-rw-r--r-- | playbooks/network.yml | 8 | ||||
-rw-r--r-- | roles/pf/tasks/main.yml | 4 | ||||
-rw-r--r-- | roles/pf/templates/pf.conf.j2 | 9 | ||||
-rw-r--r-- | roles/relayd/tasks/main.yml | 15 | ||||
-rw-r--r-- | roles/relayd/templates/relayd.conf.j2 | 58 | ||||
-rw-r--r-- | roles/ssh/tasks/generate_dns.yml | 1 | ||||
-rw-r--r-- | roles/ssh/tasks/main.yml | 6 | ||||
-rw-r--r-- | roles/ssh/templates/generate_dns.j2 | 27 |
8 files changed, 112 insertions, 16 deletions
diff --git a/playbooks/network.yml b/playbooks/network.yml new file mode 100644 index 0000000..7d59334 --- /dev/null +++ b/playbooks/network.yml @@ -0,0 +1,8 @@ + +# site.yml +# Deploy configuration to all servers. + +- hosts: openbsd + roles: + - ssh + - pf diff --git a/roles/pf/tasks/main.yml b/roles/pf/tasks/main.yml index 7916c69..c47a721 100644 --- a/roles/pf/tasks/main.yml +++ b/roles/pf/tasks/main.yml @@ -3,12 +3,12 @@ --- -- name: Generate and sync configuration +- name: Generate pf configuration template: src: templates/pf.conf.j2 dest: /etc/pf.conf owner: root - group: "{{ group.root }}" + group: "{{ group_root }}" mode: "0600" - name: Restart pf diff --git a/roles/pf/templates/pf.conf.j2 b/roles/pf/templates/pf.conf.j2 index 64001cf..d39694d 100644 --- a/roles/pf/templates/pf.conf.j2 +++ b/roles/pf/templates/pf.conf.j2 @@ -13,18 +13,15 @@ set skip on { lo tun0 } block all -{% for key, value in services.tcp.items() %} -pass in quick on egress proto tcp to port {{ value }} -{% endfor %} -{% for key, value in services.udp.items() %} -pass in quick on egress proto udp to port {{ value }} +{% for service in services %} +pass in quick on egress proto {{ service["proto"] }} to port {{ service["port"] }} {% endfor %} # ====================== # # sub-config. by Ansible # ====================== # -{% include "templates/" + inventory_hostname + "/etc/pf.conf.j2" %} +{% include "templates/" + inventory_hostname + "/etc/pf.conf.j2" ignore missing %} # ========================= # # out. interface by Ansible diff --git a/roles/relayd/tasks/main.yml b/roles/relayd/tasks/main.yml new file mode 100644 index 0000000..5de324c --- /dev/null +++ b/roles/relayd/tasks/main.yml @@ -0,0 +1,15 @@ + +# relayd ~~ tasks/main.yml + +--- + +- name: Generate relayd configuration + template: + src: templates/relayd.conf.j2 + dest: /etc/relayd.conf + +- name: Enable and restart relayd + service: + name: relayd + state: restarted + enabled: true 
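Review bot: The header comment in the new `playbooks/network.yml` says `# site.yml`, which no longer matches the file name, and the play applies only `ssh` and `pf` while the `relayd` role introduced in this same commit is referenced from no playbook. If relayd is meant to be rolled out by this play, add `- relayd` to the roles list; if it is applied elsewhere, a one-line comment saying so would stop the next reader from assuming it was forgotten. The file also lacks the `---` document start that the task files in this commit use.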
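Review bot: Adding `ignore missing` to the per-host include in `pf.conf.j2` turns a missing `templates/<inventory_hostname>/etc/pf.conf.j2` into a silent no-op, so a mistyped host directory now deploys a ruleset without that host's sub-config and nothing in the play reports it; before this change the render failed loudly. If some hosts genuinely have no sub-config, gating the include on an explicit per-host flag (e.g. `{% if pf_host_config | default(false) %}`, name constructed) makes the absence deliberate instead of accidental. Separately, the rewritten loop emits `pass in quick on egress` for every entry in `services` with no way to mark a service as internal-only, so any port listed for relayd forwarding purposes is also opened on egress; an opt-in `expose`-style attribute checked inside the loop would keep that distinction.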
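Review bot: The `template` task in `roles/relayd/tasks/main.yml` sets no `owner`, `group` or `mode` for `/etc/relayd.conf`, unlike the pf task in this same commit which pins `mode: "0600"`; `owner: root`, `group: "{{ group_root }}"` and `mode: "0600"` would keep the two roles consistent. The second task restarts relayd unconditionally on every play run, interrupting the relays even when the rendered config is byte-identical; the usual shape is a handler with `state: restarted` triggered via `notify` from the template task, leaving a plain `service` task with `enabled: true` and `state: started`. A `validate: relayd -n -f %s` on the template task would additionally reject a broken config before it replaces the live one.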
diff --git a/roles/relayd/templates/relayd.conf.j2 b/roles/relayd/templates/relayd.conf.j2 new file mode 100644 index 0000000..4b43c8e --- /dev/null +++ b/roles/relayd/templates/relayd.conf.j2 @@ -0,0 +1,58 @@ + +# relayd ~~ /etc/relayd.conf +# managed by Ansible + +# ====== # +# tables +# ====== # + +table <local> { 127.0.0.1 } +{% for h in groups["all"] %} +{% set h = dict(hostvars[h]) %} +{##} +{% if h.ip.in is defined %} +table <{{ h.ansible_host }}> { {{ h.ip.in }} } +{% endif %} +{##} +{% endfor %} + +# ================ # +# filter for vhost +# ================ # + +http protocol vhost { +{% for h in groups["all"] %} +{% set h = dict(hostvars[h]) %} +{##} +{% if h.ip.in is defined %} + pass request header "Host" value "{{ h.ansible_host }}.{{ _i.domain_name }}" forward to <{{ h.ansible_host }}> +{% endif %} +{##} +{% endfor %} +} + +# ======================= # +# relays for all protocol +# ======================= # + +{% set relays = {} %} +{% for h in groups["servers"] %} + {% set h = dict(hostvars[h]) %} + {##} + {% for service in h.services | sort(attribute="port") if service.domain is defined %} + {% set _ = relays.update({ service.port : [] }) if relays[service.port] is not defined %} + {% set key_changer = { "host" : h.ansible_host, "domain" : service.domain } %} + {% set _ = relays[service.port].append(key_changer) %} + {% endfor %} + {##} +{% endfor %} + +{% for relay in relays %} +relay vhost_{{ relay }} { + listen on egress port {{ relay }} + protocol vhost +{% for h in relays[relay] %} + forward to <{{ h.host }}> port {{ relay }} check icmp +{% endfor %} +} +{% endfor %} diff --git a/roles/ssh/tasks/generate_dns.yml b/roles/ssh/tasks/generate_dns.yml index 6501299..60a21bd 100644 --- a/roles/ssh/tasks/generate_dns.yml +++ b/roles/ssh/tasks/generate_dns.yml @@ -5,3 +5,4 @@ template: src: templates/generate_dns.j2 dest: "{{ lookup('env', 'HOME') }}/.ssh/config.d/ssh_dns" + delegate_to: 127.0.0.1 
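Review bot: In the relay-building loop, `service.domain` is collected into `key_changer` but never used when the `relay vhost_*` blocks are rendered, and the `http protocol vhost` filter matches Host values built only from `{{ h.ansible_host }}.{{ _i.domain_name }}`, so a service that sets a custom `domain` is never routed by its domain; either emit a `pass request header "Host" value "{{ h.domain }}" forward to <{{ h.host }}>` rule per collected entry or drop the dead attribute. The protocol block contains only `pass ... forward to` rules, and if I read relayd's filter semantics correctly an unmatched Host falls through to the relay's first `forward to` table, so an explicit `block` as the first rule of `vhost` would stop unknown names being served by an arbitrary backend. `check icmp` only proves the backend host answers pings, not that its HTTP service is up; `check http "/" code 200` is the check relayd offers for that. The `{% if h.ip.in is defined %}` guard here differs from the `{% if h.ip is defined %}` guard in `generate_dns.j2`, and whether the former renders cleanly for a host with no `ip` mapping at all depends on the undefined handling in use, so the two templates should agree on one form.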
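Review bot: With `delegate_to: 127.0.0.1` the template is rendered once per host in the play and written to the same controller path each time; as far as the template shows, its output iterates `groups["all"]` through `hostvars` and does not depend on the current host, so `run_once: true` alongside the delegation would avoid the redundant writes. The task's `name` line and any `become` setting are outside the hunk.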
diff --git a/roles/ssh/tasks/main.yml b/roles/ssh/tasks/main.yml index e69de29..38300df 100644 --- a/roles/ssh/tasks/main.yml +++ b/roles/ssh/tasks/main.yml @@ -0,0 +1,6 @@ + +# ssh ~~ tasks/main.yml + +--- + +- include: generate_dns.yml diff --git a/roles/ssh/templates/generate_dns.j2 b/roles/ssh/templates/generate_dns.j2 index c8d5a44..59c6233 100644 --- a/roles/ssh/templates/generate_dns.j2 +++ b/roles/ssh/templates/generate_dns.j2 @@ -1,13 +1,24 @@ -{% for host in groups["servers"] %} -{% set host = hostvars[host] %} -Match originalhost dcontroller exec "systemctl is-active wg-quick@{{ _i.dcontroller }}.service" - HostName {{ host.ip.inbound }} - Port {{ host.services.tcp.ssh }} +# ssh configuration for dns ~~ ~/.ssh/.config.d/ +# managed by Ansible -Match originalhost {{ host.ansible_host }} - HostName {{ host.ip.outbound }} - Port {{ host.services.tcp.ssh }} +{% for h in groups["all"] %} +{% set h = hostvars[h] %} +{##} +{% if h.ip is defined %} +{% set _port = h.services | selectattr("name", "equalto", "ssh") | map(attribute="port") | list | join(' ') %} +{##} +# {{ h.ansible_host }} + +Match originalhost {{ h.ansible_host }} exec "systemctl is-active wg-quick@{{ _i.dcontroller }}.service" + HostName {{ h.ip.in }} + Port {{ _port }} + +Match originalhost {{ h.ansible_host }} + HostName {{ h.ip.out }} + Port {{ _port }} User root +{% endif %} +{##} {% endfor %} |
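Review bot: `- include: generate_dns.yml` in the new `roles/ssh/tasks/main.yml` uses the bare `include` directive, which Ansible deprecated in favour of `import_tasks` (static) and `include_tasks` (dynamic) and has since removed from ansible-core; `- import_tasks: generate_dns.yml` is the drop-in replacement for a fixed file name like this one.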
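Review bot: The `_port` value in `generate_dns.j2` joins every `services` entry named `ssh` with a space, so a host with two such entries renders `Port 22 2222` and a host with none renders a bare `Port ` line, and ssh_config's `Port` takes exactly one value, so either case makes ssh reject the generated file; selecting a single port (`| first`) and wrapping the `Port` lines in `{% if _port %}` keeps the file loadable. The guard is `{% if h.ip is defined %}` but the body then reads `h.ip.in` and `h.ip.out` unconditionally, so a host whose `ip` mapping lacks either key fails the render rather than being skipped; the relayd template in this commit checks `h.ip.in is defined`, and the two should agree. The new header comment says `~/.ssh/.config.d/` while the task writes to `.ssh/config.d/ssh_dns`, so the comment should read `~/.ssh/config.d/`.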