From 884e6f8d096fcaacf96cb94703886ee177f7d066 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot
Date: Tue, 11 Aug 2020 14:05:24 +0200
Subject: [PATCH 01/16] [dns] handle LDAP zones

---
 lookup_plugins/ldap.py                  | 11 +++++++++++
 lookup_plugins/re2oapi.py               |  8 ++++++++
 plays/dns.yml                           |  4 ++--
 roles/bind-authoritative/tasks/main.yml |  2 +-
 roles/dns/tasks/main.yml                | 12 ++++++++++++
 5 files changed, 34 insertions(+), 3 deletions(-)

diff --git a/lookup_plugins/ldap.py b/lookup_plugins/ldap.py
index 87cee458..1d223ea5 100644
--- a/lookup_plugins/ldap.py
+++ b/lookup_plugins/ldap.py
@@ -87,6 +87,17 @@ class LookupModule(LookupBase):
             result = self.base.result(query_id)
             result = result[1][0][1]
             return [str(ipaddress.ip_network('{}/{}'.format(result['ipNetworkNumber'][0].decode('utf-8'), result['ipNetmaskNumber'][0].decode('utf-8'))))]
+        elif terms[0] == 'zones':
+            query_id = self.base.search(f"ou=networks,{self.base_dn}", ldap.SCOPE_ONELEVEL, "objectClass=ipNetwork")
+            result = self.base.result(query_id)
+            res = []
+            for _, network in result[1]:
+                network = network['cn'][0].decode('utf-8')
+                if network == 'srv':
+                    res.append('crans.org')
+                else:
+                    res.append(f"{network}.crans.org")
+            result = res
         elif terms[0] == 'vlanid':
             network = terms[1]
             query_id = self.base.search(f"cn={network},ou=networks,{self.base_dn}", ldap.SCOPE_BASE, "objectClass=ipNetwork")
diff --git a/lookup_plugins/re2oapi.py b/lookup_plugins/re2oapi.py
index 7202b30a..cfcc2757 100644
--- a/lookup_plugins/re2oapi.py
+++ b/lookup_plugins/re2oapi.py
@@ -638,6 +638,14 @@ class LookupModule(LookupBase):
     def _getreverse(self, api_client):
         display.v("Getting dns reverse zones")
 
+        return [
+            '76.230.185.in-addr.arpa',
+            '77.230.185.in-addr.arpa',
+            '78.230.185.in-addr.arpa',
+            '79.230.185.in-addr.arpa',
+            '0.0.7.0.c.0.a.2.ip6.arpa',
+        ]
+
         zones, res = None, None
         if self._is_cached('dnsreverse'):
diff --git a/plays/dns.yml b/plays/dns.yml
index aa9b0a56..dd5f2a5a 100755
--- a/plays/dns.yml
+++ b/plays/dns.yml
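Review bot: The new `zones` branch turns every `cn` under `ou=networks` into an authoritative zone name, and plays/dns.yml in this same patch merges that list into `bind.zones`, so anyone able to add an `ipNetwork` entry in LDAP now decides which zones the authoritative servers serve; that trust boundary deserves a comment at the top of the branch, e.g. `# every ipNetwork cn becomes a <cn>.crans.org zone served by bind-authoritative; 'srv' maps to the apex`. The `crans.org` suffix and the `srv` special case are hard-coded here while the other branches derive everything from LDAP. Unlike the branch just above it, which returns directly, this one assigns `result = res` and falls through; that only works if the method's common exit returns `result`, and that exit, like the start of the method, is outside the hunk.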
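Review bot: The unconditional `return [...]` inserted at the top of `_getreverse` makes everything after it — the cache check and whatever API call follows — unreachable, and the hard-coded reverse zones silently replace whatever re2o returns. If this is a deliberate temporary override, say so and do not leave dead code behind: `# TODO: reverse zones hard-coded until they are modelled in LDAP; the re2o lookup below is bypassed`, or better, remove the unreachable body in the same commit so the next reader does not assume re2o is still consulted. `_getreverse` continues past the end of the hunk.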
@@ -1,7 +1,7 @@ #!/usr/bin/env ansible-playbook --- # Deploy recursive DNS cache server -- hosts: odlyd.adm.crans.org +- hosts: routeur-sam.adm.crans.org,routeur-daniel.adm.crans.org roles: ["bind-recursive"] # Deploy authoritative DNS server @@ -12,7 +12,7 @@ bind: masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}" slaves: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-slave')[0] }}" - zones: "{{ lookup('re2oapi', 'dnszones') }}" + zones: "{{ (lookup('re2oapi', 'dnszones') + query('ldap', 'zones')) | unique }}" reverse: "{{ lookup('re2oapi', 'dnsreverse') }}" roles: ["bind-authoritative"] diff --git a/roles/bind-authoritative/tasks/main.yml b/roles/bind-authoritative/tasks/main.yml index b5bbb4a8..40fe1963 100644 --- a/roles/bind-authoritative/tasks/main.yml +++ b/roles/bind-authoritative/tasks/main.yml @@ -17,7 +17,7 @@ - name: Is this the master? set_fact: - is_master: "{{ ansible_all_ipv4_addresses | intersect(masters_ipv4) | length > 0 }}" + is_master: "{{ ansible_hostname in query('ldap', 'role', 'dns-primary') }}" cacheable: true - name: Deploy Bind9 configuration diff --git a/roles/dns/tasks/main.yml b/roles/dns/tasks/main.yml index 1c1e16d8..eb3d9958 100644 --- a/roles/dns/tasks/main.yml +++ b/roles/dns/tasks/main.yml @@ -1,4 +1,16 @@ --- +- name: Install dns dependencies + apt: + update_cache: true + install_recommends: false + name: + - python3-iso8601 + - python3-jinja2 + - python3-ldap + register: apt_result + retries: 3 + until: apt_result is succeeded + - name: Create dns directory file: path: /var/local/dns From 2a191b0622e9893ed120e4460498923df1dc6dbb Mon Sep 17 00:00:00 2001 
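Review bot: `is_master` in roles/bind-authoritative/tasks/main.yml now depends on `ansible_hostname in query('ldap', 'role', 'dns-primary')`, which compares the short hostname fact with whatever string form the `role` lookup returns; if that lookup yields FQDNs (its implementation is not shown here), no host will ever be master and every server silently renders the slave branch of named.conf.local with no primary to transfer from. Guard it with an assertion before the task, e.g. `- assert: { that: query('ldap', 'role', 'dns-primary') | length > 0 }`, and comment which name form the LDAP entries carry (or compare against `inventory_hostname` if they are FQDNs). In this commit plays/dns.yml still takes `masters`/`slaves` from re2oapi, so the two sources can disagree about who the primary is.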
From: Benjamin Graillot Date: Sun, 16 Aug 2020 17:03:28 +0200 Subject: [PATCH 02/16] [dhcp][keepalived] Enables dhcp on adh and infra --- group_vars/dhcp.yml | 23 ++++++++++++++++++- group_vars/keepalived.yml | 3 +++ .../templates/dhcp/dhcpd.conf.j2 | 2 ++ .../templates/keepalived/keepalived.conf.j2 | 6 ++--- 4 files changed, 30 insertions(+), 4 deletions(-) diff --git a/group_vars/dhcp.yml b/group_vars/dhcp.yml index f8e16fa9..b4db9d9d 100644 --- a/group_vars/dhcp.yml +++ b/group_vars/dhcp.yml @@ -16,7 +16,28 @@ dhcp: domain_name: "adh-nat.crans.org" domain_search: "adh-nat.crans.org" options: [] - lease_file: "/tmp/dhcp.list" + lease_file: "/tmp/adh-nat-dhcp.list" + - network: "185.230.78.0/24" + deny_unknown: True + vlan: "adh" + default_lease_time: "600" + max_lease_time: "7200" + routers: "185.230.78.99" + dns: ["185.230.78.99"] + domain_name: "adh.crans.org" + domain_search: "adh.crans.org" + options: [] + lease_file: "/tmp/adh-dhcp.list" + - network: "172.16.32.0/22" + deny_unknown: True + vlan: "infra" + default_lease_time: "600" + max_lease_time: "7200" + dns: ["172.16.32.99"] + domain_name: "infra.crans.org" + domain_search: "infra.crans.org" + options: [] + lease_file: "/tmp/infra-dhcp.list" re2o: server: re2o.adm.crans.org diff --git a/group_vars/keepalived.yml b/group_vars/keepalived.yml index 09db9c26..68cea95a 100644 --- a/group_vars/keepalived.yml +++ b/group_vars/keepalived.yml @@ -11,6 +11,9 @@ glob_keepalived: ipv6: no notify: /usr/scripts/notify-dhcp zones: + - vlan: adh + ipv4: 185.230.78.99/24 + brd: true - vlan: adh-nat ipv4: 100.64.0.99/16 brd: true diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 index 427cce50..2a52f3d6 100644 --- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 +++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 
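Review bot: The new `infra` subnet (172.16.32.0/22) in group_vars/dhcp.yml has no `routers` key while `adh` does, and the dhcpd.conf.j2 change in the same patch simply omits `option routers` when the key is absent, so infra clients get no default gateway with no warning from Ansible. If that is intended, record it next to the entry: `# no routers: infra hosts must not receive a default gateway via DHCP`; otherwise add `routers: "172.16.32.99"` to match the DNS address used for that subnet.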
@@ -45,7 +45,9 @@ subnet {{ subnet.network | ipaddr('network') }} netmask {{ subnet.network | ipad {% endif %} option subnet-mask {{ subnet.network | ipaddr('netmask') }}; option broadcast-address {{ subnet.network | ipaddr('broadcast') }}; +{% if subnet.routers is defined %} option routers {{ subnet.routers }}; +{% endif %} option domain-name-servers {{ subnet.dns | join(", ") }}; option domain-name "{{ subnet.domain_name }}"; option domain-search "{{ subnet.domain_search }}"; diff --git a/roles/keepalived/templates/keepalived/keepalived.conf.j2 b/roles/keepalived/templates/keepalived/keepalived.conf.j2 index 97c93c53..f3dbc3cc 100644 --- a/roles/keepalived/templates/keepalived/keepalived.conf.j2 +++ b/roles/keepalived/templates/keepalived/keepalived.conf.j2 @@ -26,11 +26,11 @@ vrrp_instance {{ instance.tag }}4 { virtual_ipaddress { {% for zone in keepalived.pool[instance.name].zones %} - {% if zone.brd %} +{% if zone.brd %} {{ zone.ipv4 }} brd {{ zone.ipv4 | ipaddr('broadcast') }} dev {{ interfaces[zone.vlan] }} scope global - {% else %} +{% else %} {{ zone.ipv4 }} dev {{ interfaces[zone.vlan] }} scope global - {% endif %} +{% endif %} {% endfor %} } } From e7b5f7e6123403e1fb0836783253aa1fa2f719f8 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Wed, 19 Aug 2020 13:47:29 +0200 Subject: [PATCH 03/16] Add monitoring server for newinfra --- hosts | 1 + plays/monitoring.yml | 7 +----- roles/smartd-hp-smartarray/handlers/main.yml | 5 ----- roles/smartd-hp-smartarray/tasks/main.yml | 23 -------------------- 4 files changed, 2 insertions(+), 34 deletions(-) delete mode 100644 roles/smartd-hp-smartarray/handlers/main.yml delete mode 100644 roles/smartd-hp-smartarray/tasks/main.yml diff --git a/hosts b/hosts index 7cd1edd4..0d5280dc 100644 --- a/hosts +++ b/hosts @@ -79,6 +79,7 @@ belenios # on changera plus tard re2o-ldap.adm.crans.org gitlab-ci.adm.crans.org hodaur.adm.crans.org +monitoring.adm.crans.org [ovh_physical] sputnik.adm.crans.org 
diff --git a/plays/monitoring.yml b/plays/monitoring.yml index e5b1cbff..6d90a5bc 100755 --- a/plays/monitoring.yml +++ b/plays/monitoring.yml @@ -1,7 +1,7 @@ #!/usr/bin/env ansible-playbook --- # Deploy Prometheus and Grafana on monitoring server -- hosts: fyre.adm.crans.org +- hosts: monitoring.adm.crans.org vars: # Prometheus targets.json prometheus: @@ -72,11 +72,6 @@ adm_ipv4: "{{ ansible_all_ipv4_addresses | ipaddr(adm_subnet) | first }}" roles: ["prometheus-apache-exporter"] -# Configure HP RAID monitoring -# You can list SCSI drives with `lsscsi -g` -- hosts: fyre.adm.crans.org,gateau.adm.crans.org - roles: ["smartd-hp-smartarray"] - # Monitor mailq with a special text exporter - hosts: redisdead.adm.crans.org roles: ["prometheus-node-exporter-postfix"] diff --git a/roles/smartd-hp-smartarray/handlers/main.yml b/roles/smartd-hp-smartarray/handlers/main.yml deleted file mode 100644 index 98985f1c..00000000 --- a/roles/smartd-hp-smartarray/handlers/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: Restart smartd - service: - name: smartd - state: restarted diff --git a/roles/smartd-hp-smartarray/tasks/main.yml b/roles/smartd-hp-smartarray/tasks/main.yml deleted file mode 100644 index f9ba1ce7..00000000 --- a/roles/smartd-hp-smartarray/tasks/main.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- -- name: Install smartd - apt: - update_cache: true - name: smartmontools - register: apt_result - retries: 3 - until: apt_result is succeeded - -- name: Disable smartd autodiscovery - lineinfile: - path: /etc/smartd.conf - regexp: '(?i)^(DEVICESCAN.*)' - line: '#\1' - backrefs: true - notify: Restart smartd - -- name: Monitor local HP SmartArray - lineinfile: - path: /etc/smartd.conf - regexp: '^/dev/sg0' - line: /dev/sg0 -a -d cciss,0 -m root - notify: Restart smartd From 1a2890936b6fb30ba3ca3b2dcb6fc2925cd9aa07 Mon Sep 17 00:00:00 2001 
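Review bot: Dropping the `smartd-hp-smartarray` play from plays/monitoring.yml removes disk-health monitoring from gateau.adm.crans.org as well as fyre, while the subject only says a monitoring server is added; if gateau is still in service it loses its SmartArray checks with no replacement. Either keep the play for gateau or leave a comment where it stood saying why HP RAID monitoring is no longer needed, e.g. `# HP SmartArray monitoring retired together with fyre/gateau`. The role's files are deleted in the same commit, so reinstating it later means recovering them from history.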
From: Benjamin Graillot Date: Wed, 19 Aug 2020 14:04:18 +0200 Subject: [PATCH 04/16] [openssh] Permit root login --- roles/openssh/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/openssh/tasks/main.yml b/roles/openssh/tasks/main.yml index 575af6bd..398c3264 100644 --- a/roles/openssh/tasks/main.yml +++ b/roles/openssh/tasks/main.yml @@ -2,8 +2,8 @@ - name: Filter SSH on groups lineinfile: dest: /etc/ssh/sshd_config - regexp: ^AllowGroups - line: "AllowGroups {{ ssh_allow_groups }}" + regexp: ^#?PermitRootLogin + line: "PermitRootLogin yes" state: present notify: Restart sshd service From 94ae57f24eb1c91e8dd63989cfbf95b84ecb9940 Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Wed, 19 Aug 2020 14:05:22 +0200 Subject: [PATCH 05/16] [openssh] Apply openssh role at the end of root.yml --- plays/root.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/plays/root.yml b/plays/root.yml index a958296b..6e9cfe3f 100755 --- a/plays/root.yml +++ b/plays/root.yml @@ -46,3 +46,7 @@ roles: - ldap-client - home-nounous + +- hosts: server + roles: + - openssh From 0afa1c67d89eefa4dbf583ae4d3524c86681789b Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Wed, 19 Aug 2020 14:19:22 +0200 Subject: [PATCH 06/16] [openssh] Do not apply openssh on virtualizers --- group_vars/{slapd.yml => ldap_server.yml} | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) rename group_vars/{slapd.yml => ldap_server.yml} (54%) diff --git a/group_vars/slapd.yml b/group_vars/ldap_server.yml similarity index 54% rename from group_vars/slapd.yml rename to group_vars/ldap_server.yml index 19292dcf..8818e0c1 100644 --- a/group_vars/slapd.yml +++ b/group_vars/ldap_server.yml @@ -3,4 +3,5 @@ glob_slapd: master_ip: 172.16.10.1 replication_credentials: "{{ vault_ldap_replication_credentials }}" - + private_key: "{{ vault_ldap_private_key }}" + certificate: "{{ vault_ldap_certificate }}" 
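Review bot: The task in roles/openssh/tasks/main.yml stops managing `AllowGroups` and writes `PermitRootLogin yes` instead, which allows root to log in with a password wherever `PasswordAuthentication` is still enabled and leaves any existing `AllowGroups` line unmanaged; plays/root.yml (patch 05) then applies this role to every host in `server`. Keep the group filter as its own task and make root access key-only: `regexp: ^#?PermitRootLogin` / `line: "PermitRootLogin prohibit-password"`. The task is still named "Filter SSH on groups", which no longer describes what it does, and `ssh_allow_groups` becomes an unused variable.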
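Review bot: The subject "[openssh] Do not apply openssh on virtualizers" does not describe this patch: its only hunk renames group_vars/slapd.yml to ldap_server.yml and adds `private_key`/`certificate` from the vault, while the `server,!virtu` change the subject refers to is in the next patch, "[slapd] Move variables to group_vars". The two subjects appear swapped; fixing them keeps `git log` useful when someone later looks for when root login was restricted to non-virtualizers.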
From b500cc128c6ee9650eeb3846861f25b4be2bc02e Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Wed, 19 Aug 2020 14:21:52 +0200 Subject: [PATCH 07/16] [slapd] Move variables to group_vars --- hosts | 3 +-- plays/root.yml | 4 ++-- roles/slapd/templates/ldap/ldap.key.j2 | 2 +- roles/slapd/templates/ldap/ldap.pem.j2 | 2 +- 4 files changed, 5 insertions(+), 6 deletions(-) diff --git a/hosts b/hosts index 0d5280dc..039f1ec3 100644 --- a/hosts +++ b/hosts @@ -44,7 +44,7 @@ sam.adm.crans.org daniel.adm.crans.org jack.adm.crans.org -[slapd] +[ldap_server] tealc.adm.crans.org sam.adm.crans.org daniel.adm.crans.org @@ -58,7 +58,6 @@ routeur-daniel.adm.crans.org routeur-sam.adm.crans.org routeur-daniel.adm.crans.org - [crans_routeurs:children] dhcp keepalived diff --git a/plays/root.yml b/plays/root.yml index 6e9cfe3f..08e7bc62 100755 --- a/plays/root.yml +++ b/plays/root.yml @@ -31,7 +31,7 @@ - qemu-guest-agent - serial-tty -- hosts: slapd +- hosts: ldap_server vars: slapd: '{{ glob_slapd | combine(loc_slapd | default({})) }}' ldap: @@ -47,6 +47,6 @@ - ldap-client - home-nounous -- hosts: server +- hosts: server,!virtu roles: - openssh diff --git a/roles/slapd/templates/ldap/ldap.key.j2 b/roles/slapd/templates/ldap/ldap.key.j2 index 926db60f..e165a54d 100644 --- a/roles/slapd/templates/ldap/ldap.key.j2 +++ b/roles/slapd/templates/ldap/ldap.key.j2 @@ -1 +1 @@ -{{ ldap.private_key }} +{{ slapd.private_key }} diff --git a/roles/slapd/templates/ldap/ldap.pem.j2 b/roles/slapd/templates/ldap/ldap.pem.j2 index ed4f7a5c..cabc323d 100644 --- a/roles/slapd/templates/ldap/ldap.pem.j2 +++ b/roles/slapd/templates/ldap/ldap.pem.j2 @@ -1 +1 @@ -{{ ldap.certificate }} +{{ slapd.certificate }} From 83d52d6c85cff8dd91d3ed6c6afd5947c5ded851 Mon Sep 17 00:00:00 2001 
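Review bot: ldap.key.j2 and ldap.pem.j2 now read `slapd.private_key` and `slapd.certificate`, but the `ldap:` vars block in plays/root.yml (its body is outside the hunk) may still carry the old `private_key`/`certificate` entries; if it does, those are now dead and should be removed so the key material has a single source. Since the key template is rendered from a vault value, it is also worth confirming that the task writing ldap.key sets an owner-only mode (that task is not in this patch) and adding `# rendered from vault_ldap_private_key; deployed 0600` above the template line in group_vars so the dependency is visible.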
From: Benjamin Graillot Date: Wed, 19 Aug 2020 16:05:50 +0200 Subject: [PATCH 08/16] [firewall] Deploy firewall on gulp --- host_vars/gulp.adm.crans.org.yml | 3 +++ host_vars/routeur-daniel.adm.crans.org.yml | 2 ++ host_vars/routeur-sam.adm.crans.org.yml | 2 ++ hosts | 1 + plays/firewall.yml | 4 ++-- roles/firewall/tasks/main.yml | 1 + 6 files changed, 11 insertions(+), 2 deletions(-) diff --git a/host_vars/gulp.adm.crans.org.yml b/host_vars/gulp.adm.crans.org.yml index 6289c701..cc5c83dd 100644 --- a/host_vars/gulp.adm.crans.org.yml +++ b/host_vars/gulp.adm.crans.org.yml @@ -7,6 +7,9 @@ interfaces: wifi_new: ens1f0.22 zayo: ens1f0.26 +firewall: + version: gulp + loc_keepalived: instances: - name: router diff --git a/host_vars/routeur-daniel.adm.crans.org.yml b/host_vars/routeur-daniel.adm.crans.org.yml index 284bf31a..c3d4db4a 100644 --- a/host_vars/routeur-daniel.adm.crans.org.yml +++ b/host_vars/routeur-daniel.adm.crans.org.yml @@ -7,6 +7,8 @@ interfaces: adh: ens22 adh_nat: ens23 +firewall: + version: HEAD loc_keepalived: instances: diff --git a/host_vars/routeur-sam.adm.crans.org.yml b/host_vars/routeur-sam.adm.crans.org.yml index 9c76a958..ea5639d5 100644 --- a/host_vars/routeur-sam.adm.crans.org.yml +++ b/host_vars/routeur-sam.adm.crans.org.yml @@ -8,6 +8,8 @@ interfaces: adh_nat: ens23 srv_old: ens1 +firewall: + version: HEAD loc_keepalived: instances: diff --git a/hosts b/hosts index 0d5280dc..a4c03b0c 100644 --- a/hosts +++ b/hosts @@ -69,6 +69,7 @@ tealc.adm.crans.org sam.adm.crans.org daniel.adm.crans.org jack.adm.crans.org +gulp.adm.crans.org [crans_vm] voyager.adm.crans.org diff --git a/plays/firewall.yml b/plays/firewall.yml index 720c2f97..75a2f071 100755 --- a/plays/firewall.yml +++ b/plays/firewall.yml @@ -10,7 +10,7 @@ - arp-proxy # Deploy firewall -- hosts: crans_routeurs +- hosts: crans_routeurs,gulp.adm.crans.org vars: re2o: server: re2o.adm.crans.org 
@@ -20,7 +20,7 @@ - firewall # Deploy BGP server configuration on IPv4 routers -- hosts: crans_routeurs +- hosts: crans_routeurs,gulp.adm.crans.org vars: zebra: password: "{{ vault_zebra_password }}" diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml index b5801290..1d4879ec 100644 --- a/roles/firewall/tasks/main.yml +++ b/roles/firewall/tasks/main.yml @@ -31,6 +31,7 @@ - name: Clone firewall repository git: repo: 'http://gitlab.adm.crans.org/nounous/firewall.git' + version: "{{ firewall.version }}" dest: /var/local/firewall umask: '002' From b76d538ad684edadaf479189dc590386c46055a2 Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Wed, 19 Aug 2020 17:49:07 +0200 Subject: [PATCH 09/16] [nftables] Install and enable nftables on routers --- plays/firewall.yml | 5 +++-- roles/nftables/tasks/main.yml | 15 +++++++++++++++ 2 files changed, 18 insertions(+), 2 deletions(-) create mode 100644 roles/nftables/tasks/main.yml diff --git a/plays/firewall.yml b/plays/firewall.yml index 75a2f071..c2976feb 100755 --- a/plays/firewall.yml +++ b/plays/firewall.yml @@ -4,13 +4,14 @@ - hosts: crans_routeurs roles: - sysctl-forwarding + - nftables - hosts: routeur-sam.adm.crans.org roles: - arp-proxy # Deploy firewall -- hosts: crans_routeurs,gulp.adm.crans.org +- hosts: crans_routeurs vars: re2o: server: re2o.adm.crans.org @@ -20,7 +21,7 @@ - firewall # Deploy BGP server configuration on IPv4 routers -- hosts: crans_routeurs,gulp.adm.crans.org +- hosts: crans_routeurs vars: zebra: password: "{{ vault_zebra_password }}" diff --git a/roles/nftables/tasks/main.yml b/roles/nftables/tasks/main.yml new file mode 100644 index 00000000..8a5506a5 --- /dev/null +++ b/roles/nftables/tasks/main.yml 
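Review bot: `version: "{{ firewall.version }}"` in roles/firewall/tasks/main.yml is `HEAD` for both routers, which is git's default and so pins nothing, while gulp checks out a branch named `gulp`; a moving branch on a firewall host means a deploy run can silently pick up whatever was last pushed. Pin the routers to a tag or commit and say in host_vars what the `gulp` branch is for, e.g. `version: HEAD  # TODO pin to a tag; gulp tracks its own branch`. The repository is also cloned over plain `http://` (context line), so nothing verifies what lands in /var/local/firewall; `https://` or an ssh URL plus a pinned ref gives both transport and content integrity.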
@@ -0,0 +1,15 @@ +--- +- name: Install nftables + apt: + name: nftables + state: present + update_cache: true + register: apt_result + retries: 3 + until: apt_result is succeeded + +- name: Enable and start nftables + systemd: + name: nftables + enabled: true + state: started From fb08fbf7c98047bce1167fdfca6afc1d7ffa731e Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Wed, 19 Aug 2020 19:02:00 +0200 Subject: [PATCH 10/16] [radvd] Install radvd on routers --- plays/firewall.yml | 18 ++++++++++++++++++ roles/radvd/handlers/main.yml | 5 +++++ roles/radvd/tasks/main.yml | 18 ++++++++++++++++++ roles/radvd/templates/radvd.conf.j2 | 19 +++++++++++++++++++ 4 files changed, 60 insertions(+) create mode 100644 roles/radvd/handlers/main.yml create mode 100644 roles/radvd/tasks/main.yml create mode 100644 roles/radvd/templates/radvd.conf.j2 diff --git a/plays/firewall.yml b/plays/firewall.yml index c2976feb..24e1ff68 100755 --- a/plays/firewall.yml +++ b/plays/firewall.yml @@ -10,6 +10,24 @@ roles: - arp-proxy +- hosts: crans_routeurs + vars: + subnets: + - name: infra + prefix: fd00:0:0:11::/64 + dns: + - fd00::11:0:ff:fe00:9911 + - name: adh + prefix: 2a0c:700:12::/64 + dns: + - 2a0c:700:12::ff:fe00:9912 + - name: adh_nat + prefix: 2a0c:700:13::/64 + dns: + - 2a0c:700:13::ff:fe00:9913 + roles: + - radvd + # Deploy firewall - hosts: crans_routeurs vars: diff --git a/roles/radvd/handlers/main.yml b/roles/radvd/handlers/main.yml new file mode 100644 index 00000000..39552d74 --- /dev/null +++ b/roles/radvd/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Restart radvd service + service: + name: radvd + state: restarted diff --git a/roles/radvd/tasks/main.yml b/roles/radvd/tasks/main.yml new file mode 100644 index 00000000..65715038 --- /dev/null +++ b/roles/radvd/tasks/main.yml 
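Review bot: The new role enables and starts `nftables.service` on `crans_routeurs` without deploying a ruleset, so the unit loads the distribution's stock /etc/nftables.conf; on Debian that file begins with `flush ruleset`, so depending on ordering it either wipes the rules loaded by the `firewall` role or leaves an accept-all table in place until that script runs. Either template /etc/nftables.conf with the intended rules (or an include of what the firewall repo generates), or state the ordering contract in a comment: `# nftables.service only provides the netfilter backend; rules are loaded by roles/firewall`. This patch also removes gulp from the firewall and BGP plays again, which the subject does not mention.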
@@ -0,0 +1,18 @@ +--- +- name: Install radvd + apt: + name: radvd + state: present + update_cache: true + register: apt_result + retries: 3 + until: apt_result is succeeded + +- name: Deploy radvd configuration + template: + src: radvd.conf.j2 + dest: /etc/radvd.conf + mode: 0644 + owner: root + group: root + notify: Restart radvd service diff --git a/roles/radvd/templates/radvd.conf.j2 b/roles/radvd/templates/radvd.conf.j2 new file mode 100644 index 00000000..a13cef0b --- /dev/null +++ b/roles/radvd/templates/radvd.conf.j2 @@ -0,0 +1,19 @@ +{% for subnet in subnets %} +interface {{ interfaces[subnet.name] }} { + AdvSendAdvert on; + AdvDefaultPreference high; + MaxRtrAdvInterval 30; + + prefix {{ subnet.prefix }} { + AdvRouterAddr on; + }; + + # La zone DNS + DNSSL {{ subnet.name | replace('_', '-') }}.crans.org {}; + + # Les DNS récursifs +{% for dns in subnet.dns %} + RDNSS {{ dns }} {}; +{% endfor %} +}; +{% endfor %} From 589c7d7ac7971c0c1d8447c079d51fe2ffc9b79f Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Thu, 20 Aug 2020 02:46:32 +0200 Subject: [PATCH 11/16] [quagga] Working config for IPv4 and IPv6 --- roles/quagga/templates/quagga/bgpd.conf.j2 | 10 +++++----- roles/quagga/templates/quagga/zebra.conf.j2 | 3 --- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/roles/quagga/templates/quagga/bgpd.conf.j2 b/roles/quagga/templates/quagga/bgpd.conf.j2 index cde7878b..2f5117a0 100644 --- a/roles/quagga/templates/quagga/bgpd.conf.j2 +++ b/roles/quagga/templates/quagga/bgpd.conf.j2 
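Review bot: radvd.conf.j2 is rendered on every host in `crans_routeurs` with `AdvSendAdvert on`, `AdvRouterAddr on` and `AdvDefaultPreference high` for each subnet, so both routers announce themselves as high-preference default gateways at the same time, independent of which one holds the VRRP address in keepalived. If only the active router should be the IPv6 gateway, tie radvd to the VRRP state (start and stop it from the keepalived notify script) or advertise the VRRP address rather than each router's own; either way a comment at the top of the template should say which model is intended, e.g. `{# both routers advertise; failover is handled by … #}`.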
@@ -5,12 +5,12 @@ router bgp {{ bgp.as }} bgp router-id {{ bgp.router_id_v4 }} network {{ bgp.network_v4 }} neighbor {{ bgp.neighbor_v4 }} remote-as {{ bgp.remote_as }} -! -router bgp {{ bgp.as }} - no synchronization - bgp router-id {{ bgp.router_id_v6 }} - network {{ bgp.network_v6 }} neighbor {{ bgp.neighbor_v6 }} remote-as {{ bgp.remote_as }} +! + address-family ipv6 + network {{ bgp.network_v6 }} + neighbor {{ bgp.neighbor_v6 }} activate + exit-address-family ! log file /var/log/quagga/bgpd.log log stdout diff --git a/roles/quagga/templates/quagga/zebra.conf.j2 b/roles/quagga/templates/quagga/zebra.conf.j2 index 1f3a31ca..c97c4bb5 100644 --- a/roles/quagga/templates/quagga/zebra.conf.j2 +++ b/roles/quagga/templates/quagga/zebra.conf.j2 @@ -8,7 +8,4 @@ log file /var/log/quagga/zebra.log interface lo -!Table Zayo -table 26 - line vty From 212433f736581a552762ad4ce5a1c39a55bffeb6 Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Thu, 20 Aug 2020 18:24:29 +0200 Subject: [PATCH 12/16] [keepalived] Add IPv6 --- group_vars/keepalived.yml | 9 ++++++--- roles/keepalived/templates/keepalived/keepalived.conf.j2 | 2 +- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/group_vars/keepalived.yml b/group_vars/keepalived.yml index 68cea95a..2b4fbd40 100644 --- a/group_vars/keepalived.yml +++ b/group_vars/keepalived.yml @@ -8,20 +8,23 @@ glob_keepalived: dhcp: password: "plopisverysecure" id: 60 - ipv6: no + ipv6: yes notify: /usr/scripts/notify-dhcp zones: - vlan: adh ipv4: 185.230.78.99/24 brd: true - - vlan: adh-nat + ipv6: 2a0c:700:12::ff:fe00:9912/48 + - vlan: adh_nat ipv4: 100.64.0.99/16 brd: true + ipv6: 2a0c:700:13::ff:fe00:9913/48 radius: password: 'plopisverysecure' id: 61 - ipv6: no + ipv6: yes zones: - vlan: infra ipv4: 172.16.32.99/22 brd: true + ipv6: fd00::11:0:ff:fe00:9911/64 diff --git a/roles/keepalived/templates/keepalived/keepalived.conf.j2 b/roles/keepalived/templates/keepalived/keepalived.conf.j2 index f3dbc3cc..ee797434 100644 
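Review bot: The IPv6 neighbor is now activated under `address-family ipv6` with `network {{ bgp.network_v6 }}`, but nothing in the hunk filters what is accepted from or announced to `{{ bgp.neighbor_v6 }}` (no `prefix-list`/`route-map`, no `maximum-prefix`); those may exist elsewhere in the template, and if they do not, the router takes whatever the upstream sends. Add `neighbor {{ bgp.neighbor_v6 }} prefix-list <name> in` and a `maximum-prefix` under the address family, mirroring whatever the IPv4 section does, and say so in a comment. The zebra.conf.j2 hunk in the same patch silently drops `table 26`, which the subject ("Working config") does not explain.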
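Review bot: The IPv6 VIPs added in group_vars/keepalived.yml carry a /48 prefix length (`2a0c:700:12::ff:fe00:9912/48`, `2a0c:700:13::ff:fe00:9913/48`) while the radvd subnets for the same VLANs in plays/firewall.yml (patch 10) advertise /64 (`2a0c:700:12::/64`, `2a0c:700:13::/64`) and the infra VIP here uses /64; named.conf.acl.j2 in patch 15 hard-codes /48 for the same prefixes again. The on-link prefix keepalived configures on the router therefore differs from what clients are told. Pick one length per VLAN, presumably /64 to match radvd, and either derive it from a single variable or add a comment in each file pointing at the other.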
--- a/roles/keepalived/templates/keepalived/keepalived.conf.j2 +++ b/roles/keepalived/templates/keepalived/keepalived.conf.j2 @@ -41,7 +41,7 @@ vrrp_instance {{ instance.tag }}6 { priority {{ instance.priority }} smtp_alert - interface {{ keepalived.pool[instance.name].administration }} + interface {{ interfaces.adm }} virtual_router_id {{ keepalived.pool[instance.name].id }} advert_int 2 authentication { From 53d457afd7604d1af559ada26df7e092ed0b8d29 Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Sat, 22 Aug 2020 09:21:10 +0200 Subject: [PATCH 13/16] [bind-authoritative] Query LDAP for IPs --- plays/dns.yml | 10 +++--- roles/bind-authoritative/tasks/main.yml | 8 ----- .../templates/bind/named.conf.local.j2 | 34 ++++++++----------- .../templates/bind/named.conf.options.j2 | 10 +++--- 4 files changed, 24 insertions(+), 38 deletions(-) diff --git a/plays/dns.yml b/plays/dns.yml index dd5f2a5a..b261acaa 100755 --- a/plays/dns.yml +++ b/plays/dns.yml @@ -2,7 +2,8 @@ --- # Deploy recursive DNS cache server - hosts: routeur-sam.adm.crans.org,routeur-daniel.adm.crans.org - roles: ["bind-recursive"] + roles: + - bind-recursive # Deploy authoritative DNS server - hosts: silice.adm.crans.org,sputnik.adm.crans.org,boeing.adm.crans.org @@ -10,11 +11,12 @@ certbot_dns_secret: "{{ vault_certbot_dns_secret }}" certbot_adm_dns_secret: "{{ vault_certbot_adm_dns_secret }}" bind: - masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}" - slaves: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-slave')[0] }}" + masters: "{{ query('ldap', 'role', 'dns-primary') }}" + slaves: "{{ query('ldap', 'role', 'dns-secondary') }}" zones: "{{ (lookup('re2oapi', 'dnszones') + query('ldap', 'zones')) | unique }}" reverse: "{{ lookup('re2oapi', 'dnsreverse') }}" - roles: ["bind-authoritative"] + roles: + - bind-authoritative - hosts: silice.adm.crans.org vars: 
diff --git a/roles/bind-authoritative/tasks/main.yml b/roles/bind-authoritative/tasks/main.yml index 40fe1963..1191b44c 100644 --- a/roles/bind-authoritative/tasks/main.yml +++ b/roles/bind-authoritative/tasks/main.yml @@ -7,14 +7,6 @@ retries: 3 until: apt_result is succeeded -- name: Lookup DNS servers - set_fact: - masters_ipv4: "{{ bind.masters | json_query('servers[].interface[?vlan_id==`2`].ipv4[]') }}" - masters_ipv6: "{{ bind.masters | json_query('servers[].interface[?vlan_id==`2`].ipv6[][].ipv6') }}" - slaves_ipv4: "{{ bind.slaves | json_query('servers[].interface[?vlan_id==`2`].ipv4[]') }}" - slaves_ipv6: "{{ bind.slaves | json_query('servers[].interface[?vlan_id==`2`].ipv6[][].ipv6') }}" - cacheable: true - - name: Is this the master? set_fact: is_master: "{{ ansible_hostname in query('ldap', 'role', 'dns-primary') }}" diff --git a/roles/bind-authoritative/templates/bind/named.conf.local.j2 b/roles/bind-authoritative/templates/bind/named.conf.local.j2 index 9d76d8e8..ab367594 100644 --- a/roles/bind-authoritative/templates/bind/named.conf.local.j2 +++ b/roles/bind-authoritative/templates/bind/named.conf.local.j2 @@ -27,11 +27,10 @@ zone "_acme-challenge.crans.org" { {% else %} type slave; masters { -{% for ip in masters_ipv4 %} +{% for host in bind.masters %} +{% for ip in query('ldap', 'ip', host, 'adm') %} {{ ip }}; {% endfor -%} -{% for ip in masters_ipv6 %} - {{ ip }}; {% endfor %} }; notify no; @@ -50,11 +49,10 @@ zone "_acme-challenge.adm.crans.org" { {% else %} type slave; masters { -{% for ip in masters_ipv4 %} +{% for host in bind.masters %} +{% for ip in query('ldap', 'ip', host, 'adm') %} {{ ip }}; {% endfor -%} -{% for ip in masters_ipv6 %} - {{ ip }}; {% endfor %} }; notify no; 
@@ -72,11 +70,10 @@ zone "_acme-challenge.crans.fr" { {% else %} type slave; masters { -{% for ip in masters_ipv4 %} +{% for host in bind.masters %} +{% for ip in query('ldap', 'ip', host, 'adm') %} {{ ip }}; {% endfor -%} -{% for ip in masters_ipv6 %} - {{ ip }}; {% endfor %} }; notify no; @@ -94,11 +91,10 @@ zone "_acme-challenge.crans.eu" { {% else %} type slave; masters { -{% for ip in masters_ipv4 %} +{% for host in bind.masters %} +{% for ip in query('ldap', 'ip', host, 'adm') %} {{ ip }}; {% endfor -%} -{% for ip in masters_ipv6 %} - {{ ip }}; {% endfor %} }; notify no; @@ -118,11 +114,10 @@ zone "{{ zone }}" { type slave; file "bak.{{ zone }}"; masters { -{% for ip in masters_ipv4 %} - {{ ip }}; -{% endfor %} -{% for ip in masters_ipv6 %} +{% for host in bind.masters %} +{% for ip in query('ldap', 'ip', host, 'adm') %} {{ ip }}; +{% endfor -%} {% endfor %} }; notify no; @@ -143,11 +138,10 @@ zone "{{ zone }}" { type slave; file "bak.{{ zone }}"; masters { -{% for ip in masters_ipv4 %} - {{ ip }}; -{% endfor %} -{% for ip in masters_ipv6 %} +{% for host in bind.masters %} +{% for ip in query('ldap', 'ip', host, 'adm') %} {{ ip }}; +{% endfor -%} {% endfor %} }; notify no; diff --git a/roles/bind-authoritative/templates/bind/named.conf.options.j2 b/roles/bind-authoritative/templates/bind/named.conf.options.j2 index 90f9eddb..f76d7e20 100644 --- a/roles/bind-authoritative/templates/bind/named.conf.options.j2 +++ b/roles/bind-authoritative/templates/bind/named.conf.options.j2 @@ -32,20 +32,18 @@ options { {% if is_master %} allow-transfer { -{% for ip in slaves_ipv4 %} +{% for host in bind.slaves %} +{% for ip in query('ldap', 'ip', host, 'adm') %} {{ ip }}; {% endfor %} -{% for ip in slaves_ipv6 %} - {{ ip }}; {% endfor %} }; also-notify { -{% for ip in slaves_ipv4 %} +{% for host in bind.slaves %} +{% for ip in query('ldap', 'ip', host, 'adm') %} {{ ip }}; {% endfor %} -{% for ip in slaves_ipv6 %} - {{ ip }}; {% endfor %} }; {% else %} 
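Review bot: The same nested `{% for host in bind.masters %}{% for ip in query('ldap', 'ip', host, 'adm') %}` block is repeated six times in named.conf.local.j2 and twice more (with `bind.slaves`) in named.conf.options.j2, with the `endfor -%}` whitespace control differing between copies; a Jinja macro defined once per template (`{% macro adm_ips(hosts) %}`) would keep them in step. Since `allow-transfer` and `also-notify` now contain whatever LDAP reports as the secondaries' adm addresses, editing a host entry in LDAP directly changes who may AXFR the zones; a one-line comment above `allow-transfer` recording that dependency would help whoever audits it. An empty lookup result renders `allow-transfer { };`, which should act as deny-all, so secondaries would stop transferring without any error from Ansible.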
From b1bb0b68e50b6128b42772f974d9db16593c3388 Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Sat, 22 Aug 2020 15:06:19 +0200 Subject: [PATCH 14/16] [logall] Sort and rotate routing logs --- plays/firewall.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/plays/firewall.yml b/plays/firewall.yml index 24e1ff68..3506856d 100755 --- a/plays/firewall.yml +++ b/plays/firewall.yml @@ -4,6 +4,7 @@ - hosts: crans_routeurs roles: - sysctl-forwarding + - logall - nftables - hosts: routeur-sam.adm.crans.org From 9ad954a0c35b3a179de82f3aa7a06c5738f0cb4b Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Sun, 23 Aug 2020 11:41:39 +0200 Subject: [PATCH 15/16] [bind-recursive] Deploy configuration --- lookup_plugins/ldap.py | 4 +-- roles/bind-recursive/handlers/main.yml | 5 +++ roles/bind-recursive/tasks/main.yml | 14 ++++++++ .../bind-recursive/templates/bind/db.infra.j2 | 24 +++++++++++++ .../templates/bind/named.conf.acl.j2 | 31 +++++++++++++++++ .../bind/named.conf.default-zones.j2 | 34 +++++++++++++++++++ .../templates/bind/named.conf.j2 | 14 ++++++++ .../templates/bind/named.conf.local.j2 | 15 ++++++++ .../templates/bind/named.conf.options.j2 | 26 ++++++++++++++ 9 files changed, 165 insertions(+), 2 deletions(-) create mode 100644 roles/bind-recursive/handlers/main.yml create mode 100644 roles/bind-recursive/templates/bind/db.infra.j2 create mode 100644 roles/bind-recursive/templates/bind/named.conf.acl.j2 create mode 100644 roles/bind-recursive/templates/bind/named.conf.default-zones.j2 create mode 100644 roles/bind-recursive/templates/bind/named.conf.j2 create mode 100644 roles/bind-recursive/templates/bind/named.conf.local.j2 create mode 100644 roles/bind-recursive/templates/bind/named.conf.options.j2 diff --git a/lookup_plugins/ldap.py b/lookup_plugins/ldap.py index 05a5493d..3174e79e 100644 --- a/lookup_plugins/ldap.py +++ b/lookup_plugins/ldap.py 
@@ -98,12 +98,12 @@ class LookupModule(LookupBase): result = self.base.result(query_id) result = result[1][0][1] result = [res.decode('utf-8') for res in result[attr]] - elif terms[0] == 'networks': + elif terms[0] == 'network': network = terms[1] query_id = self.base.search(f"cn={network},ou=networks,{self.base_dn}", ldap.SCOPE_BASE, "objectClass=ipNetwork") result = self.base.result(query_id) result = result[1][0][1] - return [str(ipaddress.ip_network('{}/{}'.format(result['ipNetworkNumber'][0].decode('utf-8'), result['ipNetmaskNumber'][0].decode('utf-8'))))] + return str(ipaddress.ip_network('{}/{}'.format(result['ipNetworkNumber'][0].decode('utf-8'), result['ipNetmaskNumber'][0].decode('utf-8')))) elif terms[0] == 'zones': query_id = self.base.search(f"ou=networks,{self.base_dn}", ldap.SCOPE_ONELEVEL, "objectClass=ipNetwork") result = self.base.result(query_id) diff --git a/roles/bind-recursive/handlers/main.yml b/roles/bind-recursive/handlers/main.yml new file mode 100644 index 00000000..c6741672 --- /dev/null +++ b/roles/bind-recursive/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Reload bind9 + systemd: + name: bind9 + state: reloaded diff --git a/roles/bind-recursive/tasks/main.yml b/roles/bind-recursive/tasks/main.yml index 0c962a8b..e45f12c2 100644 --- a/roles/bind-recursive/tasks/main.yml +++ b/roles/bind-recursive/tasks/main.yml @@ -6,3 +6,17 @@ register: apt_result retries: 3 until: apt_result is succeeded + +- name: Deploy Bind9 configuration + template: + src: bind/{{ item }}.j2 + dest: /etc/bind/{{ item }} + mode: 0644 + loop: + - named.conf + - named.conf.acl + # - named.conf.options + - named.conf.local + - named.conf.default-zones + - db.infra + notify: Reload bind9 diff --git a/roles/bind-recursive/templates/bind/db.infra.j2 b/roles/bind-recursive/templates/bind/db.infra.j2 new file mode 100644 index 00000000..2e926ac6 --- /dev/null +++ b/roles/bind-recursive/templates/bind/db.infra.j2 
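Review bot: The `network` branch now does `return str(...)` while every other branch of the method returns a list; Ansible lookup plugins are expected to return a list, and with plain `lookup()` (no wantlist) Ansible joins the result with commas, which on a bare string joins its characters. The intended effect — rendering `{{ query('ldap', 'network', 'srv') }}` as a bare CIDR in named.conf.acl.j2 — is better obtained by keeping `return [str(...)]` and using `query(...)[0]` or `lookup('ldap', 'network', 'srv')` in the template. Renaming the term from `networks` to `network` also breaks any caller still using the old spelling; a `# terms: ('network', <cn>) -> [cidr]` comment on the branch would document the contract. The enclosing `run()` starts and ends outside the hunk.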
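Review bot: `# - named.conf.options` is commented out of the deploy loop in roles/bind-recursive/tasks/main.yml, so the templated options (with `dnssec-validation auto` and `listen-on-v6`) are never installed and the resolver runs with whatever /etc/bind/named.conf.options the package left, even though named.conf.j2 still includes that path. If the stock file is deliberately kept, say why in the comment (`# named.conf.options: Debian default kept until forwarders are decided`); otherwise restore the entry. The handler only reloads bind9, so a broken template takes the resolver down instead of being rejected; running `named-checkconf` before notifying the reload would catch that.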
@@ -0,0 +1,24 @@ +{{ ansible_header | comment(decoration='; ') }} + +$TTL 0 + +@ IN SOA silice.crans.org root.crans.org ( + 0 ; serial + 3600 ; refresh (1hr) + 1800 ; retry (30mn) + 604800 ; expire (7dy) + 0 ; TTL (0s) + ) + +@ IN NS passerelle.infra.crans.org +passerelle.infra.crans.org IN A {{ (query('ldap', 'ip', 'passerelle', 'infra') | ipv4)[0] }} + +* IN CNAME crans.org +*.org IN CNAME crans.org +*.fr IN CNAME crans.org +*.com IN CNAME crans.org + +intranet.crans.org IN A 172.16.32.156 ; (query('ldap', 'ip', 'intranet', 'infra') | ipv4)[0] +intranet.infra.crans.org IN A 172.16.32.156 + +unifi.infra.crans.org IN A {{ (query('ldap', 'ip', 'unifi', 'infra') | ipv4)[0] }} diff --git a/roles/bind-recursive/templates/bind/named.conf.acl.j2 b/roles/bind-recursive/templates/bind/named.conf.acl.j2 new file mode 100644 index 00000000..25f1ec43 --- /dev/null +++ b/roles/bind-recursive/templates/bind/named.conf.acl.j2 @@ -0,0 +1,31 @@ +{{ ansible_header | comment(decoration='// ') }} + +acl "srv" { + {{ query('ldap', 'network', 'srv') }}; + 2a0c:700:{{ query('ldap', 'vlanid', 'srv') }}::/48; +}; + +acl "srv-nat" { + {{ query('ldap', 'network', 'srv-nat') }}; + 2a0c:700:{{ query('ldap', 'vlanid', 'srv-nat') }}::/48; +}; + +acl "adm" { + {{ query('ldap', 'network', 'adm') }}; + fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64; +}; + +acl "infra" { + {{ query('ldap', 'network', 'infra') }}; + fd00:0:0:{{ query('ldap', 'vlanid', 'infra') }}::/64; +}; + +acl "adh" { + {{ query('ldap', 'network', 'adh') }}; + 2a0c:700:{{ query('ldap', 'vlanid', 'adh') }}::/48; +}; + +acl "adh-nat" { + {{ query('ldap', 'network', 'adh-nat') }}; + 2a0c:700:{{ query('ldap', 'vlanid', 'adh-nat') }}::/48; +}; diff --git a/roles/bind-recursive/templates/bind/named.conf.default-zones.j2 b/roles/bind-recursive/templates/bind/named.conf.default-zones.j2 new file mode 100644 index 00000000..6a919236 --- /dev/null +++ b/roles/bind-recursive/templates/bind/named.conf.default-zones.j2 
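Review bot: `intranet.crans.org IN A 172.16.32.156` in db.infra.j2 is hard-coded with the LDAP lookup left in a trailing `;` comment, while the `passerelle` and `unifi` records in the same file take their address from `query('ldap', 'ip', …)`; if the intranet host moves, this record silently goes stale. Either use the same lookup, `{{ (query('ldap', 'ip', 'intranet', 'infra') | ipv4)[0] }}`, or state why the address is pinned. Together with `$TTL 0` and the `*` wildcard CNAMEs, this zone answers every name for the infra view, presumably a captive-portal style setup; a header comment saying so would keep the next reader from treating it as a misconfiguration.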
@@ -0,0 +1,34 @@
+{{ ansible_header | comment(decoration='// ') }}
+
+view "default" {
+ match-clients { any; };
+
+ // prime the server with knowledge of the root servers
+ zone "." {
+ type hint;
+ file "/usr/share/dns/root.hints";
+ };
+
+ // be authoritative for the localhost forward and reverse zones, and for
+ // broadcast zones as per RFC 1912
+
+ zone "localhost" {
+ type master;
+ file "/etc/bind/db.local";
+ };
+
+ zone "127.in-addr.arpa" {
+ type master;
+ file "/etc/bind/db.127";
+ };
+
+ zone "0.in-addr.arpa" {
+ type master;
+ file "/etc/bind/db.0";
+ };
+
+ zone "255.in-addr.arpa" {
+ type master;
+ file "/etc/bind/db.255";
+ };
+};
diff --git a/roles/bind-recursive/templates/bind/named.conf.j2 b/roles/bind-recursive/templates/bind/named.conf.j2
new file mode 100644
index 00000000..5edbf974
--- /dev/null
+++ b/roles/bind-recursive/templates/bind/named.conf.j2
@@ -0,0 +1,14 @@
+{{ ansible_header | comment(decoration='// ') }}
+
+// This is the primary configuration file for the BIND DNS server named.
+//
+// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
+// structure of BIND configuration files in Debian, *BEFORE* you customize
+// this configuration file.
+//
+// If you are just adding zones, please do that in /etc/bind/named.conf.local
+
+include "/etc/bind/named.conf.acl";
+include "/etc/bind/named.conf.options";
+include "/etc/bind/named.conf.local";
+include "/etc/bind/named.conf.default-zones";
diff --git a/roles/bind-recursive/templates/bind/named.conf.local.j2 b/roles/bind-recursive/templates/bind/named.conf.local.j2
new file mode 100644
index 00000000..101fade7
--- /dev/null
+++ b/roles/bind-recursive/templates/bind/named.conf.local.j2
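Review bot: `view "default"` matches `any` client but sets no `allow-recursion`, so who may recurse through this resolver is left to BIND's built-in default (`localnets; localhost;`) and to whatever `named.conf.options` happens to be on disk, and on a host with a public-facing interface `localnets` can be wider than intended. The ACLs defined in `named.conf.acl.j2` exist for exactly this purpose; an explicit `allow-recursion { localhost; <internal ACLs>; };` (placeholder for the ACL names you intend) directly under `match-clients { any; };` makes the policy visible in the view instead of inherited. A `recursion yes;` line would likewise document that this is the recursive view, mirroring the `recursion no;` in the infra view.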
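Review bot: The order of the last two `include` lines is load-bearing and undocumented: BIND assigns a client to the first view whose `match-clients` matches, and `named.conf.local` (the `infra` view) is included before `named.conf.default-zones` (the `default` view matching `any`), so swapping them would silently send infra clients to the default view. A comment above the includes, e.g. `// view order matters: named.conf.local (infra view) must precede the catch-all default view`, would protect that invariant.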
@@ -0,0 +1,15 @@
+{{ ansible_header | comment(decoration='// ') }}
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+
+view "infra" {
+ match-clients { infra; };
+ recursion no;
+
+ zone "." {
+ type master;
+ file "/etc/bind/db.infra";
+ };
+};
diff --git a/roles/bind-recursive/templates/bind/named.conf.options.j2 b/roles/bind-recursive/templates/bind/named.conf.options.j2
new file mode 100644
index 00000000..93497100
--- /dev/null
+++ b/roles/bind-recursive/templates/bind/named.conf.options.j2
@@ -0,0 +1,26 @@
+{{ ansible_header | comment(decoration='// ') }}
+
+options {
+ directory "/var/cache/bind";
+
+ // If there is a firewall between you and nameservers you want
+ // to talk to, you may need to fix the firewall to allow multiple
+ // ports to talk. See http://www.kb.cert.org/vuls/id/800113
+
+ // If your ISP provided one or more IP addresses for stable
+ // nameservers, you probably want to use them as forwarders.
+ // Uncomment the following block, and insert the addresses replacing
+ // the all-0's placeholder.
+
+ // forwarders {
+ // 0.0.0.0;
+ // };
+
+ //========================================================================
+ // If BIND logs error messages about the root key being expired,
+ // you will need to update your keys. See https://www.isc.org/bind-keys
+ //========================================================================
+ dnssec-validation auto;
+
+ listen-on-v6 { any; };
+};
From d0b023c6d5176d271bf8e4ee1c8217b469ed938e Mon Sep 17 00:00:00 2001
From: Benjamin Graillot
Date: Sun, 23 Aug 2020 19:48:30 +0200
Subject: [PATCH 16/16] [wireguard] Deploy wireguard on boeing
---
 hosts | 1 +
 roles/wireguard/templates/wireguard/sputnik.conf.j2 | 10 +++++-----
 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/hosts b/hosts
index f5d61c09..22b567d8 100644
--- a/hosts
+++ b/hosts
@@ -80,6 +80,7 @@ re2o-ldap.adm.crans.org
 gitlab-ci.adm.crans.org
 hodaur.adm.crans.org
 monitoring.adm.crans.org
+boeing.adm.crans.org
 [ovh_physical]
 sputnik.adm.crans.org
diff --git a/roles/wireguard/templates/wireguard/sputnik.conf.j2 b/roles/wireguard/templates/wireguard/sputnik.conf.j2
index 7e921c89..4f0ec94a 100644
--- a/roles/wireguard/templates/wireguard/sputnik.conf.j2
+++ b/roles/wireguard/templates/wireguard/sputnik.conf.j2
@@ -9,20 +9,20 @@ PostUp = /sbin/ip link set sputnik alias adm
 [Peer]
 PublicKey = {{ wireguard.peer_public_key }}
-AllowedIPs = 172.31.0.1/32, fd0c:700:0:8::1/128, 10.231.136.0/24, 2a0c:700:0:2::/64
-Endpoint = 138.231.136.131:51820
+AllowedIPs = 172.31.0.1/32, fd0c:700:0:8::1/128, {{ query('ldap', 'network', 'adm') }}, fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64
+Endpoint = {{ (query('ldap', 'ip', 'boeing', 'srv') | ipv4)[0] }}:51820
 {% else %}
 [Interface]
 Address = 172.31.0.1/30, fd0c:700:0:8::1/64
 ListenPort = 51820
 PrivateKey = {{ wireguard.private_key }}
-PostUp = ifup {{ wireguard.if }}; iptables -t nat -A PREROUTING -d 10.231.136.21 -j DNAT --to-destination 172.31.0.2; iptables -t nat -A POSTROUTING -j MASQUERADE; ip6tables -t nat -A PREROUTING -d 2a0c:700:0:2:73:70ff:fe75:7402/128 -j DNAT --to-destination fd0c:700:0:8::2; ip6tables -t nat -A POSTROUTING -j MASQUERADE
-PostDown = ifdown {{ wireguard.if }}; iptables -t nat -D PREROUTING -d 10.231.136.21 -j DNAT --to-destination 172.31.0.2; iptables -t nat -D POSTROUTING -j MASQUERADE; ip6tables -t nat -D PREROUTING -d 2a0c:700:0:2:73:70ff:fe75:7402/128 -j DNAT --to-destination fd0c:700:0:8::2; ip6tables -t nat -D POSTROUTING -j MASQUERADE
+# PostUp = ifup {{ wireguard.if }}; iptables -t nat -A PREROUTING -d 10.231.136.21 -j DNAT --to-destination 172.31.0.2; iptables -t nat -A POSTROUTING -j MASQUERADE; ip6tables -t nat -A PREROUTING -d 2a0c:700:0:2:73:70ff:fe75:7402/128 -j DNAT --to-destination fd0c:700:0:8::2; ip6tables -t nat -A POSTROUTING -j MASQUERADE
+# PostDown = ifdown {{ wireguard.if }}; iptables -t nat -D PREROUTING -d 10.231.136.21 -j DNAT --to-destination 172.31.0.2; iptables -t nat -D POSTROUTING -j MASQUERADE; ip6tables -t nat -D PREROUTING -d 2a0c:700:0:2:73:70ff:fe75:7402/128 -j DNAT --to-destination fd0c:700:0:8::2; ip6tables -t nat -D POSTROUTING -j MASQUERADE
 [Peer]
 PublicKey = {{ wireguard.peer_public_key }}
 AllowedIPs = 172.31.0.2/32, fd0c:700:0:8::2/128
-Endpoint = 46.105.102.188:51820
+Endpoint = {{ (query('ldap', 'ip', 'sputnik', 'srv') | ipv4)[0] }}:51820
 {% endif %}
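Review bot: The two `# PostUp` / `# PostDown` lines are commented out with `#`, which WireGuard ignores but Jinja does not: `{{ wireguard.if }}` inside them is still evaluated at template time, so `wireguard.if` must stay defined for hosts that no longer use it, and the dead NAT rules keep the stale `10.231.136.21` and `2a0c:700:0:2:73:70ff:fe75:7402` literals in the rendered file. Either delete the lines (git keeps the history) or turn them into a Jinja comment `{# ... #}` so they drop out of the output. The `Endpoint` and `AllowedIPs` lines now depend on LDAP being reachable at deploy time and on `query('ldap', 'network', 'adm')` returning a single string, and `(... | ipv4)[0]` raises an IndexError when the host has no IPv4 address recorded; a comment recording those assumptions would help the next operator. The `{% if %}` that this `{% else %}` belongs to starts outside the hunk.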