mother-of-all-self-hosting / mash-playbook

🐋 Ansible playbook which helps you host various FOSS services as Docker containers on your own server
GNU Affero General Public License v3.0

Questions about access restriction and configuration preservation. #109

Open MrEddX opened 1 year ago

MrEddX commented 1 year ago

First of all, great project! Thanks for sharing your work and knowledge.

The questions I have:

For example: I want to make Healthchecks and Uptime Kuma available from one country, while WG Easy is accessible from two IP addresses. I suppose I would have to add additional lines in the /mash/<service>/labels file. And if it is true, then here comes the second question:

Thanks.

moan0s commented 1 year ago

So AFAIK no such thing has been discussed yet.

Traefik supports IP whitelisting so for WG Easy you should be able to do something like

wg_easy_container_labels_additional_labels: |
  traefik.http.middlewares.wg-easy.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7

This will persist between runs. Denylists seem more difficult, but you could check out this answer on Stack Overflow.

spantaleev commented 1 year ago

This label merely defines a middleware.

To actually use it, it needs to be added to the middlewares list for the service. Not all roles define variables for doing this, so you may be out of luck until something is done about it.

MrEddX commented 1 year ago

I made the changes suggested by @moan0s in inventory/host_vars/<domain>/vars.yml, which are successfully reflected in the file /mash/<service>/labels on the remote server, but unfortunately this label does not lead to the desired result, just as @spantaleev suggested.

Thank you both for your time.
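
The situation described in this thread, a middleware label that is present in /mash/<service>/labels but restricts nothing because no router lists it, can be checked mechanically. The following is an added example, not code from the playbook or from any commenter; the router name `mash-wg-easy`, the `compression@file` entry and the hostname are constructed assumptions.

```python
import re

# Constructed sample of a labels file (key=value per line). The router name,
# hostname and compression@file entry are assumptions for illustration only.
SAMPLE_LABELS = """\
traefik.enable=true
traefik.http.routers.mash-wg-easy.rule=Host(`wg.example.com`)
traefik.http.routers.mash-wg-easy.middlewares=compression@file
traefik.http.middlewares.wg-easy.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7
"""

MIDDLEWARE_KEY = re.compile(r"^traefik\.http\.middlewares\.([^.]+)\.")
ROUTER_MW_KEY = re.compile(r"^traefik\.http\.routers\.([^.]+)\.middlewares$")


def parse_labels(text):
    """Yield (key, value) pairs, skipping blank lines and # comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        yield key.strip(), value.strip()


def audit(text):
    """Report middlewares that are defined by labels but attached to no router."""
    defined, routers = set(), {}
    for key, value in parse_labels(text):
        m = MIDDLEWARE_KEY.match(key)
        if m:
            defined.add(m.group(1))
            continue
        m = ROUTER_MW_KEY.match(key)
        if m:
            routers[m.group(1)] = [n.strip() for n in value.split(",") if n.strip()]
    used = set()
    for names in routers.values():
        for name in names:
            base, _, provider = name.partition("@")
            # Label-defined middlewares belong to the docker provider; a bare
            # name on a label-defined router resolves to that same provider.
            if provider in ("", "docker"):
                used.add(base)
    return {"unattached": sorted(defined - used), "routers": routers}


if __name__ == "__main__":
    print(audit(SAMPLE_LABELS))
```

An empty `unattached` list only shows that the middleware is referenced by some router in the file; whether the source ranges behave as intended still needs to be tested from an address outside them.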