Ansible
Firewall Groups
Creating large firewall groups has been a problem for a long time; adding more entries to a list is both troublesome and computationally heavy. Pulling the list generation out of the configuration step not only increases performance, but also adds the ability to use dynamic lists.
Ansible: VyOS v2
Over a year ago I mentioned the Ansible collection I used for VyOS. I had some issues with it regarding diffs and performance, so I had to resort to an odd workaround which was ugly (clear the config path and recreate it from scratch, which was very slow on big configs), but quite easy to use directly with VyOS. I later made some custom templates for it to reduce boilerplate and coupling. I then found out that the collection, while being maintained (but never updated on Ansible Galaxy), only supports VyOS 1.1, which is odd as the stable release is 1.3 and the newest has been 1.5 for a couple of months. I also learned that VyOS has a built-in API. Therefore I went on to integrate the API with Ansible, creating a role with some local actions.
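The two posts above describe driving VyOS through its HTTP API and building large firewall groups from a dynamic list. The following is an added example (not the role from the post) of how that combination looks in Python: read the current members of an address-group with /retrieve, then send one batched /configure request that adds new entries before removing stale ones. The host, key, group name and the exact shape of the showConfig response are assumptions.

```python
import json
import urllib.parse
import urllib.request

# Assumed: a VyOS 1.3+ host with the HTTP API enabled and an API key.
VYOS_URL = "https://vyos.example.internal"   # placeholder host
API_KEY = "REPLACE_WITH_API_KEY"             # placeholder key
GROUP_PATH = ["firewall", "group", "address-group", "blocklist"]


def api_request(endpoint, payload):
    """POST one JSON op (or a list of ops, applied in one commit) to the API."""
    body = urllib.parse.urlencode({"data": json.dumps(payload), "key": API_KEY}).encode()
    req = urllib.request.Request(f"{VYOS_URL}/{endpoint}", data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def current_members(show_config_data):
    """Extract the group's addresses from a /retrieve showConfig result.
    Assumption: a single value comes back as a string, several as a list."""
    addrs = (show_config_data or {}).get("address", [])
    return set([addrs] if isinstance(addrs, str) else addrs)


def plan_ops(current, desired):
    """Batch for /configure: set the missing entries first, delete the stale
    ones last, so the group never shrinks before the new entries are in."""
    ops = [{"op": "set", "path": GROUP_PATH + ["address", a]}
           for a in sorted(desired - current)]
    ops += [{"op": "delete", "path": GROUP_PATH + ["address", a]}
            for a in sorted(current - desired)]
    return ops


def sync_group(desired):
    """Read the live group and apply only the difference in one request."""
    resp = api_request("retrieve", {"op": "showConfig", "path": GROUP_PATH})
    ops = plan_ops(current_members(resp.get("data")), set(desired))
    return api_request("configure", ops) if ops else {"success": True, "data": None}


if __name__ == "__main__":
    # Constructed sample of a /retrieve response for an existing group.
    sample = {"success": True, "data": {"address": ["10.0.0.5", "10.0.0.9"]}, "error": None}
    plan = plan_ops(current_members(sample["data"]), {"10.0.0.5", "10.0.0.7"})
    print(json.dumps(plan, indent=2))
```

Only the changed entries travel over the API, which is what makes a large group cheap to keep in sync compared with clearing and rebuilding it.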
Ansible: Release
I forgot to post the above, so a double post! 😄 I released parts of my working Ansible infrastructure; hopefully it can be used, and maybe some people will want to point out anything that might be problematic: https://github.com/McTwist/ansible-homelab/
This solidifies my integration and allows me to version-track my infrastructure. However, I still cannot store my configs, because releasing them would mean publicizing my whole network infrastructure, which would be pretty bad. Even if they do not contain anything that would be problematic, they are still not something that should be released at all. I will eventually come up with a solution, probably storing them in my local git in a local branch that is not pushed, or something similar.
Ansible: PHP
As previously mentioned, I created a couple of roles and a playbook to bundle them together. For the last 2 weeks I have been fixing bugs, but it is currently in a state stable enough to be released. While I do think that the coupling between the roles might be too tight, I need to split two roles into more sub-roles for it to work properly.
One of the roles, php-fpm, handles the PHP part of the server. It basically takes in a list of PHP objects containing version, modules and pool variables. With some dictionary juggling and set theory, it generates two lists from the gathered modules: modules to be added and modules to be removed. With these lists it is just a matter of processing them in the right order: add new modules, then remove old ones. All this is done for pools too.
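The add/remove split described above, written as an Ansible filter plugin (an added example, not the php-fpm role from the repository). The input shapes, the php<version>-<module> package naming and the gathered-facts format are assumptions; pools follow the same pattern and are left out.

```python
# Drop this file under filter_plugins/ next to the playbook; Ansible picks the
# filters up through the FilterModule class at the bottom.
#
# Assumed input shapes:
#   desired   = [{"version": "8.2", "modules": ["curl", "gd"], "pools": {...}}]
#   installed = {"8.2": ["curl", "xml"], "7.4": ["curl"]}   # from a gathered fact


def php_module_plan(desired, installed):
    """Return {"add": [...], "remove": [...]} as package names, with the
    additions meant to be applied before the removals. A version that is
    installed but no longer listed in `desired` has all its modules removed."""
    wanted = {}
    for php in desired:
        ver = str(php["version"])
        wanted.setdefault(ver, set()).update(php.get("modules", []))
    present = {str(v): set(mods) for v, mods in installed.items()}

    add, remove = [], []
    for ver in sorted(set(wanted) | set(present)):
        have, want = present.get(ver, set()), wanted.get(ver, set())
        add += [f"php{ver}-{m}" for m in sorted(want - have)]
        remove += [f"php{ver}-{m}" for m in sorted(have - want)]
    return {"add": add, "remove": remove}


class FilterModule:
    """Ansible discovers custom filters through this class."""

    def filters(self):
        return {"php_module_plan": php_module_plan}
```

In a task this becomes `loop: "{{ php_list | php_module_plan(php_installed) | json_query('add') }}"` for the install step and the same with `remove` for the purge step afterwards.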
Reverse Proxy
A reverse proxy is a service that clients connect to, and it forwards each connection to the respective backend service, usually internal. This is mostly used for HTTP requests, where the reverse proxy handles the default ports, the certificates and the hosts it keeps track of. All requests are then forwarded to an internal web server, or any other server that speaks HTTP. It removes direct access to the services and makes it possible for one IP to front several of them. There are many programs for this, some of which are full-blown web servers.
The dreaded rename, DNS and validation
I finally took an hour of my time and went through all active, and some inactive, services that I run, giving them relatively random names. This way I can separate servers from services. Each server had 5-6 places to change for the name to take effect. I then spent way too long figuring out how to modify the DNS through Ansible to link the service names to each server. The first issue was that I did not find a way to write this without having issues with duplicate CNAMEs. I have previously written an action plugin that fails if it finds duplicate entries, but the DNS entry is far too complex for it to be possible to verify that, especially when there can be duplicates for A records, but not for CNAME records.
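A validator for exactly the rule mentioned above (several A records per name are fine, several CNAMEs are not), as an added example that is not the author's action plugin. The flat record format is an assumption; it also applies the RFC 1034 rule that a name carrying a CNAME may carry no other record type, and flags an A record that is repeated with the identical value.

```python
from collections import defaultdict


def _key(rec):
    # Normalise so "web1.lan." and "Web1.lan" count as the same owner name.
    return (rec["name"].rstrip(".").lower(), rec["type"].upper())


def validate_dns_records(records):
    """Return human-readable problems; an empty list means the set is valid.
    Assumed input: [{"name": ..., "type": "A"|"CNAME"|..., "value": ...}, ...]"""
    by_key = defaultdict(list)
    for rec in records:
        by_key[_key(rec)].append(rec["value"])

    problems = []
    names_with_cname = {name for (name, rtype) in by_key if rtype == "CNAME"}
    for (name, rtype), values in sorted(by_key.items()):
        if rtype == "CNAME" and len(values) > 1:
            problems.append(f"{name}: {len(values)} CNAME records, only one allowed")
        if rtype != "CNAME" and name in names_with_cname:
            problems.append(f"{name}: {rtype} record cannot coexist with a CNAME")
        if rtype == "A" and len(values) != len(set(values)):
            problems.append(f"{name}: identical A record repeated")
    return problems


if __name__ == "__main__":
    # Constructed sample: two A records for one host (fine), a double CNAME
    # (bad) and a CNAME sharing its name with an A record (bad).
    sample = [
        {"name": "web1.lan.", "type": "A", "value": "10.0.1.10"},
        {"name": "web1.lan", "type": "A", "value": "10.0.1.11"},
        {"name": "wiki.lan", "type": "CNAME", "value": "web1.lan."},
        {"name": "wiki.lan", "type": "CNAME", "value": "web2.lan."},
        {"name": "git.lan", "type": "CNAME", "value": "web1.lan."},
        {"name": "git.lan", "type": "A", "value": "10.0.1.12"},
    ]
    for problem in validate_dns_records(sample):
        print(problem)
```

Running the check in a local action before the records are pushed means a duplicate CNAME fails the play instead of producing a zone the resolver rejects.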
Ansibled PiHole
A couple of days ago I updated my PiHoles. Suddenly one of them stopped working. I spent some time trying to fix it, but to no avail; it just refused to start. I therefore installed a third one within 20 minutes and set it up, realizing that I could maybe automate this task. I then spent about 4 hours in total making this bootstrap and automation for adlists and whatnot. I later created a fourth PiHole and applied the playbook to it. The problem? PiHole uses SQLite for the adlists that gravity is built from, but there is no clear way to add lists through the CLI, at least not a documented one. Adding individual domains and regexes is possible, for both whitelist and blacklist, but adding a list containing lots of domains is not.
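Since the CLI has no adlist command, the table itself is the interface. The following is an added example (not the author's playbook) that manages the adlist table of gravity.db idempotently: missing lists are inserted, previously disabled ones re-enabled, and lists this script added but no longer wants are disabled rather than deleted. The reduced CREATE TABLE only exists so the code can run against an in-memory database; on a real host it is a no-op and `pihole -g` must still be run afterwards to rebuild gravity.

```python
import sqlite3
import time

# Subset of Pi-hole's adlist table in /etc/pihole/gravity.db (assumption: the
# columns used here). CREATE IF NOT EXISTS leaves the real table untouched.
ADLIST_SCHEMA = """
CREATE TABLE IF NOT EXISTS adlist (
    id INTEGER PRIMARY KEY,
    address TEXT UNIQUE NOT NULL,
    enabled BOOLEAN NOT NULL DEFAULT 1,
    date_added INTEGER NOT NULL DEFAULT (cast(strftime('%s', 'now') as int)),
    date_modified INTEGER NOT NULL DEFAULT (cast(strftime('%s', 'now') as int)),
    comment TEXT
)
"""


def open_gravity(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute(ADLIST_SCHEMA)
    return conn


def ensure_adlists(conn, urls, comment="managed by ansible"):
    """Make `urls` the enabled managed adlists. Only rows carrying `comment`
    are ever disabled, so lists added by hand in the web UI are left alone.
    Returns (inserted, re_enabled, disabled) so a task can report changed."""
    now = int(time.time())
    cur = conn.cursor()
    inserted = re_enabled = 0
    for url in urls:
        row = cur.execute("SELECT id, enabled FROM adlist WHERE address = ?", (url,)).fetchone()
        if row is None:
            cur.execute("INSERT INTO adlist (address, enabled, comment) VALUES (?, 1, ?)",
                        (url, comment))
            inserted += 1
        elif not row[1]:
            cur.execute("UPDATE adlist SET enabled = 1, date_modified = ? WHERE id = ?",
                        (now, row[0]))
            re_enabled += 1
    # Placeholder list is built from the count only; the URLs stay bound parameters.
    placeholders = ",".join("?" * len(urls)) or "''"
    cur.execute("UPDATE adlist SET enabled = 0, date_modified = ? "
                f"WHERE comment = ? AND enabled = 1 AND address NOT IN ({placeholders})",
                (now, comment, *urls))
    disabled = cur.rowcount
    conn.commit()
    return inserted, re_enabled, disabled
```

An Ansible task can call this with a script module, treat a non-zero count as changed, and notify a handler that runs `pihole -g`.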
Ansible: Automatic state
Before I set up VyOS, I had the urge to learn Ansible, as it should work perfectly with anything CLI-driven. However, this is the reason why it took almost a month to set up my network. I had to learn Ansible, figure out its quirks, find out that the VyOS collection was poorly written, and realize that I did not understand Ansible until I had tinkered with it for a long while.
But don’t get me wrong, Ansible is good. My first playbook made it possible to update all my services, no matter what package manager they have (apt/apk/pacman/dnf/zypper) or where they are located (VM/CT/bare metal). By then I had only manually set up my main account with a key used for SSH. I later extended this into a bootstrap playbook that, on some services, creates a new ansible user that only has a key for access and can only be reached from the ansible container. Neat.