moved to hosted role

carpenike · Sep 22, 2021 · 4138b1c · 4138b1c
1 parent d4084d8
commit 4138b1c
Show file tree

Hide file tree

Showing 71 changed files with 137 additions and 1,695 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,6 +1,18 @@
-k8s-config.yaml
-.terraform
-*.tfstate*
+# Folders
+ignore/
+bin/
+
+# Trash
+.DS_Store
+Thumbs.db
+
+# Direnv
+.direnv
+
+# Sops
 .decrypted~*
+
 # Ansible
 xanmanning.k3s*
+.ansible/
+ansible/roles/ansible-role-vyos/
diff --git a/ansible/inventory/group_vars/all/firewall_rules.yml b/ansible/inventory/group_vars/all/firewall_rules.yml
diff --git a/ansible/inventory/group_vars/all/generic.yaml b/ansible/inventory/group_vars/all/generic.yaml
@@ -1,2 +1,2 @@
 ---
-timezone: America/New_York
+vyos_timezone: America/New_York
diff --git a/ansible/inventory/group_vars/vyos/vyos.yml b/ansible/inventory/group_vars/vyos/vyos.yml
@@ -1,3 +1,4 @@
+---
 ansible_connection: ansible.netcommon.network_cli
 ansible_network_os: vyos.vyos.vyos
 ansible_user: vyos

diff --git a/ansible/inventory/host_vars/fw/firewall_rules.yml b/ansible/inventory/host_vars/fw/firewall_rules.yml
@@ -2,12 +2,12 @@
 # Firewall Rule definition
 # -------------------------
 
-firewall_rules:
+vyos_firewall_rules:
   accept_wireguard:
     action: accept
     protocol: udp
     destination:
-      port: "{{ wireguard['servers']['wg_trusted']['port'] }}"
+      port: "{{ vyos_wireguard['servers']['wg_trusted']['port'] }}"
 
   accept_k8s_api:
     action: accept

diff --git a/ansible/inventory/host_vars/fw/firewall_zones.yml b/ansible/inventory/host_vars/fw/firewall_zones.yml
@@ -2,7 +2,7 @@
 # Firewall zone definition
 # -------------------------
 
-firewall_zones:
+vyos_firewall_zones:
   - name: wan
     description: WAN zone
     interfaces:
@@ -51,6 +51,9 @@ firewall_zones:
           - accept_mullvad_vpn_from_k8s_nodes: null
       - ignoreZones:
           - video
+          - wireless
+          - iot
+          - servers
         default: accept
         defaultLog: true
         rules:
@@ -153,12 +156,13 @@ firewall_zones:
           - accept_ssh: null
       - ignoreZones:
           - mgmt
-          - wireless
-          - iot
-          - servers
           - wired
           - wg_trusted
+          - iot
+          - video
+          - servers
           - wan
+          - wireless
         default: drop
         rules:
           - accept_established: null
@@ -194,6 +198,7 @@ firewall_zones:
       - ignoreZones:
           - wired
           - wg_trusted
+          - servers
         default: drop
         rules:
           - accept_established: null
@@ -307,12 +312,13 @@ firewall_zones:
           - accept_discovery_from_sonos_controllers: null
           - accept_dns: null
       - ignoreZones:
+          - wired
+          - wg_trusted
           - wan
-          - local
           - mgmt
+          - wireless
           - iot
-          - wired
-          - wg_trusted
+          - local
         default: drop
         defaultLog: true
         rules:
@@ -363,7 +369,9 @@ firewall_zones:
           - accept_app_control_from_sonos_players: null
       - ignoreZones:
           - local
+          - servers
           - wg_trusted
+          - iot
         default: drop
         rules:
           - accept_established: null
@@ -407,13 +415,14 @@ firewall_zones:
           - accept_app_control_from_sonos_players: null
       - ignoreZones:
           - servers
+          - local
+          - iot
         default: drop
         defaultLog: true
         rules:
           - accept_established: null
           - accept_related: null
           - drop_invalid: null
-          - accept_wide_range_from_k8s: null
   - name: iot
     description: iot iot zone
     interfaces:
@@ -463,10 +472,11 @@ firewall_zones:
           - accept_mdns: null
           - accept_discovery_from_sonos_controllers: null
       - ignoreZones:
-          - local
-          - servers
           - wired
           - wg_trusted
+          - wireless
+          - servers
+          - local
         default: drop
         defaultLog: true
         rules:
@@ -503,8 +513,10 @@ firewall_zones:
           - accept_rtsp_from_k8s_nodes: null
           # - accept_k8s_nodes: null
       - ignoreZones:
-          - servers
+          - mgmt
+          - wired
           - wg_trusted
+          - servers
         default: drop
         defaultLog: true
         rules:

diff --git a/ansible/inventory/host_vars/fw/main.sops.yml b/ansible/inventory/host_vars/fw/main.sops.yml
@@ -1,5 +1,6 @@
 Kind: Secret
 SSH_PASSWORD: ENC[AES256_GCM,data:Ww3fJTcppv+yqkpdMXeG,iv:pTmGSRz5mGCX163p0WOABejkz101qEh+EwnWFfN5BjE=,tag:OcHkHb93iEVWKpGAAddWyw==,type:str]
+vyos_domain: ENC[AES256_GCM,data:MEptzRamH1qHOrSo,iv:KhPxygE5oruYEwqnLnRkT+PccefcBADXCSaeLzTXfms=,tag:U174+TTAS26kkrt/+9y9zg==,type:str]
 secure_values:
   wireguard:
     wg_trusted:
@@ -16,8 +17,8 @@ sops:
   azure_kv: []
   hc_vault: []
   age: []
-  lastmodified: "2021-09-14T15:12:51Z"
-  mac: ENC[AES256_GCM,data:lshO0h6PoCs5sHh7yA1h4391CEwF2xWVuqVNZEeuqErxj2PrFi2WqeRuJQ7AJv5EEaTiECEBgQWbgr8zZM64ZA6VTNVVNuJB0ous6OZoxUqYfr0UWJeI8djyRIkojsqFWuz8bgTzqiAlOwhkqHbQJAx9N1O4xRml4IjS03Q20N0=,iv:wBk1tXnfRihkpeo8w2sx5zW1dRYPr026ycO7UBRaSqk=,tag:4JcLa1Oy9ZYlBMTLyAr4Ig==,type:str]
+  lastmodified: "2021-09-22T16:41:37Z"
+  mac: ENC[AES256_GCM,data:PPIgH68mB+rEknsYNabaftPV18WKdV5tNVZKblhbrMoXpjDRTcBJ3YLuTEu1tzprDc1yB8VRSYA0pUzhn4j0BHXSHflLHyco0kbQBRMZ0g0S/cV6DCVlq4Mr6xKpa+wiFES6neMCCxMBqvIHNcQxg7Ai89EIbuTIrDx/f5TBwYw=,iv:kZGNTAwI2hLFNseoDZjRgT2fhwAVYqHH65gtDyXHjls=,tag:JtQSRK55gP1XmEcoECGoOA==,type:str]
   pgp:
     - created_at: "2021-06-29T00:45:38Z"
       enc: |