Ansible
Creating large firewall groups has been a problem for a long time: adding more entries to a list is both troublesome and computationally heavy. Pulling the list out of the firewall configuration itself not only improves performance, but also makes dynamic lists possible.
I mentioned over a year ago the Ansible collection I used for VyOS. I had some issues with it regarding diffs and performance, so I had to resort to an odd workaround which was ugly (clear the config path and recreate it from scratch, which was very slow on big configs), but quite easy to use directly with VyOS. I later made some custom templates for it to reduce boilerplate and coupling.
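As an added example (not code from the linked repository or the VyOS collection), here is one way to keep a firewall group as an Ansible list and push it to VyOS in a single `vyos_config` call instead of one command per entry. The group name, host group and sample addresses are made up; it assumes the `vyos.vyos` collection and a `network_cli` connection.

```yaml
# Added example: build a VyOS address-group from an Ansible list variable.
# The list lives in inventory/group_vars (or comes from a lookup), which is
# what makes it "dynamic"; VyOS only ever sees the resulting set commands.
- name: Push a firewall address-group to VyOS from a list variable
  hosts: vyos_routers                  # hypothetical inventory group
  gather_facts: false
  connection: ansible.netcommon.network_cli
  vars:
    ansible_network_os: vyos.vyos.vyos
    group_name: BLOCKED_HOSTS          # hypothetical group name
    # Constructed sample list; address-groups take single addresses or
    # ranges, so prefixes belong in a network-group instead.
    blocked_hosts:
      - 203.0.113.10
      - 203.0.113.11
      - 198.51.100.40-198.51.100.60
  tasks:
    - name: Refuse to push anything that is not an IPv4 address or range
      ansible.builtin.assert:
        that:
          - item is match('^[0-9]{1,3}([.][0-9]{1,3}){3}(-[0-9]{1,3}([.][0-9]{1,3}){3})?$')
        fail_msg: "Not an IPv4 address or range: {{ item }}"
      loop: "{{ blocked_hosts }}"

    # One task with all lines means one diff and one commit on the router,
    # instead of a commit per entry when looping over vyos_config.
    - name: Push the whole group as idempotent set commands
      vyos.vyos.vyos_config:
        lines: >-
          {{ blocked_hosts
             | map('regex_replace', '^(.*)$',
                   'set firewall group address-group ' ~ group_name ~ ' address \\1')
             | list }}
        save: true
```

Entries removed from the list are not deleted by this play; `vyos_config` only adds what is missing. Deleting the group path first, as the author describes, is the blunt way around that, and a diff-based approach (compare the running group to the list and emit `delete` lines for the extras) is the expensive-to-write but fast-to-run one.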
I forgot to post the above, so a double post! 😄 I released parts of my working Ansible infrastructure; hopefully it can be used, and maybe some people want to point out anything that might be problematic: https://github.com/McTwist/ansible-homelab/
This solidifies my integration and lets me version-track my infrastructure. However, I still cannot store my configs there, because releasing them would mean publicizing my whole network infrastructure, which would be pretty bad.
As previously mentioned, I created a couple of roles and a playbook to bundle them together. For the last 2 weeks I have been fixing bugs, and it is now in a state stable enough to be released. I do think the coupling between the roles is too tight: I need to split two roles into more sub-roles for it to work properly.
One of the roles, php-fpm, handles the PHP part of the server.
A reverse proxy is a service that clients connect to, and it forwards each connection to the respective service, usually an internal one. It is mostly used for HTTP, where the reverse proxy handles the default ports, the certificates and the hostnames it needs to keep track of. All requests are then forwarded to an internal web server, or any other server that speaks HTTP. This removes direct access to the services and makes it possible for one IP to front several services.
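The setup described above, as an added example that is not taken from the author's roles: one nginx instance on a single public IP fronting several internal services by hostname. The hostnames, backend addresses, certificate directory and inventory group are placeholders, and the catch-all block relies on `ssl_reject_handshake`, which needs nginx 1.19.4 or later.

```yaml
# Added example: nginx as a reverse proxy, rendered from a hostname -> backend
# map so adding a service is one more line in the vars, not a new config file.
- name: Configure nginx as a reverse proxy for several internal services
  hosts: proxy                        # hypothetical inventory group
  become: true
  vars:
    # Constructed sample: public hostname -> internal backend
    proxied_services:
      wiki.example.net: http://10.0.10.21:8080
      git.example.net:  http://10.0.10.22:3000
    cert_dir: /etc/letsencrypt/live   # hypothetical certificate path
  tasks:
    - name: Redirect all plain HTTP to HTTPS so nothing is served unencrypted
      ansible.builtin.copy:
        dest: /etc/nginx/conf.d/00-redirect.conf
        mode: "0644"
        content: |
          server {
              listen 80 default_server;
              return 301 https://$host$request_uri;
          }
      notify: Reload nginx

    - name: Render one TLS server block per public hostname
      ansible.builtin.copy:
        dest: /etc/nginx/conf.d/proxy.conf
        mode: "0644"
        content: |
          {% for host, backend in proxied_services.items() %}
          server {
              listen 443 ssl;
              server_name {{ host }};
              ssl_certificate     {{ cert_dir }}/{{ host }}/fullchain.pem;
              ssl_certificate_key {{ cert_dir }}/{{ host }}/privkey.pem;

              location / {
                  proxy_pass {{ backend }};
                  # Hand the original host and client address to the backend,
                  # otherwise its logs and redirects only ever see the proxy.
                  proxy_set_header Host              $host;
                  proxy_set_header X-Real-IP         $remote_addr;
                  proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
                  proxy_set_header X-Forwarded-Proto https;
              }
          }
          {% endfor %}
          # Unknown hostnames (or bare-IP requests) must not fall through to
          # the first server block above; drop the handshake instead.
          server {
              listen 443 ssl default_server;
              server_name _;
              ssl_reject_handshake on;
          }
      notify: Reload nginx

    # Runs before the handler, so a broken render fails the play and the
    # running nginx is never reloaded into a bad config.
    - name: Check the full nginx config before reloading
      ansible.builtin.command: nginx -t
      changed_when: false

  handlers:
    - name: Reload nginx
      ansible.builtin.service:
        name: nginx
        state: reloaded
```

Once the proxy is the only thing reachable from the outside, the backends can be firewalled down to accept port 8080/3000 traffic from the proxy's internal address alone, which is the "separates the direct access" part in practice.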
I finally took an hour of my time and went through all active, and some inactive, services that I run, giving them relatively random names. This way I can separate servers from services. Each server had 5-6 places where the name had to be changed to take effect. I then spent way too long figuring out how to modify the DNS through Ansible to link the service names to each server. The first issue was that I did not find a way to write this without running into duplicate CNAMEs.
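One way to do the service-name-to-server linking, as an added example rather than the author's playbook: keep the list of services per server in the vars, flatten it to one CNAME per service, refuse to continue if a service name appears twice or collides with a server name, and only then push the records with `community.general.nsupdate`. The zone, DNS server, TSIG key, server names and service names are all made up, and `nsupdate` needs `dnspython` on the controller.

```yaml
# Added example: publish service names as CNAMEs pointing at the server that
# runs them, with a duplicate check up front. A CNAME name may exist only
# once and may not share a name with any other record, so the check enforces
# exactly the two things DNS will otherwise reject at update time.
- name: Publish service names as CNAME records
  hosts: localhost
  gather_facts: false
  vars:
    dns_zone: home.example.net          # hypothetical zone
    dns_server: 10.0.0.53               # hypothetical authoritative server
    dns_key_name: ansible-key           # hypothetical TSIG key name
    dns_key_secret: "CHANGE-ME"         # load from an ansible-vault file in practice
    # Constructed sample: server name -> services it runs (servers are A records)
    servers:
      hemlock: [wiki, git]
      juniper: [photos, music]
      cypress: [vault]
  tasks:
    - name: Flatten to one (service, server) pair per service
      ansible.builtin.set_fact:
        cname_records: "{{ cname_records | default([]) + [{'name': item.1, 'target': item.0.key}] }}"
      loop: "{{ servers | dict2items | subelements('value') }}"
      loop_control:
        label: "{{ item.1 }} -> {{ item.0.key }}"

    - name: Refuse duplicate service names and service/server name clashes
      ansible.builtin.assert:
        that:
          - (cname_records | map(attribute='name') | list | length)
            == (cname_records | map(attribute='name') | unique | list | length)
          - (cname_records | map(attribute='name') | intersect(servers.keys() | list) | length) == 0
        fail_msg: >-
          Service names must be unique and must not equal a server name:
          {{ cname_records | map(attribute='name') | list }}

    - name: Upsert each CNAME (present with the same value is a no-op)
      community.general.nsupdate:
        server: "{{ dns_server }}"
        zone: "{{ dns_zone }}"
        record: "{{ item.name }}"
        type: CNAME
        value: "{{ item.target }}.{{ dns_zone }}."
        ttl: 300
        key_name: "{{ dns_key_name }}"
        key_secret: "{{ dns_key_secret }}"
        key_algorithm: hmac-sha256
        state: present
      loop: "{{ cname_records }}"
      loop_control:
        label: "{{ item.name }} -> {{ item.target }}"
```

Keeping the mapping per server rather than per service is what makes the duplicate case visible: two servers claiming the same service name is an inventory mistake, and the assert turns it into a failed play instead of a half-applied zone.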
A couple of days ago I updated my PiHoles. Suddenly one of them stopped working. I spent some time trying to fix it, but to no avail; it just refused to start. I therefore installed a third one within 20 minutes and set it up, realizing that I could maybe automate this task. I then spent about 4 hours in total making this bootstrap and automation for adlists and whatnot. I later created a fourth PiHole and applied the playbook to it.
Before I set up VyOS, I had the urge to learn Ansible, as it should work perfectly with anything CLI-based. However, this was the reason it took almost a month to set up my network: I had to learn Ansible, figure out its quirks, find out that the VyOS collection was poorly written, and accept that I didn't understand Ansible until I had tinkered with it for a long while.
But don’t get me wrong, Ansible is good.