fixed subnets, drone proto & host, cleaned up vault

2022-10-06 20:50:05 -04:00
parent 50470a25d7
commit 5d12d516ae
12 changed files with 27 additions and 23 deletions
--- a/ansible/roles/podman/templates/nginx/sites/assistant.bdebyl.net.conf.j2
+++ b/ansible/roles/podman/templates/nginx/sites/assistant.bdebyl.net.conf.j2
@@ -2,7 +2,7 @@ upstream hass {
  server 127.0.0.1:8123;
 }
 server {
-  resolver 192.168.1.12 ipv6=off;
+  resolver 192.168.2.10 ipv6=off;
  modsecurity on;
  modsecurity_rules_file /etc/nginx/modsec_includes.conf;

@@ -10,7 +10,7 @@ server {
  server_name {{ assistant_server_name }};

  location / {
-    allow 192.168.1.0/24;
+    allow 192.168.0.0/16;
    allow 127.0.0.1;
    deny all;

--- a/ansible/roles/podman/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
+++ b/ansible/roles/podman/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
@@ -4,7 +4,7 @@ upstream drone {

 geo $local_access {
  default 0;
-  192.168.1.1 1;
+  192.168.2.1 1;
 }

 server {
--- a/ansible/roles/podman/templates/nginx/sites/home.bdebyl.net.conf.j2
+++ b/ansible/roles/podman/templates/nginx/sites/home.bdebyl.net.conf.j2
@@ -1,6 +1,6 @@
 geo $whitelisted {
  default 0;
-  192.168.1.0/24 1;
+  192.168.0.0/16 1;
 }

 server {
@@ -16,4 +16,4 @@ server {
  if ($whitelisted = 0) {
    return 302 $scheme://bdebyl.net$request_uri;
  }
-}
+}
--- a/ansible/roles/podman/templates/nginx/sites/logs.bdebyl.net.conf.j2
+++ b/ansible/roles/podman/templates/nginx/sites/logs.bdebyl.net.conf.j2
@@ -4,7 +4,7 @@ upstream graylog {

 geo $local_access {
  default 0;
-  192.168.1.0/24 1;
+  192.168.0.0/16 1;
 }

 server {
@@ -18,7 +18,7 @@ server {
    if ($local_access = 1) {
      access_log off;
    }
-    allow 192.168.1.0/24;
+    allow 192.168.0.0/16;
    allow 127.0.0.1;
    deny all;

@@ -29,4 +29,4 @@ server {
    proxy_buffering off;
    proxy_pass http://graylog;
  }
-}
+}
--- a/ansible/roles/podman/templates/nginx/sites/parts.bdebyl.net.conf.j2
+++ b/ansible/roles/podman/templates/nginx/sites/parts.bdebyl.net.conf.j2
@@ -1,6 +1,6 @@
 geo $whitelisted {
  default 0;
-  192.168.1.0/24 1;
+  192.168.0.0/16 1;
 }

 server {
@@ -18,4 +18,4 @@ server {
  location / {
   return 302 https://$host$request_uri;
  }
-}
+}
--- a/ansible/roles/podman/templates/nginx/sites/parts.bdebyl.net.https.conf.j2
+++ b/ansible/roles/podman/templates/nginx/sites/parts.bdebyl.net.https.conf.j2
@@ -1,6 +1,6 @@
 geo $whitelisted {
  default 0;
-  192.168.1.0/24 1;
+  192.168.0.0/16 1;
 }

 upstream partkeepr {
@@ -54,4 +54,4 @@ server {

    chunked_transfer_encoding off;
  }
-}
+}
--- a/ansible/roles/podman/templates/nginx/sites/pi.bdebyl.net.conf.j2
+++ b/ansible/roles/podman/templates/nginx/sites/pi.bdebyl.net.conf.j2
@@ -4,7 +4,7 @@ upstream pihole {

 geo $local_access {
  default 0;
-  192.168.1.0/24 1;
+  192.168.0.0/16 1;
 }

 server {
@@ -18,7 +18,7 @@ server {
    if ($local_access = 1) {
      access_log off;
    }
-    allow 192.168.1.0/24;
+    allow 192.168.0.0/16;
    allow 127.0.0.1;
    deny all;

@@ -29,4 +29,4 @@ server {
    proxy_buffering off;
    proxy_pass http://pihole;
  }
-}
+}
--- a/ansible/roles/podman/templates/nginx/sites/video.bdebyl.net.conf.j2
+++ b/ansible/roles/podman/templates/nginx/sites/video.bdebyl.net.conf.j2
@@ -10,7 +10,7 @@ server {
  server_name {{ video_server_name }};

  location / {
-    allow 192.168.1.0/24;
+    allow 192.168.0.0/16;
    allow 127.0.0.1;
    deny all;

@@ -21,4 +21,4 @@ server {
    proxy_buffering off;
    proxy_pass http://shinobi;
  }
-}
+}