diff --git a/host_vars/.template b/host_vars/.template
index b15de0b..cd652b4 100644
--- a/host_vars/.template
+++ b/host_vars/.template
@@ -27,8 +27,6 @@ vpn_wg0_endpoint_address:
 vpn_remote_br0_subnet:
-vpn_reverse_proxy_address:
-
 # Service variables
 host_services: [
 service_name_1,
diff --git a/playbooks/filesystem/valkyrie/usr/local/sbin/post-up-br0-ipv4.nft.j2 b/playbooks/filesystem/valkyrie/usr/local/sbin/post-up-br0-ipv4.nft.j2
index e93c673..a60f253 100644
--- a/playbooks/filesystem/valkyrie/usr/local/sbin/post-up-br0-ipv4.nft.j2
+++ b/playbooks/filesystem/valkyrie/usr/local/sbin/post-up-br0-ipv4.nft.j2
@@ -3,7 +3,7 @@ table ip br0_ipv4 {
 chain prerouting {
 type nat hook prerouting priority -100;
- iif {{ ethx }} tcp dport { 80, 443 } dnat to {{ vpn_reverse_proxy_address }};
+ iif {{ ethx }} tcp dport { 80, 443 } dnat to {{ services['rproxy'].address }};
 }
 chain postrouting {
diff --git a/playbooks/filesystem/yggdrasil/etc/nftables.conf.j2 b/playbooks/filesystem/yggdrasil/etc/nftables.conf.j2
index 8e78160..ddac20e 100755
--- a/playbooks/filesystem/yggdrasil/etc/nftables.conf.j2
+++ b/playbooks/filesystem/yggdrasil/etc/nftables.conf.j2
@@ -21,7 +21,7 @@ table inet filter {
 ct state invalid drop;
 # Accept HTTP, HTTPS, SSH.
- tcp dport { 80, 443, {{ ansible_port }} } ct state new accept;
+ tcp dport { 80, 443, {{ ansible_port }}, {{ services['git'].ssh_port }} } ct state new accept;
 # Count and drop any other traffic.
 counter drop;
diff --git a/playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-br0-ipv4.nft.j2 b/playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-br0-ipv4.nft.j2
index cdf2636..7442e62 100644
--- a/playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-br0-ipv4.nft.j2
+++ b/playbooks/filesystem/yggdrasil/usr/local/sbin/post-up-br0-ipv4.nft.j2
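Review bot: The comment directly above the changed rule in the nftables.conf.j2 hunk, `# Accept HTTP, HTTPS, SSH.`, no longer describes the set now that `services['git'].ssh_port` is accepted as well; `# Accept HTTP, HTTPS, host SSH and the Gitea SSH port.` would keep it accurate. Nothing prevents `services['git'].ssh_port` from being equal to `ansible_port`, in which case the anonymous set carries a duplicate element that nft may reject when the ruleset is loaded, and an `assert` on that inequality in the playbook is cheaper than a failed firewall reload. Note also that connections to this port are DNATed in the br0_ipv4 prerouting chain towards the git container, so the redirected flow is evaluated by the forward hook rather than by this input chain; whether this accept is needed at all depends on the forward policy, which lies outside the hunk.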
@@ -3,7 +3,8 @@ table ip br0_ipv4 {
 chain prerouting {
 type nat hook prerouting priority -100;
- iif {{ ethx }} tcp dport { 80, 443 } dnat to {{ vpn_reverse_proxy_address }};
+ iif {{ ethx }} tcp dport { 80, 443 } dnat to {{ services['lrproxy'].address }};
+ iif {{ ethx }} tcp dport {{ services['git'].ssh_port }} dnat to {{ services['git'].address }};
 }
 chain input {
diff --git a/playbooks/filesystem/yggdrasil/var/lib/yggdrasil/home/pod-git/.config/systemd/user/container-git-gitea.service.j2 b/playbooks/filesystem/yggdrasil/var/lib/yggdrasil/home/pod-git/.config/systemd/user/container-git-gitea.service.j2
index 7c242f3..3c9ed28 100644
--- a/playbooks/filesystem/yggdrasil/var/lib/yggdrasil/home/pod-git/.config/systemd/user/container-git-gitea.service.j2
+++ b/playbooks/filesystem/yggdrasil/var/lib/yggdrasil/home/pod-git/.config/systemd/user/container-git-gitea.service.j2
@@ -34,6 +34,8 @@ ExecStart=/usr/bin/podman run \
 -e GITEA__database__PASSWD="{{ services[service_name].database_passwd }}" \
 -e GITEA__server__DOMAIN="{{ services[service_name].domain }}" \
 -e GITEA__server__ROOT_URL="https://%(DOMAIN)s/" \
+ -e GITEA__server__SSH_PORT="{{ services[service_name].ssh_port }}" \
+ -e GITEA__server__SSH_LISTEN_PORT="{{ services[service_name].ssh_port }}" \
 -e GITEA__mailer__ENABLED="true" \
 -e GITEA__mailer__FROM="Gitea " \
 -e GITEA__mailer__MAILER_TYPE="smtp" \
diff --git a/playbooks/tasks/hosts/firewall.yml b/playbooks/tasks/hosts/firewall.yml
index ac935c0..adecab5 100644
--- a/playbooks/tasks/hosts/firewall.yml
+++ b/playbooks/tasks/hosts/firewall.yml
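Review bot: The second DNAT rule captures every TCP connection to `services['git'].ssh_port` arriving on `{{ ethx }}` before the filter input chain sees it, so if that port is ever configured equal to `ansible_port` the host's own management SSH is silently redirected into the git container and the operator is locked out of the host; an `assert` task (`that: services['git'].ssh_port != ansible_port`) run before this template is rendered would catch that misconfiguration. A comment above the rule would also help whoever reads the generated file, e.g. `# Gitea SSH: forward the published ssh_port to the git container`. The prerouting chain is complete within the hunk; the input chain that follows continues outside it.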
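Review bot: `GITEA__server__SSH_LISTEN_PORT` only sets a value in app.ini; whether the SSH listener inside the container actually moves to that port depends on the image variant, since the standard image configures its own sshd from the image's plain `SSH_LISTEN_PORT` environment variable while the rootless image relies on the built-in server, so this should be confirmed against the image in use — otherwise the DNAT added in post-up-br0-ipv4.nft.j2 lands on a port nothing listens on. If `ssh_port` is below 1024, this being a user unit under pod-git means the port can only be published on the host with `net.ipv4.ip_unprivileged_port_start` lowered; the `-p` publish line, if there is one, lies outside this hunk, as does the rest of the `ExecStart` command.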
@@ -29,9 +29,17 @@ nftables_conf is changed and nftables_start is not changed
-- name: Reload nft scripts for interfaces
- command: "{{ item }}"
- with_fileglob:
- - "/usr/local/sbin/post-up-*.nft"
+- block:
+ - name: List all post-up nft scripts for interfaces
+ find:
+ paths: /usr/local/sbin
+ patterns: "post-up-*.nft"
+ register: nft_post_up_scripts
+
+ - name: Reload nft scripts for interfaces
+ command: "{{ item.path }}"
+ with_items:
+ - "{{ nft_post_up_scripts.files }}"
+ when: nftables_restart is changed
diff --git a/playbooks/tasks/vpn/bridge.yml b/playbooks/tasks/vpn/bridge.yml
index 11f69fe..48234e5 100644
--- a/playbooks/tasks/vpn/bridge.yml
+++ b/playbooks/tasks/vpn/bridge.yml
@@ -25,8 +25,17 @@ fi'
 register: br_intf
-- name: Restart bridge interface
- shell: if ip link show dev br0 ; then ifdown br0 && ifup br0 ; else ifup br0 ; fi
+- block:
+ - name: Restart bridge interface
+ shell: if ip link show dev br0 ; then ifdown br0 && ifup br0 ; else ifup br0 ; fi
+
+ - name: Reconnect all services
+ systemd:
+ name: connect-pod-service@{{ item }}.service
+ state: started
+ with_items:
+ - "{{ host_services }}"
+ when: br_intf_post_up_inet is changed or br_intf_post_up_ipv4 is changed or
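Review bot: `with_items:` wrapping `{{ nft_post_up_scripts.files }}` in a one-element list iterates the full stat dictionaries returned by `find`, so each iteration of "Reload nft scripts for interfaces" is labelled in the play output with an entire dict instead of the script path; `loop: "{{ nft_post_up_scripts.files | map(attribute='path') | list }}"` together with `command: "{{ item }}"` keeps the output readable and drops the nested-list flattening. Executing the matches directly with `command:` also relies on every script being executable with a usable shebang, which nothing in this hunk establishes; `command: nft -f {{ item.path }}` would not depend on that, provided the files are plain nft rulesets as the valkyrie and yggdrasil templates suggest. The `when: nftables_restart is changed` guard on the block correctly skips the `find` as well when there was no restart.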