From a5e70c5d4e7809ff11b83267c30df106619cf5d5 Mon Sep 17 00:00:00 2001
From: Tom Alexander
Date: Sat, 18 Apr 2026 15:49:08 -0400
Subject: [PATCH] Enable the firewall.
---
 nix/configuration/configuration.nix | 16 +++---
 nix/kubernetes/README.org | 4 ++
 .../keys/package/deploy-script/package.nix | 41 +++++++++++++++
 nix/kubernetes/roles/firewall/default.nix | 51 +++++++++++++++----
 4 files changed, 94 insertions(+), 18 deletions(-)
diff --git a/nix/configuration/configuration.nix b/nix/configuration/configuration.nix
index fdb8d548..efe69bc9 100644
--- a/nix/configuration/configuration.nix
+++ b/nix/configuration/configuration.nix
@@ -137,14 +137,14 @@ in
  nix.settings.keep-derivations = true;
  # Automatic garbage collection
- nix.gc = lib.mkIf (!config.me.buildingPortable) {
- # Runs nix-collect-garbage --delete-older-than 5d
- automatic = true;
- persistent = true;
- dates = "monthly";
- # randomizedDelaySec = "14m";
- options = "--delete-older-than 30d";
- };
+ # nix.gc = lib.mkIf (!config.me.buildingPortable) {
+ # # Runs nix-collect-garbage --delete-older-than 5d
+ # automatic = true;
+ # persistent = true;
+ # dates = "monthly";
+ # # randomizedDelaySec = "14m";
+ # options = "--delete-older-than 30d";
+ # };
  nix.settings.auto-optimise-store = !config.me.buildingPortable;
  environment.systemPackages = [
diff --git a/nix/kubernetes/README.org b/nix/kubernetes/README.org
index bce9ceed..4e1aa19e 100644
--- a/nix/kubernetes/README.org
+++ b/nix/kubernetes/README.org
@@ -32,6 +32,10 @@
  #+begin_src bash
  kubectl -n kube-system exec ds/cilium -- cilium-dbg monitor --type drop
  #+end_src
+** Show dropped packets for a specific pod
+#+begin_src bash
+ kubectl -n kube-system exec ds/cilium -- hubble observe --since 30s --pod cnpg-system/cnpg-controller-manager-84d498b97-q5m4n --type drop
+#+end_src
  ** Install flux
  #+begin_src bash
  nix shell 'nixpkgs#fluxcd'
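Review bot: The nix.gc block in this hunk is commented out rather than removed, and neither the commit message ("Enable the firewall.") nor a comment says why automatic store garbage collection is being switched off, so the next reader cannot tell whether this is a temporary experiment or a decision. If it is deliberate, a one-line note above the block such as `# Automatic GC disabled: <reason>; re-enable once <condition>` would record it; if the block is gone for good, delete it and let git history keep the old text. While it is being touched, the inner comment `# Runs nix-collect-garbage --delete-older-than 5d` contradicts `options = "--delete-older-than 30d"` and should be corrected if the block ever comes back.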
diff --git a/nix/kubernetes/keys/package/deploy-script/package.nix b/nix/kubernetes/keys/package/deploy-script/package.nix
index 78fff16d..11db1500 100644
--- a/nix/kubernetes/keys/package/deploy-script/package.nix
+++ b/nix/kubernetes/keys/package/deploy-script/package.nix
@@ -53,6 +53,33 @@ let
  group = "11236";
  mode = "0600";
  })
+
+ (lib.concatMapStringsSep "\n" create_pv_dir [
+ {
+ path = "manual-pv/gitea-psql";
+ owner = "26";
+ group = "26";
+ mode = "0777";
+ }
+ # {
+ # path = "manual-pv/gitea";
+ # owner = "1000";
+ # group = "1000";
+ # mode = "0777";
+ # }
+ # {
+ # path = "manual-pv/gitea/gitea";
+ # owner = "1000";
+ # group = "1000";
+ # mode = "0700";
+ # }
+ # {
+ # path = "manual-pv/gitea/gitea/public";
+ # owner = "1000";
+ # group = "1000";
+ # mode = "0755";
+ # }
+ ])
+
  );
  deploy_script = (writeShellScript "deploy-script" deploy_script_body);
  deploy_file = (
@@ -287,6 +314,20 @@ let
  echo "${public_key_name} is already trusted in ${destination}"
  fi
  '';
+ create_pv_dir =
+ {
+ path,
+ owner,
+ group,
+ mode,
+ }:
+ ''
+ ##
+ ## create pv directory ${path}
+ ##
+ ${openssh}/bin/ssh mrmanager doas install -d -o "${owner}" -g "${group}" -m "${mode}" "/nk8spv/${path}"
+ '';
+
  in
  stdenv.mkDerivation (finalAttrs: {
  name = "deploy-script";
diff --git a/nix/kubernetes/roles/firewall/default.nix b/nix/kubernetes/roles/firewall/default.nix
index 3630b5c7..984fed03 100644
--- a/nix/kubernetes/roles/firewall/default.nix
+++ b/nix/kubernetes/roles/firewall/default.nix
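Review bot: `mode = "0777"` on the new manual-pv/gitea-psql entry makes /nk8spv/manual-pv/gitea-psql world-writable on mrmanager, while the entry just above it in the context uses `mode = "0600"`; since owner and group are already pinned to 26, `mode = "0700";` (or 0770 if a group member needs access) should be enough for what the name suggests is a single-owner PostgreSQL volume. If 0777 is a workaround for the pod running under a different uid than 26, that reason belongs in a comment on the entry so nobody "fixes" it later. The three commented-out gitea blocks that follow are dead configuration; either delete them or leave one comment saying why they are parked.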
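Review bot: In create_pv_dir the command line `doas install -d -o "${owner}" -g "${group}" -m "${mode}" "/nk8spv/${path}"` is quoted only for the local shell; ssh joins its arguments with spaces and the remote shell on mrmanager re-parses them, so a path, owner or mode containing whitespace or shell metacharacters would be split or interpreted remotely. Today the only callers (the hunk at line 53) pass static literals, so this is a robustness gap rather than a live problem, but wrapping the remote command once with `lib.escapeShellArg` and each value inside it makes it correct by construction: `${openssh}/bin/ssh mrmanager ${lib.escapeShellArg "doas install -d -o ${lib.escapeShellArg owner} -g ${lib.escapeShellArg group} -m ${lib.escapeShellArg mode} ${lib.escapeShellArg "/nk8spv/${path}"}"}`. A short comment above the function stating that it runs `install` as root via doas on mrmanager and that path is relative to /nk8spv would also help callers.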
@@ -32,23 +32,54 @@
  # "net.ipv6.conf.all.forwarding" = 1;
  };
- networking.firewall.enable = false;
+ networking.firewall.enable = true;
  networking.nftables.enable = true;
  # We want to filter forwarded traffic.
  # Also needed for `networking.firewall.extraForwardRules` to do anything.
  networking.firewall.filterForward = true;
- networking.firewall.extraInputRules = ''
- ip6 saddr 2620:11f:7001:7:ffff:eeee::/96 accept
- ip6 saddr fd00:3e42:e349::/112 accept
- ip6 saddr 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 accept
+ # Allow traffic from the pods on the lxc interfaces even though the interfaces do not have the correct ip addressses set for the return path.
+ networking.firewall.extraReversePathFilterRules = ''
+ iifname "lxc*" ip6 saddr 2620:11f:7001:7:ffff:eeee::/96 accept
+ iifname "lxc*" ip saddr 10.200.0.0/16 accept
  '';
- networking.firewall.extraForwardRules = ''
- ip6 daddr 2620:11f:7001:7:ffff:eeee::/96 accept
- ip6 daddr fd00:3e42:e349::/112 accept
- ip6 daddr 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 accept
- '';
+ networking.firewall.extraInputRules = builtins.concatStringsSep "\n" [
+ # Allow pod-to-node communication
+ ''
+ ip6 saddr 2620:11f:7001:7:ffff:eeee::/96 accept
+ ''
+ ];
+
+ # networking.firewall.extraInputRules = ''
+ # ip6 saddr 2620:11f:7001:7:ffff:eeee::/96 accept
+ # ip6 saddr fd00:3e42:e349::/112 accept
+ # ip6 saddr 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 accept
+ # '';
+
+ networking.firewall.extraForwardRules = builtins.concatStringsSep "\n" [
+ # Allow pod to external communication
+ ''
+ iifname "lxc*" ip6 saddr 2620:11f:7001:7:ffff:eeee::/96 accept
+ iifname "lxc*" ip saddr 10.200.0.0/16 accept
+ ''
+ # Allow pod-to-pod communication
+ ''
+ ip saddr 10.200.0.0/16 ip daddr 10.200.0.0/16 accept
+ ip6 saddr 2620:11f:7001:7:ffff:eeee::/96 ip6 daddr 2620:11f:7001:7:ffff:eeee::/96 accept
+ ''
+ # Allow external-to-pod communication
+ ''
+ ip daddr 10.200.0.0/16 accept
+ ip6 daddr 2620:11f:7001:7:ffff:eeee::/96 accept
+ ''
+ ];
+
+ # networking.firewall.extraForwardRules = ''
+ # ip6 daddr 2620:11f:7001:7:ffff:eeee::/96 accept
+ # ip6 daddr fd00:3e42:e349::/112 accept
+ # ip6 daddr 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 accept
+ # '';
  # Check logs for blocked connections:
  # journalctl -k or dmesg
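Review bot: The "external-to-pod" rules `ip daddr 10.200.0.0/16 accept` and `ip6 daddr 2620:11f:7001:7:ffff:eeee::/96 accept` carry no iifname, source or port qualifier, so as far as the host forward chain is concerned any forwarded packet from any interface is accepted the moment it is addressed to a pod address, which also makes the preceding "pod-to-pod" rules redundant (every packet they match is already accepted by these two). If only published services should be reachable from outside, qualify the two rules with the interface the external traffic arrives on, e.g. `iifname "<external-if>" ip daddr 10.200.0.0/16 accept` (interface name is a placeholder), or drop them and leave ingress to per-workload policy; whichever is chosen, the comment should say what "external" is meant to cover. The IPv6 pod range gets an unrestricted input accept but the 10.200.0.0/16 pods get none in extraInputRules; if that asymmetry is intended, a one-line comment explaining why would save the next reader from "fixing" it. The fd00:3e42:e349::/112 and ...:0ad7:0100/120 accepts are dropped without the commit message saying those ranges are no longer used, and the two commented-out copies of the removed blocks duplicate what git history already keeps, so they can go.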