-rwxr-xr-xconfig/backup-kv24ix13
-rw-r--r--config/kv24ix.txt193
-rw-r--r--terraform/garasjepi-zigbee2mqtt/main.tf8
-rw-r--r--terraform/modules/zigbee2mqtt/zigbee2mqtt.tf4
4 files changed, 212 insertions, 6 deletions
diff --git a/config/backup-kv24ix b/config/backup-kv24ix
new file mode 100755
index 0000000..1abcc44
--- /dev/null
+++ b/config/backup-kv24ix
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -euo pipefail
+
+basedir="${0%/*}"
+
+cd "$basedir"
+
+ssh ubnt@kv24ix.trygvis.io \
+ /opt/vyatta/bin/vyatta-op-cmd-wrapper show configuration commands \
+ > kv24ix.txt.new
+
+mv kv24ix.txt.new kv24ix.txt
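Review bot: The dump redirected into `kv24ix.txt.new` is written verbatim, so everything the router prints in `show configuration commands` — the admin user's `encrypted-password` hash, the BGP neighbor password and the SNMP community — ends up in the tracked `kv24ix.txt`; consider stripping those lines before the `mv`, e.g. `| grep -vE 'encrypted-password|plaintext-password| password |snmp community' > kv24ix.txt.new`, and keeping any unredacted copy needed for restores outside the repository. Separately, `basedir="${0%/*}"` leaves `$0` unchanged when the script is invoked by bare name through PATH, so the following `cd` points at a non-existent directory and `set -e` aborts; `basedir="$(dirname "$0")"` handles both invocation forms.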
diff --git a/config/kv24ix.txt b/config/kv24ix.txt
new file mode 100644
index 0000000..a29716b
--- /dev/null
+++ b/config/kv24ix.txt
@@ -0,0 +1,193 @@
+set firewall all-ping enable
+set firewall broadcast-ping disable
+set firewall ipv6-name WANv6_IN default-action drop
+set firewall ipv6-name WANv6_IN description 'WAN inbound traffic forwarded to LAN'
+set firewall ipv6-name WANv6_IN enable-default-log
+set firewall ipv6-name WANv6_IN rule 10 action accept
+set firewall ipv6-name WANv6_IN rule 10 description 'Allow established/related sessions'
+set firewall ipv6-name WANv6_IN rule 10 state established enable
+set firewall ipv6-name WANv6_IN rule 10 state related enable
+set firewall ipv6-name WANv6_IN rule 20 action drop
+set firewall ipv6-name WANv6_IN rule 20 description 'Drop invalid state'
+set firewall ipv6-name WANv6_IN rule 20 state invalid enable
+set firewall ipv6-name WANv6_LOCAL default-action drop
+set firewall ipv6-name WANv6_LOCAL description 'WAN inbound traffic to the router'
+set firewall ipv6-name WANv6_LOCAL enable-default-log
+set firewall ipv6-name WANv6_LOCAL rule 10 action accept
+set firewall ipv6-name WANv6_LOCAL rule 10 description 'Allow established/related sessions'
+set firewall ipv6-name WANv6_LOCAL rule 10 state established enable
+set firewall ipv6-name WANv6_LOCAL rule 10 state related enable
+set firewall ipv6-name WANv6_LOCAL rule 20 action drop
+set firewall ipv6-name WANv6_LOCAL rule 20 description 'Drop invalid state'
+set firewall ipv6-name WANv6_LOCAL rule 20 state invalid enable
+set firewall ipv6-name WANv6_LOCAL rule 30 action accept
+set firewall ipv6-name WANv6_LOCAL rule 30 description 'Allow IPv6 icmp'
+set firewall ipv6-name WANv6_LOCAL rule 30 protocol ipv6-icmp
+set firewall ipv6-name WANv6_LOCAL rule 40 action accept
+set firewall ipv6-name WANv6_LOCAL rule 40 description 'allow dhcpv6'
+set firewall ipv6-name WANv6_LOCAL rule 40 destination port 546
+set firewall ipv6-name WANv6_LOCAL rule 40 protocol udp
+set firewall ipv6-name WANv6_LOCAL rule 40 source port 547
+set firewall ipv6-receive-redirects disable
+set firewall ipv6-src-route disable
+set firewall ip-src-route disable
+set firewall log-martians enable
+set firewall name WAN_IN default-action drop
+set firewall name WAN_IN description 'WAN to internal'
+set firewall name WAN_IN rule 10 action accept
+set firewall name WAN_IN rule 10 description 'Allow established/related'
+set firewall name WAN_IN rule 10 state established enable
+set firewall name WAN_IN rule 10 state related enable
+set firewall name WAN_IN rule 20 action drop
+set firewall name WAN_IN rule 20 description 'Drop invalid state'
+set firewall name WAN_IN rule 20 state invalid enable
+set firewall name WAN_LOCAL default-action drop
+set firewall name WAN_LOCAL description 'WAN to router'
+set firewall name WAN_LOCAL rule 10 action accept
+set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
+set firewall name WAN_LOCAL rule 10 state established enable
+set firewall name WAN_LOCAL rule 10 state related enable
+set firewall name WAN_LOCAL rule 20 action drop
+set firewall name WAN_LOCAL rule 20 description 'Drop invalid state'
+set firewall name WAN_LOCAL rule 20 state invalid enable
+set firewall name WAN_LOCAL rule 30 action accept
+set firewall name WAN_LOCAL rule 30 description 'Allow ICMP'
+set firewall name WAN_LOCAL rule 30 log disable
+set firewall name WAN_LOCAL rule 30 protocol icmp
+set firewall receive-redirects disable
+set firewall send-redirects enable
+set firewall source-validation disable
+set firewall syn-cookies enable
+set interfaces ethernet eth0 address dhcp
+set interfaces ethernet eth0 description Internet
+set interfaces ethernet eth0 dhcpv6-pd pd 1 interface switch0 host-address '::1'
+set interfaces ethernet eth0 dhcpv6-pd pd 1 interface switch0 prefix-id ':1'
+set interfaces ethernet eth0 dhcpv6-pd pd 1 interface switch0 service slaac
+set interfaces ethernet eth0 dhcpv6-pd pd 1 prefix-length /56
+set interfaces ethernet eth0 dhcpv6-pd rapid-commit enable
+set interfaces ethernet eth0 duplex auto
+set interfaces ethernet eth0 firewall in ipv6-name WANv6_IN
+set interfaces ethernet eth0 firewall in name WAN_IN
+set interfaces ethernet eth0 firewall local ipv6-name WANv6_LOCAL
+set interfaces ethernet eth0 firewall local name WAN_LOCAL
+set interfaces ethernet eth0 speed auto
+set interfaces ethernet eth1 description Local
+set interfaces ethernet eth1 duplex auto
+set interfaces ethernet eth1 speed auto
+set interfaces ethernet eth2 description Local
+set interfaces ethernet eth2 duplex auto
+set interfaces ethernet eth2 speed auto
+set interfaces ethernet eth3 description Local
+set interfaces ethernet eth3 duplex auto
+set interfaces ethernet eth3 speed auto
+set interfaces ethernet eth4 description Local
+set interfaces ethernet eth4 duplex auto
+set interfaces ethernet eth4 mtu 1500
+set interfaces ethernet eth4 poe output off
+set interfaces ethernet eth4 speed auto
+set interfaces loopback lo
+set interfaces switch switch0 address 192.168.10.1/24
+set interfaces switch switch0 description Local
+set interfaces switch switch0 firewall in
+set interfaces switch switch0 ipv6 address
+set interfaces switch switch0 ipv6 dup-addr-detect-transmits 1
+set interfaces switch switch0 mtu 1500
+set interfaces switch switch0 switch-port interface eth1
+set interfaces switch switch0 switch-port interface eth2
+set interfaces switch switch0 switch-port interface eth3
+set interfaces switch switch0 switch-port interface eth4
+set interfaces switch switch0 switch-port vlan-aware disable
+set interfaces wireguard wg0 address 'fdf3:aad9:a885:0b3a::16/64'
+set interfaces wireguard wg0 mtu 1420
+set interfaces wireguard wg0 peer cuUgTdFH1UEXpUH6V1nashdH7K/L+pl6dmJCpBWN+Xw= allowed-ips '::0/0'
+set interfaces wireguard wg0 peer cuUgTdFH1UEXpUH6V1nashdH7K/L+pl6dmJCpBWN+Xw= endpoint 'trygvis.io:51821'
+set interfaces wireguard wg0 peer cuUgTdFH1UEXpUH6V1nashdH7K/L+pl6dmJCpBWN+Xw= persistent-keepalive 60
+set interfaces wireguard wg0 private-key /config/auth/wg0.key
+set interfaces wireguard wg0 route-allowed-ips false
+set interfaces wireguard wg1 address 'fe80:fef1:078a:5b64:efd3:ae7b:d286:d7cf/64'
+set interfaces wireguard wg1 description tnet-knot
+set interfaces wireguard wg1 mtu 1420
+set interfaces wireguard wg1 peer eF8DIAyneOlhEzyriFB528IUsnYqy/b5398i0SW06g4= allowed-ips '::/0'
+set interfaces wireguard wg1 peer eF8DIAyneOlhEzyriFB528IUsnYqy/b5398i0SW06g4= endpoint 'knot.inamo.no:51003'
+set interfaces wireguard wg1 peer eF8DIAyneOlhEzyriFB528IUsnYqy/b5398i0SW06g4= persistent-keepalive 60
+set interfaces wireguard wg1 private-key /config/auth/knot.key
+set interfaces wireguard wg1 route-allowed-ips false
+set interfaces wireguard wg2 description route64.org
+set interfaces wireguard wg2 mtu 1420
+set interfaces wireguard wg2 peer ztZNKsJH/CKQjYz9kUOtcIyKakqaNoNuVPZL8nlDxgM= endpoint '118.91.187.67:46010'
+set interfaces wireguard wg2 peer ztZNKsJH/CKQjYz9kUOtcIyKakqaNoNuVPZL8nlDxgM= persistent-keepalive 30
+set interfaces wireguard wg2 private-key /config/auth/route64.key
+set interfaces wireguard wg2 route-allowed-ips false
+set policy prefix-list6 bitraf-dn42 rule 1 action permit
+set policy prefix-list6 bitraf-dn42 rule 1 le 128
+set policy prefix-list6 bitraf-dn42 rule 1 prefix 'fdb1:4242:3538::/48'
+set policy route-map knot rule 1 action permit
+set policy route-map knot rule 1 match ipv6 address prefix-list bitraf-dn42
+set policy route-map knot rule 1 set ipv6-next-hop global 'fe80:fef1:78a:5b64:efd3:ae7b:d286:d7ce'
+set policy route-map knot rule 1 set ipv6-next-hop local 'fe80:fef1:78a:5b64:efd3:ae7b:d286:d7ce'
+set protocols bgp 4242423538 address-family ipv6-unicast network 'fdb1:4242:3538:2006::/64' route-map knot
+set protocols bgp 4242423538 neighbor 'fe80:fef1:78a:5b64:efd3:ae7b:d286:d7ce' address-family ipv6-unicast capability graceful-restart
+set protocols bgp 4242423538 neighbor 'fe80:fef1:78a:5b64:efd3:ae7b:d286:d7ce' address-family ipv6-unicast route-map export knot
+set protocols bgp 4242423538 neighbor 'fe80:fef1:78a:5b64:efd3:ae7b:d286:d7ce' address-family ipv6-unicast soft-reconfiguration inbound
+set protocols bgp 4242423538 neighbor 'fe80:fef1:78a:5b64:efd3:ae7b:d286:d7ce' nexthop-self
+set protocols bgp 4242423538 neighbor 'fe80:fef1:78a:5b64:efd3:ae7b:d286:d7ce' password trygvis
+set protocols bgp 4242423538 neighbor 'fe80:fef1:78a:5b64:efd3:ae7b:d286:d7ce' remote-as 4242423538
+set protocols bgp 4242423538 parameters
+set service dhcp-server disabled false
+set service dhcp-server hostfile-update disable
+set service dhcp-server shared-network-name LAN authoritative enable
+set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 default-router 192.168.10.1
+set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 dns-server 192.168.10.1
+set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 dns-server 8.8.8.8
+set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 lease 86400
+set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 start 192.168.10.100 stop 192.168.10.199
+set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 static-mapping garasje ip-address 192.168.10.23
+set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 static-mapping garasje mac-address 'b4:fb:e4:76:3c:58'
+set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 static-mapping kjokken ip-address 192.168.10.21
+set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 static-mapping kjokken mac-address 'b4:fb:e4:76:3b:2b'
+set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 static-mapping kontor ip-address 192.168.10.22
+set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 static-mapping kontor mac-address 'b4:fb:e4:76:3b:1c'
+set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 static-mapping laboratorium ip-address 192.168.10.26
+set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 static-mapping laboratorium mac-address 'd8:b3:70:b3:35:19'
+set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 static-mapping nede ip-address 192.168.10.25
+set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 static-mapping nede mac-address 'b4:fb:e4:76:3b:1b'
+set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 static-mapping stue ip-address 192.168.10.20
+set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 static-mapping stue mac-address 'b4:fb:e4:76:3b:08'
+set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 static-mapping swcloud ip-address 192.168.10.12
+set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 static-mapping swcloud mac-address '18:e8:29:43:73:02'
+set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 static-mapping swnede ip-address 192.168.10.11
+set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 static-mapping swnede mac-address '18:e8:29:bf:9d:da'
+set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 static-mapping swoppe ip-address 192.168.10.10
+set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 static-mapping swoppe mac-address 'b4:fb:e4:8a:24:a6'
+set service dhcp-server static-arp disable
+set service dhcp-server use-dnsmasq disable
+set service dns forwarding cache-size 150
+set service dns forwarding listen-on switch0
+set service gui http-port 80
+set service gui https-port 443
+set service gui older-ciphers enable
+set service lldp interface switch0
+set service nat rule 5010 description 'masquerade for WAN'
+set service nat rule 5010 outbound-interface eth0
+set service nat rule 5010 type masquerade
+set service snmp community public authorization ro
+set service snmp location kv24ix
+set service ssh port 22
+set service ssh protocol-version v2
+set service unms disable
+set system analytics-handler send-analytics-report false
+set system config-management commit-revisions 10
+set system crash-handler send-crash-report false
+set system host-name kv24ix
+set system login user ubnt authentication encrypted-password '$5$YmwMYrjdnUz2i//n$.dj42FJRGmiS6l/YLkrAG6GW3l3/hX6ARCWpsvG7WC4'
+set system login user ubnt authentication plaintext-password ''
+set system login user ubnt authentication public-keys trygvis@biwia key AAAAC3NzaC1lZDI1NTE5AAAAIK3NIIYprtLQFNut7GGf0va7YYFeSXKSgWDQi4qbf5Ph
+set system login user ubnt authentication public-keys trygvis@biwia type ssh-ed25519
+set system login user ubnt level admin
+set system ntp server 0.ubnt.pool.ntp.org
+set system ntp server 1.ubnt.pool.ntp.org
+set system ntp server 2.ubnt.pool.ntp.org
+set system ntp server 3.ubnt.pool.ntp.org
+set system syslog global facility all level notice
+set system syslog global facility protocols level debug
+set system time-zone Europe/Oslo
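Review bot: The `set protocols bgp ... password trygvis`, `set service snmp community public ...` and `set system login user ubnt authentication encrypted-password ...` lines put live credentials into a tracked file, so once committed they should be treated as disclosed and rotated, and future dumps redacted before they are added. The SNMP community `public` is the well-known default and gives read-only access to anyone who can reach the service, so a non-default community or disabling SNMP is preferable. `set service gui older-ciphers enable` together with `set service gui http-port 80` weakens the management interface's TLS and keeps a cleartext login path; even if the WAN_LOCAL policy keeps the GUI off the Internet side, both deserve a second look unless a specific client depends on them. `set firewall source-validation disable` likewise turns off reverse-path source validation, which I would expect to be enabled on a router with a single upstream.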
diff --git a/terraform/garasjepi-zigbee2mqtt/main.tf b/terraform/garasjepi-zigbee2mqtt/main.tf
index 4d5bb25..1321115 100644
--- a/terraform/garasjepi-zigbee2mqtt/main.tf
+++ b/terraform/garasjepi-zigbee2mqtt/main.tf
@@ -13,7 +13,7 @@ provider "docker" {
locals {
host = "garasjepi.dn42.trygvis.io"
- docker_image = "koenkk/zigbee2mqtt:1.42.0"
+ version = "2.3.0"
public_ip = module.ipam.hosts.garasjepi.address
}
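Review bot: The new local `version = "2.3.0"` pins the container image by mutable tag only, so the tag can be re-pushed upstream and the next pull silently deploys different content; if the module's image resource can take one, carrying a digest next to the tag would make the deployment reproducible — the module's image reference is outside this hunk, so I cannot confirm whether it supports that. Removing the `docker_image` local will also break any remaining `local.docker_image` reference elsewhere in main.tf; none is visible in the hunks shown.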
@@ -24,7 +24,7 @@ module "ipam" {
module "zigbee2mqtt" {
source = "../modules/zigbee2mqtt"
- docker_version = "2.1"
- public_ip = local.public_ip
- serial_port = "/dev/serial/by-id/usb-dresden_elektronik_ingenieurtechnik_GmbH_ConBee_II_DE2698168-if00"
+ docker_version = local.version
+ public_ip = local.public_ip
+ serial_port = "/dev/serial/by-id/usb-dresden_elektronik_ingenieurtechnik_GmbH_ConBee_II_DE2698168-if00"
}
diff --git a/terraform/modules/zigbee2mqtt/zigbee2mqtt.tf b/terraform/modules/zigbee2mqtt/zigbee2mqtt.tf
index 467c5e1..8723a38 100644
--- a/terraform/modules/zigbee2mqtt/zigbee2mqtt.tf
+++ b/terraform/modules/zigbee2mqtt/zigbee2mqtt.tf
@@ -16,7 +16,7 @@ resource "docker_container" "zigbee2mqtt" {
name = "zigbee2mqtt"
hostname = "zigbee2mqtt"
# privileged = true
- must_run = true
+ restart = "unless-stopped"
network_mode = "host"
@@ -40,6 +40,6 @@ resource "docker_container" "zigbee2mqtt" {
devices {
host_path = var.serial_port
container_path = "/dev/ttyACM0"
-# permissions = "rwm"
+ permissions = "rwm"
}
}
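Review bot: `permissions = "rwm"` grants the container mknod on the serial adapter in addition to read and write; a serial device only needs `rw`, so `permissions = "rw"` is the tighter setting, and since `rwm` is also Docker's default for a passed-through device, enabling it explicitly does not change what the container could already do. Leaving `# privileged = true` commented out in the earlier hunk is the right call for the same least-privilege reason. The enclosing `resource "docker_container" "zigbee2mqtt"` block starts outside this hunk.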