From 7ded2c6b3b9a1b17b1124f3a1df56a7f5fa97eec Mon Sep 17 00:00:00 2001
From: Sophie Schiller
Date: Wed, 16 Apr 2025 22:41:20 +0200
Subject: [PATCH 1/3] hetzner-dyndns: add rudimentary dyndns

---
 bundles/hetzner-dyndns/items.py | 6 ++++++
 bundles/hetzner-dyndns/metadata.py | 26 ++++++++++++++++++++++++++
 nodes/sophie/vmhost.py | 6 ++++++
 3 files changed, 38 insertions(+)
 create mode 100644 bundles/hetzner-dyndns/items.py
 create mode 100644 bundles/hetzner-dyndns/metadata.py

diff --git a/bundles/hetzner-dyndns/items.py b/bundles/hetzner-dyndns/items.py
new file mode 100644
index 0000000..d278949
--- /dev/null
+++ b/bundles/hetzner-dyndns/items.py
@@ -0,0 +1,6 @@
+directories['/opt/hetzner-dyndns/src'] = {}
+
+git_deploy['/opt/hetzner-dyndns/src'] = {
+ 'repo': 'https://git.franzi.business/sophie/hetzner-dyndns.git',
+ 'rev': 'main',
+}
diff --git a/bundles/hetzner-dyndns/metadata.py b/bundles/hetzner-dyndns/metadata.py
new file mode 100644
index 0000000..a5369f6
--- /dev/null
+++ b/bundles/hetzner-dyndns/metadata.py
@@ -0,0 +1,26 @@
+defaults = {
+ 'systemd-timers': {
+ 'timers': {
+ 'hetzner-dyndns-update': {
+ 'when': 'hourly',
+ },
+ },
+ },
+}
+
+
+@metadata_reactor.provides(
+ 'systemd-timers/timers/hetzner-dyndns-update',
+)
+def command_template(metadata):
+ empty_command = f'/usr/bin/python3 /opt/hetzner-dyndns/src/hetzner-api-dyndns.py --api_key {{}} --zone {node.metadata.get('hetzner-dyndns/zone')} --record {node.metadata.get('hetzner-dyndns/record')}'
+
+ return {
+ 'systemd-timers': {
+ 'timers': {
+ 'hetzner-dyndns-update': {
+ 'command': node.metadata.get('hetzner-dyndns/api_key').format_into(empty_command),
+ },
+ },
+ },
+ }
diff --git a/nodes/sophie/vmhost.py b/nodes/sophie/vmhost.py
index aca520c..95abe56 100644
--- a/nodes/sophie/vmhost.py
+++ b/nodes/sophie/vmhost.py
@@ -8,6 +8,7 @@ nodes['sophie.vmhost'] = {
 'smartd',
 'vmhost',
 'zfs',
+ 'hetzner-dyndns'
 },
 'groups': {
 'debian-bookworm',
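Review bot: `'rev': 'main'` in the git_deploy item tracks a moving branch, so whatever is pushed to that branch is checked out on the next apply and then run hourly as root by the timer this same bundle defines, with no record of which revision ran on a given day. Pinning the deploy to a commit, `'rev': '<pinned-commit-sha>'` (placeholder for the reviewed commit), turns updates of the script into an explicit, reviewable change in this repository instead of an implicit one in the upstream branch. A one-line comment above the `git_deploy` item saying that the `directories` item exists to own the parent path would also help, since the two items share `/opt/hetzner-dyndns/src`.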
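Review bot: The API key is substituted straight into the timer's command line (`--api_key {{}}` filled by `format_into`), so while the unit runs it is readable by every local account through the process list and it shows up in `systemctl status` and journal output for the unit. A safer shape is a root-only file, e.g. a `files` item with `'mode': '0600'` holding the key, with only the path passed on the command line — assuming the script can take the key from a file, which this hunk does not show. Two smaller points: bundlewrap passes reactors the `metadata` argument so that the values they read are tracked, and `node.metadata.get('hetzner-dyndns/zone')` here (and for `record` and `api_key`) should be `metadata.get(...)`; and the f-string reuses single quotes inside its `{...}` expressions, which only parses on Python 3.12 and newer, so double-quoting the inner keys or using `'...'.format(...)` keeps `bw` usable on older interpreters.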
@@ -21,6 +22,11 @@ nodes['sophie.vmhost'] = {
 'groups': {
 'nas': {},
 },
+ 'hetzner-dyndns': {
+ 'zone': 'sophies-kitchen.eu',
+ 'record': 'home.router',
+ 'api_key': vault.decrypt('encrypt$gAAAAABoABHrRTTyOAAFIsHK_g-bubDoNJidbAQ6_0VXyqfal8-wpVMuPPlrw-OtbI1AjNU6Rd1_gKTvwYtNYO9X6RuvuW3TCCH_eitpsoylVEQ0X6SDFNQAFfjkRlOgEiFl85oyTazl'),
+ },
 'interfaces': {
 'br1': {
 'ips': {
-- 
2.39.5

From 380eb02a6d93eb7bb96a3cffbd4be835183b0ef5 Mon Sep 17 00:00:00 2001
From: Sophie Schiller
Date: Thu, 17 Apr 2025 21:39:13 +0200
Subject: [PATCH 2/3] sophie's wireguard to home

---
 nodes/sophie/vmhost.py | 45 +++++++++++++++++++++++++++++++++++++++---
 1 file changed, 42 insertions(+), 3 deletions(-)

diff --git a/nodes/sophie/vmhost.py b/nodes/sophie/vmhost.py
index 95abe56..08a7cd2 100644
--- a/nodes/sophie/vmhost.py
+++ b/nodes/sophie/vmhost.py
@@ -2,13 +2,14 @@ nodes['sophie.vmhost'] = {
 'hostname': '172.19.164.2',
 'bundles': {
 'backup-client',
+ 'hetzner-dyndns',
 'lm-sensors',
- 'nfs-server',
 'mosquitto',
+ 'nfs-server',
 'smartd',
 'vmhost',
+ 'wireguard',
 'zfs',
- 'hetzner-dyndns'
 },
 'groups': {
 'debian-bookworm',
@@ -24,7 +25,7 @@ nodes['sophie.vmhost'] = {
 },
 'hetzner-dyndns': {
 'zone': 'sophies-kitchen.eu',
- 'record': 'home.router',
+ 'record': 'router.home',
 'api_key': vault.decrypt('encrypt$gAAAAABoABHrRTTyOAAFIsHK_g-bubDoNJidbAQ6_0VXyqfal8-wpVMuPPlrw-OtbI1AjNU6Rd1_gKTvwYtNYO9X6RuvuW3TCCH_eitpsoylVEQ0X6SDFNQAFfjkRlOgEiFl85oyTazl'),
 },
 'interfaces': {
@@ -72,6 +73,21 @@ nodes['sophie.vmhost'] = {
 },
 },
 },
+ 'nftables': {
+ 'forward': {
+ '50-router': [
+ 'ct state { related, established } accept',
+ 'oifname br1 accept',
+ ],
+ },
+ 'input': {
+ '50-wireguard': [
+ 'udp dport 1194 accept',
+ 'udp dport 10348 accept',
+ 'udp dport 10349 accept',
+ ],
+ },
+ },
 'smartd': {
 'disks': {
 '/dev/nvme0',
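Review bot: The forward rule `'oifname br1 accept'` accepts forwarding toward br1 from any ingress interface, not only from the WireGuard tunnels this commit introduces, so once IP forwarding is switched on it also covers traffic entering on the other interfaces of this host. Scoping it to the tunnel, `'iifname <wg-ifname> oifname br1 accept'` (placeholder for the interface name the wireguard bundle creates), keeps the routing policy tied to the VPN; this assumes the bundle's forward chain defaults to drop, which is not visible here. The input rule `'udp dport 1194 accept'` has no matching peer port in this series (the peers use 10348 and 10349), so a short comment naming what listens on 1194 would stop it reading as a leftover opening. The node dict this sits in starts and ends outside the hunk.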
@@ -115,6 +131,29 @@ nodes['sophie.vmhost'] = {
 },
 },
 },
+ 'wireguard': {
+ 'snat_ip': '172.19.137.2',
+ 'peers': {
+ 'thinkpad': {
+ 'endpoint': None,
+ 'exclude_from_monitoring': True,
+ 'my_ip': '172.19.165.64',
+ 'my_port': 10348,
+ 'their_ip': '172.19.165.65',
+ 'psk': vault.decrypt('encrypt$gAAAAABoAUy3lAHfn7d9Jn4ppiPRr6LOReFGyGS4HzWC5ACHNipDFnGttnOHNji2DGIYVITzj3PosZs7PRn8BvXmwumEXNNP-G0nDucuiNNzUKuOCP4YWaF9-I1tnpmT_td3nqsCDajH'),
+ 'pubkey': vault.decrypt('encrypt$gAAAAABoAUxlf048ovJebqo0MlLiLHcuuTCSmnCzhxSZPrFMjRaFLW0CvC3GnVed_4n7CjjZ6ygrORSl8xyBM5hvbN0-JM_56ZZFpn1UVkizctjHjb1u2XtpGAe2nMAnq2Cdg5swgH9S'),
+ },
+ 'smartphone': {
+ 'endpoint': None,
+ 'exclude_from_monitoring': True,
+ 'my_ip': '172.19.165.66',
+ 'my_port': 10349,
+ 'their_ip': '172.19.165.67',
+ 'psk': vault.decrypt('encrypt$gAAAAABoAUy3lAHfn7d9Jn4ppiPRr6LOReFGyGS4HzWC5ACHNipDFnGttnOHNji2DGIYVITzj3PosZs7PRn8BvXmwumEXNNP-G0nDucuiNNzUKuOCP4YWaF9-I1tnpmT_td3nqsCDajH'),
+ 'pubkey': vault.decrypt('encrypt$gAAAAABoAUxlf048ovJebqo0MlLiLHcuuTCSmnCzhxSZPrFMjRaFLW0CvC3GnVed_4n7CjjZ6ygrORSl8xyBM5hvbN0-JM_56ZZFpn1UVkizctjHjb1u2XtpGAe2nMAnq2Cdg5swgH9S'),
+ },
+ },
+ },
 'zfs': {
 'pools': {
 'storage': {
-- 
2.39.5

From 6a57a26d3dadc63d238505f4b65b0b05e4720dfe Mon Sep 17 00:00:00 2001
From: Sophie Schiller
Date: Thu, 17 Apr 2025 22:25:32 +0200
Subject: [PATCH 3/3] sophie.vmhost: vpn credentials for smartphone

---
 nodes/sophie/vmhost.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/nodes/sophie/vmhost.py b/nodes/sophie/vmhost.py
index 08a7cd2..092e0b2 100644
--- a/nodes/sophie/vmhost.py
+++ b/nodes/sophie/vmhost.py
@@ -97,6 +97,12 @@ nodes['sophie.vmhost'] = {
 '/dev/disk/by-id/ata-ST20000NM007D-3DJ103_ZVT7D6JP',
 },
 },
+ 'sysctl': {
+ 'options': {
+ 'net.ipv4.conf.all.forwarding': '1',
+ 'net.ipv6.conf.all.forwarding': '1',
+ },
+ },
 'systemd-networkd': {
 'bridges': {
 'br0': {
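Review bot: The `thinkpad` and `smartphone` peers carry byte-identical `psk` and `pubkey` ciphertexts, so as committed they describe one WireGuard identity twice — WireGuard keys its peers by public key, so the second entry cannot be a distinct peer. Each device needs its own `pubkey` and its own independently generated preshared key (`wg genpsk`) stored as a separate vault ciphertext; a PSK shared between devices means a compromise of one reveals the extra secret protecting the other's tunnel, which removes the defense-in-depth the PSK exists to add. The later patch in this series replaces only the smartphone `pubkey`, so the shared `psk` still needs its own fix. The enclosing node dict starts and ends outside the hunk.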
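Review bot: `'net.ipv6.conf.all.forwarding': '1'` has a side effect beyond forwarding: with forwarding on, the kernel stops honouring Router Advertisements unless `accept_ra` is set to 2, so if this host's IPv6 address or default route comes from kernel RA processing (rather than networkd's own RA client), the change can silently take IPv6 away — worth confirming against the systemd-networkd section the hunk cuts into. Setting it under `conf.all` also applies to every interface including br0 and br1, so the nftables forward chain added in the previous patch is the only thing limiting what gets routed; a comment here such as `# forwarding for the wireguard peers; restricted in nftables/forward` would make that dependency explicit for the next reader. The enclosing node dict continues outside the hunk.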
@@ -150,7 +156,7 @@ nodes['sophie.vmhost'] = {
 'my_port': 10349,
 'their_ip': '172.19.165.67',
 'psk': vault.decrypt('encrypt$gAAAAABoAUy3lAHfn7d9Jn4ppiPRr6LOReFGyGS4HzWC5ACHNipDFnGttnOHNji2DGIYVITzj3PosZs7PRn8BvXmwumEXNNP-G0nDucuiNNzUKuOCP4YWaF9-I1tnpmT_td3nqsCDajH'),
- 'pubkey': vault.decrypt('encrypt$gAAAAABoAUxlf048ovJebqo0MlLiLHcuuTCSmnCzhxSZPrFMjRaFLW0CvC3GnVed_4n7CjjZ6ygrORSl8xyBM5hvbN0-JM_56ZZFpn1UVkizctjHjb1u2XtpGAe2nMAnq2Cdg5swgH9S'),
+ 'pubkey': vault.decrypt('encrypt$gAAAAABoAWD96YcEFsLzfOCzjS_4Hg7xX516OZ5RD_qFPSEZliaYSRMhY3uyNDtQ--e0dzEwdFHK_xGT3F7jQzYAvftH4iFtk9y3n3FNFVPxqsWckX4cJIX7ZZszbQCq8sfZZXGUR0C9'),
 },
 },
 },
-- 
2.39.5
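Review bot: The `psk` context line for `smartphone` is still the same vault ciphertext the `thinkpad` peer uses, so this commit gives the smartphone its own public key but leaves the preshared key shared between the two devices. The PSK only adds protection per tunnel if each peer has an independently generated one, so `'psk': vault.decrypt('<ciphertext of a fresh wg genpsk for smartphone>')` (placeholder for the newly encrypted value) is still needed here. The enclosing node dict runs outside the hunk.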