From 0c78905bb2a991fc50c97df54a9d46e60ac3ea84 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Tue, 28 Jun 2022 23:08:08 +0200
Subject: [PATCH 1/5] [thot] Fix slapd IP

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
 host_vars/thot.adm.crans.org.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/host_vars/thot.adm.crans.org.yml b/host_vars/thot.adm.crans.org.yml
index efe08b40..0279d897 100644
--- a/host_vars/thot.adm.crans.org.yml
+++ b/host_vars/thot.adm.crans.org.yml
@@ -6,6 +6,6 @@ loc_borg:
     - /var
 
 loc_slapd:
-  ip: "{{ query('ldap', 'ip', 'ft', 'adm') | ipv4 | first }}"
+  ip: "{{ query('ldap', 'ip', 'thot', 'adm') | ipv4 | first }}"
   replica: true
   replica_rid: 5
-- 
GitLab


From 66269841a77b3f1d88f4fca4370c924aa5a45aa4 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Tue, 28 Jun 2022 23:10:21 +0200
Subject: [PATCH 2/5] Create 3 different Wireguard tunnels

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
 host_vars/boeing.adm.crans.org.yml       | 40 +++++++++++++++++++-----
 host_vars/routeur-ft.adm.crans.org.yml   | 18 +++++------
 host_vars/routeur-thot.adm.crans.org.yml | 19 +++++------
 host_vars/sputnik.adm.crans.org.yml      |  2 +-
 4 files changed, 53 insertions(+), 26 deletions(-)

diff --git a/host_vars/boeing.adm.crans.org.yml b/host_vars/boeing.adm.crans.org.yml
index e945734b..dad7adac 100644
--- a/host_vars/boeing.adm.crans.org.yml
+++ b/host_vars/boeing.adm.crans.org.yml
@@ -7,7 +7,7 @@ loc_wireguard:
   tunnels:
     - name: "sputnik"
       listen_port: 51820
-      private_key: "{{ vault.wireguard.boeing.privkey }}"
+      private_key: "{{ vault.wireguard.boeing.sputnik.privkey }}"
       table: "off"
       peers:
         - public_key: "{{ vault.wireguard.sputnik.pubkey }}"
@@ -15,23 +15,49 @@ loc_wireguard:
             - "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv4 | first }}/32"
             - "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv6 | first }}/128"
           endpoint: "{{ query('ldap', 'ip', 'sputnik', 'srv') | ipv4 | first }}:51820"
+      post_up:
+        - "sysctl -w net.ipv4.conf.%i.proxy_arp=1"
+        - "sysctl -w net.ipv6.conf.%i.proxy_ndp=1"
+        - "python3 /var/local/services/proxy/proxy.py --alter"
+      pre_down:
+        - "sysctl -w net.ipv4.conf.%i.proxy_arp=0"
+        - "sysctl -w net.ipv6.conf.%i.proxy_ndp=0"
+        - "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy"
+    - name: "viarezo"
+      listen_port: 51821
+      private_key: "{{ vault.wireguard.boeing.viarezo.privkey }}"
+      table: "off"
+      peers:
         - public_key: "{{ vault.wireguard.routeur_ft.pubkey }}"
           allowed_ips:
             - "{{ query('ldap', 'network', 'adm') }}"
             - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
           persistent_keepalive: 25
+      post_up:
+        - "sysctl -w net.ipv4.conf.%i.proxy_arp=1"
+        - "sysctl -w net.ipv6.conf.%i.proxy_ndp=1"
+        - "python3 /var/local/services/proxy/proxy.py --alter"
+      pre_down:
+        - "sysctl -w net.ipv4.conf.%i.proxy_arp=0"
+        - "sysctl -w net.ipv6.conf.%i.proxy_ndp=0"
+        - "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy"
+    - name: "aurore"
+      listen_port: 51822
+      private_key: "{{ vault.wireguard.boeing.aurore.privkey }}"
+      table: "off"
+      peers:
         - public_key: "{{ vault.wireguard.routeur_thot.pubkey }}"
           allowed_ips:
             - "{{ query('ldap', 'network', 'adm') }}"
             - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
           persistent_keepalive: 25
       post_up:
-        - "sysctl -w net.ipv4.conf.all.forwarding=1; sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.sputnik.proxy_arp=1"
-        - "sysctl -w net.ipv6.conf.all.forwarding=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=1"
+        - "sysctl -w net.ipv4.conf.%i.proxy_arp=1"
+        - "sysctl -w net.ipv6.conf.%i.proxy_ndp=1"
         - "python3 /var/local/services/proxy/proxy.py --alter"
       pre_down:
-        - "sysctl -w net.ipv4.conf.all.forwarding=0; sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.sputnik.proxy_arp=0"
-        - "sysctl -w net.ipv6.conf.all.forwarding=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=0"
+        - "sysctl -w net.ipv4.conf.%i.proxy_arp=0"
+        - "sysctl -w net.ipv6.conf.%i.proxy_ndp=0"
         - "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy"
 
 loc_service_proxy:
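Review bot: The `pre_down` line `ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy` is copied into all three boeing tunnels (sputnik, viarezo, aurore), but the flush selects by protocol only, so taking down any one tunnel also removes the proxy routes and proxy-neighbour entries that belong to the other two tunnels and to the default `ens18` path. Assuming the role renders these into wg-quick `PostUp`/`PreDown` (where `%i` expands to the interface name), scoping the flush per device keeps the tunnels independent: `ip route flush dev %i proto proxy; ip -6 route flush dev %i proto proxy; ip neigh flush dev %i proxy proto proxy`. The same unscoped flush is in the routeur-ft and routeur-thot hunks of this commit. The per-minute `--alter` cron shown later in the series presumably repopulates the entries, but until it runs the other tunnels' targets are unreachable. Note also that this commit drops the `all.forwarding` and `ens18` proxy sysctls from `post_up` while they are only re-added by the arpproxy role in the next commit, so the series is not safe to apply partially.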
@@ -42,6 +68,6 @@ loc_service_proxy:
     filter: "adm.crans.org"
     proxy:
       default: "ens18"
-      viarezo: "sputnik"
-      aurore: "sputnik"
+      viarezo: "viarezo"
+      aurore: "aurore"
       ovh: "sputnik"
diff --git a/host_vars/routeur-ft.adm.crans.org.yml b/host_vars/routeur-ft.adm.crans.org.yml
index 7b5b403f..dfabbc24 100644
--- a/host_vars/routeur-ft.adm.crans.org.yml
+++ b/host_vars/routeur-ft.adm.crans.org.yml
@@ -5,25 +5,25 @@ interfaces:
 
 loc_wireguard:
   tunnels:
-    - name: "wg0"
+    - name: "boeing"
       listen_port: 51820
       private_key: "{{ vault.wireguard.routeur_ft.privkey }}"
       table: "off"
       peers:
-        - public_key: "{{ vault.wireguard.boeing.pubkey }}"
+        - public_key: "{{ vault.wireguard.boeing.viarezo.pubkey }}"
           allowed_ips:
             - "{{ query('ldap', 'network', 'adm') }}"
             - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
-          endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ipv4 | first }}:51820"
+          endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ipv4 | first }}:51821"
           persistent_keepalive: 25
       post_up:
-        - "sysctl -w net.ipv4.conf.all.forwarding=1; sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.wg0.proxy_arp=1"
-        - "sysctl -w net.ipv6.conf.all.forwarding=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.wg0.proxy_ndp=1"
-        - "ip route add 172.16.10.1 dev wg0 proto proxy"
+        - "sysctl -w net.ipv4.conf.%i.proxy_arp=1"
+        - "sysctl -w net.ipv6.conf.%i.proxy_ndp=1"
+        - "ip route add 172.16.10.1 dev %i proto proxy"
         - "python3 /var/local/services/proxy/proxy.py --alter"
       pre_down:
-        - "sysctl -w net.ipv4.conf.all.forwarding=0; sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.wg0.proxy_arp=0"
-        - "sysctl -w net.ipv6.conf.all.forwarding=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.wg0.proxy_ndp=0"
+        - "sysctl -w net.ipv4.conf.%i.proxy_arp=0"
+        - "sysctl -w net.ipv6.conf.%i.proxy_ndp=0"
         - "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy"
 
 loc_service_proxy:
@@ -33,5 +33,5 @@ loc_service_proxy:
     protocol: "proxy"
     filter: "adm.crans.org"
     proxy:
-      default: "wg0"
+      default: "boeing"
       viarezo: "ens18"
diff --git a/host_vars/routeur-thot.adm.crans.org.yml b/host_vars/routeur-thot.adm.crans.org.yml
index d5c81610..3bd9c1c5 100644
--- a/host_vars/routeur-thot.adm.crans.org.yml
+++ b/host_vars/routeur-thot.adm.crans.org.yml
@@ -5,27 +5,28 @@ interfaces:
 
 loc_wireguard:
   tunnels:
-    - name: "wg0"
+    - name: "boeing"
       listen_port: 51820
       private_key: "{{ vault.wireguard.routeur_thot.privkey }}"
       table: "off"
       peers:
-        - public_key: "{{ vault.wireguard.boeing.pubkey }}"
+        - public_key: "{{ vault.wireguard.boeing.aurore.pubkey }}"
           allowed_ips:
             - "{{ query('ldap', 'network', 'adm') }}"
             - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
-          endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ipv4 | first }}:51820"
+          endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ipv4 | first }}:51822"
           persistent_keepalive: 25
       post_up:
-        - "sysctl -w net.ipv4.conf.all.forwarding=1; sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.wg0.proxy_arp=1"
-        - "sysctl -w net.ipv6.conf.all.forwarding=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.wg0.proxy_ndp=1"
-        - "ip route add 172.16.10.1 dev wg0 proto proxy"
+        - "sysctl -w net.ipv4.conf.%i.proxy_arp=1"
+        - "sysctl -w net.ipv6.conf.%i.proxy_ndp=1"
+        - "ip route add 172.16.10.1 dev %i proto proxy"
         - "python3 /var/local/services/proxy/proxy.py --alter"
       pre_down:
-        - "sysctl -w net.ipv4.conf.all.forwarding=0; sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.wg0.proxy_arp=0"
-        - "sysctl -w net.ipv6.conf.all.forwarding=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.wg0.proxy_ndp=0"
+        - "sysctl -w net.ipv4.conf.%i.proxy_arp=0"
+        - "sysctl -w net.ipv6.conf.%i.proxy_ndp=0"
         - "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy"
 
+
 loc_service_proxy:
   config:
     ldap:
@@ -33,5 +34,5 @@ loc_service_proxy:
     protocol: "proxy"
     filter: "adm.crans.org"
     proxy:
-      default: "wg0"
+      default: "boeing"
       aurore: "ens18"
diff --git a/host_vars/sputnik.adm.crans.org.yml b/host_vars/sputnik.adm.crans.org.yml
index 356ff00d..5416e20b 100644
--- a/host_vars/sputnik.adm.crans.org.yml
+++ b/host_vars/sputnik.adm.crans.org.yml
@@ -17,7 +17,7 @@ loc_wireguard:
       listen_port: 51820
       private_key: "{{ vault.wireguard.sputnik.privkey }}"
       peers:
-        - public_key: "{{ vault.wireguard.boeing.pubkey }}"
+        - public_key: "{{ vault.wireguard.boeing.sputnik.pubkey }}"
           allowed_ips:
             - "{{ query('ldap', 'network', 'adm') }}"
             - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
-- 
GitLab


From 4fe189f2488e553c385da72f5ed38d848e5e5ab8 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Tue, 28 Jun 2022 23:12:03 +0200
Subject: [PATCH 3/5] [proxy] Enable IP forwarding and ARP and NDP proxies

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
 group_vars/arpproxy.yml       |  2 ++
 plays/arpproxy.yml            |  1 +
 roles/arpproxy/tasks/main.yml | 22 ++++++++++++++++++++++
 3 files changed, 25 insertions(+)
 create mode 100644 roles/arpproxy/tasks/main.yml

diff --git a/group_vars/arpproxy.yml b/group_vars/arpproxy.yml
index 172e0743..f5db4b2a 100644
--- a/group_vars/arpproxy.yml
+++ b/group_vars/arpproxy.yml
@@ -9,3 +9,5 @@ glob_service_proxy:
   cron:
     frequency: "* * * * *"
     options: "--alter"
+  proto_id: 201
+  main_interface: ens18
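Review bot: `main_interface: ens18` is the only unquoted string value in this block; the surrounding keys (`frequency: "* * * * *"`, `options: "--alter"`) are quoted, and the value is later interpolated into sysctl keys, so `main_interface: "ens18"` keeps the file consistent and protects against a future interface name that YAML would retype. `proto_id: 201` is fine as an integer since it is written into a numeric column of rt_protos.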
diff --git a/plays/arpproxy.yml b/plays/arpproxy.yml
index ddc4fdd2..dc6fd820 100755
--- a/plays/arpproxy.yml
+++ b/plays/arpproxy.yml
@@ -5,3 +5,4 @@
     service: "{{ glob_service_proxy | default({}) | combine(loc_service_proxy | default({})) }}"
   roles:
     - service
+    - arpproxy
diff --git a/roles/arpproxy/tasks/main.yml b/roles/arpproxy/tasks/main.yml
new file mode 100644
index 00000000..0f514893
--- /dev/null
+++ b/roles/arpproxy/tasks/main.yml
@@ -0,0 +1,22 @@
+---
+- name: Register proto proxy
+  lineinfile:
+    path: /etc/iproute2/rt_protos.d/proxy.conf
+    regexp: "^\\d+ proxy$"
+    line: "{{ service.proto_id }} {{ service.config.protocol }}"
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Enable IP forward and ARP and NDP proxies
+  sysctl:
+    name: "{{ item.name }}"
+    value: "1"
+    sysctl_file: "/etc/sysctl.d/{{ item.file }}.conf"
+    sysctl_set: true
+    reload: true
+  loop:
+    - {name: "net.ipv4.ip_forward", file: "10-forwarding"}
+    - {name: "net.ipv6.conf.all.forwarding", file: "10-forwarding"}
+    - {name: "net.ipv4.conf.{{ service.main_interface }}.proxy_arp", file: "11-proxy-{{ service.main_interface }}"}
+    - {name: "net.ipv6.conf.{{ service.main_interface }}.proxy_ndp", file: "11-proxy-{{ service.main_interface }}"}
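Review bot: The `lineinfile` task in "Register proto proxy" has no `create: true`, so on a host where `/etc/iproute2/rt_protos.d/proxy.conf` does not yet exist the task fails instead of creating the file; add `create: true` alongside `path`. The `regexp` also hard-codes the protocol name (`"^\\d+ proxy$"`) while `line` templates it from `{{ service.config.protocol }}`, so a protocol other than `proxy` would never match and a duplicate line would be appended on every run; use `regexp: "^\\d+ {{ service.config.protocol }}$"`. Finally, `mode: 0644` is an unquoted octal literal that YAML parses as the integer 420 (ansible-lint's risky-octal rule); write `mode: "0644"`.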
-- 
GitLab


From e97a7663134af41963f082d6c5baae1a03265581 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Tue, 28 Jun 2022 23:13:44 +0200
Subject: [PATCH 4/5] Add thot servers

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
 hosts | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/hosts b/hosts
index 3f3f03b3..a934adcb 100644
--- a/hosts
+++ b/hosts
@@ -6,7 +6,7 @@ zamok.adm.crans.org
 [arpproxy]
 boeing.adm.crans.org
 routeur-ft.adm.crans.org
-#routeur-thot.adm.crans.org
+routeur-thot.adm.crans.org
 
 [autoconfig]
 hodaur.adm.crans.org
@@ -16,7 +16,7 @@ cameron.adm.crans.org
 
 [backups]
 backup-ft.adm.crans.org
-#backup-thot.adm.crans.org
+backup-thot.adm.crans.org
 
 [baie]
 cameron.adm.crans.org
@@ -270,7 +270,7 @@ sputnik.adm.crans.org
 [wireguard]
 boeing.adm.crans.org
 routeur-ft.adm.crans.org
-#routeur-thot.adm.crans.org
+routeur-thot.adm.crans.org
 sputnik.adm.crans.org
 
 [crans_routeurs:children]
@@ -341,8 +341,8 @@ viarezo_vm
 thot.adm.crans.org
 
 [aurore_vm]
-#backup-thot.adm.crans.org
-#routeur-thot.adm.crans.org
+backup-thot.adm.crans.org
+routeur-thot.adm.crans.org
 
 [aurore:children]
 aurore_physical
@@ -357,6 +357,7 @@ ceph-storage-b.adm.crans.org
 tilque.adm.crans.org
 
 [crans_vm:children]
+aurore_vm
 forget_me
 routeurs_vm
 viarezo_vm
-- 
GitLab


From 4ef3f912a949357a74c804a06fa966c242340758 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Tue, 28 Jun 2022 23:25:20 +0200
Subject: [PATCH 5/5] Add missing YAML header

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
 group_vars/virtu_adh.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/group_vars/virtu_adh.yml b/group_vars/virtu_adh.yml
index d3a5f3e9..8c780d09 100644
--- a/group_vars/virtu_adh.yml
+++ b/group_vars/virtu_adh.yml
@@ -1,3 +1,4 @@
+---
 glob_service_proxmox_user:
   git:
     remote: https://gitlab.adm.crans.org/nounous/proxmox-user.git
-- 
GitLab