Remove Nebula

I'm basically all in on Tailscale now
2024-07-14 21:40:52 +01:00 · 2024-07-14 21:40:52 +01:00 · 01c236e4e9
commit 01c236e4e9
parent ceaf419c04
30 changed files with 12 additions and 321 deletions
--- a/.yamllint.yml
+++ b/.yamllint.yml
@ -5,7 +5,6 @@ ignore: |
  ansible/galaxy_collections
  ansible/group_vars/all/vps-hosts.yml
  ansible/roles/traefik/files/traefik.yml
  ansible/roles/nebula/files/nebula.yml
  env
 rules:
--- a/ansible/.ansible-lint
+++ b/ansible/.ansible-lint
@ -12,5 +12,4 @@ exclude_paths:
  - galaxy_roles/
  - galaxy_collections/
  - ~/.ansible
  - roles/nebula/files/nebula.yml
  - roles/traefik/files/traefik.yml
--- a/ansible/group_vars/all/nebula.yml
+++ b/ansible/group_vars/all/nebula.yml
@ -1,9 +0,0 @@
 nebula:
  cidr: 10.23.2.0/24
  clients:
    casey:
      ip: 10.23.2.1
    walker:
      ip: 10.23.2.4
    ingress:
      ip: 10.23.2.5
--- a/ansible/group_vars/all/network.yml
+++ b/ansible/group_vars/all/network.yml
@ -1,2 +1 @@
 private_ip: "{{ nebula.clients[hostname_slug].ip }}"
 ssh_port: 7743
--- a/ansible/group_vars/all/tailscale.yml
+++ b/ansible/group_vars/all/tailscale.yml
@ -5,3 +5,7 @@ tailscale_cidr: 100.64.0.0/24  # It's really /10, but I don't use that many IPs
 tailscale_cidr_ipv6: fd7a:115c:a1e0::/120  # It's really /48, but I don't use that many IPs
 tailscale_port: 41641
 tailscale_nodes:
  casey:
    ip: 100.64.0.1
--- a/ansible/host_vars/casey/main.yml
+++ b/ansible/host_vars/casey/main.yml
@ -1,6 +1,3 @@
 nebula_is_lighthouse: true
 nebula_listen_port: "{{ nebula_lighthouse_port }}"
 nginx_https_redirect: true
 certbot_certs:
--- a/ansible/host_vars/ingress.yml
+++ b/ansible/host_vars/ingress.yml
@ -1,4 +1 @@
 # Listen on a static port so it can be opened in the firewall
 nebula_listen_port: "{{ nebula_lighthouse_port }}"
 nginx_https_redirect: true
--- a/ansible/main.yml
+++ b/ansible/main.yml
@ -12,7 +12,6 @@
    - role: geerlingguy.certbot
      become: true
    - gateway
    - nebula
    - headscale
    - restic
    - artis3n.tailscale
@ -58,7 +57,6 @@
  roles:
    - pve_docker
    - yourls
    - pve_nebula_route
    - privatebin
    - vaultwarden
    - tandoor
@ -73,7 +71,6 @@
  roles:
    - nginx
    - ingress
    - nebula
    - artis3n.tailscale
 - hosts: pve
@ -81,7 +78,6 @@
    - role: ironicbadger.proxmox_nag_removal
      become: true
    - zfs
    - pve_nebula_route
    - role: ironicbadger.snapraid
      become: true
    - role: prometheus.prometheus.node_exporter
@ -91,7 +87,6 @@
  roles:
    - prometheus
    - uptime_kuma
    - pve_nebula_route
    - pve_tailscale_route
 - hosts: qbittorrent
@ -105,7 +100,6 @@
    - nginx
    - role: geerlingguy.certbot
      become: true
    - nebula
    - coredns_docker_proxy
    - plausible
    - restic
--- a/ansible/roles/base/files/ssh-jail.conf
+++ b/ansible/roles/base/files/ssh-jail.conf
@ -4,4 +4,4 @@ bantime  = 600
 findtime = 30
 maxretry = 5
 port     = {{ ssh_port }},ssh
-ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ tailscale_cidr }}
+ignoreip = {{ wireguard.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ tailscale_cidr }}
--- a/ansible/roles/base/files/sshd_config
+++ b/ansible/roles/base/files/sshd_config
@ -2,7 +2,7 @@
 # Change to a high/odd port if this server is exposed to the internet directly
 Port {{ ssh_port }}
-AllowUsers {% if hostname_slug in pve_hosts %}{{ me.user }}@{{ pve_hosts.internal_cidr }}{% endif %} {% if hostname_slug in nebula.clients %}{{ me.user }}@{{ nebula.cidr }}{% endif %} {{ me.user }}@{{ tailscale_cidr }} {{ ssh_extra_allowed_users }}
+AllowUsers {% if hostname_slug in pve_hosts %}{{ me.user }}@{{ pve_hosts.internal_cidr }}{% endif %} {{ me.user }}@{{ tailscale_cidr }} {{ ssh_extra_allowed_users }}
 # Bind to all interfaces (change to specific interface if needed)
 ListenAddress 0.0.0.0
--- a/ansible/roles/gateway/files/nginx-fail2ban-jail.conf
+++ b/ansible/roles/gateway/files/nginx-fail2ban-jail.conf
@ -6,9 +6,9 @@ maxretry = 100
 filter   = nginx-tcp
 logpath  = /var/log/nginx/ips.log
 port     = http,https,8448
-ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
+ignoreip = {{ wireguard.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
 [traefik]
 enabled = true
 port     = http,https,8448
-ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
+ignoreip = {{ wireguard.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
--- a/ansible/roles/http_proxy/files/squid.conf
+++ b/ansible/roles/http_proxy/files/squid.conf
@ -2,7 +2,7 @@
 # Recommended minimum configuration:
 #
-acl hide_internal dst {{ wireguard.cidr }} {{ nebula.cidr }} {{ pve_hosts.internal_cidr }} {{ tailscale_cidr }}
+acl hide_internal dst {{ wireguard.cidr }} {{ pve_hosts.internal_cidr }} {{ tailscale_cidr }}
 # Example rule allowing access from your local networks.
 # Adapt to list your (internal) IP networks from where browsing
--- a/ansible/roles/ingress/files/nftables.conf
+++ b/ansible/roles/ingress/files/nftables.conf
@ -17,9 +17,6 @@ table inet filter {
        tcp dport {http, https, {{ ssh_port }}, 8443, 8448} accept
        # Allow nebula
        udp dport {{ nebula_listen_port }} accept;
        # Allow Tailscale
        udp dport {{ tailscale_port }} accept;
    }
@ -29,7 +26,6 @@ table inet filter {
        policy accept
        # NAT - because the proxmox machines may not have routes back
        ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} counter masquerade
        ip saddr {{ tailscale_cidr }} counter masquerade
    }
@ -37,12 +33,8 @@ table inet filter {
        type filter hook forward priority mangle
        policy drop
-        # Allow traffic from nebula to proxmox network
+        # Allow monitoring of Tailscale network
-        ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} accept
+        ip saddr {{ pve_hosts.forrest.ip }}/32 ip daddr {{ tailscale_cidr }} accept
        ip saddr {{ pve_hosts.internal_cidr }} ip daddr {{ nebula.cidr }} ct state related,established accept
        # Allow monitoring of nebula network
        ip saddr {{ pve_hosts.forrest.ip }}/32 ip daddr {{ nebula.cidr }} accept
        # Allow Tailscale exit node
        ip saddr {{ tailscale_cidr }} ip daddr 192.168.0.0/16 drop
--- a/ansible/roles/nebula/defaults/main.yml
+++ b/ansible/roles/nebula/defaults/main.yml
@ -1,2 +0,0 @@
 nebula_is_lighthouse: false
 nebula_listen_port: 0
--- a/ansible/roles/nebula/files/ca.crt
+++ b/ansible/roles/nebula/files/ca.crt
@ -1,18 +0,0 @@
 $ANSIBLE_VAULT;1.1;AES256
 35346565636566303064316339396339363831623963306131303331366338643338326261626137
 3031333365383139383466323931353339346534366136350a353034373561653238643039373766
 37316638363166303162373739393934653936373639323038663639656138313035666132646136
 6339386166383137320a363536336166343539633238336364663633306562313965636536303663
 35376234336566626232383231326362393664386464346363643262393932316130623936383366
 63313539653035383665373962376165336533396565643263666634333434663432386635663434
 31613064653739363637643433653639343930623038626539353534393861646165366166616638
 38313036303261336635666161383135353637633966646462376439313539383962343564626336
 37343566306638626337316135663763343961653065616531396332303966643638646163393461
 63353630393364666336633630653765613331386233386130366636393965323231373561333163
 38613165623533396531383031316631346434333239616335373162333637363830636263613338
 38316165343632313361633362383934653832306332663732303061333135393234306232636464
 36346465633166303335363365336336383333636165633230626263633663356336366662313263
 36353231623930653361313466643064356234656639616332326534306133396338363538366136
 30643633626230613364353434323262333335363132303865646130653733623032346166653031
 63653761393935333430636230353966353765626235336439383331333436623061373835616462
 3661
--- a/ansible/roles/nebula/files/certs/casey.crt
+++ b/ansible/roles/nebula/files/certs/casey.crt
@ -1,20 +0,0 @@
 $ANSIBLE_VAULT;1.1;AES256
 63636434323163343761373034626236333037376261336634366531393035356435653037326238
 3839323731623165633234613132376534646266373466310a356635313261333263366632336664
 39326533333462373831663132633733666136623938313164313265326637333332616463386363
 6634333536313132310a613766363630313933343365333633333663613035313362343437383534
 32636433613365643633643536633862376231316135376437333835353164613839323562333430
 39323331353639333539356165616661663262386363386239346664643364653137633332626661
 35393332653530373162666365326135663633663265313634643135373562663763376530623038
 63343231333933616237666465306461663634363261656237383236383663336235363161623265
 30343366643637326135356636626564343436396635613566393636643264333933656265346333
 61363335303737666238393665633265393835633838636561393534343437366639636361373761
 34366334366236373633613037346463373632323265343034343335333436373733613465663464
 65643863303037643338366537336562613232313331323366663835316437376535623635383463
 38386539353834383236663766393563393063333233623661303335396534353166316230396566
 34393034333864346534383665616666633836376439646632303566613633376138313961636637
 37313635393739656161313466633231396539393666663635623034613765393438633735636666
 33326635373966353633356166313138656462373962663666653961366438383936626338663439
 36643039613061646531366462623064623837666633326532663232616139623737343732346130
 64646337356266353261363438326237313833323765663336346635353236396638376530663033
 306365363634643665646230366332653632
--- a/ansible/roles/nebula/files/certs/casey.key
+++ b/ansible/roles/nebula/files/certs/casey.key
@ -1,11 +0,0 @@
 $ANSIBLE_VAULT;1.1;AES256
 31646561316237653338613966616162363239323863393862376136623639613730633339396230
 3830343834383934333236633462663734366432666331620a393739313230656636653432646532
 65386466633832623663386131393866666664303439613738303933656239393761653263386466
 3561656162343632350a383737343661663037306461636264353239373865613861393034626237
 37633134636638633539346534346365346332643939653737626136393961343864386438323731
 39353663353362623563326230643961623231646361396561623431376139626236313362343938
 38336138376133656130633161363766393861656466363565646264653963396539386266616631
 66333965383862633061623961316334326134326630623064323562373937323338313838353066
 38343830316665326663313331613561393238373161326637396630383030666137623633616365
 6461333239666365363339613533323536613839356332373530
--- a/ansible/roles/nebula/files/certs/ingress.crt
+++ b/ansible/roles/nebula/files/certs/ingress.crt
@ -1,21 +0,0 @@
 $ANSIBLE_VAULT;1.1;AES256
 62613762323836666136313634353965643132326439656165623938326130633631623939336434
 3931613737633935363439316362613663363335626134340a306631376131363635326337333234
 34373262383861626564383834306462306633376332353630666265303766333731613839333231
 6666343965353866320a313930383762646431656433393433336436623064643864343639393465
 37613062336430646130653833363130343266303833353739393839376235646433663236636532
 31303439663030353934383862396234663633343932646234353566313833613038366262373862
 62646262393431343638373936333339373230346134313661303138656563613463613836643634
 33343236633235316364336438613932316431383839393136343662333365396639313931663461
 33363336323532376566316532373832306662373538343361336239346163626330333736636566
 33306435306136643563643465373964383336376566383539613530313830353961623861323936
 64633336323438353238616663323338396536386161326132633466643135636162363536656665
 39653734653839366362383034366437613734373830386533363138373036323231363764633335
 34633163353237656266663035616463383165623634353062636464373361376438653230343661
 35343434656335623533623836313335616162666665313064653730356537633666336163616132
 31663432396564613538303662396538643131656137343434646333666634653938353363316363
 38623730623532663133343937643663633961353034316234663931646331656636303739383464
 37623264663038656632343262336165343635633566393535343663393163313234396463373766
 35313337353833306262363532616265656461356536633430383234633464613839303562356565
 39643738616262383734656535636566323831373035306166343039666334633264303435663865
 39623533653333323766
--- a/ansible/roles/nebula/files/certs/ingress.key
+++ b/ansible/roles/nebula/files/certs/ingress.key
@ -1,11 +0,0 @@
 $ANSIBLE_VAULT;1.1;AES256
 37626435646463663062363233393732353239386231366436653663623035656339633136346138
 3963626465363538653430343733663965373865376263330a373638663731656435646438646134
 38663334363137666530653934356337326264356664343633623432613265643139353464666136
 6236383631366130310a386265373334663831333137303538303737663062656239663839326338
 35613739313935373362333933653636383033343164363964353935633061636635353464643831
 64626363646136663166373632343830333634356565336138393436313864646333386561396663
 65636436663830633661396531643838333938366236633762323231363966643035643539383438
 30396136633264396561353034653161343536313461623532303265663531323937363737353566
 32363564333536306166346165393662353234363131383733396338633839333439373538623362
 3738616565663331353362633939343832323238383930643263
--- a/ansible/roles/nebula/files/certs/walker.crt
+++ b/ansible/roles/nebula/files/certs/walker.crt
@ -1,20 +0,0 @@
 $ANSIBLE_VAULT;1.1;AES256
 32636232306462356330643137616236306261373438653332326239343662363234313765356563
 6361383264626665636130373539613936373036343061350a316438383266306538303836636138
 39643434323831303337336230623463633138633436386539363531626633633364663031376131
 3162363530393734380a303162386436396338383864333439313365383665666361313666373538
 35666262616466663061383463653361303230653036643033376434303236656638343134316262
 31303663396231623065316261353938613934303934613331393836663061653731316163663230
 39653337373230386337383665303638346136353031373931616166663437313431353832633239
 62343063323765636466353031353930636132373263306631616365623332646639333265653235
 61636237326561613364303538323861393061303839383532323136306134633437363731616464
 32633538376130613164646264666332303762386436383566663563346536663935323165323939
 65666333363163373165316633383430653066663938303562613739303835316661623437613863
 32383330336261356364353163666432353130343564366333626336306332643936623166386261
 35656431366431663830336631346164333362376262663365623635376161373864303831306462
 61326462343039376363663139636638663239306362353232366166623030376464336634643130
 65373532393034623730663431373763636261393035346639653137383235633265386365613063
 37303435363136613365633139316133386332373665626566346161343665626365656639346661
 30396133366566306238303564633662306561303830613937666264303731666230356633373662
 33656133323364313461353562373337356232666536643633336663326334353231613336646461
 376435366338383534623436353434623334
--- a/ansible/roles/nebula/files/certs/walker.key
+++ b/ansible/roles/nebula/files/certs/walker.key
@ -1,11 +0,0 @@
 $ANSIBLE_VAULT;1.1;AES256
 65626437643961386636343536313832353663373863313963383430363465333965363031653635
 3038636237383665653135313962643434386135346630360a666239663139353063623436633038
 38613062393337373232343338626334353033633738306138373464313739323334373637366334
 3335623465633164310a646162376139373838643731326361373366623765323263643934616432
 66626333653335343234393936653931306132333933616138616665626139396164386437633338
 36653637346532376564306537643330343135313331343163326331363664663761616533353563
 66643964313736653263666466643134656532643536343464356464663465313438643466643130
 35643738313337663663343466353232396264356163343234653032333032336134666437306139
 63653239363132396465376565306666363131366131376466356530386438653433613063646365
 6432616539316163376162613630623066626539666135366664
--- a/ansible/roles/nebula/files/nebula.yml
+++ b/ansible/roles/nebula/files/nebula.yml
@ -1,59 +0,0 @@
 pki:
  ca: /etc/nebula/ca.crt
  cert: /etc/nebula/{{ ansible_hostname }}.crt
  key: /etc/nebula/{{ ansible_hostname }}.key
 static_host_map:
  "{{ nebula_lighthouse_ip }}": ["{{ nebula_lighthouse_public_ip }}:{{ nebula_lighthouse_port }}"]
 lighthouse:
  am_lighthouse: "{{ nebula_is_lighthouse | lower }}"
  interval: 60
  hosts:
 {% if not nebula_is_lighthouse %}
    - "{{ nebula_lighthouse_ip }}"
 {% endif %}
 listen:
  host: 0.0.0.0
  port: "{{ nebula_listen_port }}"
 punchy:
  punch: true
 tun:
  disabled: false
  dev: nebula1
  drop_local_broadcast: false
  drop_multicast: false
  tx_queue: 500
  mtu: 1300
  routes:
  unsafe_routes:
 {% if ansible_hostname != "ingress" %}
    - route: "{{ pve_hosts.internal_cidr }}"
      via: "{{ nebula.clients.ingress.ip }}"
 {% endif %}
 logging:
  level: info
  format: text
 firewall:
  conntrack:
    tcp_timeout: 12m
    udp_timeout: 3m
    default_timeout: 10m
    max_connections: 100000
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    - port: any
      proto: any
      host: any
--- a/ansible/roles/nebula/handlers/main.yml
+++ b/ansible/roles/nebula/handlers/main.yml
@ -1,5 +0,0 @@
 - name: restart nebula
  service:
    name: nebula
    state: restarted
  become: true
--- a/ansible/roles/nebula/tasks/main.yml
+++ b/ansible/roles/nebula/tasks/main.yml
@ -1,65 +0,0 @@
 - name: Create config directory
  file:
    path: /etc/nebula
    state: directory
    mode: "0700"
  become: true
 - name: Install nebula
  package:
    name: nebula
  when: ansible_os_family == 'Archlinux'
  become: true
 - name: Manually install nebula
  block:
    - name: Install binaries
      unarchive:
        src: https://github.com/slackhq/nebula/releases/download/v{{ nebula_version }}/nebula-linux-amd64.tar.gz
        dest: /usr/bin
        remote_src: true
        mode: "0755"
    - name: Install service
      get_url:
        url: https://raw.githubusercontent.com/slackhq/nebula/v{{ nebula_version }}/dist/arch/nebula.service
        dest: /usr/lib/systemd/system/nebula.service
        mode: "0644"
  when: ansible_os_family != 'Archlinux'
  tags:
    - skip_ansible_lint
  notify: restart nebula
  become: true
 - name: Install config
  template:
    src: files/nebula.yml
    dest: /etc/nebula/config.yml
    mode: "0600"
  become: true
  notify: restart nebula
 - name: Install CA certificate
  template:
    src: files/ca.crt
    dest: /etc/nebula/ca.crt
    mode: "0600"
  become: true
  notify: restart nebula
 - name: Install client certificates
  template:
    src: files/certs/{{ item }}
    dest: /etc/nebula/{{ item }}
    mode: "0600"
  loop:
    - "{{ ansible_hostname }}.key"
    - "{{ ansible_hostname }}.crt"
  become: true
  notify: restart nebula
 - name: Enable service
  service:
    name: nebula
    enabled: true
  become: true
--- a/ansible/roles/nebula/vars/main.yml
+++ b/ansible/roles/nebula/vars/main.yml
@ -1,5 +0,0 @@
 nebula_lighthouse_public_ip: "{{ vps_hosts.casey_ip }}"
 nebula_lighthouse_ip: "{{ nebula.clients.casey.ip }}"
 nebula_lighthouse_port: 6328
 nebula_version: 1.8.1
--- a/ansible/roles/prometheus/files/prometheus/prometheus.yml
+++ b/ansible/roles/prometheus/files/prometheus/prometheus.yml
@ -120,7 +120,7 @@ scrape_configs:
    metrics_path: /metrics
    static_configs:
      - targets:
-          - "{{ nebula.clients.casey.ip }}:9090"
+          - "{{ tailscale_nodes.casey.ip }}:9090"
    metric_relabel_configs:
      - source_labels: [__name__]
        regex: go_.+
--- a/ansible/roles/pve_nebula_route/tasks/main.yml
+++ b/ansible/roles/pve_nebula_route/tasks/main.yml
@ -1,22 +0,0 @@
 - name: Get routes
  command:
    argv:
      - ip
      - route
      - show
      - "{{ nebula.cidr }}"
  register: routes
  changed_when: false
  become: true
 - name: Add route to nebula hosts via ingress
  command:
    argv:
      - ip
      - route
      - add
      - "{{ nebula.cidr }}"
      - via
      - "{{ pve_hosts.ingress.ip }}"
  become: true
  when: nebula.cidr not in routes.stdout
--- a/ansible/roles/traefik/files/file-provider-main.yml
+++ b/ansible/roles/traefik/files/file-provider-main.yml
@ -22,6 +22,5 @@ http:
        sourceRange:
          - "{{ tailscale_cidr }}"
          - "{{ tailscale_cidr_ipv6 }}"
          - "{{ nebula.cidr }}"
          - "{{ pve_hosts.internal_cidr }}"
          - "{{ pve_hosts.internal_cidr_ipv6 }}"
--- a/ansible/roles/traefik/files/traefik.yml
+++ b/ansible/roles/traefik/files/traefik.yml
@ -10,7 +10,6 @@ entryPoints:
      trustedIPs:
        - "{{ wireguard.cidr }}"
        - "{{ pve_hosts.internal_cidr }}"
        - "{{ nebula.cidr }}"
        - "{{ tailscale_cidr }}"
  web-secure:
    address: :443
--- a/terraform/casey_vps.tf
+++ b/terraform/casey_vps.tf
@ -66,15 +66,6 @@ resource "linode_firewall" "casey" {
    ipv6     = ["::/0"]
  }
  inbound {
    label    = "allow-inbound-nebula"
    action   = "ACCEPT"
    protocol = "UDP"
    ports    = "6328"
    ipv4     = ["0.0.0.0/0"]
    ipv6     = ["::/0"]
  }
  inbound {
    label    = "allow-inbound-matrix"
    action   = "ACCEPT"
`@ -1,2 +1 @@`
	`private_ip: "{{ nebula.clients[hostname_slug].ip }}"`
	`ssh_port: 7743`	`ssh_port: 7743`
		`@ -1,2 +0,0 @@`
			`nebula_is_lighthouse: false`
			`nebula_listen_port: 0`