From b7a455303f42911005c6e0f47a2864af613ffd6e Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Tue, 20 Feb 2024 18:10:17 +0100
Subject: ele-router: add vpn for mixer vlan
---
 inventory/host_vars/ele-router-hmtsaal.yml | 80 ++++++++++++++++++++++++++++--
 1 file changed, 75 insertions(+), 5 deletions(-)
(limited to 'inventory/host_vars/ele-router-hmtsaal.yml')
diff --git a/inventory/host_vars/ele-router-hmtsaal.yml b/inventory/host_vars/ele-router-hmtsaal.yml
index 9bb96ed3..5198e388 100644
--- a/inventory/host_vars/ele-router-hmtsaal.yml
+++ b/inventory/host_vars/ele-router-hmtsaal.yml
@@ -59,6 +59,20 @@ openwrt_network_base:
 netmask: "{{ network_mgmt_zone.prefix | ansible.utils.ipaddr('netmask') }}"
 accept_ra: 0
+ - name: device
+ options:
+ type: bridge
+ name: "br-mixer"
+ ports:
+ - "eth0.{{ network_zones.mixer.vlan }}"
+
+ - name: interface 'mixer'
+ options:
+ device: "br-mixer"
+ proto: static
+ ipaddr: "{{ network_zones.mixer.prefix | ansible.utils.ipaddr(network_zones.mixer.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}"
+ netmask: "{{ network_zones.mixer.prefix | ansible.utils.ipaddr('netmask') }}"
+ accept_ra: 0
 openwrt_dhcp_external:
@@ -119,6 +133,11 @@ openwrt_dhcp_base:
 interface: 'mgmt'
 ignore: '1'
+ - name: dhcp 'mixer'
+ options:
+ interface: 'mixer'
+ ignore: '1'
+
 openwrt_arch: x86
 openwrt_target: 64
@@ -175,13 +194,30 @@ openwrt_mixin:
 exit 0
 /etc/openvpn/mgmt-ca-cert.pem:
- content: "{{ vault_ovpn_mgmt_ca_cert }}"
+ content: "{{ vault_ovpn_ca_cert }}"
 /etc/openvpn/mgmt-cert.pem:
- content: "{{ vault_ovpn_mgmt_certs[inventory_hostname] }}"
+ content: "{{ vault_ovpn_certs[inventory_hostname] }}"
 /etc/openvpn/mgmt-key.pem:
- content: "{{ vault_ovpn_mgmt_keys[inventory_hostname] }}"
+ content: "{{ vault_ovpn_keys[inventory_hostname] }}"
+ mode: '0400'
+
+ /etc/hotplug.d/openvpn/10-mixer:
+ content: |
+ #!/bin/sh
+ [ "$INSTANCE" != "mixer" ] && exit 0
+ [ "$ACTION" = "up" ] && ip link set up mtu "$3" dev "$2" master "br-mixer"
+ exit 0
+
+ /etc/openvpn/mixer-ca-cert.pem:
+ content: "{{ vault_ovpn_ca_cert }}"
+
+ /etc/openvpn/mixer-cert.pem:
+ content: "{{ vault_ovpn_certs[inventory_hostname] }}"
+
+ /etc/openvpn/mixer-key.pem:
+ content: "{{ vault_ovpn_keys[inventory_hostname] }}"
 mode: '0400'
 /etc/rc.d/S21nftables:
@@ -215,6 +251,8 @@ openwrt_mixin:
 define nic_mgmt = "br-mgmt"
 define prefix_mgmt = {{ network_mgmt_zone.prefix }}
+ define nic_mixer = "br-mixer"
+ define prefix_mixer = {{ network_zones.mixer.prefix }}
 {% for zone_name in network_internal_zone_names %}
 define nic_{{ zone_name }} = eth0.{{ network_zones[zone_name].vlan }}
@@ -227,7 +265,7 @@ openwrt_mixin:
 ip protocol icmp accept
 ip6 nexthdr ipv6-icmp accept
 tcp dport { {{ ansible_port }} } accept
- udp dport { 1194 } accept
+ udp dport { 1194, 1195 } accept
 }
 chain input_internal {
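Review bot: The mixer instance is fed the very same CA, server certificate and key as the mgmt instance (`vault_ovpn_ca_cert`, `vault_ovpn_certs[inventory_hostname]` and `vault_ovpn_keys[inventory_hostname]` appear under both the `mgmt-*` and the `mixer-*` paths), so the only thing that separates the two VPNs is the UDP port a client dials: every client certificate that CA ever issued is accepted by `openvpn mixer`, which in the `@@ -343` hunk relies on `remote_cert_tls: 'client'` alone, and presumably by the mgmt instance too. If mixer clients are not supposed to be able to join the management VPN (or vice versa), issue them from a separate CA or pin each instance to its own client names with `verify_x509_name`/`tls_verify`, and record the decision next to the files: `# NOTE: mgmt and mixer share one PKI; the certificate alone does not select the VPN`. In the hotplug hook a failing `ip link ... master "br-mixer"` leaves the tap outside the bridge without a trace because the script always ends in `exit 0`; `|| logger -t openvpn-hotplug "failed to attach $2 to br-mixer"` on that line would make it visible. The `openwrt_mixin` mapping starts before and continues after this hunk.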
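Review bot: `udp dport { 1194, 1195 } accept` hard-codes the listener port that the `openvpn mixer` stanza hard-codes again as `port: '1195'` (and `1194` for mgmt); the two copies can drift silently, leaving either an unreachable VPN or an accepted port with nothing behind it. A single host var (a constructed name such as `ovpn_mixer_port`) referenced from both the nftables template and the UCI option would keep them in step. This hunk sits inside the nftables block scalar of `openwrt_mixin`, whose chain starts and ends outside the hunk.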
@@ -237,10 +275,17 @@ openwrt_mixin:
 udp dport { bootps, domain, ntp } accept
 }
+ chain input_mixer {
+ ip protocol icmp accept
+ ip6 nexthdr ipv6-icmp accept
+ tcp dport { domain } accept
+ udp dport { domain, ntp } accept
+ }
+
 chain input {
 type filter hook input priority filter; policy drop;
 ct state vmap { established: accept, related: accept, invalid: drop }
- iifname vmap { lo: accept, $nic_mgmt: accept{% for zone_name in network_internal_zone_names %}, $nic_{{ zone_name }}: jump input_internal {% endfor %}, $nic_citycom: jump input_external }
+ iifname vmap { lo: accept, $nic_mgmt: accept, $nic_mixer: jump input_mixer{% for zone_name in network_internal_zone_names %}, $nic_{{ zone_name }}: jump input_internal {% endfor %}, $nic_citycom: jump input_external }
 }
@@ -343,6 +388,31 @@ openwrt_uci:
 data_ciphers_fallback: 'AES-256-GCM'
 allow_compression: 'no'
+ - name: openvpn mixer
+ options:
+ enabled: '1'
+ port: '1195'
+ proto: 'udp'
+ dev: 'ovpn-mixer'
+ dev_type: 'tap'
+
+ server_bridge: 'nogw'
+ keepalive: '10 120'
+ persist_key: '1'
+ persist_tun: '1'
+ user: 'nobody'
+
+ tls_version_min: '1.3'
+ ca: '/etc/openvpn/mixer-ca-cert.pem'
+ cert: '/etc/openvpn/mixer-cert.pem'
+ key: '/etc/openvpn/mixer-key.pem'
+ dh: 'none'
+ remote_cert_tls: 'client'
+ data_ciphers:
+ - 'CHACHA20-POLY1305'
+ data_ciphers_fallback: 'AES-256-GCM'
+ allow_compression: 'no'
+
 prometheus_scrape_endpoint: "{{ network_mgmt_zone.prefix | ansible.utils.ipaddr(network_mgmt_zone.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:9100"
 prometheus_exporters_default:
--
cgit v1.2.3
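Review bot: `chain input_mixer` only governs traffic addressed to the router itself; what a host on `br-mixer` may reach through the router (and every VPN client lands on that bridge at layer 2 via the hotplug hook) is decided by the forward chain, which is not part of this diff. Check that `$nic_mixer` is not swept up by a forward rule written for the internal VLANs, and note that `$prefix_mixer`, defined in the `@@ -215` hunk, is not referenced in any visible hunk, so either the forward rules use it outside this diff or the define is dead. Leaving `bootps` out of the mixer chain is consistent with `dhcp 'mixer'` being `ignore: '1'`; a one-line comment above the chain, `# mixer VLAN: no DHCP from this router, only DNS/NTP to it`, would make that deliberate. The `input` chain and the enclosing nftables block scalar continue outside the hunk.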
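Review bot: `server_bridge: 'nogw'` with no address range means this instance hands bridged clients no IP configuration, and the router's `dhcp 'mixer'` entry is `ignore: '1'`, so clients must be statically addressed or served by another DHCP server on the mixer VLAN; if that is the intent, a comment above the stanza, `# clients get no address from OpenVPN or this router's DHCP; addressing comes from the mixer VLAN`, saves the next reader a debugging session. `user: 'nobody'` is not paired with a `group`, so the de-privileged process keeps its original group; the mgmt stanza just above appears to have the same shape, so match whatever it does rather than diverge. The `openwrt_uci` list starts before and continues after this hunk.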