nft role + disable iptables when nft enabled

2024-07-24 21:32:13 +02:00 · 2024-07-24 21:32:13 +02:00 · 848917a72c
commit 848917a72c
parent a74dba4557
17 changed files with 348 additions and 57 deletions
--- a/group_vars/all.yaml
+++ b/group_vars/all.yaml
@ -5,26 +5,21 @@ ansible_python_interpreter: auto_silent
 notify_email: bestuur@bitlair.nl
 acme_bootstrap_certs: no
 trusted_ranges:
-    # localhost
-  - { v: ipv4, cidr: "127.0.0.1/8" }
-  - { v: ipv6, cidr: "::1" }
-    # rf1928
-  - { v: ipv4, cidr: "10.0.0.0/8" }
-  - { v: ipv4, cidr: "172.16.0.0/12" }
-  - { v: ipv4, cidr: "192.168.0.0/16" }
-    # v6 local
-  - { v: ipv6, cidr: "fe80::/10" }
-    # vihamij
-  - { v: ipv4, cidr: "45.88.49.140" }
-    # eventinfra
-  - { v: ipv4, cidr: "204.2.64.0/20" }
-    # bitlair
-  - { v: ipv4, cidr: "100.64.0.0/10" }
-  - { v: ipv4, cidr: "185.205.52.194/32" }
-  - { v: ipv6, cidr: "2a02:166b:92::/48" }
-    # foobar
-  - { v: ipv4, cidr: "31.187.251.213/32" }
-  - { v: ipv6, cidr: "2a0e:5700:4:2::/64" }
+  - { v: ipv4, cidr: "127.0.0.1/8", comment: "localhost" }
+  - { v: ipv4, cidr: "10.0.0.0/8", comment: "rfc1918" }
+  - { v: ipv4, cidr: "172.16.0.0/12", comment: "rfc1918" }
+  - { v: ipv4, cidr: "192.168.0.0/16", comment: "rfc1918" }
+  - { v: ipv4, cidr: "45.88.49.140", comment: "vihamij" }
+  - { v: ipv4, cidr: "204.2.64.0/20", comment: "eventinfra" }
+  - { v: ipv4, cidr: "100.64.0.0/10", comment: "bitlair" }
+  - { v: ipv4, cidr: "185.205.52.194/32", comment: "bitlair" }
+  - { v: ipv4, cidr: "31.187.251.213/32", comment: "foobar" }
+#  - { v: ipv6, cidr: "::/0", comment: "ipv6 localhost" }
+#  - { v: ipv6, cidr: "fe80::/10", comment: "ipv6 link-local" }
+#  - { v: ipv6, cidr: "2a02:166b:92::/48", comment: "bitlair" } # /48's kunnen niet in de ipset
+  - { v: ipv6, cidr: "2001:678:814:68::/64", comment: "bitlair wifi" }
+  - { v: ipv6, cidr: "2a05:2d01:0:4042::/64", comment: "bitlair servers" }
+  - { v: ipv6, cidr: "2a0e:5700:4:2::/64", comment: "foobar" }

 root_access:
  - ak
--- a/group_vars/git.yaml
+++ b/group_vars/git.yaml
@ -6,6 +6,11 @@ git_server_domain: git.bitlair.nl
 git_server_title: Gitlair
 git_server_bootstrap_cert: no

+nft: true
+group_nft_input:
+  - "# Allow web-traffic from world"
+  - "tcp dport { http, https } accept"
+
 nginx_client_max_body_size: 4G

 nginx_sites:
--- a/group_vars/pad.yaml
+++ b/group_vars/pad.yaml
@ -5,3 +5,8 @@ etherpad_domain: pad.bitlair.nl
 nginx_sites:
  - server_name: "pad.bitlair.nl"
    localproxy: "9001"
+
+nft: true
+group_nft_input:
+  - "# Allow web-traffic from world"
+  - "tcp dport { http, https } accept"