Commit graph

19 commits

Author | SHA1 | Message | Date

Timotej Lazar 37c025e2a0 firewall_master: move secrets to password store 2024-02-13 13:13:56 +01:00

Timotej Lazar d94e79f8b7 certbot_dns: move secrets to password store 2024-02-13 13:13:43 +01:00

Timotej Lazar 27dac09549 access: move secrets to password store 2024-02-13 10:33:14 +01:00
    Keeping ansible-vault values in NetBox is too cumbersome and limited.

Timotej Lazar 91afaec9c2 firewall: allow connections from master with NATted IP 2024-02-06 09:19:49 +01:00

Timotej Lazar f54b23f49a firewall: disable forwarding for mgmt interfaces in if-pre-up 2024-01-30 13:11:35 +01:00
    Should be more robust and more importantly works when interfaces are
    not renamed by mdev as is the situation now.

Timotej Lazar 25289dd82f firewall: fix interface renaming 2024-01-30 13:11:35 +01:00
    The mdev rules for renaming interfaces at boot seem to not work with
    latest Alpine. So rename with ifupdown instead.

Timotej Lazar 544aa0a088 firewall: create empty ipsets for known networks 2024-01-30 12:37:14 +01:00
    So we don’t crash and burn before config is set up.

Timotej Lazar 161ce73be7 exit: restart keepalived on DHCP config update 2024-01-30 12:36:19 +01:00

Timotej Lazar aeb124e346 Add inside and outside roles for VLANs 2024-01-30 12:35:33 +01:00
    Will probably rename inside/outside and office/server to int/ext.

Timotej Lazar 0802dc8637 access: move templates to netbox 2023-12-29 14:55:00 +01:00
    And adjust tasks to work with FS switches also.

Timotej Lazar be398e54fe fabric: sort bridge VLANs by ID 2023-12-29 13:52:05 +01:00
    Instead of barfing on unsortable dicts.

Timotej Lazar 6fd5432b69 fabric: reload switchd before reloading interfaces 2023-12-29 09:01:01 +01:00
    Don’t want to bring up a nonexisting interface.

Timotej Lazar 0d24f9fdc7 firewall: log policy update messages to syslog 2023-12-18 12:55:50 +01:00

Timotej Lazar 2b275c2ab4 exit: receive VPN IPv6 addresses from firewalls 2023-12-18 12:55:50 +01:00
    And share them with peer over backup link.

Timotej Lazar c2d0e88996 firewall: set IPv6 address for wireguard interface 2023-12-18 12:55:50 +01:00
    And advertise it.

Timotej Lazar d789e4a037 leaf: don’t talk BGP at bridges and bonds 2023-12-18 12:55:50 +01:00

Timotej Lazar 9e8db74d24 fabric: allow setting bridge access VLANs on non-bond ports 2023-12-18 12:55:50 +01:00

Timotej Lazar 950cd41c33 fabric: only add enabled ports to bridge 2023-12-18 12:55:50 +01:00

Timotej Lazar 158e8740b8 Initial commit, squashed 2023-12-18 12:55:47 +01:00