From d6b56ec5edcbc619bcb39f97bcaedde854ca4ab2 Mon Sep 17 00:00:00 2001
From: Wojciech Kozlowski
Date: Thu, 27 Jul 2023 23:13:26 +0200
Subject: [PATCH] Support IPv6 bridges

---
 inventory/group_vars/asgard/vars.yml | 26 ++++++++++++++++++++------
 inventory/group_vars/home/vars.yml | 12 ++++++++----
 inventory/host_vars/valkyrie/vars.yml | 8 +++++---
 inventory/host_vars/yggdrasil/vars.yml | 24 ++++++++++++++++--------
 roles | 2 +-
 5 files changed, 50 insertions(+), 22 deletions(-)

diff --git a/inventory/group_vars/asgard/vars.yml b/inventory/group_vars/asgard/vars.yml
index bfca7f1..be6ac93 100644
--- a/inventory/group_vars/asgard/vars.yml
+++ b/inventory/group_vars/asgard/vars.yml
@@ -8,6 +8,11 @@ system_var_home_directory: "{{ system_var_root_directory }}/home"
 system_var_data_directory: "{{ system_var_root_directory }}/data"
 system_var_containers_directory: "{{ system_var_root_directory }}/containers"
 
+# --------------------------------------------------------------------------------------------------
+# vpn
+# --------------------------------------------------------------------------------------------------
+vpn_global_inet6_prefix: "fd6f:1af7:ce35"
+
 # --------------------------------------------------------------------------------------------------
 # vpn:wireguard
 # --------------------------------------------------------------------------------------------------
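Review bot: `vpn_global_inet6_prefix: "fd6f:1af7:ce35"` is added without a comment saying what kind of prefix it is or how it is consumed, and nothing on the line distinguishes it from a partial address. It is a three-hextet (/48) value inside the fd00::/8 unique-local range, and the following hunk appends a per-bridge hextet to it to form each bridge's /64, so a one-line comment would save the next reader the reconstruction: `# RFC 4193 ULA /48; each bridge gets a /64 under it, fourth hextet derived from vpn_subnet_id`. The value deliberately carries no `/48` length, which is fine for string concatenation but means it cannot be used directly as a network — worth stating in that comment too.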
@@ -19,15 +24,24 @@ vpn_wireguard_subnet: "10.66.0.0/30" # -------------------------------------------------------------------------------------------------- # vpn:bridge # -------------------------------------------------------------------------------------------------- -vpn_bridge_prefix: "10.66.{{ vpn_subnet_id }}" -vpn_bridge_address: "{{ vpn_bridge_prefix }}.1" -vpn_bridge_broadcast: "{{ vpn_bridge_prefix }}.255" -vpn_bridge_prefixlen: "24" -vpn_bridge_subnet: "{{ vpn_bridge_prefix }}.0/{{ vpn_bridge_prefixlen }}" +vpn_bridge_inet_prefix: "10.66.{{ vpn_subnet_id }}" +vpn_bridge_inet_address: "{{ vpn_bridge_inet_prefix }}.1" +vpn_bridge_inet_prefixlen: "24" +vpn_bridge_inet_subnet: "{{ vpn_bridge_inet_prefix }}.0/{{ vpn_bridge_inet_prefixlen }}" + +vpn_bridge_inet6_prefix: "{{ vpn_global_inet6_prefix }}:{{ '%04x' % (0x6600 + vpn_subnet_id) }}" +vpn_bridge_inet6_address: "{{ vpn_bridge_inet6_prefix }}::1" +vpn_bridge_inet6_prefixlen: "64" +vpn_bridge_inet6_subnet: "{{ vpn_bridge_inet6_prefix }}::/{{ vpn_bridge_inet6_prefixlen }}" + vpn_bridge_dnat: "\ {% set vpn_bridge_dnat = [] %}\ {% for properties in ( services_host_services.values() | selectattr('tcp', 'defined') ) %}\ - {{ vpn_bridge_dnat.append({ 'address': properties.address, 'ports': properties.tcp }) }}\ + {{ vpn_bridge_dnat.append({ + 'inet_address': properties.inet_address, + 'inet6_address': properties.inet6_address, + 'ports': properties.tcp + }) }}\ {% endfor %}\ {{ vpn_bridge_dnat }}" diff --git a/inventory/group_vars/home/vars.yml b/inventory/group_vars/home/vars.yml index 873bb68..e3b9600 100644 --- a/inventory/group_vars/home/vars.yml +++ b/inventory/group_vars/home/vars.yml 
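Review bot: `'%04x' % (0x6600 + vpn_subnet_id)` in the new `vpn_bridge_inet6_prefix` is the first expression in this inventory that needs `vpn_subnet_id` to be an integer; the existing `"10.66.{{ vpn_subnet_id }}"` works equally with a string, so an inventory, vault or `-e` that quotes the id will now fail only here, at template time. Coercing it explicitly, `{{ '%04x' % (0x6600 + (vpn_subnet_id | int)) }}`, keeps the v4 and v6 prefixes derived from the same id however it is declared. The rewritten `vpn_bridge_dnat` now reads `properties.inet6_address` for every service with `tcp` defined; every such service in this patch's host_vars does set it, but a future service that only sets `inet_address` would render as undefined rather than being skipped, so deciding now between a `selectattr('inet6_address', 'defined')` guard and a hard requirement (and documenting it above the variable) would avoid a surprising failure later. The dropped `vpn_bridge_broadcast` and renamed `vpn_bridge_address`/`vpn_bridge_subnet` keys are presumably consumed by the `roles` submodule bumped in this same patch; I cannot verify that from the inventory alone.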
@@ -2,11 +2,15 @@
 # --------------------------------------------------------------------------------------------------
 # network
 # --------------------------------------------------------------------------------------------------
-local_network_address: "192.168.0.0"
-local_network_masklen: 16
-local_network: "{{ local_network_address }}/{{ local_network_masklen }}"
+local_inet_network_address: "192.168.0.0"
+local_inet_network_prefixlen: 16
+local_inet_network: "{{ local_inet_network_address }}/{{ local_inet_network_prefixlen }}"
+
+local_inet6_network_address: "2001:1c00:161e:7900::"
+local_inet6_network_prefixlen: 64
+local_inet6_network: "{{ local_inet6_network_address }}/{{ local_inet6_network_prefixlen }}"
 
 # --------------------------------------------------------------------------------------------------
 # system:base
 # --------------------------------------------------------------------------------------------------
-system_base_fail2ban_ignoreip: "{{ local_network }}"
+system_base_fail2ban_ignoreip: "{{ local_inet_network }} {{ local_inet6_network }}"
diff --git a/inventory/group_vars/home/vars.yml b/inventory/group_vars/home/vars.yml
index 873bb68..e3b9600 100644
--- a/inventory/group_vars/home/vars.yml
+++ b/inventory/group_vars/home/vars.yml
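Review bot: `local_inet6_network_address: "2001:1c00:161e:7900::"` hard-codes a globally routable (2001::/16) prefix that, unlike the RFC 1918 `192.168.0.0/16` beside it, is presumably ISP-delegated and can be reassigned. Because the value feeds `system_base_fail2ban_ignoreip`, a change of delegation silently switches the exemption off for local v6 hosts, while the stale /64 stays exempt for whoever is assigned it next, so the line should say where the value comes from and what depends on it: `# ISP-delegated GUA /64 for the LAN — must follow the delegated prefix; feeds the fail2ban ignoreip exemption`. If the delegation is dynamic, deriving the prefix from the router's facts at run time would be safer than a committed constant.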
@@ -28,16 +28,18 @@ vpn_wireguard_interface_private_key: "{{ vault_vpn_wireguard_interface_private_k
 vpn_wireguard_clients:
   - public_key: "{{ vault_vpn_wireguard_clients_0_public_key }}"
     preshared_key: "{{ vault_vpn_wireguard_clients_0_preshared_key }}"
-    subnet: "{{ hostvars.yggdrasil.vpn_bridge_prefix }}.0/24"
+    subnet: "{{ hostvars.yggdrasil.vpn_bridge_inet_prefix }}.0/24"
 
 # --------------------------------------------------------------------------------------------------
 # services
 # --------------------------------------------------------------------------------------------------
 services_host_services:
   rproxy:
-    address: "{{ vpn_bridge_prefix }}.2"
+    inet_address: "{{ vpn_bridge_inet_prefix }}.2"
+    inet6_address: "{{ vpn_bridge_inet6_prefix }}::2"
     tcp: [80, 443]
     restic: true
   www:
-    address: "{{ vpn_bridge_prefix }}.3"
+    inet_address: "{{ vpn_bridge_inet_prefix }}.3"
+    inet6_address: "{{ vpn_bridge_inet6_prefix }}::3"
     restic: false
diff --git a/inventory/host_vars/yggdrasil/vars.yml b/inventory/host_vars/yggdrasil/vars.yml
index c916c59..427e0c3 100644
--- a/inventory/host_vars/yggdrasil/vars.yml
+++ b/inventory/host_vars/yggdrasil/vars.yml
@@ -75,8 +75,10 @@ vpn_wireguard_routing_table: 66
 # vpn:bridge
 # --------------------------------------------------------------------------------------------------
 vpn_bridge_routing_table: "{{ vpn_wireguard_routing_table }}"
-vpn_bridge_local_only_daddr:
-  - "{{ services_host_services.database.address }}"
+vpn_bridge_local_only_inet_daddr:
+  - "{{ services_host_services.database.inet_address }}"
+vpn_bridge_local_only_inet6_daddr:
+  - "{{ services_host_services.database.inet6_address }}"
 
 # --------------------------------------------------------------------------------------------------
 # backups:snapshots
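Review bot: The WireGuard client entry still carries only the IPv4 bridge subnet, `subnet: "{{ hostvars.yggdrasil.vpn_bridge_inet_prefix }}.0/24"`, while the same hunk gives every service an `inet6_address` under `vpn_bridge_inet6_prefix`; if the role turns `subnet` into the peer's allowed networks (the role is outside this patch), yggdrasil's new `::/64` is not routed over the tunnel and the v6 DNAT targets assembled in group_vars are unreachable from valkyrie. Adding a parallel `inet6_subnet: "{{ hostvars.yggdrasil.vpn_bridge_inet6_subnet }}"` next to it (or letting `subnet` accept a list) would complete the change on this side. As a point of style, the line re-derives `.0/24` from the prefix although `hostvars.yggdrasil.vpn_bridge_inet_subnet` now exists for exactly that; referencing it stops the prefix length drifting between the two files.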
@@ -142,26 +144,32 @@ services_containers_dataset: "{{ system_var_containers_dataset }}" services_host_services: lrproxy: - address: "{{ vpn_bridge_prefix }}.2" + inet_address: "{{ vpn_bridge_inet_prefix }}.2" + inet6_address: "{{ vpn_bridge_inet6_prefix }}::2" tcp: [80, 443] restic: true database: - address: "{{ vpn_bridge_prefix }}.3" + inet_address: "{{ vpn_bridge_inet_prefix }}.3" + inet6_address: "{{ vpn_bridge_inet6_prefix }}::3" restic: true cloud: - address: "{{ vpn_bridge_prefix }}.4" + inet_address: "{{ vpn_bridge_inet_prefix }}.4" + inet6_address: "{{ vpn_bridge_inet6_prefix }}::4" restic: true restic_exclude: - "external" git: - address: "{{ vpn_bridge_prefix }}.5" + inet_address: "{{ vpn_bridge_inet_prefix }}.5" + inet6_address: "{{ vpn_bridge_inet6_prefix }}::5" tcp: ["{{ services.git.ssh_port }}"] restic: true notes: - address: "{{ vpn_bridge_prefix }}.6" + inet_address: "{{ vpn_bridge_inet_prefix }}.6" + inet6_address: "{{ vpn_bridge_inet6_prefix }}::6" restic: true music: - address: "{{ vpn_bridge_prefix }}.7" + inet_address: "{{ vpn_bridge_inet_prefix }}.7" + inet6_address: "{{ vpn_bridge_inet6_prefix }}::7" collection_path: "{{ music_user_data_collection_directory }}" archive_path: "{{ music_user_data_archive_directory }}" restic: true diff --git a/roles b/roles index f944dae..18ee9c7 160000 --- a/roles +++ b/roles @@ -1 +1 @@ -Subproject commit f944dae2fe14a5bf9319c8c1e822f380716d8bb4 +Subproject commit 18ee9c7a242c612d5661607ead478794e757ef03
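Review bot: Each service now states its host ordinal twice, `inet_address: "{{ vpn_bridge_inet_prefix }}.N"` and `inet6_address: "{{ vpn_bridge_inet6_prefix }}::N"`, for lrproxy through music (the valkyrie hunk follows the same pattern); nothing ties the two together, so a later edit that bumps one suffix but not the other yields a v4/v6 pair that point at different hosts, and the DNAT list built from both in group_vars would silently send the two address families to different places. A single `host_id: N` per service with both addresses derived where `vpn_bridge_dnat` is assembled would remove the duplication; failing that, a comment above `services_host_services` stating the invariant — `# inet_address and inet6_address of a service must share the same final suffix` — at least makes the expectation visible. The `roles` submodule bump at the end is a pointer change only and cannot be reviewed from this patch.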