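# Node definition for the home router: PPPoE uplink on enp1s0.100, two
# internal VLANs (enp1s0.23 and enp1s0.42) served with DHCP, DNS and router
# advertisements, and a WireGuard peer towards ovh.wireguard.
nodes['home.router'] = {
    'hostname': '172.19.138.1',
    'bundles': {
        'bird',
        'dhcpd',
        'nginx',
        'pppd',
        'radvd',
        'unbound',
        'vnstat',
        'wide-dhcp6c',
        'wireguard',
    },
    'groups': {
        'debian-bullseye',
    },
    'metadata': {
        'interfaces': {
            'enp1s0.23': {
                'ips': {
                    '172.19.139.1/24',
                },
            },
            'enp1s0.42': {
                'ips': {
                    '172.19.138.1/24',
                },
            },
            # Uplink VLAN; pppd (below) runs on top of it.
            'enp1s0.100': {
                'ignore': True,
            },
        },
        'apt': {
            'packages': {
                # for telegraf
                'snmp': {},
                'snmp-mibs-downloader': {},
            },
            # XXX remove this once nginx.org has packages for debian bullseye
            # NOTE(review): the repo is fetched over plain http. APT still
            # verifies the signed Release file, so integrity depends on the
            # nginx signing key being pinned for this repo - confirm, and
            # prefer https if the mirror offers it.
            'repos': {
                'nginx': {
                    'items': atomic({
                        'deb http://nginx.org/packages/debian buster nginx',
                    }),
                },
            },
        },
        'backups': {
            'exclude_from_backups': True,
        },
        'bird': {
            'static_routes': {
                '172.19.138.0/24',
                '172.19.139.0/24',
            },
        },
        'cron': {
            # Our internet provider resets the connection if you're
            # connected longer than 24 hours. We install this cronjob
            # to make sure we don't get disconnected randomly during the
            # day.
            # The % is backslash-escaped because cron treats a bare % as
            # the end of the command.
            'restart_pppd': '23 2 * * * root systemctl restart pppoe && date -u +\%s > /var/tmp/pppd-last-restart.status',
        },
        'dhcpd': {
            'subnets': {
                'enp1s0.23': {
                    'range_lower': '172.19.139.200',
                    'range_higher': '172.19.139.250',
                    'subnet': '172.19.139.0/24',
                    'options': {
                        'broadcast-address': '172.19.139.255',
                        'domain-name-servers': '172.19.139.1',
                        'routers': '172.19.139.1',
                        'subnet-mask': '255.255.255.0',
                    },
                },
                'enp1s0.42': {
                    'range_lower': '172.19.138.100',
                    'range_higher': '172.19.138.250',
                    'subnet': '172.19.138.0/24',
                    'options': {
                        'broadcast-address': '172.19.138.255',
                        'domain-name': 'franzi-home.kunbox.net',
                        'domain-name-servers': '172.19.138.1',
                        'domain-search': 'home.kunbox.net',
                        'routers': '172.19.138.1',
                        'subnet-mask': '255.255.255.0',
                    },
                },
            },
        },
        'hosts': {
            'entries': {
                # Hackaround to force wireguard to only use IPv4 for
                # the connection to this system.
                '51.195.47.180': {
                    'wireguard.ovh.kunbox.net',
                },
            },
        },
        'icinga_options': {
            # override group default
            'also_affected_by': atomic({
                'home.nas',
                'ovh.wireguard',
            }),
            # disabled on group level
            # XXX reenable this once we can leave the house safely again
            #'vars.notification.sms': True
        },
        'nftables': {
            'rules': {
                'forward': {
                    'router': [
                        # This is a router. Allow forwarding traffic for internal networks.
                        'ct state { related, established } accept',
                        # NOTE(review): "iif"/"oif" resolve the interface
                        # to an index when the ruleset is loaded. ppp0 is
                        # recreated by the nightly pppoe restart (see
                        # 'cron'), so unless the ruleset is reloaded
                        # afterwards this rule may stop matching;
                        # "oifname" matches by name instead - verify.
                        'iif enp1s0.23 oif ppp0 accept',
                        'iif enp1s0.42 accept',
                        # yaaaaay, IPv6! No NAT!
                        # NOTE(review): this forwards every ICMPv6 type in
                        # both directions, and "ip6 nexthdr" only looks at
                        # the first next-header field; "meta l4proto
                        # ipv6-icmp" is the usual, extension-header-safe
                        # match.
                        'ip6 nexthdr ipv6-icmp accept',
                        # NOTE(review): no interface or destination match,
                        # so forwarded TCP/22 is accepted from any
                        # interface to any routable host. With un-NATed
                        # IPv6 that presumably includes inbound SSH from
                        # ppp0 to every host behind the router. If this
                        # only exists to pass the DNAT below, scope it to
                        # 172.19.138.20 - confirm intent.
                        'tcp dport 22 accept',
                    ],
                },
                # Port 2022 is redirected to SSH on 172.19.138.20. There
                # is no input-interface match, so the rewrite applies to
                # packets arriving on any interface.
                'nat_prerouting': {
                    'tcp dport 2022 dnat 172.19.138.20:22',
                },
            },
        },
        'nginx': {
            'restrict-to': {
                '172.19.136.0/25',
                '172.19.138.0/24',
            },
            'vhosts': {
                'vnstat': {
                    'domain': 'router.home.kunbox.net',
                    'ssl': '_.home.kunbox.net',
                },
            },
        },
        'radvd': {
            'interfaces': {
                'enp1s0.23': {},
                'enp1s0.42': {},
            },
        },
        'postfix': {
            'mynetworks': {
                '172.19.138.0/24',
            },
        },
        # Credentials are stored as ciphertext and decrypted through the
        # vault object at evaluation time; presumably the decryption key is
        # kept outside this repository - confirm.
        'pppd': {
            'username': vault.decrypt('encrypt$gAAAAABfruZ5AZbgJ3mfMLWqIMx8o4bBRMJsDPD1jElh-vWN_gnhiuZVjrQ1-7Y6zDXNkxXiyhx8rxc2enmvo26axd7EBI8FqknCptXAPruVtDZrBCis4TE='),
            'password': vault.decrypt('encrypt$gAAAAABfruaXEDkaFksFMU8g97ydWyJF8p2KcSDJJBlzaOLDsLL6oCDYjG1kMPVESOzqjn8ThtSht1uZDuMCstA-sATmLS-EWQ=='),
            'interface': 'enp1s0.100',
            'dyndns': {
                'domain': 'franzi-home.kunbox.net',
                'url': 'https://ns-1.kunbox.net/nic/update?hostname=franzi-home.kunbox.net&myip={ip}',
                'username': vault.decrypt('encrypt$gAAAAABfr8DLAJhmUIhdxLq83I8MnRRvkRgDZcO8Brvw1KpvplC3K8ZGj0jIIWD3Us33vIP6t0ybd_mgD8slpRUk78Kqd3BMoQ=='),
                'password': vault.decrypt('encrypt$gAAAAABfr8Cq5M1hweeJTQAl0dLhFntdlw-QnkIYUQpY-_ycODVWOpyeAwjwOgWLSdsdXIUvqcoiXPZPV-BE12p5C42NGnj9r7sKYpoGz8xfuGIk6haMa2g='),
            },
        },
        'unbound': {
            'restrict-to': {
                '172.19.138.0/23',
            },
        },
        'telegraf': {
            'input_plugins': {
                'builtin': {
                    # NOTE(review): no SNMP version or community is set
                    # here. Unless the telegraf bundle injects them, the
                    # plugin defaults apply (SNMPv2c with community
                    # "public", sent in cleartext) - verify, and keep the
                    # agents reachable from the management network only.
                    'snmp': [
                        {
                            'agents': ['udp://172.19.138.2'],
                            'agent_host_tag': 'host',
                            'table': [{'oid': 'IF-MIB::ifTable'}],
                            'interval': '10s',
                        },
                        {
                            # UPS-MIB (mib-2.33) battery, input and output
                            # values.
                            'agents': ['udp://172.19.138.3'],
                            'agent_host_tag': 'host',
                            'field': [
                                {'oid': 'SNMPv2-SMI::mib-2.33.1.2.3.0', 'name': 'battery_runtime_to_empty'},
                                {'oid': 'SNMPv2-SMI::mib-2.33.1.2.4.0', 'name': 'battery_capacity'},
                                {'oid': 'SNMPv2-SMI::mib-2.33.1.2.5.0', 'name': 'battery_voltage', 'conversion': 'float(1)'},
                                {'oid': 'SNMPv2-SMI::mib-2.33.1.2.6.0', 'name': 'battery_current', 'conversion': 'float(1)'},
                                {'oid': 'SNMPv2-SMI::mib-2.33.1.3.3.1.2.1', 'name': 'input_frequency', 'conversion': 'float(1)'},
                                {'oid': 'SNMPv2-SMI::mib-2.33.1.3.3.1.3.1', 'name': 'input_voltage'},
                                {'oid': 'SNMPv2-SMI::mib-2.33.1.4.2.0', 'name': 'output_frequency', 'conversion': 'float(1)'},
                                {'oid': 'SNMPv2-SMI::mib-2.33.1.4.4.1.2.1', 'name': 'output_voltage'},
                                # .33.1.4.4.1.3 is upsOutputCurrent in
                                # UPS-MIB. It was previously also named
                                # 'output_frequency', which collided with
                                # the real frequency field above.
                                {'oid': 'SNMPv2-SMI::mib-2.33.1.4.4.1.3.1', 'name': 'output_current', 'conversion': 'float(1)'},
                                {'oid': 'SNMPv2-SMI::mib-2.33.1.4.4.1.4.1', 'name': 'output_watts'},
                                {'oid': 'SNMPv2-SMI::mib-2.33.1.4.4.1.5.1', 'name': 'output_percent'},
                            ],
                            'interval': '10s',
                        },
                        {
                            'agents': ['udp://172.19.138.41'],
                            'agent_host_tag': 'host',
                            'table': [{'oid': 'IF-MIB::ifTable'}],
                        },
                    ],
                },
            },
        },
        'users': {
            'f2k1de': {
                # Both keys are pinned to /bin/false without a pty, so they
                # cannot open a shell.
                # NOTE(review): port, agent and X11 forwarding are not
                # disabled by these options. If TCP forwarding is the only
                # intended use, "restrict,port-forwarding" states that
                # explicitly - confirm intent.
                'ssh_pubkey': {
                    'command="/bin/false",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrvhqC/tZzpLMs/qy+1xNSVi2mfn8LXPIEhh7dcGn9e',
                    'command="/bin/false",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDH5+j2vDW1FHSSEEI/Sf5qiKJq1uoxGO5BPv84mqohvol7GxDFObv69tn7g6HYfZY/SaS75C4ZXy+cKa0xy8UCpF0SBa2xHASkenS9v55oweDL4rYSPARzn2XKt3RFJG/d8V5NOWtcyq5DFSzewUF35E4hx1pUc/CIxgJEem5ZvzvN0hlIKXUN2djkVUx+mz6RryBysLTJEFBamjJxIkvDG/PZU73W4SHaKAYV4Ojz2NY7T5/NYKePfIU5F9pkE3RU0LRj58usvA1eP0PvEArWlGNCd8EJU+HQ5xr2dZ6MKPpEyG0KJkC88DuapeF5RwUV53ZhNpF+QgzpI72fH5up',
                },
            },
            'fkunsmann': {
                'sudo_commands': {
                    'ALL',
                },
            },
        },
        'vnstat': {
            'generate-web-dashboard': True,
            'interface': 'enp1s0.100',
        },
        'vm': {
            'cpu': 2,
            'ram': 2,
        },
        'wide-dhcp6c': {
            'source': 'ppp0',
            'targets': {
                'enp1s0.23': '2',
                'enp1s0.42': '1',
            },
        },
        'wireguard': {
            'external_hostname': 'franzi-home.kunbox.net',  # Set via DynDNS
            'peers': {
                'ovh.wireguard': {
                    'health_check': True,
                    'snat_to': '172.19.138.1',
                },
            },
        },
    },
}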