From 05f043d3f0a46ce0d2cd51efd6f97e9da75074b8 Mon Sep 17 00:00:00 2001
From: Marco Milano <64802282+marmila@users.noreply.github.com>
Date: Wed, 28 Feb 2024 09:50:13 +0100
Subject: [PATCH] restore vault and haproxy to gateway node
---
 ansible/host_vars/gateway.yml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/ansible/host_vars/gateway.yml b/ansible/host_vars/gateway.yml
index 6eaf3440..d45c2e09 100644
--- a/ansible/host_vars/gateway.yml
+++ b/ansible/host_vars/gateway.yml
@@ -28,8 +28,7 @@ dnsmasq_additional_dns_hosts:
   s3_server:
     desc: "S3 Server"
     hostname: s3
-    # ip: 89.168.19.79
-    ip: 10.0.0.100
+    ip: 10.0.0.11
   elasticsearch:
     desc: "Elasticsearch server"
     hostname: elasticsearch
@@ -53,7 +52,7 @@ dnsmasq_additional_dns_hosts:
   vault_server:
     desc: "Vault server"
     hostname: vault
-    ip: 10.0.0.11
+    ip: 10.0.0.1
 dnsmasq_enable_tftp: true
 dnsmasq_tftp_root: /srv/tftp
 dnsmasq_additional_conf: |-
@@ -70,6 +69,7 @@ dnsmasq_additional_conf: |-
   dhcp-boot=tag:efi-x86_64,bootx64.efi
   # Ignore queries for domain "marmila.com"
   server=/marmila.com/
+
 ####################
 # ntp role variables
 ####################
@@ -80,8 +80,10 @@ ntp_allow_hosts: [10.0.0.0/24]
 #########################
 # tcp 9100 Prometheus (fluent-bit)
+# tcp 8200, 8201 Vault server
 # udp 69, TFTP server
-in_tcp_port: '{ ssh, https, http, iscsi-target, 9100 }'
+# TCP 6443 load balancer K3S API
+in_tcp_port: '{ ssh, https, http, iscsi-target, 9100, 8200, 8201, 6443 }'
 in_udp_port: '{ snmp, domain, ntp, bootps, 69 }'
 # tcp 9091 minio server
 forward_tcp_port: '{ http, https, ssh, 9091 }'
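Review bot: The three ports appended to `in_tcp_port` (8200, 8201, 6443) will make the gateway's own Vault API, Vault cluster port and the haproxy K3s API endpoint reachable on whatever interface the role's generated input rule matches; this diff does not show whether that rule is restricted to `$lan_interface`, so confirm it is, or these listeners become WAN-exposed alongside ssh/http/https. 8201 is Vault's inter-node cluster port and is only needed if other Vault nodes exist — hedged, since the Vault topology is not visible here. Two style points on the same hunk: the new comments split the tcp list around the udp line and switch to upper-case `TCP`; I would group them as `# tcp 8200 Vault API, 8201 Vault cluster (LAN only)` and `# tcp 6443 haproxy -> K3S API` directly under the Prometheus comment, keeping lower-case `tcp` like the rest of the block.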
@@ -141,10 +143,8 @@ nft_forward_host_rules:
     - iifname $wan_interface oifname $lan_interface ip daddr $lan_network tcp dport ssh ct state new accept
   230 http from wan:
     - iifname $wan_interface oifname $lan_interface ip daddr $lan_network tcp dport {http, https} ct state new accept
-  240 haproxy from wan:
-    - iifname $wan_interface oifname $lan_interface ip daddr 10.0.0.11 tcp dport 6443 ct state new accept
   250 port-forwarding from wan:
-    - iifname $wan_interface oifname $lan_interface ip daddr 10.0.0.12 tcp dport 8080 ct state new accept
+    - iifname $wan_interface oifname $lan_interface ip daddr 10.0.0.11 tcp dport 8080 ct state new accept
 # NAT Post-routing
 nft_nat_host_postrouting_rules:
   005 masquerade lan to wan:
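Review bot: The rewritten 250 rule accepts WAN traffic to 10.0.0.11:8080 in the forward chain, but a forward accept alone does not redirect anything — it needs a matching DNAT in the prerouting rules, and this commit touches no prerouting rule (the diffstat shows all 7/7 changes, none of them there). If a prerouting rule for 8080 still DNATs to 10.0.0.12 (not visible in this hunk), the two now disagree and those connections will either be dropped or land on the old host; change them together. 10.0.0.11 is also where this patch moves the `s3` DNS record, so the rule key should say what actually listens on 8080 there, e.g. `250 port-forwarding from wan:  # <service> on s3 host, tcp 8080`, and if that service is not meant to be public the rule should carry an `ip saddr` restriction rather than accepting any WAN source. The enclosing `nft_forward_host_rules` mapping starts before this hunk.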