From 31c27facb197a64d00a3f50f3fbb7aac06c37a8d Mon Sep 17 00:00:00 2001 
From: Joseph Hanson
Date: Wed, 29 Mar 2023 13:30:45 -0500
Subject: [PATCH] Initial Commit.
---
.gitattributes | 1 +
.github/.gitignore | 10 +
.gitignore | 17 +
.sops.yaml | 6 +
apply-config.sh | 88 +++
config-parts/.gitignore | 6 +
config-parts/container.sh | 122 ++++
config-parts/firewall-name.sh | 712 +++++++++++++++++++++
config-parts/firewall-zone.sh | 103 +++
config-parts/firewall.sh | 146 +++++
config-parts/interfaces.sh | 33 +
config-parts/nat.sh | 96 +++
config-parts/protocols.sh | 14 +
config-parts/service-dhcp_server.sh | 202 ++++++
config-parts/service.sh | 14 +
config-parts/system-static_host_mapping.sh | 35 +
config-parts/system.sh | 24 +
containers/.gitignore | 11 +
containers/coredns/.gitignore | 14 +
containers/coredns/config/Corefile | 60 ++
containers/dnsdist/.gitignore | 9 +
containers/dnsdist/config/dnsdist.conf | 91 +++
containers/haproxy/.gitignore | 9 +
containers/haproxy/config/haproxy.cfg | 66 ++
containers/unifi/.gitignore | 6 +
containers/unifi/.gitkeep | 0
scripts/.gitignore | 13 +
scripts/custom-config-backup.sh | 26 +
scripts/vyos-postconfig-bootup.script | 24 +
scripts/vyos-preconfig-bootup.script | 13 +
30 files changed, 1971 insertions(+)
create mode 100644 .gitattributes
create mode 100644 .github/.gitignore
create mode 100644 .gitignore
create mode 100644 .sops.yaml
create mode 100644 apply-config.sh
create mode 100644 config-parts/.gitignore
create mode 100644 config-parts/container.sh
create mode 100644 config-parts/firewall-name.sh
create mode 100644 config-parts/firewall-zone.sh
create mode 100644 config-parts/firewall.sh
create mode 100644 config-parts/interfaces.sh
create mode 100644 config-parts/nat.sh
create mode 100644 config-parts/protocols.sh
create mode 100644 config-parts/service-dhcp_server.sh
create mode 100644 config-parts/service.sh
create mode 100644 config-parts/system-static_host_mapping.sh
create mode 100644 config-parts/system.sh
create mode 100644 containers/.gitignore
create mode 100644 containers/coredns/.gitignore
create mode 100644 containers/coredns/config/Corefile
create mode 100644 containers/dnsdist/.gitignore
create mode 100644 containers/dnsdist/config/dnsdist.conf
create mode 100644 containers/haproxy/.gitignore
create mode 100644 containers/haproxy/config/haproxy.cfg
create mode 100644 containers/unifi/.gitignore
create mode 100644 containers/unifi/.gitkeep
create mode 100644 scripts/.gitignore
create mode 100644 scripts/custom-config-backup.sh
create mode 100644 scripts/vyos-postconfig-bootup.script
create mode 100644 scripts/vyos-preconfig-bootup.script
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..176a458
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+* text=auto
diff --git a/.github/.gitignore b/.github/.gitignore
new file mode 100644
index 0000000..2109756
--- /dev/null
+++ b/.github/.gitignore
@@ -0,0 +1,10 @@
+# Ignore everything
+/*
+
+# Track certain files and directories
+!.gitignore
+!renovate.json5
+
+!/workflows/
+/workflows/*
+!/workflows/**.yaml
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..21fc007
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,17 @@
+# Ignore everything
+/*
+
+# Track certain files and directories
+!.gitignore
+!.gitattributes
+!.sops.yaml
+!apply-config.sh
+!secret.sops.env
+
+# VyOS config
+!scripts/
+!config-parts/
+!containers/
+
+# CI
+!.github/
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..f1a18cd
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,6 @@
+---
+creation_rules:
+ - path_regex: .*\.sops\.env
+ # Personal, VyOS
+ age: >-
+ age1jrwr0h64c8lze8870uzq2pkk40d7z426k759988f9wmzm2ylpdjsgh30m7
diff --git a/apply-config.sh b/apply-config.sh
new file mode 100644
index 0000000..3ab733e
--- /dev/null
+++ b/apply-config.sh
@@ -0,0 +1,88 @@
+#!/bin/vbash
+# shellcheck shell=bash
+# shellcheck source=/dev/null
+dry_run=false
+
+if [ "$(id -g -n)" != 'vyattacfg' ] ; then
+ exec sg vyattacfg -c "/bin/vbash $(readlink -f "$0") $@"
+fi
+
+while getopts "d" options; do
+ case "${options}" in
+ d)
+ dry_run=true
+ ;;
+ *)
+ echo 'error in command line parsing' >&2
+ exit 1
+ ;;
+ esac
+done
+
+# Load secrets into ENV vars
+if [ -f "/config/secrets.sops.env" ]; then
+ export SOPS_AGE_KEY_FILE=/config/secrets/age.key
+
+ mapfile environmentAsArray < <(
+ sops --decrypt "/config/secrets.sops.env" \
+ | grep --invert-match '^#' \
+ | grep --invert-match '^\s*$'
+ ) # Uses grep to remove commented and blank lines
+ for variableDeclaration in "${environmentAsArray[@]}"; do
+ export "${variableDeclaration//[$'\r\n']}" # The substitution removes the line breaks
+ done
+fi
+
+# Include VyOS specific functions and aliases
+source /opt/vyatta/etc/functions/script-template
+
+# Reset the configuration
+load /opt/vyatta/etc/config.boot.default
+
+# Load all config files
+for f in /config/config-parts/*.sh
+do
+ if [ -f "${f}" ]; then
+ echo "Processing ${f}"
+ source "${f}"
+ fi
+done
+
+if "$dry_run"; then
+ # Show what's different from the running config
+ compare
+else
+ # Pull new container images
+ AVAILABLE_IMAGES=($(run show container image | awk '{ if ( NR > 1 ) { print $1 ":" $2} }'))
+ CONFIG_IMAGES=($(sed -nr "s/set container name .* image '(.*)'/\1/p" /config/config-parts/* | uniq))
+
+ for image in "${CONFIG_IMAGES[@]}"
+ do
+ if [[ ! " ${AVAILABLE_IMAGES[*]} " =~ " ${image} " ]]; then
+ echo "Pulling image ${image}"
+ run add container image "${image}"
+ fi
+ done
+
+ # Commit and save
+ echo "Committing and saving config"
+ commit
+ save
+
+ # Clean obsolete container images
+ IFS=$'\n' read -rd '' -a AVAILABLE_IMAGES <<<"$(run show container image | tail -n +2)"
+ for image in "${AVAILABLE_IMAGES[@]}"
+ do
+ image_name=$(echo "${image}" | awk '{ print $1 }')
+ image_tag=$(echo "${image}" | awk '{ print $2 }')
+ image_id=$(echo "${image}" | awk '{ print $3 }')
+ image_name_tag="${image_name}:${image_tag}"
+
+ if [[ ! " ${CONFIG_IMAGES[*]} " =~ " ${image_name_tag} " ]]; then
+ echo "Removing container ${image_name_tag}"
+ run delete container image "${image_id}"
+ fi
+ done
+fi
+
+exit
diff --git a/config-parts/.gitignore b/config-parts/.gitignore
new file mode 100644
index 0000000..dbf1943
--- /dev/null
+++ b/config-parts/.gitignore
@@ -0,0 +1,6 @@
+# Ignore everything
+/*
+
+# Track certain files and directories
+!.gitignore
+!*.sh
diff --git a/config-parts/container.sh b/config-parts/container.sh
new file mode 100644
index 0000000..ffb7983
--- /dev/null
+++ b/config-parts/container.sh
@@ -0,0 +1,122 @@
+#!/bin/vbash
+
+# Container networks
+set container network services prefix '10.5.0.0/24'
+
+# cloudflare-ddns
+set container name cloudflare-ddns allow-host-networks
+set container name cloudflare-ddns environment CF_API_TOKEN value "${SECRET_CLOUDFLARE_DYNDNS_TOKEN}"
+set container name cloudflare-ddns environment DOMAINS value 'ipv4.jahanson.tech,ipv4.hsn.dev'
+set container name cloudflare-ddns environment IP6_PROVIDER value "none"
+set container name cloudflare-ddns environment TZ value 'America/Chicago'
+set container name cloudflare-ddns environment PGID value "1000"
+set container name cloudflare-ddns environment PUID value "1000"
+set container name cloudflare-ddns image 'docker.io/favonia/cloudflare-ddns:1.9.1'
+set container name cloudflare-ddns memory '0'
+set container name cloudflare-ddns restart 'on-failure'
+set container name cloudflare-ddns shared-memory '0'
+
+# coredns - main instance
+set container name coredns cap-add 'net-bind-service'
+set container name coredns image 'docker.io/coredns/coredns:1.10.1'
+set container name coredns memory '0'
+set container name coredns network services address '10.5.0.3'
+set container name coredns restart 'on-failure'
+set container name coredns shared-memory '0'
+set container name coredns volume config destination '/config'
+set container name coredns volume config source '/config/containers/coredns/config'
+set container name coredns volume config mode 'ro'
+set container name coredns volume corefile destination '/Corefile'
+set container name coredns volume corefile source '/config/containers/coredns/config/Corefile'
+set container name coredns volume corefile mode 'ro'
+set container name coredns volume vyoshosts destination '/host/etc/hosts'
+set container name coredns volume vyoshosts source '/etc/hosts'
+set container name coredns volume vyoshosts mode 'ro'
+
+# dnsdist
+set container name dnsdist cap-add 'net-bind-service'
+set container name dnsdist environment TZ value 'America/Chicago'
+set container name dnsdist image 'docker.io/powerdns/dnsdist-17:1.7.3'
+set container name dnsdist memory '0'
+set container name dnsdist network services address '10.5.0.4'
+set container name dnsdist restart 'on-failure'
+set container name dnsdist shared-memory '0'
+set container name dnsdist volume config destination '/etc/dnsdist/dnsdist.conf'
+set container name dnsdist volume config source '/config/containers/dnsdist/config/dnsdist.conf'
+set container name dnsdist volume config mode 'ro'
+
+# haproxy-k8s-api
+set container name haproxy-k8s-api image 'docker.io/library/haproxy:2.7.4'
+set container name haproxy-k8s-api memory '0'
+set container name haproxy-k8s-api network services address '10.5.0.2'
+set container name haproxy-k8s-api restart 'on-failure'
+set container name haproxy-k8s-api shared-memory '0'
+set container name haproxy-k8s-api volume config destination '/usr/local/etc/haproxy/haproxy.cfg'
+set container name haproxy-k8s-api volume config source '/config/containers/haproxy/config/haproxy.cfg'
+set container name haproxy-k8s-api volume config mode 'ro'
+
+# node-exporter
+set container name node-exporter environment procfs value '/host/proc'
+set container name node-exporter environment rootfs value '/host/rootfs'
+set container name node-exporter environment sysfs value '/host/sys'
+set container name node-exporter image 'quay.io/prometheus/node-exporter:v1.5.0'
+set container name node-exporter memory '0'
+set container name node-exporter network services address '10.5.0.7'
+set container name node-exporter restart 'on-failure'
+set container name node-exporter shared-memory '0'
+set container name node-exporter volume procfs destination '/host/proc'
+set container name node-exporter volume procfs mode 'ro'
+set container name node-exporter volume procfs source '/proc'
+set container name node-exporter volume rootfs destination '/host/rootfs'
+set container name node-exporter volume rootfs mode 'ro'
+set container name node-exporter volume rootfs source '/'
+set container name node-exporter volume sysfs destination '/host/sys'
+set container name node-exporter volume sysfs mode 'ro'
+set container name node-exporter volume sysfs source '/sys'
+
+# speedtest-exporter
+set container name speedtest-exporter image 'ghcr.io/miguelndecarvalho/speedtest-exporter:v3.5.3'
+set container name speedtest-exporter memory '0'
+set container name speedtest-exporter network services address '10.5.0.8'
+set container name speedtest-exporter restart 'on-failure'
+set container name speedtest-exporter shared-memory '0'
+
+# udp-broadcast-relay-mdns
+set container name udp-broadcast-relay-mdns allow-host-networks
+set container name udp-broadcast-relay-mdns cap-add 'net-raw'
+set container name udp-broadcast-relay-mdns environment CFG_DEV value 'eth1.20;eth1.40'
+set container name udp-broadcast-relay-mdns environment CFG_ID value '2'
+set container name udp-broadcast-relay-mdns environment CFG_MULTICAST value '224.0.0.251'
+set container name udp-broadcast-relay-mdns environment CFG_PORT value '5353'
+set container name udp-broadcast-relay-mdns environment SEPARATOR value ';'
+set container name udp-broadcast-relay-mdns image 'ghcr.io/onedr0p/udp-broadcast-relay-redux:1.0.27'
+set container name udp-broadcast-relay-mdns memory '0'
+set container name udp-broadcast-relay-mdns restart 'on-failure'
+set container name udp-broadcast-relay-mdns shared-memory '0'
+
+# udp-broadcast-relay-sonos
+set container name udp-broadcast-relay-sonos allow-host-networks
+set container name udp-broadcast-relay-sonos cap-add 'net-raw'
+set container name udp-broadcast-relay-sonos environment CFG_DEV value 'eth1.20;eth1.40'
+set container name udp-broadcast-relay-sonos environment CFG_ID value '1'
+set container name udp-broadcast-relay-sonos environment CFG_MULTICAST value '239.255.255.250'
+set container name udp-broadcast-relay-sonos environment CFG_PORT value '1900'
+set container name udp-broadcast-relay-sonos environment SEPARATOR value ';'
+set container name udp-broadcast-relay-sonos image 'ghcr.io/onedr0p/udp-broadcast-relay-redux:1.0.27'
+set container name udp-broadcast-relay-sonos memory '0'
+set container name udp-broadcast-relay-sonos restart 'on-failure'
+set container name udp-broadcast-relay-sonos shared-memory '0'
+
+# unifi
+set container name unifi environment RUNAS_UID0 value 'false'
+set container name unifi environment TZ value 'America/Chicago'
+set container name unifi environment UNIFI_GID value '999'
+set container name unifi environment UNIFI_STDOUT value 'true'
+set container name unifi environment UNIFI_UID value '999'
+set container name unifi image 'ghcr.io/jacobalberty/unifi-docker:v7.3.83'
+set container name unifi memory '0'
+set container name unifi network services address '10.5.0.10'
+set container name unifi restart 'on-failure'
+set container name unifi shared-memory '0'
+set container name unifi volume data destination '/unifi'
+set container name unifi volume data source '/config/containers/unifi'
diff --git a/config-parts/firewall-name.sh b/config-parts/firewall-name.sh
new file mode 100644
index 0000000..2e2b680
--- /dev/null
+++ b/config-parts/firewall-name.sh
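Review bot: The node-exporter `volume rootfs source '/'` bind mount hands the whole host filesystem (read-only) to that container, which includes `/config/secrets/age.key` and the sops-encrypted env file that `apply-config.sh` decrypts with it, so a compromise of the exporter would expose the age private key and every secret it protects. If the filesystem collector genuinely needs `/`, a comment here recording that trade-off would help the next reader; otherwise narrowing the mount to the mountpoints actually scraped limits the blast radius. Second, `CF_API_TOKEN value "${SECRET_CLOUDFLARE_DYNDNS_TOKEN}"` is expanded at apply time and stored in plaintext in the committed and saved VyOS config, and when the variable is unset it silently commits an empty token; a guard at the top of this file such as `: "${SECRET_CLOUDFLARE_DYNDNS_TOKEN:?secrets not loaded}"` aborts the apply before `commit` instead of pushing a broken record. Because the saved config then carries the token, any config backup (the diffstat adds `scripts/custom-config-backup.sh`, not visible here) needs to be treated as secret material too.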
@@ -0,0 +1,712 @@
+#!/bin/vbash
+
+# From GUEST to IOT
+set firewall name guest-iot default-action 'drop'
+set firewall name guest-iot description 'From GUEST to IOT'
+set firewall name guest-iot enable-default-log
+set firewall name guest-iot rule 1 action 'accept'
+set firewall name guest-iot rule 1 description 'Rule: accept_tcp_printer_from_allowed_devices'
+set firewall name guest-iot rule 1 destination group address-group 'printers'
+set firewall name guest-iot rule 1 destination port 'http,9100'
+set firewall name guest-iot rule 1 protocol 'tcp'
+set firewall name guest-iot rule 1 source group address-group 'printer_allowed'
+set firewall name guest-iot rule 2 action 'accept'
+set firewall name guest-iot rule 2 description 'Rule: accept_udp_printer_from_allowed_devices'
+set firewall name guest-iot rule 2 destination group address-group 'printers'
+set firewall name guest-iot rule 2 destination port '161'
+set firewall name guest-iot rule 2 protocol 'udp'
+set firewall name guest-iot rule 2 source group address-group 'printer_allowed'
+
+# From GUEST to LAN
+set firewall name guest-lan default-action 'drop'
+set firewall name guest-lan description 'From GUEST to LAN'
+set firewall name guest-lan enable-default-log
+
+# From GUEST to LOCAL
+set firewall name guest-local default-action 'drop'
+set firewall name guest-local description 'From GUEST to LOCAL'
+set firewall name guest-local enable-default-log
+set firewall name guest-local rule 1 action 'accept'
+set firewall name guest-local rule 1 description 'Rule: accept_dhcp'
+set firewall name guest-local rule 1 destination port '67,68'
+set firewall name guest-local rule 1 protocol 'udp'
+set firewall name guest-local rule 1 source port '67,68'
+
+# From GUEST to SERVERS
+set firewall name guest-servers default-action 'drop'
+set firewall name guest-servers description 'From GUEST to SERVERS'
+set firewall name guest-servers enable-default-log
+
+# From GUEST to SERVICES
+set firewall name guest-services default-action 'drop'
+set firewall name guest-services description 'From GUEST to SERVICES'
+set firewall name guest-services enable-default-log
+set firewall name guest-services rule 1 action 'accept'
+set firewall name guest-services rule 1 description 'Rule: accept_dns'
+set firewall name guest-services rule 1 destination port 'domain,domain-s'
+set firewall name guest-services rule 1 protocol 'tcp_udp'
+
+# From GUEST to TRUSTED
+set firewall name guest-trusted default-action 'drop'
+set firewall name guest-trusted description 'From GUEST to TRUSTED'
+set firewall name guest-trusted enable-default-log
+
+# From GUEST to VIDEO
+set firewall name guest-video default-action 'drop'
+set firewall name guest-video description 'From GUEST to VIDEO'
+set firewall name guest-video enable-default-log
+
+# From GUEST to WAN
+set firewall name guest-wan default-action 'accept'
+set firewall name guest-wan description 'From GUEST to WAN'
+
+# From IOT to GUEST
+set firewall name iot-guest default-action 'drop'
+set firewall name iot-guest description 'From IOT to GUEST'
+set firewall name iot-guest enable-default-log
+
+# From IOT to LAN
+set firewall name iot-lan default-action 'drop'
+set firewall name iot-lan description 'From IOT to LAN'
+set firewall name iot-lan enable-default-log
+
+# From IOT to LOCAL
+set firewall name iot-local default-action 'drop'
+set firewall name iot-local description 'From IOT to LOCAL'
+set firewall name iot-local enable-default-log
+set firewall name iot-local rule 1 action 'accept'
+set firewall name iot-local rule 1 description 'Rule: accept_ssh'
+set firewall name iot-local rule 1 destination port 'ssh'
+set firewall name iot-local rule 1 protocol 'tcp'
+set firewall name iot-local rule 2 action 'accept'
+set firewall name iot-local rule 2 description 'Rule: accept_ntp'
+set firewall name iot-local rule 2 destination port 'ntp'
+set firewall name iot-local rule 2 protocol 'udp'
+set firewall name iot-local rule 3 action 'accept'
+set firewall name iot-local rule 3 description 'Rule: accept_dhcp'
+set firewall name iot-local rule 3 destination port '67,68'
+set firewall name iot-local rule 3 protocol 'udp'
+set firewall name iot-local rule 3 source port '67,68'
+set firewall name iot-local rule 4 action 'accept'
+set firewall name iot-local rule 4 description 'Rule: accept_igmp'
+set firewall name iot-local rule 4 protocol '2'
+set firewall name iot-local rule 5 action 'accept'
+set firewall name iot-local rule 5 description 'Rule: accept_mdns'
+set firewall name iot-local rule 5 destination port 'mdns'
+set firewall name iot-local rule 5 protocol 'udp'
+set firewall name iot-local rule 5 source port 'mdns'
+set firewall name iot-local rule 6 action 'accept'
+set firewall name iot-local rule 6 description 'Rule: accept_discovery_from_sonos_players'
+set firewall name iot-local rule 6 destination port '1900,1901,1902'
+set firewall name iot-local rule 6 protocol 'udp'
+set firewall name iot-local rule 6 source group address-group 'sonos_players'
+set firewall name iot-local rule 7 action 'accept'
+set firewall name iot-local rule 7 description 'Rule: accept_discovery_from_sonos_controllers'
+set firewall name iot-local rule 7 destination port '1900,1901,1902,57621'
+set firewall name iot-local rule 7 protocol 'udp'
+set firewall name iot-local rule 7 source group address-group 'sonos_controllers'
+
+# From IOT to SERVERS
+set firewall name iot-servers default-action 'drop'
+set firewall name iot-servers description 'From IOT to SERVERS'
+set firewall name iot-servers enable-default-log
+set firewall name iot-servers rule 1 action 'accept'
+set firewall name iot-servers rule 1 description 'Rule: accept_nas_smb_from_scanners'
+set firewall name iot-servers rule 1 destination group address-group 'nas'
+set firewall name iot-servers rule 1 destination port 'microsoft-ds'
+set firewall name iot-servers rule 1 protocol 'tcp'
+set firewall name iot-servers rule 1 source group address-group 'scanners'
+set firewall name iot-servers rule 2 action 'accept'
+set firewall name iot-servers rule 2 description 'Rule: accept_plex_from_plex_clients'
+set firewall name iot-servers rule 2 destination group address-group 'k8s_plex'
+set firewall name iot-servers rule 2 destination port '32400'
+set firewall name iot-servers rule 2 protocol 'tcp'
+set firewall name iot-servers rule 2 source group address-group 'plex_clients'
+set firewall name iot-servers rule 3 action 'accept'
+set firewall name iot-servers rule 3 description 'Rule: accept_jellyfin_from_jellyfin_clients'
+set firewall name iot-servers rule 3 destination group address-group 'k8s_jellyfin'
+set firewall name iot-servers rule 3 destination port '8096'
+set firewall name iot-servers rule 3 protocol 'tcp'
+set firewall name iot-servers rule 3 source group address-group 'jellyfin_clients'
+set firewall name iot-servers rule 4 action 'accept'
+set firewall name iot-servers rule 4 description 'Rule: accept_mqtt_from_mqtt_clients'
+set firewall name iot-servers rule 4 destination group address-group 'k8s_mqtt'
+set firewall name iot-servers rule 4 destination port '1883'
+set firewall name iot-servers rule 4 protocol 'tcp'
+set firewall name iot-servers rule 4 source group address-group 'mqtt_clients'
+set firewall name iot-servers rule 5 action 'accept'
+set firewall name iot-servers rule 5 description 'Rule: accept_mqtt_from_esp'
+set firewall name iot-servers rule 5 destination group address-group 'k8s_mqtt'
+set firewall name iot-servers rule 5 destination port '1883'
+set firewall name iot-servers rule 5 protocol 'tcp'
+set firewall name iot-servers rule 5 source group address-group 'esp'
+set firewall name iot-servers rule 6 action 'accept'
+set firewall name iot-servers rule 6 description 'Rule: accept_k8s_ingress_from_sonos_players'
+set firewall name iot-servers rule 6 destination group address-group 'k8s_ingress'
+set firewall name iot-servers rule 6 destination port 'http,https'
+set firewall name iot-servers rule 6 protocol 'tcp'
+set firewall name iot-servers rule 6 source group address-group 'sonos_players'
+set firewall name iot-servers rule 7 action 'accept'
+set firewall name iot-servers rule 7 description 'Rule: accept_k8s_ingress_from_ereaders'
+set firewall name iot-servers rule 7 destination group address-group 'k8s_ingress'
+set firewall name iot-servers rule 7 destination port 'http,https'
+set firewall name iot-servers rule 7 protocol 'tcp'
+set firewall name iot-servers rule 7 source group address-group 'ereaders'
+set firewall name iot-servers rule 8 action 'accept'
+set firewall name iot-servers rule 8 description 'Rule: accept_k8s_ingress_from_wall_displays'
+set firewall name iot-servers rule 8 destination group address-group 'k8s_ingress'
+set firewall name iot-servers rule 8 destination port 'http,https'
+set firewall name iot-servers rule 8 protocol 'tcp'
+set firewall name iot-servers rule 8 source group address-group 'wall_displays'
+set firewall name iot-servers rule 9 action 'accept'
+set firewall name iot-servers rule 9 description 'Rule: accept_k8s_ingress_from_allowed_devices'
+set firewall name iot-servers rule 9 destination group address-group 'k8s_ingress'
+set firewall name iot-servers rule 9 destination port 'http,https'
+set firewall name iot-servers rule 9 protocol 'tcp'
+set firewall name iot-servers rule 9 source group address-group 'k8s_ingress_allowed'
+set firewall name iot-servers rule 10 action 'accept'
+set firewall name iot-servers rule 10 description 'Rule: accept_vector_journald_from_allowed_devices'
+set firewall name iot-servers rule 10 destination group address-group 'k8s_vector_aggregator'
+set firewall name iot-servers rule 10 destination port '6002'
+set firewall name iot-servers rule 10 protocol 'tcp'
+set firewall name iot-servers rule 10 source group address-group 'vector_journald_allowed'
+
+# From IOT to SERVICES
+set firewall name iot-services default-action 'accept'
+set firewall name iot-services description 'From IOT to SERVICES'
+set firewall name iot-services rule 1 action 'accept'
+set firewall name iot-services rule 1 description 'Rule: accept_dns'
+set firewall name iot-services rule 1 destination port 'domain,domain-s'
+set firewall name iot-services rule 1 protocol 'tcp_udp'
+
+# From IOT to TRUSTED
+set firewall name iot-trusted default-action 'drop'
+set firewall name iot-trusted description 'From IOT to TRUSTED'
+set firewall name iot-trusted enable-default-log
+set firewall name iot-trusted rule 1 action 'accept'
+set firewall name iot-trusted rule 1 description 'Rule: accept_udp_from_sonos_players_to_sonos_controllers'
+set firewall name iot-trusted rule 1 destination group address-group 'sonos_controllers'
+set firewall name iot-trusted rule 1 destination port '30000-65535'
+set firewall name iot-trusted rule 1 protocol 'udp'
+set firewall name iot-trusted rule 1 source group address-group 'sonos_players'
+set firewall name iot-trusted rule 2 action 'accept'
+set firewall name iot-trusted rule 2 description 'Rule: accept_tcp_from_sonos_players_to_sonos_controllers'
+set firewall name iot-trusted rule 2 destination group address-group 'sonos_controllers'
+set firewall name iot-trusted rule 2 destination port '1400,3400,3401,3500,30000-65535'
+set firewall name iot-trusted rule 2 protocol 'tcp'
+set firewall name iot-trusted rule 2 source group address-group 'sonos_players'
+
+# From IOT to VIDEO
+set firewall name iot-video default-action 'drop'
+set firewall name iot-video description 'From IOT to VIDEO'
+set firewall name iot-video enable-default-log
+
+# From IOT to WAN
+set firewall name iot-wan default-action 'accept'
+set firewall name iot-wan description 'From IOT to WAN'
+
+# From LAN to GUEST
+set firewall name lan-guest default-action 'drop'
+set firewall name lan-guest description 'From LAN to GUEST'
+set firewall name lan-guest enable-default-log
+
+# From LAN to GUEST
+set firewall name lan-iot default-action 'drop'
+set firewall name lan-iot description 'From LAN to IOT'
+set firewall name lan-iot enable-default-log
+
+# From LAN to LOCAL
+set firewall name lan-local default-action 'drop'
+set firewall name lan-local description 'From LAN to LOCAL'
+set firewall name lan-local enable-default-log
+set firewall name lan-local rule 1 action 'accept'
+set firewall name lan-local rule 1 description 'Rule: accept_ssh'
+set firewall name lan-local rule 1 destination port 'ssh'
+set firewall name lan-local rule 1 protocol 'tcp'
+set firewall name lan-local rule 2 action 'accept'
+set firewall name lan-local rule 2 description 'Rule: accept_ntp'
+set firewall name lan-local rule 2 destination port 'ntp'
+set firewall name lan-local rule 2 protocol 'udp'
+set firewall name lan-local rule 3 action 'accept'
+set firewall name lan-local rule 3 description 'Rule: accept_dhcp'
+set firewall name lan-local rule 3 destination port '67,68'
+set firewall name lan-local rule 3 protocol 'udp'
+set firewall name lan-local rule 3 source port '67,68'
+
+# From LAN to SERVERS
+set firewall name lan-servers default-action 'drop'
+set firewall name lan-servers description 'From LAN to SERVERS'
+set firewall name lan-servers enable-default-log
+set firewall name lan-servers rule 1 action 'accept'
+set firewall name lan-servers rule 1 description 'Rule: accept_icmp'
+set firewall name lan-servers rule 1 protocol 'icmp'
+
+# From LAN to SERVICES
+set firewall name lan-services default-action 'accept'
+set firewall name lan-services description 'From LAN to SERVICES'
+set firewall name lan-services rule 1 action 'accept'
+set firewall name lan-services rule 1 description 'Rule: accept_dns'
+set firewall name lan-services rule 1 destination port 'domain,domain-s'
+set firewall name lan-services rule 1 protocol 'tcp_udp'
+
+# From LAN to TRUSTED
+set firewall name lan-trusted default-action 'drop'
+set firewall name lan-trusted description 'From LAN to TRUSTED'
+set firewall name lan-trusted enable-default-log
+
+# From LAN to VIDEO
+set firewall name lan-video default-action 'drop'
+set firewall name lan-video description 'From LAN to VIDEO'
+set firewall name lan-video enable-default-log
+
+# From LAN to WAN
+set firewall name lan-wan default-action 'accept'
+set firewall name lan-wan description 'From LAN to WAN'
+
+# From LOCAL to GUEST
+set firewall name local-guest default-action 'drop'
+set firewall name local-guest description 'From LOCAL to GUEST'
+set firewall name local-guest enable-default-log
+
+# From LOCAL to IOT
+set firewall name local-iot default-action 'drop'
+set firewall name local-iot description 'From LOCAL to IOT'
+set firewall name local-iot enable-default-log
+set firewall name local-iot rule 1 action 'accept'
+set firewall name local-iot rule 1 description 'Rule: accept_igmp'
+set firewall name local-iot rule 1 protocol '2'
+set firewall name local-iot rule 2 action 'accept'
+set firewall name local-iot rule 2 description 'Rule: accept_mdns'
+set firewall name local-iot rule 2 destination port 'mdns'
+set firewall name local-iot rule 2 protocol 'udp'
+set firewall name local-iot rule 2 source port 'mdns'
+set firewall name local-iot rule 3 action 'accept'
+set firewall name local-iot rule 3 description 'Rule: accept_discovery_from_sonos_controllers'
+set firewall name local-iot rule 3 destination port '1900,1901,1902,57621'
+set firewall name local-iot rule 3 protocol 'udp'
+set firewall name local-iot rule 3 source group address-group 'sonos_controllers'
+
+# From LOCAL to LAN
+set firewall name local-lan default-action 'drop'
+set firewall name local-lan description 'From LOCAL to LAN'
+set firewall name local-lan enable-default-log
+
+# From LOCAL to SERVERS
+set firewall name local-servers default-action 'drop'
+set firewall name local-servers description 'From LOCAL to SERVERS'
+set firewall name local-servers enable-default-log
+set firewall name local-servers rule 1 action 'accept'
+set firewall name local-servers rule 1 description 'Rule: accept_bgp'
+set firewall name local-servers rule 1 destination port 'bgp'
+set firewall name local-servers rule 1 protocol 'tcp'
+set firewall name local-servers rule 2 action 'accept'
+set firewall name local-servers rule 2 description 'Rule: accept_k8s_api'
+set firewall name local-servers rule 2 destination port '6443'
+set firewall name local-servers rule 2 protocol 'tcp'
+set firewall name local-servers rule 3 action 'accept'
+set firewall name local-servers rule 3 description 'Rule: accept_dns'
+set firewall name local-servers rule 3 destination port 'domain,domain-s'
+set firewall name local-servers rule 3 protocol 'tcp_udp'
+set firewall name local-servers rule 4 action 'accept'
+set firewall name local-servers rule 4 description 'Rule: accept_vector_syslog'
+set firewall name local-servers rule 4 destination group address-group 'k8s_vector_aggregator'
+set firewall name local-servers rule 4 destination port '6001'
+set firewall name local-servers rule 4 protocol 'tcp'
+
+# From LOCAL to SERVICES
+set firewall name local-services default-action 'accept'
+set firewall name local-services description 'From LOCAL to SERVICES'
+set firewall name local-services rule 1 action 'accept'
+set firewall name local-services rule 1 description 'Rule: accept_dns'
+set firewall name local-services rule 1 destination port 'domain,domain-s'
+set firewall name local-services rule 1 protocol 'tcp_udp'
+
+# From LOCAL to TRUSTED
+set firewall name local-trusted default-action 'drop'
+set firewall name local-trusted description 'From LOCAL to TRUSTED'
+set firewall name local-trusted enable-default-log
+set firewall name local-trusted rule 1 action 'accept'
+set firewall name local-trusted rule 1 description 'Rule: accept_igmp'
+set firewall name local-trusted rule 1 protocol '2'
+set firewall name local-trusted rule 2 action 'accept'
+set firewall name local-trusted rule 2 description 'Rule: accept_mdns'
+set firewall name local-trusted rule 2 destination port 'mdns'
+set firewall name local-trusted rule 2 protocol 'udp'
+set firewall name local-trusted rule 2 source port 'mdns'
+set firewall name local-trusted rule 3 action 'accept'
+set firewall name local-trusted rule 3 description 'Rule: accept_discovery_from_sonos_players'
+set firewall name local-trusted rule 3 destination port '1900,1901,1902'
+set firewall name local-trusted rule 3 protocol 'udp'
+set firewall name local-trusted rule 3 source group address-group 'sonos_players'
+
+# From LOCAL to VIDEO
+set firewall name local-video default-action 'drop'
+set firewall name local-video description 'From LOCAL to VIDEO'
+set firewall name local-video enable-default-log
+
+# From LOCAL to WAN
+set firewall name local-wan default-action 'accept'
+set firewall name local-wan description 'From LOCAL to WAN'
+
+# From SERVERS to GUEST
+set firewall name servers-guest default-action 'drop'
+set firewall name servers-guest description 'From SERVERS to GUEST'
+set firewall name servers-guest enable-default-log
+
+# From SERVERS to IOT
+set firewall name servers-iot default-action 'drop'
+set firewall name servers-iot description 'From SERVERS to IOT'
+set firewall name servers-iot enable-default-log
+set firewall name servers-iot rule 1 action 'accept'
+set firewall name servers-iot rule 1 description 'Rule: accept_icmp'
+set firewall name servers-iot rule 1 protocol 'icmp'
+set firewall name servers-iot rule 2 action 'accept'
+set firewall name servers-iot rule 2 description 'Rule: accept_p1reader_from_k8s_nodes'
+set firewall name servers-iot rule 2 destination port '8088'
+set firewall name servers-iot rule 2 protocol 'tcp'
+set firewall name servers-iot rule 2 source group address-group 'k8s_nodes'
+set firewall name servers-iot rule 3 action 'accept'
+set firewall name servers-iot rule 3 description 'Rule: accept_adb_from_k8s_nodes'
+set firewall name servers-iot rule 3 destination group address-group 'android_tv_players'
+set firewall name servers-iot rule 3 destination port '5555'
+set firewall name servers-iot rule 3 protocol 'tcp'
+set firewall name servers-iot rule 3 source group address-group 'k8s_nodes'
+set firewall name servers-iot rule 4 action 'accept'
+set firewall name servers-iot rule 4 description 'Rule: accept_3d_printer_control_from_k8s_nodes'
+set firewall name servers-iot rule 4 destination group address-group '3d_printer_controllers'
+set firewall name servers-iot rule 4 destination port '7125'
+set firewall name servers-iot rule 4 protocol 'tcp'
+set firewall name servers-iot rule 4 source group address-group 'k8s_nodes'
+set firewall name servers-iot rule 5 action 'accept'
+set firewall name servers-iot rule 5 description 'Rule: accept_k8s_nodes'
+set firewall name servers-iot rule 5 protocol 'tcp'
+set firewall name servers-iot rule 5 source group address-group 'k8s_nodes'
+
+# From SERVERS to LAN
+set firewall name servers-lan default-action 'drop'
+set firewall name servers-lan description 'From SERVERS to LAN'
+set firewall name servers-lan rule 1 action 'accept'
+set firewall name servers-lan rule 1 description 'Rule: accept_icmp'
+set firewall name servers-lan rule 1 protocol 'icmp'
+
+# From SERVERS to LOCAL
+set firewall name servers-local default-action 'drop'
+set firewall name servers-local description 'From SERVERS to LOCAL'
+set firewall name servers-local enable-default-log
+set firewall name servers-local rule 1 action 'accept'
+set firewall name servers-local rule 1 description 'Rule: accept_icmp'
+set firewall name servers-local rule 1 protocol 'icmp'
+set firewall name servers-local rule 2 action 'accept'
+set firewall name servers-local rule 2 description 'Rule: accept_ntp'
+set firewall name servers-local rule 2 destination port 'ntp'
+set firewall name servers-local rule 2 protocol 'udp'
+set firewall name servers-local rule 3 action 'accept'
+set firewall name servers-local rule 3 description 'Rule: accept_dhcp'
+set firewall name servers-local rule 3 destination port '67,68'
+set firewall name servers-local rule 3 protocol 'udp'
+set firewall name servers-local rule 3 source port '67,68'
+set firewall name servers-local rule 4 action 'accept'
+set firewall name servers-local rule 4 description 'Rule: accept_bgp'
+set firewall name servers-local rule 4 destination port 'bgp'
+set firewall name servers-local rule 4 protocol 'tcp'
+set firewall name servers-local rule 5 action 'accept'
+set firewall name servers-local rule 5 description 'Rule: accept_tftp'
+set firewall name servers-local rule 5 destination port '69'
+set firewall name servers-local rule 5 protocol 'udp'
+set firewall name servers-local rule 6 action 'accept'
+set firewall name servers-local rule 6 description 'Rule: accept_prometheus_from_k8s_nodes'
+set firewall name servers-local rule 6 destination port '9153'
+set firewall name servers-local rule 6 protocol 'tcp'
+set firewall name servers-local rule 6 source group address-group 'k8s_nodes'
+
+# From SERVERS to SERVICES
+set firewall name servers-services default-action 'accept'
+set firewall name servers-services description 'From SERVERS to SERVICES'
+set firewall name servers-services enable-default-log
+set firewall name servers-services rule 1 action 'accept'
+set firewall name servers-services rule 1 description 'Rule: accept_dns'
+set firewall name servers-services rule 1 destination port 'domain,domain-s'
+set firewall name servers-services rule 1 protocol 'tcp_udp'
+set firewall name servers-services rule 2 action 'accept'
+set firewall name servers-services rule 2 description 'Rule: accept_k8s_api'
+set firewall name servers-services rule 2 destination port '6443'
+set firewall name servers-services rule 2 protocol 'tcp'
+
+# From SERVERS to TRUSTED
+set firewall name servers-trusted default-action 'drop'
+set firewall name servers-trusted description 'From SERVERS to TRUSTED'
+set firewall name servers-trusted rule 1 action 'accept'
+set firewall name servers-trusted rule 1 description 'Rule: accept_icmp'
+set firewall 
name servers-trusted rule 1 protocol 'icmp' + +# From SERVERS to VIDEO +set firewall name servers-video default-action 'drop' +set firewall name servers-video description 'From SERVERS to VIDEO' +set firewall name servers-video enable-default-log +set firewall name servers-video rule 1 action 'accept' +set firewall name servers-video rule 1 description 'Rule: accept_icmp' +set firewall name servers-video rule 1 protocol 'icmp' +set firewall name servers-video rule 2 action 'accept' +set firewall name servers-video rule 2 description 'Rule: accept_k8s_nodes' +set firewall name servers-video rule 2 protocol 'tcp' +set firewall name servers-video rule 2 source group address-group 'k8s_nodes' +## From jellydocks --> Video +set firewall name servers-video rule 3 action 'accept' +set firewall name servers-video rule 3 description 'Rule: accept_jellydocks' +set firewall name servers-video rule 3 protocol 'tcp' +set firewall name servers-video rule 3 source address 10.1.1.14 + +# From SERVERS to WAN +set firewall name servers-wan default-action 'accept' +set firewall name servers-wan description 'From SERVERS to WAN' + +# From SERVICES to GUEST +set firewall name services-guest default-action 'drop' +set firewall name services-guest description 'From SERVICES to GUEST' +set firewall name services-guest enable-default-log + +# From SERVICES to IOT +set firewall name services-iot default-action 'drop' +set firewall name services-iot description 'From SERVICES to IOT' +set firewall name services-iot enable-default-log + +# From SERVICES to LAN +set firewall name services-lan default-action 'drop' +set firewall name services-lan description 'From SERVICES to LAN' +set firewall name services-lan enable-default-log + +# From SERVICES to LOCAL +set firewall name services-local default-action 'drop' +set firewall name services-local description 'From SERVICES to LOCAL' +set firewall name services-local enable-default-log +set firewall name services-local rule 1 action 'accept' 
+set firewall name services-local rule 1 description 'Rule: accept_ntp' +set firewall name services-local rule 1 destination port 'ntp' +set firewall name services-local rule 1 protocol 'udp' +set firewall name services-local rule 2 action 'accept' +set firewall name services-local rule 2 description 'Rule: accept_dhcp' +set firewall name services-local rule 2 destination port '67,68' +set firewall name services-local rule 2 protocol 'udp' +set firewall name services-local rule 2 source port '67,68' + +# From SERVICES to SERVICES +set firewall name services-servers default-action 'accept' +set firewall name services-servers description 'From SERVICES to SERVERS' +set firewall name services-servers rule 1 action 'accept' +set firewall name services-servers rule 1 description 'Rule: accept_icmp' +set firewall name services-servers rule 1 protocol 'icmp' + +# From SERVICES to TRUSTED +set firewall name services-trusted default-action 'drop' +set firewall name services-trusted description 'From SERVICES to TRUSTED' +set firewall name services-trusted enable-default-log + +# From SERVICES to VIDEO +set firewall name services-video default-action 'drop' +set firewall name services-video description 'From SERVICES to VIDEO' +set firewall name services-video enable-default-log + +# From SERVICES to WAN +set firewall name services-wan default-action 'accept' +set firewall name services-wan description 'From SERVICES to WAN' + +# From TRUSTED to GUEST +set firewall name trusted-guest default-action 'drop' +set firewall name trusted-guest description 'From TRUSTED to GUEST' +set firewall name trusted-guest enable-default-log + +# From TRUSTED to IOT +set firewall name trusted-iot default-action 'accept' +set firewall name trusted-iot description 'From TRUSTED to IOT' +set firewall name trusted-iot rule 1 action 'accept' +set firewall name trusted-iot rule 1 description 'Rule: accept_icmp' +set firewall name trusted-iot rule 1 protocol 'icmp' +set firewall name trusted-iot 
rule 2 action 'accept' +set firewall name trusted-iot rule 2 description 'Rule: accept_app_control_from_sonos_controllers_tcp' +set firewall name trusted-iot rule 2 destination port '80,443,445,1400,3400,3401,3500,4070,4444' +set firewall name trusted-iot rule 2 protocol 'tcp' +set firewall name trusted-iot rule 2 source group address-group 'sonos_controllers' +set firewall name trusted-iot rule 3 action 'accept' +set firewall name trusted-iot rule 3 description 'Rule: accept_app_control_from_sonos_controllers_udp' +set firewall name trusted-iot rule 3 destination port '136-139,1900-1901,2869,10243,10280-10284,5353,6969' +set firewall name trusted-iot rule 3 protocol 'udp' +set firewall name trusted-iot rule 3 source group address-group 'sonos_controllers' + +# From TRUSTED to LAN +set firewall name trusted-lan default-action 'accept' +set firewall name trusted-lan description 'From TRUSTED to LAN' + +# From TRUSTED to LOCAL +set firewall name trusted-local default-action 'drop' +set firewall name trusted-local description 'From TRUSTED to LOCAL' +set firewall name trusted-local enable-default-log +set firewall name trusted-local rule 1 action 'accept' +set firewall name trusted-local rule 1 description 'Rule: accept_icmp' +set firewall name trusted-local rule 1 protocol 'icmp' +set firewall name trusted-local rule 2 action 'accept' +set firewall name trusted-local rule 2 description 'Rule: accept_ssh' +set firewall name trusted-local rule 2 destination port 'ssh' +set firewall name trusted-local rule 2 protocol 'tcp' +set firewall name trusted-local rule 3 action 'accept' +set firewall name trusted-local rule 3 description 'Rule: accept_ntp' +set firewall name trusted-local rule 3 destination port 'ntp' +set firewall name trusted-local rule 3 protocol 'udp' +set firewall name trusted-local rule 4 action 'accept' +set firewall name trusted-local rule 4 description 'Rule: accept_dhcp' +set firewall name trusted-local rule 4 destination port '67,68' +set firewall 
name trusted-local rule 4 protocol 'udp' +set firewall name trusted-local rule 4 source port '67,68' +set firewall name trusted-local rule 5 action 'accept' +set firewall name trusted-local rule 5 description 'Rule: accept_igmp' +set firewall name trusted-local rule 5 protocol '2' +set firewall name trusted-local rule 6 action 'accept' +set firewall name trusted-local rule 6 description 'Rule: accept_mdns' +set firewall name trusted-local rule 6 destination port 'mdns' +set firewall name trusted-local rule 6 protocol 'udp' +set firewall name trusted-local rule 6 source port 'mdns' +set firewall name trusted-local rule 7 action 'accept' +set firewall name trusted-local rule 7 description 'Rule: accept_vyos_api' +set firewall name trusted-local rule 7 destination port '8443' +set firewall name trusted-local rule 7 protocol 'tcp' +set firewall name trusted-local rule 8 action 'accept' +set firewall name trusted-local rule 8 description 'Rule: accept_discovery_from_sonos_players' +set firewall name trusted-local rule 8 destination port '1900,1901,1902' +set firewall name trusted-local rule 8 protocol 'udp' +set firewall name trusted-local rule 8 source group address-group 'sonos_players' +set firewall name trusted-local rule 9 action 'accept' +set firewall name trusted-local rule 9 description 'Rule: accept_discovery_from_sonos_controllers' +set firewall name trusted-local rule 9 destination port '1900,1901,1902,57621' +set firewall name trusted-local rule 9 protocol 'udp' +set firewall name trusted-local rule 9 source group address-group 'sonos_controllers' + +# From TRUSTED to SERVERS +set firewall name trusted-servers default-action 'accept' +set firewall name trusted-servers description 'From TRUSTED to SERVERS' +set firewall name trusted-servers rule 1 action 'accept' +set firewall name trusted-servers rule 1 description 'Rule: accept_icmp' +set firewall name trusted-servers rule 1 protocol 'icmp' + +# From TRUSTED to SERVICES +set firewall name trusted-services 
default-action 'accept' +set firewall name trusted-services description 'From TRUSTED to SERVICES' +set firewall name trusted-services rule 1 action 'accept' +set firewall name trusted-services rule 1 description 'Rule: accept_dns' +set firewall name trusted-services rule 1 destination port 'domain,domain-s' +set firewall name trusted-services rule 1 protocol 'tcp_udp' + +# From TRUSTED to VIDEO +set firewall name trusted-video default-action 'accept' +set firewall name trusted-video description 'From TRUSTED to VIDEO' +set firewall name trusted-video rule 1 action 'accept' +set firewall name trusted-video rule 1 description 'Rule: accept_icmp' +set firewall name trusted-video rule 1 protocol 'icmp' + +# From TRUSTED to WAN +set firewall name trusted-wan default-action 'accept' +set firewall name trusted-wan description 'From TRUSTED to WAN' + +# From VIDEO to GUEST +set firewall name video-guest default-action 'drop' +set firewall name video-guest description 'From VIDEO to GUEST' +set firewall name video-guest enable-default-log + +# From VIDEO to IOT +set firewall name video-iot default-action 'drop' +set firewall name video-iot description 'From VIDEO to IOT' +set firewall name video-iot enable-default-log + +# From VIDEO to LAN +set firewall name video-lan default-action 'drop' +set firewall name video-lan description 'From VIDEO to LAN' +set firewall name video-lan enable-default-log + +# From VIDEO to LOCAL +set firewall name video-local default-action 'drop' +set firewall name video-local description 'From VIDEO to LOCAL' +set firewall name video-local enable-default-log +set firewall name video-local rule 1 action 'accept' +set firewall name video-local rule 1 description 'Rule: accept_ntp' +set firewall name video-local rule 1 destination port 'ntp' +set firewall name video-local rule 1 protocol 'udp' +set firewall name video-local rule 2 action 'accept' +set firewall name video-local rule 2 description 'Rule: accept_dhcp' +set firewall name video-local 
rule 2 destination port '67,68' +set firewall name video-local rule 2 protocol 'udp' +set firewall name video-local rule 2 source port '67,68' + +# From VIDEO to SERVERS +set firewall name video-servers default-action 'drop' +set firewall name video-servers description 'From VIDEO to SERVERS' +set firewall name video-servers enable-default-log + +# From VIDEO to SERVICES +set firewall name video-services default-action 'accept' +set firewall name video-services description 'From VIDEO to SERVICES' +set firewall name video-services rule 1 action 'accept' +set firewall name video-services rule 1 description 'Rule: accept_dns' +set firewall name video-services rule 1 destination port 'domain,domain-s' +set firewall name video-services rule 1 protocol 'tcp_udp' + +# From VIDEO to TRUSTED +set firewall name video-trusted default-action 'drop' +set firewall name video-trusted description 'From VIDEO to TRUSTED' +set firewall name video-trusted enable-default-log + +# From VIDEO to WAN +set firewall name video-wan default-action 'drop' +set firewall name video-wan description 'From VIDEO to WAN' + +# From WAN to GUEST +set firewall name wan-guest default-action 'drop' +set firewall name wan-guest description 'From WAN to GUEST' +set firewall name wan-guest enable-default-log + +# From WAN to IOT +set firewall name wan-iot default-action 'drop' +set firewall name wan-iot description 'From WAN to IOT' +set firewall name wan-iot enable-default-log + +# From WAN to LAN +set firewall name wan-lan default-action 'drop' +set firewall name wan-lan description 'From WAN to LAN' +set firewall name wan-lan enable-default-log + +# From WAN to LOCAL +set firewall name wan-local default-action 'drop' +set firewall name wan-local description 'From WAN to LOCAL' +set firewall name wan-local enable-default-log +set firewall name wan-local rule 1 action 'accept' +set firewall name wan-local rule 1 description 'Rule: accept_wireguard' +set firewall name wan-local rule 1 destination port 
'51820' +set firewall name wan-local rule 1 protocol 'udp' + +# From WAN to SERVERS +set firewall name wan-servers default-action 'drop' +set firewall name wan-servers description 'From WAN to SERVERS' +set firewall name wan-servers enable-default-log +set firewall name wan-servers rule 1 action 'accept' +set firewall name wan-servers rule 1 description 'Rule: accept_ingress_from_cloudflare' +set firewall name wan-servers rule 1 destination group address-group 'k8s_ingress' +set firewall name wan-servers rule 1 destination port 'http,https' +set firewall name wan-servers rule 1 protocol 'tcp' +set firewall name wan-servers rule 1 source group network-group 'cloudflare-ipv4' +## Plex +set firewall name wan-servers rule 10 action 'accept' +set firewall name wan-servers rule 10 destination port 32400 +set firewall name wan-servers rule 10 protocol 'tcp' +set firewall name wan-servers rule 10 destination address 10.1.1.12 + +# From WAN to SERVICES +set firewall name wan-services default-action 'drop' +set firewall name wan-services description 'From WAN to SERVICES' +set firewall name wan-services enable-default-log + +# From WAN to TRUSTED +set firewall name wan-trusted default-action 'drop' +set firewall name wan-trusted description 'From WAN to TRUSTED' +set firewall name wan-trusted enable-default-log + +# From WAN to VIDEO +set firewall name wan-video default-action 'drop' +set firewall name wan-video description 'From WAN to VIDEO' +set firewall name wan-video enable-default-log diff --git a/config-parts/firewall-zone.sh b/config-parts/firewall-zone.sh new file mode 100644 index 0000000..413ab40 --- /dev/null +++ b/config-parts/firewall-zone.sh 
@@ -0,0 +1,103 @@
+#!/bin/vbash
+
+set firewall zone guest default-action 'drop'
+set firewall zone guest from iot firewall name 'iot-guest'
+set firewall zone guest from lan firewall name 'lan-guest'
+set firewall zone guest from local firewall name 'local-guest'
+set firewall zone guest from servers firewall name 'servers-guest'
+set firewall zone guest from services firewall name 'services-guest'
+set firewall zone guest from trusted firewall name 'trusted-guest'
+set firewall zone guest from video firewall name 'video-guest'
+set firewall zone guest from wan firewall name 'wan-guest'
+set firewall zone guest interface 'eth1.30'
+
+set firewall zone iot default-action 'drop'
+set firewall zone iot from guest firewall name 'guest-iot'
+set firewall zone iot from lan firewall name 'lan-iot'
+set firewall zone iot from local firewall name 'local-iot'
+set firewall zone iot from servers firewall name 'servers-iot'
+set firewall zone iot from services firewall name 'services-iot'
+set firewall zone iot from trusted firewall name 'trusted-iot'
+set firewall zone iot from video firewall name 'video-iot'
+set firewall zone iot from wan firewall name 'wan-iot'
+set firewall zone iot interface 'eth1.40'
+
+set firewall zone lan default-action 'drop'
+set firewall zone lan from guest firewall name 'guest-lan'
+set firewall zone lan from iot firewall name 'iot-lan'
+set firewall zone lan from local firewall name 'local-lan'
+set firewall zone lan from servers firewall name 'servers-lan'
+set firewall zone lan from services firewall name 'services-lan'
+set firewall zone lan from trusted firewall name 'trusted-lan'
+set firewall zone lan from video firewall name 'video-lan'
+set firewall zone lan from wan firewall name 'wan-lan'
+set firewall zone lan interface 'eth1'
+
+set firewall zone local default-action 'drop'
+set firewall zone local description 'Local router zone'
+set firewall zone local from guest firewall name 'guest-local'
+set firewall zone local from iot firewall name 'iot-local'
+set firewall zone local from lan firewall name 'lan-local'
+set firewall zone local from servers firewall name 'servers-local'
+set firewall zone local from services firewall name 'services-local'
+set firewall zone local from trusted firewall name 'trusted-local'
+set firewall zone local from video firewall name 'video-local'
+set firewall zone local from wan firewall name 'wan-local'
+set firewall zone local local-zone
+
+set firewall zone servers default-action 'drop'
+set firewall zone servers from guest firewall name 'guest-servers'
+set firewall zone servers from iot firewall name 'iot-servers'
+set firewall zone servers from lan firewall name 'lan-servers'
+set firewall zone servers from local firewall name 'local-servers'
+set firewall zone servers from services firewall name 'services-servers'
+set firewall zone servers from trusted firewall name 'trusted-servers'
+set firewall zone servers from video firewall name 'video-servers'
+set firewall zone servers from wan firewall name 'wan-servers'
+set firewall zone servers interface 'eth1.10'
+
+set firewall zone services default-action 'drop'
+set firewall zone services description 'VyOS services zone'
+set firewall zone services from guest firewall name 'guest-services'
+set firewall zone services from iot firewall name 'iot-services'
+set firewall zone services from lan firewall name 'lan-services'
+set firewall zone services from local firewall name 'local-services'
+set firewall zone services from servers firewall name 'servers-services'
+set firewall zone services from trusted firewall name 'trusted-services'
+set firewall zone services from video firewall name 'video-services'
+set firewall zone services from wan firewall name 'wan-services'
+set firewall zone services interface 'cni-services'
+
+set firewall zone trusted default-action 'drop'
+set firewall zone trusted from guest firewall name 'guest-trusted'
+set firewall zone trusted from iot firewall name 'iot-trusted'
+set firewall zone trusted from lan firewall name 'lan-trusted'
+set firewall zone trusted from local firewall name 'local-trusted'
+set firewall zone trusted from servers firewall name 'servers-trusted'
+set firewall zone trusted from services firewall name 'services-trusted'
+set firewall zone trusted from video firewall name 'video-trusted'
+set firewall zone trusted from wan firewall name 'wan-trusted'
+set firewall zone trusted interface 'eth1.20'
+set firewall zone trusted interface 'wg01'
+
+set firewall zone video default-action 'drop'
+set firewall zone video from guest firewall name 'guest-video'
+set firewall zone video from iot firewall name 'iot-video'
+set firewall zone video from lan firewall name 'lan-video'
+set firewall zone video from local firewall name 'local-video'
+set firewall zone video from servers firewall name 'servers-video'
+set firewall zone video from services firewall name 'services-video'
+set firewall zone video from trusted firewall name 'trusted-video'
+set firewall zone video from wan firewall name 'wan-video'
+set firewall zone video interface 'eth1.50'
+set firewall zone wan default-action 'drop'
+
+set firewall zone wan from guest firewall name 'guest-wan'
+set firewall zone wan from iot firewall name 'iot-wan'
+set firewall zone wan from lan firewall name 'lan-wan'
+set firewall zone wan from local firewall name 'local-wan'
+set firewall zone wan from servers firewall name 'servers-wan'
+set firewall zone wan from services firewall name 'services-wan'
+set firewall zone wan from trusted firewall name 'trusted-wan'
+set firewall zone wan from video firewall name 'video-wan'
+set firewall zone wan interface 'eth0'
diff --git a/config-parts/firewall.sh b/config-parts/firewall.sh
new file mode 100644
index 0000000..e0c0538
--- /dev/null
+++ b/config-parts/firewall.sh
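Review bot: `set firewall zone trusted interface 'wg01'` places the WireGuard tunnel in the trusted zone with no comment, so every remote peer inherits the full trusted→* policy set, including the trusted-local entries for ssh and the 8443 API that this same commit defines in firewall-name.sh. If remote management over the tunnel is the intent, say so next to the line, e.g. `## wg01 peers are TRUSTED: full trusted-zone reach, incl. ssh/8443 to the router`; if not, a dedicated zone for wg01 would let the tunnel carry a narrower ruleset than the wired trusted VLAN. Separately, the `wan` block's blank separator sits after `set firewall zone wan default-action 'drop'` rather than before it, unlike every other zone, so the `video` block runs straight into the wan default-action line.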
@@ -0,0 +1,146 @@
+#!/bin/vbash
+
+# General configuration
+set firewall state-policy established action 'accept'
+set firewall state-policy invalid action 'drop'
+set firewall state-policy related action 'accept'
+
+# Address Groups
+set firewall group address-group 3d_printer_controllers address '10.1.3.56'
+
+set firewall group address-group android_tv_players address '10.1.3.16'
+
+set firewall group address-group ereaders address '10.1.3.51'
+set firewall group address-group ereaders address '10.1.3.52'
+
+set firewall group address-group esp address '10.1.3.21'
+set firewall group address-group esp address '10.1.3.31'
+set firewall group address-group esp address '10.1.3.32'
+set firewall group address-group esp address '10.1.3.33'
+set firewall group address-group esp address '10.1.3.34'
+set firewall group address-group esp address '10.1.3.35'
+set firewall group address-group esp address '10.1.3.36'
+set firewall group address-group esp address '10.1.3.42'
+set firewall group address-group esp address '10.1.3.45'
+set firewall group address-group esp address '10.1.3.46'
+
+set firewall group address-group ios_devices address '10.1.2.31'
+set firewall group address-group ios_devices address '10.1.2.32'
+set firewall group address-group ios_devices address '10.1.2.33'
+set firewall group address-group ios_devices address '10.1.2.34'
+set firewall group address-group ios_devices address '10.1.2.35'
+set firewall group address-group ios_devices address '10.1.2.36'
+
+set firewall group address-group jellyfin_clients address '10.1.2.21'
+set firewall group address-group jellyfin_clients address '10.1.2.31'
+set firewall group address-group jellyfin_clients address '10.1.2.32'
+set firewall group address-group jellyfin_clients address '10.1.2.33'
+set firewall group address-group jellyfin_clients address '10.1.2.34'
+set firewall group address-group jellyfin_clients address '10.1.2.35'
+set firewall group address-group jellyfin_clients address '10.1.2.36'
+set firewall group address-group jellyfin_clients address '10.1.3.16'
+
+set firewall group address-group k8s_api address '10.5.0.2'
+
+set firewall group address-group k8s_ingress address '10.45.0.1'
+
+set firewall group address-group k8s_ingress_allowed address '10.1.3.35'
+set firewall group address-group k8s_ingress_allowed address '10.1.3.36'
+
+set firewall group address-group k8s_jellyfin address '10.45.0.21'
+
+set firewall group address-group k8s_mqtt address '10.45.0.10'
+
+set firewall group address-group k8s_nodes address '10.1.1.31'
+set firewall group address-group k8s_nodes address '10.1.1.32'
+set firewall group address-group k8s_nodes address '10.1.1.34'
+
+
+set firewall group address-group k8s_plex address '10.45.0.20'
+
+set firewall group address-group k8s_vector_aggregator address '10.45.0.2'
+
+set firewall group address-group mqtt_clients address '10.1.2.21'
+set firewall group address-group mqtt_clients address '10.1.2.32'
+set firewall group address-group mqtt_clients address '10.1.3.18'
+set firewall group address-group mqtt_clients address '10.1.3.22'
+set firewall group address-group mqtt_clients address '10.1.3.56'
+
+set firewall group address-group nas address '10.1.1.11'
+
+set firewall group address-group plex_clients address '10.1.2.21'
+set firewall group address-group plex_clients address '10.1.2.31'
+set firewall group address-group plex_clients address '10.1.2.32'
+set firewall group address-group plex_clients address '10.1.2.33'
+set firewall group address-group plex_clients address '10.1.2.34'
+set firewall group address-group plex_clients address '10.1.2.35'
+set firewall group address-group plex_clients address '10.1.2.36'
+set firewall group address-group plex_clients address '10.1.3.16'
+
+set firewall group address-group printers address '10.1.3.55'
+
+set firewall group address-group printer_allowed address '192.168.2.11'
+
+set firewall group address-group scanners address '10.1.3.55'
+
+set firewall group address-group sonos_controllers address '10.1.2.21'
+set firewall group address-group sonos_controllers address '10.1.2.31'
+set firewall group address-group sonos_controllers address '10.1.2.32'
+set firewall group address-group sonos_controllers address '10.1.2.33'
+set firewall group address-group sonos_controllers address '10.1.2.34'
+set firewall group address-group sonos_controllers address '10.1.2.36'
+
+set firewall group address-group sonos_players address '10.1.3.61'
+set firewall group address-group sonos_players address '10.1.3.62'
+set firewall group address-group sonos_players address '10.1.3.63'
+set firewall group address-group sonos_players address '10.1.3.65'
+set firewall group address-group sonos_players address '10.1.3.66'
+
+set firewall group address-group sonos_players address '10.1.3.71'
+set firewall group address-group sonos_players address '10.1.3.72'
+set firewall group address-group sonos_players address '10.1.3.73'
+set firewall group address-group sonos_players address '10.1.3.74'
+
+set firewall group address-group unifi_devices address '10.1.0.11'
+set firewall group address-group unifi_devices address '10.1.0.12'
+set firewall group address-group unifi_devices address '10.1.0.13'
+set firewall group address-group unifi_devices address '10.1.0.21'
+set firewall group address-group unifi_devices address '10.1.0.22'
+set firewall group address-group unifi_devices address '10.1.0.23'
+set firewall group address-group unifi_devices address '10.1.0.24'
+
+set firewall group address-group vector_journald_allowed address '10.1.3.56'
+set firewall group address-group vector_journald_allowed address '10.1.3.60'
+
+set firewall group address-group vyos_chronyd address '10.5.0.5'
+
+set firewall group address-group vyos_coredns address '10.5.0.3'
+
+set firewall group address-group vyos_dnsdist address '10.5.0.4'
+
+set firewall group address-group vyos_unifi address '10.5.0.10'
+
+set firewall group address-group wall_displays address '10.1.3.53'
+set firewall group address-group wall_displays address '10.1.3.54'
+
+# Network groups
+set firewall group network-group cloudflare-ipv4 network '173.245.48.0/20'
+set firewall group network-group cloudflare-ipv4 network '103.21.244.0/22'
+set firewall group network-group cloudflare-ipv4 network '103.22.200.0/22'
+set firewall group network-group cloudflare-ipv4 network '103.31.4.0/22'
+set firewall group network-group cloudflare-ipv4 network '141.101.64.0/18'
+set firewall group network-group cloudflare-ipv4 network '108.162.192.0/18'
+set firewall group network-group cloudflare-ipv4 network '190.93.240.0/20'
+set firewall group network-group cloudflare-ipv4 network '188.114.96.0/20'
+set firewall group network-group cloudflare-ipv4 network '197.234.240.0/22'
+set firewall group network-group cloudflare-ipv4 network '198.41.128.0/17'
+set firewall group network-group cloudflare-ipv4 network '162.158.0.0/15'
+set firewall group network-group cloudflare-ipv4 network '104.16.0.0/13'
+set firewall group network-group cloudflare-ipv4 network '104.24.0.0/14'
+set firewall group network-group cloudflare-ipv4 network '172.64.0.0/13'
+set firewall group network-group cloudflare-ipv4 network '131.0.72.0/22'
+
+set firewall group network-group k8s_services network '10.45.0.0/16'
+
+# Port groups
+set firewall group port-group wireguard port '51820'
diff --git a/config-parts/interfaces.sh b/config-parts/interfaces.sh
new file mode 100644
index 0000000..c8f2672
--- /dev/null
+++ b/config-parts/interfaces.sh
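Review bot: The `cloudflare-ipv4` network-group is a hand-copied snapshot of a third party's published prefixes with no source or date, yet it is the only thing `wan-servers rule 1` in firewall-name.sh trusts to admit WAN traffic toward the `k8s_ingress` group; when the provider adds or releases a prefix the list goes stale silently, and a released prefix stays accepted until someone notices. A header comment above the block, `# Source: <CLOUDFLARE_IP_LIST_URL> (snapshot <YYYY-MM-DD>); re-sync before relying on it`, would at least make the drift visible, and regenerating the group from the published list at apply time would remove it. The `wireguard` port-group at the bottom is defined but, as far as the visible rules show, never referenced — `wan-local rule 1` uses the literal `'51820'` — so either reference the group there or drop it. There is also a doubled blank line after the `k8s_nodes` entries where every other group uses one.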
@@ -0,0 +1,33 @@
+#!/bin/vbash
+
+set interfaces ethernet eth0 address 'dhcp'
+set interfaces ethernet eth0 description 'WAN'
+set interfaces ethernet eth0 hw-id 'a0:42:3f:2f:a9:68'
+
+set interfaces ethernet eth1 address '10.1.0.1/24'
+set interfaces ethernet eth1 description 'LAN'
+set interfaces ethernet eth1 hw-id 'a0:42:3f:2f:a9:69'
+set interfaces ethernet eth1 vif 10 address '10.1.1.1/24'
+set interfaces ethernet eth1 vif 10 description 'SERVERS'
+set interfaces ethernet eth1 vif 20 address '10.1.2.1/24'
+set interfaces ethernet eth1 vif 20 description 'TRUSTED'
+set interfaces ethernet eth1 vif 30 address '192.168.2.1/24'
+set interfaces ethernet eth1 vif 30 description 'GUEST'
+set interfaces ethernet eth1 vif 40 address '10.1.3.1/24'
+set interfaces ethernet eth1 vif 40 description 'IOT'
+set interfaces ethernet eth1 vif 50 address '10.1.4.1/24'
+set interfaces ethernet eth1 vif 50 description 'VIDEO'
+
+set interfaces wireguard wg01 address '10.0.11.1/24'
+set interfaces wireguard wg01 description 'WIREGUARD'
+set interfaces wireguard wg01 peer ipad-jahanson allowed-ips '10.0.11.4/32'
+set interfaces wireguard wg01 peer ipad-jahanson persistent-keepalive '15'
+set interfaces wireguard wg01 peer ipad-jahanson public-key 'jv1XSCkzxGY0kBfLbF79gwLVOCmyCTUmSFd36QcwiWE='
+set interfaces wireguard wg01 peer iphone-jahanson allowed-ips '10.0.11.2/32'
+set interfaces wireguard wg01 peer iphone-jahanson persistent-keepalive '15'
+set interfaces wireguard wg01 peer iphone-jahanson public-key 'HHBmTzVQH1qt14rVqzxCUATkLRPGu5WisHyY9O4yTkM='
+set interfaces wireguard wg01 peer legion-jahanson allowed-ips '10.0.11.3/32'
+set interfaces wireguard wg01 peer legion-jahanson persistent-keepalive '15'
+set interfaces wireguard wg01 peer legion-jahanson public-key 'OA8fW79KEJej2lbZZY/Bf7EHcRjeiDowqIBwXGRLZ3A='
+set interfaces wireguard wg01 port '51820'
+set interfaces wireguard wg01 private-key "${SECRET_WIREGUARD_PRIVATE_KEY}"
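Review bot: The last line of the hunk expands `${SECRET_WIREGUARD_PRIVATE_KEY}` without checking that it is set, so if the secret is not exported before this part is sourced the `set ... private-key` command receives an empty string and the failure (an empty key, or a commit error far from its cause) is not obvious. Add `: "${SECRET_WIREGUARD_PRIVATE_KEY:?SECRET_WIREGUARD_PRIVATE_KEY must be set}"` ahead of the `set interfaces wireguard wg01` lines so a missing secret aborts this file with a clear message. The three peers are authenticated only by their public keys; where the VyOS version in use supports `peer <name> preshared-key`, that is an inexpensive extra layer for road-warrior peers, again sourced from the sops-managed secrets rather than committed.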
diff --git a/config-parts/nat.sh b/config-parts/nat.sh
new file mode 100644
index 0000000..28046a7
--- /dev/null
+++ b/config-parts/nat.sh
@@ -0,0 +1,96 @@
+#!/bin/vbash
+
+# Forward HTTP(S) to ingress
+set nat destination rule 100 description 'HTTPS'
+set nat destination rule 100 destination port '443'
+set nat destination rule 100 inbound-interface 'eth0'
+set nat destination rule 100 protocol 'tcp'
+set nat destination rule 100 translation address '10.45.0.1'
+set nat destination rule 100 translation port '443'
+
+set nat destination rule 101 description 'HTTP'
+set nat destination rule 101 destination port '80'
+set nat destination rule 101 inbound-interface 'eth0'
+set nat destination rule 101 protocol 'tcp'
+set nat destination rule 101 translation address '10.45.0.1'
+set nat destination rule 101 translation port '80'
+
+# Forward Plex to Sting
+set nat destination rule 110 description 'PLEX'
+set nat destination rule 110 destination port '32400'
+set nat destination rule 110 inbound-interface 'eth0'
+set nat destination rule 110 protocol 'tcp'
+set nat destination rule 110 translation address '10.1.1.12'
+set nat destination rule 110 translation port '32400'
+
+# Force DNS
+set nat destination rule 102 description 'Force DNS for IoT'
+set nat destination rule 102 destination address '!10.5.0.4'
+set nat destination rule 102 destination port '53'
+set nat destination rule 102 inbound-interface 'eth1.40'
+set nat destination rule 102 protocol 'tcp_udp'
+set nat destination rule 102 translation address '10.5.0.4'
+set nat destination rule 102 translation port '53'
+
+set nat destination rule 103 description 'Force DNS for Video'
+set nat destination rule 103 destination address '!10.5.0.4'
+set nat destination rule 103 destination port '53'
+set nat destination rule 103 inbound-interface 'eth1.50'
+set nat destination rule 103 protocol 'tcp_udp'
+set nat destination rule 103 translation address '10.5.0.4'
+set nat destination rule 103 translation port '53'
+
+set nat destination rule 104 description 'Force NTP for LAN'
+set nat destination rule 104 destination address '!10.1.0.1'
+set nat destination rule 104 destination port '123'
+set nat destination rule 104 inbound-interface 'eth1'
+set nat destination rule 104 protocol 'udp'
+set nat destination rule 104 translation address '10.1.0.1'
+set nat destination rule 104 translation port '123'
+
+# Force NTP
+set nat destination rule 105 description 'Force NTP for Servers'
+set nat destination rule 105 destination address '!10.1.1.1'
+set nat destination rule 105 destination port '123'
+set nat destination rule 105 inbound-interface 'eth1.10'
+set nat destination rule 105 protocol 'udp'
+set nat destination rule 105 translation address '10.1.1.1'
+set nat destination rule 105 translation port '123'
+set nat destination rule 106 description 'Force NTP for Trusted'
+
+set nat destination rule 106 destination address '!10.1.2.1'
+set nat destination rule 106 destination port '123'
+set nat destination rule 106 inbound-interface 'eth1.20'
+set nat destination rule 106 protocol 'udp'
+set nat destination rule 106 translation address '10.1.2.1'
+set nat destination rule 106 translation port '123'
+
+set nat destination rule 107 description 'Force NTP for IoT'
+set nat destination rule 107 destination address '!10.1.3.1'
+set nat destination rule 107 destination port '123'
+set nat destination rule 107 inbound-interface 'eth1.40'
+set nat destination rule 107 protocol 'udp'
+set nat destination rule 107 translation address '10.1.3.1'
+set nat destination rule 107 translation port '123'
+
+set nat destination rule 108 description 'Force NTP for Video'
+set nat destination rule 108 destination address '!10.1.4.1'
+set nat destination rule 108 destination port '123'
+set nat destination rule 108 inbound-interface 'eth1.50'
+set nat destination rule 108 protocol 'udp'
+set nat destination rule 108 translation address '10.1.4.1'
+set nat destination rule 108 translation port '123'
+
+set nat destination rule 109 description 'Force NTP for Wireguard Trusted'
+set nat destination rule 109 destination address '!10.0.11.1'
+set nat destination rule 109 destination port '123'
+set nat destination rule 109 inbound-interface 'wg01'
+set nat destination rule 109 protocol 'udp'
+set nat destination rule 109 translation address '10.0.11.1'
+set nat destination rule 109 translation port '123'
+
+# LAN -> WAN masquerade
+set nat source rule 100 description 'LAN -> WAN'
+set nat source rule 100 destination address '0.0.0.0/0'
+set nat source rule 100 outbound-interface 'eth0'
+set nat source rule 100 translation address 'masquerade'
diff --git a/config-parts/protocols.sh b/config-parts/protocols.sh
new file mode 100644
index 0000000..ca5f3a7
--- /dev/null
+++ b/config-parts/protocols.sh
@@ -0,0 +1,14 @@
+#!/bin/vbash
+
+# BGP configuration
+set protocols bgp neighbor 10.1.1.31 address-family ipv4-unicast
+set protocols bgp neighbor 10.1.1.31 description 'gandalf'
+set protocols bgp neighbor 10.1.1.31 remote-as '64512'
+set protocols bgp neighbor 10.1.1.32 address-family ipv4-unicast
+set protocols bgp neighbor 10.1.1.32 description 'glamdring'
+set protocols bgp neighbor 10.1.1.32 remote-as '64512'
+set protocols bgp neighbor 10.1.1.34 address-family ipv4-unicast
+set protocols bgp neighbor 10.1.1.34 description 'lembas'
+set protocols bgp neighbor 10.1.1.34 remote-as '64512'
+set protocols bgp parameters router-id '10.1.0.1'
+set protocols bgp system-as '64512'
diff --git a/config-parts/service-dhcp_server.sh b/config-parts/service-dhcp_server.sh
new file mode 100644
index 0000000..0382978
--- /dev/null
+++ b/config-parts/service-dhcp_server.sh
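Review bot: The `# Force NTP` comment sits after rule 104 (`Force NTP for LAN`), which therefore reads as part of the `# Force DNS` section, and rule 106's `description` line is separated from the rest of rule 106 by the blank line that should precede it. Move `# Force NTP` above rule 104 and move the blank line above `set nat destination rule 106 description 'Force NTP for Trusted'`; rule 110 (PLEX) also appears between 101 and 102, so file order no longer tracks rule numbers. Rules 100, 101 and 110 forward ports from `eth0` to internal hosts with no `source address` restriction on the NAT side; since firewall.sh already defines the `cloudflare-ipv4` network-group, it is worth confirming that the WAN firewall rules limit 443/80 to that group so the ingress is not reachable directly from the whole internet when Cloudflare is the intended front door.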
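Review bot: The three BGP neighbors are accepted with a bare `address-family ipv4-unicast` and no inbound prefix filter, so any of the Kubernetes nodes can advertise arbitrary prefixes (including a default route) into the router's table. Define a prefix-list covering the service range that firewall.sh groups as `k8s_services` (`set policy prefix-list k8s-in rule 10 prefix '10.45.0.0/16'` with `action 'permit'` and `le '32'`) and attach it to each neighbor, e.g. `set protocols bgp neighbor 10.1.1.31 address-family ipv4-unicast prefix-list import 'k8s-in'`. Consider also `maximum-prefix` per neighbor and a session `password` sourced from the sops secrets, as interfaces.sh does for the WireGuard key, since the peers sit on the same 10.1.1.0/24 that service-dhcp_server.sh hands out dynamic leases on.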
@@ -0,0 +1,202 @@
+#!/bin/vbash
+
+set service dhcp-server hostfile-update
+set service dhcp-server host-decl-name
+
+# Guest VLAN
+set service dhcp-server shared-network-name GUEST authoritative
+set service dhcp-server shared-network-name GUEST ping-check
+set service dhcp-server shared-network-name GUEST subnet 192.168.2.0/24 default-router '192.168.2.1'
+set service dhcp-server shared-network-name GUEST subnet 192.168.2.0/24 lease '86400'
+set service dhcp-server shared-network-name GUEST subnet 192.168.2.0/24 name-server '10.5.0.4'
+set service dhcp-server shared-network-name GUEST subnet 192.168.2.0/24 range 0 start '192.168.2.200'
+set service dhcp-server shared-network-name GUEST subnet 192.168.2.0/24 range 0 stop '192.168.2.254'
+
+set service dhcp-server shared-network-name GUEST subnet 192.168.2.0/24 static-mapping manyie-work-laptop ip-address '192.168.2.11'
+set service dhcp-server shared-network-name GUEST subnet 192.168.2.0/24 static-mapping manyie-work-laptop mac-address '14:f6:d8:32:46:41'
+
+# IoT VLAN
+set service dhcp-server shared-network-name IOT authoritative
+set service dhcp-server shared-network-name IOT ping-check
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 default-router '10.1.3.1'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 domain-name 'jahanson.tech'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 lease '86400'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 name-server '10.5.0.4'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 range 0 start '10.1.3.200'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 range 0 stop '10.1.3.254'
+
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping office-sonos-beam ip-address '10.1.3.71'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping office-sonos-beam mac-address '54:2a:1b:8e:e0:3b'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping sonos-2 ip-address '10.1.3.72'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping sonos-2 mac-address '48:a6:b8:fa:62:0e'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping sonos-3 ip-address '10.1.3.73'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping sonos-3 mac-address '48:a6:b8:fa:64:a6'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping sonos-4 ip-address '10.1.3.74'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping sonos-4 mac-address '48:a6:b8:48:a8:e5'
+
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-vacuum ip-address '10.1.3.18'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-vacuum mac-address '50:14:79:08:db:08'
+
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping attic-office-3dprinter-plug ip-address '10.1.3.33'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping attic-office-3dprinter-plug mac-address 'a4:e5:7c:ab:f4:cd'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping attic-office-desk-plug ip-address '10.1.3.31'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping attic-office-desk-plug mac-address 'a4:e5:7c:ab:f5:ad'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping attic-office-hue-bridge ip-address '10.1.3.24'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping attic-office-hue-bridge mac-address '00:17:88:2e:2d:5d'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping attic-office-speaker-esp ip-address '10.1.3.36'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping attic-office-speaker-esp mac-address 'e8:9f:6d:0a:53:24'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping backyard-shed-esp ip-address '10.1.3.42'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping backyard-shed-esp mac-address 'b4:e6:2d:59:de:0c'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping bedroom-eva-sonos ip-address '10.1.3.65'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping bedroom-eva-sonos mac-address 'b8:e9:37:55:d8:6c'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping bernd-ereader ip-address '10.1.3.51'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping bernd-ereader mac-address '58:b0:d4:6e:53:29'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping garage-tablet ip-address '10.1.3.54'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping garage-tablet mac-address '4c:ef:c0:00:50:aa'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping garden-wlanthermo ip-address '10.1.3.21'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping garden-wlanthermo mac-address '8c:aa:b5:c1:ce:c8'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping hallway-tablet ip-address '10.1.3.53'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping hallway-tablet mac-address 'f4:f3:09:c9:40:33'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping hallway-p1reader-esp ip-address '10.1.3.45'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping hallway-p1reader-esp mac-address 'c4:5b:be:49:4c:c8'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping hallway-tado-bridge ip-address '10.1.3.23'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping hallway-tado-bridge mac-address 'ec:e5:12:1b:39:a6'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping hallway-zigbee-adapter ip-address '10.1.3.46'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping hallway-zigbee-adapter mac-address 'cc:db:a7:48:19:b3'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping kitchen-coffeemaker ip-address '10.1.3.13'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping kitchen-coffeemaker mac-address '68:a4:0e:35:43:72'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping kitchen-oven ip-address '10.1.3.12'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping kitchen-oven mac-address '68:a4:0e:34:fc:6f'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping kitchen-sonos ip-address '10.1.3.61'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping kitchen-sonos mac-address '48:a6:b8:d3:6c:f4'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-airpurifier ip-address '10.1.3.19'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-airpurifier mac-address '78:11:dc:bc:eb:de'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-receiver ip-address '10.1.3.17'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-receiver mac-address '00:05:cd:82:29:21'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-shield ip-address '10.1.3.16'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-shield mac-address '48:b0:2d:2d:4b:cc'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-sonos ip-address '10.1.3.63'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-sonos mac-address '48:a6:b8:dc:6c:7e'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-tv ip-address '10.1.3.14'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-tv mac-address '74:40:be:0d:54:9a'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-harmony-hub ip-address '10.1.3.15'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-harmony-hub mac-address '00:04:20:fd:2d:e4'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-nintendo-switch ip-address '10.1.3.20'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-nintendo-switch mac-address '98:41:5c:b2:98:2e'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-receiver-sonos ip-address '10.1.3.66'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-receiver-sonos mac-address 'b8:e9:37:9b:f5:c6'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping manyie-ereader ip-address '10.1.3.52'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping manyie-ereader mac-address '58:b0:d4:67:f5:74'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping spare-p1eu-1 ip-address '10.1.3.34'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping spare-p1eu-1 mac-address 'a4:e5:7c:ab:c8:db'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping study-printer ip-address '10.1.3.55'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping study-printer mac-address '80:2b:f9:d4:3a:be'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping upstairs-vacuum ip-address '10.1.3.22'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping upstairs-vacuum mac-address '7c:49:eb:94:4a:58'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping upstairs-office-sonos ip-address '10.1.3.62'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping upstairs-office-sonos mac-address '94:9f:3e:04:88:2a'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping upstairs-office-desk-plug ip-address '10.1.3.32'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping upstairs-office-desk-plug mac-address 'a4:e5:7c:ab:ca:33'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping upstairs-office-speaker-esp ip-address '10.1.3.35'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping upstairs-office-speaker-esp mac-address '4c:75:25:bf:b4:d0'
+
+# LAN
+set service dhcp-server shared-network-name LAN authoritative
+set service dhcp-server shared-network-name LAN ping-check
+set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 default-router '10.1.0.1'
+set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 lease '86400'
+set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 name-server '10.5.0.4'
+set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 range 0 start '10.1.0.200'
+set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 range 0 stop '10.1.0.254'
+
+set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping usw-pro-24 ip-address '10.1.0.11'
+set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping usw-pro-24 mac-address '24:5a:4c:9b:c0:6e'
+set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping usw-industrial ip-address '10.1.0.12'
+set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping usw-industrial mac-address '68:d7:9a:3c:b0:75'
+set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping usw-flex-mini-joe ip-address '10.1.0.13'
+set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping usw-flex-mini-joe mac-address '74:83:c2:f7:f2:17'
+set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping usw-flex-mini-elisia ip-address '10.1.0.14'
+set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping usw-flex-mini-elisia mac-address '74:83:c2:f7:f2:1d'
+set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping us-16-xg ip-address '10.1.0.15'
+set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping us-16-xg mac-address '74:83:c2:0e:f9:fe'
+set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping us-8-150w ip-address '10.1.0.16'
+set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping us-8-150w mac-address 'b4:fb:e4:8d:a8:da'
+
+set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping uap-nanohd ip-address '10.1.0.21'
+set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping uap-nanohd mac-address '18:e8:29:b4:d9:4f'
+set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping u6-lite ip-address '10.1.0.22'
+set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping u6-lite mac-address '24:5a:4c:13:1d:a8'
+
+# Servers VLAN
+set service dhcp-server shared-network-name SERVERS authoritative
+set service dhcp-server shared-network-name SERVERS ping-check
+set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 default-router '10.1.1.1'
+set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 domain-name 'jahanson.tech'
+set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 lease '86400'
+set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 name-server '10.5.0.4'
+set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 range 0 start '10.1.1.200'
+set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 range 0 stop '10.1.1.254'
+
+# Need to add all of the macs for the servers.
+set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping gandalf ip-address '10.1.1.31'
+set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping gandalf mac-address '80:61:5f:04:88:5a'
+set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping glamdring ip-address '10.1.1.32'
+set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping glamdring mac-address 'd4:5d:64:91:b2:42'
+set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping shadowfax ip-address '10.1.1.33'
+set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping shadowfax mac-address '00:e0:4c:68:02:b1'
+set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping lembas ip-address '10.1.1.34'
+set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping lembas mac-address 'c8:1f:66:10:51:d9'
+set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping elessar ip-address '10.1.1.11'
+set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping elessar mac-address '00:11:32:87:f6:1d'
+set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping sting ip-address '10.1.1.12'
+set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping sting mac-address 'a8:a1:59:4a:d1:b3'
+set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping homeassistant ip-address '10.1.1.13'
+set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping homeassistant mac-address '80:e8:2c:db:68:a2'
+set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping jellydocks ip-address '10.1.1.14'
+set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping jellydocks mac-address 'ea:87:86:9c:73:43'
+
+set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping horus ip-address '10.1.1.51'
+set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping horus mac-address 'b8:27:eb:b2:09:b0'
+set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping frodo ip-address '10.1.1.52'
+set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping frodo mac-address 'dc:a6:32:09:76:4c'
+
+# Trusted VLAN
+set service dhcp-server shared-network-name TRUSTED authoritative
+set service dhcp-server shared-network-name TRUSTED ping-check
+set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 default-router '10.1.2.1'
+set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 domain-name 'jahanson.tech'
+set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 lease '86400'
+set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 name-server '10.5.0.4'
+set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 range 0 start '10.1.2.200'
+set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 range 0 stop '10.1.2.254'
+
+set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping jahanson-ipad ip-address '10.1.2.32'
+set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping jahanson-ipad mac-address '8A:0B:3A:F1:9F:91'
+set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping jahanson-iphone ip-address '10.1.2.31'
+set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping jahanson-iphone mac-address 'c2:d2:9a:62:ef:03'
+set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping legiondary ip-address '10.1.2.21'
+set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping legiondary mac-address 'f8:4d:89:7a:db:8b'
+
+set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping eva-ipad ip-address '10.1.2.35'
+set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping eva-ipad mac-address 'aa:ab:96:ce:f8:03'
+set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping kitchen-ipad ip-address '10.1.2.36'
+set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping kitchen-ipad mac-address '34:e2:fd:ac:7c:fa'
+set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping manyie-ipad ip-address '10.1.2.34'
+set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping manyie-ipad mac-address '94:bf:2d:f0:3f:c3'
+set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping manyie-iphone ip-address '10.1.2.33'
+set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping manyie-iphone mac-address '8c:98:6b:a9:18:cb'
+set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping manyie-macbook ip-address '10.1.2.22'
+set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping manyie-macbook mac-address '8c:85:90:18:42:38'
+
+# Video VLAN
+set service dhcp-server shared-network-name VIDEO authoritative
+set service dhcp-server shared-network-name VIDEO ping-check
+set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 default-router '10.1.4.1'
+set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 domain-name 'jahanson.tech'
+set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 lease '86400'
+set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 name-server '10.5.0.4'
+set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 range 0 start '10.1.4.200'
+set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 range 0 stop '10.1.4.254'
+
+set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 static-mapping driveway-camera ip-address '10.1.4.12'
+set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 static-mapping driveway-camera mac-address 'ec:71:db:62:aa:e9'
diff --git a/config-parts/service.sh b/config-parts/service.sh
new file mode 100644
index 0000000..6b40dff
--- /dev/null
+++ b/config-parts/service.sh
@@ -0,0 +1,14 @@
+#!/bin/vbash
+
+# NTP server
+delete service ntp allow-client
+set service ntp allow-client address '127.0.0.0/8'
+set service ntp allow-client address '10.0.0.0/8'
+set service ntp allow-client address '172.16.0.0/12'
+set service ntp allow-client address '192.168.0.0/16'
+delete service ntp server
+set service ntp server north-america.pool.ntp.org
+
+# SSH server
+set service ssh disable-password-authentication
+set service ssh port '22'
diff --git a/config-parts/system-static_host_mapping.sh b/config-parts/system-static_host_mapping.sh
new file mode 100644
index 0000000..2664f9c
--- /dev/null
+++ b/config-parts/system-static_host_mapping.sh
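Review bot: The `jahanson-ipad` mapping's `mac-address '8A:0B:3A:F1:9F:91'` is the only upper-case MAC in the file; every other entry is lower-case, so normalize it to `'8a:0b:3a:f1:9f:91'` to keep the file greppable and to avoid relying on the backend's case handling. Several TRUSTED and SERVERS MACs (`8a:…`, `c2:…`, `aa:…`, `ea:…`) have the locally-administered bit set, which on phones and tablets may indicate a per-network randomized address; if such a device rotates it, the static mapping silently stops matching and the device drops into the dynamic range, so it is worth confirming these were captured with randomization disabled for this SSID. The `# Need to add all of the macs for the servers.` line is an open task left in the file; either complete it or mark it `# TODO(jahanson): …` so it is findable. GUEST is also the only scope without `domain-name`; confirm that is intentional.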
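Review bot: `set service ssh port '22'` enables SSH with no `listen-address`, so sshd binds to every address on the router, including the WAN `eth0` DHCP address, the GUEST and IOT VLAN gateways and `wg01`; exposure is then governed entirely by the zone firewall, which this hunk cannot show. Adding `set service ssh listen-address '10.1.0.1'` (and `'10.0.11.1'` if remote admin over WireGuard is expected) keeps the daemon off untrusted segments even if a firewall rule is later loosened. Key-only auth via `disable-password-authentication` and the RFC1918-only NTP `allow-client` list are good as written.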
@@ -0,0 +1,35 @@
+# Gateway
+set system static-host-mapping host-name gateway.jahanson.tech inet 10.1.0.1
+set system static-host-mapping host-name gateway.jahanson.tech alias vpn.hsn.dev
+set system static-host-mapping host-name gateway.jahanson.tech alias ipv4.hsn.dev
+
+# Unifi controller
+set system static-host-mapping host-name unifi inet 10.5.0.10
+
+# NAS
+set system static-host-mapping host-name elessar.jahanson.tech inet 10.1.1.11
+set system static-host-mapping host-name elessar.jahanson.tech alias nas.jahanson.tech
+set system static-host-mapping host-name elessar.jahanson.tech alias garage.hsn.dev
+set system static-host-mapping host-name elessar.jahanson.tech alias s3.hsn.dev
+
+# Kubernetes hosts
+set system static-host-mapping host-name gandalf.jahanson.tech inet 10.1.1.31
+set system static-host-mapping host-name glamdring.jahanson.tech inet 10.1.1.32
+# set system static-host-mapping host-name shadowfax.jahanson.tech inet 10.1.1.33
+set system static-host-mapping host-name lembas.jahanson.tech inet 10.1.1.34
+
+# Kubernetes cluster VIP
+set system static-host-mapping host-name cluster-0.jahanson.tech inet 10.5.0.2
+
+# Other hosts
+set system static-host-mapping host-name sting.jahanson.tech inet 10.1.1.12
+set system static-host-mapping host-name frodo.jahanson.tech inet 10.1.1.52
+set system static-host-mapping host-name frodo.jahanson.tech alias pikvm.jahanson.tech
+set system static-host-mapping host-name horus.jahanson.tech inet 10.1.1.51
+
+set system static-host-mapping host-name driveway-camera-doorbell.jahanson.tech inet 10.1.4.12
+set system static-host-mapping host-name hallway-zigbee-adapter.jahanson.tech inet 10.1.3.46
+set system static-host-mapping host-name garage-tablet.jahanson.tech inet 10.1.3.54
+set system static-host-mapping host-name hallway-tablet.jahanson.tech inet 10.1.3.53
+set system static-host-mapping host-name livingroom-vacuum.jahanson.tech inet 10.1.3.18
+set system static-host-mapping host-name upstairs-vacuum.jahanson.tech inet 10.1.3.22
diff --git a/config-parts/system.sh b/config-parts/system.sh
new file mode 100644
index 0000000..be283f1
--- /dev/null
+++ b/config-parts/system.sh
@@ -0,0 +1,24 @@
+#!/bin/vbash
+
+set system domain-name 'jahanson.tech'
+set system host-name 'gateway'
+
+set system ipv6 disable-forwarding
+
+set system login user vyos authentication public-keys personal key 'AAAAC3NzaC1lZDI1NTE5AAAAIBsUe5YF5z8vGcEYtQX7AAiw2rJygGf2l7xxr8nZZa7w'
+set system login user vyos authentication public-keys personal type 'ssh-ed25519'
+
+set system name-server '1.1.1.1'
+
+set system sysctl parameter kernel.pty.max value '24000'
+
+# Sent to vector syslog server
+# set system syslog host 10.45.0.2 facility kern level 'warning'
+# set system syslog host 10.45.0.2 facility kern protocol 'tcp'
+# set system syslog host 10.45.0.2 port '6001'
+
+# Custom backup
+# set system task-scheduler task backup-config crontab-spec '30 0 * * *'
+# set system task-scheduler task backup-config executable path '/config/scripts/custom-config-backup.sh'
+
+set system time-zone 'America/Chicago'
diff --git a/containers/.gitignore b/containers/.gitignore
new file mode 100644
index 0000000..4c4abf1
--- /dev/null
+++ b/containers/.gitignore
@@ -0,0 +1,11 @@
+# Ignore everything
+/*
+
+# Track certain files and directories
+!.gitignore
+
+!/coredns/
+!/dnsdist/
+!/haproxy/
+!/unifi/
+!/vector-agent/
diff --git a/containers/coredns/.gitignore b/containers/coredns/.gitignore
new file mode 100644
index 0000000..4532e68
--- /dev/null
+++ b/containers/coredns/.gitignore
@@ -0,0 +1,14 @@
+# Ignore everything
+/*
+
+# Track certain files and directories
+!.gitignore
+
+!/config/
+/config/*
+!/config/Corefile
+!/config/custom-hosts
+
+!/config-vyos/
+/config-vyos/*
+!/config-vyos/Corefile
diff --git a/containers/coredns/config/Corefile b/containers/coredns/config/Corefile
new file mode 100644
index 0000000..a93169d
--- /dev/null
+++ b/containers/coredns/config/Corefile
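Review bot: This file is the only `config-parts/*.sh` in the series without a `#!/bin/vbash` first line — the hunk starts directly at `# Gateway` — which makes it inconsistent with its siblings and breaks any tooling that picks the interpreter from the shebang. Add `#!/bin/vbash` followed by a blank line at the top. Note also that `driveway-camera-doorbell.jahanson.tech` here and `driveway-camera` in service-dhcp_server.sh name the same host `10.1.4.12` differently; with `hostfile-update` enabled the DHCP-derived name may also land in the hosts file, so aligning the two avoids two names for one device.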
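Review bot: `set system name-server '1.1.1.1'` sends the router's own lookups in cleartext to Cloudflare, while every DHCP scope in service-dhcp_server.sh points clients at `10.5.0.4`, the dnsdist container that upstreams over DoH/DoT. If the plaintext path is deliberate (the resolver containers run on this host, so the router must resolve something before they are up), record that above the line, e.g. `# Router resolves via plain DNS: the dnsdist/coredns containers run on this box and are not available at boot`; otherwise point the router at `10.5.0.4` as well. The commented-out syslog and task-scheduler blocks are fine as placeholders but would be clearer with a one-line note on what currently blocks enabling them.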
@@ -0,0 +1,60 @@
+(common) {
+ errors
+ log error
+ reload
+ loadbalance
+ cache
+ loop
+ local
+
+ prometheus :9153
+
+ health {
+ lameduck 5s
+ }
+}
+
+(k8s_gateway) {
+ forward . 10.45.0.3:53
+}
+
+unifi {
+ import common
+ hosts /host/etc/hosts {
+ ttl 1
+ reload 5s
+ }
+}
+
+# Hack to prevent the gatway returning 127.0.0.1 from /etc/hosts
+gateway.jahanson.tech {
+ import common
+ template IN A gateway.jahanson.tech {
+ answer "{{ .Name }} 60 IN A 10.1.0.1"
+ }
+}
+
+hsn.dev {
+ import common
+ hosts /host/etc/hosts {
+ ttl 1
+ reload 5s
+ fallthrough
+ }
+ import k8s_gateway
+}
+
+jahanson.tech {
+ import common
+ hosts /host/etc/hosts {
+ ttl 1
+ reload 5s
+ }
+}
+
+1.10.in-addr.arpa {
+ hosts /host/etc/hosts {
+ ttl 1
+ reload 5s
+ }
+}
diff --git a/containers/dnsdist/.gitignore b/containers/dnsdist/.gitignore
new file mode 100644
index 0000000..80f91e9
--- /dev/null
+++ b/containers/dnsdist/.gitignore
@@ -0,0 +1,9 @@
+# Ignore everything
+/*
+
+# Track certain files and directories
+!.gitignore
+
+!/config/
+/config/*
+!/config/dnsdist.conf
diff --git a/containers/dnsdist/config/dnsdist.conf b/containers/dnsdist/config/dnsdist.conf
new file mode 100644
index 0000000..d84a6d9
--- /dev/null
+++ b/containers/dnsdist/config/dnsdist.conf
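Review bot: The `1.10.in-addr.arpa` server block is the only one that does not `import common`, so the reverse zone runs without `errors`, `log`, `cache`, `loop` and `health`, and its failures produce no log output; this reads as an omission rather than a choice, and adding `import common` as its first directive brings it in line with the other zones. The comment above `gateway.jahanson.tech` has a typo (`gatway`) and would be more useful if it said what it works around, e.g. `# /host/etc/hosts maps the gateway name to 127.0.0.1; answer with the LAN address instead` if that is the mechanism. The template answer hardcodes `10.1.0.1`, which duplicates the static host mapping in this commit and must be kept in step with it by hand.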
@@ -0,0 +1,91 @@
+-- udp/tcp dns listening
+setLocal("0.0.0.0:53", {})
+
+-- Local CoreDNS
+newServer({
+ address = "10.5.0.3",
+ pool = "coredns"
+})
+
+-- ControlD - Servers
+newServer({
+ address = "76.76.2.22:443",
+ tls = "openssl",
+ subjectName = "dns.controld.com",
+ dohPath = "/14pk0z49y0u",
+ validateCertificates = true,
+ checkInterval = 10,
+ checkTimeout = 2000,
+ pool = "controld_servers"
+})
+
+-- ControlD - Trusted
+newServer({
+ address = "76.76.2.22:443",
+ tls = "openssl",
+ subjectName = "dns.controld.com",
+ dohPath = "/7l9xgidtyr",
+ validateCertificates = true,
+ checkInterval = 10,
+ checkTimeout = 2000,
+ pool = "controld_trusted"
+})
+
+-- ControlD - IoT
+newServer({
+ address = "76.76.2.22:443",
+ tls = "openssl",
+ subjectName = "dns.controld.com",
+ dohPath = "/227g88d4fp5",
+ validateCertificates = true,
+ checkInterval = 10,
+ checkTimeout = 2000,
+ pool = "controld_iot"
+})
+
+-- CloudFlare DNS over TLS
+newServer({
+ address = "1.1.1.1:853",
+ tls = "openssl",
+ subjectName = "cloudflare-dns.com",
+ validateCertificates = true,
+ checkInterval = 10,
+ checkTimeout = 2000,
+ pool = "cloudflare"
+})
+newServer({
+ address = "1.0.0.1:853",
+ tls = "openssl",
+ subjectName = "cloudflare-dns.com",
+ validateCertificates = true,
+ checkInterval = 10,
+ checkTimeout = 2000,
+ pool = "cloudflare"
+})
+
+-- Enable caching
+pc = newPacketCache(10000, {
+ maxTTL = 86400,
+ minTTL = 0,
+ temporaryFailureTTL = 60,
+ staleTTL = 60,
+ dontAge = false
+})
+getPool(""):setCache(pc)
+
+-- Request logging, uncomment to log DNS requests/responses to stdout
+-- addAction(AllRule(), LogAction("", false, false, true, false, false))
+-- addResponseAction(AllRule(), LogResponseAction("", false, true, false, false))
+
+-- Routing rules
+addAction('unifi', PoolAction('coredns'))
+addAction('hsn.dev', PoolAction('coredns'))
+addAction('jahanson.tech', PoolAction('coredns'))
+addAction('1.10.in-addr.arpa', PoolAction('coredns'))
+
+addAction("10.1.0.0/24", 
PoolAction("controld_servers")) -- lan
+addAction("10.1.1.0/24", PoolAction("controld_servers")) -- servers vlan
+addAction("10.1.2.0/24", PoolAction("controld_trusted")) -- trusted vlan
+addAction("10.1.3.0/24", PoolAction("controld_iot")) -- iot vlan
+addAction("10.0.11.0/24", PoolAction("controld_trusted")) -- wg_trusted vlan
+addAction("192.168.2.0/24", PoolAction("cloudflare")) -- guest vlan
diff --git a/containers/haproxy/.gitignore b/containers/haproxy/.gitignore
new file mode 100644
index 0000000..8842544
--- /dev/null
+++ b/containers/haproxy/.gitignore
@@ -0,0 +1,9 @@
+# Ignore everything
+/*
+
+# Track certain files and directories
+!.gitignore
+
+!/config/
+/config/*
+!/config/haproxy.cfg
diff --git a/containers/haproxy/config/haproxy.cfg b/containers/haproxy/config/haproxy.cfg
new file mode 100644
index 0000000..2c65e40
--- /dev/null
+++ b/containers/haproxy/config/haproxy.cfg
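Review bot: `getPool(""):setCache(pc)` under `-- Enable caching` attaches the packet cache only to the default pool, which none of the `newServer` calls join because each sets an explicit `pool`; dnsdist caches are per pool, so as written nothing is cached and every query reaches an upstream, and the named pools need the cache too, e.g. `for _, p in ipairs({"coredns", "controld_servers", "controld_trusted", "controld_iot", "cloudflare"}) do getPool(p):setCache(pc) end`. For the same reason a query whose source matches none of the subnet rules (10.1.4.0/24 and 10.5.0.0/24 both hold hosts in this commit's static host mappings but have no rule here) lands in the empty default pool and is dropped, or answered ServFail depending on `setServFailWhenNoServer`; if deny-by-default is intended, a comment after the last `addAction` should say so, otherwise those ranges need a rule. The three `dohPath` values look like ControlD per-profile resolver IDs; if ControlD treats the ID as the only authorization for a profile, they behave like credentials and are worth keeping out of plaintext config.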
@@ -0,0 +1,66 @@
+#---------------------------------------------------------------------
+# Global settings
+#---------------------------------------------------------------------
+global
+ log /dev/log local0
+ log /dev/log local1 notice
+ daemon
+
+#---------------------------------------------------------------------
+# common defaults that all the 'listen' and 'backend' sections will
+# use if not designated in their block
+#---------------------------------------------------------------------
+defaults
+ mode http
+ log global
+ option httplog
+ option dontlognull
+ option http-server-close
+ option forwardfor except 127.0.0.0/8
+ option redispatch
+ retries 1
+ timeout http-request 10s
+ timeout queue 20s
+ timeout connect 5s
+ timeout client 20s
+ timeout server 20s
+ timeout http-keep-alive 10s
+ timeout check 10s
+
+#---------------------------------------------------------------------
+# apiserver frontend which proxys to the control plane nodes
+#---------------------------------------------------------------------
+frontend k8s_apiserver
+ bind *:6443
+ mode tcp
+ option tcplog
+ default_backend k8s_controlplane
+
+frontend talos_apiserver
+ bind *:50000
+ mode tcp
+ option tcplog
+ default_backend talos_controlplane
+
+#---------------------------------------------------------------------
+# round robin balancing for apiserver
+#---------------------------------------------------------------------
+backend k8s_controlplane
+ option httpchk GET /healthz
+ http-check expect status 200
+ mode tcp
+ option ssl-hello-chk
+ balance roundrobin
+ server worker1 gandalf.jahanson.tech:6443 check
+ server worker2 glamdring.jahanson.tech:6443 check
+ server worker3 lembas.jahanson.tech:6443 check
+
+backend talos_controlplane
+ option httpchk GET /healthz
+ http-check expect status 200
+ mode tcp
+ option ssl-hello-chk
+ balance roundrobin
+ server worker1 gandalf.jahanson.tech:50000 check
+ server worker2 glamdring.jahanson.tech:50000 check
+ server worker3 
lembas.jahanson.tech:50000 check
diff --git a/containers/unifi/.gitignore b/containers/unifi/.gitignore
new file mode 100644
index 0000000..05121a5
--- /dev/null
+++ b/containers/unifi/.gitignore
@@ -0,0 +1,6 @@
+# Ignore everything
+/*
+
+# Track certain files and directories
+!.gitignore
+!.gitkeep
diff --git a/containers/unifi/.gitkeep b/containers/unifi/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/scripts/.gitignore b/scripts/.gitignore
new file mode 100644
index 0000000..95f87f2
--- /dev/null
+++ b/scripts/.gitignore
@@ -0,0 +1,13 @@
+# Ignore everything
+/*
+
+# Track certain files and directories
+!.gitignore
+!*.sh
+!*.script
+
+!/commit
+/commit/*
+!/commit/pre-hooks.d
+/commit/pre-hooks.d/*
+!/commit/pre-hooks.d/**.sh
diff --git a/scripts/custom-config-backup.sh b/scripts/custom-config-backup.sh
new file mode 100644
index 0000000..6c41738
--- /dev/null
+++ b/scripts/custom-config-backup.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# Description: Backup config directory and configuration commands to a USB device
+#
+
+dest=/media/usb-backup
+
+# Only backup if $dest is a mount
+if mountpoint -q $dest; then
+ # Backup # VyOS /config
+ backup_dest="$dest/vyos"
+ if [ ! -d "$backup_dest" ]; then
+ mkdir "$backup_dest"
+ fi
+ tar --exclude="overlay*" --exclude="unifi*" -zvcf "$backup_dest/config.$(date +%Y%m%d%H%M%S).tar.gz" /config
+
+ # Unifi backups
+ backup_dest="$dest/unifi"
+ if [ ! -d "$backup_dest" ]; then
+ mkdir "$backup_dest"
+ fi
+ tar -zvcf "$backup_dest/unifi-backup.$(date +%Y%m%d%H%M%S).tar.gz" /config/containers/unifi/data/backup
+
+ # Delete backups older than 1 month
+ find $dest -type f -mtime +30 -delete
+fi
diff --git a/scripts/vyos-postconfig-bootup.script b/scripts/vyos-postconfig-bootup.script
new file mode 100644
index 0000000..27414ab
--- /dev/null
+++ b/scripts/vyos-postconfig-bootup.script
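Review bot: In both backends `option ssl-hello-chk` is declared after `option httpchk GET /healthz`, and HAProxy keeps only the last health-check option in a section, so the `httpchk` and `http-check expect status 200` lines are dead and the servers are probed with an SSL hello only. For `k8s_controlplane` the intent is presumably a real `/healthz` probe, which needs `ssl-hello-chk` removed and `check-ssl verify none` appended to each `server` line since 6443 serves TLS; for `talos_controlplane`, if 50000 is the mutually authenticated Talos gRPC port, the two HTTP check lines should simply be dropped so the config says what it does. The `server worker1`..`worker3` names point at control-plane nodes and read as a copy-paste leftover; naming them after the host (`server gandalf …`) makes the stats page and logs meaningful. `proxys` in the frontend comment should be `proxies`.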
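Review bot: `find $dest -type f -mtime +30 -delete` prunes every file older than 30 days on the whole USB mount, not just the archives this script writes, so anything else kept on that device is silently destroyed; restricting it to the two backup directories and the archive pattern, `find "$dest/vyos" "$dest/unifi" -type f -name '*.tar.gz' -mtime +30 -delete`, removes that risk. The script has no `set -e` and never checks tar's status, so a failed tar run is still followed by the prune and can leave the device with no usable backup; gating the prune on both tars succeeding (e.g. `tar … || exit 1`) keeps at least the older archives. `$dest` should be quoted in the `mountpoint` and `find` calls, and `mkdir -p "$backup_dest"` replaces each `if [ ! -d … ]` block. The /config tarball lands on removable media unencrypted together with whatever secrets the running configuration holds; a comment under `# Description:` stating that this is accepted, or encrypting the archive, would make that decision explicit.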
@@ -0,0 +1,24 @@
+#!/bin/sh
+# This script is executed at boot time after VyOS configuration is fully
+# applied. Any modifications required to work around unfixed bugs or use
+# services not available through the VyOS CLI system can be placed here.
+
+# Add dotfiles for home directory
+tee /home/vyos/.gitconfig <