Set up gitea port forwarding

Wojciech Kozlowski 2022-11-15 23:01:51 +01:00
parent d844925ee0
commit f4d20636d4
7 changed files with 29 additions and 11 deletions


@ -27,8 +27,6 @@ vpn_wg0_endpoint_address:
vpn_remote_br0_subnet: vpn_remote_br0_subnet:
vpn_reverse_proxy_address:
# Service variables # Service variables
host_services: [ host_services: [
service_name_1, service_name_1,


@ -3,7 +3,7 @@
table ip br0_ipv4 { table ip br0_ipv4 {
chain prerouting { chain prerouting {
type nat hook prerouting priority -100; type nat hook prerouting priority -100;
iif {{ ethx }} tcp dport { 80, 443 } dnat to {{ vpn_reverse_proxy_address }}; iif {{ ethx }} tcp dport { 80, 443 } dnat to {{ services['rproxy'].address }};
} }
chain postrouting { chain postrouting {
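Review bot: The changed dnat line now reads the reverse-proxy target from `services['rproxy'].address`, while the equivalent prerouting rule in the other br0_ipv4 template in this same commit reads `services['lrproxy'].address`; if both templates render against the same `services` dictionary, whichever key is absent makes the Jinja render fail at deploy time rather than at review. If the two templates are meant for hosts whose reverse proxy is registered under different names, a one-line comment above the rule stating which entry it expects, e.g. `# Web traffic goes to the host's reverse proxy ('rproxy' entry of services).`, would make the difference visibly deliberate. The enclosing table br0_ipv4 continues outside the hunk.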


@ -21,7 +21,7 @@ table inet filter {
ct state invalid drop; ct state invalid drop;
# Accept HTTP, HTTPS, SSH. # Accept HTTP, HTTPS, SSH.
tcp dport { 80, 443, {{ ansible_port }} } ct state new accept; tcp dport { 80, 443, {{ ansible_port }}, {{ services['git'].ssh_port }} } ct state new accept;
# Count and drop any other traffic. # Count and drop any other traffic.
counter drop; counter drop;
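Review bot: The comment above the changed accept rule still says `# Accept HTTP, HTTPS, SSH.` although the port set now also carries the Gitea SSH port, so it no longer describes the rule; `# Accept HTTP, HTTPS, host SSH ({{ ansible_port }}) and Gitea SSH.` keeps it accurate. Separately, nothing in the templates guards against `services['git'].ssh_port` being equal to `ansible_port`: the set on this line would then list the same port twice, and the matching dnat rule added to the br0_ipv4 prerouting chain in this commit would redirect management SSH to the container. An `assert` task in the playbook checking that the two ports differ, run before the templates render, would catch that. The enclosing chain and table start before the hunk.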


@ -3,7 +3,8 @@
table ip br0_ipv4 { table ip br0_ipv4 {
chain prerouting { chain prerouting {
type nat hook prerouting priority -100; type nat hook prerouting priority -100;
iif {{ ethx }} tcp dport { 80, 443 } dnat to {{ vpn_reverse_proxy_address }}; iif {{ ethx }} tcp dport { 80, 443 } dnat to {{ services['lrproxy'].address }};
iif {{ ethx }} tcp dport {{ services['git'].ssh_port }} dnat to {{ services['git'].address }};
} }
chain input { chain input {
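Review bot: The new dnat rule has no comment, and unlike the web rule above it, its purpose is not obvious from the port number alone because `ssh_port` is a per-service value; `# Forward the Gitea SSH port from the external interface to the git container.` above it would help the next reader. The rule only rewrites the destination in prerouting; whether the rewritten connection is also accepted on the forward path depends on chains not shown in this hunk (only `input` follows), so that should be confirmed in the same file. The enclosing table br0_ipv4 continues outside the hunk.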


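--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -34,6 +34,8 @@ ExecStart=/usr/bin/podman run \
 -e GITEA__database__PASSWD="{{ services[service_name].database_passwd }}" \
 -e GITEA__server__DOMAIN="{{ services[service_name].domain }}" \
 -e GITEA__server__ROOT_URL="https://%(DOMAIN)s/" \
+-e GITEA__server__SSH_PORT="{{ services[service_name].ssh_port }}" \
+-e GITEA__server__SSH_LISTEN_PORT="{{ services[service_name].ssh_port }}" \
 -e GITEA__mailer__ENABLED="true" \
 -e GITEA__mailer__FROM="Gitea <git@{{ services[service_name].domain }}>" \
 -e GITEA__mailer__MAILER_TYPE="smtp" \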
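Review bot: The two added `GITEA__server__SSH_*` variables only populate app.ini, which governs Gitea's built-in SSH server; if this container runs the official gitea image with its bundled OpenSSH daemon (the hunk does not show the image name), the sshd listen port is taken from the plain `SSH_LISTEN_PORT` environment variable instead, and the daemon would keep listening on its default while the new nftables dnat rule sends traffic to `ssh_port`. Worth verifying on the deployed host that the container actually listens on `services[service_name].ssh_port`, and adding `-e SSH_LISTEN_PORT="{{ services[service_name].ssh_port }}" \` if it does not. A short comment line above the two variables noting that the value must match the dnat rule in the br0_ipv4 template would also tie the two files together for the next maintainer. The `ExecStart=` line this continues starts before the hunk.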


@ -29,9 +29,17 @@
nftables_conf is changed and nftables_conf is changed and
nftables_start is not changed nftables_start is not changed
- name: Reload nft scripts for interfaces - block:
command: "{{ item }}" - name: List all post-up nft scripts for interfaces
with_fileglob: find:
- "/usr/local/sbin/post-up-*.nft" paths: /usr/local/sbin
patterns: "post-up-*.nft"
register: nft_post_up_scripts
- name: Reload nft scripts for interfaces
command: "{{ item.path }}"
with_items:
- "{{ nft_post_up_scripts.files }}"
when: when:
nftables_restart is changed nftables_restart is changed
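Review bot: The rewritten "Reload nft scripts for interfaces" task iterates with `with_items` over the `find` result, which makes the play output show a full file dictionary per item; `loop: "{{ nft_post_up_scripts.files }}"` with `loop_control:` / `label: "{{ item.path }}"` prints only the script path and is the current Ansible idiom. The surrounding `block:` also has no `name:`, so the two tasks appear without context in the run log; `name: Reload interface nft scripts after nftables restart` on the block would fix that. Indentation is lost in the rendered page, so the exact nesting of the `when:` under the block cannot be checked here, and the task list continues outside the hunk.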


@ -25,8 +25,17 @@
fi' fi'
register: br_intf register: br_intf
- name: Restart bridge interface - block:
shell: if ip link show dev br0 ; then ifdown br0 && ifup br0 ; else ifup br0 ; fi - name: Restart bridge interface
shell: if ip link show dev br0 ; then ifdown br0 && ifup br0 ; else ifup br0 ; fi
- name: Reconnect all services
systemd:
name: connect-pod-service@{{ item }}.service
state: started
with_items:
- "{{ host_services }}"
when: when:
br_intf_post_up_inet is changed or br_intf_post_up_inet is changed or
br_intf_post_up_ipv4 is changed or br_intf_post_up_ipv4 is changed or
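Review bot: The new "Reconnect all services" task uses `state: started`, which is a no-op for any `connect-pod-service@{{ item }}.service` that systemd already considers active; if the intent is to re-run the connection after br0 has been torn down and brought back up, `state: restarted` is probably what is needed, unless the unit is a oneshot without `RemainAfterExit` (not visible here). A comment on the task stating why reconnection is required after the bridge restart would make the dependency between the two tasks in the block explicit. Indentation is lost in the rendered page, and the `when:` condition continues outside the hunk.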