add wireguard-based remote vpn connections to ch-(pan|mimas)

1 files changed, 23 insertions, 0 deletions

diff --git a/inventory/host_vars/ch-pan.yml b/inventory/host_vars/ch-pan.yml
index 9f18ed93..5beabb31 100644
--- a/inventory/host_vars/ch-pan.yml
+++ b/inventory/host_vars/ch-pan.yml
@@ -41,6 +41,29 @@ sshd_allowusers_host: "{{ admin_users_host + ['dyndns'] }}"
 ntp_variant: systemd-timesyncd
 
 
+wireguard_p2p_interface:
+  name: remote0
+  description: connection to chaos-at-home internal services
+  listen_port: 51820
+  addresses:
+  - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets[inventory_hostname]) }}"
+  static_routes:
+  - dest: "{{ network_zones.svc.prefix }}"
+    gw: "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-router']) | ansible.utils.ipaddr('address') }}"
+  - dest: "{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }}/32"
+    gw: "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-router']) | ansible.utils.ipaddr('address') }}"
+
+wireguard_p2p_peers:
+  - pub_key: "9pUDet+les5aI9UnHHVgyw95hNBxlAX8DBCxTjigpEI="
+    endpoint:
+      host: "{{ network_zones.magenta.prefix | ansible.utils.ipaddr(network_zones.magenta.offsets['ch-router']) | ansible.utils.ipaddr('address') }}"
+      port: 51820
+    allowed_ips:
+    - "{{ network_zones.remote.prefix }}"
+    - "{{ network_zones.svc.prefix }}"
+    - "{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }}/32"
+
+
 nginx_server_names_hash_bucket_size: 64
 acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"