From 70d335e1b8fb855eb0c9244854575ec02e016bd5 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Sat, 26 Jun 2021 01:04:37 +0200
Subject: [PATCH] [wireguard] Refactor role

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
 group_vars/wireguard.yml                      |  3 +++
 host_vars/boeing.adm.crans.org.yml            | 14 ++++++++++
 host_vars/sputnik.adm.crans.org.yml           | 16 +++++++++++
 host_vars/terenez.cachan-adm.crans.org.yml    | 16 +++++++++++
 host_vars/vol447.adm.crans.org                |  3 ---
 host_vars/vol447.adm.crans.org.yml            | 18 +++++++++++++
 hosts                                         |  6 +++++
 plays/wireguard.yml                           | 20 ++------------
 roles/wireguard/tasks/main.yml                |  8 +++---
 .../apt/preferences.d/limit-unstable.j2       |  5 ----
 .../templates/wireguard/sputnik.conf.j2       | 27 -------------------
 .../templates/wireguard/tunnel.conf.j2        | 25 +++++++++++++++++
 12 files changed, 105 insertions(+), 56 deletions(-)
 create mode 100644 group_vars/wireguard.yml
 delete mode 100644 host_vars/vol447.adm.crans.org
 create mode 100644 host_vars/vol447.adm.crans.org.yml
 delete mode 100644 roles/wireguard/templates/apt/preferences.d/limit-unstable.j2
 delete mode 100644 roles/wireguard/templates/wireguard/sputnik.conf.j2
 create mode 100644 roles/wireguard/templates/wireguard/tunnel.conf.j2

diff --git a/group_vars/wireguard.yml b/group_vars/wireguard.yml
new file mode 100644
index 00000000..de1acd8d
--- /dev/null
+++ b/group_vars/wireguard.yml
@@ -0,0 +1,3 @@
+---
+glob_wireguard:
+  tunnels: {}
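Review bot: `tunnels: {}` is an empty mapping, but every consumer in this patch treats `tunnels` as a list — the host_vars files declare it as a sequence of `- name:` items and both looped tasks in roles/wireguard/tasks/main.yml feed it to `loop:`, which expects a list and errors on a dict. A host placed in the `wireguard` group without a `loc_wireguard` override would therefore fail at the first looped task instead of skipping cleanly; the default should be `tunnels: []`. Because the `combine` in plays/wireguard.yml is shallow, a host-level `tunnels` replaces this value rather than merging into it, which deserves a comment above the key, e.g. `# Default: no tunnels. Hosts set loc_wireguard.tunnels (a list); combine() replaces this list, it does not append to it.`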
diff --git a/host_vars/boeing.adm.crans.org.yml b/host_vars/boeing.adm.crans.org.yml
index dc2ef382..243827a2 100644
--- a/host_vars/boeing.adm.crans.org.yml
+++ b/host_vars/boeing.adm.crans.org.yml
@@ -1,3 +1,17 @@
 ---
 interfaces:
   adm: ens18
+
+loc_wireguard:
+  tunnels:
+    - name: "sputnik"
+      listen_port: 51820
+      private_key: "{{ vault.wireguard_boeing_private_key }}"
+      peers:
+        - public_key: "{{ vault.wireguard_sputnik_public_key }}"
+          allowed_ips:
+            - "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv4 | first }}/32"
+            - "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv6 | first }}/128"
+          endpoint: "{{ query('ldap', 'ip', 'sputnik', 'srv') | ipv4 | first }}:51820"
+      post_up: "sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.sputnik.proxy_arp=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=1; ip neigh add proxy {{ query('ldap', 'ip', 'sputnik', 'adm') | ipv6 | first }} dev ens18"
+      post_down: "sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.sputnik.proxy_arp=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=0; ip neigh delete proxy {{ query('ldap', 'ip', 'sputnik', 'adm') | ipv6 | first }} dev ens18"
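Review bot: The `post_up` and `post_down` strings hard-code `ens18` five times each, although this same file declares `interfaces.adm: ens18` a few lines above; using `{{ interfaces.adm }}` keeps the proxy_arp/proxy_ndp toggles and the `ip neigh … proxy` entry bound to the interface actually used for adm, as the deleted `sputnik.conf.j2` did through `wireguard.if`. The same applies to the `gulp` tunnel in host_vars/vol447.adm.crans.org.yml, where `interfaces.adm: ens18` is likewise defined right next to it. Note also that the commands are chained with `;`, so a failing sysctl does not stop the chain and wg-quick only sees the exit status of the final `ip neigh` command; joining the `post_up` steps with `&&` would make a partially applied setup fail visibly instead of leaving the tunnel up with proxying half-configured.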
diff --git a/host_vars/sputnik.adm.crans.org.yml b/host_vars/sputnik.adm.crans.org.yml
index 53e020ec..87e91cc5 100644
--- a/host_vars/sputnik.adm.crans.org.yml
+++ b/host_vars/sputnik.adm.crans.org.yml
@@ -8,6 +8,22 @@ postfix:
   dkim: true
   titanic: false
 
+loc_wireguard:
+  tunnels:
+    - name: "sputnik"
+      addresses:
+        - "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv4 | first }}/24"
+        - "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv6 | first }}/64"
+      listen_port: 51820
+      private_key: "{{ vault.wireguard_sputnik_private_key }}"
+      peers:
+        - public_key: "{{ vault.wireguard_boeing_public_key }}"
+          allowed_ips:
+            - "{{ query('ldap', 'network', 'adm') }}"
+            - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
+          endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ipv4 | first }}:51820"
+      post_up: "/sbin/ip link set sputnik alias adm"
+
 to_backup:
   - {
   name: "var",
diff --git a/host_vars/terenez.cachan-adm.crans.org.yml b/host_vars/terenez.cachan-adm.crans.org.yml
index e95fa59b..ec52e13d 100644
--- a/host_vars/terenez.cachan-adm.crans.org.yml
+++ b/host_vars/terenez.cachan-adm.crans.org.yml
@@ -17,3 +17,19 @@ loc_network_interfaces:
     - name: infra
       id: 11
       dns: "{{ query('ldap', 'ip', 'routeur-gulp', 'infra') | ipv4 | first }}"
+
+loc_wireguard:
+  tunnels:
+    - name: "gulp"
+      addresses:
+        - "{{ query('ldap', 'ip', 'terenez', 'adm') | ipv4 | first }}/24"
+        - "{{ query('ldap', 'ip', 'terenez', 'adm') | ipv6 | first }}/64"
+      listen_port: 51820
+      private_key: "{{ vault.wireguard_terenez_private_key }}"
+      peers:
+        - public_key: "{{ vault.wireguard_vol447_public_key }}"
+          allowed_ips:
+            - "{{ query('ldap', 'network', 'adm') }}"
+            - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
+          endpoint: "{{ query('ldap', 'ip', 'vol447', 'srv') | ipv4 | first }}:51820"
+      post_up: "/sbin/ip link set gulp alias adm"
diff --git a/host_vars/vol447.adm.crans.org b/host_vars/vol447.adm.crans.org
deleted file mode 100644
index 7c2ddb6c..00000000
--- a/host_vars/vol447.adm.crans.org
+++ /dev/null
@@ -1,3 +0,0 @@
-interfaces:
-  adm: ens18
-  srv: ens19
diff --git a/host_vars/vol447.adm.crans.org.yml b/host_vars/vol447.adm.crans.org.yml
new file mode 100644
index 00000000..2aac8890
--- /dev/null
+++ b/host_vars/vol447.adm.crans.org.yml
@@ -0,0 +1,18 @@
+---
+interfaces:
+  adm: ens18
+  srv: ens19
+
+loc_wireguard:
+  tunnels:
+    - name: "gulp"
+      listen_port: 51820
+      private_key: "{{ vault.wireguard_vol447_private_key }}"
+      peers:
+        - public_key: "{{ vault.wireguard_terenez_public_key }}"
+          allowed_ips:
+            - "{{ query('ldap', 'ip', 'terenez', 'adm') | ipv4 | first }}/32"
+            - "{{ query('ldap', 'ip', 'terenez', 'adm') | ipv6 | first }}/128"
+          endpoint: "{{ query('ldap', 'ip', 'terenez', 'cachan-srv') | ipv4 | first }}:51820"
+      post_up: "sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.gulp.proxy_arp=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.gulp.proxy_ndp=1; ip neigh add proxy {{ query('ldap', 'ip', 'terenez', 'adm') | ipv6 | first }} dev ens18"
+      post_down: "sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.gulp.proxy_arp=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.gulp.proxy_ndp=0; ip neigh delete proxy {{ query('ldap', 'ip', 'terenez', 'adm') | ipv6 | first }} dev ens18"
diff --git a/hosts b/hosts
index 8e124fc6..ee5d8159 100644
--- a/hosts
+++ b/hosts
@@ -253,6 +253,12 @@ ptf.adm.crans.org
 kiwi.adm.crans.org
 sputnik.adm.crans.org
 
+[wireguard]
+boeing.adm.crans.org
+sputnik.adm.crans.org
+terenez.cachan-adm.crans.org
+vol447.adm.crans.org
+
 [cachan:children]
 cachan_physical
 cachan_vm
diff --git a/plays/wireguard.yml b/plays/wireguard.yml
index 8d530d6c..7a21afc6 100755
--- a/plays/wireguard.yml
+++ b/plays/wireguard.yml
@@ -1,24 +1,8 @@
 #!/usr/bin/env ansible-playbook
 ---
 # Deploy tunnel
-- hosts: sputnik.adm.crans.org
+- hosts: wireguard
   vars:
-    debian_mirror: http://mirror.crans.org/debian
-    wireguard:
-      sputnik: true
-      private_key: "{{ vault.wireguard_sputnik_private_key }}"
-      peer_public_key: "{{ vault.wireguard_boeing_public_key }}"
-  roles:
-    - wireguard
-
-- hosts: boeing.adm.crans.org
-  vars:
-    # Debian mirror on adm
-    debian_mirror: http://mirror.adm.crans.org/debian
-    wireguard:
-      sputnik: false
-      if: ens18
-      private_key: "{{ vault.wireguard_boeing_private_key }}"
-      peer_public_key: "{{ vault.wireguard_sputnik_public_key }}"
+    wireguard: "{{ glob_wireguard | default({}) | combine(loc_wireguard | default({})) }}"
   roles:
     - wireguard
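Review bot: Dropping `debian_mirror` (and the `wireguard.sputnik` / `wireguard.if` keys) from the play's vars changes what the role sees, but the first 24 lines of roles/wireguard/tasks/main.yml are outside this patch and, per the diffstat, untouched; if any task there still references `debian_mirror` or templates the now-deleted `apt/preferences.d/limit-unstable.j2`, it will fail with an undefined variable or a missing template source. Worth confirming those tasks were already removed, or removing them in this commit. The `combine` on the new `wireguard` line is a shallow merge, so `loc_wireguard.tunnels` replaces `glob_wireguard.tunnels` outright; that is fine as long as nobody expects group-level tunnels to be appended, and a one-line comment above it, e.g. `# Shallow merge: a host's loc_wireguard.tunnels replaces the group default list`, prevents that surprise.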
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
index 1879f76b..c9f9d293 100644
--- a/roles/wireguard/tasks/main.yml
+++ b/roles/wireguard/tasks/main.yml
@@ -25,14 +25,16 @@
 
 - name: Deploy wireguard configuration
   template:
-    src: wireguard/sputnik.conf.j2
-    dest: /etc/wireguard/sputnik.conf
+    src: wireguard/tunnel.conf.j2
+    dest: "/etc/wireguard/{{ item.name }}.conf"
     mode: 0700
     owner: root
     group: root
+  loop: "{{ wireguard.tunnels }}"
 
 - name: Enable and start wireguard service
   systemd:
-    name: wg-quick@sputnik
+    name: "wg-quick@{{ item.name }}"
     state: started
     enabled: true
+  loop: "{{ wireguard.tunnels }}"
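Review bot: Both new `loop: "{{ wireguard.tunnels }}"` lines make Ansible print each loop item in the task output, and those items carry `private_key` (a vault value), so the WireGuard private keys would land in the console log and in any CI or job-history store; add `loop_control:` with `label: "{{ item.name }}"` to both looped tasks (and consider `no_log: true` on the template task) so only the tunnel name is echoed. Separately, the template task has no `notify` and the systemd task only ensures `started`/`enabled`, so a changed `/etc/wireguard/<name>.conf` on an already-running tunnel is written but never applied until the unit is restarted by hand; a handler that restarts or reloads `wg-quick@{{ item.name }}` for each changed item would close that gap. The context line `mode: 0700` is unquoted octal that only round-trips by coincidence (a YAML 1.1 loader reads it as the integer 448, which equals 0o700), and a file holding a private key conventionally gets a quoted `"0600"`.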
diff --git a/roles/wireguard/templates/apt/preferences.d/limit-unstable.j2 b/roles/wireguard/templates/apt/preferences.d/limit-unstable.j2
deleted file mode 100644
index 4ffc0b66..00000000
--- a/roles/wireguard/templates/apt/preferences.d/limit-unstable.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-{{ ansible_header | comment }}
-
-Package: *
-Pin: release a=unstable
-Pin-Priority: 90
diff --git a/roles/wireguard/templates/wireguard/sputnik.conf.j2 b/roles/wireguard/templates/wireguard/sputnik.conf.j2
deleted file mode 100644
index e1ed981a..00000000
--- a/roles/wireguard/templates/wireguard/sputnik.conf.j2
+++ /dev/null
@@ -1,27 +0,0 @@
-{{ ansible_header | comment }}
-{% if wireguard.sputnik %}
-[Interface]
-Address = 172.16.10.32/24, fd00::10:0:ff:fe00:3210/64
-ListenPort = 51820
-PrivateKey = {{ wireguard.private_key }}
-
-PostUp = /sbin/ip link set sputnik alias adm
-
-[Peer]
-PublicKey = {{ wireguard.peer_public_key }}
-AllowedIPs = {{ query('ldap', 'network', 'adm') }}, fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64
-Endpoint = {{ (query('ldap', 'ip', 'boeing', 'srv') | ipv4)[0] }}:51820
-{% else %}
-[Interface]
-ListenPort = 51820
-PrivateKey = {{ wireguard.private_key }}
-
-PostUp =   sysctl -w net.ipv4.conf.{{ wireguard.if }}.proxy_arp=1; sysctl -w net.ipv4.conf.sputnik.proxy_arp=1; sysctl -w net.ipv6.conf.{{ wireguard.if }}.proxy_ndp=1; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=1; ip neigh add proxy {{ (query('ldap', 'ip', 'sputnik', 'adm') | ipv6)[0] }} dev {{ wireguard.if }}
-PostDown = sysctl -w net.ipv4.conf.{{ wireguard.if }}.proxy_arp=0; sysctl -w net.ipv4.conf.sputnik.proxy_arp=0; sysctl -w net.ipv6.conf.{{ wireguard.if }}.proxy_ndp=0; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=0; ip neigh delete proxy {{ (query('ldap', 'ip', 'sputnik', 'adm') | ipv6)[0] }} dev {{ wireguard.if }}
-
-[Peer]
-PublicKey = {{ wireguard.peer_public_key }}
-AllowedIPs = {{ (query('ldap', 'ip', 'sputnik', 'adm') | ipv4)[0] }}/32, {{ (query('ldap', 'ip', 'sputnik', 'adm') | ipv6)[0] }}/128
-Endpoint = {{ (query('ldap', 'ip', 'sputnik', 'srv') | ipv4)[0] }}:51820
-{% endif %}
-
diff --git a/roles/wireguard/templates/wireguard/tunnel.conf.j2 b/roles/wireguard/templates/wireguard/tunnel.conf.j2
new file mode 100644
index 00000000..e8682637
--- /dev/null
+++ b/roles/wireguard/templates/wireguard/tunnel.conf.j2
@@ -0,0 +1,25 @@
+{{ ansible_header | comment }}
+
+[Interface]
+{% if item.addresses is defined %}
+Address = {{ item.addresses | join(", ") }}
+{% endif %}
+{% if item.listen_port is defined %}
+ListenPort = {{ item.listen_port }}
+{% endif %}
+PrivateKey = {{ item.private_key }}
+
+{% if item.post_up is defined %}
+PostUp = {{ item.post_up }}
+{% endif %}
+{% if item.post_down is defined %}
+PostDown = {{ item.post_down }}
+{% endif %}
+
+{% for peer in item.peers %}
+[Peer]
+PublicKey = {{ peer.public_key }}
+AllowedIPs = {{ peer.allowed_ips | join(", ") }}
+Endpoint = {{ peer.endpoint }}
+
+{% endfor -%}
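Review bot: `Endpoint = {{ peer.endpoint }}` on the last peer line is unconditional, while `Endpoint` is optional in a WireGuard `[Peer]` section (a peer whose address is not known in advance simply omits it); every peer in this patch sets one, but the template would raise an undefined-variable error the first time a roaming peer is added, so guard it like the other optional keys: `{% if peer.endpoint is defined %}` / `Endpoint = {{ peer.endpoint }}` / `{% endif %}`. Likewise `{% for peer in item.peers %}` assumes `peers` is always present; `{% for peer in item.peers | default([]) %}` lets a tunnel be declared without peers. A short Jinja comment below the header documenting the expected item shape would help the next person adding a host, e.g. `{# item: name, private_key (required); addresses, listen_port, post_up, post_down (optional); peers[]: public_key, allowed_ips (required), endpoint (optional) #}`.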
-- 
GitLab