From 4482b157109835597c2ff3f1fc2bace96550e32a Mon Sep 17 00:00:00 2001
From: Ryan Holt
Date: Wed, 22 Dec 2021 18:30:47 -0500
Subject: [PATCH] allow https to servers from wireless, amongst others
---
 .../inventory/group_vars/all/address_book.yaml | 16 +++++++++-------
 .../inventory/host_vars/fw/firewall_zones.yml | 2 ++
 ansible/inventory/host_vars/fw/main.yml | 5 +++++
 ansible/playbooks/vyos/templates/ha_proxy.cfg.j2 | 10 ++++------
 .../playbooks/vyos/templates/ipxe-metal.conf.j2 | 6 +++---
 5 files changed, 23 insertions(+), 16 deletions(-)
diff --git a/ansible/inventory/group_vars/all/address_book.yaml b/ansible/inventory/group_vars/all/address_book.yaml
index 9fcf06f..971e420 100644
--- a/ansible/inventory/group_vars/all/address_book.yaml
+++ b/ansible/inventory/group_vars/all/address_book.yaml
@@ -139,13 +139,6 @@ address_book:
 ipv4_addr: 10.20.0.15
 groups:
 - pki
- sm-0:
- hostname: sm-0
- network: servers
- dhcp_client: false
- ipv4_addr: 10.20.10.18
- groups:
- - utility
 sidero:
 hostname: sidero
 network: servers
@@ -172,6 +165,15 @@ address_book:
 ####################
 ### DHCP Clients ###
 ####################
+
+ sm-0:
+ hostname: sm-0
+ mac_addr: 00:25:90:99:12:70
+ network: servers
+ dhcp_client: true
+ ipv4_addr: 10.20.10.18
+ groups:
+ - sidero
 ubnt-upstairs:
 hostname: ubnt-upstairs
 mac_addr: 80:2a:a8:10:ed:da
diff --git a/ansible/inventory/host_vars/fw/firewall_zones.yml b/ansible/inventory/host_vars/fw/firewall_zones.yml
index ac52648..24dea09 100644
--- a/ansible/inventory/host_vars/fw/firewall_zones.yml
+++ b/ansible/inventory/host_vars/fw/firewall_zones.yml
@@ -271,6 +271,8 @@ vyos_firewall_zones:
 - accept_related: null
 - drop_invalid: null
 - accept_icmp: null
+ - accept_http: null
+ - accept_https: null
 - accept_k8s_api: null
 - accept_dns: null
 - accept_smb_from_smb_clients: null
diff --git a/ansible/inventory/host_vars/fw/main.yml b/ansible/inventory/host_vars/fw/main.yml
index f744d37..3bffc57 100644
--- a/ansible/inventory/host_vars/fw/main.yml
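Review bot: `mac_addr: 00:25:90:99:12:70` in the relocated sm-0 entry is an unquoted, colon-separated, all-digit scalar; under the YAML 1.1 rules that Ansible's PyYAML loader applies, values of that shape can be read as sexagesimal integers, and this one survives as a string only because it does not happen to match the integer pattern. Quote it as `mac_addr: "00:25:90:99:12:70"` so a future MAC that is all digits does not silently become a number. The entry also switches to `dhcp_client: true` while the ipxe-metal.conf.j2 hunk in this commit makes sm-0 the PXE `next-server`, so the boot path now presumably depends on `ipv4_addr` being honoured as a fixed reservation rather than a dynamic lease — worth confirming in the DHCP role that consumes this file. The enclosing `address_book` mapping continues outside both hunks.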
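Review bot: The new `accept_http` rule beside `accept_https` opens cleartext HTTP as well, while the commit title only calls for HTTPS to servers from wireless; the zone pair this rule list belongs to starts outside the hunk, so the direction being widened cannot be confirmed from here. If only TLS clients are expected, drop `- accept_http: null`; if plain HTTP is required for a specific service, add a comment above the rule naming it, e.g. `# cleartext HTTP needed for <service>`, so the extra exposure is deliberate and reviewable.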
+++ b/ansible/inventory/host_vars/fw/main.yml
@@ -38,6 +38,9 @@ vyos_managed_files:
 - template: cloudflare-ipv4.sh.j2
 dest: /config/scripts/cloudflare-ipv4.sh
 mode: "0755"
+ - template: ipxe-metal.conf.j2
+ dest: /config/dhcp/ipxe-metal.conf
+ mode: "0755"
 # -------------------------
 # Interfaces configuration
@@ -158,11 +161,13 @@ vyos_dhcp_server:
 hostfile-update: true
 interfaces:
 mgmt:
+ domain: "{{ vyos_domain }}"
 subnet_parameters: "option omada-address 10.45.10.20;"
 wired:
 domain: "{{ vyos_domain }}"
 servers:
 domain: "{{ vyos_domain }}"
+ subnet_parameters: "include "/config/dhcp/ipxe-metal.conf";"
 iot:
 domain: "{{ vyos_domain }}"
 video:
diff --git a/ansible/playbooks/vyos/templates/ha_proxy.cfg.j2 b/ansible/playbooks/vyos/templates/ha_proxy.cfg.j2
index ccffbf7..875c5da 100644
--- a/ansible/playbooks/vyos/templates/ha_proxy.cfg.j2
+++ b/ansible/playbooks/vyos/templates/ha_proxy.cfg.j2
@@ -51,9 +51,9 @@ backend k8s_controlplane
 mode tcp
 option ssl-hello-chk
 balance roundrobin
- server master1 master1.cluster-0.{{ vyos_domain }}:6443 check
- server master2 master2.cluster-0.{{ vyos_domain }}:6443 check
- server master3 master3.cluster-0.{{ vyos_domain }}:6443 check
+ server cp-0 cp-0.{{ vyos_domain }}:6443 check
+ server cp-1 cp-1.{{ vyos_domain }}:6443 check
+ server cp-2 cp-2.{{ vyos_domain }}:6443 check
 backend talos_controlplane
 option httpchk GET /healthz
@@ -61,6 +61,4 @@ backend talos_controlplane
 mode tcp
 option ssl-hello-chk
 balance roundrobin
- server master1 master1.cluster-0.{{ vyos_domain }}:50000 check
- server master2 master2.cluster-0.{{ vyos_domain }}:50000 check
- server master3 master3.cluster-0.{{ vyos_domain }}:50000 check
+ server sidero sidero.{{ vyos_domain }}:50000 check
diff --git a/ansible/playbooks/vyos/templates/ipxe-metal.conf.j2 b/ansible/playbooks/vyos/templates/ipxe-metal.conf.j2
index 3d289a3..19b1a99 100644
--- a/ansible/playbooks/vyos/templates/ipxe-metal.conf.j2
+++ b/ansible/playbooks/vyos/templates/ipxe-metal.conf.j2
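Review bot: `mode: "0755"` on the new `/config/dhcp/ipxe-metal.conf` entry grants execute permission to a dhcpd include fragment that is only ever read; the `0755` on the cloudflare script above it is appropriate for a script, not for a config file. Use `mode: "0644"` so the managed file carries only the permissions it needs. The `vyos_managed_files` list begins outside the hunk.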
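Review bot: `subnet_parameters: "include "/config/dhcp/ipxe-metal.conf";"` under `servers` nests unescaped double quotes inside a double-quoted scalar, so the scalar ends after `"include "` and the remainder is a YAML syntax error rather than the intended dhcpd `include` statement; the host_vars file will fail to load and the servers subnet gets no PXE configuration. Single-quote the outer string so the inner quotes are literal: `subnet_parameters: 'include "/config/dhcp/ipxe-metal.conf";'`. The new `domain` key under `mgmt` in the same hunk follows the existing quoting and is fine.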
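Review bot: After the second hunk the `talos_controlplane` backend has a single member, `server sidero sidero.{{ vyos_domain }}:50000 check`, so `balance roundrobin` is now a no-op and the backend name no longer describes what it fronts; a comment such as `# single upstream: sidero serves :50000 for this backend` above the server line, or renaming the backend to match, would keep the template self-explaining. The first hunk replaces the `master*.cluster-0` names with `cp-0`..`cp-2` without the `cluster-0` label, and the address_book hunk in this commit does not add those names, so confirm they resolve under `{{ vyos_domain }}` before the health checks go live. Both backend stanzas begin outside their hunks.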
@@ -2,12 +2,12 @@ allow bootp;
 allow booting;
 # IP address for PXE-based TFTP methods
-next-server {{ vyos_address_book_enriched['hosts']['abraham']['ipv4_addr'] }};
+next-server {{ vyos_address_book_enriched['hosts']['sm-0']['ipv4_addr'] }};
 # Configuration for iPXE clients
 class "ipxeclient" {
 match if exists user-class and (option user-class = "iPXE");
- filename "http://{{ vyos_address_book_enriched['hosts']['abraham']['ipv4_addr'] }}:8081/boot.ipxe";
+ filename "http://{{ vyos_address_book_enriched['hosts']['sm-0']['ipv4_addr'] }}:8081/boot.ipxe";
 }
 # Configuration for legacy BIOS-based PXE boot
@@ -26,5 +26,5 @@ class "pxeclients" {
 class "httpclients" {
 match if not exists user-class and substring (option vendor-class-identifier, 0, 10) = "HTTPClient";
 option vendor-class-identifier "HTTPClient";
- filename "http://{{ vyos_address_book_enriched['hosts']['abraham']['ipv4_addr'] }}:8081/tftp/ipxe.efi";
+ filename "http://{{ vyos_address_book_enriched['hosts']['sm-0']['ipv4_addr'] }}:8081/tftp/ipxe.efi";
 }
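Review bot: The same `vyos_address_book_enriched['hosts']['sm-0']['ipv4_addr']` lookup is now repeated three times across both hunks (`next-server` and the two `filename` lines), so the next host move needs three coordinated edits again, exactly as this commit had to do for abraham → sm-0. Bind it once at the top of the template with `{% set pxe_server = vyos_address_book_enriched['hosts']['sm-0']['ipv4_addr'] %}` and reference `{{ pxe_server }}` in each place, e.g. `next-server {{ pxe_server }};`. Since the address_book hunk in this commit turns sm-0 into a DHCP client, a short comment above `next-server` noting that this address must stay a fixed reservation would help the next reader; the `pxeclients` class between the two hunks is unchanged.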