From a895214d8fe4b515fbef15a7f919c5177543ac56 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sat, 29 Feb 2020 03:29:26 +0100
Subject: wireguard gateway works now (it is quite ugly though)
---
 roles/elevate/media/templates/firewall/elevate-festival.sh.j2 | 5 +++--
 roles/elevate/media/templates/netplan/elevate-festival.yaml.j2 | 10 ++--------
 2 files changed, 5 insertions(+), 10 deletions(-)
(limited to 'roles/elevate/media')
diff --git a/roles/elevate/media/templates/firewall/elevate-festival.sh.j2 b/roles/elevate/media/templates/firewall/elevate-festival.sh.j2
index 987117c8..fea33cc2 100644
--- a/roles/elevate/media/templates/firewall/elevate-festival.sh.j2
+++ b/roles/elevate/media/templates/firewall/elevate-festival.sh.j2
@@ -19,8 +19,8 @@
 LAN_IF="{{ network.primary.interface }}"
 LAN_IPADDR="{{ network.primary.ip }}"
 LAN_NETMASK="{{ network.primary.mask }}"
-EXT_IF="{{ network.primary.interface }}.{{ network_zones.ccinet.vlan }}"
-EXT_IPADDR="{{ network_zones.ccinet.prefix | ipaddr(network_zones.ccinet.offsets[inventory_hostname]) | ipaddr('address') }}"
+EXT_IF="wg-gwhetzner"
+EXT_IPADDR="192.168.254.2"
 EXT_SERVICES_TCP="80 443 22000"
 EXT_SERVICES_UDP=""
@@ -34,6 +34,7 @@ ipv4_up() {
 $FILTER -A INPUT -i lo -j ACCEPT
 $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -s "$LAN_IPADDR/$LAN_NETMASK" -j ACCEPT
+ $FILTER -A INPUT -i "$LAN_IF" -d "$LAN_IPADDR" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 $FILTER -A INPUT -i "$EXT_IF" -d "$EXT_IPADDR" -p icmp -j ACCEPT
 for port in $EXT_SERVICES_TCP; do
diff --git a/roles/elevate/media/templates/netplan/elevate-festival.yaml.j2 b/roles/elevate/media/templates/netplan/elevate-festival.yaml.j2
index 3c2bbb78..3bd97cb6 100644
--- a/roles/elevate/media/templates/netplan/elevate-festival.yaml.j2
+++ b/roles/elevate/media/templates/netplan/elevate-festival.yaml.j2
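Review bot: EXT_IF and EXT_IPADDR become literal values (`wg-gwhetzner`, `192.168.254.2`) in a template whose every other address is rendered from inventory, and the netplan template changed in the same commit removes the ccinet VLAN without defining any interface of that name, so the firewall now depends on a tunnel that is configured somewhere this commit does not show. If the WireGuard interface name and tunnel address already live in a role or zone variable, referencing them here (`EXT_IF="{{ <wg gateway interface variable> }}"`, `EXT_IPADDR="{{ <wg gateway tunnel address variable> }}"`) keeps the two from drifting: the INPUT rules further down match `-d "$EXT_IPADDR"`, so a renumbered tunnel would silently stop being accepted rather than fail loudly. Until that is factored out, a comment above the two lines naming the dependency would help, e.g. `# WireGuard tunnel toward the Hetzner gateway (configured outside this template); keep in sync with the tunnel address`.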
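Review bot: The added RELATED,ESTABLISHED rule sits after the rule that already accepts everything from `$LAN_IPADDR/$LAN_NETMASK` on `$LAN_IF`, so it only affects flows from outside the LAN subnet arriving on the primary interface — presumably replies to connections this host now opens via the default gateway moved onto that interface — and no equivalent rule is visible for `$EXT_IF`, so replies on the tunnel would depend on rules outside this hunk. A single interface-independent pair placed before the per-interface rules states the intent once and covers both sides: `$FILTER -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` followed by `$FILTER -A INPUT -m conntrack --ctstate INVALID -j DROP`. Whichever placement stays, a comment on the line saying why LAN_IF needs established traffic from non-LAN sources (`# replies for outbound connections routed via the primary interface's default gateway`) would spare the next reader the reconstruction. ipv4_up's body continues beyond the hunk, so the rest of the INPUT chain is not visible here.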
@@ -4,14 +4,8 @@ network:
 ethernets:
 {{ network.primary.interface }}:
 addresses: [ {{ (network.primary.ip + '/' + network.primary.mask) | ipaddr('address/prefix') }} ]
- accept-ra: false
- vlans:
- {{ network.primary.interface }}.{{ network_zones.ccinet.vlan }}:
- id: {{ network_zones.ccinet.vlan }}
- link: {{ network.primary.interface }}
- addresses: [ {{ network_zones.ccinet.prefix | ipaddr(network_zones.ccinet.offsets[inventory_hostname]) | ipaddr('address/prefix') }} ]
- gateway4: {{ network_zones.ccinet.gateway }}
+ gateway4: {{ network.primary.gateway }}
 accept-ra: false
 nameservers:
 search: [ {{ network.domain }} ]
- addresses: {{ network_zones.ccinet.dns | to_json }}
+ addresses: {{ network.nameservers | to_json }}
--
cgit v1.2.3
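Review bot: With `gateway4` now on the primary interface, the host's default route leaves via the LAN while the firewall template in this commit treats the WireGuard tunnel as the external side, so replies to connections that arrive through the tunnel will follow the LAN default route unless a route or policy rule for those flows exists in the tunnel configuration, which this template does not show. If that is handled by the wg-gwhetzner tunnel setup, a comment above `gateway4:` stating so (`# default route via the LAN gateway; traffic for the wg-gwhetzner tunnel is routed by the tunnel configuration`) would record the dependency where the next reader of this file will look. The newly referenced `network.primary.gateway` and `network.nameservers` are not guaranteed by anything visible here either; a host lacking them fails at render time, which is preferable to a silently wrong route but worth stating in the role's variable documentation.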