Renaming services to containers.

This commit is contained in:
Joseph Hanson 2023-05-25 11:11:13 -05:00
parent 00e6b1492e
commit 21b1cee0bb
Signed by: jahanson
SSH key fingerprint: SHA256:vy6dKBECV522aPAwklFM3ReKAVB086rT3oWwiuiFG7o
7 changed files with 88 additions and 82 deletions


@ -1,7 +1,7 @@
#!/bin/vbash
# Container networks
set container network services prefix '10.5.0.0/24'
set container network containers prefix '10.5.0.0/24'
# cloudflare-ddns
set container name cloudflare-ddns allow-host-networks
@ -21,7 +21,7 @@ set container name bind cap-add 'net-bind-service'
set container name bind image 'docker.io/internetsystemsconsortium/bind9:9.19'
set container name bind command '/usr/sbin/named -4 -f -c /etc/bind/named.conf -u bind'
set container name bind memory '0'
set container name bind network services address '10.5.0.3'
set container name bind network containers address '10.5.0.3'
set container name bind restart 'on-failure'
set container name bind shared-memory '0'
set container name bind volume config source '/config/containers/bind/config'
@ -36,7 +36,7 @@ set container name dnsdist cap-add 'net-bind-service'
set container name dnsdist environment TZ value 'America/Chicago'
set container name dnsdist image 'docker.io/powerdns/dnsdist-17:1.7.4'
set container name dnsdist memory '0'
set container name dnsdist network services address '10.5.0.4'
set container name dnsdist network containers address '10.5.0.4'
set container name dnsdist restart 'on-failure'
set container name dnsdist shared-memory '0'
set container name dnsdist volume config source '/config/containers/dnsdist/config/dnsdist.conf'
@ -46,7 +46,7 @@ set container name dnsdist volume config mode 'ro'
# haproxy-k8s-api
set container name haproxy-k8s-api image 'docker.io/library/haproxy:2.7.8'
set container name haproxy-k8s-api memory '0'
set container name haproxy-k8s-api network services address '10.5.0.2'
set container name haproxy-k8s-api network containers address '10.5.0.2'
set container name haproxy-k8s-api restart 'on-failure'
set container name haproxy-k8s-api shared-memory '0'
set container name haproxy-k8s-api volume config source '/config/containers/haproxy/config/haproxy.cfg'
@ -113,7 +113,7 @@ set container name unifi environment UNIFI_STDOUT value 'true'
set container name unifi environment UNIFI_UID value '999'
set container name unifi image 'ghcr.io/jacobalberty/unifi-docker:v7.3.83'
set container name unifi memory '0'
set container name unifi network services address '10.5.0.10'
set container name unifi network containers address '10.5.0.10'
set container name unifi restart 'on-failure'
set container name unifi shared-memory '0'
set container name unifi volume data source '/config/containers/unifi'
@ -124,7 +124,7 @@ set container name unifi volume data mode 'rw'
set container name onepassword-connect image 'docker.io/1password/connect-api:1.7.0'
set container name onepassword-connect environment TZ value 'America/Chicago'
set container name onepassword-connect memory '0'
set container name onepassword-connect network services address '10.5.0.5'
set container name onepassword-connect network containers address '10.5.0.5'
set container name onepassword-connect shared-memory '0'
set container name onepassword-connect volume credentials source '/config/secrets/1password-credentials.json'
set container name onepassword-connect volume credentials destination '/home/opuser/.op/1password-credentials.json'
@ -138,7 +138,7 @@ set container name onepassword-sync image 'docker.io/1password/connect-sync:1.7.
set container name onepassword-sync environment TZ value 'America/Chicago'
set container name onepassword-sync memory '0'
set container name onepassword-sync shared-memory '0'
set container name onepassword-sync network services address '10.5.0.6'
set container name onepassword-sync network containers address '10.5.0.6'
set container name onepassword-sync volume credentials source '/config/secrets/1password-credentials.json'
set container name onepassword-sync volume credentials destination '/home/opuser/.op/1password-credentials.json'
set container name onepassword-sync volume credentials mode 'ro'


@ -38,13 +38,13 @@ set firewall name guest-servers description 'From GUEST to SERVERS'
set firewall name guest-servers enable-default-log
# From GUEST to SERVICES
set firewall name guest-services default-action 'drop'
set firewall name guest-services description 'From GUEST to SERVICES'
set firewall name guest-services enable-default-log
set firewall name guest-services rule 1 action 'accept'
set firewall name guest-services rule 1 description 'Rule: accept_dns'
set firewall name guest-services rule 1 destination port 'domain,domain-s'
set firewall name guest-services rule 1 protocol 'tcp_udp'
set firewall name guest-containers default-action 'drop'
set firewall name guest-containers description 'From GUEST to SERVICES'
set firewall name guest-containers enable-default-log
set firewall name guest-containers rule 1 action 'accept'
set firewall name guest-containers rule 1 description 'Rule: accept_dns'
set firewall name guest-containers rule 1 destination port 'domain,domain-s'
set firewall name guest-containers rule 1 protocol 'tcp_udp'
# From GUEST to TRUSTED
set firewall name guest-trusted default-action 'drop'
@ -172,12 +172,12 @@ set firewall name iot-servers rule 10 protocol 'tcp'
set firewall name iot-servers rule 10 source group address-group 'vector_journald_allowed'
# From IOT to SERVICES
set firewall name iot-services default-action 'accept'
set firewall name iot-services description 'From IOT to SERVICES'
set firewall name iot-services rule 1 action 'accept'
set firewall name iot-services rule 1 description 'Rule: accept_dns'
set firewall name iot-services rule 1 destination port 'domain,domain-s'
set firewall name iot-services rule 1 protocol 'tcp_udp'
set firewall name iot-containers default-action 'accept'
set firewall name iot-containers description 'From IOT to SERVICES'
set firewall name iot-containers rule 1 action 'accept'
set firewall name iot-containers rule 1 description 'Rule: accept_dns'
set firewall name iot-containers rule 1 destination port 'domain,domain-s'
set firewall name iot-containers rule 1 protocol 'tcp_udp'
# From IOT to TRUSTED
set firewall name iot-trusted default-action 'drop'
@ -242,12 +242,12 @@ set firewall name lan-servers rule 1 description 'Rule: accept_icmp'
set firewall name lan-servers rule 1 protocol 'icmp'
# From LAN to SERVICES
set firewall name lan-services default-action 'accept'
set firewall name lan-services description 'From LAN to SERVICES'
set firewall name lan-services rule 1 action 'accept'
set firewall name lan-services rule 1 description 'Rule: accept_dns'
set firewall name lan-services rule 1 destination port 'domain,domain-s'
set firewall name lan-services rule 1 protocol 'tcp_udp'
set firewall name lan-containers default-action 'accept'
set firewall name lan-containers description 'From LAN to SERVICES'
set firewall name lan-containers rule 1 action 'accept'
set firewall name lan-containers rule 1 description 'Rule: accept_dns'
set firewall name lan-containers rule 1 destination port 'domain,domain-s'
set firewall name lan-containers rule 1 protocol 'tcp_udp'
# From LAN to TRUSTED
set firewall name lan-trusted default-action 'drop'
@ -314,12 +314,12 @@ set firewall name local-servers rule 4 destination port '6001'
set firewall name local-servers rule 4 protocol 'tcp'
# From LOCAL to SERVICES
set firewall name local-services default-action 'accept'
set firewall name local-services description 'From LOCAL to SERVICES'
set firewall name local-services rule 1 action 'accept'
set firewall name local-services rule 1 description 'Rule: accept_dns'
set firewall name local-services rule 1 destination port 'domain,domain-s'
set firewall name local-services rule 1 protocol 'tcp_udp'
set firewall name local-containers default-action 'accept'
set firewall name local-containers description 'From LOCAL to SERVICES'
set firewall name local-containers rule 1 action 'accept'
set firewall name local-containers rule 1 description 'Rule: accept_dns'
set firewall name local-containers rule 1 destination port 'domain,domain-s'
set firewall name local-containers rule 1 protocol 'tcp_udp'
# From LOCAL to TRUSTED
set firewall name local-trusted default-action 'drop'
@ -423,19 +423,25 @@ set firewall name servers-local rule 7 description 'Rule: accept_speedtest_expor
set firewall name servers-local rule 7 destination port '9798'
set firewall name servers-local rule 7 protocol 'tcp'
set firewall name servers-local rule 7 source group address-group 'k8s_nodes'
# TODO: Needed because of MetalLB?
set firewall name servers-local rule 8 action 'accept'
set firewall name servers-local rule 8 description 'Rule: accept_bgp_2'
set firewall name servers-local rule 8 destination port '3784'
set firewall name servers-local rule 8 protocol 'udp'
set firewall name servers-local rule 8 source group address-group 'k8s_nodes'
# From SERVERS to SERVICES
set firewall name servers-services default-action 'accept'
set firewall name servers-services description 'From SERVERS to SERVICES'
set firewall name servers-services enable-default-log
set firewall name servers-services rule 1 action 'accept'
set firewall name servers-services rule 1 description 'Rule: accept_dns'
set firewall name servers-services rule 1 destination port 'domain,domain-s'
set firewall name servers-services rule 1 protocol 'tcp_udp'
set firewall name servers-services rule 2 action 'accept'
set firewall name servers-services rule 2 description 'Rule: accept_k8s_api'
set firewall name servers-services rule 2 destination port '6443'
set firewall name servers-services rule 2 protocol 'tcp'
set firewall name servers-containers default-action 'accept'
set firewall name servers-containers description 'From SERVERS to SERVICES'
set firewall name servers-containers enable-default-log
set firewall name servers-containers rule 1 action 'accept'
set firewall name servers-containers rule 1 description 'Rule: accept_dns'
set firewall name servers-containers rule 1 destination port 'domain,domain-s'
set firewall name servers-containers rule 1 protocol 'tcp_udp'
set firewall name servers-containers rule 2 action 'accept'
set firewall name servers-containers rule 2 description 'Rule: accept_k8s_api'
set firewall name servers-containers rule 2 destination port '6443'
set firewall name servers-containers rule 2 protocol 'tcp'
# From SERVERS to TRUSTED
set firewall name servers-trusted default-action 'drop'
@ -596,12 +602,12 @@ set firewall name trusted-servers rule 1 description 'Rule: accept_icmp'
set firewall name trusted-servers rule 1 protocol 'icmp'
# From TRUSTED to SERVICES
set firewall name trusted-services default-action 'accept'
set firewall name trusted-services description 'From TRUSTED to SERVICES'
set firewall name trusted-services rule 1 action 'accept'
set firewall name trusted-services rule 1 description 'Rule: accept_dns'
set firewall name trusted-services rule 1 destination port 'domain,domain-s'
set firewall name trusted-services rule 1 protocol 'tcp_udp'
set firewall name trusted-containers default-action 'accept'
set firewall name trusted-containers description 'From TRUSTED to SERVICES'
set firewall name trusted-containers rule 1 action 'accept'
set firewall name trusted-containers rule 1 description 'Rule: accept_dns'
set firewall name trusted-containers rule 1 destination port 'domain,domain-s'
set firewall name trusted-containers rule 1 protocol 'tcp_udp'
# From TRUSTED to VIDEO
set firewall name trusted-video default-action 'accept'
@ -649,12 +655,12 @@ set firewall name video-servers description 'From VIDEO to SERVERS'
set firewall name video-servers enable-default-log
# From VIDEO to SERVICES
set firewall name video-services default-action 'accept'
set firewall name video-services description 'From VIDEO to SERVICES'
set firewall name video-services rule 1 action 'accept'
set firewall name video-services rule 1 description 'Rule: accept_dns'
set firewall name video-services rule 1 destination port 'domain,domain-s'
set firewall name video-services rule 1 protocol 'tcp_udp'
set firewall name video-containers default-action 'accept'
set firewall name video-containers description 'From VIDEO to SERVICES'
set firewall name video-containers rule 1 action 'accept'
set firewall name video-containers rule 1 description 'Rule: accept_dns'
set firewall name video-containers rule 1 destination port 'domain,domain-s'
set firewall name video-containers rule 1 protocol 'tcp_udp'
# From VIDEO to TRUSTED
set firewall name video-trusted default-action 'drop'
@ -701,9 +707,9 @@ set firewall name wan-servers rule 10 protocol 'tcp'
set firewall name wan-servers rule 10 destination address 10.1.1.12
# From WAN to SERVICES
set firewall name wan-services default-action 'drop'
set firewall name wan-services description 'From WAN to SERVICES'
set firewall name wan-services enable-default-log
set firewall name wan-containers default-action 'drop'
set firewall name wan-containers description 'From WAN to SERVICES'
set firewall name wan-containers enable-default-log
# From WAN to TRUSTED
set firewall name wan-trusted default-action 'drop'
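Review bot: Rule 8 added to `servers-local` in the `@ -423,19 +423,25 @@` hunk opens UDP 3784 from `k8s_nodes` to the router but is labelled `accept_bgp_2` and carries `# TODO: Needed because of MetalLB?`; 3784/udp is the BFD control port (RFC 5881), not BGP (179/tcp), so the name misdescribes what is being exposed and the open question should be settled before this lands rather than shipped as a TODO. If MetalLB speakers are running BFD against the router, renaming it `set firewall name servers-local rule 8 description 'Rule: accept_bfd'` and replacing the TODO with `# BFD control (RFC 5881) from k8s_nodes for the MetalLB BGP sessions` records the real purpose; if they are not, the rule should be dropped so the LOCAL zone is not reachable on an unused port. This rule is also not mentioned in the commit message, which describes only the rename. Separately, every renamed chain keeps its old text (e.g. `set firewall name guest-containers description 'From GUEST to SERVICES'`) while the zone description was updated to 'VyOS containers zone'; changing these to `'From GUEST to CONTAINERS'` and so on keeps `show firewall` and the default-log output consistent with the new zone name.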


@ -5,7 +5,7 @@ set firewall zone guest from iot firewall name 'iot-guest'
set firewall zone guest from lan firewall name 'lan-guest'
set firewall zone guest from local firewall name 'local-guest'
set firewall zone guest from servers firewall name 'servers-guest'
set firewall zone guest from services firewall name 'services-guest'
set firewall zone guest from containers firewall name 'containers-guest'
set firewall zone guest from trusted firewall name 'trusted-guest'
set firewall zone guest from video firewall name 'video-guest'
set firewall zone guest from wan firewall name 'wan-guest'
@ -16,7 +16,7 @@ set firewall zone iot from guest firewall name 'guest-iot'
set firewall zone iot from lan firewall name 'lan-iot'
set firewall zone iot from local firewall name 'local-iot'
set firewall zone iot from servers firewall name 'servers-iot'
set firewall zone iot from services firewall name 'services-iot'
set firewall zone iot from containers firewall name 'containers-iot'
set firewall zone iot from trusted firewall name 'trusted-iot'
set firewall zone iot from video firewall name 'video-iot'
set firewall zone iot from wan firewall name 'wan-iot'
@ -27,7 +27,7 @@ set firewall zone lan from guest firewall name 'guest-lan'
set firewall zone lan from iot firewall name 'iot-lan'
set firewall zone lan from local firewall name 'local-lan'
set firewall zone lan from servers firewall name 'servers-lan'
set firewall zone lan from services firewall name 'services-lan'
set firewall zone lan from containers firewall name 'containers-lan'
set firewall zone lan from trusted firewall name 'trusted-lan'
set firewall zone lan from video firewall name 'video-lan'
set firewall zone lan from wan firewall name 'wan-lan'
@ -39,7 +39,7 @@ set firewall zone local from guest firewall name 'guest-local'
set firewall zone local from iot firewall name 'iot-local'
set firewall zone local from lan firewall name 'lan-local'
set firewall zone local from servers firewall name 'servers-local'
set firewall zone local from services firewall name 'services-local'
set firewall zone local from containers firewall name 'containers-local'
set firewall zone local from trusted firewall name 'trusted-local'
set firewall zone local from video firewall name 'video-local'
set firewall zone local from wan firewall name 'wan-local'
@ -50,23 +50,23 @@ set firewall zone servers from guest firewall name 'guest-servers'
set firewall zone servers from iot firewall name 'iot-servers'
set firewall zone servers from lan firewall name 'lan-servers'
set firewall zone servers from local firewall name 'local-servers'
set firewall zone servers from services firewall name 'services-servers'
set firewall zone servers from containers firewall name 'containers-servers'
set firewall zone servers from trusted firewall name 'trusted-servers'
set firewall zone servers from video firewall name 'video-servers'
set firewall zone servers from wan firewall name 'wan-servers'
set firewall zone servers interface 'eth1.10'
set firewall zone services default-action 'drop'
set firewall zone services description 'VyOS services zone'
set firewall zone services from guest firewall name 'guest-services'
set firewall zone services from iot firewall name 'iot-services'
set firewall zone services from lan firewall name 'lan-services'
set firewall zone services from local firewall name 'local-services'
set firewall zone services from servers firewall name 'servers-services'
set firewall zone services from trusted firewall name 'trusted-services'
set firewall zone services from video firewall name 'video-services'
set firewall zone services from wan firewall name 'wan-services'
set firewall zone services interface 'pod-services'
set firewall zone containers default-action 'drop'
set firewall zone containers description 'VyOS containers zone'
set firewall zone containers from guest firewall name 'guest-containers'
set firewall zone containers from iot firewall name 'iot-containers'
set firewall zone containers from lan firewall name 'lan-containers'
set firewall zone containers from local firewall name 'local-containers'
set firewall zone containers from servers firewall name 'servers-containers'
set firewall zone containers from trusted firewall name 'trusted-containers'
set firewall zone containers from video firewall name 'video-containers'
set firewall zone containers from wan firewall name 'wan-containers'
set firewall zone containers interface 'pod-containers'
set firewall zone trusted default-action 'drop'
set firewall zone trusted from guest firewall name 'guest-trusted'
@ -74,7 +74,7 @@ set firewall zone trusted from iot firewall name 'iot-trusted'
set firewall zone trusted from lan firewall name 'lan-trusted'
set firewall zone trusted from local firewall name 'local-trusted'
set firewall zone trusted from servers firewall name 'servers-trusted'
set firewall zone trusted from services firewall name 'services-trusted'
set firewall zone trusted from containers firewall name 'containers-trusted'
set firewall zone trusted from video firewall name 'video-trusted'
set firewall zone trusted from wan firewall name 'wan-trusted'
set firewall zone trusted interface 'eth1.20'
@ -86,7 +86,7 @@ set firewall zone video from iot firewall name 'iot-video'
set firewall zone video from lan firewall name 'lan-video'
set firewall zone video from local firewall name 'local-video'
set firewall zone video from servers firewall name 'servers-video'
set firewall zone video from services firewall name 'services-video'
set firewall zone video from containers firewall name 'containers-video'
set firewall zone video from trusted firewall name 'trusted-video'
set firewall zone video from wan firewall name 'wan-video'
set firewall zone video interface 'eth1.50'
@ -97,7 +97,7 @@ set firewall zone wan from iot firewall name 'iot-wan'
set firewall zone wan from lan firewall name 'lan-wan'
set firewall zone wan from local firewall name 'local-wan'
set firewall zone wan from servers firewall name 'servers-wan'
set firewall zone wan from services firewall name 'services-wan'
set firewall zone wan from containers firewall name 'containers-wan'
set firewall zone wan from trusted firewall name 'trusted-wan'
set firewall zone wan from video firewall name 'video-wan'
set firewall zone wan interface 'eth0'


@ -2,11 +2,11 @@
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth0 hw-id 'a0:42:3f:2f:a9:68'
set interfaces ethernet eth0 hw-id '04:42:1a:ef:35:75'
set interfaces ethernet eth1 address '10.1.0.1/24'
set interfaces ethernet eth1 description 'LAN'
set interfaces ethernet eth1 hw-id 'a0:42:3f:2f:a9:69'
set interfaces ethernet eth1 hw-id '04:42:1a:ef:35:74'
set interfaces ethernet eth1 vif 10 address '10.1.1.1/24'
set interfaces ethernet eth1 vif 10 description 'SERVERS'
set interfaces ethernet eth1 vif 20 address '10.1.2.1/24'
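Review bot: The `hw-id` changes on eth0 and eth1 (`04:42:1a:ef:35:75` and `04:42:1a:ef:35:74`) are a NIC swap unrelated to the services→containers rename this commit describes, and on VyOS the `hw-id` is what pins the `eth0`/`eth1` names, and therefore the WAN and LAN roles, to physical ports at boot. They belong in their own commit, or at least in this commit message, so that reverting the rename does not silently undo the MAC bindings. Note too that the new pair is assigned in descending order (eth0 gets `…:75`, eth1 gets `…:74`), the reverse of the old `…:68`/`…:69`; presumably this matches the new card's port order, but it is worth confirming against `show interfaces ethernet` before committing, since a swap would place the DHCP WAN interface on the LAN port.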


@ -7,7 +7,7 @@ acl "trusted" {
10.1.4.0/24; # VIDEO
192.168.2.0/24; # GUEST
10.0.11.0/24; # WIREGUARD
10.5.0.0/24; # SERVICES
10.5.0.0/24; # CONTAINERS
};
options {


@ -15,7 +15,7 @@ $ORIGIN hsn.dev.
; NS Records
@ IN NS gateway.jahanson.tech.
; Services
; Containers
onepassword-connect IN A 10.5.0.5
; CNAME Records


@ -33,7 +33,7 @@ livingroom-vacuum IN A 10.1.3.18
; Video
driveway-camera IN A 10.1.4.12
; Services
; Containers
cluster-0 IN A 10.5.0.2
; CNAME records