grafana-ng: configuration firewall, dns, caddy

This commit is contained in:
korenstin 2025-10-06 23:27:27 +02:00
parent 1deba6ebf8
commit b7c1b86056
Signed by: korenstin
GPG key ID: 0FC4734F279D20A1
4 changed files with 46 additions and 10 deletions


@ -90,6 +90,14 @@ firewall__zones:
addrs: addrs:
- 2a09:6840:128::98 - 2a09:6840:128::98
- 10.128.0.98 - 10.128.0.98
re2o-ldap.adm:
addrs:
- 2a09:6840:128::21
- 10.128.0.21
ldap-replica-edc.adm:
addrs:
- 2a09:6840:128::4:249
- 10.128.4.249
nextcloud.adm: nextcloud.adm:
addrs: addrs:
- 2a09:6840:128::58 - 2a09:6840:128::58
@ -123,6 +131,10 @@ firewall__zones:
addrs: addrs:
- 2a09:6840:211::1:1 - 2a09:6840:211::1:1
- 10.211.1.1 - 10.211.1.1
grafana.ext:
addrs:
- 2a09:6840:211::1:7
- 10.211.1.7
ns-1.pub: ns-1.pub:
addrs: addrs:
- 2a09:6840:215::1:2 - 2a09:6840:215::1:2
@ -268,6 +280,25 @@ firewall__forward:
tcp: tcp:
dport: 9090 dport: 9090
verdict: accept verdict: accept
# Prometheus for Grafana nixos
- src: grafana.ext
dst: prometheus.int
protocols:
tcp:
dport: 9090
verdict: accept
- src: grafana.ext
dst: re2o-ldap.adm
protocols:
tcp:
dport: 389
verdict: accept
- src: grafana.ext
dst: ldap-replica-edc.adm
protocols:
tcp:
dport: 389
verdict: accept
# Admin VPN clients # Admin VPN clients
- src: vpn-clients - src: vpn-clients
dst: infra dst: infra
@ -342,6 +373,12 @@ firewall__forward:
tcp: tcp:
dport: 3000 dport: 3000
verdict: accept verdict: accept
- src: proxy.pub
dst: grafana.ext
protocols:
tcp:
dport: 80
verdict: accept
- src: proxy.pub - src: proxy.pub
dst: nextcloud.adm dst: nextcloud.adm
protocols: protocols:
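Review bot: The two new rules from `src: grafana.ext` to `dst: re2o-ldap.adm` and `dst: ldap-replica-edc.adm` open only TCP 389, so a host in the `ext` zone reaches the admin-zone directories over a port that carries cleartext unless StartTLS is enforced on the client side, and the Grafana bind password plus every user's login credentials travel that path. Prefer `dport: 636` (LDAPS) and drop 389, or if 389 must stay, make sure Grafana's LDAP config sets `start_tls = true` so an unencrypted bind is refused; that setting is not part of this change and cannot be confirmed from the diff. The `# Prometheus for Grafana nixos` comment covers only the first rule of the block; the LDAP rules deserve their own, e.g. `# LDAP auth for Grafana nixos (LDAPS/StartTLS required)`. The `firewall__forward` list continues outside the hunk.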


@ -343,6 +343,9 @@ knotd__hosts:
collabora.ext: collabora.ext:
- 2a09:6840:211::1:1 - 2a09:6840:211::1:1
- 10.211.1.1 - 10.211.1.1
grafana.ext:
- 2a09:6840:211::1:7
- 10.211.1.7
proxy.pub: proxy.pub:
- 2a09:6840:215::1:1 - 2a09:6840:215::1:1
- 45.66.111.206 - 45.66.111.206
@ -378,17 +381,14 @@ knotd__zones:
- target: - target:
- ns-1.pub.infra - ns-1.pub.infra
- ns-2.pub.infra - ns-2.pub.infra
- ns-3.ovh.infra
- name: infra - name: infra
target: target:
- ns-1.pub.infra - ns-1.pub.infra
- ns-2.pub.infra - ns-2.pub.infra
- ns-3.ovh.infra
- name: test - name: test
target: target:
- ns-1.pub.infra - ns-1.pub.infra
- ns-2.pub.infra - ns-2.pub.infra
- ns-3.ovh.infra
- name: adm - name: adm
target: target:
- serge - serge
@ -436,6 +436,7 @@ knotd__zones:
target: proxy-ovh target: proxy-ovh
- name: - name:
- grafana - grafana
- grafana-ng
- nextcloud - nextcloud
- cloud - cloud
- office - office
@ -495,7 +496,6 @@ knotd__zones:
- target: - target:
- ns-1.pub.infra.auro.re. - ns-1.pub.infra.auro.re.
- ns-2.pub.infra.auro.re. - ns-2.pub.infra.auro.re.
- ns-3.ovh.infra.auro.re.
mx: mx:
- exchange: mx - exchange: mx
preference: 5 preference: 5
@ -524,7 +524,6 @@ knotd__zones:
- target: - target:
- ns-1.pub.infra.auro.re. - ns-1.pub.infra.auro.re.
- ns-2.pub.infra.auro.re. - ns-2.pub.infra.auro.re.
- ns-3.ovh.infra.auro.re.
hosts: "{{ knotd__hosts['infra.auro.re'] }}" hosts: "{{ knotd__hosts['infra.auro.re'] }}"
108.66.45.in-addr.arpa: 108.66.45.in-addr.arpa:
@ -541,7 +540,6 @@ knotd__zones:
- target: - target:
- ns-1.pub.infra.auro.re. - ns-1.pub.infra.auro.re.
- ns-2.pub.infra.auro.re. - ns-2.pub.infra.auro.re.
- ns-3.ovh.infra.auro.re.
109.66.45.in-addr.arpa: 109.66.45.in-addr.arpa:
dnssec_policy: ripe dnssec_policy: ripe
notify: notify:
@ -556,7 +554,6 @@ knotd__zones:
- target: - target:
- ns-1.pub.infra.auro.re. - ns-1.pub.infra.auro.re.
- ns-2.pub.infra.auro.re. - ns-2.pub.infra.auro.re.
- ns-3.ovh.infra.auro.re.
110.66.45.in-addr.arpa: 110.66.45.in-addr.arpa:
dnssec_policy: ripe dnssec_policy: ripe
notify: notify:
@ -571,7 +568,6 @@ knotd__zones:
- target: - target:
- ns-1.pub.infra.auro.re. - ns-1.pub.infra.auro.re.
- ns-2.pub.infra.auro.re. - ns-2.pub.infra.auro.re.
- ns-3.ovh.infra.auro.re.
reverse_hosts: "{{ knotd__hosts['adh.auro.re'] reverse_hosts: "{{ knotd__hosts['adh.auro.re']
| ip_filter(['45.66.110.0/24']) | ip_filter(['45.66.110.0/24'])
| add_origin_keys('adh.auro.re.') }}" | add_origin_keys('adh.auro.re.') }}"
@ -589,7 +585,6 @@ knotd__zones:
- target: - target:
- ns-1.pub.infra.auro.re. - ns-1.pub.infra.auro.re.
- ns-2.pub.infra.auro.re. - ns-2.pub.infra.auro.re.
- ns-3.ovh.infra.auro.re.
reverse_hosts: "{{ knotd__hosts['auro.re'] reverse_hosts: "{{ knotd__hosts['auro.re']
| ip_filter(['45.66.111.0/24']) | ip_filter(['45.66.111.0/24'])
| add_origin_keys('auro.re.') }}" | add_origin_keys('auro.re.') }}"
@ -607,7 +602,6 @@ knotd__zones:
- target: - target:
- ns-1.pub.infra.auro.re. - ns-1.pub.infra.auro.re.
- ns-2.pub.infra.auro.re. - ns-2.pub.infra.auro.re.
- ns-3.ovh.infra.auro.re.
reverse_hosts: "{{ knotd__hosts['auro.re'] reverse_hosts: "{{ knotd__hosts['auro.re']
| ip_filter(['2a09:6840::/32']) | ip_filter(['2a09:6840::/32'])
| add_origin_keys('auro.re.') | add_origin_keys('auro.re.')
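Review bot: Removing `ns-3.ovh.infra` from the NS RRsets of `infra`, `test`, the forward zone and the in-addr.arpa / ip6 reverse zones changes only the child zones' apex records; the delegation at the parent (the registrar for the forward zone, RIPE for the `dnssec_policy: ripe` reverse zones) is not in this diff, and if it still lists ns-3 once that host stops answering the result is a lame delegation, or, should the ns-3 name or address later be released, a dangling delegation that a third party could claim. Confirm the parent NS sets were updated in step, and that no `notify:` or ACL entry elsewhere in `knotd__zones`, nor a `knotd__hosts` entry, still references ns-3.ovh (the `notify:` keys visible here are unchanged context, so this cannot be checked from the hunk). A one-line comment near the remaining `- ns-2.pub.infra` targets recording why ns-3 was dropped, e.g. `# ns-3.ovh decommissioned 2025-10; parent delegations updated`, would spare the next reader the archaeology.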


@ -37,6 +37,10 @@ caddy__routes_https:
reverse: reverse:
- "[2a09:6840:128::98]:3000" - "[2a09:6840:128::98]:3000"
- 10.128.0.98:3000 - 10.128.0.98:3000
grafana-ng.auro.re:
reverse:
- "[2a09:6840:211::1:7]:80"
- 10.211.1.7:80
office.auro.re: office.auro.re:
reverse: reverse:
- "[2a09:6840:211::1:1]:9980" - "[2a09:6840:211::1:1]:9980"
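Review bot: The new `grafana-ng.auro.re:` route carries no comment relating it to the existing `grafana` route a few lines above, so a reader cannot tell whether this is a parallel deployment awaiting cut-over or a permanent second instance; the commit title points to a NixOS-based Grafana, but the file itself does not say. Suggest `# Grafana on NixOS (grafana.ext); backend is plain HTTP on :80, TLS terminates here` above the key, and a matching note on the old route about when it is to be retired. The backend is reached over cleartext like every other route in this file, so that is the file's existing convention rather than a new issue, but it does mean the proxy-to-backend hop relies entirely on the `proxy.pub` → `grafana.ext:80` firewall rule for isolation.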


@ -4,6 +4,7 @@
ansible_2_16 ansible_2_16
python313Packages.jinja2 python313Packages.jinja2
python313Packages.requests python313Packages.requests
python313Packages.pydantic_1
python313Packages.pysocks python313Packages.pysocks
python313Packages.dns python313Packages.dns
]; ];
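Review bot: `python313Packages.pydantic_1` pins the legacy pydantic 1.x line without saying which tool needs it, so whoever next updates this shell cannot tell whether it is a deliberate compatibility pin or an oversight; pydantic 1.x is in maintenance-only mode, and its security-fix window should be confirmed before relying on it long term. Add an inline comment naming the consumer, e.g. `python313Packages.pydantic_1  # required by <tool>; not compatible with pydantic 2`, and track migrating off it. The enclosing attribute list starts outside the hunk.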