More changes from home-infra split

container-config/nginx/snippets/local-only.conf

@@ -1,4 +1,5 @@
 allow 192.168.0.0/16;
+allow 10.0.0.0/8;
 allow fe80::/10;
 allow fc00::/7;
 deny all;

ignition/home-gw.bu

@@ -15,14 +15,14 @@ storage:
           table inet nat {
             chain prerouting {
               type nat hook prerouting priority 0
-              tcp dport 80 dnat ip to 10.0.0.2
-              tcp dport 80 dnat ip6 to [fd00::2]
-              tcp dport 443 dnat ip to 10.0.0.2
-              tcp dport 443 dnat ip6 to [fd00::2]
+              iifname ens* tcp dport 80 dnat ip to 10.0.0.2
+              iifname ens* tcp dport 80 dnat ip6 to [fd00::2]
+              iifname ens* tcp dport 443 dnat ip to 10.0.0.2
+              iifname ens* tcp dport 443 dnat ip6 to [fd00::2]
             }
             chain postrouting {
               type nat hook postrouting priority 0
-              oifname gateway masquerade
+              iifname infra oifname ens* masquerade
             }
           }
 passwd:

infra/etc/containers/systemd/certbot.container

@@ -7,4 +7,6 @@ Volume=/var/lib/system-config/container-config/certbot/run-certbot:/usr/local/bi
 Tmpfs=/etc/letsencrypt
 Tmpfs=/var/lib/letsencrypt
 Tmpfs=/var/log/letsencrypt
+Environment=CERTBOT_TYPE=home
+Secret=cloudflare
 AutoUpdate=registry

infra/etc/containers/systemd/certbot.container.d/override.conf

@@ -1,3 +0,0 @@
-[Container]
-Environment=CERTBOT_TYPE=home
-Secret=cloudflare

setup-vyos.sh

@@ -27,7 +27,7 @@ set interfaces ethernet eth2 address 192.168.254.1/24
 set interfaces ethernet eth2 address fc01::1/64
 set interfaces ethernet eth3 address 192.168.253.1/24
 set interfaces ethernet eth3 address fc02::1/64
-set interfaces wireguard wg0 address 10.255.0.1/24
+set interfaces wireguard wg0 address 192.168.252.1/24
 set interfaces wireguard wg0 port 51820
 
 set service ssh disable-password-authentication
@@ -61,7 +61,6 @@ set service dns forwarding name-server 9.9.9.9
 set service dns forwarding dnssec validate
 set service dns forwarding allow-from 127.0.0.1/32
 set service dns forwarding allow-from 192.168.0.0/16
-set service dns forwarding allow-from 10.255.0.0/16
 set service tftp-server directory /config/tftp
 set service tftp-server listen-address 192.168.253.1
 set service monitoring telegraf influxdb url http://home.strypsteen.com

vps/etc/containers/systemd/certbot.container

@@ -0,0 +1,13 @@
+[Container]
+Image=docker.io/certbot/dns-cloudflare
+UserNS=host
+Network=certbot.network
+Entrypoint=run-certbot
+Volume=/etc/certificates:/etc/certificates:z
+Volume=/var/lib/system-config/container-config/certbot/run-certbot:/usr/local/bin/run-certbot:Z,ro
+Tmpfs=/etc/letsencrypt
+Tmpfs=/var/lib/letsencrypt
+Tmpfs=/var/log/letsencrypt
+Environment=CERTBOT_TYPE=vps
+PublishPort=80:80
+AutoUpdate=registry

vps/etc/containers/systemd/certbot.container.d/override.conf

@@ -1,4 +0,0 @@
-[Container]
-Network=certbot.network
-Environment=CERTBOT_TYPE=vps
-PublishPort=80:80

vps/etc/systemd/system/certbot.timer

@@ -0,0 +1,5 @@
+[Timer]
+OnCalendar=monthly
+Unit=certbot.service
+[Install]
+WantedBy=timers.target