Post-X-Society/Post-Tyranny-Tech-Infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Post-Tyranny-Tech-Infrastru.../ansible/roles/nat-gateway/tasks/main.yml

67 lines
1.6 KiB
YAML
Raw Normal View History

feat: Add infrastructure roles for multi-tenant architecture Add new Ansible roles and configuration for the edge proxy and private network architecture: ## New Roles: - **edge-traefik**: Edge reverse proxy that routes to private clients - Dynamic routing configuration for multiple clients - SSL termination at the edge - Routes traffic to private IPs (10.0.0.x) - **nat-gateway**: NAT/gateway configuration for edge server - IP forwarding and masquerading - Allows private network clients to access internet - iptables rules for Docker integration - **diun**: Docker Image Update Notifier - Monitors containers for available updates - Email notifications via Mailgun - Per-client configuration - **kuma**: Uptime monitoring integration - Registers HTTP monitors for client services - Automated monitor creation via API - Checks Authentik, Nextcloud, Collabora endpoints ## New Playbooks: - **setup-edge.yml**: Configure edge server with proxy and NAT ## Configuration: - **host_vars**: Per-client Ansible configuration (valk, white) - SSH bastion configuration for private IPs - Client-specific secrets file references This enables the scalable multi-tenant architecture where: - Edge server has public IP and routes traffic - Client servers use private IPs only (cost savings) - All traffic flows through edge proxy with SSL termination 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-20 19:05:51 +01:00
---
# NAT Gateway Configuration
# Enables internet access for private network clients via edge server
- name: Enable IP forwarding
sysctl:
name: net.ipv4.ip_forward
value: '1'
state: present
reload: yes
tags: [nat, gateway]
- name: Install iptables-persistent
apt:
name: iptables-persistent
state: present
update_cache: yes
tags: [nat, gateway]
- name: Configure NAT (masquerading) for private network
iptables:
table: nat
chain: POSTROUTING
out_interface: eth0
source: 10.0.0.0/16
jump: MASQUERADE
comment: NAT for private network clients
notify: Save iptables rules
tags: [nat, gateway]
- name: Allow forwarding from private network (in DOCKER-USER chain)
iptables:
chain: DOCKER-USER
in_interface: enp7s0
out_interface: eth0
source: 10.0.0.0/16
jump: ACCEPT
comment: Allow forwarding from private network
notify: Save iptables rules
tags: [nat, gateway]
- name: Allow established connections back to private network (in DOCKER-USER chain)
iptables:
chain: DOCKER-USER
in_interface: eth0
out_interface: enp7s0
ctstate: ESTABLISHED,RELATED
jump: ACCEPT
comment: Allow established connections to private network
notify: Save iptables rules
tags: [nat, gateway]
- name: Return from DOCKER-USER chain for other traffic
iptables:
chain: DOCKER-USER
jump: RETURN
comment: Let Docker handle other traffic
notify: Save iptables rules
tags: [nat, gateway]
- name: Save iptables rules
shell: |
iptables-save > /etc/iptables/rules.v4
args:
creates: /etc/iptables/rules.v4
tags: [nat, gateway]
Reference in a new issue Copy permalink