--- ssh_users_root: - equinox - datacop network_mgmt_zone: "{{ network_zones.mgmt }}" wireguard_keys: gwhetzner: pub: "fqaKDJbSj6V0H98d78d/lnFLolefgp6zDPH9bN4+zUY=" priv: "{{ vault_wireguard_priv_keys.gwhetzner }}" wireguard_gateway_tunnels: wg-emc: priv_key: "{{ wireguard_keys.gwhetzner.priv }}" addresses: - 192.168.254.6/30 default_gateway: inner: 192.168.254.5 peers: - pub_key: "{{ hostvars['ele-gwhetzner'].wireguard_keys.emc.pub }}" endpoint: host: 178.63.180.138 # TODO: fix this variable "{{ hostvars['ele-gwhetzner'].external_ip }}" port: 51821 keepalive_interval: 15 allowed_ips: - 0.0.0.0/0 openwrt_network_external: - name: interface 'wanmur' options: device: 'eth5' proto: static ipaddr: "{{ network_zones.murat_transfer.prefix | ansible.utils.ipaddr(network_zones.murat_transfer.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}" netmask: "{{ network_zones.murat_transfer.prefix | ansible.utils.ipaddr('netmask') }}" accept_ra: 0 - name: rule options: priority: 41050 src: "{{ network_zones.murat_transfer.prefix | ansible.utils.ipaddr(network_zones.murat_transfer.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}/32" lookup: 105 - name: rule options: priority: 41051 mark: 105 lookup: 105 - name: route 'murdefault' options: interface: 'wanmur' table: 105 target: '0.0.0.0/0' gateway: "{{ network_zones.murat_transfer.prefix | ansible.utils.ipaddr(network_zones.murat_transfer.offsets['ele-mur']) | ansible.utils.ipaddr('address') }}" - name: interface 'wanlte' options: device: 'eth4' proto: static ipaddr: "{{ network_zones.datacop_lte.prefix | ansible.utils.ipaddr(network_zones.datacop_lte.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}" netmask: "{{ network_zones.datacop_lte.prefix | ansible.utils.ipaddr('netmask') }}" accept_ra: 0 - name: rule options: priority: 41040 src: "{{ network_zones.datacop_lte.prefix | ansible.utils.ipaddr(network_zones.datacop_lte.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}/32" lookup: 104 - name: rule options: priority: 41041 mark: 104 lookup: 104 - name: route 'ltedefault' options: interface: 'wanlte' table: 104 target: '0.0.0.0/0' gateway: "{{ network_zones.datacop_lte.gateway }}" - name: rule options: priority: 50000 lookup: 105 network_internal_zone_names__wanmur: - lan - guest - mixer - infoscreens network_internal_zone_names__wanlte: [] network_internal_zone_names__wgemc: - emc network_internal_zone_names: "{{ network_internal_zone_names__wanmur + network_internal_zone_names__wanlte + network_internal_zone_names__wgemc }}" openwrt_network_internal: "{{ openwrt_network_internal_yaml | from_yaml }}" openwrt_network_internal_yaml: | {% for zone_name in network_internal_zone_names %} - name: "interface '{{ zone_name }}'" options: device: "eth0.{{ network_zones[zone_name].vlan }}" proto: static ipaddr: "{{ network_zones[zone_name].gateway }}" netmask: "{{ network_zones[zone_name].prefix | ansible.utils.ipaddr('netmask') }}" accept_ra: 0 {% endfor %} openwrt_network_base: - name: globals 'globals' options: ula_prefix: "fc{{ '%02x:%04x:%04x' | format((255 | random(seed=inventory_hostname + '0')), (65535 | random(seed=inventory_hostname + '1')), (65535 | random(seed=inventory_hostname + '2'))) }}::/48" - name: interface 'loopback' options: device: lo proto: static ipaddr: 127.0.0.1 netmask: 255.0.0.0 - name: interface 'mgmt' options: device: "eth0.{{ network_mgmt_zone.vlan }}" proto: static ipaddr: "{{ network_mgmt_zone.prefix | ansible.utils.ipaddr(network_mgmt_zone.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}" netmask: "{{ network_mgmt_zone.prefix | ansible.utils.ipaddr('netmask') }}" accept_ra: 0 openwrt_dhcp_external: - name: dhcp 'wanmur' options: interface: 'wanmur' ignore: '1' - name: dhcp 'wanlte' options: interface: 'wanlte' ignore: '1' openwrt_dhcp_internal: "{{ openwrt_dhcp_internal_yaml | from_yaml }}" openwrt_dhcp_internal_yaml: | {% for zone_name in network_internal_zone_names %} - name: "dhcp '{{ zone_name }}'" options: interface: "{{ zone_name }}" {% if 'dhcp' in network_zones[zone_name] %} start: {{ network_zones[zone_name].dhcp.start }} limit: {{ network_zones[zone_name].dhcp.limit }} leasetime: {{ network_zones[zone_name].dhcp.leasetime | default('12h') }} dhcpv6: 'disabled' ra: 'disabled' {% else %} ignore: '1' {% endif %} {% endfor %} openwrt_dhcp_base: - name: dnsmasq options: domainneeded: '1' boguspriv: '0' filterwin2k: '0' localise_queries: '1' rebind_protection: '0' rebind_localhost: '1' local: '/lan/' domain: 'lan' expandhosts: '1' nonegcache: '0' authoritative: '1' readethers: '1' leasefile: '/tmp/dhcp.leases' resolvfile: '/tmp/resolv.conf.auto' localservice: '1' server: - 1.1.1.1 - name: odhcpd 'odhcpd' options: maindhcp: '0' leasefile: '/tmp/hosts/odhcpd' leasetrigger: '/usr/sbin/odhcpd-update' - name: dhcp 'mgmt' options: interface: 'mgmt' ignore: '1' openwrt_arch: x86 openwrt_target: 64 openwrt_profile: generic openwrt_output_image_suffixes: - "{{ openwrt_profile }}-ext4-combined.img.gz" openwrt_packages_remove: - ppp - ppp-mod-pppoe - firewall - odhcpd-ipv6only openwrt_packages_add: - kmod-ipt-nat - kmod-ipt-conntrack - haveged - htop - ip - less - nano - tcpdump-mini - iperf - iperf3 - mtr - iptraf-ng - qos-scripts - wireguard - prometheus-node-exporter-lua - prometheus-node-exporter-lua-nat_traffic - prometheus-node-exporter-lua-netstat - prometheus-node-exporter-lua-openwrt openwrt_mixin: /etc/dropbear/authorized_keys: content: "{{ ssh_keys_root | join('\n') }}\n" /etc/htoprc: file: "{{ global_files_dir }}/common/htoprc" /etc/wireguard/wg-emc.priv: content: "{{ wireguard_gateway_tunnels['wg-emc'].priv_key }}\n" mode: "0600" /etc/rc.d/S21network-wgemc: link: "../init.d/network-wgemc" /etc/rc.d/K91network-wgemc: link: "../init.d/network-wgemc" /etc/init.d/network-wgemc: mode: "0755" content: | #!/bin/sh /etc/rc.common START=21 STOP=91 start() { ip link add dev wg-emc type wireguard wg set wg-emc fwmark 105 private-key /etc/wireguard/wg-emc.priv {% for peer in wireguard_gateway_tunnels['wg-emc'].peers %} wg set wg-emc peer {{ peer.pub_key }} endpoint {{ peer.endpoint.host }}:{{ peer.endpoint.port }} persistent-keepalive {{ peer.keepalive_interval }} allowed-ips {{ peer.allowed_ips | join(',') }} {% endfor %} {% for addr in wireguard_gateway_tunnels['wg-emc'].addresses %} ip addr add dev wg-emc {{ addr }} {% endfor %} ip link set up dev wg-emc ip route add default via {{ wireguard_gateway_tunnels['wg-emc'].default_gateway.inner }} table 200 proto static } stop() { ip link del dev wg-emc } /etc/rc.d/S22network-fw: link: "../init.d/network-fw" /etc/rc.d/K92network-fw: link: "../init.d/network-fw" /etc/init.d/network-fw: mode: "0755" content: | #!/bin/sh /etc/rc.common START=22 STOP=91 start() { ### management MGMT_IF=$(uci get network.mgmt.device) MGMT_IPADDR=$(uci get network.mgmt.ipaddr) MGMT_NETMASK=$(uci get network.mgmt.netmask) iptables -A INPUT -i lo -d 127.0.0.0/8 -j ACCEPT iptables -A INPUT -i "$MGMT_IF" -d "$MGMT_IPADDR" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT ### external zones # mur iptables -A INPUT -i "eth5" -p icmp -j ACCEPT iptables -A INPUT -i "eth5" -p tcp --dport {{ ansible_port }} -j ACCEPT iptables -A INPUT -i "eth5" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # LTE iptables -A INPUT -i "eth4" -p icmp -j ACCEPT iptables -A INPUT -i "eth4" -p tcp --dport {{ ansible_port }} -j ACCEPT iptables -A INPUT -i "eth4" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # Wireguard EMC iptables -A INPUT -i "wg-emc" -p icmp -j ACCEPT iptables -A INPUT -i "wg-emc" -p tcp --dport {{ ansible_port }} -j ACCEPT iptables -A INPUT -i "wg-emc" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -o "wg-emc" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu ### internal zones {% for zone_name in network_internal_zone_names %} # {{ zone_name }} {% if 'dhcp' in network_zones[zone_name] %} iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -p udp --dport 67 --sport 68 -j ACCEPT {% endif %} {% if 'dhcp' in network_zones[zone_name] or network_zones[zone_name].gateway in network_zones[zone_name].dns %} iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -p udp --dport 53 -d "{{ network_zones[zone_name].gateway }}" -s "{{ network_zones[zone_name].prefix }}" -j ACCEPT iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -p tcp --dport 53 -d "{{ network_zones[zone_name].gateway }}" -s "{{ network_zones[zone_name].prefix }}" -j ACCEPT {% endif %} iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -p icmp -d "{{ network_zones[zone_name].gateway }}" -s "{{ network_zones[zone_name].prefix }}" -j ACCEPT iptables -A INPUT -i "eth0.{{ network_zones[zone_name].vlan }}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT {% if zone_name in network_internal_zone_names__wanmur %} {% set ext_interface = "eth5" %} {% set rt_table = "105" %} {% elif zone_name in network_internal_zone_names__wanlte %} {% set ext_interface = "eth4" %} {% set rt_table = "104" %} {% elif zone_name in network_internal_zone_names__wgemc %} {% set ext_interface = "wg-emc" %} {% set rt_table = "200" %} {% endif %} iptables -A FORWARD -i "eth0.{{ network_zones[zone_name].vlan }}" -o "{{ ext_interface }}" -s "{{ network_zones[zone_name].prefix }}" -j ACCEPT iptables -A FORWARD -i "{{ ext_interface }}" -o "eth0.{{ network_zones[zone_name].vlan }}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT iptables -t nat -A POSTROUTING -o "{{ ext_interface }}" -s "{{ network_zones[zone_name].prefix }}" -j MASQUERADE ip rule add pref {{ loop.index + 33000 }} iif "eth0.{{ network_zones[zone_name].vlan }}" lookup {{ rt_table }} {% endfor %} ### iptables -P INPUT DROP iptables -P FORWARD DROP } stop() { iptables -P INPUT ACCEPT iptables -F INPUT iptables -P FORWARD ACCEPT iptables -F FORWARD iptables -t nat -F POSTROUTING {% for zone_name in network_internal_zone_names %} ip rule del pref {{ loop.index + 33000 }} {% endfor %} } openwrt_uci: system: - name: system options: hostname: '{{ host_name }}' timezone: 'CET-1CEST,M3.5.0,M10.5.0/3' ttylogin: '0' log_size: '64' urandom_seed: '0' - name: timeserver 'ntp' options: enabled: '1' enable_server: '0' server: - '0.lede.pool.ntp.org' - '1.lede.pool.ntp.org' - '2.lede.pool.ntp.org' - '3.lede.pool.ntp.org' dropbear: - name: dropbear options: PasswordAuth: 'off' RootPasswordAuth: 'off' Port: '{{ ansible_port }}' prometheus-node-exporter-lua: - name: prometheus-node-exporter-lua 'main' options: listen_interface: 'mgmt' listen_ipv6: '0' listen_port: '9100' dhcp: "{{ openwrt_dhcp_base + openwrt_dhcp_internal + openwrt_dhcp_external }}" network: "{{ openwrt_network_base + openwrt_network_internal + openwrt_network_external }}" prometheus_scrape_endpoint: "{{ network_mgmt_zone.prefix | ansible.utils.ipaddr(network_mgmt_zone.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:9100" prometheus_exporters_default: - openwrt