authorChristian Pointner <equinox@spreadspace.org>2020-02-29 04:55:38 +0100
committerChristian Pointner <equinox@spreadspace.org>2020-02-29 04:55:38 +0100
commitb399a54c2363ff717b1a92732e42e82f73cd958d (patch)
tree74bbcc77e0e14277f3bcbfe6ee6a5bb4413df8a0
parentele-media fix firewall rules (ssh port) (diff)
prepare wireguard tunnel for emc
-rw-r--r--dan/host_vars/ele-gwhetzner.yml21
-rw-r--r--dan/host_vars/ele-router.yml10
-rw-r--r--inventory/group_vars/elevate-festival/main.yml28
-rw-r--r--inventory/host_vars/ele-gwhetzner.yml22
-rw-r--r--inventory/host_vars/ele-router.yml10
5 files changed, 77 insertions, 14 deletions
diff --git a/dan/host_vars/ele-gwhetzner.yml b/dan/host_vars/ele-gwhetzner.yml
index 4fc98f53..a2b6d67a 100644
--- a/dan/host_vars/ele-gwhetzner.yml
+++ b/dan/host_vars/ele-gwhetzner.yml
@@ -1,10 +1,13 @@
$ANSIBLE_VAULT;1.2;AES256;dan
-62393830326163353339343132303631303230383938316134343732313339346532383339323064
-3361613830343332303664393438633161326233303537630a353465313033386630663731363865
-63346563343632366639323165663331393335356266383533316165356335356132343534623934
-6336396437393931350a303737353861613264303733363662336461386666376531356538356563
-35383636343538316337313132326566326564386131376563666235396235393236643366613232
-66366530653965336265623636616233643738373465386331626330396563303134313061653838
-37303039343364376633373931663031383638326132616336623636306162373462653138666464
-39623737613464313432326131666135353261333864323436353130626636393764393433326166
-3133
+63613763393832643163353733663563356666323338356338323465626566383934623265316335
+3931633335623561653232363531303533353363393030300a353732336235323137643937313939
+62396430653465366139623464633632366331623738376262323932316632633431393561633464
+3863383033633766630a373737373937646563653632613035303261376163376365396237623538
+36643138353435656265303639663035326330626534326264306263353663656231653362626235
+61613337303863336664303266303831366135376264336239353565633739636136356263636539
+32666637613536613036316636656134666261333561313230613136313939396636303064633731
+35386232386235666264326239353736303163643264313737613436356265366366613031393439
+36643038353862323361613138363165323431656132396638346539643932623663303366333365
+62353865356537333263393566623762666563333131323664346462306532613263323263643837
+61643265666366393237626266316439356331333438646462643730353137333433623031306631
+38326131363565326232
diff --git a/dan/host_vars/ele-router.yml b/dan/host_vars/ele-router.yml
new file mode 100644
index 00000000..2730423b
--- /dev/null
+++ b/dan/host_vars/ele-router.yml
@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.2;AES256;dan
+39333736323632303766653165323636316234343764663335303762663366626362303131376536
+3938396235396230633731613838363931323339633235360a636130306165643239333531613939
+35353134393133366236383465653161646464366539366136303833656433393332633137333766
+3730353830613236360a653135653266616638656565323230306566646465666339366361663635
+35383031326436623030633566636163343764353435376633313937363265396534356562666330
+65303234306463383538333462363166323761333433613765366163366265333035383162663061
+39626436643839343561663166646539343135363163346338313964623038376463613762343338
+31316139313531303965326635663962303864386561333864356435383463623235663862346632
+3463
diff --git a/inventory/group_vars/elevate-festival/main.yml b/inventory/group_vars/elevate-festival/main.yml
index 013aef69..30d9ee4a 100644
--- a/inventory/group_vars/elevate-festival/main.yml
+++ b/inventory/group_vars/elevate-festival/main.yml
@@ -20,11 +20,26 @@ network_zones:
datacop: 249
equinox-t450s: 250
ele-laptop: 251
+ ele-router: 254
wifi:
ssid: "elevate Staff"
encryption: "psk2"
key: "{{ vault_wifi_keys.lan }}"
+ emc:
+ vlan: 20
+ prefix: 192.168.20.0/24
+ gateway: 192.168.20.254
+ dns:
+ - 192.168.20.254
+ dhcp:
+ start: 1
+ limit: 199
+ offsets:
+ equinox-t450s: 250
+ ele-laptop: 251
+ ele-router: 254
+
guest:
vlan: 23
prefix: 192.168.23.0/24
@@ -35,6 +50,9 @@ network_zones:
start: 1
limit: 250
leasetime: 2h
+ offsets:
+ equinox-t450s: 250
+ ele-router: 254
wifi:
ssid: "elevate Public"
encryption: "psk2"
@@ -107,6 +125,9 @@ network_zones:
mixer:
vlan: 48
prefix: 192.168.48.0/24
+ gateway: 192.168.48.254
+ dns:
+ - 192.168.48.254
offsets:
kuschelbaer: 48
atem-datacop: 90
@@ -121,9 +142,7 @@ network_zones:
x32core: 216
datacop: 249
equinox-t450s: 250
- gateway: 192.168.48.254
- dns:
- - 192.168.48.254
+ ele-router: 254
infoscreens:
vlan: 73
@@ -134,6 +153,9 @@ network_zones:
dhcp:
start: 100
limit: 199
+ offsets:
+ equinox-t450s: 250
+ ele-router: 254
wifi:
ssid: "elevate Infoscreens"
encryption: "psk2"
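Review bot: The new `offsets` block in the guest zone (hunk `@@ -35,6 +50,9 @@`) places equinox-t450s at host 250 while that zone's pool is `start: 1` / `limit: 250`; if the consuming role passes these through as OpenWrt/dnsmasq start and limit values, the pool covers .1–.250 and the static offset lands on its last address, so a lease and the static host can collide. The emc zone added in the first hunk uses `limit: 199` with the same offsets and has no such overlap, so either `limit: 249` for guest or confirming that the role excludes offsets from the pool would settle it; I cannot see how the role consumes these keys, so this is inferred from the visible values only. A short comment on the new `emc:` zone, e.g. `# emc: Elevate Media Channel, routed to ele-gwhetzner over the wg-emc tunnel`, would also help, since the zone is otherwise defined only by its numbers.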
diff --git a/inventory/host_vars/ele-gwhetzner.yml b/inventory/host_vars/ele-gwhetzner.yml
index f68ff783..3575c943 100644
--- a/inventory/host_vars/ele-gwhetzner.yml
+++ b/inventory/host_vars/ele-gwhetzner.yml
@@ -37,6 +37,9 @@ wireguard_keys:
elemedia:
pub: "1GdTR5ehIcSVvwdWWsKitRjzcm1gY3Z9ASzJAuN7VH0="
priv: "{{ vault_wireguard_priv_keys.elemedia }}"
+ emc:
+ pub: "xgBLLDTRrVxUG0BEr0gNQ6ofkXSRDQR7OXilxCCwtxs="
+ priv: "{{ vault_wireguard_priv_keys.elemedia }}"
wireguard_gateway_tunnels:
wg-elemedia:
@@ -52,7 +55,26 @@ wireguard_gateway_tunnels:
tcp_ports:
80: 192.168.254.2:80
443: 192.168.254.2:443
+ 322: 192.168.254.2:222
peers:
- pub_key: "{{ hostvars['ele-media'].wireguard_keys.gwhetzner.pub }}"
allowed_ips:
- 192.168.254.2/32
+ wg-emc:
+ description: Elevate Media Channel
+ priv_key: "{{ wireguard_keys.emc.priv }}"
+ listen_port: 51821
+ addresses:
+ - 192.168.254.5/30
+ ip_snat:
+ interface: "{{ network.primary.interface }}"
+ to: "{{ network.primary.overlay }}"
+ port_forwardings:
+ - dest: "{{ network.primary.overlay }}"
+ tcp_ports:
+ 422: 192.168.254.6:222
+ peers:
+ - pub_key: "{{ hostvars['ele-router'].wireguard_keys.gwhetzner.pub }}"
+ allowed_ips:
+ - 192.168.254.6/32
+ - 192.168.20.0/24
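Review bot: The new `emc` entry under `wireguard_keys` (hunk `@@ -37,6 +37,9 @@`) pairs a new public key with `priv: "{{ vault_wireguard_priv_keys.elemedia }}"`, the same vault private key the `elemedia` entry uses, which looks like a copy-paste slip; a private key corresponds to exactly one public key, so either the pub value or the priv reference is wrong, and the wg-emc tunnel defined in the second hunk (`priv_key: "{{ wireguard_keys.emc.priv }}"`) would not complete handshakes with ele-router. The vault file for this host also grows in this commit, which suggests an `emc` entry was added to it; if so the line should read `priv: "{{ vault_wireguard_priv_keys.emc }}"`. Keeping each tunnel on its own key pair also keeps the two tunnels independent should one key ever need rotating.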
diff --git a/inventory/host_vars/ele-router.yml b/inventory/host_vars/ele-router.yml
index 4a552d7f..72cb2b14 100644
--- a/inventory/host_vars/ele-router.yml
+++ b/inventory/host_vars/ele-router.yml
@@ -1,4 +1,10 @@
---
+wireguard_keys:
+ gwhetzner:
+ pub: "fqaKDJbSj6V0H98d78d/lnFLolefgp6zDPH9bN4+zUY="
+ priv: "{{ vault_wireguard_priv_keys.gwhetzner }}"
+
+
network_mgmt_zone: "{{ network_zones.mgmt }}"
network_internal_zone_names:
- lan
@@ -12,7 +18,7 @@ openwrt_network_external:
options:
device: 'switch0'
## for some reason vlan-id 502 does not work. why??
- vlan: '{{ network_zones.forum_a1.vlan }}'
+ #vlan: '{{ network_zones.forum_a1.vlan }}'
vlan: '1'
ports: '4 6t'
@@ -49,7 +55,7 @@ openwrt_network_external:
- name: interface 'wanff'
options:
## for some reason vlan-id 502 does not work. why??
- #fname: 'eth0.{{ network_zones.funkfeuer.vlan }}'
+ #ifname: 'eth0.{{ network_zones.funkfeuer.vlan }}'
ifname: 'eth0.2'
proto: static
ipaddr: "{{ network_zones.funkfeuer.prefix | ipaddr(network_zones.funkfeuer.offsets[inventory_hostname]) | ipaddr('address') }}"
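Review bot: The new `wireguard_keys` block in the first hunk (`@@ -1,4 +1,10 @@`) is followed by two consecutive blank lines before `network_mgmt_zone:`, while the rest of the file uses single blank lines; collapsing them to one keeps the file consistent. The key name `gwhetzner` matches the lookup `hostvars['ele-router'].wireguard_keys.gwhetzner.pub` used on the gateway side, and the private key stays behind a vault reference, which is the right shape. The comment `## for some reason vlan-id 502 does not work. why??` now sits above both the commented-out forum_a1 vlan line and the funkfeuer ifname line; if only one of those zones actually uses 502, the other copy is misleading and would be worth rewording to name the zone it describes.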