feat(wireguard): accès distant au lab via VPN (Freebox 51820/udp → s01) (#80)

- rôle wireguard : serveur wg0 (10.99.0.0/24) sur storage-01, profils
  clients générés dans /etc/wireguard/clients/ (fichier .conf / QR code)
- gateway : filtrage nftables par pair — full (tout le lab) / portal
  (uniquement Traefik :80 = portail Guacamole), masquerade VPN→cluster
- dnsmasq : bind-dynamic + écoute wg0 → *.lab.local résolu dans le tunnel
- pairs initiaux : alkatrazz (full), invite-01 (portal)
- vault : clés WireGuard + reprise de l'archive Authentik (remplace #78)
- doc : admin/infra/wireguard.md (onboarding pair, pièges, exploitation)

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
ALI YESILKAYA 2026-07-07 11:11:43 +02:00 committed by GitHub
parent fbec998c21
commit bc0e1dd53e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
13 changed files with 388 additions and 123 deletions

View file

@ -19,3 +19,15 @@ hermes_data_dir: /srv/data/hermes
postgres_data_dir: /srv/data/postgres
qdrant_data_dir: /srv/data/qdrant
minio_data_dir: /srv/data/minio
# Pairs WireGuard (clés privées : vault_wireguard_peer_private_keys.<name>)
# access: full = tout le lab (admin) | portal = portail Guacamole uniquement
wireguard_peers:
- name: alkatrazz
ip: 10.99.0.10
public_key: "uMlKJzEdnEyjUbY2m3RzJ+0/VWzshaHnug8MeDXFfFA="
access: full
- name: invite-01
ip: 10.99.0.50
public_key: "hMtM2Kn4ENhK1ENFUJQeNLwI1yy5V6o01HKi2zCUDA8="
access: portal