talexander/machine_setup
1
0
Fork 0
Code Issues Pull Requests Releases Activity

Add the admin_git jail.

Browse Source 
This jail hosts the git repo used for the kubernetes cluster manifests. It lives in a jail instead of inside a git website hosted inside kubernetes because it is needed for the bootstrapping process, creating a chicken-and-egg type of scenario. I figure I can set up mirroring of the git repo to a hosted git website for publishing.
This commit is contained in:
Tom Alexander 2023-06-17 17:35:09 -04:00
parent 0f1769dd1f
commit 62ade773d8
Signed by: talexander
GPG Key ID: D3A179C9A53C0EDE
5 changed files with 37 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
ansible/environments/jail/host_vars/admin_git Normal file
View File

@ -0,0 +1,20 @@
os_flavor: "freebsd"
users:
talexander:
initialize: true
uid: 11235
gid: 11235
groups:
- name: wheel
authorized_keys:
- yubikey
- main_fido
- backup_fido
git:
initialize: false
shell: /usr/local/bin/git-shell
authorized_keys:
- yubikey
- main_fido
- backup_fido
sshd_enabled: true

1
ansible/environments/jail/hosts
View File

@ -3,3 +3,4 @@ nat_dhcp ansible_connection=jail
homeserver_nat_dhcp ansible_ssh_host=nat_dhcp@172.16.16.2 ansible_connection=sshjail homeserver_nat_dhcp ansible_ssh_host=nat_dhcp@172.16.16.2 ansible_connection=sshjail
mrmanager_nat_dhcp ansible_ssh_host=nat_dhcp@10.217.2.1 ansible_connection=sshjail mrmanager_nat_dhcp ansible_ssh_host=nat_dhcp@10.217.2.1 ansible_connection=sshjail
nat_dhcp@172.16.16.2 ansible_connection=sshjail nat_dhcp@172.16.16.2 ansible_connection=sshjail
admin_git ansible_ssh_host=admin_git@10.217.2.1 ansible_connection=sshjail

8
ansible/playbook.yaml
View File

@ -92,3 +92,11 @@
- wireguard - wireguard
- plainmacs - plainmacs
- mrmanager - mrmanager
- hosts: admin_git
vars:
ansible_become: True
roles:
- sudo
- doas
- users

6
ansible/roles/firewall/files/mrmanager_pf.conf
View File

@ -25,6 +25,12 @@ rdr pass on jail_nat inet proto tcp from $jail_nat_v4 to any port 6443 -> 10.215
nat pass on $not_ext_if proto {tcp, udp} from $not_jail_nat_v4 to 10.215.1.204 port 6443 -> (jail_nat) nat pass on $not_ext_if proto {tcp, udp} from $not_jail_nat_v4 to 10.215.1.204 port 6443 -> (jail_nat)
nat pass on $not_ext_if proto {tcp, udp} from $jail_nat_v4 to 10.215.1.204 port 6443 -> (jail_nat) nat pass on $not_ext_if proto {tcp, udp} from $jail_nat_v4 to 10.215.1.204 port 6443 -> (jail_nat)
rdr pass on $ext_if inet proto tcp from $not_jail_nat_v4 to any port 65099 -> 10.215.1.210 port 22
rdr pass on jail_nat inet proto tcp from $jail_nat_v4 to any port 65099 -> 10.215.1.210 port 22
nat pass on $not_ext_if proto {tcp, udp} from $not_jail_nat_v4 to 10.215.1.210 port 65099 -> (jail_nat)
nat pass on $not_ext_if proto {tcp, udp} from $jail_nat_v4 to 10.215.1.210 port 65099 -> (jail_nat)
# filtering # filtering
block log all block log all

2
ansible/run.bash
View File

@ -34,6 +34,8 @@ elif [ "$target" = "mrmanager" ]; then
ansible-playbook -v -i environments/colo playbook.yaml --diff --limit mrmanager "${@}" ansible-playbook -v -i environments/colo playbook.yaml --diff --limit mrmanager "${@}"
elif [ "$target" = "jail_mrmanager_nat_dhcp" ]; then elif [ "$target" = "jail_mrmanager_nat_dhcp" ]; then
ansible-playbook -v -i environments/jail playbook.yaml --diff --limit mrmanager_nat_dhcp "${@}" ansible-playbook -v -i environments/jail playbook.yaml --diff --limit mrmanager_nat_dhcp "${@}"
elif [ "$target" = "jail_admin_git" ]; then
ansible-playbook -v -i environments/jail playbook.yaml --diff --limit admin_git "${@}"
else else
die 1 "Unrecognized target" die 1 "Unrecognized target"
fi fi