Switch Matrix+Plume to IPv6, Add Trusted Net to ip6tables

app/config/configuration/plume/app.env

@@ -16,7 +16,7 @@ DATABASE_URL=postgres://plume:{{ key "secrets/plume/pgsql_pw" | trimSpace }}@psq
 MIGRATION_DIRECTORY=migrations/postgres
 
 USE_HTTPS=0
-ROCKET_ADDRESS=0.0.0.0
+ROCKET_ADDRESS=::
 ROCKET_PORT=7878
 
 MEDIA_UPLOAD_DIRECTORY=/app/static/media

app/deployment/im.hcl

@@ -9,11 +9,8 @@ job "im" {
 
       config {
         image = "superboum/amd64_synapse:v36"
+        network_mode = "host"
         readonly_rootfs = true
-        port_map {
-          client_port = 8008
-          federation_port = 8448
-        }
         command = "python"
         args = [
           "-m", "synapse.app.homeserver",
@@ -95,16 +92,12 @@ job "im" {
       resources {
         cpu = 1000
         memory = 4000
-        network {
-          port "client_port" { }
-          port "federation_port" { }
-        }
       }
 
       service {
         name = "synapse-client"
-        port = "client_port"
+        port = 8008
-        address_mode = "host"
+        address_mode = "driver"
         tags = [
           "matrix",
           "traefik.enable=true",
@@ -115,7 +108,8 @@ job "im" {
         ]
         check {
           type = "tcp"
-          port = "client_port"
+          port = 8008
+          address_mode = "driver"
           interval = "60s"
           timeout = "5s"
           check_restart {
@@ -128,8 +122,8 @@ job "im" {
 
       service {
         name = "synapse-federation"
-        port = "federation_port"
+        port = 8448
-        address_mode = "host"
+        address_mode = "driver"
         tags = [
           "matrix",
           "traefik.enable=true",

app/deployment/plume.hcl

@@ -13,9 +13,7 @@ job "plume" {
       driver = "docker"
       config {
         image = "superboum/plume:v1"
-        port_map {
+        network_mode = "host"
-          web_port = 7878
-        }
         #command = "cat"
         #args = [ "/dev/stdout" ]
         volumes = [
@@ -51,11 +49,12 @@ job "plume" {
           "traefik.frontend.entryPoints=https,http",
           "traefik.frontend.rule=Host:plume.deuxfleurs.fr",
         ]
-        port = "web_port"
+        port = 7878
-        address_mode = "host"
+        address_mode = "driver"
         check {
           type = "tcp"
-          port = "web_port"
+          port = 7878
+          address_mode = "driver"
           interval = "60s"
           timeout = "5s"
           check_restart {

os/config/roles/network/templates/rules.v6

@@ -3,6 +3,10 @@
 :FORWARD DROP [0:0]
 :OUTPUT ACCEPT [0:0]
 
+# Declaring our chains
+-N DEUXFLEURS-TRUSTED-NET
+-N DEUXFLEURS-TRUSTED-PORT
+
 # Internet Control Message Protocol
 # (required)
 -A INPUT -p icmp -j ACCEPT
@@ -21,6 +25,29 @@
 -A INPUT -s ::1/128 -j ACCEPT
 -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 
+# Who is part of our trusted net?
+# Max@Bruxelles
+-A DEUXFLEURS-TRUSTED-NET -s 2a02:1811:3606:4800::0/64 -j DEUXFLEURS-TRUSTED-PORT
+# Max@Suresnes
+-A DEUXFLEURS-TRUSTED-NET -s 2a01:e0a:183:7be2::0/64 -j DEUXFLEURS-TRUSTED-PORT
+# LX@Rennes
+-A DEUXFLEURS-TRUSTED-NET -s 2a02:8428:81d6:6901::0/64 -j DEUXFLEURS-TRUSTED-PORT
+# ADRN@Gandi
+-A DEUXFLEURS-TRUSTED-NET -s 2001:4b98:dc0:41:216:3eff:fe9b:1afb/128 -j DEUXFLEURS-TRUSTED-PORT
+# Quentin@Rennes
+-A DEUXFLEURS-TRUSTED-NET -s 2a01:e35:2fdc:dbe0::0/64 -j DEUXFLEURS-TRUSTED-PORT
+# Source address is not trusted
+-A DEUXFLEURS-TRUSTED-NET -j RETURN
+
+# What can do our trusted net?
+# Access garage basically
+-A DEUXFLEURS-TRUSTED-PORT -p tcp --dport 3901 -j ACCEPT
+# Port is not allowed
+-A DEUXFLEURS-TRUSTED-PORT -j RETURN
+
+# Let's check if the user comes from our trusted network
+-A INPUT -j DEUXFLEURS-TRUSTED-NET
+
 COMMIT
 
 *nat