Keep track of IPs for PVE hosts

Yea they're all random, I'll deal with that later

ansible/group_vars/all/nebula.yml

@@ -1,5 +1,5 @@
 nebula:
-  subnet: 10.23.2.0/24
+  cidr: 10.23.2.0/24
   clients:
     casey:
       ip: 10.23.2.1

ansible/group_vars/all/pve.yml

@@ -0,0 +1,13 @@
+pve_hosts:
+  internal_cidr: 10.23.1.0/24
+  ingress:
+    ip: 192.168.2.201
+    internal_ip: 10.23.1.88
+  jellyfin:
+    ip: 192.168.2.46
+    internal_ip: 10.23.1.29
+  pve_docker:
+    ip: 192.168.2.47
+    internal_ip: 10.23.1.7
+  homeassistant:
+    ip: 192.168.2.41

ansible/host_vars/pve-docker.yml

@@ -1,9 +1,7 @@
 expose_ssh: true
 
-private_ip: "{{ ansible_default_ipv4.address }}"
-protected_ip: 192.168.2.47
-
-traefik_proxy_protocol_trusted_ips: 10.23.0.0/16
+private_ip: "{{ pve_hosts.pve_docker.ip }}"
+protected_ip: "{{ pve_hosts.pve_docker.internal_ip }}"
 
 traefik_provider_jellyfin: true
 traefik_provider_homeassistant: true

ansible/roles/nebula/files/nebula.yml

@@ -32,7 +32,7 @@ tun:
   routes:
   unsafe_routes:
 {% if ansible_fqdn != "ingress" %}
-    - route: 10.23.1.0/24
+    - route: "{{ pve_hosts.internal_cidr }}"
       via: "{{ nebula.clients.ingress.ip }}"
 {% endif %}
 

ansible/roles/nebula/tasks/main.yml

@@ -59,7 +59,7 @@
     table: nat
     chain: POSTROUTING
     out_interface: ens18
-    source: "{{ nebula.subnet }}"
+    source: "{{ nebula.cidr }}"
     jump: MASQUERADE
   notify: persist iptables
   become: true

ansible/roles/pve_nebula_route/tasks/main.yml

@@ -4,7 +4,7 @@
       - ip
       - route
       - show
-      - "{{ nebula.subnet }}"
+      - "{{ nebula.cidr }}"
   register: routes
   changed_when: false
   become: true
@@ -15,8 +15,8 @@
       - ip
       - route
       - add
-      - "{{ nebula.subnet }}"
+      - "{{ nebula.cidr }}"
       - via
-      - "{{ ingress_private_ip }}"
+      - "{{ pve_hosts.ingress.internal_ip }}"
   become: true
-  when: nebula.subnet not in routes.stdout
+  when: nebula.cidr not in routes.stdout

ansible/roles/pve_nebula_route/vars/main.yml

@@ -1 +0,0 @@
-ingress_private_ip: 10.23.1.88

ansible/roles/traefik/defaults/main.yml

@@ -1,7 +1,5 @@
 traefik_influx_db_dir: ./influxdb
 
-traefik_proxy_protocol_trusted_ips: "{{ wireguard.cidr }}"
-
 traefik_provider_jellyfin: false
 traefik_provider_homeassistant: false
 

ansible/roles/traefik/files/file-provider-homeassistant.yml

@@ -9,4 +9,4 @@ http:
     service-homeassistant:
       loadBalancer:
         servers:
-          - url: http://192.168.2.41:8123
+          - url: http://{{ pve_hosts.homeassistant.ip }}:8123

ansible/roles/traefik/files/file-provider-jellyfin.yml

@@ -9,4 +9,4 @@ http:
     service-jellyfin:
       loadBalancer:
         servers:
-          - url: http://10.23.1.29:8096
+          - url: http://{{ pve_hosts.jellyfin.internal_ip }}:8096

ansible/roles/traefik/files/traefik.yml

@@ -3,17 +3,23 @@ entryPoints:
     address: :80
     proxyProtocol:
       trustedIPs:
-        - "{{ traefik_proxy_protocol_trusted_ips }}"
+        - "{{ wireguard.cidr }}"
+        - "{{ pve_hosts.internal_cidr }}"
+        - "{{ nebula.cidr }}"
   web-secure:
     address: :443
     proxyProtocol:
       trustedIPs:
-        - "{{ traefik_proxy_protocol_trusted_ips }}"
+        - "{{ wireguard.cidr }}"
+        - "{{ pve_hosts.internal_cidr }}"
+        - "{{ nebula.cidr }}"
   matrix:
     address: :8448
     proxyProtocol:
       trustedIPs:
-        - "{{ traefik_proxy_protocol_trusted_ips }}"
+        - "{{ wireguard.cidr }}"
+        - "{{ pve_hosts.internal_cidr }}"
+        - "{{ nebula.cidr }}"
   traefik:
     address: "{{ private_ip }}:8080"