Merge branch 'sputnik' into 'newinfra'

[wireguard] Use nftables on boeing

See merge request nounous/ansible!77

plays/wireguard.yml

@@ -8,7 +8,8 @@
       sputnik: true
       private_key: "{{ vault_wireguard_sputnik_private_key }}"
       peer_public_key: "{{ vault_wireguard_boeing_public_key }}"
-  roles: ["wireguard"]
+  roles:
+    - wireguard
 
 - hosts: boeing.adm.crans.org
   vars:
@@ -19,4 +20,5 @@
       if: ens20
       private_key: "{{ vault_wireguard_boeing_private_key }}"
       peer_public_key: "{{ vault_wireguard_sputnik_public_key }}"
-  roles: ["wireguard"]
+  roles:
+    - wireguard

roles/wireguard/tasks/main.yml

@@ -46,3 +46,29 @@
     name: wg-quick@sputnik
     state: started
     enabled: true
+
+- name: Install nftables
+  apt:
+    name: nftables
+    state: present
+    update_cache: true
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+  when: not wireguard.sputnik
+
+- name: Deploy nftables.conf
+  template:
+    src: nftables.conf
+    dest: /etc/nftables.conf
+    mode: 0644
+    owner: root
+    group: root
+  when: not wireguard.sputnik
+
+- name: Enable and start nftables
+  systemd:
+    name: nftables
+    enabled: true
+    state: started
+  when: not wireguard.sputnik

roles/wireguard/templates/nftables.conf

@@ -0,0 +1,29 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+{% set sputnik_ip = query('ldap', 'ip', 'sputnik', 'adm') %}
+table ip nat {
+	chain prerouting {
+		type nat hook prerouting priority 0; policy accept;
+		ip daddr {{ sputnik_ip }} dnat 172.31.0.2
+	}
+	chain postrouting {
+		type nat hook postrouting priority 100; policy accept;
+		ip saddr 172.31.0.2 ip protocol icmp snat {{ sputnik_ip }}
+		ip saddr 172.31.0.2 ip protocol tcp snat {{ sputnik_ip }}
+		ip saddr 172.31.0.2 ip protocol udp snat {{ sputnik_ip }}
+	}
+}
+
+table inet filter {
+	chain input {
+		type filter hook input priority 0;
+	}
+	chain forward {
+		type filter hook forward priority 0;
+	}
+	chain output {
+		type filter hook output priority 0;
+	}
+}

roles/wireguard/templates/wireguard/sputnik.conf.j2

@@ -17,8 +17,8 @@ Address = 172.31.0.1/30, fd0c:700:0:8::1/64
 ListenPort = 51820
 PrivateKey = {{ wireguard.private_key }}
 
-# PostUp =   ifup   {{ wireguard.if }}; iptables -t nat -A PREROUTING -d 10.231.136.21 -j DNAT --to-destination 172.31.0.2; iptables -t nat -A POSTROUTING -j MASQUERADE; ip6tables -t nat -A PREROUTING -d 2a0c:700:0:2:73:70ff:fe75:7402/128 -j DNAT --to-destination fd0c:700:0:8::2; ip6tables -t nat -A POSTROUTING -j MASQUERADE
+PostUp =   ifup   {{ wireguard.if }}; systemctl start nftables
-# PostDown = ifdown {{ wireguard.if }}; iptables -t nat -D PREROUTING -d 10.231.136.21 -j DNAT --to-destination 172.31.0.2; iptables -t nat -D POSTROUTING -j MASQUERADE; ip6tables -t nat -D PREROUTING -d 2a0c:700:0:2:73:70ff:fe75:7402/128 -j DNAT --to-destination fd0c:700:0:8::2; ip6tables -t nat -D POSTROUTING -j MASQUERADE
+PostDown = ifdown {{ wireguard.if }}; systemctl stop nftables
 
 [Peer]
 PublicKey = {{ wireguard.peer_public_key }}