bundlewrap/nodes/home/router.py

149 lines
5.4 KiB
Python
Raw Normal View History

2020-11-13 22:57:12 +00:00
from bundlewrap.metadata import atomic
2020-11-13 17:47:40 +00:00
nodes['home.router'] = {
2020-11-13 22:57:12 +00:00
'hostname': '172.19.138.1',
2020-11-13 20:41:24 +00:00
'bundles': {
'iptables',
'netdata',
'nginx',
2020-11-13 20:41:24 +00:00
'pppd',
'radvd',
'dhcpd',
'vnstat',
'wide-dhcp6c',
'wireguard',
2020-11-13 20:41:24 +00:00
},
2020-11-21 09:55:09 +00:00
'groups': {
'debian-buster',
},
2020-11-13 17:47:40 +00:00
'metadata': {
'interfaces': {
'enp1s0.23': {
'ips': {
2020-11-13 22:57:12 +00:00
'172.19.139.1/24',
2020-11-13 17:47:40 +00:00
},
},
'enp1s0.42': {
'ips': {
2020-11-13 22:57:12 +00:00
'172.19.138.1/24',
2020-11-13 17:47:40 +00:00
},
},
2020-11-13 20:41:24 +00:00
'enp1s0.100': {
'ignore': True,
},
2020-11-13 17:47:40 +00:00
},
'backups': {
'exclude_from_backups': True,
},
'cron': {
# Our internet provider resets the connection if you're
# connected longer than 24 hours. We install this cronjob
# to make sure we don't get disconnected randomly during the
# day.
'restart_pppd': '23 2 * * * root systemctl restart pppoe',
},
'iptables': {
'custom_rules': [
# This is a router. Allow forwarding traffic for all internal networks.
'iptables_both -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT',
'iptables_both -A FORWARD -i enp1s0.23 -o enp1s0.42 -j REJECT',
'iptables_both -A FORWARD -i enp1s0.23 -j ACCEPT',
'iptables_both -A FORWARD -i enp1s0.42 -j ACCEPT',
# External port 2022 should be home.nas
'iptables -t nat -A PREROUTING -p tcp --dport 2022 -j DNAT --to 172.19.138.20:22',
'iptables -A FORWARD -p tcp -d 172.19.138.20 --dport 22 -j ACCEPT',
],
},
2020-11-13 22:57:12 +00:00
'nameservers': atomic({
'9.9.9.10',
}),
'netdata': {
'restrict-to-interfaces': {
'enp1s0.42',
},
},
'nginx': {
'use_ssl_for_all_connections': False,
'restrict-to-interfaces': {
'enp1s0.42',
},
},
'radvd': {
'integrate-with-pppd': True,
'interfaces': {
'enp1s0.42': {
'rdnss': {
'2001:4860:4860::8888',
'2001:4860:4860::8844',
},
},
},
},
2020-11-13 20:41:24 +00:00
'pppd': {
'username': vault.decrypt('encrypt$gAAAAABfruZ5AZbgJ3mfMLWqIMx8o4bBRMJsDPD1jElh-vWN_gnhiuZVjrQ1-7Y6zDXNkxXiyhx8rxc2enmvo26axd7EBI8FqknCptXAPruVtDZrBCis4TE='),
'password': vault.decrypt('encrypt$gAAAAABfruaXEDkaFksFMU8g97ydWyJF8p2KcSDJJBlzaOLDsLL6oCDYjG1kMPVESOzqjn8ThtSht1uZDuMCstA-sATmLS-EWQ=='),
'interface': 'enp1s0.100',
2020-11-14 11:46:19 +00:00
'dyndns': {
'url': 'https://ns-1.kunbox.net/nic/update?hostname=franzi-home.kunbox.net&myip={ip}',
'username': vault.decrypt('encrypt$gAAAAABfr8DLAJhmUIhdxLq83I8MnRRvkRgDZcO8Brvw1KpvplC3K8ZGj0jIIWD3Us33vIP6t0ybd_mgD8slpRUk78Kqd3BMoQ=='),
'password': vault.decrypt('encrypt$gAAAAABfr8Cq5M1hweeJTQAl0dLhFntdlw-QnkIYUQpY-_ycODVWOpyeAwjwOgWLSdsdXIUvqcoiXPZPV-BE12p5C42NGnj9r7sKYpoGz8xfuGIk6haMa2g='),
},
2020-11-13 20:41:24 +00:00
},
'dhcpd': {
'subnets': {
'home': {
'subnet': '172.19.138.0',
'netmask': '255.255.255.0',
'range_lower': '172.19.138.100',
'range_higher': '172.19.138.250',
'interface': 'enp1s0.42',
'options': {
'routers': '172.19.138.1',
'domain-name-servers': '8.8.8.8, 8.8.4.4',
'domain-name': 'franzi-home.kunbox.net',
'broadcast-address': '172.19.138.255',
'subnet-mask': '255.255.255.0',
},
},
},
},
'users': {
'f2k1de': {
'ssh_pubkey': {
'command="/bin/false",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrvhqC/tZzpLMs/qy+1xNSVi2mfn8LXPIEhh7dcGn9e',
'command="/bin/false",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDH5+j2vDW1FHSSEEI/Sf5qiKJq1uoxGO5BPv84mqohvol7GxDFObv69tn7g6HYfZY/SaS75C4ZXy+cKa0xy8UCpF0SBa2xHASkenS9v55oweDL4rYSPARzn2XKt3RFJG/d8V5NOWtcyq5DFSzewUF35E4hx1pUc/CIxgJEem5ZvzvN0hlIKXUN2djkVUx+mz6RryBysLTJEFBamjJxIkvDG/PZU73W4SHaKAYV4Ojz2NY7T5/NYKePfIU5F9pkE3RU0LRj58usvA1eP0PvEArWlGNCd8EJU+HQ5xr2dZ6MKPpEyG0KJkC88DuapeF5RwUV53ZhNpF+QgzpI72fH5up',
},
},
},
'vnstat': {
'generate-web-dashboard': True,
'interface': 'enp1s0.100',
},
2020-11-13 17:47:40 +00:00
'vm': {
'cpu': 2,
'ram': 2,
},
'wide-dhcp6c': {
'integrate-with-pppd': True,
'source': 'ppp0',
'targets': {
'enp1s0.42': '1',
},
},
'wireguard': {
# TODO autogenerate?
'my_ip': '172.19.137.2/32',
'subnets': {
'172.19.138.0/24',
'172.19.139.0/24',
},
'peers': {
'ovh.wireguard': {
'do_not_initiate_a_connection_from_your_side': True,
},
},
},
2020-11-13 17:47:40 +00:00
},
}