diff --git a/inventories/chaosknoten/host_vars/cloud.yaml b/inventories/chaosknoten/host_vars/cloud.yaml
index b6cf771..fc4e23c 100644
--- a/inventories/chaosknoten/host_vars/cloud.yaml
+++ b/inventories/chaosknoten/host_vars/cloud.yaml
@@ -7,5 +7,5 @@ nextcloud__data_dir: /data/nextcloud
 nextcloud__extra_configuration: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/cloud/nextcloud/extra_configuration.config.php.j2') }}"
 nextcloud__use_custom_new_user_skeleton: true
 nextcloud__custom_new_user_skeleton_directory: "resources/chaosknoten/cloud/nextcloud/new_user_skeleton_directory/"
-nextcloud__proxy_protocol_reverse_proxy_ip: "2a00:14b0:4200:3000:125::1"
+nextcloud__proxy_protocol_reverse_proxy_ip: 172.31.17.140
 nextcloud__certbot_acme_account_email_address: le-admin@hamburg.ccc.de
diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml
index 93c61be..e592d23 100644
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
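Review bot: `nextcloud__proxy_protocol_reverse_proxy_ip: 172.31.17.140` drops the quotes the removed line carried, so the value is now styled differently from the other string values in this block. A dotted quad is read as a plain string by YAML, so nothing breaks today, but quoting keeps the value a string if it is ever switched back to an IPv6 literal or templated, and matches the line it replaces: `nextcloud__proxy_protocol_reverse_proxy_ip: "172.31.17.140"`. If this variable feeds a `set_real_ip_from` in the nextcloud nginx template (the same literal appears in the other `set_real_ip_from` hunks of this commit), it is the only source whose PROXY-protocol header is honoured, so it has to be the address the public reverse proxy actually connects from.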
@@ -1,31 +1,31 @@
 all:
 hosts:
 ccchoir:
- ansible_host: ccchoir.hosts.hamburg.ccc.de
+ ansible_host: ccchoir-intern.hamburg.ccc.de
 ansible_user: chaos
- ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+ ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
 chaosknoten:
 ansible_host: chaosknoten.hamburg.ccc.de
 cloud:
- ansible_host: cloud.hosts.hamburg.ccc.de
+ ansible_host: cloud-intern.hamburg.ccc.de
 ansible_user: chaos
- ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+ ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
 eh22-wiki:
- ansible_host: eh22-wiki.hosts.hamburg.ccc.de
+ ansible_host: eh22-wiki-intern.hamburg.ccc.de
 ansible_user: chaos
- ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+ ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
 grafana:
- ansible_host: grafana.hosts.hamburg.ccc.de
+ ansible_host: grafana-intern.hamburg.ccc.de
 ansible_user: chaos
- ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+ ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
 tickets:
- ansible_host: tickets.hosts.hamburg.ccc.de
+ ansible_host: tickets-intern.hamburg.ccc.de
 ansible_user: chaos
- ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+ ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
 keycloak:
- ansible_host: keycloak.hosts.hamburg.ccc.de
+ ansible_host: keycloak-intern.hamburg.ccc.de
 ansible_user: chaos
- ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+ ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
 lists:
 ansible_host: lists.hamburg.ccc.de
 ansible_user: chaos
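Review bot: Every internal host's SSH jump moves from `router.hamburg.ccc.de` to `public-reverse-proxy.hamburg.ccc.de`, the machine that fronts the internet-facing TLS and ACME traffic in the nginx.conf and acme_challenge.conf hunks of this commit, so a compromise of that edge box now also yields SSH reachability into every `*-intern` host. If that is the intended design, a one-line comment in the inventory saying why the edge proxy doubles as the bastion would make it reviewable; otherwise a dedicated jump host keeps the two roles apart. Style: `ansible_user: chaos` and the identical `ansible_ssh_common_args` line are repeated for each host here and in the two following hunks of this file; setting them once as group vars for the intern hosts turns the next bastion change into a one-line edit.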
@@ -33,21 +33,21 @@ all:
 ansible_host: mumble.hamburg.ccc.de
 ansible_user: chaos
 netbox:
- ansible_host: netbox.hosts.hamburg.ccc.de
+ ansible_host: netbox-intern.hamburg.ccc.de
 ansible_user: chaos
- ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+ ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
 onlyoffice:
- ansible_host: onlyoffice.hosts.hamburg.ccc.de
+ ansible_host: onlyoffice-intern.hamburg.ccc.de
 ansible_user: chaos
- ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+ ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
 pad:
- ansible_host: pad.hosts.hamburg.ccc.de
+ ansible_host: pad-intern.hamburg.ccc.de
 ansible_user: chaos
- ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+ ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
 pretalx:
- ansible_host: pretalx.hosts.hamburg.ccc.de
+ ansible_host: pretalx-intern.hamburg.ccc.de
 ansible_user: chaos
- ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+ ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
 public-reverse-proxy:
 ansible_host: public-reverse-proxy.hamburg.ccc.de
 ansible_user: chaos
@@ -55,25 +55,25 @@ all:
 ansible_host: router.hamburg.ccc.de
 ansible_user: chaos
 wiki:
- ansible_host: wiki.hosts.hamburg.ccc.de
+ ansible_host: wiki-intern.hamburg.ccc.de
 ansible_user: chaos
- ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+ ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
 zammad:
- ansible_host: zammad.hosts.hamburg.ccc.de
+ ansible_host: zammad-intern.hamburg.ccc.de
 ansible_user: chaos
- ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+ ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
 ntfy:
- ansible_host: ntfy.hosts.hamburg.ccc.de
+ ansible_host: ntfy-intern.hamburg.ccc.de
 ansible_user: chaos
- ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+ ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
 sunders:
- ansible_host: sunders.hosts.hamburg.ccc.de
+ ansible_host: sunders-intern.hamburg.ccc.de
 ansible_user: chaos
- ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+ ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
 renovate:
- ansible_host: renovate.hosts.hamburg.ccc.de
+ ansible_host: renovate-intern.hamburg.ccc.de
 ansible_user: chaos
- ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+ ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
 hypervisors:
 hosts:
 chaosknoten:
diff --git a/resources/chaosknoten/ccchoir/nginx/ccchoir.de.conf b/resources/chaosknoten/ccchoir/nginx/ccchoir.de.conf
index a8d71a9..ff37e48 100644
--- a/resources/chaosknoten/ccchoir/nginx/ccchoir.de.conf
+++ b/resources/chaosknoten/ccchoir/nginx/ccchoir.de.conf
@@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
 # Listen on a custom port for the proxy protocol.
- listen [::]:8443 ssl http2 proxy_protocol;
+ listen 8443 ssl http2 proxy_protocol;
 # Make use of the ngx_http_realip_module to set the $remote_addr and
 # $remote_port to the client address and client port, when using proxy
 # protocol.
 # First set our proxy protocol proxy as trusted.
- set_real_ip_from 2a00:14b0:4200:3000:125::1;
+ set_real_ip_from 172.31.17.140;
 # Then tell the realip_module to get the addreses from the proxy protocol
 # header.
 real_ip_header proxy_protocol;
@@ -43,12 +43,12 @@ server { server { # Listen on a custom port for the proxy protocol. - listen [::]:8443 ssl http2 proxy_protocol; + listen 8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 2a00:14b0:4200:3000:125::1; + set_real_ip_from 172.31.17.140; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol;
diff --git a/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf b/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf
index 8c801fe..d3ed959 100644
--- a/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf
+++ b/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf
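Review bot: `listen 8443 ssl http2 proxy_protocol;` keeps `http2` as a listen parameter, which nginx deprecated in 1.25.1 in favour of the `http2 on;` directive that the grafana and ntfy hunks in this commit already use; since the line is being rewritten anyway, `listen 8443 ssl proxy_protocol;` followed by `http2 on;` would make all these vhosts consistent. The same rewritten line recurs in the netbox, cfp, pretalx, sunders, tickets, zammad and keycloak-admin (port 8444) hunks and in the second hunk of this file. Note also that `listen 8443` binds every IPv4 address of the host, whereas the loki hunk binds a specific address (`172.31.17.145`); the `set_real_ip_from 172.31.17.140;` line still limits whose PROXY header is trusted, so this is a consistency point rather than a spoofing risk.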
@@ -3,12 +3,11 @@ server { # Listen on a custom port for the proxy protocol. listen 8443 ssl http2 proxy_protocol; - listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 2a00:14b0:4200:3000:125::1; + set_real_ip_from 172.31.17.140; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol;
diff --git a/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf b/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf
index a6dcdc1..c5b68e1 100644
--- a/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf
@@ -2,7 +2,7 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
 # Listen on a custom port for the proxy protocol.
- listen [::]:8443 ssl proxy_protocol;
+ listen 8443 ssl proxy_protocol;
 http2 on;
 # Make use of the ngx_http_realip_module to set the $remote_addr and
 # $remote_port to the client address and client port, when using proxy
diff --git a/resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf b/resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf
index 8a509be..e2bf4a7 100644
--- a/resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf
@@ -17,6 +17,7 @@ server { server_name loki.hamburg.ccc.de; listen [::]:50051 ssl; + listen 172.31.17.145:50051 ssl; http2 on;
@@ -58,6 +59,7 @@ server { server_name loki.hamburg.ccc.de; listen [::]:443 ssl; + listen 172.31.17.145:443 ssl; http2 on;
diff --git a/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf b/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf
index ef2fe07..2c52523 100644
--- a/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf
@@ -18,6 +18,7 @@ server { server_name metrics.hamburg.ccc.de; listen [::]:443 ssl; + listen 172.31.17.145:443 ssl; http2 on; client_body_buffer_size 512k;
diff --git a/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf b/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf
index 939e1da..303b052 100644
--- a/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf
@@ -4,12 +4,11 @@ server { # Listen on a custom port for the proxy protocol. listen 8443 ssl http2 proxy_protocol; - listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 2a00:14b0:4200:3000:125::1; + set_real_ip_from 172.31.17.140; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol;
diff --git a/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf b/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf
index de1e9d6..4a9cfe6 100644
--- a/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf
@@ -4,12 +4,11 @@ server { # Listen on a custom port for the proxy protocol. listen 8443 ssl http2 proxy_protocol; - listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 2a00:14b0:4200:3000:125::1; + set_real_ip_from 172.31.17.140; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol;
diff --git a/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf b/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf
index cd56b98..2b0d919 100644
--- a/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf
@@ -7,13 +7,12 @@ server { ##listen [::]:443 ssl http2; # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; - listen [::]:8443 ssl http2 proxy_protocol; + listen 8444 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 2a00:14b0:4200:3000:125::1; + set_real_ip_from 172.31.17.140; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol;
diff --git a/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf b/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf
index 533c9d2..5550686 100644
--- a/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf
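Review bot: `listen 8444 ssl http2 proxy_protocol;` in the keycloak-admin hunk puts the admin console on a port of its own, matched by `keycloak-admin.hamburg.ccc.de 172.31.17.144:8444` in the nginx.conf stream map, but nothing in the file says why this block differs from id and invite, and the removed `listen 8443` line leaves no trace of the reasoning. Presumably the separate port stops a connection SNI-routed to id or invite on 8443 from selecting this server block via the Host header; if so, record it above the listen line, e.g. `# Own port (not 8443) so connections routed to id/invite can never match this admin vhost.` The new port also has to be reachable from the proxy only, which is decided by the keycloak host's firewall outside this diff — confirm. The server block starts above the hunk.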
@@ -2,7 +2,7 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
 # Listen on a custom port for the proxy protocol.
- listen [::]:8443 ssl http2 proxy_protocol;
+ listen 8443 ssl http2 proxy_protocol;
 # Make use of the ngx_http_realip_module to set the $remote_addr and
 # $remote_port to the client address and client port, when using proxy
 # protocol.
diff --git a/resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf b/resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf
index ebae48d..e7d404d 100644
--- a/resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf
@@ -2,13 +2,13 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
 # Listen on a custom port for the proxy protocol.
- listen [::]:8443 ssl proxy_protocol;
+ listen 8443 ssl proxy_protocol;
 http2 on;
 # Make use of the ngx_http_realip_module to set the $remote_addr and
 # $remote_port to the client address and client port, when using proxy
 # protocol.
 # First set our proxy protocol proxy as trusted.
- set_real_ip_from 2a00:14b0:4200:3000:125::1;
+ set_real_ip_from 172.31.17.140;
 # Then tell the realip_module to get the addreses from the proxy protocol
 # header.
 real_ip_header proxy_protocol;
diff --git a/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf b/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf
index 8a9a486..2471525 100644
--- a/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf
@@ -3,13 +3,11 @@ server { # Listen on a custom port for the proxy protocol. listen 8443 ssl http2 proxy_protocol; - listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 2a00:14b0:4200:3000:125::1; - + set_real_ip_from 172.31.17.140; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol;
diff --git a/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf b/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf
index 6c453d1..53d0a0d 100644
--- a/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf
@@ -3,12 +3,11 @@ server { # Listen on a custom port for the proxy protocol. listen 8443 ssl http2 proxy_protocol; - listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 2a00:14b0:4200:3000:125::1; + set_real_ip_from 172.31.17.140; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol;
diff --git a/resources/chaosknoten/pretalx/nginx/cfp.eh22.easterhegg.eu.conf b/resources/chaosknoten/pretalx/nginx/cfp.eh22.easterhegg.eu.conf
index a4f5bb9..0fa99e7 100644
--- a/resources/chaosknoten/pretalx/nginx/cfp.eh22.easterhegg.eu.conf
+++ b/resources/chaosknoten/pretalx/nginx/cfp.eh22.easterhegg.eu.conf
@@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
 # Listen on a custom port for the proxy protocol.
- listen [::]:8443 ssl http2 proxy_protocol;
+ listen 8443 ssl http2 proxy_protocol;
 # Make use of the ngx_http_realip_module to set the $remote_addr and
 # $remote_port to the client address and client port, when using proxy
 # protocol.
 # First set our proxy protocol proxy as trusted.
- set_real_ip_from 2a00:14b0:4200:3000:125::1;
+ set_real_ip_from 172.31.17.140;
 # Then tell the realip_module to get the addreses from the proxy protocol
 # header.
 real_ip_header proxy_protocol;
diff --git a/resources/chaosknoten/pretalx/nginx/pretalx.hamburg.ccc.de.conf b/resources/chaosknoten/pretalx/nginx/pretalx.hamburg.ccc.de.conf
index d66e977..f12067a 100644
--- a/resources/chaosknoten/pretalx/nginx/pretalx.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/pretalx/nginx/pretalx.hamburg.ccc.de.conf
@@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
 # Listen on a custom port for the proxy protocol.
- listen [::]:8443 ssl http2 proxy_protocol;
+ listen 8443 ssl http2 proxy_protocol;
 # Make use of the ngx_http_realip_module to set the $remote_addr and
 # $remote_port to the client address and client port, when using proxy
 # protocol.
 # First set our proxy protocol proxy as trusted.
- set_real_ip_from 2a00:14b0:4200:3000:125::1;
+ set_real_ip_from 172.31.17.140;
 # Then tell the realip_module to get the addreses from the proxy protocol
 # header.
 real_ip_header proxy_protocol;
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
index 82e596a..165e166 100644
--- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
@@ -4,33 +4,33 @@ map $host $upstream_acme_challenge_host {
 c3cat.de 172.31.17.151:31820;
 www.c3cat.de 172.31.17.151:31820;
 staging.c3cat.de 172.31.17.151:31820;
- ccchoir.de ccchoir.hosts.hamburg.ccc.de:31820;
- www.ccchoir.de ccchoir.hosts.hamburg.ccc.de:31820;
- cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:31820;
+ ccchoir.de ccchoir-intern.hamburg.ccc.de:31820;
+ www.ccchoir.de ccchoir-intern.hamburg.ccc.de:31820;
+ cloud.hamburg.ccc.de 172.31.17.143:31820;
 element.hamburg.ccc.de 172.31.17.151:31820;
 git.hamburg.ccc.de 172.31.17.154:31820;
- grafana.hamburg.ccc.de grafana.hosts.hamburg.ccc.de:31820;
+ grafana.hamburg.ccc.de 172.31.17.145:31820;
 hackertours.hamburg.ccc.de 172.31.17.151:31820;
 staging.hackertours.hamburg.ccc.de 172.31.17.151:31820;
 hamburg.ccc.de 172.31.17.151:31820;
- id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820;
- invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820;
- keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820;
+ id.hamburg.ccc.de 172.31.17.144:31820;
+ invite.hamburg.ccc.de 172.31.17.144:31820;
+ keycloak-admin.hamburg.ccc.de 172.31.17.144:31820;
 matrix.hamburg.ccc.de 172.31.17.150:31820;
 mas.hamburg.ccc.de 172.31.17.150:31820;
 element-admin.hamburg.ccc.de 172.31.17.151:31820;
- netbox.hamburg.ccc.de netbox.hosts.hamburg.ccc.de:31820;
- onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:31820;
- pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:31820;
- pretalx.hamburg.ccc.de pretalx.hosts.hamburg.ccc.de:31820;
+ netbox.hamburg.ccc.de 172.31.17.167:31820;
+ onlyoffice.hamburg.ccc.de 172.31.17.147:31820;
+ pad.hamburg.ccc.de 172.31.17.141:31820;
+ pretalx.hamburg.ccc.de 172.31.17.157:31820;
 spaceapi.hamburg.ccc.de 172.31.17.151:31820;
 staging.hamburg.ccc.de 172.31.17.151:31820;
- wiki.ccchh.net wiki.hosts.hamburg.ccc.de:31820;
- wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:31820;
+ wiki.ccchh.net 172.31.17.146:31820;
+ wiki.hamburg.ccc.de 172.31.17.146:31820;
 www.hamburg.ccc.de 172.31.17.151:31820;
- tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:31820;
- sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:31820;
- zammad.hamburg.ccc.de zammad.hosts.hamburg.ccc.de:31820;
+ tickets.hamburg.ccc.de 172.31.17.148:31820;
+ sunders.hamburg.ccc.de 172.31.17.170:31820;
+ zammad.hamburg.ccc.de 172.31.17.152:31820;
 eh03.easterhegg.eu 172.31.17.151:31820;
 eh05.easterhegg.eu 172.31.17.151:31820;
 eh07.easterhegg.eu 172.31.17.151:31820;
@@ -38,7 +38,7 @@ map $host $upstream_acme_challenge_host {
 eh11.easterhegg.eu 172.31.17.151:31820;
 eh20.easterhegg.eu 172.31.17.151:31820;
 www.eh20.easterhegg.eu 172.31.17.151:31820;
- eh22.easterhegg.eu eh22-wiki.hosts.hamburg.ccc.de:31820;
+ eh22.easterhegg.eu 172.31.17.165:31820;
 easterheggxxxx.hamburg.ccc.de 172.31.17.151:31820;
 eh2003.hamburg.ccc.de 172.31.17.151:31820;
 www.eh2003.hamburg.ccc.de 172.31.17.151:31820;
@@ -73,7 +73,7 @@ map $host $upstream_acme_challenge_host {
 design.hamburg.ccc.de 172.31.17.162:31820;
 hydra.hamburg.ccc.de 172.31.17.163:31820;
 cfp.eh22.easterhegg.eu 172.31.17.157:31820;
- ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:31820;
+ ntfy.hamburg.ccc.de 172.31.17.149:31820;
 cryptoparty-hamburg.de 172.31.17.151:31820;
 cryptoparty.hamburg.ccc.de 172.31.17.151:31820;
 staging.cryptoparty-hamburg.de 172.31.17.151:31820;
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
index 489dda5..4a449f5 100644
--- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
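Review bot: The new upstream values mix IP literals and DNS names (`ccchoir-intern.hamburg.ccc.de:31820` beside `172.31.17.143:31820`), and the two proxy maps now disagree for the same hosts: `cloud.hamburg.ccc.de` goes to `172.31.17.143` here but to `cloud-intern.hamburg.ccc.de:8443` in the nginx.conf stream map, and pad and pretalx likewise. If such a name ever resolves to another address, ACME challenges and TLS traffic for that service silently end up on different machines, and a name entry also makes the destination of internal traffic depend on the DNS path (the `resolver 212.12.50.158 192.76.134.90;` context line in the stream block suggests names there are looked up at runtime), which the literal entries do not. Pick one form for both maps — the literals remove the DNS dependency — or generate both from the inventory so there is a single source of truth. The same mixture appears in the nginx.conf stream-map hunks further down.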
@@ -18,21 +18,21 @@ stream { resolver 212.12.50.158 192.76.134.90; map $ssl_preread_server_name $address { - ccchoir.de ccchoir.hosts.hamburg.ccc.de:8443; - www.ccchoir.de ccchoir.hosts.hamburg.ccc.de:8443; - cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:8443; - pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:8443; - pretalx.hamburg.ccc.de pretalx.hosts.hamburg.ccc.de:8443; - id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443; - invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443; - keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443; - grafana.hamburg.ccc.de grafana.hosts.hamburg.ccc.de:8443; - wiki.ccchh.net wiki.hosts.hamburg.ccc.de:8443; - wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:8443; - onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:8443; + ccchoir.de ccchoir-intern.hamburg.ccc.de:8443; + www.ccchoir.de ccchoir-intern.hamburg.ccc.de:8443; + cloud.hamburg.ccc.de cloud-intern.hamburg.ccc.de:8443; + pad.hamburg.ccc.de pad-intern.hamburg.ccc.de:8443; + pretalx.hamburg.ccc.de pretalx-intern.hamburg.ccc.de:8443; + id.hamburg.ccc.de 172.31.17.144:8443; + invite.hamburg.ccc.de 172.31.17.144:8443; + keycloak-admin.hamburg.ccc.de 172.31.17.144:8444; + grafana.hamburg.ccc.de 172.31.17.145:8443; + wiki.ccchh.net 172.31.17.146:8443; + wiki.hamburg.ccc.de 172.31.17.146:8443; + onlyoffice.hamburg.ccc.de 172.31.17.147:8443; hackertours.hamburg.ccc.de 172.31.17.151:8443; staging.hackertours.hamburg.ccc.de 172.31.17.151:8443; - netbox.hamburg.ccc.de netbox.hosts.hamburg.ccc.de:8443; + netbox.hamburg.ccc.de 172.31.17.167:8443; matrix.hamburg.ccc.de 172.31.17.150:8443; mas.hamburg.ccc.de 172.31.17.150:8443; element-admin.hamburg.ccc.de 172.31.17.151:8443; 
@@ -42,9 +42,9 @@ stream {
 hamburg.ccc.de 172.31.17.151:8443;
 staging.hamburg.ccc.de 172.31.17.151:8443;
 spaceapi.hamburg.ccc.de 172.31.17.151:8443;
- tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:8443;
- sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:8443;
- zammad.hamburg.ccc.de zammad.hosts.hamburg.ccc.de:8443;
+ tickets.hamburg.ccc.de 172.31.17.148:8443;
+ sunders.hamburg.ccc.de 172.31.17.170:8443;
+ zammad.hamburg.ccc.de 172.31.17.152:8443;
 c3cat.de 172.31.17.151:8443;
 www.c3cat.de 172.31.17.151:8443;
 staging.c3cat.de 172.31.17.151:8443;
@@ -56,7 +56,7 @@ stream {
 eh11.easterhegg.eu 172.31.17.151:8443;
 eh20.easterhegg.eu 172.31.17.151:8443;
 www.eh20.easterhegg.eu 172.31.17.151:8443;
- eh22.easterhegg.eu eh22-wiki.hosts.hamburg.ccc.de:8443;
+ eh22.easterhegg.eu 172.31.17.165:8443;
 easterheggxxxx.hamburg.ccc.de 172.31.17.151:8443;
 eh2003.hamburg.ccc.de 172.31.17.151:8443;
 www.eh2003.hamburg.ccc.de 172.31.17.151:8443;
@@ -90,8 +90,8 @@ stream {
 woodpecker.hamburg.ccc.de 172.31.17.160:8443;
 design.hamburg.ccc.de 172.31.17.162:8443;
 hydra.hamburg.ccc.de 172.31.17.163:8443;
- cfp.eh22.easterhegg.eu pretalx.hosts.hamburg.ccc.de:8443;
- ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:8443;
+ cfp.eh22.easterhegg.eu pretalx-intern.hamburg.ccc.de:8443;
+ ntfy.hamburg.ccc.de 172.31.17.149:8443;
 cryptoparty-hamburg.de 172.31.17.151:8443;
 cryptoparty.hamburg.ccc.de 172.31.17.151:8443;
 staging.cryptoparty-hamburg.de 172.31.17.151:8443;
diff --git a/resources/chaosknoten/router/nftables/nftables.conf b/resources/chaosknoten/router/nftables/nftables.conf
index ca62a97..8d30852 100644
--- a/resources/chaosknoten/router/nftables/nftables.conf
+++ b/resources/chaosknoten/router/nftables/nftables.conf
@@ -7,14 +7,20 @@ define if_net1_v4_wan = "net1" define if_net2_v6_wan = "net2" define if_net0_2_v4_nat = "net0.2" define if_net0_3_ci_runner = "net0.3" +define if_net0_4_v4_nat_legacy = "net0.4" +define if_net0_5_public = "net0.5" # Interface Groups define wan_ifs = { $if_net1_v4_wan, $if_net2_v6_wan } define lan_ifs = { $if_net0_2_v4_nat, - $if_net0_3_ci_runner } -# define v4_exposed_ifs = { } -define v6_exposed_ifs = { $if_net0_2_v4_nat } + $if_net0_3_ci_runner, + $if_net0_4_v4_nat_legacy, + $if_net0_5_public } +define v4_exposed_ifs = { $if_net0_5_public } +define v6_exposed_ifs = { $if_net0_2_v4_nat, + $if_net0_4_v4_nat_legacy, + $if_net0_5_public } ## Rules 
@@ -39,29 +45,13 @@ table inet host { ct state established,related accept ip protocol icmp accept - # ICMPv6 - # https://datatracker.ietf.org/doc/html/rfc4890#autoid-24 - # Allowlist consisting of: "Traffic That Must Not Be Dropped" and "Traffic That Normally Should Not Be Dropped" - # Error messages that are essential to the establishment and maintenance of communications: - icmpv6 type { destination-unreachable, packet-too-big } accept - icmpv6 type { time-exceeded } accept - icmpv6 type { parameter-problem } accept - # Connectivity checking messages: - icmpv6 type { echo-request, echo-reply } accept - # Address Configuration and Router Selection messages: - icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } accept - # Link-Local Multicast Receiver Notification messages: - icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, mld2-listener-report } accept - # SEND Certificate Path Notification messages: - icmpv6 type { 148, 149 } accept - # Multicast Router Discovery messages: - icmpv6 type { 151, 152, 153 } accept + ip6 nexthdr icmpv6 accept # Allow SSH access. tcp dport 22 accept comment "allow ssh access" # Allow DHCP server access. - iifname { $if_net0_2_v4_nat, $if_net0_3_ci_runner } udp dport 67 accept comment "allow dhcp server access" + iifname $if_net0_3_ci_runner udp dport 67 accept comment "allow dhcp server access" } } 
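Review bot: `ip6 nexthdr icmpv6 accept` only matches when ICMPv6 is the first next header of the packet, so ICMPv6 carried behind an extension header is not accepted by this rule — notably MLD queries and reports, which travel with a Hop-by-Hop Router Alert header and were explicitly allowed by the removed `icmpv6 type { mld-listener-query, ... }` line (current nftables expands an `icmpv6 type` match to the transport protocol after extension headers). If a blanket accept is the intent, `meta l4proto ipv6-icmp accept` is the form that does that. Beyond the matching bug, the hunk swaps the RFC 4890-based allowlist for accepting every ICMPv6 type on the router's own input chain, redirects and router renumbering included; if the list was dropped because a needed type was missing, adding that type would have been the smaller change, and a comment on why the allowlist went would make the relaxation reviewable. The chain this rule sits in begins above the hunk.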
@@ -85,11 +75,10 @@ table inet forward { ct state established,related accept # Allow internet access. - meta nfproto ipv6 iifname $lan_ifs oifname $if_net2_v6_wan accept comment "allow v6 internet access" - meta nfproto ipv4 iifname $lan_ifs oifname $if_net1_v4_wan accept comment "allow v4 internet access" + iifname $lan_ifs oifname $wan_ifs accept comment "allow internet access" # Allow access to exposed networks from internet. - # meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access" + meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access" meta nfproto ipv6 oifname $v6_exposed_ifs accept comment "allow v6 exposed network access" } }
diff --git a/resources/chaosknoten/router/systemd_networkd/00-net1.link b/resources/chaosknoten/router/systemd_networkd/00-net1.link
index ef04d04..9489f17 100644
--- a/resources/chaosknoten/router/systemd_networkd/00-net1.link
+++ b/resources/chaosknoten/router/systemd_networkd/00-net1.link
@@ -1,5 +1,6 @@ [Match] -MACAddress=BC:24:11:9A:FB:34 +# Stolen from turing to make 212.12.48.122 work. +MACAddress=0E:A4:E3:97:16:92 Type=ether [Link]
diff --git a/resources/chaosknoten/router/systemd_networkd/10-net0.4-v4_nat_legacy.netdev b/resources/chaosknoten/router/systemd_networkd/10-net0.4-v4_nat_legacy.netdev
new file mode 100644
index 0000000..5cb68ed
--- /dev/null
+++ b/resources/chaosknoten/router/systemd_networkd/10-net0.4-v4_nat_legacy.netdev
@@ -0,0 +1,6 @@
+[NetDev]
+Name=net0.4
+Kind=vlan
+
+[VLAN]
+Id=4
diff --git a/resources/chaosknoten/router/systemd_networkd/10-net0.5-public.netdev b/resources/chaosknoten/router/systemd_networkd/10-net0.5-public.netdev
new file mode 100644
index 0000000..be3c9d9
--- /dev/null
+++ b/resources/chaosknoten/router/systemd_networkd/10-net0.5-public.netdev
@@ -0,0 +1,6 @@
+[NetDev]
+Name=net0.5
+Kind=vlan
+
+[VLAN]
+Id=5
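Review bot: `MACAddress=0E:A4:E3:97:16:92` in the 00-net1.link hunk pins an address the new comment says was taken from another host (turing) so that `212.12.48.122` works; if that host ever comes up on the same segment again, two interfaces share one MAC and the public addresses on net1 flap. The comment should state the precondition and what the address depends on rather than just "stolen", e.g. `# MAC taken over from turing; 212.12.48.122 only works with it (TODO: document why). turing must not bring this MAC up on this segment.` The `[Link]` section that follows is outside the hunk.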
diff --git a/resources/chaosknoten/router/systemd_networkd/20-net0.network b/resources/chaosknoten/router/systemd_networkd/20-net0.network
index a32d75e..59897cf 100644
--- a/resources/chaosknoten/router/systemd_networkd/20-net0.network
+++ b/resources/chaosknoten/router/systemd_networkd/20-net0.network
@@ -7,6 +7,7 @@ RequiredForOnline=no [Network] VLAN=net0.2 VLAN=net0.3 +VLAN=net0.4 +VLAN=net0.5 LinkLocalAddressing=no -
diff --git a/resources/chaosknoten/router/systemd_networkd/20-net1.network b/resources/chaosknoten/router/systemd_networkd/20-net1.network
index c8bffc1..5789ef6 100644
--- a/resources/chaosknoten/router/systemd_networkd/20-net1.network
+++ b/resources/chaosknoten/router/systemd_networkd/20-net1.network
@@ -5,10 +5,11 @@ Name=net1
 DNS=212.12.50.158
 IPForward=ipv4
 IPv6AcceptRA=no
-
-[Address]
+# v4 taken from turing for routing public v4 range and turing-compat for v4-NAT-legacy network.
+# Also just the v4 for other purposes as well.
+Address=212.12.48.122/24
 Address=212.12.48.123/24
-
-[Route]
+# v6 for turing-compat for v4-NAT-legacy network routed v6.
+Address=2a00:14b0:4200:3000:122::1
 Gateway=212.12.48.55
-
+Gateway=2a00:14b0:4200:3000::1
diff --git a/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network b/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network
index b15259d..c7fd9a7 100644
--- a/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network
+++ b/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network
@@ -11,12 +11,6 @@ Description=v4-NAT # Masquerading done in nftables (nftables.conf). IPv6SendRA=yes -DHCPServer=true - -[DHCPServer] -PoolOffset=100 -PoolSize=150 - [Address] Address=10.32.2.1/24
diff --git a/resources/chaosknoten/router/systemd_networkd/21-net0.4-v4_nat_legacy.network b/resources/chaosknoten/router/systemd_networkd/21-net0.4-v4_nat_legacy.network
new file mode 100644
index 0000000..dd63a73
--- /dev/null
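Review bot: `Address=2a00:14b0:4200:3000:122::1` in the 20-net1.network hunk has no prefix length while the two IPv4 entries carry `/24`; networkd accepts the line but warns that it is choosing a length itself, and the one it picks is not necessarily the upstream allocation. Give it explicitly: `Address=2a00:14b0:4200:3000:122::1/<prefix-len>` with the real length. The hunk also adds `Gateway=2a00:14b0:4200:3000::1`, which makes net1 carry a v6 default route while the nftables defines still treat net2 as `$if_net2_v6_wan`; if net2's unit (outside this diff) also sets a v6 gateway, a comment here on which route is meant to win would save the next reader a trip through `ip -6 route`. The `[Match]` section above the hunk is not shown.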
+++ b/resources/chaosknoten/router/systemd_networkd/21-net0.4-v4_nat_legacy.network
@@ -0,0 +1,23 @@
+[Match]
+Name=net0.4
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=v4-NAT-legacy
+
+# Masquerading done in nftables (nftables.conf).
+IPv6SendRA=yes
+
+[Address]
+Address=172.31.17.129/25
+
+[IPv6SendRA]
+UplinkInterface=net1
+
+[IPv6Prefix]
+Prefix=2a00:14b0:f000:23::/64
+Assign=true
+Token=static:::1
diff --git a/resources/chaosknoten/router/systemd_networkd/21-net0.5-public.network b/resources/chaosknoten/router/systemd_networkd/21-net0.5-public.network
new file mode 100644
index 0000000..d49eb60
--- /dev/null
+++ b/resources/chaosknoten/router/systemd_networkd/21-net0.5-public.network
@@ -0,0 +1,22 @@
+[Match]
+Name=net0.5
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=public
+
+IPv6SendRA=yes
+
+[Address]
+Address=212.12.50.209/29
+
+[IPv6SendRA]
+UplinkInterface=net2
+
+[IPv6Prefix]
+Prefix=2a00:14b0:42:105::/64
+Assign=true
+Token=static:::1
diff --git a/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf b/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf
index ceb9b2b..04cc006 100644
--- a/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf
@@ -2,7 +2,7 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
 # Listen on a custom port for the proxy protocol.
- listen [::]:8443 ssl http2 proxy_protocol;
+ listen 8443 ssl http2 proxy_protocol;
 # Make use of the ngx_http_realip_module to set the $remote_addr and
 # $remote_port to the client address and client port, when using proxy
 # protocol.
diff --git a/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf b/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf
index 8d36244..9e2ca26 100644
--- a/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf
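Review bot: The new 21-net0.4-v4_nat_legacy.network unit copies `# Masquerading done in nftables (nftables.conf).` from the net0.2 unit, but none of the nftables hunks in this commit add `net0.4` or `172.31.17.128/25` to a masquerade rule — the nat table is outside the shown hunks, so either the rule already exists or the comment is ahead of the code; confirm before merging. If masquerading is not actually wanted for the legacy network, drop the comment rather than leave a misleading one. The interface is also added to `$lan_ifs` and `$v6_exposed_ifs` in the nftables defines hunk and the forward chain accepts traffic towards `$v6_exposed_ifs`, so the prefix `2a00:14b0:f000:23::/64` is reachable from the internet by design — worth stating in `Description=` or a comment so nobody mistakes this VLAN for a purely internal one.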
+++ b/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf
@@ -2,7 +2,7 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
 # Listen on a custom port for the proxy protocol.
- listen [::]:8443 ssl http2 proxy_protocol;
+ listen 8443 ssl http2 proxy_protocol;
 # Make use of the ngx_http_realip_module to set the $remote_addr and
 # $remote_port to the client address and client port, when using proxy
 # protocol.
diff --git a/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf b/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf
index 472236a..a564fc2 100644
--- a/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf
+++ b/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf
@@ -3,12 +3,11 @@ server { # Listen on a custom port for the proxy protocol. listen 8443 ssl http2 proxy_protocol; - listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 2a00:14b0:4200:3000:125::1; + set_real_ip_from 172.31.17.140; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol;
@@ -22,6 +21,6 @@ server { # HSTS (ngx_http_headers_module is required) (63072000 seconds) add_header Strict-Transport-Security "max-age=63072000" always; - + return 302 https://wiki.hamburg.ccc.de$request_uri; }
diff --git a/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf b/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf
index b4eab7f..ccdd224 100644
--- a/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf
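Review bot: `return 302 https://wiki.hamburg.ccc.de$request_uri;` in the second wiki.ccchh.net.conf hunk turns the ccchh.net name into a redirect-only vhost, but a 302 tells clients and crawlers the move is temporary, so they keep requesting the old name and cached links never update; if the consolidation is permanent, `return 301 https://wiki.hamburg.ccc.de$request_uri;` (or 308 where the request method must survive) is the conventional choice. The `add_header Strict-Transport-Security "max-age=63072000" always;` above it does reach clients on the redirect response because of `always`, which is what you want for the old hostname. The enclosing server block starts outside the hunk.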
@@ -3,12 +3,11 @@
 server {
 # Listen on a custom port for the proxy protocol.
 listen 8443 ssl http2 proxy_protocol;
- listen [::]:8443 ssl http2 proxy_protocol;
 # Make use of the ngx_http_realip_module to set the $remote_addr and
 # $remote_port to the client address and client port, when using proxy
 # protocol.
 # First set our proxy protocol proxy as trusted.
- set_real_ip_from 2a00:14b0:4200:3000:125::1;
+ set_real_ip_from 172.31.17.140;
 # Then tell the realip_module to get the addreses from the proxy protocol
 # header.
 real_ip_header proxy_protocol;
diff --git a/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf b/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf
index 5bb2435..c1f9182 100644
--- a/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf
@@ -2,7 +2,7 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
 # Listen on a custom port for the proxy protocol.
- listen [::]:8443 ssl http2 proxy_protocol;
+ listen 8443 ssl http2 proxy_protocol;
 # Make use of the ngx_http_realip_module to set the $remote_addr and
 # $remote_port to the client address and client port, when using proxy
 # protocol.
diff --git a/roles/ansible_pull/tasks/main.yaml b/roles/ansible_pull/tasks/main.yaml
index 61a2635..5abcd10 100644
--- a/roles/ansible_pull/tasks/main.yaml
+++ b/roles/ansible_pull/tasks/main.yaml
@@ -3,7 +3,6 @@
 - name: ensure apt dependencies are installed
 ansible.builtin.apt:
 name:
- - python3-pip
 - virtualenv
 - git
 state: present
diff --git a/roles/base_config/tasks/main.yaml b/roles/base_config/tasks/main.yaml
deleted file mode 100644
index cd8affd..0000000
--- a/roles/base_config/tasks/main.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-# Ensure the ssh module is disabled, so a cloud-init config change doesn't regenerate the host keys for no reason.
-- name: check if cloud-init config file exists
- ansible.builtin.stat:
- path: /etc/cloud/cloud.cfg
- register: base_config__stat_cloud_cfg
-
-- name: ensure the cloud-init ssh module is disabled
- ansible.builtin.replace:
- path: /etc/cloud/cloud.cfg
- regexp: " - ssh$"
- replace: " #- ssh"
- become: true
- when: base_config__stat_cloud_cfg.stat.exists
diff --git a/roles/certbot/meta/main.yaml b/roles/certbot/meta/main.yaml
index 9b678e9..b4a1c6f 100644
--- a/roles/certbot/meta/main.yaml
+++ b/roles/certbot/meta/main.yaml
@@ -7,4 +7,3 @@ dependencies:
 major_versions:
 - 11
 - 12
- - 13
diff --git a/roles/docker/meta/main.yaml b/roles/docker/meta/main.yaml
index 9b678e9..b4a1c6f 100644
--- a/roles/docker/meta/main.yaml
+++ b/roles/docker/meta/main.yaml
@@ -7,4 +7,3 @@ dependencies:
 major_versions:
 - 11
 - 12
- - 13
diff --git a/roles/dokuwiki/meta/main.yml b/roles/dokuwiki/meta/main.yml
index 9b678e9..b4a1c6f 100644
--- a/roles/dokuwiki/meta/main.yml
+++ b/roles/dokuwiki/meta/main.yml
@@ -7,4 +7,3 @@ dependencies:
 major_versions:
 - 11
 - 12
- - 13
diff --git a/roles/nextcloud/templates/nginx_nextcloud.conf.j2 b/roles/nextcloud/templates/nginx_nextcloud.conf.j2
index 1beeaf3..c15a653 100644
--- a/roles/nextcloud/templates/nginx_nextcloud.conf.j2
+++ b/roles/nextcloud/templates/nginx_nextcloud.conf.j2
@@ -4,7 +4,6 @@
 server {
 # Listen on a custom port for the proxy protocol.
 listen 8443 ssl http2 proxy_protocol;
- listen [::]:8443 ssl http2 proxy_protocol;
 # Make use of the ngx_http_realip_module to set the $remote_addr and
 # $remote_port to the client address and client port, when using proxy
 # protocol.
diff --git a/roles/nginx/meta/main.yaml b/roles/nginx/meta/main.yaml
index 78bb770..02b00ac 100644
--- a/roles/nginx/meta/main.yaml
+++ b/roles/nginx/meta/main.yaml
@@ -7,4 +7,3 @@ dependencies:
 major_versions:
 - "11"
 - "12"
- - "13"
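Review bot: Removing `listen [::]:8443 ssl http2 proxy_protocol;` from the shared nginx_nextcloud.conf.j2 template makes every deployment of the nextcloud role IPv4-only on the proxy-protocol port, while the motivation visible in this commit is one site's reverse-proxy path moving to 172.31.17.140. A role template is a poor place for that host-specific decision; if the trusted proxy address in this template is already supplied per host (the realip lines are outside the hunk, so this is inferred), the IPv6 listener could be kept behind a role variable, e.g. `{% if <ipv6_listen_enabled_var> %}listen [::]:8443 ssl http2 proxy_protocol;{% endif %}` with a documented default, so other hosts are not silently changed. The server block continues outside the hunk.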
diff --git a/roles/prometheus_node_exporter/meta/main.yaml b/roles/prometheus_node_exporter/meta/main.yaml
index 78bb770..02b00ac 100644
--- a/roles/prometheus_node_exporter/meta/main.yaml
+++ b/roles/prometheus_node_exporter/meta/main.yaml
@@ -7,4 +7,3 @@ dependencies:
 major_versions:
 - "11"
 - "12"
- - "13"