Renaming services to containers.
This commit is contained in:
parent
00e6b1492e
commit
21b1cee0bb
7 changed files with 88 additions and 82 deletions
|
@ -1,7 +1,7 @@
|
|||
#!/bin/vbash
|
||||
|
||||
# Container networks
|
||||
set container network services prefix '10.5.0.0/24'
|
||||
set container network containers prefix '10.5.0.0/24'
|
||||
|
||||
# cloudflare-ddns
|
||||
set container name cloudflare-ddns allow-host-networks
|
||||
|
@ -21,7 +21,7 @@ set container name bind cap-add 'net-bind-service'
|
|||
set container name bind image 'docker.io/internetsystemsconsortium/bind9:9.19'
|
||||
set container name bind command '/usr/sbin/named -4 -f -c /etc/bind/named.conf -u bind'
|
||||
set container name bind memory '0'
|
||||
set container name bind network services address '10.5.0.3'
|
||||
set container name bind network containers address '10.5.0.3'
|
||||
set container name bind restart 'on-failure'
|
||||
set container name bind shared-memory '0'
|
||||
set container name bind volume config source '/config/containers/bind/config'
|
||||
|
@ -36,7 +36,7 @@ set container name dnsdist cap-add 'net-bind-service'
|
|||
set container name dnsdist environment TZ value 'America/Chicago'
|
||||
set container name dnsdist image 'docker.io/powerdns/dnsdist-17:1.7.4'
|
||||
set container name dnsdist memory '0'
|
||||
set container name dnsdist network services address '10.5.0.4'
|
||||
set container name dnsdist network containers address '10.5.0.4'
|
||||
set container name dnsdist restart 'on-failure'
|
||||
set container name dnsdist shared-memory '0'
|
||||
set container name dnsdist volume config source '/config/containers/dnsdist/config/dnsdist.conf'
|
||||
|
@ -46,7 +46,7 @@ set container name dnsdist volume config mode 'ro'
|
|||
# haproxy-k8s-api
|
||||
set container name haproxy-k8s-api image 'docker.io/library/haproxy:2.7.8'
|
||||
set container name haproxy-k8s-api memory '0'
|
||||
set container name haproxy-k8s-api network services address '10.5.0.2'
|
||||
set container name haproxy-k8s-api network containers address '10.5.0.2'
|
||||
set container name haproxy-k8s-api restart 'on-failure'
|
||||
set container name haproxy-k8s-api shared-memory '0'
|
||||
set container name haproxy-k8s-api volume config source '/config/containers/haproxy/config/haproxy.cfg'
|
||||
|
@ -113,7 +113,7 @@ set container name unifi environment UNIFI_STDOUT value 'true'
|
|||
set container name unifi environment UNIFI_UID value '999'
|
||||
set container name unifi image 'ghcr.io/jacobalberty/unifi-docker:v7.3.83'
|
||||
set container name unifi memory '0'
|
||||
set container name unifi network services address '10.5.0.10'
|
||||
set container name unifi network containers address '10.5.0.10'
|
||||
set container name unifi restart 'on-failure'
|
||||
set container name unifi shared-memory '0'
|
||||
set container name unifi volume data source '/config/containers/unifi'
|
||||
|
@ -124,7 +124,7 @@ set container name unifi volume data mode 'rw'
|
|||
set container name onepassword-connect image 'docker.io/1password/connect-api:1.7.0'
|
||||
set container name onepassword-connect environment TZ value 'America/Chicago'
|
||||
set container name onepassword-connect memory '0'
|
||||
set container name onepassword-connect network services address '10.5.0.5'
|
||||
set container name onepassword-connect network containers address '10.5.0.5'
|
||||
set container name onepassword-connect shared-memory '0'
|
||||
set container name onepassword-connect volume credentials source '/config/secrets/1password-credentials.json'
|
||||
set container name onepassword-connect volume credentials destination '/home/opuser/.op/1password-credentials.json'
|
||||
|
@ -138,7 +138,7 @@ set container name onepassword-sync image 'docker.io/1password/connect-sync:1.7.
|
|||
set container name onepassword-sync environment TZ value 'America/Chicago'
|
||||
set container name onepassword-sync memory '0'
|
||||
set container name onepassword-sync shared-memory '0'
|
||||
set container name onepassword-sync network services address '10.5.0.6'
|
||||
set container name onepassword-sync network containers address '10.5.0.6'
|
||||
set container name onepassword-sync volume credentials source '/config/secrets/1password-credentials.json'
|
||||
set container name onepassword-sync volume credentials destination '/home/opuser/.op/1password-credentials.json'
|
||||
set container name onepassword-sync volume credentials mode 'ro'
|
||||
|
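Review bot: The hunks only `set` the new `container network containers` path and the per-container `network containers address` lines; nothing visible deletes the old `container network services` definition, so if this script is ever applied on top of a running configuration rather than loaded into a fresh one, two container networks would claim prefix '10.5.0.0/24' and each container would keep its old `network services` binding next to the new one. The same applies to the zone file's switch from interface 'pod-services' to 'pod-containers'. If the script is always applied from scratch this is moot, but it is worth saying so in the commit message or guarding the block with `delete container network services` plus the matching `delete container name <CONTAINER_NAME> network services` lines so a partial apply cannot leave both in place. Separately, the onepassword-connect hunk shows no `restart` setting and no `mode 'ro'` on its credentials volume while the onepassword-sync hunk does carry `mode 'ro'`; those lines may simply sit outside the hunk — confirm, since a writable mount of '/config/secrets/1password-credentials.json' is the kind of drift a rename commit should not silently carry.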
|
|
@ -38,13 +38,13 @@ set firewall name guest-servers description 'From GUEST to SERVERS'
|
|||
set firewall name guest-servers enable-default-log
|
||||
|
||||
# From GUEST to SERVICES
|
||||
set firewall name guest-services default-action 'drop'
|
||||
set firewall name guest-services description 'From GUEST to SERVICES'
|
||||
set firewall name guest-services enable-default-log
|
||||
set firewall name guest-services rule 1 action 'accept'
|
||||
set firewall name guest-services rule 1 description 'Rule: accept_dns'
|
||||
set firewall name guest-services rule 1 destination port 'domain,domain-s'
|
||||
set firewall name guest-services rule 1 protocol 'tcp_udp'
|
||||
set firewall name guest-containers default-action 'drop'
|
||||
set firewall name guest-containers description 'From GUEST to SERVICES'
|
||||
set firewall name guest-containers enable-default-log
|
||||
set firewall name guest-containers rule 1 action 'accept'
|
||||
set firewall name guest-containers rule 1 description 'Rule: accept_dns'
|
||||
set firewall name guest-containers rule 1 destination port 'domain,domain-s'
|
||||
set firewall name guest-containers rule 1 protocol 'tcp_udp'
|
||||
|
||||
# From GUEST to TRUSTED
|
||||
set firewall name guest-trusted default-action 'drop'
|
||||
|
@ -172,12 +172,12 @@ set firewall name iot-servers rule 10 protocol 'tcp'
|
|||
set firewall name iot-servers rule 10 source group address-group 'vector_journald_allowed'
|
||||
|
||||
# From IOT to SERVICES
|
||||
set firewall name iot-services default-action 'accept'
|
||||
set firewall name iot-services description 'From IOT to SERVICES'
|
||||
set firewall name iot-services rule 1 action 'accept'
|
||||
set firewall name iot-services rule 1 description 'Rule: accept_dns'
|
||||
set firewall name iot-services rule 1 destination port 'domain,domain-s'
|
||||
set firewall name iot-services rule 1 protocol 'tcp_udp'
|
||||
set firewall name iot-containers default-action 'accept'
|
||||
set firewall name iot-containers description 'From IOT to SERVICES'
|
||||
set firewall name iot-containers rule 1 action 'accept'
|
||||
set firewall name iot-containers rule 1 description 'Rule: accept_dns'
|
||||
set firewall name iot-containers rule 1 destination port 'domain,domain-s'
|
||||
set firewall name iot-containers rule 1 protocol 'tcp_udp'
|
||||
|
||||
# From IOT to TRUSTED
|
||||
set firewall name iot-trusted default-action 'drop'
|
||||
|
@ -242,12 +242,12 @@ set firewall name lan-servers rule 1 description 'Rule: accept_icmp'
|
|||
set firewall name lan-servers rule 1 protocol 'icmp'
|
||||
|
||||
# From LAN to SERVICES
|
||||
set firewall name lan-services default-action 'accept'
|
||||
set firewall name lan-services description 'From LAN to SERVICES'
|
||||
set firewall name lan-services rule 1 action 'accept'
|
||||
set firewall name lan-services rule 1 description 'Rule: accept_dns'
|
||||
set firewall name lan-services rule 1 destination port 'domain,domain-s'
|
||||
set firewall name lan-services rule 1 protocol 'tcp_udp'
|
||||
set firewall name lan-containers default-action 'accept'
|
||||
set firewall name lan-containers description 'From LAN to SERVICES'
|
||||
set firewall name lan-containers rule 1 action 'accept'
|
||||
set firewall name lan-containers rule 1 description 'Rule: accept_dns'
|
||||
set firewall name lan-containers rule 1 destination port 'domain,domain-s'
|
||||
set firewall name lan-containers rule 1 protocol 'tcp_udp'
|
||||
|
||||
# From LAN to TRUSTED
|
||||
set firewall name lan-trusted default-action 'drop'
|
||||
|
@ -314,12 +314,12 @@ set firewall name local-servers rule 4 destination port '6001'
|
|||
set firewall name local-servers rule 4 protocol 'tcp'
|
||||
|
||||
# From LOCAL to SERVICES
|
||||
set firewall name local-services default-action 'accept'
|
||||
set firewall name local-services description 'From LOCAL to SERVICES'
|
||||
set firewall name local-services rule 1 action 'accept'
|
||||
set firewall name local-services rule 1 description 'Rule: accept_dns'
|
||||
set firewall name local-services rule 1 destination port 'domain,domain-s'
|
||||
set firewall name local-services rule 1 protocol 'tcp_udp'
|
||||
set firewall name local-containers default-action 'accept'
|
||||
set firewall name local-containers description 'From LOCAL to SERVICES'
|
||||
set firewall name local-containers rule 1 action 'accept'
|
||||
set firewall name local-containers rule 1 description 'Rule: accept_dns'
|
||||
set firewall name local-containers rule 1 destination port 'domain,domain-s'
|
||||
set firewall name local-containers rule 1 protocol 'tcp_udp'
|
||||
|
||||
# From LOCAL to TRUSTED
|
||||
set firewall name local-trusted default-action 'drop'
|
||||
|
@ -423,19 +423,25 @@ set firewall name servers-local rule 7 description 'Rule: accept_speedtest_expor
|
|||
set firewall name servers-local rule 7 destination port '9798'
|
||||
set firewall name servers-local rule 7 protocol 'tcp'
|
||||
set firewall name servers-local rule 7 source group address-group 'k8s_nodes'
|
||||
# TODO: Needed because of MetalLB?
|
||||
set firewall name servers-local rule 8 action 'accept'
|
||||
set firewall name servers-local rule 8 description 'Rule: accept_bgp_2'
|
||||
set firewall name servers-local rule 8 destination port '3784'
|
||||
set firewall name servers-local rule 8 protocol 'udp'
|
||||
set firewall name servers-local rule 8 source group address-group 'k8s_nodes'
|
||||
|
||||
# From SERVERS to SERVICES
|
||||
set firewall name servers-services default-action 'accept'
|
||||
set firewall name servers-services description 'From SERVERS to SERVICES'
|
||||
set firewall name servers-services enable-default-log
|
||||
set firewall name servers-services rule 1 action 'accept'
|
||||
set firewall name servers-services rule 1 description 'Rule: accept_dns'
|
||||
set firewall name servers-services rule 1 destination port 'domain,domain-s'
|
||||
set firewall name servers-services rule 1 protocol 'tcp_udp'
|
||||
set firewall name servers-services rule 2 action 'accept'
|
||||
set firewall name servers-services rule 2 description 'Rule: accept_k8s_api'
|
||||
set firewall name servers-services rule 2 destination port '6443'
|
||||
set firewall name servers-services rule 2 protocol 'tcp'
|
||||
set firewall name servers-containers default-action 'accept'
|
||||
set firewall name servers-containers description 'From SERVERS to SERVICES'
|
||||
set firewall name servers-containers enable-default-log
|
||||
set firewall name servers-containers rule 1 action 'accept'
|
||||
set firewall name servers-containers rule 1 description 'Rule: accept_dns'
|
||||
set firewall name servers-containers rule 1 destination port 'domain,domain-s'
|
||||
set firewall name servers-containers rule 1 protocol 'tcp_udp'
|
||||
set firewall name servers-containers rule 2 action 'accept'
|
||||
set firewall name servers-containers rule 2 description 'Rule: accept_k8s_api'
|
||||
set firewall name servers-containers rule 2 destination port '6443'
|
||||
set firewall name servers-containers rule 2 protocol 'tcp'
|
||||
|
||||
# From SERVERS to TRUSTED
|
||||
set firewall name servers-trusted default-action 'drop'
|
||||
|
@ -596,12 +602,12 @@ set firewall name trusted-servers rule 1 description 'Rule: accept_icmp'
|
|||
set firewall name trusted-servers rule 1 protocol 'icmp'
|
||||
|
||||
# From TRUSTED to SERVICES
|
||||
set firewall name trusted-services default-action 'accept'
|
||||
set firewall name trusted-services description 'From TRUSTED to SERVICES'
|
||||
set firewall name trusted-services rule 1 action 'accept'
|
||||
set firewall name trusted-services rule 1 description 'Rule: accept_dns'
|
||||
set firewall name trusted-services rule 1 destination port 'domain,domain-s'
|
||||
set firewall name trusted-services rule 1 protocol 'tcp_udp'
|
||||
set firewall name trusted-containers default-action 'accept'
|
||||
set firewall name trusted-containers description 'From TRUSTED to SERVICES'
|
||||
set firewall name trusted-containers rule 1 action 'accept'
|
||||
set firewall name trusted-containers rule 1 description 'Rule: accept_dns'
|
||||
set firewall name trusted-containers rule 1 destination port 'domain,domain-s'
|
||||
set firewall name trusted-containers rule 1 protocol 'tcp_udp'
|
||||
|
||||
# From TRUSTED to VIDEO
|
||||
set firewall name trusted-video default-action 'accept'
|
||||
|
@ -649,12 +655,12 @@ set firewall name video-servers description 'From VIDEO to SERVERS'
|
|||
set firewall name video-servers enable-default-log
|
||||
|
||||
# From VIDEO to SERVICES
|
||||
set firewall name video-services default-action 'accept'
|
||||
set firewall name video-services description 'From VIDEO to SERVICES'
|
||||
set firewall name video-services rule 1 action 'accept'
|
||||
set firewall name video-services rule 1 description 'Rule: accept_dns'
|
||||
set firewall name video-services rule 1 destination port 'domain,domain-s'
|
||||
set firewall name video-services rule 1 protocol 'tcp_udp'
|
||||
set firewall name video-containers default-action 'accept'
|
||||
set firewall name video-containers description 'From VIDEO to SERVICES'
|
||||
set firewall name video-containers rule 1 action 'accept'
|
||||
set firewall name video-containers rule 1 description 'Rule: accept_dns'
|
||||
set firewall name video-containers rule 1 destination port 'domain,domain-s'
|
||||
set firewall name video-containers rule 1 protocol 'tcp_udp'
|
||||
|
||||
# From VIDEO to TRUSTED
|
||||
set firewall name video-trusted default-action 'drop'
|
||||
|
@ -701,9 +707,9 @@ set firewall name wan-servers rule 10 protocol 'tcp'
|
|||
set firewall name wan-servers rule 10 destination address 10.1.1.12
|
||||
|
||||
# From WAN to SERVICES
|
||||
set firewall name wan-services default-action 'drop'
|
||||
set firewall name wan-services description 'From WAN to SERVICES'
|
||||
set firewall name wan-services enable-default-log
|
||||
set firewall name wan-containers default-action 'drop'
|
||||
set firewall name wan-containers description 'From WAN to SERVICES'
|
||||
set firewall name wan-containers enable-default-log
|
||||
|
||||
# From WAN to TRUSTED
|
||||
set firewall name wan-trusted default-action 'drop'
|
||||
|
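Review bot: The `description` strings of the renamed rulesets still read 'From GUEST to SERVICES', 'From IOT to SERVICES', 'From LAN to SERVICES', 'From LOCAL to SERVICES', 'From SERVERS to SERVICES', 'From TRUSTED to SERVICES', 'From VIDEO to SERVICES' and 'From WAN to SERVICES', and the `# From … to SERVICES` comment headers above each block were left as context, so the labels no longer match the rulesets they describe. Update each to the new zone name, e.g. `set firewall name guest-containers description 'From GUEST to CONTAINERS'` with the header `# From GUEST to CONTAINERS`, and likewise for the other seven hunks. On the policy itself, the iot-, lan-, local-, servers-, trusted- and video-containers rulesets use `default-action 'accept'`, which makes their explicit `accept_dns` rule 1 a no-op; that is pre-existing, but if the intent is an allowlist like guest-containers and wan-containers (default 'drop' with `enable-default-log`), this rename is a natural moment to flip those defaults or drop the dead rules.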
|
|
@ -5,7 +5,7 @@ set firewall zone guest from iot firewall name 'iot-guest'
|
|||
set firewall zone guest from lan firewall name 'lan-guest'
|
||||
set firewall zone guest from local firewall name 'local-guest'
|
||||
set firewall zone guest from servers firewall name 'servers-guest'
|
||||
set firewall zone guest from services firewall name 'services-guest'
|
||||
set firewall zone guest from containers firewall name 'containers-guest'
|
||||
set firewall zone guest from trusted firewall name 'trusted-guest'
|
||||
set firewall zone guest from video firewall name 'video-guest'
|
||||
set firewall zone guest from wan firewall name 'wan-guest'
|
||||
|
@ -16,7 +16,7 @@ set firewall zone iot from guest firewall name 'guest-iot'
|
|||
set firewall zone iot from lan firewall name 'lan-iot'
|
||||
set firewall zone iot from local firewall name 'local-iot'
|
||||
set firewall zone iot from servers firewall name 'servers-iot'
|
||||
set firewall zone iot from services firewall name 'services-iot'
|
||||
set firewall zone iot from containers firewall name 'containers-iot'
|
||||
set firewall zone iot from trusted firewall name 'trusted-iot'
|
||||
set firewall zone iot from video firewall name 'video-iot'
|
||||
set firewall zone iot from wan firewall name 'wan-iot'
|
||||
|
@ -27,7 +27,7 @@ set firewall zone lan from guest firewall name 'guest-lan'
|
|||
set firewall zone lan from iot firewall name 'iot-lan'
|
||||
set firewall zone lan from local firewall name 'local-lan'
|
||||
set firewall zone lan from servers firewall name 'servers-lan'
|
||||
set firewall zone lan from services firewall name 'services-lan'
|
||||
set firewall zone lan from containers firewall name 'containers-lan'
|
||||
set firewall zone lan from trusted firewall name 'trusted-lan'
|
||||
set firewall zone lan from video firewall name 'video-lan'
|
||||
set firewall zone lan from wan firewall name 'wan-lan'
|
||||
|
@ -39,7 +39,7 @@ set firewall zone local from guest firewall name 'guest-local'
|
|||
set firewall zone local from iot firewall name 'iot-local'
|
||||
set firewall zone local from lan firewall name 'lan-local'
|
||||
set firewall zone local from servers firewall name 'servers-local'
|
||||
set firewall zone local from services firewall name 'services-local'
|
||||
set firewall zone local from containers firewall name 'containers-local'
|
||||
set firewall zone local from trusted firewall name 'trusted-local'
|
||||
set firewall zone local from video firewall name 'video-local'
|
||||
set firewall zone local from wan firewall name 'wan-local'
|
||||
|
@ -50,23 +50,23 @@ set firewall zone servers from guest firewall name 'guest-servers'
|
|||
set firewall zone servers from iot firewall name 'iot-servers'
|
||||
set firewall zone servers from lan firewall name 'lan-servers'
|
||||
set firewall zone servers from local firewall name 'local-servers'
|
||||
set firewall zone servers from services firewall name 'services-servers'
|
||||
set firewall zone servers from containers firewall name 'containers-servers'
|
||||
set firewall zone servers from trusted firewall name 'trusted-servers'
|
||||
set firewall zone servers from video firewall name 'video-servers'
|
||||
set firewall zone servers from wan firewall name 'wan-servers'
|
||||
set firewall zone servers interface 'eth1.10'
|
||||
|
||||
set firewall zone services default-action 'drop'
|
||||
set firewall zone services description 'VyOS services zone'
|
||||
set firewall zone services from guest firewall name 'guest-services'
|
||||
set firewall zone services from iot firewall name 'iot-services'
|
||||
set firewall zone services from lan firewall name 'lan-services'
|
||||
set firewall zone services from local firewall name 'local-services'
|
||||
set firewall zone services from servers firewall name 'servers-services'
|
||||
set firewall zone services from trusted firewall name 'trusted-services'
|
||||
set firewall zone services from video firewall name 'video-services'
|
||||
set firewall zone services from wan firewall name 'wan-services'
|
||||
set firewall zone services interface 'pod-services'
|
||||
set firewall zone containers default-action 'drop'
|
||||
set firewall zone containers description 'VyOS containers zone'
|
||||
set firewall zone containers from guest firewall name 'guest-containers'
|
||||
set firewall zone containers from iot firewall name 'iot-containers'
|
||||
set firewall zone containers from lan firewall name 'lan-containers'
|
||||
set firewall zone containers from local firewall name 'local-containers'
|
||||
set firewall zone containers from servers firewall name 'servers-containers'
|
||||
set firewall zone containers from trusted firewall name 'trusted-containers'
|
||||
set firewall zone containers from video firewall name 'video-containers'
|
||||
set firewall zone containers from wan firewall name 'wan-containers'
|
||||
set firewall zone containers interface 'pod-containers'
|
||||
|
||||
set firewall zone trusted default-action 'drop'
|
||||
set firewall zone trusted from guest firewall name 'guest-trusted'
|
||||
|
@ -74,7 +74,7 @@ set firewall zone trusted from iot firewall name 'iot-trusted'
|
|||
set firewall zone trusted from lan firewall name 'lan-trusted'
|
||||
set firewall zone trusted from local firewall name 'local-trusted'
|
||||
set firewall zone trusted from servers firewall name 'servers-trusted'
|
||||
set firewall zone trusted from services firewall name 'services-trusted'
|
||||
set firewall zone trusted from containers firewall name 'containers-trusted'
|
||||
set firewall zone trusted from video firewall name 'video-trusted'
|
||||
set firewall zone trusted from wan firewall name 'wan-trusted'
|
||||
set firewall zone trusted interface 'eth1.20'
|
||||
|
@ -86,7 +86,7 @@ set firewall zone video from iot firewall name 'iot-video'
|
|||
set firewall zone video from lan firewall name 'lan-video'
|
||||
set firewall zone video from local firewall name 'local-video'
|
||||
set firewall zone video from servers firewall name 'servers-video'
|
||||
set firewall zone video from services firewall name 'services-video'
|
||||
set firewall zone video from containers firewall name 'containers-video'
|
||||
set firewall zone video from trusted firewall name 'trusted-video'
|
||||
set firewall zone video from wan firewall name 'wan-video'
|
||||
set firewall zone video interface 'eth1.50'
|
||||
|
@ -97,7 +97,7 @@ set firewall zone wan from iot firewall name 'iot-wan'
|
|||
set firewall zone wan from lan firewall name 'lan-wan'
|
||||
set firewall zone wan from local firewall name 'local-wan'
|
||||
set firewall zone wan from servers firewall name 'servers-wan'
|
||||
set firewall zone wan from services firewall name 'services-wan'
|
||||
set firewall zone wan from containers firewall name 'containers-wan'
|
||||
set firewall zone wan from trusted firewall name 'trusted-wan'
|
||||
set firewall zone wan from video firewall name 'video-wan'
|
||||
set firewall zone wan interface 'eth0'
|
||||
|
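Review bot: The new `containers` zone references the from-containers rulesets `containers-guest`, `containers-iot`, `containers-lan`, `containers-local`, `containers-servers`, `containers-trusted`, `containers-video` and `containers-wan`, but no visible hunk renames any `services-*` ruleset to those names; only the `*-services` → `*-containers` direction appears in the ruleset file. If those rulesets still exist under the old `services-*` names these zone lines point at undefined rulesets and the commit will not apply; if they are renamed in a part of the diff not shown here, nothing to do — worth confirming. The interface change from 'pod-services' to 'pod-containers' is the right follow-through given the `pod-<network>` naming the page shows, but verify on the device that the bridge actually comes up under the new name before the zone is attached, otherwise the zone's `default-action 'drop'` is guarding nothing.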
|
|
@ -2,11 +2,11 @@
|
|||
|
||||
set interfaces ethernet eth0 address 'dhcp'
|
||||
set interfaces ethernet eth0 description 'WAN'
|
||||
set interfaces ethernet eth0 hw-id 'a0:42:3f:2f:a9:68'
|
||||
set interfaces ethernet eth0 hw-id '04:42:1a:ef:35:75'
|
||||
|
||||
set interfaces ethernet eth1 address '10.1.0.1/24'
|
||||
set interfaces ethernet eth1 description 'LAN'
|
||||
set interfaces ethernet eth1 hw-id 'a0:42:3f:2f:a9:69'
|
||||
set interfaces ethernet eth1 hw-id '04:42:1a:ef:35:74'
|
||||
set interfaces ethernet eth1 vif 10 address '10.1.1.1/24'
|
||||
set interfaces ethernet eth1 vif 10 description 'SERVERS'
|
||||
set interfaces ethernet eth1 vif 20 address '10.1.2.1/24'
|
||||
|
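Review bot: The eth0 and eth1 `hw-id` changes (a0:42:3f:2f:a9:68 / a0:42:3f:2f:a9:69 versus 04:42:1a:ef:35:75 / 04:42:1a:ef:35:74) are unrelated to the services-to-containers rename in the commit title; from the rendered page I cannot tell which pair is old and which is new, but a change that re-pins the physical WAN and LAN interfaces to different MAC addresses deserves its own commit or at least a sentence in the message. Note that the 04:42 pair assigns the higher address (:75) to eth0 and the lower (:74) to eth1, the reverse of the a0:42 pair's ordering; that is easy to get backwards, and a swap here would put the 'WAN' interface on the LAN port, so double-check it against the actual NICs before this is applied.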
|
|
@ -7,7 +7,7 @@ acl "trusted" {
|
|||
10.1.4.0/24; # VIDEO
|
||||
192.168.2.0/24; # GUEST
|
||||
10.0.11.0/24; # WIREGUARD
|
||||
10.5.0.0/24; # SERVICES
|
||||
10.5.0.0/24; # CONTAINERS
|
||||
};
|
||||
|
||||
options {
|
||||
|
|
|
@ -15,7 +15,7 @@ $ORIGIN hsn.dev.
|
|||
; NS Records
|
||||
@ IN NS gateway.jahanson.tech.
|
||||
|
||||
; Services
|
||||
; Containers
|
||||
onepassword-connect IN A 10.5.0.5
|
||||
|
||||
; CNAME Records
|
||||
|
|
|
@ -33,7 +33,7 @@ livingroom-vacuum IN A 10.1.3.18
|
|||
; Video
|
||||
driveway-camera IN A 10.1.4.12
|
||||
|
||||
; Services
|
||||
; Containers
|
||||
cluster-0 IN A 10.5.0.2
|
||||
|
||||
; CNAME records
|
||||
|
|