From 3eb33eb5564ba3a76c2496cbe3f91783fdaea321 Mon Sep 17 00:00:00 2001
From: Wojciech Kozlowski
Date: Sat, 8 Jul 2023 13:07:19 +0200
Subject: [PATCH] Restrict traffic to certain addresses
---
 inventory/group_vars/asgard/vars.yml | 1 +
 inventory/host_vars/yggdrasil/vars.yml | 2 ++
 roles | 2 +-
 3 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/inventory/group_vars/asgard/vars.yml b/inventory/group_vars/asgard/vars.yml
index e30fb3a..c998470 100644
--- a/inventory/group_vars/asgard/vars.yml
+++ b/inventory/group_vars/asgard/vars.yml
@@ -29,6 +29,7 @@ vpn_bridge_prefix: "10.66.{{ vpn_subnet_id }}"
 vpn_bridge_address: "{{ vpn_bridge_prefix }}.1"
 vpn_bridge_broadcast: "{{ vpn_bridge_prefix }}.255"
 vpn_bridge_netmask: "255.255.255.0"
+vpn_bridge_subnet: "{{ vpn_bridge_prefix }}.0/24"
 vpn_bridge_dnat: "\
 {% set vpn_bridge_dnat = [] %}\
 {% for properties in ( services_host_services.values() | selectattr('tcp', 'defined') ) %}\
diff --git a/inventory/host_vars/yggdrasil/vars.yml b/inventory/host_vars/yggdrasil/vars.yml
index da4096b..53cab9e 100644
--- a/inventory/host_vars/yggdrasil/vars.yml
+++ b/inventory/host_vars/yggdrasil/vars.yml
@@ -74,6 +74,8 @@ vpn_wireguard_routing_table: 66
 # vpn:bridge
 # --------------------------------------------------------------------------------------------------
 vpn_bridge_routing_table: "{{ vpn_wireguard_routing_table }}"
+vpn_bridge_local_only_daddr:
+ - "{{ services_host_services.database.address }}"
 # --------------------------------------------------------------------------------------------------
 # backups:snapshots
diff --git a/roles b/roles
index 024b0c7..403b65f 160000
--- a/roles
+++ b/roles
@@ -1 +1 @@
-Subproject commit 024b0c7fcc129d832b2fa1933dcd12da4b25ea61
+Subproject commit 403b65f81280ec1e4d9a3b9d2816b3f3b42587f8
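Review bot: The `/24` in the added `vpn_bridge_subnet` line is a second hard-coded copy of the mask already stated on the context line just above it, `vpn_bridge_netmask: "255.255.255.0"`, so the two values can drift apart if the bridge network is ever resized. Given the commit title, this variable presumably feeds a traffic-restriction rule in the `roles` submodule (not visible in this patch), where a stale prefix would silently widen or narrow the permitted address range. I would at least add a comment above the new key, `# Prefix length must match vpn_bridge_netmask; keep both in sync`, or derive the prefix from the netmask so there is a single source of truth.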
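Review bot: `vpn_bridge_local_only_daddr` in `host_vars/yggdrasil/vars.yml` is added without a comment, and the name alone does not say which sources count as "local" or what happens to traffic from elsewhere; the enforcement itself is in the `roles` submodule bump and cannot be checked from this patch. Because the list is set only for this one host, it is worth confirming that the role declares an explicit default and treats a missing or empty list deliberately, so that a host without the variable neither fails templating nor skips the restriction unnoticed. I would add a comment above the key such as `# Destination addresses that must only be reachable from vpn_bridge_subnet (assumed - confirm against the role)`.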