author | 2024-04-29 21:26:21 +0200 | |
---|---|---|
committer | 2024-04-29 21:49:31 +0200 | |
commit | d574da38f5f0c5f6a078a78d92503dbaa927c52c (patch) | |
tree | 31d79f3e7268e0b51e6e189af7619a7d33b918c6 | |
parent | Add LKE addresses to group variables (diff) |
Whitelist possible LKE addresses to PostgreSQL on lovelace
This allows us to connect to PostgreSQL on lovelace from any possible
LKE node location, whilst not opening up our PostgreSQL instances to the
world.
This has already been rolled out.
-rw-r--r-- | ansible/group_vars/all/linode.yml | 12 | ||||
-rw-r--r-- | ansible/group_vars/all/nftables.yml | 22 |
2 files changed, 26 insertions, 8 deletions
diff --git a/ansible/group_vars/all/linode.yml b/ansible/group_vars/all/linode.yml
index a5dde48..08b73d4 100644
--- a/ansible/group_vars/all/linode.yml
+++ b/ansible/group_vars/all/linode.yml
@@ -1,9 +1,5 @@
 ---
-lke_ipv4_addresses:
- - 172.105.65.136
- - 139.162.171.26
- - 139.162.171.39
-lke_ipv6_addresses:
- - 2a01:7e01::f03c:94ff:fe7d:6afb/128
- - 2a01:7e01::f03c:94ff:fe7d:99b4/128
- - 2a01:7e01::f03c:94ff:fe7d:99fd/128
+lke_all_addresses: "{{ lookup('ansible.builtin.url', 'https://geoip.linode.com/', wantlist=True) }}"
+lke_frankfurt_addresses: "{{ lke_all_addresses | select('search', '^.*Frankfurt.*$') | map('split', ',') | map(attribute=0) | list }}"
+lke_frankfurt_ipv4_addresses: "{{ lke_frankfurt_addresses | select('search', '^.*\\..*$') }}"
+lke_frankfurt_ipv6_addresses: "{{ lke_frankfurt_addresses | select('search', '^.*:.*$') }}"
diff --git a/ansible/group_vars/all/nftables.yml b/ansible/group_vars/all/nftables.yml
index 53a7239..0f1b8bb 100644
--- a/ansible/group_vars/all/nftables.yml
+++ b/ansible/group_vars/all/nftables.yml
@@ -14,6 +14,21 @@ nftables_configuration: |
 }
 }
+ {% if inventory_hostname == 'lovelace' %}
+ # Access control for database server
+ set possible_lke_ipv4_addrs {
+ type ipv4_addr
+ flags interval
+ elements = { {{ lke_frankfurt_ipv4_addresses | join(", ") }} }
+ }
+
+ set possible_lke_ipv6_addrs {
+ type ipv6_addr
+ flags interval
+ elements = { {{ lke_frankfurt_ipv6_addresses | join(", ") }} }
+ }
+ {% endif %}
+
 chain input {
 type filter hook input priority 0 
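Review bot: The new `lke_frankfurt_*` variables turn a hand-maintained allow-list into one fetched at run time from `https://geoip.linode.com/`, and nothing between the `lookup` and the nftables template checks that each selected entry is actually an IPv4/IPv6 address or prefix — the two `select('search', …)` filters only look for a dot or a colon in whatever text the feed returned. A malformed, empty or reformatted feed therefore lands directly in the firewall ruleset on lovelace, where it will either fail to load or (if the line format changes so that a wider column is picked) silently enlarge the set. Consider asserting the derived lists before they are used, e.g. `- ansible.builtin.assert:` / `that: lke_frankfurt_ipv4_addresses | length > 0 and lke_frankfurt_ipv6_addresses | length > 0`, and adding a comment such as `# Derived from Linode's public region feed; every run re-fetches it, so a fetch failure fails the play rather than keeping the last-known list`. The first `select` also matches any line containing "Frankfurt", which presumably is the intended region filter — worth confirming against the feed's format.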
@@ -45,6 +60,13 @@ nftables_configuration: |
 iifname {{ ansible_default_ipv6.interface }} udp dport {{ wireguard_port }} ct state new accept
 {% endif %}
+ {% if inventory_hostname == 'lovelace' %}
+ # PostgreSQL connections
+ iifname {{ ansible_default_ipv4.interface }} ip saddr @possible_lke_ipv4_addrs tcp dport postgresql ct state new accept
+ {% if ansible_default_ipv6 is defined %}
+ iifname {{ ansible_default_ipv6.interface }} ip6 saddr @possible_lke_ipv6_addrs tcp dport postgresql ct state new accept
+ {% endif %}
+ {% endif %}
 }
 chain forward { |
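Review bot: The two `accept` rules for `tcp dport postgresql` admit traffic from every prefix the feed lists for the Frankfurt region, which (if the feed is Linode's region-wide address list, as the variable names suggest) includes any other Linode customer's instance in that region, not only this project's LKE nodes; the commit message's "not opening to the world" is accurate, but the trust boundary has moved from three known hosts to a whole hosting region, so PostgreSQL's own authentication (pg_hba, TLS, password policy) is now the control that actually separates tenants. That trade-off should be recorded next to the rule, e.g. `# NOTE: the sets cover all of Linode Frankfurt, not just our LKE nodes; tenant isolation relies on pg_hba/TLS`. Separately, if either derived list is empty the earlier hunk renders `elements = {  }`, which I believe nft rejects at load time, so a guard on `| length > 0` around each set (or a fail-fast assert before templating) is worth considering. The `nftables_configuration` block scalar these rules live in starts and ends outside the hunk.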