Initial Commit.
This commit is contained in:
Joseph Hanson
commit
31c27facb1
30 changed files with 1971 additions and 0 deletions
1
.gitattributes
vendored
Normal file
1
.gitattributes
vendored
Normal file
|
|
@ -0,0 +1 @@
|
||||||
|
* text=auto
|
||||||
10
.github/.gitignore
vendored
Normal file
10
.github/.gitignore
vendored
Normal file
|
|
@ -0,0 +1,10 @@
|
||||||
|
# Ignore everything
|
||||||
|
/*
|
||||||
|
|
||||||
|
# Track certain files and directories
|
||||||
|
!.gitignore
|
||||||
|
!renovate.json5
|
||||||
|
|
||||||
|
!/workflows/
|
||||||
|
/workflows/*
|
||||||
|
!/workflows/**.yaml
|
||||||
17
.gitignore
vendored
Normal file
17
.gitignore
vendored
Normal file
|
|
@ -0,0 +1,17 @@
|
||||||
|
# Ignore everything
|
||||||
|
/*
|
||||||
|
|
||||||
|
# Track certain files and directories
|
||||||
|
!.gitignore
|
||||||
|
!.gitattributes
|
||||||
|
!.sops.yaml
|
||||||
|
!apply-config.sh
|
||||||
|
!secret.sops.env
|
||||||
|
|
||||||
|
# VyOS config
|
||||||
|
!scripts/
|
||||||
|
!config-parts/
|
||||||
|
!containers/
|
||||||
|
|
||||||
|
# CI
|
||||||
|
!.github/
|
||||||
6
.sops.yaml
Normal file
6
.sops.yaml
Normal file
|
|
@ -0,0 +1,6 @@
|
||||||
|
---
|
||||||
|
creation_rules:
|
||||||
|
- path_regex: .*\.sops\.env
|
||||||
|
# Personal, VyOS
|
||||||
|
age: >-
|
||||||
|
age1jrwr0h64c8lze8870uzq2pkk40d7z426k759988f9wmzm2ylpdjsgh30m7
|
||||||
88
apply-config.sh
Normal file
88
apply-config.sh
Normal file
|
|
@ -0,0 +1,88 @@
|
||||||
|
#!/bin/vbash
|
||||||
|
# shellcheck shell=bash
|
||||||
|
# shellcheck source=/dev/null
|
||||||
|
dry_run=false
|
||||||
|
|
||||||
|
if [ "$(id -g -n)" != 'vyattacfg' ] ; then
|
||||||
|
exec sg vyattacfg -c "/bin/vbash $(readlink -f "$0") $@"
|
||||||
|
fi
|
||||||
|
|
||||||
|
while getopts "d" options; do
|
||||||
|
case "${options}" in
|
||||||
|
d)
|
||||||
|
dry_run=true
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
echo 'error in command line parsing' >&2
|
||||||
|
exit 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
|
||||||
|
# Load secrets into ENV vars
|
||||||
|
if [ -f "/config/secrets.sops.env" ]; then
|
||||||
|
export SOPS_AGE_KEY_FILE=/config/secrets/age.key
|
||||||
|
|
||||||
|
mapfile environmentAsArray < <(
|
||||||
|
sops --decrypt "/config/secrets.sops.env" \
|
||||||
|
| grep --invert-match '^#' \
|
||||||
|
| grep --invert-match '^\s*$'
|
||||||
|
) # Uses grep to remove commented and blank lines
|
||||||
|
for variableDeclaration in "${environmentAsArray[@]}"; do
|
||||||
|
export "${variableDeclaration//[$'\r\n']}" # The substitution removes the line breaks
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Include VyOS specific functions and aliases
|
||||||
|
source /opt/vyatta/etc/functions/script-template
|
||||||
|
|
||||||
|
# Reset the configuration
|
||||||
|
load /opt/vyatta/etc/config.boot.default
|
||||||
|
|
||||||
|
# Load all config files
|
||||||
|
for f in /config/config-parts/*.sh
|
||||||
|
do
|
||||||
|
if [ -f "${f}" ]; then
|
||||||
|
echo "Processing ${f}"
|
||||||
|
source "${f}"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
if "$dry_run"; then
|
||||||
|
# Show what's different from the running config
|
||||||
|
compare
|
||||||
|
else
|
||||||
|
# Pull new container images
|
||||||
|
AVAILABLE_IMAGES=($(run show container image | awk '{ if ( NR > 1 ) { print $1 ":" $2} }'))
|
||||||
|
CONFIG_IMAGES=($(sed -nr "s/set container name .* image '(.*)'/\1/p" /config/config-parts/* | uniq))
|
||||||
|
|
||||||
|
for image in "${CONFIG_IMAGES[@]}"
|
||||||
|
do
|
||||||
|
if [[ ! " ${AVAILABLE_IMAGES[*]} " =~ " ${image} " ]]; then
|
||||||
|
echo "Pulling image ${image}"
|
||||||
|
run add container image "${image}"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
# Commit and save
|
||||||
|
echo "Committing and saving config"
|
||||||
|
commit
|
||||||
|
save
|
||||||
|
|
||||||
|
# Clean obsolete container images
|
||||||
|
IFS=$'\n' read -rd '' -a AVAILABLE_IMAGES <<<"$(run show container image | tail -n +2)"
|
||||||
|
for image in "${AVAILABLE_IMAGES[@]}"
|
||||||
|
do
|
||||||
|
image_name=$(echo "${image}" | awk '{ print $1 }')
|
||||||
|
image_tag=$(echo "${image}" | awk '{ print $2 }')
|
||||||
|
image_id=$(echo "${image}" | awk '{ print $3 }')
|
||||||
|
image_name_tag="${image_name}:${image_tag}"
|
||||||
|
|
||||||
|
if [[ ! " ${CONFIG_IMAGES[*]} " =~ " ${image_name_tag} " ]]; then
|
||||||
|
echo "Removing container ${image_name_tag}"
|
||||||
|
run delete container image "${image_id}"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
|
||||||
|
exit
|
||||||
6
config-parts/.gitignore
vendored
Normal file
6
config-parts/.gitignore
vendored
Normal file
|
|
@ -0,0 +1,6 @@
|
||||||
|
# Ignore everything
|
||||||
|
/*
|
||||||
|
|
||||||
|
# Track certain files and directories
|
||||||
|
!.gitignore
|
||||||
|
!*.sh
|
||||||
122
config-parts/container.sh
Normal file
122
config-parts/container.sh
Normal file
|
|
@ -0,0 +1,122 @@
|
||||||
|
#!/bin/vbash
|
||||||
|
|
||||||
|
# Container networks
|
||||||
|
set container network services prefix '10.5.0.0/24'
|
||||||
|
|
||||||
|
# cloudflare-ddns
|
||||||
|
set container name cloudflare-ddns allow-host-networks
|
||||||
|
set container name cloudflare-ddns environment CF_API_TOKEN value "${SECRET_CLOUDFLARE_DYNDNS_TOKEN}"
|
||||||
|
set container name cloudflare-ddns environment DOMAINS value 'ipv4.jahanson.tech,ipv4.hsn.dev'
|
||||||
|
set container name cloudflare-ddns environment IP6_PROVIDER value "none"
|
||||||
|
set container name cloudflare-ddns environment TZ value 'America/Chicago'
|
||||||
|
set container name cloudflare-ddns environment PGID value "1000"
|
||||||
|
set container name cloudflare-ddns environment PUID value "1000"
|
||||||
|
set container name cloudflare-ddns image 'docker.io/favonia/cloudflare-ddns:1.9.1'
|
||||||
|
set container name cloudflare-ddns memory '0'
|
||||||
|
set container name cloudflare-ddns restart 'on-failure'
|
||||||
|
set container name cloudflare-ddns shared-memory '0'
|
||||||
|
|
||||||
|
# coredns - main instance
|
||||||
|
set container name coredns cap-add 'net-bind-service'
|
||||||
|
set container name coredns image 'docker.io/coredns/coredns:1.10.1'
|
||||||
|
set container name coredns memory '0'
|
||||||
|
set container name coredns network services address '10.5.0.3'
|
||||||
|
set container name coredns restart 'on-failure'
|
||||||
|
set container name coredns shared-memory '0'
|
||||||
|
set container name coredns volume config destination '/config'
|
||||||
|
set container name coredns volume config source '/config/containers/coredns/config'
|
||||||
|
set container name coredns volume config mode 'ro'
|
||||||
|
set container name coredns volume corefile destination '/Corefile'
|
||||||
|
set container name coredns volume corefile source '/config/containers/coredns/config/Corefile'
|
||||||
|
set container name coredns volume corefile mode 'ro'
|
||||||
|
set container name coredns volume vyoshosts destination '/host/etc/hosts'
|
||||||
|
set container name coredns volume vyoshosts source '/etc/hosts'
|
||||||
|
set container name coredns volume vyoshosts mode 'ro'
|
||||||
|
|
||||||
|
# dnsdist
|
||||||
|
set container name dnsdist cap-add 'net-bind-service'
|
||||||
|
set container name dnsdist environment TZ value 'America/Chicago'
|
||||||
|
set container name dnsdist image 'docker.io/powerdns/dnsdist-17:1.7.3'
|
||||||
|
set container name dnsdist memory '0'
|
||||||
|
set container name dnsdist network services address '10.5.0.4'
|
||||||
|
set container name dnsdist restart 'on-failure'
|
||||||
|
set container name dnsdist shared-memory '0'
|
||||||
|
set container name dnsdist volume config destination '/etc/dnsdist/dnsdist.conf'
|
||||||
|
set container name dnsdist volume config source '/config/containers/dnsdist/config/dnsdist.conf'
|
||||||
|
set container name dnsdist volume config mode 'ro'
|
||||||
|
|
||||||
|
# haproxy-k8s-api
|
||||||
|
set container name haproxy-k8s-api image 'docker.io/library/haproxy:2.7.4'
|
||||||
|
set container name haproxy-k8s-api memory '0'
|
||||||
|
set container name haproxy-k8s-api network services address '10.5.0.2'
|
||||||
|
set container name haproxy-k8s-api restart 'on-failure'
|
||||||
|
set container name haproxy-k8s-api shared-memory '0'
|
||||||
|
set container name haproxy-k8s-api volume config destination '/usr/local/etc/haproxy/haproxy.cfg'
|
||||||
|
set container name haproxy-k8s-api volume config source '/config/containers/haproxy/config/haproxy.cfg'
|
||||||
|
set container name haproxy-k8s-api volume config mode 'ro'
|
||||||
|
|
||||||
|
# node-exporter
|
||||||
|
set container name node-exporter environment procfs value '/host/proc'
|
||||||
|
set container name node-exporter environment rootfs value '/host/rootfs'
|
||||||
|
set container name node-exporter environment sysfs value '/host/sys'
|
||||||
|
set container name node-exporter image 'quay.io/prometheus/node-exporter:v1.5.0'
|
||||||
|
set container name node-exporter memory '0'
|
||||||
|
set container name node-exporter network services address '10.5.0.7'
|
||||||
|
set container name node-exporter restart 'on-failure'
|
||||||
|
set container name node-exporter shared-memory '0'
|
||||||
|
set container name node-exporter volume procfs destination '/host/proc'
|
||||||
|
set container name node-exporter volume procfs mode 'ro'
|
||||||
|
set container name node-exporter volume procfs source '/proc'
|
||||||
|
set container name node-exporter volume rootfs destination '/host/rootfs'
|
||||||
|
set container name node-exporter volume rootfs mode 'ro'
|
||||||
|
set container name node-exporter volume rootfs source '/'
|
||||||
|
set container name node-exporter volume sysfs destination '/host/sys'
|
||||||
|
set container name node-exporter volume sysfs mode 'ro'
|
||||||
|
set container name node-exporter volume sysfs source '/sys'
|
||||||
|
|
||||||
|
# speedtest-exporter
|
||||||
|
set container name speedtest-exporter image 'ghcr.io/miguelndecarvalho/speedtest-exporter:v3.5.3'
|
||||||
|
set container name speedtest-exporter memory '0'
|
||||||
|
set container name speedtest-exporter network services address '10.5.0.8'
|
||||||
|
set container name speedtest-exporter restart 'on-failure'
|
||||||
|
set container name speedtest-exporter shared-memory '0'
|
||||||
|
|
||||||
|
# udp-broadcast-relay-mdns
|
||||||
|
set container name udp-broadcast-relay-mdns allow-host-networks
|
||||||
|
set container name udp-broadcast-relay-mdns cap-add 'net-raw'
|
||||||
|
set container name udp-broadcast-relay-mdns environment CFG_DEV value 'eth1.20;eth1.40'
|
||||||
|
set container name udp-broadcast-relay-mdns environment CFG_ID value '2'
|
||||||
|
set container name udp-broadcast-relay-mdns environment CFG_MULTICAST value '224.0.0.251'
|
||||||
|
set container name udp-broadcast-relay-mdns environment CFG_PORT value '5353'
|
||||||
|
set container name udp-broadcast-relay-mdns environment SEPARATOR value ';'
|
||||||
|
set container name udp-broadcast-relay-mdns image 'ghcr.io/onedr0p/udp-broadcast-relay-redux:1.0.27'
|
||||||
|
set container name udp-broadcast-relay-mdns memory '0'
|
||||||
|
set container name udp-broadcast-relay-mdns restart 'on-failure'
|
||||||
|
set container name udp-broadcast-relay-mdns shared-memory '0'
|
||||||
|
|
||||||
|
# udp-broadcast-relay-sonos
|
||||||
|
set container name udp-broadcast-relay-sonos allow-host-networks
|
||||||
|
set container name udp-broadcast-relay-sonos cap-add 'net-raw'
|
||||||
|
set container name udp-broadcast-relay-sonos environment CFG_DEV value 'eth1.20;eth1.40'
|
||||||
|
set container name udp-broadcast-relay-sonos environment CFG_ID value '1'
|
||||||
|
set container name udp-broadcast-relay-sonos environment CFG_MULTICAST value '239.255.255.250'
|
||||||
|
set container name udp-broadcast-relay-sonos environment CFG_PORT value '1900'
|
||||||
|
set container name udp-broadcast-relay-sonos environment SEPARATOR value ';'
|
||||||
|
set container name udp-broadcast-relay-sonos image 'ghcr.io/onedr0p/udp-broadcast-relay-redux:1.0.27'
|
||||||
|
set container name udp-broadcast-relay-sonos memory '0'
|
||||||
|
set container name udp-broadcast-relay-sonos restart 'on-failure'
|
||||||
|
set container name udp-broadcast-relay-sonos shared-memory '0'
|
||||||
|
|
||||||
|
# unifi
|
||||||
|
set container name unifi environment RUNAS_UID0 value 'false'
|
||||||
|
set container name unifi environment TZ value 'America/Chicago'
|
||||||
|
set container name unifi environment UNIFI_GID value '999'
|
||||||
|
set container name unifi environment UNIFI_STDOUT value 'true'
|
||||||
|
set container name unifi environment UNIFI_UID value '999'
|
||||||
|
set container name unifi image 'ghcr.io/jacobalberty/unifi-docker:v7.3.83'
|
||||||
|
set container name unifi memory '0'
|
||||||
|
set container name unifi network services address '10.5.0.10'
|
||||||
|
set container name unifi restart 'on-failure'
|
||||||
|
set container name unifi shared-memory '0'
|
||||||
|
set container name unifi volume data destination '/unifi'
|
||||||
|
set container name unifi volume data source '/config/containers/unifi'
|
||||||
712
config-parts/firewall-name.sh
Normal file
712
config-parts/firewall-name.sh
Normal file
|
|
@ -0,0 +1,712 @@
|
||||||
|
#!/bin/vbash
|
||||||
|
|
||||||
|
# From GUEST to IOT
|
||||||
|
set firewall name guest-iot default-action 'drop'
|
||||||
|
set firewall name guest-iot description 'From GUEST to IOT'
|
||||||
|
set firewall name guest-iot enable-default-log
|
||||||
|
set firewall name guest-iot rule 1 action 'accept'
|
||||||
|
set firewall name guest-iot rule 1 description 'Rule: accept_tcp_printer_from_allowed_devices'
|
||||||
|
set firewall name guest-iot rule 1 destination group address-group 'printers'
|
||||||
|
set firewall name guest-iot rule 1 destination port 'http,9100'
|
||||||
|
set firewall name guest-iot rule 1 protocol 'tcp'
|
||||||
|
set firewall name guest-iot rule 1 source group address-group 'printer_allowed'
|
||||||
|
set firewall name guest-iot rule 2 action 'accept'
|
||||||
|
set firewall name guest-iot rule 2 description 'Rule: accept_udp_printer_from_allowed_devices'
|
||||||
|
set firewall name guest-iot rule 2 destination group address-group 'printers'
|
||||||
|
set firewall name guest-iot rule 2 destination port '161'
|
||||||
|
set firewall name guest-iot rule 2 protocol 'udp'
|
||||||
|
set firewall name guest-iot rule 2 source group address-group 'printer_allowed'
|
||||||
|
|
||||||
|
# From GUEST to LAN
|
||||||
|
set firewall name guest-lan default-action 'drop'
|
||||||
|
set firewall name guest-lan description 'From GUEST to LAN'
|
||||||
|
set firewall name guest-lan enable-default-log
|
||||||
|
|
||||||
|
# From GUEST to LOCAL
|
||||||
|
set firewall name guest-local default-action 'drop'
|
||||||
|
set firewall name guest-local description 'From GUEST to LOCAL'
|
||||||
|
set firewall name guest-local enable-default-log
|
||||||
|
set firewall name guest-local rule 1 action 'accept'
|
||||||
|
set firewall name guest-local rule 1 description 'Rule: accept_dhcp'
|
||||||
|
set firewall name guest-local rule 1 destination port '67,68'
|
||||||
|
set firewall name guest-local rule 1 protocol 'udp'
|
||||||
|
set firewall name guest-local rule 1 source port '67,68'
|
||||||
|
|
||||||
|
# From GUEST to SERVERS
|
||||||
|
set firewall name guest-servers default-action 'drop'
|
||||||
|
set firewall name guest-servers description 'From GUEST to SERVERS'
|
||||||
|
set firewall name guest-servers enable-default-log
|
||||||
|
|
||||||
|
# From GUEST to SERVICES
|
||||||
|
set firewall name guest-services default-action 'drop'
|
||||||
|
set firewall name guest-services description 'From GUEST to SERVICES'
|
||||||
|
set firewall name guest-services enable-default-log
|
||||||
|
set firewall name guest-services rule 1 action 'accept'
|
||||||
|
set firewall name guest-services rule 1 description 'Rule: accept_dns'
|
||||||
|
set firewall name guest-services rule 1 destination port 'domain,domain-s'
|
||||||
|
set firewall name guest-services rule 1 protocol 'tcp_udp'
|
||||||
|
|
||||||
|
# From GUEST to TRUSTED
|
||||||
|
set firewall name guest-trusted default-action 'drop'
|
||||||
|
set firewall name guest-trusted description 'From GUEST to TRUSTED'
|
||||||
|
set firewall name guest-trusted enable-default-log
|
||||||
|
|
||||||
|
# From GUEST to VIDEO
|
||||||
|
set firewall name guest-video default-action 'drop'
|
||||||
|
set firewall name guest-video description 'From GUEST to VIDEO'
|
||||||
|
set firewall name guest-video enable-default-log
|
||||||
|
|
||||||
|
# From GUEST to WAN
|
||||||
|
set firewall name guest-wan default-action 'accept'
|
||||||
|
set firewall name guest-wan description 'From GUEST to WAN'
|
||||||
|
|
||||||
|
# From IOT to GUEST
|
||||||
|
set firewall name iot-guest default-action 'drop'
|
||||||
|
set firewall name iot-guest description 'From IOT to GUEST'
|
||||||
|
set firewall name iot-guest enable-default-log
|
||||||
|
|
||||||
|
# From IOT to LAN
|
||||||
|
set firewall name iot-lan default-action 'drop'
|
||||||
|
set firewall name iot-lan description 'From IOT to LAN'
|
||||||
|
set firewall name iot-lan enable-default-log
|
||||||
|
|
||||||
|
# From IOT to LOCAL
|
||||||
|
set firewall name iot-local default-action 'drop'
|
||||||
|
set firewall name iot-local description 'From IOT to LOCAL'
|
||||||
|
set firewall name iot-local enable-default-log
|
||||||
|
set firewall name iot-local rule 1 action 'accept'
|
||||||
|
set firewall name iot-local rule 1 description 'Rule: accept_ssh'
|
||||||
|
set firewall name iot-local rule 1 destination port 'ssh'
|
||||||
|
set firewall name iot-local rule 1 protocol 'tcp'
|
||||||
|
set firewall name iot-local rule 2 action 'accept'
|
||||||
|
set firewall name iot-local rule 2 description 'Rule: accept_ntp'
|
||||||
|
set firewall name iot-local rule 2 destination port 'ntp'
|
||||||
|
set firewall name iot-local rule 2 protocol 'udp'
|
||||||
|
set firewall name iot-local rule 3 action 'accept'
|
||||||
|
set firewall name iot-local rule 3 description 'Rule: accept_dhcp'
|
||||||
|
set firewall name iot-local rule 3 destination port '67,68'
|
||||||
|
set firewall name iot-local rule 3 protocol 'udp'
|
||||||
|
set firewall name iot-local rule 3 source port '67,68'
|
||||||
|
set firewall name iot-local rule 4 action 'accept'
|
||||||
|
set firewall name iot-local rule 4 description 'Rule: accept_igmp'
|
||||||
|
set firewall name iot-local rule 4 protocol '2'
|
||||||
|
set firewall name iot-local rule 5 action 'accept'
|
||||||
|
set firewall name iot-local rule 5 description 'Rule: accept_mdns'
|
||||||
|
set firewall name iot-local rule 5 destination port 'mdns'
|
||||||
|
set firewall name iot-local rule 5 protocol 'udp'
|
||||||
|
set firewall name iot-local rule 5 source port 'mdns'
|
||||||
|
set firewall name iot-local rule 6 action 'accept'
|
||||||
|
set firewall name iot-local rule 6 description 'Rule: accept_discovery_from_sonos_players'
|
||||||
|
set firewall name iot-local rule 6 destination port '1900,1901,1902'
|
||||||
|
set firewall name iot-local rule 6 protocol 'udp'
|
||||||
|
set firewall name iot-local rule 6 source group address-group 'sonos_players'
|
||||||
|
set firewall name iot-local rule 7 action 'accept'
|
||||||
|
set firewall name iot-local rule 7 description 'Rule: accept_discovery_from_sonos_controllers'
|
||||||
|
set firewall name iot-local rule 7 destination port '1900,1901,1902,57621'
|
||||||
|
set firewall name iot-local rule 7 protocol 'udp'
|
||||||
|
set firewall name iot-local rule 7 source group address-group 'sonos_controllers'
|
||||||
|
|
||||||
|
# From IOT to SERVERS
|
||||||
|
set firewall name iot-servers default-action 'drop'
|
||||||
|
set firewall name iot-servers description 'From IOT to SERVERS'
|
||||||
|
set firewall name iot-servers enable-default-log
|
||||||
|
set firewall name iot-servers rule 1 action 'accept'
|
||||||
|
set firewall name iot-servers rule 1 description 'Rule: accept_nas_smb_from_scanners'
|
||||||
|
set firewall name iot-servers rule 1 destination group address-group 'nas'
|
||||||
|
set firewall name iot-servers rule 1 destination port 'microsoft-ds'
|
||||||
|
set firewall name iot-servers rule 1 protocol 'tcp'
|
||||||
|
set firewall name iot-servers rule 1 source group address-group 'scanners'
|
||||||
|
set firewall name iot-servers rule 2 action 'accept'
|
||||||
|
set firewall name iot-servers rule 2 description 'Rule: accept_plex_from_plex_clients'
|
||||||
|
set firewall name iot-servers rule 2 destination group address-group 'k8s_plex'
|
||||||
|
set firewall name iot-servers rule 2 destination port '32400'
|
||||||
|
set firewall name iot-servers rule 2 protocol 'tcp'
|
||||||
|
set firewall name iot-servers rule 2 source group address-group 'plex_clients'
|
||||||
|
set firewall name iot-servers rule 3 action 'accept'
|
||||||
|
set firewall name iot-servers rule 3 description 'Rule: accept_jellyfin_from_jellyfin_clients'
|
||||||
|
set firewall name iot-servers rule 3 destination group address-group 'k8s_jellyfin'
|
||||||
|
set firewall name iot-servers rule 3 destination port '8096'
|
||||||
|
set firewall name iot-servers rule 3 protocol 'tcp'
|
||||||
|
set firewall name iot-servers rule 3 source group address-group 'jellyfin_clients'
|
||||||
|
set firewall name iot-servers rule 4 action 'accept'
|
||||||
|
set firewall name iot-servers rule 4 description 'Rule: accept_mqtt_from_mqtt_clients'
|
||||||
|
set firewall name iot-servers rule 4 destination group address-group 'k8s_mqtt'
|
||||||
|
set firewall name iot-servers rule 4 destination port '1883'
|
||||||
|
set firewall name iot-servers rule 4 protocol 'tcp'
|
||||||
|
set firewall name iot-servers rule 4 source group address-group 'mqtt_clients'
|
||||||
|
set firewall name iot-servers rule 5 action 'accept'
|
||||||
|
set firewall name iot-servers rule 5 description 'Rule: accept_mqtt_from_esp'
|
||||||
|
set firewall name iot-servers rule 5 destination group address-group 'k8s_mqtt'
|
||||||
|
set firewall name iot-servers rule 5 destination port '1883'
|
||||||
|
set firewall name iot-servers rule 5 protocol 'tcp'
|
||||||
|
set firewall name iot-servers rule 5 source group address-group 'esp'
|
||||||
|
set firewall name iot-servers rule 6 action 'accept'
|
||||||
|
set firewall name iot-servers rule 6 description 'Rule: accept_k8s_ingress_from_sonos_players'
|
||||||
|
set firewall name iot-servers rule 6 destination group address-group 'k8s_ingress'
|
||||||
|
set firewall name iot-servers rule 6 destination port 'http,https'
|
||||||
|
set firewall name iot-servers rule 6 protocol 'tcp'
|
||||||
|
set firewall name iot-servers rule 6 source group address-group 'sonos_players'
|
||||||
|
set firewall name iot-servers rule 7 action 'accept'
|
||||||
|
set firewall name iot-servers rule 7 description 'Rule: accept_k8s_ingress_from_ereaders'
|
||||||
|
set firewall name iot-servers rule 7 destination group address-group 'k8s_ingress'
|
||||||
|
set firewall name iot-servers rule 7 destination port 'http,https'
|
||||||
|
set firewall name iot-servers rule 7 protocol 'tcp'
|
||||||
|
set firewall name iot-servers rule 7 source group address-group 'ereaders'
|
||||||
|
set firewall name iot-servers rule 8 action 'accept'
|
||||||
|
set firewall name iot-servers rule 8 description 'Rule: accept_k8s_ingress_from_wall_displays'
|
||||||
|
set firewall name iot-servers rule 8 destination group address-group 'k8s_ingress'
|
||||||
|
set firewall name iot-servers rule 8 destination port 'http,https'
|
||||||
|
set firewall name iot-servers rule 8 protocol 'tcp'
|
||||||
|
set firewall name iot-servers rule 8 source group address-group 'wall_displays'
|
||||||
|
set firewall name iot-servers rule 9 action 'accept'
|
||||||
|
set firewall name iot-servers rule 9 description 'Rule: accept_k8s_ingress_from_allowed_devices'
|
||||||
|
set firewall name iot-servers rule 9 destination group address-group 'k8s_ingress'
|
||||||
|
set firewall name iot-servers rule 9 destination port 'http,https'
|
||||||
|
set firewall name iot-servers rule 9 protocol 'tcp'
|
||||||
|
set firewall name iot-servers rule 9 source group address-group 'k8s_ingress_allowed'
|
||||||
|
set firewall name iot-servers rule 10 action 'accept'
|
||||||
|
set firewall name iot-servers rule 10 description 'Rule: accept_vector_journald_from_allowed_devices'
|
||||||
|
set firewall name iot-servers rule 10 destination group address-group 'k8s_vector_aggregator'
|
||||||
|
set firewall name iot-servers rule 10 destination port '6002'
|
||||||
|
set firewall name iot-servers rule 10 protocol 'tcp'
|
||||||
|
set firewall name iot-servers rule 10 source group address-group 'vector_journald_allowed'
|
||||||
|
|
||||||
|
# From IOT to SERVICES
|
||||||
|
set firewall name iot-services default-action 'accept'
|
||||||
|
set firewall name iot-services description 'From IOT to SERVICES'
|
||||||
|
set firewall name iot-services rule 1 action 'accept'
|
||||||
|
set firewall name iot-services rule 1 description 'Rule: accept_dns'
|
||||||
|
set firewall name iot-services rule 1 destination port 'domain,domain-s'
|
||||||
|
set firewall name iot-services rule 1 protocol 'tcp_udp'
|
||||||
|
|
||||||
|
# From IOT to TRUSTED
|
||||||
|
set firewall name iot-trusted default-action 'drop'
|
||||||
|
set firewall name iot-trusted description 'From IOT to TRUSTED'
|
||||||
|
set firewall name iot-trusted enable-default-log
|
||||||
|
set firewall name iot-trusted rule 1 action 'accept'
|
||||||
|
set firewall name iot-trusted rule 1 description 'Rule: accept_udp_from_sonos_players_to_sonos_controllers'
|
||||||
|
set firewall name iot-trusted rule 1 destination group address-group 'sonos_controllers'
|
||||||
|
set firewall name iot-trusted rule 1 destination port '30000-65535'
|
||||||
|
set firewall name iot-trusted rule 1 protocol 'udp'
|
||||||
|
set firewall name iot-trusted rule 1 source group address-group 'sonos_players'
|
||||||
|
set firewall name iot-trusted rule 2 action 'accept'
|
||||||
|
set firewall name iot-trusted rule 2 description 'Rule: accept_tcp_from_sonos_players_to_sonos_controllers'
|
||||||
|
set firewall name iot-trusted rule 2 destination group address-group 'sonos_controllers'
|
||||||
|
set firewall name iot-trusted rule 2 destination port '1400,3400,3401,3500,30000-65535'
|
||||||
|
set firewall name iot-trusted rule 2 protocol 'tcp'
|
||||||
|
set firewall name iot-trusted rule 2 source group address-group 'sonos_players'
|
||||||
|
|
||||||
|
# From IOT to VIDEO
|
||||||
|
set firewall name iot-video default-action 'drop'
|
||||||
|
set firewall name iot-video description 'From IOT to VIDEO'
|
||||||
|
set firewall name iot-video enable-default-log
|
||||||
|
|
||||||
|
# From IOT to WAN
|
||||||
|
set firewall name iot-wan default-action 'accept'
|
||||||
|
set firewall name iot-wan description 'From IOT to WAN'
|
||||||
|
|
||||||
|
# From LAN to GUEST
|
||||||
|
set firewall name lan-guest default-action 'drop'
|
||||||
|
set firewall name lan-guest description 'From LAN to GUEST'
|
||||||
|
set firewall name lan-guest enable-default-log
|
||||||
|
|
||||||
|
# From LAN to GUEST
|
||||||
|
set firewall name lan-iot default-action 'drop'
|
||||||
|
set firewall name lan-iot description 'From LAN to IOT'
|
||||||
|
set firewall name lan-iot enable-default-log
|
||||||
|
|
||||||
|
# From LAN to LOCAL
|
||||||
|
set firewall name lan-local default-action 'drop'
|
||||||
|
set firewall name lan-local description 'From LAN to LOCAL'
|
||||||
|
set firewall name lan-local enable-default-log
|
||||||
|
set firewall name lan-local rule 1 action 'accept'
|
||||||
|
set firewall name lan-local rule 1 description 'Rule: accept_ssh'
|
||||||
|
set firewall name lan-local rule 1 destination port 'ssh'
|
||||||
|
set firewall name lan-local rule 1 protocol 'tcp'
|
||||||
|
set firewall name lan-local rule 2 action 'accept'
|
||||||
|
set firewall name lan-local rule 2 description 'Rule: accept_ntp'
|
||||||
|
set firewall name lan-local rule 2 destination port 'ntp'
|
||||||
|
set firewall name lan-local rule 2 protocol 'udp'
|
||||||
|
set firewall name lan-local rule 3 action 'accept'
|
||||||
|
set firewall name lan-local rule 3 description 'Rule: accept_dhcp'
|
||||||
|
set firewall name lan-local rule 3 destination port '67,68'
|
||||||
|
set firewall name lan-local rule 3 protocol 'udp'
|
||||||
|
set firewall name lan-local rule 3 source port '67,68'
|
||||||
|
|
||||||
|
# From LAN to SERVERS
|
||||||
|
set firewall name lan-servers default-action 'drop'
|
||||||
|
set firewall name lan-servers description 'From LAN to SERVERS'
|
||||||
|
set firewall name lan-servers enable-default-log
|
||||||
|
set firewall name lan-servers rule 1 action 'accept'
|
||||||
|
set firewall name lan-servers rule 1 description 'Rule: accept_icmp'
|
||||||
|
set firewall name lan-servers rule 1 protocol 'icmp'
|
||||||
|
|
||||||
|
# From LAN to SERVICES
|
||||||
|
set firewall name lan-services default-action 'accept'
|
||||||
|
set firewall name lan-services description 'From LAN to SERVICES'
|
||||||
|
set firewall name lan-services rule 1 action 'accept'
|
||||||
|
set firewall name lan-services rule 1 description 'Rule: accept_dns'
|
||||||
|
set firewall name lan-services rule 1 destination port 'domain,domain-s'
|
||||||
|
set firewall name lan-services rule 1 protocol 'tcp_udp'
|
||||||
|
|
||||||
|
# From LAN to TRUSTED
|
||||||
|
set firewall name lan-trusted default-action 'drop'
|
||||||
|
set firewall name lan-trusted description 'From LAN to TRUSTED'
|
||||||
|
set firewall name lan-trusted enable-default-log
|
||||||
|
|
||||||
|
# From LAN to VIDEO
|
||||||
|
set firewall name lan-video default-action 'drop'
|
||||||
|
set firewall name lan-video description 'From LAN to VIDEO'
|
||||||
|
set firewall name lan-video enable-default-log
|
||||||
|
|
||||||
|
# From LAN to WAN
|
||||||
|
set firewall name lan-wan default-action 'accept'
|
||||||
|
set firewall name lan-wan description 'From LAN to WAN'
|
||||||
|
|
||||||
|
# From LOCAL to GUEST
|
||||||
|
set firewall name local-guest default-action 'drop'
|
||||||
|
set firewall name local-guest description 'From LOCAL to GUEST'
|
||||||
|
set firewall name local-guest enable-default-log
|
||||||
|
|
||||||
|
# From LOCAL to IOT
|
||||||
|
set firewall name local-iot default-action 'drop'
|
||||||
|
set firewall name local-iot description 'From LOCAL to IOT'
|
||||||
|
set firewall name local-iot enable-default-log
|
||||||
|
set firewall name local-iot rule 1 action 'accept'
|
||||||
|
set firewall name local-iot rule 1 description 'Rule: accept_igmp'
|
||||||
|
set firewall name local-iot rule 1 protocol '2'
|
||||||
|
set firewall name local-iot rule 2 action 'accept'
|
||||||
|
set firewall name local-iot rule 2 description 'Rule: accept_mdns'
|
||||||
|
set firewall name local-iot rule 2 destination port 'mdns'
|
||||||
|
set firewall name local-iot rule 2 protocol 'udp'
|
||||||
|
set firewall name local-iot rule 2 source port 'mdns'
|
||||||
|
set firewall name local-iot rule 3 action 'accept'
|
||||||
|
set firewall name local-iot rule 3 description 'Rule: accept_discovery_from_sonos_controllers'
|
||||||
|
set firewall name local-iot rule 3 destination port '1900,1901,1902,57621'
|
||||||
|
set firewall name local-iot rule 3 protocol 'udp'
|
||||||
|
set firewall name local-iot rule 3 source group address-group 'sonos_controllers'
|
||||||
|
|
||||||
|
# From LOCAL to LAN
|
||||||
|
set firewall name local-lan default-action 'drop'
|
||||||
|
set firewall name local-lan description 'From LOCAL to LAN'
|
||||||
|
set firewall name local-lan enable-default-log
|
||||||
|
|
||||||
|
# From LOCAL to SERVERS
|
||||||
|
set firewall name local-servers default-action 'drop'
|
||||||
|
set firewall name local-servers description 'From LOCAL to SERVERS'
|
||||||
|
set firewall name local-servers enable-default-log
|
||||||
|
set firewall name local-servers rule 1 action 'accept'
|
||||||
|
set firewall name local-servers rule 1 description 'Rule: accept_bgp'
|
||||||
|
set firewall name local-servers rule 1 destination port 'bgp'
|
||||||
|
set firewall name local-servers rule 1 protocol 'tcp'
|
||||||
|
set firewall name local-servers rule 2 action 'accept'
|
||||||
|
set firewall name local-servers rule 2 description 'Rule: accept_k8s_api'
|
||||||
|
set firewall name local-servers rule 2 destination port '6443'
|
||||||
|
set firewall name local-servers rule 2 protocol 'tcp'
|
||||||
|
set firewall name local-servers rule 3 action 'accept'
|
||||||
|
set firewall name local-servers rule 3 description 'Rule: accept_dns'
|
||||||
|
set firewall name local-servers rule 3 destination port 'domain,domain-s'
|
||||||
|
set firewall name local-servers rule 3 protocol 'tcp_udp'
|
||||||
|
set firewall name local-servers rule 4 action 'accept'
|
||||||
|
set firewall name local-servers rule 4 description 'Rule: accept_vector_syslog'
|
||||||
|
set firewall name local-servers rule 4 destination group address-group 'k8s_vector_aggregator'
|
||||||
|
set firewall name local-servers rule 4 destination port '6001'
|
||||||
|
set firewall name local-servers rule 4 protocol 'tcp'
|
||||||
|
|
||||||
|
# From LOCAL to SERVICES
|
||||||
|
set firewall name local-services default-action 'accept'
|
||||||
|
set firewall name local-services description 'From LOCAL to SERVICES'
|
||||||
|
set firewall name local-services rule 1 action 'accept'
|
||||||
|
set firewall name local-services rule 1 description 'Rule: accept_dns'
|
||||||
|
set firewall name local-services rule 1 destination port 'domain,domain-s'
|
||||||
|
set firewall name local-services rule 1 protocol 'tcp_udp'
|
||||||
|
|
||||||
|
# From LOCAL to TRUSTED
|
||||||
|
set firewall name local-trusted default-action 'drop'
|
||||||
|
set firewall name local-trusted description 'From LOCAL to TRUSTED'
|
||||||
|
set firewall name local-trusted enable-default-log
|
||||||
|
set firewall name local-trusted rule 1 action 'accept'
|
||||||
|
set firewall name local-trusted rule 1 description 'Rule: accept_igmp'
|
||||||
|
set firewall name local-trusted rule 1 protocol '2'
|
||||||
|
set firewall name local-trusted rule 2 action 'accept'
|
||||||
|
set firewall name local-trusted rule 2 description 'Rule: accept_mdns'
|
||||||
|
set firewall name local-trusted rule 2 destination port 'mdns'
|
||||||
|
set firewall name local-trusted rule 2 protocol 'udp'
|
||||||
|
set firewall name local-trusted rule 2 source port 'mdns'
|
||||||
|
set firewall name local-trusted rule 3 action 'accept'
|
||||||
|
set firewall name local-trusted rule 3 description 'Rule: accept_discovery_from_sonos_players'
|
||||||
|
set firewall name local-trusted rule 3 destination port '1900,1901,1902'
|
||||||
|
set firewall name local-trusted rule 3 protocol 'udp'
|
||||||
|
set firewall name local-trusted rule 3 source group address-group 'sonos_players'
|
||||||
|
|
||||||
|
# From LOCAL to VIDEO
|
||||||
|
set firewall name local-video default-action 'drop'
|
||||||
|
set firewall name local-video description 'From LOCAL to VIDEO'
|
||||||
|
set firewall name local-video enable-default-log
|
||||||
|
|
||||||
|
# From LOCAL to WAN
|
||||||
|
set firewall name local-wan default-action 'accept'
|
||||||
|
set firewall name local-wan description 'From LOCAL to WAN'
|
||||||
|
|
||||||
|
# From SERVERS to GUEST
|
||||||
|
set firewall name servers-guest default-action 'drop'
|
||||||
|
set firewall name servers-guest description 'From SERVERS to GUEST'
|
||||||
|
set firewall name servers-guest enable-default-log
|
||||||
|
|
||||||
|
# From SERVERS to IOT
|
||||||
|
set firewall name servers-iot default-action 'drop'
|
||||||
|
set firewall name servers-iot description 'From SERVERS to IOT'
|
||||||
|
set firewall name servers-iot enable-default-log
|
||||||
|
set firewall name servers-iot rule 1 action 'accept'
|
||||||
|
set firewall name servers-iot rule 1 description 'Rule: accept_icmp'
|
||||||
|
set firewall name servers-iot rule 1 protocol 'icmp'
|
||||||
|
set firewall name servers-iot rule 2 action 'accept'
|
||||||
|
set firewall name servers-iot rule 2 description 'Rule: accept_p1reader_from_k8s_nodes'
|
||||||
|
set firewall name servers-iot rule 2 destination port '8088'
|
||||||
|
set firewall name servers-iot rule 2 protocol 'tcp'
|
||||||
|
set firewall name servers-iot rule 2 source group address-group 'k8s_nodes'
|
||||||
|
set firewall name servers-iot rule 3 action 'accept'
|
||||||
|
set firewall name servers-iot rule 3 description 'Rule: accept_adb_from_k8s_nodes'
|
||||||
|
set firewall name servers-iot rule 3 destination group address-group 'android_tv_players'
|
||||||
|
set firewall name servers-iot rule 3 destination port '5555'
|
||||||
|
set firewall name servers-iot rule 3 protocol 'tcp'
|
||||||
|
set firewall name servers-iot rule 3 source group address-group 'k8s_nodes'
|
||||||
|
set firewall name servers-iot rule 4 action 'accept'
|
||||||
|
set firewall name servers-iot rule 4 description 'Rule: accept_3d_printer_control_from_k8s_nodes'
|
||||||
|
set firewall name servers-iot rule 4 destination group address-group '3d_printer_controllers'
|
||||||
|
set firewall name servers-iot rule 4 destination port '7125'
|
||||||
|
set firewall name servers-iot rule 4 protocol 'tcp'
|
||||||
|
set firewall name servers-iot rule 4 source group address-group 'k8s_nodes'
|
||||||
|
set firewall name servers-iot rule 5 action 'accept'
|
||||||
|
set firewall name servers-iot rule 5 description 'Rule: accept_k8s_nodes'
|
||||||
|
set firewall name servers-iot rule 5 protocol 'tcp'
|
||||||
|
set firewall name servers-iot rule 5 source group address-group 'k8s_nodes'
|
||||||
|
|
||||||
|
# From SERVERS to LAN
|
||||||
|
set firewall name servers-lan default-action 'drop'
|
||||||
|
set firewall name servers-lan description 'From SERVERS to LAN'
|
||||||
|
set firewall name servers-lan rule 1 action 'accept'
|
||||||
|
set firewall name servers-lan rule 1 description 'Rule: accept_icmp'
|
||||||
|
set firewall name servers-lan rule 1 protocol 'icmp'
|
||||||
|
|
||||||
|
# From SERVERS to LOCAL
|
||||||
|
set firewall name servers-local default-action 'drop'
|
||||||
|
set firewall name servers-local description 'From SERVERS to LOCAL'
|
||||||
|
set firewall name servers-local enable-default-log
|
||||||
|
set firewall name servers-local rule 1 action 'accept'
|
||||||
|
set firewall name servers-local rule 1 description 'Rule: accept_icmp'
|
||||||
|
set firewall name servers-local rule 1 protocol 'icmp'
|
||||||
|
set firewall name servers-local rule 2 action 'accept'
|
||||||
|
set firewall name servers-local rule 2 description 'Rule: accept_ntp'
|
||||||
|
set firewall name servers-local rule 2 destination port 'ntp'
|
||||||
|
set firewall name servers-local rule 2 protocol 'udp'
|
||||||
|
set firewall name servers-local rule 3 action 'accept'
|
||||||
|
set firewall name servers-local rule 3 description 'Rule: accept_dhcp'
|
||||||
|
set firewall name servers-local rule 3 destination port '67,68'
|
||||||
|
set firewall name servers-local rule 3 protocol 'udp'
|
||||||
|
set firewall name servers-local rule 3 source port '67,68'
|
||||||
|
set firewall name servers-local rule 4 action 'accept'
|
||||||
|
set firewall name servers-local rule 4 description 'Rule: accept_bgp'
|
||||||
|
set firewall name servers-local rule 4 destination port 'bgp'
|
||||||
|
set firewall name servers-local rule 4 protocol 'tcp'
|
||||||
|
set firewall name servers-local rule 5 action 'accept'
|
||||||
|
set firewall name servers-local rule 5 description 'Rule: accept_tftp'
|
||||||
|
set firewall name servers-local rule 5 destination port '69'
|
||||||
|
set firewall name servers-local rule 5 protocol 'udp'
|
||||||
|
set firewall name servers-local rule 6 action 'accept'
|
||||||
|
set firewall name servers-local rule 6 description 'Rule: accept_prometheus_from_k8s_nodes'
|
||||||
|
set firewall name servers-local rule 6 destination port '9153'
|
||||||
|
set firewall name servers-local rule 6 protocol 'tcp'
|
||||||
|
set firewall name servers-local rule 6 source group address-group 'k8s_nodes'
|
||||||
|
|
||||||
|
# From SERVERS to SERVICES
|
||||||
|
set firewall name servers-services default-action 'accept'
|
||||||
|
set firewall name servers-services description 'From SERVERS to SERVICES'
|
||||||
|
set firewall name servers-services enable-default-log
|
||||||
|
set firewall name servers-services rule 1 action 'accept'
|
||||||
|
set firewall name servers-services rule 1 description 'Rule: accept_dns'
|
||||||
|
set firewall name servers-services rule 1 destination port 'domain,domain-s'
|
||||||
|
set firewall name servers-services rule 1 protocol 'tcp_udp'
|
||||||
|
set firewall name servers-services rule 2 action 'accept'
|
||||||
|
set firewall name servers-services rule 2 description 'Rule: accept_k8s_api'
|
||||||
|
set firewall name servers-services rule 2 destination port '6443'
|
||||||
|
set firewall name servers-services rule 2 protocol 'tcp'
|
||||||
|
|
||||||
|
# From SERVERS to TRUSTED
|
||||||
|
set firewall name servers-trusted default-action 'drop'
|
||||||
|
set firewall name servers-trusted description 'From SERVERS to TRUSTED'
|
||||||
|
set firewall name servers-trusted rule 1 action 'accept'
|
||||||
|
set firewall name servers-trusted rule 1 description 'Rule: accept_icmp'
|
||||||
|
set firewall name servers-trusted rule 1 protocol 'icmp'
|
||||||
|
|
||||||
|
# From SERVERS to VIDEO
|
||||||
|
set firewall name servers-video default-action 'drop'
|
||||||
|
set firewall name servers-video description 'From SERVERS to VIDEO'
|
||||||
|
set firewall name servers-video enable-default-log
|
||||||
|
set firewall name servers-video rule 1 action 'accept'
|
||||||
|
set firewall name servers-video rule 1 description 'Rule: accept_icmp'
|
||||||
|
set firewall name servers-video rule 1 protocol 'icmp'
|
||||||
|
set firewall name servers-video rule 2 action 'accept'
|
||||||
|
set firewall name servers-video rule 2 description 'Rule: accept_k8s_nodes'
|
||||||
|
set firewall name servers-video rule 2 protocol 'tcp'
|
||||||
|
set firewall name servers-video rule 2 source group address-group 'k8s_nodes'
|
||||||
|
## From jellydocks --> Video
|
||||||
|
set firewall name servers-video rule 3 action 'accept'
|
||||||
|
set firewall name servers-video rule 3 description 'Rule: accept_jellydocks'
|
||||||
|
set firewall name servers-video rule 3 protocol 'tcp'
|
||||||
|
set firewall name servers-video rule 3 source address 10.1.1.14
|
||||||
|
|
||||||
|
# From SERVERS to WAN
|
||||||
|
set firewall name servers-wan default-action 'accept'
|
||||||
|
set firewall name servers-wan description 'From SERVERS to WAN'
|
||||||
|
|
||||||
|
# From SERVICES to GUEST
|
||||||
|
set firewall name services-guest default-action 'drop'
|
||||||
|
set firewall name services-guest description 'From SERVICES to GUEST'
|
||||||
|
set firewall name services-guest enable-default-log
|
||||||
|
|
||||||
|
# From SERVICES to IOT
|
||||||
|
set firewall name services-iot default-action 'drop'
|
||||||
|
set firewall name services-iot description 'From SERVICES to IOT'
|
||||||
|
set firewall name services-iot enable-default-log
|
||||||
|
|
||||||
|
# From SERVICES to LAN
|
||||||
|
set firewall name services-lan default-action 'drop'
|
||||||
|
set firewall name services-lan description 'From SERVICES to LAN'
|
||||||
|
set firewall name services-lan enable-default-log
|
||||||
|
|
||||||
|
# From SERVICES to LOCAL
|
||||||
|
set firewall name services-local default-action 'drop'
|
||||||
|
set firewall name services-local description 'From SERVICES to LOCAL'
|
||||||
|
set firewall name services-local enable-default-log
|
||||||
|
set firewall name services-local rule 1 action 'accept'
|
||||||
|
set firewall name services-local rule 1 description 'Rule: accept_ntp'
|
||||||
|
set firewall name services-local rule 1 destination port 'ntp'
|
||||||
|
set firewall name services-local rule 1 protocol 'udp'
|
||||||
|
set firewall name services-local rule 2 action 'accept'
|
||||||
|
set firewall name services-local rule 2 description 'Rule: accept_dhcp'
|
||||||
|
set firewall name services-local rule 2 destination port '67,68'
|
||||||
|
set firewall name services-local rule 2 protocol 'udp'
|
||||||
|
set firewall name services-local rule 2 source port '67,68'
|
||||||
|
|
||||||
|
# From SERVICES to SERVICES
|
||||||
|
set firewall name services-servers default-action 'accept'
|
||||||
|
set firewall name services-servers description 'From SERVICES to SERVERS'
|
||||||
|
set firewall name services-servers rule 1 action 'accept'
|
||||||
|
set firewall name services-servers rule 1 description 'Rule: accept_icmp'
|
||||||
|
set firewall name services-servers rule 1 protocol 'icmp'
|
||||||
|
|
||||||
|
# From SERVICES to TRUSTED
|
||||||
|
set firewall name services-trusted default-action 'drop'
|
||||||
|
set firewall name services-trusted description 'From SERVICES to TRUSTED'
|
||||||
|
set firewall name services-trusted enable-default-log
|
||||||
|
|
||||||
|
# From SERVICES to VIDEO
|
||||||
|
set firewall name services-video default-action 'drop'
|
||||||
|
set firewall name services-video description 'From SERVICES to VIDEO'
|
||||||
|
set firewall name services-video enable-default-log
|
||||||
|
|
||||||
|
# From SERVICES to WAN
|
||||||
|
set firewall name services-wan default-action 'accept'
|
||||||
|
set firewall name services-wan description 'From SERVICES to WAN'
|
||||||
|
|
||||||
|
# From TRUSTED to GUEST
|
||||||
|
set firewall name trusted-guest default-action 'drop'
|
||||||
|
set firewall name trusted-guest description 'From TRUSTED to GUEST'
|
||||||
|
set firewall name trusted-guest enable-default-log
|
||||||
|
|
||||||
|
# From TRUSTED to IOT
|
||||||
|
set firewall name trusted-iot default-action 'accept'
|
||||||
|
set firewall name trusted-iot description 'From TRUSTED to IOT'
|
||||||
|
set firewall name trusted-iot rule 1 action 'accept'
|
||||||
|
set firewall name trusted-iot rule 1 description 'Rule: accept_icmp'
|
||||||
|
set firewall name trusted-iot rule 1 protocol 'icmp'
|
||||||
|
set firewall name trusted-iot rule 2 action 'accept'
|
||||||
|
set firewall name trusted-iot rule 2 description 'Rule: accept_app_control_from_sonos_controllers_tcp'
|
||||||
|
set firewall name trusted-iot rule 2 destination port '80,443,445,1400,3400,3401,3500,4070,4444'
|
||||||
|
set firewall name trusted-iot rule 2 protocol 'tcp'
|
||||||
|
set firewall name trusted-iot rule 2 source group address-group 'sonos_controllers'
|
||||||
|
set firewall name trusted-iot rule 3 action 'accept'
|
||||||
|
set firewall name trusted-iot rule 3 description 'Rule: accept_app_control_from_sonos_controllers_udp'
|
||||||
|
set firewall name trusted-iot rule 3 destination port '136-139,1900-1901,2869,10243,10280-10284,5353,6969'
|
||||||
|
set firewall name trusted-iot rule 3 protocol 'udp'
|
||||||
|
set firewall name trusted-iot rule 3 source group address-group 'sonos_controllers'
|
||||||
|
|
||||||
|
# From TRUSTED to LAN
|
||||||
|
set firewall name trusted-lan default-action 'accept'
|
||||||
|
set firewall name trusted-lan description 'From TRUSTED to LAN'
|
||||||
|
|
||||||
|
# From TRUSTED to LOCAL
|
||||||
|
set firewall name trusted-local default-action 'drop'
|
||||||
|
set firewall name trusted-local description 'From TRUSTED to LOCAL'
|
||||||
|
set firewall name trusted-local enable-default-log
|
||||||
|
set firewall name trusted-local rule 1 action 'accept'
|
||||||
|
set firewall name trusted-local rule 1 description 'Rule: accept_icmp'
|
||||||
|
set firewall name trusted-local rule 1 protocol 'icmp'
|
||||||
|
set firewall name trusted-local rule 2 action 'accept'
|
||||||
|
set firewall name trusted-local rule 2 description 'Rule: accept_ssh'
|
||||||
|
set firewall name trusted-local rule 2 destination port 'ssh'
|
||||||
|
set firewall name trusted-local rule 2 protocol 'tcp'
|
||||||
|
set firewall name trusted-local rule 3 action 'accept'
|
||||||
|
set firewall name trusted-local rule 3 description 'Rule: accept_ntp'
|
||||||
|
set firewall name trusted-local rule 3 destination port 'ntp'
|
||||||
|
set firewall name trusted-local rule 3 protocol 'udp'
|
||||||
|
set firewall name trusted-local rule 4 action 'accept'
|
||||||
|
set firewall name trusted-local rule 4 description 'Rule: accept_dhcp'
|
||||||
|
set firewall name trusted-local rule 4 destination port '67,68'
|
||||||
|
set firewall name trusted-local rule 4 protocol 'udp'
|
||||||
|
set firewall name trusted-local rule 4 source port '67,68'
|
||||||
|
set firewall name trusted-local rule 5 action 'accept'
|
||||||
|
set firewall name trusted-local rule 5 description 'Rule: accept_igmp'
|
||||||
|
set firewall name trusted-local rule 5 protocol '2'
|
||||||
|
set firewall name trusted-local rule 6 action 'accept'
|
||||||
|
set firewall name trusted-local rule 6 description 'Rule: accept_mdns'
|
||||||
|
set firewall name trusted-local rule 6 destination port 'mdns'
|
||||||
|
set firewall name trusted-local rule 6 protocol 'udp'
|
||||||
|
set firewall name trusted-local rule 6 source port 'mdns'
|
||||||
|
set firewall name trusted-local rule 7 action 'accept'
|
||||||
|
set firewall name trusted-local rule 7 description 'Rule: accept_vyos_api'
|
||||||
|
set firewall name trusted-local rule 7 destination port '8443'
|
||||||
|
set firewall name trusted-local rule 7 protocol 'tcp'
|
||||||
|
set firewall name trusted-local rule 8 action 'accept'
|
||||||
|
set firewall name trusted-local rule 8 description 'Rule: accept_discovery_from_sonos_players'
|
||||||
|
set firewall name trusted-local rule 8 destination port '1900,1901,1902'
|
||||||
|
set firewall name trusted-local rule 8 protocol 'udp'
|
||||||
|
set firewall name trusted-local rule 8 source group address-group 'sonos_players'
|
||||||
|
set firewall name trusted-local rule 9 action 'accept'
|
||||||
|
set firewall name trusted-local rule 9 description 'Rule: accept_discovery_from_sonos_controllers'
|
||||||
|
set firewall name trusted-local rule 9 destination port '1900,1901,1902,57621'
|
||||||
|
set firewall name trusted-local rule 9 protocol 'udp'
|
||||||
|
set firewall name trusted-local rule 9 source group address-group 'sonos_controllers'
|
||||||
|
|
||||||
|
# From TRUSTED to SERVERS
|
||||||
|
set firewall name trusted-servers default-action 'accept'
|
||||||
|
set firewall name trusted-servers description 'From TRUSTED to SERVERS'
|
||||||
|
set firewall name trusted-servers rule 1 action 'accept'
|
||||||
|
set firewall name trusted-servers rule 1 description 'Rule: accept_icmp'
|
||||||
|
set firewall name trusted-servers rule 1 protocol 'icmp'
|
||||||
|
|
||||||
|
# From TRUSTED to SERVICES
|
||||||
|
set firewall name trusted-services default-action 'accept'
|
||||||
|
set firewall name trusted-services description 'From TRUSTED to SERVICES'
|
||||||
|
set firewall name trusted-services rule 1 action 'accept'
|
||||||
|
set firewall name trusted-services rule 1 description 'Rule: accept_dns'
|
||||||
|
set firewall name trusted-services rule 1 destination port 'domain,domain-s'
|
||||||
|
set firewall name trusted-services rule 1 protocol 'tcp_udp'
|
||||||
|
|
||||||
|
# From TRUSTED to VIDEO
|
||||||
|
set firewall name trusted-video default-action 'accept'
|
||||||
|
set firewall name trusted-video description 'From TRUSTED to VIDEO'
|
||||||
|
set firewall name trusted-video rule 1 action 'accept'
|
||||||
|
set firewall name trusted-video rule 1 description 'Rule: accept_icmp'
|
||||||
|
set firewall name trusted-video rule 1 protocol 'icmp'
|
||||||
|
|
||||||
|
# From TRUSTED to WAN
|
||||||
|
set firewall name trusted-wan default-action 'accept'
|
||||||
|
set firewall name trusted-wan description 'From TRUSTED to WAN'
|
||||||
|
|
||||||
|
# From VIDEO to GUEST
|
||||||
|
set firewall name video-guest default-action 'drop'
|
||||||
|
set firewall name video-guest description 'From VIDEO to GUEST'
|
||||||
|
set firewall name video-guest enable-default-log
|
||||||
|
|
||||||
|
# From VIDEO to IOT
|
||||||
|
set firewall name video-iot default-action 'drop'
|
||||||
|
set firewall name video-iot description 'From VIDEO to IOT'
|
||||||
|
set firewall name video-iot enable-default-log
|
||||||
|
|
||||||
|
# From VIDEO to LAN
|
||||||
|
set firewall name video-lan default-action 'drop'
|
||||||
|
set firewall name video-lan description 'From VIDEO to LAN'
|
||||||
|
set firewall name video-lan enable-default-log
|
||||||
|
|
||||||
|
# From VIDEO to LOCAL
|
||||||
|
set firewall name video-local default-action 'drop'
|
||||||
|
set firewall name video-local description 'From VIDEO to LOCAL'
|
||||||
|
set firewall name video-local enable-default-log
|
||||||
|
set firewall name video-local rule 1 action 'accept'
|
||||||
|
set firewall name video-local rule 1 description 'Rule: accept_ntp'
|
||||||
|
set firewall name video-local rule 1 destination port 'ntp'
|
||||||
|
set firewall name video-local rule 1 protocol 'udp'
|
||||||
|
set firewall name video-local rule 2 action 'accept'
|
||||||
|
set firewall name video-local rule 2 description 'Rule: accept_dhcp'
|
||||||
|
set firewall name video-local rule 2 destination port '67,68'
|
||||||
|
set firewall name video-local rule 2 protocol 'udp'
|
||||||
|
set firewall name video-local rule 2 source port '67,68'
|
||||||
|
|
||||||
|
# From VIDEO to SERVERS
|
||||||
|
set firewall name video-servers default-action 'drop'
|
||||||
|
set firewall name video-servers description 'From VIDEO to SERVERS'
|
||||||
|
set firewall name video-servers enable-default-log
|
||||||
|
|
||||||
|
# From VIDEO to SERVICES
|
||||||
|
set firewall name video-services default-action 'accept'
|
||||||
|
set firewall name video-services description 'From VIDEO to SERVICES'
|
||||||
|
set firewall name video-services rule 1 action 'accept'
|
||||||
|
set firewall name video-services rule 1 description 'Rule: accept_dns'
|
||||||
|
set firewall name video-services rule 1 destination port 'domain,domain-s'
|
||||||
|
set firewall name video-services rule 1 protocol 'tcp_udp'
|
||||||
|
|
||||||
|
# From VIDEO to TRUSTED
|
||||||
|
set firewall name video-trusted default-action 'drop'
|
||||||
|
set firewall name video-trusted description 'From VIDEO to TRUSTED'
|
||||||
|
set firewall name video-trusted enable-default-log
|
||||||
|
|
||||||
|
# From VIDEO to WAN
|
||||||
|
set firewall name video-wan default-action 'drop'
|
||||||
|
set firewall name video-wan description 'From VIDEO to WAN'
|
||||||
|
|
||||||
|
# From WAN to GUEST
|
||||||
|
set firewall name wan-guest default-action 'drop'
|
||||||
|
set firewall name wan-guest description 'From WAN to GUEST'
|
||||||
|
set firewall name wan-guest enable-default-log
|
||||||
|
|
||||||
|
# From WAN to IOT
|
||||||
|
set firewall name wan-iot default-action 'drop'
|
||||||
|
set firewall name wan-iot description 'From WAN to IOT'
|
||||||
|
set firewall name wan-iot enable-default-log
|
||||||
|
|
||||||
|
# From WAN to LAN
|
||||||
|
set firewall name wan-lan default-action 'drop'
|
||||||
|
set firewall name wan-lan description 'From WAN to LAN'
|
||||||
|
set firewall name wan-lan enable-default-log
|
||||||
|
|
||||||
|
# From WAN to LOCAL
|
||||||
|
set firewall name wan-local default-action 'drop'
|
||||||
|
set firewall name wan-local description 'From WAN to LOCAL'
|
||||||
|
set firewall name wan-local enable-default-log
|
||||||
|
set firewall name wan-local rule 1 action 'accept'
|
||||||
|
set firewall name wan-local rule 1 description 'Rule: accept_wireguard'
|
||||||
|
set firewall name wan-local rule 1 destination port '51820'
|
||||||
|
set firewall name wan-local rule 1 protocol 'udp'
|
||||||
|
|
||||||
|
# From WAN to SERVERS
|
||||||
|
set firewall name wan-servers default-action 'drop'
|
||||||
|
set firewall name wan-servers description 'From WAN to SERVERS'
|
||||||
|
set firewall name wan-servers enable-default-log
|
||||||
|
set firewall name wan-servers rule 1 action 'accept'
|
||||||
|
set firewall name wan-servers rule 1 description 'Rule: accept_ingress_from_cloudflare'
|
||||||
|
set firewall name wan-servers rule 1 destination group address-group 'k8s_ingress'
|
||||||
|
set firewall name wan-servers rule 1 destination port 'http,https'
|
||||||
|
set firewall name wan-servers rule 1 protocol 'tcp'
|
||||||
|
set firewall name wan-servers rule 1 source group network-group 'cloudflare-ipv4'
|
||||||
|
## Plex
|
||||||
|
set firewall name wan-servers rule 10 action 'accept'
|
||||||
|
set firewall name wan-servers rule 10 destination port 32400
|
||||||
|
set firewall name wan-servers rule 10 protocol 'tcp'
|
||||||
|
set firewall name wan-servers rule 10 destination address 10.1.1.12
|
||||||
|
|
||||||
|
# From WAN to SERVICES
|
||||||
|
set firewall name wan-services default-action 'drop'
|
||||||
|
set firewall name wan-services description 'From WAN to SERVICES'
|
||||||
|
set firewall name wan-services enable-default-log
|
||||||
|
|
||||||
|
# From WAN to TRUSTED
|
||||||
|
set firewall name wan-trusted default-action 'drop'
|
||||||
|
set firewall name wan-trusted description 'From WAN to TRUSTED'
|
||||||
|
set firewall name wan-trusted enable-default-log
|
||||||
|
|
||||||
|
# From WAN to VIDEO
|
||||||
|
set firewall name wan-video default-action 'drop'
|
||||||
|
set firewall name wan-video description 'From WAN to VIDEO'
|
||||||
|
set firewall name wan-video enable-default-log
|
||||||
103
config-parts/firewall-zone.sh
Normal file
103
config-parts/firewall-zone.sh
Normal file
|
|
@ -0,0 +1,103 @@
|
||||||
|
#!/bin/vbash
|
||||||
|
|
||||||
|
set firewall zone guest default-action 'drop'
|
||||||
|
set firewall zone guest from iot firewall name 'iot-guest'
|
||||||
|
set firewall zone guest from lan firewall name 'lan-guest'
|
||||||
|
set firewall zone guest from local firewall name 'local-guest'
|
||||||
|
set firewall zone guest from servers firewall name 'servers-guest'
|
||||||
|
set firewall zone guest from services firewall name 'services-guest'
|
||||||
|
set firewall zone guest from trusted firewall name 'trusted-guest'
|
||||||
|
set firewall zone guest from video firewall name 'video-guest'
|
||||||
|
set firewall zone guest from wan firewall name 'wan-guest'
|
||||||
|
set firewall zone guest interface 'eth1.30'
|
||||||
|
|
||||||
|
set firewall zone iot default-action 'drop'
|
||||||
|
set firewall zone iot from guest firewall name 'guest-iot'
|
||||||
|
set firewall zone iot from lan firewall name 'lan-iot'
|
||||||
|
set firewall zone iot from local firewall name 'local-iot'
|
||||||
|
set firewall zone iot from servers firewall name 'servers-iot'
|
||||||
|
set firewall zone iot from services firewall name 'services-iot'
|
||||||
|
set firewall zone iot from trusted firewall name 'trusted-iot'
|
||||||
|
set firewall zone iot from video firewall name 'video-iot'
|
||||||
|
set firewall zone iot from wan firewall name 'wan-iot'
|
||||||
|
set firewall zone iot interface 'eth1.40'
|
||||||
|
|
||||||
|
set firewall zone lan default-action 'drop'
|
||||||
|
set firewall zone lan from guest firewall name 'guest-lan'
|
||||||
|
set firewall zone lan from iot firewall name 'iot-lan'
|
||||||
|
set firewall zone lan from local firewall name 'local-lan'
|
||||||
|
set firewall zone lan from servers firewall name 'servers-lan'
|
||||||
|
set firewall zone lan from services firewall name 'services-lan'
|
||||||
|
set firewall zone lan from trusted firewall name 'trusted-lan'
|
||||||
|
set firewall zone lan from video firewall name 'video-lan'
|
||||||
|
set firewall zone lan from wan firewall name 'wan-lan'
|
||||||
|
set firewall zone lan interface 'eth1'
|
||||||
|
|
||||||
|
set firewall zone local default-action 'drop'
|
||||||
|
set firewall zone local description 'Local router zone'
|
||||||
|
set firewall zone local from guest firewall name 'guest-local'
|
||||||
|
set firewall zone local from iot firewall name 'iot-local'
|
||||||
|
set firewall zone local from lan firewall name 'lan-local'
|
||||||
|
set firewall zone local from servers firewall name 'servers-local'
|
||||||
|
set firewall zone local from services firewall name 'services-local'
|
||||||
|
set firewall zone local from trusted firewall name 'trusted-local'
|
||||||
|
set firewall zone local from video firewall name 'video-local'
|
||||||
|
set firewall zone local from wan firewall name 'wan-local'
|
||||||
|
set firewall zone local local-zone
|
||||||
|
|
||||||
|
set firewall zone servers default-action 'drop'
|
||||||
|
set firewall zone servers from guest firewall name 'guest-servers'
|
||||||
|
set firewall zone servers from iot firewall name 'iot-servers'
|
||||||
|
set firewall zone servers from lan firewall name 'lan-servers'
|
||||||
|
set firewall zone servers from local firewall name 'local-servers'
|
||||||
|
set firewall zone servers from services firewall name 'services-servers'
|
||||||
|
set firewall zone servers from trusted firewall name 'trusted-servers'
|
||||||
|
set firewall zone servers from video firewall name 'video-servers'
|
||||||
|
set firewall zone servers from wan firewall name 'wan-servers'
|
||||||
|
set firewall zone servers interface 'eth1.10'
|
||||||
|
|
||||||
|
set firewall zone services default-action 'drop'
|
||||||
|
set firewall zone services description 'VyOS services zone'
|
||||||
|
set firewall zone services from guest firewall name 'guest-services'
|
||||||
|
set firewall zone services from iot firewall name 'iot-services'
|
||||||
|
set firewall zone services from lan firewall name 'lan-services'
|
||||||
|
set firewall zone services from local firewall name 'local-services'
|
||||||
|
set firewall zone services from servers firewall name 'servers-services'
|
||||||
|
set firewall zone services from trusted firewall name 'trusted-services'
|
||||||
|
set firewall zone services from video firewall name 'video-services'
|
||||||
|
set firewall zone services from wan firewall name 'wan-services'
|
||||||
|
set firewall zone services interface 'cni-services'
|
||||||
|
|
||||||
|
set firewall zone trusted default-action 'drop'
|
||||||
|
set firewall zone trusted from guest firewall name 'guest-trusted'
|
||||||
|
set firewall zone trusted from iot firewall name 'iot-trusted'
|
||||||
|
set firewall zone trusted from lan firewall name 'lan-trusted'
|
||||||
|
set firewall zone trusted from local firewall name 'local-trusted'
|
||||||
|
set firewall zone trusted from servers firewall name 'servers-trusted'
|
||||||
|
set firewall zone trusted from services firewall name 'services-trusted'
|
||||||
|
set firewall zone trusted from video firewall name 'video-trusted'
|
||||||
|
set firewall zone trusted from wan firewall name 'wan-trusted'
|
||||||
|
set firewall zone trusted interface 'eth1.20'
|
||||||
|
set firewall zone trusted interface 'wg01'
|
||||||
|
|
||||||
|
set firewall zone video default-action 'drop'
|
||||||
|
set firewall zone video from guest firewall name 'guest-video'
|
||||||
|
set firewall zone video from iot firewall name 'iot-video'
|
||||||
|
set firewall zone video from lan firewall name 'lan-video'
|
||||||
|
set firewall zone video from local firewall name 'local-video'
|
||||||
|
set firewall zone video from servers firewall name 'servers-video'
|
||||||
|
set firewall zone video from services firewall name 'services-video'
|
||||||
|
set firewall zone video from trusted firewall name 'trusted-video'
|
||||||
|
set firewall zone video from wan firewall name 'wan-video'
|
||||||
|
set firewall zone video interface 'eth1.50'
|
||||||
|
set firewall zone wan default-action 'drop'
|
||||||
|
|
||||||
|
set firewall zone wan from guest firewall name 'guest-wan'
|
||||||
|
set firewall zone wan from iot firewall name 'iot-wan'
|
||||||
|
set firewall zone wan from lan firewall name 'lan-wan'
|
||||||
|
set firewall zone wan from local firewall name 'local-wan'
|
||||||
|
set firewall zone wan from servers firewall name 'servers-wan'
|
||||||
|
set firewall zone wan from services firewall name 'services-wan'
|
||||||
|
set firewall zone wan from trusted firewall name 'trusted-wan'
|
||||||
|
set firewall zone wan from video firewall name 'video-wan'
|
||||||
|
set firewall zone wan interface 'eth0'
|
||||||
146
config-parts/firewall.sh
Normal file
146
config-parts/firewall.sh
Normal file
|
|
@ -0,0 +1,146 @@
|
||||||
|
#!/bin/vbash
|
||||||
|
|
||||||
|
# General configuration
|
||||||
|
set firewall state-policy established action 'accept'
|
||||||
|
set firewall state-policy invalid action 'drop'
|
||||||
|
set firewall state-policy related action 'accept'
|
||||||
|
|
||||||
|
# Address Groups
|
||||||
|
set firewall group address-group 3d_printer_controllers address '10.1.3.56'
|
||||||
|
|
||||||
|
set firewall group address-group android_tv_players address '10.1.3.16'
|
||||||
|
|
||||||
|
set firewall group address-group ereaders address '10.1.3.51'
|
||||||
|
set firewall group address-group ereaders address '10.1.3.52'
|
||||||
|
|
||||||
|
set firewall group address-group esp address '10.1.3.21'
|
||||||
|
set firewall group address-group esp address '10.1.3.31'
|
||||||
|
set firewall group address-group esp address '10.1.3.32'
|
||||||
|
set firewall group address-group esp address '10.1.3.33'
|
||||||
|
set firewall group address-group esp address '10.1.3.34'
|
||||||
|
set firewall group address-group esp address '10.1.3.35'
|
||||||
|
set firewall group address-group esp address '10.1.3.36'
|
||||||
|
set firewall group address-group esp address '10.1.3.42'
|
||||||
|
set firewall group address-group esp address '10.1.3.45'
|
||||||
|
set firewall group address-group esp address '10.1.3.46'
|
||||||
|
|
||||||
|
set firewall group address-group ios_devices address '10.1.2.31'
|
||||||
|
set firewall group address-group ios_devices address '10.1.2.32'
|
||||||
|
set firewall group address-group ios_devices address '10.1.2.33'
|
||||||
|
set firewall group address-group ios_devices address '10.1.2.34'
|
||||||
|
set firewall group address-group ios_devices address '10.1.2.35'
|
||||||
|
set firewall group address-group ios_devices address '10.1.2.36'
|
||||||
|
|
||||||
|
set firewall group address-group jellyfin_clients address '10.1.2.21'
|
||||||
|
set firewall group address-group jellyfin_clients address '10.1.2.31'
|
||||||
|
set firewall group address-group jellyfin_clients address '10.1.2.32'
|
||||||
|
set firewall group address-group jellyfin_clients address '10.1.2.33'
|
||||||
|
set firewall group address-group jellyfin_clients address '10.1.2.34'
|
||||||
|
set firewall group address-group jellyfin_clients address '10.1.2.35'
|
||||||
|
set firewall group address-group jellyfin_clients address '10.1.2.36'
|
||||||
|
set firewall group address-group jellyfin_clients address '10.1.3.16'
|
||||||
|
|
||||||
|
set firewall group address-group k8s_api address '10.5.0.2'
|
||||||
|
|
||||||
|
set firewall group address-group k8s_ingress address '10.45.0.1'
|
||||||
|
|
||||||
|
set firewall group address-group k8s_ingress_allowed address '10.1.3.35'
|
||||||
|
set firewall group address-group k8s_ingress_allowed address '10.1.3.36'
|
||||||
|
|
||||||
|
set firewall group address-group k8s_jellyfin address '10.45.0.21'
|
||||||
|
|
||||||
|
set firewall group address-group k8s_mqtt address '10.45.0.10'
|
||||||
|
|
||||||
|
set firewall group address-group k8s_nodes address '10.1.1.31'
|
||||||
|
set firewall group address-group k8s_nodes address '10.1.1.32'
|
||||||
|
set firewall group address-group k8s_nodes address '10.1.1.34'
|
||||||
|
|
||||||
|
|
||||||
|
set firewall group address-group k8s_plex address '10.45.0.20'
|
||||||
|
|
||||||
|
set firewall group address-group k8s_vector_aggregator address '10.45.0.2'
|
||||||
|
|
||||||
|
set firewall group address-group mqtt_clients address '10.1.2.21'
|
||||||
|
set firewall group address-group mqtt_clients address '10.1.2.32'
|
||||||
|
set firewall group address-group mqtt_clients address '10.1.3.18'
|
||||||
|
set firewall group address-group mqtt_clients address '10.1.3.22'
|
||||||
|
set firewall group address-group mqtt_clients address '10.1.3.56'
|
||||||
|
|
||||||
|
set firewall group address-group nas address '10.1.1.11'
|
||||||
|
|
||||||
|
set firewall group address-group plex_clients address '10.1.2.21'
|
||||||
|
set firewall group address-group plex_clients address '10.1.2.31'
|
||||||
|
set firewall group address-group plex_clients address '10.1.2.32'
|
||||||
|
set firewall group address-group plex_clients address '10.1.2.33'
|
||||||
|
set firewall group address-group plex_clients address '10.1.2.34'
|
||||||
|
set firewall group address-group plex_clients address '10.1.2.35'
|
||||||
|
set firewall group address-group plex_clients address '10.1.2.36'
|
||||||
|
set firewall group address-group plex_clients address '10.1.3.16'
|
||||||
|
|
||||||
|
set firewall group address-group printers address '10.1.3.55'
|
||||||
|
|
||||||
|
set firewall group address-group printer_allowed address '192.168.2.11'
|
||||||
|
|
||||||
|
set firewall group address-group scanners address '10.1.3.55'
|
||||||
|
|
||||||
|
set firewall group address-group sonos_controllers address '10.1.2.21'
|
||||||
|
set firewall group address-group sonos_controllers address '10.1.2.31'
|
||||||
|
set firewall group address-group sonos_controllers address '10.1.2.32'
|
||||||
|
set firewall group address-group sonos_controllers address '10.1.2.33'
|
||||||
|
set firewall group address-group sonos_controllers address '10.1.2.34'
|
||||||
|
set firewall group address-group sonos_controllers address '10.1.2.36'
|
||||||
|
|
||||||
|
set firewall group address-group sonos_players address '10.1.3.61'
|
||||||
|
set firewall group address-group sonos_players address '10.1.3.62'
|
||||||
|
set firewall group address-group sonos_players address '10.1.3.63'
|
||||||
|
set firewall group address-group sonos_players address '10.1.3.65'
|
||||||
|
set firewall group address-group sonos_players address '10.1.3.66'
|
||||||
|
|
||||||
|
set firewall group address-group sonos_players address '10.1.3.71'
|
||||||
|
set firewall group address-group sonos_players address '10.1.3.72'
|
||||||
|
set firewall group address-group sonos_players address '10.1.3.73'
|
||||||
|
set firewall group address-group sonos_players address '10.1.3.74'
|
||||||
|
|
||||||
|
set firewall group address-group unifi_devices address '10.1.0.11'
|
||||||
|
set firewall group address-group unifi_devices address '10.1.0.12'
|
||||||
|
set firewall group address-group unifi_devices address '10.1.0.13'
|
||||||
|
set firewall group address-group unifi_devices address '10.1.0.21'
|
||||||
|
set firewall group address-group unifi_devices address '10.1.0.22'
|
||||||
|
set firewall group address-group unifi_devices address '10.1.0.23'
|
||||||
|
set firewall group address-group unifi_devices address '10.1.0.24'
|
||||||
|
|
||||||
|
set firewall group address-group vector_journald_allowed address '10.1.3.56'
|
||||||
|
set firewall group address-group vector_journald_allowed address '10.1.3.60'
|
||||||
|
|
||||||
|
set firewall group address-group vyos_chronyd address '10.5.0.5'
|
||||||
|
|
||||||
|
set firewall group address-group vyos_coredns address '10.5.0.3'
|
||||||
|
|
||||||
|
set firewall group address-group vyos_dnsdist address '10.5.0.4'
|
||||||
|
|
||||||
|
set firewall group address-group vyos_unifi address '10.5.0.10'
|
||||||
|
|
||||||
|
set firewall group address-group wall_displays address '10.1.3.53'
|
||||||
|
set firewall group address-group wall_displays address '10.1.3.54'
|
||||||
|
|
||||||
|
# Network groups
|
||||||
|
set firewall group network-group cloudflare-ipv4 network '173.245.48.0/20'
|
||||||
|
set firewall group network-group cloudflare-ipv4 network '103.21.244.0/22'
|
||||||
|
set firewall group network-group cloudflare-ipv4 network '103.22.200.0/22'
|
||||||
|
set firewall group network-group cloudflare-ipv4 network '103.31.4.0/22'
|
||||||
|
set firewall group network-group cloudflare-ipv4 network '141.101.64.0/18'
|
||||||
|
set firewall group network-group cloudflare-ipv4 network '108.162.192.0/18'
|
||||||
|
set firewall group network-group cloudflare-ipv4 network '190.93.240.0/20'
|
||||||
|
set firewall group network-group cloudflare-ipv4 network '188.114.96.0/20'
|
||||||
|
set firewall group network-group cloudflare-ipv4 network '197.234.240.0/22'
|
||||||
|
set firewall group network-group cloudflare-ipv4 network '198.41.128.0/17'
|
||||||
|
set firewall group network-group cloudflare-ipv4 network '162.158.0.0/15'
|
||||||
|
set firewall group network-group cloudflare-ipv4 network '104.16.0.0/13'
|
||||||
|
set firewall group network-group cloudflare-ipv4 network '104.24.0.0/14'
|
||||||
|
set firewall group network-group cloudflare-ipv4 network '172.64.0.0/13'
|
||||||
|
set firewall group network-group cloudflare-ipv4 network '131.0.72.0/22'
|
||||||
|
|
||||||
|
set firewall group network-group k8s_services network '10.45.0.0/16'
|
||||||
|
|
||||||
|
# Port groups
|
||||||
|
set firewall group port-group wireguard port '51820'
|
||||||
33
config-parts/interfaces.sh
Normal file
33
config-parts/interfaces.sh
Normal file
|
|
@ -0,0 +1,33 @@
|
||||||
|
#!/bin/vbash
|
||||||
|
|
||||||
|
set interfaces ethernet eth0 address 'dhcp'
|
||||||
|
set interfaces ethernet eth0 description 'WAN'
|
||||||
|
set interfaces ethernet eth0 hw-id 'a0:42:3f:2f:a9:68'
|
||||||
|
|
||||||
|
set interfaces ethernet eth1 address '10.1.0.1/24'
|
||||||
|
set interfaces ethernet eth1 description 'LAN'
|
||||||
|
set interfaces ethernet eth1 hw-id 'a0:42:3f:2f:a9:69'
|
||||||
|
set interfaces ethernet eth1 vif 10 address '10.1.1.1/24'
|
||||||
|
set interfaces ethernet eth1 vif 10 description 'SERVERS'
|
||||||
|
set interfaces ethernet eth1 vif 20 address '10.1.2.1/24'
|
||||||
|
set interfaces ethernet eth1 vif 20 description 'TRUSTED'
|
||||||
|
set interfaces ethernet eth1 vif 30 address '192.168.2.1/24'
|
||||||
|
set interfaces ethernet eth1 vif 30 description 'GUEST'
|
||||||
|
set interfaces ethernet eth1 vif 40 address '10.1.3.1/24'
|
||||||
|
set interfaces ethernet eth1 vif 40 description 'IOT'
|
||||||
|
set interfaces ethernet eth1 vif 50 address '10.1.4.1/24'
|
||||||
|
set interfaces ethernet eth1 vif 50 description 'VIDEO'
|
||||||
|
|
||||||
|
set interfaces wireguard wg01 address '10.0.11.1/24'
|
||||||
|
set interfaces wireguard wg01 description 'WIREGUARD'
|
||||||
|
set interfaces wireguard wg01 peer ipad-jahanson allowed-ips '10.0.11.4/32'
|
||||||
|
set interfaces wireguard wg01 peer ipad-jahanson persistent-keepalive '15'
|
||||||
|
set interfaces wireguard wg01 peer ipad-jahanson public-key 'jv1XSCkzxGY0kBfLbF79gwLVOCmyCTUmSFd36QcwiWE='
|
||||||
|
set interfaces wireguard wg01 peer iphone-jahanson allowed-ips '10.0.11.2/32'
|
||||||
|
set interfaces wireguard wg01 peer iphone-jahanson persistent-keepalive '15'
|
||||||
|
set interfaces wireguard wg01 peer iphone-jahanson public-key 'HHBmTzVQH1qt14rVqzxCUATkLRPGu5WisHyY9O4yTkM='
|
||||||
|
set interfaces wireguard wg01 peer legion-jahanson allowed-ips '10.0.11.3/32'
|
||||||
|
set interfaces wireguard wg01 peer legion-jahanson persistent-keepalive '15'
|
||||||
|
set interfaces wireguard wg01 peer legion-jahanson public-key 'OA8fW79KEJej2lbZZY/Bf7EHcRjeiDowqIBwXGRLZ3A='
|
||||||
|
set interfaces wireguard wg01 port '51820'
|
||||||
|
set interfaces wireguard wg01 private-key "${SECRET_WIREGUARD_PRIVATE_KEY}"
|
||||||
96
config-parts/nat.sh
Normal file
96
config-parts/nat.sh
Normal file
|
|
@ -0,0 +1,96 @@
|
||||||
|
#!/bin/vbash
|
||||||
|
|
||||||
|
# Forward HTTP(S) to ingress
|
||||||
|
set nat destination rule 100 description 'HTTPS'
|
||||||
|
set nat destination rule 100 destination port '443'
|
||||||
|
set nat destination rule 100 inbound-interface 'eth0'
|
||||||
|
set nat destination rule 100 protocol 'tcp'
|
||||||
|
set nat destination rule 100 translation address '10.45.0.1'
|
||||||
|
set nat destination rule 100 translation port '443'
|
||||||
|
|
||||||
|
set nat destination rule 101 description 'HTTP'
|
||||||
|
set nat destination rule 101 destination port '80'
|
||||||
|
set nat destination rule 101 inbound-interface 'eth0'
|
||||||
|
set nat destination rule 101 protocol 'tcp'
|
||||||
|
set nat destination rule 101 translation address '10.45.0.1'
|
||||||
|
set nat destination rule 101 translation port '80'
|
||||||
|
|
||||||
|
# Forward Plex to Sting
|
||||||
|
set nat destination rule 110 description 'PLEX'
|
||||||
|
set nat destination rule 110 destination port '32400'
|
||||||
|
set nat destination rule 110 inbound-interface 'eth0'
|
||||||
|
set nat destination rule 110 protocol 'tcp'
|
||||||
|
set nat destination rule 110 translation address '10.1.1.12'
|
||||||
|
set nat destination rule 110 translation port '32400'
|
||||||
|
|
||||||
|
# Force DNS
|
||||||
|
set nat destination rule 102 description 'Force DNS for IoT'
|
||||||
|
set nat destination rule 102 destination address '!10.5.0.4'
|
||||||
|
set nat destination rule 102 destination port '53'
|
||||||
|
set nat destination rule 102 inbound-interface 'eth1.40'
|
||||||
|
set nat destination rule 102 protocol 'tcp_udp'
|
||||||
|
set nat destination rule 102 translation address '10.5.0.4'
|
||||||
|
set nat destination rule 102 translation port '53'
|
||||||
|
|
||||||
|
set nat destination rule 103 description 'Force DNS for Video'
|
||||||
|
set nat destination rule 103 destination address '!10.5.0.4'
|
||||||
|
set nat destination rule 103 destination port '53'
|
||||||
|
set nat destination rule 103 inbound-interface 'eth1.50'
|
||||||
|
set nat destination rule 103 protocol 'tcp_udp'
|
||||||
|
set nat destination rule 103 translation address '10.5.0.4'
|
||||||
|
set nat destination rule 103 translation port '53'
|
||||||
|
|
||||||
|
set nat destination rule 104 description 'Force NTP for LAN'
|
||||||
|
set nat destination rule 104 destination address '!10.1.0.1'
|
||||||
|
set nat destination rule 104 destination port '123'
|
||||||
|
set nat destination rule 104 inbound-interface 'eth1'
|
||||||
|
set nat destination rule 104 protocol 'udp'
|
||||||
|
set nat destination rule 104 translation address '10.1.0.1'
|
||||||
|
set nat destination rule 104 translation port '123'
|
||||||
|
|
||||||
|
# Force NTP
|
||||||
|
set nat destination rule 105 description 'Force NTP for Servers'
|
||||||
|
set nat destination rule 105 destination address '!10.1.1.1'
|
||||||
|
set nat destination rule 105 destination port '123'
|
||||||
|
set nat destination rule 105 inbound-interface 'eth1.10'
|
||||||
|
set nat destination rule 105 protocol 'udp'
|
||||||
|
set nat destination rule 105 translation address '10.1.1.1'
|
||||||
|
set nat destination rule 105 translation port '123'
|
||||||
|
set nat destination rule 106 description 'Force NTP for Trusted'
|
||||||
|
|
||||||
|
set nat destination rule 106 destination address '!10.1.2.1'
|
||||||
|
set nat destination rule 106 destination port '123'
|
||||||
|
set nat destination rule 106 inbound-interface 'eth1.20'
|
||||||
|
set nat destination rule 106 protocol 'udp'
|
||||||
|
set nat destination rule 106 translation address '10.1.2.1'
|
||||||
|
set nat destination rule 106 translation port '123'
|
||||||
|
|
||||||
|
set nat destination rule 107 description 'Force NTP for IoT'
|
||||||
|
set nat destination rule 107 destination address '!10.1.3.1'
|
||||||
|
set nat destination rule 107 destination port '123'
|
||||||
|
set nat destination rule 107 inbound-interface 'eth1.40'
|
||||||
|
set nat destination rule 107 protocol 'udp'
|
||||||
|
set nat destination rule 107 translation address '10.1.3.1'
|
||||||
|
set nat destination rule 107 translation port '123'
|
||||||
|
|
||||||
|
set nat destination rule 108 description 'Force NTP for Video'
|
||||||
|
set nat destination rule 108 destination address '!10.1.4.1'
|
||||||
|
set nat destination rule 108 destination port '123'
|
||||||
|
set nat destination rule 108 inbound-interface 'eth1.50'
|
||||||
|
set nat destination rule 108 protocol 'udp'
|
||||||
|
set nat destination rule 108 translation address '10.1.4.1'
|
||||||
|
set nat destination rule 108 translation port '123'
|
||||||
|
|
||||||
|
set nat destination rule 109 description 'Force NTP for Wireguard Trusted'
|
||||||
|
set nat destination rule 109 destination address '!10.0.11.1'
|
||||||
|
set nat destination rule 109 destination port '123'
|
||||||
|
set nat destination rule 109 inbound-interface 'wg01'
|
||||||
|
set nat destination rule 109 protocol 'udp'
|
||||||
|
set nat destination rule 109 translation address '10.0.11.1'
|
||||||
|
set nat destination rule 109 translation port '123'
|
||||||
|
|
||||||
|
# LAN -> WAN masquerade
|
||||||
|
set nat source rule 100 description 'LAN -> WAN'
|
||||||
|
set nat source rule 100 destination address '0.0.0.0/0'
|
||||||
|
set nat source rule 100 outbound-interface 'eth0'
|
||||||
|
set nat source rule 100 translation address 'masquerade'
|
||||||
14
config-parts/protocols.sh
Normal file
14
config-parts/protocols.sh
Normal file
|
|
@ -0,0 +1,14 @@
|
||||||
|
#!/bin/vbash
|
||||||
|
|
||||||
|
# BGP configuration
|
||||||
|
set protocols bgp neighbor 10.1.1.31 address-family ipv4-unicast
|
||||||
|
set protocols bgp neighbor 10.1.1.31 description 'gandalf'
|
||||||
|
set protocols bgp neighbor 10.1.1.31 remote-as '64512'
|
||||||
|
set protocols bgp neighbor 10.1.1.32 address-family ipv4-unicast
|
||||||
|
set protocols bgp neighbor 10.1.1.32 description 'glamdring'
|
||||||
|
set protocols bgp neighbor 10.1.1.32 remote-as '64512'
|
||||||
|
set protocols bgp neighbor 10.1.1.34 address-family ipv4-unicast
|
||||||
|
set protocols bgp neighbor 10.1.1.34 description 'lembas'
|
||||||
|
set protocols bgp neighbor 10.1.1.34 remote-as '64512'
|
||||||
|
set protocols bgp parameters router-id '10.1.0.1'
|
||||||
|
set protocols bgp system-as '64512'
|
||||||
202
config-parts/service-dhcp_server.sh
Normal file
202
config-parts/service-dhcp_server.sh
Normal file
|
|
@ -0,0 +1,202 @@
|
||||||
|
#!/bin/vbash
|
||||||
|
|
||||||
|
set service dhcp-server hostfile-update
|
||||||
|
set service dhcp-server host-decl-name
|
||||||
|
|
||||||
|
# Guest VLAN
|
||||||
|
set service dhcp-server shared-network-name GUEST authoritative
|
||||||
|
set service dhcp-server shared-network-name GUEST ping-check
|
||||||
|
set service dhcp-server shared-network-name GUEST subnet 192.168.2.0/24 default-router '192.168.2.1'
|
||||||
|
set service dhcp-server shared-network-name GUEST subnet 192.168.2.0/24 lease '86400'
|
||||||
|
set service dhcp-server shared-network-name GUEST subnet 192.168.2.0/24 name-server '10.5.0.4'
|
||||||
|
set service dhcp-server shared-network-name GUEST subnet 192.168.2.0/24 range 0 start '192.168.2.200'
|
||||||
|
set service dhcp-server shared-network-name GUEST subnet 192.168.2.0/24 range 0 stop '192.168.2.254'
|
||||||
|
|
||||||
|
set service dhcp-server shared-network-name GUEST subnet 192.168.2.0/24 static-mapping manyie-work-laptop ip-address '192.168.2.11'
|
||||||
|
set service dhcp-server shared-network-name GUEST subnet 192.168.2.0/24 static-mapping manyie-work-laptop mac-address '14:f6:d8:32:46:41'
|
||||||
|
|
||||||
|
# IoT VLAN
|
||||||
|
set service dhcp-server shared-network-name IOT authoritative
|
||||||
|
set service dhcp-server shared-network-name IOT ping-check
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 default-router '10.1.3.1'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 domain-name 'jahanson.tech'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 lease '86400'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 name-server '10.5.0.4'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 range 0 start '10.1.3.200'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 range 0 stop '10.1.3.254'
|
||||||
|
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping office-sonos-beam ip-address '10.1.3.71'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping office-sonos-beam mac-address '54:2a:1b:8e:e0:3b'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping sonos-2 ip-address '10.1.3.72'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping sonos-2 mac-address '48:a6:b8:fa:62:0e'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping sonos-3 ip-address '10.1.3.73'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping sonos-3 mac-address '48:a6:b8:fa:64:a6'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping sonos-4 ip-address '10.1.3.74'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping sonos-4 mac-address '48:a6:b8:48:a8:e5'
|
||||||
|
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-vacuum ip-address '10.1.3.18'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-vacuum mac-address '50:14:79:08:db:08'
|
||||||
|
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping attic-office-3dprinter-plug ip-address '10.1.3.33'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping attic-office-3dprinter-plug mac-address 'a4:e5:7c:ab:f4:cd'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping attic-office-desk-plug ip-address '10.1.3.31'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping attic-office-desk-plug mac-address 'a4:e5:7c:ab:f5:ad'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping attic-office-hue-bridge ip-address '10.1.3.24'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping attic-office-hue-bridge mac-address '00:17:88:2e:2d:5d'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping attic-office-speaker-esp ip-address '10.1.3.36'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping attic-office-speaker-esp mac-address 'e8:9f:6d:0a:53:24'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping backyard-shed-esp ip-address '10.1.3.42'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping backyard-shed-esp mac-address 'b4:e6:2d:59:de:0c'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping bedroom-eva-sonos ip-address '10.1.3.65'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping bedroom-eva-sonos mac-address 'b8:e9:37:55:d8:6c'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping bernd-ereader ip-address '10.1.3.51'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping bernd-ereader mac-address '58:b0:d4:6e:53:29'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping garage-tablet ip-address '10.1.3.54'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping garage-tablet mac-address '4c:ef:c0:00:50:aa'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping garden-wlanthermo ip-address '10.1.3.21'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping garden-wlanthermo mac-address '8c:aa:b5:c1:ce:c8'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping hallway-tablet ip-address '10.1.3.53'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping hallway-tablet mac-address 'f4:f3:09:c9:40:33'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping hallway-p1reader-esp ip-address '10.1.3.45'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping hallway-p1reader-esp mac-address 'c4:5b:be:49:4c:c8'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping hallway-tado-bridge ip-address '10.1.3.23'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping hallway-tado-bridge mac-address 'ec:e5:12:1b:39:a6'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping hallway-zigbee-adapter ip-address '10.1.3.46'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping hallway-zigbee-adapter mac-address 'cc:db:a7:48:19:b3'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping kitchen-coffeemaker ip-address '10.1.3.13'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping kitchen-coffeemaker mac-address '68:a4:0e:35:43:72'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping kitchen-oven ip-address '10.1.3.12'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping kitchen-oven mac-address '68:a4:0e:34:fc:6f'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping kitchen-sonos ip-address '10.1.3.61'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping kitchen-sonos mac-address '48:a6:b8:d3:6c:f4'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-airpurifier ip-address '10.1.3.19'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-airpurifier mac-address '78:11:dc:bc:eb:de'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-receiver ip-address '10.1.3.17'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-receiver mac-address '00:05:cd:82:29:21'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-shield ip-address '10.1.3.16'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-shield mac-address '48:b0:2d:2d:4b:cc'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-sonos ip-address '10.1.3.63'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-sonos mac-address '48:a6:b8:dc:6c:7e'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-tv ip-address '10.1.3.14'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-tv mac-address '74:40:be:0d:54:9a'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-harmony-hub ip-address '10.1.3.15'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-harmony-hub mac-address '00:04:20:fd:2d:e4'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-nintendo-switch ip-address '10.1.3.20'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-nintendo-switch mac-address '98:41:5c:b2:98:2e'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-receiver-sonos ip-address '10.1.3.66'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-receiver-sonos mac-address 'b8:e9:37:9b:f5:c6'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping manyie-ereader ip-address '10.1.3.52'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping manyie-ereader mac-address '58:b0:d4:67:f5:74'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping spare-p1eu-1 ip-address '10.1.3.34'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping spare-p1eu-1 mac-address 'a4:e5:7c:ab:c8:db'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping study-printer ip-address '10.1.3.55'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping study-printer mac-address '80:2b:f9:d4:3a:be'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping upstairs-vacuum ip-address '10.1.3.22'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping upstairs-vacuum mac-address '7c:49:eb:94:4a:58'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping upstairs-office-sonos ip-address '10.1.3.62'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping upstairs-office-sonos mac-address '94:9f:3e:04:88:2a'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping upstairs-office-desk-plug ip-address '10.1.3.32'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping upstairs-office-desk-plug mac-address 'a4:e5:7c:ab:ca:33'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping upstairs-office-speaker-esp ip-address '10.1.3.35'
|
||||||
|
set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping upstairs-office-speaker-esp mac-address '4c:75:25:bf:b4:d0'
|
||||||
|
|
||||||
|
# LAN
|
||||||
|
set service dhcp-server shared-network-name LAN authoritative
|
||||||
|
set service dhcp-server shared-network-name LAN ping-check
|
||||||
|
set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 default-router '10.1.0.1'
|
||||||
|
set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 lease '86400'
|
||||||
|
set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 name-server '10.5.0.4'
|
||||||
|
set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 range 0 start '10.1.0.200'
|
||||||
|
set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 range 0 stop '10.1.0.254'
|
||||||
|
|
||||||
|
set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping usw-pro-24 ip-address '10.1.0.11'
|
||||||
|
set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping usw-pro-24 mac-address '24:5a:4c:9b:c0:6e'
|
||||||
|
set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping usw-industrial ip-address '10.1.0.12'
|
||||||
|
set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping usw-industrial mac-address '68:d7:9a:3c:b0:75'
|
||||||
|
set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping usw-flex-mini-joe ip-address '10.1.0.13'
|
||||||
|
set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping usw-flex-mini-joe mac-address '74:83:c2:f7:f2:17'
|
||||||
|
set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping usw-flex-mini-elisia ip-address '10.1.0.14'
|
||||||
|
set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping usw-flex-mini-elisia mac-address '74:83:c2:f7:f2:1d'
|
||||||
|
set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping us-16-xg ip-address '10.1.0.15'
|
||||||
|
set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping us-16-xg mac-address '74:83:c2:0e:f9:fe'
|
||||||
|
set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping us-8-150w ip-address '10.1.0.16'
|
||||||
|
set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping us-8-150w mac-address 'b4:fb:e4:8d:a8:da'
|
||||||
|
|
||||||
|
set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping uap-nanohd ip-address '10.1.0.21'
|
||||||
|
set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping uap-nanohd mac-address '18:e8:29:b4:d9:4f'
|
||||||
|
set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping u6-lite ip-address '10.1.0.22'
|
||||||
|
set service dhcp-server shared-network-name LAN subnet 10.1.0.0/24 static-mapping u6-lite mac-address '24:5a:4c:13:1d:a8'
|
||||||
|
|
||||||
|
# Servers VLAN
|
||||||
|
set service dhcp-server shared-network-name SERVERS authoritative
|
||||||
|
set service dhcp-server shared-network-name SERVERS ping-check
|
||||||
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 default-router '10.1.1.1'
|
||||||
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 domain-name 'jahanson.tech'
|
||||||
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 lease '86400'
|
||||||
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 name-server '10.5.0.4'
|
||||||
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 range 0 start '10.1.1.200'
|
||||||
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 range 0 stop '10.1.1.254'
|
||||||
|
|
||||||
|
# Need to add all of the macs for the servers.
|
||||||
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping gandalf ip-address '10.1.1.31'
|
||||||
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping gandalf mac-address '80:61:5f:04:88:5a'
|
||||||
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping glamdring ip-address '10.1.1.32'
|
||||||
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping glamdring mac-address 'd4:5d:64:91:b2:42'
|
||||||
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping shadowfax ip-address '10.1.1.33'
|
||||||
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping shadowfax mac-address '00:e0:4c:68:02:b1'
|
||||||
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping lembas ip-address '10.1.1.34'
|
||||||
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping lembas mac-address 'c8:1f:66:10:51:d9'
|
||||||
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping elessar ip-address '10.1.1.11'
|
||||||
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping elessar mac-address '00:11:32:87:f6:1d'
|
||||||
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping sting ip-address '10.1.1.12'
|
||||||
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping sting mac-address 'a8:a1:59:4a:d1:b3'
|
||||||
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping homeassistant ip-address '10.1.1.13'
|
||||||
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping homeassistant mac-address '80:e8:2c:db:68:a2'
|
||||||
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping jellydocks ip-address '10.1.1.14'
|
||||||
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping jellydocks mac-address 'ea:87:86:9c:73:43'
|
||||||
|
|
||||||
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping horus ip-address '10.1.1.51'
|
||||||
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping horus mac-address 'b8:27:eb:b2:09:b0'
|
||||||
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping frodo ip-address '10.1.1.52'
|
||||||
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping frodo mac-address 'dc:a6:32:09:76:4c'
|
||||||
|
|
||||||
|
# Trusted VLAN
|
||||||
|
set service dhcp-server shared-network-name TRUSTED authoritative
|
||||||
|
set service dhcp-server shared-network-name TRUSTED ping-check
|
||||||
|
set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 default-router '10.1.2.1'
|
||||||
|
set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 domain-name 'jahanson.tech'
|
||||||
|
set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 lease '86400'
|
||||||
|
set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 name-server '10.5.0.4'
|
||||||
|
set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 range 0 start '10.1.2.200'
|
||||||
|
set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 range 0 stop '10.1.2.254'
|
||||||
|
|
||||||
|
set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping jahanson-ipad ip-address '10.1.2.32'
|
||||||
|
set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping jahanson-ipad mac-address '8A:0B:3A:F1:9F:91'
|
||||||
|
set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping jahanson-iphone ip-address '10.1.2.31'
|
||||||
|
set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping jahanson-iphone mac-address 'c2:d2:9a:62:ef:03'
|
||||||
|
set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping legiondary ip-address '10.1.2.21'
|
||||||
|
set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping legiondary mac-address 'f8:4d:89:7a:db:8b'
|
||||||
|
|
||||||
|
set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping eva-ipad ip-address '10.1.2.35'
|
||||||
|
set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping eva-ipad mac-address 'aa:ab:96:ce:f8:03'
|
||||||
|
set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping kitchen-ipad ip-address '10.1.2.36'
|
||||||
|
set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping kitchen-ipad mac-address '34:e2:fd:ac:7c:fa'
|
||||||
|
set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping manyie-ipad ip-address '10.1.2.34'
|
||||||
|
set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping manyie-ipad mac-address '94:bf:2d:f0:3f:c3'
|
||||||
|
set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping manyie-iphone ip-address '10.1.2.33'
|
||||||
|
set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping manyie-iphone mac-address '8c:98:6b:a9:18:cb'
|
||||||
|
set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping manyie-macbook ip-address '10.1.2.22'
|
||||||
|
set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping manyie-macbook mac-address '8c:85:90:18:42:38'
|
||||||
|
|
||||||
|
# Video VLAN
|
||||||
|
set service dhcp-server shared-network-name VIDEO authoritative
|
||||||
|
set service dhcp-server shared-network-name VIDEO ping-check
|
||||||
|
set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 default-router '10.1.4.1'
|
||||||
|
set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 domain-name 'jahanson.tech'
|
||||||
|
set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 lease '86400'
|
||||||
|
set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 name-server '10.5.0.4'
|
||||||
|
set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 range 0 start '10.1.4.200'
|
||||||
|
set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 range 0 stop '10.1.4.254'
|
||||||
|
|
||||||
|
set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 static-mapping driveway-camera ip-address '10.1.4.12'
|
||||||
|
set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 static-mapping driveway-camera mac-address 'ec:71:db:62:aa:e9'
|
||||||
14
config-parts/service.sh
Normal file
14
config-parts/service.sh
Normal file
|
|
@ -0,0 +1,14 @@
|
||||||
|
#!/bin/vbash
|
||||||
|
|
||||||
|
# NTP server
|
||||||
|
delete service ntp allow-client
|
||||||
|
set service ntp allow-client address '127.0.0.0/8'
|
||||||
|
set service ntp allow-client address '10.0.0.0/8'
|
||||||
|
set service ntp allow-client address '172.16.0.0/12'
|
||||||
|
set service ntp allow-client address '192.168.0.0/16'
|
||||||
|
delete service ntp server
|
||||||
|
set service ntp server north-america.pool.ntp.org
|
||||||
|
|
||||||
|
# SSH server
|
||||||
|
set service ssh disable-password-authentication
|
||||||
|
set service ssh port '22'
|
||||||
35
config-parts/system-static_host_mapping.sh
Normal file
35
config-parts/system-static_host_mapping.sh
Normal file
|
|
@ -0,0 +1,35 @@
|
||||||
|
# Gateway
|
||||||
|
set system static-host-mapping host-name gateway.jahanson.tech inet 10.1.0.1
|
||||||
|
set system static-host-mapping host-name gateway.jahanson.tech alias vpn.hsn.dev
|
||||||
|
set system static-host-mapping host-name gateway.jahanson.tech alias ipv4.hsn.dev
|
||||||
|
|
||||||
|
# Unifi controller
|
||||||
|
set system static-host-mapping host-name unifi inet 10.5.0.10
|
||||||
|
|
||||||
|
# NAS
|
||||||
|
set system static-host-mapping host-name elessar.jahanson.tech inet 10.1.1.11
|
||||||
|
set system static-host-mapping host-name elessar.jahanson.tech alias nas.jahanson.tech
|
||||||
|
set system static-host-mapping host-name elessar.jahanson.tech alias garage.hsn.dev
|
||||||
|
set system static-host-mapping host-name elessar.jahanson.tech alias s3.hsn.dev
|
||||||
|
|
||||||
|
# Kubernetes hosts
|
||||||
|
set system static-host-mapping host-name gandalf.jahanson.tech inet 10.1.1.31
|
||||||
|
set system static-host-mapping host-name glamdring.jahanson.tech inet 10.1.1.32
|
||||||
|
# set system static-host-mapping host-name shadowfax.jahanson.tech inet 10.1.1.33
|
||||||
|
set system static-host-mapping host-name lembas.jahanson.tech inet 10.1.1.34
|
||||||
|
|
||||||
|
# Kubernetes cluster VIP
|
||||||
|
set system static-host-mapping host-name cluster-0.jahanson.tech inet 10.5.0.2
|
||||||
|
|
||||||
|
# Other hosts
|
||||||
|
set system static-host-mapping host-name sting.jahanson.tech inet 10.1.1.12
|
||||||
|
set system static-host-mapping host-name frodo.jahanson.tech inet 10.1.1.52
|
||||||
|
set system static-host-mapping host-name frodo.jahanson.tech alias pikvm.jahanson.tech
|
||||||
|
set system static-host-mapping host-name horus.jahanson.tech inet 10.1.1.51
|
||||||
|
|
||||||
|
set system static-host-mapping host-name driveway-camera-doorbell.jahanson.tech inet 10.1.4.12
|
||||||
|
set system static-host-mapping host-name hallway-zigbee-adapter.jahanson.tech inet 10.1.3.46
|
||||||
|
set system static-host-mapping host-name garage-tablet.jahanson.tech inet 10.1.3.54
|
||||||
|
set system static-host-mapping host-name hallway-tablet.jahanson.tech inet 10.1.3.53
|
||||||
|
set system static-host-mapping host-name livingroom-vacuum.jahanson.tech inet 10.1.3.18
|
||||||
|
set system static-host-mapping host-name upstairs-vacuum.jahanson.tech inet 10.1.3.22
|
||||||
24
config-parts/system.sh
Normal file
24
config-parts/system.sh
Normal file
|
|
@ -0,0 +1,24 @@
|
||||||
|
#!/bin/vbash
|
||||||
|
|
||||||
|
set system domain-name 'jahanson.tech'
|
||||||
|
set system host-name 'gateway'
|
||||||
|
|
||||||
|
set system ipv6 disable-forwarding
|
||||||
|
|
||||||
|
set system login user vyos authentication public-keys personal key 'AAAAC3NzaC1lZDI1NTE5AAAAIBsUe5YF5z8vGcEYtQX7AAiw2rJygGf2l7xxr8nZZa7w'
|
||||||
|
set system login user vyos authentication public-keys personal type 'ssh-ed25519'
|
||||||
|
|
||||||
|
set system name-server '1.1.1.1'
|
||||||
|
|
||||||
|
set system sysctl parameter kernel.pty.max value '24000'
|
||||||
|
|
||||||
|
# Sent to vector syslog server
|
||||||
|
# set system syslog host 10.45.0.2 facility kern level 'warning'
|
||||||
|
# set system syslog host 10.45.0.2 facility kern protocol 'tcp'
|
||||||
|
# set system syslog host 10.45.0.2 port '6001'
|
||||||
|
|
||||||
|
# Custom backup
|
||||||
|
# set system task-scheduler task backup-config crontab-spec '30 0 * * *'
|
||||||
|
# set system task-scheduler task backup-config executable path '/config/scripts/custom-config-backup.sh'
|
||||||
|
|
||||||
|
set system time-zone 'America/Chicago'
|
||||||
11
containers/.gitignore
vendored
Normal file
11
containers/.gitignore
vendored
Normal file
|
|
@ -0,0 +1,11 @@
|
||||||
|
# Ignore everything
|
||||||
|
/*
|
||||||
|
|
||||||
|
# Track certain files and directories
|
||||||
|
!.gitignore
|
||||||
|
|
||||||
|
!/coredns/
|
||||||
|
!/dnsdist/
|
||||||
|
!/haproxy/
|
||||||
|
!/unifi/
|
||||||
|
!/vector-agent/
|
||||||
14
containers/coredns/.gitignore
vendored
Normal file
14
containers/coredns/.gitignore
vendored
Normal file
|
|
@ -0,0 +1,14 @@
|
||||||
|
# Ignore everything
|
||||||
|
/*
|
||||||
|
|
||||||
|
# Track certain files and directories
|
||||||
|
!.gitignore
|
||||||
|
|
||||||
|
!/config/
|
||||||
|
/config/*
|
||||||
|
!/config/Corefile
|
||||||
|
!/config/custom-hosts
|
||||||
|
|
||||||
|
!/config-vyos/
|
||||||
|
/config-vyos/*
|
||||||
|
!/config-vyos/Corefile
|
||||||
60
containers/coredns/config/Corefile
Normal file
60
containers/coredns/config/Corefile
Normal file
|
|
@ -0,0 +1,60 @@
|
||||||
|
(common) {
|
||||||
|
errors
|
||||||
|
log error
|
||||||
|
reload
|
||||||
|
loadbalance
|
||||||
|
cache
|
||||||
|
loop
|
||||||
|
local
|
||||||
|
|
||||||
|
prometheus :9153
|
||||||
|
|
||||||
|
health {
|
||||||
|
lameduck 5s
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
(k8s_gateway) {
|
||||||
|
forward . 10.45.0.3:53
|
||||||
|
}
|
||||||
|
|
||||||
|
unifi {
|
||||||
|
import common
|
||||||
|
hosts /host/etc/hosts {
|
||||||
|
ttl 1
|
||||||
|
reload 5s
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# Hack to prevent the gatway returning 127.0.0.1 from /etc/hosts
|
||||||
|
gateway.jahanson.tech {
|
||||||
|
import common
|
||||||
|
template IN A gateway.jahanson.tech {
|
||||||
|
answer "{{ .Name }} 60 IN A 10.1.0.1"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
hsn.dev {
|
||||||
|
import common
|
||||||
|
hosts /host/etc/hosts {
|
||||||
|
ttl 1
|
||||||
|
reload 5s
|
||||||
|
fallthrough
|
||||||
|
}
|
||||||
|
import k8s_gateway
|
||||||
|
}
|
||||||
|
|
||||||
|
jahanson.tech {
|
||||||
|
import common
|
||||||
|
hosts /host/etc/hosts {
|
||||||
|
ttl 1
|
||||||
|
reload 5s
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
1.10.in-addr.arpa {
|
||||||
|
hosts /host/etc/hosts {
|
||||||
|
ttl 1
|
||||||
|
reload 5s
|
||||||
|
}
|
||||||
|
}
|
||||||
9
containers/dnsdist/.gitignore
vendored
Normal file
9
containers/dnsdist/.gitignore
vendored
Normal file
|
|
@ -0,0 +1,9 @@
|
||||||
|
# Ignore everything
|
||||||
|
/*
|
||||||
|
|
||||||
|
# Track certain files and directories
|
||||||
|
!.gitignore
|
||||||
|
|
||||||
|
!/config/
|
||||||
|
/config/*
|
||||||
|
!/config/dnsdist.conf
|
||||||
91
containers/dnsdist/config/dnsdist.conf
Normal file
91
containers/dnsdist/config/dnsdist.conf
Normal file
|
|
@ -0,0 +1,91 @@
|
||||||
|
-- udp/tcp dns listening
|
||||||
|
setLocal("0.0.0.0:53", {})
|
||||||
|
|
||||||
|
-- Local CoreDNS
|
||||||
|
newServer({
|
||||||
|
address = "10.5.0.3",
|
||||||
|
pool = "coredns"
|
||||||
|
})
|
||||||
|
|
||||||
|
-- ControlD - Servers
|
||||||
|
newServer({
|
||||||
|
address = "76.76.2.22:443",
|
||||||
|
tls = "openssl",
|
||||||
|
subjectName = "dns.controld.com",
|
||||||
|
dohPath = "/14pk0z49y0u",
|
||||||
|
validateCertificates = true,
|
||||||
|
checkInterval = 10,
|
||||||
|
checkTimeout = 2000,
|
||||||
|
pool = "controld_servers"
|
||||||
|
})
|
||||||
|
|
||||||
|
-- ControlD - Trusted
|
||||||
|
newServer({
|
||||||
|
address = "76.76.2.22:443",
|
||||||
|
tls = "openssl",
|
||||||
|
subjectName = "dns.controld.com",
|
||||||
|
dohPath = "/7l9xgidtyr",
|
||||||
|
validateCertificates = true,
|
||||||
|
checkInterval = 10,
|
||||||
|
checkTimeout = 2000,
|
||||||
|
pool = "controld_trusted"
|
||||||
|
})
|
||||||
|
|
||||||
|
-- ControlD - IoT
|
||||||
|
newServer({
|
||||||
|
address = "76.76.2.22:443",
|
||||||
|
tls = "openssl",
|
||||||
|
subjectName = "dns.controld.com",
|
||||||
|
dohPath = "/227g88d4fp5",
|
||||||
|
validateCertificates = true,
|
||||||
|
checkInterval = 10,
|
||||||
|
checkTimeout = 2000,
|
||||||
|
pool = "controld_iot"
|
||||||
|
})
|
||||||
|
|
||||||
|
-- CloudFlare DNS over TLS
|
||||||
|
newServer({
|
||||||
|
address = "1.1.1.1:853",
|
||||||
|
tls = "openssl",
|
||||||
|
subjectName = "cloudflare-dns.com",
|
||||||
|
validateCertificates = true,
|
||||||
|
checkInterval = 10,
|
||||||
|
checkTimeout = 2000,
|
||||||
|
pool = "cloudflare"
|
||||||
|
})
|
||||||
|
newServer({
|
||||||
|
address = "1.0.0.1:853",
|
||||||
|
tls = "openssl",
|
||||||
|
subjectName = "cloudflare-dns.com",
|
||||||
|
validateCertificates = true,
|
||||||
|
checkInterval = 10,
|
||||||
|
checkTimeout = 2000,
|
||||||
|
pool = "cloudflare"
|
||||||
|
})
|
||||||
|
|
||||||
|
-- Enable caching
|
||||||
|
pc = newPacketCache(10000, {
|
||||||
|
maxTTL = 86400,
|
||||||
|
minTTL = 0,
|
||||||
|
temporaryFailureTTL = 60,
|
||||||
|
staleTTL = 60,
|
||||||
|
dontAge = false
|
||||||
|
})
|
||||||
|
getPool(""):setCache(pc)
|
||||||
|
|
||||||
|
-- Request logging, uncomment to log DNS requests/responses to stdout
|
||||||
|
-- addAction(AllRule(), LogAction("", false, false, true, false, false))
|
||||||
|
-- addResponseAction(AllRule(), LogResponseAction("", false, true, false, false))
|
||||||
|
|
||||||
|
-- Routing rules
|
||||||
|
addAction('unifi', PoolAction('coredns'))
|
||||||
|
addAction('hsn.dev', PoolAction('coredns'))
|
||||||
|
addAction('jahanson.tech', PoolAction('coredns'))
|
||||||
|
addAction('1.10.in-addr.arpa', PoolAction('coredns'))
|
||||||
|
|
||||||
|
addAction("10.1.0.0/24", PoolAction("controld_servers")) -- lan
|
||||||
|
addAction("10.1.1.0/24", PoolAction("controld_servers")) -- servers vlan
|
||||||
|
addAction("10.1.2.0/24", PoolAction("controld_trusted")) -- trusted vlan
|
||||||
|
addAction("10.1.3.0/24", PoolAction("controld_iot")) -- iot vlan
|
||||||
|
addAction("10.0.11.0/24", PoolAction("controld_trusted")) -- wg_trusted vlan
|
||||||
|
addAction("192.168.2.0/24", PoolAction("cloudflare")) -- guest vlan
|
||||||
9
containers/haproxy/.gitignore
vendored
Normal file
9
containers/haproxy/.gitignore
vendored
Normal file
|
|
@ -0,0 +1,9 @@
|
||||||
|
# Ignore everything
|
||||||
|
/*
|
||||||
|
|
||||||
|
# Track certain files and directories
|
||||||
|
!.gitignore
|
||||||
|
|
||||||
|
!/config/
|
||||||
|
/config/*
|
||||||
|
!/config/haproxy.cfg
|
||||||
66
containers/haproxy/config/haproxy.cfg
Normal file
66
containers/haproxy/config/haproxy.cfg
Normal file
|
|
@ -0,0 +1,66 @@
|
||||||
|
#---------------------------------------------------------------------
|
||||||
|
# Global settings
|
||||||
|
#---------------------------------------------------------------------
|
||||||
|
global
|
||||||
|
log /dev/log local0
|
||||||
|
log /dev/log local1 notice
|
||||||
|
daemon
|
||||||
|
|
||||||
|
#---------------------------------------------------------------------
|
||||||
|
# common defaults that all the 'listen' and 'backend' sections will
|
||||||
|
# use if not designated in their block
|
||||||
|
#---------------------------------------------------------------------
|
||||||
|
defaults
|
||||||
|
mode http
|
||||||
|
log global
|
||||||
|
option httplog
|
||||||
|
option dontlognull
|
||||||
|
option http-server-close
|
||||||
|
option forwardfor except 127.0.0.0/8
|
||||||
|
option redispatch
|
||||||
|
retries 1
|
||||||
|
timeout http-request 10s
|
||||||
|
timeout queue 20s
|
||||||
|
timeout connect 5s
|
||||||
|
timeout client 20s
|
||||||
|
timeout server 20s
|
||||||
|
timeout http-keep-alive 10s
|
||||||
|
timeout check 10s
|
||||||
|
|
||||||
|
#---------------------------------------------------------------------
|
||||||
|
# apiserver frontend which proxys to the control plane nodes
|
||||||
|
#---------------------------------------------------------------------
|
||||||
|
frontend k8s_apiserver
|
||||||
|
bind *:6443
|
||||||
|
mode tcp
|
||||||
|
option tcplog
|
||||||
|
default_backend k8s_controlplane
|
||||||
|
|
||||||
|
frontend talos_apiserver
|
||||||
|
bind *:50000
|
||||||
|
mode tcp
|
||||||
|
option tcplog
|
||||||
|
default_backend talos_controlplane
|
||||||
|
|
||||||
|
#---------------------------------------------------------------------
|
||||||
|
# round robin balancing for apiserver
|
||||||
|
#---------------------------------------------------------------------
|
||||||
|
backend k8s_controlplane
|
||||||
|
option httpchk GET /healthz
|
||||||
|
http-check expect status 200
|
||||||
|
mode tcp
|
||||||
|
option ssl-hello-chk
|
||||||
|
balance roundrobin
|
||||||
|
server worker1 gandalf.jahanson.tech:6443 check
|
||||||
|
server worker2 glamdring.jahanson.tech:6443 check
|
||||||
|
server worker3 lembas.jahanson.tech:6443 check
|
||||||
|
|
||||||
|
backend talos_controlplane
|
||||||
|
option httpchk GET /healthz
|
||||||
|
http-check expect status 200
|
||||||
|
mode tcp
|
||||||
|
option ssl-hello-chk
|
||||||
|
balance roundrobin
|
||||||
|
server worker1 gandalf.jahanson.tech:50000 check
|
||||||
|
server worker2 glamdring.jahanson.tech:50000 check
|
||||||
|
server worker3 lembas.jahanson.tech:50000 check
|
||||||
6
containers/unifi/.gitignore
vendored
Normal file
6
containers/unifi/.gitignore
vendored
Normal file
|
|
@ -0,0 +1,6 @@
|
||||||
|
# Ignore everything
|
||||||
|
/*
|
||||||
|
|
||||||
|
# Track certain files and directories
|
||||||
|
!.gitignore
|
||||||
|
!.gitkeep
|
||||||
0
containers/unifi/.gitkeep
Normal file
0
containers/unifi/.gitkeep
Normal file
13
scripts/.gitignore
vendored
Normal file
13
scripts/.gitignore
vendored
Normal file
|
|
@ -0,0 +1,13 @@
|
||||||
|
# Ignore everything
|
||||||
|
/*
|
||||||
|
|
||||||
|
# Track certain files and directories
|
||||||
|
!.gitignore
|
||||||
|
!*.sh
|
||||||
|
!*.script
|
||||||
|
|
||||||
|
!/commit
|
||||||
|
/commit/*
|
||||||
|
!/commit/pre-hooks.d
|
||||||
|
/commit/pre-hooks.d/*
|
||||||
|
!/commit/pre-hooks.d/**.sh
|
||||||
26
scripts/custom-config-backup.sh
Normal file
26
scripts/custom-config-backup.sh
Normal file
|
|
@ -0,0 +1,26 @@
|
||||||
|
#!/bin/bash
|
||||||
|
#
|
||||||
|
# Description: Backup config directory and configuration commands to a USB device
|
||||||
|
#
|
||||||
|
|
||||||
|
dest=/media/usb-backup
|
||||||
|
|
||||||
|
# Only backup if $dest is a mount
|
||||||
|
if mountpoint -q $dest; then
|
||||||
|
# Backup # VyOS /config
|
||||||
|
backup_dest="$dest/vyos"
|
||||||
|
if [ ! -d "$backup_dest" ]; then
|
||||||
|
mkdir "$backup_dest"
|
||||||
|
fi
|
||||||
|
tar --exclude="overlay*" --exclude="unifi*" -zvcf "$backup_dest/config.$(date +%Y%m%d%H%M%S).tar.gz" /config
|
||||||
|
|
||||||
|
# Unifi backups
|
||||||
|
backup_dest="$dest/unifi"
|
||||||
|
if [ ! -d "$backup_dest" ]; then
|
||||||
|
mkdir "$backup_dest"
|
||||||
|
fi
|
||||||
|
tar -zvcf "$backup_dest/unifi-backup.$(date +%Y%m%d%H%M%S).tar.gz" /config/containers/unifi/data/backup
|
||||||
|
|
||||||
|
# Delete backups older than 1 month
|
||||||
|
find $dest -type f -mtime +30 -delete
|
||||||
|
fi
|
||||||
24
scripts/vyos-postconfig-bootup.script
Normal file
24
scripts/vyos-postconfig-bootup.script
Normal file
|
|
@ -0,0 +1,24 @@
|
||||||
|
#!/bin/sh
|
||||||
|
# This script is executed at boot time after VyOS configuration is fully
|
||||||
|
# applied. Any modifications required to work around unfixed bugs or use
|
||||||
|
# services not available through the VyOS CLI system can be placed here.
|
||||||
|
|
||||||
|
# Add dotfiles for home directory
|
||||||
|
tee /home/vyos/.gitconfig <<END
|
||||||
|
[init]
|
||||||
|
defaultBranch = main
|
||||||
|
[safe]
|
||||||
|
directory = /config
|
||||||
|
[user]
|
||||||
|
email = joe@veri.dev
|
||||||
|
name = Joseph Hanson
|
||||||
|
END
|
||||||
|
#
|
||||||
|
tee -a /home/vyos/.bash_aliases <<END
|
||||||
|
export SOPS_AGE_KEY_FILE=/config/secrets/age.key
|
||||||
|
export GIT_SSH_COMMAND="ssh -i /config/secrets/id_ed25519"
|
||||||
|
export VISUAL=nano
|
||||||
|
export EDITOR=nano
|
||||||
|
alias podman="sudo podman"
|
||||||
|
END
|
||||||
|
#
|
||||||
13
scripts/vyos-preconfig-bootup.script
Normal file
13
scripts/vyos-preconfig-bootup.script
Normal file
|
|
@ -0,0 +1,13 @@
|
||||||
|
#!/bin/sh
|
||||||
|
# This script is executed at boot time before VyOS configuration is applied.
|
||||||
|
# Any modifications required to work around unfixed bugs or use
|
||||||
|
# services not available through the VyOS CLI system can be placed here.
|
||||||
|
|
||||||
|
# TODO: Remove if issues don't come back, turn back on if they do
|
||||||
|
# Clean dangling container network files
|
||||||
|
# rm /var/lib/cni/networks/services/10.5.*
|
||||||
|
|
||||||
|
# Mount USB Backup Drive
|
||||||
|
# backupdest=/media/usb-backup
|
||||||
|
# mkdir -p "$backupdest"
|
||||||
|
# mount -t vfat -o rw,uid=vyos,gid=vyattacfg /dev/disk/by-id/usb-Samsung_Flash_Drive_FIT_0376621010005300-0:0-part1 "$backupdest"
|
||||||
Reference in a new issue