Add WireGuard peers between boeing and routeur-ft/thot

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
linter
Yohann D'ANELLO 2022-06-28 14:19:21 +02:00
parent bac8ffdc72
commit 80db7ec7aa
Signed by: _ynerant
GPG Key ID: 3A75C55819C8CF85
7 changed files with 93 additions and 6 deletions


@ -8,14 +8,31 @@ loc_wireguard:
- name: "sputnik" - name: "sputnik"
listen_port: 51820 listen_port: 51820
private_key: "{{ vault.wireguard.boeing.privkey }}" private_key: "{{ vault.wireguard.boeing.privkey }}"
table: "off"
peers: peers:
- public_key: "{{ vault.wireguard.sputnik.pubkey }}" - public_key: "{{ vault.wireguard.sputnik.pubkey }}"
allowed_ips: allowed_ips:
- "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv4 | first }}/32" - "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv4 | first }}/32"
- "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv6 | first }}/128" - "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv6 | first }}/128"
endpoint: "{{ query('ldap', 'ip', 'sputnik', 'srv') | ipv4 | first }}:51820" endpoint: "{{ query('ldap', 'ip', 'sputnik', 'srv') | ipv4 | first }}:51820"
post_up: "sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.sputnik.proxy_arp=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=1; ip neigh add proxy {{ query('ldap', 'ip', 'sputnik', 'adm') | ipv6 | first }} dev ens18" - public_key: "{{ vault.wireguard.routeur_ft.pubkey }}"
post_down: "sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.sputnik.proxy_arp=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=0; ip neigh delete proxy {{ query('ldap', 'ip', 'sputnik', 'adm') | ipv6 | first }} dev ens18" allowed_ips:
- "{{ query('ldap', 'network', 'adm') }}"
- "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
persistent_keepalive: 25
- public_key: "{{ vault.wireguard.routeur_thot.pubkey }}"
allowed_ips:
- "{{ query('ldap', 'network', 'adm') }}"
- "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
persistent_keepalive: 25
post_up:
- "sysctl -w net.ipv4.conf.all.forwarding=1; sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.sputnik.proxy_arp=1"
- "sysctl -w net.ipv6.conf.all.forwarding=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=1"
- "python3 /var/local/services/proxy/proxy.py --alter"
pre_down:
- "sysctl -w net.ipv4.conf.all.forwarding=0; sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.sputnik.proxy_arp=0"
- "sysctl -w net.ipv6.conf.all.forwarding=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.sputnik.proxy_ndp=0"
- "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy"
loc_service_proxy: loc_service_proxy:
config: config:
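Review bot: The two new peers on boeing, routeur_ft and routeur_thot, are given identical AllowedIPs (the whole adm IPv4 network plus fd00:0:0:<vlanid>::/64), and WireGuard's cryptokey routing does not let a prefix belong to two peers: when the second peer is configured the prefixes are taken away from the first, so packets from routeur-ft with an adm source are dropped on ingress and outbound adm traffic only ever reaches routeur-thot. Give each router disjoint prefixes (its own adm /32 and /128, or the specific subnets it fronts), or use one tunnel per router. Separately, `pre_down` now runs `sysctl -w net.ipv4.conf.all.forwarding=0` and the IPv6 equivalent, while the replaced `post_up` never enabled forwarding, which suggests it was already on for the existing sputnik peer and proxy_arp; bringing this interface down would then switch forwarding off for the whole host, so drop the two `all.forwarding=0` commands. What `proxy.py --alter` installs is outside this diff.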


@ -3,6 +3,29 @@ interfaces:
adm: ens18 adm: ens18
auto: ens19 auto: ens19
loc_wireguard:
tunnels:
- name: "wg0"
listen_port: 51820
private_key: "{{ vault.wireguard.routeur_ft.privkey }}"
table: "off"
peers:
- public_key: "{{ vault.wireguard.boeing.pubkey }}"
allowed_ips:
- "{{ query('ldap', 'network', 'adm') }}"
- "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ipv4 | first }}:51820"
persistent_keepalive: 25
post_up:
- "sysctl -w net.ipv4.conf.all.forwarding=1; sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.wg0.proxy_arp=1"
- "sysctl -w net.ipv6.conf.all.forwarding=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.wg0.proxy_ndp=1"
- "ip route add 172.16.10.1 dev wg0 proto proxy"
- "python3 /var/local/services/proxy/proxy.py --alter"
pre_down:
- "sysctl -w net.ipv4.conf.all.forwarding=0; sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.wg0.proxy_arp=0"
- "sysctl -w net.ipv6.conf.all.forwarding=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.wg0.proxy_ndp=0"
- "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy"
loc_service_proxy: loc_service_proxy:
config: config:
ldap: ldap:
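Review bot: `ip route add 172.16.10.1 dev wg0 proto proxy` hard-codes boeing's adm address while every other address in this file is resolved from LDAP (`query('ldap', 'ip', 'boeing', 'srv')` a few lines up); use `"ip route add {{ query('ldap', 'ip', 'boeing', 'adm') | ipv4 | first }} dev wg0 proto proxy"` so the route cannot drift from the directory, and add the `ip -6 route add` counterpart since the IPv6 /64 is in AllowedIPs and `pre_down` already flushes `ip -6 route ... proto proxy`. Also, `ip` only accepts `proto proxy` if a `proxy` name exists in `/etc/iproute2/rt_protos` (or `rt_protos.d/`); if the proxy role does not install that mapping, this PostUp fails and wg-quick tears the interface down again, so a comment naming where the protocol id is defined, or a numeric id, would make the dependency explicit.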


@ -3,6 +3,29 @@ interfaces:
adm: ens18 adm: ens18
auto: ens19 auto: ens19
loc_wireguard:
tunnels:
- name: "wg0"
listen_port: 51820
private_key: "{{ vault.wireguard.routeur_thot.privkey }}"
table: "off"
peers:
- public_key: "{{ vault.wireguard.boeing.pubkey }}"
allowed_ips:
- "{{ query('ldap', 'network', 'adm') }}"
- "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ipv4 | first }}:51820"
persistent_keepalive: 25
post_up:
- "sysctl -w net.ipv4.conf.all.forwarding=1; sysctl -w net.ipv4.conf.ens18.proxy_arp=1; sysctl -w net.ipv4.conf.wg0.proxy_arp=1"
- "sysctl -w net.ipv6.conf.all.forwarding=1; sysctl -w net.ipv6.conf.ens18.proxy_ndp=1; sysctl -w net.ipv6.conf.wg0.proxy_ndp=1"
- "ip route add 172.16.10.1 dev wg0 proto proxy"
- "python3 /var/local/services/proxy/proxy.py --alter"
pre_down:
- "sysctl -w net.ipv4.conf.all.forwarding=0; sysctl -w net.ipv4.conf.ens18.proxy_arp=0; sysctl -w net.ipv4.conf.wg0.proxy_arp=0"
- "sysctl -w net.ipv6.conf.all.forwarding=0; sysctl -w net.ipv6.conf.ens18.proxy_ndp=0; sysctl -w net.ipv6.conf.wg0.proxy_ndp=0"
- "ip route flush proto proxy; ip -6 route flush proto proxy; ip neigh flush proxy proto proxy"
loc_service_proxy: loc_service_proxy:
config: config:
ldap: ldap:
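Review bot: This `loc_wireguard` block is byte-identical to routeur-ft's except for the vault key and so will drift; move the tunnel definition to a group_vars file for the router group and parameterize the private key with `"{{ vault.wireguard[inventory_hostname_short | replace('-', '_')].privkey }}"` (or a per-host variable) rather than copying the block. Note also that the same commit leaves `routeur-thot.adm.crans.org` commented out in the `[wireguard]` inventory group, while boeing's host_vars already trust `vault.wireguard.routeur_thot.pubkey` with the entire adm network in AllowedIPs; either comment out that peer on boeing until thot is actually deployed, or add a comment explaining why the peer is pre-provisioned. The `172.16.10.1` hard-coding and `proto proxy` caveats raised on routeur-ft apply here unchanged.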


@ -22,7 +22,8 @@ loc_wireguard:
- "{{ query('ldap', 'network', 'adm') }}" - "{{ query('ldap', 'network', 'adm') }}"
- "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64" - "fd00:0:0:{{ query('ldap', 'vlanid', 'adm') }}::/64"
endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ipv4 | first }}:51820" endpoint: "{{ query('ldap', 'ip', 'boeing', 'srv') | ipv4 | first }}:51820"
post_up: "/sbin/ip link set sputnik alias adm" post_up:
- "/sbin/ip link set sputnik alias adm"
loc_slapd: loc_slapd:
ip: "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv4 | first }}" ip: "{{ query('ldap', 'ip', 'sputnik', 'adm') | ipv4 | first }}"

hosts

@ -269,6 +269,8 @@ sputnik.adm.crans.org
[wireguard] [wireguard]
boeing.adm.crans.org boeing.adm.crans.org
routeur-ft.adm.crans.org
#routeur-thot.adm.crans.org
sputnik.adm.crans.org sputnik.adm.crans.org
[crans_routeurs:children] [crans_routeurs:children]


@ -5,7 +5,6 @@
name: name:
- wireguard - wireguard
- resolvconf - resolvconf
- linux-headers-amd64
register: apt_result register: apt_result
retries: 3 retries: 3
until: apt_result is succeeded until: apt_result is succeeded


@ -8,18 +8,40 @@ Address = {{ item.addresses | join(", ") }}
ListenPort = {{ item.listen_port }} ListenPort = {{ item.listen_port }}
{% endif %} {% endif %}
PrivateKey = {{ item.private_key }} PrivateKey = {{ item.private_key }}
{% if item.table is defined %}
Table = {{ item.table }}
{% endif %}
{% if item.pre_up is defined %}
{% for command in item.pre_up %}
PreUp = {{ command }}
{% endfor %}
{% endif %}
{% if item.post_up is defined %} {% if item.post_up is defined %}
PostUp = {{ item.post_up }} {% for command in item.post_up %}
PostUp = {{ command }}
{% endfor %}
{% endif %}
{% if item.pre_down is defined %}
{% for command in item.pre_down %}
PreDown = {{ command }}
{% endfor %}
{% endif %} {% endif %}
{% if item.post_down is defined %} {% if item.post_down is defined %}
PostDown = {{ item.post_down }} {% for command in item.post_down %}
PostDown = {{ command }}
{% endfor %}
{% endif %} {% endif %}
{% for peer in item.peers %} {% for peer in item.peers %}
[Peer] [Peer]
PublicKey = {{ peer.public_key }} PublicKey = {{ peer.public_key }}
AllowedIPs = {{ peer.allowed_ips | join(", ") }} AllowedIPs = {{ peer.allowed_ips | join(", ") }}
{% if peer.endpoint is defined %}
Endpoint = {{ peer.endpoint }} Endpoint = {{ peer.endpoint }}
{% endif %}
{% if peer.persistent_keepalive is defined %}
PersistentKeepalive = {{ peer.persistent_keepalive }}
{% endif %}
{% endfor -%} {% endfor -%}
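Review bot: The new `{% for command in item.post_up %}` loop (and the pre_up, pre_down and post_down ones) assumes a list, but any host_vars that still set `post_up` as a single string, the form this commit converts sputnik away from, will iterate over characters and render one `PostUp = <char>` line per character, which wg-quick then executes as root. Guard each loop with `{% for command in ([item.post_up] if item.post_up is string else item.post_up) %}` (same pattern for the other three keys) or validate the type in the role. `Table = {{ item.table }}` also deserves a comment such as `{# table must be a quoted string: "off", "auto" or a table id; a bare off is YAML false #}`, since an unquoted `table: off` renders `Table = False`, which wg-quick hands to `ip route ... table False` and fails. The command strings are interpolated unquoted into a file wg-quick runs through bash as root, so they must continue to come only from trusted host_vars.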