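# Node definition for the home router (bundlewrap-style nodes file: `nodes`
# and `vault` are expected to be provided by the loader, not imported here).
# The node routes two internal VLANs (enp1s0.23, enp1s0.42) to a PPPoE uplink
# configured on enp1s0.100 and carries a WireGuard and an OpenVPN client link.
nodes['home.router'] = {
    'hostname': '172.19.138.1',
    'bundles': {
        'dhcpd',
        'netdata',
        'nginx',
        'openvpn-client',
        'pppd',
        'radvd',
        'unbound',
        'vnstat',
        'wide-dhcp6c',
        'wireguard',
    },
    'groups': {
        'debian-bullseye',
    },
    'metadata': {
        'interfaces': {
            'enp1s0.23': {
                'ips': {
                    '172.19.139.1/24',
                },
            },
            'enp1s0.42': {
                'ips': {
                    '172.19.138.1/24',
                },
            },
            # Uplink VLAN; it is the interface handed to pppd and vnstat below.
            'enp1s0.100': {
                'ignore': True,
            },
        },
        'apt': {
            'packages': {
                # for telegraf
                'snmp': {},
                'snmp-mibs-downloader': {},
            },
        },
        'backups': {
            'exclude_from_backups': True,
        },
        'cron': {
            # Our internet provider resets the connection if you're
            # connected longer than 24 hours. We install this cronjob
            # to make sure we don't get disconnected randomly during the
            # day.
            #
            # The '%' is backslash-escaped because cron treats a bare '%' as
            # a newline. The backslash is doubled so Python does not see the
            # invalid escape sequence '\%'; the resulting string is unchanged.
            'restart_pppd': '23 2 * * * root systemctl restart pppoe && date -u +\\%s > /var/tmp/pppd-last-restart.status',
        },
        'dhcpd': {
            'subnets': {
                'enp1s0.23': {
                    'range_lower': '172.19.139.200',
                    'range_higher': '172.19.139.250',
                    'subnet': '172.19.139.0/24',
                    'options': {
                        'broadcast-address': '172.19.139.255',
                        'domain-name-servers': '172.19.139.1',
                        'routers': '172.19.139.1',
                        'subnet-mask': '255.255.255.0',
                    },
                },
                'enp1s0.42': {
                    'range_lower': '172.19.138.100',
                    'range_higher': '172.19.138.250',
                    'subnet': '172.19.138.0/24',
                    'options': {
                        'broadcast-address': '172.19.138.255',
                        'domain-name': 'franzi-home.kunbox.net',
                        'domain-name-servers': '172.19.138.1',
                        'domain-search': 'home.kunbox.net',
                        'routers': '172.19.138.1',
                        'subnet-mask': '255.255.255.0',
                    },
                },
            },
        },
        'icinga_options': {
            'also_affected_by': {
                'home.nas',
                'ovh.wireguard',
            },
            # disabled on group level
            'vars.notification.sms': True,
        },

        'iptables': {
            'custom_rules': [
                # This is a router. Allow forwarding traffic for internal networks.
                #
                # enp1s0.23 may only leave via ppp0, while enp1s0.42 may be
                # forwarded to any interface. That separation only holds if
                # the FORWARD chain's default policy drops everything else;
                # the policy is not set here - NOTE(review): confirm.
                'iptables_both -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT',
                'iptables_both -A FORWARD -i enp1s0.23 -o ppp0 -j ACCEPT',
                'iptables_both -A FORWARD -i enp1s0.42 -j ACCEPT',

                # External port 2022 should be home.nas
                #
                # Neither rule matches on an input interface or a source
                # address, so the DNAT applies to tcp/2022 arriving on any
                # interface and the FORWARD rule admits tcp/22 to the NAS from
                # any source. SSH on 172.19.138.20 is therefore
                # internet-facing and its hardening matters.
                'iptables -t nat -A PREROUTING -p tcp --dport 2022 -j DNAT --to 172.19.138.20:22',
                'iptables -A FORWARD -p tcp -d 172.19.138.20 --dport 22 -j ACCEPT',

                # use MASQUERADE for tun0 (c3voc)
                'iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE',

                # yaaaaay, IPv6! No NAT!
                #
                # NOTE(review): the tcp/22 rule has no interface or destination
                # match, so forwarded IPv6 SSH is accepted towards every host
                # behind this router, including from the uplink. Confirm that
                # is intended; otherwise scope it with -d or -i/-o.
                'ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT',
                'ip6tables -A FORWARD -p tcp --dport 22 -j ACCEPT',
            ],
        },
        'netdata': {
            'restrict-to': {
                '172.19.136.0/25',
                '172.19.138.0/24',
            },
        },
        'nginx': {
            'restrict-to': {
                '172.19.136.0/25',
                '172.19.138.0/24',
            },
            'vhosts': {
                # The vnstat dashboard is served without TLS; 'restrict-to'
                # above is the only access limit visible in this file.
                'vnstat': {
                    'ssl': False,
                },
            },
        },
        'openvpn-client': {
            'configs': {
                'c3voc',
            },
        },
        'radvd': {
            'interfaces': {
                'enp1s0.23': {},
                'enp1s0.42': {},
            },
        },
        # 'postfix' is not in this node's bundle list; presumably it comes in
        # through a group - verify against the group definition.
        'postfix': {
            'mynetworks': {
                '172.19.138.0/24',
            },
        },
        'pppd': {
            # Credentials are committed only as vault ciphertext; plaintext is
            # produced by vault.decrypt() when the repository is evaluated, so
            # the vault key must stay outside version control.
            'username': vault.decrypt('encrypt$gAAAAABfruZ5AZbgJ3mfMLWqIMx8o4bBRMJsDPD1jElh-vWN_gnhiuZVjrQ1-7Y6zDXNkxXiyhx8rxc2enmvo26axd7EBI8FqknCptXAPruVtDZrBCis4TE='),
            'password': vault.decrypt('encrypt$gAAAAABfruaXEDkaFksFMU8g97ydWyJF8p2KcSDJJBlzaOLDsLL6oCDYjG1kMPVESOzqjn8ThtSht1uZDuMCstA-sATmLS-EWQ=='),
            'interface': 'enp1s0.100',
            'dyndns': {
                'url': 'https://ns-1.kunbox.net/nic/update?hostname=franzi-home.kunbox.net&myip={ip}',
                'username': vault.decrypt('encrypt$gAAAAABfr8DLAJhmUIhdxLq83I8MnRRvkRgDZcO8Brvw1KpvplC3K8ZGj0jIIWD3Us33vIP6t0ybd_mgD8slpRUk78Kqd3BMoQ=='),
                'password': vault.decrypt('encrypt$gAAAAABfr8Cq5M1hweeJTQAl0dLhFntdlw-QnkIYUQpY-_ycODVWOpyeAwjwOgWLSdsdXIUvqcoiXPZPV-BE12p5C42NGnj9r7sKYpoGz8xfuGIk6haMa2g='),
            },
        },
        'unbound': {
            # The /23 covers both internal subnets (172.19.138.0/24 and
            # 172.19.139.0/24).
            'restrict-to': {
                '172.19.138.0/23',
            },
        },
        'telegraf': {
            'input_plugins': {
                'builtin': {
                    # No SNMP version, community or credentials are set on
                    # these inputs, so the bundle's or telegraf's defaults
                    # apply - NOTE(review): confirm. SNMP v1/v2c offers no
                    # authentication beyond a cleartext community string.
                    'snmp': [
                        {
                            'agents': ['udp://172.19.138.2'],
                            'agent_host_tag': 'host',
                            'table': [{'oid': 'IF-MIB::ifTable'}],
                        },
                        {
                            # mib-2.33 is the standard UPS-MIB (RFC 1628).
                            'agents': ['udp://172.19.138.3'],
                            'agent_host_tag': 'host',
                            'field': [
                                {'oid': 'SNMPv2-SMI::mib-2.33.1.2.3.0', 'name': 'battery_runtime_to_empty'},
                                {'oid': 'SNMPv2-SMI::mib-2.33.1.2.4.0', 'name': 'battery_capacity'},
                                {'oid': 'SNMPv2-SMI::mib-2.33.1.2.5.0', 'name': 'battery_voltage', 'conversion': 'float(1)'},
                                {'oid': 'SNMPv2-SMI::mib-2.33.1.2.6.0', 'name': 'battery_current', 'conversion': 'float(1)'},
                                {'oid': 'SNMPv2-SMI::mib-2.33.1.3.3.1.2.1', 'name': 'input_frequency', 'conversion': 'float(1)'},
                                {'oid': 'SNMPv2-SMI::mib-2.33.1.3.3.1.3.1', 'name': 'input_voltage'},
                                {'oid': 'SNMPv2-SMI::mib-2.33.1.4.2.0', 'name': 'output_frequency', 'conversion': 'float(1)'},
                                {'oid': 'SNMPv2-SMI::mib-2.33.1.4.4.1.2.1', 'name': 'output_voltage'},
                                # Column 3 of upsOutputTable is upsOutputCurrent.
                                # It used to be named 'output_frequency', a
                                # duplicate of the field name used for
                                # mib-2.33.1.4.2.0 above.
                                {'oid': 'SNMPv2-SMI::mib-2.33.1.4.4.1.3.1', 'name': 'output_current', 'conversion': 'float(1)'},
                                {'oid': 'SNMPv2-SMI::mib-2.33.1.4.4.1.4.1', 'name': 'output_watts'},
                                {'oid': 'SNMPv2-SMI::mib-2.33.1.4.4.1.5.1', 'name': 'output_percent'},
                            ],
                        },
                        {
                            'agents': ['udp://172.19.138.41'],
                            'agent_host_tag': 'host',
                            'table': [{'oid': 'IF-MIB::ifTable'}],
                        },
                    ],
                },
            },
        },
        'users': {
            'f2k1de': {
                'ssh_pubkey': {
                    # The forced command and no-pty keep these keys from
                    # getting a shell, but forwarding options are not
                    # restricted. NOTE(review): if the account exists only for
                    # tunnelling, 'restrict,port-forwarding' would state that
                    # explicitly.
                    'command="/bin/false",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrvhqC/tZzpLMs/qy+1xNSVi2mfn8LXPIEhh7dcGn9e',
                    'command="/bin/false",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDH5+j2vDW1FHSSEEI/Sf5qiKJq1uoxGO5BPv84mqohvol7GxDFObv69tn7g6HYfZY/SaS75C4ZXy+cKa0xy8UCpF0SBa2xHASkenS9v55oweDL4rYSPARzn2XKt3RFJG/d8V5NOWtcyq5DFSzewUF35E4hx1pUc/CIxgJEem5ZvzvN0hlIKXUN2djkVUx+mz6RryBysLTJEFBamjJxIkvDG/PZU73W4SHaKAYV4Ojz2NY7T5/NYKePfIU5F9pkE3RU0LRj58usvA1eP0PvEArWlGNCd8EJU+HQ5xr2dZ6MKPpEyG0KJkC88DuapeF5RwUV53ZhNpF+QgzpI72fH5up',
                },
            },
            'kunsi': {
                'ssh_pubkey': {
                    # work laptop
                    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICYst1HK+gJYhNxzqJGnz4iB73pa89Xz2yH+8wufOcsA',
                },
            },
        },
        'vnstat': {
            'generate-web-dashboard': True,
            'interface': 'enp1s0.100',
        },
        'vm': {
            'cpu': 2,
            'ram': 2,
        },
        'wide-dhcp6c': {
            'source': 'ppp0',
            'targets': {
                'enp1s0.23': '2',
                'enp1s0.42': '1',
            },
        },
        'wireguard': {
            'external_hostname': 'franzi-home.kunbox.net',  # Set via DynDNS
            'my_ip': '172.19.136.2/22',
            'peers': {
                'ovh.wireguard': {},
            },
            # Both internal subnets are listed for the tunnel.
            'subnets': {
                '172.19.138.0/24',
                '172.19.139.0/24',
            },
        },
    },
}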