aboutsummaryrefslogtreecommitdiff
path: root/roles
diff options
context:
space:
mode:
Diffstat (limited to 'roles')
-rwxr-xr-xroles/git/files/runner-zola/webhook.sh21
-rw-r--r--roles/git/tasks/main.yml14
-rw-r--r--roles/webserver/tasks/main.yml20
3 files changed, 29 insertions, 26 deletions
diff --git a/roles/git/files/runner-zola/webhook.sh b/roles/git/files/runner-zola/webhook.sh
index 1c10685..b874233 100755
--- a/roles/git/files/runner-zola/webhook.sh
+++ b/roles/git/files/runner-zola/webhook.sh
@@ -18,9 +18,24 @@ while true; do
REF=${REF:-main}
if [ ! -d blog ]; then
- # Use non-redirected port as redirection is handled via PREROUTING
- # iptables rules and if this hook runs on the same machine the request
- # packages will not go through the routing chain.
+ # Use non-redirected port to clone repository as the runner executes on
+ # the same machine as the webserver.
+ #
+ # We use a NAT:PREROUTING chain to implement the redirection (dnat).
+ # However as described by the netfilter packet flow and the connection
+ # tracking system (CONNTRACK), the NAT hooks are only traversed for NEW
+ # connections.
+ # For packages originating from the local machine, the connection will
+ # be seen as NEW by the CONNTRACK system on the OUTPUT path and hence
+ # the NAT:OUTPUT hooks will be traversed.
+ # Once the package is looped-back and arrives at the PREROUTING path,
+ # the NAT:PREROUTING rules wont be traversed as the package is already
+ # known to the CONNTRACK system (not NEW).
+ #
+ # We could additionally implement dnat for lo interface on the OUTPUT
+ # path as described here, but we dont do it and just use the actual
+ # port here :^)
+ # https://unix.stackexchange.com/questions/618229/nftables-destination-nat-block-local-access-to-port
git clone https://git.memzero.de:8443/blog
fi
git -C blog submodule init
diff --git a/roles/git/tasks/main.yml b/roles/git/tasks/main.yml
index 131b971..2c69953 100644
--- a/roles/git/tasks/main.yml
+++ b/roles/git/tasks/main.yml
@@ -23,7 +23,7 @@
image: gitolite-cgit
network: "{{ NETWORK }}"
ports:
- - "2222:22"
+ - "8022:22"
env:
SSH_KEY: "{{ lookup('file', lookup('env', 'HOME') + '/.ssh/memzero.pub') }}"
volumes:
@@ -33,13 +33,11 @@
notify: Restart nginx
- name: Open port for gitolite ssh port
- ansible.builtin.iptables:
- chain: INPUT
- protocol: tcp
- match: tcp
- destination_port: 2222
- jump: ACCEPT
- comment: Accept gitolite SSH connections.
+ ansible.posix.firewalld:
+ port: 8022/tcp
+ permanent: yes
+ immediate: yes
+ state: enabled
become: true
- name: Build zola runner image
diff --git a/roles/webserver/tasks/main.yml b/roles/webserver/tasks/main.yml
index e2624c4..7838896 100644
--- a/roles/webserver/tasks/main.yml
+++ b/roles/webserver/tasks/main.yml
@@ -29,22 +29,12 @@
# Use 'z' to shared-ly relable selinux contexts.
- "{{ DATA_ROOT }}/nginx/www:/www:ro,z"
-# All services run in rootless-podman and nginx is the only entry point from
-# the outside acting as webserver and reverse proxy.
-# Since we dont want to lower the *unprivileged* port start (1024) we install
-# two forwarding routes from
-# 80 -> 8080
-# 443 -> 8443
- name: Forward port 80/443 to 8080/8443
- ansible.builtin.iptables:
- table: nat
- chain: PREROUTING
- protocol: tcp
- match: tcp
- destination_port: "{{ item.from }}"
- jump: REDIRECT
- to_ports: "{{ item.to }}"
- comment: "Redirect web traffic {{ item.from }} -> {{ item.to }}"
+ ansible.posix.firewalld:
+ rich_rule: "rule family=ipv4 forward-port port={{ item.from }} protocol=tcp to-port={{ item.to }}"
+ permanent: yes
+ immediate: yes
+ state: enabled
become: true
loop:
- { from: 80 , to: 8080 }