Enable the firewall.

2026-04-18 15:49:08 -04:00
parent 01f2927bd4
commit a5e70c5d4e
4 changed files with 94 additions and 18 deletions
--- a/nix/configuration/configuration.nix
+++ b/nix/configuration/configuration.nix
@@ -137,14 +137,14 @@ in
    nix.settings.keep-derivations = true;

    # Automatic garbage collection
-    nix.gc = lib.mkIf (!config.me.buildingPortable) {
-      # Runs nix-collect-garbage --delete-older-than 5d
-      automatic = true;
-      persistent = true;
-      dates = "monthly";
-      # randomizedDelaySec = "14m";
-      options = "--delete-older-than 30d";
-    };
+    # nix.gc = lib.mkIf (!config.me.buildingPortable) {
+    #   # Runs nix-collect-garbage --delete-older-than 5d
+    #   automatic = true;
+    #   persistent = true;
+    #   dates = "monthly";
+    #   # randomizedDelaySec = "14m";
+    #   options = "--delete-older-than 30d";
+    # };
    nix.settings.auto-optimise-store = !config.me.buildingPortable;

    environment.systemPackages = [
--- a/nix/kubernetes/README.org
+++ b/nix/kubernetes/README.org
@@ -32,6 +32,10 @@
 #+begin_src bash
  kubectl -n kube-system exec ds/cilium -- cilium-dbg monitor --type drop
 #+end_src
+** Show dropped packets for a specific pod
+#+begin_src bash
+  kubectl -n kube-system exec ds/cilium -- hubble observe --since 30s --pod cnpg-system/cnpg-controller-manager-84d498b97-q5m4n --type drop
+#+end_src
 ** Install flux
 #+begin_src bash
  nix shell 'nixpkgs#fluxcd'
--- a/nix/kubernetes/keys/package/deploy-script/package.nix
+++ b/nix/kubernetes/keys/package/deploy-script/package.nix
@@ -53,6 +53,33 @@ let
      group = "11236";
      mode = "0600";
    })
+    + (lib.concatMapStringsSep "\n" create_pv_dir [
+      {
+        path = "manual-pv/gitea-psql";
+        owner = "26";
+        group = "26";
+        mode = "0777";
+      }
+      # {
+      #   path = "manual-pv/gitea";
+      #   owner = "1000";
+      #   group = "1000";
+      #   mode = "0777";
+      # }
+      # {
+      #   path = "manual-pv/gitea/gitea";
+      #   owner = "1000";
+      #   group = "1000";
+      #   mode = "0700";
+      # }
+      # {
+      #   path = "manual-pv/gitea/gitea/public";
+      #   owner = "1000";
+      #   group = "1000";
+      #   mode = "0755";
+      # }
+    ])
+
  );
  deploy_script = (writeShellScript "deploy-script" deploy_script_body);
  deploy_file = (
@@ -287,6 +314,20 @@ let
         echo "${public_key_name} is already trusted in ${destination}"
      fi
    '';
+  create_pv_dir =
+    {
+      path,
+      owner,
+      group,
+      mode,
+    }:
+    ''
+      ##
+      ## create pv directory ${path}
+      ##
+      ${openssh}/bin/ssh mrmanager doas install -d -o "${owner}" -g "${group}" -m "${mode}" "/nk8spv/${path}"
+    '';
+
 in
 stdenv.mkDerivation (finalAttrs: {
  name = "deploy-script";
--- a/nix/kubernetes/roles/firewall/default.nix
+++ b/nix/kubernetes/roles/firewall/default.nix
@@ -32,23 +32,54 @@
      # "net.ipv6.conf.all.forwarding" = 1;
    };

-    networking.firewall.enable = false;
+    networking.firewall.enable = true;
    networking.nftables.enable = true;
    # We want to filter forwarded traffic.
    # Also needed for `networking.firewall.extraForwardRules` to do anything.
    networking.firewall.filterForward = true;

-    networking.firewall.extraInputRules = ''
-      ip6 saddr 2620:11f:7001:7:ffff:eeee::/96 accept
-      ip6 saddr fd00:3e42:e349::/112 accept
-      ip6 saddr 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 accept
+    # Allow traffic from the pods on the lxc interfaces even though the interfaces do not have the correct ip addressses set for the return path.
+    networking.firewall.extraReversePathFilterRules = ''
+      iifname "lxc*" ip6 saddr 2620:11f:7001:7:ffff:eeee::/96 accept
+      iifname "lxc*" ip saddr 10.200.0.0/16 accept
    '';

-    networking.firewall.extraForwardRules = ''
-      ip6 daddr 2620:11f:7001:7:ffff:eeee::/96 accept
-      ip6 daddr fd00:3e42:e349::/112 accept
-      ip6 daddr 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 accept
-    '';
+    networking.firewall.extraInputRules = builtins.concatStringsSep "\n" [
+      # Allow pod-to-node communication
+      ''
+        ip6 saddr 2620:11f:7001:7:ffff:eeee::/96 accept
+      ''
+    ];
+
+    # networking.firewall.extraInputRules = ''
+    #   ip6 saddr 2620:11f:7001:7:ffff:eeee::/96 accept
+    #   ip6 saddr fd00:3e42:e349::/112 accept
+    #   ip6 saddr 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 accept
+    # '';
+
+    networking.firewall.extraForwardRules = builtins.concatStringsSep "\n" [
+      # Allow pod to external communication
+      ''
+        iifname "lxc*" ip6 saddr 2620:11f:7001:7:ffff:eeee::/96 accept
+        iifname "lxc*" ip saddr 10.200.0.0/16 accept
+      ''
+      # Allow pod-to-pod communication
+      ''
+        ip saddr 10.200.0.0/16 ip daddr 10.200.0.0/16 accept
+        ip6 saddr 2620:11f:7001:7:ffff:eeee::/96 ip6 daddr 2620:11f:7001:7:ffff:eeee::/96 accept
+      ''
+      # Allow external-to-pod communication
+      ''
+        ip daddr 10.200.0.0/16 accept
+        ip6 daddr 2620:11f:7001:7:ffff:eeee::/96 accept
+      ''
+    ];
+
+    # networking.firewall.extraForwardRules = ''
+    #   ip6 daddr 2620:11f:7001:7:ffff:eeee::/96 accept
+    #   ip6 daddr fd00:3e42:e349::/112 accept
+    #   ip6 daddr 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 accept
+    # '';

    # Check logs for blocked connections:
    # journalctl -k or dmesg