Update Terraform linode to v2

Allow `ingress` to serve as tailscale exit node
2024-04-09 20:00:28 +01:00 · 2024-03-28 23:30:24 +00:00
3 changed files with 36 additions and 35 deletions
--- a/ansible/roles/ingress/files/nftables.conf
+++ b/ansible/roles/ingress/files/nftables.conf
@ -30,7 +30,7 @@ table inet filter {

        # NAT - because the proxmox machines may not have routes back
        ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} counter masquerade
-        ip saddr {{ tailscale_cidr }} ip daddr {{ pve_hosts.internal_cidr }} counter masquerade
+        ip saddr {{ tailscale_cidr }} counter masquerade
    }

    chain FORWARD {
@ -44,8 +44,9 @@ table inet filter {
        # Allow monitoring of nebula network
        ip saddr {{ pve_hosts.forrest.ip }}/32 ip daddr {{ nebula.cidr }} accept

-        # Allow traffic from Tailscale to proxmox network
-        ip saddr {{ tailscale_cidr }} ip daddr {{ pve_hosts.internal_cidr }} accept
-        ip saddr {{ pve_hosts.internal_cidr }} ip daddr {{ tailscale_cidr }} ct state related,established accept
+        # Allow Tailscale exit node
+        ip saddr {{ tailscale_cidr }} ip daddr 192.168.0.0/16 drop
+        ip saddr {{ tailscale_cidr }} accept
+        ip daddr {{ tailscale_cidr }} ct state related,established accept
    }
 }
--- a/terraform/.terraform.lock.hcl
+++ b/terraform/.terraform.lock.hcl
@ -127,37 +127,37 @@ provider "registry.terraform.io/hashicorp/local" {
 }

 provider "registry.terraform.io/linode/linode" {
-  version     = "2.18.0"
-  constraints = "2.18.0"
+  version     = "2.19.0"
+  constraints = "2.19.0"
  hashes = [
-    "h1:3PW0EO9DYYIle1oqY1MSMAyu9KmEU2i4bzp4WyEtgAI=",
-    "h1:BKcde0bIpXEudZrY5aGCUwnOKXdymt/u9Z1DHz1iBOk=",
-    "h1:CeGbgARw4BrgUrEfPVRUjwoPI5WrCtA4bG39ckFHrlQ=",
-    "h1:Pj8+xPrzD7xxeOQNGHa8tAE7S3x3zQe88Df4yaJbnL4=",
-    "h1:Um8y3cSMDqSj/h3WaF6mzHuqe2P0GYhfTzc24tGaltk=",
-    "h1:V3S3olmiV+tBfIM+fIWxk1k54OnK0ILXVM/IU37yIqc=",
-    "h1:bfTb/5XVx5eP5w3/6zmNjcwO5Mn048CQs7NS9X1EkdY=",
-    "h1:gM+CNA0BYXGywol1D4oqvYZMfIFiKs5uKZo5bHXP4Ws=",
-    "h1:hmKFRUBaRwh9NhMIbeJdjGNFRoljB8+NJzSVKcaU+O0=",
-    "h1:i1o7iCsHtgmMp/L7SKLpXVmIU4OKo1W9ppsT04zSLo4=",
-    "h1:iYe8lT9CCHdzOFVCUjFuaYHh3gt+KIWXmxzQ/LHWQQY=",
-    "h1:lL+v4O5l5LA9G4OHbTM6avgQ43bG7ZVr05L8a0K/kPI=",
-    "h1:oHgufY4cCeH3lKuC8G+yVGl9wYzefGHgqy5qdJ2esIc=",
-    "h1:qhMGEItQOw0D2teO4Rumb334qYlIJnvSOTIkhH10VVY=",
-    "zh:03bc6644991818395759757cc5a3f07b6a8f7f797f04d701441e79e85cb9dc69",
-    "zh:5248ed1626e1531616fd227840c7734b8f2d13631427d80672b615e60f106a2d",
-    "zh:80a890b44a66639b1dabc2773e5dbb5f22a8e73495ce167a5064296463e17cdc",
-    "zh:874f5794a567250fc873af73c8c67a1980eb30de864ef76eb772ae492cf530ba",
-    "zh:94469b62cc27ce53fcd06a48b84de256136576699602ba68d157b2ad033ac0ed",
-    "zh:a1b9096702e1ee197f84634159d512b54d9223d00ff850ff4073eb9e5ac5eb9d",
-    "zh:a39c77dbf770a349529596124d4188fc7eeb8ecaf88ebc06f586d884f68df550",
-    "zh:bd5ee9da38d1846edc6af87771ede950bb703d99f78756c05da00fc0ca325be5",
-    "zh:c4b1d74d8d44ed258ca96a2b76d0101858672624a8d9731df8a97b8373dba728",
-    "zh:c69db2d6e4d7b04f9bc2f00223e61ae12127946043b07bca567fa3883bf5c071",
-    "zh:e818b9ea84e55ce1d2eb1f8852ec6606ce5d3691f356ea4eb3a701e5986ed339",
-    "zh:eeb7e6d518f62d6f02b497dbb5427a7a8ea38e2e5dddc8a114f7989a7a8c47f7",
-    "zh:fa77abf56e34701cdc49799cc13c6298be184d7cb48de20ee8b30e93fb3735a0",
-    "zh:fc3e94acd6fb2ad6b526169896fc6821298ba394a4d181c9b2448341e2e0eb54",
+    "h1:Aljt7dhW1XwtxDaGyc2gZ46eLAbjix7E1qYXxYqgbbU=",
+    "h1:BN3Dom+rZ8Xy/rQsjut3Oa4ug7uKAT+0OHKls8902OU=",
+    "h1:EQ7FeEVWKswJ3/ATDk0azs9jJ5Jm9Zgch/qmGPuOUMU=",
+    "h1:Ffm15Iu1XjVFUVc3NpdIE0YjoZISVNOJPUKbOlYdSB8=",
+    "h1:H3eY00bUbfpEJD3WSqtpJ7hCD+hmiXIo2wWenhxNW6o=",
+    "h1:HpYbpJzogDdK8is1dsZvd0MxpRDaDqTzheKsT7GeEiI=",
+    "h1:KKadsEER+BVuTGwh/BM1Kmy0jDOxiNQmYlJbTFsxtGU=",
+    "h1:MFV2JG/DHGO0IdRIMi6e7RkLEJ4laaUD24QrUOKaMLk=",
+    "h1:UJ+/KyZX5xKU+GOUslbIpQLih9vkEjIMjcElw19Hnqg=",
+    "h1:UyWZ+cA6vcA7Uj2KM6AGOAjKYMlBXFVAtHitheHL6mY=",
+    "h1:kRBXisxnnpMUMFEQrXHy3bL3lu7GvMJf32RgoYJg4C8=",
+    "h1:m8CL3NIDWcuxiJTVFMkKWoOCV70gbRgKkjNv9AAhm6E=",
+    "h1:qnj2eGbSlmsyLNti6Ya/I2Myy7Uy0/LLvkmNO8sSnDc=",
+    "h1:vff9zjH2m2uRYiK5FAnAAWuESm99YGw7QOWsdSqAHIE=",
+    "zh:0902b129119d4b2b5ad8b40796c73453efa4250af9c83ab110988b2786ddf077",
+    "zh:2b953ecdf1dfeb66e5dbb420a6c16f944be37e8436062546d714928fd6c137da",
+    "zh:336d750c34875ed04e30cd3e0b4ddfefbc3c4eec66ee81849d4becd6680c1b78",
+    "zh:3403e1d1da78ef55e73c473d53d90af3025fbdf826ac30786b3082a8a96cde0d",
+    "zh:3923876d57838f115f770e29ddc6113c634ecb5a0ef6745ecfdef265d606e48f",
+    "zh:47f7e0bb0e01bc6e6dfd13a371dfab2df5d545fc37148d655fd2bb394b1102c6",
+    "zh:59726409d8877d3336705fcd0fafc67b5d34de318340694c5f5546cc6c15e7c8",
+    "zh:6711e4b6b5a6895a0429b7d91ac8a20c439bafa486782f5724ed30c696c81d99",
+    "zh:728e75d6637e52f371ea316a9fc2c2e16b5cf154af58d5cddb656da3b8b87a9c",
+    "zh:7be53e746828bbcc2533f418e33efa6cf4bad749f20c412d23222b52c77d7779",
+    "zh:8647837eb549dec604399659b3fc5508749157b1b8cc3f98e09654279be7cd87",
+    "zh:abc9cf0879b0318baa8bec61c0225235af0b7a8d4eb3dce0d82fcbbc75dcfc98",
+    "zh:c6665a13be6231acf78dcbdbddad6e0cc27f4ec28716ca8946c15847568eeb4a",
+    "zh:cf033cc78046bdf2a12873c53d5e4d7b6f0275b2d5e50cf17b3be8e5103bfe2e",
  ]
 }

--- a/terraform/terraform.tf
+++ b/terraform/terraform.tf
@ -14,7 +14,7 @@ terraform {
    }
    linode = {
      source  = "linode/linode"
-      version = "2.18.0"
+      version = "2.19.0"
    }
    gandi = {
      source  = "go-gandi/gandi"
Author	SHA1	Message	Date
Renovate	4e3ccf425a	Update Terraform linode to v2 / terraform (push) Successful in 1m16s Details / ansible (push) Successful in 1m57s Details	2024-04-09 20:00:28 +01:00
Jake Howard	8424b3211b	Allow `ingress` to serve as tailscale exit node / terraform (push) Successful in 38s Details / ansible (push) Successful in 1m46s Details	2024-03-28 23:30:24 +00:00