-rw-r--r-- | ansible/group_vars/all/linode.yml | 12 | ||||
-rw-r--r-- | ansible/group_vars/all/nftables.yml | 22 |
2 files changed, 26 insertions, 8 deletions
diff --git a/ansible/group_vars/all/linode.yml b/ansible/group_vars/all/linode.yml index a5dde48..08b73d4 100644 --- a/ansible/group_vars/all/linode.yml +++ b/ansible/group_vars/all/linode.yml @@ -1,9 +1,5 @@ --- -lke_ipv4_addresses: - - 172.105.65.136 - - 139.162.171.26 - - 139.162.171.39 -lke_ipv6_addresses: - - 2a01:7e01::f03c:94ff:fe7d:6afb/128 - - 2a01:7e01::f03c:94ff:fe7d:99b4/128 - - 2a01:7e01::f03c:94ff:fe7d:99fd/128 +lke_all_addresses: "{{ lookup('ansible.builtin.url', 'https://geoip.linode.com/', wantlist=True) }}" +lke_frankfurt_addresses: "{{ lke_all_addresses | select('search', '^.*Frankfurt.*$') | map('split', ',') | map(attribute=0) | list }}" +lke_frankfurt_ipv4_addresses: "{{ lke_frankfurt_addresses | select('search', '^.*\\..*$') }}" +lke_frankfurt_ipv6_addresses: "{{ lke_frankfurt_addresses | select('search', '^.*:.*$') }}" diff --git a/ansible/group_vars/all/nftables.yml b/ansible/group_vars/all/nftables.yml index 53a7239..0f1b8bb 100644 --- a/ansible/group_vars/all/nftables.yml +++ b/ansible/group_vars/all/nftables.yml @@ -14,6 +14,21 @@ nftables_configuration: | } } + {% if inventory_hostname == 'lovelace' %} + # Access control for database server + set possible_lke_ipv4_addrs { + type ipv4_addr + flags interval + elements = { {{ lke_frankfurt_ipv4_addresses | join(", ") }} } + } + + set possible_lke_ipv6_addrs { + type ipv6_addr + flags interval + elements = { {{ lke_frankfurt_ipv6_addresses | join(", ") }} } + } + {% endif %} + chain input { type filter hook input priority 0 
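Review bot: The allowlist that ends up in the firewall is now whatever `https://geoip.linode.com/` returns at templating time, with no check on the result: if the feed is empty, reshaped, or the `Frankfurt` match yields nothing, `lke_frankfurt_ipv4_addresses` silently becomes `[]` and is still rendered into the nftables set, and conversely the feed selects every Linode prefix in Frankfurt (all tenants), not the three node addresses it replaces. I would add an assert task before the nftables role, e.g. `- ansible.builtin.assert: { that: [lke_frankfurt_ipv4_addresses | length > 0, lke_frankfurt_ipv6_addresses | length > 0] }`, and document the widening above `lke_all_addresses:` with `# Fetched on the controller each time the var is referenced; covers ALL Linode prefixes in Frankfurt (any tenant), not just our LKE nodes.`. As far as I know Ansible evaluates lookups lazily on each reference, so the feed is fetched several times per run and the IPv4 and IPv6 sets could in principle come from different responses; resolving it once with `set_fact` would make the run self-consistent. Keep the lookup's default `validate_certs=True`; this variable is a security boundary and must not be fetched over plain HTTP or with certificate checks disabled.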
@@ -45,6 +60,13 @@ nftables_configuration: | iifname {{ ansible_default_ipv6.interface }} udp dport {{ wireguard_port }} ct state new accept {% endif %} + {% if inventory_hostname == 'lovelace' %} + # PostgreSQL connections + iifname {{ ansible_default_ipv4.interface }} ip saddr @possible_lke_ipv4_addrs tcp dport postgresql ct state new accept + {% if ansible_default_ipv6 is defined %} + iifname {{ ansible_default_ipv6.interface }} ip6 saddr @possible_lke_ipv6_addrs tcp dport postgresql ct state new accept + {% endif %} + {% endif %} } chain forward { |
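Review bot: The two PostgreSQL accept rules open `tcp dport postgresql` on the public interface to the whole `possible_lke_*` sets, which per the linode.yml change are every Linode prefix in Frankfurt rather than the cluster's node addresses, so any Linode customer in that region can now reach the database listener and the firewall no longer acts as a tenant boundary. That is acceptable only if PostgreSQL's own authentication carries the weight (a tight `pg_hba.conf`, TLS, no trust/password-less entries), which is not visible here and should be confirmed; the chain already carries WireGuard rules, so moving database traffic over that tunnel or a Linode private interface would restore a real boundary. At minimum, document the exposure next to the rules: `# possible_lke_* = every Linode prefix in Frankfurt (all tenants); PostgreSQL auth is the effective boundary`. As a point of style, a host-specific `inventory_hostname == 'lovelace'` branch in `group_vars/all` would read better as a host_vars override or a dedicated group. The enclosing `chain input` block starts outside this hunk.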