Compare commits
1 commit
35502e53ff
...
8d708b8087
| Author | SHA1 | Date | |
|---|---|---|---|
| 8d708b8087 |
47 changed files with 52 additions and 380 deletions
|
|
@ -24,7 +24,7 @@ jobs:
|
|||
# work in our environmnet.
|
||||
# Rather manually setup python (pip) before instead.
|
||||
- name: Run ansible-lint
|
||||
uses: https://github.com/ansible/ansible-lint@v25.11.0
|
||||
uses: https://github.com/ansible/ansible-lint@v25.9.2
|
||||
with:
|
||||
setup_python: "false"
|
||||
requirements_file: "requirements.yml"
|
||||
|
|
|
|||
|
|
@ -1,11 +1,11 @@
|
|||
# renovate: datasource=docker depName=git.hamburg.ccc.de/ccchh/oci-images/nextcloud
|
||||
nextcloud__version: 32
|
||||
# renovate: datasource=docker depName=docker.io/library/postgres
|
||||
nextcloud__postgres_version: 15.15
|
||||
nextcloud__postgres_version: 15.14
|
||||
nextcloud__fqdn: cloud.hamburg.ccc.de
|
||||
nextcloud__data_dir: /data/nextcloud
|
||||
nextcloud__extra_configuration: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/cloud/nextcloud/extra_configuration.config.php.j2') }}"
|
||||
nextcloud__use_custom_new_user_skeleton: true
|
||||
nextcloud__custom_new_user_skeleton_directory: "resources/chaosknoten/cloud/nextcloud/new_user_skeleton_directory/"
|
||||
nextcloud__proxy_protocol_reverse_proxy_ip: "2a00:14b0:4200:3000:125::1"
|
||||
nextcloud__proxy_protocol_reverse_proxy_ip: 172.31.17.140
|
||||
nextcloud__certbot_acme_account_email_address: le-admin@hamburg.ccc.de
|
||||
|
|
|
|||
|
|
@ -53,6 +53,7 @@ nginx__configurations:
|
|||
- name: metrics.hamburg.ccc.de
|
||||
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf') }}"
|
||||
|
||||
|
||||
alloy_config: |
|
||||
prometheus.remote_write "default" {
|
||||
endpoint {
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# renovate: datasource=github-releases depName=netbox packageName=netbox-community/netbox
|
||||
netbox__version: "v4.4.6"
|
||||
netbox__version: "v4.4.5"
|
||||
netbox__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/netbox/netbox/configuration.py.j2') }}"
|
||||
netbox__custom_pipeline_oidc_group_and_role_mapping: true
|
||||
|
||||
|
|
|
|||
|
|
@ -1,2 +0,0 @@
|
|||
systemd_networkd__config_dir: 'resources/chaosknoten/router/systemd_networkd/'
|
||||
nftables__config: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/router/nftables/nftables.conf') }}"
|
||||
|
|
@ -7,13 +7,13 @@ all:
|
|||
chaosknoten:
|
||||
ansible_host: chaosknoten.hamburg.ccc.de
|
||||
cloud:
|
||||
ansible_host: cloud.hosts.hamburg.ccc.de
|
||||
ansible_host: cloud-intern.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
|
||||
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
|
||||
eh22-wiki:
|
||||
ansible_host: eh22-wiki.hosts.hamburg.ccc.de
|
||||
ansible_host: eh22-wiki-intern.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
|
||||
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
|
||||
grafana:
|
||||
ansible_host: grafana-intern.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
|
|
@ -23,9 +23,9 @@ all:
|
|||
ansible_user: chaos
|
||||
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
|
||||
keycloak:
|
||||
ansible_host: keycloak.hosts.hamburg.ccc.de
|
||||
ansible_host: keycloak-intern.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
|
||||
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
|
||||
lists:
|
||||
ansible_host: lists.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
|
|
@ -37,13 +37,13 @@ all:
|
|||
ansible_user: chaos
|
||||
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
|
||||
onlyoffice:
|
||||
ansible_host: onlyoffice.hosts.hamburg.ccc.de
|
||||
ansible_host: onlyoffice-intern.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
|
||||
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
|
||||
pad:
|
||||
ansible_host: pad.hosts.hamburg.ccc.de
|
||||
ansible_host: pad-intern.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
|
||||
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
|
||||
pretalx:
|
||||
ansible_host: pretalx-intern.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
|
|
@ -51,13 +51,10 @@ all:
|
|||
public-reverse-proxy:
|
||||
ansible_host: public-reverse-proxy.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
router:
|
||||
ansible_host: router.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
wiki:
|
||||
ansible_host: wiki.hosts.hamburg.ccc.de
|
||||
ansible_host: wiki-intern.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
|
||||
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
|
||||
zammad:
|
||||
ansible_host: zammad-intern.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
|
|
@ -91,19 +88,12 @@ base_config_hosts:
|
|||
pad:
|
||||
pretalx:
|
||||
public-reverse-proxy:
|
||||
router:
|
||||
tickets:
|
||||
wiki:
|
||||
zammad:
|
||||
ntfy:
|
||||
sunders:
|
||||
renovate:
|
||||
systemd_networkd_hosts:
|
||||
hosts:
|
||||
router:
|
||||
nftables_hosts:
|
||||
hosts:
|
||||
router:
|
||||
docker_compose_hosts:
|
||||
hosts:
|
||||
ccchoir:
|
||||
|
|
@ -183,7 +173,6 @@ infrastructure_authorized_keys_hosts:
|
|||
pad:
|
||||
pretalx:
|
||||
public-reverse-proxy:
|
||||
router:
|
||||
wiki:
|
||||
zammad:
|
||||
ntfy:
|
||||
|
|
|
|||
|
|
@ -4,16 +4,6 @@
|
|||
roles:
|
||||
- base_config
|
||||
|
||||
- name: Ensure systemd-networkd config deployment on systemd_networkd_hosts
|
||||
hosts: systemd_networkd_hosts
|
||||
roles:
|
||||
- systemd_networkd
|
||||
|
||||
- name: Ensure nftables deployment on nftables_hosts
|
||||
hosts: nftables_hosts
|
||||
roles:
|
||||
- nftables
|
||||
|
||||
- name: Ensure deployment of infrastructure authorized keys
|
||||
hosts: infrastructure_authorized_keys_hosts
|
||||
roles:
|
||||
|
|
|
|||
|
|
@ -3,12 +3,11 @@
|
|||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
listen [::]:8443 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
# First set our proxy protocol proxy as trusted.
|
||||
set_real_ip_from 2a00:14b0:4200:3000:125::1;
|
||||
set_real_ip_from 172.31.17.140;
|
||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||
# header.
|
||||
real_ip_header proxy_protocol;
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
services:
|
||||
|
||||
prometheus:
|
||||
image: docker.io/prom/prometheus:v3.7.3
|
||||
image: docker.io/prom/prometheus:v3.7.2
|
||||
container_name: prometheus
|
||||
command:
|
||||
- '--config.file=/etc/prometheus/prometheus.yml'
|
||||
|
|
@ -19,7 +19,7 @@ services:
|
|||
- prom_data:/prometheus
|
||||
|
||||
alertmanager:
|
||||
image: docker.io/prom/alertmanager:v0.29.0
|
||||
image: docker.io/prom/alertmanager:v0.28.1
|
||||
container_name: alertmanager
|
||||
command:
|
||||
- '--config.file=/etc/alertmanager/alertmanager.yaml'
|
||||
|
|
@ -32,7 +32,7 @@ services:
|
|||
- alertmanager_data:/alertmanager
|
||||
|
||||
grafana:
|
||||
image: docker.io/grafana/grafana:12.3.0
|
||||
image: docker.io/grafana/grafana:12.2.1
|
||||
container_name: grafana
|
||||
ports:
|
||||
- 3000:3000
|
||||
|
|
@ -59,7 +59,7 @@ services:
|
|||
- /dev/null:/etc/prometheus/pve.yml
|
||||
|
||||
loki:
|
||||
image: docker.io/grafana/loki:3.6.0
|
||||
image: docker.io/grafana/loki:3.5.7
|
||||
container_name: loki
|
||||
ports:
|
||||
- 13100:3100
|
||||
|
|
|
|||
|
|
@ -46,7 +46,7 @@ services:
|
|||
- "8080:8080"
|
||||
|
||||
db:
|
||||
image: docker.io/library/postgres:15.15
|
||||
image: docker.io/library/postgres:15.14
|
||||
restart: unless-stopped
|
||||
networks:
|
||||
- keycloak
|
||||
|
|
|
|||
|
|
@ -4,12 +4,11 @@
|
|||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
listen [::]:8443 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
# First set our proxy protocol proxy as trusted.
|
||||
set_real_ip_from 2a00:14b0:4200:3000:125::1;
|
||||
set_real_ip_from 172.31.17.140;
|
||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||
# header.
|
||||
real_ip_header proxy_protocol;
|
||||
|
|
|
|||
|
|
@ -4,12 +4,11 @@
|
|||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
listen [::]:8443 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
# First set our proxy protocol proxy as trusted.
|
||||
set_real_ip_from 2a00:14b0:4200:3000:125::1;
|
||||
set_real_ip_from 172.31.17.140;
|
||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||
# header.
|
||||
real_ip_header proxy_protocol;
|
||||
|
|
|
|||
|
|
@ -7,13 +7,12 @@ server {
|
|||
##listen [::]:443 ssl http2;
|
||||
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
listen [::]:8443 ssl http2 proxy_protocol;
|
||||
listen 8444 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
# First set our proxy protocol proxy as trusted.
|
||||
set_real_ip_from 2a00:14b0:4200:3000:125::1;
|
||||
set_real_ip_from 172.31.17.140;
|
||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||
# header.
|
||||
real_ip_header proxy_protocol;
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
services:
|
||||
ntfy:
|
||||
image: docker.io/binwiederhier/ntfy:v2.15.0
|
||||
image: docker.io/binwiederhier/ntfy:v2.14.0
|
||||
container_name: ntfy
|
||||
command:
|
||||
- serve
|
||||
|
|
|
|||
|
|
@ -3,13 +3,11 @@
|
|||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
listen [::]:8443 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
# First set our proxy protocol proxy as trusted.
|
||||
set_real_ip_from 2a00:14b0:4200:3000:125::1;
|
||||
|
||||
set_real_ip_from 172.31.17.140;
|
||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||
# header.
|
||||
real_ip_header proxy_protocol;
|
||||
|
|
|
|||
|
|
@ -3,12 +3,11 @@
|
|||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
listen [::]:8443 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
# First set our proxy protocol proxy as trusted.
|
||||
set_real_ip_from 2a00:14b0:4200:3000:125::1;
|
||||
set_real_ip_from 172.31.17.140;
|
||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||
# header.
|
||||
real_ip_header proxy_protocol;
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@ services:
|
|||
- pretalx_net
|
||||
|
||||
redis:
|
||||
image: docker.io/library/redis:8.4.0
|
||||
image: docker.io/library/redis:8.2.2
|
||||
restart: unless-stopped
|
||||
volumes:
|
||||
- redis:/data
|
||||
|
|
|
|||
|
|
@ -6,27 +6,27 @@ map $host $upstream_acme_challenge_host {
|
|||
staging.c3cat.de 172.31.17.151:31820;
|
||||
ccchoir.de ccchoir-intern.hamburg.ccc.de:31820;
|
||||
www.ccchoir.de ccchoir-intern.hamburg.ccc.de:31820;
|
||||
cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:31820;
|
||||
cloud.hamburg.ccc.de 172.31.17.143:31820;
|
||||
element.hamburg.ccc.de 172.31.17.151:31820;
|
||||
git.hamburg.ccc.de 172.31.17.154:31820;
|
||||
grafana.hamburg.ccc.de 172.31.17.145:31820;
|
||||
hackertours.hamburg.ccc.de 172.31.17.151:31820;
|
||||
staging.hackertours.hamburg.ccc.de 172.31.17.151:31820;
|
||||
hamburg.ccc.de 172.31.17.151:31820;
|
||||
id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820;
|
||||
invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820;
|
||||
keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820;
|
||||
id.hamburg.ccc.de 172.31.17.144:31820;
|
||||
invite.hamburg.ccc.de 172.31.17.144:31820;
|
||||
keycloak-admin.hamburg.ccc.de 172.31.17.144:31820;
|
||||
matrix.hamburg.ccc.de 172.31.17.150:31820;
|
||||
mas.hamburg.ccc.de 172.31.17.150:31820;
|
||||
element-admin.hamburg.ccc.de 172.31.17.151:31820;
|
||||
netbox.hamburg.ccc.de 172.31.17.167:31820;
|
||||
onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:31820;
|
||||
pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:31820;
|
||||
onlyoffice.hamburg.ccc.de 172.31.17.147:31820;
|
||||
pad.hamburg.ccc.de 172.31.17.141:31820;
|
||||
pretalx.hamburg.ccc.de 172.31.17.157:31820;
|
||||
spaceapi.hamburg.ccc.de 172.31.17.151:31820;
|
||||
staging.hamburg.ccc.de 172.31.17.151:31820;
|
||||
wiki.ccchh.net wiki.hosts.hamburg.ccc.de:31820;
|
||||
wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:31820;
|
||||
wiki.ccchh.net 172.31.17.146:31820;
|
||||
wiki.hamburg.ccc.de 172.31.17.146:31820;
|
||||
www.hamburg.ccc.de 172.31.17.151:31820;
|
||||
tickets.hamburg.ccc.de 172.31.17.148:31820;
|
||||
sunders.hamburg.ccc.de 172.31.17.170:31820;
|
||||
|
|
@ -38,7 +38,7 @@ map $host $upstream_acme_challenge_host {
|
|||
eh11.easterhegg.eu 172.31.17.151:31820;
|
||||
eh20.easterhegg.eu 172.31.17.151:31820;
|
||||
www.eh20.easterhegg.eu 172.31.17.151:31820;
|
||||
eh22.easterhegg.eu eh22-wiki.hosts.hamburg.ccc.de:31820;
|
||||
eh22.easterhegg.eu 172.31.17.165:31820;
|
||||
easterheggxxxx.hamburg.ccc.de 172.31.17.151:31820;
|
||||
eh2003.hamburg.ccc.de 172.31.17.151:31820;
|
||||
www.eh2003.hamburg.ccc.de 172.31.17.151:31820;
|
||||
|
|
|
|||
|
|
@ -20,16 +20,16 @@ stream {
|
|||
map $ssl_preread_server_name $address {
|
||||
ccchoir.de ccchoir-intern.hamburg.ccc.de:8443;
|
||||
www.ccchoir.de ccchoir-intern.hamburg.ccc.de:8443;
|
||||
cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:8443;
|
||||
pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:8443;
|
||||
cloud.hamburg.ccc.de cloud-intern.hamburg.ccc.de:8443;
|
||||
pad.hamburg.ccc.de pad-intern.hamburg.ccc.de:8443;
|
||||
pretalx.hamburg.ccc.de pretalx-intern.hamburg.ccc.de:8443;
|
||||
id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
|
||||
invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
|
||||
keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
|
||||
id.hamburg.ccc.de 172.31.17.144:8443;
|
||||
invite.hamburg.ccc.de 172.31.17.144:8443;
|
||||
keycloak-admin.hamburg.ccc.de 172.31.17.144:8444;
|
||||
grafana.hamburg.ccc.de 172.31.17.145:8443;
|
||||
wiki.ccchh.net wiki.hosts.hamburg.ccc.de:8443;
|
||||
wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:8443;
|
||||
onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:8443;
|
||||
wiki.ccchh.net 172.31.17.146:8443;
|
||||
wiki.hamburg.ccc.de 172.31.17.146:8443;
|
||||
onlyoffice.hamburg.ccc.de 172.31.17.147:8443;
|
||||
hackertours.hamburg.ccc.de 172.31.17.151:8443;
|
||||
staging.hackertours.hamburg.ccc.de 172.31.17.151:8443;
|
||||
netbox.hamburg.ccc.de 172.31.17.167:8443;
|
||||
|
|
@ -56,7 +56,7 @@ stream {
|
|||
eh11.easterhegg.eu 172.31.17.151:8443;
|
||||
eh20.easterhegg.eu 172.31.17.151:8443;
|
||||
www.eh20.easterhegg.eu 172.31.17.151:8443;
|
||||
eh22.easterhegg.eu eh22-wiki.hosts.hamburg.ccc.de:8443;
|
||||
eh22.easterhegg.eu 172.31.17.165:8443;
|
||||
easterheggxxxx.hamburg.ccc.de 172.31.17.151:8443;
|
||||
eh2003.hamburg.ccc.de 172.31.17.151:8443;
|
||||
www.eh2003.hamburg.ccc.de 172.31.17.151:8443;
|
||||
|
|
|
|||
|
|
@ -1,79 +0,0 @@
|
|||
#!/usr/sbin/nft -f
|
||||
|
||||
## Variables
|
||||
|
||||
# Interfaces
|
||||
define if_net1_v4_wan = "net1"
|
||||
define if_net2_v6_wan = "net2"
|
||||
define if_net0_2_v4_nat = "net0.2"
|
||||
define if_net0_3_ci_runner = "net0.3"
|
||||
|
||||
# Interface Groups
|
||||
define wan_ifs = { $if_net1_v4_wan,
|
||||
$if_net2_v6_wan }
|
||||
define lan_ifs = { $if_net0_2_v4_nat,
|
||||
$if_net0_3_ci_runner }
|
||||
# define v4_exposed_ifs = { }
|
||||
define v6_exposed_ifs = { $if_net0_2_v4_nat }
|
||||
|
||||
|
||||
## Rules
|
||||
|
||||
table inet reverse-path-forwarding {
|
||||
chain rpf-filter {
|
||||
type filter hook prerouting priority mangle + 10; policy drop;
|
||||
|
||||
# Only allow packets if their source address is routed via their incoming interface.
|
||||
# https://github.com/NixOS/nixpkgs/blob/d9d87c51960050e89c79e4025082ed965e770d68/nixos/modules/services/networking/firewall-nftables.nix#L100
|
||||
fib saddr . mark . iif oif exists accept
|
||||
}
|
||||
}
|
||||
|
||||
table inet host {
|
||||
chain input {
|
||||
type filter hook input priority filter; policy drop;
|
||||
|
||||
iifname "lo" accept comment "allow loopback"
|
||||
|
||||
ct state invalid drop
|
||||
ct state established,related accept
|
||||
|
||||
ip protocol icmp accept
|
||||
ip6 nexthdr icmpv6 accept
|
||||
|
||||
# Allow SSH access.
|
||||
tcp dport 22 accept comment "allow ssh access"
|
||||
|
||||
# Allow DHCP server access.
|
||||
iifname { $if_net0_2_v4_nat, $if_net0_3_ci_runner } udp dport 67 accept comment "allow dhcp server access"
|
||||
}
|
||||
}
|
||||
|
||||
table ip v4nat {
|
||||
chain prerouting {
|
||||
type nat hook prerouting priority dstnat; policy accept;
|
||||
}
|
||||
|
||||
chain postrouting {
|
||||
type nat hook postrouting priority srcnat; policy accept;
|
||||
|
||||
oifname $if_net1_v4_wan masquerade
|
||||
}
|
||||
}
|
||||
|
||||
table inet forward {
|
||||
chain forward {
|
||||
type filter hook forward priority filter; policy drop;
|
||||
|
||||
ct state invalid drop
|
||||
ct state established,related accept
|
||||
|
||||
# Allow internet access.
|
||||
meta nfproto ipv6 iifname $lan_ifs oifname $if_net2_v6_wan accept comment "allow v6 internet access"
|
||||
meta nfproto ipv4 iifname $lan_ifs oifname $if_net1_v4_wan accept comment "allow v4 internet access"
|
||||
|
||||
# Allow access to exposed networks from internet.
|
||||
# meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access"
|
||||
meta nfproto ipv6 oifname $v6_exposed_ifs accept comment "allow v6 exposed network access"
|
||||
}
|
||||
}
|
||||
|
|
@ -1,6 +0,0 @@
|
|||
[Match]
|
||||
MACAddress=BC:24:11:54:11:15
|
||||
Type=ether
|
||||
|
||||
[Link]
|
||||
Name=net0
|
||||
|
|
@ -1,6 +0,0 @@
|
|||
[Match]
|
||||
MACAddress=BC:24:11:9A:FB:34
|
||||
Type=ether
|
||||
|
||||
[Link]
|
||||
Name=net1
|
||||
|
|
@ -1,6 +0,0 @@
|
|||
[Match]
|
||||
MACAddress=BC:24:11:AE:C7:04
|
||||
Type=ether
|
||||
|
||||
[Link]
|
||||
Name=net2
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
[NetDev]
|
||||
Name=net0.2
|
||||
Kind=vlan
|
||||
|
||||
[VLAN]
|
||||
Id=2
|
||||
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
[NetDev]
|
||||
Name=net0.3
|
||||
Kind=vlan
|
||||
|
||||
[VLAN]
|
||||
Id=3
|
||||
|
||||
|
|
@ -1,12 +0,0 @@
|
|||
[Match]
|
||||
Name=net0
|
||||
|
||||
[Link]
|
||||
RequiredForOnline=no
|
||||
|
||||
[Network]
|
||||
VLAN=net0.2
|
||||
VLAN=net0.3
|
||||
|
||||
LinkLocalAddressing=no
|
||||
|
||||
|
|
@ -1,14 +0,0 @@
|
|||
[Match]
|
||||
Name=net1
|
||||
|
||||
[Network]
|
||||
DNS=212.12.50.158
|
||||
IPForward=ipv4
|
||||
IPv6AcceptRA=no
|
||||
|
||||
[Address]
|
||||
Address=212.12.48.123/24
|
||||
|
||||
[Route]
|
||||
Gateway=212.12.48.55
|
||||
|
||||
|
|
@ -1,14 +0,0 @@
|
|||
[Match]
|
||||
Name=net2
|
||||
|
||||
[Network]
|
||||
#DNS=212.12.50.158
|
||||
IPForward=ipv6
|
||||
IPv6AcceptRA=no
|
||||
|
||||
[Address]
|
||||
Address=2a00:14b0:4200:3500::130:2/112
|
||||
|
||||
[Route]
|
||||
Gateway=2a00:14b0:4200:3500::130:1
|
||||
|
||||
|
|
@ -1,29 +0,0 @@
|
|||
[Match]
|
||||
Name=net0.2
|
||||
Type=vlan
|
||||
|
||||
[Link]
|
||||
RequiredForOnline=no
|
||||
|
||||
[Network]
|
||||
Description=v4-NAT
|
||||
|
||||
# Masquerading done in nftables (nftables.conf).
|
||||
IPv6SendRA=yes
|
||||
|
||||
DHCPServer=true
|
||||
|
||||
[DHCPServer]
|
||||
PoolOffset=100
|
||||
PoolSize=150
|
||||
|
||||
[Address]
|
||||
Address=10.32.2.1/24
|
||||
|
||||
[IPv6SendRA]
|
||||
UplinkInterface=net2
|
||||
|
||||
[IPv6Prefix]
|
||||
Prefix=2a00:14b0:42:102::/64
|
||||
Assign=true
|
||||
Token=static:::1
|
||||
|
|
@ -1,29 +0,0 @@
|
|||
[Match]
|
||||
Name=net0.3
|
||||
Type=vlan
|
||||
|
||||
[Link]
|
||||
RequiredForOnline=no
|
||||
|
||||
[Network]
|
||||
Description=ci-runners
|
||||
|
||||
# Masquerading done in nftables (nftables.conf).
|
||||
IPv6SendRA=yes
|
||||
|
||||
DHCPServer=true
|
||||
|
||||
[DHCPServer]
|
||||
PoolOffset=100
|
||||
PoolSize=150
|
||||
|
||||
[Address]
|
||||
Address=10.32.3.1/24
|
||||
|
||||
[IPv6SendRA]
|
||||
UplinkInterface=net2
|
||||
|
||||
[IPv6Prefix]
|
||||
Prefix=2a00:14b0:42:103::/64
|
||||
Assign=true
|
||||
Token=static:::1
|
||||
|
|
@ -3,12 +3,11 @@
|
|||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
listen [::]:8443 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
# First set our proxy protocol proxy as trusted.
|
||||
set_real_ip_from 2a00:14b0:4200:3000:125::1;
|
||||
set_real_ip_from 172.31.17.140;
|
||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||
# header.
|
||||
real_ip_header proxy_protocol;
|
||||
|
|
|
|||
|
|
@ -3,12 +3,11 @@
|
|||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
listen [::]:8443 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
# First set our proxy protocol proxy as trusted.
|
||||
set_real_ip_from 2a00:14b0:4200:3000:125::1;
|
||||
set_real_ip_from 172.31.17.140;
|
||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||
# header.
|
||||
real_ip_header proxy_protocol;
|
||||
|
|
|
|||
|
|
@ -3,7 +3,6 @@
|
|||
- name: ensure apt dependencies are installed
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- python3-pip
|
||||
- virtualenv
|
||||
- git
|
||||
state: present
|
||||
|
|
|
|||
|
|
@ -1,13 +0,0 @@
|
|||
# Ensure the ssh module is disabled, so a cloud-init config change doesn't regenerate the host keys for no reason.
|
||||
- name: check if cloud-init config file exists
|
||||
ansible.builtin.stat:
|
||||
path: /etc/cloud/cloud.cfg
|
||||
register: base_config__stat_cloud_cfg
|
||||
|
||||
- name: ensure the cloud-init ssh module is disabled
|
||||
ansible.builtin.replace:
|
||||
path: /etc/cloud/cloud.cfg
|
||||
regexp: " - ssh$"
|
||||
replace: " #- ssh"
|
||||
become: true
|
||||
when: base_config__stat_cloud_cfg.stat.exists
|
||||
|
|
@ -7,4 +7,3 @@ dependencies:
|
|||
major_versions:
|
||||
- 11
|
||||
- 12
|
||||
- 13
|
||||
|
|
|
|||
|
|
@ -7,4 +7,3 @@ dependencies:
|
|||
major_versions:
|
||||
- 11
|
||||
- 12
|
||||
- 13
|
||||
|
|
|
|||
|
|
@ -7,4 +7,3 @@ dependencies:
|
|||
major_versions:
|
||||
- 11
|
||||
- 12
|
||||
- 13
|
||||
|
|
|
|||
|
|
@ -4,7 +4,6 @@
|
|||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
listen [::]:8443 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
|
|
|
|||
|
|
@ -1,11 +0,0 @@
|
|||
# Role `nftables`
|
||||
|
||||
Deploys nftables.
|
||||
|
||||
## Support Distributions
|
||||
|
||||
Should work on Debian-based distributions.
|
||||
|
||||
## Required Arguments
|
||||
|
||||
- `nftables__config`: nftables configuration to deploy.
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
- name: Restart nftables service
|
||||
ansible.builtin.systemd_service:
|
||||
name: nftables
|
||||
state: restarted
|
||||
become: true
|
||||
|
|
@ -1,6 +0,0 @@
|
|||
argument_specs:
|
||||
main:
|
||||
options:
|
||||
nftables__config:
|
||||
type: str
|
||||
required: true
|
||||
|
|
@ -1,15 +0,0 @@
|
|||
- name: ensure nftables is installed
|
||||
ansible.builtin.apt:
|
||||
name: nftables
|
||||
state: present
|
||||
become: true
|
||||
|
||||
- name: deploy nftables configuration
|
||||
ansible.builtin.copy:
|
||||
content: "{{ nftables__config }}"
|
||||
dest: "/etc/nftables.conf"
|
||||
mode: "0644"
|
||||
owner: root
|
||||
group: root
|
||||
become: true
|
||||
notify: Restart nftables service
|
||||
|
|
@ -7,4 +7,3 @@ dependencies:
|
|||
major_versions:
|
||||
- "11"
|
||||
- "12"
|
||||
- "13"
|
||||
|
|
|
|||
|
|
@ -7,4 +7,3 @@ dependencies:
|
|||
major_versions:
|
||||
- "11"
|
||||
- "12"
|
||||
- "13"
|
||||
|
|
|
|||
|
|
@ -1,11 +0,0 @@
|
|||
# Role `systemd_networkd`
|
||||
|
||||
Deploys the given systemd-networkd configuration files.
|
||||
|
||||
## Support Distributions
|
||||
|
||||
Should work on Debian-based distributions.
|
||||
|
||||
## Required Arguments
|
||||
|
||||
- `systemd_networkd__config_dir`: Directory with systemd-networkd configs to deploy.
|
||||
|
|
@ -1,6 +0,0 @@
|
|||
argument_specs:
|
||||
main:
|
||||
options:
|
||||
systemd_networkd__config_dir:
|
||||
type: path
|
||||
required: true
|
||||
|
|
@ -1,14 +0,0 @@
|
|||
- name: ensure rsync is installed
|
||||
ansible.builtin.apt:
|
||||
name: rsync
|
||||
state: present
|
||||
become: true
|
||||
|
||||
- name: synchronize systemd-networkd configs
|
||||
ansible.posix.synchronize:
|
||||
src: "{{ systemd_networkd__config_dir }}"
|
||||
dest: "/etc/systemd/network"
|
||||
archive: false
|
||||
recursive: true
|
||||
delete: true
|
||||
become: true
|
||||
Loading…
Add table
Add a link
Reference in a new issue