Jesse Garcia fd875b0cd0 +turn +matrix rtc -old nftables ~misc
added firewall rules for turn and matrix rtc, removed the old config,
and updated misc items that have been a bit buggy.
2026-04-07 09:14:37 -06:00

🛡️ Gateway

A role-based, software-engineered approach to a Linux sysadmin stack. This project utilizes Ansible to manage Linux hosts with a focus on WireGuard connectivity, CrowdSec intrusion prevention, and a strictly segmented nftables firewall.

📐 Network Segmentation (10.0.0.0/8)

To avoid collisions with standard consumer LANs and facilitate clean firewalling, we utilize a structured subdivision of the 10.0.0.0/8 block.

| CIDR Range   | Purpose             | Logic                                          |
|--------------|---------------------|------------------------------------------------|
| 10.0.0.0/24  | Core Infrastructure | Physical hosts and Bind9 DNS.                  |
| 10.10.0.0/24 | WireGuard VPN       | Remote peers (Peers: .2+, Server: .1).         |
| 10.20.0.0/16 | Docker Segments     | Each app project gets a /24 (e.g., 10.20.1.0). |

By keying off the second octet, we identify traffic sources instantly during log analysis or troubleshooting.
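As an added example (not part of this project), the POSIX shell functions below apply the second-octet convention from the table to source addresses pulled from log lines, so a quick triage can show which segment traffic is coming from. The segment labels, the `classify_segment`/`summarize_log` names and the sample log lines are all constructed here; they are not identifiers from the repository.

```shell
#!/bin/sh
# Added example (not from the project): classify 10.0.0.0/8 addresses by the
# second-octet scheme above. Segment labels and log lines are constructed here.

# classify_segment ADDR -> prints the segment the address falls in
classify_segment() {
    ip=$1
    o1=${ip%%.*}; rest=${ip#*.}
    o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}; o4=${rest#*.}

    [ "$o1" = "10" ] || { echo "outside-10/8"; return 0; }

    case "$o2" in
        0)  # 10.0.0.0/24 only: anything else under 10.0.x.x is unallocated
            if [ "$o3" = "0" ]; then echo "core-infra"; else echo "unassigned"; fi ;;
        10) # 10.10.0.0/24: .1 is the WireGuard server, .2+ are peers
            if [ "$o3" != "0" ]; then echo "unassigned"
            elif [ "$o4" = "1" ]; then echo "wireguard-server"
            else echo "wireguard-peer"; fi ;;
        20) # 10.20.0.0/16: the third octet names the Docker project's /24
            echo "docker-project-$o3" ;;
        *)  echo "unassigned" ;;
    esac
}

# write_sample_log FILE -> constructed connection log: "<time> <src> <dst> <proto>"
write_sample_log() {
    cat > "$1" <<'EOF'
2026-04-07T09:14:37 10.20.1.12 10.0.0.2:53 udp
2026-04-07T09:14:38 10.20.1.13 10.0.0.2:53 udp
2026-04-07T09:14:39 10.20.1.12 10.20.2.5:5432 tcp
2026-04-07T09:14:40 10.10.0.7 10.0.0.2:53 udp
2026-04-07T09:14:41 10.10.0.9 10.20.1.10:443 tcp
2026-04-07T09:14:42 10.0.0.2 10.0.0.1:22 tcp
EOF
}

# summarize_log FILE -> one line per source segment, most frequent first
summarize_log() {
    while read -r _ts src _rest; do
        classify_segment "$src"
    done < "$1" | sort | uniq -c | sort -rn
}

# top_segment FILE -> name of the most frequent source segment
top_segment() {
    summarize_log "$1" | head -n 1 | awk '{print $2}'
}

# Usage: sh classify.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp); write_sample_log "$tmp"; summarize_log "$tmp"; rm -f "$tmp"
fi
```

Addresses that sit inside the /8 but outside an allocated range (10.0.1.5, for instance) come back as `unassigned`, which is exactly the kind of source worth a second look when the plan says nothing should live there.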


🧱 Role Architecture

The infrastructure is broken into numbered roles to enforce a deterministic deployment order.

00-wireguard

  • Connectivity First: Establishes the wg0 interface before the firewall clamps down.
  • Pure Tunneling: Configures wg0.conf without PostUp/PostDown scripts, delegating all routing to the firewall role.

10-nftables (The "Compiled" Firewall)

Uses a modular directory structure (/etc/nftables.d/) to manage security policy as "Infra-as-Code."

  • 00-vars/: Global constants (Interfaces, IPs, Port Groups).
  • 05-sets/: Data structures (CrowdSec blackholes) defined before logic.
  • 10-filter/: Security policy. 00-base establishes a global drop policy and stateful tracking.
  • 20-nat/: Routing logic. Handles VPN masquerading and Port Forwarding (DNAT) for services like Matrix and Games.

20-crowdsec

  • Intrusion Prevention: Deploys the firewall bouncer.
  • System Integration: Populates the @crowdsec_blackhole set in the firewall to drop malicious traffic at the earliest possible stage (Pre-Routing/Input).

🚀 Execution Pattern

Bootstrapping

Before running the site-wide configuration, use the bootstrap playbook to prepare path-aware requirements (Python, APK mirrors).

ansible-playbook -i inventory/public.ini playbooks/00-bootstrap.yml

Full Deployment

The master playbook (local.yml) orchestrates the roles in order:

ansible-playbook -i inventory/public.ini local.yml

🛠️ Sysadmin Design Choices

  • Atomic Validation: The 10-nftables role templates the files and then runs nft -c -f /etc/nftables.nft against the master loader. The service only reloads if the entire ruleset (variables + logic) passes the syntax check.
  • Encapsulation: Sub-services like Matrix or Forgejo have their own .nft fragments. This allows those services to be added or removed without editing the core firewall files.
  • Idempotency: Using with_filetree ensures that your local folder structure is perfectly mirrored to the server, and only changed files trigger a service reload.
  • SSH Obfuscation: Standardized across the stack to port 69.

📝 Maintenance

To add a new service (e.g., a Game Server):

  1. Define the target IP and ports in inventory/group_vars/all.yml.
  2. Add a new fragment to roles/10-nftables/templates/nftables.d/10-filter/ and 20-nat/.
  3. Re-run local.yml.
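The fragment layout from the Role Architecture section (00-vars, 05-sets, 10-filter, 20-nat), the 00-base drop policy with the @crowdsec_blackhole set checked at prerouting, the per-service fragment pair from step 2 above, and the nft -c -f gate from Atomic Validation are shown together in this added shell example. It is not the project's role code: it renders a minimal nftables.d tree under a directory you name and then runs the same compile-style check against the master loader. Interface names, addresses and port numbers (other than the README's SSH port 69) are placeholders, the Matrix service is used as the sample fragment, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not the project's role code: renders a minimal nftables.d
# tree in the README's order and runs nft's syntax check against the loader.
# Interfaces, addresses and ports are placeholders (ssh port 69 is the README's).

render_ruleset() {             # render_ruleset ROOT (e.g. /etc or a scratch dir)
    d=$1/nftables.d
    mkdir -p "$d/00-vars" "$d/05-sets" "$d/10-filter" "$d/20-nat"

    # 00-vars: constants every later fragment may reference
    cat > "$d/00-vars/00-globals.nft" <<'EOF'
define wan_if = "eth0"
define wg_if = "wg0"
define ssh_port = 69
define wg_port = 51820
define wg_net = 10.10.0.0/24
define matrix_ip = 10.20.1.10
define matrix_tcp_ports = { 443, 8448 }
EOF
    # 05-sets: data structures first, so 10-filter can reference them
    cat > "$d/05-sets/00-crowdsec.nft" <<'EOF'
table inet filter {
    set crowdsec_blackhole { type ipv4_addr; flags interval; }
}
EOF
    # 10-filter/00-base: default drop, stateful tracking, blackhole at prerouting
    cat > "$d/10-filter/00-base.nft" <<'EOF'
table inet filter {
    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        ip saddr @crowdsec_blackhole counter drop
    }
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iif "lo" accept
        iifname $wan_if tcp dport $ssh_port accept
        iifname $wan_if udp dport $wg_port accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname $wg_if oifname $wan_if accept
    }
}
EOF
    # Per-service fragments (README step 2): one in 10-filter, one in 20-nat
    cat > "$d/10-filter/10-matrix.nft" <<'EOF'
table inet filter {
    chain forward {
        iifname $wan_if ip daddr $matrix_ip tcp dport $matrix_tcp_ports accept
    }
}
EOF
    cat > "$d/20-nat/00-base.nft" <<'EOF'
table inet nat {
    chain prerouting { type nat hook prerouting priority dstnat; policy accept; }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr $wg_net oifname $wan_if masquerade
    }
}
EOF
    cat > "$d/20-nat/10-matrix.nft" <<'EOF'
table inet nat {
    chain prerouting {
        iifname $wan_if tcp dport $matrix_tcp_ports dnat ip to $matrix_ip
    }
}
EOF
    # Master loader: globbed includes load in lexical order, so 00-vars and
    # 05-sets are defined before the 10-filter and 20-nat rules that use them
    {
        echo "flush ruleset"
        for sub in 00-vars 05-sets 10-filter 20-nat; do
            echo "include \"$d/$sub/*.nft\""
        done
    } > "$1/nftables.nft"
}

# check_ruleset ROOT -> 0 only if the whole tree is valid; this is the gate
# that decides whether the service may reload. Without root or nft it falls
# back to checking that every directory is populated and included.
check_ruleset() {
    loader=$1/nftables.nft
    if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        nft -c -f "$loader"
    else
        for sub in 00-vars 05-sets 10-filter 20-nat; do
            grep -q "nftables.d/$sub/\*.nft" "$loader" || return 1
            ls "$1/nftables.d/$sub/"*.nft >/dev/null 2>&1 || return 1
        done
    fi
}
```

Usage: `render_ruleset /tmp/gw && check_ruleset /tmp/gw && echo "ruleset ok"`. The point of checking the loader rather than each fragment on its own is that a fragment can be syntactically fine in isolation yet reference a variable or set defined elsewhere; only the assembled tree tells you whether the reload is safe.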