From d574da38f5f0c5f6a078a78d92503dbaa927c52c Mon Sep 17 00:00:00 2001
From: Johannes Christ
Date: Mon, 29 Apr 2024 21:26:21 +0200
Subject: Whitelist possible LKE addresses to PostgreSQL on lovelace
This allows us to connect to PostgreSQL on lovelace from any possible LKE node location, whilst not opening up our PostgreSQL instances to the world. This has already been rolled out.
---
 ansible/group_vars/all/linode.yml | 12 ++++--------
 ansible/group_vars/all/nftables.yml | 22 ++++++++++++++++++++++
 2 files changed, 26 insertions(+), 8 deletions(-)
(limited to 'ansible')
diff --git a/ansible/group_vars/all/linode.yml b/ansible/group_vars/all/linode.yml
index a5dde48..08b73d4 100644
--- a/ansible/group_vars/all/linode.yml
+++ b/ansible/group_vars/all/linode.yml
@@ -1,9 +1,5 @@
 ---
-lke_ipv4_addresses:
- 172.105.65.136
- 139.162.171.26
- 139.162.171.39
-lke_ipv6_addresses:
- 2a01:7e01::f03c:94ff:fe7d:6afb/128
- 2a01:7e01::f03c:94ff:fe7d:99b4/128
- 2a01:7e01::f03c:94ff:fe7d:99fd/128
+lke_all_addresses: "{{ lookup('ansible.builtin.url', 'https://geoip.linode.com/', wantlist=True) }}"
+lke_frankfurt_addresses: "{{ lke_all_addresses | select('search', '^.*Frankfurt.*$') | map('split', ',') | map(attribute=0) | list }}"
+lke_frankfurt_ipv4_addresses: "{{ lke_frankfurt_addresses | select('search', '^.*\\..*$') }}"
+lke_frankfurt_ipv6_addresses: "{{ lke_frankfurt_addresses | select('search', '^.*:.*$') }}"
diff --git a/ansible/group_vars/all/nftables.yml b/ansible/group_vars/all/nftables.yml
index 53a7239..0f1b8bb 100644
--- a/ansible/group_vars/all/nftables.yml
+++ b/ansible/group_vars/all/nftables.yml
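Review bot: Nothing validates what the `geoip.linode.com` lookup returned before it becomes the database firewall allow-list, so a format change or an error body served with HTTP 200 would leave `lke_frankfurt_ipv4_addresses` and `lke_frankfurt_ipv6_addresses` empty or holding non-address text, and the sets templated from them in nftables.yml would then either fail to load or admit nothing. A guard run before the nftables role, such as `- ansible.builtin.assert: { that: ["lke_frankfurt_ipv4_addresses | length > 0", "lke_frankfurt_ipv6_addresses | length > 0"] }`, would make that failure explicit rather than silent. Note also that `^.*Frankfurt.*$` appears to select every Linode prefix in the Frankfurt region rather than this cluster's own nodes, so the accept rules added in nftables.yml admit any Linode tenant located there and PostgreSQL's own `pg_hba.conf` restrictions and authentication remain the effective boundary. The two v4/v6 `select` expressions also omit the trailing `| list` that `lke_frankfurt_addresses` uses; recent ansible-core unrolls the generator, but adding it keeps the three definitions consistent.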
@@ -14,6 +14,21 @@ nftables_configuration: |
 }
 }
+ {% if inventory_hostname == 'lovelace' %}
+ # Access control for database server
+ set possible_lke_ipv4_addrs {
+ type ipv4_addr
+ flags interval
+ elements = { {{ lke_frankfurt_ipv4_addresses | join(", ") }} }
+ }
+
+ set possible_lke_ipv6_addrs {
+ type ipv6_addr
+ flags interval
+ elements = { {{ lke_frankfurt_ipv6_addresses | join(", ") }} }
+ }
+ {% endif %}
+
 chain input {
 type filter hook input priority 0
@@ -45,6 +60,13 @@ nftables_configuration: |
 iifname {{ ansible_default_ipv6.interface }} udp dport {{ wireguard_port }} ct state new accept
 {% endif %}
+ {% if inventory_hostname == 'lovelace' %}
+ # PostgreSQL connections
+ iifname {{ ansible_default_ipv4.interface }} ip saddr @possible_lke_ipv4_addrs tcp dport postgresql ct state new accept
+ {% if ansible_default_ipv6 is defined %}
+ iifname {{ ansible_default_ipv6.interface }} ip6 saddr @possible_lke_ipv6_addrs tcp dport postgresql ct state new accept
+ {% endif %}
+ {% endif %}
 }
 chain forward {
-- cgit v1.2.3
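Review bot: Both `elements = { {{ ... | join(", ") }} }` lines render as `elements = {  }` when the templated list is empty, which nft is likely to reject as a syntax error, so a lookup that returns no Frankfurt prefixes would take the whole ruleset down rather than just leaving PostgreSQL closed. Wrapping the element line as `{% if lke_frankfurt_ipv4_addresses %}` / `elements = { {{ lke_frankfurt_ipv4_addresses | join(", ") }} }` / `{% endif %}`, and likewise for the IPv6 set, keeps the set declared but empty, which still fails closed for the `@possible_lke_ipv4_addrs` match in the input chain. The `# Access control for database server` comment would be more useful if it recorded that the members are the provider's published Frankfurt ranges and where they come from, since the set name alone suggests a per-node list. The enclosing `nftables_configuration` block scalar starts and ends outside this hunk.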
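Review bot: The two new accept rules admit new PostgreSQL connections from an allow-list that spans a whole provider region, yet carry no `counter`, so the loaded ruleset gives no way to see how much traffic this exception passes or to notice an unexpected surge. Adding `counter` before `accept` on both lines, e.g. `iifname {{ ansible_default_ipv4.interface }} ip saddr @possible_lke_ipv4_addrs tcp dport postgresql ct state new counter accept`, costs nothing and is readable with `nft list chain`. `tcp dport postgresql` is resolved through the host's services database at load time; writing `5432` removes that dependency, if the rest of the file does not rely on service names. The enclosing `chain input` block starts and ends outside this hunk.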