aurore-firewall: initial setup

group_vars: add apartment_block_id var
dhcp: move vars to role

group_vars/edc/main.yml

@@ -1,5 +1,6 @@
 ---
 apartment_block: edc
+apartment_block_id: 4
 
 subnet_ids:
   ap: 144

group_vars/fleming/main.yml

@@ -1,5 +1,6 @@
 ---
 apartment_block: fleming
+apartment_block_id: 1
 
 subnet_ids:
   ap: 141

group_vars/georgesand/main.yml

@@ -0,0 +1,3 @@
+---
+apartment_block: gs
+apartment_block_id: 5

group_vars/pacaterie/main.yml

@@ -1,5 +1,6 @@
 ---
 apartment_block: pacaterie
+apartment_block_id: 2
 
 subnet_ids:
   ap: 142

network.yml

@@ -15,12 +15,15 @@
     - isc-dhcp-server
 
 
-
 # Deploy unbound DNS server (recursive).
 - hosts: recursive_dns
   roles:
     - unbound
 
+- hosts: routeur-*.adm.auro.re
+  roles:
+    - aurore-firewall
+
 
 # WIP: Deploy authoritative DNS servers
 # - hosts: authoritative_dns

roles/aurore-firewall/tasks/main.yml

@@ -0,0 +1,18 @@
+---
+- name: Configure aurore-firewall
+  template:
+    src: firewall_config.py
+    dest: /var/local/re2o-services/aurore-firewall/firewall_config.py
+    mode: 0644
+
+- name: Install corresponding re2o service
+  import_role:
+    name: re2o-service
+  vars:
+    service_repo: https://gitlab.federez.net/re2o/aurore-firewall.git
+    service_name: aurore-firewall
+    service_version: master
+    service_config:
+      hostname: re2o.auro.re
+      username: service-user
+      password: "{{ vault_serviceuser_passwd }}"

roles/aurore-firewall/templates/firewall_config.py

@@ -0,0 +1,64 @@
+# -*- mode: python; coding: utf-8 -*-
+# 
+# {{ ansible_managed }}
+# 
+# Re2o est un logiciel d'administration développé initiallement au rezometz. Il
+# se veut agnostique au réseau considéré, de manière à être installable en
+# quelques clics.
+#
+# Copyright © 2017  Gabriel Détraz
+# Copyright © 2017  Goulven Kermarec
+# Copyright © 2017  Augustin Lemesle
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+### Give me a role
+
+role = ['''routeur{{ apartment_block_id }}{{ 'backup' if "backup" in inventory_hostname else '' }}''']
+
+
+### Specify each interface role
+
+interfaces_type = {
+    'routable' : ['ens20', 'ens21'],
+    'sortie' : ['ens19'],
+    'admin' : ['ens18']
+}
+
+
+### Specify nat settings: name, interfaces with range, and global range for nat
+### WARNING : "interface_ip_to_nat' MUST contain /24 ranges, and ip_sources MUST
+### contain /16 range
+
+nat = [
+    {
+        'name' : 'Wifi',
+        'interfaces_ip_to_nat' : {
+            'ens19' : '45.66.109.0/24',
+        },
+        'ip_sources' : '10.{{ subnet_ids.users_wifi }}.0.0/16',
+        'extra_nat' : {}
+    },
+    {
+        'name' : 'Filaire',
+        'interfaces_ip_to_nat' : {
+            'ens19' : '45.66.108.0/24',
+        },
+        'ip_sources' : '10.{{ subnet_ids.users_wired }}.0.0/16',
+        'extra_nat' : {
+            '10.129.{{ apartment_block_id }}.240' : '45.66.108.25{{ apartment_block_id }}'
+        }
+    }
+]