a 100755
--- a/plays/wireguard.yml
+++ b/plays/wireguard.yml
@@ -1,24 +1,8 @@
 #!/usr/bin/env ansible-playbook
 ---
 # Deploy tunnel
-- hosts: sputnik.adm.crans.org
+- hosts: wireguard
   vars:
-    debian_mirror: http://mirror.crans.org/debian
-    wireguard:
-      sputnik: true
-      private_key: "{{ vault.wireguard_sputnik_private_key }}"
-      peer_public_key: "{{ vault.wireguard_boeing_public_key }}"
-  roles:
-    - wireguard
-
-- hosts: boeing.adm.crans.org
-  vars:
-    # Debian mirror on adm
-    debian_mirror: http://mirror.adm.crans.org/debian
-    wireguard:
-      sputnik: false
-      if: ens18
-      private_key: "{{ vault.wireguard_boeing_private_key }}"
-      peer_public_key: "{{ vault.wireguard_sputnik_public_key }}"
+    wireguard: "{{ glob_wireguard | default({}) | combine(loc_wireguard | default({})) }}"
   roles:
     - wireguard
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
index 1879f76ba3bc0dbe253eb362f1d1882a5861a2ab..c9f9d293ae7df7f2a11122b725ffeb9b82cd0f3b 100644
--- a/roles/wireguard/tasks/main.yml
+++ b/roles/wireguard/tasks/main.yml
@@ -25,14 +25,16 @@
 
 - name: Deploy wireguard configuration
   template:
-    src: wireguard/sputnik.conf.j2
-    dest: /etc/wireguard/sputnik.conf
+    src: wireguard/tunnel.conf.j2
+    dest: "/etc/wireguard/{{ item.name }}.conf"
     mode: 0700
     owner: root
     group: root
+  loop: "{{ wireguard.tunnels }}"
 
 - name: Enable and start wireguard service
   systemd:
-    name: wg-quick@sputnik
+    name: "wg-quick@{{ item.name }}"
     state: started
     enabled: true
+  loop: "{{ wireguard.tunnels }}"
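Review bot: Both new `loop: "{{ wireguard.tunnels }}"` lines iterate over items that carry `private_key`, and Ansible prints the loop item in each result line, so the key rendered from the vault ends up in console output and any captured logs. Add `loop_control:` with `label: "{{ item.name }}"` to both tasks, and consider `no_log: true` on the template task, since `--diff` would otherwise show the key in the rendered file as well. Separately, `item.name` goes straight into the destination path and the unit name, so an `assert` that it matches an interface-name pattern would be a cheap guard. The task file starts before this hunk, so earlier tasks are not covered by this note.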
diff --git a/roles/wireguard/templates/apt/preferences.d/limit-unstable.j2 b/roles/wireguard/templates/apt/preferences.d/limit-unstable.j2
deleted file mode 100644
index 4ffc0b66ca37dbe71499ec645369d4019a27c8a0..0000000000000000000000000000000000000000
--- a/roles/wireguard/templates/apt/preferences.d/limit-unstable.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-{{ ansible_header | comment }}
-
-Package: *
-Pin: release a=unstable
-Pin-Priority: 90
diff --git a/roles/wireguard/templates/wireguard/sputnik.conf.j2 b/roles/wireguard/templates/wireguard/sputnik.conf.j2
deleted file mode 100644
index e1ed981a1d19ddf2c8519ecc428ac325d29960d4..0000000000000000000000000000000000000000
--- a/roles/wireguard/templates/wireguard/sputnik.conf.j2
+++ /dev/null
@@ -1,27 +0,0 @@
-{{ ansible_header | comment }}
-{% if wireguard.sputnik %}
-[Interface]
-Address = 172.16.10.32/24, fd00::10:0:ff:fe00:3210/64
-ListenPort = 51820
-PrivateKey = {{ wireguard.private_key }}
-
-PostUp = /sbin/ip link set sputnik alias adm
-
-[Peer]
-PublicKey = {{ wireguard.peer_public_key }}
-AllowedIPs = {{ query('ldap', 'network', 'adm') }}, fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64
-Endpoint = {{ (query('ldap', 'ip', 'boeing', 'srv') | ipv4)[0] }}:51820
-{% else %}
-[Interface]
-ListenPort = 51820
-PrivateKey = {{ wireguard.private_key }}
-
-PostUp =   sysctl -w net.ipv4.conf.{{ wireguard.if }}.proxy_arp=1; sysctl -w net.ipv4.conf.sputnik.proxy_arp=1; sysctl -w net.ipv6.conf.{{ wireguard.if }}.proxy_ndp=1; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=1; ip neigh add proxy {{ (query('ldap', 'ip', 'sputnik', 'adm') | ipv6)[0] }} dev {{ wireguard.if }}
-PostDown = sysctl -w net.ipv4.conf.{{ wireguard.if }}.proxy_arp=0; sysctl -w net.ipv4.conf.sputnik.proxy_arp=0; sysctl -w net.ipv6.conf.{{ wireguard.if }}.proxy_ndp=0; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=0; ip neigh delete proxy {{ (query('ldap', 'ip', 'sputnik', 'adm') | ipv6)[0] }} dev {{ wireguard.if }}
-
-[Peer]
-PublicKey = {{ wireguard.peer_public_key }}
-AllowedIPs = {{ (query('ldap', 'ip', 'sputnik', 'adm') | ipv4)[0] }}/32, {{ (query('ldap', 'ip', 'sputnik', 'adm') | ipv6)[0] }}/128
-Endpoint = {{ (query('ldap', 'ip', 'sputnik', 'srv') | ipv4)[0] }}:51820
-{% endif %}
-
diff --git a/roles/wireguard/templates/wireguard/tunnel.conf.j2 b/roles/wireguard/templates/wireguard/tunnel.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..e8682637b0642465d732d66dc8d9452286ebac05
--- /dev/null
+++ b/roles/wireguard/templates/wireguard/tunnel.conf.j2
@@ -0,0 +1,25 @@
+{{ ansible_header | comment }}
+
+[Interface]
+{% if item.addresses is defined %}
+Address = {{ item.addresses | join(", ") }}
+{% endif %}
+{% if item.listen_port is defined %}
+ListenPort = {{ item.listen_port }}
+{% endif %}
+PrivateKey = {{ item.private_key }}
+
+{% if item.post_up is defined %}
+PostUp = {{ item.post_up }}
+{% endif %}
+{% if item.post_down is defined %}
+PostDown = {{ item.post_down }}
+{% endif %}
+
+{% for peer in item.peers %}
+[Peer]
+PublicKey = {{ peer.public_key }}
+AllowedIPs = {{ peer.allowed_ips | join(", ") }}
+Endpoint = {{ peer.endpoint }}
+
+{% endfor -%}
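Review bot: `Endpoint` and the `item.peers` loop are emitted unconditionally, although every optional `[Interface]` key above them is wrapped in `is defined`. A tunnel without `peers`, or a peer that is only ever dialled from the other side, makes the template fail on an undefined variable; writing the line as `{% if peer.endpoint is defined %}Endpoint = {{ peer.endpoint }}{% endif %}` and looping over `item.peers | default([])` keeps the treatment uniform. A header comment should also state that `post_up` and `post_down` are written verbatim into PostUp/PostDown, which wg-quick executes through a shell as root, so these values must only come from trusted inventory.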