From b6eca40ae0cb3229fb0f4b48099862c6d1132510 Mon Sep 17 00:00:00 2001
From: Jake Howard <git@theorangeone.net>
Date: Wed, 7 Feb 2024 18:21:16 +0000
Subject: [PATCH] Allow tailscale IP in more places

---
 ansible/host_vars/casey/main.yml                       | 2 +-
 ansible/roles/base/files/ssh-jail.conf                 | 2 +-
 ansible/roles/base/files/sshd_config                   | 2 +-
 ansible/roles/gateway/files/nginx-fail2ban-jail.conf   | 4 ++--
 ansible/roles/http_proxy/files/squid.conf              | 2 +-
 ansible/roles/traefik/files/fail2ban/traefik-jail.conf | 2 +-
 ansible/roles/traefik/files/traefik.yml                | 2 ++
 7 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/ansible/host_vars/casey/main.yml b/ansible/host_vars/casey/main.yml
index 71c02f2..b71e0f2 100644
--- a/ansible/host_vars/casey/main.yml
+++ b/ansible/host_vars/casey/main.yml
@@ -1,6 +1,6 @@
 nebula_is_lighthouse: true
 nebula_listen_port: "{{ nebula_lighthouse_port }}"
-ssh_extra_allowed_users: f2b@{{ nebula.cidr }} f2b@{{ pve_hosts.internal_cidr }}
+ssh_extra_allowed_users: f2b@{{ nebula.cidr }} f2b@{{ pve_hosts.internal_cidr }} f2b@{{ tailscale_cidr }}
 
 nginx_https_redirect: true
 
diff --git a/ansible/roles/base/files/ssh-jail.conf b/ansible/roles/base/files/ssh-jail.conf
index 0e97596..f31c5e5 100644
--- a/ansible/roles/base/files/ssh-jail.conf
+++ b/ansible/roles/base/files/ssh-jail.conf
@@ -4,4 +4,4 @@ bantime  = 600
 findtime = 30
 maxretry = 5
 port     = {{ ssh_port }},ssh
-ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }}
+ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ tailscale_cidr }}
diff --git a/ansible/roles/base/files/sshd_config b/ansible/roles/base/files/sshd_config
index 17951c6..1a8d024 100644
--- a/ansible/roles/base/files/sshd_config
+++ b/ansible/roles/base/files/sshd_config
@@ -2,7 +2,7 @@
 # Change to a high/odd port if this server is exposed to the internet directly
 Port {{ ssh_port }}
 
-AllowUsers {% if hostname_slug in pve_hosts %}{{ me.user }}@{{ pve_hosts.internal_cidr }}{% endif %} {% if hostname_slug in nebula.clients %}{{ me.user }}@{{ nebula.cidr }}{% endif %} {{ ssh_extra_allowed_users }}
+AllowUsers {% if hostname_slug in pve_hosts %}{{ me.user }}@{{ pve_hosts.internal_cidr }}{% endif %} {% if hostname_slug in nebula.clients %}{{ me.user }}@{{ nebula.cidr }}{% endif %} {{ me.user }}@{{ tailscale_cidr }} {{ ssh_extra_allowed_users }}
 
 # Bind to all interfaces (change to specific interface if needed)
 ListenAddress 0.0.0.0
diff --git a/ansible/roles/gateway/files/nginx-fail2ban-jail.conf b/ansible/roles/gateway/files/nginx-fail2ban-jail.conf
index 523b7ae..85bc426 100644
--- a/ansible/roles/gateway/files/nginx-fail2ban-jail.conf
+++ b/ansible/roles/gateway/files/nginx-fail2ban-jail.conf
@@ -6,9 +6,9 @@ maxretry = 100
 filter   = nginx-tcp
 logpath  = /var/log/nginx/ips.log
 port     = http,https,8448
-ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ vps_hosts.values()|sort|join(",") }}
+ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
 
 [traefik]
 enabled = true
 port     = http,https,8448
-ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ vps_hosts.values()|sort|join(",") }}
+ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
diff --git a/ansible/roles/http_proxy/files/squid.conf b/ansible/roles/http_proxy/files/squid.conf
index 416da5d..81c70ce 100644
--- a/ansible/roles/http_proxy/files/squid.conf
+++ b/ansible/roles/http_proxy/files/squid.conf
@@ -2,7 +2,7 @@
 # Recommended minimum configuration:
 #
 
-acl hide_internal dst {{ wireguard.cidr }} {{ nebula.cidr }} {{ pve_hosts.internal_cidr }}
+acl hide_internal dst {{ wireguard.cidr }} {{ nebula.cidr }} {{ pve_hosts.internal_cidr }} {{ tailscale_cidr }}
 
 # Example rule allowing access from your local networks.
 # Adapt to list your (internal) IP networks from where browsing
diff --git a/ansible/roles/traefik/files/fail2ban/traefik-jail.conf b/ansible/roles/traefik/files/fail2ban/traefik-jail.conf
index 66efcbf..b3b5b0e 100644
--- a/ansible/roles/traefik/files/fail2ban/traefik-jail.conf
+++ b/ansible/roles/traefik/files/fail2ban/traefik-jail.conf
@@ -6,5 +6,5 @@ maxretry = 5
 filter   = traefik
 logpath = /tmp/traefik-logs/access.log
 port     = http,https
-ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ vps_hosts.values()|sort|join(",") }}
+ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }}
 action = gateway
diff --git a/ansible/roles/traefik/files/traefik.yml b/ansible/roles/traefik/files/traefik.yml
index a530ee7..13bd1ff 100644
--- a/ansible/roles/traefik/files/traefik.yml
+++ b/ansible/roles/traefik/files/traefik.yml
@@ -11,6 +11,7 @@ entryPoints:
         - "{{ wireguard.cidr }}"
         - "{{ pve_hosts.internal_cidr }}"
         - "{{ nebula.cidr }}"
+        - "{{ tailscale_cidr }}"
   web-secure:
     address: :443
     http:
@@ -33,6 +34,7 @@ entryPoints:
         - "{{ wireguard.cidr }}"
         - "{{ pve_hosts.internal_cidr }}"
         - "{{ nebula.cidr }}"
+        - "{{ tailscale_cidr }}"
   traefik:
     address: :8080