From c77ae7f4c397c9ba791f59d3a3d417eb46cfc9e7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?=
Date: Thu, 7 May 2020 19:24:02 +0200
Subject: [PATCH] aurore-firewall: initial setup group_vars: add apartment_block_id var dhcp: move vars to role
---
 group_vars/edc/main.yml | 1 +
 group_vars/fleming/main.yml | 1 +
 group_vars/georgesand/main.yml | 3 +
 group_vars/pacaterie/main.yml | 1 +
 network.yml | 5 +-
 roles/aurore-firewall/tasks/main.yml | 18 ++++++
 .../templates/firewall_config.py | 64 +++++++++++++++++++
 .../isc-dhcp-server/vars/main.yml | 0
 8 files changed, 92 insertions(+), 1 deletion(-)
 create mode 100644 group_vars/georgesand/main.yml
 create mode 100644 roles/aurore-firewall/tasks/main.yml
 create mode 100644 roles/aurore-firewall/templates/firewall_config.py
 rename group_vars/dhcp/vars.yml => roles/isc-dhcp-server/vars/main.yml (100%)
diff --git a/group_vars/edc/main.yml b/group_vars/edc/main.yml
index 48f10cd..d6cc8d4 100644
--- a/group_vars/edc/main.yml
+++ b/group_vars/edc/main.yml
@@ -1,5 +1,6 @@
 ---
 apartment_block: edc
+apartment_block_id: 4
 subnet_ids:
 ap: 144
diff --git a/group_vars/fleming/main.yml b/group_vars/fleming/main.yml
index f0d1f8f..93abe36 100644
--- a/group_vars/fleming/main.yml
+++ b/group_vars/fleming/main.yml
@@ -1,5 +1,6 @@
 ---
 apartment_block: fleming
+apartment_block_id: 1
 subnet_ids:
 ap: 141
diff --git a/group_vars/georgesand/main.yml b/group_vars/georgesand/main.yml
new file mode 100644
index 0000000..0d233a5
--- /dev/null
+++ b/group_vars/georgesand/main.yml
@@ -0,0 +1,3 @@
+---
+apartment_block: gs
+apartment_block_id: 5
diff --git a/group_vars/pacaterie/main.yml b/group_vars/pacaterie/main.yml
index 043d26d..e51113e 100644
--- a/group_vars/pacaterie/main.yml
+++ b/group_vars/pacaterie/main.yml
@@ -1,5 +1,6 @@
 ---
 apartment_block: pacaterie
+apartment_block_id: 2
 subnet_ids:
 ap: 142
diff --git a/network.yml b/network.yml
index a83b2d9..e8abe02 100755
--- a/network.yml
+++ b/network.yml
@@ -15,12 +15,15 @@ - isc-dhcp-server - # Deploy unbound DNS server (recursive). - hosts: recursive_dns roles: - unbound
+- hosts: routeur-*.adm.auro.re
+ roles:
+ - aurore-firewall
+
 # WIP: Deploy authoritative DNS servers
 # - hosts: authoritative_dns
diff --git a/roles/aurore-firewall/tasks/main.yml b/roles/aurore-firewall/tasks/main.yml
new file mode 100644
index 0000000..a6bb7e7
--- /dev/null
+++ b/roles/aurore-firewall/tasks/main.yml
@@ -0,0 +1,18 @@
+---
+- name: Configure aurore-firewall
+ template:
+ src: firewall_config.py
+ dest: /var/local/re2o-services/aurore-firewall/firewall_config.py
+ mode: 0644
+
+- name: Install corresponding re2o service
+ import_role:
+ name: re2o-service
+ vars:
+ service_repo: https://gitlab.federez.net/re2o/aurore-firewall.git
+ service_name: aurore-firewall
+ service_version: master
+ service_config:
+ hostname: re2o.auro.re
+ username: service-user
+ password: "{{ vault_serviceuser_passwd }}"
diff --git a/roles/aurore-firewall/templates/firewall_config.py b/roles/aurore-firewall/templates/firewall_config.py
new file mode 100644
index 0000000..d782cdb
--- /dev/null
+++ b/roles/aurore-firewall/templates/firewall_config.py
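Review bot: The new play selects its targets with the hostname glob `routeur-*.adm.auro.re`, whereas the neighbouring plays in this file (`recursive_dns` just above) target inventory groups; a glob silently matches nothing when a router is named differently and ties the firewall rollout to the naming scheme. Prefer a dedicated inventory group for the routers and target that, e.g. `- hosts: routeurs` (constructed name, use whatever group the inventory defines). The aurore-firewall template needs `apartment_block_id` and `subnet_ids` for every matched host, so a group also gives one place to attach those variables.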
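Review bot: `service_version: master` deploys whatever the tip of the upstream branch is at run time, so the firewall code on the routers can change with no change to this repository and a given deployment cannot be reproduced later; pin a tag or commit (`service_version: <tag-or-commit>`, placeholder) and bump it deliberately. The `Configure aurore-firewall` template task also runs before the `re2o-service` role is imported; if that role is what creates `/var/local/re2o-services/aurore-firewall/`, the first run fails on a missing directory, so either import the role first or add a `file: state=directory` task ahead of the template. Minor: the Ansible docs recommend quoting the mode, `mode: '0644'`, so the YAML loader cannot reinterpret the octal literal.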
@@ -0,0 +1,64 @@
+# -*- mode: python; coding: utf-8 -*-
+#
+# {{ ansible_managed }}
+#
+# Re2o est un logiciel d'administration développé initiallement au rezometz. Il
+# se veut agnostique au réseau considéré, de manière à être installable en
+# quelques clics.
+#
+# Copyright © 2017 Gabriel Détraz
+# Copyright © 2017 Goulven Kermarec
+# Copyright © 2017 Augustin Lemesle
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+### Give me a role
+role = ['''routeur{{ apartment_block_id }}{{ 'backup' if "backup" in inventory_hostname else '' }}''']
+
+
+### Specify each interface role
+
+interfaces_type = {
+ 'routable' : ['ens20', 'ens21'],
+ 'sortie' : ['ens19'],
+ 'admin' : ['ens18']
+}
+
+
+### Specify nat settings: name, interfaces with range, and global range for nat
+### WARNING : "interface_ip_to_nat' MUST contain /24 ranges, and ip_sources MUST
+### contain /16 range
+
+nat = [
+ {
+ 'name' : 'Wifi',
+ 'interfaces_ip_to_nat' : {
+ 'ens19' : '45.66.109.0/24',
+ },
+ 'ip_sources' : '10.{{ subnet_ids.users_wifi }}.0.0/16',
+ 'extra_nat' : {}
+ },
+ {
+ 'name' : 'Filaire',
+ 'interfaces_ip_to_nat' : {
+ 'ens19' : '45.66.108.0/24',
+ },
+ 'ip_sources' : '10.{{ subnet_ids.users_wired }}.0.0/16',
+ 'extra_nat' : {
+ '10.129.{{ apartment_block_id }}.240' : '45.66.108.25{{ apartment_block_id }}'
+ }
+ }
+]
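Review bot: `'45.66.108.25{{ apartment_block_id }}'` in the `Filaire` `extra_nat` entry builds the last octet by text concatenation, which only gives a usable address for small single-digit ids: id 5 (georgesand in this commit) renders `45.66.108.255`, the broadcast address of the `/24` the comment above requires, and any id of 6 or more renders an octet above 255 or a five-digit octet. State the assumption in a comment such as `# NOTE: public NAT address is 45.66.108.25<id>; only valid for apartment_block_id 1-4` and guard it with an `assert` task in the role, or compute the host part with Jinja arithmetic plus a range check. The `### WARNING` comment also names the key as `"interface_ip_to_nat'` with mismatched quotes while the dict key is `interfaces_ip_to_nat`. Separately, the template reads `subnet_ids.users_wifi` and `subnet_ids.users_wired`, which the new `group_vars/georgesand/main.yml` does not define, so rendering fails for any router host that ends up in that group.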
diff --git a/group_vars/dhcp/vars.yml b/roles/isc-dhcp-server/vars/main.yml
similarity index 100%
rename from group_vars/dhcp/vars.yml
rename to roles/isc-dhcp-server/vars/main.yml