1 changed files with 42 additions and 3 deletions
--- a/nodes/sophie/vmhost.py
+++ b/nodes/sophie/vmhost.py
@ -2,13 +2,14 @@ nodes['sophie.vmhost'] = {
    'hostname': '172.19.164.2',
    'bundles': {
        'backup-client',
+        'hetzner-dyndns',
        'lm-sensors',
-        'nfs-server',
        'mosquitto',
+        'nfs-server',
        'smartd',
        'vmhost',
+        'wireguard',
        'zfs',
-        'hetzner-dyndns'
    },
    'groups': {
        'debian-bookworm',
@ -24,7 +25,7 @@ nodes['sophie.vmhost'] = {
        },
        'hetzner-dyndns': {
            'zone': 'sophies-kitchen.eu',
-            'record': 'home.router',
+            'record': 'router.home',
            'api_key': vault.decrypt('encrypt$gAAAAABoABHrRTTyOAAFIsHK_g-bubDoNJidbAQ6_0VXyqfal8-wpVMuPPlrw-OtbI1AjNU6Rd1_gKTvwYtNYO9X6RuvuW3TCCH_eitpsoylVEQ0X6SDFNQAFfjkRlOgEiFl85oyTazl'),
        },
        'interfaces': {
@ -72,6 +73,21 @@ nodes['sophie.vmhost'] = {
                },
            },
        },
+        'nftables': {
+            'forward': {
+                '50-router': [
+                    'ct state { related, established } accept',
+                    'oifname br1 accept',
+                ],
+            },
+            'input': {
+                '50-wireguard': [
+                    'udp dport 1194 accept',
+                    'udp dport 10348 accept',
+                    'udp dport 10349 accept',
+                ],
+            },
+        },
        'smartd': {
            'disks': {
                '/dev/nvme0',
@ -115,6 +131,29 @@ nodes['sophie.vmhost'] = {
                },
            },
        },
+        'wireguard': {
+            'snat_ip': '172.19.137.2',
+            'peers': {
+                'thinkpad': {
+                    'endpoint': None,
+                    'exclude_from_monitoring': True,
+                    'my_ip': '172.19.165.64',
+                    'my_port': 10348,
+                    'their_ip': '172.19.165.65',
+                    'psk': vault.decrypt('encrypt$gAAAAABoAUy3lAHfn7d9Jn4ppiPRr6LOReFGyGS4HzWC5ACHNipDFnGttnOHNji2DGIYVITzj3PosZs7PRn8BvXmwumEXNNP-G0nDucuiNNzUKuOCP4YWaF9-I1tnpmT_td3nqsCDajH'),
+                    'pubkey': vault.decrypt('encrypt$gAAAAABoAUxlf048ovJebqo0MlLiLHcuuTCSmnCzhxSZPrFMjRaFLW0CvC3GnVed_4n7CjjZ6ygrORSl8xyBM5hvbN0-JM_56ZZFpn1UVkizctjHjb1u2XtpGAe2nMAnq2Cdg5swgH9S'),
+                },
+                'smartphone': {
+                    'endpoint': None,
+                    'exclude_from_monitoring': True,
+                    'my_ip': '172.19.165.66',
+                    'my_port': 10349,
+                    'their_ip': '172.19.165.67',
+                    'psk': vault.decrypt('encrypt$gAAAAABoAUy3lAHfn7d9Jn4ppiPRr6LOReFGyGS4HzWC5ACHNipDFnGttnOHNji2DGIYVITzj3PosZs7PRn8BvXmwumEXNNP-G0nDucuiNNzUKuOCP4YWaF9-I1tnpmT_td3nqsCDajH'),
+                    'pubkey': vault.decrypt('encrypt$gAAAAABoAUxlf048ovJebqo0MlLiLHcuuTCSmnCzhxSZPrFMjRaFLW0CvC3GnVed_4n7CjjZ6ygrORSl8xyBM5hvbN0-JM_56ZZFpn1UVkizctjHjb1u2XtpGAe2nMAnq2Cdg5swgH9S'),
+                },
+            },
+        },
        'zfs': {
            'pools': {
                'storage': {