bundlewrap/nodes/home/router.py
Franziska Kunsmann bd10dc578f
bundles/pppd: refactor check_dyndns_update
We don't care about what the DNS provider said when updating the ip
address. The only thing we care about is whether the current external ip
of the system matches the resolved ip address.
2021-08-14 08:00:43 +02:00


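# Node definition for the home router.
#
# The PPPoE uplink is dialled on enp1s0.100 (it shows up as ppp0 once up, see
# 'wide-dhcp6c' -> 'source'); enp1s0.23 and enp1s0.42 are the internal VLANs
# this machine routes between. `nodes`, `vault` and `atomic` are not defined in
# this file — they are injected by bundlewrap when the node file is loaded.
nodes['home.router'] = {
    'hostname': '172.19.138.1',
    'bundles': {
        'dhcpd',
        'nginx',
        'openvpn-client',
        'pppd',
        'radvd',
        'unbound',
        'vnstat',
        'wide-dhcp6c',
        'wireguard',
    },
    'groups': {
        'debian-bullseye',
    },
    'metadata': {
        'interfaces': {
            'enp1s0.23': {
                'ips': {
                    '172.19.139.1/24',
                },
            },
            'enp1s0.42': {
                'ips': {
                    '172.19.138.1/24',
                },
            },
            # presumably ignored here because pppd owns this interface
            # (see 'pppd' -> 'interface' below) — confirm
            'enp1s0.100': {
                'ignore': True,
            },
        },
        'apt': {
            'packages': {
                # for telegraf
                'snmp': {},
                'snmp-mibs-downloader': {},
            },
            # XXX remove this once nginx.org has packages for debian bullseye
            # NOTE(review): the repo is fetched over plain http; apt only
            # verifies signatures if the nginx.org signing key is installed,
            # which is not configured in this file — confirm it is elsewhere.
            'repos': {
                'nginx': {
                    'items': atomic({
                        'deb http://nginx.org/packages/debian buster nginx',
                    }),
                },
            },
        },
        'backups': {
            'exclude_from_backups': True,
        },
        'cron': {
            # Our internet provider resets the connection if you're
            # connected longer than 24 hours. We install this cronjob
            # to make sure we don't get disconnected randomly during the
            # day.
            # crontab treats a bare '%' as a newline, so the date format must
            # reach cron as '\%'. The Python literal uses '\\%' to produce
            # exactly that without relying on the invalid escape sequence '\%'.
            'restart_pppd': '23 2 * * * root systemctl restart pppoe && date -u +\\%s > /var/tmp/pppd-last-restart.status',
        },
        'dhcpd': {
            'subnets': {
                'enp1s0.23': {
                    'range_lower': '172.19.139.200',
                    'range_higher': '172.19.139.250',
                    'subnet': '172.19.139.0/24',
                    'options': {
                        'broadcast-address': '172.19.139.255',
                        'domain-name-servers': '172.19.139.1',
                        'routers': '172.19.139.1',
                        'subnet-mask': '255.255.255.0',
                    },
                },
                'enp1s0.42': {
                    'range_lower': '172.19.138.100',
                    'range_higher': '172.19.138.250',
                    'subnet': '172.19.138.0/24',
                    'options': {
                        'broadcast-address': '172.19.138.255',
                        'domain-name': 'franzi-home.kunbox.net',
                        'domain-name-servers': '172.19.138.1',
                        'domain-search': 'home.kunbox.net',
                        'routers': '172.19.138.1',
                        'subnet-mask': '255.255.255.0',
                    },
                },
            },
        },
        'icinga_options': {
            # override group default
            'also_affected_by': atomic({
                'home.nas',
                'ovh.wireguard',
            }),
            # disabled on group level
            'vars.notification.sms': True,
        },
        'nftables': {
            'rules': {
                'forward': {
                    'router': [
                        # This is a router. Allow forwarding traffic for internal networks.
                        'ct state { related, established } accept',
                        'iif enp1s0.23 oif ppp0 accept',
                        'iif enp1s0.42 accept',
                        # yaaaaay, IPv6! No NAT!
                        'ip6 nexthdr ipv6-icmp accept',
                        # NOTE(review): this rule has no iif/oif restriction, so it
                        # also forwards inbound port-22 traffic arriving on ppp0 to
                        # any internal host. With IPv6 not being NATed that means
                        # every internal IPv6 host's SSH port is reachable from the
                        # outside — confirm this is intended.
                        'tcp dport 22 accept',
                    ],
                },
                # traffic to port 2022 is DNATed to the SSH port of 172.19.138.20
                'nat_prerouting': [
                    'tcp dport 2022 dnat 172.19.138.20:22',
                ],
                # tun0 is presumably the openvpn-client tunnel — confirm
                'nat_postrouting': [
                    'oif tun0 masquerade',
                ],
            },
        },
        'nginx': {
            # presumably only these networks may reach the vhosts below — confirm
            # how the bundle enforces it
            'restrict-to': {
                '172.19.136.0/25',
                '172.19.138.0/24',
            },
            'vhosts': {
                'vnstat': {
                    'domain': 'router.home.kunbox.net',
                    'ssl': '_.home.kunbox.net',
                },
            },
        },
        'openvpn-client': {
            'configs': {
                'c3voc',
            },
        },
        'radvd': {
            'interfaces': {
                'enp1s0.23': {},
                'enp1s0.42': {},
            },
        },
        # 'postfix' is not in this node's bundle list; presumably the bundle
        # comes from a group — confirm
        'postfix': {
            'mynetworks': {
                '172.19.138.0/24',
            },
        },
        'pppd': {
            # PPPoE credentials, kept encrypted in the bundlewrap vault
            'username': vault.decrypt('encrypt$gAAAAABfruZ5AZbgJ3mfMLWqIMx8o4bBRMJsDPD1jElh-vWN_gnhiuZVjrQ1-7Y6zDXNkxXiyhx8rxc2enmvo26axd7EBI8FqknCptXAPruVtDZrBCis4TE='),
            'password': vault.decrypt('encrypt$gAAAAABfruaXEDkaFksFMU8g97ydWyJF8p2KcSDJJBlzaOLDsLL6oCDYjG1kMPVESOzqjn8ThtSht1uZDuMCstA-sATmLS-EWQ=='),
            'interface': 'enp1s0.100',
            # keeps the public name pointing at the current external address;
            # 'wireguard' -> 'external_hostname' below relies on this name
            'dyndns': {
                'domain': 'franzi-home.kunbox.net',
                'url': 'https://ns-1.kunbox.net/nic/update?hostname=franzi-home.kunbox.net&myip={ip}',
                'username': vault.decrypt('encrypt$gAAAAABfr8DLAJhmUIhdxLq83I8MnRRvkRgDZcO8Brvw1KpvplC3K8ZGj0jIIWD3Us33vIP6t0ybd_mgD8slpRUk78Kqd3BMoQ=='),
                'password': vault.decrypt('encrypt$gAAAAABfr8Cq5M1hweeJTQAl0dLhFntdlw-QnkIYUQpY-_ycODVWOpyeAwjwOgWLSdsdXIUvqcoiXPZPV-BE12p5C42NGnj9r7sKYpoGz8xfuGIk6haMa2g='),
            },
        },
        'unbound': {
            'restrict-to': {
                '172.19.138.0/23',
            },
        },
        'telegraf': {
            'input_plugins': {
                'builtin': {
                    'snmp': [
                        {
                            'agents': ['udp://172.19.138.2'],
                            'agent_host_tag': 'host',
                            'table': [{'oid': 'IF-MIB::ifTable'}],
                            'interval': '10s',
                        },
                        # mib-2.33 is the UPS-MIB: battery, input and output readings
                        {
                            'agents': ['udp://172.19.138.3'],
                            'agent_host_tag': 'host',
                            'field': [
                                {'oid': 'SNMPv2-SMI::mib-2.33.1.2.3.0', 'name': 'battery_runtime_to_empty'},
                                {'oid': 'SNMPv2-SMI::mib-2.33.1.2.4.0', 'name': 'battery_capacity'},
                                {'oid': 'SNMPv2-SMI::mib-2.33.1.2.5.0', 'name': 'battery_voltage', 'conversion': 'float(1)'},
                                {'oid': 'SNMPv2-SMI::mib-2.33.1.2.6.0', 'name': 'battery_current', 'conversion': 'float(1)'},
                                {'oid': 'SNMPv2-SMI::mib-2.33.1.3.3.1.2.1', 'name': 'input_frequency', 'conversion': 'float(1)'},
                                {'oid': 'SNMPv2-SMI::mib-2.33.1.3.3.1.3.1', 'name': 'input_voltage'},
                                {'oid': 'SNMPv2-SMI::mib-2.33.1.4.2.0', 'name': 'output_frequency', 'conversion': 'float(1)'},
                                {'oid': 'SNMPv2-SMI::mib-2.33.1.4.4.1.2.1', 'name': 'output_voltage'},
                                # NOTE(review): 'output_frequency' is also used for
                                # mib-2.33.1.4.2.0 above; one of the two values likely
                                # shadows the other in the emitted metric — confirm
                                # which is intended before renaming.
                                {'oid': 'SNMPv2-SMI::mib-2.33.1.4.4.1.3.1', 'name': 'output_frequency', 'conversion': 'float(1)'},
                                {'oid': 'SNMPv2-SMI::mib-2.33.1.4.4.1.4.1', 'name': 'output_watts'},
                                {'oid': 'SNMPv2-SMI::mib-2.33.1.4.4.1.5.1', 'name': 'output_percent'},
                            ],
                            'interval': '10s',
                        },
                        {
                            'agents': ['udp://172.19.138.41'],
                            'agent_host_tag': 'host',
                            'table': [{'oid': 'IF-MIB::ifTable'}],
                        },
                    ],
                },
            },
        },
        'users': {
            'f2k1de': {
                # both keys carry command="/bin/false",no-pty: they never get a
                # shell on this host (forwarding is not disabled by these options)
                'ssh_pubkey': {
                    'command="/bin/false",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrvhqC/tZzpLMs/qy+1xNSVi2mfn8LXPIEhh7dcGn9e',
                    'command="/bin/false",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDH5+j2vDW1FHSSEEI/Sf5qiKJq1uoxGO5BPv84mqohvol7GxDFObv69tn7g6HYfZY/SaS75C4ZXy+cKa0xy8UCpF0SBa2xHASkenS9v55oweDL4rYSPARzn2XKt3RFJG/d8V5NOWtcyq5DFSzewUF35E4hx1pUc/CIxgJEem5ZvzvN0hlIKXUN2djkVUx+mz6RryBysLTJEFBamjJxIkvDG/PZU73W4SHaKAYV4Ojz2NY7T5/NYKePfIU5F9pkE3RU0LRj58usvA1eP0PvEArWlGNCd8EJU+HQ5xr2dZ6MKPpEyG0KJkC88DuapeF5RwUV53ZhNpF+QgzpI72fH5up',
                },
            },
            'fkunsmann': {
                'sudo_commands': {
                    'ALL',
                },
            },
        },
        'sysctl': {
            # required for routing between the VLANs and ppp0, for v4 and v6
            'options': {
                'net.ipv4.ip_forward': '1',
                'net.ipv6.conf.all.forwarding': '1',
            },
        },
        'vnstat': {
            'generate-web-dashboard': True,
            # count traffic on the uplink interface
            'interface': 'enp1s0.100',
        },
        # units are not stated here — TODO confirm against the 'vm' bundle
        'vm': {
            'cpu': 2,
            'ram': 2,
        },
        'wide-dhcp6c': {
            'source': 'ppp0',
            'targets': {
                'enp1s0.23': '2',
                'enp1s0.42': '1',
            },
        },
        'wireguard': {
            'external_hostname': 'franzi-home.kunbox.net', # Set via DynDNS
            'my_ip': '172.19.136.2/22',
            'peers': {
                'ovh.wireguard': {},
            },
            'subnets': {
                '172.19.138.0/24',
                '172.19.139.0/24',
            },
        },
    },
}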