From 7e5f0ad73ed53e0318e3ecc51525a015eb3c776b Mon Sep 17 00:00:00 2001
From: Benjamin Graillot
Date: Sun, 26 Jan 2020 11:09:39 +0100
Subject: [PATCH] [wireguard] Deploy configuration and activate service

---
 network.yml | 17 +++++++++++-
 roles/wireguard/tasks/main.yml | 21 +++++++++++++++
 .../templates/wireguard/sputnik.conf.j2 | 26 +++++++++++++++++++
 3 files changed, 63 insertions(+), 1 deletion(-)
 create mode 100644 roles/wireguard/templates/wireguard/sputnik.conf.j2

diff --git a/network.yml b/network.yml
index c1fb6c8b..7d989ee5 100644
--- a/network.yml
+++ b/network.yml
@@ -1,9 +1,24 @@
 ---
 # Deploy tunnel
-- hosts: boeing.adm.crans.org,sputnik.adm.crans.org
+- hosts: sputnik.adm.crans.org
+  vars:
+    debian_mirror: http://mirror.crans.org/debian
+    wireguard:
+      sputnik: true
+      private_key: "{{ vault_wireguard_sputnik_private_key }}"
+      peer_public_key: "{{ vault_wireguard_boeing_public_key }}"
+  roles:
+    - wireguard
+
+- hosts: boeing.adm.crans.org
   vars:
     # Debian mirror on adm
     debian_mirror: http://mirror.adm.crans.org/debian
+    wireguard:
+      sputnik: false
+      if: ens20
+      private_key: "{{ vault_wireguard_boeing_private_key }}"
+      peer_public_key: "{{ vault_wireguard_sputnik_public_key }}"
   roles:
     - wireguard
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
index db882540..06b08d14 100644
--- a/roles/wireguard/tasks/main.yml
+++ b/roles/wireguard/tasks/main.yml
@@ -25,3 +25,24 @@
     src: update-motd.d/05-service.j2
     dest: /etc/update-motd.d/05-wireguard
     mode: 0755
+
+- name: Ensure wireguard directory is present
+  file:
+    path: /etc/wireguard
+    mode: 0700
+    owner: root
+    group: root
+
+- name: Deploy wireguard configuration
+  template:
+    src: wireguard/sputnik.conf.j2
+    dest: /etc/wireguard/sputnik.conf
+    mode: 0700
+    owner: root
+    group: root
+
+- name: Enable and start wireguard service
+  systemd:
+    name: wg-quick@sputnik
+    state: started
+    enabled: true
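Review bot: The `wireguard.sputnik` switch and `wireguard.if` are consumed by the template but nothing in either play says what they select, so a reader has to open sputnik.conf.j2 to learn that `sputnik: true` renders the tunnel side that routes the adm prefixes through the peer and `false` renders the boeing side with the NAT rules, which is the only branch that reads `if`. A comment on each `wireguard:` mapping would carry that, e.g. `# sputnik: true renders the sputnik end of the tunnel (routes 10.231.136.0/24 via boeing)` on the first play and `# if: interface ifup'd by wg-quick PostUp; only read when sputnik is false` on the second. The key pairing is also easy to cross over (each host's private key with the other host's public key), and a one-line comment stating that pairing next to the vault references would save the next editor a round trip to the template.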
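Review bot: The `file:` task in the first added block never sets `state: directory`, so it runs with the module default and fails instead of creating /etc/wireguard when the path is missing; add `state: directory` under `path` so the task matches its name. The rendered sputnik.conf holds the private key and is only read by wg-quick, so `mode: 0700` grants an execute bit for nothing; `mode: "0600"` (quoted so the octal is not retyped by YAML) is enough and also worth applying as `diff: false` on the template task, since `--diff` runs would otherwise print the private key. Finally, `state: started` on the systemd task does not pick up a changed configuration on later runs; add `notify: Restart wireguard` to the template task and a matching `wg-quick@sputnik` / `state: restarted` handler in the role's handlers file, which this diff does not touch.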
diff --git a/roles/wireguard/templates/wireguard/sputnik.conf.j2 b/roles/wireguard/templates/wireguard/sputnik.conf.j2
new file mode 100644
index 00000000..2d657b47
--- /dev/null
+++ b/roles/wireguard/templates/wireguard/sputnik.conf.j2
@@ -0,0 +1,26 @@
+# {{ ansible_managed }}
+{% if wireguard.sputnik %}
+[Interface]
+Address = 172.31.0.2/30, fd0c:700:0:8::2/64
+ListenPort = 51820
+PrivateKey = {{ wireguard.private_key }}
+
+[Peer]
+PublicKey = {{ wireguard.peer_public_key }}
+AllowedIPs = 172.31.0.1/32, fd0c:700:0:8::1/128, 10.231.136.0/24, 2a0c:700:0:2::/64
+Endpoint = 138.231.136.131:51820
+{% else %}
+[Interface]
+Address = 172.31.0.1/30, fd0c:700:0:8::1/64
+ListenPort = 51820
+PrivateKey = {{ wireguard.private_key }}
+
+PostUp = ifup {{ wireguard.if }}; iptables -t nat -A PREROUTING -d 10.231.136.21 -j DNAT --to-destination 172.31.0.2; iptables -t nat -A POSTROUTING -j MASQUERADE; ip6tables -t nat -A PREROUTING -d 2a0c:700:0:2:73:70ff:fe75:7402/128 -j DNAT --to-destination fd0c:700:0:8::2; ip6tables -t nat -A POSTROUTING -j MASQUERADE
+PostDown = ifdown {{ wireguard.if }}; iptables -t nat -D PREROUTING -d 10.231.136.21 -j DNAT --to-destination 172.31.0.2; iptables -t nat -D POSTROUTING -j MASQUERADE; ip6tables -t nat -D PREROUTING -d 2a0c:700:0:2:73:70ff:fe75:7402/128 -j DNAT --to-destination fd0c:700:0:8::2; ip6tables -t nat -D POSTROUTING -j MASQUERADE
+
+[Peer]
+PublicKey = {{ wireguard.peer_public_key }}
+AllowedIPs = 172.31.0.2/32, fd0c:700:0:8::2/128
+Endpoint = 46.105.102.188:51820
+{% endif %}
+
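Review bot: The two `POSTROUTING -j MASQUERADE` rules in the boeing-side PostUp carry no `-o` or `-s` match, so once the tunnel is up boeing source-NATs every packet it forwards out of any interface, not only the traffic it DNATs toward 172.31.0.2 / fd0c:700:0:8::2; that silently rewrites the source of anything else the host forwards and is far wider than the DNAT it is meant to pair with. Scope both rules to the tunnel interface, which wg-quick exposes as `%i` in PostUp/PostDown: `iptables -t nat -A POSTROUTING -o %i -j MASQUERADE` and `ip6tables -t nat -A POSTROUTING -o %i -j MASQUERADE`, with the same `-o %i` on the two `-D` lines in PostDown so the deletions still match. The PREROUTING DNAT rules likewise match on destination only; if the 10.231.136.21 traffic is expected on one interface, an `-i` match there would keep the redirect from applying to packets arriving elsewhere, though which interface that is is not visible in this diff. Neither `[Peer]` sets a `PresharedKey`; it is optional, but a third vault variable shared by both plays would add it at little cost.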