Add dynamically-changing IP whitelist courtesy of ddns

inventories/hardcoded/hosts.yml

@@ -2,3 +2,5 @@ all:
   hosts:
     vm-general-1.ashburn.mgmt.desu.ltd:
     bastion1.dallas.mgmt.desu.ltd:
+    pi-homeauto-1.home.mgmt.desu.ltd:
+      ansible_host: 192.168.1.144

inventories/production/group_vars/all.yml

@@ -2,6 +2,10 @@
 
 # For homebrew roles and such, mostly Ansible-related setup
 common_ansible_pubkey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDfXVgMHeD2wtCAIVoDYQ+R19vKfhmR2FgUTkHhAzE2156fB/+IMB+6Qc4X3aFRIcUp+Ls8Vm8JQ3d0jvbcGQkgbAjRExQa71XGBmhxJCxzlCLBoQzBmTSnryL09LExoMynzVgrso8TQP92vZBGJFI/lLGAaop2l9pu+3cgM3sRaK+A11lcRCrS25C3hqPQhKC44zjzOt7sIoaG6RqG3CQ8jhE35bthQdBySOZVDgDKfjDyPuDzVxiKjsuNm4Ojzm0QW5gq6GkLOg2B8OSQ1TGQgBHQu4b8zsKBOUOdbZb0JLM8NdpH1cMntC0QBofy3DzqR/CFaSaBzUx+dnkBH0/pjBOrhHzzqZGOJayfC1igYki67HqzFV5IjhAVa+c4S9L/zbFk0+YZYdgMoKNlMU2LgzrSEastuXHD7NUy3fMP4BZbqg37SjQzFRXoUp5+ctVs9tCoy/qvvjT3UVGcn312eJrRRfWrYagU2nWKGyqbTOpsuOJ5OLlhopy6eP9+yRM= ansible"
+# And my home address, for whitelisting
+common_home_address: "{{ lookup('community.general.dig', 'home.ddns.mgmt.desu.ltd') }}"
+# Along with a mask. This allows for some variability in my exact IP
+common_home_address_mask: "24"
 # This is a token generated post-setup
 # It is to be used for querying netbox
 netbox_token: !vault |

playbooks/debug.yml

@@ -0,0 +1,8 @@
+#!/usr/bin/env ansible-playbook
+# vim:ft=ansible:
+---
+- hosts: localhost
+  tasks:
+    - name: debug home address
+      ansible.builtin.debug:
+        msg: "Record: {{ common_home_address }}"

playbooks/home_automation.yml

@@ -0,0 +1,44 @@
+#!/usr/bin/env ansible-playbook
+# vim:ft=ansible:
+---
+# Home media storage Pi
+- hosts: pi-homeauto-1.home.mgmt.desu.ltd
+  gather_facts: no
+  module_defaults:
+    docker_container:
+      state: started
+      restart_policy: unless-stopped
+      pull: yes
+  pre_tasks:
+    - name: ensure docker network
+      docker_network: name=web
+      tags: [ docker ]
+  tasks:
+    - name: include tasks for apps
+      include_tasks: tasks/app/{{ task }}
+      with_items:
+        - ddns-route53.yml
+        - homeassistant.yml
+      loop_control:
+        loop_var: task
+      tags: [ always ]
+  roles:
+    - role: backup
+      vars:
+        backup_s3backup_list_extra:
+          - /data
+        backup_time: "Sun *-*-* 02:00:00"
+      tags: [ backup ]
+    - role: ingress
+      vars:
+        ingress_container_image: "nginx:latest"
+        ingress_container_ports:
+          - 80:80
+        ingress_container_config_mount: /etc/nginx/conf.d
+        ingress_container_persist_dir: /data/nginx
+        ingress_listen_args: 80
+        ingress_listen_tls: no
+        ingress_servers:
+          - name: homeauto.local.desu.ltd
+            proxy_pass: http://localhost:8123
+      tags: [ ingress ]

playbooks/prod_web.yml

@@ -252,16 +252,14 @@
             proxy_pass: http://firefly:8080
           - name: firefly-importer.desu.ltd
             directives:
-              - "allow 24.182.160.0/20"
-              - "allow 97.91.128.0/17"
+              - "allow {{ common_home_address }}/{{ common_home_address_mask }}"
               - "deny all"
             proxy_pass: http://firefly-importer:8080
           - name: git.desu.ltd
             proxy_pass: http://gitea:3000
           - name: lr.desu.ltd
             directives:
-              - "allow 24.182.160.0/20"
-              - "allow 97.91.128.0/17"
+              - "allow {{ common_home_address }}/{{ common_home_address_mask }}"
               - "deny all"
             proxy_pass: http://libreddit:8080
           - name: matrix.desu.ltd
@@ -293,26 +291,22 @@
           # desu.ltd media bullshit
           - name: prowlarr.media.desu.ltd
             directives:
-              - "allow 24.182.160.0/20"
-              - "allow 97.91.128.0/17"
+              - "allow {{ common_home_address }}/{{ common_home_address_mask }}"
               - "deny all"
             proxy_pass: http://prowlarr:9696
           - name: sonarr.media.desu.ltd
             directives:
-              - "allow 24.182.160.0/20"
-              - "allow 97.91.128.0/17"
+              - "allow {{ common_home_address }}/{{ common_home_address_mask }}"
               - "deny all"
             proxy_pass: http://sonarr:8989
           - name: radarr.media.desu.ltd
             directives:
-              - "allow 24.182.160.0/20"
-              - "allow 97.91.128.0/17"
+              - "allow {{ common_home_address }}/{{ common_home_address_mask }}"
               - "deny all"
             proxy_pass: http://radarr:7878
           - name: transmission.media.desu.ltd
             directives:
-              - "allow 24.182.160.0/20"
-              - "allow 97.91.128.0/17"
+              - "allow {{ common_home_address }}/{{ common_home_address_mask }}"
               - "deny all"
             proxy_pass: http://transmission:9091
           # 9iron

playbooks/site_main.yml

@@ -6,3 +6,5 @@
   # Production configuration
 - import_playbook: prod_db.yml
 - import_playbook: prod_web.yml
+  # Home automation stuff
+- import_playbook: home_automation.yml

playbooks/tasks/app/ddclient.yml

@@ -1,13 +0,0 @@
-# vim:ft=ansible:
-- name: docker deploy ddclient
-  docker_container:
-    name: ddclient
-    state: started
-    image: linuxserver/ddclient:latest
-    restart_policy: unless-stopped
-    pull: yes
-    env:
-      TZ: America/Chicago
-    volumes:
-      - /data/ddclient:/config
-  tags: [ docker, ddclient ]

requirements.txt

@@ -1,4 +1,5 @@
 ansible
 ansible-lint
+dnspython
 pynetbox
 pytz