diff --git a/ansible/group_vars/all/pve.yml b/ansible/group_vars/all/pve.yml index 53c4951..291fe2c 100644 --- a/ansible/group_vars/all/pve.yml +++ b/ansible/group_vars/all/pve.yml @@ -1,5 +1,6 @@ pve_hosts: internal_cidr: 10.23.1.0/24 + internal_cidr_ipv6: fde3:15e9:e883::1/48 pve: ip: 10.23.1.1 external_ip: 192.168.2.200 @@ -7,17 +8,19 @@ pve_hosts: ip: 10.23.1.11 forrest: ip: 10.23.1.13 + ipv6: fde3:15e9:e883::103 jellyfin: ip: 10.23.1.101 dokku: ip: 10.23.1.102 docker: ip: 10.23.1.103 + ipv6: fde3:15e9:e883::203 ingress: ip: 10.23.1.10 external_ip: 192.168.2.201 external_ipv6: "{{ vault_ingress_ipv6 }}" - link_local: fe80::d4e4:22ff:fe8b:429d + ipv6: fde3:15e9:e883::100 homeassistant: ip: 192.168.2.203 qbittorrent: diff --git a/ansible/roles/base/files/ssh-jail.conf b/ansible/roles/base/files/ssh-jail.conf index f31c5e5..b1148e9 100644 --- a/ansible/roles/base/files/ssh-jail.conf +++ b/ansible/roles/base/files/ssh-jail.conf @@ -4,4 +4,4 @@ bantime = 600 findtime = 30 maxretry = 5 port = {{ ssh_port }},ssh -ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ tailscale_cidr }} +ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ tailscale_cidr }} diff --git a/ansible/roles/forrest/tasks/main.yml b/ansible/roles/forrest/tasks/main.yml index 289e26e..4e4accf 100644 --- a/ansible/roles/forrest/tasks/main.yml +++ b/ansible/roles/forrest/tasks/main.yml @@ -28,7 +28,7 @@ - add - "{{ vps_hosts.private_ipv6_range }}" - via - - "{{ pve_hosts.ingress.link_local }}" + - "{{ pve_hosts.ingress.ipv6 }}" - dev - eth0 become: true diff --git a/ansible/roles/gateway/files/nginx-fail2ban-jail.conf b/ansible/roles/gateway/files/nginx-fail2ban-jail.conf index 85bc426..e6218ab 100644 --- a/ansible/roles/gateway/files/nginx-fail2ban-jail.conf +++ b/ansible/roles/gateway/files/nginx-fail2ban-jail.conf 
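Review bot: `internal_cidr_ipv6: fde3:15e9:e883::1/48` carries host bits in a value that every consumer in this commit treats as a network (fail2ban `ignoreip`, Traefik `sourceRange`); write the network address so nothing has to mask it, and confirm the width, since the IPv4 counterpart `internal_cidr` is one /24 while a /48 trusts every subnet under the ULA prefix, though all hosts added here sit in `fde3:15e9:e883::/64`. Suggest `internal_cidr_ipv6: fde3:15e9:e883::/64` (or `fde3:15e9:e883::/48` if the whole prefix is really meant to be trusted) with a comment stating which subnets it covers. Most CIDR parsers accept host bits, so the current value probably works, but as written it reads as a host address rather than a range.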
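Review bot: Replacing `link_local` with `ipv6` under `ingress` removes a key, so any template still referencing `pve_hosts.ingress.link_local` will hit an undefined variable at render time; the diff updates only the forrest role, so check the other consumers or keep both keys until they are migrated. The new ULA suffixes (`::103`, `::203`, `::100` for hosts .13, .103 and .10) do not follow an obvious rule, so a comment above the first `ipv6:` line such as `# ULA host addresses on fde3:15e9:e883::/64; suffixes are assigned by hand, keep in sync with each host's interface config` would help the next maintainer.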
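Review bot: The `ignoreip` line now carries the same hand-edited list that `nginx-fail2ban-jail.conf` (both jails) and `traefik-jail.conf` repeat in this commit, each gaining `{{ pve_hosts.internal_cidr_ipv6 }}` separately; one definition would keep the four copies from drifting the next time a range is added. Define the list once, e.g. a group var `fail2ban_ignoreip: ["{{ wireguard.cidr }}", "{{ nebula.cidr }}", "{{ pve_hosts.internal_cidr }}", "{{ pve_hosts.internal_cidr_ipv6 }}", "{{ tailscale_cidr }}"]`, and render `ignoreip = {{ fail2ban_ignoreip | join(',') }}` in each jail, with the gateway and traefik jails appending their VPS entries. Because `ignoreip` is the set of sources the jail can never ban, a one-line comment above it naming what each entry is would make later additions easier to review.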
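Review bot: The next hop for `{{ vps_hosts.private_ipv6_range }}` changes from ingress's link-local address to its ULA `{{ pve_hosts.ingress.ipv6 }}`; `ip route add ... via <gw> dev eth0` needs that gateway to be on-link when the task runs, which a link-local address always was, so if the ULA is assigned by another play or by the ingress host itself this task likely has to be ordered after it or the kernel rejects the gateway. A comment on the task, `# next hop is ingress's ULA on the internal bridge; it must be on-link on eth0 before this runs`, would record the assumption. The task's `name` and `command` lines start outside the hunk, so whether it already tolerates an existing route is not visible here.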
@@ -6,9 +6,9 @@ maxretry = 100 filter = nginx-tcp logpath = /var/log/nginx/ips.log port = http,https,8448 -ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }} +ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }} [traefik] enabled = true port = http,https,8448 -ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }} +ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }} diff --git a/ansible/roles/traefik/files/fail2ban/traefik-jail.conf b/ansible/roles/traefik/files/fail2ban/traefik-jail.conf index b3b5b0e..b606c1a 100644 --- a/ansible/roles/traefik/files/fail2ban/traefik-jail.conf +++ b/ansible/roles/traefik/files/fail2ban/traefik-jail.conf @@ -6,5 +6,5 @@ maxretry = 5 filter = traefik logpath = /tmp/traefik-logs/access.log port = http,https -ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }} +ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }} action = gateway diff --git a/ansible/roles/traefik/files/file-provider-main.yml b/ansible/roles/traefik/files/file-provider-main.yml index 378c911..5ea6539 100644 --- a/ansible/roles/traefik/files/file-provider-main.yml +++ b/ansible/roles/traefik/files/file-provider-main.yml @@ -15,6 +15,7 @@ http: - "{{ tailscale_cidr }}" - "{{ tailscale_cidr_ipv6 }}" - "{{ pve_hosts.forrest.ip }}" + - "{{ pve_hosts.forrest.ipv6 }}" private-access: ipWhiteList: 
@@ -23,3 +24,4 @@ http: - "{{ tailscale_cidr_ipv6 }}" - "{{ nebula.cidr }}" - "{{ pve_hosts.internal_cidr }}" + - "{{ pve_hosts.internal_cidr_ipv6 }}"
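Review bot: `private-access` now admits all of `{{ pve_hosts.internal_cidr_ipv6 }}`, which this commit sets to `fde3:15e9:e883::1/48`, while its IPv4 sibling `pve_hosts.internal_cidr` is a single /24; if `vps_hosts.private_ipv6_range` (routed through ingress in the forrest role) lies under the same /48, VPS-originated traffic would satisfy the private-only middleware. Either narrow the variable to the /64 the PVE hosts actually use or confirm the two ranges are disjoint, and add a comment above the entry such as `# internal PVE bridge only; must not overlap vps_hosts.private_ipv6_range`. The middleware definition starts outside the hunk.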