rc/servers
2
0
Fork 0
Code Issues Pull requests Actions Packages Projects 1 Releases Wiki Activity

Compare commits

base: rc:a8b83e833be6fe6fdb35516d4f6c2f444b132223
Branches Tags
rc:master
..
compare: rc:ec4dcd4ffd019a950f3501398fc0d21d639b4315
Branches Tags
rc:master

No commits in common. "a8b83e833be6fe6fdb35516d4f6c2f444b132223" and "ec4dcd4ffd019a950f3501398fc0d21d639b4315" have entirely different histories.
a8b83e833b ... ec4dcd4ffd

4 changed files with 2 additions and 16 deletions
Show stats Expand all files Collapse all files

2
roles/alpine/templates/local.nft.j2
View file

@ -14,7 +14,7 @@ table inet filter {
ip6 saddr { {{ prefixes | ipv6 | join(', ') }} } {{ service.protocol.value }} dport { {{ ports }} } accept
{% endif %}
{% else %}
{{ service.protocol.value }} dport { {{ ports }} } accept
tcp dport { {{ ports }} } accept
{% endif %}
{% endfor %}

2
roles/facts/tasks/main.yml
View file

@ -8,7 +8,7 @@
prefixes: '{{ query("netbox.netbox.nb_lookup", "prefixes", raw_data=true)
| sort(attribute="prefix") | sort(attribute="family.value") }}'
- when: 'cluster is defined and not is_virtual'
- when: 'cluster is defined'
block:
- name: Get my cluster and all nodes in it
set_fact:

7
roles/proxmox/tasks/main.yml
View file

@ -50,13 +50,6 @@
dest: /etc/sysctl.d/local.conf
src: sysctl.conf
- name: Set domain for ACME certificate renewals
command:
cmd: 'pvenode config set --acme domains={{ interfaces | selectattr("name", "==", "lo")
| map(attribute="ip_addresses") | flatten | map(attribute="dns_name")
| sort | unique | join(";") }}'
changed_when: false # maybe write a proper check if certificate requests are ever ansibled
- include_tasks: firewall.yml
- include_tasks: user.yml

7
roles/proxmox/templates/cluster.fw.j2
View file

@ -6,23 +6,16 @@ enable: 1
IN Ping(ACCEPT) -log nolog # don’t be rude
IN SSH(ACCEPT) -i mgmt # for ansible etc.
IN HTTP(ACCEPT) # allow HTTP connections for renewing certificates with ACME
IN ACCEPT -source {{ nodes | map('device_address') | flatten | selectattr('family.value', '==', 4) | map(attribute='address') | join(',') }} # my cluster
IN ACCEPT -source {{ nodes | map('device_address') | flatten | selectattr('family.value', '==', 6) | map(attribute='address') | join(',') }} # my cluster
{% for service in cluster_services %}
{% set prefixes = service | allowed_prefixes %}
{% set ports = service.ports | compact_numlist(range_delimiter=':') %}
{% if prefixes %}
{% if prefixes | ipv4 %}
IN ACCEPT -source {{ prefixes | ipv4 | join(',') }} -p {{ service.protocol.value }} -dport {{ ports }} # {{ service.name }}
{% endif %}
{% if prefixes | ipv6 %}
IN ACCEPT -source {{ prefixes | ipv6 | join(',') }} -p {{ service.protocol.value }} -dport {{ ports }} # {{ service.name }}
{% endif %}
{% else %}
IN ACCEPT -p {{ service.protocol.value }} -dport {{ ports }} # {{ service.name }}
{% endif %}
{% endfor %}