Set up the nat_dhcp jail for mrmanager.

2023-05-28 22:36:31 -04:00 · 2023-05-28 22:36:31 -04:00 · e49d008d57
commit e49d008d57
parent 37f8749b3c
8 changed files with 29 additions and 4 deletions
--- a/ansible/environments/colo/host_vars/mrmanager
+++ b/ansible/environments/colo/host_vars/mrmanager
@ -15,3 +15,16 @@ etc_hosts: {}
 wireguard_directory: mrmanager
 enabled_wireguard:
  - colo
 jail_zfs_dataset: zdata/jail
 jail_zfs_dataset_mountpoint: /jail/main
 jail_canmount: "on"
 jail_list:
  - name: nat_dhcp
    enabled: true
    conf:
      src: nat_dhcp
 # bhyve_dataset: zroot/freebsd/release/vm
 # bhyve_list: []
 # bhyve_canmount: "on"
 # efi_dev: /dev/gpt/EFI
 devfs_rules: "mrmanager_devfs.rules"
--- a/ansible/environments/colo/hosts
+++ b/ansible/environments/colo/hosts
@ -1,2 +1,2 @@
 [server]
-mrmanager ansible_user=talexander ansible_host=74.80.180.138
+mrmanager ansible_user=talexander ansible_host=10.217.2.1
--- a/ansible/environments/jail/hosts
+++ b/ansible/environments/jail/hosts
@ -1,4 +1,5 @@
 [jail]
 nat_dhcp ansible_connection=jail
 homeserver_nat_dhcp ansible_ssh_host=nat_dhcp@172.16.16.2 ansible_connection=sshjail
 mrmanager_nat_dhcp ansible_ssh_host=nat_dhcp@10.217.2.1 ansible_connection=sshjail
 nat_dhcp@172.16.16.2 ansible_connection=sshjail
--- a/ansible/playbook.yaml
+++ b/ansible/playbook.yaml
@ -49,7 +49,7 @@
    - docker
    - vscode
- hosts: nat_dhcp:homeserver_nat_dhcp
+- hosts: nat_dhcp:homeserver_nat_dhcp:mrmanager_nat_dhcp
  vars:
    ansible_become: True
  roles:
--- a/ansible/roles/devfs/files/mrmanager_devfs.rules
+++ b/ansible/roles/devfs/files/mrmanager_devfs.rules
@ -0,0 +1,5 @@
 [tajaildhcp=14]
 add include $devfsrules_hide_all
 add include $devfsrules_unhide_basic
 add include $devfsrules_unhide_login
 add path 'bpf*' unhide
--- a/ansible/roles/firewall/files/mrmanager_pf.conf
+++ b/ansible/roles/firewall/files/mrmanager_pf.conf
@ -1,4 +1,5 @@
 ext_if = "lagg0"
 not_ext_if = "{ !lagg0 }"
 jail_nat_v4 = "{ 10.215.1.0/24 }"
 not_jail_nat_v4 = "{ any, !10.215.1.0/24 }"
@ -14,8 +15,9 @@ udp_pass_in = "{ 53 51820 51821 51822 }"
 set skip on lo
 # redirections
-nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> ($ext_if)
+nat pass on lagg0 inet from $jail_nat_v4 to $not_jail_nat_v4 -> (lagg0)
-rdr pass on !$ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 1.1.1.1 port 53
+nat pass on $not_ext_if inet from $jail_nat_v4 to 10.215.1.1 port 53 -> ($ext_if)
 rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 1.1.1.1 port 53
 # filtering
 block log all
--- a/ansible/roles/network/files/mrmanager_routing.conf
+++ b/ansible/roles/network/files/mrmanager_routing.conf
@ -1 +1,3 @@
 defaultrouter="74.80.180.137"
 gateway_enable="YES"
 ipv6_gateway_enable="YES"
--- a/ansible/run.bash
+++ b/ansible/run.bash
@ -30,6 +30,8 @@ elif [ "$target" = "vm_poudriereodo" ]; then
    ansible-playbook -v -i environments/vm playbook.yaml --diff --limit poudriereodo "${@}"
 elif [ "$target" = "mrmanager" ]; then
    ansible-playbook -v -i environments/colo playbook.yaml --diff --limit mrmanager "${@}"
 elif [ "$target" = "jail_mrmanager_nat_dhcp" ]; then
    ansible-playbook -v -i environments/jail playbook.yaml --diff --limit mrmanager_nat_dhcp "${@}"
 else
    die 1 "Unrecognized target"
 fi
`@ -1,2 +1,2 @@`
	`[server]`	`[server]`
	`mrmanager ansible_user=talexander ansible_host=74.80.180.138`	`mrmanager ansible_user=talexander ansible_host=10.217.2.1`