diff --git a/.gitattributes b/.gitattributes
index 07ef734..9796c84 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,4 +1,5 @@
 *.secret filter=git-crypt diff=git-crypt
 *.secret.yaml filter=git-crypt diff=git-crypt
 *.secret.values filter=git-crypt diff=git-crypt
-*.secret.sh filter=git-crypt diff=git-crypt
\ No newline at end of file
+*.secret.sh filter=git-crypt diff=git-crypt
+*.secret.conf filter=git-crypt diff=git-crypt
\ No newline at end of file
diff --git a/fritzbox/README.md b/fritzbox/README.md
new file mode 100644
index 0000000..7bf8a3b
--- /dev/null
+++ b/fritzbox/README.md
@@ -0,0 +1,51 @@
+# FritzBox Wireguard Setup
+
+This folder contains configuration and documentation for connecting your FritzBox router (home network) to the Kubernetes cluster via a Wireguard Site-to-Site VPN.
+
+## 1. Prerequisites
+- Your FritzBox must be running FRITZ!OS 7.50+ (Tested with 8.25).
+- The Kubernetes Wireguard endpoint (`k8s/wireguard`) must be deployed and running on `vpn.haumdaucher.de`.
+
+## 2. Connecting the FritzBox
+
+The FritzBox will be configured to connect to the cluster via a "LAN-to-LAN" coupling. Since we prefer "infrastructure as code", we have pre-generated the exact configuration file. For FritzBox specifically, this requires a manual import step.
+
+1. Locate the file `fritzbox-wireguard.secret.conf` in this directory.
+2. Ensure you have unlocked `git-crypt` so you can read its decrypted contents.
+3. Open your FritzBox Web Interface (usually `http://fritz.box`).
+4. Navigate to **Internet > Permit Access > VPN (WireGuard)**.
+5. Click on **Add Connection** (or "Verbindung hinzufügen").
+6. Select **Connect networks or establish special connections** (Netzwerke koppeln oder spezielle Verbindungen herstellen).
+7. Ask if it has been set up on the other side -> choose **Yes** (or choose to upload a config file directly).
+8. Choose **Upload a configuration file** and select the decrypted `fritzbox-wireguard.secret.conf` file.
+9. Finish the setup.
+
+The FritzBox will immediately try to connect to `vpn.haumdaucher.de:51820`.
+
+## 3. Verifying the Connection
+
+### From the Kubernetes Side
+Connect to your cluster and check the Wireguard pod logs:
+```bash
+# Get the pod name
+kubectl get pods -n wireguard
+
+# Execute into the pod to check connection status
+kubectl exec -it -n wireguard -- wg show
+```
+You should see a peer connected and the `latest handshake` timestamp indicating a successful connection.
+
+### Bidirectional Ping Test
+1. **Cluster -> Home Network:**
+ Exec into any pod in your cluster (e.g., a toolbox or home-assistant pod) and ping a device on your local network:
+ ```bash
+ ping 192.168.10.1 # Ping your FritzBox local IP
+ ```
+2. **Home Network -> Cluster:**
+ From your laptop at home, try to ping a known K8s Service IP (e.g., `10.233.0.1` for kubernetes default service, or a specific pod IP):
+ ```bash
+ ping 10.233.0.1
+ ```
+
+## Backups
+Any future manual configurations, firmware backups, or notes related to the FritzBox should be stored within this `fritzbox/` folder. Use `.secret` extensions for any files containing sensitive tokens or passwords.
diff --git a/fritzbox/fritzbox-wireguard.secret.conf b/fritzbox/fritzbox-wireguard.secret.conf
new file mode 100644
index 0000000..4c1a28a
Binary files /dev/null and b/fritzbox/fritzbox-wireguard.secret.conf differ
diff --git a/k8s/wireguard/deployment.yaml b/k8s/wireguard/deployment.yaml
new file mode 100644
index 0000000..df821dc
--- /dev/null
+++ b/k8s/wireguard/deployment.yaml
@@ -0,0 +1,53 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: wireguard
+ namespace: wireguard
+ labels:
+ app: wireguard
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: wireguard
+ template:
+ metadata:
+ labels:
+ app: wireguard
+ spec:
+ hostNetwork: true
+ containers:
+ - name: wireguard
+ image: alpine:latest
+ command: ["/bin/sh", "-c"]
+ args:
+ - |
+ apk add --no-cache wireguard-tools iptables
+ cp /config/wg0.conf /etc/wireguard/wg0.conf
+ chmod 600 /etc/wireguard/wg0.conf
+ wg-quick up wg0
+ echo "Wireguard is up"
+ trap "wg-quick down wg0" SIGINT SIGTERM
+ sleep infinity &
+ wait
+ securityContext:
+ privileged: true
+ capabilities:
+ add:
+ - NET_ADMIN
+ - SYS_MODULE
+ volumeMounts:
+ - name: wg-config
+ mountPath: /config/wg0.conf
+ subPath: wg0.conf
+ readOnly: true
+ - name: lib-modules
+ mountPath: /lib/modules
+ readOnly: true
+ volumes:
+ - name: wg-config
+ secret:
+ secretName: wireguard-config
+ - name: lib-modules
+ hostPath:
+ path: /lib/modules
diff --git a/k8s/wireguard/kustomization.yaml b/k8s/wireguard/kustomization.yaml
new file mode 100644
index 0000000..3b9db94
--- /dev/null
+++ b/k8s/wireguard/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: wireguard
+
+resources:
+ - namespace.yaml
+ - secret.secret.yaml
+ - deployment.yaml
diff --git a/k8s/wireguard/namespace.yaml b/k8s/wireguard/namespace.yaml
new file mode 100644
index 0000000..75e9be3
--- /dev/null
+++ b/k8s/wireguard/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: wireguard
diff --git a/k8s/wireguard/secret.secret.yaml b/k8s/wireguard/secret.secret.yaml
new file mode 100644
index 0000000..dd7997a
Binary files /dev/null and b/k8s/wireguard/secret.secret.yaml differ
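Review bot: The new `*.secret.conf` pattern only governs files staged after the attribute exists, so the `fritzbox-wireguard.secret.conf` added in this same commit should be confirmed with `git-crypt status` before the push (it does show as binary in this diff, which is consistent with it having been encrypted, but that is the check that proves it). The README in this commit tells contributors to use `.secret` extensions generically, while only the four listed suffixes are actually covered here; a single `*.secret.* filter=git-crypt diff=git-crypt` line would match any future suffix without another edit to this file. The file still lacks a trailing newline, as the `\ No newline at end of file` marker shows; adding one avoids the same remove-and-re-add churn on the next append.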
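Review bot: `privileged: true` in the container securityContext grants the container full host device and capability access, which makes the explicit `capabilities.add` list directly below it meaningless and, combined with `hostNetwork: true`, means a compromise of this container is a compromise of the node. wg-quick needs NET_ADMIN (and SYS_MODULE only when the wireguard module is not already loaded on the host), so drop the `privileged: true` line and keep the capability list, then confirm from the pod log that `wg-quick up wg0` still succeeds. Separately, `image: alpine:latest` plus `apk add --no-cache wireguard-tools iptables` at startup means every restart pulls unpinned packages over the network, so the code that runs is not fixed by this manifest and startup fails whenever egress is blocked; pin the image to a digest and bake the tools in, or at minimum pin the tag. The `cp` into `/etc/wireguard/` presumably relies on the wireguard-tools package creating that directory — confirm, or add `mkdir -p /etc/wireguard` before it.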
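Review bot: `secret.secret.yaml` is listed as an ordinary resource, but in any locked checkout it is git-crypt ciphertext (this commit records it as a binary file), so `kustomize build` on a clone without the git-crypt key — a CI job or a GitOps controller — fails with a YAML parse error rather than a clear message. Document the requirement next to the entry, e.g. `# secret.secret.yaml is git-crypt encrypted; unlock the repo before building`, or deliver the Secret through a mechanism the controller can decrypt itself. The Deployment in this commit mounts `secretName: wireguard-config`; whether the encrypted file defines a Secret of that name cannot be verified from this diff.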