Remove Nebula

I'm basically all in on Tailscale now
Jake Howard
2024-07-14 21:40:52 +01:00
committed by Jake Howard
parent ceaf419c04
commit 01c236e4e9
30 changed files with 12 additions and 321 deletions


@ -17,9 +17,6 @@ table inet filter {
tcp dport {http, https, {{ ssh_port }}, 8443, 8448} accept
# Allow nebula
udp dport {{ nebula_listen_port }} accept;
# Allow Tailscale
udp dport {{ tailscale_port }} accept;
}
@ -29,7 +26,6 @@ table inet filter {
policy accept
# NAT - because the proxmox machines may not have routes back
ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} counter masquerade
ip saddr {{ tailscale_cidr }} counter masquerade
}
@ -37,12 +33,8 @@ table inet filter {
type filter hook forward priority mangle
policy drop
# Allow traffic from nebula to proxmox network
ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} accept
ip saddr {{ pve_hosts.internal_cidr }} ip daddr {{ nebula.cidr }} ct state related,established accept
# Allow monitoring of nebula network
ip saddr {{ pve_hosts.forrest.ip }}/32 ip daddr {{ nebula.cidr }} accept
# Allow monitoring of Tailscale network
ip saddr {{ pve_hosts.forrest.ip }}/32 ip daddr {{ tailscale_cidr }} accept
# Allow Tailscale exit node
ip saddr {{ tailscale_cidr }} ip daddr 192.168.0.0/16 drop
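Review bot: In the NAT chain (second hunk), assuming the Nebula line is the removed one (the +/- markers are lost on this page), the comment `# NAT - because the proxmox machines may not have routes back` now heads only `ip saddr {{ tailscale_cidr }} counter masquerade`. That rule has no `ip daddr` match, so it masquerades every packet sourced from a Tailscale address, whereas the removed rule was limited to `{{ pve_hosts.internal_cidr }}`. If the breadth is deliberate for the exit-node path, say so in the comment, for example `# NAT - Tailscale clients: proxmox hosts have no route back; exit-node traffic also leaves with this host's address`; otherwise add `ip daddr {{ pve_hosts.internal_cidr }}` to the rule. Masquerading also hides the originating Tailscale peer from downstream hosts' logs, which belongs in the same comment. The forward chain continues past the visible lines, so whether Tailscale-to-proxmox forwarding is still accepted under `policy drop` cannot be confirmed from this view.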