diff --git a/.forgejo/workflows/lint.yaml b/.forgejo/workflows/lint.yaml index d29fb6e..23bf6d2 100644 --- a/.forgejo/workflows/lint.yaml +++ b/.forgejo/workflows/lint.yaml @@ -24,7 +24,7 @@ jobs: # work in our environmnet. # Rather manually setup python (pip) before instead. - name: Run ansible-lint - uses: https://github.com/ansible/ansible-lint@v25.11.0 + uses: https://github.com/ansible/ansible-lint@v25.9.2 with: setup_python: "false" requirements_file: "requirements.yml" diff --git a/inventories/chaosknoten/host_vars/cloud.yaml b/inventories/chaosknoten/host_vars/cloud.yaml index b6cf771..0cbcd4d 100644 --- a/inventories/chaosknoten/host_vars/cloud.yaml +++ b/inventories/chaosknoten/host_vars/cloud.yaml @@ -1,11 +1,11 @@ # renovate: datasource=docker depName=git.hamburg.ccc.de/ccchh/oci-images/nextcloud nextcloud__version: 32 # renovate: datasource=docker depName=docker.io/library/postgres -nextcloud__postgres_version: 15.15 +nextcloud__postgres_version: 15.14 nextcloud__fqdn: cloud.hamburg.ccc.de nextcloud__data_dir: /data/nextcloud nextcloud__extra_configuration: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/cloud/nextcloud/extra_configuration.config.php.j2') }}" nextcloud__use_custom_new_user_skeleton: true nextcloud__custom_new_user_skeleton_directory: "resources/chaosknoten/cloud/nextcloud/new_user_skeleton_directory/" -nextcloud__proxy_protocol_reverse_proxy_ip: "2a00:14b0:4200:3000:125::1" +nextcloud__proxy_protocol_reverse_proxy_ip: 172.31.17.140 nextcloud__certbot_acme_account_email_address: le-admin@hamburg.ccc.de diff --git a/inventories/chaosknoten/host_vars/grafana.yaml b/inventories/chaosknoten/host_vars/grafana.yaml index ecc942c..2e3672e 100644 --- a/inventories/chaosknoten/host_vars/grafana.yaml +++ b/inventories/chaosknoten/host_vars/grafana.yaml 
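Review bot: In the cloud.yaml hunk, `nextcloud__proxy_protocol_reverse_proxy_ip: 172.31.17.140` is the one address the Nextcloud nginx vhost will accept a PROXY-protocol client address from, yet the same literal is repeated verbatim in every per-host nginx config touched by this commit rather than derived from one place. A single shared inventory variable (for example a group var `proxy_protocol_reverse_proxy_ip: "172.31.17.140"` referenced from this host_var and from the other nginx configs via templates) would keep the trust anchor in one spot, so the next proxy move cannot leave a vhost trusting a stale address that some other machine on the internal network may later be given. Quoting the value keeps it consistent with the previous quoted form; it parses as a string either way. It must match the exact source address the stream proxy uses on the internal network, which I cannot confirm from the diff.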
@@ -53,6 +53,7 @@ nginx__configurations: - name: metrics.hamburg.ccc.de content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf') }}" + alloy_config: | prometheus.remote_write "default" { endpoint { diff --git a/inventories/chaosknoten/host_vars/netbox.yaml b/inventories/chaosknoten/host_vars/netbox.yaml index 3be8bdd..60dd94a 100644 --- a/inventories/chaosknoten/host_vars/netbox.yaml +++ b/inventories/chaosknoten/host_vars/netbox.yaml @@ -1,5 +1,5 @@ # renovate: datasource=github-releases depName=netbox packageName=netbox-community/netbox -netbox__version: "v4.4.6" +netbox__version: "v4.4.5" netbox__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/netbox/netbox/configuration.py.j2') }}" netbox__custom_pipeline_oidc_group_and_role_mapping: true diff --git a/inventories/chaosknoten/host_vars/router.yaml b/inventories/chaosknoten/host_vars/router.yaml deleted file mode 100644 index 134d29f..0000000 --- a/inventories/chaosknoten/host_vars/router.yaml +++ /dev/null @@ -1,2 +0,0 @@ -systemd_networkd__config_dir: 'resources/chaosknoten/router/systemd_networkd/' -nftables__config: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/router/nftables/nftables.conf') }}" diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml index 1028deb..b9e6358 100644 --- a/inventories/chaosknoten/hosts.yaml +++ b/inventories/chaosknoten/hosts.yaml 
@@ -7,13 +7,13 @@ all: chaosknoten: ansible_host: chaosknoten.hamburg.ccc.de cloud: - ansible_host: cloud.hosts.hamburg.ccc.de + ansible_host: cloud-intern.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de eh22-wiki: - ansible_host: eh22-wiki.hosts.hamburg.ccc.de + ansible_host: eh22-wiki-intern.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de grafana: ansible_host: grafana-intern.hamburg.ccc.de ansible_user: chaos @@ -23,9 +23,9 @@ all: ansible_user: chaos ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de keycloak: - ansible_host: keycloak.hosts.hamburg.ccc.de + ansible_host: keycloak-intern.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de lists: ansible_host: lists.hamburg.ccc.de ansible_user: chaos @@ -37,13 +37,13 @@ all: ansible_user: chaos ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de onlyoffice: - ansible_host: onlyoffice.hosts.hamburg.ccc.de + ansible_host: onlyoffice-intern.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de pad: - ansible_host: pad.hosts.hamburg.ccc.de + ansible_host: pad-intern.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de pretalx: ansible_host: pretalx-intern.hamburg.ccc.de ansible_user: chaos 
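Review bot: The SSH jump host for cloud, eh22-wiki, keycloak, onlyoffice, pad and wiki is now `public-reverse-proxy.hamburg.ccc.de`, which by its name and its role in nginx.conf is the internet-facing edge, so a compromise of the edge proxy would also hand over the management path to every internal host — a role previously held by the separate router host (whether other controls compensate is not visible here). Because both the target names (`*-intern.hamburg.ccc.de`) and the jump host changed, every operator and the CI will see new host keys on first connect; ship the expected keys (e.g. a committed known_hosts plus `-o UserKnownHostsFile=... -o StrictHostKeyChecking=yes` in `ansible_ssh_common_args`) instead of accepting them interactively, otherwise the first run after this change cannot tell the real hosts from an impostor on the path. A short comment above these entries recording why the router stopped being the jump host would also help the next reader.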
@@ -51,13 +51,10 @@ all: public-reverse-proxy: ansible_host: public-reverse-proxy.hamburg.ccc.de ansible_user: chaos - router: - ansible_host: router.hamburg.ccc.de - ansible_user: chaos wiki: - ansible_host: wiki.hosts.hamburg.ccc.de + ansible_host: wiki-intern.hamburg.ccc.de ansible_user: chaos - ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de + ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de zammad: ansible_host: zammad-intern.hamburg.ccc.de ansible_user: chaos @@ -91,19 +88,12 @@ base_config_hosts: pad: pretalx: public-reverse-proxy: - router: tickets: wiki: zammad: ntfy: sunders: renovate: -systemd_networkd_hosts: - hosts: - router: -nftables_hosts: - hosts: - router: docker_compose_hosts: hosts: ccchoir: @@ -183,7 +173,6 @@ infrastructure_authorized_keys_hosts: pad: pretalx: public-reverse-proxy: - router: wiki: zammad: ntfy: diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml index f416b91..d7bacac 100644 --- a/playbooks/deploy.yaml +++ b/playbooks/deploy.yaml @@ -4,16 +4,6 @@ roles: - base_config -- name: Ensure systemd-networkd config deployment on systemd_networkd_hosts - hosts: systemd_networkd_hosts - roles: - - systemd_networkd - -- name: Ensure nftables deployment on nftables_hosts - hosts: nftables_hosts - roles: - - nftables - - name: Ensure deployment of infrastructure authorized keys hosts: infrastructure_authorized_keys_hosts roles: diff --git a/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf b/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf index 8c801fe..d3ed959 100644 --- a/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf +++ b/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf 
@@ -3,12 +3,11 @@ server { # Listen on a custom port for the proxy protocol. listen 8443 ssl http2 proxy_protocol; - listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 2a00:14b0:4200:3000:125::1; + set_real_ip_from 172.31.17.140; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 index 2d598f9..74d7916 100644 --- a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 @@ -2,7 +2,7 @@ services: prometheus: - image: docker.io/prom/prometheus:v3.7.3 + image: docker.io/prom/prometheus:v3.7.2 container_name: prometheus command: - '--config.file=/etc/prometheus/prometheus.yml' @@ -19,7 +19,7 @@ services: - prom_data:/prometheus alertmanager: - image: docker.io/prom/alertmanager:v0.29.0 + image: docker.io/prom/alertmanager:v0.28.1 container_name: alertmanager command: - '--config.file=/etc/alertmanager/alertmanager.yaml' @@ -32,7 +32,7 @@ services: - alertmanager_data:/alertmanager grafana: - image: docker.io/grafana/grafana:12.3.0 + image: docker.io/grafana/grafana:12.2.1 container_name: grafana ports: - 3000:3000 @@ -59,7 +59,7 @@ services: - /dev/null:/etc/prometheus/pve.yml loki: - image: docker.io/grafana/loki:3.6.0 + image: docker.io/grafana/loki:3.5.7 container_name: loki ports: - 13100:3100 diff --git a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 index a260ab1..9fde708 100644 --- a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 
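Review bot: With `listen [::]:8443` removed, this vhost accepts the proxy over IPv4 only, which is consistent with the stream map in this commit sending eh22.easterhegg.eu to `172.31.17.165:8443`, but the trust decision now rests entirely on `set_real_ip_from 172.31.17.140;` and the comment above it does not say what happens for any other peer. Connections from an address not listed there still have to carry a PROXY header (nginx answers 400 otherwise) and that header is ignored, so `$remote_addr` stays the TCP peer — spoofing a client address through this listener is not possible, but port 8443 should still be reachable only from the proxy, and I cannot see from the diff where that filtering lives now that the nftables role is gone. Suggested comment: `# Only the public reverse proxy (172.31.17.140) may assert client addresses; any other peer keeps its own address as $remote_addr.`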
+++ b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 @@ -46,7 +46,7 @@ services: - "8080:8080" db: - image: docker.io/library/postgres:15.15 + image: docker.io/library/postgres:15.14 restart: unless-stopped networks: - keycloak diff --git a/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf b/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf index 939e1da..303b052 100644 --- a/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf +++ b/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf @@ -4,12 +4,11 @@ server { # Listen on a custom port for the proxy protocol. listen 8443 ssl http2 proxy_protocol; - listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 2a00:14b0:4200:3000:125::1; + set_real_ip_from 172.31.17.140; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf b/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf index de1e9d6..4a9cfe6 100644 --- a/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf +++ b/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf @@ -4,12 +4,11 @@ server { # Listen on a custom port for the proxy protocol. listen 8443 ssl http2 proxy_protocol; - listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 2a00:14b0:4200:3000:125::1; + set_real_ip_from 172.31.17.140; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; 
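Review bot: For id.hamburg.ccc.de the `$remote_addr` that the realip module produces here is presumably what the vhost forwards to Keycloak as the client address (the proxy_pass block is outside the hunk), and Keycloak's brute-force detection and login auditing key on that value. If the stream proxy ever connects from an address other than `172.31.17.140` — a second proxy, a renumbering, or IPv6 should that listener be re-added — the PROXY header is silently ignored and every login appears to come from the proxy itself, so lockouts would either hit all users at once or never trigger. Make the dependency explicit, e.g. `# Must match the address the stream proxy connects from; otherwise all clients appear as the proxy to Keycloak's brute-force detection.` The invite.hamburg.ccc.de hunk on this line has the same dependency.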
diff --git a/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf b/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf index cd56b98..2b0d919 100644 --- a/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf +++ b/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf @@ -7,13 +7,12 @@ server { ##listen [::]:443 ssl http2; # Listen on a custom port for the proxy protocol. - listen 8443 ssl http2 proxy_protocol; - listen [::]:8443 ssl http2 proxy_protocol; + listen 8444 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 2a00:14b0:4200:3000:125::1; + set_real_ip_from 172.31.17.140; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 b/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 index 50df05d..9fe2a7a 100644 --- a/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 @@ -1,7 +1,7 @@ --- services: ntfy: - image: docker.io/binwiederhier/ntfy:v2.15.0 + image: docker.io/binwiederhier/ntfy:v2.14.0 container_name: ntfy command: - serve diff --git a/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf b/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf index 8a9a486..2471525 100644 --- a/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf +++ b/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf 
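Review bot: Moving the admin console to `listen 8444` (matched by `keycloak-admin.hamburg.ccc.de 172.31.17.144:8444` in nginx.conf) separates it from id/invite at the TCP level, but the public proxy routes on SNI, so any internet client can still reach this port through the proxy; the split only restricts access if this vhost or a filter between proxy and host enforces it, and no `allow`/`deny` or auth block is visible in the hunk. The reason for the different port is undocumented; add `# Admin console on its own port so it can be filtered independently of id/invite (see nginx.conf stream map).` above the listen line. If access is meant to be IP-restricted elsewhere in this vhost, note that such `allow` rules act on the realip-rewritten `$remote_addr` and therefore depend on `set_real_ip_from` naming the correct proxy address.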
@@ -3,13 +3,11 @@ server { # Listen on a custom port for the proxy protocol. listen 8443 ssl http2 proxy_protocol; - listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 2a00:14b0:4200:3000:125::1; - + set_real_ip_from 172.31.17.140; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf b/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf index 6c453d1..53d0a0d 100644 --- a/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf +++ b/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf @@ -3,12 +3,11 @@ server { # Listen on a custom port for the proxy protocol. listen 8443 ssl http2 proxy_protocol; - listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 2a00:14b0:4200:3000:125::1; + set_real_ip_from 172.31.17.140; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 index dda67bb..3de7eac 100644 --- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 +++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 @@ -15,7 +15,7 @@ services: - pretalx_net redis: - image: docker.io/library/redis:8.4.0 + image: docker.io/library/redis:8.2.2 restart: unless-stopped volumes: - redis:/data 
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf index 409b5c6..165e166 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf 
@@ -6,27 +6,27 @@ map $host $upstream_acme_challenge_host { staging.c3cat.de 172.31.17.151:31820; ccchoir.de ccchoir-intern.hamburg.ccc.de:31820; www.ccchoir.de ccchoir-intern.hamburg.ccc.de:31820; - cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:31820; + cloud.hamburg.ccc.de 172.31.17.143:31820; element.hamburg.ccc.de 172.31.17.151:31820; git.hamburg.ccc.de 172.31.17.154:31820; grafana.hamburg.ccc.de 172.31.17.145:31820; hackertours.hamburg.ccc.de 172.31.17.151:31820; staging.hackertours.hamburg.ccc.de 172.31.17.151:31820; hamburg.ccc.de 172.31.17.151:31820; - id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820; - invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820; - keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820; + id.hamburg.ccc.de 172.31.17.144:31820; + invite.hamburg.ccc.de 172.31.17.144:31820; + keycloak-admin.hamburg.ccc.de 172.31.17.144:31820; matrix.hamburg.ccc.de 172.31.17.150:31820; mas.hamburg.ccc.de 172.31.17.150:31820; element-admin.hamburg.ccc.de 172.31.17.151:31820; netbox.hamburg.ccc.de 172.31.17.167:31820; - onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:31820; - pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:31820; + onlyoffice.hamburg.ccc.de 172.31.17.147:31820; + pad.hamburg.ccc.de 172.31.17.141:31820; pretalx.hamburg.ccc.de 172.31.17.157:31820; spaceapi.hamburg.ccc.de 172.31.17.151:31820; staging.hamburg.ccc.de 172.31.17.151:31820; - wiki.ccchh.net wiki.hosts.hamburg.ccc.de:31820; - wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:31820; + wiki.ccchh.net 172.31.17.146:31820; + wiki.hamburg.ccc.de 172.31.17.146:31820; www.hamburg.ccc.de 172.31.17.151:31820; tickets.hamburg.ccc.de 172.31.17.148:31820; sunders.hamburg.ccc.de 172.31.17.170:31820; 
@@ -38,7 +38,7 @@ map $host $upstream_acme_challenge_host { eh11.easterhegg.eu 172.31.17.151:31820; eh20.easterhegg.eu 172.31.17.151:31820; www.eh20.easterhegg.eu 172.31.17.151:31820; - eh22.easterhegg.eu eh22-wiki.hosts.hamburg.ccc.de:31820; + eh22.easterhegg.eu 172.31.17.165:31820; easterheggxxxx.hamburg.ccc.de 172.31.17.151:31820; eh2003.hamburg.ccc.de 172.31.17.151:31820; www.eh2003.hamburg.ccc.de 172.31.17.151:31820; diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf index 97e0e3c..4a449f5 100644 --- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf +++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf @@ -20,16 +20,16 @@ stream { map $ssl_preread_server_name $address { ccchoir.de ccchoir-intern.hamburg.ccc.de:8443; www.ccchoir.de ccchoir-intern.hamburg.ccc.de:8443; - cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:8443; - pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:8443; + cloud.hamburg.ccc.de cloud-intern.hamburg.ccc.de:8443; + pad.hamburg.ccc.de pad-intern.hamburg.ccc.de:8443; pretalx.hamburg.ccc.de pretalx-intern.hamburg.ccc.de:8443; - id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443; - invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443; - keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443; + id.hamburg.ccc.de 172.31.17.144:8443; + invite.hamburg.ccc.de 172.31.17.144:8443; + keycloak-admin.hamburg.ccc.de 172.31.17.144:8444; grafana.hamburg.ccc.de 172.31.17.145:8443; - wiki.ccchh.net wiki.hosts.hamburg.ccc.de:8443; - wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:8443; - onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:8443; + wiki.ccchh.net 172.31.17.146:8443; + wiki.hamburg.ccc.de 172.31.17.146:8443; + onlyoffice.hamburg.ccc.de 172.31.17.147:8443; hackertours.hamburg.ccc.de 172.31.17.151:8443; staging.hackertours.hamburg.ccc.de 172.31.17.151:8443; netbox.hamburg.ccc.de 172.31.17.167:8443; 
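Review bot: In the nginx.conf stream hunk the same kind of backend is now addressed two different ways — cloud and pad by DNS (`cloud-intern.hamburg.ccc.de:8443`) while keycloak, wiki and onlyoffice by literal IP — and acme_challenge.conf routes cloud by `172.31.17.143:31820` where this map uses the DNS name. Two sources of truth for one host means a DNS or address change can send TLS traffic to one machine and the ACME HTTP-01 challenges to another, in which case certbot renewals fail quietly until the certificate expires. Use one form in both maps; literal IPs remove the resolver from the routing decision, which is preferable for the edge proxy, and if names are kept remember nginx resolves static upstream names only at reload. Whether the `-intern` records currently resolve to the addresses used in the ACME map cannot be checked from this diff.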
@@ -56,7 +56,7 @@ stream { eh11.easterhegg.eu 172.31.17.151:8443; eh20.easterhegg.eu 172.31.17.151:8443; www.eh20.easterhegg.eu 172.31.17.151:8443; - eh22.easterhegg.eu eh22-wiki.hosts.hamburg.ccc.de:8443; + eh22.easterhegg.eu 172.31.17.165:8443; easterheggxxxx.hamburg.ccc.de 172.31.17.151:8443; eh2003.hamburg.ccc.de 172.31.17.151:8443; www.eh2003.hamburg.ccc.de 172.31.17.151:8443; diff --git a/resources/chaosknoten/router/nftables/nftables.conf b/resources/chaosknoten/router/nftables/nftables.conf deleted file mode 100644 index 3375bfb..0000000 --- a/resources/chaosknoten/router/nftables/nftables.conf +++ /dev/null 
@@ -1,79 +0,0 @@ -#!/usr/sbin/nft -f - -## Variables - -# Interfaces -define if_net1_v4_wan = "net1" -define if_net2_v6_wan = "net2" -define if_net0_2_v4_nat = "net0.2" -define if_net0_3_ci_runner = "net0.3" - -# Interface Groups -define wan_ifs = { $if_net1_v4_wan, - $if_net2_v6_wan } -define lan_ifs = { $if_net0_2_v4_nat, - $if_net0_3_ci_runner } -# define v4_exposed_ifs = { } -define v6_exposed_ifs = { $if_net0_2_v4_nat } - - -## Rules - -table inet reverse-path-forwarding { - chain rpf-filter { - type filter hook prerouting priority mangle + 10; policy drop; - - # Only allow packets if their source address is routed via their incoming interface. - # https://github.com/NixOS/nixpkgs/blob/d9d87c51960050e89c79e4025082ed965e770d68/nixos/modules/services/networking/firewall-nftables.nix#L100 - fib saddr . mark . iif oif exists accept - } -} - -table inet host { - chain input { - type filter hook input priority filter; policy drop; - - iifname "lo" accept comment "allow loopback" - - ct state invalid drop - ct state established,related accept - - ip protocol icmp accept - ip6 nexthdr icmpv6 accept - - # Allow SSH access. - tcp dport 22 accept comment "allow ssh access" - - # Allow DHCP server access. - iifname { $if_net0_2_v4_nat, $if_net0_3_ci_runner } udp dport 67 accept comment "allow dhcp server access" - } -} - -table ip v4nat { - chain prerouting { - type nat hook prerouting priority dstnat; policy accept; - } - - chain postrouting { - type nat hook postrouting priority srcnat; policy accept; - - oifname $if_net1_v4_wan masquerade - } -} - -table inet forward { - chain forward { - type filter hook forward priority filter; policy drop; - - ct state invalid drop - ct state established,related accept - - # Allow internet access. 
- meta nfproto ipv6 iifname $lan_ifs oifname $if_net2_v6_wan accept comment "allow v6 internet access" - meta nfproto ipv4 iifname $lan_ifs oifname $if_net1_v4_wan accept comment "allow v4 internet access" - - # Allow access to exposed networks from internet. - # meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access" - meta nfproto ipv6 oifname $v6_exposed_ifs accept comment "allow v6 exposed network access" - } -} diff --git a/resources/chaosknoten/router/systemd_networkd/00-net0.link b/resources/chaosknoten/router/systemd_networkd/00-net0.link deleted file mode 100644 index 0c55d13..0000000 --- a/resources/chaosknoten/router/systemd_networkd/00-net0.link +++ /dev/null @@ -1,6 +0,0 @@ -[Match] -MACAddress=BC:24:11:54:11:15 -Type=ether - -[Link] -Name=net0 diff --git a/resources/chaosknoten/router/systemd_networkd/00-net1.link b/resources/chaosknoten/router/systemd_networkd/00-net1.link deleted file mode 100644 index ef04d04..0000000 --- a/resources/chaosknoten/router/systemd_networkd/00-net1.link +++ /dev/null @@ -1,6 +0,0 @@ -[Match] -MACAddress=BC:24:11:9A:FB:34 -Type=ether - -[Link] -Name=net1 diff --git a/resources/chaosknoten/router/systemd_networkd/00-net2.link b/resources/chaosknoten/router/systemd_networkd/00-net2.link deleted file mode 100644 index 2a56f72..0000000 --- a/resources/chaosknoten/router/systemd_networkd/00-net2.link +++ /dev/null @@ -1,6 +0,0 @@ -[Match] -MACAddress=BC:24:11:AE:C7:04 -Type=ether - -[Link] -Name=net2 diff --git a/resources/chaosknoten/router/systemd_networkd/10-net0.2-v4_nat.netdev b/resources/chaosknoten/router/systemd_networkd/10-net0.2-v4_nat.netdev deleted file mode 100644 index a46afb4..0000000 --- a/resources/chaosknoten/router/systemd_networkd/10-net0.2-v4_nat.netdev +++ /dev/null @@ -1,7 +0,0 @@ -[NetDev] -Name=net0.2 -Kind=vlan - -[VLAN] -Id=2 - 
diff --git a/resources/chaosknoten/router/systemd_networkd/10-net0.3-ci_runner.netdev b/resources/chaosknoten/router/systemd_networkd/10-net0.3-ci_runner.netdev deleted file mode 100644 index 0cd60db..0000000 --- a/resources/chaosknoten/router/systemd_networkd/10-net0.3-ci_runner.netdev +++ /dev/null @@ -1,7 +0,0 @@ -[NetDev] -Name=net0.3 -Kind=vlan - -[VLAN] -Id=3 - diff --git a/resources/chaosknoten/router/systemd_networkd/20-net0.network b/resources/chaosknoten/router/systemd_networkd/20-net0.network deleted file mode 100644 index a32d75e..0000000 --- a/resources/chaosknoten/router/systemd_networkd/20-net0.network +++ /dev/null @@ -1,12 +0,0 @@ -[Match] -Name=net0 - -[Link] -RequiredForOnline=no - -[Network] -VLAN=net0.2 -VLAN=net0.3 - -LinkLocalAddressing=no - diff --git a/resources/chaosknoten/router/systemd_networkd/20-net1.network b/resources/chaosknoten/router/systemd_networkd/20-net1.network deleted file mode 100644 index c8bffc1..0000000 --- a/resources/chaosknoten/router/systemd_networkd/20-net1.network +++ /dev/null @@ -1,14 +0,0 @@ -[Match] -Name=net1 - -[Network] -DNS=212.12.50.158 -IPForward=ipv4 -IPv6AcceptRA=no - -[Address] -Address=212.12.48.123/24 - -[Route] -Gateway=212.12.48.55 - diff --git a/resources/chaosknoten/router/systemd_networkd/20-net2.network b/resources/chaosknoten/router/systemd_networkd/20-net2.network deleted file mode 100644 index b3f497d..0000000 --- a/resources/chaosknoten/router/systemd_networkd/20-net2.network +++ /dev/null @@ -1,14 +0,0 @@ -[Match] -Name=net2 - -[Network] -#DNS=212.12.50.158 -IPForward=ipv6 -IPv6AcceptRA=no - -[Address] -Address=2a00:14b0:4200:3500::130:2/112 - -[Route] -Gateway=2a00:14b0:4200:3500::130:1 - diff --git a/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network b/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network deleted file mode 100644 index b15259d..0000000 --- a/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network +++ /dev/null 
@@ -1,29 +0,0 @@ -[Match] -Name=net0.2 -Type=vlan - -[Link] -RequiredForOnline=no - -[Network] -Description=v4-NAT - -# Masquerading done in nftables (nftables.conf). -IPv6SendRA=yes - -DHCPServer=true - -[DHCPServer] -PoolOffset=100 -PoolSize=150 - -[Address] -Address=10.32.2.1/24 - -[IPv6SendRA] -UplinkInterface=net2 - -[IPv6Prefix] -Prefix=2a00:14b0:42:102::/64 -Assign=true -Token=static:::1 diff --git a/resources/chaosknoten/router/systemd_networkd/21-net0.3-ci_runners.network b/resources/chaosknoten/router/systemd_networkd/21-net0.3-ci_runners.network deleted file mode 100644 index 9caca86..0000000 --- a/resources/chaosknoten/router/systemd_networkd/21-net0.3-ci_runners.network +++ /dev/null @@ -1,29 +0,0 @@ -[Match] -Name=net0.3 -Type=vlan - -[Link] -RequiredForOnline=no - -[Network] -Description=ci-runners - -# Masquerading done in nftables (nftables.conf). -IPv6SendRA=yes - -DHCPServer=true - -[DHCPServer] -PoolOffset=100 -PoolSize=150 - -[Address] -Address=10.32.3.1/24 - -[IPv6SendRA] -UplinkInterface=net2 - -[IPv6Prefix] -Prefix=2a00:14b0:42:103::/64 -Assign=true -Token=static:::1 diff --git a/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf b/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf index 472236a..a564fc2 100644 --- a/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf +++ b/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf @@ -3,12 +3,11 @@ server { # Listen on a custom port for the proxy protocol. listen 8443 ssl http2 proxy_protocol; - listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 2a00:14b0:4200:3000:125::1; + set_real_ip_from 172.31.17.140; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; 
@@ -22,6 +21,6 @@ server { # HSTS (ngx_http_headers_module is required) (63072000 seconds) add_header Strict-Transport-Security "max-age=63072000" always; - + return 302 https://wiki.hamburg.ccc.de$request_uri; } diff --git a/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf b/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf index b4eab7f..ccdd224 100644 --- a/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf +++ b/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf @@ -3,12 +3,11 @@ server { # Listen on a custom port for the proxy protocol. listen 8443 ssl http2 proxy_protocol; - listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 2a00:14b0:4200:3000:125::1; + set_real_ip_from 172.31.17.140; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/roles/ansible_pull/tasks/main.yaml b/roles/ansible_pull/tasks/main.yaml index 61a2635..5abcd10 100644 --- a/roles/ansible_pull/tasks/main.yaml +++ b/roles/ansible_pull/tasks/main.yaml @@ -3,7 +3,6 @@ - name: ensure apt dependencies are installed ansible.builtin.apt: name: - - python3-pip - virtualenv - git state: present diff --git a/roles/base_config/tasks/main.yaml b/roles/base_config/tasks/main.yaml deleted file mode 100644 index cd8affd..0000000 --- a/roles/base_config/tasks/main.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ -# Ensure the ssh module is disabled, so a cloud-init config change doesn't regenerate the host keys for no reason. -- name: check if cloud-init config file exists - ansible.builtin.stat: - path: /etc/cloud/cloud.cfg - register: base_config__stat_cloud_cfg - -- name: ensure the cloud-init ssh module is disabled - ansible.builtin.replace: - path: /etc/cloud/cloud.cfg - regexp: " - ssh$" - replace: " #- ssh" - become: true - when: base_config__stat_cloud_cfg.stat.exists diff --git a/roles/certbot/meta/main.yaml b/roles/certbot/meta/main.yaml index 9b678e9..b4a1c6f 100644 --- a/roles/certbot/meta/main.yaml +++ b/roles/certbot/meta/main.yaml @@ -7,4 +7,3 @@ dependencies: major_versions: - 11 - 12 - - 13 diff --git a/roles/docker/meta/main.yaml b/roles/docker/meta/main.yaml index 9b678e9..b4a1c6f 100644 --- a/roles/docker/meta/main.yaml +++ b/roles/docker/meta/main.yaml @@ -7,4 +7,3 @@ dependencies: major_versions: - 11 - 12 - - 13 diff --git a/roles/dokuwiki/meta/main.yml b/roles/dokuwiki/meta/main.yml index 9b678e9..b4a1c6f 100644 --- a/roles/dokuwiki/meta/main.yml +++ b/roles/dokuwiki/meta/main.yml @@ -7,4 +7,3 @@ dependencies: major_versions: - 11 - 12 - - 13 diff --git a/roles/nextcloud/templates/nginx_nextcloud.conf.j2 b/roles/nextcloud/templates/nginx_nextcloud.conf.j2 index 1beeaf3..c15a653 100644 --- a/roles/nextcloud/templates/nginx_nextcloud.conf.j2 +++ b/roles/nextcloud/templates/nginx_nextcloud.conf.j2 @@ -4,7 +4,6 @@ server { # Listen on a custom port for the proxy protocol. listen 8443 ssl http2 proxy_protocol; - listen [::]:8443 ssl http2 proxy_protocol; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. diff --git a/roles/nftables/README.md b/roles/nftables/README.md deleted file mode 100644 index 81d8871..0000000 --- a/roles/nftables/README.md +++ /dev/null 
@@ -1,11 +0,0 @@ -# Role `nftables` - -Deploys nftables. - -## Support Distributions - -Should work on Debian-based distributions. - -## Required Arguments - -- `nftables__config`: nftables configuration to deploy. diff --git a/roles/nftables/handlers/main.yaml b/roles/nftables/handlers/main.yaml deleted file mode 100644 index 3b72c54..0000000 --- a/roles/nftables/handlers/main.yaml +++ /dev/null @@ -1,5 +0,0 @@ -- name: Restart nftables service - ansible.builtin.systemd_service: - name: nftables - state: restarted - become: true diff --git a/roles/nftables/meta/argument_specs.yaml b/roles/nftables/meta/argument_specs.yaml deleted file mode 100644 index aa56223..0000000 --- a/roles/nftables/meta/argument_specs.yaml +++ /dev/null @@ -1,6 +0,0 @@ -argument_specs: - main: - options: - nftables__config: - type: str - required: true diff --git a/roles/nftables/tasks/main.yaml b/roles/nftables/tasks/main.yaml deleted file mode 100644 index 46ea18d..0000000 --- a/roles/nftables/tasks/main.yaml +++ /dev/null @@ -1,15 +0,0 @@ -- name: ensure nftables is installed - ansible.builtin.apt: - name: nftables - state: present - become: true - -- name: deploy nftables configuration - ansible.builtin.copy: - content: "{{ nftables__config }}" - dest: "/etc/nftables.conf" - mode: "0644" - owner: root - group: root - become: true - notify: Restart nftables service diff --git a/roles/nginx/meta/main.yaml b/roles/nginx/meta/main.yaml index 78bb770..02b00ac 100644 --- a/roles/nginx/meta/main.yaml +++ b/roles/nginx/meta/main.yaml @@ -7,4 +7,3 @@ dependencies: major_versions: - "11" - "12" - - "13" diff --git a/roles/prometheus_node_exporter/meta/main.yaml b/roles/prometheus_node_exporter/meta/main.yaml index 78bb770..02b00ac 100644 --- a/roles/prometheus_node_exporter/meta/main.yaml +++ b/roles/prometheus_node_exporter/meta/main.yaml @@ -7,4 +7,3 @@ dependencies: major_versions: - "11" - "12" - - "13" 
diff --git a/roles/systemd_networkd/README.md b/roles/systemd_networkd/README.md deleted file mode 100644 index 3297c47..0000000 --- a/roles/systemd_networkd/README.md +++ /dev/null @@ -1,11 +0,0 @@ -# Role `systemd_networkd` - -Deploys the given systemd-networkd configuration files. - -## Support Distributions - -Should work on Debian-based distributions. - -## Required Arguments - -- `systemd_networkd__config_dir`: Directory with systemd-networkd configs to deploy. diff --git a/roles/systemd_networkd/meta/argument_specs.yaml b/roles/systemd_networkd/meta/argument_specs.yaml deleted file mode 100644 index 81b046a..0000000 --- a/roles/systemd_networkd/meta/argument_specs.yaml +++ /dev/null @@ -1,6 +0,0 @@ -argument_specs: - main: - options: - systemd_networkd__config_dir: - type: path - required: true diff --git a/roles/systemd_networkd/tasks/main.yaml b/roles/systemd_networkd/tasks/main.yaml deleted file mode 100644 index f88ed14..0000000 --- a/roles/systemd_networkd/tasks/main.yaml +++ /dev/null @@ -1,14 +0,0 @@ -- name: ensure rsync is installed - ansible.builtin.apt: - name: rsync - state: present - become: true - -- name: synchronize systemd-networkd configs - ansible.posix.synchronize: - src: "{{ systemd_networkd__config_dir }}" - dest: "/etc/systemd/network" - archive: false - recursive: true - delete: true - become: true