diff --git a/config-parts/container.sh b/config-parts/container.sh
index f0b0644..513cf48 100644
--- a/config-parts/container.sh
+++ b/config-parts/container.sh
@@ -1,7 +1,7 @@
 #!/bin/vbash
 # Container networks
-set container network services prefix '10.5.0.0/24'
+set container network containers prefix '10.5.0.0/24'
 # cloudflare-ddns
 set container name cloudflare-ddns allow-host-networks
@@ -21,7 +21,7 @@ set container name bind cap-add 'net-bind-service'
 set container name bind image 'docker.io/internetsystemsconsortium/bind9:9.19'
 set container name bind command '/usr/sbin/named -4 -f -c /etc/bind/named.conf -u bind'
 set container name bind memory '0'
-set container name bind network services address '10.5.0.3'
+set container name bind network containers address '10.5.0.3'
 set container name bind restart 'on-failure'
 set container name bind shared-memory '0'
 set container name bind volume config source '/config/containers/bind/config'
@@ -36,7 +36,7 @@ set container name dnsdist cap-add 'net-bind-service'
 set container name dnsdist environment TZ value 'America/Chicago'
 set container name dnsdist image 'docker.io/powerdns/dnsdist-17:1.7.4'
 set container name dnsdist memory '0'
-set container name dnsdist network services address '10.5.0.4'
+set container name dnsdist network containers address '10.5.0.4'
 set container name dnsdist restart 'on-failure'
 set container name dnsdist shared-memory '0'
 set container name dnsdist volume config source '/config/containers/dnsdist/config/dnsdist.conf'
@@ -46,7 +46,7 @@ set container name dnsdist volume config mode 'ro'
 # haproxy-k8s-api
 set container name haproxy-k8s-api image 'docker.io/library/haproxy:2.7.8'
 set container name haproxy-k8s-api memory '0'
-set container name haproxy-k8s-api network services address '10.5.0.2'
+set container name haproxy-k8s-api network containers address '10.5.0.2'
 set container name haproxy-k8s-api restart 'on-failure'
 set container name haproxy-k8s-api shared-memory '0'
 set container name haproxy-k8s-api volume config source '/config/containers/haproxy/config/haproxy.cfg'
@@ -113,7 +113,7 @@ set container name unifi environment UNIFI_STDOUT value 'true'
 set container name unifi environment UNIFI_UID value '999'
 set container name unifi image 'ghcr.io/jacobalberty/unifi-docker:v7.3.83'
 set container name unifi memory '0'
-set container name unifi network services address '10.5.0.10'
+set container name unifi network containers address '10.5.0.10'
 set container name unifi restart 'on-failure'
 set container name unifi shared-memory '0'
 set container name unifi volume data source '/config/containers/unifi'
@@ -124,7 +124,7 @@ set container name unifi volume data mode 'rw'
 set container name onepassword-connect image 'docker.io/1password/connect-api:1.7.0'
 set container name onepassword-connect environment TZ value 'America/Chicago'
 set container name onepassword-connect memory '0'
-set container name onepassword-connect network services address '10.5.0.5'
+set container name onepassword-connect network containers address '10.5.0.5'
 set container name onepassword-connect shared-memory '0'
 set container name onepassword-connect volume credentials source '/config/secrets/1password-credentials.json'
 set container name onepassword-connect volume credentials destination '/home/opuser/.op/1password-credentials.json'
@@ -138,7 +138,7 @@ set container name onepassword-sync image 'docker.io/1password/connect-sync:1.7.
 set container name onepassword-sync environment TZ value 'America/Chicago'
 set container name onepassword-sync memory '0'
 set container name onepassword-sync shared-memory '0'
-set container name onepassword-sync network services address '10.5.0.6'
+set container name onepassword-sync network containers address '10.5.0.6'
 set container name onepassword-sync volume credentials source '/config/secrets/1password-credentials.json'
 set container name onepassword-sync volume credentials destination '/home/opuser/.op/1password-credentials.json'
 set container name onepassword-sync volume credentials mode 'ro'
diff --git a/config-parts/firewall-name.sh b/config-parts/firewall-name.sh
index 37b6a96..b514bb9 100644
--- a/config-parts/firewall-name.sh
+++ b/config-parts/firewall-name.sh
@@ -38,13 +38,13 @@ set firewall name guest-servers description 'From GUEST to SERVERS'
 set firewall name guest-servers enable-default-log
 # From GUEST to SERVICES
-set firewall name guest-services default-action 'drop'
-set firewall name guest-services description 'From GUEST to SERVICES'
-set firewall name guest-services enable-default-log
-set firewall name guest-services rule 1 action 'accept'
-set firewall name guest-services rule 1 description 'Rule: accept_dns'
-set firewall name guest-services rule 1 destination port 'domain,domain-s'
-set firewall name guest-services rule 1 protocol 'tcp_udp'
+set firewall name guest-containers default-action 'drop'
+set firewall name guest-containers description 'From GUEST to SERVICES'
+set firewall name guest-containers enable-default-log
+set firewall name guest-containers rule 1 action 'accept'
+set firewall name guest-containers rule 1 description 'Rule: accept_dns'
+set firewall name guest-containers rule 1 destination port 'domain,domain-s'
+set firewall name guest-containers rule 1 protocol 'tcp_udp'
 # From GUEST to TRUSTED
 set firewall name guest-trusted default-action 'drop'
@@ -172,12 +172,12 @@ set firewall name iot-servers rule 10 protocol 'tcp'
 set firewall name iot-servers rule 10 source group address-group 'vector_journald_allowed'
 # From IOT to SERVICES
-set firewall name iot-services default-action 'accept'
-set firewall name iot-services description 'From IOT to SERVICES'
-set firewall name iot-services rule 1 action 'accept'
-set firewall name iot-services rule 1 description 'Rule: accept_dns'
-set firewall name iot-services rule 1 destination port 'domain,domain-s'
-set firewall name iot-services rule 1 protocol 'tcp_udp'
+set firewall name iot-containers default-action 'accept'
+set firewall name iot-containers description 'From IOT to SERVICES'
+set firewall name iot-containers rule 1 action 'accept'
+set firewall name iot-containers rule 1 description 'Rule: accept_dns'
+set firewall name iot-containers rule 1 destination port 'domain,domain-s'
+set firewall name iot-containers rule 1 protocol 'tcp_udp'
 # From IOT to TRUSTED
 set firewall name iot-trusted default-action 'drop'
@@ -242,12 +242,12 @@ set firewall name lan-servers rule 1 description 'Rule: accept_icmp'
 set firewall name lan-servers rule 1 protocol 'icmp'
 # From LAN to SERVICES
-set firewall name lan-services default-action 'accept'
-set firewall name lan-services description 'From LAN to SERVICES'
-set firewall name lan-services rule 1 action 'accept'
-set firewall name lan-services rule 1 description 'Rule: accept_dns'
-set firewall name lan-services rule 1 destination port 'domain,domain-s'
-set firewall name lan-services rule 1 protocol 'tcp_udp'
+set firewall name lan-containers default-action 'accept'
+set firewall name lan-containers description 'From LAN to SERVICES'
+set firewall name lan-containers rule 1 action 'accept'
+set firewall name lan-containers rule 1 description 'Rule: accept_dns'
+set firewall name lan-containers rule 1 destination port 'domain,domain-s'
+set firewall name lan-containers rule 1 protocol 'tcp_udp'
 # From LAN to TRUSTED
 set firewall name lan-trusted default-action 'drop'
@@ -314,12 +314,12 @@ set firewall name local-servers rule 4 destination port '6001'
 set firewall name local-servers rule 4 protocol 'tcp'
 # From LOCAL to SERVICES
-set firewall name local-services default-action 'accept'
-set firewall name local-services description 'From LOCAL to SERVICES'
-set firewall name local-services rule 1 action 'accept'
-set firewall name local-services rule 1 description 'Rule: accept_dns'
-set firewall name local-services rule 1 destination port 'domain,domain-s'
-set firewall name local-services rule 1 protocol 'tcp_udp'
+set firewall name local-containers default-action 'accept'
+set firewall name local-containers description 'From LOCAL to SERVICES'
+set firewall name local-containers rule 1 action 'accept'
+set firewall name local-containers rule 1 description 'Rule: accept_dns'
+set firewall name local-containers rule 1 destination port 'domain,domain-s'
+set firewall name local-containers rule 1 protocol 'tcp_udp'
 # From LOCAL to TRUSTED
 set firewall name local-trusted default-action 'drop'
@@ -423,19 +423,25 @@ set firewall name servers-local rule 7 description 'Rule: accept_speedtest_expor
 set firewall name servers-local rule 7 destination port '9798'
 set firewall name servers-local rule 7 protocol 'tcp'
 set firewall name servers-local rule 7 source group address-group 'k8s_nodes'
+# TODO: Needed because of MetalLB?
+set firewall name servers-local rule 8 action 'accept'
+set firewall name servers-local rule 8 description 'Rule: accept_bgp_2'
+set firewall name servers-local rule 8 destination port '3784'
+set firewall name servers-local rule 8 protocol 'udp'
+set firewall name servers-local rule 8 source group address-group 'k8s_nodes'
 # From SERVERS to SERVICES
-set firewall name servers-services default-action 'accept'
-set firewall name servers-services description 'From SERVERS to SERVICES'
-set firewall name servers-services enable-default-log
-set firewall name servers-services rule 1 action 'accept'
-set firewall name servers-services rule 1 description 'Rule: accept_dns'
-set firewall name servers-services rule 1 destination port 'domain,domain-s'
-set firewall name servers-services rule 1 protocol 'tcp_udp'
-set firewall name servers-services rule 2 action 'accept'
-set firewall name servers-services rule 2 description 'Rule: accept_k8s_api'
-set firewall name servers-services rule 2 destination port '6443'
-set firewall name servers-services rule 2 protocol 'tcp'
+set firewall name servers-containers default-action 'accept'
+set firewall name servers-containers description 'From SERVERS to SERVICES'
+set firewall name servers-containers enable-default-log
+set firewall name servers-containers rule 1 action 'accept'
+set firewall name servers-containers rule 1 description 'Rule: accept_dns'
+set firewall name servers-containers rule 1 destination port 'domain,domain-s'
+set firewall name servers-containers rule 1 protocol 'tcp_udp'
+set firewall name servers-containers rule 2 action 'accept'
+set firewall name servers-containers rule 2 description 'Rule: accept_k8s_api'
+set firewall name servers-containers rule 2 destination port '6443'
+set firewall name servers-containers rule 2 protocol 'tcp'
 # From SERVERS to TRUSTED
 set firewall name servers-trusted default-action 'drop'
@@ -596,12 +602,12 @@ set firewall name trusted-servers rule 1 description 'Rule: accept_icmp'
 set firewall name trusted-servers rule 1 protocol 'icmp'
 # From TRUSTED to SERVICES
-set firewall name trusted-services default-action 'accept'
-set firewall name trusted-services description 'From TRUSTED to SERVICES'
-set firewall name trusted-services rule 1 action 'accept'
-set firewall name trusted-services rule 1 description 'Rule: accept_dns'
-set firewall name trusted-services rule 1 destination port 'domain,domain-s'
-set firewall name trusted-services rule 1 protocol 'tcp_udp'
+set firewall name trusted-containers default-action 'accept'
+set firewall name trusted-containers description 'From TRUSTED to SERVICES'
+set firewall name trusted-containers rule 1 action 'accept'
+set firewall name trusted-containers rule 1 description 'Rule: accept_dns'
+set firewall name trusted-containers rule 1 destination port 'domain,domain-s'
+set firewall name trusted-containers rule 1 protocol 'tcp_udp'
 # From TRUSTED to VIDEO
 set firewall name trusted-video default-action 'accept'
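Review bot: The new servers-local rule 8 opens UDP 3784 under the description `'Rule: accept_bgp_2'` with a `# TODO: Needed because of MetalLB?` comment, but UDP 3784 is the BFD control port (IANA bfd-control), not BGP, which runs on TCP 179, so the name will mislead whoever audits this ruleset next. If the k8s nodes peer with this router via MetalLB in BGP mode with BFD enabled, the rule is what lets the BFD session reach the `local` zone; in that case change it to `set firewall name servers-local rule 8 description 'Rule: accept_bfd'` and replace the TODO with `# BFD control (UDP 3784) from k8s nodes for the MetalLB BGP peering`, and if BFD is not actually configured under `protocols bfd` the rule should be dropped rather than left as an open question. Keeping the `source group address-group 'k8s_nodes'` restriction is right; do not widen it to the whole SERVERS zone. Separately, the renamed `servers-containers` block still carries `description 'From SERVERS to SERVICES'`; updating it to `'From SERVERS to CONTAINERS'` keeps firewall log lines consistent with the zone name, and the same stale text survives in the other renamed `*-containers` rulesets.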
@@ -649,12 +655,12 @@ set firewall name video-servers description 'From VIDEO to SERVERS'
 set firewall name video-servers enable-default-log
 # From VIDEO to SERVICES
-set firewall name video-services default-action 'accept'
-set firewall name video-services description 'From VIDEO to SERVICES'
-set firewall name video-services rule 1 action 'accept'
-set firewall name video-services rule 1 description 'Rule: accept_dns'
-set firewall name video-services rule 1 destination port 'domain,domain-s'
-set firewall name video-services rule 1 protocol 'tcp_udp'
+set firewall name video-containers default-action 'accept'
+set firewall name video-containers description 'From VIDEO to SERVICES'
+set firewall name video-containers rule 1 action 'accept'
+set firewall name video-containers rule 1 description 'Rule: accept_dns'
+set firewall name video-containers rule 1 destination port 'domain,domain-s'
+set firewall name video-containers rule 1 protocol 'tcp_udp'
 # From VIDEO to TRUSTED
 set firewall name video-trusted default-action 'drop'
@@ -701,9 +707,9 @@ set firewall name wan-servers rule 10 protocol 'tcp'
 set firewall name wan-servers rule 10 destination address 10.1.1.12
 # From WAN to SERVICES
-set firewall name wan-services default-action 'drop'
-set firewall name wan-services description 'From WAN to SERVICES'
-set firewall name wan-services enable-default-log
+set firewall name wan-containers default-action 'drop'
+set firewall name wan-containers description 'From WAN to SERVICES'
+set firewall name wan-containers enable-default-log
 # From WAN to TRUSTED
 set firewall name wan-trusted default-action 'drop'
diff --git a/config-parts/firewall-zone.sh b/config-parts/firewall-zone.sh
index 3e16ba3..6517ef8 100644
--- a/config-parts/firewall-zone.sh
+++ b/config-parts/firewall-zone.sh
@@ -5,7 +5,7 @@ set firewall zone guest from iot firewall name 'iot-guest'
 set firewall zone guest from lan firewall name 'lan-guest'
 set firewall zone guest from local firewall name 'local-guest'
 set firewall zone guest from servers firewall name 'servers-guest'
-set firewall zone guest from services firewall name 'services-guest'
+set firewall zone guest from containers firewall name 'containers-guest'
 set firewall zone guest from trusted firewall name 'trusted-guest'
 set firewall zone guest from video firewall name 'video-guest'
 set firewall zone guest from wan firewall name 'wan-guest'
@@ -16,7 +16,7 @@ set firewall zone iot from guest firewall name 'guest-iot'
 set firewall zone iot from lan firewall name 'lan-iot'
 set firewall zone iot from local firewall name 'local-iot'
 set firewall zone iot from servers firewall name 'servers-iot'
-set firewall zone iot from services firewall name 'services-iot'
+set firewall zone iot from containers firewall name 'containers-iot'
 set firewall zone iot from trusted firewall name 'trusted-iot'
 set firewall zone iot from video firewall name 'video-iot'
 set firewall zone iot from wan firewall name 'wan-iot'
@@ -27,7 +27,7 @@ set firewall zone lan from guest firewall name 'guest-lan'
 set firewall zone lan from iot firewall name 'iot-lan'
 set firewall zone lan from local firewall name 'local-lan'
 set firewall zone lan from servers firewall name 'servers-lan'
-set firewall zone lan from services firewall name 'services-lan'
+set firewall zone lan from containers firewall name 'containers-lan'
 set firewall zone lan from trusted firewall name 'trusted-lan'
 set firewall zone lan from video firewall name 'video-lan'
 set firewall zone lan from wan firewall name 'wan-lan'
@@ -39,7 +39,7 @@ set firewall zone local from guest firewall name 'guest-local'
 set firewall zone local from iot firewall name 'iot-local'
 set firewall zone local from lan firewall name 'lan-local'
 set firewall zone local from servers firewall name 'servers-local'
-set firewall zone local from services firewall name 'services-local'
+set firewall zone local from containers firewall name 'containers-local'
 set firewall zone local from trusted firewall name 'trusted-local'
 set firewall zone local from video firewall name 'video-local'
 set firewall zone local from wan firewall name 'wan-local'
@@ -50,23 +50,23 @@ set firewall zone servers from guest firewall name 'guest-servers'
 set firewall zone servers from iot firewall name 'iot-servers'
 set firewall zone servers from lan firewall name 'lan-servers'
 set firewall zone servers from local firewall name 'local-servers'
-set firewall zone servers from services firewall name 'services-servers'
+set firewall zone servers from containers firewall name 'containers-servers'
 set firewall zone servers from trusted firewall name 'trusted-servers'
 set firewall zone servers from video firewall name 'video-servers'
 set firewall zone servers from wan firewall name 'wan-servers'
 set firewall zone servers interface 'eth1.10'
-set firewall zone services default-action 'drop'
-set firewall zone services description 'VyOS services zone'
-set firewall zone services from guest firewall name 'guest-services'
-set firewall zone services from iot firewall name 'iot-services'
-set firewall zone services from lan firewall name 'lan-services'
-set firewall zone services from local firewall name 'local-services'
-set firewall zone services from servers firewall name 'servers-services'
-set firewall zone services from trusted firewall name 'trusted-services'
-set firewall zone services from video firewall name 'video-services'
-set firewall zone services from wan firewall name 'wan-services'
-set firewall zone services interface 'pod-services'
+set firewall zone containers default-action 'drop'
+set firewall zone containers description 'VyOS containers zone'
+set firewall zone containers from guest firewall name 'guest-containers'
+set firewall zone containers from iot firewall name 'iot-containers'
+set firewall zone containers from lan firewall name 'lan-containers'
+set firewall zone containers from local firewall name 'local-containers'
+set firewall zone containers from servers firewall name 'servers-containers'
+set firewall zone containers from trusted firewall name 'trusted-containers'
+set firewall zone containers from video firewall name 'video-containers'
+set firewall zone containers from wan firewall name 'wan-containers'
+set firewall zone containers interface 'pod-containers'
 set firewall zone trusted default-action 'drop'
 set firewall zone trusted from guest firewall name 'guest-trusted'
@@ -74,7 +74,7 @@ set firewall zone trusted from iot firewall name 'iot-trusted'
 set firewall zone trusted from lan firewall name 'lan-trusted'
 set firewall zone trusted from local firewall name 'local-trusted'
 set firewall zone trusted from servers firewall name 'servers-trusted'
-set firewall zone trusted from services firewall name 'services-trusted'
+set firewall zone trusted from containers firewall name 'containers-trusted'
 set firewall zone trusted from video firewall name 'video-trusted'
 set firewall zone trusted from wan firewall name 'wan-trusted'
 set firewall zone trusted interface 'eth1.20'
@@ -86,7 +86,7 @@ set firewall zone video from iot firewall name 'iot-video'
 set firewall zone video from lan firewall name 'lan-video'
 set firewall zone video from local firewall name 'local-video'
 set firewall zone video from servers firewall name 'servers-video'
-set firewall zone video from services firewall name 'services-video'
+set firewall zone video from containers firewall name 'containers-video'
 set firewall zone video from trusted firewall name 'trusted-video'
 set firewall zone video from wan firewall name 'wan-video'
 set firewall zone video interface 'eth1.50'
@@ -97,7 +97,7 @@ set firewall zone wan from iot firewall name 'iot-wan'
 set firewall zone wan from lan firewall name 'lan-wan'
 set firewall zone wan from local firewall name 'local-wan'
 set firewall zone wan from servers firewall name 'servers-wan'
-set firewall zone wan from services firewall name 'services-wan'
+set firewall zone wan from containers firewall name 'containers-wan'
 set firewall zone wan from trusted firewall name 'trusted-wan'
 set firewall zone wan from video firewall name 'video-wan'
 set firewall zone wan interface 'eth0'
diff --git a/config-parts/interfaces.sh b/config-parts/interfaces.sh
index c8f2672..9bfbbf6 100644
--- a/config-parts/interfaces.sh
+++ b/config-parts/interfaces.sh
@@ -2,11 +2,11 @@
 set interfaces ethernet eth0 address 'dhcp'
 set interfaces ethernet eth0 description 'WAN'
-set interfaces ethernet eth0 hw-id 'a0:42:3f:2f:a9:68'
+set interfaces ethernet eth0 hw-id '04:42:1a:ef:35:75'
 set interfaces ethernet eth1 address '10.1.0.1/24'
 set interfaces ethernet eth1 description 'LAN'
-set interfaces ethernet eth1 hw-id 'a0:42:3f:2f:a9:69'
+set interfaces ethernet eth1 hw-id '04:42:1a:ef:35:74'
 set interfaces ethernet eth1 vif 10 address '10.1.1.1/24'
 set interfaces ethernet eth1 vif 10 description 'SERVERS'
 set interfaces ethernet eth1 vif 20 address '10.1.2.1/24'
diff --git a/containers/bind/config/named.conf b/containers/bind/config/named.conf
index 605b18c..4edb9a9 100644
--- a/containers/bind/config/named.conf
+++ b/containers/bind/config/named.conf
@@ -7,7 +7,7 @@ acl "trusted" {
 10.1.4.0/24; # VIDEO
 192.168.2.0/24; # GUEST
 10.0.11.0/24; # WIREGUARD
- 10.5.0.0/24; # SERVICES
+ 10.5.0.0/24; # CONTAINERS
 };
 options {
diff --git a/containers/bind/config/zones/db.hsn.dev b/containers/bind/config/zones/db.hsn.dev
index b94db2d..1b4a5e4 100644
--- a/containers/bind/config/zones/db.hsn.dev
+++ b/containers/bind/config/zones/db.hsn.dev
@@ -15,7 +15,7 @@ $ORIGIN hsn.dev.
 ; NS Records
 @ IN NS gateway.jahanson.tech.
-; Services
+; Containers
 onepassword-connect IN A 10.5.0.5
 ; CNAME Records
diff --git a/containers/bind/config/zones/db.jahanson.tech b/containers/bind/config/zones/db.jahanson.tech
index 63c2a8a..95e1053 100644
--- a/containers/bind/config/zones/db.jahanson.tech
+++ b/containers/bind/config/zones/db.jahanson.tech
@@ -33,7 +33,7 @@ livingroom-vacuum IN A 10.1.3.18
 ; Video
 driveway-camera IN A 10.1.4.12
-; Services
+; Containers
 cluster-0 IN A 10.5.0.2
 ; CNAME records