From 643d843bfb279faea5f07084360fbf818b872755 Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Sat, 30 Jan 2021 22:59:56 +0000
Subject: [PATCH] Enable unsafe routing to PVE network over nebula

---
 ansible/galaxy-requirements.yml | 1 +
 ansible/main.yml | 2 +
 ansible/roles/nebula/files/certs/ingress.crt | 39 ++++++++++----------
 ansible/roles/nebula/files/certs/ingress.key | 20 +++++-----
 ansible/roles/nebula/files/nebula.yml | 8 +++-
 ansible/roles/nebula/tasks/main.yml | 11 ++++++
 6 files changed, 50 insertions(+), 31 deletions(-)

diff --git a/ansible/galaxy-requirements.yml b/ansible/galaxy-requirements.yml
index 4a6521e..85da69e 100644
--- a/ansible/galaxy-requirements.yml
+++ b/ansible/galaxy-requirements.yml
@@ -3,3 +3,4 @@
 - src: realorangeone.reflector
 - src: https://github.com/IronicBadger/ansible-role-proxmox-nag-removal
   name: proxmox-nag-removal
+- src: chmduquesne.iptables_persistent
diff --git a/ansible/main.yml b/ansible/main.yml
index 35bffe6..f2093c3 100644
--- a/ansible/main.yml
+++ b/ansible/main.yml
@@ -47,6 +47,8 @@
 - hosts: ingress
   roles:
+    - role: chmduquesne.iptables_persistent
+      become: true
     - ingress
     - nebula
diff --git a/ansible/roles/nebula/files/certs/ingress.crt b/ansible/roles/nebula/files/certs/ingress.crt
index 5c509cd..8284d36 100644
--- a/ansible/roles/nebula/files/certs/ingress.crt
+++ b/ansible/roles/nebula/files/certs/ingress.crt
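Review bot: The new `- src: chmduquesne.iptables_persistent` entry in galaxy-requirements.yml carries no `version:`, so every `ansible-galaxy install` resolves to whatever the author has most recently published, and code that manages the firewall as root on ingress (main.yml runs the role with `become: true`) can change without any commit here. Pin it on the line below the src, `version: "<pinned release tag>"` (placeholder), and bump it deliberately; the neighbouring GitHub-sourced role would benefit from the same treatment, but that is outside this hunk.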
@@ -1,20 +1,21 @@
 $ANSIBLE_VAULT;1.1;AES256
-39323766353534666565353365343264316566373835373965323039643032326630356163346466
-6231396366316132363365626364333739363261633539660a636239303437343964663937616333
-34643531646239656531636663613536396333386563366539623533366136656664333934336561
-3632663565613633380a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a336338333734616561623734653737
+63313162393834333636313763643832643861643635633534343364643436646166363337353135
+6661386263333064640a663737306436356639336234633961363836633161376237366439653931
+65323761333863316530313331343730656436376435346230333466363265303734396432373065
+65386139643266333539313162393632643038343364323438653230623461626266393864633261
+65323361623639376562393538326431396238643263376366396632333962396264653730623466
+63383463363832613738616461656638616330333733663164346562386630653734313463653461
+33336563656534613339323536666265313435396563653033613835386630313465666466396330
+64336631343364383734613839356639346165313633326130376634663537336261366238623637
+38306435313861653232323666643235303930636137636165633838313962306438333236313135
+61313638343066646261613530623039316439386637326335376264653032396235306431363134
+35353932363565633463653330633339343331343366393436666166343130643038666230383431
+36353138623533633865333837633035666566376264313737373861373834306132653662393037
+36393538373964366564323963386664313832303439393166633636336637396262613331333862
+38663164613230323762343833396231366139643836623665326231626533323433636164613736
+37653163663131333332366339613337376635623064383935303038646336373361346366616636
+62363162633835353937323565646665313730396633383835313662306161383466383562333462
+39363234646365343938393733323463333764623638363238643037323065303865633066333666
+61363731646566366663
diff --git a/ansible/roles/nebula/files/certs/ingress.key b/ansible/roles/nebula/files/certs/ingress.key
index b6e5017..cdccb2a 100644
--- a/ansible/roles/nebula/files/certs/ingress.key
+++ b/ansible/roles/nebula/files/certs/ingress.key
@@ -1,11 +1,11 @@
 $ANSIBLE_VAULT;1.1;AES256
-36326234316536306532643962333761653138383133376665336236663261643765666536373163
-6637363962666264306238346538333233356162663432610a386466313439626433383664353435
-32656534326534336136323136336139643562633264346538643536316563613664303963653262
-6361616138343439310a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a303031326164616563623632653037
+35636633653731616533373862663839646462383830616634656630376231343639643434366437
+3933353135646430320a343366386363643037323538323132646366393165383935363236643934
+61336261383633636464316563306631333131393861373963636637656262393231663035333164
+65653537626365613335313363313765373561333466613365336239363136346531333335323461
+38393737376365663533386365353035346539333566343938336136623134633736613936656461
+35663634363332366530626233663333663963343764316633366337663166393335376638393037
+38376331626266353431623235353462626230663230323666346636306439646164333965396539
+3764336237653833366565313531366462336130303565346639
diff --git a/ansible/roles/nebula/files/nebula.yml b/ansible/roles/nebula/files/nebula.yml
index ba492fd..74e06c5 100644
--- a/ansible/roles/nebula/files/nebula.yml
+++ b/ansible/roles/nebula/files/nebula.yml
@@ -11,9 +11,9 @@ lighthouse:
   am_lighthouse: "{{ nebula_is_lighthouse | lower }}"
   interval: 60
   hosts:
-    {% if not nebula_is_lighthouse %}
+{% if not nebula_is_lighthouse %}
     - "{{ nebula_lighthouse_ip }}"
-    {% endif %}
+{% endif %}
 listen:
   host: 0.0.0.0
@@ -31,6 +31,10 @@ tun:
   mtu: 1300
   routes:
   unsafe_routes:
+{% if ansible_fqdn != "ingress" %}
+    - route: 10.23.1.0/24
+      via: "{{ nebula.clients.ingress.ip }}"
+{% endif %}
 logging:
diff --git a/ansible/roles/nebula/tasks/main.yml b/ansible/roles/nebula/tasks/main.yml
index f8a57db..d5ea5f9 100644
--- a/ansible/roles/nebula/tasks/main.yml
+++ b/ansible/roles/nebula/tasks/main.yml
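Review bot: The `{% if ansible_fqdn != "ingress" %}` guard around the new unsafe route compares a gathered FQDN with a bare host name; if the hosts carry a domain suffix the condition is true on ingress as well, giving ingress a route to 10.23.1.0/24 via its own nebula address, while the matching `when: ansible_fqdn == "ingress"` on the MASQUERADE task in roles/nebula/tasks/main.yml would never fire. Since the play in main.yml targets `hosts: ingress`, `{% if inventory_hostname != "ingress" %}` here (and `when: inventory_hostname == "ingress"` in the task) is the stable check. Separately, this entry makes the PVE network reachable from every nebula peer whose traffic ingress's `firewall.inbound` rules admit, and nothing in the patch shows those rules; a comment above the route such as `# Forwarded by ingress; who may use this route is decided by ingress's firewall.inbound rules, not here` would keep that dependency visible to the next editor.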
@@ -53,3 +53,14 @@
     name: nebula
     enabled: true
   become: true
+
+- name: Enable unsafe routing
+  iptables:
+    table: nat
+    chain: POSTROUTING
+    out_interface: ens18
+    source: "{{ nebula.subnet }}"
+    jump: MASQUERADE
+  notify: persist iptables
+  become: true
+  when: ansible_fqdn == "ingress"
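Review bot: The new task only masquerades traffic from `{{ nebula.subnet }}` leaving ens18; nothing in the hunk limits what that traffic may reach, so with a permissive FORWARD policy any nebula peer can reach every network routable from ens18, not just the 10.23.1.0/24 route this commit advertises, and the masquerade also replaces the originating peer's address with ingress's in PVE-side logs. Add FORWARD rules that accept only the intended destination and drop the rest, and scope the NAT rule with `destination: 10.23.1.0/24`, as sketched below. The task also relies on `net.ipv4.ip_forward` being enabled on ingress and on a `persist iptables` handler being present in the play; neither appears in this patch, so confirm both are provided elsewhere (presumably the chmduquesne.iptables_persistent role added in main.yml supplies the handler).
```yaml
- name: Allow nebula peers to reach the PVE network via ingress
  iptables:
    chain: FORWARD
    source: "{{ nebula.subnet }}"
    destination: 10.23.1.0/24
    out_interface: ens18
    jump: ACCEPT
  notify: persist iptables
  become: true
  when: ansible_fqdn == "ingress"

- name: Drop any other forwarded traffic from the nebula subnet
  iptables:
    chain: FORWARD
    source: "{{ nebula.subnet }}"
    jump: DROP
  notify: persist iptables
  become: true
  when: ansible_fqdn == "ingress"

# … unchanged: the "Enable unsafe routing" MASQUERADE task, with `destination: 10.23.1.0/24` added under its iptables args …
```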