feat(wireguard): accès distant au lab via VPN (Freebox 51820/udp → s01) (#80)

- rôle wireguard : serveur wg0 (10.99.0.0/24) sur storage-01, profils
  clients générés dans /etc/wireguard/clients/ (fichier .conf / QR code)
- gateway : filtrage nftables par pair — full (tout le lab) / portal
  (uniquement Traefik :80 = portail Guacamole), masquerade VPN→cluster
- dnsmasq : bind-dynamic + écoute wg0 → *.lab.local résolu dans le tunnel
- pairs initiaux : alkatrazz (full), invite-01 (portal)
- vault : clés WireGuard + reprise de l'archive Authentik (remplace #78)
- doc : admin/infra/wireguard.md (onboarding pair, pièges, exploitation)

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
ALI YESILKAYA 2026-07-07 11:11:43 +02:00 committed by GitHub
parent fbec998c21
commit bc0e1dd53e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
13 changed files with 388 additions and 123 deletions

View file

@ -0,0 +1,11 @@
# Profil WireGuard « {{ item.name }} » — accès {{ item.access }} au lab Funk
[Interface]
PrivateKey = {{ vault_wireguard_peer_private_keys[item.name] }}
Address = {{ item.ip }}/32
DNS = {{ wireguard_client_dns }}
[Peer]
PublicKey = {{ wireguard_server_public_key }}
Endpoint = {{ wireguard_endpoint }}
AllowedIPs = {{ wireguard_client_allowed_ips }}
PersistentKeepalive = 25

View file

@ -0,0 +1,13 @@
# Géré par Ansible — ne pas modifier manuellement
[Interface]
Address = {{ wireguard_server_ip }}/{{ wireguard_subnet.split('/')[1] }}
ListenPort = {{ wireguard_port }}
PrivateKey = {{ vault_wireguard_server_private_key }}
{% for peer in wireguard_peers %}
# {{ peer.name }} — accès {{ peer.access }}
[Peer]
PublicKey = {{ peer.public_key }}
AllowedIPs = {{ peer.ip }}/32
{% endfor %}