From cd609d01e04d866b58433013a279a03ae587e96e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9ophile=20Bastian?= <contact@tobast.fr>
Date: Wed, 5 Mar 2025 20:13:17 +0100
Subject: [PATCH] Initiate wireguard tunnel between routers

---
 roles/wireguard/README.md                      |  5 +++++
 roles/wireguard/defaults/main.yml              |  2 ++
 roles/wireguard/templates/wireguard/wg.conf.j2 |  7 +++++--
 roles/wireguard_edge_tunnels/README.md         |  4 ++++
 roles/wireguard_edge_tunnels/tasks/main.yml    | 14 ++++++++++++++
 5 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/roles/wireguard/README.md b/roles/wireguard/README.md
index 03cb5f1..ff261d9 100644
--- a/roles/wireguard/README.md
+++ b/roles/wireguard/README.md
@@ -14,6 +14,10 @@ Définit un réseau Wireguard avec les pairs définis.
   `false`.
 * `wg_peers`: liste des pairs wireguard à configurer (également configurés par
   ce rôle). Chaque entrée de cette liste est le nom du pair dans l'inventaire ;
+* `wg_peers_addr_var`: hostvar ansible définissant l'adresse d'un pair de
+  `wg_peers`. Utile lorsque ce rôle est importé avec la variable `wg_addr`
+  définie à l'import, par exemple pour créer plus d'un tunnel par machine. Par
+  défaut, vaut `wg_addr`.
 * `wg_extra_hosts`: liste des pairs wireguard à configurer qui ne sont pas
   gérés par ce rôle ansible. Chaque entrée de cette liste est un dictionnaire
   contenant :
@@ -23,5 +27,6 @@ Définit un réseau Wireguard avec les pairs définis.
   * `endpoint`: optionnel. Adresse à laquelle cette machine peut être jointe
     pour initier la connexion wireguard.
   * `allowed_ips`: list of further IP ranges to allow
+* `wg_globally_allowed_ips`: list of further IP ranges to allow for all peers
 * `wg_add_routes`: whether routes should be added by wg-quick to the kernel
   routing table. Defaults to true.
diff --git a/roles/wireguard/defaults/main.yml b/roles/wireguard/defaults/main.yml
index c07d119..f8f6307 100644
--- a/roles/wireguard/defaults/main.yml
+++ b/roles/wireguard/defaults/main.yml
@@ -3,3 +3,5 @@ wg_port: 51810
 wg_keepalive: false
 wg_extra_hosts: []
 wg_add_routes: true
+wg_globally_allowed_ips: []
+wg_peers_addr_var: wg_addr
diff --git a/roles/wireguard/templates/wireguard/wg.conf.j2 b/roles/wireguard/templates/wireguard/wg.conf.j2
index 6f9a245..638790e 100644
--- a/roles/wireguard/templates/wireguard/wg.conf.j2
+++ b/roles/wireguard/templates/wireguard/wg.conf.j2
@@ -10,7 +10,8 @@ Table = {% if wg_add_routes %}auto{% else %}off{% endif %}
 [Peer]
 PublicKey = {{ hostvars[peer].wg_public_key }}
 Endpoint = {{ hostvars[peer].inventory_hostname}}:{{ wg_port }}
-AllowedIPs = {{ hostvars[peer].wg_addr | ipaddr('address') }}/128
+AllowedIPs = {{ hostvars[peer][wg_peers_addr_var] | ipaddr('address') }}/128
+{%- for range in wg_globally_allowed_ips %}, {{ range }}{% endfor %}
 {% if wg_keepalive -%}
 PersistentKeepalive = 25
 {%- endif %}
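Review bot: Appending `wg_globally_allowed_ips` to every `[Peer]` stanza (the new `{%- for range in wg_globally_allowed_ips %}` line here, and the same line in the `wg_extra_hosts` hunk below) hands the same prefix to several peers, which WireGuard's cryptokey routing does not support: a prefix belongs to exactly one peer at a time, so when more than one peer is rendered the last one loaded keeps the range and inbound packets from the other peers whose source falls in that range are dropped. With the `fd00::/8` that `wireguard_edge_tunnels` passes in, this bites as soon as a router lists more than one entry in `edge_neighbours`. If the single-peer case is the intended use, a template comment such as `{# wg_globally_allowed_ips is attached to every peer: only valid when at most one peer on this interface needs the range #}` would stop the next reader from adding a second neighbour; otherwise the range should be given per peer through `allowed_ips`. The enclosing `{% for %}` over `wg_peers` starts before this hunk.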
@@ -21,7 +22,9 @@ PersistentKeepalive = 25
 # {{ peer['host'] }}
 [Peer]
 PublicKey = {{ peer['pk'] }}
-AllowedIPs = {{ peer['hostaddr'] }}/128{% for range in peer['allowed_ips'] %}, {{ range }}{% endfor %}
+AllowedIPs = {{ peer['hostaddr'] }}/128
+{%- for range in peer['allowed_ips'] %}, {{ range }}{% endfor %}
+{%- for range in wg_globally_allowed_ips %}, {{ range }}{% endfor %}
 
 {% if 'endpoint' in peer %}
 Endpoint = {{ peer['endpoint'] }}
diff --git a/roles/wireguard_edge_tunnels/README.md b/roles/wireguard_edge_tunnels/README.md
index 38ed4cd..7974a3b 100644
--- a/roles/wireguard_edge_tunnels/README.md
+++ b/roles/wireguard_edge_tunnels/README.md
@@ -6,3 +6,7 @@ Establish tunnels towards BGP peers at edge routers.
 
 * `bgp_peers`: list of the BGP peers of this router. See README of role
   `bgp_edge`.
+* `edge_neighbours`: list of ansible hostname of peers (within our AS) that
+  are edge neighbours. This definition MUST be symmetric, double check that.
+* `edge_ll_ip6`: link-local IPv6 address to use for this host across the
+  edge-neighbouring tunnel.
diff --git a/roles/wireguard_edge_tunnels/tasks/main.yml b/roles/wireguard_edge_tunnels/tasks/main.yml
index f970f11..2cfea21 100644
--- a/roles/wireguard_edge_tunnels/tasks/main.yml
+++ b/roles/wireguard_edge_tunnels/tasks/main.yml
@@ -11,6 +11,20 @@
     owner: root
     mode: 0700
 
+- name: Create edge neighbours tunnels
+  include_role:
+    name: wireguard
+  vars:
+    wg_if_name: "wg-dn42-edge"
+    wg_port: "20000"
+    wg_addr: "{{ edge_ll_ip6 }}/64"
+    wg_peers: "{{ edge_neighbours }}"
+    wg_peers_addr_var: edge_ll_ip6
+    wg_extra_hosts: []
+    wg_globally_allowed_ips:
+      - 'fd00::/8'
+    wg_add_routes: false
+
 - name: Create Wireguard peering keypair
   block:
     - name: Generate keypair
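Review bot: `wg_port: "20000"` is passed as a quoted string while `roles/wireguard/defaults/main.yml` in this same patch defines `wg_port: 51810` as an integer; the template only interpolates the value so both render identically, but the two should agree (`wg_port: 20000`). The rendered `Endpoint` line uses the including host's own `wg_port` as the port of every peer, so the edge tunnel only comes up if every host in `edge_neighbours` includes the role with this exact port — the hard-coded value guarantees that today but deserves a comment, e.g. `# must be identical on every edge neighbour: the template uses the local wg_port as the peer endpoint port`. The task that follows the added one, `Create Wireguard peering keypair`, continues past the hunk.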