From a9e9149739597dc287cff364437fffd1d886ccf7 Mon Sep 17 00:00:00 2001
From: Alex Auvolat
Date: Fri, 21 Apr 2023 11:29:15 +0200
Subject: [PATCH] Fix unbound; remove Nixos firewall (use only diplonat)
---
 cluster/prod/cluster.nix | 2 +-
 cluster/prod/site/bespin.nix | 2 --
 cluster/prod/site/neptune.nix | 2 --
 cluster/prod/site/orion.nix | 2 --
 cluster/prod/site/scorpio.nix | 2 --
 cluster/staging/site/bespin.nix | 2 --
 cluster/staging/site/corrin.nix | 2 --
 cluster/staging/site/jupiter.nix | 2 --
 cluster/staging/site/neptune.nix | 2 --
 nix/deuxfleurs.nix | 2 ++
 10 files changed, 3 insertions(+), 17 deletions(-)
diff --git a/cluster/prod/cluster.nix b/cluster/prod/cluster.nix
index cbeed8f..ea3bdec 100644
--- a/cluster/prod/cluster.nix
+++ b/cluster/prod/cluster.nix
@@ -6,7 +6,7 @@
 # The IP range to use for the Wireguard overlay of this cluster
 deuxfleurs.clusterPrefix = "10.83.0.0/16";

- deuxfleurs.cluster_nodes = {
+ deuxfleurs.clusterNodes = {
 "concombre" = {
 siteName = "neptune";
 publicKey = "VvXT0fPDfWsHxumZqVShpS33dJQAdpJ1E79ZbCBJP34=";
diff --git a/cluster/prod/site/bespin.nix b/cluster/prod/site/bespin.nix
index 3c9a668..cdce53e 100644
--- a/cluster/prod/site/bespin.nix
+++ b/cluster/prod/site/bespin.nix
@@ -4,6 +4,4 @@
 deuxfleurs.siteName = "bespin";
 deuxfleurs.staticIPv4.defaultGateway = "192.168.5.254";
 deuxfleurs.cnameTarget = "bespin.site.deuxfleurs.fr.";
-
- networking.firewall.allowedTCPPorts = [ 80 443 ];
 }
diff --git a/cluster/prod/site/neptune.nix b/cluster/prod/site/neptune.nix
index 81495c6..ab24f4a 100644
--- a/cluster/prod/site/neptune.nix
+++ b/cluster/prod/site/neptune.nix
@@ -5,6 +5,4 @@
 deuxfleurs.staticIPv4.defaultGateway = "192.168.1.1";
 deuxfleurs.cnameTarget = "neptune.site.deuxfleurs.fr.";
 deuxfleurs.publicIPv4 = "77.207.15.215";
-
- networking.firewall.allowedTCPPorts = [ 80 443 ];
 }
diff --git a/cluster/prod/site/orion.nix b/cluster/prod/site/orion.nix
index 5f6c33e..58c49ab 100644
--- a/cluster/prod/site/orion.nix
+++ b/cluster/prod/site/orion.nix
@@ -10,6 +10,4 @@
 deuxfleurs.staticIPv6.defaultGateway = "2a01:e0a:28f:5e60::1";
 deuxfleurs.cnameTarget = "orion.site.deuxfleurs.fr.";
 deuxfleurs.publicIPv4 = "82.66.80.201";
-
- networking.firewall.allowedTCPPorts = [ 80 443 ];
 }
diff --git a/cluster/prod/site/scorpio.nix b/cluster/prod/site/scorpio.nix
index b1e0f20..e36dc1d 100644
--- a/cluster/prod/site/scorpio.nix
+++ b/cluster/prod/site/scorpio.nix
@@ -5,6 +5,4 @@
 deuxfleurs.staticIPv4.defaultGateway = "192.168.1.254";
 deuxfleurs.cnameTarget = "scorpio.site.deuxfleurs.fr.";
 deuxfleurs.publicIPv4 = "82.65.41.110";
-
- networking.firewall.allowedTCPPorts = [ 80 443 ];
 }
diff --git a/cluster/staging/site/bespin.nix b/cluster/staging/site/bespin.nix
index 22feb59..2dbfbad 100644
--- a/cluster/staging/site/bespin.nix
+++ b/cluster/staging/site/bespin.nix
@@ -4,6 +4,4 @@
 deuxfleurs.siteName = "bespin";
 deuxfleurs.staticIPv4.defaultGateway = "192.168.5.254";
 deuxfleurs.cnameTarget = "bespin.site.staging.deuxfleurs.org.";
-
- networking.firewall.allowedTCPPorts = [ 80 443 ];
 }
diff --git a/cluster/staging/site/corrin.nix b/cluster/staging/site/corrin.nix
index 6eb5239..027f6b3 100644
--- a/cluster/staging/site/corrin.nix
+++ b/cluster/staging/site/corrin.nix
@@ -5,6 +5,4 @@
 deuxfleurs.staticIPv4.defaultGateway = "192.168.1.1";
 deuxfleurs.cnameTarget = "corrin.site.staging.deuxfleurs.org.";
 deuxfleurs.publicIPv4 = "2.13.96.213";
-
- networking.firewall.allowedTCPPorts = [ 80 443 ];
 }
diff --git a/cluster/staging/site/jupiter.nix b/cluster/staging/site/jupiter.nix
index 2d39f5a..28ba297 100644
--- a/cluster/staging/site/jupiter.nix
+++ b/cluster/staging/site/jupiter.nix
@@ -4,6 +4,4 @@
 deuxfleurs.siteName = "jupiter";
 deuxfleurs.staticIPv4.defaultGateway = "192.168.1.1";
 deuxfleurs.cnameTarget = "jupiter.site.staging.deuxfleurs.org.";
-
- networking.firewall.allowedTCPPorts = [ 80 443 ];
 }
diff --git a/cluster/staging/site/neptune.nix b/cluster/staging/site/neptune.nix
index f94d62f..86148f4 100644
--- a/cluster/staging/site/neptune.nix
+++ b/cluster/staging/site/neptune.nix
@@ -3,6 +3,4 @@
 {
 deuxfleurs.siteName = "neptune";
 deuxfleurs.cnameTarget = "neptune.site.staging.deuxfleurs.org.";
-
- networking.firewall.allowedTCPPorts = [ 80 443 ];
 }
diff --git a/nix/deuxfleurs.nix b/nix/deuxfleurs.nix
index 74a5734..4423318 100644
--- a/nix/deuxfleurs.nix
+++ b/nix/deuxfleurs.nix
@@ -213,6 +213,8 @@ in
 access-control = [
 "127.0.0.0/8 allow"
 "172.17.0.0/16 allow"
+ "192.168.0.0/16 allow"
+ "${cfg.clusterPrefix} allow"
 ];
 };
 stub-zone = [
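Review bot: The two new `access-control` entries are undocumented, and `192.168.0.0/16 allow` is far wider than the site LANs this same patch shows (gateways on 192.168.1.0/24 and 192.168.5.0/24), so any host that can present a 192.168.x.x source address to the resolver is granted recursion. With the per-site `networking.firewall.allowedTCPPorts` lines dropped in the other hunks, this allowlist (together with unbound's `interface` setting, which is outside the hunk) is presumably what now bounds who may query the resolver, so either narrow the entry to the site prefix or state why the whole /16 is intended. A one-line comment above each new entry would keep that intent reviewable, e.g. `# site LANs (192.168.x.0/24, see cluster/*/site/*.nix)` and `# Wireguard overlay (deuxfleurs.clusterPrefix)`. `${cfg.clusterPrefix}` is assumed to resolve to the `deuxfleurs.clusterPrefix` option set in cluster/prod/cluster.nix; confirm the staging cluster sets it as well, otherwise evaluating this string fails there. The enclosing unbound settings attribute set starts and ends outside the hunk.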