Compare commits


3 Commits

908a08629f Init new, split, commands-based configuration for wizard to ease automated deployment
2024-02-14 10:37:43 -08:00
26e029535b Wipe old version of storing wizard config 2024-02-14 10:37:08 -08:00
b4d7d9335f Clean up deploy job naming 2024-02-14 10:36:48 -08:00
13 changed files with 316 additions and 846 deletions


@ -6,10 +6,10 @@ on:
- 'druid/**'
jobs:
Deploy-to-Druid:
Deploy:
runs-on: druid
steps:
- name: Pull latest code onto Druid via SSH
- name: Pull latest code onto host via SSH
uses: appleboy/ssh-action@master
with:
host: ${{ vars.SSH_HOST_IP_DRUID }} # this is a LAN IP


@ -6,10 +6,10 @@ on:
- 'fighter/**'
jobs:
Deploy-to-Fighter:
Deploy:
runs-on: fighter
steps:
- name: Pull latest code onto Fighter via SSH
- name: Pull latest code onto host via SSH
uses: appleboy/ssh-action@master
with:
host: ${{ vars.SSH_HOST_IP_FIGHTER }} # this is a LAN IP


@ -6,10 +6,10 @@ on:
- 'wizard/**'
jobs:
Deploy-to-Wizard:
Deploy:
runs-on: fighter
steps:
- name: Pull latest code onto Wizard via SSH
- name: Pull latest code onto host via SSH
uses: appleboy/ssh-action@master
with:
host: ${{ vars.SSH_HOST_IP_WIZARD }} # this is a LAN IP


@ -1,107 +0,0 @@
container {
name pihole {
description Pihole
environment PIHOLE_DNS_ {
value "1.1.1.1;8.8.8.8"
}
environment QUERY_LOGGING {
value false
}
environment TZ {
value America/Eastern
}
image pihole/pihole:latest
network pihole-net {
address 172.20.0.10
}
}
network pihole-net {
prefix 172.20.0.0/24
}
}
interfaces {
ethernet eth0 {
address dhcp
}
ethernet eth1 {
address 10.0.0.1/24
}
loopback lo {
}
}
nat {
source {
rule 100 {
outbound-interface eth0
source {
address 10.0.0.0/24
}
translation {
address masquerade
}
}
}
}
service {
dns {
forwarding {
allow-from 10.0.0.0/24
cache-size 0
listen-address 10.0.0.1
name-server 172.20.0.10
}
}
ssh {
port 22
}
}
system {
config-management {
commit-revisions 100
}
conntrack {
modules {
ftp
h323
nfs
pptp
sip
sqlnet
tftp
}
}
console {
device ttyS0 {
speed 115200
}
}
host-name vyos
login {
user vyos {
authentication {
encrypted-password REDACTED
plaintext-password ""
}
}
}
name-server 1.1.1.1
name-server 8.8.8.8
ntp {
server time1.vyos.net {
}
server time2.vyos.net {
}
server time3.vyos.net {
}
}
syslog {
global {
facility all {
level info
}
facility protocols {
level debug
}
}
}
}


@ -1,693 +0,0 @@
firewall {
global-options {
all-ping enable
broadcast-ping disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
group {
interface-group IG_LAN {
interface eth6
}
interface-group IG_WAN {
interface pppoe1
}
}
ipv4 {
forward {
filter {
default-action accept
rule 5 {
action jump
inbound-interface {
interface-name pppoe1
}
jump-target WAN_IN
}
rule 101 {
action accept
inbound-interface {
interface-group IG_LAN
}
outbound-interface {
interface-group IG_LAN
}
}
rule 106 {
action jump
inbound-interface {
interface-group IG_WAN
}
jump-target WAN_IN
outbound-interface {
interface-group IG_LAN
}
}
rule 111 {
action drop
description "zone_LAN default-action"
outbound-interface {
interface-group IG_LAN
}
}
rule 116 {
action accept
inbound-interface {
interface-group IG_WAN
}
outbound-interface {
interface-group IG_WAN
}
}
rule 121 {
action jump
inbound-interface {
interface-group IG_LAN
}
jump-target IN_WAN
outbound-interface {
interface-group IG_WAN
}
}
rule 126 {
action drop
description "zone_WAN default-action"
outbound-interface {
interface-group IG_WAN
}
}
}
}
input {
filter {
default-action accept
rule 5 {
action jump
inbound-interface {
interface-name pppoe1
}
jump-target WAN_LOCAL
}
rule 101 {
action jump
inbound-interface {
interface-group IG_LAN
}
jump-target IN_LOCAL
}
rule 106 {
action jump
inbound-interface {
interface-group IG_WAN
}
jump-target WAN_LOCAL
}
rule 111 {
action drop
}
}
}
name IN_LOCAL {
default-action accept
}
name IN_WAN {
default-action accept
}
name LOCAL_IN {
default-action accept
}
name LOCAL_WAN {
default-action accept
}
name WAN_IN {
default-action drop
description "WAN to internal"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
rule 1000 {
action accept
description Plex
destination {
port 32400
}
protocol tcp_udp
state {
new enable
}
}
rule 1001 {
action accept
description BitTorrent
destination {
port 49500
}
protocol tcp_udp
state {
new enable
}
}
rule 1002 {
action accept
description WireGuard
destination {
port 53820-53829
}
protocol tcp_udp
state {
new enable
}
}
rule 1003 {
action accept
description Minecraft
destination {
port 25565
}
protocol tcp_udp
state {
new enable
}
}
rule 1005 {
action accept
description Web
destination {
port 443,80
}
protocol tcp_udp
state {
new enable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action accept
protocol icmp
state {
new enable
}
}
rule 30 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
output {
filter {
default-action accept
rule 101 {
action jump
jump-target LOCAL_IN
outbound-interface {
interface-group IG_LAN
}
}
rule 106 {
action jump
jump-target LOCAL_WAN
outbound-interface {
interface-group IG_WAN
}
}
rule 111 {
action drop
}
}
}
}
ipv6 {
forward {
filter {
default-action accept
rule 101 {
action accept
inbound-interface {
interface-group IG_LAN
}
outbound-interface {
interface-group IG_LAN
}
}
rule 106 {
action drop
description "zone_LAN default-action"
outbound-interface {
interface-group IG_LAN
}
}
rule 111 {
action accept
inbound-interface {
interface-group IG_WAN
}
outbound-interface {
interface-group IG_WAN
}
}
rule 116 {
action drop
description "zone_WAN default-action"
outbound-interface {
interface-group IG_WAN
}
}
}
}
input {
filter {
default-action accept
rule 101 {
action drop
}
}
}
output {
filter {
default-action accept
rule 101 {
action drop
}
}
}
}
}
interfaces {
ethernet eth0 {
hw-id d4:3d:7e:94:6e:eb
}
ethernet eth5 {
address dhcp
hw-id 6c:b3:11:32:46:24
offload {
sg
tso
}
vif 201 {
}
}
ethernet eth6 {
address 192.168.1.1/24
description "Primary Switch"
duplex auto
hw-id 6c:b3:11:32:46:25
offload {
rps
sg
tso
}
speed auto
}
loopback lo {
}
pppoe pppoe1 {
authentication {
password ****************
username hafnerjoseph
}
ip {
adjust-mss 1452
}
mtu 1492
no-peer-dns
source-interface eth5.201
}
}
nat {
destination {
rule 1000 {
description Plex
destination {
port 32400
}
inbound-interface pppoe1
protocol tcp_udp
translation {
address 192.168.1.23
}
}
rule 1001 {
description BitTorrent
destination {
port 49500
}
inbound-interface pppoe1
protocol tcp_udp
translation {
address 192.168.1.23
}
}
rule 1002 {
description WireGuard
destination {
port 53820-53829
}
inbound-interface pppoe1
protocol tcp_udp
translation {
address 192.168.1.23
}
}
rule 1003 {
description Minecraft
destination {
port 25565
}
inbound-interface pppoe1
protocol tcp_udp
translation {
address 192.168.1.23
}
}
rule 1005 {
description Web
destination {
port 443,80
}
inbound-interface pppoe1
protocol tcp_udp
translation {
address 192.168.1.23
}
}
rule 1100 {
description "Plex (Hairpin NAT)"
destination {
address 174.21.57.251
port 32400
}
inbound-interface eth6
protocol tcp_udp
translation {
address 192.168.1.23
}
}
rule 1102 {
description "Wireguard (Hairpin NAT)"
destination {
address 174.21.57.251
port 53820-53829
}
inbound-interface eth6
protocol tcp_udp
translation {
address 192.168.1.23
}
}
rule 1103 {
description "Minecraft (Hairpin NAT)"
destination {
address 174.21.57.251
port 25565
}
inbound-interface eth6
protocol tcp_udp
translation {
address 192.168.1.23
}
}
rule 1105 {
description "Web (Hairpin NAT)"
destination {
address 174.21.57.251
port 80,443
}
inbound-interface eth6
protocol tcp_udp
translation {
address 192.168.1.23
}
}
}
source {
rule 99 {
description "Masquerade as public IP on internet"
outbound-interface pppoe1
source {
address 192.168.1.0/24
}
translation {
address masquerade
}
}
rule 100 {
description "NAT Reflection"
destination {
address 192.168.1.0/24
}
outbound-interface eth6
protocol tcp_udp
source {
address 192.168.1.0/24
}
translation {
address masquerade
}
}
}
}
qos {
interface eth6 {
egress GIGABIT-FQCODEL
}
interface pppoe1 {
ingress LIMITER
}
policy {
fq-codel GIGABIT-FQCODEL {
codel-quantum 8000
flows 1024
queue-limit 800
}
limiter LIMITER {
default {
bandwidth 700mbit
burst 262.5mbit
}
}
}
}
service {
dhcp-server {
shared-network-name LAN {
domain-name local
domain-search local
name-server 192.168.1.32
subnet 192.168.1.0/24 {
default-router 192.168.1.1
lease 86400
range 1 {
start 192.168.1.100
stop 192.168.1.254
}
static-mapping U6-Lite {
ip-address 192.168.1.3
mac-address 78:45:58:67:87:14
}
static-mapping UAP-AC-LR {
ip-address 192.168.1.2
mac-address 18:e8:29:50:f7:5b
}
static-mapping joey-desktop {
ip-address 192.168.1.100
mac-address 04:92:26:DA:BA:C5
}
static-mapping joey-nas {
ip-address 192.168.1.10
mac-address 40:8d:5c:52:41:89
}
static-mapping joey-nas2 {
ip-address 192.168.1.11
mac-address 90:2b:34:37:ce:ea
}
static-mapping joey-server {
ip-address 192.168.1.23
mac-address 70:85:c2:9c:6a:16
}
static-mapping joey-server2 {
ip-address 192.168.1.24
mac-address 24:4b:fe:57:bc:85
}
static-mapping joey-server3 {
ip-address 192.168.1.25
mac-address 78:45:c4:05:4f:21
}
static-mapping joey-server4 {
ip-address 192.168.1.26
mac-address 90:2b:34:37:ce:e8
}
static-mapping pihole1 {
ip-address 192.168.1.21
mac-address b8:27:eb:3c:8e:bb
}
static-mapping pihole2 {
ip-address 192.168.1.22
mac-address b8:27:eb:ff:76:6e
}
static-mapping tasmota-1 {
ip-address 192.168.1.50
mac-address 3C:61:05:F6:44:1E
}
static-mapping tasmota-2 {
ip-address 192.168.1.51
mac-address 3c:61:05:f6:d7:d3
}
static-mapping tasmota-3 {
ip-address 192.168.1.52
mac-address 3c:61:05:f6:f0:62
}
static-mapping wyse1 {
ip-address 192.168.1.31
mac-address 6c:2b:59:37:89:40
}
static-mapping wyse2 {
ip-address 192.168.1.32
mac-address 6c:2b:59:37:9e:91
}
static-mapping wyse3 {
ip-address 192.168.1.33
mac-address 6c:2b:59:37:9e:00
}
}
}
}
dns {
forwarding {
allow-from 192.168.1.0/24
cache-size 1000000
listen-address 192.168.1.1
name-server 192.168.1.32 {
}
}
}
monitoring {
telegraf {
prometheus-client {
}
}
}
ntp {
allow-client {
address 0.0.0.0/0
address ::/0
}
server time-a-wwv.nist.gov {
}
server time-b-wwv.nist.gov {
}
server time-c-wwv.nist.gov {
}
server time-d-wwv.nist.gov {
}
server time-e-wwv.nist.gov {
}
}
ssh {
disable-password-authentication
port 22
}
}
system {
config-management {
commit-revisions 200
}
conntrack {
expect-table-size 8192
hash-size 32768
modules {
ftp
h323
nfs
pptp
sip
sqlnet
tftp
}
table-size 262144
timeout {
tcp {
time-wait 15
}
}
}
console {
device ttyS0 {
speed 115200
}
}
host-name vyos
login {
banner {
}
user vyos {
authentication {
encrypted-password ****************
otp {
key ****************
rate-limit 3
rate-time 30
window-size 3
}
public-keys ed25519_jafner425@gmail.com {
key ****************
type ssh-ed25519
}
}
}
}
name-server 192.168.1.32
option {
performance latency
}
syslog {
global {
facility all {
level info
}
facility local7 {
level debug
}
}
}
task-scheduler {
task update-nat-reflection {
executable {
path /home/vyos/ipupdate.sh
}
interval 5
}
}
time-zone America/Los_Angeles
}


@ -0,0 +1,16 @@
#!/bin/vbash
if [ "$(id -g -n)" != 'vyattacfg' ] ; then
exec sg vyattacfg -c "/bin/vbash $(readlink -f $0) $@"
fi
source /opt/vyatta/etc/functions/script-template
. firewall.sh
. interfaces.sh
. nat.sh
. qos.sh
. service.sh
. system.sh
exit
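Review bot: The six `. firewall.sh` … `. system.sh` lines are resolved against the caller's working directory, not the script's, so invoking the launcher from anywhere other than `wizard/config` (the `exec sg vyattacfg -c …` re-entry keeps whatever cwd it was started in) sources nothing or the wrong files. Add `cd "$(dirname "$(readlink -f "$0")")" || exit 1` ahead of the `source` line, and quote `$0` inside the `-c` string so a path containing spaces is not split by the inner shell. Only 12 of the hunk's declared 16 lines are visible here; if `configure`, `commit` and `save` are not among the lines lost to rendering, the `set` commands run outside a configuration session and nothing is applied — the script-template pattern is `configure` before the first `set` and `commit` then `save` before `exit`. The secrets consumed by interfaces.sh and system.sh (`$INTERFACES_PPPOE_PPPOE1_AUTHENTICATION_PASSWORD` and the `$SYSTEM_LOGIN_USER_VYOS_…` variables) are not checked for presence anywhere in this launcher; a `: "${INTERFACES_PPPOE_PPPOE1_AUTHENTICATION_PASSWORD:?unset}"` guard per variable before the sourcing block fails fast instead of committing a config with an empty password or key.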

122
wizard/config/firewall.sh Normal file

@ -0,0 +1,122 @@
set firewall global-options all-ping 'enable'
set firewall global-options broadcast-ping 'disable'
set firewall global-options ip-src-route 'disable'
set firewall global-options ipv6-receive-redirects 'disable'
set firewall global-options ipv6-src-route 'disable'
set firewall global-options log-martians 'enable'
set firewall global-options receive-redirects 'disable'
set firewall global-options send-redirects 'enable'
set firewall global-options source-validation 'disable'
set firewall global-options syn-cookies 'enable'
set firewall group interface-group IG_LAN interface 'eth6'
set firewall group interface-group IG_WAN interface 'pppoe1'
set firewall ipv4 forward filter default-action 'accept'
set firewall ipv4 forward filter rule 5 action 'jump'
set firewall ipv4 forward filter rule 5 inbound-interface name 'pppoe1'
set firewall ipv4 forward filter rule 5 jump-target 'WAN_IN'
set firewall ipv4 forward filter rule 101 action 'accept'
set firewall ipv4 forward filter rule 101 inbound-interface group 'IG_LAN'
set firewall ipv4 forward filter rule 101 outbound-interface group 'IG_LAN'
set firewall ipv4 forward filter rule 106 action 'jump'
set firewall ipv4 forward filter rule 106 inbound-interface group 'IG_WAN'
set firewall ipv4 forward filter rule 106 jump-target 'WAN_IN'
set firewall ipv4 forward filter rule 106 outbound-interface group 'IG_LAN'
set firewall ipv4 forward filter rule 111 action 'drop'
set firewall ipv4 forward filter rule 111 description 'zone_LAN default-action'
set firewall ipv4 forward filter rule 111 outbound-interface group 'IG_LAN'
set firewall ipv4 forward filter rule 116 action 'accept'
set firewall ipv4 forward filter rule 116 inbound-interface group 'IG_WAN'
set firewall ipv4 forward filter rule 116 outbound-interface group 'IG_WAN'
set firewall ipv4 forward filter rule 121 action 'jump'
set firewall ipv4 forward filter rule 121 inbound-interface group 'IG_LAN'
set firewall ipv4 forward filter rule 121 jump-target 'IN_WAN'
set firewall ipv4 forward filter rule 121 outbound-interface group 'IG_WAN'
set firewall ipv4 forward filter rule 126 action 'drop'
set firewall ipv4 forward filter rule 126 description 'zone_WAN default-action'
set firewall ipv4 forward filter rule 126 outbound-interface group 'IG_WAN'
set firewall ipv4 input filter default-action 'accept'
set firewall ipv4 input filter rule 5 action 'jump'
set firewall ipv4 input filter rule 5 inbound-interface name 'pppoe1'
set firewall ipv4 input filter rule 5 jump-target 'WAN_LOCAL'
set firewall ipv4 input filter rule 101 action 'jump'
set firewall ipv4 input filter rule 101 inbound-interface group 'IG_LAN'
set firewall ipv4 input filter rule 101 jump-target 'IN_LOCAL'
set firewall ipv4 input filter rule 106 action 'jump'
set firewall ipv4 input filter rule 106 inbound-interface group 'IG_WAN'
set firewall ipv4 input filter rule 106 jump-target 'WAN_LOCAL'
set firewall ipv4 input filter rule 111 action 'drop'
set firewall ipv4 name IN_LOCAL default-action 'accept'
set firewall ipv4 name IN_WAN default-action 'accept'
set firewall ipv4 name LOCAL_IN default-action 'accept'
set firewall ipv4 name LOCAL_WAN default-action 'accept'
set firewall ipv4 name WAN_IN default-action 'drop'
set firewall ipv4 name WAN_IN description 'WAN to internal'
set firewall ipv4 name WAN_IN rule 10 action 'accept'
set firewall ipv4 name WAN_IN rule 10 description 'Allow established/related'
set firewall ipv4 name WAN_IN rule 10 state 'established'
set firewall ipv4 name WAN_IN rule 10 state 'related'
set firewall ipv4 name WAN_IN rule 20 action 'drop'
set firewall ipv4 name WAN_IN rule 20 description 'Drop invalid state'
set firewall ipv4 name WAN_IN rule 20 state 'invalid'
set firewall ipv4 name WAN_IN rule 1000 action 'accept'
set firewall ipv4 name WAN_IN rule 1000 description 'Plex'
set firewall ipv4 name WAN_IN rule 1000 destination port '32400'
set firewall ipv4 name WAN_IN rule 1000 protocol 'tcp_udp'
set firewall ipv4 name WAN_IN rule 1000 state 'new'
set firewall ipv4 name WAN_IN rule 1001 action 'accept'
set firewall ipv4 name WAN_IN rule 1001 description 'BitTorrent'
set firewall ipv4 name WAN_IN rule 1001 destination port '49500'
set firewall ipv4 name WAN_IN rule 1001 protocol 'tcp_udp'
set firewall ipv4 name WAN_IN rule 1001 state 'new'
set firewall ipv4 name WAN_IN rule 1002 action 'accept'
set firewall ipv4 name WAN_IN rule 1002 description 'WireGuard'
set firewall ipv4 name WAN_IN rule 1002 destination port '53820-53829'
set firewall ipv4 name WAN_IN rule 1002 protocol 'tcp_udp'
set firewall ipv4 name WAN_IN rule 1002 state 'new'
set firewall ipv4 name WAN_IN rule 1003 action 'accept'
set firewall ipv4 name WAN_IN rule 1003 description 'Minecraft'
set firewall ipv4 name WAN_IN rule 1003 destination port '25565'
set firewall ipv4 name WAN_IN rule 1003 protocol 'tcp_udp'
set firewall ipv4 name WAN_IN rule 1003 state 'new'
set firewall ipv4 name WAN_IN rule 1005 action 'accept'
set firewall ipv4 name WAN_IN rule 1005 description 'Web'
set firewall ipv4 name WAN_IN rule 1005 destination port '443,80'
set firewall ipv4 name WAN_IN rule 1005 protocol 'tcp_udp'
set firewall ipv4 name WAN_IN rule 1005 state 'new'
set firewall ipv4 name WAN_LOCAL default-action 'drop'
set firewall ipv4 name WAN_LOCAL description 'WAN to router'
set firewall ipv4 name WAN_LOCAL rule 10 action 'accept'
set firewall ipv4 name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall ipv4 name WAN_LOCAL rule 10 state 'established'
set firewall ipv4 name WAN_LOCAL rule 10 state 'related'
set firewall ipv4 name WAN_LOCAL rule 20 action 'accept'
set firewall ipv4 name WAN_LOCAL rule 20 protocol 'icmp'
set firewall ipv4 name WAN_LOCAL rule 20 state 'new'
set firewall ipv4 name WAN_LOCAL rule 30 action 'drop'
set firewall ipv4 name WAN_LOCAL rule 30 description 'Drop invalid state'
set firewall ipv4 name WAN_LOCAL rule 30 state 'invalid'
set firewall ipv4 output filter default-action 'accept'
set firewall ipv4 output filter rule 101 action 'jump'
set firewall ipv4 output filter rule 101 jump-target 'LOCAL_IN'
set firewall ipv4 output filter rule 101 outbound-interface group 'IG_LAN'
set firewall ipv4 output filter rule 106 action 'jump'
set firewall ipv4 output filter rule 106 jump-target 'LOCAL_WAN'
set firewall ipv4 output filter rule 106 outbound-interface group 'IG_WAN'
set firewall ipv4 output filter rule 111 action 'drop'
set firewall ipv6 forward filter default-action 'accept'
set firewall ipv6 forward filter rule 101 action 'accept'
set firewall ipv6 forward filter rule 101 inbound-interface group 'IG_LAN'
set firewall ipv6 forward filter rule 101 outbound-interface group 'IG_LAN'
set firewall ipv6 forward filter rule 106 action 'drop'
set firewall ipv6 forward filter rule 106 description 'zone_LAN default-action'
set firewall ipv6 forward filter rule 106 outbound-interface group 'IG_LAN'
set firewall ipv6 forward filter rule 111 action 'accept'
set firewall ipv6 forward filter rule 111 inbound-interface group 'IG_WAN'
set firewall ipv6 forward filter rule 111 outbound-interface group 'IG_WAN'
set firewall ipv6 forward filter rule 116 action 'drop'
set firewall ipv6 forward filter rule 116 description 'zone_WAN default-action'
set firewall ipv6 forward filter rule 116 outbound-interface group 'IG_WAN'
set firewall ipv6 input filter default-action 'accept'
set firewall ipv6 input filter rule 101 action 'drop'
set firewall ipv6 output filter default-action 'accept'
set firewall ipv6 output filter rule 101 action 'drop'


@ -0,0 +1,21 @@
set interfaces ethernet eth0 hw-id 'd4:3d:7e:94:6e:eb'
set interfaces ethernet eth5 address 'dhcp'
set interfaces ethernet eth5 hw-id '6c:b3:11:32:46:24'
set interfaces ethernet eth5 offload sg
set interfaces ethernet eth5 offload tso
set interfaces ethernet eth5 vif 201
set interfaces ethernet eth6 address '192.168.1.1/24'
set interfaces ethernet eth6 description 'Primary Switch'
set interfaces ethernet eth6 duplex 'auto'
set interfaces ethernet eth6 hw-id '6c:b3:11:32:46:25'
set interfaces ethernet eth6 offload rps
set interfaces ethernet eth6 offload sg
set interfaces ethernet eth6 offload tso
set interfaces ethernet eth6 speed 'auto'
set interfaces loopback lo
set interfaces pppoe pppoe1 authentication password $INTERFACES_PPPOE_PPPOE1_AUTHENTICATION_PASSWORD
set interfaces pppoe pppoe1 authentication username 'hafnerjoseph'
set interfaces pppoe pppoe1 ip adjust-mss '1452'
set interfaces pppoe pppoe1 mtu '1492'
set interfaces pppoe pppoe1 no-peer-dns
set interfaces pppoe pppoe1 source-interface 'eth5.201'
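Review bot: `$INTERFACES_PPPOE_PPPOE1_AUTHENTICATION_PASSWORD` on the pppoe1 password line is unquoted, so a value containing whitespace or glob characters is word-split into extra arguments, and an unset value silently degrades the line to `set interfaces pppoe pppoe1 authentication password` with no argument; the same applies to the four `$SYSTEM_LOGIN_USER_VYOS_…` references in system.sh. Quote it, `set interfaces pppoe pppoe1 authentication password "$INTERFACES_PPPOE_PPPOE1_AUTHENTICATION_PASSWORD"`, and have the launcher guard each variable with `: "${INTERFACES_PPPOE_PPPOE1_AUTHENTICATION_PASSWORD:?unset}"` so an incomplete environment aborts before any `set` runs. The PPPoE username `'hafnerjoseph'` stays in cleartext next to the parameterized password; if it is treated as account-identifying it can be moved to the same mechanism.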

59
wizard/config/nat.sh Normal file

@ -0,0 +1,59 @@
set nat destination rule 1000 description 'Plex'
set nat destination rule 1000 destination port '32400'
set nat destination rule 1000 inbound-interface name 'pppoe1'
set nat destination rule 1000 protocol 'tcp_udp'
set nat destination rule 1000 translation address '192.168.1.23'
set nat destination rule 1001 description 'BitTorrent'
set nat destination rule 1001 destination port '49500'
set nat destination rule 1001 inbound-interface name 'pppoe1'
set nat destination rule 1001 protocol 'tcp_udp'
set nat destination rule 1001 translation address '192.168.1.23'
set nat destination rule 1002 description 'WireGuard'
set nat destination rule 1002 destination port '53820-53829'
set nat destination rule 1002 inbound-interface name 'pppoe1'
set nat destination rule 1002 protocol 'tcp_udp'
set nat destination rule 1002 translation address '192.168.1.23'
set nat destination rule 1003 description 'Minecraft'
set nat destination rule 1003 destination port '25565'
set nat destination rule 1003 inbound-interface name 'pppoe1'
set nat destination rule 1003 protocol 'tcp_udp'
set nat destination rule 1003 translation address '192.168.1.23'
set nat destination rule 1005 description 'Web'
set nat destination rule 1005 destination port '443,80'
set nat destination rule 1005 inbound-interface name 'pppoe1'
set nat destination rule 1005 protocol 'tcp_udp'
set nat destination rule 1005 translation address '192.168.1.23'
set nat destination rule 1100 description 'Plex (Hairpin NAT)'
set nat destination rule 1100 destination address '174.21.35.181'
set nat destination rule 1100 destination port '32400'
set nat destination rule 1100 inbound-interface name 'eth6'
set nat destination rule 1100 protocol 'tcp_udp'
set nat destination rule 1100 translation address '192.168.1.23'
set nat destination rule 1102 description 'Wireguard (Hairpin NAT)'
set nat destination rule 1102 destination address '174.21.35.181'
set nat destination rule 1102 destination port '53820-53829'
set nat destination rule 1102 inbound-interface name 'eth6'
set nat destination rule 1102 protocol 'tcp_udp'
set nat destination rule 1102 translation address '192.168.1.23'
set nat destination rule 1103 description 'Minecraft (Hairpin NAT)'
set nat destination rule 1103 destination address '174.21.35.181'
set nat destination rule 1103 destination port '25565'
set nat destination rule 1103 inbound-interface name 'eth6'
set nat destination rule 1103 protocol 'tcp_udp'
set nat destination rule 1103 translation address '192.168.1.23'
set nat destination rule 1105 description 'Web (Hairpin NAT)'
set nat destination rule 1105 destination address '174.21.35.181'
set nat destination rule 1105 destination port '80,443'
set nat destination rule 1105 inbound-interface name 'eth6'
set nat destination rule 1105 protocol 'tcp_udp'
set nat destination rule 1105 translation address '192.168.1.23'
set nat source rule 99 description 'Masquerade as public IP on internet'
set nat source rule 99 outbound-interface name 'pppoe1'
set nat source rule 99 source address '192.168.1.0/24'
set nat source rule 99 translation address 'masquerade'
set nat source rule 100 description 'NAT Reflection'
set nat source rule 100 destination address '192.168.1.0/24'
set nat source rule 100 outbound-interface name 'eth6'
set nat source rule 100 protocol 'tcp_udp'
set nat source rule 100 source address '192.168.1.0/24'
set nat source rule 100 translation address 'masquerade'
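Review bot: The four hairpin rules 1100–1105 hard-code the public address `'174.21.35.181'`, while the deleted config carried a different value (`174.21.57.251`) and system.sh schedules `update-nat-reflection` every 5 minutes, which suggests the address is dynamic and rewritten out-of-band by that task. Re-applying nat.sh will then clobber the live value with whatever was last committed, and every address change turns into a config diff in git. Parameterize it the way the PPPoE password is, e.g. `set nat destination rule 1100 destination address "$NAT_HAIRPIN_PUBLIC_ADDRESS"` (variable name constructed here) on each of the four rules, or add a header comment stating that the committed value is a placeholder owned by the updater script.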


@ -1,40 +0,0 @@
Adding a Pihole container has hit a few roadblocks.
Here is the basic container configuration I attempted to use:
```
container name pihole {
cap-add net-admin
environment TZ {
value America/Los_Angeles
}
environment WEBPASSWORD {
value Raider8-Payable-Veto-Dictation
}
image pihole/pihole
memory 256
network default {
address 172.18.0.2
}
port dns {
destination 53
source 53
}
port webui {
destination 80
source 80
}
volume pihole_dnsmasq {
destination /etc/dnsmasq
source /home/vyos/container/pihole/dnsmasq
}
volume pihole_pihole {
destination /etc/pihole
source /home/vyos/container/pihole/pihole
}
}
network default {
prefix 172.18.0.0/16
}
```
With this configuration, we see the Pihole is failing to bring up the DNS service due to a port collision.

7
wizard/config/qos.sh Normal file

@ -0,0 +1,7 @@
set qos interface eth6 egress 'GIGABIT-FQCODEL'
set qos interface pppoe1 ingress 'LIMITER'
set qos policy fq-codel GIGABIT-FQCODEL codel-quantum '8000'
set qos policy fq-codel GIGABIT-FQCODEL flows '1024'
set qos policy fq-codel GIGABIT-FQCODEL queue-limit '800'
set qos policy limiter LIMITER default bandwidth '700mbit'
set qos policy limiter LIMITER default burst '262.5mbit'

53
wizard/config/service.sh Normal file

@ -0,0 +1,53 @@
set service dhcp-server shared-network-name LAN domain-name 'local'
set service dhcp-server shared-network-name LAN domain-search 'local'
set service dhcp-server shared-network-name LAN name-server '192.168.1.32'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 default-router '192.168.1.1'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 lease '86400'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 range 1 start '192.168.1.100'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 range 1 stop '192.168.1.254'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping U6-Lite ip-address '192.168.1.3'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping U6-Lite mac-address '78:45:58:67:87:14'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping UAP-AC-LR ip-address '192.168.1.2'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping UAP-AC-LR mac-address '18:e8:29:50:f7:5b'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping joey-desktop ip-address '192.168.1.100'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping joey-desktop mac-address '04:92:26:DA:BA:C5'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping joey-nas ip-address '192.168.1.10'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping joey-nas mac-address '40:8d:5c:52:41:89'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping joey-nas2 ip-address '192.168.1.11'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping joey-nas2 mac-address '90:2b:34:37:ce:ea'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping joey-server2 ip-address '192.168.1.24'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping joey-server2 mac-address '24:4b:fe:57:bc:85'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping joey-server3 ip-address '192.168.1.25'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping joey-server3 mac-address '78:45:c4:05:4f:21'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping joey-server4 ip-address '192.168.1.26'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping joey-server4 mac-address '90:2b:34:37:ce:e8'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping pihole1 ip-address '192.168.1.21'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping pihole1 mac-address 'b8:27:eb:3c:8e:bb'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping pihole2 ip-address '192.168.1.22'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping pihole2 mac-address 'b8:27:eb:ff:76:6e'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping tasmota-1 ip-address '192.168.1.50'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping tasmota-1 mac-address '3C:61:05:F6:44:1E'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping tasmota-2 ip-address '192.168.1.51'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping tasmota-2 mac-address '3c:61:05:f6:d7:d3'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping tasmota-3 ip-address '192.168.1.52'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping tasmota-3 mac-address '3c:61:05:f6:f0:62'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping wyse1 ip-address '192.168.1.31'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping wyse1 mac-address '6c:2b:59:37:89:40'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping wyse2 ip-address '192.168.1.32'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping wyse2 mac-address '6c:2b:59:37:9e:91'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping wyse3 ip-address '192.168.1.33'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping wyse3 mac-address '6c:2b:59:37:9e:00'
set service dns forwarding allow-from '192.168.1.0/24'
set service dns forwarding cache-size '1000000'
set service dns forwarding listen-address '192.168.1.1'
set service dns forwarding name-server 192.168.1.32
set service monitoring telegraf prometheus-client
set service ntp allow-client address '0.0.0.0/0'
set service ntp allow-client address '::/0'
set service ntp server time-a-wwv.nist.gov
set service ntp server time-b-wwv.nist.gov
set service ntp server time-c-wwv.nist.gov
set service ntp server time-d-wwv.nist.gov
set service ntp server time-e-wwv.nist.gov
set service ssh disable-password-authentication
set service ssh port '22'
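Review bot: The `joey-server` static mapping from the removed config (ip-address 192.168.1.23, mac-address 70:85:c2:9c:6a:16) is not carried over, yet every destination-NAT rule in nat.sh and every WAN_IN port rule in firewall.sh still targets 192.168.1.23. The address sits outside the 192.168.1.100–254 pool so nothing else will be leased it, but if that host still obtains its address via DHCP it now receives a pool address and the forwards go dark; if the omission is deliberate (host addressed statically) a one-line comment saying so saves the next reader the comparison, otherwise re-add `set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping joey-server ip-address '192.168.1.23'` and the matching `mac-address '70:85:c2:9c:6a:16'` line. Separately, `allow-client address '0.0.0.0/0'` and `'::/0'` open the NTP service to any client that can reach the router; today only WAN_LOCAL's default drop keeps it off the internet, and narrowing to `'192.168.1.0/24'` removes that dependency on firewall ordering.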

32
wizard/config/system.sh Normal file

@ -0,0 +1,32 @@
set system config-management commit-revisions '200'
set system conntrack expect-table-size '8192'
set system conntrack hash-size '32768'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system conntrack table-size '262144'
set system conntrack timeout tcp time-wait '15'
set system console device ttyS0 speed '115200'
set system host-name 'vyos'
set system login banner
set system login user vyos authentication encrypted-password $SYSTEM_LOGIN_USER_VYOS_AUTHENTICATION_ENCRYPTEDPASSWORD
set system login user vyos authentication otp key $SYSTEM_LOGIN_USER_VYOS_AUTHENTICATION_OTP_KEY
set system login user vyos authentication otp rate-limit '3'
set system login user vyos authentication otp rate-time '30'
set system login user vyos authentication otp window-size '3'
set system login user vyos authentication public-keys deploy@gitea.jafner.tools key $SYSTEM_LOGIN_USER_VYOS_AUTHENTICATION_PUBLICKEYS_deploygiteajafnertools_KEY
set system login user vyos authentication public-keys deploy@gitea.jafner.tools type 'ssh-ed25519'
set system login user vyos authentication public-keys jafner425@gmail.com key $SYSTEM_LOGIN_USER_VYOS_AUTHENTICATION_PUBLICKEYS_jafner425gmailcom_KEY
set system login user vyos authentication public-keys jafner425@gmail.com type 'ssh-ed25519'
set system name-server '192.168.1.32'
set system name-server 'eth5'
set system option performance 'latency'
set system syslog global facility all level 'info'
set system syslog global facility local7 level 'debug'
set system task-scheduler task update-nat-reflection executable path '/home/vyos/ipupdate.sh'
set system task-scheduler task update-nat-reflection interval '5'
set system time-zone 'America/Los_Angeles'
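Review bot: The new `public-keys deploy@gitea.jafner.tools` entry gives the CI runner the same `vyos` account the operator uses, i.e. full configuration rights on the router, with nothing binding the key to the runner it is meant for. VyOS's public-keys node accepts an `options` string that is passed through to authorized_keys, so a source restriction such as `set system login user vyos authentication public-keys deploy@gitea.jafner.tools options 'from="<RUNNER_LAN_IP>"'` (placeholder address) bounds where a leaked deploy key can be used from; a dedicated deployment user would additionally keep its sessions distinguishable in the logs. The `update-nat-reflection` task executes `/home/vyos/ipupdate.sh` from a user-writable home directory every 5 minutes with the scheduler's privileges, and the script is not in this repository; either version it here or record its expected owner and mode, since whatever can write that file runs on that schedule. Password SSH login is already disabled in service.sh, which keeps the key material the only credential that matters.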