diff --git a/ansible/environments/colo/host_vars/mrmanager b/ansible/environments/colo/host_vars/mrmanager
index aeef3a6..80f9617 100644
--- a/ansible/environments/colo/host_vars/mrmanager
+++ b/ansible/environments/colo/host_vars/mrmanager
@@ -15,3 +15,16 @@ etc_hosts: {}
 wireguard_directory: mrmanager
 enabled_wireguard:
 - colo
+jail_zfs_dataset: zdata/jail
+jail_zfs_dataset_mountpoint: /jail/main
+jail_canmount: "on"
+jail_list:
+ - name: nat_dhcp
+ enabled: true
+ conf:
+ src: nat_dhcp
+# bhyve_dataset: zroot/freebsd/release/vm
+# bhyve_list: []
+# bhyve_canmount: "on"
+# efi_dev: /dev/gpt/EFI
+devfs_rules: "mrmanager_devfs.rules"
diff --git a/ansible/environments/colo/hosts b/ansible/environments/colo/hosts
index 3715639..67310e4 100644
--- a/ansible/environments/colo/hosts
+++ b/ansible/environments/colo/hosts
@@ -1,2 +1,2 @@
 [server]
-mrmanager ansible_user=talexander ansible_host=74.80.180.138
+mrmanager ansible_user=talexander ansible_host=10.217.2.1
diff --git a/ansible/environments/jail/hosts b/ansible/environments/jail/hosts
index 8e6ff96..065fb4c 100644
--- a/ansible/environments/jail/hosts
+++ b/ansible/environments/jail/hosts
@@ -1,4 +1,5 @@
 [jail]
 nat_dhcp ansible_connection=jail
 homeserver_nat_dhcp ansible_ssh_host=nat_dhcp@172.16.16.2 ansible_connection=sshjail
+mrmanager_nat_dhcp ansible_ssh_host=nat_dhcp@10.217.2.1 ansible_connection=sshjail
 nat_dhcp@172.16.16.2 ansible_connection=sshjail
diff --git a/ansible/playbook.yaml b/ansible/playbook.yaml
index 7bcfd7d..aadd389 100644
--- a/ansible/playbook.yaml
+++ b/ansible/playbook.yaml
@@ -49,7 +49,7 @@
 - docker
 - vscode
-- hosts: nat_dhcp:homeserver_nat_dhcp
+- hosts: nat_dhcp:homeserver_nat_dhcp:mrmanager_nat_dhcp
 vars:
 ansible_become: True
 roles:
diff --git a/ansible/roles/devfs/files/mrmanager_devfs.rules b/ansible/roles/devfs/files/mrmanager_devfs.rules
new file mode 100644
index 0000000..adeaa53
--- /dev/null
+++ b/ansible/roles/devfs/files/mrmanager_devfs.rules
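Review bot: In host_vars/mrmanager the new `jail_list` sequence appears to be indented under its key (`  - name: nat_dhcp`) while the existing `enabled_wireguard:` list directly above it is flush (`- colo`); the collapsed whitespace in this view makes the exact indent uncertain, but yamllint's `indentation.indent-sequences` rule expects one style file-wide, so pick one. The four commented-out `bhyve_*`/`efi_dev` keys are committed as dead configuration with no explanation; either drop them or label them, e.g. `# bhyve is not enabled on this host yet; kept as a template for the bhyve role`, if that is the intent. `jail_canmount: "on"` is correctly quoted — an unquoted `on` would be read as a YAML 1.1 boolean by most parsers.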
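Review bot: In environments/colo/hosts the new `ansible_host=10.217.2.1` moves management of mrmanager from its public address to a private one, while `mrmanager_routing.conf` in this same commit still sets `defaultrouter="74.80.180.137"`, so the host stays publicly routed and 10.217.2.1 is presumably only reachable over the `colo` WireGuard tunnel listed in its host_vars. If that tunnel is itself configured by this playbook, a rebuilt or misconfigured host can no longer be reached to repair it, and that dependency should be recorded next to the host line, e.g. `# 10.217.2.1 is the colo WireGuard peer address; use the public address only if the tunnel is down`. Taking the management path off the public address is a reasonable hardening step; the break-glass route just needs to be written down.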
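Review bot: In environments/jail/hosts the added `mrmanager_nat_dhcp` line uses `ansible_ssh_host`, the pre-2.0 alias of `ansible_host`, while `environments/colo/hosts` in the same commit uses `ansible_host`; unless the `sshjail` connection plugin specifically reads the legacy name, the two inventories should agree, and if it does, a comment such as `# sshjail reads ansible_ssh_host=jail@host` would stop someone "fixing" it later. The trailing context line `nat_dhcp@172.16.16.2 ansible_connection=sshjail` has no inventory hostname in front of it, so Ansible registers a host literally named `nat_dhcp@172.16.16.2`; it looks like a leftover duplicate of the `homeserver_nat_dhcp` entry and this commit edits the group without removing it. 10.217.2.1 now names two different things across the inventories (the mrmanager host and a jail reached through it), which is correct for sshjail but deserves a one-line comment.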
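Review bot: In playbook.yaml the play's target has grown to a third colon-joined host in `hosts: nat_dhcp:homeserver_nat_dhcp:mrmanager_nat_dhcp`; every new jail now requires editing the playbook as well as the inventory, so defining a group (for example `[nat_dhcp_jails]`) in `environments/jail/hosts` and targeting that group would keep membership in one place. The unchanged `ansible_become: True` on the context line below is a capitalised YAML 1.1-style boolean; while touching this play it would be cleaner as `ansible_become: true`, which yamllint's `truthy` rule expects. The rest of the play (its `roles:` list) continues outside the hunk.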
@@ -0,0 +1,5 @@
+[tajaildhcp=14]
+add include $devfsrules_hide_all
+add include $devfsrules_unhide_basic
+add include $devfsrules_unhide_login
+add path 'bpf*' unhide
diff --git a/ansible/roles/firewall/files/mrmanager_pf.conf b/ansible/roles/firewall/files/mrmanager_pf.conf
index d2d6ceb..c8a9680 100644
--- a/ansible/roles/firewall/files/mrmanager_pf.conf
+++ b/ansible/roles/firewall/files/mrmanager_pf.conf
@@ -1,4 +1,5 @@
 ext_if = "lagg0"
+not_ext_if = "{ !lagg0 }"
 jail_nat_v4 = "{ 10.215.1.0/24 }"
 not_jail_nat_v4 = "{ any, !10.215.1.0/24 }"
@@ -14,8 +15,9 @@ udp_pass_in = "{ 53 51820 51821 51822 }"
 set skip on lo
 # redirections
-nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> ($ext_if)
-rdr pass on !$ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 1.1.1.1 port 53
+nat pass on lagg0 inet from $jail_nat_v4 to $not_jail_nat_v4 -> (lagg0)
+nat pass on $not_ext_if inet from $jail_nat_v4 to 10.215.1.1 port 53 -> ($ext_if)
+rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 1.1.1.1 port 53
 # filtering
 block log all
diff --git a/ansible/roles/network/files/mrmanager_routing.conf b/ansible/roles/network/files/mrmanager_routing.conf
index 2544e1e..45a1d23 100644
--- a/ansible/roles/network/files/mrmanager_routing.conf
+++ b/ansible/roles/network/files/mrmanager_routing.conf
@@ -1 +1,3 @@
 defaultrouter="74.80.180.137"
+gateway_enable="YES"
+ipv6_gateway_enable="YES"
diff --git a/ansible/run.bash b/ansible/run.bash
index 060eb64..e7f43a9 100755
--- a/ansible/run.bash
+++ b/ansible/run.bash
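Review bot: In the new mrmanager_devfs.rules, `add path 'bpf*' unhide` exposes the host's BPF devices inside the jail, which lets any process in the jail capture and inject raw frames on the interfaces visible to it — a real widening of the jail boundary that the file does not explain. Presumably the DHCP daemon needs BPF to answer broadcast requests; say so in the file, e.g. `# bpf is required by the DHCP daemon; it gives the jail raw packet access on its interfaces`, so the grant is not copied into jails that do not need it. The ruleset number in `[tajaildhcp=14]` must also be unique across /etc/defaults/devfs.rules and any other rules files installed on the host; a comment recording why 14 was chosen would let the next reviewer check for collisions.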
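Review bot: In mrmanager_pf.conf the rewritten NAT rule hardcodes `nat pass on lagg0 ... -> (lagg0)` where the removed line used `$ext_if`, even though `ext_if = "lagg0"` is still defined in the first hunk right above the new `not_ext_if` macro; the literal reads like a debugging leftover and should go back to `$ext_if` so the interface is named in one place (`not_ext_if = "{ !lagg0 }"` repeats it a third time). The added `nat pass on $not_ext_if inet from $jail_nat_v4 to 10.215.1.1 port 53 -> ($ext_if)` is not self-explanatory: it rewrites jail DNS traffic to the external address on a non-external interface, and together with the `rdr` below it every jail resolver query ends up at 1.1.1.1 in clear text, so the rule needs a comment naming the flow it exists for (a hairpin for jail-to-jail DNS, or the path behind the rdr), since `rdr` applies to packets arriving on the named interface and `nat` to packets leaving it and the interaction is easy to get wrong. Whether `on { !lagg0 }` through a macro parses the same as the removed `on !$ext_if` should be confirmed with `pfctl -nf` before this is deployed.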
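Review bot: In mrmanager_routing.conf, `gateway_enable="YES"` and `ipv6_gateway_enable="YES"` turn on IP forwarding for both address families, but the pf rules changed in this same commit carry only `inet` NAT rules above a `block log all` default; if the rest of `mrmanager_pf.conf` has no IPv6 policy, the v6 forwarding switch is either inert or, once the host has global v6 addresses, relies entirely on that default-deny to hold. Either leave `ipv6_gateway_enable` off until v6 is actually used, or document the intent next to the lines, e.g. `# forwarding needed for jail NAT (10.215.1.0/24); pf default-deny covers both families`, so the claim can be checked against pf.conf.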
@@ -30,6 +30,8 @@ elif [ "$target" = "vm_poudriereodo" ]; then
 ansible-playbook -v -i environments/vm playbook.yaml --diff --limit poudriereodo "${@}"
 elif [ "$target" = "mrmanager" ]; then
 ansible-playbook -v -i environments/colo playbook.yaml --diff --limit mrmanager "${@}"
+elif [ "$target" = "jail_mrmanager_nat_dhcp" ]; then
+ ansible-playbook -v -i environments/jail playbook.yaml --diff --limit mrmanager_nat_dhcp "${@}"
 else
 die 1 "Unrecognized target"
 fi
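Review bot: The new `jail_mrmanager_nat_dhcp` branch in run.bash is another copy of the same `ansible-playbook -v -i environments/<env> playbook.yaml --diff --limit <host> "${@}"` line with only the inventory and the limit changing; the `if`/`elif` chain, which starts before this hunk, would read better as a `case "$target" in` that assigns `env` and `limit` and runs the command once after `esac`. The target name `jail_mrmanager_nat_dhcp` limits to the inventory host `mrmanager_nat_dhcp`, and `vm_poudriereodo` above limits to `poudriereodo`, so the prefix appears to encode the inventory directory; a comment on the chain stating that convention (`# target = <environment>_<inventory host>`) would make the next branch easier to add correctly.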