diff --git a/nodes/home/router.py b/nodes/home/router.py
index cec4327..8040a50 100644
--- a/nodes/home/router.py
+++ b/nodes/home/router.py
@@ -1,6 +1,7 @@
 nodes['home.router'] = {
 'hostname': '172.19.138.1',
 'bundles': {
+ 'bird',
 'dhcpd',
 'nginx',
 'openvpn-client',
@@ -49,6 +50,12 @@ nodes['home.router'] = {
 'backups': {
 'exclude_from_backups': True,
 },
+ 'bird': {
+ 'static_routes': {
+ '172.19.138.0/24',
+ '172.19.139.0/24',
+ },
+ },
 'cron': {
 # Our internet provider resets the connection if you're
 # connected longer than 24 hours. We install this cronjob
@@ -210,12 +217,6 @@ nodes['home.router'] = {
 },
 },
 },
- 'sysctl': {
- 'options': {
- 'net.ipv4.ip_forward': '1',
- 'net.ipv6.conf.all.forwarding': '1',
- },
- },
 'vnstat': {
 'generate-web-dashboard': True,
 'interface': 'enp1s0.100',
@@ -233,13 +234,10 @@ nodes['home.router'] = {
 },
 'wireguard': {
 'external_hostname': 'franzi-home.kunbox.net', # Set via DynDNS
- 'my_ip': '172.19.136.2/22',
 'peers': {
- 'ovh.wireguard': {},
- },
- 'subnets': {
- '172.19.138.0/24',
- '172.19.139.0/24',
+ 'ovh.wireguard': {
+ 'snat_to': '172.19.138.1',
+ },
 },
 },
 },
diff --git a/nodes/htz-cloud/wireguard.py b/nodes/htz-cloud/wireguard.py
index 54229c6..2837438 100644
--- a/nodes/htz-cloud/wireguard.py
+++ b/nodes/htz-cloud/wireguard.py
@@ -1,6 +1,7 @@
 nodes['htz-cloud.wireguard'] = {
 'hostname': '162.55.54.226',
 'bundles': {
+ 'bird',
 'wireguard',
 },
 'groups': {
@@ -30,14 +31,20 @@ nodes['htz-cloud.wireguard'] = {
 'backups': {
 'exclude_from_backups': True,
 },
+ 'bird': {
+ 'static_routes': {
+ '172.19.137.0/24',
+ },
+ },
 'vm': {
 'cpu': 1,
 'ram': 2,
 },
 'wireguard': {
- 'my_ip': '172.19.136.4/22',
 'peers': {
- 'ovh.wireguard': {},
+ 'ovh.wireguard': {
+ 'snat_to': '172.19.137.2',
+ },
 },
 'subnets': {
 '172.19.137.0/24',
diff --git a/nodes/ovh/icinga2.py b/nodes/ovh/icinga2.py
index ce2de74..2b3ebca 100644
--- a/nodes/ovh/icinga2.py
+++ b/nodes/ovh/icinga2.py
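Review bot: The new `snat_to` key under `wireguard` `peers` in nodes/home/router.py (hunk at -233) has no comment, and nothing in this diff shows which traffic the bundle rewrites with it. If it source-NATs everything forwarded into the tunnel, hosts in 172.19.138.0/24 and 172.19.139.0/24 would all reach the peers as 172.19.138.1, so peer-side logs and address-based rules could no longer tell those clients apart, even though the same prefixes are now listed under `bird` `static_routes`. A comment on the key stating its scope would settle this, for example `# source address for traffic this node itself originates; forwarded LAN traffic keeps its own address` if that is the bundle's behaviour. The same key is added without explanation in nodes/htz-cloud/wireguard.py and nodes/ovh/icinga2.py.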
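Review bot: `subnets` with 172.19.137.0/24 survives as context under `wireguard` in nodes/htz-cloud/wireguard.py (hunk at -30), while this commit deletes the equivalent `subnets` block from nodes/home/router.py and moves those prefixes to `bird` `static_routes`. The prefix is now declared twice on this node, and it is not visible here whether the wireguard bundle still reads `subnets`. If it does, the two nodes are routed by different mechanisms; if it does not, the key is dead metadata that will mislead the next edit. Either drop the block as on home.router or keep it with a comment such as `# still required by the wireguard bundle: <reason>`. The `subnets` set continues past the end of the hunk.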
@@ -1,5 +1,6 @@
 nodes['ovh.icinga2'] = {
 'bundles': {
+ 'bird',
 'icinga2',
 'php',
 'postgresql',
@@ -22,12 +23,22 @@ nodes['ovh.icinga2'] = {
 'gateway4': '51.195.44.1',
 'gateway6': '2001:41d0:701:1100::1'
 },
+ 'dummy-snat': {
+ 'ips': {
+ '172.19.136.3',
+ },
+ },
 },
 'apt': {
 'packages': {
 'php-imagick': {},
 },
 },
+ 'bird': {
+ 'static_routes': {
+ '172.19.136.3/32',
+ },
+ },
 'icinga2': {
 'api_users': {
 # Used with
@@ -126,9 +137,10 @@ nodes['ovh.icinga2'] = {
 },
 },
 'wireguard': {
- 'my_ip': '172.19.136.3/22',
 'peers': {
- 'ovh.wireguard': {},
+ 'ovh.wireguard': {
+ 'snat_to': '172.19.136.3',
+ },
 },
 },
 'zfs': {
diff --git a/nodes/ovh/wireguard.py b/nodes/ovh/wireguard.py
index 7e86a9f..f33515d 100644
--- a/nodes/ovh/wireguard.py
+++ b/nodes/ovh/wireguard.py
@@ -1,5 +1,6 @@
 nodes['ovh.wireguard'] = {
 'bundles': {
+ 'bird',
 'wireguard',
 },
 'groups': {
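Review bot: 172.19.136.3 is now written out three times in nodes/ovh/icinga2.py with nothing tying the copies together: `dummy-snat` `ips` and `bird` `static_routes` in the hunk at -22, and `snat_to` in the hunk at -126. If one copy is changed and the others are not, the node would presumably announce a route for an address it does not hold, or source-NAT to an address that is not announced, and this host is the monitoring server whose checks cross the tunnel. A comment at the first occurrence, such as `# must match bird.static_routes and wireguard.peers['ovh.wireguard'].snat_to`, makes the coupling visible. Binding the address once above the node dict and referencing it three times would remove the coupling altogether. Both hunks show only part of the node dict.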
@@ -23,34 +24,26 @@ nodes['ovh.wireguard'] = {
 'cpu': 1,
 'ram': 2,
 },
- 'sysctl': {
- 'options': {
- 'net.ipv4.ip_forward': '1',
- 'net.ipv6.conf.all.forwarding': '1',
- },
- },
 'wireguard': {
- 'my_ip': '172.19.136.1/22',
 'peers': {
 'ovh.icinga2': {},
 'home.router': {},
 'htz-cloud.wireguard': {},
 'kunsi-oneplus3': {
- 'ips': {
- '172.19.136.100/32',
- },
+ 'their_ip': '172.19.136.100',
+ 'my_ip': '172.19.136.99',
+ 'my_port': 51819,
 'psk': vault.decrypt('encrypt$gAAAAABgKYeeuPfokbk7lSbbJX-52kap5Cs3tdCHpezkKcExV-yLTHPjszIcAh1T9wW1BtGElRdZea7VTikV3qEu3bupiSqEW4l2lmD5cn2ERYRfuVCoYSkOlmEGokHUX7Nja4G_A2_x'),
 'pubkey': vault.decrypt('encrypt$gAAAAABgKYdTqLG3DcB13QqQadUxyzIjvSxwgZQNjorQi-ADSLsNdDbhikSAGQnSmGelLB74V175awIIir768WEnpLJUKX6nt_i2BxOP3JazvKZSQECkiK8G-IRn8wWWgKarfmtqRwh6'),
 'exclude_from_monitoring': True,
 },
- 'sophie-ejgwthink': {
- 'ips': {
- '172.19.136.101/32',
- },
- 'psk': vault.decrypt('encrypt$gAAAAABggxrfc9m3t2k1uDLqwK-U6xnYUiL5xjtsdOK8zZhx7u2Jr2OBdbxy9V0h4O3PWuiEHnOGtAP-JdSxa9OFsi5EMcimiBqtCo56oIrwjmT57PpVqEKhWjB0vGVdJSKfU2ikHAVK'),
- 'pubkey': vault.decrypt('encrypt$gAAAAABggxrfw8U3ckR8z7RxILjW4E8wOOsG8GSiVCOMem4UWMGhywWZYd8rRorapJknQrip0WyoniTWmh8INfvU_92uDIZM-0X2-VwpZn2e-Kv18GjUfxFzLbANghesONOq18gXli8Q'),
- 'exclude_from_monitoring': True,
- },
+# 'sophie-ejgwthink': {
+# 'their_ip': '172.19.136.101',
+# 'my_ip': '172.19.136.92',
+# 'psk': vault.decrypt('encrypt$gAAAAABggxrfc9m3t2k1uDLqwK-U6xnYUiL5xjtsdOK8zZhx7u2Jr2OBdbxy9V0h4O3PWuiEHnOGtAP-JdSxa9OFsi5EMcimiBqtCo56oIrwjmT57PpVqEKhWjB0vGVdJSKfU2ikHAVK'),
+# 'pubkey': vault.decrypt('encrypt$gAAAAABggxrfw8U3ckR8z7RxILjW4E8wOOsG8GSiVCOMem4UWMGhywWZYd8rRorapJknQrip0WyoniTWmh8INfvU_92uDIZM-0X2-VwpZn2e-Kv18GjUfxFzLbANghesONOq18gXli8Q'),
+# 'exclude_from_monitoring': True,
+# },
 },
 'restrict-to': {
 '*',
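Review bot: The `sophie-ejgwthink` peer in nodes/ovh/wireguard.py is disabled by commenting it out, which leaves its vault-encrypted `psk` and `pubkey` in the file as dead text with no stated reason. If the peer is gone for good, delete the seven `#` lines (history keeps them) and retire that pre-shared key. If it is meant to return, say so in one line such as `# sophie-ejgwthink disabled: <reason>`, and note that the commented entry has no `my_port` while `kunsi-oneplus3` now sets `my_port` to 51819. The same hunk also removes the `sysctl` forwarding options from the node that relays between all peers, so forwarding there now depends on a bundle this diff does not show. The `wireguard` dict continues past the end of the hunk.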