Timotej Lazar a8b83e833b facts: only look up cluster nodes when deploying to members
And not when deploying to virtual machines running on a cluster.
2024-09-04 16:56:56 +02:00
Timotej Lazar 17c8e84498 proxmox: support certificate renewals with ACME
Certificates must still be requested manually, this just sets the
domain and opens up port 80/tcp. Nothing listens there except for
certbot during renewals so that’s OK.
2024-09-04 16:54:47 +02:00
Timotej Lazar 1c1dd52325 proxmox: support public services for firewall
If no allowed IPs are set for a service, allow connections from anywhere.
2024-09-04 16:44:46 +02:00
Timotej Lazar 6b1d871392 alpine: don’t assume all public services are TCP either 2024-09-04 16:42:13 +02:00
4 changed files with 16 additions and 2 deletions


@ -14,7 +14,7 @@ table inet filter {
ip6 saddr { {{ prefixes | ipv6 | join(', ') }} } {{ service.protocol.value }} dport { {{ ports }} } accept
{% endif %}
{% else %}
tcp dport { {{ ports }} } accept
{{ service.protocol.value }} dport { {{ ports }} } accept
{% endif %}
{% endfor %}


@ -8,7 +8,7 @@
prefixes: '{{ query("netbox.netbox.nb_lookup", "prefixes", raw_data=true)
| sort(attribute="prefix") | sort(attribute="family.value") }}'
- when: 'cluster is defined'
- when: 'cluster is defined and not is_virtual'
block:
- name: Get my cluster and all nodes in it
set_fact:
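Review bot: The new condition `cluster is defined and not is_virtual` makes the task error out for any host where `is_virtual` is not set, because an undefined name inside an Ansible `when` is a failure rather than a false; unless every host in the inventory is guaranteed to define it, `when: 'cluster is defined and not (is_virtual | default(false))'` keeps the cluster lookup working on hosts where the fact is missing. Whether the fallback should be `false` (look up nodes) or `true` (skip) depends on which failure mode is preferable when the fact is absent; I cannot tell from the hunk. The `block:` this condition guards continues past the end of the hunk.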


@ -50,6 +50,13 @@
dest: /etc/sysctl.d/local.conf
src: sysctl.conf
- name: Set domain for ACME certificate renewals
command:
cmd: 'pvenode config set --acme domains={{ interfaces | selectattr("name", "==", "lo")
| map(attribute="ip_addresses") | flatten | map(attribute="dns_name")
| sort | unique | join(";") }}'
changed_when: false # maybe write a proper check if certificate requests are ever ansibled
- include_tasks: firewall.yml
- include_tasks: user.yml
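Review bot: The `pvenode config set --acme domains=...` task at the top of the added block still runs when no loopback address in `interfaces` carries a `dns_name`, so it executes with an empty `domains=`, which presumably either clears the node's ACME domain setting or fails the play; a `when:` guard on the computed list avoids both. Moving the expression into task `vars` lets the guard and the command share one definition. If some addresses have an empty `dns_name`, a `reject("equalto", "")` before `sort` would also keep empty entries out of the `;`-joined list, though I cannot tell from the hunk whether that occurs. `changed_when: false` means a real change of the domain list is never reported; the existing comment acknowledges this, so it can stay until a `pvenode config get` comparison is worth writing.

```yaml
# … unchanged: sysctl.conf template task …
- name: Set domain for ACME certificate renewals
  vars:
    acme_domains: '{{ interfaces | selectattr("name", "==", "lo")
      | map(attribute="ip_addresses") | flatten | map(attribute="dns_name")
      | sort | unique | join(";") }}'
  command:
    cmd: 'pvenode config set --acme domains={{ acme_domains }}'
  changed_when: false  # maybe write a proper check if certificate requests are ever ansibled
  when: acme_domains | length > 0
# … unchanged: firewall.yml and user.yml includes …
```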


@ -6,16 +6,23 @@ enable: 1
IN Ping(ACCEPT) -log nolog # don’t be rude
IN SSH(ACCEPT) -i mgmt # for ansible etc.
IN HTTP(ACCEPT) # allow HTTP connections for renewing certificates with ACME
IN ACCEPT -source {{ nodes | map('device_address') | flatten | selectattr('family.value', '==', 4) | map(attribute='address') | join(',') }} # my cluster
IN ACCEPT -source {{ nodes | map('device_address') | flatten | selectattr('family.value', '==', 6) | map(attribute='address') | join(',') }} # my cluster
{% for service in cluster_services %}
{% set prefixes = service | allowed_prefixes %}
{% set ports = service.ports | compact_numlist(range_delimiter=':') %}
{% if prefixes %}
{% if prefixes | ipv4 %}
IN ACCEPT -source {{ prefixes | ipv4 | join(',') }} -p {{ service.protocol.value }} -dport {{ ports }} # {{ service.name }}
{% endif %}
{% if prefixes | ipv6 %}
IN ACCEPT -source {{ prefixes | ipv6 | join(',') }} -p {{ service.protocol.value }} -dport {{ ports }} # {{ service.name }}
{% endif %}
{% else %}
IN ACCEPT -p {{ service.protocol.value }} -dport {{ ports }} # {{ service.name }}
{% endif %}
{% endfor %}
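Review bot: The `{% else %}` branch added inside the service loop accepts traffic from any source as soon as a service has no allowed prefixes in NetBox, so an allow-list that is accidentally emptied silently turns a restricted service into a public one; the generated rule should say so in its comment, e.g. `IN ACCEPT -p {{ service.protocol.value }} -dport {{ ports }} # {{ service.name }} (public: no allowed prefixes)`, so the exposure is visible when reading the rendered firewall config. The new `IN HTTP(ACCEPT)` rule opens 80/tcp permanently on every interface, whereas the neighbouring SSH rule is scoped with `-i mgmt`; if the ACME HTTP challenge only ever arrives on one interface, the same `-i` scoping would narrow it without affecting renewals. The enclosing template continues outside the hunk.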