Add dynamically-changing IP whitelist courtesy of ddns

2023-11-28 16:04:16 -06:00 · 2023-11-28 16:04:16 -06:00 · d7eff5fb99
parent 28cb44c95a
commit d7eff5fb99
5 changed files with 21 additions and 12 deletions
--- a/inventories/hardcoded/hosts.yml
+++ b/inventories/hardcoded/hosts.yml
@ -2,3 +2,5 @@ all:
  hosts:
    vm-general-1.ashburn.mgmt.desu.ltd:
    bastion1.dallas.mgmt.desu.ltd:
+    pi-homeauto-1.home.mgmt.desu.ltd:
+      ansible_host: 192.168.1.144
--- a/inventories/production/group_vars/all.yml
+++ b/inventories/production/group_vars/all.yml
@ -2,6 +2,10 @@

 # For homebrew roles and such, mostly Ansible-related setup
 common_ansible_pubkey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDfXVgMHeD2wtCAIVoDYQ+R19vKfhmR2FgUTkHhAzE2156fB/+IMB+6Qc4X3aFRIcUp+Ls8Vm8JQ3d0jvbcGQkgbAjRExQa71XGBmhxJCxzlCLBoQzBmTSnryL09LExoMynzVgrso8TQP92vZBGJFI/lLGAaop2l9pu+3cgM3sRaK+A11lcRCrS25C3hqPQhKC44zjzOt7sIoaG6RqG3CQ8jhE35bthQdBySOZVDgDKfjDyPuDzVxiKjsuNm4Ojzm0QW5gq6GkLOg2B8OSQ1TGQgBHQu4b8zsKBOUOdbZb0JLM8NdpH1cMntC0QBofy3DzqR/CFaSaBzUx+dnkBH0/pjBOrhHzzqZGOJayfC1igYki67HqzFV5IjhAVa+c4S9L/zbFk0+YZYdgMoKNlMU2LgzrSEastuXHD7NUy3fMP4BZbqg37SjQzFRXoUp5+ctVs9tCoy/qvvjT3UVGcn312eJrRRfWrYagU2nWKGyqbTOpsuOJ5OLlhopy6eP9+yRM= ansible"
+# And my home address, for whitelisting
+common_home_address: "{{ lookup('community.general.dig', 'home.ddns.mgmt.desu.ltd') }}"
+# Along with a mask. This allows for some variability in my exact IP
+common_home_address_mask: "24"
 # This is a token generated post-setup
 # It is to be used for querying netbox
 netbox_token: !vault |
--- a/playbooks/debug.yml
+++ b/playbooks/debug.yml
@ -0,0 +1,8 @@
+#!/usr/bin/env ansible-playbook
+# vim:ft=ansible:
+---
+- hosts: localhost
+  tasks:
+    - name: debug home address
+      ansible.builtin.debug:
+        msg: "Record: {{ common_home_address }}"
--- a/playbooks/prod_web.yml
+++ b/playbooks/prod_web.yml
@ -252,16 +252,14 @@
            proxy_pass: http://firefly:8080
          - name: firefly-importer.desu.ltd
            directives:
-              - "allow 24.182.160.0/20"
-              - "allow 97.91.128.0/17"
+              - "allow {{ common_home_address }}/{{ common_home_address_mask }}"
              - "deny all"
            proxy_pass: http://firefly-importer:8080
          - name: git.desu.ltd
            proxy_pass: http://gitea:3000
          - name: lr.desu.ltd
            directives:
-              - "allow 24.182.160.0/20"
-              - "allow 97.91.128.0/17"
+              - "allow {{ common_home_address }}/{{ common_home_address_mask }}"
              - "deny all"
            proxy_pass: http://libreddit:8080
          - name: matrix.desu.ltd
@ -293,26 +291,22 @@
          # desu.ltd media bullshit
          - name: prowlarr.media.desu.ltd
            directives:
-              - "allow 24.182.160.0/20"
-              - "allow 97.91.128.0/17"
+              - "allow {{ common_home_address }}/{{ common_home_address_mask }}"
              - "deny all"
            proxy_pass: http://prowlarr:9696
          - name: sonarr.media.desu.ltd
            directives:
-              - "allow 24.182.160.0/20"
-              - "allow 97.91.128.0/17"
+              - "allow {{ common_home_address }}/{{ common_home_address_mask }}"
              - "deny all"
            proxy_pass: http://sonarr:8989
          - name: radarr.media.desu.ltd
            directives:
-              - "allow 24.182.160.0/20"
-              - "allow 97.91.128.0/17"
+              - "allow {{ common_home_address }}/{{ common_home_address_mask }}"
              - "deny all"
            proxy_pass: http://radarr:7878
          - name: transmission.media.desu.ltd
            directives:
-              - "allow 24.182.160.0/20"
-              - "allow 97.91.128.0/17"
+              - "allow {{ common_home_address }}/{{ common_home_address_mask }}"
              - "deny all"
            proxy_pass: http://transmission:9091
          # 9iron
--- a/requirements.txt
+++ b/requirements.txt
@ -1,4 +1,5 @@
 ansible
 ansible-lint
+dnspython
 pynetbox
 pytz