Enable unsafe routing to PVE network over nebula

This commit is contained in:
Jake Howard 2021-01-30 22:59:56 +00:00
parent da301eb7dd
commit 643d843bfb
Signed by: jake
GPG key ID: 57AFB45680EDD477
6 changed files with 50 additions and 31 deletions

View file

@ -3,3 +3,4 @@
- src: realorangeone.reflector - src: realorangeone.reflector
- src: https://github.com/IronicBadger/ansible-role-proxmox-nag-removal - src: https://github.com/IronicBadger/ansible-role-proxmox-nag-removal
name: proxmox-nag-removal name: proxmox-nag-removal
- src: chmduquesne.iptables_persistent

View file

@ -47,6 +47,8 @@
- hosts: ingress - hosts: ingress
roles: roles:
- role: chmduquesne.iptables_persistent
become: true
- ingress - ingress
- nebula - nebula

View file

@ -1,20 +1,21 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
39323766353534666565353365343264316566373835373965323039643032326630356163346466 33613132393536346238646436336337333631646337353863653235313463663238393731313438
6231396366316132363365626364333739363261633539660a636239303437343964663937616333 6630633261383936623762313834333233653036376663620a336338333734616561623734653737
34643531646239656531636663613536396333386563366539623533366136656664333934336561 63313162393834333636313763643832643861643635633534343364643436646166363337353135
3632663565613633380a613262386463316630333666343338613138646238363563643465373937 6661386263333064640a663737306436356639336234633961363836633161376237366439653931
30383062386266316339353535656462623862303337636431653038376434356436666132396638 65323761333863316530313331343730656436376435346230333466363265303734396432373065
39313638373539626536366138336135323562366163323865363336376661363339616539323838 65386139643266333539313162393632643038343364323438653230623461626266393864633261
31336234323234383630336636303932333130363965383834303634353766313364636437383365 65323361623639376562393538326431396238643263376366396632333962396264653730623466
32646461396239343531643664666632326263343934636162356237333535393936363530366138 63383463363832613738616461656638616330333733663164346562386630653734313463653461
33373463656334636332356331333363633130353363383762343336353033306565363362383235 33336563656534613339323536666265313435396563653033613835386630313465666466396330
35633237343434333230363234383663383037656664303462636161303534666236663938356438 64336631343364383734613839356639346165313633326130376634663537336261366238623637
32383334373964356364613033613835646132663462623663343363323563613836663266323833 38306435313861653232323666643235303930636137636165633838313962306438333236313135
64346332323431643964393338633564316436363136313034383037323731626662653364383630 61313638343066646261613530623039316439386637326335376264653032396235306431363134
30323138376439323134343035336538363231393036663234636363316530643661336264653730 35353932363565633463653330633339343331343366393436666166343130643038666230383431
66333665643662346334353562396536373436343464623732653665323732396433363364383731 36353138623533633865333837633035666566376264313737373861373834306132653662393037
36643761626162643136313036356164386661303238386665373165313261646666656562353864 36393538373964366564323963386664313832303439393166633636336637396262613331333862
30613761633532623464323561613063303663343062636533656135366230326534303530373562 38663164613230323762343833396231366139643836623665326231626533323433636164613736
66633963343634363463376434323030326439343865356333626437613033363832303134396233 37653163663131333332366339613337376635623064383935303038646336373361346366616636
35343461666338396230346463653262666536333538393762343734643731306130353439653934 62363162633835353937323565646665313730396633383835313662306161383466383562333462
353831323464636265326662623339356536 39363234646365343938393733323463333764623638363238643037323065303865633066333666
61363731646566366663

View file

@ -1,11 +1,11 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
36326234316536306532643962333761653138383133376665336236663261643765666536373163 64383037313331303138303765616563663233333366613162363534626131653635626639343437
6637363962666264306238346538333233356162663432610a386466313439626433383664353435 3134643661613762373363616435366335303838623061640a303031326164616563623632653037
32656534326534336136323136336139643562633264346538643536316563613664303963653262 35636633653731616533373862663839646462383830616634656630376231343639643434366437
6361616138343439310a396133646138623935373634316161376337346534336530636566653364 3933353135646430320a343366386363643037323538323132646366393165383935363236643934
33653932383261643964333862373735646363366136386532666164333464303966313061363061 61336261383633636464316563306631333131393861373963636637656262393231663035333164
65363235656164343566653034313163313163373464386639306138386536613236376336373536 65653537626365613335313363313765373561333466613365336239363136346531333335323461
64383037636433333233363532633338643737366133316465646537623535316663663363613931 38393737376365663533386365353035346539333566343938336136623134633736613936656461
65366639323663653534636131323439663338636633656331383961346536376366626532326130 35663634363332366530626233663333663963343764316633366337663166393335376638393037
36663564383839346237343137313964653764656532663461373161613836313566616164636335 38376331626266353431623235353462626230663230323666346636306439646164333965396539
6166613333643234313630363134643733343038666234356165 3764336237653833366565313531366462336130303565346639

View file

@ -11,9 +11,9 @@ lighthouse:
am_lighthouse: "{{ nebula_is_lighthouse | lower }}" am_lighthouse: "{{ nebula_is_lighthouse | lower }}"
interval: 60 interval: 60
hosts: hosts:
{% if not nebula_is_lighthouse %} {% if not nebula_is_lighthouse %}
- "{{ nebula_lighthouse_ip }}" - "{{ nebula_lighthouse_ip }}"
{% endif %} {% endif %}
listen: listen:
host: 0.0.0.0 host: 0.0.0.0
@ -31,6 +31,10 @@ tun:
mtu: 1300 mtu: 1300
routes: routes:
unsafe_routes: unsafe_routes:
{% if ansible_fqdn != "ingress" %}
- route: 10.23.1.0/24
via: "{{ nebula.clients.ingress.ip }}"
{% endif %}
logging: logging:

View file

@ -53,3 +53,14 @@
name: nebula name: nebula
enabled: true enabled: true
become: true become: true
- name: Enable unsafe routing
iptables:
table: nat
chain: POSTROUTING
out_interface: ens18
source: "{{ nebula.subnet }}"
jump: MASQUERADE
notify: persist iptables
become: true
when: ansible_fqdn == "ingress"