Install tailscale

Install, not configure
This commit is contained in:
Jake Howard 2024-02-01 19:41:47 +00:00
parent 29cac09b48
commit 02847355a7
Signed by: jake
GPG key ID: 57AFB45680EDD477
6 changed files with 30 additions and 1 deletions


@ -20,3 +20,5 @@ roles:
version: v2022.10.17 version: v2022.10.17
- src: geerlingguy.certbot - src: geerlingguy.certbot
version: 5.1.0 version: 5.1.0
- src: artis3n.tailscale
version: v4.4.1


@ -0,0 +1,6 @@
# Just install for now, don't configure
tailscale_up_skip: true
tailscale_cidr: 100.64.0.0/24 # It's really /10, but I don't use that many IPs
tailscale_port: 41641
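Review bot: `tailscale_cidr` is consumed by the nftables template as a trust boundary (it decides which source addresses may be forwarded into `pve_hosts.internal_cidr`), but the comment on it only says the real range is a /10; a node that is allocated an address outside 100.64.0.0/24 will have its traffic silently dropped by that FORWARD rule, and whether that can happen depends on the control plane's allocation strategy (headscale appears in the playbook — confirm it hands out addresses sequentially from the start of the prefix). Suggest making the comment state the intent: `# Used as the firewall trust boundary for forwarding into the proxmox network; deliberately narrower than the 100.64.0.0/10 tailnet range — widen if nodes get addresses outside this block`. The file also lacks a leading `---` document marker, which the other YAML files in the repo may use.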


@ -16,6 +16,7 @@
- headscale - headscale
- fail2ban_ssh - fail2ban_ssh
- restic - restic
- artis3n.tailscale
- hosts: - hosts:
- pve - pve
@ -79,6 +80,7 @@
- nginx - nginx
- ingress - ingress
- nebula - nebula
- artis3n.tailscale
- hosts: pve - hosts: pve
roles: roles:
@ -114,6 +116,7 @@
- commento - commento
- website - website
- remark42 - remark42
- artis3n.tailscale
- hosts: jellyfin - hosts: jellyfin
roles: roles:


@ -19,6 +19,9 @@ table inet filter {
# Allow nebula # Allow nebula
udp dport {{ nebula_listen_port }} accept; udp dport {{ nebula_listen_port }} accept;
# Allow Tailscale
udp dport {{ tailscale_port }} accept;
} }
chain POSTROUTING { chain POSTROUTING {
@ -27,6 +30,7 @@ table inet filter {
# NAT - because the proxmox machines may not have routes back # NAT - because the proxmox machines may not have routes back
ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} counter masquerade ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} counter masquerade
ip saddr {{ tailscale_cidr }} ip daddr {{ pve_hosts.internal_cidr }} counter masquerade
} }
chain FORWARD { chain FORWARD {
@ -39,5 +43,9 @@ table inet filter {
# Allow monitoring of nebula network # Allow monitoring of nebula network
ip saddr {{ pve_hosts.forrest.ip }}/32 ip daddr {{ nebula.cidr }} accept ip saddr {{ pve_hosts.forrest.ip }}/32 ip daddr {{ nebula.cidr }} accept
# Allow traffic from Tailscale to proxmox network
ip saddr {{ tailscale_cidr }} ip daddr {{ pve_hosts.internal_cidr }} accept
ip saddr {{ pve_hosts.internal_cidr }} ip daddr {{ tailscale_cidr }} ct state related,established accept
} }
} }
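Review bot: The new FORWARD rule `ip saddr {{ tailscale_cidr }} ip daddr {{ pve_hosts.internal_cidr }} accept` trusts the source address alone; nothing in the hunk ties it to the Tailscale tunnel interface, so a packet arriving on any other interface with a forged 100.64.x.x source would be forwarded into the internal network just the same (the nebula rule above it has the same shape, so this follows existing style, and an earlier reverse-path check may exist outside the hunk). Binding it to the interface tailscaled creates — `tailscale0` by default, confirm against the role's config — closes that gap: `iifname "tailscale0" ip saddr {{ tailscale_cidr }} ip daddr {{ pve_hosts.internal_cidr }} accept`; the POSTROUTING masquerade added in the second hunk would benefit from the same match. The comment on the INPUT rule could also be more specific, e.g. `# Allow Tailscale WireGuard peer traffic (direct connections)`, since the port is opened to the world.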


@ -91,6 +91,15 @@ resource "linode_firewall" "casey" {
ipv4 = ["0.0.0.0/0"] ipv4 = ["0.0.0.0/0"]
ipv6 = ["::/0"] ipv6 = ["::/0"]
} }
inbound {
label = "allow-inbound-tailscale"
action = "ACCEPT"
protocol = "UDP"
ports = "41641"
ipv4 = ["0.0.0.0/0"]
ipv6 = ["::/0"]
}
} }
resource "linode_rdns" "casey_reverse_ipv4" { resource "linode_rdns" "casey_reverse_ipv4" {
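Review bot: The port `41641` is hard-coded here, again in the `walker_firewall` module's ports list in the next file, and a third time as `tailscale_port` in the Ansible vars; if one of them drifts the host-side nftables rule and the cloud firewall stop agreeing, and the failure may go unnoticed because Tailscale can fall back to relayed connections. Terraform cannot read the Ansible var, but a `locals { tailscale_port = "41641" }` shared by both rules plus a comment `# must match tailscale_port in the Ansible vars` would make the coupling explicit. The `ipv4 = ["0.0.0.0/0"]` / `ipv6 = ["::/0"]` exposure is expected for this protocol, so a short comment stating that the port is intentionally world-reachable would help the next reader.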


@ -4,7 +4,8 @@ module "walker_firewall" {
description = "walker" description = "walker"
ports = [ ports = [
"80/tcp", "80/tcp",
"443/tcp" "443/tcp",
"41641/udp"
] ]
} }