From f88d224168694ef1a2509688197d3e6fdaf268d8 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Thu, 7 Mar 2024 22:30:10 +0000 Subject: [PATCH] Allow only exposing services over Tailscale This works using public DNS, so doesn't need Tailscale's magic DNS to override my local. --- ansible/group_vars/all/tailscale.yml | 1 + ansible/group_vars/all/vps-hosts.yml | 2 ++ ansible/roles/gateway/files/nginx.conf | 14 ++++++++++++++ ansible/roles/ingress/files/nginx.conf | 2 ++ .../pve_docker/files/whoami/docker-compose.yml | 3 +++ ansible/roles/traefik/files/file-provider-main.yml | 6 ++++++ terraform/casey_vps.tf | 10 ++++++++++ terraform/context.tf | 2 ++ terraform/sys_domains.tf | 8 ++++++++ terraform/theorangeone.net.tf | 8 ++++++++ 10 files changed, 56 insertions(+) diff --git a/ansible/group_vars/all/tailscale.yml b/ansible/group_vars/all/tailscale.yml index 0a954c9..c9bc3c0 100644 --- a/ansible/group_vars/all/tailscale.yml +++ b/ansible/group_vars/all/tailscale.yml @@ -2,5 +2,6 @@ tailscale_up_skip: true tailscale_cidr: 100.64.0.0/24 # It's really /10, but I don't use that many IPs +tailscale_cidr_ipv6: fd7a:115c:a1e0::/120 # It's really /48, but I don't use that many IPs tailscale_port: 41641 diff --git a/ansible/group_vars/all/vps-hosts.yml b/ansible/group_vars/all/vps-hosts.yml index 555954b..1e0fd83 100755 --- a/ansible/group_vars/all/vps-hosts.yml +++ b/ansible/group_vars/all/vps-hosts.yml @@ -1,3 +1,5 @@ "vps_hosts": "casey_ip": "213.219.38.11" + "private_ipv6_marker": "2a01:7e00:e000:7f7::1" + "private_ipv6_range": "2a01:7e00:e000:7f7::1/128" "walker_ip": "192.248.168.230" diff --git a/ansible/roles/gateway/files/nginx.conf b/ansible/roles/gateway/files/nginx.conf index 070cb88..2dcf1ed 100644 --- a/ansible/roles/gateway/files/nginx.conf +++ b/ansible/roles/gateway/files/nginx.conf 
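Review bot: The comment on the new `tailscale_cidr_ipv6` line records that the real range is a /48 but not what truncating it to /120 means for the consumer; since this value (and `tailscale_cidr` above it) feeds the `ipAllowList` added in file-provider-main.yml, the truncation is fail-closed, so a node assigned an address outside the first 256 hosts is refused rather than admitted. That is the safe direction, but it is worth stating so the range is not widened casually or assumed to be cosmetic. Suggest `# Deliberately narrower than the real /48: it feeds an allow-list, so nodes outside this range are denied, not admitted`, and the same wording on the existing `tailscale_cidr` line. The vps-hosts.yml hunk is the terraform-generated file from context.tf, so nothing to add there.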
@@ -21,6 +21,20 @@ map $ssl_preread_server_name $gateway_destination { server { listen 443; listen 8448; + listen [::]:443; + listen [::]:8448; proxy_pass $gateway_destination; proxy_protocol on; } + +server { + listen [{{ vps_hosts.private_ipv6_marker }}]:443; + listen [{{ vps_hosts.private_ipv6_marker }}]:8448; + + access_log off; + + deny all; + + # This is never used, but need to keep nginx happy + proxy_pass 127.0.0.1:80; +} diff --git a/ansible/roles/ingress/files/nginx.conf b/ansible/roles/ingress/files/nginx.conf index 2b14cb8..270ef0d 100644 --- a/ansible/roles/ingress/files/nginx.conf +++ b/ansible/roles/ingress/files/nginx.conf @@ -9,6 +9,8 @@ access_log /var/log/nginx/access.log access; server { listen 443; listen 8448; + listen [::]:443; + listen [::]:8448; proxy_pass {{ pve_hosts.docker.ip }}:443; proxy_protocol on; proxy_socket_keepalive on; diff --git a/ansible/roles/pve_docker/files/whoami/docker-compose.yml b/ansible/roles/pve_docker/files/whoami/docker-compose.yml index 20803d8..3ed149d 100644 --- a/ansible/roles/pve_docker/files/whoami/docker-compose.yml +++ b/ansible/roles/pve_docker/files/whoami/docker-compose.yml @@ -7,6 +7,9 @@ services: labels: - traefik.enable=true - traefik.http.routers.whoami.rule=Host(`whoami.theorangeone.net`) || Host(`whoami-cdn.theorangeone.net`) + + - traefik.http.routers.whoami-private.rule=Host(`whoami-private.theorangeone.net`) + - traefik.http.routers.whoami-private.middlewares=tailscale-only@file networks: - default - traefik diff --git a/ansible/roles/traefik/files/file-provider-main.yml b/ansible/roles/traefik/files/file-provider-main.yml index 013625a..75d7438 100644 --- a/ansible/roles/traefik/files/file-provider-main.yml +++ b/ansible/roles/traefik/files/file-provider-main.yml @@ -8,3 +8,9 @@ http: headers: customResponseHeaders: Permissions-Policy: interest-cohort=() + + tailscale-only: + ipAllowList: + sourceRange: + - "{{ tailscale_cidr }}" + - "{{ tailscale_cidr_ipv6 }}" 
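Review bot: The `deny all` server block is the only thing stopping the new `listen [::]:443` / `[::]:8448` lines in the block above it from proxying public hits on the marker address to `$gateway_destination`, and that depends on nginx preferring the most specific `listen` address; a comment recording the dependency would stop a future cleanup from dropping the block, e.g. `# More specific than [::]:443 above, so public hits on the marker address are refused here instead of proxied`. The refusal also happens after the TCP accept, so the marker address stays visibly listening on both ports; dropping public inbound to it in `linode_firewall.casey` (its rules are outside this patch) would be a stronger first line with nginx as the backstop. If the /128 were advertised as a Tailscale subnet route from casey itself, Tailscale-sourced connections would land on this same listener and be denied as well; presumably the route is served from the ingress host, which is what the `listen [::]:443` added to ingress/nginx.conf suggests, but that is not visible here.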
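Review bot: The `whoami-private` router is selected on the Host header alone, so a request arriving over the ordinary public path (gateway, ingress, Traefik) with `Host: whoami-private.theorangeone.net` still reaches this router; the separate AAAA record and the `deny all` on the marker address enforce nothing at this layer, the `tailscale-only@file` middleware does. A label comment making that explicit, `# Host match is reachable from the public path; tailscale-only is the actual access control`, would keep the middleware from being removed as redundant. Any further private router added alongside should attach the same middleware.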
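Review bot: `ipAllowList` compares whatever address Traefik takes as the client, so the new `tailscale-only` middleware is only as trustworthy as that address; with the gateway and ingress both forwarding via `proxy_protocol on`, the entry point has to accept PROXY protocol from the ingress only (`proxyProtocol.trustedIPs`), and the middleware should keep the default `ipStrategy` (remote address) rather than a `depth`-based X-Forwarded-For lookup, which an external client can influence. Neither the entry point nor any `ipStrategy` setting is in this patch, so this is something to confirm rather than a defect I can point at. A comment on the middleware, `# Relies on the entrypoint trusting PROXY protocol from the ingress only; do not add ipStrategy.depth`, would record the dependency.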
diff --git a/terraform/casey_vps.tf b/terraform/casey_vps.tf index f03e941..a3f30fb 100644 --- a/terraform/casey_vps.tf +++ b/terraform/casey_vps.tf @@ -6,6 +6,16 @@ resource "linode_instance" "casey" { private_ip = true } +resource "linode_ipv6_range" "casey_extra" { + linode_id = linode_instance.casey.id + prefix_length = 64 +} + +locals { + private_ipv6_marker = cidrhost(linode_ipv6_range.casey_extra.id, 1) + private_ipv6_range = cidrsubnet(linode_ipv6_range.casey_extra.id, 64, 1) +} + resource "linode_firewall" "casey" { label = "casey" linodes = [linode_instance.casey.id] diff --git a/terraform/context.tf b/terraform/context.tf index 6be5bbf..a82119a 100644 --- a/terraform/context.tf +++ b/terraform/context.tf @@ -2,6 +2,8 @@ resource "local_file" "hosts" { content = yamlencode({ vps_hosts : { casey_ip : linode_instance.casey.ip_address, + private_ipv6_marker : local.private_ipv6_marker, + private_ipv6_range : local.private_ipv6_range, walker_ip : vultr_instance.walker.main_ip, } }) diff --git a/terraform/sys_domains.tf b/terraform/sys_domains.tf index 7107cba..65ca93e 100644 --- a/terraform/sys_domains.tf +++ b/terraform/sys_domains.tf @@ -37,3 +37,11 @@ resource "cloudflare_record" "sys_domain_pve" { type = "A" ttl = 1 } + +resource "cloudflare_record" "sys_domain_private" { + zone_id = cloudflare_zone.theorangeonenet.id + name = "private.sys" + value = local.private_ipv6_marker + type = "AAAA" + ttl = 1 +} diff --git a/terraform/theorangeone.net.tf b/terraform/theorangeone.net.tf index 3633079..bc59995 100644 --- a/terraform/theorangeone.net.tf +++ b/terraform/theorangeone.net.tf 
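Review bot: `private_ipv6_marker` and `private_ipv6_range` are computed independently (`cidrhost(…, 1)` versus `cidrsubnet(…, 64, 1)`) and only agree because `prefix_length = 64` plus 64 new bits happens to yield host ::1 as a /128; if either constant is edited, the published AAAA record and the range handed to ansible via context.tf silently diverge. Deriving one from the other removes the coupling, `private_ipv6_range = "${local.private_ipv6_marker}/128"`, and a comment on the locals saying the range is intentionally the single marker host would help. `linode_firewall.casey` starts on the last lines of this hunk and its rules are outside the patch; worth checking that the newly attached range is not opened inbound beyond what the nginx deny block in the gateway role expects.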
@@ -26,6 +26,14 @@ resource "cloudflare_record" "theorangeonenet_whoami_cdn" { ttl = 1 } +resource "cloudflare_record" "theorangeonenet_whoami_private" { + zone_id = cloudflare_zone.theorangeonenet.id + name = "whoami-private" + value = cloudflare_record.sys_domain_private.hostname + type = "CNAME" + ttl = 1 +} + resource "cloudflare_record" "theorangeonenet_mx1" { zone_id = cloudflare_zone.theorangeonenet.id name = "@"