8 changed files with 23 additions and 77 deletions
--- a/inventory.example.yml
+++ b/inventory.example.yml
@ -67,7 +67,6 @@ all:
    haproxy:
      hosts:
        your_bastion_host:
-        your_fleet_host:
    wireguard:
      hosts:
        your_bastion_host:
--- a/roles/containers/tasks/main.yml
+++ b/roles/containers/tasks/main.yml
@ -126,6 +126,10 @@
  register: user_synapse
  when: '"synapse" in group_names'

+- name: Figure out local IP address
+  set_fact:
+    docker_ip: "{{ vpn_ip if wireguard_services else local_ip }}"
+
 - name: Generate docker-compose.yml
  template:
    src: "docker-compose.yml.j2"
--- a/roles/containers/templates/docker-compose.yml.j2
+++ b/roles/containers/templates/docker-compose.yml.j2
@ -1,9 +1,4 @@
 # vim: ft=yaml
-
-
-# docker doesn't play well with the firewall, so i have it listen on 127.0.0.1
-# and have haproxy expose it publicly (won't disrespect firewall rules)
-
 ---

 networks:
@ -25,8 +20,8 @@ services:
      - GITEA__server__DOMAIN={{ gitea_domain }}
      - GITEA__server__SSH_DOMAIN={{ gitea_domain }}
    ports:
-      - "127.0.0.1:3000:3000"
-      - "127.0.0.1:2498:22"
+      - "{{ docker_ip }}:3000:3000"
+      - "{{ docker_ip }}:2498:22"
    restart: unless-stopped
    volumes:
      - {{ dataroot }}/gitea:/data
@ -68,7 +63,7 @@ services:
    networks:
      - navidrome
    ports:
-      - "127.0.0.1:4533:4533"
+      - "{{ docker_ip }}:4533:4533"

 {% endif %}
 {% if "synapse" in group_names %}
@ -85,7 +80,7 @@ services:
    networks:
      - navidrome
    ports:
-      - "127.0.0.1:8008:8008/tcp"
+      - "{{ docker_ip }}:8008:8008/tcp"

 {% endif %}

@ -104,7 +99,7 @@ services:
    depends_on:
      - paperless-broker
    ports:
-      - "127.0.0.1:8000:8000"
+      - "{{ docker_ip }}:8000:8000"
    healthcheck:
      test: ["CMD", "curl", "-fs", "-S", "--max-time", "2", "http://localhost:8000"]
      interval: 30s
--- a/roles/firewall/tasks/main.yml
+++ b/roles/firewall/tasks/main.yml
@ -17,18 +17,12 @@
    default_firewall_src: "{{ bastion_vpn_ip if wireguard_services else bastion_ip }}"
  when: '"fleet" in group_names'

- name: Configure service interface
-  set_fact:
-    service_firewall_if: "{{ wireguard_interface if wireguard_services else omit }}"
-  when: 'wireguard_services'
-
+# this is actually kind of useless because docker bypasses this
 - name: Allow service ports
  community.general.ufw:
    rule: allow
    port: "{{ item.port }}"
    proto: "{{ item.proto | default('tcp') }}"
-    # service -> VPN interface if available, else default
-    interface_in: "{{ service_firewall_if if (item.interface | default('')) == 'service' else item.interface | default(omit) }}"
    src: "{{ item.src | default(default_firewall_src) }}"
  when: item.name in group_names
  with_items:
@ -37,12 +31,10 @@
      port: 8448
    - name: "synapse"
      port: 8008
-      interface: service

    # navidrome api/web interface
    - name: "navidrome"
      port: 4533
-      interface: service

    - name: "syncthing"
      port: 22000
@ -56,13 +48,9 @@
    # gitea sshd
    - name: "bastion"
      port: 2499
-    - name: "gitea"
-      port: 2498
-      interface: service
    # gitea http
    - name: "gitea"
      port: 3000
-      interface: service

    - name: "caddy"
      port: 80
@ -79,7 +67,7 @@
      proto: udp
      src: any

- name: Enable UFW
+- name: Deny all ports by default
  community.general.ufw:
    state: enabled

--- a/roles/haproxy/tasks/main.yml
+++ b/roles/haproxy/tasks/main.yml
@ -5,41 +5,11 @@
    name:
      - haproxy

- name: Figure out local IP address
-  set_fact:
-    service_ip: "{{ vpn_ip if wireguard_services else local_ip }}"
-
-# for info about this, see top of roles/containers/templates/docker-compose.yml.j2
- name: Enumerate services to forward
-  set_fact:
-    haproxy_services:
-      - name: gitea
-        ports:
-          - 2498
-          - 3000
-      - name: navidrome
-        ports:
-          - 4533
-      - name: synapse
-        ports:
-          - 8008
-      - name: paperless
-        ports:
-          - 8000
-
- name: Deploy haproxy config (bastion)
+- name: Deploy haproxy config
  template:
-    src: haproxy.cfg.bastion.j2
+    src: haproxy.cfg.j2
    dest: /etc/haproxy/haproxy.cfg
    lstrip_blocks: true
-  when: '"bastion" in group_names'
-
- name: Deploy haproxy config (fleet)
-  template:
-    src: haproxy.cfg.fleet.j2
-    dest: /etc/haproxy/haproxy.cfg
-    lstrip_blocks: true
-  when: '"fleet" in group_names'

 - name: Enable haproxy service
  systemd:
--- a/roles/haproxy/templates/haproxy.cfg.fleet.j2
+++ b/roles/haproxy/templates/haproxy.cfg.fleet.j2
@ -1,17 +0,0 @@
-defaults
-	log global
-	mode tcp
-	timeout connect 10s
-	timeout client 36h
-	timeout server 36h
-	balance leastconn
-
-{% for service in haproxy_services %}
-{% if service.name in group_names %}
-{% for port in service.ports %}
-listen {{ service.name}}{{ port }}
-	bind {{ service_ip }}:{{ port }}
-	server localhost 127.0.0.1:{{ port }}
-{% endfor %}
-{% endif %}
-{% endfor %}
--- a/roles/haproxy/templates/haproxy.cfg.bastion.j2
+++ b/roles/haproxy/templates/haproxy.cfg.bastion.j2
@ -15,3 +15,12 @@ listen gitea_ssh
 	server {{ host }} {{ host }}:2498
 {% endfor %}
 {% endif %}
+
+
+{% if groups["syncthing"] | length > 0 and "syncthing" not in group_names %}
+listen syncthing
+	bind *:22000
+{% for host in groups["syncthing"] %}
+	server {{ host }} {{ host }}:22000
+{% endfor %}
+{% endif %}
--- a/roles/synapse/templates/homeserver.yaml.j2
+++ b/roles/synapse/templates/homeserver.yaml.j2
@ -1,4 +1,4 @@
-# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html
+# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html

 server_name: "{{ matrix_domain }}"
 pid_file: /data/homeserver.pid
@ -12,8 +12,6 @@ listeners:
      - names: [client, federation]
        compress: false

-max_upload_size: 500M
-
 database:
  name: sqlite3
  args: