From 80db7ec7aa953ff96a0d09ab5cca37eb6f0824fa Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Tue, 28 Jun 2022 14:19:21 +0200 Subject: [PATCH] Add wireguard peers between boeing and routeur-ft/thot Signed-off-by: Yohann D'ANELLO --- host_vars/boeing.adm.crans.org.yml | 21 +++++++++++++-- host_vars/routeur-ft.adm.crans.org.yml | 23 ++++++++++++++++ host_vars/routeur-thot.adm.crans.org.yml | 23 ++++++++++++++++ host_vars/sputnik.adm.crans.org.yml | 3 ++- hosts | 2 ++ roles/wireguard/tasks/main.yml | 1 - .../templates/wireguard/tunnel.conf.j2 | 26 +++++++++++++++++-- 7 files changed, 93 insertions(+), 6 deletions(-) diff --git a/host_vars/boeing.adm.crans.org.yml b/host_vars/boeing.adm.crans.org.yml index e7a38043..e945734b 100644 --- a/host_vars/boeing.adm.crans.org.yml +++ b/host_vars/boeing.adm.crans.org.yml 
@@ -8,14 +8,31 @@ loc_wireguard: - name: "sputnik" listen_port: 51820 private_key: "{{ vault.wireguard.boeing.privkey }}" + table: "off" peers: - public_key: "{{ vault.wireguard.sputnik.pubkey }}" allowed_ips: - "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv4 | first }}/32" - "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv6 | first }}/128" endpoint: "{{ query('ldap', 'ip', 'sputnik', 'srv') | ipv4 | first }}:51820" - post_up: "sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.sputnik.proxy_arp=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=1; ip neigh add proxy {{ query('ldap', 'ip', 'sputnik', 'adm') | ipv6 | first }} dev ens18" - post_down: "sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.sputnik.proxy_arp=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=0; ip neigh delete proxy {{ query('ldap', 'ip', 'sputnik', 'adm') | ipv6 | first }} dev ens18" + - public_key: "{{ vault.wireguard.routeur_ft.pubkey }}" + allowed_ips: + - "{{ query('ldap', 'network', 'adm') }}" + - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64" + persistent_keepalive: 25 + - public_key: "{{ vault.wireguard.routeur_thot.pubkey }}" + allowed_ips: + - "{{ query('ldap', 'network', 'adm') }}" + - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64" + persistent_keepalive: 25 + post_up: + - "sysctl -w net.ipv4.conf.all.forwarding=1; sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.sputnik.proxy_arp=1" + - "sysctl -w net.ipv6.conf.all.forwarding=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=1" + - "python3 /var/local/services/proxy/proxy.py --alter" + pre_down: + - "sysctl -w net.ipv4.conf.all.forwarding=0; sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.sputnik.proxy_arp=0" + - "sysctl -w net.ipv6.conf.all.forwarding=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w 
net.ipv6.conf.sputnik.proxy_ndp=0" + - "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy" loc_service_proxy: config: diff --git a/host_vars/routeur-ft.adm.crans.org.yml b/host_vars/routeur-ft.adm.crans.org.yml index ecd69b9f..7b5b403f 100644 --- a/host_vars/routeur-ft.adm.crans.org.yml +++ b/host_vars/routeur-ft.adm.crans.org.yml @@ -3,6 +3,29 @@ interfaces: adm: ens18 auto: ens19 +loc_wireguard: + tunnels: + - name: "wg0" + listen_port: 51820 + private_key: "{{ vault.wireguard.routeur_ft.privkey }}" + table: "off" + peers: + - public_key: "{{ vault.wireguard.boeing.pubkey }}" + allowed_ips: + - "{{ query('ldap', 'network', 'adm') }}" + - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64" + endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ipv4 | first }}:51820" + persistent_keepalive: 25 + post_up: + - "sysctl -w net.ipv4.conf.all.forwarding=1; sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.wg0.proxy_arp=1" + - "sysctl -w net.ipv6.conf.all.forwarding=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.wg0.proxy_ndp=1" + - "ip route add 172.16.10.1 dev wg0 proto proxy" + - "python3 /var/local/services/proxy/proxy.py --alter" + pre_down: + - "sysctl -w net.ipv4.conf.all.forwarding=0; sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.wg0.proxy_arp=0" + - "sysctl -w net.ipv6.conf.all.forwarding=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.wg0.proxy_ndp=0" + - "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy" + loc_service_proxy: config: ldap: diff --git a/host_vars/routeur-thot.adm.crans.org.yml b/host_vars/routeur-thot.adm.crans.org.yml index 3d46351a..d5c81610 100644 --- a/host_vars/routeur-thot.adm.crans.org.yml +++ b/host_vars/routeur-thot.adm.crans.org.yml 
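Review bot: The two new peers on boeing (`routeur_ft` and `routeur_thot`) declare identical `allowed_ips` (the whole adm network and the `fd00:0:0:<vlanid>::/64` prefix), but WireGuard's cryptokey routing binds each allowed prefix to exactly one peer, so the second peer configured silently takes the prefixes away from the first and traffic sourced from the other router inside those ranges is dropped on receive. If both routers are meant to be active, give each peer a distinct range, e.g. following the sputnik peer's pattern with the router's own adm address (`- "{{ query('ldap', 'ip', 'routeur-ft', 'adm') | ipv4 | first }}/32"`, assuming LDAP holds such an entry); if only one is meant to be live at a time, a comment above the peers saying so would stop the next reader from assuming failover. Separately, the new `pre_down` sets `net.ipv4.conf.all.forwarding=0` and `net.ipv6.conf.all.forwarding=0`, which disables forwarding for every interface on boeing, not just this tunnel; if anything else on the host relies on forwarding, scope these to the tunnel interfaces or drop the `all.forwarding` toggles from `pre_down`.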
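Review bot: The `pre_down` list on routeur-ft runs `sysctl -w net.ipv4.conf.all.forwarding=0` and `sysctl -w net.ipv6.conf.all.forwarding=0`, which turns off IP forwarding for the entire host whenever `wg0` goes down (`wg-quick down`, or a redeploy that restarts the tunnel); on a machine that, by its name and the `[crans_routeurs:children]` group visible in the hosts hunk, appears to be a router, that would stop all routing, not just the tunnel. The same two lines are repeated verbatim in the routeur-thot hunk. The interface-level toggles are enough to undo what `post_up` adds, so I would trim both entries to `- "sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.wg0.proxy_arp=0"` and `- "sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.wg0.proxy_ndp=0"`, and leave `all.forwarding` to whatever role already manages it on the routers. Also, `ip route add 172.16.10.1 dev wg0 proto proxy` is the only hard-coded address in a file that otherwise resolves everything through `query('ldap', ...)`; a comment naming what that address is (or an LDAP lookup for it) would keep it from going stale.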
@@ -3,6 +3,29 @@ interfaces: adm: ens18 auto: ens19 +loc_wireguard: + tunnels: + - name: "wg0" + listen_port: 51820 + private_key: "{{ vault.wireguard.routeur_thot.privkey }}" + table: "off" + peers: + - public_key: "{{ vault.wireguard.boeing.pubkey }}" + allowed_ips: + - "{{ query('ldap', 'network', 'adm') }}" + - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64" + endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ipv4 | first }}:51820" + persistent_keepalive: 25 + post_up: + - "sysctl -w net.ipv4.conf.all.forwarding=1; sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.wg0.proxy_arp=1" + - "sysctl -w net.ipv6.conf.all.forwarding=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.wg0.proxy_ndp=1" + - "ip route add 172.16.10.1 dev wg0 proto proxy" + - "python3 /var/local/services/proxy/proxy.py --alter" + pre_down: + - "sysctl -w net.ipv4.conf.all.forwarding=0; sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.wg0.proxy_arp=0" + - "sysctl -w net.ipv6.conf.all.forwarding=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.wg0.proxy_ndp=0" + - "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy" + loc_service_proxy: config: ldap: diff --git a/host_vars/sputnik.adm.crans.org.yml b/host_vars/sputnik.adm.crans.org.yml index f9bd8666..356ff00d 100644 --- a/host_vars/sputnik.adm.crans.org.yml +++ b/host_vars/sputnik.adm.crans.org.yml @@ -22,7 +22,8 @@ loc_wireguard: - "{{ query('ldap', 'network', 'adm') }}" - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64" endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ipv4 | first }}:51820" - post_up: "/sbin/ip link set sputnik alias adm" + post_up: + - "/sbin/ip link set sputnik alias adm" loc_slapd: ip: "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv4 | first }}" diff --git a/hosts b/hosts index 110bedc9..3f3f03b3 100644 --- a/hosts +++ b/hosts 
@@ -269,6 +269,8 @@ sputnik.adm.crans.org [wireguard] boeing.adm.crans.org +routeur-ft.adm.crans.org +#routeur-thot.adm.crans.org sputnik.adm.crans.org [crans_routeurs:children] diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml index c9f9d293..905cbfce 100644 --- a/roles/wireguard/tasks/main.yml +++ b/roles/wireguard/tasks/main.yml @@ -5,7 +5,6 @@ name: - wireguard - resolvconf - - linux-headers-amd64 register: apt_result retries: 3 until: apt_result is succeeded diff --git a/roles/wireguard/templates/wireguard/tunnel.conf.j2 b/roles/wireguard/templates/wireguard/tunnel.conf.j2 index e8682637..17aacb31 100644 --- a/roles/wireguard/templates/wireguard/tunnel.conf.j2 +++ b/roles/wireguard/templates/wireguard/tunnel.conf.j2 @@ -8,18 +8,40 @@ Address = {{ item.addresses | join(", ") }} ListenPort = {{ item.listen_port }} {% endif %} PrivateKey = {{ item.private_key }} +{% if item.table is defined %} +Table = {{ item.table }} +{% endif %} +{% if item.pre_up is defined %} +{% for command in item.pre_up %} +PreUp = {{ command }} +{% endfor %} +{% endif %} {% if item.post_up is defined %} -PostUp = {{ item.post_up }} +{% for command in item.post_up %} +PostUp = {{ command }} +{% endfor %} +{% endif %} +{% if item.pre_down is defined %} +{% for command in item.pre_down %} +PreDown = {{ command }} +{% endfor %} {% endif %} {% if item.post_down is defined %} -PostDown = {{ item.post_down }} +{% for command in item.post_down %} +PostDown = {{ command }} +{% endfor %} {% endif %} {% for peer in item.peers %} [Peer] PublicKey = {{ peer.public_key }} AllowedIPs = {{ peer.allowed_ips | join(", ") }} +{% if peer.endpoint is defined %} Endpoint = {{ peer.endpoint }} +{% endif %} +{% if peer.persistent_keepalive is defined %} +PersistentKeepalive = {{ peer.persistent_keepalive }} +{% endif %} {% endfor -%}
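Review bot: `#routeur-thot.adm.crans.org` is added commented out, so the `loc_wireguard` block this commit introduces in `host_vars/routeur-thot.adm.crans.org.yml` is never applied, while boeing already gets a `[Peer]` entry for `vault.wireguard.routeur_thot.pubkey` with the full adm network as its allowed range. If this is deliberate staging, a short comment on the line saying why thot is held back (e.g. `# routeur-thot: wireguard peer not yet enabled — <reason>`) would make the intent clear; otherwise the line should be uncommented together with the rest of the change, or the thot peer dropped from boeing until it is.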
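Review bot: The four new `{% for command in item.pre_up %}` / `post_up` / `pre_down` / `post_down` loops assume the variable is a list; a host that still uses the old plain-string form (the shape this commit migrates sputnik away from) would iterate character by character and render one `PostUp = x` line per character, yielding a broken tunnel.conf. Accepting both shapes is a one-line change per loop, e.g. `{% for command in ([item.post_up] if item.post_up is string else item.post_up) %}`. The new `Table = {{ item.table }}` line also depends on callers writing `table: "off"` with quotes, since an unquoted `off` is parsed as a YAML boolean and would render as `Table = False`; a comment above the `{% if item.table is defined %}` block noting that the value must be a quoted string would save a debugging round. The template's start is outside the hunk; the hunk ends at the file's closing `{% endfor -%}`.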