Diffstat (limited to 'inventory')
-rw-r--r--inventory/group_vars/chaos_at_home/network.yml11
-rw-r--r--inventory/group_vars/chaos_at_home_vpn_extern/main.yml45
-rw-r--r--inventory/host_vars/ch-jump.yml6
-rw-r--r--inventory/host_vars/ch-router.yml126
-rw-r--r--inventory/hosts.ini4
5 files changed, 185 insertions, 7 deletions
diff --git a/inventory/group_vars/chaos_at_home/network.yml b/inventory/group_vars/chaos_at_home/network.yml
index 31a2b6fd..8cfb0a98 100644
--- a/inventory/group_vars/chaos_at_home/network.yml
+++ b/inventory/group_vars/chaos_at_home/network.yml
@@ -7,9 +7,12 @@ network_zones:
dns:
- 192.168.28.254
dhcp:
- start: 1
+ start: 100
limit: 199
offsets:
+ ch-auth: 88
+ ch-prometheus: 99
+ ch-prometheus-old: 250
ch-gw-lan: 254
wifi:
ssid: "chaos at home"
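Review bot: With `start: 100` and the unchanged `limit: 199`, the pool runs 100..298 if `limit` is a lease count as in OpenWrt's dhcp section, i.e. past the end of a /24 (the 192.168.28.254 DNS entry suggests this zone is one), and even where the consuming role clamps the range, the new static offsets `ch-prometheus-old: 250` and `ch-gw-lan: 254` fall inside the dynamic pool. If leases are meant to stop below the static block, shrink the pool in the same hunk, e.g. `limit: 150`, so it ends at .249. Whether the role clamps or rejects an oversized pool is not visible from here.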
@@ -37,14 +40,16 @@ network_zones:
offsets:
ch-jump: 22
ch-gw-lan: 28
- web: 80
- mail: 143
+ ch-stats: 10
+ ch-web: 80
+ ch-mail: 143
ch-router: 254
mgmt:
vlan: 42
prefix: 192.168.42.0/24
offsets:
+ ch-jump: 22
ch-sw0: 200
ch-sw1: 201
ch-ap0: 220
diff --git a/inventory/group_vars/chaos_at_home_vpn_extern/main.yml b/inventory/group_vars/chaos_at_home_vpn_extern/main.yml
new file mode 100644
index 00000000..2ada0a35
--- /dev/null
+++ b/inventory/group_vars/chaos_at_home_vpn_extern/main.yml
@@ -0,0 +1,45 @@
+---
+openvpn_ca_certificate: |
+ -----BEGIN CERTIFICATE-----
+ MIIG8TCCBNmgAwIBAgIJAOGcXf3qnvfBMA0GCSqGSIb3DQEBCwUAMIGrMQswCQYD
+ VQQGEwJBVDEPMA0GA1UECBMGU3R5cmlhMQ0wCwYDVQQHEwRHcmF6MRYwFAYDVQQK
+ Ew1jaGFvcyBhdCBob21lMQ8wDQYDVQQLEwZzeXNvcHMxGTAXBgNVBAMTEGNoYW9z
+ IGF0IGhvbWUgQ0ExEDAOBgNVBCkTB0Vhc3lSU0ExJjAkBgkqhkiG9w0BCQEWF2Fk
+ bWluQGNoYW9zLWF0LWhvbWUub3JnMB4XDTE1MDUwMjAxMDQ0NFoXDTI1MDQyOTAx
+ MDQ0NFowgasxCzAJBgNVBAYTAkFUMQ8wDQYDVQQIEwZTdHlyaWExDTALBgNVBAcT
+ BEdyYXoxFjAUBgNVBAoTDWNoYW9zIGF0IGhvbWUxDzANBgNVBAsTBnN5c29wczEZ
+ MBcGA1UEAxMQY2hhb3MgYXQgaG9tZSBDQTEQMA4GA1UEKRMHRWFzeVJTQTEmMCQG
+ CSqGSIb3DQEJARYXYWRtaW5AY2hhb3MtYXQtaG9tZS5vcmcwggIiMA0GCSqGSIb3
+ DQEBAQUAA4ICDwAwggIKAoICAQCz+MrezJ744nzWHV1LqjnWOtthbHQ4bNv3odbu
+ bOJlyL3HLIzmJ4lRLvgDPpZKQP46XlvxNsDbwMlLCXgiaKZh3Y/WhM1wixE0t4SK
+ 132S2jDa1rIP4x37G/na7Q/QLPSkB7qCzo7herYizFU5FmGLxIIMUEYDQ8ryEkrl
+ ZZ5YG583gLX4prJ6gyeP8gyitA6VK+zGoAzjA7+gpQqM7HdtQtHWYKpuaPnqL8G0
+ nCBCNyZVPLDRaYzT1RP6uittotXwBZ5+2ox1EubG3u+Insk11ydTmRubodB+DLaq
+ QRpzj2zbInd9s2FDZonSOhzLiRwg2Hkshs+NKTIf1K3eD6q6ts/83hdmYWPT/uAD
+ e7l0Py1FRc/5cQwPxdGGzo/q604oAyXEeXwHzrrVIZF1SrC33wTDtCn5PqLL/92t
+ E3sCyCAQNuGP4bLL8tMYOvzYuhurPzFlV/ijpDXc+GWdpeAf00g8m1ZLBFUuFLAy
+ Ymx/zgN7WOheBPqJSrt/l00k+FjSi3A++iGYFD9ro52jfDctV6j//Qv5HhEDgOi4
+ UtvC3A02bb44IB7255pC1cZ8VCe7VGHIV40DwHt1103jRhDflicP9mDgicP2YquF
+ bM3aSjmxkhx1lkUUfbJpHRdiIcjaSazhWwUGIYCV5dDNqs/bwSuWXp5TXuUd5YLR
+ pIDaaQIDAQABo4IBFDCCARAwHQYDVR0OBBYEFOBTIefcIZSf3fW3IMVZWhzv6B8F
+ MIHgBgNVHSMEgdgwgdWAFOBTIefcIZSf3fW3IMVZWhzv6B8FoYGxpIGuMIGrMQsw
+ CQYDVQQGEwJBVDEPMA0GA1UECBMGU3R5cmlhMQ0wCwYDVQQHEwRHcmF6MRYwFAYD
+ VQQKEw1jaGFvcyBhdCBob21lMQ8wDQYDVQQLEwZzeXNvcHMxGTAXBgNVBAMTEGNo
+ YW9zIGF0IGhvbWUgQ0ExEDAOBgNVBCkTB0Vhc3lSU0ExJjAkBgkqhkiG9w0BCQEW
+ F2FkbWluQGNoYW9zLWF0LWhvbWUub3JnggkA4Zxd/eqe98EwDAYDVR0TBAUwAwEB
+ /zANBgkqhkiG9w0BAQsFAAOCAgEAJRsbExbfH/8EwAFwRlzXQaBocQvEISvnI50e
+ LDNv8uqWEdxQRXflD9BwzSivVeV5iNqspzwDETMTkj+ZDHA/gHJogR3Tl3jupQ2H
+ S0GBSfzv/2LeOGM88WfvOqLix9aKRhBvKPgzvm0ythD5+BA+pHoO/Hi6QxZQosMU
+ zBMcYZwASoOGn7jDDaXAtymyMl9SYHASPc15i3tYUHQrnZHl0vunJS6yTCHcOxOw
+ bd7ZNSyvLWF4mymE7tFFXtQ0g6mFX41wyRX0YAXYnV6qHGaFg81PO9wwSYRE90eq
+ nalqFM+8Q8G+avVlpbVN956S/SxaJzZZMrwBFOWgf09epO6ULjKQ2efoYQhCUHJo
+ xx3KkZhYIlqYlQ67cOlKHry4rNIZissUHFrVSYtsQG+F2PvIgmY5sefCNWujUj3m
+ 9R5o9p1ox4SNt0XuIh92xLLv9AKhSKaI0eMh07hZFT1RnoO6I35QPtVI7bqx8ryT
+ Hgd5pnSvdySd1JUDS8D/W0BTkPmDhjMad4GNAGpKhvNumZqOFTw3IeSN+oWWMhYt
+ z4mYklW/xDdkbFHoaZK0FFlJl6aM+qGNoOarRx1XlA+jT5GQl5ZbIVDENfRJBEt4
+ 63sa1VvytDA7qx61roJ2jnZPZPnxbSGCgljEbgjb0LKSddOFx+sgqzc1c8KgmOlf
+ 6XrTyAc=
+ -----END CERTIFICATE-----
+
+openvpn_dhparams: "{{ vault_openvpn_dhparams }}"
+openvpn_ta_key: "{{ vault_openvpn_ta_key }}"
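Review bot: The CA block carries no note of what it is or when it expires; its validity field decodes to 2015-05-02 .. 2025-04-29, and the `server.crt` embedded in inventory/host_vars/ch-router.yml in this commit shares the same 2025-04-29 notAfter. A one-line comment above the scalar, `# 'chaos at home CA' (EasyRSA), notAfter 2025-04-29 -- re-issue CA and re-sign server/client certs before then`, makes the rotation deadline visible without decoding the PEM. The dhparams and tls-auth key are pulled from vault while only the public CA is in clear, which is the right split.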
diff --git a/inventory/host_vars/ch-jump.yml b/inventory/host_vars/ch-jump.yml
index b46120f1..94b55319 100644
--- a/inventory/host_vars/ch-jump.yml
+++ b/inventory/host_vars/ch-jump.yml
@@ -14,7 +14,9 @@ install:
size: 10g
interfaces:
- bridge: br-svc
- name: primary0
+ name: svc0
+ - bridge: br-mgmt
+ name: mgmt0
autostart: True
network:
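Review bot: `mgmt0` on `br-mgmt` is added to `install.interfaces`, but the only addressing touched by this commit is `network.primary`, which the second hunk points at `svc0`; unless a secondary interface block further down uses `network_zones.mgmt.offsets[inventory_hostname]` (the `ch-jump: 22` added to the mgmt zone in network.yml), the new interface comes up without an address. Worth confirming against the rest of ch-jump.yml, which runs past this hunk; the `systemd_link` block already iterates `install.interfaces`, so the link unit side is covered.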
@@ -23,7 +25,7 @@ network:
systemd_link:
interfaces: "{{ install.interfaces }}"
primary:
- interface: primary0
+ interface: svc0
ip: "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets[inventory_hostname]) | ipaddr('address') }}"
mask: "{{ network_zones.svc.prefix | ipaddr('netmask') }}"
gateway: "{{ network_zones.svc.gw }}"
diff --git a/inventory/host_vars/ch-router.yml b/inventory/host_vars/ch-router.yml
index fe313d87..a4d8c2c7 100644
--- a/inventory/host_vars/ch-router.yml
+++ b/inventory/host_vars/ch-router.yml
@@ -27,9 +27,75 @@ openwrt_packages_add:
- usbutils
- kmod-ipt-nat
- kmod-ipt-conntrack
-
+ - openvpn
openwrt_mixin:
+ /etc/openvpn/ca.crt:
+ content: "{{ openvpn_ca_certificate }}"
+
+ /etc/openvpn/dhparams:
+ mode: "0600"
+ content: "{{ openvpn_dhparams }}"
+
+ /etc/openvpn/ta.key:
+ mode: "0600"
+ content: "{{ openvpn_ta_key }}"
+
+ /etc/openvpn/server.crt:
+ content: |
+ -----BEGIN CERTIFICATE-----
+ MIIHXDCCBUSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBqzELMAkGA1UEBhMCQVQx
+ DzANBgNVBAgTBlN0eXJpYTENMAsGA1UEBxMER3JhejEWMBQGA1UEChMNY2hhb3Mg
+ YXQgaG9tZTEPMA0GA1UECxMGc3lzb3BzMRkwFwYDVQQDExBjaGFvcyBhdCBob21l
+ IENBMRAwDgYDVQQpEwdFYXN5UlNBMSYwJAYJKoZIhvcNAQkBFhdhZG1pbkBjaGFv
+ cy1hdC1ob21lLm9yZzAeFw0xNTA1MDIwMTU3NDZaFw0yNTA0MjkwMTU3NDZaMIGi
+ MQswCQYDVQQGEwJBVDEPMA0GA1UECBMGU3R5cmlhMQ0wCwYDVQQHEwRHcmF6MRYw
+ FAYDVQQKEw1jaGFvcyBhdCBob21lMQ8wDQYDVQQLEwZzeXNvcHMxEDAOBgNVBAMT
+ B3BhbmRvcmExEDAOBgNVBCkTB0Vhc3lSU0ExJjAkBgkqhkiG9w0BCQEWF2FkbWlu
+ QGNoYW9zLWF0LWhvbWUub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC
+ AgEAvwp3VeAZ2+uWLv0ePQ+I8T+0JMQkCdpv2Hn8gEQyUe4ubPtR6SE7455mXtGS
+ WA67M9uHmX6jleQmap7VQPweBy5UD6ge5q39oJMB5G2wug2/QRcgTZVF1r14ZEmk
+ mI31fQBHI/8M3gtMGzB5q0ohsaOuNSEyQir/CBDlDoyOzcVKRC3hQ4DVqD1Trp2M
+ +bxINC9jcQUQd/U5+Ui51tlSBMs/M+0gAlD0kypgcQNZcDDsLW+iTF79/XMweowp
+ bRDv8GbabL1E5kMYL1Ii0vNV6xmjbiyI/tX4DMyKa5d2LI80X932U/ILyq01GVhq
+ bhribfZzqfJhC7zAc09zw2NfQ2F6ZAAcTMmCK/GFTpKWgBufRl7gr93f3mNDzVP4
+ 9KDvQa62CUKEy7ELwxpAEyAlGEkym2Nw+SfiAy2W2uHrpV5UF4uVs58MKUnq3Ktw
+ O04comiuLnXkY9/7USrMngnuJdxcwd6kEXuk6WUZGHWhgGkdP6Ww5DE2HNicSHnT
+ 2gJFOkvvyXO5G7rmndJgK4dlsDuTdax6obIVyVEn20L8sLhuzQwfg1Z+1rnvkZVC
+ 0n9gYp104e36HrAhX5xYwkZ2sn1Rls/PU94ciH/7TjCXOxdOLcXw4yo2btsGNtli
+ 9I/tjPn5GHgLWa8VCGdGBsij7XP2AqPFGnzqS2lFi28YxukCAwEAAaOCAZAwggGM
+ MAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMDQGCWCGSAGG+EIBDQQnFiVF
+ YXN5LVJTQSBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQWBBR/
+ DVVuzBz4Tb2mji2hC3IeOR5t7jCB4AYDVR0jBIHYMIHVgBTgUyHn3CGUn931tyDF
+ WVoc7+gfBaGBsaSBrjCBqzELMAkGA1UEBhMCQVQxDzANBgNVBAgTBlN0eXJpYTEN
+ MAsGA1UEBxMER3JhejEWMBQGA1UEChMNY2hhb3MgYXQgaG9tZTEPMA0GA1UECxMG
+ c3lzb3BzMRkwFwYDVQQDExBjaGFvcyBhdCBob21lIENBMRAwDgYDVQQpEwdFYXN5
+ UlNBMSYwJAYJKoZIhvcNAQkBFhdhZG1pbkBjaGFvcy1hdC1ob21lLm9yZ4IJAOGc
+ Xf3qnvfBMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIFoDASBgNVHREE
+ CzAJggdwYW5kb3JhMA0GCSqGSIb3DQEBCwUAA4ICAQBTa8rgGfdlmKOhrzZEPUCZ
+ eAEICIpI1GnrHNLNAmbM4OIEO8lNPEVcsalqJSvFXaRh5lRBd4zGDhE2sehL13sX
+ ceeZTh4Ss6xBguHWh3ZCLcZimqbritAF9zl53Aer6AeCw0lYTlgFVgZBPU9X4UXV
+ mKqrmuorOy34vN/slRcsACrlWXonYAIrhSf6KPnTfmewp7c9LG2M8PBab05QC2tt
+ NYy9lKN6bf6e16lTREInQcf6t29OihbgWeOur4EdFg5QuckYDvr/fbbK1D2tVFjR
+ 9p8jgb7gJfvbqSc9oA6RoLQCr5mpTZeYrJWoCGlT943sXwTemPSL9NcDq/hr0RDY
+ uYUGWWR7uKi4RwGt1S5TvpEsE0p1KeiEpytInC4crWUeX5eU5oHqEmwbKFTkzTXM
+ yTj6EL4hTK5nHCGPYgY6umnPnTEc/Z7/kB9GPV4dOqu8qCWL+82+4y5PPSw/6H9B
+ BY5WYFlE66aYHpRvAseN7HKU1lqcX09rx6vTjVKtBilga3m44pOxPPgI9FN6XYQl
+ r43j0QX7FStrSTBkU7QgkXimU7jxJF7PczAhwQW8+Eyk2T2C9o8/w6T27UqMVByB
+ xnw1Z7IOVbenP1JUpX+xKvweCFjkcdGHF+bQ3ufWmo3MIwsapKC1859E37ENqWaF
+ 8ucdxgsmNPJk/dyj/4vqxQ==
+ -----END CERTIFICATE-----
+
+ /etc/openvpn/server.key:
+ mode: "0600"
+ content: "{{ vault_openvpn_key }}"
+
+ /etc/openvpn/ipp.txt:
+ mode: "0444"
+ content: |
+ pan,192.168.8.4
+ mimas,192.168.8.8
+
/etc/dropbear/authorized_keys:
content: "{{ ssh_keys_root | join('\n') }}\n"
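Review bot: `/etc/openvpn/server.key` reads `vault_openvpn_key` directly, whereas the other secrets in this commit go through an unprefixed group variable (`openvpn_dhparams: "{{ vault_openvpn_dhparams }}"`, `openvpn_ta_key: "{{ vault_openvpn_ta_key }}"`), and the vault name is also the only one not suffixed with what it holds. If the vault variable can be renamed, `content: "{{ openvpn_server_key }}"` backed by `openvpn_server_key: "{{ vault_openvpn_server_key }}"` in this host's vars keeps all key material on one lookup path and `0600`. `ca.crt` and `server.crt` without a mode are fine as public material; `openwrt_mixin` continues beyond this hunk.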
@@ -72,15 +138,32 @@ openwrt_mixin:
iptables -A INPUT -i "$MGMT_IF" -d "$MGMT_IPADDR" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT
+ ## VPN Traffic
+ iptables -A FORWARD -i extern0 -s 192.168.8.0/24 -o "$SVC_IF" -j ACCEPT
+ iptables -A FORWARD -i "$SVC_IF" -o extern0 -d 192.168.8.0/24 -j ACCEPT
+
+
## WAN Traffic
#
iptables -A INPUT -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p icmp -j ACCEPT
iptables -A INPUT -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport "$SSH_PORT" -j ACCEPT
+ iptables -A INPUT -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i "$MAGENTA_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 2342 -j DNAT --to "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-jump']) | ipaddr('address') }}"
iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -d "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-jump']) | ipaddr('address') }}" -p tcp --dport 2342 -j ACCEPT
+ iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 80 -j DNAT --to "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-web']) | ipaddr('address') }}"
+ iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 443 -j DNAT --to "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-web']) | ipaddr('address') }}"
+ iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -d "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-web']) | ipaddr('address') }}" -p tcp --dport 80 -j ACCEPT
+ iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -d "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-web']) | ipaddr('address') }}" -p tcp --dport 443 -j ACCEPT
+
+ iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 143 -j DNAT --to "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-mail']) | ipaddr('address') }}:144"
+ iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 993 -j DNAT --to "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-mail']) | ipaddr('address') }}"
+ iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -d "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-mail']) | ipaddr('address') }}" -p tcp --dport 144 -j ACCEPT
+ iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -d "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-mail']) | ipaddr('address') }}" -p tcp --dport 993 -j ACCEPT
+
+
## LAN Traffic
#
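Review bot: The return-path rule `iptables -A FORWARD -i "$SVC_IF" -o extern0 -d 192.168.8.0/24 -j ACCEPT` lets any svc host open new connections to VPN clients rather than only answer them; if clients are meant to be initiators only, qualify it with `-m conntrack --ctstate RELATED,ESTABLISHED` as the WAN INPUT rule below already does. The tunnel interface and pool (`extern0`, `192.168.8.0/24`) are literals here while the same values live in the `openvpn` UCI section, and the `ch-web`/`ch-mail` address expressions are repeated across eight rules; `VPN_IF`/`VPN_NET` and `WEB_IPADDR`/`MAIL_IPADDR` variables next to the existing `$MAGENTA_*`/`$SVC_IF` definitions would keep each value in one place. Those definitions, like the rest of the script, are outside this hunk.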
@@ -105,6 +188,7 @@ openwrt_mixin:
iptables -F INPUT
iptables -P FORWARD ACCEPT
iptables -F FORWARD
+ iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
}
@@ -141,6 +225,39 @@ openwrt_uci:
RootPasswordAuth: 'off'
Port: '{{ ansible_port | default(22) }}'
+ openvpn:
+ - name: openvpn 'extern'
+ options:
+ enabled: '1'
+ port: '1194'
+ proto: 'udp'
+ dev_type: 'tun'
+ dev: 'extern0'
+
+ server: '192.168.8.0 255.255.255.0'
+ client_to_client: '1'
+ ifconfig_pool_persist: '/etc/openvpn/ipp.txt'
+ push:
+ - 'route 192.168.28.0 255.255.255.0'
+ - 'route 192.168.32.0 255.255.255.0'
+
+ tls_auth: '/etc/openvpn/ta.key 0'
+ ca: '/etc/openvpn/ca.crt'
+ cert: '/etc/openvpn/server.crt'
+ key: '/etc/openvpn/server.key'
+ dh: '/etc/openvpn/dhparams'
+
+ tls_cipher: 'DHE-RSA-AES256-SHA'
+ cipher: 'AES-256-CBC'
+ auth: 'SHA256'
+ comp_lzo: 'yes'
+
+ keepalive: '10 120'
+ persist_key: '1'
+ persist_tun: '1'
+ user: 'nobody'
+ verb: '3'
+
network:
- name: globals 'globals'
options:
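Review bot: `ifconfig_pool_persist: '/etc/openvpn/ipp.txt'` leaves OpenVPN's default refresh interval in force, so the daemon periodically rewrites the file this commit also deploys read-only (`mode: "0444"`) from `openwrt_mixin`, and the next Ansible run reverts whatever it wrote. Giving the seconds argument as zero, `ifconfig_pool_persist: '/etc/openvpn/ipp.txt 0'`, makes OpenVPN treat the file as a static read-only assignment, which matches the mixin. Separately, `comp_lzo: 'yes'` turns on tunnel compression, which is deprecated upstream and exposes the plaintext to compression-oracle attacks; unless old clients require it, drop the option, and consider `tls_version_min: '1.2'` next to the pinned `tls_cipher`, which is a CBC/SHA-1 suite.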
@@ -176,6 +293,13 @@ openwrt_uci:
ipaddr: "{{ network_zones.mgmt.prefix | ipaddr(network_zones.mgmt.offsets[inventory_hostname]) | ipaddr('address') }}"
netmask: "{{ network_zones.mgmt.prefix | ipaddr('netmask') }}"
+ - name: route 'lan'
+ options:
+ interface: svc
+ target: "{{ network_zones.lan.prefix | ipaddr('network') }}"
+ netmask: "{{ network_zones.lan.prefix | ipaddr('netmask') }}"
+ gateway: "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-gw-lan']) | ipaddr('address') }}"
+
virsh_domxml: |
<domain type='kvm'>
diff --git a/inventory/hosts.ini b/inventory/hosts.ini
index 048283a9..ac336af2 100644
--- a/inventory/hosts.ini
+++ b/inventory/hosts.ini
@@ -45,7 +45,9 @@ ch-sw1 host_name=sw1
ch-ap0 host_name=ap0
ch-ap1 host_name=ap1
-
+[chaos_at_home_vpn_extern]
+ch-router
+ch-pan
[realraum:vars]
host_domain=realraum.at