Diffstat (limited to 'inventory')
-rw-r--r-- | inventory/group_vars/chaos_at_home/network.yml | 11 | ||||
-rw-r--r-- | inventory/group_vars/chaos_at_home_vpn_extern/main.yml | 45 | ||||
-rw-r--r-- | inventory/host_vars/ch-jump.yml | 6 | ||||
-rw-r--r-- | inventory/host_vars/ch-router.yml | 126 | ||||
-rw-r--r-- | inventory/hosts.ini | 4 |
5 files changed, 185 insertions, 7 deletions
diff --git a/inventory/group_vars/chaos_at_home/network.yml b/inventory/group_vars/chaos_at_home/network.yml index 31a2b6fd..8cfb0a98 100644 --- a/inventory/group_vars/chaos_at_home/network.yml +++ b/inventory/group_vars/chaos_at_home/network.yml @@ -7,9 +7,12 @@ network_zones: dns: - 192.168.28.254 dhcp: - start: 1 + start: 100 limit: 199 offsets: + ch-auth: 88 + ch-prometheus: 99 + ch-prometheus-old: 250 ch-gw-lan: 254 wifi: ssid: "chaos at home" @@ -37,14 +40,16 @@ network_zones: offsets: ch-jump: 22 ch-gw-lan: 28 - web: 80 - mail: 143 + ch-stats: 10 + ch-web: 80 + ch-mail: 143 ch-router: 254 mgmt: vlan: 42 prefix: 192.168.42.0/24 offsets: + ch-jump: 22 ch-sw0: 200 ch-sw1: 201 ch-ap0: 220 diff --git a/inventory/group_vars/chaos_at_home_vpn_extern/main.yml b/inventory/group_vars/chaos_at_home_vpn_extern/main.yml new file mode 100644 index 00000000..2ada0a35 --- /dev/null +++ b/inventory/group_vars/chaos_at_home_vpn_extern/main.yml 
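Review bot: The enlarged DHCP pool (`start: 100`, `limit: 199`) now covers the new static offset `ch-prometheus-old: 250` and the existing `ch-gw-lan: 254`, so unless reservations for those hosts are generated elsewhere the pool can hand out an address a static host already holds. Assuming this zone is a /24 like the others in this file, `start: 100` with `limit: 199` also reaches past .254; a bound such as `limit: 150` keeps the pool at .100–.249, below every static offset in this mapping. If the overlap is deliberate because dnsmasq reservations cover these hosts, a comment on the `dhcp:` key saying so would spare the next reader the same check.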
@@ -0,0 +1,45 @@ +--- +openvpn_ca_certificate: | + -----BEGIN CERTIFICATE----- + MIIG8TCCBNmgAwIBAgIJAOGcXf3qnvfBMA0GCSqGSIb3DQEBCwUAMIGrMQswCQYD + VQQGEwJBVDEPMA0GA1UECBMGU3R5cmlhMQ0wCwYDVQQHEwRHcmF6MRYwFAYDVQQK + Ew1jaGFvcyBhdCBob21lMQ8wDQYDVQQLEwZzeXNvcHMxGTAXBgNVBAMTEGNoYW9z + IGF0IGhvbWUgQ0ExEDAOBgNVBCkTB0Vhc3lSU0ExJjAkBgkqhkiG9w0BCQEWF2Fk + bWluQGNoYW9zLWF0LWhvbWUub3JnMB4XDTE1MDUwMjAxMDQ0NFoXDTI1MDQyOTAx + MDQ0NFowgasxCzAJBgNVBAYTAkFUMQ8wDQYDVQQIEwZTdHlyaWExDTALBgNVBAcT + BEdyYXoxFjAUBgNVBAoTDWNoYW9zIGF0IGhvbWUxDzANBgNVBAsTBnN5c29wczEZ + MBcGA1UEAxMQY2hhb3MgYXQgaG9tZSBDQTEQMA4GA1UEKRMHRWFzeVJTQTEmMCQG + CSqGSIb3DQEJARYXYWRtaW5AY2hhb3MtYXQtaG9tZS5vcmcwggIiMA0GCSqGSIb3 + DQEBAQUAA4ICDwAwggIKAoICAQCz+MrezJ744nzWHV1LqjnWOtthbHQ4bNv3odbu + bOJlyL3HLIzmJ4lRLvgDPpZKQP46XlvxNsDbwMlLCXgiaKZh3Y/WhM1wixE0t4SK + 132S2jDa1rIP4x37G/na7Q/QLPSkB7qCzo7herYizFU5FmGLxIIMUEYDQ8ryEkrl + ZZ5YG583gLX4prJ6gyeP8gyitA6VK+zGoAzjA7+gpQqM7HdtQtHWYKpuaPnqL8G0 + nCBCNyZVPLDRaYzT1RP6uittotXwBZ5+2ox1EubG3u+Insk11ydTmRubodB+DLaq + QRpzj2zbInd9s2FDZonSOhzLiRwg2Hkshs+NKTIf1K3eD6q6ts/83hdmYWPT/uAD + e7l0Py1FRc/5cQwPxdGGzo/q604oAyXEeXwHzrrVIZF1SrC33wTDtCn5PqLL/92t + E3sCyCAQNuGP4bLL8tMYOvzYuhurPzFlV/ijpDXc+GWdpeAf00g8m1ZLBFUuFLAy + Ymx/zgN7WOheBPqJSrt/l00k+FjSi3A++iGYFD9ro52jfDctV6j//Qv5HhEDgOi4 + UtvC3A02bb44IB7255pC1cZ8VCe7VGHIV40DwHt1103jRhDflicP9mDgicP2YquF + bM3aSjmxkhx1lkUUfbJpHRdiIcjaSazhWwUGIYCV5dDNqs/bwSuWXp5TXuUd5YLR + pIDaaQIDAQABo4IBFDCCARAwHQYDVR0OBBYEFOBTIefcIZSf3fW3IMVZWhzv6B8F + MIHgBgNVHSMEgdgwgdWAFOBTIefcIZSf3fW3IMVZWhzv6B8FoYGxpIGuMIGrMQsw + CQYDVQQGEwJBVDEPMA0GA1UECBMGU3R5cmlhMQ0wCwYDVQQHEwRHcmF6MRYwFAYD + VQQKEw1jaGFvcyBhdCBob21lMQ8wDQYDVQQLEwZzeXNvcHMxGTAXBgNVBAMTEGNo + YW9zIGF0IGhvbWUgQ0ExEDAOBgNVBCkTB0Vhc3lSU0ExJjAkBgkqhkiG9w0BCQEW + F2FkbWluQGNoYW9zLWF0LWhvbWUub3JnggkA4Zxd/eqe98EwDAYDVR0TBAUwAwEB + /zANBgkqhkiG9w0BAQsFAAOCAgEAJRsbExbfH/8EwAFwRlzXQaBocQvEISvnI50e + LDNv8uqWEdxQRXflD9BwzSivVeV5iNqspzwDETMTkj+ZDHA/gHJogR3Tl3jupQ2H + 
S0GBSfzv/2LeOGM88WfvOqLix9aKRhBvKPgzvm0ythD5+BA+pHoO/Hi6QxZQosMU + zBMcYZwASoOGn7jDDaXAtymyMl9SYHASPc15i3tYUHQrnZHl0vunJS6yTCHcOxOw + bd7ZNSyvLWF4mymE7tFFXtQ0g6mFX41wyRX0YAXYnV6qHGaFg81PO9wwSYRE90eq + nalqFM+8Q8G+avVlpbVN956S/SxaJzZZMrwBFOWgf09epO6ULjKQ2efoYQhCUHJo + xx3KkZhYIlqYlQ67cOlKHry4rNIZissUHFrVSYtsQG+F2PvIgmY5sefCNWujUj3m + 9R5o9p1ox4SNt0XuIh92xLLv9AKhSKaI0eMh07hZFT1RnoO6I35QPtVI7bqx8ryT + Hgd5pnSvdySd1JUDS8D/W0BTkPmDhjMad4GNAGpKhvNumZqOFTw3IeSN+oWWMhYt + z4mYklW/xDdkbFHoaZK0FFlJl6aM+qGNoOarRx1XlA+jT5GQl5ZbIVDENfRJBEt4 + 63sa1VvytDA7qx61roJ2jnZPZPnxbSGCgljEbgjb0LKSddOFx+sgqzc1c8KgmOlf + 6XrTyAc= + -----END CERTIFICATE----- + +openvpn_dhparams: "{{ vault_openvpn_dhparams }}" +openvpn_ta_key: "{{ vault_openvpn_ta_key }}" diff --git a/inventory/host_vars/ch-jump.yml b/inventory/host_vars/ch-jump.yml index b46120f1..94b55319 100644 --- a/inventory/host_vars/ch-jump.yml +++ b/inventory/host_vars/ch-jump.yml @@ -14,7 +14,9 @@ install: size: 10g interfaces: - bridge: br-svc - name: primary0 + name: svc0 + - bridge: br-mgmt + name: mgmt0 autostart: True network: @@ -23,7 +25,7 @@ network: systemd_link: interfaces: "{{ install.interfaces }}" primary: - interface: primary0 + interface: svc0 ip: "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets[inventory_hostname]) | ipaddr('address') }}" mask: "{{ network_zones.svc.prefix | ipaddr('netmask') }}" gateway: "{{ network_zones.svc.gw }}" diff --git a/inventory/host_vars/ch-router.yml b/inventory/host_vars/ch-router.yml index fe313d87..a4d8c2c7 100644 --- a/inventory/host_vars/ch-router.yml +++ b/inventory/host_vars/ch-router.yml 
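Review bot: The new `openvpn_ca_certificate` is a public CA certificate, but nothing in the file says so, and a reader seeing it next to the `vault_*` references below may wonder whether it belongs in the vault too; a header comment such as `# Public CA certificate for the 'extern' OpenVPN instance; private material (dh params, tls-auth key) is referenced from the vault below` would settle that. Decoding the validity fields embedded in the base64 (`...MB4XDTE1MDUwMjAxMDQ0NFoXDTI1MDQyOTAxMDQ0NFow...`) suggests a notBefore of 2015-05-02 and a notAfter of 2025-04-29, so the CA has a fixed expiry that nothing here tracks. Recording that date in the same comment, together with where the CA key is kept, makes the eventual rotation of the CA, the server certificate in ch-router.yml and every client certificate plannable instead of a surprise.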
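Review bot: The new `mgmt0` interface on `br-mgmt` has no matching stanza in the `network` mapping visible here — the only interface configured is `primary: interface: svc0` — so unless a `mgmt` entry exists outside this hunk the leg into the management VLAN comes up without an address, even though a `ch-jump: 22` offset was added to the mgmt zone in network.yml in this same commit. Separately, ch-jump is the host ch-router exposes from the WAN via the port-2342 DNAT, so giving it an interface on the management network widens what is reachable from it if it is ever compromised; if that is intended, a comment on the `- bridge: br-mgmt` entry stating why the jump host needs a management leg (and what filters it on the mgmt side) would document the decision. The `install` mapping continues outside the hunk.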
@@ -27,9 +27,75 @@ openwrt_packages_add: - usbutils - kmod-ipt-nat - kmod-ipt-conntrack - + - openvpn openwrt_mixin: + /etc/openvpn/ca.crt: + content: "{{ openvpn_ca_certificate }}" + + /etc/openvpn/dhparams: + mode: "0600" + content: "{{ openvpn_dhparams }}" + + /etc/openvpn/ta.key: + mode: "0600" + content: "{{ openvpn_ta_key }}" + + /etc/openvpn/server.crt: + content: | + -----BEGIN CERTIFICATE----- + MIIHXDCCBUSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBqzELMAkGA1UEBhMCQVQx + DzANBgNVBAgTBlN0eXJpYTENMAsGA1UEBxMER3JhejEWMBQGA1UEChMNY2hhb3Mg + YXQgaG9tZTEPMA0GA1UECxMGc3lzb3BzMRkwFwYDVQQDExBjaGFvcyBhdCBob21l + IENBMRAwDgYDVQQpEwdFYXN5UlNBMSYwJAYJKoZIhvcNAQkBFhdhZG1pbkBjaGFv + cy1hdC1ob21lLm9yZzAeFw0xNTA1MDIwMTU3NDZaFw0yNTA0MjkwMTU3NDZaMIGi + MQswCQYDVQQGEwJBVDEPMA0GA1UECBMGU3R5cmlhMQ0wCwYDVQQHEwRHcmF6MRYw + FAYDVQQKEw1jaGFvcyBhdCBob21lMQ8wDQYDVQQLEwZzeXNvcHMxEDAOBgNVBAMT + B3BhbmRvcmExEDAOBgNVBCkTB0Vhc3lSU0ExJjAkBgkqhkiG9w0BCQEWF2FkbWlu + QGNoYW9zLWF0LWhvbWUub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC + AgEAvwp3VeAZ2+uWLv0ePQ+I8T+0JMQkCdpv2Hn8gEQyUe4ubPtR6SE7455mXtGS + WA67M9uHmX6jleQmap7VQPweBy5UD6ge5q39oJMB5G2wug2/QRcgTZVF1r14ZEmk + mI31fQBHI/8M3gtMGzB5q0ohsaOuNSEyQir/CBDlDoyOzcVKRC3hQ4DVqD1Trp2M + +bxINC9jcQUQd/U5+Ui51tlSBMs/M+0gAlD0kypgcQNZcDDsLW+iTF79/XMweowp + bRDv8GbabL1E5kMYL1Ii0vNV6xmjbiyI/tX4DMyKa5d2LI80X932U/ILyq01GVhq + bhribfZzqfJhC7zAc09zw2NfQ2F6ZAAcTMmCK/GFTpKWgBufRl7gr93f3mNDzVP4 + 9KDvQa62CUKEy7ELwxpAEyAlGEkym2Nw+SfiAy2W2uHrpV5UF4uVs58MKUnq3Ktw + O04comiuLnXkY9/7USrMngnuJdxcwd6kEXuk6WUZGHWhgGkdP6Ww5DE2HNicSHnT + 2gJFOkvvyXO5G7rmndJgK4dlsDuTdax6obIVyVEn20L8sLhuzQwfg1Z+1rnvkZVC + 0n9gYp104e36HrAhX5xYwkZ2sn1Rls/PU94ciH/7TjCXOxdOLcXw4yo2btsGNtli + 9I/tjPn5GHgLWa8VCGdGBsij7XP2AqPFGnzqS2lFi28YxukCAwEAAaOCAZAwggGM + MAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMDQGCWCGSAGG+EIBDQQnFiVF + YXN5LVJTQSBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQWBBR/ + DVVuzBz4Tb2mji2hC3IeOR5t7jCB4AYDVR0jBIHYMIHVgBTgUyHn3CGUn931tyDF + 
WVoc7+gfBaGBsaSBrjCBqzELMAkGA1UEBhMCQVQxDzANBgNVBAgTBlN0eXJpYTEN + MAsGA1UEBxMER3JhejEWMBQGA1UEChMNY2hhb3MgYXQgaG9tZTEPMA0GA1UECxMG + c3lzb3BzMRkwFwYDVQQDExBjaGFvcyBhdCBob21lIENBMRAwDgYDVQQpEwdFYXN5 + UlNBMSYwJAYJKoZIhvcNAQkBFhdhZG1pbkBjaGFvcy1hdC1ob21lLm9yZ4IJAOGc + Xf3qnvfBMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIFoDASBgNVHREE + CzAJggdwYW5kb3JhMA0GCSqGSIb3DQEBCwUAA4ICAQBTa8rgGfdlmKOhrzZEPUCZ + eAEICIpI1GnrHNLNAmbM4OIEO8lNPEVcsalqJSvFXaRh5lRBd4zGDhE2sehL13sX + ceeZTh4Ss6xBguHWh3ZCLcZimqbritAF9zl53Aer6AeCw0lYTlgFVgZBPU9X4UXV + mKqrmuorOy34vN/slRcsACrlWXonYAIrhSf6KPnTfmewp7c9LG2M8PBab05QC2tt + NYy9lKN6bf6e16lTREInQcf6t29OihbgWeOur4EdFg5QuckYDvr/fbbK1D2tVFjR + 9p8jgb7gJfvbqSc9oA6RoLQCr5mpTZeYrJWoCGlT943sXwTemPSL9NcDq/hr0RDY + uYUGWWR7uKi4RwGt1S5TvpEsE0p1KeiEpytInC4crWUeX5eU5oHqEmwbKFTkzTXM + yTj6EL4hTK5nHCGPYgY6umnPnTEc/Z7/kB9GPV4dOqu8qCWL+82+4y5PPSw/6H9B + BY5WYFlE66aYHpRvAseN7HKU1lqcX09rx6vTjVKtBilga3m44pOxPPgI9FN6XYQl + r43j0QX7FStrSTBkU7QgkXimU7jxJF7PczAhwQW8+Eyk2T2C9o8/w6T27UqMVByB + xnw1Z7IOVbenP1JUpX+xKvweCFjkcdGHF+bQ3ufWmo3MIwsapKC1859E37ENqWaF + 8ucdxgsmNPJk/dyj/4vqxQ== + -----END CERTIFICATE----- + + /etc/openvpn/server.key: + mode: "0600" + content: "{{ vault_openvpn_key }}" + + /etc/openvpn/ipp.txt: + mode: "0444" + content: | + pan,192.168.8.4 + mimas,192.168.8.8 + /etc/dropbear/authorized_keys: content: "{{ ssh_keys_root | join('\n') }}\n" 
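Review bot: `/etc/openvpn/ipp.txt` is deployed with `mode: "0444"` while the uci stanza later in this file hands it to `ifconfig_pool_persist` without a seconds argument; as I read the OpenVPN manual the default is to rewrite the file every 600 s, so a daemon running as `nobody` will log a write failure on every interval (the mappings themselves still apply, since the file is read at start). If the file is meant to be managed only by Ansible, `ifconfig_pool_persist: '/etc/openvpn/ipp.txt 0'` marks it read-only on the OpenVPN side and removes the noise. A comment on the mixin entry noting that the two client mappings are static and not learned at runtime would make the 0444 intent clear. `openwrt_mixin` continues outside this hunk.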
@@ -72,15 +138,32 @@ openwrt_mixin: iptables -A INPUT -i "$MGMT_IF" -d "$MGMT_IPADDR" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT + ## VPN Traffic + iptables -A FORWARD -i extern0 -s 192.168.8.0/24 -o "$SVC_IF" -j ACCEPT + iptables -A FORWARD -i "$SVC_IF" -o extern0 -d 192.168.8.0/24 -j ACCEPT + + ## WAN Traffic # iptables -A INPUT -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p icmp -j ACCEPT iptables -A INPUT -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport "$SSH_PORT" -j ACCEPT + iptables -A INPUT -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p udp --dport 1194 -j ACCEPT iptables -A INPUT -i "$MAGENTA_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 2342 -j DNAT --to "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-jump']) | ipaddr('address') }}" iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -d "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-jump']) | ipaddr('address') }}" -p tcp --dport 2342 -j ACCEPT + iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 80 -j DNAT --to "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-web']) | ipaddr('address') }}" + iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 443 -j DNAT --to "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-web']) | ipaddr('address') }}" + iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -d "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-web']) | ipaddr('address') }}" -p tcp --dport 80 -j ACCEPT + iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -d "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-web']) | ipaddr('address') }}" -p tcp --dport 443 -j ACCEPT + + iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 143 -j DNAT --to "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-mail']) | 
ipaddr('address') }}:144" + iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 993 -j DNAT --to "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-mail']) | ipaddr('address') }}" + iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -d "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-mail']) | ipaddr('address') }}" -p tcp --dport 144 -j ACCEPT + iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -d "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-mail']) | ipaddr('address') }}" -p tcp --dport 993 -j ACCEPT + + ## LAN Traffic # @@ -105,6 +188,7 @@ openwrt_mixin: iptables -F INPUT iptables -P FORWARD ACCEPT iptables -F FORWARD + iptables -t nat -F PREROUTING iptables -t nat -F POSTROUTING } @@ -141,6 +225,39 @@ openwrt_uci: RootPasswordAuth: 'off' Port: '{{ ansible_port | default(22) }}' + openvpn: + - name: openvpn 'extern' + options: + enabled: '1' + port: '1194' + proto: 'udp' + dev_type: 'tun' + dev: 'extern0' + + server: '192.168.8.0 255.255.255.0' + client_to_client: '1' + ifconfig_pool_persist: '/etc/openvpn/ipp.txt' + push: + - 'route 192.168.28.0 255.255.255.0' + - 'route 192.168.32.0 255.255.255.0' + + tls_auth: '/etc/openvpn/ta.key 0' + ca: '/etc/openvpn/ca.crt' + cert: '/etc/openvpn/server.crt' + key: '/etc/openvpn/server.key' + dh: '/etc/openvpn/dhparams' + + tls_cipher: 'DHE-RSA-AES256-SHA' + cipher: 'AES-256-CBC' + auth: 'SHA256' + comp_lzo: 'yes' + + keepalive: '10 120' + persist_key: '1' + persist_tun: '1' + user: 'nobody' + verb: '3' + network: - name: globals 'globals' options: 
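Review bot: The return-direction VPN rule `iptables -A FORWARD -i "$SVC_IF" -o extern0 -d 192.168.8.0/24 -j ACCEPT` accepts new connections from any service-network host towards VPN clients, which is broader than the WAN rules in the same script that rely on `--ctstate RELATED,ESTABLISHED`; unless clients are meant to be reachable from the service network, `iptables -A FORWARD -i "$SVC_IF" -o extern0 -d 192.168.8.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` limits it to replies. The interface name `extern0` is spelled out here and again as `dev: 'extern0'` in the uci stanza, while every other interface in the script goes through a `$..._IF` variable; lifting it into one such variable keeps the two from drifting apart. The firewall function this hunk belongs to starts and ends outside the hunk.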
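Review bot: The `openvpn` uci stanza pins `tls_cipher: 'DHE-RSA-AES256-SHA'` and sets `comp_lzo: 'yes'`; the former restricts the control channel to a single TLS 1.0-era suite with a SHA-1 MAC, and the latter enables compression on the tunnel, which the OpenVPN project itself advises against because of compression side-channels. Dropping `tls_cipher` lets OpenVPN negotiate its current defaults, `comp_lzo: 'no'` removes the compression exposure, and — if the OpenWrt build and the clients are 2.4 or newer — `cipher: 'AES-256-GCM'` replaces CBC+HMAC with an AEAD mode; each of these is a one-line change here but must be mirrored in the client configs, which are not part of this commit. `user: 'nobody'` without a matching `group` option leaves the daemon's group unchanged after privilege drop, worth a `group: 'nogroup'` (or whatever the OpenWrt image provides) alongside it.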
@@ -176,6 +293,13 @@ openwrt_uci: ipaddr: "{{ network_zones.mgmt.prefix | ipaddr(network_zones.mgmt.offsets[inventory_hostname]) | ipaddr('address') }}" netmask: "{{ network_zones.mgmt.prefix | ipaddr('netmask') }}" + - name: route 'lan' + options: + interface: svc + target: "{{ network_zones.lan.prefix | ipaddr('network') }}" + netmask: "{{ network_zones.lan.prefix | ipaddr('netmask') }}" + gateway: "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-gw-lan']) | ipaddr('address') }}" + virsh_domxml: | <domain type='kvm'> diff --git a/inventory/hosts.ini b/inventory/hosts.ini index 048283a9..ac336af2 100644 --- a/inventory/hosts.ini +++ b/inventory/hosts.ini @@ -45,7 +45,9 @@ ch-sw1 host_name=sw1 ch-ap0 host_name=ap0 ch-ap1 host_name=ap1 - +[chaos_at_home_vpn_extern] +ch-router +ch-pan [realraum:vars] host_domain=realraum.at |