From 76704b13eba225f323e139769b54b9cfb6ffa6c0 Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Thu, 6 Apr 2023 22:01:42 +0200
Subject: [PATCH] add wg interface to access postgres

---
 configure/ansible.cfg | 1 +
 configure/atlas.yml | 5 +++--
 configure/inventory/host_vars/atlas.yml | 15 +++++++++++++++
 configure/util/secret-service-client.sh | 9 +++++++++
 4 files changed, 28 insertions(+), 2 deletions(-)
 create mode 100755 configure/util/secret-service-client.sh

diff --git a/configure/ansible.cfg b/configure/ansible.cfg
index 1c0815a..0f3551c 100644
--- a/configure/ansible.cfg
+++ b/configure/ansible.cfg
@@ -1,6 +1,7 @@
 [defaults]
 inventory=inventory
 interpreter_python=/usr/bin/python3
+vault_password_file=util/secret-service-client.sh
 
 [diff]
 always = True
diff --git a/configure/atlas.yml b/configure/atlas.yml
index e5202a2..0345988 100644
--- a/configure/atlas.yml
+++ b/configure/atlas.yml
@@ -71,12 +71,11 @@
 databases: all
 method: trust
 users: terraform
- address: "{{ item }}"
+ address: "10.42.0.0/24"
 create: true
 become: true
 become_user: postgres
 notify: restart postgres
- with_items: ["192.168.0.0/16", "10.0.0.0/8"]
 - name: Open postgres port
 ini_file:
 path: /etc/postgresql/15/main/postgresql.conf
@@ -89,3 +88,5 @@
 src: dmz.conf
 dest: /etc/network/interfaces.d/dmz.conf
 notify: enable interfaces
+ roles:
+ - githubixx.ansible_role_wireguard
diff --git a/configure/inventory/host_vars/atlas.yml b/configure/inventory/host_vars/atlas.yml
index 7277b1f..ec99d6a 100644
--- a/configure/inventory/host_vars/atlas.yml
+++ b/configure/inventory/host_vars/atlas.yml
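Review bot: The new `address: "10.42.0.0/24"` line keeps the rule's `method: trust`, so any host that can present a source address in that /24 over the tunnel connects as `terraform` with no credential at all; the only peer defined in the host_vars hunk of this commit is `allowed_ips: "10.42.0.2/32"`, so the rule is wider than the one client it is meant for. Narrow it to match the peer, `address: "10.42.0.2/32"`, or switch the method to `scram-sha-256` if more tunnel peers are expected later. WireGuard's cryptokey routing presumably limits what a peer can source to its allowed_ips, which would contain the exposure, but a pg_hba rule should not rely on that. The task's name and module line start above the hunk, so I cannot see whether the listen_addresses change in the following task is similarly scoped.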
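Review bot: The added `roles:` block sits below the play's `tasks:`, but Ansible runs a play's roles before its tasks regardless of key order, so the WireGuard role is applied before the pg_hba task edited earlier in this file; that is the ordering the pg_hba rule depends on, yet a reader of the file will assume the reverse. Assuming `roles:` is at play level as the indentation suggests (the play header is outside the hunk), move it above `tasks:` or add the comment `# roles run before tasks: the wg interface exists before pg_hba is edited` so the dependency is explicit.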
@@ -1 +1,16 @@
 storage_pools: [iso, disk, init]
+wireguard_addresses:
+ - "10.42.0.1/32"
+wireguard_endpoint: "atlas.lan"
+wireguard_private_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 65666463346536363662353234666662376330396365656361636530663032366436653336383134
+ 6463636362636530316434626561623866306165313638330a633761626361393963303933313738
+ 30336535333761393663396534373363333465306232343238666538383039636138393661373839
+ 3935626664326237310a386337306364663463663764376631336431363062656137376635366361
+ 35393135626261626565333261316363633838353833666163666132363462636431626234383864
+ 3039633631356339663234656233343635653236356235623532
+wireguard_unmanaged_peers:
+ pim:
+ public_key: "xQ1hkwpIf5x7Wkx1leQHXx3RK8fjGWt2ZmG9XUN3V08="
+ allowed_ips: "10.42.0.2/32"
diff --git a/configure/util/secret-service-client.sh b/configure/util/secret-service-client.sh
new file mode 100755
index 0000000..32d82a6
--- /dev/null
+++ b/configure/util/secret-service-client.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+pass=`secret-tool lookup ansible_vault atlas`
+retval=$?
+
+if [ $retval -ne 0 ]; then
+ read -s pass
+fi
+echo $pass
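Review bot: The final `echo $pass` hands the vault password to the shell unquoted, so it is word-split and glob-expanded, and a password beginning with `-n` or `-e` is eaten as an echo option; the fallback `read -s pass` also has no `-r`, so backslashes in a typed password are mangled, and when the lookup fails and the read yields nothing the script still exits 0 with an empty line, which makes the vault failure show up as a bad-password error rather than as a missing secret. Since ansible.cfg in this commit now points `vault_password_file` at this script, every playbook run goes through it, so it is worth tightening: use `$(...)` instead of backticks, emit with `printf '%s\n' "$pass"`, prompt with `read -rs` from the terminal, and exit non-zero on an empty result. The `read ... < /dev/tty` below assumes a terminal is available to the script; if Ansible is ever run non-interactively that line will fail and the script will exit 1, which is the desired outcome.

```shell
#!/bin/bash
# Vault password source: the "ansible_vault atlas" item in the Secret Service
# keyring, with an interactive prompt as fallback. Only the password goes to stdout.

pass=$(secret-tool lookup ansible_vault atlas)
if [ $? -ne 0 ] || [ -z "$pass" ]; then
  # -r keeps backslashes literal; the prompt goes to stderr, not into the password stream
  read -rs -p 'Vault password: ' pass < /dev/tty || exit 1
fi

# An empty password is a configuration error, not something vault should try to use
[ -n "$pass" ] || exit 1
printf '%s\n' "$pass"
```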