Fix unbound; remove Nixos firewall (use only diplonat)

2023-04-21 11:29:15 +02:00 · 2023-04-21 11:29:15 +02:00 · a9e9149739
parent 529480b133
commit a9e9149739
10 changed files with 3 additions and 17 deletions
--- a/cluster/prod/cluster.nix
+++ b/cluster/prod/cluster.nix
@ -6,7 +6,7 @@
  # The IP range to use for the Wireguard overlay of this cluster
  deuxfleurs.clusterPrefix = "10.83.0.0/16";

-  deuxfleurs.cluster_nodes = {
+  deuxfleurs.clusterNodes = {
    "concombre" = {
      siteName = "neptune";
      publicKey = "VvXT0fPDfWsHxumZqVShpS33dJQAdpJ1E79ZbCBJP34=";
--- a/cluster/prod/site/bespin.nix
+++ b/cluster/prod/site/bespin.nix
@ -4,6 +4,4 @@
  deuxfleurs.siteName = "bespin";
  deuxfleurs.staticIPv4.defaultGateway = "192.168.5.254";
  deuxfleurs.cnameTarget = "bespin.site.deuxfleurs.fr.";
-
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
 }
--- a/cluster/prod/site/neptune.nix
+++ b/cluster/prod/site/neptune.nix
@ -5,6 +5,4 @@
  deuxfleurs.staticIPv4.defaultGateway = "192.168.1.1";
  deuxfleurs.cnameTarget = "neptune.site.deuxfleurs.fr.";
  deuxfleurs.publicIPv4 = "77.207.15.215";
-
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
 }
--- a/cluster/prod/site/orion.nix
+++ b/cluster/prod/site/orion.nix
@ -10,6 +10,4 @@
  deuxfleurs.staticIPv6.defaultGateway = "2a01:e0a:28f:5e60::1";
  deuxfleurs.cnameTarget = "orion.site.deuxfleurs.fr.";
  deuxfleurs.publicIPv4 = "82.66.80.201";
-
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
 }
--- a/cluster/prod/site/scorpio.nix
+++ b/cluster/prod/site/scorpio.nix
@ -5,6 +5,4 @@
  deuxfleurs.staticIPv4.defaultGateway = "192.168.1.254";
  deuxfleurs.cnameTarget = "scorpio.site.deuxfleurs.fr.";
  deuxfleurs.publicIPv4 = "82.65.41.110";
-
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
 }
--- a/cluster/staging/site/bespin.nix
+++ b/cluster/staging/site/bespin.nix
@ -4,6 +4,4 @@
  deuxfleurs.siteName = "bespin";
  deuxfleurs.staticIPv4.defaultGateway = "192.168.5.254";
  deuxfleurs.cnameTarget = "bespin.site.staging.deuxfleurs.org.";
-
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
 }
--- a/cluster/staging/site/corrin.nix
+++ b/cluster/staging/site/corrin.nix
@ -5,6 +5,4 @@
  deuxfleurs.staticIPv4.defaultGateway = "192.168.1.1";
  deuxfleurs.cnameTarget = "corrin.site.staging.deuxfleurs.org.";
  deuxfleurs.publicIPv4 = "2.13.96.213";
-
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
 }
--- a/cluster/staging/site/jupiter.nix
+++ b/cluster/staging/site/jupiter.nix
@ -4,6 +4,4 @@
  deuxfleurs.siteName = "jupiter";
  deuxfleurs.staticIPv4.defaultGateway = "192.168.1.1";
  deuxfleurs.cnameTarget = "jupiter.site.staging.deuxfleurs.org.";
-
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
 }
--- a/cluster/staging/site/neptune.nix
+++ b/cluster/staging/site/neptune.nix
@ -3,6 +3,4 @@
 {
  deuxfleurs.siteName = "neptune";
  deuxfleurs.cnameTarget = "neptune.site.staging.deuxfleurs.org.";
-
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
 }
--- a/nix/deuxfleurs.nix
+++ b/nix/deuxfleurs.nix
@ -213,6 +213,8 @@ in
          access-control = [
            "127.0.0.0/8 allow"
            "172.17.0.0/16 allow"
+            "192.168.0.0/16 allow"
+            "${cfg.clusterPrefix} allow"
          ];
        };
        stub-zone = [