c3e35777e0
Do not configure prefixes defined in NetBox
Push them to firewall nodes with ansible instead, as they will only
change in NetBox. Also don’t mess around with ipset “groups” based on
hyphenation, which was probably a bad idea.
With more data included in NetBox I am thinking we should configure
NAT and other stuff with ansible also, but let’s start small.
2024-03-18 17:37:19 +01:00
a8abf580f9
vpn: assign an IPv6 subnet instead of a single address
We are limited by the size of IPv4 pool (/18), so why not give
everyone an IPv4-internetful of IPv6 addresses.
2023-12-12 19:26:55 +01:00
85714f83b9
Warn about deleting key for active connection
2023-12-10 13:21:52 +01:00
bb68978b22
Clean up save_config
2023-12-10 12:32:47 +01:00
ff2246df8c
vpn: configure IPv6 addresses for WG clients
2023-12-08 17:12:37 +01:00
92e552eb76
nat: rename bound variable
2023-12-04 09:47:50 +01:00
32b182856d
Set blueprint paths in main app
Make blueprints more self-contained for no apparent reason.
2023-12-04 09:46:37 +01:00
abc7a0728b
Generate ipsets for network groups
Like office and server.
2023-10-03 13:36:58 +02:00
c09410f731
Show allowed characters when creating new WG key
2023-10-03 11:38:07 +02:00
ea6ca9b55d
Tweak HTML templates
2023-09-15 14:57:42 +02:00
d2b08bf891
Simplify
2023-09-15 14:26:11 +02:00
d704202e6e
Parametrize wg.conf template
2023-09-15 14:24:22 +02:00
f5af9eeb59
Rename a variable
2023-09-15 13:58:21 +02:00
e5f86e72c2
Get OIDC end_session_endpoint from server metadata
2023-09-14 10:09:45 +02:00
02059e5043
Copy OIDC settings to app.config on init
So we avoid locking the settings file at runtime.
2023-09-13 13:21:23 +02:00
0dc2563b31
Rename route for SSO authorization
2023-09-11 15:37:58 +02:00
ea6aa37131
Fix OIDC id_token parsing
Unbreak it, actually.
2023-09-11 15:10:19 +02:00
719bcf7c55
Improve LDAP lookup of user groups
2023-09-07 15:02:08 +02:00
9dc0fbb4fe
Switch to OIDC authentication
2023-09-07 11:46:57 +02:00
5add39a8a7
Add form for editing ipsets
2023-07-24 16:43:57 +02:00
a5df435931
Consolidate error handling
Do or do not; there is no try. With some exceptions.
2023-07-12 14:19:18 +02:00
8c824fe9e6
Improve admin settings page
The improvements are mostly cosmetic^Wquestionable.
2023-07-07 13:23:51 +02:00
dd607dbddd
Add a nicer response for TimeoutError
2023-07-07 10:15:02 +02:00
6b72316076
Add node status page
2023-07-07 10:13:55 +02:00
4ef3efbc68
Handle exceptions when sending mail
2023-07-07 09:04:17 +02:00
5262c64244
Add form for editing NAT addresses
2023-07-07 08:20:35 +02:00
8b8c675759
Rename networks.json to ipsets.json
Getting ready for some changes.
2023-07-06 16:28:15 +02:00
1ff6c9d0d3
Tweak templates for editing and managing rules
2023-07-04 12:18:01 +02:00
5e65755ec0
Add error reporting over email and improve logging
2023-07-03 16:01:14 +02:00
b55ae4d305
Use a script on firewall nodes to update config
So we can get some feedback to firewall master.
2023-06-28 14:17:39 +02:00
4fb2d2c732
Add version number to config tarballs
Preparing to rework the updater script.
2023-06-26 18:26:35 +02:00
fb1c328893
Normalize line endings from textareas
Every day for us something new.
2023-06-26 11:49:26 +02:00
5ba9c03e23
Don’t print empty element lists in nftables
Because nft chokes on them.
2023-06-26 10:15:03 +02:00
e84cb26dc7
Fix up Flask settings
DEBUG is apparently strongly discouraged. Use --debug instead.
2023-05-29 13:37:16 +02:00
6780f074c7
Support IPv6 sets
Also some unrelated cleanups in system.save_config.
2023-05-29 13:00:39 +02:00
765d4a3ce7
Add support for managing forwarding rules
2023-05-29 12:24:21 +02:00
52a5b7cd11
Use iif/oif instead of iifname/oifname in nftables rules
Following the change in ansible scripts.
2023-05-23 11:31:13 +02:00
22cec64bef
Simplify database locking
Use a single lock for everything to ensure we don’t go inconsistent.
One exception is the firewall nodes table which is only accessed when
pushing updated config.
2023-05-19 09:30:28 +02:00
93458c4782
Allow custom timeout for db locking
2023-05-19 09:03:15 +02:00
9272b3f8e3
Improve landing page slightly
2023-05-19 09:00:01 +02:00
aeae0f8a29
Rework NAT settings again
2023-05-19 08:31:49 +02:00
968a2736d2
Rework NAT settings
Support static NAT for L2 server networks. Also some other minor
tweaks.
2023-05-11 10:37:54 +02:00
9476a28674
Rename “comment”→“name” in wg key config
2023-04-24 09:54:23 +02:00
2793385693
Rename some bound variables
2023-04-07 22:51:38 +02:00
771389bbdf
Create new config on change
2023-04-07 14:20:59 +02:00
931cd3f8c1
Store generated configs in $HOME
And move app to ~/app.
2023-04-07 14:20:54 +02:00
0afcd33a99
Store settings in $HOME
2023-04-07 13:32:26 +02:00
f8c9341315
wg-fri.conf: keep standard AllowedIPs even when allowing all traffic
So it is easier to change later if needed.
2023-04-06 10:19:35 +02:00
bba8193e14
Fix locking
Or maybe break it further.
2023-04-06 10:04:30 +02:00
a791e2bcdd
Do not allocate wireguard server IP to clients
It’s possible to avoid assigning any IP to the server but let’s not.
2023-02-06 17:02:07 +01:00