From 2916f604e6a974360a4c5bbe4339f20d281af5cf Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Thu, 27 Aug 2020 23:52:35 +0200
Subject: finalize ch-imap-proxy

---
 chaos-at-home/ch-imap-proxy.yml | 59 ++++++++++++++++++++++++++
 inventory/group_vars/chaos-at-home/network.yml | 17 +++++---
 inventory/host_vars/ch-imap-proxy.yml | 2 +-
 inventory/host_vars/ch-router.yml | 9 ++--
 4 files changed, 75 insertions(+), 12 deletions(-)

diff --git a/chaos-at-home/ch-imap-proxy.yml b/chaos-at-home/ch-imap-proxy.yml
index d1479ce1..f3fad1df 100644
--- a/chaos-at-home/ch-imap-proxy.yml
+++ b/chaos-at-home/ch-imap-proxy.yml
@@ -14,3 +14,62 @@
 request:
 challenge:
 http-self-test: false
+ post_tasks:
+ - name: install stunnel package
+ apt:
+ name: stunnel4
+ state: present
+
+ - name: generate stunnel config for imap
+ copy:
+ dest: /etc/stunnel/imap.conf
+ content: |
+ cert = /var/lib/acme/live/imap.chaos-at-home.org/fullchain
+ key = /var/lib/acme/live/imap.chaos-at-home.org/privkey
+
+ [imap]
+ client = yes
+ accept = 127.0.0.1:143
+ connect = 192.168.28.250:143
+ protocol = imap
+ verify = 0
+
+ [imaps]
+ options = NO_SSLv2
+ options = NO_SSLv3
+ options = NO_TLSv1
+ options = NO_TLSv1.1
+ accept = 993
+ connect = 127.0.0.1:143
+ notify: restart stunnel4
+
+ - name: install systemd service unit for service-ip
+ copy:
+ dest: /etc/systemd/system/imap-service-ip.service
+ content: |
+ [Unit]
+ Description=Assign IMAP Sevice IP
+ After=network.target
+
+ [Service]
+ Type=oneshot
+ ExecStart=/usr/sbin/ip addr add dev {{ network.primary.name }} {{ network_services.imap.addr }}/32
+ ExecStop=/usr/sbin/ip addr del dev {{ network.primary.name }} {{ network_services.imap.addr }}/32
+ RemainAfterExit=yes
+
+ [Install]
+ WantedBy=multi-user.target
+ register: service_ip_systemd_unit
+
+ - name: make sure service-ip systemd unit is enabeld and started
+ systemd:
+ daemon_reload: yes
+ name: imap-service-ip.service
+ state: "{{ (service_ip_systemd_unit is changed) | ternary('restarted', 'started') }}"
+ enabled: yes
+
+ handlers:
+ - name: restart stunnel4
+ service:
+ name: stunnel4
+ state: restarted
diff --git a/inventory/group_vars/chaos-at-home/network.yml b/inventory/group_vars/chaos-at-home/network.yml
index 332729a1..d2bbde0a 100644
--- a/inventory/group_vars/chaos-at-home/network.yml
+++ b/inventory/group_vars/chaos-at-home/network.yml
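Review bot: The `[imap]` client section sets `verify = 0`, so the STARTTLS hop from the proxy to the backend at `192.168.28.250:143` accepts any certificate, and anyone who can answer for that address on the internal segment can terminate the TLS session and read the credentials the proxy relays on behalf of the 993 listener. Pin the backend instead, e.g. `verify = 2` plus `CAfile = /etc/stunnel/backend-ca.pem` (on stunnel 5.x the equivalent is `verifyChain = yes` with `checkHost = <backend name>`; check which form the installed stunnel4 supports), and consider deriving the backend address from `network_zones` like the rest of the inventory rather than a literal. A second gap: the cert and key are read from the acmetool `live/` directory, but stunnel4 is only restarted by the config-change handler, so a renewed certificate will not reach the running daemon until something else restarts it; an acmetool reload hook that runs `systemctl restart stunnel4` would close that. `Description=Assign IMAP Sevice IP` and `enabeld` are typos, and `daemon_reload: yes` / `enabled: yes` should be `true` per the usual Ansible YAML convention.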
@@ -15,11 +15,13 @@ network_zones: ch-oulu: 2 ## testing ch-oulu-vm1: 3 ## testing ch-mc: 10 - ch-auth-legacy: 88 ## legacy - ch-prometheus-legacy: 99 ## legacy ch-prometheus: 200 ch-prometheus-old: 250 ch-gw-lan: 254 + ############# + ## legacy stuff + ch-auth-legacy: 88 ## legacy + ch-prometheus-legacy: 99 ## legacy wifi: ssid: "chaos at home" encryption: "psk2" @@ -46,16 +48,19 @@ network_zones: offsets: ch-apps: 1 ch-imap-proxy: 9 - ch-stats-legacy: 10 ## legacy ch-jump: 22 ch-gw-lan: 28 ch-nic: 53 - ch-web-legacy: 80 ## legacy __svc_web__: 80 - ch-mail-legacy: 143 ## legacy __svc_imap__: 143 ch-router-obsd: 253 ch-router: 254 + ############# + ## legacy stuff + ch-stats-legacy: 10 + ch-web-legacy: 80 + ch-mail-legacy: 144 + mgmt: vlan: 42 @@ -90,6 +95,6 @@ network_services: addr: "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets.__svc_web__) | ipaddr('address') }}" imap: ports: - - 143 + #- 143 - 993 addr: "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets.__svc_imap__) | ipaddr('address') }}" diff --git a/inventory/host_vars/ch-imap-proxy.yml b/inventory/host_vars/ch-imap-proxy.yml index fb76d202..69acde86 100644 --- a/inventory/host_vars/ch-imap-proxy.yml +++ b/inventory/host_vars/ch-imap-proxy.yml @@ -33,4 +33,4 @@ network: - *_network_primary_ -# acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}" +acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}" diff --git a/inventory/host_vars/ch-router.yml b/inventory/host_vars/ch-router.yml index 22864a59..a63f29fc 100644 --- a/inventory/host_vars/ch-router.yml +++ b/inventory/host_vars/ch-router.yml 
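Review bot: `ch-mail-legacy` moves from offset 143 to 144 in the `svc` offsets, but this is an inventory rename only; nothing in the commit touches the legacy host itself, and `__svc_imap__` stays at 143, which `imap-service-ip.service` on ch-imap-proxy now adds as a /32 on its primary interface. Until the legacy machine actually gives up .143, both hosts will answer for that address on the svc segment, so confirm (or order) the legacy renumbering before this is rolled out, and add a note such as `ch-mail-legacy: 144  # moved off .143, which is now the IMAP service IP on ch-imap-proxy` so the next reader sees why the offset changed. Dropping `143` from `network_services.imap.ports` leaves only 993 published, which is the right direction; if the plaintext port is meant to stay gone, delete the `#- 143` line rather than leave it commented out.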
@@ -150,20 +150,19 @@ openwrt_mixin:
 iptables -A INPUT -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p udp --dport 1194 -j ACCEPT
 iptables -A INPUT -i "$MAGENTA_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ {# TODO: generate this based on network_services #}
 iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 2342 -j DNAT --to "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-jump']) | ipaddr('address') }}"
 iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -d "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-jump']) | ipaddr('address') }}" -p tcp --dport 2342 -j ACCEPT
 iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 53 -j DNAT --to "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-nic']) | ipaddr('address') }}"
 iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -d "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-nic']) | ipaddr('address') }}" -p tcp --dport 53 -j ACCEPT
- iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 80 -j DNAT --to "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-web']) | ipaddr('address') }}"
- iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 443 -j DNAT --to "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-web']) | ipaddr('address') }}"
+ iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 80 -j DNAT --to "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-web-legacy']) | ipaddr('address') }}"
+ iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 443 -j DNAT --to "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-web-legacy']) | ipaddr('address') }}"
 iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -d "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-web']) | ipaddr('address') }}" -p tcp --dport 80 -j ACCEPT
 iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -d "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-web']) | ipaddr('address') }}" -p tcp --dport 443 -j ACCEPT
- iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 143 -j DNAT --to "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-mail']) | ipaddr('address') }}:144"
- iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 993 -j DNAT --to "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-mail']) | ipaddr('address') }}"
- iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -d "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-mail']) | ipaddr('address') }}" -p tcp --dport 144 -j ACCEPT
+ iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 993 -j DNAT --to "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-mail-legacy']) | ipaddr('address') }}"
 iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -d "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-mail']) | ipaddr('address') }}" -p tcp --dport 993 -j ACCEPT
-- cgit v1.2.3
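Review bot: The DNAT rules for 80/443 and 993 now target `offsets['ch-web-legacy']` and `offsets['ch-mail-legacy']`, but the matching FORWARD ACCEPT lines, left as context in this hunk, still look up `offsets['ch-web']` and `offsets['ch-mail']`; as far as the group_vars hunk in this same commit shows, only the `-legacy` keys exist, so those lookups either fail when the template is rendered or, if they resolve through something outside this view, accept a different destination than the translated packets and the forwarded traffic is dropped (assuming a default-drop FORWARD policy elsewhere in openwrt_mixin). Change the three context lines to the same keys the DNAT rules use, e.g. `iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -d "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-mail-legacy']) | ipaddr('address') }}" -p tcp --dport 993 -j ACCEPT`. Removing the 143→:144 forward takes cleartext IMAP off the WAN side, which is good; note that 993 still goes straight to the legacy host and bypasses ch-imap-proxy, which the `TODO` presumably covers later. openwrt_mixin starts before this hunk and its remaining rules are outside it.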