Add dynamically-changing IP whitelist courtesy of ddns

This commit is contained in:
Salt 2023-11-28 16:04:16 -06:00
parent 28cb44c95a
commit d7eff5fb99
5 changed files with 21 additions and 12 deletions


@ -2,3 +2,5 @@ all:
hosts: hosts:
vm-general-1.ashburn.mgmt.desu.ltd: vm-general-1.ashburn.mgmt.desu.ltd:
bastion1.dallas.mgmt.desu.ltd: bastion1.dallas.mgmt.desu.ltd:
pi-homeauto-1.home.mgmt.desu.ltd:
ansible_host: 192.168.1.144


@ -2,6 +2,10 @@
# For homebrew roles and such, mostly Ansible-related setup # For homebrew roles and such, mostly Ansible-related setup
common_ansible_pubkey: "ssh-rsa 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 ansible" common_ansible_pubkey: "ssh-rsa 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 ansible"
# And my home address, for whitelisting
common_home_address: "{{ lookup('community.general.dig', 'home.ddns.mgmt.desu.ltd') }}"
# Along with a mask. This allows for some variability in my exact IP
common_home_address_mask: "24"
# This is a token generated post-setup # This is a token generated post-setup
# It is to be used for querying netbox # It is to be used for querying netbox
netbox_token: !vault | netbox_token: !vault |
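Review bot: The `common_home_address` lookup makes every nginx allow-list that uses it trust whatever the controller's resolver returns for `home.ddns.mgmt.desu.ltd` at run time, with no validation of the answer — a hijacked DDNS account or a spoofed/poisoned reply quietly rewrites the allow-list, and (as far as I recall) a failed lookup yields the literal string `NXDOMAIN` rather than an error unless `fail_on_error=true` is passed, which would then be templated into the config verbatim. Consider pinning the resolver (`lookup('community.general.dig', 'home.ddns.mgmt.desu.ltd', '@<trusted-resolver>')`) and asserting the value is an IPv4 address before it is used, e.g. a `pre_tasks` entry `ansible.builtin.assert: { that: common_home_address is match('^\d{1,3}(\.\d{1,3}){3}$') }`. The comment on `common_home_address_mask` says the `24` allows for variability, but the DDNS record already tracks the exact address; a `32` would admit only that host rather than the surrounding ISP /24 — if the wider range is deliberate, I would say so in the comment, e.g. `# /24 rather than /32 on purpose: the ISP reassigns within this block faster than the DDNS client updates`.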

8
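--- a/playbooks/debug.yml
+++ b/playbooks/debug.yml
@@ -0,0 +1,8 @@
+#!/usr/bin/env ansible-playbook
+# vim:ft=ansible:
+---
+- hosts: localhost
+tasks:
+- name: debug home address
+ansible.builtin.debug:
+msg: "Record: {{ common_home_address }}"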
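Review bot: The play has no comment saying what it is for, and nothing in it uses facts, so I would add a header and skip fact gathering: `# Prints what the DDNS lookup behind common_home_address resolves to on this controller; run it before a deploy to sanity-check the nginx allow-lists.` above the play, and `gather_facts: false` under `hosts: localhost`. If this is meant as a preflight check rather than a print-only helper, it is the natural place to also assert the value looks like an address, e.g. `- ansible.builtin.assert: { that: common_home_address is match('^\d{1,3}(\.\d{1,3}){3}$') }`.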


@ -252,16 +252,14 @@
proxy_pass: http://firefly:8080 proxy_pass: http://firefly:8080
- name: firefly-importer.desu.ltd - name: firefly-importer.desu.ltd
directives: directives:
- "allow 24.182.160.0/20" - "allow {{ common_home_address }}/{{ common_home_address_mask }}"
- "allow 97.91.128.0/17"
- "deny all" - "deny all"
proxy_pass: http://firefly-importer:8080 proxy_pass: http://firefly-importer:8080
- name: git.desu.ltd - name: git.desu.ltd
proxy_pass: http://gitea:3000 proxy_pass: http://gitea:3000
- name: lr.desu.ltd - name: lr.desu.ltd
directives: directives:
- "allow 24.182.160.0/20" - "allow {{ common_home_address }}/{{ common_home_address_mask }}"
- "allow 97.91.128.0/17"
- "deny all" - "deny all"
proxy_pass: http://libreddit:8080 proxy_pass: http://libreddit:8080
- name: matrix.desu.ltd - name: matrix.desu.ltd
@ -293,26 +291,22 @@
# desu.ltd media bullshit # desu.ltd media bullshit
- name: prowlarr.media.desu.ltd - name: prowlarr.media.desu.ltd
directives: directives:
- "allow 24.182.160.0/20" - "allow {{ common_home_address }}/{{ common_home_address_mask }}"
- "allow 97.91.128.0/17"
- "deny all" - "deny all"
proxy_pass: http://prowlarr:9696 proxy_pass: http://prowlarr:9696
- name: sonarr.media.desu.ltd - name: sonarr.media.desu.ltd
directives: directives:
- "allow 24.182.160.0/20" - "allow {{ common_home_address }}/{{ common_home_address_mask }}"
- "allow 97.91.128.0/17"
- "deny all" - "deny all"
proxy_pass: http://sonarr:8989 proxy_pass: http://sonarr:8989
- name: radarr.media.desu.ltd - name: radarr.media.desu.ltd
directives: directives:
- "allow 24.182.160.0/20" - "allow {{ common_home_address }}/{{ common_home_address_mask }}"
- "allow 97.91.128.0/17"
- "deny all" - "deny all"
proxy_pass: http://radarr:7878 proxy_pass: http://radarr:7878
- name: transmission.media.desu.ltd - name: transmission.media.desu.ltd
directives: directives:
- "allow 24.182.160.0/20" - "allow {{ common_home_address }}/{{ common_home_address_mask }}"
- "allow 97.91.128.0/17"
- "deny all" - "deny all"
proxy_pass: http://transmission:9091 proxy_pass: http://transmission:9091
# 9iron # 9iron
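Review bot: Each `allow {{ common_home_address }}/{{ common_home_address_mask }}` line is the only access control in front of prowlarr, sonarr, radarr, transmission and firefly-importer, and it is rendered straight from a DNS answer that is never checked. If the lookup returns something that is not an address, the directive is invalid and nginx refuses the config — which only fails closed if the task that writes this file validates it before reload (`validate: nginx -t -c %s` or equivalent; the template task is outside this hunk, so I cannot tell) — and if it returns an attacker-chosen address, the `deny all` below it is bypassed for that whole /24. Since the same expression is repeated five times, I would define it once, e.g. `common_home_cidr: "{{ common_home_address }}/{{ common_home_address_mask }}"`, validate that one value, and reference `{{ common_home_cidr }}` here. Note also that nginx logs a "low address bits ... are meaningless" warning for a host address with a /24 mask; it still loads, but the warning will appear on every reload.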


@ -1,4 +1,5 @@
ansible ansible
ansible-lint ansible-lint
dnspython
pynetbox pynetbox
pytz pytz
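Review bot: `dnspython` is added unpinned, consistent with the rest of the file, but it is the library behind the `community.general.dig` lookup that now feeds the nginx allow-lists, so a broken or malicious release installed on the controller sits directly in the access-control path. I would pin it to the version this was tested with (or at least bound the major) and record why it is here: `dnspython  # required by the community.general.dig lookup (common_home_address)`. If the other packages stay unpinned for a reason, a hash-pinned lockfile generated from this list would cover all of them at once.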