Diffstat (limited to 'inventory/host_vars')
-rw-r--r--inventory/host_vars/ch-mimas.yml23
-rw-r--r--inventory/host_vars/ch-pan.yml23
-rw-r--r--inventory/host_vars/ch-router.yml48
-rw-r--r--inventory/host_vars/ele-gwhetzner.yml8
-rw-r--r--inventory/host_vars/s2-thetys.yml16
5 files changed, 103 insertions, 15 deletions
diff --git a/inventory/host_vars/ch-mimas.yml b/inventory/host_vars/ch-mimas.yml
index 2bafafe1..32db8f65 100644
--- a/inventory/host_vars/ch-mimas.yml
+++ b/inventory/host_vars/ch-mimas.yml
@@ -47,6 +47,29 @@ zfs_sanoid_modules:
process_children_only: yes
+wireguard_p2p_interface:
+ name: remote0
+ description: connection to chaos-at-home internal services
+ listen_port: 51820
+ addresses:
+ - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets[inventory_hostname]) }}"
+ static_routes:
+ - dest: "{{ network_zones.svc.prefix }}"
+ gw: "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-router']) | ansible.utils.ipaddr('address') }}"
+ - dest: "{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }}/32"
+ gw: "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-router']) | ansible.utils.ipaddr('address') }}"
+
+wireguard_p2p_peers:
+ - pub_key: "9pUDet+les5aI9UnHHVgyw95hNBxlAX8DBCxTjigpEI="
+ endpoint:
+ host: "{{ network_zones.magenta.prefix | ansible.utils.ipaddr(network_zones.magenta.offsets['ch-router']) | ansible.utils.ipaddr('address') }}"
+ port: 51820
+ allowed_ips:
+ - "{{ network_zones.remote.prefix }}"
+ - "{{ network_zones.svc.prefix }}"
+ - "{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }}/32"
+
+
bind_option_empty_zones_enable: no
bind_option_allow_transfer: []
bind_option_allow_recursion:
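Review bot: The `wireguard_p2p_interface` and `wireguard_p2p_peers` blocks added here are byte-identical to the ones added in the inventory/host_vars/ch-pan.yml hunk of this commit; the only host-specific part is `inventory_hostname`, which is resolved at render time anyway. Two copies of the static routes, the allowed_ips list and the router's public key will drift the first time one host gets a new route and the other does not, and a key rotation on the router then has to be applied in two places. Consider moving both blocks into a group_vars file for a small group of remote hosts (placeholder name: `<remote-hosts-group>`) and leaving only genuinely per-host values in host_vars. If they are kept per host, a one-line comment such as `# keep in sync with ch-pan.yml` on each copy at least makes the coupling visible.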
diff --git a/inventory/host_vars/ch-pan.yml b/inventory/host_vars/ch-pan.yml
index 9f18ed93..5beabb31 100644
--- a/inventory/host_vars/ch-pan.yml
+++ b/inventory/host_vars/ch-pan.yml
@@ -41,6 +41,29 @@ sshd_allowusers_host: "{{ admin_users_host + ['dyndns'] }}"
ntp_variant: systemd-timesyncd
+wireguard_p2p_interface:
+ name: remote0
+ description: connection to chaos-at-home internal services
+ listen_port: 51820
+ addresses:
+ - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets[inventory_hostname]) }}"
+ static_routes:
+ - dest: "{{ network_zones.svc.prefix }}"
+ gw: "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-router']) | ansible.utils.ipaddr('address') }}"
+ - dest: "{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }}/32"
+ gw: "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-router']) | ansible.utils.ipaddr('address') }}"
+
+wireguard_p2p_peers:
+ - pub_key: "9pUDet+les5aI9UnHHVgyw95hNBxlAX8DBCxTjigpEI="
+ endpoint:
+ host: "{{ network_zones.magenta.prefix | ansible.utils.ipaddr(network_zones.magenta.offsets['ch-router']) | ansible.utils.ipaddr('address') }}"
+ port: 51820
+ allowed_ips:
+ - "{{ network_zones.remote.prefix }}"
+ - "{{ network_zones.svc.prefix }}"
+ - "{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }}/32"
+
+
nginx_server_names_hash_bucket_size: 64
acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
diff --git a/inventory/host_vars/ch-router.yml b/inventory/host_vars/ch-router.yml
index c0165250..ce4ed984 100644
--- a/inventory/host_vars/ch-router.yml
+++ b/inventory/host_vars/ch-router.yml
@@ -45,6 +45,8 @@ openwrt_packages_add:
- mtr
- usbutils
- openvpn-openssl
+ - kmod-wireguard
+ - wireguard-tools
- iptraf-ng
- prometheus-node-exporter-lua
- prometheus-node-exporter-lua-nat_traffic
@@ -156,11 +158,14 @@ openwrt_mixin:
define nic_mgmt = eth2
define nic_internal = eth0
define nic_openvpn = extern0
+ define nic_remote = remote
define prefix_mgmt = {{ network_zones.mgmt.prefix }}
define prefix_openvpn = 192.168.8.0/24
+ define prefix_remote = 192.168.51.0/24
+ define prefix_svc = {{ network_zones.svc.prefix }}
define prefixes_internal = { {{ network_zones.svc.prefix }}, {{ network_zones.lan.prefix }} }
-
+ define ip_prometheus_legacy = {{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }}
table inet global {
## INPUT
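Review bot: `define prefix_remote = 192.168.51.0/24` is the only new define in this hunk with a hard-coded prefix; `prefix_svc`, `prefix_mgmt` and `ip_prometheus_legacy` are all templated from `network_zones`, and the client side of the same tunnel (ch-mimas.yml, ch-pan.yml, and the router's own `interface 'remote'` addresses) derives everything from `network_zones.remote.prefix`. If that zone is ever renumbered, `input_remote` drops all tunnel traffic at `ip saddr != $prefix_remote drop` and the forward rules stop matching, with nothing in the inventory pointing at the mismatch. Use the same source of truth here: `define prefix_remote = {{ network_zones.remote.prefix }}`. The enclosing `openwrt_mixin` block starts and ends outside this hunk.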
@@ -180,7 +185,7 @@ openwrt_mixin:
ip protocol icmp accept
ip6 nexthdr ipv6-icmp accept
tcp dport { {{ ansible_port }} } accept
- udp dport { openvpn } accept
+ udp dport { openvpn, 51820 } accept
}
chain input_openvpn {
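Review bot: The WireGuard port is written as a bare literal in `udp dport { openvpn, 51820 } accept` while the listener it opens is configured separately as `listen_port: 51820` under `interface 'remote'` later in this same file; the two are not tied together, so changing one without the other silently leaves the tunnel unable to complete a handshake. A single nft define next to the new `prefix_remote` line, e.g. `define port_wireguard = 51820`, referenced here and ideally fed from the same Ansible variable as `listen_port`, removes that failure mode. The chain this rule belongs to starts outside the hunk.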
@@ -189,10 +194,16 @@ openwrt_mixin:
tcp dport { {{ ansible_port }} } accept
}
+ chain input_remote {
+ ip saddr != $prefix_remote drop
+ ip protocol icmp accept
+ tcp dport { {{ ansible_port }} } accept
+ }
+
chain input {
type filter hook input priority filter; policy drop;
ct state vmap { established: accept, related: accept, invalid: drop }
- iifname vmap { lo: accept, $nic_mgmt: jump input_mgmt, $nic_internal: jump input_internal, $nic_magenta: jump input_magenta, $nic_openvpn: jump input_openvpn }
+ iifname vmap { lo: accept, $nic_mgmt: jump input_mgmt, $nic_internal: jump input_internal, $nic_magenta: jump input_magenta, $nic_openvpn: jump input_openvpn, $nic_remote: jump input_remote }
}
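Review bot: `ip saddr != $prefix_remote drop` in the new `input_remote` chain is worth a short comment, because a reader may otherwise assume it is the only thing keeping foreign sources off the tunnel. WireGuard already discards packets whose source is not within the sending peer's `allowed_ips`, so this rule is a second layer that only matters if a peer's allowed_ips on the router is widened by mistake; stating that intent, e.g. `## defence in depth: wireguard allowed_ips already restricts sources`, keeps the rule from being "simplified" away or from being relied on alone. Note also that the chain accepts the management port from every address in the /24, not just the two configured peers; that is consistent with the per-peer /32 allowed_ips in this commit, but a comment saying it is deliberate would help.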
@@ -203,6 +214,8 @@ openwrt_mixin:
iif $nic_internal ip saddr $prefixes_internal oif $nic_magenta accept
iif $nic_internal ip saddr $prefixes_internal oifname $nic_openvpn ip daddr $prefix_openvpn accept
iifname $nic_openvpn ip saddr $prefix_openvpn oif $nic_internal ip daddr $prefixes_internal accept
+ iif $nic_internal ip saddr { $prefix_svc, $ip_prometheus_legacy } oifname $nic_remote ip daddr $prefix_remote accept
+ iifname $nic_remote ip saddr $prefix_remote oif $nic_internal ip daddr { $prefix_svc, $ip_prometheus_legacy } accept
{% for name, svc in network_services.items() %}
iif $nic_magenta oif $nic_internal ip daddr {{ svc.addr }} tcp dport { {{ svc.ports | join(', ') }} } accept comment "Service: {{ name }}"
{% endfor %}
@@ -341,6 +354,35 @@ openwrt_uci:
netmask: "{{ network_zones.lan.prefix | ansible.utils.ipaddr('netmask') }}"
gateway: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets['ch-gw-lan']) | ansible.utils.ipaddr('address') }}"
+ - name: interface 'remote'
+ options:
+ proto: wireguard
+ private_key: "{{ vault_wireguard_remote_private_key }}"
+ listen_port: 51820
+ addresses:
+ - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets[inventory_hostname]) }}"
+ nohostroute: 1
+
+ - name: wireguard_remote 'pan'
+ options:
+ public_key: "sd/OqiO0hktuJ3FvIBnM8RJpqG0lkN7wWJjdKbU1TSw="
+ # preshared_key: ""
+ endpoint_host: "{{ hostvars['ch-pan'].network.primary.address | ansible.utils.ipaddr('address') }}"
+ endpoint_port: 51820
+ allowed_ips:
+ - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-pan']) | ansible.utils.ipaddr('address') }}"
+ persistent_keepalive: 60
+
+ - name: wireguard_remote 'mimas'
+ options:
+ public_key: "ZpvJ3Myn/FSJTqsEkNB5AQaVAuTqfFFCAqLomkeZV3g="
+ # preshared_key: ""
+ endpoint_host: "{{ hostvars['ch-mimas'].external_ip }}"
+ endpoint_port: 51820
+ allowed_ips:
+ - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-mimas']) | ansible.utils.ipaddr('address') }}"
+ persistent_keepalive: 60
+
sqm:
- name: queue 'magenta'
options:
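Review bot: Both new `wireguard_remote` sections carry a commented-out `# preshared_key: ""`, which documents neither whether a PSK was considered and rejected nor where it would come from; the private key on the interface is already pulled from vault (`vault_wireguard_remote_private_key`), so a per-peer PSK would naturally live alongside it. Either drop the dead comment or turn it into an explicit decision, e.g. `# preshared_key: not used; both peers rely on the Curve25519 handshake only`, and if a PSK is added later the mimas/pan side of the tunnel in this commit must receive the same value. Separately, the two peers resolve their endpoint differently (`hostvars['ch-pan'].network.primary.address` versus `hostvars['ch-mimas'].external_ip`); that is presumably because mimas is reachable on an address other than its primary one, but a one-line comment on the mimas entry would save the next reader from guessing. The enclosing `openwrt_uci` list starts and ends outside this hunk.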
diff --git a/inventory/host_vars/ele-gwhetzner.yml b/inventory/host_vars/ele-gwhetzner.yml
index aa9cc7b3..d3faf0cf 100644
--- a/inventory/host_vars/ele-gwhetzner.yml
+++ b/inventory/host_vars/ele-gwhetzner.yml
@@ -87,7 +87,7 @@ wireguard_p2p_interface:
addresses:
- 192.168.123.1/30
-wireguard_p2p_peer:
- pub_key: "RDNeaG06AUkEZqEr/v3zTidroGfTBTsXluOx2ArITyE="
- allowed_ips:
- - 192.168.123.2/32
+wireguard_p2p_peers:
+ - pub_key: "RDNeaG06AUkEZqEr/v3zTidroGfTBTsXluOx2ArITyE="
+ allowed_ips:
+ - 192.168.123.2/32
diff --git a/inventory/host_vars/s2-thetys.yml b/inventory/host_vars/s2-thetys.yml
index 689c124b..d373ff63 100644
--- a/inventory/host_vars/s2-thetys.yml
+++ b/inventory/host_vars/s2-thetys.yml
@@ -85,11 +85,11 @@ wireguard_p2p_interface:
addresses:
- 192.168.123.2/30
-wireguard_p2p_peer:
- pub_key: "r/pFU+OOHmSZUJPSA15emuCQhC/MvLnmfx5o5MPl7yo="
- keepalive_interval: 10
- endpoint:
- host: 178.63.180.138
- port: 51920
- allowed_ips:
- - 192.168.123.1/32
+wireguard_p2p_peers:
+ - pub_key: "r/pFU+OOHmSZUJPSA15emuCQhC/MvLnmfx5o5MPl7yo="
+ keepalive_interval: 10
+ endpoint:
+ host: 178.63.180.138
+ port: 51920
+ allowed_ips:
+ - 192.168.123.1/32