Timotej Lazar
d33fec65a2
system: support LDAP queries with no user_group set
Though it might be better to allow multiple groups. On the other hand
the main filter is in the group→ipset settings file anyway; any VPN
user not in one of those groups will not get forwarded to anywhere.
2024-04-22 10:43:50 +02:00
Timotej Lazar
c3e35777e0
Do not configure prefixes defined in NetBox
Push them to firewall nodes with ansible instead, as they will only
change in NetBox. Also don’t mess around with ipset “groups” based on
hyphenation, which was probably a bad idea.
With more data included in NetBox I am thinking we should configure
NAT and other stuff with ansible also, but let’s start small.
2024-03-18 17:37:19 +01:00
Timotej Lazar
a8abf580f9
vpn: assign an IPv6 subnet instead of a single address
We are limited by the size of the IPv4 pool (/18), so why not give
everyone an IPv4-internetful of IPv6 addresses.
2023-12-12 19:26:55 +01:00
Timotej Lazar
85714f83b9
Warn about deleting key for active connection
2023-12-10 13:21:52 +01:00
Timotej Lazar
bb68978b22
Clean up save_config
2023-12-10 12:32:47 +01:00
Timotej Lazar
ff2246df8c
vpn: configure IPv6 addresses for WG clients
2023-12-08 17:12:37 +01:00
Timotej Lazar
92e552eb76
nat: rename bound variable
2023-12-04 09:47:50 +01:00
Timotej Lazar
32b182856d
Set blueprint paths in main app
Make blueprints more self-contained for no apparent reason.
2023-12-04 09:46:37 +01:00
Timotej Lazar
abc7a0728b
Generate ipsets for network groups
Like office and server.
2023-10-03 13:36:58 +02:00
Timotej Lazar
c09410f731
Show allowed characters when creating new WG key
2023-10-03 11:38:07 +02:00
Timotej Lazar
ea6ca9b55d
Tweak HTML templates
2023-09-15 14:57:42 +02:00
Timotej Lazar
d2b08bf891
Simplify
2023-09-15 14:26:11 +02:00
Timotej Lazar
d704202e6e
Parametrize wg.conf template
2023-09-15 14:24:22 +02:00
Timotej Lazar
f5af9eeb59
Rename a variable
2023-09-15 13:58:21 +02:00
Timotej Lazar
e5f86e72c2
Get OIDC end_session_endpoint from server metadata
2023-09-14 10:09:45 +02:00
Timotej Lazar
02059e5043
Copy OIDC settings to app.config on init
So we avoid locking the settings file at runtime.
2023-09-13 13:21:23 +02:00
Timotej Lazar
0dc2563b31
Rename route for SSO authorization
2023-09-11 15:37:58 +02:00
Timotej Lazar
ea6aa37131
Fix OIDC id_token parsing
Unbreak it, actually.
2023-09-11 15:10:19 +02:00
Timotej Lazar
719bcf7c55
Improve LDAP lookup of user groups
2023-09-07 15:02:08 +02:00
Timotej Lazar
9dc0fbb4fe
Switch to OIDC authentication
2023-09-07 11:46:57 +02:00
Timotej Lazar
5add39a8a7
Add form for editing ipsets
2023-07-24 16:43:57 +02:00
Timotej Lazar
a5df435931
Consolidate error handling
Do or do not; there is no try. With some exceptions.
2023-07-12 14:19:18 +02:00
Timotej Lazar
8c824fe9e6
Improve admin settings page
The improvements are mostly cosmetic^Wquestionable.
2023-07-07 13:23:51 +02:00
Timotej Lazar
dd607dbddd
Add a nicer response for TimeoutError
2023-07-07 10:15:02 +02:00
Timotej Lazar
6b72316076
Add node status page
2023-07-07 10:13:55 +02:00
Timotej Lazar
4ef3efbc68
Handle exceptions when sending mail
2023-07-07 09:04:17 +02:00
Timotej Lazar
5262c64244
Add form for editing NAT addresses
2023-07-07 08:20:35 +02:00
Timotej Lazar
8b8c675759
Rename networks.json to ipsets.json
Getting ready for some changes.
2023-07-06 16:28:15 +02:00
Timotej Lazar
1ff6c9d0d3
Tweak templates for editing and managing rules
2023-07-04 12:18:01 +02:00
Timotej Lazar
5e65755ec0
Add error reporting over email and improve logging
2023-07-03 16:01:14 +02:00
Timotej Lazar
b55ae4d305
Use a script on firewall nodes to update config
So we can get some feedback to firewall master.
2023-06-28 14:17:39 +02:00
Timotej Lazar
4fb2d2c732
Add version number to config tarballs
Preparing to rework the updater script.
2023-06-26 18:26:35 +02:00
Timotej Lazar
fb1c328893
Normalize line endings from textareas
Every day for us something new.
2023-06-26 11:49:26 +02:00
Timotej Lazar
5ba9c03e23
Don’t print empty element lists in nftables
Because nft chokes on them.
2023-06-26 10:15:03 +02:00
Timotej Lazar
e84cb26dc7
Fix up Flask settings
DEBUG is apparently strongly discouraged. Use --debug instead.
2023-05-29 13:37:16 +02:00
Timotej Lazar
6780f074c7
Support IPv6 sets
Also some unrelated cleanups in system.save_config.
2023-05-29 13:00:39 +02:00
Timotej Lazar
765d4a3ce7
Add support for managing forwarding rules
2023-05-29 12:24:21 +02:00
Timotej Lazar
52a5b7cd11
Use iif/oif instead of iifname/oifname in nftables rules
Following the change in ansible scripts.
2023-05-23 11:31:13 +02:00
Timotej Lazar
22cec64bef
Simplify database locking
Use a single lock for everything to ensure we don’t go inconsistent.
One exception is the firewall nodes table which is only accessed when
pushing updated config.
2023-05-19 09:30:28 +02:00
Timotej Lazar
93458c4782
Allow custom timeout for db locking
2023-05-19 09:03:15 +02:00
Timotej Lazar
9272b3f8e3
Improve landing page slightly
2023-05-19 09:00:01 +02:00
Timotej Lazar
aeae0f8a29
Rework NAT settings again
2023-05-19 08:31:49 +02:00
Timotej Lazar
968a2736d2
Rework NAT settings
Support static NAT for L2 server networks. Also some other minor
tweaks.
2023-05-11 10:37:54 +02:00
Timotej Lazar
9476a28674
Rename “comment”→“name” in wg key config
2023-04-24 09:54:23 +02:00
Timotej Lazar
2793385693
Rename some bound variables
2023-04-07 22:51:38 +02:00
Timotej Lazar
771389bbdf
Create new config on change
2023-04-07 14:20:59 +02:00
Timotej Lazar
931cd3f8c1
Store generated configs in $HOME
And move app to ~/app.
2023-04-07 14:20:54 +02:00
Timotej Lazar
0afcd33a99
Store settings in $HOME
2023-04-07 13:32:26 +02:00
Timotej Lazar
f8c9341315
wg-fri.conf: keep standard AllowedIPs even when allowing all traffic
So it is easier to change later if needed.
2023-04-06 10:19:35 +02:00
Timotej Lazar
bba8193e14
Fix locking
Or maybe break it further.
2023-04-06 10:04:30 +02:00