crans
/
ansible
mirror of http://gitlab.adm.crans.org/nounous/ansible.git
19
0
Fork 0
Code Issues Projects Releases Wiki Activity

[wireguard] Refactor role 

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
certbot_on_virtu
Yohann D'ANELLO 2021-06-26 01:04:37 +02:00
parent fa8c430a53
commit 70d335e1b8
Signed by: _ynerant
GPG Key ID: 3A75C55819C8CF85
12 changed files with 105 additions and 56 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
group_vars/wireguard.yml 100644
View File

@ -0,0 +1,3 @@
---
glob_wireguard:
tunnels: {}

14
host_vars/boeing.adm.crans.org.yml
View File

@ -1,3 +1,17 @@
--- ---
interfaces: interfaces:
adm: ens18 adm: ens18
loc_wireguard:
tunnels:
- name: "sputnik"
listen_port: 51820
private_key: "{{ vault.wireguard_boeing_private_key }}"
peers:
- public_key: "{{ vault.wireguard_sputnik_public_key }}"
allowed_ips:
- "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv4 | first }}/32"
- "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv6 | first }}/128"
endpoint: "{{ query('ldap', 'ip', 'sputnik', 'srv') | ipv4 | first }}:51820"
post_up: "sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.sputnik.proxy_arp=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=1; ip neigh add proxy {{ query('ldap', 'ip', 'sputnik', 'adm') | ipv6 | first }} dev ens18"
post_down: "sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.sputnik.proxy_arp=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=0; ip neigh delete proxy {{ query('ldap', 'ip', 'sputnik', 'adm') | ipv6 | first }} dev ens18"

16
host_vars/sputnik.adm.crans.org.yml
View File

@ -8,6 +8,22 @@ postfix:
dkim: true dkim: true
titanic: false titanic: false
loc_wireguard:
tunnels:
- name: "sputnik"
addresses:
- "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv4 | first }}/24"
- "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv6 | first }}/64"
listen_port: 51820
private_key: "{{ vault.wireguard_sputnik_private_key }}"
peers:
- public_key: "{{ vault.wireguard_boeing_public_key }}"
allowed_ips:
- "{{ query('ldap', 'network', 'adm') }}"
- "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ipv4 | first }}:51820"
post_up: "/sbin/ip link set sputnik alias adm"
to_backup: to_backup:
- { - {
name: "var", name: "var",

16
host_vars/terenez.cachan-adm.crans.org.yml
View File

@ -17,3 +17,19 @@ loc_network_interfaces:
- name: infra - name: infra
id: 11 id: 11
dns: "{{ query('ldap', 'ip', 'routeur-gulp', 'infra') | ipv4 | first }}" dns: "{{ query('ldap', 'ip', 'routeur-gulp', 'infra') | ipv4 | first }}"
loc_wireguard:
tunnels:
- name: "gulp"
addresses:
- "{{ query('ldap', 'ip', 'terenez', 'adm') | ipv4 | first }}/24"
- "{{ query('ldap', 'ip', 'terenez', 'adm') | ipv6 | first }}/64"
listen_port: 51820
private_key: "{{ vault.wireguard_terenez_private_key }}"
peers:
- public_key: "{{ vault.wireguard_vol447_public_key }}"
allowed_ips:
- "{{ query('ldap', 'network', 'adm') }}"
- "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
endpoint: "{{ query('ldap', 'ip', 'vol447', 'srv') | ipv4 | first }}:51820"
post_up: "/sbin/ip link set gulp alias adm"

3
host_vars/vol447.adm.crans.org
View File

@ -1,3 +0,0 @@
interfaces:
adm: ens18
srv: ens19

18
host_vars/vol447.adm.crans.org.yml 100644
View File

@ -0,0 +1,18 @@
---
interfaces:
adm: ens18
srv: ens19
loc_wireguard:
tunnels:
- name: "gulp"
listen_port: 51820
private_key: "{{ vault.wireguard_vol447_private_key }}"
peers:
- public_key: "{{ vault.wireguard_terenez_public_key }}"
allowed_ips:
- "{{ query('ldap', 'ip', 'terenez', 'adm') | ipv4 | first }}/32"
- "{{ query('ldap', 'ip', 'terenez', 'adm') | ipv6 | first }}/128"
endpoint: "{{ query('ldap', 'ip', 'terenez', 'cachan-srv') | ipv4 | first }}:51820"
post_up: "sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.gulp.proxy_arp=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.gulp.proxy_ndp=1; ip neigh add proxy {{ query('ldap', 'ip', 'terenez', 'adm') | ipv6 | first }} dev ens18"
post_down: "sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.gulp.proxy_arp=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.gulp.proxy_ndp=0; ip neigh delete proxy {{ query('ldap', 'ip', 'terenez', 'adm') | ipv6 | first }} dev ens18"

6
hosts
View File

@ -253,6 +253,12 @@ ptf.adm.crans.org
kiwi.adm.crans.org kiwi.adm.crans.org
sputnik.adm.crans.org sputnik.adm.crans.org
[wireguard]
boeing.adm.crans.org
sputnik.adm.crans.org
terenez.cachan-adm.crans.org
vol447.adm.crans.org
[cachan:children] [cachan:children]
cachan_physical cachan_physical
cachan_vm cachan_vm

20
plays/wireguard.yml
View File

@ -1,24 +1,8 @@
#!/usr/bin/env ansible-playbook #!/usr/bin/env ansible-playbook
--- ---
# Deploy tunnel # Deploy tunnel
- hosts: sputnik.adm.crans.org - hosts: wireguard
vars: vars:
debian_mirror: http://mirror.crans.org/debian wireguard: "{{ glob_wireguard | default({}) | combine(loc_wireguard | default({})) }}"
wireguard:
sputnik: true
private_key: "{{ vault.wireguard_sputnik_private_key }}"
peer_public_key: "{{ vault.wireguard_boeing_public_key }}"
roles:
- wireguard
- hosts: boeing.adm.crans.org
vars:
# Debian mirror on adm
debian_mirror: http://mirror.adm.crans.org/debian
wireguard:
sputnik: false
if: ens18
private_key: "{{ vault.wireguard_boeing_private_key }}"
peer_public_key: "{{ vault.wireguard_sputnik_public_key }}"
roles: roles:
- wireguard - wireguard

8
roles/wireguard/tasks/main.yml
View File

@ -25,14 +25,16 @@
- name: Deploy wireguard configuration - name: Deploy wireguard configuration
template: template:
src: wireguard/sputnik.conf.j2 src: wireguard/tunnel.conf.j2
dest: /etc/wireguard/sputnik.conf dest: "/etc/wireguard/{{ item.name }}.conf"
mode: 0700 mode: 0700
owner: root owner: root
group: root group: root
loop: "{{ wireguard.tunnels }}"
- name: Enable and start wireguard service - name: Enable and start wireguard service
systemd: systemd:
name: wg-quick@sputnik name: "wg-quick@{{ item.name }}"
state: started state: started
enabled: true enabled: true
loop: "{{ wireguard.tunnels }}"

5
roles/wireguard/templates/apt/preferences.d/limit-unstable.j2
View File

@ -1,5 +0,0 @@
{{ ansible_header | comment }}
Package: *
Pin: release a=unstable
Pin-Priority: 90

27
roles/wireguard/templates/wireguard/sputnik.conf.j2
View File

@ -1,27 +0,0 @@
{{ ansible_header | comment }}
{% if wireguard.sputnik %}
[Interface]
Address = 172.16.10.32/24, fd00::10:0:ff:fe00:3210/64
ListenPort = 51820
PrivateKey = {{ wireguard.private_key }}
PostUp = /sbin/ip link set sputnik alias adm
[Peer]
PublicKey = {{ wireguard.peer_public_key }}
AllowedIPs = {{ query('ldap', 'network', 'adm') }}, fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64
Endpoint = {{ (query('ldap', 'ip', 'boeing', 'srv') | ipv4)[0] }}:51820
{% else %}
[Interface]
ListenPort = 51820
PrivateKey = {{ wireguard.private_key }}
PostUp = sysctl -w net.ipv4.conf.{{ wireguard.if }}.proxy_arp=1; sysctl -w net.ipv4.conf.sputnik.proxy_arp=1; sysctl -w net.ipv6.conf.{{ wireguard.if }}.proxy_ndp=1; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=1; ip neigh add proxy {{ (query('ldap', 'ip', 'sputnik', 'adm') | ipv6)[0] }} dev {{ wireguard.if }}
PostDown = sysctl -w net.ipv4.conf.{{ wireguard.if }}.proxy_arp=0; sysctl -w net.ipv4.conf.sputnik.proxy_arp=0; sysctl -w net.ipv6.conf.{{ wireguard.if }}.proxy_ndp=0; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=0; ip neigh delete proxy {{ (query('ldap', 'ip', 'sputnik', 'adm') | ipv6)[0] }} dev {{ wireguard.if }}
[Peer]
PublicKey = {{ wireguard.peer_public_key }}
AllowedIPs = {{ (query('ldap', 'ip', 'sputnik', 'adm') | ipv4)[0] }}/32, {{ (query('ldap', 'ip', 'sputnik', 'adm') | ipv6)[0] }}/128
Endpoint = {{ (query('ldap', 'ip', 'sputnik', 'srv') | ipv4)[0] }}:51820
{% endif %}

25
roles/wireguard/templates/wireguard/tunnel.conf.j2 100644
View File

@ -0,0 +1,25 @@
{{ ansible_header | comment }}
[Interface]
{% if item.addresses is defined %}
Address = {{ item.addresses | join(", ") }}
{% endif %}
{% if item.listen_port is defined %}
ListenPort = {{ item.listen_port }}
{% endif %}
PrivateKey = {{ item.private_key }}
{% if item.post_up is defined %}
PostUp = {{ item.post_up }}
{% endif %}
{% if item.post_down is defined %}
PostDown = {{ item.post_down }}
{% endif %}
{% for peer in item.peers %}
[Peer]
PublicKey = {{ peer.public_key }}
AllowedIPs = {{ peer.allowed_ips | join(", ") }}
Endpoint = {{ peer.endpoint }}
{% endfor -%}