Before we relied on the combined data being present in ipsets.json
when generating a new config, but ipsets.json is only updated through
the form at /ipsets. So submitting any other form after changing
NetBox definitions might crash when trying to find an entry from
networks.json in ipsets.json.
Now we introduce a helper function to always read both files and
combine the prefixes from networks.json with ipsets.json. This way it
is not necessary to save a new ipsets.json before other changes.
Also don’t crash when enumerating networks for each VPN group.
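An added illustration of the helper described above, not code from the repository: the JSON layouts, key names and the rule that prefixes come only from networks.json are assumptions; the point shown is that every NetBox-managed network gets an entry even when ipsets.json is stale, and that enumerating a VPN group never fails on a missing key.

```python
import json
from pathlib import Path

# Constructed sample file contents (formats assumed, not the app's real schema).
# "lab" exists in NetBox output but the /ipsets form has not been saved since.
NETWORKS_JSON = '{"office": {"prefixes": ["10.1.0.0/24"]},' \
                ' "lab": {"prefixes": ["10.2.0.0/24"]}}'
IPSETS_JSON = '{"office": {"nat": "203.0.113.10", "vpn_groups": ["staff"]}}'


def load_combined(networks_text, ipsets_text):
    """Merge both sources into one dict keyed by network name.

    networks.json (NetBox-managed) is the authority for prefixes; ipsets.json
    only carries app-side settings (NAT address, VPN groups) and may lag
    behind, so missing entries are filled with safe defaults instead of
    raising KeyError later during config generation.
    """
    networks = json.loads(networks_text)
    ipsets = json.loads(ipsets_text)
    combined = {}
    for name, net in networks.items():
        entry = dict(ipsets.get(name, {}))   # absent when ipsets.json is stale
        entry.setdefault("nat", None)
        entry.setdefault("vpn_groups", [])
        entry["prefixes"] = list(net.get("prefixes", []))
        combined[name] = entry
    return combined


def read_combined(networks_path, ipsets_path):
    """Always read both files from disk; no cached merged copy is trusted."""
    return load_combined(Path(networks_path).read_text(),
                         Path(ipsets_path).read_text())


def networks_for_group(combined, group):
    """Prefixes forwarded to one VPN group; unknown groups simply yield []."""
    return sorted(prefix
                  for entry in combined.values()
                  if group in entry["vpn_groups"]
                  for prefix in entry["prefixes"])
```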
Custom keys are created by admin and specify networks directly,
bypassing AD permissions. They are intended to join managed devices
into networks where users are not allowed to create keys themselves.
Also comprehend a set directly.
I have tried every possible permutation and I think this is the one.
NetBox-managed IP prefixes are pushed with ansible to firewall master.
The managed prefixes are added to custom IP sets defined in the app,
but only NAT addresses and VPN groups can be configured for them.
This way all NAT and VPN policy is (again) configured in the app. Also
both NetBox-managed and user-defined networks are treated the same.
Also improve^Wtweak config generation. Also templates.
Though it might be better to allow multiple groups. On the other hand
the main filter is in the group→ipset settings file anyway; any VPN
user not in one of those groups will not get forwarded to anywhere.
Push them to firewall nodes with ansible instead, as they will only
change in NetBox. Also don’t mess around with ipset “groups” based on
hyphenation, which was probably a bad idea.
With more data included in NetBox I am thinking we should configure
NAT and other stuff with ansible also, but let’s start small.
Use a single lock for everything to ensure we don’t go inconsistent.
One exception is the firewall nodes table which is only accessed when
pushing updated config.