From 0f6cabbae37d2750a1841d2e1abd07eca064af29 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Sun, 20 Nov 2022 23:30:00 +0100 Subject: add wireguard-based remote vpn connections to ch-(pan|mimas) --- inventory/host_vars/ch-router.yml | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) (limited to 'inventory/host_vars/ch-router.yml') diff --git a/inventory/host_vars/ch-router.yml b/inventory/host_vars/ch-router.yml index 794ae485..ce4ed984 100644 --- a/inventory/host_vars/ch-router.yml +++ b/inventory/host_vars/ch-router.yml @@ -163,8 +163,9 @@ openwrt_mixin: define prefix_mgmt = {{ network_zones.mgmt.prefix }} define prefix_openvpn = 192.168.8.0/24 define prefix_remote = 192.168.51.0/24 + define prefix_svc = {{ network_zones.svc.prefix }} define prefixes_internal = { {{ network_zones.svc.prefix }}, {{ network_zones.lan.prefix }} } - + define ip_prometheus_legacy = {{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }} table inet global { ## INPUT 
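Review bot: The new `define prefix_svc` line introduces a variable for `network_zones.svc.prefix`, but the `prefixes_internal` set on the very next line still expands the same Jinja value inline, so the two can silently drift if one is edited later. If the nft version in use accepts variable references inside set literals, `define prefixes_internal = { $prefix_svc, {{ network_zones.lan.prefix }} }` keeps a single source of truth. A one-line comment above `ip_prometheus_legacy`, e.g. `## single lan host that is exposed to the remote zone separately from the lan prefix`, would also help, since the reason for carving out that one address only becomes visible in the forward rules further down. The enclosing `openwrt_mixin` block scalar starts before and continues after this hunk.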
@@ -213,8 +214,8 @@ openwrt_mixin:
 iif $nic_internal ip saddr $prefixes_internal oif $nic_magenta accept
 iif $nic_internal ip saddr $prefixes_internal oifname $nic_openvpn ip daddr $prefix_openvpn accept
 iifname $nic_openvpn ip saddr $prefix_openvpn oif $nic_internal ip daddr $prefixes_internal accept
- iif $nic_internal ip saddr $prefixes_internal oifname $nic_remote ip daddr $prefix_remote accept
- iifname $nic_remote ip saddr $prefix_remote oif $nic_internal ip daddr $prefixes_internal accept ## TODO: review allowed connections
+ iif $nic_internal ip saddr { $prefix_svc, $ip_prometheus_legacy } oifname $nic_remote ip daddr $prefix_remote accept
+ iifname $nic_remote ip saddr $prefix_remote oif $nic_internal ip daddr { $prefix_svc, $ip_prometheus_legacy } accept
 {% for name, svc in network_services.items() %}
 iif $nic_magenta oif $nic_internal ip daddr {{ svc.addr }} tcp dport { {{ svc.ports | join(', ') }} } accept comment "Service: {{ name }}"
 {% endfor %}
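Review bot: The `## TODO: review allowed connections` marker disappears with the old rule, yet the replacement pair still accepts traffic in both directions between `$prefix_remote` and `{ $prefix_svc, $ip_prometheus_legacy }` with no `ct state` or port qualifier, so connections may be initiated from the remote side towards every port of the legacy prometheus host as well as the whole svc prefix. If the forward chain already accepts established/related flows earlier (outside this hunk), the second rule only matters for remote-initiated connections and should state whether that is intended, e.g. `## remote sites may initiate connections into svc and to the legacy prometheus host`. If remote-initiated access to that host is only needed for scraping, narrowing its element with `tcp dport <PROMETHEUS_PORT>` (placeholder) would match the tighter scope the new defines were introduced for. The chain these rules belong to begins before and ends after the hunk.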
@@ -362,24 +363,24 @@ openwrt_uci: - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets[inventory_hostname]) }}" nohostroute: 1 - - name: wireguard_remote 'ch-pan' + - name: wireguard_remote 'pan' options: - public_key: "" ## TODO + public_key: "sd/OqiO0hktuJ3FvIBnM8RJpqG0lkN7wWJjdKbU1TSw=" # preshared_key: "" endpoint_host: "{{ hostvars['ch-pan'].network.primary.address | ansible.utils.ipaddr('address') }}" endpoint_port: 51820 allowed_ips: - - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-pan']) }}" + - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-pan']) | ansible.utils.ipaddr('address') }}" persistent_keepalive: 60 - - name: wireguard_remote 'ch-mimas' + - name: wireguard_remote 'mimas' options: - public_key: "" ## TODO + public_key: "ZpvJ3Myn/FSJTqsEkNB5AQaVAuTqfFFCAqLomkeZV3g=" # preshared_key: "" endpoint_host: "{{ hostvars['ch-mimas'].external_ip }}" endpoint_port: 51820 allowed_ips: - - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-mimas']) }}" + - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-mimas']) | ansible.utils.ipaddr('address') }}" persistent_keepalive: 60 sqm: -- cgit v1.2.3
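Review bot: The peer section names change from `'ch-pan'`/`'ch-mimas'` to `'pan'`/`'mimas'` while the `hostvars[...]` and `offsets[...]` lookups in the same stanzas keep the full `ch-` hostnames, which reads as an inconsistency unless the shorter names are required for the UCI section or interface name — a comment such as `# short section name on purpose: used for the UCI/interface name` would make that explicit. The `# preshared_key: ""` lines stay commented out now that the `## TODO` is gone; either drop them or note that these tunnels intentionally run without WireGuard's optional preshared key. The public keys added here are fine to keep in version control, since only the private keys are secret. Dropping the prefix length from `allowed_ips` via `ipaddr('address')` presumably relies on the consumer treating a bare address as a single-host route — confirm that matches how `wireguard_remote` peers are rendered on the router.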