1 commit
main
...
router-kil
| Author | SHA1 | Date | |
|---|---|---|---|
|
212913fcc2 |
21 changed files with 119 additions and 64 deletions
|
|
@ -7,5 +7,5 @@ nextcloud__data_dir: /data/nextcloud
|
|||
nextcloud__extra_configuration: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/cloud/nextcloud/extra_configuration.config.php.j2') }}"
|
||||
nextcloud__use_custom_new_user_skeleton: true
|
||||
nextcloud__custom_new_user_skeleton_directory: "resources/chaosknoten/cloud/nextcloud/new_user_skeleton_directory/"
|
||||
nextcloud__proxy_protocol_reverse_proxy_ip: "2a00:14b0:4200:3000:125::1"
|
||||
nextcloud__proxy_protocol_reverse_proxy_ip: 172.31.17.140
|
||||
nextcloud__certbot_acme_account_email_address: le-admin@hamburg.ccc.de
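Review bot: `nextcloud__proxy_protocol_reverse_proxy_ip: 172.31.17.140` now trusts only the proxy's IPv4 address, while the stream map in this commit forwards `cloud.hamburg.ccc.de` to the hostname `cloud-intern.hamburg.ccc.de:8443` rather than a literal; should that name ever resolve to an AAAA record, the proxy would connect from an address that is no longer trusted and every request would presumably be attributed to the proxy itself, which defeats per-client rate limiting and IP-based brute-force protection on the Nextcloud side. Either pin the stream upstream to `172.31.17.143:8443`, as the ACME-challenge map in this commit already does for this name, or keep the v6 address in the trusted list next to the v4 one. A one-line comment here naming what this value must stay in sync with (the `set_real_ip_from` lines in the nginx templates) would help the next person who moves the proxy.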
|
||||
|
|
|
|||
|
|
@ -7,13 +7,13 @@ all:
|
|||
chaosknoten:
|
||||
ansible_host: chaosknoten.hamburg.ccc.de
|
||||
cloud:
|
||||
ansible_host: cloud.hosts.hamburg.ccc.de
|
||||
ansible_host: cloud-intern.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
|
||||
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
|
||||
eh22-wiki:
|
||||
ansible_host: eh22-wiki.hosts.hamburg.ccc.de
|
||||
ansible_host: eh22-wiki-intern.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
|
||||
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
|
||||
grafana:
|
||||
ansible_host: grafana-intern.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
|
|
@ -23,9 +23,9 @@ all:
|
|||
ansible_user: chaos
|
||||
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
|
||||
keycloak:
|
||||
ansible_host: keycloak.hosts.hamburg.ccc.de
|
||||
ansible_host: keycloak-intern.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
|
||||
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
|
||||
lists:
|
||||
ansible_host: lists.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
|
|
@ -37,13 +37,13 @@ all:
|
|||
ansible_user: chaos
|
||||
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
|
||||
onlyoffice:
|
||||
ansible_host: onlyoffice.hosts.hamburg.ccc.de
|
||||
ansible_host: onlyoffice-intern.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
|
||||
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
|
||||
pad:
|
||||
ansible_host: pad.hosts.hamburg.ccc.de
|
||||
ansible_host: pad-intern.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
|
||||
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
|
||||
pretalx:
|
||||
ansible_host: pretalx-intern.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
|
|
@ -55,9 +55,9 @@ all:
|
|||
ansible_host: router.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
wiki:
|
||||
ansible_host: wiki.hosts.hamburg.ccc.de
|
||||
ansible_host: wiki-intern.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
|
||||
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
|
||||
zammad:
|
||||
ansible_host: zammad-intern.hamburg.ccc.de
|
||||
ansible_user: chaos
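Review bot: Every internal host's `ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de` now routes admin SSH through the internet-facing reverse proxy instead of the router, so the box that already fronts all public traffic (SNI-based forwarding in the stream config of this commit) also sits on the path of every management session; if that is the accepted trade-off, a comment above the first such host explaining why the router was dropped as jump host would save the next reader the question. The same jump-host line is repeated per host in each hunk, which is a candidate for a single `vars:` entry on the group of `-intern` hosts so a later bastion change is one edit. The `all:` tree continues outside the hunks.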
|
||||
|
|
|
|||
|
|
@ -3,12 +3,11 @@
|
|||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
listen [::]:8443 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
# First set our proxy protocol proxy as trusted.
|
||||
set_real_ip_from 2a00:14b0:4200:3000:125::1;
|
||||
set_real_ip_from 172.31.17.140;
|
||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||
# header.
|
||||
real_ip_header proxy_protocol;
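Review bot: `set_real_ip_from 172.31.17.140;` is a literal copied into this template and into the same realip block of the other nginx templates in this commit (and mirrored by the Nextcloud host var), so the next proxy move again has to find every copy, and any copy missed keeps honoring PROXY headers from an address that may later be reassigned. Rendering it from one inventory variable, e.g. `set_real_ip_from {{ REVERSE_PROXY_IP_VAR }};` with the real name chosen in group_vars, keeps the trust list in one place. Independently of that, nginx accepts a PROXY header from the trusted address on whatever reaches 8443, so the listener must stay reachable only from the proxy; that is enforced outside this file, and a comment such as `# 8443 must only be reachable from the reverse proxy: the PROXY header from it is trusted without authentication.` would record the assumption. The server block continues outside the hunk.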
|
||||
|
|
|
|||
|
|
@ -4,12 +4,11 @@
|
|||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
listen [::]:8443 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
# First set our proxy protocol proxy as trusted.
|
||||
set_real_ip_from 2a00:14b0:4200:3000:125::1;
|
||||
set_real_ip_from 172.31.17.140;
|
||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||
# header.
|
||||
real_ip_header proxy_protocol;
|
||||
|
|
|
|||
|
|
@ -4,12 +4,11 @@
|
|||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
listen [::]:8443 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
# First set our proxy protocol proxy as trusted.
|
||||
set_real_ip_from 2a00:14b0:4200:3000:125::1;
|
||||
set_real_ip_from 172.31.17.140;
|
||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||
# header.
|
||||
real_ip_header proxy_protocol;
|
||||
|
|
|
|||
|
|
@ -7,13 +7,12 @@ server {
|
|||
##listen [::]:443 ssl http2;
|
||||
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
listen [::]:8443 ssl http2 proxy_protocol;
|
||||
listen 8444 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
# First set our proxy protocol proxy as trusted.
|
||||
set_real_ip_from 2a00:14b0:4200:3000:125::1;
|
||||
set_real_ip_from 172.31.17.140;
|
||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||
# header.
|
||||
real_ip_header proxy_protocol;
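Review bot: The new `listen 8444 ssl http2 proxy_protocol;` has no `listen [::]:8444 ssl http2 proxy_protocol;` counterpart, unlike the 8443 pair directly above it; either add one for symmetry or, since the stream proxy connects to `172.31.17.144:8444` over IPv4, document that 8444 is v4-only on purpose. The stream map routes only `keycloak-admin.hamburg.ccc.de` to 8444 while `id.` and `invite.` go to 8443, which looks like the start of separating the admin console from the public identity endpoints; as far as the hunk shows, both ports land in the same `server {` block, so any such separation (a `server_name` and access restriction for the admin host) would still need its own block. The server block continues outside the hunk.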
|
||||
|
|
|
|||
|
|
@ -3,13 +3,11 @@
|
|||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
listen [::]:8443 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
# First set our proxy protocol proxy as trusted.
|
||||
set_real_ip_from 2a00:14b0:4200:3000:125::1;
|
||||
|
||||
set_real_ip_from 172.31.17.140;
|
||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||
# header.
|
||||
real_ip_header proxy_protocol;
|
||||
|
|
|
|||
|
|
@ -3,12 +3,11 @@
|
|||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
listen [::]:8443 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
# First set our proxy protocol proxy as trusted.
|
||||
set_real_ip_from 2a00:14b0:4200:3000:125::1;
|
||||
set_real_ip_from 172.31.17.140;
|
||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||
# header.
|
||||
real_ip_header proxy_protocol;
|
||||
|
|
|
|||
|
|
@ -6,27 +6,27 @@ map $host $upstream_acme_challenge_host {
|
|||
staging.c3cat.de 172.31.17.151:31820;
|
||||
ccchoir.de ccchoir-intern.hamburg.ccc.de:31820;
|
||||
www.ccchoir.de ccchoir-intern.hamburg.ccc.de:31820;
|
||||
cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:31820;
|
||||
cloud.hamburg.ccc.de 172.31.17.143:31820;
|
||||
element.hamburg.ccc.de 172.31.17.151:31820;
|
||||
git.hamburg.ccc.de 172.31.17.154:31820;
|
||||
grafana.hamburg.ccc.de 172.31.17.145:31820;
|
||||
hackertours.hamburg.ccc.de 172.31.17.151:31820;
|
||||
staging.hackertours.hamburg.ccc.de 172.31.17.151:31820;
|
||||
hamburg.ccc.de 172.31.17.151:31820;
|
||||
id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820;
|
||||
invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820;
|
||||
keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820;
|
||||
id.hamburg.ccc.de 172.31.17.144:31820;
|
||||
invite.hamburg.ccc.de 172.31.17.144:31820;
|
||||
keycloak-admin.hamburg.ccc.de 172.31.17.144:31820;
|
||||
matrix.hamburg.ccc.de 172.31.17.150:31820;
|
||||
mas.hamburg.ccc.de 172.31.17.150:31820;
|
||||
element-admin.hamburg.ccc.de 172.31.17.151:31820;
|
||||
netbox.hamburg.ccc.de 172.31.17.167:31820;
|
||||
onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:31820;
|
||||
pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:31820;
|
||||
onlyoffice.hamburg.ccc.de 172.31.17.147:31820;
|
||||
pad.hamburg.ccc.de 172.31.17.141:31820;
|
||||
pretalx.hamburg.ccc.de 172.31.17.157:31820;
|
||||
spaceapi.hamburg.ccc.de 172.31.17.151:31820;
|
||||
staging.hamburg.ccc.de 172.31.17.151:31820;
|
||||
wiki.ccchh.net wiki.hosts.hamburg.ccc.de:31820;
|
||||
wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:31820;
|
||||
wiki.ccchh.net 172.31.17.146:31820;
|
||||
wiki.hamburg.ccc.de 172.31.17.146:31820;
|
||||
www.hamburg.ccc.de 172.31.17.151:31820;
|
||||
tickets.hamburg.ccc.de 172.31.17.148:31820;
|
||||
sunders.hamburg.ccc.de 172.31.17.170:31820;
|
||||
|
|
@ -38,7 +38,7 @@ map $host $upstream_acme_challenge_host {
|
|||
eh11.easterhegg.eu 172.31.17.151:31820;
|
||||
eh20.easterhegg.eu 172.31.17.151:31820;
|
||||
www.eh20.easterhegg.eu 172.31.17.151:31820;
|
||||
eh22.easterhegg.eu eh22-wiki.hosts.hamburg.ccc.de:31820;
|
||||
eh22.easterhegg.eu 172.31.17.165:31820;
|
||||
easterheggxxxx.hamburg.ccc.de 172.31.17.151:31820;
|
||||
eh2003.hamburg.ccc.de 172.31.17.151:31820;
|
||||
www.eh2003.hamburg.ccc.de 172.31.17.151:31820;
|
||||
|
|
|
|||
|
|
@ -20,16 +20,16 @@ stream {
|
|||
map $ssl_preread_server_name $address {
|
||||
ccchoir.de ccchoir-intern.hamburg.ccc.de:8443;
|
||||
www.ccchoir.de ccchoir-intern.hamburg.ccc.de:8443;
|
||||
cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:8443;
|
||||
pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:8443;
|
||||
cloud.hamburg.ccc.de cloud-intern.hamburg.ccc.de:8443;
|
||||
pad.hamburg.ccc.de pad-intern.hamburg.ccc.de:8443;
|
||||
pretalx.hamburg.ccc.de pretalx-intern.hamburg.ccc.de:8443;
|
||||
id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
|
||||
invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
|
||||
keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
|
||||
id.hamburg.ccc.de 172.31.17.144:8443;
|
||||
invite.hamburg.ccc.de 172.31.17.144:8443;
|
||||
keycloak-admin.hamburg.ccc.de 172.31.17.144:8444;
|
||||
grafana.hamburg.ccc.de 172.31.17.145:8443;
|
||||
wiki.ccchh.net wiki.hosts.hamburg.ccc.de:8443;
|
||||
wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:8443;
|
||||
onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:8443;
|
||||
wiki.ccchh.net 172.31.17.146:8443;
|
||||
wiki.hamburg.ccc.de 172.31.17.146:8443;
|
||||
onlyoffice.hamburg.ccc.de 172.31.17.147:8443;
|
||||
hackertours.hamburg.ccc.de 172.31.17.151:8443;
|
||||
staging.hackertours.hamburg.ccc.de 172.31.17.151:8443;
|
||||
netbox.hamburg.ccc.de 172.31.17.167:8443;
|
||||
|
|
@ -56,7 +56,7 @@ stream {
|
|||
eh11.easterhegg.eu 172.31.17.151:8443;
|
||||
eh20.easterhegg.eu 172.31.17.151:8443;
|
||||
www.eh20.easterhegg.eu 172.31.17.151:8443;
|
||||
eh22.easterhegg.eu eh22-wiki.hosts.hamburg.ccc.de:8443;
|
||||
eh22.easterhegg.eu 172.31.17.165:8443;
|
||||
easterheggxxxx.hamburg.ccc.de 172.31.17.151:8443;
|
||||
eh2003.hamburg.ccc.de 172.31.17.151:8443;
|
||||
www.eh2003.hamburg.ccc.de 172.31.17.151:8443;
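Review bot: The `$ssl_preread_server_name` map now sends `cloud.hamburg.ccc.de`, `pad.hamburg.ccc.de` and, as rendered, `pretalx.hamburg.ccc.de` to `*-intern.hamburg.ccc.de` hostnames, while every other entry and the ACME-challenge map for the same names in this commit use a literal 172.31.17.x address; the TLS path and the HTTP-01 path for one name can therefore drift apart silently if the `-intern` record changes, and hostname upstreams also depend on the proxy's resolver at reload time. Pick one form for both maps, e.g. `cloud.hamburg.ccc.de 172.31.17.143:8443;` to match the ACME map, or a hostname in both. The `map` block continues outside the hunk.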
|
||||
|
|
|
|||
|
|
@ -7,14 +7,20 @@ define if_net1_v4_wan = "net1"
|
|||
define if_net2_v6_wan = "net2"
|
||||
define if_net0_2_v4_nat = "net0.2"
|
||||
define if_net0_3_ci_runner = "net0.3"
|
||||
define if_net0_4_v4_nat_legacy = "net0.4"
|
||||
define if_net0_5_public = "net0.5"
|
||||
|
||||
# Interface Groups
|
||||
define wan_ifs = { $if_net1_v4_wan,
|
||||
$if_net2_v6_wan }
|
||||
define lan_ifs = { $if_net0_2_v4_nat,
|
||||
$if_net0_3_ci_runner }
|
||||
# define v4_exposed_ifs = { }
|
||||
define v6_exposed_ifs = { $if_net0_2_v4_nat }
|
||||
$if_net0_3_ci_runner,
|
||||
$if_net0_4_v4_nat_legacy,
|
||||
$if_net0_5_public }
|
||||
define v4_exposed_ifs = { $if_net0_5_public }
|
||||
define v6_exposed_ifs = { $if_net0_2_v4_nat,
|
||||
$if_net0_4_v4_nat_legacy,
|
||||
$if_net0_5_public }
|
||||
|
||||
|
||||
## Rules
|
||||
|
|
@ -69,11 +75,10 @@ table inet forward {
|
|||
ct state established,related accept
|
||||
|
||||
# Allow internet access.
|
||||
meta nfproto ipv6 iifname $lan_ifs oifname $if_net2_v6_wan accept comment "allow v6 internet access"
|
||||
meta nfproto ipv4 iifname $lan_ifs oifname $if_net1_v4_wan accept comment "allow v4 internet access"
|
||||
iifname $lan_ifs oifname $wan_ifs accept comment "allow internet access"
|
||||
|
||||
# Allow access to exposed networks from internet.
|
||||
# meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access"
|
||||
meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access"
|
||||
meta nfproto ipv6 oifname $v6_exposed_ifs accept comment "allow v6 exposed network access"
|
||||
}
|
||||
}
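Review bot: `meta nfproto ipv6 oifname $v6_exposed_ifs accept` (and the re-enabled v4 line above it) match on the output interface only, yet the comment says "from internet"; with `$v6_exposed_ifs` now covering net0.2, net0.4 and net0.5, any VLAN in `$lan_ifs`, including the CI-runner VLAN net0.3, is forwarded into those networks over IPv6 without passing any other policy. If inter-VLAN reachability is intended, the comment should say so; otherwise `iifname $wan_ifs oifname $v6_exposed_ifs accept comment "allow v6 exposed network access"` (and the same form for v4) restricts the rule to what the comment describes. The `forward` chain's policy and the nat table are outside the hunk, so net0.5, which is now in both `$lan_ifs` and `$v4_exposed_ifs`, should be checked against any postrouting masquerade keyed on `$lan_ifs` so its public addresses are not rewritten.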
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
[Match]
|
||||
MACAddress=BC:24:11:9A:FB:34
|
||||
# Stolen from turing to make 212.12.48.122 work.
|
||||
MACAddress=0E:A4:E3:97:16:92
|
||||
Type=ether
|
||||
|
||||
[Link]
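Review bot: The comment `# Stolen from turing to make 212.12.48.122 work.` explains the MAC, but the net1.network hunk in this commit shows `Address=212.12.48.123/24` as the newer of the two address lines, so either the comment is already stale or the MAC takeover is no longer needed for the address actually configured. A MAC carried over from another machine also assumes that machine stays off this segment, which is worth stating where the dependency lives, e.g. `# MAC taken over from turing (turing must stay detached from this segment) so the upstream's MAC-bound v4 assignment keeps working; address is set in net1.network.` The upstream's MAC binding is inferred from the comment, not visible here.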
|
||||
|
|
|
|||
|
|
@ -0,0 +1,6 @@
|
|||
[NetDev]
|
||||
Name=net0.4
|
||||
Kind=vlan
|
||||
|
||||
[VLAN]
|
||||
Id=4
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
[NetDev]
|
||||
Name=net0.5
|
||||
Kind=vlan
|
||||
|
||||
[VLAN]
|
||||
Id=5
|
||||
|
|
@ -7,6 +7,7 @@ RequiredForOnline=no
|
|||
[Network]
|
||||
VLAN=net0.2
|
||||
VLAN=net0.3
|
||||
VLAN=net0.4
|
||||
VLAN=net0.5
|
||||
|
||||
LinkLocalAddressing=no
|
||||
|
||||
|
|
|
|||
|
|
@ -5,10 +5,11 @@ Name=net1
|
|||
DNS=212.12.50.158
|
||||
IPForward=ipv4
|
||||
IPv6AcceptRA=no
|
||||
|
||||
[Address]
|
||||
# v4 taken from turing for routing public v4 range and turing-compat for v4-NAT-legacy network.
|
||||
# Also just the v4 for other purposes as well.
|
||||
Address=212.12.48.122/24
|
||||
Address=212.12.48.123/24
|
||||
|
||||
[Route]
|
||||
# v6 for turing-compat for v4-NAT-legacy network routed v6.
|
||||
Address=2a00:14b0:4200:3000:122::1
|
||||
Gateway=212.12.48.55
|
||||
|
||||
Gateway=2a00:14b0:4200:3000::1
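Review bot: As rendered, `Address=2a00:14b0:4200:3000:122::1` sits under `[Route]`, where systemd-networkd has no `Address=` key and will only log and ignore it, so the v6 address the comment describes would never be configured; if the display order matches the file, that line needs its own `[Address]` section and the `[Route]` part keeps only `Gateway=`. The rendering also does not mark which of `Address=212.12.48.122/24` and `Address=212.12.48.123/24` is the new side, and the link file's MAC comment still names `.122`, so whichever is current should be the one that comment refers to. If `Gateway=212.12.48.55` and `Gateway=2a00:14b0:4200:3000::1` are meant as two routes, each should sit under its own `[Route]` header rather than sharing one section.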
|
||||
|
|
|
|||
|
|
@ -0,0 +1,23 @@
|
|||
[Match]
|
||||
Name=net0.4
|
||||
Type=vlan
|
||||
|
||||
[Link]
|
||||
RequiredForOnline=no
|
||||
|
||||
[Network]
|
||||
Description=v4-NAT-legacy
|
||||
|
||||
# Masquerading done in nftables (nftables.conf).
|
||||
IPv6SendRA=yes
|
||||
|
||||
[Address]
|
||||
Address=172.31.17.129/25
|
||||
|
||||
[IPv6SendRA]
|
||||
UplinkInterface=net1
|
||||
|
||||
[IPv6Prefix]
|
||||
Prefix=2a00:14b0:f000:23::/64
|
||||
Assign=true
|
||||
Token=static:::1
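Review bot: `Description=v4-NAT-legacy` together with `IPv6SendRA=yes` and `Prefix=2a00:14b0:f000:23::/64` / `Assign=true` gives every host on this VLAN a globally routable v6 address, and the nftables hunk in this commit adds net0.4 to `$v6_exposed_ifs` with an accept keyed on output interface, so these hosts are reachable from the Internet over IPv6 while the name and the `# Masquerading done in nftables (nftables.conf).` comment suggest a NATed network. A line such as `# IPv6 is NOT NATed: this prefix is advertised and forwarded inbound (see v6_exposed_ifs in nftables.conf); hosts here need their own v6 host firewall.` would keep that from surprising whoever places a host on this VLAN. The v4 comment should say the same for the v4 side so the asymmetry is explicit.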
|
||||
|
|
@ -0,0 +1,22 @@
|
|||
[Match]
|
||||
Name=net0.5
|
||||
Type=vlan
|
||||
|
||||
[Link]
|
||||
RequiredForOnline=no
|
||||
|
||||
[Network]
|
||||
Description=public
|
||||
|
||||
IPv6SendRA=yes
|
||||
|
||||
[Address]
|
||||
Address=212.12.50.209/29
|
||||
|
||||
[IPv6SendRA]
|
||||
UplinkInterface=net2
|
||||
|
||||
[IPv6Prefix]
|
||||
Prefix=2a00:14b0:42:105::/64
|
||||
Assign=true
|
||||
Token=static:::1
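Review bot: `Address=212.12.50.209/29` on the `public` VLAN means net0.5 carries real public v4 addresses, yet the nftables hunk in this commit lists `$if_net0_5_public` in `$lan_ifs`, the set used for the `allow internet access` forward rule; if the nat table (outside that hunk) masquerades by `$lan_ifs`, traffic from this /29 would be rewritten to the WAN address and the public assignment is wasted. A comment here recording the expectation, e.g. `# Public v4 /29: must be excluded from masquerading in nftables.conf.`, ties the two files together. Unlike net0.4 (`UplinkInterface=net1`), this VLAN's RA uplink is `net2`, matching the v6 WAN definition in nftables; a short note on why the two VLANs use different uplinks would save a future reader the cross-check.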
|
||||
|
|
@ -3,12 +3,11 @@
|
|||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
listen [::]:8443 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
# First set our proxy protocol proxy as trusted.
|
||||
set_real_ip_from 2a00:14b0:4200:3000:125::1;
|
||||
set_real_ip_from 172.31.17.140;
|
||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||
# header.
|
||||
real_ip_header proxy_protocol;
|
||||
|
|
@ -22,6 +21,6 @@ server {
|
|||
|
||||
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
|
||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||
|
||||
|
||||
return 302 https://wiki.hamburg.ccc.de$request_uri;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -3,12 +3,11 @@
|
|||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
listen [::]:8443 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
# First set our proxy protocol proxy as trusted.
|
||||
set_real_ip_from 2a00:14b0:4200:3000:125::1;
|
||||
set_real_ip_from 172.31.17.140;
|
||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||
# header.
|
||||
real_ip_header proxy_protocol;
|
||||
|
|
|
|||
|
|
@ -4,7 +4,6 @@
|
|||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
listen [::]:8443 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
|
|
|
|||