diff --git a/roles/debian/files/nftables.conf b/roles/debian/files/nftables.conf
index 6ec6a16..430db42 100644
--- a/roles/debian/files/nftables.conf
+++ b/roles/debian/files/nftables.conf
@@ -23,6 +23,14 @@ table inet filter {
 nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert, nd-router-solicit } accept comment "accept IPv6 neighbor discovery"
 }
+
+ chain forward {
+ type filter hook forward priority filter; policy drop
+ }
+
+ chain output {
+ type filter hook output priority filter; policy accept
+ }
 }
 include "/etc/nftables.d/*.nft"
diff --git a/roles/dokuwiki/meta/main.yml b/roles/dokuwiki/meta/main.yml
deleted file mode 100644
index 6836d2b..0000000
--- a/roles/dokuwiki/meta/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-dependencies:
- - role: nginx
- - role: nginx-php
diff --git a/roles/forgejo/meta/main.yml b/roles/forgejo/meta/main.yml
deleted file mode 100644
index 69891c7..0000000
--- a/roles/forgejo/meta/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dependencies:
- - role: nginx
diff --git a/roles/friwall/meta/main.yml b/roles/friwall/meta/main.yml
deleted file mode 100644
index 69891c7..0000000
--- a/roles/friwall/meta/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dependencies:
- - role: nginx
diff --git a/roles/grafana/meta/main.yml b/roles/grafana/meta/main.yml
deleted file mode 100644
index 69891c7..0000000
--- a/roles/grafana/meta/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dependencies:
- - role: nginx
diff --git a/roles/influxdb/meta/main.yml b/roles/influxdb/meta/main.yml
deleted file mode 100644
index 69891c7..0000000
--- a/roles/influxdb/meta/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dependencies:
- - role: nginx
diff --git a/roles/kanboard/meta/main.yml b/roles/kanboard/meta/main.yml
deleted file mode 100644
index 6836d2b..0000000
--- a/roles/kanboard/meta/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-dependencies:
- - role: nginx
- - role: nginx-php
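Review bot: The new `forward` base chain at `priority filter` with `policy drop` finishes evaluation at that hook, so a drop-in under `/etc/nftables.d/` that accepts forwarded traffic from its own table at a later priority (the pattern the removed `ocserv.nft` used, `priority filter + 10`) would never see those packets; any role that needs forwarding now has to add its accept rules into `inet filter forward` itself. That is presumably intended now that the ocserv role is gone, but the chain carries no comment saying so, unlike the `comment "..."` on the existing rules; I would add `# forwarding is off by default: routes must be accepted in this chain, not in a later-priority table` above `chain forward`. The `output` chain with `policy accept` and no rules only registers the hook, and a one-line comment such as `# placeholder so drop-ins can append output rules` would make that explicit. The enclosing `table inet filter` block starts before this hunk.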
diff --git a/roles/netbox/meta/main.yml b/roles/netbox/meta/main.yml
deleted file mode 100644
index 69891c7..0000000
--- a/roles/netbox/meta/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dependencies:
- - role: nginx
diff --git a/roles/ocserv/README.md b/roles/ocserv/README.md
deleted file mode 100644
index 49c6f67..0000000
--- a/roles/ocserv/README.md
+++ /dev/null
@@ -1,11 +0,0 @@
-Install and configure ocserv with a script to configure nftables on (dis)connection.
-
-Create a self‐signed CA authority for issuing user certificates. User and group are read from the CN and OU certificate subject fields, respectively. To configure VPN groups, define the variable `vpn` as follows:
-
- "vpn": {
- "network": ""
- "routes": {
- "": [ "", … ]
- …
- }
- }
diff --git a/roles/ocserv/files/ocserv-script b/roles/ocserv/files/ocserv-script
deleted file mode 100644
index c56a7da..0000000
--- a/roles/ocserv/files/ocserv-script
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/sh
-
-set -x
-
-[ -n "$DEVICE" ] || exit 1
-[ -n "$USERNAME" ] || exit 2
-[ -n "$IP_REMOTE" ] || exit 3
-
-chain="inet ocserv client-${USERNAME}"
-remote_ip="${IP_REMOTE%/*}"
-
-case "${REASON}" in
-connect)
- nft "add chain ${chain} { type filter hook forward priority filter; policy accept; }"
- nft "flush chain ${chain}" # in case it already existed and not empty
- if [ -n "$OCSERV_ROUTES" ] ; then
- # convert netmask to prefix len, e.g. /255.0.0.0 to /8 and replace spaces with commas
- routes="$(netmask $OCSERV_ROUTES | paste -s -d ',' | tr -d '[:space:]')"
- nft "add rule ${chain} iif ${DEVICE} ip saddr ${remote_ip} ip daddr { ${routes} } mark set 0x100"
- fi
- ;;
-disconnect)
- nft "delete chain ${chain}"
- ;;
-esac
diff --git a/roles/ocserv/files/ocserv.nft b/roles/ocserv/files/ocserv.nft
deleted file mode 100644
index 5879f16..0000000
--- a/roles/ocserv/files/ocserv.nft
+++ /dev/null
@@ -1,14 +0,0 @@
-table inet ocserv {
- chain forward {
- type filter hook forward priority filter + 10; policy drop;
- ct state { established, related } accept
- meta mark 0x100 accept
- }
-}
-
-table ip ocserv {
- chain postrouting {
- type nat hook postrouting priority srcnat; policy drop;
- meta mark 0x100 masquerade
- }
-}
diff --git a/roles/ocserv/handlers/main.yml b/roles/ocserv/handlers/main.yml
deleted file mode 100644
index 34e7883..0000000
--- a/roles/ocserv/handlers/main.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-- name: reload nftables
- service:
- name: nftables
- state: reloaded
- when: "'handler' not in ansible_skip_tags"
-
-- name: reload systemd
- command: systemctl daemon-reload
- when: "'handler' not in ansible_skip_tags"
-
-- name: restart ocserv
- service:
- name: ocserv
- state: restarted
- when: "'handler' not in ansible_skip_tags"
diff --git a/roles/ocserv/meta/main.yml b/roles/ocserv/meta/main.yml
deleted file mode 100644
index 69891c7..0000000
--- a/roles/ocserv/meta/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dependencies:
- - role: nginx
diff --git a/roles/ocserv/tasks/main.yml b/roles/ocserv/tasks/main.yml
deleted file mode 100644
index 3201c77..0000000
--- a/roles/ocserv/tasks/main.yml
+++ /dev/null
@@ -1,78 +0,0 @@
-- name: Install packages
- package:
- name:
- - netmask # for ocserv-script
- - ocserv
- install_recommends: false # don’t install dnsmasq for whatever reason
-
-- name: Configure firewall
- copy:
- dest: /etc/nftables.d/
- src: ocserv.nft
- notify: reload nftables
-
-- name: Generate CA key
- command:
- cmd: openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-256 -out ca.key
- chdir: /etc/ocserv
- creates: ca.key
- notify: restart ocserv
-
-- name: Create CA certificate
- command:
- cmd: >
- openssl req -key ca.key -out ca.crt -new -x509 -days 3650
- -subj "/O=FRI/CN=vrata"
- -addext keyUsage=critical,keyCertSign,cRLSign
- chdir: /etc/ocserv
- creates: ca.crt
- notify: restart ocserv
-
-# this script allows routing from the client to their networks on connection
-- name: Install ocserv firewall script
- copy:
- dest: /usr/local/bin/
- src: ocserv-script
- mode: 755
-
-- name: Configure ocserv
- template:
- dest: /etc/ocserv/ocserv.conf
- src: ocserv.conf.j2
- notify: restart ocserv
-
-- name: Create config-per-group directory
- file:
- path: /etc/ocserv/config-per-group/
- state: directory
-
-- name: Configure ocserv routes for each group
- template:
- dest: '/etc/ocserv/config-per-group/{{ item.key }}'
- src: ocserv-group.j2
- loop: '{{ vpn.routes | dict2items }}'
- notify: restart ocserv
-
-- name: Create ocserv service override directory
- file:
- path: /etc/systemd/system/ocserv.service.d
- state: directory
- owner: root
- group: root
- mode: 0755
-
-- name: Set ocserv to start after network is online
- copy:
- dest: /etc/systemd/system/ocserv.service.d/override.conf
- content: |
- [Unit]
- After=network-online.target
- Wants=network-online.target
- notify: reload systemd
-
-- name: Enable IP forwarding
- sysctl:
- name: net.ipv4.ip_forward
- value: 1
- sysctl_file: /etc/sysctl.d/99-local.conf
- sysctl_set: true
diff --git a/roles/ocserv/templates/ocserv-group.j2 b/roles/ocserv/templates/ocserv-group.j2
deleted file mode 100644
index d9d04e0..0000000
--- a/roles/ocserv/templates/ocserv-group.j2
+++ /dev/null
@@ -1,3 +0,0 @@
-{% for route in item.value %}
-route = {{ route }}
-{% endfor %}
diff --git a/roles/ocserv/templates/ocserv.conf.j2 b/roles/ocserv/templates/ocserv.conf.j2
deleted file mode 100644
index 3ddeadf..0000000
--- a/roles/ocserv/templates/ocserv.conf.j2
+++ /dev/null
@@ -1,26 +0,0 @@
-listen-host = {{ dns_name }}
-tcp-port = 443
-server-cert = /etc/letsencrypt/live/{{ dns_name }}/fullchain.pem
-server-key = /etc/letsencrypt/live/{{ dns_name }}/privkey.pem
-
-run-as-user = ocserv
-run-as-group = ocserv
-socket-file = /run/ocserv-socket
-chroot-dir = /var/lib/ocserv
-connect-script = /usr/local/bin/ocserv-script
-disconnect-script = /usr/local/bin/ocserv-script
-
-device = vpns
-cisco-client-compat = true
-dtls-legacy = true
-compression = true
-isolate-workers = true
-
-auth = certificate
-ca-cert = /etc/ocserv/ca.crt
-cert-user-oid = 2.5.4.3
-cert-group-oid = 2.5.4.11
-config-per-group = /etc/ocserv/config-per-group/
-default-domain = {{ domain }}
-ipv4-network = {{ vpn.network }}
-route = {{ vpn.network }}
diff --git a/roles/reverse-proxy/meta/main.yml b/roles/reverse-proxy/meta/main.yml
deleted file mode 100644
index 69891c7..0000000
--- a/roles/reverse-proxy/meta/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dependencies:
- - role: nginx
diff --git a/roles/synapse/meta/main.yml b/roles/synapse/meta/main.yml
deleted file mode 100644
index 69891c7..0000000
--- a/roles/synapse/meta/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dependencies:
- - role: nginx
diff --git a/roles/unifi/meta/main.yml b/roles/unifi/meta/main.yml
deleted file mode 100644
index 69891c7..0000000
--- a/roles/unifi/meta/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dependencies:
- - role: nginx
diff --git a/setup.yml b/setup.yml
index bc85778..7778cbe 100644
--- a/setup.yml
+++ b/setup.yml
@@ -41,25 +41,32 @@
 - hosts: doc
 roles:
+ - nginx
+ - nginx-php
 - dokuwiki
 - hosts: git
 roles:
+ - nginx
 - forgejo
 - hosts: kanboard
 roles:
+ - nginx
+ - nginx-php
 - kanboard
 - hosts: matrix
 roles:
 - postgres
+ - nginx
 - synapse
 vars:
 user: synapse
 - hosts: monitor
 roles:
+ - nginx
 - influxdb
 - grafana
@@ -67,23 +74,23 @@
 roles:
 - postgres
 - redis
+ - nginx
 - netbox
 vars:
 user: netbox
 - hosts: unifi
 roles:
+ - nginx
 - unifi
-- hosts: vrata
- roles:
- - ocserv
-
 - hosts: web-front
 roles:
+ - nginx
 - reverse-proxy
 - hosts: zid
 roles:
 - opensmtpd
+ - nginx
 - friwall
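Review bot: With every role's `meta/main.yml` dependency file deleted in this commit, nothing enforces that `nginx` (and `nginx-php`) run before the application roles any more; the ordering is now carried only by list position in each play, here in the `doc`, `git`, `kanboard`, `matrix` and `monitor` plays and likewise in the second hunk (`netbox`, `unifi`, `web-front`, `zid`). A play that is later re-ordered, or a role applied from another playbook without this list, would presumably end up configuring a web service with no nginx present, so a note at the top of the file such as `# nginx/nginx-php must precede the roles served through them; role meta dependencies were dropped in favour of explicit ordering` would preserve that intent. The `zid` play lists `nginx` after `opensmtpd`, which breaks the nginx-first pattern used everywhere else; moving it to the head of that list keeps the file uniform. If `vrata` is still in the inventory it is now left without any play, which is worth a line in the commit message or the inventory.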