From 3f1364557e1753ca0e8f2efcec9087516f4e0cbe Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Wed, 10 Jul 2019 17:21:54 +0200 Subject: added new jumphost --- chaos-at-home/ch-jump.yml | 8 ++++++ inventory/group_vars/chaos_at_home/network.yml | 4 ++- inventory/host_vars/ch-jump.yml | 29 ++++++++++++++++++++++ inventory/host_vars/ch-router.yml | 21 +++++++++++++--- inventory/hosts.ini | 3 +++ .../preseed/templates/preseed_debian-buster.cfg.j2 | 2 +- .../templates/preseed_debian-stretch.cfg.j2 | 2 +- .../preseed/templates/preseed_ubuntu-bionic.cfg.j2 | 2 +- .../preseed/templates/preseed_ubuntu-xenial.cfg.j2 | 2 +- roles/vm/host/tasks/main.yml | 1 + roles/vm/install/tasks/main.yml | 2 +- 11 files changed, 67 insertions(+), 9 deletions(-) create mode 100644 chaos-at-home/ch-jump.yml create mode 100644 inventory/host_vars/ch-jump.yml diff --git a/chaos-at-home/ch-jump.yml b/chaos-at-home/ch-jump.yml new file mode 100644 index 00000000..8abf7338 --- /dev/null +++ b/chaos-at-home/ch-jump.yml @@ -0,0 +1,8 @@ +--- +- name: Basic Setup + hosts: ch-jump + roles: + - role: base + - role: sshd + - role: zsh + - role: admin-user diff --git a/inventory/group_vars/chaos_at_home/network.yml b/inventory/group_vars/chaos_at_home/network.yml index 95c240c1..7e317bbc 100644 --- a/inventory/group_vars/chaos_at_home/network.yml +++ b/inventory/group_vars/chaos_at_home/network.yml @@ -30,8 +30,10 @@ network_zones: prefix: 192.168.32.0/24 gw: 192.168.32.254 dns: - - 192.168.32.254 +# - 192.168.32.254 + - 9.9.9.9 offsets: + ch-jump: 22 web: 80 mail: 143 ch-router: 254 diff --git a/inventory/host_vars/ch-jump.yml b/inventory/host_vars/ch-jump.yml new file mode 100644 index 00000000..b46120f1 --- /dev/null +++ b/inventory/host_vars/ch-jump.yml 
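Review bot: In the `network_zones` hunk the router resolver is kept as a dead entry (`# - 192.168.32.254`) instead of being removed, and nothing records why the svc zone now resolves directly against 9.9.9.9; commented-out config without a reason tends to be re-enabled or copied later. Either drop the line or replace it with a why-comment such as `# resolve via 9.9.9.9 directly because <REASON — fill in>`. Note that after this change every svc-zone host, including the new `ch-jump: 22` offset, sends DNS through the router's FORWARD/SNAT path to a public resolver rather than to a local one, so the decision is worth stating next to the value.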
@@ -0,0 +1,29 @@ +--- +vm_host: ch-gnocchi + +install: + host: "{{ vm_host }}" + mem: 1024 + numcpu: 2 + disks: + primary: /dev/sda + scsi: + sda: + vg: "{{ hostvars[vm_host].host_name }}" + lv: "{{ inventory_hostname }}" + size: 10g + interfaces: + - bridge: br-svc + name: primary0 + autostart: True + +network: + nameservers: "{{ network_zones.svc.dns }}" + domain: "{{ host_domain }}" + systemd_link: + interfaces: "{{ install.interfaces }}" + primary: + interface: primary0 + ip: "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets[inventory_hostname]) | ipaddr('address') }}" + mask: "{{ network_zones.svc.prefix | ipaddr('netmask') }}" + gateway: "{{ network_zones.svc.gw }}" diff --git a/inventory/host_vars/ch-router.yml b/inventory/host_vars/ch-router.yml index deaf0371..c3df8e2b 100644 --- a/inventory/host_vars/ch-router.yml +++ b/inventory/host_vars/ch-router.yml 
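Review bot: `autostart: True` in the interfaces entry uses a capitalised Python-style boolean; the rest of this file and the yamllint `truthy` rule use the lowercase form, so write `autostart: true`. The host inherits `network_zones.svc.dns` for its nameservers, which after this commit is the public resolver, and the SSH port 2342 that hosts.ini and the router's DNAT rule hard-code does not appear here; if the sshd role reads its listen port from a variable, defining it in this host_vars file would keep the inventory, the firewall rule and the daemon config in one place.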
@@ -65,19 +65,34 @@ openwrt_mixin: SSH_PORT=$(uci get dropbear.@dropbear[0].Port) + + ## Local Traffic + # iptables -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT iptables -A INPUT -i "$MGMT_IF" -d "$MGMT_IPADDR" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT + + ## WAN Traffic + # iptables -A INPUT -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p icmp -j ACCEPT iptables -A INPUT -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport "$SSH_PORT" -j ACCEPT iptables -A INPUT -i "$MAGENTA_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -A INPUT -i "$SVC_IF" -p icmp -d "$SVC_IPADDR" -s "$SVC_IPADDR/$SVC_NETMASK" -j ACCEPT + iptables -t nat -A PREROUTING -i "$MAGENTA_IF" -d "$MAGENTA_IPADDR" -p tcp --dport 2342 -j DNAT --to "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-jump']) | ipaddr('address') }}" + iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -d "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-jump']) | ipaddr('address') }}" -p tcp --dport 2342 -j ACCEPT + + + ## LAN Traffic + # + iptables -A INPUT -i "$SVC_IF" -p icmp -d "$SVC_IPADDR" -s 192.168.0.0/16 -j ACCEPT iptables -A INPUT -i "$SVC_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -A FORWARD -i "$SVC_IF" -o "$MAGENTA_IF" -s "$SVC_IPADDR/$SVC_NETMASK" -j ACCEPT + iptables -A FORWARD -i "$SVC_IF" -o "$MAGENTA_IF" -s 192.168.0.0/16 -j ACCEPT iptables -A FORWARD -i "$MAGENTA_IF" -o "$SVC_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -t nat -A POSTROUTING -o "$MAGENTA_IF" -s "$SVC_IPADDR/$SVC_NETMASK" -j SNAT --to "$MAGENTA_IPADDR" + iptables -t nat -A POSTROUTING -o "$MAGENTA_IF" -s 192.168.0.0/16 -j SNAT --to "$MAGENTA_IPADDR" + + ## Drop all other inbound traffic + # iptables -P INPUT DROP iptables -P FORWARD DROP } diff --git a/inventory/hosts.ini b/inventory/hosts.ini index 19d76295..77a3efff 100644 --- a/inventory/hosts.ini +++ b/inventory/hosts.ini 
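Review bot: The ch-jump address expression `{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-jump']) | ipaddr('address') }}` is repeated verbatim in the new DNAT and FORWARD rules, while the script already keeps addresses in shell variables (`$MAGENTA_IPADDR`, `$SSH_PORT`); set `JUMP_IPADDR="{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-jump']) | ipaddr('address') }}"` once next to `SSH_PORT=...` and use `-j DNAT --to "$JUMP_IPADDR"` and `-d "$JUMP_IPADDR"` in the two rules so they cannot drift apart (the literal port 2342 is duplicated the same way). Replacing `"$SVC_IPADDR/$SVC_NETMASK"` with `192.168.0.0/16` on the INPUT icmp, FORWARD and SNAT rules lets any 192.168.x.x source arriving on `$SVC_IF` reach the router and the WAN, a wider allowlist than before; if that is intended for networks routed behind another gateway, a comment in the `## LAN Traffic` block naming the expected prefixes would document it, otherwise listing those prefixes explicitly keeps the previous tightness. The forwarded port is accepted for any new connection from the WAN without a rate limit, so its exposure rests entirely on the sshd hardening of ch-jump, which this commit does not show. The enclosing shell function starts outside the hunk.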
@@ -20,6 +20,8 @@ ch-keyserver host_name=keyserver ch-pan host_name=pan ch-gnocchi host_name=gnocchi ch-router host_name=router +ch-gwlan host_name=gwlan +ch-jump host_name=jump ansible_port=2342 ansible_host=ch-jump [chaos_at_home:children] mz_chaos_at_home @@ -159,6 +161,7 @@ ch-gnocchi emc-stats emc-master ch-keyserver +ch-jump r3-vex2 diff --git a/roles/preseed/templates/preseed_debian-buster.cfg.j2 b/roles/preseed/templates/preseed_debian-buster.cfg.j2 index 7dbeb680..6e9f4e47 100644 --- a/roles/preseed/templates/preseed_debian-buster.cfg.j2 +++ b/roles/preseed/templates/preseed_debian-buster.cfg.j2 @@ -10,7 +10,7 @@ d-i keyboard-configuration/xkb-keymap select us d-i hw-detect/load_firmware boolean false d-i netcfg/choose_interface select {{ install_interface | default(hostvars[hostname].network_cooked.primary.interface) }} -{% if install_dhcp is defined and install_dhcp %} +{% if 'install_dhcp' in hostvars[hostname] and hostvars[hostname].install_dhcp %} d-i netcfg/disable_dhcp boolean false d-i netcfg/disable_autoconfig boolean false {% else %} diff --git a/roles/preseed/templates/preseed_debian-stretch.cfg.j2 b/roles/preseed/templates/preseed_debian-stretch.cfg.j2 index d99a7626..69a6ca5b 100644 --- a/roles/preseed/templates/preseed_debian-stretch.cfg.j2 +++ b/roles/preseed/templates/preseed_debian-stretch.cfg.j2 @@ -10,7 +10,7 @@ d-i keyboard-configuration/xkb-keymap select us d-i hw-detect/load_firmware boolean false d-i netcfg/choose_interface select {{ install_interface | default(hostvars[hostname].network_cooked.primary.interface) }} -{% if install_dhcp is defined and install_dhcp %} +{% if 'install_dhcp' in hostvars[hostname] and hostvars[hostname].install_dhcp %} d-i netcfg/disable_dhcp boolean false d-i netcfg/disable_autoconfig boolean false {% else %} diff --git a/roles/preseed/templates/preseed_ubuntu-bionic.cfg.j2 b/roles/preseed/templates/preseed_ubuntu-bionic.cfg.j2 index 9d0b13ee..f4b0fff1 100644 
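Review bot: `ch-gwlan host_name=gwlan` is added to the inventory although the commit subject is the jumphost and, per the diffstat, no host_vars or playbook for ch-gwlan is added, so no play in this commit can act on it; either drop it here or say in the commit message that it is a placeholder. For ch-jump, `ansible_host=ch-jump` repeats the inventory name and `ansible_port=2342` matches the router's WAN-side DNAT, which implies the control machine reaches the VM through the router from outside; if the playbook is also run from inside the svc zone, the sshd on ch-jump must itself listen on 2342, which nothing visible here configures. A short comment on the line, e.g. `# ch-jump: reached via the router's WAN DNAT on port 2342`, would make the intended path explicit.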
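Review bot: The new condition `'install_dhcp' in hostvars[hostname] and hostvars[hostname].install_dhcp` spells out defined-ness by hand, while the `netcfg/choose_interface` line just above already uses the `default()` filter for the same purpose; `{% if hostvars[hostname].install_dhcp | default(false) %}` says the same thing in the file's existing style. The identical construct is introduced in the preseed_debian-stretch, preseed_ubuntu-bionic and preseed_ubuntu-xenial templates in this commit. Since the template is rendered for `hostname` rather than the current host, this is a real fix (the old `install_dhcp is defined` only saw the rendering host's scope) and deserves a mention in the commit message, which currently only says "added new jumphost".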
--- a/roles/preseed/templates/preseed_ubuntu-bionic.cfg.j2 +++ b/roles/preseed/templates/preseed_ubuntu-bionic.cfg.j2 @@ -14,7 +14,7 @@ d-i keyboard-configuration/layoutcode string us d-i hw-detect/load_firmware boolean false d-i netcfg/choose_interface select {{ install_interface | default(hostvars[hostname].network_cooked.primary.interface) }} -{% if install_dhcp is defined and install_dhcp %} +{% if 'install_dhcp' in hostvars[hostname] and hostvars[hostname].install_dhcp %} d-i netcfg/disable_dhcp boolean false d-i netcfg/disable_autoconfig boolean false {% else %} diff --git a/roles/preseed/templates/preseed_ubuntu-xenial.cfg.j2 b/roles/preseed/templates/preseed_ubuntu-xenial.cfg.j2 index 9e18c2ee..7d053a5d 100644 --- a/roles/preseed/templates/preseed_ubuntu-xenial.cfg.j2 +++ b/roles/preseed/templates/preseed_ubuntu-xenial.cfg.j2 @@ -14,7 +14,7 @@ d-i keyboard-configuration/layoutcode string us d-i hw-detect/load_firmware boolean false d-i netcfg/choose_interface select {{ install_interface | default(hostvars[hostname].network_cooked.primary.interface) }} -{% if install_dhcp is defined and install_dhcp %} +{% if 'install_dhcp' in hostvars[hostname] and hostvars[hostname].install_dhcp %} d-i netcfg/disable_dhcp boolean false d-i netcfg/disable_autoconfig boolean false {% else %} diff --git a/roles/vm/host/tasks/main.yml b/roles/vm/host/tasks/main.yml index 6a966464..f83b7d0b 100644 --- a/roles/vm/host/tasks/main.yml +++ b/roles/vm/host/tasks/main.yml @@ -8,6 +8,7 @@ - python-libvirt - haveged - bridge-utils + - acl state: present - name: configure haveged diff --git a/roles/vm/install/tasks/main.yml b/roles/vm/install/tasks/main.yml index a15e2a47..e7e5cf1a 100644 --- a/roles/vm/install/tasks/main.yml +++ b/roles/vm/install/tasks/main.yml 
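Review bot: `acl` is added to the vm/host package list with no indication of what needs it; the other entries are self-explanatory for a libvirt host, this one is not. An inline comment on the new line, `- acl  # needed by <consumer — fill in>`, would save the next reader from guessing. It is presumably for unprivileged-user file handoff during the installs, but nothing in the commit shows that.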
@@ -43,7 +43,7 @@ wait_for_virt: name: "{{ hostname }}" states: shutdown,crashed - timeout: 900 + timeout: 1800 register: installer_result failed_when: installer_result.failed or installer_result.state == "crashed" -- cgit v1.2.3
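Review bot: `timeout: 1800` doubles the installer wait with no explanation and stays a magic number in the task; `timeout: "{{ vm_install_timeout | default(1800) }}"` would let a slow host raise it per host without editing the role. Failing that, a comment stating why 900 s was no longer enough is worthwhile, since the value interacts with `failed_when` on the line below. The `wait_for_virt:` task begins in the hunk but the surrounding task list is outside it.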