From b6eca40ae0cb3229fb0f4b48099862c6d1132510 Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Wed, 7 Feb 2024 18:21:16 +0000
Subject: [PATCH] Allow tailscale IP in more places
---
 ansible/host_vars/casey/main.yml | 2 +-
 ansible/roles/base/files/ssh-jail.conf | 2 +-
 ansible/roles/base/files/sshd_config | 2 +-
 ansible/roles/gateway/files/nginx-fail2ban-jail.conf | 4 ++--
 ansible/roles/http_proxy/files/squid.conf | 2 +-
 ansible/roles/traefik/files/fail2ban/traefik-jail.conf | 2 +-
 ansible/roles/traefik/files/traefik.yml | 2 ++
 7 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/ansible/host_vars/casey/main.yml b/ansible/host_vars/casey/main.yml
index 71c02f2..b71e0f2 100644
--- a/ansible/host_vars/casey/main.yml
+++ b/ansible/host_vars/casey/main.yml
@@ -1,6 +1,6 @@
 nebula_is_lighthouse: true
 nebula_listen_port: "{{ nebula_lighthouse_port }}"
-ssh_extra_allowed_users: f2b@{{ nebula.cidr }} f2b@{{ pve_hosts.internal_cidr }}
+ssh_extra_allowed_users: f2b@{{ nebula.cidr }} f2b@{{ pve_hosts.internal_cidr }} f2b@{{ tailscale_cidr }}
 nginx_https_redirect: true
diff --git a/ansible/roles/base/files/ssh-jail.conf b/ansible/roles/base/files/ssh-jail.conf
index 0e97596..f31c5e5 100644
--- a/ansible/roles/base/files/ssh-jail.conf
+++ b/ansible/roles/base/files/ssh-jail.conf
@@ -4,4 +4,4 @@ bantime = 600
 findtime = 30
 maxretry = 5
 port = {{ ssh_port }},ssh
-ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }}
+ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ tailscale_cidr }}
diff --git a/ansible/roles/base/files/sshd_config b/ansible/roles/base/files/sshd_config
index 17951c6..1a8d024 100644
--- a/ansible/roles/base/files/sshd_config
+++ b/ansible/roles/base/files/sshd_config
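Review bot: The `ignoreip` line added in the ssh-jail.conf hunk is the same hand-maintained trusted-network list that this patch also extends in nginx-fail2ban-jail.conf (both stanzas), traefik-jail.conf, squid.conf, sshd_config and casey/main.yml — seven edits to admit one network, and nothing stops the lists drifting apart later. A single inventory variable, e.g. `trusted_cidrs` rendered as `ignoreip = {{ trusted_cidrs | join(",") }}`, would give all of the jails, the Squid ACL and the sshd `AllowUsers` line one source of truth. A short comment above the line would also help, since `ignoreip` exempts every address in these ranges from banning: `# overlay-network peers are never banned; keep in step with AllowUsers in sshd_config`. If `tailscale_cidr` is the whole 100.64.0.0/10 CGNAT block rather than this tailnet's own allocation, the exemption (and the sshd and Squid rules in the other hunks) also matches non-Tailscale traffic arriving from that range on a public interface, so it is worth confirming the value and that the firewall only accepts it on the Tailscale interface.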
@@ -2,7 +2,7 @@
 # Change to a high/odd port if this server is exposed to the internet directly
 Port {{ ssh_port }}
-AllowUsers {% if hostname_slug in pve_hosts %}{{ me.user }}@{{ pve_hosts.internal_cidr }}{% endif %} {% if hostname_slug in nebula.clients %}{{ me.user }}@{{ nebula.cidr }}{% endif %} {{ ssh_extra_allowed_users }}
+AllowUsers {% if hostname_slug in pve_hosts %}{{ me.user }}@{{ pve_hosts.internal_cidr }}{% endif %} {% if hostname_slug in nebula.clients %}{{ me.user }}@{{ nebula.cidr }}{% endif %} {{ me.user }}@{{ tailscale_cidr }} {{ ssh_extra_allowed_users }}
 # Bind to all interfaces (change to specific interface if needed)
 ListenAddress 0.0.0.0
diff --git a/ansible/roles/gateway/files/nginx-fail2ban-jail.conf b/ansible/roles/gateway/files/nginx-fail2ban-jail.conf
index 523b7ae..85bc426 100644
--- a/ansible/roles/gateway/files/nginx-fail2ban-jail.conf
+++ b/ansible/roles/gateway/files/nginx-fail2ban-jail.conf
@@ -6,9 +6,9 @@ maxretry = 100
 filter = nginx-tcp
 logpath = /var/log/nginx/ips.log
 port = http,https,8448
-ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ vps_hosts.values()|sort|join(",") }}
+ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
 [traefik]
 enabled = true
 port = http,https,8448
-ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ vps_hosts.values()|sort|join(",") }}
+ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
diff --git a/ansible/roles/http_proxy/files/squid.conf b/ansible/roles/http_proxy/files/squid.conf
index 416da5d..81c70ce 100644
--- a/ansible/roles/http_proxy/files/squid.conf
+++ b/ansible/roles/http_proxy/files/squid.conf
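Review bot: The new `{{ me.user }}@{{ tailscale_cidr }}` entry on the `AllowUsers` line is unconditional, while the pve and nebula entries beside it are wrapped in `{% if hostname_slug in ... %}` guards; every host that renders this template therefore needs `tailscale_cidr` defined (an undefined variable aborts the template task) and is granted the rule even where no Tailscale interface exists. Guarding it the same way, keyed on whatever inventory data marks a host as a tailnet member (placeholder: `{% if hostname_slug in tailscale_hosts %}{{ me.user }}@{{ tailscale_cidr }}{% endif %}`), keeps the line self-documenting about which hosts are meant to be reachable this way. Since the matching is by source address only, the `# Bind to all interfaces` context line below is the place to note that these CIDR-scoped entries rely on the firewall restricting each range to its own interface.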
@@ -2,7 +2,7 @@
 # Recommended minimum configuration:
 #
-acl hide_internal dst {{ wireguard.cidr }} {{ nebula.cidr }} {{ pve_hosts.internal_cidr }}
+acl hide_internal dst {{ wireguard.cidr }} {{ nebula.cidr }} {{ pve_hosts.internal_cidr }} {{ tailscale_cidr }}
 # Example rule allowing access from your local networks.
 # Adapt to list your (internal) IP networks from where browsing
diff --git a/ansible/roles/traefik/files/fail2ban/traefik-jail.conf b/ansible/roles/traefik/files/fail2ban/traefik-jail.conf
index 66efcbf..b3b5b0e 100644
--- a/ansible/roles/traefik/files/fail2ban/traefik-jail.conf
+++ b/ansible/roles/traefik/files/fail2ban/traefik-jail.conf
@@ -6,5 +6,5 @@ maxretry = 5
 filter = traefik
 logpath = /tmp/traefik-logs/access.log
 port = http,https
-ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ vps_hosts.values()|sort|join(",") }}
+ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
 action = gateway
diff --git a/ansible/roles/traefik/files/traefik.yml b/ansible/roles/traefik/files/traefik.yml
index a530ee7..13bd1ff 100644
--- a/ansible/roles/traefik/files/traefik.yml
+++ b/ansible/roles/traefik/files/traefik.yml
@@ -11,6 +11,7 @@ entryPoints:
 - "{{ wireguard.cidr }}"
 - "{{ pve_hosts.internal_cidr }}"
 - "{{ nebula.cidr }}"
+ - "{{ tailscale_cidr }}"
 web-secure:
 address: :443
 http:
@@ -33,6 +34,7 @@ entryPoints:
 - "{{ wireguard.cidr }}"
 - "{{ pve_hosts.internal_cidr }}"
 - "{{ nebula.cidr }}"
+ - "{{ tailscale_cidr }}"
 traefik:
 address: :8080
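Review bot: The `- "{{ tailscale_cidr }}"` item added in the traefik.yml `@@ -11,6 +11,7 @@` hunk (and again in `@@ -33,6 +34,7 @@`) makes every address on the tailnet a trusted peer for the entry point it belongs to; the owning key is outside the hunk and indentation is lost in this view, but the sibling entries read like a `forwardedHeaders`/`proxyProtocol` `trustedIPs` list, which means the client address Traefik writes to `/tmp/traefik-logs/access.log` — the file the traefik fail2ban jail in this same patch bans from — is taken on faith from those hosts. If only one gateway forwards traffic over Tailscale, listing that host's address instead of the whole range keeps the trust boundary as narrow as the deployment actually needs. A comment on each list would make the intent reviewable, e.g. `# upstream hops whose X-Forwarded-* / PROXY headers are believed; keep narrower than the fail2ban ignoreip ranges`, and the exact key should be confirmed in the file before merging.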