Allow only exposing services over Tailscale

This works using public DNS, so doesn't need Tailscale's magic DNS to override my local.
2024-03-07 22:30:10 +00:00
parent 451a114262
commit f88d224168
10 changed files with 56 additions and 0 deletions
--- a/ansible/group_vars/all/tailscale.yml
+++ b/ansible/group_vars/all/tailscale.yml
@ -2,5 +2,6 @@
 tailscale_up_skip: true

 tailscale_cidr: 100.64.0.0/24  # It's really /10, but I don't use that many IPs
+tailscale_cidr_ipv6: fd7a:115c:a1e0::/120  # It's really /48, but I don't use that many IPs

 tailscale_port: 41641
--- a/ansible/group_vars/all/vps-hosts.yml
+++ b/ansible/group_vars/all/vps-hosts.yml
@ -1,3 +1,5 @@
 "vps_hosts":
  "casey_ip": "213.219.38.11"
+  "private_ipv6_marker": "2a01:7e00:e000:7f7::1"
+  "private_ipv6_range": "2a01:7e00:e000:7f7::1/128"
  "walker_ip": "192.248.168.230"
--- a/ansible/roles/gateway/files/nginx.conf
+++ b/ansible/roles/gateway/files/nginx.conf
@ -21,6 +21,20 @@ map $ssl_preread_server_name $gateway_destination {
 server {
    listen 443;
    listen 8448;
+    listen [::]:443;
+    listen [::]:8448;
    proxy_pass $gateway_destination;
    proxy_protocol on;
 }
+
+server {
+    listen [{{ vps_hosts.private_ipv6_marker }}]:443;
+    listen [{{ vps_hosts.private_ipv6_marker }}]:8448;
+
+    access_log off;
+
+    deny all;
+
+    # This is never used, but need to keep nginx happy
+    proxy_pass 127.0.0.1:80;
+}
--- a/ansible/roles/ingress/files/nginx.conf
+++ b/ansible/roles/ingress/files/nginx.conf
@ -9,6 +9,8 @@ access_log /var/log/nginx/access.log access;
 server {
    listen 443;
    listen 8448;
+    listen [::]:443;
+    listen [::]:8448;
    proxy_pass {{ pve_hosts.docker.ip }}:443;
    proxy_protocol on;
    proxy_socket_keepalive on;
--- a/ansible/roles/pve_docker/files/whoami/docker-compose.yml
+++ b/ansible/roles/pve_docker/files/whoami/docker-compose.yml
@ -7,6 +7,9 @@ services:
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.rule=Host(`whoami.theorangeone.net`) || Host(`whoami-cdn.theorangeone.net`)
+
+      - traefik.http.routers.whoami-private.rule=Host(`whoami-private.theorangeone.net`)
+      - traefik.http.routers.whoami-private.middlewares=tailscale-only@file
    networks:
      - default
      - traefik
--- a/ansible/roles/traefik/files/file-provider-main.yml
+++ b/ansible/roles/traefik/files/file-provider-main.yml
@ -8,3 +8,9 @@ http:
      headers:
        customResponseHeaders:
          Permissions-Policy: interest-cohort=()
+
+    tailscale-only:
+      ipAllowList:
+        sourceRange:
+          - "{{ tailscale_cidr }}"
+          - "{{ tailscale_cidr_ipv6 }}"