add wireguard-based remote vpn connections to ch-(pan|mimas)

1 files changed, 23 insertions, 0 deletions

diff --git a/inventory/host_vars/ch-mimas.yml b/inventory/host_vars/ch-mimas.yml
index 2bafafe1..32db8f65 100644
--- a/inventory/host_vars/ch-mimas.yml
+++ b/inventory/host_vars/ch-mimas.yml
@@ -47,6 +47,29 @@ zfs_sanoid_modules:
     process_children_only: yes
 
 
+wireguard_p2p_interface:
+  name: remote0
+  description: connection to chaos-at-home internal services
+  listen_port: 51820
+  addresses:
+  - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets[inventory_hostname]) }}"
+  static_routes:
+  - dest: "{{ network_zones.svc.prefix }}"
+    gw: "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-router']) | ansible.utils.ipaddr('address') }}"
+  - dest: "{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }}/32"
+    gw: "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-router']) | ansible.utils.ipaddr('address') }}"
+
+wireguard_p2p_peers:
+  - pub_key: "9pUDet+les5aI9UnHHVgyw95hNBxlAX8DBCxTjigpEI="
+    endpoint:
+      host: "{{ network_zones.magenta.prefix | ansible.utils.ipaddr(network_zones.magenta.offsets['ch-router']) | ansible.utils.ipaddr('address') }}"
+      port: 51820
+    allowed_ips:
+    - "{{ network_zones.remote.prefix }}"
+    - "{{ network_zones.svc.prefix }}"
+    - "{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }}/32"
+
+
 bind_option_empty_zones_enable: no
 bind_option_allow_transfer: []
 bind_option_allow_recursion: