diff --git a/ansible/galaxy-requirements.yml b/ansible/galaxy-requirements.yml index dcffea9..19cd384 100644 --- a/ansible/galaxy-requirements.yml +++ b/ansible/galaxy-requirements.yml @@ -20,3 +20,5 @@ roles: version: v2022.10.17 - src: geerlingguy.certbot version: 5.1.0 + - src: artis3n.tailscale + version: v4.4.1 diff --git a/ansible/group_vars/all/tailscale.yml b/ansible/group_vars/all/tailscale.yml new file mode 100644 index 0000000..0a954c9 --- /dev/null +++ b/ansible/group_vars/all/tailscale.yml @@ -0,0 +1,6 @@ +# Just install for now, don't configure +tailscale_up_skip: true + +tailscale_cidr: 100.64.0.0/24 # It's really /10, but I don't use that many IPs + +tailscale_port: 41641 diff --git a/ansible/main.yml b/ansible/main.yml index 11dfa84..5335a83 100644 --- a/ansible/main.yml +++ b/ansible/main.yml @@ -16,6 +16,7 @@ - headscale - fail2ban_ssh - restic + - artis3n.tailscale - hosts: - pve @@ -79,6 +80,7 @@ - nginx - ingress - nebula + - artis3n.tailscale - hosts: pve roles: @@ -114,6 +116,7 @@ - commento - website - remark42 + - artis3n.tailscale - hosts: jellyfin roles: diff --git a/ansible/roles/ingress/files/nftables.conf b/ansible/roles/ingress/files/nftables.conf index bc5119f..9b348c1 100644 --- a/ansible/roles/ingress/files/nftables.conf +++ b/ansible/roles/ingress/files/nftables.conf @@ -19,6 +19,9 @@ table inet filter { # Allow nebula udp dport {{ nebula_listen_port }} accept; + + # Allow Tailscale + udp dport {{ tailscale_port }} accept; } chain POSTROUTING { @@ -27,6 +30,7 @@ table inet filter { # NAT - because the proxmox machines may not have routes back ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} counter masquerade + ip saddr {{ tailscale_cidr }} ip daddr {{ pve_hosts.internal_cidr }} counter masquerade } chain FORWARD { 
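Review bot: `tailscale_cidr: 100.64.0.0/24` is narrower than the range Tailscale allocates from, as the inline comment itself acknowledges (100.64.0.0/10); if a node is handed an address outside that first /24, the `ip saddr {{ tailscale_cidr }}` masquerade and forward rules this commit adds to ansible/roles/ingress/files/nftables.conf silently stop matching it, and the traffic is neither NATed nor accepted. Unless the tailnet's address assignment is known to stay inside 100.64.0.0/24, `tailscale_cidr: 100.64.0.0/10` is the safer value, with any narrowing done per node in the nftables rules or in the tailnet ACLs rather than by shrinking the prefix. The value parses as a string without quotes (it contains `/` and dots), but yamllint wants two spaces before an inline `#`, e.g. `tailscale_cidr: 100.64.0.0/10  # Tailscale's full CGNAT allocation`.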
@@ -39,5 +43,9 @@ table inet filter { # Allow monitoring of nebula network ip saddr {{ pve_hosts.forrest.ip }}/32 ip daddr {{ nebula.cidr }} accept + + # Allow traffic from Tailscale to proxmox network + ip saddr {{ tailscale_cidr }} ip daddr {{ pve_hosts.internal_cidr }} accept + ip saddr {{ pve_hosts.internal_cidr }} ip daddr {{ tailscale_cidr }} ct state related,established accept } } diff --git a/terraform/casey_vps.tf b/terraform/casey_vps.tf index 4e412ce..f03e941 100644 --- a/terraform/casey_vps.tf +++ b/terraform/casey_vps.tf @@ -91,6 +91,15 @@ resource "linode_firewall" "casey" { ipv4 = ["0.0.0.0/0"] ipv6 = ["::/0"] } + + inbound { + label = "allow-inbound-tailscale" + action = "ACCEPT" + protocol = "UDP" + ports = "41641" + ipv4 = ["0.0.0.0/0"] + ipv6 = ["::/0"] + } } resource "linode_rdns" "casey_reverse_ipv4" { diff --git a/terraform/walker_vps.tf b/terraform/walker_vps.tf index d5fb40a..5a79b91 100644 --- a/terraform/walker_vps.tf +++ b/terraform/walker_vps.tf @@ -4,7 +4,8 @@ module "walker_firewall" { description = "walker" ports = [ "80/tcp", - "443/tcp" + "443/tcp", + "41641/udp" ] }
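Review bot: The new forward rule `ip saddr {{ tailscale_cidr }} ip daddr {{ pve_hosts.internal_cidr }} accept` admits every address in the Tailscale range to every host and every port on the proxmox network, whereas the nebula monitoring rule just above it is pinned to a single `/32` source. If that breadth is intentional because per-node access is governed by the tailnet ACLs, the comment should say so, e.g. `# Allow traffic from Tailscale to proxmox network (per-node restriction lives in the tailnet ACLs)`; otherwise limit the rule to the tailnet addresses or destination ports that actually need the path. The same applies to the masquerade rule added in the previous hunk, which NATs the whole range towards the internal network. Both rules are `ip`-family only, so if the tailnet also hands out IPv6 addresses they fall through to the chain's default policy, which is outside this hunk.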
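Review bot: The Tailscale port is hard-coded as `ports = "41641"` in this `inbound` block and as `"41641/udp"` in terraform/walker_vps.tf, while the host firewall rendered by Ansible reads it from `tailscale_port` in ansible/group_vars/all/tailscale.yml; changing any one of the three leaves the cloud firewall and the nftables input rule disagreeing on which UDP port is open. A single Terraform local referenced from both files (e.g. `ports = local.tailscale_port`, declared once) with a comment that it must match the Ansible variable would keep the two layers from drifting. Opening UDP 41641 to `0.0.0.0/0` and `::/0` is expected for Tailscale's direct, non-relayed connections, so the source scope itself is not the concern here.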