Add LKE IP automatic whitelist updating

Credits to my boys, closes #638

Author: jb3

ansible/group_vars/all/linode.yml

@@ -1,5 +1,2 @@
 ---
-lke_all_addresses: "{{ lookup('ansible.builtin.url', 'https://geoip.linode.com/', wantlist=True) }}"
-lke_frankfurt_addresses: "{{ lke_all_addresses | select('search', '^.*Frankfurt.*$') | map('split', ',') | map(attribute=0) | list }}"
-lke_frankfurt_ipv4_addresses: "{{ lke_frankfurt_addresses | select('search', '^.*\\..*$') }}"
-lke_frankfurt_ipv6_addresses: "{{ lke_frankfurt_addresses | select('search', '^.*:.*$') }}"
+# Variables are now set by the linode-ips role to avoid repeated lookups.

ansible/group_vars/all/nftables.yml

@@ -33,17 +33,7 @@ nftables_configuration: |
 
   {% if "databases" in group_names %}
     # Access control for database server
-    set possible_lke_ipv4_addrs {
-      type ipv4_addr
-      flags interval
-      elements = { {{ lke_frankfurt_ipv4_addresses | join(", ") }} }
-    }
-
-    set possible_lke_ipv6_addrs {
-      type ipv6_addr
-      flags interval
-      elements = { {{ lke_frankfurt_ipv6_addresses | join(", ") }} }
-    }
+    include "/etc/nftables/lke.nft"
   {% endif %}
 
     chain input {

ansible/playbook.yml

@@ -1,6 +1,7 @@
 - name: Deploy common services
   hosts: all
   roles:
+    - linode-ips
     - common
     - pydis-mtls
     - wireguard
@@ -12,6 +13,7 @@
     - certbot
     - ci-user
     - alloy
+    - lke-nftables-update
     - nftables
     - prometheus-node-exporter
     - fail2ban

ansible/roles/linode-ips/tasks/main.yml

@@ -0,0 +1,51 @@
+---
+- name: Fetch Linode GeoIP data
+  ansible.builtin.uri:
+    url: https://geoip.linode.com/
+    return_content: true
+  register: linode_geoip_response
+  run_once: true
+  delegate_to: localhost
+  become: false
+  tags:
+    - role::linode-ips
+    - role::lke-nftables-update
+    - role::nftables
+    - role::fail2ban
+
+- name: Set LKE address facts
+  ansible.builtin.set_fact:
+    lke_all_addresses: "{{ linode_geoip_response.content.splitlines() }}"
+  run_once: true
+  delegate_to: localhost
+  become: false
+  tags:
+    - role::linode-ips
+    - role::lke-nftables-update
+    - role::nftables
+    - role::fail2ban
+
+- name: Filter Frankfurt addresses
+  ansible.builtin.set_fact:
+    lke_frankfurt_addresses: "{{ lke_all_addresses | select('search', '^.*Frankfurt.*$') | map('split', ',') | map(attribute=0) | list }}"
+  run_once: true
+  delegate_to: localhost
+  become: false
+  tags:
+    - role::linode-ips
+    - role::lke-nftables-update
+    - role::nftables
+    - role::fail2ban
+
+- name: Set LKE IPv4 and IPv6 facts
+  ansible.builtin.set_fact:
+    lke_frankfurt_ipv4_addresses: "{{ lke_frankfurt_addresses | select('search', '^.*\\..*$') | list }}"
+    lke_frankfurt_ipv6_addresses: "{{ lke_frankfurt_addresses | select('search', '^.*:.*$') | list }}"
+  run_once: true
+  delegate_to: localhost
+  become: false
+  tags:
+    - role::linode-ips
+    - role::lke-nftables-update
+    - role::nftables
+    - role::fail2ban

ansible/roles/lke-nftables-update/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+- name: Reload systemd
+  ansible.builtin.systemd:
+    daemon_reload: true

ansible/roles/lke-nftables-update/tasks/main.yml

@@ -0,0 +1,69 @@
+---
+- name: Ensure curl is installed
+  ansible.builtin.package:
+    name: curl
+    state: present
+  tags:
+    - role::lke-nftables-update
+
+- name: Ensure /etc/nftables directory exists
+  ansible.builtin.file:
+    path: /etc/nftables
+    state: directory
+    owner: root
+    group: root
+    mode: "0755"
+  tags:
+    - role::lke-nftables-update
+
+- name: Template initial LKE IPs file
+  ansible.builtin.template:
+    src: lke.nft.j2
+    dest: /etc/nftables/lke.nft
+    owner: root
+    group: root
+    mode: "0644"
+  tags:
+    - role::lke-nftables-update
+
+- name: Template LKE IP update script
+  ansible.builtin.template:
+    src: update-lke-ips.sh.j2
+    dest: /usr/local/bin/update-lke-ips.sh
+    owner: root
+    group: root
+    mode: "0755"
+  tags:
+    - role::lke-nftables-update
+
+- name: Template LKE IP update service
+  ansible.builtin.template:
+    src: lke-nftables-update.service.j2
+    dest: /etc/systemd/system/lke-nftables-update.service
+    owner: root
+    group: root
+    mode: "0644"
+  notify:
+    - Reload systemd
+  tags:
+    - role::lke-nftables-update
+
+- name: Template LKE IP update timer
+  ansible.builtin.template:
+    src: lke-nftables-update.timer.j2
+    dest: /etc/systemd/system/lke-nftables-update.timer
+    owner: root
+    group: root
+    mode: "0644"
+  notify:
+    - Reload systemd
+  tags:
+    - role::lke-nftables-update
+
+- name: Enable and start LKE IP update timer
+  ansible.builtin.service:
+    name: lke-nftables-update.timer
+    state: started
+    enabled: true
+  tags:
+    - role::lke-nftables-update

ansible/roles/lke-nftables-update/templates/lke-nftables-update.service.j2

@@ -0,0 +1,8 @@
+[Unit]
+Description=Update LKE IP whitelist in nftables
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/update-lke-ips.sh

ansible/roles/lke-nftables-update/templates/lke-nftables-update.timer.j2

@@ -0,0 +1,10 @@
+[Unit]
+Description=Hourly update of LKE IP whitelist in nftables
+
+[Timer]
+OnCalendar=hourly
+RandomizedDelaySec=600
+Persistent=true
+
+[Install]
+WantedBy=timers.target

ansible/roles/lke-nftables-update/templates/lke.nft.j2

@@ -0,0 +1,14 @@
+# Managed by Ansible - do not edit manually.
+# This file is updated periodically by a systemd timer.
+
+set possible_lke_ipv4_addrs {
+  type ipv4_addr
+  flags interval
+  elements = { {{ lke_frankfurt_ipv4_addresses | join(", ") }} }
+}
+
+set possible_lke_ipv6_addrs {
+  type ipv6_addr
+  flags interval
+  elements = { {{ lke_frankfurt_ipv6_addresses | join(", ") }} }
+}

ansible/roles/lke-nftables-update/templates/update-lke-ips.sh.j2

@@ -0,0 +1,48 @@
+#!/bin/bash
+set -euo pipefail
+
+# Fetch IPs from Linode
+IPS=$(curl -s --connect-timeout 10 --max-time 30 https://geoip.linode.com/)
+
+# Filter for Frankfurt and extract IPs
+# The CSV format is: ip,city,country,region,provider
+FRANKFURT_IPS=$(echo "$IPS" | grep "Frankfurt" | cut -d',' -f1)
+
+# Ensure we got some IPs to avoid clearing the whitelist on error
+if [ -z "$FRANKFURT_IPS" ]; then
+    echo "No Frankfurt IPs found in Linode GeoIP data." >&2
+    exit 1
+fi
+
+IPV4_IPS=$(echo "$FRANKFURT_IPS" | grep '\.' || true)
+IPV6_IPS=$(echo "$FRANKFURT_IPS" | grep ':' || true)
+
+# Helper to join by comma
+join_ips() {
+  local ips=$1
+  echo "$ips" | tr '\n' ',' | sed 's/,$//' | sed 's/,/, /g'
+}
+
+IPV4_ELEMENTS=$(join_ips "$IPV4_IPS")
+IPV6_ELEMENTS=$(join_ips "$IPV6_IPS")
+
+# Create temporary file
+TMP_FILE="/etc/nftables/lke.nft.tmp"
+cat <<EOF > "$TMP_FILE"
+# Automatically updated by update-lke-ips.sh
+set possible_lke_ipv4_addrs {
+  type ipv4_addr
+  flags interval
+  elements = { $IPV4_ELEMENTS }
+}
+
+set possible_lke_ipv6_addrs {
+  type ipv6_addr
+  flags interval
+  elements = { $IPV6_ELEMENTS }
+}
+EOF
+
+# Move to final location and reload
+mv "$TMP_FILE" /etc/nftables/lke.nft
+systemctl reload nftables