talexander/machine_setup
1
0
Fork 0
Code Issues Pull Requests Releases Activity

Enable the firewall.

Browse Source
This commit is contained in:
Tom Alexander
2026-04-18 15:49:08 -04:00
parent 01f2927bd4
commit a5e70c5d4e
4 changed files with 94 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
nix/configuration/configuration.nix
View File

@@ -137,14 +137,14 @@ in
nix.settings.keep-derivations = true; nix.settings.keep-derivations = true;
# Automatic garbage collection # Automatic garbage collection
nix.gc = lib.mkIf (!config.me.buildingPortable) { # nix.gc = lib.mkIf (!config.me.buildingPortable) {
# Runs nix-collect-garbage --delete-older-than 5d # # Runs nix-collect-garbage --delete-older-than 5d
automatic = true; # automatic = true;
persistent = true; # persistent = true;
dates = "monthly"; # dates = "monthly";
# randomizedDelaySec = "14m"; # # randomizedDelaySec = "14m";
options = "--delete-older-than 30d"; # options = "--delete-older-than 30d";
}; # };
nix.settings.auto-optimise-store = !config.me.buildingPortable; nix.settings.auto-optimise-store = !config.me.buildingPortable;
environment.systemPackages = [ environment.systemPackages = [

4
nix/kubernetes/README.org
View File

@@ -32,6 +32,10 @@
#+begin_src bash #+begin_src bash
kubectl -n kube-system exec ds/cilium -- cilium-dbg monitor --type drop kubectl -n kube-system exec ds/cilium -- cilium-dbg monitor --type drop
#+end_src #+end_src
** Show dropped packets for a specific pod
#+begin_src bash
kubectl -n kube-system exec ds/cilium -- hubble observe --since 30s --pod cnpg-system/cnpg-controller-manager-84d498b97-q5m4n --type drop
#+end_src
** Install flux ** Install flux
#+begin_src bash #+begin_src bash
nix shell 'nixpkgs#fluxcd' nix shell 'nixpkgs#fluxcd'

41
nix/kubernetes/keys/package/deploy-script/package.nix
View File

@@ -53,6 +53,33 @@ let
group = "11236"; group = "11236";
mode = "0600"; mode = "0600";
}) })
+ (lib.concatMapStringsSep "\n" create_pv_dir [
{
path = "manual-pv/gitea-psql";
owner = "26";
group = "26";
mode = "0777";
}
# {
# path = "manual-pv/gitea";
# owner = "1000";
# group = "1000";
# mode = "0777";
# }
# {
# path = "manual-pv/gitea/gitea";
# owner = "1000";
# group = "1000";
# mode = "0700";
# }
# {
# path = "manual-pv/gitea/gitea/public";
# owner = "1000";
# group = "1000";
# mode = "0755";
# }
])
); );
deploy_script = (writeShellScript "deploy-script" deploy_script_body); deploy_script = (writeShellScript "deploy-script" deploy_script_body);
deploy_file = ( deploy_file = (
@@ -287,6 +314,20 @@ let
echo "${public_key_name} is already trusted in ${destination}" echo "${public_key_name} is already trusted in ${destination}"
fi fi
''; '';
create_pv_dir =
{
path,
owner,
group,
mode,
}:
''
##
## create pv directory ${path}
##
${openssh}/bin/ssh mrmanager doas install -d -o "${owner}" -g "${group}" -m "${mode}" "/nk8spv/${path}"
'';
in in
stdenv.mkDerivation (finalAttrs: { stdenv.mkDerivation (finalAttrs: {
name = "deploy-script"; name = "deploy-script";

51
nix/kubernetes/roles/firewall/default.nix
View File

@@ -32,23 +32,54 @@
# "net.ipv6.conf.all.forwarding" = 1; # "net.ipv6.conf.all.forwarding" = 1;
}; };
networking.firewall.enable = false; networking.firewall.enable = true;
networking.nftables.enable = true; networking.nftables.enable = true;
# We want to filter forwarded traffic. # We want to filter forwarded traffic.
# Also needed for `networking.firewall.extraForwardRules` to do anything. # Also needed for `networking.firewall.extraForwardRules` to do anything.
networking.firewall.filterForward = true; networking.firewall.filterForward = true;
networking.firewall.extraInputRules = '' # Allow traffic from the pods on the lxc interfaces even though the interfaces do not have the correct ip addressses set for the return path.
ip6 saddr 2620:11f:7001:7:ffff:eeee::/96 accept networking.firewall.extraReversePathFilterRules = ''
ip6 saddr fd00:3e42:e349::/112 accept iifname "lxc*" ip6 saddr 2620:11f:7001:7:ffff:eeee::/96 accept
ip6 saddr 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 accept iifname "lxc*" ip saddr 10.200.0.0/16 accept
''; '';
networking.firewall.extraForwardRules = '' networking.firewall.extraInputRules = builtins.concatStringsSep "\n" [
ip6 daddr 2620:11f:7001:7:ffff:eeee::/96 accept # Allow pod-to-node communication
ip6 daddr fd00:3e42:e349::/112 accept ''
ip6 daddr 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 accept ip6 saddr 2620:11f:7001:7:ffff:eeee::/96 accept
''; ''
];
# networking.firewall.extraInputRules = ''
# ip6 saddr 2620:11f:7001:7:ffff:eeee::/96 accept
# ip6 saddr fd00:3e42:e349::/112 accept
# ip6 saddr 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 accept
# '';
networking.firewall.extraForwardRules = builtins.concatStringsSep "\n" [
# Allow pod to external communication
''
iifname "lxc*" ip6 saddr 2620:11f:7001:7:ffff:eeee::/96 accept
iifname "lxc*" ip saddr 10.200.0.0/16 accept
''
# Allow pod-to-pod communication
''
ip saddr 10.200.0.0/16 ip daddr 10.200.0.0/16 accept
ip6 saddr 2620:11f:7001:7:ffff:eeee::/96 ip6 daddr 2620:11f:7001:7:ffff:eeee::/96 accept
''
# Allow external-to-pod communication
''
ip daddr 10.200.0.0/16 accept
ip6 daddr 2620:11f:7001:7:ffff:eeee::/96 accept
''
];
# networking.firewall.extraForwardRules = ''
# ip6 daddr 2620:11f:7001:7:ffff:eeee::/96 accept
# ip6 daddr fd00:3e42:e349::/112 accept
# ip6 daddr 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 accept
# '';
# Check logs for blocked connections: # Check logs for blocked connections:
# journalctl -k or dmesg # journalctl -k or dmesg