Commit graph

56 commits

Author SHA1 Message Date
Timotej Lazar c3e35777e0 Do not configure prefixes defined in NetBox
Push them to firewall nodes with ansible instead, as they will only
change in NetBox. Also don’t mess around with ipset “groups” based on
hyphenation, which was probably a bad idea.

With more data included in NetBox I am thinking we should configure
NAT and other stuff with ansible also, but let’s start small.
2024-03-18 17:37:19 +01:00
Timotej Lazar a8abf580f9 vpn: assign an IPv6 subnet instead of a single address
We are limited by the size of the IPv4 pool (/18), so why not give
everyone an IPv4-internetful of IPv6 addresses.
2023-12-12 19:26:55 +01:00
Timotej Lazar 85714f83b9 Warn about deleting key for active connection 2023-12-10 13:21:52 +01:00
Timotej Lazar bb68978b22 Clean up save_config 2023-12-10 12:32:47 +01:00
Timotej Lazar ff2246df8c vpn: configure IPv6 addresses for WG clients 2023-12-08 17:12:37 +01:00
Timotej Lazar 92e552eb76 nat: rename bound variable 2023-12-04 09:47:50 +01:00
Timotej Lazar 32b182856d Set blueprint paths in main app
Make blueprints more self-contained for no apparent reason.
2023-12-04 09:46:37 +01:00
Timotej Lazar abc7a0728b Generate ipsets for network groups
Like office and server.
2023-10-03 13:36:58 +02:00
Timotej Lazar c09410f731 Show allowed characters when creating new WG key 2023-10-03 11:38:07 +02:00
Timotej Lazar ea6ca9b55d Tweak HTML templates 2023-09-15 14:57:42 +02:00
Timotej Lazar d2b08bf891 Simplify 2023-09-15 14:26:11 +02:00
Timotej Lazar d704202e6e Parametrize wg.conf template 2023-09-15 14:24:22 +02:00
Timotej Lazar f5af9eeb59 Rename a variable 2023-09-15 13:58:21 +02:00
Timotej Lazar e5f86e72c2 Get OIDC end_session_endpoint from server metadata 2023-09-14 10:09:45 +02:00
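The end_session_endpoint lookup in the commit above is one use of the provider metadata document; the following is an added illustration of the pattern, not code from this repository. It validates the discovery document (issuer match, https endpoints) before using it and builds the RP-initiated logout URL, returning None when the provider advertises no end_session_endpoint. The metadata dict, the issuer https://sso.example.org and the redirect URI are constructed for the example.

```python
import json
import urllib.parse
import urllib.request

# Constructed sample of an OpenID Provider discovery document, trimmed to
# the fields used here. A real one is fetched from
# <issuer>/.well-known/openid-configuration (see fetch_metadata below).
SAMPLE_METADATA = {
    "issuer": "https://sso.example.org",
    "authorization_endpoint": "https://sso.example.org/oauth2/authorize",
    "token_endpoint": "https://sso.example.org/oauth2/token",
    "end_session_endpoint": "https://sso.example.org/oauth2/logout",
}


def check_metadata(metadata, expected_issuer):
    """Reject a discovery document that is not the one we asked for.

    OIDC Discovery requires the "issuer" value to equal the issuer
    identifier the document was fetched for; accepting a mismatch means
    trusting endpoints chosen by whoever answered (a redirect, a typo'd
    host). Endpoints are also required to be https.
    """
    if metadata.get("issuer") != expected_issuer:
        raise ValueError(
            f"issuer mismatch: expected {expected_issuer!r}, "
            f"got {metadata.get('issuer')!r}"
        )
    for key in ("authorization_endpoint", "token_endpoint"):
        if not str(metadata.get(key, "")).startswith("https://"):
            raise ValueError(f"{key} missing or not https")
    return metadata


def fetch_metadata(issuer, timeout=5):
    """Fetch and validate provider metadata (needs network; not used offline)."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return check_metadata(json.load(resp), issuer)


def end_session_url(metadata, expected_issuer, id_token, post_logout_redirect_uri):
    """Build the RP-initiated logout URL.

    Returns None when the provider does not advertise an
    end_session_endpoint, so the caller can fall back to a local-only
    logout instead of redirecting nowhere.
    """
    check_metadata(metadata, expected_issuer)
    endpoint = metadata.get("end_session_endpoint")
    if not endpoint:
        return None
    if not endpoint.startswith("https://"):
        raise ValueError("end_session_endpoint is not https")
    params = {
        # id_token_hint tells the provider which session to end.
        "id_token_hint": id_token,
        # Must be one of the redirect URIs registered with the provider;
        # never build it from request input, or logout becomes an open
        # redirect.
        "post_logout_redirect_uri": post_logout_redirect_uri,
    }
    return endpoint + "?" + urllib.parse.urlencode(params)
```

Cache the validated document in app.config at startup rather than refetching per request; the provider's metadata changes rarely, and a failed fetch then surfaces at boot instead of at a user's logout.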
Timotej Lazar 02059e5043 Copy OIDC settings to app.config on init
So we avoid locking the settings file at runtime.
2023-09-13 13:21:23 +02:00
Timotej Lazar 0dc2563b31 Rename route for SSO authorization 2023-09-11 15:37:58 +02:00
Timotej Lazar ea6aa37131 Fix OIDC id_token parsing
Unbreak it, actually.
2023-09-11 15:10:19 +02:00
Timotej Lazar 719bcf7c55 Improve LDAP lookup of user groups 2023-09-07 15:02:08 +02:00
Timotej Lazar 9dc0fbb4fe Switch to OIDC authentication 2023-09-07 11:46:57 +02:00
Timotej Lazar 5add39a8a7 Add form for editing ipsets 2023-07-24 16:43:57 +02:00
Timotej Lazar a5df435931 Consolidate error handling
Do or do not; there is no try. With some exceptions.
2023-07-12 14:19:18 +02:00
Timotej Lazar 8c824fe9e6 Improve admin settings page
The improvements are mostly cosmetic^Wquestionable.
2023-07-07 13:23:51 +02:00
Timotej Lazar dd607dbddd Add a nicer response for TimeoutError 2023-07-07 10:15:02 +02:00
Timotej Lazar 6b72316076 Add node status page 2023-07-07 10:13:55 +02:00
Timotej Lazar 4ef3efbc68 Handle exceptions when sending mail 2023-07-07 09:04:17 +02:00
Timotej Lazar 5262c64244 Add form for editing NAT addresses 2023-07-07 08:20:35 +02:00
Timotej Lazar 8b8c675759 Rename networks.json to ipsets.json
Getting ready for some changes.
2023-07-06 16:28:15 +02:00
Timotej Lazar 1ff6c9d0d3 Tweak templates for editing and managing rules 2023-07-04 12:18:01 +02:00
Timotej Lazar 5e65755ec0 Add error reporting over email and improve logging 2023-07-03 16:01:14 +02:00
Timotej Lazar b55ae4d305 Use a script on firewall nodes to update config
So we can get some feedback to firewall master.
2023-06-28 14:17:39 +02:00
Timotej Lazar 4fb2d2c732 Add version number to config tarballs
Preparing to rework the updater script.
2023-06-26 18:26:35 +02:00
Timotej Lazar fb1c328893 Normalize line endings from textareas
Every day for us something new.
2023-06-26 11:49:26 +02:00
Timotej Lazar 5ba9c03e23 Don’t print empty element lists in nftables
Because nft chokes on them.
2023-06-26 10:15:03 +02:00
Timotej Lazar e84cb26dc7 Fix up Flask settings
DEBUG is apparently strongly discouraged. Use --debug instead.
2023-05-29 13:37:16 +02:00
Timotej Lazar 6780f074c7 Support IPv6 sets
Also some unrelated cleanups in system.save_config.
2023-05-29 13:00:39 +02:00
Timotej Lazar 765d4a3ce7 Add support for managing forwarding rules 2023-05-29 12:24:21 +02:00
Timotej Lazar 52a5b7cd11 Use iif/oif instead of iifname/oifname in nftables rules
Following the change in ansible scripts.
2023-05-23 11:31:13 +02:00
Timotej Lazar 22cec64bef Simplify database locking
Use a single lock for everything to ensure we don’t go inconsistent.
One exception is the firewall nodes table which is only accessed when
pushing updated config.
2023-05-19 09:30:28 +02:00
Timotej Lazar 93458c4782 Allow custom timeout for db locking 2023-05-19 09:03:15 +02:00
Timotej Lazar 9272b3f8e3 Improve landing page slightly 2023-05-19 09:00:01 +02:00
Timotej Lazar aeae0f8a29 Rework NAT settings again 2023-05-19 08:31:49 +02:00
Timotej Lazar 968a2736d2 Rework NAT settings
Support static NAT for L2 server networks. Also some other minor
tweaks.
2023-05-11 10:37:54 +02:00
Timotej Lazar 9476a28674 Rename “comment”→“name” in wg key config 2023-04-24 09:54:23 +02:00
Timotej Lazar 2793385693 Rename some bound variables 2023-04-07 22:51:38 +02:00
Timotej Lazar 771389bbdf Create new config on change 2023-04-07 14:20:59 +02:00
Timotej Lazar 931cd3f8c1 Store generated configs in $HOME
And move app to ~/app.
2023-04-07 14:20:54 +02:00
Timotej Lazar 0afcd33a99 Store settings in $HOME 2023-04-07 13:32:26 +02:00
Timotej Lazar f8c9341315 wg-fri.conf: keep standard AllowedIPs even when allowing all traffic
So it is easier to change later if needed.
2023-04-06 10:19:35 +02:00
Timotej Lazar bba8193e14 Fix locking
Or maybe break it further.
2023-04-06 10:04:30 +02:00
Timotej Lazar a791e2bcdd Do not allocate wireguard server IP to clients
It’s possible to avoid assigning any IP to the server but let’s not.
2023-02-06 17:02:07 +01:00