summaryrefslogtreecommitdiff
path: root/inventory/host_vars/ch-jump.yml
blob: 8873864b12bdc183626ab9412594cf47b2af1204 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
---
install_jumphost: ch-gw-lan

install:
  vm:
    memory: 1G
    numcpus: 2
    autostart: True
  disks:
    primary: /dev/sda
    scsi:
      sda:
        type: zfs
        name: root
        size: 10g
  interfaces:
  - bridge: br-svc
    name: svc0
  - bridge: br-mgmt
    name: mgmt0

network:
  nameservers: "{{ network_zones.svc.dns }}"
  domain: "{{ host_domain }}"
  systemd_link:
    interfaces: "{{ install.interfaces }}"
  primary: &_network_primary_
    name: svc0
    address: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) }}"
    gateway: "{{ network_zones.svc.gateway }}"
    static_routes:
    - destination: "{{ network_zones.lan.prefix }}"
      gateway: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets['ch-gw-lan']) | ansible.utils.ipaddr('address') }}"
    - destination: "{{ network_zones.c3voc.prefix }}"
      gateway: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets['ch-gw-c3voc']) | ansible.utils.ipaddr('address') }}"
  interfaces:
  - *_network_primary_
  - name: mgmt0
    address: "{{ network_zones.mgmt.prefix | ansible.utils.ipaddr(network_zones.mgmt.offsets[inventory_hostname]) }}"


sshd_jump_users:
  equinox:
    authorized_keys: "{{ users.equinox.ssh }}"
  c3voc:
    authorized_keys: "{{ users.kunsi.ssh + users.evilscientress.ssh }}"
#  spel:
#    authorized_keys: "{{ users.spel.ssh }}"
#  fim:
#    authorized_keys:
#    - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCzW8lF2i036gsT2BHaOzpHLZUZkit5FsoYHWaiuc9xmruuhzHDzADV17RBMckaIkXRmPnC4I3AZdfFO+RO/7bBdDMAOTw9eyKAcqVWEaR3JDc8C+TFSj8HKRi52jrRXsGD1epJFmhwOFV4VdMXKGlnLrEpTBKn+ZPf6x6bm5pDSfVR3U9nTuXNT/vs+FkrJPvkUZ3iA1cAnK8cRd7Dkasrob9YiskwhWDLSS0bmvTUZatQUqrfUmVcXQqyCkqvHhbOVdYx+gWsjpKHuykSyQEqLTBRzb9UmvzCRjN7sq+QoMRv/CoT1cQjAsgHk4D2tadXuNvRqTgLqrifwK4F3XnCfR+29twm4wSKY+6NKjHjECvJ63JcBFu3jHLXN3ph4va9Tfegkt07W7pdnfrqYxp7veCTyufuByMmReo8s1dwNb2nuBS0HN7Unv2x42ClAzox60QJFgf4sOFCVvJPzhr4mO3ZXahuR75VPYHmsp3TGJZ8RekNyZspD9KWw3FuRiNsYHP/QEFI0gg7X0w7rRQ2CaALA6NGmko0nyTo8CiRkMWVY8rhwJiQ1Eb+mQRW0Y35yqegw3oG/OHEEYIoKD8/Or4KqmrBzGRmFogDjEGmB91iO8XxwfrR+RD3kY34xSr7FXVIYFMK1b3Y4GJ80z6CzU7C2M80wxRww8hqRO1AIw== fim@digl012


nftables_base_rules:
  public-services: |
    table inet filter {
      chain sshd-jump {
        type filter hook output priority filter;
        ct state vmap { established: accept, related: accept, invalid: drop }
        skuid c3voc ip daddr != { {{ network_zones.c3voc.prefix }} } reject with icmp type admin-prohibited
        # skuid c3voc ip6 daddr != {  } reject with icmpv6 type admin-prohibited
      }
    }