From 6b1d871392f41d7628d090b305fa8ad2fde6c801 Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Wed, 4 Sep 2024 16:42:13 +0200
Subject: [PATCH 1/4] =?UTF-8?q?alpine:=20don=E2=80=99t=20assume=20all=20pu?=
 =?UTF-8?q?blic=20services=20are=20TCP=20either?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 roles/alpine/templates/local.nft.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/alpine/templates/local.nft.j2 b/roles/alpine/templates/local.nft.j2
index 463a77b..d6ed6af 100644
--- a/roles/alpine/templates/local.nft.j2
+++ b/roles/alpine/templates/local.nft.j2
@@ -14,7 +14,7 @@ table inet filter {
 ip6 saddr { {{ prefixes | ipv6 | join(', ') }} } {{ service.protocol.value }} dport { {{ ports }} } accept
 {% endif %}
 {% else %}
- tcp dport { {{ ports }} } accept
+ {{ service.protocol.value }} dport { {{ ports }} } accept
 {% endif %}
 {% endfor %}

From 1c1dd52325aed2640576ffb1cc9b7e4e3949552b Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Wed, 4 Sep 2024 16:44:46 +0200
Subject: [PATCH 2/4] proxmox: support public services for firewall

If no allowed IPs are set for a service, allow connections from anywhere.
---
 roles/proxmox/templates/cluster.fw.j2 | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/roles/proxmox/templates/cluster.fw.j2 b/roles/proxmox/templates/cluster.fw.j2
index a5981ba..41fd5ed 100644
--- a/roles/proxmox/templates/cluster.fw.j2
+++ b/roles/proxmox/templates/cluster.fw.j2
@@ -11,11 +11,15 @@ IN ACCEPT -source {{ nodes | map('device_address') | flatten | selectattr('famil
 {% for service in cluster_services %}
 {% set prefixes = service | allowed_prefixes %}
 {% set ports = service.ports | compact_numlist(range_delimiter=':') %}
+{% if prefixes %}
 {% if prefixes | ipv4 %}
 IN ACCEPT -source {{ prefixes | ipv4 | join(',') }} -p {{ service.protocol.value }} -dport {{ ports }} # {{ service.name }}
 {% endif %}
 {% if prefixes | ipv6 %}
 IN ACCEPT -source {{ prefixes | ipv6 | join(',') }} -p {{ service.protocol.value }} -dport {{ ports }} # {{ service.name }}
 {% endif %}
+{% else %}
+IN ACCEPT -p {{ service.protocol.value }} -dport {{ ports }} # {{ service.name }}
+{% endif %}
 {% endfor %}

From 17c8e84498e3c8815d293a843eb553a7733e1c51 Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Wed, 4 Sep 2024 16:54:47 +0200
Subject: [PATCH 3/4] proxmox: support certificate renewals with ACME
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Certificates must still be requested manually, this just sets the domain and opens up port 80/tcp. Nothing listens there except for certbot during renewals so that’s OK.
---
 roles/proxmox/tasks/main.yml | 7 +++++++
 roles/proxmox/templates/cluster.fw.j2 | 3 +++
 2 files changed, 10 insertions(+)

diff --git a/roles/proxmox/tasks/main.yml b/roles/proxmox/tasks/main.yml
index 84fe500..64ee9f7 100644
--- a/roles/proxmox/tasks/main.yml
+++ b/roles/proxmox/tasks/main.yml
@@ -50,6 +50,13 @@
 dest: /etc/sysctl.d/local.conf
 src: sysctl.conf
+- name: Set domain for ACME certificate renewals
+ command:
+ cmd: 'pvenode config set --acme domains={{ interfaces | selectattr("name", "==", "lo")
+ | map(attribute="ip_addresses") | flatten | map(attribute="dns_name")
+ | sort | unique | join(";") }}'
+ changed_when: false # maybe write a proper check if certificate requests are ever ansibled
+
 - include_tasks: firewall.yml
 - include_tasks: user.yml
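Review bot: The new `{% else %}` branch at the end of the hunk treats an empty `allowed_prefixes` result as "public" and emits an unrestricted `IN ACCEPT`, so a service whose prefix list is empty by accident (no prefixes recorded yet, or a lookup that returns nothing) fails open instead of closed. If "public" is meant to be a deliberate choice, it is safer to drive it from an explicit per-service flag, if the service model can carry one, rather than from the absence of prefixes. At minimum make the decision visible in the generated ruleset, e.g. `IN ACCEPT -p {{ service.protocol.value }} -dport {{ ports }} # {{ service.name }} (public: no allowed prefixes)`, so an operator reading cluster.fw can tell an intended public service from a data gap. The alpine template's `{% else %}` branch in patch 1/4 follows the same convention and should get the same treatment.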
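Review bot: The `cmd:` string of the new `pvenode config set --acme` task is split into arguments by the command module before execution, so the `domains=` value only stays a single argument as long as no `dns_name` contains whitespace or quote characters; the `argv:` form passes it as one argument regardless and removes the quoting concern. The task also runs on every play with `changed_when: false`, and when the loopback lookup yields no names it renders `domains=` with an empty value, which should probably be guarded by a `when:` on the computed string rather than handed to pvenode. Computing the domain list once in task `vars:` lets both the guard and the command use it without repeating the expression. The surrounding task list continues outside the hunk.
```yaml
- name: Set domain for ACME certificate renewals
  vars:
    acme_domains: '{{ interfaces | selectattr("name", "==", "lo")
      | map(attribute="ip_addresses") | flatten | map(attribute="dns_name")
      | sort | unique | join(";") }}'
  command:
    argv: ['pvenode', 'config', 'set', '--acme', 'domains={{ acme_domains }}']
  when: acme_domains | length > 0
  # … unchanged: changed_when …
```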
diff --git a/roles/proxmox/templates/cluster.fw.j2 b/roles/proxmox/templates/cluster.fw.j2
index 41fd5ed..519d8e1 100644
--- a/roles/proxmox/templates/cluster.fw.j2
+++ b/roles/proxmox/templates/cluster.fw.j2
@@ -6,8 +6,11 @@ enable: 1
 IN Ping(ACCEPT) -log nolog # don’t be rude
 IN SSH(ACCEPT) -i mgmt # for ansible etc.
+IN HTTP(ACCEPT) # allow HTTP connections for renewing certificates with ACME
+
 IN ACCEPT -source {{ nodes | map('device_address') | flatten | selectattr('family.value', '==', 4) | map(attribute='address') | join(',') }} # my cluster
 IN ACCEPT -source {{ nodes | map('device_address') | flatten | selectattr('family.value', '==', 6) | map(attribute='address') | join(',') }} # my cluster
+
 {% for service in cluster_services %}
 {% set prefixes = service | allowed_prefixes %}
 {% set ports = service.ports | compact_numlist(range_delimiter=':') %}

From a8b83e833be6fe6fdb35516d4f6c2f444b132223 Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Wed, 4 Sep 2024 16:56:56 +0200
Subject: [PATCH 4/4] facts: only look up cluster nodes when deploying to members

And not when deploying to virtual machines running on a cluster.
---
 roles/facts/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/facts/tasks/main.yml b/roles/facts/tasks/main.yml
index 914e128..d34a6a7 100644
--- a/roles/facts/tasks/main.yml
+++ b/roles/facts/tasks/main.yml
@@ -8,7 +8,7 @@
 prefixes: '{{ query("netbox.netbox.nb_lookup", "prefixes", raw_data=true) | sort(attribute="prefix") | sort(attribute="family.value") }}'
- - when: 'cluster is defined'
+ - when: 'cluster is defined and not is_virtual'
 block:
 - name: Get my cluster and all nodes in it
 set_fact:
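Review bot: `IN HTTP(ACCEPT)` is added without the `-i` restriction that the SSH rule directly above it uses, so 80/tcp is opened on every interface of every node, permanently, even though the commit message says it is only needed while certbot is running. The source of HTTP-01 validation requests cannot be pinned to addresses, but the rule can be limited to the interface that carries the public address the certificate is for, e.g. `IN HTTP(ACCEPT) -i <public-interface> # allow HTTP connections for renewing certificates with ACME` (placeholder; the real interface name is not on this page). The comment should also record the assumption that nothing else may ever bind port 80 on the nodes, since a service added later would become reachable from anywhere without any change to this file.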
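Review bot: `not is_virtual` in the new `when:` raises an undefined-variable error for any host in the play that does not define `is_virtual`, whereas the old condition referenced only `cluster`, which is itself protected by `is defined`. Unless `is_virtual` is guaranteed to be set for every host this role runs on, write it as `when: 'cluster is defined and not (is_virtual | default(false))'`, which keeps the previous behaviour for hosts that lack the variable. The `block:` this condition governs continues past the end of the hunk.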