Initial commit, squashed

roles/firewall_master/templates/interfaces.j2

@@ -0,0 +1,14 @@
+auto lo
+iface lo inet loopback
+
+{% for iface in interfaces %}
+auto {{ iface.name }}
+iface {{ iface.name }} inet static
+{% for address in iface.ip_addresses %}
+    address {{ address.address }}
+{% endfor %}
+{% if iface.custom_fields.gateway %}
+    gateway {{ iface.custom_fields.gateway.address | ipaddr('address') }}
+{% endif %}
+
+{% endfor %}

roles/firewall_master/templates/networks.json.j2

@@ -0,0 +1,21 @@
+{% set groups = vlans | map(attribute='name') | select('match', '.+-.+')
+    | map('split', '-') | map('first') | unique -%}
+{% set prefixes = query('netbox.netbox.nb_lookup', 'prefixes', raw_data=true) %}
+
+{
+{% for vlan in vlans %}
+{% set vlan_prefixes = prefixes | selectattr('vlan') | selectattr('vlan.id', '==', vlan.id) | map(attribute='prefix') %}
+  "{{ vlan.name }}": {
+    "ip": {{ vlan_prefixes | ipv4 | to_json }},
+    "ip6": {{ vlan_prefixes | ipv6 | to_json }}
+  }{% if not loop.last or groups %},{% endif +%}
+{% endfor %}
+
+{% for group in groups %}
+{% set group_prefixes = prefixes | selectattr('vlan') | selectattr('vlan.name', 'match', '^'~group) | map(attribute='prefix') %}
+  "{{ group }}": {
+    "ip": {{ group_prefixes | ipv4 | to_json }},
+    "ip6": {{ group_prefixes | ipv6 | to_json }}
+  }{% if not loop.last %},{% endif +%}
+{% endfor %}
+}

roles/firewall_master/templates/nginx.conf.j2

@@ -0,0 +1,21 @@
+server {
+	listen 80;
+	listen [::]:80;
+	server_name {{ fqdn }};
+
+	return 301 https://$host$request_uri;
+}
+
+server {
+	listen 443 ssl;
+	listen [::]:443 ssl;
+	server_name {{ fqdn }};
+
+	ssl_certificate /etc/letsencrypt/live/{{ fqdn }}/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/{{ fqdn }}/privkey.pem;
+
+	location / {
+		uwsgi_pass unix:/run/friwall.socket;
+		include uwsgi_params;
+	}
+}

roles/firewall_master/templates/nodes.json.j2

@@ -0,0 +1,10 @@
+{% set nodes = query('netbox.netbox.nb_lookup', 'devices', raw_data=true)
+    | selectattr('config_context') | selectattr('config_context', 'contains', 'master')
+    | selectattr('config_context.master', '==', inventory_hostname)
+    | map(attribute='name') -%}
+
+{
+{% for node in nodes %}
+  "{{ hostvars[node].interfaces | selectattr('name', '==', 'lo') | map(attribute='ip_addresses') | first | selectattr('role') | selectattr('role.value', '==', 'loopback') | map(attribute='address') | ipv4 | first | ipaddr('address') }}": -1{{ '' if loop.last else ',' }} {# TODO help my eyes the goggles do nothing +#}
+{% endfor %}
+}

roles/firewall_master/templates/settings.json.j2

@@ -0,0 +1,10 @@
+{
+  "ldap_host": "{{ domain }}",
+  "ldap_user": "{{ ldap_user }}",
+  "ldap_pass": "{{ ldap_pass }}",
+  "ldap_base_dn": "{{ ldap_base_dn }}",
+  "oidc_server": "{{ oidc_server }}",
+  "oidc_client_id": "{{ oidc_client_id }}",
+  "oidc_client_secret": "{{ oidc_client_secret }}",
+  "wg_net": "{{ wg_net }}",
+}