ansible/config/common.yaml

@@ -16,65 +16,59 @@ ospf:
 
 routers:
   "rtr1nlams1":
-    fqdn: rtr1.nlams1.as205079.net
+    fqdn: rtr1nlams1.as205079.net
     ipv4: 94.142.240.55
     ipv6: 2001:678:10ec:2201::1
-    gre_mtu: 1476
+    wg_ll: "fe80::2050:79:2"
-    gre_ll: "fe80::2050:79:2"
+    wg_pubkey: "xM7LBgiO6oDFqaUmCSStULYYUjG+XSMcNEefQnvLh3o="
-    site_name: "NLAMS1"
+    site_id: "02"
-    site_id: 2
+    rtr_id: "1"
-    graceful_shutdown: false
-    maintenance_mode: false
   "rtr1nlape1":
-    fqdn: rtr1.nlape1.as205079.net
+    fqdn: rtr1nlape1.as205079.net
     ipv4: 194.28.98.155
     ipv6: 2001:678:10ec:3201::1
-    gre_mtu: 1476
+    wg_ll: "fe80::2050:79:3"
-    gre_ll: "fe80::2050:79:3"
+    wg_pubkey: "OigyZlXZ72Z07pqcFSZKxm6VG4+h9XylblSvwNQB2Cc="
-    site_name: "NLAPE1"
+    site_id: "03"
-    site_id: 3
+    rtr_id: "1"
-    graceful_shutdown: false
-    maintenance_mode: false
   "rtr1nlwie1":
-    fqdn: rtr1.nlwie1.as205079.net
+    fqdn: rtr1nlwie1.as205079.net
     pub_ipv4: 86.94.191.237
     ipv4: 10.20.10.23 # router is behind NAT
     ipv6: 2001:678:10ec:1201::1
-    gre_mtu: 1468
+    wg_ll: "fe80::2050:79:1"
-    gre_ll: "fe80::2050:79:1"
+    wg_pubkey: "lsfXc9anjxMxdkP1vsRvBCR4SKIf8MMYT6kLrQFaq3Y="
-    site_name: "NLWIE1"
+    site_id: "01"
-    site_id: 1
+    rtr_id: "1"
-    graceful_shutdown: false
-    maintenance_mode: false
 
 ixp_map:
   bgpexch_amsterdam:
     pdb_id: 3822
     ipv6_prefix: 2a0e:8f01:1000:11::/64
     present_on:
-      - rtr1.nlape1
+      - rtr1nlape1
   bgpexch_berlin:
     pdb_id: 4842
     ipv6_prefix: 2a0e:8f01:1000:13::/64
     present_on:
-      - rtr1.nlape1
+      - rtr1nlape1
   bgpexch_dusseldorf:
     pdb_id: 3844
     ipv6_prefix: 2a0e:8f01:1000:46::/64
     present_on:
-      - rtr1.nlape1
+      - rtr1nlape1
   bgpexch_frankfurt:
     pdb_id: 3829
     ipv6_prefix: 2a0e:8f01:1000:24::/64
     present_on:
-      - rtr1.nlape1
+      - rtr1nlape1
   bgpexch_london:
     pdb_id: 3821
     ipv6_prefix: 2a0e:8f01:1000:10::/64
     present_on:
-      - rtr1.nlape1
+      - rtr1nlape1
   locix:
     pdb_id: 2601
     ipv6_prefix: 2a0c:b641:700::/64
     present_on:
-      - rtr1.nlape1
+      - rtr1nlape1

ansible/config/rtr1.nlams1.as205079.net.yaml

@@ -16,27 +16,10 @@ routes:
     - "2001:678:10ec::/48" # My space
     - "2a02:898:424::/48" # ColoClue space
 
-# gre:
-#   tunnels:
-#     - name: "INT-RTR1NLAPE1"
-#       remote_endpoint: 194.28.98.155
-#       local_endpoint: 94.142.240.55
-#       local_ipv6: 2001:678:10ec:20e::1/64
-#       ttl: 255
-#       mtu: 1476
-#     - name: "INT-RTR1NLWIE1"
-#       remote_endpoint: 86.94.191.237
-#       local_endpoint: 94.142.240.55
-#       local_ipv6: 2001:678:10ec:20d::1/64
-#       ttl: 255
-#       mtu: 1468
-
 interfaces:
   - nic: "loop0"
     description: "Loopback interface"
     stub: true
-  - nic: "int-rtr1nlape1"
-  - nic: "int-rtr1nlwie1"
   - nic: "vmbr1"
     description: "NLAMS1 Servers"
     stub: true
@@ -68,8 +51,3 @@ peers:
     import: "RIPE::AS212855:AS-LUJE"
     export: "RIPE::AS205079:AS-MANS"
     peer_ipv6: "2a02:898:0:20::427:1"
-internal_peers:
-  - name: "RTR1APE1"
-    ip: "2001:678:10ec:3201::1"
-  - name: "RTR1WIE1"
-    ip: "2001:678:10ec:1201::1"

ansible/config/rtr1.nlape1.as205079.net.yaml

@@ -13,18 +13,6 @@ routes:
 
 gre:
   tunnels:
-    # - name: "INT-RTR1NLWIE1"
-    #   remote_endpoint: 86.94.191.237
-    #   local_endpoint: 194.28.98.155
-    #   local_ipv6: 2001:678:10ec:20f:0:0:0:1/112
-    #   ttl: 255
-    #   mtu: 1468
-    # - name: "INT-RTR1NLAMS1"
-    #   remote_endpoint: 94.142.240.55
-    #   local_endpoint: 194.28.98.155
-    #   local_ipv6: 2001:678:10ec:20e::2/64
-    #   ttl: 255
-    #   mtu: 1476
     - name: "ROUTE64-AMS1"
       remote_endpoint: 118.91.187.67
       local_endpoint: 194.28.98.155
@@ -90,8 +78,6 @@ interfaces:
   - nic: "ens19"
     description: "To Loc-IX"
     stub: true
-  - nic: "int-rtr1nlwie1"
-  - nic: "int-rtr1nlams1"
 
 rpki:
   run_routinator: true
@@ -121,12 +107,6 @@ transits:
   #   asn: 212895
   #   peer_ipv6: "2a11:6c7:f00:1be::1"
 
-internal_peers:
-  - name: "RTR1WIE1"
-    ip: "2001:678:10ec:1201::1"
-  - name: "RTR1AMS1"
-    ip: "2001:678:10ec:2201::1"
-
 peers:
   # LocIX route servers
   - name: "locix_rs_1"

ansible/config/rtr1.nlwie1.as205079.net.yaml

@@ -11,21 +11,6 @@ routes:
   6:
     - "2001:678:10ec::/48"
 
-# gre:
-#   tunnels: 
-#     - name: "INT-RTR1NLAPE1"
-#       remote_endpoint: 194.28.98.155
-#       local_endpoint: 10.20.10.23
-#       local_ipv6: 2001:678:10ec:20f:0:0:0:2/112
-#       ttl: 255
-#       mtu: 1468
-#     - name: "INT-RTR1NLAMS1"
-#       remote_endpoint: 94.142.240.55
-#       local_endpoint: 10.20.10.23
-#       local_ipv6: 2001:678:10ec:20d::2/64
-#       ttl: 255
-#       mtu: 1468
-
 interfaces:
   - nic: "loop0"
     description: "Loopback interface"
@@ -35,18 +20,10 @@ interfaces:
   - nic: "eth1"
     description: "nlwie1 servers"
     stub: true
-  - nic: "int-rtr1nlape1"
-  - nic: "int-rtr1nlams1"
   - nic: "wg0"
     description: "wireguard remote"
     stub: true
 
-internal_peers:
-  - name: "RTR1APE1"
-    ip: "2001:678:10ec:3201::1"
-  - name: "RTR1AMS1"
-    ip: "2001:678:10ec:2201::1"
-
 lg:
   version: 0.1.4
   agent:

ansible/playbook.yaml

@@ -8,7 +8,8 @@
     # - base
     # - sysctl
     # - dummy-interfaces
-    - gre
+    - wireguard
+    # - gre
     # - routinator
     - bird2
     # - lg-backend

ansible/roles/bird2/templates/bird.conf.j2

@@ -415,6 +415,17 @@ protocol ospf v3 {
     export none; # do not export anything to ospf, ospf will figure things out itself
   };
   area 0.0.0.0 {
+
+{% for router in routers if not router == shortname %}
+    interface "int-{{ router }}" {
+      cost {{ ospf.default_cost }};
+      type pointopoint;
+      neighbors {
+        {{ routers[router]['wg_ll'] }};
+      };
+    };
+{% endfor %}
+
 {% for interface in interfaces %}
 {% if 'description' in interface %}
     # desc: {{ interface.description }}
@@ -435,6 +446,7 @@ protocol ospf v3 {
 {% endif %}
     };
 {% endfor %}
+
   };
 }
 
@@ -464,13 +476,11 @@ template bgp peer {
 ### END TEMPLATES ###
 
 ### START INTERNAL PEERS ###
-{% if internal_peers is defined and internal_peers | length > 0 %}
+{% for router in routers if not router == shortname %}
-{% for peer in internal_peers | sort(attribute='name') %}
+protocol bgp 'int_{{ router }}' from internal_peer {
-protocol bgp 'internal_{{ peer.name }}' from internal_peer {
+  neighbor {{ routers[router]['ipv6'] }} as {{ asn }};
-  neighbor {{ peer.ip }} as {{ asn }};
 }
 {% endfor %}
-{% endif %}
 ### END INTERNAL PEERS ###
 
 ### START TRANSITS ###

ansible/roles/gre/tasks/main.yaml

@@ -1,10 +1,10 @@
-- name: "Ensure internal gre interfaces are present"
+# - name: "Ensure internal gre interfaces are present"
-  ansible.builtin.template:
+#   ansible.builtin.template:
-    src: internal_gre_interfaces.j2
+#     src: internal_gre_interfaces.j2
-    dest: /etc/network/interfaces.d/internal_gre_interfaces
+#     dest: /etc/network/interfaces.d/internal_gre_interfaces
-    mode: "0644"
+#     mode: "0644"
-  notify:
+#   notify:
-    - "Reload networking"
+#     - "Reload networking"
 
 - name: "Ensure extra gre interfaces are present"
   ansible.builtin.template:

ansible/roles/wireguard/handlers/main.yaml

@@ -0,0 +1,5 @@
+- name: "Reload networking"
+  ansible.builtin.command:
+    cmd: "ifreload -a"
+  register: ifreload_result
+  changed_when: ifreload_result.stdout != "" and "Reloading" in ifreload_result.stdout

ansible/roles/wireguard/tasks/main.yaml

@@ -0,0 +1,47 @@
+- name: "Ensure wireguard is installed"
+  ansible.builtin.apt:
+    update_cache: true
+    name:
+      - wireguard
+
+- name: "Ensure /etc/wireguard directory exists"
+  ansible.builtin.file:
+    path: "/etc/wireguard/"
+    state: directory
+    owner: root
+    group: root
+    mode: '0750'
+
+- name: "Ensure wireguard private key is present"
+  ansible.builtin.shell:
+    cmd: "wg genkey > /etc/wireguard/privatekey"
+    creates: "/etc/wireguard/privatekey"
+
+- name: "Ensure proper permissions are set on wireguard private key"
+  ansible.builtin.file:
+    path: "/etc/wireguard/privatekey"
+    mode: '0640'
+    owner: root
+    group: systemd-network
+
+- name: "Ensure wireguard publickey file exists"
+  ansible.builtin.shell:
+    cmd: "wg pubkey < /etc/wireguard/privatekey > /etc/wireguard/publickey"
+    creates: "/etc/wireguard/publickey"
+
+- name: "Ensure internal wireguard interfaces are present"
+  ansible.builtin.template:
+    src: internal-wg-interface.j2
+    dest: /etc/wireguard/int-{{ item }}.conf
+    mode: "0640"
+  loop: "{{ routers.keys() | list }}"
+  when: item != shortname
+  register: if_changed
+
+- name: "Restart wg-quick units for changed interfaces"
+  ansible.builtin.systemd:
+    name: "wg-quick@int-{{ item.item }}"
+    state: restarted
+    enabled: true
+  loop: "{{ if_changed.results | selectattr('changed') | list }}"
+  when: if_changed is defined and if_changed.results | length > 0

ansible/roles/wireguard/templates/internal-wg-interface.j2

@@ -0,0 +1,12 @@
+[Interface]
+ListenPort = 52{{ routers[item]['site_id'] }}{{ routers[item]['rtr_id'] }}
+Address = {{ routers[shortname]['wg_ll'] }}/64
+Table = off
+MTU = 1500 # We fragment packets, this is intentional
+PostUp = wg set %i private-key /etc/wireguard/privatekey
+
+[Peer]
+PublicKey = {{ routers[item]['wg_pubkey'] }}
+Endpoint = {{ routers[item]['pub_ipv4'] | default(routers[item]['ipv4'] )}}:52{{ routers[shortname]['site_id']}}{{ routers[shortname]['rtr_id']}}
+AllowedIPs = ::/0
+PersistentKeepalive = 30