diff --git a/.yamllint.yml b/.yamllint.yml index b2c9482..c6f9bc9 100644 --- a/.yamllint.yml +++ b/.yamllint.yml @@ -5,7 +5,6 @@ ignore: | ansible/galaxy_collections ansible/group_vars/all/vps-hosts.yml ansible/roles/traefik/files/traefik.yml - ansible/roles/nebula/files/nebula.yml env rules: diff --git a/ansible/.ansible-lint b/ansible/.ansible-lint index bc93701..61c3817 100644 --- a/ansible/.ansible-lint +++ b/ansible/.ansible-lint @@ -12,5 +12,4 @@ exclude_paths: - galaxy_roles/ - galaxy_collections/ - ~/.ansible - - roles/nebula/files/nebula.yml - roles/traefik/files/traefik.yml diff --git a/ansible/group_vars/all/nebula.yml b/ansible/group_vars/all/nebula.yml deleted file mode 100644 index f7cea27..0000000 --- a/ansible/group_vars/all/nebula.yml +++ /dev/null @@ -1,9 +0,0 @@ -nebula: - cidr: 10.23.2.0/24 - clients: - casey: - ip: 10.23.2.1 - walker: - ip: 10.23.2.4 - ingress: - ip: 10.23.2.5 diff --git a/ansible/group_vars/all/network.yml b/ansible/group_vars/all/network.yml index 46c9de9..df90549 100644 --- a/ansible/group_vars/all/network.yml +++ b/ansible/group_vars/all/network.yml @@ -1,2 +1 @@ -private_ip: "{{ nebula.clients[hostname_slug].ip }}" ssh_port: 7743 diff --git a/ansible/group_vars/all/tailscale.yml b/ansible/group_vars/all/tailscale.yml index c9bc3c0..19b564e 100644 --- a/ansible/group_vars/all/tailscale.yml +++ b/ansible/group_vars/all/tailscale.yml @@ -5,3 +5,7 @@ tailscale_cidr: 100.64.0.0/24 # It's really /10, but I don't use that many IPs tailscale_cidr_ipv6: fd7a:115c:a1e0::/120 # It's really /48, but I don't use that many IPs tailscale_port: 41641 + +tailscale_nodes: + casey: + ip: 100.64.0.1 diff --git a/ansible/host_vars/casey/main.yml b/ansible/host_vars/casey/main.yml index 2479bfd..19cd1f2 100644 --- a/ansible/host_vars/casey/main.yml +++ b/ansible/host_vars/casey/main.yml @@ -1,6 +1,3 @@ -nebula_is_lighthouse: true -nebula_listen_port: "{{ nebula_lighthouse_port }}" - nginx_https_redirect: true certbot_certs: 
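Review bot: The new `tailscale_nodes` map carries only `casey`, whereas the `nebula.clients` map it replaces (deleted in this same commit) also addressed walker and ingress, and `private_ip` in network.yml is removed rather than re-pointed at `tailscale_nodes[hostname_slug].ip`; any template that still renders `private_ip` or looks up another host by IP will now fail with an undefined variable at play time. The hard-coded `100.64.0.1` is also an assumption: the vars file itself notes the Tailscale range is really 100.64.0.0/10, and the address is assigned by the coordination server (apparently headscale here, given the role in main.yml), so it should be recorded as such. I'd add `# Addresses as assigned by headscale; re-check with tailscale ip -4 after a node is re-registered` above the map, and entries for the other hosts if anything still addresses them by IP.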
diff --git a/ansible/host_vars/ingress.yml b/ansible/host_vars/ingress.yml index 0a60f81..751cb33 100644 --- a/ansible/host_vars/ingress.yml +++ b/ansible/host_vars/ingress.yml @@ -1,4 +1 @@ -# Listen on a static port so it can be opened in the firewall -nebula_listen_port: "{{ nebula_lighthouse_port }}" - nginx_https_redirect: true diff --git a/ansible/main.yml b/ansible/main.yml index 563d5fe..36da7e7 100644 --- a/ansible/main.yml +++ b/ansible/main.yml @@ -12,7 +12,6 @@ - role: geerlingguy.certbot become: true - gateway - - nebula - headscale - restic - artis3n.tailscale @@ -58,7 +57,6 @@ roles: - pve_docker - yourls - - pve_nebula_route - privatebin - vaultwarden - tandoor @@ -73,7 +71,6 @@ roles: - nginx - ingress - - nebula - artis3n.tailscale - hosts: pve @@ -81,7 +78,6 @@ - role: ironicbadger.proxmox_nag_removal become: true - zfs - - pve_nebula_route - role: ironicbadger.snapraid become: true - role: prometheus.prometheus.node_exporter @@ -91,7 +87,6 @@ roles: - prometheus - uptime_kuma - - pve_nebula_route - pve_tailscale_route - hosts: qbittorrent @@ -105,7 +100,6 @@ - nginx - role: geerlingguy.certbot become: true - - nebula - coredns_docker_proxy - plausible - restic diff --git a/ansible/roles/base/files/ssh-jail.conf b/ansible/roles/base/files/ssh-jail.conf index b1148e9..1d743e6 100644 --- a/ansible/roles/base/files/ssh-jail.conf +++ b/ansible/roles/base/files/ssh-jail.conf @@ -4,4 +4,4 @@ bantime = 600 findtime = 30 maxretry = 5 port = {{ ssh_port }},ssh -ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ tailscale_cidr }} +ignoreip = {{ wireguard.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ tailscale_cidr }} diff --git a/ansible/roles/base/files/sshd_config b/ansible/roles/base/files/sshd_config index 1a8d024..34426db 100644 --- a/ansible/roles/base/files/sshd_config +++ b/ansible/roles/base/files/sshd_config 
@@ -2,7 +2,7 @@ # Change to a high/odd port if this server is exposed to the internet directly Port {{ ssh_port }} -AllowUsers {% if hostname_slug in pve_hosts %}{{ me.user }}@{{ pve_hosts.internal_cidr }}{% endif %} {% if hostname_slug in nebula.clients %}{{ me.user }}@{{ nebula.cidr }}{% endif %} {{ me.user }}@{{ tailscale_cidr }} {{ ssh_extra_allowed_users }} +AllowUsers {% if hostname_slug in pve_hosts %}{{ me.user }}@{{ pve_hosts.internal_cidr }}{% endif %} {{ me.user }}@{{ tailscale_cidr }} {{ ssh_extra_allowed_users }} # Bind to all interfaces (change to specific interface if needed) ListenAddress 0.0.0.0 diff --git a/ansible/roles/gateway/files/nginx-fail2ban-jail.conf b/ansible/roles/gateway/files/nginx-fail2ban-jail.conf index e6218ab..a9397e4 100644 --- a/ansible/roles/gateway/files/nginx-fail2ban-jail.conf +++ b/ansible/roles/gateway/files/nginx-fail2ban-jail.conf @@ -6,9 +6,9 @@ maxretry = 100 filter = nginx-tcp logpath = /var/log/nginx/ips.log port = http,https,8448 -ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }} +ignoreip = {{ wireguard.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }} [traefik] enabled = true port = http,https,8448 -ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }} +ignoreip = {{ wireguard.cidr }},{{ pve_hosts.internal_cidr }},{{ pve_hosts.internal_cidr_ipv6 }},{{ vps_hosts.values()|sort|join(",") }},{{ tailscale_cidr }} diff --git a/ansible/roles/http_proxy/files/squid.conf b/ansible/roles/http_proxy/files/squid.conf index 81c70ce..30656be 100644 --- a/ansible/roles/http_proxy/files/squid.conf +++ b/ansible/roles/http_proxy/files/squid.conf 
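Review bot: With the Nebula clause gone, `AllowUsers` on non-PVE hosts admits `me.user` only from `tailscale_cidr`, which tailscale.yml deliberately truncates to 100.64.0.0/24 ("It's really /10"); a node that is assigned an address outside that /24 is now locked out of SSH with no second path, where Nebula previously provided one. The IPv6 Tailscale range `tailscale_cidr_ipv6` is trusted by traefik but not listed here, so a client connecting over the node's IPv6 address is rejected too. Consider `{{ me.user }}@{{ tailscale_cidr }} {{ me.user }}@{{ tailscale_cidr_ipv6 }}` plus a comment above the line noting the /24 truncation assumption; the fail2ban `ignoreip` lists changed in this commit share the same dependency.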
@@ -2,7 +2,7 @@ # Recommended minimum configuration: # -acl hide_internal dst {{ wireguard.cidr }} {{ nebula.cidr }} {{ pve_hosts.internal_cidr }} {{ tailscale_cidr }} +acl hide_internal dst {{ wireguard.cidr }} {{ pve_hosts.internal_cidr }} {{ tailscale_cidr }} # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing diff --git a/ansible/roles/ingress/files/nftables.conf b/ansible/roles/ingress/files/nftables.conf index 3169ead..29644a8 100644 --- a/ansible/roles/ingress/files/nftables.conf +++ b/ansible/roles/ingress/files/nftables.conf @@ -17,9 +17,6 @@ table inet filter { tcp dport {http, https, {{ ssh_port }}, 8443, 8448} accept - # Allow nebula - udp dport {{ nebula_listen_port }} accept; - # Allow Tailscale udp dport {{ tailscale_port }} accept; } @@ -29,7 +26,6 @@ table inet filter { policy accept # NAT - because the proxmox machines may not have routes back - ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} counter masquerade ip saddr {{ tailscale_cidr }} counter masquerade } @@ -37,12 +33,8 @@ table inet filter { type filter hook forward priority mangle policy drop - # Allow traffic from nebula to proxmox network - ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} accept - ip saddr {{ pve_hosts.internal_cidr }} ip daddr {{ nebula.cidr }} ct state related,established accept - - # Allow monitoring of nebula network - ip saddr {{ pve_hosts.forrest.ip }}/32 ip daddr {{ nebula.cidr }} accept + # Allow monitoring of Tailscale network + ip saddr {{ pve_hosts.forrest.ip }}/32 ip daddr {{ tailscale_cidr }} accept # Allow Tailscale exit node ip saddr {{ tailscale_cidr }} ip daddr 192.168.0.0/16 drop diff --git a/ansible/roles/nebula/defaults/main.yml b/ansible/roles/nebula/defaults/main.yml deleted file mode 100644 index 9149efd..0000000 --- a/ansible/roles/nebula/defaults/main.yml +++ /dev/null @@ -1,2 +0,0 @@ -nebula_is_lighthouse: false -nebula_listen_port: 0 
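Review bot: The rewritten forward rule accepts `forrest -> tailscale_cidr`, but unlike the removed Nebula pair there is no `ct state related,established` rule for the reverse direction visible in this hunk; with the chain's `policy drop`, replies from Tailscale nodes to forrest's scrapes will be dropped unless a generic established/related accept exists elsewhere in the chain, which continues outside the hunk. If none does, add `ip saddr {{ tailscale_cidr }} ip daddr {{ pve_hosts.forrest.ip }}/32 ct state related,established accept` next to the new rule. Note also that `tailscale_cidr` is the truncated /24 from tailscale.yml, so a node assigned outside it is not covered by either this rule or the masquerade above.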
diff --git a/ansible/roles/nebula/files/ca.crt b/ansible/roles/nebula/files/ca.crt deleted file mode 100644 index 195802e..0000000 --- a/ansible/roles/nebula/files/ca.crt +++ /dev/null @@ -1,18 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -35346565636566303064316339396339363831623963306131303331366338643338326261626137 -3031333365383139383466323931353339346534366136350a353034373561653238643039373766 -37316638363166303162373739393934653936373639323038663639656138313035666132646136 -6339386166383137320a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diff --git a/ansible/roles/nebula/files/certs/casey.crt b/ansible/roles/nebula/files/certs/casey.crt deleted file mode 100644 index 798fbbb..0000000 --- a/ansible/roles/nebula/files/certs/casey.crt +++ /dev/null 
@@ -1,20 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -63636434323163343761373034626236333037376261336634366531393035356435653037326238 -3839323731623165633234613132376534646266373466310a356635313261333263366632336664 -39326533333462373831663132633733666136623938313164313265326637333332616463386363 -6634333536313132310a613766363630313933343365333633333663613035313362343437383534 -32636433613365643633643536633862376231316135376437333835353164613839323562333430 -39323331353639333539356165616661663262386363386239346664643364653137633332626661 -35393332653530373162666365326135663633663265313634643135373562663763376530623038 -63343231333933616237666465306461663634363261656237383236383663336235363161623265 -30343366643637326135356636626564343436396635613566393636643264333933656265346333 -61363335303737666238393665633265393835633838636561393534343437366639636361373761 -34366334366236373633613037346463373632323265343034343335333436373733613465663464 -65643863303037643338366537336562613232313331323366663835316437376535623635383463 -38386539353834383236663766393563393063333233623661303335396534353166316230396566 -34393034333864346534383665616666633836376439646632303566613633376138313961636637 -37313635393739656161313466633231396539393666663635623034613765393438633735636666 -33326635373966353633356166313138656462373962663666653961366438383936626338663439 -36643039613061646531366462623064623837666633326532663232616139623737343732346130 -64646337356266353261363438326237313833323765663336346635353236396638376530663033 -306365363634643665646230366332653632 diff --git a/ansible/roles/nebula/files/certs/casey.key b/ansible/roles/nebula/files/certs/casey.key deleted file mode 100644 index fa8b5d4..0000000 --- a/ansible/roles/nebula/files/certs/casey.key +++ /dev/null 
@@ -1,11 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -31646561316237653338613966616162363239323863393862376136623639613730633339396230 -3830343834383934333236633462663734366432666331620a393739313230656636653432646532 -65386466633832623663386131393866666664303439613738303933656239393761653263386466 -3561656162343632350a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diff --git a/ansible/roles/nebula/files/certs/ingress.crt b/ansible/roles/nebula/files/certs/ingress.crt deleted file mode 100644 index bb5a9d7..0000000 --- a/ansible/roles/nebula/files/certs/ingress.crt +++ /dev/null @@ -1,21 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -62613762323836666136313634353965643132326439656165623938326130633631623939336434 -3931613737633935363439316362613663363335626134340a306631376131363635326337333234 -34373262383861626564383834306462306633376332353630666265303766333731613839333231 -6666343965353866320a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diff --git a/ansible/roles/nebula/files/certs/ingress.key b/ansible/roles/nebula/files/certs/ingress.key deleted file mode 100644 index c5c72c6..0000000 --- a/ansible/roles/nebula/files/certs/ingress.key +++ /dev/null @@ -1,11 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -37626435646463663062363233393732353239386231366436653663623035656339633136346138 -3963626465363538653430343733663965373865376263330a373638663731656435646438646134 -38663334363137666530653934356337326264356664343633623432613265643139353464666136 -6236383631366130310a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diff --git a/ansible/roles/nebula/files/certs/walker.crt b/ansible/roles/nebula/files/certs/walker.crt deleted file mode 100644 index d3938f6..0000000 --- a/ansible/roles/nebula/files/certs/walker.crt +++ /dev/null 
@@ -1,20 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -32636232306462356330643137616236306261373438653332326239343662363234313765356563 -6361383264626665636130373539613936373036343061350a316438383266306538303836636138 -39643434323831303337336230623463633138633436386539363531626633633364663031376131 -3162363530393734380a303162386436396338383864333439313365383665666361313666373538 -35666262616466663061383463653361303230653036643033376434303236656638343134316262 -31303663396231623065316261353938613934303934613331393836663061653731316163663230 -39653337373230386337383665303638346136353031373931616166663437313431353832633239 -62343063323765636466353031353930636132373263306631616365623332646639333265653235 -61636237326561613364303538323861393061303839383532323136306134633437363731616464 -32633538376130613164646264666332303762386436383566663563346536663935323165323939 -65666333363163373165316633383430653066663938303562613739303835316661623437613863 -32383330336261356364353163666432353130343564366333626336306332643936623166386261 -35656431366431663830336631346164333362376262663365623635376161373864303831306462 -61326462343039376363663139636638663239306362353232366166623030376464336634643130 -65373532393034623730663431373763636261393035346639653137383235633265386365613063 -37303435363136613365633139316133386332373665626566346161343665626365656639346661 -30396133366566306238303564633662306561303830613937666264303731666230356633373662 -33656133323364313461353562373337356232666536643633336663326334353231613336646461 -376435366338383534623436353434623334 diff --git a/ansible/roles/nebula/files/certs/walker.key b/ansible/roles/nebula/files/certs/walker.key deleted file mode 100644 index 33a151a..0000000 --- a/ansible/roles/nebula/files/certs/walker.key +++ /dev/null 
@@ -1,11 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -65626437643961386636343536313832353663373863313963383430363465333965363031653635 -3038636237383665653135313962643434386135346630360a666239663139353063623436633038 -38613062393337373232343338626334353033633738306138373464313739323334373637366334 -3335623465633164310a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diff --git a/ansible/roles/nebula/files/nebula.yml b/ansible/roles/nebula/files/nebula.yml deleted file mode 100644 index 71e89d3..0000000 --- a/ansible/roles/nebula/files/nebula.yml +++ /dev/null @@ -1,59 +0,0 @@ -pki: - ca: /etc/nebula/ca.crt - cert: /etc/nebula/{{ ansible_hostname }}.crt - key: /etc/nebula/{{ ansible_hostname }}.key - -static_host_map: - "{{ nebula_lighthouse_ip }}": ["{{ nebula_lighthouse_public_ip }}:{{ nebula_lighthouse_port }}"] - - -lighthouse: - am_lighthouse: "{{ nebula_is_lighthouse | lower }}" - interval: 60 - hosts: -{% if not nebula_is_lighthouse %} - - "{{ nebula_lighthouse_ip }}" -{% endif %} - -listen: - host: 0.0.0.0 - port: "{{ nebula_listen_port }}" - -punchy: - punch: true - -tun: - disabled: false - dev: nebula1 - drop_local_broadcast: false - drop_multicast: false - tx_queue: 500 - mtu: 1300 - routes: - unsafe_routes: -{% if ansible_hostname != "ingress" %} - - route: "{{ pve_hosts.internal_cidr }}" - via: "{{ nebula.clients.ingress.ip }}" -{% endif %} - - -logging: - level: info - format: text - -firewall: - conntrack: - tcp_timeout: 12m - udp_timeout: 3m - default_timeout: 10m - max_connections: 100000 - - outbound: - - port: any - proto: any - host: any - - inbound: - - port: any - proto: any - host: any diff --git a/ansible/roles/nebula/handlers/main.yml b/ansible/roles/nebula/handlers/main.yml deleted file mode 100644 index 092c1e5..0000000 --- a/ansible/roles/nebula/handlers/main.yml +++ /dev/null @@ -1,5 +0,0 @@ -- name: restart nebula - service: - name: nebula - state: restarted - become: true 
diff --git a/ansible/roles/nebula/tasks/main.yml b/ansible/roles/nebula/tasks/main.yml deleted file mode 100644 index b2eb5c1..0000000 --- a/ansible/roles/nebula/tasks/main.yml +++ /dev/null @@ -1,65 +0,0 @@ -- name: Create config directory - file: - path: /etc/nebula - state: directory - mode: "0700" - become: true - -- name: Install nebula - package: - name: nebula - when: ansible_os_family == 'Archlinux' - become: true - -- name: Manually install nebula - block: - - name: Install binaries - unarchive: - src: https://github.com/slackhq/nebula/releases/download/v{{ nebula_version }}/nebula-linux-amd64.tar.gz - dest: /usr/bin - remote_src: true - mode: "0755" - - - name: Install service - get_url: - url: https://raw.githubusercontent.com/slackhq/nebula/v{{ nebula_version }}/dist/arch/nebula.service - dest: /usr/lib/systemd/system/nebula.service - mode: "0644" - when: ansible_os_family != 'Archlinux' - tags: - - skip_ansible_lint - notify: restart nebula - become: true - -- name: Install config - template: - src: files/nebula.yml - dest: /etc/nebula/config.yml - mode: "0600" - become: true - notify: restart nebula - -- name: Install CA certificate - template: - src: files/ca.crt - dest: /etc/nebula/ca.crt - mode: "0600" - become: true - notify: restart nebula - -- name: Install client certificates - template: - src: files/certs/{{ item }} - dest: /etc/nebula/{{ item }} - mode: "0600" - loop: - - "{{ ansible_hostname }}.key" - - "{{ ansible_hostname }}.crt" - become: true - notify: restart nebula - -- name: Enable service - service: - name: nebula - enabled: true - become: true diff --git a/ansible/roles/nebula/vars/main.yml b/ansible/roles/nebula/vars/main.yml deleted file mode 100644 index 2118116..0000000 --- a/ansible/roles/nebula/vars/main.yml +++ /dev/null @@ -1,5 +0,0 @@ -nebula_lighthouse_public_ip: "{{ vps_hosts.casey_ip }}" -nebula_lighthouse_ip: "{{ nebula.clients.casey.ip }}" -nebula_lighthouse_port: 6328 - -nebula_version: 1.8.1 
diff --git a/ansible/roles/prometheus/files/prometheus/prometheus.yml b/ansible/roles/prometheus/files/prometheus/prometheus.yml index c63b20c..fe89985 100644 --- a/ansible/roles/prometheus/files/prometheus/prometheus.yml +++ b/ansible/roles/prometheus/files/prometheus/prometheus.yml @@ -120,7 +120,7 @@ scrape_configs: metrics_path: /metrics static_configs: - targets: - - "{{ nebula.clients.casey.ip }}:9090" + - "{{ tailscale_nodes.casey.ip }}:9090" metric_relabel_configs: - source_labels: [__name__] regex: go_.+ diff --git a/ansible/roles/pve_nebula_route/tasks/main.yml b/ansible/roles/pve_nebula_route/tasks/main.yml deleted file mode 100644 index 85f32a5..0000000 --- a/ansible/roles/pve_nebula_route/tasks/main.yml +++ /dev/null @@ -1,22 +0,0 @@ -- name: Get routes - command: - argv: - - ip - - route - - show - - "{{ nebula.cidr }}" - register: routes - changed_when: false - become: true - -- name: Add route to nebula hosts via ingress - command: - argv: - - ip - - route - - add - - "{{ nebula.cidr }}" - - via - - "{{ pve_hosts.ingress.ip }}" - become: true - when: nebula.cidr not in routes.stdout diff --git a/ansible/roles/traefik/files/file-provider-main.yml b/ansible/roles/traefik/files/file-provider-main.yml index 5ea6539..ef97728 100644 --- a/ansible/roles/traefik/files/file-provider-main.yml +++ b/ansible/roles/traefik/files/file-provider-main.yml @@ -22,6 +22,5 @@ http: sourceRange: - "{{ tailscale_cidr }}" - "{{ tailscale_cidr_ipv6 }}" - - "{{ nebula.cidr }}" - "{{ pve_hosts.internal_cidr }}" - "{{ pve_hosts.internal_cidr_ipv6 }}" diff --git a/ansible/roles/traefik/files/traefik.yml b/ansible/roles/traefik/files/traefik.yml index eb5f9b5..3697b4b 100644 --- a/ansible/roles/traefik/files/traefik.yml +++ b/ansible/roles/traefik/files/traefik.yml @@ -10,7 +10,6 @@ entryPoints: trustedIPs: - "{{ wireguard.cidr }}" - "{{ pve_hosts.internal_cidr }}" - - "{{ nebula.cidr }}" - "{{ tailscale_cidr }}" web-secure: address: :443 
diff --git a/terraform/casey_vps.tf b/terraform/casey_vps.tf
index 67fb02f..a042b7b 100644
--- a/terraform/casey_vps.tf
+++ b/terraform/casey_vps.tf
@@ -66,15 +66,6 @@ resource "linode_firewall" "casey" {
 ipv6 = ["::/0"]
 }
 
- inbound {
- label = "allow-inbound-nebula"
- action = "ACCEPT"
- protocol = "UDP"
- ports = "6328"
- ipv4 = ["0.0.0.0/0"]
- ipv6 = ["::/0"]
- }
-
 inbound {
 label = "allow-inbound-matrix"
 action = "ACCEPT"