authorChristian Pointner <equinox@spreadspace.org>2023-03-11 02:20:16 +0100
committerChristian Pointner <equinox@spreadspace.org>2023-03-11 02:20:16 +0100
commit85c0af05e5322d9b110379199978d05f011e60b2 (patch)
treec245005b304e669b9efde9f5613aa095a9cd4e67 /inventory/host_vars/ele-router-orpheum.yml
parentele-media: install ntfs and upgrade nextcloud (diff)
ele-router: add openvpn tunnel for mgmt vlan
Diffstat (limited to 'inventory/host_vars/ele-router-orpheum.yml')
-rw-r--r--inventory/host_vars/ele-router-orpheum.yml47
1 files changed, 47 insertions, 0 deletions
diff --git a/inventory/host_vars/ele-router-orpheum.yml b/inventory/host_vars/ele-router-orpheum.yml
index 6dfe2db9..867f29be 100644
--- a/inventory/host_vars/ele-router-orpheum.yml
+++ b/inventory/host_vars/ele-router-orpheum.yml
@@ -147,6 +147,7 @@ openwrt_packages_add:
- mtr
- iptraf-ng
- sqm-scripts
+ - openvpn-openssl
- prometheus-node-exporter-lua
- prometheus-node-exporter-lua-nat_traffic
- prometheus-node-exporter-lua-netstat
@@ -160,6 +161,23 @@ openwrt_mixin:
/etc/htoprc:
file: "{{ global_files_dir }}/common/htoprc"
+ /etc/hotplug.d/openvpn/10-mgmt:
+ content: |
+ #!/bin/sh
+ [ "$INSTANCE" != "mgmt" ] && exit 0
+ [ "$ACTION" = "up" ] && ip link set up mtu "$3" dev "$2" master "br-mgmt"
+ exit 0
+
+ /etc/openvpn/mgmt-ca-cert.pem:
+ content: "{{ vault_ovpn_mgmt_ca_cert }}"
+
+ /etc/openvpn/mgmt-cert.pem:
+ content: "{{ vault_ovpn_mgmt_certs[inventory_hostname] }}"
+
+ /etc/openvpn/mgmt-key.pem:
+ content: "{{ vault_ovpn_mgmt_keys[inventory_hostname] }}"
+ mode: '0400'
+
/etc/rc.d/S21nftables:
link: "../init.d/nftables"
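Review bot: The hotplug script added as /etc/hotplug.d/openvpn/10-mgmt takes the interface name and MTU from positional parameters (`dev "$2"`, `mtu "$3"`), which depend on how the OpenWrt openvpn hotplug dispatcher forwards the arguments OpenVPN passes to its `--up` script and will silently break if that forwarding changes. OpenVPN exports the same values to up/down scripts as environment variables, so `[ "$ACTION" = "up" ] && ip link set up mtu "$tun_mtu" dev "$dev" master "br-mgmt"` is the stable form; confirm against the dispatcher actually installed on this image. The mixin entry sets no `mode:` for the script, which is fine only as long as the dispatcher sources it rather than executing it — a one-line comment in the script recording that assumption would save the next reader a trip to the dispatcher source.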
@@ -203,6 +221,7 @@ openwrt_mixin:
ip protocol icmp accept
ip6 nexthdr ipv6-icmp accept
tcp dport { {{ ansible_port }} } accept
+ udp dport { 1194 } accept
}
chain input_internal {
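Review bot: The new `udp dport { 1194 } accept` admits UDP/1194 from any source on whatever interfaces this input chain covers, although this router is the OpenVPN client of the tunnel (the `openvpn` stanza added further down sets `client: '1'` with a single `remote`) and only needs replies from that one peer. If the chain already accepts established/related conntrack state earlier (outside this hunk) the rule is redundant; otherwise restrict it to the peer, e.g. `ip saddr <remote-peer-address> udp dport { 1194 } accept` using the same address expression as the `remote` entry, or set `nobind: '1'` on the client so no local port is bound and the rule can be dropped. The enclosing chain opens before this hunk.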
@@ -292,6 +311,34 @@ openwrt_uci:
linklayer: 'ethernet'
overhead: '44 mpu 84'
+ openvpn:
+ - name: openvpn mgmt
+ options:
+ enabled: '1'
+ port: '1194'
+ proto: 'udp'
+ dev: 'ovpn-mgmt'
+ dev_type: 'tap'
+ remote:
+ - "{{ network_zones.cc_hmtsaal.prefix | ansible.utils.ipaddr(network_zones.cc_hmtsaal.offsets['ele-router-hmtsaal']) | ansible.utils.ipaddr('address') }} 1194"
+
+ client: '1'
+ keepalive: '10 120'
+ persist_key: '1'
+ persist_tun: '1'
+ user: 'nobody'
+
+ tls_version_min: '1.3'
+ ca: '/etc/openvpn/mgmt-ca-cert.pem'
+ cert: '/etc/openvpn/mgmt-cert.pem'
+ key: '/etc/openvpn/mgmt-key.pem'
+ remote_cert_tls: 'server'
+ data_ciphers:
+ - 'CHACHA20-POLY1305'
+ data_ciphers_fallback: 'AES-256-GCM'
+ allow_compression: 'no'
+
+
prometheus_scrape_endpoint: "{{ network_mgmt_zone.prefix | ansible.utils.ipaddr(network_mgmt_zone.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:9100"
prometheus_exporters_default:
- openwrt
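Review bot: The new openvpn mgmt stanza authenticates the peer only through the certificate chain (`ca`, `cert`, `key`, `remote_cert_tls: 'server'`); there is no `tls_crypt` (or `tls_auth`) key, so the control channel is not authenticated before the TLS handshake, and no `verify_x509_name` pins which server certificate under the mgmt CA is accepted. Because this tap tunnel is bridged straight into br-mgmt by the hotplug script, consider adding `tls_crypt: '<path-to-vaulted-tls-crypt-key>'` deployed through openwrt_mixin like the other key material (with `mode: '0400'`), plus `verify_x509_name: '<server-cert-cn> name'`; both require the matching change on the ele-router-hmtsaal side, which is outside this commit. The two trailing `+` blank lines before `prometheus_scrape_endpoint` leave a double blank line in the file; one is enough.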