authorChristian Pointner <equinox@spreadspace.org>2022-11-20 23:30:00 +0100
committerChristian Pointner <equinox@spreadspace.org>2022-11-20 23:30:00 +0100
commit0f6cabbae37d2750a1841d2e1abd07eca064af29 (patch)
treef20a721e510a85da81428b2f7d9f46ae51614b05 /inventory/host_vars/ch-router.yml
parentwireguard roles: some more cleanups and fixes (diff)
add wireguard-based remote vpn connections to ch-(pan|mimas)
Diffstat (limited to 'inventory/host_vars/ch-router.yml')
-rw-r--r--inventory/host_vars/ch-router.yml19
1 files changed, 10 insertions, 9 deletions
diff --git a/inventory/host_vars/ch-router.yml b/inventory/host_vars/ch-router.yml
index 794ae485..ce4ed984 100644
--- a/inventory/host_vars/ch-router.yml
+++ b/inventory/host_vars/ch-router.yml
@@ -163,8 +163,9 @@ openwrt_mixin:
define prefix_mgmt = {{ network_zones.mgmt.prefix }}
define prefix_openvpn = 192.168.8.0/24
define prefix_remote = 192.168.51.0/24
+ define prefix_svc = {{ network_zones.svc.prefix }}
define prefixes_internal = { {{ network_zones.svc.prefix }}, {{ network_zones.lan.prefix }} }
-
+ define ip_prometheus_legacy = {{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }}
table inet global {
## INPUT
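Review bot: The new `define prefix_svc` on the added line duplicates the `{{ network_zones.svc.prefix }}` expansion that `prefixes_internal` still inlines on the line below it, so the two can drift if one is edited without the other. Since nftables accepts symbols inside set literals, `define prefixes_internal = { $prefix_svc, {{ network_zones.lan.prefix }} }` would keep a single source for the svc prefix. The `ip_prometheus_legacy` define is fine, but a short comment naming why that single LAN host is reachable from the remote zone (it is the only non-svc address exposed in the forward rules) would help the next reader; the hunk header also counts one more context line than is visible here, so a blank line was probably dropped in rendering.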
@@ -213,8 +214,8 @@ openwrt_mixin:
iif $nic_internal ip saddr $prefixes_internal oif $nic_magenta accept
iif $nic_internal ip saddr $prefixes_internal oifname $nic_openvpn ip daddr $prefix_openvpn accept
iifname $nic_openvpn ip saddr $prefix_openvpn oif $nic_internal ip daddr $prefixes_internal accept
- iif $nic_internal ip saddr $prefixes_internal oifname $nic_remote ip daddr $prefix_remote accept
- iifname $nic_remote ip saddr $prefix_remote oif $nic_internal ip daddr $prefixes_internal accept ## TODO: review allowed connections
+ iif $nic_internal ip saddr { $prefix_svc, $ip_prometheus_legacy } oifname $nic_remote ip daddr $prefix_remote accept
+ iifname $nic_remote ip saddr $prefix_remote oif $nic_internal ip daddr { $prefix_svc, $ip_prometheus_legacy } accept
{% for name, svc in network_services.items() %}
iif $nic_magenta oif $nic_internal ip daddr {{ svc.addr }} tcp dport { {{ svc.ports | join(', ') }} } accept comment "Service: {{ name }}"
{% endfor %}
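Review bot: The replacement rule for `iifname $nic_remote ... oif $nic_internal` still accepts any protocol and port from `$prefix_remote` into `$prefix_svc` and the prometheus-legacy host, and the `## TODO: review allowed connections` marker that flagged exactly this was removed without a note on what was decided. The destination narrowing is a clear improvement, but if the remote peers only ever answer connections opened from the svc zone (scrapes, management), adding `ct state established,related` to that rule would turn it into a reply-only path; if they do initiate connections, a comment stating which services they need would serve in place of the dropped TODO. I cannot see whether an earlier rule in this forward chain already handles established state, so treat the `ct state` suggestion as something to confirm against the full ruleset; the surrounding `table inet global` block starts and ends outside the hunk.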
@@ -362,24 +363,24 @@ openwrt_uci:
- "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets[inventory_hostname]) }}"
nohostroute: 1
- - name: wireguard_remote 'ch-pan'
+ - name: wireguard_remote 'pan'
options:
- public_key: "" ## TODO
+ public_key: "sd/OqiO0hktuJ3FvIBnM8RJpqG0lkN7wWJjdKbU1TSw="
# preshared_key: ""
endpoint_host: "{{ hostvars['ch-pan'].network.primary.address | ansible.utils.ipaddr('address') }}"
endpoint_port: 51820
allowed_ips:
- - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-pan']) }}"
+ - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-pan']) | ansible.utils.ipaddr('address') }}"
persistent_keepalive: 60
- - name: wireguard_remote 'ch-mimas'
+ - name: wireguard_remote 'mimas'
options:
- public_key: "" ## TODO
+ public_key: "ZpvJ3Myn/FSJTqsEkNB5AQaVAuTqfFFCAqLomkeZV3g="
# preshared_key: ""
endpoint_host: "{{ hostvars['ch-mimas'].external_ip }}"
endpoint_port: 51820
allowed_ips:
- - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-mimas']) }}"
+ - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-mimas']) | ansible.utils.ipaddr('address') }}"
persistent_keepalive: 60
sqm: