From d0b023c6d5176d271bf8e4ee1c8217b469ed938e Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Sun, 23 Aug 2020 19:48:30 +0200
Subject: [PATCH] [wireguard] Deploy wireguard on boeing

---
 hosts                                               |  1 +
 roles/wireguard/templates/wireguard/sputnik.conf.j2 | 10 +++++-----
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/hosts b/hosts
index f5d61c09..22b567d8 100644
--- a/hosts
+++ b/hosts
@@ -80,6 +80,7 @@ re2o-ldap.adm.crans.org
 gitlab-ci.adm.crans.org
 hodaur.adm.crans.org
 monitoring.adm.crans.org
+boeing.adm.crans.org
 
 [ovh_physical]
 sputnik.adm.crans.org
diff --git a/roles/wireguard/templates/wireguard/sputnik.conf.j2 b/roles/wireguard/templates/wireguard/sputnik.conf.j2
index 7e921c89..4f0ec94a 100644
--- a/roles/wireguard/templates/wireguard/sputnik.conf.j2
+++ b/roles/wireguard/templates/wireguard/sputnik.conf.j2
@@ -9,20 +9,20 @@ PostUp = /sbin/ip link set sputnik alias adm
 
 [Peer]
 PublicKey = {{ wireguard.peer_public_key }}
-AllowedIPs = 172.31.0.1/32, fd0c:700:0:8::1/128, 10.231.136.0/24, 2a0c:700:0:2::/64
-Endpoint = 138.231.136.131:51820
+AllowedIPs = 172.31.0.1/32, fd0c:700:0:8::1/128, {{ query('ldap', 'network', 'adm') }}, fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64
+Endpoint = {{ (query('ldap', 'ip', 'boeing', 'srv') | ipv4)[0] }}:51820
 {% else %}
 [Interface]
 Address = 172.31.0.1/30, fd0c:700:0:8::1/64
 ListenPort = 51820
 PrivateKey = {{ wireguard.private_key }}
 
-PostUp =   ifup   {{ wireguard.if }}; iptables -t nat -A PREROUTING -d 10.231.136.21 -j DNAT --to-destination 172.31.0.2; iptables -t nat -A POSTROUTING -j MASQUERADE; ip6tables -t nat -A PREROUTING -d 2a0c:700:0:2:73:70ff:fe75:7402/128 -j DNAT --to-destination fd0c:700:0:8::2; ip6tables -t nat -A POSTROUTING -j MASQUERADE
-PostDown = ifdown {{ wireguard.if }}; iptables -t nat -D PREROUTING -d 10.231.136.21 -j DNAT --to-destination 172.31.0.2; iptables -t nat -D POSTROUTING -j MASQUERADE; ip6tables -t nat -D PREROUTING -d 2a0c:700:0:2:73:70ff:fe75:7402/128 -j DNAT --to-destination fd0c:700:0:8::2; ip6tables -t nat -D POSTROUTING -j MASQUERADE
+# PostUp =   ifup   {{ wireguard.if }}; iptables -t nat -A PREROUTING -d 10.231.136.21 -j DNAT --to-destination 172.31.0.2; iptables -t nat -A POSTROUTING -j MASQUERADE; ip6tables -t nat -A PREROUTING -d 2a0c:700:0:2:73:70ff:fe75:7402/128 -j DNAT --to-destination fd0c:700:0:8::2; ip6tables -t nat -A POSTROUTING -j MASQUERADE
+# PostDown = ifdown {{ wireguard.if }}; iptables -t nat -D PREROUTING -d 10.231.136.21 -j DNAT --to-destination 172.31.0.2; iptables -t nat -D POSTROUTING -j MASQUERADE; ip6tables -t nat -D PREROUTING -d 2a0c:700:0:2:73:70ff:fe75:7402/128 -j DNAT --to-destination fd0c:700:0:8::2; ip6tables -t nat -D POSTROUTING -j MASQUERADE
 
 [Peer]
 PublicKey = {{ wireguard.peer_public_key }}
 AllowedIPs = 172.31.0.2/32, fd0c:700:0:8::2/128
-Endpoint = 46.105.102.188:51820
+Endpoint = {{ (query('ldap', 'ip', 'sputnik', 'srv') | ipv4)[0] }}:51820
 {% endif %}
 
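Review bot: The new AllowedIPs line interpolates `query('ldap', 'network', 'adm')` and `query('ldap', 'vlanid', 'adm')` without indexing, while both new Endpoint lines take `[0]` of the same kind of lookup; Ansible's `query()` always returns a list, so unless the ldap lookup is stringified somewhere not visible here these two values would render as Python list literals (e.g. `['10.231.136.0/24']`) and wg-quick would reject the AllowedIPs entry. Suggest `AllowedIPs = 172.31.0.1/32, fd0c:700:0:8::1/128, {{ query('ldap', 'network', 'adm')[0] }}, fd00:0:0:{{ query('ldap', 'vlanid', 'adm')[0] }}::/64`, consistent with the Endpoint lines. The PostUp/PostDown lines in the Interface branch are commented out rather than removed, with nothing in the commit message or the template saying why the DNAT/MASQUERADE rules are being disabled; either delete them or add a one-line comment above them such as `# NAT rules disabled on purpose: <reason> — left for reference` so the next reader can tell whether this is intentional. The `{% if %}` that the `{% else %}`/`{% endif %}` branches belong to starts before the hunk.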
-- 
GitLab