Compare commits
1 commit
main
...
router-kil
| Author | SHA1 | Date | |
|---|---|---|---|
|
212913fcc2 |
40 changed files with 176 additions and 159 deletions
|
|
@ -7,5 +7,5 @@ nextcloud__data_dir: /data/nextcloud
|
|||
nextcloud__extra_configuration: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/cloud/nextcloud/extra_configuration.config.php.j2') }}"
|
||||
nextcloud__use_custom_new_user_skeleton: true
|
||||
nextcloud__custom_new_user_skeleton_directory: "resources/chaosknoten/cloud/nextcloud/new_user_skeleton_directory/"
|
||||
nextcloud__proxy_protocol_reverse_proxy_ip: "2a00:14b0:4200:3000:125::1"
|
||||
nextcloud__proxy_protocol_reverse_proxy_ip: 172.31.17.140
|
||||
nextcloud__certbot_acme_account_email_address: le-admin@hamburg.ccc.de
|
||||
|
|
|
|||
|
|
@ -1,31 +1,31 @@
|
|||
all:
|
||||
hosts:
|
||||
ccchoir:
|
||||
ansible_host: ccchoir.hosts.hamburg.ccc.de
|
||||
ansible_host: ccchoir-intern.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
|
||||
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
|
||||
chaosknoten:
|
||||
ansible_host: chaosknoten.hamburg.ccc.de
|
||||
cloud:
|
||||
ansible_host: cloud.hosts.hamburg.ccc.de
|
||||
ansible_host: cloud-intern.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
|
||||
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
|
||||
eh22-wiki:
|
||||
ansible_host: eh22-wiki.hosts.hamburg.ccc.de
|
||||
ansible_host: eh22-wiki-intern.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
|
||||
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
|
||||
grafana:
|
||||
ansible_host: grafana.hosts.hamburg.ccc.de
|
||||
ansible_host: grafana-intern.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
|
||||
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
|
||||
tickets:
|
||||
ansible_host: tickets.hosts.hamburg.ccc.de
|
||||
ansible_host: tickets-intern.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
|
||||
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
|
||||
keycloak:
|
||||
ansible_host: keycloak.hosts.hamburg.ccc.de
|
||||
ansible_host: keycloak-intern.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
|
||||
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
|
||||
lists:
|
||||
ansible_host: lists.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
|
|
@ -33,21 +33,21 @@ all:
|
|||
ansible_host: mumble.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
netbox:
|
||||
ansible_host: netbox.hosts.hamburg.ccc.de
|
||||
ansible_host: netbox-intern.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
|
||||
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
|
||||
onlyoffice:
|
||||
ansible_host: onlyoffice.hosts.hamburg.ccc.de
|
||||
ansible_host: onlyoffice-intern.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
|
||||
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
|
||||
pad:
|
||||
ansible_host: pad.hosts.hamburg.ccc.de
|
||||
ansible_host: pad-intern.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
|
||||
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
|
||||
pretalx:
|
||||
ansible_host: pretalx.hosts.hamburg.ccc.de
|
||||
ansible_host: pretalx-intern.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
|
||||
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
|
||||
public-reverse-proxy:
|
||||
ansible_host: public-reverse-proxy.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
|
|
@ -55,25 +55,25 @@ all:
|
|||
ansible_host: router.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
wiki:
|
||||
ansible_host: wiki.hosts.hamburg.ccc.de
|
||||
ansible_host: wiki-intern.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
|
||||
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
|
||||
zammad:
|
||||
ansible_host: zammad.hosts.hamburg.ccc.de
|
||||
ansible_host: zammad-intern.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
|
||||
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
|
||||
ntfy:
|
||||
ansible_host: ntfy.hosts.hamburg.ccc.de
|
||||
ansible_host: ntfy-intern.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
|
||||
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
|
||||
sunders:
|
||||
ansible_host: sunders.hosts.hamburg.ccc.de
|
||||
ansible_host: sunders-intern.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
|
||||
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
|
||||
renovate:
|
||||
ansible_host: renovate.hosts.hamburg.ccc.de
|
||||
ansible_host: renovate-intern.hamburg.ccc.de
|
||||
ansible_user: chaos
|
||||
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
|
||||
ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
|
||||
hypervisors:
|
||||
hosts:
|
||||
chaosknoten:
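Review bot: `ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de` is pasted into every `*-intern` host across all three hunks of this inventory; one `vars:` block on the group that holds these hosts would make the bastion a single line to change and remove the chance of one host silently keeping `router.hamburg.ccc.de` after the router is gone. A short comment above that block should also say that the internet-facing reverse proxy (presumably what `public-reverse-proxy` is) is now the SSH bastion for the whole internal fleet, so its SSH host key and exposure are what every management session depends on, and operators who pin `known_hosts` need the new key before the old jump host is retired. The `all.hosts` mapping starts before the first hunk and continues past the last one.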
|
||||
|
|
|
|||
|
|
@ -2,12 +2,12 @@
|
|||
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
|
||||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen [::]:8443 ssl http2 proxy_protocol;
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
# First set our proxy protocol proxy as trusted.
|
||||
set_real_ip_from 2a00:14b0:4200:3000:125::1;
|
||||
set_real_ip_from 172.31.17.140;
|
||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||
# header.
|
||||
real_ip_header proxy_protocol;
|
||||
|
|
@ -43,12 +43,12 @@ server {
|
|||
|
||||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen [::]:8443 ssl http2 proxy_protocol;
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
# First set our proxy protocol proxy as trusted.
|
||||
set_real_ip_from 2a00:14b0:4200:3000:125::1;
|
||||
set_real_ip_from 172.31.17.140;
|
||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||
# header.
|
||||
real_ip_header proxy_protocol;
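Review bot: `set_real_ip_from 172.31.17.140;` now names only a v4 address while both `server` blocks keep `listen [::]:8443 ssl http2 proxy_protocol;`; if the reverse proxy ever reaches this backend over IPv6 (for instance because the `*-intern` names used in the stream map resolve to AAAA records), the PROXY header is no longer trusted and `$remote_addr` silently becomes the proxy's own address, which breaks client-IP logging and any `allow`/`deny` or `limit_req` keyed on it. Either add the proxy's IPv6 address as a second `set_real_ip_from` line, or drop the `[::]` listener so the backend is v4-only by construction, and say in the comment above which of the two is intended. The same swap is repeated in every other vhost file of this commit, so whichever form is chosen should be applied uniformly. The rest of each `server` block is outside the hunks.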
|
||||
|
|
|
|||
|
|
@ -3,12 +3,11 @@
|
|||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
listen [::]:8443 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
# First set our proxy protocol proxy as trusted.
|
||||
set_real_ip_from 2a00:14b0:4200:3000:125::1;
|
||||
set_real_ip_from 172.31.17.140;
|
||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||
# header.
|
||||
real_ip_header proxy_protocol;
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
|
||||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen [::]:8443 ssl proxy_protocol;
|
||||
listen 8443 ssl proxy_protocol;
|
||||
http2 on;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
|
|
|
|||
|
|
@ -17,6 +17,7 @@ server {
|
|||
server_name loki.hamburg.ccc.de;
|
||||
|
||||
listen [::]:50051 ssl;
|
||||
listen 172.31.17.145:50051 ssl;
|
||||
|
||||
http2 on;
|
||||
|
||||
|
|
@ -58,6 +59,7 @@ server {
|
|||
server_name loki.hamburg.ccc.de;
|
||||
|
||||
listen [::]:443 ssl;
|
||||
listen 172.31.17.145:443 ssl;
|
||||
|
||||
http2 on;
|
||||
|
||||
|
|
|
|||
|
|
@ -18,6 +18,7 @@ server {
|
|||
server_name metrics.hamburg.ccc.de;
|
||||
|
||||
listen [::]:443 ssl;
|
||||
listen 172.31.17.145:443 ssl;
|
||||
http2 on;
|
||||
|
||||
client_body_buffer_size 512k;
|
||||
|
|
|
|||
|
|
@ -4,12 +4,11 @@
|
|||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
listen [::]:8443 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
# First set our proxy protocol proxy as trusted.
|
||||
set_real_ip_from 2a00:14b0:4200:3000:125::1;
|
||||
set_real_ip_from 172.31.17.140;
|
||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||
# header.
|
||||
real_ip_header proxy_protocol;
|
||||
|
|
|
|||
|
|
@ -4,12 +4,11 @@
|
|||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
listen [::]:8443 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
# First set our proxy protocol proxy as trusted.
|
||||
set_real_ip_from 2a00:14b0:4200:3000:125::1;
|
||||
set_real_ip_from 172.31.17.140;
|
||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||
# header.
|
||||
real_ip_header proxy_protocol;
|
||||
|
|
|
|||
|
|
@ -7,13 +7,12 @@ server {
|
|||
##listen [::]:443 ssl http2;
|
||||
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
listen [::]:8443 ssl http2 proxy_protocol;
|
||||
listen 8444 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
# First set our proxy protocol proxy as trusted.
|
||||
set_real_ip_from 2a00:14b0:4200:3000:125::1;
|
||||
set_real_ip_from 172.31.17.140;
|
||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||
# header.
|
||||
real_ip_header proxy_protocol;
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
|
||||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen [::]:8443 ssl http2 proxy_protocol;
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
|
|
|
|||
|
|
@ -2,13 +2,13 @@
|
|||
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
|
||||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen [::]:8443 ssl proxy_protocol;
|
||||
listen 8443 ssl proxy_protocol;
|
||||
http2 on;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
# First set our proxy protocol proxy as trusted.
|
||||
set_real_ip_from 2a00:14b0:4200:3000:125::1;
|
||||
set_real_ip_from 172.31.17.140;
|
||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||
# header.
|
||||
real_ip_header proxy_protocol;
|
||||
|
|
|
|||
|
|
@ -3,13 +3,11 @@
|
|||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
listen [::]:8443 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
# First set our proxy protocol proxy as trusted.
|
||||
set_real_ip_from 2a00:14b0:4200:3000:125::1;
|
||||
|
||||
set_real_ip_from 172.31.17.140;
|
||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||
# header.
|
||||
real_ip_header proxy_protocol;
|
||||
|
|
|
|||
|
|
@ -3,12 +3,11 @@
|
|||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
listen [::]:8443 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
# First set our proxy protocol proxy as trusted.
|
||||
set_real_ip_from 2a00:14b0:4200:3000:125::1;
|
||||
set_real_ip_from 172.31.17.140;
|
||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||
# header.
|
||||
real_ip_header proxy_protocol;
|
||||
|
|
|
|||
|
|
@ -2,12 +2,12 @@
|
|||
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
|
||||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen [::]:8443 ssl http2 proxy_protocol;
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
# First set our proxy protocol proxy as trusted.
|
||||
set_real_ip_from 2a00:14b0:4200:3000:125::1;
|
||||
set_real_ip_from 172.31.17.140;
|
||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||
# header.
|
||||
real_ip_header proxy_protocol;
|
||||
|
|
|
|||
|
|
@ -2,12 +2,12 @@
|
|||
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
|
||||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen [::]:8443 ssl http2 proxy_protocol;
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
# First set our proxy protocol proxy as trusted.
|
||||
set_real_ip_from 2a00:14b0:4200:3000:125::1;
|
||||
set_real_ip_from 172.31.17.140;
|
||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||
# header.
|
||||
real_ip_header proxy_protocol;
|
||||
|
|
|
|||
|
|
@ -4,33 +4,33 @@ map $host $upstream_acme_challenge_host {
|
|||
c3cat.de 172.31.17.151:31820;
|
||||
www.c3cat.de 172.31.17.151:31820;
|
||||
staging.c3cat.de 172.31.17.151:31820;
|
||||
ccchoir.de ccchoir.hosts.hamburg.ccc.de:31820;
|
||||
www.ccchoir.de ccchoir.hosts.hamburg.ccc.de:31820;
|
||||
cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:31820;
|
||||
ccchoir.de ccchoir-intern.hamburg.ccc.de:31820;
|
||||
www.ccchoir.de ccchoir-intern.hamburg.ccc.de:31820;
|
||||
cloud.hamburg.ccc.de 172.31.17.143:31820;
|
||||
element.hamburg.ccc.de 172.31.17.151:31820;
|
||||
git.hamburg.ccc.de 172.31.17.154:31820;
|
||||
grafana.hamburg.ccc.de grafana.hosts.hamburg.ccc.de:31820;
|
||||
grafana.hamburg.ccc.de 172.31.17.145:31820;
|
||||
hackertours.hamburg.ccc.de 172.31.17.151:31820;
|
||||
staging.hackertours.hamburg.ccc.de 172.31.17.151:31820;
|
||||
hamburg.ccc.de 172.31.17.151:31820;
|
||||
id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820;
|
||||
invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820;
|
||||
keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820;
|
||||
id.hamburg.ccc.de 172.31.17.144:31820;
|
||||
invite.hamburg.ccc.de 172.31.17.144:31820;
|
||||
keycloak-admin.hamburg.ccc.de 172.31.17.144:31820;
|
||||
matrix.hamburg.ccc.de 172.31.17.150:31820;
|
||||
mas.hamburg.ccc.de 172.31.17.150:31820;
|
||||
element-admin.hamburg.ccc.de 172.31.17.151:31820;
|
||||
netbox.hamburg.ccc.de netbox.hosts.hamburg.ccc.de:31820;
|
||||
onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:31820;
|
||||
pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:31820;
|
||||
pretalx.hamburg.ccc.de pretalx.hosts.hamburg.ccc.de:31820;
|
||||
netbox.hamburg.ccc.de 172.31.17.167:31820;
|
||||
onlyoffice.hamburg.ccc.de 172.31.17.147:31820;
|
||||
pad.hamburg.ccc.de 172.31.17.141:31820;
|
||||
pretalx.hamburg.ccc.de 172.31.17.157:31820;
|
||||
spaceapi.hamburg.ccc.de 172.31.17.151:31820;
|
||||
staging.hamburg.ccc.de 172.31.17.151:31820;
|
||||
wiki.ccchh.net wiki.hosts.hamburg.ccc.de:31820;
|
||||
wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:31820;
|
||||
wiki.ccchh.net 172.31.17.146:31820;
|
||||
wiki.hamburg.ccc.de 172.31.17.146:31820;
|
||||
www.hamburg.ccc.de 172.31.17.151:31820;
|
||||
tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:31820;
|
||||
sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:31820;
|
||||
zammad.hamburg.ccc.de zammad.hosts.hamburg.ccc.de:31820;
|
||||
tickets.hamburg.ccc.de 172.31.17.148:31820;
|
||||
sunders.hamburg.ccc.de 172.31.17.170:31820;
|
||||
zammad.hamburg.ccc.de 172.31.17.152:31820;
|
||||
eh03.easterhegg.eu 172.31.17.151:31820;
|
||||
eh05.easterhegg.eu 172.31.17.151:31820;
|
||||
eh07.easterhegg.eu 172.31.17.151:31820;
|
||||
|
|
@ -38,7 +38,7 @@ map $host $upstream_acme_challenge_host {
|
|||
eh11.easterhegg.eu 172.31.17.151:31820;
|
||||
eh20.easterhegg.eu 172.31.17.151:31820;
|
||||
www.eh20.easterhegg.eu 172.31.17.151:31820;
|
||||
eh22.easterhegg.eu eh22-wiki.hosts.hamburg.ccc.de:31820;
|
||||
eh22.easterhegg.eu 172.31.17.165:31820;
|
||||
easterheggxxxx.hamburg.ccc.de 172.31.17.151:31820;
|
||||
eh2003.hamburg.ccc.de 172.31.17.151:31820;
|
||||
www.eh2003.hamburg.ccc.de 172.31.17.151:31820;
|
||||
|
|
@ -73,7 +73,7 @@ map $host $upstream_acme_challenge_host {
|
|||
design.hamburg.ccc.de 172.31.17.162:31820;
|
||||
hydra.hamburg.ccc.de 172.31.17.163:31820;
|
||||
cfp.eh22.easterhegg.eu 172.31.17.157:31820;
|
||||
ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:31820;
|
||||
ntfy.hamburg.ccc.de 172.31.17.149:31820;
|
||||
cryptoparty-hamburg.de 172.31.17.151:31820;
|
||||
cryptoparty.hamburg.ccc.de 172.31.17.151:31820;
|
||||
staging.cryptoparty-hamburg.de 172.31.17.151:31820;
|
||||
|
|
|
|||
|
|
@ -18,21 +18,21 @@ stream {
|
|||
resolver 212.12.50.158 192.76.134.90;
|
||||
|
||||
map $ssl_preread_server_name $address {
|
||||
ccchoir.de ccchoir.hosts.hamburg.ccc.de:8443;
|
||||
www.ccchoir.de ccchoir.hosts.hamburg.ccc.de:8443;
|
||||
cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:8443;
|
||||
pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:8443;
|
||||
pretalx.hamburg.ccc.de pretalx.hosts.hamburg.ccc.de:8443;
|
||||
id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
|
||||
invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
|
||||
keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
|
||||
grafana.hamburg.ccc.de grafana.hosts.hamburg.ccc.de:8443;
|
||||
wiki.ccchh.net wiki.hosts.hamburg.ccc.de:8443;
|
||||
wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:8443;
|
||||
onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:8443;
|
||||
ccchoir.de ccchoir-intern.hamburg.ccc.de:8443;
|
||||
www.ccchoir.de ccchoir-intern.hamburg.ccc.de:8443;
|
||||
cloud.hamburg.ccc.de cloud-intern.hamburg.ccc.de:8443;
|
||||
pad.hamburg.ccc.de pad-intern.hamburg.ccc.de:8443;
|
||||
pretalx.hamburg.ccc.de pretalx-intern.hamburg.ccc.de:8443;
|
||||
id.hamburg.ccc.de 172.31.17.144:8443;
|
||||
invite.hamburg.ccc.de 172.31.17.144:8443;
|
||||
keycloak-admin.hamburg.ccc.de 172.31.17.144:8444;
|
||||
grafana.hamburg.ccc.de 172.31.17.145:8443;
|
||||
wiki.ccchh.net 172.31.17.146:8443;
|
||||
wiki.hamburg.ccc.de 172.31.17.146:8443;
|
||||
onlyoffice.hamburg.ccc.de 172.31.17.147:8443;
|
||||
hackertours.hamburg.ccc.de 172.31.17.151:8443;
|
||||
staging.hackertours.hamburg.ccc.de 172.31.17.151:8443;
|
||||
netbox.hamburg.ccc.de netbox.hosts.hamburg.ccc.de:8443;
|
||||
netbox.hamburg.ccc.de 172.31.17.167:8443;
|
||||
matrix.hamburg.ccc.de 172.31.17.150:8443;
|
||||
mas.hamburg.ccc.de 172.31.17.150:8443;
|
||||
element-admin.hamburg.ccc.de 172.31.17.151:8443;
|
||||
|
|
@ -42,9 +42,9 @@ stream {
|
|||
hamburg.ccc.de 172.31.17.151:8443;
|
||||
staging.hamburg.ccc.de 172.31.17.151:8443;
|
||||
spaceapi.hamburg.ccc.de 172.31.17.151:8443;
|
||||
tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:8443;
|
||||
sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:8443;
|
||||
zammad.hamburg.ccc.de zammad.hosts.hamburg.ccc.de:8443;
|
||||
tickets.hamburg.ccc.de 172.31.17.148:8443;
|
||||
sunders.hamburg.ccc.de 172.31.17.170:8443;
|
||||
zammad.hamburg.ccc.de 172.31.17.152:8443;
|
||||
c3cat.de 172.31.17.151:8443;
|
||||
www.c3cat.de 172.31.17.151:8443;
|
||||
staging.c3cat.de 172.31.17.151:8443;
|
||||
|
|
@ -56,7 +56,7 @@ stream {
|
|||
eh11.easterhegg.eu 172.31.17.151:8443;
|
||||
eh20.easterhegg.eu 172.31.17.151:8443;
|
||||
www.eh20.easterhegg.eu 172.31.17.151:8443;
|
||||
eh22.easterhegg.eu eh22-wiki.hosts.hamburg.ccc.de:8443;
|
||||
eh22.easterhegg.eu 172.31.17.165:8443;
|
||||
easterheggxxxx.hamburg.ccc.de 172.31.17.151:8443;
|
||||
eh2003.hamburg.ccc.de 172.31.17.151:8443;
|
||||
www.eh2003.hamburg.ccc.de 172.31.17.151:8443;
|
||||
|
|
@ -90,8 +90,8 @@ stream {
|
|||
woodpecker.hamburg.ccc.de 172.31.17.160:8443;
|
||||
design.hamburg.ccc.de 172.31.17.162:8443;
|
||||
hydra.hamburg.ccc.de 172.31.17.163:8443;
|
||||
cfp.eh22.easterhegg.eu pretalx.hosts.hamburg.ccc.de:8443;
|
||||
ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:8443;
|
||||
cfp.eh22.easterhegg.eu pretalx-intern.hamburg.ccc.de:8443;
|
||||
ntfy.hamburg.ccc.de 172.31.17.149:8443;
|
||||
cryptoparty-hamburg.de 172.31.17.151:8443;
|
||||
cryptoparty.hamburg.ccc.de 172.31.17.151:8443;
|
||||
staging.cryptoparty-hamburg.de 172.31.17.151:8443;
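Review bot: The map now mixes `*-intern.hamburg.ccc.de` names (ccchoir, cloud, pad, pretalx, and `cfp.eh22.easterhegg.eu` in the last hunk) with literal `172.31.17.x` addresses, while the ACME-challenge map in this commit already uses the literal `172.31.17.143` for `cloud.hamburg.ccc.de`. Because `resolver 212.12.50.158 192.76.134.90;` is in effect, the named entries are looked up at runtime, so which backend — and which address family — they reach depends on DNS outside this repo; an AAAA answer would carry the connection over IPv6 to a backend that, per the vhost hunks, trusts only `172.31.17.140` for the PROXY header. Using the same literal addresses here as in the ACME map, or a comment stating that the `-intern` names are deliberately A-only, keeps the two maps consistent. The `stream` block and the `map` start outside the first hunk.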
|
||||
|
|
|
|||
|
|
@ -7,14 +7,20 @@ define if_net1_v4_wan = "net1"
|
|||
define if_net2_v6_wan = "net2"
|
||||
define if_net0_2_v4_nat = "net0.2"
|
||||
define if_net0_3_ci_runner = "net0.3"
|
||||
define if_net0_4_v4_nat_legacy = "net0.4"
|
||||
define if_net0_5_public = "net0.5"
|
||||
|
||||
# Interface Groups
|
||||
define wan_ifs = { $if_net1_v4_wan,
|
||||
$if_net2_v6_wan }
|
||||
define lan_ifs = { $if_net0_2_v4_nat,
|
||||
$if_net0_3_ci_runner }
|
||||
# define v4_exposed_ifs = { }
|
||||
define v6_exposed_ifs = { $if_net0_2_v4_nat }
|
||||
$if_net0_3_ci_runner,
|
||||
$if_net0_4_v4_nat_legacy,
|
||||
$if_net0_5_public }
|
||||
define v4_exposed_ifs = { $if_net0_5_public }
|
||||
define v6_exposed_ifs = { $if_net0_2_v4_nat,
|
||||
$if_net0_4_v4_nat_legacy,
|
||||
$if_net0_5_public }
|
||||
|
||||
|
||||
## Rules
|
||||
|
|
@ -39,29 +45,13 @@ table inet host {
|
|||
ct state established,related accept
|
||||
|
||||
ip protocol icmp accept
|
||||
# ICMPv6
|
||||
# https://datatracker.ietf.org/doc/html/rfc4890#autoid-24
|
||||
# Allowlist consisting of: "Traffic That Must Not Be Dropped" and "Traffic That Normally Should Not Be Dropped"
|
||||
# Error messages that are essential to the establishment and maintenance of communications:
|
||||
icmpv6 type { destination-unreachable, packet-too-big } accept
|
||||
icmpv6 type { time-exceeded } accept
|
||||
icmpv6 type { parameter-problem } accept
|
||||
# Connectivity checking messages:
|
||||
icmpv6 type { echo-request, echo-reply } accept
|
||||
# Address Configuration and Router Selection messages:
|
||||
icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } accept
|
||||
# Link-Local Multicast Receiver Notification messages:
|
||||
icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, mld2-listener-report } accept
|
||||
# SEND Certificate Path Notification messages:
|
||||
icmpv6 type { 148, 149 } accept
|
||||
# Multicast Router Discovery messages:
|
||||
icmpv6 type { 151, 152, 153 } accept
|
||||
ip6 nexthdr icmpv6 accept
|
||||
|
||||
# Allow SSH access.
|
||||
tcp dport 22 accept comment "allow ssh access"
|
||||
|
||||
# Allow DHCP server access.
|
||||
iifname { $if_net0_2_v4_nat, $if_net0_3_ci_runner } udp dport 67 accept comment "allow dhcp server access"
|
||||
iifname $if_net0_3_ci_runner udp dport 67 accept comment "allow dhcp server access"
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -85,11 +75,10 @@ table inet forward {
|
|||
ct state established,related accept
|
||||
|
||||
# Allow internet access.
|
||||
meta nfproto ipv6 iifname $lan_ifs oifname $if_net2_v6_wan accept comment "allow v6 internet access"
|
||||
meta nfproto ipv4 iifname $lan_ifs oifname $if_net1_v4_wan accept comment "allow v4 internet access"
|
||||
iifname $lan_ifs oifname $wan_ifs accept comment "allow internet access"
|
||||
|
||||
# Allow access to exposed networks from internet.
|
||||
# meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access"
|
||||
meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access"
|
||||
meta nfproto ipv6 oifname $v6_exposed_ifs accept comment "allow v6 exposed network access"
|
||||
}
|
||||
}
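Review bot: In the `@ -39,29 +45,13 @@` hunk the RFC 4890 allowlist in `table inet host` is replaced by `ip6 nexthdr icmpv6 accept`, which admits every ICMPv6 type from every interface including the WAN side — also the types the old block deliberately omitted (redirect, router renumbering, node-information query/reply). Keeping the allowlist is the safer option; if the blanket rule is really wanted, at least `icmpv6 type nd-redirect drop` should precede it and the comment should say why the per-type rules were dropped. `ip6 nexthdr` additionally matches only when ICMPv6 is the first next-header, so a packet carrying a hop-by-hop or fragment extension header misses the rule; `meta l4proto ipv6-icmp accept` walks the extension chain and is the conventional spelling. Separately, the defines hunk adds `$if_net0_4_v4_nat_legacy` to `v6_exposed_ifs` and `$if_net0_5_public` to `lan_ifs`, so hosts on the legacy NAT segment become reachable on every port over IPv6 while hidden on IPv4; a one-line comment next to those defines stating that this asymmetry is intended would save the next reader a question. The `input` and `forward` chains start before their hunks.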
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
[Match]
|
||||
MACAddress=BC:24:11:9A:FB:34
|
||||
# Stolen from turing to make 212.12.48.122 work.
|
||||
MACAddress=0E:A4:E3:97:16:92
|
||||
Type=ether
|
||||
|
||||
[Link]
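Review bot: `MACAddress=0E:A4:E3:97:16:92` under `[Match]` is a match key — it only selects the NIC that already carries turing's MAC, it does not assign it — so this file is a no-op until the hypervisor-side MAC of this interface has been changed as well; if the intent was to set the address, it belongs in the `[Link]` section (which begins at the end of the hunk and continues outside it) as `MACAddress=`. The comment `# Stolen from turing to make 212.12.48.122 work.` should also record that turing's interface was taken down first: two NICs with one MAC on the same segment make the upstream switch's forwarding table flap and both hosts lose the address intermittently.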
|
||||
|
|
|
|||
|
|
@ -0,0 +1,6 @@
|
|||
[NetDev]
|
||||
Name=net0.4
|
||||
Kind=vlan
|
||||
|
||||
[VLAN]
|
||||
Id=4
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
[NetDev]
|
||||
Name=net0.5
|
||||
Kind=vlan
|
||||
|
||||
[VLAN]
|
||||
Id=5
|
||||
|
|
@ -7,6 +7,7 @@ RequiredForOnline=no
|
|||
[Network]
|
||||
VLAN=net0.2
|
||||
VLAN=net0.3
|
||||
VLAN=net0.4
|
||||
VLAN=net0.5
|
||||
|
||||
LinkLocalAddressing=no
|
||||
|
||||
|
|
|
|||
|
|
@ -5,10 +5,11 @@ Name=net1
|
|||
DNS=212.12.50.158
|
||||
IPForward=ipv4
|
||||
IPv6AcceptRA=no
|
||||
|
||||
[Address]
|
||||
# v4 taken from turing for routing public v4 range and turing-compat for v4-NAT-legacy network.
|
||||
# Also just the v4 for other purposes as well.
|
||||
Address=212.12.48.122/24
|
||||
Address=212.12.48.123/24
|
||||
|
||||
[Route]
|
||||
# v6 for turing-compat for v4-NAT-legacy network routed v6.
|
||||
Address=2a00:14b0:4200:3000:122::1
|
||||
Gateway=212.12.48.55
|
||||
|
||||
Gateway=2a00:14b0:4200:3000::1
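Review bot: `Address=2a00:14b0:4200:3000:122::1` carries no prefix length, and in the rendered diff it appears after the `[Route]` header; `Address=` is an `[Address]`-section key, so confirm it sits under `[Address]` in the file and give it the intended length explicitly (presumably `/64`, matching `Gateway=2a00:14b0:4200:3000::1` on the same prefix), otherwise the gateway may not be on-link and the default route is rejected. The comment about the v4 taken from turing should also say whether `Address=212.12.48.123/24` remains assigned here, since the rendered hunk prints both v4 addresses and a reader cannot tell which survives. The `[Network]` section this belongs to starts before the hunk.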
|
||||
|
|
|
|||
|
|
@ -11,12 +11,6 @@ Description=v4-NAT
|
|||
# Masquerading done in nftables (nftables.conf).
|
||||
IPv6SendRA=yes
|
||||
|
||||
DHCPServer=true
|
||||
|
||||
[DHCPServer]
|
||||
PoolOffset=100
|
||||
PoolSize=150
|
||||
|
||||
[Address]
|
||||
Address=10.32.2.1/24
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,23 @@
|
|||
[Match]
|
||||
Name=net0.4
|
||||
Type=vlan
|
||||
|
||||
[Link]
|
||||
RequiredForOnline=no
|
||||
|
||||
[Network]
|
||||
Description=v4-NAT-legacy
|
||||
|
||||
# Masquerading done in nftables (nftables.conf).
|
||||
IPv6SendRA=yes
|
||||
|
||||
[Address]
|
||||
Address=172.31.17.129/25
|
||||
|
||||
[IPv6SendRA]
|
||||
UplinkInterface=net1
|
||||
|
||||
[IPv6Prefix]
|
||||
Prefix=2a00:14b0:f000:23::/64
|
||||
Assign=true
|
||||
Token=static:::1
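Review bot: The comment `# Masquerading done in nftables (nftables.conf).` is copied from the `net0.2` unit, but none of the `nftables.conf` hunks in this commit touch a nat table; if the existing masquerade rule is keyed on `$if_net0_2_v4_nat` or on `10.32.2.0/24` rather than on the new interface or `172.31.17.128/25`, hosts on this VLAN have no outbound v4 at all, so the comment should name the rule it relies on (I cannot see the nat table here). `IPv6SendRA=yes` with `Prefix=2a00:14b0:f000:23::/64` also hands every host on this segment a global address that the `v6_exposed_ifs` change makes reachable from the internet while its v4 side stays behind NAT; the `Description=` or a comment should say that this split is deliberate. `UplinkInterface=net1` differs from the `net2` used by the `net0.5` unit below — the turing-compat route comment in the `net1` unit suggests this is intended, but it is worth stating here.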
|
||||
|
|
@ -0,0 +1,22 @@
|
|||
[Match]
|
||||
Name=net0.5
|
||||
Type=vlan
|
||||
|
||||
[Link]
|
||||
RequiredForOnline=no
|
||||
|
||||
[Network]
|
||||
Description=public
|
||||
|
||||
IPv6SendRA=yes
|
||||
|
||||
[Address]
|
||||
Address=212.12.50.209/29
|
||||
|
||||
[IPv6SendRA]
|
||||
UplinkInterface=net2
|
||||
|
||||
[IPv6Prefix]
|
||||
Prefix=2a00:14b0:42:105::/64
|
||||
Assign=true
|
||||
Token=static:::1
|
||||
|
|
@ -2,7 +2,7 @@
|
|||
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
|
||||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen [::]:8443 ssl http2 proxy_protocol;
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
|
||||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen [::]:8443 ssl http2 proxy_protocol;
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
|
|
|
|||
|
|
@ -3,12 +3,11 @@
|
|||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
listen [::]:8443 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
# First set our proxy protocol proxy as trusted.
|
||||
set_real_ip_from 2a00:14b0:4200:3000:125::1;
|
||||
set_real_ip_from 172.31.17.140;
|
||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||
# header.
|
||||
real_ip_header proxy_protocol;
|
||||
|
|
@ -22,6 +21,6 @@ server {
|
|||
|
||||
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
|
||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||
|
||||
|
||||
return 302 https://wiki.hamburg.ccc.de$request_uri;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -3,12 +3,11 @@
|
|||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
listen [::]:8443 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
# First set our proxy protocol proxy as trusted.
|
||||
set_real_ip_from 2a00:14b0:4200:3000:125::1;
|
||||
set_real_ip_from 172.31.17.140;
|
||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||
# header.
|
||||
real_ip_header proxy_protocol;
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
|
||||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen [::]:8443 ssl http2 proxy_protocol;
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
|
|
|
|||
|
|
@ -3,7 +3,6 @@
|
|||
- name: ensure apt dependencies are installed
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- python3-pip
|
||||
- virtualenv
|
||||
- git
|
||||
state: present
|
||||
|
|
|
|||
|
|
@ -1,13 +0,0 @@
|
|||
# Ensure the ssh module is disabled, so a cloud-init config change doesn't regenerate the host keys for no reason.
|
||||
- name: check if cloud-init config file exists
|
||||
ansible.builtin.stat:
|
||||
path: /etc/cloud/cloud.cfg
|
||||
register: base_config__stat_cloud_cfg
|
||||
|
||||
- name: ensure the cloud-init ssh module is disabled
|
||||
ansible.builtin.replace:
|
||||
path: /etc/cloud/cloud.cfg
|
||||
regexp: " - ssh$"
|
||||
replace: " #- ssh"
|
||||
become: true
|
||||
when: base_config__stat_cloud_cfg.stat.exists
|
||||
|
|
@ -7,4 +7,3 @@ dependencies:
|
|||
major_versions:
|
||||
- 11
|
||||
- 12
|
||||
- 13
|
||||
|
|
|
|||
|
|
@ -7,4 +7,3 @@ dependencies:
|
|||
major_versions:
|
||||
- 11
|
||||
- 12
|
||||
- 13
|
||||
|
|
|
|||
|
|
@ -7,4 +7,3 @@ dependencies:
|
|||
major_versions:
|
||||
- 11
|
||||
- 12
|
||||
- 13
|
||||
|
|
|
|||
|
|
@ -4,7 +4,6 @@
|
|||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
listen [::]:8443 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
|
|
|
|||
|
|
@ -7,4 +7,3 @@ dependencies:
|
|||
major_versions:
|
||||
- "11"
|
||||
- "12"
|
||||
- "13"
|
||||
|
|
|
|||
|
|
@ -7,4 +7,3 @@ dependencies:
|
|||
major_versions:
|
||||
- "11"
|
||||
- "12"
|
||||
- "13"
|
||||
|
|
|
|||