Update dependency ansible-lint to v24.2.2

Allow `ingress` to serve as tailscale exit node
Rename private domain
2024-04-09 18:00:20 +01:00 · 2024-03-28 23:30:24 +00:00 · 2024-03-23 12:55:54 +00:00 · 2024-03-23 11:54:26 +00:00 · 2024-03-22 18:13:25 +00:00 · 2024-03-21 23:20:27 +00:00
12 changed files with 54 additions and 14 deletions
--- a/ansible/dev-requirements.txt
+++ b/ansible/dev-requirements.txt
@ -1,4 +1,4 @@
-ansible-lint==24.2.1
+ansible-lint==24.2.2
 yamllint==1.33.0
 ansible
 passlib
--- a/ansible/group_vars/all/pve.yml
+++ b/ansible/group_vars/all/pve.yml
@ -17,6 +17,7 @@ pve_hosts:
    ip: 10.23.1.10
    external_ip: 192.168.2.201
    external_ipv6: "{{ vault_ingress_ipv6 }}"
+    link_local: fe80::d4e4:22ff:fe8b:429d
  homeassistant:
    ip: 192.168.2.203
  qbittorrent:
--- a/ansible/host_vars/pve/main.yml
+++ b/ansible/host_vars/pve/main.yml
@ -25,7 +25,7 @@ sanoid_datasets:

 sanoid_templates:
  production:
-    frequently: 2
+    frequently: 4
    hourly: 48
    daily: 28
    monthly: 3
--- a/ansible/roles/forrest/tasks/main.yml
+++ b/ansible/roles/forrest/tasks/main.yml
@ -6,3 +6,30 @@

 - name: Prometheus
  include_tasks: prometheus.yml
+
+- name: Get routes
+  command:
+    argv:
+      - ip
+      - -6
+      - route
+      - show
+      - "{{ vps_hosts.private_ipv6_range }}"
+  register: routes
+  changed_when: false
+  become: true
+
+- name: Add route to private services via ingress
+  command:
+    argv:
+      - ip
+      - -6
+      - route
+      - add
+      - "{{ vps_hosts.private_ipv6_range }}"
+      - via
+      - "{{ pve_hosts.ingress.link_local }}"
+      - dev
+      - eth0
+  become: true
+  when: vps_hosts.private_ipv6_marker not in routes.stdout
--- a/ansible/roles/ingress/files/nftables.conf
+++ b/ansible/roles/ingress/files/nftables.conf
@ -30,7 +30,7 @@ table inet filter {

        # NAT - because the proxmox machines may not have routes back
        ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} counter masquerade
-        ip saddr {{ tailscale_cidr }} ip daddr {{ pve_hosts.internal_cidr }} counter masquerade
+        ip saddr {{ tailscale_cidr }} counter masquerade
    }

    chain FORWARD {
@ -44,8 +44,9 @@ table inet filter {
        # Allow monitoring of nebula network
        ip saddr {{ pve_hosts.forrest.ip }}/32 ip daddr {{ nebula.cidr }} accept

-        # Allow traffic from Tailscale to proxmox network
-        ip saddr {{ tailscale_cidr }} ip daddr {{ pve_hosts.internal_cidr }} accept
-        ip saddr {{ pve_hosts.internal_cidr }} ip daddr {{ tailscale_cidr }} ct state related,established accept
+        # Allow Tailscale exit node
+        ip saddr {{ tailscale_cidr }} ip daddr 192.168.0.0/16 drop
+        ip saddr {{ tailscale_cidr }} accept
+        ip daddr {{ tailscale_cidr }} ct state related,established accept
    }
 }
--- a/ansible/roles/traefik/files/file-provider-homeassistant.yml
+++ b/ansible/roles/traefik/files/file-provider-homeassistant.yml
@ -3,6 +3,8 @@ http:
    router-homeassistant:
      rule: Host(`homeassistant.jakehoward.tech`)
      service: service-homeassistant
+      middlewares:
+        - tailscale-only@file
  services:
    service-homeassistant:
      loadBalancer:
--- a/ansible/roles/traefik/files/file-provider-main.yml
+++ b/ansible/roles/traefik/files/file-provider-main.yml
@ -10,7 +10,16 @@ http:
          Permissions-Policy: interest-cohort=()

    tailscale-only:
-      ipAllowList:
+      ipWhiteList:
        sourceRange:
          - "{{ tailscale_cidr }}"
          - "{{ tailscale_cidr_ipv6 }}"
+          - "{{ pve_hosts.forrest.ip }}"
+
+    private-access:
+      ipWhiteList:
+        sourceRange:
+          - "{{ tailscale_cidr }}"
+          - "{{ tailscale_cidr_ipv6 }}"
+          - "{{ nebula.cidr }}"
+          - "{{ pve_hosts.internal_cidr }}"
--- a/ansible/roles/vaultwarden/files/docker-compose.yml
+++ b/ansible/roles/vaultwarden/files/docker-compose.yml
@ -22,7 +22,7 @@ services:
      - traefik.http.middlewares.vaultwarden-ratelimit.ratelimit.average=5
      - traefik.http.middlewares.vaultwarden-ratelimit.ratelimit.burst=200

-      - traefik.http.routers.vaultwarden.middlewares=vaultwarden-ratelimit
+      - traefik.http.routers.vaultwarden.middlewares=vaultwarden-ratelimit,tailscale-only@file
    environment:
      - SIGNUPS_ALLOWED=false
      - DOMAIN=https://vaultwarden.jakehoward.tech
--- a/terraform/casey_vps.tf
+++ b/terraform/casey_vps.tf
@ -7,7 +7,7 @@ resource "linode_instance" "casey" {
 }

 resource "linode_ipv6_range" "casey_extra" {
-  linode_id = linode_instance.casey.id
+  linode_id     = linode_instance.casey.id
  prefix_length = 64
 }

--- a/terraform/jakehoward.tech.tf
+++ b/terraform/jakehoward.tech.tf
@ -127,7 +127,7 @@ resource "cloudflare_record" "jakehowardtech_calibre" {
 resource "cloudflare_record" "jakehowardtech_homeassistant" {
  zone_id = cloudflare_zone.jakehowardtech.id
  name    = "homeassistant"
-  value   = cloudflare_record.sys_domain_pve.hostname
+  value   = cloudflare_record.sys_domain_pve_private.hostname
  type    = "CNAME"
  ttl     = 1
 }
@ -143,7 +143,7 @@ resource "cloudflare_record" "jakehowardtech_grafana" {
 resource "cloudflare_record" "jakehowardtech_vaultwarden" {
  zone_id = cloudflare_zone.jakehowardtech.id
  name    = "vaultwarden"
-  value   = cloudflare_record.sys_domain_pve.hostname
+  value   = cloudflare_record.sys_domain_pve_private.hostname
  type    = "CNAME"
  ttl     = 1
 }
--- a/terraform/sys_domains.tf
+++ b/terraform/sys_domains.tf
@ -38,9 +38,9 @@ resource "cloudflare_record" "sys_domain_pve" {
  ttl     = 1
 }

-resource "cloudflare_record" "sys_domain_private" {
+resource "cloudflare_record" "sys_domain_pve_private" {
  zone_id = cloudflare_zone.theorangeonenet.id
-  name    = "private.sys"
+  name    = "pve-private.sys"
  value   = local.private_ipv6_marker
  type    = "AAAA"
  ttl     = 1
--- a/terraform/theorangeone.net.tf
+++ b/terraform/theorangeone.net.tf
@ -29,7 +29,7 @@ resource "cloudflare_record" "theorangeonenet_whoami_cdn" {
 resource "cloudflare_record" "theorangeonenet_whoami_private" {
  zone_id = cloudflare_zone.theorangeonenet.id
  name    = "whoami-private"
-  value   = cloudflare_record.sys_domain_private.hostname
+  value   = cloudflare_record.sys_domain_pve_private.hostname
  type    = "CNAME"
  ttl     = 1
 }
Author	SHA1	Message	Date
Renovate	f556af8bc9	Update dependency ansible-lint to v24.2.2 / terraform (push) Successful in 1m43s Details / ansible (push) Successful in 3m0s Details	2024-04-09 18:00:20 +01:00
Jake Howard	8424b3211b	Allow `ingress` to serve as tailscale exit node / terraform (push) Successful in 38s Details / ansible (push) Successful in 1m46s Details	2024-03-28 23:30:24 +00:00
Jake Howard	b83e239123	Rename private domain / terraform (push) Successful in 33s Details / ansible (push) Successful in 1m35s Details	2024-03-23 12:55:54 +00:00
Jake Howard	5157940f20	Stop exposing homeassistant / terraform (push) Successful in 58s Details / ansible (push) Successful in 1m52s Details	2024-03-23 11:54:26 +00:00
Jake Howard	eb6fe3a23b	Allow forrest to access internal services / terraform (push) Successful in 36s Details / ansible (push) Successful in 1m36s Details This is mostly for monitoring	2024-03-22 18:13:25 +00:00
Jake Howard	b2656bdf43	Make vaultwarden VPN only / terraform (push) Successful in 33s Details / ansible (push) Successful in 1m36s Details The first service to go dark...	2024-03-21 23:20:27 +00:00
Jake Howard	124b83526d	Fix spacing / terraform (push) Successful in 35s Details / ansible (push) Successful in 2m0s Details	2024-03-20 17:59:32 +00:00
Jake Howard	0295507d0b	Increase frequency of snapshots / terraform (push) Failing after 34s Details / ansible (push) Successful in 1m34s Details	2024-03-19 21:31:27 +00:00