


smeagol-help
4afb6e4325 fix(container): update image docker.io/library/haproxy ( 2.9.0 → 2.9.1 )
| datasource | package                   | from  | to    |
| ---------- | ------------------------- | ----- | ----- |
| docker     | docker.io/library/haproxy | 2.9.0 | 2.9.1 |
2024-01-03 22:08:02 +00:00
11 changed files with 123 additions and 123 deletions


@ -13,16 +13,6 @@ set container name haproxy-k8s-api volume config source '/config/containers/hapr
set container name haproxy-k8s-api volume config destination '/usr/local/etc/haproxy/haproxy.cfg' set container name haproxy-k8s-api volume config destination '/usr/local/etc/haproxy/haproxy.cfg'
set container name haproxy-k8s-api volume config mode 'ro' set container name haproxy-k8s-api volume config mode 'ro'
# haproxy-k3s-api
set container name haproxy-k3s-api image 'docker.io/library/haproxy:2.9.1'
set container name haproxy-k3s-api memory '0'
set container name haproxy-k3s-api network containers address '10.5.0.3'
set container name haproxy-k3s-api restart 'on-failure'
set container name haproxy-k3s-api shared-memory '0'
set container name haproxy-k3s-api volume config source '/config/containers/haproxy-k3s/config/haproxy.cfg'
set container name haproxy-k3s-api volume config destination '/usr/local/etc/haproxy/haproxy.cfg'
set container name haproxy-k3s-api volume config mode 'ro'
# node-exporter # node-exporter
set container name node-exporter environment procfs value '/host/proc' set container name node-exporter environment procfs value '/host/proc'
set container name node-exporter environment rootfs value '/host/rootfs' set container name node-exporter environment rootfs value '/host/rootfs'


@ -2,7 +2,7 @@
# From IOT to LAN # From IOT to LAN
set firewall ipv4 name iot-lan default-action 'drop' set firewall ipv4 name iot-lan default-action 'drop'
set firewall ipv4 name iot-lan description 'From IOT to LAN' set firewall ipv4 name iot-lan description 'From IOT to LAN'
set firewall ipv4 name iot-lan default-log set firewall ipv4 name iot-lan enable-default-log
set firewall ipv4 name iot-lan rule 999 action 'drop' set firewall ipv4 name iot-lan rule 999 action 'drop'
set firewall ipv4 name iot-lan rule 999 description 'Rule: drop_invalid' set firewall ipv4 name iot-lan rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name iot-lan rule 999 state invalid set firewall ipv4 name iot-lan rule 999 state invalid
@ -11,7 +11,7 @@ set firewall ipv4 name iot-lan rule 999 log
# From IOT to LOCAL # From IOT to LOCAL
set firewall ipv4 name iot-local default-action 'drop' set firewall ipv4 name iot-local default-action 'drop'
set firewall ipv4 name iot-local description 'From IOT to LOCAL' set firewall ipv4 name iot-local description 'From IOT to LOCAL'
set firewall ipv4 name iot-local default-log set firewall ipv4 name iot-local enable-default-log
set firewall ipv4 name iot-local rule 50 action 'accept' set firewall ipv4 name iot-local rule 50 action 'accept'
set firewall ipv4 name iot-local rule 50 description 'Rule: accept_dhcp' set firewall ipv4 name iot-local rule 50 description 'Rule: accept_dhcp'
set firewall ipv4 name iot-local rule 50 destination port '67,68' set firewall ipv4 name iot-local rule 50 destination port '67,68'
@ -46,13 +46,37 @@ set firewall ipv4 name iot-local rule 999 log
# From IOT to SERVERS # From IOT to SERVERS
set firewall ipv4 name iot-servers default-action 'drop' set firewall ipv4 name iot-servers default-action 'drop'
set firewall ipv4 name iot-servers description 'From IOT to SERVERS' set firewall ipv4 name iot-servers description 'From IOT to SERVERS'
set firewall ipv4 name iot-servers default-log set firewall ipv4 name iot-servers enable-default-log
set firewall ipv4 name iot-servers rule 100 action 'accept'
set firewall ipv4 name iot-servers rule 100 description 'Rule: accept_nas_smb_from_scanners'
set firewall ipv4 name iot-servers rule 100 destination group address-group 'nas'
set firewall ipv4 name iot-servers rule 100 destination port 'microsoft-ds'
set firewall ipv4 name iot-servers rule 100 protocol 'tcp'
set firewall ipv4 name iot-servers rule 100 source group address-group 'scanners'
set firewall ipv4 name iot-servers rule 200 action 'accept'
set firewall ipv4 name iot-servers rule 200 description 'Rule: accept_plex_from_plex_clients'
set firewall ipv4 name iot-servers rule 200 destination group address-group 'k8s_plex'
set firewall ipv4 name iot-servers rule 200 destination port '32400'
set firewall ipv4 name iot-servers rule 200 protocol 'tcp'
set firewall ipv4 name iot-servers rule 200 source group address-group 'plex_clients'
set firewall ipv4 name iot-servers rule 300 action 'accept'
set firewall ipv4 name iot-servers rule 300 description 'Rule: accept_mqtt_from_mqtt_clients'
set firewall ipv4 name iot-servers rule 300 destination group address-group 'k8s_mqtt'
set firewall ipv4 name iot-servers rule 300 destination port '1883'
set firewall ipv4 name iot-servers rule 300 protocol 'tcp'
set firewall ipv4 name iot-servers rule 300 source group address-group 'mqtt_clients'
set firewall ipv4 name iot-servers rule 400 action 'accept' set firewall ipv4 name iot-servers rule 400 action 'accept'
set firewall ipv4 name iot-servers rule 400 description 'Rule: accept_k8s_ingress_from_sonos_players' set firewall ipv4 name iot-servers rule 400 description 'Rule: accept_k8s_ingress_from_sonos_players'
set firewall ipv4 name iot-servers rule 400 destination group address-group 'k8s_ingress' set firewall ipv4 name iot-servers rule 400 destination group address-group 'k8s_ingress'
set firewall ipv4 name iot-servers rule 400 destination port 'http,https' set firewall ipv4 name iot-servers rule 400 destination port 'http,https'
set firewall ipv4 name iot-servers rule 400 protocol 'tcp' set firewall ipv4 name iot-servers rule 400 protocol 'tcp'
set firewall ipv4 name iot-servers rule 400 source group address-group 'sonos_players' set firewall ipv4 name iot-servers rule 400 source group address-group 'sonos_players'
set firewall ipv4 name iot-servers rule 410 action 'accept'
set firewall ipv4 name iot-servers rule 410 description 'Rule: accept_k8s_ingress_from_allowed_devices'
set firewall ipv4 name iot-servers rule 410 destination group address-group 'k8s_ingress'
set firewall ipv4 name iot-servers rule 410 destination port 'http,https'
set firewall ipv4 name iot-servers rule 410 protocol 'tcp'
set firewall ipv4 name iot-servers rule 410 source group address-group 'k8s_ingress_allowed'
set firewall ipv4 name iot-servers rule 999 action 'drop' set firewall ipv4 name iot-servers rule 999 action 'drop'
set firewall ipv4 name iot-servers rule 999 description 'Rule: drop_invalid' set firewall ipv4 name iot-servers rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name iot-servers rule 999 state invalid set firewall ipv4 name iot-servers rule 999 state invalid
@ -73,7 +97,19 @@ set firewall ipv4 name iot-containers rule 999 log
# From IOT to TRUSTED # From IOT to TRUSTED
set firewall ipv4 name iot-trusted default-action 'drop' set firewall ipv4 name iot-trusted default-action 'drop'
set firewall ipv4 name iot-trusted description 'From IOT to TRUSTED' set firewall ipv4 name iot-trusted description 'From IOT to TRUSTED'
set firewall ipv4 name iot-trusted default-log set firewall ipv4 name iot-trusted enable-default-log
set firewall ipv4 name iot-trusted rule 100 action 'accept'
set firewall ipv4 name iot-trusted rule 100 description 'Rule: accept_udp_from_sonos_players_to_sonos_controllers'
set firewall ipv4 name iot-trusted rule 100 destination group address-group 'sonos_controllers'
set firewall ipv4 name iot-trusted rule 100 destination port '319,320,30000-65535'
set firewall ipv4 name iot-trusted rule 100 protocol 'udp'
set firewall ipv4 name iot-trusted rule 100 source group address-group 'sonos_players'
set firewall ipv4 name iot-trusted rule 110 action 'accept'
set firewall ipv4 name iot-trusted rule 110 description 'Rule: accept_tcp_from_sonos_players_to_sonos_controllers'
set firewall ipv4 name iot-trusted rule 110 destination group address-group 'sonos_controllers'
set firewall ipv4 name iot-trusted rule 110 destination port '1400,3400,3401,3500,30000-65535'
set firewall ipv4 name iot-trusted rule 110 protocol 'tcp'
set firewall ipv4 name iot-trusted rule 110 source group address-group 'sonos_players'
set firewall ipv4 name iot-trusted rule 999 action 'drop' set firewall ipv4 name iot-trusted rule 999 action 'drop'
set firewall ipv4 name iot-trusted rule 999 description 'Rule: drop_invalid' set firewall ipv4 name iot-trusted rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name iot-trusted rule 999 state invalid set firewall ipv4 name iot-trusted rule 999 state invalid
@ -82,7 +118,7 @@ set firewall ipv4 name iot-trusted rule 999 log
# From IOT to VIDEO # From IOT to VIDEO
set firewall ipv4 name iot-video default-action 'drop' set firewall ipv4 name iot-video default-action 'drop'
set firewall ipv4 name iot-video description 'From IOT to VIDEO' set firewall ipv4 name iot-video description 'From IOT to VIDEO'
set firewall ipv4 name iot-video default-log set firewall ipv4 name iot-video enable-default-log
set firewall ipv4 name iot-video rule 100 action 'accept' set firewall ipv4 name iot-video rule 100 action 'accept'
set firewall ipv4 name iot-video rule 100 description 'Rule: accept_k8s_nodes' set firewall ipv4 name iot-video rule 100 description 'Rule: accept_k8s_nodes'
set firewall ipv4 name iot-video rule 100 protocol 'tcp' set firewall ipv4 name iot-video rule 100 protocol 'tcp'
@ -99,7 +135,7 @@ set firewall ipv4 name iot-wan description 'From IOT to WAN'
# From LAN to IoT # From LAN to IoT
set firewall ipv4 name lan-iot default-action 'drop' set firewall ipv4 name lan-iot default-action 'drop'
set firewall ipv4 name lan-iot description 'From LAN to IOT' set firewall ipv4 name lan-iot description 'From LAN to IOT'
set firewall ipv4 name lan-iot default-log set firewall ipv4 name lan-iot enable-default-log
set firewall ipv4 name lan-iot rule 999 action 'drop' set firewall ipv4 name lan-iot rule 999 action 'drop'
set firewall ipv4 name lan-iot rule 999 description 'Rule: drop_invalid' set firewall ipv4 name lan-iot rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name lan-iot rule 999 state invalid set firewall ipv4 name lan-iot rule 999 state invalid
@ -108,7 +144,7 @@ set firewall ipv4 name lan-iot rule 999 log
# From LAN to LOCAL # From LAN to LOCAL
set firewall ipv4 name lan-local default-action 'drop' set firewall ipv4 name lan-local default-action 'drop'
set firewall ipv4 name lan-local description 'From LAN to LOCAL' set firewall ipv4 name lan-local description 'From LAN to LOCAL'
set firewall ipv4 name lan-local default-log set firewall ipv4 name lan-local enable-default-log
set firewall ipv4 name lan-local rule 40 action 'accept' set firewall ipv4 name lan-local rule 40 action 'accept'
set firewall ipv4 name lan-local rule 40 description 'Rule: accept_dns' set firewall ipv4 name lan-local rule 40 description 'Rule: accept_dns'
set firewall ipv4 name lan-local rule 40 destination port 'domain,domain-s' set firewall ipv4 name lan-local rule 40 destination port 'domain,domain-s'
@ -138,7 +174,7 @@ set firewall ipv4 name lan-local rule 999 log
# From LAN to SERVERS # From LAN to SERVERS
set firewall ipv4 name lan-servers default-action 'drop' set firewall ipv4 name lan-servers default-action 'drop'
set firewall ipv4 name lan-servers description 'From LAN to SERVERS' set firewall ipv4 name lan-servers description 'From LAN to SERVERS'
set firewall ipv4 name lan-servers default-log set firewall ipv4 name lan-servers enable-default-log
set firewall ipv4 name lan-servers rule 999 action 'drop' set firewall ipv4 name lan-servers rule 999 action 'drop'
set firewall ipv4 name lan-servers rule 999 description 'Rule: drop_invalid' set firewall ipv4 name lan-servers rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name lan-servers rule 999 state invalid set firewall ipv4 name lan-servers rule 999 state invalid
@ -159,7 +195,7 @@ set firewall ipv4 name lan-containers rule 999 log
# From LAN to TRUSTED # From LAN to TRUSTED
set firewall ipv4 name lan-trusted default-action 'drop' set firewall ipv4 name lan-trusted default-action 'drop'
set firewall ipv4 name lan-trusted description 'From LAN to TRUSTED' set firewall ipv4 name lan-trusted description 'From LAN to TRUSTED'
set firewall ipv4 name lan-trusted default-log set firewall ipv4 name lan-trusted enable-default-log
set firewall ipv4 name lan-trusted rule 999 action 'drop' set firewall ipv4 name lan-trusted rule 999 action 'drop'
set firewall ipv4 name lan-trusted rule 999 description 'Rule: drop_invalid' set firewall ipv4 name lan-trusted rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name lan-trusted rule 999 state invalid set firewall ipv4 name lan-trusted rule 999 state invalid
@ -168,7 +204,7 @@ set firewall ipv4 name lan-trusted rule 999 log
# From LAN to VIDEO # From LAN to VIDEO
set firewall ipv4 name lan-video default-action 'drop' set firewall ipv4 name lan-video default-action 'drop'
set firewall ipv4 name lan-video description 'From LAN to VIDEO' set firewall ipv4 name lan-video description 'From LAN to VIDEO'
set firewall ipv4 name lan-video default-log set firewall ipv4 name lan-video enable-default-log
set firewall ipv4 name lan-video rule 999 action 'drop' set firewall ipv4 name lan-video rule 999 action 'drop'
set firewall ipv4 name lan-video rule 999 description 'Rule: drop_invalid' set firewall ipv4 name lan-video rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name lan-video rule 999 state invalid set firewall ipv4 name lan-video rule 999 state invalid
@ -181,7 +217,7 @@ set firewall ipv4 name lan-wan description 'From LAN to WAN'
# From LOCAL to IOT # From LOCAL to IOT
set firewall ipv4 name local-iot default-action 'drop' set firewall ipv4 name local-iot default-action 'drop'
set firewall ipv4 name local-iot description 'From LOCAL to IOT' set firewall ipv4 name local-iot description 'From LOCAL to IOT'
set firewall ipv4 name local-iot default-log set firewall ipv4 name local-iot enable-default-log
set firewall ipv4 name local-iot rule 100 action 'accept' set firewall ipv4 name local-iot rule 100 action 'accept'
set firewall ipv4 name local-iot rule 100 description 'Rule: accept_igmp' set firewall ipv4 name local-iot rule 100 description 'Rule: accept_igmp'
set firewall ipv4 name local-iot rule 100 protocol '2' set firewall ipv4 name local-iot rule 100 protocol '2'
@ -190,6 +226,11 @@ set firewall ipv4 name local-iot rule 110 description 'Rule: accept_mdns'
set firewall ipv4 name local-iot rule 110 destination port 'mdns' set firewall ipv4 name local-iot rule 110 destination port 'mdns'
set firewall ipv4 name local-iot rule 110 protocol 'udp' set firewall ipv4 name local-iot rule 110 protocol 'udp'
set firewall ipv4 name local-iot rule 110 source port 'mdns' set firewall ipv4 name local-iot rule 110 source port 'mdns'
set firewall ipv4 name local-iot rule 200 action 'accept'
set firewall ipv4 name local-iot rule 200 description 'Rule: accept_discovery_from_sonos_controllers'
set firewall ipv4 name local-iot rule 200 destination group port-group sonos-discovery
set firewall ipv4 name local-iot rule 200 protocol 'udp'
set firewall ipv4 name local-iot rule 200 source group address-group 'sonos_controllers'
set firewall ipv4 name local-iot rule 999 action 'drop' set firewall ipv4 name local-iot rule 999 action 'drop'
set firewall ipv4 name local-iot rule 999 description 'Rule: drop_invalid' set firewall ipv4 name local-iot rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name local-iot rule 999 state invalid set firewall ipv4 name local-iot rule 999 state invalid
@ -198,7 +239,7 @@ set firewall ipv4 name local-iot rule 999 log
# From LOCAL to LAN # From LOCAL to LAN
set firewall ipv4 name local-lan default-action 'drop' set firewall ipv4 name local-lan default-action 'drop'
set firewall ipv4 name local-lan description 'From LOCAL to LAN' set firewall ipv4 name local-lan description 'From LOCAL to LAN'
set firewall ipv4 name local-lan default-log set firewall ipv4 name local-lan enable-default-log
set firewall ipv4 name local-lan rule 999 action 'drop' set firewall ipv4 name local-lan rule 999 action 'drop'
set firewall ipv4 name local-lan rule 999 description 'Rule: drop_invalid' set firewall ipv4 name local-lan rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name local-lan rule 999 state invalid set firewall ipv4 name local-lan rule 999 state invalid
@ -207,7 +248,7 @@ set firewall ipv4 name local-lan rule 999 log
# From LOCAL to SERVERS # From LOCAL to SERVERS
set firewall ipv4 name local-servers default-action 'drop' set firewall ipv4 name local-servers default-action 'drop'
set firewall ipv4 name local-servers description 'From LOCAL to SERVERS' set firewall ipv4 name local-servers description 'From LOCAL to SERVERS'
set firewall ipv4 name local-servers default-log set firewall ipv4 name local-servers enable-default-log
set firewall ipv4 name local-servers rule 40 action 'accept' set firewall ipv4 name local-servers rule 40 action 'accept'
set firewall ipv4 name local-servers rule 40 description 'Rule: accept_dns' set firewall ipv4 name local-servers rule 40 description 'Rule: accept_dns'
set firewall ipv4 name local-servers rule 40 destination port 'domain,domain-s' set firewall ipv4 name local-servers rule 40 destination port 'domain,domain-s'
@ -245,7 +286,7 @@ set firewall ipv4 name local-containers rule 999 log
# From LOCAL to TRUSTED # From LOCAL to TRUSTED
set firewall ipv4 name local-trusted default-action 'drop' set firewall ipv4 name local-trusted default-action 'drop'
set firewall ipv4 name local-trusted description 'From LOCAL to TRUSTED' set firewall ipv4 name local-trusted description 'From LOCAL to TRUSTED'
set firewall ipv4 name local-trusted default-log set firewall ipv4 name local-trusted enable-default-log
set firewall ipv4 name local-trusted rule 100 action 'accept' set firewall ipv4 name local-trusted rule 100 action 'accept'
set firewall ipv4 name local-trusted rule 100 description 'Rule: accept_igmp' set firewall ipv4 name local-trusted rule 100 description 'Rule: accept_igmp'
set firewall ipv4 name local-trusted rule 100 protocol '2' set firewall ipv4 name local-trusted rule 100 protocol '2'
@ -271,7 +312,7 @@ set firewall ipv4 name local-trusted rule 999 log
# From LOCAL to VIDEO # From LOCAL to VIDEO
set firewall ipv4 name local-video default-action 'drop' set firewall ipv4 name local-video default-action 'drop'
set firewall ipv4 name local-video description 'From LOCAL to VIDEO' set firewall ipv4 name local-video description 'From LOCAL to VIDEO'
set firewall ipv4 name local-video default-log set firewall ipv4 name local-video enable-default-log
set firewall ipv4 name local-video rule 999 action 'drop' set firewall ipv4 name local-video rule 999 action 'drop'
set firewall ipv4 name local-video rule 999 description 'Rule: drop_invalid' set firewall ipv4 name local-video rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name local-video rule 999 state invalid set firewall ipv4 name local-video rule 999 state invalid
@ -285,7 +326,7 @@ set firewall ipv4 name local-wan description 'From LOCAL to WAN'
# From SERVERS to IOT # From SERVERS to IOT
set firewall ipv4 name servers-iot default-action 'drop' set firewall ipv4 name servers-iot default-action 'drop'
set firewall ipv4 name servers-iot description 'From SERVERS to IOT' set firewall ipv4 name servers-iot description 'From SERVERS to IOT'
set firewall ipv4 name servers-iot default-log set firewall ipv4 name servers-iot enable-default-log
set firewall ipv4 name servers-iot rule 100 action 'accept' set firewall ipv4 name servers-iot rule 100 action 'accept'
set firewall ipv4 name servers-iot rule 100 description 'Rule: accept_k8s_nodes' set firewall ipv4 name servers-iot rule 100 description 'Rule: accept_k8s_nodes'
set firewall ipv4 name servers-iot rule 100 protocol 'tcp' set firewall ipv4 name servers-iot rule 100 protocol 'tcp'
@ -302,7 +343,7 @@ set firewall ipv4 name servers-iot rule 999 log
# From SERVERS to LAN # From SERVERS to LAN
set firewall ipv4 name servers-lan default-action 'drop' set firewall ipv4 name servers-lan default-action 'drop'
set firewall ipv4 name servers-lan description 'From SERVERS to LAN' set firewall ipv4 name servers-lan description 'From SERVERS to LAN'
set firewall ipv4 name servers-lan default-log set firewall ipv4 name servers-lan enable-default-log
set firewall ipv4 name servers-lan rule 999 action 'drop' set firewall ipv4 name servers-lan rule 999 action 'drop'
set firewall ipv4 name servers-lan rule 999 description 'Rule: drop_invalid' set firewall ipv4 name servers-lan rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name servers-lan rule 999 state invalid set firewall ipv4 name servers-lan rule 999 state invalid
@ -311,7 +352,7 @@ set firewall ipv4 name servers-lan rule 999 log
# From SERVERS to LOCAL # From SERVERS to LOCAL
set firewall ipv4 name servers-local default-action 'drop' set firewall ipv4 name servers-local default-action 'drop'
set firewall ipv4 name servers-local description 'From SERVERS to LOCAL' set firewall ipv4 name servers-local description 'From SERVERS to LOCAL'
set firewall ipv4 name servers-local default-log set firewall ipv4 name servers-local enable-default-log
set firewall ipv4 name servers-local rule 50 action 'accept' set firewall ipv4 name servers-local rule 50 action 'accept'
set firewall ipv4 name servers-local rule 50 description 'Rule: accept_dhcp' set firewall ipv4 name servers-local rule 50 description 'Rule: accept_dhcp'
set firewall ipv4 name servers-local rule 50 destination port '67,68' set firewall ipv4 name servers-local rule 50 destination port '67,68'
@ -351,7 +392,7 @@ set firewall ipv4 name servers-local rule 999 log
# From SERVERS to CONTAINERS # From SERVERS to CONTAINERS
set firewall ipv4 name servers-containers default-action 'accept' set firewall ipv4 name servers-containers default-action 'accept'
set firewall ipv4 name servers-containers description 'From SERVERS to CONTAINERS' set firewall ipv4 name servers-containers description 'From SERVERS to CONTAINERS'
set firewall ipv4 name servers-containers default-log set firewall ipv4 name servers-containers enable-default-log
set firewall ipv4 name servers-containers rule 40 action 'accept' set firewall ipv4 name servers-containers rule 40 action 'accept'
set firewall ipv4 name servers-containers rule 40 description 'Rule: accept_dns' set firewall ipv4 name servers-containers rule 40 description 'Rule: accept_dns'
set firewall ipv4 name servers-containers rule 40 destination port 'domain,domain-s' set firewall ipv4 name servers-containers rule 40 destination port 'domain,domain-s'
@ -368,7 +409,7 @@ set firewall ipv4 name servers-containers rule 999 log
# From SERVERS to TRUSTED # From SERVERS to TRUSTED
set firewall ipv4 name servers-trusted default-action 'drop' set firewall ipv4 name servers-trusted default-action 'drop'
set firewall ipv4 name servers-trusted description 'From SERVERS to TRUSTED' set firewall ipv4 name servers-trusted description 'From SERVERS to TRUSTED'
set firewall ipv4 name servers-trusted default-log set firewall ipv4 name servers-trusted enable-default-log
set firewall ipv4 name servers-trusted rule 999 action 'drop' set firewall ipv4 name servers-trusted rule 999 action 'drop'
set firewall ipv4 name servers-trusted rule 999 description 'Rule: drop_invalid' set firewall ipv4 name servers-trusted rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name servers-trusted rule 999 state invalid set firewall ipv4 name servers-trusted rule 999 state invalid
@ -377,7 +418,7 @@ set firewall ipv4 name servers-trusted rule 999 log
# From SERVERS to VIDEO # From SERVERS to VIDEO
set firewall ipv4 name servers-video default-action 'drop' set firewall ipv4 name servers-video default-action 'drop'
set firewall ipv4 name servers-video description 'From SERVERS to VIDEO' set firewall ipv4 name servers-video description 'From SERVERS to VIDEO'
set firewall ipv4 name servers-video default-log set firewall ipv4 name servers-video enable-default-log
set firewall ipv4 name servers-video rule 100 action 'accept' set firewall ipv4 name servers-video rule 100 action 'accept'
set firewall ipv4 name servers-video rule 100 description 'Rule: accept_k8s_nodes' set firewall ipv4 name servers-video rule 100 description 'Rule: accept_k8s_nodes'
set firewall ipv4 name servers-video rule 100 protocol 'tcp_udp' set firewall ipv4 name servers-video rule 100 protocol 'tcp_udp'
@ -394,7 +435,7 @@ set firewall ipv4 name servers-wan description 'From SERVERS to WAN'
# From CONTAINERS to IOT # From CONTAINERS to IOT
set firewall ipv4 name containers-iot default-action 'drop' set firewall ipv4 name containers-iot default-action 'drop'
set firewall ipv4 name containers-iot description 'From CONTAINERS to IOT' set firewall ipv4 name containers-iot description 'From CONTAINERS to IOT'
set firewall ipv4 name containers-iot default-log set firewall ipv4 name containers-iot enable-default-log
set firewall ipv4 name containers-iot rule 999 action 'drop' set firewall ipv4 name containers-iot rule 999 action 'drop'
set firewall ipv4 name containers-iot rule 999 description 'Rule: drop_invalid' set firewall ipv4 name containers-iot rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name containers-iot rule 999 state invalid set firewall ipv4 name containers-iot rule 999 state invalid
@ -403,7 +444,7 @@ set firewall ipv4 name containers-iot rule 999 log
# From CONTAINERS to LAN # From CONTAINERS to LAN
set firewall ipv4 name containers-lan default-action 'drop' set firewall ipv4 name containers-lan default-action 'drop'
set firewall ipv4 name containers-lan description 'From CONTAINERS to LAN' set firewall ipv4 name containers-lan description 'From CONTAINERS to LAN'
set firewall ipv4 name containers-lan default-log set firewall ipv4 name containers-lan enable-default-log
set firewall ipv4 name containers-lan rule 999 action 'drop' set firewall ipv4 name containers-lan rule 999 action 'drop'
set firewall ipv4 name containers-lan rule 999 description 'Rule: drop_invalid' set firewall ipv4 name containers-lan rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name containers-lan rule 999 state invalid set firewall ipv4 name containers-lan rule 999 state invalid
@ -412,7 +453,7 @@ set firewall ipv4 name containers-lan rule 999 log
# From CONTAINERS to LOCAL # From CONTAINERS to LOCAL
set firewall ipv4 name containers-local default-action 'drop' set firewall ipv4 name containers-local default-action 'drop'
set firewall ipv4 name containers-local description 'From CONTAINERS to LOCAL' set firewall ipv4 name containers-local description 'From CONTAINERS to LOCAL'
set firewall ipv4 name containers-local default-log set firewall ipv4 name containers-local enable-default-log
set firewall ipv4 name containers-local rule 50 action 'accept' set firewall ipv4 name containers-local rule 50 action 'accept'
set firewall ipv4 name containers-local rule 50 description 'Rule: accept_dhcp' set firewall ipv4 name containers-local rule 50 description 'Rule: accept_dhcp'
set firewall ipv4 name containers-local rule 50 destination port '67,68' set firewall ipv4 name containers-local rule 50 destination port '67,68'
@ -438,7 +479,7 @@ set firewall ipv4 name containers-servers rule 999 log
# From CONTAINERS to TRUSTED # From CONTAINERS to TRUSTED
set firewall ipv4 name containers-trusted default-action 'drop' set firewall ipv4 name containers-trusted default-action 'drop'
set firewall ipv4 name containers-trusted description 'From CONTAINERS to TRUSTED' set firewall ipv4 name containers-trusted description 'From CONTAINERS to TRUSTED'
set firewall ipv4 name containers-trusted default-log set firewall ipv4 name containers-trusted enable-default-log
set firewall ipv4 name containers-trusted rule 999 action 'drop' set firewall ipv4 name containers-trusted rule 999 action 'drop'
set firewall ipv4 name containers-trusted rule 999 description 'Rule: drop_invalid' set firewall ipv4 name containers-trusted rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name containers-trusted rule 999 state invalid set firewall ipv4 name containers-trusted rule 999 state invalid
@ -447,7 +488,7 @@ set firewall ipv4 name containers-trusted rule 999 log
# From CONTAINERS to VIDEO # From CONTAINERS to VIDEO
set firewall ipv4 name containers-video default-action 'drop' set firewall ipv4 name containers-video default-action 'drop'
set firewall ipv4 name containers-video description 'From CONTAINERS to VIDEO' set firewall ipv4 name containers-video description 'From CONTAINERS to VIDEO'
set firewall ipv4 name containers-video default-log set firewall ipv4 name containers-video enable-default-log
set firewall ipv4 name containers-video rule 999 action 'drop' set firewall ipv4 name containers-video rule 999 action 'drop'
set firewall ipv4 name containers-video rule 999 description 'Rule: drop_invalid' set firewall ipv4 name containers-video rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name containers-video rule 999 state invalid set firewall ipv4 name containers-video rule 999 state invalid
@ -460,6 +501,16 @@ set firewall ipv4 name containers-wan description 'From CONTAINERS to WAN'
# From TRUSTED to IOT # From TRUSTED to IOT
set firewall ipv4 name trusted-iot default-action 'accept' set firewall ipv4 name trusted-iot default-action 'accept'
set firewall ipv4 name trusted-iot description 'From TRUSTED to IOT' set firewall ipv4 name trusted-iot description 'From TRUSTED to IOT'
set firewall ipv4 name trusted-iot rule 110 action 'accept'
set firewall ipv4 name trusted-iot rule 110 description 'Rule: accept_tcp_from_sonos_controllers_to_sonos_players'
set firewall ipv4 name trusted-iot rule 110 destination port '1400,1443,4444,7000,30000-65535'
set firewall ipv4 name trusted-iot rule 110 protocol 'tcp'
set firewall ipv4 name trusted-iot rule 110 source group address-group 'sonos_controllers'
set firewall ipv4 name trusted-iot rule 111 action 'accept'
set firewall ipv4 name trusted-iot rule 111 description 'Rule: accept_udp_from_sonos_controllers_to_sonos_players'
set firewall ipv4 name trusted-iot rule 111 destination port '319,320,30000-65535'
set firewall ipv4 name trusted-iot rule 111 protocol 'udp'
set firewall ipv4 name trusted-iot rule 111 source group address-group 'sonos_controllers'
set firewall ipv4 name trusted-iot rule 999 action 'drop' set firewall ipv4 name trusted-iot rule 999 action 'drop'
set firewall ipv4 name trusted-iot rule 999 description 'Rule: drop_invalid' set firewall ipv4 name trusted-iot rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name trusted-iot rule 999 state invalid set firewall ipv4 name trusted-iot rule 999 state invalid
@ -476,7 +527,7 @@ set firewall ipv4 name trusted-lan rule 999 log
# From TRUSTED to LOCAL # From TRUSTED to LOCAL
set firewall ipv4 name trusted-local default-action 'drop' set firewall ipv4 name trusted-local default-action 'drop'
set firewall ipv4 name trusted-local description 'From TRUSTED to LOCAL' set firewall ipv4 name trusted-local description 'From TRUSTED to LOCAL'
set firewall ipv4 name trusted-local default-log set firewall ipv4 name trusted-local enable-default-log
set firewall ipv4 name trusted-local rule 50 action 'accept' set firewall ipv4 name trusted-local rule 50 action 'accept'
set firewall ipv4 name trusted-local rule 50 description 'Rule: accept_dhcp' set firewall ipv4 name trusted-local rule 50 description 'Rule: accept_dhcp'
set firewall ipv4 name trusted-local rule 50 destination port '67,68' set firewall ipv4 name trusted-local rule 50 destination port '67,68'
@ -498,6 +549,11 @@ set firewall ipv4 name trusted-local rule 120 action 'accept'
set firewall ipv4 name trusted-local rule 120 description 'Rule: accept_dns' set firewall ipv4 name trusted-local rule 120 description 'Rule: accept_dns'
set firewall ipv4 name trusted-local rule 120 destination port 'domain,domain-s' set firewall ipv4 name trusted-local rule 120 destination port 'domain,domain-s'
set firewall ipv4 name trusted-local rule 120 protocol 'tcp_udp' set firewall ipv4 name trusted-local rule 120 protocol 'tcp_udp'
set firewall ipv4 name trusted-local rule 210 action 'accept'
set firewall ipv4 name trusted-local rule 210 description 'Rule: accept_discovery_from_sonos_controllers'
set firewall ipv4 name trusted-local rule 210 destination group port-group sonos-discovery
set firewall ipv4 name trusted-local rule 210 protocol 'udp'
set firewall ipv4 name trusted-local rule 210 source group address-group 'sonos_controllers'
set firewall ipv4 name trusted-local rule 211 action 'accept' set firewall ipv4 name trusted-local rule 211 action 'accept'
set firewall ipv4 name trusted-local rule 211 description 'Rule: accept_discovery_from_sonos_players' set firewall ipv4 name trusted-local rule 211 description 'Rule: accept_discovery_from_sonos_players'
set firewall ipv4 name trusted-local rule 211 destination group port-group sonos-discovery set firewall ipv4 name trusted-local rule 211 destination group port-group sonos-discovery
@ -556,7 +612,12 @@ set firewall ipv4 name trusted-wan description 'From TRUSTED to WAN'
# From VIDEO to IOT # From VIDEO to IOT
set firewall ipv4 name video-iot default-action 'drop' set firewall ipv4 name video-iot default-action 'drop'
set firewall ipv4 name video-iot description 'From VIDEO to IOT' set firewall ipv4 name video-iot description 'From VIDEO to IOT'
set firewall ipv4 name video-iot default-log set firewall ipv4 name video-iot enable-default-log
set firewall ipv4 name video-iot rule 100 action 'accept'
set firewall ipv4 name video-iot rule 100 description 'Rule: allow connecting to hass'
set firewall ipv4 name video-iot rule 100 protocol 'tcp'
set firewall ipv4 name video-iot rule 100 destination group address-group 'k8s_hass'
set firewall ipv4 name video-iot rule 100 destination port '8123'
set firewall ipv4 name video-iot rule 999 action 'drop' set firewall ipv4 name video-iot rule 999 action 'drop'
set firewall ipv4 name video-iot rule 999 description 'Rule: drop_invalid' set firewall ipv4 name video-iot rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name video-iot rule 999 state invalid set firewall ipv4 name video-iot rule 999 state invalid
@ -565,7 +626,7 @@ set firewall ipv4 name video-iot rule 999 log
# From VIDEO to LAN # From VIDEO to LAN
set firewall ipv4 name video-lan default-action 'drop' set firewall ipv4 name video-lan default-action 'drop'
set firewall ipv4 name video-lan description 'From VIDEO to LAN' set firewall ipv4 name video-lan description 'From VIDEO to LAN'
set firewall ipv4 name video-lan default-log set firewall ipv4 name video-lan enable-default-log
set firewall ipv4 name video-lan rule 999 action 'drop' set firewall ipv4 name video-lan rule 999 action 'drop'
set firewall ipv4 name video-lan rule 999 description 'Rule: drop_invalid' set firewall ipv4 name video-lan rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name video-lan rule 999 state invalid set firewall ipv4 name video-lan rule 999 state invalid
@ -574,7 +635,7 @@ set firewall ipv4 name video-lan rule 999 log
# From VIDEO to LOCAL # From VIDEO to LOCAL
set firewall ipv4 name video-local default-action 'drop' set firewall ipv4 name video-local default-action 'drop'
set firewall ipv4 name video-local description 'From VIDEO to LOCAL' set firewall ipv4 name video-local description 'From VIDEO to LOCAL'
set firewall ipv4 name video-local default-log set firewall ipv4 name video-local enable-default-log
set firewall ipv4 name video-local rule 50 action 'accept' set firewall ipv4 name video-local rule 50 action 'accept'
set firewall ipv4 name video-local rule 50 description 'Rule: accept_dhcp' set firewall ipv4 name video-local rule 50 description 'Rule: accept_dhcp'
set firewall ipv4 name video-local rule 50 destination port '67,68' set firewall ipv4 name video-local rule 50 destination port '67,68'
@ -592,7 +653,7 @@ set firewall ipv4 name video-local rule 999 log
# From VIDEO to SERVERS # From VIDEO to SERVERS
set firewall ipv4 name video-servers default-action 'drop' set firewall ipv4 name video-servers default-action 'drop'
set firewall ipv4 name video-servers description 'From VIDEO to SERVERS' set firewall ipv4 name video-servers description 'From VIDEO to SERVERS'
set firewall ipv4 name video-servers default-log set firewall ipv4 name video-servers enable-default-log
set firewall ipv4 name video-servers rule 100 action 'accept' set firewall ipv4 name video-servers rule 100 action 'accept'
set firewall ipv4 name video-servers rule 100 description 'Rule: accept_k8s_nodes' set firewall ipv4 name video-servers rule 100 description 'Rule: accept_k8s_nodes'
set firewall ipv4 name video-servers rule 100 protocol 'udp' set firewall ipv4 name video-servers rule 100 protocol 'udp'
@ -618,7 +679,7 @@ set firewall ipv4 name video-containers rule 999 log
# From VIDEO to TRUSTED # From VIDEO to TRUSTED
set firewall ipv4 name video-trusted default-action 'drop' set firewall ipv4 name video-trusted default-action 'drop'
set firewall ipv4 name video-trusted description 'From VIDEO to TRUSTED' set firewall ipv4 name video-trusted description 'From VIDEO to TRUSTED'
set firewall ipv4 name video-trusted default-log set firewall ipv4 name video-trusted enable-default-log
set firewall ipv4 name video-trusted rule 999 action 'drop' set firewall ipv4 name video-trusted rule 999 action 'drop'
set firewall ipv4 name video-trusted rule 999 description 'Rule: drop_invalid' set firewall ipv4 name video-trusted rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name video-trusted rule 999 state invalid set firewall ipv4 name video-trusted rule 999 state invalid
@ -630,7 +691,7 @@ set firewall ipv4 name video-wan description 'From VIDEO to WAN'
# From WAN to IOT # From WAN to IOT
set firewall ipv4 name wan-iot default-action 'drop' set firewall ipv4 name wan-iot default-action 'drop'
set firewall ipv4 name wan-iot description 'From WAN to IOT' set firewall ipv4 name wan-iot description 'From WAN to IOT'
set firewall ipv4 name wan-iot default-log set firewall ipv4 name wan-iot enable-default-log
set firewall ipv4 name wan-iot rule 999 action 'drop' set firewall ipv4 name wan-iot rule 999 action 'drop'
set firewall ipv4 name wan-iot rule 999 description 'Rule: drop_invalid' set firewall ipv4 name wan-iot rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name wan-iot rule 999 state invalid set firewall ipv4 name wan-iot rule 999 state invalid
@ -639,7 +700,7 @@ set firewall ipv4 name wan-iot rule 999 log
# From WAN to LAN # From WAN to LAN
set firewall ipv4 name wan-lan default-action 'drop' set firewall ipv4 name wan-lan default-action 'drop'
set firewall ipv4 name wan-lan description 'From WAN to LAN' set firewall ipv4 name wan-lan description 'From WAN to LAN'
set firewall ipv4 name wan-lan default-log set firewall ipv4 name wan-lan enable-default-log
set firewall ipv4 name wan-lan rule 999 action 'drop' set firewall ipv4 name wan-lan rule 999 action 'drop'
set firewall ipv4 name wan-lan rule 999 description 'Rule: drop_invalid' set firewall ipv4 name wan-lan rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name wan-lan rule 999 state invalid set firewall ipv4 name wan-lan rule 999 state invalid
@ -648,7 +709,7 @@ set firewall ipv4 name wan-lan rule 999 log
# From WAN to LOCAL # From WAN to LOCAL
set firewall ipv4 name wan-local default-action 'drop' set firewall ipv4 name wan-local default-action 'drop'
set firewall ipv4 name wan-local description 'From WAN to LOCAL' set firewall ipv4 name wan-local description 'From WAN to LOCAL'
set firewall ipv4 name wan-local default-log set firewall ipv4 name wan-local enable-default-log
set firewall ipv4 name wan-local rule 1 action 'drop' set firewall ipv4 name wan-local rule 1 action 'drop'
set firewall ipv4 name wan-local rule 1 description 'Rule: drop_invalid' set firewall ipv4 name wan-local rule 1 description 'Rule: drop_invalid'
set firewall ipv4 name wan-local rule 1 state invalid set firewall ipv4 name wan-local rule 1 state invalid
@ -661,7 +722,7 @@ set firewall ipv4 name wan-local rule 100 protocol 'udp'
# From WAN to SERVERS # From WAN to SERVERS
set firewall ipv4 name wan-servers default-action 'drop' set firewall ipv4 name wan-servers default-action 'drop'
set firewall ipv4 name wan-servers description 'From WAN to SERVERS' set firewall ipv4 name wan-servers description 'From WAN to SERVERS'
set firewall ipv4 name wan-servers default-log set firewall ipv4 name wan-servers enable-default-log
set firewall ipv4 name wan-servers rule 100 action 'accept' set firewall ipv4 name wan-servers rule 100 action 'accept'
set firewall ipv4 name wan-servers rule 100 destination port 32400 set firewall ipv4 name wan-servers rule 100 destination port 32400
set firewall ipv4 name wan-servers rule 100 protocol 'tcp' set firewall ipv4 name wan-servers rule 100 protocol 'tcp'
@ -674,7 +735,7 @@ set firewall ipv4 name wan-servers rule 999 log
# From WAN to CONTAINERS # From WAN to CONTAINERS
set firewall ipv4 name wan-containers default-action 'drop' set firewall ipv4 name wan-containers default-action 'drop'
set firewall ipv4 name wan-containers description 'From WAN to CONTAINERS' set firewall ipv4 name wan-containers description 'From WAN to CONTAINERS'
set firewall ipv4 name wan-containers default-log set firewall ipv4 name wan-containers enable-default-log
set firewall ipv4 name wan-containers rule 999 action 'drop' set firewall ipv4 name wan-containers rule 999 action 'drop'
set firewall ipv4 name wan-containers rule 999 description 'Rule: drop_invalid' set firewall ipv4 name wan-containers rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name wan-containers rule 999 state invalid set firewall ipv4 name wan-containers rule 999 state invalid
@ -683,7 +744,7 @@ set firewall ipv4 name wan-containers rule 999 log
# From WAN to TRUSTED # From WAN to TRUSTED
set firewall ipv4 name wan-trusted default-action 'drop' set firewall ipv4 name wan-trusted default-action 'drop'
set firewall ipv4 name wan-trusted description 'From WAN to TRUSTED' set firewall ipv4 name wan-trusted description 'From WAN to TRUSTED'
set firewall ipv4 name wan-trusted default-log set firewall ipv4 name wan-trusted enable-default-log
set firewall ipv4 name wan-trusted rule 999 action 'drop' set firewall ipv4 name wan-trusted rule 999 action 'drop'
set firewall ipv4 name wan-trusted rule 999 description 'Rule: drop_invalid' set firewall ipv4 name wan-trusted rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name wan-trusted rule 999 state invalid set firewall ipv4 name wan-trusted rule 999 state invalid
@ -692,7 +753,7 @@ set firewall ipv4 name wan-trusted rule 999 log
# From WAN to VIDEO # From WAN to VIDEO
set firewall ipv4 name wan-video default-action 'drop' set firewall ipv4 name wan-video default-action 'drop'
set firewall ipv4 name wan-video description 'From WAN to VIDEO' set firewall ipv4 name wan-video description 'From WAN to VIDEO'
set firewall ipv4 name wan-video default-log set firewall ipv4 name wan-video enable-default-log
set firewall ipv4 name wan-video rule 999 action 'drop' set firewall ipv4 name wan-video rule 999 action 'drop'
set firewall ipv4 name wan-video rule 999 description 'Rule: drop_invalid' set firewall ipv4 name wan-video rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name wan-video rule 999 state invalid set firewall ipv4 name wan-video rule 999 state invalid


@ -67,6 +67,7 @@ set firewall zone trusted from containers firewall name 'containers-trusted'
set firewall zone trusted from video firewall name 'video-trusted' set firewall zone trusted from video firewall name 'video-trusted'
set firewall zone trusted from wan firewall name 'wan-trusted' set firewall zone trusted from wan firewall name 'wan-trusted'
set firewall zone trusted interface 'eth4.20' set firewall zone trusted interface 'eth4.20'
set firewall zone trusted interface 'wg01'
# video # video
set firewall zone video default-action 'drop' set firewall zone video default-action 'drop'
@ -88,4 +89,4 @@ set firewall zone wan from servers firewall name 'servers-wan'
set firewall zone wan from containers firewall name 'containers-wan' set firewall zone wan from containers firewall name 'containers-wan'
set firewall zone wan from trusted firewall name 'trusted-wan' set firewall zone wan from trusted firewall name 'trusted-wan'
set firewall zone wan from video firewall name 'video-wan' set firewall zone wan from video firewall name 'video-wan'
set firewall zone wan interface 'eth5' set firewall zone wan interface 'eth0'
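Review bot: Adding `set firewall zone trusted interface 'wg01'` puts every WireGuard peer into the trusted zone, so a lost phone or tablet carrying a valid peer key gets the whole trusted-* rule set, including trusted-local access to the router itself and whatever trusted-servers/trusted-containers allow. A dedicated zone keeps the blast radius of a compromised peer key small: `set firewall zone vpn default-action 'drop'`, `set firewall zone vpn interface 'wg01'`, and explicit `from vpn` rulesets on only the zones the mobile devices actually need. If the peers genuinely need everything trusted can reach, a one-line comment above the interface line saying so (`# wg peers are personal devices, treated as trusted by design`) would spare the next reader the question.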


@ -8,13 +8,13 @@ set firewall global-options all-ping 'enable'
# Address Groups # Address Groups
set firewall group address-group router-addresses address 10.0.0.1 set firewall group address-group router-addresses address 10.0.0.1
set firewall group address-group router-addresses address 127.0.0.1 set firewall group address-group router-addresses address 127.0.0.1
set firewall group address-group k8s_nodes address '10.1.1.61-10.1.1.63' # master nodes set firewall group address-group k8s_nodes address '10.1.1.61-63' # master nodes
set firewall group address-group k8s_nodes address '10.1.1.41-10.1.1.46' # worker nodes set firewall group address-group k8s_nodes address '10.1.1.41-46' # worker nodes
set firewall group address-group k8s_api address '10.5.0.2' set firewall group address-group k8s_api address '10.5.0.2'
set firewall group address-group k8s_ingress address '10.45.0.1' # external nginx set firewall group address-group k8s_ingress address '10.45.0.1' # external nginx
set firewall group address-group k8s_ingress address '10.45.0.3' # internal nginx set firewall group address-group k8s_ingress address '10.45.0.3' # internal nginx
set firewall group address-group k8s_vector_aggregator address '10.45.0.2' set firewall group address-group k8s_vector_aggregator address '10.45.0.2'
set firewall group address-group nas address '10.1.1.11-10.1.1.12' set firewall group address-group nas address '10.1.1.11-12'
set firewall group address-group unifi_devices address '10.1.0.11' set firewall group address-group unifi_devices address '10.1.0.11'
set firewall group address-group unifi_devices address '10.1.0.12' set firewall group address-group unifi_devices address '10.1.0.12'
set firewall group address-group unifi_devices address '10.1.0.13' set firewall group address-group unifi_devices address '10.1.0.13'
@ -24,7 +24,6 @@ set firewall group address-group unifi_devices address '10.1.0.23'
set firewall group address-group unifi_devices address '10.1.0.24' set firewall group address-group unifi_devices address '10.1.0.24'
set firewall group address-group vyos_unifi address '10.5.0.10' set firewall group address-group vyos_unifi address '10.5.0.10'
set firewall group network-group k8s_services network '10.45.0.0/16' set firewall group network-group k8s_services network '10.45.0.0/16'
set firewall group address-group sonos_players address '10.1.2.31'
# Port groups # Port groups
set firewall group port-group wireguard port '51820' set firewall group port-group wireguard port '51820'
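Review bot: The k8s_nodes and nas lines differ only in range notation (`'10.1.1.61-10.1.1.63'` versus `'10.1.1.61-63'`); VyOS documents address-group ranges as a full start and end address, so whichever side ends up with the shorthand form should be validated with `commit` on the target release before the k8s and NAS rules are trusted to match anything. `set firewall group address-group sonos_players address '10.1.2.31'` appears on only one side: if it is the side being removed, any ruleset that still names `sonos_players` will fail validation, and if it is being added, the trusted-iot Sonos rules 110/111 earlier in this compare restrict only on destination port and source group as far as their visible lines show, so the group stays unused until a `destination group address-group 'sonos_players'` line is added to them.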


@ -16,3 +16,16 @@ set interfaces ethernet eth4 vif 30 description 'IOT'
set interfaces ethernet eth4 vif 40 address '10.1.4.1/24' set interfaces ethernet eth4 vif 40 address '10.1.4.1/24'
set interfaces ethernet eth4 vif 40 description 'VIDEO' set interfaces ethernet eth4 vif 40 description 'VIDEO'
set interfaces wireguard wg01 address '10.0.11.1/24'
set interfaces wireguard wg01 description 'WIREGUARD'
set interfaces wireguard wg01 peer ipad-jahanson allowed-ips '10.0.11.4/32'
set interfaces wireguard wg01 peer ipad-jahanson persistent-keepalive '15'
set interfaces wireguard wg01 peer ipad-jahanson public-key 'jv1XSCkzxGY0kBfLbF79gwLVOCmyCTUmSFd36QcwiWE='
set interfaces wireguard wg01 peer iphone-jahanson allowed-ips '10.0.11.2/32'
set interfaces wireguard wg01 peer iphone-jahanson persistent-keepalive '15'
set interfaces wireguard wg01 peer iphone-jahanson public-key 'HHBmTzVQH1qt14rVqzxCUATkLRPGu5WisHyY9O4yTkM='
set interfaces wireguard wg01 peer legion-jahanson allowed-ips '10.0.11.3/32'
set interfaces wireguard wg01 peer legion-jahanson persistent-keepalive '15'
set interfaces wireguard wg01 peer legion-jahanson public-key 'OA8fW79KEJej2lbZZY/Bf7EHcRjeiDowqIBwXGRLZ3A='
set interfaces wireguard wg01 port '51820'
set interfaces wireguard wg01 private-key "${SECRET_WIREGUARD_PRIVATE_KEY}"
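Review bot: The three peers (ipad-, iphone-, legion-jahanson) authenticate with a public key only; WireGuard's optional per-peer preshared key layers a symmetric secret on top of the Curve25519 handshake, which is cheap insurance for roaming devices whose private keys live on hardware that can be lost, e.g. `set interfaces wireguard wg01 peer iphone-jahanson preshared-key "${SECRET_WIREGUARD_PSK_IPHONE}"` rendered from the same secret store as the private key. The `"${SECRET_WIREGUARD_PRIVATE_KEY}"` reference implies this file is rendered before load, so the rendered copy containing the real key must stay out of the repository and out of any `show configuration commands` output that gets committed back; the peer public keys here are harmless, the private key would not be. A short comment above the private-key line naming the render step (`# rendered by envsubst/sops at boot; never commit the expanded file`) would make that expectation explicit.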


@ -3,7 +3,7 @@
# Forward Plex to Sting # Forward Plex to Sting
set nat destination rule 110 description 'PLEX' set nat destination rule 110 description 'PLEX'
set nat destination rule 110 destination port '32400' set nat destination rule 110 destination port '32400'
set nat destination rule 110 inbound-interface name 'eth5' set nat destination rule 110 inbound-interface 'eth5'
set nat destination rule 110 protocol 'tcp' set nat destination rule 110 protocol 'tcp'
set nat destination rule 110 translation address '10.1.1.12' set nat destination rule 110 translation address '10.1.1.12'
set nat destination rule 110 translation port '32400' set nat destination rule 110 translation port '32400'
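Review bot: The Plex DNAT keeps `eth5` as its inbound interface on both sides of this change, while the wan zone hunk elsewhere in this compare switches `set firewall zone wan interface` between `eth5` and `eth0`; on whichever side the WAN zone is `eth0`, rule 110 never matches and the forward to 10.1.1.12:32400 silently stops (the accept in wan-servers rule 100 for port 32400 would then admit nothing). The rule should track the WAN zone, e.g. `set nat destination rule 110 inbound-interface name 'eth0'` (or `inbound-interface 'eth0'` for the bare syntax), or better, one interface variable rendered into both files so they cannot drift. The `inbound-interface name` form appears to be the newer VyOS syntax and the bare form the older one, so which is correct depends on the image this config is committed on.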


@ -65,9 +65,6 @@ set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-ma
# VMs # VMs
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping tulkas ip-address '10.1.1.53' set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping tulkas ip-address '10.1.1.53'
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping tulkas mac-address '26:82:2F:16:7A:36' set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping tulkas mac-address '26:82:2F:16:7A:36'
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping qbee ip-address '10.1.1.55'
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping qbee mac-address '00:a0:98:00:a6:72'
# k8s prod masters # k8s prod masters
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping galadriel ip-address '10.1.1.61' set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping galadriel ip-address '10.1.1.61'
@ -139,5 +136,3 @@ set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 range 0 sto
set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 static-mapping driveway-camera ip-address '10.1.4.12' set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 static-mapping driveway-camera ip-address '10.1.4.12'
set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 static-mapping driveway-camera mac-address 'ec:71:db:62:aa:e9' set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 static-mapping driveway-camera mac-address 'ec:71:db:62:aa:e9'
set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 static-mapping sidehouse-camera ip-address '10.1.4.13'
set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 static-mapping sidehouse-camera mac-address 'ec:71:db:5e:46:a7'


@ -7,6 +7,5 @@
!/bind/ !/bind/
!/dnsdist/ !/dnsdist/
!/haproxy/ !/haproxy/
!/haproxy-k3s/
!/unifi/ !/unifi/
!/vector-agent/ !/vector-agent/


@ -1,9 +0,0 @@
# Ignore everything
/*
# Track certain files and directories
!.gitignore
!/config/
/config/*
!/config/haproxy.cfg


@ -1,48 +0,0 @@
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
log /dev/log local0
log /dev/log local1 notice
daemon
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 20s
timeout connect 10s
timeout client 1h
timeout server 1h
timeout http-keep-alive 10s
timeout check 10s
#---------------------------------------------------------------------
# apiserver frontend which proxys to the control plane nodes
#---------------------------------------------------------------------
frontend k8s_apiserver
bind *:6443
mode tcp
option tcplog
default_backend k8s_controlplane
#---------------------------------------------------------------------
# round robin balancing for apiserver
#---------------------------------------------------------------------
backend k8s_controlplane
option httpchk GET /healthz
http-check expect status 200
mode tcp
option ssl-hello-chk
balance roundrobin
server worker2 10.1.1.55:6443 check


@ -17,10 +17,9 @@ END
tee -a /home/vyos/.bash_aliases <<END >/dev/null tee -a /home/vyos/.bash_aliases <<END >/dev/null
export SOPS_AGE_KEY_FILE=/config/secrets/age.key export SOPS_AGE_KEY_FILE=/config/secrets/age.key
export GIT_SSH_COMMAND="ssh -i /config/secrets/id_ed25519" export GIT_SSH_COMMAND="ssh -i /config/secrets/id_ed25519"
export VISUAL=vim export VISUAL=vi
export EDITOR=vim export EDITOR=vi
alias podman="sudo podman" alias podman="sudo podman"
END END
# Force X550 NIC to 2.5Gbps autonegotiation. Fixes a Intel driver issue. # Force X550 NIC to 2.5Gbps autonegotiation. Fixes a Intel driver issue.
#ethtool -s eth0 speed 2500 duplex full autoneg on ethtool -s eth0 speed 2500 duplex full autoneg on
systemctl start nextdns
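Review bot: `tee -a /home/vyos/.bash_aliases <<END` appends the same four exports and the alias every time this post-config script runs, so after a few boots `.bash_aliases` accumulates duplicate lines; guard it with a presence check, e.g. `grep -q 'SOPS_AGE_KEY_FILE' /home/vyos/.bash_aliases 2>/dev/null || tee -a /home/vyos/.bash_aliases <<END >/dev/null`. The `ethtool -s eth0 speed 2500 duplex full autoneg on` line is commented out on one side and live on the other, and eth0 is the WAN zone interface on one side of the zone hunk in this compare, so whichever side enables it should carry a comment stating that the upstream link partner is known to negotiate 2.5GBASE-T, since a mismatch leaves the router without WAN at boot. `systemctl start nextdns` appears on only one side and the hunk counts suggest it is the removed one; if nextdns is still expected to run, enabling its unit (`systemctl enable --now nextdns`) is more robust than a hand start here. The heredoc closed by the `END` in the hunk header belongs to a preceding statement outside this hunk.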