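#!/bin/bash
# shellcheck disable=SC2121
#
# VyOS configuration for a small home router: DNS/DHCP/TFTP on three LAN
# segments (mgmt/lan/server), a WireGuard interface, NAT/NAT66 towards eth0,
# and a default-drop forward filter for both address families.
#
# Every `set` below is the VyOS configure-mode wrapper, NOT the bash builtin,
# so this file must be sourced in configure mode (e.g. via the VyOS script
# template). For the same reason `set -euo pipefail` cannot be used here:
# it would be dispatched to the config wrapper.
#
# No `commit`/`save` is issued here; presumably the caller reviews and commits.

# Fail loudly instead of silently running the bash builtin `set` (which would
# only rewrite the positional parameters and apply no configuration at all).
# `return` is used so that sourcing this file from an interactive configure
# session does not terminate that session; it falls back to `exit` when run.
if [[ "$(type -t set)" == builtin ]]; then
  printf '%s\n' "error: 'set' is the bash builtin here; source this file from VyOS configure mode" >&2
  return 1 2>/dev/null || exit 1
fi

readonly domain=strypsteen.com
# Every public service name resolves to the single "home" host entry.
readonly -a home_aliases=(
  auth chat cloud code git llm matrix metrics monitoring network office
  photos remote-desktop vault xmr
)
# Router-side addresses on which the DNS forwarder listens (wg0, eth3, eth2, eth1).
readonly -a dns_listen=(192.168.252.1 192.168.253.1 192.168.254.1 192.168.255.1)
# Interfaces that get SLAAC router advertisements.
readonly -a ra_interfaces=(eth1 eth2 eth3)
# Address families that receive the same forward-filter rule set.
readonly -a firewall_types=(ipv4 ipv6)

# --- system -----------------------------------------------------------------
set system name-server 9.9.9.9
set system static-host-mapping host-name "pve.${domain}" inet 192.168.253.2
for alias in "${home_aliases[@]}"; do
  set system static-host-mapping host-name "home.${domain}" alias "${alias}.${domain}"
done
# IPv6 privacy extensions (temporary addresses preferred) on the WAN side.
set system sysctl parameter net.ipv6.conf.eth0.use_tempaddr value 2
set system time-zone Europe/Brussels

# --- interfaces -------------------------------------------------------------
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 ipv6 address autoconf
set interfaces ethernet eth1 address 192.168.255.1/24
set interfaces ethernet eth1 address fc00::1/64
set interfaces ethernet eth2 address 192.168.254.1/24
set interfaces ethernet eth2 address fc01::1/64
set interfaces ethernet eth3 address 192.168.253.1/24
set interfaces ethernet eth3 address fc02::1/64
set interfaces wireguard wg0 address 192.168.252.1/24
set interfaces wireguard wg0 port 51820

# --- services ---------------------------------------------------------------
# Key-based SSH only; no password authentication.
set service ssh disable-password-authentication
set service dhcp-server hostfile-update
set service dhcp-server shared-network-name mgmt option default-router 192.168.255.1
set service dhcp-server shared-network-name mgmt option name-server 192.168.255.1
set service dhcp-server shared-network-name mgmt subnet 192.168.255.0/24 subnet-id 1
set service dhcp-server shared-network-name mgmt subnet 192.168.255.0/24 range 0 start 192.168.255.2
set service dhcp-server shared-network-name mgmt subnet 192.168.255.0/24 range 0 stop 192.168.255.254
set service dhcp-server shared-network-name mgmt subnet 192.168.255.0/24 lease 1800
set service dhcp-server shared-network-name lan option default-router 192.168.254.1
set service dhcp-server shared-network-name lan option name-server 192.168.254.1
set service dhcp-server shared-network-name lan subnet 192.168.254.0/24 subnet-id 2
set service dhcp-server shared-network-name lan subnet 192.168.254.0/24 range 0 start 192.168.254.2
set service dhcp-server shared-network-name lan subnet 192.168.254.0/24 range 0 stop 192.168.254.254
set service dhcp-server shared-network-name lan subnet 192.168.254.0/24 lease 1800
# The server segment also PXE-boots from the router's TFTP directory.
set service dhcp-server shared-network-name server option bootfile-name netboot.xyz.efi
set service dhcp-server shared-network-name server option bootfile-server 192.168.253.1
set service dhcp-server shared-network-name server option default-router 192.168.253.1
set service dhcp-server shared-network-name server option domain-name server.home.arpa
set service dhcp-server shared-network-name server option name-server 192.168.253.1
set service dhcp-server shared-network-name server subnet 192.168.253.0/24 subnet-id 3
# Range starts at .3: .2 is the statically mapped "pve" host above.
set service dhcp-server shared-network-name server subnet 192.168.253.0/24 range 0 start 192.168.253.3
set service dhcp-server shared-network-name server subnet 192.168.253.0/24 range 0 stop 192.168.253.253
set service dhcp-server shared-network-name server subnet 192.168.253.0/24 lease 1800
for ifname in "${ra_interfaces[@]}"; do
  set service router-advert interface "$ifname" prefix ::/64
done
for addr in "${dns_listen[@]}"; do
  set service dns forwarding listen-address "$addr"
done
# NOTE(review): upstream is a resolver on localhost; confirm what listens there.
set service dns forwarding name-server 127.0.0.1
set service dns forwarding dnssec validate
# NOTE(review): /16 is wider than the four /24s configured above; a tighter
# allow-from list would limit which sources can query the forwarder.
set service dns forwarding allow-from 192.168.0.0/16
set service tftp-server directory /config/tftp
set service tftp-server listen-address 192.168.253.1
# Plain-HTTP metrics export to an internal host; the InfluxDB token is not
# kept in this file and is presumably configured separately.
set service monitoring telegraf influxdb url http://home.server.home.arpa
set service monitoring telegraf influxdb bucket vyos
set service monitoring telegraf influxdb authentication organization metrics

# --- nat --------------------------------------------------------------------
set nat source rule 1 outbound-interface name eth0
set nat source rule 1 translation address masquerade
set nat66 source rule 1 outbound-interface name eth0
set nat66 source rule 1 translation address masquerade

# --- firewall ---------------------------------------------------------------
# Strict reverse-path validation (anti-spoofing) for both families.
set firewall global-options source-validation strict
set firewall global-options ipv6-source-validation strict
# Forward policy, identical for ipv4 and ipv6:
#   1  established/related
#   2  anything -> eth0 (internet)
#   3  mgmt (eth1) -> anywhere
#   4  lan (eth2) -> server (eth3)
#   5  server (eth3) -> lan (eth2)
#   6  wg0 -> anywhere
# Rules 3 and 6 grant full forwarding from mgmt and WireGuard to every other
# segment, mgmt included.
# NOTE(review): no `input filter` is defined here; if the platform defaults the
# input hook to accept, the router's own services are reachable on eth0 too.
for i in "${firewall_types[@]}"; do
  set firewall "$i" forward filter default-action drop
  set firewall "$i" forward filter rule 1 action accept
  set firewall "$i" forward filter rule 1 state established
  set firewall "$i" forward filter rule 1 state related
  set firewall "$i" forward filter rule 2 action accept
  set firewall "$i" forward filter rule 2 outbound-interface name eth0
  set firewall "$i" forward filter rule 3 action accept
  set firewall "$i" forward filter rule 3 inbound-interface name eth1
  set firewall "$i" forward filter rule 4 action accept
  set firewall "$i" forward filter rule 4 inbound-interface name eth2
  set firewall "$i" forward filter rule 4 outbound-interface name eth3
  set firewall "$i" forward filter rule 5 action accept
  set firewall "$i" forward filter rule 5 inbound-interface name eth3
  set firewall "$i" forward filter rule 5 outbound-interface name eth2
  set firewall "$i" forward filter rule 6 action accept
  set firewall "$i" forward filter rule 6 inbound-interface name wg0
done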