Support IPv6 bridges

This commit is contained in:
Wojciech Kozlowski 2023-07-27 23:13:26 +02:00
parent 3dcad38d0b
commit d6b56ec5ed
5 changed files with 50 additions and 22 deletions


@ -8,6 +8,11 @@ system_var_home_directory: "{{ system_var_root_directory }}/home"
system_var_data_directory: "{{ system_var_root_directory }}/data"
system_var_containers_directory: "{{ system_var_root_directory }}/containers"
# --------------------------------------------------------------------------------------------------
# vpn
# --------------------------------------------------------------------------------------------------
vpn_global_inet6_prefix: "fd6f:1af7:ce35"
# --------------------------------------------------------------------------------------------------
# vpn:wireguard
# --------------------------------------------------------------------------------------------------
@ -19,15 +24,24 @@ vpn_wireguard_subnet: "10.66.0.0/30"
# --------------------------------------------------------------------------------------------------
# vpn:bridge
# --------------------------------------------------------------------------------------------------
vpn_bridge_prefix: "10.66.{{ vpn_subnet_id }}"
vpn_bridge_address: "{{ vpn_bridge_prefix }}.1"
vpn_bridge_broadcast: "{{ vpn_bridge_prefix }}.255"
vpn_bridge_prefixlen: "24"
vpn_bridge_subnet: "{{ vpn_bridge_prefix }}.0/{{ vpn_bridge_prefixlen }}"
vpn_bridge_inet_prefix: "10.66.{{ vpn_subnet_id }}"
vpn_bridge_inet_address: "{{ vpn_bridge_inet_prefix }}.1"
vpn_bridge_inet_prefixlen: "24"
vpn_bridge_inet_subnet: "{{ vpn_bridge_inet_prefix }}.0/{{ vpn_bridge_inet_prefixlen }}"
vpn_bridge_inet6_prefix: "{{ vpn_global_inet6_prefix }}:{{ '%04x' % (0x6600 + vpn_subnet_id) }}"
vpn_bridge_inet6_address: "{{ vpn_bridge_inet6_prefix }}::1"
vpn_bridge_inet6_prefixlen: "64"
vpn_bridge_inet6_subnet: "{{ vpn_bridge_inet6_prefix }}::/{{ vpn_bridge_inet6_prefixlen }}"
vpn_bridge_dnat: "\
{% set vpn_bridge_dnat = [] %}\
{% for properties in ( services_host_services.values() | selectattr('tcp', 'defined') ) %}\
{{ vpn_bridge_dnat.append({ 'address': properties.address, 'ports': properties.tcp }) }}\
{{ vpn_bridge_dnat.append({
'inet_address': properties.inet_address,
'inet6_address': properties.inet6_address,
'ports': properties.tcp
}) }}\
{% endfor %}\
{{ vpn_bridge_dnat }}"
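Review bot: `vpn_bridge_inet6_prefix` in the first hunk of this section is the first place `vpn_subnet_id` is used arithmetically; the IPv4 prefix only interpolates it into a string, so a `vpn_subnet_id` that arrives as a quoted string from inventory or extra-vars worked before and would now fail inside `0x6600 + vpn_subnet_id`. Coercing it, `vpn_bridge_inet6_prefix: "{{ vpn_global_inet6_prefix }}:{{ '%04x' % (0x6600 + (vpn_subnet_id | int)) }}"`, keeps both forms working. The encoding is also not obvious to a reader, so a comment above it such as `# one /64 per site: <global prefix>:66XX where XX = vpn_subnet_id in hex` would document what the arithmetic produces. In the second hunk, `properties.inet6_address` is now read for every service with `tcp` defined, so a future service that only declares `inet_address` will fail at render time rather than simply being skipped for IPv6.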


@ -2,11 +2,15 @@
# --------------------------------------------------------------------------------------------------
# network
# --------------------------------------------------------------------------------------------------
local_network_address: "192.168.0.0"
local_network_masklen: 16
local_network: "{{ local_network_address }}/{{ local_network_masklen }}"
local_inet_network_address: "192.168.0.0"
local_inet_network_prefixlen: 16
local_inet_network: "{{ local_inet_network_address }}/{{ local_inet_network_prefixlen }}"
local_inet6_network_address: "2001:1c00:161e:7900::"
local_inet6_network_prefixlen: 64
local_inet6_network: "{{ local_inet6_network_address }}/{{ local_inet6_network_prefixlen }}"
# --------------------------------------------------------------------------------------------------
# system:base
# --------------------------------------------------------------------------------------------------
system_base_fail2ban_ignoreip: "{{ local_network }}"
system_base_fail2ban_ignoreip: "{{ local_inet_network }} {{ local_inet6_network }}"
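Review bot: The fail2ban ignore list now also exempts `2001:1c00:161e:7900::/64`, which is global unicast space rather than a private or ULA range like the IPv4 entry beside it, so the exemption is only as tight as that prefix being exclusively the local LAN. If the prefix is delegated by an upstream provider it can change, in which case the entry silently stops matching and fail2ban starts banning LAN clients on IPv6. A comment above `local_inet6_network_address` stating where the prefix comes from and that it must be revisited on re-delegation would make that dependency visible, e.g. `# Delegated global prefix - fail2ban ignoreip depends on it; update if the delegation changes`. Minor style point: `local_inet6_network_prefixlen: 64` is an unquoted integer while the vpn bridge prefix lengths in this commit are quoted strings; picking one convention avoids type surprises in templates that compare them.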


@ -28,16 +28,18 @@ vpn_wireguard_interface_private_key: "{{ vault_vpn_wireguard_interface_private_k
vpn_wireguard_clients:
- public_key: "{{ vault_vpn_wireguard_clients_0_public_key }}"
preshared_key: "{{ vault_vpn_wireguard_clients_0_preshared_key }}"
subnet: "{{ hostvars.yggdrasil.vpn_bridge_prefix }}.0/24"
subnet: "{{ hostvars.yggdrasil.vpn_bridge_inet_prefix }}.0/24"
# --------------------------------------------------------------------------------------------------
# services
# --------------------------------------------------------------------------------------------------
services_host_services:
rproxy:
address: "{{ vpn_bridge_prefix }}.2"
inet_address: "{{ vpn_bridge_inet_prefix }}.2"
inet6_address: "{{ vpn_bridge_inet6_prefix }}::2"
tcp: [80, 443]
restic: true
www:
address: "{{ vpn_bridge_prefix }}.3"
inet_address: "{{ vpn_bridge_inet_prefix }}.3"
inet6_address: "{{ vpn_bridge_inet6_prefix }}::3"
restic: false
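Review bot: The WireGuard client `subnet` still hard-codes `/24` although `hostvars.yggdrasil.vpn_bridge_inet_subnet` (defined in this commit as `{{ vpn_bridge_inet_prefix }}.0/{{ vpn_bridge_inet_prefixlen }}`) already expresses the same value; `subnet: "{{ hostvars.yggdrasil.vpn_bridge_inet_subnet }}"` keeps the two from drifting apart. Separately, the services below gain `inet6_address` entries but the client entry gets no IPv6 counterpart; if `subnet` feeds the tunnel's allowed-IPs, the bridge's new `::/64` is not routed over the VPN and the IPv6 service addresses stay unreachable from this client. The enclosing file continues outside both hunks.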


@ -75,8 +75,10 @@ vpn_wireguard_routing_table: 66
# vpn:bridge
# --------------------------------------------------------------------------------------------------
vpn_bridge_routing_table: "{{ vpn_wireguard_routing_table }}"
vpn_bridge_local_only_daddr:
- "{{ services_host_services.database.address }}"
vpn_bridge_local_only_inet_daddr:
- "{{ services_host_services.database.inet_address }}"
vpn_bridge_local_only_inet6_daddr:
- "{{ services_host_services.database.inet6_address }}"
# --------------------------------------------------------------------------------------------------
# backups:snapshots
@ -142,26 +144,32 @@ services_containers_dataset: "{{ system_var_containers_dataset }}"
services_host_services:
lrproxy:
address: "{{ vpn_bridge_prefix }}.2"
inet_address: "{{ vpn_bridge_inet_prefix }}.2"
inet6_address: "{{ vpn_bridge_inet6_prefix }}::2"
tcp: [80, 443]
restic: true
database:
address: "{{ vpn_bridge_prefix }}.3"
inet_address: "{{ vpn_bridge_inet_prefix }}.3"
inet6_address: "{{ vpn_bridge_inet6_prefix }}::3"
restic: true
cloud:
address: "{{ vpn_bridge_prefix }}.4"
inet_address: "{{ vpn_bridge_inet_prefix }}.4"
inet6_address: "{{ vpn_bridge_inet6_prefix }}::4"
restic: true
restic_exclude:
- "external"
git:
address: "{{ vpn_bridge_prefix }}.5"
inet_address: "{{ vpn_bridge_inet_prefix }}.5"
inet6_address: "{{ vpn_bridge_inet6_prefix }}::5"
tcp: ["{{ services.git.ssh_port }}"]
restic: true
notes:
address: "{{ vpn_bridge_prefix }}.6"
inet_address: "{{ vpn_bridge_inet_prefix }}.6"
inet6_address: "{{ vpn_bridge_inet6_prefix }}::6"
restic: true
music:
address: "{{ vpn_bridge_prefix }}.7"
inet_address: "{{ vpn_bridge_inet_prefix }}.7"
inet6_address: "{{ vpn_bridge_inet6_prefix }}::7"
collection_path: "{{ music_user_data_collection_directory }}"
archive_path: "{{ music_user_data_archive_directory }}"
restic: true
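Review bot: `vpn_bridge_local_only_inet6_daddr` in the first hunk only restricts the database's IPv6 address if the consuming firewall role applies the list to the IPv6 ruleset as well; the `roles` submodule is bumped in this commit but its change is not visible here, so this cannot be confirmed from the diff. Until that is checked, the database would be reachable at its `::3` address from the whole bridge even though its IPv4 address is local-only. A comment on the new list, such as `# Mirrors vpn_bridge_local_only_inet_daddr; the firewall role must filter the ip6 family too`, records the assumption for the next reader. The `services_host_services` mapping in the second hunk may continue past the hunk's last line.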

2
roles

@ -1 +1 @@
Subproject commit f944dae2fe14a5bf9319c8c1e822f380716d8bb4
Subproject commit 18ee9c7a242c612d5661607ead478794e757ef03