eae-am-deutschen-platz/playbook_provision_backbone.yml

---
- name: configure tunnel on eae-adp-jump01
  hosts: eae-adp-jump01
  tasks:
    - name: create wg0 interface file
      template:
        src: templates/hostname.wg0
        dest: /etc/hostname.wg0
        mode: 0600
      notify:
        - reload interfaces

    - name: create pf.wg0.conf file
      copy:
        src: files/pf.wg0.conf
        dest: /etc/pf.wg0.conf
        mode: 0600
      notify:
        - reload firewall

    - name: include pf.wg0.conf in pf.include.conf
      lineinfile:
        path: /etc/pf.include.conf
        line: 'include "/etc/pf.wg0.conf"'
      notify:
        - reload firewall

    - name: create ospfd.conf
      copy:
        src: files/ospfd.conf
        dest: /etc/ospfd.conf
        mode: 0600
        validate: "/usr/sbin/ospfd -n -f %s"
      notify:
        - restart ospfd

    - name: enable ospfd
      service:
        name: ospfd
        state: started
        enabled: yes

  handlers:
    - name: reload firewall
      command: pfctl -vf /etc/pf.conf

    - name: reload interfaces
      command: sh /etc/netstart

    - name: restart ospfd
      service:
        name: ospfd
        state: restart

- name: configure tunnel on gw-core01
  hosts: gw-core01
  gather_facts: no
  tasks:
    - name: create wg0 interface
      blockinfile:
        path: /etc/config/network
        content: |
          config interface 'wg0'
            option proto 'wireguard'
            option private_key "{{ lookup('passwordstore', 'wg/wg0/gw-core01') }}"
            option listen_port 51820
            option mtu 1350
            list addresses '10.84.254.1/31'

          config wireguard_wg0 'eap_adp_jump01'
            option public_key "{{ lookup('passwordstore', 'wg/wg0/eae-adp-jump01.pub') }}"
            option preshared_key "{{ lookup('passwordstore', 'wg/wg0/psk') }}"
            option endpoint_host '162.55.53.85'
            option endpoint_port '51820'
            option route_allowed_ips '0'
            option persistent_keepalive 15
            list allowed_ips '0.0.0.0/0'          
      notify:
        - restart network

    - name: configure frr (daemons)
      lineinfile:
        regexp: '^ospfd=.*$'
        line: 'ospfd=yes'
        path: /etc/frr/daemons
      notify:
        - restart frr

    - name: configure frr (frr.conf)
      copy:
        src: files/gw-core01_frr.conf
        dest: /etc/frr/frr.conf
      notify:
        - restart frr

  handlers:
    - name: restart network
      service:
        name: network
        state: restarted

    - name: restart frr
      service:
        name: frr
        state: restarted