sonny/debian-setup
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: sonny:a8b30402e31e0f9af11c9649e9c291d33939e69f
Branches Tags
sonny:main
...
compare: sonny:483e94b8aea11a0590203d285b480d16296bc051
Branches Tags
sonny:main

4 commits
a8b30402e3 ... 483e94b8ae

Author SHA1 Message Date
Sonny Bakker
483e94b8ae Enable localhost caching 2025-04-26 10:03:49 +02:00
Sonny Bakker
cce4b5d327 Disable https ports for now 2025-04-26 09:45:39 +02:00
Sonny Bakker
cf72ca62ff Remove unused rule 2025-04-26 09:45:25 +02:00
Sonny Bakker
15d282cfce Use inventory file 2025-04-26 09:40:48 +02:00
5 changed files with 12 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

1
ansible.cfg
View file

@ -1,5 +1,6 @@
[defaults] [defaults]
ask_vault_pass = True ask_vault_pass = True
inventory = inventory.yml
[privilege_escalation] [privilege_escalation]
become_ask_pass = True become_ask_pass = True

4
inventory.yml Normal file
View file

@ -0,0 +1,4 @@
bookworm:
hosts:
fudiggity:
ansible_connection: local

2
playbook.yml
View file

@ -1,5 +1,5 @@
- name: Provision debian server - name: Provision debian server
hosts: localhost hosts: bookworm
pre_tasks: pre_tasks:
- name: Install shared packages - name: Install shared packages
become: true become: true

8
templates/network/resolved.j2
View file

@ -28,10 +28,10 @@
#DNSOverTLS=no #DNSOverTLS=no
#MulticastDNS=yes #MulticastDNS=yes
#LLMNR=yes #LLMNR=yes
#Cache=yes Cache=yes
#CacheFromLocalhost=no CacheFromLocalhost=yes
#DNSStubListener=yes DNSStubListener=yes
DNSStubListenerExtra={{ vpn_listen_address }} DNSStubListenerExtra={{ vpn_listen_address }}
DNSStubListenerExtra={{ vpn_media_listen_address }} DNSStubListenerExtra={{ vpn_media_listen_address }}
#ReadEtcHosts=yes ReadEtcHosts=yes
#ResolveUnicastSingleLabel=no #ResolveUnicastSingleLabel=no

6
templates/nftables.j2
View file

@ -52,11 +52,9 @@ table ip filter {
chain vpn_chain { chain vpn_chain {
meta l4proto { tcp, udp } th dport 53 ip saddr . ip daddr @vpn_set accept comment "DNS" meta l4proto { tcp, udp } th dport 53 ip saddr . ip daddr @vpn_set accept comment "DNS"
tcp dport { {{ http_port }}, {{ https_port }} } ip saddr . ip daddr @vpn_set accept comment "HTTP/HTTPS" # TODO: remove?
tcp dport 80 ip saddr {{ vpn_subnet }} ip daddr {{ transmission_nginx_ip }} accept comment "Transmission Web" tcp dport 80 ip saddr {{ vpn_subnet }} ip daddr {{ transmission_nginx_ip }} accept comment "Transmission Web"
tcp dport { 80, 443 } ip saddr {{ vpn_subnet }} ip daddr {{ syncthing_nginx_ip }} accept comment "Syncthing Web" tcp dport 80 ip saddr {{ vpn_subnet }} ip daddr {{ syncthing_nginx_ip }} accept comment "Syncthing Web"
tcp dport {{ syncthing_protocol_port }} ip saddr {{ vpn_subnet }} ip daddr {{ syncthing_app_ip }} accept comment "Syncthing protocol" tcp dport {{ syncthing_protocol_port }} ip saddr {{ vpn_subnet }} ip daddr {{ syncthing_app_ip }} accept comment "Syncthing protocol"
tcp dport 80 ip saddr {{ vpn_subnet }} ip daddr {{ radicale_nginx_ip }} accept comment "Radicale" tcp dport 80 ip saddr {{ vpn_subnet }} ip daddr {{ radicale_nginx_ip }} accept comment "Radicale"
@ -75,7 +73,7 @@ table ip filter {
chain media_vpn_chain { chain media_vpn_chain {
meta l4proto { tcp, udp } th dport 53 ip saddr . ip daddr @vpn_media_set accept comment "DNS" meta l4proto { tcp, udp } th dport 53 ip saddr . ip daddr @vpn_media_set accept comment "DNS"
tcp dport { 80, 443 } ip saddr {{ vpn_media_subnet }} ip daddr {{ jellyfin_nginx_ip }} accept comment "Jellyfin" tcp dport 80 ip saddr {{ vpn_media_subnet }} ip daddr {{ jellyfin_nginx_ip }} accept comment "Jellyfin"
} }
# docker's user configurable forward hook chain # docker's user configurable forward hook chain